Wednesday, 2014-07-30

ayoung	jamielennox, no, but even removing the session from that call breaks	00:04
jamielennox	i was just surprised they done that	00:04
*** gabriel-bezerra has quit IRC		00:04
jamielennox	i had some WIP stuff that i had held off on cause there was a lot of tests changes	00:05
jamielennox	nope - no need for that nonsense	00:05
*** gabriel-bezerra has joined #openstack-keystone		00:05
ayoung	jamielennox, for v3, how do we set domain for the project?	00:07
ayoung	Its close to working for V3, just the token request does not put a domain in there	00:07
ayoung	RESP BODY: {"error": {"message": "Expecting to find domain in project. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}	00:07
jamielennox	user domain, or scope to a domain	00:09
ayoung	yeah, Its all there. I'm Ok. Just need to dig through it.	00:11
*** ayoung has quit IRC		00:16
*** gokrokve has quit IRC		00:21
*** gokrokve has joined #openstack-keystone		00:21
*** gokrokve has quit IRC		00:25
openstackgerrit	A change was merged to openstack/keystone: Update middleware that was moved to keystonemiddleware https://review.openstack.org/106478	00:37
openstackgerrit	A change was merged to openstack/keystone: Check url is in the 'self' link in list responses https://review.openstack.org/109290	00:37
*** mitz has quit IRC		00:43
*** mitz has joined #openstack-keystone		00:48
*** amcrn has quit IRC		00:52
*** dhellmann is now known as dhellmann_		00:53
openstackgerrit	Angus Lees proposed a change to openstack/keystone: Issue multiple SQL statements in separate engine.execute() calls https://review.openstack.org/110512	00:53
*** zzzeek has quit IRC		00:56
*** diegows has quit IRC		00:57
*** mitz has quit IRC		01:00
*** mitz has joined #openstack-keystone		01:03
*** mitz has quit IRC		01:04
*** mitz has joined #openstack-keystone		01:06
*** griff is now known as jgriffith		01:11
*** mitz has quit IRC		01:17
*** rwsu has quit IRC		01:18
*** mrmoje has quit IRC		01:23
*** marcoemorais has quit IRC		01:27
*** mberlin1 has quit IRC		01:40
*** mberlin has joined #openstack-keystone		01:41
*** xianghui has joined #openstack-keystone		01:49
openstackgerrit	A change was merged to openstack/python-keystoneclient: Add an example of using v3 client with sessions https://review.openstack.org/108839	01:49
*** bknudson has quit IRC		01:59
morganfainberg	dolphm, ping, want to say this is a bug https://review.openstack.org/#/c/103493/6/specs/juno/del-tokens-when-del-ec2-credential.rst not a spec	02:19
*** ayoung has joined #openstack-keystone		02:47
*** harlowja is now known as harlowja_away		02:57
*** gabriel-bezerra has quit IRC		03:00
*** gabriel-bezerra has joined #openstack-keystone		03:01
*** jamielennox is now known as jamielennox\|away		03:05
*** hrybacki has joined #openstack-keystone		03:16
*** hrybacki has quit IRC		03:16
*** morganfainberg is now known as morganfainberg_Z		03:20
*** morganfainberg_Z is now known as morganfainberg		03:22
*** gyee has quit IRC		03:23
*** topol has joined #openstack-keystone		03:32
*** gabriel-bezerra has quit IRC		03:41
*** gabriel-bezerra has joined #openstack-keystone		03:42
*** nkinder_away has quit IRC		04:16
*** nkinder_away has joined #openstack-keystone		04:18
*** gabriel-bezerra has quit IRC		04:27
*** gabriel-bezerra has joined #openstack-keystone		04:28
*** flwang has quit IRC		04:29
*** ajayaa has joined #openstack-keystone		04:56
*** morganfainberg is now known as morganfainberg_Z		04:59
*** topol has quit IRC		05:06
*** jaosorior has joined #openstack-keystone		05:12
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: PoC - Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	05:32
stevemar	marekd\|away, https://review.openstack.org/110542	05:32
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: PoC - Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	05:36
*** gabriel-bezerra has quit IRC		05:38
*** gabriel-bezerra has joined #openstack-keystone		05:39
*** chandankumar has joined #openstack-keystone		05:44
*** tomoiaga has joined #openstack-keystone		05:51
*** jgriffit1 has joined #openstack-keystone		06:01
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/106939	06:04
*** jgriffith has quit IRC		06:05
*** henrynash has joined #openstack-keystone		06:07
*** gabriel-bezerra has quit IRC		06:12
*** gabriel-bezerra has joined #openstack-keystone		06:12
*** fifieldt_ is now known as fifieldt		06:15
*** stevemar has quit IRC		06:15
*** henrynash has quit IRC		06:16
*** fifieldt has quit IRC		06:19
*** YorikSar has quit IRC		06:20
*** YorikSar has joined #openstack-keystone		06:22
*** jgriffit1 is now known as jgriffith		06:24
*** bvandenh has joined #openstack-keystone		06:38
*** ukalifon1 has joined #openstack-keystone		06:38
*** henrynash has joined #openstack-keystone		06:57
*** henrynash has quit IRC		07:08
*** marekd\|away is now known as marekd		07:10
openstackgerrit	A change was merged to openstack/keystone: Updated from global requirements https://review.openstack.org/109002	07:21
