Thursday, 2014-10-23

*** cjellick has quit IRC [00:00]
*** zzzeek has quit IRC [00:03]
*** marcoemorais has quit IRC [00:07]
*** marcoemorais1 has joined #openstack-keystone [00:07]
*** gokrokve has quit IRC [00:09]
*** gokrokve has joined #openstack-keystone [00:09]
*** marcoemorais1 has quit IRC [00:10]
*** marcoemorais has joined #openstack-keystone [00:11]
*** gokrokve has quit IRC [00:22]
*** gokrokve has joined #openstack-keystone [00:24]
*** bknudson has joined #openstack-keystone [00:27]
*** david_lyle__ has joined #openstack-keystone [00:30]
*** raildo_ has joined #openstack-keystone [00:30]
*** david_lyle__ is now known as david_lyle [00:31]
*** bknudson has quit IRC [00:31]
*** david-lyle_ has quit IRC [00:33]
*** marcoemorais has quit IRC [00:35]
*** marcoemorais has joined #openstack-keystone [00:36]
*** marcoemorais has quit IRC [00:37]
<openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Move unit tests from test_backend_ldap
*** raildo_ has quit IRC [00:42]
*** jacer_huawei has joined #openstack-keystone [00:45]
*** bknudson has joined #openstack-keystone [00:48]
*** gokrokve_ has joined #openstack-keystone [00:51]
*** gokrokve_ has quit IRC [00:51]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Remove string from URL in list_revoke_events()
*** gokrokve_ has joined #openstack-keystone [00:52]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Remove string from URL in list_revoke_events()
*** gokrokve has quit IRC [00:53]
<openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Change tenant to project
<openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Correct tests to use strings in conf
<openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options
<openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Change admin user to service user.
<openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Change occurrences of keystone to identity server
*** _cjones_ has quit IRC [01:02]
*** _cjones_ has joined #openstack-keystone [01:03]
*** raildo_ has joined #openstack-keystone [01:05]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/python-keystoneclient: Improves feedback message in SSL error
*** _cjones_ has quit IRC [01:07]
*** gokrokve_ has quit IRC [01:07]
*** r1chardj0n3s is now known as r1chardj0n3s_afk [01:18]
*** gokrokve has joined #openstack-keystone [01:20]
*** gokrokve has quit IRC [01:24]
*** stevemar has joined #openstack-keystone [01:26]
*** gokrokve_ has joined #openstack-keystone [01:27]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/python-keystoneclient: Improves feedback message in SSL error
<openstackgerrit> A change was merged to openstack/keystonemiddleware: Updated from global requirements
<openstackgerrit> A change was merged to openstack/keystone: Imported Translations from Transifex
*** sigmavirus24_awa is now known as sigmavirus24 [01:43]
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Updated from global requirements
*** dims has quit IRC [01:58]
*** dims has joined #openstack-keystone [01:58]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Remove string from URL in list_revoke_events()
*** tellesnobrega has quit IRC [02:00]
*** gokrokve has joined #openstack-keystone [02:01]
*** gokrokve has quit IRC [02:01]
*** dims has quit IRC [02:03]
*** richm has quit IRC [02:03]
*** gokrokve_ has quit IRC [02:04]
*** diegows has joined #openstack-keystone [02:04]
*** nkinder has joined #openstack-keystone [02:07]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Remove string from URL in list_revoke_events()
*** lhcheng has quit IRC [02:23]
*** david_lyle has quit IRC [02:24]
*** david-lyle has joined #openstack-keystone [02:25]
*** lhcheng has joined #openstack-keystone [02:32]
*** diegows has quit IRC [02:34]
*** alex_xu has joined #openstack-keystone [02:35]
*** tellesnobrega has joined #openstack-keystone [03:02]
*** _cjones_ has joined #openstack-keystone [03:04]
