Tuesday, 2014-10-14

00:01 <morganfainberg> lol
00:11 *** lhcheng has quit IRC
00:11 *** marcoemorais has quit IRC
00:11 *** marcoemorais has joined #openstack-keystone
00:11 *** lhcheng has joined #openstack-keystone
00:21 *** zzzeek has quit IRC
00:24 <dstanek> morganfainberg: pong
00:24 <morganfainberg> dstanek, added you as the leader for the obj. lifecycle design session
00:24 <morganfainberg> https://etherpad.openstack.org/p/kilo-keystone-summit-topics
00:24 <morganfainberg> dstanek, please feel free to update/fix the description / goals
00:24 <morganfainberg> dstanek, if you don't mind leading that is
00:25 <dstanek> sure, i don't have a problem with that
00:25 *** sigmavirus24_awa is now known as sigmavirus24
00:26 <morganfainberg> dstanek, cool
00:26 <dstanek> i spent time today thinking about it - so i was on the right track :-)
00:27 *** sigmavirus24 is now known as sigmavirus24_awa
00:42 <ayoung> morganfainberg, ah...but it won't work for GETs or DELETEs
00:43 <morganfainberg> ayoung, ?
00:43 <ayoung> morganfainberg, token in the request body
00:44 <morganfainberg> ayoung, ah true.
00:44 <morganfainberg> everything would need to be POST
00:44 <ayoung> there is no request body for operations where it is all just the URL
00:44 <morganfainberg> ick
00:44 <ayoung> morganfainberg, if we do the endpoint constraints, and drop the service catalog, we can probably have tokens down at the 1K level
00:46 <morganfainberg> ayoung, nah, 2-2.5k would be my expectation
00:46 <morganfainberg> but still better
00:47 <ayoung> gah, xchat detached this window. how do I reattach it?
00:47 <ayoung> one sec
00:47 <morganfainberg> uh...
00:47 *** ayoung has left #openstack-keystone
00:47 *** ayoung has joined #openstack-keystone
00:47 <ayoung> brute force
00:49 <morganfainberg> lol
00:52 <rodrigods> just sent a patch to horizon, trying to get groups in keystone v2
00:52 <rodrigods> and I thought I was learning something about keystone =(
00:53 <nkinder> rodrigods: :) No groups in v2
00:53 <morganfainberg> hehe
00:53 <rodrigods> nkinder, yeah...
00:53 <nkinder> it'd all be so much simpler if there was only v3...
00:54 <rodrigods> nkinder, ++
00:54 <rodrigods> I assumed that it was using v2, because it wasn't using role_assignments
00:54 <rodrigods> (but I forgot that it was me who added role_assignments to keystone client)
00:55 <morganfainberg> rodrigods, one of those moments like "who wrote this!?! ... oh I did..."
00:55 *** mitz_ has quit IRC
00:55 <morganfainberg> i swear i've *never* done that :P
00:55 <rodrigods> morganfainberg, totally believe you
00:55 <morganfainberg> hehe
00:56 * morganfainberg glares at ubuntu installer
00:56 <rodrigods> detail: the patch was near +A (had two +2)
00:57 *** mitz_ has joined #openstack-keystone
00:59 <ayoung> I haven't done that all day
00:59 <ayoung> mainly cuz I've been looking at other people's code
00:59 <morganfainberg> hehe
01:00 <ayoung> morganfainberg, so, question for you. If it turns out the data inside a keystone PKIZ token was improperly formatted (what was supposed to be binary was in fact Base64 encoded) would we have to release a new token version, or could we just silently fix it?
01:00 *** dims_ has quit IRC
01:00 <rodrigods> you cores, have a daily task: code review for X hours
01:00 <rodrigods> ?
01:00 <morganfainberg> ayoung, i'm... scared... why are you asking?
01:00 <ayoung> https://bugs.launchpad.net/python-keystoneclient/+bug/1379782
01:00 <uvirtbot> Launchpad bug 1379782 in python-keystoneclient "PKIZ token processesing does PEM, not DER" [Undecided,In progress]
01:01 *** dims has joined #openstack-keystone
01:01 <ayoung> morganfainberg, it's not huge. It probably has a minor effect on token size
01:01 <ayoung> We could make the validation accept either DER or CMS encoding (which is what that patch does)
01:02 <morganfainberg> ayoung, that is probably the right answer
01:02 <ayoung> morganfainberg, so, the hiccup would be (I think) only if they deployed KC for Keystone server without doing the same change for the client
01:02 <ayoung> so the server was issuing tokens that the client could not validate
01:02 *** shakayumi has quit IRC
01:02 <ayoung> and...I could split it up into two patches
01:02 <morganfainberg> ayoung, so we *do* that now?
01:02 <ayoung> one that does the validation for both forms
01:03 <ayoung> morganfainberg, I just found this
01:03 <morganfainberg> ah, ok
01:03 <ayoung> wrote the patch over the weekend
01:03 <morganfainberg> ok so we should support both versions for sure
01:03 <ayoung> ah...py33
01:03 <morganfainberg> and then once we release the client that does so, we can fix server to issue it sanely
01:03 <ayoung> Ok, I bet that the py33 thing is due to the binary format
01:03 <ayoung> I'm almost tempted to leave it
01:04 <ayoung> here's the deal (IIUC)
01:04 <ayoung> when running openssl -outform der you get a binary
01:04 <ayoung> that was the plan, but I fat fingered in pem
01:04 <ayoung> I'm guessing it was part of trying to get the thing to work, and I left it in when I got the "HEY IT works!" endorphin rush
01:05 *** shakayumi has joined #openstack-keystone
01:05 <ayoung> so if we leave it...probably no harm done
01:05 <ayoung> let's see, I posted a patch with the updated sample data for the tokens...size difference....
01:05 *** dims has quit IRC
01:06 <morganfainberg> ah
01:06 <ayoung> can't tell...
01:06 <morganfainberg> not worried about the size of the token, it should be minimal in this case
01:06 <morganfainberg> my concern is correctness and breaking someone if we change it
01:06 <ayoung> let me see if I can get a size difference on the tokens. In theory, compressing binary and base64 encoded should reduce to the same size-ish
01:06 <ayoung> yeah
01:08 <ayoung> morganfainberg, http://paste.openstack.org/show/120861/
01:08 <ayoung> difference is significant enough to be interesting
01:08 <ayoung> top is binary, bottom is Base64
01:08 <morganfainberg> sure. but again, breaking people = bad
01:08 <ayoung> well, since I don't have a python33 fix anyway, it's a Mute point.
01:09 <ayoung> You are just dying to correct that, aren't you?
01:09 <morganfainberg> what the pem -> der?
01:09 <morganfainberg> or the py33 bit?
01:09 <ayoung> no Mute to Moot
01:09 <morganfainberg> oh
01:09 <morganfainberg> didn't even realize you typo'd it
01:09 <ayoung> It's a mute point. we don't have to talk about it
01:10 <ayoung> try the veal
01:10 * ayoung just a touch punchy
01:10 <morganfainberg> meh.
01:10 *** jorge_munoz has quit IRC
01:10 *** stevemar has joined #openstack-keystone
01:11 <morganfainberg> ooh lookie a wild stevemar appears
01:11 <stevemar> morganfainberg, howdy
01:11 <stevemar> morganfainberg, been away for a few days, holiday and such
01:12 <morganfainberg> welcome back
01:12 <stevemar> morganfainberg, what did i miss?
01:12 <morganfainberg> nothin
01:12 <morganfainberg> is quiet.
01:12 <stevemar> quiet is good
01:13 *** jorge_munoz has joined #openstack-keystone
01:13 <ayoung> nkinder, question for you: I want to compare the signing data of two certificates. I've gotten enough of a handle on python asn1 that I can extract the signer info. Does it make sense that I could hash the signer info of a keystone token and check that it matched the signer info for a certificate?
01:14 <morganfainberg> stevemar, https://etherpad.openstack.org/p/kilo-keystone-summit-topics added a tentative schedule
01:15 <stevemar> morganfainberg, i'm gonna go hard on the CI stuff
01:15 <stevemar> probably
01:16 <morganfainberg> ?
01:16 *** dims has joined #openstack-keystone
01:16 *** harlowja is now known as harlowja_away
01:16 <morganfainberg> you mean from the perspective of what you're working on this cycle?
01:16 *** harlowja_away is now known as harlowja
01:18 <stevemar> morganfainberg, yesssh
01:19 <stevemar> morganfainberg, plus whatever topes has me workin on
01:22 <morganfainberg> cool
01:22 <nkinder> ayoung: so you'd hash the signer on both sides and compare?
01:22 <stevemar> morganfainberg, probably something federation related, maybe finally adding openid connect :P
01:22 <ayoung> nkinder, yeah, that is what the OCSP code I found seems to be doing
01:23 <ayoung> nkinder, https://github.com/coruus/pyasn1-modules/blob/master/tools/ocspclient.py#L40
01:24 <ayoung> nkinder, it seems to make sense: why bother doing the whole string conversion and comparison when the ASN1 data is already in canonical form?
01:26 <ayoung> nkinder, since the OS-SIMPLE-CERT extension returns all certificates, whoever is checking would parse them down to the issuer, hash that, and then do the same for any tokens that come in. If there is a match, that is the certificate to use to try and validate the token
01:26 <nkinder> ayoung: looks like that's part of the request in the spec - https://www.ietf.org/rfc/rfc2560.txt
01:26 <ayoung> nkinder, yeah, I know. I was just looking around for pyasn1 examples, and came across that. Do you know if it is Kosher?
01:27 <nkinder> ayoung: it sounds fine to me, but the right person to ask is Bob Relyea
01:27 <ayoung> will do
01:27 <ayoung> doesn't he sit right behind you?