*** fifieldt has joined #openstack-keystone		07:23
*** henrynash has joined #openstack-keystone		07:30
*** henrynash has quit IRC		08:12
*** mrmoje has joined #openstack-keystone		08:14
*** henrynash has joined #openstack-keystone		08:14
*** henrynash has quit IRC		08:19
*** YorikSar has quit IRC		08:44
*** YorikSar has joined #openstack-keystone		08:46
*** henrynash has joined #openstack-keystone		08:53
*** henrynash has quit IRC		09:00
*** marzif has joined #openstack-keystone		09:01
*** afazekas has joined #openstack-keystone		09:03
openstackgerrit	Ajaya Agrawal proposed a change to openstack/keystone: Implemented caching in identity layer. https://review.openstack.org/110575	09:06
*** henrynash has joined #openstack-keystone		09:08
*** henrynash has quit IRC		09:08
*** openstackgerrit has quit IRC		09:16
*** openstackgerrit has joined #openstack-keystone		09:17
*** ByteSore_ has joined #openstack-keystone		09:43
*** ajayaa has quit IRC		09:44
*** asmacdo has quit IRC		09:44
*** afaranha has quit IRC		09:44
*** raildo has quit IRC		09:44
*** vhoward has quit IRC		09:44
*** ByteSore has quit IRC		09:44
*** asmacdo has joined #openstack-keystone		09:44
*** vhoward has joined #openstack-keystone		09:44
*** afaranha has joined #openstack-keystone		09:45
*** raildo has joined #openstack-keystone		09:46
*** ajayaa has joined #openstack-keystone		09:59
*** ajayaa has quit IRC		10:12
jaosorior	Does anybody know what the status of this is https://bugs.launchpad.net/keystone/+bug/1211582 ? it's been there for a while O_o	10:38
uvirtbot	Launchpad bug 1211582 in keystone "Filter user list by partial attributes" [Wishlist,New]	10:38
*** ajayaa has joined #openstack-keystone		10:51
*** ajayaa has quit IRC		11:00
*** ajayaa has joined #openstack-keystone		11:01
*** henrynash has joined #openstack-keystone		11:18
*** mitz has joined #openstack-keystone		11:27
*** mitz has quit IRC		11:28
*** mitz has joined #openstack-keystone		11:30
*** mitz has quit IRC		11:31
*** mitz has joined #openstack-keystone		11:33
bjornar	I have a problem with keystone not able to find keystone.contrib.revoke.backends.sql	11:51
*** diegows has joined #openstack-keystone		11:53
bjornar	fixed	11:55
*** xianghui has quit IRC		12:01
ajayaa	ayoung, hi. what does the test "keystone.tests.test_backend_ldap_pool.LdapIdentitySqlAssignment.test_utf8_encoded_is_used_in_pool" deal with?	12:05
openstackgerrit	Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite auth support (service token) https://review.openstack.org/108384	12:06
ayoung	ajayaa, I'd have to look. THat was from the pooling patch that just went in. Your best bet is to find the author of the patch and ask him directly	12:11
ayoung	Use git blame on that file to find the commit hash, and git show to see the author	12:11
*** ayoung is now known as ayoung-afk		12:11
openstackgerrit	Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite auth support (service token) https://review.openstack.org/108384	12:12
ajayaa	arunkant, git blames you for "keystone.tests.test_backend_ldap_pool.LdapIdentitySqlAssignment.test_utf8_encoded_is_used_in_pool"	12:14
*** cjellick has joined #openstack-keystone		12:24
openstackgerrit	Abhishek Kekane proposed a change to openstack/keystone: Keystone service throws error on SIGHUP signal https://review.openstack.org/107482	12:36
*** henrynash has quit IRC		12:47
*** hrybacki has joined #openstack-keystone		12:50
*** bvandenh has quit IRC		13:02
*** gordc has joined #openstack-keystone		13:02
*** joesavak has joined #openstack-keystone		13:08
*** jasondotstar has joined #openstack-keystone		13:09
*** bvandenh has joined #openstack-keystone		13:17
chmouel	i was wondering if pkiz should be added to devstack	13:17
*** lbragstad has joined #openstack-keystone		13:19
*** lbragstad has quit IRC		13:20
*** lbragstad has joined #openstack-keystone		13:20
*** bknudson has joined #openstack-keystone		13:32
*** afazekas has quit IRC		13:35
*** bknudson has quit IRC		13:36
*** jdennis1 has quit IRC		13:43
*** stevemar has joined #openstack-keystone		13:45
*** afazekas has joined #openstack-keystone		13:49
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on the Catalog V3 resources https://review.openstack.org/96266	13:58
openstackgerrit	Harry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions https://review.openstack.org/105031	14:00
*** gabriel-bezerra has quit IRC		14:04
*** gabriel-bezerra has joined #openstack-keystone		14:04
*** htruta has quit IRC		14:06
openstackgerrit	A change was merged to openstack/keystone: KeyError instead of exception.KeyError https://review.openstack.org/110397	14:08
*** henrynash has joined #openstack-keystone		14:15
*** gabriel-bezerra has quit IRC		14:19
*** gabriel-bezerra has joined #openstack-keystone		14:20
*** afazekas has quit IRC		14:20
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Rename contents to template https://review.openstack.org/110658	14:22
openstackgerrit	Alexey Miroshkin proposed a change to openstack/keystone: Add filters to the collections 'self' link https://review.openstack.org/110661	14:26
*** afazekas has joined #openstack-keystone		14:33
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Rename contents to template https://review.openstack.org/110658	14:39
stevemar	dstanek, ping?	14:40
