Thursday, 2016-11-03

*** gyee has quit IRC		00:05
*** guoshan has joined #openstack-keystone		00:14
*** adrian_otto has quit IRC		00:26
ayoung	andrewbogott, no	00:29
ayoung	andrewbogott, a role assigned on a domain is different from a role assigned on a project, and yes, we made that way too confusing	00:29
ayoung	stevemar, I talked with 3 CS students today about a project to enable Kerberos for RabbitMQ	00:30
andrewbogott	ayoung: what is http://developer.openstack.org/api-ref/identity/v3/index.html#os-inherit-api then?	00:30
ayoung	andrewbogott, so I think you can make it work with some majik	00:30
ayoung	andrewbogott, follow me for a moment here, cuz it is weird	00:31
andrewbogott	ok :)	00:31
ayoung	we should never have introduced domains as a separate concept	00:31
ayoung	instead, we should have made projects hierarchical	00:31
ayoung	but we did, and the world suffers for it	00:31
ayoung	so...we tried to do some semantic sandpapering and say "a domain IS A project"	00:32
ayoung	and, it sort of is, and it sort of isn't	00:32
ayoung	but what you need to do is assign the user a role on a project at the top of a tree, and THAT gets inherited down	00:32
ayoung	assigning it on a domain is a different kind of role assignment, and that means something different	00:32
ayoung	so I think you can do a project role assignment on the project-that-is-the-domain	00:33
ayoung	and, let me test to see if that works	00:33
andrewbogott	So the thing in the docs that says 'Assign role to user on projects owned by domain'...	00:33
ayoung	this one /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects	00:34
ayoung	let me see...	00:34
ayoung	andrewbogott, ok here is my set up http://paste.openstack.org/show/587705/	00:39
ayoung	so now let me create a user...	00:39
ayoung	$ openstack role add --user-domain default --user u1 --project-domain test --project test mediator --inherited	00:42
ayoung	No project with a name or ID of 'test' exists.	00:42
ayoung	ok...lets try that by ID	00:42
andrewbogott	I'm confused that you're specifying —project-domain and —project	00:42
ayoung	openstack role add --user-domain default --user u1 --project 1ef534c4cb9349188870cac6ccd6bbef mediator --inherited	00:43
ayoung	ok it seemed to like that	00:43
ayoung	andrewbogott, so I am trying to assign the role to the user on the project named test...but here is where it is weird	00:43
ayoung	I never created a proejdct named test	00:43
ayoung	I created a domain named test	00:43
andrewbogott	ok, so that last one made sense… that's the same as setting it on any project, you just passed in a domain id instead of a project id	00:43
andrewbogott	with —inherited	00:43
andrewbogott	yes?	00:44
ayoung	and it turns out, that is also a project in the default domain...	00:44
ayoung	so, yes, that is what I did	00:44
ayoung	and let's see what we have	00:44
andrewbogott	ok. So the question is, can I set that on the 'default' domain and just have it everywhere...	00:44
* andrewbogott tries		00:44
andrewbogott	hm...	00:45
andrewbogott	https://www.irccloud.com/pastebin/IL0brlZ1/	00:45
andrewbogott	I think I'm doing what you're doing...	00:46
andrewbogott	(although there are software version differences which could confound)	00:46
ayoung	this is wierd	00:47
ayoung	I know what it looks like in the database...	00:48
ayoung	OK so here is what has succeeded:	00:48
ayoung	http://paste.openstack.org/show/587707/	00:49
ayoung	let me take a look in the database...	00:50
*** markvoelker has quit IRC		00:52
andrewbogott	did your paste cut off, or is the role not set on t31?	00:52
andrewbogott	(I guess I can't tell w/not it worked on t3 either since I don't know your role or user ids)	00:53
ayoung	andrewbogott, hmmm let me see	00:53
ayoung	andrewbogott, here is what my database shows	00:53
ayoung	http://paste.openstack.org/show/587708/	00:53
ayoung	andrewbogott, openstack role assignment list --project-domain test --project t31 --inherited	00:55
ayoung	returned no results	00:55
ayoung	so that is kindof hostile	00:55
*** LiYuenan has joined #openstack-keystone		00:55
andrewbogott	well, wait, when you did 'select * from assignment where actor_id = '865066d4f2ba46e7ac4c4352146ffe93';'	00:55
ayoung	let me see if we have a better api, for listing effective role assignements as callable from the CLI	00:55
andrewbogott	I would expect the target_id to be the id for domain 'test'	00:56
andrewbogott	/or/ a list of a bunch of projects	00:56
andrewbogott	but instead it's just the ID of one arbitrary project?	00:56
ayoung	heh	00:56
andrewbogott	So I don't see how that's doing anything other than just misfiring and applying the role to the first project in the list	00:56
andrewbogott	Which is 'inheritance' in a sense, I suppose :(	00:57
ayoung	select * from project where id = '2487d826053a47ceaa57278a9245045b';	00:57
ayoung	+----------------------------------+------+-------+-------------+---------+----------------------------------+----------------------------------+-----------+	00:57
ayoung	\| id \| name \| extra \| description \| enabled \| domain_id \| parent_id \| is_domain \|	00:57
ayoung	+----------------------------------+------+-------+-------------+---------+----------------------------------+----------------------------------+-----------+	00:57
ayoung	\| 2487d826053a47ceaa57278a9245045b \| t3 \| {} \| \| 1 \| 1ef534c4cb9349188870cac6ccd6bbef \| 1ef534c4cb9349188870cac6ccd6bbef \| 0 \|	00:57
ayoung	+----------------------------------+------+-------+-------------+---------+----------------------------------+----------------------------------+-----------+	00:57
*** guoshan has quit IRC		00:58
andrewbogott	right, the first project in the domain, right?	00:58
ayoung	nope that was the project t3 from...	00:59
ayoung	role add --user-domain default --user u2 --project 2487d826053a47ceaa57278a9245045b mediator --inherited	00:59
ayoung	so that is explicitly on t3, but we did something wicked	00:59
ayoung	that role will only show up on project under t3	01:00
ayoung	to get a role on t3 itself I need to do this:	01:00
ayoung	openstack role add --user-domain default --user u2 --project 2487d826053a47ceaa57278a9245045b mediator	01:00
ayoung	now I have	01:01
ayoung	select * from assignment where actor_id = '865066d4f2ba46e7ac4c4352146ffe93';	01:01
ayoung	+-------------+----------------------------------+----------------------------------+----------------------------------+-----------+	01:01
ayoung	\| type \| actor_id \| target_id \| role_id \| inherited \|	01:01
ayoung	+-------------+----------------------------------+----------------------------------+----------------------------------+-----------+	01:01
ayoung	\| UserProject \| 865066d4f2ba46e7ac4c4352146ffe93 \| 2487d826053a47ceaa57278a9245045b \| a5507dce2ca742628ea9fecc93188f94 \| 0 \|	01:01