01:27 <nkinder> ayoung: shoot him an e-mail and I'll bug him when I see him if he doesn't get back to you
01:27 <nkinder> ayoung: yeah, a few desks over
01:29 <ayoung> nkinder, so I'm guessing that token.signing_info[0].issuer.hash == cert.issuer.hash && a serial number check will do it
01:29 <ayoung> and with that, we know how to identify which cert to use to validate a token
01:37 *** wpf has joined #openstack-keystone
01:38 <wpf> All, anyone know that when using multi-region, can we have the different service user/pw for different region? such as nova1 for region1 and nova2 for region2?
01:38 <ayoung> wpf, yes. so long as the nova uses that username when authenticating to keystone
01:39 <ayoung> wpf, you can have a different user per endpoint. I'd almost suggest that is a best practice
01:40 <wpf> ayoung: thanks for your answer, anyway, forgive my ignorance, do we need to configure all the components' conf files in one region to have the different user for it?
01:41 <ayoung> wpf, components?
01:41 <ayoung> you mean endpoints?
01:41 <wpf> nova, glance, neutron....
01:41 <wpf> yes
01:42 <wpf> since I remember that there is no relationship between user and endpoints in the keystone db?
01:42 <ayoung> wpf, each endpoint only needs to know about its specific service user. So if region1_nova is using a different user than region2_nova the conf files for Nova need to reflect that
01:42 <ayoung> let's say, though, that you don't care about that for, say, glance, then you could use one glance user for all endpoints everywhere
01:43 <ayoung> there is no explicit relationship between users and endpoints, that is correct
01:44 <wpf> Ok, then we need to add the new users and assign them the same role as the normal service users manually, right?
01:44 *** wwriverrat has quit IRC
01:53 <ayoung> wpf, that is correct
01:53 <wpf> ayoung: thanks, you are a big help
01:56 *** shakamunyi has joined #openstack-keystone
01:57 *** shakayumi has quit IRC
01:58 *** marcoemorais has quit IRC
02:00 *** lhcheng has quit IRC
02:00 *** lhcheng has joined #openstack-keystone
02:05 *** lhcheng has quit IRC
02:06 *** lhcheng has joined #openstack-keystone
02:11 *** lhcheng has quit IRC
02:12 *** lhcheng has joined #openstack-keystone
02:19 *** lhcheng has quit IRC
02:19 *** lhcheng has joined #openstack-keystone
02:22 *** samuelmz__ has quit IRC
02:24 *** lhcheng has quit IRC
02:24 *** alex_xu has joined #openstack-keystone
02:29 *** dims has quit IRC
02:32 *** alex_xu has quit IRC
02:34 *** shakamunyi has quit IRC
02:35 *** shakamunyi has joined #openstack-keystone
02:37 *** gyee has quit IRC
02:44 *** alex_xu has joined #openstack-keystone
02:45 *** stevemar2 has joined #openstack-keystone
02:46 *** shakayumi has joined #openstack-keystone
02:49 *** breton_ has joined #openstack-keystone
02:49 *** jaosorior_ has joined #openstack-keystone
02:49 *** ctracey_ has joined #openstack-keystone
02:50 *** serverascode__ has joined #openstack-keystone
02:51 *** morgan has joined #openstack-keystone
02:52 *** vsilva` has joined #openstack-keystone
02:52 *** d0ugal_ has joined #openstack-keystone
02:54 *** shakamunyi has quit IRC
02:54 *** stevemar has quit IRC
02:54 *** jaosorior has quit IRC
02:54 *** Dafna has quit IRC
02:54 *** HenryG has quit IRC
02:54 *** morganfainberg has quit IRC
02:54 *** mgagne has quit IRC
02:54 *** sudorandom has quit IRC
02:54 *** serverascode_ has quit IRC
02:54 *** comstud has quit IRC
02:54 *** d34dh0r53 has quit IRC
02:54 *** vsilva has quit IRC
02:54 *** junhongl has quit IRC
02:54 *** swartulv has quit IRC
02:54 *** ctracey has quit IRC
02:54 *** breton has quit IRC
02:54 *** vishy has quit IRC
02:54 *** lbragstad has quit IRC
02:54 *** sigmavirus24_awa has quit IRC
02:54 *** dtroyer has quit IRC
02:54 *** adam_g has quit IRC
02:54 *** d0ugal has quit IRC
02:54 *** gsilvis has quit IRC
02:54 *** mhu has quit IRC
02:54 *** d0ugal_ is now known as d0ugal
02:54 *** morgan is now known as morganfainberg
02:54 *** jaosorior_ is now known as jaosorior
02:54 *** d0ugal is now known as Guest85887
02:55 *** jorge_munoz has quit IRC
02:55 *** gsilvis has joined #openstack-keystone
02:56 *** vishy has joined #openstack-keystone
02:56 *** sigmavirus24_awa has joined #openstack-keystone
02:57 *** adam_g has joined #openstack-keystone
02:58 *** adam_g has quit IRC
02:58 *** adam_g has joined #openstack-keystone
02:58 *** d34dh0r53 has joined #openstack-keystone
02:59 *** ctracey_ is now known as ctracey
02:59 *** richm has quit IRC
03:00 *** Dafna has joined #openstack-keystone
03:02 *** junhongl has joined #openstack-keystone
03:04 *** sigmavirus24_awa is now known as sigmavirus24
03:04 *** sigmavirus24 has joined #openstack-keystone
03:05 *** sigmavirus24 is now known as sigmavirus24_awa
03:07 *** swartulv has joined #openstack-keystone
03:08 *** thedodd has joined #openstack-keystone
03:09 *** mhu has joined #openstack-keystone
03:19 *** bknudson has quit IRC
03:21 *** comstud has joined #openstack-keystone
03:21 *** mgagne has joined #openstack-keystone
03:21 *** mgagne is now known as Guest88785
03:22 *** dtroyer has joined #openstack-keystone
03:22 *** sudorandom has joined #openstack-keystone
03:23 *** lbragstad has joined #openstack-keystone
03:23 *** alex_xu has quit IRC
03:29 *** dims has joined #openstack-keystone
03:31 *** lhcheng has joined #openstack-keystone
03:34 *** dims has quit IRC
03:35 *** lhcheng has quit IRC
03:37 *** lhcheng has joined #openstack-keystone
03:38 *** alex_xu has joined #openstack-keystone
03:42 *** ayoung has quit IRC
03:48 *** harlowja is now known as harlowja_away
03:52 *** harlowja_away is now known as harlowja
03:56 *** thedodd has quit IRC
04:00 *** stevemar2 has quit IRC
04:01 *** stevemar2 has joined #openstack-keystone
04:01 *** ncoghlan has joined #openstack-keystone
04:04 *** alex_xu has quit IRC
04:12 *** HenryG has joined #openstack-keystone
04:17 *** alex_xu has joined #openstack-keystone
04:26 <openstackgerrit> wanghong proposed a change to openstack/keystone: fix the wrong order of assertEqual args in test_v3 https://review.openstack.org/127110
04:28 *** mfisch has quit IRC
04:30 *** dims has joined #openstack-keystone
04:31 <openstackgerrit> wanghong proposed a change to openstack/keystone: fix the wrong order of assertEqual args in test_v3 https://review.openstack.org/127110
04:35 *** dims has quit IRC
04:37 *** swamireddy has joined #openstack-keystone
05:12 *** lhcheng has quit IRC
05:17 *** lhcheng has joined #openstack-keystone
05:20 *** mfisch has joined #openstack-keystone
05:20 *** mfisch is now known as Guest18588
05:28 *** stevemar2 has quit IRC
05:37 *** stevemar has joined #openstack-keystone
05:40 *** Guest18588 has quit IRC
05:40 *** alex_xu has quit IRC
05:40 *** vsilva` has quit IRC
05:40 *** htruta has quit IRC
05:40 *** afaranha has quit IRC
05:40 *** mitz has quit IRC
05:40 *** harlowja has quit IRC
05:40 *** DavidHu__ has quit IRC
05:46 *** Guest18588 has joined #openstack-keystone
05:46 *** alex_xu has joined #openstack-keystone
05:46 *** vsilva` has joined #openstack-keystone
05:46 *** afaranha has joined #openstack-keystone
05:46 *** htruta has joined #openstack-keystone
05:46 *** mitz has joined #openstack-keystone
05:46 *** harlowja has joined #openstack-keystone
05:46 *** DavidHu__ has joined #openstack-keystone
05:48 *** afazekas has joined #openstack-keystone
06:00 *** dims has joined #openstack-keystone
06:01 *** alex_xu has quit IRC
06:01 *** ajayaa has joined #openstack-keystone
06:05 *** dims has quit IRC
06:07 *** ajayaa has quit IRC
06:12 *** lhcheng has quit IRC
06:12 *** lhcheng has joined #openstack-keystone
06:15 *** alex_xu has joined #openstack-keystone
06:17 *** lhcheng has quit IRC
06:22 <openstackgerrit> A change was merged to openstack/identity-api: Updated from global requirements https://review.openstack.org/128121
06:23 *** alex_xu has quit IRC
06:24 *** k4n0 has joined #openstack-keystone
06:25 *** harlowja is now known as harlowja_away
06:25 *** lufix has joined #openstack-keystone
06:25 *** lufix has quit IRC
06:25 *** lufix has joined #openstack-keystone
06:34 *** shakayumi has quit IRC
06:35 *** alex_xu has joined #openstack-keystone
06:35 *** ajayaa has joined #openstack-keystone
06:45 *** ukalifon1 has joined #openstack-keystone
06:51 *** zzzeek has joined #openstack-keystone
06:51 *** zzzeek has quit IRC
06:52 *** stevemar has quit IRC
06:53 *** ajayaa has quit IRC
06:59 *** stevemar has joined #openstack-keystone
07:02 <openstackgerrit> Sergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3 https://review.openstack.org/118383
07:05 *** zarric has joined #openstack-keystone
07:08 *** stevemar has quit IRC
07:23 <openstackgerrit> wanghong proposed a change to openstack/keystone: fix the wrong order of assertEqual args in test_v3 https://review.openstack.org/127110
07:31 *** jaosorior has left #openstack-keystone
