Friday, 2014-05-30

« Thursday, 2014-05-29 Index Saturday, 2014-05-31 »
*** dstanek is now known as dstanek_zzz00:01
*** gyee has quit IRC00:01
*** dgbaley has joined #openstack-keystone00:07
dgbaleyHey. I'm trying to use the /v3 REST API to create endpoints. It looks like they're created individually, but is there a way to get the legacy_endpoint_id as in /v2.0? Does it matter?00:08
*** sbfox has quit IRC00:08
*** zhiyan_ is now known as zhiyan00:20
*** leseb has joined #openstack-keystone00:27
*** bknudson has joined #openstack-keystone00:29
*** zhiyan is now known as zhiyan_00:29
*** leseb has quit IRC00:32
ayounggabriel-bezerra, sorry to have been ignoring you, but I've been working on Horizon/Kerberos integration, and it seems to be going swimingly....00:34
ayounggabriel-bezerra, and what you are doing with HTTP is going to be a key part of that strategy00:34
*** dstanek_zzz is now known as dstanek00:41
*** ozialien has quit IRC00:42
*** zhiyan_ is now known as zhiyan00:50
*** rodrigods has joined #openstack-keystone00:54
dstanekblah...before my vacation i was hoping to bring the open bug count to 225; i failed00:56
*** zhiyan is now known as zhiyan_00:59
*** praneshp has quit IRC01:00
*** lbragstad has joined #openstack-keystone01:01
*** devlaps has quit IRC01:05
*** rodrigods has quit IRC01:06
*** zhiyan_ is now known as zhiyan01:09
*** ncoghlan has joined #openstack-keystone01:11
*** xianghui has joined #openstack-keystone01:12
*** sbfox has joined #openstack-keystone01:13
morganfainbergdstanek, solution: delay the vacation!01:16
morganfainbergdstanek, >.>01:16
morganfainbergdstanek, *is not serious, vacations are awesome. someday I might even go on one01:17
*** browne has quit IRC01:18
*** ncoghlan is now known as ncoghlan_afk01:23
*** leseb has joined #openstack-keystone01:28
*** sbfox has quit IRC01:29
*** diegows has quit IRC01:30
ayoungmorganfainberg, I'm a Kerberizing fool!01:31
*** dstanek is now known as dstanek_zzz01:31
ayounghttp://adam.younglogic.com/2014/05/keystoneclient-s4u2proxy/01:31
ayoungNow all we need is the patch that lets us Get TGTs of HTTPS and we'll be in Business.01:32
*** leseb has quit IRC01:33
*** marcoemorais has quit IRC01:33
*** bobt has quit IRC01:33
morganfainbergayoung, tomorrow i'm actually sitting down and seeing how close i can get freeipa to do what i want on ubuntu (it appears to be all packaged and working in 14.04...ish)01:34
morganfainbergayoung, and starting to get the devstack changes rolled up for it to happen.01:34
morganfainbergayoung, :)01:34
ayoungScore.01:35
ayoungmorganfainberg, shout if you need a hand01:35
morganfainbergayoung, you know i will01:35
morganfainbergayoung, i think i have a solid story (mulling it over on how i want to present it) for moving delegation to a base level assignment request - so - non-impersonation-trusts but with the added benefit of limiting roles for evne your access.01:38
*** xianghui has quit IRC01:38
morganfainbergayoung, bah, didn't describe it well there01:38
morganfainbergayoung, stupid lack of coffee :)01:39
ayoungNo I get it01:39
ayoung"here is my profile for creating a token when I want to create a VM"01:39
morganfainbergayoung, yep.01:39
morganfainbergayoung, there ya go01:39
ayoungmorganfainberg, the key to the whole thing isgoing to be the audit work01:39
ayoung1.  move audit so that it is triggered from policy01:39
morganfainbergayoung, yep. which is why i'm still mulling over the details on how to get from here to there.01:40
ayoung2.  use that to determine what actually gets executed when you performa a workflow01:40
ayoungOK...here are some of them01:40
ayoungmorganfainberg, lets assume we start with the split of middleware from client01:40
morganfainbergbut i figured you'd be interested.01:40
morganfainbergayoung, that i assumed as much01:40
ayoungwe move gordon's middleware for audit into keystonemiddleware01:40
ayoungthat is two middleware components01:41
ayoungthen, clean up auth token such that it does not enforce the 403 if no token, but lets a policy do its job01:41
ayoungmove the current keystone policy enforcement into keystonemiddleware:  fully ack that it is not middleware01:42
ayoungbut it is server side code01:42
morganfainbergayoung, huge ++ on that cleanup (403)01:42
ayoungand let the other projects use our decorators, flatten code, etc, to standardize policy enforcement01:42
ayoungthen, with audit on, we gather data:  here is what you need to delegate in order to perform standard workloads01:43
ayoungendpoint binding + specific delegation and short lived tokens....and we are that much more secure01:43
ayoungI might have skippe a step there near the end01:43
morganfainbergayoung, ++01:44
morganfainbergayoung, need to poke nkinder about the session token spec - i'd like to get the spec for it up for review so we can start moving the peices into place (yes i know horizon needs to be involved too)01:45
ayoungHeh,  that is my job.  Session token is my baby, he wants just the unscoped to scoped only...but he can't ha that without sessions01:46
morganfainbergayoung, ah wasn't sure who was going to do the specing on those01:47
morganfainbergayoung, do you see pure unscoped as a separate spec?01:47
morganfainbergayoung, with session being dependant, or just pure unscope as a work item01:48
ayoungI see session encompassing both01:48
morganfainbergayoung, cool01:48
morganfainbergdoes 'recheck no bug' no longer work?01:51
ayoungnope01:53
ayoungyou need a bug01:53
ayoungChoose Bug 101:53
morganfainbergnah it works01:53
morganfainbergreverify no bug doesn't work01:53
morganfainbergayoung, https://review.openstack.org/#/c/91145/01:54
ayounghttps://bugs.launchpad.net/ubuntu/+bug/101:54
morganfainbergjust can;t have other cruft in the comment01:54
uvirtbotayoung: Error: Could not parse data returned by Launchpad: HTTP Error 503: Service Unavailable01:54
morganfainberg*snerk*01:54
*** xianghui has joined #openstack-keystone01:55
ayoungRecheck Bug 101:55
morganfainbergwe now have configurable hashes and compressed token support in cms (though i don't think we can make the compressed provider default until everyone has gone to minimum of 0.9.0 of ksc01:55
ayoung++01:55
ayounglets just make it possible in Juno, and default in Kilo01:56
morganfainbergthats fine.01:56
morganfainbergstill need 100% support for apache services gate01:56
morganfainbergok i need to bail. OS meetup.01:57
morganfainbergtime to go be social or something01:58
morganfainberg:)01:58
morganfainbergbe back in a while.01:58
morganfainbergoh quick review: https://review.openstack.org/#/c/96647/01:58
*** lbragstad has quit IRC02:08
*** xianghui has quit IRC02:12
*** ozialien has joined #openstack-keystone02:12
*** ncoghlan_afk is now known as ncoghlan02:13
ayoungmorganfainberg, https://review.openstack.org/#/c/96648/02:16
*** sbfox has joined #openstack-keystone02:18
*** dstanek_zzz is now known as dstanek02:22
*** sbfox has quit IRC02:24
*** xianghui has joined #openstack-keystone02:26
*** dims has quit IRC02:28
*** leseb has joined #openstack-keystone02:29
*** dstanek is now known as dstanek_zzz02:32
*** leseb has quit IRC02:33
*** dstanek_zzz is now known as dstanek02:34
*** harlowja_ is now known as harlowja_away02:41
*** dstanek is now known as dstanek_zzz02:44
*** browne has joined #openstack-keystone02:53
*** marcoemorais has joined #openstack-keystone02:54
*** shakayumi has quit IRC02:58
*** marcoemorais has quit IRC02:58
*** mberlin has joined #openstack-keystone02:58
*** mberlin1 has quit IRC02:59
*** marcoemorais1 has joined #openstack-keystone03:00
*** ncoghlan is now known as ncoghlan_afk03:00
*** ozialien has quit IRC03:10
*** xianghui has quit IRC03:12
nkindermorganfainberg: writing the spec is on my list.  I'll try to get a first draft going tomorrow.03:21
*** bknudson has quit IRC03:23
*** sbfox has joined #openstack-keystone03:27
*** sbfox has quit IRC03:28
*** xianghui has joined #openstack-keystone03:29
*** dstanek_zzz is now known as dstanek03:35
*** dstanek is now known as dstanek_zzz03:45
*** hrybacki has joined #openstack-keystone03:46
*** hrybacki has quit IRC03:57
*** leseb has joined #openstack-keystone04:30
*** leseb has quit IRC04:35
*** dstanek_zzz is now known as dstanek04:36
*** dstanek is now known as dstanek_zzz04:46
*** afazekas has quit IRC04:55
*** zhiyan is now known as zhiyan_05:13
*** ajayaa has joined #openstack-keystone05:28
*** ncoghlan_afk is now known as ncoghlan05:29
*** leseb has joined #openstack-keystone05:31
*** leseb has quit IRC05:35
*** zhiyan_ is now known as zhiyan05:35
*** dstanek_zzz is now known as dstanek05:36
morganfainbergnkinder, ack. awesome!05:41
morganfainbergayoung, ++ will review tomorrow05:43
*** dstanek is now known as dstanek_zzz05:46
*** zhiyan is now known as zhiyan_05:47
*** xianghui has quit IRC05:48
*** afazekas has joined #openstack-keystone05:57
*** xianghui has joined #openstack-keystone06:02
*** zhiyan_ is now known as zhiyan06:03
*** xianghui has quit IRC06:09
morganfainbergayoung, nkinder, either of you around?06:11
morganfainbergayoung, nkinder, will bug you tomorrow early.06:12
morganfainberg(early for me)06:12
