Wednesday, 2017-03-01

*** stewie925 has joined #openstack-keystone		00:05
stewie925	Hi guys, I was running devstack and I got the following error: "etc/keystone/fernet-keys/ does not exist"	00:07
*** hoonetorg has quit IRC		00:08
lbragstad	stewie925 devstack should create that for your - but you should be able to do it manually with `keystone-manage fernet-setup`	00:08
stewie925	hi lbragstad - thanks - but running that command would require first that stack is up and running?	00:08
lbragstad	stewie925 this should be the required bits you'd need https://github.com/openstack-dev/devstack/blob/7a30c7fcabac1cf28fd9baa39d05436680616aef/lib/keystone#L524-L526	00:08
lbragstad	stewie925 keystone would need to be installed, yes	00:09
lbragstad	stewie925 but devstack should be taking care of that for you, based on the current defaults	00:09
stewie925	ohhh	00:09
*** MasterOfBugs has joined #openstack-keystone		00:13
stewie925	lbragstad: how do I force devstack to reinstall my keystone?	00:13
stewie925	I assume removing /opt/stack/keystone would do the trick ,but I was still getting the "etc/keystone/fernet-keys/ does not exist" when running stack.sh	00:14
stewie925	also, I set the local.conf RECLONE=yes	00:15
*** hoonetorg has joined #openstack-keystone		00:22
*** _cjones_ has quit IRC		00:23
*** _cjones_ has joined #openstack-keystone		00:23
*** adrian_otto has joined #openstack-keystone		00:27
*** _cjones_ has quit IRC		00:27
gagehugo	stewie925: can you try making the directory manually "mkdir /etc/keystone/fernet-keys" and see if that works?	00:36
*** jamielennox is now known as jamielennox\|away		00:36
*** gyee has joined #openstack-keystone		00:40
*** wxy has joined #openstack-keystone		00:42
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API key credential https://review.openstack.org/438761	00:43
stewie925	gagehugo: sorry I stepped away, yes I tried that and it didnt work	00:43
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API access key credentials https://review.openstack.org/438761	00:44
*** jamielennox\|away is now known as jamielennox		00:44
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API access key credentials https://review.openstack.org/438761	00:45
gagehugo	might need to "chown -R keystone /etc/keystone"	00:46
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API access key credentials https://review.openstack.org/438761	00:46
lbragstad	gagehugo yeah - that could be a permissions issue	00:50
lbragstad	er stewie925 ^	00:50
lbragstad	stewie925 does the user you're running stack.sh with have root permissions?	00:50
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API access key credentials https://review.openstack.org/438761	00:51
stewie925	gagehugo: lbragstad: no it doesnt have root permissions :(	00:51
gagehugo	ah	00:51
stewie925	oh wait....	00:52
stewie925	I just ran an ls- l on /etc/keystone it shows the username for each file (not root)	00:52
stewie925	i was able to cd /etc/keystone without having to do 'sudo'	00:53
lbragstad	stewie925 hmmm	00:54
lbragstad	stewie925 when you run stack.sh, do you get an error?	00:54
stewie925	oh, to clarify - I was able to mkdir /etc/keystone/fernet-keys	00:54
lbragstad	stewie925 actually - do you have a stack trace?	00:54
lbragstad	stewie925 you can probably get more useful information from the keystone logs	00:55
lbragstad	I think devstack sets up /var/log/keystone/	00:55
stewie925	https://github.com/openstack-dev/devstack/blob/7a30c7fcabac1cf28fd9baa39d05436680616aef/lib/keystone#L524-L526	00:55
stewie925	oops	00:55
stewie925	I mean - World dumping... see /opt/stack/logs/worlddump-2017-03-01-004154.txt for details	00:55
stewie925	you mean that log right?	00:56
lbragstad	stewie925 i meant the keystone logs specifically	00:56
lbragstad	stewie925 is this happening in a change you have proposed to gerrit?	00:56
stewie925	lbragstad: no, it isnt	00:56
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API access key credentials https://review.openstack.org/438761	00:57
lbragstad	stewie925 devstack sets up logging in /var/log/	00:57
stewie925	its been a while since I ran stack.sh on my devstack (more than a month), then I tried to run it and I was getting into issues	00:57
lbragstad	https://github.com/openstack-dev/devstack/blob/7a30c7fcabac1cf28fd9baa39d05436680616aef/lib/keystone#L602-L603	00:57
lbragstad	see if you can find ^ that keystone.log	00:57
stewie925	lbragstad: thanks - I checked /var/log - there is no keystone.log file :(	00:59
lbragstad	stewie925 is there a /var/log/apache/ directory?	00:59
stewie925	yes it does and I see keystone.log in there	01:00
lbragstad	stewie925 cool - that's the one you want	01:00
stewie925	checking the log file now	01:00
*** lamt has joined #openstack-keystone		01:01
stewie925	let me share the log via pastebin.... brb	01:02
stewie925	here it is - I copied the last few pages of the log - http://paste.openstack.org/show/600863/	01:04
*** hoangcx has joined #openstack-keystone		01:06
lbragstad	stewie925 interesting - it looks like it failing to start keystone	01:09
lbragstad	here - https://github.com/openstack/keystone/blob/a66d0735b2829c8bdb30f2dc07e4b4400ceddc3b/keystone/token/providers/fernet/core.py#L33-L45	01:09
lbragstad	stewie925 and you can't do `keystone-manage fernet_setup`?	01:10
*** liujiong has joined #openstack-keystone		01:10
stewie925	I tried earlier it didnt work - but now it seems to work	01:11
lbragstad	stewie925 try restarting apache now and tail the keystone.log	01:12
lbragstad	you should see it start and wait for requests	01:12
lbragstad	or `sudo service apache2 restart; curl http://localhost:5000/`	01:13
lbragstad	if you get a version response back - it's safe to assume the problem is fixed since the token provider should have loaded properly at that point	01:13
stewie925	thanks! restarting apache2	01:13
stewie925	oooh - connection refused when I ran the curl command	01:14
lbragstad	hmm	01:14
lbragstad	tail the keystone.log again?	01:14
stewie925	sure	01:14
