In today's keystone meeting, Morgan mentioned that we had the ability to go
back to using OpenStack Wikis for meeting agendas. I created a poll to get
Let's keep it open for the week and look at the results as a team at our
On Fri, Nov 11, 2016 at 8:33 AM, Lance Bragstad <lbrags...@gmail.com> wrote:
> I've added some initial content to the etherpad , to get things
> rolling. Since this is going to be a recurring thing, I'd like our first
> meeting to level set th
On Wed, Nov 16, 2016 at 8:32 AM, Lance Bragstad <lbrags...@gmail.com> wrote:
> Just sending out a reminder that we'll be having our first meet
Great work Boris. Welcome to the team!
On Mon, Oct 31, 2016 at 2:50 PM, Kristi Nikolla wrote:
> Congrats Boris! Well deserved!
> On 10/31/2016 03:46 PM, Steve Martinelli wrote:
> > I want to welcome Boris Bobrov (breton) to the keystone core team. Boris
> > has
I totally agree with communicating this the best we can. I'm adding the
operator list to this thread to increase visibility.
If there are any other methods folks think of for getting the word out,
outside of what we've already done (release notes, email threads, etc.),
please let me know. I'd be
In case you missed the policy meeting today, we had a good discussion 
around incorporating keystone's policy into code using the Nova approach.
Keystone is in a little bit of a unique position since we maintain two
different policy files  , and there were a lot of questions
This is awesome! I pretty much just 'Select All' deleted my other calendars
I use for tracking this kind of information.
Thank you, Doug!
On Thu, Jan 12, 2017 at 12:41 PM, Emilien Macchi wrote:
> On Wed, Jan 11, 2017 at 1:51 PM, Doug Hellmann
FWIW - i'm seeing a common error in several of the rally failures  
 . Dims also pointed out a few bugs in rally for keystone v3 support
I checked with the folks in #openstack-containers to see if they were
experiencing anymore fallout, but it looks like the magnum gate is under
I put myself in Boris' camp on this one. This can open up the opportunity
for negative user-experience, purely based on where I authenticate and
which token I happen to authenticate with. A token would no longer be
something I can assume to be properly validated against any node in my
The ability to specify IDs at project creation time was proposed as a
specification last summer . The common theme from the discussion in that
thread was to use shadow mapping  to solve that problem.
something that both keystone and the
> community will benefit! :)
> On Wed, Dec 21, 2016 at 4:22 PM, Steve Martinelli <s.martine...@gmail.com>
>> Thanks for setting this up Lance!
>> You can count on me to join and smash some bugs.
++ to the suggestions Boris threw out. Answers to any of those would be
valuable. In addition to that, I'd find any information about policy
useful. Maybe something along the lines of "what changes to the policy
files are you making, if any". This could be something that is asked
We had another healthy discussion about policy today  and most of it
revolved around documenting policy guidelines. The question of the day was
where should these guidelines live? To answer that we highlighted the
- Guidelines should be proposed and reviewed in small
If you remember, last year we started a weekly bug day . The idea was to
dedicate one day a week to managing keystone's bug queue by triaging,
fixing, and reviewing bugs. This was otherwise known as keystone's office
I'd like to remind everyone that we are starting up this
Sending a note to summarize the policy meeting we had today . Also to
remind folks that our next policy meeting will be Wednesday, January 4th.
Hope everyone has a safe and happy holiday season!
Following up again. Today we merged the fixes for some WebOb 1.7
compatibility issues we were having . Thanks to David (dstanek) and John
(jdennis) for digging in and getting this squared away.
On Wed, Mar 22, 2017 at 1:37 PM, Lance Bragstad
The schedule for today's meeting is pretty empty  so we will go ahead
and cancel. There are several policy patches in keystone and nova that are
working their way through review. Instead of meeting, a better use of that
time might be reviewing what we have in the pipeline (detailed
Posting a keystone update here as well. We are iterating on it in review as
well as in IRC. There are a few things we're doing within keystone that
raised some questions as to how we should handle some of the new changes in
I'll post another update once we make some more progress.
