Friday, 2014-02-28

*** dolphm_503 is now known as dolphm00:04
*** nkinder has joined #openstack-keystone00:05
*** david-lyle has quit IRC00:13
*** thedodd has quit IRC00:13
*** topol has joined #openstack-keystone00:15
*** dolphm is now known as dolphm_50300:16
*** amcrn_ has joined #openstack-keystone00:39
*** amcrn has quit IRC00:40
*** openstack has joined #openstack-keystone00:48
*** gokrokve has quit IRC00:49
*** gokrokve has joined #openstack-keystone00:49
*** chandankumar_ has joined #openstack-keystone00:50
*** topol has quit IRC00:54
*** gokrokve has quit IRC00:54
*** richm has quit IRC01:00
*** openstack has joined #openstack-keystone01:00
*** chandankumar_ has quit IRC01:08
*** chandankumar_ has joined #openstack-keystone01:08
*** achampion has joined #openstack-keystone01:14
*** openstack has quit IRC01:26
*** openstack has joined #openstack-keystone01:29
*** morganfainberg is now known as morganfainberg_Z01:30
*** stevemar has joined #openstack-keystone01:32
*** ChanServ sets mode: +v stevemar01:32
jamielennoxbknudson: the v2 and v3 auth plugins merged over the last few days. I had done everything you had commented on for v2 but i don't think you even saw v3. If you want to comment i'll fix your concerns in a new patch01:32
bknudsonjamielennox: sorry I didn't have time to review it but since we were asked to look at the i3 stuff I've been reviewing that.01:33
bknudsonand there's a lot of i3 stuff01:33
*** nkinder has quit IRC01:33
bknudsonI liked it, it just was making non-backwards compatible changes.01:34
jamielennoxbknudson: yea, i'm not trying to push - there is a lot to review, but you were fairly involved in the v2 one so i assumed you might have the same on v3 and it flew by01:34
jamielennoxany backwards compat issues should have been fixed when it was rebased onto the v2 patch01:34
*** gokrokve has joined #openstack-keystone01:35
*** marcoemorais has quit IRC01:48
*** stevemar has quit IRC01:52
*** dolphm_503 is now known as dolphm02:16
*** dstanek has joined #openstack-keystone02:20
*** ChanServ sets mode: +v dstanek02:20
*** zhiyan_ is now known as zhiyan02:21
*** david-lyle has joined #openstack-keystone02:37
*** dolphm is now known as dolphm_50302:37
*** gokrokve has quit IRC02:42
*** gokrokve has joined #openstack-keystone02:43
*** gokrokve has quit IRC02:43
*** devlaps has quit IRC02:44
*** raies has joined #openstack-keystone02:54
raieshi someone02:55
raieswhen I tried the following using admin user: curl -i -X POST http://10.0.9.40:35357/v2.0/users/36ea121ef93c4946baa33bd6ba1a094d/OS-KSADM/credentials -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"passwordCredentials": {"username": "TU1", "password": "Password"}}'02:57
raiesthen error 404 Not Found is displayed02:57
raiesplease someone help on this02:57
raiesActually I want to test credentials API02:58
raiesand I tried above method but 404 error message is displayed02:58
raiesso can someone help me here02:58
*** Kanagaraj has joined #openstack-keystone02:59
raiesKanagaraj: how to check credential APIs03:02
raies??03:02
*** stevemar has joined #openstack-keystone03:03
*** ChanServ sets mode: +v stevemar03:03
*** devlaps has joined #openstack-keystone03:05
*** lbragstad has joined #openstack-keystone03:07
*** arosen has left #openstack-keystone03:08
*** arunkant has quit IRC03:14
*** devlaps has quit IRC03:15
*** devlaps has joined #openstack-keystone03:24
*** henrynash has joined #openstack-keystone03:32
*** devlaps has quit IRC03:40
*** henrynash has quit IRC03:44
*** chandan_kumar has joined #openstack-keystone03:45
*** henrynash has joined #openstack-keystone03:49
*** henrynash