Wednesday, 2014-07-23

<openstackgerrit> Arun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.
[00:10] *** nkinder has joined #openstack-keystone
[00:19] *** xianghui has joined #openstack-keystone
[00:24] *** joesavak has joined #openstack-keystone
[00:27] *** jsavak has joined #openstack-keystone
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data
[00:31] *** joesavak has quit IRC
[00:40] *** marcoemorais has quit IRC
[00:40] *** xianghui has quit IRC
[00:41] *** stevemar has joined #openstack-keystone
[00:41] *** marcoemorais has joined #openstack-keystone
[00:44] *** dims_ has quit IRC
[00:53] *** xianghui has joined #openstack-keystone
[01:01] *** bknudson has joined #openstack-keystone
[01:03] <stevemar> gyee, did you need something, i think you pinged me earlier, but i was afk
[01:09] *** dims_ has joined #openstack-keystone
[01:20] *** topol has joined #openstack-keystone
[01:20] *** oomichi has quit IRC
<openstackgerrit> Brant Knudson proposed a change to openstack/keystone: JSON-Home for V3
[01:33] *** kevinbenton has quit IRC
[01:33] *** kevinbenton has joined #openstack-keystone
[01:37] *** diegows has quit IRC
[01:39] *** marcoemorais has quit IRC
[01:39] *** gabriel-bezerra has quit IRC
[01:40] *** gabriel-bezerra has joined #openstack-keystone
[01:47] *** morganfainberg has quit IRC
[01:47] *** morganfainberg has joined #openstack-keystone
[01:48] *** mberlin1 has joined #openstack-keystone
[01:49] *** morganfainberg is now known as captainmorgan
[01:49] *** morganfainberg_Z has joined #openstack-keystone
[01:50] *** morganfainberg_Z is now known as morganfainberg
[01:50] *** mberlin has quit IRC
[01:50] *** morganfainberg is now known as captainmorgan
[01:51] *** ChanServ sets mode: +o captainmorgan
[01:57] <captainmorgan> jamielennox, you can blame me for the heat tests that are failing after the new client
[01:58] *** captainmorgan is now known as morganfainberg
[01:58] <morganfainberg> jamielennox, sorry.
[01:58] <jamielennox> morganfainberg: i assumed it was you but you never know
[01:58] <morganfainberg> jamielennox, yeah i implemented that test :(
[01:58] <jamielennox> what heat tests are failing? i fixed the horizon ones
[01:58] <uvirtbot> Launchpad bug 1347319 in heat "Latest keystoneclient breaks tests" [High,In progress]
[01:58] <jamielennox> lol, we have amazing CI - and yet every time
[01:59] <morganfainberg> jamielennox, it tries to get the domain from the domain name
[01:59] <morganfainberg> jamielennox, or it should have
[01:59] * morganfainberg very much dislikes Mox
[02:00] <morganfainberg> so, i am not sure why *that* doesn't actually work
[02:00] <jamielennox> morganfainberg: this is one of the reasons i really like doing mocking at the requests layer
[02:00] <morganfainberg> but i just saw it.
[02:00] <jamielennox> yea - i thought that would work
[02:01] <jamielennox> you aren't actually creating a DomainManager there like heat was
[02:01] <jamielennox> morganfainberg: you sure that fixes it?
[02:01] <morganfainberg> jamielennox, shardy just proposed that
[02:02] <morganfainberg> i mean, i just got back from the gym and sat down, so i was just *starting* to look at this
[02:02] <jamielennox> yea, i was looking - i just don't see the difference
[02:02] <jamielennox> i mean the new way is better, but the old way should have worked
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Scope unscoped saml2 tokens.
[02:03] <morganfainberg> i think this is mockanything vs mock
[02:03] <morganfainberg> it's a subtle object difference
[02:03] <morganfainberg> but that whole test suite needs to move to httpretty
[02:04] <morganfainberg> you know.. we should just provide a mock client in ksc
[02:04] <jamielennox> morganfainberg: well not httpretty, requests-mock
[02:04] <jamielennox> is the new awesome cause i'm so sick of httpretty
[02:05] <morganfainberg> requests-mock, whatever not mocking the object in the client directly
[02:07] <morganfainberg> jamielennox, so i think we need to use the token fixtures in keystone
[02:07] <morganfainberg> ran into oddities with the version(s) we use in the provider tests doing that
[02:08] <morganfainberg> it's *sortof* right
[02:08] <morganfainberg> jamielennox, eventually i want to make it better and make the accessinfo stuff align with it
[02:09] <morganfainberg> jamielennox, but accessinfo does some special magic in the factory at the moment i didn't want to try and fix (and get a ksc release) prior to getting some stuff in keystone lined up
[02:11] <jamielennox> the factories are a mess
[02:11] <jamielennox> i think that's stevemar's fault actually
[02:11] <morganfainberg> jamielennox, so i figure, we do it in keystone as cleanly as possible, port the stuff from keystone over and fix the factories, convert to using ksc once we release with the fixes
[02:11] <jamielennox> didn't you do the original v3 client stuff
[02:12] <jamielennox> morganfainberg: sure, makes sense to re-use those fixtures
[02:12] <jamielennox> i tend to avoid the accessinfo factory
[02:12] <jamielennox> most of the time you know if it's a v2 or a v3 token and you can just create the right object
[02:12] <jamielennox> stevemar: sorry, my mistake
[02:12] <morganfainberg> jamielennox, yeah i really want a descriptor based system that can load in from the JSON and validate in one fell swoop to a unified (non dict based) object
[02:13] <morganfainberg> jamielennox, and then that object should be able to re-emit in any token format needed
[02:13] <jamielennox> ah, that's fairly different to accessinfo
[02:13] *** gabriel-bezerra has quit IRC
[02:13] <morganfainberg> jamielennox, right. but accessinfo could benefit from parts of that
[02:14] *** alex_xu has joined #openstack-keystone
[02:14] *** gabriel-bezerra has joined #openstack-keystone
[02:14] <jamielennox> morganfainberg: could do, but i wouldn't target client for it
[02:15] <morganfainberg> jamielennox, nah i'd do it first in keystone then move the json->object bits to ksc, then convert keystone to extend that
[02:15] <stevemar> nov 2012 :(
[02:15] <morganfainberg> jamielennox, for the convert to format bits
[02:16] <stevemar> jamielennox, i had to use the accessinfo stuff for oauthy bits, but never created it
[02:16] <morganfainberg> but right now, i just need an object that works the same no matter the token format
[02:16] <jamielennox> i see feb 2013
[02:16] <jamielennox> stevemar: i think i've done all the oauth in accessinfo bits
[02:17] <jamielennox> ayoung was going to use it as part of the revocation stuff
[02:17] <jamielennox> but last i saw he'd reverted to his big old dictionary model
[02:23] <jamielennox> morganfainberg: any update on gating on middleware?
[02:23] <stevemar> jamielennox, yep, you are right
[02:23] <morganfainberg> jamielennox, we should be gating on it now
[02:23] <morganfainberg> jamielennox, nova and a few other projects have converted over
[02:24] <jamielennox> stevemar: on?
[02:24] <jamielennox> morganfainberg: cool, now that ksc is released there's a few changes i only want to do if we are properly testing it
<nkinder> jamielennox: ...question on
[02:24] <stevemar> jamielennox, that you did the oauthy bits
[02:25] <nkinder> jamielennox: shouldn't we try to cover password changes too?
[02:25] <nkinder> jamielennox: I know the patch is supposed to be simple... (sorry)
[02:26] <nkinder> jamielennox: I think that and authentication are the two possible calls that would contain the password in the request
[02:26] <morganfainberg> jamielennox, we should be, i mean... need to check devstack-g logs for a middleware change to be 100% sure, but i'm 99% positive we are
[02:27] <jamielennox> nkinder: yea, that would make sense
[02:27] <jamielennox> morganfainberg: enough for me
<morganfainberg> jamielennox, -e git+
<morganfainberg> keystonemiddleware== from
<morganfainberg> jamielennox, paste.filter_factory = keystonemiddleware.auth_token:filter_factory from
[02:28] <morganfainberg> i'd say we're gating on it
[02:29] <jamielennox> morganfainberg: cool
[02:29] *** gabriel-bezerra has quit IRC
[02:29] <morganfainberg> oh wait
[02:30] <jamielennox> ah damnit, i can obscure those calls, but it relies on a patch that is like 4 deep in a queue
[02:30] <morganfainberg> ok that looks like the release version...
[02:30] <morganfainberg> the g815 one looks like the dev one
[02:30] <nkinder> jamielennox: I added a comment to that effect in the review.
[02:30] *** gabriel-bezerra has joined #openstack-keystone
[02:30] <nkinder> jamielennox: any other requests that might have the password in it?
[02:31] <jamielennox> nkinder: i did a grep and it looks like there is a v2_0/tokens that does another type of authenticate with a password
[02:31] <morganfainberg> or is that master
[02:31] * morganfainberg can't tell
[02:31] *** masahito has quit IRC
[02:32] <morganfainberg> ooh we're always gating on master
[02:32] <morganfainberg> hrm. we might need to figure a way to gate one test on current release as well
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing kwargs from managers to session
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware
[02:38] <gyee> stevemar, sorry I was afk, you still there?
[02:38] <nkinder> morganfainberg, jamielennox: is there a policy that every patch should have an associated bug?
[02:38] <nkinder> I have some additional unit tests I wrote for trusts that check things from a security perspective
[02:38] <stevemar> gyee, yep
[02:39] <jamielennox> nkinder: no, only if there is an actual bug you are fixing
[02:39] <nkinder> The feature is behaving correctly, but there's a gap in the tests that I'm trying to fill
[02:39] <morganfainberg> nkinder, no policy, but it doesn't hurt for tracking
[02:39] <morganfainberg> nkinder, no one will complain if you add a bug for it :)
[02:39] <nkinder> ok, I planned on filing one anyway, but just wanted to see if there were any hard rules
[02:39] <morganfainberg> nkinder, but most "add a test nothing else is needed" is reasonable w/o a bug id
[02:40] <gyee> stevemar, looking at the code
[02:40] <gyee> for scoped token, we get the user_id from the token?
[02:41] <gyee> means the token already exists?
[02:41] <stevemar> gyee, user_id was already in the unscoped token
<stevemar> gyee user_id is retrieved from mapping engine
[02:43] <stevemar> gyee, line 80 it's shoved into the unscoped token
[02:43] <stevemar> gyee, when the user uses their unscoped token for a scoped token, the user_id is already there
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone-specs: Keystone WebSSO
[02:56] <gyee> stevemar, what does line 50 mean though
[02:56] <gyee> seems like the token is already in the payload?
[02:56] <stevemar> gyee, yes, the token is in the payload
[02:57] <stevemar> gyee, "To access this resource, an unscoped token is used"
<stevemar> gyee, crap: this would be better...
[02:58] <stevemar> gyee, but yeah, it's part of the payload
[02:58] <gyee> k, much better
[02:58] <gyee> stevemar, thanks!
[02:58] <stevemar> gyee, np, we didn't make it part of x-auth-token for some reason...
