Monday, 2014-07-14

openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Use jsonutils to load adapter response https://review.openstack.org/105065	00:06
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681	00:06
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type https://review.openstack.org/104734	00:06
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Test that tenant list function can use auth_url https://review.openstack.org/104770	00:06
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware https://review.openstack.org/104771	00:06
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add v2 Token manager authenticate tests https://review.openstack.org/104769	00:06
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing kwargs from managers to session https://review.openstack.org/106658	00:06
*** dims has joined #openstack-keystone		00:24
*** dims has quit IRC		00:28
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert httpretty to requests-mock https://review.openstack.org/106659	00:33
openstackgerrit	A change was merged to openstack/identity-api: Fix wrong json response body for paginated collections https://review.openstack.org/106644	00:37
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Provide an __all__ for auth module https://review.openstack.org/104529	00:37
*** xianghui has joined #openstack-keystone		00:55
boris-42	jamielennox btw what is your TZ	01:19
boris-42	jamielennox hi*	01:19
*** dims has joined #openstack-keystone		01:24
*** dims has quit IRC		01:29
jamielennox	boris-42: hey	01:48
jamielennox	UTC+10	01:48
jamielennox	Brisbane/Australia	01:48
boris-42	jamielennox ah =)	01:48
*** mberlin1 has joined #openstack-keystone		01:59
*** mberlin has quit IRC		01:59
*** diegows has quit IRC		02:08
*** dims has joined #openstack-keystone		02:17
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert httpretty to requests-mock https://review.openstack.org/106659	02:24
*** Chicago has joined #openstack-keystone		02:53
*** morganfainberg_Z is now known as morganfainberg		02:54
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	03:16
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert httpretty to requests-mock https://review.openstack.org/106659	03:31
*** morganfainberg is now known as morganfainberg_Z		03:41
*** topol has joined #openstack-keystone		03:43
*** oomichi has quit IRC		04:05
openstackgerrit	A change was merged to openstack/keystonemiddleware: Sync with oslo-incubator 569979adf https://review.openstack.org/103999	04:16
*** stevemar has quit IRC		04:31
*** k4n0 has joined #openstack-keystone		05:13
*** ajayaa has joined #openstack-keystone		05:34
*** ukalifon has joined #openstack-keystone		05:41
*** shausy has joined #openstack-keystone		05:42
*** niteshselkari has quit IRC		05:59
*** topol has quit IRC		06:34
*** pheadron has joined #openstack-keystone		06:38
*** afazekas\|dst has joined #openstack-keystone		06:39
*** mat-lowery_ has quit IRC		07:08
*** mat-lowery has joined #openstack-keystone		07:09
*** tomoiaga has joined #openstack-keystone		07:18
*** afazekas\|dst has quit IRC		07:28
*** bvandenh has quit IRC		07:37
*** tomoiaga has quit IRC		07:44
*** tomoiaga has joined #openstack-keystone		07:44
*** bvandenh has joined #openstack-keystone		08:04
*** designated has quit IRC		08:29
*** designated has joined #openstack-keystone		08:29
*** alex_xu has joined #openstack-keystone		08:34
*** Dafna has joined #openstack-keystone		08:56
*** xianghui has quit IRC		09:12
*** alex_xu has quit IRC		09:16
*** jamielennox is now known as jamielennox\|away		09:17
*** xianghui has joined #openstack-keystone		09:21
*** dims has quit IRC		09:27
*** tristanC has quit IRC		09:31
*** tristanC has joined #openstack-keystone		09:32
*** pheadron has quit IRC		09:39
*** dims_ has joined #openstack-keystone		09:54
*** k4n0 has quit IRC		09:57
*** dims_ has quit IRC		09:58
openstackgerrit	Kristy Siu proposed a change to openstack/keystone-specs: Adding support for Virtual Organisation Management https://review.openstack.org/105769	09:59
*** kwss has joined #openstack-keystone		09:59
*** andreaf has quit IRC		10:07
*** k4n0 has joined #openstack-keystone		10:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558	10:15
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558	10:16
