Tuesday, 2014-06-10

00:02 <gyee> jamielennox, is there a way to make them backward compatible?
00:02 <gyee> right now user needs to specify ---os-auth-plugin
00:02 <jamielennox> well that should make it compatible
00:02 <jamielennox> oh,
00:02 *** stevemar has joined #openstack-keystone
00:02 <jamielennox> i was wondering about that
00:03 <jamielennox> maybe we either need a new auth plugin that would abstract the v2password and token and make that the default?
00:03 <gyee> can we sorta take an educated guess, like if username, password, and tenant_id/name, we assume it's v2 password
00:03 <jamielennox> but i don't want to make that the default in session because then everyone will inherit it
00:04 <gyee> right, like backward_compat_auth or something
00:05 <gyee> would be awesome if we can make the user experience transition seamless
00:06 <jamielennox> right so user experience is going to have to be, it's the developer experience i'm wondering how far we push
00:06 *** stevemar2 has joined #openstack-keystone
00:07 *** opienkos has joined #openstack-keystone
00:07 <gyee> jamielennox, developer experience is really about good documentation :)
00:08 <jamielennox> gyee: ok, can you review the patches in the tree up to https://review.openstack.org/#/c/86237
00:08 <gyee> we code monkeys usually bitch more about lack of documentation than having to write extra code
00:08 <jamielennox> they are fairly easy, the last one is the Adapters
00:09 <gyee> k, looking
00:10 *** opienkos is now known as jittery
00:10 *** stevemar has quit IRC
00:10 *** zhiyan_ is now known as zhiyan
00:10 *** jittery has left #openstack-keystone
00:11 *** jittery has joined #openstack-keystone
00:11 <gyee> jamielennox, can you imagine if python were multithreaded, passing a shared session object around would be fun :)
00:12 <jamielennox> gyee: i actually don't think it would be that bad
00:12 <jittery> anyone got Kstone working with LDAP?
00:12 <gyee> jittery, define "working" :)
00:12 <jamielennox> gyee: once you've created it you never really change the state on the object you just query methods
00:14 <jittery> Kstone pulling auth off LDAP and mapping user, tenant and role with LDAP schema attribs
00:14 <hrybacki> could someone explain why we use a fake wsgi app for auth_token_middleware tests?
00:16 <hrybacki> trying to understand how exactly it works
00:18 *** jittery has left #openstack-keystone
00:19 *** jittery has joined #openstack-keystone
00:20 *** jittery has quit IRC
00:20 <gyee> jamielennox, what happened to the other session methods?
00:21 <gyee> like post, get, update, etc
00:22 <jamielennox> HttpMethodsMixin
00:22 <gyee> ah
00:23 <gyee> k, I see
00:24 *** gokrokve has quit IRC
00:24 <jamielennox> i'm not sure if it's worth having that class, but i'm repeating that structure a lot
00:29 *** NM has joined #openstack-keystone
00:35 <gyee> jamielennox, see if this makes sense https://review.openstack.org/#/c/86237/2/keystoneclient/adapter.py
00:35 <gyee> with that you don't need the mixins
00:37 <jamielennox> gyee: is that subclassing session?
00:37 <gyee> jittery, have you looked at ayoung's read-only LDAP blog? http://adam.younglogic.com/2013/10/read-only-ldap-in-keystone/
00:37 <jamielennox> i don't think we need to go that far
00:37 <gyee> jamielennox, right, we would use the session methods if one does not override
00:37 <jamielennox> i can write a decorator really easily that does the same job as the mixins
00:38 <jamielennox> but i've given up on the idea that the adapter and the session should be interchangeable - they do very different things
00:38 *** marcoemorais has quit IRC
00:38 <gyee> we basically wrap session and override whatever is needed
00:38 *** NM has quit IRC
00:38 <jamielennox> so we just keep as common an interface as makes sense
00:38 *** marcoemorais has joined #openstack-keystone
00:38 <jamielennox> gyee: i think i'd prefer to just rewrite the functions than go to that level of magic
00:39 <gyee> jamielennox, but why the boilerplate stuff
00:39 <gyee> if we can just wrap it
00:39 <gyee> jamielennox ^
00:40 <jamielennox> that was the point of the mixin
00:40 <gyee> I mean is the mixin necessary
00:42 <jamielennox> i'd prefer to do the mixin explicitly as an object like that than doing metaclass stuff
00:42 <gyee> k, that's a good reason
00:44 *** dstanek_zzz is now known as dstanek
00:44 *** hrybacki has quit IRC
00:52 *** ncoghlan has joined #openstack-keystone
00:54 *** dstanek is now known as dstanek_zzz
00:54 <gyee> jamielennox, I need to step away from keyboard a bit, will review the rest later tonight
00:54 <jamielennox> gyee: no worries - i'm going to gut barbicanclient and replace it all with session stuff - see what it looks like
00:55 <gyee> jamielennox, but we are already doing it
00:55 <jamielennox> doing what?
00:55 <gyee> https://review.openstack.org/#/c/80124/9/barbicanclient/client.py
00:56 <gyee> I mean make it use session
00:56 <gyee> may need more work though
00:56 <jamielennox> oh, i was going to do it in a non-backwards compat way
00:56 <jamielennox> just rip the entire internals out
00:57 <jamielennox> it's one of the newer clients so it's hopefully not too much work
00:57 <gyee> oh
00:57 <gyee> there's no requirement for backward compat?
00:58 <jamielennox> i'm not sure with barbican
00:58 <jamielennox> i don't think so
00:58 <gyee> may want to double check with them
00:58 <jamielennox> they are looking to completely change their URI scheme
00:58 <jamielennox> yea, i will
01:00 *** clu_ has quit IRC
01:07 *** topol has joined #openstack-keystone
01:11 *** mberlin has joined #openstack-keystone
01:11 *** mberlin1 has quit IRC
01:23 <morganfainberg> what the heck... https://bugs.launchpad.net/keystone/+bug/1328067
01:23 <uvirtbot> Launchpad bug 1328067 in python-keystoneclient "Token with "placeholder" ID issued" [Critical,New]
01:23 <morganfainberg> how is a token being issued with 'placeholder' id?
01:23 * morganfainberg continues looking at the code.
01:26 *** marcoemorais has quit IRC
01:28 *** diegows has quit IRC
01:28 <morganfainberg> oooo
01:30 <bknudson> maybe we need some kind of uniform token object
01:31 <morganfainberg> bknudson, i see what you did there
01:32 <morganfainberg> i'm trying to figure out how we're not seeing this more often.
01:33 <bknudson> it looks like it passes in auth_token_data['id'] = 'placeholder' and issue_v2_token doesn't change auth_token_data['id']
01:33 <morganfainberg> it's an artifact of how we have to sign the data before we know what the token id is
01:34 <bknudson> ah, format_token should move it around
01:35 <morganfainberg> bknudson, we shouldn't be putting the token id in the signed body
01:35 <morganfainberg> bknudson, token id should be external to signed data, {token_id: id, token_data: {data}}
01:35 <morganfainberg> or similar.
01:36 <bknudson> return (token_id, token_data)
01:36 <morganfainberg> bknudson, right which should be fine, until something looks in the token_data for the id
01:36 <morganfainberg> bknudson, something in auth_token is grabbing the wrong value(s) in some cases
01:37 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Make get_oauth_params conditional for specific oauthlib versions  https://review.openstack.org/98534
01:37 *** sbfox1 has quit IRC
01:37 <bknudson> unblocked!
01:38 <morganfainberg> bknudson, !!
01:39 <bknudson> morganfainberg: where are we signing anything where "auth_token_data['id'] = 'placeholder'" is set?
01:39 <bknudson> looks like it gets converted to token_data
01:40 <bknudson> V2TokenDataHelper's format_token takes token_ref (which was auth_token_data) and converts it to token_data
01:41 <morganfainberg> hmm.
01:41 <morganfainberg> then we call _get_token_id()
01:41 <morganfainberg> which does the signing
01:41 <bknudson> morganfainberg: ohh...
01:41 <morganfainberg> then we swap token_data['access']['token']['id'] with the id returned from _get_token_id
01:42 <bknudson> at that point token_data has 'placeholder' in it.
01:42 <morganfainberg> yep
01:42 <bknudson> weird
01:42 <bknudson> so we should ... not have id in the token_data at that point?
01:42 <morganfainberg> it should be something like {token_id: <id>, signature: <sig>, token_data: {<data dict>}}
01:43 <morganfainberg> and then that whole object should be serialized and b64'd
01:43 <bknudson> what is token ID though?
01:44 <morganfainberg> bknudson, the b64_urlsafe of the data_struct?
01:44 <bknudson> how do you put the token id in the token when the token is the token id?
01:44 <morganfainberg> bknudson, right now the id is the signed_b64 data
01:44 <morganfainberg> bknudson, that is what we need to solve.
01:44 <bknudson> we'll have to ask Goedel about this one
01:44 *** dstanek_zzz is now known as dstanek
01:45 <morganfainberg> bknudson, hehe
01:45 <morganfainberg> bknudson, let me see if i can figure out where we're going wrong...