With pycrypto removed from keystoneauth  (thanks Brant, Monty, and
Morgan!), I did some poking at the usage in keystonemiddleware .
The usage is built into auth_token middleware for encrypting and decrypting
things stored in cache , but it is conditional based on configuration
On Wed, Mar 29, 2017 at 10:41 AM, Lance Bragstad <lbrags...@gmail.com>
> With pycrypto removed from keystoneauth  (thanks Brant, Monty, and
> Morgan!), I did some poking at the usage in keystonemiddleware .
> The usage is built into aut
The TC meeting today  had some discussion on an interpretation of
OpenStack's mission statement . The purpose of this note is two-fold.
First, it would be great to get some keystone folks to review that change,
especially paragraph four. Second, is an overall request for any last
The keystone gate is currently broken . This seems related to a previous
change we made to be compatible with webob 1.7 . Looks like we missed a
couple spots in the original patch that are failing now that we're using a
newer version of webob.
There is a solution up for review  that
On Thu, Mar 16, 2017 at 8:07 AM, Jeremy Stanley wrote:
> On 2017-03-15 13:46:42 +1300 (+1300), Adrian Turjak wrote:
> > See, subdomains I can kind of see working, but the problem I have with
> > all this in general is that it is kind of silly to try and stop access
> > down
I think the success of this, or a revived fernet-backend spec, is going to
have a hard requirement on the outcome of the configuration opts discussion
. When we attempted to introduce an abstraction for fernet keys
previously, it led down a rabbit hole of duplicated work across
gt; On Thu, Mar 16, 2017 at 12:45 PM, Lance Bragstad <lbrags...@gmail.com>
> > I think the success of this, or a revived fernet-backend spec, is going
> > have a hard requirement on the outcome of the configuration opts
> > . When we
On Thu, Mar 16, 2017 at 12:46 PM, Morgan Fainberg <morgan.fainb...@gmail.com
> On Mar 16, 2017 07:28, "Jeremy Stanley" <fu...@yuggoth.org> wrote:
> On 2017-03-16 08:34:58 -0500 (-0500), Lance Bragstad wrote:
> > These sec
On Thu, Mar 16, 2017 at 4:31 PM, John Dickinson <m...@not.mn> wrote:
> On 16 Mar 2017, at 14:10, Lance Bragstad wrote:
> Hey folks,
> The reseller use case  has been popping up frequently in various
> discussions , including unified limits.
The reseller use case  has been popping up frequently in various
discussions , including unified limits.
For those who are unfamiliar with the reseller concept, it came out of
early discussions regarding hierarchical multi-tenancy (HMT). It
essentially allows a certain level of
I have a couple questions in addition to Matt's.
The keystone group is still trying to figure out what this means for us and
we discussed it in today's meeting . Based on early feedback, we're
going to have less developer presence at the Forum than we did at the PTG.
Are these formal sessions
With the forum approaching, I threw together a slide deck that incorporates
the new mascot. I wanted to send this out in enough advance for folks to
use them at the forum.
This is in no way our *official* deck and you're not required to use it for
keystone related talks or presentations.
Of course I would make changes to the template *right* after sending this
email. I'll just share the presentation that I have .
On Tue, Mar 14, 2017 at 8:54 PM, Lance Bragstad <lbr
I would love to have one for on-boarding new identity developers.
On Wed, Mar 15, 2017 at 1:43 PM, Michał Jastrzębski
> One for Kolla too please:)
> On 15 March 2017 at 11:35, Чадин Александр (Alexander Chadin)
> > +1 for Watcher
ther up or down the tree? If not, would it be a
> *From:* Lance Bragstad [lbrags...@gmail.com]
> *Sent:* Thursday, March 16, 2017 2:10 PM
> *To:* OpenStack Development Mailing List (not for usage questi
Sending out a heads up that the initial spec  merged.
