Thursday, 2016-06-30

<notmorgan> bknudson_: hhee [00:02]
<jamielennox> notmorgan: hey - thoughts on https://review.openstack.org/#/c/335423/ ? [00:03]
<patchbot> jamielennox: patch 335423 - keystone - Implement Views and convert credentials [00:04]
<jamielennox> i got annoyed refactoring that query_string thing and came up with that, still need to write it up [00:04]
<notmorgan> looking [00:04]
<jamielennox> if it's not going to succeed i'm not going to waste a bunch of time writing it up [00:06]
<dstanek> jamielennox: that's interesting. i wonder how it would play with my flask work? [00:22]
<jamielennox> dstanek: i had a look at flask views - they're not exactly the same but i can only think it would help [00:22]
<jamielennox> dstanek: flask seems to assume you'll want to render_template which it's fairly unlikely we'd do [00:23]
<jamielennox> but i think anything that takes some responsibility away from that controller is going to help switch there [00:23]
<jamielennox> ideally i think i'd like to return the webob.Response from the view instead of a dict [00:24]
<dstanek> jamielennox: yes, that's the direction i am heading. response objects [00:32]
<jamielennox> dstanek: henrynash_ has a review up for handling the request as part of the response as well for microversion stuff which i think can be better handled this way [00:33]
<jamielennox> because you isolate the microversion into the view layer [00:33]
<jamielennox> though as per normal the whole 'extras' thing is painful here [00:33]
<jlk> Any of you ever seen a situation where an admin can create services and SOME end points, but not a compute end point? I'm getting a 400 on creating endpoints for the compute service... [02:56]
<jlk> this is bizarre. I can create an endpoint url for the image service, but not the compute one. [02:59]
<jlk> openstack --debug endpoint create 63ec05a8d2eb40959d6b7125ee570d7e public "https://openstack.example.com:8774/v2/%(project_id)s" gives me a 400 [02:59]
<jlk> but openstack --debug endpoint create a0f044ffa0d84a8abc5f7a1d2da55b20 internal "https://openstack.example.com:9292" is 200. [03:00]
<jlk> well, 201 [03:00]
<jlk> holy crap [03:09]
<jlk> I found it, I was sending "project_id" in the URL instead of "tenant_id", and something was refusing it on the backend. [03:10]
<jlk> that's... weird. [03:12]
<jlk> (Liberty) [03:12]
<openstackgerrit> Andrew Liu proposed openstack/keystone: Added cache for id mapping manager https://review.openstack.org/328820 [03:42]
<jamielennox> stevemar: here? [05:03]
<notmorgan> jamielennox: odd [06:16]
<notmorgan> erm [06:16]
<notmorgan> jlk: odd [06:16]
<notmorgan> jlk: well i mean, v2... IS well v2 :P [06:16]
<notmorgan> and uses " [06:16]
<jamielennox> thought that was an accusation there for a second [06:16]
<notmorgan> Tenantid instead of projects.... [06:16]
<notmorgan> jamielennox: no tab-complete fail [06:17]
<notmorgan> jamielennox: since i'm somewhere in the depths of "docker [06:17]
<notmorgan> " + dpkg insanity [06:17]
<jamielennox> yey, fun [06:17]
<notmorgan> but docker-compose is ... badass [06:17]
<notmorgan> boo, a ruby thing I was trying to use doesn't work on Xenial ... [07:03]
<notmorgan> cause git-buildpackage is now "gbp buildpackage" [07:03]
* notmorgan looks at sending a quick fix. [07:03]
<janonymous> @dstanek: Thanks! [07:44]
<openstackgerrit> Eric Brown proposed openstack/keystone: Use min to avoid checking < 1 max fernet keys https://review.openstack.org/335840 [07:52]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435 [08:10]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435 [08:10]
<reedip> hi, on trying to install RDO using packstack, keystone-manage --bootstrap is giving return value of 1 [08:30]
<reedip> is there any logs to see the same? [08:30]
<notmorgan> reedip: hmm. that seems weird. [08:32]
<openstackgerrit> Andrew Liu proposed openstack/keystone: Added cache for id mapping manager https://review.openstack.org/328820 [08:33]
<notmorgan> i'm guessing an argument is somehow off or there is a conflict happening behind the scenes, unfortunately i'm not super familiar with the RDO packages atm [08:33]
<notmorgan> reedip: depending when you're around i can point you at ayoung (he has done RDO and packstack stuff) or possibly rodrigods. [08:34]
<notmorgan> reedip: i wish i was more up to speed on RDO and packstack so i could help [08:34]
<reedip> notmorgan: thanks for the suggestions and help [08:34]
<reedip> I am generally around at this time (IST, +5:30 hrs from UTC) [08:34]
<notmorgan> ayoung is around East coast (-5ish UTC) [08:35]
<notmorgan> and i think rodrigods is in brazil so similar timezone. [08:35]
<notmorgan> i should be asleep, since i'm UTC -8, and it's late here :P [08:35]
<notmorgan> or is it -7 with DST... whatever :P [08:35]
<reedip> notmorgan: I think you should :) [08:36]
<reedip> notmorgan: I am looking up the /var/log/keystone/keystone.log . so let me try to push some stuff around. If that doesn't work, I will let everyone here know :) [08:36]
* notmorgan nods [08:37]
<notmorgan> i would expect either STDOUT/STDERR or keystonelog [08:37]
<notmorgan> from bootstrap [08:37]
<notmorgan> though tbh, i haven't looked at it recently :P [08:37]
<notmorgan> it's grown a bit since i originally wrote it :P [08:37]
<kmARC> hi all, I'm trying to set up federated keystone with saml idprovider. The link to the official docs (http://docs.openstack.org/security-guide/identity/federated-keystone.html) is kind of confusing. Somewhere it uses examples with httpd (redhat terminology), other places it is apt-get install (debian/ubuntu), and points to directories and files which are not existent [09:49]
<kmARC> Especially this: [09:49]
<kmARC> "Create the directory /var/www/cgi-bin/keystone/. Then link the files main and admin to the keystone.py file in this directory." [09:50]
<kmARC> It creates an empty directory and then wants to link to files in it..? [09:50]
<kmARC> Is there a more up-to-date documentation regarding this? [09:51]
<kmARC> I'm using Ubuntu Trusty with Mitaka Keystone installed from Canonical cloud-archive [09:56]
<nisha_> hey all o/ [10:24]
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 roles https://review.openstack.org/334546 [11:57]
<TxGVNN> hello everyone. [12:10]
<TxGVNN> i have configured two server. [12:10]
<TxGVNN> one for keystone service as Identity Provider [12:10]
<TxGVNN> one for keystone service as Service Provider [12:10]
<TxGVNN> Call federation cloud or K2K=D [12:11]
<TxGVNN> And i have tested success [12:11]
<TxGVNN> But, i have a large question [12:11]
<TxGVNN> What do keystone work? [12:12]
<TxGVNN> I will show for you. [12:13]
<TxGVNN> As we see from https://cloudcomputinghust.github.io/2016/04/mo-hinh-hoat-dong-federation.html [12:14]
<TxGVNN> client interact to IdP, then interact to SP [12:14]
<TxGVNN> i don't see interact between about IdP and SP [12:15]
<henrynash_> TxGVNN: so what’s your goal here? To you already have an IdP you want to use with keystone? [12:16]
<henrynash_> (Do you already…) [12:16]
<TxGVNN> I want to understand about interact between IdP and SP [12:17]
<TxGVNN> I have tested by https://github.com/openstack/openstack-ansible/blob/master/scripts/federated-login.sh [12:18]
<TxGVNN> use user from IdP to access resource from SP [12:18]
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Add role functional tests https://review.openstack.org/335118 [12:19]
