Tuesday, 2014-06-03

00:08 *** sbfox has quit IRC
00:16 *** amerine has joined #openstack-keystone
00:16 *** zhiyan_ is now known as zhiyan
00:21 *** marcoemorais has quit IRC
00:22 *** leseb has joined #openstack-keystone
00:27 *** leseb has quit IRC
00:28 *** schofield has quit IRC
00:30 *** schofield has joined #openstack-keystone
00:30 <openstackgerrit> Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Changes exception raised by v3.trusts.update()  https://review.openstack.org/97355
00:30 *** gokrokve has quit IRC
00:36 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Trusts Auth Broken in XML  https://review.openstack.org/54861
00:37 <morganfainberg> stevemar, broken huh
00:37 <morganfainberg> :P
00:46 <stevemar> morganfainberg, oh i just updated the commit msg
00:49 <morganfainberg> stevemar, hehe ah
00:56 *** pheadron has quit IRC
00:58 *** pheadron has joined #openstack-keystone
01:04 *** gokrokve has joined #openstack-keystone
01:09 *** rodrigods_ has quit IRC
01:12 *** rodrigods_ has joined #openstack-keystone
01:16 *** davlaps has joined #openstack-keystone
01:16 *** rodrigods_ has quit IRC
01:17 *** browne has quit IRC
01:21 *** leseb has joined #openstack-keystone
01:26 *** leseb has quit IRC
01:29 * morganfainberg restrains self from responding to the Error status code for out of quota errors as needing to use HTTP 402 - Payment required
01:32 <ayoung> morganfainberg, I see a parallel between your multi-token spec and S4U2Proxy
01:33 <ayoung> In both cases they are "trusted service plus indicator of intention from end user"
01:37 *** ncoghlan has joined #openstack-keystone
01:41 *** morganfainberg is now known as morganfainberg_Z
01:43 <harlowja> jamielennox u got a sec, just wanted to maybe clear up https://review.openstack.org/#/c/88419/
01:46 <jamielennox> harlowja: sure, others here are probably interested in that one - i just think i got there first
01:47 <harlowja> jamielennox cool, sooo i think phil and i got confused on that one, about what to expose, what should be exposed (domain not useful?)
01:48 <jamielennox> ok, so i'm not sure from nova's aspect what the vm needs to do
01:48 <jamielennox> my only point was that if you have a project_id a domain is kind of redundant, because a project exists in a domain
01:49 <harlowja> right, so this wouldn't be a nova usage, it would be an app inside the vm that wants to somehow signal out to the rest of the world this information (For example to configure puppet for the X creating user)
01:49 <jamielennox> more that if you are scoped in a project you should never really care about the domain, because there is no assumption that you will have any permissions to do anything on that domain
01:50 <harlowja> sure, lets say its not about permission but about identifying a (user, domain, project) in some other system (puppet in this case) to say uniquely identify the puppet recipe this user 'likes'
01:50 <harlowja> *without said user needing to provide cloud-init data to do the same
01:50 <harlowja> *making user all happy
01:51 <jamielennox> so i guess it stems from: is there a need to expose names
01:52 <jamielennox> once you start trying to refer to things by names you end up (as you are seeing) needing the domain_id and possibly domain_name
01:52 <harlowja> depends on the user (in my case, names a currently also unique)
01:52 <harlowja> *names are
01:52 <jamielennox> which in keystone at least we call project_domain_name to differentiate why you need the domain name
01:53 <jamielennox> yep, and there are definitely cases where that is true - however then there are things like swift recently who started using names as they were nicer and got burned by multi domains
01:54 <jamielennox> then tried to insert a bunch of hacks to try to keep using names
01:54 <harlowja> sure, so instead, provide either a uuid->name api (that is callable) or provide the full set of information (names included) and let the user choose what to use?
01:56 <harlowja> or just provide nothing i guess (the current situation)
01:56 <jamielennox> so most of those uuid->name apis are protected
01:56 <jamielennox> so you can obviously provide as much as you want and let users figure it out, i was just thinking you should provide ids and nothing else
01:57 <jamielennox> make the end users work with ids
01:58 <jamielennox> so you would provide user_id, project_id - anyone with suitable privileges can find more information from that but that way there is no ambiguity
01:59 <harlowja> ya, it'd just be nice if the VM itself had those suitable privileges
01:59 *** dims has quit IRC
02:01 <jamielennox> yea, i honestly don't know if there are security implications of passing through even what you are talking about now
02:02 <jamielennox> so in the case of puppet or some cloud-init, what's wrong with using ids?
02:03 <harlowja> so the case i have is downstream system still uses usernames, if they were say fully integrated with keystone then this wouldn't be needed (but they are legacy)
02:04 *** praneshp has joined #openstack-keystone
02:04 <harlowja> so thats my own desire for usernames
02:04 <jamielennox> is this something that can be enforced by changing the policy on keystone to allow puppet to fetch that user information?
02:04 <harlowja> well also requires downstream system to change :)
02:04 <harlowja> which with legacy stuff isn't so easy, ha
02:05 <jamielennox> even before boot?
02:05 <jamielennox> ahh, before puppet starts
02:05 <jamielennox> so your puppet script does a keystone user-get <id> and then feeds that through?
02:06 <harlowja> well right now there exists a patch we have in nova to drop down the username ;)
02:06 <harlowja> into the config-drive
02:06 <harlowja> *and since user-names are unique and company wide, this has gone ok
02:06 <harlowja> but say without that, it would have to do something like the above
02:07 <ayoung> harlowja, can you sneak another value in there for me?
02:07 <jamielennox> nkinder: you here? is there an issue about feeding usernames and such into a starting vm?
02:07 <ayoung> I need a One Time Password
02:07 <harlowja> ayoung sureeeee
02:07 <harlowja> i can sneak anything u want
02:07 <ayoung> harlowja, seriously
02:07 <ayoung> I need to be able to do this:
02:07 <harlowja> lol
02:07 <ayoung> upon VM create, generate an OTP
02:07 <ayoung> can be a UUID4
02:08 <ayoung> so long as it is random
02:08 <harlowja> then send it to your email?
02:08 <ayoung> then I need to send it to an Identity Provider, as well as to the VM
02:08 <harlowja> hmmm
02:08 <ayoung> and then register the VM with the IdP
02:08 <ayoung> I'm actually serious
02:08 <harlowja> oh, k, serious mode
02:08 <jamielennox> harlowja: so i guess the thing to do is make *another* config option with what you should pass through, because i can see in certain circumstances why user_name is good, but i would suggest you should do it by default
02:08 <jamielennox> *wouldn't
02:08 <ayoung> http://adam.younglogic.com/2013/09/register-vm-freeipa/  harlowja
02:09 <ayoung> I did it with a script before, but its the kind of thing that should not "take over the user data"
02:10 <ayoung> harlowja, designate is already doing something like this to create the A AAAA records for the new VM
02:11 *** gokrokve has quit IRC
02:11 <ayoung> harlowja, if the token ID were not a "symmetric shared secret" already I would just use it.  But  that would open up a security hole.
02:12 <harlowja> ya, the OTP thing would seem useful to have nova drop in to the metadata
02:12 <ayoung> harlowja, BTW, there should be no problem providing user, project to the VM, provided it is optional
02:12 <ayoung> there is nothing secret about either
02:12 <ayoung> and the user spinning up the VM would have to opt in to it, but that is ok
02:12 <harlowja> ayoung well i think jamielennox was wondering how really useful it is (which is a valid question)
02:13 <harlowja> in at least my case its currently useful (maybe someday it won't be)
02:13 <jamielennox> harlowja: not really, i'm wondering about what user data should be passed into a vm
02:13 <ayoung> harlowja, what are you planning on doing with that data?
