Wednesday, 2017-01-11

*** ravelar has quit IRC		00:00
morgan_	no we dont' need to change those	00:01
morgan_	any more than with your plugin	00:01
morgan_	you can still make an out-of-tree plugin to work with the new system	00:01
morgan_	i am simply against making a "duplicate" password plugin that could cause massive failures if improperly setup for all users	00:02
morgan_	you still need to ensure the new auth plugin is used in ksa, (osc leans on ksa) and horizon may end up with the same workflow in either case. that is a UX discussion	00:02
morgan_	so i take it back, might be less wotrk on the horizon side, but the rest of the bits is still going to require a chunk oif the same work	00:03
adriant	KSA pretty much covers most of it, but to be able to do MFA with a rule ['password', 'totp'] would still require changes to actually make it usable for a standard user.	00:04
adriant	Although I guess in KSA and openstackclient we can stick a prompt in	00:04
*** chris_hultin\|AWA is now known as chris_hultin		00:05
adriant	horizon is the place that's more annoying as django openstack auth would need to somehow interact with it and pass along the right data for the given auth methods. :/	00:05
morgan_	well KSA can't (and wont) prompt	00:05
morgan_	ever	00:05
morgan_	that is an OSC/other-client thing	00:06
adriant	Then what am I thinking of... I thought I remembered seeing a prompt in the KSA code.	00:06
morgan_	nope, i squashed that review	00:07
morgan_	with a -2	00:07
morgan_	if it's there someone went around my -2	00:07
*** dave-mccowan has quit IRC		00:07
*** jamielennox is now known as jamielennox\|away		00:07
morgan_	and i'm going to make a stink (I am pretty sure it's not in there)	00:07
adriant	https://github.com/openstack/keystoneauth/search?utf8=%E2%9C%93&q=prompt	00:07
adriant	but that's probably not what I'm thinking of	00:07
morgan_	that is saying the plugin is expecting input and may require the consuming client to prompt	00:08
adriant	ah	00:08
adriant	so yes, that's what I'm thinking for the totp then.	00:08
morgan_	:)	00:08
adriant	something to tell OSC to prompt for the totp passcode	00:08
adriant	and OSC to know to expect it	00:08
adriant	and prompt (although it may do that automatically based on what KSA tells it?)	00:09
*** harlowja has quit IRC		00:09
adriant	Horizon is the hardest one.	00:09
adriant	although even in OSC I don't think there is a way to auth with multiple auth methods.	00:10
adriant	it assumes only one	00:10
*** gagehugo has quit IRC		00:11
*** jamielennox\|away is now known as jamielennox		00:11
*** evrardjp has quit IRC		00:11
*** ctracey has quit IRC		00:11
*** andrewbogott has quit IRC		00:11
*** markvoelker has quit IRC		00:12
*** NikitaKonovalov has quit IRC		00:12
morgan_	i think OSC simply takes it's cues from	00:12
morgan_	ksa	00:12
morgan_	so we just need updates to KSA.	00:12
*** med_ has quit IRC		00:12
*** afazekas has quit IRC		00:12
adriant	OSC has a param "auth type"	00:12
*** markvoelker has joined #openstack-keystone		00:12
adriant	which i don't think can be a list, although might need to be changed to a comma separated value.	00:13
morgan_	olso.cfg is easy to work with on those lines	00:13
*** NikitaKonovalov has joined #openstack-keystone		00:14
adriant	I'll need to check. the OSC + osc_lib code (+ cliff, + KSA) is hard to dig through sometimes.	00:14
adriant	But I have a feeling that the auth type param tells OSC what it will use in KSA.	00:14
*** Dave_____ has joined #openstack-keystone		00:14
*** g2 has quit IRC		00:15
*** andrewbogott has joined #openstack-keystone		00:15
adriant	So if it isn't already, will need to be able to be multiple auth methods, and then get thr right prompts from KSA>	00:15
jamielennox	there is a parameter of ksa Opts that it can specify this option can/should be prompted if unavailable	00:16
jamielennox	if that parameter is present then OSC should ask for it	00:16
jamielennox	i don't remember how far we actually got with that because OSC's auth validation logic is kinda messy	00:16
*** med_ has joined #openstack-keystone		00:16
jamielennox	and by kinda messy, i mean eeek	00:17
adriant	jamielennox: yep, but I was more meaning OSC needs to tell KSA "I need to auth with 'password' AND 'totp'"	00:17
*** med_ is now known as Guest47520		00:17
adriant	and I don't think it can. I think it's only auth method at a time right now	00:17
*** ctracey has joined #openstack-keystone		00:17
*** evrardjp has joined #openstack-keystone		00:17
*** afazekas has joined #openstack-keystone		00:17
*** BrAsS_mOnKeY has joined #openstack-keystone		00:18
*** gagehugo has joined #openstack-keystone		00:18
jamielennox	i'm not sure i follow that, it's not really OSC's job to tell KSA anything it just loads the appropriate plugin	00:18
*** Guest47520 is now known as medberry		00:19
*** medberry has quit IRC		00:19
*** medberry has joined #openstack-keystone		00:19
jamielennox	and all keystone and ksa will tell you is success or failure on auth	00:19
adriant	How does KSA know which plugin to load?	00:19
*** Dave has quit IRC		00:19
adriant	OSC has a "auth type" param, which can be token, password, etc	00:19
adriant	so I assume that's how KSA knows which plugin is being used.	00:20
adriant	http://paste.openstack.org/show/594488/	00:21
adriant	so if I want to auth with both password AND totp, I'd need that param to allow multiple values.	00:21
adriant	jamielennox: does that make sense?	00:22
adriant	I could be way off the mark. I tried reading through all this code and it's a complicated mess that is hard to follow.	00:23
*** tqtran has quit IRC		00:23
jamielennox	adriant: yep, i get it, this is something i've considered before but don't have a solution to	00:23
jamielennox	basically there's two things ways you could do it	00:23
jamielennox	1) create a new plugin --os-auth-type passwordotp	00:24
jamielennox	there is something liek this already - i don't know what it does	00:24
jamielennox	or i thought there was... where did it go	00:25
*** BrAsS_mOnKeY has quit IRC		00:25
adriant	we've mostly sidelined that plugin in favor of rules	00:25
*** BrAsS_mO- has joined #openstack-keystone		00:25
adriant	the spec is sitting in superseded	00:25
jamielennox	2) i've wondered how you could do a generic multi-plugin plugin	00:25
