bknudson | I assume 1 for x-subject-token, 1 for x-auth-token, 1 for validate_token ? | 00:00 |
---|---|---|
bknudson | should be able to get rid of the one for validate_token since it's x-subject-token. | 00:00 |
jamielennox | i think there is still some overlap now that auth_token middleware is in front of keystone | 00:00 |
bknudson | does auth_token care about x-subject-token ? | 00:01 |
jamielennox | i removed most but those auth paths are fraught with danger and i probably left it | 00:01 |
jamielennox | yes | 00:01 |
jamielennox | i'm not sure what's going on here with common/cache, it's being stored on the context which is stored on TLS | 00:02 |
jamielennox | ? | 00:02 |
bknudson | seems like that would be left to keystone, since x-subject-token gets returned so keystone needs the token data. | 00:02 |
bknudson | jamielennox: yes, the cache values are stored on the context which is in TLS. | 00:03 |
bknudson | not sure why it's not its own bit of TLS? | 00:03 |
jamielennox | the token data is there after auth_token middleware - we should just move it into the context itself rather than wrappers | 00:03 |
bknudson | y, that would be handy, then validate_token would just be return context.subject_token | 00:04 |
jamielennox | why? x-subject-token gets validated which is what auth_token does. it can access the info in the same way as any other service | 00:04 |
jamielennox | yep, i want to make request.context actually useful | 00:04 |
jamielennox | i had a POC that actually attached a bunch of caching on context but it meant that you needed to have the backends all registered on the context | 00:05 |
jamielennox | and the dependency manager thing is not good with that | 00:05 |
bknudson | context should be able to get all the managers if it wants. | 00:06 |
bknudson | they're essentially globals | 00:06 |
dstanek | bknudson: yeah, that's terrible | 00:07 |
jamielennox | bknudson: i'd be ok with that if it wasn't for the dependency resolver system | 00:08 |
*** EinstCrazy has joined #openstack-keystone | 00:09 | |
*** EinstCrazy has quit IRC | 00:10 | |
openstackgerrit | Richard Avelar proposed openstack/keystone: Change python code revocation search to sql https://review.openstack.org/359371 | 00:17 |
openstackgerrit | Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435 | 00:24 |
*** itsuugo has quit IRC | 00:25 | |
*** tqtran has quit IRC | 00:27 | |
*** itsuugo has joined #openstack-keystone | 00:28 | |
*** roxanaghe has quit IRC | 00:36 | |
*** ddieterly has joined #openstack-keystone | 00:39 | |
*** itsuugo has quit IRC | 00:41 | |
*** itsuugo has joined #openstack-keystone | 00:43 | |
*** markvoelker has joined #openstack-keystone | 00:45 | |
*** markvoelker has quit IRC | 00:49 | |
*** itsuugo has quit IRC | 00:49 | |
openstackgerrit | Merged openstack/keystone: Revert "Allow compatibility with keystonemiddleware 4.0.0" https://review.openstack.org/374284 | 00:50 |
*** itsuugo has joined #openstack-keystone | 00:52 | |
*** spzala has joined #openstack-keystone | 00:53 | |
*** spzala has quit IRC | 00:53 | |
*** spzala has joined #openstack-keystone | 00:54 | |
openstackgerrit | Sean Perry proposed openstack/keystone: Add domain check in domain-specific role implication https://review.openstack.org/374463 | 00:56 |
*** spzala has quit IRC | 00:58 | |
*** davechen has joined #openstack-keystone | 01:00 | |
*** esp has quit IRC | 01:02 | |
*** sdake has quit IRC | 01:06 | |
*** itsuugo has quit IRC | 01:07 | |
*** itsuugo has joined #openstack-keystone | 01:08 | |
stevemar | breton: rodrigods ouch, stable/newton needs the backported patch too: https://review.openstack.org/374445 | 01:09 |
*** itsuugo has quit IRC | 01:18 | |
*** itsuugo has joined #openstack-keystone | 01:19 | |
*** itsuugo has quit IRC | 01:23 | |
*** itsuugo has joined #openstack-keystone | 01:25 | |
*** guoshan has joined #openstack-keystone | 01:26 | |
stevemar | wow we went crazy with deprecations in Mitaka eh | 01:29 |
stevemar | https://blueprints.launchpad.net/keystone/+spec/removed-as-of-ocata | 01:29 |
stevemar | using oslo.cache and making extensions always enabled really moved a lot of things around | 01:29 |
*** EinstCrazy has joined #openstack-keystone | 01:32 | |
*** r-daneel has quit IRC | 01:42 | |
*** namnh has joined #openstack-keystone | 01:42 | |
*** markvoelker has joined #openstack-keystone | 01:46 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens https://review.openstack.org/374479 | 01:49 |
stevemar | breton: oh, i forgot i had a patch that removed PKI, again it was done on a flight and i'm not sure if it's passing tests, want to take it over? ^^^ | 01:49 |
*** woodster_ has quit IRC | 01:50 | |
*** markvoelker has quit IRC | 01:50 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: WIP: remove LDAP write support https://review.openstack.org/374482 | 01:51 |
stevemar | knikolla: found the ldap remove patch ^ | 01:51 |
knikolla | stevemar: awesome! | 01:52 |
stevemar | knikolla: you can try to break it up into smaller patches if it makes things easier | 01:54 |
stevemar | but *shrug* | 01:54 |
stevemar | knikolla: apparently i did a better job of cleaning up the PKI stuff | 01:55 |
knikolla | stevemar: must have been a long flight. | 01:56 |
stevemar | knikolla: i think toronto to texas? i'm not sure :P | 01:56 |
knikolla | stevemar: next up barcelona! | 01:57 |
stevemar | knikolla: you coming? | 02:02 |
knikolla | stevemar: yep, i've also got a vbrownbag talk. | 02:03 |
stevemar | knikolla: nice, what are you gonna talk about? | 02:03 |
knikolla | stevemar: resource federation in a multi-landlord cloud. we've built a proxy which uses k2k to let users access resources from federated clouds. | 02:04 |
knikolla | stevemar: we were planning to make the changes in nova, but in the midcycle they favored the proxy approach. | 02:05 |
knikolla | (which explains why i missed the keystone midcycle) | 02:05 |
stevemar | knikolla: ah, i was wondering why :) | 02:05 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated items from contrib https://review.openstack.org/374489 | 02:08 |
*** spzala has joined #openstack-keystone | 02:08 | |
*** namnh has quit IRC | 02:08 | |
*** itsuugo has quit IRC | 02:16 | |
*** itsuugo has joined #openstack-keystone | 02:16 | |
*** spzala has quit IRC | 02:18 | |
*** itsuugo has quit IRC | 02:21 | |
*** ddieterly has quit IRC | 02:22 | |
*** itsuugo has joined #openstack-keystone | 02:22 | |
*** itsuugo has quit IRC | 02:27 | |
*** itsuugo has joined #openstack-keystone | 02:29 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove cache backends https://review.openstack.org/374496 | 02:31 |
*** itsuugo has quit IRC | 02:34 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove memcache token persistence backends https://review.openstack.org/374499 | 02:34 |
*** itsuugo has joined #openstack-keystone | 02:34 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove httpd/keystone.py https://review.openstack.org/374500 | 02:36 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated config options https://review.openstack.org/374504 | 02:39 |
*** ddieterly has joined #openstack-keystone | 02:42 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated config options https://review.openstack.org/374504 | 02:43 |
*** itsuugo has quit IRC | 02:44 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove saml2 auth plugin https://review.openstack.org/374508 | 02:44 |
*** itsuugo has joined #openstack-keystone | 02:45 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove keystone/service.py https://review.openstack.org/374509 | 02:46 |
*** markvoelker has joined #openstack-keystone | 02:46 | |
*** itsuugo has quit IRC | 02:50 | |
*** itsuugo has joined #openstack-keystone | 02:50 | |
*** markvoelker has quit IRC | 02:51 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated items from contrib https://review.openstack.org/374489 | 02:52 |
*** ddieterly has quit IRC | 02:53 | |
davechen | stevemar: wow, you are proposing like patch bot. :) | 02:54 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated config options https://review.openstack.org/374504 | 02:54 |
stevemar | davechen: haha, this is the easy stuff! | 02:54 |
stevemar | davechen: git rm <file> | 02:54 |
davechen | stevemar: what's got updated for this one - https://review.openstack.org/#/c/374489/ | 02:55 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove memcache token persistence backends https://review.openstack.org/374499 | 02:56 |
stevemar | davechen: the catalog_sql backend, i am not removing it right now | 02:57 |
stevemar | davechen: i don't think we deprecated it :( | 02:57 |
stevemar | davechen: well, it also caused random tests to fail, so i wanted to post my other changes before looking at the failures | 02:58 |
stevemar | davechen: feel free to remove it in a follow on :P | 02:58 |
davechen | stevemar: ah, that bit, we are trying to consolidate into catalog long long time ago! | 02:59 |
*** itsuugo has quit IRC | 02:59 | |
davechen | stevemar: iirc, there is still a patch to address that. | 02:59 |
*** itsuugo has joined #openstack-keystone | 03:00 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated items from contrib https://review.openstack.org/374489 | 03:01 |
stevemar | davechen: ^^ pep8 fixes | 03:01 |
*** david-lyle has quit IRC | 03:03 | |
*** itsuugo has quit IRC | 03:05 | |
*** itsuugo has joined #openstack-keystone | 03:05 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated config options https://review.openstack.org/374504 | 03:07 |
openstackgerrit | Colleen Murphy proposed openstack/keystone: Update, correct, and enhance federation docs https://review.openstack.org/371210 | 03:07 |
*** sdake has joined #openstack-keystone | 03:08 | |
*** itsuugo has quit IRC | 03:10 | |
*** itsuugo has joined #openstack-keystone | 03:11 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated config options https://review.openstack.org/374504 | 03:13 |
stevemar | crinkle: pumped to read your doc update | 03:16 |
*** roxanaghe has joined #openstack-keystone | 03:19 | |
*** roxanaghe has quit IRC | 03:22 | |
*** ravelar has quit IRC | 03:22 | |
crinkle | stevemar: \o/ | 03:26 |
*** roxanaghe has joined #openstack-keystone | 03:26 | |
stevemar | crinkle: i owe you many drinks of your choice in barcelona | 03:26 |
*** itsuugo has quit IRC | 03:27 | |
* crinkle looks up expensive champagnes | 03:27 | |
stevemar | crinkle: also, if you're interested: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm and https://etherpad.openstack.org/p/keystone-newton-retrospective -- i'm looking for feedback and such | 03:27 |
crinkle | stevemar: i'll take a peek | 03:27 |
*** itsuugo has joined #openstack-keystone | 03:28 | |
*** roxanaghe has quit IRC | 03:30 | |
stevemar | crinkle: i think https://www.tripadvisor.ca/ShowUserReviews-g187443-d4086816-r219835826-Mercado_Provenzal-Seville_Province_of_Seville_Andalucia.html is better than champagne | 03:32 |
stevemar | "In Seville, for your 40 cents small beer" | 03:32 |
*** itsuugo has quit IRC | 03:33 | |
*** itsuugo has joined #openstack-keystone | 03:34 | |
crinkle | hahaha | 03:37 |