02:14 <jamielennox> and arguing that we should be trying to obscure names in favour of ids because they will screw someone up
02:14 <harlowja> right now its just for interacting with a system that can drop the  user, passwd, ssh-key and a bunch of other stuff (this isn't chef/puppet yet) into the vm so they can log right in
02:14 *** nsquare has quit IRC
02:14 <harlowja> *unix passwd
02:15 <ayoung> jamielennox, i think the idea is that the VM should be getting project specific resources...which begs the question of "how are they authorized"
02:15 <ayoung> you don't really want to pass a token in to a VM by default
02:15 <ayoung> harlowja, same reason I want OTP, really.  SSO
02:16 *** davlaps has quit IRC
02:16 <harlowja> ayoung likely, if this was an OTP that both systems knew about then that would work also
02:16 <ayoung> harlowja, yes, and it would only make sense if that were the case
02:16 <ayoung> harlowja, also, the SSO system really needs to be per project
02:17 <ayoung> coke and pepsi in the same data center should not be working through a common LDAP server
02:17 <jamielennox> ayoung: if you aren't able to pass a token through then passing anything through to the VM related to the way your vm was booted sounds dodgy
02:17 <ayoung> jamielennox, its that the token has other security connotations
02:18 <ayoung> you don't want the VM spinning up another vm
02:18 <jamielennox> so why isn't all of this being handled by templated boot scripts
02:18 <jamielennox> here is the firstboot script
02:18 <ayoung> jamielennox, you need an external OTP
02:18 <ayoung> the sequence is:
02:18 <jamielennox> its got a %(user_id) field in it that is replaced prior to sending off to the VM
02:19 <ayoung> 1.  generate OTP.  2.  create vm  with OTP  3.  Notify FreeIPA with OTP of new host
02:19 <jamielennox> that way it's up to the person who sets up the script what information is transferred into the vm
02:19 <ayoung> yes, there is a race condition, as the FreeIPA server needs to finish before the host can run ipa-client-install
02:19 <ayoung> but you can retry in a loop if needs be
02:20 <ayoung> jamielennox, but you don't want to hijack "user-info" for every VM.  You want it to be "autoregister the VM with IPA" and then "run your custom initialization"
02:20 <jamielennox> otp = uuid.uuid4().hex, firstboot = bootscript % {'otp': otp, 'user_id': context.user_id, .... }    bootscript can know what to do with OTP once in
02:20 <harlowja> jamielennox sure templated user-data/boot-scripts could work, although users really don't remember to fill in user-data and this information is already known in keystone so it doesn't exactly feel like its user-data (its more of system-data)
02:21 <jamielennox> harlowja: but if not some sort of user-data script what is going to be receiving all this metadata on the VM end?
02:21 <harlowja> userdata can also be random shellscripts and other stuff, so templating would probably cause issues
02:22 <jamielennox> right, it'd be more involved than a python keyword format
02:22 <harlowja> jamielennox so there is user-data and meta-data that is provided on config-drive/os-metadata-service
02:22 *** leseb has joined #openstack-keystone
02:23 <harlowja> metadata already has system information in it
02:23 *** sbfox has joined #openstack-keystone
02:24 <jamielennox> is it just saved somewhere?
02:24 <harlowja> nova generates the metadata
02:25 <harlowja> ^ info seems to be more metadata not userdata
02:25 *** richm has quit IRC
02:25 <harlowja> with stuff like the following (from a havana vm i think)
02:26 <harlowja> {"admin_pass": "XYZ", "uuid": "ABC", "availability_zone": "nova", "hostname": "blahblah", "launch_index": 0, "network_config": {"content_path": "/content/0000", "name": "network_config"}, "name": "anvil"}
02:26 <jamielennox> i was thinking on the VM side, does it call out to nova to get that, or is it put in a file on the drive?
02:26 <ayoung> harlowja, I would like it to be something that is automated...so it should be from the metadata server
02:26 <harlowja> jamielennox nova writes/provides that info
02:26 <jamielennox> (showing my lack of nova knowledge here)
02:26 *** xianghui has joined #openstack-keystone
02:26 <harlowja> np
02:26 <ayoung> the OTP is tricky as two different systems need to get involved: metadata and the notifications
02:27 <harlowja> yup and the downstream system needs to know about the OTP i assume?
02:27 *** leseb has quit IRC
02:28 *** sbfox has quit IRC
02:28 <harlowja> *which is tough (depending on said system, ha)
02:30 <jamielennox> harlowja: ok, so back to basics, my concern is essentially that any 'name' should be ignored outside of keystone, in the same way you can do volume-type names etc that should be used internally only by their id
02:30 <harlowja> ayoung although the OTP thing and connections into other systems (via notifications or synchronous? workflow plugins in nova) does seem like a way in the future
02:30 <jamielennox> if there's a reason you must then sure - the data should be available at that point, but it's kind of breaking the abstraction
02:30 <harlowja> jamielennox so a config-option along with this for 'include_names' ? ;)
02:30 <harlowja> ^ or something similar
02:30 <harlowja> *defaulting to off/false
02:31 <jamielennox> and i know there has been talk previously that we should create a new token format that contains nothing but ids so things like swift's screw up can't happen
02:31 *** shakamunyi has quit IRC
02:32 <jamielennox> harlowja: if there is no security risk in providing the id then i don't see there's an additional risk to providing the name as well, it's purely a matter of "nothing should be using this" - which is obviously not always the case
02:32 <harlowja> ya
02:32 <ayoung> harlowja, not really...as I said, designate is already doing that.  Generate a DNS name based on the VM name
02:32 <jamielennox> so i guess it's just a matter of people who use this information have to understand the concepts of names in openstack and they could get burnt
02:33 <harlowja> agreed
02:34 <jamielennox> nothing new there i guess
02:34 <harlowja> right, with great power comes great responsibility
02:35 <harlowja> ha
02:35 <harlowja> *for some version of 'great power', lol
02:35 <jamielennox> lol
02:35 <ayoung> harlowja, I'd make it "opt in on a per project basis"
02:36 <harlowja> how's that setting gotten to nova?
02:37 * harlowja i didn't know this existed (this type of metadata sharing)
02:39 <harlowja> does the nova context contain all that info, from a quick look it doesn't seem to have project 'metadata' (from keystone)
02:42 <harlowja> anyway i'll bbl, can discuss this more maybe on the review if needed?
02:48 <jamielennox> harlowja: sure - but i'm ok, i was just trying to point out that names are bad
02:48 <harlowja> jamielennox yes, agreed, names bad :)
02:48 <jamielennox> if you need them then i guess it's just a matter of making sure users know what they're doing
02:50 <harlowja> right
02:50 <topol> morganfainberg you there?
02:50 *** zhiyan is now known as zhiyan_
02:53 *** mberlin has joined #openstack-keystone
02:56 *** mberlin1 has quit IRC
03:03 *** zhiyan_ is now known as zhiyan
03:11 *** ayoung has quit IRC
03:11 *** ayoung_ has quit IRC
03:23 *** leseb has joined #openstack-keystone
03:24 *** leseb has quit IRC
03:25 *** xianghui has quit IRC
03:25 *** leseb has joined #openstack-keystone
03:28 *** xianghui has joined #openstack-keystone
03:29 *** ukalifon has joined #openstack-keystone
03:29 *** leseb has quit IRC
03:47 *** praneshp has quit IRC
03:54 *** packet has quit IRC
03:54 *** radez is now known as radez_g0n3
04:01 *** nsquare has joined #openstack-keystone
04:01 *** amcrn has quit IRC
04:02 *** nsquare has quit IRC
04:03 *** nsquare has joined #openstack-keystone
04:17 *** ncoghlan is now known as ncoghlan_afk
04:25 *** topol has quit IRC
04:26 *** leseb has joined #openstack-keystone
04:29 *** praneshp has joined #openstack-keystone
04:30 *** leseb has quit IRC
04:32 *** praneshp_ has joined #openstack-keystone
04:33 *** henrynash has joined #openstack-keystone
04:34 *** praneshp has quit IRC
04:34 *** praneshp_ is now known as praneshp
04:36 *** ozialien has quit IRC
04:43 *** stevemar2 has joined #openstack-keystone
04:43 *** stevemar has quit IRC
04:45 <openstackgerrit> Brad Topol proposed a change to openstack/keystone: Add instructions for removing pyc files to docs  https://review.openstack.org/97140
04:48 *** harlowja is now known as harlowja_away
04:52 *** ncoghlan_afk is now known as ncoghlan
04:52 *** Abhijeet has joined #openstack-keystone
05:01 *** zhiyan is now known as zhiyan_
05:03 *** dolphm has quit IRC
05:04 *** dolphm has joined #openstack-keystone
05:04 *** marcoemorais has joined #openstack-keystone
05:06 *** marcoemorais1 has joined #openstack-keystone
05:08 *** marcoemorais has quit IRC
05:16 <openstackgerrit> Christian Berendt proposed a change to openstack/keystone: fixed several pep8 issues  https://review.openstack.org/93686
05:24 <openstackgerrit> henry-nash proposed a change to openstack/keystone: multi-backend support for identity  https://review.openstack.org/74214
05:26 *** amcrn has joined #openstack-keystone
05:26 *** leseb has joined #openstack-keystone
05:30 *** leseb has quit IRC
05:37 *** ajayaa has joined #openstack-keystone
05:38 *** praneshp has quit IRC
05:39 <openstackgerrit> Brad Topol proposed a change to openstack/keystone: Add cloud auditing notification documentation  https://review.openstack.org/97146
05:39 *** praneshp has joined #openstack-keystone
05:40 *** derek_c has joined #openstack-keystone
05:40 <openstackgerrit> Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/95545
05:46 *** topol has joined #openstack-keystone
05:47 <topol> stevemar2 dont you ever sleep :-)
05:47 <stevemar2> topol, meh, it's overrated
05:48 <stevemar2> how am i stevemar2 again?