*** thorst has joined #openstack-keystone		00:25
*** harlowja has joined #openstack-keystone		00:25
jamielennox	--os-auth-type=multi	00:25
jamielennox	and then do like --os-auth-type-1 password --os-auth-type-2 otp	00:26
jamielennox	but then you have variable collisions and all sorts of problems	00:26
jamielennox	and you have to distinguish between scope variables and auth variables (AuthN vs AuthZ	00:26
adriant	why not "--auth-type password,totp" or "--auth-type password --auth-type totp"	00:26
jamielennox	)	00:26
adriant	can't we make it a list internally?	00:26
adriant	the users would never know or need to so no backwards compat issues	00:27
jamielennox	it's a matter of how you combine them	00:27
adriant	order doesn't matter	00:27
adriant	at least it shouldn't really	00:27
jamielennox	right, but there's not really a way to do two plugins on one request, you need to find a way to do combine them	00:27
jamielennox	v3 has this ability	00:27
adriant	oh I see, KSA doesn't use multiple plugins	00:28
adriant	just one at a time, and one of the KSA plugins can talk to multiple auth methods	00:28
jamielennox	if you're doing it programatically it's kind of easy	00:28
adriant	that's right, i played with a multiple method plugin in KSA ages ago...	00:28
jamielennox	but it's how you load multiple methods into one plugin	00:28
adriant	hmmm	00:29
*** BrAsS_mO- is now known as g2		00:29
adriant	Yeah and changing KSA now to allow auth with multiple KSA plugins would be hard	00:30
jamielennox	programatically you need to do v3.Auth('https://keystone', [v3.PasswordMethod(...), v3.TotpMethod(...)], project_id='id')	00:30
jamielennox	and I'd be on board with doing a v3multi plugin	00:30
adriant	well for MFA we need it	00:30
adriant	but we'd need a good way to pass the auth type(method) data from OSC to KSA	00:31
jamielennox	but we'd need to refactor a whole bunch of stuff in ksa loading to seperate the AuthN information from like v3password (user,password) from authz (project, scope)	00:31
adriant	but that last part is mostly a UX think I guess	00:31
adriant	morgan_: see above ^	00:31
adriant	morgan_: that's what I was worried about	00:31
jamielennox	not sure if you can call it authn/authz in a request...	00:31
*** woodster_ has quit IRC		00:35
adriant	jamielennox: should we put together a spec for this then?	00:35
*** chris_hultin is now known as chris_hultin\|AWA		00:36
jamielennox	adriant: you can, but if you have a working multi plugin for ksa we'd probably just take it	00:36
jamielennox	adding another plugin is generally easy, and in a really common case like this with password+totp the easiest thing to do would be to just create a new launcher	00:37
adriant	I don't, but the problem is we'd want a good long term solution that works with arbitrary plugins.	00:37
adriant	I do have a password+totp plugin somewhere, but it was a quick thing when testing something	00:38
adriant	but with the way we want multi method rules to work in Keystone I'd assume we'd want a way in KSA to programatically do "auth me with these auth methods"	00:39
adriant	jamielennox: see this spec: https://github.com/openstack/keystone-specs/blob/master/specs/keystone/ocata/per-user-auth-plugin-requirements.rst	00:41
adriant	if we don't do it programatically in KSA then we need a new plugin for each possible combination...	00:41
jamielennox	i argued against those MFA specs :p	00:41
*** thorst has quit IRC		00:42
adriant	jamielennox: I know! :P	00:42
adriant	but we do need some sort of MFA, and this actually is a good solution	00:42
jamielennox	yep	00:42
*** thorst has joined #openstack-keystone		00:42
jamielennox	so we would basically need a new stevedore entry point that would let you pick up auth method instead of auth plugin	00:43
adriant	yes	00:44
*** adrian_otto has joined #openstack-keystone		00:44
jamielennox	like password etc in there	00:44
adriant	because we don't care about 'plugins' but methods	00:44
jamielennox	and let them specify options etc	00:44
adriant	exactly	00:44
jamielennox	i'm ok with that	00:44
jamielennox	the interesting bit is going to be whether it is ok to mash the options of mutliple plugins togethre	00:44
adriant	so the plugins are more like the KSA copy of the Keystone methods they'd link up with	00:44
jamielennox	right - and that's available already in KSA, just not the loading bit	00:45
*** thorst has quit IRC		00:46
jamielennox	for example, PasswordMethod and TotpMethod both require user_id, username options	00:47
* jamielennox bangs head on desk		00:47
adriant	Yeah... I have a feeling this change may be a lot of work to make things nice :(	00:48
adriant	sorry	00:48
jamielennox	in this case it's probably sufficient to have overlapping parameters sent to both parameters	00:48
jamielennox	in this case it's probably sufficient to have overlapping parameters sent to both plugins	00:48
adriant	i guess, but... we need them all to group under the same request	00:48
adriant	and the request does require user_id for each method :/	00:49
adriant	see the request json in this section: https://github.com/openstack/keystone-specs/blob/master/specs/keystone/ocata/per-user-auth-plugin-requirements.rst#proposed-change	00:49
jamielennox	so one of the good things we did in ksa vs ksc is split the plugin loading away from the plugin creation	00:50
jamielennox	so if you can do it from python it's just a matter of figuring out how you genericise it to a loader	00:50
adriant	that's the output multiple plugins/methods would need to merge into one request, then fire that off to keystone.	00:50
morgan_	jamielennox: we're not adding the multi plugin into keystone though	00:51
jamielennox	morgan_: ksa	00:51
morgan_	jamielennox: we have a spec for theper-user mfa rules	00:51
morgan_	right	00:51
adriant	If I remember right, the KSA plugins currently each setup their own request json	00:51
jamielennox	adriant: we can construct that request pretty easily	00:51
morgan_	however it works outside keystone i was saying was about the same.	00:51
jamielennox	adriant: from python that's easy	00:51
adriant	yep	00:51
morgan_	regardless of the work in keystone	00:51
jamielennox	the multiple methods still become part of the same plugin	00:52
adriant	jamielennox: so we'd do "--auth-type multi" and "--auth-method password --auth-method totp" ?	00:53