*** itsuugo has quit IRC | 03:43 | |
*** itsuugo has joined #openstack-keystone | 03:44 | |
*** roxanaghe has joined #openstack-keystone | 03:45 | |
*** esp has joined #openstack-keystone | 03:46 | |
*** itsuugo has quit IRC | 03:49 | |
*** itsuugo has joined #openstack-keystone | 03:51 | |
*** guoshan has quit IRC | 03:52 | |
*** adriant has quit IRC | 03:52 | |
*** itsuugo has quit IRC | 03:56 | |
*** itsuugo has joined #openstack-keystone | 03:57 | |
*** roxanaghe has quit IRC | 04:00 | |
openstackgerrit | Tony Xu proposed openstack/pycadf: Add oslo.i18n to requirements https://review.openstack.org/374522 | 04:02 |
*** itsuugo has quit IRC | 04:04 | |
*** roxanaghe has joined #openstack-keystone | 04:04 | |
*** nicolasbock has quit IRC | 04:04 | |
*** roxanaghe has quit IRC | 04:05 | |
*** roxanaghe has joined #openstack-keystone | 04:06 | |
*** itsuugo has joined #openstack-keystone | 04:06 | |
*** gagehugo has quit IRC | 04:07 | |
openstackgerrit | Tony Xu proposed openstack/pycadf: Add oslo.i18n to requirements https://review.openstack.org/374522 | 04:09 |
*** itsuugo has quit IRC | 04:11 | |
*** tristanC has quit IRC | 04:11 | |
*** itsuugo has joined #openstack-keystone | 04:13 | |
*** code-R has joined #openstack-keystone | 04:13 | |
*** itsuugo has quit IRC | 04:20 | |
*** vaishali_ has joined #openstack-keystone | 04:22 | |
*** itsuugo has joined #openstack-keystone | 04:22 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated items from contrib https://review.openstack.org/374489 | 04:22 |
*** roxanaghe has quit IRC | 04:23 | |
*** itsuugo has quit IRC | 04:26 | |
*** itsuugo has joined #openstack-keystone | 04:28 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove deprecated config options https://review.openstack.org/374504 | 04:41 |
*** itsuugo has quit IRC | 04:43 | |
*** itsuugo has joined #openstack-keystone | 04:44 | |
*** code-R has quit IRC | 04:47 | |
*** itsuugo has quit IRC | 04:49 | |
*** dikonoor has joined #openstack-keystone | 04:50 | |
*** itsuugo has joined #openstack-keystone | 04:51 | |
*** ravelar has joined #openstack-keystone | 04:52 | |
*** roxanaghe has joined #openstack-keystone | 04:52 | |
*** dikonoor has quit IRC | 04:57 | |
*** itsuugo has quit IRC | 04:59 | |
*** itsuugo has joined #openstack-keystone | 05:00 | |
*** dikonoor has joined #openstack-keystone | 05:04 | |
*** jaosorior has joined #openstack-keystone | 05:07 | |
*** itsuugo has quit IRC | 05:15 | |
*** itsuugo has joined #openstack-keystone | 05:15 | |
*** itsuugo has quit IRC | 05:20 | |
*** itsuugo has joined #openstack-keystone | 05:21 | |
*** ianw has quit IRC | 05:23 | |
*** ianw has joined #openstack-keystone | 05:27 | |
*** itsuugo has quit IRC | 05:28 | |
*** itsuugo has joined #openstack-keystone | 05:29 | |
*** roxanaghe has quit IRC | 05:30 | |
*** itsuugo has quit IRC | 05:34 | |
breton | morning, keystone | 05:34 |
*** itsuugo has joined #openstack-keystone | 05:36 | |
*** esp has quit IRC | 05:37 | |
openstackgerrit | Tony Xu proposed openstack/oslo.policy: Remove oslo.utils from requirements https://review.openstack.org/374539 | 05:38 |
*** richm has quit IRC | 05:40 | |
*** itsuugo has quit IRC | 05:43 | |
*** itsuugo has joined #openstack-keystone | 05:45 | |
*** dikonoor has quit IRC | 05:49 | |
breton | stevemar: pki patch is good, just some imports left | 05:50 |
*** tonytan_brb has quit IRC | 05:56 | |
*** itsuugo has quit IRC | 05:56 | |
*** itsuugo has joined #openstack-keystone | 05:57 | |
openstackgerrit | Tony Xu proposed openstack/oslo.policy: Remove oslo.utils from requirements https://review.openstack.org/374539 | 05:58 |
*** guoshan has joined #openstack-keystone | 06:00 | |
*** rcernin has joined #openstack-keystone | 06:07 | |
*** itsuugo has quit IRC | 06:10 | |
*** dikonoor has joined #openstack-keystone | 06:10 | |
*** itsuugo has joined #openstack-keystone | 06:11 | |
*** itsuugo has quit IRC | 06:16 | |
*** itsuugo has joined #openstack-keystone | 06:18 | |
*** vaishali_ has quit IRC | 06:26 | |
openstackgerrit | Roman Bogorodskiy proposed openstack/python-keystoneclient: Fix non-ascii attributes https://review.openstack.org/374552 | 06:29 |
*** vaishali_ has joined #openstack-keystone | 06:38 | |
*** roxanaghe has joined #openstack-keystone | 06:40 | |
*** AlexeyAbashkin has quit IRC | 06:44 | |
*** roxanaghe has quit IRC | 06:44 | |
*** AlexeyAbashkin has joined #openstack-keystone | 06:46 | |
openstackgerrit | Merged openstack/keystone: Tweak status code in api-ref doc for v3 users https://review.openstack.org/367767 | 06:49 |
*** vaishali_ has quit IRC | 06:57 | |
openstackgerrit | Qiming Teng proposed openstack/keystone: Reorder APIs in api-ref doc for v3 users https://review.openstack.org/373660 | 07:04 |
*** vaishali_ has joined #openstack-keystone | 07:09 | |
*** asettle has joined #openstack-keystone | 07:09 | |
openstackgerrit | Qiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups status codes https://review.openstack.org/367793 | 07:11 |
*** asettle has quit IRC | 07:14 | |
openstackgerrit | Qiming Teng proposed openstack/keystone: Reorder APIs in api-ref for v3 groups https://review.openstack.org/374577 | 07:16 |
*** amoralej|off is now known as amoralej | 07:28 | |
*** sdake has quit IRC | 07:30 | |
*** jpena|off is now known as jpena | 07:34 | |
*** marekd2 has joined #openstack-keystone | 07:35 | |
*** roxanaghe has joined #openstack-keystone | 07:41 | |
*** sto has left #openstack-keystone | 07:41 | |
*** marekd2 has quit IRC | 07:41 | |
*** roxanaghe has quit IRC | 07:45 | |
*** acoles_ is now known as acoles | 07:46 | |
*** ravelar has quit IRC | 07:53 | |
*** tonytan4ever has joined #openstack-keystone | 07:57 | |
*** namnh has joined #openstack-keystone | 07:57 | |
*** code-R has joined #openstack-keystone | 07:58 | |
*** zzzeek has quit IRC | 08:00 | |
openstackgerrit | gengchc2 proposed openstack/keystone: Replace assertEqual(None, *) with assertIsNone in tests https://review.openstack.org/374598 | 08:00 |
*** zzzeek has joined #openstack-keystone | 08:00 | |
*** tonytan4ever has quit IRC | 08:02 | |
*** jamielennox is now known as jamielennox|away | 08:09 | |
*** itsuugo has quit IRC | 08:13 | |
*** itsuugo has joined #openstack-keystone | 08:14 | |
*** rakhmerov has quit IRC | 08:17 | |
*** rakhmerov has joined #openstack-keystone | 08:17 | |
*** namnh_ has joined #openstack-keystone | 08:25 | |
*** code-R has quit IRC | 08:25 | |
*** namnh has quit IRC | 08:25 | |
*** namnh_ has quit IRC | 08:26 | |
*** namnh has joined #openstack-keystone | 08:26 | |
*** itsuugo has quit IRC | 08:35 | |
*** itsuugo has joined #openstack-keystone | 08:36 | |
*** asettle has joined #openstack-keystone | 08:40 | |
*** itsuugo has quit IRC | 08:43 | |
*** itsuugo has joined #openstack-keystone | 08:44 | |
*** itsuugo has quit IRC | 08:51 | |
*** itsuugo has joined #openstack-keystone | 08:52 | |
*** itsuugo has quit IRC | 08:57 | |
*** itsuugo has joined #openstack-keystone | 08:58 | |
openstackgerrit | ChangBo Guo(gcb) proposed openstack/oslo.policy: Doc: declare YAML/JSON support https://review.openstack.org/374632 | 09:16 |
*** jamielennox|away is now known as jamielennox | 09:18 | |
*** itsuugo has quit IRC | 09:18 | |
*** itsuugo has joined #openstack-keystone | 09:20 | |
*** ig0r_ has joined #openstack-keystone | 09:25 | |
*** itsuugo has quit IRC | 09:25 | |
*** asettle has quit IRC | 09:26 | |
*** itsuugo has joined #openstack-keystone | 09:26 | |
*** asettle has joined #openstack-keystone | 09:27 | |
*** asettle has quit IRC | 09:28 | |
*** asettle has joined #openstack-keystone | 09:28 | |
*** itsuugo has quit IRC | 09:31 | |
*** itsuugo has joined #openstack-keystone | 09:32 | |
*** mvk has quit IRC | 09:35 | |
*** itsuugo has quit IRC | 09:40 | |
*** code-R has joined #openstack-keystone | 09:41 | |
*** itsuugo has joined #openstack-keystone | 09:42 | |
*** code-R_ has joined #openstack-keystone | 09:43 | |
*** code-R has quit IRC | 09:47 | |
*** itsuugo has quit IRC | 09:47 | |
*** vaishali_ has quit IRC | 09:47 | |
*** itsuugo has joined #openstack-keystone | 09:48 | |
*** markvoelker has joined #openstack-keystone | 09:52 | |
*** itsuugo has quit IRC | 09:55 | |
*** markvoelker has quit IRC | 09:56 | |
*** marekd2 has joined #openstack-keystone | 09:56 | |
*** itsuugo has joined #openstack-keystone | 09:57 | |
*** tonytan4ever has joined #openstack-keystone | 09:58 | |
*** tonytan4ever has quit IRC | 10:02 | |
*** EinstCrazy has quit IRC | 10:05 | |
*** EinstCrazy has joined #openstack-keystone | 10:05 | |
*** EinstCrazy has quit IRC | 10:05 | |
*** mvk has joined #openstack-keystone | 10:06 | |
*** EinstCrazy has joined #openstack-keystone | 10:06 | |
*** asettle has quit IRC | 10:07 | |
*** itsuugo has quit IRC | 10:09 | |
*** EinstCrazy has quit IRC | 10:11 | |
*** itsuugo has joined #openstack-keystone | 10:11 | |
*** richm has joined #openstack-keystone | 10:11 | |
*** asettle has joined #openstack-keystone | 10:13 | |
*** marekd2 has quit IRC | 10:19 | |
*** itsuugo has quit IRC | 10:19 | |
*** itsuugo has joined #openstack-keystone | 10:21 | |
*** davechen has left #openstack-keystone | 10:23 | |
*** vaishali_ has joined #openstack-keystone | 10:25 | |
*** asettle has quit IRC | 10:26 | |
*** asettle has joined #openstack-keystone | 10:27 | |
*** bjolo has joined #openstack-keystone | 10:27 | |
*** itsuugo has quit IRC | 10:31 | |
*** itsuugo has joined #openstack-keystone | 10:33 | |
*** nicolasbock has joined #openstack-keystone | 10:35 | |
*** guoshan has quit IRC | 10:36 | |
*** ddieterly has joined #openstack-keystone | 10:42 | |
*** itsuugo has quit IRC | 10:43 | |
*** itsuugo has joined #openstack-keystone | 10:43 | |
*** asettle has quit IRC | 10:48 | |
*** asettle has joined #openstack-keystone | 10:48 | |
*** asettle has quit IRC | 10:48 | |
*** itsuugo has quit IRC | 10:48 | |
*** asettle has joined #openstack-keystone | 10:49 | |
*** itsuugo has joined #openstack-keystone | 10:49 | |
*** markvoelker has joined #openstack-keystone | 10:53 | |
*** itsuugo has quit IRC | 10:54 | |
*** itsuugo has joined #openstack-keystone | 10:55 | |
*** markvoelker has quit IRC | 10:57 | |
*** itsuugo has quit IRC | 11:00 | |
*** marekd2 has joined #openstack-keystone | 11:00 | |
*** itsuugo has joined #openstack-keystone | 11:00 | |
*** marekd2 has quit IRC | 11:01 | |
*** marekd2 has joined #openstack-keystone | 11:01 | |
*** marekd2 has quit IRC | 11:03 | |
*** marekd2 has joined #openstack-keystone | 11:03 | |
*** GB21 has joined #openstack-keystone | 11:05 | |
*** hoonetorg has joined #openstack-keystone | 11:06 | |
*** dikonoor has quit IRC | 11:10 | |
*** marekd2 has quit IRC | 11:10 | |
*** guoshan has joined #openstack-keystone | 11:19 | |
*** jistr is now known as jistr|mtg | 11:20 | |
*** dikonoor has joined #openstack-keystone | 11:21 | |
*** code-R_ has quit IRC | 11:35 | |
*** itsuugo has quit IRC | 11:36 | |
*** code-R has joined #openstack-keystone | 11:36 | |
*** itsuugo has joined #openstack-keystone | 11:38 | |
*** ddieterly has quit IRC | 11:38 | |
*** guoshan has quit IRC | 11:41 | |
*** guoshan has joined #openstack-keystone | 11:41 | |
*** itsuugo has quit IRC | 11:43 | |
breton | stevemar: do we need revocation lists API if PKI is removed? | 11:44 |