07:32 *** Guest85887 has quit IRC
07:32 *** alex_xu has quit IRC
07:32 *** Guest50275 has joined #openstack-keystone
07:35 *** Guest50275 has quit IRC
07:36 *** dmatthews__ has joined #openstack-keystone
07:38 <openstackgerrit> wanghong proposed a change to openstack/keystone: use expected_length parameter to assert expected length https://review.openstack.org/128197
07:38 *** amcrn has quit IRC
07:46 *** dmatthews__ has quit IRC
07:46 *** alex_xu has joined #openstack-keystone
07:47 *** dmatthews__ has joined #openstack-keystone
07:52 *** dmatthews__ has quit IRC
07:53 *** d0ugal has joined #openstack-keystone
07:53 *** d0ugal is now known as Guest56922
07:53 *** nellysmitt has joined #openstack-keystone
07:54 *** Guest56922 is now known as d0ugal
07:54 *** d0ugal has joined #openstack-keystone
07:57 *** jistr has joined #openstack-keystone
08:01 *** ncoghlan has quit IRC
08:11 *** alex_xu has quit IRC
08:23 *** alex_xu has joined #openstack-keystone
08:24 <openstackgerrit> Matthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument for unscoped SAML-based plugins https://review.openstack.org/128103
08:27 *** shakamunyi has joined #openstack-keystone
08:28 <openstackgerrit> Matthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument for unscoped SAML-based plugins https://review.openstack.org/128103
08:32 *** shakamunyi has quit IRC
09:01 *** k4n0 has quit IRC
09:01 *** aix_ has joined #openstack-keystone
09:02 *** breton_ is now known as breton
09:14 *** k4n0 has joined #openstack-keystone
09:15 *** alex_xu has quit IRC
09:19 *** Tahmina has joined #openstack-keystone
09:21 <openstackgerrit> wanghong proposed a change to openstack/keystonemiddleware: call _choose_api_version in one place https://review.openstack.org/127866
09:26 *** aix_ has quit IRC
09:27 *** aix_ has joined #openstack-keystone
09:29 *** swamireddy has quit IRC
09:39 *** swamireddy has joined #openstack-keystone
09:42 *** HenryG has quit IRC
09:42 *** HenryG_ has joined #openstack-keystone
09:43 *** HenryG_ has quit IRC
09:43 *** HenryG has joined #openstack-keystone
10:33 *** k4n0 has quit IRC
10:35 *** shikui_ has joined #openstack-keystone
10:38 *** Kui has quit IRC
10:38 *** dims has joined #openstack-keystone
10:43 *** dims has quit IRC
11:00 *** dims has joined #openstack-keystone
11:29 *** jistr is now known as jistr|english
11:53 *** pc-m has joined #openstack-keystone
12:03 *** amakarov_away is now known as amakarov
12:14 *** k4n0 has joined #openstack-keystone
12:15 *** ajayaa has joined #openstack-keystone
12:24 *** dims has quit IRC
12:25 *** dims has joined #openstack-keystone
12:28 <mhu> marekd: I finally got to use your saml2 wrapper in OSC, it works nicely
12:30 *** dims has quit IRC
12:30 <openstackgerrit> Masahito Muroi proposed a change to openstack/keystonemiddleware: hanging the value type of http_connect_timeout https://review.openstack.org/126543
12:33 <marekd> mhu: you mean https://review.openstack.org/#/c/106751/ ?
12:34 <mhu> marekd, yes
12:34 <marekd> mhu: did you have to hack anything?
12:34 <marekd> or simply pull this review?
12:34 <marekd> mhu: actually I already got into some design faults :(
12:35 <marekd> nobody is using it and I will need to start deprecating a few methods.
12:35 *** shakayumi has joined #openstack-keystone
12:35 <marekd> mhu: it was a good lesson for me (painful at the same time)
12:35 <marekd> https://review.openstack.org/#/c/124767/1 <--
12:35 *** shakayumi has quit IRC
12:36 <mhu> marekd, I pulled the review, installed the lib in a venv -had to remove the version pulled when installing osc though- and it pretty much worked out of the box
12:38 *** gordc has joined #openstack-keystone
12:38 *** Tahmina has quit IRC
12:43 <mhu> marekd, bah, it happens, it's not easy to foresee everything
12:45 <mhu> marekd, it'd be cool to make the wrapper patch non-dependent on the signature change one, though, so that the wrapper can actually land in ksc's next version
12:48 <marekd> mhu: i should work on that today or tomorrow.
12:48 <marekd> mhu: i was thinking about adding factory methods.
12:48 <marekd> or decorators.
12:54 *** jasondotstar has quit IRC
12:54 *** miqui has joined #openstack-keystone
12:54 *** jistr|english is now known as jistr
12:55 <openstackgerrit> Ilya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558
12:55 <openstackgerrit> Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630
13:00 *** f13o_f13o has joined #openstack-keystone
13:00 *** f13o_f13o has quit IRC
13:03 *** packet has joined #openstack-keystone
13:05 *** bknudson has joined #openstack-keystone
13:05 *** shikui_ has quit IRC
13:14 *** ayoung has joined #openstack-keystone
13:17 *** Kui has joined #openstack-keystone
13:21 *** kpavel has joined #openstack-keystone
13:23 <kpavel> Is there an option to delegate authorization and authentication from keystone to an external service? For example in case i want to login to openstack using VCenter local users/passwords?
13:24 *** richm has joined #openstack-keystone
13:24 <ayoung> kpavel, you would need to have a common password store
13:24 <ayoung> keystone is more made to consume external auth.
13:25 <ayoung> kpavel, what do you mean by "local" for VCenter? Active Directory? Some SQL Backend?
13:25 <openstackgerrit> A change was merged to openstack/identity-api: Correct response status for HEAD requests https://review.openstack.org/124243
13:27 *** Kui has quit IRC
13:28 <rodrigods> anyone available to give some feedback on the comments here https://review.openstack.org/#/c/117785/22/keystone/assignment/backends/sql.py ?
13:29 <ayoung> rodrigods, I'll do it if you review https://review.openstack.org/#/c/125673/
13:29 * ayoung horse trader
13:29 *** jasondotstar has joined #openstack-keystone
13:31 <ayoung> rodrigods, it's a pity that the relational database world has not standardized how to do hierarchical queries
13:31 <rodrigods> ayoung, yeah... I didn't know about this MPTT thing
13:32 <ayoung> rodrigods, why does def _get_children(self, session, project_ids) take a list of project_ids? It doesn't look recursive
13:32 <rodrigods> but I think that the current solution is pretty simple and covers the first steps for HM
13:32 <rodrigods> ayoung, in this way, we can do only one DB query
13:33 <ayoung> yeah, it's just a lot of Database hits for deep trees
13:33 *** packet has quit IRC
13:33 <kpavel> ayoung, i think VCenter uses Active Directory.
13:33 <ayoung> kpavel, then, yes, use the LDAP backend for Keystone and point it at AD.
13:34 <rodrigods> ayoung, would love to study more about MPTT and maybe use it to improve the HM implementation, but I think that it really fits in the "next steps" area
13:34 <ayoung> ++
13:34 <kpavel> ayoung, thanks
13:34 <rodrigods> and maybe the guys from my team can discuss it at the summit =)
13:36 <rodrigods> ayoung, can you give your "core" opinion over there?
13:36 <ayoung> I'll be there
13:36 *** vhoward has left #openstack-keystone
13:36 <rodrigods> ayoung, in the patch too =)
13:37 <ayoung> meh...
13:37 <ayoung> rodrigods, nah, that's all good...don't want to derail
13:38 <rodrigods> ayoung, ++
13:40 <ayoung> rodrigods, is there any upper limit to the number of parameters we can have in a sql query? Line 316, where we keep adding more and more "parents" to the query as we go deeper?
13:41 * rodrigods checking
13:43 *** topol has joined #openstack-keystone
13:43 <rodrigods> ayoung, never heard about size limits in this type of query...
13:43 <ayoung> rodrigods, I don't think you need the explicit DB query for a leaf project. When you query from the top down, some of the projects are going to return with no children. You can detect at that point.
13:44 <ayoung> and annotate on the record that it is a leaf
13:45 <rodrigods> ayoung, if we use the "leaf" record, we could always change it to "not leaf" in the create_project() method
13:45 <ayoung> yep
13:45 <rodrigods> not necessarily in the traversal
13:45 *** andreaf has joined #openstack-keystone
13:46 <rodrigods> ayoung, but right now the "is_leaf_project" method is only used in the delete_project()
13:46 <ayoung> then don't bother
13:46 <rodrigods> ++
13:47 <ayoung> just do the query to delete children,
13:47 <ayoung> where is the delete? not seeing it
13:47 <rodrigods> it's in the next patch
13:48 <rodrigods> ayoung, that patch only has the "util" methods part
13:48 <ayoung> ah. funny how the hierarchy thing would be so much simpler in LDAP and we are not planning on supporting it there
13:48 <rodrigods> ayoung, https://review.openstack.org/#/c/117786/22/keystone/assignment/core.py line 173
13:49 <ayoung> rodrigods, what was the reason for the split between those two patches?
13:49 <rodrigods> ayoung, just to ease the reviews, I think reviewers get scared by huge patches =)
13:50 <ayoung> yeah, but what was the rationale for what went into which?
