Tuesday, 2017-11-21

*** edmondsw has joined #openstack-keystone		00:05
*** deepika08 has quit IRC		00:06
*** _ix has quit IRC		00:06
*** edmondsw has quit IRC		00:10
*** jrist-afk is now known as jrist		00:12
*** AlexeyAbashkin has joined #openstack-keystone		00:13
*** AlexeyAbashkin has quit IRC		00:17
*** itlinux has quit IRC		00:26
*** Sandy619 has joined #openstack-keystone		00:43
*** Sandy619 has quit IRC		00:45
*** edmondsw has joined #openstack-keystone		00:49
*** aojea has joined #openstack-keystone		00:50
*** edmondsw has quit IRC		00:52
*** edmondsw has joined #openstack-keystone		00:52
*** aojea has quit IRC		00:55
*** AlexeyAbashkin has joined #openstack-keystone		01:12
*** AlexeyAbashkin has quit IRC		01:16
*** daidv has quit IRC		01:18
*** daidv has joined #openstack-keystone		01:19
*** edmondsw has quit IRC		01:20
*** edmondsw has joined #openstack-keystone		01:20
*** edmondsw has quit IRC		01:25
*** dave-mccowan has joined #openstack-keystone		01:31
*** gmann_afk is now known as gmann		02:25
*** itlinux has joined #openstack-keystone		02:38
*** _ix has joined #openstack-keystone		02:46
*** aselius has quit IRC		02:49
*** aojea has joined #openstack-keystone		02:51
*** aojea has quit IRC		02:55
*** edmondsw has joined #openstack-keystone		02:55
ayoung	hey kmalloc wanna see something funny?	02:57
ayoung	https://paste.fedoraproject.org/paste/Djfzz3MFGZqVEl2hcEdWcQ	02:58
ayoung	tell me what is wrong with this otherwise discoverable API	02:58
*** edmondsw has quit IRC		03:00
*** dave-mccowan has quit IRC		03:10
*** links has joined #openstack-keystone		03:19
*** harlowja has quit IRC		03:22
lbragstad	ayoung: it has a tenant?	03:45
lbragstad	breton: yeah - wxy_ is picking up that work	03:45
*** deepika08 has joined #openstack-keystone		03:49
*** itlinux has quit IRC		03:58
*** harlowja has joined #openstack-keystone		04:01
ayoung	lbragstad, heh	04:07
ayoung	lbragstad, look at the verbs	04:07
*** itlinux has joined #openstack-keystone		04:12
*** ayoung has quit IRC		04:36
*** edmondsw has joined #openstack-keystone		04:44
*** itlinux has quit IRC		04:44
*** itlinux has joined #openstack-keystone		04:47
*** edmondsw has quit IRC		04:48
*** aojea has joined #openstack-keystone		04:51
*** aojea has quit IRC		04:56
*** _ix has quit IRC		04:57
*** lbragstad has quit IRC		04:58
*** markvoelker has quit IRC		05:00
*** edmondsw has joined #openstack-keystone		05:29
*** itlinux has quit IRC		05:31
*** edmondsw has quit IRC		05:33
*** pcaruana has joined #openstack-keystone		05:39
*** edmondsw has joined #openstack-keystone		05:48
*** harlowja has quit IRC		05:52
*** edmondsw has quit IRC		05:52
*** deepika08 has quit IRC		05:58
*** markvoelker has joined #openstack-keystone		06:00
*** pcaruana has quit IRC		06:13
*** annp has joined #openstack-keystone		06:23
*** aojea has joined #openstack-keystone		06:29
*** edmondsw has joined #openstack-keystone		06:29
*** aojea has quit IRC		06:33
*** edmondsw has quit IRC		06:33
*** edmondsw has joined #openstack-keystone		06:48
*** edmondsw has quit IRC		06:53
*** rcernin has quit IRC		06:59
*** aojea has joined #openstack-keystone		07:03
*** josecastroleon has quit IRC		07:04
*** josecastroleon1 has joined #openstack-keystone		07:04
*** edmondsw has joined #openstack-keystone		07:08
*** aojea has quit IRC		07:11
*** spectr has joined #openstack-keystone		07:11
*** spectr has quit IRC		07:12
*** edmondsw has quit IRC		07:12
*** edmondsw has joined #openstack-keystone		07:23
*** magicboiz has quit IRC		07:26
*** pcaruana has joined #openstack-keystone		07:30
*** edmondsw has quit IRC		07:33
*** josecastroleon1 has quit IRC		07:40
*** edmondsw has joined #openstack-keystone		07:48
*** edmondsw has quit IRC		07:52
*** d0ugal has joined #openstack-keystone		08:08
*** edmondsw has joined #openstack-keystone		08:08
*** josecastroleon has joined #openstack-keystone		08:12
*** edmondsw has quit IRC		08:13
*** hoonetorg