Wednesday, 2014-10-01

« Tuesday, 2014-09-30 Index Thursday, 2014-10-02 »
*** alex_xu has joined #openstack-keystone00:00
*** gokrokve has quit IRC00:04
*** gokrokve has joined #openstack-keystone00:04
*** cjellick_ has quit IRC00:08
*** cjellick has joined #openstack-keystone00:08
*** gokrokve has quit IRC00:09
*** stevemar has joined #openstack-keystone00:12
*** cjellick has quit IRC00:13
*** dims has joined #openstack-keystone00:14
*** dims has quit IRC00:19
*** marcoemorais has quit IRC00:28
*** ayoung has joined #openstack-keystone00:39
*** NM1 has joined #openstack-keystone00:42
openstackgerritNathan Kinder proposed a change to openstack/keystone: Handle default string values when using user_enabled_invert  https://review.openstack.org/12524300:42
nkinder...and with that, I'm out.00:42
*** NM2 has joined #openstack-keystone00:44
*** NM3 has joined #openstack-keystone00:45
*** NM1 has quit IRC00:46
*** NM1 has joined #openstack-keystone00:46
*** NM1 has joined #openstack-keystone00:47
*** NM2 has quit IRC00:48
*** nkinder has quit IRC00:49
*** gyee has quit IRC00:49
*** NM3 has quit IRC00:50
*** stevemar has quit IRC00:57
*** gokrokve has joined #openstack-keystone01:03
*** r-daneel has quit IRC01:04
*** diegows has quit IRC01:05
*** NM1 has quit IRC01:08
*** openstackgerrit_ has joined #openstack-keystone01:19
*** HenryG_ has joined #openstack-keystone01:22
*** stevemar has joined #openstack-keystone01:24
*** HenryG has quit IRC01:24
*** ncoghlan has joined #openstack-keystone01:29
*** lcheng has quit IRC01:35
*** lcheng has joined #openstack-keystone01:35
*** dims has joined #openstack-keystone01:36
*** lcheng has quit IRC01:40
*** praneshp has quit IRC01:42
*** ncoghlan is now known as ncoghlan_afk01:43
*** gokrokve has quit IRC01:55
*** leonchio_ has quit IRC01:57
*** amcrn has quit IRC02:02
*** zzzeek has joined #openstack-keystone02:05
*** david-lyle has joined #openstack-keystone02:11
*** HenryG_ has quit IRC02:25
*** zzzeek has quit IRC02:34
*** r1chardj0n3s is now known as r1chardj0n3s_afk02:36
*** praneshp has joined #openstack-keystone02:37
*** jamielennox has quit IRC02:40
*** HenryG has joined #openstack-keystone02:41
*** praneshp_ has joined #openstack-keystone02:41
*** praneshp has quit IRC02:41
*** praneshp_ is now known as praneshp02:41
*** ncoghlan_afk is now known as ncoghlan02:41
*** harlowja is now known as harlowja_away02:42
*** swartulv has quit IRC02:42
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Ensure sql upgrade tests can run with non-sqlite databases.  https://review.openstack.org/12522802:44
*** swartulv has joined #openstack-keystone02:44
*** david-lyle has quit IRC02:47
*** jamielennox has joined #openstack-keystone02:48
openstackgerritNathan Kinder proposed a change to openstack/keystone: Handle default string values when using user_enabled_invert  https://review.openstack.org/12524302:49
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Handle default string values when using user_enabled_invert  https://review.openstack.org/12524302:52
openstackgerritNathan Kinder proposed a change to openstack/keystone: Handle default string values when using user_enabled_invert  https://review.openstack.org/12524302:53
*** nkinder has joined #openstack-keystone02:54
morganfainbergnkinder, you keep re-proposing the same fixes to master02:54
nkindermorganfainberg: yeah, I pushed to a branch from propsed/juno02:54
nkinder...but it's going against master in gerrit.  What gives?02:55
morganfainbergnkinder, you need to specify the branch with git review02:55
morganfainbergnkinder the .gitreview file says "master"02:55
morganfainbergso git reveiw <branch>02:55
nkinderbah, I don't have it set up to track properly.  I must have fixed that for my local icehouse and havana and forget that step :(02:55
*** NM1 has joined #openstack-keystone02:55
morganfainbergnkinder, the .gitreview file wont get updated until stable/juno is cut02:55
morganfainbergnah, we update it for the stable branches02:55
nkinderok, that makes sense then.  Sorry for the noise on this one...02:56
morganfainberghttps://github.com/openstack/keystone/blob/stable/havana/.gitreview#L502:56
morganfainbergnkinder, haha no worries, let me fix this one again and re-approve it :)02:56
morganfainbergnkinder i'm sure i've done the same thing a bunch :P02:56
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Handle default string values when using user_enabled_invert  https://review.openstack.org/12524302:57
morganfainbergnkinder, ok there ya go02:57
morganfainbergshould be gating again02:57
nkindermorganfainberg: thanks!  I'll propose it properly for proposed/juno now, cool?02:58
morganfainbergyeah02:58
morganfainbergjust make sure you specify the branch you're proposing to.02:58
nkinderyeah, I've done that before for some of our internal git repos02:58
nkinderok, that's better - https://review.openstack.org/#/c/125257/03:04
morganfainbergway better03:05
nkindermorganfainberg: I'll NOT screw up when proposing the other 2 issues for proposed/juno :)03:05
morganfainberghehehe03:05
morganfainbergit's ok, I'm just playing with the health kit stuff on my iphone, so nothing crazy going on here atm03:05
*** lcheng has joined #openstack-keystone03:07
*** lcheng has quit IRC03:09
*** lcheng has joined #openstack-keystone03:09
nkindermy other gating change is up for proposed/juno too now - https://review.openstack.org/#/c/125258/03:10
*** NM1 has quit IRC03:10
nkinderthat just leaves this one which still needs some review love - https://review.openstack.org/#/c/125097/03:11
*** jamielennox has quit IRC03:13
morganfainbergyeah03:15
morganfainbergi'm looking at it03:15
*** jamielenz has joined #openstack-keystone03:16
*** jamielenz is now known as jamielennox03:17
morganfainbergbleh i don't like using coding utf8, :P03:17
*** afaranha has quit IRC03:17
morganfainberg+203:17
*** tellesnobrega_ has quit IRC03:18
*** raildo has quit IRC03:18
*** thiagop has quit IRC03:18
*** samuelmz-awaw has quit IRC03:18
*** htruta has quit IRC03:18
*** gabriel-bezerra has quit IRC03:18
*** flwang has joined #openstack-keystone03:20
* morganfainberg sighs... fire alarm.. great...03:20
*** dims has quit IRC03:33
*** richm has quit IRC03:36
*** andreaf has quit IRC03:44
*** andreaf has joined #openstack-keystone03:45
*** amcrn has joined #openstack-keystone03:49
*** wwriverrat has joined #openstack-keystone03:56
stevemarmorganfainberg, both will need to be rechecked03:58
stevemarmorganfainberg, the gate is on the floor03:59
morganfainbergaww03:59
*** flwang has quit IRC04:02
*** r1chardj0n3s_afk is now known as r1chardj0n3s04:04
*** KanagarajM has joined #openstack-keystone04:22
*** gokrokve has joined #openstack-keystone04:38
*** dguitarbite has quit IRC04:55
*** ncoghlan is now known as ncoghlan_afk05:00
*** samuelmz has joined #openstack-keystone05:06
*** htruta has joined #openstack-keystone05:07
*** raildo has joined #openstack-keystone05:08
*** tellesnobrega has joined #openstack-keystone05:08
*** marcoemorais has joined #openstack-keystone05:14
*** afaranha has joined #openstack-keystone05:15
*** marcoemorais1 has joined #openstack-keystone05:15
*** alex_xu has quit IRC05:18
*** gabriel-bezerra has joined #openstack-keystone05:19
*** marcoemorais has quit IRC05:19
*** r1chardj0n3s is now known as r1chardj0n3s_afk05:24
*** amerine has joined #openstack-keystone05:24
*** NM1 has joined #openstack-keystone05:24
*** ncoghlan_afk is now known as ncoghlan05:26
*** ajayaa has joined #openstack-keystone05:27
*** NM2 has joined #openstack-keystone05:27
*** NM1 has quit IRC05:29
*** dguitarbite has joined #openstack-keystone05:32
*** ajayaa has quit IRC05:33
*** ncoghlan is now known as ncoghlan_afk05:36
*** ncoghlan_afk is now known as ncoghlan05:38
*** ajayaa has joined #openstack-keystone05:46
*** k4n0 has joined #openstack-keystone05:47
*** ukalifon has joined #openstack-keystone05:53
*** gokrokve_ has joined #openstack-keystone05:55
*** andreaf has quit IRC05:57
*** andreaf has joined #openstack-keystone05:57
*** gokrokve has quit IRC05:58
*** gokrokve_ has quit IRC05:59
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12495006:05
*** r1chardj0n3s_afk is now known as r1chardj0n3s06:13
*** henrynash has joined #openstack-keystone06:15
*** openstackgerrit_ has joined #openstack-keystone06:19
*** gokrokve has joined #openstack-keystone06:25
*** gokrokve has quit IRC06:26
*** gokrokve has joined #openstack-keystone06:27
*** henrynash has quit IRC06:29
*** jedix has quit IRC06:30
*** gokrokve has quit IRC06:32
*** dims has joined #openstack-keystone06:33
*** dims has quit IRC06:38
*** mflobo__ has quit IRC06:44
*** mflobo has joined #openstack-keystone06:44
*** lcheng has quit IRC06:47
*** jedix has joined #openstack-keystone06:49
*** miqui has quit IRC06:52
*** marcoemorais1 has quit IRC07:01
*** Tahmina has joined #openstack-keystone07:03
*** NM1 has joined #openstack-keystone07:08
*** NM2 has quit IRC07:08
*** amcrn has quit IRC07:11
*** andreaf has quit IRC07:18
*** stevemar has quit IRC07:18
*** oomichi has joined #openstack-keystone07:18
*** KanagarajM has quit IRC07:25
*** KanagarajM has joined #openstack-keystone07:26
*** gokrokve has joined #openstack-keystone07:28
*** gokrokve has quit IRC07:32
marekdmhu: hello07:32
*** flwang has joined #openstack-keystone07:37
*** ajayaa has quit IRC07:43
*** NM1 has quit IRC07:48
openstackgerritSergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/11838307:55
*** jistr has joined #openstack-keystone08:02
*** lsmola has joined #openstack-keystone08:04
*** ajayaa has joined #openstack-keystone08:04
*** ncoghlan has quit IRC08:07
*** bdossant has joined #openstack-keystone08:19
*** ayoung has quit IRC08:23
*** gokrokve has joined #openstack-keystone08:28
mhuhey marekd08:28
*** gokrokve has quit IRC08:33
*** henrynash has joined #openstack-keystone08:35
marekdmhu: i have a question.08:35
mhumarekd, sure08:38
marekdmhu: (sorry, got distracted). So i want to play with my mapping patches in openstackclient, but even though the entries like mapping_create, mapping_list are in the setup.cfg, when I type openstack -h it doesnt list mapping options08:39
marekdmhu: do you know how to make it usable?08:40
mhumarekd, I actually have had the same problem, turns out the command is likely available, even though it is not listed in the help08:41
marekdmhu: how can i make it appear in that help list?08:42
mhuI need to figure out what's missing. I supposed -wrongly- that declaring the command in setup.cfg was enough08:42
