Thursday, 2014-08-21

*** henrynash has joined #openstack-keystone00:00
*** bknudson has joined #openstack-keystone00:03
*** topol has quit IRC00:04
*** harlowja has quit IRC00:15
*** harlowja_ has joined #openstack-keystone00:15
*** dims has joined #openstack-keystone00:16
*** zzzeek has quit IRC00:19
*** gyee_ has quit IRC00:21
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance GET /v3 to handle Accept header  https://review.openstack.org/11546200:25
*** cjellick has quit IRC00:30
*** cjellick has joined #openstack-keystone00:30
*** cjellick has quit IRC00:35
*** diegows has quit IRC00:37
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use ConfigFilter for auth_token options  https://review.openstack.org/11583000:44
*** jorge_munoz has joined #openstack-keystone00:51
*** jorge_munoz has quit IRC00:56
*** jorge_munoz has joined #openstack-keystone00:59
*** alex_xu has joined #openstack-keystone01:01
jamielennoxayoung: if i simply https://review.openstack.org/#/c/113415/ it will change how it works01:02
jamielennoxthat is a horrible function01:03
ayoungjamielennox, ugh01:04
jamielennoxayoung: i don't know who wrote it, but they never considered anything beyond their immediate use case01:04
ayoungjamielennox, are all of those subordinate things not throwing exceptions?01:04
jamielennox(i try not to git blame in anger)01:05
ayoungheh01:05
jamielennoxno the is_valids are booleans01:05
jamielennoxfunction just needs to be deprecated01:05
openstackgerrithenry-nash proposed a change to openstack/keystone: Implements the controller for the endpoint policy extension  https://review.openstack.org/11574601:05
ayoungjamielennox, yeah, but if you send (None, **{}) in to them do they return true or false?01:07
*** topol has joined #openstack-keystone01:07
ayounghenrynash, go to bed01:07
jamielennoxthey return an AccessInfoV2 apparently01:07
henrynashayoung: yeah..i must do that!01:07
henrynashayoung: just one more…01:07
ayounghenrynash, do you trust the code you write at 2 AM?  I sure don't01:08
jamielennoxthat's what code review is for01:08
openstackgerrithenry-nash proposed a change to openstack/keystone: Add delete notifications for policy, region and service.  https://review.openstack.org/11576301:08
henrynashayoung: the code at 2am is not so bad….in the old days it was the code I wrote after 3 pints on england’s finest “old thumper” ale that I never trusted01:09
*** diegows has joined #openstack-keystone01:09
ayoungMissed the Ballmer peak.   One way or the other henrynash01:09
jamielennoxhenrynash: they are often the best ideas, you just need to come back later and make the code sane01:10
ayounghttp://xkcd.com/323/01:10
henrynashayoung: nice!01:10
ayoungquestion was, which side of the peak were you on?01:10
ayoung"just one more"01:10
henrynashok, that now is me done….01:10
*** amerine has joined #openstack-keystone01:11
henrynashtime for bed (said zebedee)01:11
henrynashleft field reference: http://www.magicroundabout.com/Time-For-Bed-Said-Zebedee.asp01:12
ayoungGood work.  Sleep well.  I'll most likely kill you in the morning.01:12
*** henrynash has quit IRC01:12
ayoungjamielennox, OK,  let me give it a try.  I think I can at least make it legible...01:15
jamielennoxayoung: go for it01:15
*** shakamunyi has joined #openstack-keystone01:17
ayoungjamielennox, is this code wrong:01:25
ayoung        if body is None and not len(kwargs):01:25
ayoung            auth_ref = AccessInfoV2(**kwargs)01:25
ayoung            auth_ref.auth_token = auth_token01:25
ayoungassuming, for a moment, that  auth_token is None,  would it be wrong to set the auth_ref.auth_token to none?01:25
jamielennoxumm, i assume not because the default value of auth_token will be None01:27
jamielennoxactually no it won't01:27
jamielennoxthe default will be KeyError01:27
ayoungjamielennox, is that the same as   auth_ref = AccessInfoV2()01:27
jamielennoxno because you're still setting a value to auth_token even if it's none01:28
ayoungor, better yet01:28
ayoungauth_ref = AccessInfoV2({auth_token:  auth_token})01:28
*** richm has quit IRC01:28
ayoungso auth_token == None is different from no auth_token property set>01:28
ayoung?01:28
*** marcoemorais has quit IRC01:29
*** gokrokve has joined #openstack-keystone01:30
jamielennoxmost of AccessInfo throws KeyError when a value isn't set01:31
jamielennoxthat's terrible but i don't want to change the behaviour for one thing01:31
ayoungjamielennox, what about  something like cloning the kwargs and sticking auth_token in it if it exists?01:32
jamielennoxayoung: think you're overreaching01:33
ayoungjamielennox, it also helps me to understand the code better.  Even if all this is futile, at the end, I'll *get* it01:33
jamielennoxso i don't think we should clone kwargs, and if we don't have auth_token as a header then our checks will fail01:34
jamielennoxbecause we will get a NotImplemented rather than an empty AccessInfo (which is a dumb default)01:34
ayoungWow this is some nasty cod01:37
ayoungcode01:37
ayoungjamielennox, last question.  You have a couple early returns on return AccessInfoV3(auth_token, **kwargs)  etc.  Where do they get their auth_token from?01:38
ayoungOK, I see the param01:39
ayoungwhy do we not do the same thing for V2?01:39
jamielennoxayoung: oh, i had something i thought made more sense but it got -1ed in an earlier review01:39
jamielennoxayoung: :)01:39
jamielennoxayoung: because horrible01:39
*** diegows has quit IRC01:39
jamielennoxbecause in V2 the token is supposed to be in the body and in v3 it's the header01:40
jamielennoxso whoever wrote the code figured we didn't need it for v201:40
jamielennoxwhich is terrible, and will fail whenever we have CMS tokens01:40
ayoungjamielennox, why do you only get the token out of the resp for v3?01:40
jamielennoxthis patch is the minimum effort i could put into that broken thing and make it sane01:41
ayoungif resp and not auth_token:01:41
ayoung                    auth_token = resp.headers['X-Subject-Token']01:41
ayoungwouldn't we want that for all cases?01:41
jamielennoxas above, in v3 it's in the headers, in v2 it's in the body01:41
jamielennoxwhy he didn't take token as a parameter rather than the whole resp i don't know01:41
jamielennoxamongst the problems here is that the body token id is wrong when we use CMS tokens01:43
ayoungjamielennox, so  if auth_token:01:43
ayoung            auth_ref.auth_token = auth_token  is only for v2 tokens ever?01:43
jamielennoxi've no idea why that hasn't bitten us yet01:43
*** dims has quit IRC01:44
jamielennoxayoung: have a look at patch set one01:44
*** dims has joined #openstack-keystone01:44
*** dims has quit IRC01:45
*** dims_ has joined #openstack-keystone01:45
*** hrybacki has quit IRC01:48
*** gokrokve has quit IRC01:50
*** amerine has quit IRC01:52
openstackgerritMorgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext  https://review.openstack.org/11485701:55
*** alex_xu has quit IRC01:56
*** hrybacki has joined #openstack-keystone02:00
*** dims_ has quit IRC02:02
*** dims has joined #openstack-keystone02:03
ayoungjamielennox, so, I don't know if my code is any better.  It seems clearer at least:02:03
ayoungjamielennox, http://paste.openstack.org/show/97986/02:04
jamielennoxayoung: yea, not sure02:05
*** gokrokve has joined #openstack-keystone02:06
ayoungjamielennox, want me to submit it or toss it?02:07
jamielennoxayoung: umm, i don't mind it's probably a bit clearer, though not as concise02:08
jamielennoxdoesn't do any better job explaining the stupid decisions that were made02:08
ayoungI'll toss it, and that way I can +2 yours02:10
*** dims has quit IRC02:12
*** dims has joined #openstack-keystone02:12
*** alex_xu has joined #openstack-keystone02:14
jamielennoxayoung: i'm glad to share the pain :)02:21
ayoungjamielennox, just so as you see what I am dealing with in Horizon: https://review.openstack.org/#/c/115460/02:22
ayoungthat is all proof-of-concept code...needs to be severely cleaned up02:22
*** dims has quit IRC02:22
ayoungyour generic plugin patch will help02:22
*** dims has joined #openstack-keystone02:23
jamielennoxayoung: the generic plugin stuff is really hard to make work with existing code02:23
jamielennoxi'm playing with that myself now02:23
*** rushiagr_away is now known as rushiagr02:23
jamielennoxi just deprecated half the options to auth_token middleware :)02:23
ayoungjamielennox, what is the pain point02:23
jamielennoxincluding some that i only recently added02:24
ayoungthat should read02:24
ayoungjamielennox, what are the pain points  cuz I'm sure there is more than one02:24
jamielennoxoh, you mean the version independent stuff?02:24
jamielennoxyea that should be good02:24
