Monday, 2016-07-25

« Sunday, 2016-07-24 Index Tuesday, 2016-07-26 »
*** Dave has quit IRC00:00
*** shoutm has joined #openstack-keystone00:04
*** tonytan4ever has joined #openstack-keystone00:11
*** bknudson has joined #openstack-keystone00:13
*** ChanServ sets mode: +v bknudson00:13
*** bknudson has left #openstack-keystone00:14
*** code-R has joined #openstack-keystone00:16
*** code-R_ has joined #openstack-keystone00:17
*** code-R has quit IRC00:20
*** david-lyle_ has joined #openstack-keystone00:22
*** david-lyle_ has quit IRC00:27
*** korean101 has quit IRC00:53
*** chlong has quit IRC00:54
*** spandhe has quit IRC00:56
*** chlong has joined #openstack-keystone01:11
*** chlong is now known as chlong_POffice01:21
*** tqtran has joined #openstack-keystone01:36
*** tqtran has quit IRC01:40
*** davechen has joined #openstack-keystone01:46
*** code-R_ has quit IRC01:53
*** david-lyle_ has joined #openstack-keystone02:25
*** TxGVNN has joined #openstack-keystone02:25
*** david-lyle_ has quit IRC02:29
*** lamt has joined #openstack-keystone02:37
*** code-R has joined #openstack-keystone02:43
*** code-R has quit IRC02:43
*** code-R has joined #openstack-keystone02:44
*** GB21 has quit IRC02:45
*** code-R_ has joined #openstack-keystone02:53
*** code-R has quit IRC02:56
*** __zouyee has joined #openstack-keystone02:57
openstackgerritMerged openstack/keystone: Added cache for id mapping manager  https://review.openstack.org/32882002:59
*** __zouyee has quit IRC03:00
*** patchbot has quit IRC03:01
*** EinstCrazy has joined #openstack-keystone03:14
*** nkinder has quit IRC03:15
*** EinstCrazy has quit IRC03:25
openstackgerritMerged openstack/keystone: Add schema validation to create role  https://review.openstack.org/34570003:26
*** code-R_ has quit IRC03:27
*** code-R has joined #openstack-keystone03:33
*** nkinder has joined #openstack-keystone03:35
*** davechen has quit IRC03:43
*** nkinder has quit IRC03:47
*** patchbot has joined #openstack-keystone04:02
*** GB21 has joined #openstack-keystone04:15
*** tsufiev has quit IRC04:15
*** tsufiev has joined #openstack-keystone04:17
*** david-lyle_ has joined #openstack-keystone04:26
*** david-lyle_ has quit IRC04:32
*** GB21 has quit IRC04:32
*** notmyname has quit IRC04:36
*** code-R has quit IRC04:37
*** code-R has joined #openstack-keystone04:38
*** fifieldt has joined #openstack-keystone04:47
*** roxanaghe has joined #openstack-keystone04:48
*** roxanaghe has quit IRC04:48
*** notmyname has joined #openstack-keystone04:48
*** dikonoor has joined #openstack-keystone04:52
*** code-R has quit IRC04:56
*** code-R has joined #openstack-keystone04:56
*** spandhe has joined #openstack-keystone05:05
*** GB21 has joined #openstack-keystone05:08
openstackgerritMerged openstack/keystone: Use freezegun to increment clock in test_v3_assignment  https://review.openstack.org/34386005:10
*** GB21 has quit IRC05:16
openstackgerritTin Lam proposed openstack/keystone: Add schema validation to v2 create tenant  https://review.openstack.org/34659405:26
*** GB21 has joined #openstack-keystone05:29
*** sheel has joined #openstack-keystone05:35
*** tqtran has joined #openstack-keystone05:37
*** spandhe has quit IRC05:38
*** tqtran has quit IRC05:42
*** davechen has joined #openstack-keystone05:46
*** EinstCrazy has joined #openstack-keystone05:47
*** davechen has quit IRC05:48
*** roxanaghe has joined #openstack-keystone05:49
*** tonytan4ever has quit IRC05:50
*** roxanaghe has quit IRC05:53
*** EinstCrazy has quit IRC06:00
*** spandhe has joined #openstack-keystone06:03
*** rcernin has joined #openstack-keystone06:05
*** itisha has joined #openstack-keystone06:07
*** NishaYadav has joined #openstack-keystone06:07
*** NishaYadav is now known as Guest7810706:08
*** code-R has quit IRC06:09
*** code-R has joined #openstack-keystone06:16
*** Guest78107 has quit IRC06:17
*** nisha_ has joined #openstack-keystone06:17
*** nisha__ has joined #openstack-keystone06:20
*** nisha__ has quit IRC06:20
*** nisha_ has quit IRC06:20
*** jed56 has joined #openstack-keystone06:23
*** spandhe has quit IRC06:24
*** spandhe has joined #openstack-keystone06:25
*** david-lyle_ has joined #openstack-keystone06:29
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add endpoint functional tests  https://review.openstack.org/34041806:32
*** david-lyle_ has quit IRC06:33
*** code-R_ has joined #openstack-keystone06:36
*** pcaruana has joined #openstack-keystone06:37
*** davechen has joined #openstack-keystone06:39
*** code-R has quit IRC06:39
*** tesseract- has joined #openstack-keystone06:41
*** code-R_ has quit IRC06:43
*** code-R has joined #openstack-keystone06:43
*** tonytan4ever has joined #openstack-keystone06:50
*** spandhe has quit IRC06:54
*** tonytan4ever has quit IRC06:55
*** code-R has quit IRC07:09
*** GB21 has quit IRC07:39
*** Dave has joined #openstack-keystone07:46
openstackgerritSwapnil Kulkarni (coolsvap) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843507:50
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** nishaYadav has joined #openstack-keystone08:01
*** GB21 has joined #openstack-keystone08:04
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** Gorian has quit IRC08:11
*** Gorian has joined #openstack-keystone08:12
*** EinstCrazy has joined #openstack-keystone08:12
* nishaYadav waves hello o/08:14
*** nishaYadav has quit IRC08:25
*** nishaYadav has joined #openstack-keystone08:26
*** nishaYadav is now known as Guest3139708:26
*** EinstCra_ has joined #openstack-keystone08:29
*** david-lyle_ has joined #openstack-keystone08:31
*** EinstCrazy has quit IRC08:31
*** EinstCra_ has quit IRC08:34
*** david-lyle_ has quit IRC08:36
*** tqtran has joined #openstack-keystone08:39
*** EinstCrazy has joined #openstack-keystone08:43
*** tqtran has quit IRC08:43
*** tonytan4ever has joined #openstack-keystone08:52
*** tonytan4ever has quit IRC08:56
*** amakarov has joined #openstack-keystone09:07
*** mvk has quit IRC09:27
*** Guest31397 is now known as nishaYadav09:28
*** alex_xu has quit IRC09:31
*** david-lyle_ has joined #openstack-keystone09:32
*** alex_xu has joined #openstack-keystone09:34
*** GB21 has quit IRC09:34
*** david-lyle_ has quit IRC09:36
*** TxGVNN has quit IRC09:38
openstackgerritDinesh Bhor proposed openstack/keystone: Replace OpenStack LLC with OpenStack Foundation  https://review.openstack.org/34667509:39