<dstanek> kmARC: did you get your questions answered? [12:22]
<dstanek> TxGVNN: i don't think there has to be a direct interaction between the IdP and the SP [12:24]
<dstanek> unless you set the IdP/SP to poll for metadata from the other [12:24]
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Add role functional tests https://review.openstack.org/335118 [12:24]
<TxGVNN> dstanek: Why Sir? https://wiki.shibboleth.net/confluence/display/CONCEPT/Home#Home-BasicInteraction [12:26]
<TxGVNN> You can see from link. diagram about SP and IdP [12:27]
<TxGVNN> I think it's a standard [12:27]
<dstanek> TxGVNN: but the user is in the middle. for example, in keystone we generate a SAML request and have that to the user in the form of a URL to redirect to [12:28]
<henrynash_> TxGVNN: so link “2” in the diagram is the web redirect to the IdP from the SP (i.e. part of SSO). This isn’t a direct “call”, rather exactly that, typically a web redirect [12:28]
<dstanek> TxGVNN: http://nsl.symc.io/SSO%20SAML%202.0_files/SSO_SAML_sequenceDiagram.jpg <- much better technical diagram [12:29]
<dstanek> the browser is basically a broker/intermediary in the transaction [12:30]
<dstanek> good morning henrynash_! [12:30]
<dstanek> or afternoon? [12:30]
<henrynash_> dstanek: afternoon (just) [12:30]
<henrynash_> TxGVNN: here some other documentation on setting of Horizon to act as that intermediary to achieve SSO: http://docs.openstack.org/developer/keystone/federation/websso.html [12:32]
<TxGVNN> dstanek: henrynash_: Thank two Sir, i got it =D [12:37]
<TxGVNN> Thank you very much [12:37]
<dstanek> TxGVNN: no problem [12:40]
<stevemar> o/ [12:40]
<dstanek> stevemar: howdy [12:44]
<breton> guyses [13:09]
<breton> have you seen https://review.openstack.org/#/c/329122/7 ? [13:09]
<patchbot> breton: patch 329122 - nova - Policy-in-code servers rules (MERGED) [13:09]
<raildo> breton: I saw it yesterday [13:10]
<raildo> breton: it was something used as base idea to propose this https://review.openstack.org/#/c/314704/2 on tempest [13:10]
<patchbot> raildo: patch 314704 - qa-specs - Policy testing APIs [13:10]
<breton> where is rderose [13:38]
<dstanek> breton: i have not seen the code, but i was at the summit discussion [13:39]
<dstanek> breton: if ron's in San Antonio this week it's only 8:30 there, if he's at home I think it's 7:30 there [13:40]
<breton> dstanek: good, thank you [13:44]
<kmARC> dstanek, sorry i was afk. no, I didn't get an answer yet [13:49]
<dstanek> kmARC: you are having trouble setting up keystone under apache? [13:50]
<kmARC> no, that's fine, standard keystone installation (with all sql backend) is fine [13:51]
<dstanek> what trouble are you having? [13:51]
<kmARC> what I'm missing here a guide that has up-to-date info about how to enable keystone as an SP only with let's say Shibboleth. [13:52]
<dstanek> kmARC: i think the docs you linked to would work [13:52]
<kmARC> what I saw in the linked docs is that those files are not existent that it refers to and also the quoted sentence does not make sense [13:52]
<dstanek> kmARC: that is for setting up keystone under apache. if you skip that and start setting up shib you should be fine [13:53]
<dstanek> kmARC: our developer guide is also pretty good. http://docs.openstack.org/developer/keystone/configure_federation.html [13:53]
<dstanek> we skip the apache bits since they are documented elsewhere [13:53]
<kmARC> this is not the one I linked [13:54]
<kmARC> it says ubuntu 12.04, you sure it works with 14.04 too? [13:54]
<dstanek> kmARC: it should be fine even with 16.04 [13:56]
<dstanek> the only thing OS specific is the packages to install (which hasn't changed) and the locations of the files (which also hasn't changed) [13:57]
<kmARC> okay [13:57]
<kmARC> then let me try it using the developer docs [13:57]
<kmARC> altho [13:58]
<kmARC> the shibboleth related page (http://docs.openstack.org/developer/keystone/federation/shibboleth.html) has this: [13:58]
<kmARC> Add WSGIScriptAlias directive to your vhost configuration: [13:58]
<kmARC> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1 [13:58]
<kmARC> I do not have /var/www/keystone/main/$1 [13:58]
<kmARC> - $1 [13:58]
<kmARC> I followed mitaka keystone install guide [13:59]
<dstanek> kmARC: what do you have instead? [14:00]
<kmARC> can you point me somewhere that describes how and when /var/www/keystone gets populated? [14:00]
<kmARC> well, /var/www/html/index.html :) [14:00]
<dstanek> kmARC: /var/www/keystone/main/$1 is the keystone application. an html file won't work. [14:01]
<kmARC> I know [14:01]
<dstanek> do you have keystone working behind apache? [14:01]
<kmARC> but I have no /var/www/keystone [14:01]
<kmARC> yes, keystone runs in apache as wsgi [14:01]
<kmARC> I followed the official install guide [14:02]
<dstanek> kmARC: /var/www/keystone/main is the wsgi script. you may be calling yours something different [14:02]
<dstanek> just use that instead [14:02]
<kmARC> http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html [14:02]
<kmARC> I can't find main, that's the problem [14:02]
<dstanek> you may have to change the values a little bit [14:02]
<kmARC> there is a standalone script in /usr/bin/ [14:02]
<dstanek> kmARC: what is in your keystone apache config? [14:02]
<kmARC> the same what http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html suggests [14:03]
<kmARC> ( WSGIScriptAlias / /usr/bin/keystone-wsgi-public ) [14:03]
<dstanek> kmARC: use that value instead then [14:03]
<kmARC> so you say instead of WSGIScriptAliasMatch-ing /var/www/keystone/$1 (which is a regexp replacement) I should write /usr/bin/keystone-wsgi-public without substituting the value coming from the regexp...? [14:05]
<kmARC> that sounds weird [14:05]
<kmARC> dstanek: Anyway, the biggest problem here I think is that we have the official install guide, and an official security guide, and if one follows the steps in the install guide, then he can't go through the security guide with enabling keystone federation, because files are missing, etc. there. This is something what we should fix (I am happy to contribute once I understand how this thing works) [14:09]
<kmARC> other problem is that now I need to leave for my flight :-) Irssi runs in tmux so you can pm me if you want :-) [14:10]
<kmARC> thanks for the help so far, I appreciate it [14:10]
<dstanek> kmARC: i actually don't think that path matters at all. in my SP i use the /var/www one, but i don't have any files there [14:10]
<dstanek> kmARC: you can probably just follow the guide and see if it works [14:10]
<breton> knikolla: i've been thinking about the mapping [14:35]
<breton> knikolla: and experimenting [14:35]
<breton> knikolla: lets not do mapping at all in the plugin [14:36]
<breton> knikolla: and leave it to the test writers [14:37]
<breton> knikolla: but we need it for creating a protocol... [14:42]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [credential] documentation https://review.openstack.org/334702 [14:46]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [eventlet_server] documentation https://review.openstack.org/335642 [14:47]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [domain_config] documentation https://review.openstack.org/335545 [14:47]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [endpoint_policy] documentation https://review.openstack.org/335638 [14:47]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [identity_mapping] documentation https://review.openstack.org/335681 [14:47]
