Thursday, 2014-05-08

<jamielennox> and there's on reason to hide v2/v3password, just for cli and such the default should be discover [00:00]
<jamielennox> no reason [00:00]
<gyee> from usability standpoint, the second one makes more sense [00:00]
<gyee> user should not have to specify which plugin to use [00:00]
<gyee> CLI users I mean [00:00]
<jamielennox> should not specify a version - i agree [00:01]
<jamielennox> i don't care if they have to specify --os-auth-plugin [00:01]
<jamielennox> because as a user entering information on the CLI you know exactly which auth plugin you want to use [00:01]
<openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Allow configuring for un-signed revocation list
<openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Regenerate sample config
<gyee> jamielennox, exactly, let me review those two patches [00:02]
<gyee> are there any patches I should be looking at? [00:02]
<jamielennox> gyee: the last one is still WIP [00:02]
<jamielennox> i have some changes locally that i can push up if you like [00:02]
*** sbfox has joined #openstack-keystone [00:02]
<jamielennox> i'm just trying to figure out how it works [00:02]
<gyee> jamielennox, please, I would like to get to a point where can start working on client changes [00:03]
<gyee> both CLI and lib [00:03]
*** bach has quit IRC [00:03]
<morganfainberg> woot we'll have (at least) a non-vote check for mod_wsgi deployment shortly [00:03]
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent password authentication plugin
<jamielennox> gyee: i figure if we can fix the libs then the CLIs will be easy to fix as they become available [00:04]
<jamielennox> so i don't know if ^^ is even correct, it was just some changes i had made locally [00:04]
<gyee> jamielennox, yes I agree, I figure CLI changes will be a lot more involved as some client may require major refactoring [00:05]
<jamielennox> gyee: i'm hoping we never have to do the CLI [00:05]
<jamielennox> i intend to hand-hold OSC through the process [00:05]
<jamielennox> i'll provide the ability for other clients CLI [00:05]
<jamielennox> but i'm hoping this is a good reason for people to move to OSC [00:06]
<jamielennox> gyee: so looking at
*** bach has joined #openstack-keystone [00:07]
<jamielennox> my concern is what you can correctly ignore in a situation where someone is doing user/pass auth, and doesn't care if it's v2 or v3 [00:07]
<jamielennox> if a user specifies a user_domain_id do we quit? if user_domain_id == default_domain_id then we can happily ignore that argument in v2 auth [00:07]
*** bach has quit IRC [00:07]
*** bach has joined #openstack-keystone [00:08]
<gyee> we should always use v3 as it is backward compatible [00:08]
<gyee> as clients should not have to parse/interpret token data [00:08]
<gyee> all handled by keystoneclient [00:09]
<jamielennox> gyee: part of the point of this session object is that the clients shouldn't know what a token is [00:09]
<gyee> if client does not specify domain information, we use default domain in auth [00:09]
<jamielennox> from the client side we don't know what default domain is [00:10]
<gyee> ah, I see what you mean [00:10]
<gyee> jamielennox, if user specify user_domain_id and asking for v2 auth, we should error out [00:12]
<jamielennox> anyway because auth plugins are separate from client now we can mix and match auth with client version [00:12]
<jamielennox> so we can use a v2 token with a v3 client [00:12]
<jamielennox> so *maybe* we don't always push for v3 [00:12]
<jamielennox> we say if username and not user_domain_id: use v2 even if v3 is available [00:12]
<jamielennox> (assuming v2 is available) [00:13]
<gyee> jamielennox, yeah I agree, if all the v3 args are specified, we use v3 [00:14]
<gyee> otherwise, we fall back to v2 [00:14]
<jamielennox> but there are edge cases like that where, particularly from the CLI, you might want to use v2 auth even if v3 is available [00:14]
<gyee> right, in that case, user will have to explicitly tell us what they want [00:14]
<gyee> by specifying auth_version or auth plugin to use [00:15]
<jamielennox> anyway - this is the reason it is still a WIP, i don't know how we can pick between v2 and v3 [00:15]
<gyee> that would be in advanced mode or something [00:15]
<gyee> k, let me go through your changes, I think we can make some reasonable assumptions based on the args specified [00:16]
<gyee> but provide a way for user to override the default behavior [00:16]
<jamielennox> gyee: cool that would be appreciated [00:16]
*** IanGovett has joined #openstack-keystone [00:16]
<jamielennox> otherwise: and particularly: are what's most needed for next steps i think [00:17]
<jamielennox> the CLI options should be a fairly easy refinement of CONF options [00:18]
<jamielennox> if not then that's a bug to fix [00:18]
<jamielennox> i would like to provide a similar register_argparse_arguments(parser) and auth_plugin_from_argparse(namespace) functions for CLI [00:19]
*** rwsu has joined #openstack-keystone [00:20]
<gyee> jamielennox, are you providing those two in OSC or keystoneclient? [00:21]
<gyee> what's namespace? [00:22]
<jamielennox> isn't a namespace returned for argparse.parse() [00:23]
<jamielennox> it's something like that [00:23]
<gyee> k, make sense [00:23]
<jamielennox> gyee: i don't know yet how we provide --help for all these CLI arguments [00:24]
<jamielennox> if you say --os-auth-plugin password then i can give you --help text and arguments for that [00:24]