*** kswiatek has joined #openstack-keystone09:43
*** kaszkiet has joined #openstack-keystone09:44
*** TxGVNN has joined #openstack-keystone09:44
*** GB21 has joined #openstack-keystone09:46
*** davechen has left #openstack-keystone09:47
kswiatekhi, I need help with devstack, maybe you could help me :)09:48
kswiatekI have devstack on my vm, 2 deafult users and one I created (admin, demo, xaxa)09:48
kswiatekwhen i create instance as admin, as non-admin user when i type: nova list --all-tenants I see instances created by admin09:50
kswiatekno matter which user/project I use09:50
kswiatekany idea where can be problem? i use devstack from master branch09:50
*** hwcomcn has joined #openstack-keystone09:50
*** hwcomcn has quit IRC09:51
*** hwcomcn has joined #openstack-keystone09:52
*** hwcomcn has quit IRC09:55
*** hwcomcn has joined #openstack-keystone09:58
*** mvk has joined #openstack-keystone10:00
*** hwcomcn has quit IRC10:03
*** nishaYadav has quit IRC10:04
*** hwcomcn has joined #openstack-keystone10:04
*** hwcomcn has quit IRC10:05
*** hwcomcn has joined #openstack-keystone10:06
*** nishaYadav has joined #openstack-keystone10:14
*** nishaYadav is now known as Guest3703210:14
*** Guest37032 is now known as nisha_10:18
*** EinstCrazy has quit IRC10:36
*** tqtran has joined #openstack-keystone10:41
*** tqtran has quit IRC10:45
*** nisha_ has quit IRC10:46
*** nisha_ has joined #openstack-keystone10:57
*** nisha__ has joined #openstack-keystone11:16
*** nisha_ has quit IRC11:17
*** nisha__ has quit IRC11:18
*** TxGVNN has quit IRC11:21
*** gordc has joined #openstack-keystone11:27
*** nishaYadav has joined #openstack-keystone11:31
*** nishaYadav is now known as Guest6595511:32
*** david-lyle_ has joined #openstack-keystone11:34
*** Guest65955 is now known as nisha_11:34
*** david-lyle_ has quit IRC11:39
*** rodrigods has quit IRC11:47
*** rodrigods has joined #openstack-keystone11:47
*** sdake has joined #openstack-keystone11:54
*** edmondsw has joined #openstack-keystone11:59
*** mvk has quit IRC12:02
*** Guest32906 is now known as flaper8712:10
*** flaper87 has quit IRC12:10
*** flaper87 has joined #openstack-keystone12:10
*** raildo has joined #openstack-keystone12:11
*** d0ugal_ is now known as d0ugal12:17
*** d0ugal has quit IRC12:17
*** d0ugal has joined #openstack-keystone12:17
*** mvk has joined #openstack-keystone12:17
*** iurygregory has joined #openstack-keystone12:22
*** tonytan4ever has joined #openstack-keystone12:24
*** tonytan4ever has quit IRC12:28
*** tangchen has joined #openstack-keystone12:29
*** GB21 has quit IRC12:32
*** GB21 has joined #openstack-keystone12:35
openstackgerritTang Chen proposed openstack/keystoneauth: Use assertEqual() instead of assertDictEqual()  https://review.openstack.org/34674312:36
*** pauloewerton has joined #openstack-keystone12:37
*** sheel has quit IRC12:46
*** GB21 has quit IRC12:52
*** aurelien__ has joined #openstack-keystone12:54
*** jsavak has joined #openstack-keystone12:56
*** Trident has quit IRC13:08
*** bknudson has joined #openstack-keystone13:18
*** ChanServ sets mode: +v bknudson13:18
*** thiagolib has quit IRC13:18
*** woodster_ has joined #openstack-keystone13:19
*** jaugustine_ has joined #openstack-keystone13:27
*** tonytan4ever has joined #openstack-keystone13:30
*** julim has joined #openstack-keystone13:31
*** ayoung has joined #openstack-keystone13:32
*** ChanServ sets mode: +v ayoung13:32
*** david-lyle_ has joined #openstack-keystone13:36
*** david-lyle_ has quit IRC13:41
*** jaugustine_ has quit IRC13:43
*** tqtran has joined #openstack-keystone13:43
*** jaugustine_ has joined #openstack-keystone13:44
*** sdake_ has joined #openstack-keystone13:45
*** sdake has quit IRC13:45
*** nk2527 has quit IRC13:46
*** nk2527 has joined #openstack-keystone13:47
*** tqtran has quit IRC13:47
*** danpawlik has joined #openstack-keystone13:50
*** gordc has quit IRC13:52
*** BjoernT has joined #openstack-keystone13:55
*** richm has joined #openstack-keystone13:58
*** code-R has joined #openstack-keystone14:00
*** hwcomcn has quit IRC14:04
*** tonytan_brb has joined #openstack-keystone14:04
*** jaugustine_ has quit IRC14:06
*** tonytan4ever has quit IRC14:06
*** code-R_ has joined #openstack-keystone14:08
*** code-R_ has quit IRC14:09
*** ravelar159 has joined #openstack-keystone14:10
*** code-R_ has joined #openstack-keystone14:10
*** code-R has quit IRC14:14
*** pblaho has joined #openstack-keystone14:16
ayoungpblaho, welcome!14:18
pblahoayoung: hi and thank you14:18
ayoungpblaho, so you are tackling v3 everywhere, right?14:18
pblahoayoung: yeah :-)14:19
ayoungpblaho, we worked through it last summer using a Packstack install and then post-configuration using Ansible14:19
pblahoand I do not understand some things how keystone do14:19
*** gordc has joined #openstack-keystone14:20
ayoungpblaho, what has confused you so far?14:20
pblahoayoung: I do not understand how policies from policy.json are checked14:21
ayoungpblaho, ah...ok14:21
ayoungpblaho, that is kindof separate from calling via v3.14:21
pblahoayoung: I have an env installed using tripleo-quickstart and enabled keystone v3 ... hopefully correctly14:21
pblahoayoung: aha...14:22
*** jaugustine has joined #openstack-keystone14:22
ayounga policy check happens when the server calls it, not from middleware.  So, say I do openstack server create, all of the middleware code from keystonemiddleware happens, and then, somewhere in the nova code, it explicitly calls the policy check.  It is not automated, and is something that each of the services needs to implement14:22
ayoungso, keystone's v3 api is always enabled14:22
ayoungyou would have to work pretty hard to disable it, so you probably are set there14:23
ayoungto confirm, from your undercloud, you can do14:23
ayoung. ./overcloudrc14:23
*** code-R has joined #openstack-keystone14:23
ayounglook at the OS_AUTH_URL env var14:24
*** catintheroof has joined #openstack-keystone14:24
ayoung and chop off the /v2.014:24
ayoungor, better yet, use this hack:14:24
