Thursday, 2017-06-29

*** spzala has quit IRC		00:07
*** spzala has joined #openstack-keystone		00:12
*** spzala has quit IRC		00:14
*** thorst has joined #openstack-keystone		00:18
*** jdwidari has joined #openstack-keystone		00:21
*** thorst has quit IRC		00:23
*** thorst has joined #openstack-keystone		00:31
*** thorst has quit IRC		00:33
*** edmondsw has joined #openstack-keystone		01:07
*** liujiong has joined #openstack-keystone		01:10
*** edmondsw has quit IRC		01:12
*** jmlowe has quit IRC		01:19
*** Shunli has joined #openstack-keystone		01:19
*** jmlowe has joined #openstack-keystone		01:32
*** sbezverk has quit IRC		01:34
*** tobberydberg has joined #openstack-keystone		01:35
*** thorst has joined #openstack-keystone		01:37
*** thorst has quit IRC		01:37
*** tobberydberg has quit IRC		01:39
*** wlfightup has joined #openstack-keystone		01:39
*** lucasxu has joined #openstack-keystone		01:41
morgan	mordred: i'll try and come up with something on that patch chain where i had to -1 if you don't by tomorrow	01:41
*** wlfightup has quit IRC		01:47
*** dave-mccowan has joined #openstack-keystone		01:58
*** dave-mccowan has quit IRC		02:05
*** dave-mccowan has joined #openstack-keystone		02:06
*** gyee has quit IRC		02:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth master: Updated from global requirements https://review.openstack.org/477945	02:19
*** aselius has quit IRC		02:28
lbragstad	cmurphy: stevemar thanks for the responses!	02:33
*** Shunli has quit IRC		02:33
*** Shunli has joined #openstack-keystone		02:33
*** Shunli has quit IRC		02:35
*** Shunli has joined #openstack-keystone		02:35
*** Shunli has quit IRC		02:40
*** Shunli has joined #openstack-keystone		02:40
*** Shunli has quit IRC		02:42
*** Shunli has joined #openstack-keystone		02:42
stevemar	@lbragstad np	02:46
stevemar	i think we used to get caught up deprecating things for a single true path	02:47
stevemar	but, if maintenance is low, let it be	02:47
*** Shunli has quit IRC		02:48
*** dave-mccowan has quit IRC		02:55
*** edmondsw has joined #openstack-keystone		02:56
openstackgerrit	yangweiwei proposed openstack/keystone master: Clean up auto created domain when creating duplicate idp in federation https://review.openstack.org/462408	02:57
*** edmondsw has quit IRC		03:00
*** zhurong has quit IRC		03:11
*** Shunli has joined #openstack-keystone		03:12
*** thorst has joined #openstack-keystone		03:38
*** thorst has quit IRC		03:43
*** ducttape_ has joined #openstack-keystone		03:44
*** zhurong has joined #openstack-keystone		03:49
*** ducttap__ has joined #openstack-keystone		03:58
*** john5223_ has joined #openstack-keystone		04:00
*** lucasxu has quit IRC		04:01
*** ducttap__ has quit IRC		04:02
*** ducttape_ has quit IRC		04:02
*** namnh has joined #openstack-keystone		04:23
*** namnh has quit IRC		04:23
*** namnh has joined #openstack-keystone		04:23
*** phalmos has joined #openstack-keystone		04:24
*** edmondsw has joined #openstack-keystone		04:43
*** edmondsw has quit IRC		04:49
*** liujiong has quit IRC		04:49
*** links has joined #openstack-keystone		04:53
*** phalmos has quit IRC		05:02
*** links has quit IRC		05:03
*** phalmos has joined #openstack-keystone		05:09
*** pcaruana has joined #openstack-keystone		05:14
*** phalmos has quit IRC		05:15
*** links has joined #openstack-keystone		05:15
*** gyee has joined #openstack-keystone		05:15
*** Shunli has quit IRC		05:18
*** Shunli has joined #openstack-keystone		05:19
*** Shunli has quit IRC		05:23
*** Shunli has joined #openstack-keystone		05:24
*** pcaruana has quit IRC		05:30
*** pcaruana has joined #openstack-keystone		05:33
*** thorst has joined #openstack-keystone		05:39
*** pcaruana has quit IRC		05:39
*** Shunli has quit IRC		05:43
*** Shunli has joined #openstack-keystone		05:44
*** thorst has quit IRC		05:44
*** Shunli has quit IRC		05:45
*** Shunli has joined #openstack-keystone		05:46
*** rcernin_ has joined #openstack-keystone		05:48
*** zhurong has quit IRC		05:56
*** rcernin_ is now known as rcernin		06:04
*** zhurong has joined #openstack-keystone		06:11
*** zhurong has quit IRC		06:19
*** zhurong has joined #openstack-keystone		06:22
*** edmondsw has joined #openstack-keystone		06:32
openstackgerrit	yangweiwei proposed openstack/keystone master: Clean up auto created domain when creating duplicate idp in federation https://review.openstack.org/462408	06:32