*** itsuugo has joined #openstack-keystone | 11:44 | |
*** guoshan has quit IRC | 11:46 | |
*** dikonoor has quit IRC | 11:46 | |
*** markvoelker has joined #openstack-keystone | 11:50 | |
*** jpena is now known as jpena|lunch | 11:53 | |
*** asettle has quit IRC | 11:53 | |
*** itsuugo has quit IRC | 11:54 | |
*** zigo has quit IRC | 11:54 | |
*** itsuugo has joined #openstack-keystone | 11:56 | |
*** code-R has quit IRC | 11:56 | |
*** code-R_ has joined #openstack-keystone | 11:56 | |
*** srobert has joined #openstack-keystone | 11:57 | |
*** gordc has joined #openstack-keystone | 11:58 | |
*** gordc has quit IRC | 11:58 | |
breton | i think that we can remove it | 11:58 |
*** zigo has joined #openstack-keystone | 11:58 | |
breton | but ceph is known for calling it from time to time | 11:58 |
*** zigo is now known as Guest83601 | 11:59 | |
*** guoshan has joined #openstack-keystone | 11:59 | |
*** edmondsw has joined #openstack-keystone | 12:02 | |
*** itsuugo has quit IRC | 12:02 | |
*** dikonoor has joined #openstack-keystone | 12:03 | |
*** namnh has quit IRC | 12:03 | |
*** Guest83601 has quit IRC | 12:03 | |
*** itsuugo has joined #openstack-keystone | 12:04 | |
*** porunov has joined #openstack-keystone | 12:08 | |
porunov | Hello! Does somebody know how to use policy.json? I want to use it for keystone and swift. But I don't know where to find those files and how to run swift or keystone with a special policy.json file. | 12:08 |
*** jdennis has joined #openstack-keystone | 12:09 | |
*** guoshan has quit IRC | 12:09 | |
*** nk2527 has quit IRC | 12:10 | |
*** guoshan has joined #openstack-keystone | 12:10 | |
*** amoralej is now known as amoralej|lunch | 12:10 | |
*** zigo_ has joined #openstack-keystone | 12:12 | |
*** guoshan_ has joined #openstack-keystone | 12:14 | |
*** guoshan has quit IRC | 12:14 | |
*** itsuugo has quit IRC | 12:16 | |
*** zigo_ has quit IRC | 12:17 | |
*** itsuugo has joined #openstack-keystone | 12:17 | |
*** zigo_ has joined #openstack-keystone | 12:18 | |
*** pauloewerton has joined #openstack-keystone | 12:21 | |
*** itsuugo has quit IRC | 12:22 | |
*** rodrigods has quit IRC | 12:24 | |
*** rodrigods has joined #openstack-keystone | 12:24 | |
*** itsuugo has joined #openstack-keystone | 12:24 | |
*** ddieterly has joined #openstack-keystone | 12:30 | |
*** asettle has joined #openstack-keystone | 12:31 | |
*** itsuugo has quit IRC | 12:35 | |
*** jistr|mtg is now known as jistr | 12:36 | |
*** itsuugo has joined #openstack-keystone | 12:36 | |
*** guoshan_ has quit IRC | 12:38 | |
*** srobert has quit IRC | 12:38 | |
*** guoshan has joined #openstack-keystone | 12:39 | |
*** roxanaghe has joined #openstack-keystone | 12:39 | |
*** ddieterly has quit IRC | 12:40 | |
*** roxanaghe has quit IRC | 12:43 | |
*** itsuugo has quit IRC | 12:45 | |
*** guoshan has quit IRC | 12:46 | |
*** vaishali_ has quit IRC | 12:46 | |
*** guoshan has joined #openstack-keystone | 12:46 | |
*** vaishali_ has joined #openstack-keystone | 12:46 | |
*** itsuugo has joined #openstack-keystone | 12:47 | |
*** guoshan has quit IRC | 12:47 | |
*** zigo_ has quit IRC | 12:48 | |
*** zigo_ has joined #openstack-keystone | 12:51 | |
*** david-lyle has joined #openstack-keystone | 12:57 | |
breton | porunov: they are usually in /etc/{component}/policy.json | 12:58 |
breton | porunov: for example in /etc/keystone/policy.json | 12:58 |
breton | porunov: samples are also in our repo, in etc/ directory | 12:59 |
breton | porunov: there are 2 samples -- policy.json and policyv3cloudsample.json | 12:59 |
*** tonytan4ever has joined #openstack-keystone | 12:59 | |
*** jpena|lunch is now known as jpena | 13:00 | |
*** tonytan4ever has quit IRC | 13:05 | |
*** itsuugo has quit IRC | 13:06 | |
*** itsuugo has joined #openstack-keystone | 13:08 | |
*** GB21 has quit IRC | 13:09 | |
*** GB21 has joined #openstack-keystone | 13:10 | |
*** jaosorior has quit IRC | 13:12 | |
*** jaosorior has joined #openstack-keystone | 13:13 | |
*** vaishali_ has quit IRC | 13:13 | |
*** GB21 has quit IRC | 13:16 | |
*** code-R has joined #openstack-keystone | 13:16 | |
*** jpena has left #openstack-keystone | 13:17 | |
*** guoshan has joined #openstack-keystone | 13:18 | |
bknudson | breton: we can't remove any APIs without going to a new version of the identity API | 13:19 |
*** woodster_ has joined #openstack-keystone | 13:20 | |
*** code-R_ has quit IRC | 13:20 | |
bknudson | I mean a major version ( v4 ) | 13:20 |
bknudson | it's only PKI tokens that are being removed as far as I know. | 13:21 |
*** spzala has joined #openstack-keystone | 13:27 | |
*** itsuugo has quit IRC | 13:27 | |
*** itsuugo has joined #openstack-keystone | 13:29 | |
*** ayoung has quit IRC | 13:30 | |
*** itsuugo has quit IRC | 13:34 | |
*** lamt has joined #openstack-keystone | 13:35 | |
*** itsuugo has joined #openstack-keystone | 13:36 | |
breton | bknudson: ok. So revocation lists can return just an empty list on each request if PKI are removed? | 13:39 |
bknudson | breton: if you're using uuid then there's a revocation list. | 13:41 |
*** asettle has quit IRC | 13:42 | |
bknudson | isn't there? | 13:42 |
*** asettle has joined #openstack-keystone | 13:47 | |
*** code-R has quit IRC | 13:48 | |
*** code-R has joined #openstack-keystone | 13:48 | |
*** spedione|AWAY is now known as spedione | 13:52 | |
*** srobert has joined #openstack-keystone | 13:52 | |
*** ngupta has joined #openstack-keystone | 13:58 | |
*** woodburn has joined #openstack-keystone | 14:00 | |
*** tonytan4ever has joined #openstack-keystone | 14:00 | |
*** r-daneel has joined #openstack-keystone | 14:01 | |
*** tonytan4ever has quit IRC | 14:05 | |
*** ddieterly has joined #openstack-keystone | 14:05 | |
*** sdake has joined #openstack-keystone | 14:06 | |
*** tonytan4ever has joined #openstack-keystone | 14:18 | |
*** daemontool has joined #openstack-keystone | 14:22 | |
*** roxanaghe has joined #openstack-keystone | 14:25 | |
dstanek | when does master open back up for O? | 14:25 |
*** zzzeek has quit IRC | 14:27 | |
bknudson | dstanek: it's open! | 14:29 |
bknudson | it's open when there's a stable/newton | 14:29 |
*** roxanaghe has quit IRC | 14:29 | |
*** jaosorior has quit IRC | 14:29 | |
*** zzzeek has joined #openstack-keystone | 14:31 | |
dstanek | bknudson: yay! | 14:31 |
bknudson | go to town | 14:32 |
*** amoralej|lunch is now known as amoralej | 14:33 | |
*** edtubill has joined #openstack-keystone | 14:43 | |
*** dikonoor has quit IRC | 14:45 | |
*** ayoung has joined #openstack-keystone | 14:49 | |
*** ChanServ sets mode: +v ayoung | 14:49 | |
*** catintheroof has joined #openstack-keystone | 14:50 | |
*** mfisch has joined #openstack-keystone | 14:51 | |
*** esp has joined #openstack-keystone | 14:51 | |
*** guoshan has quit IRC | 14:51 | |
*** mfisch has quit IRC | 14:51 | |
*** mfisch has joined #openstack-keystone | 14:51 | |
*** daemontool has quit IRC | 14:54 | |
*** daemontool has joined #openstack-keystone | 14:55 | |
*** nkinder has joined #openstack-keystone | 14:59 | |
*** ravelar has joined #openstack-keystone | 15:00 | |
*** rcernin has quit IRC | 15:07 | |
*** arahal_ has joined #openstack-keystone | 15:09 | |
*** nkinder has quit IRC | 15:09 | |
*** wajdi has joined #openstack-keystone | 15:13 | |
*** r-daneel has quit IRC | 15:13 | |
*** EinstCrazy has joined #openstack-keystone | 15:13 | |
wajdi | hello | 15:13 |
*** zigo_ is now known as zigo | 15:14 | |
samueldmq | hi keystone | 15:15 |
dstanek | hi samueldmq | 15:15 |
samueldmq | dstanek: o/ | 15:15 |
*** slberger has joined #openstack-keystone | 15:16 | |
amakarov | hi all! I found a question in openstack questionary: https://ask.openstack.org/en/question/69026/websso-with-keystone-idp/ | 15:16 |
amakarov | and actually ran into the same issue | 15:16 |
amakarov | Who was able to set up working federation recently? | 15:16 |
amakarov | I've set it up in kilo, and now I can't do that in mitaka | 15:17 |
*** lamt has quit IRC | 15:18 | |
dstanek | amakarov: not recently, but i'm pretty sure i've used mitaka and test-shib | 15:18 |
amakarov | dstanek, can you please provide a link to the scenario? | 15:19 |
dstanek | amakarov: ? | 15:20 |
*** nkinder has joined #openstack-keystone | 15:20 | |
amakarov | dstanek, for example: https://bigjools.wordpress.com/2015/05/22/saml-federation-with-openstack/ | 15:21 |
wajdi | I've been playing around with trusts, and I'm having difficulty with the following scenario. As an admin, I want to provide a trust from userA to userB. I am unable to accomplish this. Is this an expected behaviour? I was able to successfully apply a trust if my client was logged in as the trustor. I'm wondering if there is something obvious I am missing to allow my flow to work, or if this is as designed behaviour? | 15:21 |
dstanek | amakarov: oh, i don't have a blog post about it. let me see if my ansible stuff still works to create this | 15:21 |
amakarov | wajdi, yes - admin can do that | 15:21 |
dstanek | amakarov: what idp are you using? | 15:21 |
amakarov | dstanek, keystone in another cloud | 15:22 |
amakarov | dstanek, can you access this bug? https://bugs.launchpad.net/mos/+bug/1626471 | 15:22 |
openstack | Launchpad bug 1626471 in Mirantis OpenStack "Shibboleth doesn't recognize keystone IdP metadata" [Undecided,New] - Assigned to MOS Keystone (mos-keystone) | 15:22 |
dstanek | amakarov: does your metadata look correct? | 15:22 |
amakarov | dstanek, it looks correct for me, though shibboleth disagrees | 15:23 |
dstanek | amakarov: what is MOS? | 15:23 |
wajdi | amakarov: thanks for the response. So, I must be clearly missing something that is not allowing me to do this. I keep getting a Forbidden when trying to create the trust as admin. Is there anywhere you can point me in the right direction to ensure that I have covered the proper configuration to allow this behaviour to work? | 15:23 |
amakarov | dstanek, Mirantis OpenStack - consider it a clone :) | 15:23 |
dstanek | ah, ok | 15:24 |
*** nk2527 has joined #openstack-keystone | 15:25 | |
*** gagehugo has joined #openstack-keystone | 15:25 | |
*** EinstCrazy has quit IRC | 15:26 | |
*** slberger has quit IRC | 15:26 | |
dstanek | amakarov: ok, i'm going to try to setup k2k using my own scripts and see what happens | 15:27 |
dstanek | i haven't run them for quite a while so i hope they still work | 15:27 |
amakarov | dstanek, thank you, our first-class citizen fate is in your hands! | 15:28 |
*** slberger has joined #openstack-keystone | 15:29 | |
dstanek | amakarov: lol, ok. | 15:29 |
stevemar | dstanek: amakarov if you're looking for k2k setup... crinkle just went through it and updated the docs https://review.openstack.org/#/c/371210/ | 15:29 |
dstanek | amakarov: i'm going to use ubuntu 15.10 and mitaka | 15:29 |
dstanek | stevemar: nice, i'll use that as a resource if my roles don't work | 15:30 |
amakarov | wajdi, I have a silly question: have you enabled trusts in config? (just in case) | 15:30 |
dstanek | stevemar: crinkle: as a side effect i'll be in the right frame of mind for that review | 15:31 |
dstanek | amakarov: or not...it looks like Rackspace doesn't have a 15.04 image anymore so i'm going to use 16.04 | 15:32 |
amakarov | dstanek, I assume it's irrelevant :) | 15:33 |
breton | stevemar: i worked on your patch to remove PKI. The big issue is token revocation lists. We have an API that returns it. The API signs the list with same keys as PKI tokens. | 15:33 |
wajdi | @amakarov That is definitely not a silly question. Jumping in to Keystone for the first time, it is entirely possible something was missed. I *assumed* it would work because the call worked when not an admin. Let me validate. | 15:33 |