has quit IRC03:55
*** harlowja is now known as harlowja_away03:55
*** chandan_kumar has quit IRC03:57
*** achampion has quit IRC04:08
*** devlaps has joined #openstack-keystone04:13
*** devlaps has quit IRC04:13
*** devlaps has joined #openstack-keystone04:14
*** amcrn has quit IRC04:14
*** lnxnut has joined #openstack-keystone04:15
*** devlaps has quit IRC04:15
*** devlaps has joined #openstack-keystone04:26
*** devlaps has quit IRC04:26
*** openstack has joined #openstack-keystone04:38
*** lbragstad has quit IRC04:42
*** openstack has quit IRC04:48
*** openstack has joined #openstack-keystone04:50
*** chandan_kumar has joined #openstack-keystone04:54
*** openstack has joined #openstack-keystone05:02
*** david_lyle_ has joined #openstack-keystone05:02
*** marcoemorais has joined #openstack-keystone05:05
*** zhiyan- has joined #openstack-keystone05:06
*** openstack has quit IRC05:10
*** openstack has joined #openstack-keystone05:16
*** openstack has quit IRC05:22
*** openstack has joined #openstack-keystone05:23
*** openstack has quit IRC05:28
*** openstack has joined #openstack-keystone05:29
*** dickson.freenode.net sets mode: +ns 05:29
*** dickson.freenode.net sets mode: -o openstack05:30
-dickson.freenode.net- *** Notice -- TS for #openstack-keystone changed from 1393565362 to 137738402405:30
*** dickson.freenode.net sets mode: +ct-s 05:30
*** tellesnobrega has joined #openstack-keystone05:30
*** zhiyan has joined #openstack-keystone05:30
*** marcoemorais has joined #openstack-keystone05:30
*** david_lyle_ has joined #openstack-keystone05:30
*** lbragstad has joined #openstack-keystone05:30
*** dstanek_afk has joined #openstack-keystone05:30
*** Kanagaraj has joined #openstack-keystone05:30
*** raies has joined #openstack-keystone05:30
*** chandankumar_ has joined #openstack-keystone05:30
*** topol_ has joined #openstack-keystone05:30
*** YorikSar has joined #openstack-keystone05:30
*** bknudson has joined #openstack-keystone05:30
*** orion195 has joined #openstack-keystone05:30
*** jamielennox has joined #openstack-keystone05:30
*** jraim has joined #openstack-keystone05:30
*** huats has joined #openstack-keystone05:30
*** luisbg has joined #openstack-keystone05:30
*** rwsu has joined #openstack-keystone05:30
*** florentflament has joined #openstack-keystone05:30
*** amerine has joined #openstack-keystone05:30
*** harlowja_away has joined #openstack-keystone05:30
*** ChanServ has joined #openstack-keystone05:30
*** lari_ has joined #openstack-keystone05:30
*** morganfainberg_Z has joined #openstack-keystone05:30
*** dickson.freenode.net sets mode: +vvoo dstanek_afk jamielennox ChanServ morganfainberg_Z05:30
*** mhu has joined #openstack-keystone05:30
*** zigo has joined #openstack-keystone05:30
*** chmouel has joined #openstack-keystone05:30
*** koolhead17 has joined #openstack-keystone05:30
*** simo has joined #openstack-keystone05:30
*** dtroyer has joined #openstack-keystone05:30
*** Daviey has joined #openstack-keystone05:30
*** anteaya has joined #openstack-keystone05:30
*** mfisch has joined #openstack-keystone05:30
*** dolphm_503 has joined #openstack-keystone05:30
*** marekd has joined #openstack-keystone05:30
*** sudorandom has joined #openstack-keystone05:30
*** dickson.freenode.net sets mode: +vo morganfainberg_Z dolphm_50305:30
*** dickson.freenode.net changes topic to "[ Icehouse Milestone 3 Bugs and Blueprints https://launchpad.net/keystone/+milestone/icehouse-3 ] [ Icehouse Feature Freeze March 4, Features must be merged ]"05:30
*** openstack has quit IRC05:34
*** openstack has joined #openstack-keystone05:44
*** Kanagaraj has quit