Wednesday, 2014-06-11

[00:00] <morganfainberg> perhaps need to pass a sanitized data structure in?
[00:00] <morganfainberg> no i don't like that
[00:01] <jamielennox> morganfainberg: that's passing two structures
[00:02] <morganfainberg> like i said don't like that
[00:02] <jamielennox> yea, i had come up with that one as well
[00:02] <jamielennox> also had the idea of passing regexps
[00:03] <jamielennox> could do more precise than regexp because you know the sensitive data at that point so you could exact match - but still nasty
[00:06] <morganfainberg> is serialization expected to be handled at the HTTPClient object or above it?
[00:08] *** gokrokve has quit IRC
[00:08] *** bknudson has joined #openstack-keystone
[00:08] <jamielennox> morganfainberg: depends on usage
[00:09] <morganfainberg> wonder if we can force auth requests to always serialize in HTTPClient
[00:09] <morganfainberg> or maybe HTTPClient should be the only place we serialize
[00:09] <morganfainberg> if you want something other than JSON give me a serializer
[00:10] <morganfainberg> then we could log(sanitize+serialize) and emit(serialize)
[00:11] <jamielennox> even then though we can only test certain things
[00:12] <jamielennox> like we can say if a field exists called ['access']['user']['password'] then strip it out
[00:12] <jamielennox> that handles v2 password auth
[00:13] <jamielennox> do we need a way to push that information back towards the plugin?
[00:14] <jamielennox> the problem with all of this is can someone with a logging.conf file just get around it
[00:14] <morganfainberg> depends on if we log it at all
[00:15] <morganfainberg> if we just don't ever log certain things - we should be safe
[00:15] <morganfainberg> maybe sanitized data really is always ***SECURE DATA*** (or whatever) even if you're in DEBUG or TRACE
[00:15] <morganfainberg> we can control what our auth plugins log
[00:15] <jamielennox> so i'm looking at custom formatters and filters, but i guess you could get around that with specially crafted configs
[00:16] <jamielennox> but at which point you could get around it simply by editing the python code
[00:16] <jamielennox> or wireshark
[00:16] <morganfainberg> if someone makes a dumb plugin that logs everything i don't know if we should care besides a fat warning saying "DONT LOG SECURE DATA" as a docstring
[00:16] <morganfainberg> wireshark is a higher level of effort
[00:16] <morganfainberg> you need to be able to open a net device directly
[00:17] <morganfainberg> and editing the python code, again extra level of effort (usually requires elevated perms on the local system)
[00:17] <morganfainberg> this is to eliminate centralized logging from having this data / log files that might be visible to low priv users
[00:18] <morganfainberg> if you can edit python code or open a netdevice for snooping - i'm willing to give you secure data. likely... you have root already
[00:18] <morganfainberg> root is outside our control.
[00:18] <jamielennox> same thing could be said about a logging.conf file
[00:18] <morganfainberg> no because logging.conf could expose information to lower priv users
[00:19] <morganfainberg> think logstash or centralized syslogging
[00:19] <morganfainberg> turning on debug logging shouldn't expose secure data to the low priv users. logging.conf falls into that category
[00:34] *** gokrokve has joined #openstack-keystone
[00:38] *** ncoghlan_afk is now known as ncoghlan
[00:45] *** kun_huang has joined #openstack-keystone
[00:45] <ayoung> jamielennox, RevokeEvent itself is not an API, and is instead a domain model class, so it does not belong in the V3 tree
[00:46] *** xianghui has joined #openstack-keystone
[00:47] *** kun_huang has quit IRC
[00:49] *** dstanek_zzz is now known as dstanek
[00:51] *** diegows has quit IRC
[00:56] <gyee> ayoung, remember that AD is not LDAP talk at the summit?
[00:56] <gyee> there was some out of tree code, do you happen to remember the url?
[00:58] <ayoung> gyee, there was no out of tree code, just some work I should do to deal with the differences between DN and filter based user lookups
[00:59] <gyee> ayoung, k, I thought they had to do something to write to AD
[00:59] <gyee> maybe I remember it wrong
[00:59] <ayoung> nah, AD is still read only, with writes going to SQL only
[01:00] <ayoung> AD does == LDAP, it just is a very persnickety LDAP
[01:00] <ayoung> we need Henrynash's patch to land
[01:00] <gyee> yeah, I remember they had to create the service account there, but I wasn't sure it was done via the LDAP driver
[01:00] *** ncoghlan is now known as ncoghlan_afk
[01:01] <gyee> service accounts I mean
[01:01] *** amerine has quit IRC
[01:05] <jamielennox> morganfainberg: is it sufficient to just add a bool? log_request and if it's false then i'll just log ***SENSITIVE REQUEST EXCLUDED***
[01:05] *** kun_huang has joined #openstack-keystone
[01:05] <jamielennox> you lose access to all the other parts of the request you might care about
[01:08] *** gyee has quit IRC
[01:10] *** ncoghlan_afk is now known as ncoghlan
[01:10] *** mberlin1 has joined #openstack-keystone
[01:12] *** mberlin has quit IRC
[01:15] *** sbfox has joined #openstack-keystone
[01:26] *** dstanek is now known as dstanek_zzz
[01:26] *** amerine has joined #openstack-keystone
[01:29] <ayoung> jamielennox, morganfainberg if one of you two have the cojones to +2 I will pull the trigger on it
[01:29] *** dstanek_zzz is now known as dstanek
[01:30] <ayoung> dstanek, ^^ goes for you, too
[01:30] *** wwriverrat has quit IRC
[01:31] *** kun_huang has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
[01:35] *** dims__ has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
<openstackgerrit> Brant Knudson proposed a change to openstack/python-keystoneclient: Refactor auth_token token cache members to class
<openstackgerrit> Brant Knudson proposed a change to openstack/python-keystoneclient: Refactor auth_token revocation list members to new class
<openstackgerrit> Brant Knudson proposed a change to openstack/python-keystoneclient: Refactor auth_token, move identity server members to class
[01:55] *** amerine has quit IRC
[01:56] <jamielennox> ayoung: not me, i've spent almost no time server side since the summit to know what's happening there
[01:57] <ayoung> jamielennox, heh
[01:57] *** PritiDesai has joined #openstack-keystone
[01:58] <ayoung> gah ! gyee you don't need a flipping wiki. This is the auth plugin framework that YOU WROTE
[01:58] <ayoung> and I know he's not here
[02:00] <jamielennox> ayoung: why not just always raise and catch
<openstackgerrit> ayoung proposed a change to openstack/keystone: Kerberos as method name
[02:00] <jamielennox> people go to great lengths to not do a try/catch and i don't get it
[02:01] <ayoung> jamielennox, where?
[02:02] <ayoung> jamielennox, ah...yeah, I could do that, too. In this case, it is because I assume that this will become the hot path.
[02:02] <ayoung> The raise is actually spurious at this point, as I just want to see if the thing is in the list
[02:02] <jamielennox> i thought python was fine for exceptions
[02:02] <ayoung> I'm OK either way...
[02:03] <ayoung> want me to redo it?
[02:03] <jamielennox> ruby i know i was told off for using too many exceptions apparently it's a lot slower
[02:03] <jamielennox> meh - i was just wondering
[02:03] <ayoung> Actually, that one might look cleaner without..
[02:03] <ayoung> let me try
[02:04] <jamielennox> even the get_auth_method function there really should be done with a try/except
[02:05] *** sbfox has quit IRC
[02:06] <ayoung> jamielennox, I like it better with the try
[02:06] <ayoung> running the tests and I'll repost
[02:08] *** xianghui has quit IRC
[02:10] <ayoung> jamielennox, btw, I got the space on the dreamhost beta
[02:11] <ayoung> I've got an ipa server up and running, but I need to straighten out some DNS issues
[02:11] *** dstanek is now known as dstanek_zzz
[02:12] <jamielennox> ayoung: the one you want to use for devstack deploys? proper DNS address?