*** bvandenh has quit IRC		14:43
*** gabriel-bezerra has quit IRC		14:45
*** gabriel-bezerra has joined #openstack-keystone		14:45
*** hrybacki has quit IRC		14:46
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Hierarchical Projects https://review.openstack.org/108841	14:48
*** chandankumar_ has joined #openstack-keystone		14:50
*** lbragstad has quit IRC		14:52
*** thedodd has joined #openstack-keystone		14:52
*** lbragstad has joined #openstack-keystone		14:52
stevemar	so many AFK's today	14:52
stevemar	even bknudson is out	14:53
*** chandankumar has quit IRC		14:53
marekd	stevemar: i ma here	14:53
stevemar	marekd, brant is offline, must be recharging	14:54
marekd	stevemar: LOL	14:54
marekd	stevemar: sorry i didn't have time to see your patch, i am finishing the adfs stuff :(	14:54
stevemar	marekd, np	14:54
marekd	BTW, do you know how to split patches?	14:54
stevemar	i believe ayoung had a post about that	14:55
marekd	There is A and B, B depends on A. I need to abandon A.	14:55
marekd	ok i will take a look at it later.	14:55
*** lbragstad has quit IRC		14:57
*** lbragstad has joined #openstack-keystone		14:57
*** rwsu has joined #openstack-keystone		14:58
stevemar	then just abandon A and rebase B on master?	14:58
*** jdennis has joined #openstack-keystone		14:59
marekd	hah, that might even work :-)	14:59
marekd	thanks.	14:59
ajayaa	marekd: you could use git add -p	14:59
marekd	ajayaa: i am always using add -p	15:00
ajayaa	okay. Probably I missed the context. :)	15:01
*** ajayaa has quit IRC		15:04
*** vhoward has left #openstack-keystone		15:09
jaosorior	lbragstad, you around?	15:13
stevemar	henrynash, ping?	15:13
lbragstad	jaosorior: yep	15:14
henrynash	stevemar: hi	15:14
stevemar	henrynash, could you take a very quick look at: https://review.openstack.org/#/c/110658/	15:14
*** david-lyle has joined #openstack-keystone		15:14
henrynash	stevemar: will do	15:14
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Enable filtering of credentials by user ID. https://review.openstack.org/110674	15:14
stevemar	henrynash, I did some work to setup specs.openstack.org/openstack/keystone-specs (to actually publish them)	15:14
*** tomoiaga has quit IRC		15:14
stevemar	but theres no data, i think we just need to push 1 patch through	15:15
henrynash	stevemar: OK!	15:15
jaosorior	cool, well, regarding the bug https://bugs.launchpad.net/keystone/+bug/1350273 , there is already this: https://bugs.launchpad.net/keystone/+bug/1211582 which would help with filtering stuff from the extra attributes in those models, but it's been there for a while and I'm not sure if it	15:16
uvirtbot	Launchpad bug 1350273 in keystone "Filtering services by name doesn't work" [Undecided,New]	15:16
jaosorior	it	15:16
jaosorior	it's actually being worked on	15:16
*** zzzeek has joined #openstack-keystone		15:16
*** afazekas has quit IRC		15:17
openstackgerrit	A change was merged to openstack/keystone-specs: Rename contents to template https://review.openstack.org/110658	15:17
lbragstad	jaosorior: it's been quiet for a while	15:18
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Enable filtering of credentials by user ID. https://review.openstack.org/110674	15:18
henrynash	a quickie spec: https://review.openstack.org/#/c/110674/	15:20
jaosorior	any way to contact eugeniya? I didn't take it over because it didn't seem polite somehow O_o	15:20
navid_	marekd: hi	15:20
*** gokrokve has joined #openstack-keystone		15:20
navid_	marekd: do you have time, questions?	15:21
jaosorior	lbragstad: But before that, I think it would actually make sense to add that field to the sql model, and make a migration	15:21
*** david-lyle has quit IRC		15:22
*** henrynash has quit IRC		15:22
*** david-lyle has joined #openstack-keystone		15:23
marekd	navid_: hey!	15:24
marekd	navid_: what's up?	15:24
*** vhoward has joined #openstack-keystone		15:24
*** henrynash has joined #openstack-keystone		15:25
*** henrynash has quit IRC		15:25
navid_	marekd: I wanted to know from the resources you send me, the service provider that you were helping to setup, is in what stage.	15:25
marekd	navid_: that day Carlos set up Identity Provider, not Service Provider.	15:25
marekd	i have SPs for a long time :-)	15:26
navid_	I know , I thought you are working on the service provider	15:26
marekd	navid_: what do you mean?	15:26
marekd	i need both	15:26
lbragstad	jaosorior: morganfainberg_Z might have an opinion on this come to think of it	15:26
stevemar	yay http://specs.openstack.org/openstack/keystone-specs/doc/build/html/	15:26
navid_	marekd: Farhan asked me that, give me couple of minutes.	15:27
marekd	navid_: ah i think what you are asking about....so I didn't configure that SP that was meant to be configured with IdP@UTSA.	15:28
marekd	is it what you are asaking about?	15:28
*** bknudson has joined #openstack-keystone		15:28
*** gyee has joined #openstack-keystone		15:28
*** tomoiaga has joined #openstack-keystone		15:29
*** tomoiaga has quit IRC		15:32
*** Farhan has joined #openstack-keystone		15:33
*** ukalifon1 has quit IRC		15:36
*** chandankumar_ has quit IRC		15:45
*** mrmoje has quit IRC		15:47
*** gyee has quit IRC		15:51
*** gokrokve_ has joined #openstack-keystone		15:51
*** gokrokve has quit IRC		15:55
*** gokrokve_ has quit IRC		15:55
*** marcoemorais has joined #openstack-keystone		16:00
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Hierarchical Projects https://review.openstack.org/108841	16:02