IRC05:49
*** jraim has quit IRC05:49
*** chandankumar_ has quit IRC05:49
*** YorikSar has quit IRC05:49
*** huats has quit IRC05:49
*** florentflament has quit IRC05:49
*** bknudson has quit IRC05:49
*** jamielennox has quit IRC05:49
*** harlowja_away has quit IRC05:49
*** sudorandom has quit IRC05:49
*** tellesnobrega has quit IRC05:49
*** zhiyan has quit IRC05:49
*** lbragstad has quit IRC05:49
*** amerine has quit IRC05:49
*** topol_ has quit IRC05:49
*** rwsu has quit IRC05:49
*** dtroyer has quit IRC05:49
*** Daviey has quit IRC05:49
*** simo has quit IRC05:49
*** dolphm_503 has quit IRC05:49
*** mfisch has quit IRC05:49
*** koolhead17 has quit IRC05:49
*** chmouel has quit IRC05:49
*** zigo has quit IRC05:49
*** mhu has quit IRC05:49
*** lari_ has quit IRC05:49
*** ChanServ has quit IRC05:49
*** morganfainberg_Z has quit IRC05:49
*** raies has quit IRC05:49
*** orion195 has quit IRC05:49
*** marcoemorais has quit IRC05:49
*** david_lyle_ has quit IRC05:49
*** dstanek_afk has quit IRC05:49
*** marekd has quit IRC05:49
*** anteaya has quit IRC05:49
*** luisbg has quit IRC05:49
*** tellesnobrega has joined #openstack-keystone05:51
*** zhiyan has joined #openstack-keystone05:51
*** marcoemorais has joined #openstack-keystone05:51
*** david_lyle_ has joined #openstack-keystone05:51
*** lbragstad__ has joined #openstack-keystone05:51
*** dstanek_afk has joined #openstack-keystone05:51
*** Kanagaraj has joined #openstack-keystone05:51
*** raies has joined #openstack-keystone05:51
*** chandankumar_ has joined #openstack-keystone05:51
*** topol_ has joined #openstack-keystone05:51
*** YorikSar has joined #openstack-keystone05:51
*** bknudson has joined #openstack-keystone05:51
*** orion195 has joined #openstack-keystone05:51
*** jamielennox has joined #openstack-keystone05:51
*** jraim has joined #openstack-keystone05:51
*** huats has joined #openstack-keystone05:51
*** luisbg has joined #openstack-keystone05:51
*** rwsu has joined #openstack-keystone05:51
*** florentflament has joined #openstack-keystone05:51
*** amerine has joined #openstack-keystone05:51
*** harlowja_away has joined #openstack-keystone05:51
*** ChanServ has joined #openstack-keystone05:51
*** lari_ has joined #openstack-keystone05:51
*** morganfainberg_Z has joined #openstack-keystone05:51
*** dickson.freenode.net sets mode: +vvoo dstanek_afk jamielennox ChanServ morganfainberg_Z05:51
*** mhu has joined #openstack-keystone05:51
*** zigo has joined #openstack-keystone05:51
*** chmouel has joined #openstack-keystone05:51
*** koolhead17 has joined #openstack-keystone05:51
*** simo has joined #openstack-keystone05:51
*** dtroyer has joined #openstack-keystone05:51
*** Daviey has joined #openstack-keystone05:51
*** anteaya has joined #openstack-keystone05:51
*** mfisch has joined #openstack-keystone05:51
*** dolphm_503 has joined #openstack-keystone05:51
*** marekd has joined #openstack-keystone05:51
*** sudorandom has joined #openstack-keystone05:51
*** dickson.freenode.net sets mode: +vo morganfainberg_Z dolphm_50305:51
*** openstack has quit IRC06:09
*** openstack has joined #openstack-keystone06:10
-dickson.freenode.net- [freenode-info] why register and identify? your IRC nick is how people know you. http://freenode.net/faq.shtml#nicksetup06:10
