Friday, 2014-09-05

« Thursday, 2014-09-04 Index Saturday, 2014-09-06 »
gyeewhat we get back are DNs and attributes, those are independent of search scope00:00
ayoung        if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:00:00
ayoung            return self._id_to_dn_string(object_id00:00
ayoungDNs are, but ID attribute is not00:01
gyeeI am not using the DN at all00:01
gyeejust straight attribute map00:01
ayoung        if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:00:01
ayoung        if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:00:01
ayoung            return self._id_to_dn_string(object_id00:01
ayounger...00:01
ayoung        if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:00:02
ayoung                                       obj = self.model(id=self._dn_to_id(res[0]))00:02
ayoungnot00:02
gyeethat won't fix the attribute map problem as we are still making assumptions on the DN00:02
ayoungif any([self.allow_create, self.allow_update, self.allow_delete]):00:02
ayoungthe assumptions are based on  if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:  not read only, though00:03
gyeehow do we know its read-only?00:03
ayounggyee, it does not matter00:03
gyeeayoung, I tested it with live LDAP and it works fine00:04
ayoungif it is read only, and self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL tjhe current logic is correct.  If it is read-write...I don't think you can write to LDAP if there is SUBtree set00:04
ayoungit doesn't know where to write the value00:04
gyeewhat? we use scope to determine read-only?00:04
ayoungno00:05
ayounguse scope to determine if the id is in a field or in part of the DN00:06
ayoungyour logic is wrong00:06
ayoungid is not in the id field00:06
gyeesearch scope and DN are unrelated?00:06
gyeeDN ain't gonna change because of search scope00:06
*** marcoemorais has quit IRC00:07
gyeeayoung, look at the tests and tell me what I break00:07
*** marcoemorais has joined #openstack-keystone00:07
ayoungI think that you break the case where  self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL00:07
*** mfainberg_phone has joined #openstack-keystone00:08
gyeeoneleve is the default config00:08
ayoungdid you run this against a live server?00:08
gyeeoh yeah00:08
ayoungdon't trust the unit tests.  they use fake ldap00:08
gyeedid both one and sub00:08
gyeeI have OpenLDAP running on  my dev vm00:08
gyeethat's how I confirmed the bug00:09
ayoungyou might have had a false negative then. If the id_filed matches what is in the attrbitue,  but it is really using the DN section, you won't see a failure00:09
gyeeI have both configurations setup00:09
bknudsonayoung: I think gyee is saying that the user ID isn't in the DN.00:10
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Always add auth URI to unauthorized requests  https://review.openstack.org/11926100:11
gyeebknudson, right, and we can't make that assumption for read-only ldap00:11
ayoungbknudson, user ID is in the DN if ONELEVEL00:11
*** mfainberg_phone has quit IRC00:11
ayoungand it is not in the DN if sub00:11
gyeeayoung, no, that's the assumption we are making00:12
ayoungbknudson, and if it happens to be that the DN section matches the attribute in the LDAP object, you won't know that you broke anything00:12
bknudsonayoung: the dn is like cn=Brant,ou=IBM -- attrs are user_id: bknudson00:12
bknudsonand you want to use user_id as the user ID attribute.00:12
ayoungbknudson, then do sub00:12
gyeebknudson, amen brother00:12
bknudsonayoung: does that work already?00:13
gyeeayoung, how does sub help? your DN still the same00:13
ayoungbknudson, yes00:13
ayounggyee, I'll link00:13
*** zzzeek has quit IRC00:13
morganfainbergbah just missed zzzeek00:14
morganfainbergdang it00:14
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n1255  bknudson gyee00:14
*** ncoghlan__ has joined #openstack-keystone00:15
ayoungbknudson, that code is based on a config file option.00:15
*** amcrn has quit IRC00:16
gyeeayoung, but we don't use that logic for lookup00:16
ayoungIf SCOPE_ONELEVEL  then the id to dn conversion is done in process with not call to ldap00:16
ayoungthat code is called from00:17
gyeeayoung, I follow the rabbit hole from here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n142700:17
*** gokrokve has quit IRC00:17
ayoungcreate...update...delete00:17
ayoungenabled....00:18
*** gokrokve has joined #openstack-keystone00:18
bknudsongyee: so you're saying the id in the result isn't the id that it's looking up in http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n125500:18
gyeefor read-only LDAP they are all disabled00:18
*** ncoghlan_ has quit IRC00:18
bknudsonit's more like line 125900:19
bknudsonit does a search with %(id_attr)s=%(id)s which uses user_id_attr00:19
bknudsonbut then when it builds the user dict to return it's not going to use id_attr anymore, it uses the first DN value00:19
gyeebknudson, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n125500:19
gyeethe get logic doesn't use id_to_dn map00:20
gyeesorry I mean line 142700:20
*** marcoemorais has quit IRC00:21
*** marcoemorais has joined #openstack-keystone00:21
bknudson_ldap_get still does %(id_attr)s=%(id)s00:21
bknudsonso it should find the right entry00:21
gyeethat logic is used for writable LDAP only00:21
gyeeright00:22
ayoungbknudson, self._ldap_get(object_id, ldap_filter)  should be called with the DN00:22
gyeethat's why I was explicitly checking for create, delete, and update00:22
gyeelike I said, I am not touching writable LDAP00:22
*** gokrokve has quit IRC00:22
bknudsonkeep it simple and don't mess with writable ldap00:22
gyeeright00:23
ayoungthis is a monster00:23
gyeeayoung, I think there's room for improvement in our LDAP code, but one at a time man :)00:23
bknudsongyee: if you're not touching writable ldap then why does https://review.openstack.org/#/c/117658/5/keystone/common/ldap/core.py have a change in create()?00:23
ayoungno, I think this is broken and your code is just succeeding out of pure luck00:24
gyeebknudson, because create() ignores the user_id_attribute map00:24
gyeebknudson, if I don't do that, fakeldap's not happy00:24
gyeewe need that attribute in there00:24
gyeeayoung, look at the tests and let me know which one is broken00:25
bknudsongyee: I'm worried that someone might have the same attr for id_attr and another attr and then create() wouldn't work right.00:25
ayounggyee, here is what concerns me.  And it is not your code00:26
ayoungget takes in an ID00:26
ayoungit does no transform and does an ldap lookup00:26
ayoung query = (u'(&(%(id_attr)s=%(id)s)'00:26
gyeebknudson, I don't see how that'll break stuff, we are using the user_id_attribute in the filter00:26
ayounghowever, all of the code that does actual morphs of the database uses a different piece of logic00:27
gyeeayoung, I am only fixing read-only LDAP00:27
ayoung  conn.add_s(self._id_to_dn(values['id']), attrs)00:27
gyeeayoung, if we don't have enough tests (unit or gate), than that's a different story00:27
ayounggyee, I understand that00:27
gyeeif I break stuff, the tests would've scream by now00:28
ayoungbut I don't think that Read/Write LDAP can function with the code as written00:28
ayoungget uses different logic than create00:28
bknudsongyee: what tests? we don't test enough00:28
bknudsonthere's no read-only gate test or r/w gate test.00:28
gyeebkudson, that's my point, we keep saying my changes break stuff, gimme evident00:28
ayounggyee, it is not your changes00:29
*** ncoghlan has joined #openstack-keystone00:29
ayoungI think the underlying code is broken, your changes just expose that00:29
ayoungwell, me looking at your code makes me suspect that00:29
*** ncoghlan_ has joined #openstack-keystone00:29
gyeewithout that change, we can't effectively support read-only LDAP, which is 90% of the use case if not more00:29
ayounggyee, its the fact that you two both read the code and say "read only is different from read write"00:29
ayoungthere was never logic in the code base that made that distinction00:29
gyeeayoung, only reason I touch create was because of fakeldap00:30
ayoungthe only logic we have had is onelevel versus subtree, with onelevel being a requirement of read-write ldap00:30
gyeecreate didn't take the user_id_attribute map into consideration00:30
ayoungwith good reason00:30
ayoung user_id_attribute is where all this logic hinges00:31
gyeeonelevel and subtree are all we care, base doesn't get use at all00:31
bknudsoncreate builds the DN and doesn't do a search to figure out the DN00:31
ayoungbknudson, right00:31
gyeebase are for schema lookup mostly00:31
bknudsoncreate doesn't work with subtree or onelevel00:31
bknudsonit just puts it where it wants it00:31
ayoungbknudson, yes it does00:31
ayoungcreate calss id_to_dn00:31
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n136400:32
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n1254  then id_to_dn checks00:32
bknudsonif it's created with cn=<id>,whatever , that will work with this code.00:32
bknudsonbecause the entry will get a cn: <id> attribute.00:32
*** ncoghlan__ has quit IRC00:32
bknudsonalthough it might wind up being multivalued and then it would break00:32
gyeehuh?00:33
bknudsonbut since this code is only used with read-only ldap you don't have to worry about create00:33
*** ncoghlan has quit IRC00:33
gyeebknudson, exactly00:33
ayoungreturn self.conn.add_s(dn, modlist)00:33
ayoungbknudson, my concern is that read only ldap is already broken00:34
ayoungnot that gyee is breaking it00:34
bknudsonayoung: that's what gyee is fixing00:34
gyeeayoung, only that part, we've been hammering it like crazy :)00:34
ayounger,, read-write ldap is broken00:34
gyeetesting it against both AD and OpenLDAP00:34
bknudsonread-write ldap is broken, agreed.00:34
ayoungbknudson, my concern is that read-write ldap is broken00:34
gyeethat's how we discovered the mapping issue in the first place00:35
bknudsonit works for some extremely limited use00:35
gyeeour read-write logic make assumptions, which is fine as we have control00:35
gyeebut for read-only LDAP, we must honor the mappings00:35
ayoungbut I think that this code also is wrong for certain read-onluy cases00:36
ayoungbknudson, if  I have  cn=ayoung,ou=cloud,cn=redhat,cn=com as my dn, but my object has CN=Adam  it is broken00:36
gyeeayoung, bknudson, let me know which test case to add, I'll be glad to do that00:36
ayoungand that is a common case00:36
bknudsonayoung: what's your user ID attr? cn?00:37
ayoungCN in the DN is a different value than the CN attribute00:37
ayoungbknudson, uid00:37
gyeeayoung, right, we can't use multivalued attribute as IDs00:37
gyeeI check for that as well00:37
ayoungsorry00:37
ayoungbknudson, yes,  my ID attr is CN and scope == onelevel00:37
bknudsonayoung: as gyee mentioned, you wouldn't be able to use cn with his change because it's multivalued.00:38
bknudsonyour entry would actually have 2 CNs00:38
ayoungbknudson no00:38
gyeefor multivalued attributes, we just can't determine the ID00:38
bknudsonCN: Adam and cn: ayoung00:38
ayoungbknudson, the CN=ayoung would be from the DN00:38
ayoungDN is not really an attribute00:38
bknudsonthe server will add it.00:39
ayoungbut it would be DN:  CN=ayoung,....00:39
morganfainbergayoung, so you'd use DN as the id attr then, and dn2str would be called?00:39
ayoungmorganfainberg, if only it were so simple00:39
bknudsonmorganfainberg: DN isn't an attribute.00:39
morganfainbergbknudson, oh.. right derp00:39
ayoungmorganfainberg, its a flipping mess00:40
bknudsongyee: how about if the attribute is multivalued then use the first RDN?00:40
morganfainbergwe could just force DN to be an attr in the translation layer. :P00:40
gyeebknudson, that's dangerous assumption00:40
bknudsongyee: you could check if the RDN attr is the ID attr00:40
bknudsongyee: then that would be the preferred value00:41
gyeebknudson, only if RDN is returned in order00:41
ayounggyee,  I think you need to replace the check in your code with a check for ONELEVEL00:41
gyeewhich I am not sure if that's guaranteed00:41
bknudsongyee: you could have a multi-valued RDN, but that's just weird.00:41
ayoungthat will fix part of the problem, but not all00:41
ayoungbut you don't get an attribute for ONELEVEL, so you need additional code to populate that00:41
gyeebknudson, I think we should error out for multivalued ID map00:42
ayoungdon't do your logic based on read-only, do it based on the query strategy00:42
gyeeayoung, no, I need to be able to support sub search00:42
*** stevemar has joined #openstack-keystone00:42
ayounggyee, that is the easy one00:42
gyeeI think think my changes have any dependency on one vs sub00:42
gyeesub search is very important for read-only LDAP00:43
ayoungits the other case I'm worried about00:43
ayoungyour code is correct for SUB00:43
ayoungit is not correct for ONELEVEL00:43
ayoungbut I think that get(obejct_id) is also not correct for one level00:43
ayoungand that really worries me00:43
gyeeit works for onelevel as well, I verified both configuration with OpenLDAP00:44
ayoungwhat calls get(object_id)...00:44
gyeeGET /users/user_id and GET /users00:44
ayoungby luck, I think, gyee, not by design00:45
gyeeayoung, I don't believe in luck :)00:45
ayounggyee, ok, than due to the fact that your DN matched the cn field in your ldap00:45
gyeesheeeit, I loose money everytime I go to casino00:46
*** Ugallu has quit IRC00:46
bknudsongyee: it all goes to topol00:46
gyeeayoung, I have cn=Guang Yee,ou=users,dc=acme,dc=com, and user_id_attribute=uid00:47
ayounggyee, in a read-write setup?00:47
gyeeayoung, no, I don't use read-write00:47
gyeejust read-only00:47
ayounggyee, ok,  so in that case  it will  work if you look up the user by LDAP uid  as the user_id00:48
ayoungeven if it is set to onelevel00:48
ayoungand it is not supposed to00:48
ayoungit is supposed to use cn=Guang Yee  asthe user id00:49
gyeebut the uid is not part of DN00:49
ayounggyee, right.  it should be00:49
ayounglooking for00:49
morganfainbergayoung, bknudson, i *thought* that if cn is part of the DN it can't be multi-value00:49
ayounguid=gyee,ou=users,dc=acme,dc=com,00:49
morganfainbergbknudson, ayoung, for example.00:49
morganfainbergmulti RDN always sound like it would be broken.00:50
bknudsonmorganfainberg: no, you can have multiple CNs and have one of them in the DN00:50
gyeemorganfainberg, it can be, we don't have control over how read-only LDAPs are deployed00:50
ayoungmorganfainberg, when I wrote this code, I thought that cn=ayoung,ou=users,dc=acme,dc=com  implied that the cn=ayoung attribute would be set on the user00:50
gyeeayoung, you want to add a test case for me, because I don't think I get what the issue is00:50
ayoungand my guess is that the reason this works at all is because everyone runnning with read-write ldap is doing that00:50
ayoungwhich is probably like three organizations00:50
morganfainbergbknudson, hm. there was something similar i tried ... but the attr for the DN wasn't multi-able. but... i might be misremebering the use case00:51
ayounggyee, you've exposed a bug00:51
morganfainbergor it was alreadya  non-multi attr.00:51
ayoungbut not one that I can see how to fix00:51
gyeeayoung, yay, I earned karma points00:51
ayounggyee++00:51
*** marcoemorais has quit IRC00:51
ayoungwe don't have a karma bot, sorry00:51
gyeeheh00:51
ayoungI'm going home.00:51
gyeeayoung, uh, the -1?00:52
ayounggyee, I don't know what to do about your patch00:52
morganfainbergayoung, make our ldap core check if one of the items from the attr is in the DN (we can do that) and if it is in the DN use it as the RDN instead of the non-RDN one00:52
ayoungI need to think about it00:52
morganfainbergayoung, otherwise bail on multi-attrs00:52
gyeeayoung, trust me, the shit works00:52
ayoungmorganfainberg, yes....00:52
morganfainbergayoung, shouldn't be awful to do that.00:52
bknudsonI'll mark gyee's karma point on my whiteboard.00:52
gyeeha00:53
ayoungmorganfainberg, I'm not certain we know that information when we do the transform, though00:53
morganfainbergayoung, it might take reworking, but we can ensure that info is available, ldap core *can* be made smart enough, just would be lowlevel smarts - we do have the DN, it's a question of using it and making sure it propagates up00:54
ayoungmorganfainberg, I think I would rather make the RDN case an explicit config value00:54
morganfainbergayoung, not opposed to that either tbh, that would work as well.00:54
ayoungLDAP.user_id_in_dn or something00:54
ayoungmorganfainberg, I think it is the only way out of the mess...00:54
morganfainberggyee, moved my score to +1 for the mapping, but down from +2 due to this convo00:54
morganfainbergayoung, i think either impl would work tbh, it's a question of which knob we want deployers to need to know to turn00:55
bknudsonmorganfainberg: ayoung: I'm not sure what situation you're worried about breaking.00:55
gyeemorganfainberg, I am not convinced anything is broken, we need test cases00:55
bknudsonis it just the multi-valued?00:55
ayoungmorganfainberg, lets ask marekd and the CERN folks.  I know of very few other people running the LDAP writable code00:55
morganfainbergbknudson, i think so00:55
bknudsonwe're not changing the writeable case.00:55
gyeeif anything breaks, show me a test case00:56