[02:12] <ayoung> so, the issue is that the ipa server is running inside the cloud, and gets a local IP address for all of the hosts
[02:12] *** dstanek_zzz is now known as dstanek
<jamielennox> ayoung: easy review:
[02:12] <ayoung> I want the "good" name to link to the floating IP
[02:13] <jamielennox> hmm, can you do that?
[02:13] <jamielennox> i see designate has applied for incubation - but even then?
[02:13] <ayoung> I had something working in the past
[02:14] <ayoung> I know that there is a hack to Kerberos
[02:14] <ayoung> found a really nasty bug, too
[02:14] <ayoung> ipa-server-install was rewriting sshd_config into an invalid format, and systemd refused to run it
[02:15] <jamielennox> how did that not get found?
[02:16] <ayoung> jamielennox, I suspect that it is something about Fedora 20 that changed
[02:17] <ayoung> F20 installs worked fine before
<openstackgerrit> ayoung proposed a change to openstack/keystone: Kerberos as method name
[02:19] <ayoung> jamielennox, I like that a lot better
[02:20] <jamielennox> now you want me to review the rest right
[02:21] *** xianghui has joined #openstack-keystone
[02:22] <jamielennox> looks easy enough, where does REMOTE_DOMAIN usually come from?
[02:23] <jamielennox> also you know you're going to get asked for tests
[02:30] *** richm has quit IRC
[02:34] *** browne has quit IRC
[02:44] <jamielennox> ayoung: taking that 2nd +2 on as +A
[02:46] <ayoung> jamielennox, you already reviewed the Kerb patch once, and I made the changes you suggested
[02:46] <ayoung> check for negotiate as the auth_type
[02:47] <jamielennox> ayoung: yep - looks good
[02:48] <jamielennox> i assume it works with jose's patch - i don't really have an environment to test it on right now
[02:48] <ayoung> jamielennox I think that is the only server side change that dpal is going to care about. So long as we can have a Kerberos story
[02:48] <ayoung> It basically is Jose's approach. It works with his client code
[02:49] <jamielennox> yea, i figured as much
[02:55] *** PritiDesai has quit IRC
[03:01] *** Abhijeet_ has joined #openstack-keystone
[03:03] *** nsquare has quit IRC
[03:04] *** browne has joined #openstack-keystone
[03:05] *** browne has quit IRC
[03:09] *** PritiDesai has joined #openstack-keystone
[03:10] *** sbfox has joined #openstack-keystone
[03:12] *** sbfox has quit IRC
[03:21] *** ncoghlan is now known as ncoghlan_afk
[03:22] *** pheadron has joined #openstack-keystone
[03:22] <pheadron> hey morganfainberg
[03:24] *** ncoghlan_afk is now known as ncoghlan
[03:24] *** harlowja is now known as harlowja_away
[03:25] <dstanek> ayoung: i'm going to mess with it a little and fix the style issues I commented on
[03:27] *** PritiDesai has quit IRC
[03:30] *** gokrokve has quit IRC
[03:35] <stevemar> dstanek, already cleaning things up
[03:42] *** gokrokve has joined #openstack-keystone
[03:43] *** gokrokve has quit IRC
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Basic-Auth middleware
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Basic-Auth middleware
[03:48] <dstanek> stevemar: too late :-( just finished a first round
[03:49] <stevemar> dstanek, nice changes :)
[03:52] <dstanek> stevemar: it was all just simple stuff and adding a few tests
[03:56] <stevemar> dstanek, i had some comments
[04:12] <dstanek> stevemar: yeah, i wanted to ask ayoung about that - i was going to remove the domain_id stuff because the default will be the default id anyway
[04:12] <dstanek> but i didn't know if he had other plans
[04:17] <stevemar> dstanek, yeah, figured it might be possible, i dunno. just remarked on it anyway
[04:20] *** sbfox has joined #openstack-keystone
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Basic-Auth middleware
[04:25] *** praneshp has quit IRC
[04:30] <dstanek> so when will XML actually go away?
[04:30] <dstanek> our API i mean - i have no hope for the rest of the world
[04:34] *** gokrokve has joined #openstack-keystone
[04:41] *** henrynash has joined #openstack-keystone
[04:42] *** gokrokve has quit IRC
[04:44] *** sbfox has quit IRC
[04:44] *** ncoghlan is now known as ncoghlan_afk
[04:51] *** praneshp has joined #openstack-keystone
[04:56] *** ncoghlan_afk is now known as ncoghlan
[04:56] *** praneshp_ has joined #openstack-keystone
[04:58] *** praneshp has quit IRC
[04:58] *** praneshp_ is now known as praneshp
[04:59] *** ncoghlan is now known as ncoghlan_afk
[05:00] *** hrybacki has quit IRC
[05:10] *** nsquare has joined #openstack-keystone
[05:11] <morganfainberg> dstanek, stevemar, you guys here?
[05:11] <stevemar> morganfainberg, maybe
[05:11] <morganfainberg> stevemar, need a quick pair of eyes on (ok not so quick), I'm doing a once-over before I +2/+A
[05:12] <morganfainberg> but it's a big patch
[05:12] <morganfainberg> maybe it needs to wait :(
[05:12] *** gokrokve has joined #openstack-keystone
[05:13] <dstanek> morganfainberg: nope
[05:14] <dstanek> morganfainberg: i'm still in the middle of it - i found lots of stuff that we can fix after the fact
[05:14] <stevemar> morganfainberg, uhh that one
[05:15] <morganfainberg> dstanek, yeah that is where i was - but it's huge, so extra eyes = better imo
[05:15] <stevemar> its so massive
[05:15] *** gokrokve_ has joined #openstack-keystone
[05:15] *** ajayaa has joined #openstack-keystone
[05:15] <stevemar> and hitting everything
[05:15] <morganfainberg> dstanek, i'm seeing some "we should fix this...but... doesn't need to be fixed here"
[05:16] <morganfainberg> and by waiting, i was thinking of waiting until tomorrow morning :P
[05:16] <dstanek> morganfainberg: what i'm not liking about this patch is that it is huge and impacts lots of stuff
[05:17] <morganfainberg> dstanek, yeah.
[05:17] *** gokrokve has quit IRC
[05:17] <morganfainberg> dstanek, i really would have rather seen scaffolding for doing the mapping (backend) and then a patch that makes everything use it
[05:17] <morganfainberg> at least that would be easier to digest
[05:17] <dstanek> earlier i heard that we should get it in because it would allow people to use an "experimental" feature and get feedback, but this really does muck with lots of existing code
[05:18] <morganfainberg> i've reviewed this a bunch of times. i feel like its pretty good...
[05:18] <morganfainberg> meh i'm gonna wait till morning, fresh eyes
[05:18] <morganfainberg> if it's not gating i'll weigh in
[05:19] <morganfainberg> dstanek, if you think it's good enough to go, don't hesitate to +A on my not wanting to look till morning
[05:19] <morganfainberg> dstanek, but if you're not comfortable i'll take a look at everything in the morning before making a call on it
[05:20] <morganfainberg> (unless there is a legitimate reason to -1 in your view)
[05:20] <morganfainberg> on that happy note... g'night :)
[05:20] *** sbfox has joined #openstack-keystone
[05:20] <stevemar> is hashlib standard?
[05:20] <morganfainberg> stevemar, yeah
[05:20] <dstanek> morganfainberg: i just don't understand the implications of messing with domain awareness
[05:20] <morganfainberg> at least... i think it is.
[05:20] <dstanek> yeah, it is
[05:21] <morganfainberg> dstanek, want to talk through it all tomorrow morning 1st thing?
[05:21] <morganfainberg> dstanek, i did a bunch of work on this code in havana so i know most of what it's trying to accomplish
[05:21] <dstanek> morganfainberg: sure, ping me when you're up
[05:21] <morganfainberg> i'll be up around 6:30am pacific.