*** zhiyan has left #openstack-keystone06:27
*** jamielennox is now known as jamielennox|away07:07
*** andreaf has joined #openstack-keystone07:15
*** Kanagaraj has quit IRC07:23
*** saju_m has joined #openstack-keystone07:32
*** david_lyle_ has quit IRC07:45
*** marcoemorais has quit IRC07:55
*** marcoemorais has joined #openstack-keystone07:57
*** marcoemorais has quit IRC08:01
*** dstanek_afk has quit IRC08:02
*** topol_ has quit IRC08:12
*** andreaf has quit IRC08:15
*** andreaf has joined #openstack-keystone08:20
*** leseb has joined #openstack-keystone08:23
*** marcoemorais has joined #openstack-keystone08:26
*** bvandenh_ has joined #openstack-keystone08:28
*** marcoemorais has quit IRC08:30
*** marcoemorais has joined #openstack-keystone09:27
*** marcoemorais has quit IRC09:32
*** zoresvit has joined #openstack-keystone09:39
*** zoresvit has quit IRC09:40
*** zoresvit has joined #openstack-keystone09:40
*** zoresvit has quit IRC09:44
*** saju_m has quit IRC09:49
*** saju_m has joined #openstack-keystone09:50
*** xuhanp has joined #openstack-keystone09:58
xuhanpdolphm_503, ping09:59
*** xuhanp has quit IRC10:06
*** bvandenh_ has quit IRC10:22
*** marcoemorais has joined #openstack-keystone10:28
*** marcoemorais has quit IRC10:32
*** marcoemorais has joined #openstack-keystone11:29
*** marcoemorais has quit IRC11:33
*** leseb has quit IRC12:03
*** leseb has joined #openstack-keystone12:21
*** marcoemorais has joined #openstack-keystone12:29
*** topol has joined #openstack-keystone12:30
*** leseb has quit IRC12:31
*** marcoemorais has quit IRC12:34
*** dstanek_afk has joined #openstack-keystone12:53
*** ChanServ sets mode: +v dstanek_afk12:53
*** ayoung has joined #openstack-keystone13:20
*** dstanek_afk is now known as dstanek13:22
*** marcoemorais has joined #openstack-keystone13:30
*** marcoemorais has quit IRC13:34
*** leseb has joined #openstack-keystone13:51
*** leseb has quit IRC13:55
*** dolphm_503 is now known as dolphm13:58
*** browne has joined #openstack-keystone14:03
*** leseb has joined #openstack-keystone14:06
*** sdague has joined #openstack-keystone14:10
sdaguehey, so - https://bugs.launchpad.net/cinder/+bug/1285833 is hitting us in the gate about twice a day, and looks like a very not good race14:10
sdagueI think I remember this issue before, where there is a race in token cache where it's not atomic, thus corrupting itself when running in a multi process environment (which the API server is always going to be)14:12
dolphmraies: i'm not actually sure if keystone implements that API... you might be interested in https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#credentials-v3credentials14:13
dolphmsdague: hmm, i'll try to reproduce14:14
sdaguewe're getting this about twice a day in the gate14:14
bknudsonsdague: dolphm: I think I was looking at this just the other day with nova-api... there are multiple caches created. One per process.14:15
dolphmsdague: do you actually think it's new?14:15
sdaguedolphm: it's got hits going back 2 weeks14:15
bknudsonoh, no, this is different.14:15
dolphmsdague: but that's as long as the archive goes back, right?14:15
sdagueso I don't think so. This just seems really like an old issue I remember around revoke cache14:16
sdaguedolphm: correct14:16
sdaguebut also realize that with parallelism lower in the gate now, we'd actually be finding issues like this less often14:16
sdaguebknudson: how are the caches created?14:17
dolphmsdague: there's a couple caches in auth_token -- this one is just on disk per process unless you configure it otherwise14:17
sdagueor more importantly, when are they created14:17
bknudsonsdague: this was a different issue with in-memory caching of tokens, not the certificates.14:17
sdaguedolphm: ok, when is that created? when keystone client loads, or on first call to it?14:18
dolphmsdague: i'm double checking...14:18
sdaguebecause workers are spawned late14:18
dolphmsdague: on __init__14:19
