Thursday, 2017-04-06

samueldmq	lbragstad: nice! looks to be a nice city	00:00
antwash	samueldmq: it is!! very nice city	00:02
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move group policies to DocumentedRuleDefault https://review.openstack.org/449237	00:02
samueldmq	antwash: cool, hopefully I'll get approval to go :-)	00:03
*** shuyingya has joined #openstack-keystone		00:14
*** dikonoor has joined #openstack-keystone		00:18
*** shuyingya has quit IRC		00:19
*** shuyingya has joined #openstack-keystone		00:20
*** lucasxu has joined #openstack-keystone		00:24
*** shuyingya has quit IRC		00:24
*** Shunli has joined #openstack-keystone		00:28
openstackgerrit	Sam Yaple proposed openstack/keystone master: DONOTMERGE - LOCI zuul-cloner test https://review.openstack.org/453933	00:30
*** thorst has joined #openstack-keystone		00:30
*** zhurong has joined #openstack-keystone		00:32
*** brenttang has joined #openstack-keystone		00:38
*** harlowja has quit IRC		00:39
*** thorst has quit IRC		00:39
*** ediardo has quit IRC		00:52
*** gagehugo has quit IRC		00:57
*** lucasxu has quit IRC		01:01
*** liujiong has joined #openstack-keystone		01:07
*** gagehugo has joined #openstack-keystone		01:10
openstackgerrit	Merged openstack/keystone master: Move and refactor test_by_domain_domain https://review.openstack.org/452801	01:14
openstackgerrit	Merged openstack/keystone master: Move and refactor project_and_user_and_role https://review.openstack.org/452908	01:14
openstackgerrit	Merged openstack/keystone master: Move and refactor test_revoke_by_audit_chain_id https://review.openstack.org/453229	01:14
*** stingaci has quit IRC		01:15
*** stingaci has joined #openstack-keystone		01:16
*** shuyingya has joined #openstack-keystone		01:21
*** shuyingya has quit IRC		01:21
*** shuyingya has joined #openstack-keystone		01:21
*** harlowja has joined #openstack-keystone		01:26
*** harlowja has quit IRC		01:26
*** ediardo has joined #openstack-keystone		01:34
*** thorst has joined #openstack-keystone		01:40
*** thorst has quit IRC		01:45
*** shuyingya has quit IRC		01:59
*** shuyingya has joined #openstack-keystone		01:59
*** jamielennox is now known as jamielennox\|away		02:05
*** jamielennox\|away is now known as jamielennox		02:19
*** Shunli has quit IRC		02:26
*** Shunli has joined #openstack-keystone		02:27
*** Shunli has quit IRC		02:32
*** thorst has joined #openstack-keystone		02:41
*** stingaci has quit IRC		02:45
*** aojea has joined #openstack-keystone		02:54
*** aojea has quit IRC		02:59
*** thorst has quit IRC		03:00
*** brad[] has quit IRC		03:09
*** edmondsw has joined #openstack-keystone		03:11
*** lamt has joined #openstack-keystone		03:13
*** stingaci has joined #openstack-keystone		03:14
*** edmondsw has quit IRC		03:16
*** nicolasbock has quit IRC		03:20
*** brad[] has joined #openstack-keystone		03:24
*** links has joined #openstack-keystone		03:45
*** dave-mccowan has quit IRC		03:46
*** rderose_ has joined #openstack-keystone		03:48
*** ravelar has quit IRC		03:51
*** rderose has quit IRC		03:51
*** thorst has joined #openstack-keystone		03:57
*** thorst has quit IRC		04:01
*** erhudy_ has joined #openstack-keystone		04:03
*** thiagolib_ has joined #openstack-keystone		04:03
*** dikonoor has quit IRC		04:05
*** evrardjp_ has joined #openstack-keystone		04:09
*** thiagolib has quit IRC		04:10
*** erhudy has quit IRC		04:10
*** evrardjp has quit IRC		04:10
*** erhudy_ is now known as erhudy		04:10
*** jlopezgu_ has quit IRC		04:12
*** ediardo has quit IRC		04:42
*** rderose_ has quit IRC		04:44
*** lamt has quit IRC		04:45
openstackgerrit	Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile. https://review.openstack.org/452585	05:04
*** dikonoor has joined #openstack-keystone		05:07
openstackgerrit	Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile. https://review.openstack.org/452585	05:10
*** dikonoor has quit IRC		05:26
*** stingaci has quit IRC		05:27
*** richm has quit IRC		05:43
*** thorst has joined #openstack-keystone		05:59
*** thorst has quit IRC		06:03
*** jaosorior_away is now known as jaosorior		06:16
*** aojea has joined #openstack-keystone		06:30
*** voelzmo has joined #openstack-keystone		06:41
*** voelzmo has quit IRC		06:47
*** voelzmo has joined #openstack-keystone		06:47
*** edmondsw has joined #openstack-keystone		06:48
*** edmondsw has quit IRC		06:52
*** thorst has joined #openstack-keystone		06:59
*** pcaruana has joined #openstack-keystone		07:02
*** thorst has quit IRC		07:04
*** tesseract has joined #openstack-keystone		07:04
*** rcernin has joined #openstack-keystone		07:09
*** rcernin has quit IRC		07:10
*** rcernin has joined #openstack-keystone		07:10
*** belmoreira has joined #openstack-keystone		07:13
*** aojea has quit IRC		07:29
*** brenttang has quit IRC		07:42
*** Shunli has joined #openstack-keystone		07:50
*** shuyingya has quit IRC		07:50
*** adriant has quit IRC		07:50
*** shuyingya has joined #openstack-keystone		07:51
*** shuyingya has quit IRC		07:56
*** shuyingya has joined #openstack-keystone		07:57
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** thorst has joined #openstack-keystone		08:00
*** shuyingy_ has joined #openstack-keystone		08:05
*** shuyingya has quit IRC		08:08
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Imported Translations from Zanata https://review.openstack.org/449484	08:16
*** thorst has quit IRC		08:19
*** bjornar_ has joined #openstack-keystone		08:26
*** markvoelker has quit IRC		08:26
*** stingaci has joined #openstack-keystone		08:28
*** stingaci has quit IRC		08:32
*** alex_xu has quit IRC		08:41
*** alex_xu has joined #openstack-keystone		08:42
*** aojea has joined #openstack-keystone		08:46
*** aojea_ has joined #openstack-keystone		08:47
*** aojea has quit IRC		08:50
*** rocky has joined #openstack-keystone		09:03
*** rocky has quit IRC		09:06
*** rocky has joined #openstack-keystone		09:07
*** liujiong has quit IRC		10:03
*** liujiong_lj has joined #openstack-keystone		10:03
*** nicolasbock has joined #openstack-keystone		10:03
*** liujiong_lj has quit IRC		10:12
*** richm has joined #openstack-keystone		10:13
*** thorst has joined #openstack-keystone		10:17
*** thorst has quit IRC		10:22
*** markvoelker has joined #openstack-keystone		10:27
*** markvoelker has quit IRC		10:31
*** links has quit IRC		10:39
*** mvk has quit IRC		10:40
*** evrardjp_ has quit IRC		10:45
*** evrardjp has joined #openstack-keystone		10:45
*** links has joined #openstack-keystone		10:55
*** shuyingy_ has quit IRC		10:57
*** shuyingya has joined #openstack-keystone		10:57
*** dave-mccowan has joined #openstack-keystone		11:06
*** voelzmo has quit IRC		11:24
*** voelzmo has joined #openstack-keystone		11:25
samueldmq	morning keystone	11:29
*** thorst has joined #openstack-keystone		11:32
cmurphy	morning samueldmq	11:33
samueldmq	cmurphy: o/	11:33
samueldmq	cmurphy: there is a review in need of an operator view, if you don't mind ...	11:34
samueldmq	:-)	11:34
*** mvk has joined #openstack-keystone		11:35
samueldmq	cmurphy: https://review.openstack.org/#/c/441549 my point is that if it's okay to change info -> debug just like that	11:36
cmurphy	samueldmq: hmm I don't really have any opinion	11:39
cmurphy	I've never used that parameter	11:39
samueldmq	cmurphy: that's okay thank you :)	11:40
lbragstad	o/	12:13
*** shuyingya has quit IRC		12:21
*** shuyingya has joined #openstack-keystone		12:21
*** Aqsa has joined #openstack-keystone		12:25
*** shuyingy_ has joined #openstack-keystone		12:25
*** markvoelker has joined #openstack-keystone		12:28
*** shuyingya has quit IRC		12:28
*** edmondsw has joined #openstack-keystone		12:30
*** stingaci has joined #openstack-keystone		12:30
*** shuyingy_ has quit IRC		12:32
*** markvoelker has quit IRC		12:32
*** stingaci has quit IRC		12:35
*** voelzmo has quit IRC		12:38
*** voelzmo has joined #openstack-keystone		12:38
*** voelzmo has quit IRC		12:40
*** voelzmo has joined #openstack-keystone		12:41
*** lamt has joined #openstack-keystone		12:41
*** zhurong has quit IRC		12:42
*** ayoung has joined #openstack-keystone		12:52
*** jaosorior has quit IRC		12:52
*** jaosorior has joined #openstack-keystone		12:53
*** spilla has joined #openstack-keystone		12:53
*** Shunli has quit IRC		13:02
*** catintheroof has joined #openstack-keystone		13:05
andymccr	lbragstad: i reworked that patch would love your input when you get a second - the integration with keystone gate bit may require a bit more work to figure out what is exactly needed: https://review.openstack.org/#/c/432449/	13:08