*** tomoiaga has joined #openstack-keystone06:16
*** zhiyan is now known as zhiyan_06:19
*** zhiyan_ is now known as zhiyan06:20
*** xianghui has joined #openstack-keystone06:23
*** praneshp has joined #openstack-keystone06:26
*** leseb has joined #openstack-keystone06:32
*** stevemar has quit IRC06:35
*** leseb has quit IRC06:37
*** dstanek_zzz is now known as dstanek06:37
*** browne has quit IRC06:37
*** dstanek is now known as dstanek_zzz06:47
*** xianghui has quit IRC06:56
*** xianghui has joined #openstack-keystone07:05
*** zhiyan is now known as zhiyan_07:06
*** ncoghlan has quit IRC07:07
*** zhiyan_ is now known as zhiyan07:17
*** Camisa has joined #openstack-keystone07:30
*** Camisa has joined #openstack-keystone07:30
*** dstanek_zzz is now known as dstanek07:38
*** leseb has joined #openstack-keystone07:47
*** dstanek is now known as dstanek_zzz07:48
*** dstanek_zzz is now known as dstanek07:54
*** esmute has quit IRC07:55
*** jimbaker has quit IRC07:56
*** esmute has joined #openstack-keystone08:03
*** dstanek is now known as dstanek_zzz08:04
*** bvandenh has joined #openstack-keystone08:19
*** zhiyan is now known as zhiyan_08:25
*** leseb has quit IRC08:37
*** leseb has joined #openstack-keystone08:37
*** leseb has quit IRC08:42
*** marekd|away is now known as marekd08:43
*** zhiyan_ is now known as zhiyan08:47
*** leseb has joined #openstack-keystone08:48
*** zhiyan is now known as zhiyan_08:49
*** dstanek_zzz is now known as dstanek08:55
*** marcoemorais1 has quit IRC08:56
*** dstanek is now known as dstanek_zzz09:05
*** xianghui has quit IRC09:22
marekdmhu: around?09:25
mhumarekd: hi !09:29
marekdhi, thanks for the e-mail on the -dev list!09:29
marekdI am looking at the patch now.09:29
marekdCan you explain, why would you like to authenicate user present in Keystone backed via protocols like openid?09:31
marekdbecause i think that's the purpose of your patch?09:31
mhumarekd, the user isn't present in keystone, that's the aim of the patch09:34
mhuto use what you've done with saml but more generically09:34
mhuI want to mix what can be done with federation mapping, with the external auth process09:34
marekdah, ok09:36
marekdmhu: and where is class Mapping used?09:37
*** xianghui has joined #openstack-keystone09:38
mhumarekd, I am thinking of using the federation protocol auth endpoint. I've documented a setup example for OpenID on this etherpad: https://etherpad.openstack.org/p/external-auth-federation-mapping09:38
*** jaosorior has joined #openstack-keystone09:39
*** leseb has quit IRC09:44
*** leseb has joined #openstack-keystone09:44
marekdhm, i don't think the logic is correct...09:48
*** leseb has quit IRC09:49
*** zhiyan_ is now known as zhiyan09:49
marekdmhu: first of all, in your example rule from the bp you will assign this group to *every* user who authenticates himself. This means for instance every CERN user from our 40k users ldap.09:50
mhumarekd, how so ?09:50
mhumarekd, yes, this has limitations inherent to the fact that you only get the remote_user env variable to make your mappings09:52
mhuso mappings can't be really granular09:52
marekdmhu: you are also discarding openid assertion and creating your own, which prevents me to create more restrictive rules..09:53
marekdso again it's either I give access to all my CERN users or none of them...and I might want to give access to IT dep employees...09:53
mhuI was envisioning a simple use case, like giving a trial access for users on a public cloud, thus mapping to a restricted group09:53
marekdmhu: I think you may make it work eventually.09:54
marekddo you mind if I leave my comments on the patch?09:54
mhumarekd, please do ! help is welcome :)09:55
*** dstanek_zzz is now known as dstanek09:55
marekdok :-)09:57
mhumarekd, while we're at it, I was wondering about supporting multiple idps for federation09:58
marekduhm?09:58
mhuit is implied apache has to be reconfigured each time you add a protocol for a different idp ?09:58
mhuis it even possible with mod_shib ?09:58
marekdshib is saml2 only09:59
*** zhiyan is now known as zhiyan_09:59
marekdso i'd say: if you want to add new proto, you will rather add new apache module and yes, reconfigure apache + add proto to keystone09:59
mhuyes, I meant protocol as the association idp + mapping in keystone09:59
*** leseb has joined #openstack-keystone10:00
mhusorry for the confusion on my part :)10:00
marekdif you add new idp, then you add it via Keystone API and you also might need to add idp to shib oconfig, reloading apache too...10:00
mhuI need to look more into shib about this10:02
*** praneshp has quit IRC10:03
mhubut yeah, you'll definitely have to reload apache and add the LocationMatch directive that is needed10:03
*** dstanek is now known as dstanek_zzz10:05
*** hxgqh1987 has joined #openstack-keystone10:07
*** hxgqh1987 has quit IRC10:07
marekdmhu: for sure you can add multiple idps to shib10:09
marekdwell, according to the specs :P10:09
mhumarekd, I'll believe it when I see it working :D10:09
marekdmhu: true.10:09
mhuanyway I am more "worried" about the apache config part that needs to be reloaded whenever you add an idp10:10
*** leseb has quit IRC10:11
marekdwhy?10:11
mhuthere are some use cases where adding a new idp might happen relatively often10:13
marekdlike? I thought federation is rather slow and static process (mainly due to many politics happening behind that)10:14
*** dstanek_zzz is now known as dstanek10:14
mhumarekd, gotta go now, but we'll resume the talk later if you want10:14
marekddrop me an email, hm?10:15
marekdi might be away10:15
marekdjust got to europe and i might crash soon, as I am jetlaging still ;/10:15
*** leseb has joined #openstack-keystone10:17
*** bauzas has joined #openstack-keystone10:27
bauzashi10:27
bauzaspython-keystoneclient-0.9.0 has been released yesterday, but now our gate is failing10:27
bauzashttp://logs.openstack.org/42/96642/1/check/gate-blazar-python27/63f3b4a/10:28
bauzasby reverting to 0.8.0, all is back to normal10:28
bauzasany chance to tell me how to fix this ?10:28
bauzashttps://bugs.launchpad.net/keystone/+bug/132486110:37
uvirtbotLaunchpad bug 1324861 in keystone "Pythonclient middleware auth's cache.set() is not expecting time as argument" [Undecided,New]10:38
*** leseb has quit IRC10:49
*** leseb has joined #openstack-keystone10:49
*** zhiyan_ is now known as zhiyan10:50
*** leseb has quit IRC10:53
*** zhiyan is now known as zhiyan_10:59
*** openstackgerrit has joined #openstack-keystone11:19
*** openstackgerrit has quit IRC11:19
*** openstackgerrit has joined #openstack-keystone11:25
marekdWhat was the proper  ordering of imports? First go stdlib modules (i.e. logging), later thirdparty modules (six), and lastly local modules?11:31
openstackgerritA change was merged to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851711:45
*** leseb has joined #openstack-keystone11:50
*** zhiyan_ is now known as zhiyan11:51
*** leseb has quit IRC11:54
*** leseb has joined #openstack-keystone11:55
*** zhiyan is now known as zhiyan_12:00
*** bvandenh has quit IRC12:03
*** diegows has joined #openstack-keystone12:05
*** leseb has quit IRC12:09
dstanekmarekd: yep, you are correct12:12
*** leseb has joined #openstack-keystone12:13
*** openstackgerrit has quit IRC12:22
*** openstackgerrit has joined #openstack-keystone12:22
*** rodrigods has joined #openstack-keystone12:27
*** rodrigods has joined #openstack-keystone12:27
marekddstanek: thanks...12:29
openstackgerritSteven Hardy proposed a change to openstack/python-keystoneclient: Enable forcing re-authentication for trust-scoped clients  https://review.openstack.org/9629812:31
*** rodrigods has quit IRC12:32
*** lbragstad has joined #openstack-keystone12:34
htrutastevemar, thowe (away): sorry, I didn't understand your comment "Potentially, identity_client here" on the patch (https://review.openstack.org/#/c/91634/12/openstackclient/identity/v3/role_assignment.py)12:34
marekdjamielennox|away:  do you want to take a look at: https://review.openstack.org/#/c/83829/ ?12:42
ayoungnkinder started it here https://review.openstack.org/#/c/96648/12:44
*** zhiyan_ is now known as zhiyan12:51
*** xianghui has quit IRC12:57
jaosoriorbauzas , the FakeMemCached there is in climate/tests/api/utils.py needs to have "time=0" instead of "timeout=None"12:58
jaosoriorI tried doing it in your repo, but it seems that chaning it triggers a bunch of errors in the unit tests. mostly checks where it expected 403 status12:59
bauzasjaosorior: thanks for that, I figured it out 1 hour ago, and provided the patch in our branch13:00
bauzasjaosorior: should be merged soon13:00
*** hrybacki has joined #openstack-keystone13:00
bauzasjaosorior: sorry about the misunderstanding13:00
*** zhiyan is now known as zhiyan_13:03
jaosoriorno prob13:07
*** ayoung_ has joined #openstack-keystone13:23
jaosoriorHey, in the function authenticate_for_token, from Auth, in the module keystone/auth/controllers ; Is there a reason why the whole function is covered by a try: ... except ...? is it really necessary? or could I put the try ... except in the places where it could happen to simplify things?13:23
*** bknudson has joined #openstack-keystone13:23
openstackgerritIlya Pekelny proposed a change to openstack/keystone: oslo.db implementation  https://review.openstack.org/7721013:24
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/9355813:24
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063013:24
*** dgbaley has quit IRC13:24
dstanekjaosorior: it's difficult to do that now because we could break things13:28
jaosoriorKeystone receives http messages asynchronously, right?13:31
openstackgerritVladimir Eremin proposed a change to openstack/keystone: Keystone compact PKI token  https://review.openstack.org/9672513:33
dstanekjaosorior: depends on what you mean by asynchronously and if you are running in apache13:33
*** ayoung has quit IRC13:33
*** ayoung_ is now known as ayoung13:34
jaosoriorSo, it could be processing two queries or commands related to the same trust at the same time? (not using apache)13:34
*** ayoung_ has joined #openstack-keystone13:34
dstanekyeah, i think that would be possible13:34
jaosoriorok, then probably I shouldn't move that try...except13:36
openstackgerritIonut Artarisi proposed a change to openstack/python-keystoneclient: allow a user's primary tenant to be modified  https://review.openstack.org/9676313:37
