Wednesday, 2014-08-13

00:00 <bknudson1> jamielennox: what patch is that?
00:00 <bknudson1> the one that merged recently?
00:00 <jamielennox> https://review.openstack.org/#/c/105031/
00:01 <bknudson1> that still uses identity_uri
00:01 <jamielennox> oh, yea it does
00:01 <jamielennox> so you can use the same trick with neutron
00:01 <jamielennox> if you specify a full url eg http://xxx/xx/xx it will use that instead of the service catalog
00:03 <bknudson1> jamielennox: specify a full url for what?
00:03 *** nkinder has joined #openstack-keystone
00:04 <jamielennox> bknudson1: whatever request that neutron is making to endpoint_url
00:04 <jamielennox> i've no idea how practical that is
00:04 <bknudson1> jamielennox: here's the code in neutronclient: http://git.openstack.org/cgit/openstack/python-neutronclient/tree/neutronclient/client.py#n284
00:04 <bknudson1> it takes interface, service_type, region_name
00:05 <jamielennox> what the hell have they done
00:05 <bknudson1> I assume those are the interface, service_type, and region_name for neutron
00:06 <bknudson1> if you look down at line http://git.openstack.org/cgit/openstack/python-neutronclient/tree/neutronclient/client.py#n376
00:07 <bknudson1> construct_http_client takes endpoint_url but it only passes it to HTTPClient and not SessionClient
00:07 <jamielennox> hmm, so they've broken compatibility for nova there
00:07 <jamielennox> if you pass a session it will be ignored
00:08 <jamielennox> i did that on purpose in novaclient
00:08 <jamielennox> if you convert nova to use neutronclient with a session object then you should deprecate the endpoint_url option
00:08 <bknudson1> jamielennox: Nova actually defaults the neutron.url.
00:09 <bknudson1> jamielennox: y, that makes sense
00:09 <jamielennox> bknudson1: where does it get that from, isn't it just from the service catalog?
00:10 <jamielennox> it should just get it from the catalog, in which case it means you should just be passing the plugin (with catalog) to the session
00:10 <bknudson1> jamielennox: ha ha, good one!
00:10 <bknudson1> http://git.openstack.org/cgit/openstack/nova/tree/nova/network/neutronv2/api.py#n39
00:10 <bknudson1> it's just hardcoded
00:11 <bknudson1> default='http://127.0.0.1:9696'
00:11 <jamielennox> nice one
00:12 <jamielennox> i remember this being one of the cases for allowing auth plugins to be reloaded from the config file
00:12 *** david-lyle has quit IRC
00:12 <bknudson1> jamielennox: what do you mean reloaded? like with a signal tell it to re-read config?
00:13 <jamielennox> s/reloaded/reused
00:13 <jamielennox> so you don't need to specify username/password multiple times in the nova.conf for each of the different clients
00:15 *** wwriverrat has joined #openstack-keystone
00:15 <bknudson1> jamielennox: I think what I'll do for now is have essentially a switch for using session... e.g., you have to have 'neutron.url' set to some special value or neutron.identity_version=v3.
00:16 <bknudson1> so they have to opt-in to using the session client
00:16 <jamielennox> bknudson1: can we do something without adding a new value?
00:16 <bknudson1> and then deprecate the non-session client options.
00:16 <jamielennox> eg if neutron.url isn't set, then don't use the default use a session
00:17 *** wwriverrat1 has quit IRC
00:17 <bknudson1> jamielennox: it's got a default so we don't know if it isn't set or not, but I think we could remove the default then.
00:18 <jamielennox> bknudson1: right, change the default to None
00:18 <bknudson1> but it still seems like we need more option
00:18 <bknudson1> more options
00:18 <jamielennox> bknudson1: is there an error that makes sense: https://review.openstack.org/#/c/113712/1/keystoneclient/auth/identity/v2.py
00:19 <bknudson1> jamielennox: are we running out of exception types? If not, define a new one.
00:20 <jamielennox> bknudson1: if you do the register_conf_options then it will add an auth_plugin option which you can check for
00:21 <bknudson1> jamielennox: I'm happy to switch to the register_conf_options at some point, but given the problems I've already run into I don't see how it's going to work yet.
00:21 <bknudson1> I think that will be a future change.
00:21 <jamielennox> bknudson1: for auth or for session?
00:21 <jamielennox> session should be ok
00:21 <jamielennox> auth is still a problem i expect
00:22 <bknudson1> jamielennox: I haven't looked into the nova changes to support session to know how it's going to turn out yet.
00:22 *** zzzeek has quit IRC
00:22 <bknudson1> jamielennox: the exception should be raised in the constructor rather than wait for get_auth_data
00:23 *** david-lyle has joined #openstack-keystone
00:24 *** david-lyle has quit IRC
00:24 *** wwriverrat has left #openstack-keystone
00:25 <jamielennox> bknudson1: i get test failures when i do it in __init__
00:25 *** david-lyle has joined #openstack-keystone
00:25 *** wwriverrat has joined #openstack-keystone
00:25 <bknudson1> jamielennox: why do tests fail?
00:25 <bknudson1> they don't pass a username?
00:27 <jamielennox> bknudson1: oh, my bad, had my order of operations wrong
00:29 *** david-lyle has quit IRC
00:30 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing user_id to v2Password plugin  https://review.openstack.org/113712
00:30 <morganfainberg> bknudson1, well looks like adding logging to detect the failure has just successfully removed the failure :(
00:31 <bknudson1> morganfainberg: nice, check it in quick.
00:31 <morganfainberg> bknudson1, lol
00:33 <jamielennox> bknudson1: ok ^ so that's userId, not sure what else can be done for now
00:35 <bknudson1> jamielennox: thanks!
00:39 <dstanek> dolphm, stevemar: i see that you guys have both +2ed the default cache_time review; i have an update to it that implements morganfainberg's idea
00:40 <stevemar> dstanek, what was his idea?
00:40 <stevemar> it's not in the review
00:40 <dstanek> stevemar: running the tests now - to have a global cache_time similar to what we do with list_limits
00:45 <morganfainberg> stevemar, the same way the enabled flag is overridden for cache, check global, check subsystem
00:45 <morganfainberg> stevemar, so in this case if the subsystem doesn't define a cache time, fall back to the global default
00:47 <morganfainberg> well crap. how the hell am i supposed to solve this issue if its timing is narrow enough LOG lines can swing it to not happening
00:47 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Sets a default timeout for cached data  https://review.openstack.org/113586
00:47 *** richm has quit IRC
00:56 <stevemar> lol morganfainberg poor you
00:56 <jamielennox> gyee: https://review.openstack.org/#/c/104771/18
00:56 <jamielennox> or anyone else in search of a fairly simple review can they finish off ^
01:00 <stevemar> jamielennox, on the job!
01:01 <ayoung> jamielennox, stevemar if I add a big "WARNING THIS CODE IS STILL EXPERIMENTAL"  can we please just merge https://review.openstack.org/#/c/81166/30
01:02 <ayoung> that way, all of bknudson1 's bug fixes will be done on top of this code, and not be duplicated?
01:02 <ayoung> and we can start writing tempest tests etc
01:02 <jamielennox> ayoung: if tempest depends on it - how do we ever get rid of it later
01:03 <ayoung> jamielennox, we don't get rid of this.  we need tempest tests to ensure that real live revocation is done
01:03 <stevemar> jamielennox, holy poop that was some ugly code before (wrt reset variable)
01:03 <ayoung> this is in the client,  and will be used by the server (like how CMS is done)
01:04 <jamielennox> stevemar: yea, i hated that code so much, the new stuff isn't pretty but the stateful-ness of the old one was horrible
01:04 <ayoung> ++
01:04 *** wwriverrat1 has joined #openstack-keystone
01:05 <ayoung> jamielennox, can you look at the Kerberos plugin that Jose wrote?  That is pretty much the single most important thing we need from client
01:05 *** wwriverrat has quit IRC
01:05 <ayoung> if it's wrong, we need to get it fixed
01:05 <stevemar> jamielennox, it was only those 2 methods that were affected?
01:05 <jamielennox> stevemar: also i feel that bit is a vote in favour of putting a catalog in an unscoped token
01:05 <ayoung> https://review.openstack.org/#/c/74974/
01:05 <jamielennox> stevemar: they are the only operations (i could see) that can be performed with an unscoped token
01:06 <ayoung> it needs rebase etc, and I can handle that, but the general approach looks good to me, and it's super-critical path
01:07 <ayoung> jamielennox, the things we need from an unscoped token are : list projects, list domains,  and where to get tokens
01:07 <ayoung> so /users/{userid}/projects /users/{userid}/domains and /auth/tokens
01:09 <jamielennox> ayoung: reviewed
01:09 <jamielennox> yep, and v2 doesn't have domain listing
01:09 <jamielennox> i'm not sure why this stuff worked in v3
01:10 *** wwriverrat1 has quit IRC
01:13 <stevemar> jamielennox, +A'ed
01:13 <jamielennox> stevemar: cheers
01:15 *** cjellick has joined #openstack-keystone
01:18 <gyee> jamielennox, sorry I got stuck in a meeting, looks like someone approved that one already
01:18 <jamielennox> gyee: that's alright stevemar got it
01:18 <stevemar> dstanek, why don't you need parentheses when you call get_expiration_time
01:19 <stevemar> gyee, yeah that's right!
01:19 <gyee> heh
01:19 <stevemar> :D
01:19 <dstanek> stevemar: it's being called, it's passed in as an arg
01:19 <stevemar> dstanek, neato
01:20 <dstanek> stevemar: if we called it at import time the config option wouldn't have been registered yet
01:21 *** rkofman has left #openstack-keystone
01:21 <stevemar> dstanek, i was referring to here: @cache.on_arguments(should_cache_fn=SHOULD_CACHE, expiration_time=get_expiration_time)
01:21 <dstanek> stevemar: me too
01:21 <stevemar> dstanek, but i guess there is specialness to passing a method in there
01:22 <dstanek> if expiration is a callable it gets called
01:22 <dstanek> stevemar: we were already passing a callable in; i just changed it from a lambda to a function
01:22 <stevemar> ahhh
01:24 <ayoung> jamielennox, so we would have to ship a separate library in order to get Kerberos support?
01:24 <ayoung> I don't know...I think Kerberos should just be something that is expected to be there
01:25 <jamielennox> ayoung: i don't mind - i was providing it as an option
01:26 <ayoung> jamielennox, I hear ya, but others sometimes dogpile on these things.  I'd like to not put that high a barrier on adoption of Kerberos
01:27 <ayoung> You've got the existing way of doing things that are so wide-open-insecure, and people don't realize why.  Then we go and make Kerberos such a pain to work with, and people feel justified in staying away from it
01:29 <jamielennox> ayoung: that's alright - i just don't think we want to get into the habit of taking a new client dependency for everyone who adds a plugin
01:29 <ayoung> jamielennox, I love the comment "this isn't used? how do the tests pass?"
