Tuesday, 2014-05-27

« Monday, 2014-05-26 Index Wednesday, 2014-05-28 »
*** kun_huang has joined #openstack-keystone00:06
*** kun_huang has quit IRC00:09
*** packet has quit IRC00:18
*** diegows has quit IRC00:25
*** diegows has joined #openstack-keystone00:25
*** ncoghlan has joined #openstack-keystone00:30
*** zhiyan_ is now known as zhiyan00:38
*** xianghui has joined #openstack-keystone00:44
*** stevemar has joined #openstack-keystone00:45
*** gokrokve_ has quit IRC00:51
*** gokrokve has joined #openstack-keystone00:52
*** diegows has quit IRC00:53
*** gokrokve has quit IRC00:56
*** lbragstad has joined #openstack-keystone01:06
*** sbfox has quit IRC01:12
*** ncoghlan is now known as ncoghlan_afk01:24
*** ncoghlan_afk is now known as ncoghlan01:25
*** david-lyle has quit IRC01:30
*** gokrokve has joined #openstack-keystone01:44
*** gokrokve has quit IRC01:48
*** ncoghlan is now known as ncoghlan_afk02:14
openstackgerritA change was merged to openstack/keystone: Fix spelling mistakes in docs  https://review.openstack.org/9556402:27
openstackgerritA change was merged to openstack/keystone: Replace assertTrue and assertFalse with more suitable asserts  https://review.openstack.org/9549202:27
*** zhiyan is now known as zhiyan_02:29
*** david-lyle has joined #openstack-keystone02:31
*** david-lyle has quit IRC02:35
*** mberlin has joined #openstack-keystone02:36
*** mberlin1 has quit IRC02:37
*** gokrokve has joined #openstack-keystone02:41
*** gokrokve has quit IRC02:46
*** zhiyan_ is now known as zhiyan02:46
*** zhiyan is now known as zhiyan_02:52
*** zhiyan_ is now known as zhiyan02:52
*** dims has quit IRC03:16
*** ncoghlan_afk is now known as ncoghlan03:27
*** david-lyle has joined #openstack-keystone03:32
*** david-lyle has quit IRC03:36
*** david-lyle has joined #openstack-keystone03:38
*** gokrokve has joined #openstack-keystone03:42
*** david-lyle has quit IRC03:43
*** gokrokve has quit IRC03:46
*** ncoghlan is now known as ncoghlan_afk04:07
openstackgerritA change was merged to openstack/python-keystoneclient: add docstr to v2 shell module regarding CLI deprecation  https://review.openstack.org/9345704:12
*** zhiyan is now known as zhiyan_04:14
*** zhiyan_ is now known as zhiyan04:21
*** david-lyle has joined #openstack-keystone04:24
*** gokrokve has joined #openstack-keystone04:43
*** gokrokve has quit IRC04:48
*** gokrokve has joined #openstack-keystone04:48
*** praneshp has joined #openstack-keystone04:50
*** ncoghlan_afk is now known as ncoghlan04:55
*** ncoghlan is now known as ncoghlan_afk04:57
*** xianghui has quit IRC05:17
*** gokrokve has quit IRC05:17
*** gokrokve has joined #openstack-keystone05:18
*** ncoghlan_afk is now known as ncoghlan05:21
*** gokrokve has quit IRC05:22
openstackgerritA change was merged to openstack/keystone: remove a few backslash line continuations  https://review.openstack.org/9344605:26
*** zhiyan is now known as zhiyan_05:40
*** zhiyan_ is now known as zhiyan05:41
*** sbfox has joined #openstack-keystone05:46
*** gokrokve has joined #openstack-keystone05:48
*** gokrokve has quit IRC05:54
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851705:58
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9028806:00
*** dstanek_zzz is now known as dstanek06:24
*** stevemar has quit IRC06:34
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Fixed wrong behavior when updating tenant with LDAP backends  https://review.openstack.org/9338606:42
*** bvandenh has joined #openstack-keystone06:46
*** leseb has joined #openstack-keystone06:48
*** gokrokve has joined #openstack-keystone06:49
*** gokrokve has quit IRC06:54
*** david-lyle has quit IRC06:54
*** dstanek is now known as dstanek_zzz07:00
*** boris-42 has quit IRC07:03
*** tomoiaga has joined #openstack-keystone07:04
*** tomoiaga has left #openstack-keystone07:05
*** leseb_ has joined #openstack-keystone07:07
*** leseb has quit IRC07:08
*** afazekas has joined #openstack-keystone07:08
*** boris-42 has joined #openstack-keystone07:11
*** BAKfr has joined #openstack-keystone07:13
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9554507:17
*** bvandenh has quit IRC07:21
*** xianghui has joined #openstack-keystone07:25
*** d0ugal_ has quit IRC07:25
*** praneshp has quit IRC07:28
*** gokrokve has joined #openstack-keystone07:49
*** gokrokve has quit IRC07:54
*** ajayaa has joined #openstack-keystone07:55
*** tomoiaga has joined #openstack-keystone08:15
*** ncoghlan has quit IRC08:16
tomoiagatrying to use the V3 client will always end up calling the v2 url (which is in the service catalog) regardless of what endpoint/auth_url I set for that client. Does anyone have any experience using the v3 client ?08:17
*** Ju has joined #openstack-keystone08:19
*** sbfox has quit IRC08:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects  https://review.openstack.org/7954208:25
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf  https://review.openstack.org/9501508:25
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from CLI options  https://review.openstack.org/9567808:25
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI  https://review.openstack.org/9567908:25
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/9568008:25
*** jamielennox is now known as jamielennox|away08:40
*** mberlin1 has joined #openstack-keystone08:49
*** gokrokve has joined #openstack-keystone08:49
openstackgerritIhar Hrachyshka proposed a change to openstack/keystone: Synced jsonutils from oslo-incubator  https://review.openstack.org/9105408:51
*** mberlin has quit IRC08:51
openstackgerritIhar Hrachyshka proposed a change to openstack/python-keystoneclient: Synced jsonutils from oslo-incubator  https://review.openstack.org/9569708:53
*** gokrokve has quit IRC08:53
*** andreaf has joined #openstack-keystone08:59
*** henrynash has joined #openstack-keystone09:11
*** kun_huang has joined #openstack-keystone09:38
*** zhiyan is now known as zhiyan_09:39
*** gokrokve has joined #openstack-keystone09:49
*** gokrokve_ has joined #openstack-keystone09:51
*** gokrokve has quit IRC09:53
*** gokrokve_ has quit IRC09:55
*** leseb_ has quit IRC10:12
*** bvandenh has joined #openstack-keystone10:31
*** gokrokve has joined #openstack-keystone10:49
openstackgerritChristian Berendt proposed a change to openstack/keystone: replaced unicode() with six.text_type()  https://review.openstack.org/9571910:51
*** gokrokve has quit IRC10:53
*** leseb has joined #openstack-keystone11:03
*** zhiyan_ is now known as zhiyan11:17
*** diegows has joined #openstack-keystone11:17
ajayaadolphm: hi, are the policies not enforced at all in v2 api?11:19
*** rushiagr has joined #openstack-keystone11:21
ajayaaI am trying different policies in policy.json and I am using v2 api. None of the policies are enforced.11:22
ajayaaEven in the code everywhere there is self.assert_admin() in v2 apis. When I remove them any user can do anything.11:24
*** dims has joined #openstack-keystone11:28
*** leseb has quit IRC11:48
*** gokrokve has joined #openstack-keystone11:49
*** xianghui has quit IRC11:51
*** gokrokve has quit IRC11:53
*** bvandenh has quit IRC11:54
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157811:56
*** rodrigods has joined #openstack-keystone11:58
*** rodrigods has joined #openstack-keystone11:58
*** leseb has joined #openstack-keystone11:59
*** bvandenh has joined #openstack-keystone12:04
*** afazekas has quit IRC12:07
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157812:13
*** dstanek_zzz is now known as dstanek12:14
*** dims has quit IRC12:20
*** afazekas has joined #openstack-keystone12:21
openstackgerritA change was merged to openstack/keystone-specs: Updated gitreview file for repo rename  https://review.openstack.org/9529812:26
*** afazekas is now known as _afazekas_mtg12:31
*** dstanek is now known as dstanek_zzz12:41
*** jaosorior has joined #openstack-keystone12:41
*** dims has joined #openstack-keystone12:45
*** gokrokve has joined #openstack-keystone12:49
*** dstanek_zzz is now known as dstanek12:50
*** gokrokve has quit IRC12:54
*** radez_g0n3 is now known as radez12:56
*** _afazekas_mtg has quit IRC13:04
*** mberlin1 has quit IRC13:12
*** _afazekas_mtg has joined #openstack-keystone13:16
*** ericvw has joined #openstack-keystone13:19
*** _afazekas_mtg is now known as afazekas13:19
*** jdennis has quit IRC13:23
*** mberlin has joined #openstack-keystone13:24
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Fixed a problem with creating user with empty description in LDAP  https://review.openstack.org/9576213:30
henrynashajayaa: I think we only introduced RBAC for keystone APIs with the v3 calls13:33
henrynashajayaa: For v2, you need to be admin to do almost anything13:34
ajayaahenrynash: I need to define a concept of tenant admin . If RBAC is not supported in v2 and v3 is not yet supported by all the components, then I am stuck I believe. :(13:36
henrynashajayaa: so nova v2 calls are fine…it’s only keystone v2 calls that are not…..and other components won’t call the keystone v2 API calls in general13:37