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Add failed auth attempts logic to meet PCI-DSS https://review.openstack.org/324029 [14:50]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [federation] documentation https://review.openstack.org/335661 [15:00]
<openstackgerrit> Merged openstack/keystone: Reduce domain specific config setup duplication https://review.openstack.org/334062 [15:00]
<dolphm> nonameentername: around? [15:13]
<nonameentername> dolphm: yeah, I'm here [15:13]
<dolphm> nonameentername: we're waiting for you to discuss credential encryption [15:14]
<nonameentername> are you waiting here? [15:14]
<nonameentername> where is the discussion? [15:15]
<dolphm> nonameentername: vidyo [15:15]
<nonameentername> join #osic [15:23]
<shewless> kmARC: I just setup federation using 16.04 so I can try and answer basic questions [16:11]
<shewless> kmARC: I used http://docs.openstack.org/developer/keystone/configure_federation.html [16:12]
<shewless> dstanek: did you have a chance to look up how to use the openstack CLI as a federated user? I wasn't able to find it in the IRC archives [16:12]
<stevemar> shewless: you may have to install the master branch level of osc to try that out [16:23]
<jlk> notmorgan: yeah this is weird though. I wouldn't have expected Keystone to be doing any sort of validation of the URL provided. Nor that it would send a 400 error if the URL wasn't "right" [16:46]
<thumpba> does keystone always expose the horizon endpoint url when viewing source? [17:02]
<shewless> stevemar: do I just pull that from here: https://github.com/openstack/python-openstackclient [17:15]
<shewless> stevemar: or do I need to pip install it or something? [17:15]
<stevemar> shewless: yeah, create virtualenv with $ virtualenv <some_name>, then cd into that dir, and run $ pip install -e . [17:15]
<stevemar> oops wait, source the virtualenv [17:16]
<shewless> stevemar: does ocs use python2.7 or 3? [17:16]
<stevemar> shewless: http://paste.openstack.org/show/524308/ [17:16]
<stevemar> shewless: py27 [17:16]
<shewless> stevemar: cool so I download the python-openstackclient and then cd into it and run the command you pasted? [17:18]
<shewless> stevemar: and then once I do that how do auth as a federated user? [17:18]
<stevemar> shewless: you should see new flags in openstack --help [17:19]
thumpbadoes keystone always expose the horizon endpoint url in the horizon dashboard when viewing source?17:24
*** X-Istence is now known as x5817:24
shewlessstevemar: thanks.. I'm trying now. I just need to install x86_64-linux-gnu-gcc .. apparently it's needed to install the openstack client17:25
openstackgerritEric Brown proposed openstack/keystone: Include doc directory in pep8 checks  https://review.openstack.org/33571017:25
david-lylethumpba, your question is confusing. keystone doesn't know about horizon, so can't expose the horizon endpoint to anything17:26
*** roxanaghe_ has joined #openstack-keystone17:29
*** spandhe has joined #openstack-keystone17:30
*** imcsk8_ is now known as imcsk8|doctor17:30
*** tonytan4ever has joined #openstack-keystone17:31
*** roxanaghe has quit IRC17:32
shewlessstevemar: I don't see any additional help with the keyword "federat".. maybe you can give me a hint at what I'd be looking for in the help?17:35
stevemarshewless: oh you probably want to change your OS_IDENTITY_API_VERSION to 3  and  your OS_AUTH_URL to end in v317:38
*** spandhe_ has joined #openstack-keystone17:38
*** spandhe has quit IRC17:39
*** spandhe_ is now known as spandhe17:39
shewlessstevemar: I think I missed a step. Are you expecting me to have an rc file sourced?17:39
nisha_rodrigods, hi17:39
rodrigodshi nisha_17:40
*** tonytan4ever has quit IRC17:41
thumpbadavid-lyle: so when i view source on my horizon dashboard and i see <input id="id_region" name="region" type="hidden" value="http://172.16.108.2:5000/v2.0" />, you can see the comparison here http://pastebin.com/yHC8eT8g17:41
*** tonytan4ever has joined #openstack-keystone17:41
*** fangxu has quit IRC17:42
*** fangxu has joined #openstack-keystone17:42
nisha_rodrigods, I saw your comment on the patch Add role functional tests regarding missing cleanUp17:43
nisha_rodrigods, the same thing happened in the project functional tests17:43
shewlessstevemar: my identity is set to v3. and not sure about the auth url though17:43
rodrigodsnisha_, it was just a guess since the implied roles test has failed17:43
nisha_rodrigods, but I have used fixtures at most places17:43
rodrigodsnisha_, so the failure is in the project's functional tests17:44
rodrigodslet me check there17:44
nisha_rodrigods, can there be anything else I can check, to make sure what can cause this17:44
nisha_rodrigods, thanks17:44
*** sdake has quit IRC17:45
*** gyee has quit IRC17:48
dstanekshewless: i haven't looked, but i can look now17:48
rodrigodsnisha_, need some prints, looks like the implied roles test is not being able to create one role17:49
dstanekthumpba: that's horizon knowing about keystone, right?17:50
dstanekthumpba: what's the question?17:50
nisha_rodrigods, hmm, but I haven't used test_implied_roles.py anywhere17:51
shewlessdstanek, stevemar: I think I need to specify the --os-auth-type. Trying this: openstack project list --os-auth-type v3oidcpassword17:51
thumpbadstanek: my question is should that be visible from horizon login?17:51
shewlessdstanek, stevemar: then I tried adding the --os-auth-url "https://mycloud.foo.com" and my user name..but it says Auth plugin requires parameters which were not given: identity_provider, protocol17:51
rodrigodsnisha_, yeah... let's dig into it to find out what's going on17:52
shewlessnot sure how to specify those parameters17:52
dstanekthumpba: so should horizon expose the keystone endpoint? i shouldn't hurt17:52
dstaneks/i/it/17:52
thumpbaokay, just curious17:52
dstaneki actually don't currently hurt17:52
nisha_rodrigods, sure, le'me know if I need to check anything or some other work I can help in17:52
dstanekthumpba: david-lyle would know if that's intentional, but the user needs to know that anyway for command line usage17:52
rodrigodsnisha_, i'm going to execute your patch locally and add prints to test_implied_roles17:53
nisha_rodrigods, alright17:53
thumpbadstanek: true, but if an unintended party was able to see that, it could give them a point of attack17:53
dstanekthumpba: the keystone url isn't a secret17:53
dstanekthumpba: does it show that before you are authenticated?17:54
thumpbadstanek: maybe the better question is, can i hide that from the login17:54
dstanekthumpba: also most clouds publish the auth url publicly anyway17:55
thumpbadstanek: you can only see it if you view source on the login page17:55
dstanekthumpba: it may be hard to hide that because if you allow federated authentication then it has to be exposed17:55
shewlessthumpba: you can make the keystone url  use SSL if that would help :)17:56
*** roxanaghe__ has joined #openstack-keystone17:57
thumpbashewless: good point17:58
*** roxanaghe_ has quit IRC18:00
dstanekif you are creating a non-development cloud then it should be SSL18:02
thumpbashewless: but it is the internal url not the public that is "publicly" viewable18:02
shewlessIE: NOT port 5000?18:03