*** hrybacki has joined #openstack-keystone		16:07
dstanek	dolphm: ping	16:12
*** thedodd has quit IRC		16:17
*** thedodd has joined #openstack-keystone		16:19
*** jasondotstar has quit IRC		16:22
openstackgerrit	David Chadwick proposed a change to openstack/keystone-specs: Specification for IETF ABFAB federation https://review.openstack.org/108631	16:24
openstackgerrit	Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite auth support (service token) https://review.openstack.org/108384	16:33
*** marcoemorais has quit IRC		16:34
*** marcoemorais has joined #openstack-keystone		16:35
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Make BaseValidationTestCase https://review.openstack.org/109098	16:35
*** marcoemorais has quit IRC		16:35
*** marcoemorais has joined #openstack-keystone		16:35
*** marcoemorais has quit IRC		16:35
*** marcoemorais has joined #openstack-keystone		16:36
*** marcoemorais1 has joined #openstack-keystone		16:36
*** marcoemorais1 has quit IRC		16:37
*** marcoemorais1 has joined #openstack-keystone		16:37
*** marcoemorais1 has quit IRC		16:37
*** marcoemorais1 has joined #openstack-keystone		16:37
*** jasondotstar has joined #openstack-keystone		16:40
*** marcoemorais has quit IRC		16:40
*** jasondotstar has quit IRC		16:40
*** gokrokve has joined #openstack-keystone		16:40
*** jasondotstar has joined #openstack-keystone		16:41
*** jasondotstar has quit IRC		16:41
*** rodrigods has quit IRC		16:43
*** jasondotstar has joined #openstack-keystone		16:43
*** joesavak has quit IRC		16:44
*** rodrigods has joined #openstack-keystone		16:47
*** rodrigods has joined #openstack-keystone		16:47
*** rodrigods has quit IRC		16:47
*** peluse_ has quit IRC		16:55
*** rodrigods has joined #openstack-keystone		16:56
*** rodrigods has joined #openstack-keystone		16:56
*** hrybacki has quit IRC		17:00
*** marcoemorais1 has quit IRC		17:00
*** marcoemorais has joined #openstack-keystone		17:01
*** henrynash has joined #openstack-keystone		17:01
*** marcoemorais has quit IRC		17:02
*** marcoemorais has joined #openstack-keystone		17:03
henrynash	dolphm, ayoung: a micro-spec I’d like to get into Juno-3: https://review.openstack.org/#/c/110674/	17:05
dolphm	henrynash: looking	17:05
*** markwash has quit IRC		17:08
*** morganfainberg_Z is now known as morganfainberg		17:09
morganfainberg	chmouel, pkiz added to devstack? the default right now is to use pkiz in devstack	17:10
chmouel	morganfainberg: ah i guess that because of my config, thanks!	17:10
morganfainberg	chmouel, sure thing	17:10
*** hrybacki has joined #openstack-keystone		17:12
hrybacki	ayoung-afk: https://review.openstack.org/#/c/105031/ is good to go	17:13
hrybacki	jamielennox\|away: ^^	17:13
*** bvandenh has joined #openstack-keystone		17:14
*** jasondotstar is now known as jasondotstar\|afk		17:26
*** david-lyle has quit IRC		17:30
*** david-lyle has joined #openstack-keystone		17:30
*** gabriel-bezerra has quit IRC		17:30
*** gabriel-bezerra has joined #openstack-keystone		17:31
openstackgerrit	Raildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy https://review.openstack.org/101017	17:32
openstackgerrit	Harry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions https://review.openstack.org/105031	17:33
*** david-lyle has quit IRC		17:35
openstackgerrit	A change was merged to openstack/keystone: Use config fixture from oslo.config https://review.openstack.org/103254	17:35
*** david-lyle has joined #openstack-keystone		17:36
raildo	morganfainberg: dolphm henrynash I created a vm with the hierarchical multitenancy code . If you want to test just run the command: ssh stack@ssh.cloud.lsd.ufcg.edu.br -p 10022	17:36
raildo	password: stack	17:36
raildo	and you can see the API here: https://wiki.openstack.org/wiki/HierarchicalMultitenancy_API	17:37
morganfainberg	raildo, FYI, i wouldn't put passwords in an open IRC channel (at least not for anything that'll last longer than a few minutes)	17:37
morganfainberg	raildo, this channel is logged as well btw.	17:37
raildo	morganfainberg: sorry	17:37
morganfainberg	raildo, i'm just worreid someone will do something malicious (not us here, someone else) with that VM	17:38
morganfainberg	raildo, no need to apologize	17:38
raildo	But as this password is only access to this VM, we have no problem,	17:38
*** chandankumar_ has joined #openstack-keystone		17:38
raildo	I plan to remove it later	17:39
raildo	but thanks for the tip :)	17:39
morganfainberg	raildo, right, but someone could use it to spam, or attempt hacking some other site, proxy, etc	17:39
morganfainberg	raildo, np. as long as you don't leave it running too long, should be fine	17:39
raildo	ok	17:39
*** harlowja_away is now known as harlowja		17:40
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Set default token provider to UUID https://review.openstack.org/110488	17:41
*** markwash has joined #openstack-keystone		17:42
*** ajayaa has joined #openstack-keystone		17:43
ajayaa	morganfainberg, hi!	17:44