ayoung	\| UserProject \| 865066d4f2ba46e7ac4c4352146ffe93 \| 2487d826053a47ceaa57278a9245045b \| a5507dce2ca742628ea9fecc93188f94 \| 1 \|	01:01
ayoung	+-------------+----------------------------------+----------------------------------+----------------------------------+-----------+	01:01
ayoung	andrewbogott, so inherited is only applied to children	01:01
ayoung	and not inherited is only applied to the parent	01:01
andrewbogott	ok, that makes sense	01:01
ayoung	personally, I would have liked to have a both value	01:01
ayoung	and make that the default, but would not be backwards compat now	01:02
ayoung	ah well...	01:02
andrewbogott	but what I'm missing is the part where you did this:	01:02
andrewbogott	openstack role add --user-domain default --user u1 --project 1ef534c4cb9349188870cac6ccd6bbef mediator --inherited	01:02
andrewbogott	Did that have any effect at all? Can we see that role applied to things in that domain? (1ef534c4cb9349188870cac6ccd6bbef is the 'test' domain, right'?)	01:03
ayoung	andrewbogott, so I have proejct t3 and a child of that is t31	01:04
ayoung	that assignement means that user u1 gets a role on t31	01:04
ayoung	If I make another child project of t3 it will get that role. Or if I make a child project of t31	01:04
ayoung	try this out, and have the users request tokens, and look at the roles assigned on the tokens	01:05
ayoung	andrewbogott, OK>	01:05
ayoung	?	01:05
andrewbogott	Sorry, was that an answer to my question about setting an inherited role on the 'test' domain?	01:05
andrewbogott	I think I understand about setting things on new projects-inside-projects	01:06
*** hoangcx has joined #openstack-keystone		01:06
andrewbogott	but am still confused about how that relates to the 'use a domain id but tell the UI it's a project' bit	01:07
andrewbogott	For what it's worth, my ultimate goal: Set a role on all my projects, current and future. All my projects are conveniently in the 'default' domain, hence my interest in domains :)	01:11
ayoung	andrewbogott, I think it would only work for a domain other than default	01:14
ayoung	just cuz that one is wonky	01:14
andrewbogott	oooh, because 'default' is special	01:14
ayoung	but you might be able to do this	01:14
ayoung	create a new domain and update the config file to say that is now the default domain	01:14
ayoung	actually, that will break everything	01:15
ayoung	defautl domain is a V2 ism anywauy	01:15
ayoung	so yeah, put them somewhere else	01:15
andrewbogott	is it possible/safe to move existing projects to a new domain? Or move them under another project?	01:16
ayoung	you can't move nothin	01:18
ayoung	well, you could if you hacked the DB	01:18
ayoung	but that is not something I would advocate	01:18
andrewbogott	ok	01:19
andrewbogott	so sounds like inheritance is another dead end	01:19
andrewbogott	I guess I'll just write a cron that enumerates the projects and adds roles to them :)	01:19
ayoung	andrewbogott, nah, just don't do things in 'default'	01:19
andrewbogott	But I already have 100+ projects in the default domain	01:19
ayoung	you OK with hacking the database?	01:20
andrewbogott	sure	01:20
andrewbogott	is it really just the one field?	01:20
ayoung	maybe...hold on	01:20
ayoung	try this	01:20
ayoung	\| bc2b077e3b814f2988b706c383d90b50 \| service \| {} \| Tenant for the openstack services \| 1 \| default \| default	01:21
ayoung	er	01:21
ayoung	select * from project;	01:21
ayoung	in my case, I have a project as you see above	01:21
ayoung	it is the default domain, but you see its project id is bc2b077e3b814f2988b706c383d90b50	01:22
ayoung	try assigning roles on that proejct with --inherited and I think you will get what you want	01:22
andrewbogott	in my case the default domain has an id of 'default'	01:23
andrewbogott	which I can't set roles on, as per my earlier paste	01:23
andrewbogott	hm, the project table doesn't seem to have an entry called 'default' at all	01:23
* andrewbogott looks again		01:23
ayoung	I'm running the latest code. What version are you running?	01:24
andrewbogott	hm, nope, not there. Which probably explains why I can't set roles on it :)	01:24
andrewbogott	Liberty	01:24
andrewbogott	My install is very old though, upgraded from D	01:24
ayoung	Ah. Yeah, think this was done in Mitaka. Devs that did it are not here	01:24
ayoung	Nice!	01:25
ayoung	Time to upgrade again	01:25
andrewbogott	ah, you mean the 'domains are actually projects' change is an M thing?	01:25
jamielennox	raj_singh: sent you an email linking to https://gist.github.com/jamielennox/8749f39fc53a7d53c822ba76fd5271b2	01:28
jamielennox	stevemar et al: ^ example of how the service token wrapper plugin would be used	01:29
jamielennox	we will need to make it more intuitive, but building an auth plugin from an oslo_context has been on the cards for a while now, just need to get dependent stuff merged	01:29
*** jerrygb_ has joined #openstack-keystone		01:30
*** jerrygb has quit IRC		01:31
*** iurygregory_ has quit IRC		01:32
ayoung	jamielennox, so..question for you, on our last convo...why do you want the policy enforcement on a domain socket as opposed to a library called but the current process?	01:37
*** guoshan has joined #openstack-keystone		01:40
*** rvba has quit IRC		01:44
*** guoshan has quit IRC		01:44
*** jerrygb has joined #openstack-keystone		01:45
*** guoshan has joined #openstack-keystone		01:45
*** woodster_ has quit IRC		01:45
*** jerrygb_ has quit IRC		01:45
*** rvba has joined #openstack-keystone		01:50
*** rvba has quit IRC		01:50
*** rvba has joined #openstack-keystone		01:50
*** markvoelker has joined #openstack-keystone		01:53
*** markvoelker has quit IRC		01:58
*** jerrygb has quit IRC		01:59
*** jerrygb has joined #openstack-keystone		01:59
*** adrian_otto has joined #openstack-keystone		02:14
*** jerrygb has quit IRC		02:17
*** jerrygb has joined #openstack-keystone		02:18
openstackgerrit	ayoung proposed openstack/keystone: Support AD Nested groups https://review.openstack.org/389316	02:21
*** kiran-r has joined #openstack-keystone		02:22
*** jerrygb has quit IRC		02:22
*** kiran-r has quit IRC		02:23
*** GB21 has joined #openstack-keystone		02:34
knikolla	ayoung: dumb python question. in your ad nested patch, the format string is '(%s:%s:=%s)%s' however there's 3 arguments.	02:47
knikolla	am i missing something?	02:48
*** GB21 has quit IRC		02:54
*** dave-mccowan has quit IRC		02:57
*** jerrygb has joined #openstack-keystone		02:59
*** adrian_otto has quit IRC		03:03
*** nicolasbock has quit IRC		03:08
ayoung	looking...	03:11
ayoung	knikolla, that does look suspect	03:12
ayoung	knikolla, it should have a test anyway. I wonder if I broke that after I tested it	03:13
ayoung	knikolla, I think the second one should have "member" replaced with the member attribute too, but not 100% certain	03:14
knikolla	ayoung: it's the same in patchset 5, and the tests for 5 passed.	03:14