stewie925	no new entries in the keystone log	01:15
lbragstad	hm	01:15
stewie925	btw when I ran the sudo service apache2 restart it shows this	01:15
stewie925	* Restarting web server apache2	01:15
lbragstad	does `keystone-manage fernet_setup` give you any output?	01:15
stewie925	let me run that again, and share my output	01:16
*** alex_xu has quit IRC		01:19
stewie925	http://paste.openstack.org/show/600864/	01:19
*** alex_xu has joined #openstack-keystone		01:19
stewie925	even after I re-created the /etc/keystone/fernet-keys	01:19
lbragstad	stewie925 yeah - it looks like the user you're using doensn't have write permissions to that directory	01:20
lbragstad	stewie925 fwiw - when ever i stand up new devstack nodes, I typically use the ubuntu system user (for 14.04 and 16.04)	01:20
lbragstad	and that works just fine for using stack.sh	01:20
stewie925	lbragstad: thank you for putting up with me - I think I may have to just build a new devstack	01:21
notmorgan	oh well now.. that is sloppy	01:21
lbragstad	stewie925 that's also something that I do often when I have stale devstack	01:21
notmorgan	lbragstad: i found a bug where we are probably increasing our writes to the SQL db backend... well a lot	01:21
lbragstad	notmorgan ugh	01:22
notmorgan	lbragstad: potentially that is.	01:22
lbragstad	notmorgan i'm just about to step away - but I'll catch up with the gist of it via scrollback	01:22
stewie925	lbragstad: yeah... too bad there s no effective way to rebuild devstack	01:23
notmorgan	when we do .update_user	01:23
notmorgan	https://www.irccloud.com/pastebin/mfq1pDzz/	01:23
notmorgan	that sets the attributes for the entire user model, even if they don't need to be set.	01:23
notmorgan	specifically with the hybrid attribute setting	01:24
*** alex_xu has quit IRC		01:25
*** alex_xu has joined #openstack-keystone		01:25
* notmorgan was running into an issue trying to push password hashing down onto the sql_model itself.		01:26
*** alex_xu has quit IRC		01:26
*** alex_xu has joined #openstack-keystone		01:27
*** guoshan has joined #openstack-keystone		01:30
*** phalmos_ has quit IRC		01:31
notmorgan	i think i have it fixed now.	01:32
*** phalmos has joined #openstack-keystone		01:34
*** MasterOfBugs has quit IRC		01:34
*** guoshan has quit IRC		01:35
*** guoshan has joined #openstack-keystone		01:36
*** thorst has joined #openstack-keystone		01:41
*** thorst has quit IRC		01:46
*** thorst has joined #openstack-keystone		01:46
*** edmondsw has joined #openstack-keystone		01:48
*** thorst has quit IRC		01:50
*** aasthad has quit IRC		01:52
*** hoonetorg has quit IRC		01:52
*** edmondsw has quit IRC		01:53
*** tovin07 has quit IRC		01:59
*** hoonetorg has joined #openstack-keystone		02:01
*** edmondsw has joined #openstack-keystone		02:02
*** dave-mccowan has quit IRC		02:03
*** tovin07 has joined #openstack-keystone		02:03
*** edmondsw has quit IRC		02:05
*** agrebennikov_ has quit IRC		02:06
*** stewie925 has quit IRC		02:09
*** thorst has joined #openstack-keystone		02:13
*** gyee has quit IRC		02:14
*** browne has quit IRC		02:20
*** ngupta has joined #openstack-keystone		02:28
*** thorst has quit IRC		02:33
*** thorst has joined #openstack-keystone		02:33
*** thorst has quit IRC		02:38
*** guoshan has quit IRC		02:42
openstackgerrit	Richard Avelar proposed openstack/keystone master: WIP https://review.openstack.org/439290	02:49
*** lucasxu has joined #openstack-keystone		02:54
*** guoshan has joined #openstack-keystone		02:54
*** ngupta has quit IRC		02:56
*** ngupta has joined #openstack-keystone		02:56
*** lucasxu has quit IRC		02:57
*** ngupta has quit IRC		03:01
*** zhurong has joined #openstack-keystone		03:04
*** thorst has joined #openstack-keystone		03:08
*** thorst has quit IRC		03:08
*** rderose has quit IRC		03:12
*** zhurong has quit IRC		03:13
notmorgan	hmm...	03:16
notmorgan	how did this test ever pass....	03:16
*** ngupta has joined #openstack-keystone		03:26
*** _cjones_ has joined #openstack-keystone		03:27
*** _cjones_ has quit IRC		03:27
*** _cjones_ has joined #openstack-keystone		03:28
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes https://review.openstack.org/438701	03:29
*** thorst has joined #openstack-keystone		03:39
*** thorst has quit IRC		03:40
darrenc	Hi, I'm testing the ocata install guide and running into an issue initializing fernet key repos	03:42
darrenc	can anyone help?	03:42
darrenc	Step 4 in https://docs.openstack.org/ocata/install-guide-rdo/keystone-install.html#install-and-configure-components	03:43
darrenc	the second command "keystone-manage credential_setup --keystone-user keystone --keystone-group keystone" returns an error "keystone-manage: error: argument command: invalid choice: 'credential_setup' "	03:44
darrenc	Has the command changed?	03:45
notmorgan	darrenc: the command should not have changed.	03:45
notmorgan	darrenc: that looks correct.	03:46
darrenc	ok, thanks	03:46
notmorgan	darrenc: i can take a closer look in a moment	03:47
darrenc	that would be great, thank you!	03:47
notmorgan	darrenc: let me take a gander at the code.	03:47
darrenc	ok	03:47
notmorgan	darrenc: just to be sure you're not using an old keystone-manage or something like that [sometimes islly things like that happen]	03:48
notmorgan	darrenc: i'm seeing what i can come up with now	03:49
darrenc	I'm using ocata packages	03:49
*** thorst has joined #openstack-keystone		03:49
notmorgan	hmm	03:52
notmorgan	ok well i just tried the direct code	03:52
notmorgan	https://www.irccloud.com/pastebin/9XTsvzgt/	03:52
notmorgan	darrenc: and as you can see ^ it worked. [ignore the config-file bit, i just don't have things in /etc]	03:53
notmorgan	darrenc: i assume you're on ubunut?	03:54
notmorgan	ubuntu*	03:54
darrenc	yes, that's correct	03:54
notmorgan	hm.	03:54
darrenc	ok, it might be user error :)	03:54
darrenc	It was fine when I was testing pre-release packages	03:55
notmorgan	i never assume user-error in these cases ;)	03:55
notmorgan	so many things go weird sometimes with this code	03:55
