Friday, 2016-09-16

*** itsuugo has quit IRC		00:06
*** itsuugo has joined #openstack-keystone		00:07
*** ddieterly has joined #openstack-keystone		00:18
*** tqtran has quit IRC		00:22
*** asettle has joined #openstack-keystone		00:23
*** ddieterly has quit IRC		00:24
*** Marcellin__ has quit IRC		00:27
*** asettle has quit IRC		00:28
*** thumpba has quit IRC		00:29
*** markvoelker has joined #openstack-keystone		00:34
openstackgerrit	Merged openstack/keystone: Refactor find_migrate_repo(): require caller to specify repo https://review.openstack.org/370856	00:35
openstackgerrit	Merged openstack/keystone: Rename sql.migration_helpers to sql.upgrades https://review.openstack.org/371049	00:35
*** itsuugo has quit IRC		00:45
*** itsuugo has joined #openstack-keystone		00:46
*** thumpba has joined #openstack-keystone		00:55
*** gyee has quit IRC		00:56
*** itsuugo has quit IRC		00:56
*** asettle has joined #openstack-keystone		00:57
*** itsuugo has joined #openstack-keystone		00:58
*** asettle has quit IRC		01:01
*** itsuugo has quit IRC		01:06
*** itsuugo has joined #openstack-keystone		01:08
*** roxanaghe has joined #openstack-keystone		01:09
*** browne has quit IRC		01:14
*** itsuugo has quit IRC		01:15
*** itsuugo has joined #openstack-keystone		01:17
stevemar	crinkle: i look forward to reviewing your doc change :D	01:21
*** EinstCrazy has joined #openstack-keystone		01:21
*** EinstCrazy has quit IRC		01:22
*** itsuugo has quit IRC		01:22
*** EinstCrazy has joined #openstack-keystone		01:22
*** itsuugo has joined #openstack-keystone		01:22
*** itsuugo has quit IRC		01:30
*** itsuugo has joined #openstack-keystone		01:31
*** itsuugo has quit IRC		01:40
*** itsuugo has joined #openstack-keystone		01:41
*** itsuugo has quit IRC		01:51
*** itsuugo has joined #openstack-keystone		01:53
*** itsuugo has quit IRC		02:03
*** itsuugo has joined #openstack-keystone		02:03
*** thumpba has quit IRC		02:08
*** itsuugo has quit IRC		02:11
*** itsuugo has joined #openstack-keystone		02:12
*** itsuugo has quit IRC		02:17
*** itsuugo has joined #openstack-keystone		02:18
*** iurygregory_ has quit IRC		02:22
*** itsuugo has quit IRC		02:23
*** itsuugo has joined #openstack-keystone		02:23
*** catintheroof has joined #openstack-keystone		02:27
*** EinstCrazy has quit IRC		02:30
*** EinstCrazy has joined #openstack-keystone		02:30
*** henrynash has quit IRC		02:33
*** henrynash has joined #openstack-keystone		02:34
*** EinstCrazy has quit IRC		02:34
*** thumpba has joined #openstack-keystone		02:35
*** EinstCrazy has joined #openstack-keystone		02:36
*** EinstCrazy has quit IRC		02:41
*** EinstCrazy has joined #openstack-keystone		02:51
*** itsuugo has quit IRC		02:51
*** itsuugo has joined #openstack-keystone		02:53
*** browne has joined #openstack-keystone		02:53
stevemar	dolphm & lbragstad -- check out https://bugs.launchpad.net/keystone/+bug/1624109	02:55
openstack	Launchpad bug 1624109 in OpenStack Identity (keystone) "keystone-manage fernet_setup fails silently" [Undecided,New]	02:55
*** asettle has joined #openstack-keystone		02:59
*** itsuugo has quit IRC		03:01
*** sdake_ has quit IRC		03:01
*** itsuugo has joined #openstack-keystone		03:02
*** asettle has quit IRC		03:03
*** itsuugo has quit IRC		03:09
*** itsuugo has joined #openstack-keystone		03:11
*** browne has quit IRC		03:12
*** code-R has joined #openstack-keystone		03:14
*** code-R_ has joined #openstack-keystone		03:15
*** itsuugo has quit IRC		03:15
*** itsuugo has joined #openstack-keystone		03:16
*** code-R has quit IRC		03:18
*** EinstCrazy has quit IRC		03:21
*** EinstCrazy has joined #openstack-keystone		03:21
*** itsuugo has quit IRC		03:23
*** itsuugo has joined #openstack-keystone		03:25
*** EinstCrazy has quit IRC		03:26
stevemar	dolphm: or someone else with stable privs: https://review.openstack.org/#/c/367025/30	03:27
stevemar	who the heck even has stable privs any more, i feel like it's just dolphm and myself	03:28
*** itsuugo has quit IRC		03:30
*** itsuugo has joined #openstack-keystone		03:31
*** roxanaghe has quit IRC		03:33
*** mordred has quit IRC		03:38
*** roxanaghe has joined #openstack-keystone		03:39
*** thumpba has quit IRC		03:40
*** thumpba has joined #openstack-keystone		03:40
*** mordred has joined #openstack-keystone		03:43
*** itsuugo has quit IRC		03:48
*** itsuugo has joined #openstack-keystone		03:50
*** itsuugo has quit IRC		03:54
*** itsuugo has joined #openstack-keystone		03:56
*** thumpba has quit IRC		03:58
*** thumpba has joined #openstack-keystone		03:58
*** thumpba has quit IRC		03:58
*** thumpba has joined #openstack-keystone		03:59
*** thumpba has quit IRC		03:59
*** thumpba has joined #openstack-keystone		03:59
*** thumpba has quit IRC		04:00
*** itsuugo has quit IRC		04:00
*** itsuugo has joined #openstack-keystone		04:01
*** chrisshattuck has joined #openstack-keystone		04:07
*** EinstCrazy has joined #openstack-keystone		04:08
*** dave-mccowan has quit IRC		04:08
*** itsuugo has quit IRC		04:08
*** itsuugo has joined #openstack-keystone		04:11
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: move py3 spec from ongoing to newton https://review.openstack.org/371262	04:13
openstackgerrit	Merged openstack/keystone-specs: move py3 spec from ongoing to newton https://review.openstack.org/371262	04:19
*** itsuugo has quit IRC		04:20
*** itsuugo has joined #openstack-keystone		04:21
*** markvoelker has quit IRC		04:28
*** itsuugo has quit IRC		04:28
*** itsuugo has joined #openstack-keystone		04:29
*** stevemar changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html \| Meeting Agenda https://etherpad.openstack.org/p/keystone-weekly-meeting \| Newton retrospective: https://etherpad.openstack.org/p/keystone-newton-retrospective"		04:35
stevemar	if anyone wants to chime in: https://etherpad.openstack.org/p/keystone-newton-retrospective	04:35
stevemar	newton retrospective, would be great to hear thoughts about what worked	04:35
stevemar	and what didn't work	04:35
*** rcernin has quit IRC		04:37
*** itsuugo has quit IRC		04:37
*** itsuugo has joined #openstack-keystone		04:39
*** itsuugo has quit IRC		04:43
*** itsuugo has joined #openstack-keystone		04:45
*** harlowja has quit IRC		04:45
*** itsuugo has quit IRC		04:50
*** itsuugo has joined #openstack-keystone		04:51
*** itsuugo has quit IRC		04:56
*** itsuugo has joined #openstack-keystone		04:57
*** jaosorior has joined #openstack-keystone		04:57
*** asettle has joined #openstack-keystone		05:01
*** itsuugo has quit IRC		05:04
*** itsuugo has joined #openstack-keystone		05:05
*** asettle has quit IRC		05:05
*** esp has quit IRC		05:09
*** itsuugo has quit IRC		05:12
*** tqtran has joined #openstack-keystone		05:13
*** itsuugo has joined #openstack-keystone		05:14
*** itsuugo has quit IRC		05:18
*** woodster_ has quit IRC		05:20
*** itsuugo has joined #openstack-keystone		05:20
*** EinstCrazy has quit IRC		05:24
*** EinstCrazy has joined #openstack-keystone		05:24
*** markvoelker has joined #openstack-keystone		05:28
*** EinstCrazy has quit IRC		