mhuand adding a class docstring, since the help message is the docstring08:42
marekdmhu: L.O.L08:43
marekdmhu: ok i will try08:43
mhumarekd, first one to figure it out should tell the other ! :)08:43
mhumarekd, try to invoke the command, if you added it to setup.cfg it should be available even though the help doesn't show up08:45
marekdmhu: yep.08:45
marekd(osc)marek@cerntop:/srv/openstack/python-openstackclient$ openstack mapping create08:47
marekdERROR: openstack Unknown command ['mapping', 'create']08:47
marekdmhu: ^^08:47
marekddesole08:47
mhumarekd: what does it say with --debug ?08:49
marekdoh, always foget about --debug. It simply raises ValueError from /srv/env/osc/local/lib/python2.7/site-packages/cliff/commandmanager.py find_command08:50
marekdok, i will need to debug it.08:51
mhumarekd, it might be a long shot, it might be due to a missing dependency. Since the federation stuff is deemed "optional" in keystoneclient, some required libraries are declared in test-requirements (lxml being the culprit)08:52
mhumarekd, therefore they're not installed by default08:53
*** NellyK has joined #openstack-keystone08:53
mhumarekd, and thus the federation-related actions aren't available08:53
marekdhm, looks like osc is ignoring identity.v3 section from setup.cfg08:54
marekd(i tried to export OS_IDENTITY_API=3)08:54
*** Daviey has quit IRC08:54
marekdmhu: http://pasteraw.com/f5obb9uai5wzxg73jgmgml0qlm7y14o08:55
marekdmhu: for a future reference: I think the key is to choose proper identity api08:57
marekdbut it still doesn't solve my problem :P08:57
*** NellyK has quit IRC08:58
mhumarekd, what does python -c 'from openstackclient.identity.v3.mapping import ListMapping' return ?08:58
marekdnothing, the class is there.08:59
*** Daviey has joined #openstack-keystone09:06
marekdmhu: to be honest it's even hard for me to imagine whether identity provider/protocols/mappings from keystoneclient will use sessions at the moment.09:11
*** praneshp has quit IRC09:14
*** afazekas has joined #openstack-keystone09:17
*** oomichi has quit IRC09:20
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure sql upgrade tests can run with non-sqlite databases.  https://review.openstack.org/12522809:20
*** andreaf_ is now known as andreaf09:23
*** flwang has left #openstack-keystone09:23
mhumarekd: how do you mean ?09:24
*** gokrokve has joined #openstack-keystone09:26
marekdmhu: well, it still uses some client classes that I am not sure atm if they use keystoneclient.Session09:30
*** gokrokve has quit IRC09:31
*** nellysmitt has joined #openstack-keystone09:42
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure sql upgrade tests can run with non-sqlite databases.  https://review.openstack.org/12522809:58
*** amakarov has joined #openstack-keystone10:17
*** gokrokve has joined #openstack-keystone10:26
*** jaosorior has joined #openstack-keystone10:27
*** gokrokve has quit IRC10:30
*** KanagarajM has quit IRC10:40
*** diegows has joined #openstack-keystone10:51
*** aix has joined #openstack-keystone10:55
*** dims has joined #openstack-keystone11:12
*** henrynash has quit IRC11:24
*** henrynash has joined #openstack-keystone11:26
*** gokrokve has joined #openstack-keystone11:26
*** gokrokve has quit IRC11:31
*** ajayaa has quit IRC11:37
*** aix has quit IRC11:40
*** aix has joined #openstack-keystone11:41
*** ayoung has joined #openstack-keystone11:47
*** aix has quit IRC12:01
*** alex_xu has joined #openstack-keystone12:10
*** aix has joined #openstack-keystone12:14
*** dims has quit IRC12:21
*** dims has joined #openstack-keystone12:21
*** henrynash has quit IRC12:22
*** gokrokve has joined #openstack-keystone12:26
*** Gippa has joined #openstack-keystone12:28
*** gokrokve has quit IRC12:31
marekddolphm: easy review: https://review.openstack.org/#/c/124767/1, already got +2 from stevemar.12:44
*** gordc has joined #openstack-keystone12:59
*** NM1 has joined #openstack-keystone13:05
*** richm has joined #openstack-keystone13:07
marekdmhu: if you have time, can you take a look on this patch and check if mappings work on your env: https://review.openstack.org/#/c/86912/13:09
*** joesavak has joined #openstack-keystone13:15
*** NM1 has quit IRC13:19
amakarovGreetings! Found this: https://wiki.openstack.org/wiki/Keystone/Trusts13:19
amakarovDoes delegation chain actually works?13:20
amakarov>> A final parameter, delegation depth, says whether the delegation is recursive or not, and if recursive specifies the length of the delegation chain.13:20
amakarovIn "create_trust" API call transitive delegation is blocked13:22
amakarovIs there any document about delegation chain internals?13:23
*** Tahmina has quit IRC13:23
*** gokrokve has joined #openstack-keystone13:26
*** afazekas has quit IRC13:30
*** gokrokve has quit IRC13:31
mhumarekd, sure13:33
*** afazekas has joined #openstack-keystone13:33
*** nellysmitt has quit IRC13:36
Davieyayoung: Hey, just to check.. Did your p-k-k branch work with keystoneclient --os-auth-plugin / OS_AUTH_PLUGIN 'kerberos'?13:39
Davieyayoung: I was reading http://www.jamielennox.net/blog/2014/09/15/how-to-use-keystoneclient-sessions/ , but that seemed to imply you need a separate wrapper.. but surely that can't be right?13:41
*** topol has joined #openstack-keystone13:42
*** nellysmitt has joined #openstack-keystone13:47
*** gokrokve_ has joined #openstack-keystone13:48
*** gokrokve_ has quit IRC14:02
*** gokrokve has joined #openstack-keystone14:03
*** gokrokve_ has joined #openstack-keystone14:06
*** alex_xu has quit IRC14:07
*** gokrokve has quit IRC14:08
*** stevemar has joined #openstack-keystone14:10
*** sigmavirus24 has joined #openstack-keystone14:14
topolKeystone cores, what is typical amount of time of warning given before a dperecated feature is pulled from the code base?14:15
topoltwo release cycles or one?14:15
*** openstackgerrit has quit IRC14:18
*** openstackgerrit has joined #openstack-keystone14:18
*** bknudson has joined #openstack-keystone14:19
*** alex_xu has joined #openstack-keystone14:22
*** nellysmitt has quit IRC14:23
dstanektopol: maybe marked as deprecated in one release and removed in the next.14:23
topoldstanek, THANKS!!!14:23
dstanektopol: i think oslo has a deprecate in N and remove in N+214:23
dstanektopol: what are you looking to deprecate?14:24
topoldstanek, I must say how keystone handles deprecation via decorator seems much better than another project I just looked at14:24
dstanektopol: also APIs may be longer? not sure14:25
topoldstanek, makes sense14:25
topoldstanek if you are curious: https://review.openstack.org/#/c/121824/14:25
*** henrynash has joined #openstack-keystone14:27
*** david-lyle_ has joined #openstack-keystone14:30
gordctopol: there's a deprecated decorator in oslo... whether anyone uses it is another matter: https://github.com/openstack/oslo-incubator/blob/master/openstack/common/versionutils.py#L3314:35
bknudsongordc: that's what we use.14:35
gordcbknudson: oh... well that answers that. :)14:35
bknudsonI think we wrote it.14:36
bknudsonI've got a question about some server behavior and a test...14:36
gordcbknudson: that'd explain it... i used it once.14:36
bknudsonso the server generates a token and the response has a token in the body14:36
gordcthanks to keystone folks i guess.14:36
bknudsonshould I be able to take the body of the response, run cms_sign_token, and get the same token ID?14:37
bknudsonthe problem is, I think that json.dumps(token_dict) isn't going to always generate the same JSON14:37
*** dhellmann has joined #openstack-keystone14:38
bknudsonI assume it can reorder the fields in the dict14:38
*** dhellmann has quit IRC14:38
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Add an extension to store domain specific configuration in SQL.  https://review.openstack.org/12323814:38
bknudsonis there an application that would require being able to cms_sign_token the token body?14:40
topolHey gordc, since you are around. I got some folks using ceilometer and after it runs for a month with little activity the database gets so big that the  time it takes to run statistics queries is causing problems with actually triggering autoscaling behavior.14:40
*** david-lyle_ is now known as david-lyle14:40
topolgordc, have you heard of that happening?14:40
*** YorikSar has quit IRC14:40
*** dhellmann has joined #openstack-keystone14:41
*** ukalifon has quit IRC14:42
ayoungDaviey, I haven't tried yet.  Let me see14:42
gordctopol: yeah, i've heard. would it be possible to get a sense of the data collected? ie size of sample/meter/resource tables?14:43
gordctopol: i'm not sure we have any formal advice on how to archive data but i think it's something we should add in ceilometer as we get more and more users playing with it.14:43
ayoungDaviey, I don't think the keystone client does that yet.  I think you need the openstack common client...something I've managed to break on my test system14:44
gordctopol: i'm not sure any of the juno changes will improve the amount of data stored... it was improved for sql backends but i'm pretty sure mongodb will remain just as verbose in juno as in icehouse.14:44
topolgordc, I will have michael elder email you the details. Can you PM me your preferred email?14:44
gordctopol: sure.14:45
topolgordc THANKS14:45
*** nellysmitt has joined #openstack-keystone14:45
ayoungDaviey, and it does not look like that takes --os-auth-plugin  yet14:45
*** openstackgerrit has quit IRC14:47
*** openstackgerrit has joined #openstack-keystone14:48
*** dhellmann_ has quit IRC14:57
*** thedodd has joined #openstack-keystone14:57
*** dhellmann_ has joined #openstack-keystone15:01
*** openstackgerrit has quit IRC15:02
*** openstackgerrit has joined #openstack-keystone15:02
*** Gippa has quit IRC15:05
*** dhellmann_ has quit IRC15:05
*** henrynash has quit IRC15:06
*** dhellmann_ has joined #openstack-keystone15:06
amakarovWho knows anything about delegation chain?15:06
*** sigmavirus24 is now known as sigmavirus24_awa15:08
Davieyayoung: Okay, good.. Thanks15:08
*** nellysmitt has quit IRC15:08
*** cjellick has joined #openstack-keystone15:09
*** sigmavirus24_awa is now known as sigmavirus2415:10
*** andreaf_ has joined #openstack-keystone15:13
*** andreaf has quit IRC15:13
*** andreaf_ is now known as andreaf15:13
*** andreaf_ has joined #openstack-keystone15:13
ayoungDaviey, I'm sure it is coming...jamielennox is off for another week or two, but I know its in his queue15:18
*** mitz_ has quit IRC15:18
*** marekd is now known as marekd|away15:18
ayoungbknudson, I would say "No"15:18