lbragstad	andymccr awesome - thanks!	13:08
*** links has quit IRC		13:09
*** cristicalin has joined #openstack-keystone		13:12
openstackgerrit	Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile. https://review.openstack.org/452585	13:16
*** shuyingya has joined #openstack-keystone		13:21
*** knangia has quit IRC		13:21
*** stradling has joined #openstack-keystone		13:21
*** ravelar has joined #openstack-keystone		13:22
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove unused revocation check in revoke_models https://review.openstack.org/451452	13:24
*** shuyingya has quit IRC		13:25
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke https://review.openstack.org/453235	13:27
bjornar_	What is causing the "Could not load memcache" error when using token backend memcache?	13:27
*** spzala has joined #openstack-keystone		13:30
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add setup to test classes and private method https://review.openstack.org/453254	13:31
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke https://review.openstack.org/453235	13:31
*** chlong has joined #openstack-keystone		13:31
*** shuyingya has joined #openstack-keystone		13:32
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke https://review.openstack.org/453235	13:33
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add setup to test classes and private method https://review.openstack.org/453254	13:40
*** Shunli has joined #openstack-keystone		13:45
lbragstad	bjornar_ do you have a trace? what release are you using?	13:46
dstanek	bjornar_: i would guess that the client library isn't installed	13:46
lbragstad	we also removed the kvs backend for token storage in pike	13:46
lbragstad	https://github.com/openstack/keystone/blob/stable/ocata/keystone/token/persistence/backends/kvs.py#L40-L43	13:47
dstanek	lbragstad: that's a very good point. it's not a great backend for persisting data	13:47
*** jistr is now known as jistr\|afk		13:47
*** Shunli has quit IRC		13:48
lbragstad	https://github.com/openstack/keystone/blob/stable/ocata/setup.cfg#L161-L163 was in ocata	13:48
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add setup to test classes and private method https://review.openstack.org/453254	13:49
lbragstad	bjornar_ https://github.com/openstack/keystone/commit/b8b1e189306539007b6afa052b6c9f909cad41a0 might be related	13:50
lbragstad	bjornar_ unless you're hitting something else	13:50
*** jaosorior is now known as jaosorior_away		13:55
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add setup to test classes and private method https://review.openstack.org/453254	13:55
bjornar_	I am trying to debug this, and what seems to happen is the following: oslo_utils/importutils.py:44 import_str == "memcache", so far so good, I think, but then: oslo_utils/importutils.py:30 (mod_str, _sep, class_str = import_str.rpartition('.')) .. mod_str == '', and __import__(mod_str) fails.. I have no clue what is supposed to be happening here, but I use it as documented!	13:56
dstanek	bjornar_: first i would say that you probably don't want to use memcache as a token backend	13:57
lbragstad	bjornar_ do you have the client library installed (via pip for example)?	13:57
dstanek	bjornar_: do you have a stack trace at all?	13:57
bjornar_	yeah, if I did not want to use memcache, I would not have configured it	13:58
bjornar_	lbragstad, the memcache [cache] is working, and py-memcache and python-memcached is instal.ed	13:59
lbragstad	bjornar_ which release are you using?	13:59
dstanek	bjornar_: just note that you may have excessive token expirations	13:59
dstanek	bjornar_: what version of keystone are you running?	14:00
dstanek	the backend was deprecated in M and removed in O	14:00
*** lamt has quit IRC		14:00
bjornar_	https://pastebin.com/raw/0Xq4GkDk	14:01
bjornar_	dstanek, why does it say nothing about that in: https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html	14:01
bjornar_	lbragstad, ocata	14:01
lbragstad	dstanek looks like it was removed in pike - https://github.com/openstack/keystone/commit/b8b1e189306539007b6afa052b6c9f909cad41a0	14:02
bjornar_	https://docs.openstack.org/ocata/config-reference/tables/conf-changes/keystone.html	14:02
bjornar_	it does not list even as deprecated	14:02
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add setup to test classes and private method https://review.openstack.org/453254	14:03
bjornar_	dstanek, why would one want to store temporary volatile data in db anyway?	14:03
bjornar_	(like a uuid token)	14:04
dstanek	bjornar_: i'm not sure where they got that from	14:04
dstanek	bjornar_: well, the problem with that backend is that it was impossible to control token expiration. so we kept getting lots of bugs about tokens no longer being valid before their expiration	14:05
dstanek	bjornar_: nowadays we have tokens that don't need to be stored in the DB	14:05
*** chris_hultin\|AWA is now known as chris_hultin		14:05
bjornar_	dstanek, ? .. its quite easy to control expiry in a database that support expiration....	14:05
*** melwitt has quit IRC		14:05
*** melwitt has joined #openstack-keystone		14:05
*** melwitt is now known as Guest48910		14:06
bjornar_	dstanek, Yeah, I know you have fernet, but I dont like it, too complex of a maintainance/rollover and so on.	14:06
*** chris_hultin is now known as chris_hultin\|AWA		14:06
*** jraim has quit IRC		14:06
*** agrebennikov has joined #openstack-keystone		14:06
*** jraim_ has joined #openstack-keystone		14:06
dstanek	bjornar_: it's hard to control it in memcache, not the DB	14:06
*** lbragstad has quit IRC		14:07
bjornar_	you dont need to control it, memcache expires it and its gone	14:07
*** spzala has quit IRC		14:07
dstanek	bjornar_: but if it's gone before the user expects then we get bug reports	14:07
bjornar_	anyway. The problem now is just that the documentation is not only misleading, but plain wrong, it seems.	14:07
*** lbragstad has joined #openstack-keystone		14:08
bjornar_	dstanek, why should it be gone before user expects?	14:08
dstanek	bjornar_: memcache eviction	14:08
bjornar_	I mean only if you run out of memory or your server is killed, its ok for me that you need to relogin then.	14:09
*** ChanServ sets mode: +o lbragstad		14:09
*** chris_hultin\|AWA is now known as chris_hultin		14:09
dstanek	bjornar_: since generated tokens are about the same size they fit into the same slabs. this means that you won't fully use all of your memcached memory like you would expect and evictions happen	14:09
dstanek	for example, if you have 8g for memcache then you have only have 128m for tokens	14:09
bjornar_	yeah, yeah.. I have some gigs, and I am not worried. For all I care it beats storing this in sql	14:10
bjornar_	dstanek, wth do you say that?	14:10
bjornar_	Back to where we started: where does it say that memcache backend is depricated/removed, and is this also true for for example redis?	14:11
*** dougshelley66 has quit IRC		14:11
dstanek	bjornar_: memcahce divides it's memory into slabs (iirc based on powers of 2) so object 32k-64k would be put into the same slab. slab fill up independent of other slabs	14:11
bjornar_	dstanek, sounds crazy unlikely to be true, but if it is its insanity	14:12
dstanek	bjornar_: i believe redis can be configured to persist to disk	14:12
bjornar_	dstanek, yeah it can	14:12
*** portdirect has quit IRC		14:12
dstanek	bjornar_: it's true. that's how it has the scaling properties that it has	14:12
*** portdirect has joined #openstack-keystone		14:13
dstanek	bjornar_: just google for memcached slabs and you'll see lots of descriptions of how they work	14:13
*** odyssey4me has quit IRC		14:13
*** chris_hultin is now known as chris_hultin\|AWA		14:14
bjornar_	I dont believe that is true for a bit, but I'll check it out	14:15
dstanek	https://github.com/openstack/keystone/commit/564c4	14:16
bjornar_	problem right now is why does the ocata documentation mention _nothing_ about deprecation or removal of this driver if it is already removed	14:16