*** edmondsw has quit IRC		06:36
*** Shunli has quit IRC		07:04
*** Shunli has joined #openstack-keystone		07:05
*** Shunli has quit IRC		07:09
*** Shunli has joined #openstack-keystone		07:10
*** Shunli has quit IRC		07:11
*** gyee has quit IRC		07:12
*** aojea has joined #openstack-keystone		07:21
*** tesseract has joined #openstack-keystone		07:31
openstackgerrit	kavitha h r proposed openstack/keystone master: Remove unused None from dict.get() https://review.openstack.org/478782	07:33
*** pcaruana has joined #openstack-keystone		07:35
*** nkinder has quit IRC		07:36
*** thorst has joined #openstack-keystone		07:40
*** nkinder has joined #openstack-keystone		07:41
*** thorst has quit IRC		07:47
*** tesseract has quit IRC		07:47
*** openstackgerrit has quit IRC		07:47
*** tesseract has joined #openstack-keystone		07:48
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** junbo has quit IRC		08:03
*** junbo has joined #openstack-keystone		08:06
*** tesseract has quit IRC		08:30
*** tesseract has joined #openstack-keystone		08:32
*** pnavarro has joined #openstack-keystone		08:38
*** aojea has quit IRC		09:19
*** aojea has joined #openstack-keystone		09:20
*** liujiong has joined #openstack-keystone		09:38
*** tesseract has quit IRC		09:38
samueldmq	morning keystone!	09:40
*** tesseract has joined #openstack-keystone		09:40
cmurphy	\o	09:41
*** thorst has joined #openstack-keystone		09:43
*** openstackgerrit has joined #openstack-keystone		09:47
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone master: Move trust to DocumentedRuleDefault https://review.openstack.org/449278	09:47
*** thorst has quit IRC		09:48
*** mvk has quit IRC		09:58
*** aojea has quit IRC		09:59
*** aojea has joined #openstack-keystone		10:00
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystoneauth master: Add release note for 'none' auth plugin https://review.openstack.org/478839	10:02
*** liujiong has quit IRC		10:23
*** mvk has joined #openstack-keystone		10:25
openstackgerrit	yangweiwei proposed openstack/keystone master: Clean up auto created domain when creating duplicate idp in federation https://review.openstack.org/462408	10:51
*** aojea has quit IRC		10:55
*** aojea has joined #openstack-keystone		10:55
*** ducttape_ has joined #openstack-keystone		11:03
*** ducttape_ has quit IRC		11:08
*** nishaYadav has joined #openstack-keystone		11:09
nishaYadav	o/	11:09
openstackgerrit	Merged openstack/keystoneauth master: Updated from global requirements https://review.openstack.org/477945	11:11
*** sjain has joined #openstack-keystone		11:12
*** aojea has quit IRC		11:15
*** aojea has joined #openstack-keystone		11:15
nishaYadav	Can anyone please help me find the source of these docs - https://docs.openstack.org/ocata/config-reference/identity/config-options.html	11:30
sjain	nishaYadav: I think I know where these are, just a sec	11:31
cmurphy	nishaYadav: here http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/config-reference/source/identity/config-options.rst	11:31
sjain	yup these ^^	11:32
sjain	thanks cmurphy!	11:32
cmurphy	sjain: those are going to be moved into the keystone tree though right?	11:32
sjain	yes right	11:32
sjain	I'm working on those, they need integration with oslo.config which I'm trying to figure out	11:33
nishaYadav	thanks cmurphy sjain :)	11:34
*** edmondsw has joined #openstack-keystone		11:35
sjain	@lbragstad: I need some help with PKI certificates, can you ping me whenever you are free, we can start working on those docs	11:36
*** raildo has joined #openstack-keystone		11:39
*** thorst has joined #openstack-keystone		11:57
*** namnh has quit IRC		12:01
*** aojea has quit IRC		12:28
*** aojea has joined #openstack-keystone		12:29
*** chlong_ has joined #openstack-keystone		12:35
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Expose getting EndpointData on adapter and session https://review.openstack.org/469091	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add support for version ranges https://review.openstack.org/469090	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Support a list of interface values https://review.openstack.org/477169	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Support explicitly requesting the 'latest' version https://review.openstack.org/469089	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add flags to turn discovery on and off https://review.openstack.org/469088	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Clean up a few review nits https://review.openstack.org/477657	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Plumb endpoint_override through get_endpoint_data https://review.openstack.org/469092	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Update docs and add a release note https://review.openstack.org/477566	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Ensure we discover only when we should https://review.openstack.org/477242	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Optimize matching version no microversion needed https://review.openstack.org/470274	12:40