morganfainbergbknudson, and if we resolve this convo that we're not concerned i'll re up to +2. just don't want to make it look like it can merge00:56
ayoungbknudson, we are making logic based on writeable versus not-writable.  That distinction did not exist before00:56
ayoungat least not explicitly00:56
bknudsonwe should have.00:56
ayoungif nothing else, that check is exposing a bug00:56
gyeeayoung, can you add a test case in that patch so I know what's broken?00:56
ayounggyee, no I can't00:57
gyeethen I don't know what to fix00:57
ayounggyee, I thought I could, but I am too drainbead to do so00:57
gyeefirst rule of fixing a bug is to reproduce the bug00:57
gyeeayoung, that's fine, whenever you have time, appreciated00:58
ayounggyee, when you look at code and say "that should not work"  and you know it does, it implies something is wrong.  That is what happened here.  I believe that, empircally, you showed your code works for the cases you tested.  I also know that the logic between to parts of ldap is different that should be the same00:58
ayoungI think your code just avoids the problem cases00:59
ayoungbut it might be that the problem cases are dealt with through pure,dumb luck on my part00:59
gyeeayoung, then I think that should be a separate fix00:59
ayounggyee, but the logic in your code based on "writable" should not be there00:59
ayoungI understand it is you being cautious00:59
*** dims has joined #openstack-keystone00:59
ayoungwhat happens if you remove that check and that block?01:00
gyeeayoung, I bet if I remove that check and the tests still happy01:00
ayoungthe fact that you had to code around it in the create case indicates that something is wrong01:00
ayoungand that is why, right now, I can't change it away from -101:00
bknudsongyee: in the writable case we're saying we have control of the entries, so maybe you don't have to worry about it.01:01
gyeeayoung, anyway, show me a test case, I'll fix whatever01:01
gyeebknudson, right, I am not touching the writable part01:01
ayoungbknudson, I think, actually, that I might force the user_id field to be set to the same value as the RDN value01:01
bknudsonayoung: the LDAP server does that already01:02
bknudsonexcept maybe there's some old OpenLDAP that doesn't01:02
ayoungbknudson, no, I mean when we write the value from Keystone.  But no, an LDAP server would let you create aa DN with CN=ayoung,cn=redhat  but an attribute of cn=Adam01:02
bknudsonayoung: yes, but it would add the CN=ayoung to the entry.01:03
ayoungits just that the writable LDAP code makes an assumption that just happens to work01:03
bknudsonso you'd have 2 CNs01:03
ayoungbknudson, and that would be fine for search01:03
*** dims has quit IRC01:03
ayoungbecause it would be searching for the one that had CN=ayoung ...01:03
bknudsonnot with gyee's code.01:03
ayoungright01:03
ayounggyee, I really do apologize for this code01:04
*** dims has joined #openstack-keystone01:04
bknudsonthe problem is we provided a r/w ldap. should have stopped at read-only01:04
ayoungbknudson, wasn't an option01:04
ayoungbknudson, identity used to contain tenants01:04
gyeeI haven't come across any requirement for writable LDAP yet01:04
ayounggyee, cuz I fixed that01:05
gyeemaybe just CERN01:05
ayoungremember splitting identity01:05
gyeedefinitely not enterprise customers01:05
*** david-lyle has joined #openstack-keystone01:05
ayounggyee, without writable LDAP in the past, you could not have new projects01:05
ayoungbut...water under the washed out bridge01:05
*** dims_ has joined #openstack-keystone01:06
bknudsonthe LDAP admin can create entries for projects01:06
ayounggyee, anyway...I'll take another look at it tomorrow with a fresh set of eyes, and I'll help you come to a conclusion01:06
bknudsonor just use groups or something01:06
ayoungbknudson, I did use groups to begin with01:06
gyeeayoung, thanks01:06
ayoungthe horror,  the horror01:06
bknudsonthe role assignments are a real horror01:06
ayounggyee, I think that you can just remove the if and the top block.  Can you start by testing just that?01:07
gyeeremove the create, delete, and update check?01:07
ayoungyes, and the code below it01:07
*** dims has quit IRC01:08
gyeek, lemme give it a shot01:08
ayounggyee, just test it and let me know what you find.  I'm goingto head home.01:09
gyeeayoung, will do01:10
*** ayoung has quit IRC01:13
*** dims_ has quit IRC01:14
openstackgerritA change was merged to openstack/keystone: use one indentation style  https://review.openstack.org/11889401:14
*** dims has joined #openstack-keystone01:14
*** david-lyle has quit IRC01:16
gyeebknduson, morganfainberg, ayoung, yeah, we suck, we use multivalued attributes in our tests01:18
gyeefor cn01:18
*** dims has quit IRC01:19
*** gokrokve has joined #openstack-keystone01:19
gyeecn=Doe\\5c, John,ou=Users,cn=example,cn=com01:20
*** dims has joined #openstack-keystone01:20
bknudsongyee: if it's multivalued then use the value from the DN like it was before.01:20
gyeeif I change it to cn=Doe\\5c, John,ou=Users,dc=example,dc=com, everything's happy01:20
gyeebknudson, yeah, I don't think I have much choice01:20
gyeeeither that or changes the tests01:21
bknudsonif the tests are wrong then fix the tests01:21
gyeebknudson, I don't want to touch the tests, we are not wrong, but I doubt anybody would deploy the LDAP that way01:21
gyeefor domains, usually dc=01:22
gyeenot cn=01:22
gyeethat's what AD and OpenLDAP uses by default01:22
bknudsongyee: I don't understand why changing it to cn from dc would make a difference for the tests01:23
gyeebknudson, because dn would not longer multivalued01:23
bknudson??01:23
gyeeright now, if DN is cn=Doe\\5c, John,ou=Users,cn=example,cn=com, the cn attribute contains ['Doe\\5c, John', 'example', 'com']01:23
bknudsonreally?01:24
gyeecn returned from the search01:24
gyeewhich is expected01:24
bknudsonthat's f'ed up.01:24
stevemarjamielennox, ping01:24
bknudsonwhy is that expected?01:24
gyeesorry, expected from our fakeldap logic01:24
bknudsonthat's just broken01:24
stevemarjamielennox, actually... give me a few  minutes, need to get my links all together01:24
bknudsonit's fakeldap it's not supposed to be brokenldap01:25
gyeehehe01:25
gyeeyeah man, lemme see if I can go through that hairball01:25
* gyee feels like Alice in Wonderland01:26
bknudsonyou're down the rabbit hole now01:26
gyeeheh01:26
jamielennoxstevemar: ready when you are01:26
gyeeah, fuggit, I'll look after dinner01:27
*** tqtran has quit IRC01:39
*** ncoghlan__ has joined #openstack-keystone01:41
*** yasukun has joined #openstack-keystone01:43
*** ncoghlan_ has quit IRC01:45
*** dims has quit IRC01:46
*** dims has joined #openstack-keystone01:47
*** dims_ has joined #openstack-keystone01:49
*** dims has quit IRC01:52
*** ayoung has joined #openstack-keystone01:54
*** dguitarbite has joined #openstack-keystone01:55
*** diegows has quit IRC01:56
*** david-lyle has joined #openstack-keystone01:56
*** diegows has joined #openstack-keystone01:58
*** ocho has quit IRC02:02
*** david-lyle has quit IRC02:02
stevemarjamielennox, so i was gonna ping you about the horizon / kerberos stuff that was on the ML02:10
jamielennoxstevemar: yea, i got to the end of that email and nearly didn't send it02:11
jamielennoxi think ayoung was talking much more about the token fetching process than the how to fetch a token02:11
stevemarjamielennox, haha, don't worry, i just wanted a short sounding board.02:11
stevemarshort discussion / sounding board*02:11
jamielennoxok - wasn't sure how shortening it helped02:12
stevemarjamielennox, so from my (selfish) PoV, i just want the federation stuff to work, kerberos is an afterthought02:12
stevemarjamielennox, i think you totally nailed it wrt a function to list IdPs02:13
jamielennoxso this has come up internally a few times how we want this to work, and my suggestion is just list what's available and let other people do the smarts02:13
jamielennoxkerberos is a bit of a problem child02:13
stevemarand AFAIK, once the user inputs her username / password, it sends off a request to this function in DOA: https://github.com/openstack/django_openstack_auth/blob/0a0db68468a5a9a56c0f57b9b96eaa008b4b0d10/openstack_auth/backend.py#L86-L9802:13
jamielennoxphh, obviously something stupid02:14
*** diegows has quit IRC02:14
jamielennoxuses v3 though, that's kinda good02:14
stevemarjamielennox, i was thinking that if the user ends on selecting an idp, then we could use the samlunscopedtoken plugin we already have02:15
stevemarhopefully meaning that we don't need any new html (aside from maybe a drop down box)02:15
stevemaryep, v3 is good02:15
jamielennoxlol - i'm not much of a designer but we can probably do better than a drop down box02:15
jamielennoxso if we have a way of listing idps then we should have a way to determine from that which plugin would be required for that idp02:16
jamielennoxsome sort of hints, not sure exactly what02:16
jamielennoxsame as if we have a way to query available 'method': ['xxx'] values02:17
stevemarjamielennox, agreed, i'm just trying to connect the dots02:18
jamielennoxfrom that i *think* most of what horizon has to do is provide a nice way of fetching user details or redirecting to places and match up the plugin to the idp02:18
stevemarjamielennox, so i'm wondering if i'm missing any other dots here?02:18
ayoungstevemar, I'm here now02:19
jamielennoxright - there are obstacles, saml2 assumes ECP but none of that is a real problem02:19
stevemarayoung, i gotta check out your reviews for DOA02:20
jamielennoxstevemar: unrelated https://etherpad.openstack.org/p/token2saml have a look at dolphm's comments02:20
ayoungstevemar, don't rush.  I've got to rework them basd on what I learned/discussed today02:21
stevemarayoung, i was thinking plugins would have been used02:21
dstanekbknudson: what is the point of _LI vs. _?02:21
ayoungstevemar, sort of.  I think that the short solution is that if the Horizon URL is kerberized, we'll assume we need to do kerberos to Keystone as well02:22
ayoungstevemar, mod_auth_kerb sets a bunch of vars02:22
ayoungstevemar, this ugly code you can see checks for   https://review.openstack.org/#/c/115463/1/openstack_auth/backend.py,cm   https://review.openstack.org/#/c/115463/1/openstack_auth/backend.py,cm02:23
ayoungos.environ['KRB5CCNAME'] = request.META['KRB5CCNAME']02:23
ayoungstevemar, so I don't think DOA will have plug ins so much as it will have logic to handle the auth mechansim it determines needs to be used02:24
ayoungthe _auth_  mechanism in Django is supposed to be the plugin arch itself02:24
ayoungjamielennox, where would the "supported mechanisms" url live in your proposal?02:25
jamielennoxayoung: can we expose plugins to a higher level that that?02:25
*** dims_ has quit IRC02:25
ayoungjamielennox, ah, I see, under /auth02:25
jamielennoxnot sure, i think one part of GET /auth02:25
ayoungGET /auth  would list them....02:25
*** dims has joined #openstack-keystone02:25
jamielennoxthere are other things i think would want to be there as well02:26
ayoungand then you would see /auth/kerb and /auth/password?02:26
ayoungor a map that implies that same info02:26
ayoungjamielennox, " can we expose plugins to a higher level that that?"  what do you mean?02:26
jamielennoxayoung: i'm not sure yet, having /auth/password is a fairly large departure from our current02:26
*** harlowja is now known as harlowja_away02:27
jamielennoxhowever we need to be able to support having /kerb and others on a different URL that straight /auth/tokens02:27
ayoungjamielennox, right....I feel like we are doing stuff specific to Keystone that is already handled by the HTTP protocol.  THis is Negotiate type stuff.02:27
jamielennoxi don't know when negotiate is used outside of kerberos02:28
ayoung /kerb really is due to shortcomings of the Apache auth model:  doesn't allow fallback02:28
ayoungjamielennox, if you hit a page with no auth you get a list of support auth mechanisms02:28
jamielennoxit's a problem of the clients as well, requests-kerberos at least has no way to send a ticket opportunistically - ie without getting a 401 first02:29
ayoung401 Unauthorized  " The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource."02:29
jamielennoxayoung: well timed then: https://review.openstack.org/#/c/119261/02:30
*** dims_ has joined #openstack-keystone02:30
*** dims has quit IRC02:30
ayoungjamielennox, I think I like that one...02:31
ayoungyep, I'm sure of it02:31
jamielennoxok, so for keystone though we need a way to discover this stuff and probably not just on 40102:32
ayoungright02:32
jamielennoxthis is another reason for the unscoped catalog as well02:32
ayoungthe thing is, for federation, doesn't it depend on the IdP02:32
ayoungNo, unscoped catalog is after authentication,  too late for this02:33
jamielennoxi can only think that GET /auth would include a link to GET /OS-FEDERATION/idp if federation is enabled02:33
ayoungjamielennox, what if we treated keystones internal IdP as just another federated IdP?02:33
jamielennox... what if keystone didn't have an internal idp ..02:34
jamielennoxi know - done to death02:34
ayoungjamielennox, 3 classes of users: employees, partners, customers02:34
jamielennoxso you want to actually mount it behind /OS-FEDERATION or redeisgn /auth02:34
ayoungfor customer (people that pay us to use our cloud) we need a way to create them02:34
ayoungI think /OS-FEDERATION needs to be core, so /auth02:35
jamielennoxayoung: right - that doesn't need to be *internal* though02:35
ayoungjamielennox, there are other issues, too02:35
ayoungFederation for partners and customer02:36
ayoungyou don't want to advertise to everyone who is using your cloud02:36
ayoungPepsi should not look at the customer list and see Coke in there02:36
jamielennoxi think we've mixed up ideas here02:37
jamielennoxback on topic then - so how would we list out available auths02:37
jamielennoxor more rightly how would we manage them02:37
jamielennoxso if /auth gave you /auth/password /auth/kerb etc02:38
jamielennoxfederation has create idp, create protocol, fix up apache based on all this02:38
jamielennoxbrb02:38
ayoungjamielennox, the question is how do we list available auths for a given IdP02:39
ayoungfor employees that is LDAP02:39
ayoungfor Partners it is Federation02:39
ayoungfor customers it is SQL in Keystone02:39
ayoungnow,  I'ld like to convert SQL also to LDAP02:39
ayoungbut they are both fronted by the existing Keystone APIs02:39
ayoungSo  /auth  really needs to list the mechanism that keystone the token-generator accepts.02:40
ayoungthat would be /kerb  /password and  /x50902:40
ayoungand then /SAML  or maybe just /Fed02:41
stevemarjamielennox, see i was thinking /auth would just list the auth methods in keystone.conf02:46
*** richm has quit IRC02:46
stevemarayoung, what exactly does 'kerberizing' a url mean?02:47
stevemarit makes me think that horizon is going to have a dependency on kerberos and that makes me sad02:47
ayoungstevemar, not a dependency02:47
ayoungjust a potential to support02:47
ayoungthe Kerberos config is done at the Apache level02:47
ayoungstevemar, I (of course) have a blog post about it02:48
ayounglet me find it02:48
ayoungstevemar, http://adam.younglogic.com/2014/07/kerberos-for-horizon-and-keystone/02:48
ayoungabout 2/3rds of the way through that blog post I have an sample apache config02:49
ayounglook for <Location "/dashboard/auth/login/">02:49
jamielennoxstevemar: kind of like federation you need an apache module so you can't just use /auth/token02:49
stevemarhmmm, ok02:50
stevemarayoung, jamielennox so how does this fit together with your keystone cops stuff?02:51
stevemari guess that question is more ayoung than jamielennox02:51
ayoungstevemar, cops will be a follow on approach02:51
ayoungit needs CORS support and I think that is going to be non-trivial02:51
stevemargotcha02:51
ayoungcops will  be the long term solution though02:51
ayoungmore correctly, Horizon will be rewritten as a single page app and make requests direct to the services out of the browser02:52
stevemarso this current approach - just playing around with the DOA backend.py file, and loading /auth /idps, we should call it something02:52
ayoungDOAK02:52
jamielennoxso do we expect for the stnadard password authentication exchange people would GET /auth find the url for password and then go there?02:52
ayoungpronounces DOAK02:52
stevemarcause I want it to clearly distinguish itself from that webSSO spec we had a while ago02:52
ayoungstevemar, I think the COPS apporach will incorporate webSSO02:53
stevemarbut i'm thinking K release, not O or P (or whenever horizon switches to CORS)02:53
ayoungstevemar, I think we can do CORS in Kilo02:54
stevemari thought you said it depends on horizon being re-written?02:54
ayoungstevemar,  for CORS we can do magic in Auth token middleware that allows all service/endpoints to support OPTIONS02:54
ayoungno, other way around02:54
ayoungrewriting Horizon requires CORS.  We have to be first02:55
stevemarayoung, is OPTIONS something specific, or did you just capitalize for fun?02:56
jamielennoxso i only know the basics here but CORS is like ~50 lines of middleware in keystone right?02:56
ayoungOPTIONS is an HTTP verb that all of the services need to support for CORS02:56