[02:59] <gyee> btw, I am trying to put together a POC to do x.509 auth with the existing framework to get an idea what it takes
[02:59] <gyee> seems like it's easier than I thought :)
[02:59] <gyee> but then again, it's getting late and I am hungry for dinner right now
[02:59] <gyee> so anything looks good
[03:00] <stevemar> gyee, oh i remember, it's cause for the current 'scoping' call, the token id is part of the payload anyway
[03:00] <stevemar> n again, its getting late and I am h
<stevemar> gyee, ignore ^
[03:01] <gyee> stevemar, k, I'll do more code diving later
[03:01] <gyee> thanks again
[03:01] <stevemar> gyee, it's not that bad! the keystone stuff anyway, setting up saml stuff is a PITA. np, any time
[03:02] *** gyee has quit IRC
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data
[03:06] *** ncoghlan has joined #openstack-keystone
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone-specs: Specification for OpenID Connect
[03:14] *** zzzeek has joined #openstack-keystone
<jamielennox> morganfainberg: the AccessInfo you copied across to
[03:14] <jamielennox> is based on a dict, is that what you want for server side?
[03:15] <morganfainberg> jamielennox, initially, that is the simplest
[03:15] <morganfainberg> jamielennox, i figure we can make it better incrementally
[03:15] <jamielennox> morganfainberg: ahh, the luxury of server side :)
[03:15] <morganfainberg> jamielennox, lol yeah
[03:15] *** harlowja is now known as harlowja_away
[03:15] <jamielennox> morganfainberg: still have a preference for models/ so that it encourages others
[03:16] <morganfainberg> i talked w/ dolphm, ayoung, and a few others
[03:16] <morganfainberg> it was determined <subsystem> was more appropriate
[03:16] <morganfainberg> or well.. generally thought as much
[03:16] <morganfainberg> i offered both options
[03:17] <jamielennox> people never agree with me on these things
[03:17] *** ncoghlan is now known as ncoghlan_afk
[03:17] * morganfainberg doesn't care which
[03:19] *** dims_ has quit IRC
<openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient: Remove SAML unscoped token auth from setup.cfg
[03:46] *** dims_ has joined #openstack-keystone
[03:49] *** zzzeek has quit IRC
[03:51] *** dims_ has quit IRC
[04:03] *** topol has quit IRC
[04:19] *** oomichi has joined #openstack-keystone
[04:28] <stevemar> jamielennox, hey dude, have a minute?
[04:28] <jamielennox> stevemar: sure
<stevemar> jamielennox, having a problem and it's one of those silly ones that takes another pair of eyes ->
[04:30] <stevemar> jamielennox, using curl, create works fine, so i know the endpoint exists... but using the client, it 404s
[04:31] <stevemar> when doing: ks.oauth1.consumers.create("blah"), if I did ks.users.list(), it works fine
[04:33] <jamielennox> umm, i think my first guess would be that the catalog is setup wrong
[04:33] <jamielennox> so you're getting a bad base URL
[04:34] <jamielennox> doing logging.basicConfig(level=logging.DEBUG) in your script files will show you the requests that are made from the client
[04:37] *** mrmoje has quit IRC
[04:37] <jamielennox> stevemar: do you have debug output there?
[04:38] <stevemar> jamielennox, yeah, just added it, was getting food, let me paste the output
[04:39] <stevemar> Failed to contact the endpoint at for discovery. Fallback to using that endpoint as the base url.
[04:41] <stevemar> and obviously have v2.0 will not work as that endpoint
[04:41] <jamielennox> it's failing discovery for some reason
[04:41] <stevemar> was there something i did incorrectly in setting up my client?
[04:41] <jamielennox> which is probably the same reason it can't contact the oauth point
[04:41] <jamielennox> i doubt it
<jamielennox> can you http --json
[04:42] <jamielennox> ah, that might be force of habit, use wget or curl or whatever you do
[04:43] <stevemar> np, whoa that is weird
<stevemar> $ curl
[04:43] <stevemar> {"error": {"message": "Could not find version: v2.0", "code": 404, "title": "Not Found"}}
[04:43] <jamielennox> so that is weird
<stevemar> $ curl
[04:43] <stevemar> {"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "", "rel": "self"}]}}
[04:43] <stevemar> that's a bit fucky
[04:43] <jamielennox> / ?
[04:44] <jamielennox> lol, same meaning
[04:44] <stevemar> pretty much
[04:44] <stevemar> i have no idea why v2 is not set up
[04:44] *** gabriel-bezerra has quit IRC
[04:45] <jamielennox> ibm is embracing v3 only?
[04:45] <stevemar> hmmm responds with stuff
[04:45] <stevemar> not likely, this was spun up with devstack, probably just a corrupted env.
[04:45] <stevemar> it's a bit old
[04:46] <jamielennox> maybe it was a v3 everywhere devstack trial
[04:46] <jamielennox> although password auth worked
[04:46] *** gabriel-bezerra has joined #openstack-keystone
[04:48] <stevemar> i have no idea
[04:55] *** sumit__ has joined #openstack-keystone
[04:56] <sumit__> Hi, we are trying to generate token using keystone 'token-get' command, but it is throwing following error: 'NoneType' object has no attribute 'has_service_catalog'
[04:57] <sumit__> How to resolve this ?
[04:57] *** ajayaa has joined #openstack-keystone
[05:04] *** stevemar has quit IRC
[05:09] *** mrmoje has joined #openstack-keystone
[05:18] *** chandankumar has joined #openstack-keystone
[05:19] *** shausy has joined #openstack-keystone
[05:20] *** chandankumar_ has joined #openstack-keystone
[05:22] *** chandankumar has quit IRC
[05:28] *** ciypro|afk has quit IRC
[05:28] *** chandankumar_ is now known as chandankumar
[05:32] *** cjellick_ has joined #openstack-keystone
[05:33] *** k4n0 has joined #openstack-keystone
[05:35] *** cjellick has quit IRC
[05:37] *** cjellick_ has quit IRC
[05:43] *** ncoghlan_afk is now known as ncoghlan
[05:47] *** afazekas has quit IRC
[05:50] *** dims has joined #openstack-keystone
[05:55] *** dims has quit IRC
[06:00] <ajayaa> dolphm, jamielennox, How do I get an endpoint associated with a service_id via catalog api?
[06:03] *** cjellick has joined #openstack-keystone
[06:03] *** alex_xu has quit IRC
[06:06] *** sumit__ has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
[06:12] *** cjellick has quit IRC
[06:20] *** alex_xu has joined #openstack-keystone
[06:26] *** afazekas has joined #openstack-keystone
[06:26] *** tomoiaga has joined #openstack-keystone
[06:27] <jamielennox> ajayaa: it's not via catalog api, when you create an endpoint you set the service id that it should be associated with
[06:27] <jamielennox> so from cli keystone endpoint-create --service-id XXXX
[06:28] <jamielennox> sumit__ is gone
[06:28] <ajayaa> jamielennox, remember yesterday I was talking about caching in catalog layer. When a service is deleted, I need to invalidate the cache entry for associated endpoint also.
[06:29] <ajayaa> Currently I am getting all the end points through catalog_api.list_endpoints() and iterating through the list to match the service id.
[06:30] <ajayaa> jamielennox, I was wondering whether there is a better way to get associated endpoint with a service.
[06:32] <jamielennox> oh, it appears you can provide hints to list_endpoints()
[06:32] <jamielennox> that will let you filter for a service id
[06:32] <jamielennox> i don't know how you're doing caching to help you invalidate from that
[06:34] <ajayaa> what is a hint? Can I just pass the service_id as hint?
[06:35] <jamielennox> it's defined in common.driver_hints
[06:35] <jamielennox> it's a series of prompts that a backend should respond to - if it knows how
[06:36] <jamielennox> so you can tell it that it should only return those associated with a service_id - but you can't trust that it did it
[06:36] <jamielennox> as in you still need to iterate over the returned values to make sure
[06:36] <jamielennox> use like
[06:36] <jamielennox> hints = driver_hints.Hints()
[06:36] <jamielennox> hints.add_filter('service_id', 'XXXXXX')
[06:37] <jamielennox> i *think* it'll be service id, the SQL hints are fairly simple so it'll match the table name
[06:37] <jamielennox> you can see how they're applied in common.sql.utils i think it is
[06:43] <ajayaa> jamielennox, Thanks. That is helpful. :)
[06:43] *** jimbaker has quit IRC
[06:44] *** joesavak has joined #openstack-keystone
[06:45] <ajayaa> jamielennox, To make it work with all kinds of backends I think I still need to get all the endpoints and invalidate the one which is associated with the service_id being deleted.
[06:46] *** jsavak has quit IRC
[06:47] *** jimbaker has joined #openstack-keystone
[06:51] *** jimbaker has quit IRC
[06:51] *** jimbaker has joined #openstack-keystone
[06:57] *** jimbaker has quit IRC
[07:01] *** jimbaker has joined #openstack-keystone
[07:01] *** jimbaker has quit IRC
[07:01] *** jimbaker has joined #openstack-keystone
[07:07] *** jimbaker has quit IRC
[07:08] *** cjellick has joined #openstack-keystone
[07:12] *** jimbaker has joined #openstack-keystone
[07:12] *** jimbaker has quit IRC
[07:12] *** jimbaker has joined #openstack-keystone
[07:13] *** cjellick has quit IRC
[07:17] *** alex_xu has quit IRC
[07:17] *** jimbaker has quit IRC
[07:23] *** jimbaker has joined #openstack-keystone
[07:23] *** jimbaker has quit IRC
[07:23] *** jimbaker has joined #openstack-keystone
[07:29] *** jimbaker has quit IRC
[07:29] *** alex_xu has joined #openstack-keystone
[07:31] *** gabriel-bezerra has quit IRC
[07:32] *** gabriel-bezerra has joined #openstack-keystone
[07:33] *** jimbaker has joined #openstack-keystone
[07:33] *** jimbaker has quit IRC
[07:33] *** jimbaker has joined #openstack-keystone
[07:43] *** jimbaker has quit IRC
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Use keystoneclient.exceptions
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Removed keystone.apiclient
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Removed keystoneclient.apiclient
[07:47] *** jimbaker has joined #openstack-keystone
[07:47] *** jimbaker has quit IRC
[07:47] *** jimbaker has joined #openstack-keystone
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Removed keystoneclient.apiclient
[07:53] *** dims has joined #openstack-keystone
[07:53] *** jimbaker has quit IRC
[07:55] *** mrmoje has quit IRC
[07:58] *** dims has quit IRC
[08:00] *** jimbaker has joined #openstack-keystone
[08:00] *** jimbaker has quit IRC
[08:00] *** jimbaker has joined #openstack-keystone
[08:04] *** jimbaker has quit IRC
[08:07] *** jimbaker has joined #openstack-keystone
[08:07] *** jimbaker has quit IRC
[08:07] *** jimbaker has joined #openstack-keystone
<openstackgerrit> wanghong proposed a change to openstack/python-keystoneclient: expose the revoke token for V3
<openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: CRUD grant functions don't check user_id and group_id
[08:12] *** gabriel-bezerra has quit IRC
[08:12] *** jimbaker has quit IRC
[08:12] *** gabriel-bezerra has joined #openstack-keystone
[08:15] *** henrynash has joined #openstack-keystone
[08:19] *** jimbaker has joined #openstack-keystone
[08:19] *** jimbaker has quit IRC
[08:19] *** jimbaker has joined #openstack-keystone
<openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: Group related methods for LDAP backend
[08:24] *** jimbaker has quit IRC
<openstackgerrit> wanghong proposed a change to openstack/keystone: add internal delete notification for endpoint
[08:27] *** jimbaker has joined #openstack-keystone
[08:27] *** jimbaker has quit IRC
[08:27] *** jimbaker has joined #openstack-keystone
[08:29] *** andreaf has quit IRC
[08:30] *** mrmoje has joined #openstack-keystone
[08:30] *** andreaf has joined #openstack-keystone
[08:30] *** andreaf_ has joined #openstack-keystone
[08:41] *** andreaf_ has quit IRC
[08:45] *** ncoghlan has quit IRC
[08:51] <marekd> jamielennox: ping.