01:45 <bknudson> there's no way we can put the ID in the token
01:45 <bknudson> since it would have to be the hash of the document
01:46 <morganfainberg> bknudson, we can sign document, hash that sig, = consistent id
01:46 <bknudson> where the document is itself
01:46 <morganfainberg> we just can't put the id in the document
01:46 <bknudson> apparently something is getting the ID from the document
01:46 <morganfainberg> and we can validate it forwards and backwards
01:46 <bknudson> auth_token middleware?
01:46 <morganfainberg> bknudson, yeah that's my thought
01:46 <morganfainberg> bknudson, caching in auth_token?
01:46 <morganfainberg> do we do that in gate?
01:47 <bknudson> _request_admin_token
01:47 <morganfainberg> bknudson, let me see how often this is really occurring...
01:47 <morganfainberg> oh
01:48 <morganfainberg> i think this is heat doing the wrong thing.
01:48 <morganfainberg> they load up the auth_token middleware for an admin token, then use that to create a trust
01:49 <morganfainberg> so they use the same creds as auth_token middleware.
01:49 <bknudson> POST /v2.0/tokens must not return a token with ID = placeholder
01:49 <bknudson> otherwise everything would be broken
01:50 <morganfainberg> depends on what they're doing to extract the token_id
01:50 <morganfainberg> if they used the id returned from the post, it should be fine
01:51 <morganfainberg> but i'm guessing they're using the token_data bit.
01:51 <morganfainberg> or.. wait ... how..
01:52 <bknudson> we should stop putting 'placeholder' ID in the token and see what else breaks
01:52 <morganfainberg> bknudson, ++ i plan on doing that here as well.
01:52 <morganfainberg> bknudson, let me figure out what they're doing wrong so we can fix it...
01:52 <morganfainberg> then we can break lots of people *evilgrin*
01:53 <bknudson> token_info = environ.get('keystone.token_info')
01:53 <bknudson> looks like that's where heat is getting it?
01:54 <bknudson> and that would be the decrypted document.
01:54 <morganfainberg> yeah.
01:54 <morganfainberg> and they are using the token from there.
01:54 *** dstanek is now known as dstanek_zzz
01:54 <bknudson> so we *could* have auth_token replace the id in there
01:54 <morganfainberg> in their context it looks like.
01:54 <morganfainberg> bknudson, we probably should :(
01:55 <bknudson> with the hash
01:55 <bknudson> or... with the full PKI token
01:55 <morganfainberg> bknudson, i'd do it with the full token_id
01:55 <bknudson> since hashes aren't going to work soon enough
01:55 <morganfainberg> bknudson, yeah
01:55 <morganfainberg> will be compat with UUID since you'll have both bits of info
01:56 <bknudson> ok, well, that's an easy fix
01:56 <bknudson> mystery solved
01:56 <morganfainberg> i feel like they're sourcing the data wrong though, it should be pulling the token separate from the keystone.token_info
01:56 *** gokrokve has joined #openstack-keystone
01:56 <morganfainberg> mystery solved sure, but we provide the token in the env right?
01:56 <morganfainberg> so ... we should have them sourcing the token_id right out of the env not from the raw decrypted data
01:57 <morganfainberg> fixing "auth_token" to replace that would be less optimal i think (and requires a KSC release)
01:57 <bknudson> is HTTP_X_AUTH_TOKEN still available?
01:57 <morganfainberg> doubtful
01:57 <bknudson> then it's only keystone.token_info as far as I can tell
01:57 <morganfainberg> hmm
01:59 <bknudson> seems like keystone.token_info is going to be different depending on v2 or v3 token
02:00 <bknudson> well, good luck, I need to take off.
02:00 *** rodrigods_ has quit IRC
02:00 <morganfainberg> bknudson, cheers, thanks for the help
02:01 *** hrybacki has joined #openstack-keystone
02:05 <morganfainberg> jamielennox, ping you here? have a question about auth_token middleware and what it passes to the underlying app
02:05 <jamielennox> morganfainberg: shoot
02:05 <openstackgerrit> ChangBo Guo(gcb) proposed a change to openstack/python-keystoneclient: Don't use mock non-existent method assert_called_once  https://review.openstack.org/93839
02:05 <morganfainberg> do we pass the token id (as received) to the underlying app, header/env wise?
02:06 <morganfainberg> because... for PKI tokens we *uhm* put "placeholder" in the signed document (v2) for token IDs
02:07 <morganfainberg> which.. means if someone takes the decrypted data (heat) and uses the token_id in keystone.token_info they have a bogus token_id of "placeholder"
02:07 <jamielennox> morganfainberg: no, but we can always get that from X-Auth-Token
02:07 <morganfainberg> jamielennox ok so it's going to be a new release of keystoneclient to fix
02:07 <jamielennox> hahaha
02:07 <morganfainberg> jamielennox, so 2 things, 1: i'm going to make it so we never put a token_id in the token_data.
02:08 <morganfainberg> but first need to fix it so heat...can... work
02:08 <morganfainberg> trying to see how often this is occurring now
02:08 *** amcrn has quit IRC
02:08 <jamielennox> what is heat doing with the token id?
02:08 <morganfainberg> creating a trust
02:08 <jamielennox> from id?
02:08 <morganfainberg> well, using the token to pass that same info along, i think
02:09 <morganfainberg> wait... there isn't an env var passed down from auth_token with the token_id in it?
02:09 * morganfainberg thought nova used the user's token_id for things
02:09 <jamielennox> no, because token_id should be just X-Auth-Token in the UUID case
02:10 <morganfainberg> in UUID case it should be fine
02:10 <jamielennox> why would someone use token_id instead of just X-Auth-Token
02:10 <morganfainberg> in PKI case it's bad.
02:10 <morganfainberg> if i have auth_token middleware running from the underlying app can i get the X-Auth-Token header?
02:10 <jamielennox> sure, it's just a header
02:11 <morganfainberg> oh we're not stripping it off?
02:11 <jamielennox> i don't think so, i can't see why we would
02:11 <morganfainberg> ok that makes more sense
02:12 <morganfainberg> yeah i think they're just grabbing the token from the wrong place because it looks like it might be the 'correct' place
02:12 <jamielennox> token_id like that doesn't exist in v3 tokens - and i thought heat was v3 only now?
02:12 <morganfainberg> heat uses v3 to talk to keystone
02:12 <jamielennox> oh, but i guess auth is different
02:12 <morganfainberg> doesn't mean a user will use v3 to talk to heat... i guess
02:12 <morganfainberg> yeah
02:13 <morganfainberg> yah just need to go look in req.headers for X-Auth-token
02:13 <morganfainberg> jamielennox, cool. i think i can fix this.
02:18 *** gokrokve has quit IRC
02:21 *** nsquare has quit IRC
02:23 <morganfainberg> jamielennox, ah this is new (to be landed) code
02:24 <morganfainberg> aha. so it's not happening in the wild
02:24 <morganfainberg> jamielennox, ok phew.