jamielennoxi was thinking of the load generic plugins from a CONF file02:24
jamielennoxload any plugin from a CONF file02:24
*** shakayumi has joined #openstack-keystone02:25
ayoungjamielennox, BTW,  I kind of need a way to confirm a login for a session/auth_plugin pair.  Does it make sense to do that via the "list_projects" call?  The old code did it as two calls...02:26
ayoungbut now you delay authentication until Keystone makes some other call.02:26
jamielennoxayoung: if you call get_token() it will force an auth02:27
ayoungyeah.02:27
jamielennoxif it's already authed it will return the cached one02:27
ayoungIt would be nice if authenticate returned the set of projects.02:27
*** dims has quit IRC02:27
jamielennoxauthenticate?02:27
ayoungwould turn it into a single call02:27
jamielennoxlike unscoped token?02:27
ayoungPOST /v3/auth02:27
*** dims has joined #openstack-keystone02:27
ayoungPOST /v3/auth/tokens02:27
jamielennoxi had thought about that02:27
*** shakamunyi has quit IRC02:28
ayoungdoesn't need to be in the token, just in the response body02:28
ayounglist of domains would probably make sense, too, if user can get a domain scoped token02:28
jamielennoxayoung: we need to make a better distinction then that not everything in the response body from /auth/tokens is in the actual token02:28
ayoungyep02:29
jamielennoxayoung: well the calls are available there now, the auth-specific-data patch is on gate02:29
ayoungjamielennox, there is actually no reason that they have to be at all related.02:29
jamielennoxso it's just take that code and include it in the response02:29
ayoungjamielennox, with auth-specific data, can I call that without a token, and get back a token?02:30
jamielennoxno02:30
ayounglike, if I post to /v3/auth/projects?02:30
ayoungdamn02:30
ayoungthat would be cool02:30
jamielennoxwould break the federation use02:30
ayoungPOST?  I didn't think it would do anything on POST?02:30
*** alexiz has joined #openstack-keystone02:30
jamielennoxoh02:31
jamielennoxyea, you're right02:31
ayoungmaybe the rule is that if you post to anything under /auth/  you can get back a token02:31
jamielennoxi think i would -1 having post to /v3/auth/projects, but i like the projects and domains as part of the unscoped token response02:31
jamielennoxbecause it's almost always going to be the very next thing you do02:32
jamielennox+ a service catalog02:32
ayoungwhat would be cool is posting to /v3/auth/projects/<projectid> with an empty auth body and basic-auth, and getting back a scoped token02:32
ayoungor supporting form auth that way02:33
jamielennoxi think the key will be making auth discoverable, that way you could put it in an extension or wherever you like02:33
ayoungbut, yeah, I suggested returning projects/domains to you before and you didn't seem so keen on it.  You've come around, or was I not clear?02:33
jamielennoxayoung: i don't know, can't remember what my problem with it last time was02:34
ayoungso GET /v3/auth could return the set of suburls for different auth methods02:34
ayounglike /v3/auth/krb   /v3/auth/password  /v3/auth/saml ....02:34
*** shakayumi has quit IRC02:34
jamielennoxkrb - yes, saml  would probably have to point to /OS-FEDERATION/identity_providers/02:35
jamielennoxis /password basic or methods = ['password']?02:35
*** dims has quit IRC02:35
*** dims has joined #openstack-keystone02:36
ayoungpassword would be current password.02:37
ayoungbasic could be a separate plugin as well.02:38
*** amerine has joined #openstack-keystone02:38
ayoungthing is, it is an interesting dance between what happens in wsgi and what is provided by HTTPD02:38
jamielennoxayoung: does that go instead of methods=['password']?02:38
ayoungnah,  this would be used to discover where to go for a given mechanism02:39
jamielennoxi have a real problem at the moment with anything that is duplicated between body and URI02:39
ayoungand to see what mechanisms a given keystone server supported02:39
jamielennoxfor example finding data about the logged in user and needing to specify the user_id on the URI02:39
jamielennoxthen somewhere in policy we check that uri user_id == token user_id02:39
jamielennoxif it's in the token it should not need to be on the cmdline02:40
*** dims has quit IRC02:40
jamielennoxs/cmdline/uri02:40
*** hrybacki has quit IRC02:40
*** RicoLin has quit IRC02:40
*** RicoLin has joined #openstack-keystone02:41
*** harlowja_ is now known as harlowja_away02:42
ayoungyeah, that one has come up a couple times02:45
*** amerine has quit IRC02:49
ayoungjamielennox, how do you feel about the state of https://review.openstack.org/#/c/81147/  ?02:54
*** RicoLin has quit IRC02:56
jamielennoxayoung: i don't think it'll pass review because there are no tests for the token one02:56
ayounghmmm02:57
ayoungcan I cherry pick that one?02:57
*** RicoLin has joined #openstack-keystone02:57
ayoungI guess I need the two before it in series02:57
jamielennoxyou'll need https://review.openstack.org/#/c/107570/13 as well02:57
*** jeffrey4l has quit IRC02:58
jamielennoxthe default values one is fine02:58
jamielennoxi can't even remember why it's in that series02:58
jamielennoxoh, because i was using that to mess with the shell stuff02:58
*** cjellick has joined #openstack-keystone03:01
*** cjellick has joined #openstack-keystone03:02
*** KanagarajM has joined #openstack-keystone03:19
*** stevemar has joined #openstack-keystone03:19
openstackgerritA change was merged to openstack/python-keystoneclient: Add v3scopedsaml entry to the setup.cfg.  https://review.openstack.org/11077003:25
*** chandankumar has joined #openstack-keystone03:27
*** hrybacki has joined #openstack-keystone03:32
*** amerine has joined #openstack-keystone03:39
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin  https://review.openstack.org/11585703:43
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Create a custom session object for retries  https://review.openstack.org/11585803:43
*** chandankumar has quit IRC03:44
*** gokrokve has quit IRC03:51
*** shakamunyi has joined #openstack-keystone03:54
*** alexiz has quit IRC03:57
*** ncoghlan is now known as ncoghlan_afk04:00
*** amirosh has joined #openstack-keystone04:04
*** hrybacki has quit IRC04:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete  https://review.openstack.org/11220404:19
*** praneshp has joined #openstack-keystone04:22
praneshpdolphm: you around?04:22
praneshpdolphm: How do I get to the bp for https://github.com/openstack/keystone/commit/ec995b33763f99755e8512e0e0aa497c01e3744904:23
praneshplaunchpad search seems to return nothing04:24
*** stevemar has quit IRC04:26
*** alex_xu has quit IRC04:31
*** gokrokve has joined #openstack-keystone04:36
morganfainbergpraneshp, https://blueprints.launchpad.net/keystone/+spec/role-assignments-unified-sql but fyi that blueprint is marked as completed, if there are missing items it would need to be either a bug or some other bp04:38
morganfainbergpraneshp, i found it by searching for it under the icehouse release04:38
praneshpmorganfainberg: np, thanks04:38
praneshpmorganfainberg: correct, I did a generic google search and found it04:38
praneshpclicking the bp link on the review didn’t help04:39
morganfainberghttps://blueprints.launchpad.net/keystone/icehouse04:39
morganfainbergyeah because the default is master / juno development, and the search only works for specific releases04:39
praneshpmorganfainberg: no new bugs, an old internal patch of ours broke because of the changes there04:39
praneshpand I want to find out how to change our patch to match the changes04:39
*** cjellick_ has joined #openstack-keystone04:47
*** cjellick has quit IRC04:50
*** cjellick_ has quit IRC04:51
*** rushiagr is now known as rushiagr_away04:58
*** rushiagr_away is now known as rushiagr05:01
*** rushiagr is now known as rushiagr_away05:01
*** amerine has quit IRC05:04
*** RicoLin has quit IRC05:08
*** RicoLin has joined #openstack-keystone05:08
openstackgerritA change was merged to openstack/keystone: Fixing simple type in comment  https://review.openstack.org/11542905:13
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Auth plugin serialization  https://review.openstack.org/11316305:15
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162005:16
*** alex_xu has joined #openstack-keystone05:23
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162005:25
*** chandankumar has joined #openstack-keystone05:25
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Move fake session to HTTPClient  https://review.openstack.org/10886805:29