[08:53] *** dims has joined #openstack-keystone
[08:58] *** dims has quit IRC
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Use keystoneclient.exceptions
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Removed keystoneclient.apiclient
<openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: Check the url format when create endpoint
[09:14] *** alex_xu has quit IRC
<openstackgerrit> wanghong proposed a change to openstack/keystone: add --rebuild option for ssl/pki_setup
[09:29] *** oomichi has quit IRC
[09:37] *** ukalifon has joined #openstack-keystone
<openstackgerrit> Ilya Pekelny proposed a change to openstack/keystone: Catch correct oslo.db exception
[09:45] *** henrynash has quit IRC
[09:49] *** henrynash has joined #openstack-keystone
[09:50] *** henrynash has quit IRC
[10:01] *** ajayaa has quit IRC
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Enforce authenticated=False in saml2 plugin
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Rename saml2_token_url to token_url
[10:26] *** ajayaa has joined #openstack-keystone
[10:29] *** afazekas has quit IRC
[10:38] *** afazekas has joined #openstack-keystone
[10:43] *** syedawaisali has joined #openstack-keystone
[10:45] *** dims has joined #openstack-keystone
[11:03] *** diegows has joined #openstack-keystone
[11:10] *** cjellick has joined #openstack-keystone
[11:15] *** cjellick has quit IRC
<openstackgerrit> Kristy Siu proposed a change to openstack/keystone-specs: generic-mapping-federation
[11:16] *** kwss has joined #openstack-keystone
[11:20] *** joesavak has quit IRC
[11:26] *** jamielennox is now known as jamielennox|away
<openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: Check the url format when create endpoint
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Details the proper way to call a callable
[11:47] *** chandankumar has quit IRC
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Insert space between ``#`` and the comment
[11:49] *** chandankumar has joined #openstack-keystone
<openstackgerrit> Ajaya Agrawal proposed a change to openstack/keystone: Expand the caching layer in keystone
[12:05] *** dims has quit IRC
[12:05] *** k4n0 has quit IRC
<openstackgerrit> Abhishek Kekane proposed a change to openstack/keystone: Keystone service throws error on SIGHUP signal
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Allow passing kwargs from managers to session
[12:26] *** henrynash has joined #openstack-keystone
[12:26] *** gabriel-bezerra has quit IRC
[12:26] *** gabriel-bezerra has joined #openstack-keystone
[12:27] *** dims has joined #openstack-keystone
[12:35] *** lbragstad has joined #openstack-keystone
[12:36] *** xianghui has quit IRC
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Hierarchical Projects
[12:41] *** bvandenh has joined #openstack-keystone
[12:47] *** alex_xu has joined #openstack-keystone
[13:01] *** rwsu has joined #openstack-keystone
[13:02] *** bvandenh has quit IRC
[13:04] *** hrybacki has joined #openstack-keystone
[13:07] *** dims has quit IRC
[13:07] *** syedawaisali has quit IRC
[13:15] *** stevemar has joined #openstack-keystone
[13:17] *** bknudson has quit IRC
[13:20] *** zzzeek has joined #openstack-keystone
[13:27] *** afazekas has quit IRC
[13:28] *** gordc has joined #openstack-keystone
[13:28] *** joesavak has joined #openstack-keystone
[13:29] *** xianghui has joined #openstack-keystone
[13:30] <kwss> stevemar, thanks for renaming the blueprint! :)
<openstackgerrit> Kristy Siu proposed a change to openstack/keystone-specs: generic-mapping-federation
[13:37] *** dims has joined #openstack-keystone
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Add string id type validation
[13:38] <dstanek> zzzeek: hi
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Add string id type validation
[13:39] <zzzeek> hey dstanek
[13:39] <dstanek> zzzeek: i created a fedora 20 vm last night, but i could not duplicate the issue
[13:40] <stevemar> kwss, np! i'm reviewing the spec again
[13:41] <stevemar> kwss, so the whole issue w/ user_id... is it because some apache plugins already set the user name?
[13:41] <dstanek> zzzeek: i had a commit merge yesterday that messed with the xml matcher... you can try to run the tests against c95fdbc5c54052eec30663b7ac82349c6539e2d2 which is the commit right before the change
[13:41] <stevemar> kwss, and you want to avoid using the mapping engine unnecessarily if it's already set?
[13:41] <zzzeek> dstanek: OK, I have to run out today for awhile but will try later
[13:42] <kwss> stevemar, well not necessarily the plugin, but SAML2 already passes the NameID in the assertion, I don't know how mod_shib translates that but it should already be there
[13:42] <kwss> other protocols have similar ways of defining this
[13:42] *** bknudson has joined #openstack-keystone
[13:43] *** afazekas has joined #openstack-keystone
[13:43] *** topol has joined #openstack-keystone
[13:44] <stevemar> kwss, then NameID would be a remote attribute in the rules, and we use user{id:%0%} in the local rules
[13:44] <kwss> stevemar, if we already have it, and know where it is, then we don't need to map it, and it can be used as a mapping value for mapping policies applied to multiple IdPs/protocols
[13:44] <stevemar> kwss, i agree that if it's already there, we don't need to map it
[13:46] <kwss> stevemar, I think that the NameID is carried in the subject element rather than the attribute statement, not sure if that affects how mod_shib assigns it in the environment
[13:46] <marekd> dstanek: around?
[13:46] <dstanek> marekd: yep
[13:48] <stevemar> kwss, one suggested re-write
[13:48] <kwss> stevemar, we're interested in creating virtual organisations, where users can self register for group membership, and we need to insert mappings based on the user_id for this
[13:49] <kwss> stevemar, that sounds better, thanks :) I'll patch it now
[13:50] <dstanek> lbragstad: you there?
[13:50] <lbragstad> dstanek: yep
[13:51] <dstanek> lbragstad: so i was thinking that night that the way we are defining type may be insufficient to handle create and update with the same type (at least as is)
<openstackgerrit> Kristy Siu proposed a change to openstack/keystone-specs: generic-mapping-federation
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series
[13:52] <dstanek> for update the type may change from 'string' to ['string', 'null']
[13:52] <dstanek> at least for the optional keys
[13:52] <lbragstad> you mean optional keys being either a string or None, right?
[13:52] <lbragstad> allowing for a user to update an optional attr with None
[13:53] <lbragstad> dstanek: FYI
[13:53] <marekd> dstanek: regarding your comments on that review, you might want to check out this one ( I posted it as I didn't see the previous bp progressing very much ;/)
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Use keystoneclient.exceptions
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series
[13:54] <dstanek> lbragstad: yes, i'll go through the reviews again and note if i see the case
[13:54] <lbragstad> ok, sounds good
<openstackgerrit> Christian Berendt proposed a change to openstack/python-keystoneclient: Removed keystoneclient.apiclient
[13:55] <dstanek> marekd: is this a new protocol instead of using oauth?
[13:55] <marekd> dstanek: there is no new protocol.
[13:55] <marekd> dstanek: in fact this is for federation only.
[13:58] *** richm has joined #openstack-keystone
<openstackgerrit> Ajaya Agrawal proposed a change to openstack/keystone: Expand the caching layer in keystone
[13:59] <dstanek> marekd: hmmm... i'll have to look into this more, but i think it solves a different issue
[13:59] <marekd> dstanek: two bps solve websso issue.