*** odyssey4me has joined #openstack-keystone		14:16
dstanek	bjornar_: i wouldn't lie to you :-)	14:17
bjornar_	What a fucking ugly commit. Removing functionahlity without mentioning anywhere in docs. Wth do you let that kind of commits through?!	14:17
ayoung	stevemar, can you see if https://review.openstack.org/#/c/290253/ now meets your standards? I think I addressed your questions.	14:18
ayoung	bjornar_, I would totally lie to you. I lie to everyone.	14:18
dstanek	bjornar_: take it easy. i don't think we mention it anywhere in our docs anymore	14:18
bjornar_	dstanek, I just pointed you to ocata docs..	14:19
*** chris_hultin\|AWA is now known as chris_hultin		14:19
ayoung	bjornar_, the problem was revocations. You revoke a token and it was recorded in the token backend. Restart the token backed (and flush) and you unrevoke tokens.	14:19
dstanek	bjornar_: we don't control those	14:19
ayoung	bjornar_, that particular problem is no longer a problem	14:20
ayoung	but at the same time, we moved to Fernet tokens	14:20
ayoung	which are not persisted at all	14:20
ayoung	revocations are dumb anyway	14:20
ayoung	bjornar_, but that is neither here nor there. Any reason you can't move over to Fernet?	14:21
dstanek	i am curious why i didn't see it mentioned in the generated release notes	14:21
lbragstad	dstanek https://docs.openstack.org/releasenotes/keystone/ocata.html#deprecation-notes	14:22
dstanek	lbragstad: yeah, i just found the source in removed-as-of-ocata.....	14:23
lbragstad	dstanek looks like it rendered properly	14:23
bjornar_	ayoung, I can, but I just dont like it, and that I need to manage rollover and so on in a cluster with master/slave topoplogy and distribution and what not	14:24
dstanek	lbragstad: that says deprecated...there is a release note file for it being removed	14:24
ayoung	bjornar_, so don't	14:24
lbragstad	dstanek yeah - that was merged in Pike	14:24
ayoung	bjornar_, set up the keys once and forget them	14:25
dstanek	bjornar_: if you trust UUID tokens then i don't thing you need to rotate keys	14:25
ayoung	key rotation is highly over rated	14:25
dstanek	bjornar_: it would be more secure, but i think you can by with rotating only after a known issue	14:25
dstanek	ayoung: ++ over rated	14:26
ayoung	bjornar_, I assume you don't want to spend your life full time supporting keystone. Neither do we. THere is a metric ton of stuff in Keystone that should die in a fire.	14:27
ayoung	Tokens in general are a poor proxy for authentication	14:27
ravelar	dolphm	14:27
ayoung	so, yeah, we are going to remove things.	14:27
dstanek	lbragstad: it was burried "The memcache and memcache_pool token persistence backends have been removed in favor of using Fernet tokens (which require no persistence)."	14:27
ayoung	Writable LDAP	14:28
ayoung	PKI Tokens	14:28
ayoung	All of Keystone?	14:28
ayoung	in my dreams, maybe	14:28
ayoung	bottom line, Memcache backend for Tokens have been on the chopping block for a while.	14:28
ayoung	And I suspect UUID tokens will get there eventually, too	14:28
*** markvoelker has joined #openstack-keystone		14:29
bjornar_	The main problem is not that it is removed. Its that its still live and well in your own docs!	14:30
dstanek	ayoung: bjornar_: uuid is already deprecated in pike https://github.com/openstack/keystone/commit/5896d841dfa1e8ab2e3179991b1b5c70f54f2ed1	14:30
bjornar_	And also, I think its sad that "you" allow commits that break functionality, but does not update documentaion in the same commit	14:30
breton	could you please remind me why uuid tokens in sql are bad?	14:30
bjornar_	dstanek, we are not talking about pike here.	14:31
bjornar_	breton, because its volatile, and sql is persistent	14:31
bjornar_	..basically	14:31
bjornar_	no reason to "stress" sql with volatile data imhp	14:31
dstanek	bjornar_: ayoung mentioned that they may evenually go away. i was pointing out that they will go away.	14:31
bjornar_	dstanek, yeah, sure -- I was thinking on this: https://github.com/openstack/keystone/commit/564c4	14:32
breton	i mean, i don't understand why we didn't manage to fix them. Tokens are basically cookies. Cookies are often stored in the database. And cookies work fine for browsers and sites.	14:32
dstanek	bjornar_: this is already a done deal for the reasons that i've outlined. the question is how the docs team got that sample config	14:32
breton	except these cookies have 1h expiration time	14:32
bjornar_	dstanek, probably because the commit above did nothing to document the changes!	14:32
breton	or even better -- sessions	14:33
breton	django stores sessions in the database by default afaik	14:33
dstanek	bjornar_: it's in our release notes...so there was a commit to document it	14:33
ayoung	bjornar_, look deeper. If the keystone team is anything, it is detail oriented. I'm not, but the rest of the team is.	14:33
dstanek	bjornar_: do they actually document that the memcache backend is usable? or is it just in the sameple config?	14:34
bjornar_	dstanek, the problem is that this information is not "available" to everyone.	14:34
breton	so, how has facebook and other web applications managed to work with cookies and we haven't?	14:34
dstanek	bjornar_: what do you mean by available?	14:34
lbragstad	bjornar_ it was tracked under the same branch with a series of commits accomplishing the same goal - https://review.openstack.org/#/c/375914/	14:34
bjornar_	Are you guys seriously suggesting that one should not look at the official documentation, but the commit-logs?!	14:35
*** markvoelker has quit IRC		14:35
lbragstad	bjornar_ that's not what we're suggesting, but we do render formal release notes for changes like that as a way to communicate these kinds of things to operators and users	14:35
dstanek	bjornar_: no. not at all.	14:35
dstanek	bjornar_: do they actually document that the memcache backend is usable? or is it just in the sameple config?	14:35
bjornar_	dstanek, as longs as its in the sample config, and not in deprecations and so on, I would believe it is usable, unless otherwise documented (as for example kvs is)	14:36
dstanek	bjornar_: ok, so i'm trying to help and figure out what went wrong. i'm not looking to blame anyone keystone, docs team or you.	14:37
ravelar	dolphm Happy Birthday!	14:37
dolphm	ravelar: shh	14:37
dstanek	bjornar_: so the only place you've seen it mentioned is the sample config?	14:37
dstanek	dolphm: happy b-day!	14:38
bjornar_	dstanek, yeah, I mean. So far thats where I have looked..	14:38
bjornar_	There and in "new outdated and deprecated"..	14:38
bjornar_	not mentioned there	14:38
breton	what's not mentioned?	14:38
*** cristicalin has quit IRC		14:38
bjornar_	the deprecations	14:38
dstanek	bjornar_: it wasn't deprecated in O it was removed	14:39
bjornar_	it should still be mentioned, right?	14:39
breton	it was mentioned for 2 releases	14:39
breton	in warnings	14:40
bjornar_	and it should probably not be in sample config	14:40
bjornar_	breton, 2 releases ago does not really mean much for new deployers	14:40
bjornar_	Is it anything to discuss? The documentaion is wrong, and this is what people use as a reference mostly	14:40
breton	well, fix it	14:41
dstanek	bjornar_: yes, absolutely useful to discuss. it would be nice to figure out what happened and fix it	14:41
bjornar_	dstanek, imho what happened was that the commit that removed the functionality did nothing to update any documentation regarding it.	14:42
*** Guest48910 is now known as melwitt		14:42
dstanek	bjornar_: the docs you keep pointing to are not under our control	14:42
bjornar_	dstanek, so, perhaps you should have some better rules for what a commit that changes functionality needs to include	14:42
*** aojea_ has quit IRC		14:43
dstanek	bjornar_: that link's source isn't from the same repo either	14:43
bjornar_	dstanek, then thats the problem, where is this information rendered from -- you cant really blame me for reading it, can you? Its basically the official documentation, right?	14:43
dstanek	https://docs.openstack.org/ocata/config-reference/identity/token-provider.html is wrong as well because i belive we remvoved pki in O as well	14:43
dstanek	bjornar_: nobody is blaming you. we are trying to understand where you saw it so that we can get it fixed.	14:44