ayoungpblaho, http://adam.younglogic.com/2016/03/v3fromv2/14:24
* ayoung should update that with the logic to clear old envvars14:24
*** code-R has quit IRC14:25
*** mvk has quit IRC14:25
*** code-R has joined #openstack-keystone14:25
*** code-R_ has quit IRC14:26
ayoungpblaho, I'd put this at the top of the generated file...14:26
ayoungfor key in `set | grep -E '^OS_'` ; do unset $key ; done14:26
*** mvk has joined #openstack-keystone14:26
pblahoayoung: nice script...14:28
*** gordc has quit IRC14:28
*** roxanaghe has joined #openstack-keystone14:28
*** gordc has joined #openstack-keystone14:29
ayoungpblaho, and...as I look at it, and try to code from my blog editing software, I realize that the "clear the environment" line needs to go after14:29
ayoungNEW_OS_AUTH_URL=`echo $OS_AUTH_URL | sed 's!v2.0!v3!'`14:30
* ayoung just updated blog...14:30
ayoungdoh14:30
* ayoung needs more coffee14:30
*** GB21 has joined #openstack-keystone14:30
*** michauds has joined #openstack-keystone14:30
*** clenimar has joined #openstack-keystone14:32
ayoungok...anyway, once you have a workable v3 rc file, run openstack token issue and you should get a token14:32
ayoungmake sure the OS_AUTH_URL ends in v314:33
*** roxanaghe has quit IRC14:33
openstackgerritMikhail Nikolaenko proposed openstack/keystone: Retry revocation on MySQL deadlock  https://review.openstack.org/34492414:33
SamYapleayoung: isnt swift the only thing that still requires OS_AUTH_URL to end in v3?14:34
ayoungSamYaple, depends14:34
SamYaplei thought the goal was versionless for that variable14:34
ayoungSamYaple, yes, but discovery is a whole 'nother level14:35
ayoungSamYaple, http://adam.younglogic.com/2016/07/bypassing-discovery-keystoneauth1/14:35
SamYaplenew blog post? this month? i guess ill give it a read14:36
ayoungSamYaple, Heh14:36
stevemaro/14:36
pblahoayoung: is OS_PROJECT_DOMAIN_NAME and OS_PROJECT_NAME required in the rc file?14:36
ayoungpblaho, yes14:36
ayoungpblaho, ok...here's a short primer14:36
ayoungkeystone uses tokens, which are a short cookie that points to auth data.  When you get a token, or when a service validates it, the auth data might be scoped to something, or might be unscoped14:37
ayoungthe scope is almost always a project14:37
ayoungto uniquely identify a project, you either can use the OS_PROJECT_ID env var, or you can use the name.  But the name is only unique within its doamin, so you need to set both OS_PROJECT_DOMAIN_NAME and  OS_PROJECT_NAME14:38
pblahoayoung: ok...14:39
ayoungthe same is true of the user;  either you can set just the OS_USER_ID, or you can set OS_USER_DOMAIN_NAME and OS_USERNAME14:39
pblahoayoung: what to do if I have user who is admin for domain but do not have admin role for any project inside that domain?14:39
SamYapleayoung: openstack stack is just hacks upon hacks as it turns out.14:39
ayoungSamYaple, that is why the Keystone Mascot is a Turtle14:40
ayoung"it is Turtles all the way down."14:40
SamYaplei get it14:40
ayounghttp://www.zazzle.com/its_turtles_all_the_way_down_coffee_mug-16875589356117160314:40
SamYaplekeystone v4 will fix it all im sure. well just switch to RFC1149 for exchanging fernet keys14:41
*** BjoernT has quit IRC14:41
*** slberger has joined #openstack-keystone14:42
* ayoung googles RFC114914:42
ayoungSamYaple, I think we were going to bring back Kite to rotate keys.  right stevemar ?14:44
stevemarkite is dead, we'll need a new time14:45
SamYapleI hear storms can also cause data loss with that method, too14:45
stevemarname*14:45
ayoungpblaho, anyway,  you should have V3 enabled.  Assuming you do, and can get a token, the real question is how to make all of the other services14:45
ayoungstevemar, but it is the best way to get keys into the cloud?14:45
stevemarbarbican absorbed kite - didn't it?14:46
ayoungstevemar, I think it is so ironic that we spent all that time on Kite, realized it was a mismatch for the requirement, killed it, and now have the perfect use case for it.14:46
SamYapleayoung: i would think a rocket would be the best way, that names not taken right? maybe rkt for short?14:46
stevemarha14:47
ayoungSamYaple, actually, I would like it to be a Keystone to Keystone REST call, so no new project, based on PKI14:47
ayounguse a PKCS11 file to transmit it14:47
ayoungBut Keystone replica's don't know about each other, and making them know about each other is not part of the plan14:48
*** tonytan_brb has quit IRC14:48
*** tonytan4ever has joined #openstack-keystone14:49
pblahoayoung: I am not sure I understand it at all :-)14:49
pblahoayoung: http://paste.openstack.org/show/541611/14:49
pblahoayoung: since line 20 in new terminal14:50
*** code-R_ has joined #openstack-keystone14:50
ayoungpblaho, try openstack token issue14:50
SamYapleoh theres a token issue alright14:50
ayoungSamYaple, ha14:50
SamYapleenough puns. i gots work todo14:51
ayoungpblaho, OK, so that is the policy issue14:51
pblahoayoung: http://paste.openstack.org/show/541612/14:51
pblahoayoung: I use this policy file - https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json14:51
ayoungpblaho, doing a project show with the name means it has to do a list to resolve the name.  And the policy must be wonky.  let me see....14:51
pblahoayoung: ok, I will try it with project id14:52
*** code-R has quit IRC14:52
*** code-R_ has quit IRC14:52
ayoungpblaho, ah...did Tripleo switch over to the v3 cloud sample policy file?14:52
ayoung"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",14:52
*** code-R has joined #openstack-keystone14:53
ayoungthat rule implies that you have a domain scoped token....I'm still not 100% happy with cloudsample....14:53
ayoung"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",14:53
ayounghmmmmm14:53
pblahoayoung: I will paste my current policy file in a minute....14:54
pblahoayoung: http://paste.openstack.org/show/541613/14:55
ayoung "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",14:55
ayoungyeah...same thing.14:55
ayoungmake that a member rule, I think14:55
ayoungwhat do we do for default oplicy14:55
pblahoayoung: ok, openstack project show ID works...14:55
ayoungcool14:56