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Refactor volume mock urls in identity_common tests https://review.openstack.org/477246	12:40
mordred	morgan: I believe I figured it out	12:40
cmurphy	good morning mordred	12:40
mordred	cmurphy: morning! I just replied to your question on the version ranges patch - tl;dr - this is all about major versions	12:44
cmurphy	mordred: okay then that makes a little more sense	12:45
mordred	oh - I need to go back and address the min_version='latest' question. blast - I had intended to address all the things before pushing the stack up again	12:45
mordred	cmurphy: it's a weird concept/area and pretty much confuses everyone	12:45
cmurphy	ya :(	12:46
mordred	cmurphy: so you think we should accept min_version='latest' - but then maybe error if min_version='latest' and max_version is anything other than 'latest' or None ?	12:46
cmurphy	mordred: that seems intuitive to me	12:47
cmurphy	morgan: ^	12:47
*** masber has quit IRC		12:48
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add support for version ranges https://review.openstack.org/469090	13:00
mordred	cmurphy: maybe like that ^^	13:00
*** lucasxu has joined #openstack-keystone		13:01
cmurphy	mordred: I think that makes sense	13:02
mordred	cool. adding test real quick	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Expose getting EndpointData on adapter and session https://review.openstack.org/469091	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add support for version ranges https://review.openstack.org/469090	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Support a list of interface values https://review.openstack.org/477169	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Clean up a few review nits https://review.openstack.org/477657	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Plumb endpoint_override through get_endpoint_data https://review.openstack.org/469092	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Update docs and add a release note https://review.openstack.org/477566	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Ensure we discover only when we should https://review.openstack.org/477242	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Optimize matching version no microversion needed https://review.openstack.org/470274	13:03
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Refactor volume mock urls in identity_common tests https://review.openstack.org/477246	13:03
mordred	cmurphy, morgan, samueldmq: enjoy your daily does of version-discovery! :)	13:04
*** ayoung has joined #openstack-keystone		13:07
*** ducttape_ has joined #openstack-keystone		13:07
*** ducttape_ has quit IRC		13:12
*** sjain has quit IRC		13:17
*** jsavak has joined #openstack-keystone		13:18
*** sjain has joined #openstack-keystone		13:29
*** pnavarro has quit IRC		13:29
*** ducttape_ has joined #openstack-keystone		13:31
*** nishaYadav has quit IRC		13:32
*** ducttap__ has joined #openstack-keystone		13:32
*** ducttap__ has quit IRC		13:33
*** ducttap__ has joined #openstack-keystone		13:33
*** ducttape_ has quit IRC		13:36
*** nishaYadav has joined #openstack-keystone		13:45
*** zhurong has quit IRC		13:49
stevemar	lbragstad: https://review.openstack.org/#/c/478601/1	13:50
openstackgerrit	Chandan Kumar proposed openstack/keystone-tempest-plugin master: Cleaned up *-requirements.txt https://review.openstack.org/478938	13:51
*** ducttap__ has quit IRC		13:56
*** ducttape_ has joined #openstack-keystone		13:57
*** phalmos has joined #openstack-keystone		13:57
*** nishaYadav_ has joined #openstack-keystone		13:58
*** phalmos_ has joined #openstack-keystone		14:00
*** spzala has joined #openstack-keystone		14:01
*** phalmos has quit IRC		14:03
cmurphy	this could use some keystone feedback before i start harassing the horizon team for reviews https://review.openstack.org/#/c/476064/	14:04