dstanek	i've said this a few times	14:44
breton	i think it's a good opportunity to file a bugreport for some project	14:44
lbragstad	we have a process for that	14:44
dstanek	i can't find where those docs are actually stored	14:45
lbragstad	dstanek https://github.com/openstack/openstack-manuals/tree/master/doc/config-reference/source/identity	14:45
*** rderose has joined #openstack-keystone		14:45
dstanek	lbragstad: ah, manuals. i kept searching the page for docs	14:45
lbragstad	open a bug against openstack manuals and keystone, it's what we use to make sure all the details that need to be capture in the docs repo are communicated properly	14:45
breton	https://github.com/openstack/openstack-manuals/blob/master/doc/config-reference/source/identity/samples/keystone.conf.rst	14:46
breton	?h=stable/newton	14:46
breton	nice :)	14:46
*** knangia has joined #openstack-keystone		14:48
dstanek	breton: that'll do it	14:49
dstanek	breton: it looks like the ocata branch is fine. they their link should be adjusted	14:50
breton	https://bugs.launchpad.net/openstack-manuals/+bug/1680491	14:51
openstack	Launchpad bug 1680491 in openstack-manuals "keystone.conf is shown for newton" [Undecided,New]	14:51
*** voelzmo has quit IRC		14:51
*** spzala has joined #openstack-keystone		14:51
*** voelzmo has joined #openstack-keystone		14:51
*** voelzmo has quit IRC		14:52
*** voelzmo has joined #openstack-keystone		14:53
*** jistr\|afk is now known as jistr		14:53
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	14:53
dstanek	breton: thanks	14:53
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	14:56
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke https://review.openstack.org/453235	14:57
breton	bjornar_: https://review.openstack.org/#/c/454223/ this should solve your issue	14:58
breton	bjornar_: please file bugreports as soon as you see something wrong or inconsistent	14:58
*** markvoelker has joined #openstack-keystone		14:59
bjornar_	another question you might be able to answer.. how can I force the openstack cli to use the internal endpoint url for the services?	14:59
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add federated support for get user https://review.openstack.org/448730	15:01
dstanek	ravelar: did my comment if your setup review make sense?	15:02
dstanek	bjornar_: according to 'openstack --help' you might be able to use --os-interface. i've never tried myself	15:04
*** TravT has joined #openstack-keystone		15:05
bjornar_	ok..	15:05
bjornar_	dstanek, that worked! thanks... nice documentaion on that option as well ;)	15:06
*** voelzmo has quit IRC		15:07
dstanek	bjornar_: that's a whole other team :D	15:07
*** shuyingya has quit IRC		15:11
openstackgerrit	Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile. https://review.openstack.org/452585	15:13
*** ravelar has quit IRC		15:15
*** ravelar has joined #openstack-keystone		15:17
knikolla	o/	15:21
dstanek	ravelar: you need to use more branches so that you don't push up so many revisions of the same changes	15:23
*** pcaruana has quit IRC		15:28
*** mvk has quit IRC		15:33
dolphm	dstanek: talking about his revocation refactor series?	15:38
*** belmoreira has quit IRC		15:39
*** voelzmo has joined #openstack-keystone		15:44
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: App Keys https://review.openstack.org/450415	15:45
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: App Keys for application authentication https://review.openstack.org/450415	15:46
*** zhurong has joined #openstack-keystone		15:47
*** zhurong has quit IRC		15:49
dstanek	dolphm: that's what drove the thought, but generally speaking too	15:49
*** jlopezgu_ has joined #openstack-keystone		15:50
notmorgan	dstanek: we should revisit keeping a sample config at all	15:51
notmorgan	dstanek: and we should simply ensure we render in the docs instead of a sample cnfig in tree	15:51
*** bjornar_ has quit IRC		15:51
notmorgan	lbragstad: ^	15:51
notmorgan	that way we never have an out-of-date sample config	15:51
notmorgan	or similar confusion	15:52
*** Aqsa has quit IRC		15:52
lbragstad	notmorgan yeah - that's not a bad idea	15:52
lbragstad	notmorgan something to close that gap would be nice	15:52
notmorgan	also the concern bjornar had was related to options being used for more than one thing	15:53
notmorgan	also, wasn't bjornar banned for being abusive to the team at one point?	15:53
notmorgan	from IRC.	15:53
notmorgan	dolphm: so... i hear it's your birthday.	15:54
dstanek	notmorgan: that wouldn't surprise me	15:54
*** ravelar1 has joined #openstack-keystone		15:58
*** ravelar1 has quit IRC		15:59
dolphm	notmorgan: technically	16:00
notmorgan	dolphm: hehe	16:00
notmorgan	dolphm: well... happy technically birthday	16:01
*** lxnch_ has quit IRC		16:01
*** lxnch has joined #openstack-keystone		16:01
*** voelzmo has quit IRC		16:02
*** voelzmo has joined #openstack-keystone		16:08
*** jaosorior_away has quit IRC		16:14
*** jaosorior has joined #openstack-keystone		16:15
gagehugo	dolphm: happy birthday!	16:15
*** browne has joined #openstack-keystone		16:16
*** voelzmo has quit IRC		16:16
*** chris_hultin is now known as chris_hultin\|AWA		16:31
*** chris_hultin\|AWA is now known as chris_hultin		16:31
*** mvk has joined #openstack-keystone		16:37
*** voelzmo has joined #openstack-keystone		16:39
*** jaosorior is now known as jaosorior_away		16:48
*** voelzmo has quit IRC		16:49
*** tesseract has quit IRC		16:50
*** harlowja has joined #openstack-keystone		17:23
*** chris_hultin is now known as chris_hultin\|AWA		17:39
*** rajpatel has joined #openstack-keystone		17:59
*** chlong has quit IRC		18:04
*** bjornar_ has joined #openstack-keystone		18:05
*** clenimar has quit IRC		18:18
*** chlong has joined #openstack-keystone		18:19
*** stingaci has joined #openstack-keystone		18:21
*** lucasxu has joined #openstack-keystone		18:22
*** TravT has quit IRC		18:24
*** rajpatel has quit IRC		18:24
*** aojea has joined #openstack-keystone		18:25
lbragstad	dstanek you were just playing with devstack recently, weren't you?	18:38
lbragstad	dstanek you didn't hit https://bugs.launchpad.net/keystone/+bug/1680525 did you?	18:40
openstack	Launchpad bug 1680525 in OpenStack Identity (keystone) "keystone-manage fails with "ImportError: No module named 'memcache'"" [Undecided,New]	18:40
*** voelzmo has joined #openstack-keystone		18:41
dstanek	lbragstad: nope, i play with devstack all the time. i've not seen that yet	18:44
*** MasterOfBugs has joined #openstack-keystone		18:46
*** rajpatel has joined #openstack-keystone		18:46
lbragstad	dstanek hmmm - seems like something merged recently that broke it?	18:46
lbragstad	or maybe a change in devstack?	18:46
*** chris_hultin\|AWA is now known as chris_hultin		18:47
dstanek	lbragstad: that should be installed by our tox.ini	18:47
lbragstad	dstanek i thought that was an optional dependency	18:47
dstanek	errr wait\	18:47
dstanek	they don't use that. maybe devstack no longer installs it?	18:48
dstanek	lbragstad: it's optional and up to the deployer to install	18:48
lbragstad	right - that's what i thought, too	18:48
dstanek	lbragstad: i just asked the quesiton on the bug	18:51
lbragstad	dstanek lol so did I	18:55
*** ayoung is now known as ayoung_admode		18:55
*** ayoung_admode is now known as ayoung_dadmode		18:55
* lbragstad steps away for a run		18:55
dstanek	ravelar: did you see my question from earlier?	18:56
ravelar	dstanek no, what about?	18:57
bjornar_	why can't I put fernet tokens in database?	18:59
dstanek	ravelar: i was asking about my comment if your setup patch	18:59
dstanek	bjornar_: they are not stored in the database	19:00
bjornar_	?	19:00
*** rajpatel has quit IRC		19:00
bjornar_	dstanek, are they not stored in filesystem? ey_repository = /etc/keystone/fernet-keys/	19:00
*** rajpatel has joined #openstack-keystone		19:00
ravelar	dstanek oh the review?	19:00
bjornar_	dstanek, ofcorse I mean keys, not tokens	19:00
dstanek	bjornar_: ah, keys. there i currently no backend to store them in the database. it's been talked about, but didn't get any traction AFAICR	19:02
bjornar_	Its just so obvious I am dazzled	19:03
dstanek	it's modeled more or less on apache certs	19:03