*** k4n0 has quit IRC		10:35
*** dims_ has joined #openstack-keystone		10:55
*** dims_ has quit IRC		10:59
*** Dafna is now known as Dafna_away		11:01
*** afazekas\|dst has joined #openstack-keystone		11:12
*** YorikSar has joined #openstack-keystone		11:15
*** x1b2j has quit IRC		11:16
*** dims_ has joined #openstack-keystone		11:19
*** dims_ has quit IRC		11:24
*** andreaf has joined #openstack-keystone		11:25
*** kimj has joined #openstack-keystone		11:34
*** kimj has quit IRC		11:35
*** kimj has joined #openstack-keystone		11:36
*** topol has joined #openstack-keystone		11:47
*** dims_ has joined #openstack-keystone		11:52
*** kwss has quit IRC		11:59
*** kwss has joined #openstack-keystone		12:04
*** Dafna_away is now known as Dafna		12:06
*** diegows has joined #openstack-keystone		12:14
*** radez_g0n3 is now known as radez		12:22
*** dstanek_zzz is now known as dstanek		12:27
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 wrapper plugin for full federation authN https://review.openstack.org/106751	12:43
openstackgerrit	Ajaya Agrawal proposed a change to openstack/keystonemiddleware: Correct return code https://review.openstack.org/106010	12:46
*** chandankumar has joined #openstack-keystone		12:48
*** bknudson has quit IRC		12:50
*** shausy has quit IRC		12:53
*** jdennis has joined #openstack-keystone		12:58
*** alex_xu has joined #openstack-keystone		12:58
*** afazekas\|dst has quit IRC		13:03
*** bknudson has joined #openstack-keystone		13:12
*** joesavak has joined #openstack-keystone		13:12
*** afazekas\|dst has joined #openstack-keystone		13:15
*** chandankumar has quit IRC		13:18
*** chandankumar has joined #openstack-keystone		13:18
*** andreaf has quit IRC		13:34
*** andreaf has joined #openstack-keystone		13:36
*** samuelmz_ has quit IRC		13:41
*** afazekas\|dst has quit IRC		13:42
*** fifieldt has quit IRC		13:45
*** packet has joined #openstack-keystone		13:46
*** packet has quit IRC		13:46
*** andreaf has quit IRC		13:53
*** jdennis has quit IRC		14:05
*** topol has quit IRC		14:08
*** Redrtff has joined #openstack-keystone		14:11
*** Redrtff has quit IRC		14:14
*** daneyon has joined #openstack-keystone		14:17
*** daneyon has quit IRC		14:17
*** daneyon has joined #openstack-keystone		14:18
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 ECP auth plugin https://review.openstack.org/92166	14:18
*** ajayaa has quit IRC		14:24
afaranha	Hi, do anybody knows where this functionality is implemented in keystone code GET /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects ?	14:27
*** ukalifon has quit IRC		14:30
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options https://review.openstack.org/106558	14:31
*** stevemar has joined #openstack-keystone		14:39
*** david-lyle has joined #openstack-keystone		14:40
*** kimj has quit IRC		14:47
*** morganfainberg_Z is now known as morganfainberg		14:51
*** dstanek is now known as dstanek_zzz		14:53
*** jdennis has joined #openstack-keystone		14:53
morganfainberg	mornin	14:54
*** thedodd has joined #openstack-keystone		14:54
*** richm has joined #openstack-keystone		14:55
marekd	morganfainberg: hey	14:57
*** joesavak has quit IRC		14:57
*** topol has joined #openstack-keystone		15:00
*** dstanek_zzz is now known as dstanek		15:00
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 ECP auth plugin https://review.openstack.org/92166	15:01
*** tomoiaga has quit IRC		15:06
*** david-lyle has quit IRC		15:12
*** afazekas has joined #openstack-keystone		15:25
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	15:29
*** david-lyle has joined #openstack-keystone		15:30
*** afazekas has quit IRC		15:42
stevemar	marekd, i'm going to try your ECP patch now :O	15:45
marekd	stevemar: lol	15:45
stevemar	marekd, does your github repo have a script on how to use the plugin?	15:48
marekd	stevemar: it had for an old version :( I had sent you an email with the code a long time ago.	15:50
marekd	stevemar: basically the core didn't change.	15:50
stevemar	marekd, OK, i have a script that runs that	15:51
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options https://review.openstack.org/106558	15:53
morganfainberg	dolphm, i'm going to press "go" on https://review.openstack.org/#/c/106489/ unless there is a reason not to	15:53