13:50 <rodrigods> ayoung, "util" methods / actual crud operations
13:51 *** sigmavirus24_awa is now known as sigmavirus24
13:58 *** ajayaa has quit IRC
14:00 *** kpavel has quit IRC
14:07 *** radez_g0n3 is now known as radez
14:11 *** swamireddy has quit IRC
14:12 *** stevemar has joined #openstack-keystone
14:17 *** dims has joined #openstack-keystone
14:19 <ukalifon1> nkinder: should I recreate bug https://bugzilla.redhat.com/show_bug.cgi?id=1099628 with AD or with IPA? I am trying your ldapadd command and getting some strange connection errors (with AD)
14:19 <uvirtbot> ukalifon1: Error: Could not parse XML returned by bugzilla.redhat.com: HTTP Error 404: Not Found
14:20 <nkinder> ukalifon1: what errors do you get back from AD?
14:21 <nkinder> ukalifon1: If you're not connecting to AD using SSL/TLS, it won't allow you to set the "unicodePassword" attribute.
14:21 <nkinder> ukalifon1: that would be the most common reason for the add to fail
14:22 <ukalifon1> nkinder: so I need to connect to ldaps:// ?
14:22 <ukalifon1> nkinder: instead of ldap://
14:23 <nkinder> ukalifon1: yes, which means you'll need the CA cert, or you'll need to tell it to ignore validation (not ideal, but OK for testing)
14:23 <nkinder> ukalifon1: Also, AD has password complexity requirements
14:23 <nkinder> ukalifon1: if you use too simple of a password, it will fail with an unhelpful error message
14:24 <nkinder> ukalifon1: requirements are 8 characters, and 3 character "classes" must be represented (lower, upper, digit, 8-bit, special, etc.)
14:24 <nkinder> ukalifon1: Something like Password123 would meet the requirements
14:24 <ukalifon1> nkinder: I didn't even get to the stage where I need to choose a password yet
14:24 <nkinder> ukalifon1: your add doesn't include a password?
14:24 *** david-lyle has joined #openstack-keystone
14:25 <ukalifon1> nkinder: I try this: ldapadd -H ldaps://192.168.122.86 -x -D "cn=Manager,dc=win2012dom,dc=com" -w 'my_passwoprd'
14:25 <ukalifon1> and I get: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
14:26 <nkinder> ukalifon1: did you set up Microsoft Certificate Services on your AD system when you set up the domain controller?
14:26 <ukalifon1> nkinder: I don't think so
14:26 <nkinder> ukalifon1: if not, you don't have a CA and there is no certificate to allow LDAPS to be enabled
14:26 <ukalifon1> nkinder: can we tell it to ignore that?
14:26 <nkinder> ukalifon1: You can just add the user through the GUI on AD then
14:26 <nkinder> no
14:27 <nkinder> it will not ignore it.
14:27 <ukalifon1> nkinder: If I use the GUI, can I add commas in the dn?
14:27 <nkinder> ukalifon1: yes, I think so IIRC
14:28 <ukalifon1> nkinder: would ldapsearch work?
14:28 <nkinder> ukalifon1: yes
14:28 <nkinder> ukalifon1: the only thing that requires SSL/TLS is setting a password over a remote LDAP connection
14:29 <nkinder> ukalifon1: so in theory, you can use ldapmodify to add a user without a password, then go use the GUI to set the password
14:42 *** k4n0 has quit IRC
14:42 *** Dafna has quit IRC
14:51 *** jorge_munoz has joined #openstack-keystone
14:55 *** Dafna has joined #openstack-keystone
14:56 *** thedodd has joined #openstack-keystone
15:05 *** zzzeek has joined #openstack-keystone
15:06 *** david-lyle has quit IRC
15:19 *** roaet has joined #openstack-keystone
15:20 *** gyee has joined #openstack-keystone
15:20 *** roaet has left #openstack-keystone
15:25 <openstackgerrit> Chmouel Boudjnah proposed a change to openstack/keystonemiddleware: Encode middleware error message as bytes https://review.openstack.org/123451
15:34 *** mpath-rax has joined #openstack-keystone
15:37 *** ukalifon1 has quit IRC
15:38 <openstackgerrit> Dolph Mathews proposed a change to openstack/keystone-specs: add doc8 validation https://review.openstack.org/128338
15:38 <dolphm> morganfainberg: dstanek: ^
15:38 <openstackgerrit> Dolph Mathews proposed a change to openstack/keystone-specs: add doc8 validation https://review.openstack.org/128338
15:39 <dstanek> dolphm: i love doc8!
15:39 <mpath-rax> I'm looking for assistance with a keystone install - I'm seeing ImportError: Class TemplatedCatalog cannot be found. Does anyone know what this is about?
15:39 <dolphm> dstanek: i'm adding it to all the repos, but figured -specs should be the first :)
15:40 <morganfainberg> nice.
15:40 <morganfainberg> ++
15:41 *** andreaf has quit IRC
15:43 <dolphm> mpath-rax: change TemplatedCatalog to just Catalog IIRC - TemplatedCatalog has been deprecated for a couple releases
15:43 <dolphm> mpath-rax: in keystone.conf
15:43 *** marcoemorais has joined #openstack-keystone
15:43 <mpath-rax> k thanks dolphm
15:43 <dolphm> mpath-rax: err it's in your paste config, not keystone.conf necessarily
15:44 <mpath-rax> yep, that worked. Thanks
15:47 *** thedodd has quit IRC
15:49 *** thedodd has joined #openstack-keystone
15:52 <stevemar> hehe https://wiki.openstack.org/wiki/Summit/Kilo/Travel_Tips - "Do not drive your own car in Paris. Really, don't."
15:53 <marekd> stevemar: lol
15:53 <dolphm> 10 C isn't bad
15:53 <dolphm> unless it's windy
15:54 <stevemar> dolphm, shouldn't be an issue
15:56 <stevemar> this shuttle seems like a good idea
15:56 <stevemar> http://en.lescarsairfrance.com/les-navettes-roissy-cdg.html
15:57 <dolphm> stevemar: does that go somewhere useful for us?
15:57 <stevemar> dolphm, i believe right to the conference centre area
15:57 <stevemar> from airport
15:57 <stevemar> "If going to Porte Maillot, where the summit takes place ... take the "car Air France" coach that takes you directly from CDG to Porte Maillot"
15:59 <stevemar> seems to leave every 30 minutes
15:59 <dolphm> oh cool, so N 2?
16:00 <stevemar> line number 2
16:01 <stevemar> i wonder if i can buy a ticket at the airport instead of online
16:01 <mhu> I live 10 minutes away from Porte Maillot, I can confirm that cars Air France leave and go from/to there
16:02 <mhu> there are also shuttles for ryan air/easyjet flights going there
16:02 *** afazekas has quit IRC
16:03 <mhu> stevemar, I think you have to buy the bus ticket when boarding the bus, IIRC
16:04 <dolphm> morganfainberg: doc8 support is better for rst than for md - i'm tempted to convert all our api docs again
16:04 <stevemar> mhu hmm there is an option to buy online, but i
16:04 <stevemar> i'd prefer to buy when i board
16:05 *** _cjones_ has joined #openstack-keystone
16:05 <morganfainberg> dolphm, works for me
16:05 <stevemar> i think finding the conference centre when exiting porte maillot should be easy :) *look for the giant building*
16:07 <mhu> stevemar, yep, you can't really miss it !
16:10 <bknudson> the shuttle goes to palais maillot?
16:11 *** thedodd has quit IRC
16:11 <bknudson> oh, it's one of the stops
16:12 <stevemar> bknudson, definitely cheaper than a taxi
16:12 <dolphm> wonder how long the train takes
16:12 <stevemar> the shuttle apparently takes 1h
16:12 <stevemar> train is probably on par with that
16:13 <stevemar> train is a few bucks cheaper
16:13 <dolphm> it's a 6 hour walk
16:13 *** lufix has quit IRC
16:13 <morganfainberg> dolphm, walking it is then
16:13 <dolphm> i can be there by lunch
16:13 <stevemar> dolphm, landing at 6am?
16:13 <dolphm> stevemar: ish
16:13 <bknudson> at least you'd get to see something
16:14 <bknudson> is there a river taxi?
16:14 <dolphm> google maps is incapable of providing public transit directions
16:14 <stevemar> dolphm, yay i won't be the only one missing the keystone
16:14 <stevemar> dolphm, yeah :(
16:14 * morganfainberg will be there on Saturday.
16:14 <stevemar> let alone river taxi directions
16:14 <bknudson> how long is the swim? 6 hours, too?
16:14 <dolphm> same for bong maps
16:14 <gordc> dolphm: there's an express train into city. i don't know why google maps is so useless.
16:15 <lbragstad> ... bong maps?
16:15 *** Guest88785 is now known as mgagne
16:15 <dolphm> bing
16:15 <lbragstad> :)
16:15 <stevemar> gordc, oh yeah you've been already
16:15 <stevemar> give me your knowledge!
16:15 <dolphm> gordc: that's what i've heard
16:15 <gordc> 'salut, ca va'
16:15 <gordc> that's it.
16:15 *** mgagne is now known as Guest63293
16:15 <dolphm> gordc: someone told me to take the train from the airport, but i have no idea which one
16:15 <gordc> then walk away
16:15 <stevemar> lies
16:15 <bknudson> je mange un pomme is as far as I've gotten
16:15 <gordc> bbl. grabbing food.