*** ducttape_ has quit IRC		14:05
*** nishaYadav_ has quit IRC		14:05
*** ducttape_ has joined #openstack-keystone		14:05
*** sjain has quit IRC		14:06
*** ducttape_ has quit IRC		14:23
*** pnavarro has joined #openstack-keystone		14:25
*** aojea has quit IRC		14:25
*** aojea has joined #openstack-keystone		14:26
*** ducttape_ has joined #openstack-keystone		14:30
*** zhurong has joined #openstack-keystone		14:30
*** ducttape_ has quit IRC		14:39
*** zhurong has quit IRC		14:40
*** lbragstad has quit IRC		14:40
*** ducttape_ has joined #openstack-keystone		14:41
*** jmlowe has quit IRC		14:46
*** ducttape_ has quit IRC		14:47
*** spzala has quit IRC		14:57
*** ayoung has quit IRC		15:01
*** jmlowe has joined #openstack-keystone		15:02
*** ducttape_ has joined #openstack-keystone		15:07
*** lbragstad has joined #openstack-keystone		15:14
*** ChanServ sets mode: +o lbragstad		15:14
*** jistr is now known as jistr\|afk		15:20
*** ayoung has joined #openstack-keystone		15:21
knikolla	o/	15:21
lbragstad	o/	15:21
*** rcernin has quit IRC		15:28
*** gyee has joined #openstack-keystone		15:38
*** aselius has joined #openstack-keystone		15:40
gagehugo	o/	15:49
*** aojea has quit IRC		15:51
*** nishaYadav has quit IRC		15:54
*** jistr\|afk is now known as jistr		16:07
lbragstad	stevemar: need a release for stable/newton i think https://review.openstack.org/#/c/478984/	16:10
stevemar	lbragstad: isn't stable/newton borked?	16:10
lbragstad	stevemar: ?	16:10
lbragstad	stevemar: how so?	16:10
stevemar	https://review.openstack.org/#/c/469514/	16:11
stevemar	gate-keystone-dsvm-functional-ubuntu-xenial has been failing consistently	16:11
lbragstad	ugh	16:12
lbragstad	something must have changed in tempest?	16:12
lbragstad	so apparently https://github.com/openstack/keystone-tempest-plugin/blob/360bbafa385624f1e86841875baabbbf1104e877/keystone_tempest_plugin/tests/api/identity/v3/test_identity_providers.py#L228-L244 is possible in stable/newton	16:16
samueldmq	cmurphy: about https://review.openstack.org/#/c/476064	16:18
morgan	mordred: well then	16:19
samueldmq	cmurphy: how do users on a private hidden domain log in into horizon (it their domain does not appear in the dropdown)?	16:19
lbragstad	stevemar: damn...	16:21
lbragstad	stevemar: it's because https://github.com/openstack/keystone/commit/de8fbcf9a0072c84adf4f3630088bc34f9e9782e didn't get back ported	16:22
lbragstad	that ^ patch adds validation for mapping_ids	16:22
lbragstad	which didn't make it back to stable/newton	16:22
lbragstad	as a result, we wrote tests in out tempest plugin to assert that functionality	16:22
lbragstad	which breaks stable/newton (because it doesn't have it...)	16:22
morgan	mordred: have a nit on the chain (needs to be fixed, but can be done as a followup), so far looking like +2s the whole way	16:25
stevemar	@lbragstad backport it :)	16:26
mordred	morgan: WOOT	16:26
lbragstad	stevemar: ok - not sure if it falls within the realm of acceptable backport material (since it's not a security fix) but since stable/newton is borked - what do we have to lose	16:27
mordred	morgan: I have a 'fix-nits' patch at the end we can add the nit fixes to	16:27
morgan	yeah, the latest != latest bit	16:27
morgan	that should be ValueError not TypeError	16:27
morgan	i know you're looking at types, but we care about the values, since we allow string and int	16:28
morgan	and float or whatever	16:28
*** mvk has quit IRC		16:28
morgan	commented and tossed a +2 on it	16:28
morgan	mordred: https://review.openstack.org/#/c/477169 did you see my in-line question?	16:28
morgan	on the earlier patchset?	16:28
morgan	that one ^ and i'm now reviewing https://review.openstack.org/#/c/477242 -- but pretty much the whole chain looks good	16:30
mordred	morgan: good point re: ValueError	16:30
morgan	so, +2s all across, need the ValueError fixed at the end of the chain and answer the question re interface names.	16:31
morgan	(477169 will get a +2 with an answerto my question)	16:32
mordred	morgan: we are not adding a new hard-lock on those values - the comment about the valid values was deeper in the chain and I just copied it to all the places that take interface	16:32
morgan	wfm	16:32
morgan	just wanted a sanity check on that	16:32
mordred	morgan: yah- if you look at the bottom of https://review.openstack.org/#/c/477169/5/keystoneauth1/access/service_catalog.py - you can see the old copies of that comment	16:32
morgan	next time, don't change docs like that.	16:32
morgan	make the relatively unrelated doc change separately	16:33
mordred	morgan: fair	16:33
morgan	will make it more clear that we're not changing something unexpected	16:33
morgan	+2.	16:33