05:29
*** markvoelker has quit IRC		05:33
*** itsuugo has quit IRC		05:36
*** itsuugo has joined #openstack-keystone		05:36
*** richm has quit IRC		05:39
*** adriant has quit IRC		05:40
*** itsuugo has quit IRC		05:41
*** esp has joined #openstack-keystone		05:43
*** rcernin has joined #openstack-keystone		05:43
*** itsuugo has joined #openstack-keystone		05:43
*** esp has quit IRC		05:45
*** esp has joined #openstack-keystone		05:45
*** esp has quit IRC		05:46
*** itsuugo has quit IRC		05:48
*** itsuugo has joined #openstack-keystone		05:49
*** chrisshattuck has quit IRC		05:54
*** EinstCrazy has joined #openstack-keystone		05:57
*** thumpba has joined #openstack-keystone		06:01
*** roxanaghe has quit IRC		06:02
*** EinstCrazy has quit IRC		06:04
*** thumpba has quit IRC		06:06
*** itsuugo has quit IRC		06:07
*** itsuugo has joined #openstack-keystone		06:08
*** atod has quit IRC		06:10
*** EinstCrazy has joined #openstack-keystone		06:14
*** rcernin has quit IRC		06:14
*** itsuugo has quit IRC		06:15
*** itsuugo has joined #openstack-keystone		06:16
*** rcernin has joined #openstack-keystone		06:19
*** pcaruana has joined #openstack-keystone		06:23
*** EinstCrazy has quit IRC		06:26
*** itsuugo has quit IRC		06:33
*** itsuugo has joined #openstack-keystone		06:34
*** EinstCrazy has joined #openstack-keystone		06:35
*** dhellmann has quit IRC		06:39
*** vern has quit IRC		06:40
*** dhellmann has joined #openstack-keystone		06:42
*** vern has joined #openstack-keystone		06:43
*** itsuugo has quit IRC		06:44
*** itsuugo has joined #openstack-keystone		06:45
*** joerch has joined #openstack-keystone		06:47
*** itsuugo has quit IRC		06:54
*** itsuugo has joined #openstack-keystone		06:56
*** david-lyle_ has joined #openstack-keystone		06:59
*** david-lyle has quit IRC		07:00
*** itsuugo has quit IRC		07:01
*** itsuugo has joined #openstack-keystone		07:02
*** roxanaghe has joined #openstack-keystone		07:02
breton	\o	07:07
*** roxanaghe has quit IRC		07:07
*** atod has joined #openstack-keystone		07:13
*** itsuugo has quit IRC		07:15
*** itsuugo has joined #openstack-keystone		07:17
*** atod has quit IRC		07:18
*** amoralej\|off is now known as amoralej		07:19
*** aloga has quit IRC		07:20
*** aloga has joined #openstack-keystone		07:20
*** itsuugo has quit IRC		07:22
*** itsuugo has joined #openstack-keystone		07:23
*** jpena\|off is now known as jpena		07:26
*** david-lyle has joined #openstack-keystone		07:28
*** david-lyle_ has quit IRC		07:29
*** markvoelker has joined #openstack-keystone		07:29
*** tqtran has quit IRC		07:33
*** markvoelker has quit IRC		07:34
openstackgerrit	Lucky samadhiya proposed openstack/python-keystoneclient: delete python bytecode including pyo before every test run https://review.openstack.org/371324	07:54
*** pnavarro has joined #openstack-keystone		07:56
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
openstackgerrit	Lucky samadhiya proposed openstack/keystone: delete python bytecode including pyo before every test run https://review.openstack.org/371335	08:01
*** thumpba has joined #openstack-keystone		08:01
*** openstackgerrit has quit IRC		08:03
*** openstackgerrit has joined #openstack-keystone		08:03
*** itsuugo has quit IRC		08:08
*** itsuugo has joined #openstack-keystone		08:10
*** itsuugo has quit IRC		08:15
*** jed56 has joined #openstack-keystone		08:15
*** itsuugo has joined #openstack-keystone		08:16
*** code-R_ has quit IRC		08:17
*** asettle has joined #openstack-keystone		08:20
*** itsuugo has quit IRC		08:21
*** itsuugo has joined #openstack-keystone		08:22
*** itsuugo has quit IRC		08:29
*** thumpba has quit IRC		08:30
*** itsuugo has joined #openstack-keystone		08:31
*** namnh has joined #openstack-keystone		08:41
*** code-R has joined #openstack-keystone		08:42
*** code-R_ has joined #openstack-keystone		08:44
*** code-R has quit IRC		08:48
*** itsuugo has quit IRC		08:49
*** itsuugo has joined #openstack-keystone		08:50
*** roxanaghe has joined #openstack-keystone		08:51
*** itsuugo has quit IRC		08:55
*** roxanaghe has quit IRC		08:55
*** itsuugo has joined #openstack-keystone		08:56
*** EinstCrazy has quit IRC		08:57
*** itsuugo has quit IRC		09:08
*** itsuugo has joined #openstack-keystone		09:10
*** itsuugo has quit IRC		09:15
*** itsuugo has joined #openstack-keystone		09:16
*** itsuugo has quit IRC		09:27
*** itsuugo has joined #openstack-keystone		09:29
*** itsuugo has quit IRC		09:34
*** itsuugo has joined #openstack-keystone		09:36
*** itsuugo has quit IRC		09:41
*** namnh has quit IRC		09:41
*** namnh has joined #openstack-keystone		09:41
*** itsuugo has joined #openstack-keystone		09:42
*** itsuugo has quit IRC		09:47
*** itsuugo has joined #openstack-keystone		09:48
*** daemontool has joined #openstack-keystone		09:49
*** itsuugo has quit IRC		09:57
*** itsuugo has joined #openstack-keystone		09:58
*** daemontool has quit IRC		09:59
*** itsuugo has quit IRC		10:07
*** itsuugo has joined #openstack-keystone		10:09
*** richm has joined #openstack-keystone		10:11
*** itsuugo has quit IRC		10:14
*** itsuugo has joined #openstack-keystone		10:15
*** itsuugo has quit IRC		10:20
*** itsuugo has joined #openstack-keystone		10:21
*** daemontool has joined #openstack-keystone		10:26
*** thumpba has joined #openstack-keystone		10:27
*** thumpba has quit IRC		10:32
*** itsuugo has quit IRC		10:33
*** itsuugo has joined #openstack-keystone		10:36
*** roxanaghe has joined #openstack-keystone		10:39
*** itsuugo has quit IRC		10:41
*** itsuugo has joined #openstack-keystone		10:42
*** sdake has joined #openstack-keystone		10:42
*** roxanaghe has quit IRC		10:44
*** itsuugo has quit IRC		10:51
*** itsuugo has joined #openstack-keystone		10:52
*** nicolasbock has joined #openstack-keystone		10:56
*** itsuugo has quit IRC		10:57
*** namnh has quit IRC		10:57
*** itsuugo has joined #openstack-keystone		10:58
*** itsuugo has quit IRC		11:09
*** itsuugo has joined #openstack-keystone		11:10
*** artmr has joined #openstack-keystone		11:15
samueldmq	morning keystone	11:18
*** itsuugo has quit IRC		11:21
*** itsuugo has joined #openstack-keystone		11:23
breton	samueldmq: o/	11:24
dstanek	samueldmq: !	11:28
samueldmq	breton: dstanek: o/	11:28
*** itsuugo has quit IRC		11:30
*** markvoelker has joined #openstack-keystone		11:31
*** itsuugo has joined #openstack-keystone		11:31
*** markvoelker has quit IRC		11:35
*** itsuugo has quit IRC		11:38
*** itsuugo has joined #openstack-keystone		11:39
*** catintheroof has quit IRC		11:39
*** itsuugo has quit IRC		11:44
*** itsuugo has joined #openstack-keystone		11:45
*** jpena is now known as jpena\|lunch		11:49
*** jed56 has quit IRC		11:55
*** asettle has quit IRC		12:01
*** asettle has joined #openstack-keystone		12:01
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation model https://review.openstack.org/208488	12:05
artmr	hello all	12:05
*** asettle has quit IRC		12:06
*** itsuugo has quit IRC		12:07
artmr	I have a problem with client keystoneclient.v3	12:07