thumpbashewless: no its port 5000 but "| internalurl  | http://172.16.108.2:5000/v2.0    | "18:03
thumpbaas opposed to "| publicurl    | http://172.16.107.226:5000/v2.0  | "18:04
shewlessdstanek, stevemar: would really appreciate some help getting the osc working with federated user.  I have the osc from the master branch but I have no idea what I'm doing18:04
dstanekshewless: looking for my example now18:04
shewlessthumpba:  hmm. mine is one and the same (only public) and using SSL18:05
rodrigodsnisha_, 'keystoneclient-functional-140b1e1d6d5542f0b7cab8d7e04cbc06' appears in test_implied_roles18:05
rodrigodsnisha_, it is the role fixture, right?18:05
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833918:05
dstanekthumpba: i don't think horizon is getting that from the catalog. i would guess it's configured to use that url18:05
*** ravelar159 has quit IRC18:06
dstanekthumpba: does horizon have their own channel? you might have more luck finding somebody there that knows how it works18:06
nisha_rodrigods, I don't know. I haven't written test_implied_roles files. But I have added code in client_fixture.py to for role18:07
thumpbadstanek: will do. i wasn't sure if that was something that keystone was putting out there. thanks18:07
dstanekthumpba: unless you are talking directly through keystone it horizon thing. they have complete control over what is displayed.18:08
rodrigodsnisha_, i'm not saying you wrote test_implied_roles, i'm saying the fixture used in test_projects is appearing in test_implied_roles18:09
dstanekshewless: http://paste.openstack.org/show/524316/18:09
*** mvk has joined #openstack-keystone18:09
nisha_rodrigods, hmm okay18:10
*** chrisshattuck has quit IRC18:11
*** ddieterly[away] is now known as ddieterly18:12
nisha_rodrigods, I don't understand why test_projects is interfering with test_implied_roles? Anything I can do to fix this up18:12
rodrigodsnisha_, think it is related with the order the stuff is erased in the test18:12
rodrigodsnisha_, in test_get_hierarchy_as_list18:12
dstanekshewless: that is based on a working test script that i use18:14
rodrigodsnisha_, keystone only allows the deletion of project without children, it might be the case where the test is trying to delete a project that has children so the cleanup fails18:14
rodrigodsnisha_, it is just a guess, because removing that test, everything works fine18:14
nisha_rodrigods, ohh18:15
dolphmrderose: i've been poking at https://review.openstack.org/#/c/328339/ and i'm not sure you're keeping & discarding the correct passwords in all cases18:15
patchbotdolphm: patch 328339 - keystone - PCI-DSS Password history requirements18:15
nisha_rodrigods, Also, why some tests, run successfully once, but after sometime they fail when I do recheck18:16
rderosedolphm: really? passwords are added at the end of the list and discarded from the beginning18:16
rodrigodsnisha_, might be the order they are ran18:16
nisha_rodrigods, thanks for help18:17
dolphmrderose: maybe you can walk me through it a bit18:17
dolphmrderose: the complexity and importance of _truncate_passwords is still raising red flags for me18:17
dolphmrderose: when it's called, the *new* password has not been added to the list, yet, correct?18:17
rderosedolphm: correct18:18
rodrigodsnisha_, np, please let us know of your findings :) you can debug this by creating an internal add_cleanup() method that prints the entity it is trying to erase before calling addCleanup18:18
*** thumpba has quit IRC18:18
*** roxanaghe__ has quit IRC18:18
nisha_rodrigods, sure :)18:19
nisha_rodrigods, le me try18:19
dolphmrderose: i can definitely make your tests pass when i intentionally break _truncate_passwords(), because the tests don't seem to care about *which* passwords were removed18:19
dolphmrderose: just that the right number of passwords remain18:19
rderosedolphm: and the passwords list is sorted in the sql model18:20
shewlessdstanek: thanks. so I can't use the openstack client directly?18:20
*** RichardRaseley has joined #openstack-keystone18:20
rderosedolphm: the right number and the right passwords should remain because they are sorted18:20
shewlessdstanek: what is sp_id and idp_id?18:21
rderosedolphm: how do you intentionally break _truncate...?18:21
dolphmrderose: i'm saying i can arbitrarily remove passwords and the tests pass18:21
dolphmas long as the number of passwords is correct18:21
dolphmrderose: by rewriting it18:21
rderosedolphm: hmm...18:22
dolphmrderose: i'm trying to understand it in the process18:22
RichardRaseleyCan anyone direct me towards a detailed explanation of how Keystone interacts with memcache? I am generally aware that it employs two different caching strategies, one for tokens and one for more general request caching (if that is correct?).18:22
rderosedolphm: process is 1) update password 2) get previous passwords 3) validate against previous passwords18:23
dstanekshewless: i don't think the cli client has support for that yet18:23
dstanekshewless: those should be _ip18:23
rderosedolphm: you wouldn't be removing passwords as part of an update18:23
*** amoralej is now known as amoralej|off18:24
dstanekRichardRaseley: yes, sorta. the token cache is actually a driver and not an actual cache (you should not use that). otherwise keystone uses oslo.cache to cache other things.18:25
dstanekRichardRaseley: are you looking for something specific?18:25
dolphmrderose: and when there's no max password count configured, you always truncate to just 1 password, right?18:26
dstanekRichardRaseley: http://docs.openstack.org/developer/keystone/configuration.html#caching-layer18:27
RichardRaseleydstanek: Well, we are having some really weird behaviors with authenticating, services logging that they couldn't validate tokens and such. I started looking through my Keystone configuration, just to validate things and then realized I didn't really understand how the two were different.18:27
RichardRaseleydstanek: When you say above "you should not use that", what was the 'that' you were referring to?18:27
dstanekRichardRaseley: the memcached token backend18:28
shewlessdstanek: okay. stevemar was saying that the master branch of ocs works.. I guess not?18:28
rderosedolphm: right, unless you don't have any previous passwords n > 0 in _truncate...18:28
RichardRaseleydstanek: Oh? I thought that was recommended in Kilo.18:28
dstanekRichardRaseley: so you are seeing log entries from auth_token saying it could not authenticate?18:28
*** nisha_ has quit IRC18:29
rderosedolphm: if no previous passwords, then the passwords are not truncated18:29
*** thumpba has joined #openstack-keystone18:29
dstanekRichardRaseley: it has too many pitfalls and corner cases. for example, memcached may remove token from the cache when it wants to. they would make tokens not work and you'd have to auth to get a new one.18:30
*** nisha_ has joined #openstack-keystone18:30
*** TxGVNN has quit IRC18:30
dstanekif memcached is down completely you might not be able to auth at all (i'd have to check the code)18:30
RichardRaseleydstanek: I feel like we might have a couple issues here, which makes it a little hard to know where one starts and the other ends. I am seeing a few different things. In keystone logs I see a lot of 'WARNING keystone.common.wsgi [-] Could not find token: c07cf093cab14558a97884d4af44b220'18:30
rderosedolphm: otherwise correct, always truncate to 1 password18:30