On Thu, Mar 30, 2017 at 1:44 PM, Tim Bell wrote:
> For those that are interested in nested quotas, there is proposal on how
> to address this forming in openstack-dev (and
On Tue, Apr 11, 2017 at 1:21 PM, Matt Riedemann wrote:
> On 4/11/2017 2:52 AM, Alex Xu wrote:
>> We talked about remove the quota-class API for multiple times
>> I guess we can deprecate
On Wed, Apr 12, 2017 at 9:42 AM, Amrith Kumar
> Hmm, all the cool kids didn’t receive the email but I did. Now I feel bad
> *From:* Morgan Fainberg [mailto:morgan.fainb...@gmail.com]
> *Sent:* Wednesday, April 12, 2017 9:53 AM
Just a reminder that we will be having the policy meeting in 45 minutes in
#openstack-meeting-cp . It was cancelled last week due to tight
See you there!
On Wed, Apr 12, 2017 at 9:28 AM, David Stanek wrote:
> [tl;dr I want to remove the artificial restriction of not allowing FKs
> subsystems and I want to stop FK enforcement in code.]
> The keystone code architecture is pretty simple. The data and
I've proposed keystone's pike-1 release . If there is anything that we
need to wait on for pike-1 that hasn't merged yet, please let me know at
your earliest convenience.
they've found useful for RBAC
discussions, feel free to drop them here.
On Wed, Apr 5, 2017 at 4:45 PM, Lance Bragstad <lbrags...@gmail.com> wrote:
> We ended up cancelling today's policy meeting, but policy discussions
If you chill in #openstack-keystone, we had a little mishap today that
resulted in people getting accidentally kicked from the channel. Everything
is back to normal and if you haven't already done so, feel free to hop back
Happy Thursday folks,
Rob and I have noticed that the weekly attendance for the Keystone/Horizon
 meeting has dropped significantly in the last month or two. We
contemplated changing the frequency of this meeting to be monthly instead
of weekly. We still think it is important to have a sync
nth it falls in.
> On 13 April 2017 at 22:03, Lance Bragstad <lbrags...@gmail.com> wrote:
>> Happy Thursday folks,
>> Rob and I have noticed that the weekly attendance for the
>> Keystone/Horizon  meeting has dropped signifi
On Thu, Mar 9, 2017 at 3:46 PM, Doug Hellmann wrote:
> Excerpts from Andrea Frittoli's message of 2017-03-09 20:53:54 +:
> > Hi folks,
> > I'm trying to figure out what's the best approach to fade out testing of
> > deprecated API versions.
> > We currently host in
Isn't what you just described the reseller use case ? Was that work ever
fully finished? I thought I remember having discussions in Tokyo about it.
On Tue, Mar 14, 2017 at 7:38 AM, Rodrigo
Sending out a quick announcement that we've merged our project-specific
deadlines for the Pike release schedule . Our first deadline this
release is spec proposal freeze which is going to be R-20 (April 14th).
On Fri, Mar 10, 2017 at 8:49 AM, Andrea Frittoli <andrea.fritt...@gmail.com>
> On Fri, Mar 10, 2017 at 2:24 PM Doug Hellmann <d...@doughellmann.com>
>> Excerpts from Ghanshyam Mann's message of 2017-03-10 10:55:25 +0900:
>> > On Fr
>From a keystone-perspective, I'm fine killing keystone.openstack.org.
Unless another team member with more context/history has a reason to keep
On Wed, Mar 8, 2017 at 9:12 AM, Monty Taylor wrote:
> Hey all,
> We have a set of old vanity redirect URLs from
Post PTG there has been some discussion regarding quotas as well as limits.
While most of the discussion has been off and on in #openstack-dev, we also
have a mailing list thread on the topic .
I don't want to derail the thread on quotas and limits with this thread,
but today's discussion 
FWIW - There was a lengthy discussion in #openstack-dev yesterday regarding
On Wed, Mar 1, 2017 at 5:42 AM, John Garbutt wrote:
> On 27
During the PTG, Morgan mentioned that there was the possibility of keystone
removing the v2.0 API . This thread is a follow up from that discussion
to make sure we loop in the right people and do everything by the books.