adriant	or make --auth-type and method mutually exclusive and if --auth-method is used ONLY use the multi plugin	00:54
adriant	and the v3 multi plugin is special with steveadore loaded methods?	00:55
jamielennox	you would need to specify both type and method	00:56
jamielennox	type to load the multi loader, and then the multi loader could look at the methods	00:56
adriant	yeah, that would work.	00:57
adriant	it's still not the greatest UX, but without know what auth rules a user has before login, or a challenge response system it's the best we can do without tooo much pain...	00:58
*** oomichi has quit IRC		00:58
adriant	s/know/knowing/	00:58
jamielennox	yea, it's not great UX however most people don't see this stuff	00:58
*** diazjf has joined #openstack-keystone		00:58
adriant	yeah, getting the UX right in django openstack auth is where it will be very important	00:59
jamielennox	again for password + totp which is going to be a really common combo i would suggest just doing a standalone plugin	00:59
*** agrebennikov has quit IRC		00:59
jamielennox	for weird combos like this it alls gets generated by the provided and dropped in a clouds.yaml file	00:59
jamielennox	that's been my justification with all the OS_ auth params up till now, there are very few people who remember them all anyway	01:00
adriant	jamielennox: fair enough. Just would hope to avoid too many custom plugins for odd combinations as it limits the flexibility you can have with rules.	01:00
*** oomichi has joined #openstack-keystone		01:00
jamielennox	adriant: yep, not saying we don't need the generic multi - just that for really common things we shouldn't have to jump through that many hoops	01:00
adriant	agreed	01:01
adriant	and yeah, you can easily set your OS_AUTH_TYPE in your clouds.yaml or your openstack.rc file	01:02
adriant	so you don't ever really need to deal with it once the params are set	01:02
*** diazjf has quit IRC		01:03
adriant	morgan_: that make sense to you?	01:03
morgan_	reading up.	01:03
adriant	brb, getting tea	01:04
morgan_	sure. makes sense re ksa/osc/horizon	01:04
*** stewie925 has quit IRC		01:05
jamielennox	also for horizon i'd skip all this and do it in python	01:09
*** adrian_otto has quit IRC		01:09
jamielennox	the multi stuff is relevant for OSC and anything CLI	01:09
*** agrebennikov has joined #openstack-keystone		01:11
*** thorst has joined #openstack-keystone		01:11
*** dave-mccowan has joined #openstack-keystone		01:11
morgan_	sure.	01:12
*** liujiong has joined #openstack-keystone		01:13
adriant	dammit, out of tea leaves.	01:15
adriant	jamielennox: what exactly do you mean in Horizon by doing it in python?	01:15
*** thorst has quit IRC		01:16
adriant	I don't think the user should need to specify a set of auth methods when logging in	01:16
jamielennox	so the loaders are just a way of exposing to CLI and CONF files how to create a valid auth_plugin	01:16
jamielennox	but what you end up from the loader is just an auth plugin	01:17
adriant	in horizon we'd need some dynamic way to get the passcode from the user in a more standard challenge response style.	01:17
adriant	at least for TOTP	01:17
adriant	I don't think weird MFA rules and Horizon really make sense	01:18
jamielennox	horizon currently doesn't expose every option of the "password" plugin to the user on login page, it has it's own version of a loader	01:18
adriant	yeah, openstack django auth or some such	01:18
jamielennox	something that loads a generic.Password plugin from a web page	01:18
adriant	It's not too complicated	01:18
adriant	I've extended in the past to allow an optional MFA field though	01:18
jamielennox	right, so you can pick the things in horizon that you want to expose, and TOTP would be one of them	01:19
adriant	but it's not the nicest way of doing it	01:19
jamielennox	and then you just create an auth plugin directly, i mentioned it earlier but if you do	01:19
jamielennox	v3.Auth('https://keystone', [v3.PasswordMethod(...), v3.TotpMethod(...)], project_id='id')	01:19
adriant	yep	01:20
jamielennox	you get the auth plugin you want	01:20
jamielennox	so you have horizon do its own challenge that if it sees TOTP is required then add a field and construct a plugin with the TotpMethod	01:20
adriant	jamielennox: me and morgan_ talked about an option to mimic challenge response as well. One was to just do a standard password auth, and based on the errors to rebuild with a totp field. or... do a new token type that is 'partially authed' or some such and needs the other MFA rules before turning into a full token.	01:22
adriant	in the token case, you'd password auth, get a mostly useless token that still requires TOTP. With with token and TOTP, and bam, full token.	01:22
adriant	but not sure how to do that one well, and dynamic/challenge response based on errors also kind of doesn't sound good.	01:23
jamielennox	hmm	01:23
jamielennox	it's information leakage but i think i would have keystone tell you that auth failed because you missed a method	01:24
morgan_	you can't do token totp really	01:24
morgan_	it'll break most of openstack	01:24
jamielennox	so still a 401, but just a message (which you only see if password is correct)	01:24
adriant	jamielennox: yeah, that's what we were thinking. "auth failed because missing methods"	01:24
morgan_	jamielennox: yeah the plan is to be explicit and say not enough auth forms supplied	01:24
morgan_	jamielennox: i am ok with this information leakage	01:24
morgan_	it is no different than say google auth	01:25
adriant	it's yep, it's reasonably safe data	01:25
morgan_	"you authed... oh time to give me your totp thing now"	01:25
jamielennox	horizon can look at the 401, see that not everything failed and reuse the user password from the first login screen to do another attempt	01:25
adriant	"this user has MFA enabled"	01:25
jamielennox	+ MFA this time	01:25
adriant	jamielennox: yep, exactly that	01:25
morgan_	jamielennox: yep.	01:25
morgan_	jamielennox: that was one option	01:25
adriant	reuse password feels a little ugly though	01:25
jamielennox	so i don't think it's real leakage because you'd only see it if password auth suceeded	01:25
adriant	as it then needs to store it for the second attempt	01:25