ayoung	not sure if that code gets tested, though, due to the filtered part of it	03:15
knikolla	ayoung: true, that doesn't seem to get tested.	03:17
ayoung	-1 it and I'll fix tomorrow. I suspect I just never tested that code path. it should throw an error. Against the live server, I used the CLI, and I probably didn't use the filter.	03:18
knikolla	ayoung: -1ed.	03:20
*** adrian_otto has joined #openstack-keystone		03:26
adriant	Hey, silly question... Groups need a domain_id to be created. A domain is a project. Can groups be greated and scoped to a project (and its children), or does the project need to actually be a domain?	03:27
adriant	If it does actually need to be a domain, why?	03:27
*** adrian_otto has quit IRC		03:27
adriant	s/greated/created/ odd typo	03:31
*** adrian_otto has joined #openstack-keystone		03:35
*** richm has quit IRC		03:41
adriant	ha! if I change: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L1057	03:50
adriant	to get_project(..) it works	03:50
adriant	Now lets see just how badly I've broken my devstack.	03:50
*** markvoelker has joined #openstack-keystone		03:54
*** browne has quit IRC		03:55
*** guoshan has quit IRC		03:56
adriant	hmmm interesting. You can only add users which are in the 'domain' for that group. Which if the domain_id for the group is actually a project complicates matters.	03:57
*** prometheanfire has left #openstack-keystone		03:57
adriant	no wait, that's just horizon no listing users. CLI lets me add a user just fine.	03:58
*** markvoelker has quit IRC		03:59
*** jerrygb has quit IRC		03:59
*** jerrygb has joined #openstack-keystone		04:01
*** links has joined #openstack-keystone		04:01
adriant	ah ha! But I can't add roles to said group because there are no projects on the same 'domain' as it. :(	04:03
jamielennox	ayoung: i was purely thinking that we would want something more dynamic than could be handled on a library	04:04
jamielennox	ayoung: a library is basically what oslo.policy provides	04:04
jamielennox	there was also a case where companies wanting to integrate with external policy would want more info that they could plug in there	04:05
*** adrian_otto has quit IRC		04:15
*** adrian_otto has joined #openstack-keystone		04:24
*** jerrygb_ has joined #openstack-keystone		04:28
*** jerrygb has quit IRC		04:29
adriant	Ok... so it's a little broken, but I have a group with domain_id that is just a project. I can add roles to it, and users. And I can then login as those users.	04:33
*** jerrygb has joined #openstack-keystone		04:44
*** jerrygb_ has quit IRC		04:45
*** guoshan has joined #openstack-keystone		04:57
*** jerrygb_ has joined #openstack-keystone		04:59
*** jerrygb has quit IRC		04:59
*** guoshan has quit IRC		05:01
*** jerrygb_ has quit IRC		05:15
*** jerrygb has joined #openstack-keystone		05:15
*** GB21 has joined #openstack-keystone		05:18
*** g2[CUBS-ATL] is now known as g2		05:18
*** jerrygb has quit IRC		05:33
*** jerrygb has joined #openstack-keystone		05:33
*** jerrygb has quit IRC		05:33
*** adrian_otto has quit IRC		05:34
*** adrian_otto has joined #openstack-keystone		05:34
*** adrian_otto has quit IRC		05:35
*** adrian_otto has joined #openstack-keystone		05:36
*** adriant has quit IRC		05:39
*** openstackgerrit has quit IRC		05:48
*** openstackgerrit has joined #openstack-keystone		05:48
*** markvoelker has joined #openstack-keystone		05:55
*** adrian_otto has quit IRC		05:56
*** guoshan has joined #openstack-keystone		05:57
*** markvoelker has quit IRC		05:59
*** guoshan has quit IRC		06:02
*** ravelar has joined #openstack-keystone		06:12
*** guoshan has joined #openstack-keystone		06:15
*** guoshan has quit IRC		06:19
*** guoshan has joined #openstack-keystone		06:20
*** annp has joined #openstack-keystone		06:23
*** sheel has joined #openstack-keystone		06:24
*** GB21 has quit IRC		06:26
*** tobberyd_ has joined #openstack-keystone		06:28
*** mnaser has quit IRC		06:37
*** afazekas has quit IRC		06:40
*** afazekas has joined #openstack-keystone		06:40
*** mnaser has joined #openstack-keystone		06:46
*** GB21 has joined #openstack-keystone		06:46
*** markvoelker has joined #openstack-keystone		06:55
*** markvoelker has quit IRC		07:00
*** flaper87 has joined #openstack-keystone		07:00
*** flaper87 has quit IRC		07:00
*** flaper87 has joined #openstack-keystone		07:00
*** ravelar has quit IRC		07:05
*** tesseract has joined #openstack-keystone		07:14
*** tesseract is now known as Guest25209		07:14
*** belmoreira has joined #openstack-keystone		07:24
jvarlamova	upgrade	07:25
*** GB21 has quit IRC		07:25
*** jaosorior has joined #openstack-keystone		07:28
*** jerrygb has joined #openstack-keystone		07:34
*** rcernin has joined #openstack-keystone		07:34
*** jerrygb has quit IRC		07:39
*** GB21 has joined #openstack-keystone		07:44
*** openstackgerrit has quit IRC		07:48
*** openstackgerrit has joined #openstack-keystone		07:48
*** GB21 has quit IRC		07:48
*** martinus__ has joined #openstack-keystone		07:54
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** amoralej\|off is now known as amoralej		08:35
*** jpich has joined #openstack-keystone		08:54
*** markvoelker has joined #openstack-keystone		08:56
*** markvoelker has quit IRC		09:00
*** GB21 has joined #openstack-keystone		09:01
*** GB21 has quit IRC		09:07
*** abhishekk has joined #openstack-keystone		09:09
*** GB21 has joined #openstack-keystone		09:19
*** xek has quit IRC		09:24
*** jerrygb has joined #openstack-keystone		09:35
*** jerrygb has quit IRC		09:41
*** jaosorior is now known as jaosorior_lunch		09:41
*** jpich has quit IRC		09:45
*** jpich has joined #openstack-keystone		09:49
*** mvk has quit IRC		09:51
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	09:56
*** jerrygb has joined #openstack-keystone		09:58
*** jerrygb has quit IRC		10:03
*** hoangcx has quit IRC		10:20
*** mvk has joined #openstack-keystone		10:26
samueldmq	morning keystone	10:27
*** links has quit IRC		10:40
*** nicolasbock has joined #openstack-keystone		10:41
*** nkinder has quit IRC		10:43
*** guoshan_ has joined #openstack-keystone		10:46
*** guoshan has quit IRC		10:49
*** guoshan_ has quit IRC		10:50
breton	o/	10:53
*** ChanServ sets mode: +v breton		10:53
*** nkinder has joined #openstack-keystone		10:53
*** markvoelker has joined #openstack-keystone		10:57
dstanek	samueldmq: morning	11:01
*** markvoelker has quit IRC		11:02
*** GB21 has quit IRC		11:03
*** dave-mccowan has joined #openstack-keystone		11:05
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	11:11
*** GB21 has joined #openstack-keystone		11:15
*** gb21_ has joined #openstack-keystone		11:16
samueldmq	dstanek: o/	11:18