*** IanGovett has quit IRC [00:25]
<jamielennox> i don't know if we should iterate over all the plugin options and add them to --help or not [00:25]
*** bach has quit IRC [00:26]
*** bach has joined #openstack-keystone [00:26]
<gyee> jamielennox, that would require plugins themselves to advertise the args [00:27]
<jamielennox> gyee, they do:
<gyee> jamielennox, U DA MAN! [00:28]
<gyee> that's exactly what I was thinking [00:28]
<jamielennox> maybe i should turn that into an object rather than a flat function [00:31]
<jamielennox> so auth.ConfigParser(CONF) [00:31]
*** bach has quit IRC [00:31]
<jamielennox> and cli = auth.CLIParser() [00:31]
*** bach has joined #openstack-keystone [00:32]
<jamielennox> so you can say cli.get_arguments_for(plugin_name) etc and give a bit finer control over what you do [00:32]
<jamielennox> but i'm trying hard to not add anything that doesn't have an explicit use case right now [00:32]
*** bach has quit IRC [00:34]
<gyee> what you have there should be good for now [00:34]
<gyee> who knows, we may not be using ConfigParser later on [00:35]
<gyee> you want to make it as generic as possible [00:35]
<gyee> let the presentation layer be separate [00:35]
<jamielennox> right, i was talking to dean about it a while ago and he was saying how it might be best not to do CLI handling in the client [00:36]
<jamielennox> because individual clients can do that stuff differently [00:36]
<jamielennox> for example a param called token will probably be appended with --os-auth before registered as a CLI opt [00:36]
<gyee> jamielennox, is there a way to specify which param is required and which one is optional? [00:38]
<jamielennox> that decision should be up to the individual cli [00:38]
<jamielennox> gyee: not as yet - it will fail when it gets to the creating/authenticating the plugin, but it's not on the Param [00:39]
<gyee> maybe we need to add "optional" here?
<jamielennox> this was just me starting minimal first [00:39]
<jamielennox> well the question is how would it be used? [00:40]
<jamielennox> in oslo.config.CONF there is no such thing as required, you get a None value and error out [00:40]
<gyee> we need to convey that information to the presentation layer [00:40]
<jamielennox> in CLI you don't set anything to required because you want to be able to fallback to env[OS_AUTH_WHATEVER] [00:41]
<gyee> I see [00:42]
<jamielennox> gyee: i'm not anti the idea, but i'd like a real use case [00:43]
<gyee> I was thinking we give the presentation layer as much information as we could so it can do whatever it needs to do [00:44]
<gyee> I was thinking this information not just for CLI, perhaps UI as well [00:44]
<jamielennox> what do you consider presentation layer here? [00:44]
<gyee> CLI and perhaps UI [00:45]
<jamielennox> CLI --help, horizon web form? [00:45]
<gyee> say if I would to provide a dropdown menu to select the auth plugin to use [00:45]
<gyee> I may put a * on the required params [00:45]
<jamielennox> are you expecting it to be enforced anywhere? [00:45]
<gyee> I was expecting some reasonable checking at the presentation layer [00:46]
<jamielennox> yea, that's ok, but not enforced by the param or client layer - cause i'm not sure how that would work [00:46]
<gyee> just thinking out loud here, but I am not a UI guy so I don't know [00:46]
<ayoung> bknudson, so you see that logic you have in the controller? I want that even higher up the stack eventually, and part of the HTTP request content type to say "Give me signed and compressed data" [00:47]
<ayoung> there already is a way to do compression in HTTP, [00:47]
<ayoung> but the signed-compressed where the content can be passed in a header is not there [00:47]
<ayoung> jamielennox, please drop plugin from the cli verbiage. --authn=password [00:48]
<jamielennox> gyee: and that was my other concern - so far i've got two fairly limited scenarios where i see this being used, CONF and CLI, and i've been told maybe don't handle the CLI case within client let them do that on their own [00:48]
<jamielennox> gyee: i'm sure there are a hundred other useful things that could go onto a param, but i don't know what they are yet and i'm trying not to guess [00:49]
<openstackgerrit> Nathan Kinder proposed a change to openstack/keystone: Reduce excess LDAP searches
<gyee> jamielennox, that's fine, what you have is a very good start [00:49]
<jamielennox> ayoung: either, i don't mind [00:49]
<jamielennox> ayoung: CLI is not my main concern here [00:49]
<ayoung> jamielennox, I was thinking more that you are going to be our proponent to the unified CLI, and that they are going to need this functionality [00:50]
<jamielennox> ayoung: right and i've discussed it with dtroyer [00:50]
<jamielennox> if i can provide the properties it's his job to figure out how to make them usable [00:51]
<jamielennox> what I want first is being able to load ANY auth plugin from CONF [00:51]
<jamielennox> so auth_token with kerberos plugin [00:51]
<jamielennox> without having to write every one into it [00:51]
<gyee> ayoung, you want signed and compressed to be specified by the client? [00:54]
<gyee> for revocation list or token? [00:54]
<jamielennox> i don't see the point in allowing the client to specify what kind of token they get [00:55]
<gyee> jamielennox, oh I agree, just want to make sure [00:55]
*** richm has quit IRC [00:55]
<gyee> for revocation list, sure [00:55]
<gyee> jamielennox, should I drop the CLI changes here and do it in a separate patch?