pblahoayoung: so every time I use names instead of IDs it will make a call to get a list of objects? and so it needs proper rights?14:56
ayoungpblaho, yep14:57
pblahoayoung: and what do you mean by making it member rule?14:58
ayoungpblaho, I mean a rule that any member of a project should be able to make.  Not your job to do, though.  I need to take another pass at policy at some point and figure out what these really should be.14:58
ayoungpblaho, maybe what it should be is that openstack project show with no parameters should just use the current project id, but ...I'll fugyre that out later14:59
*** rcernin has quit IRC15:00
pblahoayoung: I have another question... openstack project list --user adm1 should show me projects that user has rights to?15:00
ayoungpblaho, sounds right15:01
ayoungpblaho, again, policy might interfere15:01
*** tonytan_brb has joined #openstack-keystone15:01
pblahoayoung: yeah, again with ID works, not with username :-)15:01
*** spandhe has joined #openstack-keystone15:02
*** jsavak has quit IRC15:03
*** KevinE has joined #openstack-keystone15:03
*** tonytan4ever has quit IRC15:04
*** KevinE has quit IRC15:04
ayoungpblaho, ok, so back to v3 everywhere....15:04
*** KevinE has joined #openstack-keystone15:04
ayoungthe big thing is the config files for Nova etc having an updated auth_token section15:05
ayoungI know that EmilienM did a lot of work along these lines15:05
pblahoayoung: I am not sure what do you mean by v3 everywhere....15:05
ayoungpblaho, replacing the points in server to server communication where authentication was using v2 to use v3, so we can make things  domain aware15:06
pblahoayoung: b/c I am not working on getting TripleO to have keystone v3 everywhere... I am now doing some integration with ManageIQ project15:06
ayoungfor example...15:06
ayounghttps://github.com/admiyo/rippowam/blob/master/roles/packstack/tasks/serviceauth.yml15:06
*** jsavak has joined #openstack-keystone15:06
*** spandhe has quit IRC15:08
ayoungpblaho, Oh15:08
ayoungpblaho, that makes sense. The same general issues apply, though15:09
pblahoayoung: I am not sure what info you got :-)15:09
ayoungpblaho, I glazed right over the CFME part of the message.15:09
pblahoayoung: haha15:10
pblahoayoung: I am glad that you take time and helped me...15:10
pblahoayoung: and be sure that I will ping you in the future w/r/t anything keystone related :-)15:10
ayoungpblaho, I focused on the part that said "Petr has started concentrating on some of the keystone v3  integration work"15:10
pblahoayoung: oh, I see...15:11
*** shoutm has quit IRC15:11
ayoungpblaho, my understanding is that CFME is pretty much going to focus on one project for a deployment15:11
pblahoayoung: there is work to have domain support for openstack overcloud15:12
ayoungso you should not need to expose project_list, but do you need user_list?  If so, we might need to work on the default policy to be nicer15:12
ayoungpblaho, ok...what are the requirements?15:12
pblahoayoung: not usre exactly now...15:12
ayoungpblaho, Status Quo, then..15:13
pblahoayoung: I was solving one bug with getting project list into CFME and during that I found out that these policies are not exactly flawless :-)15:13
ayoungpblaho, they are very conservative15:14
pblahoayoung: if I will get more info on what is needed w/r/t policies I will let you know15:14
*** pgbridge has joined #openstack-keystone15:20
*** nisha_ has quit IRC15:24
*** nisha_ has joined #openstack-keystone15:25
*** pcaruana has quit IRC15:26
*** jgarza has joined #openstack-keystone15:27
*** roxanaghe has joined #openstack-keystone15:29
jgarzaCreated a domain, project, user and assigned the role to the user in the project. Sourced the user file but I still cannot list users in the project cause it says it requires authentication even though the user is admin?15:31
ayoungjgarza, heh...you just missed that discussion15:33
*** dave-mccowan has joined #openstack-keystone15:33
*** roxanaghe has quit IRC15:33
jgarzaayoung, nooooooooo15:34
ayoungjgarza, one sec, I'll get you the evesdrop link15:34
ayoungjgarza, around http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-07-25.log.html#t2016-07-25T14:52:3315:34
jgarzaayoung, I am new. Just trying to learn how to operate keystone. I don't know where exactly the token stuff comes in.15:34
jgarzaayoung, but I setup the fernet token provider and ran the fernet_setup15:35
*** nisha_ has quit IRC15:35
ayoungjgarza, w00t!  Ship it!15:36
jgarzaayoung, ha yeah just stumbling around devstack15:36
*** david-lyle_ has joined #openstack-keystone15:37
*** gyee has joined #openstack-keystone15:39
*** ChanServ sets mode: +v gyee15:39
*** code-R has quit IRC15:39
*** aurelien__ has quit IRC15:40
*** david-lyle_ has quit IRC15:43
*** adrian_otto has joined #openstack-keystone15:45
*** sdake has joined #openstack-keystone15:46
*** browne has joined #openstack-keystone15:47
*** sdake_ has quit IRC15:49
*** slberger has quit IRC15:53
*** aastha has joined #openstack-keystone15:55
*** slberger has joined #openstack-keystone15:56
*** samueldmq has joined #openstack-keystone15:56
*** ChanServ sets mode: +v samueldmq15:56
samueldmqhey keystone15:57
*** KevinE has quit IRC15:58
stevemarahoy samueldmq15:58
jgarzadoes anyone know the openstack command to move a project to a certain domain? It seems to automatically end up in Default domain15:59
bknudsonsamueldmq made it back15:59
bknudsonor are you still in u.s.?15:59
stevemarjgarza: when you create there is an option to set the domain, same with the "set" command15:59
samueldmqstevemar: hey15:59
jgarzastevemar thanks!15:59
stevemarjgarza: make sure you are using v3 of the API with OSC (set OS_IDENTITY_API_VERSION to 3)15:59
samueldmqbknudson: I am back, got to home last night16:00
samueldmqbknudson: (finally)16:00
stevemarsamueldmq: you need to take it easy today :)16:00
stevemarbknudson: you're online and able to chat :O16:00
samueldmqstevemar: yeah indeed, just wanted to say hello and see if nisha needed anything :)16:01
bknudsonstevemar: don't tell my manager16:03
samueldmqhaha16:03
*** jsavak has quit IRC16:06
*** jsavak has joined #openstack-keystone16:07
dstaneksamueldmq: how long was the return trip?16:07