henrynashajayaa: can you give me an example of a keystone v2 call you think will be a problem?13:38
ajayaahenrynash: sorry for digressing a bit but the keystone_authtoken middleware still uses v2 apis. So I would need both v2 and v3 api, right?13:40
henrynashajayaa: well, I think it only uses the v2 apis for things behind the scenes, but it will correctly validate v3 calls13:42
*** ayoung has joined #openstack-keystone13:42
henrynashajayaa: the keystone_client pyhon library, authtoken_middleware and the openstack client CLi all support v313:43
tomoiagahenrynash: authtoken_middleware supports keystone v3 as of icehouse, or with some new additions recently ?13:44
ajayaahttps://review.openstack.org/#/c/88620/13:44
henrynashajayaa: it’s true that other projects still call the keystone v2 api in places….but those are token/region/enpoint type things…not the APIs that manipulate keystone objects13:45
tomoiagahenrynash: I'll have to check and make sure, I have the same "problem", however I can deal with most issues, just the service catalog needs to have the v2 keystone url, otherwise auth may not work (for nova for example)13:45
ajayaahenrynash: Everybody says keystone v3 is not supported by all the components yet. How safe is it to use keystone v3 as of now?13:46
henrynashajayaa: yes, it’s true authtoekn uses the v2 keystone token validation API…(which we are fixing), but again that doesn’t mean that yuo will bypass any RBAC on v3 calls13:46
henrynashajayaa: …and yes you do need to be careful of the v2/v3 url issue….13:47
henrynashajayaa: jamie from the keystone team is working on that bit13:47
tomoiagaajayaa: keystone v3 is safe to use, however, I found some minor issues when creating domains or other stuff, where the keystone client library tries the service catalog url (which should be v2 for now) and things break. This is regardless of whay endpoint or auth_url you set. You will have to specify the base_url property. All this if you are using the python client library to do stuff.13:48
ajayaahenrynash: also things like domain are going to be deprecated in future according to the hierarchical multitenancy.  So it seems that v3 is not yet stable enough.13:49
*** gokrokve has joined #openstack-keystone13:49
henrynashajayaa: v3 is stable13:50
henrynashajayaa: domains will stil be supported even with hierachical multitenancy (even if they are essentially a view onto a top level project)13:50
ajayaahenrynash: thanks for your help.13:51
henrynashajayaa: np13:51
*** gokrokve has quit IRC13:53
*** tomoiaga has quit IRC13:54
*** nkinder has joined #openstack-keystone13:56
*** sbfox has joined #openstack-keystone13:57
*** zhiyan is now known as zhiyan_13:57
ajayaahenrynash: When someone says v3 api is not yet supported by all the openstack services yet, what do they mean? I have heard this multiple times. for e.g. https://ask.openstack.org/en/question/26805/what-is-the-major-difference-between-keystone-v2-and-v3/14:04
*** gordc has joined #openstack-keystone14:06
*** Camisa has quit IRC14:06
*** gokrokve has joined #openstack-keystone14:07
*** gokrokve_ has joined #openstack-keystone14:08
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157814:08
ajayaahenrynash: If I understand things clearly, I could work on the blueprint "migrating from v2 to v3"14:09
*** gokrokve has quit IRC14:11
bknudsonajayaa: some operations will fail if given a v3 token because the catalog format is different and the service doesn't parse it correctly14:12
bknudsonI think this is what jamielennox|away is working on14:13
ajayaabknudson: perhaps jamielennox|away can throw some light on things that don't work. :)14:19
*** jdennis has joined #openstack-keystone14:20
*** stevemar has joined #openstack-keystone14:23
*** david-lyle has joined #openstack-keystone14:30
*** gokrokve has joined #openstack-keystone14:33
*** gokrokve_ has quit IRC14:36
*** vhoward has left #openstack-keystone14:39
*** vhoward has joined #openstack-keystone14:39
*** sbfox has quit IRC14:46
*** ajayaa has quit IRC14:49
*** thedodd has joined #openstack-keystone14:53
dstanekstevemar: if lbragstad's jsonschema validation gets in will we need https://review.openstack.org/#/c/87849 ?14:55
lbragstadI don't *think* so?14:56
stevemardstanek, i imagine his stuff is done in chunks, and may not hit the federation pieces any time soon14:56
lbragstadwe could use the jsonschema validator for federation... I could get a WIP patch up for it14:56
henrynashajayaa: (sorry was AFK)…so there is lots of work going on in Juno for “keystone v3 everywhere” as dicussed at the design summit14:58
henrynashajayaa: all help gratefully reveived :-)14:58
henrynashajayaa: as per the comment on the link you sent me, the keystone_client CLI will never be upgraded (it is being deprecated in favor of teh stanadard openstack client - which support keystone v3 already)15:00
*** leseb has quit IRC15:02
*** leseb has joined #openstack-keystone15:02
*** bvandenh has quit IRC15:04
*** nkinder has quit IRC15:04
*** kun_huan_ has joined #openstack-keystone15:04
*** morganfainberg_Z is now known as morganfainberg15:04
*** zhiyan_ is now known as zhiyan15:05
*** kun_huang has quit IRC15:05
morganfainbergdstanek, lbragstad, which jsonschema patch?15:05
lbragstadmorganfainberg: https://review.openstack.org/#/c/86483/ https://review.openstack.org/#/c/86484/ https://review.openstack.org/#/c/92031/15:06
morganfainberglbragstadb, nice.15:06
* morganfainberg swears he can type15:06
*** leseb has quit IRC15:07
morganfainberglbragstad, I was actually about to start working on something similar for the tokens15:07
morganfainberglbragstad, but... if you already did awesome work... yay!15:07
openstackgerritJuan Manuel Ollé proposed a change to openstack/keystone: Adding Role for an unexisting user should fail.  https://review.openstack.org/9398215:07
lbragstadmorganfainberg: :) go ahead and leverage it if you can, or let me know if there is something else that needs to be done for you to use it15:08
morganfainberglbragstad, plan to. :)15:08
lbragstadwhat were you going to do with token validation?15:08
morganfainberglbragstad, basically an easy way to verify the token itself15:08
lbragstadmorganfainberg: cool15:09
morganfainberglbragstad, need to be able to easily convert a token to a standard structure so we don't need silly logic to know if it's v2, v3, vOver9000 token version15:09
lbragstadright, that makes sense15:10
morganfainbergit's part of the chnages needed to fully implment non-persistent tokens15:10
*** jdennis has quit IRC15:14
*** zhiyan is now known as zhiyan_15:14
*** kun_huan_ has quit IRC15:16
*** kun_huang has joined #openstack-keystone15:17
*** afazekas has quit IRC15:18
*** nkinder has joined #openstack-keystone15:20
*** gyee has joined #openstack-keystone15:23
morganfainberglbragstad, i think we'll need to add a datestamp validator in the long run as well15:25
lbragstad++ good idea15:25
lbragstadwe could add that in the inital commit15:27
lbragstador wait until we start using the validator on tokens and add it then15:27
*** kun_huang has quit IRC15:32
*** leseb has joined #openstack-keystone15:33
*** rodrigods_ has joined #openstack-keystone15:34
stevemarbknudson, can you take a look at:15:36
stevemarhttps://review.openstack.org/#/c/93982/ - i think it's undoing some of the work you did to separate out identity and assignment15:36
bknudsonstevemar: y, it's undoing a change that I made, but it turned out it was wrong to make that change15:37
morganfainberglbragstad, yeah we can def add it after15:37
bknudsonsince it's groups that are assigned for federated users and not users.15:37
stevemarbknudson, gotcha, i was putting up a fight for nothing!15:37
*** leseb has quit IRC15:37
*** zhiyan_ is now known as zhiyan15:39
*** leseb has joined #openstack-keystone15:41
*** zhiyan is now known as zhiyan_15:51
*** rodrigods_ has quit IRC15:52
*** shakamunyi has joined #openstack-keystone15:56
*** nkinder has quit IRC15:57
*** sbfox has joined #openstack-keystone16:00
ayounglbragstad, my god it feels like Struts all over again16:01
lbragstadayoung: the validations stuff?16:02
ayounglbragstad, yep16:02
*** leseb has quit IRC16:02
*** leseb has joined #openstack-keystone16:02
ayounglbragstad, I know why we need it, it just feels like a regression to me.  I have type-unsafe programming...it leads to validators16:03
lbragstadit will be nice when we have it to the point where it's all done with the same tool16:05
morganfainberglbragstad, ++16:05
dstanekayoung: you'd still have a validation layer if you were doing this in Java - it's just that some of the validation would be done with casting16:05
ayoungdstanek, not if I were writing the framework I wouldn't16:05
ayoungdstanek, what I would do is make you create real honest to goodness objects.16:06
ayoungand catch exceptions where the strings could not be marshalled to objects16:06