16:16 <openstackgerrit> A change was merged to openstack/keystone-specs: add doc8 validation https://review.openstack.org/128338
*** Guest63293 is now known as mgagne16:16
*** mgagne has joined #openstack-keystone16:16
stevemargordc, just drops some knowledge and leaves16:16
*** thedodd has joined #openstack-keystone16:21
*** wwriverrat has joined #openstack-keystone16:26
*** wwriverrat1 has joined #openstack-keystone16:29
*** wwriverrat has quit IRC16:31
nkinderdolphm: when I went 13-14 years ago, the train was the RER B line from CDG into the city.16:32
nkinderThey had an "orange card" you could get, which was a week long metro pass and also covered the RER to/from the airport16:33
*** afazekas has joined #openstack-keystone16:35
dolphmnkinder: ooh, i need to look into train passes! thanks for the reminder16:36
nkinderdolphm: looks like the orange card still exists.  It worked nicely for me last time16:37
raildodolphm, I used the martha card in atlanta, what made me save a good money16:47
gordcstevemar: lol that's all the knowledge i know.16:47
* gordc is going to get lost.16:47
raildoI hope it in paris works the same way16:47
*** navid_ has joined #openstack-keystone16:48
navid_@dolphm16:48
*** shakayumi has joined #openstack-keystone16:48
samuelmsdolphm, http://www.ratp.fr/en/ratp/r_61584/tickets/16:49
dolphmnavid_: ?16:49
dolphmsamuelms: i'd have to get 3 five day cards, i think :)16:50
dolphmor 3 cards anyway, 11 days16:50
samuelmsdolphm, nice16:53
samuelmsdolphm, it looks like we can even buy it online16:53
*** jistr has quit IRC16:53
raildodolphm, 38 euros per 5 days =O16:56
marekddolphm: you are also arriving on Monday?17:01
*** lhcheng has joined #openstack-keystone17:07
*** harlowja_away is now known as harlowja17:13
morganfainbergmarekd: I think I need to bug you about post summit visit. Best way to get there, etc17:13
morganfainbergAnd which day makes the most sense. I'll be headed to Lyon for part of my trip this time (post summit)17:14
dstanekin looking at https://review.openstack.org/#/c/111982/1/specs/juno/email-attribute.rst it makes me wonder if we have an PII guidelines17:14
marekdmorganfainberg: sure, why don't you drop me an e-mail with some more details: when do you want to come to Geneva/CERN, for how long etc.17:15
morganfainbergdstanek: nope. We should. And it's part of why I am a fan of splitting out identity to its own thing. We can be more restrictive and eliminate PII from being available to the main keystone APIs openstack uses.17:15
marekdmorganfainberg: i will then try to advise what's worth seeing and try to organise some cern trips. :-)17:15
morganfainbergmarekd: will do. ;)17:16
samuelmsmorganfainberg, Lyon is a great city .. I've lived there for a year :)17:16
*** afazekas has quit IRC17:16
ayoungmorganfainberg  here is the first shot at dealing with multiple signers.  http://adam.younglogic.com/2014/10/who-can-sign-for-what/17:16
marekdsamuelms: oh, really?17:16
marekdmorganfainberg: samuelms: it's indeed nice17:16
morganfainbergI'll only have a day or so in Geneva though. :(. Wish I'd have more but limited time.17:16
samuelmsmarekd, yes .. it was an exchange year at INSA de Lyon :)17:16
marekdsamuelms: where are you from originally?17:17
samuelmsmarekd, I'm from Brazil17:17
marekdmorganfainberg: :(((( so i'd say CERN trip and some of Geneva.17:17
morganfainbergsamuelms: Lyon is one of the places I'd move to if I had the chance.17:17
marekdmorganfainberg: why?17:17
samuelmsmorganfainberg, yes .. absolutely, Lyon is amazing17:17
morganfainbergmarekd: why Lyon or why limited time? Lyon because I have friends there and it's great.17:18
* marekd is wondering if we are talking about the same Lyon :P17:18
marekdmorganfainberg: why Lyon17:18
samuelmshehe17:19
marekdit's nice city but nothing that amazing in my opinion. Maybe that's because i went there for trips only.17:19
marekdmorganfainberg: ok, drop me an e-mail, i need to disappear for ~1h.17:20
*** david-lyle has joined #openstack-keystone17:20
*** lufix has joined #openstack-keystone17:20
morganfainbergmarekd:  will do post meeting.17:21
*** david-lyle has quit IRC17:29
*** david-lyle has joined #openstack-keystone17:29
*** lufix has quit IRC17:30
ayoungdstanek, are bitwise operators the right way to do Boolean logic in python?  Like all the &=  here https://review.openstack.org/#/c/126897/5/keystone/trust/controllers.py,cm  ?17:32
dstanekayoung: use 'and' and 'or' for boolean logic - bitwise are really for mathematical things17:33
ayoungdstanek, he's doing it to maintain a 'valid' bool using &=.  I think the right approach is to throw and exception at each possible failure point anyway17:34
ayoungmorganfainberg, now that we have multiple backends for id, and users are cheap, can we say that all oauth consumers are users, and merge trusts and oauth into a single delegation mechanism?  Please?17:36
ayoungHeh.  "users are cheap" can mean so many things17:36
*** david-lyle has quit IRC17:39
dstanekayoung: jas on a call17:39
navid_@dolphm: hi how can i add a review to this https://review.openstack.org/#/c/8116617:39
*** david-lyle has joined #openstack-keystone17:39
ayoungnavid_, hey17:39
ayoungyou want to update that review?17:40
navid_@dolphm: I used this:git remote add gerrit ssh://Navid@review.openstack.org:29418/openstack/python-keystoneclient refs/changes/66/81166/3017:40
navid_@ayoung: yes17:40
ayoungnavid_, no need for @ in IRC.  Here @ is for email addresses17:40
ayoungheh17:40
ayoungnavid_, OK,  so you probably want to get git-review installed17:41
ayoungyum, apt,  or pip all work.17:41
ayoungI think pip is your best bet, as that is the latest17:41
navid_ayoung: I installed it17:42
ayoungnavid_, should just be `git review` after that17:42
*** navid_ has quit IRC17:42
morganfainberg@ayoung, but I like the @ in IRC17:43
*** edmondsw has joined #openstack-keystone17:43
rodrigodslol17:43
ayoungmorganfainberg, @ goes after the username, not before17:43
rodrigodshashtags are channels, though =/17:43
ayoungflipping twits17:43
*** navid_ has joined #openstack-keystone17:43
morganfainbergayoung@ am I doing it rite?17:43
ayoungyes17:43
morganfainbergayoung@ great!17:44
navid_ayoung: then i used git review17:45
*** amcrn has joined #openstack-keystone17:45
ayounglooking.  But we should have seen a notification here in channel...17:45
ayoungnavid_, anything in your command prompt to suggest it didn't get sent?17:46
morganfainbergayoung: only for master changes. If it's any other branch... No notification17:46
ayoungmorganfainberg, that should be master17:46
morganfainbergK17:47
ayoungand the review didn't go through, but it is based on a handful of other changes,17:47
ayoungguessing a rebase problem in there somewhere17:47
morganfainbergThe bot may also have died. (Happens a lot). But if the change isn't there, that's a diff story.17:47
navid_ayoung: Errors running git rebase -p -i remotes/gerrit/master Cannot rebase: You have unstaged changes. Please commit or stash them.17:47
morganfainbergAhh17:47
dolphmnavid_: git-review --download <review-number>17:47
ayoungnavid_, I couldn't have said that clearer myself:  You have unstaged changes. Please commit or stash them.17:48
dolphmnavid_: make your changes, git commit --amend, and then git-review to upload a revision17:48
ayoung++17:48
morganfainbergayoung: oauth users are really just federated users. Right? Just not SAML based17:50
ayoungum...well, sort of?17:51
ayoungthey are "consumers" not "users"17:51
morganfainbergSure.17:51
ayoungSo, I would treat them as federated users17:51
morganfainbergI meant functionally (not necessarily in keystone)17:51
*** aix_ has quit IRC17:52
ayoungprobably should make a dedicated oauth domain and put all of the consumers in there as users17:52
ayoungI mean, they won't go through the Federation token process, cuz they can only get tokens via oauth17:52
morganfainbergWorth thinking about, as long as we don't break the current oauth user workflow. (We made our bed we get to sleep in it)17:52
gyeetopol, stevemar, we have no CADF for project creation/deletion?17:53
morganfainbergOk walking back home/to my desk for the meeting. Might be a minute late or so starting it.17:53
ayoungmorganfainberg, it would only be an issue today if:  someone was running both oauth (stored in SQL) and LDAP for identity.17:53
ayoungnot multi-backend identity with LDAP in its own domain17:53
stevemargyee, just a notification17:54
gyeestevemar, will you object if I add CADF to project? we need it to track billing and metering17:55
topolgyee, did you find me my next work item?17:55
topolgyee sure17:55
gyeetopol, please17:55
topolgyee you want it or you want me to do it. or together?17:55
stevemargyee, why doesn't the regular notification work? (just curious...)17:55
stevemarwhat info are you auditing? who did the project create/delete?17:56
gyeestevemar, we need end-to-end trace, and CADF is a mechanism17:56
gyeestevemar, yes, we need to know who f it up17:56
stevemargyee, ain't that always the case, someone f ing something up17:56
gyee:)17:57
gyeebut now we have the evidence17:57
gyeevia CADF17:57
stevemarexactamundo17:58
*** thedodd has quit IRC17:58
*** henrynash has joined #openstack-keystone18:00
rodrigodsamakarov, ping18:03
amakarovrodrigods, pong )18:03
*** browne has joined #openstack-keystone18:03
rodrigodsamakarov, did you see my reply in HM patch?18:03
