Tuesday, 2017-01-10

*** edmondsw has quit IRC		00:02
dstanek	dolphm: ++ not in a project about security	00:08
openstackgerrit	John Dennis proposed openstack/keystone: Fix keystone-manage mapping_engine tester https://review.openstack.org/418165	00:10
*** agrebennikov has quit IRC		00:15
*** oomichi has quit IRC		00:17
*** catintheroof has joined #openstack-keystone		00:18
*** oomichi has joined #openstack-keystone		00:19
*** catintheroof has quit IRC		00:23
*** catintheroof has joined #openstack-keystone		00:25
*** jaugustine_ has quit IRC		00:27
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	00:28
*** jaugustine has quit IRC		00:28
morgan	stevemar: ^ here we go, about to start on the code surrounding the rules themselves. APIs will be the last bit(s)	00:29
morgan	adriant: ^	00:29
*** richm has quit IRC		00:32
*** catinthe_ has joined #openstack-keystone		00:32
*** richm has joined #openstack-keystone		00:32
*** guoshan has joined #openstack-keystone		00:34
*** catintheroof has quit IRC		00:34
morgan	mordred: did you ever get around to the example with the ksa fixture? if not i can brew up some local tests easily, but a concrete example is going to take be a good bit longer	00:37
morgan	because i would like https://review.openstack.org/#/c/362473/ to land.	00:37
*** jmccrory has quit IRC		00:37
*** jmccrory_ has joined #openstack-keystone		00:37
*** rm_work has quit IRC		00:38
*** rm_work has joined #openstack-keystone		00:38
*** guoshan has quit IRC		00:38
mordred	morgan: nope. because I suck	00:38
*** jmccrory_ is now known as jmccrory		00:39
morgan	i also worry about landing it before we have a real concrete test of them.	00:39
adriant	morgan: fantastic, will take a look at it tomorrow	00:39
morgan	adriant: tomorrow i'll have more code for it	00:40
morgan	adriant: some of the actual work around authentication. i can't work too late tonight, have to swing by the airport to pick someone up.	00:41
adriant	morgan: I'm not in the mindset for Keystone code anyway, so looking at it tomorrow sounds better :)	00:42
morgan	good stuff	00:43
openstackgerrit	Eric Brown proposed openstack/keystone: Bump API version and date https://review.openstack.org/418167	00:53
*** thorst has joined #openstack-keystone		01:01
*** spzala has quit IRC		01:01
*** oomichi has quit IRC		01:07
*** liujiong has joined #openstack-keystone		01:08
*** oomichi has joined #openstack-keystone		01:08
*** thorst has quit IRC		01:17
*** thorst has joined #openstack-keystone		01:20
*** hoangcx has joined #openstack-keystone		01:21
*** hoangcx_ has joined #openstack-keystone		01:23
*** gyee has quit IRC		01:24
*** david-lyle has joined #openstack-keystone		01:31
*** thorst has quit IRC		01:32
*** david-lyle has quit IRC		01:37
openstackgerrit	Eric Brown proposed openstack/keystone: Invalid parameter name on interface https://review.openstack.org/399870	01:40
stewie925	hello guys	01:45
stewie925	I have installed keystone service in openstack controller node, but when I tried to create the keystone service I am getting the following error:	01:48
stewie925	Unable to establish connection to http://controller:35357/v2.0/OS-KSADM/services	01:48
*** markvoelker has quit IRC		01:48
*** guoshan has joined #openstack-keystone		01:49
*** esp has quit IRC		01:49
*** catinthe_ has quit IRC		01:52
*** richm has quit IRC		01:52
*** adrian_otto has quit IRC		01:56
stevemar	dstanek: dolphm i would agree with not adding untested code in a security project, duh. but as the code stands right now we write everything when in debug mode. the only issue here is do we write application/json and application/text responses to debug, or just application/json	02:00
stevemar	dstanek: dolphm i would like to release new versions of the library tomorrow, so how about i patch master to remove application/text? would that be better?	02:01
stevemar	dstanek: dolphm unless samueldmq convinces you otherwise :)	02:02
*** hoangcx has quit IRC		02:08
*** hoangcx_ has quit IRC		02:08
*** browne has quit IRC		02:25
morgan	stevemar: only application/json imo	02:31
morgan	cc dolphm dstanek ^	02:32
mordred	jamielennox (or morgan I guess :) ) - endpoint_type vs. interface ... which one is "correct" and which one is legacy?	02:59
*** chris_hultin is now known as chris_hultin\|AWA		03:00
jamielennox	mordred: use interface=	03:01
jamielennox	but some of the clients butcher it	03:01
jamielennox	if you have the choice call it interface	03:01
mordred	jamielennox: cool.	03:01
mordred	jamielennox: I currently have:	03:02
mordred	if service_key in ('image', 'key-manager', 'identity'):	03:02
mordred	interface_key = 'interface'	03:02
mordred	else:	03:02
mordred	interface_key = 'endpoint_type'	03:02
mordred	so I think it's time to make a pass through the clients to see which ones I can use interface with now	03:02
*** tqtran has quit IRC		03:02
mordred	and maybe swap the logic so that I'm listing ones we have to use endpoint_type for	03:02
*** stewie925 has quit IRC		03:02
jamielennox	mordred: want to do it as a big bug and associate the ones that do't?	03:03
jamielennox	don't	03:03
mordred	jamielennox: ooh. that's a great idea	03:03
morgan	mordred: what jamielennox said.	03:04
morgan	interface++	03:04
*** stewie925 has joined #openstack-keystone		03:05
*** woodster_ has quit IRC		03:05
mordred	# Backwards compat for people assing in endpoint_type	03:06
mordred	that's the best comment ever	03:06
stevemar	jvarlamova: apologizing in advanced, i referred to you as julya in a comment, my mistake :)	03:06
*** stewie925 has quit IRC		03:06
*** adrian_otto has joined #openstack-keystone		03:09
*** adrian_otto has quit IRC		03:16
morgan	mordred: lol	03:18
*** adrian_otto has joined #openstack-keystone		03:18
mordred	jamielennox: remote: https://review.openstack.org/418192 Swap the order of interface and endpoint_type	03:19
mordred	jamielennox: I'll get the bug written up - but I'm landing now	03:19
*** esp has joined #openstack-keystone		03:20
stevemar	jamielennox: did you have an opinion on the whole application/json vs application/text of https://review.openstack.org/#/q/I93b6fff73368c4f58bdebf8566c4948b50980cee,n,z	03:22