jamielennox	adriant: agreed, but otherwise the user would need to re-enter password for the second attempt	01:26
adriant	yes, and reentering password would be bad UX	01:26
adriant	cookie maybe?	01:26
adriant	store password in cookie if failed attempt with missing auth and reuse for totp?	01:26
adriant	shrug	01:27
adriant	that's why I theoretically prefer the unfinished token approach as it's closer to true challenge response, and password doesn't need to be sent twice.	01:28
adriant	but would mean more work	01:28
morgan_	unfinished token is a lot weirder code wise and not great	01:28
morgan_	we're adding another token type	01:28
adriant	and no info leakage	01:28
morgan_	doesn't really make sense	01:29
adriant	yeah	01:29
jamielennox	yea, it's a lot to support on the keystone side for this case	01:29
jamielennox	because you do have a token, you just can't use it	01:29
jamielennox	i guess it's kind of like unscoped, but i think it'd expose a lot of bugs	01:29
adriant	but with that you can then possibly do the same in the CLI and when using the "multi" plugin it would respond and ask for the missing pieces if you only supplied password	01:30
adriant	but again, not simple	01:30
adriant	no need to actually specify methods	01:31
adriant	well...	01:31
morgan_	cli asking for more items is terrible	01:31
adriant	yeah	01:31
morgan_	prompting that is	01:31
morgan_	just send the request again with the full set of info	01:31
morgan_	for horizon/web it's better to prompt like google auth workflow is: auth, totp	01:31
morgan_	vs auth, fail, auth+totp (cli)	01:32
adriant	yeah	01:32
adriant	alright, I think for CLI/KSA we're mostly on the same page, and then Horizon we'll need to work out with their team.	01:34
*** briancurtin has joined #openstack-keystone		01:35
adriant	morgan_: so what's next in Keystone? You did the patch for the db table, next is the controller/routers for that	01:36
adriant	then adding the code to the auth layer to actually use the rules?	01:36
morgan_	next is the code that will use that table when logging in	01:37
morgan_	then the controller/routes to setup the rules	01:37
adriant	If you want I can probably start putting together the controllers/routers while you do the auth.	01:39
*** namnh has joined #openstack-keystone		01:39
*** jperry has joined #openstack-keystone		01:39
adriant	based on the db model those should be reasonably simple unless we want some sort of special validation for incoming rules (are these valid methods?).	01:41
*** ravelar has joined #openstack-keystone		01:43
*** markvoelker has quit IRC		01:43
*** markvoelker has joined #openstack-keystone		01:44
*** markvoelker has quit IRC		01:49
*** gyee has quit IRC		02:00
*** thorst has joined #openstack-keystone		02:02
*** thorst has quit IRC		02:02
*** browne has quit IRC		02:08
*** jose-phillips has quit IRC		02:12
*** asettle has joined #openstack-keystone		02:16
*** asettle has quit IRC		02:23
*** voelzmo has joined #openstack-keystone		02:32
*** chlong has quit IRC		02:32
*** voelzmo has quit IRC		02:37
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement shadow mapping https://review.openstack.org/415895	02:44
*** spzala has quit IRC		02:52
*** rreimberg has quit IRC		02:54
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Only log application/json in session to start https://review.openstack.org/418653	03:05
stevemar	lbragstad: morgan_ do you guys have an opinion on https://review.openstack.org/#/c/418090/ and the follow-on?	03:06
stevemar	want it done in one patch or two?	03:06
stevemar	jamielennox: i proposed your patch to ksa ^ please review	03:07
jamielennox	stevemar: i think it's fine to merge them	03:09
stevemar	jamielennox: you stink :P	03:10
stevemar	thats more work for me!	03:10
jamielennox	yea, but it'll clear dolph's -1	03:10
jamielennox	and i can't +A it anyway	03:10
stevemar	jamielennox: just asking for opinions, i think dolphm is being pedantic here :P (yeah you better read this in the morning!)	03:12
*** dave-mccowan has quit IRC		03:17
*** thorst has joined #openstack-keystone		03:20
stevemar	dolphm: jamielennox: there, done, you guys made me do extra work :P	03:20
*** tqtran has joined #openstack-keystone		03:21
*** tqtran has quit IRC		03:23
*** nicolasbock has quit IRC		03:31
*** jperry has quit IRC		03:32
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Only log application/json content type https://review.openstack.org/418653	03:33
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Only log application/json in session to start https://review.openstack.org/418653	03:35
*** markvoelker has joined #openstack-keystone		03:36
*** agrebennikov has quit IRC		03:40
*** spzala has joined #openstack-keystone		03:47
*** links has joined #openstack-keystone		03:47
*** ayoung has quit IRC		03:53
*** spzala has quit IRC		04:19
*** jose-phillips has joined #openstack-keystone		04:27
*** jose-phillips has quit IRC		04:30
*** voelzmo has joined #openstack-keystone		04:33
*** sheel has joined #openstack-keystone		04:34
*** tqtran has joined #openstack-keystone		04:40
*** tqtran has quit IRC		04:42
*** voelzmo has quit IRC		04:46
*** adriant has quit IRC		04:47
*** dikonoor has joined #openstack-keystone		05:07
*** thorst has joined #openstack-keystone		05:09
stevemar	dolphm: organized it all up: https://review.openstack.org/#/q/topic:bug/1616105	05:10
stevemar	morgan_: if you're interested, too ^	05:10
*** thorst has quit IRC		05:14
*** dikonoor has quit IRC		05:40
*** adrian_otto has joined #openstack-keystone		05:42
*** diazjf has joined #openstack-keystone		05:44
*** adrian_otto has quit IRC		05:46
*** adrian_otto has joined #openstack-keystone		05:47
*** diazjf has quit IRC		05:47
*** adrian_otto has quit IRC		05:58
*** itisha has quit IRC		06:12
*** dims has quit IRC		06:13
*** pcaruana has joined #openstack-keystone		06:25
morgan_	thnx will look	06:31
*** sheel has quit IRC		06:37
*** richm has quit IRC		06:43
*** tesseract has joined #openstack-keystone		07:08
*** gsilvis has quit IRC		07:18
*** gsilvis has joined #openstack-keystone		07:18
*** AlexeyAbashkin has joined #openstack-keystone		07:42
*** hogepodge has quit IRC		07:56
*** chrome0 has joined #openstack-keystone		08:01
*** chrome0 has quit IRC		08:02
*** chrome0 has joined #openstack-keystone		08:05
openstackgerrit	Julia Varlamova proposed openstack/keystone: Do not merge: TEST PATCH https://review.openstack.org/414917	08:11