notmorgan	darrenc: if you poke at it a bit more and find out what is up, let me know.	03:56
notmorgan	darrenc: likewise if you're still stuck tomorrow, let me know i'll spin up a vm and check out the packages	03:56
darrenc	Yep, I'll do that. Thanks again, I really appreciate your help!	03:56
notmorgan	right now i need to drown my mushy brain in a nice glass of ginger beer [non-alcoholic] (I've been looking at cryptographic hashing algorithims all day]	03:57
notmorgan	my brain is definitely mush	03:57
darrenc	hmm, I love a good ginger beer	03:57
darrenc	Actually Mmmmm	03:57
notmorgan	darrenc: bundaberg ginger beer tonight	03:58
notmorgan	because i am out of cock and bull.	03:58
notmorgan	both are top tier imo	03:58
darrenc	Ahh, so you're in Australia as well?	03:58
notmorgan	nope, Seattle	03:58
notmorgan	^_^	03:58
darrenc	you get bundaberg ginger beer over there?	03:58
notmorgan	yup, in the supermarket	03:59
darrenc	I didn't know they export	03:59
notmorgan	it's one of the more common ones i've found (i love ginger beer, so i find the good stuff)	03:59
darrenc	It definitely my favourite ginger beer	03:59
darrenc	it's*	03:59
notmorgan	i like some of the locally micro-brew style stuff.	04:00
darrenc	I'm curious, what do they charge for a bottle?	04:00
notmorgan	but it's hit and miss to get it.	04:00
notmorgan	hmmm...	04:00
notmorgan	i think i paid... $1.50 - $3 USD for it	04:00
notmorgan	somewhere in there	04:00
notmorgan	but.. honestly, i can't remember	04:01
notmorgan	it was on sale this time. Amazon has it for ~$5/bottle (4 pack for $19.99)	04:01
darrenc	oh, that's expensive	04:02
darrenc	$5.50AU for a 4 pack here	04:02
notmorgan	i usually buy it when it's on sale so $1-2 / bottle	04:02
notmorgan	so $4-8 range for a 4 pack	04:02
notmorgan	plus tax (since i live in a place that does sales tax)	04:02
darrenc	ah, that's not too bad	04:03
notmorgan	yah, it's reasonable	04:03
notmorgan	i wont buy it for $5/bottle	04:03
notmorgan	that is too much	04:03
notmorgan	i drink very little fizzy sweet drinks	04:04
notmorgan	(mostly fizzy unflavoured water)	04:04
*** drjones has joined #openstack-keystone		04:05
darrenc	FYI, you can also get ginger cordial https://www.woolworths.com.au/Shop/Search/Products?searchTerm=ginger%20cordial&name=buderim-ginger-cordial&productId=146307	04:05
notmorgan	ooooh NICE	04:05
darrenc	mix it with soda water, and it tastes almost the same as bundaberg	04:05
notmorgan	i'm gonna do that	04:05
notmorgan	i <3 ginger	04:05
darrenc	Plenty of ginger bite and heat	04:06
*** nicolasbock has quit IRC		04:06
notmorgan	.... i ... might eat pickled ginger by the handful when at sushi restaurants	04:06
notmorgan	I'm not allowed to have any pickeled ginger in my house...	04:06
notmorgan	:P	04:06
notmorgan	i'd get fat on it.	04:06
darrenc	lol	04:06
*** _cjones_ has quit IRC		04:08
*** drjones has quit IRC		04:09
*** guoshan has quit IRC		04:11
*** hoonetorg has quit IRC		04:23
darrenc	notmorgan: when you're awake, it looks like someone else has reproduced my issue: https://bugs.launchpad.net/openstack-manuals/+bug/1668528	04:24
openstack	Launchpad bug 1668528 in openstack-manuals "Install and configure in Installation Guide" [Undecided,New]	04:24
notmorgan	thnx	04:26
darrenc	So keystone 9.2.0 is provided, but we need 10.0	04:26
darrenc	ah sorry, I didn't expect you to respond until tomorrow	04:26
*** links has joined #openstack-keystone		04:27
*** hoonetorg has joined #openstack-keystone		04:35
*** adrian_otto has quit IRC		04:44
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes https://review.openstack.org/438701	04:47
*** adriant has quit IRC		04:49
*** thorst has joined #openstack-keystone		04:50
*** thorst has quit IRC		04:55
openstackgerrit	Richard Avelar proposed openstack/keystone master: WIP https://review.openstack.org/439290	05:09
*** guoshan has joined #openstack-keystone		05:10
*** ngupta has quit IRC		05:22
*** ngupta has joined #openstack-keystone		05:23
*** ngupta has quit IRC		05:27
*** dikonoor has joined #openstack-keystone		05:29
*** bkudryavtsev has joined #openstack-keystone		05:30
*** guoshan has quit IRC		05:32
*** guoshan has joined #openstack-keystone		05:38
*** masterjcool has quit IRC		05:40
*** lamt has quit IRC		05:47
*** masterjcool has joined #openstack-keystone		05:52
*** guoshan has quit IRC		05:53
*** guoshan has joined #openstack-keystone		05:59
*** guoshan has quit IRC		06:02
*** dikonoor has quit IRC		06:02
*** dikonoor has joined #openstack-keystone		06:03
*** guoshan has joined #openstack-keystone		06:04
*** adrian_otto has joined #openstack-keystone		06:05
*** adrian_otto has quit IRC		06:07
*** adrian_otto has joined #openstack-keystone		06:09
*** adrian_otto has quit IRC		06:13
*** hoonetorg has quit IRC		06:16
*** lucasxu has joined #openstack-keystone		06:25
*** hoonetorg has joined #openstack-keystone		06:30
*** richm has quit IRC		06:43
*** phalmos has quit IRC		06:46
*** rcernin has joined #openstack-keystone		06:51
*** sigmavirus has quit IRC		06:52
*** thorst has joined #openstack-keystone		06:52
*** sigmavirus has joined #openstack-keystone		06:53
*** sigmavirus is now known as Guest53153		06:54
*** lucasxu has quit IRC		06:54
*** thorst has quit IRC		06:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/439420	06:59
openstackgerrit	Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449	07:03
*** namnh has joined #openstack-keystone		07:04
*** h5t4_ has joined #openstack-keystone		07:07
*** jaosorior has joined #openstack-keystone		07:09
openstackgerrit	Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449	07:12
*** tesseract has joined #openstack-keystone		07:12
*** ravelar has quit IRC		07:13
*** prashkre has joined #openstack-keystone		07:23
*** lwiecek has joined #openstack-keystone		07:40
*** blake has joined #openstack-keystone		07:47
*** blake has quit IRC		07:55
*** phalmos has joined #openstack-keystone		08:10
*** phalmos has quit IRC		08:35
*** henrynash has joined #openstack-keystone		08:50
*** ChanServ sets mode: +v henrynash		08:50
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** hoangcx has left #openstack-keystone		09:00