*** leseb has quit IRC16:07
*** BAKfr_ has joined #openstack-keystone16:08
*** BAKfr has quit IRC16:08
*** marcoemorais has joined #openstack-keystone16:11
*** jaosorior has quit IRC16:11
morganfainbergayoung, sounds to me like you're advocating the equavalent of python descriptors16:13
morganfainbergin whatever framework/language you choose16:13
*** nkinder has joined #openstack-keystone16:14
*** browne has joined #openstack-keystone16:15
*** jdennis has joined #openstack-keystone16:18
morganfainbergayoung, fyi, going to be bugging you more and more about krb5 and the like wrt OpenStack. cc nkinder16:19
morganfainbergayoung, just a heads up :)16:19
*** thedodd has quit IRC16:21
*** leseb has joined #openstack-keystone16:21
*** thedodd has joined #openstack-keystone16:21
nkindermorganfainberg: cool.  I'll consider myself warned... :)16:22
nkindermorganfainberg: I have an auth plug-in question you might be able to help me with16:22
morganfainbergnkinder ask away16:23
morganfainbergnkinder, i'll answer that then go grab some food before meeting time16:23
nkindermorganfainberg: I was working on the token auth plug-in to not allow scoped tokens to be used to get unscoped tokens (or tokens with a different scope)16:23
nkindermorganfainberg: to do this, the auth plug-in needs to see the scope info from the request16:24
morganfainbergnkinder, makes sense (actually makes a lot of sense)16:24
nkindermorganfainberg: at first, I was pulling this out of context['environment']['openstack.params']['auth'] in the authenticate() method16:24
morganfainbergnkinder, ok16:25
nkinderthat is the only place it's currently available in the authenticate() method16:25
morganfainbergisn't that information in the auth_payload passed to the plugin?16:26
nkinderthis causes some of the trust unit tests to fail, as they set environment = {}16:26
nkindermorganfainberg: nope, auth payload only has the token being used for auth.  It extracts the scope info16:26
morganfainberghm.16:26
nkindermorganfainberg: What I started looking at was extending the authenticate() params16:26
stevemarbknudson, going to +A https://review.openstack.org/#/c/92215/1 i think it'll cause the rest to go through!16:27
bknudsonstevemar: progress!16:28
nkindermorganfainberg: basically, we would pass the tuple from auth_info.get_scope() as a fourth parameter to authenticate()16:28
morganfainbergnkinder, hm. i feel like this should be in the auth_info (AuthInfo object) that is created in the authenticate_for_token method16:29
morganfainbergah16:29
stevemarbknudson, done! now to wait on the gate =\ which has been super flakey lately16:29
nkindermorganfainberg: this would require changing all auth plug-ins, which isn't hard...16:29
morganfainbergnkinder, we just don't pass it to the plugin16:29
morganfainbergnkinder, hmmmmmm16:29
nkindermorganfainberg: I'm concerned about changing it in case there are other auth plug-ins out there16:29
*** BAKfr has joined #openstack-keystone16:30
bknudsonstevemar: this is why noone uses public clouds. routing failures16:30
*** sbfox has quit IRC16:30
morganfainbergnkinder, yeah. this is the hard part when it comes to changing signatures of public functions.16:30
morganfainbergnkinder, it's silly we don't pass that info down to the plugin tbh.16:31
*** BAKfr_ has quit IRC16:31
nkindermorganfainberg: yeah, agreed16:31
nkindermorganfainberg: is it acceptable to propose that we change the signature for Juno?16:32
morganfainbergnkinder, it hasn't stopped us from doing worse than changing a signature in a cycle16:32
morganfainbergnkinder, grizzly -> havana we broke a bunch of external code.16:33
*** sbfox has joined #openstack-keystone16:33
nkindermorganfainberg: I suppose this is a good topic for today's meeting16:33
openstackgerritDavid Stanek proposed a change to openstack/keystone: Updates Python3 requirements to match Python2  https://review.openstack.org/9582616:33
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582716:33
morganfainbergnkinder, i think it would be fine to change authenticate for Juno.16:33
morganfainbergnkinder, i think we should make it future proof, where we pass in all the relevant auth info vs. just a subset if we are changing it though16:33
nkindermorganfainberg: Yeah, we should pass AuthInfo in it's entirety16:34
morganfainbergnkinder, or at least a copy of it.16:34
nkindermorganfainberg: we can then extend it if needed in the future without having to tweak the method signature16:34
morganfainbergnkinder, ++ exactly16:34
*** gokrokve has quit IRC16:34
*** gokrokve has joined #openstack-keystone16:35
nkindermorganfainberg: thanks for your input!  I'll work up a patch for it.16:35
morganfainbergnkinder, if we are really worried about breaking older plugins we could do some versioning magic with a decorator to pass the limited dataset in if the plugin doesn't have the correct support (version?)16:36
*** vhoward has left #openstack-keystone16:36
morganfainbergnkinder, make "fixed" plugins inherit from a proper baseclass or .. have a version value or somesuch that indicates we should pass the whole object in.16:37
nkindermorganfainberg: interesting...  So the decorator would need to be used to get the full AuthInfo16:37
morganfainbergnkinder, well no, the decorator would either pass the full AuthInfo or just the bit you need to match the current mechanism (methods?)16:37
morganfainbergnkinder, so the decorator would grab auth_info, and conditionally pass the whole object in. if we are really worried about breaking external plugins16:38
morganfainbergnkinder, and the topic of external plugin breakage is worth bringing up at the meeting16:38
nkindermorganfainberg: ok, makes sense16:38
*** gokrokve has quit IRC16:39
morganfainbergnkinder, ok bbib gonna grab some breakfast,16:39
*** zhiyan_ is now known as zhiyan16:42
*** leseb has quit IRC16:50
*** leseb has joined #openstack-keystone16:51
*** zhiyan is now known as zhiyan_16:51
*** david-lyle has quit IRC16:51
*** david-lyle has joined #openstack-keystone16:52
*** david-lyle has quit IRC16:52
*** harlowja_away is now known as harlowja_16:55
*** leseb has quit IRC16:55
*** praneshp has joined #openstack-keystone16:58
*** arunkant has joined #openstack-keystone17:05
*** dims has quit IRC17:08
*** gabrielb has quit IRC17:13
*** dims has joined #openstack-keystone17:13
*** gokrokve has joined #openstack-keystone17:16
*** sbfox has quit IRC17:18
*** gokrokve_ has joined #openstack-keystone17:19
*** andreaf has quit IRC17:20
openstackgerritA change was merged to openstack/python-keystoneclient: Make auth_token return a V2 Catalog  https://review.openstack.org/8945817:21
openstackgerritA change was merged to openstack/python-keystoneclient: replace string format arguments with function parameters  https://review.openstack.org/9420517:21
*** gokrokve has quit IRC17:21
openstackgerritA change was merged to openstack/keystone: Replace magic value 'service/security' in CadfNotificationWrapper  https://review.openstack.org/9555017:22
*** sbfox has joined #openstack-keystone17:24
*** nkinder has quit IRC17:24
rodrigodsayoung, are we ready for a merge? =) https://review.openstack.org/#/c/91578/17:26
*** praneshp has quit IRC17:26
*** gabrielb has joined #openstack-keystone17:27
ayoungrodrigods, no idea, but I +2 +Aed anyway17:28
rodrigodsayoung, thanks17:28
morganfainbergthats a lot of +2s if it wasn't ready17:29
openstackgerritA change was merged to openstack/python-keystoneclient: Move auth_token cache pool tests out of NoMemcache  https://review.openstack.org/9221517:30
*** praneshp has joined #openstack-keystone17:31
rodrigodsmorganfainberg, first patch feelings17:32
*** jaosorior has joined #openstack-keystone17:34
jaosoriorlbragstad, regarding https://review.openstack.org/#/c/93992/ , it's not related to any bug (that I know of) :/17:35
lbragstadjaosorior: ok, I was just commenting on that since dstanek mentioned it in his comment on patch set 417:36
*** leseb has joined #openstack-keystone17:37
jaosorioroh, where?17:37
*** ajayaa has joined #openstack-keystone17:38
jaosorioroooh17:40
jaosoriornow I see17:40
openstackgerritA change was merged to openstack/python-keystoneclient: Cached tokens aren't expired  https://review.openstack.org/9221717:40
jaosoriorI'll file the bug then17:41
*** nkinder has joined #openstack-keystone17:41
jaosoriorthanks for pointing it out, I missed that review comment completely17:41
*** leseb has quit IRC17:41
*** bvandenh has joined #openstack-keystone17:42
openstackgerritA change was merged to openstack/python-keystoneclient: Move auth_token tests not requiring v2/v3 to new class  https://review.openstack.org/9222217:42
openstackgerritA change was merged to openstack/python-keystoneclient: Remove importutils from oslo config  https://review.openstack.org/9222317:42
openstackgerritA change was merged to openstack/python-keystoneclient: Sync with oslo-incubator 2640847  https://review.openstack.org/9222817:43
*** zhiyan_ is now known as zhiyan17:43
stevemarlots of merging going on :)17:46
*** sbfox has quit IRC17:46
rodrigods++17:47
morganfainbergstevemar, :)17:47