morganfainberg	bknudson, ^ cc	15:53
bknudson	morganfainberg: what's there works for me.	15:54
morganfainberg	bknudson, cool.	15:54
morganfainberg	bknudson, we should definitely improve the catalog building, but that doesn't need to go specifically in there (heck, that might not even need a spec, since it is just internal improvement, bug only?)	15:55
morganfainberg	bknudson, stevemar, i want to check with you guys, but https://review.openstack.org/#/c/106010/ i don't think an ISE (http 500) is correct if the middleware cannot validate a token, it seems like that should _always_ be 401 (even if it's a keystone cant talke to the db issue)	15:56
openstackgerrit	A change was merged to openstack/keystone-specs: standalone service catalog https://review.openstack.org/106489	15:57
morganfainberg	bknudson, stevemar, unless it is legitimately a unhandled error in middleware (e.g. some bad thing that really is 'internal server error' not 'oh we can't talk to that external service)	15:57
bknudson	morganfainberg: seems more secure to use 401.	15:57
bknudson	(slightly)	15:57
morganfainberg	i'm thining less security, more "correctness" in this case. (the security benefit seems minimal between the two responses)	15:58
stevemar	yeah, 401 would be better if it can't validate the token	15:58
bknudson	503 Service Unavailable might make sense -- http://tools.ietf.org/html/rfc2616#section-10.5.4	15:58
morganfainberg	hm.	15:59
*** david-lyle has quit IRC		15:59
morganfainberg	i still feel like it's 401, the token couldn't be validated.	15:59
morganfainberg	but 503 is better than generic 500 for sure	15:59
*** richm has quit IRC		16:02
*** jaosorior has joined #openstack-keystone		16:11
*** david-lyle has joined #openstack-keystone		16:13
*** spandhe has joined #openstack-keystone		16:15
*** richm has joined #openstack-keystone		16:15
*** kwss has quit IRC		16:22
*** richm has quit IRC		16:26
*** andreaf has joined #openstack-keystone		16:36
*** radez is now known as radez_g0n3		16:36
*** spandhe has quit IRC		16:39
*** richm has joined #openstack-keystone		16:40
*** andreaf has quit IRC		16:40
*** spandhe has joined #openstack-keystone		16:43
*** marcoemorais has joined #openstack-keystone		16:47
*** richm has quit IRC		16:49
*** dims_ has quit IRC		16:50
*** dims_ has joined #openstack-keystone		16:50
*** joesavak has joined #openstack-keystone		16:52
*** andreaf has joined #openstack-keystone		16:53
*** hyakuhei has joined #openstack-keystone		16:56
*** marcoemorais has quit IRC		16:59
*** marcoemorais has joined #openstack-keystone		17:00
*** marcoemorais has quit IRC		17:01
*** marcoemorais has joined #openstack-keystone		17:01
*** harlowja_away is now known as harlowja		17:03
*** chandankumar has quit IRC		17:05
*** richm has joined #openstack-keystone		17:07
*** dwaite has joined #openstack-keystone		17:17
dwaite	successful hackathon?	17:20
*** radez_g0n3 is now known as radez		17:20
openstackgerrit	Dolph Mathews proposed a change to openstack/keystonemiddleware: default to identity v3 https://review.openstack.org/106819	17:25
dolphm	dwaite: ++ i wrote a quick summary of things that i'll be expanding on this week http://dolphm.com/outcomes-from-the-openstack-keystone-hackathon-for-juno/	17:27
dwaite	ahh nice!	17:29
dwaite	re: ‘initiate federation protocol’ link , do you have any endpoints already to have horizon redirect the browser to keystone for auth?	17:31
dwaite	(back in 5)	17:34
dolphm	dwaite: no - IIRC that was one of our work items coming out of that discussion... although marekd and stevemar can probably correct me there	17:46
stevemar	dolphm, dwaite yeah, it's a big to-do, marekd threw up a patch but it's mostly a hack to get web sso working	17:48
*** amcrn has joined #openstack-keystone		17:49
stevemar	dolphm, we should answer shardy's email to -dev	17:54
*** dims_ has quit IRC		17:59
dolphm	stevemar: i was thinking the same. i put this patch up to see what will happen https://review.openstack.org/#/c/106819/	18:04
dolphm	stevemar: i've proposed this change before, but it broke on a few things that we have since fixed. i also don't know the integration coverage we have with keystonemiddleware.auth_token vs keystoneclient.middleware.auth_token yet?	18:05
dolphm	morganfainberg: ^	18:05