05:48 <stevemar2> i really do not like my isp
05:48 <topol> stevemar2, dunno. but you are now ready to have kids!!!
06:01 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/97005
06:18 *** xianghui has quit IRC
06:28 *** topol has quit IRC
06:40 *** derek_c has quit IRC
06:40 *** sbfox has joined #openstack-keystone
06:44 *** xianghui has joined #openstack-keystone
06:51 *** xianghui has quit IRC
06:57 <marekd> jamielennox: no, i didn't. I will try to do it now. Anyway, it looks like it's an error coming from Keystone. Is it even possible to use requests.Session() instead of keystoneclient.session.Session()?
06:58 *** tomoiaga has joined #openstack-keystone
06:58 <jamielennox> marekd: no, they are not replaceable, keystoneclient.Session uses a requests.session internally
06:58 <marekd> jamielennox: yes i know
06:58 <marekd> jamielennox: but on the other hand, it uses requests.Session() underneath and basically wraps it...
07:00 <jamielennox> yea, it adds to a requests.Session, so you do need both
07:01 <marekd> jamielennox: ;/ ok, i am going to look into it right about now..
07:01 <marekd> jamielennox: are you going to be here or logging out?
07:01 <marekd> [in case i need some quick consultancy]
07:01 <jamielennox> i'll be gone in about 15 minutes :)
07:02 <marekd> => so no
07:06 *** tomoiaga has left #openstack-keystone
07:08 *** xianghui has joined #openstack-keystone
07:09 *** sbfox has quit IRC
07:10 *** gyee has quit IRC
07:13 *** BAKfr has joined #openstack-keystone
07:14 *** afazekas has joined #openstack-keystone
07:22 *** andreaf has joined #openstack-keystone
07:23 *** stevemar2 has quit IRC
07:26 *** andreaf has quit IRC
07:31 <ajayaa> Hi. Can I add filters like project_id:(scope.project.id)s in policy for all the apis?
07:44 *** ncoghlan is now known as ncoghlan_afk
07:44 *** ncoghlan_afk is now known as ncoghlan
07:44 *** ncoghlan has quit IRC
07:50 *** praneshp has quit IRC
07:55 <marekd> jamielennox: hmmm, the reason for the bug was: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L255
07:57 <marekd> if i change allow_redirects = True, the requests.Session() will work correctly. Now, I really want to be able to change that value when I call keystoneclient.session.Session.request() method
08:05 *** xianghui has quit IRC
08:22 *** xianghui has joined #openstack-keystone
08:22 <openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Allow for using requests.Session() redirections  https://review.openstack.org/97428
08:28 *** andreaf has joined #openstack-keystone
08:45 *** xianghui has quit IRC
08:49 <openstackgerrit> Christian Berendt proposed a change to openstack/keystone: add missing log hints for level C/E/I/W  https://review.openstack.org/95381
08:49 *** amcrn has quit IRC
08:58 *** xianghui has joined #openstack-keystone
09:05 *** yfujioka has joined #openstack-keystone
09:05 <yfujioka> hello
09:05 <yfujioka> I have been trying ldap backend with devstack
09:07 <yfujioka> I couldn't get default project id of user when backend is ldap.
09:08 <yfujioka> is it specification? did I miss configuration?
09:13 *** fmarco76 has joined #openstack-keystone
09:13 *** fmarco76 has left #openstack-keystone
09:22 *** marcoemorais1 has quit IRC
09:27 <marekd> Assuming PKI tokens are used, do services like nova ever contact Keystone after the request for e.g. a new VM machine arrives?
09:32 *** rodrigods_ has joined #openstack-keystone
09:46 *** rodrigods_ has quit IRC
09:50 *** jaosorior has joined #openstack-keystone
10:07 *** gabriel-bezerra has quit IRC
10:07 *** tellesnobrega has quit IRC
10:07 *** htruta has quit IRC
10:07 *** samuelmz has quit IRC
10:07 *** rodrigods has quit IRC
10:09 *** gabriel-bezerra has joined #openstack-keystone
10:09 *** samuelmz has joined #openstack-keystone
10:10 *** rodrigods has joined #openstack-keystone
10:11 *** htruta has joined #openstack-keystone
10:13 *** afaranha has joined #openstack-keystone
10:13 *** tellesnobrega has joined #openstack-keystone
10:26 *** xianghui has quit IRC
10:27 *** nsquare has quit IRC
10:36 <ajayaa> marekd: there is something called revocation list which is fetched by the middleware in certain intervals which lists out the revoked tokens.
10:38 <ajayaa> marekd: see this. https://wiki.openstack.org/wiki/PKI-Revoke
10:44 *** xianghui has joined #openstack-keystone
10:50 *** xianghui has quit IRC
11:14 *** dims_ has joined #openstack-keystone
11:20 <ajayaa> Hi. Any idea on how do I list users in a project in keystone v3 api?
11:23 *** htruta has quit IRC
11:28 <BAKfr> ajaya, I think you can list user's roles on project, and consider that the user is on the project only if he has at least one role.
11:30 *** htruta has joined #openstack-keystone
11:32 *** Abhijeet has quit IRC
11:39 *** diegows has joined #openstack-keystone
11:39 <marekd> ajayaa: true, forgot to think about that, but, apart from that, when a request for booting a machine arrives to nova, it has all the information in the token and internal config.
11:39 *** ukalifon has quit IRC
11:40 <openstackgerrit> Marco Fargetta proposed a change to openstack/keystone-specs: Web Authentication for SAML federated Keystone  https://review.openstack.org/96867
11:43 <openstackgerrit> Marco Fargetta proposed a change to openstack/keystone-specs: Web Authentication for SAML federated Keystone  https://review.openstack.org/96867
11:55 *** packet has joined #openstack-keystone
11:59 *** raildo has joined #openstack-keystone
12:04 <ajayaa> BAKfr: agree. But I think there should be some way to list users without roles. If a user has multiple roles then the "role-assignment-list" result would be too big.
12:06 <ajayaa> marekd: Yes nova has all the information. afaik things like authentication and authorisation are handled by the middleware which when gives a go-ahead, actual nova service comes into picture.
12:07 <marekd> ajayaa: ok, thanks.
12:11 *** ukalifon has joined #openstack-keystone
12:11 *** packet has quit IRC
12:17 <openstackgerrit> Marek Denis proposed a change to openstack/keystone: Enforce ``saml2`` protocol in Apache config  https://review.openstack.org/97479
12:18 <marekd> dolphm, morganfainberg_Z: easy review ^^
12:19 <openstackgerrit> Marek Denis proposed a change to openstack/keystone: Enforce ``saml2`` protocol in Apache config  https://review.openstack.org/97479
12:21 *** zhiyan_ is now known as zhiyan
12:23 *** ukalifon has quit IRC
12:31 *** zhiyan is now known as zhiyan_
12:31 *** dims_ has quit IRC
12:32 *** dims_ has joined #openstack-keystone
12:32 *** gordc has joined #openstack-keystone
12:33 *** xianghui has joined #openstack-keystone
12:47 *** bvandenh has joined #openstack-keystone
12:57 *** radez_g0n3 is now known as radez
13:03 <marekd> lbragstad: https://review.openstack.org/#/c/87849/ -> I think stevemar was right, you will not use it at the moment. Could you please add a comment so the patch could be either processed or abandoned?
13:04 <lbragstad> marekd: sure
13:04 <marekd> lbragstad: thanks.