has quit IRC		08:18
*** tesseract has joined #openstack-keystone		08:23
*** edmondsw has joined #openstack-keystone		08:28
*** edmondsw has quit IRC		08:33
*** hoonetorg has joined #openstack-keystone		08:35
*** magicboiz has joined #openstack-keystone		08:38
*** aloga has quit IRC		08:48
*** aloga has joined #openstack-keystone		08:48
*** edmondsw has joined #openstack-keystone		08:49
*** edmondsw has quit IRC		08:53
*** Sandy619 has joined #openstack-keystone		09:05
*** aojea has joined #openstack-keystone		09:16
*** aojea has quit IRC		09:21
*** Sandy619 has quit IRC		09:30
*** mvk has quit IRC		09:30
*** mvk has joined #openstack-keystone		09:30
*** rcernin has joined #openstack-keystone		10:01
*** daidv has quit IRC		10:05
*** annp has quit IRC		10:28
*** jhesketh has quit IRC		10:28
*** jhesketh has joined #openstack-keystone		10:30
*** gmann is now known as gmann_afk		10:34
*** betherly has joined #openstack-keystone		10:41
betherly	hi all! running devstack on my vm and connecting to my local horizon through the local_settings. I can login to the dashboard through the direct url for the devstack instance on the vm but through my local horizon i am getting keystone auth errors	10:42
betherly	any ideas?	10:42
betherly	http://paste.openstack.org/show/626923/	10:43
cmurphy	"Unable to establish connection to http://10.211.55.13:5000/v2.0/token" is that the right host for keystone and can you reach that IP and port from your local env?	10:44
betherly	cmurphy: ive left the OPENSTACK_KEYSTONE_URL settings as default	10:46
betherly	cmurphy: has that changed now in the default devstack keystone settings?	10:47
*** edmondsw has joined #openstack-keystone		10:48
cmurphy	betherly: on devstack it will use /identity instead of :5000 and devstack should set that up properly for horizon but if you have set up a local horizon you'd have to change it to match	10:48
betherly	cmurphy: hmm ive never had to change that before. i guess somethings changed in devstack somewhere :/ so i should change:	10:51
betherly	OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST	10:51
betherly	to OPENSTACK_KEYSTONE_URL = "http://%s/identity	10:52
betherly	?	10:52
*** edmondsw has quit IRC		10:52
cmurphy	betherly: it should also use v3 since we deleted v2.0, so http://%s/identity/v3 (but that would cause a different error)	10:53
cmurphy	betherly: i think if you just make the OPENSTACK_KEYSTONE_URL and OPENSTACK_HOST in your local env match the devstack version it will work	10:54
betherly	still getting errors :( thanks for all your help though its super appreciated	10:58
cmurphy	betherly: different errors or the same error?	10:58
betherly	http://paste.openstack.org/show/626926/	10:59
betherly	im wondering if its something to do with this line:	11:00
betherly	Login failed for user "admin", remote address 127.0.0.1.	11:00
betherly	that its looking for remote address as my localhost even though openstack_host is set to the devstack environment	11:00
cmurphy	betherly: i think there's some kind of IDENTITY_API_VERSION setting in local_settings? it should be set to 3 or v3 or something	11:01
cmurphy	it's trying to use /tokens which doesn't exist in keystone v3, it should be using /auth/tokens	11:01
cmurphy	betherly: brb	11:01
betherly	cmurphy: its set to 3 as default	11:02
cmurphy	betherly: hrm i'm not sure then :/	11:07
*** edmondsw has joined #openstack-keystone		11:08
betherly	cmurphy: thanks for your help!	11:08
cmurphy	betherly: np	11:09