jamielennox	stevemar: hmm, that's not right is it, text is text/plain?	03:23
jamielennox	i never remember	03:23
jamielennox	i don't know who/what uses application/text	03:23
jamielennox	i think it was just something samueldmq and i were talking about and i never checked	03:23
stevemar	okay, i can fix it in master	03:24
jamielennox	stevemar: it'd be interesting to know what we should actually print	03:24
jamielennox	i'm also ok with dropping it right back to json and seeing who complains and adding things back as required	03:24
stevemar	lets start with application/json and peel the onion from there	03:24
stevemar	++	03:24
stevemar	jamielennox: do you have time to do it? i'm heads down in some TC business	03:25
jamielennox	stevemar: yea, ok, that shouldn't take long	03:25
stevemar	i also don't want to fix 4 patches sigh	03:25
stevemar	2 on master, 2 in stable/newton and 2 in stable/mitaka	03:25
stevemar	i guess we can just chain propose those	03:25
jamielennox	ergh, hits me with that after i agree	03:27
stevemar	jamielennox: fix it in ksa/ksc and i'll get the stables going	03:28
*** adrian_otto has quit IRC		03:29
*** adrian_otto has joined #openstack-keystone		03:30
*** udesale has joined #openstack-keystone		03:30
*** edmondsw has joined #openstack-keystone		03:34
*** edmondsw has quit IRC		03:38
*** esp has quit IRC		03:47
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Only log application/json in session to start https://review.openstack.org/418194	03:47
jamielennox	stevemar: ^	03:47
*** markvoelker has joined #openstack-keystone		03:48
*** nicolasbock has quit IRC		03:53
*** links has joined #openstack-keystone		03:54
*** dave-mccowan has quit IRC		03:55
*** tqtran has joined #openstack-keystone		04:01
stevemar	jamielennox: thanks, lgtm, pretty simple patch	04:02
stevemar	i just realized i proposed backports without making you create a release note :O	04:02
stevemar	i suppose we can omit it, just this one time...	04:02
*** tqtran has quit IRC		04:03
*** guoshan has quit IRC		04:05
jamielennox	wasn't there a release note from the original?	04:05
stevemar	jamielennox: yes, the original said applicaiton/text though :)	04:08
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Only log application/json in session to start https://review.openstack.org/418194	04:11
jamielennox	stevemar: update reno	04:11
stevemar	meh	04:19
*** links has quit IRC		04:21
*** links has joined #openstack-keystone		04:22
stevemar	jamielennox: i probably won't bother to update the backports with the updated reno :P	04:23
jamielennox	oh, i didn't realize you'd done the others already	04:24
*** cburgess has quit IRC		04:25
*** cburgess has joined #openstack-keystone		04:25
*** adrian_otto1 has joined #openstack-keystone		04:35
*** diazjf has joined #openstack-keystone		04:37
*** adrian_otto has quit IRC		04:37
openstackgerrit	Eric Brown proposed openstack/keystone: Invalid parameter name on interface https://review.openstack.org/399870	04:41
*** dikonoor has joined #openstack-keystone		04:43
*** dikonoor has quit IRC		04:48
*** adrian_otto1 has quit IRC		05:00
*** adrian_otto has joined #openstack-keystone		05:02
*** itisha has quit IRC		05:02
*** markvoelker_ has joined #openstack-keystone		05:12
*** adrian_otto has quit IRC		05:12
*** markvoelker has quit IRC		05:15
*** markvoelker has joined #openstack-keystone		05:17
*** adriant has quit IRC		05:20
*** markvoelker_ has quit IRC		05:20
*** guoshan has joined #openstack-keystone		05:21
*** diazjf has quit IRC		05:21
*** guoshan has quit IRC		05:27
*** AlexeyAbashkin has joined #openstack-keystone		05:27
openstackgerrit	Merged openstack/keystone: [api-ref] Clean up OS-EP-FILTER association docs https://review.openstack.org/417533	05:37
*** portdirect has joined #openstack-keystone		05:41
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Only log application/json in session to start https://review.openstack.org/418194	05:45
*** guoshan has joined #openstack-keystone		06:03
*** zzzeek has quit IRC		06:06
*** zzzeek has joined #openstack-keystone		06:10
openstackgerrit	Merged openstack/keystone: listing revoke events should be admin only https://review.openstack.org/416841	06:12
*** AlexeyAbashkin has quit IRC		06:24
*** pcaruana has quit IRC		06:26
openstackgerrit	Eric Brown proposed openstack/keystone: Invalid parameter name on interface https://review.openstack.org/399870	06:29
*** dikonoor has joined #openstack-keystone		06:44
*** udesale has quit IRC		07:01
*** AlexeyAbashkin has joined #openstack-keystone		07:09
*** tesseract has joined #openstack-keystone		07:13
*** rcernin has joined #openstack-keystone		07:17
openstackgerrit	Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472	07:33
*** aloga has quit IRC		07:42
*** aloga has joined #openstack-keystone		07:42
*** voelzmo has joined #openstack-keystone		07:43
*** hoonetorg has quit IRC		07:48
*** brad[] has quit IRC		07:50
*** voelzmo has quit IRC		07:50
*** brad[] has joined #openstack-keystone		07:50
*** voelzmo has joined #openstack-keystone		08:01
*** pcaruana has joined #openstack-keystone		08:09
*** namnh has joined #openstack-keystone		08:27
*** xek has joined #openstack-keystone		08:27
*** nishaYadav has joined #openstack-keystone		08:45
nishaYadav	o/	08:46
*** rcernin has quit IRC		08:54
*** tesseract has quit IRC		08:54
*** pcaruana has quit IRC		08:55
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:02