The result of the session  listed the following work items:
We ended up cancelling today's policy meeting, but policy discussions
carried on throughout the day in #openstack-keystone . We have several
specs up for review . Some are nova specs and a couple are
proposed to keystone. With keystone's spec proposal freeze coming up next
We had to do similar things in keystone in order to validate uuid-ish types
(just not as fancy)  . If we didn't have to worry about being
backwards compatible with non-uuid formats, it would be awesome to have one
implementation for checking that.
Here is a condensed report of what was accomplished during office hours
today. Most activity focused on reviewing fixes in flight. Full log can
be found in IRC .
Bug #1635389 in OpenStack Identity (keystone):
"keystone.contrib.ec2.controllers.Ec2Controller is untested"
I was cleaning up a few documentation things for keystone and noticed an
issue with how the configuration reference was rendering. It turns out
the oslo.policy library needed a few tweaks to the show-policy directive
along with some changes to keystone that allowed us to properly render
One of the community goals for Queens is to move all policy into code
and document it . I'd like to make myself available to work with
projects face-to-face if they need help at the PTG. In order to
successfully plan that, we need to have an estimate of how many projects
are interested in
I made the announcement in today's keystone meeting  that the current
reviewers have decided to add Kristi Nikolla (knikolla) to the team.
Kristi has been an extremely valuable asset to the team over the last
couple of releases. He especially stepped up to the plate during Pike.
Office hours was pretty focused today. We spent the majority of the time
discussing and merging fixes we need for RC2. In addition to that we
discussed plans for the PTG as well as the schedule. Full details can be
found in the logs .
During RC, Morgan's made quite a bit of progress on a bug found by the
gate . Part of the solution led to another patch that removes the
ability to configure anything but sql for keystone's resource backend
(`keystone.conf [resource] driver`). The reasoning behind this is that
there were FK
working on a fix and we've targeted bug 1702211 to
rc2. I'll keep an eye out for the translations patch and make sure that
lands before we cut the next release candidate.
On 08/11/2017 12:02 PM, Thierry Carrez wrote:
> Lance Bragstad wrote:
>> We rolled out rc1 last night , but missed
Help if you actually attach the link you want to send .
On 08/11/2017 11:26 AM, Morgan Fainberg wrote:
> On Fri, Aug 11, 2017 at 9:25 AM, Morgan Fainberg
>> On Fri, Aug 11, 2017 at 8:44 AM, Felipe
More context on the patch Morgan is working on can be found in the bug
On 08/11/2017 11:26 AM, Morgan Fainberg wrote:
> On Fri, Aug 11, 2017 at 9:25 AM, Morgan Fainberg
>> On Fri, Aug 11, 2017 at 8:44 AM, Felipe Monteiro
I proposed a patch to remove the deprecation .
On 06/28/2017 09:33 PM, Lance Bragstad wrote:
> Cool - I'm glad this is generating discussion. I personally don't see
> a whole lot of maintenance costs with `keystone-manage
 fail tempest run --regex
On 08/11/2017 06:26 PM, Morgan Fainberg wrote:
> On Fri, Aug 11, 2017 at 11:10 AM, Lance Bragstad <lbrags...@gmail.com> wrote:
We rolled out rc1 last night , but missed a couple important
documentation patches and release notes . I'll propose rc2 as soon as
those merge. I've also created a new official bug tag,
pike-backport-potential. Please feel free to use the tag if you're doing
bug triage and find something you
Oh - the original issues with the stable branches were reported here:
On 07/13/2017 06:00 PM, Lance Bragstad wrote:
> Colleen found out today while doing a backport that both of our stable
> branches are broken. After doing some digging, it
Colleen found out today while doing a backport that both of our stable
branches are broken. After doing some digging, it looks like bug 1687593
is the culprit . The fix to that bug merged in master and the author
added some nicely written functional tests using the
I wanted to send a friendly reminder that feature freeze for keystone
will be in R-5 , which is the end of next week. That leaves just
under 10 business days for feature work (8 considering the time to get
through the gate). Of the specifications we've committed to for Pike,
Based on the comments and opinions in the original thread, I think a fix
for this is justified. I wouldn't mind running this by the TC to double
check that nothing has changed from the first time we had to fix this
On 07/11/2017 06:03 AM, Attila Fazekas wrote:
> Hi all,
Just a quick reminder that today we will be holding office hours after
the keystone meeting . See you there!