*** amoralej is now known as amoralej\|lunch		12:08
*** itsuugo has joined #openstack-keystone		12:09
*** code-R_ has quit IRC		12:10
artmr	I can't list the roles created in a specific domain filtered by it	12:10
*** code-R has joined #openstack-keystone		12:11
*** asettle has joined #openstack-keystone		12:12
breton	"issued_at": "2016-09-12T23:10:56.000000Z", "expires": "2016-09-13T00:10:55Z"	12:13
breton	have we fixed the issue with different formats of datetimes?	12:13
*** raildo has joined #openstack-keystone		12:15
*** itsuugo has quit IRC		12:20
*** itsuugo has joined #openstack-keystone		12:21
*** markvoelker has joined #openstack-keystone		12:26
*** itsuugo has quit IRC		12:26
*** itsuugo has joined #openstack-keystone		12:27
*** catintheroof has joined #openstack-keystone		12:27
catintheroof	Hi, quick question, suppose i have lots of users into a single OU on ldap, and i need to assign each user to a new domain, i dont need domain specific driver for that right ? i just need multidomains enabled and how to do i do to filter that every user is a new domain ? can i apply some filter on keystone to achieve that ?	12:29
*** edmondsw has joined #openstack-keystone		12:32
*** itsuugo has quit IRC		12:34
*** itsuugo has joined #openstack-keystone		12:35
*** GB21 has joined #openstack-keystone		12:37
*** itsuugo has quit IRC		12:40
*** itsuugo has joined #openstack-keystone		12:41
*** porunov has joined #openstack-keystone		12:44
*** thumpba has joined #openstack-keystone		12:44
*** porunov has left #openstack-keystone		12:45
stevemar	o/	12:56
*** jpena\|lunch is now known as jpena		12:58
samueldmq	stevemar: hi	12:58
samueldmq	stevemar: morning	12:58
samueldmq	artmr: hi, what are the calls you're making ?	12:59
samueldmq	artmr: to create and list roles ?	12:59
*** sdake_ has joined #openstack-keystone		13:00
samueldmq	catintheroof: hi	13:00
samueldmq	catintheroof: I believe you would need to have domain specifc drivers for that	13:01
samueldmq	catintheroof: where each driver (connected to the same ldap) would map users to a different domain	13:01
samueldmq	catintheroof: however, as they're in the same point of the LDAP tree, I am not sure you can achieve that	13:02
samueldmq	ayoung: henrynash: any of you around ? ^	13:02
*** code-R_ has joined #openstack-keystone		13:02
*** sdake has quit IRC		13:03
catintheroof	samueldmq, is there any way to find that out ?	13:03
catintheroof	samueldmq, for sure ? maybe here someone that might know ?	13:03
*** jaosorior has quit IRC		13:03
samueldmq	catintheroof: we could check with ayoung or henrynash if they're around, they will have the answers for that	13:04
*** jaosorior has joined #openstack-keystone		13:04
samueldmq	catintheroof: you need to map each user to a different domain, right ?	13:04
samueldmq	catintheroof: but all the users are in a single point of the LDAP tree	13:04
catintheroof	samueldmq, EXACTLY !	13:05
*** GB21 has quit IRC		13:05
*** code-R has quit IRC		13:05
samueldmq	catintheroof: hmm, with federation mappings you could achieve that , but our LDAP support maps a point of the LDAP tree into a domain	13:05
catintheroof	samueldmq, maybe using domains specific pointing different domains to the same tree, but i need to tell every domain how to find the user that only belongs to that domain, maybe applying some filter to look for a specidif attribute ?	13:06
samueldmq	catintheroof: so you'd have a single domain for them all ... I don't think we support what you need yet	13:06
catintheroof	samueldmq, that's what i need to confirm for sure	13:07
samueldmq	catintheroof: I think you can apply a filter on user name ...	13:07
*** dave-mccowan has joined #openstack-keystone		13:07
samueldmq	catintheroof: so yes, maybe you could do with domain specific configs	13:07
samueldmq	catintheroof: let me look at the code	13:07
samueldmq	catintheroof: just remind that solution will require a bit of configuration	13:08
catintheroof	samueldmq, no prob, if its only conf, that's what openstack is all about, jut need to confirm that config things out will work	13:08
samueldmq	catintheroof: so yes, that's technically possible	13:09
samueldmq	catintheroof: there is a user filter you can use: https://github.com/openstack/keystone/blob/master/keystone/conf/ldap.py#L151	13:09
catintheroof	samueldmq, i was thinkign to add a DOMAIN attribute and apply a filter in the domain config to look only for user with an attribute with X value	13:09
samueldmq	catintheroof: so each domain config would have a ldap config, with that filter set to something different	13:09
catintheroof	samueldmq, oh, let me see	13:10
artmr	Samuel, https://s14.postimg.io/5df0qu3rl/oie_UDq_YPa2m9_RNw.png	13:10
*** ayoung_ has joined #openstack-keystone		13:11
*** atod has joined #openstack-keystone		13:12
artmr	The 'foo' user, admin of cloud joined at 'domainA' creates roles in the 'domainA', but not list it	13:12
artmr	the roles are present in database	13:12
samueldmq	artmr: looking	13:12
ayoung	catintheroof, "every user is a domain?"	13:13
samueldmq	artmr: maybe it's an authorization issue ?	13:13
samueldmq	artmr: check your policy file, maybe that user is not authorized to list roles ?	13:13
samueldmq	artmr: list all roles (wihtout filtering) and see what happens	13:13
artmr	without filter, the same roles are listed	13:16
*** thumpba has quit IRC		13:17
artmr	I'm check the policy file , now	13:17
openstackgerrit	Merged openstack/keystone: Update reno for stable/newton https://review.openstack.org/370878	13:20
artmr	authorization issue?	13:20
catintheroof	ayoung, yeahp !	13:21
catintheroof	ayoung, that's what i need ... dunno if using user_filter would help for every domain specific config	13:21
ayoung	catintheroof, you would have to create a domain each time a user logged in for the first time, then. That seems like a lot of overhead	13:21
ayoung	catintheroof, I think you want HMT and each user gets their own project, then have projects created by defua	13:22
ayoung	default	13:22
catintheroof	ayoung, the users already exists, they are pretty much fixed already (since every user is its own company) so i need to give them a domain, but they are all into the same LDAP tree, so i need on every domain specific config a way to map that domain to just ONE user	13:23
artmr	I create the roles in the same domain with user 'foo' client, but he hasn't authorization for list?	13:24
catintheroof	ayoung, talked with samueldmq and he pointed to me user_filter config feature	13:24
catintheroof	ayoung, maybe that would help ?	13:24
artmr	the user 'foo' is cloud admin	13:26
*** amoralej\|lunch is now known as amoralej		13:27
*** tonytan4ever has joined #openstack-keystone		13:27
*** ddieterly has joined #openstack-keystone		13:27
openstackgerrit	Karen Bradshaw proposed openstack/keystone: [WIP] rebuild api ref as one page/one toc https://review.openstack.org/371541	13:31
ayoung	catintheroof, one domain per user or one domain to bring them all and in the darkness bind them?	13:32
*** spilla has joined #openstack-keystone		13:36
raildo	ayoung, one domain per user sounds like a wrong way to dealing with domains :P	13:36