*** tqtran has joined #openstack-keystone		09:05
*** tqtran has quit IRC		09:06
*** tesseract has joined #openstack-keystone		09:07
*** rcernin has joined #openstack-keystone		09:08
*** pcaruana has joined #openstack-keystone		09:08
*** nishaYadav has quit IRC		09:15
*** mvk has quit IRC		09:34
*** rcernin has quit IRC		09:34
*** dobson has quit IRC		09:35
*** pcaruana has quit IRC		09:35
*** tesseract has quit IRC		09:35
*** dobson has joined #openstack-keystone		09:36
*** rderose has quit IRC		09:37
*** rdopiera has quit IRC		09:37
*** Alex_Oughton has quit IRC		09:37
*** masber has quit IRC		09:37
*** bapalm has quit IRC		09:37
*** david_cu has quit IRC		09:37
*** rybridges2 has quit IRC		09:37
*** stevemar has quit IRC		09:37
*** freerunner has quit IRC		09:37
*** rakhmerov has quit IRC		09:37
*** sigmavirus has quit IRC		09:37
*** andreykurilin has quit IRC		09:37
*** clayg has quit IRC		09:37
*** rakhmerov has joined #openstack-keystone		09:37
*** andreykurilin has joined #openstack-keystone		09:37
*** AlexOughton has joined #openstack-keystone		09:37
*** stevemar has joined #openstack-keystone		09:37
*** clayg has joined #openstack-keystone		09:37
*** rybridges2 has joined #openstack-keystone		09:37
*** rdopiera has joined #openstack-keystone		09:37
*** freerunner has joined #openstack-keystone		09:37
*** masber has joined #openstack-keystone		09:37
*** bapalm has joined #openstack-keystone		09:38
*** rderose has joined #openstack-keystone		09:38
*** asettle has joined #openstack-keystone		09:38
*** hogepodge has quit IRC		09:38
*** christophler has quit IRC		09:38
*** jefrite has quit IRC		09:38
*** christophler has joined #openstack-keystone		09:38
*** hogepodge has joined #openstack-keystone		09:39
*** openstack has joined #openstack-keystone		14:26
*** jascott1 has joined #openstack-keystone		14:27
*** jlopezgu has joined #openstack-keystone		14:30
*** markvoelker has quit IRC		14:34
*** jperry has joined #openstack-keystone		14:35
lbragstad	samueldmq i have a bunch of stuff locally that I didn't get a chance to push yesterday	14:39
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Add a full listing of all auth plugins and there options https://review.openstack.org/418347	14:40
lbragstad	samueldmq how does https://review.openstack.org/#/c/410949 not comply with the spec?	14:40
samueldmq	lbragstad: spec should be https://review.openstack.org/418410 to comply with what you implemented	14:41
samueldmq	lbragstad: the projects is immediatly inside local in the spec, while in the impl it's inside a match (which in turn is immediatly inside local)	14:42
lbragstad	hmm - i see	14:42
lbragstad	cc dstanek ^	14:42
*** lamt has joined #openstack-keystone		14:43
*** adrian_otto has joined #openstack-keystone		14:44
*** nishaYadav has joined #openstack-keystone		14:45
*** nishaYadav is now known as Guest33573		14:45
dstanek	samueldmq: lbragstad: lol, i just reviewed that	14:46
samueldmq	dstanek: yeah, responded :)	14:46
*** markvoelker has joined #openstack-keystone		14:48
lbragstad	samueldmq dstanek give me about 15 minutes to wrap something up quick and I should be free to work through some of those things	14:49
samueldmq	lbragstad: sure, take your time	14:49
dstanek	samueldmq: in the spec the 'project' and 'user' are at the same level. are you saying that we didn't implement it that way?	14:50
samueldmq	dstanek: yes	14:51
samueldmq	dstanek: in the spec they are not inside the same {}	14:51
samueldmq	dstanek: and in your impl it is. that's my patch to make the spec compliant (if that's correct to say), because I think it makes more sense as you've implemented	14:51
dstanek	samueldmq: that actually doesn't matter. i believe that in the code all local dicts are effectively combined	14:52
samueldmq	{local:[{matchrule1},{matchrule2},{apply_these_projs_and_roles}]}	14:53
samueldmq	is different than:	14:53
samueldmq	{local:[{matchrule1, apply_these_projs_and_roles1},{matchrule2, apply_these_projs_and_roles2}]}	14:53
samueldmq	dstanek: ^ you see the difference ?	14:53
*** BigWillie has joined #openstack-keystone		14:53
*** adrian_otto has quit IRC		14:53
*** links has quit IRC		14:54
dstanek	samueldmq: local doesn't have matchrules though right?	14:54
samueldmq	dstanek: by matchrule I mean "user": {": "{0}"}, for example	14:55
samueldmq	"user": { "name": "{0}" }	14:56
samueldmq	so you could say that user with name {0} gets project X with roles 1 and 2	14:56
samueldmq	and user with name {1} gets project Y with role 1	14:56
samueldmq	in the same mapping	14:57
*** adrian_otto has joined #openstack-keystone		14:57
dstanek	samueldmq: give me a few to show you what i mean. i have a meeting starting in 2 minutes	14:57
samueldmq	dstanek: sure	14:57
dstanek	samueldmq: the short, short is that i believe [{user: {}}, {project: []}] is no different than [{user: {}, projects: []}]	14:58
samueldmq	dstanek: kk they seem different to me, maybe I just do not understand completely how the engine works	14:59
*** stewie925 has joined #openstack-keystone		14:59
*** jaosorior has joined #openstack-keystone		15:00
stewie925	hello guys, have a question with Openstack installation of Keystone	15:02
stevemar	dikonoor: o/	15:02
*** jgrassler has quit IRC		15:03
stewie925	I am installing Openstack Kilo version and followed the instructions to a T for Keystone install (http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-install.html)	15:03
stewie925	but when I tried to create the keystone service I am getting the following error:	15:04
stewie925	ERROR: openstack No connection adapters were found for '=http://controller:35357/v2.0/OS-KSADM/services'	15:04
stevemar	dikonoor: hmm, based on what i'm reading here: http://docs.openstack.org/project-team-guide/i18n.html -- it sounds like i think we have everything in place	15:08
*** markvoelker has quit IRC		15:09
dikonoor	stevemar: But the locale directory is missing in keystonemiddleware..	15:09
stevemar	dikonoor: looking at https://translate.openstack.org/iteration/view/keystonemiddleware/master there are no translations for python files, just release notes	15:09
stevemar	hmm	15:09
dikonoor	stevermar: yes right	15:10
stevemar	dikonoor: maybe we're missing some of the infra pieces, i was going to double check that	15:10
dikonoor	stevermar: ok	15:10
stevemar	dikonoor: the things to do are written here: http://docs.openstack.org/infra/system-config/translate.html	15:11
* stevemar keeps getting new emails		15:12
*** markvoelker has joined #openstack-keystone		15:12
*** adrian_otto has quit IRC		15:12
*** lennyb has joined #openstack-keystone		15:12
dikonoor	stevermar: I will go through and check from my end	15:12