dolphmsdague: so, each worker would have their own cache unless you set [auth_token] signing_dir14:19
sdagueand if you set signing_dir?14:19
sdaguethen there is no protection?14:20
dolphmsdague: if you set signing_dir, then they're probably racing to populate the cache14:20
sdagueso, in the gate, we're always setting signing_dir14:20
*** saju_m has quit IRC14:21
*** leseb has quit IRC14:21
dolphmsdague: unsetting it might be the simplest solution, along with increasing revocation_cache_time to correspondingly reduce the load14:21
sdagueso that seems like keystone client should be locking that access14:21
*** leseb has joined #openstack-keystone14:21
dolphmrevocation_cache_time should be increased anyway, it's stupid low14:21
dolphmsdague: our default anyway14:22
sdaguedolphm: I don't think it's acceptable to say "you can't set signing_dir and not race"14:22
sdagueif it's a valid config option, keystone client needs to not be inherently racy here14:22
sdaguesounds like it needs locking around cache access14:23
dolphmsdague: honestly i doubt there's not much gain to having it end-user configurable anyway (vs. just having each worker cache it themselves)14:23
sdagueso if it wasn't configurable, where would you be putting it?14:23
*** ayoung has quit IRC14:24
*** leseb has quit IRC14:25
dolphmsdague: if you don't set it, it uses tempfile.mkdtemp() per worker (personally i'd rely on that behavior)14:27
sdaguedolphm: so the use of signing_dir is *all over* all the documentation around openstack14:28
bknudsoncould keystoneclient do locking to avoid this?14:28
sdaguebknudson: I would think so14:28
bknudsonwould that be an eventlet function or a lockfile or something?14:29
sdaguedolphm: so if you are removing signing_dir entirely from keystone14:29
dolphmbknudson: yes14:29
bknudsonmaybe there's an example somewhere14:29
sdaguethat's fine14:29
sdaguebut if you aren't, this needs to be fixed14:29
dolphmbknudson: client side dogpile?14:29
sdaguebknudson: yeh, oslo lockutils makes this pretty easy14:29
dolphmsdague: haven't heard of that -- looking...14:29
*** marcoemorais has joined #openstack-keystone14:31
bknudsonI just wonder if we can use lockutils in keystoneclient ... it's got config options... where would it get them from?14:31
dolphmbknudson: auth_token gets CONF from paste14:32
bknudsondolphm: right, but lockutils registers oslo.config options -- http://git.openstack.org/cgit/openstack/oslo-incubator/tree/openstack/common/lockutils.py#n4814:32
bknudsonI guess we could copy the code and get rid of that part.14:33
dolphmbknudson: unless i'm misunderstanding, you should be able to set those options in the paste filter configuration14:33
dolphmbknudson: right next to the conf for signing_dir, for example14:34
sdagueso if you want multi process support you need to set a lock path14:34
sdaguebecause of the way it works with open filedescriptors14:34
sdaguehow is multiprocess locking done today in keystone?14:35
sdagueor keystoneclient?14:35
*** marcoemorais has quit IRC14:35
sdagueactually, hold on, the lockpath will be set in nova14:35
bknudsonsdague: we don't do any... it's typically handled by the backend (database or memcache)14:35
sdagueso keystone client will just get that14:36
bknudsonor LDAP14:36
sdaguebknudson: client side14:36
sdaguenot the server14:36
*** ayoung has joined #openstack-keystone14:36
dolphmsdague: possibly hacky, but we could just default the lock path to signing_dir?14:36
sdaguedolphm: no, you should just let the caller set it14:37
sdaguewhich nova will14:37
sdagueor cinder14:37
sdagueor any of it14:37
bknudsonsdague: I don't think the client library itself would do any locking... and the middleware is obviously not doing it now.14:37