*** tonytan_brb has joined #openstack-keystone		13:44
*** rodrigods has quit IRC		13:45
*** rodrigods has joined #openstack-keystone		13:45
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation assignment driver https://review.openstack.org/291318	13:45
*** daemontool has quit IRC		13:46
catintheroof	ayoung, raildo of course, but as sometime things are not as we want to (when reaching a customer with an ALIEN ldap structure) i need to adapt, reason why im trying to find out if that can be made, dont know if i understand ayoung sentence, but i think its one user per one domain	13:46
*** tonytan4ever has quit IRC		13:46
ayoung	catintheroof, probably not	13:47
ayoung	catintheroof, you jumped to solutions. Lets start with the problem. You have an LDAP server....	13:47
catintheroof	ayoung, probably can't be made ?	13:47
openstackgerrit	Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager https://review.openstack.org/360735	13:47
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation trust driver https://review.openstack.org/291871	13:48
catintheroof	ayoung, YEAH	13:48
openstackgerrit	Alexander Makarov proposed openstack/keystone: OAuth1 driver for unified delegation https://review.openstack.org/370965	13:48
raildo	ayoung, ++	13:48
catintheroof	ayoung, i have an ldap	13:48
catintheroof	ayoung, raildo all users (every user is a company) is under OU=users,DC=company,DC=com	13:49
ayoung	catintheroof, OK, so each user in LDAP, when they log in to keystone come from a dsingle domain...lets call this domain company_directory	13:50
ayoung	that does not limit them to what projects they can use	13:50
catintheroof	ayoung, exactly	13:50
ayoung	say we have a new company join, with their own LDAP server in a different structure	13:50
ayoung	we'll create a new domain called accquired_directory	13:50
catintheroof	ayoung, sure	13:51
ayoung	lets say there is one big IT project. User from both domains can have a role on the IT project.	13:51
*** sdake_ has quit IRC		13:52
ayoung	their config files would say USER_DOMAIN_NAME=[company_directory\|accquire_directory] and PROJECT_DOMAIN_NAME=IT PROJECT_NAME=common	13:52
ayoung	3 domains. One for each source of users, one for common projects	13:52
catintheroof	ayoung, hmmmm, i think is not the use case	13:54
catintheroof	ayoung, can i elaborate ?	13:55
*** pnavarro has quit IRC		13:57
*** roxanaghe has joined #openstack-keystone		13:58
*** gagehugo has joined #openstack-keystone		14:00
*** roxanaghe has quit IRC		14:03
ayoung	catintheroof, please do, and understand I am multiplexing tasks here, so don't wait for my responses	14:04
*** asettle has quit IRC		14:06
*** asettle has joined #openstack-keystone		14:07
*** asettle has quit IRC		14:07
*** asettle has joined #openstack-keystone		14:07
*** ezpz has joined #openstack-keystone		14:10
*** jaosorior has quit IRC		14:10
*** asettle has quit IRC		14:12
*** asettle has joined #openstack-keystone		14:13
*** ezpz has quit IRC		14:14
samueldmq	artmr: sorry I was afk	14:15
catintheroof	ayoung, i have a single LDAP tree, OU=users,DC=company,DC=com, there are two users USER1, USER2, the customer told me that each user for them is a company, they can't change the LDAP TREE, but want to give the each user a DOMAIN, so that they can create their projects there (they will allways use the same user for that domain) so my question is, taking into consideration that all users are in a single tree, and i want to associate a	14:15
catintheroof	single user there with a specific domain, how can i achieve that ? so, to give an example i was thinking for example (and its just an example that i believe will help to understand what i need) is to add an attribute to USER1 that says domain=DOMAIN1 and use on the keystone.DOMAIN1.conf config file a user_filter to make sure that for that domain, only that user matches. so, in the end, can i match a single user into a tree full of users	14:15
catintheroof	to match one domain only ?	14:15
samueldmq	artmr: so, the user may have a role that gives him authorization to create roles	14:15
samueldmq	artmr: but not to list roles	14:15
samueldmq	artmr: that's why I asked you to list roles (without any filter) with that same user (who is creating roles)	14:16
samueldmq	artmr: what's the status code of the response when you list roles filtering by domain? is it a 200 OK ?	14:17
ayoung	catintheroof, ok, so this is not well supported, but I guess you could use the domain specific backend and the config in the database, but you would have to somehow script adding new entries	14:17
ayoung	I think Federation is going to be the only real option for you	14:17
ayoung	catintheroof, what platform are you deployed on?	14:17
*** asettle has quit IRC		14:18
*** asettle has joined #openstack-keystone		14:18
catintheroof	ayoung, ubuntu 16.04. ubuntu packages for mitaka release against an openLDAP, and, i would love to avoid federation since i want to avoid extra configs and extra hassle where i dont need to, if its possible of course	14:19
*** ddieterly is now known as ddieterly[away]		14:19
*** ddieterly[away] is now known as ddieterly		14:19
ayoung	catintheroof, it is not possible. Your CUstomer gave you the hassle. THis is going to suck no matter what	14:19
catintheroof	ayoung, ahahaha true	14:19
*** tonytan_brb is now known as tonytan4ever		14:20
ayoung	Ah...ok	14:20
ayoung	so no federation	14:20
ayoung	all users come from the same domain	14:20
ayoung	what you want is the domain where they create projects, and that is a notifications issue	14:20
ayoung	catintheroof, are you OK with pre-creating the domains for all users in LDAP?	14:21
ayoung	lets ignore later additions for the moment, we can deal with that in a bit.	14:21
catintheroof	ayoung, absolutely ! im ok with it and yes ... lets ignore that !	14:21
*** asettle has quit IRC		14:23
*** asettle has joined #openstack-keystone		14:23
catintheroof	ayoung, so ... cn=demo1,ou=Users,dc=company,dc=com on DOMAIN1 and cn=demo2,ou=Users,dc=nubeliu,dc=int on DOMAIN2	14:24
catintheroof	ayoung, that what i need	14:24
catintheroof	ayoung, suppose they all already exists and if they need to add a new one, it can be done manually and super controlled	14:25
ayoung	catintheroof, of so you can do that with the Python API, or the CLI fairly easily; for u in keystonec.users():; domain = u.username; keystoinec.domains.create(u)	14:26
ayoung	roughyl speaking of course	14:26
*** jed56 has joined #openstack-keystone		14:26
catintheroof	ayoung, so, how does the user_filter would look like on DOMAIN1 conf to only match user demo1?	14:27
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Return password_expires_at during auth https://review.openstack.org/367008	14:28
*** atod has quit IRC		14:28
ayoung	catintheroof, it doesn't	14:28
ayoung	all users are in a single domain for management. What you do is generate a new domain only for assignment for each one	14:29
ayoung	I forget a step in my pseduocode	14:29
ayoung	pseudo-code	14:29