bknudsonjamielennox|away: please take a look at https://review.openstack.org/#/c/343694/ (another proposal in nova for the oslo.context change)16:08
patchbotbknudson: patch 343694 - nova - Prepare context tests for new to_dict() attributes16:08
jgarzastevemar, I can use project set --name to change the name of the project but when I use project set --domain to set the domain it should belong to it says doesn't exist :/16:09
samueldmqdstanek: from hotel to home (home) it was around 33 hours16:09
*** nishaYadav has joined #openstack-keystone16:09
samueldmqhome (sweet home)*16:09
samueldmq:)16:09
lbragstadsamueldmq damn16:09
lbragstadsamueldmq glad you had a safe trip16:09
samueldmqlbragstad: thanks :)16:10
nishaYadavsamueldmq, hey, nice to see you :)16:10
samueldmqyes, too long, I will need a few days to recover completly16:10
samueldmqnishaYadav: hey hey, how are you?16:10
nishaYadavsamueldmq, I am good, registered for this nick16:10
nishaYadavthanks16:11
stevemarjgarza: can you also pass in `--os-identity-api-version 3`16:12
samueldmqnishaYadav: nice you now have a registered nickname16:13
jgarzastevemar, still claiming devstack project demo doesn't exist. Exported the v3 lines as well.16:14
*** dave-mccowan has quit IRC16:14
openstackgerritColleen Murphy proposed openstack/keystone: Skip middleware request processing for admin token  https://review.openstack.org/34449616:14
*** code-R has joined #openstack-keystone16:15
jgarzastevemar, it's weird. I can run every other project set command on any project. But when I run it with --domain 'Name' it can't find the project all of a sudden16:15
stevemarjgarza: paste the output here: http://paste.openstack.org/ and share? you can pass in --debug to give lots of info16:15
stevemarjgarza: ohhh, wait a tick. i think i remember this bug16:16
stevemarjgarza: the --domain argument there is for finding projects that are non-default. we don't allow moving projects to other domains :(16:16
jgarzastevemar, ahhh I see then. thanks that saved me so much time ha16:17
stevemarjgarza: https://github.com/openstack/python-openstackclient/commit/66931c6931ee39cc58159d3823b46ad225f39ec816:17
*** code-R_ has joined #openstack-keystone16:18
*** TxGVNN has joined #openstack-keystone16:19
*** code-R has quit IRC16:20
*** tesseract- has quit IRC16:21
*** david-lyle_ has joined #openstack-keystone16:35
*** samueldmq has quit IRC16:36
*** GB21 has quit IRC16:41
*** dan_nguyen has joined #openstack-keystone16:42
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848816:47
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver  https://review.openstack.org/29131816:47
*** roxanaghe has joined #openstack-keystone16:48
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Re-target unified delegations to O  https://review.openstack.org/34694216:49
rderosestevemar jamielennox: the last day of the midcycle, we talked about including LDAP in the lockout requirements for PCI16:50
*** haplo37__ has joined #openstack-keystone16:50
rderosestevemar jamielennox: however, thinking about this some more, I don't think we should do that16:51
rderosestevemar jamielennox: LDAP (like AD) already have their own lockout policies16:51
rderosestevemar jamielennox: so it would be redundant. Therefore, I think it only makes sense for the SQL backend.16:52
rderosestevemar jamielennox: let me know if you disagree16:52
*** roxanaghe has quit IRC16:52
*** tqtran has joined #openstack-keystone16:54
bknudsonrderose: I agree. LDAP servers typically already support lockout.16:55
bknudsonI wasn't invited to the discussion.16:55
rderosecool, thanks bknudson, I'll keep it as is (only supporting SQL backend)16:56
bknudsonsame is true for all the other PCI requirements, I think?16:57
bknudsonalso, not just LDAP but also users coming in through federation16:58
*** karthikb has joined #openstack-keystone16:59
rderosebknudson: true, most PCI is only supported by the SQL backend16:59
rderosebknudson: the exceptions are validating password strength. If this feature is turned on, it will validate all password updates (manager level)17:00
*** david-lyle_ has quit IRC17:01
rderosebknudson: And disabling inactive users also is supported by all identities (federated, LDAP, SQL, custom...)17:01
rderosebknudson: everything else is SQL backend only17:01
*** nkinder has joined #openstack-keystone17:01
*** david-lyle_ has joined #openstack-keystone17:07
*** mvk has quit IRC17:12
*** karthikb has quit IRC17:14
*** roxanaghe has joined #openstack-keystone17:14
*** pcaruana has joined #openstack-keystone17:23
*** gordc has quit IRC17:26
*** dikonoor has quit IRC17:31
*** tonytan_brb is now known as tonytan4ever17:33
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create service in v2  https://review.openstack.org/34696217:33
*** spandhe has joined #openstack-keystone17:35
*** Gorian_ has joined #openstack-keystone17:40
bknudsonmy opinion is that password strength should be handled by sql driver too since LDAP already implements it.17:41
*** sdake has quit IRC17:41
*** harlowja has joined #openstack-keystone17:43
openstackgerritColleen Murphy proposed openstack/keystone: Fix v2-ext API enabled documentation  https://review.openstack.org/34696517:45
*** pgbridge has quit IRC17:46
*** jgarza has quit IRC17:48
*** ravelar159 has quit IRC17:49
openstackgerrithenry-nash proposed openstack/keystone-specs: Add rolling upgrade steps to keystone-manage  https://review.openstack.org/33768017:51
*** KevinE has joined #openstack-keystone17:51
henrynashrderose, stevemar, jammielennox: on PCI for other backends, I think  there was a request from at least one customer who want to be able to lock out (an LDAP) user form keystone, but not to lock them out of all corporate systems17:56
*** david-lyle has quit IRC17:57
*** david-lyle_ is now known as david-lyle17:57
openstackgerritColleen Murphy proposed openstack/keystone: Fix v2-ext API enabled documentation  https://review.openstack.org/34696517:57
rderosebknudson: ^ henrynash17:59
bknudsonrderose: that sounds like having a disabled option for shadow users.18:01
rderosehenrynash: oh I see, hmm...18:01
bknudsonlocked out because of invalid password attempts?18:01
rderosebknudson henrynash: yeah, locked out because too many failed auth attempts18:02