[05:21] <morganfainberg> so, uhm... 8:30 (your central right?) your time
[05:22] <dstanek> morganfainberg: no eastern - 9:30
[05:22] <morganfainberg> ah ok well then
[05:22] <morganfainberg> i'll catch ya 9:30 -> 10ish
[05:22] <morganfainberg> your time
[05:22] <dstanek> sounds good
[05:36] *** pheadron has quit IRC
[05:42] *** amerine has joined #openstack-keystone
[05:55] *** gokrokve_ has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
[06:20] *** praneshp has quit IRC
[06:23] *** praneshp has joined #openstack-keystone
[06:23] *** jaosorior has joined #openstack-keystone
[06:26] *** ncoghlan_afk is now known as ncoghlan
[06:36] *** gokrokve has joined #openstack-keystone
<openstackgerrit> Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints
[06:37] *** zhiyan_ is now known as zhiyan
[06:39] *** stevemar has quit IRC
[06:41] *** gokrokve has quit IRC
<openstackgerrit> A change was merged to openstack/keystone: add docs on v2 & v3 support in the service catalog
[06:51] *** ncoghlan is now known as ncoghlan_afk
[06:59] *** ajayaa has quit IRC
[07:11] *** BAKfr has joined #openstack-keystone
[07:15] *** dstanek is now known as dstanek_zzz
[07:16] *** xianghui has quit IRC
[07:20] *** xianghui has joined #openstack-keystone
[07:24] *** praneshp has quit IRC
[07:26] *** ncoghlan_afk is now known as ncoghlan
[07:26] *** leseb has joined #openstack-keystone
[07:28] *** ajayaa has joined #openstack-keystone
[07:33] *** ajayaa has quit IRC
[07:35] *** gokrokve has joined #openstack-keystone
[07:37] *** gokrokve_ has joined #openstack-keystone
[07:37] *** dstanek_zzz is now known as dstanek
[07:40] *** gokrokve has quit IRC
[07:41] *** gokrokve_ has quit IRC
[07:43] <marekd|away> jamielennox: is your question still actual regarding the comment on the patchset?
[07:43] *** marekd|away is now known as marekd
[07:47] *** dstanek is now known as dstanek_zzz
[07:59] *** sbfox has quit IRC
[08:12] *** ncoghlan has quit IRC
[08:18] *** Abhijeet__ has joined #openstack-keystone
[08:21] *** Abhijeet_ has quit IRC
[08:25] *** nsquare has quit IRC
[08:33] *** Abhi_ has joined #openstack-keystone
[08:35] *** Abhijeet__ has quit IRC
[08:36] *** gokrokve has joined #openstack-keystone
[08:37] *** dstanek_zzz is now known as dstanek
[08:41] *** gokrokve has quit IRC
[08:45] *** Abhijeet_ has joined #openstack-keystone
[08:47] *** Abhi_ has quit IRC
[08:47] *** dstanek is now known as dstanek_zzz
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
[08:59] *** Abhijeet_ has quit IRC
[09:36] *** gokrokve has joined #openstack-keystone
[09:38] *** dstanek_zzz is now known as dstanek
[09:41] *** gokrokve has quit IRC
<openstackgerrit> Andre Naehring proposed a change to openstack/python-keystoneclient: Added help text for the debug option
[09:48] *** dstanek is now known as dstanek_zzz
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
[09:52] *** rodrigods has joined #openstack-keystone
[09:52] *** rodrigods has quit IRC
[09:52] *** rodrigods has joined #openstack-keystone
[09:55] *** rodrigods has quit IRC
[10:00] *** zhiyan is now known as zhiyan_
[10:03] *** zhiyan_ is now known as zhiyan
[10:28] *** zhiyan is now known as zhiyan_
[10:36] *** gokrokve has joined #openstack-keystone
[10:39] *** dstanek_zzz is now known as dstanek
[10:41] *** gokrokve has quit IRC
[10:49] *** dstanek is now known as dstanek_zzz
[11:01] *** dims__ has joined #openstack-keystone
[11:06] *** ericvw has quit IRC
[11:08] *** ericvw has joined #openstack-keystone
[11:10] *** dtroyer_zz has joined #openstack-keystone
[11:10] *** afazekas is now known as __afazekas
[11:13] *** rwsu_ has joined #openstack-keystone
[11:14] *** dtroyer has quit IRC
[11:14] *** rwsu has quit IRC
[11:14] *** jaosorior has quit IRC
[11:15] *** jaosorior has joined #openstack-keystone
[11:25] *** mfisch has quit IRC
[11:26] *** mfisch has joined #openstack-keystone
[11:27] *** mfisch has quit IRC
[11:27] *** mfisch has joined #openstack-keystone
[11:36] *** gokrokve has joined #openstack-keystone
[11:40] *** dstanek_zzz is now known as dstanek
[11:41] *** gokrokve has quit IRC
[11:41] *** diegows has joined #openstack-keystone
[11:48] *** rodrigods has joined #openstack-keystone
[11:48] *** rodrigods has joined #openstack-keystone
[11:50] *** dstanek is now known as dstanek_zzz
[11:52] *** hrybacki has joined #openstack-keystone
[11:58] *** anteaya has quit IRC
[12:05] *** erecio has quit IRC
[12:05] *** openstackgerrit_ has joined #openstack-keystone
<openstackgerrit> Kristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers
[12:07] *** afazekas has joined #openstack-keystone
[12:09] *** erecio has joined #openstack-keystone
[12:13] *** NM has joined #openstack-keystone
[12:13] *** diegows has quit IRC
[12:15] *** erecio has quit IRC
[12:17] *** leseb_ has joined #openstack-keystone
[12:19] *** leseb has quit IRC
[12:21] *** leseb_ has quit IRC
[12:29] *** dims__ has quit IRC
[12:36] *** gokrokve has joined #openstack-keystone
[12:36] *** dims__ has joined #openstack-keystone
[12:40] *** oomichi_ has joined #openstack-keystone
[12:40] *** anteaya has joined #openstack-keystone
[12:41] *** dstanek_zzz is now known as dstanek
[12:41] *** gokrokve has quit IRC
[12:41] *** oomichi has quit IRC
[12:46] *** lbragstad has joined #openstack-keystone
[12:47] *** oomichi_ is now known as oomichi_sleeping
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
[12:51] *** dstanek is now known as dstanek_zzz
[12:51] *** joesavak has quit IRC
[12:52] *** joesavak has joined #openstack-keystone
[12:56] *** leseb has joined #openstack-keystone
[13:00] *** jraim has quit IRC
[13:00] *** zhiyan_ is now known as zhiyan
[13:01] *** gordc has joined #openstack-keystone
[13:01] *** jraim has joined #openstack-keystone
[13:03] *** jsavak has joined #openstack-keystone
[13:03] *** dstanek_zzz is now known as dstanek
[13:09] *** radez_g0n3 is now known as radez
[13:11] *** nkinder has quit IRC
[13:15] *** jraim has quit IRC
[13:17] *** jraim has joined #openstack-keystone
[13:25] *** gordc has quit IRC
[13:25] *** rushiagr is now known as rushi
[13:29] *** xianghui has quit IRC
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
[13:30] *** xianghui has joined #openstack-keystone
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
[13:36] *** gokrokve has joined #openstack-keystone
[13:39] *** bknudson has quit IRC
[13:41] *** gokrokve has quit IRC
[13:45] *** stevemar has joined #openstack-keystone
[13:52] *** afaranha has joined #openstack-keystone
[13:52] *** daneyon has joined #openstack-keystone
[13:56] *** bknudson has joined #openstack-keystone
[13:58] *** nkinder has joined #openstack-keystone
[13:59] *** bklei has joined #openstack-keystone
[13:59] *** daneyon_ has joined #openstack-keystone
[13:59] *** bklei has quit IRC
[14:00] *** bklei has joined #openstack-keystone
[14:01] *** daneyon has quit IRC
[14:03] *** DuncanT- has left #openstack-keystone
<openstackgerrit> Kristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Add service_name to URL discovery
[14:22] <henrynash> morganfainberg, dstanek: any new thoughts on the multi-backend-uuid patch?