ayoung	pneumatic drill	14:29
ayoung	damn you autocorrect!	14:29
catintheroof	ayoung, hahahaah	14:29
catintheroof	ayoung, i think im not understanding, can you update your pseudo ?	14:30
artmr	Thank you, samueldmq. I'm not sure what was happening, but I try again and the result was the expected. Later, I'm try reproduce the same scenario from the beginning	14:30
ayoung	for u in keystonec.users():; domain = u.username; d=keystoinec.domains.create(u); keystoinec.roles.assign(u,d,'Member' );	14:30
samueldmq	artmr: you're welcome. Glad you got it working	14:31
*** jaugustine has joined #openstack-keystone		14:31
catintheroof	ayoung, that means that u use multidomains, but not domains specific ?	14:34
*** ravelar has joined #openstack-keystone		14:34
*** nicolasbock has quit IRC		14:36
*** itsuugo has quit IRC		14:38
*** itsuugo has joined #openstack-keystone		14:41
ayoung	rodrigods, sure do!	14:43
rodrigods	ayoung, :)	14:43
*** spilla has quit IRC		14:44
*** nicolasbock has joined #openstack-keystone		14:44
*** woodburn has quit IRC		14:56
ravelar	rodrigods: in comment on test_token_provider.py are you talking about using the validate_token assert test before check_domain_and_project_enabled or switching the test for validate_test?	15:03
ravelar	rodrigods: https://review.openstack.org/#/c/371165/1/keystone/tests/unit/test_token_provider.py	15:03
rodrigods	ravelar, think the test is more valuable if you check if the validation works, not only the method you added	15:03
ravelar	rodrigods: ahh okay, just needed clarification on what you meant. Thanks for you feedback btw!	15:04
*** woodburn has joined #openstack-keystone		15:06
rodrigods	ravelar, np :)	15:12
*** sdake has joined #openstack-keystone		15:14
*** rcernin has quit IRC		15:15
*** chrisshattuck has joined #openstack-keystone		15:17
*** sdake_ has joined #openstack-keystone		15:18
*** sdake has quit IRC		15:20
ayoung	rodrigods, +2 FROM ME	15:26
rodrigods	thanks ayoung	15:26
ayoung	https://review.openstack.org/#/c/358770/7	15:26
*** GB21 has joined #openstack-keystone		15:29
openstackgerrit	Merged openstack/keystone: Fixes password created_at errors due to the server_default https://review.openstack.org/367025	15:29
openstackgerrit	Merged openstack/keystone: Adds tests for verify_length_and_trunc_password() https://review.openstack.org/370239	15:30
*** spedione\|AWAY is now known as spedione		15:34
*** slberger has joined #openstack-keystone		15:38
*** itsuugo has quit IRC		15:39
*** itsuugo has joined #openstack-keystone		15:41
*** ebalduf has joined #openstack-keystone		15:43
*** roxanaghe has joined #openstack-keystone		15:46
*** michauds has joined #openstack-keystone		15:48
*** avozza has joined #openstack-keystone		15:50
*** roxanaghe has quit IRC		15:50
*** avozza has quit IRC		15:52
*** avozza has joined #openstack-keystone		15:53
*** code-R_ has quit IRC		15:59
*** tonytan4ever has quit IRC		16:04
*** roxanaghe has joined #openstack-keystone		16:06
lbragstad	ravelar https://review.openstack.org/#/c/371083/ might help you in removing some revocation events	16:09
*** gyee has joined #openstack-keystone		16:11
*** avozza has quit IRC		16:12
dstanek	dolphm: horizon's out of the box multi-domain support confuses me	16:13
*** mordred has quit IRC		16:13
dstanek	in a brand new devstack instance (configured with multidomain) i can seem to find a way to create domains as admin	16:14
dolphm	dstanek: do you have the Domains tab on the left?	16:15
dstanek	nope	16:15
*** mordred has joined #openstack-keystone		16:17
openstackgerrit	Richard Avelar proposed openstack/keystone: Reduce revoke events for disabled domains/projects https://review.openstack.org/371165	16:17
*** asettle has quit IRC		16:22
*** NishaYadav has joined #openstack-keystone		16:23
*** asettle has joined #openstack-keystone		16:23
NishaYadav	o/	16:25
openstackgerrit	Merged openstack/keystone: Move test_sql_upgrade.MigrationRepository into keystone.common https://review.openstack.org/371058	16:25
*** asettle has quit IRC		16:27
openstackgerrit	David Stanek proposed openstack/keystone: Ensure the sqla-migrate scripts cache is cleared https://review.openstack.org/371075	16:31
dstanek	stevemar: rderose: rodrigods: lbragstad: ^	16:31
lbragstad	dstanek oh - i'm already on it	16:32
lbragstad	dstanek like RG3 and the ground... I'm on it	16:32
dstanek	ouch	16:32
dolphm	dstanek: have you seen scarlise around?	16:32
lbragstad	;)	16:32
dolphm	scarlisle*	16:33
*** ebalduf has quit IRC		16:33
dolphm	or henrynash	16:33
dstanek	dolphm: nope	16:34
*** ddieterly is now known as ddieterly[away]		16:34
*** chrisshattuck has quit IRC		16:37
*** GB21 has quit IRC		16:38
*** chrisshattuck has joined #openstack-keystone		16:39
*** nisha_ has joined #openstack-keystone		16:41
*** artmr has quit IRC		16:42
*** browne has joined #openstack-keystone		16:43
*** jaosorior has joined #openstack-keystone		16:44
*** NishaYadav has quit IRC		16:44
*** esp has joined #openstack-keystone		16:44
*** agireud has quit IRC		16:49
*** nisha__ has joined #openstack-keystone		16:50
*** nisha_ has quit IRC		16:51
*** agireud has joined #openstack-keystone		16:51
*** tqtran has joined #openstack-keystone		16:53
*** spilla has joined #openstack-keystone		16:53
*** ddieterly[away] is now known as ddieterly		16:58
*** itsuugo has quit IRC		17:00
*** itsuugo has joined #openstack-keystone		17:00
*** tonytan4ever has joined #openstack-keystone		17:04
dolphm	stevemar: how much do you know about horizon's domain features?	17:09
*** tonytan4ever has quit IRC		17:10
david-lyle	dolphm: I know a bit :)	17:10
*** ddieterly is now known as ddieterly[away]		17:10
*** ddieterly[away] is now known as ddieterly		17:10
dolphm	david-lyle: \o/	17:10
david-lyle	here or horizon?	17:10
dolphm	david-lyle: here is fine to me	17:11
dolphm	david-lyle: dstanek: so, we're trying to work through federation + multi-domain support both	17:11
david-lyle	ok, what can I answer	17:11
dolphm	david-lyle: so, it looks like horizon can auth for a domain-scoped token	17:11
david-lyle	yes	17:11
dolphm	david-lyle: but we were seeing a couple issues that seem to lie between horizon and keystone's policy	17:12
david-lyle	we'll get a domain scoped token and a project scoped token if you have a role on a project	17:12
dolphm	david-lyle: or horizon's understanding of keystone's policy	17:12
david-lyle	ok	17:12
dolphm	david-lyle: so, as of Mitaka, keystone supports the magic admin project, which is a more explicit form of global root cloud-level admin	17:13
david-lyle	ah yes, this addition is not support yet unfortunately	17:13
dolphm	david-lyle: horizon (in mitaka, i believe) apparently choked on the "token.is_admin_project" flag here https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L3	17:13
*** chrisshattuck has quit IRC		17:14
dolphm	david-lyle: so, we were actually able to make the cloud admin use case work, sort of, by giving a user no authz except the admin role on the admin project... but that user had no Domains tab in horizon, so they couldn't create domains	17:14