*** alex_xu has quit IRC		09:01
*** alex_xu has joined #openstack-keystone		09:02
*** tovin07 has quit IRC		09:15
*** henrynash has quit IRC		09:49
*** Dinesh_Bhor has joined #openstack-keystone		10:04
*** phalmos has joined #openstack-keystone		10:04
*** mvk has quit IRC		10:12
*** henrynash has joined #openstack-keystone		10:19
*** ChanServ sets mode: +v henrynash		10:19
*** aloga has quit IRC		10:21
*** pcaruana has joined #openstack-keystone		10:24
*** liujiong has quit IRC		10:25
*** aloga has joined #openstack-keystone		10:27
*** guoshan has quit IRC		10:30
*** alex_xu has quit IRC		10:31
openstackgerrit	Béla Vancsics proposed openstack/keystone master: Remove unused variable https://review.openstack.org/439525	10:31
*** alex_xu has joined #openstack-keystone		10:33
*** mvk has joined #openstack-keystone		10:44
*** mvk has quit IRC		10:45
*** alex_xu has quit IRC		10:45
*** mvk has joined #openstack-keystone		10:45
*** henrynash has quit IRC		10:46
*** alex_xu has joined #openstack-keystone		10:46
*** thorst has joined #openstack-keystone		10:53
*** thorst has quit IRC		10:58
*** erlon has joined #openstack-keystone		10:59
*** nicolasbock has joined #openstack-keystone		11:04
*** richm has joined #openstack-keystone		11:14
*** namnh has quit IRC		11:23
*** mvk has quit IRC		11:32
*** mvk has joined #openstack-keystone		11:44
*** phalmos has quit IRC		11:46
*** phalmos has joined #openstack-keystone		11:48
*** Guest53153 is now known as sigmavirus		12:10
*** sigmavirus has quit IRC		12:10
*** sigmavirus has joined #openstack-keystone		12:10
*** dave-mccowan has joined #openstack-keystone		12:15
*** alex_xu has quit IRC		12:18
*** phalmos has quit IRC		12:21
*** alex_xu has joined #openstack-keystone		12:25
Dinesh_Bhor	Hi all, Can someone from the core take a look at all the patches submitted for request-id feature: https://blueprints.launchpad.net/python-keystoneclient/+spec/return-request-id-to-caller	12:27
*** edmondsw has joined #openstack-keystone		12:44
*** thorst has joined #openstack-keystone		12:46
*** phalmos has joined #openstack-keystone		12:47
*** dave-mccowan has quit IRC		12:50
*** phalmos has quit IRC		12:58
*** mvk has quit IRC		13:29
*** spilla has joined #openstack-keystone		13:54
*** lwiecek has quit IRC		13:56
Dinesh_Bhor	bknudson_: Hi, we talked about this in PTG, Could you please take a look at the request-id patches submitted against this bp: https://blueprints.launchpad.net/python-keystoneclient/+spec/return-request-id-to-caller	13:58
*** zhurong has joined #openstack-keystone		14:00
*** lamt has joined #openstack-keystone		14:03
*** shewless has joined #openstack-keystone		14:05
shewless	Hi. I have a private cloud running Mitaka. I'm trying to find a simple way for my ~500 users to access the CLI and REST api without having to type or store their password anywhere (LDAP backend)	14:06
shewless	I've been looking at tokens (openstack token issue) but I'd have to set the expiry to something crazy (like 5 years) because I want it to be transparent for my users	14:07
shewless	Does anyone have any suggestions for the best way to provide easy authentication for my users?	14:07
shewless	tokenless_auth looks interesting but I'm having trouble finding information on how I would actually go about setting that up	14:09
bknudson_	Dinesh_Bhor: https://review.openstack.org/#/c/261188/ ?	14:09
bknudson_	I thought you were referring to a different change when we talked at the meeting	14:10
bknudson_	Are you taking over this review?	14:10
Dinesh_Bhor	bknudson_: yes	14:11
bknudson_	check out my comments from before.	14:11
bknudson_	and also the comments from the other reviewers	14:12
Dinesh_Bhor	bknudson_: you have removed your -1 vote after Maho Koshiya's reply	14:13
bknudson_	right, because I didn't intend to review it again until my comments were addressed. I was going to leave it for someone else.	14:14
bknudson_	I can +2 it but if nobody else is going to then it's a waste of my time.	14:14
Dinesh_Bhor	bknudson_: ok, I will request others to take a look at it.	14:15
Dinesh_Bhor	bknudson_: thanks for your time.	14:15
bknudson_	go ahead. there's already comments on it that aren't addressed so I doubt they'll approve it.	14:15
Dinesh_Bhor	bknudson_: yah, I will address them after discussion.	14:17
*** zhurong has quit IRC		14:19
*** links has quit IRC		14:19
Dinesh_Bhor	samueldmq: Hi, if you have time could you please have a look at it: https://review.openstack.org/#/c/261188/	14:20
*** larsks has quit IRC		14:20
*** zhurong has joined #openstack-keystone		14:21
*** dave-mccowan has joined #openstack-keystone		14:22
shewless	also, after I do a "openstack token issue" is that information stored in the database? I want to be able to see how many tokens are issued	14:23
bknudson_	shewless: if you're using fernet tokens the token isn't stored in the database.	14:24
bknudson_	uuid tokens are stored in the database	14:24
shewless	+bknudson_: thanks. I am using fernet tokens. are they in memcached?	14:24
shewless	if my controller gets rebooted are the fernet tokens persistant?	14:24
bknudson_	fernet tokens are not stored in memcached	14:26
bknudson_	they're not stored anywhere since they contain all the information needed to validate	14:26
bknudson_	that's why they're larger than uuid tokens	14:26
shewless	+bknudson_ cool thanks! Is there a way to A) make them not expire and B) make them persistent across reboot?	14:29
bknudson_	fernet tokens can be used across reboots	14:30
bknudson_	you can't make them not expire... you can set the lifetime of the token to a very long time and not rotate your keys... but this comes with security issues.	14:30
shewless	+bknudson_: thanks. If a user executes "openstack token issue" 10 times.. do they now have 10 valid tokens? Is there a need to "clean them up"?	14:31
*** bauruine has quit IRC		14:31
bknudson_	yes, they'd have 10 valid tokens. the server doesn't store them anywhere so no need for the admin to clean them up.	14:31