*** edtubill has quit IRC		08:13
openstackgerrit	Julia Varlamova proposed openstack/keystone: Do not merge: TEST PATCH https://review.openstack.org/414917	08:14
*** voelzmo has joined #openstack-keystone		08:25
*** voelzmo has quit IRC		08:28
*** haplo37_ has quit IRC		08:54
*** Dave_____ is now known as Dave		08:55
*** haplo37_ has joined #openstack-keystone		08:57
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** chrome0_ has joined #openstack-keystone		09:05
*** chrome0_ has quit IRC		09:05
*** asettle has joined #openstack-keystone		09:09
*** namnh has quit IRC		09:20
*** mvk has quit IRC		09:32
*** tqtran has joined #openstack-keystone		09:44
*** tqtran has quit IRC		09:45
*** mvk has joined #openstack-keystone		10:10
*** liujiong has quit IRC		10:11
*** Alexey_Abashkin has joined #openstack-keystone		10:18
*** AlexeyAbashkin has quit IRC		10:19
*** Alexey_Abashkin has quit IRC		10:31
*** thiagolib has joined #openstack-keystone		10:39
*** AlexeyAbashkin has joined #openstack-keystone		11:02
*** Alexey_Abashkin has joined #openstack-keystone		11:06
*** AlexeyAbashkin has quit IRC		11:07
*** Alexey_Abashkin_ has joined #openstack-keystone		11:09
*** Alexey_Abashkin has quit IRC		11:11
samueldmq	morning keystone	11:13
*** richm has joined #openstack-keystone		11:13
*** nicolasbock has joined #openstack-keystone		11:35
*** dims has joined #openstack-keystone		11:39
*** haplo37_ has quit IRC		11:40
*** haplo37_ has joined #openstack-keystone		11:43
*** AlexeyAbashkin has joined #openstack-keystone		11:58
*** Alexey_Abashkin_ has quit IRC		11:59
*** mvk has quit IRC		12:03
*** ayoung has joined #openstack-keystone		12:14
*** ChanServ sets mode: +v ayoung		12:14
*** mvk has joined #openstack-keystone		12:15
*** AlexeyAbashkin has quit IRC		12:20
*** raildo has joined #openstack-keystone		12:35
*** thorst has joined #openstack-keystone		12:41
*** jperry has joined #openstack-keystone		12:42
*** edmondsw has joined #openstack-keystone		12:43
*** chlong has joined #openstack-keystone		13:08
*** jperry has quit IRC		13:17
*** mvk has quit IRC		13:21
*** mvk has joined #openstack-keystone		13:33
*** AlexeyAbashkin has joined #openstack-keystone		13:35
dstanek	good morning samueldmq	13:36
*** aloga has quit IRC		13:39
openstackgerrit	Merged openstack/python-keystoneclient: Only log application/json in session to start https://review.openstack.org/418653	13:43
lbragstad	o/	13:51
*** masterjcool has quit IRC		13:52
*** aloga has joined #openstack-keystone		13:54
*** david-lyle has quit IRC		13:56
*** AlexeyAbashkin has quit IRC		13:57
*** crinkle_ has quit IRC		13:59
*** crinkle_ has joined #openstack-keystone		13:59
*** david-lyle has joined #openstack-keystone		13:59
*** AlexeyAbashkin has joined #openstack-keystone		13:59
*** lamt has joined #openstack-keystone		14:01
*** links has quit IRC		14:02
*** ayoung has quit IRC		14:03
*** masterjcool has joined #openstack-keystone		14:05
*** itisha has joined #openstack-keystone		14:11
*** jperry has joined #openstack-keystone		14:14
*** jamielennox is now known as jamielennox\|away		14:14
*** david-lyle has quit IRC		14:16
*** jvarlamova____ has joined #openstack-keystone		14:24
*** jvarlamova has quit IRC		14:27
*** dave-mccowan has joined #openstack-keystone		14:31
*** jgrassler has joined #openstack-keystone		14:32
*** chlong has quit IRC		14:37
stevemar	samueldmq: morning	14:39
*** lamt has quit IRC		14:40
*** cloudm2 has joined #openstack-keystone		14:51
*** stewie925 has joined #openstack-keystone		14:53
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	14:57
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	14:57
*** spzala has joined #openstack-keystone		15:06
*** spzala has quit IRC		15:06
*** spzala has joined #openstack-keystone		15:06
*** jaosorior has joined #openstack-keystone		15:13
*** edtubill has joined #openstack-keystone		15:14
knikolla	o/ morning	15:16
*** david-lyle has joined #openstack-keystone		15:17
*** david-lyle has quit IRC		15:21
*** lucas__ has joined #openstack-keystone		15:22
*** adu has joined #openstack-keystone		15:24
*** nklenke has joined #openstack-keystone		15:25
*** markvoelker has quit IRC		15:28
*** jaugustine has joined #openstack-keystone		15:29
*** markvoelker has joined #openstack-keystone		15:29
*** chris_hultin\|AWA is now known as chris_hultin		15:29
*** chris_hultin is now known as chris_hultin\|AWA		15:30
* breton yawns		15:31
breton	what to review?	15:32
*** ayoung has joined #openstack-keystone		15:32
*** ChanServ sets mode: +v ayoung		15:32
*** nklenke_ has joined #openstack-keystone		15:33
*** markvoelker has quit IRC		15:35
*** spilla has joined #openstack-keystone		15:35
*** ayoung has quit IRC		15:38
*** lucas__ has quit IRC		15:42
*** spzala has quit IRC		15:44
*** spzala has joined #openstack-keystone		15:44
*** spzala has quit IRC		15:45
*** spzala has joined #openstack-keystone		15:45
stewie925	dstanek: hello	15:46
*** mvk has quit IRC		15:48
*** ravelar has joined #openstack-keystone		15:49
*** chris_hultin\|AWA is now known as chris_hultin		15:49
*** ayoung has joined #openstack-keystone		15:50
*** ChanServ sets mode: +v ayoung		15:50
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement shadow mapping https://review.openstack.org/415895	15:57
*** markvoelker has joined #openstack-keystone		15:57
lbragstad	dstanek ^ done	15:57
lbragstad	ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar	16:00
*** adrian_otto has joined #openstack-keystone		16:00
lbragstad	policy meeting in #openstack-meeting-cp	16:00
rderose	o/	16:00
*** lucas__ has joined #openstack-keystone		16:02
dolphm	\o	16:02
*** lamt has joined #openstack-keystone		16:03
*** phalmos has joined #openstack-keystone		16:08
*** phalmos has quit IRC		16:10
*** chlong has joined #openstack-keystone		16:11
dstanek	lbragstad: gracias	16:22
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	16:25
*** AlexeyAbashkin has quit IRC		16:32
*** lucas__ has quit IRC		16:33
*** lucas__ has joined #openstack-keystone		16:44
*** lucas__ has quit IRC		16:45
stewie925	dstanek: hi, I think I may have found the 'keystone service create' issue - but would like to request your input	16:49