bjornar_	You basically have a single storage engine that needs to be distributed, sql.. and "you" choose to place keys that needs to be distributed in ... the only _not_ distributed place there is basically, the local fs	19:04
dstanek	it's not necessarily abuot being obvious. it's about not having a stakeholder that wants to commit to doing it or dealing with the related security issues	19:04
dstanek	bjornar_: do you put your SSL certs for apache in the DB?	19:04
bjornar_	dstanek, first of all, I dont use apache, I didnt think anyone did anymore. Second, yes, I ofcorse place ssl certificated in database.	19:05
*** raildo has quit IRC		19:06
dstanek	bjornar_: then feel free to submit a patch	19:06
*** raildo has joined #openstack-keystone		19:06
bjornar_	dstanek, I'd rather rewrite keystone from scratch in luajit I think	19:06
dstanek	bjornar_: i won't stop you	19:07
bjornar_	its probably exists some sql fuse	19:09
dstanek	bjornar_: we've accepted a backlog spec to allow for storage backends - https://review.openstack.org/#/c/311268/	19:11
notmorgan	bjornar_: please feel free to rewrite keystone in something else if you so desire. You're also welcome to contribute fixes such as making fernet keys something that can be distributed.	19:14
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move role policies to DocumentedRuleDefault https://review.openstack.org/449251	19:14
notmorgan	bjornar_: unfortunately we (the developers) cannot do everything and have to gauge interest in features. as dstanek said we proposed distributed backends for fernet keys, it had very little interest as the keys are mostly managed via config-management	19:16
*** voelzmo has quit IRC		19:16
notmorgan	at the moment, which was sufficient for operators.	19:16
notmorgan	it was accepted, but when we asked for contribution we didn't have any and most operators discussed it as pretty far down their requirements compared to other bits we've been working on	19:17
openstackgerrit	Merged openstack/keystone master: Remove unused code in test_revoke https://review.openstack.org/453235	19:17
bjornar_	notmorgan, Yeah, I mean its not a huge problem to do this with ansible, but still -- just a bit frustrated about the design, mostly, that this was not done from day1. I mean -- bootstrap/automatic key rollover and so on and so on could all then just be a part of the cluster-process, not a dependancy on some external "cronjob"	19:27
notmorgan	again, it's simply not been a consistent requirement we've been asked for as a high priority	19:27
notmorgan	part of what we did was leaned on cryptography's implementation of fernet	19:28
notmorgan	which used on-disk	19:28
notmorgan	as a default/easy behavior.	19:28
notmorgan	solving the issue in a secure way with a distributed bit in the DB is also challenging / we didn't have as much crypto info for storing the keys (i worry about DB access in general leaking vs FS access leaking remotely).	19:29
notmorgan	anyway, it's something that has been discussed and we're not opposed to it. we need either someone to own it and build it or we need it to rate higher on the requests for feature type surveys/operator feedback	19:30
bjornar_	notmorgan, I mean seriously, if you are worried about keys leeking out of sql.. hey..	19:31
bjornar_	notmorgan, so keys are cached in local memory right not, correct?	19:32
notmorgan	i worry that SQL is a larger attack vector from any API (since they all tend to share access) than the FS. it is my job to consider these things. I didn't say i'd block changes to enable the distributed thing you're asking for	19:32
notmorgan	i just gave you another bit to consider.	19:33
bjornar_	notmorgan, but still, you have to trust sql. Or get rid of it alltogether, with sql access one could do whatever anyway.. so its not really valid to even mention it	19:33
notmorgan	it is valid to mention, the fernet key can allow someone to craft tokens completely offline with other info	19:34
notmorgan	if someone injects user data into the DB, we can see that. tokens in fernet could be valid with no record of issuance.	19:35
notmorgan	and tokens could be created with near unlimited timeframes (in theory)	19:36
bjornar_	notmorgan, rollover should fix that, and db would allow for fast and automated rollover	19:37
notmorgan	no realistic expiry. with crypto, keys are very important to hold secure. all vectors of attack should be considered. IT doesn't mean halt development efforts. it does mean think before writing code when dealing with IAM.	19:37
* notmorgan shrugs.		19:38
notmorgan	i don't know how else to tell you I wouldn't block the development of what you're asking for. As long as it was considered what the attack vectors and implications for securing the keys are (aka, documentation so different models could be weighed by folks deploying keysotne)	19:39
notmorgan	and as long as someone steps up to write it/help maintain it.	19:39
bjornar_	yeah.. we will probably just do it inhouse to make it happen tomorrow, not next year	19:39
*** lwanderley has joined #openstack-keystone		19:42
notmorgan	feel free to contribute upstream. the spec was accepted, i'm sure (Even if it was dropped) we'd gladly take the code	19:42
notmorgan	the spec being dropped that is.. it's easy to re-add it if someone is developing it	19:42
bjornar_	notmorgan, so it's this thing? https://review.openstack.org/#/c/311268/2/specs/keystone/backlog/fernet-key-store.rst	19:44
*** openstack has joined #openstack-keystone		19:44
notmorgan	but it could be re-added/revert the deletion if someone is going to develop it.	19:44
notmorgan	thats a relatively simple process since it was already accepted	19:45
notmorgan	bjornar_: we would need to revert https://review.openstack.org/#/c/439194/	19:46
bjornar_	notmorgan, Ok, so I see.. so what about encrypting the keys in db with a static key in keystone.conf?	19:54
notmorgan	you'd need to see how fernet works and if you could do this easily. Second, I'd want to see the documentation on the thread analysis of a setup like that. What are the risks, what are the rewards, etc	19:55
notmorgan	threat*	19:56
notmorgan	doesn't need to be crazy detailed, just a solid overview.	19:56
notmorgan	with that said, I much prefer something that doesn't involve keystone.conf (since that is a restart of keystone service) to change.	19:56
*** voelzmo has joined #openstack-keystone		19:57
*** voelzmo has quit IRC		19:57
*** voelzmo has joined #openstack-keystone		19:57
notmorgan	for key rotation purposes / static keys. however, I can't say I'd score the idea -1, -2, +1, +2 etc without more detail than "what about X" on irc.	19:57
*** chris_hultin is now known as chris_hultin\|AWA		20:00
*** voelzmo has quit IRC		20:01
*** chris_hultin\|AWA is now known as chris_hultin		20:02
*** harlowja has quit IRC		20:03
dstanek	bjornar_: now you hitting the 'security considerations' i was talking about earlier	20:12
dstanek	bjornar_: from my perspective we do not trust the database with secrets.	20:12
bjornar_	its silly not to trust the database, but perhaps not not to trust the database backups.	20:17
dstanek	it's absolutely not silly. it's also potentially illegal depending on what is being stored..... this is why passwords are hashed and not stored in plaintext	20:22
dstanek	bjornar_: i often use this cartoon in security classes: https://xkcd.com/327/	20:27
bjornar_	dstanek, you are the cartoon in security classes	20:27
dstanek	bjornar_: um...sure	20:28
notmorgan	bjornar_: not sure if that was implying he was not competant or if we're hitting a language barrier here. I'm going to ask that we keep the channel free of insults (if that was the intent)	20:28
bjornar_	no insult intended	20:29
notmorgan	ok. cool, like i said, wasn't sure.	20:29
dstanek	bjornar_: it highlights why databases can't be trusted as a secure source of secrets	20:29
notmorgan	and i didn't want anything to feel like an overreaction ^_^. thanks for understanding	20:29
dstanek	not enough security controls by itself	20:29
bjornar_	dstanek, that is just not correct, seriously man	20:29
bjornar_	dstanek, how can you trust a filesystem when one has rm?	20:30
bjornar_	how can you trust a computer when it has a power cord	20:30
bjornar_	..and so on	20:30