*** edtubill has joined #openstack-keystone		15:14
*** chris_hultin\|AWA is now known as chris_hultin		15:14
*** AlexeyAbashkin has quit IRC		15:15
*** AlexeyAbashkin has joined #openstack-keystone		15:16
*** raj_singh has joined #openstack-keystone		15:17
*** sheel has quit IRC		15:17
*** AlexeyAbashkin has quit IRC		15:19
*** markvoelker has quit IRC		15:21
knikolla	o/	15:23
*** ravelar has joined #openstack-keystone		15:24
*** diazjf has joined #openstack-keystone		15:30
dstanek	stewie925: you are using an invalid URL and requests is logging that error since it has no protocol handlers for '=http'	15:31
dstanek	knikolla: did you get your stuff worked out yesterday?	15:31
knikolla	dstanek: rderose says permissions come from the group, so i'll try that today.	15:33
dstanek	knikolla: what about my note on blacklists?	15:34
*** agrebennikov has joined #openstack-keystone		15:35
*** links has joined #openstack-keystone		15:35
knikolla	dstanek: i'll keep investigating today. got caught up in meetings yesterday after we discussed.	15:35
knikolla	if i find proof of a bug i'll open a report.	15:36
dstanek	samueldmq: done with my meeting...let me whip up a quick test	15:36
*** BigWillie has quit IRC		15:36
dstanek	knikolla: so the short answer is that you are using blacklists incorrectly	15:37
*** spzala has joined #openstack-keystone		15:38
*** diazjf has quit IRC		15:38
openstackgerrit	Merged openstack/keystoneauth: Only log application/json in session to start https://review.openstack.org/418194	15:39
*** belmoreira has quit IRC		15:40
knikolla	dstanek: what is the correct way?	15:40
knikolla	dstanek: rderose: btw, groups fixed the permissions.	15:41
dstanek	knikolla: ok, so i don't blacklist is what you think it is.	15:44
dstanek	it's really more of a filter	15:44
dstanek	knikolla: if you look at https://github.com/openstack/keystone/blob/master/keystone/tests/unit/contrib/federation/test_utils.py#L701 you'll see it's intended use	15:44
dstanek	i think you want something more like https://github.com/dstanek/ansible-role-keystone-sp/blob/master/templates/mapping.json.j2#L19 (although not_any_of is exactly what you'd want to use)	15:45
dstanek	knikolla: ^ from yesterday	15:45
*** mvk has quit IRC		15:45
knikolla	dstanek: any_one_of or not_any_one_of don't allow passing that attribute through {0} or {1}	15:45
*** adrian_otto has joined #openstack-keystone		15:45
knikolla	dstanek: documentation refers to using blacklist or whitelist in that case	15:45
rderose	knikolla: nice! glad, you got it working with groups :)	15:46
dstanek	knikolla: blacklist and whitelist are filters and their result is always a list which is not what you want for username	15:46
dstanek	your mapping can be done with not_any_of right?	15:47
knikolla	dstanek: oh, that explains the empty list as username yesterday. it matched admin and subtracted admin, resulting in [].	15:48
*** adrian_otto has quit IRC		15:49
dstanek	knikolla: exactly.	15:50
knikolla	dstanek: yes. i tried with not_any_of and it worked now.	15:50
dstanek	i'll look at the documentation today and see how i can fix it	15:51
knikolla	this bit of documentation confused me: empty, blacklist and whitelist are the only conditions that can be used in direct mapping ({0}, {1}, etc.)	15:51
samueldmq	dstanek: kk	15:51
samueldmq	dstanek: even if it behaves like that, I don't think it should, I understand those mappings differently, as they're written differently	15:52
knikolla	dstanek: that piece is actually right though. when i use not_any_of and come with that username, it rejects me with 401. but when i come with another user not part of the not_any_of list it gives me this error	15:53
knikolla	keystoneauth1.exceptions.http.InternalServerError: Local section in mapping keystone-idp-mapping refers to a remote match that doesn't exist (e.g. {0} in a local section)	15:53
stevemar	dolphm: around?	15:53
dstanek	knikolla: yes, another wart of our current mapping version. you need another remote dict to capture the direct mapping	15:54
stevemar	someone want to port https://review.openstack.org/#/c/418194/ to keystoneclient?	15:54
*** Guest33573 is now known as nishaYadav		15:54
dolphm	stevemar: o/	15:54
stevemar	dolphm: is https://review.openstack.org/#/c/418194/ good enough to you, sorry it already merged	15:55
knikolla	dstanek: so i need another rule?	15:56
dolphm	stevemar: yep! if you merge that into the backports, i'll +2	15:57
*** adrian_otto has joined #openstack-keystone		15:57
stevemar	dolphm: OK	15:57
dstanek	knikolla: yes another remote with just the 'type' specified	15:58
dolphm	stevemar: i.e. i think it should be merged with https://review.openstack.org/#/c/418091/	15:58
dolphm	stevemar: rather than proposed separately	15:58
*** markvoelker has joined #openstack-keystone		15:58
stevemar	dolphm: eh	15:59
knikolla	dstanek: thank you! that worked!	15:59
*** phalmos has joined #openstack-keystone		15:59
dstanek	knikolla: np	16:01
nishaYadav	stevemar, samueldmq hey!	16:04
samueldmq	nishaYadav: hello	16:04
nishaYadav	samueldmq, i am stuck at something for a while now, can you please look?	16:05
nishaYadav	samueldmq, I am trying to set up an LDAP back end with DevStack but getting this error when I run ./stack.sh http://paste.openstack.org/show/594431/	16:05
samueldmq	nishaYadav: look at what ? you apch ?	16:05
samueldmq	your patch*	16:05
nishaYadav	samueldmq, no, not a patch yet :(	16:06
samueldmq	ok, looking	16:06
nishaYadav	samueldmq, I read this link for help http://serverfault.com/questions/765744/openldap-no-such-object-32 but seeing this file https://github.com/openstack-dev/devstack/blob/master/files/ldap/manager.ldif.in I think configured backened databse is hdb, so, this doesn’t seem to be the issue.	16:06
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP add query for unique_id in list_users https://review.openstack.org/414720	16:06
*** AlexOughton has quit IRC		16:06
*** AlexOughton has joined #openstack-keystone		16:07
samueldmq	nishaYadav: I am not really familiar with LDAP in devstack	16:07
samueldmq	afaict it supported installing and configuring openldap	16:07