*** packet has joined #openstack-keystone		17:44
*** ajayaa has quit IRC		17:48
*** morganfainberg is now known as morganfainberg_Z		17:51
*** gabriel-bezerra has quit IRC		18:00
*** gabriel-bezerra has joined #openstack-keystone		18:01
*** packet has quit IRC		18:01
*** gyee has joined #openstack-keystone		18:04
*** gyee has quit IRC		18:05
*** gyee has joined #openstack-keystone		18:05
*** packet has joined #openstack-keystone		18:06
*** ayoung-afk is now known as ayoung		18:09
ayoung	dolphm, OK, squabbling aside, what is the plan for PKI tokens? Are we just going to disable them, or are we going to get rid of them?	18:09
ayoung	there are two issues we know about right now. The first is Horizon, and the second is the increase in request size. Are either of those insurmountable?	18:12
*** bvandenh has quit IRC		18:13
*** gyee has quit IRC		18:18
*** gyee has joined #openstack-keystone		18:19
*** joesavak has joined #openstack-keystone		18:20
*** jsavak has joined #openstack-keystone		18:22
*** joesavak has quit IRC		18:26
*** bvandenh has joined #openstack-keystone		18:28
stevemar	ayoung, i don't think they are going away any time soon	18:29
*** jsavak has quit IRC		18:29
ayoung	stevemar, we went from discussing it to a patch submitted to turn off PKI tokens. Without them enabled, we would never have discovered the problems with them in the first place	18:31
ayoung	stevemar, the Horizon thing got me thinking.	18:32
ayoung	The only way to make it palatable for Horizon to use PKI tokens is memcached	18:32
*** jasondotstar\|afk is now known as jasondotstar		18:33
ayoung	and the only thing that made UUID tokens palatable was memcached	18:33
ayoung	For some reason it is "optional" in Horizon, but required in All of the other services that use auth-token middleware	18:33
*** chandankumar_ has quit IRC		18:33
ayoung	without memcached, there would be a clear advantage to PKI tokens, but with it, the advantage is sortof on the side of UUID tokens. However, I still think that PKI tokens were required to solve usse cases that UUID tokens ignored, like revocations	18:34
ayoung	UUID tokens were cached in memcached, so if they were revoked, the service would never find out	18:35
ayoung	we also have the fact that none of the clients ever cached tokens, and always requested new ones, which means that caching UUID tokens was really kindof wasteful for anything but commo with Horizon	18:35
ayoung	or complex scripting not going through the clients	18:36
ayoung	stevemar, I'm just not sure it is that clean cut a case for or against	18:36
stevemar	ayoung, for the record, i like PKI, and i like the advantages it provides (one less round trip)	18:37
ayoung	stevemar, if Horizon were a single page app, and all calls went from the browser to the services, most of the issues would go away	18:37
*** marcoemorais has quit IRC		18:37
stevemar	i'm not a fan of the usability (longggg token), but that's more or less hidden from the user	18:37
ayoung	stevemar, drop the catalog from the token and the size shrinks, but I don't think even a catalog-less token would be much below 1K	18:38
*** marcoemorais has joined #openstack-keystone		18:38
*** marcoemorais has quit IRC		18:38
*** marcoemorais has joined #openstack-keystone		18:39
gyee	ayoung, you ain't got nothin on the "size" argument	18:39
*** ajayaa has joined #openstack-keystone		18:39
openstackgerrit	A change was merged to openstack/keystone: Remove duplicated asserts https://review.openstack.org/109760	18:39
*** marcoemorais has quit IRC		18:39
*** marcoemorais has joined #openstack-keystone		18:40
gyee	you want size, or efficiency? :)	18:40
*** marcoemorais has quit IRC		18:40
ayoung	gyee, actually, I do	18:40
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Remove an unused import from conf.py https://review.openstack.org/110749	18:40
*** marcoemorais has joined #openstack-keystone		18:40
ayoung	gyee, lets talk swift for a moment	18:40
ayoung	in the case of swift, the real issue is that the size would be paid up front:	18:40
ayoung	here is what I mean by that:	18:40
ayoung	swift needs the token in some form, UUID or PKI	18:41
ayoung	if it is UUID, it needs to go and query the data from Keystone	18:41
gyee	Swift is a bad example, Swift should be using signature access, just like AWS	18:41
ayoung	gyee, the difference is the going to Keystone is a "local" call as opposed to the PKI token	18:42
ayoung	both require the same bandwidth, but the PKI token has to go across the public internet	18:42
ayoung	the UUID call does not	18:42
ayoung	now, if there are multiple calls with the full PKI token payload, that is going to add up, with no benefit	18:42
ayoung	gyee, define "signature access"	18:43
gyee	ayoung, ec2 & s3	18:43
ayoung	I've never used Amazon	18:43
ayoung	Aside to buy things	18:43
notmyname	ayoung: shared secret that is used to HMAC sign a request	18:43
notmyname	HMAC generate client-side, then validated server side	18:43
gyee	right, so sample and effective	18:44
gyee	forget tokens man	18:44
ayoung	gyee, that means that all requests need to be signed, either by a symmetric or asymmetric key	18:44