[14:00] <dstanek> marekd: the other BP seemed to make Keystone IdP more accessible - yours delegates to another IdP
[14:01] *** chandankumar_ has joined #openstack-keystone
[14:01] <marekd> dstanek: I don't follow
[14:01] <marekd> dstanek: in case federation and web sso is going to be used
[14:02] <marekd> in the other BP will simply redirect to a protected url at the Keystone side
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources
dstanekmarekd: where does openstack_auth run? i thought that was used in horizon?14:02
marekddstanek: user goes through federation workflow14:02
marekddstanek: horizon.14:02
dstanekthe other spec was about not giving horizon credentials and instead having a web interface on Keystone right? or did i misread?14:03
marekddstanek: not giving credentials - correct, having a web interace on Keystone - but only for passing your credentials.14:04
*** chandankumar has quit IRC14:04
marekdonce you have a token you should use your horizon or whatever.14:04
*** chandankumar_ has quit IRC14:04
dstanekmarekd: right. your spec isn't doing that though right? it sounds like you pick an IdP and you get redirected there14:05
stevemarkwss, thanks kristy! if i see any other changes i'll upload a new version, i won't change any content though14:05
kwssstevemar, great thanks :)14:05
marekddstanek: my BP solves one specific issue: websso and nothing more. you need to initiate websso saml workflow with Keystone. Instead of the unscoped token yu will be redirected to a horizon web interface (but with the token).14:06
*** chandankumar has joined #openstack-keystone14:06
*** zzzeek has quit IRC14:07
marekddstanek: the other BP tries to solve multple problems by applying oAuth2.0 (or homemare oAuth-like protocol)14:07
dstanekmarekd: ok, then i do understand them correctly. i'll go over yours in more detail after i look at lbragstad's latest push14:07
marekdsure, thanks.14:07
dstanekmarekd: does your bp make the other bp easier to implement?14:08
*** afazekas has quit IRC14:09
dstaneklbragstad: line 35 on
dstaneklbragstad: during a project update can the domain_id be cleared by sending a null value?14:09
lbragstadI don't see why it couldn't be14:09
*** cjellick has joined #openstack-keystone14:10
lbragstaddstanek: in that case,
*** cjellick has quit IRC14:10
lbragstadline 37 should be ['string', 'null']14:10
*** cjellick has joined #openstack-keystone14:10
dstaneklbragstad: but will all IDs be optional?14:11
lbragstadnot necessarily14:12
dolphmdstanek: domain_ids can't be cleared on PATCH /v3/projects/{project_id}14:12
lbragstaddstanek: if we were to use that type 'id_string' on  credentials it would allow for None on a required attribute14:13
dolphmdstanek: lbragstad: also, this is the problem i ran into when poking around with jsonschema like 2 years ago. i needed different schemas for create vs update, but most attributes were common14:13
dstaneklbragstad: that's my point - there are cases where you want a type require and others where you may not14:14
lbragstaddolphm: yeah, which makes for a lot of duplication in the schema per resource14:14
lbragstadthe easiest way to fix that i think would be to control it per resource14:14
dolphmlbragstad: i made my schemas classes that could be walked like dicts by jsonschemas, so i could use inheritance14:14
dstaneklbragstad: dolphm: i had a thought last night that i didn't hack out yet14:15
dstaneklet me throw something together real quick14:15
lbragstaddolphm: so, your schemas were classes and not dictionaries14:17
*** shausy has quit IRC14:19
dstaneklbragstad: is what i did the day before the hackathon14:20
dolphmlbragstad: they were classes that quacked like dictionaries14:20
dstanekstevemar: ^ i object-ified the federation schema14:20
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
* dolphm is going to go to the castle before claco manages me for working from home14:20
*** tziOm has quit IRC14:24
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
stevemardstanek, dolphm whats the expected output for curl http://localhost:35357/v2.014:25
stevemari keep getting 404'd14:25
*** ayoung has joined #openstack-keystone14:25
*** afazekas has joined #openstack-keystone14:27
dstanekstevemar: new devstack doesn't run anything on 35357 - but on 5000 i get a short json doc14:27
*** gabriel-bezerra has quit IRC14:27
stevemardstanek, yes on 5000 i get that too14:28
stevemardstanek, i'm wondering if something is screwy with devstack, or keystoneclient14:28
*** gabriel-bezerra has joined #openstack-keystone14:28
stevemardstanek, cause discovery seems to default to :35357/v2.0 as a fall back14:29
dstanekstevemar: devstack now runs behind apache so i'm betting that's why i'm confused14:29
stevemarbut if it's not there, seems like a bad choice to default to that14:29
dstanekstevemar: found it?14:32
dstaneklbragstad: this is what i was thinking
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Check the url format when create endpoint
lbragstaddstanek: so, the create method wouldn't allow for an attribute to be None,14:34
lbragstadand update would allow for a reference to contain an optional attribute that is either of type string or None.14:35
dstaneklbragstad: i'd rather name it though - parameter_types.optional_id_string since you may use it more than once14:35
dstaneklbragstad:  you mean in my example?14:35
lbragstaddstanek: yeah,14:35
lbragstadI suppose, if we put these things in common/validation/parameter_types.py14:35
lbragstadwe could name them14:35
lbragstadoptional and what not14:35
dstaneklbragstad: i think it would be ok to have null optional value - but i coded it to not allow14:35
lbragstadI like the idea of optional_id_string and id_string14:36
lbragstador required_id_string14:36
*** david-lyle has joined #openstack-keystone14:36
lbragstadit would be nice if the schema referenced as much of the common types as possible.14:37
dstaneki'd be fine with it either way - agreed14:37
alex_xuayoung, hi, are you around14:37
lbragstadok, gotta run to standup, I'll get something coded up in the first id_string patch14:38
dstanekdolphm, lbragstad: it is worth it to spend another hour or two to take the jsd prototype and implement in keystone?14:38
stevemardstanek, nope... i'm still confused, i don't see how apache could cause an issue with it14:39
dstanekstevemar: for me i just don't have anything running on that port14:40
dstanekhmmm...actually if i run keystone-all i don't get anything on that port either14:41
stevemardstanek, "{"error": {"message": "Could not find version: v2.0", "code": 404, "title": "Not Found"}}"14:41
stevemarcould not find version is a suspicious error14:41
*** gabriel-bezerra has quit IRC14:41
stevemarit's not "The resource could not be located"14:41
*** gabriel-bezerra has joined #openstack-keystone14:42
*** rajesh has joined #openstack-keystone14:43
dstanekah, once i specified the sample config i got it running on the right port14:44
*** rajesh is now known as Guest5720014:44
*** vhoward has left #openstack-keystone14:44
dstanekstevemar: i do get a json doc there14:44
stevemardstanek, ?? what do you mean14:45
stevemarwhat changes did you do to the sample config?14:45
dstanekstevemar: no changes to it. i had to specify it using: "python bin/keystone-all --config-file=etc/keystone.conf.sample"14:46
dstanekstevemar: otherwise it used the /etc/keystone/keystone.conf installed by devstack14:46
*** ukalifon has quit IRC14:48
*** thedodd has joined #openstack-keystone14:48
*** lbragstad has quit IRC14:49
marekdstevemar: super busy with debugging devstack and port 35357?14:49
*** lbragstad has joined #openstack-keystone14:50
marekdkwss: hellouuu14:50
kwssmarekd: hi :)14:50
marekdkwss: i have a question for you - isn't WAYF/DS usually protocol specific?14:51
marekdis it common to present a WAYF website to a user where he can choose a protocol (saml, oidc) and the IdP?14:51
*** chandankumar_ has joined #openstack-keystone14:51
kwssmarekd, ordinarily the SP will not support multiple protocols, but as Keystone does it needs to be handled differently14:52
stevemarmarekd, i got time, whats up14:52
marekdkwss: because I was rather thinking: /OS-FEDERATION/websso/saml2 is fully handled by mod_shib and saml wayf/ds service, whilst /OS-FEDERATION/websso/oidc will have another wayf service14:52
stevemardstanek, thats weird, i am using the default config file, i think anyway, let me check14:52
kwssmarekd, but then either horizon, or the user needs to choose the protocol14:53
kwssmarekd, if horizon does, how does it know which the user's IdP uses, and if the user does, we expect end users to be protocol aware?14:53
marekdstevemar: this patch: relies on get_options() that you want to remove in
marekdkwss: before i answer it: suppose the /secure is our protected endpoint.14:54
marekdkwss: and this is normal website14:54
marekdkwss: user types
*** lbragstad has quit IRC14:55
marekdand by typing that he is already bound to one protocol, right?14:55
kwssmarekd, how so?14:55
*** chandankumar has quit IRC14:55
marekdbecause you cannot configure mod_shib and mod_auth_oidc to protect the same endpoint14:55
marekdkwss: correct me if i am wrong.14:55
*** Guest57200 has quit IRC14:56
kwssmarekd, but isn't the protected endpoint actually{protocol}?14:57
*** lbragstad has joined #openstack-keystone14:57
marekdkwss: yes yes yes, i was talking about another usecase. I am proposing /websso/{p} otherwise we will lock ourselves with one protocol only, am I right?14:57
kwssmarekd, right, so you need to know the protocol to try to access the protected endpoint?14:58
marekdkwss: I would expect horizon admins to add one option in settings and a button that redirects a user to a hardcoded url: /websso/saml2 or /websso/oidc14:58
marekdkwss: i don't think it's common for companies to have multiple federated protocols.14:59
kwssmarekd, and if keystone supports both, how does horizon know which to send the user to if the user might have an IdP at either?14:59
morganfainbergdolphm, to Sean Dague's point, TripleO's Program name is "Deployment"14:59
morganfainbergdolphm, TripleO is the code-name14:59
kwssmarekd, isn't the point of federation partly to enable cross organisation collaboration?14:59
marekdkwss: horizon: two buttons: "authN via SAML" -> redirects to /websso/saml2, "authN via oidc" -> redirect to /websso/oidc15:00
marekdkwss: but not with one protocol usually?15:00
*** erecio has joined #openstack-keystone15:00
marekdkwss: you can ask David15:00
marekdkwss: he probably knows the stuff.15:00
ajayaamorganfainberg, good morning! Please have a look at
kwssmarekd, do you not think it's feasible for Org A to use a SAML2 IdP and Org B to use an Open IDC one, and for them to share resources15:01
morganfainbergajayaa, already looking better (See the added configs!), i'll review it shortly15:01
kwssTwo buttons is fine, as long as end users know which one they use, but in my experience, end users are often not so aware of underlying mechanisms15:02
marekdkwss: :(15:02
ajayaamorganfainberg, thanks!15:02
marekdkwss: i don't see any specific parameter that lets you discover the protocol used.15:03
kwssmarekd, Keystone is already capable of functioning as a WAYF service by using /v3/identity_providers and the user gets to choose his IdP name instead15:03
marekdkwss: there is something in what you are saying :-)15:04
kwssmarekd, will the horizon login page be modified to add a federation login button?15:05
marekdyes, but i don't think it's within the scope of this BP15:05
marekdkwss: if you take a look at BP's references (at the bottom)15:05
marekdthere is something published15:05
marekdas we had to sketch something quite quickly as cern joined a federation15:06
kwssmarekd, but any client could query Keystone for the IdPs theoretically and give the user a list15:06
openstackgerritA change was merged to openstack/python-keystoneclient: Insert space between ``#`` and the comment
marekdkwss: what client?15:06
alex_xuayoung, have to go to sleep now. I miss you again :( I just want to ask if you could revisit again: do you think keystone-based policy will replace file-based policy, or can file-based and keystone-based exist at the same time as different backends? If they can exist at the same time, I will continue to push that proposal, and will think about keystone-based later.15:06
openstackgerritA change was merged to openstack/python-keystoneclient: Enforce authenticated=False in saml2 plugin
openstackgerritA change was merged to openstack/python-keystoneclient: Rename saml2_token_url to token_url