ayoungjamielennox, about that02:56
stevemargotcha02:56
jamielennoxpossibly even a general middleware so that horizon can do the same thing with other services02:56
stevemarayoung, agree or disagree, we would need to change the horizon login screen? to show the idps a user can connect to?02:57
ayoungstevemar, not sure02:57
ayoungstevemar, for Federation...proba bly?02:57
stevemarayoung, why would you be opposed?02:57
jamielennoxayoung: going beyond kerberos to federation though - surely02:57
stevemaryeah02:58
ayoungyeah, and I think that for Federation is should be something like:02:58
ayounghere are list of known supported Idps, or enter your own URL here:02:58
ayoungnot sure if that is the Horizon login screen or what, but, yeah, we need a page flow for it02:58
jamielennoxsurely we want something like https://sites.google.com/site/oauthgoog/UXFedLogin/summary02:58
jamielennoxoption 102:59
stevemarjamielennox, what would the buttons be?02:59
ayoungjamielennox, something like....03:00
jamielennoxah, right this is what you meant by we can't necessarily publicly list our partner idps03:00
ayoungnot sure if the list of supported Federated buttons needs to be there, but yeah03:00
ayoungright03:00
ayoungso we need a "provide your own link"  field and then we can say "sorry, not supported"03:01
jamielennoxayoung: well that was part of the idea, to explicity say which one do you want to log in with03:01
ayoungI've seen that in other openid based work flows03:01
ayoungyep....and I don;t know that this is just our problem to solve....cross project meeting with Horizon at the summit for sure03:01
jamielennoxi don't want to have idp urls as part of a login flow03:01
ayounghttp://www.joyoftech.com/joyoftech/index.html03:02
ayoungah, cloud security03:02
openstackgerritwanghong proposed a change to openstack/keystone: remove default check keys in assertValidEntity  https://review.openstack.org/11257303:03
ayoungjamielennox, I think it needs to be there, but once the user enters it once, we can remember in a cookie03:03
*** ncoghlan__ is now known as ncoghlan_afk03:03
jamielennoxmaybe we need to scope a horizon instance to a domain03:04
*** dims_ has quit IRC03:04
jamielennoxugh - that doesn't mean anything here - ignore that03:04
stevemarjamielennox, yeah, i'm not liking the urls there either03:05
*** dims has joined #openstack-keystone03:05
jamielennoxso there are two very different use cases here03:05
jamielennoxlisting idps is a normal activity and should be open03:05
stevemarjamielennox, ayoung i was hoping to have a drop down that listed idps + localauth (for service users)03:06
jamielennoxlisting idps is very secret03:06
jamielennoxstevemar: ++03:06
stevemarwhy would it be very secret?03:06
ayoungjamielennox, so we have a list of public IdPs and a list of not so public IdPs03:06
jamielennoxstevemar: learning which companies are partners of your public cloud03:06
*** wanghong has quit IRC03:07
stevemarjamielennox, well, we could have a new idp field that makes it a partner or not, so it doesn't appear, but how would the user select it then?03:07
jamielennoxstevemar: this is the problem03:07
ayoungstevemar, for a partner, we assume that the company passes out the URL to use over an internal email03:07
jamielennoxso we have that new google apps trial and if i want to login to that i enter my @redhat.com email address and get bounced to the saml server03:08
ayoungand they cut and paste it in03:08
jamielennoxthat's nice and easy because my username contains my domain name03:08
jamielennoxhow is horizon expecting to deal with multiple idps in different domains anyway?03:09
jamielennoxusername is no longer a sufficient login03:09
*** dims has quit IRC03:10
jamielennoxthis is kind of what i meant earlier by scope horizon to a domain03:10
ayoungif you don't specify domain, you get the default domain03:11
ayoungheh03:11
jamielennoxwhat does that look like, i haven't seen juno horizon03:12
stevemarjamielennox, i tink it's the same thing03:13
ayoungno idea...didn't get V3 Horizon working03:13
stevemarthey just always assume default domain03:13
jamielennoxso our problem here is just an extension of that right?03:13
jamielennoxyou should be able to list the idps available for your domain03:14
stevemarthats what it looked like in the code that i saw03:14
stevemarbut you can't login without knowing your idp or domain03:14
jamielennoxyou should be able to list the idps available for your domain03:15
jamielennoxoops, wrong screen for up + enter03:16
openstackgerritwanghong proposed a change to openstack/keystone: remove default check keys in assertValidEntity  https://review.openstack.org/11257303:17
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Always add auth URI to unauthorized requests  https://review.openstack.org/11926103:18
*** wanghong has joined #openstack-keystone03:19
jamielennoxayoung: that review https://review.openstack.org/#/c/119261/ failed the py33 gate so had to re-upload03:21
ayoungok.  I'll wait to see if it passes, and, if so, I think it is safe to reapply the +A03:22
*** radez is now known as radez_g0n303:27
stevemaroh neat, devstack now creates another domain just for heat users and projects03:27
jamielennoxstevemar: i think that's a heat requirement rather than a devstack specific thing03:28
stevemarjamielennox, heres v3 horizon http://imgur.com/HgUzJYH03:30
stevemarso you can switch projects, and get a project scoped token03:30
stevemarbut theres no knowledge of domains yet03:31
stevemarAFAIK...03:31
jamielennoxi dont think horizon needs to know much about domains03:31
stevemarjamielennox, should have some knowledge, at least to list them03:31
jamielennoxdomain admin is a rare enough thing it can remain cli03:32
jamielennoxstevemar: it has no way to know which users have the priviledges to list domains03:32
jamielennoxand its kind of a bad UX to provide a button that only your super admins can use03:32
stevemaruse the same logic that the cli uses03:32
stevemarjust list none if you can't access any03:33
stevemarmeh03:33
jamielennoxyea, we have /auth/domains now - so that's essentially the same thing03:33
stevemarjamielennox, blah, we are going to run into a problem in DOA, it relies on users having a domain03:35
jamielennoxstevemar: inputted you mean03:35
stevemarjamielennox, i'm thinking of federation issued tokens, they don't have one03:35
stevemarwe really should just put a damn dummy id in there03:36
jamielennoxstevemar: i don't think that matters user_domain_id is just for auth lookup03:36
jamielennoxonce you've got the token it shouldn't matter03:37
stevemarjamielennox, i'm glad we're all at least - relatively - on the same page03:37
jamielennox:)03:37
jamielennoxstevemar: did you have a look at that etherpad03:39
stevemarjamielennox, i'm actually looking at that now03:40
stevemarand then i looked at zuul, and saw my patch at the top of the queue! yay!03:40
stevemarafter 5 rechecks it's finally there!03:40
*** jorge_munoz has left #openstack-keystone03:43
jamielennoxhttps://kantarainitiative.org/SWITCHwayf/WAYF.php?entityID=https%3A%2F%2Fkantarainitiative.org%2Fshibboleth-sp&return=https%3A%2F%2Fkantarainitiative.org%2FShibboleth.sso%2FWAYF%3FSAMLDS%3D1%26target%3Dcookie%253A1409888557_e9a703:43
jamielennoxso drop down boxes might still be a thing03:43
jamielennoxbetter link http://kantarainitiative.org/confluence/display/ulx/Home03:44
stevemarjamielennox, yep, i recall the UKent folks had drop downs too03:47
openstackgerritA change was merged to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/11413803:47
stevemarthats pretty neat03:47
jamielennoxhttp://www.slideshare.net/CloudIDSummit/02-dawes-relying-party03:47
jamielennoxstill heavily relies on have an @domain though03:48
jamielennoxand maybe that is the answer, to login via horizon you need to do username@domainname and we start pushing people towards email addresses03:49
jamielennoxthen associate domains with idps03:49
stevemarjamielennox, that works from a UX side03:50
bknudsondstanek: they go in different catalogs and it gives a hint to the translator which ones are more important03:51
openstackgerritwanghong proposed a change to openstack/keystone: Make the the assertValid<Entity> calls internal.  https://review.openstack.org/11928403:51
dstanekbknudson: what about cases where the same message is used multiple times like http://paste.openstack.org/show/106234/ ?03:54
*** yasukun has quit IRC03:56
*** yasukun has joined #openstack-keystone03:57
*** yasukun has quit IRC03:58
*** yasukun has joined #openstack-keystone03:59
*** ncoghlan has joined #openstack-keystone04:04
*** ncoghlan_afk has quit IRC04:08
*** ncoghlan_ has joined #openstack-keystone04:10
*** ncoghlan__ has joined #openstack-keystone04:10
*** ncoghlan__ is now known as ncoghlan_afk04:10
jamielennoxstevemar: so what do we do about region urls ?04:11
stevemarjamielennox, right, i agree with what dolphm said in his first and longest response04:12
stevemarthats the flow we envisioned at the mid cycle meet up04:12
stevemari agree that it is completely meaningless for a non-federated case04:12
stevemarjamielennox, your statement "given this token, what other clouds can i access?"04:13
stevemari don't think thats something we thought of, or want to support, it's a bit too dynamic i think (for our setup right now)04:14
*** ncoghlan has quit IRC04:14
stevemarauthN with your local keystone, then ask for saml assertion for another cloud, it's scoped to one cloud04:14
*** ncoghlan_ has quit IRC04:14
jamielennoxstevemar: how is that different to listing regions and seeing all the available URLs04:15
jamielennox?04:15
jamielennoxalso it's not so much that i disagree with the case i just don't think that region is the right concept to use04:15
stevemaroh, i thought you meant that the token can be used at another cloud04:15
jamielennoxno, you shouldn't be able to use your token on another cloud - your token is relative to the keystone that issued it04:16
stevemarcorrect04:16
jamielennoxi just mean a listing of known "partner" (for lack of a better word) clouds04:17
*** miqui has quit IRC04:23
openstackgerritguang-yee proposed a change to openstack/keystone: Use id attribute map for read-only LDAP  https://review.openstack.org/11765804:34
dtroyer_zzjamielennox: are you familiar with novaclient's timing facility to time each API request?04:40
jamielennoxdtroyer_zz: i am04:40
dtroyer_zzhow would you feel about adding that to the ksc session?04:41
jamielennoxdtroyer_zz: i've been trying to avoid it, it seems to be a CLI only thing04:41
dtroyer_zzok.  I'm going to see if I can figure out a hook to do it somehow then04:42
jamielennoxhowever would reconsider if there is other need04:42
jamielennoxdtroyer_zz: for OSC it's simple04:42
jamielennoxsubclass Session, override request() with a time.start, super(), time.finish04:42
dtroyer_zzright….some people don't like my subclasses ;)  that's the way I'm probably headed04:43
jamielennoxi was doing that in some messing around i was doing with novaclient CLI04:43
jamielennoxdtroyer_zz: so everything goes through request() on purpose to allow for stuff like that04:44
jamielennoxthe other option is you could pass your own requests.Session to ksc.Session which did timing04:44
jamielennoxif you trust there interfaces more than mine04:44
dtroyer_zzthat's how I have to actually use my subclass, right?04:44
jamielennoxno04:45
jamielennoxclass TimedSession(Session):04:45
jamielennox    def request(self, *args, **kwargs):04:45
jamielennox        time_start = time.now()04:45
jamielennox        resp = super(TimedSession, self).request(*args, **kwargs)04:46
jamielennox        time_stop = time.now()04:46
jamielennox        # add to timings list04:46
jamielennox        return resp04:46
jamielennoxthen just use that instead of ksc.Session04:46
dtroyer_zzI get that part…oh, I see the difference…I'm already creating my own session in OSC in the ksc.session review, so it'll just work04:47
*** rushiagr_away is now known as rushiagr04:47
jamielennoxyea. OSC is an application so somewhere you must be creating the session04:48
jamielennoxit should be relatively easy to override the Session.get_options() as well if you are using Session.load_from_cli_arguments()04:50
dtroyer_zzI'm not using that (yet)…first step is to just duplicate the existing functionality, and I'm having a hard enough time to string together enough minutes to get this far04:51
stevemardtroyer_zz, can we expect a new patch soon-ish? with plugins being used :D04:52
stevemardtroyer_zz, just read your last sentence.... when you reference time in minutes, you know you're short on time04:52
jamielennoxdtroyer_zz: if you want me to take a look or have a go at anything let me know04:52
dtroyer_zzstevemar: if I don't fall asleep first, maybe even tonight.  but I've been playing with oscquintette and replacing client libs directly…its getting fun04:52
dtroyer_zzjamielennox: will do, thanks.  maybe once I get something that passes some tests04:53
*** yasukun has quit IRC04:58
*** yasukun has joined #openstack-keystone05:00
*** kevinbenton has quit IRC05:03
*** ncoghlan_afk is now known as ncoghlan__05:04
*** kevinbenton has joined #openstack-keystone05:06
*** gokrokve_ has joined #openstack-keystone05:09
*** yasukun has quit IRC05:10
*** gokrokve has quit IRC05:11
stevemardtroyer_zz, bahhhh on swift05:19
mfischbknudson: I sent you and morgan some more data on the utf8 decode issue05:19
stevemari have no idea how swiftclient downloads an object05:20
mfischit does not like my msExhangeSecuritySomethingOrOther field from AD05:20
mfischstevemar: under the hood it uses zmodem05:20
stevemarmfisch, i don't even know if that a joke05:20
dtroyer_zzstevemar: don't listen to mfisch, it's really xmodem.  1k blocks are for wimps05:21
mfischmaybe stevemar is not old like us05:21
stevemarupon googling i now know that it is infact, a joke05:21
mfischpretty sure swift uuencodes files first though05:21
dtroyer_zzya, he doesn't even know how much of an improvement it was for procomm to support ymodem-batch05:21
stevemardtroyer_zz, just for you: https://pypi.python.org/pypi/xmodem05:22
dtroyer_zzthat's going into devstack tonight!05:22
dtroyer_zzI'm sure ironic's ipmi needs it or something05:22
mfischone day canada will get modems05:22
stevemarlol05:22
stevemari'm just tethering right now, phones are a pretty recent phenomena here05:23
mfischalso bedtime for me, its been good, and bad to be back looking at keystone this week05:23
stevemarwelcome back to the dark side05:23
mfischstevemar: moose antler antenna to improve reception05:23
stevemari think thats only for where anteaya lives05:24
mfischto be fair, lots of moose in my state05:24
mfischseriously bedtime now05:24
stevemarsee ya05:25
*** ncoghlan__ has quit IRC05:27
*** ncoghlan__ has joined #openstack-keystone05:27
jamielennoxdoes pressing ctrl+c not kill the s-proxy service in devstack or is it just me05:29
jamielennoxctrl+z then kill %1 takes down the screen process but doesn't kill the workers05:31
dtroyer_zzjamielennox: I don't mess with swift enough to know about the proxy, but unstack.sh should get everything cleaned up05:31
jamielennoxprobably, i just need to mess with swift specifically05:32
stevemarnever had to kill the proxy05:40
stevemarlookup the process and kill it?05:40
stevemardtroyer_zz, might have object save done for ya05:40
jamielennoxyea, but you kill the script, then you can kill the workers - but something gets screwed up that it doesn't just die nicely05:40
stevemardtroyer_zz, so for glance, we don't return anything upon a save, keep it that way i assume?05:41
dtroyer_zzstevemar: you mean visibly?  correct, success==no output without -v05:42
stevemardtroyer_zz, m'alright05:42
stevemargonna toss something up as soon as pep8 passes05:43
dtroyer_zzI'll race ya05:43
stevemari just nuked .tox, waiting for requirements05:44
stevemari think you'll win this one05:44
dtroyer_zzthat was too easy…. rm -rf .tox; tox05:44
stevemarbut my moose connection is slow05:44
stevemardtroyer_zz, up05:46
openstackgerritguang-yee proposed a change to openstack/keystone: Use id attribute map for read-only LDAP  https://review.openstack.org/11765805:46
stevemardtroyer_zz, https://review.openstack.org/11929305:46
stevemar yay05:46
dtroyer_zzstevemar: https://review.openstack.org/10617805:47
stevemardtroyer_zz, ohhh the same minute05:47
dtroyer_zzalso, I'm pushing in https://review.openstack.org/113046, it's baked long enough05:47
stevemardtroyer_zz, i think so05:47
stevemari was going to, just waiting on gate nonsense05:47
dtroyer_zzgate is down to normal busy levels, I'll pass through the rest of them in toe morning05:48
stevemardtroyer_zz, great, now you're going to make me rebase :)05:48
*** yasukun has joined #openstack-keystone05:49
dtroyer_zzthe thrill of victory!05:49
ekarlso-jamielennox: gotten that patch in for ksclient ? ;P05:49
stevemari'll have at least 1 successful build05:49
jamielennoxekarlso-: heh, ksclient has barely moved in the last week or so, hoping once the freeze is finished05:49
ekarlso-k05:50
stevemardtroyer_zz, i'll talk to you later about downloading an entire container, not sure what the default behaviour of that should be05:50