01:29 <jamielennox> :)
01:29 <ayoung> it's the whole "how did this ever work" phenomenon in programming
01:31 *** cjellick has quit IRC
01:33 *** diegows has joined #openstack-keystone
01:35 *** andreaf has quit IRC
01:35 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow providing a default value to CLI loading  https://review.openstack.org/113742
01:35 <jamielennox> ^ posted purely because the rebase is too difficult and i don't want to eject the current things from gate
01:35 *** andreaf has joined #openstack-keystone
01:35 <jamielennox> getting ridiculous ...
01:36 <openstackgerrit> A change was merged to openstack/keystone: Updates the sample config  https://review.openstack.org/113585
01:40 *** andreaf has quit IRC
01:40 *** gokrokve has joined #openstack-keystone
01:41 *** andreaf has joined #openstack-keystone
01:44 *** andreaf_ has joined #openstack-keystone
01:44 *** andreaf has quit IRC
01:44 *** gokrokve_ has quit IRC
01:45 *** andreaf_ has quit IRC
01:45 *** gokrokve has quit IRC
01:45 *** andreaf_ has joined #openstack-keystone
01:46 *** andreaf_ has quit IRC
01:46 *** andreaf_ has joined #openstack-keystone
01:46 *** andreaf_ has quit IRC
01:47 *** andreaf_ has joined #openstack-keystone
01:51 *** diegows has quit IRC
01:52 <openstackgerrit> Jamie Lennox proposed a change to openstack/keystonemiddleware: Refactor auth_token cache  https://review.openstack.org/105314
02:00 *** Krast has joined #openstack-keystone
02:00 <ayoung> jamielennox, we passed ridiculous  back in late December
02:00 *** hrybacki has quit IRC
02:01 <ayoung> maybe earlier
02:07 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/104771
02:12 <morganfainberg> ayoung, so... running into an issue with revocation events
02:12 <morganfainberg> ayoung, looks like a timing issue.
02:13 *** med_ has joined #openstack-keystone
02:13 *** med_ has joined #openstack-keystone
02:13 *** amcrn has quit IRC
02:13 <ayoung> morganfainberg, running the tests?
02:13 <morganfainberg> i can't duplicate it locally (unit OR tempest), but have it duplicated in gate consistently, adding logging output "fixes" it
02:13 <morganfainberg> ayoung, it's a tempest issue
02:13 <morganfainberg> this failure: https://review.openstack.org/#/c/113429/
02:14 <ayoung> morganfainberg, things reporting as not revoked that should be revoked?
02:14 <morganfainberg> reporting as revoked that shouldn't be revoked
02:14 <morganfainberg> and it's ... very tight timing.
02:14 <ayoung> link?
02:15 <morganfainberg> adding in https://review.openstack.org/#/c/113670/1/keystone/contrib/revoke/model.py (look at line 245) just for debugging to see what was matching resolved the issue.
02:15 <morganfainberg> ayoung, http://logs.openstack.org/29/113429/4/check/check-tempest-dsvm-full/024fced/console.html#_2014-08-13_00_07_13_205
02:15 <morganfainberg> it's sporadic and changes which ones it fails on.
02:16 <morganfainberg> test wise
02:16 <ayoung> is it happening in tear down, or is that just where it is reported?
02:16 <morganfainberg> i can't tell if it's 2 unscoped tokens colliding in revocation events because the resolution in mysql being 1s not microsecond
02:16 <morganfainberg> it actually happens in teardownclass
02:16 <morganfainberg> in other cases it happened in setupclass
02:16 <morganfainberg> it's moved around some
02:17 <ayoung> are they revoking their own token?
02:17 <morganfainberg> they do a revocation of a token at one point in the tests
02:17 <morganfainberg> and when they do they revoke their own token expecting it to fail next call
02:17 <morganfainberg> (testing for a 401)
02:17 <ayoung> and maybe in the cleanup they try to use it, or one that matches the same criteria
02:18 <morganfainberg> ayoung, that is what i'm thinking but... i can't confirm it because i can't log :P log pushes the timing outside the window of occurrence
02:18 <ayoung> clear_isolated_creds
02:18 <morganfainberg> this all stems from tokens and events having a 1s resolution because mysql sucks
02:18 <morganfainberg> as far as i can tell
02:18 <ayoung> can we get around that?
02:19 <morganfainberg> not without breaking compatibility with versions of mysql
02:19 <ayoung> I'm sure that mysql must be able to deal with something finer
02:19 <ayoung> what if we use a different datatype?
02:19 <morganfainberg> it can after a certain version. but it would probably break a lot of things.
02:19 <morganfainberg> we could migrate to varchar
02:19 <morganfainberg> my other thought is stop revoking by expires time
02:20 <morganfainberg> inject a "token chain id" (uuid4?) that is carried forward on chaining tokens.
02:20 <ayoung> 5.6.4 according to http://stackoverflow.com/questions/15526597/how-to-retrieve-microseconds-or-milliseconds-from-mysql-current-time
02:20 <morganfainberg> you revoke on this chain id (request id, whatever)
02:20 <ayoung> hmmm, yeah
02:20 <morganfainberg> ayoung, right but you need to specifically migrate the tables to datetime(6) because they default to datetime(0) [all other SQL servers default to datetime(6)]
02:21 <morganfainberg> and ... older versions of mysql may puke/explode/etc (not sure what the minimum mysql for openstack is... it's not really documented)
02:21 <ayoung> I'm on 5.5.38-MariaDB,
02:21 <ayoung> and that is Fedora
02:21 <ayoung> SO the broken version is the norm
02:21 <morganfainberg> i don't think migration to datetime(6) is a good idea
02:22 <ayoung> ok, we know what is happening.  revoke on expiration is matching too broadly
02:22 <morganfainberg> unless RH backported the datetime support (i think unlikely)
02:22 <morganfainberg> ayoung, i *think* that is it, but it's hard to be 100% sure
02:22 <ayoung> when you revoke a token, it revokes based on userid and expires_at
02:22 <ayoung> if you requested two tokens too close together, the "other" one would be revoked by mistake
02:22 <ayoung> It smells right
02:22 <morganfainberg> yep
02:23 <ayoung> and I was assuming microsecond granularity
02:23 <morganfainberg> i'm thinking the quickest / easiest fix is change what we use as the unique id for token chains
02:23 <ayoung> the revoke all by expires_at is very elegant
02:23 <ayoung> ugh
02:23 <ayoung> makes the token larger, and it can't be the shared secret
02:23 *** Krast has quit IRC
02:24 <ayoung> it would be good if it could be "forward only"
02:24 <morganfainberg> ayoung, yes it does, but i think we can justify 32bytes (ascii hex)
02:24 *** andreaf_ has quit IRC
02:24 <ayoung> which means that if I get an unscoped, then use that to get a scoped, revoking the scoped token does not revoke the unscoped
02:24 <morganfainberg> i think i can lump that into this fix idea easily
02:24 <morganfainberg> with limited token bloat.
02:24 <ayoung> don't jump...this is tricky
02:24 *** andreaf_ has joined #openstack-keystone
02:25 <ayoung> right now, we have no limitation on token to token transfers
02:25 *** hrybacki has joined #openstack-keystone
02:25 <morganfainberg> ayoung, and this wouldn't change that.
02:25 <ayoung> logically there is no difference between going scoped to unscoped back to scoped....
02:26 <ayoung> OTOH this unique identifier could be used for Audit
02:26 <morganfainberg> ayoung, yeah a nice side effect
02:26 <ayoung> so if we say "yeah, you are always going to revoke the whole chain....we still break Horizon"
02:27 <morganfainberg> ayoung, i was thinking *when* we make unscoped from scoped not allowed, we make the "original" token identifiable
02:27 <morganfainberg> or we do that now but don't use that functionality
02:27 <morganfainberg> token.get('is_subtoken', false) [name sucks i know]
02:28 <ayoung> how about when a user requests a new token, if it would already be revoked, wait one second
02:28 <morganfainberg> we can lay *some* ground work here
02:28 <ayoung> nah...my guess is the token was already issued
02:28 <ayoung> mysql sucks
02:28 <morganfainberg> ayoung, ++ that is my guess
02:28 <ayoung> let's just switch to a real Database already
02:28 <morganfainberg> ayoung, let's talk about real answers to fixing this :P
02:29 <morganfainberg> it does also affect postgres because we had to "fix" it based on lowest common lameness
02:29 <ayoung> db = sqlalchemy.create_engine('postgresql:///tutorial.db')
02:30 <ayoung> add an additional field to the token.  expires_at_microseconds.  Store it in an integer
02:30 <morganfainberg> doesn't mean it'll fly "oh keystone requires postgres and everyone else uses <insert options>"
02:31 <ayoung> morganfainberg, I've been raging impotently against MySQL for well over a Decade at this point
02:32 <ayoung> morganfainberg, damnit,  we can't use it for audit
02:32 <morganfainberg> ?
02:32 <ayoung> two tokens would show up using the same id
02:32 <ayoung> a begets b
02:32 <ayoung> both have the same "source"
02:33 <ayoung> unless we gave each a unique audit ID, and then when we revoke we revoke on audit id, and now we've lost the chain
02:33 <ayoung> it unbreaks horizon
02:33 <ayoung> hmmm
02:33 <ayoung> but maybe that moves us forward, and we make revoke-all-with-expires-at a different call
02:33 <ayoung> one we can use explicitly when we want it
02:34 <morganfainberg> ayoung, sure.
02:36 *** topol has joined #openstack-keystone
02:37 <ayoung> morganfainberg, run it past dolphm ...
02:37 <ayoung> it means adding the audit id to every token.  how do we make that unique?  another uuid?
02:38 <ayoung> morganfainberg, or we put a one second delay in the tempest tests.
02:39 <ayoung> nah..
02:41 <morganfainberg> ayoung, i already had to put a 1s delay in one of our unit tests... let's not be silly
02:41 <ayoung> morganfainberg, surprised we haven't seen more problems along these lines.  The "issued_at" hack was to make two tokens different even if they were issued with the exact same data
02:41 <ayoung> yeah, let's try to undo that change
02:42 *** Krast has joined #openstack-keystone
02:42 * ayoung trying to think of a way to do this without adding data to the token
02:43 <ayoung> they must be of different scopes.  Otherwise the DB would complain
02:43 <morganfainberg> ayoung, issued_at is actually useful though for things like revocation events
02:44 <ayoung> morganfainberg, oh, I'm aware, just that it was supposed to be more fine grained than one second for exactly this reason.  Is it?
02:44 <ayoung> We had unit tests failing until I put that in
02:44 <ayoung> ah..but it is in the token data, not a database column
02:44 <morganfainberg> yep
02:45 <ayoung> expires at must be treated differently,  but maybe we can fix that
02:45 <morganfainberg> expires is a first order column in the db
02:45 <ayoung> it should be in the body of the token
02:45 <morganfainberg> because we use it as an indexed value
02:45 <ayoung> too
02:45 <morganfainberg> hm, we do *wonky* crap with rebuilding the tokens
02:45 <ayoung> yeah, but we don't need to use that copy to test the revocation event, or even to treat it as canonical
02:46 <morganfainberg> it's what i'm trying to solve with all this get rid of token_api
02:46 * ayoung goes to look
02:46 <morganfainberg> that way we don't have multiple forms of tokens being worked with inside keystone
02:46 <morganfainberg> anyway. i need dinner
02:46 * morganfainberg is starving
02:47 <morganfainberg> i'll poke you / dolph about this tomorrow cause this is one of the last major changes needed to deprecate token_api (tests can be mucked with more easily)
02:47 <morganfainberg> this assignment_api and a couple of small others.
