Tuesday, 2014-05-06

jamielennoxanyway, every time i've tried to convert a client i've ended up needing something like that, but you can always just implement what you need of it within barbican for now00:01
jamielennoxthe -SDK project is doing a 'presentation' layer so that you can abstract things like JSON vs XML00:01
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.  https://review.openstack.org/8494500:02
jamielennoxi don't consider service_type etc to be part of the 'presentation', but it's similar00:02
jamielennoxgyee: also IMO, barbican shouldn't make it's own shell - it should just use OSC00:03
jamielennoxi wrote a plugin for OSC the other day, it's not well explained but it's not that hard to figure out00:03
gyeejamielennox, does OCS allow all the keystone v3 args now?00:04
jamielennoxgyee: it has the v3 CRUD operaions00:04
jamielennoxi'm not sure about v3 auth00:04
gyeejamielennox, looks like it has the v3 auth args00:13
jamielennoxgyee: https://github.com/jamielennox/python-kiteclient/blob/testing/kiteclient/cli/v1.py is what i needed to create an external plugin to OSC00:15
jamielennoxalso the setup.cfg file00:15
*** marcoemorais has quit IRC00:16
gyeejamielennox, I'll probably need to break it up into two patches00:17
gyeeone for keystoneclient integration, and the other for OSC integration00:17
*** marcoemorais has joined #openstack-keystone00:18
jamielennoxgyee: yea, two very different issues, i was just looking through the comments on that review00:18
bknudsondstanek: ever get this running tox -e py33 -- db type could not be determined00:18
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions  https://review.openstack.org/8114600:22
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog  https://review.openstack.org/7459900:22
*** dims has joined #openstack-keystone00:24
*** nkinder has joined #openstack-keystone00:25
dstanekbknudson: in server or client?00:27
bknudsondstanek: client00:27
dstanekbknudson: i have not, but i'll try it a few times now00:28
dstanekdo you get a stacktrace?00:28
bknudsonah, I removed .testrepository00:28
*** gokrokve has joined #openstack-keystone00:28
bknudsonnow it seems to be working.00:28
bknudsonprints out a bunch of stuff that py27 doesn't00:29
bknudsonsigning_dir mode is 0o775 instead of 0o70000:29
bknudsonand was able to recreate the error00:29
bknudsonfor some reason I can't run a test by itself.00:32
jamielennoxgyee: commented: https://review.openstack.org/#/c/84945/00:37
dstanekbknudson: you can't run any of them?00:40
bknudsondstanek: they're running now that I deleted .testrepository00:40
bknudsondstanek: I can run all the tests but can't run a test by itself.00:40
dstanekbknudson: i'm recreating venv now to play around a little bit00:41
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator 2640847  https://review.openstack.org/9222800:41
bknudsondstanek: this worked on my system ^00:41
bknudsonadded a decode()00:41
*** serverascode has quit IRC00:42
*** serverascode has joined #openstack-keystone00:43
dstanekjust got the same 'db type could not be determined' error00:45
bknudsondstanek: rm -r .testrepository00:45
*** shakamunyi has joined #openstack-keystone01:05
*** amcrn has quit IRC01:09
gyeejamielennox, thanks, another patch coming :)01:13
gyeejamielennox, you want a separate patch just for this? https://review.openstack.org/#/c/84945/8/keystone/auth/core.py01:14
jamielennoxgyee: i assumed it was a mistake01:14
jamielennoxyou probably should it's not related to what you're doing01:14
gyeeI just corrected a typo01:14
*** zhiyan_ is now known as zhiyan01:15
gyeedon't feel like creating a bug and everything01:15
*** rodrigods has joined #openstack-keystone01:15
*** shakayumi has joined #openstack-keystone01:15
*** shakamunyi has quit IRC01:18
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.  https://review.openstack.org/8494501:19
*** dims has quit IRC01:26
*** marcoemorais has quit IRC01:30
jamielennoxi don't think you need bugs for that sort of thing01:39
*** sbfox has joined #openstack-keystone01:41
openstackgerritLi Ma proposed a change to openstack/keystone: Password trunction makes password insecure  https://review.openstack.org/7732501:49
*** jimbaker has quit IRC01:56
ayoungbknudson, so...the revocation list for compressed is going to be a pain in the tuchus to implement01:57
ayoungI didn't plan on compressing the revocation list, but in order to generate it, I'll need to generate the tokens first, and then sign them, and then generate the revocation list01:57
*** diegows has quit IRC01:58
ayoungquestion is whether I should bother compressing the revocation list, too01:58
jamielennoxayoung: isn't the 'id' based on the token that was issued?01:59
ayoungjamielennox, its a hash of it, yes01:59
jamielennoxso if that's compressed then it should work the same way01:59
ayoungjamielennox, but not of the raw data01:59
ayoungoh, yeah, it will work the same way01:59
jamielennoxas in if you take the hash of the compressed token01:59
ayoungits just the order of generating things in the example code.02:00
ayoungAll of the old code was in shell script02:00
ayoungI am not even sure where the revocation list came from, but it looks hand jammed02:00
jamielennoxfor testing you mean?02:00
ayoungjamielennox, what the order needs to be is :  sign the tokens,  generate the revocation list, sign the revocation list02:00
ayoungjamielennox, yeah02:00
ayoungI can't just add the revocation list to the things to sign, because the signed data is different every time02:01
*** sbfox has quit IRC02:03
ayoungjamielennox, so it would make more sense to generate the complete revocation list for the compressed token, and then to used the compressed list for compressed tokens and then uncompressed list for uncompressed tokens, but then reqaaly we should test the reverse too...and it is a big pain in the tuchas02:06
jamielennoxayoung: why don't you just do some compressed and some not02:07
ayoungjamielennox, "just?"02:08
jamielennoxi'm going to put a filter on IRC for that sort of word02:08
jamielennoxnot sure what i do in person yet02:08
ayoungjamielennox, because I am in a state where I need to mix shell with python, or rewrite my shell in python02:08
ayoungand I don't want to do that02:09
ayoungI want to get this patch in, not cause more churn02:09
jamielennoxso it's the generating of the list which is the issue?02:11
ayoungso,  to do that, I guess I inject the pkiz signature (md5) into the revocation list and sign with cms....but I swear someone is going to complain about that hack when the review the code in examples02:11
jamielennoxyou might need to store everything in the shell variables02:11