RichardRaseleyWith different tokens, over and over.18:30
shewlessdstanek: so I tried putting your paste into a file and executing it.. that didn't work. ImportError: No module named keystoneauth118:30
dstanekshewless: you are missing dependencies in your environment18:31
shewlessdstanek: I guess in the end I'm trying to deploy openstack to a bunch of users.. so OSC would need to work18:31
dolphmrderose: the "unless" and "otherwise" imply to my ears that there is room for simplification18:31
RichardRaseleyI am seeing the corresponding errors in Neutron that say token cannot be found, authorization failed.18:31
dstanekshewless: stevemar may be right. it was in development when i was doing my work. he would know better about the state of that project18:31
shewlessdstanek: okay thanks. Do you know how I would use the OCS if it would support federation?18:32
dolphmrderose: so, if we change the default value from None to 1, that fits the business case of "if i don't want this feature, i only expect there to ever be 1 password in the history table", right?18:32
rderosedolphm: okay, I'm open to suggestions :)18:32
dstanekRichardRaseley: are you using the memcached token backend?18:32
shewlessdstanek: I'm missing a lot of things in my environment.. I don't even have an environment!18:32
dstanekshewless: nope, you'll have to look at the docs18:32
RichardRaseleydstanek: But, just to confirm my understanding, we have the following 3 sections we have to configure for memcache in keystone: [cache], [memcache], and [token]18:33
RichardRaseleydstanek: Yes, we are.18:33
rderosedolphm: min value is 218:33
RichardRaseleyWe were considering switching to the SQL backend18:33
dolphmrderose: so the min becomes 118:33
shewlessdstanek: which docs? I want to look at them but I don't know where they are18:33
*** GB21 has quit IRC18:33
dolphmrderose: 1 means there's no "history"18:33
dolphmrderose: 2 means you have 1 password in history, etc18:33
rderosedolphm: but we don't allow 118:33
dolphmrderose: this is just a thought experiment18:33
rderosedolphm: okay18:34
dolphmrderose: what if we changed the default to 1, then changed the min to 118:34
*** jsavak has quit IRC18:34
*** thumpba has quit IRC18:34
dolphmrderose: then you'd never be checking to see if max_cnt is zero18:34
*** roxanaghe has joined #openstack-keystone18:34
*** jsavak has joined #openstack-keystone18:34
dolphmrderose: in fact, the ternary around gathering a value for that config option entirely goes away18:34
RichardRaseleydstanek: Are you suggesting we switch to SQL?18:34
dolphmrderose: because you have something >= 118:34
RichardRaseleyWe have a 3-node HA cluster.18:34
dstanekshewless: http://docs.openstack.org/developer/python-openstackclient/18:34
dolphmrderose: so then _truncate_passwords never has to worry about max_cnt == 018:35
*** thumpba has joined #openstack-keystone18:35
dolphmrderose: and _validate_password_history() always gets a non-zero max_cnt to work with, so the conditional is ALWAYS met18:35
dstanekRichardRaseley: that is a bigger operational discussion for you to have, but i wouldn't use the memcached backend for a variety of reasons18:35
shewlessdstanek: should I use --os-auth-type v3oidcpassword?18:35
*** thumpba has quit IRC18:35
dstanekRichardRaseley: is memcached up and is it getting data saved to it18:35
*** thumpba has joined #openstack-keystone18:36
dolphmrderose: so, that basically leaves _truncate_passwords with a one-liner18:36
dstanekshewless: no idea18:36
RichardRaseleydstanek: Fair enough. So if were to go that route (SQL backend) we would configure that in the 'token' configuration section, but preserve the memcache and cache configuration for the other caching Keystone is doing?18:37
dolphmrderose: and if you use a slice instead of del, you can safely perform the operation unconditionally18:37
RichardRaseleydstanek: Yes, it is up and data is being written to it.18:37
dolphmrderose: http://cdn.pasteraw.com/ozdho47ylalklsm6preyq251oxl5l6318:37
*** pnavarro has quit IRC18:38
*** henrynash has joined #openstack-keystone18:38
*** ChanServ sets mode: +v henrynash18:38
dstanekRichardRaseley: i'd have to look at the code or example config, but i think the memcached section is just for the token cache18:38
RichardRaseleyOK18:39
dstanekRichardRaseley: have you looked at what token is being used against the service and see if keystone knows about it?18:39
rderosedolphm: looks sound :)  let me play with it and I'll update the patch18:40
*** henrynash has quit IRC18:41
RichardRaseleydstanek: You're asking if I've seen a failed request, looked at the auth token, then done a token validate on it?18:41
rderosedolphm: and thanks, that definitely simplifies the logic18:42
dstanekRichardRaseley: yes18:42
dolphmrderose: i'm paranoid that i did something wrong because i had to revise the tests18:42
rderosedolphm: I know coding that, certainly made my head hurt18:43
dstanekRichardRaseley: the first step is to get a token from keystone and then validate it to know that keystone is generally working.18:43
dstanekRichardRaseley: then i'd try to take a token that should work, but doesn't according to the logs and if it works18:43
RichardRaseleydstanek: Sorry I wasn't more clear. This is an otherwise functioning cloud that is just exhibiting these symptoms intermittently.18:43
dstanekRichardRaseley: then i could check a token that should work, but doesn't.18:44
rderosedolphm: if there was 1 previous password and max count is 1, you'll truncate before the check, right?18:44
dstanekRichardRaseley: is your memcache showing evictions18:44
RichardRaseleyI can launch instances, attach IPs, do work, whatever, but about 2-3% of the time I get an auth error in web-ui or cli and auth errors in log. Was working on the memcache evicting tokens theory, started digging through config, realized I didn't understand the difference between some of the options and asked in channel.18:45
RichardRaseley</story of my life.18:45
rderosedolphm: so then there wouldn't be a password to check against18:45
dstanekRichardRaseley: did you check memcache to see if it's evicting?18:45
dolphmrderose: uhh, it should still be there to check against18:45
rderosedolphm: :)18:45
RichardRaseleydstanek: I have not checked that specifically. I am going to have to review the docs for the way to go about that.18:46
dolphmrderose: >>> [0][-1:]18:46
dolphmrderose: [0]18:46
rderosedolphm: ah, okay18:46
dstanekRichardRaseley: if you run the stats command against memcache it'll show you the evictions18:47
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336018:52
*** dan_nguyen has joined #openstack-keystone18:54
*** samueldmq has joined #openstack-keystone18:57
shewlessstevemar: I guess if you get back and you could help me with the master branch of the osc it would be appreciated.18:57
*** bjornar_ has joined #openstack-keystone18:58
*** samueldmq has quit IRC19:00
*** setuid has left #openstack-keystone19:01
*** chrisshattuck has joined #openstack-keystone19:01
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [memcache] documentation  https://review.openstack.org/33625919:01
*** chrisshattuck has quit IRC19:07
*** gordc has quit IRC19:07
*** jsavak has quit IRC19:07
*** jsavak has joined #openstack-keystone19:08
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833919:09
*** jed56 has quit IRC19:15
notmorgandstanek: man i just wrote a novel on https://bugs.launchpad.net/horizon/+bug/159786419:15