Description: OpenPGP digital signature
On 07/05/2017 04:28 PM, Colleen Murphy wrote:
> On Wed, Jul 5, 2017 at 9:36 PM, Lance Bragstad <lbrags...@gmail.com
> <mailto:lbrags...@gmail.com>> wrote:
> Hi all,
> Keystone has a script to perform some bootstrapping operations
> . It'
On 07/12/2017 09:17 AM, Akihiro Motoki wrote:
> 2017-07-12 10:35 GMT+09:00 Lance Bragstad <lbrags...@gmail.com>:
>> Hey all,
>> This is a summary of what was worked on today during office hours. Full logs
>> of the meeting can be found below:
I'd like to reach out and get ahead of the curve now that we established
the community goals for Queens. If you have any questions about the
policy-in-code work  and how it pertains to your project, please
don't hesitate to ping me in #openstack-dev. Once pike starts winding
This is a summary of what was worked on today during office hours. Full
logs of the meeting can be found below:
*The future of the templated catalog backend
Some issues were uncovered,
On 07/11/2017 09:28 PM, Mathieu Gagné wrote:
> So this email is relevant to my interests as an operator. =)
Glad to hear it!
> On Tue, Jul 11, 2017 at 9:35 PM, Lance Bragstad <lbrags...@gmail.com
> <mailto:lbrags...@gmail.com>> wrote:
All the patches in the original note have merged for both stable/ocata
and stable/newton. Existing patches to both branches are being recheck
On 07/13/2017 06:04 PM, Lance Bragstad wrote:
> Oh - the original issues with the stable branches were reported here:
On Mon, Jul 17, 2017 at 6:39 PM, Zane Bitter wrote:
> So the application credentials spec has merged - huge thanks to Monty and
> the Keystone team for getting this done:
On 07/17/2017 10:12 PM, Lance Bragstad wrote:
> On Mon, Jul 17, 2017 at 6:39 PM, Zane Bitter <zbit...@redhat.com
> <mailto:zbit...@redhat.com>> wrote:
> So the application credentials spec has merged - huge thanks to
> Monty and the Ke
On 07/18/2017 08:21 AM, Andy McCrae wrote:
> The branches have now been retired, thanks to Joshua Hesketh!
> Thanks Josh, Andreas, Tony, and the rest of the Infra crew for sorting
> this out.
++ thanks all!
On 07/19/2017 09:27 PM, Monty Taylor wrote:
> On 07/19/2017 12:18 AM, Zane Bitter wrote:
>> On 18/07/17 10:55, Lance Bragstad wrote:
>>>> Would Keystone folks be happy to allow persistent credentials once
>>>> we have a way to
We just released keystoneauth 3.0.0 , which contains a bunch of
built-in functionality to handle version discovery so that you don't
have to! Check out the documentation for all the details .
Big thanks to Eric and Monty for tackling this work, along with all the
I started noticing some trivial changes failing in the
keystonemiddleware gate . The failures are in tests that use the
keystoneauth1 library (8 tests are failing by my count), which we
released a new version of yesterday . I've proposed a patch to
blacklist keystoneauth1 3.0.0 from
On 07/21/2017 04:43 PM, Lance Bragstad wrote:
> The pa
:00 PM, Lance Bragstad wrote:
> I started noticing some trivial changes failing in the
> keystonemiddleware gate . The failures are in tests that use the
> keystoneauth1 library (8 tests are failing by my count), which we
> released a new version of yesterday . I've prop
On Fri, Jul 21, 2017 at 9:39 PM, Monty Taylor <mord...@inaugust.com> wrote:
> On 07/22/2017 07:14 AM, Lance Bragstad wrote:
>> After a little head scratching and a Pantera playlist later, we ended up
>> figuring out the main causes. The failures can be found in the gate
The patch to blacklist version 3.0.0 is working through the moment .