jamielennoxwhy, it's just another id in the list?02:12
ayoungI think I am just going to generate the whole list on the fly,  both pkiz and pki  format.02:12
jamielennoxright, you'll need to construct JSON in bash but it's not too bad02:12
ayoungnah, I'll do it in python02:12
jamielennoxit doesn't have to be pretty json02:13
*** mberlin has joined #openstack-keystone02:13
jamielennoxthe downside of doing it in python is the code is going to be almost exactly the same as the code you're testing02:14
*** mberlin1 has quit IRC02:14
jamielennoxbut given that we shell out to openssl that could be said of the current stuff02:14
*** richm has quit IRC02:15
*** bach has quit IRC02:23
*** rodrigods has quit IRC02:25
*** dims has joined #openstack-keystone02:28
*** zhiyan is now known as zhiyan_02:37
openstackgerritRichard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values  https://review.openstack.org/7600202:46
*** morganfainberg is now known as morganfainberg_Z02:46
*** praneshp_ has joined #openstack-keystone02:49
*** praneshp has quit IRC02:50
*** praneshp_ is now known as praneshp02:50
*** daneyon has quit IRC02:53
*** sbfox has joined #openstack-keystone02:53
*** daneyon has joined #openstack-keystone02:53
*** shakayumi has quit IRC02:58
ayounggit rebase origin/hamster02:59
*** bach has joined #openstack-keystone03:05
*** praneshp has quit IRC03:13
*** sbfox has quit IRC03:14
*** xianghui has joined #openstack-keystone03:14
*** dims has quit IRC03:17
*** sbfox has joined #openstack-keystone03:18
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118103:34
*** daneyon has quit IRC03:39
*** harlowja is now known as harlowja_away03:39
*** daneyon has joined #openstack-keystone03:39
*** harlowja_away is now known as harlowja03:45
*** ayoung has quit IRC03:48
*** xianghui has quit IRC03:51
*** xianghui has joined #openstack-keystone03:58
*** marcoemorais has joined #openstack-keystone04:05
*** sbfox has quit IRC04:05
*** dstanek is now known as dstanek_zzz04:08
*** dstanek_zzz is now known as dstanek04:14
*** chandan_kumar has joined #openstack-keystone04:20
*** chandan_kumar is now known as chandankumar04:26
*** kfox1111 has quit IRC04:33
*** daneyon has quit IRC04:45
*** sbfox has joined #openstack-keystone04:49
*** gabriel-bezerra is now known as gabriel-bezerra_04:53
*** gyee has quit IRC05:05
*** praneshp has joined #openstack-keystone05:20
*** harlowja is now known as harlowja_away05:22
*** toddnni has joined #openstack-keystone05:24
*** praneshp_ has joined #openstack-keystone05:26
*** praneshp has quit IRC05:27
*** praneshp_ is now known as praneshp05:27
*** dstanek is now known as dstanek_zzz05:30
*** gokrokve has quit IRC05:41
*** tomoiaga has joined #openstack-keystone05:45
*** dstanek_zzz has quit IRC05:53
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9028806:01
*** gokrokve has joined #openstack-keystone06:12
*** gokrokve has quit IRC06:16
*** tomoiaga has quit IRC06:20
*** sbfox has quit IRC06:26
*** praneshp has quit IRC06:28
*** bach has quit IRC06:28
*** tomoiaga has joined #openstack-keystone06:31
*** tomoiaga has quit IRC06:32
*** sbfox has joined #openstack-keystone06:33
*** sbfox has quit IRC06:38
*** Abhijeet has joined #openstack-keystone06:44
*** tomoiaga has joined #openstack-keystone06:44
*** leseb has joined #openstack-keystone06:47
*** stevemar has quit IRC06:49
*** Manishanker has joined #openstack-keystone07:11
*** gokrokve has joined #openstack-keystone07:12
*** leseb has quit IRC07:15
*** gokrokve has quit IRC07:17
*** marcoemorais has quit IRC07:19
*** jamielennox is now known as jamielennox|away07:29
*** jaosorior has joined #openstack-keystone07:42
*** andreaf has joined #openstack-keystone07:59
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter  https://review.openstack.org/9065607:59
*** andreaf has quit IRC08:00
*** marekd|away is now known as marekd08:00
*** andreaf has joined #openstack-keystone08:01
*** andreaf_ has joined #openstack-keystone08:02
*** andreaf_ has quit IRC08:03
*** andreaf has quit IRC08:05
*** leseb has joined #openstack-keystone08:06
*** gokrokve has joined #openstack-keystone08:13
*** gokrokve has quit IRC08:17
*** ekarlso has quit IRC08:29
*** ekarlso has joined #openstack-keystone08:29
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851708:31
*** gokrokve has joined #openstack-keystone09:14
*** gokrokve has quit IRC09:18
*** xianghui has quit IRC09:31
*** xianghui has joined #openstack-keystone09:37
*** morganfainberg_Z has quit IRC09:50
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor create_trust for readability  https://review.openstack.org/9094309:57
*** morganfainberg_Z has joined #openstack-keystone09:59
openstackgerritA change was merged to openstack/python-keystoneclient: Synced jsonutils from oslo-incubator  https://review.openstack.org/9108010:03
*** gokrokve has joined #openstack-keystone10:14
*** gokrokve has quit IRC10:19
*** andreaf has joined #openstack-keystone10:19
*** leseb has quit IRC10:20
*** leseb has joined #openstack-keystone10:21
*** jimbaker has joined #openstack-keystone10:23
*** jimbaker has quit IRC10:23
*** jimbaker has joined #openstack-keystone10:23
*** leseb has quit IRC10:25
*** bvandenh has joined #openstack-keystone10:46
*** bvandenh has quit IRC10:52
*** bvandenh has joined #openstack-keystone10:52
*** xianghui has quit IRC10:53
*** bvandenh has quit IRC10:53
*** bvandenh has joined #openstack-keystone10:54
*** bvandenh has quit IRC10:54
*** bvandenh has joined #openstack-keystone10:55
*** bvandenh has quit IRC10:57
*** bvandenh has joined #openstack-keystone10:57
*** bvandenh has quit IRC11:05
*** leseb has joined #openstack-keystone11:07
*** diegows has joined #openstack-keystone11:12
*** leseb has quit IRC11:12
*** dims_ has joined #openstack-keystone11:12
*** gokrokve has joined #openstack-keystone11:15
*** bvandenh has joined #openstack-keystone11:18
*** gokrokve has quit IRC11:20
*** leseb has joined #openstack-keystone11:29
*** leseb has quit IRC11:31
*** leseb has joined #openstack-keystone11:31
*** leseb has quit IRC11:35
*** Abhijeet has quit IRC11:38
*** leseb has joined #openstack-keystone11:43
*** leseb has quit IRC11:44
*** leseb has joined #openstack-keystone11:44
*** andreaf_ has joined #openstack-keystone11:47
*** andreaf has quit IRC11:49
*** lbragstad has quit IRC11:52
*** lbragstad has joined #openstack-keystone11:53
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216611:58