*** gokrokve has joined #openstack-keystone13:37
*** nkinder has quit IRC13:40
openstackgerritIonut Artarisi proposed a change to openstack/python-keystoneclient: allow a user's primary tenant to be modified  https://review.openstack.org/9676313:48
*** leseb has quit IRC13:52
*** zhiyan_ is now known as zhiyan13:54
*** gordc has joined #openstack-keystone13:57
*** topol has joined #openstack-keystone13:59
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/9355814:00
*** zhiyan is now known as zhiyan_14:03
*** bobt has joined #openstack-keystone14:05
*** sbfox has joined #openstack-keystone14:06
*** stevemar has joined #openstack-keystone14:06
ayoungmorganfainberg, "Composite" doesn't seem like the right name for these tokens:  https://review.openstack.org/#/c/96315/114:07
ayoungwhat are they "Composed" of?14:08
ayoungSeems more like a routing slip...14:08
htrutastevemar: ping14:08
morganfainbergayoung, sure. we can name it something else14:09
stevemarhtruta, pong14:09
morganfainbergayoung, sec. need to discuss something else.14:09
ayoungmorganfainberg, I'm trying to refresh my understanding....14:09
ayoungOK14:09
htrutastevemar, thowe (away): sorry, I didn't understand your comment "Potentially, identity_client here" on the patch (https://review.openstack.org/#/c/91634/12/openstackclient/identity/v3/role_assignment.py)14:09
*** rwsu has joined #openstack-keystone14:12
*** bauzas has left #openstack-keystone14:16
*** shakamunyi has joined #openstack-keystone14:22
*** leseb has joined #openstack-keystone14:23
*** henrynash has joined #openstack-keystone14:25
*** leseb has quit IRC14:28
*** dc_ has joined #openstack-keystone14:28
dc_does anyone have good documentation on making keystone HA?14:29
*** hrybacki has quit IRC14:32
*** sbfox has quit IRC14:32
bknudsongot a minute for an auth_token middleware question?14:34
*** comstud is now known as bearhands14:34
bknudsonwhen we store data in the cache, the data includes the expiration time:14:35
bknudsonhttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n93614:35
bknudsonthe expiration time of the token14:35
*** rodrigods has joined #openstack-keystone14:36
*** rodrigods has joined #openstack-keystone14:36
bknudsonbut then it does _cache_get -- http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n111114:36
bknudsonand it treats the expired time as more like the timeout of the cache14:36
*** openstackgerrit has quit IRC14:36
bknudsonand not that the token is expired14:36
*** openstackgerrit has joined #openstack-keystone14:37
bknudsonI'd expect _cache_get to "raise InvalidUserToken('Token authorization failed')" if the token in the cache was expired.14:38
bknudsonthat make sense?14:38
*** nkinder has joined #openstack-keystone14:39
*** gokrokve has quit IRC14:40
*** dhellmann_ is now known as dhellmann14:40
ayoungbknudson, it makes sense14:44
*** leseb has joined #openstack-keystone14:44
ayoungexpires = confirm_token_not_expired(data)14:44
ayoungwe take no chances that the cache expiration is longer than the expiration of the token14:45
bknudsonwhy store the token expiration time in the cache if it's not used?14:45
jaosoriorperhaps what was thought of is the possibility of the cache's expiration time being lower than the token's14:46
bknudsonif the token expiration time is passed _cache_get just returns that the token isn't cached... it should raise the exception14:46
bknudsonthere's a cache expiration time and there's the token expiration time14:47
bknudson_cache_get doesn't know anything about the cache expiration time.14:47
ayoungbknudson, there might be some duplication here, but we have to check that the token is not expired if it is not in the cache.  We might double check that for cached tokens14:47
ayoungbknudson, implcit14:47
*** rodrigods has quit IRC14:47
ayoungit can't get something out of the cache if the cache has expired14:47
bknudsonThe token is stored like this: cache.set(cache_key, data_to_store, time=self.token_cache_time)14:48
bknudsonso the cache time and the token expiration time are independent14:48
bknudsonwhich makes a bit of sense, we'll want to cache expired tokens rather than check every time14:49
*** thedodd has joined #openstack-keystone14:52
*** zhiyan_ is now known as zhiyan14:55
*** gokrokve has joined #openstack-keystone14:59
*** gokrokve has quit IRC15:02
*** vhoward has left #openstack-keystone15:04
*** zhiyan is now known as zhiyan_15:04
*** leseb has quit IRC15:06
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token _cache_get checks token expired  https://review.openstack.org/9678515:06
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token cached token handling  https://review.openstack.org/9678615:06
*** leseb has joined #openstack-keystone15:07
bknudson^ a couple proposals to change the behavior15:07
*** leseb has quit IRC15:11
*** hrybacki has joined #openstack-keystone15:12
ayoungI hereby dub dolphm 'Keystone 6'15:18
dolphmI hereby dub stevemar 'a door'15:21
dolphmmhu: are you Matthieu Huin?15:23
stevemardolphm, mhu is Matt Huin15:25
*** browne has joined #openstack-keystone15:26
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Fix minor formatting in template  https://review.openstack.org/9664715:26
dolphmstevemar: i assume he's in a euro TZ?15:29
stevemardolphm, y, in paris15:29
stevemarwell, france, not sure where15:29
dolphmstevemar: don't be racist15:30
*** leseb has joined #openstack-keystone15:30
* morganfainberg snickers15:30
stevemardolphm, what do i know, i'm just a door15:30
dolphmstevemar: i'm still wondering wtf that means15:31
dolphmayoung: i also don't know what Keystone 6 means15:31
morganfainbergdolphm, talked w/ adrian_otto last night, Solum and nova docker will want the composite tokens as well.15:31
stevemardolphm, i was trying really hard to remember a simpsons reference, but i butchered it15:31
dstanekdolphm: it means we're run out of good nams15:32
morganfainbergdolphm, i'm guessing Keystone 6 = sealteam 6 type thing15:32
dstanekerrr...names15:32
stevemardolphm, https://bestepisodeever.files.wordpress.com/2013/04/labf04a.jpg15:32
dolphmstevemar: so, 'a sign' would have made more sense?15:32
mhudolphm: yup15:32
ayoungRadio Call Signs.  Commander is the '6'  by convention15:32
morganfainbergayoung, ah.15:32
* dolphm learned something new15:32
morganfainbergayoung, neat!15:32
stevemardolphm, i already admitted that i butchered it15:32
ayoungUsually 1,2,3 are the leaders of the subordinate units, and 4 is the second in command.  5 is the Senior NCO (1st Sgt or CSM)15:34
ayoungSo Keystone PTL is Keystone 615:34
*** tomoiaga has quit IRC15:36
openstackgerritDirk Mueller proposed a change to openstack/python-keystoneclient: Adjust Python 2.6 OSerror-on-EPIPE workaround  https://review.openstack.org/9680515:39
*** hrybacki has quit IRC15:40
morganfainbergayoung, but... in Star Wars "Red 6" was just the sixth member of Red Squadron *duck*15:43
ayoungmorganfainberg, true, they used Red Leader15:43
morganfainbergayoung, >.>15:43
morganfainbergayoung, so what would you call composite tokens...15:43
ayoungmorganfainberg, "multiple tokens"  I think.15:44
ayoungEr...no15:44
dolphmdo backslash line continuations work in rst docs?15:44
morganfainbergdolphm, pretty sure they do15:44
ayoungthese are tokens that represent  permissions merged from multiple sources, right?15:44
morganfainbergayoung, yes15:44
dolphmmorganfainberg: is that a better way to format URLs within 79 chars?15:44
morganfainbergdolphm, probably. if so i'll put a quick >79 char line test into specs repo15:45
ayoungCollaborative Tokens?15:45
ayoungJoint Tokens?15:45
dolphmmorganfainberg: that'd be nice15:46
morganfainbergdolphm, will work on that today.15:46
dolphmTwinsy Tokens15:46
morganfainbergdolphm, ++15:46
nkindermutual tokens?15:47
ayoungWonder Twin Tokens15:47
morganfainbergayoung, hahah was going there next15:47
dolphmclass MutuallyFamilialOftenCollaborativeTokenCompositionProcessorator(object):15:47
*** ozialien has joined #openstack-keystone15:47
ayoungdolphm, wins15:47
nkinderdolphm: is that >79 chars? :)15:48
dolphmthis crap implements itself15:48
dolphmnkinder: dammit15:48
morganfainbergdolphm, can you get the class name > 120 characters so no one can ever use it.15:48
dolphmmorganfainberg: rofl15:48
ayoungOK, so the tokens themselves are nothing special, right?  It is the process by which they are created that is different?15:49
dolphmayoung: yeah15:49
morganfainbergayoung, they will contain some extra information (e.g. composite from token id X, X, X) but otherwise they are a normal token15:49
*** matsuhashi has joined #openstack-keystone15:50
*** fmarco76 has joined #openstack-keystone15:50
morganfainbergor... some kind of information indicating what generated them.15:50
morganfainbergrealizing token_id might be bad... you know... PKI token ids being so long15:50
dolphmi think we need to work on separating token audit information far away from the tokens themselves, otherwise it's going to bloat like crazy15:51
openstackgerritA change was merged to openstack/keystone-specs: Fix minor formatting in template  https://review.openstack.org/9664715:51
morganfainbergdolphm, yes. this is more for revocation abilities15:51
morganfainbergdolphm, if you revoke either of the originating tokens we need to be able to revoke this one15:51
morganfainbergdolphm, or ... will that even work?15:52
ayounglets call them joint tokens.  Its short, and the humor will play along with Keystoners.15:52
* morganfainberg is thinking revocation events.15:52
morganfainbergayoung, that works for me.15:53
*** david-lyle has joined #openstack-keystone15:53
ayoungmorganfainberg, could they be created from a trust instead of multiple tokens?15:53