We also have a WIP patch proposed to handled the cases exposed by
On 07/21/2017 03:58 PM, Lance Bragstad
On Thu, Jul 20, 2017 at 5:41 PM, Lance Bragstad <lbrags...@gmail.com> wrote:
> Happy Thursday,
> We just released keystoneauth 3.0.0 , which contains a bunch of
> built-in functionality to handle ve
Nearly all of today's activity in office hours consisted of bug triage.
We now have a list of target bugs for rc1 . Full logs can be found
below . The following is a summary of what was accomplished:
Bug #1669080 in OpenStack Identity (keystone): ""openstack role create"
, Lance Bragstad wrote:
> Hey all,
> I've started an etherpad  for us to collect topics and ideas for the
> PTG in September. I hope to follow the same planning format as last
> time. Everyone has the opportunity to add topics to the agenda and after
> some time we'll gr
There isn't anything on the agenda for today's policy meeting  and I
know several members of the team are wrapping things up for pike-3. As a
result, I'm canceling the policy meeting today and we can reconvene next
week after the dust settles.
participants: gagehugo, kaerie
Reproposed patch in review
For what it's worth, I also apparently thought office hours occurred on
the 7th when it was actually on the 11th.
On 07/11/2017 08:35 PM, Lance Bragstad wrote:
> Hey all,
> This is a summary of what was worked on today
> On Fri, Jul 21, 2017 at 11:40 PM, Lance Bragstad <lbrags...@gmail.com>
> > On Fri, Jul 21, 2017 at 9:39 PM, Monty Taylor <mord...@inaugust.com>
This is a day late, but here is the summary for what we worked on during
office hours yesterday. The full log can be found below .
Bug #1689888 in OpenStack Identity (keystone): "/v3/users is
>> On Wed, Jun 28, 2017 at 2:00 AM, Lance Bragstad
>> <lbrags...@gmail.com <mailto:lbrags...@gmail.com>> wrote:
>> Hi all,
>> Keystone has deprecated the domain configuration upload
On 06/28/2017 03:20 PM, Ben Nemec wrote:
> On 06/28/2017 02:47 PM, Lance Bragstad wrote:
>> On 06/28/2017 02:29 PM, Fox, Kevin M wrote:
>>> I think everyone would benefit from a read-only role for keystone
>>> out of the box. Can we get this
I've created a new official tag, 'office-hours' . If you're reviewing
or triaging bugs and come across one that would be a good fit for us to
tackle during office hours, please feel free to tag it. I was
maintaining lists locally, and I'm sure you were, too. This should help
d, Jun 28, 2017 at 2:00 AM, Lance Bragstad <lbrags...@gmail.com
> <mailto:lbrags...@gmail.com>> wrote:
> Hi all,
> Keystone has deprecated the domain configuration upload capability
> provided through `keystone-manage`. We discussed it's removal in
On 06/28/2017 02:29 PM, Fox, Kevin M wrote:
> I think everyone would benefit from a read-only role for keystone out of the
> box. Can we get this into keystone rather then in the various distro's?
Yeah - I think that would be an awesome idea. John Garbutt had some good
work on this earlier in
Keystone's stable/newton gate is broken  . The TL;DR is that our
keystone_tempest_plugin is validating federated mappings before updating
the protocol . The lack of validation was a bug  that was fixed in
Ocata, but the fix  was never backported.
Since stable/newton is in Phase II,
I've started an etherpad  for us to collect topics and ideas for the
PTG in September. I hope to follow the same planning format as last
time. Everyone has the opportunity to add topics to the agenda and after
some time we'll group related topics and start building a formal schedule.
101 - 200 of 497 matches
Mail list logo