shewless	+bknudson_: awesome	14:31
shewless	+bknudon_: I'm not too concerned about security because it a private cloud for my company and no confidential data is stored there.. but I would still love to find a "better" way to do this	14:32
shewless	would x509 tokenless auth be better for example?	14:32
samueldmq	Dinesh_Bhor: Hi. Yes I can take a look at it. Just make sure all bknudson_'s comments and suggestions have been discussed/addressed, he's been reviewing that patch since the beginning.	14:33
lbragstad	shewless what are you trying to do with the tokens that you need them to not expire?	14:33
shewless	@lbragstad I'm trying to allow my users to access teh CLI, REST, SDK, without having to type their password	14:36
lbragstad	shewless so you'd just give them a token that doesn't expire?	14:38
lbragstad	shewless and they'd use that through the CLI?	14:38
shewless	@lbragstad: that's what I'm considering at the moment.	14:38
lbragstad	gotcha	14:38
*** bauruine has joined #openstack-keystone		14:38
shewless	(the could login to horizon with their user/password (via LDAP) but they would access the CLI and API with the token	14:39
*** chris_hultin\|AWA is now known as chris_hultin		14:39
lbragstad	antwash one quick comment here and I think this one is good to go - https://review.openstack.org/#/c/435609/	14:41
*** rderose has joined #openstack-keystone		14:47
*** mvk has joined #openstack-keystone		14:54
*** lamt has quit IRC		14:56
*** lucasxu has joined #openstack-keystone		15:05
*** lucasxu has quit IRC		15:07
*** lucasxu has joined #openstack-keystone		15:11
*** jaosorior has quit IRC		15:12
*** ngupta has joined #openstack-keystone		15:15
*** ravelar has joined #openstack-keystone		15:16
openstackgerrit	Richard Avelar proposed openstack/keystone master: Policy in code https://review.openstack.org/435609	15:18
openstackgerrit	Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449	15:20
*** h5t4_ has quit IRC		15:21
openstackgerrit	Richard Avelar proposed openstack/keystone master: Policy in code (part 2) https://review.openstack.org/435751	15:22
*** chlong has joined #openstack-keystone		15:23
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	15:24
shewless	Another question +bknudson_ and @lbragstad: It seems the fernet tokens are unscoped? Is there a way to issue a token that is "project scoped"? I'm not sure if I'm using the right terminology	15:26
bknudson_	fernet tokens work just like uuid tokens. They can be scoped to a project if you ask for a scoped token.	15:27
*** chlong has quit IRC		15:27
shewless	+bknudson_ is there a way to do that from the CLI? I thought setting the OS_PROJECT_NAME and OS_PROJECT_DOMAIN variables would do it	15:28
bknudson_	that should do it. I'm not that familiar with the CLI	15:28
shewless	I want to add myself to user "X" project and generate a token for them.	15:28
*** chlong has joined #openstack-keystone		15:28
shewless	But what I'm seeing is, that it generates a token for me instead	15:28
*** jistr is now known as jistr\|biab		15:29
*** zhurong has quit IRC		15:31
dstanek	shewless: you want to generate a token for someone else?	15:31
shewless	+dstanek: yes. (darn lazy users) :)	15:31
*** chlong has quit IRC		15:32
shewless	I have OS_PROJECT_DOMAIN_NAME, USER_DOMAIN_NAME, OS_PROJECT_NAME set at the time I issue a token. but It still ties it to my user name instead of the project. Do I need to set OS_DOMAIN_ID as well as the name for some readon?	15:34
*** lamt has joined #openstack-keystone		15:34
*** chlong has joined #openstack-keystone		15:36
shewless	hmm. maybe I'm getting a scoped token but I don't understand what that really means	15:39
shewless	Say I have "userA" and "userB" who have own "projectA" and "projectB" respectively.	15:40
*** chlong has quit IRC		15:41
shewless	I want to add userA to projectB temporarily, and issue a token that is scoped to projectB for userB.	15:42
dstanek	shewless: what credentials are you using to get the token? theirs?	15:42
shewless	maybe that's not possible?	15:42
shewless	"mine"	15:42
shewless	(my user name, their project)	15:42
dstanek	i wouldn't think that what you are doing is possible	15:43
dstanek	to get a token for another user and to get a scope that they don't currently have access to	15:44
shewless	+dstanek. Far enough. To clarify: If I have a user who is admin, and someone else gets a hold of that users token.. I guess that user would then be able to execute administrative operations ?	15:44
dstanek	yes, if they have an admin token that would be possible	15:44
*** agrebennikov_ has joined #openstack-keystone		15:45
shewless	+dstanek: okay thanks. I guess I'll have the users create their own tokens	15:46
*** chlong has joined #openstack-keystone		15:52
openstackgerrit	Gage Hugo proposed openstack/keystone master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439674	15:54
*** jistr\|biab is now known as jistr		15:56
lbragstad	ping antwash, raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan, raj_singh, johnthetubeguy	15:56
ayoung	PONG!	15:56
ayoung	POINT!	15:56
ayoung	POING!	15:56
lbragstad	policy meeting starting in #openstack-meeting-cp in 4 minutes for those interested	15:56
gagehugo	always sneaks up on me	15:57
rderose	o/	15:57
lamt	o/	15:58
openstackgerrit	Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449	16:02
*** rcernin has quit IRC		16:03
*** aasthad has joined #openstack-keystone		16:22
*** adrian_otto has joined #openstack-keystone		16:25
openstackgerrit	ayoung proposed openstack/keystone master: Refactor Authorization: https://review.openstack.org/387161	16:26
openstackgerrit	ayoung proposed openstack/keystone master: Refactor is_admin https://review.openstack.org/387710	16:26
openstackgerrit	ayoung proposed openstack/keystone master: Add is_admin_project check to policy.json https://review.openstack.org/257636	16:26