ayounglike:  these two user get together, form a corporation, and start issuing tokens?15:53
morganfainbergayoung, from a UX needing to create a trust, then tell the service to use that trust - it's a lot less natural15:53
ayoungNone of this is natural.15:54
ayoungKeystone is unnatural15:54
ayoungComputers even more so15:54
morganfainbergayoung, ux perspective handing a token over to the service and the service can just work with it is way better15:54
ayoungmorganfainberg, there is something wrong there...15:54
morganfainbergayoung, vs. needing to go stand up a bunch of things then somehow tell that service to use this new thing.15:54
morganfainbergayoung, the trust workflow (especially when you talk about having a large number of actions) is very clunky15:55
ayoungmorganfainberg, only because it is new.  We can streamline it.  But I need to check out for a few minutes....15:55
*** ayoung is now known as ayoung-afk15:55
*** zhiyan_ is now known as zhiyan15:56
*** hrybacki has joined #openstack-keystone15:56
*** dstanek is now known as dstanek_zzz15:56
morganfainbergayoung-afk, i think using trusts here isn't the right answer - we talked through the possibilitiys for explicit delegation and having to do <grant delegation> to <service>, ask service to do <thing> service use <trust> was a lot of changes in a lot of places.15:57
morganfainbergayoung-afk, discuss more when you're back15:57
dolphm++ composite tokens *was* the streamlined solution16:01
*** ozialien has quit IRC16:02
*** browne has quit IRC16:04
*** zhiyan is now known as zhiyan_16:05
morganfainbergdolphm, I'm seeing requests for a simple-shared-secret auth mechanism again. but what is really wanted is a way to say give me a token for user X scoped to Y with specific roles. [i've been digging into the real use-cases here]16:06
*** sbfox has joined #openstack-keystone16:06
dolphmmorganfainberg: that's a fair use case, but what does it have to do with the proposed solution? sounds like oauth16:07
dolphmmorganfainberg: last time simple-shared-secret came up, the only use case we got out of it was for password rotation16:07
morganfainbergdolphm, right and this is the same thing again, but i've been asking more questions about what is really wanted16:07
morganfainbergdolphm, this does sound a lot like oauth16:08
*** leseb has quit IRC16:09
morganfainbergdolphm, i don't think i'd use the proposed solution as it was16:09
*** leseb has joined #openstack-keystone16:09
*** sbfox1 has joined #openstack-keystone16:09
morganfainbergdolphm, it would need to be something new.16:09
dolphmmorganfainberg: or oauth? lol16:10
morganfainbergdolphm, i mean if oauth isn't the right answer16:10
morganfainbergdolphm, let me go look at oauth and see if it'll work -- if not what we need to do to fix it16:10
morganfainbergfor this usecase.16:10
dolphmmorganfainberg: ack16:11
*** sbfox has quit IRC16:11
morganfainbergactually... gonna go get coffee and breakfast first instead.16:11
stevemarmhu, ping?16:14
*** leseb has quit IRC16:14
fmarco76hello guys16:14
stevemarfmarco76, hello!16:14
fmarco76if I would commit a spec and send to review, what should I put in the commit message?16:14
stevemarfmarco76, something like this https://review.openstack.org/#/c/96315/16:15
fmarco76have to put "Implements: blueprint xxxxxxxxxxxxxx"16:15
stevemarfmarco76, bp xxxxxxxx16:16
fmarco76OK, thanks16:16
*** dstanek_zzz is now known as dstanek16:17
*** richm has joined #openstack-keystone16:18
*** ajayaa has quit IRC16:19
*** shakamunyi has quit IRC16:20
*** thedodd has quit IRC16:21
*** thedodd has joined #openstack-keystone16:23
*** fmarco76 has quit IRC16:25
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/9122516:26
*** leseb has joined #openstack-keystone16:28
*** praneshp has joined #openstack-keystone16:29
*** leseb has quit IRC16:29
*** daneyon has joined #openstack-keystone16:31
*** ericvw has quit IRC16:32
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/9626516:32
*** gokrokve has joined #openstack-keystone16:36
*** gokrokve_ has joined #openstack-keystone16:37
*** gokrokve has quit IRC16:40
*** browne has joined #openstack-keystone16:45
*** ayoung-afk is now known as ayoung16:46
ayoungmorganfainberg, OK...one step at a time16:46
ayounga User needs to be able to request a token with a subset of roles, and targetted to a specific endpoint16:47
ayoungWe endd endpoint binding of tokens before anything else will work scoping wise, I think16:47
ayoungthat is an Auth Token Middleware issue to solve16:47
ayoungAdding explicit roles into the token request is a stand alone change that can happen in parallel, and nkinder expressed an interest in that as well.16:48
morganfainbergI disagree that we need endpoint binding before anything else. its something very nice to have, but far from required.16:48
ayoungthat is going to be somewhat broken if a user can request a token to get another token16:48
ayoungmorganfainberg, just within keystone:16:48
ayoungif a token does not have keystone in the service  catalog, keystone shouldn't honor it16:48
ayoungso I should be able to get a token, hand it to nova, and not worry that someone is going to upgrade it for another token16:49
*** sbfox1 has quit IRC16:50
morganfainbergayoung, again, a very nice to have and i want to see it. but i disagree with it being a hard requirement, we don't have it today. and it wont change much from today if we don't get it16:50
ayoungmorganfainberg, lets agree that it is necessary, and we can work out the dependencies and ordering later?16:50
dstanekwon't endpoint binding be confusing for users? they'll have to know what services will be talking to what other services right?16:50
morganfainbergayoung, absolutely, i was going to just offer that it should be worked orthogonally to joint tokens.16:50
ayoungdstanek, not really.  To start with, we just use the endpoint filtering16:50
ayoungper project16:50
morganfainbergayoung, orthogonally to most of the other work. adding the endpoint binding should have no other impact.16:51
ayoungdstanek, the question is what to do with tokens that have no service catalog in them, which is what we've been telling people is the work-around for token size...but compression should manage that16:51
*** Ju has quit IRC16:52
ayoungmorganfainberg, so, for workflow, where a user goes to nova, then nova goes to glance, and glance goes to swift, that is why you want the joint tokens, right?16:52
morganfainbergayoung, correct - preventing user X from changing something in swift (for example) directly16:52
dstanekayoung: what to do? are you talking client side or server side?16:52
morganfainbergbut also prventing compromise of glance from changing everythign in swift16:53
morganfainbergtwo keys to launch.16:53
dstanekmorganfainberg: like a nuclear missle!16:53
morganfainbergdstanek, except you trade both bits in for the launch code :P16:54
*** sbfox has joined #openstack-keystone16:54
ayoungmorganfainberg, so the trick is for nova to be able to add an additional limitation on a token...Ideally we would let Nova sign a new token, but with a way of confirming that it was only contianing a limited set of the data from the origianl token, without letting someone else strip out the origianl token and just use that16:54
morganfainbergayoung, correct, and in theory glance should be able to do the same with the joint token it gets from nova (if needed)16:54
ayoungmorganfainberg, so  why not have the user request all that up front?16:55
ayoung"I'm launching a VM,  give me a token scoped from Nova to Glance"16:55
ayoungand I need to go pickup food now...back in a few16:55
*** ayoung is now known as ayoung_fuud16:55
morganfainbergayoung_fuud, how does the user know he needs a glance token? or more to the point a glance and swift token?16:56
*** zhiyan_ is now known as zhiyan16:56
morganfainbergayoung_fuud, the user mostly only knows he wants to launch a VM and that requires talking to nova.16:56
* morganfainberg does the same and actually gets food and coffee.16:56
dstaneki've often wondered about using tokens that are not bearer tokens17:00
*** nkinder has quit IRC17:01
morganfainbergdstanek, a token that is explicitly scoped to a single action?17:03
*** marcoemorais has joined #openstack-keystone17:03
*** ozialien has joined #openstack-keystone17:04
*** richm has left #openstack-keystone17:04
dstanekmorganfainberg: no, i was thinking more oauth based signatures17:04
morganfainbergah17:04
dstanekif i want nova to do something on my behalf i could do a negotiation (kinda like kerberos) that gives the nova service a token that only it can use17:05
*** zhiyan is now known as zhiyan_17:06
dstaneki think part of the (or my) confusion is that services can use other services for a user or on behalf of a user17:06
dstaneknova stores stuff in glance on behalf of a user and the user can look in glance and see images and snapshots17:07
dstanekglance uses swift for a user to store their data, but the user doesn't see this raw data17:07
openstackgerritMarco Fargetta proposed a change to openstack/keystone-specs: Web Authentication for SAML federated Keystone  https://review.openstack.org/9686717:09
stevemardolphm, marekd ^17:11
morganfainbergdstanek, yeah.17:11
*** dims has joined #openstack-keystone17:13
*** nkinder has joined #openstack-keystone17:14
*** harlowja_away is now known as harlowja_17:15
*** dims is now known as dimsum17:16
*** richm1 has joined #openstack-keystone17:19
*** ayoung_fuud is now known as ayoung17:20
ayoungdstanek, that was the endpoint binding I was talking about17:21
ayoungdstanek, the things is, Nova is really a workflow engine.  Something needs to orchestrate the workflow17:22