*** GB21 has quit IRC		11:20
*** annp has quit IRC		11:22
*** jerrygb has joined #openstack-keystone		11:26
*** gb21_ is now known as GB21		11:27
*** AlexeyAbashkin has quit IRC		11:30
*** links has joined #openstack-keystone		11:30
*** AlexeyAbashkin has joined #openstack-keystone		11:35
*** jaosorior_lunch is now known as jaosorior		11:44
*** GB21 has quit IRC		11:48
*** AlexeyAbashkin has quit IRC		11:49
*** AlexeyAbashkin has joined #openstack-keystone		11:50
*** tobberyd_ has quit IRC		11:51
*** edmondsw has joined #openstack-keystone		12:05
*** LiYuenan has quit IRC		12:07
*** tobberyd_ has joined #openstack-keystone		12:11
*** raildo has joined #openstack-keystone		12:14
raj_singh	jamielennox: Thanks Jamie. I will ping you if need more info.	12:14
*** markvoelker has joined #openstack-keystone		12:22
*** thiagolib has joined #openstack-keystone		12:29
*** jerrygb has quit IRC		12:30
*** lamt has joined #openstack-keystone		12:32
*** daemontool has joined #openstack-keystone		12:37
dstanek	breton: good morning	12:43
*** haplo37_ has quit IRC		12:47
*** haplo37_ has joined #openstack-keystone		12:47
breton	dstanek: morning!	12:47
breton	15:47 :3	12:47
dstanek	quit showing off :-)	12:48
*** david-lyle has quit IRC		12:55
openstackgerrit	ayoung proposed openstack/keystone-specs: Token Verify Role Check https://review.openstack.org/391624	13:06
*** jerrygb has joined #openstack-keystone		13:10
breton	keystone_manage token_flush doesn't purge token cache	13:15
*** jperry has joined #openstack-keystone		13:16
breton	not a big deal though.	13:21
*** jerrygb_ has joined #openstack-keystone		13:21
*** jerrygb has quit IRC		13:22
knikolla	o/	13:22
*** amoralej is now known as amoralej\|lunch		13:25
*** Alexey_Abashkin has joined #openstack-keystone		13:27
*** spzala has joined #openstack-keystone		13:30
*** AlexeyAbashkin has quit IRC		13:30
*** dikonoor has joined #openstack-keystone		13:42
*** rodrigods has quit IRC		13:46
*** rodrigods has joined #openstack-keystone		13:46
*** links has quit IRC		13:52
*** edtubill has joined #openstack-keystone		13:53
*** pcaruana has joined #openstack-keystone		13:53
*** dave-mcc_ has joined #openstack-keystone		13:54
*** tobbery__ has joined #openstack-keystone		13:55
*** dave-mccowan has quit IRC		13:57
*** jerrygb has joined #openstack-keystone		13:57
*** agrebennikov has joined #openstack-keystone		13:58
*** tobberyd_ has quit IRC		13:59
*** sheel has quit IRC		14:00
*** jerrygb_ has quit IRC		14:00
*** dave-mcc_ has quit IRC		14:01
*** amoralej\|lunch is now known as amoralej		14:03
*** abhishekk has left #openstack-keystone		14:05
*** spilla has joined #openstack-keystone		14:12
*** jaugustine has joined #openstack-keystone		14:16
*** jaosorior has quit IRC		14:17
openstackgerrit	ayoung proposed openstack/keystone: Support AD Nested groups https://review.openstack.org/389316	14:18
ayoung	breton, so...I know I -2ed your proposal. I don't want to leave you stuck.	14:19
ayoung	breton, how badly do you need that, and why?	14:20
*** chris_hultin\|AWA is now known as chris_hultin		14:21
*** edtubill has quit IRC		14:22
*** edtubill has joined #openstack-keystone		14:23
breton	ayoung: project properties? That's not my proposal. I just know that we had to do that for at least one customer.	14:25
ayoung	breton, ah...thought it was you.	14:26
breton	ayoung: my proposal is about quota limits, which is kinda similar in terms of new attributes. But lets talk about it later, after i formalize it and do some other things.	14:27
ayoung	breton, OK, but, other than deactivation of a project, why is Quota limits going into Keystone as opposed to having it as a separate microservice?	14:28
*** dave-mccowan has joined #openstack-keystone		14:29
gagehugo	ayoung: project properties was "mine", but we do want it pretty badly so we don't need to keep using janky ways to keep things in extras. Using something external would not be ideal to just keep track of these labels for projects.	14:34
gagehugo	I dont mean to butt in on the quota limits discussion however	14:34
ayoung	gagehugo, please butt in	14:35
dstanek	gagehugo: what's the usecase?	14:35
ayoung	dstanek, they provide 2 in the spec	14:35
ayoung	https://review.openstack.org/#/c/388886/4/specs/keystone/ocata/project-properties.rst	14:36
ayoung	post server orchestration processing,	14:36
ayoung	and	14:36
ayoung	Bookkeeping	14:36
ayoung	both of which I find suspect	14:36
dstanek	ayoung: i don't understand the first usecase. what would need to be stored?	14:37
ayoung	gagehugo, I think quota limits falls exactly into the same category as bookkeeping	14:37
dstanek	the second usecase is really just the ability to add tags - i like this a lot for my own environments	14:38
ayoung	dstanek, so, lets say you have a generic key-value store under each project. One of the keys could be "host group" and you could add all of the servers in that project to the corresponding host group in Active Directory/FreeIPA	14:38
ayoung	dstanek, so here is what I am worried about	14:38
ayoung	say someone decides to use a tag like, production	14:39
ayoung	who gets to set that on a proejct?	14:39
ayoung	the admin of the project? CLoud admin?	14:39
gagehugo	yes	14:39
ayoung	its an ownership and clash thing, and could have security ramifications	14:39
ayoung	We don't do a good job of saying "in order to operate on subordinate projects, you need to have this role on the parent project"	14:40
ayoung	but even there it is possible to abuse	14:40
gagehugo	the second use case is more of what we need than the first	14:40
ayoung	we are making a global namespace, and see how hard that is to manage in python?	14:40
dstanek	ayoung: yes i agree that security is a huge concern here	14:40
breton	ayoung: i don't have very strong opinion about keystone vs separate service. However, we own everything the limits are related to: projects, domains, users, services, regions.	14:40
dstanek	the example is billing codes - who gets to set that?	14:41
ayoung	breton, heh...except for the things that the limits are actually placed on: storage, networks, objects in swift etc	14:41
dstanek	breton: is there a spec for that too?	14:41
ayoung	treat the project as an external resource to the tools that manage specific resources, not the other way around	14:42
*** nk2527 has joined #openstack-keystone		14:43
*** edtubill has quit IRC		14:43
breton	dstanek: not really, https://review.openstack.org/#/c/363765/3/specs/keystone/backlog/quota-limits.rst	14:43
*** woodster_ has joined #openstack-keystone		14:43
*** edtubill has joined #openstack-keystone		14:44
ayoung	breton, so what services actually consume quotas? Cinder, Swift and neutron? Any others?	14:45
ayoung	Nova has a bunch...here is a list	14:45
ayoung	http://docs.openstack.org/admin-guide/dashboard-set-quotas.html	14:45
breton	ayoung: ayoung nova, cinder, neutron. I know there was something else from the big tent.	14:46
ayoung	So we have BLock Storage and Compute resources.	14:46
ayoung	Its like policy all over again...Keystone is going to have to know about everything else in Openstack to do that	14:47