*** vhoward has joined #openstack-keystone17:49
*** zhiyan is now known as zhiyan_17:52
*** davlaps has joined #openstack-keystone17:53
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.(Work-in-progress)  https://review.openstack.org/9530017:54
morganfainbergdolphm, ayoung, bknudson, stevemar, dstanek, lbragstad, gyee, henrynash, jamielennox|away, auto abandon is dead, if something really should be abandoned, we should abandon it directly. it's rare we want reviews to legitimately auto-expire https://review.openstack.org/#/c/95836/17:55
ayoungmorganfainberg, good, but can only Dolph abandon one now if the origianl author is gone?17:55
morganfainbergayoung, any core17:55
bknudsonmorganfainberg: seems like a good idea.17:55
lbragstadoh hey, look at that17:55
stevemaroh, didn't know that17:55
dolphmmorganfainberg: ++17:56
morganfainbergInfra is going to send a message about it to the ML soonish17:56
lbragstadcool17:56
bknudsonanother option rather than abandon it is to fix it up ourselves and get it merged17:56
lbragstadbknudson: +117:56
bknudsonI think I've got some reviews out there that are on the back burner17:57
dolphmmorganfainberg: authors can still restore after we abandon, right?17:57
morganfainbergdolphm, yes17:57
morganfainbergdolphm, same as any core can restore17:57
dolphmcool17:57
gyeemorganfainberg, sounds good17:58
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator 4a777e5  https://review.openstack.org/9584517:58
morganfainbergbknudson, there are some cases we will want to abandon eventually, e.g. a -2 that isn't fixable17:59
*** gabrielb has quit IRC17:59
morganfainbergbknudson, but yeah most of the time.17:59
dolphmmorganfainberg: can you run today's meeting? i'm here but in a physical meeting too17:59
morganfainbergdolphm, sure thing.17:59
*** david-lyle has joined #openstack-keystone18:05
*** jamielennox|away is now known as jamielennox18:05
*** Priti has joined #openstack-keystone18:09
*** Priti has quit IRC18:13
*** sbfox has joined #openstack-keystone18:22
*** sbfox1 has joined #openstack-keystone18:25
*** sbfox has quit IRC18:29
*** zhiyan_ is now known as zhiyan18:44
*** gabriel-bezerra has joined #openstack-keystone18:51
*** leseb_ has joined #openstack-keystone18:54
*** zhiyan is now known as zhiyan_18:55
gabriel-bezerramorganfainberg, dtroyer: Hi folks, I'd like to carry on with https://review.openstack.org/90771. Should I start a new change on gerrit with your idea of abstracting the differences between operating systems, or should I continue using that change?18:55
ayoungnkinder, I had an image from a whiteboard session19:00
dolphmmorganfainberg: "do we support the concept of keystone across different versions of other services?" yes we do in theory, but we don't test it anywhere19:00
morganfainbergnkinder, i think with what dolphm said I'd like to not break non-lockstep deployments19:00
ayoungnkinder, https://twitter.com/admiyoung/status/429060448462577664/photo/119:00
nkinderdolphm: any guidelines on how many releases back?19:00
nkindermorganfainberg: yeah, that makes sense to me19:00
morganfainbergnkinder, especially orgs that track master closely19:01
morganfainbergnkinder, could get some wonky behavior19:01
ayoungnkinder, I realize that image is pretty gross19:01
nkindermorganfainberg: we should just set a target to change the default behavior to the more secure option19:01
ayoungmorganfainberg, in paste, can one pipeline call another?19:01
morganfainbergayoung, good question19:01
ayoungmorganfainberg, say we made the token pipeline in paste,  could we pull it out of the other?19:01
morganfainbergayoung, i haven't ever seen it done like that19:02
ayoungmorganfainberg, and what are we moving to in place of paste for py33 support?19:02
morganfainbergayoung, we aren't, i mis heard at the summit19:02
ayoungmorganfainberg, OK....19:02
dolphmmorganfainberg: nkinder: avoiding lockstep deployments is my only concern there - but -2 releases should be reasonable19:02
morganfainbergthe answer is either help fix paste or eliminate it.19:02
morganfainbergdolphm, ++19:02
dolphmanyone know what's up with the *-zeromq-* jobs? they have no build history... https://jenkins.openstack.org/job/gate-tempest-dsvm-postgres-zeromq-full-icehouse/19:03
ayoungmorganfainberg, so,  lets get a solution in the paste model19:03
ayoungmorganfainberg, something like this:19:03
nkinderso if the overall idea sounds good to others, I can start writing up a spec...19:03
ayoungmake a new pipeline that only is usable to create a token19:03
ayoungcall it /v3/auth2  or something19:03
morganfainbergayoung, /auth/<version> ?19:04
ayoungthen all of the code that leads to /v3/auth/token  ends up being callable from that19:04
ayoungmorganfainberg, nah19:04
ayoungmorganfainberg, acutally...19:04
nkinderayoung: you mean to only create an unscoped token?19:04
ayoungwe could do19:04
bknudsonare there other "pipeline" python APIs other than paste?19:04
jamielennoxnkinder: ++, it sounds like this should have been the original model - and someone though default_project would be convenient - i'm all for fixing it19:04
ayoung make it /v3/auth/pipeline19:04
ayounginstead of token19:04
dolphmbknudson: WSGI19:04
ayoungbut...regardless, we define that in past like this:19:05
morganfainbergdolphm, bknudson, i think ceiliometer doesn't use paste at all.19:05
morganfainbergjust straight wsgi19:05
dolphmbknudson: paste is just a configuration framework for WSGI apps - you can build a pipeline freehand in the interpreter just stacking wsgi interfaces19:05
dstanekbknudson: i wrote a really simple one a while back that uses the paste ini to create WSGI applications19:06
ayoung[pipeline:v3_auth]19:06
ayoungpipeline = sizelimit url_normalize build_auth_context  json_body   to start19:06
ayoungmorganfainberg, I assume we need all of those?19:06
morganfainbergayoung, i think that covers our requirements -- though i'd need to look more closely to be 100% sure19:07
dstanekayoung: it worries me a little to do what you are proposing in the WSGI pipeline because we wouldn't want the end used to mess with it19:07
ayoungmorganfainberg, then:19:07
ayoungnkinder, no, more than just unscoped19:07
ayoungnkinder, the idea is that the AUTH_URL does not need to be in the catalog19:07
ayoungthis would be a minimal viable AUTH_URL19:08
dstanekdolphm: what's up with https://bugs.launchpad.net/keystone/+bug/1253482 ? is there any change to make in keystone?19:08
uvirtbotLaunchpad bug 1253482 in devstack "Keystone's IANA-assigned default port in linux local ephemeral port range" [Undecided,In progress]19:08
morganfainbergdstanek, nothing we can do unless we get fully under apache19:08
morganfainbergdstanek, and share 80/44319:08
ayoungdstanek, ah, but that is the case for most of the auth pipeline.  This is instead of changing just the token provider19:08
ayoungdstanek, we could, in theory, make a separate paste file just for this.19:09
morganfainbergdstanek, or just throw our hands up and assume port 5000 will be ok19:09
ayoungBut if a user wants to switch PKI for PKIZ, that should be simple to do19:09
morganfainbergdstanek, effectively abandoning 3535719:09
ayoungwell, we can do that, but the whole token provider is pulled along with it19:09
dolphmdstanek: not without changing our default port?19:09
ayoungso,  what would the stages of the pipeline be now?19:09
ayoung1.  authenticate19:10
ayoung2.  Map19:10
morganfainbergdstanek, we could fix it in devstack, but it wouldn't "fix" the bug... might actually make things more confusing19:10
ayoung3. scope19:10
ayoung4. Sign19:10
morganfainbergs/devstack/gate/19:10
ayoung5. record19:10
ayoung6. Return19:10
ayoungwhen we get to ephemeral tokens we drop 5.19:10
dstanekthat's unfortunate19:10
dolphmayoung: then do that first :)19:10
dstanekshould it be marked as wishlist :-) ?19:11
morganfainbergdolphm, going to propose the spec for that this week.19:11
ayoungdolphm, we discusses this.  You said you wanted it back when gyee first proposed the token provider19:11
dolphmmorganfainberg: the blocker IIRC was eliminating all the get_token() calls we have, right?19:11
morganfainbergdstanek, well it's in-progress.19:11
ayoungdolphm, that is just an example of the kind of thing we get from the pipeline approach19:11
morganfainbergdolphm, that is the biggest blocker, and that depends on always decoding the token in the middleware19:11
ayoungdolphm, we could, in theory, put compression into an optional stage as well19:11
dolphmmorganfainberg: decode in the middleware OR fetch once from the backend, right?19:12
morganfainbergdolphm, for PKI always decode19:12
morganfainbergdolphm, never fetch, UUID = fetch19:12
dstanekmorganfainberg: the devstack side was in progress - what i'm hearing here is that we're probably not going to deal with it right now19:12
morganfainbergdolphm, and the resulting non-persistent provider would cease support for UUID19:13
dstaneki'm just trying to go through the open bugs and see if there are next actions we can take19:13