02:47 <morganfainberg> then it becomes stupid easy to turn off token persistence :)
02:48 <ayoung> morganfainberg, I think we can fix this without any changes to the data in the token.  We have to duplicate the expires at value, and keep the millisecond version around
02:48 <ayoung> persistence get_token just creates a dict...where is the logic
02:48 <morganfainberg> it's the issue token
02:49 <morganfainberg> issue does the store of the dict
02:49 <stevemar> dstanek, ping
02:49 <ayoung> expires=token_data['access']['token']['expires'],
02:51 <dstanek> stevemar: pong
02:52 <stevemar> dstanek, your second comment here: https://review.openstack.org/#/c/112204/7/keystone/notifications.py
02:52 <stevemar> you mean, access them via ['project_id'] instead of .get() ?
02:52 <dstanek> stevemar: yes
02:52 <stevemar> dstanek, cool, minor performance enhancement i guess
02:53 <dstanek> stevemar: i actually reworked it just now...gimme a sec and i'll paste it for you to take a look at
02:53 <stevemar> dstanek, that would be great
02:53 *** andreaf_ has quit IRC
02:53 <morganfainberg> ayoung, and we explicitly set expires to the value from the db column in format_token
02:54 <stevemar> dstanek, for the raising exception, i just copy / pasta'ed the other manager wrapper
02:54 *** andreaf_ has joined #openstack-keystone
02:54 <morganfainberg> ayoung, http://pasteraw.com/c6tz5zf1oe5978qr8o660sz4inywp9u
02:54 <dstanek> stevemar: ha, then i'll fix that now :-)
02:54 *** andreaf_ has quit IRC
02:54 <morganfainberg> ayoung, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L44-L52
02:54 <stevemar> i think it's to raise the exception that might be called if the actual function fails
02:54 <stevemar> dstanek, neato, and comment here ^
02:55 <stevemar> dstanek, also the spec is here: https://review.openstack.org/#/c/113669/
02:55 <morganfainberg> ayoung, so ... if we *didn't* override the value there (unless it didn't exist) i think all our timing issues go away (though... a unique chain id would be better than comparing microseconds in a distributed keystone front end)
02:56 <ayoung> morganfainberg, but adding an audit_id would be a more invasive change
02:56 <ayoung> let's fix the timing first.
02:56 <morganfainberg> ayoung, have i mentioned i hate the revocation event tree code. it gave me a headache again today :P
02:56 <ayoung> I'm still on the fence about the horizon issue
02:56 <dstanek> stevemar: http://paste.openstack.org/show/94121/
02:57 <ayoung> morganfainberg, well,  I originally wrote it as a series of functions,  pseudo-recursive
02:57 <ayoung> I still think that was easier to read
02:57 <ayoung> this code...not so much
02:57 <morganfainberg> ayoung, might have been easier to read. the tree is not *fast*
02:57 <stevemar> dstanek, errr my gawd, inspect.getcallargs
02:57 <morganfainberg> considering those tests always top the slowest tests.
02:58 <stevemar> that is so freaking cool
02:58 <morganfainberg> not saying it's horrible, just not blazing fast :P
02:58 <ayoung> morganfainberg, not sure if recursion would fix that or not.  I suspect it is the hashtable lookups that are the real bottleneck there
02:58 <morganfainberg> stevemar, you can do EVIL things with inspect :)
02:58 <morganfainberg> ayoung, if it was the same cost to do the lookups/validate revocation i'd opt for easier to read code
02:59 <stevemar> TIL inspect
02:59 <ayoung> morganfainberg, ok...let me pull up the original version in the review and you can tell me
02:59 <morganfainberg> stevemar, i've done evil dirty things... including things like monkey patching and using inspect to do cryptographic verification of overridden functions
02:59 <morganfainberg> ayoung, nah, let's not go down that path in Juno
03:00 <morganfainberg> ayoung, let's evaluate that in Kilo
03:00 <morganfainberg> ayoung, we have this now and it *mostly* works
03:00 <dstanek> stevemar: yeah, pretty nice - it does all of that work for you
03:00 <morganfainberg> if we can make it better in K at little cost, we do so. if not we can think about other options if they make sense
03:00 <stevemar> dstanek, technically the role_id is not part of the actor OR'ing :)
03:00 <ayoung> morganfainberg, OH, YEAH
03:01 <ayoung> Change-Id: If76c8cd5d01a5b991c58a4d1a9d534b2a3da875a
03:01 <stevemar> dstanek, did you intend to upload a new patch? o/w i'll poke around
03:01 <ayoung> 82 REVISIONS!
03:01 <ayoung> I'll find the latest non-tree version via binary search!
03:02 <dstanek> stevemar: sure i can do that
03:02 <morganfainberg> lol
03:02 <dstanek> stevemar: role_id shouldn't be there?
03:03 <stevemar> dstanek, alrighty, i just didn't want to be in a state of limbo
03:03 <stevemar> dstanek, role_id is always passed in
03:03 <stevemar> dstanek, rm line 52 in your pastie
03:04 <stevemar> it's in the right spot, line 59
03:04 <dstanek> stevemar: oh, i think i got confused in the 'if actor is None' block
03:04 <ayoung> morganfainberg, here is a fairly late revision  https://review.openstack.org/#/c/55908/56/keystone/contrib/revoke/model.py,cm  prior to the rewrite
03:04 <morganfainberg> ayoung, i think.. 60 is the last pre-tree one
03:05 <morganfainberg> ayoung, honestly, it is easier to read. there is less magic.
03:05 <ayoung> morganfainberg, I suspect that code would also be faster.  Fewer hashtable lookups
03:05 <morganfainberg> ayoung, let's slate that for K1 ?
03:05 <morganfainberg> ayoung, do some testing.
03:05 <ayoung> ++
03:06 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events  https://review.openstack.org/112204
03:06 <morganfainberg> ayoung, ok tomorrow i'll see if i can "not" override the token expires at if it already exists in the data structure
03:07 <morganfainberg> ayoung, maybe that'll make things all happy
03:08 <stevemar> damn you make some pretty code dstanek
03:11 <ayoung> morganfainberg, the expires at time has to be inside the token data when the token is signed.  Modifying that value at any point is going to break things.  I'm surprised that the Hashes matched
03:11 <ayoung> but I don't think we are hashing the database generated times.
03:11 <morganfainberg> ayoung, we don't
03:12 <ayoung> then, maybe the problem is just where I am getting the expires at value
03:12 <morganfainberg> ayoung, we pull from the DB and never hash; we compare values from the decoded token to the db values (at most)
03:12 <ayoung> not for revocation events we don't
03:12 <morganfainberg> ayoung, nah, the data is in the DB, we just need to not override it in format_token (and the v3) equiv
03:12 <morganfainberg> ayoung, we do, it's part of validate_token
03:12 <morganfainberg> ayoung, validate token re-writes the token in many ways.
03:13 <morganfainberg> ayoung, once everything uses validate token instead of get_token, it's easy to use the openssl stuff and decode the token and use that raw value never touching the db, in the case of loading from the db, we need to just be smarter
03:14 <morganfainberg> ayoung, easy enough fix. thanks for talking through it.
03:14 <ayoung> morganfainberg, so places like this  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py#n560
03:15 <morganfainberg> nah in the token_data_helper
03:15 <morganfainberg> there as well.
03:15 <morganfainberg> hm, maybe just there
03:15 <ayoung> expires=token_ref['expires'],  that kind of call is the sin
03:15 * morganfainberg is headed out.
03:15 <ayoung> gnight
03:16 *** rushiagr_away is now known as rushiagr
03:39 <stevemar> dstanek, ping
03:41 <dstanek> stevemar: pong
03:42 <stevemar> dstanek, looks like inspect.getcallargs doesn't work in py26 :(
03:42 <stevemar> looks like inspect.getargspec(fn) has to be used ... i think
03:43 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Standardize AccessInfo token setting  https://review.openstack.org/113415
03:43 <dstanek> Hmmm...let me have a look
03:50 *** ayoung has quit IRC
03:54 <dstanek> stevemar: ugg...the python impl of getcallargs is about 88 lines of code
03:57 <stevemar> blah
03:57 <stevemar> not worth it since we only use it in 1 spot
03:57 <stevemar> might be worth proposing to oslo or something
03:58 <dstanek> i think i have a shorter version - working on a few tests now
04:00 *** hrybacki has quit IRC
04:00 <stevemar> dstanek, m'alright
04:00 <stevemar> thanks for looking at this
04:00 <dstanek> 2.6 is dead to me!
04:00 <dstanek> stevemar: ma pleasure - just going through the reviews in my inbox
04:01 <stevemar> i think 2.6 is dead to most
04:01 *** rushiagr is now known as rushiagr_away
04:02 *** hrybacki has joined #openstack-keystone
04:06 *** hrybacki has quit IRC
04:12 *** andreaf has joined #openstack-keystone
04:13 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Convert shell tests to requests-mock  https://review.openstack.org/110210
04:15 *** andreaf has quit IRC
04:30 *** Kuo_ has joined #openstack-keystone
04:31 *** david-lyle has joined #openstack-keystone
04:33 *** RockKuo_Home has quit IRC
04:36 *** gokrokve has joined #openstack-keystone
04:50 *** chandankumar has joined #openstack-keystone
05:02 *** chandankumar has quit IRC
05:05 <stevemar> dstanek, still alive?