ayoungunless you had an algorithm that assured the text was identical, I would not expect to get an identical signature15:19
*** alex_xu has quit IRC15:22
*** NM1 has joined #openstack-keystone15:23
*** mitz_ has joined #openstack-keystone15:23
*** dhellmann_ has quit IRC15:26
*** dhellmann_ has joined #openstack-keystone15:28
chmouelkeystonemiddleware tests get stucks when I run them, stracing the python process get me some "Too many open files" errors http://paste.openstack.org/raw/49asAlBw1i5l2rkIJDZ7/15:29
chmouelthe worrying part is testr looping forever and growing the cpu/memory15:29
chmouelwaiting to get resource15:30
chmoueldid anyone else experienced that?15:30
chmoueland control-c on tox is not killing it properly i have runaway testr which i have to kill with pkill -9 -f "subunit.run discover"15:32
bknudsonayoung: that sounds right to me, too. I'm going to see about changing the test... not sure what it should do instead just yet.15:33
bknudsonor if I just remove the test15:33
ayoungwhich test?15:34
*** dhellmann has quit IRC15:34
*** dhellmann_ is now known as dhellmann15:34
*** jasondotstar has joined #openstack-keystone15:34
bknudsonayoung:  see http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_v3_auth.py#n14615:34
bknudsonit's actually one you modified recently for pkiz support15:35
bknudsonit does cms_sign_token on the response body and compares that to X-Subject-Token15:35
bknudsonwhich usually works since the X-Subject-Token JSON is the same as the body JSON15:36
bknudsonbut will fail if they're not exactly the same.15:36
ayounghttp://csrc.nist.gov/groups/SNS/rbac/documents/kuhn-coyne-weil-10.pdf  Very interesting15:42
*** mikedillion has joined #openstack-keystone15:42
ayoungbknudson, yeah, I kindof wondered about that at the time...probably too strict a test15:43
ayoungself.assertEqual(expected_token_id, token_id)  probably should be changed to something like:  make sure we can validate the id15:43
morganfainbergchmouel, i've not experienced that.15:44
bknudsonayoung: that's what I was thinking... I'm also thinking there must be a test for that already.15:44
ayoungbknudson, is valid pki token?  Hmmm15:45
morganfainbergchmouel, there was the buggy release of setuptools15:46
ayoungbknudson, I wasn't sure how to test it without basically making the code self referential15:46
ayoungthat is why I cached one and test against the cached15:46
morganfainbergchmouel, that caused massive memory leaks, you didn't happen to snag that did you somehow?15:46
bknudsonayoung: I don't think there's anything that can be asserted about a relationship between the body and the PKI... maybe the token ID could be decoded and the dicts compared15:46
ayoungbknudson, yeah15:47
bknudsonmaybe the size of the dicts ... sorry, just making a dict joke.15:47
morganfainbergbknudson, heh15:47
ayoungbknudson, give it a whirl...I'd like it if other people were more comfortable with the openssl calling code15:47
*** wwriverrat has quit IRC15:47
bknudsonI'll try decoding the PKI token and comparing.15:48
ayoungbknudson, you know what I learned recently?  If you die in Canada, you die in real life.15:48
ayoung++15:48
bknudsonayoung: I'm surprised by that, but good to know.15:49
*** lcheng has joined #openstack-keystone15:49
ayoungyeah, important safety tip15:49
*** jamielennox has quit IRC15:49
ayoungbknudson, morganfainberg chmouel what do you guys think of standardizing the ids for Services?  not endpoints, but "Keystone"  "Neutron"  all having fixed UUIDs for Ids?15:50
ayoungNot sure why they are dynamic, but it will make sharing data across keystones much harder15:50
bknudsonayoung: the user ID?15:51
*** nellysmitt has joined #openstack-keystone15:54
ayoungbknudson, no, the service id iteself15:56
*** henrynash has joined #openstack-keystone15:56
ayounghttps://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#services-v3services15:57
ayoungabout one screen down15:57
ayoungExample entity:15:57
ayoung{15:57
ayoung    "service": {15:57
ayoung        "enabled": true,15:57
ayoung        "id": "ee057c",15:57
bknudsonyep... made me think about the templated backend and if services have IDs in there.15:58
ayoungwhy should "Keystone" for Rackspace have a different id than "Keystone" for IBM?15:58
bknudsonif we're going to set the ID to a known value then seems like we could just use the type instead.15:59
ayoungyep15:59
*** jamielenz has joined #openstack-keystone16:00
ayoungI doubt anything is actually using the id16:00
ayoungits kindof meaningless16:00
*** jamielenz is now known as jamielennox16:00
ayoungjoesavak, any idea why the "Service" entity has an id on it?16:00
*** jsavak has joined #openstack-keystone16:03
*** afazekas has quit IRC16:04
*** joesavak has quit IRC16:04
*** k4n0 has quit IRC16:05
*** jamielennox has quit IRC16:08
*** alex_xu has joined #openstack-keystone16:15
*** raildo_ has joined #openstack-keystone16:16
*** jamielennox has joined #openstack-keystone16:16
*** colettecello has joined #openstack-keystone16:17
*** BAKfr has quit IRC16:17
*** gothicmindfood has quit IRC16:17
*** raildo has quit IRC16:17
*** harlowja_away has quit IRC16:17
*** rharwood has quit IRC16:17
*** ayoung has quit IRC16:17
*** openstackgerrit has quit IRC16:18
*** openstackgerrit has joined #openstack-keystone16:18
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix tests comparing tokens  https://review.openstack.org/12540616:18
*** ayoung has joined #openstack-keystone16:18
*** BAKfr has joined #openstack-keystone16:19
*** rharwood has joined #openstack-keystone16:19
*** samuelmz has quit IRC16:20
morgan_remote_ayoung: I actually like the concept of registered service ids. Similar to the IANA port assignments.16:23
ayoungmorgan_remote_, I had made that connection, too16:24
morgan_remote_We could publish the "known" services (this plays into the tc "big tent" conversation). Which also doesn't preclude deployers adding their own services.16:25
openstackgerritDavid Stanek proposed a change to openstack/keystone: Middleware tests now run under Python3  https://review.openstack.org/9966916:25
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582716:25
openstackgerritDavid Stanek proposed a change to openstack/keystone: Mocks out the memcache library for tests  https://review.openstack.org/12540916:25
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a type check to make it work in Python 3  https://review.openstack.org/12541016:25
*** gyee has joined #openstack-keystone16:25
*** diegows has quit IRC16:26
morgan_remote_This is definitely a case where random uuids do not make "sense" (though we need to handle transition to this model if we go there)16:26
morgan_remote_Then again. We could just make service name == id.16:27
*** Tahmina has joined #openstack-keystone16:27
*** marcoemorais has joined #openstack-keystone16:28
*** grantbow has quit IRC16:28
morgan_remote_And name == ID might be simpler (doe the uuids buy us anything besides fixed length, often longer than the name of the service)16:29
* morgan_remote_ kicks autocorrect16:29
*** gokrokve_ has quit IRC16:31
*** colettecello is now known as gothicmindfood16:33
*** leonchio_ has joined #openstack-keystone16:35
*** grantbow has joined #openstack-keystone16:40
*** david-lyle has quit IRC16:43
*** grantbow has quit IRC16:44
morgan_remote_dolphm: gordc do we want to add keystone-core to pycadf-core? Not saying we won't have separate cores for pycadf. Just seeing what makes sense from a reviewer standpoint (cc topol )16:44
openstackgerritChmouel Boudjnah proposed a change to openstack/keystonemiddleware: Encode middleware error message as bytes  https://review.openstack.org/12345116:45
*** diegows has joined #openstack-keystone16:47
dolphmmorgan_remote_: no preference here - depends on who's interested in contributing IMO16:47
*** david-lyle has joined #openstack-keystone16:49
*** wwriverrat has joined #openstack-keystone16:52
topolwho is morgan_remote_ ??? you should register a nickname :-)16:52
*** jaosorior has quit IRC16:53
morgan_remote_topol: hah. I haven't gotten around to it since I use irccloud (little different workflow).16:53
morgan_remote_dolphm: ++ makes sense.16:54
topolmorgan_remote_, dolphm,  seems like the pycadf cores and keystone cores have different expertises, no?16:54
topolalthough some folks like stevemar seem to know both16:55
stevemarwhat the who16:55
dolphm+1 for stevemar on pycadf-core16:56
stevemardolphm, do i have a choice? (kidding!)16:56
morgan_remote_I just want to ensure we have enough eyes on changes for pycadf to support reviewing the code since we (keystone) own it from a program sense16:56
morgan_remote_stevemar: voluntold!16:56
morgan_remote_Not that there is a lot of traffic to pycadf at the moment.16:57
topolI can start focusing more on pycadf  too if that helps16:57
morgan_remote_Sure. Let's just make sure it keeps getting appropriate amounts of love16:58
morgan_remote_Also making sure the bugs get triaged as they are reported.16:59
*** gyee has quit IRC16:59
*** thedodd has quit IRC17:00
dstanektopol: i've been wanting to get more into CADF after that call with Matt17:01
topoldstanek, cool17:01
topolIm guessing dolphm will have a list of some refactorings that he wants to see happen in pycadf. That kind of low fruit is good for folks like me17:03
topoland morgan_remote_ may have some thoughts there too17:03
morganfainbergok so...17:04
morganfainbergok so stevemar, in all seriousness, you interested in helping more with pycadf?17:04
topolyes he is :-)17:04
morganfainbergi'll avoid adding all of keystone-core unless we *all* really want to keep eyes on it.17:04
stevemarmorganfainberg, in all seriousness i can handle it, and am interested17:05
morganfainbergk17:05
topolstevemar has been doing a great job with it17:05
morganfainbergtopol, i assume Matt Rutkowski is still working on it?17:05
stevemarhe's working on the spec stuff17:05
morganfainbergok i'm just looking at the pycadf core team17:06
topolyes, drives it from the stds side.  and folks like stevemar and me will add to the code17:06
morganfainbergk17:06
morganfainbergstevemar, added you to pycadf core17:06
stevemaryay17:06
morganfainbergdhellmann, ping re: pycadf, do you have any interest in staying on as pycadf-core? [don't want to remove you if you are legitimately interested]17:06
morganfainbergdhellmann, same question about Julien Danjou if you know.17:07
*** grantbow has joined #openstack-keystone17:08
morganfainbergok added topol as well, and added stevemar and topol to the drivers for the LP project17:09