<gyee> do it after your patches are landed [00:56]
<jamielennox> up to you, barbican indicated they weren't concerned with client API stability yet [00:57]
<jamielennox> i agree it's fine to construct the session in shell [00:57]
<jamielennox> though you should be constructing the auth plugins there and not the clients. [00:58]
<jamielennox> i would kill take over there Client.__init__(session= first argument and make that session mean keystoneclient session [00:59]
<jamielennox> hmm, maybe should be provided from within keystoneclient? [01:00]
<gyee> yeah would love to [01:01]
<gyee> I think all clients need the same tests [01:01]
<jamielennox> gyee: commented [01:07]
*** rodrigods_ has quit IRC [01:08]
<gyee> jamielennox, thanks! [01:09]
<gyee> jamielennox, I need to step away for an hour or so but I should be able to review the 3 patches by tonight [01:10]
<jamielennox> gyee: no worries, if not there's always time next week to go through them :) [01:10]
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Regions Management
*** dims has joined #openstack-keystone [02:54]
*** stevemar has joined #openstack-keystone [02:54]
*** shakayumi has quit IRC [03:01]
*** david-lyle has joined #openstack-keystone [03:02]
<ayoung> jamielennox, If you don't mind? [03:03]
*** topol_ has joined #openstack-keystone [03:04]
*** dims has quit IRC [03:05]
<jamielennox> ayoung: it's ready? [03:06]
<ayoung> jamielennox, yeah [03:07]
<jamielennox> other than reviews [03:07]
<jamielennox> ok, i'll give it a proper going over [03:07]
<ayoung> jamielennox, bknudson has been playing with it on devstack, too [03:07]
<ayoung> there is a WIP patch for the server [03:07]
*** topol_ is now known as topol [03:08]
<jamielennox> ayoung: i'll trust bknudson on the devstack side [03:10]
<jamielennox> i'll get a review on it this afternoon, i need to do stevemar's oauth as well [03:10]
<stevemar> jamielennox, you are too late! [03:10]
<jamielennox> i won't be around tomorrow - flying :) [03:10]
<jamielennox> stevemar: oh! sorry, but also good [03:11]
<jamielennox> we went over it a lot last time so i didn't expect to have anything to say [03:11]
<stevemar> jamielennox, yeah, it's cool, i am hoping to rebase the auth plugin patch soon [03:13]
<stevemar> maybe tonight, but i'm lazy and distracted [03:13]
<ayoung> I got the pleasure of the +A on that one [03:15]
<ayoung> stevemar, perfect mode for reviewing compressed tokens then...I am going to have to do some rework on the revocation events. [03:15]
<stevemar> ayoung, good point [03:16]
<ayoung> jamielennox, I might need a hand on revocation events testing. I realized I had copied the tests over from the server and just commented out a couple. In the mean time, the Client Manager grew. So I'm going to need to mock out the response that the client uses [03:16]
<stevemar> ayoung, i'll be asking some questions about it then [03:16]
<ayoung> stevemar, please do. [03:16]
<jamielennox> ayoung sure [03:21]
<ayoung> jamielennox, once again, since I am not using the standard managers, the standard tests don't really apply [03:22]
<morganfainberg> jamielennox, ah this time you have the brutal flight, don't ya :( [03:22]
<ayoung> morganfainberg, he always does [03:22]
<morganfainberg> ayoung, he had a less brutal flight to HK than we all did [03:23]
<ayoung> Australia to Hong Kong was halfway round the world. [03:23]
<jamielennox> morganfainberg: yea, it's going to suck [03:23]
<jamielennox> ayoung: not really, was 9 or 10 hours i think [03:23]
<ayoung> twas less Brutal. But still brutal. [03:23]
*** david-lyle has quit IRC [03:23]
<morganfainberg> ayoung, iirc was 10hrs vs like 15:P [03:23]
<ayoung> I leave at 6:40 and arrive just after 9 this time [03:24]
<morganfainberg> ayoung, just wait, we'll have a summit in aus soon, then his flight will be "great" compared to everyone else's [03:24]
<morganfainberg> ayoung, soon = no bearing on reality, just a hunch [03:24]
<jamielennox> i leave at 10:30am and get in at 6:25pm [03:24]
<morganfainberg> jamielennox, ouch. [03:24]
<jamielennox> + whatever the timezone difference is [03:24]
<morganfainberg> jamielennox, heh. [03:24]
<ayoung> jamielennox, you have your passport all up to date, right? [03:25]
* ayoung has made that mistake before [03:25]
<morganfainberg> ayoung, that's a painful mistake [03:25]
<jamielennox> paid my $14 for a visa [03:25]
<jamielennox> which is just such a weird number [03:25]
<morganfainberg> jamielennox, ... you had to pay... for a visa? [03:25]
<jamielennox> umm electronic something waiver something [03:26]
<morganfainberg> jamielennox, weird [03:26]
<morganfainberg> jamielennox, and that is a very odd number [03:26]
<stevemar> ayoung, morganfainberg should be an easy review:
<stevemar> jamielennox, ^ [03:26]
<jamielennox> stevemar: oh, i've no idea how to configure federation :) [03:27]
<stevemar> jamielennox, now you can learn! but if you're not comfy with it, that's cool [03:28]
<stevemar> i think dolphm and marekd know it the most, and they are okay with it [03:28]
<morganfainberg> stevemar pshaw, easy review!? documentation is hard! :P I need to turn on my grammar parsing part of my brain :P [03:29]