*** edmondsw has quit IRC		11:12
*** aojea has joined #openstack-keystone		11:17
*** aojea has quit IRC		11:22
*** AlexeyAbashkin has joined #openstack-keystone		11:24
*** mvk has quit IRC		11:27
*** edmondsw has joined #openstack-keystone		11:28
*** edmondsw has quit IRC		11:32
*** edmondsw has joined #openstack-keystone		11:48
*** edmondsw has quit IRC		11:52
*** aojea has joined #openstack-keystone		11:55
*** mvk has joined #openstack-keystone		11:57
*** aojea has quit IRC		12:05
*** raildo has joined #openstack-keystone		12:10
*** panbalag has joined #openstack-keystone		12:12
*** panbalag has left #openstack-keystone		12:22
*** niraj_singh has quit IRC		12:37
*** edmondsw has joined #openstack-keystone		12:48
*** aojea has joined #openstack-keystone		12:48
*** aojea_ has joined #openstack-keystone		12:50
*** aojea has quit IRC		12:50
*** efried has quit IRC		13:04
*** dave-mccowan has joined #openstack-keystone		13:11
*** dave-mcc_ has joined #openstack-keystone		13:16
*** dave-mccowan has quit IRC		13:17
*** efried has joined #openstack-keystone		13:17
*** belmoreira has joined #openstack-keystone		13:18
*** rmascena has joined #openstack-keystone		13:24
*** raildo has quit IRC		13:26
*** rcernin has quit IRC		13:30
*** _ix has joined #openstack-keystone		13:42
*** _ix has quit IRC		13:52
*** aojea_ has quit IRC		13:53
*** raildo has joined #openstack-keystone		14:04
*** rmascena has quit IRC		14:05
*** _ix has joined #openstack-keystone		14:16
*** lbragstad has joined #openstack-keystone		14:24
*** ChanServ sets mode: +o lbragstad		14:24
*** clayton has quit IRC		14:27
*** _ix_ has joined #openstack-keystone		14:30
*** clayton has joined #openstack-keystone		14:30
*** rmascena has joined #openstack-keystone		14:31
*** markvoelker has quit IRC		14:31
*** markvoelker has joined #openstack-keystone		14:31
*** _ix has quit IRC		14:32
*** raildo has quit IRC		14:33
*** links has quit IRC		14:47
openstackgerrit	Matthew Edmonds proposed openstack/keystonemiddleware master: Expect paste.deploy and gnocchi/panko options https://review.openstack.org/515291	14:49
openstackgerrit	Matthew Edmonds proposed openstack/keystonemiddleware master: Expect paste.deploy and gnocchi/panko options https://review.openstack.org/515291	14:52
*** aojea has joined #openstack-keystone		14:53
*** magicboiz has quit IRC		14:56
*** aojea has quit IRC		14:58
*** mvk has quit IRC		15:03
cmurphy	betherly: so i just tried it and I had to uncomment OPENSTACK_API_VERSIONS to get it to use the right identity version, so i guess v3 isn't really the default	15:16
openstackgerrit	Merged openstack/keystone master: Populate user, project and domain names from token into context https://review.openstack.org/518751	15:16
*** mvk has joined #openstack-keystone		15:19
betherly	cmurphy: ah thanks muchly! trying now	15:24
*** ayoung has joined #openstack-keystone		15:25
betherly	cmurphy: what value did you have for OPENSTACK_KEYSTONE_URL	15:26
betherly	so i can try exactly your setup?	15:26
betherly	(using my own ip obvs)	15:26
cmurphy	betherly: i have OPENSTACK_KEYSTONE_URL = "http://%s/identity/v3" % OPENSTACK_HOST	15:36
* lbragstad digs into bug triage in preparation for office hours		15:36
cmurphy	lbragstad: that reminds me, i won't be around for the meeting or office hours (on a plane)	15:37
lbragstad	cmurphy: no worries - thanks for the heads up!	15:37
*** rmascena is now known as raildo		15:47
knikolla	o/	15:48
*** panbalag has joined #openstack-keystone		15:48
*** panbalag has left #openstack-keystone		15:49
*** mvk has quit IRC		15:54
*** aojea has joined #openstack-keystone		15:54
*** jistr is now known as jistr\|mtg		15:59
*** aojea has quit IRC		16:00
*** spilla has joined #openstack-keystone		16:01
*** links has joined #openstack-keystone		16:03
*** ktibi has joined #openstack-keystone		16:05
ktibi	Hi, where can I find keystone-manage client for centos pike version ??	16:05