*** h5t4_ has joined #openstack-keystone		16:33
*** prashkre has quit IRC		16:33
*** _cjones_ has joined #openstack-keystone		16:37
*** _cjones_ has quit IRC		16:37
*** _cjones_ has joined #openstack-keystone		16:38
*** browne has joined #openstack-keystone		16:38
*** dnalezyt has joined #openstack-keystone		16:47
*** rcernin has joined #openstack-keystone		16:52
*** chris_hultin is now known as chris_hultin\|AWA		16:57
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes https://review.openstack.org/438701	16:57
*** akrzos is now known as akrzos-mtg		16:58
*** jose-phillips has joined #openstack-keystone		17:02
notmorgan	lbragstad, dstanek: ^ there ya go, hashing algos	17:03
lbragstad	notmorgan sweet	17:04
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Remove EndpointFilterCatalog https://review.openstack.org/438210	17:05
dstanek	notmorgan: nice	17:05
notmorgan	dstanek: i dropped the hashing rounds to the minimum for our unit tests	17:08
notmorgan	dstanek: if we don't, due to the churn, we end up with ~55-70m runtime for our tests on my laptop, vs ~12	17:09
notmorgan	dstanek: we aren't testing the hash durability here, so for testing it is fine to drop it way down	17:09
dstanek	whoa	17:09
bknudson_	for tests, mock it	17:10
notmorgan	bknudson_: no	17:10
notmorgan	bknudson_: god no.	17:10
dstanek	a null hash would also work	17:10
notmorgan	except we rely on hashing to validate passwords and there is mechanisms in there to select hashing	17:11
notmorgan	i really really don't want to mock out all that	17:11
notmorgan	where rounds=4 for bcrypt is quite fast	17:11
dstanek	what about using 'str' as a hashing algorithm :-)	17:11
notmorgan	dstanek: wouldn't work. str isn't a hasher supported in passlib	17:12
notmorgan	and passlib "plaintext" is missing key features of other hashers	17:12
notmorgan	such as... ident, and prefixes for metadata	17:12
notmorgan	i did look at plaintext as a testing option	17:12
notmorgan	it was a bigger headache	17:12
*** akrzos-mtg is now known as akrzos		17:13
notmorgan	now in devstack, the runtime is not bad, it does a LOT less user setup/authn than keystone unit tests (as expected)	17:13
notmorgan	i did opt for varchar(255) in the db for the new password hash	17:14
notmorgan	instead of varchar(1500) which would be needed to allow for scrypt and a salt size of 1024 bytes	17:14
notmorgan	so in kyestone scrypt and pbkdf2_sha512 are limited to ~96bytes of salt	17:14
notmorgan	which results in ~230ish bytes in a hash	17:15
dstanek	that's a bummer. we can revisit later if we need to	17:15
notmorgan	i could make it 1500... just people seem to get cranky when you force mysql to use > .5 page for a column	17:16
notmorgan	so, 255 was chosen for sanity-sake	17:16
notmorgan	we also now maintain password.password and password.password_hash	17:16
notmorgan	the .password_hash is the new column	17:16
notmorgan	and keystone does the syncronization not a trigger. a trigger couldn't do the different hashing	17:17
notmorgan	new keystone loads password_hash then password, and writes to both if compat option is set.	17:17
* notmorgan has mush for brains now after delving into password algorithms		17:17
dstanek	:-)	17:19
*** lucasxu has quit IRC		17:21
*** h5t4_ has quit IRC		17:25
*** h5t4 has joined #openstack-keystone		17:26
*** h5t4 has quit IRC		17:33
*** h5t4 has joined #openstack-keystone		17:35
*** lucasxu has joined #openstack-keystone		17:36
*** arunkant has joined #openstack-keystone		17:41
samueldmq	wow, OpenStack Summit in Vancouver again next year	17:44
samueldmq	:)	17:44
*** edmondsw has quit IRC		17:44
notmorgan	this is a good thing	17:46
notmorgan	vancouver was the best venue imho	17:46
samueldmq	I like it too.	17:46
knikolla	ravelar: you there?	17:47
ravelar	knikolla o/	17:51
knikolla	ravelar: o/	17:52
knikolla	was going through your federated attr review	17:52
knikolla	and federated_objects_to_list seems overly complicated for what it's doing	17:53
knikolla	i came up with a shorter approach, interested?	17:53
ravelar	knikolla sure :)	17:54
knikolla	ravelar: cool! http://paste.openstack.org/show/600986/	17:54
knikolla	let me know if that does the same thing.	17:54
ravelar	knikolla sure thing, thanks! :)	17:54
knikolla	:)	17:55
*** lucasxu has quit IRC		17:56
*** lucasxu has joined #openstack-keystone		17:57
*** agrebennikov_ has quit IRC		17:59
*** _cjones_ has quit IRC		18:01
*** _cjones_ has joined #openstack-keystone		18:02
ravelar	knikolla setdefault is interesting, I didn't know it existed, thanks for the neat trick. It seems to work fine :)	18:04
notmorgan	ravelar: you cand do magic with setdefaulyt	18:05
notmorgan	ravelar: i always like using it to set a base value in a dict but not override one if it exists. not even to use it as a implicit get.	18:06
ravelar	notmorgan: yeah still in C mode of thinking where magic doesn't really exist and everything is manual grudge work	18:06
notmorgan	ravelar: honestly, i prefer C/C++... less magic is good	18:06
ravelar	notmorgan well it sure is a nice little life saver	18:06
notmorgan	though Rust and Go is awesome	18:06
ravelar	notmorgan oh same! It hide alot less from you lol	18:06
knikolla	ravelar: it takes a while to fully enter pythonic mode	18:07
ravelar	havent looked into Go yet but dolphm was playing with Ruzxst	18:07
ravelar	Rust*	18:07
knikolla	reviewing notmorgan's code seems to help pick up neat tricks	18:07
notmorgan	knikolla: oh god, don't do that :P	18:07
notmorgan	my code is aweful	18:07
notmorgan	i just do dirty python things in ways you shouldn't usually	18:07
notmorgan	>.>	18:07
ravelar	knikolla tell me about it, you go from the lowest level like C and briefly assembly language to python ha	18:08
notmorgan	ravelar: a few jobs ago was almost exclusively C++ and lua	18:08
ravelar	notmorgan but the unusual part is what makes for interesting tricks ;)	18:08
dolphm	i like the novels that notmorgan shares via inline comments	18:08
ravelar	haha	18:08
notmorgan	dolphm: hey, they help....	18:08
notmorgan	usually	18:08
notmorgan	dolphm: be careful, you're going to find war and peace in a python file in a keystone review at some point	18:09