05:06 *** alex_xu has joined #openstack-keystone
05:08 *** spandhe_ has quit IRC
05:12 *** chandankumar has joined #openstack-keystone
05:13 *** amirosh has joined #openstack-keystone
05:19 *** ajayaa has joined #openstack-keystone
05:22 *** Dafna has quit IRC
05:24 *** Dafna has joined #openstack-keystone
05:28 *** topol has quit IRC
05:30 *** k4n0 has joined #openstack-keystone
05:33 *** ukalifon1 has joined #openstack-keystone
05:42 <dstanek> stevemar: mostly
05:43 <stevemar> dstanek, great to hear! don't let the zombies get you
05:44 *** gokrokve_ has joined #openstack-keystone
05:47 *** gokrokve has quit IRC
05:48 *** gokrokve_ has quit IRC
05:49 *** tomoiaga has joined #openstack-keystone
06:06 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/111920
06:25 *** abhishekk has joined #openstack-keystone
06:28 *** yasukun has joined #openstack-keystone
06:33 *** openstackgerrit_ has joined #openstack-keystone
06:37 *** gokrokve has joined #openstack-keystone
06:39 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/110542
06:42 *** gokrokve has quit IRC
06:42 *** stevemar has quit IRC
06:42 *** stevemar has joined #openstack-keystone
06:47 *** stevemar has quit IRC
07:04 <openstackgerrit> wanghong proposed a change to openstack/keystonemiddleware: convert the conf value into correct type  https://review.openstack.org/113191
07:10 *** amcrn has joined #openstack-keystone
07:18 *** jaosorior has joined #openstack-keystone
07:19 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow registering individual plugin CONF options  https://review.openstack.org/113478
07:21 *** yasukun has quit IRC
07:22 *** yasukun has joined #openstack-keystone
07:23 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/95680
07:23 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery  https://review.openstack.org/107570
07:23 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/97681
07:23 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow providing a default value to CLI loading  https://review.openstack.org/113742
07:23 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins  https://review.openstack.org/81147
07:29 *** david-lyle has quit IRC
07:29 *** david-lyle has joined #openstack-keystone
07:34 *** david-lyle has quit IRC
07:34 *** rwsu has quit IRC
07:36 *** gokrokve has joined #openstack-keystone
07:37 *** gokrokve has quit IRC
07:38 *** gokrokve has joined #openstack-keystone
07:40 *** bvandenh has joined #openstack-keystone
07:43 *** gokrokve has quit IRC
07:52 *** rwsu has joined #openstack-keystone
07:53 *** ajayaa has quit IRC
07:54 *** afazekas has joined #openstack-keystone
08:02 *** alex_xu has quit IRC
08:05 *** marekd|away is now known as marekd
08:06 *** ajayaa has joined #openstack-keystone
08:15 *** alex_xu has joined #openstack-keystone
08:15 *** alex_xu has quit IRC
08:16 *** alex_xu has joined #openstack-keystone
08:24 <openstackgerrit> Christian Berendt proposed a change to openstack/keystone: Bump hacking to 0.9.x series  https://review.openstack.org/98996
08:29 *** yasukun has quit IRC
08:37 *** gokrokve has joined #openstack-keystone
08:41 *** gokrokve has quit IRC
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO  https://review.openstack.org/10609609:28
*** david-lyle has joined #openstack-keystone09:30
*** renlt has joined #openstack-keystone09:32
*** david-lyle has quit IRC09:35
*** gokrokve has joined #openstack-keystone09:37
*** david-lyle has joined #openstack-keystone09:38
*** gokrokve has quit IRC09:38
*** gokrokve has joined #openstack-keystone09:39
*** david-lyle has quit IRC09:43
*** gokrokve has quit IRC09:43
*** alex_xu has quit IRC09:45
*** amcrn has quit IRC09:47
*** andreaf has joined #openstack-keystone09:47
openstackgerritAndreas Jaeger proposed a change to openstack/keystone: Rename bash8 requirement  https://review.openstack.org/11382809:55
*** bvandenh has quit IRC10:00
*** med_ has quit IRC10:00
*** gyee has quit IRC10:00
*** nonameentername has quit IRC10:00
*** bvandenh has joined #openstack-keystone10:07
*** med_ has joined #openstack-keystone10:07
*** gyee has joined #openstack-keystone10:07
*** nonameentername has joined #openstack-keystone10:07
openstackgerritMarek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054210:10
openstackgerritAndreas Jaeger proposed a change to openstack/keystone: Rename bash8 requirement  https://review.openstack.org/11382810:17
*** bvandenh has quit IRC10:23
*** med_ has quit IRC10:23
*** gyee has quit IRC10:23
*** nonameentername has quit IRC10:23
openstackgerritSergey Lukjanov proposed a change to openstack/keystone: Remove trailing space in tox.ini  https://review.openstack.org/11383710:26
*** bvandenh has joined #openstack-keystone10:30
*** med_ has joined #openstack-keystone10:30
*** gyee has joined #openstack-keystone10:30
*** nonameentername has joined #openstack-keystone10:30
*** abhishekk has quit IRC10:31
*** abhishekk has joined #openstack-keystone10:32
*** gokrokve has joined #openstack-keystone10:37
*** david-lyle has joined #openstack-keystone10:39
*** gokrokve has quit IRC10:41
*** david-lyle has quit IRC10:43
*** henrynash has joined #openstack-keystone10:46
*** henrynash has quit IRC10:54
*** topol has joined #openstack-keystone10:55
*** renlt has quit IRC11:01
*** henrynash has joined #openstack-keystone11:02
*** miqui has joined #openstack-keystone11:06
*** ukalifon1 has quit IRC11:12
*** diegows has joined #openstack-keystone11:19
*** ukalifon has joined #openstack-keystone11:26
*** andreaf_ has joined #openstack-keystone11:32
*** andreaf has quit IRC11:34
*** henrynash has quit IRC11:37
*** gokrokve has joined #openstack-keystone11:37
*** andreaf_ has quit IRC11:38
*** david-lyle has joined #openstack-keystone11:40
*** gokrokve has quit IRC11:42
*** david-lyle has quit IRC11:44
*** ajayaa has quit IRC11:48
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in identity layer.  https://review.openstack.org/11057511:52
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Fix handling of deprecated opts in CLI  https://review.openstack.org/11385912:00
*** jamielennox is now known as jamielennox|away12:02
*** ajayaa has joined #openstack-keystone12:05
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in trust layer.  https://review.openstack.org/11327712:08
*** boris-42 has quit IRC12:21
*** chandankumar has quit IRC12:32
*** bknudson1 has quit IRC12:32
*** cjellick has joined #openstack-keystone12:32
*** boris-42 has joined #openstack-keystone12:32
*** chandankumar has joined #openstack-keystone12:33
*** gokrokve has joined #openstack-keystone12:37
*** david-lyle has joined #openstack-keystone12:40
*** gokrokve has quit IRC12:41
*** david-lyle has quit IRC12:45
*** bknudson has joined #openstack-keystone12:52
*** radez_g0n3 is now known as radez12:54
*** henrynash has joined #openstack-keystone13:03
*** topol has quit IRC13:04
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in policy layer.  https://review.openstack.org/11323613:05
*** ajayaa has quit IRC13:07
*** gordc has joined #openstack-keystone13:10
*** nkinder has quit IRC13:11
*** andreaf has joined #openstack-keystone13:14
*** henrynash has quit IRC13:17
*** ajayaa has joined #openstack-keystone13:20
*** stevemar has joined #openstack-keystone13:24
*** andreaf_ has joined #openstack-keystone13:25
marekddolphm: What is more preferable in k2k token to saml exchange? another endpoint, say /v3/OS-FEDERATION/saml or sending a request to /v3/auth/tokens ?13:25
dolphmmarekd: definitely a new endpoint because you're not getting back a token (which is what /tokens implies)13:27
dolphmmarekd: /v3/auth/OS-FEDERATION/saml2 ?13:27
marekddolphm: ok13:27
*** andreaf has quit IRC13:28
*** rushiagr_away is now known as rushiagr13:29
marekdi think we will return a json object, where a saml assertion should be an attribute.13:29
*** andreaf_ has quit IRC13:31
*** andreaf has joined #openstack-keystone13:32
*** ayoung has joined #openstack-keystone13:32
*** henrynash has joined #openstack-keystone13:33
*** kwss has joined #openstack-keystone13:33
*** zzzeek has joined #openstack-keystone13:34
*** andreaf has quit IRC13:34
*** andreaf has joined #openstack-keystone13:35
*** vhoward has left #openstack-keystone13:36
*** gokrokve has joined #openstack-keystone13:37
*** radez is now known as radez_g0n313:40
*** gokrokve has quit IRC13:42
dolphmmarekd: what other attribute do you need to return with the saml doc?13:43
raildohenrynash: I answered your comments about multitenancy hierarchical, if you can check there, I will thank you13:43
*** chandankumar has quit IRC13:44
henrynashraildo: Ok, will do13:44
henrynashraildo: thx13:44
dolphmbknudson: any chance you know if there are *two* oslo config generators? perhaps one in python and in bash?13:46
bknudsondolphm: I think markmc was working on a different sample config generator13:46
marekddolphm: essentially nothing else.13:47
henrynashraildo: responded… I think if you make those changes, then I'm good with the spec13:47
dolphmbknudson: hmm https://github.com/openstack/oslo.config/blob/master/oslo/config/generator.py13:48
bknudsondolphm: y, that's the new one13:48
raildohenrynash: Perfect! :D13:48
henrynashraildo: :-)13:49
dolphmbknudson: that one actually works for me, but produces completely different results13:49
marekddolphm: we might want to return region id as well, but if not, I will make keystoneclient remember it.13:49
bknudsondolphm: I'd expect it to produce different output... it also has support for other plugins to modify the output13:49
dolphmbknudson: any reason for us not to switch?13:50
*** ajayaa has quit IRC13:50
stevemarmarekd, i figured we would just return the saml assertion13:51
bknudsondolphm: I think we should switch. I assume the generator in oslo-incubator is abandoned.13:51
stevemaralso, good morning marekd!13:51
*** andreaf_ has joined #openstack-keystone13:52
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/config/generator.py13:52
stevemarhenrynash, ping!13:52
dolphmbknudson: cool, thanks13:52
henrynashstevemar: hi13:52
bknudsondolphm: the oslo.config generator just worked without changes?13:53
stevemarhenrynash, we need you to voice your opinion on https://review.openstack.org/#/c/113666/13:53
stevemarhenrynash, dolph suggested maybe moving openidconnect support to K13:53
bknudsonit's backwards compat?13:53
stevemari wanted to make sure i wasn't breaking you13:54
dolphmbknudson: seems to, but i'll ping you with a patch in a minute13:54
henrynashstevemar: thx for checking, let me quickly get a read from a couple of my colleagues…13:54
*** andreaf has quit IRC13:55
*** nkinder has joined #openstack-keystone13:55
marekdstevemar: hey !13:55
dolphmbknudson: new keystone.conf.sample in the mean time, if you're interested http://pasteraw.com/kn1ocrtj9m33ewpe33fldda2we4lvi713:55
bknudson`oslo-config-generator --namespace keystone` generated some output for me13:56
marekdstevemar: but prely and xml?13:56
marekdpurely13:56
*** jasondotstar has joined #openstack-keystone13:56
bknudsondolphm: looks like we need to add entry points for the oslo libraries that keystone uses.13:57
stevemarmarekd, yep, some of the controllers already return XML13:57
dolphmbknudson: that's already done in setup.cfg13:57