dolphm	david-lyle: known issue?	17:15
david-lyle	wouldn't that be expected?	17:15
dolphm	david-lyle: i'd expect a cloud admin to be able to create domains	17:15
david-lyle	if I'm admin in a project aren't I a service admin not an identity admin?	17:15
* david-lyle thinks I missed some finer points of the feature		17:15
dolphm	david-lyle: that's what the is_admin_project / magic admin project is supposed to convey - cloud-level authz	17:16
dolphm	across domains	17:16
david-lyle	for identity as well?	17:16
dolphm	david-lyle: yes	17:16
dolphm	ayoung: correct me if i'm wrong ^^	17:16
david-lyle	is this the offshoot of special projects and domains hiding in plain sight?	17:16
*** scarlisle has joined #openstack-keystone		17:16
dolphm	david-lyle: not really	17:17
david-lyle	because you're really treating that admin project like a domain?	17:17
david-lyle	ok, I'm still confused	17:17
dolphm	david-lyle: so, in liberty and before, the "admin" role on any project basically gave you global / root / cross-domain / whatever admin access, right?	17:17
scarlisle	o/	17:18
david-lyle	right leaky admin, but not in identity IIRC	17:18
*** sdake_ has quit IRC		17:18
dolphm	david-lyle: so, to solve for the "domain admin" case, or even "project admin" case, we introduced a magic project, where, if you have the (now less magical) "admin" role on the (magical) "admin" project, THAT now means you have cloud-level authz, and we suddenly open up the "admin" role to actually be meaningful within a domain or (non-magic-admin) project	17:19
*** jpena is now known as jpena\|away		17:19
david-lyle	within a domain	17:19
david-lyle	so why should I see the domain tab?	17:19
dolphm	david-lyle: there are two cases i think where you should be able to manage domains...	17:20
*** chrisshattuck has joined #openstack-keystone		17:20
david-lyle	ok you should see the domain tab with the current domain listed	17:20
dolphm	david-lyle: and in both cases, the token coming from keystone will now have an is_admin_project flag set to true	17:20
david-lyle	I over simpified	17:20
dolphm	david-lyle: so, you should be able to rely on the is_admin_project attribute in a token to signal "cloud admin"	17:21
david-lyle	but the blurb you pasted above indicates "within a domain"	17:21
david-lyle	which would be domain admin, no?	17:21
dolphm	psh, pasted	17:22
david-lyle	oh I assumed that was from the spec	17:22
dolphm	david-lyle: oh, no. is_admin_project=True == cloud admin	17:23
david-lyle	good grief really?	17:23
dolphm	david-lyle: yes	17:23
dolphm	david-lyle: for deployments that haven't configured these bits in mitaka+, is_admin_project will be "true" for ALL projects with an "admin" role assignment	17:24
*** amoralej is now known as amoralej\|off		17:24
david-lyle	so I can be cloud admin with either a admin role on the admin domain OR an admin role on the is_admin_project project	17:24
dolphm	david-lyle: you have to configure keystone with a specific admin project for it to suddenly become specific in the API	17:24
dolphm	david-lyle: wait, is "admin domain" a thing?	17:25
dolphm	stevemar: ^?	17:25
david-lyle	wasn't that the default domain?	17:25
dolphm	oh, the last bit of https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L3	17:25
david-lyle	admin on the default domain made you cloud admin where default was the default but changeable	17:25
david-lyle	yup	17:26
david-lyle	that was all there was before is_admin_project came into being	17:26
dolphm	david-lyle: the literal string "admin_domain_id" in policy there is supposed to be a placeholder for a real domain ID	17:26
*** nisha_ has joined #openstack-keystone		17:26
dolphm	david-lyle: correct	17:26
david-lyle	dolphm: yes I understand	17:26
david-lyle	and it has to be configured	17:26
dolphm	david-lyle: so, "default" might be a reasonable value to put in place of "admin_domain_id", i suppose	17:26
dolphm	david-lyle: correct	17:26
david-lyle	which is a bit annoying as an aside	17:26
dolphm	david-lyle: agree	17:27
dolphm	david-lyle: that's sort of where is_admin_project makes things "easier"	17:27
david-lyle	sure, but adds another way	17:27
dolphm	honestly, i think we could probably drop support for domain_id:admin_domain_id immediately... ? cc- henrynash ayoung ?	17:28
david-lyle	we have not fully pulled in the is_admin_project	17:28
david-lyle	we can update django_openstack_auth and release it for O	17:28
dolphm	david-lyle: this is also made more complicated by policy.v3cloudsample.json now trying to support multiple different use cases, it could be simplified if not split (at least)	17:28
david-lyle	and consider a backport to N	17:28
*** tonytan4ever has joined #openstack-keystone		17:29
david-lyle	yes the sample is very complicated	17:29
*** nisha__ has quit IRC		17:29
dolphm	david-lyle: that'd be valuable, but you're going to have to help me understand if that will address my second use case...	17:29
dolphm	or maybe this use case is supported some other way and i'm just lost	17:29
dolphm	david-lyle: so, while you have a very small number of cloud admins, we'd like to have many more domain-level admins, that do not have authorization across domains	17:30
david-lyle	yes, theoretically that should be supported now	17:31
dolphm	david-lyle: so, if you have 10 domains, i'd like to have a domain admin group of users for each of them, with domain+group+admin-role assignments	17:31
david-lyle	we are probably checking roles directly, you would have to have the admin role on the domain you want to administer	17:32
dolphm	david-lyle: maybe you could just point me to the code (i've been grepping through horizon and django openstack auth looking for it)... but what is horizon expecting before it exposes domain-admin UI features?	17:32
dolphm	david-lyle: so, an 'admin' role on a domain-scoped token	17:32
david-lyle	yes	17:32
dolphm	david-lyle: does that depend on the contents of policy at all?	17:32
openstackgerrit	Kristi Nikolla proposed openstack/keystone: WIP: Devstack plugin for Federation https://review.openstack.org/320623	17:32
dolphm	david-lyle: or would 'admin' be hardcoded?	17:32
david-lyle	dolphm: it shouldn't be hardcoded, I hope that it's not	17:33
* david-lyle looks for the code		17:33
dolphm	david-lyle: appreciate all your help, btw	17:33
*** nisha__ has joined #openstack-keystone		17:33
*** ddieterly is now known as ddieterly[away]		17:33
*** ddieterly[away] is now known as ddieterly		17:33
david-lyle	no worries, I put off the domain scoped token support in horizon for a long time because it created such a mess	17:34
dolphm	david-lyle: =D	17:34
david-lyle	now we have it, and it's indeed a mess	17:34
*** ddieterly is now known as ddieterly[away]		17:34
david-lyle	because we ended up with things like https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L295 which aren't very flexible	17:35
*** chrisshattuck has quit IRC		17:35
*** nisha__ is now known as nishaYadav		17:35
david-lyle	but at least it's policy driven assuming that policy rule exists	17:36