samueldmq	not sure if it needed an update or not	16:07
stevemar	dikonoor: looks like keystonemiddleware is all setup, i don't know what else there is to do :\	16:07
stevemar	dikonoor: want to jump on #openstack-infra and we can ask there?	16:08
nishaYadav	samueldmq, oh, okay, should I ask on #openldap channel?	16:08
samueldmq	nishaYadav: I don't know, are you trying to use devstack code to set it up ?	16:08
samueldmq	yes, you are	16:09
*** jaugustine has joined #openstack-keystone		16:09
samueldmq	nishaYadav: I don't think the issue is with openldap, but in the way devstack scripts are configuring the ldap itself	16:09
samueldmq	take a look at the devstack code and try to understand it, it may require an update	16:10
nishaYadav	samueldmq, Oh, actually I got in touch with rodrigods regarding LDAP testing, he told me that this issue needs to be fixed first	16:10
samueldmq	yes, so I think this is something related to devstack configuring LDAP, not an openldap bug	16:10
nishaYadav	samueldmq, alright, so I need to fix this in the ldap file? this one https://github.com/openstack-dev/devstack/blob/master/lib/ldap	16:12
openstackgerrit	David Stanek proposed openstack/keystone: Adds tests showing how mapping locals are handled https://review.openstack.org/418460	16:12
dstanek	samueldmq: lbragstad: ^	16:12
samueldmq	nishaYadav: you should start looking at the function failing in your paste	16:12
samueldmq	ldap_modify	16:12
samueldmq	nishaYadav: start debugging from there and try to understand why ti's failing	16:12
nishaYadav	samueldmq, hmm I will try again	16:13
*** yarkot has joined #openstack-keystone		16:13
nishaYadav	samueldmq, thanks :)	16:13
samueldmq	np	16:13
samueldmq	dstanek: kk that current behavior is okay	16:16
samueldmq	dstanek: for me, where you scope projects/roles would determine to what users/groups it applies	16:16
dstanek	samueldmq: i don't know why we did that. maybe we were just trying to be too smart?	16:17
samueldmq	dstanek: until now, it really doesn't matter because the mapping will result on users/groups	16:17
samueldmq	when we add scoping, we need to be precise on where/for whom apply it	16:17
samueldmq	dstanek: maybe, we should just have a right way to do it :(	16:17
samueldmq	one	16:17
dstanek	samueldmq: the locals dictionary should have a projects key at the same level as the user key. the projects key is a list that may also contain roles	16:18
samueldmq	dstanek: yes, but who get those roles assigned on those projects ?	16:18
*** rcernin has quit IRC		16:18
samueldmq	for me, the answer would be, depends on where the projects/roles is defined in the dict	16:18
dstanek	samueldmq: the user. there is only one user in a local section	16:19
rodrigods	samueldmq, ++ regarding the issue of devstack configuring openldap, not the issue being in openldap itself	16:19
samueldmq	dstanek: so one mapping always map to a single user or group ?	16:19
stewie925	dstanek: hello	16:21
stewie925	dstanek: thank you so much for your input, I made the change and I am still getting an error trying to create the keystone service	16:22
stewie925	I have created http://paste.openstack.org/show/594440/ showing the keystone configuration and the OS_* settings, as well as the '--debug' results of my openstack service create run	16:22
*** dikonoor has quit IRC		16:23
samueldmq	dstanek: if that's true (one mapping always map to a single user or group), I agree with you it doesn't matter where we put the projects/roles.	16:24
*** jaugustine has quit IRC		16:39
dstanek	samueldmq: each rule maps to a single user and each mapping has multiple rules	16:41
lbragstad	stevemar we didn't amend any keystone release notes to fix this and not track them in the bug - did we? https://bugs.launchpad.net/keystone/+bug/1640504	16:43
openstack	Launchpad bug 1640504 in openstack-manuals "release notes and config guide missing new settings for Newton" [Undecided,Fix released] - Assigned to guoshan (guoshan)	16:43
stevemar	lbragstad: we can't really amend release notes	16:47
nishaYadav	rodrigods, hey, you around?	16:47
rodrigods	hey nicolasbock	16:47
rodrigods	oops nishaYadav	16:47
*** thiagolib has joined #openstack-keystone		16:47
nishaYadav	:)	16:48
nicolasbock	Hi rodrigods	16:49
rodrigods	nicolasbock, sorry, autocomplete issue :) was trying to ping nishaYadav	16:50
nicolasbock	rodrigods, well, nishaYadav is almost like nicolasbock ;)	16:50
nishaYadav	rodrigods, I tried setting up LDAP back end with DevStack and got the expected error. I tried to find fix the issue but need some help.	16:50
rodrigods	nicolasbock, ni<tab> :)	16:51
nicolasbock	rodrigods, :)	16:51
rodrigods	nishaYadav, ok... what is your doubt	16:51
*** links has quit IRC		16:52
nishaYadav	rodrigods, I ran the command $sudo ldapsearch -H ldapi:// -Y EXTERNAL -b 'cn=config' -s one dn and only found mdb databases in the result. So, I guess the problem is that I can't modify the hdb database because there isn't one present.	16:54
nishaYadav	rodrigods, I asked on #openldap channel for help then and got this advice, basically, your choices are to drop your current config and re-initialize with that suse-base-config; or to adapt the manager.ldif to work with your existing setup	16:55
nishaYadav	rodrigods, what do you think the issue is?	16:55
*** tqtran has joined #openstack-keystone		16:55
rodrigods	nishaYadav, ok... you went much further than i was aware in the issue :)	16:56
rodrigods	nishaYadav, do you know what that line in ldap/lib tries to accomplish?	16:56
rodrigods	nishaYadav, but sounds like that adapting manager.ldif is the correct approach	16:57
nishaYadav	rodrigods, oh, i dont really understand the ldap modify command :(	16:57
nishaYadav	rodrigods, I read some docs but EXTERNAL wasn't used in most	16:58
rodrigods	nishaYadav, the first step is to understand it and try to figure out what it is failing	16:58
rodrigods	so you can replace with something that works	16:58
nishaYadav	rodrigods, should I be reading more about ldap or how keystone uses openldap or the purpose of all commands in ldap file inside lib?	17:00