ayoung	a type system	14:47
gagehugo	dstanek: the billing stuff is why we want the ability to tag projects	14:47
*** dikonoor has quit IRC		14:48
breton	ayoung: i'd say it's more like service catalog, but without formats. Also, there are only 2 types.	14:48
gagehugo	these use cases we wrote could probably be clarified better tbh	14:48
ayoung	breton, Gigabytes, Instances, Injected Files, Keypairs, Metadata Items, RAM, Security Groups, Security Groups Rules, Snapshots, VCPUs, Volumes...	14:49
ayoung	and that is just from 2 services	14:49
breton	ayoung: none of that is tracked in those services	14:50
ayoung	add in the neutron concepts you have about a dozen more	14:50
breton	ayoung: it's just (string) key: (int) value	14:50
ayoung	breton, the fact that it is written down means that someone wants to track it. It is a type system.	14:50
ayoung	And it is the same idea as the policy enforcement per resource	14:50
ayoung	hmmm	14:51
ayoung	quote is kindof like a role assignment	14:51
ayoung	quots	14:51
ayoung	gah	14:51
ayoung	quota	14:51
breton	lets talk about limits and usages. "Quota" is too generic.	14:52
ayoung	URLs are, literally, Universal Resource Locators.	14:52
ayoung	and we want to enforce policy on URLS...but really on resources	14:52
ayoung	breton, did you see what I wrote up for RBAC?	14:52
*** tobbery__ has quit IRC		14:52
dstanek	gagehugo: i don't really understand what you need to do with the first usecase	14:53
ayoung	https://review.openstack.org/#/c/391624/	14:53
breton	ayoung: if role check, then yes	14:53
ayoung	breton, and inherited roles are kindof like inherited resource limits...	14:54
breton	ayoung: you are talking about limits enforcement	14:54
*** xarses has joined #openstack-keystone		14:54
breton	ayoung: *usages	14:55
breton	ayoung: you are talking about usages	14:55
*** edtubill has quit IRC		14:55
*** andreww has joined #openstack-keystone		14:55
ayoung	breton, I'm unclear on your distinction between the terms. Usages must be equal to or lower than limits, no?	14:56
breton	ayoung: i suggest to leave the enforcemnt and usage on the services. Nova fetched the key-value from keystone, checks the usages and allows/forbids the creation	14:56
gagehugo	dstanek: the first use case is just built off the second about doing something with the tags	14:57
gagehugo	Its not written in the best way, I can clean it up	14:57
gagehugo	the main thing is use case #2	14:57
ayoung	breton, so, no.	14:57
gagehugo	which is being able to associate string values to projects	14:57
gagehugo	which we do in extras currently, which sucks	14:57
ayoung	breton, Nova already knows about the resource types	14:57
breton	ayoung: and marks that N resources are already used, in its own database	14:57
ayoung	nova should store those limits]	14:57
*** d0ugal has quit IRC		14:57
gagehugo	ayoung I think nova does	14:57
knikolla	anybody have the eventbrite ptg link handy?	14:57
*** ravelar has joined #openstack-keystone		14:58
ayoung	gagehugo, yes, it does ,because we've had this discussion multiple times, and that is where Nova always ends up coming back to wanting them	14:58
ayoung	knikolla, I think so, one sec	14:58
ayoung	https://www.eventbrite.com/e/project-teams-gathering-tickets-27549298694?invite=&err=29&referrer=&discount=&affiliate=&eventpassword=	14:58
*** edtubill has joined #openstack-keystone		14:59
*** xarses has quit IRC		14:59
breton	ayoung: that's how it is done now. And it leads to 3 places to store these key-values. And they all support different things. For example, Cinder supports hierarchical projects, nova per-user quotas and neutron supports none of that. And that support happens not because of resource types, but just because.	14:59
knikolla	ayoung: thanks! buying now.	14:59
ayoung	I think it is only the inheritance part of the project setup that causes people to head back to ask for it out of Keystone	14:59
*** tobberyd_ has joined #openstack-keystone		15:00
ayoung	breton, If we tell Nova that they can no longer store per user quotas they will ignore us and do it anyway	15:00
breton	ayoung: we will support per-user quotas.	15:01
breton	ayoung: (even if they are not exposed via horizon)	15:01
ayoung	breton, I think that is a mistake	15:01
ayoung	actually, it is a huge mistake.	15:02
ayoung	ugh	15:02
ayoung	no	15:02
ayoung	AAAAAH!	15:02
robcresswell	Just lurking, but quotas is likely to get some love this cycle in Horizon if anyone wanted to explain their expectations etc.	15:03
ayoung	breton, think what that means. On a give resource consumption, the service needs to identify if the quota comes from the user or the organization.	15:03
breton	ayoung: another problem with services storing their own limits is that it requires people (or clients) to know which keys correspond to which services. To set "disk_usage" limit i must know that it relates to cinder, and that "number_of_ip" is from neutron.	15:03
ayoung	It should only ever come from the organization	15:03
ayoung	breton, they should be, explicitly, APIs on those services	15:04
dstanek	gagehugo: i added some questions to your review	15:04
breton	ayoung: there are ~30 resources now. Should there be 30 APIs?	15:04
ayoung	breton, the services should assume that Keystone is read only data	15:04
ayoung	breton, how many services are there? Perhaps one per service.	15:05
gagehugo	dstanek ok	15:05
breton	ayoung: keystone in this case will be read-only data. When usage happens, data will be read from keystone, writes will happen on service side.	15:05
ayoung	breton, there are 30 different APIs for createing and 30 for deleteing resources. Why should quota then be centralized?	15:05
ayoung	breton, if a new service comes along, and wants to write its quota data into Keystone?	15:06
ayoung	Alot will have to be written there....	15:06
ayoung	I'm really torn on this. I see both sides....	15:06
breton	ayoung: it will do the write the same way it creates a service, endpoint etc.	15:06
ayoung	Especially as this really parallels what I was mulling over with policy	15:06
ayoung	breton, OK, here is the weakness in my policy proposal	15:07
ayoung	assume Hroizon FTM	15:07
breton	policy was never managed via API. Limits always were.	15:07
ayoung	and a user logs in to horiozon, getting a token	15:07
ayoung	Horiz sends it to Nova, that authenticates it, and caches the auth	15:07
ayoung	breton, table that thought...I have some pedantry for the response, but let me proceed...	15:08
ayoung	so if Horizon makes 16 calls to Nova, there is only one call to Keystone	15:08
ayoung	If we implement my proposal, each of those calls would need to be sent to Keystone, assuming they are for differnt verbs/urls	15:08
ayoung	so caching is shot	15:09
ayoung	now, assume that 1/3rd of them are for creating something, each of those would have to be calls to Keysonte (or a bulk call with data cached...)	15:09