*** raildo_ has quit IRC [03:05]
*** lhcheng has quit IRC [03:15]
*** r1chardj0n3s_afk is now known as r1chardj0n3s [03:16]
*** r-daneel has joined #openstack-keystone [03:22]
*** sigmavirus24 is now known as sigmavirus24_awa [03:23]
*** _cjones_ has quit IRC [03:28]
*** _cjones_ has joined #openstack-keystone [03:28]
*** r-daneel has quit IRC [03:30]
*** zzzeek has joined #openstack-keystone [03:36]
*** harlowja is now known as harlowja_away [03:39]
*** gokrokve has joined #openstack-keystone [03:49]
*** gokrokve has quit IRC [04:02]
*** gokrokve has joined #openstack-keystone [04:02]
*** topol has joined #openstack-keystone [04:03]
*** gokrokve has quit IRC [04:07]
*** wwriverrat has joined #openstack-keystone [04:10]
*** wwriverrat has left #openstack-keystone [04:11]
*** lhcheng has joined #openstack-keystone [04:11]
*** alee has quit IRC [04:12]
*** alee has joined #openstack-keystone [04:12]
*** lhcheng_ has joined #openstack-keystone [04:13]
*** lhcheng has quit IRC [04:15]
*** lhcheng_ is now known as lhcheng [04:15]
*** soulxu_ has joined #openstack-keystone [04:34]
*** alex_xu has quit IRC [04:37]
*** marcoemorais has joined #openstack-keystone [04:38]
*** soulxu__ has joined #openstack-keystone [04:39]
*** marcoemorais1 has joined #openstack-keystone [04:40]
*** soulxu_ has quit IRC [04:43]
*** marcoemorais has quit IRC [04:43]
*** soulxu_ has joined #openstack-keystone [04:45]
*** _cjones_ has quit IRC [04:47]
*** _cjones_ has joined #openstack-keystone [04:48]
*** soulxu__ has quit IRC [04:48]
*** mrmoje has joined #openstack-keystone [04:52]
*** alex_xu has joined #openstack-keystone [04:52]
*** _cjones_ has quit IRC [04:52]
*** soulxu_ has quit IRC [04:54]
*** stevemar has quit IRC [04:55]
*** stevemar has joined #openstack-keystone [04:56]
*** lhcheng_ has joined #openstack-keystone [04:57]
*** lhcheng has quit IRC [04:57]
*** lhcheng_ is now known as lhcheng [04:57]
*** soulxu_ has joined #openstack-keystone [04:58]
*** alex_xu has quit IRC [05:02]
*** gokrokve has joined #openstack-keystone [05:03]
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Update docs to no longer show XML support
*** soulxu__ has joined #openstack-keystone [05:04]
*** lhcheng has quit IRC [05:05]
*** lhcheng has joined #openstack-keystone [05:06]
*** gokrokve has quit IRC [05:08]
*** soulxu_ has quit IRC [05:08]
*** stevemar has quit IRC [05:13]
*** dims has joined #openstack-keystone [05:25]
*** soulxu_ has joined #openstack-keystone [05:27]
*** soulxu__ has quit IRC [05:30]
*** dims has quit IRC [05:30]
*** mrmoje has quit IRC [06:01]
*** lhcheng has quit IRC [06:03]
*** gokrokve has joined #openstack-keystone [06:04]
*** lsmola has quit IRC [06:11]
*** openstack has joined #openstack-keystone [06:12]
*** openstackstatus has quit IRC [06:12]
*** gokrokve has quit IRC [06:15]
*** breton_ has joined #openstack-keystone [06:15]
*** breton has quit IRC [06:15]
*** amcrn has quit IRC [06:15]
*** lsmola has joined #openstack-keystone [06:20]
*** zzzeek has quit IRC [06:22]
*** ukalifon1 has joined #openstack-keystone [06:27]
*** _cjones_ has joined #openstack-keystone [06:42]
*** bjornar has quit IRC [06:46]
*** tellesnobrega has quit IRC [06:46]
*** tellesnobrega has joined #openstack-keystone [06:47]
*** openstack has quit IRC [06:59]
*** openstack has joined #openstack-keystone [14:17]
<jamielennox> marekd: yea, that's what i was seeing - which makes the wrapper kind of weird because you can't use the options list to figure out which params belong to which plugins [14:17]
*** openstackstatus has joined #openstack-keystone [14:18]
*** ChanServ sets mode: +v openstackstatus [14:18]
*** joesavak has joined #openstack-keystone [14:19]
<marekd> jamielennox: because most of the plugins do and will in the future share the same set of required options. [14:19]