dolphmbknudson: unless we're going to have different config for keystone-manage or something13:57
*** zzzeek has quit IRC13:58
marekdstevemar: not very openstacky, but whatevs :-)13:59
bknudsondolphm: missing from http://pasteraw.com/kn1ocrtj9m33ewpe33fldda2we4lvi7 are "Options defined in oslo.messaging"13:59
bknudsonfor example13:59
marekdstevemar: you prefer to send a region_id in the json request or specify in the URL ?14:00
stevemarmarekd, http://docs.openstack.org/api/openstack-identity-service/2.0/content/ ctrl+f XML, all the v2 controllers have xml support :)14:00
bknudsondolphm: when I ran `oslo-config-generator --namespace keystone --namespace oslo.messaging` it also output "From oslo.messaging"14:01
dolphmbknudson: ++ and oslo.db14:01
bknudsonI thought we had to add entry points in setup.cfg for those but I guess not.14:02
*** andreaf_ has quit IRC14:02
*** andreaf_ has joined #openstack-keystone14:02
stevemarmarekd, i'm not sure, what did you think? dolphm your thoughts (on specifying the region when you want a saml assertion?)14:02
*** abhishekk has quit IRC14:03
marekdif we specify region id keystone will make +1 db lookup :P14:03
*** ajayaa has joined #openstack-keystone14:03
marekdstevemar: ah, it will always make a lookup14:03
marekdi would specify the region in the url.14:04
stevemarhehe, yeah, can't get out of that one14:04
marekdwe actually don't want to POST/PUT anything, we only want to get something new.14:05
marekdso GET seems like a logical HTTP method.14:05
stevemarmarekd, hmmmm... i guess so14:09
*** richm has joined #openstack-keystone14:10
marekddolphm: for token -> saml exchange - seems like stevemar agrees that region should be specified in the URL and then we can use HTTP GET instead of POST/PUT and sending the region in the request body.14:10
*** Krast has quit IRC14:13
*** radez_g0n3 is now known as radez14:13
*** Krast has joined #openstack-keystone14:14
openstackgerritDolph Mathews proposed a change to openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390514:16
*** openstackgerrit has quit IRC14:16
*** openstackgerrit has joined #openstack-keystone14:17
dolphmbknudson: ^^ config file appears to be shorter because it's actually wrapping differently14:18
dstanekstevemar: i got side tracked last night because i found getcallargs in oslo14:19
stevemardstanek, i noticed in the comments, i was hoping it was in oslo14:20
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101714:21
dstanekstevemar: theirs is broken for decorators :-(14:21
stevemarbahhhh14:21
dstanektesting my simple version now14:21
bknudsondolphm: it's missing "Options defined in keystone.notifications"14:21
bknudson"default_publisher_id"14:22
bknudsondolphm: and "backdoor_port"14:23
dolphmbknudson: wtf is backdoor_port?14:23
bknudsondolphm: that's my secret port for hacking into systems.14:23
bknudsondolphm: and the options from keystone.openstack.common.log14:24
dolphmbknudson: are these from more oslo namespaces?14:24
bknudsonkeystone.openstack.common.policy14:24
bknudsondolphm: no, they're from oslo-incubator14:25
bknudsonI assume these are registered on import14:25
bknudsonLooks like the new config generator alphabetizes rather than taking them in order.14:26
dolphmbknudson: it does14:26
openstackgerrithenry-nash proposed a change to openstack/identity-api: Extension for endpoint policy association.  https://review.openstack.org/11229214:26
openstackgerritDolph Mathews proposed a change to openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390514:26
dstanekboo...really? so you can't group related options within a section?14:26
morganfainbergdstanek, isn't the point of a section to group related options?14:27
*** gokrokve has joined #openstack-keystone14:27
bknudsondstanek: They'll be grouped based on the file they're in, too.14:27
bknudsonor is it the entry point now?14:27
dolphmdstanek: it seems to sort by group, then by option14:28
*** Krast has quit IRC14:28
dstanekmorganfainberg: yes, but some of our sections span multiple pages in my editor14:28
*** Krast has joined #openstack-keystone14:28
bknudsondstanek: but it does separate "admin_workers" and "public_workers", which is not ideal14:28
bknudsonmaybe we should have separate entry points.14:29
dstanekbknudson: right. i'm sure there are other cases where they are defined together in code because they are somehow related14:29
*** Krast has quit IRC14:31
*** Krast has joined #openstack-keystone14:31
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Role assignment notifications  https://review.openstack.org/11366914:31
openstackgerritDavid Stanek proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events  https://review.openstack.org/11220414:35
*** ajayaa has quit IRC14:35
dolphmas far as i can tell, no other project is using oslo-config-generator yet, and i have no idea how to include logging options14:37
*** kwss has quit IRC14:38
stevemardstanek, thanks for adding yourself as co-author, saves me the trouble :D14:40
dstanekstevemar: i figured i'd be deflecting blame if others dislike the inspect based approach14:42
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a URL field to region table  https://review.openstack.org/10693514:42
raildohenrynash: I'll wait for someone else to review, if you receive a -1 I will fix this together, ok?14:43
raildohenrynash: Thanks for all your help this time. This was my first spec, I promise that in the next spec I will give you less work.14:43
henrynashraildo: you got hierarchical-projects for your first spec!!! Ouch!!!14:43
stevemari just realized i forgot to eat breakfast14:44
raildohahahahaha yes14:44
henrynashraildo: they couldn't find anything harder :-)14:44
morganfainbergstevemar, go eat!14:44
morganfainbergbreakfast is important!!!!14:44
henrynashstevemar: go west14:45
stevemarmorganfainberg, may as well wait for lunch14:45
morganfainbergstevemar, even if you're only eating a snack @11am it's better to eat breakfast then lunch14:45
raildohenrynash: Well, it's a big change and a big challenge for me and my team but it will come out all right in the end :)14:46
henrynashraildo: I’m sure14:46
stevemarmorganfainberg, alllright14:46
*** henrynash has quit IRC14:48
*** ajayaa has joined #openstack-keystone14:48
*** gokrokve has quit IRC14:50
*** gokrokve has joined #openstack-keystone14:50
*** samuelmz has joined #openstack-keystone14:52
*** gokrokve has quit IRC14:55
*** ajayaa has quit IRC15:01
*** jorge_munoz has joined #openstack-keystone15:04
stevemardolphm, can you use your PTL powers to get attention to this guy: https://review.openstack.org/#/c/113294/15:05
openstackgerritMarek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054215:05
*** amirosh has quit IRC15:08
*** amirosh has joined #openstack-keystone15:09
*** amirosh_ has joined #openstack-keystone15:12
*** amirosh has quit IRC15:12
*** hrybacki has joined #openstack-keystone15:20
*** hrybacki has quit IRC15:21
*** hrybacki has joined #openstack-keystone15:21
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Remove unnecessary declaration of CONF  https://review.openstack.org/11393015:23
*** bvandenh has quit IRC15:31
*** jaosorior has quit IRC15:32
ayoungdagnabit, henrynash, where are you?15:37
*** topol has joined #openstack-keystone15:37
ayoungstevemar, use your -215:39
ayoungOh, wait15:39
ayoungthat is not what you want..15:39
ayoungI'll look at it15:39
stevemarayoung, hola15:39
ayounglooks clean.15:39
stevemarwhich patch you talking about?15:40
ayoungthe pysaml2 global req15:40
stevemarah15:40
ayoungstevemar, ok,  need to talk something over with someone.15:40
stevemaryeah, but none of us have power there :(15:40
ayoungSHould be henry15:40
ayoungbut he's not here, and you are smart15:40
ayoungand this will, I think, affect SAML15:40
ayoungI have a set up where I can use both password and kerberos to get a token for a user in a domain specific backend15:41
stevemarwrite it out, we can fwd him a copy of the transcript15:41
ayoungpassword succeeds, kerberos fails15:41
ayoungI think it is due to the password code calling authenticate15:41
ayoungcuz authenticate does this15:41
*** amirosh_ has quit IRC15:41
*** gokrokve has joined #openstack-keystone15:41
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n52615:41
ayoungseems to me that the logic to do that should not be specific to "authenticate" but should instead happen somewhere between the auth plugin and the rest of the token provider15:42
ayoungNow, I can hack the "external" plugin to support that call15:42
ayoungbut every plugin needs to do that logic.15:43
stevemari'm not sure every plugin calls identity.core.authenticate15:43
*** diegows has quit IRC15:43
stevemarwhen you authN with kerberos, the users exist in keystone?15:44
topoldolphm, you there15:44
topolor dstanek, you there?15:45
ayoungnot every plugin calls authenticate15:45
ayoungthat is the problem15:45
ayoungthe problem is that the authenticate code currently does the line:15:45
ayoung domain_id, driver, entity_id = (15:45
ayoung            self._get_domain_driver_and_entity_id(user_id))15:45
*** rushiagr is now known as rushiagr_away15:46
ayoungstevemar, so if the user is, as is my case 'ayoung'  in LDAP,  that needs to become15:46
ayoungsha256(ayoung:<domainid>)15:46
ayoungstevemar, with kerberos, the users are in LDAP15:47
ayoungI have ldap mounted as an domain specific backend15:47
stevemarayoung, so, one thing about the identity.core.authenticate, the only thing that should be calling it is the password auth plugin http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/password.py#n12815:48
ayoungstevemar, exactly15:48
stevemardo you plan on creating a kerberos plugin?15:48
ayoungbut the other plugins need to do the same userid transform15:48
ayoungstevemar, I'd like to avoid that15:48
ayoungkerberos should be one of many handled by the mapping approach15:49
ayoungright now I am using the external plugin but with a "method" of Kerberos15:49
*** tomoiaga has quit IRC15:49
ayoungstevemar, you are going to want https://review.openstack.org/#/c/107873/15:49
ayoungmapping is the generic plugin, but authentication is done on the "pre-mapped" userid15:50
ayoungso if a SAML assertion set REMOTE_USER=stevemar  the saml/mapping plugin will have to do the sha256 transform15:51
stevemaryeah, i don't get the whole method_name thing15:51
dstanektopol: yup15:51
stevemarwhy it was there in the first place15:51
ayoungstevemar, one was for MultiFactor:15:51
ayoungbut also, I think, it was a nod toward a need for dependency injection without getting it quite right15:52
topoldstanek, can you help me with the following? http://paste.openstack.org/show/94466/15:52
ayoungstevemar, but we are now using that as part of the client15:52
ayoung's way of setting up the connection15:52
ayoungclient plugins are making use of the method to figure out how to structure the request15:53
ayounga kerberos request for token looks like this:15:53
* ayoung WAITS FOR A SLOW SERVER 15:53
ayoung{"auth":{"identity":{"methods":["kerberos"],"kerberos":{}}}}15:54
ayoungsince there is no kerberos specific data to send, it's a little redundant15:54
ayoungand the ,"kerberos":{}  probably should be optional15:54
ayoungbut it's part of the contract15:55