*** leseb_ has quit IRC19:13
morganfainbergdstanek, well i'd like to do it in juno... but it has a lot of moving pieces, i'd mark that one as triaged19:13
morganfainbergdstanek, we can come back / revisit down the line.19:13
morganfainbergwhich reminds me, dolphm, whats the timeline on the next ksc release?19:14
dstanekis it still critical then?19:14
morganfainbergdstanek, we have it documented... i could see it dropped to high or medium (defer to dolphm on that)19:14
dolphmmorganfainberg: was waiting until we need it to land service-side token compression - which is now19:15
morganfainbergdolphm, ++ exactly why i was asking19:15
dolphmmorganfainberg: but we also need auth_token support for token compression19:15
dolphmso, not sure if there's any point in making a release atm?19:15
morganfainbergayoung, doens't auth_token do pkiz now?19:15
morganfainbergayoung, was almost sure it did19:15
bknudsonauth_token doesn't need anything to compression19:15
morganfainbergbknudson, yeah i thought that was part of the cms decode19:16
bknudsonwould be unfortunate if https://review.openstack.org/#/c/80398/ didn't make this keystoneclient release.19:16
dolphmmorganfainberg: it's a parallel API in the cms module though, right? so auth_token needs to call into it specifically?19:16
dolphmayoung: ^19:16
bknudsonauth_token was changed to use the new cms function19:17
morganfainbergdolphm, let's get bknudson's merged (i'll do the deep dive again today) and if auth_token doesn't need anything else we can release. i think it's seemless vs. parallel19:17
bknudsonI tried it19:17
dolphmbknudson: ah, i missed that then19:18
morganfainbergbknudson, i was almost positive i tested that as well.19:19
dolphmis anyone looking to land a BP in juno-1?19:19
dolphmother than token compression19:19
*** leseb has joined #openstack-keystone19:20
dolphmthat's the only thing on our milestone https://launchpad.net/keystone/+milestone/juno-119:20
morganfainbergdolphm, not I. I plan to write specs for everything I want to land in Juno (even if I land it pre-J1)19:20
*** bvandenh has quit IRC19:20
dstanekfor Python 3 support i've started to leap (before I look) a little bit. i've been getting Keystone to work against some unofficial patches so that we can keep it moving forward.19:24
dstanekmy hope is that i can help make the patches part of the projects. see https://review.openstack.org/#/c/95827/ for the first one19:24
dstaneki have a few other ones queued up that i have almost working.19:24
dstaneki know we can release like this, but is this acceptable while Py3 doesn't work anyway?19:25
dolphmdstanek: the py3 requirements files aren't managed by global requirements at all, right?19:31
morganfainbergbknudson, https://review.openstack.org/#/c/92499/4/keystoneclient/middleware/auth_token.py really? we did all that work multiple times. hehe19:31
morganfainbergbknudson, good fix.19:31
*** jdennis has quit IRC19:33
dolphmdstanek: i think that's a good way to document the gap we have to cover to support py319:33
bknudsonmorganfainberg: you asked for that change19:33
morganfainbergbknudson, oh right *derp*19:33
dstanekdolphm: i don't think so19:33
morganfainbergbknudson, i've been juggling a bunch of stuff getting moved to new job :)19:34
morganfainbergbknudson, +2/+A now.... https://review.openstack.org/#/c/80398/ on to this one.19:34
bknudsonmorganfainberg: I think if I was switching jobs I'd be juggling less (or just stop juggling)19:35
morganfainbergbknudson, i was writing code / transferring knowledge up to about 1h before turning in keys.19:36
morganfainbergbknudson, then i checked out completely for the 3 day weekend19:36
dolphmmorganfainberg: p.s. i also +2/+A'd a change to unbreak git-review on keystone-specs this morning after the repo name change (without a second +2) https://review.openstack.org/#/c/95298/19:36
morganfainbergdolphm, good call19:36
morganfainbergi don't think i even looked at email this weekend.19:37
bknudsonmorganfainberg: you've started with hp then?19:38
morganfainbergbknudson, today is 1st day19:38
morganfainbergbknudson, :)19:39
bknudsonmorganfainberg: do they have an orientation get-together?19:39
morganfainbergbknudson, i'm remote, so the get together would be on IRC :P19:39
*** leseb has quit IRC19:39
bknudsonwhen I joined IBM we had an orientation week in Chicago19:40
morganfainbergyeah, no such thing (that I'm aware of so far)19:40
raildomorganfainberg: When we discuss about inherited roles in hierarchical projects?19:43
lbragstadjamielennox: around for a few questions on the validator stuff?19:43
morganfainbergraildo, you mean how the roles inherit?19:44
ayoungmorganfainberg, yes, auth_token now does pkiz.  If we have released an new client, that is19:44
morganfainbergayoung, right.19:45
jamielennoxlbragstad: sure - i haven't looked at it for a while19:45
*** andreaf has joined #openstack-keystone19:46
*** zhiyan_ is now known as zhiyan19:46
lbragstadjamielennox: ok, no worries. I was looking at your refactor to schema objects today and was trying to remember what the motive for that was again... I am going to write up a spec for the json schema stuff19:46
dstaneklbragstad: jamielennox: there's no official declarative layer around jsonschema yet is there?19:47
jamielennoxlbragstad: essentially i would like to stop passing dictionaries around and put some of the intelligence of parsing requests into an object of that request19:47
raildomorganfainberg: According to what I discussed with vish, the idea would be to use a flag to determine whether a role is inherited. To list the roles of a project, you must list all roles inherited from their hierarchy, addition to the roles associated with this project.19:48
jamielennoxdstanek: official like OS wide? there's nothing i know of19:48
morganfainbergraildo, i think the way we would do it is the same as we already have it. not a "role" flag, but a flag when assigning the role19:48
morganfainbergraildo, we already support that concept with the OS-INHERIT extension19:48
dstanekjamielennox: or from the jsonschema project19:49
raildoyeah, of course19:49
morganfainbergraildo, in short, the data lives in the assignment (user A is role X on project Y, inheritable) vs role X is inherited for everyone19:49
raildomorganfainberg: what is missing is the part of list roles according to this hierarchy19:50
jamielennoxdstanek: not like that i don't think - they seem mostly concerned with just parsing python primatives19:50
morganfainbergraildo, ahh oh i see.19:50
lbragstadjamielennox: so the request is the object, and the schema to validate is an instance of the request object... right?19:50
morganfainbergraildo, we need to support it under the heirarchy and not just from domain (optionally)19:51
raildomorganfainberg: +119:51
morganfainbergraildo, i think this is something we could justify moving outside of an extension. which, i think, would solve the issue once the project hierarchy code is in place19:51
*** jaosorior has quit IRC19:51
jamielennoxlbragstad: not following the distinction, from memory the way i did it was just to have it as an attribute on the object19:52
lbragstadso ProjectCreate would inherit from models.Request https://review.openstack.org/#/c/92031/1/keystone/assignment/schema.py19:52
morganfainbergayoung, henrynash, any reason we wouldn't want to make OS-INHERIT non-extension at this point? it seems like a useful feature to have in all cases. - and since it's optional... it wouldn't affect anything directly unless used.19:53
*** ajayaa has quit IRC19:53
raildomorganfainberg: you speak to incorporate inherited roles at Keystone and not an extension, I get it correct?19:53
morganfainbergraildo, correct.19:53
ayoungmorganfainberg, because that would be a pain in the fourth point of contact to implement19:53
raildomorganfainberg: sounds good to me19:53
lbragstadand so the self.schema of ProjectCreate would hold the schema19:53
ayounglets just say it is a "required extension"19:53
*** dims has quit IRC19:54
morganfainbergayoung, sure, final implementation detail, but default to on i think is my main point.19:54
morganfainbergand required if you want the heirarchy stuff to work19:54
ayoungmorganfainberg, required.  Period19:54
morganfainbergayoung, sure.19:55
*** zhiyan is now known as zhiyan_19:55
*** gyee has quit IRC19:57
raildoayoung: morganfainberg One question, if I took a -1 on a patch, but I think that -1 was invalid, what should I do?19:57
*** leseb has joined #openstack-keystone19:58
ayoungnkinder, raildo appeal to core and we can ignore it19:58
ayoungwhich one?19:58
morganfainbergraildo, you typically respond to the comments (inline or on the review) and / or talk in IRC about it.19:58
morganfainbergraildo, also, what ayoung said.19:58
raildohttps://review.openstack.org/#/c/84136/19:58
morganfainbergraildo, thought it was that one.19:59
raildoI justified it in the comment.19:59
ayoungraildo, make a trivial change, resubmit, and the -1 gets dropped.  Then lbragstad appeals to me to -2 it so you have to address his comment.  Nad the whole thing breaks down into anarchy19:59