<stevemar> It's just, there are folks asking for docs for federation, and i'm getting tired of sending out emails with elaborate steps [03:29]
<ayoung> stevemar, um...that is not going to be an easy one. But I'll dig through it in the morning [03:29]
<stevemar> morganfainberg, ayoung, i always think doc changes are the easy ones :) [03:30]
<ayoung> stevemar, so you didn't split out the shibboleth parts? I guess that is OK. Probably makes sense to have a set of different Apache Config options in one file. [03:30]
*** shakayumi has joined #openstack-keystone [03:31]
<ayoung> stevemar, but I would like to keep all the Shibboleth stuff in one section, so that when we get to mod_lookup_identity or mod_mellon they just each have their own section [03:31]
<ayoung> You can carry through the SAML values for the example, though [03:32]
<jamielennox> mmm, 22 hours - i shouldn't have calculated that, it's just depressing [03:33]
<ayoung> jamielennox, Wow. [03:34]
<stevemar> jamielennox, load up a lot of movies on the laptop/tablet [03:34]
<stevemar> ayoung, ohh i see what you mean [03:36]
<stevemar> ayoung, i think for now, the mod_shib section is good enough, when we actually claim support for mod_lookup and mod_mellon, we can restructure the docs [03:36]
<ayoung> stevemar, I think we should get the organization for that right now, otherwise we will end up touching this stuff when we go to add a different module, and that review will be much worse for it. [03:38]
<stevemar> ayoung, wouldn't it be just adding a sub-section? [03:38]
<ayoung> So long as the mod_shib stuff is all together. I'll need to look closer to see what should be the morrow... [03:39]
<morganfainberg> stevemar, looks like you're running ubuntu [03:39]
<morganfainberg> stevemar, do you want to clarify that in the docs? [03:39]
<morganfainberg> "service apache2 restart" is not rh/fedora iirc [03:40]
<morganfainberg> same w/ the a2ensite etc [03:40]
*** bach has quit IRC [03:40]
<stevemar> morganfainberg, good point! [03:40]
<morganfainberg> stevemar, looks like there aren't any rendering errors. let me review verbiage next. [03:43]
<ayoung> stevemar, at least now I won't have to deal with rebases on the oauth and regions stuff. Both merged. [03:43]
<morganfainberg> ayoung, ++ [03:44]
<morganfainberg> ayoung, i think we also now have mod_wsgi deployment once zuul reloads its config [03:44]
<morganfainberg> ayoung, check* [03:44]
<ayoung> OOOH YEAH! [03:44]
<morganfainberg> it's non-vote till we're sure it works [03:44]
* ayoung promised he wouldn't cry [03:44]
<morganfainberg> but talking with infra once it's looking good we'll combine it w/ gate checks (probably) e.g. postgres, neutron, something [03:45]
<ayoung> morganfainberg, First beer is on me [03:45]
*** gokrokve has joined #openstack-keystone [03:45]
<ayoung> that one earned it [03:45]
<morganfainberg> ayoung, lets plan to celebrate once we're gating on it and devstack defaults to mod_wsgi :) [03:45]
<morganfainberg> ayoung, we can toast to this success in ATL though! [03:46]
<ayoung> we can drink multiple beers [03:46]
<morganfainberg> ayoung, I support this message [03:46]
<ayoung> I thought you had gone Gungan on me [03:46]
<morganfainberg> ayoung, oh god no. /me cringes [03:47]
<ayoung> Bet they put him in a Cameo in SW EP 7 [03:47]
<ayoung> Like the ETs in the Senate [03:47]
<morganfainberg> ayoung, I'm trying to think positively about EP7! :P [03:48]
<ayoung> jamielennox, did you write the crud tests? It looks like magic to me [03:48]
<jamielennox> ayoung: no, but i know (mostly) how they work [03:48]
<ayoung> returned = self.manager.create(**parameterize(manager_ref)) [03:48]
<ayoung> I am trying to emulate a call like that [03:49]
<ayoung> but can't figure out how to get the Manager... [03:49]
<jamielennox> so it's like the server [03:49]
<jamielennox> there is a base class, and then you mix it into manager specific tests [03:49]
<jamielennox> i assume manager is a class attribute [03:50]
*** gokrokve has quit IRC [03:50]
<ayoung> and I see how the client is created in the Tests Class... [03:50] far pretty clear. [03:51]
<ayoung> jamielennox, OK, I need to split my test into a model portion and a V3 specific portion...that will happen tomorrow. Gnight all [03:54]
<morganfainberg> stevemar, commented on the documentation [04:03]
<morganfainberg> stevemar, is there a "better" place to link against than
<morganfainberg> stevemar, few minor rephrasing comments to help make sure we are as clear as possible. [04:04]
<stevemar> github was linked? hmmm [04:04]
<morganfainberg> stevemar, you have a bunch of things linking to github (.md files) [04:04]
<morganfainberg> stevemar, identity-api? [04:05]
<morganfainberg> stevemar, not sure if we have a better place to link to... something based maybe? [04:05]
<morganfainberg> stevemar, but if we don't no big deal [04:05]
<stevemar> ohh the identity api ones [04:05]
<stevemar> i'm not sure there is a better spot [04:05]
<morganfainberg> stevemar, we might need to ask the lovely doc folks [04:06]
<morganfainberg> stevemar, would be better if we linked to o.o instead of github [04:06]
*** topol has quit IRC [04:08]
*** shakayumi has quit IRC [04:08]
<morganfainberg> stevemar, hmm. we might be missing some data from the API site. [04:12]