dolphmmorganfainberg: that's not what governance says15:06
morganfainbergdolphm, ah so wiki and governance are out of sync15:07
morganfainbergi trust governance then15:07
dolphmmorganfainberg: i am wrong!15:07
dolphmdevstack's program name is devstack15:07
kwssmarekd, horizon or a custom client, it doesn't matter15:09
*** radez_g0n3 is now known as radez15:10
marekdkwss: client like web interface or cli client?15:10
marekdcli should use ecp15:10
kwssmarekd, web interface15:10
marekdkwss: well, if you develop your own webif and want to use websso you have some requirements...15:11
*** lbragstad has quit IRC15:11
marekdkwss: i cannot fix all the problems :-)15:11
morganfainbergajayaa, just commented, a couple more things to fix, but you're close15:11
kwssmarekd, don't worry, I wasn't suggesting you make one, just that if you did, it would work the same15:11
*** alex_xu has quit IRC15:12
marekdstevemar: any comments?15:13
marekdstevemar: (sorry, i focused on disq with kwss )15:13
stevemarmarekd, (sorry, i'm focused on other stuff, too) :(15:14
marekdstevemar: np15:14
*** erecio has quit IRC15:14
dolphmif anyone is interested in trying it, Textual IRC client is available for free on the OS X app store *today only* (it's normally like $5 or $10)15:15
morganfainbergdolphm, it is also free if you want to compile it15:17
morganfainbergdolphm, buying it on the app store is just a "hey i support you guys and may want direct support in the future"15:17
dolphmmorganfainberg: wtf where's the link to github on their site?!15:17
morganfainbergdolphm, they *want* you to pay15:18
morganfainbergdolphm, it's also a fork of limechat (back in the bsd license days)15:18
openstackgerritAbhishek Kekane proposed a change to openstack/keystone: Keystone service throws error on SIGHUP signal
dolphmmorganfainberg: but they don't even mention that it's open source...15:18
dolphmmorganfainberg: i normally use limechat; it's got a couple issues that make me want to try something new15:19
morganfainbergdolphm, they don't have to. it's a secret-ish-sortof15:19
*** lbragstad has joined #openstack-keystone15:21
dolphmmorganfainberg: in light of TripleO being the code name, I'm thinking AAA makes a lot more sense15:21
morganfainbergdolphm, ++15:21
morganfainbergdolphm, i commented as much15:22
dolphmmorganfainberg: so, just spell them all out as the program name?15:23
morganfainbergdolphm, short or long form, but spelling them out might be more correct15:23
morganfainbergsimply so someone doesn't assume we do accounting15:23
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add docs for how to create an OAuth auth instance
dolphmmorganfainberg: so then we just need to discuss the oxford comma15:24
morganfainbergdolphm, imo always use the oxford comma unless you want the last two elements to be considered a single item :P15:24
morganfainbergdolphm, and in this case, auditing isn't exclusive to authorization15:24
morganfainbergdolphm, /me stops being picky about that kind of grammar :P15:25
dolphmmorganfainberg: also, my yaml parser pukes on the comma...15:25
morganfainbergin quotes?15:25
dolphmmy yaml syntax highlighter* (going to run a validator now..)15:25
*** afazekas has quit IRC15:27
*** tomoiaga has quit IRC15:27
dolphmmorganfainberg: the first two i tried didn't seem to care, but i can't get this one to say it's valid at all
dolphmmorganfainberg: "Error: Element 'Authentication__Authorization_and_Audit': This element is not expected. Expected is ( groups )."15:29
morganfainbergpaste of the yaml?15:30
morganfainbergthe link is an empty web-form15:30
dolphmoh, fuck. it's expecting a certain yaml structure. this isn't a yaml validator at all15:30
dolphmmorganfainberg: okay, so if the program name is Authentication, Authorization and Audit, is the codename still Keystone or is the codename then AAA? :-/15:32
morganfainbergI'd keep the codename keystone15:32
morganfainbergno reason to change that.15:32
*** joesavak has quit IRC15:33
*** xianghuihui has joined #openstack-keystone15:34
*** xianghui has quit IRC15:36
dolphmmorganfainberg: so,
morganfainbergdolphm, LGTM15:37
*** lbragstad has quit IRC15:38
*** lbragstad has joined #openstack-keystone15:39
*** lbragstad has quit IRC15:40
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: generic-mapping-federation
stevemarkwss, polished it up a bit ^ just formatting15:42
kwssstevemar, thanks so much, I really appreciate it :)15:42
*** packet has joined #openstack-keystone15:44
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Expand the caching layer in keystone
ajayaamorganfainberg, updated. :)15:47
morganfainbergajayaa, you see the reasoning behind those comments right? caching is a bit fickle and a royal pain to do right15:48
*** joesavak has joined #openstack-keystone15:48
morganfainbergayoung, you might need to remove 'token caching' bit from the cache_time help15:49
morganfainbergayoung, not you ajayaa ^15:49
morganfainbergajayaa, you still have 'token' in the help string15:49
morganfainbergajayaa, line 75015:50
*** marcoemorais has joined #openstack-keystone15:50
ajayaamorganfainberg, missed a bit in excitement. Thanks.15:50
morganfainbergand i think line 132 needs to be above the for loop15:50
morganfainbergajayaa, otherwise you still have the potential for caching to occur on an endpoint where a service hasn't been invalidated yet15:51
ajayaamorganfainberg, yes. Which one should be done first? the service invalidation or the endpoint invalidation?15:53
ajayaamorganfainberg, endpoint depends on service[id], so service invalidation followed by endpoint invalidation is the right way, I suppose.15:54
morganfainbergajayaa, yeah you got it15:54
dolphmwhy does pip consider v1.2b3 to match <1.2 ?!15:55
morganfainbergdolphm, alpha and beta release15:56
morganfainbergdolphm, it's dumb15:56
morganfainbergdolphm, you want 1.2(stable) to win over 1.2(alpha)15:57
*** gyee has joined #openstack-keystone15:58
*** jsavak has joined #openstack-keystone15:59
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Expand the caching layer in keystone
stevemarkwss, yay +2's from everyone, dolphm gyee want to pull the trigger and +A it?16:00
*** lbragstad has joined #openstack-keystone16:00
kwssstevemar, yay :D16:00
*** ajayaa has quit IRC16:01
*** joesavak has quit IRC16:03
gyeestevemar, did16:07
*** hrybacki has quit IRC16:07
gyeethis should work for x509 as well, which is coolness16:08
*** packet has quit IRC16:08
*** ayoung has quit IRC16:09
*** packet has joined #openstack-keystone16:10
*** chandankumar_ has quit IRC16:13
*** xianghuihui has quit IRC16:16
dstanekstevemar: did you get your issue straightened out?16:24
*** afazekas has joined #openstack-keystone16:24
stevemardstanek, nope, gave up, i dunno whats going on16:26
dstanekstevemar: I don't blame you16:28
*** topol_ has joined #openstack-keystone16:31
*** topol has quit IRC16:31
*** topol_ is now known as topol16:31
openstackgerritLance Bragstad proposed a change to openstack/keystone: Add string id type validation
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources
dolphmlbragstad: can i submit another patchset for the first string id type validation ^ ?16:34
lbragstaddolphm: sure, go for it16:35
lbragstadI'm wrapping my head around dstanek's implementation16:35
openstackgerritDolph Mathews proposed a change to openstack/keystone: Add string id type validation
openstackgerritDolph Mathews proposed a change to openstack/keystone: Implement validation on Assignment V3 resources
dolphmlbragstad: simplified the default regex and expanded the help text for the option ^16:39
lbragstaddolphm: perfect, thanks16:40
*** henrynash has quit IRC16:41
*** henrynash has joined #openstack-keystone16:41
*** lbragstad has quit IRC16:43
*** gabriel-bezerra has quit IRC16:43
openstackgerritA change was merged to openstack/keystone-specs: generic-mapping-federation
*** gabriel-bezerra has joined #openstack-keystone16:45
*** henrynash has quit IRC16:48
*** ayoung has joined #openstack-keystone16:49
*** joesavak has joined #openstack-keystone16:50
ayoungmorganfainberg, I just did a clean install and setup of devstack.  And Keystone is running in HTTPD, and it made me so happy...16:51
morganfainbergayoung, :)16:51
ayoungmorganfainberg, I'm a figure out how to attach a debugger to it now16:51
*** afazekas is now known as _afazekas16:52
*** turul_ has joined #openstack-keystone16:52
*** turul_ is now known as afazekas16:52
*** amcrn has joined #openstack-keystone16:53
*** kwss has quit IRC16:53
*** jsavak has quit IRC16:53
ayoungmorganfainberg so the eventlet approach was to add it to the command line, but I am thinking config options like:  DEBUGGER=admin  or DEBUGGER=main to distinguish between each of the wsgi apps, otherwise you'll have conflict at startup over who owns the debugging port16:54
ayoungdolphm, can you approve a stable backport?16:56
raildomorganfainberg: ping16:57
*** marcoemorais has quit IRC17:00
*** gokrokve has joined #openstack-keystone17:01
*** marcoemorais has joined #openstack-keystone17:02
ayoungmorganfainberg, what is the "right" way to restart httpd in devstack?17:03
ayoung$ sudo systemctl status httdp.service17:03
ayoung   Loaded: not-found (Reason: No such file or directory)17:03
ayoungbut I know it is running17:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence
morganfainbergayoung, httdp ?17:06
morganfainbergayoung, i think you have a typo there17:06
*** browne has joined #openstack-keystone17:07
ayoungmorganfainberg, heh, I was expecting it not to work, so I was not surprised when it didn't17:07
* morganfainberg slowly plods along getting non-persistent tokens going17:07
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence
*** gokrokve has quit IRC17:12
*** gabriel-bezerra has quit IRC17:12
*** gokrokve has joined #openstack-keystone17:13
*** gabriel-bezerra has joined #openstack-keystone17:14
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke tokens under the same domain
*** gabriel-bezerra has joined #openstack-keystone17:15
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke tokens under the same domain
*** gokrokve has quit IRC17:17
ayoungmorganfainberg, OK,  so I have horizon running in a VM, with Keystone and the other /opt/stack directories nfs mounted.  I'm going to develop on my local desktop system, but see the changes on the remote vm.  If this works.....17:19
ayoungmorganfainberg, do you know if pycharm has support for remote debugging?17:19
morganfainbergayoung, it has pydevd support17:19
dolphmayoung: that's not a backport17:20
dolphmayoung: i also don't understand why I'm a co-author on it17:20
morganfainbergayoung, i think you need to use it's specific pydevd,17:20
ayoungdolphm, I think you were co-author on the main patch17:20
*** harlowja_away is now known as harlowja17:20
ayoungdolphm, it required modifications, so it is not a cherry pick, but it is a backport of
ayoungDolph Mathews17:22
ayoungMar 18 7:20 AM17:22
ayoungUploaded patch set 3.17:22
dolphmayoung: why is there no icehouse backport?17:23
ayoungdolphm, I think it went in already17:24
morganfainbergdolphm, not sure why the icehouse one was abandoned? was this something that snuck into RC?17:24
morganfainbergor predated Icehouse release17:24
ayoungthis fix is in icehouse stable17:24
ayoungcommit 9c15b73f8361ce8606a531b5765c94b3927d99c417:24
morganfainbergpredated icehouse release.17:24
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor set domain-id and mapping code
ayoungThis was one of the things that the Go Daddy team talked about in the session at the Juno Summit17:25
ayoungmorganfainberg, BTW, I replaced the /var/www/keystone/admin and main files with symlinks to /opt/stack/keystone/httpd/ and it seems to work.  I think we probably want that in the future.17:27
ayoungin devstack17:27
morganfainbergdolphm, so, quick update on non-persistent tokens.  I think I've got 1 big change (will be split up) and 2-3 smaller ones for keystone server to be happy17:28
*** Chicago has quit IRC17:29
dolphmayoung: i'm reviewing it, but this change has always appeared feature-y to me. i'd suggest bringing it up on the mailing list17:32
dolphmayoung: the stable maintenance list, to be specific17:32
*** gokrokve has joined #openstack-keystone17:34
dolphmayoung: +1'd, but ping the list ^ and explain why a configuration option is a desirable backport here17:41
ayoungwill do17:42
dolphmdstanek: morganfainberg: any ideas on why the "NoSuchOptError: no such option: validation" here?