*** topol has joined #openstack-keystone12:04
*** sbfox has joined #openstack-keystone12:08
*** lbragstad has quit IRC12:10
*** leseb has quit IRC12:15
*** leseb has joined #openstack-keystone12:16
*** dims_ has quit IRC12:27
*** jimbaker has quit IRC12:30
*** dims has joined #openstack-keystone12:33
*** leseb_ has joined #openstack-keystone12:38
*** dims has quit IRC12:38
*** leseb has quit IRC12:41
*** dims has joined #openstack-keystone12:45
*** dstanek has joined #openstack-keystone13:01
*** kun_huang has joined #openstack-keystone13:02
*** jsavak has joined #openstack-keystone13:04
*** lbragstad has joined #openstack-keystone13:06
*** gokrokve has joined #openstack-keystone13:17
*** dstanek has quit IRC13:17
*** erecio has quit IRC13:21
*** gokrokve has quit IRC13:21
*** ayoung has joined #openstack-keystone13:22
*** erecio has joined #openstack-keystone13:22
*** bknudson has quit IRC13:23
*** rodrigods has joined #openstack-keystone13:23
*** rodrigods has joined #openstack-keystone13:23
*** topol has quit IRC13:29
*** david-lyle has joined #openstack-keystone13:35
*** chandankumar is now known as chandankumar|afk13:37
*** david-lyle has quit IRC13:37
*** vhoward has joined #openstack-keystone13:38
*** david-lyle has joined #openstack-keystone13:38
*** david-lyle has quit IRC13:43
*** thiagop has quit IRC13:46
*** bknudson has joined #openstack-keystone13:46
*** nkinder has quit IRC13:54
*** gokrokve has joined #openstack-keystone14:10
rodrigodsdolphm, ping14:15
dolphmrodrigods: o/14:16
rodrigodsdolphm, just to ask you to review https://review.openstack.org/#/c/91578/ (whenever possible) =)14:16
dolphmrodrigods: it's already in my queue!14:17
rodrigodsdolphm, great! thanks!14:17
*** dstanek has joined #openstack-keystone14:18
*** dstanek has quit IRC14:32
*** dstanek has joined #openstack-keystone14:32
*** topol has joined #openstack-keystone14:35
*** stevemar has joined #openstack-keystone14:35
*** david-lyle has joined #openstack-keystone14:35
*** david-lyle has quit IRC14:35
*** bach has joined #openstack-keystone14:35
*** david-lyle has joined #openstack-keystone14:36
*** nkinder has joined #openstack-keystone14:41
*** daneyon has joined #openstack-keystone14:41
*** daneyon has quit IRC14:46
*** daneyon has joined #openstack-keystone14:47
*** shakayumi has joined #openstack-keystone14:51
*** zhiyan_ is now known as zhiyan15:01
*** thedodd has joined #openstack-keystone15:19
*** andreaf_ has quit IRC15:21
*** andreaf has joined #openstack-keystone15:21
*** bvandenh has quit IRC15:24
openstackgerritA change was merged to openstack/identity-api: Remove email as optional query parameter  https://review.openstack.org/9065615:27
*** sbfox has quit IRC15:27
*** daneyon has quit IRC15:28
*** daneyon has joined #openstack-keystone15:28
*** shakayumi has quit IRC15:31
*** bach has quit IRC15:31
*** shakamunyi has joined #openstack-keystone15:32
*** sbfox has joined #openstack-keystone15:40
*** sbfox has quit IRC15:43
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs  https://review.openstack.org/8922015:44
*** dims has quit IRC15:46
*** zhiyan is now known as zhiyan_15:47
*** bach has joined #openstack-keystone15:50
*** richm has joined #openstack-keystone15:51
*** bach has quit IRC15:53
*** bach has joined #openstack-keystone15:53
*** dims has joined #openstack-keystone15:57
*** praneshp has joined #openstack-keystone15:59
*** daneyon has quit IRC16:04
*** Manishanker has quit IRC16:13
*** tomoiaga has quit IRC16:14
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs  https://review.openstack.org/8922016:15
*** stevemar has quit IRC16:20
*** stevemar has joined #openstack-keystone16:20
*** dstanek has quit IRC16:21
*** dstanek has joined #openstack-keystone16:21
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216616:21
*** jaosorior has quit IRC16:21
*** sbfox has joined #openstack-keystone16:24
*** gyee has joined #openstack-keystone16:30
*** marcoemorais has joined #openstack-keystone16:30
*** leseb_ has quit IRC16:32
*** leseb has joined #openstack-keystone16:33
*** amerine_ has joined #openstack-keystone16:35
*** amerine has quit IRC16:38
*** zhiyan_ is now known as zhiyan16:42
*** amerine_ has quit IRC16:42
*** shakamunyi has quit IRC16:42
*** vhoward has left #openstack-keystone16:42
*** leseb has quit IRC16:43
*** daneyon has joined #openstack-keystone16:45
*** amerine has joined #openstack-keystone16:46
*** jimbaker has joined #openstack-keystone16:47
openstackgerritFlorent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API  https://review.openstack.org/8862016:53
*** zhiyan is now known as zhiyan_16:53
*** gyee has quit IRC16:58
*** amcrn has joined #openstack-keystone17:04
*** harlowja_away is now known as harlowja17:07
*** bach has quit IRC17:08
*** kun_huang has quit IRC17:11
*** andreaf has quit IRC17:17
*** chandankumar|afk has quit IRC17:24
*** leseb has joined #openstack-keystone17:31
*** dims has quit IRC17:37
*** henrynash has joined #openstack-keystone17:38
*** leseb has quit IRC17:41
*** morganfainberg_Z is now known as morganfainberg17:45
*** sbfox has quit IRC17:47
*** sbfox has joined #openstack-keystone17:51
morganfainbergayoung, for the compressed token / validation does it make sense to use the new fixture-type-thing that jamielennox|away built rather than having a .json file on disk?17:52
morganfainbergayoung, oh strike that, i see you need the matching revocation list.17:52
morganfainbergayoung in the future we should work on using a consistent token generator even for this.17:53
ayoungmorganfainberg, so..that whole chunk of code in example is actually unnecessary17:54
ayoungthe revocation list is created in code, not read from disk17:54
morganfainbergayoung, ah.17:54
ayoungIti s a different test that uses the revocation list, and it still passes17:54
ayoungso, its not bad, just unnecessary.  But I wrote it before I realized that17:54
ayoungdidn't realize until I had to figure out why my test was still failing17:54
morganfainbergayoung, ok so we should move to a single source of raw token data (jamie's fixture)17:55
ayoungI don't know17:55
morganfainbergayoung, but i think that can wait at this point (follow on patch)17:55
ayoungI need to understand it better, but I don't want to use the same code to test itself.  I like having the tokens read from disk17:55
ayoungIn this case, that is not possible, of course, but in the future, any changes to the signing mechanism need to be backwards compat with these tokens17:56
morganfainbergayoung, we should have a single fixture source for token examples across the board rather than having to maintain a .json file etc17:56
morganfainbergayoung, i think i'll want to see that change once we have clear mechanism for validating token format17:57
ayoungmorganfainberg  link ?17:57