nishaYadav	rodrigods, considering I haven't worked on ldap before	17:01
dstanek	stewie925: is 'controller' resolvable?	17:01
rodrigods	nishaYadav, you should understand what ldapmodify does and what each argument being passed to it means	17:01
rodrigods	nishaYadav, also... understanding basic ldap is useful, but anything really high level should be enough	17:01
stewie925	dstanek: hi could you rephrase the question? sorry	17:02
rodrigods	nishaYadav, keystone uses ldap like everyone else, as a user storage solution	17:02
nishaYadav	rodrigods, hmm	17:02
nishaYadav	rodrigods, I will search and read more then	17:03
rodrigods	nishaYadav, understanding the meaning of the line "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $tmp_ldap_dir/manager.ldif" is critical to fix it	17:03
rodrigods	nishaYadav, i can try to learn and explain to you, but don't have much time right now	17:03
nishaYadav	rodrigods, hmm and we need to use this file manager.ldif and not any other file right?	17:03
stewie925	dstanek: I created a multinode openstack and I was able to test that the controller can communicate with network and compute nodes and vice-versa	17:04
nishaYadav	rodrigods, that's alright, I will try myself again. Thanks for helping :)	17:04
*** voelzmo has quit IRC		17:08
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP add query for unique_id in list_users https://review.openstack.org/414720	17:09
*** gyee has joined #openstack-keystone		17:13
*** diazjf has joined #openstack-keystone		17:13
*** david-lyle has joined #openstack-keystone		17:13
dstanek	stewie925: can the machine you are running the client on resolve the 'controller' domain name? 'ping controller' from it	17:13
stewie925	dstanek - yes I can ping controller	17:14
stewie925	64 bytes from controller (10.10.10.11): icmp_seq=1 ttl=64 time=0.024 ms	17:14
*** jose-phillips has joined #openstack-keystone		17:15
*** nishaYadav has quit IRC		17:16
*** diazjf has quit IRC		17:17
*** asettle has quit IRC		17:18
stewie925	also I am wondering... if I made a change to the /etc/keystone/keystone.conf, how do I make sure that keystone is picking up the new values?	17:18
stewie925	I tried to run "sudo service keystone restart" and its giving me "stop: Unknown instance: keystone start/running, process 10959"	17:19
stewie925	although I assume that the 'openstack service create' does not look at the keystone.conf yet	17:20
*** browne has joined #openstack-keystone		17:24
*** pcaruana has quit IRC		17:25
stewie925	dstanek: or maybe I need to refresh the OS_TOKEN value hourly?	17:27
*** tqtran has quit IRC		17:30
*** tqtran has joined #openstack-keystone		17:30
samueldmq	dstanek: so yes that's my poitn, the project/role should belong to a rule rather than to the mapping	17:31
*** tesseract has quit IRC		17:31
*** rreimberg has joined #openstack-keystone		17:32
dstanek	stewie925: you are probably running keystone under apache so you'd have to restart that	17:39
stewie925	yes I had already restarted apache2	17:40
dstanek	samueldmq: it does belong to a rule	17:40
samueldmq	dstanek: in your patch yes, in the spec no	17:41
samueldmq	dstanek: in the spec it is defined at a higher level, so we don't know what user the project/roles apply to	17:41
dstanek	samueldmq: it's defined in the locals list right?	17:41
*** chris_hultin is now known as chris_hultin\|AWA		17:42
dstanek	stewie925: can you connect to that port from the client box	17:42
dstanek	stewie925: the problem in your log is 'ConnectionRefused: Unable to establish connection to http://controller:35357/v2.0/OS-KSADM/services'	17:42
samueldmq	dstanek: yes, but in your patch, it's inside the locals->user, so we know it's for that user	17:42
samueldmq	if we have multiple local{user} and local{projects} we don't know what local{user} that apply, or to all ?	17:43
dstanek	samueldmq: https://review.openstack.org/#/c/410949/9/keystone/tests/unit/mapping_fixtures.py	17:44
dstanek	samueldmq: the outcome of a local block is a single user. there cannot be more than one	17:44
samueldmq	dstanek: ah okay, so a single porject or group	17:45
samueldmq	gotcha	17:45
samueldmq	so it doesn't matter where projects is.... we shoul ddocument/test that	17:46
dstanek	samueldmq: a local block can render to a user plus some optional thing. list of group name, list of group ids and not a list of projects	17:46
dstanek	samueldmq: those local tests i submitted earlier show how it works	17:46
*** esp has joined #openstack-keystone		17:47
samueldmq	dstanek: ++	17:48
stewie925	dstanek: I ran "netstat -anp \| grep 35357" and it returned "tcp6 0 0 :::35357 :::* LISTEN 10398/apache2 "	17:54
dstanek	stewie925: that means it's listening, but doesn't mean that your client can connect. try 'curl http://controller:35357' from the client box	17:55
*** spilla has joined #openstack-keystone		17:55
stewie925	dstanek: # curl http://controller:35357 <HTML> <HEAD><TITLE>Redirection</TITLE></HEAD> <BODY><H1>Redirect</H1></BODY> </HTML>	17:56
*** chrisplo has joined #openstack-keystone		17:58
stevemar	ping for meeting agrebennikov, amakarov, annakoppad, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc,	18:00
stevemar	stevemar, topol	18:00
gagehugo	o/	18:00
*** jaugustine has joined #openstack-keystone		18:01
openstackgerrit	Merged openstack/keystoneauth: Add a full listing of all auth plugins and there options https://review.openstack.org/418347	18:01
*** Guest34220 is now known as medberry		18:04
*** medberry has quit IRC		18:04
*** medberry has joined #openstack-keystone		18:04
*** medberry is now known as med_		18:04
*** AlexeyAbashkin has joined #openstack-keystone		18:09
*** mvk has joined #openstack-keystone		18:10
openstackgerrit	Merged openstack/keystone: Invalid parameter name on interface https://review.openstack.org/399870	18:10
openstackgerrit	Merged openstack/keystone: Bump API version and date https://review.openstack.org/418167	18:11