morgan	now you just need someone else to +2/+A the ones that don't already have +2s	16:33
morgan	erm 2x+2	16:33
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Clean up a few review nits https://review.openstack.org/477657	16:34
mordred	morgan: ^^ that's got the ValueError bits	16:34
morgan	nice	16:35
lbragstad	stevemar: well - let's see what happens https://review.openstack.org/#/c/478994/	16:39
morgan	lbragstad: uhm https://review.openstack.org/#/c/475929 -- doesn't this leak if a bad user password is used	16:42
morgan	when using ldap?	16:42
morgan	i.e. shouldn't this be a security error?	16:43
lbragstad	morgan: what information would leak?	16:48
lbragstad	morgan: if a user used a bad password anyway?	16:48
*** pcaruana has quit IRC		16:48
*** jdwidari has quit IRC		16:49
morgan	we say "bad username / password" elsewhere	16:50
morgan	this explicitly communicates a bad password	16:50
morgan	it's inconsistent	16:50
lbragstad	morgan: oh - i see what you mean	16:50
lbragstad	morgan: good point	16:50
lbragstad	cc gagehugo ^	16:50
morgan	and breaks current security guidelines we implemented in keystone	16:50
morgan	it's not "wrong" to do this, but we should be consistent in one direction or another	16:51
lbragstad	morgan: yeah - that makes sense	16:51
lbragstad	morgan: well - does credentials mean only password or username + password?	16:53
*** sjain has joined #openstack-keystone		16:54
*** jsavak has quit IRC		16:56
openstackgerrit	Merged openstack/keystone master: Remove keystone_tempest_plugin from setup.cfg https://review.openstack.org/478601	16:56
morgan	i don't know in this case	16:56
*** jsavak has joined #openstack-keystone		16:56
morgan	this is why i asked.	16:56
lbragstad	morgan: it's a good question	16:57
lbragstad	gagehugo: ping*	16:57
*** tesseract has quit IRC		16:58
*** jsavak has quit IRC		17:01
*** rderose has joined #openstack-keystone		17:04
gagehugo	imo credentials is username/password, but I'm fine with being explicit in saying "username / password" instead	17:06
gagehugo	https://github.com/openstack/keystone/blob/59177627b36236466baaeac6484c4550d4a0ba11/keystone/auth/plugins/password.py#L40	17:07
gagehugo	It says username or password there, I'm fine with using that for LDAP as well	17:08
*** jsavak has joined #openstack-keystone		17:11
*** nishaYadav has joined #openstack-keystone		17:11
*** aojea has joined #openstack-keystone		17:15
openstackgerrit	Gage Hugo proposed openstack/keystone master: Clarify LDAP invalid credentials exception https://review.openstack.org/475929	17:17
gagehugo	morgan lbragstad ^	17:17
*** sjain_ has joined #openstack-keystone		17:18
samueldmq	lbragstad: so we run current code against old (in stable branches) tempest	17:18
samueldmq	?	17:18
lbragstad	samueldmq: yeah	17:18
lbragstad	gagehugo: thanks - looks good to me	17:19
lbragstad	gagehugo: morgan thoughts on adding a releasenote for that?	17:19
lbragstad	gagehugo: morgan i'm not sure how the wording work go, but it fixes a bug	17:19
samueldmq	lbragstad: so every single change that changes an API behavior needs to be backported to the affected stable branches	17:20
*** sjain has quit IRC		17:20
lbragstad	samueldmq: yeah - essentially	17:20
*** aojea has quit IRC		17:20
samueldmq	lbragstad: I thought there were some requirements to meet in order to be able to backport	17:20
samueldmq	like needs to be a security issue, etc	17:20
lbragstad	samueldmq: yeah - i looked into that, stable/newton is in phase II	17:20
lbragstad	which means it's acceptable to backport critical fixes and security fixes	17:21
lbragstad	phase III is security fixes only	17:21
lbragstad	according to https://docs.openstack.org/project-team-guide/stable-branches.html#support-phases	17:21
samueldmq	lbragstad: https://github.com/openstack/keystone/commit/de8fbcf9a0072c84adf4f3630088bc34f9e9782e does not look to be critical	17:21
samueldmq	nor a security thing, does it?	17:22
lbragstad	samueldmq: it does change the API, but it also fixes the gate :-/	17:22
lbragstad	otherwise stable/newton is broken	17:22
lbragstad	samueldmq: i was considering the fact the stable/newton is broken without it to be critical	17:23
samueldmq	yeah I know we fix the gate, my whole point is that our methods/approach in tempest in stable branches might not be in agreement with what we have from the stable branches requirements	17:23
lbragstad	samueldmq: we also don't run stable branches against changes in master	17:23
lbragstad	because of the lack of resources	17:23