morganfainbergayoung, after meeting :)17:57
*** chandan_kumar has joined #openstack-keystone17:58
ayoungjamielennox|away, MEETING TIME!18:00
*** jamielennox|away is now known as jamielennox18:05
openstackgerritA change was merged to openstack/keystone: Refactor create_trust for readability  https://review.openstack.org/9094318:07
*** bach has joined #openstack-keystone18:16
*** bach has quit IRC18:19
*** bach has joined #openstack-keystone18:20
*** htruta has joined #openstack-keystone18:21
*** chandan_kumar has quit IRC18:22
*** sbfox has quit IRC18:22
htrutahello, guys. i'm trying to run a keystone v3 command through openstack client. even when I pass the "--os-identity-api-version 3" param, it still gets a v2.0 token. I think it's some configuration on keystone client. Can anyone help me?18:23
*** bach_ has joined #openstack-keystone18:23
morganfainberghtruta, the keystone irc meeting is happening right now (will be over in ~35minutes)18:23
*** bach has quit IRC18:23
morganfainberghtruta, if you don't mind waiting i'm sure we can help you some at that point18:23
htrutamorganfainberg: no problem. I can wait. thanks18:24
morganfainberghtruta, or at least give you an idea of the state of affairs (i don't want to give a bad answer and there are folks who just worked on that kind of stuff recently)18:25
*** nkinder has quit IRC18:30
*** sbfox has joined #openstack-keystone18:31
jamielennoxhtruta: most likely the identity endpoint in your service catalog has a /v2.0 url18:32
*** tstevenson has quit IRC18:34
*** leseb has joined #openstack-keystone18:45
openstackgerritFlorent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API  https://review.openstack.org/8862018:49
htrutajamielennox: how can I change this idendity endpoint?18:49
jamielennoxhtruta: using the keystone CLI it's when you do keystone endpoint-create you use keystone_url:5000/v3 instead of /v2.018:51
jamielennoxhowever that has a lot of ramifications as the other services don't necessarily support v3 yet18:51
jamielennoxhtruta: ideally OSC would be doing a hack around that for you, stevemar do you know if OSC does the v2/v3 endpoint hack?18:53
stevemarjamielennox, we don't,18:54
stevemarjamielennox, htruta it depends on what was specified in the endpoint18:54
jamielennoxstevemar: do you know if that's something that would be automatically fixed by the hack being available in keystoneclient or is it to do with how you setup auth?18:55
*** leseb has quit IRC18:56
jamielennoxbecause without checking i would expect that setting --os-identity-api-version 3 would mean using the v3 client which does have the hack18:56
stevemarjamielennox, i feel like it would be fixed... OSC is pretty 'dumb', it's just a wrapping the clients18:57
morganfainbergayoung, part of ephemeral tokens we need to use a unified internal token structure, (working on that). and the fixture https://github.com/openstack/python-keystoneclient/tree/master/keystoneclient/fixture should be used for any "example" tokens (might need some massaging)18:59
htrutathanks, guys. I solved the problem with "--os-identity-api-version 3 --os-auth-url"18:59
morganfainbergayoung, eventually, we should have a single source of exampl tokens (each version) vs. a bunch of different locations on disk to maintain18:59
morganfainbergayoung, i don't think it's needed right now, however.19:00
ayoungmorganfainberg, Agreed.  I  want to make the gen_pkiz.py script the start of how we generate,  and then have the tokens themselves in the subdir.  All other sources should point to that.19:01
*** gokrokve has quit IRC19:01
*** leseb has joined #openstack-keystone19:02
*** praneshp has quit IRC19:06
*** praneshp has joined #openstack-keystone19:06
stevemarayoung, if you clean this up https://review.openstack.org/#/c/79096/9/keystoneclient/v3/regions.py you get a +2 :D19:06
stevemarthat or beer, i'm open to bribes19:07
ayoungTuesday night is Guiness Stout Float Night  for those that chose to Eschew the pre-cannedfun19:08
ayoungstevemar, we don't have atox docs job for clilent, do we?19:08
*** praneshp has quit IRC19:10
stevemaryes, there is19:10
stevemarayoung, ^19:10
ayoungstevemar, how to kick it off then?19:11
ayoung[testenv:docs]   ?19:11
stevemartox -e docs19:11
ayoungOK, lets see if it fails.19:12
stevemarwhere my second comment is, that one has crazy spacing :P19:12
ayoungstevemar, Oh, I agree with the comment.  I just want to have a way to confirm I have the formatting correct19:13
ayoungstevemar, it must be rebuilding the venv.  Taking a long while19:18
stevemarayoung, :(19:19
ayoungstevemar, it should reuse the venv for py27 instead of creating its own, but, oh well19:19
stevemarayoung, but tox is special like that19:20
*** gokrokve has joined #openstack-keystone19:21
marekdjamielennox: o/19:22
jamielennoxmarekd: hey19:23
dstanekmorganfainberg: i've been doing some password hacking, but i'm not sure i can easily remove password from the identity filter19:23
*** gokrokve_ has joined #openstack-keystone19:24
*** gokrokve has quit IRC19:26
marekdjamielennox: In the SAML2 auth workflow i think i need to reimplement Auth class, as some methods will be certainly different (token_url for sure, but also get_auth_ref()) Now, since the Auth classes are instantiated here https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/client.py#L158 i think we will have to somehow change this workflow, either by extendind Auth._factory() method, or add kind of 'if' conditio19:26
marekdjamielennox: i am guessing some 'dynamic' modules mechanism could be used here.19:27
jamielennoxmarekd: so i don't want to edit /v3/client.py19:30
jamielennoxthe new workflow should be session.Session(auth=SamlPlugin())19:30
jamielennoxthen client = Client(session)19:30
marekdit's still v3.Client(httpclient.HTTPClient), right?19:32
jamielennoxmarekd: sorry flicking between here and the -sdk meeting19:33
jamielennoxif you load the SAML auth plugin that way do we still need to change the workflow?19:34
marekdok, so where this session should be actualy created? The v3.Client docstring example says something like: keystone = client.Client(username=USER, password=PASS) .Apparently i couldn't find it in the basecode :(19:34
marekdjamielennox: i don't think so.19:34
jamielennoxso the docs are somewhat in conflict19:35
marekdjamielennox: what i basically need is to control where (to what url) certain requests will be sent and what will be the body.19:35
jamielennoxi've been pushing everyone to creating the session first, but i need to keep compatibility with the existing stuff19:35
marekdjamielennox: i don't want to send any body, and want to start my federated authn by hitting url different than /v3/auth/tokens19:36