dstanek	stewie925: go ahead and ask away. if i'm not ina position to help someone else here might be	16:51
stewie925	dstanek: will do, thank you!	16:54
*** dikonoor has joined #openstack-keystone		16:57
ayoung	samueldmq, sure	17:00
samueldmq	ayoung: so I think I've mentioned with you already an idea for policy validation	17:00
samueldmq	basically, one would define RBAC in a DSL, and that would be checked against openstack	17:01
edmondsw	dstanek why don't you think we can pick a single value that works for both use cases? I thought ayoung's example did exactly that	17:01
ayoung	samueldmq, read through my proposal...I think it covers yours.	17:01
samueldmq	ayoung: something like http://paste.openstack.org/show/594594/	17:02
samueldmq	ayoung: I think it should be based on yours actually. I'd be writting a tool	17:02
dstanek	edmondsw: i think we have to decide how we want the policy to work and do it. if we like the cloud semantics then we should use them.	17:02
ayoung	samueldmq, yeah...I like that.	17:02
samueldmq	ayoung: that needs to know what role is needed for a given operation (which is yours)	17:02
ayoung	samueldmq, it would explicitly be for the RBAC stuff, and assume the scope check is performed deeper in the code?	17:02
*** cloudm2 has quit IRC		17:03
samueldmq	ayoung: the definitions in the DSL can be even written by someones in another level in the organization, who may not even know how to code	17:03
ayoung	Heh	17:03
samueldmq	ayoung: the operator will implement that, and check with that tool	17:03
samueldmq	the conformity	17:03
edmondsw	dstanek I would expect what we codify to more closely resemble v3cloudsample than the other json file, if that's what you're getting at	17:03
ayoung	So, yeah, should be able to support that with the REST Call from Keystone to support the RBAC Middleware	17:03
edmondsw	dstanek but it should work just as well for both cases	17:03
samueldmq	ayoung: exactly, I only care for the role stuff, pute rbac	17:03
samueldmq	ayoung: pure	17:04
ayoung	edmondsw, yeah probably necesassary. The one thing I don't like is it might lock us in to making things be "admin" for domain operations if it is in the policy file, but tI can't see an easy way to transition around that	17:04
dstanek	edmondsw: that is exactly it	17:04
samueldmq	ayoung: that'd be: "let me see if I've registered RBAC roles in keystone as defined by my boss"	17:05
samueldmq	hehe	17:05
samueldmq	ayoung: that will be in an academic context, so I think that conformity checker will make sense	17:06
samueldmq	to make sure rules are defined as expected	17:06
samueldmq	ayoung: I should write usecases for that, it'll be easier to present to idea to others and get feedback	17:06
ayoung	samueldmq, sounds good	17:07
samueldmq	ayoung: how do you see your effort and policy in the code effort in the future?	17:07
samueldmq	ayoung: would you like to see all role checks in middleware and policy in the code for the rest ( scope, etc ) ?	17:07
ayoung	samueldmq, you nailed it.	17:08
ayoung	role checks in middleware and scope check (and service specific policy) in the code	17:09
samueldmq	ayoung: yeah, I am trying to think how we could migrate from things on the code (separate repos) to centralized in keystone	17:10
samueldmq	ayoung: it'd be awesome if we get to that point	17:10
*** briancurtin has quit IRC		17:11
ayoung	samueldmq, migration is factored in	17:12
*** pcaruana has quit IRC		17:12
*** jose-phillips has joined #openstack-keystone		17:13
*** akrzos is now known as akrzos-mtg		17:14
stewie925	hello all - I have an issue with creating keystone service using Openstack kilo instructions - I provided the information in http://paste.openstack.org/show/594596/. Input appreciated.	17:14
ayoung	the default role would be "Member" . Admin implies Member.	17:15
*** tqtran has joined #openstack-keystone		17:16
samueldmq	stewie925: iirc kilo is no longer maintained	17:17
samueldmq	stevemar: there is no branch stable/kilo anymore, that's why the file can't be found, then the HTML returned is stored, rather than the .py file	17:18
samueldmq	stewie925: ^	17:18
stewie925	samueldmq: oh...	17:18
stewie925	samueldmq: thats what I am afraid of - the kilo instructions had been pulled offline recently	17:19
samueldmq	stewie925: ty it with"curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/mitaka \ \| tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin"	17:19
samueldmq	that may work, not sure how much that script has changed between those versions	17:19
stewie925	samueldmq: I'll give this a shot, thanks so much	17:19
samueldmq	stewie925: you're welcome	17:19
*** tesseract has quit IRC		17:20
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object https://review.openstack.org/418624	17:21
dstanek	stewie925: your /var/www/cgi-bin/keystone/admin is html instead of the python code	17:22
stewie925	dstanek: yeah, thats what I figured :(	17:23
dstanek	oh i see samueldmq already fouund that	17:23
stewie925	dstanek: so I will try re-executing using samueldmq	17:23
stewie925	using samueldmq's link instead (pointing to stable/mitaka) see if it will pull a wsgi script	17:23
dstanek	stewie925: if you go to the file in github you just have to grab the 'raw' link	17:24
stewie925	dstanek: thank you	17:25
*** asettle has quit IRC		17:26
lbragstad	stevemar dstanek samueldmq ayoung gagehugo edmondsw rderose http://lists.openstack.org/pipermail/openstack-dev/2017-January/109967.html	17:29
stevemar	lbragstad: ++	17:29
* dstanek hopes for some useful dialog		17:30
lbragstad	dstanek me too	17:34
lbragstad	stevemar i sent a note to henry's ibm address	17:34
lbragstad	stevemar but I'll rely on the stevemar-over-sametime protocol as a backup communication effort ;)	17:35
stevemar	hehe	17:39
dstanek	stewie925: what made you choose kilo?	17:39
stevemar	lbragstad: not online :P	17:39
stevemar	lbragstad: henrynash isn't online, that is	17:39
lbragstad	stevemar bah!	17:39
stevemar	lbragstad: it is 5:30 for him now, probably out at a pub	17:39
* lbragstad resorts to carrier pigeon		17:39
lbragstad	stevemar i don't blame him ;)	17:40
stewie925	dstanek: hi, I am testing internal project that requires a kilo install	17:40
dstanek	stewie925: gotcha	17:40
stewie925	but yeah kilo is ancient	17:40
stevemar	lbragstad: your [0] reference in the email to henry does not exist	17:41