*** ncoghlan_afk is now known as ncoghlan05:34
*** shakamunyi has quit IRC05:37
*** tomoiaga has joined #openstack-keystone05:43
*** tomoiaga has left #openstack-keystone05:43
openstackgerritA change was merged to openstack/keystone: Allow LDAP lock attributes to be used as enable attributes  https://review.openstack.org/10440805:43
openstackgerritA change was merged to openstack/keystone: Create authentication specific routes  https://review.openstack.org/11490305:43
openstackgerritA change was merged to openstack/python-keystoneclient: Unsort pbr and hacking in requirements files  https://review.openstack.org/11470705:46
openstackgerritA change was merged to openstack/python-keystoneclient: Remove cruft from setup.cfg  https://review.openstack.org/11470805:46
*** cjellick has joined #openstack-keystone05:48
*** ajayaa has joined #openstack-keystone05:55
*** cjellick has quit IRC05:56
*** gokrokve_ has joined #openstack-keystone06:05
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/11192006:05
*** gokrokve has quit IRC06:08
*** gokrokve_ has quit IRC06:09
*** amerine has joined #openstack-keystone06:14
*** rushiagr_away is now known as rushiagr06:20
*** k4n0 has joined #openstack-keystone06:25
*** mflobo has joined #openstack-keystone06:39
*** ukalifon has joined #openstack-keystone06:45
*** amerine has quit IRC06:49
*** afazekas is now known as __afazekas06:55
*** topol has quit IRC07:03
*** shakamunyi has joined #openstack-keystone07:04
*** shakamunyi has quit IRC07:08
*** afazekas has joined #openstack-keystone07:18
*** afazekas has quit IRC07:18
*** ajayaa has quit IRC07:20
openstackgerritMarek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485007:23
openstackgerritMarek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054207:23
openstackgerritMarek Denis proposed a change to openstack/keystone: Routes for Keystone-IdP metadata endpoint.  https://review.openstack.org/11588307:23
*** marekd|away is now known as marekd07:26
*** ncoghlan has quit IRC07:29
openstackgerritMarek Denis proposed a change to openstack/keystone: Generate IdP Metadata with keystone-manage.  https://review.openstack.org/11556407:31
*** ajayaa has joined #openstack-keystone07:42
*** afazekas has joined #openstack-keystone07:43
*** aix has joined #openstack-keystone07:53
*** henrynash has joined #openstack-keystone08:10
*** BAKfr has joined #openstack-keystone08:22
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768108:22
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins  https://review.openstack.org/8114708:22
openstackgerrithenry-nash proposed a change to openstack/keystone: Correct the signature for some catlog abstract method signatures.  https://review.openstack.org/11589508:31
openstackgerrithenry-nash proposed a change to openstack/keystone: Correct the signature for some catalog abstract method signatures.  https://review.openstack.org/11589508:32
openstackgerritMarek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485008:43
*** aix has quit IRC08:46
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768108:47
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins  https://review.openstack.org/8114708:47
*** praneshp has quit IRC08:53
*** mrmoje has joined #openstack-keystone08:55
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Distinguish between name not provided and incorrect  https://review.openstack.org/11590308:58
openstackgerritMarek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054209:24
*** ajayaa has quit IRC09:24
*** aix has joined #openstack-keystone09:24
openstackgerritMarek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485009:34
openstackgerritMarek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485009:36
*** ajayaa has joined #openstack-keystone09:38
openstackgerritMarek Denis proposed a change to openstack/keystone: Generate IdP Metadata with keystone-manage.  https://review.openstack.org/11556409:39
openstackgerritMarek Denis proposed a change to openstack/keystone: Routes for Keystone-IdP metadata endpoint.  https://review.openstack.org/11588309:43
*** mrmoje_ has joined #openstack-keystone09:54
*** mrmoje has quit IRC09:56
*** henrynash has quit IRC10:27
*** topol has joined #openstack-keystone10:59
*** topol_ has joined #openstack-keystone11:00
*** topol has quit IRC11:03
*** topol_ has quit IRC11:05
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162011:14
*** mikedillion has joined #openstack-keystone11:18
*** yasukun has joined #openstack-keystone11:19
*** dims has joined #openstack-keystone11:20
*** dims has quit IRC11:20
*** RicoLin has quit IRC11:20
*** RicoLin has joined #openstack-keystone11:20
*** dims has joined #openstack-keystone11:20
*** diegows has joined #openstack-keystone11:31
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/10224411:32
*** mikedillion has quit IRC11:35
openstackgerritKanagaraj Manickam proposed a change to openstack/keystone: endpoint table is missing reference to region table  https://review.openstack.org/11318311:42
*** afaranha has joined #openstack-keystone11:45
*** hrybacki has joined #openstack-keystone11:49
*** KanagarajM has quit IRC11:54
*** hrybacki has quit IRC11:54
*** hrybacki has joined #openstack-keystone11:59
BAKfrI've a question about the method delete_grant in assignment/core.py https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L52712:01
BAKfrWhen we revoke a role on a specific project, all tokens of concerned users are revoked.12:01
BAKfrIs there a reason the code doesn't revoke only tokens associated to the project ?12:02
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054212:05
*** diegows has quit IRC12:16
*** wanghong has quit IRC12:29
*** wanghong has joined #openstack-keystone12:33
*** hrybacki has quit IRC12:40
*** yasukun has quit IRC12:47
*** radez_g0n3 is now known as radez12:48
*** dims has quit IRC12:54
*** dims has joined #openstack-keystone12:54
*** cjellick has joined #openstack-keystone12:54
*** aix has quit IRC12:57
*** cjellick has quit IRC12:59
*** xianghuihui has joined #openstack-keystone13:06
*** gordc has joined #openstack-keystone13:08
*** xianghui has quit IRC13:09
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 routers to store basic resource description  https://review.openstack.org/11157313:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Provide the V3 routers to the V3 extension controller  https://review.openstack.org/11157413:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 version controller to provide JSON Home response  https://review.openstack.org/11157513:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change V3 router classes to provide JSON Home data  https://review.openstack.org/11157613:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extensions to provide JSON Home data  https://review.openstack.org/10398313:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change the sub-routers to provide JSON Home data  https://review.openstack.org/11157713:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change OS-INHERIT extension to provide JSON Home data  https://review.openstack.org/11157813:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extension class to integrate JSON Home data  https://review.openstack.org/11157913:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance GET /v3 to handle Accept header  https://review.openstack.org/11546213:10
*** xianghui has joined #openstack-keystone13:10
*** henrynash has joined #openstack-keystone13:11
*** xianghui has quit IRC13:12
*** xianghui has joined #openstack-keystone13:12
*** xianghuihui has quit IRC13:13
*** ajayaa has quit IRC13:13
*** richm has joined #openstack-keystone13:14
*** jasondotstar has joined #openstack-keystone13:19
*** nkinder has quit IRC13:20
*** bknudson has quit IRC13:20
*** openstackgerrit has quit IRC13:21
*** topol has joined #openstack-keystone13:22
*** henrynash has quit IRC13:26
*** henrynash has joined #openstack-keystone13:26
henrynashanyone have a good understanding of how/if (currently) people link endpoints to regions in keystone?13:27
*** radez is now known as radez_g0n313:43
*** bknudson has joined #openstack-keystone13:44
*** jdennis has quit IRC13:46
*** jdennis has joined #openstack-keystone13:48
*** jamielennox is now known as jamielennox|away13:48
*** diegows has joined #openstack-keystone13:52
*** k4n0 has quit IRC13:55
*** openstackgerrit has joined #openstack-keystone13:58
*** gokrokve has joined #openstack-keystone14:01
*** nkinder has joined #openstack-keystone14:05
openstackgerritDavid Stanek proposed a change to openstack/keystone: ldap/core deleteTree not always supported  https://review.openstack.org/7489714:08
openstackgerritDavid Stanek proposed a change to openstack/keystone: ldap/core deleteTree not always supported  https://review.openstack.org/7489714:13