*** d0ugal has quit IRC18:04
amakarovrodrigods, yes - just have forgotten to commit mine :) look18:06
rodrigodsamakarov, ++18:06
*** d0ugal has joined #openstack-keystone18:06
*** d0ugal is now known as Guest8657818:06
amakarovrodrigods, I don't know if it's time to change data model like that, but if you want to handle tree structure effectively, you definitely need a way to flatten it somehow18:08
amakarovrodrigods, I know MPTT and MP18:08
rodrigodsamakarov, yeah... you are right, the MPTT thing is awesome =)18:08
rodrigodshaven't heard about it until your comment18:08
amakarovrodrigods, not always18:08
amakarovrodrigods, it has a performance issue18:09
amakarovrodrigods, updates are heavy18:09
rodrigodsamakarov, yeah... really heavy18:09
rodrigodseverything in life is a trade off right? =)18:09
amakarovI recommend to google for materialized path18:10
amakarovI used it in a commercial project - it really kicks ass )18:10
rodrigodswill do18:10
*** radez is now known as radez_g0n318:11
*** afazekas has joined #openstack-keystone18:11
amakarovrodrigods, since we use mysql as an RDBMS, we can use array field for path with all that bells and whistles like indexes18:12
amakarovsame for postgres18:12
rodrigodsamakarov, materialized path?18:13
* rodrigods not googled yet18:13
amakarovrodrigods, read my comment in review - i described MP there18:15
rodrigodsamakarov, sorry, didn't find the comment explaining18:16
amakarovrodrigods, strange - it's still a draft...18:21
*** thedodd has joined #openstack-keystone18:22
amakarovrodrigods, my mistake ) done.18:23
*** afazekas has quit IRC18:24
rodrigodsamakarov, ++ looks better than MPTT, and the update is also trivial18:24
rodrigodsamakarov, 1 query to get the subtree, 1 query to get the parents and 1 query to update the tree (project creation)18:25
rodrigodsreally awesome18:25
amakarovrodrigods, welcome )18:26
*** nkinder is now known as not_jamielennox18:34
*** not_jamielennox is now known as nkinder18:37
*** radez_g0n3 is now known as radez18:49
*** vsilva` is now known as vsilva18:51
morganfainbergsession name: Policy Discussion of Doom, DOOM I say.19:00
morganfainbergi mean ... *shiftyeyes*19:00
bknudsonit would be interesting to know from ops if the way openstack does policy meets what they need19:01
stevemarmorganfainberg, i'm gonna wrangle up tqtran for the federation/horizon stuff19:02
morganfainbergbknudson, that is a good thing to get into the ops session19:02
morganfainbergtopol, ^19:02
morganfainbergstevemar, great.19:02
stevemarmorganfainberg, he's been working with horizon for a while now, and i want to toss him in the deep end, err.. i mean get his feet wet19:03
morganfainbergstevemar, also poke at david-lyle about that19:03
stevemarfo sho19:03
*** shakayumi has quit IRC19:04
*** shakayumi has joined #openstack-keystone19:04
david-lylewe talkin' policy?19:05
stevemardavid-lyle, nah, SSO19:05
stevemardavid-lyle, i'm requesting your presence on thursday at the summit, at 9:5019:06
amakarovmorganfainberg, can you please direct me where that fearsome "token problem" described? :)19:06
david-lyleah, I don't have a very big soap-box for that19:06
stevemardavid-lyle, info here https://etherpad.openstack.org/p/kilo-keystone-summit-topics19:06
morganfainbergif you're leading a session (or even if you're not) please feel free to help update the descriptions in the etherpad / goals for a session19:06
stevemarwait a tick... i think thats the time for my talk19:06
morganfainbergstevemar, i'm willing to try and trade someone for a slot if needed.19:07
* morganfainberg looks to david-lyle ;)19:07
* david-lyle trying to remember when the horizon slots are19:07
morganfainbergsince keystone/horizon have limited overlap.19:07
david-lyleI think they're all in the PM19:07
morganfainbergyou have 2 morning ones i think19:07
* morganfainberg was looking19:07
david-lyleshows what I know19:07
morganfainbergthe goal was to make sure the SSO one didn't overlap19:07
stevemarmorganfainberg, nope, i'm going up on wednesday19:08
david-lyleI would appreciate19:08
morganfainbergdavid-lyle, i'll also make sure the policy one isn't an overlap if at all possible19:08
david-lylemorganfainberg, do you have thierry's link handy?19:08
david-lyleyes please19:08
*** marcoemorais has quit IRC19:08
david-lyleI've been living that pain for some time now19:08
morganfainbergdavid-lyle, i know you have, thats why i started that convo on the ML19:08
david-lyletrying to get to the ML thread19:09
david-lylestill unburying19:09
morganfainbergit *is* a problem and we need to solve it.19:09
* david-lyle I hope this is dirt19:09
david-lyle++19:09
lhchengstevemar:  "keystone to keystone federation" is this something for kilo?19:09
stevemarlhcheng, it's experimental in juno19:10
david-lylemorganfainberg, I'll have a horizon/keystone topic session too19:10
stevemarand the goal is to make it awesome in kilo19:10
morganfainbergdavid-lyle, ah cool, lets see if we can get those next to each other (ours and yours)19:10
morganfainbergso we can continue the conversation with the same group(s) of people19:10
david-lylethat's my hope19:10
morganfainbergmy guess is the policy discussion of doom will be a morning session on Thursday.19:11
morganfainbergjust a hunch based on schedules19:11
openstackgerritA change was merged to openstack/keystonemiddleware: Encode middleware error message as bytes  https://review.openstack.org/12345119:11
lhchengstevemar: ++ for making features awesome.19:13
morganfainbergoh ops summit is thursday19:13
morganfainbergdoh*19:13
david-lylewell that blows19:15
david-lyleI have 4 Horizon sessions that day19:15
morganfainbergyeah19:15
morganfainbergthere is also ops summit on monday19:15
morganfainbergwow that is a *lot* of ops summit19:15
*** Guest18588 is now known as mfisch19:16
*** mfisch has joined #openstack-keystone19:16
*** marcoemorais has joined #openstack-keystone19:16
morganfainbergdavid-lyle, ok so i think the best bet will be to make the horizon side of the cross-project topic to be 1430 on tuesday19:17
morganfainbergdavid-lyle, no overlap, and it will only be a couple sessions apart from the keystone19:17
*** _cjones_ has quit IRC19:17
lbragstadmorganfainberg: do you remember seeing something on the Kilo session etherpad about running keystone with different pythons (i.e. jython, pypy, etc?)19:17
*** _cjones_ has joined #openstack-keystone19:18
morganfainbergdavid-lyle, or i could move the keystone one to the afternoon at 1630 if we really want them to be next to each other19:18
morganfainberglbragstad, CI.19:18
lbragstadmorganfainberg: gotcha, thanks!19:18
morganfainberglbragstad, i made a comment we should gate on that external CI if possible (e.g. RAX does it)19:18
david-lyleI have thursday morning sessions right after yours, too19:20
david-lyleoops, didn't read back far enough19:20
morganfainbergi really wish sched would let me filter on *two* projects19:20
morganfainbergdavid-lyle, yeah i want to keep the auth/client/policy discussions for thursday so we can keep them bundled on that day, meaning SSO/federation goes on wed.19:22
*** _cjones_ has quit IRC19:22
morganfainbergdavid-lyle, ok i'm going to move the keystone ops session to 1720, and the SSO/federation one to the one right after yours19:26
morganfainbergso lets do horizon side 1530 on wed?19:26
*** thedodd has quit IRC19:27
*** david-lyle_ has joined #openstack-keystone19:29
stevemarmorganfainberg, on the topic of migrating to graduated oslo libraries, create a spec or no?19:30
morganfainbergstevemar, nah.19:30
stevemarmorganfainberg, fair enough19:30
*** david-lyle has quit IRC19:33
*** amakarov is now known as amakarov_away19:35
*** david_lyle__ has joined #openstack-keystone19:35
*** thedodd has joined #openstack-keystone19:38
*** david-lyle has joined #openstack-keystone19:38
*** wwriverrat1 has left #openstack-keystone19:38
*** david-lyle_ has quit IRC19:39
*** david_lyle__ has quit IRC19:40
raildoayoung, ping19:40
ayoungraildo, sorry, I have notoriously long ping times19:42
*** david-lyle_ has joined #openstack-keystone19:42
raildoayoung, haha no problem19:42
raildoayoung, I'm working on the bug to revoke tokens if the IdP is deleted.19:43
*** david-lyle has quit IRC19:43
ayoungyep,  and I'm thrilled19:44
raildoWe could reproduce the bug and implement a solution19:44
*** david_lyle__ has joined #openstack-keystone19:44
raildoso, we implement the solution  here https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L90519:44
raildoAt this point we get the IdP's token and validate it.19:45
*** david-lyle has joined #openstack-keystone19:46
raildoBut when we execute any call on openstack client,  it does not go through this code19:46
raildothis is not the correct place for this implementation?19:46
ayoungkeystoneclient/middleware is not used anywhere anymore19:47
*** david-lyle_ has quit IRC19:47
ayoungits in keystonemiddleware, and it is only for the servers19:47
ayoungmorganfainberg, can we remove the python-keystoneclient version of middleware/auth_token.py  yet?19:47
rodrigodsayoung, raildo, this was just a PoC, right?19:47
rodrigodsto ease the testing19:47
ayoungsure19:47
morganfainbergno19:47
*** david-lyle_ has joined #openstack-keystone19:47
morganfainbergayoung, likely not until M cycle19:47
ayoungOK19:47