joesavak	stevemar, dolphm - what's the next step on https://review.openstack.org/#/c/100023/ ? Sorry I missed Friday hack-a-thon - but does it seem the token-to-saml idea works?	18:05
joesavak	marekd ^^	18:05
morganfainberg	o/	18:06
stevemar	joesavak, the next step is to go with the flow we decided here: https://etherpad.openstack.org/p/keystone-juno-hackathon line 193	18:06
stevemar	update the spec, get to hacking	18:06
morganfainberg	dolphm, until we get a project merged using the keystonemiddleware i want to be very careful about accepting patches. - basically, we need some integrated project (pref. nova?) to use the middleware	18:07
morganfainberg	dolphm, right now we're not testing it in tempest [no one is _really_ using it]	18:07
morganfainberg	dolphm, as soon as we have projects on middleware, we should get full integration testing	18:07
dolphm	morganfainberg: so, should i propose my change to keystoneclient a proof-of-concept? i don't think it should ever merge there though	18:07
dolphm	referring to https://review.openstack.org/#/c/106819/	18:08
morganfainberg	dolphm, that would work	18:08
morganfainberg	but i'd -2 CR it on ksc	18:08
morganfainberg	just to be sure it never merges	18:08
joesavak	ah - so no token-saml exchange flow?	18:08
joesavak	token only assertion flow...	18:08
openstackgerrit	Dolph Mathews proposed a change to openstack/python-keystoneclient: default to identity v3 - DO NOT MERGE https://review.openstack.org/106833	18:09
dolphm	morganfainberg: done ^	18:10
morganfainberg	that should prove it out for us	18:11
* morganfainberg continues to poke at the projects so we can get middleware merged tothem.		18:12
dwaite	dilphm, stevemar - I’d suggest looking at OAuth 2 there, the authorization code flow specifically. Rather than consider it specifically for federation, make an interface where you send the user off to log in, and get back a token	18:14
stevemar	dolphm, ^	18:14
dwaite	dilphm? yeah, typo :$	18:15
stevemar	dilphm is cool too	18:15
dwaite	then you can have basically any authentication logic you want to send a browser user through - federation, multi-factor, etc - entirely as a keystone responsibility	18:15
morganfainberg	stevemar, dolphm, some initial diff on in-memory token format	18:18
morganfainberg	http://dpaste.com/1FEVX91.txt	18:18
*** radez is now known as radez_g0n3		18:18
morganfainberg	stevemar, dolphm, trying to simplify where we do lookups when interacting with the token.	18:19
morganfainberg	stevemar, dolphm, a little more work before i write tests and post that before trying to convert over to using it.	18:19
dwaite	for shib specifically, the ‘return list of IDPs’ is more commonly done with WAYF or DS. You may want to make choosing how someone logs into horizon a keystone responsibility as well (own the login page)	18:20
dwaite	but thats a harder line to draw since that authentication business logic doesn’t appear to be shared - horizon AFAICT is the only web ui component	18:21
*** shakamunyi has joined #openstack-keystone		18:21
*** dims_ has joined #openstack-keystone		18:25
dolphm	morganfainberg: ++	18:26
morganfainberg	and descriptors are really really cool	18:27
dolphm	dwaite: pretty sure WAYF is entirely new to me	18:28
*** dims_ has quit IRC		18:30
dwaite	since I do more enterprise and consumer markets, its not something I hit often either	18:30
*** marcoemorais has quit IRC		18:30
dwaite	its more education (like shib is)	18:30
*** marcoemorais has joined #openstack-keystone		18:32
dwaite	stevemar, dolphm since you have taken the approach of using shib and apache filters, you might also be interested in https://github.com/pingidentity/mod_auth_openidc	18:32
dolphm	dwaite: i think stevemar and i have both checked out that project a bit already :D	18:32
dolphm	dwaite: what's the status of it? it's been a month or two since i've looked at it	18:33
dwaite	active development	18:33
stevemar	dolphm, dwaite i actually used it at one point for keystone, and got it somewhat working... but still had some issues	18:35
stevemar	it's being distributed now, which is cool	18:35
dwaite	yeah, I think it got into debian after some work	18:38
dwaite	I joked with the author that I had code in debian without really knowing it	18:38
dwaite	I’m just getting myself more confused trying to explain user/groups/roles + domains/projects	18:39