breton | stevemar: i see 2 options here. The first is to leave signing part in keystone completely. The second is to create a hardcoded null key | 15:34 |
dstanek | breton: can we keep that while just removing the tokens? | 15:34 |
breton | dstanek: yep, message above | 15:35 |
dstanek | that's what i would do to limit breaking folks using that api | 15:35 |
wajdi | @amakarov So under [trust], enabled = true | 15:36 |
*** ntpttr has quit IRC | 15:36 | |
amakarov | wajdi, well, let me take a closer look into the code | 15:37 |
wajdi | amakarov: Sure! Thank you for taking a look. Really appreciate it. | 15:37 |
*** ravelar has quit IRC | 15:38 | |
stevemar | breton: yes, you are right, i remember that part now when i was working on it | 15:39 |
stevemar | breton: so lets see... | 15:39 |
amakarov | wajdi, sorry, I was mistaken: https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L126 | 15:39 |
stevemar | breton: give me a minute to look at the patch, i just rebased it and pushed | 15:39 |
amakarov | wajdi, there is a strict requirement for trust creator to be the trustor | 15:39 |
wajdi | amakarov: Ah! Excellent. I have the full picture now. This lets me make a more confident design choice now for my solution. | 15:40 |
amakarov | wajdi, btw you can set debug=true in config to see verbose responses | 15:40 |
wajdi | amakarov: Yes. Will definitely need to be more diligent with analyzing my errors. Probably would have caught that one if debug was True. | 15:41 |
breton | stevemar: you want to do it yourself? I planned to push it soon-ish today | 15:42 |
stevemar | breton: oh go ahead | 15:42 |
stevemar | breton: i like never have time to do actual code | 15:42 |
stevemar | breton: thats why i do the removal patches lol | 15:42 |
wajdi | amakarov: Thank you for your time! | 15:43 |
*** arahal_ has quit IRC | 15:46 | |
*** ravelar has joined #openstack-keystone | 15:47 | |
*** ddieterly is now known as ddieterly[away] | 15:50 | |
*** ddieterly[away] is now known as ddieterly | 15:53 | |
*** esp has quit IRC | 15:54 | |
*** itsuugo has quit IRC | 15:55 | |
*** itsuugo has joined #openstack-keystone | 15:57 | |
*** ngupta has quit IRC | 15:58 | |
*** ngupta has joined #openstack-keystone | 15:59 | |
*** ngupta has quit IRC | 16:00 | |
*** ngupta has joined #openstack-keystone | 16:00 | |
*** code-R has quit IRC | 16:01 | |
*** arahal_ has joined #openstack-keystone | 16:01 | |
*** gyee has joined #openstack-keystone | 16:04 | |
*** ddieterly is now known as ddieterly[away] | 16:05 | |
*** ddieterly[away] is now known as ddieterly | 16:05 | |
*** ddieterly is now known as ddieterly[away] | 16:06 | |
*** ravelar has quit IRC | 16:13 | |
*** itsuugo has quit IRC | 16:18 | |
*** itsuugo has joined #openstack-keystone | 16:20 | |
*** rcernin has joined #openstack-keystone | 16:20 | |
*** code-R has joined #openstack-keystone | 16:24 | |
*** code-R has quit IRC | 16:26 | |
*** code-R has joined #openstack-keystone | 16:26 | |
*** spedione is now known as spedione|AWAY | 16:28 | |
*** ddieterly[away] is now known as ddieterly | 16:31 | |
*** edtubill has quit IRC | 16:39 | |
*** zigo has quit IRC | 16:41 | |
*** mvk has quit IRC | 16:41 | |
*** asettle has quit IRC | 16:41 | |
*** asettle has joined #openstack-keystone | 16:42 | |
openstackgerrit | Merged openstack/keystone: remove saml2 auth plugin https://review.openstack.org/374508 | 16:42 |
openstackgerrit | Merged openstack/oslo.policy: Remove oslo.utils from requirements https://review.openstack.org/374539 | 16:43 |
*** asettle has quit IRC | 16:46 | |
*** code-R has quit IRC | 16:47 | |
*** esp has joined #openstack-keystone | 16:47 | |
*** ravelar has joined #openstack-keystone | 16:49 | |
*** zigo has joined #openstack-keystone | 16:51 | |
*** zigo is now known as Guest18656 | 16:52 | |
*** Guest18656 has quit IRC | 16:56 | |
*** zigo_ has joined #openstack-keystone | 16:59 | |
*** browne has joined #openstack-keystone | 17:01 | |
*** ravelar has quit IRC | 17:02 | |
*** GB21 has joined #openstack-keystone | 17:04 | |
amakarov | dstanek, keystone generated metadata is attached to the bug 1626471 | 17:05 |
openstack | bug 1626471 in Mirantis OpenStack "Shibboleth doesn't recognize keystone IdP metadata" [Undecided,New] https://launchpad.net/bugs/1626471 - Assigned to MOS Keystone (mos-keystone) | 17:05 |
*** roxanaghe has joined #openstack-keystone | 17:06 | |
dstanek | amakarov: thx | 17:07 |
*** zigo_ has quit IRC | 17:07 | |
*** artmr has joined #openstack-keystone | 17:08 | |
*** zigo_ has joined #openstack-keystone | 17:11 | |
openstackgerrit | Merged openstack/keystone: remove httpd/keystone.py https://review.openstack.org/374500 | 17:18 |
*** ravelar has joined #openstack-keystone | 17:22 | |
*** code-R has joined #openstack-keystone | 17:28 | |
*** spedione|AWAY is now known as spedione | 17:29 | |
*** acoles is now known as acoles_ | 17:29 | |
*** roxanaghe_ has joined #openstack-keystone | 17:33 | |
*** edtubill has joined #openstack-keystone | 17:34 | |
*** roxanaghe__ has joined #openstack-keystone | 17:34 | |
openstackgerrit | Kristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support https://review.openstack.org/374482 | 17:37 |
*** roxanaghe has quit IRC | 17:37 | |
*** shaleh has quit IRC | 17:37 | |
*** spedione is now known as spedione|AWAY | 17:38 | |
*** roxanaghe_ has quit IRC | 17:39 | |
*** amoralej is now known as amoralej|off | 17:43 | |
openstackgerrit | Kristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support https://review.openstack.org/374482 | 17:43 |
*** lamt has joined #openstack-keystone | 17:44 | |
openstackgerrit | Rodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: test revocation search to sql https://review.openstack.org/374999 | 17:48 |
rodrigods | stevemar, ravelar ^ creative way to test https://review.openstack.org/#/c/359371/ | 17:48 |
*** jdennis has quit IRC | 17:51 | |
*** roxanaghe_ has joined #openstack-keystone | 17:56 | |
*** itsuugo has quit IRC | 17:57 | |
*** itsuugo has joined #openstack-keystone | 17:58 | |
ravelar | rodrigods nice! | 17:58 |
*** tqtran has joined #openstack-keystone | 17:59 | |
*** roxanaghe__ has quit IRC | 17:59 | |
*** code-R_ has joined #openstack-keystone | 18:03 | |
*** gyee has quit IRC | 18:04 | |
*** code-R has quit IRC | 18:06 | |
*** jdennis has joined #openstack-keystone | 18:07 | |
*** ngupta_ has joined #openstack-keystone | 18:09 | |
*** ig0r_ has quit IRC | 18:09 | |
*** jdennis has quit IRC | 18:11 | |
*** ngupta has quit IRC | 18:12 | |
*** ddieterly is now known as ddieterly[away] | 18:14 | |
*** jdennis has joined #openstack-keystone | 18:20 | |
*** ngupta_ has quit IRC | 18:20 | |
*** ngupta has joined #openstack-keystone | 18:20 | |
*** spedione|AWAY is now known as spedione | 18:21 | |
*** GB21 has quit IRC | 18:22 | |
*** ngupta_ has joined #openstack-keystone | 18:22 | |
*** ayoung has quit IRC | 18:25 | |
*** ngupta_ has quit IRC | 18:25 | |
*** ngupta_ has joined #openstack-keystone | 18:26 | |
*** arunkant__ has joined #openstack-keystone | 18:26 | |
*** ngupta has quit IRC | 18:26 | |
*** code-R_ has quit IRC | 18:29 | |
*** code-R has joined #openstack-keystone | 18:30 | |
*** ngupta_ has quit IRC | 18:30 | |
*** jdennis has quit IRC | 18:34 | |
*** ddieterly[away] is now known as ddieterly | 18:44 | |
bknudson | rodrigods: we need something repeatable on every commit not a one-off. | 18:45 |
bknudson | if there's a concern that the revocation sql change isn't tested adequately then improve the tests in keystone | 18:46 |
openstackgerrit | Boris Bobrov proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens https://review.openstack.org/374479 | 18:48 |
bknudson | there's actually 3 calls to list_events when a token is validated: | 18:50 |
bknudson | 1) validate the x-auth-token | 18:50 |
bknudson | 2) in @protected decorator! | 18:50 |
bknudson | 3) in validate_token | 18:50 |
bknudson | both 2 and 3 validate the subject token | 18:50 |
bknudson | so those 2 should be combined. | 18:51 |
bknudson | we can cut down on an entire token validation and call to list_events. | 18:51 |
openstackgerrit | Kristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support https://review.openstack.org/374482 | 18:51 |
*** ngupta has joined #openstack-keystone | 18:53 | |
*** porunov has quit IRC | 18:53 | |
*** arahal_ has quit IRC | 18:58 | |
bknudson | jamielennox: here's where the extra validate_token of the subject token comes from : http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n136 -- it's not in auth_token. | 19:02 |
*** itsuugo has quit IRC | 19:04 | |
*** itsuugo has joined #openstack-keystone | 19:04 | |
*** jdennis has joined #openstack-keystone | 19:09 | |
*** ddieterly is now known as ddieterly[away] | 19:10 | |
*** daemontool has quit IRC | 19:12 | |
lbragstad | i'm working on implementing mvc for the token API - and what I have so far kind of confuses me | 19:12 |
lbragstad | cc jamielennox dstanek ^ | 19:12 |
bknudson | can't imagine anyone finding token processing confusing. | 19:13 |
lbragstad | bknudson I was on a roll yesterday - but now i'm lost | 19:13 |
*** daemontool has joined #openstack-keystone | 19:13 | |
dstanek | lbragstad: what's wrong? | 19:14 |
lbragstad | so far - i've collapsed all the token provider validate token methods into a single self.token_provider_api.validate_token(token_id) method | 19:14 |
lbragstad | dstanek everything | 19:14 |
lbragstad | :) | 19:14 |
*** ayoung has joined #openstack-keystone | 19:14 | |
*** ChanServ sets mode: +v ayoung | 19:14 | |
*** ayoung has quit IRC | 19:14 | |
lbragstad | so I made token_provider_api.validate_token(token_id) accept a token ID, it looks it up, takes out the important values, and then passes it to the token model | 19:15 |
lbragstad | which is in keystone/models/token_model.py:KeystoneToken | 19:15 |
lbragstad | makes sense right? | 19:15 |
lbragstad | so instead of having validate_v2_token, validate_v3_token, validate_token, validate_non_persistent_token, and _validate_token in the keystone.token.provider.py we have two methods - a validate_token and _validate_token (for caching purposes) | 19:16 |
lbragstad | and that will return a KeystoneToken model | 19:16 |
lbragstad | which goes back to the controller - which instantiates a View to translate it into the proper request | 19:16 |
lbragstad | but my spider senses are going off because the V2 token view and the V3 token view have a lot of duplicate logic | 19:17 |
*** itsuugo has quit IRC | 19:18 | |
lbragstad | for example - we should probably consider a token to be invalid if the token_model.user_id (or the user of the token) is disabled | 19:18 |
lbragstad | so should that check just live in the token provider? | 19:18 |
bknudson | why do we need validate_token and _validate_token? | 19:18 |
lbragstad | bknudson caching purposes? | 19:18 |
*** daemontool_ has joined #openstack-keystone | 19:18 | |
*** daemontool has quit IRC | 19:19 | |
lbragstad | the whole cache on issue stuff apparently expects a private method to be there... | 19:19 |
dstanek | lbragstad: refactor in smaller steps to make it easier? are you making small commits that you can share? | 19:19 |
bknudson | that's only if there's an optional parameter since the wrapper doesn't support optional parameters. | 19:19 |