notmorgan	you can do a lot with POSIX and MAC at the kernel level. a lot of those features are harder to implement when an application needs r/w access to the db	20:30
dstanek	bjornar_: so that cartoon uses DROP, but there have lots of DB injection attacks that have allowed attackers to pull out data	20:30
bjornar_	I hope sql injections are a thing of the pas	20:31
dstanek	bjornar_: maybe, maybe not. we still have to protect against them	20:31
notmorgan	bjornar_: so do i, we use the ORM, but if there is an issue, it could happen. it is more likely to happen than a read on the FS or even a read out of memory	20:31
dstanek	you also mentioned backups. that's a real problems	20:31
notmorgan	dstanek: ++	20:31
dstanek	we would be negligent not to hash password. and the same goes for any other secret we store.	20:32
bjornar_	Is this #paranoid about sql, but codebase crappy as f*** with bugs one can see from miles away?	20:32
notmorgan	bjornar_: ok so, please point out the bugs.	20:32
notmorgan	we have issues, it is known we have issues, we work on fixing them	20:33
bjornar_	notmorgan, they are for my own hobby purposes ;)	20:33
bjornar_	I mean, it impossible to keep a civil and intellectual discussion about anything if people keeps bringing up things like uid's are not safe, sql is not safe, sql-injections (1980) and so on.	20:34
dstanek	bjornar_: i'm sorry, but i must point out the obvious. as a core part of openstack's security posture we have the responsibility and obligation to follow all of the security best practices.	20:34
dstanek	bjornar_: how so? we've not had complaints about being to secure in the past	20:34
notmorgan	bjornar_: i don't think we're being unreasonable in pointing these out. we have not said in the slightest we can't lean on the DB for secrets.	20:34
notmorgan	we are saying if we look at that we need to have a clear "what are the risks"	20:35
notmorgan	and a discussion about risks included things such as SQL injection, even with sanitized input... it happens. bugs occur	20:35
dstanek	we actually currently have passwords in the DB and a whole credentials subsystem for other types of secrets	20:36
notmorgan	security is important, and as dstanek said, it is important we look at all best practices.	20:36
bjornar_	Yeah, that I can relate to, but one cannot be a channel full of paranoid schitzoprenics	20:36
notmorgan	we haven't said "SQL is insecure" we have said "SQL has issues, here are what we see, this is important before we put these types of secrets in the DB"	20:37
notmorgan	i classify the former as paranoid, the latter as realistic approach to technology that has security implications	20:37
bjornar_	the point is still on a level above, and not related to the keystone project as such	20:37
notmorgan	and there are times to say "yep we know issue X, Y, Z are real issues and if you use this driver, be aware of the exposures"	20:38
bjornar_	the choice that one trusts sql is done at the above level. After that, its not valid to discuss anymore I think	20:38
notmorgan	and sometimes it's better to say "we can't do that because it is a serious issue"	20:38
bjornar_	where backups are placed and so on it the users security issue	20:38
bjornar_	same goes for fs and whatever else	20:38
notmorgan	i can make the same argument about using the FS insead of SQL for the keys	20:38
notmorgan	it's the user's issue to synchronize	20:38
dstanek	bjornar_: you're missing my point about SQL. if we store secrets there we must enrypt or hash. that's it. we can't trust that the data won't leak.	20:39
bjornar_	dstanek, one must not	20:39
bjornar_	dstanek, thats bs.. why should it leak?	20:39
bjornar_	anymore than a file in ansible?	20:39
notmorgan	it's the same reason sha512_crypt is "Secure" but you don't publish your shadow file for your servers	20:40
dstanek	bjornar_: yes. it's actually a common problem.	20:40
notmorgan	or even your private SSH key encrypted.	20:40
bjornar_	I mean how keys are generated one place, copied into ansible localhost's memory and then distributed around is a far bigger security risk	20:40
bjornar_	and thats what "everyone" does these days	20:40
dstanek	backups, interfaces built on top of database, faulty logging, etc....	20:40
dstanek	so we do our best to protect against real world issues.	20:40
notmorgan	we have mostly stayed out of the "secure the keys" details where we can. leaving the details for such things in the same tech that say SSL Private Keys are handled for deployment	20:41
dstanek	we are not being obstructionists and saying you can't put those things in the database. feel free to write the driver for it	20:41
notmorgan	it's a different scope of security/data distribution.	20:41
bjornar_	notmorgan, Yeah, please do	20:41
bjornar_	Completely agree, this has to be secured on a different level	20:41
notmorgan	we are and have been saying we will accept code for this	20:41
notmorgan	we're not saying no at all.	20:42
dstanek	notmorgan: i actually like that because the problem has already been solved so no reason to solve it again	20:42
notmorgan	dstanek: i also agree	20:42
notmorgan	but i wouldn't block a driver to put this in the DB as long as the risks are documented	20:42
bjornar_	I can set a guy on implementing this tomorrow, but I'm just not ready for the whole database is not secure cartoon conversation.	20:42
notmorgan	i'm happy to accept useful code to make people's lives better.	20:42
dstanek	notmorgan: the spec i reference earlier was because the deployment tooling someone was using made rotation and distribution hard for some reason	20:43
notmorgan	dstanek: yah.	20:43
notmorgan	and i'm happy to revive the spec honestly	20:43
lbragstad	we talked about refining it in the meeting	20:43
notmorgan	but unless someone is willing to contribute and document the details and risks (so informed decisions can be made when deploying) it wont happen	20:44
*** david-lyle has quit IRC		20:44
dstanek	bjornar_: then make sure the secure the data. it may be as easy as using the same approach that we used for credentials	20:44
notmorgan	bjornar_: we're really trying to say we're not blocking you or your people from working on it.	20:44
bjornar_	thing is one has to trust the db	20:44
notmorgan	and that we'd accept it.	20:44
*** rcernin has quit IRC		20:44
dstanek	bjornar_: no, you have to enrypt your secrets	20:44
notmorgan	but you'll have to work with us on it.	20:44
bjornar_	dstanek, I dont want to speak to you anymore, so please be kind and stay out of the rest of this conversation	20:45
notmorgan	bjornar_: then i'm sorry we're kindof at an impass.	20:45
notmorgan	i trust dstanek very much when it comes to this type of stuff	20:45
lbragstad	bjornar_ as a community we do not tolerate the negativity you've displayed in this conversation. It's unnecessary and counter-productive. I encourage you to read and understand our community guidelines https://www.openstack.org/legal/community-code-of-conduct/	20:45
notmorgan	and his view is important as a core on the project.	20:45
dstanek	bjornar_: that's fine, but just realize that nothing will merge if it has secrets as plaintext in the database	20:45
notmorgan	and what lbragstad said.	20:46
notmorgan	lbragstad: heh i was looking for that link. thanks.	20:46