stevemari remember trying to make that optional, but it broke things15:55
ayoungyeah.15:55
ayoungbut on the client side, if you use the kerberos plugin, it's like setting --negotiate on a curl call15:55
dolphmstevemar: set your bp to blocked and escalated15:56
dolphmtopol: yesish15:56
dstanektopol: that's trying to make a new venv using tox?15:56
topoldstanek, so bknudson said my virtualenv was backlevel.  I just upgraded virtualenv and am hoping that fixes it15:57
ayoungstevemar, so the question is where to put that self._get_domain_driver_and_entity_id(user_id)) call.15:57
topoldstanek but yes15:57
dstanektopol: a couple of people have had to update virtualenv and tox because they were using older versions15:58
ayoungIt probably should not have been embedded inside the authenticate call, but rather put into the password plugin15:58
ayoungand the comparable code in the v2 token controller15:58
*** henrynash has joined #openstack-keystone15:58
topoldstanek, ok I just updated virtualenv. If that doesn't fix stuff I'll try updating tox15:59
stevemardolphm, was that a statement or a request?16:00
dolphmstevemar: statement16:01
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events  https://review.openstack.org/11220416:01
stevemarblocked against what?16:01
dolphmstevemar: the patch to openstack/requirements16:01
stevemaroh16:01
*** k4n0 has quit IRC16:01
stevemarmeh, i figure that's procedural16:01
stevemarthanks16:01
dolphmstevemar: yeah, but if that patch doesn't land by next tuesday, it'll be on the cross-project agenda and get a ton of attention16:02
topoldstanek, dolphm, I'm good now.  THANKS bknudson!!!16:02
dstanekstevemar: thanks! just saw the red screen of failure16:02
stevemardstanek, np, i saw it too, easy enough16:02
*** gyee_ has joined #openstack-keystone16:02
*** rushiagr_away is now known as rushiagr16:03
ayoungstevemar, I think the password code actually does the transform http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/password.py#n8216:04
*** henrynash has quit IRC16:05
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/password.py#n103  user_ref = self.identity_api.get_user(user_id)16:05
stevemarayoung, yeah, definitely only the password does it atm16:06
ayoungstevemar, hmmm, but something should call  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n55716:06
ayoungAH!16:06
ayoungProblem is the kerberos is using the default domain16:07
ayoungit wasn't this code at all16:07
ayounghmmm,  so the REALM is going to be YOUNGLOGIC.NET16:08
ayoungI wonder if16:08
ayoungkeystone.YOUNGLOGIC.NET.conf is a valid domain config file...lets try this out...16:08
gyee_stevemar, ayoung, morganfainberg, ran into something interesting while looking at Kristy's generic map plugin16:11
ayoung?16:11
gyee_plugin to method used to be a one-to-many relationship16:11
gyee_meaning I can have something like this16:12
gyee_methods = a,b,c16:12
gyee_a = keystone.auth.plugins.SomePlugin16:12
gyee_b = keystone.auth.plugins.SomePlugin16:12
gyee_c = keystone.auth.plugins.SamePlugin16:12
gyee_with morganfainberg's patch sometime ago, we no longer allow this16:12
stevemara,b and c all point to the same plugin?16:12
gyee_all plugins must specify a single "method"16:13
gyee_stevemar, yes16:13
gyee_that's essential for generic map16:13
stevemarwhat patch was that (morgan's)?16:13
gyee_where a plugin can serve multiple methods16:13
gyee_morganfainberg submitted a patch to allow specifying the class directly in methods16:14
stevemargyee, they could just have it:16:14
stevemara = keystone.auth.plugins.a; b = keystone.auth.plugins.b; c = keystone.auth.plugins.c16:14
gyee_however, he also restricted to plugin-method as a one to one relationship16:14
stevemarand they all inherit from some base class16:14
gyee_stevemar, with generic map *plugin*, it should be able to serve multiple methods16:15
ayounggyee_, I have a patch to fix that16:15
gyee_ayoung, link?16:15
ayoungcoming up16:15
ayounggyee_, https://review.openstack.org/#/c/107873/16:15
gyee_wtf?16:15
ayounggyee_, it means that you could have kerberos= ....plugins.Mapping16:16
gyee_dolphm, why the big red cross? we used to allow one-to-many relationship16:16
gyee_ayoung, exactly16:16
ayoungand also  x509= ....plugins.Mapping16:16
gyee_amen brother!16:16
ayoungnah, the big red X is just to get the docs in line16:16
gyee_ah, sorry, I thought he doesn't like the idea16:17
gyee_my bad16:17
ayoung"Patch Set 6: Code-Review-1 Workflow-116:17
ayoungso, either the configuration file defines a package path to a plugin and the plugin defines its own method name... or we pre-register plugins and then map them to a method in conf. supporting two solutions to the same problem is complex/confusing and needs strong documentation to justify both approaches. revise doc/ appropriately."16:17
gyee_man this new UI is a bit confusing, the big red cross can mean two different things now16:18
ayoungI'll try to update that one later on today16:18
* gyee_ needs to get used to it16:18
ayounggyee_, yeah and it's a WIP if the owner sets Workflow -116:18
ayoungwhich is really what he meant by it16:19
ayounglets see what the docs say...16:19
* ayoung hasn't looked yet16:19
gyee_ayoung, I know, I need to relearn how to read :)16:19
*** wwriverrat has joined #openstack-keystone16:19
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/doc/source/configuration.rst#n20716:19
ayoungI don't think the alternative ways of specifying the auth plugins are documented16:20
gyee_ayoung, yeah, you're right16:21
*** wwriverrat1 has joined #openstack-keystone16:23
openstackgerritayoung proposed a change to openstack/keystone: Do not require method attribute on plugins  https://review.openstack.org/10787316:23
ayounggyee_, lets see if it passes check.  If so, please +2 and comment16:24
stevemarmarekd,16:24
gyee_ayoung, definitely, it's blocking the generic map work16:24
stevemarping16:24
ayounggyee_, y'all will catch up to me someday16:24
*** wwriverrat has quit IRC16:24
gyee_heh, u da man16:25
ayoungI'm just a simple caveman16:25
*** wwriverrat1 has left #openstack-keystone16:27
*** wwriverrat1 has joined #openstack-keystone16:28
*** rm_work has quit IRC16:29
*** rm_work has joined #openstack-keystone16:30
*** henrynash has joined #openstack-keystone16:30
*** rm_work has quit IRC16:34
*** rm_work has joined #openstack-keystone16:35
*** rm_work has quit IRC16:35
*** rm_work has joined #openstack-keystone16:35
*** andreaf_ has quit IRC16:36
*** fifieldt has quit IRC16:37
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101716:39
*** rm_work has quit IRC16:41
*** rm_work has joined #openstack-keystone16:42
*** rm_work has quit IRC16:42
*** rm_work has joined #openstack-keystone16:42
*** afazekas has quit IRC16:42
*** fifieldt has joined #openstack-keystone16:44
*** rm_work has quit IRC16:47
*** amerine has joined #openstack-keystone16:47
*** rm_work has joined #openstack-keystone16:47
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a URL field to region table  https://review.openstack.org/10693516:48
*** spandhe_ has joined #openstack-keystone16:52
*** rm_work has quit IRC16:52
*** rm_work has joined #openstack-keystone16:53
*** rm_work has quit IRC16:53
*** rm_work has joined #openstack-keystone16:53
*** gyee_ has quit IRC16:53
*** hrybacki has quit IRC16:57
*** amirosh has joined #openstack-keystone16:58
*** rm_work has quit IRC16:58
*** rm_work has joined #openstack-keystone16:58
*** rm_work has quit IRC16:58
*** rm_work has joined #openstack-keystone16:58
*** rm_work has quit IRC17:03
*** rm_work has joined #openstack-keystone17:04
*** rm_work has quit IRC17:04
*** rm_work has joined #openstack-keystone17:04
*** rm_work has quit IRC17:08
*** arborism has joined #openstack-keystone17:09
*** arborism is now known as amcrn17:09
*** rm_work has joined #openstack-keystone17:10
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a URL field to region table  https://review.openstack.org/10693517:10
*** zzzeek has joined #openstack-keystone17:11
*** rm_work has quit IRC17:15
*** diegows has joined #openstack-keystone17:16
*** rm_work has joined #openstack-keystone17:19
*** rm_work has quit IRC17:19
*** rm_work has joined #openstack-keystone17:19
*** henrynash has quit IRC17:21
*** rm_work has quit IRC17:26
*** rm_work has joined #openstack-keystone17:27
*** amcrn has quit IRC17:29
*** rm_work has quit IRC17:32
*** rm_work has joined #openstack-keystone17:32
*** abhishekk has joined #openstack-keystone17:35
*** abhishekk has left #openstack-keystone17:35
openstackgerritBrant Knudson proposed a change to openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390517:37
*** dguitarbite has joined #openstack-keystone17:37
bknudsondolphm: includes some more of the options ^17:37
*** rm_work has quit IRC17:37
*** rm_work has joined #openstack-keystone17:38
*** rm_work has quit IRC17:38
*** rm_work has joined #openstack-keystone17:38
openstackgerritBrant Knudson proposed a change to openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390517:43
*** rm_work has quit IRC17:43
*** rm_work has joined #openstack-keystone17:44
*** rm_work has quit IRC17:44
*** rm_work has joined #openstack-keystone17:44
dguitarbitehello17:45
dguitarbiteI have a weird question17:45
dguitarbiteabout nova endpoints17:45
dguitarbitecan someone answer them?17:45
dguitarbite*it17:45
*** rm_work has quit IRC17:49
*** rm_work has joined #openstack-keystone17:49
*** rm_work has quit IRC17:50
*** rm_work has joined #openstack-keystone17:50
*** radez is now known as radez_g0n317:51
ayoungdguitarbite, Fire away.  No promises on the quality of the answer17:52
*** amcrn has joined #openstack-keystone17:53
*** rm_work has quit IRC17:54
dguitarbitewhy does nova endpoints require "tenant_id" in the URL?17:54
dguitarbite --publicurl=http://controller:8774/v2/%\(tenant_id\)s \17:54
ayoungdguitarbite, because someone at some point made a bad decision about scoping17:54
*** portante has quit IRC17:55
ayoungdguitarbite, it really shouldn't be, but the nova client, and all of the code is written assuming it gets the url that way17:55
*** radez_g0n3 is now known as radez17:56
dguitarbiteayoung: it pains me17:58
ayoungdguitarbite, you know that /v2 part before it.  That is dumb, too17:58
dguitarbite*it pains to see the inconsistencies in the code17:58
dguitarbiteI know :)17:58
dguitarbiteIm with you in this17:58
ayoungand that is keeping people on older versions of the apis17:59
dguitarbiteand if I try to fix it and put a patch they will say it's not required17:59
dguitarbitewe don't have the required time for this level of patching17:59
dguitarbiteeven the "db sync" and "db_sync" issue17:59
amiroshhi guys, could somebody review https://review.openstack.org/#/c/111200/ (updated Aug 5 - it feels so lonely)?18:01
*** portante has joined #openstack-keystone18:02
*** CaioBrentano has joined #openstack-keystone18:04
ayoungamirosh, looking18:05
*** rm_work has joined #openstack-keystone18:05
*** rm_work has quit IRC18:05
*** rm_work has joined #openstack-keystone18:05
amiroshayoung: thanks!18:05
dguitarbiteayoung: thanks :)18:05
ayoungamirosh, +218:06
amiroshayoung: awesome! I have 2 more in the queue:)18:08
CaioBrentanohas anybody ever had any "CRITICAL IOError" with eventlet_server on a keystone-all process?18:08