*** stewie925 has quit IRC		18:19
*** ravelar has quit IRC		18:19
*** ravelar has joined #openstack-keystone		18:20
*** asettle has joined #openstack-keystone		18:20
openstackgerrit	Tin Lam proposed openstack/keystone: Filtering invalid resources should return 400 Bad Request https://review.openstack.org/417315	18:20
*** stewie925 has joined #openstack-keystone		18:26
stewie925	dstanek: sorry I got disconnected	18:26
dstanek	stewie925: if you confirm that your client machine can make the connection?	18:26
stewie925	dstanek: so I set up my controller node with ip addr 10.10.10.11 in the /etc/hosts	18:27
stewie925	and on the same controller node, I thought I'd run 'curl 10.10.10.11' but I got access denied, Your credentials could not be authenticated: "Credentials are missing. You will not be permitted access until your credentials can be verified."	18:29
dstanek	stewie925: that's because you need to authenticate	18:29
stewie925	I do have OS_TOKEN set up	18:29
dstanek	stewie925: if you are making a curl request you'll have to provide the token in a header. the environment variable is something our client uses	18:31
stewie925	oh ... thank you - let me run again	18:31
*** chris_hultin\|AWA is now known as chris_hultin		18:34
*** erhudy has joined #openstack-keystone		18:41
rderose	stevemar: you have time to discuss that PCI patch?	18:52
morgan	dolphm: you smoking meats much or was that lbragstad that was doing that?	18:54
morgan	i know one of you SAT folks were	18:54
stevemar	rderose: i do not unfortunately, i'm leaving in 10 minutes for a doctor's appointment	18:54
rderose	stevemar: okay, np	18:54
lbragstad	morgan i had a couple feeble attempts - i'd refer to dolphm though	18:54
stevemar	rderose: i'll be around in the evening or tomorrow. i'm never away for too long	18:55
rderose	stevemar: sounds good	18:55
dolphm	morgan: i'm trying to make it a sunday ritual	18:55
ravelar	morgan: dolphm bbq is great!	18:55
morgan	lbragstad, dolphm: because I sent some of these https://www.winecountrycraftsman.com/shop/products/296/bbq-staves-wine-soaked-oak-for-bbq-smokers.php over to mordred, waiting to see how they work. but passing along the option :)	18:55
dolphm	morgan: https://twitter.com/dolphm/status/814929722673131520	18:55
morgan	it sounds like a damn tasty thing.	18:55
morgan	dolphm: ooooooh yesssssssss	18:55
morgan	yum	18:56
lbragstad	morgan nice!	18:56
dolphm	morgan: i have about 10 pounds of chopped up wine barrel at home :D	18:56
dolphm	morgan: for exactly that reason	18:56
morgan	dolphm: niiice	18:56
dolphm	morgan: i haven't decided what to do with it just yet	18:56
morgan	dolphm: yeah, it sounds just amazing to add to a smoker/bbq	18:56
lbragstad	morgan stevelle does a bunch of bbq stuff, too	18:57
dolphm	morgan: my experiment for this weekend is to smoke bone-in ribeyes .. that might be the perfect pairing	18:57
morgan	oh yes	18:57
lbragstad	dolphm i've heard that's good	18:57
morgan	esp. if the staves are from red wine barrels	18:57
morgan	chard might not be strong enough	18:57
morgan	dolphm: let me know how the bone-in ribeye smoking goes	18:57
* morgan would get a smoker but... no place for it at the new seattle residence		18:58
dolphm	morgan: will do	18:58
*** voelzmo has joined #openstack-keystone		18:58
morgan	i might need to visit san antonio and sample the smoked foods.	18:58
morgan	;)	18:58
dolphm	morgan: you can smoke indoors	18:58
morgan	ugh. no, no i can't :P	18:58
dolphm	morgan: totally can	18:58
lbragstad	tea leaves help	18:59
morgan	I can't :P	18:59
dolphm	morgan: do you have an oven?	18:59
morgan	as in, not going to try because i don't want the house to smell like smoked meats. (also limited space)	18:59
morgan	oven is small	18:59
morgan	it's nice but the inside is a bit wimpy space wise.	19:00
dolphm	morgan: smelling like smoked meats is better than the alternative	19:00
morgan	and also not super consistent in heat =/	19:00
morgan	when cooking it's a lot of manually checking temp and adjusting. it's a bit finacky	19:00
morgan	but in short. i'll just wait till i buy my place/move in 18mo and build/get a real smoker	19:01
morgan	and by then i can get lots of "what not to do" from you and mordred ^_^	19:01
lbragstad	https://goo.gl/a0NqEs	19:01
morgan	lbragstad: yep. still needs lots of adjusting to get right. sadly.	19:02
morgan	oven is a bit weird.	19:02
mordred	++	19:02
morgan	tends to be too hot. actually.	19:02
*** d0ugal has quit IRC		19:04
stewie925	dstanek: would it be possible to redo the keystone install without having to trash the controller box?	19:10
*** itisha has joined #openstack-keystone		19:11
dstanek	stewie925: do you know the problem now?	19:11
stewie925	dstanek: am pretty stumped here :(	19:12
stewie925	I am able to connect to the keystone db and all	19:12
stewie925	its just that I can't run this 'openstack service create keystone'	19:12
dolphm	stevemar: morgan: lbragstad: stable branch dashboard, inbox-zero style (things you've reviewed disappear) http://cdn.pasteraw.com/bchm66gu7rd0jf9pj2o22hmwqylrmw0	19:12
dolphm	stevemar: morgan: lbragstad: source- https://github.com/dolph/dotfiles/blob/master/gerrit-dashboards/stable.dash	19:13
stewie925	using the configuration i listed in http://paste.openstack.org/show/594440/	19:13
stewie925	dstanek - let me rerun those curl commands and I'll share the results with you via a pastebin link	19:14
stewie925	dstanek: let me rerun those curl commands and I'll share the results with you via a pastebin link	19:14
*** ravelar has quit IRC		19:14
lbragstad	dolphm very nice - thanks!	19:14
*** chrisplo_ has joined #openstack-keystone		19:15
lamt	stewie925 : "ConnectionRefused: Unable to establish connection to http://controller:35357/v2.0/OS-KSADM/services" <- you will probably need to change that controller to the actual node	19:15
stewie925	lamt: thank you - how do I do that	19:16
*** esp has left #openstack-keystone		19:16
*** chrisplo has quit IRC		19:17
*** voelzmo has quit IRC		19:19
gagehugo	stewie925: hosts file but I think you have that already	19:19
*** d0ugal has joined #openstack-keystone		19:20
dstanek	stewie925: the way i read you error is that the machine running that command can't connect to the URL you want to use	19:25