jamielennoxneed to jam through about 10 patches next week cause then i'm away for 405:50
stevemars/later/tomorrow05:50
ekarlso-jamielennox: 4 weeks ?05:50
jamielennoxyep05:50
ekarlso-jamielennox: dang05:50
stevemarjamielennox, damn thats a sweet vacation05:50
ekarlso-hope u get that auth one in also!05:50
ekarlso-it's a really niceness for clients that need to keep legacy support in the constructor05:50
jamielennoxhoneymoon :)05:50
ekarlso-oh, grats05:51
stevemarjamielennox, !! congrats dude :)05:51
ekarlso-jamielennox: think u will make it in with that before u gotta go ?05:51
jamielennoxi'm always surprised by the people who aren't aware of this, guess i never advertised it or anythign05:51
jamielennoxekarlso-: gyee is pretty keen for that one as well, so hoping so05:52
*** nsaje has joined #openstack-keystone06:02
*** stevemar has quit IRC06:03
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/11192006:03
*** oomichi has quit IRC06:05
*** ajayaa has joined #openstack-keystone06:10
gyeejamielennox, which patch? Didn't I +2 everythong already? :)06:15
gyeeeverything06:15
jamielennoxgyee: definetly not - i would have noticed06:15
jamielennoxhttps://review.openstack.org/#/c/81147/06:15
jamielennoxgyee: and if you need a few more let me know06:17
gyeejamielennox, you not sharing code with the existing plugins?06:20
jamielennoxgyee: what do you mean?06:20
gyeewe have existing plugins in keystoneclient.identity.auth06:21
jamielennoxyea06:21
gyeethey are implementing stuff in identity base06:21
gyeeso these are brand new ones with their own base class06:21
jamielennoxidentity/generic/base subclasses identity/base06:22
gyeejamielennox, nevermind, I see what you did there06:22
gyeelgtm!06:22
*** yasukun has quit IRC06:23
*** k4n0 has joined #openstack-keystone06:25
gyeejamielennox, I'll find more time for code review later06:25
*** jaosorior has joined #openstack-keystone06:25
gyeeI am way passed bed time06:25
*** gyee has quit IRC06:25
jamielennoxgyee: i'm going to try and force people to do them next week as we are passed FF, if you can have a go before then it'd be appreciated06:25
*** yasukun has joined #openstack-keystone06:31
openstackgerritwanghong proposed a change to openstack/keystone: Make the the assertValid<Entity> calls internal.  https://review.openstack.org/11928406:34
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO  https://review.openstack.org/10609606:53
*** amirosh has joined #openstack-keystone06:54
*** bvandenh has joined #openstack-keystone06:58
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: convert the conf value into correct type  https://review.openstack.org/11319107:00
jamielennoxwanghong: comment on ^07:05
*** nsaje_ has joined #openstack-keystone07:12
*** nsaje has quit IRC07:13
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Add auth manager  https://review.openstack.org/11853107:18
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768107:18
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make tests run against original client and session  https://review.openstack.org/11708907:18
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow retrying some failed requests  https://review.openstack.org/11800407:18
openstackgerritwanghong proposed a change to openstack/keystone: wrong logic in assertValidRoleAssignmentListResponse method  https://review.openstack.org/11930307:18
* jamielennox weekend07:26
wanghongjamielennox, are you here?07:27
*** KanagarajM has joined #openstack-keystone07:34
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: convert the conf value into correct type  https://review.openstack.org/11319107:44
*** afazekas has joined #openstack-keystone08:09
*** jimbaker has quit IRC08:16
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO  https://review.openstack.org/10609608:28
*** jimbaker has joined #openstack-keystone08:28
*** jimbaker has quit IRC08:29
*** jimbaker has joined #openstack-keystone08:29
*** ncoghlan__ has quit IRC08:45
*** KanagarajM has quit IRC08:46
*** gokrokve has joined #openstack-keystone08:49
*** gokrokve_ has quit IRC08:53
*** gokrokve has quit IRC08:53
*** BAKfr has joined #openstack-keystone08:56
*** k4n0 has quit IRC09:16
*** andreaf has joined #openstack-keystone09:19
*** gokrokve has joined #openstack-keystone09:25
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: convert the conf value into correct type  https://review.openstack.org/11319109:29
*** ajayaa has quit IRC09:30
*** gokrokve has quit IRC09:30
*** KanagarajM has joined #openstack-keystone09:33
*** yasukun has quit IRC09:34
*** KanagarajM2 has joined #openstack-keystone09:36
*** KanagarajM has quit IRC09:38
*** ajayaa has joined #openstack-keystone09:41
*** vhoward has joined #openstack-keystone10:02
*** yasukun has joined #openstack-keystone10:05
*** yasukun has quit IRC10:13
*** andreaf has quit IRC10:23
*** andreaf has joined #openstack-keystone10:23
*** gokrokve has joined #openstack-keystone10:25
*** bvandenh has quit IRC10:28
*** bvandenh has joined #openstack-keystone10:29
*** gokrokve has quit IRC10:30
*** aix has joined #openstack-keystone10:38
*** andreaf_ has quit IRC10:39
*** andreaf_ has joined #openstack-keystone10:40
*** dims has joined #openstack-keystone10:54
*** dims has quit IRC10:56
*** dims_ has joined #openstack-keystone10:57
openstackgerritAndreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/11804810:57
*** dims has joined #openstack-keystone10:57
*** KanagarajM2 has quit IRC10:57
openstackgerritSasikanth Eda proposed a change to openstack/keystone: Fix create and user-role-add in LDAP backend  https://review.openstack.org/11934511:01
*** dims_ has quit IRC11:01
*** andreaf has quit IRC11:09
*** andreaf has joined #openstack-keystone11:10
*** samuelmz_ has joined #openstack-keystone11:15
*** ajayaa has quit IRC11:22
*** gokrokve has joined #openstack-keystone11:25
*** gokrokve has quit IRC11:30
*** diegows has joined #openstack-keystone11:31
*** samuelmz_ has quit IRC11:36
*** ajayaa has joined #openstack-keystone11:48
*** k4n0 has joined #openstack-keystone11:55
*** openstackgerrit has quit IRC12:01
*** openstackgerrit has joined #openstack-keystone12:02
*** amirosh has quit IRC12:04
*** amirosh has joined #openstack-keystone12:04
*** andreaf has quit IRC12:07
*** andreaf has joined #openstack-keystone12:07
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a mock cleanup issue caused by oslotest  https://review.openstack.org/11922412:13
*** dims has quit IRC12:19
*** dims has joined #openstack-keystone12:20
*** gokrokve has joined #openstack-keystone12:25
*** samuelmz_ has joined #openstack-keystone12:29
*** gokrokve has quit IRC12:30
openstackgerritAndreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/11804812:35
*** dims has quit IRC12:39
*** dims has joined #openstack-keystone12:40
*** lbragstad has quit IRC12:43
*** lbragstad has joined #openstack-keystone12:43
*** d34dh0r53 has quit IRC12:44
*** d34dh0r53 has joined #openstack-keystone12:44
*** pabelanger has quit IRC12:45
*** dims has quit IRC12:45
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor assignment expansion related functions  https://review.openstack.org/11936312:45
*** dims_ has joined #openstack-keystone12:46
*** pabelanger has joined #openstack-keystone12:46
*** dims_ has quit IRC12:49
*** dims has joined #openstack-keystone12:50
*** morganfainberg has quit IRC12:54
*** morganfainberg has joined #openstack-keystone12:57
*** richm has joined #openstack-keystone13:10
ayoungbknudson, so  I was right....the _id_to_dn  code does get called at a point in the  identity code13:11
*** amirosh has quit IRC13:11
*** amirosh has joined #openstack-keystone13:12
*** andreaf has quit IRC13:14
*** andreaf has joined #openstack-keystone13:14
*** amirosh has quit IRC13:16
*** amirosh has joined #openstack-keystone13:16
*** joesavak has joined #openstack-keystone13:21
*** morganfainberg has quit IRC13:25
*** gokrokve has joined #openstack-keystone13:25
*** morganfainberg has joined #openstack-keystone13:27
*** gokrokve has quit IRC13:30
*** bknudson has quit IRC13:30
ayoungbknudson, dolphm   nkinder https://bugs.launchpad.net/keystone/+bug/1366020   I don't know if this is a real problem or not, but it affects the bug gyee was working on that is a blocker13:32
uvirtbotLaunchpad bug 1366020 in keystone "LDAP Identity does not convert ID to DN for lookup" [Undecided,New]13:32
*** bvandenh has quit IRC13:33
ajayaadolphm, ayoung, Is the multi domain identity backend being reverted?13:33
ayoungajayaa, not that I know of.  Why?13:33
ajayaahttps://blueprints.launchpad.net/keystone/+spec/revert-multiple-ldap-servers13:33
ajayaaayoung, I see a blueprint registered by doplhm.13:34
*** d34dh0r53 has quit IRC13:34
*** d34dh0r53 has joined #openstack-keystone13:35
*** topol has joined #openstack-keystone13:37
ayoungajayaa, no that is old and we've fixed them instead13:40
*** dhellmann is now known as dhellmann_13:40
ajayaaayoung, Do I need to create service users in sql backend if I am using a read only ldap server?13:40
ayoungajayaa, yep13:41
ayoungajayaa, or mount a second LDAP server for service users13:41
ayoungajayaa, http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/13:41
ajayaaayoung, I assume the service users can be contained in any domain.13:43
ayoungyep13:43
ajayaaayoung, okay thanks.13:44
openstackgerritA change was merged to openstack/keystone: Add test for single app loaded version response  https://review.openstack.org/11890213:44
openstackgerritA change was merged to openstack/keystone: Fix admin server doesn't report v2 support in Apache httpd  https://review.openstack.org/11875713:45
*** bknudson has joined #openstack-keystone13:51
*** r-daneel has joined #openstack-keystone13:53
*** jaosorior has quit IRC14:02
*** gokrokve has joined #openstack-keystone14:02
*** zzzeek has joined #openstack-keystone14:05
*** dims is now known as dimsum_14:12
*** bklei has joined #openstack-keystone14:15
*** bklei has left #openstack-keystone14:15
*** morganfainberg has quit IRC14:18
*** luvshines has joined #openstack-keystone14:19
*** luvshines is now known as viral_mutant14:20
*** david-lyle has joined #openstack-keystone14:26
*** morganfainberg has joined #openstack-keystone14:27
*** sigmavirus24_awa is now known as sigmavirus2414:28
*** amirosh has quit IRC14:29
*** amirosh has joined #openstack-keystone14:30
*** cjellick has quit IRC14:30
*** viral_mutant has quit IRC14:30
*** cjellick has joined #openstack-keystone14:31
*** andreaf has quit IRC14:33
*** andreaf has joined #openstack-keystone14:33
*** _nonameentername is now known as nonameentername14:35
*** amirosh has quit IRC14:35
*** radez_g0n3 is now known as radez14:35
*** cjellick has quit IRC14:36
*** dhellmann_ is now known as dhellmann14:43
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation.  https://review.openstack.org/7497414:49
ajayaadolphm, ayoung, We are importing ldappool in keystone/common/ldap/core.py. Should not it be present in requirements.txt?14:50
ayoungajayaa, yes14:50
ajayaaIt is not there I think.14:51
ajayaahttps://github.com/openstack/keystone/blob/master/requirements.txt14:51
ayoungajayaa, please fix14:51
ajayaaokay. Shall I first file a bug and then fix it?14:51
ajayaaayoung,14:51
ayoungyep14:52
*** jorge_munoz has joined #openstack-keystone14:52
*** vhoward has left #openstack-keystone14:54
*** k4n0 has quit IRC14:57
*** stevemar has joined #openstack-keystone14:57
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Added ldappool to requirements.txt  https://review.openstack.org/11939215:00
r1chardj0n3sayoung: dolphm has nixed your keystonemiddleware plan, but I have a new plan involving olso now15:01
ayoungr1chardj0n3s, of course he has.  He's a purist.  He's also  just voicing his opinion.  Lets discuss it at the next Keystone team meeting.15:02
r1chardj0n3sayoung: he makes a compelling argument15:02
ayoungr1chardj0n3s, was it in here?  I'll check evesdrop15:03
r1chardj0n3sayoung: no, was IRL just now15:03
ayoungr1chardj0n3s, then it didn't happen15:03
ayoungIRL does not exist15:03
r1chardj0n3swell, I could submit the spec and have it rejected if you like :)15:04
*** joesavak has quit IRC15:04
ayoungr1chardj0n3s, here's the deal:  if we do anything other than auth_token.py it will require an additional middleware config in all servers.  If that is the case, it doesn 't matter where it lives15:04
ayoungBut this is Keystone specific logic, and should be in keystonemiddleware, even if not auth_token.py15:05
r1chardj0n3sayoung: there's an abandoned change in oslo to add cors that I'm going to look at resurrecting15:05
ayoungWe need to know "who"  can do cors and that means the service catalog15:05
r1chardj0n3sayoung: the config issue is solved by people's existing configuration management tools (aka salt, etc)15:05
r1chardj0n3sthe "who" is handled by each API in its own config15:06
ayoungr1chardj0n3s, if it helps you to sleep at night to think that, please go right ahead15:06
ayoungnope15:06
r1chardj0n3sayoung: well, it'll help me move forward; whereas the keystonemiddleware proposal is going to be rejected15:06
ayoungr1chardj0n3s, dolphm and I often go head to head on these things...its part of the process that makes Keystone better15:06
r1chardj0n3sayoung: if you would like me to I can commit the spec15:07
r1chardj0n3sayoung: go through the formal process15:07
ayoungr1chardj0n3s, oslo is not for new ideas.  oslo is for things that are already vetter in another project15:07
ayoungCORS support in Keystone is going to be different from the other services anyway.  Lets solve that one first15:07
ayoungKeystone does not do auth_token.py15:07
r1chardj0n3sayoung: but CORS isn't tied to auth_token15:07
ayoungr1chardj0n3s, of course it is15:08
ayoungcuz auth-token extracts the service catalog15:08
r1chardj0n3sayoung: I don't see how15:08
ayoungand CORS will need that service catalog15:08
ayoungit can be a follow on component15:08
r1chardj0n3sthe service catalog is not needed for CORS, unless I'm missing something15:08
ayoungyou are missing something15:08
ayounghow do we know what set of services can respond yes to CORS if not from the service catalog?15:09
ayoungand please don't say "config management tools"  cuz that is not an answer15:09
r1chardj0n3seach service configures itself15:09
r1chardj0n3sbut that is the answer15:09
r1chardj0n3ssorry, better: why isn't that the answer? :)15:09
ayoungr1chardj0n3s, hmmm....the short answer is that CORS evaluation needs to be on a request by request basis15:11
ayoungjust because one user can do CORS from keystone1 to nova1 doesn't mean that every request is valid15:11
dolphmshouldn't the CORS header just contain Horizon's domain - which isn't in the service catalog?15:12
r1chardj0n3swhat aspect of the request is needed apart from the host? that's basically all CORS cares about - it's not up to CORS to provide any level of protection beyond host, and possibly filter some headers15:12
r1chardj0n3sdolphm: correct15:12
dolphmso, nova would respond with Access-Control-Allow-Origin: https://horizon.example.com/15:12
r1chardj0n3sdolphm: yes, though there's some ancillary stuff around that15:12
r1chardj0n3s(OPTIONS handling, maybe some header controls as well)15:12
r1chardj0n3sayoung: security is not CORS' concern.15:13
ayoungdolphm, once again, I am thinking MOC  and don't trust anyone....15:13
r1chardj0n3sayoung: er, user-based security that is15:13
dolphmr1chardj0n3s: sure, but there's no configuration i'm aware of beyond "nova, glance, keystone, etc need to know that horizon belongs in [filter:oslo.cors.whatever] allowed_origins"15:14
r1chardj0n3sdolphm: oh, yes15:14
ayoungr1chardj0n3s, the goal is to prevent cross site request forgeries15:14
dolphmayoung: how is CORS related to XSRF?15:15
*** cjellick has joined #openstack-keystone15:15
ayoungr1chardj0n3s, there is also the problem that so many people deploy with IP addresses, but lets punt on that for a moment15:15
dolphmhttp://stackoverflow.com/questions/19793695/does-a-proper-cors-setup-prevent-xsrf15:15
ayoungdolphm, those answers are cursory and don't explain the whole thing.  Let me see if I can talk it through15:16
bknudsonCORS implies that your application is written correctly.15:16
ayoungdolphm, you might be right, though, that with CORS we can be more forgiving, since the token itself will restrict access15:16
r1chardj0n3syes, it's up to the token to provide that protection15:17
ayoungdolphm, bascially, the XSRF attack is "I think this user might have gone to that site before and have a cookie that allows unfettered access.  Let me submit a second response."15:17
ayoungThe normal way to protect against XSRF is by writing a header that is not a cookie.  In this case, it would be the Token15:18
ayoungnow...I think actually even with CORS we are ok15:18
ayoungcus the origin would be the attackers site, not horizon15:18
ayoung0k...I think maybe using the service catalog for the OPTIONS  response might be more than we need, and it means that we need to put horizon in there...15:19
ayounghmmm.....15:19
ayoungr1chardj0n3s, let me look at the Oslo spec...15:19
ayoungI'm not 100% on this.  I kindof suspect that we need the service catalog as part of "is CORS legal for this request"15:21