*** ukalifon1 has joined #openstack-keystone		18:41
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Use jsonutils to load adapter response https://review.openstack.org/105065	18:48
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681	18:48
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type https://review.openstack.org/104734	18:48
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Test that tenant list function can use auth_url https://review.openstack.org/104770	18:48
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware https://review.openstack.org/104771	18:48
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Add v2 Token manager authenticate tests https://review.openstack.org/104769	18:48
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: unscoped tokens still set auth info in client https://review.openstack.org/106838	18:48
*** joesavak has quit IRC		18:49
*** rwsu has joined #openstack-keystone		18:51
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens https://review.openstack.org/106838	18:51
*** jaosorior has quit IRC		18:52
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: render json examples with syntax highlighting https://review.openstack.org/106840	18:53
openstackgerrit	henry-nash proposed a change to openstack/identity-api: Extension to provide a REST API to read configuration options https://review.openstack.org/106842	18:54
stevemar	dolphm, can you review this patch: https://review.openstack.org/#/c/83829/	18:58
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options https://review.openstack.org/106558	18:58
stevemar	it's been done for >10 days now :P	18:59
dwaite	question: are domains definable in ldap?	19:00
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options https://review.openstack.org/106558	19:00
*** amcrn has quit IRC		19:00
dolphm	dwaite: they used to be sort of - but the answer is no. ldap is a single domain backend	19:00
*** henrynash has joined #openstack-keystone		19:00
dolphm	dwaite: we have a patch either in master or about to be approved to enable multiple ldap backends (one per domain)	19:01
dwaite	it looks like users are domain level and inherited by projects, and groups ‘can be’. Are roles?	19:01
*** thedodd has quit IRC		19:01
dwaite	dolphm: I suppose my confusion is figuring out what is per domain vs per project vs both	19:02
*** radez_g0n3 is now known as radez		19:03
dwaite	also, if groups influence roles	19:04
*** mitz_ has quit IRC		19:06
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: project disabled/deleted notification recommendations https://review.openstack.org/106845	19:09
*** ukalifon1 has quit IRC		19:09
*** daneyon has quit IRC		19:13
stevemar	dolphm, i think your experiment is working	19:14
dwaite	experiment?	19:20
morganfainberg	minus the elastic recheck issue, this looks good dolphm: https://review.openstack.org/#/c/106833/	19:22
morganfainberg	also, nova has approved the middleware change-over patch from bknudson	19:22
stevemar	dwaite, dolphm was experimenting on getting devstack to run v3 by default...	19:23
stevemar	morganfainberg, i agree, it looks good	19:24
dwaite	oh that would be nice	19:26
*** dims_ has joined #openstack-keystone		19:26
dwaite	would the goal be to have v2 off-by-default in juno? :-)	19:26
dolphm	dwaite: not off by default, but using v3 everywhere by default with v2 available as a fallback	19:29
dolphm	dwaite: it might be interesting to have it off by default in devstack for a release first	19:29
dolphm	like K	19:29
dolphm	morganfainberg: COOL! that failed miserably like 6 months ago :) i mostly blame jamielennox\|away for the improvement	19:30
*** amcrn has joined #openstack-keystone		19:31
*** dims_ has quit IRC		19:31
morganfainberg	hmm. ok now i just need to figure out how to populate the roles for the new token object	19:31
* morganfainberg will be happy when there is only _one_ way we populate this data		19:32
dwaite	dolphm, stevemar: If you have problems with mod_auth_openidc, I suggest hitting up the author	19:38
dwaite	he’s been feeling popular lately ;-)	19:38
stevemar	dwaite, i've reached out to hans before, he's pretty awesome	19:38
dwaite	nod I get to work with some pretty awesome people :-)	19:39