*** nk2527 has quit IRC18:02
bknudsonseems like something you would want implemented in your idp rather than requiring every application to re-implement.18:02
rderosebknudson: I think henrynash is saying to set this for LDAP, so that the user is locked out of keystone, but not an LDAP lockout where the user would be locked out of all corporate systems18:03
henrynashrederose: ++18:03
henrynashrederose: I'm not syaing that we should definitely do this...but that we have certainly seen this request from a customer....18:04
bknudsonyes, the idp (LDAP in this example) would know what the application is that's using it for authentication and be able to lock out by application.18:04
bknudsonrather than requiring keystone and outlook, etc., to implement a lock-out feature.18:04
rderosebknudson: so with lockout policy for LDAP, you can configure lockout by application?18:05
openstackgerritColleen Murphy proposed openstack/keystone: Fix v2-ext API enabled documentation  https://review.openstack.org/34696518:05
henrynashbknudson: that's certainly an option - although could you do that with LDAP? I guess you could remove it from the keystone group or something (whcih is probably how LDAP might permission a given user for keystone)18:05
bknudsonnothing stops you from doing that in an LDAP server.18:05
bknudsonLDAP is a protocol18:05
rderosebknudson: right, I guess I'm thinking more of AD18:06
bknudson(and the LDAP protocol doesn't even have authorization)18:06
rderosebknudson: and other common LDAP identity stores18:07
bknudsonI don't know. But the user could just as well ask them to add a feature as ask us.18:08
bknudsonit would be more useful to everybody if the LDAP server had the feature.18:08
rderosebknudson: yeah, good point18:08
*** gordc has joined #openstack-keystone18:08
*** adrian_otto has quit IRC18:11
*** jaugustine_ has joined #openstack-keystone18:16
*** jaugustine_ has quit IRC18:18
stevemarrderose: henrynash bknudson catching up18:22
stevemarrderose: bknudson henrynash do any ADs have that feature? how would it know where the request is coming from (keystone vs outlook) ?18:24
bknudsonI heard at the keystone meetup that it's really easy to set up an LDAP server, so if you have a separate LDAP server for keystone you can handle it there.18:26
henrynashbknudson: not sure that is what most corporate directory manages would like....another LDAP/AD which they have to sync and maintain?18:28
*** ayoung has quit IRC18:30
bknudsonthis was in the context of adding more info to ldap (assignments)18:30
*** ravelar159 has joined #openstack-keystone18:34
*** nishaYadav has quit IRC18:34
*** nk2527 has joined #openstack-keystone18:36
*** roxanagh_ has joined #openstack-keystone18:36
*** ravelar159 has quit IRC18:38
*** roxanagh_ has quit IRC18:41
*** michauds has quit IRC18:42
*** spandhe has quit IRC18:43
*** julim has quit IRC18:43
*** sdake has joined #openstack-keystone18:44
*** julim has joined #openstack-keystone18:45
*** ravelar159 has joined #openstack-keystone18:47
openstackgerritLance Bragstad proposed openstack/keystone: Make AuthWithTrust testable against uuid and fernet  https://review.openstack.org/34568618:52
*** michauds has joined #openstack-keystone18:58
*** ksavich has joined #openstack-keystone19:00
*** slberger has quit IRC19:02
*** TxGVNN has quit IRC19:02
*** jsavak has quit IRC19:05
*** EinstCrazy has joined #openstack-keystone19:05
*** fifieldt has quit IRC19:05
*** ksavich has quit IRC19:05
*** EinstCrazy has quit IRC19:10
*** EinstCrazy has joined #openstack-keystone19:14
*** EinstCrazy has quit IRC19:15
*** slberger has joined #openstack-keystone19:18
*** fifieldt has joined #openstack-keystone19:18
*** ddieterly has joined #openstack-keystone19:19
*** chlong_POffice has quit IRC19:30
*** chlong_POffice has joined #openstack-keystone19:31
*** spandhe has joined #openstack-keystone19:33
*** code-R_ has quit IRC19:33
*** jsavak has joined #openstack-keystone19:34
*** ddieterly is now known as ddieterly[away]19:36
*** roxanagh_ has joined #openstack-keystone19:37
*** ddieterly[away] is now known as ddieterly19:38
*** roxanagh_ has quit IRC19:41
*** code-R has joined #openstack-keystone19:44
*** jsavak has quit IRC19:54
*** jsavak has joined #openstack-keystone19:54
*** pgbridge has joined #openstack-keystone19:54
openstackgerritLance Bragstad proposed openstack/keystone: Switch fernet to be the default token provider.  https://review.openstack.org/34568819:58
openstackgerritLance Bragstad proposed openstack/keystone: Allow V2TestCase to be tested against fernet and uuid  https://review.openstack.org/34568719:58
*** gyee has quit IRC20:01
*** jsavak has quit IRC20:03
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336020:06
*** slberger has quit IRC20:07
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password expires validation  https://review.openstack.org/33336020:08
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create service in v2  https://review.openstack.org/34696220:08
*** slberger has joined #openstack-keystone20:09
*** ddieterly is now known as ddieterly[away]20:12
*** ddieterly[away] is now known as ddieterly20:12
*** ddieterly is now known as ddieterly[away]20:13
*** ravelar159 has quit IRC20:13
*** sdake has quit IRC20:16
*** jsavak has joined #openstack-keystone20:16
*** ravelar159 has joined #openstack-keystone20:17
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create service in v2  https://review.openstack.org/34696220:21
*** ddieterly[away] is now known as ddieterly20:34
browneshould a v3 token ever include the service catalog in v2 format?20:35
brownei ask because that's what i'm seeing in an environment. v3 token with v2 service catalog20:36
*** roxanagh_ has joined #openstack-keystone20:37
bknudsonv3 token should never include the service catalog in v2 format.20:38
*** raildo has quit IRC20:39
brownecrap20:39
brownehttp://paste.openstack.org/raw/541647/20:40
bknudsonthat is messed up.20:40
brownethis is stable/mitaka.  not sure the root cause yet20:41
brownebut results in this bug: https://bugs.launchpad.net/keystonemiddleware/+bug/160535520:41
openstackLaunchpad bug 1605355 in keystonemiddleware "TypeError: string indices must be integers" [Undecided,New]20:41