*** pabelanger has left #openstack-keystone15:21
r1chardj0n3sayoung: CORS should be independent of request payload *except* perhaps blocking headers *but only* based on header name, not contents15:22
r1chardj0n3s(except the specific CORS headers, natch)15:22
ayoungr1chardj0n3s, OK...lets to a thought experiment here.  To keep things simple, we will limit it to two keystone servers, one horizon server and two nova servers15:23
ayounghorizon is purely static javascript15:24
ayounguser "logs in" to Horizon by going to keystone and getting a token.15:24
ayoungthat requires CORS supportin Keystone, accepting the horizon server15:24
*** gokrokve_ has joined #openstack-keystone15:24
ayoungnow that token has a service catalog that says Nova115:25
ayoungOPTIONS to NOVA1  says CORS OK15:25
ajayaabknudson, while using ldap identity backend through devstack I encountered this error.15:25
ayoungand the "create vm" call goes through15:25
ayoungauth token is still processed.15:25
bknudsonajayaa: sounds like a bug in devstack15:25
ayoungnow...somehow something malicious got into, oh, say horizon's javascript.  Cuz I'm paranoid15:26
ajayaabknudson, I think they don't consolidate test-requirements.txt.15:26
ayoungat this point...anything could happen, and the damage is limited by auth_token15:26
ayoungit says, send your token to nova215:26
ajayaabknudson, But if something is critical to starting of keystone server itself, should not it be present in requirements.txt?15:27
bknudsonajayaa: still sounds like a bug in devstack15:27
ayoungnova2 is an attack site, but OPTIONS comes back and says "Nova2 OK"15:27
ajayaainstead of test-requirements.txt15:27
ayoungand now your token is sent to an attack site.15:27
ayoungBut...I don't think there is any defense against that15:27
ayoungand service catalog is irrelevant15:27
r1chardj0n3sCORS is really not going to help, yeah ;)15:27
ayounghmmm15:27
*** gokrokve has quit IRC15:28
ayoungand if I got to hooorizon instead of horizon,  keystone CORS is going to reject it and no token will be available15:28
r1chardj0n3syep15:29
* ayoung assumes hooorizon is an attack site15:29
*** gokrokve_ has quit IRC15:29
ayoungand if your DNS gets poisoned...CORS doesn't protect you at all anyway15:29
r1chardj0n3sCORS is only handling a very specific thing, which is cross-site javascript. It doesn't pretend to offer protection for anything else.15:30
r1chardj0n3strying to overload it to handle anything else is a mistake as well, imo15:31
ajayaabknudson, we are importing ldappool in "keystone/common/ldap/core.py"15:31
bknudsonajayaa: that part isn't imported unless keystone is configured to use ldap.15:32
ayoungr1chardj0n3s, I'm aware.  I was just trying to limit the amount that we open things up via CORS.15:32
ayoungCORS says "relax the browser protections for these set of sites"15:32
ayoungand I want to keep that set as small as possible15:32
r1chardj0n3syep, we have to ensure that people don't just "allow_origin: *" without being duly warned15:32
ajayaabknudson, Okay. Thanks15:33
ayoungHTTPS is a requirement for this to work15:33
ayoungI mean, strict certificate checking15:33
*** ajayaa has quit IRC15:33
r1chardj0n3shmm, that makes sense, but will probably be far too high a barrier15:34
r1chardj0n3snote that the APIs are already exposed, just not to Javascript15:34
r1chardj0n3s(though not with the potential availability of an auth token, I suppose)15:35
r1chardj0n3sbut they're already open, and most likely not over HTTPS15:35
r1chardj0n3sI gotta run for a moment, brb15:36
*** r1chardj0n3s is now known as r1chardj0n3s_afk15:36
*** packet has joined #openstack-keystone15:38
*** gokrokve has joined #openstack-keystone15:38
morganfainbergmornin15:41
ayoungmorning morganfainberg,15:42
ayoungGuten morgen15:42
morganfainberglol15:42
ayoungmorganfainberg, read up on out conversation about CORS if you get the chance.15:43
morganfainbergyeah reading the scrollback now15:43
*** r1chardj0n3s_afk is now known as r1chardj0n3s15:43
r1chardj0n3sback15:43
ayoungr1chardj0n3s, http://adam.younglogic.com/2014/08/phishing/  is why we really shouldn't trust DNS15:43
*** samuelmz_ has quit IRC15:44
ayoungr1chardj0n3s, but that attack could be used against Horizon itself.  HTTPS is a baseline requirement for OpenStack security.15:44
r1chardj0n3syep15:44
morganfainberginteresting15:45
*** gokrokve has quit IRC15:49
*** gyee has joined #openstack-keystone15:49
*** gokrokve has joined #openstack-keystone15:50
r1chardj0n3sayoung: FYI the new point of work for CORS will start from https://bugs.launchpad.net/oslo.middleware/+bug/98704415:51
uvirtbotLaunchpad bug 987044 in oslo.middleware "OpenStack APIs should support CORS to be usable from Javascript" [Wishlist,Triaged]15:51
nkinderayoung, jdennis: what do you think the right behavior is if ldap2py() encounters a decoding error due to a binary value?15:51
dolphmmorganfainberg: if a callable wrapped by dogpile's cache-on-arguments raises an exception, that exception isn't cached for that method signature is it?15:52
nkinderayoung, jdennis: skip that attribute and log an error, but continue on?15:52
morganfainbergdolphm, negative. exceptions are not cached15:52
dolphmyay15:52
nkinderit is unlikely that the binary value is actually needed by keystone for anything (as we'd blow up elsewhere)15:52
morganfainbergdolphm, also if the SHOULD_CACHE_FN check fails it wont be cached.15:52
ayoungnkinder, right15:52
nkinderayoung: ok, cool.  I have a patch coming up15:53
ayoungnkinder, I don;t think I can foresee all possible uses15:53
morganfainbergso we can add a lot of extra logic magic to that if needed / wanted15:53
ayoungbut this is keystone specific, right?15:53
nkinderayoung: yes15:53
ayoungthen, yes, that is the right behavior15:53
ayoungnkinder, did you see the bug I filed, though?15:53
nkinderayoung: LOG.warn?15:53
nkinderayoung: yes, but that's different15:53
ayoungno logging15:53
ayoungit will spam the hell out of the logs15:54
nkinderayoung: well, LOG.debug15:54
ayounglog.DEBUG yea15:54
jdennisnkinder: In IPA we never get into that situation (well, we shouldn't) because we know the type of every attribute given the schema, therefore we only decode UTF8 strings15:54
ayoungwould be nice to have "log.ONCE15:54
nkinderjdennis: what I found last night was that AD will return objectSID, which blows us up15:54
jdennisbut OpenStack doesn't have enough information, so I would just skip it and use the binary value15:54
ayoungjdennis, and others have this same problem15:54
nkinderjdennis: we shouldn't be getting that attribute back in the first place though15:54
*** gokrokve has quit IRC15:54
ayoungthe issue is that a get without any attribute filter will return all attributes15:55
nkinderjdennis: so just copy the raw value, or eliminate the attribute completely?15:55
ayoungeven  an attribute filter of []  will do that15:55
nkinderI suppose the former is better, though something else may barf on it later if it tries to use that value15:55
jdennisnkinder: I don't know the answer to your question because I don't know the context, what attributes are you expecting?15:56
ayoungnkinder, I'm almost tempted to say we should only fetch the attributes explicitly required15:56
dstaneknkinder: could the AD issue be what Brent is seeing here? https://review.openstack.org/#/c/118430/15:56
nkinderayoung: I already fixed that too15:56
nkinderayoung: but we should make the code tolerant in case something slips in later15:56
ayoungnkinder, what I was thinking was maybe we should fail catastophically instead15:56
morganfainbergdolphm, i'm thinking as a K1 target doing the functional test setup like swift/neutron does for keystone so we can start migrating/updating the relevant tests from RESTFUL / tempest over.15:57
ayoungif someone said that user_id was a binary field....15:57
nkinderjdennis: so keystone does a search in some cases where it doesn't ask for any attribute to be returned15:57
nkinderjdennis: this results in all attributes being returned15:57
ayoungID to DN conversion:  just look for existence15:57
nkinderjdennis: when we convert that entry with ldap2py, it blows up on any binary values15:57
bknudsonnkinder: mfisch has this same problem15:57
jdennisnkinder: I think it's a problem to get back attributes you don't know anything about15:58
nkinderjdennis: the assumption (and my experience) is that any attribute with a binary value isn't an attribute that Keystone actually will use15:58
nkinderjdennis: it is, and I'm fixing that15:58
bknudsony, keystone has no use for binary attrs15:58
nkinderSo do we silently drop the whole attribute?15:58
bknudsonnkinder: we shouldn't have requested it15:58
nkinderI'm OK with that if we log it at LOG.debug15:58
bknudsonwe should know what attrs we need.15:58
nkinderbknudson: I know, and I fixed that15:58
nkinderbknudson: but I'd like to protect against crashing if someone adds a search back in that gets all attrs15:59
jdennisnkinder: ok, then you know which are strings, right?15:59
bknudsonnkinder: add a test.15:59
bknudsonput it in fakeldap... you must specify attrs.15:59
nkinderjdennis: well, I would catch UnicodeDecodeError16:00
*** wwriverrat has joined #openstack-keystone16:00
morganfainbergbknudson, but i want to use the picture of the person in my AD setup as their ID /snark16:00
bknudsonopenstack user list should display their jpeg.16:00
morganfainberg++ totally!16:01
nkinderbknudson: I still think tolerant code is the correct thing to do though16:01
nkindertests are great, but the code should catch the exception16:01
jdennisnkinder: but catching a UnicodeDecodeError is a weak test16:01
bknudsonI have no problem with also dropping binary attrs on the result.16:01
bknudsonmaybe a debug log.16:01
morganfainbergsounds reasonable.16:01
jdennisnkinder: what happens when you successfully UTF8 decode a binary values that's not a string? Or for that matter a string that's supposed to be UTF8 encoded but can't be decoded?16:02
wwriverratI'm having trouble with outputting the value to the logs.  Our Active Directory impl has a "Thumbnail" jpeg attribute that would likely munge the logs every time that attribute was hit16:03
dstanekjdennis: in the first case you'll get garbage test and in the second case you'll get an exception16:03
nkinderjdennis: gotta jump on a call.  bbiab16:03
dstaneknkinder: jdennis bknudson: https://review.openstack.org/#/c/118430/4/keystone/common/ldap/core.py,cm16:04
nkinderjdennis: but I would hope that the ldap server is enforcing syntax correctness16:04
jdennisdstanek: yes I know that, I'm just saying it's not robust logic16:04
bknudsondstanek: can the caller handle getting None back?16:05
nkinderjdennis: I agree about the logic being weak, but keystone shouldn't be using binary attrs unless it's misconfigured16:05
dstanekdoesn't the ldap library tell use what types we're getting back16:05
bknudsondstanek: maybe it should return a string indicating the ldap value was invalid.16:05
bknudsondstanek: ldap library doesn't know the type16:05
jdennisnkinder: the ldap server enforcing syntax isn't the issue, the issue is we don't utilize the schema to know what the syntax is16:06
bknudsondstanek: the server's schema can define what's a valid value (binary or not)16:06
dstanekbknudson: could be i commented on the review that i thought they were solving the wrong problem16:06
dstanekbknudson: that's unfortunate16:06
wwriverratimho: It would be nice if every call to retrieve data from ldap specified the attrlist it should retrieve.  We know that if not specified (or empty list) it will return them all (including the binary attrs).16:06
*** joesavak has joined #openstack-keystone16:07
jdenniswwriverrat: but at some point someone is going to need a binary attriibute, an x509 cert is a perfect example16:08
wwriverratyep... so not fully comfortable with the UnicodeDecodeError catch either16:08
*** BAKfr has quit IRC16:09
*** packet has quit IRC16:09
*** dims_ has joined #openstack-keystone16:09
*** dims_ has quit IRC16:09
*** dims_ has joined #openstack-keystone16:10
*** david-lyle has quit IRC16:11
dstaneki say for right now just specify the attribute16:11
*** dims has joined #openstack-keystone16:11
dstanekat some point in the future Keystone will just have to know what attributes are text and what are not16:12
dstanekthink in terms of defining a SQLAlchemy model16:12
*** dims_ has joined #openstack-keystone16:13
jdennisFWIW lessons learned the hard way during IPA development is your LDAP code must know the schema otherwise you're flying blind when it comes to data types16:13
*** dimsum_ has quit IRC16:14
*** dims_ is now known as dimsum_16:14
wwriverratThere is a couple of identified locations where ldap being called in this bug.  There is also one fix.  https://bugs.launchpad.net/keystone/+bug/135548916:14
uvirtbotLaunchpad bug 1355489 in keystone "authenticate ldap binary fields fail when converting fields to utf8" [Medium,Triaged]16:14
*** dimsum_ has quit IRC16:14
*** dolphm changes topic to "Countdown to RC1 https://launchpad.net/keystone/+milestone/juno-rc1"16:15
*** dimsum_ has joined #openstack-keystone16:16
*** dimsum_ has quit IRC16:17
*** packet has joined #openstack-keystone16:19
*** marcoemorais has joined #openstack-keystone16:20
*** dims has joined #openstack-keystone16:24
*** dims has quit IRC16:24
ayoungdstanek, http://logs.openstack.org/74/74974/15/check/gate-python-keystoneclient-python33/4eee72e/console.html  seems the problem with Kerberos in Python is that it imports commands  which is a python27 thing.  Is that right?16:28
dstanekayoung: looking...but i thought commands was old school16:28
ayoungdstanek, it looks like python-kerberos is old school, too16:29
dstanekyeah, commands has been deprecated since 2.6 :-(16:29
dstaneki have bigger fish to fry with the 33 tests, so i can get this fixed too if you don't have the time16:30
*** marcoemorais has quit IRC16:32
*** marcoemorais has joined #openstack-keystone16:32
*** dims has joined #openstack-keystone16:33
*** packet has quit IRC16:33
ayoungdstanek, that would be great16:34
ayoungdstanek, I am not clear what is happening16:34
*** packet has joined #openstack-keystone16:34
ayoungis it from the build process, or is it something in the kerberos package we fetch from upstream?16:34
nkinderwwriverrat: I have a newer patch that fixes all of the areas where we don't specify attributes that I could fine (in the identity and assignment drivers)16:36
wwriverratcool16:36
nkinderwwriverrat, jdennis, dstanek: so was the decision to just specify the attributes to return and leave the decoding code as is?16:38
nkinderI'll add that this issue was tough to track down with the current logging, so perhaps we should catch the UnicodeDecodeError and at least log a debug message16:39
jdennisnkinder: I believe so, but down the road we really need to address the need to know the data type of attributes, see my comment in  https://bugs.launchpad.net/keystone/+bug/135548916:39
uvirtbotLaunchpad bug 1355489 in keystone "authenticate ldap binary fields fail when converting fields to utf8" [Medium,Triaged]16:39
dstaneknkinder: i'd be ok with just specifying the attributes and letting the decoding bomb16:40
nkinderjdennis: I agree.  I'm looking for a short term solution.  This hoses up Keystone->AD pretty badly at the moment16:40
dstaneknkinder: that other patch logs it, but allows the request to keep going after if fails16:40
nkinderdstanek: which patch?16:41
jdennisnkinder: yup I think your approach is a reasonable short term work around16:41
dstaneki asumg that it works for the patch auther because if was trying to decode a non-necessary binary field16:41
dstaneknkinder: https://review.openstack.org/#/c/118430/4/keystone/common/ldap/core.py,cm16:41
wwriverratfor the logging the attempted value my opinion wavers: 1) would be nice to see what failed, but 2) I really dont want to clutter my logs with the binary stuff (ours has jpeg image as attribute).16:42
*** cjellick_ has joined #openstack-keystone16:43
*** cjellick has quit IRC16:43
dolphmanyone interested in a script to give you real time growl notifications when there's any activity on your starred reviews in gerrit?16:43
dstanekwwriverrat: if we specified every attribute explicitly the only errors in the logs would be true errors16:43
dstanekdolphm: me, me, pick me16:43
wwriverratagree16:43
dolphmdstanek: lol - k. just wanted to guage if i'm the only OCD one or not. i'll publish on github later today then16:44
dstanekdolphm: nice16:44
nkinderdstanek: I'm adding my logging to convert_ldap_result() instead of ldap2py(), as it lets us say what attribute and dn we encountered the problem in16:46
*** rushiagr is now known as rushiagr_away16:47
morganfainbergdolphm, oh god. that memcache bug.16:49
morganfainbergdolphm, it's eventlet.16:49
morganfainbergdolphm, just confirmed and it's nasty. massive leak16:49
dstanekmorganfainberg: memcache bug?16:51
morganfainbergdstanek, threadlocal + eventlet = OMG BAD16:51
morganfainbergbasically we leak memcache clients all over16:51
dstanekmorganfainberg: that's not cool. do we not patch threading or does patching it now patch threadlocals?16:53
morganfainbergdstanek, i think that is an eventletism16:54
*** r1chardj0n3s has left #openstack-keystone16:54
morganfainbergdstanek, under apache we leak no clients16:54