dolphmsdague: right, but i just meant as the default14:37
sdaguebknudson: if the client is opening files, it has to do locking14:37
sdaguedolphm: there is no default for a reason14:38
dolphmif OSLO_LOCK_PATH isn't set either14:38
sdaguebecause if lockpath isn't secured correctly14:38
sdagueit's a problem14:38
sdaguethere was a long thread on that a couple months ago14:38
bknudsonif the application is already setting the config options for us then that shouldn't be a problem.14:38
sdagueright, exactly14:38
bknudsonisn't it going to say the options are already registered if keystoneclient tries to register the options?14:40
lbragstad__would we need to register them? or do we just use them?14:41
*** lbragstad__ is now known as lbragstad14:41
bknudsonlbragstad: the options are registered on import of the lockutils module14:41
sdaguebknudson: that's a good question14:41
bknudsonso keystoneclient would have a copy of lockutils and so would nova14:41
sdaguehonestly, oslo folks might be needed there14:41
sdagueto understand14:41
bknudsonso they'd both do CONF.register_opts(util_opts)14:41
sdagueright14:41
lbragstadah14:41
sdaguelet's go take this to -dev14:41
bknudsonif lockutils was in a oslo.lockutils library rather than copying then that should be safe14:42
sdagueyeh, if wishes were horses ....14:43
bknudsonI could have sworn we made this safe when we did the rename of the file rather than writing to it.14:43
bknudsonoh, that's the revocation list.14:44
bknudsonmaybe we need to do the same with the cert files, too.14:44
bknudsonhttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n134214:45
bknudsonand here's writing the cert file: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n137414:45
bknudsonit just overwrites the file.14:45
bknudsonso if we did write to a temp file and then rename that should be safe.14:46
bknudsonunless readers are closing and opening their file all the time.14:46
sdaguebknudson: you tell me14:46
sdaguebecause I don't know how often that's happening, because it's all keystone under the covers14:47
dolphmbknudson: two of them are used by openssl (certs), one is used by keystoneclient (revocation list)14:48
dolphmbknudson: they're all in signing_dir14:48
bknudsonthe revocation list happens more often, like every second14:49
sdagueright, so basically from what I can see every write call in auth_token.py needs to be wrapped in something that makes it atomic14:51
sdaguebe that locking, or tempfile renaming14:51
*** leseb has joined #openstack-keystone14:52
* dolphm my brother is having a baby right now so i'm going to run away for a bit14:52
sdagueenjoy14:53
*** dolphm is now known as dolphm_50314:53
*** leseb has quit IRC14:53
*** leseb has joined #openstack-keystone14:53
*** leseb has quit IRC14:58
*** sdague has left #openstack-keystone15:16
topolbknudson, so if I want to add some docs for the keystone CADF audit support for authentication is that patch considered a bug or do I just say the patch implements the audit blueprint I used to add the feature?15:20
bknudsontopol: if the blueprint is closed already then shouldn't use the blueprint15:20
bknudsonbut if it's still open then can use it15:21
*** richm has joined #openstack-keystone15:21
*** lnxnut has joined #openstack-keystone15:24
lbragstadtopol: I had to do that with the notification stuff too, after the initial implementation the blueprint was closed, so I had to create another one to use in the patch for notifications on trusts.15:26
topollbragstad, for docs couldn't I just open a bug?15:26