*** mvk has joined #openstack-keystone		16:07
*** ktibi has left #openstack-keystone		16:09
*** itlinux has joined #openstack-keystone		16:10
*** links has quit IRC		16:12
*** jistr\|mtg is now known as jistr		16:16
*** edmondsw has quit IRC		16:24
*** KwozyMan has joined #openstack-keystone		16:25
*** edmondsw has joined #openstack-keystone		16:25
*** jose-phillips has joined #openstack-keystone		16:26
*** AlexeyAbashkin has quit IRC		16:28
*** edmondsw has quit IRC		16:29
*** josecastroleon has quit IRC		16:29
*** belmoreira has quit IRC		16:39
*** openstackstatus has quit IRC		16:58
*** openstackstatus has joined #openstack-keystone		16:59
*** ChanServ sets mode: +v openstackstatus		16:59
*** tesseract has quit IRC		17:09
*** josecastroleon has joined #openstack-keystone		17:10
*** KwozyMan has quit IRC		17:21
*** d0ugal has quit IRC		17:30
*** aojea has joined #openstack-keystone		17:36
*** aojea has quit IRC		17:41
*** pcaruana has quit IRC		17:48
*** d0ugal has joined #openstack-keystone		17:50
*** jistr is now known as jistr\|off\|trng		18:04
*** mvk has quit IRC		18:09
*** david-lyle has quit IRC		18:09
*** david-lyle has joined #openstack-keystone		18:09
*** _ix_ has quit IRC		18:30
*** AlexeyAbashkin has joined #openstack-keystone		18:40
*** aselius has joined #openstack-keystone		18:42
*** AlexeyAbashkin has quit IRC		18:44
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: WIP: Return the endpoint_override from EndpointData https://review.openstack.org/491947	18:50
*** mvk has joined #openstack-keystone		18:54
openstackgerrit	Sean McGinnis proposed openstack/oslo.policy master: Handle deprecation of inspect.getargspec https://review.openstack.org/521979	18:55
*** KwozyMan has joined #openstack-keystone		18:55
*** itlinux has quit IRC		18:57
kmalloc	o/	18:57
* kmalloc is here.		18:57
lbragstad	o/	18:57
* kmalloc is trying to do more than lurk		18:57
josecastroleon	hi	18:57
lbragstad	KwozyMan: josecastroleon	18:57
* kmalloc needs cooffeeeeeee		18:57
kmalloc	so. sec	18:57
kmalloc	ok	18:59
kmalloc	no coffee but...	18:59
kmalloc	so	18:59
kmalloc	here we go	18:59
kmalloc	the biggest issue with allowing an admin to specify the ID (in any case) is that you now have the potential for Keystone to run into "i don't own" the ID issues. and start conflating the name/id and cause for things like id "squatting" in public (or even in corporate, people are sometimes petty) environments	19:01
kmalloc	it also opens up things for say "guessing Ids", if they are randomly generated (or random with seeds based upon IDP ids) we can avoid almost all of those cases	19:01
kmalloc	I'll eat my hat if we have more than an isolated incident of conflicting UUIDs (when done with UUID4) based upon the 64-bit space.	19:01
kmalloc	the main use cases we came up with started with two places	19:02
kmalloc	1) Restoring Deleted Projects	19:02
kmalloc	that is solved with either soft deletes or with admin allowed specification of ID	19:02
kmalloc	2) "I want the same ID in multiple deployments without DB replication"	19:03
KwozyMan	both valid usecases, imho	19:03
*** itlinux has joined #openstack-keystone		19:03
kmalloc	this turned out to be one or two total folks asking for it, and I would be highly concerned with making the API generally able to do this in the case of sourcing data from outside locations [if more than one vector for creating <resource> occurs]	19:03
lbragstad	the second use case was made more apparent to me at the forum	19:04
kmalloc	if you have folks who are supplying enough information to force an ID to be created, you could then end up with creating a malicious case where you own and ID for something that will be created in the future	19:04
lbragstad	because there are restrictions in EU that prevent data replication	19:04
josecastroleon	that's the one from the orange folks	19:04
kmalloc	i create XXXXXXXXXX because i know it will be created when org Y's IDP passes information in	19:05
kmalloc	and now I can, in theory, own their data	19:05
kmalloc	it's a public-ish cloud concern, but we have to look at both cases.	19:05
lbragstad	right - that's a good point	19:05
josecastroleon	we don't allow project autoprovissioning	19:05
kmalloc	josecastroleon: you don't, some folks do	19:05
lbragstad	yeah - we built that feature in a while ago	19:06
KwozyMan	specifying an id at creation time doesn't mean not checking if said id exists already? or am I missing something?	19:06