*** prashkre has joined #openstack-keystone		18:09
knikolla	i prefer verbose comments	18:09
knikolla	notmorgan: during the flight was going through old TODO's	18:10
knikolla	and made a few patches from yours	18:10
knikolla	not sure if i pushed them all or some are in local branches	18:10
*** agrebennikov_ has joined #openstack-keystone		18:14
dolphm	notmorgan: http://cdn.pasteraw.com/kpemw3b07uoj8vp0sdr5kl7iqslyn5a	18:15
notmorgan	dolphm: keystone/auth/_important_comment.py \| 66055 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++	18:15
notmorgan	>>	18:15
dolphm	lol	18:15
notmorgan	i would actually push it to gerrit, but a 3MB joke file seems like a waste of resources	18:15
dolphm	notmorgan: just make it a binary	18:16
*** tesseract has quit IRC		18:16
notmorgan	https://www.irccloud.com/pastebin/AmLVNTjg/	18:16
notmorgan	:)	18:16
notmorgan	annnnyway	18:16
notmorgan	now that we've gotten past that ^_^	18:17
dolphm	why do people put "DNR / WIP / etc" into commit summaries instead of using Workflow-1?	18:23
notmorgan	dolphm: because WIP -1 is not sticky	18:23
notmorgan	(with good reason)	18:23
notmorgan	and they want to be clear it's WIP even if they push multiple patches	18:24
notmorgan	and since git-review can't proactively set "-1 workflow", it is the best "sticky" way to do so.	18:24
notmorgan	i got tired of having to set -1 workflow over and over and over, but wanted to post up a change so 1) I didn't lose it in a worst-case scenario, 2) could get feedback, 3) could collaborate better	18:25
dolphm	lame excuse for spamming my, everyone else's, review queue	18:25
notmorgan	fix git-review or gerrit then :), if git-review could proactively set -1 workflow, i'd use that instead (as would others i'm sure)	18:25
dolphm	notmorgan: those are great reasons to upload early (i do that as well), but none are reasons not to use workflow-1	18:25
notmorgan	and DNR is silly	18:26
notmorgan	DNM (do not merge) is acceptable in my book	18:26
dolphm	notmorgan: that's been my longest standing request for git-review	18:26
dolphm	pretty sure my bug was closed for some reason	18:26
dolphm	it's been many years	18:26
notmorgan	it probably isn't hard to supply the code for it.	18:26
notmorgan	but it might require an extra round-trip and/or HTTP calls	18:26
notmorgan	i don't think the SSH interface can do those things	18:27
notmorgan	probably why git-review doesn't.	18:27
notmorgan	(or we, as non-special users can't do those things)	18:27
notmorgan	dolphm: i am incorrect: https://review.openstack.org/Documentation/cmd-review.html	18:29
dolphm	notmorgan: you should always be able to wip your own review	18:30
notmorgan	dolphm: right, i meant i wasn't sure the SSH interface supported that	18:30
notmorgan	i know the REST and web interfaces do	18:30
dolphm	notmorgan: --label Workflow=-1 ?	18:31
notmorgan	yep	18:32
notmorgan	that should do it	18:32
notmorgan	though i think we use the git interface, so you'd need a second round-trip to do it (we don't use --submit)	18:32
notmorgan	not the worst thing, but w/o an ssh-agent you might need to type your ssh-key password 3 times now instead of 2 :P	18:32
notmorgan	ssh -p 29418 review.example.com gerrit review --label mylabel=+1 c0ff33 <-- gerrits example	18:33
openstackgerrit	Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449	18:33
*** h5t4 has quit IRC		18:35
*** h5t4_ has joined #openstack-keystone		18:37
*** h5t4_ has quit IRC		18:42
*** harlowja has quit IRC		18:43
*** h5t4 has joined #openstack-keystone		18:44
*** harlowja has joined #openstack-keystone		18:46
*** h5t4 has quit IRC		19:01
*** h5t4 has joined #openstack-keystone		19:03
openstackgerrit	Anthony Washington proposed openstack/oslo.policy master: Add additional param to policy.RuleDefault https://review.openstack.org/439070	19:20
*** _cjones_ has quit IRC		19:21
*** agrebennikov_ has quit IRC		19:26
openstackgerrit	Gage Hugo proposed openstack/keystoneauth master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439797	19:36
openstackgerrit	Gage Hugo proposed openstack/keystoneauth master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439797	19:37
*** jose-phillips has quit IRC		19:40
*** ngupta has quit IRC		19:46
*** ngupta has joined #openstack-keystone		19:46
*** raildo has joined #openstack-keystone		19:49
*** MasterOfBugs has joined #openstack-keystone		19:53
*** dikonoor has quit IRC		19:57
openstackgerrit	Gage Hugo proposed openstack/keystonemiddleware master: Added "warning-is-error" sphinx check for docs https://review.openstack.org/439819	19:58
*** pcaruana has quit IRC		19:58
openstackgerrit	Anthony Washington proposed openstack/oslo.policy master: Add additional param to policy.RuleDefault https://review.openstack.org/439070	19:59
*** chlong_ has joined #openstack-keystone		20:01
*** chlong has quit IRC		20:01
*** spilla has quit IRC		20:02
*** adrian_otto has quit IRC		20:02
*** openstackgerrit has quit IRC		20:03
*** lucasxu has quit IRC		20:05
*** chlong_ has quit IRC		20:08
*** harlowja has quit IRC		20:08
*** ngupta has quit IRC		20:10
*** ngupta has joined #openstack-keystone		20:11
*** agrebennikov_ has joined #openstack-keystone		20:14
*** lucasxu has joined #openstack-keystone		20:16
*** henrynash has joined #openstack-keystone		20:19
*** ChanServ sets mode: +v henrynash		20:19
*** jose-phillips has joined #openstack-keystone		20:19
*** chlong_ has joined #openstack-keystone		20:20
*** spilla has joined #openstack-keystone		20:28
*** jrist has quit IRC		20:29
*** agrebennikov_ has quit IRC		20:30
*** agrebennikov_ has joined #openstack-keystone		20:30
*** henrynash has quit IRC		20:34
*** chlong_ has quit IRC		20:36
*** ngupta_ has joined #openstack-keystone		20:38
*** edmondsw has joined #openstack-keystone		20:39
*** ngupta has quit IRC		20:41
*** ngupta_ has quit IRC		20:42
*** jrist has joined #openstack-keystone		20:42
*** edmondsw has quit IRC		20:46
*** adrian_otto has joined #openstack-keystone		20:47
*** edmondsw has joined #openstack-keystone		20:47
*** lucasxu has quit IRC		20:48
*** openstackgerrit has joined #openstack-keystone		20:49
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Add API access key credentials https://review.openstack.org/438761	20:49