<morganfainberg> stevemar, seems to be missing things [04:12]
<morganfainberg> stevemar, doesn't have the create group info (which the .md has, added by henrynash in 2012) [04:14]
<morganfainberg> similarly we're missing data for creating users [04:14]
<stevemar> morganfainberg, and we're getting on my case about not futureproofing the structure of a guide :P [04:16]
<stevemar> morganfainberg, the site receives no love [04:16]
<morganfainberg> stevemar, hey, the docs look quite good except for what is missing [04:16]
<morganfainberg> stevemar, i only _asked_ if there was a better place to link to :P [04:17]
<morganfainberg> stevemar, valid response is "nope, github is the best" [04:17]
<morganfainberg> stevemar, funny, the PDF version has "adding group" and "adding user" [04:18]
<stevemar> morganfainberg, hehe, just gettin on your case for fun [04:19]
<stevemar> morganfainberg, all your suggestions are great, i think i'll just wait for ayoung to have comments tomorrow so i don't have to submit 2 patches [04:23]
<morganfainberg> stevemar, ++ cool [04:23]
<stevemar> morganfainberg, do you think adding a sentence about the steps being ubuntu specific is cool at the end of the 'prereqs' section? [04:29]
<stevemar> i can't really find a spot to put it [04:29]
*** gokrokve has joined #openstack-keystone [04:44]
*** zhiyan is now known as zhiyan_ [04:46]
*** gokrokve has quit IRC [04:49]
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method
<openstackgerrit> Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure
<openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth
<openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
<openstackgerrit> Roman Bodnarchuk proposed a change to openstack/keystone: Return 400 in case request body is JSON, but not a dictionary
<openstackgerrit> Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor test_auth trust related tests
*** gokrokve has quit IRC [11:49]
*** IanGovett has joined #openstack-keystone [12:04]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Add detailed federation configuration docs
*** abelur_ has joined #openstack-keystone [12:11]
*** abelur_ has quit IRC [12:11]
<marekd> Any particular time when sunday meetup would start? [12:25]
<openstackgerrit> Raildo Mascena de Sousa Filho proposed a change to openstack/keystone: Filter User by project
*** tomoiaga has left #openstack-keystone [12:32]
<openstackgerrit> Raildo Mascena de Sousa Filho proposed a change to openstack/keystone: Filter User by project
<openstackgerrit> Raildo Mascena de Sousa Filho proposed a change to openstack/keystone: Filter User by project
*** IanGovett has quit IRC [13:04]
*** xianghui has quit IRC [13:07]
*** bknudson has joined #openstack-keystone [13:09]
<marekd> ayoung: o/ [13:10]
<marekd> you know anything more about that Sunday summit meetup? when does it start? [13:10]
*** david-lyle has joined #openstack-keystone [13:11]
<ayoung> marekd, heh, just whenever people trickle in. It's a travel day [13:14]
<ayoung> marekd, I'm not coming in till after 9 PM [13:14]
<marekd> ayoung: aha, ok [13:17]
<ayoung> marekd, what hotel are you staying at? [13:17]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Add detailed federation configuration docs
<marekd> ayoung: Melia Atlanta [13:19]
<marekd> ayoung: U ? [13:20]
<ayoung> marekd, looking. [13:20]
<ayoung> marekd, Omni [13:27]
* ayoung is pretty sure.. [13:27]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Add detailed federation configuration docs
<marekd> i guess it's quite close to the Georgia World Congress Center [13:28]
*** chandan_kumar has quit IRC [13:28]
<marekd> ok, just check on google maps :D [13:28]
*** dstanek_zzz is now known as dstanek [13:29]
<lbragstad> ^ that's the place, right? [13:29]
*** david-lyle has quit IRC [13:34]
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Add detailed federation configuration docs
<marekd> stevemar: ^^ this is for you :-) [15:11]
*** spligak has quit IRC [15:13]
<stevemar> marekd, it is?! [15:14]
<stevemar> marekd, hehe, the other sentence was a bit sassy! [15:15]
*** marcoemorais has joined #openstack-keystone [15:19]
<marekd> i know i know. [15:19]
*** marcoemorais has quit IRC [15:19]
<marekd> that's why i told ya it was for you :-) [15:19]
<marekd> thanks for +2 [15:19]
<ayoung> lbragstad, I arrive in ATLANTA, GA (ATL) at 9:20 PM. Probably take me an hourish to get to the Hotel. Might not be showing at the Park Bar. [16:25]
<lbragstad> ayoung: gotcha, I think bknudson and I leave MN before noon, [16:25]
<lbragstad> I think it's only a couple hour flight of u [16:26]
openstackgerritRichard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values
*** gyee has joined #openstack-keystone16:56
*** amerine_ is now known as ameirne16:56
*** ameirne is now known as amerine16:56
amerineAnyone able to tell me how to get the docs that were here for Havana?16:57