lbragstad	(newton?)	19:06
kmalloc	we, unfortunately, need to ensure we're planning for all supported (sorry) methods of creation	19:06
kmalloc	KwozyMan: you could, but the error in creation results in 2 issues	19:06
lbragstad	#link https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#auto-provisioning	19:07
lbragstad	#startmeeting keystone-office-hours	19:07
openstack	Meeting started Tue Nov 21 19:07:42 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	19:07
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	19:07
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		19:07
openstack	The meeting name has been set to 'keystone_office_hours'	19:07
kmalloc	1) I can't create the resource at all. and now i am stuck because someone squatted/created/owns it	19:08
kmalloc	2) I error, but can still use the resource, but someone else can as well	19:08
kmalloc	(one of two issues*)	19:08
kmalloc	randomized creation explicitly dodged these issues.	19:08
kmalloc	let me be clear, i am not going to block or say we are unable to add this feature	19:08
kmalloc	we have to be Very careful if we are adding it	19:08
kmalloc	and we have to consider interop between deployments/use	19:08
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/5F0h9Hoe/keystone"		19:08
KwozyMan	fair enough	19:09
kmalloc	if some clouds allow you to create ids and some don't - it adds to the already awful UX we have where options change the API behavior	19:09
josecastroleon	the concern I have with autoprovisioning is that the resources are not cleaned up	19:09
*** hoonetorg has quit IRC		19:09
josecastroleon	you lose track from the user because it's not yours	19:09
kmalloc	josecastroleon: no resources are really auto-cleaned up	19:09
josecastroleon	and on a public cloud you have your credit card	19:10
kmalloc	you lose track the moment is is created in keystone.	19:10
*** hoonetorg has joined #openstack-keystone		19:10
josecastroleon	so you don't care	19:10
kmalloc	it is the CRM's job to track that stuff	19:10
josecastroleon	yes	19:10
kmalloc	(customer relations management software, aka salesforce or sugar, etc)	19:10
lbragstad	another interesting side-effect of project IDs over the API is if a token is revoked in one region	19:10
kmalloc	FTR: i disagreed with adding autoprovisioning	19:10
lbragstad	it won't be revoked in another	19:10
kmalloc	i wish i had been at the forum, so i could have worked w/ orange folks to understand the specific replication concerns	19:11
kmalloc	it is likely that it is PII-specific not "zero replication"	19:11
lbragstad	since the data base isn't replicated - if the token is revoked in region A it won't be revoked in region B	19:11
*** AlexeyAbashkin has joined #openstack-keystone		19:11
kmalloc	which could lead towards isolation of data and certifying what is replicatable	19:11
lbragstad	true - i asked for some more information on the actually restriction	19:12
lbragstad	i'll be sure to send it out if i get it	19:12
lbragstad	actual*	19:12
kmalloc	i am fairly certain it is not "you cannot replicate" but most orgs default to that because it dodges issues with "well but we got item Y by accident"	19:12
lbragstad	the other requirement was that authZ data can't come from the source of authN	19:13
kmalloc	that was orange's requirement?	19:13
kmalloc	eh, thats easy enough with some SSO things.	19:14
lbragstad	not sure - it came up in discussion somewhere and i wrote it down	19:14
lbragstad	but you could also do that today by not having a mapping	19:14
kmalloc	i wonder if that means the authoritative authn or any authn	19:14
lbragstad	and just manually managing role assignment on the shadow user	19:14
kmalloc	because what if keystone is backed by ldap	19:14
kmalloc	ldap is providing authn but by proxy to ldap	19:14
kmalloc	is that sufficient	19:14
kmalloc	and what you said about mapping	19:15