samueldmq	lbragstad: so https://github.com/openstack/keystone/commit/de8fbcf9a0072c84adf4f3630088bc34f9e9782e is from Ocata	17:23
lbragstad	the change that added that test to the keystone_tempest_plugin would have broken	17:24
*** raildo has quit IRC		17:24
lbragstad	samueldmq: yeah - which is prior to our tempest plugin support, which is where that test was added	17:24
samueldmq	ok, I just would like to point out that there might be some exceptions to the stable branches rules	17:25
samueldmq	and this looks to be one	17:26
openstackgerrit	Kelly Hall proposed openstack/keystone master: Trim Whitespace from X-Subject-Token https://review.openstack.org/470425	17:26
lbragstad	samueldmq: yeah - it's a weird edge case	17:26
lbragstad	samueldmq: we're kind of stuck between a rock and a hard place	17:27
samueldmq	lbragstad: ++	17:28
lbragstad	that branch is in phase II, but the fix isn't security related or critical and changes an API :-/	17:28
*** aojea has joined #openstack-keystone		17:30
lbragstad	grabbing lunch	17:31
*** mvk has joined #openstack-keystone		17:33
samueldmq	lbragstad: exactly, and this is cause by the process we have. so something might need to be fixed (in addition to the gate) :)	17:34
samueldmq	caused	17:35
openstackgerrit	Kelly Hall proposed openstack/keystone master: Trim Whitespace from X-Subject-Token https://review.openstack.org/470425	17:35
*** sjain_ has quit IRC		17:48
*** nishaYadav has quit IRC		17:51
*** raildo has joined #openstack-keystone		17:52
cmurphy	samueldmq: re horizon they wouldn't be able to log in if the domain isn't in the dropdown, but for instance service users wouldn't want that anyway	17:56
*** aojea_ has joined #openstack-keystone		18:00
*** aojea has quit IRC		18:02
*** aojea_ has quit IRC		18:10
*** aojea has joined #openstack-keystone		18:11
lbragstad	stevemar: https://review.openstack.org/#/c/478994/ passed	18:14
*** aojea has quit IRC		18:15
*** jmlowe has quit IRC		18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Ensure there isn't duplication in federated auth https://review.openstack.org/479026	18:20
*** mnaser has left #openstack-keystone		18:21
*** rmascena has joined #openstack-keystone		18:34
*** raildo has quit IRC		18:36
*** jdennis1 has joined #openstack-keystone		18:44
*** jdennis has quit IRC		18:45
*** sbezverk has joined #openstack-keystone		18:52
lbragstad	rodrigods: ^ addresses a couple of you comments from an old review	18:54
*** jmlowe_ has joined #openstack-keystone		18:55
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Clean up a few review nits https://review.openstack.org/477657	18:56
mordred	morgan: when you update the exception something throws, you need to update the test that tests thta it throws that exception too :)	18:56
mordred	cmurphy: didja see? the ksa stack has a morgan +2 all the way up!!!	18:57
morgan	mordred: hah	18:57
cmurphy	mordred: very impressive	18:59
cmurphy	mordred: i may not get a chance to revisit till tomorrow	18:59
mordred	cmurphy: that's perfectly fine - I appreciate all of your reviews	19:01
*** aojea has joined #openstack-keystone		19:05
*** thorst has quit IRC		19:06
*** thorst has joined #openstack-keystone		19:08
*** thorst has quit IRC		19:13
lbragstad	gagehugo: want to add a release note to https://review.openstack.org/#/c/475929/8 ?	19:15
gagehugo	lbragstad sure	19:15
lbragstad	gagehugo: awesome - thanks!	19:15
gagehugo	will do after this meeting	19:16
lbragstad	gagehugo: no worries	19:16
lbragstad	gagehugo: i left a comment on the review, too	19:16
*** sbezverk has quit IRC		19:16
lbragstad	knikolla: do you want to add a release note for https://bugs.launchpad.net/keystone/+bug/1696111 to keystone so that we don't miss it?	19:18
openstack	Launchpad bug 1696111 in python-keystoneclient "Keystone confuses users when creating a trust when there's a roles name conflict" [Low,Fix committed] - Assigned to Kristi Nikolla (knikolla)	19:18
lbragstad	knikolla: thanks for the fixes there, it looks like all of them merged	19:19
*** ducttap__ has joined #openstack-keystone		19:22
*** ducttape_ has quit IRC		19:22
*** thorst has joined #openstack-keystone		19:23
*** sbezverk has joined #openstack-keystone		19:23
*** jmlowe_ has quit IRC		19:28
*** jmlowe has joined #openstack-keystone		19:40
*** sjain has joined #openstack-keystone		19:45
*** jmlowe_ has joined #openstack-keystone		19:48
*** jmlowe has quit IRC		19:49
*** sjain has quit IRC		19:51
*** sbezverk has quit IRC		19:57
*** aojea has quit IRC		20:01
*** eandersson has quit IRC		20:10
*** aojea has joined #openstack-keystone		20:11
*** sbezverk has joined #openstack-keystone		20:15
*** pnavarro has quit IRC		20:39
lbragstad	samueldmq: ping	20:42