*** topol_ has joined #openstack-keystone14:14
dstanekrichm: ^14:16
*** topol has quit IRC14:16
*** topol_ is now known as topol14:17
*** mrmoje_ has quit IRC14:17
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Base methods to handle hierarchical projects  https://review.openstack.org/11184114:18
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Add parent_project_id field  https://review.openstack.org/11184014:18
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/11184214:18
*** mrmoje has joined #openstack-keystone14:19
*** aix has joined #openstack-keystone14:20
*** david-lyle has joined #openstack-keystone14:21
*** raildo has joined #openstack-keystone14:24
marekdgyee: hello14:28
*** stevemar has joined #openstack-keystone14:28
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Base methods to handle hierarchical projects  https://review.openstack.org/11184114:28
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Add parent_project_id field  https://review.openstack.org/11184014:28
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/11184214:28
*** mrmoje has quit IRC14:29
*** rushiagr is now known as rushiagr_away14:30
marekdgyee: i can't remember - did you postpone your x509 auth plugin for K release?14:30
*** henrynash has quit IRC14:38
openstackgerritKanagaraj Manickam proposed a change to openstack/keystone: endpoint table is missing reference to region table  https://review.openstack.org/11318314:40
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/11413814:40
dstanekstevemar: ping14:40
stevemardstanek, pong14:40
*** bknudson has left #openstack-keystone14:40
*** bknudson has joined #openstack-keystone14:40
stevemarapparently I missed some eventful stuff yesterday14:41
dstanekstevemar: do you think what i did made sense?14:41
stevemardstanek, the only issue i have is the user_id attribute14:41
dstanekstevemar: yesterday is ancient history in OpenStack terms14:41
dstanekmarekd: i don't see it here https://gist.github.com/dolph/651c6a1748f69637abd014:42
dstanekstevemar: how do you mean?14:42
stevemardstanek, i'll show you a pastie of why i don't like user_id14:42
dstanekstevemar: k14:42
stevemardstanek, http://paste.openstack.org/show/98201/14:43
dstanekyeah, i can see that being confusing14:44
dstanekwhat about target_user and target_group?14:44
stevemaractor*14:44
dstanek...or that :-)14:45
dstanekuser_actor/group_actor?14:45
stevemardstanek, i was also thinking of placing it at the event level instead of the initiator level14:45
dstanekstevemar: i'd be OK with anything because I don't really understand the systems that use this data14:46
stevemardstanek, so it would look like this14:47
stevemarhttp://paste.openstack.org/show/98202/14:47
dstanekstevemar: that's what i was hoping to get yesterday. "this is where the data goes and what it should be called because that's easiest for auditors or is in line with the spec."14:47
dstanekstevemar: what does that target block represent?14:48
stevemardstanek, apparently we just declare it once: target=resource.Resource(typeURI=taxonomy.ACCOUNT_USER),14:50
stevemarand never change it14:50
stevemari think it means a 'security' event happened14:51
stevemarother values would be compute or volume14:51
*** hrybacki has joined #openstack-keystone14:55
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162014:55
*** ayoung has quit IRC14:55
dstaneki think the typeURI is throwing me off. is there a list of those?14:57
*** ukalifon2 has joined #openstack-keystone14:57
dstanekstevemar: yesterday mrutkows was referring to an OpenStack spec for CADF - do you know where that lives?14:57
*** ukalifon has quit IRC14:58
*** gokrokve_ has joined #openstack-keystone15:01
*** ayoung has joined #openstack-keystone15:03
stevemardstanek, no idea to both your questions15:04
*** gokrokve_ has quit IRC15:04
*** gokrokve has quit IRC15:05
*** gokrokve_ has joined #openstack-keystone15:05
*** mikedillion has joined #openstack-keystone15:05
stevemaryour second statement sounds like a mini spec of a spec15:05
dstanekstevemar: "CADF spec", "OpenStack profile" and "OpenStack spec" were talked about yesterday - but i have no idea where the OpenStack things are defined (maybe topol knows?)15:14
*** henrynash has joined #openstack-keystone15:14
*** vhoward has joined #openstack-keystone15:14
dstanekstevemar: feels like we can't get audit right without understanding how it will be used15:15
*** cjellick has joined #openstack-keystone15:16
henrynashanyone have a good understanding of how/if (currently) people link endpoints to regions in keystone?15:17
topoldstanek, stevemar, please connect with mrutkowski.  he can explain where all the profiles are and how things are used15:17
dstanektopol: i asked yesterday :-(15:17
topoldstanek, what did you ask yesterday?15:17
dstanekwhere to find the specs/profile for OpenStack15:18
dstanekstarting to read http://www.dmtf.org/standards/cadf now to get an overview15:18
topoldstanek, did you see this?15:19
topolhttps://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf15:19
henrynashgyee: ping15:20
topoldstanek or https://wiki.openstack.org/wiki/Ceilometer/blueprints/support-standard-audit-formats15:20
dstanektopol: no, but that looks like a lot of good information15:20
dstanektopol: that one looks good too - reading over the usecase pdf now15:21
henrynashbknudson: ping15:21
*** rwsu has quit IRC15:23
*** cjellick has quit IRC15:23
*** cjellick has joined #openstack-keystone15:24
*** henrynash has quit IRC15:26
*** gokrokve_ has quit IRC15:27
bknudsonI was too slow15:27
*** gokrokve has joined #openstack-keystone15:27
*** afazekas has quit IRC15:29
*** gokrokve has quit IRC15:32
*** chandankumar has quit IRC15:36
*** rwsu has joined #openstack-keystone15:39
*** KanagarajM2 has joined #openstack-keystone15:41
*** amirosh has quit IRC15:44
*** amirosh has joined #openstack-keystone15:45
*** amirosh has quit IRC15:49
*** hrybacki has quit IRC15:50
dolphmdstanek: have time to investigate the failures here? https://review.openstack.org/#/c/115941/ https://review.openstack.org/#/c/115947/ all the failed jobs are the same & look legit15:53
dstanekstevemar: after browsing the spec (specifically table 3 in section 4.2) it seems that the components are supposed to differentiate type..maybe...messing around i came up with http://paste.openstack.org/show/98239/15:54
dstanekstevemar: i still don't understand the context behind most of that15:54
dstanekdolphm: sure15:54
stevemardstanek, action eh15:55
dolphmdstanek: ooh, i bet tempest needs the tox fix before keystone15:55
dolphmdstanek: nevermind, i bet that's exactly what it is https://review.openstack.org/#/c/115963/15:56
stevemardstanek, i'd argue that inherited goes under action too15:56
dstanekstevemar: probably, because that's metadata about the grant right?15:57
stevemaryes15:57
dstanekdolphm: yeah, i'll wait then until we know for sure there's an issue15:58
*** mikedillion has quit IRC15:58
stevemardstanek, not sure if the typeURI you have there is valid15:58
*** gyee_ has joined #openstack-keystone15:59
stevemaralso, the spec makes it seem like action is usually just a string, not a dict15:59
*** mikedillion has joined #openstack-keystone16:00
*** aix has quit IRC16:00
*** dguitarbite has quit IRC16:01
*** topol has quit IRC16:02
*** topol has joined #openstack-keystone16:03
dstanekstevemar: yeah...check out B316:03
*** ukalifon2 has quit IRC16:03
*** stevemar has quit IRC16:05
dstanekstevemar: interesting..B.3.2 seems to recommend multiple events for our scenario16:06
*** stevemar has joined #openstack-keystone16:06
stevemardstanek, B3?16:07
dstanekhttp://www.dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf16:07
dstanek"Multi-target events"16:07
*** praneshp has joined #openstack-keystone16:08
*** aix has joined #openstack-keystone16:13
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires  https://review.openstack.org/11486416:21
*** aix has quit IRC16:21
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api  https://review.openstack.org/11342916:22
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model  https://review.openstack.org/11343016:22
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api  https://review.openstack.org/10946216:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api  https://review.openstack.org/11501216:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api  https://review.openstack.org/11504516:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove wsgi and base controller dependency on token_api  https://review.openstack.org/11520516:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Notification Constant Cleanup and internal notify type  https://review.openstack.org/11533716:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment_api dependency on token_api  https://review.openstack.org/11533816:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove oauth controller dependency on token_api  https://review.openstack.org/11534316:23