openstackLaunchpad bug 1597864 in OpenStack Security Advisory "Horizon exposes keystone endpoint url when viewing login source code" [Undecided,Incomplete]19:15
notmorgandstanek: :P19:15
notmorgandolphm: how did the encrypted creds talk go?19:15
*** chrisshattuck has joined #openstack-keystone19:16
notmorgandolphm: i only ask because -- i didn't see any update here. :)19:16
dstaneknotmorgan: about how we do key rotation?19:17
notmorgandstanek: yeah and other such things. that nonameentername and dolphm were discussing earlier today19:17
dstaneknotmorgan: we're going to do it more like we do fernet rotation so that it's easier on operators and avoid the staging key corner cases19:17
notmorgandstanek: cool.19:18
dstaneknotmorgan: in the middle of your novel :-)19:18
notmorganhehe19:18
notmorgani warned you, it is a novel19:18
dstaneki can't disagree with you (on the content that is)19:19
*** jsavak has quit IRC19:19
*** chrisshattuck has quit IRC19:21
*** ravelar159 has joined #openstack-keystone19:21
notmorgandstanek: i just felt like a lot more information was needed on why this isn't a bug. we could make this better/different, but it's not really worth it until we change how service->service works.19:21
notmorganbut i'm going to still argue catalog isn't really priv. info19:22
notmorgandstanek: hmmm... so i had fun, learned how to build .debs in docker containers for isolated builds [ with relatively simple tools, docker-compose is damn cool ]19:23
dstaneknever had to use it. i've mostly stayed away from docker in favor of lxd/lxc19:24
*** fangxu has quit IRC19:25
*** ravelar159 has quit IRC19:25
*** darosale has quit IRC19:25
notmorgandstanek: you can do it directly with lxd/lxc, but docker-compose is kindof awesome, i built a simple dockerfile, and a .yaml, said docker-compose build, and it built the environment for me (scripted), then docker-compose run and it builds the packages and drops them on the FS locally for me.19:25
notmorgandstanek: had to do some hacking to make it work with Xenial, but i'd have had to do the same things with lxc/lxd19:26
* notmorgan even used ... *gasp* ruby.19:26
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [oauth1] documentation  https://review.openstack.org/33626619:28
*** jsavak has joined #openstack-keystone19:30
notmorganuh... why do we have config options defined out of keystone.common.config? I thought we didn't do that because if we *do* we end up with configs that are initialized before the server is.19:30
notmorgandolphm, stevemar: ^ see dolph's patch (not the patch, but that there is an option in the file]19:31
notmorganor are we moving how all these things work?19:31
dstaneknotmorgan: moving how they work19:31
dstanekthis is following the nova lead so we don't have that initialization problem19:32
notmorganoh dear god.19:32
notmorganthis looks awful.19:32
dolphmnotmorgan: keystone.conf?19:32
dstanekhow so? i like the organization better19:32
notmorgani dislike it being quite so flat.19:32
dolphmnotmorgan: i deleted keystone.common.conf altogether, but there are a few stragglers defined randomly19:33
dstanek"flat is better than nested"19:33
notmorganeh, sortof?19:33
bknudson_I was going to check to see if the initialization happens on import19:33
notmorganbknudson_: iirc it does.19:34
*** darosale has joined #openstack-keystone19:34
notmorganwhich is why we locked it in a method we called.19:34
notmorganbut i also might be totally mis-remembering19:34
bknudson_I'm not a fan of things happening on import in general19:34
notmorganoh maybe it's tied to "register"19:35
notmorgan?19:35
dolphmbknudson_: notmorgan: they're registered once on import, assuming you're reading options from keystone.conf and not from oslo_config.cfg.CONF https://github.com/openstack/keystone/blob/master/keystone/conf/__init__.py#L91-L9319:35
notmorgandolphm: then don't do that.19:35
notmorgandolphm: it should still be gated via an explicit register_opts()19:35
*** sheel has quit IRC19:35
notmorganthe reason we changed this is so that you can't access an option and default value before the config is loaded19:36
bknudson_I'd prefer we didn't do that... easy enough to make that a function and call it where necessary19:36
notmorganwe had a lot of issues.19:36
dolphmnotmorgan: that is still true19:36
notmorgandolphm: not based on what you said19:36
bknudson_issues that were impossible to test19:36
dolphmnotmorgan: in fact, is more true now, because you can't accidentally register things twice19:36
notmorganyou said it's handled in __init__19:36
notmorganon import19:36
notmorganbefore we did import, then .configure() to register19:37
dolphmoops, i did mistype... "they're registered once on import, assuming you're ***NOT*** reading options from keystone.conf and not from oslo_config.cfg.CONF"19:37
notmorganwhich is the pattern i would like to keep.19:37
dolphmwait, dammit19:37
*** tonytan4ever has quit IRC19:37
dolphmi had it right the first time, nevermind19:37
notmorgandolphm: yeah see :P19:37
dolphmoptions are registered once, period19:37
notmorganright, so...19:37
notmorgani'm 100% ok with that.19:37
dolphmyou can't re-register them, and there's no explicit work to do other than try to read from keystone.conf19:38
notmorgani remember nightmares of import registering, and something accessing config BEFORE keystone.conf is loaded19:38
notmorganso, i don't want to go back to that hell19:38
notmorganhence the ask for a simple .run_register()19:38
dolphmnotmorgan: i don't see how we can go back to that hell if it's done automatically on import19:38
notmorgantype function that is explicitly called once we know everything is loaded19:38
bknudson_there were references to config option in, for example, default arguments19:38
*** chrisshattuck has joined #openstack-keystone19:39
notmorgandolphm: because other things can reference the config object now and get the defaults on import19:39
dolphmnotmorgan: the other constraint is that options should not be registered outside of keystone.conf19:39
notmorganit's not registering it's code referencing the config object and the options19:39
bknudson_or there may be references to config options in module-level variables, too.19:39
dstaneknotmorgan: code using the config on import would be terrible either way19:39
*** aloga_ has joined #openstack-keystone19:39
notmorgandstanek: that is why we explicitly blocked it before19:39
*** tqtran has joined #openstack-keystone19:39
notmorganso it *cant* happen19:40
notmorganit would explode19:40
notmorganthis makes it so it is possible again.19:40
dolphmnotmorgan: ah, we're talking about slightly different problems then19:40
notmorgansince the options are registered on import19:40
notmorgandolphm: yah, i don't mind the change i want to keep the pattern we had were we have an explicit "register_all_the_options" method we call19:40
notmorganfor making sure no one sneaks in broken code by accident19:40
*** hoonetorg has quit IRC19:40
bknudson_look at this!: https://review.openstack.org/#/c/334673/1/keystone/common/validation/parameter_types.py19:41
patchbotbknudson_: patch 334673 - keystone - Allow id string validation to be configurable19:41
dstanekin my mind *nothing* should import the config directly and instead should be passed an object in the constructor - just the very top level would import config19:41