ayoungthen dolphm declares martial law19:59
*** sbfox1 has quit IRC19:59
morganfainbergdolphm, LOL19:59
raildohahahaha20:00
ayoungraildo, I'd agree with lbragstad on that one, though20:00
morganfainbergdolphm, stevemar, damn twitter convo.20:00
* dolphm unable to comply, anarchy in progress20:00
ayoungactually, I'd probably go on to a rant20:00
* ayoung takes a deep breath20:00
ayoungok, raildo here is why that is wrong20:00
ayoungKeystone really is two things20:00
ayoungone is an identity provider20:01
* morganfainberg steps back away letting the rant wind up.20:01
ayoungtwo is an assignment layer20:01
* dolphm logs off20:01
morganfainbergdolphm, not so fast! :P20:01
ayounggoing from "user has a role in a project" to "this is that users data" is tricky20:01
jamielennoxlbragstad: i did it that way because it was  a relatively easy refactor - if you have something else in mind i'm ok20:01
stevemarmorganfainberg, gotta get the best price on household goods20:02
ayoungraildo, we are splitting the Identity provider out of the assignement server20:02
ayoungpeople are going to want both, but I would rather never deal with the SQL based identity provider if I don't have to20:02
jamielennoxlbragstad: i figured it was more important to make something that had the general pattern now and we could figure out interesting ways of storing the schema later20:02
ayoungraildo, in my world, people are stored in LDAP20:02
morganfainbergstevemar, now i'm sorry this i caused this conversation bleed over to IRC.20:02
morganfainbergstevemar, :P20:03
stevemarmorganfainberg, as dolphm said, #openstack, better?20:03
*** hrybacki has joined #openstack-keystone20:03
stevemarhehe20:03
morganfainbergstevemar, thats what made me laugh and bring it here.20:03
ayoungso...making more streamlined calls to say "give me all of the data about all users for this project" is not really a supportable approach, even more so in a federated world.20:03
raildoayoung: so I'll abandon this change.20:05
*** morazi has joined #openstack-keystone20:05
ayoungraildo, the important question is "what are you trying to do?"20:05
morganfainbergdolphm, so for moving over all the API specs to the new spec repo, is that something we need to convert the data from and move over or just "going forward"... or?20:05
morganfainbergand how does that get structured.20:05
rodrigodsraildo, ayoung I think that get all users that have a role in a project is a really common use case20:06
ayoungrodrigods, in order to do what?20:07
*** marcoemorais has quit IRC20:07
*** sbfox has joined #openstack-keystone20:07
rodrigodsayoung, list them in horizon?20:07
*** marcoemorais has joined #openstack-keystone20:07
ayoungrodrigods, In a federated world, that will be impossible20:07
morganfainbergrodrigods, besides listing them in horizon, what is the usecase?20:07
raildoayoung: I believe the same way that it is possible to list the user_id by project via role assingment, it should be possible to list the others informations from this user.20:07
ayoungraildo, nope.  No in Federation20:08
morganfainbergrodrigods, listing them is not really a "use case", but what is the end goal?20:08
raildoI did not know it was impossible in federation.20:08
rodrigodsmorganfainberg, change their information?20:09
morganfainbergrodrigods, but federated users keystone can't change the user info20:10
rodrigodsayoung, hmm didn't know federation issue too20:10
morganfainbergrodrigods, raildo, think of it how Facebook connect works on the web, you can log into any number of websites for it, but is it really reasonable to ask facebook for all it's users that could log into the website?20:11
rodrigodsmorganfainberg, true...20:11
morganfainbergrodrigods, raildo, and how would that scale if you had to ask that question a whole number of times (billions of users)20:12
rodrigodsmorganfainberg, pagination20:12
morganfainberglikely you'd say if a user matched these attributes (maybe email address ends with @yahoo-inc.com), they are in a group, adn that group can do X20:12
morganfainbergrodrigods, you want to paginate 1+billion users? [extreme case, i knopw most IDPs wont have that many] even at 10,000 at 100 per page, you're talking 100+ pages and sourcing that data would take a very long time20:13
morganfainbergrodrigods, especially if you had to ask for that list even a few times a minute20:14
raildomorganfainberg: I did not have this knowledge when I was proposing this idea, taking federation, I thought a good idea.20:14
raildothanks for the clarification20:14
morganfainbergraildo, it's not a bad idea at all. it just doesn't fit with the questions we can ask of federated users.20:15
*** radez is now known as radez_g0n320:15
rodrigodsmorganfainberg, hmm yeah, in this extreme scenario, things can get messy20:15
morganfainbergrodrigods, and now assume you can't even ask the IDP some of these questions, because they don't expose that information.20:16
lbragstadjamielennox: I was just talking to bknudson and he brought up a good point.20:16
lbragstadhow do we go about enforcing limits specific to the backend...20:16
rodrigodsmorganfainberg, and what about other calls, like GET /v3/users? Doesn't it fall in the same issue?20:17
jamielennoxlbragstad: limits like ?marker etc?20:17
morganfainbergrodrigods, correct and federated users don't appear there. and in some environments that call causes major issues and should never be used.20:18
lbragstadjamielennox: example the sql backend allows for 255 character user names but the LDAP backend doesn't have limit20:18
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Remove left over vim headers  https://review.openstack.org/9589620:19
jamielennoxlbragstad: i guess that's something that we don't try and enforce at the jsonschema level at all20:19
ayoungrodrigods, the most you should expect to have in a Federated environment is the list of Groups that have roles assigned to the project20:19
ayoungyou might have some users with direct role assignments, but we are anticipating that will be the less common approach20:20
ayoungnkinder, back to Horizon:20:20
jamielennoxlbragstad: the jsonschema should enforce things defined by identity-api, backend specific things like that will have to be defined by the backend as they are now20:20
ayoungnkinder, I was looking at the code for Kerberos20:20
ayoungspecifically: what do we need to do to Horizon to support Kerberos20:20
morganfainberglbragstad, hopefully we are limiting things sanely to a specification not letting anything through.20:20
ayoungI think I need Jose's Kerberos patch first20:20
lbragstadjamielennox: yep, that makes sense20:20
morganfainberglbragstad, jamielennox, and if we don't specify the length of values... (or expected ranges) we probably should.20:21
morganfainbergcould get dicey otherwise20:21
ayounghttps://review.openstack.org/#/c/74974/20:21
rodrigodsayoung, morganfainberg makes sense =)20:21
jamielennoxmorganfainberg: again that would be a question for identity-api20:21
*** boris-42 has quit IRC20:21
ayoungand...if we used Kerberos/S4U2 you would not need unscoped tokens20:21
lbragstadmorganfainberg: in one of the first patches I pushed i was doing that on UUIDs and such...20:21
morganfainbergjamielennox, well keystone-specs now ;)20:21
*** boris-42 has joined #openstack-keystone20:21
morganfainberglbragstad, user_id max is 64 according to schema, (all ids iirc)20:21
ayounginstead, you would use the Service ticket as the unscoped token...assuming that you could make Keystone calls without a token20:22
ayoungsomething we have discussed numerous times:  gyee and I would like it to be possible:20:22
jamielennoxmorganfainberg: actually i guess jsonschema can enforce implementation specific things, so long as they're global across backends20:22
morganfainberglbragstad, since we need to support non-uuid ldap type stuff, you'd need to say string len(x) for example20:22
morganfainbergjamielennox, ++20:22
ayoungnkinder, in fact, requiring any token for talking to Keystone is kindof dumb20:23
jamielennoxmorganfainberg: i'm hoping that between keystone-specs and identity-api reviews a person can actually get something implemented in a cycle20:23
ayoungand it only exists becasue Horizon uses the token as a session20:23
morganfainbergjamielennox, we should be merging the two repos20:23
morganfainbergjamielennox, everything should be keystone-specs20:23
jamielennox..? that wasn't my understanding20:23
morganfainbergjamielennox, was part of the meeting earlier, docs folks specifically asked us to merge it, notably because i think we're the only project using it as a spec.20:24
morganfainbergjamielennox, and it's not published anywhere anyway20:24
lbragstadmorganfainberg: currently I'm just basing things of the identity api specs for the different keystone resources...20:24
lbragstadit could be tighted down though I'm sure..20:24