13:04 <marekd> :-)
13:04 <lbragstad> marekd: no problem, thanks for the reminder
13:06 *** openstackgerrit has quit IRC
13:06 *** openstackgerrit has joined #openstack-keystone
13:06 <lbragstad> marekd: updated
13:08 <marekd> yep, thanks. dstanek_zzz - I think you can now remove your -2 and we can move it back to the federation.
13:10 <marekd> dstanek_zzz: https://review.openstack.org/#/c/87849/
13:11 *** gordc has quit IRC
13:15 <openstackgerrit> henry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/97492
13:15 <openstackgerrit> Marek Denis proposed a change to openstack/keystone: Move mutable parameter checking into federation  https://review.openstack.org/87849
13:17 <openstackgerrit> henry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/97492
13:21 <openstackgerrit> Lance Bragstad proposed a change to openstack/keystone-specs: Purpose api-validation blueprint  https://review.openstack.org/95957
13:25 *** hrybacki has joined #openstack-keystone
13:32 *** bknudson has joined #openstack-keystone
13:33 *** ChanServ sets mode: +o dolphm
13:42 <ajayaa> dolphm: Hi. How do I list users in a project in keystone v3 api? I could use list-role-assignments. But there was such an api present in v2 but not in v3.
13:43 <dolphm> ajayaa: I believe it's GET /v3/role_assignments?project.id={project_id}
13:43 <ajayaa> Yes it gives you all the roles along with users.
13:46 <ajayaa> dolphm: it gives the roles along with users, right? but in v2 there was /v2.0/tenants/{tenantId}/users. There is no such api in v3. Just curious why such an api is not there.
13:47 *** ayoung has joined #openstack-keystone
13:49 <ayoung> morganfainberg_Z, when you wake up, there is good news waiting for you.  https://github.com/krb5/krb5/commit/d950809ff49e3e7603594186d77135a09ab6b1b2
13:50 <dolphm> ajayaa: i'm not clear what about the v2 call you're looking for that the v3 call does not provide? the v3 equivalent is actually much more powerful
13:50 <dolphm> or should be, anyway
13:51 <openstackgerrit> henry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/97492
13:51 *** shakamunyi has joined #openstack-keystone
13:52 <htruta> stevemar, dtroyer: hey :(
13:52 *** xianghui has quit IRC
13:54 <openstackgerrit> henry-nash proposed a change to openstack/keystone: multi-backend support for identity  https://review.openstack.org/74214
13:56 *** joesavak has joined #openstack-keystone
13:57 <ajayaa> dolphm: Yes it's powerful but If a user has multiple roles he would appear multiple times in the v3 call. It could be useful  to provide an api which would list out just the user names and user ids in a project.
13:58 <ajayaa> dolphm: If you want to list out the users of a project along with their id and email it would take two calls as of now.
14:01 <dolphm> ajayaa: what's the second call, GET /users/{user_id} ?
14:04 <ajayaa> yes. I think you can call  GET /users.
14:06 <ajayaa> dolphm, The call " /users" is not documented but the openstack client calls it when you issue "openstack user list"
14:07 <dolphm> ajayaa: it's documented here https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#list-users-get-users
14:07 <lbragstad> isn't it documented here https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#users
14:07 *** topol has joined #openstack-keystone
14:07 <dolphm> lbragstad: ++
14:08 <ajayaa> sorry my bad. I was following http://developer.openstack.org/api-ref-identity-v3.html
14:11 *** henrynash has quit IRC
14:12 *** gordc has joined #openstack-keystone
14:12 <dolphm> ajayaa: unfortunately that page is full of copy/pasted mistakes from the link above, and is far from complete :( we're trying to figure out how to get rid of it
14:16 <ajayaa> dolphm: okay. Thank you. If I use keystone v3 token with other services such as nova, would they have a problem? I have tried calling a few nova apis with v3 token and they work.
14:17 <ayoung> hrybacki, dolphm http://adam.younglogic.com/2014/06/keystone-tox-cheat-sheet/
14:18 <hrybacki> ayoung++
14:23 <lbragstad> ayoung:  do you know if there is a community wide tox guide somewhere?
14:23 <dolphm> ajayaa: the latest version of auth_token should take care to handle any differences
14:24 <dolphm> lbragstad: pip install tox; tox  # <-- community guide
14:24 <lbragstad> :) good point
14:26 <ayoung> lbragstad, I do not
14:26 <ayoung> I've not seen one, but I have not looked
14:26 <ajayaa> dolphm: Our servers are still running havana. Could the latest auth_token be backported to havana or would it be too much work?
14:26 <dolphm> ajayaa: auth_token lives in the client, so it wouldn't require backporting. just install the latest client
14:26 <lbragstad> ayoung: ok, for some reason I thought I saw one at some point, figure your info would be a good addition
dolphmajayaa: (on your control plane)14:26
*** andreaf has quit IRC14:29
ajayaadolphm: The command line script "keystone" doesn't support keystone v3, right? I think I will need to use "openstack" command line script.14:34
*** stevemar has joined #openstack-keystone14:36
*** gokrokve has joined #openstack-keystone14:36
ayounghrybacki, http://koji.fedoraproject.org/koji/buildinfo?buildID=466643  that is a 1.6.1 RPM ...gonna try it14:38
ayoungdolphm, is there some way we could make tox honor older versions of the stable branches?  Something like:  tox -epy27i  for icehouse and -3py27h  for havana?14:43
*** ajayaa has quit IRC14:45
ayoungBackports are expensive in rebuild time14:45
*** gordc1 has joined #openstack-keystone14:46
*** gordc has quit IRC14:46
*** rodrigods has quit IRC14:47
lbragstadayoung:  can't that be accomplished by checking out the stable branch code?14:48
ayounglbragstad, but then tox rebuilds the venv14:48
ayoungI guess I could do the mv .tox/epy27  .tox/ep27h14:48
ayoungand so forth14:48
ayoungwould be nice if tox managed that directly, is all14:49
*** dims_ has quit IRC14:49
*** gordc1 is now known as gordc14:50
*** rodrigods has joined #openstack-keystone14:51
ayounglbragstad, what is the magic to failfast on tox?14:54
ayoungIE  run until first error and then stop14:54
dolphmayoung: it just passes arguments to the underlying test runner14:55
lbragstadayoung: testr run --until-failure ?14:57
ayounghrybacki, libxml2-devel-2.9.1-2.fc20.x86_6414:57
hrybackiayoung++14:57
ayounglbragstad, with tox?  Or just activate the venv and run that14:57
lbragstadyou could try it in venv, but tox should do the same thing14:58
lbragstadI've never used that before I don't think14:58
ayounglbragstad, OK,  I'm trying;   tox -epy27 -r -- --until-failure15:01
ayoungor should that be15:01
ayounglbragstad, OK,  I'm trying;   tox -epy27 -r args --until-failure15:01
hrybackiayoung, still seems to be crashing on libxml -- same point15:01
ayounghrybacki, you running tox inside the venv?15:02
hrybackinope15:02
ayoungshouldn;t matter, though15:02
lbragstadhrybacki: to activate your venv: /opt/stack/keystone$ . .tox/py27/bin/activate15:02
ayounghrybacki,  #include "libxml/xmlversion.h"  should be in /usr/include15:02
ayoungis it?15:02
lbragstadyour prompt should change: (py27)lbragstad@precise64:/opt/stack/keystone$15:02
ayoung/usr/include/libxml2/libxml/xmlversion.h15:02
ayounglbragstad, nah, he'15:03
ayoung's past that15:03
bknudsonhttps://wiki.openstack.org/wiki/Testr15:03
ayoungproblem is with the dependenciesthat are not from pip15:03
hrybackiayoung, /usr/include/libxml2/ is the closest thing15:03
ayounghrybacki, rpmquery -f /usr/include/libxml2/libxml/xmlversion.h15:03
ayounglibxml2-devel-2.9.1-2.fc20.x86_6415:03
lbragstadayoung: hrybacki there could be conflicts with what is installed already on the system15:03
hrybackiayoung, libxml2-devel-2.9.1-2.fc20.x86_6415:04
hrybackilbragstad, hrm15:04
lbragstadhrybacki: how are you hitting the error?15:07
*** yfujioka has quit IRC15:08
hrybackilbragstad, ran tox -epy2715:08
lbragstadhave you tried recreating your tox env?15:08
hrybackiso /usr/include/libxml2/libxml/xmlversion.h shows 2.9.1 is installed15:08
hrybackiand the reqs are looking for >= 2.315:08
hrybackihow?15:08
lbragstadtox -e py27 --recreate15:08
hrybackikk15:09
marekdor tox -re <option>15:10
lbragstadmarekd: ++15:10
hrybackilearning all of the things today15:10