*** r1chardj0n3s has joined #openstack-keystone16:54
morganfainbergso eventlet probably patches it16:54
nkinderdstanek: I still think we should continue processing and just skip the bad attribute for now honestly.  If we encounter a binary attribute that Keystone doesn't need, it just seems better to not blow up16:54
r1chardj0n3sayoung: FYI further CORS conversations will be over in #openstack-oslo, since the keystone involvement is now complete AFAICT16:54
*** r1chardj0n3s has left #openstack-keystone16:55
dstanekmorganfainberg: take a look at keystone-all - from some reason we are not patching threading16:55
dstanekif we were this may go away16:55
morganfainbergoh hm16:55
morganfainberglet me try that in my devstack16:55
morganfainbergdstanek, isn't https://github.com/openstack/keystone/blob/master/bin/keystone-all#L131 this supposed to patch thread if not set?16:57
morganfainbergdstanek, https://github.com/openstack/keystone/blob/master/bin/keystone-all#L13916:57
*** gokrokve has joined #openstack-keystone16:58
dstanekdepends on that standard threads stuff16:58
morganfainbergright16:58
morganfainbergi'm fairly certain i'm not setting standard threads here16:58
*** david-lyle has joined #openstack-keystone16:58
*** rkofman1 has quit IRC16:59
*** rkofman has joined #openstack-keystone16:59
morganfainbergi'll bet if standard threads are set, we don't leak17:01
ayounggyee, you ready to talk LDAP yet>17:03
ayoung?17:03
*** marcoemorais has quit IRC17:04
*** openstackgerrit has quit IRC17:04
*** marcoemorais has joined #openstack-keystone17:04
*** marcoemorais has quit IRC17:05
*** marcoemorais has joined #openstack-keystone17:05
*** harlowja_away is now known as harlowja17:05
*** marcoemorais has quit IRC17:07
*** marcoemorais has joined #openstack-keystone17:07
jdennisnkinder: fwiw convert_ldap_result() and the other utf8 changes were modeled after IPA LDAP code, however as I hope is obvious the current implementation of ldap2py is a hack. In IPA the equivalent code performs a schema lookup to know what the data type of the attribute is only then converts it to a Python type.17:07
gyeeayoung, yo17:08
ayounggyee, So something is wonky17:08
gyeeayoung, so I removed the read-only check logic17:08
ayounggyee, the code that nkinder is working on fixing is for AD in a read only mode, and it used id_to_dn17:08
gyeeayoung, won't work for AD either17:09
ayoungNow, his fix aside, that shows that id_to_dn is not just supposed to be used in read-write mode17:09
gyeeAD uses SMAccountName for username17:09
jdennisnkinder: the attempt to convert to an int and if that failed convert to a string was the existing (flawed) logic that was merely copied because adding schema lookups was beyond the scope of the patch I made.17:09
ayounggyee, what won't work?17:09
gyeeayoung, AD uses SAAccountName for username17:10
ayoungsAMAccount name, yes, I've become friendly with it17:10
gyeeCN is not unique17:10
ayoungI think username is not an issue here, it is the user_id only17:10
ayoungand if you wanted to use sAMAccounName for that, you would need to use subtree17:10
ayounghere's the problem17:11
ayoungand, once again, it IS NOT YOUR PATCH that iis the problem.  It is the existing code17:11
ayoungyour patch just showed the problem...and I'm trying to figure out how to expose it17:11
gyeeayoung, bottom line, we need to honor the attribute maps for read-only LDAP17:12
ayoungI think that your patch, as currrently written, will be OK.17:12
*** HenryG is now known as HenryThe8th17:12
ayoungI'm not 100% certain, however.  Just pretty-sure17:12
gyeeayoung, I think we need to optimized for read-only LDAP going forward17:12
ayoungIf I understand what is happening, in the read-write case, there is an assumption that the RDN will match the user_id_attribute field17:13
gyeefrom what we've been hearing, seem like read-only is more urgent17:13
ayoungIt used to be part of the read-only case, too17:13
ayoungPeople are using Read-Write, too.  We can't break that17:13
*** cjellick_ has quit IRC17:14
*** cjellick has joined #openstack-keystone17:14
ayoungEven if it is a smaller use case.  With Henrynash's change to multi-backends we'll see more writable LDAP17:14
morganfainbergdstanek, this is likely going to require monkeypatching memcache backend.17:14
morganfainbergdstanek, like the memcache python lib.17:14
ayoungbut lets get a solution that makes everything work17:14
morganfainbergugh. i'm very non-plussed :(17:14
gyeeayoung, k17:14
gyeeayoung, I think we should use attribute map for everything17:15
ayounggyee, so there are 3 use cases:  read-only/one  read-only/sub  read-write/sub17:15
gyeebut we shouldn't make any distinction between one and sub17:15
ayoungI think we can convert the read-only/one case to be the same as read-only/sub17:15
gyeethey are just search scopes, should not impact the way we formulate the IDs17:16
ayoungwe need to get rid of the logic that says "id comes from the DN"17:16
gyeeayoung, ++++++++17:16
ayounggyee, I'm just concerned that removing that will break someone17:16
dstanekmorganfainberg: bummer. does that mean we'll have to maintain monkey patching code of the supported memcached libs?17:16
morganfainbergtalking w/ zzzeek and YoriSar in oslo channel about how we're going to handle this going forward. but for icehouse and juno it's going to be non-fun17:17
gyeeayoung, we'll deal with them one at a time, don't think we have much choices17:17
gyeeayoung, the Jenkins gates are all we have to work with right now17:17
gyeewe can add more test coverages as we discover more use cases17:18
ayounggyee, if we make any changes here, I think we are going to break things for someone17:20
gyeeI am all for adding more tests, but we can only test the knowns17:20
ayounggyee, why do you need this patch?17:20
gyeeayoung, we need to deal with read-only LDAPs17:20
ayounggyee, that is not an answer17:21
ayoungthis code has been run for a long while now17:21
ayoungwhat is the actual problem17:21
gyeeayoung, probelm is we don't have control over the customer's DIT17:21
dhellmanndstanek: the new release of oslotest with your fix is on pypi17:22
ayoungSo17:22
gyeeand we are not honoring the id attribute mpas17:22
gyeemaps17:22
ayounggyee, only for ID. and that is a known exception17:22
ayoungAre you seeing an actual problem?17:22
gyeeayoung, that's a bug, not exception17:22
ayoungNpo17:22
ayoungNo17:22
ayoungthe SUB apporach (where ID is an attribute) came second17:22
*** dhellmann is now known as dhellmann_17:23
ayoungthe ID is part of the DN came first17:23
dstanekdhellmann: great thanks!17:23
ayoungso you can't call it a bug if it was the initial design17:23
gyeeayoung, what is user_id_attribute for?17:23
ayoungso let me rephrase the question.  What problem does not honoring user_id_attribute cause you?17:23
ayoungYour bug is not a bug.  It is a feature request17:24
gyeeayoung, everything, role assignment, lookup17:24
ayoungProvide an example.17:24
gyeeayoung, you telling me not honoring user_id_attribute is by design?17:24
gyeeyou joking right17:24
ayounggyee, I'm telling you that the original design was that the RDN was the user id, not an attribute17:25
ayoungnow, I will admit this is a poor design17:25
ayoungbut there are people who have deployed around this17:25
ayoungso, if we are going to break it, I need to be able to justify that breakage17:25
gyeehow do I assign role to user if user_id map is not correct?17:25
ayoungand we are going to break it17:25
gyeewe ain't breaking anything17:25
ayounggyee, use the actual value of the user_id17:26
gyeeyou keep saying we break something, offer me a test to show it17:26
ayoungnot what you "think" it should be17:26
ayoungoffer me a test to show that something is broken right now17:26
gyeeayoung, its not what I think, its what user_id_attribute is documented forr17:26
gyeeayoung, take a look at the bug17:27
ayounggyee, I've read it.  I understand what you are saying.  But the problem is that you are trying to pre-calculate the user_ids.   For read only LDAP, that seems like it should work, but it is surprising.17:27
ayoungOf anything else (SQL) you don't know the UserID until it is created anyway17:28
ayoungso, before we change this, and break it for someone, show me why you need this change17:28
ayoungI don't disagree that it varies from the docs17:28
gyeeayoung, problem is I can't even assign role if user_id map is broken17:30
ayoungyes you can17:30
gyeehow?17:30
ayoungyou can't assign it "a-priori"17:30
ayoungyou do an actual query, that is how17:30
ayounglook up user by username, like the SQL backend forces you to17:30
gyeewe lookup users by user_id at the backend17:31
gyeeproject role assignment for example, PUT /projects/project_id/users/user_id/roles/role_id, username is not used17:34
*** rushiagr_away is now known as rushiagr17:44
*** andreaf has quit IRC17:47
*** andreaf has joined #openstack-keystone17:48
nkinderayoung: gyee's problem is that cn is not unique.  Really, cn is not an ID, but is a user name.17:48
*** david-lyle is now known as david-lyle_afk17:49
nkinderideally, the user_id wodl be sAMAccoutnName (or the userPrincipalName), and user_name would be cn17:49
ayoungnkinder, except the sAMAccountName is not in the RFC schemas.17:49
nkinderRFCs don't matter here17:50
ayoungAnd the LDAP code was written with defaults as simplisitic as possible17:50
nkinderayoung: the RFCs dont' state what attributes should be in the DN17:50
ayoungnkinder, yeah...I was young and dumb.17:50
ayoungactually, I'm still Young....17:50
ayoungyou can draw conclusions about the other17:50
nkinderI could be using inetOrgPerson/POSIX and have 'dn: cn=<name>,...' instead of uid being the RDN17:50
*** radez is now known as radez_g0n317:51
ayoungthe mistake I made was based on how FreeIPA works:  the rdn must match the id field17:51
nkinderAD just popularized the cn as RDN approach17:51
ayoungI now know that assumption is not true everywhere17:51
*** stevelle_ has joined #openstack-keystone17:52
gyeefor read-only LDAP, we have zero control over customer's directory, we can only rely on the attribute maps17:52
nkindermany AD deployments would end up with the user_id in Keystone being something like "Kinder, Nathan"17:52
nkinderwhich is stupid17:52
gyeenkinder, heh, stupid, but customer writes the check17:53
nkindergyee: oh, I'm not saying that  it's stupid for that to be the RDN17:53
nkindergyee: it's just not what I woudl consider an ID for a user in Keystone17:53
nkindergyee: I would want the ID to be sAMAccountName (nkinder in my case)17:53
gyeenkinder, no, but attribute map is the most effective way to support the stuff17:54
nkinderbut, that's not what's used in the DN17:54
ayoungnkinder, I agree that what we have now is bad.  I just don't think we can blindly change it without breaking someone's deployment somewhere17:54
gyeethat give us most flexibility17:54
nkindergyee: I think you're right, but I haven't had a change to really look into your code yet :(17:54
ayoungnkinder, some one is going to have user_id_attribute=cn  and the CN RDN is not going to match what is in the object17:54
nkinderayoung: define object.. the LDAP entry?17:55
gyeeayoung, we can't worry about someone till we have a test in the gates17:55
gyeethat's the only thing we have control over17:55
ayoungnkinder, I still don't know how the code you looked at triggered an id_to_dn lookup, as the code paths I looked at all used the user.get  method which does not do that fetch17:55
ayoungand that code predates Icehouse by a good bit17:55
nkinderayoung: not sure, but it did...17:56
*** wwriverrat has left #openstack-keystone17:56
nkinderayoung: so what is the concern about breaking someone with what gyee is proposing?  Writing to LDAP during new user creation?17:57
nkinderand not knowing what attribute to use as the RDN when forming the DN?17:57
ayoungnkinder, no, even in a read-only case, if the attributes don't line up,  and we start honoring user_id_attribute17:57
ayoungbut...I can't help but think that it is broken already.17:58
nkinderayoung: I'm not sure I follow.  Can you elaborate with an example?17:58
ayoungnkinder, user_id_attribute=cn17:58
ayoungand the cn part of the RDN does not match the CN attribute in the object17:59
nkinderok, and "dn: uid=foo,..."?17:59
nkinderwhat do you mean cn part of the RDN17:59
ayoungnkinder, no17:59
ayoungdn:  cn=foo,...."17:59
ayoungbut CN= Adam17:59
nkinderayoung: multi-valued cn's?17:59
nkinderwell, cn=foo has to exist in the entry if it's in the DN17:59
ayoungit turns out the CN segment of the DN doesn't have to match even a single value CN attribute18:00
nkinderit is a multi-valued attribute, but the RDN value must be present in the entry18:00
nkinderayoung: no, that's not true18:00
ayoungdefine "must"  cus I've seen cases where they don't match18:00
nkinderit MUST be in there18:00
ayoungit was in the AD != LDAP presentation IIRC18:00
gyeenkinder's correct, cn must be the same in the attribute list18:00
nkindereven in AD AFAIK18:00
nkinderayoung: here's what you might have seen...18:00
gyeenkinder, correct, AD enforce that18:00
nkinderayoung: if you add an LDPA entry and leave out the CN in the entry that you used in the DN, the client (or server) adds it in automatically18:01
morganfainbergdolphm, dstanek, actually this eventlet memcache thing is worse than just for keystone, once we have some kind of fix in keystone i'll look at getting it over in keystonemiddleware as well.18:01
ayoungThat was my assumption when I wrote the code origianlly, and people pointed out places where that got messed up.  Sorry, its been too long to remember exactly when.18:01
gyeewe've been testing against both OpenLDAP and AD18:01
nkinderI've written server code that does that before18:01
ayoungI'll defer to you guys on what is "right"18:01
dolphmmorganfainberg: that's what i was afraid to assume :-/18:02
nkinderThere are old server versions of OpenLDAP that said "go away stupid user", and newer ones that nicely add the missing attribute for you18:02
gyeeAD will throw you a very cryptic error if the attribute don't mat18:02
gyeematch18:02
*** dhellmann_ is now known as dhellmann18:02
morganfainbergdolphm, YorikSar is going to propose a fix to keystone today.18:02
ayoungLet's see. I have a free IPA instance18:02
gyeeserver unwilling to perform - my favor error :)18:02
nkinderayoung: I know what FreeIPA will do... I wrote some of the underlying 389 code that deals with this18:03
nkindergyee: nothing wrong with good ol' err=53 :)18:03
morganfainbergdolphm, it's not pretty but it'll get us to K when we can rev dogpile versions and get upstream stuff all fixed / in place.18:03
gyeehaha18:03
ayoungnkinder, I'd like to drop the ID to DN  code that does not do a search first18:03
nkindergyee: it's the DSID errors that AD throws that drive me crazy (and no good access logging)18:03
ayoungthe one that assumes the id_attribute is a portion of the DN18:03
morganfainbergdolphm, but short of new deps that aren't even in pip yet / releases of libs, we wont be able to do a clean fix (unless we re-implement python-memcache w/o thread local in-tree for the projectS)18:04
nkinderayoung: yes, we should make no assumption about the DN18:04
ayoungand always search against LDAP.  It will be slower for the ONE case, but it means that everything is consistant18:04
nkinderayoung: the only time where we really need to care about what is in the DN is if we are adding a user through keystone18:04
ayounghowever...that was what the AD != LDAP presentation called out.18:04
nkinderayoung: and we might need to add a config setting for "naming_attribute" to offer flexibility there18:04
morganfainbergdolphm, i'll tag that bug to keystonemiddleware... do we want to fix python-keystoneclient auth_token in this case too? it's not security fix but it's a bad bug.18:05
ayoungnkinder, this is why I think we've needed a specific LDAP meetup at the summit.18:05
gyeeyeah, sub search have a performance cost, we usually avoid it if we can18:05
ayoungNot just in the developers side, but in the real summit...18:05
dolphmmorganfainberg: let's see the fix in middleware first, but probably18:05
morganfainbergdolphm, ++18:05
ayounggyee, yeah, and the only reason that code is there is for the assignments backend now18:05
ayoungwell,  group membership, too18:05
*** bobt has joined #openstack-keystone18:06
nkinderayoung: id_to_dn should only search (unless we've cached a DN in the object)18:06
nkinderayoung: we should never construct a DN unless it's a user add operation18:06
ayoungyep18:07
ayoungagreed18:07
ayoungnkinder, just worried about making changes like this without feedback from the community18:07
ayoungmarekd, you around?18:07
gyeenkinder, there's a patch pending to do caching at the identity manager level, which should help out with performance18:07
ayoungWe have an LDAP question, and you CERN folks might have the answer18:07
gyeenkinder, https://review.openstack.org/#/c/110575/18:08
morganfainbergdolphm, ok targeted icehouse / keystonemiddleware and updated title to reflect the real issue(s).18:09
dolphmmorganfainberg: thanks!18:10
*** openstackgerrit has joined #openstack-keystone18:10
*** aix has quit IRC18:10
ayoungcjellick, read up when you have a chance18:12