ayoungmorganfainberg, dstanek the thing is, endpoint binding is really simple, if the endpoints know their own endpoint id.  "Endpoint must be in the catalog"17:24
*** fmarco76 has joined #openstack-keystone17:25
dstanekayoung: if you do it that way what will nova use to talk to glance?17:26
*** fmarco76 has left #openstack-keystone17:26
ayoungdstanek, to start with, the same token17:26
ayoungyou could make a token with both nova and glance in it17:26
ayoungassuming you had different roles for each service, you could restrict things fairly easily17:27
ayoung1 role is launch_vm  the other is fetch_image17:27
ayoungwe don't need a new mechanism, we need to make better use of the mechanisms we have to enforce that17:27
*** radez_g0n3 is now known as radez17:31
dstanekayoung: that doesn't help glance verify that nova or anything else is allowed to use that token17:31
ayoungdstanek, true.  It is still a bearer token17:31
ayoungdstanek, you could make is a single use token.  Glance accepts it, hands out the image, and then sticks the token in the revocation list.17:34
dstanekayoung: who would revoke it nova, glance or swift?17:37
ayoungGlance17:37
ayoungdstanek, and swift could do the same thing17:37
dstanekso how would glance get a token to use with swift?17:37
ayoungso if the token goes from nova to glance, glance accepts it once.  THne glance passes to swift, and swift accepts it once17:37
bknudsonnova probably needs it for neutron too17:38
ayoungthe "single use" policy is specified in the token, and enforced on the endpoints17:38
*** sbfox has quit IRC17:39
ayoungbknudson, yep, and the same rule would apply there.17:40
ayoungIt could even be a counter:  use it X number of times on endpoint Y17:40
ayoungthe alternative would be something like this:17:41
bknudsonwhen I get a token I need to know if nova is configured for neutron or not?17:41
dstanekbknudson: worse...you have to know that the instance of glance used by nova uses swift as a backend17:42
ayounguser goes directly to glance and tells glance:  let endpoint E  fetch image I.  Glance responds with: I'm going to need permissions from Swift to do that, and also returns a cookie.  So user goes to Swift and says, let Glance Endpoint G fetch object O.  Swift holds on to that preauth, and passes a cookie  back to the user.  The user then hands both of these cookies over to Nova17:43
ayoungdstanek, put the onus of all that on the Service Catalog17:43
ayoung"everything that this token is expected to work with is in this catalog"17:43
dstanekayoung: how do you show in the catalog that glance uses a swift backend? swift may be in there just because the user has access to it17:44
*** afazekas has quit IRC17:44
bknudsoncould the user go to glance and say "let endpoint E fetch image I using this cookie"17:45
ayoungdstanek, is that common?17:45
ayoungbknudson, it could all be prearrainged, and signed by a users private key if you really wanted17:45
dstanekno idea...it was a topic of conversation at the summit17:46
ayounguser would not even hav to go to glance to set that up,  just have the workflow set up ahead of time17:46
bknudsonit could just be "let this image be fetched using this cookie"17:46
bknudsonsince glance shouldn't need to know that a particular endpoint is going to be doing it.17:47
ayoungbknudson, why not?  Then anyone can fetch it.17:48
bknudsonif they have the cookie they could. how would they get the cookie unless the user gave it to them?17:48
dstanekbknudson: i like the idea of signatures so glance could verify that nova was allowed to reuse that token17:49
bknudsonso it would be signed with nova's public key?17:50
nkinderayoung: the composite token idea seems much cleaner to me17:51
ayoungnkinder, why>17:52
dstanekbknudson: something like that17:52
dstanekbknudson: i'm not proposing any changes right now, i've just been thinking about how to get rid of bearer tokens17:52
nkinderayoung: for one, we don't have a slew of revocation events like we would for the one time use tokens17:53
nkinderayoung: two, the user doesn't have to know what services talk to what other services on the back-end17:53
dstaneknkinder: what is the token a composite of?17:54
nkindertwo separate parties (the real user and the service user) are both agreeing on an action17:54
ayoungnkinder, how do they agree?17:54
nkinderdstanek: a token from the real user and a token from the service user17:54
dstaneknkinder: ah, right. i think that is similar to what i was thinking17:56
nkinderayoung: it is true that the user doesn't really know what a service might do with it's token17:56
nkinderayoung: but the composite token prevents the service user from performing an action without possession of a user token that is authorized17:56
nkinderthe service user can't perform the action alone, and neither can the user17:57
dstaneknkinder: right, i just want to say 'i trust nova to do X on my behalf' and if nova feels the need to talk to something else i wouldn't care17:57
nkinderdstanek: exactly17:57
ayoungnkinder, how common is it that such an action would never be authorized?17:57
*** zhiyan_ is now known as zhiyan17:57
nkinderayoung: I don't have any statistics.  Perhaps dolphm does, as he was who I heard the use case from.17:58
ayoungnkinder, the problem is that we don't know what nova is going to do on a users behalf.  That is why I want to solve things at the policy/audit level before purusing more delegation mechanisms17:59
nkinderayoung: I don't really see it as delegation, as the user isn't saying "you(glance) can talk to swift on my behalf"18:02
nkinderthe user is just saying "I'm me.  Perform this glance operation."18:02
ayoungnkinder, the number one threat I want to defend against is where a Hypervisor compromise gets access tpo general purpose tokens.  Everything else, is, I think secondary to that.  But the MOC   approach makes things more interesting:18:03
ayoungif Nova is run by HP, Swift by EMC, and Glance by Red Hat, no one trusts anyone18:03
*** praneshp has quit IRC18:04
ayoungthe end use wants to say "here is my workflow.  THis and this alone is authorized"18:04
ayoungbut right now, we don't know what that workflow really is18:04
*** gyee has joined #openstack-keystone18:04
ayoungnkinder, and, in this case, the user is saying "its ok if nova gets access to my glance image stored in my swift account"18:04
openstackgerritBrant Knudson proposed a change to openstack/keystone-specs: Template cleanup - RST docs  https://review.openstack.org/9688618:05
morganfainbergayoung, no, it's the user saying "it's ok for nova to access the image in glance that happens to be stored in swift, but glance can't do it alone" the user wouldn't be able to get the glance image w/o going through glance either18:06
morganfainbergayoung, similarly nova couldn't do it alone.18:06
ayoungmorganfainberg, why should a user not be able to fetch their own image?18:06
*** zhiyan is now known as zhiyan_18:06
bknudsononce glance has gotten the image once it can just save it off somewhere18:06
morganfainbergayoung, because it isn't owned by the user.  it is managed by glance on behalf of the user18:07
bknudsonDid I sign my image so that I can trust that the right image was used?18:07
ayoungmorganfainberg, so this is the case where corporate uploads a special image, and people in their org can use that image on a set of nova machines, but can't download it to transport it around?18:08
bknudsonI could sent nova a hash of the image and hope it verifies18:08
morganfainbergayoung, more to the point, the user uploads an image to glance.  Glance stores said image (and metadata)18:08
*** sbfox has joined #openstack-keystone18:08
morganfainbergayoung, user wants to perform some kind of update.  you want glance to control that update.  but only if the user requests it18:09
ayoungmorganfainberg, so the user already has access to the image, why should they not be able to download it again directly?  Why should it not be usable on every Nova in the Datacenter?  Why should they not be able to provide access to it to some other service?18:09
morganfainbergayoung, if it was just "stored in swift" the user could update w/o glance knowing18:09
morganfainbergayoung, similarly, compromise of glance service user couldn't directly update images w/o the user's concent [token] as well18:10
dstanekthe use-case i heard at the summit is that a user can see their images in glance, but not in swift (even though they are actually stored there)18:10
dstanekthe use doesn't know or need to know that they are in swift18:10
morganfainbergayoung, because you've asked glance to manage it.  do you know where glance stores images? do you care?18:10
morganfainbergayoung, as an end user18:10
ayoungmorganfainberg, again, it is solvable by current policy.  If I want to mess myself up, I should be able to do so.  If an org wants to say "all modifications to GLance must go through glance"  that can be done today, too18:11
*** erecio has joined #openstack-keystone18:11
ayoungmorganfainberg, its based on the glance config, I assume.  I assume glance has the ability tpo make multiple choices,  or I need multiple glance instances for that?18:11
morganfainbergayoung, if you use the current policy and glance stores an image in swift either a) the user can change, not through glance18:11
morganfainbergayoung or b) glance can change w/o the user.18:12
ayoungglance can do whatever it wants.  It could change the image on the fly if it is compromised18:12
morganfainbergayoung, not the glance service, the glance user. if keystone is compromised (itself) we're screwed. i accept if the service is in-memory compromised there is nothing we can do18:13
morganfainbergif any service itself is compromised we are kinda SOL.18:13