*** rm_work has quit IRC18:11
*** rm_work has joined #openstack-keystone18:12
*** rm_work has quit IRC18:16
*** rm_work has joined #openstack-keystone18:16
*** amirosh has quit IRC18:19
*** amirosh has joined #openstack-keystone18:19
*** jasond` has joined #openstack-keystone18:23
*** amirosh has quit IRC18:24
*** ayoung has quit IRC18:26
*** rm_work has quit IRC18:29
*** rm_work has joined #openstack-keystone18:29
*** rm_work has quit IRC18:33
*** rm_work has joined #openstack-keystone18:33
*** miqui_ has joined #openstack-keystone18:34
*** ukalifon has quit IRC18:37
*** raildo has quit IRC18:40
*** portante_ has joined #openstack-keystone18:40
*** portante has quit IRC18:41
*** openstackgerrit has quit IRC18:41
*** miqui has quit IRC18:41
*** openstackgerrit has joined #openstack-keystone18:49
*** diegows has quit IRC18:52
*** rushiagr is now known as rushiagr_away18:56
dolphmCaioBrentano: are you hacking on keystone, or deploying it?18:59
morganfainbergdolphm, sanity check, are we *really* at 4007 tests?19:00
CaioBrentanodeploying it… I have 2 servers running keystone, and one instance suddenly stopped19:00
CaioBrentanoand I got a IOError on the logs19:01
CaioBrentanorelated with "keystone/common/environment/eventlet_server.py"19:02
bknudsonmorganfainberg: skips=109219:03
morganfainbergbknudson, yep. thats what i have19:03
bknudsonso we skip 25% of the tests...19:03
morganfainbergbknudson, yeah a lot of skips in ldap backend19:03
morganfainbergbknudson, we should *fix* that and stop skipping and verify we get the response (exception) we should get.19:03
bknudsonit might turn out that some of them actually work19:04
*** henrynash has joined #openstack-keystone19:05
morganfainbergbknudson, hehe19:05
dolphmooh, detailed jenkins votes at the top now19:06
morganfainbergbknudson, iirc you ran across this: if we validate a v3 token via v2 interface, the issued_at time changes.19:06
dolphmmorganfainberg: that includes the copy/pasted ones19:06
morganfainbergbknudson, was that *not* really fixable.19:06
bknudsonmorganfainberg: y, it should be fixed19:06
dolphmCaioBrentano: can you open a bug report with the full traceback and whatever led to the behavior?19:07
morganfainbergbknudson, huh. i just pulled master still seeing:                                   'issued_at': timeutils.strtime()19:07
morganfainbergin format_data19:07
bknudsonmorganfainberg: https://review.openstack.org/#/c/111772/19:07
morganfainbergerm format_token19:07
morganfainbergah the inverse is also true19:08
morganfainbergconverting a v3 token to v2 changes issued_at19:08
bknudsonmorganfainberg: ah.. I didn't look into that19:08
morganfainbergbknudson, you fixed v2 to v319:08
morganfainbergbknudson, no worries, i'll fix it while i'm in here.19:08
henrynashmorganfainberg: let me know if I added enough to https://review.openstack.org/#/c/99842/ for you to +2 (see lines 57-64)19:08
bknudsonmorganfainberg: it was a security vulnerability... since it cause revocation events to not work19:09
morganfainbergbknudson, i'll split it out into it's own patch and tag it as related19:09
morganfainbergto the bug you had19:09
morganfainbergor should i open a new bug?19:09
bknudsonmorganfainberg: I'd open a new bug since that one's closed19:09
morganfainbergbknudson, ++ will do shortly19:09
morganfainberghenrynash, looks good to me19:10
morganfainberghenrynash, just so we have a target to hit and people can't complain that we don't re-fetch the policy etc19:10
henrynashmorganfainberg: agreed, thx19:11
morganfainberghenrynash, +219:11
henrynashmorganfainberg: ta19:12
morganfainbergdolphm, ooooh i see what you mean by the scoring by jenkins. sweeeeeeet19:12
*** amirosh has joined #openstack-keystone19:13
henrynashstevemar: any chance you could check out: https://review.openstack.org/#/c/99842/19:23
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION  https://review.openstack.org/11399819:23
stevemarhenrynash, you betcha19:24
stevemarhenrynash, perfect reading material for my coffee break!19:24
henrynashstevemar: ha!19:25
henrynashstevemar: fyi, your view.openstack.org/#/c/106935/ is on its way…19:25
*** vhoward has joined #openstack-keystone19:25
henrynash(https://review.openstack.org/#/c/106935/)19:26
*** med_ has quit IRC19:26
stevemarhooray!19:27
stevemarthanks for keeping me honest on the tests19:28
*** radez is now known as radez_g0n319:30
*** portante_ is now known as portante19:34
henrynashstevemar: yw19:38
*** amirosh has quit IRC19:50
*** andreaf_ has joined #openstack-keystone19:53
*** andreaf_ is now known as andreaf19:53
*** elmiko has joined #openstack-keystone19:55
*** henrynash has quit IRC19:56
elmikohey folks, i'm trying to do some experiments with creating a domain and adding users to that domain. so far so good, but i find that keystoneclient won't create clients for the users unless i give the user id, username doesn't work even when the client is scoped to the domain. is this normal behavior?19:56
elmikofwiw, these are roleless, projectless, domains19:57
*** andreaf has quit IRC19:57
*** andreaf has joined #openstack-keystone20:01
*** amcrn has quit IRC20:05
wwriverrat1back20:05
*** henrynash has joined #openstack-keystone20:05
*** zzzeek_ has joined #openstack-keystone20:06
*** zzzeek has quit IRC20:06
*** zzzeek_ is now known as zzzeek20:06
*** ayoung has joined #openstack-keystone20:15
stevemarhenrynash, have you got any identity-api spec drafted for endpoint policy?20:17
*** jasond` has left #openstack-keystone20:18
henrynashstevemar: yep: https://review.openstack.org/#/c/112292/20:18
marekdstevemar: pong.20:20
stevemarmarekd, hola20:20
stevemarhenrynash, ty20:21
stevemari'm having trouble putting the endpoint->policy stuff all together20:21
marekdstevemar: what's up. I see you want POST for trading token for saml assertion...20:22
stevemarmarekd, yes, i put this up20:22
stevemarhttps://review.openstack.org/#/c/113998/1/v3/src/markdown/identity-api-v3-os-federation-ext.md20:22
marekdwhy post not get? to follow authn methods?20:22
*** RockKuo_Home has joined #openstack-keystone20:23
*** Kuo_ has quit IRC20:26
*** topol has quit IRC20:26
dolphmmarekd: i'd expect to get the same response back for subsequent GET requests - would that be the case?20:29
marekddolphm: that response would be a saml assertion?20:30
marekddolphm: plus I think stevemar proposed returning pure saml assertion, not wrapped with any json structure.20:31
dolphmmarekd:always the same assertion20:31
dolphmmarekd: stevemar: you'd also have to do GET /v3/auth/OS-FEDERATION/saml2?region_id={region_id} + scoped X-Auth-Token20:31
dolphmand the query string would be required, so 400 without it? that's odd20:31
stevemardolphm, ohhh i like that20:31
stevemarthat is a bit odd20:32
stevemarhenrynash, so it's still kinda RBACish?20:32
dolphmGET /v3/regions/{region_id}/OS-FEDERATION/saml2 + scoped X-Auth-Token? lol20:32
henrynashstevemar: yes, the idea is just so that you can specify your RBAC rules by endpoint (or group of endpoints)20:33
marekddolphm: ok ok, i get it :P20:34
stevemarhenrynash, oh, rather than one that applies to all of keystone20:34
stevemarhenrynash, why didn't you say that!20:34
marekddolphm: so for POST /v3/auth/OS-FEDERATION/saml2 do you expect to send json like we send for /auth/tokens?20:34
henrynashstevemar: well, today we allow a service to store its policy in keystone and then its endpoints would retrieve it by Policy ID20:35
stevemarhenrynash, comparatively, this now allows you set one for each endpoint20:36
henrynashstevemar: this allows a cloud provider to allow the endpoint ID, or its position in the region hierarchy, to get a more specific policy20:37
henrynashstevemar: you could, although I suspect the example in the spec is more likely….I want all the nova endpoints in the production region to have this specific policy…20:38
henrynashstevemar: and those in the test region to have this different one20:38
dolphmmarekd: some subset of it, yes20:38
*** wwriverrat1 has left #openstack-keystone20:38
*** hrybacki has joined #openstack-keystone20:39
stevemarmarekd, dolphm i'm gone in a few, but if you guys update the etherpad, i'll have a new patch ready for tomorrow morning20:41
marekdstevemar: sure.20:43
* marekd even stevemar sometimes rests20:43
*** stevemar has quit IRC20:47
ayounggyee, https://review.openstack.org/#/c/107873/20:49
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Endpoint policy extension  https://review.openstack.org/9984220:51
henrynashstevemar: fixed those 4 nits20:52
*** hrybacki has quit IRC20:54
*** rm_work has quit IRC20:57
*** rm_work has joined #openstack-keystone20:57
*** rm_work has quit IRC20:58
*** rm_work has joined #openstack-keystone20:58
gyeeayoung, thanks, lgtm21:01
*** rm_work has quit IRC21:01
openstackgerritA change was merged to openstack/keystone: Filter List Regions by 'parent_region_id'  https://review.openstack.org/11120021:03
openstackgerritA change was merged to openstack/keystone: Add a URL field to region table  https://review.openstack.org/10693521:03
*** hrybacki has joined #openstack-keystone21:03
*** rm_work has joined #openstack-keystone21:04
*** rm_work has quit IRC21:04
*** rm_work has joined #openstack-keystone21:04
elmikoayoung: question about roleless domains and whatnot, i've been working on implementing some of the stuff we talked about earlier, but i'm having an issue creating Client objects from usernames. it works if i use user ids but not names, thoughts?21:04
ayoungelmiko, Client objects?  you mean keystoneclient?21:04
elmikoyea21:05
elmikokeystoneclient.v3.Client21:05
*** miqui_ is now known as miqui21:06
*** cjellick_ has joined #openstack-keystone21:06
henrynashstevemar, morganfainberg: when you have a moment, could you guys re-apply +2s (and maybe even a +A !) for https://review.openstack.org/#/c/99842/ - only change from last version is fixing 4 nits commented by stevemar21:07
*** rm_work has quit IRC21:07
*** rm_work has joined #openstack-keystone21:07
*** rm_work has quit IRC21:07
*** rm_work has joined #openstack-keystone21:07
*** cjellick has quit IRC21:09
*** cjellick_ has quit IRC21:11
*** afaranha has quit IRC21:12
*** samuelmz has quit IRC21:12
*** rushiagr_away has quit IRC21:12
*** fifieldt has quit IRC21:13
*** afaranha has joined #openstack-keystone21:13
*** fifieldt has joined #openstack-keystone21:13
*** henrynash has quit IRC21:14
*** rm_work has quit IRC21:14
*** samuelmz has joined #openstack-keystone21:14
*** rushiagr_away has joined #openstack-keystone21:15
*** amcrn has joined #openstack-keystone21:16
openstackgerritBrant Knudson proposed a change to openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390521:18
*** rm_work has joined #openstack-keystone21:18
*** rm_work has quit IRC21:19
*** rm_work has joined #openstack-keystone21:19
ayoungelmiko, do you pass the domain in when creating the client?21:19
elmikoayoung: i tried that, and it didn't like the username21:19
ayoungelmiko, let me give it a try21:20
elmikoayoung: but it did work with user id, i'm gonna put together a pastebin to make things clearer21:20
ayoungelmiko, yes, please21:20
elmikoayoung: might take me a few minutes, formatting got all screwed up21:20