gyee	symmetric	18:44
gyee	HMAC is based on shared secret	18:44
notmyname	gyee: yes, but swift (server side) needs to get the shared secret from keystone. ideally in some cacheable form so every request doesn't still require a request to keystone	18:45
notmyname	ayoung: it's basically what swift has today with the tempurl support.	18:45
gyee	notmyname, sure, Keystone or Barbican, and cache it	18:45
stevemar	gyee, ayoung can you guys push this patch through: https://review.openstack.org/#/c/110749/	18:45
gyee	but that's a one time deal right?	18:45
notmyname	but that is based on account metadata, not something living in keystone	18:45
stevemar	it's to update http://specs.openstack.org/openstack/keystone-specs/	18:45
notmyname	gyee: time-based, shared secret is stored in account metadata	18:46
ayoung	notmyname, gyee a signature can't be much less than 1k In size,	18:46
gyee	ayoung, HMAC is pretty small	18:46
notmyname	ayoung: generally it is hex of sha256	18:46
ayoung	that is roughly comparable to a pki token without catalog	18:46
ayoung	notmyname, do you not include the signer-data in that?	18:46
notmyname	ayoung: what is "Signer-data"?	18:47
ayoung	so a user only has one key that they can use?	18:47
gyee	only "signer data" is the access key ID	18:47
notmyname	ayoung: 2, in the case of swift's tempurls, so they can be rotated	18:47
gyee	which used to identify the secret	18:47
ayoung	notmyname, in CMS (usedfor PKI tokens) it is the identifier of who signed the document	18:47
ayoung	notmyname, it can't be a sha256. It has to be a signed sha256, which is much larger. about 512 bytes	18:48
gyee	ayoung, only signer is the "account holder"	18:48
notmyname	ayoung: for tempurls, see https://github.com/openstack/swift/blob/master/bin/swift-temp-url	18:48
ayoung	so, sure, with HMAC< it would be smaller than token, and you would have a better degree of "I signed this" than you do for PKI tokens	18:48
notmyname	$ swift-temp-url GET 3600 /v1/AUTH_test/mycontainer/someobject/name/to/sign foobarkey	18:49
notmyname	/v1/AUTH_test/mycontainer/someobject/name/to/sign?temp_url_sig=fa81cf7f1927fe8087cae1ffea7dd2255c1cc5fb&temp_url_expires=1406749771	18:49
notmyname	for example	18:49
gyee	notmyname, you only allow one key per container?	18:51
notmyname	gyee: 2 per account	18:51
notmyname	gyee: stored in account metadata. 2 keys so you can rotate it without worrying about prematurely expiring exising URLs out there	18:52
gyee	oh, that explains why your example don't need access key ID in temp_url_sig	18:52
ayoung	ok, lets punt on tempurls for the time being. The issues with PKI tokens stand regardless of swift for talking to any service. If the token goes across the wire more than once, its paying twice for no benefit	18:52
notmyname	ayoung: right. tempurls are an example :-)	18:52
notmyname	ayoung: if such were supported by keystone, swift still needs to get the shared secret from keystone. if it's not supported, then swift needs to validate the token	18:53
notmyname	ayoung: and either way, it's cheaper to do nothing than something (ie caching is good and therefore tokens can't be one-time-use)	18:53
gyee	ayoung, yeah, if I am using a mobile app, I'd hate PKI tokens :)	18:53
ayoung	notmyname, lets say i t needs to get the shared secret from somewhere. Unless that method is going to replace all token usage, we need to figure something out	18:54
ayoung	gyee, right.	18:54
gyee	I do see mobile apps accessing Swift btw	18:54
openstackgerrit	A change was merged to openstack/keystone-specs: Remove an unused import from conf.py https://review.openstack.org/110749	18:54
ayoung	gyee, yeah, but using keystone tokens or using tempurls?	18:55
gyee	ayoung, no idea, I don't have access to the code	18:55
stevemar	sweet! http://specs.openstack.org/openstack/keystone-specs/	18:56
*** gabriel-bezerra has quit IRC		18:56
*** gabriel-bezerra has joined #openstack-keystone		18:57
gyee	ayoung, I do think we can offer choices, based on application behavior	18:58
gyee	something like POST /v3/auth/tokens?format=PKI	18:58
stevemar	i've been pitching that ?format for saml too :)	18:59
gyee	stevemar, amen brother!	18:59
ayoung	gyee, that was why it was supposed to be /aut/tokens vs....	18:59
ayoung	stevemar, you want /auth/saml	18:59
ayoung	and so /auth/pkiz	18:59
ayoung	and so /auth/uuid	18:59
ayoung	etc	18:59
gyee	++	18:59
notmyname	I've got a swift meeting now	19:00
ayoung	But what is the default?	19:00
ayoung	notmyname, bring up this question and let us know if there is fundamentally a problem with PKI tokens for swift, please	19:00
stevemar	i guess it would be uuid, seems like thats what dolphinator wants	19:01
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Make BaseValidationTestCase https://review.openstack.org/109098	19:01
lbragstad	stevemar: addressed your comments	19:01
stevemar	thx dude	19:01
notmyname	ayoung: I'm actually not sure what the question is	19:01
lbragstad	stevemar: we need the special encoding on that test module because we're testing unicode strings	19:01
lbragstad	with goofy characters	19:01
gyee	goofy is a character	19:02
ayoung	gyee, the thing is, UUID tokens will end up requiring persistence in Keystone	19:04