*** hrybacki has quit IRC18:14
ayoungmorganfainberg, the glance user does not talk to swift.  If glance talks to swift today, it passes the owning users token.  Where does the glance use come into play>18:14
nkinderayoung: the glance user comes into play from the idea of composite tokens18:15
morganfainbergayoung, the point is you don't want the user to have access to change the swift store that glance is using. glance _needs_ to know each change. so you'd have a glance user to create the composite token18:15
nkinderwe don't want the user to be able to download the image18:15
nkinder...directly from swift18:15
ayoungnkinder, the glance user should actually be going away.  Right now it is needed only to talk to keystone to fetch revocation information and certs.18:15
ayoungnkinder, then the user should be using someone elses storage, and some sort of proxy arraingment needs to be set up with glance.18:16
morganfainbergayoung, service users aren't going away18:16
morganfainbergayoung, they just wont be.18:16
ayoungmorganfainberg, they should not be increasing in responsibility18:16
morganfainbergayoung, why?18:16
ayoungmorganfainberg ... how important is the Voltron Token?18:17
morganfainbergayoung, we have (so far) 3 confirmed use cases18:18
morganfainbergayoung, glance, solum, and use for nova+docker18:18
morganfainbergayoung, well glance+swift18:18
morganfainbergayoung, oh, 4, barbican and user-secrerts18:18
*** erecio has quit IRC18:19
*** erecio has joined #openstack-keystone18:19
morganfainbergayoung, lets try this from the other angle -- how would you setup the proxy arrangement with glance? how does the end user handle that. [think end user managing an image],18:21
morganfainberguploading for users to utilize (public) in nova18:21
ayoungmorganfainberg, I'm not certain that the use case as presented is the general use case.  I don't have enough information to confirm, but I do know that it sounds like the composite tokens are a  very specific mechanism.   I'm wary.  Just trying to understand, but I've been thinking about this problem for a long, long time, and that is not one of the major use cases I've confronted.18:23
*** bobt has quit IRC18:24
ayoungmorganfainberg, oooh...just discovered restview18:24
ayounghttp://mg.pov.lt/restview/18:25
morganfainbergayoung, thats cool!18:25
topolayoung++ restview looks really cool18:28
ayoungmorganfainberg, OK,  lets nail down the use case, before we hit the solution.  I'm going to use the Whiteboard on the BP for this:18:28
morganfainbergayoung, lets do etherpad18:28
ayoungmorganfainberg, that works, too:18:29
morganfainberghttps://etherpad.openstack.org/p/keystone-joint-tokens18:29
morganfainbergnkinder, ^ if you want to jump in18:29
morganfainbergnkinder, since you were also around for the original discussion at the summit18:30
ayoungmorganfainberg, so the big thing I want to point out is that if any of these operations are going to take place outside of direct involvement of the user (token expired)  they are going to require a trust or oauth.18:32
ayoungKicking off a VM is already a known issue:18:33
morganfainbergassume the use cases here do not involve an expired user-token18:33
morganfainbergwe aren't orchestrating e.g. heat18:35
morganfainbergso single op, which a token should be valid for.18:35
bknudsonuser doesn't know how long their op is going to take18:35
morganfainbergand if it's not and everything has to be trusts, we are doing a lot of things wrong18:35
morganfainbergbknudson, sure.18:36
bknudsoneven with trusts you have the expiration issue -- how long does it take to get a trust?18:36
morganfainbergbknudson, in theory a service user could use a trust.18:37
morganfainbergbknudson, so less of an issue i guess18:37
ayoungmorganfainberg, trusts are a delegation mechanism.  THey have certain drawbacks, the biggest of which is that they require the delegated entity to be another Keystone user.  But that does not mean we cannot expand on what is meant by a trust in order to make this work.  What a bout Group trusts?18:37
ayoungtrusts do not have to expire bknudson18:37
bknudsonayoung: right, but you need an unexpired token to get a trust18:38
ayoungbknudson, the service user has to have that anyway18:38
morganfainbergbknudson, service user would do that in this case18:38
*** marcoemorais has quit IRC18:38
bknudsonI do nova boot with a token and nova uses it to get a trust18:38
morganfainbergayoung, my biggest concern with a trust is how do you know what trust to use (as a service user) to do the nova boot18:38
ayoungbknudson, that really should be :  user has to be authenticated18:38
bknudsonbut maybe that token was just about to expire18:38
*** praneshp has joined #openstack-keystone18:38
bknudsonor do I pass a trust token to nova on boot?18:39
morganfainbergayoung, X-AUTH-TOKEN: blah, http://nova/boot_instance {instance info}18:39
ayoungmorganfainberg, how about a general purpose query:  Please use the trust that is relevant for this operations:18:39
*** marcoemorais has joined #openstack-keystone18:39
morganfainbergayoung, i have 5 trusts to nova for various things, which one?18:39
ayoungmorganfainberg, instead of create token for trust based on id, it would be create token for trust based on trustor/trustee/role18:40
*** rodrigods has joined #openstack-keystone18:40
*** rodrigods has joined #openstack-keystone18:40
ayoungIf I only care about a specific role, just give me the first that fits.18:40
*** sbfox has quit IRC18:40
morganfainbergayoung, how do you know what role is needed?18:41
ayoungwhat if we define the trust on the project, not the user18:42
ayoungany user that is a member of this project is enrolled in a trust relationship with the endpoints.18:42
morganfainbergayoung, i'm not saying we can't do all this with trusts, but we need the UX for booting up and instance (example use case) to remain mostly the same - asking a whole lot more mechanism will make it so no one migrates to the new system and hacks around it18:42
ayoungmorganfainberg, I think I am just coming up with a way to implement your blueprint in the context of trusts...18:43
ayoungA trust is already a way of creating a contract between two endpoints.18:43
ayoungwell, a user is really not an endpoint, but18:43
morganfainbergayoung, ok lets explore project18:43
ayoungso a project admin sets up a series of trusts.  One if for glance to talk to swift18:44
morganfainbergayoung, everything is really project scoped not user scoped anyway18:44
ayoung++18:44
ayoungand with the endpoint filter, we have a clean way of associating endpoints with projects18:44
ayoungSo, we make a bunch of implicit trusts.18:45
morganfainbergayoung, lets leave the endpoint filter off - we'll def get there18:45
morganfainbergbut it doesn't impact the design (we know we want it and will implement it)18:45
ayoungmorganfainberg, the endpoint filter makes the whole thing much clearer, as it says which specific endpoints are enrolled in the trust18:45
ayoungbut anyway....18:46
morganfainbergok, so project admin needs to know about cloud deployment to build the trusts?18:46
morganfainbergthat glance uses swift?18:46
*** arunkant has joined #openstack-keystone18:47
ayoungOK,  so  for project P,  we create a trust that says Nova can get a token on behalf of a user  with role "fetch_from_glance"  in Project P only18:47
morganfainbergand the roles to delegate18:47
ayoungalso  for project P,  we create a trust that says Glance  can get a token on behalf of a user  with role "fetch_from_swift"  in Project P only18:47
morganfainbergso far with you on the mechanism.18:48
morganfainbergand what the trust structure looks like18:48
ayoungNow, this does not say that the user kicked off the use case18:48
ayoungglance can perform it at any time18:48
ayoungto get to where you are, glance should have to add to the request the token from nova18:48
morganfainbergayoung, which breaks the 'compromise of the glance service user shoudln't be able to be malicious to everything" [in this case]18:48
morganfainbergayoung, ok, so how does that end up working.18:49
*** marcoemorais has quit IRC18:49
ayoungmorganfainberg, I think we are solving the wrong problem.  The user can preauthorize anything.  THe problem is that we don't know what to pre-authorize18:50
ayoungSo, yeah, we could add "and you need an active user token to activate the trust"18:50
ayoungthat only limits things if that user token alone couldn't be used to talk to swift18:50
morganfainbergayoung, which was one of the clear desires.18:51
ayoungI'd rather have the user get a bunch of tokens up front, and hand them off to the services.  No round trip to Keystone required18:51
ayoungInstead of One token, the user gets one per endpoint18:51
morganfainbergayoung, but the user shouldn't have to know what tokens to get18:51
ayoungSomeone needs to set this up ahead of time.  The user can execute someone elses plan18:52
morganfainbergayoung, so the project admin needs to know about the deployer's grand scheme18:52
morganfainbergayoung, user B wants to boot an image - how does user B do so without knowing the deployment details of OpenStack18:53
morganfainbergs/boot an image/boot an instance/18:53
*** sbfox has joined #openstack-keystone18:53
morganfainberghow does the user know if glance stores something in swift or not (and if a special token with a special role for that is needed)18:54
morganfainbergayoung, as long as the story is clear, i don't mind doing it that way (multiple tokens) either18:54
morganfainbergayoung, but it would need to be "not the end user's responsibility" to know all the tokens.18:54
*** dimsum has quit IRC18:56
ayoungmorganfainberg, I think the essential thing to know is that in order to perform a specific workflow, what are the potential operations.18:56