02:24 <jamielennox> cool, it seemed unlikely that would have slipped through
02:24 <jamielennox> given PKI tokens are default now
02:29 *** rodrigods_ has joined #openstack-keystone
02:32 *** rodrigods_ has quit IRC
02:33 *** dstanek_zzz is now known as dstanek
02:39 *** richm has quit IRC
02:41 <ayoung> I think slipping the token_id into the token body after verifying the signature would probably be OK, so long as no one ever tried to re-sign the data to see that they got the same thing
02:43 *** ncoghlan is now known as ncoghlan_afk
02:46 <openstackgerrit> Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option  https://review.openstack.org/98942
02:46 <openstackgerrit> ayoung proposed a change to openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/81166
02:52 *** rwsu has quit IRC
02:52 *** dstanek is now known as dstanek_zzz
02:54 <openstackgerrit> ayoung proposed a change to openstack/keystone: Default to PKIZ tokens  https://review.openstack.org/98897
02:56 *** hrybacki has quit IRC
03:03 *** praneshp has quit IRC
03:04 *** dstanek_zzz is now known as dstanek
03:11 *** david-lyle has joined #openstack-keystone
03:11 *** lbragstad has quit IRC
03:20 *** zhiyan is now known as zhiyan_
03:26 *** ncoghlan_afk is now known as ncoghlan
03:26 *** zhiyan_ is now known as zhiyan
03:53 *** dims_ has quit IRC
04:25 *** gokrokve has joined #openstack-keystone
04:29 *** Abhijeet has joined #openstack-keystone
04:30 *** daneyon has joined #openstack-keystone
04:33 *** david-lyle has quit IRC
04:34 *** marcoemorais has joined #openstack-keystone
04:36 *** henrynash has joined #openstack-keystone
04:36 *** marcoemorais1 has joined #openstack-keystone
04:37 *** gokrokve has quit IRC
04:38 *** lbragstad has joined #openstack-keystone
04:39 *** marcoemorais has quit IRC
04:46 *** dims_ has joined #openstack-keystone
04:50 *** dstanek is now known as dstanek_zzz
04:50 *** dims_ has quit IRC
04:57 *** topol has quit IRC
04:58 *** gokrokve has joined #openstack-keystone
04:58 *** gokrokve has quit IRC
04:59 *** harlowja is now known as harlowja_away
05:07 *** sbfox has joined #openstack-keystone
05:13 *** lbragstad has quit IRC
05:15 *** lbragstad has joined #openstack-keystone
05:30 <openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/92166
05:33 *** Guest36764 has quit IRC
05:34 *** Ackowa has joined #openstack-keystone
05:37 *** daneyon has quit IRC
05:38 *** gyee has quit IRC
05:46 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Documentation  https://review.openstack.org/84070
05:47 *** dims_ has joined #openstack-keystone
05:51 <openstackgerrit> Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option  https://review.openstack.org/98942
05:51 *** dstanek_zzz is now known as dstanek
05:51 *** dims_ has quit IRC
05:55 *** ajayaa has joined #openstack-keystone
06:00 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/97005
06:01 *** dstanek is now known as dstanek_zzz
06:17 *** dims_ has joined #openstack-keystone
06:22 *** dims_ has quit IRC
06:30 *** stevemar2 has quit IRC
06:36 *** ncoghlan is now known as ncoghlan_afk
06:41 *** jaosorior has joined #openstack-keystone
06:43 <openstackgerrit> A change was merged to openstack/keystone: Consistently use jsonutils instead of json  https://review.openstack.org/97039
06:43 <openstackgerrit> A change was merged to openstack/keystone: Catalog driver generates v3 catalog from v2 catalog  https://review.openstack.org/70630
06:49 *** lbragstad has quit IRC
06:50 *** lbragstad has joined #openstack-keystone
06:51 *** afazekas is now known as __afazekas
06:51 *** amerine has quit IRC
06:52 *** amerine has joined #openstack-keystone
07:09 *** BAKfr has joined #openstack-keystone
07:15 *** ncoghlan_afk is now known as ncoghlan
07:16 *** leseb has joined #openstack-keystone
07:17 *** dims_ has joined #openstack-keystone
07:22 *** dims_ has quit IRC
07:31 *** andreaf has quit IRC
07:55 *** afazekas has joined #openstack-keystone
07:58 *** andreaf has joined #openstack-keystone
08:03 *** sbfox has quit IRC
08:18 *** dims_ has joined #openstack-keystone
08:18 *** leseb has quit IRC
08:22 *** dims_ has quit IRC
08:23 *** marcoemorais1 has quit IRC
08:32 *** ncoghlan is now known as ncoghlan_afk
08:40 <openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/92166
08:43 *** lbragstad has quit IRC
08:43 *** lbragstad has joined #openstack-keystone
08:50 *** leseb has joined #openstack-keystone
08:59 *** Abhijeet has quit IRC
09:03 *** leseb has quit IRC
09:08 <openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/92166
09:14 *** leseb has joined #openstack-keystone
09:18 *** zhiyan is now known as zhiyan_
09:19 *** dims_ has joined #openstack-keystone
09:20 *** DuncanT- has joined #openstack-keystone
09:25 *** dims_ has quit IRC
09:37 *** xianghui has quit IRC
09:50 *** xianghui has joined #openstack-keystone
09:51 *** xianghui has quit IRC
09:52 *** xianghui has joined #openstack-keystone
10:02 <openstackgerrit> Christian Berendt proposed a change to openstack/keystone: Bump hacking to 0.9.x series  https://review.openstack.org/98996
10:09 *** leseb has quit IRC
10:10 *** leseb has joined #openstack-keystone
10:12 *** leseb has quit IRC
10:15 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Add endpoint handling to Token/Endpoint auth  https://review.openstack.org/91216
10:15 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Fix tests to use UUID strings rather than ints for IDs  https://review.openstack.org/90621
10:15 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Remove _factory methods from auth plugins  https://review.openstack.org/81985
10:21 *** dims_ has joined #openstack-keystone
10:22 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/96265
10:27 *** dims_ has quit IRC
10:38 *** xianghui has quit IRC
10:57 *** ekarlso has quit IRC
10:58 *** ekarlso has joined #openstack-keystone
11:02 *** xianghui has joined #openstack-keystone
11:08 <openstackgerrit> Christian Berendt proposed a change to openstack/keystone: WIP: Bump hacking to 0.9.x series  https://review.openstack.org/98996
11:23 *** dims_ has joined #openstack-keystone
11:32 *** leseb has joined #openstack-keystone
11:40 *** xianghui has quit IRC
11:41 *** diegows has joined #openstack-keystone
11:43 <openstackgerrit> Boris Pavlovic proposed a change to openstack/keystone: Add rally plugins support  https://review.openstack.org/98836
11:53 *** xianghui has joined #openstack-keystone
12:05 *** hrybacki has joined #openstack-keystone
12:05 *** radez_g0n3 is now known as radez
12:09 *** afazekas has quit IRC
12:24 *** afazekas has joined #openstack-keystone
12:26 *** hrybacki_ has joined #openstack-keystone
12:28 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements  https://review.openstack.org/99031
12:28 *** dhellmann has quit IRC
12:34 *** bknudson has quit IRC
12:35 *** Ju has quit IRC
12:36 *** gordc has joined #openstack-keystone
12:38 <ayoung> hrybacki, fire away and I'll answer as much as I can
12:39 <ayoung> might disappear to get a kid to school, but I'll answer when I get back
12:39 <hrybacki> ayoung++
12:40 <marekd_> ayoung: Do you want to take a look here: https://review.openstack.org/92166 ?
12:40 <hrybacki> I've been digging around in python-keystoneclient test code quite a bit, as you would imagine. There seem to be fake wsgi apps that are interacting with services but I'm not sure how, and if this is how I should do the revocation events as well -- thoughts?
12:40 *** marekd_ has quit IRC
12:41 *** marekd has joined #openstack-keystone
12:45 *** lbragstad has quit IRC
12:50 <BAKfr> Does someone want to review a little patch? https://review.openstack.org/#/c/95212/
12:52 *** bknudson has joined #openstack-keystone
12:53 *** afazekas has quit IRC
12:59 *** dims_ has quit IRC
13:00 <DuncanT-> Hi. Cinder is having a problem in reusing the tenant's token to run a backup to swift, but horizon is invalidating the token before the backup is finished. Any suggestions please?
13:01 <DuncanT-> I was looking at the new composite token stuff, but apparently getting a new token is considered a performance problem so they're going with two tokens, so extending the token there is out
13:02 <DuncanT-> I'm not sure if trusts give something usable, I can't find any docs on what is actually implemented there
13:02 <openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/92166
13:04 <ayoung> hrybacki, yes, middleware/auth_token.py:Auth needs to make calls against fake WSGI apps to get revocation events.
13:04 <ayoung> marekd, I'll look, but I don't know too much about ECP
13:05 <marekd> ayoung: thanks. What I want to get from you is the architecture of the plugin, some code issues...
13:05 <ayoung> marekd, what is the general flow there
13:05 <hrybacki> ayoung: okay, would you advise reusing FakeApp/FakeAppV3 or constructing a new one?
13:06 <ayoung> hrybacki, probably reuse
13:06 <hrybacki> ayoung++
13:06 <ayoung> they should be able to respond to the calls you are making as is. Depends on how much work it is to change from making the calls to get the revoke list to calls to get the Revocation Events.
13:07 *** afazekas has joined #openstack-keystone
13:07 *** jsavak has joined #openstack-keystone
13:07 *** erecio has quit IRC
13:08 <ayoung> marekd, I see some things you have buried in there that look like reusable components
13:08 *** erecio has joined #openstack-keystone
13:08 <ayoung> def _scope_token(self, session): specifically
13:08 <marekd> ayoung: https://review.openstack.org/#/c/92166/14/keystoneclient/auth/identity/contrib/federation/saml2.py i added some docstrings there (see get_unscoped_token), where I tried to describe the workflow.
13:09 <marekd> ayoung: see? that's the feedback i need from you :-)
13:09 <ayoung> marekd, it looks really good
13:12 *** gordc has quit IRC
13:12 <ayoung> marekd, in _get_unscoped_token(self, session, **kwargs): you make 3 calls. You do a finally block, but what if one of those calls fails, say on a timeout?