*** nisha_ has quit IRC		17:37
david-lyle	so whatever you defined for admin_required should work	17:37
*** chrisshattuck has joined #openstack-keystone		17:38
dolphm	david-lyle: thinking	17:38
david-lyle	now we ran into all sorts of problems trying to tie domain admin to any sort of project admin abiliity	17:38
david-lyle	so a domain admin in horizon just allows managing identity	17:38
david-lyle	for that domain	17:39
dolphm	david-lyle: gotcha	17:39
dolphm	david-lyle: that would explain a bit of what we saw	17:39
david-lyle	the project token is used to determine your roles for other services	17:39
dolphm	david-lyle: so you can't even create a project?	17:39
dolphm	david-lyle: as a domain admin?	17:39
david-lyle	you can create a project	17:39
dolphm	david-lyle: oh?	17:39
david-lyle	that's identity	17:39
dolphm	oooh	17:39
david-lyle	we had to strip quota out of it though	17:40
david-lyle	which is somewhat unrelated but cobbled into the typical horizon workflow for creating a projec	17:40
david-lyle	t	17:40
ayoung	dolphm, in a meeting,	17:41
dolphm	ayoung: ack	17:41
ayoung	domain_id:admin_domain_id should be superceded by is_admin project, but is really just a doc change	17:41
*** ravelar has quit IRC		17:42
dolphm	david-lyle: ^	17:42
ayoung	so, yeah, document more than dropping it, I think	17:42
david-lyle	release not for anybody using the existing mechanism	17:42
david-lyle	*note	17:42
*** spzala has joined #openstack-keystone		17:43
dolphm	ayoung: is the code capable of evaluating token.is_admin_project:True somewhere in keystone instead of oslo.policy?	17:44
dolphm	david-lyle: and does openstack_dashboard use oslo.policy to evaluate other service's policy files?	17:44
david-lyle	yes	17:45
david-lyle	we have to add a little strangeness up front for credentials, but essentially yes it's just oslo policy	17:45
dolphm	ayoung: i don't see anything to evaluate is_admin_project in either keystone or oslo.policy	17:47
ayoung	dolphm, I think it always has been. I had it working a while back. The cloudsample one was changed	17:47
openstackgerrit	Kristi Nikolla proposed openstack/keystone: WIP: Devstack plugin for Federation https://review.openstack.org/320623	17:48
ayoung	and I had an approach for the default policy, but...jamie had a different approach and we were working to make it happen	17:48
ayoung	my approach was "if nothing is set in keystone, report all admin tokens as admin tokens"	17:48
ayoung	jamie's was a little more introspective	17:48
ayoung	let me see	17:48
dolphm	ayoung: i thought your approach is what we were using	17:48
ayoung	dolphm, http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n3	17:49
dolphm	ayoung: if you have the "admin" role and keystone is not configured with an [resource] admin_project_name, then the project doesn't matter and is_admin_project appears true in all tokens, no?	17:49
ayoung	dolphm, in keystone, I think we are. But that is not quite what oslo-context is doing	17:49
ayoung	keystone as it is today does not use oslo-context	17:49
ayoung	but it passes the whole token to policy, so we can enforce on token values	17:50
ayoung	that policy rule would not work in Nova or glance	17:50
dolphm	oh weird	17:50
ayoung	token.is_admin_project:True	17:50
ayoung	yeah	17:50
dolphm	ayoung: so that's why it doesn't work in horizon, either?	17:50
ayoung	so jamielennox got it fixed in context, and was working through all the other projects, cuz they do funky things	17:50
rodrigods	knikolla, ^ how is this evolving?	17:50
ayoung	that was what we were discussing so long in the meeting on Tuesday	17:50
ayoung	dolphm, probably worth you rereading the Evesdrop of that now with the additional context	17:51
ayoung	the oslo-context fix went in a while back, let me see...	17:51
knikolla	rodrigods: it basically just needs testing.	17:51
rodrigods	knikolla, awesome	17:52
rodrigods	knikolla, can you add in the commit message how we would use the plugin?	17:52
rodrigods	what should be added in the local.conf file	17:52
dolphm	ayoung: tuesday this week?	17:52
ayoung	dolphm, yeah this one	17:53
knikolla	rodrigods: everything is in the readme.rst in the devstack folder. when using it from the gerrit review you need to also set the keystone_repo and keystone_branch as usual.	17:53
ayoung	dolphm, here is the oslo fix	17:53
ayoung	https://review.openstack.org/#/c/331916/	17:53
ayoung	dolphm, but then there is a follow on one for nova that looks like this: https://review.openstack.org/#/c/341905/	17:54
ayoung	I'm not certain if that is needed, or just a better way	17:54
ayoung	jamielennox, seemed to imply it was needed, but I can't quite track how	17:55
knikolla	i think i want to pick up http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/service-providers-filters.html for ocata.	17:55
*** adrian_otto has joined #openstack-keystone		17:58
dolphm	david-lyle: ayoung: thanks for your help - i have to run to a meeting, but that's given me a bunch of info to run with	17:58
ayoung	dolphm, YW	17:59
david-lyle	dolphm: np, let me know what else we missed :)	17:59
*** adrian_otto has quit IRC		17:59
dolphm	david-lyle: my next question will be about federation support :)	18:00
david-lyle	dolphm: find lhcheng and bring him back	18:00
david-lyle	I'll do my best	18:01
*** adrian_otto has joined #openstack-keystone		18:04
*** slberger1 has joined #openstack-keystone		18:04
*** slberger has quit IRC		18:04
*** chrisshattuck has quit IRC		18:10
*** chrisshattuck has joined #openstack-keystone		18:11
*** dave-mcc_ has joined #openstack-keystone		18:12
*** harlowja has joined #openstack-keystone		18:13
*** dave-mccowan has quit IRC		18:16
*** hello_world has joined #openstack-keystone		18:17
*** adrian_otto has quit IRC		18:17
*** hello_world is now known as Guest59295		18:17
*** adrian_otto has joined #openstack-keystone		18:18
Guest59295	hi! Is there someone who can explain me how can I get project id by auth_url and auth_token?	18:20
*** Marcellin__ has joined #openstack-keystone		18:21
*** avozza has joined #openstack-keystone		18:21
openstackgerrit	Kristi Nikolla proposed openstack/keystone-specs: Move 'Service provider filters' to Ocata https://review.openstack.org/371754	18:22
*** adrian_otto has quit IRC		18:23
Guest59295	I went through these steps https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/client.py#L135-L140 and then got http://paste.openstack.org/show/580216/	18:23
*** spzala has quit IRC		18:24
*** adrian_otto has joined #openstack-keystone		18:24
*** ravelar has joined #openstack-keystone		18:26
*** chlong_ has quit IRC		18:27
*** avozza has quit IRC		18:30
*** ddieterly[away] is now known as ddieterly		18:30
*** spzala has joined #openstack-keystone		18:33
*** spzala has quit IRC		18:37
*** nisha_ has joined #openstack-keystone		18:38
*** Guest59295 has quit IRC		18:38
*** ravelar has quit IRC		18:40
*** nishaYadav has quit IRC		18:41
*** spzala has joined #openstack-keystone		18:46
*** ravelar has joined #openstack-keystone		18:46
*** nisha_ is now known as nishaYadav		18:50
*** adrian_otto has quit IRC		18:52
*** adrian_otto has joined #openstack-keystone		18:55
*** adrian_otto has quit IRC		18:55
*** adrian_otto has joined #openstack-keystone		18:57
*** adrian_otto has quit IRC		18:58
*** thiagolib has quit IRC		18:58
*** jaosorior has quit IRC		19:05
*** nishaYadav has quit IRC		19:05
rodrigods	knikolla, regarding http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/service-providers-filters.html	19:09