*** ChanServ sets mode: +b !@*		20:46
*** tlbr was kicked by ChanServ (User is banned from this channel)		20:46
*** andrewbogott was kicked by ChanServ (User is banned from this channel)		20:46
*** peterstac was kicked by ChanServ (User is banned from this channel)		20:46
*** jistr was kicked by ChanServ (User is banned from this channel)		20:46
*** redrobot was kicked by ChanServ (User is banned from this channel)		20:46
*** briancurtin was kicked by ChanServ (User is banned from this channel)		20:46
*** jgrassler was kicked by ChanServ (User is banned from this channel)		20:46
*** topol was kicked by ChanServ (User is banned from this channel)		20:46
*** cargonza was kicked by ChanServ (User is banned from this channel)		20:46
*** kamal___ was kicked by ChanServ (User is banned from this channel)		20:46
*** raddaoui was kicked by ChanServ (User is banned from this channel)		20:46
*** jamiec was kicked by ChanServ (User is banned from this channel)		20:46
*** kevinbenton was kicked by ChanServ (User is banned from this channel)		20:46
*** med_ was kicked by ChanServ (User is banned from this channel)		20:46
*** zigo was kicked by ChanServ (User is banned from this channel)		20:46
*** nonameentername was kicked by ChanServ (User is banned from this channel)		20:46
*** serverascode was kicked by ChanServ (User is banned from this channel)		20:46
*** sudorandom was kicked by ChanServ (User is banned from this channel)		20:46
*** jefrite was kicked by ChanServ (User is banned from this channel)		20:46
*** baffle was kicked by ChanServ (User is banned from this channel)		20:46
*** Kimmo_ was kicked by ChanServ (User is banned from this channel)		20:46
*** hrybacki was kicked by ChanServ (User is banned from this channel)		20:46
*** andreaf was kicked by ChanServ (User is banned from this channel)		20:46
*** bradjones was kicked by ChanServ (User is banned from this channel)		20:46
*** Daviey was kicked by ChanServ (User is banned from this channel)		20:46
*** mancdaz was kicked by ChanServ (User is banned from this channel)		20:46
*** ctracey was kicked by ChanServ (User is banned from this channel)		20:46
*** johnthetubaguy was kicked by ChanServ (User is banned from this channel)		20:46
*** Nakato was kicked by ChanServ (User is banned from this channel)		20:46
*** martinus__ was kicked by ChanServ (User is banned from this channel)		20:46
*** breton was kicked by ChanServ (User is banned from this channel)		20:46
*** anteaya was kicked by ChanServ (User is banned from this channel)		20:46
*** cburgess was kicked by ChanServ (User is banned from this channel)		20:46
*** wolsen was kicked by ChanServ (User is banned from this channel)		20:46
*** robcresswell was kicked by ChanServ (User is banned from this channel)		20:46
*** spotz was kicked by ChanServ (User is banned from this channel)		20:46
*** afazekas was kicked by ChanServ (User is banned from this channel)		20:46
*** wasmum- was kicked by ChanServ (User is banned from this channel)		20:46
*** mgagne was kicked by ChanServ (User is banned from this channel)		20:46
*** comstud was kicked by ChanServ (User is banned from this channel)		20:46
*** chris_hultin was kicked by ChanServ (User is banned from this channel)		20:46
*** hyakuhei was kicked by ChanServ (User is banned from this channel)		20:46
*** g2 was kicked by ChanServ (User is banned from this channel)		20:46
*** mjb was kicked by ChanServ (User is banned from this channel)		20:46
*** zeus was kicked by ChanServ (User is banned from this channel)		20:46
*** EmilienM was kicked by ChanServ (User is banned from this channel)		20:46
*** ildikov was kicked by ChanServ (User is banned from this channel)		20:46
*** bigjools was kicked by ChanServ (User is banned from this channel)		20:46
*** jlvillal was kicked by ChanServ (User is banned from this channel)		20:46
*** Anticimex was kicked by ChanServ (User is banned from this channel)		20:46
*** asettle was kicked by ChanServ (User is banned from this channel)		20:46
*** dims was kicked by ChanServ (User is banned from this channel)		20:46
*** Alex_Oughton was kicked by ChanServ (User is banned from this channel)		20:46
*** dstanek was kicked by ChanServ (User is banned from this channel)		20:46
*** bknudson_ was kicked by ChanServ (User is banned from this channel)		20:46
*** dtroyer was kicked by ChanServ (User is banned from this channel)		20:46
*** dr_gogeta86 was kicked by ChanServ (User is banned from this channel)		20:46
*** yuval was kicked by ChanServ (User is banned from this channel)		20:46
*** clayton was kicked by ChanServ (User is banned from this channel)		20:46
*** iurygregory was kicked by ChanServ (User is banned from this channel)		20:46
*** antwash was kicked by ChanServ (User is banned from this channel)		20:46
*** charz was kicked by ChanServ (User is banned from this channel)		20:46
*** vaishali was kicked by ChanServ (User is banned from this channel)		20:46
*** basilAB was kicked by ChanServ (User is banned from this channel)		20:46
*** sirushti was kicked by ChanServ (User is banned from this channel)		20:46
*** arturb was kicked by ChanServ (User is banned from this channel)		20:46
*** waj334 was kicked by ChanServ (User is banned from this channel)		20:46
*** DuncanT was kicked by ChanServ (User is banned from this channel)		20:46
*** jmccrory was kicked by ChanServ (User is banned from this channel)		20:46
*** david_cu was kicked by ChanServ (User is banned from this channel)		20:46
*** Tahvok was kicked by ChanServ (User is banned from this channel)		20:46
*** d34dh0r53 was kicked by ChanServ (User is banned from this channel)		20:46
*** eglute was kicked by ChanServ (User is banned from this channel)		20:46
*** lifeless was kicked by ChanServ (User is banned from this channel)		20:46
*** rha was kicked by ChanServ (User is banned from this channel)		20:46
*** kencjohnston was kicked by ChanServ (User is banned from this channel)		20:46
*** woodburn was kicked by ChanServ (User is banned from this channel)		20:46
*** tonyb was kicked by ChanServ (User is banned from this channel)		20:46
*** flaper87 was kicked by ChanServ (User is banned from this channel)		20:46
*** Administrator_ was kicked by ChanServ (User is banned from this channel)		20:46
*** john5223 was kicked by ChanServ (User is banned from this channel)		20:46
*** wxy was kicked by ChanServ (User is banned from this channel)		20:46
*** aleph1 was kicked by ChanServ (User is banned from this channel)		20:46
*** htruta was kicked by ChanServ (User is banned from this channel)		20:46
*** eandersson was kicked by ChanServ (User is banned from this channel)		20:46
*** jlopezgu was kicked by ChanServ (User is banned from this channel)		20:46
*** knikolla was kicked by ChanServ (User is banned from this channel)		20:46
*** r1chardj0n3s was kicked by ChanServ (User is banned from this channel)		20:46
*** rakhmerov was kicked by ChanServ (User is banned from this channel)		20:46
*** samueldmq was kicked by ChanServ (User is banned from this channel)		20:46
*** AndyWojo was kicked by ChanServ (User is banned from this channel)		20:46
*** timburke was kicked by ChanServ (User is banned from this channel)		20:46
*** hugokuo was kicked by ChanServ (User is banned from this channel)		20:46
*** dgonzalez was kicked by ChanServ (User is banned from this channel)		20:46
*** mnaser was kicked by ChanServ (User is banned from this channel)		20:46
*** chrome0 was kicked by ChanServ (User is banned from this channel)		20:46
*** raginbajin was kicked by ChanServ (User is banned from this channel)		20:46
*** obre_ was kicked by ChanServ (User is banned from this channel)		20:46
*** freerunner was kicked by ChanServ (User is banned from this channel)		20:46
*** bauruine was kicked by ChanServ (User is banned from this channel)		20:46
*** sileht was kicked by ChanServ (User is banned from this channel)		20:46
*** nkinder was kicked by ChanServ (User is banned from this channel)		20:46
*** openstackstatus was kicked by ChanServ (User is banned from this channel)		20:46
*** Guest6666 was kicked by ChanServ (User is banned from this channel)		20:46
*** rdo was kicked by ChanServ (User is banned from this channel)		20:46
*** dulek was kicked by ChanServ (User is banned from this channel)		20:46
*** andreykurilin was kicked by ChanServ (User is banned from this channel)		20:46
*** timss was kicked by ChanServ (User is banned from this channel)		20:46
*** DinaBelova was kicked by ChanServ (User is banned from this channel)		20:46
*** luzC was kicked by ChanServ (User is banned from this channel)		20:46
*** jlwhite was kicked by ChanServ (User is banned from this channel)		20:46
*** cmurphy was kicked by ChanServ (User is banned from this channel)		20:46
*** dobson was kicked by ChanServ (User is banned from this channel)		20:46
*** ianw was kicked by ChanServ (User is banned from this channel)		20:46
*** dmellado was kicked by ChanServ (User is banned from this channel)		20:46
*** Adobeman was kicked by ChanServ (User is banned from this channel)		20:46
*** kukacz was kicked by ChanServ (User is banned from this channel)		20:46
*** nikhil was kicked by ChanServ (User is banned from this channel)		20:46
*** rm_work was kicked by ChanServ (User is banned from this channel)		20:46
*** SamYaple was