13:12 <marekd> your concern is about executing that clear() method, or in general?
ayoungmarekd,   just what is the end user experience going to be?  Are they going to end up with a 500 somehow, since the follow on commands don't know that it failed?13:13
ayoungmarekd, note:  I am nitpicking here, as I don;t understand the code yet.   Don't take what I say too seriously and start rewriting things13:13
marekdayoung: imo uesr should know why the workflow failed.13:14
*** nkinder has quit IRC13:14
ayoungmarekd, also, this looks kind of stateful13:14
marekdayoung: in most cases AuthorizationFailuer is raised, especially where plugin expects XML response body and gets something else.13:15
ayoungis that going to be a problem?13:15
marekdayoung: what do you mean?13:15
ayoungSaml2  holds on to local variables from elsewhere inthe request13:15
ayoungmarekd, is there going to be one Saml2 object per request?13:15
ayoungOr is it shared across multiple requests?13:16
marekdha, good question!13:16
marekdayoung: if you are asking if some of those assertions/data can be reused - honestly I don't know.13:17
*** lbragstad has joined #openstack-keystone13:17
marekdi'd say - after we create a session and have access to a protected resource it's a matter of cookie stored in the session.13:18
marekdand i meant: HTTP session, not object session.13:18
*** leseb has quit IRC13:19
*** leseb has joined #openstack-keystone13:20
*** dstanek_zzz is now known as dstanek13:23
*** leseb has quit IRC13:24
*** lbragstad1 has joined #openstack-keystone13:26
*** lbragstad has quit IRC13:28
*** lbragstad has joined #openstack-keystone13:29
*** lbragstad1 has quit IRC13:30
ayoungmarekd, I'm talking about the Python object called Saml213:30
*** dims_ has joined #openstack-keystone13:30
ayoungclass Saml2(v3._AuthConstructor):13:30
*** gokrokve has joined #openstack-keystone13:31
marekdayoung: right. Now I am cleaning all the dynamic attributes, so I think it could be reusable.13:31
marekdayoung: I don't know if variables that are stored somewhere in the middle of the workflow can be reused.13:32
ayoungmarekd, I think not13:32
marekdayoung: ++13:32
ayoungyou need to create a specific object and pass them through with the request13:33
marekdayoung: I think what can be reused is a session coodie, but it's stored in the keystoeclient.session.Session() object.13:33
ayoungmarekd, only if you are going to be sending it back to the user.  Otherwise, that, too, needs to be  passed from function to function13:34
marekdayoung: hm, okay! I wanted to make it cleaner and avoid billions of arguments13:34
ayoungmarekd, so make it one object, and put the billions of arguments on that13:35
marekdright13:35
ayoungcall it a SamlRequest  or something13:35
marekdayoung: ok13:35
marekdayoung: anything else regarding the structure, and Python-specific issues?13:41
ayoungmarekd, I think that is a pretty big one.  Its going to call for a bit of restructuring.  I'm not a Python Maven, though.  You need dstanek for that kind of madness13:42
marekdayoung: i know it's huge but this is one big block of functionality, I didn't see any way in spliting it into multiple patches.13:43
marekdanyway, thanks!13:43
marekddstanek: Hello, sir!13:43
ayoungmarekd, its not too bad.  But lets see what it looks like when it is multi-access safe13:43
marekdayoung: normally keystoneclient plugins are reused?13:44
marekdkeystoneclient *auth* plugins.13:44
*** richm has joined #openstack-keystone13:48
*** lbragstad has quit IRC13:48
*** lbragstad has joined #openstack-keystone13:48
*** gordc has joined #openstack-keystone13:54
*** lbragstad1 has joined #openstack-keystone13:57
*** lbragstad has quit IRC13:58
*** nkinder has joined #openstack-keystone14:02
*** Ju_ has joined #openstack-keystone14:06
openstackgerritA change was merged to openstack/keystone-specs: Cross Backend Unique Identifiers for User and Group Entities  https://review.openstack.org/9749214:11
*** stevemar has joined #openstack-keystone14:11
BAKfrit seem that keystone unit tests doesn't pass when the locale is not en_US14:11
BAKfrShould I report  a bug ?14:12
*** lbragstad1 has quit IRC14:16
boris-42morganfainberg hey there14:18
boris-42morganfainberg could you pls review plugin patch14:18
boris-42morganfainberg this one https://review.openstack.org/#/c/98836/14:19
*** dhellmann has joined #openstack-keystone14:20
*** leseb has joined #openstack-keystone14:20
*** leseb has quit IRC14:25
openstackgerritA change was merged to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.  https://review.openstack.org/8494514:30
*** leseb has joined #openstack-keystone14:33
openstackgerritDolph Mathews proposed a change to openstack/keystone: add docs on v2 & v3 support in the service catalog  https://review.openstack.org/9907514:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/9907614:35
*** leseb has quit IRC14:38
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/9626514:39
*** NM has joined #openstack-keystone14:40
*** leseb has joined #openstack-keystone14:41
*** thedodd has joined #openstack-keystone14:45
*** xianghui has quit IRC14:47
*** diegows has quit IRC14:52
*** ajayaa has quit IRC14:55
*** afazekas has quit IRC14:56
marekddstanek: ping.14:58
stevemarBAKfr, sounds like a bug to me14:59
*** gokrokve has quit IRC14:59
*** gokrokve has joined #openstack-keystone15:00
*** sbfox has joined #openstack-keystone15:02
*** xianghui has joined #openstack-keystone15:04
dstanekmarekd: hi15:04
dstaneki'm actually looking at your issue now :-)15:04
dstanekwell, the py33 venv is building, but i'm close15:04
marekddstanek: great, thanks!15:05
marekddstanek: does py33 accept multiline string wrapped with >>"""<< ?15:05
dstanekmarekd: yes15:07
dstanekmarekd: at first glance it seems that the XML is a string instead of a byte string15:09
marekddstanek: yes, it's string.15:09
marekda *long* string :(15:09
marekddstanek: it passes tests under py2, but I suck in py3 so a hint how to make it work on py2 and 3 would be more than welcome :-)15:10
marekdwelcomed15:10
dstanekmarekd: the -d arg looks wierd here: http://logs.openstack.org/66/92166/14/check/gate-python-keystoneclient-python33/4471f0f/console.html#_2014-06-10_13_06_51_44515:10
marekddstanek: because of 'b' ?15:11
dstanekyeah15:13
*** praneshp has joined #openstack-keystone15:13
marekddstanek: do you think line 73 in https://review.openstack.org/#/c/92166/14/keystoneclient/tests/v3/test_auth_saml2.py might have something to do with that?15:14
*** daneyon has joined #openstack-keystone15:15
*** mberlin has quit IRC15:16
dstanekmarekd: i don't think so - but why do you have to make it a single line?15:16
*** mberlin has joined #openstack-keystone15:17
marekddstanek: I have some XML strings in saml2_fixtures file. Now, since I must transform it into XML objects (using etree.XML()) and cannot compare objects later I decided I should transform everything again to strings and compare strings.15:18
marekdnow, etree puts different formatting so the strings would not be equal.15:19
dstanekmarekd: that is likely to break in the future if other changes happen (like attributes are re-ordered)15:20
marekddstanek: these are tests, so I decide what my fake server responds with...15:22
marekdi don't do that stupid comparison in a real code - i don't need to.15:22
*** jsavak has quit IRC15:22
*** jsavak has joined #openstack-keystone15:23
dstanekmarekd: no i mean when you convert the xml to strings in the tests15:23
marekddstanek: hm, so any better way of comparing those XMLs ?15:24
marekdtransforming strings into XML objects and recursively iterating on the tree?15:25
bknudsonmarekd: I think someone was working on an XML matcher for testtools / oslo.test15:28
marekdbknudson: oh, that would be nice.15:28
bknudsonmarekd: https://review.openstack.org/#/c/74861/4/oslotest/matchers.py15:28
marekdclass XMLMatches(object) could do the work...15:30
marekdbknudson: how can I use it? Any special import i need to have?15:30
bknudsonmarekd: it's not even merged yet... could steal it and put it in keystone15:30
marekdhmm, ok.15:31
bknudsonand switch to the testtools matcher if that gets merged15:31
marekdbknudson: okay!15:31
*** gyee has joined #openstack-keystone15:31
*** thedodd has quit IRC15:32
*** thedodd has joined #openstack-keystone15:34
dstanekmarekd: there are a couple of odd things i'm working through15:35
dstanekyou are using str() in at least 1 place which you probably don't want to do15:35
marekddstanek: it'd be great to see some feedback on the patchset!15:36
dstanekmarekd: in the process :-)15:44
*** jsavak has quit IRC15:44
marekddstanek: great, thanks!15:44
*** sbfox has quit IRC15:57
rodrigodsis there a chance of anyone review https://review.openstack.org/#/c/97600/? Maybe it's not a desired script at all?15:57
dstanekrodrigods: it likely hasn't been looked at much because it's failing pep816:01
*** sbfox has joined #openstack-keystone16:02
*** sbfox has quit IRC16:02
*** sbfox has joined #openstack-keystone16:03
morganfainbergmorning16:03
*** jsavak has joined #openstack-keystone16:04
gyeemorganfainberg, just added my comments https://review.openstack.org/#/c/96315/16:04
morganfainberggyee, thanks.16:04