*** harlowja_away is now known as harlowja17:01
*** andreaf has quit IRC17:07
*** htruta has quit IRC17:08
*** richm has joined #openstack-keystone17:13
*** amcrn has joined #openstack-keystone17:21
*** gokrokve_ has quit IRC17:21
*** rodrigods has quit IRC17:27
*** dstanek_zzz is now known as dstanek17:29
*** tsv has joined #openstack-keystone17:47
*** thedodd has quit IRC17:50
*** thedodd has joined #openstack-keystone17:54
*** amcrn_ has joined #openstack-keystone17:54
*** gokrokve has joined #openstack-keystone17:54
*** amcrn has quit IRC17:56
*** bach has quit IRC18:00
stevemarbknudson, ping18:04
bknudsonstevemar: what's up?18:04
stevemarin this change, did you update tox, or was that automagic?18:04
stevemarsame with tools/install_venv_common18:04
bknudsonstevemar: I made the change to tox.ini since tox -epep8 was failing18:05
bknudsonstevemar: checked the keystone version and noticed it had that18:05
bknudsonstevemar: the change to install_venv_common came from
stevemarbknudson, oh yeah? i never noticed that in the keystone version, good to know.18:06
stevemarbknudson, yeah, i thought he is associated with oslo. cool18:06
stevemarbknudson, uh oh, i started down the rabbit hole, you've got 5 patches strung together18:08
bknudsonstevemar: there was a change to
bknudsonwhich caused some tests to fail18:09
bknudsonso I changed some tests18:10
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources
bknudsonwe'll have to get an un-session together to discuss input validation18:10
*** ayoung has quit IRC18:13
*** IanGovett1 has joined #openstack-keystone18:17
*** IanGovett has quit IRC18:17
*** IanGovett1 has quit IRC18:17
*** IanGovett1 has joined #openstack-keystone18:17
stevemari think lbragstad's on the right track18:17
*** ayoung has joined #openstack-keystone18:18
stevemarbknudson, another question, is the thinking behind this change:, that we only keep a list of the modules we specifically call out in keystoneclient?18:18
*** bach has joined #openstack-keystone18:18
bknudsonstevemar: yes, we only explicitly list what keystoneclient requires (i.e., imports) -- oslo can take care of the other dependencies.18:19
stevemarcool cool18:19
bknudsonthat way those modules will go away automatically if oslo stops depending on it.18:19
bknudsonwhich I expect to happen as oslo moves modules into libraries18:20
*** lbragstad has quit IRC18:20
*** bach has quit IRC18:21
*** BAKfr has quit IRC18:21
*** morganfainberg_Z is now known as morganfainberg18:22
*** bach has joined #openstack-keystone18:23
*** lbragstad has joined #openstack-keystone18:24
*** bach has quit IRC18:28
*** vhoward has left #openstack-keystone18:34
*** derek_c has joined #openstack-keystone18:39
*** bach has joined #openstack-keystone18:40
*** thedodd has quit IRC18:41
*** leseb has joined #openstack-keystone18:52
*** openstackgerrit has quit IRC19:04
*** openstackgerrit has joined #openstack-keystone19:05
*** amcrn_ has quit IRC19:07
*** andreaf has joined #openstack-keystone19:10
*** andreaf has quit IRC19:10
*** andreaf has joined #openstack-keystone19:11
*** leseb has quit IRC19:17
*** thedodd has joined #openstack-keystone19:31
*** leseb has joined #openstack-keystone19:32
*** bach has quit IRC19:43
dolphmi'm blanking out - can anyone recall the term for "using the network itself as a storage medium" ? (i'm trying to describe the move to ephemeral tokens)19:45
*** derek_c has quit IRC19:45
*** bach has joined #openstack-keystone19:46
*** bach has quit IRC19:48
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth
*** d0ugal has quit IRC19:51
*** leseb has quit IRC19:54
*** jsavak has quit IRC20:05
ayoungdolphm, "20:06
ayoung    Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)20:06
ayoung        Torvalds, Linus (1996-07-20). Message. linux-kernel mailing list. IU. Retrieved on 2014-04-26.20:06
dolphmayoung: that's still using traditional storage resources on a server somewhere... which isn't what i'm referring to20:07
ayoungdolphm, in this case though, I would say that the tokens are no longer persisted, but rather we are moving to cryptographic20:07
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
*** IanGovett1 has quit IRC20:09
dolphmayoung: ^20:12
ayoungdolphm, I'm not sure I am with you on this one.  What are you implying here?  That you can always retrieve the token from somewhere on the net?20:12
dolphmayoung: no, just that the only place something is persisted is on the network20:12
morganfainbergdolphm, hm.20:12
morganfainbergdolphm, interesting.20:13
ayoungdolphm, but that is not true here.  The token is not necessarily "persisted" anywhere20:13
ayoungjust that if you happen to find one, you can verify it20:13
morganfainbergdolphm, ayoung, i want to talk about token validators when we get to the summit [on the topic of ephemeral tokens20:13
dolphmi want to say the term is as simple as "network-based storage" but that just renders lots of google results for NAS, etc20:13
morganfainbergdolphm, it's not really "hiding" the cipher though20:14
dolphmmorganfainberg: agree20:15
ayoungThe Network is the Computer?  Nah.20:15
morganfainbergayoung, soylent green is people?20:15
dolphmmorganfainberg: i don't think 'stenography' is accurate, but it's thematically related20:15
morganfainbergdolphm, Ephemeral is really the best phrasing.20:16
morganfainbergthe data can be validated but has a limited life (while being used)20:16
ayoungmorganfainberg, well,  not really.  Tokens are already Ephemeral, they just get written to disk20:16