lbragstad | dstanek not really :( because everything is so tightly coupled with the token api | 19:19 |
lbragstad | if you change a little thing here you'll have to change a bunch of stuff over there kind of stuff | 19:19 |
lbragstad | I was having a really hard time trying to figure out how to break it apart - so I just said screw it and started hammering out a bunch of changes just to prove that it works | 19:20 |
*** itsuugo has joined #openstack-keystone | 19:20 | |
lbragstad | I was going to push a monolithic patch to review as WIP and hope I could get some help figuring out how to break it apart | 19:21 |
lbragstad | but I ended up getting stumped on where the token validation lives when each token version has some specific validation cases they validate for | 19:22 |
bknudson | v2 apparently has a "belongs-to" feature | 19:22 |
lbragstad | bknudson yep | 19:22 |
lbragstad | that's a v2ism | 19:22 |
lbragstad | but it now lives in the token provider | 19:22 |
lbragstad | which doesn't make any sense because it should really only need to be used in the keystone.token.controller (v2 token controller) | 19:23 |
dstanek | lbragstad: can you share what you've done? | 19:24 |
*** daemontool_ has quit IRC | 19:24 | |
*** daemontool_ has joined #openstack-keystone | 19:25 | |
dstanek | lbragstad: another approach may be to stash what you did, try some simple refactoring to simplify the code more and then try again | 19:25 |
openstackgerrit | Lance Bragstad proposed openstack/keystone: WIP: Reorganize the entire token provider api https://review.openstack.org/375069 | 19:26 |
lbragstad | dstanek ^ that's what I have so far | 19:26 |
lbragstad | don't judge me - it's gross | 19:26 |
dstanek | lol | 19:27 |
lbragstad | one of the tricky things that i'm struggling with is that I think the token provider should just return a token model when it validates a token | 19:28 |
lbragstad | but that means we're going to have to push some token validation logic into the views for both v2 and v3 | 19:28 |
dstanek | lbragstad: the keystone.auth.plugins change looks to be independent of views. could that be a separate commit? | 19:30 |
*** bjolo has quit IRC | 19:30 | |
*** zigo_ is now known as zigo | 19:30 | |
dstanek | also the token_model changes appear separate too | 19:30 |
lbragstad | dstanek also - we have a ton of really complicated logic here - https://github.com/openstack/keystone/blob/c024505b55021057114da8affd5262a8e61ce1d2/keystone/token/providers/common.py#L431-L521 | 19:30 |
lbragstad | dstanek should the token model just have a .role_ids() property that returns a list of role_ids regardless of it being domain_scoped, project_scoped, oauth_scoped, or trust_scoped? | 19:31 |
lbragstad | dstanek the weird thing is that the KeystoneToken model relies on a properly formatted auth_response (which seems backwards) | 19:33 |
lbragstad | token_model.KeystoneToken(token_id=token_id, token_data=self.token_provider_api.validate_token(token_id)) | 19:33 |
lbragstad | ^ that's how we currently use it | 19:33 |
*** itsuugo has quit IRC | 19:35 | |
dstanek | lbragstad: just taking a brief look i'm not sure about the property because you couldn't replace that method with it | 19:35 |
dstanek | you'd still need all that conditional logic based on function params somewhere | 19:36 |
*** itsuugo has joined #openstack-keystone | 19:37 | |
lbragstad | dstanek what do you mean? | 19:37 |
dstanek | lbragstad: but if you did want to just move the method because you think that logic fits better in the model then i say create a separate command and make sure that you are very specific about why that logic should be moved in the commit message | 19:37 |
lbragstad | ah | 19:37 |
ravelar | bknudson: I have a question about the unit test comment for https://review.openstack.org/#/c/359371/ | 19:37 |
ravelar | bknudson: so far there is pretty good test coverage in test_revoke, test_auth, test_v3_auth, and test_v3_os_revoke. I was curious as to what you were looking for specifically? | 19:37 |
lbragstad | dstanek you mean the _populate_roles method? | 19:38 |
*** ddieterly[away] is now known as ddieterly | 19:38 | |
dstanek | lbragstad: yes | 19:38 |
lbragstad | so that is supposed to put the roles in the token ref | 19:38 |
lbragstad | but it's supposed to do that for project_scoped, domain_scoped, trust_scoped, oauth_scoped | 19:39 |
bknudson | ravelar: there should be tests that call the sql backend is_revoked directly to show that it works as expected so that if it doesn't work we don't have to dig through a bunch of code. | 19:39 |
*** ddieterly has quit IRC | 19:39 | |
lbragstad | dstanek so instead of having the v2 view and v3 view implementing _populate_roles - would it make more sense to implement in the model? | 19:40 |
lbragstad | you could then just ask the model for a list of role ids it has | 19:41 |
*** spzala has quit IRC | 19:41 | |
*** woodburn has quit IRC | 19:41 | |
*** woodburn has joined #openstack-keystone | 19:42 | |
*** spzala has joined #openstack-keystone | 19:42 | |
dstanek | lbragstad: probably. is there any difference between the two implementations? | 19:42 |
lbragstad | dstanek not really? | 19:42 |
lbragstad | outside of how the token format looks | 19:43 |
*** itsuugo has quit IRC | 19:43 | |
lbragstad | i think each just provides a list of {'id': role['id'], 'name': role['name']} for every role assignment | 19:43 |
dstanek | lbragstad: i'm not sure how i feel about the model needing the manager too | 19:44 |
lbragstad | dstanek me either | 19:44 |
*** itsuugo has joined #openstack-keystone | 19:45 | |
lbragstad | dstanek I feel like tons of crap in the token provider needs a BUNCH of managers everywhere | 19:45 |
*** spzala_ has joined #openstack-keystone | 19:45 | |
dstanek | feels like things will get complicated manager uses models that use managers. right now it's easy to see our circular dependencies, but with that they would be lost | 19:45 |
lbragstad | can't we isolate all the manager dependencies somewhere? | 19:45 |
lbragstad | the way i see it - wherever the manager dependencies are that's where we are going to have to do the validation | 19:46 |
lbragstad | because that's the whole reason behind building the token on every validate call | 19:46 |
*** spzala has quit IRC | 19:46 | |
dstanek | is there any reason why you don't start by refactoring v2 and v3 implementations into the manager layer somewhere? | 19:47 |
lbragstad | we use the managers to make sure the user has roles on the project, domain, etc... | 19:47 |
lbragstad | dstanek how do you mean? | 19:47 |
dstanek | lbragstad: have one _populate_roles that both v2 and v3 uses | 19:48 |
lbragstad | dstanek well - we kind of have that already | 19:49 |
lbragstad | dstanek https://review.openstack.org/#/c/372655/ | 19:49 |
*** spzala_ has quit IRC | 19:49 | |
lbragstad | dstanek see line 794 here https://review.openstack.org/#/c/372655/3/keystone/token/providers/common.py | 19:50 |
dstanek | lbragstad: i think that's as far as i'd go with that part. | 19:50 |
lbragstad | when we validate v2 tokens, we take all the token values from a v2 auth response and pass them to the v3 get_token_data method, which returns a v3 response | 19:50 |
lbragstad | then we convert the v3 response to a v2 response | 19:51 |
*** ayoung has joined #openstack-keystone | 19:51 | |
*** ChanServ sets mode: +v ayoung | 19:51 | |
*** ngupta has quit IRC | 19:51 | |
dstanek | moving manager dependencies into the model starts to fundamentally change how i see that layer. it actually mixes the model and manager responsibilities | 19:51 |
lbragstad | dstanek yeah | 19:51 |
lbragstad | so - what benefit does the model provide then? | 19:52 |
ayoung | samueldmq, jamiec can one of you guys give some love to an implied roles fix to KC needed for OSC https://review.openstack.org/#/c/368288/ | 19:52 |
*** ngupta has joined #openstack-keystone | 19:52 | |
dstanek | i'd save that part for a rainy day | 19:52 |
ayoung | not jamiec I meant jamielennox | 19:52 |
ayoung | dstanek, um ...what? | 19:52 |
dstanek | lbragstad: models as they are today are more like Java DTO style objects | 19:52 |
ayoung | there should be no manager deps in the modles | 19:52 |
ayoung | models | 19:52 |
dstanek | ayoung: agreed. that's what i'm saying too :-) | 19:53 |
*** srobert has quit IRC | 19:53 | |
lbragstad | ok | 19:53 |
bknudson | do we want to be able to load some values lazily? If so the model will need the manager | 19:53 |
lbragstad | so - what we could do, is in the token provider (which is a manager), we use all the other managers to get all the information we need and then pass that to the model | 19:53 |
bknudson | for example, the catalog may never be needed | 19:53 |
lbragstad | making it so that the model doesn't need any managers | 19:54 |
lbragstad | bknudson yeah - that's a good question, too | 19:54 |
bknudson | when validating the x-auth-token keystone doesn't need the catalog. | 19:54 |
dstanek | right now i think we'd want to just give the model any relevant data | 19:54 |
*** ngupta_ has joined #openstack-keystone | 19:54 | |
dstanek | the model shouldn't know about some of that stuff anyway | 19:55 |
lbragstad | dstanek so the only responsibility of the model is to relay that data, and not validate any of it | 19:55 |
bknudson | token model shouldn't include the catalog? (I'm fine with that) | 19:55 |
bknudson | controller can load the catalog separately | 19:55 |
lbragstad | bknudson for the catalog - i would almost leave that exclusively to the views | 19:55 |
lbragstad | the controller can ask a view for a v2 auth response with a catalog | 19:56 |
dstanek | bknudson: yeah, that's the way i'd do it. because in your example the token model shouldn't know anything about the headers anyway, that's for the controller layer | 19:56 |
lbragstad | and pass it a token model | 19:56 |
*** ngupta has quit IRC | 19:56 | |
openstackgerrit | Merged openstack/keystone: remove cache backends https://review.openstack.org/374496 | 19:56 |
lbragstad | so something like auth_response = view.response(token_model, include_catalog=True) | 19:57 |
*** ayoung has quit IRC | 19:57 | |
openstackgerrit | Merged openstack/keystone: remove memcache token persistence backends https://review.openstack.org/374499 | 19:57 |
bknudson | view has the reference to the catalog manager? | 19:58 |
* lbragstad shrug | 19:58 | |
lbragstad | it can? | 19:58 |
lbragstad | it has to format the catalog according to the api (v2 or v3) | 19:58 |
bknudson | the roles can also be left off of the token model | 19:59 |
lbragstad | bknudson why is that? | 20:00 |
bknudson | because you can calculate the roles from the project | 20:00 |
bknudson | and user | 20:00 |
bknudson | or domain | 20:00 |
lbragstad | or trust | 20:00 |
*** gagehugo has quit IRC | 20:00 | |
lbragstad | or oauth roles | 20:00 |
*** ddieterly has joined #openstack-keystone | 20:11 | |
*** itsuugo has quit IRC | 20:12 | |
*** ddieterly has quit IRC | 20:14 | |
*** itsuugo has joined #openstack-keystone | 20:14 | |
*** ngupta_ has quit IRC | 20:16 | |
*** ngupta has joined #openstack-keystone | 20:17 | |
*** ngupta has quit IRC | 20:21 | |
dstanek | keystone seems to do quite a bit of role playing | 20:21 |
*** spzala has joined #openstack-keystone | 20:24 | |
lbragstad | dstanek i think it would be nice to have all of that handled by the model | 20:24 |