kmalloc	in short, autogeneration of IDs is the best option for most of keystone's use-cases	19:15
lbragstad	right authZ from an openstack perspective would be completely isolated from authN	19:15
KwozyMan	Gentlemen, I have to retire now.	19:16
kmalloc	i might be willing to add id-specification (for projects and users) as resource-options to a domain	19:16
*** AlexeyAbashkin has quit IRC		19:16
kmalloc	so you create the domain with that option set	19:16
kmalloc	and then you're allowed to specify ids.	19:16
lbragstad	KwozyMan: no worries - thanks for coming	19:16
kmalloc	but it has to be discoverable	19:16
KwozyMan	We'll try to rewrite the spec to consider your concerns	19:16
kmalloc	KwozyMan: ^	19:16
lbragstad	kmalloc: yeah - that'd be another way to go about it	19:16
*** KwozyMan has quit IRC		19:17
kmalloc	lbragstad: that makes me a bit happier since you can look at the domain object to know if it's allowed	19:17
kmalloc	and then you can provide or not	19:17
*** aojea has joined #openstack-keystone		19:17
lbragstad	which should be specific to an idp	19:17
kmalloc	it doesn't really break APIs and it makes it so it is every explicitly opted into	19:17
lbragstad	which gets around the stealing of namespace before someone hooks things up from the Idp, right?	19:17
kmalloc	now ids are still 100% globally unique	19:17
kmalloc	so i would probably force a prefix that we can control	19:18
kmalloc	do a UUID5(namespace-prefix, uuid4)	19:18
kmalloc	so they can generate it but it must conform to a way we can avoid conflicts and we can reject uuids in other places that don't conform	19:18
kmalloc	or prefix + uuid4[4:]	19:19
josecastroleon	the project id will be then the uuid4 or the whole blob?	19:19
kmalloc	josecastroleon: the id would be the whole blob. it makes this viable going forward	19:19
lbragstad	it would be munged together	19:19
kmalloc	not retroactively	19:19
lbragstad	(token payloads would be a bit longer)	19:19
kmalloc	lbragstad: nah	19:19
kmalloc	lbragstad: we'd still 32 byte ids	19:20
lbragstad	unless you deconstruct the token and serialize them separately?	19:20
kmalloc	just say first 4 bytes would be restricted or frist 10	19:20
kmalloc	lbragstad: ids are imuutable	19:20
kmalloc	so 2 cases:	19:20
kmalloc	auto creation of id, lets say 10-bytes unique (lots ot space)	19:20
kmalloc	domain-specific-10-by-prefix + uuid4()[10:]	19:21
kmalloc	so 1234567890 + uuid4() and drop the first 10 bytes of the uuid before munging	19:21
josecastroleon	then they need to have the same domain id in both enviroments right?	19:21
kmalloc	right	19:21
kmalloc	we would need to address that, but domain-flagged projects, I'm more willing to be flexible on	19:22
josecastroleon	but when you are creating it, would you be able to specify it?	19:22
josecastroleon	i meant the domain	19:22
kmalloc	ugh but we run into the same issues since domains and projects are the same type	19:22
josecastroleon	yep	19:23
kmalloc	josecastroleon: well you can specify domain-names for everything	19:23
kmalloc	and you could specify the domain-prefix id	19:23
kmalloc	this is awful.	19:23
kmalloc	i don't think we can reasonably supply a consistent API to allow specification of IDs	19:23
josecastroleon	can we do some kind of configuration option to allow them to go forward? with a very big warning message with all the things that will fail	19:24
kmalloc	josecastroleon: i can't +2 that, but i can "not block it"	19:25
kmalloc	because i never feel good with the "set an option that changes the API behavior"	19:25
josecastroleon	it's more on orange side	19:25
kmalloc	right. and it still comes down to a general purposew config to handle that use case	19:26
josecastroleon	we can workaround it	19:26
kmalloc	right.	19:26
kmalloc	i think i need to know more about the orange restrictions	19:27
kmalloc	what are the real limitations	19:27
*** _ix has joined #openstack-keystone		19:27
kmalloc	but that said... i understand what they're trying to do.	19:27