[14:24] *** gokrokve has joined #openstack-keystone
[14:25] *** gokrokve_ has joined #openstack-keystone
[14:26] *** zhiyan is now known as zhiyan_
[14:28] *** gokrokve has quit IRC
[14:29] *** gordc has joined #openstack-keystone
[14:29] <dstanek> henrynash: no, i created a few patches on top to fix my style nits
[14:29] <morganfainberg> dstanek, hi
[14:29] <dstanek> henrynash: i also started to break it up into 3 smaller patches so i would understand it better :-)
[14:29] <dstanek> morganfainberg: hey
[14:30] <morganfainberg> ah so you've gotten through it yourself then
[14:31] <dstanek> morganfainberg: yes, but i don't really grok the side effects of moving/removing some of the domain handling code
[14:32] <dstanek> henrynash: just published a few comments
[14:32] <henrynash> dstanek: so the domain handling code represents the old “let’s try and guess which domain this user/group cmd is aimed at”
[14:32] <morganfainberg> dstanek, most of the old domain handling code is not really usable because of the name conflicts
[14:33] <morganfainberg> henrynash, ++
[14:33] <dstanek> henrynash: are we no longer guessing?
[14:34] <henrynash> dstanek: no, we never guess any more….since mapping lookup gives us the domain
[14:34] *** PritiDesai has joined #openstack-keystone
[14:35] *** leseb has quit IRC
[14:35] <henrynash> dstanek: so basically all that gets removed, and then the identity manager can determine which backend to send the cmd to once it gets the domain from the mapping table
[14:36] <morganfainberg> you always know (based upon ID) what backend is used
[14:36] <morganfainberg> it's the whole point of the mapping table
[14:36] <morganfainberg> LDAP assignment is 1 domain only, right?
[14:36] <dstanek> but the mapping table isn't always used right?
[14:36] <morganfainberg> because that is the only thing that stood out to me as being odd, having a FK on domain.id
[14:37] <dstanek> what happens in old configurations?
[14:37] <morganfainberg> dstanek, in most cases, nothing changes.
[14:37] <morganfainberg> default domain (only really usable setup because of the bugs this addresses) can be used w/o mapping
<openstackgerrit> Kristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers
[14:38] <morganfainberg> and SQL doesn't need the mapping
[14:38] <dstanek> morganfainberg: but the code is different and that's what i'm trying to understand
<dstanek> for example, did these tests actually need to change?
[14:39] <morganfainberg> henrynash, ^ i defer to you, i think so, because you want to always be pulling from the default assignment driver in this case.
[14:40] <dstanek> morganfainberg: if that's the case is it backward compatible and in what cases is it not?
[14:41] <morganfainberg> dstanek, the only case it isn't backwards compatible is the old per-domain-identity backend
[14:41] <morganfainberg> dstanek, and that is because we used to guess based upon the user's token id what scope to use
[14:41] <morganfainberg> erm, token.domain_id
[14:42] <morganfainberg> dstanek, and that code in havana and icehouse would make all sorts of strange things occur
[14:42] <dstanek> what happens to those configurations after this patch?
[14:42] <morganfainberg> dstanek, well, they weren't really usable before
[14:42] <henrynash> the whole “guessing thing” was marked as experimental, so I don’t think we need to be backward compatible with it
[14:42] <morganfainberg> if anyone tried to use it, you'd have a broken install
[14:42] <morganfainberg> you couldn't assign grants from one domain to the other across backends (for the most part)
[14:43] <henrynash> and as morgan says, it never would work properly
[14:43] <henrynash> which you can now
[14:43] <morganfainberg> henrynash, now that i am awake...
[14:43] <morganfainberg> henrynash, i'm going to do a once over on this again
[14:44] <morganfainberg> but i think... _think_ it looks good.
[14:44] <henrynash> morganfainberg: ok
[14:44] <morganfainberg> i'll ping you if I find anything major
[14:44] <morganfainberg> so we can roll up something (e.g. make this all "not work")
[14:45] <morganfainberg> if it's stylistic etc we can do post-merge
[14:45] <dstanek> i have no reason to block it, i just don't understand it enough to +2 it yet
[14:45] <morganfainberg> dstanek, keep asking questions :)
[14:45] <morganfainberg> makes us who've dug around this think about it and explain it better
[14:45] <dstanek> morganfainberg: i have 3 or 4 commits on top of this to fix the style issues
[14:45] * morganfainberg nods.
[14:46] <dstanek> last night i was too busy to look up the 'no rebase' flag on git-review
[14:46] *** leseb has joined #openstack-keystone
[14:47] <henrynash> morganfainberg: I also have another big commit on top of this which removes the assignment of a unique ID out of the controller into the manager
[14:47] <bknudson> I always git-review -nvF if it's a single commit or -nvR if it's multiple commits and no rebase
[14:48] <henrynash> morganfainberg: small change in real code, but very large set of mechanical changes to our unit tests
[14:48] <morganfainberg> henrynash, ++
[14:48] <dstanek> henrynash: you're killing me :-)
[14:48] <morganfainberg> henrynash, thanks for splitting that out.
[14:48] <morganfainberg> this is a beast to begin with
[14:48] <henrynash> morganfainberg: which is why I held that off
[14:49] <morganfainberg> bknudson, i'm going to split/recombine the non-persistence and token version specs up, make one a scaffolding spec since they have a common set of needs and then make non-persistence a smaller subset of work (that we can hold / look at as revocation events go in)
[14:49] <morganfainberg> bknudson, and same thing with expanding upon the token versions.
[14:49] <bknudson> morganfainberg: that sounds great
[14:50] <morganfainberg> bknudson, cool
[14:51] *** richm has joined #openstack-keystone
<dolphm> is this actually a bug, or just misplaced expectations?
[14:51] <uvirtbot> Launchpad bug 1328837 in python-keystoneclient "Cannot handle http(s)_proxy" [Undecided,New]
[14:53] <morganfainberg> dolphm, i think this is someone trying to use the debug CURL line
[14:53] <bknudson> dolphm: seems like the bug is in the python lib, if it's using http_proxy when the port is 35357
[14:53] <bknudson> although I don't know how it's supposed to work. Not stuck behind a proxy
[14:54] <morganfainberg> the python lib doesn't do conditional proxy
[14:55] <morganfainberg> they have HTTP proxy for external connections, this isn't external
[14:55] <morganfainberg> so the env var said "go use this proxy" even though it wasn't correct to do so
[14:56] <dstanek> isn't that the expected behavior if the env var is set?
[14:56] <morganfainberg> dstanek, that would be what I'd expect
[14:56] <morganfainberg> hey use this proxy! "ok i'll use that proxy"
[14:56] <bknudson> there's probably a way to set up the proxy so that it works
[14:57] <morganfainberg> bknudson, using an auto proxy config?
[14:57] <morganfainberg> or some such
[14:57] * morganfainberg hasn't tried that with curl or anything.
[14:57] <morganfainberg> or urllib3
[14:58] <dstanek> either way i think the bug is user error
[14:58] <bknudson> -- mentions http_proxy, or ftp_proxy
[14:59] <bknudson> 'The no_proxy environment variable can be used to specify hosts which shouldn’t be reached via proxy'
[14:59] *** PritiDesai has quit IRC
[15:01] <dolphm> bknudson: that sounds like the best solution
[15:01] <dolphm> bknudson: will you comment on the bug and mark it invalid?
<openstackgerrit> Kristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers
[15:09] *** sbfox has joined #openstack-keystone
[15:11] <ayoung> nkinder, you asked me about multiple signers. I think we can do that today with minimal changes. The keystone server code needs to remain unchanged, but the OS-SIMPLECERT just needs a way to return a separate list from those used to sign the certificate. It looks like the openssl verify command can handle having multiple certificates in a single file
[15:12] <morganfainberg> henrynash, ok comments posted, doing another pass before +2.