*** ddieterly has joined #openstack-keystone | 20:25 | |
lbragstad | since it might help isolate some of that logic | 20:25 |
lbragstad | all the role stuff is super confusing | 20:25 |
*** code-R has quit IRC | 20:25 | |
*** spzala has quit IRC | 20:28 | |
*** ngupta has joined #openstack-keystone | 20:30 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone: move _belongs_to logic to v2 controller https://review.openstack.org/375097 | 20:31 |
*** ddieterly is now known as ddieterly[away] | 20:32 | |
lbragstad | bknudson dstanek ^ | 20:32 |
*** spzala has joined #openstack-keystone | 20:33 | |
*** ddieterly[away] is now known as ddieterly | 20:37 | |
*** ddieterly is now known as ddieterly[away] | 20:43 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone: move _belongs_to logic to v2 controller https://review.openstack.org/375097 | 20:44 |
*** itsuugo has quit IRC | 20:50 | |
*** asettle has joined #openstack-keystone | 20:51 | |
*** itsuugo has joined #openstack-keystone | 20:52 | |
*** raildo has quit IRC | 20:52 | |
*** ddieterly[away] has quit IRC | 20:53 | |
*** roxanaghe__ has joined #openstack-keystone | 20:53 | |
*** pauloewerton has quit IRC | 20:55 | |
*** roxanaghe_ has quit IRC | 20:57 | |
openstackgerrit | Boris Bobrov proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens https://review.openstack.org/374479 | 21:03 |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Undeprecate options used for signing https://review.openstack.org/375109 | 21:03 |
*** ddieterly has joined #openstack-keystone | 21:05 | |
*** markvoelker has quit IRC | 21:07 | |
*** ddieterly is now known as ddieterly[away] | 21:10 | |
*** itsuugo has quit IRC | 21:10 | |
*** spzala has quit IRC | 21:10 | |
*** wajdi has quit IRC | 21:11 | |
*** itsuugo has joined #openstack-keystone | 21:11 | |
openstackgerrit | Boris Bobrov proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens https://review.openstack.org/374479 | 21:11 |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Simplify tests after PKI removal https://review.openstack.org/375121 | 21:11 |
stevemar | breton: thanks for working on the PKI bits | 21:13 |
jamielennox | bknudson, lbragstad: yea we should no longer need the subject_token_id thing in controller at all | 21:15 |
jamielennox | auth_token will handle that | 21:15 |
*** itsuugo has quit IRC | 21:16 | |
bknudson | jamielennox: auth_token isn't handling it as far as I can see. | 21:16 |
jamielennox | lbragstad: that's ambitious, i've wanted to refactor token validation for ages but there are so many small edge cases and tests wrapped up in there | 21:16 |
bknudson | why would auth_token handle subject token? | 21:17 |
jamielennox | lbragstad: my hope was if we could get the context stuff everywhere and then the views stuff we could at least standardize on one token model | 21:17 |
*** itsuugo has joined #openstack-keystone | 21:17 | |
jamielennox | bknudson: oh - sorry, subject token not service token | 21:17 |
jamielennox | i confuse those all the time | 21:18 |
bknudson | I suppose one could pass auth token, service token, and subject token. | 21:18 |
jamielennox | well it would all be checked if you did | 21:19 |
*** gagehugo has joined #openstack-keystone | 21:20 | |
*** ddieterly[away] has quit IRC | 21:20 | |
stevemar | jamielennox: bknudson if you haven't added to this yet: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm | 21:23 |
stevemar | jamielennox: i think we can remove all the auth and session parts from ksc now? | 21:24 |
stevemar | jamielennox: did you have anything major you wanted to add to ksm / ksc / ksa this go around? | 21:24 |
jamielennox | stevemar: i haven't, but mostly i want to do some view model refactoring in keystone itself which i feel i got approval for at the last midcycle | 21:24 |
jamielennox | oh, and the expired tokens thing, which i don't feel we need to talk about again | 21:25 |
jamielennox | stevemar: re the ksc session stuff i have some reviews up to see just how badly that will fail | 21:25 |
lbragstad | jamielennox yeah - that would be awesome | 21:25 |
lbragstad | but - it's a total pita to refactor | 21:26 |
lbragstad | because *everything* is so tightly coupled | 21:26 |
jamielennox | stevemar: this being the end of the pile; https://review.openstack.org/#/c/359708/ that we can recheck every now and then | 21:26 |
jamielennox | stevemar: it's good for finding who is misusing stuff | 21:26 |
jamielennox | stevemar: and ksa is pretty stable, mostly just bugfixes and small features i don't think really need talking about | 21:27 |
*** gyee has joined #openstack-keystone | 21:27 | |
*** ChanServ sets mode: +v gyee | 21:27 | |
jamielennox | lbragstad: yea, that's where i was going with the views start, i want to do models that traverse the backend boundary instead of dicts | 21:27 |
jamielennox | lbragstad: but it's the tests as much as anything else that hurt | 21:28 |
lbragstad | jamielennox yes - the tests shouldn't have to rely on the token_provider_api to validate stuff | 21:28 |
jamielennox | right, i made a start on this but basically if you're testing an API you should never call the providers directly | 21:29 |
lbragstad | maybe one thing we can do is refactor all the tests to not use the manager lay and actually make it do a real api call | 21:29 |
jamielennox | and a whole bunch of other problems | 21:29 |
lbragstad | layer* | 21:29 |
jamielennox | so ages ago i added a whole bunch of testing using webtest so that facility is in there | 21:30 |
jamielennox | what we would need to do around that is all the test startup/teardown and i was hoping to put that into proper fixtures.Fixture objects | 21:30 |
jamielennox | they will still call the manager layer but at least you could change it in one place unlike the current spread | 21:31 |
jamielennox | it's just one of those things that will take up a whole lot of time that i should probably be spending elsewhere atm | 21:31 |
*** ddieterly has joined #openstack-keystone | 21:32 | |
*** flwang has joined #openstack-keystone | 21:33 | |
lbragstad | jamielennox yeah - it's a massive refactor - but it would be so nice | 21:33 |
bknudson | with PKI going away in keystone we could remove it from auth-token, too. | 21:33 |
*** rcernin has quit IRC | 21:34 | |
flwang | stevemar: ping | 21:34 |
lbragstad | jamielennox in your opinion the model should just relay information right - it shouldn't be the thing that validates anything | 21:34 |
jamielennox | lbragstad: basically yea, i don't mind if they grow a function or two eventually but typically they're just structured information | 21:35 |
*** spzala has joined #openstack-keystone | 21:35 | |
jamielennox | somewhere i have a branch with an example, but i'm doubting i can find it | 21:35 |
flwang | stevemar: zaqar client is trying to move from keystoneclient to keystoneauth, i know you did it for glance client, so would you mind helping to review the patch? thanks https://review.openstack.org/#/c/348118/ | 21:35 |
*** ravelar has quit IRC | 21:36 | |
lbragstad | jamielennox got it | 21:36 |
lbragstad | jamielennox so what about the views | 21:36 |
lbragstad | do they validate anythign? | 21:36 |
lbragstad | anything* | 21:36 |
*** spzala has quit IRC | 21:36 | |
*** slberger has quit IRC | 21:36 | |
*** chianingwang has quit IRC | 21:37 | |
*** bradjones has quit IRC | 21:37 | |
*** Trident has quit IRC | 21:37 | |
*** amitkqed has quit IRC | 21:37 | |
*** aloga has quit IRC | 21:37 | |
*** jhesketh has quit IRC | 21:37 | |
*** ddieterly has quit IRC | 21:37 | |
*** daemontool_ has quit IRC | 21:37 | |
*** jdennis has quit IRC | 21:37 | |
*** edmondsw has quit IRC | 21:37 | |
*** richm has quit IRC | 21:37 | |
*** jlvillal has quit IRC | 21:37 | |
*** baffle has quit IRC | 21:37 | |
*** akrzos has quit IRC | 21:37 | |
*** evrardjp has quit IRC | 21:37 | |
*** DuncanT has quit IRC | 21:37 | |
*** artmr has quit IRC | 21:37 | |
*** AlexeyAbashkin has quit IRC | 21:37 | |
*** acoles_ has quit IRC | 21:37 | |
*** charz has quit IRC | 21:37 | |
*** madorn has quit IRC | 21:37 | |
*** d34dh0r53 has quit IRC | 21:37 | |
*** boris-42 has quit IRC | 21:37 | |
*** dobson has quit IRC | 21:37 | |
*** BlackDex has quit IRC | 21:37 | |
*** cburgess has quit IRC | 21:37 | |
*** mnikolaenko has quit IRC | 21:37 | |
*** kragniz has quit IRC | 21:37 | |
*** sigmavirus has quit IRC | 21:37 | |
*** samueldmq has quit IRC | 21:37 | |
*** melwitt has quit IRC | 21:37 | |
*** barclaac has quit IRC | 21:37 | |
*** rderose has quit IRC | 21:37 | |
*** tsufiev has quit IRC | 21:37 | |
*** zhiyan has quit IRC | 21:37 | |
*** nikhil has quit IRC | 21:37 | |
*** mugsie has quit IRC | 21:37 | |
*** tqtran has quit IRC | 21:37 | |
*** mfisch has quit IRC | 21:37 | |
*** rodrigods has quit IRC | 21:37 | |
*** nicolasbock has quit IRC | 21:37 | |
*** freerunner has quit IRC | 21:37 | |
*** jlopezgu has quit IRC | 21:37 | |
*** hugokuo has quit IRC | 21:37 | |
*** mkoderer__ has quit IRC | 21:37 | |
*** akscram has quit IRC | 21:37 | |
*** stevemar has quit IRC | 21:37 | |
*** topol has quit IRC | 21:37 | |
*** brad[] has quit IRC | 21:37 | |
*** eglute has quit IRC | 21:37 | |
*** gsilvis has quit IRC | 21:37 | |
*** zzzeek has quit IRC | 21:37 | |
*** tonytan4ever has quit IRC | 21:37 | |
*** yarkot has quit IRC | 21:37 | |
*** jamielennox has quit IRC | 21:37 | |
*** knikolla has quit IRC | 21:37 | |
*** cargonza has quit IRC | 21:37 | |
*** gus has quit IRC | 21:37 | |
*** diltram has quit IRC | 21:37 | |
*** zeus has quit IRC | 21:37 | |
*** raddaoui has quit IRC | 21:37 | |
*** andrewbogott has quit IRC | 21:37 | |
*** BrAsS_mOnKeY has quit IRC | 21:37 | |
*** clenimar has quit IRC | 21:37 | |
*** haplo37_ has quit IRC | 21:37 | |
*** dtroyer_zz has quit IRC | 21:37 | |
*** lbragstad has quit IRC | 21:37 | |
*** notmorgan has quit IRC | 21:37 | |
*** bigjools has quit IRC | 21:37 | |
*** HenryG has quit IRC | 21:37 | |
*** dstanek has quit IRC | 21:37 | |
*** andreaf has quit IRC | 21:37 | |
*** mgagne has quit IRC | 21:37 | |
*** artmr has joined #openstack-keystone | 21:38 | |
*** AlexeyAbashkin has joined #openstack-keystone | 21:38 | |
*** acoles_ has joined #openstack-keystone | 21:38 | |
*** charz has joined #openstack-keystone | 21:38 | |
*** madorn has joined #openstack-keystone | 21:38 | |
*** boris-42 has joined #openstack-keystone | 21:38 | |
*** dobson has joined #openstack-keystone | 21:38 | |
*** BlackDex has joined #openstack-keystone | 21:38 | |
*** cburgess has joined #openstack-keystone | 21:38 | |
*** kragniz has joined #openstack-keystone | 21:38 | |
*** mnikolaenko has joined #openstack-keystone | 21:38 | |
*** sigmavirus has joined #openstack-keystone | 21:38 | |
*** samueldmq has joined #openstack-keystone | 21:38 | |
*** melwitt has joined #openstack-keystone | 21:38 | |
*** barclaac has joined #openstack-keystone | 21:38 | |
*** rderose has joined #openstack-keystone | 21:38 | |
*** tsufiev has joined #openstack-keystone | 21:38 | |
*** zhiyan has joined #openstack-keystone | 21:38 | |
*** nikhil has joined #openstack-keystone | 21:38 | |
*** mugsie has joined #openstack-keystone | 21:38 | |
*** orwell.freenode.net sets mode: +v samueldmq | 21:38 | |
*** asettle is now known as 7JTABTGDJ | 21:40 | |
*** asettle has