*** dims_ has joined #openstack-keystone		19:41
*** joesavak has joined #openstack-keystone		19:43
openstackgerrit	Dolph Mathews proposed a change to openstack/identity-api: use backticks on literal string, not single quotes https://review.openstack.org/106849	19:43
dolphm	trivial doc fix ^	19:43
dwaite	bbiab	19:43
*** dwaite has quit IRC		19:44
*** navid has joined #openstack-keystone		19:45
*** navid has quit IRC		19:50
*** andreaf has quit IRC		19:54
stevemar	dolphm, +2'ed	19:54
*** nkinder has joined #openstack-keystone		19:55
stevemar	dolphm, so whats the plan with your v3 changes?	19:55
dolphm	stevemar: well, i'm surprised it passed.	19:56
stevemar	dolphm, me too kinda	19:56
dolphm	stevemar: the biggest blocker was returning a v3 catalog to nova, when it only understood a v2 catalog	19:56
dolphm	jamie fixed that	19:56
dolphm	there were a few other little things	19:56
dolphm	i'm tempted to say we should merge the change to keystonemiddleware and release as 1.1.0	19:57
dolphm	need to attach to a wishlist bug first though	19:57
openstackgerrit	Dolph Mathews proposed a change to openstack/identity-api: The Most Obvious Way to Get a Service Catalog That You Have to See to Believe https://review.openstack.org/106854	19:57
morganfainberg	dolphm, i say wait for https://review.openstack.org/#/c/102342/ to merge before we merge that change, but otherwise	19:58
morganfainberg	gtg	19:58
morganfainberg	dolphm (the v3 one)	19:58
dolphm	morganfainberg: ++	19:58
dolphm	morganfainberg: i'm not in a rush	19:58
morganfainberg	do we want to sneak in the session refactor too for 1.1.0?	19:58
morganfainberg	stevemar, do you know if you can use a descriptor from within a descriptor? /me is stumbling on wanting to reduce minor amounts of duplicated code	20:00
morganfainberg	i guess i could just create an object that does it for me.	20:00
morganfainberg	meh.	20:00
dolphm	morganfainberg: i'm not opposed, but haven't reviewed it yet	20:02
*** marcoemorais has quit IRC		20:02
*** marcoemorais has joined #openstack-keystone		20:03
*** vhoward has left #openstack-keystone		20:07
dstanek	morganfainberg: is there any reason you are using getattr here? https://review.openstack.org/#/c/106599/9/tests/unit/test_versionutils.py	20:07
morganfainberg	dstanek, obnoxiously long line :P	20:08
morganfainberg	and was being lazy about trying to figure out how to pep8-friedly that	20:08
morganfainberg	friendly*	20:08
dstanek	morganfainberg: haha, ok	20:08
*** dwaite has joined #openstack-keystone		20:20
openstackgerrit	A change was merged to openstack/identity-api: use backticks on literal string, not single quotes https://review.openstack.org/106849	20:20
*** miqui has joined #openstack-keystone		20:22
henrynash	dstanek, bknudson: did my updates regarding security of https://review.openstack.org/#/c/106558 satisfy your conerns?	20:31
bknudson	henrynash: I'd still like to see a discussion on the -dev mailing list	20:32
bknudson	if other projects are willing to do this too then I'm fine with it	20:32
*** marcoemorais has quit IRC		20:32
*** marcoemorais has joined #openstack-keystone		20:33
henrynash	bknudson: sure, ok…happy to initiate that…	20:33
*** henrynash has quit IRC		20:35
*** huats has quit IRC		20:35
*** huats has joined #openstack-keystone		20:36
*** huats has quit IRC		20:36
*** huats has joined #openstack-keystone		20:36
*** henrynash has joined #openstack-keystone		20:38
*** amcrn has quit IRC		20:39
*** dstanek is now known as dstanek_zzz		20:41
*** radez is now known as radez_g0n3		20:43
*** mfainberg_phone has joined #openstack-keystone		20:54
*** arborism has joined #openstack-keystone		20:59
*** arborism is now known as amcrn		20:59
*** harlowja is now known as harlowja_away		21:02
*** joesavak has quit IRC		21:03
*** marcoemorais has quit IRC		21:03
*** marcoemorais has joined #openstack-keystone		21:03
*** harlowja_away is now known as harlowja		21:03
*** dstanek_zzz is now known as dstanek		21:04
dstanek	henrynash, bknudson: i agree	21:05
*** marcoemorais has quit IRC		21:05
*** marcoemorais has joined #openstack-keystone		21:06
*** mfainberg_phone has quit IRC		21:15
openstackgerrit	A change was merged to openstack/python-keystoneclient: Add invalidate doc string to identity plugin https://review.openstack.org/99558	21:23