hrybackialso failed at the same spot -- pastebin -- http://paste.fedoraproject.org/106841/01808292/15:11
*** joesavak has quit IRC15:12
ayounghrybacki, bet it is a dependency15:12
ayoungnot libxml/xmlversion.h  but something it depends on15:12
ayounghrybacki, the list of RPMS needed is in devstack15:12
bknudsonyou have to install some dev packages15:12
ayoung1 sec15:13
hrybackiayoung, bknudson++15:13
bknudsonsudo apt-get install -y git git-review15:13
ayounghrybacki, https://github.com/openstack-dev/devstack/blob/master/files/rpms/keystone15:13
bknudsonsudo apt-get install -y libxslt1-dev libmysqlclient-dev15:13
ayoungthat is not enough, though15:14
ayounghttps://github.com/openstack-dev/devstack/blob/master/files/rpms/general15:14
bknudsonthat's needed before running devstack15:14
ayoungthere are also specific ones for mysql15:14
bknudsonat least that's what worked for me15:14
marekdon my debian i had to also install: python-dev libldap2-dev libsasl2-dev libssl-dev zlib-dev libxml2-dev libxslt1-dev15:15
*** joesavak has joined #openstack-keystone15:15
lbragstadayoung: I had to do sudo yum install mysql-devel to get devstack to work on centOS15:18
*** afazekas has quit IRC15:20
hrybackilbragstad++ on mysql-devel15:24
lbragstadhrybacki: did that work?15:24
hrybackifind out -- it crashed on sql this time -- seeing how far this run gets it15:25
marekdstevemar: hm, you are very likely right about the protocol. I will change the patch, however I think the location should not accept wildcards.15:28
stevemarmarekd, yeah, maybe mention that in the change?15:29
marekdstevemar: yeah.15:29
stevemarNote: saml2 may be different in your deployment, but do not use a wildcard value?15:30
stevemarmarekd, ^15:30
marekdstevemar: OK15:30
*** pheadron has quit IRC15:30
*** radez is now known as radez_g0n315:31
marekdstevemar: and leave saml2 hardcoded in that <Location> regex?15:32
*** pheadron has joined #openstack-keystone15:32
stevemarmarekd, yes, i think so15:33
marekdstevemar: ok15:33
marekdtox'ing.15:33
*** gyee has joined #openstack-keystone15:34
openstackgerritMarek Denis proposed a change to openstack/keystone: Enforce ``saml2`` protocol in Apache config  https://review.openstack.org/9747915:36
*** gokrokve has quit IRC15:37
*** bvandenh has quit IRC15:43
*** morganfainberg_Z is now known as morganfainberg15:43
*** andreaf has joined #openstack-keystone15:46
marekdstevemar: if I make patch X a dependency for patch Y, and X is for some reason -2'ed, is there a way to cleanly undo the dependency in gerrit/git ?15:46
marekdstevemar: I am not sure the allow_redirects for requests.Session() will be +A and that's why I didn't want to make it a dependency for saml authn plugin.15:47
stevemarmarekd, ahh, then just call out the patch in the commit msg15:47
marekdstevemar: sure.15:48
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216615:51
*** vhoward has left #openstack-keystone15:52
stevemari vote henrynash do all of our specs from now on15:55
stevemarhttps://review.openstack.org/#/c/97492/3/specs/juno/multi-backend-uuids.rst was such a nice read15:55
morganfainbergstevemar, lol15:56
stevemarmorganfainberg, it really was!15:56
stevemarmorganfainberg, yours are equally good :)15:56
morganfainbergstevemar, meh. mine are a little haphazard compared to henry's15:57
*** joesavak has quit IRC16:01
*** afazekas has joined #openstack-keystone16:04
*** richm has joined #openstack-keystone16:07
*** BAKfr has quit IRC16:08
openstackgerritDolph Mathews proposed a change to openstack/keystone: Add v2 & v3 API documentation  https://review.openstack.org/9624216:10
*** dims_ has joined #openstack-keystone16:16
bknudsonmarekd: you can undo the dependency with gerrit/git16:18
bknudsonshould be able to do a git rebase -i HEAD~2 , remove the commit you don't want16:19
bknudsonand then push that with git-review16:19
*** dims_ has quit IRC16:21
*** marcoemorais has joined #openstack-keystone16:22
openstackgerritDolph Mathews proposed a change to openstack/keystone: Add v2 & v3 API documentation  https://review.openstack.org/9624216:26
*** joesavak has joined #openstack-keystone16:29
*** afaranha has left #openstack-keystone16:40
*** pafuent has joined #openstack-keystone16:40
pafuentayoung: Sorry to bother you, but, Did you have time to look deeper at the auth_url issue that I mentioned yesterday?16:44
*** harlowja_away is now known as harlowja16:45
*** thedodd has joined #openstack-keystone16:45
*** gokrokve has joined #openstack-keystone16:50
ayoungpafuent, nope16:55
*** 7F1AATB60 has joined #openstack-keystone16:58
*** 7F1AATB60 has quit IRC16:59
*** radez_g0n3 is now known as radez16:59
*** marcoemorais has quit IRC16:59
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648316:59
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources  https://review.openstack.org/9626616:59
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648416:59
*** marcoemorais has joined #openstack-keystone16:59
pafuentayoung: OK, from my side I'll provide a quick fix for Blazar. If you need more info in order to check if it is a bug please let me know.16:59
*** amcrn has joined #openstack-keystone17:00
*** marcoemorais1 has joined #openstack-keystone17:00
*** marcoemorais has quit IRC17:04
*** sbfox has joined #openstack-keystone17:07
*** vhoward has joined #openstack-keystone17:08
morganfainbergstevemar, ping17:10
stevemarmorganfainberg, pong17:10
*** henrynash has joined #openstack-keystone17:10
morganfainbergstevemar, oauth17:11
stevemarmorganfainberg, y17:11
morganfainbergstevemar, so that thread you're on... there is a need for long-term delegation17:11
morganfainbergrequest tokens live for 28800 by default right?17:12
stevemarmorganfainberg, if you mark the expires values in the .conf to None they should live forever17:12
stevemary17:12
morganfainbergstevemar, ah but don't get to control the conf in this case17:12
morganfainbergcan't guarantee oauth isn't being used elsewhere17:12
stevemarmorganfainberg, bah17:12
morganfainbergstevemar, yeah.17:13
morganfainbergstevemar, hmmm.17:13
morganfainbergstevemar, any thoughts on how to handle this type of scenario?17:15
stevemarmorganfainberg, not really, shardy brought up the same problems17:15
*** kun_huang has joined #openstack-keystone17:16
stevemarmorganfainberg, i had hoped that placing the values in .conf was flexible enough, but apparently not17:16
stevemarmorganfainberg, we could make it an optional call in authorize_request_token...17:16
*** dims_ has joined #openstack-keystone17:17
stevemarthat is the only step where the authorizing user actually interacts with the REST API17:17
stevemarmorganfainberg, i'm assuming it's more important that an access token live longer, than a request token17:18
ayoungmorganfainberg, did you see my wakeup message for you?17:22
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/9749217:23
*** shakamunyi has quit IRC17:24
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/9749217:24
ayoungmorganfainberg, also, in response to yesterday's conversations about users, backend, and the like...I have not totally given up on multiple LDAP support in its current incarnation without a shadow table entry17:25
*** browne has joined #openstack-keystone17:26
ayounghenrynash, looks good!17:29
henrynashayoung: getting there….specs rule, me thinks17:29
ayoung++17:29
ayoungits nice having the checklist of items to cover17:30
ayounghenrynash, for docs,  you can run tex -edocs and see just those errors17:30
ayounghttp://logs.openstack.org/14/74214/25/check/gate-keystone-docs/2c8159b/console.html17:30
henrynashyes…was about to go hunt that down! thanks17:31
ayounghenrynash, some of them are frustrating...rst rules in the internal comments17:31
henrynashyeah...17:31
ayoungkeystone.identity.core.Manager:28: ERROR: Unexpected indentation.17:32
ayoungthat is not line 28 of the file, but of the docstring17:32
ayoungline 238 in your patch17:33
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/9749217:33
ayoung    - there is a single LDAP driver and backward compatible IDs are not17:33
ayoungand then17:33
ayoung      required.17:33
ayoungwhich probably should just align with the hash mark17:34