marekdok, so those two lines session = Session(), client = v3.Client(session=session) would be done not inside the python-keystoneclient, but rather openstackclient, for instance?19:37
marekdor you'd expect to see such lines in a keystoneclient patch?19:37
marekdbecause how i understand it now it's the v3.Client you can basically import, pass some params and expect it to magically work, correct?19:38
jamielennoxyes, within openstackclient19:38
marekdjamielennox: ok, that's what I wanted to know :-)19:38
jamielennoxor whatever you have that is actually consuming keystoneclient19:38
marekdjamielennox: ok, thanks,19:39
jamielennoxmarekd: no problem - i haven't tried to do a federated auth plugin yet so let me know any changes that need to be done to accomodate them19:40
marekdi think we will squeeze everything to Auth inheriting class :-)19:41
marekdjamielennox: the veeeery early drafter WIP is here: https://review.openstack.org/#/c/92166/19:41
marekdjamielennox: the thing we might want to think about is again kinda authentication mechanism inside the saml2 authn plugin :-)19:43
jamielennoxmarekd: so that makes the assumption that the auth_url will be the ferated endpoint?19:43
jamielennoxmarekd: will you be at summit?19:43
marekdjamielennox: yes.19:43
marekdjamielennox: ^^ i meant: i will19:43
jamielennoxmarekd: excellent, because there's some more about this workflow i'd like to know19:44
jamielennoxbecause that assumes i think that you need to pass the federation endpoint as auth_url?19:44
marekdjamielennox: hm, how does typically auth_url looks like?19:44
marekdis it just https://keystone.openstack.local  ?19:45
jamielennoxmarekd: it's the same as --os-auth-url19:47
*** gabriel-bezerra_ is now known as gabriel-bezerra19:47
jamielennoxso for now typically it's https://keystone:5000/v2.019:48
jamielennoxand for the v2 plugins i've been assuming a suffix of /v2.0 and for v3 a suffix of /v319:48
jamielennoxthe intention being that there would be a higher level plugin that accepted https://keystone:5000/ and figured out whether it should use v2.0 or v319:49
marekdok, so i think i was right. so for the federated auth it will be https://keystone:5000/v3/OS-FEDERATION/identity_providers/{idp_name}/protocols/saml2//auth19:49
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Regions Management  https://review.openstack.org/7909619:49
jamielennoxeg https://review.openstack.org/#/c/81147/19:49
marekdand this is handled by my token_url property19:49
ayounglbragstad, you trying to make me cry?19:50
ayoungis "Keys" meant to be capitalized?  NO.  I took German in College, and it taught me that all Nouns should be capitalized19:50
lbragstadayoung: :)19:51
lbragstadayoung:  this looks better though, nice catches by stevemar https://review.openstack.org/#/c/79096/1019:51
ayounglbragstad, yeah.  There are some errors, but not from my code19:51
ayoungI might submit a separate patch for those19:51
jamielennoxmarekd: yea, so i didn't have that use case in mind initially19:52
jamielennoxmarekd: does hitting that endpoint give you a token, or data to pass to /auth/tokens?19:52
lbragstadayoung:  for the region management?19:52
ayounglbragstad, nah, the errors are in19:52
ayoung/opt/stack/python-keystoneclient/keystoneclient/openstack/common/apiclient/client.py:docstring of keystoneclient.openstack.common.apiclient.client.HTTPClient.request:9: WARNING: Block quote ends without a blank line; unexpected unindent.19:52
ayoung/opt/stack/python-keystoneclient/keystoneclient/openstack/common/apiclient/base.py:docstring of keystoneclient.openstack.common.apiclient.base.HookableMixin.run_hooks:5: WARNING: Inline strong start-string without end-string.19:52
*** dims has joined #openstack-keystone19:52
lbragstadahh, gotcha19:53
jamielennoxgrrr, apicient...19:53
marekdjamielennox: neither. the workflow is as follows: HTTP GET to /v3/OS-FEDERATION/[...], get SOAP message, play with it, and send a HTTP POST to an external Identity_provider url (passed as an argument to the plugin). Now...*authenticate* against IdP, for instance via HttpBasicAuth, maybe one day kerberos or similar, get SOAP message again, again play with that, and send to Keystone (it's url is stored in the SOAP received from either SP or I19:54
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118119:56
jamielennoxok yea, so what is that second URL that you hit on keystone?19:56
jamielennoxonce you've gotten your external auth data19:57
*** leseb has quit IRC19:57
lbragstadjamielennox: I like the SimpleCreate here...19:57
marekdjamielennox: hmm,would have to check that second url, but it's to send the SAML2 assertion issued by a IdP to the ServiceProvider (keystone).19:57
jamielennoxlbragstad: yea, i much prefer that as an object19:58
lbragstadeasier to read19:58
jamielennoxlbragstad: it means that we can put properties on the objects that are passed as well which i'm quite excited for19:58
marekdjamielennox: i know it will work, because I could get the token using external Python piece of code. I now just need to marry it with keystoneclient.19:58
lbragstadthats for sure19:58
jamielennoxlbragstad: as in we can encode the information and helpers onto the object and then our controller code needs to know less of the format of the messages19:59
jamielennoxmarekd: yea - what i'm hoping though is that the second URL is /auth/tokens19:59
lbragstadjamielennox: right, that makes sense, I like it... still working through the review but I like it19:59
marekdjamielennox: ah, no no19:59
jamielennoxi'm sure i argued for that a while ago19:59
marekdjamielennox: this is completely SAML2 internal url20:00
lbragstadjamielennox: the models.py is just for building the validator right? https://review.openstack.org/#/c/92031/1/keystone/validation/models.py20:00
marekdjamielennox: more than sure it's not /auth/tokens - i'd say it's either /v3/OS-FEDERATION/identity_providers and stuff, or something like /Shibboleth.sso/SAML2/ECP20:00
marekdjamielennox: why would you hope for /auth/tokens?20:01
*** harlowja has quit IRC20:01
marekdjamielennox: SAML2 session, cookies are handled by mod_shib and standalone shibd daemon, not keystone.20:01
*** marcoemorais has quit IRC20:02
jamielennoxlbragstad: yes and no, i expect that certain requests have validation requirements that are not expressable as jsonschema so i would like them to be able to override the validate() comand20:02
marekdjamielennox: do you expect any problems with that? all in all i understand Auth.get_auth_ref() is supposed to return a token, right?20:02