ayoungcjellick, we are addressing the thing you commented on during your AD != LDAP talk18:13
cjellickkk..will catch up. thanks for the heads up18:13
*** stevelle_ has quit IRC18:17
ayoungcjellick, remember when we talked about the userid in the DN?18:18
nkinderayoung: though I don't think that this is a violation of LDAP at all18:19
ayoungcjellick, if we were to change that...would it break your deployment?18:19
ayoungI'm guessing, no.18:19
ayoungYou just got tripped up on the fact that we were composing the dns, right cjellick ?18:20
*** YorikSar has joined #openstack-keystone18:21
YorikSarmorganfainberg: I'm back.18:21
YorikSarmorganfainberg: I guess we can continue here.18:22
YorikSarmorganfainberg: Looking through logs I see you're thinking about doing this thing in middleware instead?18:22
cjellickright, composing the dn and assuming the user_id was part of it was/is the issue18:22
nkinderok, we have 3 bugs for the same LDAP binary values issue...https://bugs.launchpad.net/keystone/+bug/136452118:23
uvirtbotLaunchpad bug 1364521 in keystone "LDAP integration with Active Directory backend can throw: UnicodeDecodeError" [Medium,In progress]18:23
nkinderhttps://bugs.launchpad.net/keystone/+bug/135833018:24
uvirtbotLaunchpad bug 1358330 in keystone "Error on _ldap_get_list without attrlist value" [Medium,In progress]18:24
nkinderhttps://bugs.launchpad.net/keystone/+bug/135548918:24
uvirtbotLaunchpad bug 1355489 in keystone "authenticate ldap binary fields fail when converting fields to utf8" [Medium,Triaged]18:24
nkinderWhich one should "win" here?18:24
nkinderI have a proposed fix, but I'm not sure which bug to reference18:25
nkinderperhaps the oldest one, then we can abandon the others (assuming my approach is accepted)?18:25
morganfainbergYorikSar, welcome back18:26
morganfainbergYorikSar, i only have ~30more mins of battery18:26
morganfainbergYorikSar, no we need to do this in middleware as well18:26
morganfainbergYorikSar, since we deploy middleware under eventlet and it can use memcache to cache tokens18:27
morganfainbergYorikSar, it's not just dogpile specific.18:27
morganfainbergYorikSar, so once we have the fix for keystone i'll work on implementing that for middleware (should be a lot easier)18:28
YorikSarmorganfainberg: But where should we put that pool then?.. It'd be sad to copypaste it around.18:28
morganfainbergYorikSar, again due to the fact we can't add new deps at the moment we likely will need to copy it around some. we *might* be able to put it in middleware and import it to keystone... but long term it should go to a library as we discussed in -oslo channel18:29
YorikSarmorganfainberg: Yes, sure.18:30
gyeenkinder, I think the first two have patches in review right now, you may want to ping the authors to consolidate18:30
YorikSarmorganfainberg: Btw, does middleware use dogpile?18:30
morganfainbergYorikSar, no, it uses a separate pool implementation18:30
morganfainbergYorikSar, https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L1085-L110918:30
morganfainbergYorikSar but everything in middleware is effectively private, so updating it will be easier than keystone, it's doesn't have many public interfaces to worry about18:31
YorikSarmorganfainberg: Just found out that I've been testing Icehouse version using devstack's master. Keystone stability is cool :)18:33
morganfainbergYorikSar, we've worked *really* hard on that18:33
morganfainbergYorikSar, :)18:34
morganfainbergYorikSar, and i'm super happy to hear that. means we're doing something right :)18:34
YorikSarmorganfainberg: although then my patch got tested on our 'scale' lab, with all Icehouse :)18:34
morganfainbergthere has been a lot of shuffling of stuff in juno within keystone, but the eventlet and common.cache and common.kvs have stayed fairly stable18:35
YorikSarmorganfainberg: Oh, when I got appointed to "handle Keystone issues for our OpenStack distro" my first reaction was: "what issues?" :)18:35
YorikSarmorganfainberg: And it seems that memcached thing is the only issue we found18:36
YorikSarmorganfainberg: Yeah, my patch rebased cleanly on them :)18:36
morganfainbergdolphm, ayoung, gyee, bknudson, lbragstad, dstanek, stevemar, topol, ^ See that compliment from YorikSar! :) good stuff!18:37
bknudsonhe he.18:37
ayoungmorganfainberg, looks like I need to break more things then18:37
morganfainbergayoung, hehehe18:37
bknudsoncan I send some your way?18:38
morganfainbergif i haven't said it recently, i'm very happy with what we've accomplished with Keystone. and it's a good team to be working with :)18:38
stevemarthat is pretty awesome to hear YorikSar and morganfainberg18:39
morganfainbergnkinder, ayoung, https://bugs.launchpad.net/keystone/+bug/1360446 this is potential dos effect, do we need an OSSN on this?18:39
uvirtbotLaunchpad bug 1360446 in keystonemiddleware "client connection leak to memcached under eventlet due to threadlocal" [High,Triaged]18:39
ayoungmorganfainberg, I think that bug title should be "Eventlet considered harmful.  Flee"18:40
gyeeha18:40
morganfainbergayoung, don't disagree..18:40
ayoungmorganfainberg, let me read a bit more in depth18:40
*** hrybacki has joined #openstack-keystone18:40
YorikSarmorganfainberg: Ok. It looks like I'll be working on keystonemiddleware as well.18:40
bknudsonmorganfainberg: if we're providing a fix then it's generally OSSA18:41
morganfainbergbknudson, ok OSSA18:41
morganfainbergbut same question applies18:41
morganfainbergYorikSar, cool. let me know if you need any help.18:41
YorikSarmorganfainberg: (that guy who reported it is from our team)18:41
ayoungmorganfainberg, standard-thread under Eventlet is even an option?18:41
morganfainbergayoung, i don't think so not for production18:42
ayoungmorganfainberg, are there tuning parameters, or does it require a code fix?18:42
morganfainbergayoung, this requires a code fix. nothing we can tune18:42
ayoungOK18:42
bknudsonmorganfainberg: I thought we had a change in middleware to avoid thread local issues.18:42
ayoungmorganfainberg, and its not just memcached backend, but using it for caching.  Is it all dogpile, or just memcached?18:42
bknudsonmorganfainberg: we have a pool of memcached clients.18:43
morganfainbergbknudson, it doesn't look like it works, dogpile does pooling as well18:43
bknudsonmorganfainberg: dolphm provided that fix18:43
morganfainbergbknudson, memcache library explicitly uses unavoidable threadlocal18:43
morganfainbergbknudson, and wrapping it in the pool doesn't "fix" the issue.18:43
morganfainbergit just makes some of the racyness go away18:44
*** andreaf has quit IRC18:44
morganfainbergwe still run into issues with running out of FDs due to leaking connections18:44
bknudsonmorganfainberg: memcache lib needs eventlet monkeypatching18:44
morganfainbergbknudson, yes. :(18:44
*** andreaf has joined #openstack-keystone18:45
morganfainbergit's *basically* what YorikSar is doing.18:45
dolphmbknudson: that just fixed a security vulnerability... or seemed to18:45
YorikSarmorganfainberg: Do you know if smth changed with parsing backend_argument in [cache]?18:45
morganfainbergYorikSar, shouldn't have.18:45
morganfainbergdolphm, which iirc was race-related18:46
dolphmmorganfainberg: yes18:46
YorikSarmorganfainberg, bknudson: Nooo, it's eventlet-friendly. It's so eventlet-friendly that we basically get new memcached Client instance for every green thread.18:46
morganfainbergLOL18:46
morganfainbergthat is a good description18:46
morganfainbergit works *too well* with eventlet18:47
YorikSarAnd if we wrap it in pool, we'll get new connection for every green thread for every Client in pool18:47
dolphmmorganfainberg: talking about my unbounded poolish thing?18:48
morganfainbergbknudson, if the deployer doesn't use memcache in middleware/keystone it wont cause issues though.18:48
morganfainbergdolphm, yeah18:48
topoldid I get pinged?18:48
morganfainbergbknudson, or in the case of keystone, use apache, again no issue.18:48
dolphmunder load, yep!18:48
dolphmmorganfainberg: ++ use not eventlet many problem is fixed18:49
morganfainbergtopol, yes was pointing a nice compliment out to the people who live eat sleep and breath keystone, scroll up :)18:49
bknudsoneventlet is unsafe at any speed.18:49
bknudsonconvenient, though18:49
morganfainbergbknudson, +∞18:50
YorikSarmorganfainberg: I'm lost... How do I provide 'url' backend_argument to cache backend?..18:50
topolmorganfainberg, I see that. From YorikSar.  Been a while since we have heard from him :-)18:50
morganfainbergYorikSar, hm. ok let me see.18:50
morganfainbergYorikSar in kvs or cache?18:50
topolYorikSar still loving the LDAP keystone integration world?18:50
YorikSarmorganfainberg: It used to be like backend_argument=url:localhost:11211,localhost:11212,localhost:1121318:51
morganfainbergunfortunately it's two different implementations **to be fixed soon*18:51
YorikSarmorganfainberg: cache, kvs don't have arguments (or didn't?)18:51
morganfainbergYorikSark kvs does but it's super awkward18:51
YorikSartopol: Yeah.. I even have intern working on LDAP :)18:51
morganfainbergyeah that looks right for cache18:51
YorikSartopol: https://review.openstack.org/#/q/owner:%22Peter+Razumovsky%22+status:open,n,z18:52
morganfainbergtopol, yes, backend_argument=url:localhost:11211....18:52
morganfainbergerm YorikSar ,^ not topol18:52
morganfainbergYorikSar, that should still be the syntax18:52
YorikSarmorganfainberg: But... It doesn't work anymore. There used to be special branch for 'url'18:52
topoleasy to confuse. Im a better looking version of YorikSar :-)18:53
morganfainbergYorikSar, it should still come from build_cache_config in keystone.common.cache.core18:53
YorikSarmorganfainberg: around here: https://github.com/openstack/keystone/blob/master/keystone/common/cache/core.py#L9318:53
morganfainbergYorikSar, yesh18:54
YorikSarmorganfainberg: Yes, but it isn't split into list anymore...18:54
morganfainbergoh url needs to be an explicit list?18:54
YorikSarmorganfainberg: Yep.18:54
morganfainbergoh wait18:54
YorikSarmorganfainberg: It might happily handle string like '127.0.0.1:11211', but not comma-separated list18:55
morganfainbergYorikSar, hmm.. ah that must be it18:55
morganfainbergdoh!18:55
morganfainbergok associated bug18:55
morganfainberg:(18:55
morganfainbergok i'm out of battery and need lunch.18:55
morganfainbergsorry18:55
morganfainbergbe back in a bit.18:55
morganfainberg(have someone waiting for me for lunch)18:55
* YorikSar found a bug while fixing two other bugs (and might be adding forth one to the list)18:56
morganfainbergYorikSar, hehe18:56
YorikSarmorganfainberg: I'll try to overcome that and test my pool on master in the mean time.18:56
*** arosen has joined #openstack-keystone18:57
ayoungbknudson, on  https://bugs.launchpad.net/keystone/+bug/1366062  if ldap is in requirements, shouldn't ldappool be there, too?19:00
uvirtbotLaunchpad bug 1366062 in keystone "ldappool is not present in requirements.txt" [Undecided,Won't fix]19:00
bknudsonayoung: http://git.openstack.org/cgit/openstack/keystone/tree/requirements.txt19:01
*** openstackgerrit has quit IRC19:01
bknudsonthere's no ldap in there19:01
*** openstackgerrit has joined #openstack-keystone19:01
bknudsonit's in http://git.openstack.org/cgit/openstack/keystone/tree/test-requirements.txt19:02
bknudson(both ldap and ldappool are in there)19:02
ayoungbknudson, hmmm, I thought we had agreed to move ldap.  Must be misrememberising19:02
bknudsonI guess it's just because it's optional to configure keystone for ldap19:03
bknudsonor it's not the default configuration19:03
*** packet has quit IRC19:03
ayoungdstanek, morganfainberg I need to debug a tox issue.  THere is something in /opt/stack/python-keystoneclient/.tox/py33/build/kerberos/setup.py  that is messing things up, but that file does not exist post tox run...what am I missing?19:04
ayoungbknudson, yeah, I remember the discussion.  Might mess up the packagers, though ,as I know they look at requirements.txt19:05
*** rushiagr is now known as rushiagr_away19:05
dstanekayoung: build files are deleted after tox creates the venv - you'll have to get a local checkout of the code19:05
bknudsonayoung: I just got a defect from someone because we don't have an ldappool rpm.19:05
bknudsonayoung: so it will mess up packagers.19:06
ayoungbknudson, I wonder if we should do that as an optional import?19:06
ayoungIE, not fail if it doesn't exist?19:06
ayoungor is ldappool going to be the norm, do you think?19:06
*** joesavak has quit IRC19:07
bknudsonayoung: considering the performance increase that gyee mentioned I think it should be used.19:07
ayoungok...lets see the packagin status...19:07
bknudsonI'm surprised that ldap admins don't kill us for what we do to their servers.19:08
ayounghttp://koji.fedoraproject.org/koji/packageinfo?packageID=1364719:08
ayoungthat is upstream  Fedora...19:08
ayoung1.0-3.fc20  getting installed19:09
*** packet has joined #openstack-keystone19:09
*** samuelmz_ has joined #openstack-keystone19:12
YorikSarmorganfainberg: Ok, that parsing was added in our internal patch... I wonder why didn't it land to upstream already.19:12
dstanekayoung: kerberos looks like it may take a bit of work to be py33 compatible, but the good news is that all of the code is right there in *subversion*19:13
ayoungdstanek, rapture19:13
bknudsonthere's a git-subversion tool19:14
*** david-lyle_afk is now known as david-lyle19:14
dstanekbknudson: been there done that - it still sucks19:14
dstaneki had to do that were i used to work - you couldn't take advantage of the best git feature -- merges19:15
dstanekon the other hand the project hasn't been released in 3 years or seen a commit in 4 months so likely there would be no need for merging19:15
samuelmz_Hi, I'd like to know your thoughts on using functional programming on keystone19:16
dstaneksamuelmz_: in what context?19:16
samuelmz_Sometimes I get advises to use it on my patches19:16
YorikSarbknudson: Unfortunately those who actually use LDAP backend are enterprises that can easily throw more resources to LDAP server.19:16
samuelmz_like https://review.openstack.org/#/c/117787/6/keystone/assignment/backends/sql.py19:16
YorikSarbknudson: And they are far-far from upstream.19:16
YorikSarbknudson: That's why LDAP backend lacks behind...19:17
samuelmz_dstanek, in those cases, I don't think we have a better performance nor readability19:17
dstaneksamuelmz_: what wu is talking about isn't really functional programming - if you give me a few to finish up what i was working on i can take a deeper look19:17
samuelmz_dstanek, yes sure19:18
*** broskos has joined #openstack-keystone19:18
dstaneksamuelmz_: to me what Alexander suggested is really, really not readable19:18
samuelmz_dstanek, +119:18
ayoungdstanek, are you dealing with he Kerberos packaging?19:20
dstanekayoung: no i just took a look at the code - i can't be packaged by py319:21
ayoungdstanek, I don;t think anything can package you19:21
dstaneki work fine in py2 :-)19:22
*** stevemar has quit IRC19:23
*** joesavak has joined #openstack-keystone19:23
*** stevemar has joined #openstack-keystone19:24
broskoswhat does the workflow -1 mean?19:24
broskoshttps://review.openstack.org/#/c/118430/19:24
bknudsonbroskos: work in progress19:24
broskosok19:25
broskosty19:25
broskosbknudson: did you have a particular length in mind for your truncate suggestion?19:26
bknudsonbroskos: actually I don't want to see the value because I think it will be useless.19:27
bknudson10 chars should be enough19:27
bknudsonbut as I said I don't see what the point is of logging the value19:27
ayoungdstanek, is this a show stopper?  Is there no way to do commands in python 3?19:27
broskossure.. yep, it is pretty useless.  I’ll chop it to 10.19:27
broskosbknudson: I origninally submitted it without logging :)19:28
bknudsonbroskos: logging at debug seems adequate.19:29
broskosbroskos: and have done 3 or so updates on polishing the output that really doesn’t tell you which dn throws it.19:29
broskosbknudson: good idea19:29
dstanekayoung: we can't deploy to py3 anyway - so i wouldn't even worry about it19:29
ayoungdstanek, its client code19:29
bknudsonbroskos: we've got so many problems with logging and error reporting that I can't make a big deal out of this one.19:29
dstanekoh, hmmm.. that's not good then19:29
ayoungdstanek, right19:29
dstanekayoung: i wonder if it would be easy to port...19:30
ayoungdstanek, I'm going to try now19:30
broskosbknudson: cool.. I’m just happy to get something in that works for whatever crap AD is spewing back at us19:30
broskosThere are other fixes in progress to limit the attributes returned, I believe19:31
*** amirosh has joined #openstack-keystone19:31
dstaneksamuelmz_: i commented on that review19:32
samuelmz_dstanek, ok i'm gonna take a look at it, thanks19:32
dstanekayoung: there's good amount of C in there :-(19:34
ayoungdstanek, you say that like that is a bad thing19:34
dstanekayoung: for porting it's either been really easy or really hard for me19:35
openstackgerritAaron Rosen proposed a change to openstack/python-keystoneclient: Sync with latest oslo-incubator  https://review.openstack.org/11945119:35
dstaneksince there is almost no code besides C it may end up being really easy19:35