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Mark methods on token_api deprecated  https://review.openstack.org/11534716:23
*** andreaf has joined #openstack-keystone16:24
*** andreaf has quit IRC16:24
*** andreaf has joined #openstack-keystone16:25
*** andreaf has quit IRC16:25
*** gokrokve has joined #openstack-keystone16:26
*** marcoemorais has joined #openstack-keystone16:28
*** amerine has joined #openstack-keystone16:33
*** BAKfr has quit IRC16:34
*** dims_ has joined #openstack-keystone16:38
dstanekmorganfainberg: it looks like something happened to your rebase - https://review.openstack.org/#/c/113430/16:40
*** dims has quit IRC16:40
bambam1Hello, does anybody know if I have to enable something to get the list of users using the v2 REST API?? I can't pass a 400 'Bad Request' error and i'm querying this path /v2.0/users16:44
ayoungstevemar, bknudson have either of you guys looked at Henrynash's endpoint backend patch?  His commit message has this in it:16:51
ayoungThis patch needs to be re-based on the patch to formally link endpoint region_id to the region table,16:51
ayoungdoes that imply that his patch should be rebased, or just that without it, it is missing some functionality?16:51
ayoungI have a rebased version I can submit, but don't know if it will mess him up16:52
stevemarayoung, let me take a look16:52
stevemarayoung, i think his work depends on that other patch16:58
ayoungstevemar, then I'll post16:58
ayoungit rebases cleanly16:58
*** hrybacki has joined #openstack-keystone16:59
stevemarcause the other patch adds an endpoint column to the region table16:59
*** dguitarbite has joined #openstack-keystone17:00
stevemarayoung, i can't figure out why henry mentions rebasing, the two seem separate17:02
ayoungstevemar, yeah.  I was confused by that, too17:03
morganfainbergdstanek, doh!17:04
morganfainbergdstanek, i think jgit got cranky17:04
morganfainbergor.. something merged and invalidated the whole tree17:04
morganfainbergyep.17:05
morganfainbergdstanek, ok i think i'm stuck again until things merge or i kick them out of check/gate.17:07
morganfainbergdstanek, since i can't fix without rebasing the whole chain17:07
*** Jean-Daniel has quit IRC17:09
bknudsonseems like jenkins is notifying us of merge conflicts in existing reviews whenever something merges now.17:09
morganfainbergbknudson, yeah it's because everyone is touching the same sections of code :P17:11
dstanekwell you guys should stop that :-P17:12
dstanekthat's probably why i feel like i'm reviewing the same thing over and over17:13
morganfainbergdstanek, either that or you're stuck in a loop and really are reviewing the same things over and over17:13
dstanekmorganfainberg: that's also true - i'd like to get a lot of this stuff merged so that i don't have to see it anymore17:14
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Base methods to handle hierarchical projects  https://review.openstack.org/11184117:14
morganfainbergso slightly related17:14
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/11184217:14
morganfainberghm. nvm17:15
morganfainbergi think i'm gonna go get breakfast before it gets too late17:15
*** amirosh has joined #openstack-keystone17:15
*** RicoLin has quit IRC17:22
*** amirosh has quit IRC17:23
*** amirosh has joined #openstack-keystone17:24
*** harlowja_away is now known as harlowja_17:25
openstackgerritayoung proposed a change to openstack/keystone: backend for policy endpoint extension  https://review.openstack.org/11536217:28
*** amirosh has quit IRC17:28
openstackgerritayoung proposed a change to openstack/keystone: controller for the endpoint policy extension  https://review.openstack.org/11574617:29
ayoungstevemar, does that look right to you?17:29
morganfainbergdolphm, ping17:30
stevemarayoung, i suppose, but you've just added another review for me :(17:30
morganfainbergdolphm, did we want to push through dstanek's stable/icehouse fixes for catalog still (just noticed they've been lingering around for a bit) - beyond stable needing more people to review was there a reason?17:31
*** hrybacki has quit IRC17:31
ayoungstevemar, blue on black, tears on a river....17:31
ayoung"Like adding Frost to Snow"17:31
dolphmmorganfainberg: link?17:31
morganfainbergdolphm, https://review.openstack.org/#/c/111519/4 this chain17:31
morganfainbergit's the v3 catalog 500 error17:31
stevemarayoung, woe is me!17:32
* morganfainberg has +2 on stable now, so... can help get these things in.17:32
dolphmmorganfainberg: yes, but just icehouse17:32
morganfainbergright17:32
morganfainbergok i'm looking over the chain it's looking good. if i don't see anything i'll press go on it. (actually, *eyes gate* maybe i'll press go tonight when things calm down)17:32
*** chandankumar has joined #openstack-keystone17:34
morganfainbergdolphm, unrelated, i should have the V3 "validate pki tokens like auth_token does" bits done today but the v2 version of that is going to be a lot more work because v2 validate/issue are less friendly17:35
morganfainbergmaybe ... maybe we should only issue v3 tokens and make validate/issue v2 do an explicit conversion to the v2 format.17:35
morganfainberg(something at the controller level)17:35
dolphmmorganfainberg: +++++++++++++++++++17:36
morganfainbergdolphm, ok i'll go down that path, i think it'll be easier than "fixing" v2 issue (it's really bad)17:36
*** chandankumar has quit IRC17:37
dstanekanyone have a chance to look at my comments on the review for endpoint policy association? https://review.openstack.org/#/c/112292/17:40
dstanekwondering if my "this is not REST" is useful or not17:40
*** diegows has quit IRC17:41
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens  https://review.openstack.org/10683817:41
bknudsondstanek: if you have a better design for the REST API then that would be interesting to see17:42
bknudsondstanek: but the API presented there is similar to other APIs that already exist in Keystone17:42
dstanekbknudson: nothing beyond my gist17:44
bknudsondstanek: ok, thanks.17:45
dstanekbknudson: https://gist.github.com/dstanek/5d6e4380377bef46c76517:45
bknudsondstanek: I don't think that what you have there is going to work with the xml translator17:46
bknudsondstanek: might need to do "policy": {"id": "--policy-id--"}17:46
dstanekbknudson: yeah, i think so too. also because it's more like the GET format.17:47
dstanekthat was just me doing a quick copy-paste to get the idea out17:47
bknudsondstanek: there's no Link header in http17:47
bknudsondstanek: supposed to be Location ?17:48
dstaneklink isn't defined in 2616 it's defined in 598817:49
bknudsondstanek: fancy!17:49
morganfainbergdstanek, i agree with your comments, but i didn't have a better design.17:50
morganfainbergdstanek, bknudson, also documenting HEAD is a bit weird, we should start documenting GET and say "HEAD is also supported"17:50
morganfainbergbknudson, so i agree with your comment a lot :)17:51
dstanekmorganfainberg: i think that's a side effect of the original spec only defining HEAD17:51
morganfainbergdstanek, probably17:51
*** hrybacki has joined #openstack-keystone18:00
*** mikedillion has quit IRC18:05
*** wanghong has quit IRC18:06
*** amirosh has joined #openstack-keystone18:10
*** morganfainberg is now known as morganfainberg_Z18:13
*** diegows has joined #openstack-keystone18:15
*** radez_g0n3 is now known as radez18:17
*** mrmoje has joined #openstack-keystone18:26
*** mrutkows has joined #openstack-keystone18:26
*** mikedillion has joined #openstack-keystone18:28
*** mikedill_ has joined #openstack-keystone18:32
*** mikedillion has quit IRC18:33
*** mikedill_ has quit IRC18:34
*** mikedillion has joined #openstack-keystone18:36
*** gyee_ has quit IRC18:36
*** ukalifon1 has joined #openstack-keystone18:40
*** bknudson has quit IRC18:40
*** hockeynut has joined #openstack-keystone18:42
stevemardstanek, https://gist.github.com/stevemart/c5f52d0592ca6944b3a218:42
stevemardstanek, i think we need to move it from the code, from initiator to the top level event object18:44
*** radez is now known as radez_g0n318:45
*** morganfainberg_Z is now known as morganfainberg18:47
*** radez_g0n3 is now known as radez18:53
KanagarajM2dolphm: could you please review https://review.openstack.org/#/c/113183/ Thanks.18:56