ayoungneed to put a message in there "DO NOT USE"19:48
morganfainbergayoung, there is a deprecation warning iirc19:48
ayoungthat too19:48
ayoungraildo, so, the clients never validate tokens anyway19:48
ayoungits only the middleware that validates19:49
raildoayoung, ok19:49
stevemarbknudson, morganfainberg why is it that when i change this line to oslo.config.generator it breaks everything https://github.com/openstack/keystone/blob/master/tools/config/generate_sample.sh#L12419:49
*** _cjones_ has joined #openstack-keystone19:49
*** david_lyle__ has quit IRC19:49
raildoayoung, I will modify the implementation, thank you19:49
*** david-lyle has quit IRC19:50
ayoungtellesnobrega, raildo why isn't this named _list_project_parents    https://review.openstack.org/#/c/117785/23/keystone/assignment/core.py,cm19:51
*** david_lyle__ has joined #openstack-keystone19:51
ayoungline 47519:52
rodrigodsayoung, we are following the pattern in the code19:52
rodrigodscheck list_projects_in_domain()19:52
stevemardstanek, dolphm same question for you guys, ^19:52
ayoungif it is internal, it should be named as such19:52
stevemarmorganfainberg, fwiw -> trying to track all this https://etherpad.openstack.org/p/keystone-move-to-oslo-libraries19:53
*** david_lyle has joined #openstack-keystone19:53
dstanekstevemar: i'm not sure, but i remember talk of oslo.config's generator being different in some way19:53
rodrigodsayoung, there is a reason for not being _list_projects_in_domain() ?19:53
stevemardstanek, seems like a waste to rely on the sync'ed version when we have the library handy19:54
ayoungrodrigods, not that I am aware of.  I suspect it was originally not expected to be private19:54
*** david-lyle_ has quit IRC19:54
rodrigodsayoung, ok, so will add the _19:54
ayoungyeah, I think that is the right change.  ask henrynash about the other19:55
stevemardstanek, errr... it looks like config.py was removed from incubator19:55
tellesnobregathanks rodrigods19:56
stevemarhttps://github.com/openstack/oslo-incubator/tree/master/openstack/common19:56
*** david_lyle__ has quit IRC19:56
*** david-lyle has joined #openstack-keystone19:56
morganfainbergstevemar, we have a couple keystoneclient things that need to move to oslo libs from incubator as well19:57
stevemarmorganfainberg, yeah, tallying that up now19:58
rodrigodsayoung, is it ok to access an external class private method?19:58
rodrigodslike, self.driver._list_project_parents()19:58
rodrigodsbecause their implementation is different for each backend19:58
*** david_lyle has quit IRC19:59
stevemartheres a 'module=install_venv_common' in ksc, but shouldn't that be 'script=tools/install_venv_common' ...20:00
ayoungrodrigods, ah, so this is something called from the drivers?20:00
rodrigodsayoung, yep20:01
ayounghmmm,  no clue.  probably OK to leave as is20:01
rodrigodsayoung, ++20:03
lhchengnot that much, I think the familiar names would be: josh harlow and mark mcclain20:03
lhchengoops wrong window, (facepalm)20:03
*** Kui has joined #openstack-keystone20:03
morganfainbergdolphm, ok i think we will classify BPs as "priority 'not'" if they need specs20:04
*** shakayumi has quit IRC20:04
morganfainbergdolphm, looks like all the other fields are settable by non-drivers20:04
*** shakayumi has joined #openstack-keystone20:05
*** david-lyle has quit IRC20:06
*** edmondsw has quit IRC20:13
*** _cjones_ has quit IRC20:16
*** Kui has quit IRC20:16
*** Kui has joined #openstack-keystone20:16
morganfainbergstevemar, topol: https://blueprints.launchpad.net/keystone/+spec/cadf-project-operations and https://blueprints.launchpad.net/keystone/+spec/cadf-notifications-everywhere which one wins?20:18
*** _cjones_ has joined #openstack-keystone20:19
openstackgerritSteve Martinelli proposed a change to openstack/keystone: try removing oslo.config  https://review.openstack.org/12844020:19
*** shakayumi has quit IRC20:20
stevemarmorganfainberg, you decide :P in case the everywhere option isn't popular we can still do projects20:20
*** shikui_ has joined #openstack-keystone20:20
*** shakayumi has joined #openstack-keystone20:20
morganfainberguh20:20
morganfainberglets do it as "everywhere"20:20
morganfainbergplease merge them / mark topol's as superseded.20:21
r1chardj0n3sayoung: just FYI, it looks like the CORS middleware is going to be nixed from oslo.middleware and we'll just use a generic 3rd party wsgi middleware, since there's no longer anything OpenStack specific '20:21
dstanekstevemar: in Keystone i changed it to be explicit about the tools path20:21
topolmorganfainberg, works for me20:21
ayoungr1chardj0n3s, do you have a link to the one we are considering?20:21
r1chardj0n3sayoung: also, the angularjs prototype not using CORS is coming along swimmingly - I'd be interested to know your thoughts about using different auth mechanisms20:22
stevemardstanek, i tossed up a patch20:22
stevemarhttps://review.openstack.org/#/c/128440/1/etc/keystone.conf.sample20:22
ayoungr1chardj0n3s, fantastic20:22
r1chardj0n3sayoung: a quick search found wsgicors, but I've not fully looked at it20:22
*** shikui__ has joined #openstack-keystone20:23
ayoungso there is not an obvious project?20:23
r1chardj0n3sayoung: https://github.com/r1chardj0n3s/angboard if you have time :)20:23
r1chardj0n3sayoung: it's the top hit on pypi for wsgi cors middleware, and looks reasonable at first glance20:23
*** Kui has quit IRC20:23
ayoungr1chardj0n3s, you managed to merge Tolkien with Rock Climbing in that project name20:23
r1chardj0n3sayoung: ;)20:23
morganfainbergstevemar, https://blueprints.launchpad.net/keystone/+spec/openid-connect please revisit and poke at the status of that.20:24
r1chardj0n3sayoung: (you're the only person so far to make that connection)20:24
*** shikui_ has quit IRC20:25
ayounghttp://www.younglogic.com/images/left.png20:25
stevemarmorganfainberg, it definitely isn't blocked20:25
morganfainberggyee, nkinder, ayoung, bknudson, we have this functionality right: https://blueprints.launchpad.net/keystone/+spec/ldap-posixgroup-support20:26
ayoungr1chardj0n3s, I def need to play around with that20:27
ayounglooking20:27
*** topol has quit IRC20:27
bknudsonmorganfainberg: nope20:27
nkindermorganfainberg: yes, I was using that functionality a few days ago20:27
nkinderwell, I was able to use posixGroup with full DN member attributes20:27
ayoungmorganfainberg, I think that requires the nested20:27
morganfainbergoh no, i have conflicting answers! HTTP 30020:27
*** Kui has joined #openstack-keystone20:28
nkinderah, this is for non-compliant groups that just use uid (like memberUID)20:28
bknudsonour ldap implementation expects member to be the full dn20:28
morganfainbergah20:28
nkindermine expects full DN too (that's more standard)20:28
morganfainbergi'm going to say we should bug track that *not* bp it.20:28
nkindermorganfainberg: I'll check my installation and evaluate that bug a bit later this afternoon20:29
bknudsonit's not a bug, it's working as designed20:29
morganfainbergok so ... obsolete not applicable20:29
morganfainbergbknudson, mind commenting and marking the bp as obsolete20:29
morganfainbergor superseded *doesn't matter which*20:30
ayoungr1chardj0n3s, I thinky you have a type20:30
ayoungtypo20:30
*** david-lyle has joined #openstack-keystone20:30
bknudsonmorganfainberg: why is it obsolete?20:30
r1chardj0n3sayoung: yus?20:30
ayoungr1chardj0n3s,  (install ruby / gem per your operating system)20:30
ayounggem install compass20:30
morganfainbergbknudson, limited functionality to "close" bps.20:30
ayoungYou can't really mean that you've built Ruby into your solution, right?20:31
bknudsonmorganfainberg: what do I set to mark it obsolete? there's lots of fields here.20:31
morganfainbergbknudson, definition20:31
bknudsonmorganfainberg: is there a wiki page?20:31
r1chardj0n3sayoung: unfortunately, rubby and the node.js programming language are where the modern web development toolchain is at :(20:31
ayoungcompass for compiled CSS http://compass-style.org/help/20:31
*** shikui__ has quit IRC20:31
morganfainbergbknudson, LP's fields suck :P20:31
morganfainbergand i can't believe there isn't a "No we don't want this" option in LP20:32
ayoungI understand the need for the node module management20:32
ayoungcan we get rid of the ruby?20:32
bknudsonmorganfainberg: this might be useful... I was just saying that it's not implemented yet.20:32
morganfainbergbknudson, ah ok20:32
bknudsonand it doesn't look like anyone is signed up to do it.20:32
morganfainbergright. it's one of those... i want to close-up the BPs so we have something manageable to work from20:33
ayoungr1chardj0n3s, I know that django already has/does something along these lines.  If it is just for performance, lets skip that for now20:33
r1chardj0n3sayoung: ok, so this is a prototype, and if some less-rubby alternative to compass is proposed, sure, but for now, it's the one to use20:33
ayoungis there any real need for compiled css?20:33
r1chardj0n3sayoung: the compiled css came with the project bootstrapper I used, and I had very little interest in messing about in that dimension of the prototype (also, compiled css can be very handy)20:34
*** marcoemorais has quit IRC20:35
r1chardj0n3sayoung: basically, I am more interested in other aspects of the prototype, and using a bootstrapper to get the project started meant I didn't have to fart around with irrelevant details under the hood, I could just do the interesting part of the prototype20:35