[15:12] <morganfainberg> henrynash, but the comments are what i found looking through everything
morganfainberghenrynash, all are (for the most part) 'we fix later'15:13
morganfainbergi don't like defaulting to UUID mapping.15:13
ayoungif a token fails the verify call, we could check to see if we have an out of date set of certificates, and refetch.  Need to avoid abuse, so some throttleing,  but this should clear up a lot of the PKI misconfiguration problems15:14
dstanekhenrynash: question about you local id comment when you have a sec15:17
dstanekmorganfainberg: unless you know :-)15:17
morganfainbergdstanek, i can try and answer15:18
dstanekhenrynash, morganfainberg: where does local id come from?
*** kun_huang has joined #openstack-keystone15:19
morganfainbergin the case of LDAP, it would be the bit of the DN that is used to be the id, usually like CN15:19
dstanekis that just a configuration choice? like as an operator i'll use XYZ value from my LDAP server?15:19
morganfainbergso cn=morgan,ou=users,dc=example,dc=com15:19
morganfainbergthe cn attribute might be chosen, therefore, "morgan"15:19
morganfainbergwhen configuring keystone to talk to ldap, that is the case.15:19
ayoungheh, you are repeating my mistake15:20
ayoungI want to break that cn=morgan   means append it to the rest to create the DN15:21
ayoungcn=morgan should work when the LDAP entry has cn=morgan.  Dagnabit.15:21
morganfainbergayoung, no that is the way it is done now, doesn't mean it is always the case15:21
morganfainbergayoung, it could be configured as something else15:22
morganfainbergayoung, it was a comment of how does it work now.15:22
ayoungyeah...I know...just one of my hot button topics15:22
morganfainbergcn=ayoung !15:22
ayoung(* ̄m ̄)15:22
dstanekmorganfainberg: maybe i need to re-read, but i thought local id was from the ref (in this case the user id) and that is something we generate with uuids...right?15:23
morganfainbergdstanek, only if we are doing R/W LDAP15:23
morganfainbergdstanek, if it's RO LDAP no, it's not UUID15:24
morganfainbergand SQL is obviously UUID based15:24
dstanekso if it's r/w ldap how would an operator get the local id?15:24
dstanekseems like a strange process that should be documented15:25
morganfainbergdstanek, look at the LDAP server i think - but in most cases if it's RW you're doing to use the compatible ids (default domain)15:25
morganfainbergi think we wanted to specify multi-ldap as the non-default domain was always R/O15:25
morganfainbergayoung, ^?15:25
morganfainbergalso henrynash, ^?15:26
dstanekmorganfainberg: also what is used for the id in RO ldap? i don't know where in the code that is set15:26
ayoungmorganfainberg, does dogtag currently have a file backed cache?15:26
morganfainbergayoung, dogpile? yes.15:27
morganfainbergayoung, dogtag... no idea15:27
ayoungmorganfainberg, dogpile, yes.  I'm dealing with certs, so some bleedover in my brain between terms.  OK...I think the multiple-signing-cert solution just got much simpler15:27
morganfainbergdstanek, that is partof the [ldap] section of the config.15:27
*** xianghui has quit IRC15:28
morganfainbergayoung, ayoung ,
ayoungmorganfainberg, ah, but not a generic filesystem one?15:29
morganfainbergayoung, nope.15:29
dstanekmorganfainberg: yeah, i see user_id_attribute, but not where it is used15:29
*** wwriverrat has joined #openstack-keystone15:29
ayoungmorganfainberg, that may be ok.  I think what I need is for OS-SIMPLE cert to be split from the certificates used by Keystone to sign the tokens: signing should be one and only one, but OS-SIMPLECERT should manage a list of CA and signing certs15:30
ayoungI guess it really doesn't matter where they are stored.15:30
*** wwriverrat has left #openstack-keystone15:30
ayoungDBM might be the right solution15:30
morganfainbergdstanek, it is from the LDAP backend UserApi which inherits from ldap common and the _get_id method i think15:31
morganfainbergayoung, it would be trivial to create a dogpile backend that spits things out where key = filename, value = file contents15:31
morganfainbergayoung, if you don't like DBM15:32
henrynashmorganfainberg, dstanek: so we are going to generate a public ID whether it’s RO or RW15:32
ayoungmorganfainberg, the devil is in the locking15:32
morganfainberghenrynash, correct.15:32
morganfainbergayoung, don't use flock on NFS backed systems :P15:32
ayoungmorganfainberg, I think DBM might be a better solution.15:32
henrynashthe only issue right now is that if we are creating the user via keystone into a RW LDAP, then the public ID is a UUID always….I have a fix for this, but it’s in my later patch15:33
morganfainbergDBM handles multi-reader/writer better than filesystem (with shared files)15:33
ayoungmorganfainberg, and, for NSS, It is close to the right semantics for managing an NSS database, too.  But that would have to be a separate provider....future work any way.15:33
morganfainberghenrynash, i don't think i see any show-stoppers here15:33
dstanekhenrynash: i'm just confused on how the local id is something that can be known15:33
dstanekhenrynash: unless, as it appears, it is just the user_id15:34
henrynashdstanek: what do you mean “known"15:34
dstanekhenrynash: as an operator i would use it on the command line15:34
morganfainbergdstanek, the point is nothing except the mapping system should ever need to know the localid15:34
morganfainbergdstanek oh for purging purposes?15:34
dstanekmorganfainberg: not according to the docs15:34
*** gyee has joined #openstack-keystone15:35
henrynashok, so one way this would work is that say out-of-band a user is deleted from LDAP15:35
morganfainbergdstanek, in the case of a RW ldapbackend, don't we auto-cleanup the mapping on deletion?15:35
morganfainberghenrynash, ^15:35
* morganfainberg thought i saw that15:36
henrynashone of the attributes of that LDAP object is the one that represents the keystone user-id15:36
henrynashmorganfainberg: (yes, to auto clean up in RW LDAP)15:36
morganfainbergso my biggest complaint is we default to UUID mapping15:36
morganfainbergnot sha115:36
dstanekok, so r/w ldap assumes that we control ldap and that nothing outside of keystone will write?15:37
morganfainbergdstanek, correct.15:37
henrynashmorganfainberg: no!15:37
morganfainbergdstanek, which should be... well... a fairly sane assumption.15:37
morganfainberghenrynash, we don't?15:37
morganfainberghenrynash, or we should use UUID by default15:38
henrynashmorganfainberg: no, why would we15:38
morganfainberghenrynash, i think we should default to the most robust (can be recreated) mapping15:38
dstanekmorganfainberg: is that documented somewhere so i can fill in the gaps in my mind or is this tribal?15:39
dstanekmorganfainberg: wha? i expected to see it used somewhere15:39
morganfainbergdstanek, i think some of this is tribal some is documented15:39
*** bklei has quit IRC15:39
morganfainbergdstanek, the LDAP backend has dark dark magic.15:39
morganfainbergdstanek, daaaaaark spooooooky magic15:40
henrynashmorganfainberg: ok, so I think you can make that argument….my only issue with that is I would probably want to fix that limitation of the public ID not being sha1 when a user is created via keystone in a RW LDAP15:40
*** xianghui has joined #openstack-keystone15:40
morganfainbergit does a lot of "take this bit and that bit and figure out what the ldap option should be"15:40
morganfainberghenrynash, i'm fine with that.15:40
dolphmthis is why i'd like to see the readonly pieces of the LDAP driver split out - that driver would be relatively simple. it's the write stuff that is nuts15:40
morganfainbergdolphm, ++++++++++++++15:40
morganfainbergdolphm, backend = "readonly_ldap"15:41
dstanekbknudson: haha, ok15:41
morganfainbergdstanek, like i said, spoooooky *waves hands*15:42
bknudsonthink of all the code duplication that was saved!15:42
morganfainbergbknudson, lol15:42
dstanekbknudson: :-P15:42
dolphmoh god there's LDAP code on my screen15:42
morganfainbergdolphm, it's ok, i'm sure there is some eyebleach to solve that issue15:43
dstanekbknudson: walk throught this change was hard enough using normal tools - now i'm completely out of luck15:43
dstaneks/walk thought/walking through/15:43
dolphmmorganfainberg: searching amazon for eye bleach
morganfainbergdolphm, LOL15:44
dstanekwill that be supplied in July or will we have to bring our own?15:44
morganfainbergdolphm, (SFW)15:44
morganfainbergdstanek, byoeb?15:45
bknudsonone thing I like about the ldap backend is it has separate classes for user, group, role manipulation15:46
bknudsoninstead of having it all in the one class15:46
*** nkinder has quit IRC15:47
dolphmmorganfainberg: am now distracted by puppies15:49
bknudsonbunnies and cats in pajamas15:49
morganfainbergdolphm, then that site is doing its job!15:49
*** bklei has joined #openstack-keystone15:49
stevemarwhy is nothing getting merged15:51
morganfainbergstevemar, gate backup?15:51
dolphmstevemar: the gate is having a sad15:51
morganfainbergdolphm, a big sad15:51
*** jaosorior has quit IRC15:52
bknudson -- looks like it's 12 hrs to merge15:52
morganfainbergbknudson, better than the 35+hrs last week15:52
stevemari know why, i was just complaining15:52
bknudsonstevemar: if you complain then that means you have to help out with fixing the probs!15:52
bknudsonthat's why I never complain15:52
*** nkinder has joined #openstack-keystone15:52
stevemari already have too much on my plate15:53
stevemarmy metaphorical plate15:53
morganfainbergstevemar, is that some kind of fancy serving dish?15:54
*** sbfox has quit IRC15:54
*** BAKfr has quit IRC15:57
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Convert explicit session get/begin to transaction context
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove `with_lockmode` use from Trust SQL backend.