lbragstadeither or I guess. I did a blueprint since it was extending the use of notifications to OS-TRUST. I could see a bug working too15:27
*** simo has left #openstack-keystone15:28
*** marcoemorais has joined #openstack-keystone15:32
*** stevemar has joined #openstack-keystone15:34
*** ChanServ sets mode: +v stevemar15:34
*** chandan_kumar has joined #openstack-keystone15:35
*** marcoemorais has quit IRC15:36
*** david_lyle_ has joined #openstack-keystone15:37
bknudsontopol: you can open a bug15:42
bknudsonor just do it without a bug or blueprint15:42
topolbknudson, thanks!15:43
*** nkinder has joined #openstack-keystone15:45
*** lbragstad has quit IRC15:50
*** topol has quit IRC15:54
*** leseb has joined #openstack-keystone15:54
*** leseb has quit IRC15:59
*** leseb has joined #openstack-keystone16:02
*** leseb has quit IRC16:16
*** leseb has joined #openstack-keystone16:16
*** YorikSar has quit IRC16:17
*** thedodd has joined #openstack-keystone16:18
*** leseb has quit IRC16:21
*** lbragstad has joined #openstack-keystone16:21
*** chandan_kumar has quit IRC16:29
*** leseb has joined #openstack-keystone16:30
stevemardolphm_503, dstanek can you take a look at the saml patch: we're at +2 so far, need another set of eyes on it: https://review.openstack.org/#/c/71353/16:42
dstanekstevemar: sure thing16:42
dstanekstevemar: i some discussion about the empty policy the other day. is that OK to have?16:49
marekddstanek: i think dolphm_503 liked it, ayoung eventually too16:50
*** david_lyle_ is now known as david-lyle16:50
ayoungstevemar, I'll +2 anything today16:50
dstanekmarekd: what does it mean when it's empty?16:50
marekddstanek: well, basically when i was trying to put rule_owner for instance, i was failing cause obviously a user doesn't exist in the backend. So I can access /OS-FEDERATION/projects just because I have a token, and nothing more.16:52
marekddstanek: the call /OS-FEDERATION/projects is to list all accessible projects a federated user can access, as a member of set of keystone groups.16:52
*** lbragstad has quit IRC16:53
marekddstanek: /OS-FEDERATION/projects or /OS-FEDERATION/domains..but i am using a shortcut here.16:53
*** henrynash has joined #openstack-keystone16:54
dstanekmarekd: ah i see and if you don't have a token what is the expected status code?16:54
ayoungmarekd, stevemar interesting concept of writing the controller in Assignments and mapping the route in the extension.  I like that.16:54
*** nkinder has quit IRC16:54
marekdayoung: cool!16:56
marekddstanek: well, it should fail if the token is not present in the backend16:59
ayoungmarekd, stevemar, I +2e .  Didn't approve to give dolph a few to chime back in.  If he doesn't, or gives you an IRC thumbs up, stevemar can push the approve button16:59
dstanekmarekd: 5xx fail or a 4xx fail?16:59
*** orion195 has quit IRC16:59
marekddstanek: let me check17:00
dstanekmarekd: maybe there is a test already defining that behavior?17:00
marekddstanek: there is not, just locally extended it and it looks like you get HTTP 401.17:06
*** marcoemorais has joined #openstack-keystone17:06
*** nkinder has joined #openstack-keystone17:07
dstanekmarekd: is the documentation on line 44 https://review.openstack.org/#/c/71353/43/keystone/auth/plugins/saml2.py accurate?17:09
dstanekmarekd: it doesn't seem to always set the identity_provider and protocol  - and i'm not sure where to find the federated_token17:10
*** gyee has joined #openstack-keystone17:11
ayoungdstanek, If there is no token, the controller will not even let you into the method17:12
ayoungdstanek, that is the difference between @controller.protected with a rule of [] and no decorator17:12