ayoung	again we are going to hammering Keystone	15:09
ayoung	so people are going to say "put the quotas into the token validation response"	15:10
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly https://review.openstack.org/388842	15:10
*** edtubill has quit IRC		15:10
ayoung	But that will bloat the memcache stored data	15:10
breton	we can't do that for some other reasons too	15:11
breton	not only memcache	15:11
ayoung	We'll end up with either a load of data we don't need, or multiple trips to Keystone for each user, negating the value of caching the token data	15:11
breton	> now, assume that 1/3rd of them are for creating something	15:11
breton	why is that?	15:12
ayoung	so, since quota is specific to each individual service, what is the benefit of holding it in Keystone instead of in Nova?	15:12
*** jerrygb_ has joined #openstack-keystone		15:12
ayoung	Garbage collection is just as big a problem:	15:12
ayoung	say you have HMT set up.	15:12
ayoung	P1 is parent, C1 C2 C3 are children	15:12
*** d0ugal has joined #openstack-keystone		15:12
ayoung	P1 gets 10 instances	15:12
ayoung	admin decides to split it 3 3 4 over child projects	15:13
ayoung	then C3 is deactiveated,	15:13
ayoung	quota is still allocated to C3 until someone takes it away	15:13
*** jerrygb has quit IRC		15:13
gagehugo	dstanek: good points	15:14
ayoung	its workflow	15:14
ayoung	and while you might be able to see "some" workflow, I suspect the right answer there should be "make it code run in mistral, triggered from project deletion"	15:14
ayoung	But you still need somewhere to store that data...	15:16
*** jaosorior has joined #openstack-keystone		15:17
breton	ayoung: benefit of holding it in keystone is easier to manage, easier to support new things. How do i add HMT to nova and neutron when cinder supports it?	15:18
breton	and when the customer asks "can i have hierarchical quotas" we have to answer him "weeel, in cinder yes, in nova we can kinda emulate it, in neutron no"	15:19
*** edtubill has joined #openstack-keystone		15:19
breton	(true story)	15:19
breton	i will afk for 10 minutes to get something to eat	15:20
*** edtubill has quit IRC		15:21
gagehugo	ayoung: we can clarify those use cases, I dont think they are written clearly enough. We just want the ability to associate string values with projects in keystone, and those use cases are just generic things we use those tags for	15:22
*** richm has joined #openstack-keystone		15:24
ayoung	gagehugo, "just" is one of my trigger words	15:27
ayoung	it indicates an attempt to downplay an issue, usually the important issue at hand.	15:27
gagehugo	I can see the arguement	15:27
gagehugo	that*	15:27
gagehugo	foot in the door situation	15:27
ayoung	gagehugo, dumb idea...	15:28
ayoung	nah, forget it	15:28
ayoung	I already talked myself out of it.	15:28
gagehugo	but in this case, that is really what we want from project properties	15:29
ayoung	The problem with all of this is that all the services need Keystone set up correctly to function	15:29
ayoung	we are coding in dependencies	15:29
ayoung	and we haven't even figured out how to do RBAC right yet	15:29
gagehugo	quotas is not in the scope of that spec	15:30
gagehugo	but I can see that someone can abuse it for that	15:30
dstanek	gagehugo: what is keeping track of a project for billing purposes?	15:30
ayoung	dstanek, CloudKitty	15:31
*** davechen has quit IRC		15:31
gagehugo	marking a project with a tag, then using that tag to bill people later	15:32
dstanek	gagehugo: so it is billing system related?	15:32
*** davechen has joined #openstack-keystone		15:33
gagehugo	the tags we store in properties will be used later for billing yes	15:33
dstanek	gagehugo: so in a large could example...who maintains the tags? a cloud admin, domain admin or something else?	15:34
lamt	it is a use case AT&T uses - but generically we just want ways to query projects based on some properties. We have a handful of these sandbox projects created that only exits for X days.	15:34
gagehugo	dstanek: what lamt said	15:34
lamt	dstanek : currently it is the cloud admin	15:34
dstanek	so the spec should definitely be updated to show/enforce that	15:35
lamt	dstanek : agreed, the use cases need to be reworded	15:36
dstanek	lamt: not just that. the apis need to be changed	15:36
gagehugo	removing the properties from creation/updating into their own separate calls?	15:37
*** ashyoung has joined #openstack-keystone		15:38
gagehugo	that would be better in terms of security	15:38
*** d0ugal has quit IRC		15:39
dstanek	gagehugo: without that you couldn't easily limit to cloud admin unless you start doing policy check deeping in the code	15:41
gagehugo	dstanek: yeah thats a good point	15:42
*** ashyoung has quit IRC		15:43
dstanek	does tag information need to be returned in the project resource?	15:44
*** adrian_otto has joined #openstack-keystone		15:44
lamt	dstanek : no - that can be taken out. I thought for a while /projects returns extras too, but that was removed.	15:45
*** jaosorior has quit IRC		15:54
*** browne has joined #openstack-keystone		15:55
*** edtubill has joined #openstack-keystone		15:56
*** tobbery__ has joined #openstack-keystone		16:01
dstanek	lamt: there has been a push to not have extras around anymore because keystone shouldn't be used as a kvs	16:02
*** rcernin has quit IRC		16:02
*** edtubill has quit IRC		16:02
lamt	dstanek : ah	16:02
*** davechen has quit IRC		16:04
*** tobberyd_ has quit IRC		16:04
*** tobbery__ has quit IRC		16:06
gagehugo	dstanek: using extras really isnt the greatest	16:06
*** david-lyle has joined #openstack-keystone		16:10
*** dave-mccowan has quit IRC		16:17
*** dave-mccowan has joined #openstack-keystone		16:19
*** belmoreira has quit IRC		16:19
*** pcaruana has quit IRC		16:20
*** edtubill has joined #openstack-keystone		16:21
*** rcernin has joined #openstack-keystone		16:25
knikolla	can a user use an unscoped token to update his own password?	16:29
*** gyee has joined #openstack-keystone		16:32
*** david-lyle has quit IRC		16:32
*** david-lyle has joined #openstack-keystone		16:33
gagehugo	knikolla: yes	16:33
gagehugo	I was just able to anyway	16:33
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/393399	16:33
knikolla	gagehugo: thanks!	16:38
openstackgerrit	Kam Nasim proposed openstack/keystone: Network conn timeout on Identity LDAP backend https://review.openstack.org/390948	16:43
*** edtubill has quit IRC		16:44
*** edmondsw has quit IRC		16:46
*** dikonoor has joined #openstack-keystone		16:46
*** andreww has quit IRC		16:46
*** xarses has joined #openstack-keystone		16:50
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/393399	16:55