morganfainbergayoung, never expect you to give up on an option w/o a shadow table. but for Juno we're going with the mapping table (pluggable of course). if it turns out to be better to drop it for an alternative for the default that's fine :)17:35
morganfainbergayoung, gives us options and doesn't lock us in.17:36
ayoungmorganfainberg, actually, for multiple LDAP, even with the shadow table, I think we'll need it.17:36
ayoung"no lookup in the backend"17:36
ayoungthe API is17:36
ayoungaccepts userid, projectid and roleid17:36
ayoungthey will come in knowing username and the other info17:36
ayoungso...I guess the lookup in LDAP, if successful, will have to put in the shadow table entry17:37
morganfainbergayoung, yeah. likely17:37
henrynashayoung: thx17:38
morganfainberghenrynash, yea the specs make it a lot easier to define the target.17:38
morganfainbergstevemar, i could get a new access token if the request token lived a long time17:39
morganfainbergstevemar, either way it's cut, one of them needs potential to keep living for a long time for this use case.17:39
henrynashmorganfainberg: I'm a total convert (but then I always was)…but I just think it will make us much more efficient - i.e. REALLY agree the design upfront and then code reviews are just that17:39
stevemarmorganfainberg, i initially set access tokens for a day :(17:40
morganfainberghenrynash, i'd like if it was built into the BP system (e.g. what I hope StoryBoard ends up being)17:41
morganfainberghenrynash, but it's good.17:42
morganfainbergstevemar, any thoughts on how to address this? maybe a way (when authorizing the request token) to say how long the access token can live?17:42
morganfainbergstevemar, if not specified, you get the default17:43
openstackgerrithenry-nash proposed a change to openstack/keystone: multi-backend support for identity  https://review.openstack.org/7421417:45
morganfainbergayoung, gertty is pretty awesome if you've not looked at it17:48
morganfainbergstevemar, topol, ^ (gertty)17:49
*** nsquare has joined #openstack-keystone17:50
ayoungmorganfainberg, so...this was why trusts:17:51
ayoungsplit authentication from authorization17:51
ayoungthen trusts can live as long as we need17:52
ayoungand you authenticate as the "user"17:52
ayoungthe problem with access tokens is that it lumps the two together17:52
morganfainbergayoung, unfortunately I'm losing the battle of "needing a user for every single end point that wants to talk to X"17:52
ayoungand we have no unique way to identify Consumers outside of access tokens17:52
marekdbknudson: thanks. I will make the dependencies then.17:52
morganfainbergayoung, i don't disagree with you at all.17:53
ayoungmorganfainberg, I think the answer is outside the scope of the current oauth mechanism17:53
ayoungbut it might be in oauth217:53
morganfainbergayoung, and that is 100% acceptable answer17:53
morganfainbergayoung, if current oauth can do it, great, if not - i'll see what else can17:53
ayoungmorganfainberg, we need to merge oauth and trusts, we need a way to identify consumers17:54
ayoungwe need a global directory17:54
morganfainbergthough, i'm thinking the easiest way is to just tack in limited roles to EC2 credentials [it isn't dying] and work on a real "better solution" - around trusts, etc17:54
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities  https://review.openstack.org/9749217:54
morganfainbergayoung, we already support EC2 creds, the only thing it doesn't support is restricted roles.17:55
morganfainbergayoung, very minor change when creating the cred. -- but i would much rather not encourage the use of those things17:55
ayoungmorganfainberg, could we make it?17:55
morganfainbergyeah, would be easy to just have a simple "roles_allowed:" and store that in the cred, and when we issue a token force those as the only valid roles.17:56
morganfainbergsome extra mechanisms to ensure they are valid for user/<scope> combinations17:56
morganfainbergayoung, small changeset i think.17:56
morganfainbergi just would rather not encourage those tokens. :P17:56
henrynashmorganfainberg: one thing the creds API should support is a user_id filter…then at least we could create policy that let a user look at his own creds17:57
* morganfainberg is biased against EC2Credential contrib.17:57
ayoungmorganfainberg, what if anything exchanged for a token went through a trust configuration, and we didn't need to explicitly create trusts, but could inherit trust definitions?  Group based trusts?17:57
henrynashmorganfainberg: I was going to write-up a quick bp (err.maybe spec :-) )17:57
morganfainbergayoung, interesting.17:57
morganfainberghenrynash, we already support it, just don't expose it to non-admin i think.17:58
morganfainberghenrynash, or well.. guard against looking at anyone's credentials17:59
henrynashmorganfainberg: but you need to be able to list your entries so that you can read it17:59
morganfainberghenrynash, right17:59
henrynashmorganfainberg: we support the filter in the manager….just not in the controller17:59
morganfainberghenrynash, yah, we need to "fix" that so non-relational credential backends could work17:59
henrynashmorganfainberg: I'll fix that up18:00
morganfainbergah meeting time.18:00
*** daneyon has joined #openstack-keystone18:03
openstackgerritBrad Topol proposed a change to openstack/keystone-specs: Spec for audit support for federation  https://review.openstack.org/9758118:06
*** praneshp has joined #openstack-keystone18:17
*** ajayaa has joined #openstack-keystone18:38
*** juanmo has joined #openstack-keystone18:45
*** kun_huang has quit IRC18:58
*** kun_huang has joined #openstack-keystone18:58
*** kun_huang has quit IRC19:00
ayounghenrynash, I'd be OK with adding to the user_crud extension19:00
ayoungGET  /user/byname/{username}19:00
ayoungor something less gross19:00
henrynashayoung: maybe I’m being dumb…why can’t you just call the manager…where is it you want to call this from?19:01
ayounghenrynash, CLI19:01
ayounghenrynash, as a project administrator, I want to grant a user a role on a project19:02
ayounguser has never logged in to OpenStack before19:02
*** praneshp has quit IRC19:02
bknudsonwith federation, there might not even be a user19:02
henrynashayoung: Ok, right19:02
ayoung I can't log in as them, because its LDAP19:02
bknudsonjust a bag of attrs in a saml doc19:02
ayoungso I need to prepopulate the actor table19:02
ayoungbknudson, not once it is in the actor table it isn't19:02
bknudsonwhat's in the actor table?19:03
bknudsonthe user's attrs?19:03
bknudsonthat attrs in the saml doc?19:03
openstackgerritJuan Manuel Ollé proposed a change to openstack/python-keystoneclient: Keystoneclient create user API should have optional password.  https://review.openstack.org/9759719:04
*** praneshp has joined #openstack-keystone19:04
henrynashayoung: sorry, on phone19:04
jamielennoxmorganfainberg: can you kick along: https://review.openstack.org/#/c/81985/19:06
jamielennoxand a quick one for everyone: https://review.openstack.org/#/c/91216/19:07
*** daneyon has quit IRC19:08
*** daneyon has joined #openstack-keystone19:08
morganfainbergayoung, do you think you're going to have time to work on the compressed token stuff here soon or should i move the apache_services check job to experimental until we land everything19:08
ayoungmorganfainberg, its coming19:09
ayoungmorganfainberg, I just got some help on it...19:09
morganfainbergayoung, just means you'd need to comment on the review to get the check done instead on everyone's reviews.19:09
morganfainbergayoung, ok just checking before i start mucking with infra config patches19:09
ayoungI need to drop making it the default, but then figure out what are the right tests to add19:09
ayoungah..you need it default in order to use it in infra19:10
ayoung move the apache_services check job to experimental19:10
ayoungdolphm, so we really should have an API that exposes get_user_by_name19:11
ayoungits only in authenticate right now19:11
dolphmayoung: GET /v3/users?name={something}19:11
ayoungdolphm, yeah19:11
ayoungto populate the actors identity mapping table19:12