marekddstanek: yeah, you are right. at some point the token 'dictionary' was flattened, hence federated_token object was removed.17:13
dstanekayoung: are you talking about authenticate?17:13
ayounghttps://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L5217:13
ayoungdstanek, nope17:13
marekddstanek: about policies i guess17:13
dstanekmarekd: ok, the doc confused me a little17:13
ayoungdstanek, policies17:13
marekddstanek: sorry17:13
dstanekayoung: ah, i gotcha17:14
dstanekmarekd: looks like it's just a little out of date then17:14
marekdayoung: BTW, what's the difference between policy '' and [] ? Something new and fancy, depicted by [] ?17:14
marekddstanek: yes :(17:14
ayoungso anything with @controller.protected does a token lookup.  If it is not present raise exception.Unauthorized()17:14
ayoungmarekd, heh...I wish we had used what was supposed to be the standard for always pass, which is '@'17:15
dstanekmarekd: also the identity_provider and protocol - should they always be set or only on an unscoped token?17:15
ayoungmarekd, but, I mean ""17:15
*** lbragstad has joined #openstack-keystone17:16
marekddstanek: also, the identity_provider and protocol variables are only set when dealing with unscoped_token.17:17
dstanekmarekd: k, the docs to me seemed to imply that they were always set17:18
ayoungstevemar, quid-pro-quo  https://review.openstack.org/#/c/55908/   I merged in the SQL and RevokeByTree pieces.  The majority of the patch is unchanged from the last bknudson review modulo I made the changes he suggested17:19
marekddstanek: this docstring should be changed so it describes the situation appropriately.17:19
marekddstanek: eventually :-)17:20
dstanekmarekd: i commented and let it as a 0 - i do think that the docs should be fixed sooner rather than later17:25
dstaneks/let/left/17:25
marekddstanek: understood.17:25
dstanekmarekd: ..and nice job!17:26
marekddstanek: thanks, stevemar  did a good damn contribution here as well.17:27
*** lbragstad has quit IRC17:37
*** david-lyle has quit IRC17:39
*** openstack has joined #openstack-keystone22:50
morganfainbergoh eavesdrop is back!22:51
* morganfainberg waves at openstack 22:51
morganfainbergbeen gone most of the day22:51
*** lnxnut has joined #openstack-keystone22:54
*** lbragstad has quit IRC23:02
krsnamorganfainberg, This is one of my first contributions. Just wanted to make sure I did things to desired specifications and requirements. https://review.openstack.org/#/c/77294/ Does that seem half way decent?23:19
*** stevemar has quit IRC23:21
*** dolphm_503 has quit IRC23:24
*** wchrisj has joined #openstack-keystone23:30
ayoung_morganfainberg, do we have a way of converting a v2 token into a v3?23:30
wchrisjI'm looking for the Keystone v3 auth endpoint in my recent devstack install. Is there something I can do to activate that endpoint?23:31
ayoung_wchrisj, nope23:31
ayoung_there are no "versioned" endpoints23:32
ayoung_there are only identity endpoints23:32
*** ayoung_ is now known as ayoung23:32
*** openstack has quit IRC23:36
*** openstack has joined #openstack-keystone23:41
*** lnxnut has quit IRC23:43
*** richm1 has quit IRC23:43
*** lnxnut has joined #openstack-keystone23:43
*** dolphm_503 has joined #openstack-keystone23:43
*** dolphm_503 is now known as dolphm23:43
*** richm has joined #openstack-keystone23:49
morganfainbergayoung, uhm not really23:51
*** lnxnut has quit IRC23:52
morganfainbergayoung, i mean you could just tell the provider to make you a v3 token from the v2 token id.23:52
morganfainbergayoung, i _think_ that would work, might need a line of code change though23:52