rodrigodsdstanek, is it? I thought the second patch has passed the tests16:05
morganfainberggyee, should be easy to address the comments. plan on it post meeting today.16:05
rodrigodsdstanek, it did, actually...16:05
gyeemorganfainberg, if Glance does image encryption, I wonder how this all going to work16:06
morganfainberghehe16:06
dstanekmarekd: i got the tests working now16:08
*** marcoemorais has joined #openstack-keystone16:08
marekdsome link?16:09
marekdor you want to upload new version of the patch?16:09
marekd(both are fine)16:09
marekddstanek: ^^16:09
bknudsonmarekd: are you aware of plans for Juno to make keystone an IdP? (e.g., producing SAML assertions)16:10
marekdbknudson: are you talking about any specific blueprint?16:10
*** wwriverrat has joined #openstack-keystone16:10
bknudsonmarekd: no, just wondering if this was something you thought we'd be doing or that we'd need.16:11
marekdi am aware of making keystone2keystone federation which *may* require Keystone to act as a SAML/whatever fed protocol IdP.16:11
dstanekmarekd: i can push it up in a sec - i want to finish these last few review comments16:11
*** jaosorior has quit IRC16:12
marekddstanek: thanks, probably the cleanest way for that fix.16:12
bknudsonstevemar: were you looking at making Keystone a federation provider?16:12
marekddstanek: i will try to address your comments later.16:12
BAKfrmorganfainberg, I've a question to complete https://review.openstack.org/#/c/9521216:12
BAKfrIf an empty id (but present) is passed to the request of  region creation, should we returns an error or generate a random id ?16:13
marekdbknudson: service provider or identity provider?16:13
marekdbknudson: (in your question for stevemar)16:13
bknudsonmarekd: what's the difference?16:13
gyeerodrigods, dstanek, I am all for adding more examples, but we need a framework in place so we can gate them just like the unit tests16:14
gyeehaving broken examples is not cool16:14
marekdservice provider is something that will accept an assertion/claim and basically protects a resource. IdP is something that can authenticate yourself and issue an assertion.16:14
marekdcurrently Keystone is a SP.16:15
marekdand your LDAP database with something that talks SAML2 will be IdP.16:15
bknudsonmarekd: right, we've already got SP, so I'm wondering if IdP is something we've got planned.16:15
marekdbknudson: i think so...16:15
morganfainberggyee, responded to your comments, have a question in-line16:15
morganfainberggyee, before i upload a new patch, re the multiple filters.16:16
bknudsonmarekd: keystone IdP isn't something your group needs?16:16
morganfainberggyee, i think that would be a masssssssssive scope increase, and honestly, i wont get it done for Juno.16:16
morganfainberggyee, at least not likely.16:16
gyeemorganfainberg, how so? should be a simple change to auth_token middleware16:16
morganfainberggyee, it feels wrong to require extra filters to make it work.16:17
gyeewe just need to make them configurable16:17
morganfainberggyee, no, auth_token strips out all the headers etc16:17
*** jsavak has quit IRC16:17
marekdbknudson: my group?16:17
morganfainberggyee, it's going to be a bunch of work as is.16:17
*** jsavak has joined #openstack-keystone16:17
morganfainberggyee, why does it need to be configurable? X-Auth-Token isn't?16:17
gyeewe just need to make auth_token filter generic16:17
morganfainberggyee, i would rather have a fixed header to use here... predictable and we can drive projects to use it.16:17
gyeelike where to look for the auth token16:18
morganfainberggyee, i think that is far out of scope16:18
morganfainberggyee, far far far out of scope for this16:18
gyeeand how to set the headers, it can be any token16:18
morganfainberggyee, auth_token needs a massive refactor16:18
morganfainberggyee, i am not willing to do that here.16:18
morganfainberggyee, if we're making it generic, we should do that on a real cleanup not as part of a new feature16:18
gyeemorganfainberg, but if we make those configurable, changes should be trivial I think16:19
gyeemorganfainberg, let me put up some sample code to illustrate16:19
morganfainberggyee, being honest here, I don't see this happening in juno then.16:19
*** diegows has joined #openstack-keystone16:19
gyeeshould be a really simple change, but I could be smoking something for breakfast :)16:20
morganfainberggyee, if we want to do the auth_token clean up and make it generic, we do that, we don't commit to a massive refactor of the middleware and a big feature change16:20
gyeemorganfainberg, let me put up some simple code16:20
gyeeI don't think it needs to be a massive refactoring16:20
morganfainberggyee, it's not about it being a small code change, we shouldn't be "hacking" it to be more generic. if we're doing that we should do it right16:20
stevemarbknudson, marekd sorry - shoulders deep in configuring federation with someone atm16:21
morganfainberggyee, we don't make it worse, i think what you're proposing will make the middleware worse from a later cleanup perspective.16:21
morganfainberggyee, unless we really do cleanup the middleware16:21
bknudsonstevemar: you'll be able to start your own consulting business16:21
gyeemorganfainberg, I honestly think making it generic would make it more flexible16:22
bknudsonmorganfainberg: gyee: here's some middleware cleanups: https://review.openstack.org/#/c/97127/16:22
stevemarbknudson, working with someone from tfim, we're about an 1.5 hrs into a call, i think we're almost done16:22
morganfainberggyee, then we "fix" middleware and commit to that this cycle. hacking it up to be generic is a bad idea16:22
openstackgerritDavid Stanek proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216616:23
dstanekmarekd: ^16:23
gyeemorganfainberg, see, see, bknudson started it :)16:23
morganfainberggyee, i'm happy to let you take this spec on if you want. but i wont commit to a cleanup + feature.16:23
dstanekmarekd: i'll do a real review now too16:23
marekddstanek: cool,16:23
marekddstanek: i will take care of that after you submit your comments.16:23
morganfainberggyee, thats fine, i'm not committing to fighting feature against cleanup this cycle.16:23
gyeemorganfainberg, making it generic is far from cleaning it up, we have much more work to do16:24
rodrigodsgyee, ++16:24
morganfainberggyee, if you're willing to commit to taking on the spec, including making it generic, please do. but i really don't think i can get it done16:24
rodrigodsgyee, there is any plan to do so?16:24
morganfainberggyee, limits on my time/capabilities within the cycle...especially since ... well we're already running up on J116:24
bknudsonwhy make auth_token generic? If you need something different then provide your own middleware16:25
gyeerodrigods, I am not aware, but you can start :)16:25
morganfainberggyee, i also heartily disagree with making it take <any> header for tokens.16:25
morganfainbergbknudson, ++16:25
morganfainberggyee, what is the use case for making it generic besides "it would be neat"?16:25
gyeemorganfainberg, just to make it less messy that's all16:26
morganfainbergthis is security related, i like security related stuff to be consistent and predictable16:26
*** diegows has quit IRC16:26
*** marcoemorais has quit IRC16:27
marekdneed to disappear for an hour or two. be back later.16:27
*** marcoemorais has joined #openstack-keystone16:27
gyeemorganfainberg, but it is predictable16:27
morganfainberggyee, i don't think it's the right approach. but if you're really heart set on it, propose it. and if making it generic is (really) a pre-req to this feature, i don't think this will land within j216:27
morganfainbergor even j316:28
morganfainberggyee, no it isn't.16:28
morganfainberggyee, you could accept the token from _any_ header by config.16:28
morganfainbergwhat is the need for that?16:28
*** marcoemorais has quit IRC16:28
rodrigodsgyee, great!16:28
morganfainbergit isn't predictable16:28
*** marcoemorais has joined #openstack-keystone16:29
*** marcoemorais has quit IRC16:29
morganfainberghow do i know what header my OpenStack solution is using for passing a token to a service?16:29
*** BAKfr_ has joined #openstack-keystone16:29
morganfainbergand it could be different for each and every service16:29
*** marcoemorais has joined #openstack-keystone16:29
*** BAKfr has quit IRC16:29
morganfainbergagain i just disagree with that approach16:30
* morganfainberg hasn't had enough coffee for the morning to go more in depth :P16:32
gyeemorganfainberg, that's fine, I was merely making a suggestion with the worries that auth_token is becoming unmanageable as is16:32
gyeewe can do refactoring later if you want, but we seem to keep adding more stuff to it where there are good opportunities for refactoring16:33
morganfainberggyee, we can discuss more when i'm more caffeinated. i might change my mind :P16:34
morganfainberggyee, you know how it goes pre-morning coffee16:34
gyeehaha16:34
morganfainberggyee, brain can only connect so many dots before giving up16:34
gyeeI just had a strong vietnamese drop coffee, the shit is strong16:35
morganfainbergnice!16:35
gyeedrip16:35
morganfainbergi'm gonna go get an espresso and a drip coffee16:35
morganfainbergmaybe a breakfast sammich too16:35