*** topol has quit IRC		21:24
*** joesavak has joined #openstack-keystone		21:26
*** dstanek is now known as dstanek_zzz		21:28
*** openstackgerrit has quit IRC		21:31
*** dstanek_zzz is now known as dstanek		21:31
*** openstackgerrit has joined #openstack-keystone		21:32
*** dstanek is now known as dstanek_zzz		21:40
*** shakamunyi has quit IRC		21:40
*** bvandenh has quit IRC		21:41
bknudson	morganfainberg: were you working on a change to hash the tokens logged by keystoneclient?	21:41
morganfainberg	bknudson, i was, but i scrapped it for the time being	21:42
bknudson	morganfainberg: ok, was wondering why I couldn't find it.	21:42
bknudson	morganfainberg: looks like instead of putting in the change to sha1 the token we decided to boil the ocean instead.	21:53
morganfainberg	bknudson, heh	21:56
morganfainberg	bknudson, i think i also was waiting till middleware was split, since the change legitimately needed to go there	21:56
stevemar	q for folks - anyway to reply to a ML thread when all you have is the link from lists.openstack.org ?	21:58
stevemar	and not create a new thread...	21:58
*** dims__ has joined #openstack-keystone		22:05
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options https://review.openstack.org/106558	22:05
bknudson	morganfainberg: https://review.openstack.org/#/c/99432 patch set 7 looks good to me.	22:05
*** dims_ has quit IRC		22:05
bknudson	how about we take that and work on further optimizations separately?	22:06
*** jsavak has joined #openstack-keystone		22:09
bknudson	actually, I tried it and it's incomplete as is... the token id is still displayed when you keystone --debug	22:09
morganfainberg	yeah	22:09
bknudson	from the POST /v2.0/tokens response	22:09
morganfainberg	i noticed that :(	22:10
bknudson	nothing that can't be fixed	22:10
*** joesavak has quit IRC		22:11
bknudson	ah, this is the stuff in oslo	22:13
stevemar	henrynash, whoa you went super short with the spec	22:14
henrynash	stevemar: so that’s waht ayoung was suggesting…I’m happy to add stuff back in once we agree it is the right thing to do	22:15
henrynash	stevemar: I think this is what we decided at the hackathon…we start with teh short form	22:16
stevemar	henrynash, replied, the short form was just 3 less sections	22:16
stevemar	henrynash, you were mis-informed, sir	22:16
henrynash	oh, so now I am confused	22:17
henrynash	dolphm: so what did we agree here?	22:17
bknudson	I thought we agreed to just accept the problem statement	22:17
stevemar	the tests aren't updated to reflect that	22:18
stevemar	rebooting	22:19
*** stevemar has quit IRC		22:19
*** jsavak has quit IRC		22:21
*** henrynash has quit IRC		22:23
dolphm	user_id: context['environment'][authorization.AUTH_CONTEXT_ENV]['user_id'] # this is an ungodly terrible dev experience	22:25
*** spandhe has quit IRC		22:32
*** spandhe has joined #openstack-keystone		22:33
*** alex_xu has quit IRC		22:50
*** stevemar has joined #openstack-keystone		22:53
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output https://review.openstack.org/106890	22:56
bknudson	morganfainberg: took a stab at also obfuscating the token in the request ^	22:57
bknudson	and need to head home	22:57
morganfainberg	bknudson, sounds good!	22:59
morganfainberg	i'll take a look at it	22:59
bknudson	obviously needs tests, doc updates, etc	22:59
morganfainberg	bknudson, the other way people are doing is the creditcard way, asdfasdf123XXXXXXXXXX...XXXXXasdfe1234	23:00
morganfainberg	with a min/max and % of data shown	23:00
morganfainberg	bknudson, not sure if i like that, hashlib.sha1() just seems so clean in comparison	23:01
bknudson	morganfainberg: from the mailing list discussion I didn't see a resolution to use one or the other.	23:01
bknudson	should put it in a function so it's easy to change.	23:01
morganfainberg	yeah	23:01
morganfainberg	++	23:01
morganfainberg	dolphm, len(context['something']['omg'].get('thing', {}).setdefault('stuff', [thing])[0]['ENV']['user_id']) # how long is the user's id	23:02
morganfainberg	>.>	23:03
dolphm	morganfainberg: any reason why it's not just context['user_id'] ?	23:03
dolphm	and will i break anything if i rewrite it as such?	23:03
dolphm	that's sort of what was supposed to be in context anyway	23:03
morganfainberg	dolphm, that in keystone or middleware?	23:03
dolphm	morganfainberg: keystone	23:03