morganfainbergit's not that it really is ever stored.20:16
morganfainbergayoung, ++20:16
morganfainbergayoung, true20:16
*** arborism has joined #openstack-keystone20:16
ayoungin this case, what he means is that the only place the token is reliably stored is as part of the network protocols that use it20:17
*** dstanek is now known as dstanek_zzz20:18
dolphmayoung: exactly20:18
bknudsonwhat do you think about advertising "capabilities" in /v2.0/extensions?20:18
bknudsonfor example, this server supports returning an unsigned revocation list20:19
ayoungbknudson, or MD5 vs SHA256 for hashes?20:19
dolphmbknudson: i've advocated for that in the past, and was convinced it was a bad idea20:19
ayoungbknudson, what is the HTTP way?20:20
morganfainbergbknudson, i would support doing that20:20
dolphmbknudson: although i was looking to introduce a /capabilities on *every* service that clients could make authenticated requests to, in order to discover the subset authorized capabilities at that endpoint20:20
morganfainbergayoung, dolphm, i asked smart people here and they keep saying "on the wire" is the best phrasing as in: the data only exists on the wire20:20
ayoungI'm mixed20:21
dolphmmorganfainberg: nice...20:21
bknudsonI think there's a show called "the wire"20:21
morganfainbergbknudson, oh we probably need to never use that phrase again then :P20:21
ayoungthe opposite of
nkinderdata in action20:22
bknudsonayoung: I'll see if there's anything in http for advertising it20:22
morganfainbergnot(data at rest)20:22
morganfainbergnkinder, data in motion?20:22
bknudsonof course the client could just try it and fail, but I'd rather avoid the error message in the keystone server log20:22
ayoungIt puts the Data in the  Bucket or it gets the hose again.20:22
morganfainbergnkinder, damn, "data in motion" is a real state of data :(20:23
morganfainbergnkinder, shouldn't use that then :P20:23
nkindermorganfainberg: you type new articles fast! ;)20:24
dolphmmorganfainberg: that's a great way to look at it20:24
dolphmnkinder: ha20:24
ayoungData on Vacation!20:24
morganfainbergnkinder, >.>20:24
dolphmmorganfainberg: so we're just avoiding 'data at rest'20:24
morganfainbergdolphm, sounds right20:25
ayoungdolphm, the token only exists as Data in Use20:25
dolphmayoung: or in motion20:25
ayoungYeah, I guess that is not a strict subset20:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Allow fetching a plaintext revocation list
bknudson is what I was talking about.20:28
*** arborism is now known as amcrn20:30
ayoungbknudson, I would love it if plaintext vs signed was in the accepts header20:38
ayoungand applied to anything (except for tokens which are always signed)20:38
bknudsonayoung: that makes sense. It's JSON either way20:38
ayoungbknudson, JSON  that is ASN1 encoded, signed, compressed, and then Base64 Encoded to be pedantic20:39
ayoungPKIZ for short20:39
bknudsonayoung: the response is {'signed': 'ajsdlkfdsafds'}20:39
*** dstanek_zzz is now known as dstanek20:39
bknudson{"signed": "-----BEGIN CMS-----\nMI20:39
ayoungbknudson, I was young.  I needed the money20:39
bknudsonayoung: I'm guessing you wouldn't do it that way today20:40
ayoungbknudson, no.  But then, the signed, compressed, and Base64 standard has not yet been published, either, so I don't have a good standard content type for that20:41
bknudsonmaybe with HTTP you would do a HEAD request to find out if it supported the representation?20:41
ayoungbknudson, I would make it a client call:  give me it signed or give me it unsigned20:41
ayoungbknudson, I mean, technically, we could make it a request param20:41
ayoungit's just not something that can be blanketly applied20:42
*** bach has joined #openstack-keystone20:44
*** dstanek is now known as dstanek_zzz20:49
*** bach has quit IRC20:53
*** huats has quit IRC21:01
*** huats has joined #openstack-keystone21:04
*** huats has joined #openstack-keystone21:04
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions
morganfainbergayoung, oops
morganfainbergayoung, we should have already been running the non-voting job *wince*21:13
morganfainbergbad regex.21:13
* morganfainberg is to blame for that.21:13
ayoungno blood, no foul21:17
morganfainbergayoung, ok we should get apache-services check now :)21:21
* morganfainberg goes to recheck a patch for fun21:21
ayounghere's hoping21:22
morganfainbergayoung, or we might need to wait still for zuul to reread config21:22
*** dstanek_zzz is now known as dstanek21:23
morganfainbergi'll chase down clarkb and get this worked out if it's still not working soon21:24
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions
morganfainbergdolphm, if you're around some v2-to-v3 general timeline bp questions came up in nova meeting #openstack-meeting21:27
stevemarmorganfainberg, ayoung do either of you know how to tell if a gate is broken? would zuul report that?21:27
morganfainbergstevemar, in what way broken?21:28
*** derek_c has joined #openstack-keystone21:28
stevemarmorganfainberg, well, last time the oauth stuff merged, stable/havana broke because of library dependency21:29
stevemari want to make sure the same thing didn't happen again21:29