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Hide details of HTTP 409 erros unless in debug
*** BAKfr has joined #openstack-keystone15:58
*** jsavak has quit IRC16:01
*** jsavak has joined #openstack-keystone16:01
dstanekmorganfainberg: i like your --unused idea - may be nice to capture that as a bug or task in the BP so it gets done16:02
morganfainbergunless anyone needs me... i need to go grab some coffeee16:03
* morganfainberg needs a coffee maker at home.16:03
* morganfainberg would spend a lot less $$$ on coffee that way16:03
henrynashmorganfainberg, dstanek: agreed, nice16:05
morganfainbergdolphm, i kinda want one of these:
morganfainbergdolphm, but i am _not_ spending $1600 on a coffee maker :P16:06
morganfainbergsorry $150016:06
* morganfainberg needs to learn how to book travel through corp website today for meetup.16:07
morganfainbergerm hackathon... er whatever16:07
*** xianghui has quit IRC16:07
*** NM has quit IRC16:07
dolphmmorganfainberg: especially if it only makes 16 shots - that's barely a week supply and then you're out another $1500? screw that16:09
henrynashmorganfainberg: so do you want me to submit a new patch to address your comments?  The most crucial would be the changing of the default from uuid to sha116:09
morganfainbergdolphm, LOL16:09
morganfainberghenrynash, no still looking it over, it's a complex patchset16:10
mfischhave fun with HP's travel system16:10
morganfainberghenrynash, i'm not seeing any show stoppers16:10
morganfainbergmfisch, thanks... :P16:10
henrynashmorganfainberg: ok….16:10
*** afazekas has quit IRC16:10
morganfainberghenrynash, but i really don't want an "oops we broke everything" down the line yanno :)16:10
morganfainbergesp. w/ 1500lines added16:10
henrynashmorganfainberg: absolutely!16:11
*** xianghui has joined #openstack-keystone16:12
henrynashmorganfainberg: one thing is that we don't really want to change the default generator down the line….since otherwise you would change IDs when you upgraded to the version with the new default16:12
morganfainbergdolphm, i'm going to propose a fix to keystoneclient that makes x-auth-token header never get printed in debug (well, or maybe 'X-Auth-token: *** SECURE DATA ***'16:12
*** leseb has quit IRC16:12
morganfainbergthere has been pushback on getting that fix in other places, i figure we should just do the right thing and not expose the token data in debug logs (same as passwords)16:12
*** leseb has joined #openstack-keystone16:12
morganfainberghenrynash, that for me is a big concern, UUID is the 2nd tier choice imo.16:13
dstanekjust to play devil's advocate...why do they need a choice here?16:14
henrynashdstanek: I think that is a great question16:14
dolphmmorganfainberg: works for me. i've also been playing with the idea of hashing tokens to something unusable for anything but auditing, and logging that16:14
morganfainbergdstanek, the argument was in some cases you may not want the _same_ id generated in multiple cloud.16:15
morganfainbergdolphm, i like that for the audit logs16:15
morganfainbergdolphm, but for debug... bleh.16:15
dolphmmorganfainberg: agree16:15
henrynashmorganfainberg: but would you?  if your domain is different, then your hashed ID will be different16:15
dstanekmorganfainberg: why would they care though? would it break them if that were the case?16:15
morganfainbergdstanek, hm. don't think it would... default domain aside?16:16
morganfainbergcause we call it 'default' by 'default'16:16
dstanekbesides we could have a configurable salt to change the sha outcome and that could be different between clouds16:16
morganfainberghenrynash, think we could just make sha1 the only option for now? revisit if there is a demand?16:16
dstanekjust a thought16:16
morganfainbergdstanek, ooh that i like better16:16
*** leseb has quit IRC16:17
morganfainberguser_id salt option16:17
* morganfainberg approves of that16:17
morganfainbergif there really is a need16:17
morganfainberghenrynash, because i think that is really the only thing that bugs me about the implementation - UUID option sucks for the mapped IDs16:18
henrynashmorganfainberg: we could indeed just make sha1 the only option….16:18
henrynashmorganfainberg: the only thing that then doesn’t really work right is RW LDAPs when you create users from keystone….since the controller sets the ID16:20
morganfainbergso we need to fix RW ldap16:21
dolphmmorganfainberg: meh?
henrynashmorganfainberg: actually, I can think of how to work round that without changing all the unit tests for now….16:21
openstackgerritDavid Stanek proposed a change to openstack/keystone: Minor doc fix
morganfainberghenrynash, ok cool16:21
openstackgerritDavid Stanek proposed a change to openstack/keystone: Debug messages don't need translations
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a newline for pep8 compliance
openstackgerritDavid Stanek proposed a change to openstack/keystone: Stops overriding a builtin for pep8 compliance
morganfainbergdolphm, sha224?16:22
dolphmmorganfainberg: why not?16:22
morganfainbergdolphm, let's make the security folks squeamish, MD5! :P16:23
morganfainbergdolphm, i don't want to expose the token id even in debug fwiw16:23
mfischI have a strange behavior with the client or maybe its with the server16:23
morganfainbergsomeone turns a service to debug, you shouldn't leak the token IDs to central logging16:23
mfischdoes my token expire when I add or remove a role from myself?16:24
morganfainbergor to lower priv user that can see the logs16:24
mfischThats what seems to happen16:24
morganfainbergmfisch, which release? h, I, master?16:24
mfischmorganfainberg: I16:24
morganfainbergmfisch, are you mucking with a role on the project/tenant you're scoped to?16:24
mfischmorganfainberg: I have a basic script test that makes a role then adds/removes it from me, and then tries to delete it16:24
mfischmorganfainberg: yeah16:24
*** BAKfr has quit IRC16:24
morganfainbergif so, yes.16:24
morganfainbergthat is expected behavior16:24
mfischmorganfainberg: it makes sense16:25
mfischmorganfainberg: I will modify16:25
dstanekmorganfainberg: ^ those were the commits i mentioned last night16:27
morganfainbergdstanek, ah cool.16:28
morganfainbergok coffee time16:30
morganfainbergbe back shortly.16:30
openstackgerritJuan Manuel Ollé proposed a change to openstack/python-keystoneclient: Keystoneclient create user API should have optional password.