morganfainbergso you guys can help triage the bugs etc17:09
topolk17:10
*** radez_g0n3 is now known as radez17:10
morganfainbergdstanek, obviously if you're interested as well i'm good with adding you, and i feel much more comfortable with a few more people looking at it for when issues do crop up17:10
morganfainbergtopol, stevemar, thanks17:10
dstanekmorganfainberg: that would be fine by me17:11
morganfainbergdstanek, ok i'll add you as well.17:11
*** jistr has quit IRC17:13
*** joesavak has joined #openstack-keystone17:14
*** gyee has joined #openstack-keystone17:15
*** harlowja has joined #openstack-keystone17:15
*** jsavak has quit IRC17:16
*** praneshp has joined #openstack-keystone17:18
*** zzzeek has joined #openstack-keystone17:23
*** gokrokve has joined #openstack-keystone17:23
*** lsmola has quit IRC17:31
amakarovmorganfainberg, Hi! I'd like to develop a delegation(trust) chain according https://wiki.openstack.org/wiki/Keystone/Trusts17:37
amakarovI looked into the code and as far as I understand there is no way to delegate trusts17:37
morganfainbergamakarov, right now no, we've had discussion on this topic. though and there is definite interest in it17:38
morganfainbergamakarov, i *thought* we had a spec we had discussed for this...17:39
morganfainbergamakarov, https://github.com/openstack/keystone-specs/blob/master/specs/kilo/trusts-redelegation.rst17:39
amakarovmorganfainberg, should I start with a blueprint? Oh, i'll see this spec, thanks17:39
*** jaosorior has joined #openstack-keystone17:40
morganfainbergamakarov, so definitely sync up with shardy (he's usually in #head if not here) and that is definitely something we want in Kilo!17:40
morganfainberg#heat17:40
morganfainbergsorry, typos abound today17:40
ayoungmight want to include me on the discussion, too.  I have a passing interest in trusts17:41
morganfainbergamakarov, i also know ayoung is a good resource for anything trust related, but don't hesitate to ask any of us here17:41
amakarovmorganfainberg, my collegues also directed me to #heat channel and suggested to communicate with Steven Hardy there )17:41
morganfainbergayoung, haha, beat me to it17:41
morganfainbergamakarov, fantastic! it'll be nice to have the redelegation bits together this cycle.17:42
morganfainbergor subdelgation.. or chain-delegation (whatever we want to call it)17:42
morganfainbergamakarov, and the spec is already approved.17:43
amakarovmorganfainberg, thanks for the tip )17:43
ayoungamakarov, ok,  here is the fundamental rule of trusts17:43
ayoungeverything is checked to be valid when you execute the trust17:43
morganfainbergamakarov, i do recommend trying to work on/land the code as early as possible in the Kilo cycle. I am aiming to have new features land as early as possible, so we can ensure others can consume it and we get lots of drive time with it.17:44
amakarovayoung, btw, I'd like to whine a little about my change proposal's review ))17:44
ayoungso,  I create a trust for morganfainberg and he wants to redelegate to bknudson  who redelegates to you,  all those links in the chain need to be checked when you create a token using that trust17:44
ayoungamakarov, I like to call it whinging.  Whinge away.17:45
bknudsonI'll just get my own token17:45
amakarovsome thoughts: https://docs.google.com/a/mirantis.com/drawings/d/1ZAA-9XydF_HjgbT7FSZ_ekfz7WjaF4MXYGW0awwKEcM/edit17:45
*** wwriverrat has left #openstack-keystone17:46
amakarovayoung, whould you please look at that again? :) https://review.openstack.org/#/c/118590/17:47
morganfainbergayoung, also have some definite interest internal to HP (will have more info) on session/limited rescope [no scoped token rescope] implementations17:47
morganfainbergayoung, i'll have more info after my trip next week17:47
openstackgerritA change was merged to openstack/keystone: Fix parsing of emulated enabled DN  https://review.openstack.org/12508317:50
*** thedodd has joined #openstack-keystone17:52
ayoungamakarov, will do.  Ask nkinder too, as he has established himself as our resident LDAP guru.  a Decade working on a Directory server has taught him a thing or two about LDAP17:53
*** henrynash has quit IRC17:54
ayoungmorganfainberg, cool on the rescope.  I'm starting to think the only reason to have unscoped tokens is for Horizon.  If we go with tokenless  and the basic-auth approach, we can probably greatly simplify our story17:55
* ayoung going to refresh the basic-auth patch and write a spec for it17:55
*** radez is now known as radez_g0n317:56
ayoung jamielennox  are you really around, or did you set your IRC client to start upon machine reboot?17:56
ayoungwe really need some bench depth on client issues17:58
openstackgerritayoung proposed a change to openstack/keystone-specs: Token Constraints  https://review.openstack.org/12372617:59
amakarovnkinder, whould you kindly review my code again? https://review.openstack.org/#/c/118590/18:00
nkinderamakarov: sure18:00
nkinderamakarov: ah, that one.18:00
nkinderSo I'm still not sure it's really necessary.18:00
ayoungnkinder, thanks.  I was looking at it, and it looked sane, but then,  sane and LDAP are often seen together, but are not really a couple.18:00
nkinderWhy do we need to validate/enforce that LDAP has the additional attributes when Keystone doesn't use them for anything?18:01
ekarlsohey nkinder, can I ask you what the reason is to remove the iidentity part of keystone ?18:01
amakarovnkinder, if so then it's a feathure to deprecate of remove for good18:01
*** nellysmitt has quit IRC18:01
nkinderKeystone only uses the additional mappings for create operations.18:01
nkinderamakarov: well, it's there for the purpose of doing a user create with read/write LDAP18:01
ayoungnkinder  not just user18:02
nkinderamakarov: but we never expect to read those values back and use them for anything AFAIK18:02
nkinderayoung: ok, any entry type18:02
ayoungit would allow you to write a different object class with required fields18:02
ayoungamakarov, do you need this feature?  Did you trip up on it?18:02
nkinderekarlso: I'll get back to that question once we finish this other  conversation.18:02
ekarlsocool nkinder :)18:02
dstanekmorganfainberg: i was trying to fix for keystone.tokens for Python 3 and maybe ran into an issue18:02
*** aix has quit IRC18:03
amakarovnkinder, I recall you told me about it, and right now it does not block anything, but in the future it could be handy18:03
dstanekmorganfainberg: https://review.openstack.org/#/c/125410/ passes unit tests, but appears to fail on tempest tests18:03
dstanekmorganfainberg: i have a few thoughts...let me know when you have a few minutes to discuss..thsi is not urgent at all18:03
amakarovayoung, actually no, it was my exercise and first bug to fix in an opensource )18:04
nkinderamakarov: so I didn't see anything wrong with the code, but my feeling is that we shouldn't add more validation code when we don't even need to request those attributes for a search.18:04
nkinderamakarov: It's just more code to trip up when retrieving users for no real benefit.18:05
nkinderamakarov: if we actually did something with those retrieved values, then I could see the benefit.18:05
*** henrynash has joined #openstack-keystone18:06
ayoungnkinder, so this would be a way to expose more LDAP attributes for a given entity.  Right?18:06
amakarovnkinder, yes, it definitely does not speed anything up :)18:06
nkinderayoung: in theory yes, but I think that's the wrong direction.18:06
nkinderayoung: do we start allowing modification and display when doing a user-list of other attributes ?18:07
ayoungnkinder, it might also violate the spec18:07
ayoungwe don't allow arbitrary values in the user object18:07
amakarovnkinder, but there was a buggy feature described in documentation, so I think it would be better to have it working )18:07
nkinderayoung: that just starts encouraging the use of keystone as an interface to LDAP writes for all sorts of stuff18:07
nkinderamakarov: which feature and doc?18:07
amakarovnkinder, 1 sec18:08
nkinderamakarov: it might be that the docs should be improved, but I'd need to see the reference18:08
nkinderamakarov: thx18:08
ayoungnkinder, it was my understanding when I ported this code that this was strictly for the "create a new valid object of type X"18:08
ayoungbut that was before the v3 api had even been written18:08
nkinderayoung: that is my understanding of it too18:08
ayoungnkinder, so I think that we want to say "nothing that is not in the spec can be in the user object"18:09
ayoungotherwise, we will have Horizon trying to store user preferences in there18:09
ayoungdefault projects, even18:09
amakarovnkinder, actually it's in /etc/keystone.conf18:09
nkinderayoung: all sorts of stuff can be in th user object in LDAP, but keystone (and the rest of OpenStack) shouldn't ever need to know about it18:09
nkinderayoung: entry creation is a special beast though, as we need to satisfy the objectclass requirements.18:10
amakarovnkinder, *_additional_attribute_mapping18:10
ayoungnkinder, can you imagine the mapping to try and create a valid IPA user?18:10
ayoungshuder18:10
ayoungshudderer18:10
nkinderayoung: or posixAccount, etc.18:10
*** amcrn has joined #openstack-keystone18:10
*** amcrn has quit IRC18:10
nkinderamakarov: checking...18:10
ayoungnkinder, IPA user has like, 5 different object classes18:10
ayoungamakarov, what did I write there....18:11
nkinderamakarov: yeah, so those comments in keystone.conf are way too vague18:11
amakarovnkinder, it must be several encounters18:11
nkinderamakarov: I can see how you would think "Oh, awesome!  I can map all sorts of attributes from LDAP->Keystone."18:12
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n60418:12
ayoungnever says that they are supposed to be returned18:12
*** NM1 has quit IRC18:12
ayoungOK,  I lie18:12
ayounguser_attr is the Identity API attribute.18:12
ayoungI say we deprecate them, and see how long until Jose complains18:13
nkinderno, don't deprecate it18:13
nkinderit serves a purpose18:13
nkinderthe comments just need to say what that purpose is18:13
*** NM1 has joined #openstack-keystone18:13
nkinderassume that "cn", "sn", and "uid" are required in LDAP18:14
ayoungnkinder, it maps them to keystone user attributes18:14
nkinderand my normal mappings in keystone are "id->uid", "name->cn"18:14
*** henrynash has quit IRC18:14
ayoung"user_attr is the Identity API attribute."18:14
nkinderayoung: getting to that...18:14
nkinderso the above mappings are all well and good, but what about "sn"?18:15