*** praneshp has joined #openstack-keystone20:03
jamielennoxmarekd: it can be made to work i'm sure but i'll admit i was hoping that it would go through the standard mechanism at some point20:03
*** marcoemorais has joined #openstack-keystone20:03
*** harlowja has joined #openstack-keystone20:04
marekdit's been already argued - no chances at this posint, as this workflow is governed by SAML2 authn workflow so mod_shib and stuff.20:04
jamielennoxmarekd: given that auth is pluggable, once you've done all you need to regarding interaction with your own idp i see no reason that the final submission of data isn't the same as passing a password or other secret to keystone20:04
jamielennoxbecause you still need to exchange it for a token as the last step20:04
*** leseb has joined #openstack-keystone20:05
marekdjamielennox: but this would need implementing SAML2 assertion parser in the Keystone.20:05
marekdjamielennox: now it's mod_shib that does the dirty work for us.20:05
marekdjamielennox: secondly, you would somewhat break the protocol workflow...is it worth doing that?20:05
jamielennoxmarekd: oh, so you have a seperate route setup with apache guarding it20:05
marekdjamielennox:  i have to.20:06
marekdjamielennox: https://review.openstack.org/#/c/89220/15/doc/source/configure_federation.rst line 6420:06
jamielennoxmarekd: no i don't want to break the correct workflow, i just assumed that given we are going to return a keystone token anyway that we are already doing something non-standard20:06
marekdjamielennox: understand your concerns, but as long as we use apache for SAML2 federation dance we have to deal with 'non standard' auth workflow in the OpenStack.20:07
jamielennoxmarekd: yep, and honestly i'd like to keep the standards as much as possible20:09
jamielennoxso i take it that we can't do keystone multi factor auth this way20:10
marekdjamielennox:  me too :-) Just wanted to clarify couple of things and thanks to you i did.20:10
jamielennoxmarekd: so is <Location /Shibboleth.sso> prescribed by the standard or something we set?20:16
marekdjamielennox: it's just to ensure that urls starting with /Shibboleth.sso will not be swallowed by Keystone wsgi.20:16
*** marcoemorais has quit IRC20:17
marekdjamielennox: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-MakingURLsUsedbymod_shibGetProperlyRouted20:17
jamielennoxmarekd: ok, but that route itself is a standard one20:18
marekdjamielennox: what do you mean?20:19
marekdjamielennox: it's standard for shibboleth, yes. Is that what you meant?20:19
*** lbragstad has quit IRC20:20
jamielennoxmarekd: as in defined by the protocol that it should do interaction with the server at that URL, it's not a URL returned from the initial call to gET  /v3/OS-FEDERATION/[...]20:20
ayoungmarekd, can we rename configure_federation.rst  to configure_shibolleth.rst  ?20:21
ayoungIt won't be the only Federation approach, just the first one.20:21
jamielennoxayoung: right, <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth> looks too generic to me20:22
marekdayoung: so i vote for somehow splitting it into multiple files - general configuration, like enablig plugin, adding idps, mappings, protocol will stay.20:23
ayoungmarekd, ++20:23
ayoungjamielennox, Did you see how I did it with Kerberos?20:23
jamielennoxso how is /v3/OS-FEDERATION/identity_providers/XXX/protocols/XXX/auth determined, or is it just known?20:23
ayoungI did:20:23
*** gyee has joined #openstack-keystone20:24
ayoungyou use that as the AUTH_URL, and then leave the endpoint at20:24
ayounghttps://hostname/keystone/main/  and /admin20:24
marekdjamielennox: well for now the second xxx will be only saml2, but the first is a IdP name you, as a user should know apriori.20:25
marekdand it's equal to the object id of the identity_provider stored in the Keystone backend.20:25
jamielennoxso what i think we need here is some way to discover all this20:25
jamielennoxmarekd: but as a configurer you should know that ahead of time20:25
ayoungmarekd, never liked the fact that the token is coming from an extension instead of a Auth plugin.20:25
jamielennoxayoung: ++++20:25
jamielennoxayoung: i was just saying that, but apparently it can't be helped20:26
jamielennoxso auth_plugins are very much defined around the standard entry point /auth/tokens and what you send to it20:26
ayoungjamielennox, I suspect the location should be20:26
marekdguys, it's done at a different layer - apache, that cannot understand the request body, and it doesn't realy care. what it cares is the url20:26
marekdand it's binary - either you have an access or you don't.20:27
ayoungmarekd, put all of SAML under its own location, I think20:27
ayoungmarekd, so if You want to use SAML, you do  OS_AUTH_URL=https://hostname/keystone/saml/20:28
marekdand if you want to auth what is the url: https://hostname/keystone/saml/v3/auth/tokens ?20:30
jamielennoxmarekd: so the data sent is in a header then? in which case it's a similar workflow to the external plugin we have now20:30
marekdsoaps transmited between peers (SP and IdP) are in the request body.20:31
marekdfor the normal websso similar i would say.20:31
jamielennoxmarekd: ok, so because we never construct the standard v3 auth body, you can't use multiple auths with SAML right20:34
jamielennoxmultiple auths within keystone where there are multiple 'methods'20:34
jamielennoxok, so you should never need to make a v3.AuthMethod20:35
jamielennoxbecause that maps to a 'method' in a normal auth structure20:35
marekdjamielennox: yep. just created it to follow the pattern (in fact it would raise an exception if somebody called get_auth_data() on it)20:36
jamielennoxyou can do v3.Auth(auth_url, methods=[v3.PasswordMethod(), v3.TokenMethod()]) to do multi factor auth20:36
marekdv3.PasswordMethod(), v3.TokenMethod() are not correlated in any way, are they?20:37
marekdi can choose only v3.PasswordMethod(), e.g. and will get a legitimate token.20:38
jamielennoxyep, that's what AuthConstructor is doing, just mapping the method into the base auth class20:38
jamielennoxmarekd: so how do you specify things like domain_id, project_id etc to SAML?20:39
marekdyou are asking about the server side?20:39
*** dims_ has joined #openstack-keystone20:39
jamielennoxmarekd: so i'm looking at the base v3.Auth object that you inherit from20:40
marekdi don't know *yet*.20:41
jamielennox    def __init__(self, auth_url, auth_methods, trust_id=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None):20:41
jamielennoxwhich are the same as the --os-trust-id etc flags20:41
*** dims has quit IRC20:41
jamielennoxi'm wondering how you scope a token with SAML20:41