lbragstad	yeah - if it is a law thing, we should hopefully be able to dig into some public documentation on it somewhere	19:28
lbragstad	maybe that helps clarify requirements	19:29
kmalloc	yep	19:31
lbragstad	josecastroleon: either way - let's see if we can get this stuff captured somewhere	19:31
lbragstad	especially since this conversation comes up frequently	19:32
josecastroleon	sure	19:32
lbragstad	it'll hopefully be easier to iterate towards a solution when we have things documented	19:32
lbragstad	or come up with alternatives that work	19:32
josecastroleon	thanks, i need to retire, it's getting late here :D	19:35
lbragstad	josecastroleon: sounds good - thanks for sticking around	19:42
*** josecastroleon has quit IRC		19:48
lbragstad	for those here for office hours - i'll be working on bug triage	19:52
lbragstad	i haven't done much of that in the last couple weeks with all the things going on, so i'll be catching up on that	19:52
lbragstad	i have stumbled across several good candidates if anyone is looking for something though	19:52
*** rmascena has joined #openstack-keystone		19:54
*** raildo has quit IRC		19:57
*** jose-phillips has quit IRC		20:09
*** AlexeyAbashkin has joined #openstack-keystone		20:11
*** jose-phillips has joined #openstack-keystone		20:11
*** AlexeyAbashkin has quit IRC		20:15
*** aojea has quit IRC		20:29
*** aojea has joined #openstack-keystone		20:29
*** aojea has quit IRC		20:34
*** sbezverk has quit IRC		20:42
*** McClymontS has joined #openstack-keystone		20:45
*** McClymontS has quit IRC		20:49
*** McClymontS has joined #openstack-keystone		20:52
*** McClymontS has quit IRC		20:52
lbragstad	lamt: https://bugs.launchpad.net/oslo.cache/+bug/1731921	21:07
openstack	Launchpad bug 1731921 in keystonemiddleware "memcache_socket_timeout is too high" [Undecided,In progress] - Assigned to Vincent Untz (vuntz)	21:07
lbragstad	^ that might be something that gets fixed once we port ksm to use oslo.cache	21:08
*** sbezverk has joined #openstack-keystone		21:11
*** rmascena has quit IRC		21:21
*** dave-mcc_ has quit IRC		21:47
*** threestrands has joined #openstack-keystone		21:48
*** rcernin has joined #openstack-keystone		21:50
lamt	lbragstad : am planning to start oslo.cache work after Thanksgiving	21:52
lbragstad	i parsed most of the recent bug activity and updated various reports with office-hours tags https://bugs.launchpad.net/keystone/+bugs?field.tag=office-hours	21:52
lbragstad	lamt: awesome	21:53
lbragstad	most of those bugs seem like things that can be accomplished in a few hours	21:53
lbragstad	if anyone is looking for bugs to work on	21:53
*** mvk has quit IRC		21:59
*** mvk has joined #openstack-keystone		22:15
*** markvoelker has quit IRC		22:16
*** aojea has joined #openstack-keystone		22:22
*** markvoelker has joined #openstack-keystone		22:27
*** ayoung has quit IRC		22:35
*** efried is now known as fried_turkey		22:38
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Add scope_types to RuleDefault objects https://review.openstack.org/510222	22:53
lbragstad	#endmeeting	23:02
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/5F0h9Hoe/keystone"		23:02
openstack	Meeting ended Tue Nov 21 23:02:52 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	23:02
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-21-19.07.html	23:02
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-21-19.07.txt	23:02
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-21-19.07.log.html	23:02
*** itlinux has quit IRC		23:05
*** aojea has quit IRC		23:06
*** AlexeyAbashkin has joined #openstack-keystone		23:12
*** AlexeyAbashkin has quit IRC		23:16
*** spilla has quit IRC		23:21
*** Sandy619 has joined #openstack-keystone		23:28
*** gmann_afk is now known as gmann		23:28
*** Sandy619 has quit IRC		23:30
*** d0ugal has quit IRC		23:58
*** d0ugal has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!