nkinderIf keystone tries to do an add, it needs to supply something for the sn18:15
ayoungah...so dual mapping...yeah that could be clearer18:15
ayoungwhat about this language18:15
nkinderAn additional mappings lets you do "id->uid", "name->cn", "id->sn"18:15
*** radez_g0n3 is now known as radez18:15
nkinderor "name->sn"18:15
ayoungList of additional LDAP attributes used for creating new entities18:15
amakarovproblem was in mismatched mapping direction - I described it in comment to the bug https://bugs.launchpad.net/keystone/+bug/1336769/comments/218:16
uvirtbotLaunchpad bug 1336769 in keystone "LDAP additional attribute mappings do not care about model attribute" [Low,In progress]18:16
*** serverascode_ has quit IRC18:16
*** morgan_remote_ has quit IRC18:16
*** zhiyan has quit IRC18:16
*** gokrokve_ has joined #openstack-keystone18:16
*** morgan_remote_ has joined #openstack-keystone18:17
nkinderamakarov: ok, so the order was swapped18:17
amakarovnkinder, right18:17
*** zhiyan has joined #openstack-keystone18:17
ayoungamakarov, its ok,  this code actually predates Keystone.18:17
nkinderamakarov: I think we should just make the comments more clear for this18:18
*** nellysmitt has joined #openstack-keystone18:18
ayoungnkinder so do you agree I should change the language to make it clear that these are for creationg only?18:19
ayoungcreation18:19
nkinderayoung: yes please18:19
*** serverascode_ has joined #openstack-keystone18:19
ayoungor amakarov  can make the  change18:19
*** gokrokve has quit IRC18:19
ayoungI'll annotate in the bug to start18:19
nkinderayoung++18:19
nkinderekarlso: ok, so back to your question...18:20
amakarovayoung, ok, I'll just rollback changes and correct comments in conf?18:21
nkinderekarlso: it's not so much removal of identity, but externalizing it18:21
*** gokrokve_ has quit IRC18:21
nkinderekarlso: keystone should not be considered to be a centralized identity provider that other apps use as a user database18:22
*** amcrn has joined #openstack-keystone18:22
ayoungamakarov, bug is still assigned to you. Sorry it is not so much fun.18:23
nkinderekarlso: keystone should be thought of as an application whose responsibility is handing out tokens.  For users/groups, it should be using an external identity provider of some sort.18:23
nkinderekarlso: this could be LDAP, a SAML IdP, etc.18:23
morganfainbergnkinder, ++18:23
nkinderekarlso: for LDAP, Keystone does way too much heavy lifting of it's own that it doesn't really need to do18:24
nkinderekarlso: I would prefer for the LDAP functionality in the underlying operating system to provide user/group information to keystone.18:24
*** henrynash has joined #openstack-keystone18:24
nkinderekarlso: you with me so far?18:25
ekarlsonkinder: yeah18:27
ekarlsoso q is then, how you do make that identity thing pluggable ?18:28
nkinderekarlso: ok, I'll get to that part, but first a bit about federation since it ties in18:28
nkinderekarlso: the SAML federation functionality uses a model where the webserver in front of keystone (really an apache module) supplies the information about the user to Keystone18:29
nkinderekarlso: this is a trusted source, so the authentication is already performed outside of keystone18:29
ekarlsonkinder: hmm k then18:30
nkinderekarlso: keystone then performs some mapping of the user information that is supplied to determine what goes into the token (roles, etc.)18:30
nkinderekarlso: I would like that same model to be used for LDAP or other mechanisms (OpenID connect, etc.)18:31
nkinderekarlso: there is an apache module named mod_lookup_identity that helps with this18:31
*** lcheng has quit IRC18:31
ekarlsonkinder: how you federate towards ldap ?18:31
ekarlsok18:31
nkindermod_lookup_identity calls into SSSD on the platform18:31
*** henrynash has quit IRC18:31
nkinderSSSD deals with talking to LDAP, AD, /etc/passwd, etc.18:32
nkinderso the same way that you can allow LDAP to be used for system login and user info is used for Keystone18:32
nkinderyou can have separate domains of users though, so I'm not saying that system login is granted to keystone users18:33
nkinderthink of it like different pam service files that applications use18:33
nkinderSSSD provides a lot of nice benefits too, such as caching of user/group data18:34
*** lcheng has joined #openstack-keystone18:34
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859018:36
amakarovayoung, nkinder, there is also minor nice-to-have improvement: https://review.openstack.org/#/c/120043/18:38
amakarovwill you look at it please?18:40
*** gokrokve has joined #openstack-keystone18:41
*** lcheng has quit IRC18:42
openstackgerritayoung proposed a change to openstack/keystone: Basic-Auth middleware  https://review.openstack.org/9213718:43
*** lcheng has joined #openstack-keystone18:43
openstackgerritayoung proposed a change to openstack/keystone-specs: Basic-Auth middleware  https://review.openstack.org/12545718:43
nkinderamakarov: I think that the sample config is generated from common/config.py IIRC18:44
*** lcheng has quit IRC18:44
nkinderamakarov: so you would need to update the comment strings there18:44
*** lcheng has joined #openstack-keystone18:44
nkindermorganfainberg: is tools/config/check_uptodate.sh supposed to be run manually after editing config.py?18:46
amakarovnkinder, thanks18:46
nkindermorganfainberg: or tools/config/generate_sample.sh I guess18:46
nkinderamakarov: I've done it before myself, but forgot the details :)18:47
ayoungbknudson, can I walk you through the kerberos plugin code review? I'd like you to beat the hell out of it for me.18:47
ayounghttps://review.openstack.org/#/c/123614/18:47
*** ukalifon has joined #openstack-keystone18:50
ayoungnkinder, its a tox job18:51
ekarlsonkinder: does it map diff domans to diff backends ?18:51
ayoungtox -e sample_config18:51
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859018:51
nkinderekarlso: domains is a bit of an overloaded term since SSSD has domains too18:52
nkinderekarlso: so SSSD domans can map to separate backends18:52
nkinderekarlso: keystone domains should be able to map to SSSD domains, though that hasn't been attempted yet18:52
*** lcheng has quit IRC18:52
nkinderekarlso: ayound has set up mod_lookup_identity with keystone some time back, but it was before multi-LDAP backend support was in Keystone18:52
ekarlsonkinder: i'd be interested in looking at forgerock with this18:53
*** lcheng has joined #openstack-keystone18:53
nkinderekarlso: there is likely some work to be done there to tie thing together nicely18:53
nkinderekarlso: SSSD should work with forgerock, as it's just LDAP AFAIK18:53
nkinderekarlso: SSSD has a concept of "providers", and there is a general LDAP one (in addition to AD, IPA, local, and maybe some others I'm forgetting)18:54
*** thedodd has quit IRC18:54
nkinderayoung: ah, that's right.  You do it via tox18:55
ayoungnkinder, right now, the keystoneclient doesn't really know about auth plugins, it only uses them via the session.  But for Horizon,  there is no real benefit to manipulating sessions.  As I see it, the session really is there for sharing connection info between clients.  It almost seems like a better approach is:18:55
*** jaosorior has quit IRC18:55
ayoungpass an auth plugin to client.Client and, if so, use that to instantiate a session18:56
ayoungthis will insulate the Horizon code from the internals of the client18:56
*** ukalifon has quit IRC18:56
ayoungthis is what it does now18:57
ayounghttp://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n8618:57
nkinderamakarov: so did you generate keystone.conf.sample using 'tox -e sample_config' or the generate_sample.sh script directly?18:57
ayoungI'd like to see the code look something like this:18:57
*** lcheng has quit IRC18:57
*** jaosorior has joined #openstack-keystone18:57
openstackgerritA change was merged to openstack/keystone: Convert unicode to UTF8 when calling ldap.str2dn()  https://review.openstack.org/12509718:58
ayounghttp://paste.openstack.org/show/117558/ nkinder18:58
ayoungthat is the minimal change that will keep everything working.  But to do that requires  yet another client change18:59
nkinderayoung: so what needs to change for that?18:59
ayoungnkinder, the client creation code and authenticate calls19:00
ayoungI'll link19:00
*** lcheng has joined #openstack-keystone19:00
ayoungnkinder, this call is already horribly long:  http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/client.py#n4419:01
ayoungand a comparable for V219:01
zzzeekheya morganfainberg : how attached is keystone to the fact that the DB-related methods in the various */backends/sql.py don’t accept a “context” argument, the way that is common in pretty much every other openstack project ?19:01
ayoungnkinder, and authenticate is session/auth plugin agnostic as well: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/httpclient.py#n33219:02
ayoungnkinder, I started a hack to deal with session...let me see if I posted it19:02
ayoungnkinder, https://review.openstack.org/#/c/122309/19:03
*** amerine_ has joined #openstack-keystone19:05
*** amerine has quit IRC19:05
*** radez is now known as radez_g0n319:07
ayoungnkinder,  It would also be good if the client  could return the auth plugin from the entrypoints19:11
ayoungI'm starting to wonder if there should be a separate client creation function to handle all of this.19:11
ayoungWhat I would like is something like:   client = client_factory(config)19:12
ayoungnkinder, jamie wrote this up on the 15th http://www.jamielennox.net/blog/2014/09/15/how-to-use-keystoneclient-sessions/19:14
ayoungdon't tell his wife19:14
morganfainbergzzzeek, hey19:16
zzzeekhey19:16
morganfainbergzzzeek, uhm, not that attached to that concept.19:16
morganfainbergoh wait19:16
morganfainbergcontext in one sense? like context from the controller layer down?19:16
morganfainbergor an SQLA context ?19:17
zzzeeka positioanl argument called “context” that is passed to a DB-based method, which you can say, “context.session” to get at the ORM19:17
morganfainbergor... some other type of context (wow, almost as overloaded a word as "project")19:17
zzzeekmost similar woudl be what you see in neutron’s code19:17
zzzeekdoesnt matter what kind of object “context” is19:17
zzzeek(thats why its usually called “context” )19:17
morganfainbergok so if it's isolated to the SQL backend for a given subsystem, zero attachment to not having a context19:17
zzzeekmorganfainberg: for keystone, i might propose a decorator that actually adds “context” to the argument list19:18