bknudson_this is exactly the problem.19:41
*** nisha_ has quit IRC19:41
notmorgandolphm: so prior to this flattening, that would have exploded vs. passing19:42
notmorganbknudson_: ++19:42
notmorganbknudson_: good find so quickly btw.19:42
bknudson_I'd seen it passing by and wondered how it was implemented now.19:43
dolphmso, what caused the explosion, exactly?19:43
bknudson_the options weren't registered, so some kind of reference error19:43
dolphmso, now they're registered but not initialized, right?19:44
notmorgandolphm: oslo config would say "NO SUCH OPTION"19:44
dolphmwith values from config files, etc19:44
dolphmso, why don't we also initialize before keystone.conf is finished importing19:44
bknudson_it's registered but the config hasn't been read yet.19:44
notmorgandolphm: right, so you'll in that case never get the value from keystone.conf19:44
notmorgandolphm: since you've bound "pattern" to the default value19:44
dolphmthen we don't have to have wsgi code initializing config, and keystone-manage code initializing config, and unit tests initializing config...19:45
bknudson_not sure how the configuration could happen on import, it would need the parameters19:45
notmorgandolphm: we can't read the config on import really? needs to be at runtime.19:45
bknudson_although we've gotten rid of keystone-all so maybe not a problem anymore.19:45
notmorganbknudson_: eh, this will still be an issue.19:45
notmorgani think.19:46
dolphmnotmorgan: how is nova solving (or not solving) this problem?19:46
notmorganignoring it19:46
notmorganand banking that bugs/reviewers will catch it.19:46
notmorganafaik19:46
*** daemontool_ has quit IRC19:46
bknudson_might want to do a quick check of nova code to see if there are references to unconfigured options19:47
*** jaugustine has joined #openstack-keystone19:47
shewlessdoes anyone know if using the top example here should give me an unscoped token: http://docs.openstack.org/developer/keystone/api_curl_examples.html19:47
shewlessI get a 401 when I try that19:47
notmorgani'm guessing they do a config load early in the wsgi process, but... it still begs the question, why not make it hard to pass through, since we have had this issue before19:47
notmorganand it caused all sorts of odd behavior19:48
*** aloga_ has quit IRC19:48
dolphmjohnthetubaguy: ping, wondering if nova has the possibility for races between things utilizing registered but still-unconfigured configuration options with the new nova.conf package19:48
notmorgandolphm: iirc it's always had that possibility.19:48
notmorganeven before this new package.19:48
notmorganbut they may also only ever reference config values in methods/functions which is safe.19:49
notmorganjust ... easy for an import reference to sneak through.19:49
*** tonytan4ever has joined #openstack-keystone19:50
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [policy] documentation  https://review.openstack.org/33626719:51
*** hoonetorg has joined #openstack-keystone19:52
openstackgerritDolph Mathews proposed openstack/keystone: Do not register options on import  https://review.openstack.org/33626819:53
dolphmnotmorgan: untested ^19:53
*** ddieterly is now known as ddieterly[away]19:53
notmorgandolphm: yeah you're probably going to need a hook somewhere to do that for you now.19:53
notmorganbut everything should explode.19:54
dolphmnotmorgan: see L139 and L14019:54
notmorganwe used to call keystone.common.config.configure()19:54
dolphmnotmorgan: that basically didn't change from keystone.common.config19:54
notmorganah19:54
notmorganso, i think you need to move your code down into that, and make .configure() only runnable once?19:55
notmorgansince i think no opts are going to be registered now19:55
dolphmnotmorgan: nothing prevented it from being called twice before19:55
*** roxanaghe has quit IRC19:55
notmorgandolphm: except it would explode after keystone.conf was loaded19:55
notmorgani guess that is fine.19:55
notmorganre-registering opts is safe as long as keystone.conf hasn't been loaded19:56
notmorganit doesn't impact anything.19:56
notmorganoslo.config is safe in that regard.19:56
dolphmnotmorgan: the code in keystone.common.config before i touched it https://github.com/openstack/keystone/blob/3f78996cfa163291cadecb72fb3c102e578bec0d/keystone/common/config.py#L1177-L120119:56
notmorgandolphm: and now https://github.com/openstack/keystone/blob/3f78996cfa163291cadecb72fb3c102e578bec0d/keystone/common/config.py#L1191-L1196 is missing19:57
notmorganso you're not actually registering the options from keystone.conf19:57
notmorganin the new code19:57
dolphmnotmorgan: the single for loop replaces it19:57
notmorganoh i'm just blind19:58
notmorgani can't see the for loop19:58
notmorganit's hiding under the register_cli_opt19:58
notmorganin plain sight19:58
notmorgandolphm: so, yeah that should do it as long as we haven't grown magical dependencies on config options on import somewhere in the mean time :)19:59
notmorgandolphm: maybe i need more coffee...19:59
notmorganor ... any coffee?19:59
dolphmnotmorgan: i left a handful of other notes here https://review.openstack.org/#/c/325604/8/keystone/common/config.py19:59
patchbotdolphm: patch 325604 - keystone - Replace keystone.common.config with keystone.conf ... (MERGED)19:59
dolphmnotmorgan: and then here as well https://review.openstack.org/#/c/325604/8/keystone/conf/__init__.py19:59
patchbotdolphm: patch 325604 - keystone - Replace keystone.common.config with keystone.conf ... (MERGED)19:59
dstanekcan't oslo.config just throw an error if the config hasn't been read and someone is trying to use it20:02
*** ddieterly[away] is now known as ddieterly20:02
notmorgandstanek: possibly, but i mean, maybe there is no config file to read? so in either case we need to do .load_config_if_needed_and_mark_conf_initialzed or something20:03
notmorgandstanek: i think it's a feature request for oslol.config for better UX from a dev standpoint, but for now we have a path forward.20:04
dolphmnotmorgan: py27 tests pass with that change20:05
notmorgandolphm: cool20:05
notmorganWFM.20:05
*** tonytan4ever has quit IRC20:05
bknudson_dstanek: that would be a nice feature!20:06
*** tonytan4ever has joined #openstack-keystone20:06
dstaneknotmorgan: i'm not sure i'm parsing tristan's comment properly20:07
*** dan_nguyen has quit IRC20:09
notmorganhe's just commenting that this is a MOS bug or Openstack Ansible or whatever is configuring it20:09
*** tqtran has quit IRC20:09
notmorganor it's that MOS/Ansible/Whatever explicitly sets the horizon config value to "internal"20:09
notmorganand he was pointing to the documentation explaining how to pick the right endpoint20:10
*** tqtran has joined #openstack-keystone20:10
dstaneknotmorgan: gotcha. so i was parsing correctly-ish, thx20:10
notmorganand that horizon was set that way explicitly.20:10
notmorganbased on the doc.20:10
dstaneksounds like maybe that bug needs to be on some of the CM tools then20:11
*** mwheckmann has quit IRC20:11
notmorganwell... sure?20:11
*** tonytan4ever has quit IRC20:12
dstaneknot necessarily because it's a security thing, but for horizon to actually work when the internal endpoints are locked down20:12
notmorgandepends on if django is doing the request or the browser20:12
*** jaugustine has quit IRC20:12
*** tonytan4ever has joined #openstack-keystone20:13
*** tqtran has quit IRC20:15
dstanekstevemar: re:https://review.openstack.org/#/c/333490 is the actual message not returned/shown to the user?20:15