joined #openstack-keystone | 21:40 | |
*** zzzeek has joined #openstack-keystone | 21:40 | |
*** tonytan4ever has joined #openstack-keystone | 21:40 | |
*** yarkot has joined #openstack-keystone | 21:40 | |
*** jamielennox has joined #openstack-keystone | 21:40 | |
*** knikolla has joined #openstack-keystone | 21:40 | |
*** gus has joined #openstack-keystone | 21:40 | |
*** diltram has joined #openstack-keystone | 21:40 | |
*** zeus has joined #openstack-keystone | 21:40 | |
*** BrAsS_mOnKeY has joined #openstack-keystone | 21:40 | |
*** dtroyer_zz has joined #openstack-keystone | 21:40 | |
*** clenimar has joined #openstack-keystone | 21:40 | |
*** haplo37_ has joined #openstack-keystone | 21:40 | |
*** lbragstad has joined #openstack-keystone | 21:40 | |
*** notmorgan has joined #openstack-keystone | 21:40 | |
*** bigjools has joined #openstack-keystone | 21:40 | |
*** HenryG has joined #openstack-keystone | 21:40 | |
*** dstanek has joined #openstack-keystone | 21:40 | |
*** andreaf has joined #openstack-keystone | 21:40 | |
*** mgagne has joined #openstack-keystone | 21:40 | |
*** orwell.freenode.net sets mode: +vv jamielennox dstanek | 21:40 | |
*** spzala has joined #openstack-keystone | 21:40 | |
*** slberger has joined #openstack-keystone | 21:40 | |
*** chianingwang has joined #openstack-keystone | 21:40 | |
*** bradjones has joined #openstack-keystone | 21:40 | |
*** Trident has joined #openstack-keystone | 21:40 | |
*** amitkqed has joined #openstack-keystone | 21:40 | |
*** aloga has joined #openstack-keystone | 21:40 | |
*** serverascode has quit IRC | 21:41 | |
*** 7JTABTGDJ has quit IRC | 21:41 | |
*** jhesketh has joined #openstack-keystone | 21:41 | |
*** d34dh0r53 has joined #openstack-keystone | 21:41 | |
*** ddieterly has joined #openstack-keystone | 21:41 | |
*** daemontool_ has joined #openstack-keystone | 21:41 | |
*** jdennis has joined #openstack-keystone | 21:41 | |
*** edmondsw has joined #openstack-keystone | 21:41 | |
*** richm has joined #openstack-keystone | 21:41 | |
*** jlvillal has joined #openstack-keystone | 21:41 | |
*** baffle has joined #openstack-keystone | 21:41 | |
*** akrzos has joined #openstack-keystone | 21:41 | |
*** evrardjp has joined #openstack-keystone | 21:41 | |
*** AndyWojo has quit IRC | 21:41 | |
*** boris-42 has quit IRC | 21:41 | |
*** zhiyan has quit IRC | 21:41 | |
*** nikhil has quit IRC | 21:41 | |
jamielennox | and we're back | 21:41 |
lbragstad | jamielennox in the token case - when we validate a v2 token - the v2 token controller will get a token model and pass the model to the token view | 21:42 |
lbragstad | and the view is supposed to format an auth response how v2.0 likes it based on the model | 21:42 |
*** daemontool_ has quit IRC | 21:42 | |
lbragstad | right? | 21:42 |
*** tqtran has joined #openstack-keystone | 21:42 | |
*** mfisch has joined #openstack-keystone | 21:42 | |
*** rodrigods has joined #openstack-keystone | 21:42 | |
*** nicolasbock has joined #openstack-keystone | 21:42 | |
*** freerunner has joined #openstack-keystone | 21:42 | |
*** jlopezgu has joined #openstack-keystone | 21:42 | |
*** hugokuo has joined #openstack-keystone | 21:42 | |
*** mkoderer__ has joined #openstack-keystone | 21:42 | |
*** akscram has joined #openstack-keystone | 21:42 | |
*** stevemar has joined #openstack-keystone | 21:42 | |
*** topol has joined #openstack-keystone | 21:42 | |
*** brad[] has joined #openstack-keystone | 21:42 | |
*** eglute has joined #openstack-keystone | 21:42 | |
*** gsilvis has joined #openstack-keystone | 21:42 | |
*** orwell.freenode.net sets mode: +ov stevemar topol | 21:42 | |
jamielennox | yea, the model is version independent, the view is what makes it a 2.0 | 21:43 |
jamielennox | in which case the view can raise an exception if it can't render it | 21:43 |
stevemar | flwang: of course, i suggest you get jamielennox to review https://review.openstack.org/#/c/348118/ too :) | 21:43 |
flwang | stevemar: sure, thank you very much | 21:43 |
stevemar | jamielennox: i'd place the token expiry stuff above the model view bits | 21:44 |
lbragstad | jamielennox so the v2 view would raise an exception if the model is scoped to a domain that isn't the default domain for example? | 21:44 |
jamielennox | flwang: what i'd really love is to be able to pass an existing session into zaqar client | 21:44 |
stevemar | jamielennox: in terms of priority | 21:44 |
jamielennox | flwang: zaqar, monasca and mistral are the 3 clients i know of that don't let you do that - and i know this because heat was complaining about it | 21:44 |
jamielennox | stevemar: yea, i know, actual features | 21:45 |
bknudson | v2 should probably pass an indicator that says the token has to be in a particular domain so that processing can short-circuit. | 21:45 |
*** asettle has quit IRC | 21:45 | |
jamielennox | lbragstad: yea, most likely - but it's a pretty unlikely case because it's the v2 controller that is saying i want a token rendered as v2 | 21:46 |
jamielennox | lbragstad: and there's no way from the v2 controller to pass in information that can't be rendered in v2 | 21:46 |
lbragstad | if we want the model to not care about the version that leaves the provider and the view as the only places left to validate that kind of stuff | 21:46 |
*** spzala has quit IRC | 21:47 | |
jamielennox | so you'd have a check in there as kind of a runtimeerror, but i don't know how you'd actually hit it | 21:47 |
jamielennox | oh, i guess you could ask for an existing v3 token as a v2 token | 21:47 |
lbragstad | jamielennox would you hit that case if you had a v3 domain scoped token and passed it to the v2 api? | 21:47 |
bknudson | lbragstad: the model doesn't have to know the version, only the allowed domain | 21:47 |
*** andrewbogott has joined #openstack-keystone | 21:48 | |
bknudson | it doesn't need to know the version just that a specific domain is required or not | 21:48 |
lbragstad | bknudson which it currently does - through the domain scope | 21:48 |
jamielennox | lbragstad: you can make v2 calls with a v3 token, you just can't ask for it to be rendered or exchange it for something else | 21:48 |
lbragstad | jamielennox right - if you validate a token on v2.0 you get a v2.0 format back | 21:48 |
lbragstad | but if it's a v3 token being validated against v2.0 it's up to the view to catch those things | 21:49 |
lbragstad | or cases where v2.0 doesn't honor v3-isms of the model | 21:49 |
jamielennox | so yea, you can probably short circuit the logic there but if it's caught in the view rather than in the validate it's not a big deal | 21:49 |
bknudson | I thought we deprecated v2? can't we just remove it? | 21:49 |
jamielennox | bknudson: ahhahaha | 21:50 |
lbragstad | word on the street is that we will always have it deprecated | 21:50 |
lbragstad | deprecated - but never removed | 21:50 |
bknudson | can we separate out the code into its own part of the repo and just forget about it? | 21:50 |
jamielennox | bknudson: yes, views/v2.0 | 21:50 |
lbragstad | yeah | 21:50 |
lbragstad | that would be ideal | 21:51 |
lbragstad | then if there is something about v2.0 that is bothering you and you need to figure it out - you only have to look in one spot :) | 21:51 |
jamielennox | which would be awesome | 21:51 |
*** slberger has left #openstack-keystone | 21:51 | |
jamielennox | and a flake8 check that slaps anyone who says is version == X | 21:52 |
lbragstad | it's easier to sift through garbage when it's all in one pile | 21:52 |
jamielennox | part of what would be so nice about this is to have one place to look when you want to figure out what's called when you hit a specific api | 21:52 |
lbragstad | yeah | 21:53 |
jamielennox | rather than have to know which provider/backend thing implements it | 21:53 |
lbragstad | jamielennox so the token_provider_api should return a model, right? | 21:53 |
jamielennox | token_providers are interesting and i'm not sure | 21:54 |
lbragstad | because it's not exactly a controller | 21:54 |
lbragstad | it doesn't care about web stuff | 21:54 |
lbragstad | but it certainly isn't a view either | 21:54 |
jamielennox | so a token_provider is basically a persistence backend right? | 21:54 |
jamielennox | sql, kvs, fernet | 21:54 |
lbragstad | sure | 21:54 |
lbragstad | something that provides a token | 21:54 |
lbragstad | which makes me think it should return a token model | 21:55 |
jamielennox | so i guess os | 21:55 |
jamielennox | i was somehow thinking it should be created before that | 21:55 |
jamielennox | because what i'd kind of like to see is isinstance(token.user, UserModel) | 21:55 |
lbragstad | yeah | 21:56 |
lbragstad | the issue token stuff is a bit messy though | 21:56 |
jamielennox | and i don't think that should be resolved via token provider | 21:56 |
lbragstad | you should just pass auth context into the token provider and it should persist what it needs to | 21:56 |
*** ayoung has joined #openstack-keystone | 21:56 | |
*** ChanServ sets mode: +v ayoung | 21:56 | |
lbragstad | i.e. in the token or sql or whatever | 21:56 |
lbragstad | and then it should give you back a token model | 21:56 |
lbragstad | which would get back to the controller -> and view to translate | 21:57 |
ayoung | I've been in and out, going to go read up on Eavesdrop | 21:57 |
*** mvk has joined #openstack-keystone | 21:58 | |
ayoung | there is a gap between the end of eavesdrop and this | 21:58 |
jamielennox | we had a netsplit in there | 21:58 |
flwang | jamielennox: what do you mean 'don't let you do that'? do you mean 'doesn't support'? | 21:59 |
lbragstad | ayoung http://cdn.pasteraw.com/ch05svpakwmvkwi3sojwfl90qmd2lff | 21:59 |
jamielennox | flwang: i haven't looked at zaqarclient in a bit, but i want to do z = zaqarclient.Client(session=session) | 21:59 |
ayoung | lbragstad, thanks! | 22:00 |
lbragstad | ayoung np | 22:00 |
flwang | jamielennox: oh, yep, that's on my to-do list actually | 22:00 |
jamielennox | flwang: because i've already got my auth figured out and i don't need zaqarclient to do it again | 22:00 |
flwang | jamielennox: exactly | 22:00 |
jamielennox | flwang: cool, i'll have a look at the review but that's where i hope we get to | 22:00 |
*** raddaoui has joined #openstack-keystone | 22:01 | |
jamielennox | and i know that's what heat says they are missing | 22:01 |
flwang | jamielennox: awesome, and that's one thing i'd like to get your suggestion | 22:01 |
flwang | if i should do that in the same patch | 22:01 |
flwang | or it's better to do it in the following patch | 22:01 |
ayoung | OK...start at the beginning of that flow: the v2 token controller gets JSON and determines which version it is. It uses the appropriate view to convert from JSON to a model, with the view throwing an exception if the JSON contains something that is not valid in that view. Right? | 22:01 |
jamielennox | flwang: i think i'd do it in a follow up, it's already going to be hard to get people to review and you don't want to overload them with stuff | 22:02 |
lbragstad | ayoung well - the v2 token controller can assume a version based on the path | 22:02 |
lbragstad | right? | 22:02 |
bknudson | the v2 token controller can only get v2 JSON | 22:02 |
*** ddieterly is now known as ddieterly[away] | 22:02 | |
jamielennox | flwang: however (for example) the swiftclient version of use keystoneauth is like 5 lines of code where they auth via a plugin and then go right back to their old ways | 22:02 |