morganfainbergif it was passing the user context down from the wsgi layer, i'd be very skeptical19:18
ayoungzzzeek, context is evil and leads to shoddy coding19:18
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859019:18
zzzeekayoung: OK can i show you the problem statement and you suggest your approach ?19:18
ayoung"lets just let everything talk to everything through a global dictionary"19:18
amakarovnkinder, fixed. I use tox19:18
morganfainbergbut i'd prefer to have something a bit more specific (object wise) than an arbitrary "we shove things into this method and extract it"19:19
morganfainberge.g. dict with "things" in it19:19
zzzeekayoung: i dont really think that’s what im getting at, see this is why i have a very large blueprint in the works b.c. nobody seems to know what im talking about19:19
ayoungzzzeek, in python, context is usually kwargs19:19
ayoungand we do unspeakable things with them19:19
zzzeekayoung: ok i think we are not on the same page here as I havent introduced this topic to you19:20
ayoungzzzeek, typically, context should be outside of objects19:20
morganfainbergzzzeek, what ayoung is getting at is people throw crap into the context dict and then assume they can grab that data vs a "real" argument19:20
zzzeekayoung: OK less typing and more reading, here: https://review.openstack.org/#/c/125181/19:20
morganfainbergthat has a relatively known set of interfaces (duck type or not)19:20
zzzeekmorganfainberg / ayoung : that blueprint has no “proposed solution” yet, just the problem.  if you think what i describe there is not a problem, then maybe we’re done :)19:21
*** henrynash has joined #openstack-keystone19:21
ayounglooking19:21
ayounga cloth bandaid on the thumb is incompatible with a thumb driven trackball19:21
morganfainbergzzzeek, ok so part of the issue is with nova they use the admin-level context deep down in the internals19:22
morganfainbergzzzeek, which is what the @require_context or @require_admin_context thing is19:22
morganfainbergiirc19:23
ayoungits cuz we don't split up object creation and object use.19:23
zzzeekmorganfainberg  / ayoung: OK forget about context for the moment, the point is you fokls need a database “thing” that you aren’t ad-hoc creating inside of methods19:23
zzzeekand you need to get rid of all that boilerplate as does everyone else19:23
zzzeekall other projects already have an argument called “context” that is sitting there already19:23
morganfainbergzzzeek, yes i'm fine with a way of passing a more unified facade *thing* into our SQL drivers that can handle re-use of sessions19:23
ayoungzzzeek, its called inversion of control, and if you have a solution for it, propose it.  Otherwise, I  move we steal dstanek 's19:23
ayounganything is better than what we have now19:23
morganfainbergzzzeek, etc.19:24
dstanekayoung: yay!19:24
zzzeekayoung: anything…except an argument called “context” apparently :)19:24
morganfainbergzzzeek, if that is the answer you're looking for.19:24
ayoungdstanek, yours sucks,  it just sucks less than everything else19:24
morganfainbergwait dstanek has something to steal?19:24
* morganfainberg gets in line to steal it19:24
zzzeekOK why dont i add you all to this and please let me know what solutions you are open to b.c. i dont really feel like spending two weeks defining something that youre all going to shoot down anyway19:24
dstanekayoung: :-) this is a java problem and has a java solution19:24
morganfainbergzzzeek, fair enough.19:25
ayoungdstanek, no.  IoC is a coding issue.19:25
dstanekayoung: maybe i'll dust off my DI patch and re-apply19:25
zzzeekayoung: yeah IoC is kind of “invisible-ish” in python :)19:25
ayoungdstanek, lets discuss at the summit.  That would be a fantastic thing, but we need to play nice with stevedore19:25
ayoungzzzeek, that is the thing,  not it is not19:25
zzzeekayoung: compared to spring19:25
morganfainbergzzzeek, i think our only *real* concern was ensuring "context" wasn't equivalent to "kwargs" and just a bundle of "throw junk into this thing and extract it later"19:25
ayoungIofC is easier in strictly typed languages19:25
dstanekayoung: i'll have something ready ahead of time for us to walk through19:26
zzzeekayoung: which is like AH MY EYES19:26
ayoungzzzeek, let me burn your eyeballs for a moment19:26
ayounghttp://sourceforge.net/p/cpp-resolver/svn/HEAD/tree/TRUNK/include/resolver.h19:26
zzzeekmorganfainberg: i was going to have it just inject “session” directly, but ive seen most proj’s have “context” already and neutron says “context.session”19:26
morganfainbergayoung, i know better than to click that link19:26
dstanekayoung: my experience has been that it's been much easier in Python than in Java because of the dynamic typing19:27
zzzeekwell all c++ burns my eyes19:27
morganfainbergzzzeek, sure, and that is clearly not a "bundle of whatever we felt like"19:27
ayoungzzzeek, so, yeah, I've thought about this for a while19:27
ayoungIofC in python needs a clean way to state what should fulfill a dependency19:27
ayoungin  C++ and Java, you can use type info19:27
ayoungPython...not so much19:28
ayoungmaybe there is something we could do with ABC?19:28
morganfainbergayoung, DUCK!19:28
morganfainbergayoung, yeah or another metaclass19:28
zzzeekayoung: so, a simple decorator that just works and everythign is great, no good huh.19:28
ayoungmorganfainberg, Duck typing is kindof "found out too late"19:28
* morganfainberg is disappointed ABC can't do strict signature enforcement.19:28
ayoungzzzeek, I want to be able to consume objects that don't have the decorator19:29
ayoungand I want the "wiriing up" to be outside the class definition file19:29
zzzeekayoung: i dont understnad waht you mean.  im talking only about methods taht right now say, “get_session()” all over the place inside of them19:29
ayoungsomething like stevedore19:29
ayoungzzzeek, OK,  you are familiar with entrypoiunts?19:29
zzzeekayoung: yes19:29
ayoungzzzeek, that is close19:29
zzzeekayoung: sounds incredibly heavyhanded and magical for what is a simple problem19:30
dstanekayoung: morganfainberg: the problem i ran into with IoC was that identity and assignment depend on each other19:30
ayoungzzzeek, so, lets say I have 2 different databases19:30
zzzeekayoung: and for which the current approach is *horrible*19:30
ayounglets use keystone as an example, and I have Identity in one, and Assignments in another19:30
morganfainbergdstanek, i *think* we can break that now.... or at least move the domain bit from Assignment around to help break that apart.19:30
zzzeekayoung: im trying to *imrpve* the current situation, not build an amazing magic IoC system19:30
dstanekayoung: morganfainberg: i never implemented that in my framework because it enables bad design :-(19:30
ayoungI want the python code that stoartes users to just say "I need a database"  but not specify which one19:30
dstanekzzzeek: what review are we talking about here19:31
dstanek?19:31
zzzeekdstanek: https://review.openstack.org/#/c/125181/419:31
ayoungzzzeek, I understand, but this is a recurring problem19:31
ayoungI don';t want another 0.5 glute solution19:31
ayoungzzzeek, for example, we now have code for multiple identity backends19:32
ayoungfinding the right one is custome code.19:32
zzzeekayoung: getting rid of get_session() everywhere is the first step to that19:32
zzzeekayoung: you know how to do things “incrementally” right ? :)19:32
ayoungI want a solution that unifies that with the ability to split the Token Database from the identity database19:32
morganfainbergayoung, sure. i think we can get there in steps19:33
zzzeekayoung: i dont have that for you.  I have fixes for excessive boilerplate and multiple transactions right now19:33
ayoungzzzeek, probably better than most, yet19:33
ayoungzzzeek, let me find the XKCD reference for you...19:33
morganfainbergpart of that will be make it less "oh we implemented this thing ourselves different from everyone else, but only subtly so"19:33
ayounghttp://xkcd.com/927/19:33
zzzeekayoung: wow youre really going to just link to that huh19:34
ayoungzzzeek, yep19:34
ayoungzzzeek, ok,  so you touched on one of the issues that we have discussed in the past without resolving19:34
zzzeekayoung: sure.  guess ill just quit now, b.c if theres a problem, you’re done.  it cant be solved b.c. XKCD somewhat tangentially can be applied.19:34
ayoungwe have dependency resolution in keystone, and it is a one-off19:34
* zzzeek takes his ball19:34
ayoungzzzeek, oh no you don19:35
ayoung't19:35
ayoungzzzeek, I think you are missing the point19:35
ayoungyou are seeing one aspect of a larger problem, if only in Keystone19:35
ayoungContext is used to "create" objects, but should not be around after they are created19:35
ayoungand even context itself needs to be somewhat ordered19:35
ayoungcontext in the web means:19:36
ayoungconf file, global values, session values (not that we have sessions) and request values, in that order19:36
*** radez_g0n3 is now known as radez19:36
ayoungdatabases are often the worst offenders here, because people start with a simple app and write direct to the database...and then the app grows19:37
ayoungBTW, the XKCD reference was poking fun at my approach, not yours, in case it wasn't clear19:37
zzzeekayoung: do me a favor.  here’s a keystone method: http://paste.openstack.org/show/117568/19:37
*** swartulv has quit IRC19:37
zzzeekayoung: a. if you would make this method look like something else, what woudl it look like?19:37
zzzeekayoung: or b. this method is perfect19:37
ayoungzzzeek, zzzeek the answer is not b, but the margin is too small....19:38
morganfainbergayoung, i'd argue you could make the whole object driver smarter in handling the db facade and sessions19:38
zzzeekayoung: doesnt it concern you that a method that calls sql.transcation() which then calls another that calls get_session() ends up using nested transctions on two simultaneous connections?  that shouldnt be solved ?19:38
morganfainbergrather than needing to context manager each step of the way here.19:38
zzzeekayoung: i have a simple, tangible bug that is demonstratble.  i dont know that we shoudl do nothing because XKCD has told us the perfect system is unattainable19:39
ayoungzzzeek, get_current_transaction()....19:39
zzzeekayoung: oh!  you have a solution!  OK can I see it please, rewrite the fn for me19:39
ayoungzzzeek, actually, it was Godel that told us that19:39
zzzeekayoung: im not very well educated19:39
ayoungzzzeek, do you know termie?19:39
zzzeekayoung: nope19:40