dolphmKanagarajM2: it's already near the top of our list of things to do to complete juno-3 https://gist.github.com/dolph/651c6a1748f69637abd018:59
dstanekstevemar: that sounds perfect19:00
*** praneshp has quit IRC19:00
KanagarajM2dolphm: sure thanks.19:01
*** mikedillion has quit IRC19:05
dstanekKanagarajM2: i haven't tried it yet, but does your patch change the responses for listing endpoints?19:07
*** amirosh has quit IRC19:07
KanagarajM2dstanek: there are no changes made to the REST API level19:07
*** amirosh has joined #openstack-keystone19:08
*** mikedillion has joined #openstack-keystone19:08
*** harlowja_ has quit IRC19:08
dstanekKanagarajM2: this was already on my list because Henry has patches based on this that I am interested in19:09
KanagarajM2dstanek: yes, today discussed with him in detail about my patch19:09
KanagarajM2dstanek: what is your patch19:10
dstanekKanagarajM2: i don't have any patches for this19:11
KanagarajM2dstanek: ok19:11
*** amirosh has quit IRC19:12
*** praneshp has joined #openstack-keystone19:14
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Hash for PKIZ  https://review.openstack.org/11465419:14
*** harlowja has joined #openstack-keystone19:15
*** hrybacki has quit IRC19:17
*** harlowja has quit IRC19:19
*** radez is now known as radez_g0n319:20
*** morganfainberg has quit IRC19:25
dstanekKanagarajM2: how will region_id be used in the future?19:26
dstanekKanagarajM2: i'm also a little concerned that the region field won't be output anymore for an endpoint19:27
*** morganfainberg has joined #openstack-keystone19:27
*** harlowja has joined #openstack-keystone19:28
*** ukalifon1 has quit IRC19:30
KanagarajM2dstanek: with my patch, endpoint['region'] is migrated to endpoint[region_id]19:32
dstanekhow would i set that in the REST API?19:32
KanagarajM2dstanek: in the db level, next step would be make it still API level which is having side effect on the client consuming the endpoint.19:33
*** harlowja has quit IRC19:34
KanagarajM2dstaneK: i will be submitting another blueprint for the 2nd step, which may come up for K release19:34
dstanekKanagarajM2: doesn't your migration break all existing endpoints that contain a region entry? i don't see how it would be returned in the API19:34
KanagarajM2dstanek: in the REST API there is no change made19:35
*** harlowja has joined #openstack-keystone19:40
dstanekKanagarajM2: i was mixing up what your _wrap_* methods do, our current behavior and what the spec says19:42
KanagarajM2dstanek: couldn't get your point, can you please explain in detail19:44
openstackgerritHenrique Truta proposed a change to openstack/python-keystoneclient: Implementing inherited role domain calls on keystoneclient v3  https://review.openstack.org/11608119:44
*** rm_work is now known as rm_work|away19:46
dstanekKanagarajM2: we don't seem to be returning region_id like it says in the spec http://docs.openstack.org/api/openstack-identity-service/3/content/list-endpoints-get-endpoints.html and your _wrap methods had me confused19:47
*** mrutkows has quit IRC19:50
openstackgerritThiago Paiva Brito proposed a change to openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/11184219:53
KanagarajM2dstanek: _wrap method is provided to make sure that the current endpoint is not broken at the api level19:55
dstanekKanagarajM2: i think this is actually broken19:57
dstanekendpoint now refers to region.name instead of region.id so if a user takes the endpoint.region and tries to use it as endpoint.id they will run into trouble19:57
KanagarajM2dstanek: I will look at this tomorrow.19:58
dstanekk, i'll put a note on the review19:58
morganfainbergugh....20:01
KanagarajM2dstanek: before go to bed, let me summarize the change, endpoint[region] will be converted to endpoint[region_id] then region[id] will be having endpoint[region_id], this will break the keystone client and middleware also,20:01
morganfainbergv2 tokens are a trainwreck :(20:01
morganfainbergwe just pull random crap from all over the place shove it into the issue_token method and get something out the other end20:02
*** mrmoje has quit IRC20:03
*** wanghong has joined #openstack-keystone20:07
dstanekdolphm: what is the driver behind making region_id a uuid?20:09
dolphmmorganfainberg: ++20:09
dolphmdstanek: vs user-specified?20:09
dstanekdolphm: yes20:09
morganfainbergdolphm, i'm honestly not sure how this actually works :P20:09
morganfainbergbut apparently it does.20:10
dolphmdstanek: just a fallback behavior20:10
dolphmdstanek: backwards compatibility with previously established conventions?20:10
dolphmi.e. not specifying an ID20:10
dolphmmorganfainberg: barely20:10
dstanekdolphm: i think that creates a disconnect in the API because the user specified value is no longer the id20:11
*** dims has joined #openstack-keystone20:15
dstanekwhere does http://docs.openstack.org/api/openstack-identity-service/3/content/list-endpoints-get-endpoints.html get generated from?20:17
dstanekand why is it not the same as http://developer.openstack.org/api-ref-identity-v3.html ?20:17
*** dims_ has quit IRC20:18
ayoungdstanek, can I dynamically create a variable in the local context out of a string?20:20
ayoungI do this all the time:20:21
ayoungtry:20:21
ayoung    OS_USERNAME = os.environ['OS_USERNAME']20:21
ayoungfor about 5 different variables.  I'd like to do it with a loop20:21
*** dims has quit IRC20:21
*** dims has joined #openstack-keystone20:22
dstanekayoung: not in any good way20:22
dstanekbeing explicit is almost always better anyway20:23
ayoungdstanek, nah20:23
ayoung:)20:23
*** radez_g0n3 is now known as radez20:26
dstanekayoung: sometimes you make me sad :-)20:31
ayoungdstanek, I'm going to do this20:31
*** morganfainberg is now known as morganfainberg_Z20:31
ayoung_os·=·Object()$20:31
ayoung                                                                                           |$20:31
ayoung                                                                                           |$20:31
ayoung                                                                                           |try:$20:31
ayoung                                                                                           |····params·=·['USERNAME',·'PASSWORD',·'AUTH_URL',·'TENANT_NAME']$20:31
ayoung                                                                                           |····for·p·in·params:$20:31
ayoung                                                                                           |········setattr(_os·,·p,·os.environ['OS_'+p])$20:31
ayoung                                                                                           |····except·KeyError·as·e:$20:31
ayoung                                                                                           |········raise·SystemExit('%s·environment·variables·not·set.'·%·e.message)$20:32
ayoungAHHH!20:32
ayoungsorry for the spew20:32
ayoungI'm using emacs in a split view terminal.  Of course it did that20:32
openstackgerritA change was merged to openstack/keystone: Add notifications for policy, region, service and endpoint.  https://review.openstack.org/11576320:32
ayoungdstanek, the alternative is to make a bunch of attributes on the object and use those to generate strings to get the values out of the dictionary.  That is more my usual approach to these20:33
*** adam_g has joined #openstack-keystone20:37
*** rm_work|away is now known as rm_work20:38
adam_gtrying to debug consistent tempest XML client failures, seem to be pointing to something in keystone. is this error obvious to anyone here? http://paste.ubuntu.com/8109045/ seems to have just crept into the ironic gate just today20:39
*** radez is now known as radez_g0n320:44
*** wanghong has quit IRC20:45
*** morganfainberg_Z is now known as morganfainberg20:47
dstanekadam_g: looks like an XML issue? is there any way to see the XML?20:48
dstanekadam_g: one possible way this could happen is a messed up declaration like: http://paste.ubuntu.com/8109124/20:49
adam_gdstanek, hmm not able to get at the XML from the archived logs.. trying to reproduce the issue locally. hopefully will have more20:51
dstanektopol: i found a few interesting QRadar videos on YouTube20:52
topoldstanek, this one is short and sweet:20:53
topolhttp://thoughtsoncloud.com/2014/04/guide-openstack-icehouse-release/20:53
topoldstanek shows Openstack CADF events triggering alerts in QRadar20:54
topoldstanek its only two mins long20:54
*** henrynash has joined #openstack-keystone20:55
henrynashanyone have a good understanding of how/if (currently) people link endpoints to regions in keystone?20:55
*** hrybacki has joined #openstack-keystone20:56
*** gokrokve has quit IRC20:57
dstanektopol: very nice20:58