rodrigods	you can take it :)	19:10
rodrigods	(if is there any work remaining to do)	19:10
knikolla	rodrigods: any place i can see how much has been implemented or not? maybe a very old etherpad?	19:12
rodrigods	knikolla, https://blueprints.launchpad.net/keystone/+spec/service-provider-filters	19:12
*** ddieterly is now known as ddieterly[away]		19:14
knikolla	rodrigods: only one of the reviews in the list there got merged	19:15
rodrigods	knikolla, hmm so you should definitely take it!	19:16
knikolla	rodrigods: cool. i'll add it to the list of topics for tuesday's meeting.	19:18
rodrigods	++	19:18
*** ddieterly[away] is now known as ddieterly		19:20
*** adrian_otto has joined #openstack-keystone		19:20
rodrigods	did something break kcs functional tests?	19:23
*** spedione is now known as chris_hultin		19:27
*** roxanaghe has quit IRC		19:28
*** david-lyle has quit IRC		19:30
*** david-lyle has joined #openstack-keystone		19:30
*** roxanaghe has joined #openstack-keystone		19:30
openstackgerrit	Kristi Nikolla proposed openstack/keystone: WIP: Devstack plugin for Federation https://review.openstack.org/320623	19:31
*** adrian_otto has quit IRC		19:32
*** adrian_otto has joined #openstack-keystone		19:35
*** atod has joined #openstack-keystone		19:38
*** roxanaghe has quit IRC		19:38
*** adrian_otto has quit IRC		19:39
*** esp has quit IRC		19:40
*** nicolasbock has quit IRC		19:42
*** david-lyle has quit IRC		19:43
*** jpena\|away is now known as jpena\|off		19:44
*** itsuugo has quit IRC		19:50
*** itsuugo has joined #openstack-keystone		19:50
*** ddieterly is now known as ddieterly[away]		19:53
*** roxanaghe has joined #openstack-keystone		19:55
openstackgerrit	Kristi Nikolla proposed openstack/keystone: WIP: Devstack plugin for Federation https://review.openstack.org/320623	19:56
openstackgerrit	Richard Avelar proposed openstack/keystone: Reduce revoke events for disabled domains/projects https://review.openstack.org/371165	19:58
*** openstackstatus has quit IRC		19:58
*** sdake has joined #openstack-keystone		19:59
*** openstackstatus has joined #openstack-keystone		20:00
*** ChanServ sets mode: +v openstackstatus		20:00
*** slberger1 has quit IRC		20:01
*** slberger has joined #openstack-keystone		20:04
*** alex_xu has quit IRC		20:04
*** alex_xu has joined #openstack-keystone		20:07
openstackgerrit	Richard Avelar proposed openstack/keystone: Reduce revoke events for disabled domains/projects https://review.openstack.org/371165	20:07
*** atod has quit IRC		20:08
*** chris_hultin is now known as spedione\|AWAY		20:08
*** dave-mcc_ has quit IRC		20:11
*** ddieterly[away] is now known as ddieterly		20:15
*** AndyWojo has quit IRC		20:16
*** AndyWojo has joined #openstack-keystone		20:17
*** Marcellin__ has quit IRC		20:21
*** Marcellin__ has joined #openstack-keystone		20:23
*** woodburn has left #openstack-keystone		20:31
*** iurygregory has quit IRC		20:32
*** dave-mccowan has joined #openstack-keystone		20:33
lbragstad	ravelar hah - looks like we test this already https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/test_v3_auth.py#L623	20:37
*** sdake has quit IRC		20:37
ravelar	lbragstad haha nice, one less thing now	20:37
lbragstad	ravelar and here - https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/test_v3_auth.py#L991	20:37
lbragstad	yep!	20:37
lbragstad	ravelar so that's the behavior we want to make sure we preserve	20:37
*** dave-mccowan has quit IRC		20:38
*** raildo has quit IRC		20:38
lbragstad	ravelar another thing we can probably refactor once one of our patches merges is this - https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/token/provider.py#L163-L164	20:39
*** itsuugo has quit IRC		20:40
lbragstad	merge*	20:40
*** itsuugo has joined #openstack-keystone		20:41
ravelar	lbragstad sounds good to me, looking forward to cleaning this up more ha	20:41
*** Marcellin__ has quit IRC		20:47
*** gyee has quit IRC		20:48
*** atod has joined #openstack-keystone		20:49
*** spzala has quit IRC		20:50
*** edmondsw has quit IRC		20:51
*** ebalduf has joined #openstack-keystone		20:55
*** sdake has joined #openstack-keystone		20:55
*** itsuugo has quit IRC		21:02
*** itsuugo has joined #openstack-keystone		21:04
openstackgerrit	Richard Avelar proposed openstack/keystone: Reduce revoke events for disabled domains/projects https://review.openstack.org/371165	21:09
*** ravelar has quit IRC		21:17
*** wasmum has quit IRC		21:18
*** sdake has quit IRC		21:20
*** wasmum has joined #openstack-keystone		21:20
*** sdake has joined #openstack-keystone		21:21
*** adrian_otto has joined #openstack-keystone		21:21
*** ebalduf has quit IRC		21:23
*** adrian_otto has quit IRC		21:24
*** sdake has quit IRC		21:25
*** spilla has quit IRC		21:26
*** michauds has quit IRC		21:28
lbragstad	so...	21:29
lbragstad	this confuses me https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/token/test_backends.py#L466-L473	21:29
lbragstad	how it is possible to create a token when the project you're scoping to doesn't exist?	21:29
lbragstad	O.o	21:29
*** jaugustine has quit IRC		21:30
lbragstad	or the user?!	21:32
*** ddieterly is now known as ddieterly[away]		21:33
*** ddieterly[away] is now known as ddieterly		21:34
*** itsuugo has quit IRC		21:43
*** itsuugo has joined #openstack-keystone		21:44
*** slberger has left #openstack-keystone		21:46
*** scarlisle has quit IRC		21:55
*** ddieterly has quit IRC		22:04
*** ravelar has joined #openstack-keystone		22:05
*** ravelar has quit IRC		22:06
*** gyee has joined #openstack-keystone		22:16
*** itsuugo has quit IRC		22:18
*** itsuugo has joined #openstack-keystone		22:19
*** chrisshattuck has quit IRC		22:21
*** ayoung_ has quit IRC		22:24
ayoung	lbragstad, it was based on isolating the back ends. Old stuff, and possibly from the termie time frame	22:26
ayoung	lets see	22:26
*** catintheroof has quit IRC		22:31
*** markvoelker has quit IRC		22:34
*** itsuugo has quit IRC		22:39
*** itsuugo has joined #openstack-keystone		22:41
*** chrisshattuck has joined #openstack-keystone		22:44
*** chrisshattuck has quit IRC		22:45
*** david-lyle has joined #openstack-keystone		22:48
*** spzala has joined #openstack-keystone		22:54
*** itsuugo has quit IRC		22:55
*** itsuugo has joined #openstack-keystone		22:56
*** erhudy has quit IRC		23:02
*** itsuugo has quit IRC		23:06
*** itsuugo has joined #openstack-keystone		23:08
*** spzala has quit IRC		23:20
*** atod has quit IRC		23:43
openstackgerrit	Merged openstack/keystone: Ensure the sqla-migrate scripts cache is cleared https://review.openstack.org/371075	23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!