*** xianghui has quit IRC16:35
gyeemorganfainberg, if you find yourself in S.F., try Blue Bottle http://www.bluebottlecoffee.com/16:37
morganfainbergthat is absolutely on my list of places!16:37
gyeeI had to stand in line for at least half hour if not more every time I go there16:37
gyeetheir coffee is awesome!16:38
*** diegows has joined #openstack-keystone16:38
*** gokrokve_ has joined #openstack-keystone16:40
morganfainberggyee, yeah have heard nothing but good things.16:40
*** gokrokve has quit IRC16:43
morganfainbergayoung, gyee, dolphm said he will be out for the meeting today. but i need to take someone to the ER right now.16:47
ayoungmorganfainberg, why are you on IRC, then16:47
ayoungGO!16:47
gyeeNOW!16:47
morganfainbergayoung, it's a migraine not bleeding out.. i am going. note from dolphm: there's two changes that need to be gating to make juno-1, and i don't have anything new on the hackathon to report other than the RSVP form if anyone missed it (i think everyone responded already)16:48
morganfainbergotherwise, meeting is on the list16:48
morganfainbergbe back later16:48
ayoung++16:48
*** schofield has quit IRC16:51
*** schofield has joined #openstack-keystone16:52
*** NM has quit IRC16:53
*** leseb has quit IRC16:57
openstackgerritayoung proposed a change to openstack/keystone: Allow for multiple PKI Style Providers  https://review.openstack.org/9884516:59
openstackgerritayoung proposed a change to openstack/keystone: Default to PKIZ tokens  https://review.openstack.org/9889716:59
*** kun_huang has joined #openstack-keystone17:01
*** sbfox has quit IRC17:02
*** BAKfr_ has quit IRC17:04
*** sbfox has joined #openstack-keystone17:07
*** harlowja_away is now known as harlowja17:08
*** nsquare has joined #openstack-keystone17:09
*** sbfox1 has joined #openstack-keystone17:11
*** sbfox1 has quit IRC17:14
*** sbfox1 has joined #openstack-keystone17:14
*** sbfox has quit IRC17:15
dstanekmarekd: just went through my first pass of your review17:15
dstanekmarekd: one thing i noticed, but forgot to comment on was the extra spacing in the License headers17:16
*** NM has joined #openstack-keystone17:22
*** dims_ has quit IRC17:28
*** schofield has quit IRC17:29
*** schofield has joined #openstack-keystone17:32
openstackgerritBrant Knudson proposed a change to openstack/keystone-specs: V3 extension advertisement  https://review.openstack.org/9597317:33
marekddstanek: thanks, looking at it now.17:38
*** dims_ has joined #openstack-keystone17:42
*** thedodd has quit IRC17:42
*** sbfox1 has quit IRC17:48
*** sbfox has joined #openstack-keystone17:48
*** sballe_ has quit IRC17:50
*** daneyon has quit IRC17:50
*** sbfox has quit IRC17:58
*** openstack-securi has joined #openstack-keystone18:00
*** rwsu has joined #openstack-keystone18:02
*** sbfox has joined #openstack-keystone18:04
*** jsavak has quit IRC18:04
*** jsavak has joined #openstack-keystone18:04
*** CraigLee has joined #openstack-keystone18:07
*** leseb has joined #openstack-keystone18:08
*** leseb has quit IRC18:13
*** __afazekas is now known as afazekas18:18
*** harlowja is now known as harlowja_away18:25
*** dims_ has quit IRC18:25
*** gokrokve_ has quit IRC18:26
*** thedodd has joined #openstack-keystone18:46
*** gokrokve has joined #openstack-keystone18:46
*** erecio has quit IRC18:48
*** erecio has joined #openstack-keystone18:49
*** bknudson has quit IRC19:02
*** harlowja_away is now known as harlowja19:03
*** thedodd has quit IRC19:04
stevemarmarekd, ping19:04
morganfainbergayoung, cool we've got a few to discuss next week, but all-in-all not a bad result19:05
ayoung++19:05
*** thedodd has joined #openstack-keystone19:05
*** praneshp_ has joined #openstack-keystone19:06
*** jsavak has quit IRC19:06
*** jsavak has joined #openstack-keystone19:07
*** praneshp has quit IRC19:08
*** praneshp_ is now known as praneshp19:08
*** nkinder has quit IRC19:08
ayoungmorganfainberg, here's how it looks  http://eavesdrop.openstack.org/meetings/keystone/2014/keystone.2014-06-10-18.01.html19:08
morganfainbergayoung, nice.19:08
morganfainbergyeah that works for me.19:08
marekdstevemar: 5 min.19:09
*** erecio has quit IRC19:10
*** dims_ has joined #openstack-keystone19:10
*** erecio has joined #openstack-keystone19:11
*** marcoemorais has quit IRC19:11
*** marcoemorais has joined #openstack-keystone19:11
*** marcoemorais has quit IRC19:12
*** marcoemorais has joined #openstack-keystone19:12
*** sbfox has quit IRC19:13
marekdstevemar: sorry, I was on the phone.19:20
marekdstevemar: what's up?19:20
*** gyee has quit IRC19:23
stevemarmarekd, not seeing saml attributes in the env. context19:24
*** CraigLee has quit IRC19:25
marekddid you configure attribute-map.xml in /etc/shibboleth ?19:25
stevemarlet me poke around in there19:25
stevemarthere should be defaults shouldn't there?19:25
marekdthere should.19:26
marekdstevemar: are you getting into Keystone (so it complains there is nothing it can map etc etc)?19:26
*** afazekas has quit IRC19:26
stevemarmarekd, yep, its getting into keystone, and then the mapping engine blows up19:27
stevemarmarekd, when i print out the context, to log, it doesn't show much in the environment19:27
stevemari think you are right, my attribute-map looks pretty sparse19:27
marekdhm19:28
marekdlet me check one option.19:28
marekdstevemar: let me look for an option that additionally stores whole assertion into environment. You will be able to see what the assertion looks like, try to check what's in your attribute-map.xml and see if they intersect somehow.19:29
*** amcrn has joined #openstack-keystone19:31
*** daneyon has joined #openstack-keystone19:37
marekdstevemar: i think the option is : ShibExportAssertion set to On in the apache vhost config19:38
marekdhttp://docs.openstack.org/developer/keystone/configure_federation.html#configure-apache-httpd-for-mod-shibboleth19:39
*** bknudson has joined #openstack-keystone19:40
morganfainbergi wish my laptop's screen was brighter....19:41
morganfainbergwould make it easier to sit outside and code19:41
rodrigodsis there a better way to "emulate" a domain related role in services like Nova, than granting roles to all projects in a domain?19:45
jamielennoxhey, do people mind having a look over https://review.openstack.org/#/c/98955/ (actually a nova-spec) just to make sure i'm sane before i send it off to the wider -dev community?19:46
jamielennoxayoung: ^19:46
ayoungjamielennox, sure19:47
*** thedodd has quit IRC19:47
jamielennoxi'll put it on the -dev list because the same things will happen in cinder etc, but let me know if there's anything that needs to be expanded or better explained first19:48
ayoungjamielennox, most of that "spec" is problem description19:49
*** openstack-securi has quit IRC19:49
stevemarthanks marekd i'll give it a try19:49
ayoungjamielennox, that is very sane19:49
ayoung option_group = 'neutron'19:50
ayoung19:50
ayoungsess = session.Session.load_from_conf_options(CONF, option_group)19:50
ayoungsess.auth = conf.plugin_from_conf(CONF, option_group)19:50
ayoungclient = client.Client(session=sess)19:50
ayoungthat is the heart of it, and it makes a load of sense19:50
*** thedodd has joined #openstack-keystone19:50
jamielennoxok, but shuffle the rest around into problem description19:50
ayoungjamielennox, conf.plugin_from_conf  looks off19:50
*** kun_huang has quit IRC19:50
ayoungthat should not be conf19:50
jamielennoxyea, i thought that too19:50
ayoungcan we do it off the session?19:51
jamielennoxumm19:51
jamielennoxthere's a fair bit of code there, i think it needs to be isolated like that somehow19:51
jamielennoxyou could have session call out to it19:51
ayoungsession.plugin_from_conf(CONF, option_group)   would do it in one line19:52
ayoungyou could reuse the plugin with19:52
ayoungauth = session.auth19:52
jamielennoxso plugin there is auth plugin and in general i think it makes more sense to provide the plugin to the session19:53
ayounginfact,19:53
ayoungsess.auth = conf.plugin_from_conf(CONF, option_group)  is different from previous examples because you don't know the  class to load in, right?19:54
ayounganyway, that is a little awkward, but the overall approach is solid19:54
jamielennoxwhat do you mean the class?19:55
jamielennoxin previous examples i would have always loaded the auth plugin first and then passed it to session, i don't think the from_conf function currently will let me specify additional params19:56
jamielennoxbut that's fixable19:56
*** marcoemorais has quit IRC19:57
*** marcoemorais has joined #openstack-keystone19:58
ayoungright,  you loaded the auth plugin by classname19:58
ayoungbut here you want to get that out of the config file, so there is no obvious factory, which is why you hung it off the conf19:58
ayoungbut it doesn't belong there19:59
marekdanybody had an issue with py33 tests and missing pyconfig.h header?19:59
marekdi did install python3-dev package (using debian)19:59
jamielennoxayoung:  from keystoneclient.auth import conf19:59
jamielennoxit's not the actual CONF object19:59
ayoungyuck19:59
ayoungI'd rather not do that....20:00
ayoungshould be something like20:00
ayoungauth.Auth20:00
openstackgerritBrant Knudson proposed a change to openstack/keystone-specs: JSON Home  https://review.openstack.org/9735920:00