*** Alexey_Abashkin_ has joined #openstack-keystone		16:56
*** Alexey_Abashkin has quit IRC		16:59
*** rcernin has quit IRC		17:03
*** rcernin has joined #openstack-keystone		17:03
*** esp has joined #openstack-keystone		17:05
*** gyee has quit IRC		17:07
*** rcernin has quit IRC		17:08
*** artmr has joined #openstack-keystone		17:14
*** rcernin has joined #openstack-keystone		17:19
artmr	I'm not sure if I am inconvenient when I request a review here, but it's a very simple patch:	17:22
artmr	https://review.openstack.org/#/c/389796/	17:22
*** rcernin has quit IRC		17:24
*** daemontool has quit IRC		17:28
*** pjm6 has quit IRC		17:38
jlk	stevemar: so what needs to happen to kick https://review.openstack.org/#/c/253273/ into getting attention? Apparently we're able to tickle the issue in some of our testing.	17:43
*** harlowja has quit IRC		17:43
*** harlowja has joined #openstack-keystone		17:46
*** ravelar has quit IRC		17:49
*** kiran-r has joined #openstack-keystone		17:56
*** edtubill has joined #openstack-keystone		17:57
*** Guest25209 has quit IRC		17:57
ayoung	stevemar, https://admiyo.fedorapeople.org/openstack/stoney-turtle.svg	18:05
*** rcernin has joined #openstack-keystone		18:05
*** sdake has joined #openstack-keystone		18:05
gagehugo	happy turtle	18:08
ayoung	gagehugo, I call him stoney	18:09
gagehugo	stoney the happy turtle	18:10
gagehugo	I like it	18:10
bknudson	what is stoney smoking?	18:11
*** chris_hultin is now known as chris_hultin\|AWA		18:12
ayoung	gagehugo, a first draft for a Keystone mascot	18:12
gagehugo	yeah, I was rooting for komodo dragon, but I like turtles as well	18:13
gagehugo	I like the keyhole in the shell	18:13
jlk	tokens	18:13
bknudson	high on fernet	18:14
*** kiran-r has quit IRC		18:15
openstackgerrit	Matt Fischer proposed openstack/keystone: Allow running expand & migrate at the same time https://review.openstack.org/392320	18:16
*** chris_hultin\|AWA is now known as chris_hultin		18:17
*** ravelar has joined #openstack-keystone		18:21
*** sdake has quit IRC		18:22
artmr	thank you for review, ayoung	18:22
*** dikonoor has quit IRC		18:22
*** davechen has joined #openstack-keystone		18:24
*** davechen has quit IRC		18:28
*** davechen has joined #openstack-keystone		18:28
*** mvk has quit IRC		18:32
morgan_	ayoung: nice spec	18:34
ayoung	morgan_, the RBAC one?	18:34
morgan_	the role verify one	18:34
*** adrian_otto has quit IRC		18:34
ayoung	morgan_, think it will work?	18:36
morgan_	I think it can work	18:36
morgan_	it's a lot of change, but doable.	18:36
*** jpich has quit IRC		18:37
ayoung	morgan_, so jamielennox 's big concer was about caching of tokens	18:38
ayoung	this will essentially break that	18:38
ayoung	unless the request is identical, we'd have to revalidate, just to get the roles confirmed	18:38
*** ravelar has quit IRC		18:39
morgan_	yep. but doable.	18:39
*** ravelar has joined #openstack-keystone		18:39
morgan_	I think it can work. but it requires some hard engineering.	18:40
ayoung	morgan_, my thought was implement this, and then extract it into middleware if we need to optimize it	18:40
morgan_	++	18:40
morgan_	that is what I would do.	18:40
ayoung	morgan_, so...the URL patterns we are matching. I want them to be likes roles. I want to use the role inference rules to link from a role to a pattern.	18:40
ayoung	should I require each one to have a name?	18:41
*** asettle has joined #openstack-keystone		18:41
morgan_	I would.	18:41
ayoung	Or maybe just a UUID based ID	18:41
morgan_	names.	18:41
morgan_	operationally it'll be easier to digest	18:41
morgan_	code wise worse. don't make it harder to talk about / work with.	18:42
morgan_	uuid is always unfriendly outside of code	18:42
ayoung	right, but the "name" really should be "identity PUT /v3/users/{user_id}"	18:42
ayoung	ort post or whatever add user is called	18:43
ayoung	so the name should then be	18:43
ayoung	identity:user_add	18:43
*** spzala has quit IRC		18:43
ayoung	or maybe even a 3 part name: (service,resource,operation)	18:43
ayoung	I don;t want to backpedal on the namespacing we have now in policy, but I would like to make it more rigorous	18:44
ayoung	I'm also wondering if we need to do something to accound for wildcards in the version strings. I suspect we'll have things like	18:45
ayoung	PUT /v2.1/image	18:45
ayoung	which needs to really be	18:45
ayoung	PUT /v2.{subversion}/image	18:45
ayoung	lots of details	18:45
*** spzala has joined #openstack-keystone		18:46
morgan_	ayoung: true.	18:48
ayoung	morgan_, I want to keep the fkey constraint on the role inference rules, so one thing we could do is a one-to-one link between an URL p[attern and a role, but that seems messy. I kindof wnat the URL patterns to show up only when explicitly asked for, not when list-roles is done	18:48
morgan_	it needs a lot of work, but generally it would be an improvement over what we have today.	18:48
*** thiagolib has quit IRC		18:48
ayoung	but I do want the URL patterns to be usable in a trust-like way	18:48
morgan_	you might have e to pick one or the other there.	18:48
ayoung	I don't want one role per url pattern	18:49
ayoung	yeah, yeah	18:49
*** thiagolib has joined #openstack-keystone		18:50
ayoung	morgan_, also, I think if we make the default rule for most things be "Member" it allows people to then start adding Read_only roles	18:50
morgan_	right	18:50
ayoung	since it won't pass this check, it will not matter if a role like "auditor" passes the latter policy.json check	18:51
openstackgerrit	Merged openstack/python-keystoneclient: Increase readability of 'find()' method and small improvements https://review.openstack.org/389796	18:54
*** asettle has quit IRC		18:59
*** adrian_otto has joined #openstack-keystone		18:59
*** adrian_otto1 has joined #openstack-keystone		19:03
*** adrian_otto has quit IRC		19:05
*** jaugustine_ has joined #openstack-keystone		19:19
*** david-lyle has quit IRC		19:23
*** david-lyle has joined #openstack-keystone		19:25
*** adrian_otto1 has quit IRC		19:29
*** adrian_otto has joined #openstack-keystone		19:31
*** amoralej is now known as amoralej\|off		19:35
ayoung	morgan_, how about this. We extend the definition of a role to have a couple extra fields. One indicates whether it is directly assignable. only assignable roles show up when you do "list_roles" by default. The other field is a link to an url pattern.	19:38
ayoung	I really want "an url pattern IS-A role" because then trusts and oauth delegations will just work	19:40
*** jrichli has joined #openstack-keystone		19:41
jrichli	hello. I am configuring keystone for the first time - not using devstack. I only need a simple setup. I have gotten as far as running keystone-manage bootstrap.	19:45
jrichli	But verifying that is not working : http://paste.openstack.org/show/587831/	19:45
jrichli	I having done any setup with db except for running keystone-manage db_sync.	19:47