ayoungdolphm, I'm kindof worried about the effect list users would have first time it is run, if every user is going to trigger an entry in that table.  For SQL it would be a migration, but for LDAP....19:12
ayoungI suspect we are going to have a bit of a transition19:13
bknudsondolphm: I'd expect that to get the users in any domain?19:13
ayoungbknudson, its ok if the query is domain specific19:13
dolphmbknudson: correct, you have to additionally filter by domain_id19:13
ayoung GET /v3/users?name={something}&domain_name={}19:14
ayoungor19:14
dolphmayoung: domain_id19:14
ayoung GET /v3/users?name={something}&domain_id={}19:14
ayoungdolphm, only if you can get domain_id from domain name19:14
bknudsonok, now keystone knows how to talk to the federation server to get user info?19:14
bknudsonidentity server19:14
dolphmayoung: GET /v3/domains?name={domain_name}19:14
dolphmbknudson: no19:15
morganfainbergayoung, will propose making it experimental today then, thanks19:15
*** htruta has quit IRC19:15
jamielennoxmarekd: ping19:15
ayoungdolphm, hmmm, I wonder if we need a policy check on that call.  Otherwise, people will start looking "I wonder if Domain = "Pepsi" is in this datacenter.19:15
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add example script for role_assignments module  https://review.openstack.org/9760019:15
rodrigodsayoung, ^19:16
ayoung++19:16
rodrigodsfinally the example script you suggested =)19:16
jaosoriorIs there any way to log user activity in keystone besides setting the debug option?19:16
bknudsonnow we need to maintain a bunch of scripts?19:16
jaosoriorfor auditing19:16
bknudsonare there going to be tests so that they get run?19:17
dolphmayoung: list_domains has a policy entry already19:17
dolphmjaosorior: you should talk to topol19:17
topolo/19:17
ayoungdolphm, yeah,  just not sure we are enforcing that a user needs to have a role in that domain, or a project in that domain, before they get an answer back...would be an expensive call19:17
dolphmjaosorior: not quite auditing but http://docs.openstack.org/developer/keystone/event_notifications.html19:18
topolHi jaosorior19:18
topolwhat do you need19:18
dolphmtopol: i don't see any docs on openstack.org about authentication auditing?19:18
topolawesome, a stakeholder19:18
rodrigodsbknudson, would be nice to have those scripts for a first time user, IMO19:19
bknudsonrodrigods: not if the scripts stop working due to not being tested19:19
topoldolphm, I thought they were added to http://docs.openstack.org/developer/pycadf/19:19
topolif not that is my bad and I will get that fixed19:19
dolphmtopol: wasn't aware of that page either19:20
dolphmjaosorior: i'd also suggest running keystone behind apache and enabling an access log19:20
rodrigodsbknudson, i think those scripts are just a type of documentation19:20
topoldolphm, I just posted a doc patch to keystone with that information19:20
dolphmtopol: link?19:20
rodrigodsbknudson, they can get deprecated, and need maintenance19:20
topoldolphm, #link https://review.openstack.org/#/c/97146/19:22
bknudsonI think we have enough problems maintaining the docs as it is19:22
dolphmtopol: #link only works in #openstack-meeting19:22
topoldolphm, sorry, topol is #dumb19:22
topoldolphm, I'll add you as an a reviewer,let me know if we need to advertise http://docs.openstack.org/developer/pycadf/ in places other than where I added it19:23
rodrigodsbknudson, the current docs doesn't show how we can use the client, for example19:24
rodrigodsor, only shows a really limited set of operations19:24
bknudsonrodrigods: right, we need those docs19:24
rodrigodsbknudson, and, what's best than a script showing how it works for a dev?19:24
rodrigods=)19:24
bknudsona script that's tested that it works?19:25
jaosoriorI'll check the notifications, but dolphm, can you elaborate on the access log?19:25
topoljaosorior, if you have feedback on where we need to add more audit records for keystone let me know. We like stakeholder driven development19:25
rodrigodsbknudson, you mean, tests for the example script? can't they become obsolete as well?19:25
bknudsonrodrigods: the tests run on every commit, so when it fails we have to fix it to get the code merged19:26
dolphmjaosorior: http://httpd.apache.org/docs/2.2/logs.html#accesslog19:26
jaosoriorexcellent, I'll check it out and see if there's anything needed19:31
openstackgerritDolph Mathews proposed a change to openstack/keystone: document keystone-specs instead of LP blueprints in README  https://review.openstack.org/9760419:33
rodrigodsbknudson, suggestions on how to test it?19:33
jaosoriorBut basically we would need to know what user, with what roles are getting tokens, issuing or requesting trusts, and so on. Since auditing in telecom is quite strict19:34
bknudsonrodrigods: I guess it would be like the other keystoneclient tests, mocking the keystone server responses for any URLs it hits.19:35
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: use double backticks on literals in README  https://review.openstack.org/9760519:35
openstackgerritayoung proposed a change to openstack/keystone: Compressed Token Provider  https://review.openstack.org/9114519:47
*** hrybacki has quit IRC19:51
*** sbfox has quit IRC19:56
*** sbfox has joined #openstack-keystone19:56
*** hrybacki has joined #openstack-keystone19:59
*** joesavak has quit IRC20:04
*** marcoemorais has joined #openstack-keystone20:05
*** ajayaa has quit IRC20:06
*** marcoemorais has quit IRC20:06
*** marcoemorais2 has joined #openstack-keystone20:06
*** marcoemorais1 has quit IRC20:08
bknudsonhttps://bugs.launchpad.net/openstack-ci/+bug/1083101 !!20:08
uvirtbotLaunchpad bug 1083101 in openstack-ci "Set up private gerrit for security reviews" [High,In progress]20:08
lbragstadnice20:09
marekdjamielennox: what's up.20:12
jamielennoxmarekd: oh, so what is different between our redirects and requests that it doesn't work for you?20:13
jamielennoxi really don't want to make that redirects flag configurable20:13
*** topol has quit IRC20:14
marekdjamielennox: i don't know what happened under the cover, but switching to requests redirections simply worked...20:17
jamielennoxmarekd: do you have some commands i can issue to debug it?20:18
jamielennoxmarekd: we handle redirects manually as requests does some interesting browser tricks which we generally don't want in an API, so it might be one of those20:19
marekdjamielennox: in general this: https://review.openstack.org/#/c/92166/ but it needs a working SAML Service Provider, which I have as a VM on my local machine. Let me create SP available from the Internet, so everybody can use it...20:20
marekdjamielennox: i know, i read the docs and I guess one of the requests's trick does the magic here.20:20
stevemarmarekd, not one to try and cover up his use of magic20:20
marekdstevemar: whose?20:21
stevemarmarekd, your magic20:21
marekddefinitely too much magic in all that stuff.20:22
jamielennoxmarekd: so if you want to check out what's happening you can get the response.history which should give you all the requests that were sent20:23
jamielennoxthen print out the bodies and the response codes etc20:23
marekdjamielennox: ok, gonna try that20:24
marekdi will keep you updated.20:24
jamielennoxmarekd: yep, if you can get a good print of the exchange (even with wireshark) and send it to me i can look into it as well20:25
marekdjamielennox: ok20:26
*** raildo has left #openstack-keystone20:27
*** hrybacki has quit IRC20:31
openstackgerritayoung proposed a change to openstack/keystone: Compressed Token Provider  https://review.openstack.org/9114520:32
*** joesavak has joined #openstack-keystone20:35
*** erecio has quit IRC20:36
*** erecio has joined #openstack-keystone20:42
*** pheadron has quit IRC20:43
*** pheadron has joined #openstack-keystone20:43
*** joesavak has quit IRC20:46
ayoungdolphm, can you Approve https://review.openstack.org/#/c/91883/20:47
*** marcoemorais has joined #openstack-keystone20:48
*** pheadron has quit IRC20:48
*** marcoemorais2 has quit IRC20:49
*** marcoemorais1 has joined #openstack-keystone20:49
*** marcoemorais has quit IRC20:49
*** joesavak has joined #openstack-keystone20:53
*** juanmo has quit IRC20:54
dolphmayoung: not without a +1 from bknudson :)20:57