topoldstanek, THANKS20:59
dolphmhenrynash: i'm working on a small patch for the endpoint policy API review if you don't mind20:59
henrynashdolphm: sure20:59
dolphmhenrynash: also, regarding your question above, have you seen https://review.openstack.org/#/c/113183/ ?21:00
topoldstanek, tools like QRadar allow you to setup rules and triggers and can even use the extra key value pairs you and stevemar were discussing21:01
henrynashdolphm: that was what prompted my question - I was reviewing that patch (and thinking about the endpoint policy)21:01
henrynashdolphm: the assumption made by https://review.openstack.org/#/c/113183/ is that nobody has created any region entities21:01
dolphmhenrynash: the short answer is that most people aren't yet, or are doing so very arbitrarily since we don't provide much in the way of structure there21:02
henrynashdolphm: while I had assumed that people would have created region entities with a matching ID to the endpoint[‘region’] attribute (kept in sync manually, today)21:02
dolphmhenrynash: eek, the migration should take that into account. i think the spec documents all the possible migration scenarios IIRC?21:03
henrynashdolphm: the migration doesn’t take that into account (at least, I don’t think so)…it will create a new region entity (with a new concealed ID), but with a ‘name’ attribute that has the old ID in it21:04
henrynashdolphm: see my comment at 10:27am on that patch….which describes my worry21:04
dolphmhenrynash: regions don't have names :(21:05
dolphmhenrynash: they're id + optional description21:05
henrynashdolphm: they do INTERNALLY with this patch, but the name is not exposed21:05
dstanekdolphm: not with this patch21:05
dolphmhenrynash: that's... odd21:05
dstanekhenrynash: i think the name is exposed where the ID is exposed today which is why i think this breaks the API21:05
dolphmhenrynash: also, i'd consider this out of scope for now, but your endpoint policy patch made me remember this: instead of returning the policy immediately on `GET /OS-ENDPOINT-POLICY/endpoints/{endpoint_id}/policy` ... we should 302 to the actual `GET /v3/policies/{policy_id}`. advantages: one resource to cache, one resource to provide real RBAC on, etc21:07
henrynashdolphm, dstanek: oops, yes, sorry the (new) name attribute is exposed21:07
dolphmdstanek: that sounds bad21:07
*** elmiko has joined #openstack-keystone21:07
dolphmdstanek: and not what i recall the spec outlining21:08
elmikohey folks, are usernames unique within a domain?21:08
henrynashdolphm: interesting…I had thought that it might be good to do something like that..21:08
henrynashelmiko: yep21:08
elmikohenrynash: thanks!21:08
henrynashdstanek, dolphm: this was how I described my worry with the current approach:21:09
henrynashPrior to this patch, a region has a region_id (which was usually supplied by the caller of create_region()). For an endpoint to be in that region, the endpoint['region'] field contains this region_id. After this patch, the "old region id" will be put in region['name'] and a real (but concealed) uuid region['id'] will be created, and the new endpoint['region_id'] will point to it. So far so good. But think of the following sequence (happening21:09
henrynashafter this patch is in):21:09
henrynashI read an endpoint, and it looks like it always did (since you have wrapped the get_endpoint() call to re-instate the endpoint['region']). This endpoint['region'] field contains what is (now) in the region['name'] column.21:09
henrynashSo as a caller I want to read the region entity for this endpoint...so I do what I always did and call get_region() with the endpoint['region']...and...it fails! Since get_region wants the REAL region_id, which has been concealed.21:09
dolphmthat's super overly complicated :(21:10
dstanekhenrynash: yeah, that's exactly what i was thinking/saying in my comment21:10
henrynashnow it isn’t that bad as long as nobody has created any region entities before…but I’m not sure we can assume that21:10
dolphmthat patch should primarily just be a sequence of migrations that don't affect the data model other than by making the endpoint region attribute a FK, not a bunch of obfuscated behavior in controllers21:11
dolphmhenrynash: we certainly cannot assume that21:11
henrynashi had a long conversation with KanagarajM today on this…..and they are basically assuming no regions before this patch21:12
dstanekdolphm: that's what i was thinking - making the existing region column a fk to the region table21:12
henrynashbe back in a bit…21:13
*** nkinder has quit IRC21:15
*** bknudson has joined #openstack-keystone21:17
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete  https://review.openstack.org/11220421:20
dstanekdolphm, henrynash: i think that spec is flawed21:21
dolphmdstanek: which one?21:22
dstanekhttp://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/juno/endpoint-table-missing-reference-to-region-table.rst21:22
*** jasondotstar has quit IRC21:27
openstackgerritDolph Mathews proposed a change to openstack/identity-api: Extension for endpoint policy association.  https://review.openstack.org/11229221:28
dolphmhenrynash: ^21:28
*** gokrokve has joined #openstack-keystone21:28
morganfainbergdolphm, i'm sad to say this but i don't know if we'll hit the non-persistent tokens with v2 tokens.21:28
dolphmmorganfainberg: it's a LONG road, what's left?21:28
morganfainbergdolphm, reworking all of the v2 validate/check/issue code to not assume random crap is shoved into it all over the place21:29
openstackgerritSteve Martinelli proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295821:29
dolphmmorganfainberg: let's land what we can, and suppress the config options for juno?21:30
dolphmwhatever doesn't make sense to expose, anyway21:30
dolphmslash, advertise21:30
morganfainbergdolphm, well, i don't think adding the options to go persistentless makes sense. but the rest of the scaffolding is in place21:30
openstackgerritA change was merged to openstack/keystone: Correct the signature for some catalog abstract method signatures.  https://review.openstack.org/11589521:31
morganfainbergdolphm, revocation events should be doable (have to hit middleware with that one), v3 from cms decode should be doable21:31
morganfainbergfor pki21:31
morganfainbergprovided the long chain of patches i have open lands / doesn't keep getting caught in rebase hell21:31
morganfainberg*most* of the hard work has been done, we now have a very limited path of token validation/check/issue21:32
morganfainbergbut the last big hurdle will be the v2 token issue/validate/etc that just assumes we pass junk to it and we can shove that exact junk into the token, which is how we end up with random crap in like token_ref['metadata']21:32
dolphmdstanek: bknudson: i think i addressed your concerns on https://review.openstack.org/#/c/112292/ cc- henrynash21:35
dstanekdolphm: i still think it's a little funky at the REST API level, but i wouldn't hold things up because of that21:36
bknudsondolphm is not lazy!21:36
dolphmmorganfainberg: ack.21:36
dolphmbknudson: ha21:37
dolphmbknudson: i'm lazy quite often21:37
*** henrynash has quit IRC21:39
*** hrybacki has quit IRC21:40
stevemardolphm, re: the endpoint policy api, shouldn't return something on a GET?21:42
*** hrybacki has joined #openstack-keystone21:42
stevemaralso, what's with the random 3 dashes :P21:42
*** zzzeek has joined #openstack-keystone21:46
*** hrybacki has quit IRC21:47
dstanekstevemar: six is third-party21:51
dstanekdolphm: things have to be proposed tonight and in review right? not actually merged21:52
dolphmstevemar: a 204 is fine for that GET21:53
dolphmstevemar: don't *have* to return a body, ever21:53
dolphmstevemar: our HEAD requests have been defined wrongly for awhile. the way the patchset above is now written is how they should all work. support GET first, with a 204 response, and then support HEAD on top of that that has the *exact* same response, but with a guaranteed lack of a response body21:54
bknudsonI wonder what apache does if you point it at an empty file.21:54
dolphmbknudson: like, static content apache serving an empty file?21:55
bknudsondolphm: ye21:55
bknudsonyes21:55
dstanekbknudson: i would guess 20021:56
bknudsony, I got 200 OK with Content-Length: 021:57
bknudsonthink of all the bytes they could have saved with a 204 No Content21:57
dolphmlol21:57
dolphmbknudson: wonder if nginx does something different...21:58
bknudsona HEAD request doesn't include the Content-Length.21:58
bknudsonbut it does if the file isn't empty21:58
dolphmbknudson: well then that's a bit weird21:59
bknudsonsaving a few bytes, I guess.21:59