dolphm	morganfainberg: build_auth_context middleware	23:03
morganfainberg	dolphm, i'd re-write it to be context['user_id']	23:04
dolphm	morganfainberg: cool, i shall try that soon	23:04
morganfainberg	dolphm, i almost have the new KeystoneToken object done. just need to figure out how to populate roles in a sane way (both v2 and v3)	23:04
morganfainberg	but it's soooo close.	23:04
morganfainberg	then i need to add tests (this is all before actually using it)	23:05
morganfainberg	it should really help simplify the token code.	23:05
*** bknudson has quit IRC		23:06
morganfainberg	well, at least consolidate the ick into one place rather than be spread out all over	23:06
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: implement GET /v3/catalog https://review.openstack.org/106893	23:12
*** jamielennox\|away is now known as jamielennox		23:12
*** david-lyle has quit IRC		23:20
*** henrynash has joined #openstack-keystone		23:25
*** oomichi has joined #openstack-keystone		23:33
*** richm has left #openstack-keystone		23:37
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options https://review.openstack.org/106558	23:38
openstackgerrit	A change was merged to openstack/python-keystoneclient: Provide an __all__ for auth module https://review.openstack.org/104529	23:42
*** lbragstad has joined #openstack-keystone		23:50
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Use jsonutils to load adapter response https://review.openstack.org/105065	23:51
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681	23:51
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type https://review.openstack.org/104734	23:51
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens https://review.openstack.org/106838	23:51
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Test that tenant list function can use auth_url https://review.openstack.org/104770	23:51
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware https://review.openstack.org/104771	23:51
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add v2 Token manager authenticate tests https://review.openstack.org/104769	23:51
morganfainberg	jamielennox, ping	23:54
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Use jsonutils to load adapter response https://review.openstack.org/105065	23:54
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681	23:54
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type https://review.openstack.org/104734	23:54
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens https://review.openstack.org/106838	23:54
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware https://review.openstack.org/104771	23:54
jamielennox	morganfainberg: hey	23:54
morganfainberg	jamielennox, want to ask your opinion about descriptor-magic-stuff	23:54
jamielennox	sure, what are you looking at	23:55
morganfainberg	jamielennox, so i'm building a new token object, and using descriptors to do some of the magic (read: heavy lifting) so it just happens "token.user = <user_id>" and then "token.user" = the ref	23:55
morganfainberg	jamielennox, erm referencing token.user is now the "token-filtered" ref	23:55
jamielennox	morganfainberg: server side token stuff, or token fixture stuff in client	23:55
morganfainberg	i'm running into a sticking point with roles	23:56
morganfainberg	server side	23:56
morganfainberg	this is consolidating the assignment_api stuff and the format token stuff to a single in-memory format	23:56
morganfainberg	here let mepost a quick diff	23:56
jamielennox	morganfainberg: it's the model in MVC	23:56
*** marcoemorais has quit IRC		23:57
morganfainberg	jamielennox, http://pasteraw.com/qux2mkrxijvqqdxk6egcoe8kc4fubgs	23:57
morganfainberg	but yes the Model idea in MVC	23:57
*** marcoemorais has joined #openstack-keystone		23:57
morganfainberg	and i'm using the potisional decorator :)	23:58
morganfainberg	cause i can	23:58
*** diegows has quit IRC		23:58
morganfainberg	jamielennox, so, the question is resolving the roles in a sane way between v2 and v3	23:58
jamielennox	morganfainberg: wow	23:59
morganfainberg	should i just suck it up and do a .populate_roles() method on the KeystoneToken or should it be a descriptor	23:59
morganfainberg	or somewhere inbetween	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!