ayoungjust like session is20:00
*** NM has quit IRC20:00
jamielennoxyou mean make an actual plugin object that takes the CONF as params and proxies to the eventual object?20:01
*** NM has joined #openstack-keystone20:01
ayoungjust to keep it consistent, and to encapsulate the discovery logic20:01
*** daneyon has quit IRC20:02
jamielennoxinteresting20:02
*** jsavak has quit IRC20:03
jamielennoxayoung: i'm not sure it's better though, you simply end up wrapping a plugin rather than providing a factory to one20:03
ayoungjamielennox, I mean only thjat auth.Auth is the factory, instead of conf20:04
*** jsavak has joined #openstack-keystone20:04
jamielennoxsession.auth = ConfPlugin(CONF, option_group) seems odd20:04
ayoungsession.auth = AuthPluginFactory(CONF, option_group)20:04
stevemarmarekd, how do you specify a prefix for shib?20:04
ayoungalthough not Factory20:04
jamielennoxwhere AuthPluginFactory is a class or a function?20:05
ayoungsession.auth = auth.AuthPlugins(CONF, option_group)20:05
marekdstevemar: in keystone config or where?20:05
ayoungah, right...cuz session.Session is a constructor20:05
stevemarmarekd, in the shib config side of things20:05
stevemari know how to change it in keystone :)20:05
ayoungsession.auth = auth.plugins(CONF, option_group)20:05
marekdstevemar: hehe, of course you do :-)20:05
marekdstevemar: let me check.20:05
jamielennoxok, so that's mostly saying that i should put it in keystoneclient/auth/__init__.py rather that /auth/conf.py20:06
*** sbfox has joined #openstack-keystone20:06
*** sbfox has quit IRC20:06
*** sbfox has joined #openstack-keystone20:06
marekdstevemar: http://linux.web.cern.ch/linux/scientific6/docs/shibboleth/attribute-map.xml -> id tag.20:07
marekdlater in the environment i was seeing variables named accordingly to the values from the id tag.20:07
stevemarah i see20:08
marekdstevemar: yeah, that's kinda shitty :/20:08
stevemarwhat about just disabling external from keystone.conf?20:08
marekdexternal prefix?20:09
*** NM has quit IRC20:09
stevemarmarekd, from auth_methods20:09
marekdstevemar: aaaa, go ahead and disable :-)20:09
marekdhaving issues with REMOTE_USER?20:09
marekdactually...20:09
marekdright now, even if you disable external and you put something into REMOTE_USER you will be in trouble.20:10
marekdstevemar: besides why do you think about disabling external auth method while talking about assertions prefixes?20:11
stevemarmarekd, then we can keep REMOTE_USER in env, and not go through external auth?20:12
*** sbfox has quit IRC20:12
*** NM has joined #openstack-keystone20:13
marekdstevemar: AFAIR keystone checks for REMOTE_USER in the first place and if it finds it there it automatically tries to execute external auth workflow.20:13
stevemarmarekd, thats kinda lame, even if external auth isn't listed as a method?20:14
marekdstevemar: https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L45120:14
stevemarwow20:14
stevemarwe should really expand that conditional to include: if 'external' in auth_methods:20:15
marekdtafam20:15
marekdyeah.20:15
stevemarbah20:16
marekd?20:16
stevemarmarekd, do you have a sample assertion somewhere? it's been a while20:16
marekdstevemar: pure xml?20:16
stevemarmarekd, yeah20:17
*** browne has joined #openstack-keystone20:20
marekdstevemar: https://gist.github.com/zaccone/48ae00a5f9de8ccbbb7820:21
marekdfrom my test federated-keystone.20:21
rodrigodsis there any docs where the content from a token is described?20:21
stevemarmarekd, can you get one that is unencrypted?20:22
openstackgerritBrant Knudson proposed a change to openstack/keystone: add docs on v2 & v3 support in the service catalog  https://review.openstack.org/9907520:23
*** afazekas has joined #openstack-keystone20:24
marekdstevemar: hah, right :-) I would have to probably print some debug log in Keystone, but for now I think you can take a look at: http://adam.younglogic.com/2013/10/saml-example/ and http://adam.younglogic.com/resources/adam_example.saml20:25
marekdstevemar: i need to pick somebody up from the airport and i am already late :( Be back in 40mins20:25
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216620:29
marekddstanek: ^^20:29
*** browne has quit IRC20:33
*** arunkant has quit IRC20:33
*** esmute has quit IRC20:33
*** esmute has joined #openstack-keystone20:33
*** arunkant has joined #openstack-keystone20:33
*** browne has joined #openstack-keystone20:34
*** browne has quit IRC20:39
*** browne has joined #openstack-keystone20:40
*** dhellmann_ has joined #openstack-keystone20:41
*** schofield has quit IRC20:46
*** dhellmann_ has quit IRC20:48
*** schofield has joined #openstack-keystone20:48
*** dhellmann_ has joined #openstack-keystone20:48
*** gyee has joined #openstack-keystone20:49
*** gyee has quit IRC20:51
*** gyee has joined #openstack-keystone20:53
*** rodrigods_ has joined #openstack-keystone20:54
*** bknudson has quit IRC20:54
*** amcrn has quit IRC20:54
*** dhellmann has quit IRC20:54
*** hrybacki_ has quit IRC20:54
*** rodrigods has quit IRC20:54
*** DuncanT- has quit IRC20:54
*** openstackgerrit has quit IRC20:54
*** dhellmann_ is now known as dhellmann20:54
*** dhellmann has quit IRC20:56
*** openstack-securi has joined #openstack-keystone21:01
dolphmstevemar: i noticed bknudson provided an update for one of your two comments on https://review.openstack.org/#/c/99075/ ...21:03
dolphmstevemar: for the other, would a link to http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html be appropriate?21:03
stevemardolphm, maybe to http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#authenticating specifically21:04
dolphmstevemar: works for me21:05
stevemardolphm, i'll wait til jenkins is done, but brants changes look good21:05
dolphmstevemar: cool. i made the same change locally and was trying to figure out how to address your other comment :)21:05
*** marcoemorais has quit IRC21:09
*** marcoemorais has joined #openstack-keystone21:09
*** leseb has joined #openstack-keystone21:10
*** openstack-securi has quit IRC21:10
*** bknudson has joined #openstack-keystone21:11
*** amcrn has joined #openstack-keystone21:11
*** hrybacki_ has joined #openstack-keystone21:11
*** DuncanT- has joined #openstack-keystone21:11
*** openstackgerrit has joined #openstack-keystone21:11
*** htruta has quit IRC21:12
stevemardolphm, commented21:14
*** rodrigods_ has quit IRC21:18
openstackgerritSteven Hardy proposed a change to openstack/python-keystoneclient: Enable forcing re-authentication for trust-scoped clients  https://review.openstack.org/9629821:22
*** leseb has quit IRC21:26
*** NM has quit IRC21:30
*** jsavak has quit IRC21:31
*** amcrn has quit IRC21:31
morganfainbergjamielennox, ping21:33
jamielennoxmorganfainberg: hello21:34
morganfainbergjamielennox, re some heat + ksc work.21:34
morganfainbergjamielennox, so, with all the new cool session magic in ksc, is it best to just still (for simplicity sake) just do a if domain_id is provided, use domain_id, else use domain_name?21:34
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add v3 curl examples  https://review.openstack.org/9697321:34
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use code-block for curl examples  https://review.openstack.org/9852621:34
morganfainbergjamielennox, they're using V3Client object directly now, not sure if that is the best option.21:35
*** leseb has joined #openstack-keystone21:36
jamielennoxso version discovery hasn't been merged yet - it's actually what i'm looking at again now21:36
jamielennoxah - automatic version discovery in the session21:37
jamielennoxi don't think how you manage domain_id/name will change21:37
jamielennoxeven if you switch to an auth plugin you get like v3.Password() which takes both and takes the one most appropriate21:37
openstackgerritDolph Mathews proposed a change to openstack/keystone: add docs on v2 & v3 support in the service catalog  https://review.openstack.org/9907521:37
morganfainbergjamielennox, ok21:38
morganfainbergjamielennox, so for now i'll keep the same logic21:38
dolphmstevemar: dstanek: bknudson: addressed all comments https://review.openstack.org/#/c/99075/21:38
jamielennoxi'd like to see heat attempt to go towards a session as i think they will be one of the big winners - but it's not a trivial change21:38
morganfainbergjamielennox, ++ make the big swing to session independent of this bug fix21:39
jamielennoxyea21:39
morganfainbergcool21:39
morganfainbergthats what i was looking for21:39
dolphmis anyone actively reviewing henry's change for multi-backend-uuids?21:39
dolphm ^--> https://review.openstack.org/#/c/74214/21:39
stevemarthanks dolphm21:40
stevemardolphm, that one scares me21:41
stevemarbknudson, did you mention tempest tests for changes to federation today (or yesterday)?21:42
stevemarwas wondering if you had any ideas cooking on how we could do that21:42
bknudsonstevemar: I think I did mention it yesterday21:42
dstanekdolphm: i am right now21:43
bknudsonsince there's a section of the spec template for testing considerations21:43
marekdbknudson: that's interesting, what was your idea?21:43
bknudsonstevemar: and since we didn't have that section before, it turns out that there's a lot of things that aren't being tested21:43