lbragstad	samueldmq: were you about to recreate https://bugs.launchpad.net/keystone/+bug/1688123 per gagehugo's comment?	20:42
openstack	Launchpad bug 1688123 in OpenStack Identity (keystone) "ignore_password_expiry is not honored" [Undecided,New]	20:42
*** lucasxu has quit IRC		20:44
*** sbezverk has quit IRC		20:44
*** sbezverk has joined #openstack-keystone		20:45
openstackgerrit	Kelly Hall proposed openstack/keystone master: Trim Whitespace from X-Subject-Token https://review.openstack.org/470425	21:01
*** jmlowe has joined #openstack-keystone		21:02
*** jmlowe_ has quit IRC		21:03
openstackgerrit	Gage Hugo proposed openstack/keystone master: Clarify LDAP invalid credentials exception https://review.openstack.org/475929	21:08
gagehugo	lbragstad ^ lemme know if that works	21:08
lbragstad	gagehugo: commented	21:10
gagehugo	ah yeah will do	21:11
openstackgerrit	Gage Hugo proposed openstack/keystone master: Clarify LDAP invalid credentials exception https://review.openstack.org/475929	21:17
openstackgerrit	Nicolas Helgeson proposed openstack/keystone master: WIP: Add project tags https://review.openstack.org/470317	21:17
*** f13o has joined #openstack-keystone		21:21
gagehugo	samueldmq lbragstad I also played around with the unit test/freezegun for the expiry bug and I couldn't get it to break	21:21
lbragstad	samueldmq: gagehugo so - i think i figured out the problem	21:21
lbragstad	samueldmq: gagehugo http://paste.openstack.org/show/614119/ sets the resource option	21:22
lbragstad	but the clients interpret http://paste.openstack.org/show/614120/ as also being "valid" because it's in extras	21:23
lbragstad	so - you end up with something like this	21:24
*** rmascena has quit IRC		21:25
gagehugo	hmm	21:25
*** raildo has joined #openstack-keystone		21:26
*** jmlowe has quit IRC		21:27
lbragstad	http://paste.openstack.org/show/614121/	21:28
lbragstad	i can't actually update the resource options via the api because json schema is expecting a boolean but the actual json body isn't marshalling it to a boolean	21:28
lbragstad	which seems wrong	21:28
lbragstad	cc morgan ^	21:28
*** aojea_ has joined #openstack-keystone		21:29
morgan	weird	21:29
lbragstad	fwiw - my update_user.json file looks like this - http://paste.openstack.org/show/614119/	21:29
gagehugo	I just curl'd to update my example	21:29
morgan	hm	21:29
lbragstad	http://paste.openstack.org/show/614119/ is value json but keystone is giving me a 400	21:30
morgan	"True" != True	21:30
lbragstad	right - somewhere along the line keystone isn't making u"True" -> True	21:30
*** sbezverk has quit IRC		21:31
morgan	don't quote it	21:31
morgan	JSON doesn't quote booleans	21:31
*** aojea has quit IRC		21:31
gagehugo	http://paste.openstack.org/show/614123/	21:31
gagehugo	I used true instead of "True"	21:31
morgan	>>> json.loads('{"t": true}')	21:32
morgan	{u't': True}	21:32
lbragstad	http://paste.openstack.org/show/614124/	21:32
morgan	lowercase	21:32
lbragstad	derp	21:32
morgan	sorry.	21:32
lbragstad	yeah - ok	21:32
morgan	true vs True ;)	21:32
*** sbezverk has joined #openstack-keystone		21:32
gagehugo	heh	21:33
lbragstad	ok - it works!	21:33
lbragstad	http://paste.openstack.org/show/614125/	21:33
morgan	yup	21:33
morgan	"True" != true != True ...	21:34
lbragstad	morgan: ture	21:34
lbragstad	true*	21:34
lbragstad	so there isn't an issue with https://bugs.launchpad.net/keystone/+bug/1688123	21:34
openstack	Launchpad bug 1688123 in OpenStack Identity (keystone) "ignore_password_expiry is not honored" [Undecided,New]	21:34
*** raildo has quit IRC		21:34
lbragstad	samueldmq: was attempting to update the user by using http://paste.openstack.org/show/614120/	21:35
lbragstad	which wasn't getting filed as an option	21:35
lbragstad	but the client actually returns is in the response because it's in extras	21:35
* lbragstad hates extras		21:35
gagehugo	does it show up in options though if it's stored in extras?	21:38
lbragstad	gagehugo: no	21:38
lbragstad	gagehugo: it's just a weird usability wart	21:38
gagehugo	hmm	21:38
lbragstad	if you attempt to update the user with http://paste.openstack.org/show/614120/	21:38
gagehugo	yeah that gets dumped in extras	21:39
lbragstad	you see if rendered as http://paste.openstack.org/show/614126/	21:39
lbragstad	but the password expiry logic is right in requiring you to update it as http://paste.openstack.org/show/614119/	21:40