*** marcoemorais1 has quit IRC20:58
*** marcoemorais has joined #openstack-keystone20:58
ayoungdolphm, can't fault you there20:58
dolphmbknudson: consider your +1 to be a +2/+A there20:58
ayoung++20:58
bknudsondolphm: ok, will take a look20:58
dolphmbknudson: thanks!20:58
*** daneyon has quit IRC20:59
*** daneyon has joined #openstack-keystone21:00
*** marcoemorais1 has joined #openstack-keystone21:00
*** marcoemorais has quit IRC21:02
*** marcoemorais has joined #openstack-keystone21:02
*** marcoemorais has quit IRC21:02
*** marcoemorais1 has quit IRC21:03
*** marcoemorais has joined #openstack-keystone21:03
*** marcoemorais has quit IRC21:05
*** marcoemorais has joined #openstack-keystone21:05
*** pheadron has joined #openstack-keystone21:06
*** marcoemorais has quit IRC21:06
*** marcoemorais has joined #openstack-keystone21:07
stevemarwe need to see more people running tox before pushing to keystone-specs!!21:07
dolphmstevemar: why?21:08
*** jsavak has joined #openstack-keystone21:09
dolphmstevemar: (i don't see how they're really related)21:09
*** joesavak has quit IRC21:09
dolphmstevemar: also, pong21:09
stevemardolphm, too many white spaces, hard tabs, and ==='s not lining up with titles21:09
dolphmstevemar: oh tox *in* keystone-specs?21:09
stevemardolphm, isn't that what i said?21:09
dolphmstevemar: i thought you just meant getting people to use tox instead of run_tests.sh in general21:10
stevemarno no21:10
dolphmstevemar: doesn't jenkins -1 then?21:10
stevemardolphm, yes21:10
stevemardolphm, but jenkins is super overloaded atm21:10
dolphmstevemar: that job should be quick, at least :-/21:10
stevemardolphm, meh, it distracts from the review21:11
*** dhellmann has quit IRC21:11
*** dims__ has joined #openstack-keystone21:13
*** dhellmann has joined #openstack-keystone21:13
stevemardolphm, and maybe look @ doc/build/html :)21:14
stevemarwhat do i know, i just work here21:14
dolphmstevemar: i'd almost appreciate if there was a run_tests in that repo that did an open on doc/build/html (is there an index created in that repo?)21:14
stevemarlikely21:14
dolphmstevemar: because yes, just because tox passes doesn't mean your rendered RST is readable21:15
dolphmstevemar: as we learned with my accidentally indented paragraph for example :)21:15
*** dims_ has quit IRC21:15
*** jsavak has quit IRC21:18
*** pafuent has left #openstack-keystone21:31
*** marcoemorais has quit IRC21:32
*** marcoemorais has joined #openstack-keystone21:32
*** marcoemorais has quit IRC21:33
*** marcoemorais has joined #openstack-keystone21:33
*** joesavak has joined #openstack-keystone21:34
*** marcoemorais has quit IRC21:34
*** marcoemorais has joined #openstack-keystone21:35
*** henrynash has quit IRC21:38
*** gordc has quit IRC21:38
*** marcoemorais1 has joined #openstack-keystone21:38
*** daneyon has quit IRC21:39
*** marcoemorais has quit IRC21:39
*** marcoemorais has joined #openstack-keystone21:42
*** dims__ has quit IRC21:42
*** marcoemorais has quit IRC21:42
*** joesavak has quit IRC21:43
*** marcoemorais has joined #openstack-keystone21:44
*** marcoemorais has quit IRC21:44
*** marcoemorais has joined #openstack-keystone21:44
*** marcoemorais has quit IRC21:44
*** marcoemorais has joined #openstack-keystone21:45
*** marcoemorais1 has quit IRC21:45
*** jaosorior has quit IRC21:52
ayoungstevemar, why from keystone.openstack.common import jsonutils as json  instead of import json?21:59
stevemarjsonutils has much better support for all versions on python21:59
stevemarand we use it everywhere else21:59
jamielennoxwhy not just leave it called jsonutils? we do that everywhere else22:00
stevemarjamielennox, true,22:01
stevemarjamielennox, i'm advocating the use of jsonutils, not just straight up 'import json'22:01
*** marcoemorais has quit IRC22:02
*** marcoemorais has joined #openstack-keystone22:02
ayoungsounds good.  I'll make the change22:02
jamielennoxyep, i agree on jsonutils, just wasnt sure on rename22:02
*** marcoemorais has quit IRC22:03
*** marcoemorais has joined #openstack-keystone22:04
*** joesavak has joined #openstack-keystone22:05
*** henrynash has joined #openstack-keystone22:09
*** joesavak has quit IRC22:11
*** dims has joined #openstack-keystone22:12
*** thedodd has quit IRC22:14
*** rodrigods_ has joined #openstack-keystone22:19
stevemarjamielennox, that was my bad :)22:20
*** bknudson has quit IRC22:21
*** marekd is now known as marekd|away22:24
openstackgerritayoung proposed a change to openstack/keystone: Compressed Token Provider  https://review.openstack.org/9114522:28
ayoungstevemar, ^^ addresses your points.22:28
*** browne has quit IRC22:32
morganfainbergayoung, dolphm, https://review.openstack.org/#/c/97638/22:40
ayoungmorganfainberg, care to look at  https://review.openstack.org/91145  in response22:41
morganfainbergayoung, sure.22:41
morganfainbergcompressed token provider?22:41
ayoungmorganfainberg, hmmm....looking for the zuul job for it22:42
ayoungmorganfainberg, is it not getting triggered because it was originally a draft?  It is not a draft anymore22:42
morganfainbergyeah, drafts are broken22:43
morganfainbergalso... you can't submit drafts anymore22:43
morganfainbergayoung, oh22:43
ayoungmorganfainberg, I saw that...but why no Zuul jobs for that patch?  Is Zuul stuck?22:43
morganfainberg... zuul looks unhappy22:43
ayoung14 hours is a long time...22:44
morganfainbergQueue lengths: 1207 events,22:44
morganfainbergworse22:44
morganfainberg1200 events backed up22:44
morganfainbergnot just backed up queue22:44
morganfainbergerm check queue22:44
morganfainbergit isn't processing the events atm22:44
morganfainbergyeah -infra is working on it22:44
*** marcoemorais has quit IRC22:46
*** marcoemorais has joined #openstack-keystone22:46
*** browne has joined #openstack-keystone22:56
*** praneshp has quit IRC22:59
ayoungjamielennox, on AUTH_TYPE == 'Negotiate'23:01
morganfainbergayoung, and zuul caught up23:02
ayoungif you set up apache mod_auth_krb5 with the fallback to basic-auth23:02
ayoungI don't think you get AUTH_TYPE == 'Negotiate'23:02
ayoungcool23:03
openstackgerritA change was merged to openstack/keystone: Unimplemented get roles by group for project list  https://review.openstack.org/7647023:03
*** zhiyan_ is now known as zhiyan23:17
*** zhiyan is now known as zhiyan_23:18
*** mhu1 has joined #openstack-keystone23:20
*** EmilienM_ has joined #openstack-keystone23:20
*** radez` has joined #openstack-keystone23:20
*** radez has quit IRC23:20
*** mhu has quit IRC23:20
*** mhu1 is now known as mhu23:20
*** andreaf has quit IRC23:20
*** EmilienM has quit IRC23:20
*** EmilienM_ is now known as EmilienM23:20
*** andreaf has joined #openstack-keystone23:20
openstackgerritayoung proposed a change to openstack/keystone: Kerberos as method name  https://review.openstack.org/9598923:24
*** sbfox has quit IRC23:25
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.  https://review.openstack.org/9530023:32
*** henrynash has quit IRC23:34
jamielennoxayoung: but if you fall back to basic-auth do you want it to pass through the kerberos plugin anyway?23:37
*** stevemar has quit IRC23:37
ayoungjamielennox, nah, decided I didn't and submitted it your way23:38
*** bknudson has joined #openstack-keystone23:39
*** marcoemorais has quit IRC23:40
*** marcoemorais has joined #openstack-keystone23:40
*** marcoemorais has quit IRC23:41
*** marcoemorais has joined #openstack-keystone23:41
jamielennoxayoung: can you have a look at: https://review.openstack.org/#/c/91216/ it's really simple and it keeps being a PITA that it hasn't been merged yet23:42
jamielennoxif you +2 it i can badger morganfainberg or someone for the other23:42
*** andreaf has quit IRC23:42
ayoungjamielennox, +223:45
ayoungmorganfainberg, +2 that would you23:45
*** diegows has quit IRC23:47
*** daneyon has joined #openstack-keystone23:50
jamielennoxit's ok, i'll get the next core to speak....23:54
openstackgerritayoung proposed a change to openstack/keystone: Basic-Auth middleware  https://review.openstack.org/9213723:55
*** gokrokve has quit IRC23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!