ayoung	I would never have wasted the time on revocation events if we were going to keep persistence	19:04
gyee	ayoung, right, that's one of the tradeoffs	19:05
gyee	that's really not much you can do on the client-side with an opaque string	19:06
ayoung	gyee, does it make any real difference for an app to do a memcache call and to make an http call to keystone?	19:07
ayoung	if all of the apps end up caching the tokens in memcache...but then, they were doing that even with UUID tokens. What is the difference there?	19:08
gyee	memcache is also client-server thingy, so yeah, there will be network overhead as well	19:09
gyee	but if there's an instance running on the same host then it suppose to be fast	19:10
gyee	but if you are running a memcache ring, then I suppose you have to deal with replication as well?	19:10
ayoung	gyee, I suspect that the way people are using memcache here is not in a ring	19:11
ayoung	so local call vs remote	19:11
gyee	ayoung, we are running a ring	19:11
ayoung	plus going to Keystone is 2 calls: call to keystone, keystone to datastore	19:11
gyee	we = HP	19:11
ayoung	gyee, not on nova	19:11
ayoung	gyee, the auth token caching on nova is in a ring?	19:11
gyee	ayoung, it depends on how many nova instances, for HA purposes	19:12
ayoung	gyee, that sounds like a mistake	19:12
gyee	nova API instances I mean	19:12
ayoung	gyee, why not just have each instance of the api server cache tokens when required?	19:12
*** gabriel-bezerra has quit IRC		19:12
gyee	ayoung, for HP, LB can route the call to any instance	19:13
gyee	s/HP/HA/	19:13
*** gabriel-bezerra has joined #openstack-keystone		19:13
gyee	if you have 50 instance, you don't want to hit Keystone 50 times	19:14
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains https://review.openstack.org/107393	19:23
*** markwash_ has joined #openstack-keystone		19:23
marekd	stevemar: lol, I am afraid I am gonna ask you for the 3rd +2 on this patch: https://review.openstack.org/#/c/107393 :-)	19:24
marekd	stevemar: i have abandoned underlying one after jamie's suggestions	19:24
marekd	stevemar: and I confirm the patch in the current shape also lists my projects/domains :-)	19:24
raildo	gyee: I answered your comments there, I had forgotten to send: P	19:24
*** markwash__ has joined #openstack-keystone		19:26
*** markwash has quit IRC		19:26
openstackgerrit	A change was merged to openstack/keystone-specs: Enable filtering of credentials by user ID. https://review.openstack.org/110674	19:28
*** markwash has joined #openstack-keystone		19:29
*** markwash_ has quit IRC		19:29
*** markwash__ has quit IRC		19:32
*** bvandenh has quit IRC		19:32
*** markwash_ has joined #openstack-keystone		19:34
gyee	raildo, thanks, will take another look	19:35
*** markwash has quit IRC		19:37
*** packet has quit IRC		19:37
*** markwash_ has quit IRC		19:39
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains https://review.openstack.org/107393	19:42
ayoung	gyee, no session affinity?	19:47
stevemar	marekd, i don't think httpretty is included	19:50
marekd	stevemar: yeah	19:50
marekd	stevemar: i just noticed there is something definitely wrong.....	19:51
marekd	stevemar: even though the real code (not tests) work pretty well.	19:51
marekd	but even fresh pull from master fails for me.	19:51
marekd	stevemar: what's the solution for that?	19:53
marekd	stevemar: ah, I didn't rebase properly...:/\	19:53
*** markwash_ has joined #openstack-keystone		19:53
stevemar	marekd, that would be the problem	19:54
ayoung	morganfainberg_Z, let me know when you wake up. I don't want to sit on this PKI token issue for ever, but I want to make sure we all understand it before moving forward	19:56
*** ajayaa has quit IRC		19:59
marekd	stevemar: eh, it was not me not rebasing properly but not fixing the tests where Python was not very helpful in showing where is the problem (have you ever expected the big output log with set of classes and no helpful info what is screwed up?)	20:04
marekd	running full set of tests and uploading new ver.	20:04
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains https://review.openstack.org/107393	20:05
stevemar	marekd, ill check it out when i get back, heading out soon	20:05
marekd	stevemar: sure!	20:05
marekd	stevemar: have fun.	20:05
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Redact tokens in request headers https://review.openstack.org/110117	20:12
*** stevemar has quit IRC		20:12
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Add v3scopedsaml entry to the setup.cfg. https://review.openstack.org/110770	20:13
marekd	jamielennox\|away: stevemar: appreciate your eyes on this patch: https://review.openstack.org/#/c/106751/	20:17
marekd	it's been stuck for a while without a review :(	20:18
*** markwash_ is now known as markwash		20:18
*** amerine_ is now known as amerine		20:25
*** hemna has joined #openstack-keystone		20:30
*** andreaf has quit IRC		20:34
openstackgerrit	Diane Fleming proposed a change to openstack/identity-api: Remove ATOM responses for list versions and get version details. https://review.openstack.org/110777	20:35