gagehugo	ah ok	21:40
lbragstad	becaus that's the official option	21:40
lbragstad	make sense?	21:40
gagehugo	yup	21:40
gagehugo	I was just confused why it was showing up for samueldmq in the report as correct	21:40
lbragstad	i literally had to stare at this for an hour to figure out why samueldmq was hitting the issue and you weren't	21:40
gagehugo	options \| {'ignore_lockout_failure_attempts': True, 'ignore_password_expiry': True, 'ignore_change_password_upon_first_use': True}	21:41
lbragstad	yeah - that's how it should render	21:41
lbragstad	not like http://paste.openstack.org/show/614126/	21:41
gagehugo	but no that makes sense cause I ran into the 400 issue cause I was trying to do "True" as well opposed to true	21:41
lbragstad	yeah	21:42
lbragstad	we need to update https://docs.openstack.org/developer/keystone/admin/identity-security-compliance.html :(	21:44
*** aojea_ has quit IRC		21:49
*** f13o has quit IRC		21:53
lbragstad	gagehugo: updated https://bugs.launchpad.net/keystone/+bug/1688123	21:54
openstack	Launchpad bug 1688123 in OpenStack Identity (keystone) "ignore_password_expiry is not honored" [Undecided,Invalid]	21:54
lbragstad	make sense?	21:54
lbragstad	cc samueldmq ^	21:55
gagehugo	lbragstad yup	21:56
*** jsavak has quit IRC		21:59
*** aojea has joined #openstack-keystone		22:01
*** jdennis1 has quit IRC		22:01
*** jdennis has joined #openstack-keystone		22:01
*** thorst has quit IRC		22:01
lbragstad	gagehugo: samueldmq opened https://bugs.launchpad.net/keystone/+bug/1701389 as a result	22:01
openstack	Launchpad bug 1701389 in OpenStack Identity (keystone) "Security compliance documentation in admin-guide is out of date" [High,Triaged]	22:01
gagehugo	lbragstad I can pick that up if no one else is dying to do it	22:05
lbragstad	gagehugo: all yours if you want it :)	22:05
*** aojea has quit IRC		22:05
lbragstad	gagehugo: it falls in line with all the documentation work we're doing, too	22:06
gagehugo	lbragstad yup	22:06
lbragstad	we effectively have to take the relevant bits from https://docs.openstack.org/developer/keystone/advanced-topics/security_compliance.html and move it into https://docs.openstack.org/developer/keystone/admin/identity-security-compliance.html	22:06
lbragstad	and make sure https://docs.openstack.org/developer/keystone/admin/identity-security-compliance.html is up to date	22:07
lbragstad	then remove https://docs.openstack.org/developer/keystone/advanced-topics/security_compliance.html	22:07
lbragstad	that sounds like a lot of work, but it could all be done in a single patch set as far as i'm concerned	22:07
lbragstad	i don't see a reason not to anyway	22:07
gagehugo	ok	22:08
lbragstad	gagehugo: thanks for picking it up, i appreciate it	22:08
gagehugo	np!	22:10
lbragstad	here's an easy federated review - https://review.openstack.org/#/c/479026/	22:18
*** ducttape_ has joined #openstack-keystone		22:30
*** jmlowe has joined #openstack-keystone		22:31
*** ducttap__ has quit IRC		22:33
lbragstad	alright - stepping away for a bit	22:53
*** jamielennox has quit IRC		22:57
*** jamielennox has joined #openstack-keystone		23:03
*** ducttape_ has quit IRC		23:12
*** johnthetubaguy has quit IRC		23:18
openstackgerrit	Jaewoo Park proposed openstack/keystone master: WIP: Add project tags https://review.openstack.org/470317	23:27
*** johnthetubaguy has joined #openstack-keystone		23:28
openstackgerrit	Jaewoo Park proposed openstack/keystone master: WIP: Add project tags https://review.openstack.org/470317	23:30
*** thorst has joined #openstack-keystone		23:32
*** thorst has quit IRC		23:37
samueldmq	nishaYadav has a post in OpenStack superuser about mentoring	23:40
samueldmq	she was our mentee last year for Outreachy	23:40
samueldmq	#link http://superuser.openstack.org/articles/tips-mentor-openstack/	23:40
samueldmq	:)	23:40
*** enriquetaso_ has joined #openstack-keystone		23:42
samueldmq	lbragstad: yes I think it makes sense, I will try to reproduce that tomorrow morning, but I guess somehting was weird in my environment	23:46
samueldmq	lbragstad: it's worth giving another try, at least to figure out what I was doing wrong	23:46
*** rderose has quit IRC		23:47
samueldmq	also, I think I can pick up that bug about documenting PCI. I spent some time on it, so shouldn't be too hard	23:47
*** dougshelley66 has quit IRC		23:50
*** ducttape_ has joined #openstack-keystone		23:51
*** ducttape_ has quit IRC		23:55
*** phalmos_ has quit IRC		23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!