*** roxanagh_ has quit IRC20:42
*** isd has joined #openstack-keystone20:46
isdHey all. I'm trying to integrate keystonemiddleware into an existing service. I think I've got things mostly rigged up correctly, but the middleware is trying to connect to keystone via https, despite having explicitly specified http: as the scheme in auth_url. https is obviously desirable for production, but for development on my local machine I'd like to be able to avoid messing with certs; is there a way to force pla20:50
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Minimum password age requirements  https://review.openstack.org/34331420:52
*** gyee has joined #openstack-keystone20:53
*** ChanServ sets mode: +v gyee20:53
*** jsavak has quit IRC20:56
*** chlong_POffice has quit IRC20:56
*** jsavak has joined #openstack-keystone20:56
lbragstadjamielennox|away I have a few questions on the views stuff21:00
lbragstadjamielennox|away leaving them as comments on your review21:01
lbragstadjamielennox|away but I have a feeling I'll need to sit down with you to fully grasp them21:01
lbragstadjamielennox|away ping me whenever you read them and have time to visit about them?21:01
*** gyee has quit IRC21:03
*** haplo37__ has quit IRC21:03
*** chlong_POffice has joined #openstack-keystone21:09
*** itisha has quit IRC21:10
*** mvk has joined #openstack-keystone21:15
*** gagehugo has joined #openstack-keystone21:17
isdIs there a reference somewhere for the config options that keystonemiddleware recognizes? I can't even find that.21:17
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833921:19
*** julim has quit IRC21:20
bknudsonisd: from http://docs.openstack.org/ , there's a link to "Services and Libraries", which has a link for keystonemiddleware, which has a link to "Middlware Architecture" which has a section on configuration21:21
bknudsonhttp://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration21:21
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833921:21
isdbknudson: thanks.21:23
notmorganoooh how was the midcycle?21:33
notmorganstevemar: ^21:33
bknudsonwe all were missing notmorgan21:33
lbragstadnotmorgan it was good21:33
notmorganbknudson: aw, sorry I couldn't make it21:33
notmorganbut ftr, I feel quite relaxed with less travel :)21:34
* notmorgan has to be in SF tomorrow though21:34
notmorganand my flight is PDX -> SEA -> SFO *blink*21:34
bknudsontrying to get more miles.21:35
openstackgerritRon De Rose proposed openstack/keystone-specs: Add rolling upgrade steps to keystone-manage  https://review.openstack.org/33768021:35
notmorganlol21:35
notmorgannah, i don't expect to collect another 18k miles this year21:35
notmorganso no platinum status next year21:35
notmorgan #ohwell21:35
notmorganbut not being on a plane is nice.21:36
notmorganI'd take a train to SF, but that is a LONG train ride21:36
bknudsonas long as it's comfy21:36
stevemarlol @ PDX -> SEA -> SFO21:37
notmorganplane is like 4hrs w/ layover21:37
notmorgantrain is like 19hr21:37
notmorganyeah i'll take 4hr21:37
stevemarnotmorgan: midcycle was nice21:38
stevemarjust writing up my recap21:38
notmorgandid cburgess get yall setup with a good location too?21:38
lbragstadnotmorgan yep - it was nice21:39
notmorgani know it wasn't the merakai offices but...21:39
cburgessnotmorgan I think that depends on who you ask. Most folks seemed to  find it adequate.21:39
notmorgani hear cisco has nice offices21:39
cburgessSome yes21:39
bknudsonwe've definitely had worse.21:40
bknudsonnot sure if we've had anything especially better21:40
bknudsonI enjoyed the midcycles in san antonio but for some reason the wireless never works.21:41
*** jsavak has quit IRC21:42
*** spandhe has quit IRC21:42
*** Gorian_ has quit IRC21:45
*** adrian_otto has joined #openstack-keystone21:46
*** josdotso has joined #openstack-keystone21:48
josdotsoHi folks.  Trying to better understand auth plugins.  Right now, I'm struggling to get auth-type v3oidcpassword working using CLI of python-openstackclient.  I have many questions -- but the most pressing is this:  Suppose I perfect my syntax for v3oidcpassword on $(openstack), how applicable will this all be when I want to do $(neutron) or $(nova) for example?21:50
*** ravelar159 has quit IRC21:51
josdotsoToday I tried $(nova --auth-type v3oidcpassword) vs. $(nova --auth-type v3oidcpasswordFOO) and found that nova complained "ERROR (NoMatchingPlugin): The plugin v3oidcpasswordFOO could not be found".. but for the "v3oidcpassword" looked like an arg issue.  Seems like $(nova) will support v3oidcpassword once $(openstack) works, right?21:52
bknudsonIf I was working on the other CLIs I wouldn't bother implementing auth plugins and assume people who want that functionality would use openstack client.21:54
josdotsobknudson: But openstack client cannot do all that the legacy clients can.21:56
josdotsoAnd what if the auth type is requisite21:56
bknudsonthen I would focus on implementing all that the legacy clients can.21:57
josdotsoAgreed.21:57
*** adriant has joined #openstack-keystone22:00
notmorganbknudson: the geekdom midcycle was really nice22:03
notmorganjosdotso: legacy clients should still use keystoneauth.22:04
notmorganjosdotso: i would only implement for keystoneauth, osc should be hooking into novaclient under the hood anyway22:04
notmorganjosdotso: some clients are lagging behind22:04
josdotsonotmorgan: so v3oidcpassword won't work readily in the older clients then, correct?22:05
notmorganjosdotso: but that will be remedied and keystoneclient.session is deprecated/going away22:05
josdotso*today22:05
notmorganjosdotso: possibly, but no guarantees it will be easy to implement for both22:05
notmorganand/or really be worth the effort22:05
openstackgerritMerged openstack/keystone: Refactor TestAuthExternalDomain to not inherit tests  https://review.openstack.org/34388622:05
notmorgannewclient explicitly should work with old servers, provided keystone server is supporting the OID auth mechanism in a cloud, you should be able to use the new client22:06
josdotsook cool. Just thinking of end use case right now. IaaS standardizing on OIDC in a new release causes client side issues because older clients.22:06