ayoungAnd allow only those operations18:56
ayoungthis is the case for both interactive and non interactive workfloes18:57
ayounginteractive can be done using the same mechanisms as non interactive, which is why I want to solve non-interactive first18:57
bknudsonis it only the glance->cinder case that we have to support/18:58
*** zhiyan_ is now known as zhiyan18:58
bknudsonusually it's just nova forwards the token18:58
morganfainbergayoung, i was going to say exactly the opposite but i agree.18:58
bknudsonbut cinder wants the requirement that the token is both glance + user18:58
bknudsonfor glance, there's no need for the token to be both nova + user, the user by themselves should be able to fetch images.18:59
morganfainbergbknudson, yes that was one of the types of examples.18:59
bknudsonwhat's the other examples?19:00
*** afazekas has joined #openstack-keystone19:00
bknudsonnova -> neutron, because you don't want the user to mess with networks themselves?19:00
bknudsonor should nova use its own token for nova -> neutron?19:00
morganfainbergbknudson, i would say if you don't want the user to mess with networks, but you also don't want the nova user to mess with networks w/o an authorization to do so19:01
bknudsonnova's going to need to be able to teardown the network by itself19:01
morganfainbergbknudson, when does nova act on the network w/o authorization (not being snarky, actually curious)?19:02
bknudsonmorganfainberg: I'm not familiar enough with nova to say... I'd think there'd be a case where nova wants to get rid of some instance it doesn't like.19:03
morganfainbergbknudson, hm. haven't run across that but sure, it could be the case.19:03
morganfainbergbknudson, i'm honestly not familiar enough to know if that is 100% the case19:04
morganfainbergthat it doesn't act on the user's behalf (or heat stack etc) always19:04
ayoungI would say then that they user talkingto Neutron should be using a limitedrole for their operation, and the more complex operation should be performed by a more powerful user with a wider role19:04
ayoungsnapshot is  non-interactive use case, or at least it can be19:05
bknudsony, like a network destroyer role19:05
ayoungI want that role19:05
morganfainberg" - bknudson, destroyer of networks"19:05
ayoungI already have it, I just want the title19:05
*** morganfainberg is now known as network_destroye19:06
network_destroyedang it... too many letters with the _19:06
bknudsonthey already made a movie about conan the destroyer19:06
*** network_destroye is now known as morganfainberg19:06
*** ayoung is now known as networkDstroyer19:07
*** networkDstroyer is now known as ayoung19:07
morganfainbergi read that at "networkDtroyer"19:07
*** zhiyan is now known as zhiyan_19:07
ayoungConan the Social Network Destroyer19:07
morganfainbergok anyway19:07
morganfainbergback on topic19:07
ayoungmorganfainberg, so the short of it is, you are stepping into a stream I've been trying to swim across for a couple of years now.19:08
ayoungI want to get the audit thing done, and use that to define the operations required by workflows before we build any new mechanisms19:09
ayounggordc is working on that19:09
morganfainbergayoung, i don't think we can block everything on that though. or we wont be working on anything until... K.19:09
ayoungmorganfainberg, I also think that fetchable policy and per project policy all fall into this same problem space19:09
bknudsonwhat's the composite token idea? it's just an auth with 2 tokens and you get back a composite token?19:10
morganfainbergbknudson, yep.19:10
bknudsondoesn't sound hard to implement19:10
morganfainbergbknudson, nope.19:10
ayoungmorganfainberg, in the Army we called it "half-assed, full blast, don't know where we're going but we should have been there yesterday."19:10
bknudsonthen glance needs to use it and cinder needs to support it.19:11
morganfainbergbknudson, correct.19:11
morganfainbergbknudson, well cinder's policy needs to support it19:11
morganfainbergbknudson, no change besides that would be needed19:11
ayoungIts a trap!19:11
ayoungYou know how I know?  Cuz your statment has  a magic word in it.19:11
ayoungCan you guess which one?19:11
bknudsonso we need to update policy with a rule for composite tokens or something19:12
morganfainbergbknudson, the composite token would have combined roles.19:12
ayoungWe don't need that19:12
morganfainbergbknudson, e.g. glance_service and <user_role>19:12
morganfainbergscoped to <project>19:12
ayoungit could be done with a separate role19:12
ayoungglance gets the "do_somehting_for_someone" role19:13
ayoungonlythe Voltron TOkens get that role19:13
bknudson<token1:<user1, scope1>, token2:<role2:scope2>, roles: [composite]>19:14
ayoungI should call them MegaZord tokens for you young kids.  Have you even watched Voltron?19:14
bknudsonI did watch voltron19:14
morganfainbergbknudson, sure.19:14
bknudsonit was one of the better cartoons19:14
topolI watched Voltron I believe. froma long time ago?19:14
morganfainbergayoungy, MegaZord, Voltron, <awful knock off>TranzordZ (or similar)19:14
bknudsonhaven't heard of megazort19:14
ayoungtopol, you don't coun't as one of the Young kids.  I'm guessing you never watched Power Rangers.19:14
bknudsonmegazord19:14
topolIm thinking of something else... ultraman perhaps19:15
bknudsonvoltron was the one where the robot lions all combined into a huge robot with a sword19:15
bknudsonthey always waited until the end... why not just combine at the beginning.19:16
morganfainbergbknudson that was the good voltron, not to be confused with the car version of it (the bad one)19:16
topolhttp://en.wikipedia.org/wiki/Ultraman19:16
bknudsonhave you ever heard of a show where there was a family of rocket ships?19:17
morganfainbergbknudson, but yes that is the idea - obviously with logic to ensure scopes match, usually the service user would have an unscoped token in the design sessions we talked about.19:17
bknudsonmorganfainberg: so does it need to be general or not? i.e., only support an unscoped service + user19:18
ayoungVoltron ~= MegZord19:18
ayoungthe question is "what is the token supposed to be authorized to do"19:19
*** daneyon has quit IRC19:19
ayoungis it blanket authority, or is it limited/19:19
morganfainbergbknudson, i wanted to make it unscoped only, but hierarcy might dictate you want to combine roles of two projects as long as a common minimum scope can be resolved19:19
morganfainbergroles from two projects that is19:20
ayoungThere was the use case:  move a resource from project to project, where two users were involved19:21
morganfainbergayoung, i think that was it.19:22
bknudsonI was thinking the rule could be like : "service_token: <glance user ID> and owner: $(user_id)s"19:23
bknudsonthis would be in cinder policy19:23
* ayoung stopped pay attention and is watching/listening to cartoon opening theme songs on YouTube19:23
morganfainbergbknudson, quick ayoung isn't paying attention, approve something >.>19:24
morganfainbergbknudson, yeah that could absolutely be a policy entry19:24
ayoungmorganfainberg, you are asking bknudson to do that?19:24
bknudsonhttp://git.openstack.org/cgit/openstack/cinder/tree/etc/cinder/policy.json19:25
bknudsonright, so we're saying the user can't get the volume data... let's say19:25
bknudson"volume:get_volume_metadata": [],19:25
bknudsonchanges to "volume:get_volume_metadata": "service_token:<glance user ID> and rule:admin_or_owner",19:26
bknudsonthen the context would have to expose service_token19:26
bknudsonand auth_token middleware would have to provide it19:26
bknudsonand the token would have to encode it19:27
ayoungso we need to honor "two tokens"  not "a token built from two users"19:27
bknudsonayoung: like 2 X-Auth-Token: lines?19:28
ayoungbknudson, each in a separate header?19:28
bknudsonayoung: right, or a separate header for X-Service-Token19:28
ayoungYep19:29
bknudsonwe'd really have to compress the tokens!19:29
stevemardolphm, if you have time, take a look at https://review.openstack.org/#/c/96836/19:29
ayoungbknudson, each header gets its own limit19:29
*** sbfox has quit IRC19:29
morganfainbergayoung, no, HTTP: if you issue X-AUTH-TOKEN twice it is presented comma delimited down the line19:30
morganfainbergayoung, so, it would be X-AUTH-TOKEN: token1,token219:30
ayoungmorganfainberg, right, so two different headers19:30
ayoungX-AUTH-TOKEN X-SERVICE-TOKEN19:30
morganfainbergoh you're saying make it X-SERVICE-T.. yeah19:30
bknudsonwhat's the advantage to having keystone generate a token from 2 tokens rather than 2 tokens in headers?19:31
morganfainbergbknudson, i think that was spawned from doing the hiearchy resolution and common scope19:32
bknudsonwould we want to reset the expiration time?19:32
morganfainbergbknudson, i could see 2 headers working just as well19:32
bknudsonmaybe they don't want to expose their service token to cinder?19:33
ayoungHas the advantage that you don't need to go back to Keystone19:33
bknudsonthe service token could be short lived.19:33
morganfainbergbknudson, hm. that would be an advantage. and it is signed as valid from keystone - middleware doesn't need to change what it presents to policy enforcement. less change was needed on the enforcement front19:34
*** sbfox has joined #openstack-keystone19:35
ayoungI'm glad we had this little talk19:35
*** rodrigods has quit IRC19:36
*** thedodd has quit IRC19:39
topolwhen will there be a spec to review?19:42
*** radez is now known as radez_g0n319:42
topol:-)19:42
morganfainbergheh19:42
*** afazekas has quit IRC19:42
morganfainbergbknudson, so is there a solid reason to not expose the service token?19:42