morganfainbergayoung, no he doesn't i'm sure.19:40
ayoungheh19:40
dstanekzzzeek: if you could make your decorator a context manager i'd be really happy19:40
ayoungmorganfainberg, still not certain he isn't termie19:40
zzzeekdstanek: i planned for it to work in both ways19:40
morganfainbergayoung, heh19:40
zzzeekdstanek: however.   does keystone need transaction replaying for deadlocks?   that’s somethuign you need the decorator version for19:41
*** f13o_f13o has joined #openstack-keystone19:41
*** f13o_f13o has quit IRC19:41
morganfainbergzzzeek, i hm, i don't think we have run into many deadlock issues actually.19:41
dstanekzzzeek: that's a really good question19:41
bknudsonwhy would keystone have a deadlock?19:41
zzzeekbknudson: not sure, ive been looking at projects in the big picture and there;’s lots of retry_on_deadlock decorators19:42
ayoungzzzeek, OK,  here's the deal,  the code we have assumes a single instance for all of the objects.  When you write that way, you need to externalized all of the state.  If you don;t have magic methods that pull the state out of some global registry, you need to pass it in to the function call as a parameter19:42
morganfainbergzzzeek, we've largely written things to be isolated. we don't use that afaict19:42
zzzeekmorganfainberg ok that is fine19:42
ayoungso  instead of19:43
*** swartulv has joined #openstack-keystone19:43
morganfainbergzzzeek, it *does* result in some race-y-ness in some cases, and long term we need to fix that as well, but it's been of limited impact so far.19:43
dstanekmorganfainberg: that's also helped by autocommit - so no chance of philosphers dining in our current implementation19:43
morganfainbergdstanek, ++19:43
ayoung with sql.transaction() as session:  creating a new transaction, under the covers it could  join an existing transaction19:43
ayoungthat would not require changes in this code, but rather in the sql.transaction() call19:44
morganfainbergayoung, or a replacement of sql.transaction19:44
morganfainbergto something more universal across openstack19:44
zzzeekayoung: that woudl require tons of cahgnes because most keystone calls do not use sql.transaction()19:44
ayoungmorganfainberg, yep19:44
zzzeekayoung: of course, sql.transaction() should be maintaining state across nesting19:44
morganfainbergzzzeek, for any writes we *should* use that, for anything that is read only, we've been more lax about that19:44
zzzeekmorganfainberg: so i was thinking, sql.reader() vs. sql.writer()19:45
morganfainbergbarring migrations... lets not even talk about those19:45
ayoungzzzeek, but the way our code is written  also assumes a global database19:45
zzzeekanyway it sounds like ppl like context managers, sure that is not a problem19:45
morganfainbergzzzeek, sure. that makes logical sense (esp. if you want to fan out read-only replicas)19:45
ayoungwhich really is poor design as well19:46
zzzeekayoung: that’s a different issue, by at least abstracting out how you get at the DB you provide a chance to work on that second19:46
ayoungfor example, we need different semantics on, say, tokens, which are immutable versus trusts which require strict locking19:46
morganfainbergayoung, i think if we had a smarter set of managers for this. we could move towards having multuple dbs.19:46
morganfainberglayer in something way better that knows DB db vs Identity vs Assignment vs credential19:46
zzzeekmorganfainberg ayoung  this spec is just the first step, *getting everyone to use a context manager*19:46
zzzeekthat oslo.db defines and does the right thing19:47
morganfainbergzzzeek, and we do tend to like context managers.19:47
zzzeekmorganfainberg: fine.  other projects though really need the retry on deadlock part and that should be integrated19:47
zzzeekmorganfainberg: itll work both ways, that was my plan anyway19:47
morganfainbergzzzeek, that is fine, if we're not using the retry_on_deadlock yet we might need it in the future this future proofs us19:47
morganfainbergzzzeek, i wouldn't complain if it worked both ways :)19:47
zzzeekmorganfainberg: only if you used the decorator version :)   deosnt matter.  i just want to celan up this enginefacade junk19:48
morganfainbergright19:48
*** crowell has joined #openstack-keystone19:48
zzzeekmorganfainberg: and if i can get it in keystone/nova/neutron then the rest of the projects can follow19:48
openstackgerritA change was merged to openstack/pycadf: Stop using intersphinx  https://review.openstack.org/12493519:48
ayoungzzzeek, what would your version of list_projects_in_domain(  look like?19:48
ayoungmorganfainberg, actually, I know zzzeek isn't termie because termie hates sql19:49
morganfainbergayoung, Hah!19:49
zzzeekayoung: http://paste.openstack.org/show/117572/19:49
morganfainbergdstanek, do you think we could revisit DI stuff at the summit and have a target/goal out of the session?19:50
dstanekmorganfainberg: yes19:50
morganfainbergdstanek, mind giving a little thought to that on the etherpad?19:50
ayoungzzzeek, no problem with that19:50
zzzeekayoung: by saying reader() you give a clue to clustering / HA systems what to do19:50
ayoungdistinguishing between read and write locks is good19:51
morganfainbergzzzeek, how would the ._get_domain know the session?19:51
dstanekmorganfainberg: sure, i'll do that now19:51
zzzeekmorganfainberg: it would use the same decorator / contextmanager19:51
morganfainbergok19:51
morganfainbergcool19:51
dstaneketherpad really needs a freaking search19:51
morganfainbergdstanek, haha yeah19:51
morganfainbergzzzeek, and yes read vs write would be great19:51
zzzeekmorganfainberg: now what if a reader() called a writer().   probably raise an error19:51
morganfainbergzzzeek, yes that would be logical, if you expect to write always start with write19:52
morganfainbergzzzeek, but a writer *should* be able to call a reader19:52
zzzeekmorganfainberg: in nova, they are passing the “session” along to methods trying to share the transaction, and they frequently forget to do it19:52
zzzeekmorganfainberg: and in other cases they cant19:52
zzzeekmorganfainberg: so it is a crapshow19:52
morganfainbergzzzeek, we do some of that. and do if not session: get_session19:52
morganfainbergwe've been fairly good at it, but.. sometimes we miss19:52
zzzeekmorganfainberg: yes that is just mistakes waiting to happen19:52
zzzeekmorganfainberg: thats TMTOWTDI, to quote anoteher meme19:53
morganfainbergzzzeek, i think this is absolutely in the right direction, and helps makes things a bit more clear what is expected.19:53
zzzeekits in nova that its really serious19:53
morganfainbergayoung, we might want to abstract this kind of concept out for LDAP as well.19:54
*** crowell has left #openstack-keystone19:54
zzzeekmorganfainberg: so neutron already uses context.session.   for them i might propose that these decorators are configured up front, as injecting an argument or patching it on an existing context argument19:54
morganfainbergzzzeek, i'd argue for the argument vs patching context.19:55
morganfainbergbut that would just be my choice. i don't like "random budles of cruft" that people just extract things from and hope their right19:55
zzzeekmorganfainberg: right but you can see if i go to neutron and say they ahve to chagne all def foo(context) into def foo(context, session), they’d not like that19:55
zzzeekmorganfainberg: both have their place :)19:56
morganfainbergnow, what might work for neutron is a wraper for the decorator, simple that says "context.session = my thing"19:56
*** nellysmitt has quit IRC19:56
morganfainbergor vice versa for us.19:56
zzzeekmorganfainberg: in sqlalchemy, some of these events have huge piles of junk to send in , that can change across releases…so i just send the user event a context objecvt with a well defined interface19:56
morganfainbergmostly for ease of transition19:56
*** nellysmitt has joined #openstack-keystone19:56
morganfainbergzzzeek, yeah. and that is what i dislike about "context". summed up neatly19:57
zzzeekmorganfainberg: i agree that an amorphous “context” sucks.   but a well defined one can be appopriate when there is a really large and complex set of information to be made available.19:57
morganfainbergsure.19:57
morganfainbergwe do that in keystoneclient somewhat19:57
zzzeekmorganfainberg: but even then, yes the “context” should have something to do with the kinds of methods being called19:58
morganfainbergthe problem is mostly it's amorphus context in openstack19:58
zzzeekmorganfainberg: i wouldnt want to send the same “context” everywhere to everything19:58
morganfainbergvs. well defined19:58
dstanekmorganfainberg: i'm going to leave it at that for now - if i think about it anymore i may dish out an ayoung style rant to etherpad :-)19:58
morganfainbergdstanek, thanks19:58
zzzeekthanks for the input dstanek19:58
morganfainbergdstanek, which etherpad?19:58
morganfainberghttps://etherpad.openstack.org/p/kilo-keystone-summit-topics ?19:58
dstanekmorganfainberg: yes, i expanded on the DI sectioin19:59
morganfainbergdstanek, ah wrong one, ok moving it over to the "right" one19:59
ayoungmorganfainberg, there are no transaction in LDAP19:59
ayoungeach call is atomitc19:59
ayoungatomic19:59
dstanekzzzeek: my OpenStack contribution for the day: *related* on line 16 of your spec20:00
zzzeekwoop20:00
dstaneknap time!20:00
dstanekzzzeek: after talking to you the other day about SQA I started reading up on current patterns and practices20:01
morganfainbergdstanek, ok moved it over and zeroed out the old ether pad so no one uses it.20:01
*** nellysmitt has quit IRC20:01
morganfainbergok i need to go .. lunch time20:01
dstanekmorganfainberg: thx i didn't realize that was an older one20:01
ayoungmorganfainberg, can we label this one as "no the otherone, dummy"20:02
morganfainberghttps://etherpad.openstack.org/p/keystone-kilo-summit-sessions20:02
morganfainbergayoung, fixed it20:02
dstanekhow'd we get two?20:02
morganfainbergdstanek, my mistake, i picked the wrong name at one point20:03
morganfainberg:P20:03
morganfainbergthe correct one was started by ttx20:03
dstanekah20:03
dstanekmorganfainberg: i found it in my chrome history since etherpad hasn't grown that feature yet20:03
ayoungdstanek, I guess my fundamental question is:  how do I distinguish between what two registered objects provide if all I know is the string that they are named by20:04
dstanekayoung: with snake-guice you can't have more than one thing registed to the same name unless they have different scope/annotations20:05