kicked by ChanServ (User is banned from this channel)		20:46
*** davechen was kicked by ChanServ (User is banned from this channel)		20:46
*** aloga was kicked by ChanServ (User is banned from this channel)		20:46
*** marekd was kicked by ChanServ (User is banned from this channel)		20:46
*** Dave was kicked by ChanServ (User is banned from this channel)		20:46
*** frickler was kicked by ChanServ (User is banned from this channel)		20:46
*** BlackDex was kicked by ChanServ (User is banned from this channel)		20:46
*** jdennis1 was kicked by ChanServ (User is banned from this channel)		20:46
*** mfisch was kicked by ChanServ (User is banned from this channel)		20:46
*** jrist was kicked by ChanServ (User is banned from this channel)		20:46
*** oomichi was kicked by ChanServ (User is banned from this channel)		20:46
*** openstackgerrit was kicked by ChanServ (User is banned from this channel)		20:46
*** darrenc was kicked by ChanServ (User is banned from this channel)		20:46
*** wuyanjun was kicked by ChanServ (User is banned from this channel)		20:46
*** Aurelgad1o was kicked by ChanServ (User is banned from this channel)		20:46
*** John341 was kicked by ChanServ (User is banned from this channel)		20:46
*** NikitaKonovalov was kicked by ChanServ (User is banned from this channel)		20:46
*** Guest94155 was kicked by ChanServ (User is banned from this channel)		20:46
*** akrzos was kicked by ChanServ (User is banned from this channel)		20:46
*** Krenair was kicked by ChanServ (User is banned from this channel)		20:46
*** Dinesh_Bhor was kicked by ChanServ (User is banned from this channel)		20:46
*** mtreinish was kicked by ChanServ (User is banned from this channel)		20:46
*** rvba was kicked by ChanServ (User is banned from this channel)		20:46
*** toddnni was kicked by ChanServ (User is banned from this channel)		20:46
*** haplo37_ was kicked by ChanServ (User is banned from this channel)		20:46
*** slunkad was kicked by ChanServ (User is banned from this channel)		20:46
*** szaher was kicked by ChanServ (User is banned from this channel)		20:46
*** rodrigods was kicked by ChanServ (User is banned from this channel)		20:46
*** andymccr was kicked by ChanServ (User is banned from this channel)		20:46
*** raj_singh was kicked by ChanServ (User is banned from this channel)		20:46
*** d0ugal was kicked by ChanServ (User is banned from this channel)		20:46
*** rarora was kicked by ChanServ (User is banned from this channel)		20:46
*** masterjcool was kicked by ChanServ (User is banned from this channel)		20:46
*** gsilvis was kicked by ChanServ (User is banned from this channel)		20:46
*** masber was kicked by ChanServ (User is banned from this channel)		20:46
*** MarkMielke was kicked by ChanServ (User is banned from this channel)		20:46
*** toabctl was kicked by ChanServ (User is banned from this channel)		20:46
*** smccully was kicked by ChanServ (User is banned from this channel)		20:46
*** gus was kicked by ChanServ (User is banned from this channel)		20:46
*** jamielennox was kicked by ChanServ (User is banned from this channel)		20:46
*** hoonetorg was kicked by ChanServ (User is banned from this channel)		20:46
*** gagehugo was kicked by ChanServ (User is banned from this channel)		20:46
*** brad[] was kicked by ChanServ (User is banned from this channel)		20:46
*** erhudy was kicked by ChanServ (User is banned from this channel)		20:46
*** thiagolib_ was kicked by ChanServ (User is banned from this channel)		20:46
*** zzzeek was kicked by ChanServ (User is banned from this channel)		20:46
*** alex_xu was kicked by ChanServ (User is banned from this channel)		20:46
*** rocky was kicked by ChanServ (User is banned from this channel)		20:46
*** nicolasbock was kicked by ChanServ (User is banned from this channel)		20:46
*** richm was kicked by ChanServ (User is banned from this channel)		20:46
*** evrardjp was kicked by ChanServ (User is banned from this channel)		20:46
*** dave-mccowan was kicked by ChanServ (User is banned from this channel)		20:46
*** thorst was kicked by ChanServ (User is banned from this channel)		20:46
*** edmondsw was kicked by ChanServ (User is banned from this channel)		20:46
*** ayoung_dadmode was kicked by ChanServ (User is banned from this channel)		20:46
*** spilla was kicked by ChanServ (User is banned from this channel)		20:46
*** catintheroof was kicked by ChanServ (User is banned from this channel)		20:46
*** stradling was kicked by ChanServ (User is banned from this channel)		20:46
*** melwitt was kicked by ChanServ (User is banned from this channel)		20:46
*** agrebennikov was kicked by ChanServ (User is banned from this channel)		20:46
*** jraim_ was kicked by ChanServ (User is banned from this channel)		20:46
*** portdirect was kicked by ChanServ (User is banned from this channel)		20:46
*** odyssey4me was kicked by ChanServ (User is banned from this channel)		20:46
*** rderose was kicked by ChanServ (User is banned from this channel)		20:46
*** knangia was kicked by ChanServ (User is banned from this channel)		20:46
*** spzala was kicked by ChanServ (User is banned from this channel)		20:46
*** markvoelker was kicked by ChanServ (User is banned from this channel)		20:46
*** ravelar was kicked by ChanServ (User is banned from this channel)		20:46
*** jlopezgu_ was kicked by ChanServ (User is banned from this channel)		20:46
*** lxnch was kicked by ChanServ (User is banned from this channel)		20:46
*** jaosorior_away was kicked by ChanServ (User is banned from this channel)		20:46
*** browne was kicked by ChanServ (User is banned from this channel)		20:46
*** mvk was kicked by ChanServ (User is banned from this channel)		20:46
*** bjornar_ was kicked by ChanServ (User is banned from this channel)		20:46
*** chlong was kicked by ChanServ (User is banned from this channel)		20:46
*** stingaci was kicked by ChanServ (User is banned from this channel)		20:46
*** lucasxu was kicked by ChanServ (User is banned from this channel)		20:46
*** aojea was kicked by ChanServ (User is banned from this channel)		20:46
*** MasterOfBugs was kicked by ChanServ (User is banned from this channel)		20:46
*** rajpatel was kicked by ChanServ (User is banned from this channel)		20:46
*** raildo was kicked by ChanServ (User is banned from this channel)		20:46
*** lwanderley was kicked by ChanServ (User is banned from this channel)		20:46
*** openstack was kicked by ChanServ (User is banned from this channel)		20:46
*** openstack has joined #openstack-keystone		22:00
fungi	now it's back	22:00
*** Dave has joined #openstack-keystone		22:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements https://review.openstack.org/453881	22:03
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/439318	22:03
*** darrenc has joined #openstack-keystone		22:03
lbragstad	fungi sweet - thanks!	22:13
*** topol has joined #openstack-keystone		22:24
*** asettle has joined #openstack-keystone		22:27
*** eandersson has joined #openstack-keystone		22:37
*** chrome0 has joined #openstack-keystone		22:39
*** tik has joined #openstack-keystone		22:39
*** tik has quit IRC		22:41
mordred	fungi: why didn't I get kicked from the channel?	22:46
fungi	mordred: i think it must not kick anyone with certain flags (maybe in the chanserv access list?)	22:48
morgan	mordred: +r/+e i think is safe	22:48
morgan	mordred: infra, and a couple of us (ptl/ex-ptls) are set that way	22:48
morgan	mordred: +e - Exempts from +b and enables unbanning self.	22:49
morgan	mordred: and the fat finger was +b !@* :P	22:49
fungi	(more or less anyway)	22:50
mordred	ah. this makes sense	22:50
*** rajpatel is now known as Raj_zzz		22:54
*** chris_hultin is now known as chris_hultin\|AWA		23:02
*** Raj_zzz is now known as rajpatel		23:05
*** rajpatel is now known as rajpatel_away		23:05
*** spzala has joined #openstack-keystone		23:22
*** rajpatel_away has quit IRC		23:32
*** adriant has joined #openstack-keystone		23:37
*** thorst has joined #openstack-keystone		23:43
*** david-lyle has joined #openstack-keystone		23:48
*** thorst has quit IRC		23:48
*** lwanderley has joined #openstack-keystone		23:50
*** lwanderley has quit IRC		23:53
*** lwanderley has joined #openstack-keystone		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!