lbragstad	stevemar you're right	17:42
lbragstad	alright - it's about that time to go get lunch	17:43
*** jaugustine has quit IRC		17:45
stevemar	lbragstad: same	17:46
*** browne has joined #openstack-keystone		17:46
*** AlexeyAbashkin has joined #openstack-keystone		17:55
*** AlexeyAbashkin has quit IRC		17:58
*** AlexeyAbashkin has joined #openstack-keystone		17:58
*** mvk has joined #openstack-keystone		17:59
*** tqtran has quit IRC		18:03
*** dikonoor has quit IRC		18:03
*** stewie925 has quit IRC		18:04
*** stewie925 has joined #openstack-keystone		18:05
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	18:11
*** phalmos has joined #openstack-keystone		18:12
*** stewie925 has quit IRC		18:13
*** adrian_otto has quit IRC		18:13
*** adrian_otto has joined #openstack-keystone		18:15
*** david-lyle has joined #openstack-keystone		18:15
*** david-lyle has quit IRC		18:16
*** david-lyle has joined #openstack-keystone		18:16
*** jaugustine has joined #openstack-keystone		18:20
*** Alexey_Abashkin has joined #openstack-keystone		18:21
*** lucas__ has joined #openstack-keystone		18:23
*** AlexeyAbashkin has quit IRC		18:24
*** adrian_otto has quit IRC		18:25
*** chlong has quit IRC		18:46
*** stewie925 has joined #openstack-keystone		18:46
*** dave-mccowan has quit IRC		18:54
*** dave-mcc_ has joined #openstack-keystone		18:54
*** tqtran has joined #openstack-keystone		18:57
*** thiagolib has quit IRC		18:58
*** chlong has joined #openstack-keystone		18:59
ayoung	lbragstad, looks good	19:00
openstackgerrit	Kam Nasim proposed openstack/keystone: Set connection timeout for LDAP configuration https://review.openstack.org/390948	19:04
*** spzala has quit IRC		19:07
*** spzala has joined #openstack-keystone		19:07
*** briancurtin has joined #openstack-keystone		19:09
*** spzala has quit IRC		19:12
stewie925	I was able to point to stable/mitaka and download the wsgi script to /var/www/cgi-bin/keystone/admin, though I encountered another issue : http://paste.openstack.org/show/594604/	19:13
dstanek	stewie925: did you pull down the correct version of the file? there will be a branch for each release	19:14
*** dave-mcc_ has quit IRC		19:15
stewie925	dstanek: yeah I think I'll go ahead and reinstall with a later version of openstack	19:16
stewie925	some kilo components are no longer available	19:17
stevemar	morgan_: hi, can you take a final look at the open patches here: https://review.openstack.org/#/q/topic:bug/1616105	19:23
morgan_	yep	19:23
morgan_	stevemar: jenkins doesn't like a bunch of them	19:23
morgan_	oh abandoned	19:23
morgan_	nvm	19:23
stevemar	:)	19:23
morgan_	lol oh that bug	19:27
morgan_	oi	19:27
*** diazjf has joined #openstack-keystone		19:27
*** diazjf has quit IRC		19:30
morgan_	done	19:30
stevemar	morgan_: ty	19:33
*** jaosorior has quit IRC		19:46
*** Alexey_Abashkin has quit IRC		19:48
*** voelzmo has joined #openstack-keystone		19:51
*** AlexeyAbashkin has joined #openstack-keystone		19:51
*** jaosorior has joined #openstack-keystone		19:56
*** Alexey_Abashkin has joined #openstack-keystone		19:56
*** AlexeyAbashkin has quit IRC		19:57
*** morgan_ is now known as morgan		19:58
*** ayoung has quit IRC		20:06
*** Alexey_Abashkin_ has joined #openstack-keystone		20:11
*** Alexey_Abashkin has quit IRC		20:13
*** akrzos-mtg is now known as akrzos		20:13
*** spzala_ has joined #openstack-keystone		20:15
*** Alexey_Abashkin_ has quit IRC		20:20
*** spzala_ has quit IRC		20:20
*** spzala has joined #openstack-keystone		20:21
*** diazjf has joined #openstack-keystone		20:22
*** diazjf has quit IRC		20:22
*** jaugustine has quit IRC		20:23
*** jaugustine has joined #openstack-keystone		20:24
*** lucas__ has quit IRC		20:25
*** jaugustine_ has joined #openstack-keystone		20:26
*** jaugustine has quit IRC		20:26
*** lucas__ has joined #openstack-keystone		20:28
*** browne has quit IRC		20:28
*** Alexey_Abashkin_ has joined #openstack-keystone		20:28
*** asettle has joined #openstack-keystone		20:29
*** lucas__ has quit IRC		20:31
*** voelzmo has quit IRC		20:32
*** browne has joined #openstack-keystone		20:33
*** asettle has quit IRC		20:33
*** voelzmo has joined #openstack-keystone		20:33
*** asettle has joined #openstack-keystone		20:33
*** nklenke has quit IRC		20:35
*** lucas__ has joined #openstack-keystone		20:37
*** voelzmo has quit IRC		20:37
*** asettle has quit IRC		20:38
*** jaosorior has quit IRC		20:39
*** adrian_otto has joined #openstack-keystone		20:42
*** nklenke_ has quit IRC		20:42
*** diazjf has joined #openstack-keystone		20:54
*** Alexey_Abashkin_ has quit IRC		21:00
*** jamielennox\|away is now known as jamielennox		21:01
*** raildo has quit IRC		21:02
*** diazjf has quit IRC		21:02
*** adriant has joined #openstack-keystone		21:04
adriant	stevemar: out of curiosity, when does security support for Keystone in liberty end (I though it already had)?	21:05
adriant	morgan: you about?	21:07
*** adrian_otto has quit IRC		21:11
*** adrian_otto has joined #openstack-keystone		21:12
stevemar	adriant: EOL stuff is here: https://releases.openstack.org/index.html	21:15
adriant	stevemar: Saw that, just was confused by the EOL vs non-sec support :(	21:16
adriant	so it is EOL, but still mostly security supported then?	21:17
stevemar	ohh right	21:18
stevemar	adriant: you might want to ask fungi about security supported	21:18
adriant	yeah, the EOL for Liberty has passed, but the status still reads Security-supported :P	21:18
adriant	kk	21:18
adriant	I'm partly asking because the stable branches for liberty seem gone in a bunch of the repos.	21:19
adriant	stevemar: thanks by the way, may ask fungi when he's about. :)	21:20
*** diazjf has joined #openstack-keystone		21:20
*** asettle has joined #openstack-keystone		21:21
*** lucas__ is now known as lucasxu		21:24
morgan	adriant: here	21:24
adriant	morgan: Ah! Same question as yesterday, do you want me to start on the router/controller for the rules while you handle the auth layer?	21:27
adriant	They should be reasonably independent, although I assume I'd update the controllers as you find problems while doing the auth	21:27
adriant	morgan: If not, I've got plenty else I can do. Just thought I'd offer to do something reasonably easy to help get this done faster. :)	21:31