morganfainberglbragstad, that makes sense, just keep in mind the different backends20:25
lbragstadyep20:25
morganfainberglbragstad, there may actually be a mis-match in some cases (which we should identify and fix one side or the other depending on the mismatch)20:25
*** afazekas has joined #openstack-keystone20:25
nkinderayoung: yes, you could simply get scoped tokens using the service ticket with Kerberos.20:26
morganfainbergayoung, jamielennox, nkinder  https://review.openstack.org/#/c/80398 would be good to get that in before the next ksc release20:26
nkinderayoung: there's really no need for the unscoped token in that situation20:26
morganfainbergayoung, jamielennox, nkinder, i think if we got that in it would make for a solid ksc release (compression + hash config)20:26
*** dims has joined #openstack-keystone20:26
ayoungnkinder, right and if we solved that X509 thing I was kicking around on the internal mailing list, we could in theory say that this is the pivot point for delegation of trust from the user to Horizon....20:27
ayoungmorganfainberg, now bknudson is trying for my record of most revisions on a patch?20:27
morganfainbergayoung, nah, he wont even come close to stevemar's :P20:28
ayoungI beat stevemar pretty sure....20:28
lbragstadmorganfainberg: mismatch between what the different backends allow?20:28
morganfainbergayoung, stevemar was > 60, so 33 is nothing :P20:28
morganfainberglbragstad, what the spec says and what the backends allow20:28
lbragstadahh, right20:28
ayoungmorganfainberg, I +2Aed that before...willing to do so again now20:29
morganfainbergayoung, it looks solid, nothing bad (fair certain i've reviewed it 3 or 4 times now)20:29
stevemarmorganfainberg, ayoung's revocation stuff beat mine by a good bit20:29
stevemari no longer hold the record, woo20:30
ayoungmorganfainberg, I've readded my +2.  Feel free to pull the trigger at your leisure.20:30
morganfainbergayoung, doing a final once over. doesn't look wrong but just... you know :P client breakage = bad so want to be sure :)20:31
ayoungmorganfainberg, the positive thrad for tokens  gets the wringer in tempest20:32
ayoungthread20:32
morganfainbergright20:32
schofieldI'm getting a stack trace running "keystone-all" on a manually installed keystone (icehouse/stable on Ubuntu 12.04). Stack trace and my config files are at https://gist.github.com/johnmarkschofield/4ad1fa81d798eca651a1 . Possibly a config error, possibly *anything* as it's a manual-install from source as a learning exercise.20:32
schofieldI'm looking for either a solution or debugging suggestions.20:33
jamielennoxmorganfainberg: looking20:33
ayoungschofield, do you want the templated backend for catalog?20:33
morganfainbergjamielennox, +2'd if you don't see any issues +2/+A (or let us know so we can get it fixed re-reviewed)20:34
ayoungjamielennox, how comfortable do you feel with jose's Kerberos client patch?20:34
morganfainbergschofield, i'm guessing it's not finding the template file20:35
jamielennoxmorganfainberg: i've +2ed in the past so it should be ok20:36
schofieldayoung: I honestly don't know. I copied keystone-paste.ini from source. I'm attempting to follow http://docs.openstack.org/trunk/install-guide/install/apt/content/index.html as a learning exercise, but I'm still waaaay ignorant about keystone.20:36
morganfainbergschofield, you might try using a fully-qualified path for the template file itself.20:36
morganfainbergschofield, vs ./etc/...20:36
morganfainbergschofield in the config20:36
morganfainbergjamielennox, ack20:36
schofield@morganfainberg: Thanks for the help! Will dig into that.20:36
morganfainbergjamielennox, so want me to +A or you? [don't care either way]20:36
jamielennoxayoung: i remember it being ok, we were waiting for a server side thing20:37
jamielennoxmorganfainberg: i've got a couple of calls to do,i dont see a problem from first look20:37
morganfainbergschofield, also, you have data in your template, correct?20:37
morganfainbergjamielennox, ok i feel comfortable with a +A then. will push go.20:38
schofield@morganfainberg: I will shortly. ;-) This is me figuring out how the parts fit together from a position of complete ignorance.20:38
morganfainbergschofield, having an empty template might also be causing that error20:38
morganfainbergschofield, it is not a friendly error to be sure.20:39
schofield@morganfainberg ayoung: Thanks for your help! It was a missing template file. Copied the one from source and changed the path in keystone.conf to be explicit, and I seem to be up and running. (At least, I'm not getting that error anymore.)20:41
morganfainbergschofield, no problem! I highly recommend looking at the SQL based catalog (the template one is very limited). but I know a number of deployments that still use the templated one.20:42
schofield@morganfainberg: This is a toy deployment just for learning. Will explore the SQL-based backend once I get all the parts of this one working.20:43
morganfainbergschofield, sounds good! good luck :)20:43
schofield@morganfainberg: Thanks for your help!20:43
dstanekjamielennox: what is the name property for here https://review.openstack.org/#/c/92031/1/keystone/assignment/schema.py,cm?20:45
jamielennoxdstanek: i think i did it as kind of an example of how i'd like to put request parsing code onto the objects20:46
*** zhiyan_ is now known as zhiyan20:47
jamielennoxat the time the patch was mostly for showing ideas, i don't think i use it anywhere20:47
dstanekjamielennox: how does that dict key actually get set? i didn't see any reason to make that a subclass of dict20:48
jamielennoxdstanek: the point initially is to co-exist between the current works as a dict and future is an object20:49
jamielennoxwhen everyone uses the results correctly we could remove that subclass20:49
jamielennoxresults = request object, correctly = as an objct20:50
*** marcoemorais has quit IRC20:51
*** marcoemorais has joined #openstack-keystone20:51
*** gokrokve_ has quit IRC20:52
openstackgerritDolph Mathews proposed a change to openstack/keystone: indicate that sensitive messages can be disabled  https://review.openstack.org/9487120:53
dstanekjamielennox: i wish this stuff was more like formencode - we used to have the great validate() decorator that accepted a formencode schema (like your patch does) and then output Python values in a new dict named clean_values20:54
dstanekjamielennox: that was if the validator was checking for a date/timestamp the resulting value would be a datetime object20:55
*** zhiyan is now known as zhiyan_20:56
jamielennoxso the validator should do that because if its wrong then it'll fail validation, then i was thinking that you'd do datetime etc on a property or something at object level20:57
*** huats has quit IRC21:01
*** huats has joined #openstack-keystone21:01
*** leseb has quit IRC21:01
dstanekjamielennox: have you ever used formencode?21:02
*** gyee has joined #openstack-keystone21:02
dstanekjamielennox: check this out for some inspiration http://formencode.readthedocs.org/en/latest/Validator.html#using-validation21:02
*** gyee has quit IRC21:07
*** henrynash has quit IRC21:10
dstanekis there anyway for the gerrit emails show if i've voted for a change?21:11
dstanekif i +1 a review and someone else -1s it i want to go back and look; OTOH if i -1 it and get an email because someone else -1s it, i don't need to look21:12
*** dims has quit IRC21:13
dstanekright now i always click the links...21:13
jamielennoxdstanek: i looked for this a while ago and not that i found, however in new gerrit there is a json api, so you can queru that for details in some script21:14
dstanekjamielennox: bummer...maybe i'll just have to do that21:15
*** gyee has joined #openstack-keystone21:18
dstanekbknudson: i'm happy with https://review.openstack.org/#/c/86578 except for the % in the logging statement - every other patchset it gets added back in21:24
bknudsondstanek: I didn't notice it21:27
dstanekbknudson: i'm going to push a fix for it because otherwise i think it's fine21:28
bknudsondstanek: works for me21:28
-openstackstatus- NOTICE: Zuul is offline due to an operational issue; ETA 2200 UTC.21:32
*** ChanServ changes topic to "Zuul is offline due to an operational issue; ETA 2200 UTC."21:32
openstackgerritDavid Stanek proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method  https://review.openstack.org/8657821:35
*** devkulkarni has joined #openstack-keystone21:36
devkulkarniHey there, I am looking for differences between Keystone trusts and Keystone OAuth1 (use cases handled, implementation status, upcoming plans for these features, etc.). I was wondering if someone here could point me to some document(s) discussing this..21:39
*** marcoemorais has quit IRC21:43
*** marcoemorais has joined #openstack-keystone21:44
*** hrybacki has quit IRC21:44
morganfainberggyee, ping re: https://review.openstack.org/#/c/94251 - should we do an if-check to see if user_id != project_id so we don't lookup the domain multiple times?21:44
*** marcoemorais has quit IRC21:45
gyeemorganfainberg, yo21:45