bknudsonmarekd: I have no idea how to test it in tempest, since I'm not very familiar with tempest testing21:44
bknudson(we didn't worry about it before since we didn't have a spec template that says to worry about it)21:44
*** henrynash has quit IRC21:44
stevemarwell put21:44
stevemarit was a to-do on my federation list going into the summit21:45
bknudsonmaybe we'll set something up internally and then hook it up for external CI21:45
stevemarbknudson, internally within ibm?21:45
bknudsonstevemar: yes21:45
marekdCI ?21:45
bknudsonlike the DB2 CI21:45
stevemarbknudson, cool... cool21:45
stevemarah21:45
bknudsonmarekd: continuous integration21:45
*** sbfox has joined #openstack-keystone21:45
stevemarbknudson, so, who set up the DB2 CI?21:46
stevemarbknudson, would the same team be able to do it for TFIM?21:46
bknudsonstevemar: we had a team in beijing set it up... zhu zhu21:46
stevemari see21:46
bknudsonthere should be a wiki page that says how the db2 ci works...21:46
marekdstevemar: btw - did you succeed with your federation setup?21:47
bknudsonhttps://wiki.openstack.org/wiki/IBM/DB2-TEST21:47
stevemarmarekd, the idp guy had to go, so we will continue tmrw, he was asking if you could get the unencrypted saml assertion21:47
marekdAdam's didn't work well?21:48
marekdstevemar: let me try get an unencrypted one.21:48
marekdbut it's not the CERN's one.21:48
stevemarmarekd, i think the idp guy wants to look @ the values in the saml assertion and the attribute-map.xml file21:49
dolphmstevemar: i saw something recently about SAML2 encryption being mandatory over http, but relaxed over https (so make sure you use https?)21:51
*** dims__ has joined #openstack-keystone21:52
stevemardolphm, yeah, right now I'm testing it over http, cause I was lazy with devstack21:52
stevemaris there an easy way to switch it to https?21:52
*** hrybacki has quit IRC21:53
*** dims_ has quit IRC21:54
*** dhellmann has joined #openstack-keystone21:55
dolphmstevemar: "If the Service Provider uses SSL/HTTPS and supports decrypting assertions, the Identity Provider MAY encrypt the assertion." as opposed to MUST with HTTP21:55
*** openstack-securi has joined #openstack-keystone21:56
stevemardolphm, previous question, do you know?21:57
*** hrybacki_ has quit IRC21:57
stevemardolphm, normally i would just teardown devstack and bring it back up, having tls as an enabled service, but if there is an easier way...21:58
openstackgerritDolph Mathews proposed a change to openstack/keystone: remove unnecessary word in docs: 'an'  https://review.openstack.org/9921821:58
dolphmstevemar: offhand, i don't recall :(22:01
dolphmstevemar: ayoung or bknudson might know better?22:01
bknudsonif https setup is in devstack I haven't tried it22:03
*** openstack-securi has quit IRC22:04
dstanekdolphm: there seem to be dragons lying in the domain specific driver code22:04
dolphmdstanek: lots! be afraid to enter22:05
dolphmdstanek: are you looking at issues being fixed by henry's patch, or introduced by it? :-/22:05
*** marcoemorais has quit IRC22:08
dstaneki think neither - i'm walking through everything trying to understand the implications of the changes22:09
openstackgerritA change was merged to openstack/keystone: fixed several pep8 issues  https://review.openstack.org/9368622:09
dstaneki don't understand the whole 'is_domain_aware' deal22:09
bknudsonsome backends are domain aware and some are not22:10
bknudsonI think it's just LDAP that's not22:10
dstanekwhat does it mean to 'support domains'? that all queries will automatically have a domain_id added for filtering?22:10
marekddolphm: where did you see that spec about encrypting saml assertion and http vs https?22:11
dstanekbknudson: for example http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n31722:11
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog  https://review.openstack.org/7459922:12
dstanekbknudson: why does selecting a non-domain aware driver clear the hint? because it doesn't support it and the comment is misleading?22:12
bknudsondstanek: if the driver isn't domain aware then it only contains 1 domain.22:13
dstanekwhen i say 'list_users(domain_scope="blah")' where does the filter get set?22:14
*** gordc has quit IRC22:14
marekdstevemar: anyways, I will dig up a little bit and try to somehow decrypt that assertion and send it along with working attribute-map.xml .22:17
stevemarwoo hoo22:17
*** bknudson has quit IRC22:22
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session Documentation  https://review.openstack.org/8407022:25
morganfainbergdstanek, meh, if we get henry's unique id stuff in and per-domain backend logic, we can make any/all backends not "domain aware"22:26
morganfainbergdstanek, more to the point, SQL is domain aware because... it lends itself to be, brant did a ton of work to make kvs more domain friendly iirf22:27
morganfainbergiirc22:27
morganfainbergdstanek, the domain_scope is just used to determine the backend driver. that is part of the multi-backend story (e.g. SQL + LDAP + LDAP + LDAP)22:27
*** schofield has quit IRC22:27
morganfainbergdstanek, in short, it doesn't filter, it just looks up the specific backend.22:28
*** PritiDesai has joined #openstack-keystone22:29
*** schofield has joined #openstack-keystone22:29
jamielennoxdstanek: can you review your -2 on https://review.openstack.org/#/c/87849/ i don't think it matters anymore as lance is going with jsonschema22:29
*** leseb has quit IRC22:32
dstanekjamielennox: yeah, i can remove the -222:38
marekdstevemar: dolphm: morganfainberg: docs fix, should be easy: https://review.openstack.org/#/c/97479/22:41
*** thedodd has quit IRC22:43
marekdstevemar: thanks for quick +2 :-)22:46
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Create HTTP methods mixin object  https://review.openstack.org/9768022:49
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768122:49
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session Adapters  https://review.openstack.org/8623722:49
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Add service_name to URL discovery  https://review.openstack.org/9767922:49
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382922:50
marekddstanek: do you think you will find a few minutes for a second round of https://review.openstack.org/#/c/92166/ ?22:56
dstanekmarekd: sure22:56
marekdsomewhere today, not now of course.22:56
marekddstanek: great22:57
*** marekd is now known as marekd|away22:59
*** PritiDesai1 has joined #openstack-keystone23:03
*** PritiDesai has quit IRC23:03
*** radez is now known as radez_g0n323:04
ayoungstevemar, you still have a question?23:05
jamielennoxmarekd|away: how did you go with the redirect thing?23:05
*** nkinder has joined #openstack-keystone23:06
*** dims__ has quit IRC23:06
*** dims__ has joined #openstack-keystone23:08
*** dstanek is now known as dstanek_zzz23:13
*** rodrigods has joined #openstack-keystone23:14
*** gokrokve has quit IRC23:19
*** sbfox has quit IRC23:25
*** hrybacki has joined #openstack-keystone23:27
*** rodrigods has quit IRC23:28
*** praneshp has quit IRC23:30
*** praneshp has joined #openstack-keystone23:33
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Create HTTP methods mixin object  https://review.openstack.org/9768023:35
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768123:35
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session Adapters  https://review.openstack.org/8623723:35
jamielennoxayoung: i'm going through your revocation events change, why is RevokeEvent outside the v3 tree? why doesn't the manager inherit from BaseManager?23:40
jamielennoxi'm not seeing the point of some of this, why build the RevokeEvent object just to convert it back to a dictionary23:41
*** kun_huang has joined #openstack-keystone23:41
jamielennoxwhy do you need to call build_token_values before calling is_revoked? why not just handle it there?23:43
*** PritiDesai1 has quit IRC23:45
*** gokrokve has joined #openstack-keystone23:52
jamielennoxmorganfainberg: as you seem to be interested in logging token - do you have any ideas how to strip that out sanely?23:55
jamielennoxX-Auth-Token is easy, i've no idea how to signal that this particular request is an auth request and you shouldn't log the password - but everything else is fine23:56
morganfainbergjamielennox, obscure them in the session object, never actually put them in a log?23:56
morganfainbergjamielennox, pretty much we should never log auth requests or tokens. (maybe some crazy trace level)23:57
jamielennoxmorganfainberg: so x-auth-token is easy, you just put a check https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L243-L24523:57
morganfainbergerm strip out password in the auth request by not logging.23:57
morganfainbergaye23:57
*** kun_huang has quit IRC23:57
jamielennoxhowever, in the case of an auth request - the session doesn't really know that23:58
morganfainbergbut you do know if it's coming from the authenticate code path - might need a flag that says _obscure_fields=[field, field, etc] and have it search/replace23:59
jamielennoxassuming at that point that we're using json - which is safe but not quite right23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!