morgan	adriant: sure. remember 2 things. controller just handles the request and validates it	21:32
morgan	adriant: and the businesslogic goes in the manager	21:32
morgan	and then driver (backend, sql.py thing) only does "store" and "retrive" (so 3 things)	21:32
morgan	manager is usually in core.py	21:32
adriant	morgan: yeah, I'm basically meaning that whole thing. Just wrong terms.	21:32
morgan	i'm going to need to do some of the core.py work to make the auth bits work	21:33
morgan	i think	21:33
morgan	maybe not.	21:33
adriant	Shouldn't have to'	21:33
morgan	i'll have to poke at it.	21:33
morgan	it depends on how the ORM does loading.	21:33
fungi	adriant: stevemar: i think it was an oversight in the releases repo, i've just proposed https://review.openstack.org/419144 so we'll see what they say about it	21:33
adriant	other than odd rules and validation you'd want to add so the rules don't break the auth	21:33
morgan	yeah basically need to do lots of parsing and validation in the auth path	21:33
morgan	i know how that has to look already	21:34
morgan	the controller will need JSON schema as well for request validation	21:34
morgan	i plan to use the exact layout in the spec for the auth path	21:34
*** asettle has quit IRC		21:34
morgan	of the json stored that is	21:34
adriant	yep	21:34
morgan	hopefully it doesn't need much extra work.	21:34
adriant	I'll leave it to you for now then and review as needed.	21:35
adriant	morgan: Oh and, as a side note. We're likely to use that password+totp plugin ourselves until we get this MFA fully supported across the required projects (I doubt we'll get that all done in Ocata), but moving to using the rules should be easy. :)	21:36
adriant	fungi: thanks, thought that was the case! Good to know.	21:40
*** jaosorior has joined #openstack-keystone		21:44
morgan	adriant: right makes sense	21:44
adriant	morgan: We have a fairly urgent need for MFA, and that plugin gives us a quick way that doesn't break anything, and with how the rules will work I can migrate to using them later.	21:45
morgan	yup	21:46
morgan	:)	21:46
adriant	Although I will need to write a script or do some sql: "for all users with totp creds, create rule password+totp"	21:46
morgan	yeah it wont be terrible	21:46
adriant	but that's easy and only a one time thing	21:46
morgan	you could just use the same totp cred type	21:46
adriant	true	21:47
morgan	oh yeah need the rules, but that should be easy	21:47
adriant	well, more need the rules and switch to the proper password + totp as two methods rather than the single plugin	21:47
adriant	but we'd need to issue a deprecation warning to customers to make sure they upgrade their keystoneauth/clients etc	21:48
adriant	because it never ceases to surprise me how old some of the installed libraries people use are :(	21:48
adriant	"Why are you still using the keystoneclient for cli?!"	21:49
lbragstad	stevemar does my response here make sense? https://bugs.launchpad.net/keystone/+bug/1655013	21:51
openstack	Launchpad bug 1655013 in OpenStack Identity (keystone) "double assignment of user to group does not give error" [Undecided,Invalid]	21:51
bknudson	seems like everybody wants errors from keystone all the time	21:51
bknudson	should just replace it with a server that returns 400.	21:51
*** lucasxu has quit IRC		21:52
*** dave-mccowan has joined #openstack-keystone		21:54
*** lucas__ has joined #openstack-keystone		21:54
breton	410	21:54
*** thorst has quit IRC		21:54
bknudson	402 Payment Required	21:55
adriant	lbragstad: It's one of those weird things where yes a 409 would make sense, but you asked for an action to be done, and hey, your action was already completed, have a 2** code.	21:55
lbragstad	right	21:56
adriant	Why would you need to care if you did it, or someone else did it? Maybe if data was changed, but that doesn't happen here.	21:56
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	21:57
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	21:57
lbragstad	it feels like it's automation related...	21:57
*** thorst has joined #openstack-keystone		21:57
*** thorst has quit IRC		22:02
*** spzala has quit IRC		22:09
stevemar	bknudson: lol	22:11
*** ayoung has joined #openstack-keystone		22:13
*** ChanServ sets mode: +v ayoung		22:13
*** diazjf has quit IRC		22:15
*** spzala has joined #openstack-keystone		22:16
*** lucas__ has quit IRC		22:18
*** spzala has quit IRC		22:20
*** spzala has joined #openstack-keystone		22:28
*** spzala has quit IRC		22:28
*** markvoelker has quit IRC		22:29
*** markvoelker has joined #openstack-keystone		22:32
*** edtubill has quit IRC		22:34
*** markvoelker has quit IRC		22:34
*** markvoelker has joined #openstack-keystone		22:34
*** markvoelker_ has joined #openstack-keystone		22:39
*** markvoelker has quit IRC		22:39
*** phalmos has quit IRC		22:43
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object https://review.openstack.org/418624	22:49
*** spilla has quit IRC		22:49
*** catintheroof has quit IRC		22:50
*** catintheroof has joined #openstack-keystone		22:51
*** ayoung has quit IRC		22:51
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	22:52
*** ravelar has quit IRC		22:53
*** chlong has quit IRC		22:55
*** catintheroof has quit IRC		22:55
*** chris_hultin is now known as chris_hultin\|AWA		22:59
*** spzala has joined #openstack-keystone		23:01
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	23:01
*** spzala has quit IRC		23:09
*** spzala has joined #openstack-keystone		23:09
*** jperry has quit IRC		23:10
*** dave-mccowan has quit IRC		23:11
*** lamt has quit IRC		23:11
*** tqtran has quit IRC		23:17
*** spzala has quit IRC		23:18
*** adrian_otto has quit IRC		23:25
*** tqtran has joined #openstack-keystone		23:29
*** markvoelker_ has quit IRC		23:32
*** adrian_otto has joined #openstack-keystone		23:33
*** edmondsw has quit IRC		23:36
*** edtubill has joined #openstack-keystone		23:36
*** markvoelker has joined #openstack-keystone		23:40
*** edtubill has quit IRC		23:40
*** thorst_ has joined #openstack-keystone		23:48
*** thorst_ has quit IRC		23:53
openstackgerrit	Kam Nasim proposed openstack/keystone: Set connection timeout for LDAP configuration https://review.openstack.org/390948	23:53
*** jaosorior has quit IRC		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!