marekdin the federation you get an unscoped token, and can now scope it (at /auth/tokens actually). I am not sure it should be done within Auth object..20:42
marekdjust wanted to make a more or less good shape of the code retrieving unscoped tokens.20:42
jamielennoxyea, i'm just trying to think how it's supposed to be abstracted20:43
jamielennoxfor example given the CLI use case20:44
jamielennoxand if i define that an auth_plugin should get all those arguments then i expect the plugin to have the scoped data20:44
marekdand do all the calls behind the scenes...20:45
ayoungjamielennox,    self._client.get(base_url, **kwargs)    How do I tell that about a param that I am sending to the server?20:45
jamielennoxwhich means the plugin should be responsible for getting an unscoped token and rescoping it - which is a bit nasty20:45
jamielennoxbut at least then the auth_url makes sense :)20:46
ayounghttps://review.openstack.org/#/c/81166/11/keystoneclient/v3/contrib/revoke.py,cm   line 29ish20:46
morganfainbergdstanek, really?20:46
ayoung32 is the call20:46
morganfainbergdstanek, (sorry lunch just got back)20:46
dstanekmorganfainberg: np, i think i'll have to fix kvs and maybe other things too20:47
morganfainbergdstanek, ah, yeah kvs probably needs fixing as well *doh*20:48
*** bknudson has quit IRC20:48
dstanekmorganfainberg: there are lots of other little things that bother me, but i have something that seems to work and passes existing tests20:48
ayoungjamielennox, so GET  /OS-REVOKE/events?since=<timestampt> works, but I realize I was not enabling that in the Client call.20:48
morganfainbergdstanek, ok well thats a start20:48
dstaneki'm working on new tests now to verify the behavior20:49
*** bknudson has joined #openstack-keystone20:49
dstanekah, and i still need to migrate the passwords20:49
morganfainbergdstanek, ++20:49
jamielennoxayoung: why aren't you inheriting from manager?20:50
jamielennoxi hate managers as well, but they are there for this purpose20:50
morganfainbergdstanek, what are we filtering these days? just password?20:51
morganfainbergdstanek, if we have limited overlap in what we filter out maybe we make the filter emthod part of the driver20:51
ayoungjamielennox, becasue the CRUD is one function, and so I had more code shutting things on than I needed to write enabling things20:51
morganfainbergdstanek, so if the driver needs to filter passwd, we filter it.20:51
jamielennoxayoung: yea, the managers suck like that20:51
ayoungjamielennox, but I forgot uintil just now looking at some other code that I was doing that20:51
marekdjamielennox: ++ ;/20:52
jamielennoxmarekd: unfortunately they are now 'standardized' in apiclient so i can't just rip it out20:52
dstanekmorganfainberg: lots - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n5320:52
jamielennoxayoung: so if you don't use the Manager base class you'll have to construct the path yourself20:52
morganfainbergdstanek, huh.20:52
ayoungjamielennox, uh huh...looking now20:53
jamielennoxayoung: make it part of base_url20:53
morganfainbergdstanek, oh there is a lot of KVS-isms there20:53
morganfainbergdstanek, bleh20:53
jamielennoxayoung: there is a constructor thing that helps you build query params in one of the std libs20:53
ayoungOh dear god my eyes. I can't unsee that code20:53
ayoung def find(self, **kwargs):20:54
morganfainbergdstanek, ok so we can probably just get the password stuff for SQL in the new place, we can "fix" kvs to not make silly assumptions (and be dogpile based)20:54
ayoungloads the entire list then filters on the Python side.20:54
jamielennoxin manager?20:54
morganfainbergayoung, wow.20:54
morganfainbergdstanek, if we "fix" kvs, we can probably simplify that a bunch20:55
ayoungmorganfainberg, please don't think that Jamie is at fault here.  That approach predates him20:55
morganfainbergayoung, nope20:55
jamielennoxgod i want that whole thing to die20:55
ayoungjamielennox, ManagerWithFind20:55
morganfainbergayoung, i wouldn't blame anyone here for it20:55
morganfainbergayoung, i'd just assume it was inherieted and we should fix it when we get a chance20:56
jamielennoxbut then if i kill managers, and i kill the base client, then i'm not sure what's left from the basic stuff20:56
dstanekmorganfainberg: lots to do, lots to do20:56
morganfainbergdstanek, yep20:56
jamielennoxi recently won the debate in -sdk to completely kill off the manager approach so you would do User.find(), i want to see if that approach works out before trying to bring it to other clients20:58
ayoungKILL IT ALL!20:58
ayoungAhem.  Sorry20:58
jamielennoxi guess they did client side filtering because there isn't a standard filter operation for resources on the server20:59
*** bach_ has quit IRC21:00
jamielennoxmorganfainberg: can you re-affirm discovery: https://review.openstack.org/#/c/81146/8 it needed a rebase21:01
morganfainbergjamielennox, looking now21:02
*** bach has joined #openstack-keystone21:03
*** bach has quit IRC21:04
*** topol has quit IRC21:04
*** marcoemorais has joined #openstack-keystone21:04
*** harlowja has quit IRC21:05
*** dstanek has quit IRC21:10
stevemarjamielennox, how are you even up?21:12
stevemardo you stay up? or wake up early?21:12
*** harlowja has joined #openstack-keystone21:12
jamielennoxstevemar: always for keystone meeting21:12
stevemarjamielennox, yeah, i know, but that ended > 2 hrs ago21:13
jamielennoxthough our actual team meeting was cancelled this morning - and i was tempted to skip it as i'll see everyone next week21:13
jamielennoxstevemar: yea, but it's 7am now - that's too late to go back to bed21:13
jamielennoxalso i made them change the -sdk meeting to directly after the keystone meeting, so i feel like i have to attend that one now21:15
stevemarjamielennox, makes sense21:15
stevemarjamielennox, bknudson if you all want to have another look at oauth1 client stuff ... that https://review.openstack.org/#/c/81980/ hoping to squeeze this in before summit. I think the mess with the import of oauthlib is finally sorted out21:17
*** marcoemorais has quit IRC21:17
jamielennoxstevemar: ok, wil have a look but i assume it's much the same?21:18
*** ayoung has quit IRC21:18
stevemarjamielennox, pretty much, new handling for how oauthlib was being imported. there was push back to adding it to stable/havana requirements, so it should fail gracefully21:19
stevemarjamielennox, anyway, wrapping up early today, i'll likely see you online later, see ya21:21
jamielennoxstevemar: later21:21
*** marcoemorais has joined #openstack-keystone21:24
*** stevemar has quit IRC21:25
*** nkinder has joined #openstack-keystone21:27
*** leseb has quit IRC21:37
morganfainbergjamielennox, sorry got dragged into a meeting21:37