jrichli	I see old config instructions that use mysql and there is setup to do. but i am using the default sqlite - and I had the understanding that bootstrap would do what was needed.	19:48
dstanek	jrichli: i'm not entirely sure sqlite will actually work. it's really there for our testing processes	19:50
*** jaugustine_ has quit IRC		19:50
*** jerrygb has joined #openstack-keystone		19:51
jrichli	dstanek: oh, ok. interesting.	19:51
dstanek	jrichli: are you just trying to test keystone out?	19:52
jrichli	dstanek: sort of ... I have a VM that already has swift-all-in-one that I have been using for development. I would like to add a minimal keystone setup for some internal dev testing.	19:54
*** jerrygb_ has quit IRC		19:54
*** jaugustine_ has joined #openstack-keystone		19:55
*** adrian_otto has quit IRC		19:55
*** artmr has quit IRC		19:57
*** cheran75 has joined #openstack-keystone		19:58
*** mvk has joined #openstack-keystone		20:14
openstackgerrit	Jeffrey Augustine proposed openstack/keystone-specs: Add keystone project properties https://review.openstack.org/388886	20:16
openstackgerrit	Gage Hugo proposed openstack/keystone-specs: Add keystone project properties https://review.openstack.org/388886	20:19
*** khamtamtun has joined #openstack-keystone		20:21
*** jaugustine_ has quit IRC		20:22
morgan_	ayoung: i could see that working	20:22
*** andreww has joined #openstack-keystone		20:23
openstackgerrit	Gage Hugo proposed openstack/keystone-specs: Add keystone project properties https://review.openstack.org/388886	20:23
*** xarses has quit IRC		20:26
*** esp has quit IRC		20:28
*** dave-mccowan has quit IRC		20:30
*** andreww has quit IRC		20:30
*** andreww has joined #openstack-keystone		20:31
morgan_	dstanek, stevemar, breton: we should update the cacher(s) to use https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/util.py?at=master&fileviewer=file-view-default#util.py-67:118 as the key gen function	20:31
morgan_	we can then directly memoize functions with kwargs/functions with kwargs passed to it	20:32
morgan_	rather than needing a "translate" latyer	20:32
morgan_	layer*	20:32
*** gyee has joined #openstack-keystone		20:32
*** ChanServ sets mode: +v gyee		20:32
openstackgerrit	Raildo Mascena proposed openstack/keystone: Disable user lists without a filter https://review.openstack.org/314829	20:33
ayoung	OK, URL pattern is not a role. For now, we treat them separately. Let's do things simply, and see how they progress. We can always introduce new concepts later to optimize or improve UX	20:37
openstackgerrit	ayoung proposed openstack/keystone: Disable user lists without a filter https://review.openstack.org/314829	20:38
openstackgerrit	Raildo Mascena proposed openstack/keystone: Disable user lists without a filter https://review.openstack.org/314829	20:38
*** esp has joined #openstack-keystone		20:39
ayoung	raildo, heh	20:40
raildo	ayoung, lol, you was faster than me	20:41
ayoung	did we really tie on that?	20:41
raildo	ayoung, ++	20:41
*** ravelar has quit IRC		20:41
ayoung	raildo, let me look at your approach....	20:41
ayoung	raildo, OK, so logic like this belongs in the core, not in the controllers	20:41
ayoung	2 we don't want to throw an exception, as that will force Horizon et alles to change	20:42
ayoung	make sense?	20:42
ayoung	3 the test needs to ensure it works without the config option set.	20:42
raildo	ayoung, sure, for now I just tried to make a rebase, and fix some previous comments. I saw this patch away for a long time	20:42
ayoung	you want to take my version and work on it?	20:42
raildo	ayoung, I'll do that. :) thanks sir	20:43
ayoung	raildo, thank you	20:43
ayoung	raildo, lets come up with a better config option name, too	20:44
raildo	ayoung, I'm not good with config/variable names, but I'll do my best!	20:44
ayoung	raildo, write it in the positive, with the default True	20:44
raildo	ayoung, ok	20:45
ayoung	and keep it short...	20:45
openstackgerrit	Kristi Nikolla proposed openstack/keystoneauth: Adds last_request_id to adapter and session classes https://review.openstack.org/393485	20:46
*** raildo has quit IRC		20:54
*** khamtamtun has quit IRC		20:55
*** rcernin has quit IRC		20:57
dstanek	morgan_: good call. i'll throw up a patch	21:00
morgan_	:)	21:00
*** ayoung has quit IRC		21:06
*** david-lyle has quit IRC		21:09
*** spzala has quit IRC		21:09
*** spzala has joined #openstack-keystone		21:10
stevemar	jlk: re: https://review.openstack.org/#/c/253273/ - i dunno, reviews :P	21:12
*** jrichli has left #openstack-keystone		21:14
jlk	lol, okay.	21:14
*** spzala has quit IRC		21:15
jlk	I wasn't sure if it was blocked for some other reason.	21:15
*** edtubill has quit IRC		21:17
*** spzala has joined #openstack-keystone		21:21
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	21:21
openstackgerrit	Steve Martinelli proposed openstack/keystone: Allow running expand & migrate at the same time https://review.openstack.org/392320	21:23
*** adrian_otto has joined #openstack-keystone		21:23
*** spilla has quit IRC		21:25
*** khamtamtun has joined #openstack-keystone		21:27
*** adrian_otto has quit IRC		21:30
*** chris_hultin is now known as chris_hultin\|AWA		21:30
*** khamtamtun has quit IRC		21:34
*** khamtamtun has joined #openstack-keystone		21:34
stevemar	jlk: nah	21:39
stevemar	jlk: hehe, sorry if my reply was snarky ... or czrarky :P	21:39
*** jrichli has joined #openstack-keystone		21:41
*** esp has quit IRC		21:42
*** jaugustine_ has joined #openstack-keystone		21:44
*** jaugustine_ has quit IRC		21:44
*** khamtamtun has quit IRC		21:45
*** jaugustine has quit IRC		21:45
*** harlowja has quit IRC		21:56
jlk	czrnasty	21:57
*** jperry has quit IRC		22:00
*** david-lyle_ has joined #openstack-keystone		22:01
*** david-lyle_ has quit IRC		22:02
*** david-lyle has joined #openstack-keystone		22:03
*** lamt has quit IRC		22:10
*** ayoung has joined #openstack-keystone		22:26
*** ChanServ sets mode: +v ayoung		22:26
*** thiagolib has quit IRC		22:28
*** jerrygb_ has joined #openstack-keystone		22:29
*** jerrygb has quit IRC		22:32
*** kiran-r has joined #openstack-keystone		22:34
*** adriant has joined #openstack-keystone		22:36
*** ayoung has quit IRC		22:43
*** ayoung has joined #openstack-keystone		22:44
*** ChanServ sets mode: +v ayoung		22:44
*** adrian_otto has joined #openstack-keystone		22:54
openstackgerrit	Merged openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	22:54
*** andreww has quit IRC		23:03
*** ayoung has quit IRC		23:03
*** adrian_otto has quit IRC		23:04
*** spzala has quit IRC		23:04
openstackgerrit	Merged openstack/keystone: Allow running expand & migrate at the same time https://review.openstack.org/392320	23:09
*** g2 is now known as g2[ATL]		23:28
*** ayoung has joined #openstack-keystone		23:48
*** ChanServ sets mode: +v ayoung		23:48
*** gyee has quit IRC		23:49

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!