*** navid_ has quit IRC		20:36
*** cjellick_ has joined #openstack-keystone		20:38
*** cjellick_ has quit IRC		20:41
*** cjellick_ has joined #openstack-keystone		20:41
*** cjellick has quit IRC		20:42
openstackgerrit	henry-nash proposed a change to openstack/identity-api: Enable filtering of credentials by user ID https://review.openstack.org/110782	20:44
*** cjellick_ has quit IRC		20:46
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 wrapper plugin for full federation authN https://review.openstack.org/106751	20:48
*** marekd is now known as marekd\|away		20:49
*** jasondotstar has quit IRC		20:59
openstackgerrit	henry-nash proposed a change to openstack/identity-api: Enable filtering of credentials by user ID https://review.openstack.org/110782	21:03
*** LinStatSDR has joined #openstack-keystone		21:06
*** lbragstad has quit IRC		21:06
*** hrybacki_ has joined #openstack-keystone		21:09
*** lbragsta_ has joined #openstack-keystone		21:10
*** lbragsta_ is now known as lbragstad_		21:11
lbragstad_	dstanek: do you know if there is a jsonschema property for validating a property isn't None if it is in the request?	21:13
*** hrybacki has quit IRC		21:13
*** hrybacki_ has quit IRC		21:14
*** henrynash has quit IRC		21:15
*** henrynash has joined #openstack-keystone		21:18
*** henrynash has quit IRC		21:20
dstanek	lbragstad_: you mean that if you get the key it can't be None, but you don't require it?	21:26
lbragstad_	dstanek: thinking about the region case...	21:26
lbragstad_	if we provide an 'id' in the region request, it can't be None, or null	21:27
lbragstad_	because, then we create an entry in the DB, or whatever backend, that doens't have an id	21:27
lbragstad_	dstanek: http://paste.openstack.org/show/89251/	21:27
openstackgerrit	Brant Knudson proposed a change to openstack/identity-api: JSON Home support https://review.openstack.org/109881	21:27
lbragstad_	dstanek: pushing a new commit here soon,	21:28
dstanek	lbragstad_: so you want to allow parent to not be specified, but if it is it must match the pattern right?	21:28
lbragstad_	dstanek: we should be able to fix https://bugs.launchpad.net/keystone/+bug/1322639 with jsonschema	21:29
uvirtbot	Launchpad bug 1322639 in keystone "region creation API should not allow empty id" [Medium,In progress]	21:29
lbragstad_	if 'id' is passed in a region create request, then it should be checked that it is not None	21:29
lbragstad_	but 'id' isn't technically required in a region create request. If an 'id' isn't provided by the user, keystone will generate a UUID for it	21:30
*** lbragstad_ is now known as lbragstad		21:30
dstanek	lbragstad_: i think this will work http://paste.openstack.org/show/89252/ but you should probably verify in the interpreter	21:30
dstanek	lbragstad: id is not required and type is string with a pattern	21:31
*** rwsu has quit IRC		21:31
openstackgerrit	A change was merged to openstack/keystone: Add filters to the collections 'self' link https://review.openstack.org/110661	21:32
lbragstad	dstanek: my mistake... we shouldn't allow an empty ID string	21:33
lbragstad	dstanek: the "id": {"type": "string"} part should throw an exception when passing id: None	21:35
*** rwsu has joined #openstack-keystone		21:39
*** gordc has quit IRC		21:39
*** henrynash has joined #openstack-keystone		21:42
*** henrynash has quit IRC		21:43
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on the Catalog V3 resources https://review.openstack.org/96266	21:43
*** lbragsta_ has joined #openstack-keystone		21:48
*** lbragstad has quit IRC		21:52
*** lbragsta_ has quit IRC		21:53
*** hrybacki has joined #openstack-keystone		21:57
*** henrynash has joined #openstack-keystone		22:00
*** bknudson has quit IRC		22:08
*** hrybacki_ has joined #openstack-keystone		22:15
*** alex_xu has quit IRC		22:17
*** hrybacki has quit IRC		22:19
*** david-lyle has quit IRC		22:42
*** david-lyle has joined #openstack-keystone		22:42
*** david-lyle has quit IRC		22:47
*** thedodd has quit IRC		22:51
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: revise docs on default _member_ role https://review.openstack.org/110803	22:52
henrynash	gyee, dstanek: thx for quick approval of the spec chaneg for filtering credentials by user_id	22:57
gyee	henrynash, np, that's one of those no-brainers :)	23:00
henrynash	gyee: nice to have one of those from time to time....	23:00
*** thedodd has joined #openstack-keystone		23:05
openstackgerrit	A change was merged to openstack/identity-api: Enable filtering of credentials by user ID https://review.openstack.org/110782	23:06
*** zzzeek has quit IRC		23:09
*** bknudson has joined #openstack-keystone		23:13
*** bknudson has quit IRC		23:18
*** bknudson has joined #openstack-keystone		23:19
*** jaosorior has quit IRC		23:22
*** henrynash has quit IRC		23:29
*** thedodd has quit IRC		23:48
*** thedodd has joined #openstack-keystone		23:52
*** jamielennox\|away is now known as jamielennox		23:53
*** gyee has quit IRC		23:55
*** morganfainberg_Z is now known as morganfainberg		23:55
*** hrybacki_ has quit IRC		23:57
*** thedodd has quit IRC		23:57
morganfainberg	dolphm, ping, back	23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!