*** marcoemorais has joined #openstack-keystone21:45
morganfainberggyee, i would rather not have to do another round trip to the backend if we don't need to.21:45
*** dims has joined #openstack-keystone21:45
gyeemorganfainberg, but this is for checking the scoped project's domain21:46
morganfainberggyee, right21:46
gyeewhich could be different from the user's domain21:46
morganfainberggyee, so if user_id['domian_id'] != project['domain_id'] assert_domain_is_enabled21:46
morganfainbergelse, we already should have asserted on that21:46
gyeemorganfainberg, oh21:46
gyeeI see your wisdom :)21:46
morganfainbergsaves us a round trip to the backend :)21:47
gyeeyes, performance ftw!21:47
gyeegood point21:47
morganfainbergcool will comment on it as such21:47
gyeelemme patch it up21:47
gyeethanks!21:47
morganfainberggyee commented.21:48
*** zhiyan_ is now known as zhiyan21:48
* morganfainberg is catching up on reviews today.21:48
gyeeyeah man, I am behind on code reviews too21:48
gyeeneed to burn some midnight oil21:48
morganfainberggyee, happens to all of us.21:49
gyeemorganfainberg, actually, a bit of a problem, user_ref is not yet available yet21:56
*** harlowja_ is now known as harlowja_away21:57
gyeethat logic was merely validating the scope info21:57
*** zhiyan is now known as zhiyan_21:57
morganfainberghm. sec21:57
*** harlowja_away is now known as harlowja_21:57
gyeebecause, auth payload is not interpreted until it gets to the auth plugins21:57
morganfainberggyee, hm. we don't have the user_id in self.auth there?21:59
gyeemorganfainberg, no, we don't have the user_id till it comes back from the auth plugins22:00
morganfainbergoh bleh.22:00
morganfainberghm..22:00
gyeeyeah I know, it needs refactoring :)22:00
gyeeayoung's pipeline approach22:01
morganfainbergi guess it is cheaper to do a single domain lookup than get all the way to validating user info just to save a round trip22:01
gyeetoken issurance based on policy22:01
morganfainberghm...22:01
gyeemorganfainberg, yet, at this point, that's probably the quick and dirty way22:02
morganfainberggyee, lets leverage the _lookup_domain code instead thean22:02
morganfainberggyee, maybe22:03
*** shakamunyi has quit IRC22:03
gyeemorganfainberg, lookup_domain is assuming domain_info22:03
gyeeI suppose I could refactoring it22:03
gyeebut we're not gaining much22:03
morganfainberggyee, hm.22:03
morganfainberggyee, meh, this is ugly in either case :(22:04
dstanekdolphm: are we good to start rolling on https://review.openstack.org/#/c/64159/ again?22:04
morganfainberggyee, in that case in the else in _lookup_project you should do the _assert_domain_enabled not in _assert_project_enabled22:06
gyeemorganfainberg, but dogpile may save our asses as domain_ref is highly static22:06
morganfainberggyee, so you don't assert on domain enabled when doing the project_name lookup AND then in the assert project and then on the user too22:06
morganfainberggyee, sure, but lets not be too sloppy if we can avoid it22:06
gyeemorganfainberg, project is enabled if both the project and the project's domain are enabled22:07
gyeeso I have to check both cases22:07
morganfainbergright and in the case (line 161) you're looking up by project name _lookup_domain does the assert for you22:07
morganfainbergso put the domain_ref lookup and assert at line 164 instead of in _assert_project_enabled22:07
morganfainbergin the "else" post project_ref lookup, and add in DomainNotFound in the except clause for 166 (i think)22:08
*** thedodd has quit IRC22:08
morganfainberggyee, does that make sense?22:09
-openstackstatus- NOTICE: Zuul is started and processing changes that were in the queue when it was stopped. Changes uploaded or approved since then will need to be re-approved or rechecked.22:09
*** ChanServ changes topic to "Juno-1 June 12th! New formalized Identity-spec process for Juno-2 and beyond blueprints."22:09
morganfainberglooking at https://review.openstack.org/#/c/94251/1/keystone/auth/controllers.py for the line numbers22:10
gyeemorganfainberg, I hear ya22:10
gyeelemme put up a new patch22:10
gyeeone sec22:10
morganfainberggyee, cool.22:10
*** shakamunyi has joined #openstack-keystone22:10
lbragstadmorganfainberg: how would you classify testing a jsonschema validator in the gate?22:11
morganfainberglbragstad, in the restful tests, would be my guess22:12
morganfainberglbragstad, oh not where...22:12
lbragstadyep,22:12
lbragstadlooking at https://github.com/openstack/keystone-specs/blob/master/specs/template.rst#testing22:13
morganfainberglbragstad, uhm. options?22:13
lbragstadwould we add tempest tests for validating every Keystone resource22:13
lbragstadand combinations ?22:13
gyeemorganfainberg, took 30 seconds to make the change, 30 min to run the tests :(22:13
morganfainbergin theory tempest should test that.22:13
morganfainberggyee, yeah i know :( sorry.22:13
lbragstador would the majority of that be executed with unit tests22:13
lbragstadok22:13
morganfainberglbragstad, that way if something in the validator changes and bounces requests someone doesn't / didn't change the unit test at the same time22:14
lbragstadok22:14
morganfainberglbragstad, but, in theory tempest should already be hitting the interfaces.22:14
morganfainberglbragstad, theory != reality22:14
lbragstadthe way it stands now, the validation is being done in the resource controllers22:15
morganfainberg:P22:15
morganfainbergi'd ask the QA folks if they want tests verifying the validator bounces invalid requests in tempest (i would want it there) but not sure if the volume of added tempest tests are a good idea22:15
morganfainbergwe might just need a fuzz testing suite vs. testing alll variations.22:16
lbragstadmorganfainberg: ok, sounds good... it would be good to have them there but testing all the permutations on all the resources  + extentions might be lengthy22:16
morganfainberglbragstad, exactly22:16
morganfainberggyee, lol i am rapidly brain frying on reviews :P let me see if i can get through another 15 or so today before i start writing specs instead22:18
gyeehaha22:18
morganfainberglbragstad, and that was super easy!22:25
lbragstadmorganfainberg: :)22:25
*** browne has quit IRC22:27
*** stevemar has quit IRC22:29
*** henrynash has joined #openstack-keystone22:30
*** browne has joined #openstack-keystone22:31
openstackgerritLance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint  https://review.openstack.org/9595722:36
*** toddnni has joined #openstack-keystone22:36
morganfainberglbragstad, NICE first real spec proposed!22:37
morganfainbergwooooooo22:37
* lbragstad facepalm whitespace issues22:37
* lbragstad got too excited22:37
*** marcoemorais has quit IRC22:38
morganfainberglbragstad, LOL22:38
*** marcoemorais has joined #openstack-keystone22:38
*** toddnni_ has quit IRC22:38
*** marcoemorais has quit IRC22:38
morganfainberglbragstad, -2 <pout>I wanted to be the first to submit a spec</pout> *snicker*22:38
morganfainberglbragstad, in all seriousness, nice glad to see this process starting22:39
*** marcoemorais has joined #openstack-keystone22:39
* morganfainberg needs some lunch.22:39
lbragstadmorganfainberg: me too... nice template btw... enforces a lot of thought when filling out a blueprint spec22:39
morganfainberglbragstad, give credit to the nova team! most of it came from them22:39
openstackgerritLance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint  https://review.openstack.org/9595722:41
openstackgerritMatt Fischer proposed a change to openstack/python-keystoneclient: Add support for extensions-list  https://review.openstack.org/9297822:45
*** zhiyan_ is now known as zhiyan22:48
*** gordc has quit IRC22:52
*** dstanek is now known as dstanek_zzz22:52
*** jdennis has joined #openstack-keystone22:56
*** zhiyan is now known as zhiyan_22:58
*** nkinder has quit IRC22:58
*** andreaf has quit IRC22:59
*** nkinder has joined #openstack-keystone23:00
*** henrynash has quit IRC23:11
openstackgerritDirk Mueller proposed a change to openstack/keystone: Sync systemd with oslo-incubator 17c4e21e31  https://review.openstack.org/9596323:16
*** hrybacki has joined #openstack-keystone23:17
*** devkulkarni has quit IRC23:20
*** david-lyle has quit IRC23:25
*** nkinder has quit IRC23:28
*** hrybacki has quit IRC23:30
*** davlaps has quit IRC23:33
*** dstanek_zzz is now known as dstanek23:33
*** browne has quit IRC23:34
*** gokrokve has joined #openstack-keystone23:41
*** dstanek is now known as dstanek_zzz23:43
*** marcoemorais has quit IRC23:53
*** henrynash has joined #openstack-keystone23:54
gabriel-bezerraHi, may you guys that work with fedora tell me what the names of the default sites of apache are?23:58
*** henrynash has quit IRC23:59
gabriel-bezerraon Ubuntu 14.04 there are 000-default.conf and default-ssl.conf23:59
gabriel-bezerraon Ubuntu 12.04, default and default-ssl23:59
gabriel-bezerrawhat about Fedora?23:59
« Monday, 2014-05-26 Index Wednesday, 2014-05-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!