jamielennox | so i just wanted to make sure zaqarclient was at least planning on the other way as well | 22:03 |
jamielennox | lbragstad: yea, jsonschema will kill anything coming to a v2 endpoint that's not expected | 22:03 |
jamielennox | by being a v2 endpoint it knows the version already | 22:04 |
lbragstad | but in the validation case - the v2 token controller needs to be able to pass a model to the v2 view | 22:04 |
*** cargonza has joined #openstack-keystone | 22:04 | |
jamielennox | ayoung: also view is a display thing, so for model -> json, json->model is probably handled by the controller | 22:04 |
lbragstad | making the view responsible for catching any v3-isms | 22:04 |
flwang | jamielennox: no, not the way like swiftclient i think | 22:04 |
jamielennox | flwang: excellent! | 22:05 |
flwang | what i want to see is zaqarcleint = client.Client(session) , just like you said above | 22:05 |
*** ddieterly[away] is now known as ddieterly | 22:05 | |
ayoung | in an interactive app, the view is the UI component, so edit can be different from report, say. Here, I would have classified the controller *as* the view. So we are kind of duplicating the use of the term. Version and view are related, but different | 22:05 |
lbragstad | for example - if we took that approach and the v2 view saw that model.oauth_scoped == True - then we should bail | 22:06 |
ayoung | lbragstad, v2 and v3 are "views" of the token, no? | 22:06 |
jamielennox | ayoung: honestly in this case if the controller handled the view i wouldn't be too worried - however the current controllers are so overloaded that i don't know how to get from here to there without separating them out | 22:07 |
lbragstad | ayoung yep | 22:07 |
jamielennox | like if the controller did the rendering instead of handing to a view object | 22:07 |
*** boris-42 has joined #openstack-keystone | 22:07 | |
ayoung | jamielennox, the controllers need to be divested of any business logic and only do view stuff | 22:07 |
lbragstad | that's the part that confuses me | 22:07 |
jamielennox | ayoung: there will always be a little logic in the controllers, there has to be some | 22:07 |
lbragstad | because that would mean the view wouldn't be able to invalidate tokens | 22:07 |
ayoung | jamielennox, only HTTP specific logic. If we had another protocol, say Rabbit, it would be much easier to keep thing separate | 22:08 |
*** DuncanT has joined #openstack-keystone | 22:08 | |
*** edtubill has quit IRC | 22:09 | |
*** roxanaghe__ has quit IRC | 22:09 | |
*** AndyWojo has joined #openstack-keystone | 22:11 | |
lbragstad | jamielennox ayoung - i gotta run, it's my wife's birthday... and so far what i've learned is that the only thing worse than forgetting your wife's birthday is working after hours on her birthday | 22:12 |
bknudson | controllers manipulate, not views | 22:12 |
bknudson | https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller#/media/File:MVC-Process.svg | 22:12 |
lbragstad | but in this case we would have to rely on the view's manipulating (even just throwing errors) | 22:12 |
lbragstad | ah! I'll read the scroll back tonight | 22:13 |
lbragstad | o/ | 22:13 |
ayoung | lbragstad, RUN! | 22:13 |
bknudson | don't you work from home? | 22:13 |
lbragstad | lol - she does, too | 22:14 |
*** serverascode has joined #openstack-keystone | 22:14 | |
jamielennox | yea, my definition has always been that the controller is the thing that creates a model, does stuff on the model, renders the view and returns it | 22:15 |
jamielennox | lbragstad: say happy birthday from all of us, i'm sure that'll help | 22:15 |
jamielennox | bknudson: model updates view is interesting, i always had the controller making a view from a model | 22:15 |
*** ngupta has quit IRC | 22:15 | |
*** nikhil has joined #openstack-keystone | 22:16 | |
bknudson | if you've got a gui your view listens to the model to get updates. | 22:16 |
*** ngupta has joined #openstack-keystone | 22:16 | |
*** zhiyan has joined #openstack-keystone | 22:16 | |
bknudson | like to show how many bytes are downloaded or whatever | 22:16 |
openstackgerrit | Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435 | 22:16 |
jamielennox | oh, right, yea that makes sense in a gui/responsive way, rather than a web way | 22:17 |
bknudson | web would be using push or websockets | 22:17 |
bknudson | so like subscribe to notifications for a user ? | 22:17 |
bknudson | that would be odd | 22:17 |
bknudson | well, we've got notifications, so you could do that | 22:18 |
bknudson | I assume we do notifications now in the manager. | 22:18 |
bknudson | yep - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n973 | 22:19 |
*** jrist has quit IRC | 22:19 | |
bknudson | so if we did mvc then the User model would send the notification on update. | 22:19 |
*** ngupta has quit IRC | 22:20 | |
*** esp has quit IRC | 22:23 | |
bknudson | I'm getting a couple of failures running tox -e py27: | 22:24 |
bknudson | keystone.tests.unit.credential.test_fernet_provider.TestFernetCredentialProviderWithNullKey.test_warning_is_logged_when_encrypting_with_null_key | 22:24 |
bknudson | keystone.tests.unit.credential.test_fernet_provider.TestFernetCredentialProviderWithNullKey.test_encryption_with_null_key | 22:24 |
*** lamt has quit IRC | 22:24 | |
bknudson | anyone seen this? | 22:24 |
bknudson | http://paste.openstack.org/show/582675/ | 22:24 |
bknudson | maybe it's finding existing credential keys? | 22:24 |
jamielennox | hmm, i don't know, i would probably have had the controller doing notifications, but i'm not sure | 22:28 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Request cache should not update context https://review.openstack.org/375142 | 22:29 |
*** ngupta has joined #openstack-keystone | 22:30 | |
bknudson | I think the point is you could have multiple controllers? | 22:31 |
stevemar | bknudson: what's the error with the tests? | 22:36 |
bknudson | stevemar: http://paste.openstack.org/show/582675/ | 22:37 |
stevemar | lol @ lbragstad, go eat dinner ya bum | 22:37 |
stevemar | thx bknudson | 22:37 |
bknudson | stevemar: if I "rm /etc/keystone/credential-keys/*" the tests pass | 22:38 |
stevemar | bknudson: ah, that's good, at least it's not busted | 22:38 |
*** esp has joined #openstack-keystone | 22:46 | |
stevemar | bknudson: bug for https://review.openstack.org/#/c/375142/1 ? | 22:49 |
bknudson | stevemar: it doesn't have any visible effect ... I think I explained that in the commit message. | 22:50 |
*** iurygregory_ has joined #openstack-keystone | 22:50 | |
bknudson | I just found it annoying when I set a breakpoint to see where the context was getting reset and saw a bunch of useless ones. | 22:50 |
stevemar | bknudson: you normally always have proof for the most vague change :P | 22:50 |
stevemar | ah | 22:50 |
stevemar | bknudson: no need to backport to newton then, i assume | 22:51 |
bknudson | no... while the context cache was resetting the thread request context all the time it wasn't actually changing the value. | 22:52 |
bknudson | was just setting the value to what it already was. | 22:52 |
bknudson | and according to the code that's all it would ever do. | 22:52 |
*** mvk has quit IRC | 22:52 | |
*** ngupta has quit IRC | 22:54 | |
*** ngupta has joined #openstack-keystone | 22:54 | |
*** ddieterly has quit IRC | 22:58 | |
*** ngupta has quit IRC | 22:59 | |
*** ngupta has joined #openstack-keystone | 23:00 | |
*** adriant has joined #openstack-keystone | 23:03 | |
stevemar | ayoung: when you get a chance, please review: https://review.openstack.org/#/c/374479/ i've left a comment asking what we can do for a few things that are leftover | 23:06 |
stevemar | bknudson -- you're familiar with PKI too, if you get a chance ^ | 23:07 |
*** itsuugo has quit IRC | 23:08 | |
*** mvk has joined #openstack-keystone | 23:08 | |
stevemar | we don't even have /auth/tokens/OS-PKI/revoked and /OS-SIMPLE-CERT advertised in the API ref, ughhhh | 23:08 |
* stevemar goes to file bugs | 23:09 | |
*** lamt has joined #openstack-keystone | 23:09 | |
*** itsuugo has joined #openstack-keystone | 23:10 | |
jamielennox | stevemar: how do i propose a cross project summit session? | 23:12 |
*** martinus__ has quit IRC | 23:12 | |
jamielennox | i was expecting to see something on the ML - have you heard anything? | 23:12 |
*** ayoung has quit IRC | 23:13 | |
*** itsuugo has quit IRC | 23:15 | |
*** itsuugo has joined #openstack-keystone | 23:16 | |
stevemar | jamielennox: there was something out there | 23:17 |
jamielennox | stevemar: found it right after asking, i just had to go back further | 23:17 |
jamielennox | sry | 23:17 |
stevemar | jamielennox: share it anyway, i lost the link | 23:17 |
jamielennox | https://etherpad.openstack.org/p/ocata-cross-project-sessions | 23:17 |
stevemar | https://bugs.launchpad.net/keystone/+bug/1626778 and https://bugs.launchpad.net/keystone/+bug/1626779 make me sad | 23:17 |
openstack | Launchpad bug 1626778 in OpenStack Identity (keystone) "[api] document /auth/tokens/OS-PKI/revoked" [Medium,Confirmed] | 23:17 |
openstack | Launchpad bug 1626779 in OpenStack Identity (keystone) "[api] document OS-SIMPLE-CERT routes" [Medium,Confirmed] | 23:17 |
*** ngupta has quit IRC | 23:18 | |
*** martinus__ has joined #openstack-keystone | 23:18 | |
*** ngupta has joined #openstack-keystone | 23:18 | |
stevemar | dolphm: thanks for proposing the upgrade story for cross-project, i was gonna do that if you didn't ;) | 23:18 |
jamielennox | dolphm: and jumping in with johnthetubaguy for cross-project communications, that's basically what i was going to propose | 23:19 |
stevemar | jamielennox: do you have time to work on the token expiry bp? | 23:19 |
stevemar | not just the spec, but the work | 23:19 |
jamielennox | stevemar: yea, if we do it as proposed in the midcycle it's not actually that much work | 23:20 |
stevemar | jamielennox: get on it then :P | 23:20 |
jamielennox | just post midcycle i didn't have time, so i let it lag | 23:20 |
stevemar | jamielennox: ocata-1, go! | 23:20 |
stevemar | jk :) | 23:20 |
stevemar | eat time | 23:20 |
jamielennox | damnit, alright | 23:20 |
jamielennox | well it would be good to have a POC up for barcelona | 23:20 |
jamielennox | spec + code | 23:21 |
*** roxanaghe has joined #openstack-keystone | 23:21 | |
*** ngupta has quit IRC | 23:23 | |
jamielennox | damn, i remember now, it was actually ksm that caught this up because i have to change around the model i just finished making public | 23:25 |
*** ngupta has joined #openstack-keystone | 23:28 | |
*** HenryG has quit IRC | 23:28 | |
*** HenryG has joined #openstack-keystone | 23:28 | |
*** roxanaghe has quit IRC | 23:33 | |
*** spedione is now known as spedione|AWAY | 23:37 | |
openstackgerrit | Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435 | 23:41 |
*** ddieterly has joined #openstack-keystone | 23:42 | |
*** ddieterly has quit IRC | 23:45 | |
*** itsuugo has quit IRC | 23:50 | |
*** ngupta has quit IRC | 23:51 | |
*** itsuugo has joined #openstack-keystone | 23:51 | |
*** ngupta has joined #openstack-keystone | 23:51 | |
*** arunkant__ has quit IRC | 23:56 | |
*** itsuugo has quit IRC | 23:56 | |
*** itsuugo has joined #openstack-keystone | 23:57 |