openstackgerritYuriy Taraday proposed a change to openstack/keystone: Add a pool of memcached clients  https://review.openstack.org/11945219:36
dstanekayoung: it may be as easy as replacing commands with subprocess19:36
YorikSarmorganfainberg, ayoung, bknudson, dolphm, whoever else interested in memcached bug: ^^^19:36
ayoungdstanek, I'm going to get it into Git first19:36
dolphmdstanek: any chance you have terminal-notifier installed? (brew)19:38
dstanekdolphm: i don't, but that's easy to change19:39
dolphmdstanek: i'm looking for a better option19:40
dstanekdolphm: i have used a python lib for this for other stuff like weechat19:40
dstaneki think the one i currectly use is pygrowl, but i'd have to doublecheck19:41
dolphmdstanek: i'm about to try this https://wiki.python.org/moin/MacPython/Growl/AppleScriptSupport19:43
dolphmdstanek: but right now i'm using subprocess to call terminal-notifier19:43
bknudsonis that like VBScript?19:43
dstanekdolphm: i think i just 'pip install growl' to get my weechat plugin to work19:44
dolphmdstanek: https://github.com/dolph/gerrit-growler19:46
dstanekdolphm: nice, i'll give is a try momentarily19:47
dolphmdstanek: run it with --debug and --verbose the first time ... otherwise it authenticates similarly to next-review19:50
openstackgerritNathan Kinder proposed a change to openstack/keystone: Avoid conversion of binary LDAP values  https://review.openstack.org/11945719:55
bknudsonnkinder: you and broskos should make sure your fixes work together!19:55
nkindergyee, ayoung, dstanek, bknudson: ^^^ that should address this binary value issue19:55
ayoungnkinder, looking19:55
nkinderbknudson: they should, though I don't know that his is necessary the way I implemented mine19:56
ayoungnkinder, I've hit a bit of a blocker on Kerberos.  It won't build under python33, and python33 is required for keystoneclient19:56
bknudsonnkinder: it's got kind of the same code.19:56
nkinderbknudson: that is a good topic for discussion though19:56
nkinderbknudson: yes, just at different levels19:56
dolphmstevemar: see you in 12 more hours19:57
ayoungnkinder, what is the ['1.1'] in there?19:57
stevemardolphm, ugh19:57
stevemarwe really need recheck rubber stamps19:58
nkinderayoung: 1.1 means 'return no values'19:58
bknudsonstevemar: just ninja it at some point19:58
nkinderayoung: only the dn will be returned19:58
nkinderayoung: it's an LDAP standard19:58
ayoungnkinder, MAJICK!19:58
broskos:)19:59
ayoungcode looks good.  but wonder if that should be commented19:59
bknudsonayoung: http://tools.ietf.org/html/rfc4511#section-4.5.1.819:59
ayoungI mean, really, no one know LDAP19:59
nkinderbroskos: so, didn't want to step on your patch either19:59
bknudsonit's a special OID19:59
dolphmstevemar: i *think* when jenkins says "This change depends on a change that failed to merge." that you don't need to recheck. when the failed underlying patch re-gates, the subsequent patch will go with it19:59
nkinderayoung: we already use 1.1 throughout the assignment code19:59
bknudsonnkinder: ayoung: I think I did comment it at one place...19:59
ayounggood enough19:59
broskosnkinder: I’d rather fix it before it get’s to ldap2py as you have done19:59
nkinderbroskos: yeah, we can log the attr name that way20:00
stevemardolphm, yeah i also think that too, but i don't want to miss out on it20:00
ayoungnkinder, +2 from me...the change looks right20:00
dolphmstevemar: https://github.com/dolph/gerrit-growler/20:00
dolphmstevemar: fair enough20:00
*** topol has quit IRC20:01
ayounghttp://ksylvest.github.io/jquery-growl/20:01
broskosnkinder: do we want to keep a try around the utf8 encode where I have it?  The main reason that I ask, is that if something else falls through, all we get to go on is user/password error20:01
ayoungvery different from http://cdnjs.com/libraries/bootstrap-growl20:01
* ayoung going to name his next project growl20:01
broskosnkinder: otherwise I can just abandon20:01
openstackgerritAaron Rosen proposed a change to openstack/python-keystoneclient: Sync with latest oslo-incubator  https://review.openstack.org/11945120:02
ayoungbroskos, so long as why gets logged in debug  I think that is correct behavior20:02
nkinderbroskos: I added a log statement that will catch it too, though I left it at DEBUG20:02
ayoungbroskos, here's my rationale20:02
ayoungwe've seen this from people "trying out" new versions of Keystone20:02
ayoungthey are going to start getting problems, and need to be able to debug it20:02
ayoungwe don't want to spam a log for a live deployment20:03
ayoungso, we really need to focus on providing the tools for identifying the problem in debug mode first and foremoist20:03
ayoungmost20:03
broskosayoung: makes sense - I’m not a fan of useless logging.  Previously it was a silient failure, which had nothing to do with user/pw specifically20:04
broskosand it took several hours of digging to find the real issue20:04
ayoungbroskos, and twice I've spent a lot of time tracingthrough ... and nkinder picked that up from me yesterday...this is a pain to debug20:04
broskosI’m happy to abandon at this point, it looks like this a better approach.20:05
ayoungKeystone LDAP in general needs better debugability20:05
broskosfingers crossed for an icehouse backport20:05
ayoungyeah, I think this should be safe for backport20:05
* broskos dances20:05
ayoungbroskos, If your really want it, can you submit the backported patch>20:05
ayoung?20:05
broskossure20:06
broskosjust submit via review to stable/icehouse ?20:06
nkinderbroskos: yep, as soon as I get approval on the master fix, I'll propose the backport20:07
nkinderbroskos: I think it's really really needed for icehouse20:08
nkinderbroskos: the fact that there are 3 bugs on it already is a testament to that20:08
broskos+120:08
broskoscool, thanks guys20:08
nkinderbroskos: if my fix looks good for you, please +1 it too20:08
broskosk20:09
broskosIm going to take a few to test it locally on my broke ad integration, then I will +120:09
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds missing log hints for level E/I/W  https://review.openstack.org/11888320:09
openstackgerritDavid Stanek proposed a change to openstack/keystone: Extends hacking check for logging to verify i18n hints  https://review.openstack.org/11888420:09
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a spelling error in hacking tests  https://review.openstack.org/11946120:09
*** raildo has quit IRC20:11
*** amirosh has quit IRC20:12
openstackgerritAndreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/11804820:12
*** amirosh has joined #openstack-keystone20:13
dolphmdstanek: so bug 1364521 is a dupe of bug 1355489?20:14
uvirtbotLaunchpad bug 1364521 in keystone "LDAP integration with Active Directory backend can throw: UnicodeDecodeError" [Medium,In progress] https://launchpad.net/bugs/136452120:14
uvirtbotLaunchpad bug 1355489 in keystone "authenticate ldap binary fields fail when converting fields to utf8" [Medium,In progress] https://launchpad.net/bugs/135548920:14
*** amirosh has quit IRC20:14
*** amirosh has joined #openstack-keystone20:14
*** rodrigods has quit IRC20:15
dolphmbroskos: nkinder: ayoung: ^20:16
nkinderdolphm: yes, there are 2 dups (grabbing #'s)20:17
nkinderdolphm: 1358330 and 1364521 are dups of 135548920:19
nkinderdolphm: 3 bugs in one fell swoop! ;)20:19
nkinderbroskos: that testing would be much appreciated!20:20
dstanekdolphm: it looks like we got 2 birds with 1 stone20:22
dolphmnkinder: dstanek: awesome. lbragstad and i were wondering about those yesterday :)20:23
lbragstadoh, the unicode ones with ldap20:23
dolphmdstanek: nkinder: so this should be abandoned as well? https://review.openstack.org/#/c/114986/20:24
dstanekdolphm: nkinder: i have no idea what that is doing20:26
*** arborism has joined #openstack-keystone20:26
dstanekdolphm: nkinder: based on the TB here: https://bugs.launchpad.net/keystone/+bug/1358330 i think it's the same issue - not sure why the fix looks so different20:27
uvirtbotLaunchpad bug 1358330 in keystone "Error on _ldap_get_list without attrlist value (dup-of: 1355489)" [Medium,In progress]20:27
uvirtbotLaunchpad bug 1355489 in keystone "authenticate ldap binary fields fail when converting fields to utf8" [Medium,In progress]20:27
*** amirosh has quit IRC20:27
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use oslo_debug_helper and remove our own version  https://review.openstack.org/11942220:27
*** amirosh has joined #openstack-keystone20:28
* dolphm is off to beer for now.20:30
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Add test for getting a token with inherited role  https://review.openstack.org/11920620:31
*** amirosh has quit IRC20:32
dstanekstevemar: how is that helper installed?20:34
stevemardstanek, i added it to oslotest20:35
stevemardstanek, and oslotest exports it in setup.py/cfg20:35
stevemardstanek, https://github.com/openstack/oslotest/blob/master/setup.cfg#L2620:36
dstanekis that is the version they released this morning? that doesn't get installed for me20:37
*** hrybacki has quit IRC20:37
stevemardstanek, yep, it's based on the version released this morning20:37
stevemardstanek, thats why i upgraded test-requirements20:37
dstaneki didn't know you could install shell scripts like that20:38
stevemardstanek, i didn't either20:38
stevemardstanek, bnemec and dhellmann helped :)20:38
*** jsavak has joined #openstack-keystone20:39
stevemardstanek, we have to wait until global requirements is actually updated, but i wanted to make sure it worked20:40
stevemardstanek, and it means other projects can use it more easily now :D20:41
*** joesavak has quit IRC20:41
dstaneknice20:41
dstaneki say just don't use testr for development :-) i can't anymore because it's too slow20:41
stevemari think a few other projects like pycadf/ksc/osc were carrying their own versions, but now it's just a one line change20:42
bknudsonit's not testr that's the problem it's our unit tests20:43
dstanekno, it's definitely testr - i shouldn't have to wait for it to build a list of all possible tests when I want to run tests in a single file20:45
dstanekit throws off my testing mojo20:45
lbragstadmy testing mojo is hard to find... so when it's thrown off it *really* messes with me20:46
dstanekit's great for automated testing when you don't care how slow it is, but when you want a 1 second response you need to look elsewhere20:46
dstanekso with FF we can't add features, config options and new string to master?20:48
*** cjellick has quit IRC20:48
*** cjellick has joined #openstack-keystone20:53
*** hrybacki has joined #openstack-keystone20:54
bknudsondstanek: you can request a feature freeze exemption20:55
dstanekbknudson: but that's to merge into master right?20:56
*** packet has quit IRC20:56
bknudsondstanek: yes, the feature freeze is for juno20:57
bknudsondstanek: where else are you going to merge things?20:57
*** joesavak has joined #openstack-keystone20:57
nkinderdstanek: yeah, I wasn't sure about that fix proposal either (None vs [])20:57
bknudsonfeature branch?20:57
dstanekbknudson: is was hoping that they would cut a tag or something so we can continue working on new stuff20:59
*** jsavak has quit IRC21:00
nkinderdolphm, dstanek: I just replied to your review comments.  I did code it to skip the entire attribute if we encounter a binary value on purpose.21:01
nkinderI'm OK with continuing to process through the values though21:01
nkinderIt we encounter an attribute with binary values, it seems likely that it's an attribute that Keystone shouldn't even be using in the first place (like the objectSID occurrence that I saw).21:02
dstaneknkinder: ah, i see... that list of values is for a single attribute?21:03
nkinderdstanek: yes21:03
nkinderdstanek: so we will process additional attributes21:04
*** andreaf has quit IRC21:05
*** gokrokve has quit IRC21:05
ayoungdstanek, nkinder https://github.com/admiyo/PyKerberos21:07
dstaneknkinder: that makes sense to me21:07
ayounglets hear it for the github importer21:07
*** dims has quit IRC21:08
broskosnkinder: tests fine on my icehouse / ad integration - good stuf21:09
nkinderbroskos: great, thanks!21:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix dn_startswith  https://review.openstack.org/11947821:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add characterization test for group role assignment listing  https://review.openstack.org/11947921:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix LDAP group role assignment listing  https://review.openstack.org/11948021:10
bknudsonmore LDAP fixins.21:10
broskosnkinder: for backport fyi you will need to bring _ldap_get_list along in common/ldap/core21:10
nkinderdolphm: are you good with it?21:10
broskosnkinder: once I did that it worked fine21:10
*** r-daneel has quit IRC21:12
*** dims has joined #openstack-keystone21:12
*** gokrokve has joined #openstack-keystone21:14
nkinderbroskos: ok, cool.  I'm going to head out here in a bit, but I'll backport tonight or tomorrow21:16
*** joesavak has quit IRC21:16
dstanekayoung: nice21:21
*** jasondotstar has quit IRC21:24
*** jorge_munoz has left #openstack-keystone21:24
*** nkinder has quit IRC21:26
*** openstackgerrit has quit IRC21:31
*** openstackgerrit has joined #openstack-keystone21:32
dstanekayoung: have you seen this https://pypi.python.org/pypi/python-krbV/1.0.90 ?21:37
*** samuelmz_ has quit IRC21:38
ayoungdstanek, doesn't surprise me, but in this case, I want to go with the module we've been coding to.21:41
*** zzzeek has quit IRC21:41
*** broskos has left #openstack-keystone21:41
ayoungdstanek, there were several python kerberos implementations.  I need the one that works with requests-kerberos21:42
*** dims_ has joined #openstack-keystone21:44
*** dims_ has quit IRC21:46
ayoungdstanek, doesn't look too bad21:46
ayounghttp://paste.openstack.org/show/106812/21:46
ayoungdstanek, that is with import subprocess as commands21:47
*** dims has quit IRC21:47
*** dims_ has joined #openstack-keystone21:47
ayoungI think I'll need 6 or something to get it to work for both, but  shouldn't be that bad21:48
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove unused variable TIME_FORMAT  https://review.openstack.org/11949021:52
*** saipandi has joined #openstack-keystone21:55
ayoungdstanek, Ok, here is the state:  if I am on python2 I want commands,  if python3, I want subprocess.  I really don;t want to pull in six just to do the build.21:56
dstanekpython2 has subprocess21:56
*** dims_ has quit IRC21:57
*** dims has joined #openstack-keystone21:58
ayoungdstanek, yeah, but it does not have the right functions (getoutput)21:59
ayounghttp://paste.fedoraproject.org/131428/09954298/21:59
ayoungdstanek, ^^ works ok21:59
ayoungis that horrible?21:59
*** bobt has quit IRC22:00
*** marcoemorais has quit IRC22:01
bknudsonDeprecated since version 2.6: The commands module has been removed in Python 3.  Use the subprocess module instead.22:01
bknudsonhttps://docs.python.org/2/library/commands.html22:01
dstanekayoung: you just need subprocess.check_output right?22:01
*** marcoemorais has joined #openstack-keystone22:02
ayoungdstanek, um,  probably22:02
ayounghere is the full code22:02
ayounghttp://paste.fedoraproject.org/131429/9545151422:02
*** marcoemorais has quit IRC22:02
dstanekthere isn't anything you can do with commands that youy can't do with subprocess in some way22:02
*** marcoemorais has joined #openstack-keystone22:02
*** marcoemorais has quit IRC22:03
dstanekactually check_output is 2.7 so you may have to use Popen directly to get the same effect22:03
ayoungit actually needs to parse the output, so more than just check_output22:03
*** marcoemorais has joined #openstack-keystone22:03
ayoungnot worth it22:03
*** marcoemorais has quit IRC22:03
ayoungthis is build code22:03
*** marcoemorais has joined #openstack-keystone22:03
ayoungpython 3 subprocess does what the old commands code does22:04
ayoungI'd be more prone to change the pre 3 version to22:04
ayoungimport commands as subprocess22:04
ayoungand be done with it22:04
*** ayoung is now known as ayoung-afk22:06
*** dims has quit IRC22:06
*** sigmavirus24 is now known as sigmavirus24_awa22:08
*** saipandi has quit IRC22:13
*** stevemar has quit IRC22:28
*** bknudson has quit IRC22:30
*** saipandi has joined #openstack-keystone22:36
*** hrybacki has quit IRC22:41
*** arborism is now known as amcrn22:46
*** harlowja is now known as harlowja_away23:00
*** richm has quit IRC23:17
*** sigmavirus24_awa is now known as sigmavirus2423:22
*** marcoemorais has quit IRC23:26
*** marcoemorais has joined #openstack-keystone23:26
*** sigmavirus24 is now known as sigmavirus24_awa23:26
*** marcoemorais has quit IRC23:26
*** marcoemorais has joined #openstack-keystone23:26
*** marcoemorais has quit IRC23:27
*** marcoemorais has joined #openstack-keystone23:27
*** larsks has quit IRC23:30
*** harlowja_away is now known as harlowja23:31
*** david-lyle has quit IRC23:49
*** gokrokve has quit IRC23:51
*** marcoemorais has quit IRC23:55
*** marcoemorais has joined #openstack-keystone23:56
*** gyee has quit IRC23:58
*** amerine has joined #openstack-keystone23:59
« Thursday, 2014-09-04 Index Saturday, 2014-09-06 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!