dstanekbknudson: i was planning on creating a new commit to deal with the Nones you mention here:
dstanekis that good enough to remove the -1? they are separate commits to me because a None is not broken, just stupid looking :-)16:32
*** jaosorior has joined #openstack-keystone16:32
dstaneki was also planning on jumping on lbragstad's bandwagon and changing my one patch to use jsonschema validation16:32
lbragstadwhoop whoop!16:34
*** gordc1 has joined #openstack-keystone16:37
*** gordc has quit IRC16:38
*** bklei has quit IRC16:38
morganfainbergdolphm, i figure you have better knowledge on this... how many non-OpenStack services (meaning not using auth_token, e.g. Java) decode the keystone token?16:39
morganfainbergdolphm, i'm concerned that w/ PKI tokens they're doing the same thing heat was trying to do w/ that 'placeholder' id.16:40
dolphmmorganfainberg: well, does that only affect v3?16:40
dolphmmorganfainberg: (tokens don't have IDs in the v3 spec, anyway)16:41
*** PritiDesai has joined #openstack-keystone16:42
*** bklei has joined #openstack-keystone16:44
*** browne has joined #openstack-keystone16:45
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing
openstackgerritDavid Stanek proposed a change to openstack/keystone: Updates Python3 requirements to match Python2
*** afaranha has left #openstack-keystone16:48
*** browne1 has joined #openstack-keystone16:48
*** browne has quit IRC16:48
*** gokrokve_ has quit IRC16:48
*** openstackgerrit_ has joined #openstack-keystone16:49
henrynashmorganfainberg: so I don’t think I can fix the RW ldap case cleanly enough, quickly enough to get this into Juno-116:50
henrynashmorganfainberg: I just don’t want to rush this in16:50
henrynashmorganfainberg, dstanek: if we really want sha1 as the default, then we should move this to Juno-216:52
nkinderhenrynash: sha1 as the default for what?16:53
*** harlowja_away is now known as harlowja16:53
henrynashnkinder: the proposal is to actually only use sha1 as the public id generator in the mutlple-backend_uuids patch16:54
nkinderhenrynash: this is the id that maps to the IdP backend, right?16:55
henrynashnkinder: the current patch has uuid as the default, and there is more work in a subsequent patch (that wasn’t planned for J1) to make sha1 always be used with RW LDAP (yes to your question)16:55
henrynashdolphm: I’m gonna move my patch out of J116:56
*** praneshp has joined #openstack-keystone16:57
dstanekhenrynash: it's not just changing the default in the config?16:57
henrynashdstanek: so that bit's easy16:57
*** praneshp_ has joined #openstack-keystone16:57
henrynashdstanek: the issue is that with RW ldap, the controllers currently set the ID as a UUID on create which becomes the public ID...16:58
henrynashdstanek: and all our unit tests assume they can set the ID as well16:58
henrynashdstanek: I already have the patch ready that fixes all this, but it changes a lot of test code (all mechanical, but a lot)16:59
dstanekah, i see16:59
henrynashdstanek: I was looking to see if I could just remove the code from the controller and then check if no ID was specified in the manager and hence still make the unit tests work..17:00
henrynashdstanek: and I can, but it looks yuk…..the controller calls the manager with create_user(ID, user_ref)17:00
henrynashdstanek, so we’d have to pass a dummy ID…or create new manager calls for the controller to call…which we will then delete after J1…..17:01
henrynashdstanek: neither seems attractive17:01
*** praneshp has quit IRC17:01
*** praneshp_ is now known as praneshp17:01
henrynashand if we make sha1 the only option, i think we have to get this right...17:03
morganfainberghenrynash, j1 was tagged17:07
morganfainberghenrynash, don't worry about hitting J1 :P17:07
morganfainbergi think17:07
morganfainberghenrynash, or will be tagged.17:07
*** hrybacki has quit IRC17:09
*** thedodd has joined #openstack-keystone17:10
dstaneklunch time!17:12
*** erecio has joined #openstack-keystone17:14
*** dstanek is now known as dstanek_zzz17:14
*** amcrn has joined #openstack-keystone17:14
*** NM has joined #openstack-keystone17:15
openstackgerritMorgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output
*** gordc1 is now known as gordc17:18
*** gokrokve has joined #openstack-keystone17:19
henrynashmorganfainberg: no worries…I’ll update the patch (ready for opening up for J2) that has sha1 as THE generator, plus a temp workaround for fixing RW LDAP, followed by a second patch that properly moves the ID generation from controller to manager (which will remove the temp workaround)…so we can keep all the unit test changes in the second patch17:20
morganfainberghenrynash, great, - yeah we're close lets not have any icky cleanup later :)17:21
henrynashmorganfainberg: agreed17:21
*** nsquare has joined #openstack-keystone17:24
*** radez is now known as radez_g0n317:28
*** praneshp has quit IRC17:30
morganfainbergok going to spend some time repinning the token spec proposals to be more sane (persistence, versioning) and get a basic scaffolding spec in.17:32
morganfainbergso we're moving in the needed direction even if the bigger "change" specs aren't accepted.17:32
*** radez_g0n3 is now known as radez17:41
*** rushi has quit IRC17:51
*** kun_huang has quit IRC17:52
*** rushiagr has joined #openstack-keystone17:54
*** hrybacki has joined #openstack-keystone17:54
*** thedodd has quit IRC17:56
*** praneshp has joined #openstack-keystone17:57
*** thedodd has joined #openstack-keystone17:58
*** radez is now known as radez_g0n318:03
*** PritiDesai has quit IRC18:09
dolphmmorganfainberg: there's no bug report to close out for the token id thing?18:11
dolphmmorganfainberg: (i don't think you need to open one, but SecurityImpact would be nice)18:11
morganfainbergdolphm, yeah will add18:11
morganfainbergdolphm also sdague brought up a better idea18:12
dolphmmorganfainberg: ?18:12
morganfainbergjust make it -H X-Auth-token: sha1(<hashed token id>)18:12
morganfainbergin all cases18:12
morganfainberguntil we can rid ourselves of the curl format18:12
dolphmmorganfainberg: for logging?18:12
morganfainbergdolphm, example:
morganfainbergdolphm, yeah18:13
dolphmmorganfainberg: is that saying that the value in the parens *is* a SHA1 hash?18:13
morganfainbergdolphm, it makes it so it is possible to correlate token_ids across requests if they are reused.18:13
dolphmmorganfainberg: of a real token?18:13
morganfainbergdolphm, yes.18:13
morganfainbergmaybe (SHA1)hashed_token_id ?18:13
morganfainberglike LDAP does for SSHA passwords (e.g. {SSHA}<password_hash>18:14
morganfainbergsometimes if a token has expired it is good to know the same token worked previously or didn't work previously (vs. its a new token) when looking at requests18:14
dolphmmorganfainberg: that's more self-explanatory to me18:14
morganfainbergok i'll go with {SHA1}<hashed_token_id>18:15
dolphmmorganfainberg: you commented earlier that tokens should never be in debug output, and i'd argue that they should, but that we're not using verbose correctly, which i think would better serve the use case you have in mind (debug should be a dev-only feature, and verbose should be an operator feature)18:17
morganfainbergdolphm, my concern is if you ever turn a service on in debug and funnel data to a central source (sometimes you need a service in prod in debug) that central logging is likely incorrect place to see tokens18:18
morganfainbergi think the right answer would be to include (structured data format) data from within the token in the debug output.18:18
morganfainbergjust not the bearer token id itself.18:18
dolphmmorganfainberg: aren't you really looking for a middle ground there, between debug and relatively quiet logging?18:18
morganfainbergdolphm, in debug, do we want passwords in logs?18:18
morganfainbergdolphm, if the answer is no, then i hold that tokens are only slightly less bad than passwords18:19