*** jasondotstar has quit IRC21:26
elmikoayoung: ok, setup for this is that i used the rest api to create a domain named "sahara_proxy_domain", added a user "sahara_proxy_user" with pw "openstack", i got the domain id from the keystone cli tool. https://gist.github.com/elmiko/903fda01adef71e0915521:33
*** rm_work has quit IRC21:33
ayoungelmiko, let me  try it with a setup I have here21:33
*** rm_work has joined #openstack-keystone21:33
morganfainbergbknudson, ayoung, so i think i need to make revocation events sql use a varchar for the expiration.21:34
elmikoayoung: cool, thanks21:34
morganfainbergbknudson, ayoung, any issues/thoughts with doing that?21:34
ayoungmorganfainberg, why can't we use the extra data21:35
bknudsonmorganfainberg: not that I can think of. I considered it as an option at one point.21:35
bknudsonmorganfainberg: or it could be an integer21:35
morganfainbergayoung, this is in the revocation event itself21:35
*** rm_work has quit IRC21:35
bknudsonmorganfainberg: also, could consider storing both the timestamp and the string / integer21:36
ayoungcrud21:36
*** rm_work has joined #openstack-keystone21:36
* ayoung stifles a MySQL rant.21:36
*** CaioBrentano has left #openstack-keystone21:37
bknudsonmorganfainberg: oh, you wouldn't have to store the timestamp string in the event.21:37
ayoungbknudson, morganfainberg what about storing just the chopped portion as an integer21:37
morganfainbergayoung, no21:38
bknudsonayoung: I think he's saying chopping doesn't work21:38
morganfainbergayoung, once it hits mysql it trims microseconds21:38
bknudsonthe 1s granularity is inadequate21:38
morganfainbergbut we don't know that has occurred until it's stored21:38
bknudsonbut apparently 1ms granularity is ok21:38
ayoungmorganfainberg, right, so we store microseconds in their own field, and then recompose21:38
ayoungexpires_at_microseconds #this field exists because mysql chops microsecs21:39
morganfainbergayoung, that kinda makes me cringe21:39
ayoungmorganfainberg, it makes the workaround specific to mysql21:39
morganfainbergayoung, i'd rather just store isotime, it's less effort to compare at the sql level that way.21:39
morganfainbergayoung, right but now i need to *check* both columns to see if something is actually expired.21:40
openstackgerritA change was merged to openstack/keystone: Remove _BaseFederationExtension  https://review.openstack.org/11313621:40
ayoungmorganfainberg, I want to keep the "get all from a particular point" as a Database query21:40
ayoungthe revocation event itself can then compose the time from the two fields21:40
ayoungand the check uses the value out of the model21:40
morganfainbergayoung, revocation event expires at is *not* "revoked_at"21:41
ayoungthe "compose" would only be done on databases that require it....IE migh sequel21:41
morganfainbergayoung, "expires_at" is from the token data21:41
bknudsonI didn't think of the "get all from a particular point" query... that would miss events since mysql chops the timestamp.21:41
ayoungah, true, we don't query on that, do we21:41
morganfainbergayoung, yeah :P different column... maybe we should call that "token_expires_at" :P21:42
ayoungheh21:42
ayoungyou won't make this Adam proof.  Adam will still find ways to confuse things21:42
ayoungOK,  varchar should be fine21:42
morganfainbergayoung, i'll make the migration and i'll *rename* the column to token_expires_at for clarity21:42
ayoungum, no21:43
ayoungdon't rename the column21:43
morganfainbergwhy not?21:43
ayoungthat will have 2nd order effects through the code21:43
bknudsony, that's going to be confusing21:43
bknudsonif the col is token_expires_at and the model is expires_at that will be confusing21:43
morganfainbergbknudson, no i was going to rename both.21:44
ayoungyeah,  and the confusion was not over what was expiring, it was over which we were querying on21:44
bknudsonmorganfainberg: that's not backwards compatible21:44
morganfainbergbknudson, by column rename i meant "fix the model and make the column match"21:44
morganfainbergbknudson, it isn't?21:44
ayoungmorganfainberg, nah, just change the datatype, please.21:44
bknudsonmorganfainberg: I assume these wind up in the response for fetching the revocation list?21:45
morganfainbergbknudson, only the events that nothing consumes yet.21:45
morganfainbergbknudson, but whatever, doesn't bug me - i just will point out I'll say "i told you so" if this convo comes up again :)21:45
ayoungmorganfainberg, all of the fields refer to the token.  Putting that in there is redundant21:46
morganfainbergayoung, except "revoked_at"  :P21:46
ayoungtoken_revoked_at21:46
ayoungeven that21:46
ayoungit's just not a field on the token21:46
morganfainbergno it's when the *event* occurred.21:46
morganfainbergayoung, it's not relevant to the token21:46
bknudsonmorganfainberg: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-revoke-ext.md21:47
bknudsonyou'd have to change the spec21:47
ayoungit absolutely is.  It means that if a token was used before that time it was valid.21:47
morganfainbergayoung, i thought we were going to make revocation events pkey auto_inc ints21:47
ayoungmorganfainberg, its an open request21:47
ayoungI haven't implemented it yet.21:47
morganfainbergayoung, ah haven't gotten there yet, ok.21:48
ayoungSo much other churn on events21:48
marekddolphm: hm, something like this? http://pasteraw.com/2ze1c6tb5bewttdig9jpac9p4xszncd .21:48
marekddolphm: we can pass roles only but some other values could also be useful (like expiration date)21:49
*** hrybacki has quit IRC21:52
*** marekd is now known as marekd|away22:00
bknudsonmorganfainberg: were you also going to backport the migration to icehouse?22:00
morganfainbergbknudson, i could22:00
morganfainbergbknudson, hadn't gotten that far yet22:00
bknudsonI think you'll need to22:01
*** nkinder has quit IRC22:05
elmikoayoung: i figured it out, i was using domain_id instead of user_domain_id22:08
ayoung++22:08
elmikoayoung: a question that came up during review of my updated spec was, is there any concern with sahara creating perhaps 100s of users in this proxy domain?22:10
ayoungelmiko, I don't think so22:10
elmikoayoung: that's what i thought, but due diligence :)22:11
ayoungelmiko, list users might be a problem.  I'm not certain, but that call might be domain agnostic.22:12
ayoungthat is something we could fix.22:12
ayoungI think that the v2 call will only list users in the default domain...and v3 requires a domain, I think22:12
elmikoayoung: ok, we probably won't need to list the users, but good to know.22:13
elmikoideally, we will create them, hand them off to the cluster, then delete them when a job is complete22:13
ayoungmorganfainberg, what happens with list users if no domain is specified?22:13
morganfainbergayoung, uhm. i think you get told to fly a kite22:13
elmikolol22:14
ayoungelmiko, try it out, would you?22:14
elmikosure22:14
ayoungI can look at the code, too22:14
morganfainbergbknudson, sure. easy enough22:14
ayoungyeah, v2 is default domain http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n4722:15
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n218  looks like it selects the scope from self._get_domain_id_for_list_request22:15
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n55922:16
elmikoayoung: i'm not seeing them show up through the cli tool22:16
ayoungso you will have domain specific drivers...22:16
ayoungotherwise, it looks like it grabs the users domain id22:17
ayoungfrom the token22:17
ayoungelmiko, you should be good22:17
elmikoayoung: k, cool. i tried this workflow all the way through to accessing swift with a trust scoped token from the proxy user and it worked. we're just trying to understand the ask we are making on operators to make the domain specific driver change.22:18
elmikoayoung: or in a best case scenario, having operators specify a domain that sahara can use as a proxy.22:19
ayoungelmiko, I have a proof of concept of the LDAP as a domain working22:19
elmikoayoung: is that different than the blog post you shared the other day?22:19
ayoungit might take a little reworking if you wanted LDAP as the default domain, but I think we could make that work, too22:19
ayoungelmiko, not really22:20
elmikoi inferred from your post that if an op wanted to they could create a domain specific driver for the sql backed domain as well22:20
ayoungelmiko, I have no idea how that would work22:20
elmikooh.. maybe my inference went too far lol22:20
*** rwsu has quit IRC22:21
ayoungthe domain table is in the assignment backend.  It might work, but I'm not willing to swear on it22:21
elmikoayoung: gotcha22:22
*** henrynash has joined #openstack-keystone22:22
elmikoso many backends...22:22
* elmiko head spins22:22
ayoungelmiko, I think it would work like this22:22
ayoungthe main identity backend would be SQL22:22
ayoungyou would set up domain specific backends, and create a file domains/keystone.default.conf  and make sure that the domain-id for that one was set in the keystone.conf file as the default domain id22:23
*** joesavak has joined #openstack-keystone22:24
ayoungservices would be required to use V3 for the service users22:24
*** jorge_munoz has quit IRC22:25
elmikois keystone recommending using domain specific confs from juno and beyond?22:26
ayoungmorganfainberg, can you please bless https://review.openstack.org/#/c/107873/  as it is needed for the mapping stuff22:26
ayoungelmiko, I think so.  Certainly for the AD use cases it makes sense22:26
* ayoung has to disappear into family time now22:27
elmikotake care22:27
*** ayoung is now known as ayoung_is_a_Dad22:27
morganfainbergayoung_is_a_Dad, i think that might break things.22:29
morganfainbergayoung_is_a_Dad, i think that change is going to make it so we require the awful "here is the list of my plugins option" and then each one of those needs to have its own option that is dynamically registered to point to the class22:31
morganfainbergayoung_is_a_Dad, you can't use the "load by classname" method of loading auth plugins22:32
morganfainbergi *think*22:32
* morganfainberg continues to look at that code22:32
*** elmiko is now known as _elmiko22:33
*** rwsu has joined #openstack-keystone22:36
*** joesavak has quit IRC22:41
*** henrynash has joined #openstack-keystone22:41
*** bknudson has quit IRC22:45
*** andreaf has quit IRC22:53
*** henrynash has quit IRC22:53
*** rkofman has joined #openstack-keystone22:54
_elmikoayoung_is_a_Dad: fyi, i did a GET on /v3/users and i do see the proxy users in that list. not sure if that has any impact.22:59
*** andreaf has joined #openstack-keystone22:59
*** andreaf_ has joined #openstack-keystone23:04
*** andreaf has quit IRC23:07
*** nkinder has joined #openstack-keystone23:14
openstackgerritA change was merged to openstack/keystone: Remove unnecessary declaration of CONF  https://review.openstack.org/11393023:15
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162023:19
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/11405923:19
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/11406723:24
*** gordc has quit IRC23:36
*** RockKuo_Home has quit IRC23:38
*** jamielennox|away is now known as jamielennox23:51
*** gokrokve has quit IRC23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!