*** marcoemorais has quit IRC17:47
morganfainbergdolphm, not sure but will never work, the CONF.validation.id_string_regex will always be the default17:47
morganfainbergdolphm, since that will be generated at import time17:47
dolphmmorganfainberg: oh that's exactly what it is17:48
dolphmmorganfainberg: CONF hasn't been built yet17:48
morganfainbergdolphm, ah17:48
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.
morganfainbergdolphm, bknudson's change (from like icehouse) is doing its job! preventing that from happening17:48
*** marcoemorais has joined #openstack-keystone17:49
bknudsony, CONF() doesn't happen until after imports17:50
*** bjornar has joined #openstack-keystone17:52
dstanekhide the schema generation behind functions?17:56
dolphmand that's how i broke python
dstanekdolphm: no i mean have validated call a function that returns a schema17:58
dolphmdstanek: understood; the above is what i was already trying17:59
dstanekah i see17:59
dolphmmorganfainberg: uhh, belated question. auth_token used to depend on wsgi things like webob. i don't see any wsgi-things left in keystonemiddleware/requirements.txt18:05
dolphmmorganfainberg: so we didn't gain what i thought we gained from the repo split..? or am i missing something18:06
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add docs for how to create an OAuth auth instance
morganfainbergdolphm, hm. well the middleware depends on keystoneclient (which we can't remove its version of middleware from yet**)18:07
morganfainbergdolphm, we might need to increase the requirements for keystonemiddleware to cover a gap, we might be succeeding because we depend on keystoneclient18:07
morganfainbergdolphm, i'm not sure when we can yank the middleware bit out of keystoneclient tbh.18:08
dolphmmorganfainberg: i thought of that, but i don't see anything in keystoneclient either.18:08
*** jamielennox|away has quit IRC18:08
morganfainbergdolphm, i don't think we actually rely on webob or wsgi things18:09
morganfainbergdolphm, for auth_token. but we do have things like memcache requirement18:09
morganfainbergdolphm, our tests depend on webob18:10
openstackgerritDolph Mathews proposed a change to openstack/keystonemiddleware: remove unused dep: prettytable
morganfainbergdolphm, s3token relies on webob18:11
*** hrybacki has joined #openstack-keystone18:11
dolphmrelated change ^18:11
morganfainbergdolphm, ++18:11
*** jamielenz has joined #openstack-keystone18:12
*** lbragstad has joined #openstack-keystone18:13
dolphmmorganfainberg: is keystonemiddleware going to use stevedore?18:14
dolphmor just client18:15
*** jamielennox|away has joined #openstack-keystone18:15
morganfainbergdolphm, is there a reason for it to?18:15
*** gabriel-bezerra has quit IRC18:15
morganfainbergi think just client18:15
dolphmmorganfainberg: not that i can think of18:15
openstackgerritDolph Mathews proposed a change to openstack/keystonemiddleware: remove unused dep: stevedore
morganfainbergwe should move webob to requirements.txt from test-requirements.txt for middleware since S3 relies on webob18:16
*** gabriel-bezerra has joined #openstack-keystone18:16
*** jamielenz has quit IRC18:16
dolphmmorganfainberg: ++ i'll do that now18:16
*** radez has quit IRC18:16
*** ukalifon1 has joined #openstack-keystone18:16
*** jamielenz has joined #openstack-keystone18:17
*** rwsu_ has joined #openstack-keystone18:17
*** syedawaisali has joined #openstack-keystone18:18
openstackgerritDolph Mathews proposed a change to openstack/keystonemiddleware: move webob from test-requirements to requirements
*** rharwood has quit IRC18:18
stevemardolphm is crushing the 1 line changes today18:19
*** jamielennox|away has quit IRC18:19
dolphmstevemar: hey the last one was +1 / -118:19
*** jamielennox|away has joined #openstack-keystone18:20
*** hrybacki has quit IRC18:20
dolphma dude from IBM once told me that IBM engineers write an average of 4 lines of code per day, according to some internal survey/study/whatever IBM does in its free time18:21
*** rwsu has quit IRC18:21
dolphmso i've now met my quota18:21
*** jamielenz has quit IRC18:21
stevemardolphm, guys like bknudson bring our average up18:22
morganfainbergdolphm, they take surveys on how many lines of code they write instead of writing them18:22
*** hrybacki_ has joined #openstack-keystone18:23
bknudsonI don't follow the development process.18:23
dolphmi wonder what my LOC reviewed vs written ratio is18:23
*** rharwood has joined #openstack-keystone18:23
dolphmbknudson: ++18:23
bknudsonwith the new spec process we can get keystone to the same level18:23
morganfainbergbknudson, but stackalytics counts specs as LOC, so .. thats hundreds of extra :P18:23
*** jamielenz has joined #openstack-keystone18:24
bknudsonyou can get a lot done in 4 lines of code18:24
*** jamielennox|away has quit IRC18:24
*** radez_g0n3 has joined #openstack-keystone18:25
*** radez_g0n3 is now known as radez18:25
*** jamielennox|away has joined #openstack-keystone18:27
*** xianghui has joined #openstack-keystone18:28
dolphmoh noes, my 3 hours of sleep last night just caught up with me18:28
*** jamielenz has quit IRC18:30
*** jamielennox|away has quit IRC18:31
*** jamielenz has joined #openstack-keystone18:31
*** mrmoje has quit IRC18:34
lbragstadmorganfainberg: when adding a new configuration group is there anything else that needs to be added outside of the options in
stevemardolphm, why would you do a silly thing like that18:37
morganfainberglbragstad, shouldn't be18:38
lbragstadmorganfainberg: ok, sounds good, just wanted to check since I was getting NoSuchOptError: no such option: validation18:39
morganfainberglbragstad, that is because CONF() isn't built at that point (dolphm asked about i assume the same patch earlier)18:39
lbragstadwanted to make sure I didn't miss a step18:39
morganfainbergit ensures you aren't referencing conf values at import time and therefore not getting updated values when the conf is changed/loaded from the config file18:40
ayoungmorganfainberg, I GOT REMOTE DEBUGGING TO WORK !!!!!111!1!11One!11!!Won!!!obiwan!!!18:47
lbragstadmorganfainberg: ok, so if we want to reference CONF.validation.id_string_regex here :
*** syedawaisali has quit IRC18:48
lbragstaddo I have to redo that part and pull it in somewhere else?18:48
*** gabriel-bezerra has quit IRC18:48
*** gabriel-bezerra has joined #openstack-keystone18:49
lbragstadmorganfainberg: dolphm ok, on the same page now, should we pull the config options for id_string_regex then?18:53
morganfainberglbragstad, yes, you need to build that object (dict) after keystone is running.18:53
dolphmlbragstad dstanek morganfainberg: i'm trying to think of the simplest way to do that ^18:53
morganfainberglbragstad, basically, it can't be referenced until the config file is loaded18:53
lbragstadmorganfainberg: and we can't really enforce order can we?18:54
morganfainberglbragstad, we do by not loading the config until runtime.18:54
morganfainberglbragstad, or closer to runtime that is18:55
dstanekthis is what i was thinking :
lbragstaddstanek: oh, gotcha... and that would live in keystone/common/validation/parameter_types.py18:58
dolphmdstanek: lbragstad: my approach is worse
dstaneklbragstad: yeah, but the kicker is that it can't get called until it is used. not at import time19:00
dolphmdstanek: yeah, test_validation still wants to call it at import19:00
*** rwsu_ is now known as rwsu19:01
dstanekactually i have another idea19:01
raildodolphm: What is the deadline for spec approval, so that the functionality can get in Juno?19:01
dolphmlbragstad: your call to self.config_fixture.config() can be dropped from test_validation btw, it's only resetting the default19:02
lbragstadand we could reference that in the different schemas by doing,
lbragstadfor example?19:02
dolphmraildo: we never set a firm date, but the theory was that it would be this week
dstaneklbragstad: no, because that is still import time19:03
dolphmraildo: neutron had a firm date of July 20th based on that wiki, and has enforced it19:03
bknudsonI'm looking at this issue with revocation events...19:05
raildodolphm: ok, I'm a little concerned with the approval of the spec on hierarchical multi-tenancy due to this deadline.19:05
lbragstaddstanek: gotcha19:05
bknudsonit looks like if you revoke a scoped token created from an unscoped token then the unscoped token is revoked19:05
bknudsonwhich I think breaks horizon, since it uses an unscoped token19:06
raildodolphm: There will be some activity in the next days to review the specs with more intensity?19:06
bknudsonof course it depends on your database returning timestamps in milliseconds or something...19:06
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions
dolphmraildo: i'd like to have a feature branch for hierarchical multitenancy, so we can make it easy for people to spin up devstack with it enabled19:07
hrybacki_jamielenz: !!!19:07
bknudsonit looks like it's just a fundamental issue with revocation events19:07
dolphmraildo: don't be too worried about spec approval deadline, though. i think it's fine to see specs evolve in parallel with the implementation, especially for something as impactful as hierarchical multitenancy19:08
bknudsonsince it doesn't revoke by token id19:08
lbragstaddstanek: well, we could do it without the CONF option19:09
raildodolphm: For now that the spec is not approved, we're keeping the code as WIP.
dolphmraildo: ++19:10
openstackgerritayoung proposed a change to openstack/keystone: Remote Debugging for HTTPD
raildodolphm: I'll put the code in a devstack installation and create a small tutorial.19:12
dolphmbknudson: that should depend on how the scoped token was revoked19:12
dolphmbknudson: (what caused it to be revoked?)19:13
bknudsondolphm: DELETE the scoped token19:13
dolphmbknudson: then the revocation event should contain the scope, which means it wouldn't match the unscoped token19:13
bknudsonthat makes sense... wonder why it doesn't work that way.19:14
dstaneklbragstad: i'm not at all happy with this, but you can see where my mind is headed
dolphmbknudson: when you delete a specific token, the revocation event should contain as much descriptive information about that token as possible, to avoid impacting other tokens19:14
bknudsonwould essentially be "_revoke_by_user_and_project"19:14
*** cjellick has quit IRC19:14
dolphmbknudson: precise issued_at, for example19:14
bknudsonoh, and revoke by user and project and issued_at.19:14
dolphmdstanek: ++ i went down the same road ;)19:15
lbragstaddstanek: gotcha, making sense19:15
bknudsonthere isn't an example of that in the RevokeTreeTests... I'll see if I can add one.19:16
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.