morganfainbergayoung, woo the keystoneclient change at the bottom of the check queue now has apache-services tempest!21:29
morganfainbergstevemar, ah we test for that now :)21:29
morganfainbergstevemar, there is a stable tempest run specifically to close that gap21:30
stevemarmorganfainberg, yep, i know, and that one is passing!21:30
morganfainbergstevemar, but the way we'd know is... try and merge things to havana21:30
morganfainbergstevemar, so no, zuul doesn't know if something is broken without a change specifically in the queue21:30
morganfainbergstevemar, there might be a bit-rot check (periodic) that would catch it as well. but not 100% sure on that21:30
stevemarmorganfainberg, ah, i thought maybe it was automagically run somewhere21:30
ayoungcheck-tempest-dsvm-full-apache-services: queued21:39
ayoungmorganfainberg, that specifically is the reason that, on Tuesday night, I am making Guinness Stout Ice Cream Floats.21:40
morganfainbergayoung, ++21:41
*** bach has joined #openstack-keystone21:44
*** Chicago has joined #openstack-keystone21:47
*** Chicago has joined #openstack-keystone21:47
*** andreaf_ has joined #openstack-keystone21:51
stevemarayoung, i'm glad i'm not the only one who remembers the guinness stout ice cream floats21:52
*** rodrigods has joined #openstack-keystone21:53
*** rodrigods has joined #openstack-keystone21:53
*** andreaf has quit IRC21:54
*** rodrigods has quit IRC21:58
*** stevemar has quit IRC21:59
morganfainbergayoung, i think we are going to have some cleanup to do to get mod_wsgi deployments to pass tempest.22:00
ayoungmorganfainberg, say it ain't so, Joe.22:08
ayoungmorganfainberg, file them as bugs.22:09
morganfainbergayoung, [Thu May 08 21:59:14 2014] [error] [client] malformed header from script. Bad header=25PbmUiLCAiaW50ZXJmYWNlIjogImF: main
morganfainbergayoung, trying to figure out the bugs22:09
ayoungmorganfainberg, (HTTP 500)?  Could it be the token-too-big thing?22:10
morganfainbergayoung, perhaps22:10
ayoungmorganfainberg, this is all on one machine, so the clocks should be in sync in the logs, right?22:12
morganfainbergayoung, yes22:12
morganfainbergayoung, the mod_wsgi logs though don't have microsecond resolution22:13
morganfainbergayoung, something i can fix in apache 2.422:13
*** marcoemorais has quit IRC22:13
morganfainbergayoung, [Thu May 08 21:59:14 2014] [error] 32677 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /opt/stack/new/keystone/keystone/middleware/
morganfainbergayoung, i am thinking we might be losing the tokens22:14
morganfainbergayoung, too large etc22:14
ayoung2014-05-08 21:58:49.429 | {2} tempest.api.identity.admin.v3.test_tokens.TokensV3TestXML.test_rescope_token [0.738703s] ... FAILED22:14
morganfainbergayoung, oh oh22:14
morganfainbergayoung, derp.22:14
morganfainbergayoung, interesting.22:14
ayoungit might be that it is crossing a threshold22:15
morganfainbergayoung, yeah.22:15
ayoungnot just XML22:15
ayoungtempest.api.orchestration.stacks.test_update.UpdateStackTestJSON.test_stack_update_nochange [0.287952s] ... FAILED22:16
ayoung2014-05-08 21:59:14.452 |22:16
morganfainbergayoung, well this at the very least shows us potential problems with mod_wsgi deployments22:16
morganfainbergayoung, it's great to have this!22:16
*** marcoemorais has joined #openstack-keystone22:16
morganfainbergayoung, aha22:16
morganfainbergayoung, that won't work, PKI token exceeds max request length22:17
ayoungtoo big22:17
morganfainbergayoung, yep22:17
ayoungwe need compressed tokens22:17
morganfainbergayoung,++ let me go review that patchset right now22:17
ayoungmorganfainberg, ++.  jamielennox|away -1ed it last night, but his changes will be minuscule.  I'm finishing some testing on revoke events and will loop back around to compressed, hopefully tonight22:18
morganfainbergayoung, great!22:19
morganfainbergayoung we also need revocation events >.>22:19
*** dims has quit IRC22:23
*** marcoemorais has quit IRC22:29
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
*** henrynash has quit IRC22:29
*** marcoemorais has joined #openstack-keystone22:30
*** bknudson has quit IRC22:31
*** nkinder has quit IRC22:35
*** joesavak has joined #openstack-keystone22:39
gyeeayoung, nkinder, I am also good with
*** jsavak has joined #openstack-keystone22:40
*** erecio has quit IRC22:42
*** rodrigods has joined #openstack-keystone22:43
*** joesavak has quit IRC22:43
*** tsv has quit IRC22:46
*** dstanek is now known as dstanek_zzz22:54
*** andreaf_ has quit IRC22:58
*** gokrokve has quit IRC23:00
*** jsavak has quit IRC23:09
*** rodrigods has quit IRC23:26
*** rodrigods has joined #openstack-keystone23:26
*** rodrigods has quit IRC23:26
*** rodrigods has joined #openstack-keystone23:26
*** rodrigods has quit IRC23:31
*** praneshp has quit IRC23:35
*** morganfainberg is now known as morganfainberg_Z23:38
*** rodrigods has joined #openstack-keystone23:39
*** rodrigods has quit IRC23:39
*** rodrigods has joined #openstack-keystone23:39
*** dstanek_zzz is now known as dstanek23:39
*** gokrokve has joined #openstack-keystone23:43
*** praneshp has joined #openstack-keystone23:44
*** thedodd has quit IRC23:47
*** morganfainberg_Z is now known as morganfainberg23:49
*** dstanek is now known as dstanek_zzz23:49