*** marcoemorais has joined #openstack-keystone20:35
morganfainberggyee, https://blueprints.launchpad.net/keystone/+spec/service-metadata20:35
*** marcoemorais has quit IRC20:36
*** marcoemorais has joined #openstack-keystone20:36
ayoungr1chardj0n3s, fair enough.  Just be aware how complex that pulling in ruby can make the whole scenario20:36
*** openstackgerrit has quit IRC20:36
*** marcoemorais has quit IRC20:36
r1chardj0n3sayoung: sure, but again: prototype :)20:36
*** marcoemorais has joined #openstack-keystone20:36
*** shikui_ has joined #openstack-keystone20:37
ayoungr1chardj0n3s, Rough Draft == Final Copy20:37
r1chardj0n3sayoung: <wink>20:37
r1chardj0n3sayoung: there are some Python tools which purport to do similar things, maybe someone will do the small amount of work to sub one of those in :)20:38
*** Kui has quit IRC20:38
gyeemorganfainberg, we can kill that one20:39
gyeethat was for quota aggregation and enforcement20:39
*** shikui_ has quit IRC20:42
*** andreaf has joined #openstack-keystone20:46
*** nellysmitt has quit IRC20:46
*** nellysmitt has joined #openstack-keystone20:47
morganfainbergdolphm, gyee, stevemar , ayoung, nkinder, topol, henrynash, dstanek, lbragstad, bknudson, https://review.openstack.org/#/c/116699/ that is the trivial bp guidelines for nova.20:47
stevemarso many checkmarks20:47
bknudsonwe should document our process, too.20:48
morganfainbergbknudson, +++++20:48
gyeeyes, I like that20:49
*** nellysmitt has quit IRC20:51
*** gyee has quit IRC20:57
*** lhcheng has quit IRC20:58
*** lhcheng has joined #openstack-keystone20:58
*** lhcheng has quit IRC20:59
*** lhcheng has joined #openstack-keystone20:59
*** lhcheng has quit IRC21:00
*** lhcheng has joined #openstack-keystone21:00
morganfainbergbknudson, https://blueprints.launchpad.net/keystone/+spec/v3-extension-adv json-home addresses this right?21:02
morganfainbergor somewhat?21:02
*** lhcheng has quit IRC21:02
bknudsonmorganfainberg: json-home covers this.21:02
morganfainberggreat21:02
*** marcoemorais has quit IRC21:04
*** marcoemorais has joined #openstack-keystone21:05
*** andreaf has quit IRC21:08
morganfainbergdstanek, this is largely implemented right: https://blueprints.launchpad.net/keystone/+spec/more-code-style-automation ?21:09
morganfainbergdstanek, or are we only partially there?21:09
*** marekd is now known as marekd|away21:09
* ayoung has that good feeling that comes from realizing a spec is "missing" because it has been approved. 21:12
*** zigo has quit IRC21:16
navid_ayoung: hi I submitted for review and i got the following: remote: Resolving deltas: 100% (17/17) remote: Processing changes: updated: 1, refs: 1, done     To ssh://Navid@review.openstack.org:29418/openstack/python-keystoneclient  * [new branch]      HEAD -> refs/publish/master/bp/revocation-event-api21:17
*** lhcheng has joined #openstack-keystone21:17
ayoungnavid_, cool21:19
*** Kui has joined #openstack-keystone21:21
ayoungnavid_, I'm going to clean up the commit message.  Removing the file list etc21:21
*** andreaf has joined #openstack-keystone21:22
navid_ayoung: I am looking into 2 min tokens, and come back later to ask questions21:22
navid_ayoung: sorry about that21:23
rodrigodsayoung, https://review.openstack.org/#/c/117785/24/keystone/assignment/core.py those methods weren't necessary at all =)21:23
ayoungnavid_, rock on!21:23
ayoungrodrigods, cool21:23
*** gyee has joined #openstack-keystone21:30
*** _cjones_ has quit IRC21:31
*** _cjones_ has joined #openstack-keystone21:31
*** _cjones_ has quit IRC21:36
*** _cjones_ has joined #openstack-keystone21:36
*** gordc has quit IRC21:38
*** harlowja is now known as harlowja_away21:39
stevemarhmm, no automatic notification about client change?21:50
ayoungnkinder, what was the commit for openstack client that I need to have for the auth plugins?21:52
ayoung0c77a9fe8baa4df9ea2d0055db9c700af3cae310   Support for keystone auth plugins21:52
ayoung?21:52
nkinderayoung: https://review.openstack.org/#/c/108325/21:52
ayoungnkinder, good.  I have that...testing now21:52
*** morganfainberg has left #openstack-keystone21:53
*** morganfainberg has joined #openstack-keystone21:53
ayoungand after rebasing I get21:54
ayoung$openstack hypervisor list21:54
ayoungERROR: openstack 'Namespace' object has no attribute 'os_auth_plugin'21:54
*** ChanServ sets mode: +o morganfainberg21:54
*** morganfainberg changes topic to "Now open for Kilo development! Blocking reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Tentative Keystone Design Session Schedule: https://etherpad.openstack.org/p/kilo-keystone-summit-topics"21:54
ayoungERROR: openstack SSL exception connecting to https://ayoungf20packstack.cloudlab.freeipa.org/keystone/main/v2.0/tokens21:54
*** ChanServ sets mode: -o morganfainberg21:54
ayoungbetter...I think21:54
stevemarbknudson, morganfainberg does this change make sense? https://review.openstack.org/#/c/128455/21:55
morganfainbergstevemar, does that work?21:56
stevemarmorganfainberg, it works in keystone server21:56
morganfainbergsure then... seems reasonable21:57
stevemarhttps://github.com/openstack/keystone/blob/master/openstack-common.conf21:57
morganfainbergto me21:57
ayoungopenstack: error: argument --os-auth-plugin: invalid choice: 'kerberos' (choose from 'v2token', 'v2password', 'v3password', 'v3scopedsaml', 'v3unscopedadfs', 'token', 'v3token', 'password', 'v3unscopedsaml')21:57
gyeestevemar, do you have a nice slide/picture on K2K?21:57
stevemargyee, i can share something with you on google docs if you PM your gmail address21:58
dstanekmorganfainberg: partially right now, i think i got halfway through the list22:01
morganfainbergdstanek, ah22:01
stevemarmarekd|away, great job on the slides!22:02
*** ayoung has quit IRC22:03
*** dims_ has joined #openstack-keystone22:04
dstanekmorganfainberg: i actually had duplicate blueprints22:05
morganfainbergdstanek, you close one out then?22:05
*** dims_ has quit IRC22:06
dstanekmorganfainberg: yes22:06
*** dims_ has joined #openstack-keystone22:07
*** dims has quit IRC22:07
dstanekmorganfainberg: i abandoned the reviews for this since nobody seems to want this anymore - should this be a priority 'Not'?22:09
morganfainbergdstanek, either "not" or we can close the BP completely22:10
morganfainbergdstanek, your call22:10
dstanekmorganfainberg: if it's closed is it still viewable/searchable?22:11
morganfainbergdstanek, no.22:11
morganfainbergdstanek, bps become hard to find when closed completely22:11
morganfainbergdstanek, i think this is where wishlist bugs win out22:11
*** dims_ has quit IRC22:12
dstanektoo bad there isn't a 'convert to bug' button - i'll mark it as not for now and close it out next week if there is no feedback22:13
dstanekmorganfainberg: does anyone have access to restore it if we want it back after closing?22:13
*** jorge_munoz has quit IRC22:13
morganfainbergdstanek, if you go directly to the bp link, we can change the status (anyone really can)22:13
morganfainbergnot even restricted to keystone drivers it looks like22:14
dstanekok, cool - i have a note to close after next week's meeting22:16
morganfainbergthnx22:16
morganfainbergi've cleaned up a bunch of bps (we had a bunch of duplicates)22:17
morganfainbergamong other things22:17
*** henrynash has quit IRC22:18
nkindermorganfainberg: so this bp is valid still - https://blueprints.launchpad.net/keystone/+spec/ldap-posixgroup-support22:19
nkindermorganfainberg: but it's not a high priority.  Most people are using groupOfNames or similar, where the member attribute is a full DN22:19
*** dims has joined #openstack-keystone22:19
morganfainbergnkinder, ok, now the question is, it is a BP or wishlist bug?22:20
nkindermorganfainberg: but this feature adds flexibility22:20
morganfainbergor something else22:20
morganfainbergi'll mark it as priority "not" pending approval22:20
morganfainbergwe can revisit22:20
nkindermorganfainberg: well, I think we'd welcome this if someone wanted to contribute it22:21
morganfainbergright.22:21
nkindermorganfainberg: but I don't see a reason to focus on it22:21
morganfainbergsounds good22:21
*** stevemar has quit IRC22:21
*** dims is now known as dimsum_22:22
*** dimsum_ is now known as dims22:22
*** dims has quit IRC22:22
*** dims has joined #openstack-keystone22:23
*** harlowja_away is now known as harlowja22:25
*** andreaf has quit IRC22:27
*** andreaf has joined #openstack-keystone22:28
*** ChanServ sets mode: +o morganfainberg22:46
*** thedodd has quit IRC22:47
*** browne has quit IRC23:00
*** openstackgerrit has joined #openstack-keystone23:01
*** amerine has quit IRC23:04
*** amerine has joined #openstack-keystone23:05
*** dims has quit IRC23:12
*** dims has joined #openstack-keystone23:13
*** zzzeek has quit IRC23:21
*** dims has quit IRC23:22
*** marcoemorais has quit IRC23:23
*** david-lyle has quit IRC23:24
*** marcoemorais has joined #openstack-keystone23:24
*** marcoemorais has quit IRC23:24
*** marcoemorais has joined #openstack-keystone23:24
*** andreaf has quit IRC23:41
*** andreaf has joined #openstack-keystone23:42
*** amerine has quit IRC23:47
*** sigmavirus24 is now known as sigmavirus24_awa23:51
*** amerine has joined #openstack-keystone23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!