lbragstaddstanek: and do you plan on keeping parameter_types.id_string a dictionary or a method?19:16
dolphmbknudson: we had an example of that in the summit session etherpad when we accounted for the DELETE token use case19:16
lbragstaddstanek: nevermind, answered my own question19:17
dstanekit would have to be a function so that the execution is deferred19:17
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke tokens under the same domain
*** rwsu has quit IRC19:18
dstaneklbragstad: i think i'm going to spend a little time right now playing with jsd19:19
dolphmlbragstad: how is that related (or not) to jsonschema?19:20
dolphmlbragstad: is it a javascript lib?19:21
lbragstaddolphm: jsd?19:21
dolphmlbragstad: yes19:22
lbragstaddolphm: no, it's something dstanek came up with
dstanekdolphm: yeah, it's a little hack that i started19:23
bknudsonrevoke_token doesn't use the scope, only user and expires_at.19:23
dolphmdstanek: are you building a jsonschema definition lib? lol19:23
bknudsonthe revoke api doesn't provide a function to revoke by user, expiration time, and scope...19:24
bknudsonso that probably needs to be added.19:24
dolphmdstanek: if you do, you should totally call it Mage because it's the opposite of
dstanekdolphm: sorta - after talking over my ideas at the barbican hackathon i challenged myself to see what an implementation would look like19:25
dstaneki showed juan what i thought the federation schema should look like declaratively and then built enough support to make it work19:26
lbragstaddstanek: the part is going to be replacing, right?19:30
dolphmlbragstad: dstanek: bumped api validation to j3 since we don't have enough in to start adding resource validation today19:31
lbragstaddolphm: makes sense19:31
dolphmrussellb: ready to tag keystone juno-2 anytime19:31
dstaneklbragstad: i was thinking that it would just use the lib in there instead19:31
*** rwsu has joined #openstack-keystone19:32
dolphmrussellb: master is at 686597b52a7b64161ca82e468a401efe22553a2219:32
dstaneklbragstad: i'll work up an example19:32
lbragstaddstanek: ok, is there anything you want me to start cleaning up19:32
dstaneklbragstad: not specifically - are there more unaddressed comments on the reviews?19:33
lbragstadin assignment validation, no19:33
*** fausto has joined #openstack-keystone19:33
lbragstadI can break the rest of the validation series out of dependency19:34
lbragstadand purpose them19:34
dstaneklbragstad: ah, right. that would be a good idea19:34
lbragstaddstanek: ok,19:35
russellbdolphm: perfect, thanks!19:36
russellbdolphm: want that hash specifically, or whatever HEAD is when i do it within the next hour or 2?19:36
* russellb will assume the hash unless i hear otherwise19:40
russellbbased on the gate queue (no keystone patches), that will likely still be HEAD anyway19:40
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on the Catalog V3 resources
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3
*** zzzeek has joined #openstack-keystone19:52
zzzeekdstanek: can you tell me, on that fedora VM, what the output of “rpm -qa | grep xml” is ?19:52
zzzeekdstanek: the comparison feature here is using c14n so, my first hunch is a libxml issue19:53
dstanekzzzeek: i deleted it, but it'll only take a few minutes to recreate19:53
zzzeekdstanek: hrm OK19:53
zzzeekdstanek: on my end, the error is non-deterministic19:54
zzzeekdstanek: meaning once in awhile it succeeds19:54
zzzeekdstanek: seems like the canonical form is not working as expected and I am seeing issues here specifically due to dictionary ordering19:54
dstanekzzzeek: it's building now19:57
openstackgerritLance Bragstad proposed a change to openstack/keystone: Make BaseValidationTestCase
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Trust V3 API
bknudsonzzzeek: you might have some idea about this... it looks like the timestamps returned by mysql are only accurate to the second, whereas for sqlite and DB2 they're accurate to a microsecond.19:59
zzzeekdstanek: this test is wrong.  the canonicalization does *not* order nodes the way it is expecting:
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Policy V3 API
zzzeekbknudson: three things can be getting in the way: mysql version, datatype declared in MySQL, missing features in mysql-python20:02
bknudsonzzzeek: ok. I'll look into it more.20:02
*** hrybacki_ has quit IRC20:03
lbragstaddstanek: ok, that *should* be all the validation patches, just not dependent on each other20:03
bknudsonzzzeek: if it's the mysql version then there's nothing we could do about it?20:04
zzzeekbknudson: im not up to speed on microsecond support in MySQL, I know its out there but you need to gather the current facts20:05
bknudsonzzzeek: ok.20:05
zzzeekbknudson: but overall, if you’re ordering by timestamp, I’d point out that sometimes two events can actually be logged in the same microsecond in any case :)20:05
bknudsonzzzeek: there seems to be something fishy going on here... 2 timestamps are being compared... one is in the token and one is in the revocation event (they have to be the same)20:06
zzzeekbknudson: risky20:07
bknudsonI think the token timestamp is actually stored as a JSON blob so isn't coming from the DB20:07
bknudsonbut the revocation event timestamp is a sql.Column(sql.DateTime())20:07
zzzeekbknudson: unless said timestamp is copied from a single source of time20:07
bknudsony, I think the source for the revocation event timestamp (stored in the database) is the timestamp in the token20:08
bknudsonso I think it's generally safe, but mysql is truncating20:08
bknudson"MySQL 5.6.4 and up expands fractional seconds support for TIME, DATETIME, and TIMESTAMP values"20:09
bknudsonmaybe we could store the timestamp as a string.20:09
*** ukalifon1 has quit IRC20:09
bknudsonoh, and looks like you also have to "CREATE TABLE t1 (t TIME(3), dt DATETIME(6));" since the default is no fractional part.20:11
nkinderI have some questions about the trust re-delegation work20:12
nkinderThe spec seems to cover the ability to create a new trust using a trust token.20:12
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Hierarchical Projects
nkinderI wrote a unit test last week to test something similar around obtaining trust tokens (not creation of a trust)20:14
nkinderWhat I'm testing is that A creates a trust for B, and B creates a trust for C20:15
nkinderC then gets a trust token to impersonate B20:15
nkinderThen using that trust token that impersonates B, the test attempts to get the trust token for A20:15
nkinderThis is rejected (as it should be IMHO).20:15
nkinderThe re-delegation spec seems to be more concerned with trust creation.  Is the behavior I'm testing expected to change once re-delegation is implemented?20:17
nkinderstevemar, dolphm, ayoung: ^^^ you may have input since you all reviewed the re-delegation spec20:18
ayoungnkinder, I coded in the automatic rejection for trust token used to create trust20:18
*** hrybacki_ has joined #openstack-keystone20:19
ayoungthat was a CVE fix late last cycle IIRC20:19
nkinderayoung: I'm not talking about trust creation20:20
nkinderI'm talking about executing a trust20:20
nkinderA creates a trust for B20:20
nkinderB creates a trust for C20:20
nkinderThat is all fine20:20
nkinderC uses a trust to impersonate B, then uses that trust token to attempt to execute the trust for A20:20
ayoungnkinder, using a trust token to get a trust token?20:20
nkinderayoung: yes20:21
ayoungI think that was ruled out in the original impl20:21
nkinderayoung: we don't test that now, so it's a unit test gap I'm filling20:21
nkinderayoung: yeah, which makes sense.  We should have unit tests for it to check for regressions though20:21
nkinderayoung: I just want to be sure redelegation doesn't plan to change that behavior20:21
hrybacki_Zuul has 287 jobs in the queue... That's three times higher than I've ever seen it before. Is this abnormal?20:22
*** hrybacki_ is now known as hrybacki20:23
dolphmhrybacki_: everyone is trying to hit the juno-2 deadline today20:23
zzzeekdstanek: got the whole thing documented:
uvirtbotLaunchpad bug 1347891 in keystone "mis-use of XML canonicalization in keystone tests" [Undecided,New]20:23
*** gokrokve has quit IRC20:23
ayoungnkinder, talk to  shardy to see what he needs.  I don't think that was in the Heat use cases20:24
dstanekzzzeek: excellent thanks - i wonder why it works on my vm20:24
zzzeekdstanek: my 99.99% guess is dictionary ordering.  but actually i haven't confirmed that20:24
bknudsonI think there's a proposal to add xml matching to testtools.20:24
zzzeekdstanek: i get different ordering if i run that test under py.test vs. tox vs. testr standalone20:25
zzzeekdstanek: only Python dictionaries / sets do that :)20:25
*** radez is now known as radez_g0n320:25
dstanekzzzeek: to answer your earlier question:
nkinderayoung: I'll submit my tests as a patch.  It seems separate from what shardy is proposing.20:25
zzzeekdstanek: yeah thats what i have too20:25
bknudsondoesn't python have native support for xml?20:28
dstanekzzzeek: hmmm...shouldn't the c14n method order the elements in the doc?20:29
dstanekbknudson: depending on the version20:29
zzzeekdstanek: i tested it and it does not.  its in the ticket20:29
zzzeekdstanek: read the spec and didn’t see this behavior referred to either: but then again its a spec, highly verbose20:29
zzzeekdstanek: that’s lxml run on my mac and also the fedora VM, same behavior20:30
zzzeekdstanek: whats the output of this script for you?