morganfainbergjamielennox, +A now.21:38
jamielennoxmorganfainberg: finally... :) thanks21:38
*** jsavak has quit IRC21:41
*** dims_ has quit IRC21:41
*** marcoemorais has quit IRC21:42
bknudsonwhat do you think about a backport of https://review.openstack.org/#/c/88109/ ?21:43
bknudsonit's kind of a feature but it's also kind of a security fix21:43
dolphmpotential mid-cycle hackathon dates: July 9, 10, 1121:46
*** dstanek has joined #openstack-keystone21:47
*** bach has joined #openstack-keystone21:47
dolphmthat's 1 week before earliest proposed juno-m2 deadline; 2 weeks before oscon; 3 weeks before last potential juno-m2 deadline21:48
*** david-lyle has quit IRC21:48
morganfainbergdolphm, looking at my schedule21:48
morganfainbergdolphm, i'm for 9,10,11 personally21:49
*** dolphm changes topic to "Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)"21:51
*** nkinder has quit IRC21:53
*** dims has joined #openstack-keystone21:55
morganfainbergbknudson, i think a backport to I is (possible)22:03
morganfainbergbknudson, but i would be concerned about moving it any further back22:03
morganfainbergbknudson, i know a bunch changed between H and I22:04
dolphmbknudson: the bug report doesn't illustrate any actual affect on end users; i'd want to see that before discussing the possibility of a backport22:06
*** ayoung has joined #openstack-keystone22:06
morganfainbergbknudson, i do see the benefit of getting that backwards into I. I'd claim it is less feature and more security fix.22:06
morganfainbergdolphm, fair enough.22:06
*** bach has quit IRC22:06
morganfainbergdolphm, the only real change to users is that if keystone manages passwords, they can use {ssha} or whatever hashing on the backend vs. having to accept the {md5}? we previously used22:07
morganfainbergdolphm, s/users/deployers22:07
dolphmmorganfainberg: except we previously used "ldap_salted_sha1"22:08
bknudsonthe only thing that deployers should see is that their LDAP configuration for password hashing will now be used22:08
morganfainbergdolphm, oh we used ssha?22:09
morganfainbergdolphm, so we did22:09
morganfainbergok so, what bknudson  just said, whatever is configured will be used vs hard-set ssha22:09
bknudsonfor example, some methods require the passwords in plain text in the directory22:10
bknudsonso then you'd change your LDAP config for plaintext passwords22:10
bknudsonbefore this you couldn't even do that.22:10
bknudsondeployments might also want a stronger password hash22:10
morganfainbergand some deployments explicitly disallow hashed passwords so they can control it (password history, etc)22:11
morganfainbergdepending on the implementation (of course)22:11
bknudsonI guess it's only used in r/w mode and not to check passwords22:13
dolphmmorganfainberg: that doesn't seem like a good compromise22:13
morganfainbergdolphm, to let the admins of the LDAP server configure the hashing to be used?22:13
morganfainbergdolphm, vs. forcing {ssha}?22:14
dolphmi've never thought about implementing "unique password history" with salted hashed passwords before...22:14
morganfainbergdolphm, it's not hard to do, but some implementations are bad.22:14
*** marcoemorais has joined #openstack-keystone22:14
dolphmmorganfainberg: oh you mean disallowing hashed passwords so deployers can control the hashing?22:15
morganfainbergdolphm, correct.22:15
dolphmmorganfainberg: how do you check that a new password isn't in your last 10 passwords, if your last 10 passwords are all salted hashes?22:15
*** dims has quit IRC22:15
morganfainbergdolphm, you know the salt, you can hash the password against with each salt and see if it matches22:15
*** dstanek has quit IRC22:15
dolphmmorganfainberg: ahh, there you go22:16
morganfainbergdolphm, otherwise how could you compare the password w/o it being plain text :P22:16
dolphmsimple solution ftw22:16
morganfainbergdolphm, doesn't mean someone doesn't have some reason to track plain-text (i really don't want to know why). it should be LDAP admin's choice on the hashing algo if at all possible22:17
morganfainbergsome tools even require passwords to be {md5}22:17
morganfainberglike the google apps sync. (that would be a strange mix, keystone to manage users, then syncing to google apps)22:17
*** bknudson has quit IRC22:25
*** marekd is now known as marekd|away22:25
*** bach has joined #openstack-keystone22:30
*** dims_ has joined #openstack-keystone22:34
*** rodrigods_ has joined #openstack-keystone22:38
*** dims_ has quit IRC22:39
*** dims_ has joined #openstack-keystone22:39
*** thedodd has quit IRC22:43
openstackgerritA change was merged to openstack/python-keystoneclient: Discovery URL querying functions  https://review.openstack.org/8114622:45
*** gabriel-bezerra is now known as gabriel-bezerraa22:46
morganfainbergjamielennox, ^ yay!22:47
jamielennoxmorganfainberg: :) now have to try and resurrct the dependencies22:48
morganfainbergjamielennox, hehe yeah22:48
morganfainbergjamielennox, hey slowly marching forward!22:48
jamielennoxslowly slowly22:48
jamielennoxthe problem is getting it syned to requirements so i can make use of it elsewhere22:49
jamielennoxi just put an email to -dev list because it was wanted by novaclient first22:49
morganfainbergjamielennox, yeah22:49
jamielennoxon the other hand though, the keystoneclient hacks are horrible because it was incremental. The novaclient conversion is actually really nice22:50
jamielennoxeverything deprecated/changed in one review22:51
morganfainbergjamielennox, as much as it sucks, they benefit from our pain.22:53
morganfainbergjamielennox, probably the better way to do things than force the pain on them22:53
jamielennoxmorganfainberg: yep, and at least i know the crap that goes on in ours rather than having to maintain it for someone else22:53
morganfainbergjamielennox, ++22:53
*** bach has quit IRC22:56
*** dims_ has quit IRC22:56
*** dims_ has joined #openstack-keystone22:57
*** bach has joined #openstack-keystone22:59
*** dims_ has quit IRC22:59
*** bach has quit IRC23:00
*** dims_ has joined #openstack-keystone23:00
*** dims_ has quit IRC23:08
*** dims has joined #openstack-keystone23:08
*** nkinder has joined #openstack-keystone23:13
*** rodrigods_ has quit IRC23:25
*** bach has joined #openstack-keystone23:27
*** sbfox has quit IRC23:35
*** sbfox has joined #openstack-keystone23:36
*** bach has quit IRC23:36
*** bknudson has joined #openstack-keystone23:40
*** bknudson has left #openstack-keystone23:42
*** daneyon has quit IRC23:42
*** rodrigods_ has joined #openstack-keystone23:48
*** sbfox has quit IRC23:52

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!