* topol thats because I need more detail and multiple readings to get my head around this stuff. totally self serving19:43
morganfainbergbknudson, besides avoiding a change to the middleware.19:43
morganfainbergi do like not having to get keystone involved a second time (or each step of the way)19:44
bknudsonmorganfainberg: I can't think of anything especially compelling.19:44
topolwhat days are the keystone hackathon? do we havce those locked down?19:45
*** gordc has quit IRC19:45
morganfainbergtopol, http://dolphm.com/openstack-keystone-hackathon-for-juno/19:45
bknudsontopol: did you like the hotel you stayed at last time?19:46
topolyeah, it was great19:46
morganfainbergbknudson, if we end up at geekdom the Valencia is a better place than the courtyard19:46
topolthey have an IBM rate19:46
bknudsonldbragst wants to not run into any druggies this time.19:46
morganfainbergtopol, ^19:46
topolyes, but I agree with morganfainberg19:47
topolsince at geekdom, we need to find something else19:47
morganfainbergtopol, hopefullt dolphm will have an answer re: geekdom or Rackspace castle19:47
bknudsonhopefully there's a hotel closer to downtown on the approved hotels list19:47
morganfainbergbknudson, Hotel Valencia is - riverwalk, isn't that close to downtown?19:48
bknudsondid anyone stay there last time?19:49
topolbknudson, Im checking if they have an IBM contract rate19:49
bknudsongoogle maps says it's $189!19:49
topolotherwise I think we can get you an exception to be able to stay where everyone else is staying19:49
morganfainbergbknudson, $114 if you use the "Rackspace" codeword19:49
morganfainbergaccording to dolphm's blog post19:50
bknudsonthat's such a good deal we have to buy it19:50
topolI thought the codeword was tumbler19:50
morganfainbergi think the courtyard was ... ~100/night last time (ish)19:50
morganfainbergtopol, tumblr . com19:50
morganfainbergtopol, >.>19:51
*** thedodd has joined #openstack-keystone19:52
morganfainbergbknudson, so nova would pass the bearer token over to glance (still) and glance would use bearer token + it's service token for ... swift - there is no reason nova needs to be involved afaict19:54
morganfainbergbknudson, on the glance -> swift bit19:54
bknudsonmorganfainberg: right19:54
bknudsonso that's just thinking about this specific problem19:54
bknudsonI don't know what the other issues are that needed to be solved19:54
morganfainbergbknudson, we'll need to do any hierarchy scope resolution magic in the middleware (nbd)19:55
morganfainberginstead of being able to rely on keystone to figure out common scope.19:55
*** dstanek is now known as dstanek_zzz19:55
morganfainbergbknudson, if we want to support that kind of stuff.19:56
morganfainbergbknudson, ok i think i'm on board with this. - do we want to call it a SERVICE token or use some other nomenclature (cc topol ), and do we want to support only 2 tokens or N tokens19:57
morganfainbergnkinder, ayoung, ^19:57
morganfainbergdolphm, dstanek_zzz, ^19:57
*** marcoemorais has joined #openstack-keystone19:58
*** zhiyan_ is now known as zhiyan19:59
ayoungMegaZordToTheMaxToken19:59
topoldid we get consensus that $114 really is the special rate? And is this where everyone is staying?  If so we should be able to stay there as well.  Lots of stuff gets done in the lobby bar20:00
ayoungtopol, https://review.openstack.org/#/c/96315/20:02
ayoungtopol, and I think we just decided to not go with that approach20:02
ayoungtopol, we tried to collaborate on an Etherpad to get the use cases20:03
ayounghttps://etherpad.openstack.org/p/keystone-joint-tokens  topol20:03
ayoungmorganfainberg, have we released a new Client yet?20:04
morganfainbergayoung, 0.9.0 is released w/ compression and configurable hashes20:04
morganfainbergayoung, yesterday20:04
bknudsonok, so one use case is "in glance images are uploaded by nova when it takes a snapshot; images  can potentially also be uploaded directly to Glance by end users."20:05
bknudson"allow all users to take snapshots while restricting direct upload with a role"20:05
topolayoung, so the approach we are going with is in  https://review.openstack.org/#/c/96315/  or isnt?20:05
*** amerine has quit IRC20:05
*** amerine has joined #openstack-keystone20:06
morganfainbergtopol, i'm reaching out to some folks to make sure there are no pitfalls w/ the dual token headers20:06
*** hrybacki has joined #openstack-keystone20:06
ayoungtopol, not as of 15 seconds ago20:06
morganfainbergtopol, but i'm on board with it instead of asking keystone to be involved between requests20:06
*** stevemar has quit IRC20:06
ayoungtopol, it seems like a very specific mechanism for a limite use case.  I think that we don't need it, and we need to look instead to the exsitng mechanisms we have to solve that and a broader class of problems.20:07
morganfainbergayoung, i'll keep the change-id and replace the spec with the new one [details about the middleware and dualing tokens]20:07
ayoungThe rest is commentary, go and study...er read up20:07
ayoungBanjo Tokens!20:07
morganfainbergayoung, bagpile tokens!20:07
morganfainbergbagpipe*20:07
ayoungDueling Banjos much more sinister than dueling Bagpipes20:08
*** zhiyan is now known as zhiyan_20:08
*** browne has quit IRC20:08
morganfainbergayoung, what about banjos dualing bagpipes?20:10
morganfainbergX-BAGPIPE-TOKEN and X-BANJO-TOKEN20:11
bknudsonso one advantage to keystone doing the composing is it'll be a lot simpler to use20:17
bknudsongiven the client libs that we have today20:17
morganfainbergbknudson, ++20:17
bknudsonalthough that doesn't seem like the best reason to go with what seems pretty inefficient20:18
morganfainbergi think it'll be about the same level of effort to convince the client libs to put a service token into the request - make it part of the session object.20:18
morganfainbergwe front load in service token options in the part of KSC other clients use20:18
bknudsony, if clients are using session then that's a lot easier20:18
morganfainbergbknudson, it's also a carrot for the session object.20:18
bknudsonmorganfainberg: yes, now we need a stick20:19
morganfainbergbknudson, i think jamielennox|away  has been providing some of that with the changes he's been pushing to the other clients20:20
*** erecio has quit IRC20:24
*** nkinder has quit IRC20:29
*** ozialien has quit IRC20:30
*** marcoemorais1 has joined #openstack-keystone20:34
*** marcoemorais has quit IRC20:34
*** nkinder has joined #openstack-keystone20:42
*** browne has joined #openstack-keystone20:43
topolmorganfainberg, isn't keystoners who typically update the client libs?20:48
topoli.e. jamielennox taking the lead20:49
morganfainbergtopol, well jamielennox|away is doing it. we committed to helping other clients, but we're not 100% on the hook as i understand it20:50
*** zhiyan_ is now known as zhiyan20:59
*** praneshp has quit IRC20:59
*** openstackgerrit has quit IRC21:01
*** jaosorior has quit IRC21:02
*** henrynash has quit IRC21:05
*** zhiyan is now known as zhiyan_21:09
*** dc_ has quit IRC21:11
*** matsuhashi has quit IRC21:18
*** praneshp has joined #openstack-keystone21:19
*** henrynash has joined #openstack-keystone21:29
ayoungmorganfainberg, my goal is to get all of the other clients to use keystoneclient, and all of the services to use keystonemiddleware for middleware and policy management, and then to just solve things for them21:40
morganfainbergayoung, sure - lofty goal, i like it :)21:40
ayoungand then break things21:41
morganfainberghaha21:41
*** hrybacki has quit IRC21:42
*** nkinder has quit IRC21:50
*** david-lyle has quit IRC21:50
*** rodrigods has joined #openstack-keystone21:51
*** david-lyle has joined #openstack-keystone21:51
*** david-lyle has quit IRC21:56
*** zhiyan_ is now known as zhiyan22:00
*** dims has joined #openstack-keystone22:02
*** dims has quit IRC22:02
*** dims has joined #openstack-keystone22:04
*** dims has quit IRC22:04
*** dims has joined #openstack-keystone22:07
*** zhiyan is now known as zhiyan_22:09
*** dims has quit IRC22:12
*** dims has joined #openstack-keystone22:12
*** hrybacki has joined #openstack-keystone22:24
*** gyee has quit IRC22:28
*** hrybacki has quit IRC22:29
*** openstackgerrit has joined #openstack-keystone22:31
*** openstackgerrit has quit IRC22:35
*** amerine has quit IRC22:35
*** openstackgerrit has joined #openstack-keystone22:35
*** amerine has joined #openstack-keystone22:35
*** topol has quit IRC22:36
*** dims has quit IRC22:36
*** dims has joined #openstack-keystone22:37
*** dims has quit IRC22:41
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add v3 curl examples  https://review.openstack.org/9697322:44
*** hrybacki has joined #openstack-keystone22:44
*** sbfox has quit IRC22:55
*** henrynash has quit IRC22:58
*** zhiyan_ is now known as zhiyan23:01
*** sbfox has joined #openstack-keystone23:02
*** stevemar has joined #openstack-keystone23:06
*** zhiyan is now known as zhiyan_23:10
*** rodrigods has quit IRC23:11
*** diegows has quit IRC23:13
*** nsquare has joined #openstack-keystone23:14
*** thedodd has quit IRC23:20
*** dims has joined #openstack-keystone23:24
*** dims has quit IRC23:24
*** dims has joined #openstack-keystone23:26
*** dims has quit IRC23:26
*** stevemar has quit IRC23:27
*** dims has joined #openstack-keystone23:28
*** dims has quit IRC23:28
*** hrybacki has quit IRC23:29
*** dims has joined #openstack-keystone23:32
*** dims has quit IRC23:32
*** rodrigods has joined #openstack-keystone23:32
*** dims has joined #openstack-keystone23:38
*** dims has quit IRC23:38
*** ozialien has joined #openstack-keystone23:38
*** nkinder has joined #openstack-keystone23:40
*** browne has quit IRC23:51
« Thursday, 2014-05-29 Index Saturday, 2014-05-31 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!