*** PritiDesai has joined #openstack-keystone18:19
dolphmi've always (weakly) argued yes - that's the kind of stuff i expect from a "debug" mode - i don't want anything suppressed18:19
dolphmverbose should be sanitized, though18:20
morganfainbergdolphm, sure. if debug means "yep even passwords" then i don't argue18:20
morganfainbergin which case verbose = sanitized18:20
morganfainbergbut right now, debug i think is considered = verbose in most OpenStack projects.18:21
morganfainbergmeaning we need to be a bit more heavy handed about it.18:21
openstackgerritMorgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output
*** hrybacki has quit IRC18:24
*** hrybacki has joined #openstack-keystone18:24
* morganfainberg thinks we need to maybe remove 'verbose' and go to debug levels. debug=99999 means don't obscure anything (or something like that) where --debug = today's verbose18:25
morganfainbergor what verbose should be18:26
*** juanmo has joined #openstack-keystone18:26
dolphmmorganfainberg: yeah, i think that because we've never provided a proper "verbose" level, operators have turned to debug, and don't find what they were expecting in the first place (sanitized verbosity)18:27
morganfainbergdolphm, ++18:28
*** bklei has quit IRC18:30
*** bklei has joined #openstack-keystone18:32
*** dstanek_zzz is now known as dstanek18:33
*** jraim has quit IRC18:39
*** jraim has joined #openstack-keystone18:40
*** bklei has quit IRC18:41
*** jaosorior has quit IRC18:42
*** sbfox has joined #openstack-keystone18:54
*** PritiDesai has quit IRC18:57
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add example script for role_assignments module
*** sbfox has quit IRC18:59
*** sbfox has joined #openstack-keystone18:59
*** PritiDesai has joined #openstack-keystone19:07
*** PritiDesai has quit IRC19:08
*** nsquare has quit IRC19:16
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Hide details of HTTP 409 erros unless in debug
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add example script for role_assignments module
*** sbfox has quit IRC19:28
*** rodrigods_ has joined #openstack-keystone19:30
*** bklei has joined #openstack-keystone19:38
*** leseb has joined #openstack-keystone19:49
*** rodrigods_ has quit IRC19:57
*** leseb has quit IRC20:01
*** leseb has joined #openstack-keystone20:02
*** sbfox1 has joined #openstack-keystone20:03
*** leseb has quit IRC20:06
*** stevemar has quit IRC20:09
*** dstanek is now known as dstanek_zzz20:26
*** nsquare has joined #openstack-keystone20:29
*** NM has quit IRC20:30
*** marcoemorais has joined #openstack-keystone20:33
*** jamielennox is now known as jamielennox|away20:34
*** CaioBrentano1 has quit IRC20:37
*** thiagop has joined #openstack-keystone20:38
*** vhoward has quit IRC20:39
*** vhoward has joined #openstack-keystone20:40
*** leseb has joined #openstack-keystone20:47
*** vhoward has left #openstack-keystone20:53
*** juanmo has quit IRC20:57
*** sbfox1 has quit IRC20:58
*** vhoward has joined #openstack-keystone20:59
*** leseb has quit IRC20:59
*** leseb has joined #openstack-keystone21:00
*** leseb has quit IRC21:04
*** hrybacki has quit IRC21:07
*** jsavak has quit IRC21:09
*** amcrn has quit IRC21:10
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add example script for role_assignments module
*** Guest81438 has joined #openstack-keystone21:24
*** amcrn has joined #openstack-keystone21:24
*** redrobot is now known as Guest5796921:25
*** Guest81438 is now known as redrobot21:27
*** sbfox has joined #openstack-keystone21:33
*** rwsu_ has quit IRC21:39
*** rwsu has joined #openstack-keystone21:42
*** marekd is now known as marekd|away21:43
*** PritiDesai has joined #openstack-keystone21:45
*** hrybacki has joined #openstack-keystone21:45
gyeebknudson, ping21:50
bknudsongyee: what's up?21:50
gyeewhen using sqlite and running Keystone in Apache, the sqlite_db option has no effect21:51
gyeeonly the connection property is being used21:51
gyeeI wasn't sure if it was documented anywhere21:53
bknudsondo we actually support sqlite anywhere but the unit tests?21:53
gyeenope, I was testing something21:54
gyeeopted for a quickie setup21:54
gyeeanyway, I'll add a note21:54
bknudsonI don't see sqlite_db used anywhere??21:55
gyeeyeah, funny the option is there in keystone.conf.sample21:55
bknudsonkeystone/tests/ksfixtures/        sqlite_db=tests.DEFAULT_TEST_DB_FILE)21:55
bknudsonwell, we set it but then don't read it anywhere21:55
gyeebut it is used to construct the connection string21:55
bknudsongyee: I don't see where it's used to construct the connection string.21:57
*** Guest57969 has quit IRC21:58
gyeebknudson, keystone/tests/ line 14721:58
gyeesorry, test_sql_upgrade.py21:58
bknudsongyee: that's not using sqlite_db, though21:59
bknudsonthat's setting the connection string21:59
gyeeright, only indirectly using it in the test code21:59
gyeeI think we should just remove that option to prevent confusion22:00
bknudsongyee: yes, let's get rid of it22:00
bknudsonwant me to do that?22:00
gyeebknudson, thanks22:00
bknudsonthe option itself is coming from oslo, which is moving to a separate lib.22:00
bknudsonbut we can stop referring to it in keystone already22:00
gyeeoh, we can't just remove it from keystone.conf.sample?22:01
*** PritiDesai has quit IRC22:02
*** redrobot has left #openstack-keystone22:02
*** gordc has quit IRC22:02
bknudsoncan't even get rid of it, it's a positional parameter to set_defaults22:03
bknudsonI'll open a bug.22:04
*** amcrn has quit IRC22:05
*** PritiDesai has joined #openstack-keystone22:07
*** kieren has quit IRC22:09
*** hrybacki has quit IRC22:09
bknudsonwe should be able to get to oslo.db in J, so that will probably be when we get rid of it.22:09
bknudsongyee: do we need something for I?22:10
*** nkinder has quit IRC22:12
*** nsquare has quit IRC22:16
gyeebknudson, I don't think so22:20
*** afazekas has joined #openstack-keystone22:22
*** gokrokve has quit IRC22:25
*** dims__ has quit IRC22:28
*** sbfox1 has joined #openstack-keystone22:29
*** sbfox has quit IRC22:30
*** nsquare has joined #openstack-keystone22:33
*** jdennis has quit IRC22:36
*** afazekas has quit IRC22:42
*** bknudson has quit IRC22:45
*** henrynash has quit IRC22:53
*** jamielennox|away is now known as jamielennox23:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Create HTTP methods mixin object
richmdid someone recently commit something that got the in-code config out-of-sync with the sample config?23:14
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session Adapters
richmI changed one default in a config setting, ran tox -esample_config, and now keystone.conf.sample has many changes23:15
richmDid I do something wrong, or should I wait for a corrective commit to be pushed?23:17
*** thedodd has quit IRC23:21
*** nkinder has joined #openstack-keystone23:23
*** sbfox1 has quit IRC23:26
*** dims__ has joined #openstack-keystone23:30
morganfainbergrichm, it is likely we haven't run a config update in a while23:31
morganfainbergrichm, you can either push 2 commits: sample_config (before your change) and then one after23:31
morganfainbergor you can do it as one commit23:32
morganfainbergrichm, we've taken the tack that config sample changes should be done every so often, and then as the last change for a release. it's a bit lazy but it means we don't get broken by gating on the sample being up to date and a dependent library changes23:33
morganfainberg(e.g. oslo.messaging)23:33
morganfainbergin short, you did nothing wrong23:33
richmI'll just push my commit with the config change without the sample config change23:33
morganfainbergyeah that works.23:34
openstackgerritRichard Megginson proposed a change to openstack/keystone: test_user_mixed_case_attribute fails - mail, not email
richmmorganfainberg: Thanks!23:39
morganfainbergsure thing!23:39
morganfainbergalso, changing the default - i like that much better23:39
*** sbfox has joined #openstack-keystone23:43
*** dstanek_zzz is now known as dstanek23:53