*** tqtran has joined #openstack-keystone20:15
dstaneknotmorgan: for federated login i think the user is redirected to keystone and from there back to horizon. although that interaction could happen in django20:16
notmorgandstanek: yeah20:17
*** tonytan4ever has quit IRC20:17
*** tonytan4ever has joined #openstack-keystone20:18
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336020:18
*** fangxu has joined #openstack-keystone20:23
*** spzala has quit IRC20:25
*** gyee has joined #openstack-keystone20:26
*** ChanServ sets mode: +v gyee20:26
*** ddieterly is now known as ddieterly[away]20:26
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336020:31
*** jaugustine has joined #openstack-keystone20:35
*** aloga_ has joined #openstack-keystone20:36
*** imcsk8|doctor is now known as imcsk820:39
*** toddnni has quit IRC20:39
*** thumpba has quit IRC20:40
*** rcernin has joined #openstack-keystone20:41
*** toddnni has joined #openstack-keystone20:44
stevemardstanek: o/20:45
dstanekstevemar: howdy20:45
stevemardstanek: looking at https://review.openstack.org/#/c/333490/2/20:46
patchbotstevemar: patch 333490 - keystone - Additional logging when authenticating20:46
stevemarwhat actual message are you talking about?20:46
dstanekstevemar: line 185 for example on https://review.openstack.org/#/c/333490/2/keystone/auth/controllers.py20:47
patchbotdstanek: patch 333490 - keystone - Additional logging when authenticating20:47
*** ddieterly[away] is now known as ddieterly20:48
dstanekor any of them really20:48
dstanekthe reason for this patch is that users won't know what is wrong when they can't auth and they'll need to call the cloud admin who can find it in the log20:49
stevemardstanek: it'll still raise an exception20:51
stevemarwith the same message as before20:51
stevemardstanek: i don't see how it's any different than before, aside from more logging20:52
stevemardstanek: or are you saying the fix is not sufficient?20:53
*** jaugustine has quit IRC20:54
*** raildo is now known as raildo-afk21:02
*** henrynash has joined #openstack-keystone21:03
*** ChanServ sets mode: +v henrynash21:03
*** henrynash has quit IRC21:04
browneHi all.  I'm running into an issue in Mitaka (after upgrade from Kilo) where a user isn't authorized to a role on a project even though I just assigned it.  It seems caching related and does disappear after turning off caching of roles.  Any known issues around this?  In flight patch?21:08
*** gagehugo has quit IRC21:10
*** jaugustine has joined #openstack-keystone21:11
*** pauloewerton has quit IRC21:11
dstanekstevemar: i don't care if we add extra logging. i just don't see it as a fix to anything. the user should be getting an error message that would let them know what they are doing wrong.21:12
*** jaugustine has quit IRC21:13
*** ametts has quit IRC21:13
*** jaugsutine has quit IRC21:13
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336021:14
openstackgerritEric Brown proposed openstack/keystone: Include doc directory in pep8 checks  https://review.openstack.org/33571021:14
*** roxanaghe has joined #openstack-keystone21:18
*** ddieterly is now known as ddieterly[away]21:18
*** ddieterly[away] is now known as ddieterly21:20
*** tonytan4ever has quit IRC21:21
*** edmondsw has quit IRC21:24
*** notmyname has quit IRC21:28
*** notmyname_ has joined #openstack-keystone21:28
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833921:29
*** notmyname_ is now known as notmyname21:29
*** ayoung has quit IRC21:34
*** jefrite has quit IRC21:34
*** jefrite_ has joined #openstack-keystone21:36
*** hoonetorg has quit IRC21:45
*** KevinE_ has quit IRC21:45
*** BjoernT has quit IRC21:45
*** iurygregory has quit IRC21:45
*** mordred has quit IRC21:45
*** mkoderer__ has quit IRC21:45
*** ianw has quit IRC21:45
*** hogepodge has quit IRC21:45
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833921:46
*** jamie_h has quit IRC21:47
*** RichardRaseley has quit IRC21:48
*** roxanaghe has quit IRC21:49
*** sdake_ has joined #openstack-keystone21:53
*** sdake_ has quit IRC21:53
*** sdake_ has joined #openstack-keystone21:53
*** rvba has quit IRC21:55
*** iurygregory has joined #openstack-keystone22:01
*** catintheroof has joined #openstack-keystone22:03
*** ddieterly is now known as ddieterly[away]22:05
*** slberger has left #openstack-keystone22:15
*** julim has joined #openstack-keystone22:16
notmorganstevemar: this sounds like a case where we should include error codes22:17
notmorgansomething that can clearly communicate things like "bad domain data" where it still needs to say unauthorized22:17
notmorganor erm not bad domain data, invalid domain name - may not contain special characters22:18
notmorganor whatever22:18
notmorganbut we don't want to expose all the debug info in our exceptions...22:18
notmorganso maybe a consistent error code included with the HTTP status?22:18
notmorganand we can publish what they are? or we could just include debug_msg and non-debug in things like unauthorized22:19
notmorganfor where we need to communicate things like "this request included an invalid-format for domain name"22:19
*** henrynash has joined #openstack-keystone22:21
*** ChanServ sets mode: +v henrynash22:21
*** mordred has joined #openstack-keystone22:22
*** ntpttr has quit IRC22:31
*** ntpttr has joined #openstack-keystone22:31
*** sdake_ has quit IRC22:33
*** ddieterly[away] is now known as ddieterly22:36
*** jamielennox|away is now known as jamielennox22:37
*** roxanaghe has joined #openstack-keystone22:38
*** rderose has quit IRC22:44
*** aloga_ has quit IRC22:49
*** dan_nguyen has joined #openstack-keystone22:53
*** tqtran has quit IRC22:59
*** KevinE has joined #openstack-keystone23:00
*** ddieterly is now known as ddieterly[away]23:02
*** ddieterly[away] has quit IRC23:02
*** tqtran has joined #openstack-keystone23:03
*** darosale has quit IRC23:05
*** tqtran_ has joined #openstack-keystone23:07
*** tqtran has quit IRC23:07
*** ayoung has joined #openstack-keystone23:09
*** ChanServ sets mode: +v ayoung23:09
*** KevinE has quit IRC23:10
*** sdake has joined #openstack-keystone23:11
*** sdake has quit IRC23:11
*** catintheroof has quit IRC23:18
*** jbell8 has joined #openstack-keystone23:20
*** jsavak has quit IRC23:21
*** markvoelker has quit IRC23:21
*** tqtran has joined #openstack-keystone23:22
*** tqtran_ has quit IRC23:24
*** tqtran_ has joined #openstack-keystone23:27
*** EinstCrazy has joined #openstack-keystone23:28
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Adds password_expires_at to API docs  https://review.openstack.org/33631823:29
*** tqtran has quit IRC23:29
*** fangxu has quit IRC23:29
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336023:31
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Adds password_expires_at to API docs  https://review.openstack.org/33631823:31
*** rderose has joined #openstack-keystone23:33
*** EinstCrazy has quit IRC23:33
*** jbell8 has quit IRC23:35
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add create_plugin to loader  https://review.openstack.org/33311923:37
*** rderose has quit IRC23:42
*** BjoernT has joined #openstack-keystone23:44
*** bjornar_ has quit IRC23:49
*** BjoernT has quit IRC23:50
*** spandhe has quit IRC23:57
*** hogepodge has joined #openstack-keystone23:59