ayoungdstanek, so we have name, scope?20:05
ayoungI miss type safety20:05
dstanekscope is a concept from guice, nomal scope in created on demand, singleton only once (per thread), request is created once per request, etc.20:06
dstanekit's not about the type - it's about the lifecycle of an object20:06
*** amakarov is now known as amakarov_away20:12
*** Gippa has joined #openstack-keystone20:17
ayoungnkinder, OK,  I think keystoneclient.client  has some other code that DOA should be using instead.  It looks like it handles creating a client of the right version already20:19
ayoungand, I think, it accepts an auth plugin.  I'm going to test it out.20:19
nkinderayoung: Cool.  I haven't dove into a lot of the details you mentioned earlier.20:19
nkinderayoung: my brain is melting trying to figure out setting up federation... :)20:19
ayoungnkinder, its ok,  its mostly important that I get them clear in my own head20:20
ayoungnkinder, I'll avoid following up on that statement to avoid getting derailed myself20:21
*** henrynash has quit IRC20:24
*** henrynash has joined #openstack-keystone20:25
*** nkinder has quit IRC20:29
rodrigodsstevemar, marekd|away ping20:36
rodrigodsat metadata exchange step to configure k2k fed, where do I put the SP metadata?20:37
stevemarrodrigods, it should be at a location determined by shibboleth20:38
rodrigodsstevemar, don't I need to put the SP information at the keystone IdP?20:39
rodrigodshttps://github.com/openstack/keystone/blob/master/doc/source/configure_federation.rst#generate-metadata20:40
stevemarrodrigods, so keystoneIdP is generated using keystone-manage, and is placed at keystoneSP's shib directory20:42
stevemar... wait now you've got me confused too20:42
stevemarboth keystones (IdP and SP) need to have each other's metadata20:43
rodrigodsstevemar, right, I've placed the IdP metadata at the SP. I thought I would need to do the same in the other way20:43
rodrigodsexactly20:43
*** dims_ has joined #openstack-keystone20:46
*** cjellick has quit IRC20:47
*** raildo_ is now known as raildo_away20:47
*** dims_ has quit IRC20:48
*** dims_ has joined #openstack-keystone20:48
*** dims_ has quit IRC20:49
*** dims_ has joined #openstack-keystone20:49
stevemarrodrigods, i think you still specify it in shibboleth2.xml20:50
*** dims has quit IRC20:50
*** mikedillion has quit IRC20:51
rodrigodsstevemar, so I need shibboleth  for the IdP too?20:51
stevemaryep20:51
*** nkinder has joined #openstack-keystone20:51
rodrigodsok, will add some lines in the doc then =)20:52
*** dims_ has quit IRC20:54
stevemarrodrigods, thank you sir!20:57
*** marcoemorais has quit IRC21:02
*** jasondotstar has quit IRC21:02
*** marcoemorais has joined #openstack-keystone21:02
*** marcoemorais has quit IRC21:03
*** marcoemorais has joined #openstack-keystone21:05
*** marcoemorais has quit IRC21:05
*** marcoemorais has joined #openstack-keystone21:05
*** marcoemorais has quit IRC21:06
*** marcoemorais has joined #openstack-keystone21:06
*** morgan_remote_ has quit IRC21:06
*** morgan_remote_ has joined #openstack-keystone21:09
*** radez is now known as radez_g0n321:10
*** joesavak has quit IRC21:10
openstackgerritDolph Mathews proposed a change to openstack/keystone: revise docs on default _member_ role  https://review.openstack.org/11080321:19
*** jaosorior has quit IRC21:33
*** jaosorior has joined #openstack-keystone21:34
nkinderstevemar: none of the CLIs support creation of an IdP, protocol, or mappings for OS-FEDERATION, right?21:35
nkinderstevemar: just use curl for now?21:36
stevemarnkinder, OSC supports IdP21:36
stevemarand there is a patch for mapping21:36
nkinderstevemar: oh, cool.  I suppose I'll try that way to test it out then21:36
stevemarnkinder, it's just been on the back burner is all21:36
nkinderstevemar: I'm using mod_auth_mellon and ipsilon, so that could turn into some doc updates to cover other cases than just shibboleth21:37
stevemarnkinder, sweet!21:38
stevemarnkinder, yeah adam had some of that on his blog, but if you could make legit docs, i'll be happy to review21:39
*** andreaf has quit IRC21:41
*** andreaf has joined #openstack-keystone21:42
*** stevemar has quit IRC21:43
*** stevemar has joined #openstack-keystone21:44
*** joesavak has joined #openstack-keystone21:47
rm_workstevemar: hey, you linked me to a thing yesterday about using Trusts with API v2 -- I was wondering if you could clear up some confusion i've been having about the Keystone versioning T_T21:52
stevemarrm_work, i'll gladly try to21:53
rm_workSo, I have been told in the past "There is no Keystone v3 -- there is Identity API v2.0 and Identity API v3"21:54
rm_workis that accurate?21:54
bknudsonrm_work: yes21:55
rm_workIE, the API versions are not tied to the Keystone version21:55
bknudsonyou can enable or disable either version support in keystone21:55
rm_workOk, so Trusts are an Identity API v3 thing, but are doable in v2 -- how do I figure out what version of keystone is actually required for them to work?21:55
rm_workper https://bugs.launchpad.net/keystone/+bug/1331884 it looks like maybe they were backported into API v2?21:56
uvirtbotLaunchpad bug 1331884 in keystone "A V2 token from trust cannot be generated with user/pass" [Wishlist,In progress]21:56
bknudsonin v2 I think you can check for the extension... there's a v2.0/extensions21:56
rm_workor something like that21:56
rm_workso Trusts are an extension?21:56
bknudsonkind of... you can disable trusts.21:56
rm_workOk but... if someone only has Identity API v2 available, that could be either because they disabled v3, or because their version of Keystone was shipped before v3 EXISTED, right?21:57
bknudsonsure21:57
rm_workand in the case of "they just disabled v3", then probably v2 supports Trusts still in the backend21:57
rm_workbut possibly they have an older version of Keystone and trusts aren't supported at all?21:58
*** thedodd has joined #openstack-keystone21:58
rm_workso I'd have to do the /extension call you mentioned and see if it's there21:58
bknudsonmaybe they don't even run keystone and instead implement their own identity api21:58
rm_worklol yes, I definitely have that problem too <_<21:58
rm_worktrying to keep to one huge cluster-f$#* at a time tho ;)21:58
rm_workSo, what I *actually* need to say instead of "Keystone Identity API v3 is required for this to work" is "Keystone must have the Trusts extension installed for this to work"22:00
bknudsonrm_work: that sounds right. for keystone it's not installed it's just enabled.22:00
rm_workwell, it may or may not be there to BE enabled/disabled22:01
rm_workdepending on how old the Keystone installation is22:01
bknudsonsure22:01
rm_workok22:01
*** dims has joined #openstack-keystone22:02
*** rkofman has quit IRC22:03
*** joesavak has quit IRC22:03
stevemarrm_work, that sounds super weird, i wonder why you aren't seeing v322:03
*** rkofman has joined #openstack-keystone22:03
stevemarrm_work, what do you get when you hit just '/' -> hostname:5000/22:03
stevemarit should list all available versions22:03
rm_workstevemar: it's not that I don't see v3 in our install22:04
rm_workwell, actually our install doesn't USE keystone, as bknudson hinted and I lamented :(22:04
rm_workbut22:04
*** lcheng has quit IRC22:04
*** lcheng has joined #openstack-keystone22:05
*** cjellick has joined #openstack-keystone22:05
*** marcoemorais has quit IRC22:05
rm_workI need this to work across many cloud deployers (ie, anyone who runs Openstack)22:06
*** marcoemorais has joined #openstack-keystone22:06
rm_workand I am trying not to intruduce dependencies where I don't have to, and am currently surveying to see what versions of Keystone the major players involved in my project are running22:06
*** marcoemorais has quit IRC22:06
*** marcoemorais has joined #openstack-keystone22:07
*** marcoemorais has quit IRC22:07
*** marcoemorais has joined #openstack-keystone22:07
*** henrynash has quit IRC22:08
*** lcheng has quit IRC22:09
*** lcheng has joined #openstack-keystone22:09
stevemarrm_work, sounds like you have a headache to deal with22:10
rm_workindeed22:10
*** mikedillion has joined #openstack-keystone22:10
*** henrynash has joined #openstack-keystone22:11
*** NM1 has quit IRC22:12
*** marcoemorais has quit IRC22:13
*** flwang1 has quit IRC22:13
*** marcoemorais has joined #openstack-keystone22:13
*** henrynash has quit IRC22:13
*** bknudson has quit IRC22:15
*** gordc has quit IRC22:17
*** Tahmina has quit IRC22:18
*** marcoemorais has quit IRC22:20
*** amcrn_ has joined #openstack-keystone22:26
*** topol has quit IRC22:27
*** amcrn has quit IRC22:30
*** marcoemorais has joined #openstack-keystone22:31
*** lcheng has quit IRC22:32
*** lcheng has joined #openstack-keystone22:33
*** marcoemorais has quit IRC22:33
*** zzzeek has quit IRC22:33
*** zzzeek has joined #openstack-keystone22:34
*** andreaf has quit IRC22:35
*** andreaf has joined #openstack-keystone22:36
*** lcheng has quit IRC22:37
*** sigmavirus24 is now known as sigmavirus24_awa22:37
*** shuffleb1t is now known as shufflebot22:37
*** shufflebot has joined #openstack-keystone22:38
*** zzzeek_ has joined #openstack-keystone22:47
*** zzzeek has quit IRC22:47
*** zzzeek_ is now known as zzzeek22:47
dstanekdolphm: maybe you deserve more than a +2...but i had to correct all that crap!22:58
openstackgerritKui Shi proposed a change to openstack/keystone: Add memcached_backend configuration  https://review.openstack.org/12203723:00
*** mikedillion has quit IRC23:09
*** lcheng has joined #openstack-keystone23:12
*** bknudson has joined #openstack-keystone23:17
*** thedodd has quit IRC23:32
*** Tahmina has joined #openstack-keystone23:44
openstackgerritA change was merged to openstack/keystone: Handle default string values when using user_enabled_invert  https://review.openstack.org/12524323:45
openstackgerritA change was merged to openstack/keystone: Remove duplicated assertion  https://review.openstack.org/12338223:46
*** david-lyle has quit IRC23:49
*** jaosorior has quit IRC23:53
*** mikedillion has joined #openstack-keystone23:55
openstackgerritBrant Knudson proposed a change to openstack/keystone: Internal notifications for cleanup domain  https://review.openstack.org/12552123:55
ayoungmorganfainberg, I think that endpoint constraints could replace the service catalog, and give us a way to get to an id only catalog23:58
*** gokrokve has quit IRC23:58
*** bknudson has quit IRC23:58
*** bknudson has joined #openstack-keystone23:59
« Tuesday, 2014-09-30 Index Thursday, 2014-10-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!