dstanek	that's why i was asking about dns resolution and such	19:25
stewie925	dstanek: yeah thats right :(	19:25
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	19:30
*** voelzmo has joined #openstack-keystone		19:34
*** pcaruana has joined #openstack-keystone		19:37
*** ravelar has joined #openstack-keystone		19:39
*** jaugustine has quit IRC		19:41
*** jaugustine has joined #openstack-keystone		19:45
*** AlexeyAbashkin has quit IRC		19:46
*** odyssey4me has quit IRC		19:46
*** odyssey4me has joined #openstack-keystone		19:46
*** asettle has quit IRC		19:46
*** asettle has joined #openstack-keystone		19:47
*** asettle has quit IRC		19:51
*** voelzmo has quit IRC		19:57
*** voelzmo_ has joined #openstack-keystone		19:57
*** stewie925 has quit IRC		19:58
*** spzala has quit IRC		20:00
*** voelzmo_ has quit IRC		20:01
*** AlexeyAbashkin has joined #openstack-keystone		20:05
*** browne has quit IRC		20:17
*** adrian_otto has quit IRC		20:20
*** voelzmo has joined #openstack-keystone		20:21
*** spzala has joined #openstack-keystone		20:23
*** asettle has joined #openstack-keystone		20:24
*** voelzmo has quit IRC		20:25
*** AlexeyAbashkin has quit IRC		20:27
*** chris_hultin is now known as chris_hultin\|AWA		20:27
*** chris_hultin\|AWA is now known as chris_hultin		20:32
*** stewie925 has joined #openstack-keystone		20:39
*** raildo has quit IRC		20:48
morgan	dolphm: thnx!	20:48
dstanek	stewie925: get any closer to a solutin	20:48
*** AlexeyAbashkin has joined #openstack-keystone		20:50
stewie925	dstanek: hi , am still looking... but i have my suspicions :\|	20:51
*** browne has joined #openstack-keystone		20:54
*** adriant has joined #openstack-keystone		20:54
dstanek	stewie925: in my mind you have a server running keystone and a different server/vm/laptop running client commands and those commands are failing right?	20:57
*** dave-mccowan has quit IRC		21:03
stewie925	dstanek: hi , actually I am running both from the same box	21:05
*** htruta has quit IRC		21:08
*** htruta` has joined #openstack-keystone		21:08
*** eglute has quit IRC		21:08
*** eglute has joined #openstack-keystone		21:08
dstanek	stewie925: now that's pretty weird that the box has trouble talking to itself	21:12
stewie925	yeah it has a split personality	21:12
morgan	stewie925, dstanek: i've seen that type of stuff when the ebtables are wacky and containers and networking can muck with ebtables in strange ways	21:21
*** voelzmo has joined #openstack-keystone		21:29
*** voelzmo has quit IRC		21:29
*** AlexeyAbashkin has quit IRC		21:31
*** jose-phillips has quit IRC		21:32
*** jose-phillips has joined #openstack-keystone		21:34
*** thiagolib has quit IRC		21:38
*** AlexeyAbashkin has joined #openstack-keystone		21:41
*** AlexeyAbashkin has quit IRC		21:47
*** pcaruana has quit IRC		21:48
*** rdo has quit IRC		21:48
*** chrome0 has joined #openstack-keystone		21:57
*** chrome0 has quit IRC		22:02
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	22:03
*** spilla has quit IRC		22:08
*** adrian_otto has joined #openstack-keystone		22:09
*** rdo has joined #openstack-keystone		22:11
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	22:11
*** edtubill has quit IRC		22:23
*** edmondsw has quit IRC		22:27
*** edmondsw has joined #openstack-keystone		22:27
*** voelzmo has joined #openstack-keystone		22:30
*** voelzmo has quit IRC		22:35
*** edmondsw has quit IRC		22:37
*** thorst has quit IRC		22:45
*** edtubill has joined #openstack-keystone		22:46
*** adrian_otto has quit IRC		22:46
*** pepperingranivor has quit IRC		22:47
*** asettle has quit IRC		22:51
*** dave-mccowan has joined #openstack-keystone		23:05
*** jaugustine has quit IRC		23:08
*** jperry has quit IRC		23:09
*** asettle has joined #openstack-keystone		23:12
*** asettle has quit IRC		23:12
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement shadow mapping https://review.openstack.org/415895	23:22
lbragstad	dstanek ^	23:22
*** jraim has quit IRC		23:22
*** briancurtin has quit IRC		23:22
stewie925	dstanek: morgan: I compiled some info on my keystone config and the curl commands that I ran: http://paste.openstack.org/show/594476/	23:23
lbragstad	dstanek gotta run to a family supper for a bit - i'll check back in later though	23:23
*** morgan has quit IRC		23:23
*** jraim has joined #openstack-keystone		23:26
*** jaosorior has quit IRC		23:27
*** thorst has joined #openstack-keystone		23:31
*** thorst has quit IRC		23:35
*** morgan_ has joined #openstack-keystone		23:38
*** chris_hultin is now known as chris_hultin\|AWA		23:41
*** stephen-la has joined #openstack-keystone		23:46
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object https://review.openstack.org/418624	23:46
stephen-la	does anyone know if its still possible to use devstack scripts for going back to liberty release?	23:46
*** chris_hultin\|AWA is now known as chris_hultin		23:46
stephen-la	Cloning into '/opt/stack/keystone'...	23:47
stephen-la	+ git checkout stable/liberty	23:47
stephen-la	seems to fail everytime now on keystone	23:47
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object https://review.openstack.org/418624	23:48
*** lamt has quit IRC		23:49
*** chris_hultin is now known as chris_hultin\|AWA		23:51
adriant	morgan_, stevemar: although the new MFA spec mostly supersedes it as a overall MFA replacement, I'm curious if the password+totp plugin is still useful to allow simple MFA without needing ALL the various libraries and pieces changed/updated/upgraded to play nice with the proper MFA changes we're doing.	23:52
morgan_	adriant: i don't see why we would support both modes in-tree	23:53
morgan_	adriant: the library additons will be minimal.	23:53
morgan_	(or non-existant)	23:53
morgan_	and changed bits/peices are mostly in the auth line(s).	23:53
adriant	but to actually use it we need to change horizon, osclient, etc	23:54
adriant	with the password+totp one, it doesn't interfere with the proper MFA rules, but allows 'it just works' basic MFA by attaching the passcode to the password.	23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!