josdotso*because users still use older clients22:06
notmorgancarrot to use the new client22:06
notmorganwhich is going to have more security eyes on/fixes/etc22:07
notmorganand i assume this is end user, not service->service [since that is very tied to release of openstack]22:07
henrynashhaving problems running openstack client...getting: Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.22:07
henrynashis the the clouds.yaml thing?22:07
josdotsoMakes sense.  and yeah.. thinking about end user experience.22:07
openstackgerritMerged openstack/keystone: Don't run TokenCacheInvalidation with Fernet  https://review.openstack.org/34393222:08
notmorganhenrynash: everytime i've seen that it's actually a conflict with clouds.yaml and/or auth url and/or ENV var+cli opotions22:08
notmorganhenrynash: and/or saying use v3 but sending a v2 auth endpoint22:08
henrynashnotmorgan: yep, I think my clouds.yaml (from devstack) does have v3 in the endpoints22:08
notmorganhenrynash: basically it comes down to telling the client conflicting info... and the client is not smart enough to say "uhhh you're crazy22:09
notmorgan":22:09
henrynashnotmorgan: it's an older devstack22:09
notmorganyah22:09
josdotsoI did uncover that legacy clients can interact with an OIDC-enforced cloud by taking the --os-auth-token as output of openstack command22:09
notmorganlikely the issue22:09
henrynashnotmorgan: ok, thx22:09
josdotso.. thanks folks22:09
notmorganjosdotso: if the client uses keystoneauth it almost always can use any auth method keystoneauth supports22:09
notmorganjosdotso: if it's using ekystoneclient.session (or worse not even session), it gets a bit weirder22:10
notmorganjosdotso: most clients are using keystoneauth these days22:10
josdotsonotmorgan: Oh i see.  That's good news.  I'll try to pull together a list of what is what22:10
notmorgan:)22:10
*** isd has left #openstack-keystone22:10
notmorganthe idea is OSC really is the common cli22:11
notmorganthe other clients *could* do things22:11
notmorganand may expose extra options (for now)22:11
notmorganbut it should hook into the common auth module (keystoneauth)22:11
josdotsoYeah, I get that.  Legacy client libs were both CLI and Lib, and now we're looking for them to be just libs, right?22:11
josdotsoYMMV22:11
notmorganexactly22:12
notmorgan:)22:12
josdotsook cool. thanks!22:12
notmorganthe push for keystoneauth was just to isolate the exposure and consolidate a ton of code.22:12
notmorgan:)22:12
notmorganhappy to help22:12
josdotsoany tips on where to look in each legacy client lib for the obvious "new or old" import?22:13
*** pauloewerton has quit IRC22:13
josdotsoI guess I can just search for "keystoneauth" and if zero results, fail22:13
josdotsohttps://github.com/openstack/nova/blob/59c57ae77ae15bc8bd319126bfb4f9cf251030c0/nova/context.py#L2422:14
josdotsorequirements.txt, duh .. later folks22:15
adriantHey, do we have any good documentation on disabling the V2 identity API (what is left of it)?22:16
*** gordc has quit IRC22:19
notmorganjosdotso: you can also look at codesearch.openstack.org for more expanded regex matching22:21
openstackgerritMerged openstack/keystone: Run AuthWithToken against all token providers  https://review.openstack.org/34393522:22
josdotsoty!22:22
*** roxanagh_ has joined #openstack-keystone22:26
josdotsoGuess this one is using keystoneauth, but also keystoneclient.. Hmm: https://github.com/openstack/aodh/blob/3b312fd0ec075c1cff035c272f016ba8547f041e/aodh/keystone_client.py#L2122:28
josdotsooh hmm.. that's aodh server side, nvm22:29
*** roxanagh_ has quit IRC22:30
*** ddieterly has quit IRC22:33
openstackgerritMerged openstack/keystone: refactor: inherit AuthWithRemoteUser for other providers  https://review.openstack.org/34507522:34
openstackgerritMerged openstack/keystone: refactor: make TestAuthKerberos test pki/pkiz/uuid  https://review.openstack.org/34508922:38
openstackgerritMerged openstack/keystone: refactor: make TestAuthExternalDefaultDomain test uuid/pki/pkiz  https://review.openstack.org/34509022:38
openstackgerritMerged openstack/keystone: refactor: make TestFetchRevocationList test uuid  https://review.openstack.org/34509922:39
openstackgerritMerged openstack/keystone: Use freezegun in OSRevokeTests  https://review.openstack.org/34510422:39
*** michauds has quit IRC22:42
openstackgerritMerged openstack/keystone: Only run KvsTokenCacheInvalidation against uuid  https://review.openstack.org/34510822:44
openstackgerritMerged openstack/keystone: Use freezegun in AssignmentInheritanceTestCase  https://review.openstack.org/34568422:46
*** slberger has left #openstack-keystone22:52
*** spandhe has joined #openstack-keystone22:57
Gorianhey23:01
*** ddieterly has joined #openstack-keystone23:02
*** ddieterly has quit IRC23:04
*** ddieterly has joined #openstack-keystone23:04
*** ddieterly is now known as ddieterly[away]23:05
*** ddieterly has joined #openstack-keystone23:06
*** ddieterly has quit IRC23:07
openstackgerritMerged openstack/keystone: Replace OpenStack LLC with OpenStack Foundation  https://review.openstack.org/34667523:19
*** chlong_POffice has quit IRC23:25
*** pgbridge has quit IRC23:31
openstackgerritAdrian Turjak proposed openstack/keystone-specs: New TOTP contrib plugin for non-admin access to TOTP credentials  https://review.openstack.org/34570523:33
*** ravelar159 has joined #openstack-keystone23:39
*** chlong_POffice has joined #openstack-keystone23:42
*** ravelar159 has quit IRC23:45
openstackgerritMerged openstack/keystone-specs: Re-target unified delegations to O  https://review.openstack.org/34694223:46
josdotsonotmorgan: In my audit, I saw four kinds of keystoneauth1 usage... One was to "import keystoneauth1 loading", Second was to "import keystoneauth1 adapter" and third was to "import keystoneauth1 session"..fourth was "import keystoneauth1 plugin"... Which of these have the best outlook for allowing v3oidcpassword ?23:46
josdotsohttp://codesearch.openstack.org/?q=%5Ekeystoneauth1&i=nope&files=&repos=23:47
*** roxanaghe has quit IRC23:56
« Sunday, 2016-07-24 Index Tuesday, 2016-07-26 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!