zzzeekdstanek: if it reorders the two nodes there, then theres an xml issue20:31
*** rwsu has quit IRC20:32
dstanekon my mac it's false20:32
zzzeekdstanek: yeah its not ordering those nodes20:33
dstanekzzzeek: this is weird because this hasn't failed in years20:34
dstaneksomething feels off20:34
zzzeekdstanek: that section 2.2 might be talking just about the namespace and the attributes20:34
zzzeekdstanek: dictionary ordering issues can take years to pop up :)20:35
zzzeekdstanek: OK well, the part i haven't looked at is, why is the test receiving XML from the source that doesn't match20:35
-openstackstatus- NOTICE: nodepool is unable to build test nodes so check and gate tests are delayed20:40
*** ChanServ changes topic to "nodepool is unable to build test nodes so check and gate tests are delayed"20:40
dstanekzzzeek: ha, this was added in 2013 in 167a8b7a20:41
*** gokrokve has joined #openstack-keystone20:41
zzzeekdstanek: yeah i have no idea how to find where this XML comes from w/o learning the whole app’s web service routing20:43
dstanekzzzeek: yeah the reason this works for me is that the XML from the service already matches the expected XML20:45
dstanekzzzeek: when i reorder the expected XML it all breaks20:45
dstanekzzzeek: i'll work on a fix20:45
zzzeekdstanek: w00p thanks20:46
dstanekzzzeek: np, i'll get to it right after dinner20:46
zzzeekdstanek: no rush on my end :)20:47
*** stevemar has quit IRC20:53
*** topol has quit IRC20:54
*** topol has joined #openstack-keystone20:55
*** gokrokve has quit IRC20:56
openstackgerritNathan Kinder proposed a change to openstack/keystone: Trust unit tests should target additional threat scenarios
openstackgerritNathan Kinder proposed a change to openstack/keystone: Trust unit tests should target additional threat scenarios
*** gokrokve has joined #openstack-keystone21:10
*** marcoemorais has quit IRC21:14
*** flwang has joined #openstack-keystone21:16
flwangbknudson: ping21:16
*** marcoemorais has joined #openstack-keystone21:16
bknudsonflwang: what's up?21:16
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add a test for revoking a scoped token from an unscoped
*** fausto has quit IRC21:28
*** browne has quit IRC21:32
*** gokrokve has quit IRC21:46
*** joesavak has quit IRC21:46
*** gokrokve has joined #openstack-keystone21:47
vishymorganfainberg: we are suddenly getting certificate validation failures with self signed certs using keystone client 0.1021:47
vishyanyone else here seen that?21:48
vishyworks fine with 0.921:48
*** gordc has quit IRC21:51
*** gokrokve has quit IRC21:52
*** gokrokve has joined #openstack-keystone21:53
nkindervishy: jamielennox should have some ideas about what might be causing that (I'd expect him to show up here sometime soon given his timezone)21:53
openstackgerritguang-yee proposed a change to openstack/keystone-specs: X.509 SSL certificate authentication
nkinderayoung: I have some (potentially crazy) ideas around trusts...21:58
* ayoung runs in panic21:59
nkinderayoung: you like crazy though, right? :)21:59
ayoungnkinder, I am one Acquainted with the Night.21:59
nkinderayoung: today, any service you give your token to can create a trust to delegate your roles to itself22:00
ayoungthat is true22:00
nkinderayoung: this is done without the user's consent22:00
ayoungthey consented when they gave away their token.22:00
nkinderayoung: yeah, they are kind of forced to give consent (which sucks)22:00
ayoungI've been trying to get away from that for a long time.  Creating trusts with unscoped tokens only makes sense to me22:01
nkinderayoung: once the whole unscoped token thing behaves as it should, we could say that an unscoped token only can be used to create a trust22:01
ayoungBeat you to it22:01
nkinderok, but there's a problem there too22:01
ayoungNo problems, only opportunities22:01
nkinderthe user never gives their unscoped token to the other service, and the other service knows what needs to be delegated (in theory)22:02
*** topol has quit IRC22:02
nkinderayoung: what about a two-phase approach22:02
nkinderthe service creates a trust request, but the user has to approve/enable it22:02
nkinderenabling is only allowed with the unscoped token22:02
ayoungnkinder, policy.  If all of the policy files are in one place, the user can know apriori what they need to delegate to perform an action22:02
nkinderthe user still needs to be told what is needed in that case though22:03
ayoungI'd rather have them pre-canned22:03
ayoung"use the create VM trust template"22:03
nkinderayoung: we should talk with shardy about some of these ideas22:03
ayoungnkinder, simo would state that users will just click through whatever they are presented with22:04
ayoungas they do now...22:04
ayounglets not give them the ability to sign their rights away22:04
ayoungif the service is hacked, or something, lets not let the service define new trusts22:04
nkinderayoung: that's true, but I would want to restrict a service to have to use the users token to create the unapproved trust22:04
*** lbragsta_ has joined #openstack-keystone22:05
ayoungthe templates for trusts are going to be fairly static, and should be reviewable prior to execution22:05
nkinderayoung: so your token that it uses today to create a trust would be used the same way, but the created trust would not be approved (and couldn't contain roles/projects that are not in that token it holds)22:05
nkinderayoung: so a service can't just go off saying "delegate admin to me" without an admin token in the first place22:06
-openstackstatus- NOTICE: zuul is working through a backlog of jobs due to an earlier problem with nodepool22:06
*** ChanServ changes topic to "zuul is working through a backlog of jobs due to an earlier problem with nodepool"22:06
ayoung" I would want to restrict a service to have to use the users token to create the unapproved trust"22:06
ayounglet me chew that over22:07
flwangayoung: may I get your opinion about the mail I sent 'more granular role management'?22:07
*** lbragstad has quit IRC22:08
ayoungflwang, assume I know nothing about Amazon.22:08
vishynkinder: ah looks like 0.10 is ignoring OS_CA_CERT22:09
*** lbragsta_ has quit IRC22:09
vishyer OS_CACERT22:09
flwangayoung: the link I posted is a GUI like22:09
flwangI just wanna know do we want to support a role management to manage the function and resource22:10
*** shakamunyi has joined #openstack-keystone22:10
ayoungflwang, Keystone's own RBAC enforcement has the concept of "fetch the object from the database before you apply the rule"  but that is not standard across all openstack services.  I would like it to be22:11
morganfainbergvishy, not sure why that would have changed.22:12
flwangyep, we are using 'policy' which distributed in projects to manage the 'function' level22:12
morganfainbergvishy, let me see if i can figure it out.22:12
morganfainbergvishy, oh ignoring OS_CACERT ah. ok22:12
flwangayoung: but seems we still can't manage the 'resource' level for role22:12
ayoungflwang, I'm sorry, I don't understand what you mean22:14
*** shakamunyi has quit IRC22:15
ayoungflwang, Roles are a global list, assigned to functions by policy.  The Role required is not going to vary based on the object out of the database.22:15
flwangayoung: for example, I'd like to create a role which can only do 'nova delete'(function/rest api level) of  'compute service'(service level) for 'ip:' (resource level)22:16
ayoungflwang, nope22:16
ayoungflwang, is 'ip:' (resource level) the actual VM you are trying to delete?22:17
vishymorganfainberg: lol22:17
vishy$ git grep load_from_cli_options22:17
vishykeystoneclient/    def load_from_cli_options(cls, args, **kwargs):22:17
vishykeystoneclient/tests/        return client_session.Session.load_from_cli_options(args, **kwargs)22:17
vishyit is never called22:17
flwangayoung: it's a resource I want to manage22:17
ayoungflwang, what does that mean?22:18
morganfainbergvishy, yeah a few minutes behind you on that *just got back*22:18
ayoungresource as in a virtual machine?22:18
flwanglet's think a bigger scenario22:18
ayounglets define your terms....22:18
morganfainbergvishy, ok i think we can get that fixed ... uhm... *eye gate* soon™22:18
ayoungwhat do you mean by resource?22:18
ayoungflwang, do you mean the object that the api is operating on?22:19
flwang'resource' sounds like a nova instance, glance images, cinder volume, a network, etc22:19
ayoungOK, so no. we are not planning on defining different roles for different objects22:19
flwangbut not all the objects under the tenant22:19
ayoungflwang, sounds like you want a way to distinguish between to objects in the same project.22:20
ayoungtwo objects22:20
flwangkind of22:20
flwangactually, we got the requirements from our customer22:20
ayoungflwang, I would not say "different roles" for objects, but some other way to differentiate them.  Owner is the obvious one.  There is also the hierarchical multitenancy proposal which could potentially help22:21
flwangfor example, there is a project for the customer, and they created different resource, VM, images, volumes, networks, but those resource should be managed by different teams22:21
ayoungno, I get it22:22
ayoungI'm just saying there is no plan to support that22:22
ayoungI wouldn't make it object level roles, though22:22
flwangi see, but you mean we should user different owners to workaround it, right?22:22
vishymorganfainberg: i have no idea where the session object is actually created22:23
vishyso i’m a bit confused22:23
ayoungKeystone is never going to be responsible for individual objects, so storing RBAC per object in Keystone does not make sense22:23
ayoungflwang, I don't have a solution for you.  We had a rule that worked for trusts...I'll post a link22:23
morganfainbergvishy, i think it's all in keystoneclient/client.py22:24
vishyalso the options are registered twice22:24
vishywhich is extra fun22:24
ayoungthat checks that the user_id of the caller matches the trust.trustor_user_id  for the trust they are trying to create22:24
morganfainbergvishy, i see that, but that shouldn't matter with the suppress22:25
vishyno i mean22:25
vishyget_base_parser is called two times22:25
morganfainbergvishy, right, and it shouldn't really matter iirc22:25
ayoungflwang, you could put any attribute on the object, and it would have to match the user.  You need some attribute on the object to match22:26
flwangayoung: sounds like tag the object, and match it with the expected user, is it?22:27
ayoungflwang, it could match the role,even22:27
ayoungbut you have to have some way of decorating the object.22:27
flwanggot it, I will take a look22:27
flwangayoung: thank you so much for your patience22:27
ayoungflwang, its kindof like SELinux labels now that I think about it22:27
ayoungand...its a really good idea.  flwang it might be something we could generalize22:28
ayoungI need to think about it....22:28
flwangayoung: good to know22:29
morganfainbergvishy, the load_from_cli_opts shouldn't matter22:29
*** ayoung is now known as ayoung-aft22:29
*** dims has quit IRC22:29
morganfainbergvishy, main gets the base parser that then loads the options: which then uses the args:22:30
morganfainbergfor unauth, and for auth:
morganfainbergvishy, maybe the re-register is horking things up? *continues to look*22:30
*** dims has joined #openstack-keystone22:33
*** shakamunyi has joined #openstack-keystone22:34
morganfainbergjamielenz, ping, you around?22:34
*** thedodd has quit IRC22:38
*** hrybacki has quit IRC22:42
*** henrynash has joined #openstack-keystone22:42
*** dims has quit IRC22:43
vishymorganfainberg: lol figured it out22:44
morganfainbergvishy, what is it?22:44
morganfainbergactually, i have a thought, but might be off.22:44
morganfainbergstrike that, just disproved my theory, but i see where it *should* be passed through22:45
openstackgerritVish Ishaya proposed a change to openstack/python-keystoneclient: Reorder the old compatibility arguments
vishymorganfainberg: ^^22:51
*** griff has joined #openstack-keystone22:51
vishymorganfainberg: i could probably do it by specifying the default values in the suppressed versions as well22:52
vishybut this is the way the old code did it so seemed safer22:52
vishymorganfainberg: you probably want to push out a 0.10.1 once that merges22:52
morganfainbergright because os-cacert evaluates to the same target as os_cacert, which the first one wins the definition22:52
morganfainbergvishy, ++ yeah22:53
morganfainbergdolphm, ^^22:53
vishyah right dolphm has that responsibility22:53
morganfainbergvishy, yep22:53
morganfainbergvishy, i'll keep an eye on that patch22:54
*** bknudson has quit IRC23:02
nkindermorganfainberg: should we try to get this into 0.10.1 too?
nkindermorganfainberg: I just rebased it and addressed the issue gyee pointed out.23:03
nkindermorganfainberg: just working on ensuring we have enough unit test coverage before proposing a new patch23:04
morganfainbergif we can get that in, great23:04
morganfainbergno not for 0.10.123:04
morganfainbergfor 0.11 i'd say23:04
nkindermorganfainberg: questions about running python-keystoneclient unit tests are likely forthcoming...23:04
nkindermorganfainberg: that's fine.  The other issue is a regression, hence more important23:04
morganfainbergif we land that, we could release 0.11 instead of 0.10.123:04
gyeenkinder, k, will take another look23:07
nkindergyee: not ready yet...23:07
gyeemorganfainberg, ++ 0.1123:07
nkindergyee: I'm assuming you were referring to the lack of tests for password update operations?23:07
gyeenkinder, right23:07
nkindergyee: auth seems like it's covered23:08
nkindergyee: cool, adding tests now23:08
*** david-lyle has quit IRC23:14
jamielenzhow the hell did i become jamielenz?23:20
*** jamielenz is now known as jamielennox23:20
jamielennoxmorganfainberg, vishy: anything i can help with23:21
morganfainbergjamielennox, ^
morganfainbergjamielennox, looks like the arguments (compat) being registered first broke the env defaults23:22
vishyjamielennox: figured it out but good to know for the future23:22
morganfainbergjamielennox, since the re-register didn't pickup the new default settings23:22
morganfainbergvishy, ++23:22
jamielennoxoh, that's weird - wonder why that matters23:23
*** packet has quit IRC23:36
*** dims has joined #openstack-keystone23:38
*** dims has quit IRC23:43
*** gokrokve has quit IRC23:51
morganfainbergugh. we issue a hacky token on password change in the OS-KSCRUD/users/{user_id} extensions23:52
morganfainbergwe're doing it very wrong23:52
*** shakamunyi has quit IRC23:56
openstackgerritNathan Kinder proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data