openstackgerritDavid Stanek proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete  https://review.openstack.org/11220422:01
dstanekstevemar: ^ fixed my nit and i think i'm happy now22:02
stevemardstanek, oops, thanks boss22:04
dolphmbknudson: this is nginx http://pasteraw.com/2u9ah4s6dpfoc0sspscw5nr57ebq97o22:05
bknudsonkeep-alive by default... risky22:06
*** marcoemorais has quit IRC22:07
dolphm*shrug* on wheezy22:07
*** nkinder has joined #openstack-keystone22:07
*** marcoemorais has joined #openstack-keystone22:07
dstanekdolphm: squid?22:07
dolphmdstanek: i was wondering about that too. i'm at a coffee shop22:07
dstanekodd22:08
bknudsonthey're sniffing all your traffic22:08
bknudsonthey're going to wonder why you're downloading 0-byte files22:09
*** henrynash has joined #openstack-keystone22:09
*** marcoemorais has quit IRC22:09
bknudsonseems like a bug in httpd to not send the content-length header, the way I read the rfc22:10
*** jamielennox|away is now known as jamielennox22:10
*** marcoemorais has joined #openstack-keystone22:10
*** marcoemorais has quit IRC22:10
*** marcoemorais has joined #openstack-keystone22:11
*** marcoemorais has quit IRC22:11
*** marcoemorais has joined #openstack-keystone22:11
*** elmiko is now known as _elmiko22:12
bknudsonthe tempest failure on this one is kind of interesting -- http://logs.openstack.org/73/111573/4/check/check-tempest-dsvm-full/c5ce3bd/console.html22:12
*** gokrokve_ has joined #openstack-keystone22:12
bknudsonbecause it's actually keystone... "code": 401, "title": "Unauthorized"}}22:12
*** gokrokve has quit IRC22:15
bknudsonthe keystone log is horrible now22:15
*** kwss has joined #openstack-keystone22:17
henrynashdolphm: you ok to approve the endpoint policy API?  I might go back in after and tweak the position of OS-ENDPOINT-POLICY in the url….but let’s get a baseline in there22:18
ayounghenrynash, did I jump the gun on rebasing your patches?22:19
henrynashayoung: i doubt it!22:19
henrynashayoung: just off to look at those22:19
ayounghenrynash, I rebased on top of the endpoint region patch as you suggested in the comment22:19
ayounghenrynash, that and cleaned up the commit headers lines...removed the comment about rebasing.  No code changes22:20
henrynashayoung:…ahh good…and bad….since I hadn’t done that yet since I had concerns over that patch…as dolph and I were discussing earlier22:20
dstaneklbragstad: have you worked on the validation stuff recently?22:20
dolphmhenrynash: yes to the above22:20
henrynashdolphm: ok22:21
henrynashayoung: but thanks for doing the rebase!!!!22:21
ayounghenrynash, it's easy enough to break the link, but it seems like you are implicitly depending on it.  I wanted to ask you how?22:22
bknudsonthe keystone log doesn't have the request or response line in it anymore... this is going to make things difficult22:22
dolphmhenrynash: ooh, don't know if you looked at the diff, but i also added an explanation in parens to one of the first paragraphs22:22
henrynashdolphm: let me check22:23
dolphmhenrynash: something about being in descending priority22:23
dolphmhenrynash: although really, that behavior is implementation specific and doesn't belong in the API spec *shrug*22:23
henrynashdolphm: ah, yes, nice description.  great22:23
dolphm(now that i think about it)22:23
bknudsonwhere would the request / response line be... apache access.log?22:24
henrynashdolphm: ah well22:24
dolphmbknudson: yes22:24
bknudsonI don't think the jenkins runs gather that info22:24
dolphmbknudson: i think we still have apache-style access log middleware in contrib22:24
*** kwss has quit IRC22:25
henrynashayoung: well when I wrote that comment…I was assuming that the region-endpoint patch would change things like endpoint[region] to endpoint[region_id]....22:25
henrynashayoung: and the CURRENT (and I think consensus view is broken) patch is that although this is happening under the covers, it’s not exposed at the driver api level22:26
ayounghenrynash, so drop the rebase?22:27
ayoungOr do we need to rework the endpoint region patch regardless?22:27
dolphmhenrynash: ++ it should be endpoint['region_id']22:27
henrynashayoung: I think we need that rework regardless22:27
henrynashayoung: we just need to get the design of that patch right22:27
dolphmayoung: yeah, it needs that reworked and it's only about 60% of the spec implemented22:27
dolphmayoung: and frankly, i'd want the whole spec in one patch, otherwise things will have wonky (if not broken) behavior22:28
ayounghenrynash, OK, then let's keep it as a strict sequence of patches.22:28
morganfainbergbknudson, if we're missing log info we need to grab it.22:28
henrynashayoung:++22:28
henrynashayoung: so, indeed, thanks for the rebase!22:28
dolphmbknudson: easy patch to some file buried in infra i'm sure :)22:28
morganfainbergbknudson, if that is capturing another log from apache or whatever, let me know if i can help22:28
ayoungdolphm, and you agree that the endpoint-region one should land before henrynash 's?22:28
bknudsonmorganfainberg: I'll take a look at it.22:29
morganfainbergbknudson, sounds good22:29
dolphmayoung: probably, yes22:29
ayoungok.  henrynash let me know if you need a hand.22:29
henrynashayoung: thx22:30
* dolphm kinda want a daemon to give me growl notifications when a review i have starred has any sort of activity22:31
*** marcoemorais has quit IRC22:31
*** marcoemorais has joined #openstack-keystone22:31
*** marcoemorais has quit IRC22:31
*** marcoemorais has joined #openstack-keystone22:32
*** marcoemorais has quit IRC22:32
*** marcoemorais has joined #openstack-keystone22:33
openstackgerritA change was merged to openstack/identity-api: Extension for endpoint policy association.  https://review.openstack.org/11229222:35
*** topol has quit IRC22:36
*** marcoemorais has quit IRC22:36
*** marcoemorais has joined #openstack-keystone22:37
bknudsondevstack should set up log rotation for /var/log/apache2/keystone22:37
*** mrmoje has joined #openstack-keystone22:37
*** hrybacki has joined #openstack-keystone22:37
morganfainbergdolphm, that'd be cool22:41
morganfainbergdolphm, i pressed go on the stable backports for the catalog stuff (icehouse)22:41
morganfainbergdolphm, they all had recent checks and passed cleanly.22:41
bknudsonis there a way to tail -f 2 files?22:44
*** ayoung is now known as ayoung-afk22:45
morganfainbergbknudson, ... i think there is?22:45
morganfainbergbknudson, just put both like: tail -f <file 1> <file2>22:45
morganfainberg?22:45
bknudsonI'll try22:45
morganfainberglooks like it works22:46
bknudsonmorganfainberg: does it read from both files?22:46
morganfainbergbknudson, it should22:46
morganfainbergbknudson, bknudson  http://paste.openstack.org/show/98406/22:47
morganfainbergbknudson, i did an echo 1 >> to each file there22:47
bknudsonI'm going to see what happens.22:47
bknudsonmorganfainberg: it does work... looks funny though.22:50
morganfainbergbknudson, yeah it's awkward :(22:50
bknudsonwould be nice to not have the ==> keystone_access.log <==22:50
bknudsonI could grep them out.22:50
bknudsonsed22:51
*** shakamunyi has joined #openstack-keystone22:51
morganfainbergbknudson, i also need to circle back and finish https://review.openstack.org/#/c/102425/ so we have better formatted error log out of apache22:52
morganfainberg(back to oslo fmt)22:52
bknudsonmorganfainberg: that would help!22:53
morganfainbergbknudson, yeah need to fix the fedora case and it should be good.22:53
morganfainbergbknudson, i'll put that on my todo for tomorrow since i have a dentist thing - so less headache prior to teeth ache :P22:54
*** mrmoje has quit IRC23:05
*** marcoemorais has quit IRC23:10
*** marcoemorais has joined #openstack-keystone23:10
*** marcoemorais has quit IRC23:14
*** marcoemorais has joined #openstack-keystone23:14
*** stevemar has quit IRC23:15
*** joesavak has joined #openstack-keystone23:27
bknudsonmorganfainberg: https://review.openstack.org/#/c/116134/23:29
morganfainbergbknudson, i'm going to need to start using ==> [stuff] <== in keystone logs >.>23:30
morganfainbergbknudson, nice.23:30
bknudsonyou're going to wonder where it went.23:31
bknudson==> GOT HERE <==23:32
*** gordc has quit IRC23:34
*** henrynash has quit IRC23:35
*** zzzeek_ has joined #openstack-keystone23:40
*** zzzeek has quit IRC23:40
*** zzzeek_ is now known as zzzeek23:40
*** david-lyle has quit IRC23:41
*** alex_xu has quit IRC23:42
*** jorge_munoz has quit IRC23:45
*** zzzeek has quit IRC23:49
*** zzzeek has joined #openstack-keystone23:50
*** gokrokve has joined #openstack-keystone23:53
*** gokrokve_ has quit IRC23:53
*** gokrokve has quit IRC23:58
*** zzzeek has quit IRC23:58
*** oomichi has joined #openstack-keystone23:59