openstackgerrit	Gage Hugo proposed openstack/keystoneauth master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439797	20:50
*** chlong_ has joined #openstack-keystone		20:51
*** htruta` has joined #openstack-keystone		20:52
*** edmondsw has quit IRC		20:52
*** htruta has quit IRC		20:53
*** sirushti has quit IRC		20:53
knikolla	This has 3 +2s and is a simple doc change, if anybody wants to +W it. https://review.openstack.org/#/c/437423/	20:53
notmorgan	knikolla: -2! i mean +A	20:54
knikolla	notmorgan: haha, thanks!	20:54
*** lucasxu has joined #openstack-keystone		20:55
*** sirushti has joined #openstack-keystone		20:55
*** henrynash has joined #openstack-keystone		20:56
*** ChanServ sets mode: +v henrynash		20:56
knikolla	notmorgan: this is a correction to the api-ref, if you're interested in reviewing. https://review.openstack.org/#/c/437973/	20:57
knikolla	thanks!	21:00
*** chris_hultin\|AWA is now known as chris_hultin		21:00
*** harlowja has joined #openstack-keystone		21:01
*** harlowja has quit IRC		21:01
*** harlowja has joined #openstack-keystone		21:01
*** ngupta has joined #openstack-keystone		21:02
*** Nakato has quit IRC		21:06
*** Nakato has joined #openstack-keystone		21:07
*** sirushti has quit IRC		21:07
*** sirushti has joined #openstack-keystone		21:08
*** catintheroof has joined #openstack-keystone		21:08
*** catintheroof has quit IRC		21:10
*** catintheroof has joined #openstack-keystone		21:10
*** ngupta has quit IRC		21:12
*** ngupta has joined #openstack-keystone		21:13
*** raildo has left #openstack-keystone		21:17
*** h5t4 has quit IRC		21:28
*** pcaruana has joined #openstack-keystone		21:30
*** pcaruana has quit IRC		21:33
openstackgerrit	Eric Brown proposed openstack/keystone master: Typos in the LoadAuthPlugins note https://review.openstack.org/438714	21:34
*** _cjones_ has joined #openstack-keystone		21:36
*** gyee has joined #openstack-keystone		21:40
*** phalmos has joined #openstack-keystone		21:47
*** ngupta has quit IRC		21:52
*** ngupta has joined #openstack-keystone		21:52
cmurphy	thanks knikolla and notmorgan	21:55
knikolla	cmurphy: you're welcome :)	21:56
*** ngupta has quit IRC		21:57
notmorgan	cmurphy: of course!	21:57
*** thorst has quit IRC		22:00
*** thorst has joined #openstack-keystone		22:00
*** boris-42_ has quit IRC		22:01
*** ngupta has joined #openstack-keystone		22:03
openstackgerrit	Merged openstack/keystone master: Add instruction to restart apache https://review.openstack.org/437423	22:04
*** thorst has quit IRC		22:04
*** lucasxu has quit IRC		22:09
notmorgan	lbragstad: responded to your comments on the hashing review	22:12
*** phalmos has quit IRC		22:13
*** henrynash has quit IRC		22:18
*** gyee has quit IRC		22:20
*** dave-mccowan has quit IRC		22:21
*** henrynash has joined #openstack-keystone		22:23
*** spilla has quit IRC		22:24
*** henrynash has quit IRC		22:24
*** browne has quit IRC		22:27
*** chris_hultin is now known as chris_hultin\|AWA		22:29
openstackgerrit	Merged openstack/keystone master: Remove x-subject-token in api-ref for v3/auth/{projects,domains} https://review.openstack.org/437973	22:30
*** thorst has joined #openstack-keystone		22:30
*** thorst has quit IRC		22:35
darrenc	notmorgan: morning/afternoon	22:36
darrenc	do you have any thoughts on https://bugs.launchpad.net/openstack-manuals/+bug/1668528	22:38
openstack	Launchpad bug 1668528 in openstack-manuals "Install and configure in Installation Guide" [High,Confirmed]	22:38
*** gyee has joined #openstack-keystone		22:40
EmilienM	can someone reminds me when admin_token middleware will be removed? In pike? when exactly?	22:40
lbragstad	EmilienM https://github.com/openstack/keystone/commit/4981da8fb073bb55b689a9ee6f7efc0ac1afb093	22:43
notmorgan	darrenc: no new thoughts. i need to go examine the things in the ubuntu packages	22:43
notmorgan	EmilienM: you have to not have it in your paste pipeline by Queens	22:44
EmilienM	gotcha	22:44
* EmilienM working on it		22:44
notmorgan	EmilienM: but Pike wont break if you leave it in	22:45
EmilienM	thanks!	22:45
darrenc	ok, no worries	22:45
notmorgan	it will just scream loudly in the logs	22:45
notmorgan	and the functionality is not gone, just been moved out of it's own filter and into the main middleware so we can more easily drop it without breaking everyone again	22:45
notmorgan	EmilienM: but that is TBD. "a future release".	22:46
notmorgan	EmilienM: :)	22:46
EmilienM	notmorgan: so the tl;dr is we still use it for the very initial bootstrap of keystone resources (and we should not I know !!) - I'm working on the new workflow that won't require it anymore.	22:53
EmilienM	notmorgan: if you still remind it, please let me know when you actually remove it :D	22:53
EmilienM	notmorgan: vice versa, I'll let you know as soon as we don't need it anymore (it affects tripleo also)	22:54
notmorgan	EmilienM: you need to make sure to set the value in the keystone.conf still, as the default is the behavior is disabled, but i know you need it, the point is that you must remove the middleware, but the functionality just yells at you loudly.	22:56
notmorgan	EmilienM: and because it is a major functionality change we just punted on it and made the defaults as sane/secure as possible	22:57
EmilienM	notmorgan: ack	22:57
*** adriant_ has joined #openstack-keystone		23:01
*** chlong_ has quit IRC		23:08
*** browne has joined #openstack-keystone		23:15
*** lamt has quit IRC		23:17
*** gyee has quit IRC		23:18
*** gyee has joined #openstack-keystone		23:19
*** catintheroof has quit IRC		23:29
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439914	23:34
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439914	23:45
*** dave-mccowan has joined #openstack-keystone		23:51
*** dave-mccowan has quit IRC		23:51
*** Guest27057 is now known as zigo		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!