*** sigmavirus24 is now known as sigmavirus24_awa [14:19]
*** sigmavirus24_awa is now known as sigmavirus24 [14:19]
<ayoung> jamielennox, yeah, I have a similar problem, where the Kerberos plugin basically ignores userid and password, but OSC requires values there [14:19]
<ayoung> the kerberos one really only needs auth_url [14:20]
<jamielennox> ayoung: that's an OSC issue though, not one of mine [14:20]
<jamielennox> i'm pretty sure anyway [14:20]
<ayoung> right, it's how they are using oslo config, if I understand the code [14:20]
<ayoung> jamielennox, it needs to do something like: if no --os-auth-plugin assume --os-auth-plugin v3password and get the params from there, I think [14:21]
<ayoung> pretty soon we'll be reinventing SASL [14:21]
<jamielennox> marekd: you're going to hate this, but i think it might be easier just to fix the BaseSaml class to handle scoping there [14:24]
<marekd> jamielennox: hm, more details? [14:26]
<marekd> the problem is with unscoped/scoped plugins or the wrapper? [14:26]
<jamielennox> marekd: so the structure of the two federated plugins is really similar [14:26]
<jamielennox> ADFS and unscoped essentially share the same get_auth_ref method [14:27]
<jamielennox> and they already report scoping options [14:27]
<marekd> well, get_auth_ref is completely different [14:27]
<marekd> different messages passed, different workflow [14:27]
<jamielennox> right, what happens is different, but the kick off is exactly the same [14:27]
<jamielennox> if we make the base class an Abstract [14:28]
<jamielennox> have a common get_auth_ref handler that calls out to the abstract method [14:28]
*** gokrokve has quit IRC [14:28]
<jamielennox> then we can handle the scoping data in get_auth_ref and the plugins work just like the regular keystoneclient ones [14:28]
<marekd> so i'd use it --os-auth-plugin v3adfs --username x --password y --project_id X and have scoped token in the end? [14:29]
<marekd> and unscoped token in case i don't provide project_id? [14:30]
<marekd> because at first call i might not know my projects and would like to utilize /OS-FEDERATION/projects call to find out. [14:30]
<jamielennox> marekd: in which case your flow is no different to password [14:32]
<jamielennox> bah, other than we need that stupid Saml specific token scoping thing [14:32]
<jamielennox> but close [14:32]
<marekd> ayoung: i see you managed to catch up today with your today's e-mails :-) [14:33]
<ayoung> I skipped a few [14:33]
<marekd> jamielennox: hm, so maybe we can propose code in keystone that will accept os-federation tokens with 'token' auth will simply distinguish and proceed accordingly [14:33]
<jamielennox> marekd: ++ oh please god yes [14:34]
<jamielennox> i thought there was a technical reason we couldn't do that? [14:34]
*** henrynash has joined #openstack-keystone [14:35]
<marekd> instead of doing if token.is_federated(): handle_federated() else: handle_classic() we did if method == 'saml2': handle_federated() else: handle_classic() [14:36]
*** gokrokve has joined #openstack-keystone [14:37]
*** gokrokve has quit IRC [14:39]
<jamielennox> marekd: that makes me want to cry [14:41]
<jamielennox> all of this work around stuff is because a federated unscoped token was somehow different to a regular unscoped token [14:42]
<jamielennox> i didn't realize it was just a case of where a switch was implemented [14:42]
<marekd> it hit me just now too [14:42]
*** vb has joined #openstack-keystone [14:43]
<jamielennox> marekd: if that's doable - please fix it [14:43]
<marekd> jamielennox: ok [14:44]
*** henrynash has quit IRC [14:44]
<rodrigods> lbragstad, ping [14:45]
*** diegows has joined #openstack-keystone [14:45]
<bknudson> the method shouldn't be hardcoded to a specific string. [14:46]
<lbragstad> rodrigods: pong [14:47]
*** david-lyle has joined #openstack-keystone [14:47]
<rodrigods> lbragstad, the XML removal will fix the issue? [14:47]
<rodrigods> (get IdP metadata) [14:47]
<rodrigods> or at least, should it fix? [14:48]
<lbragstad> rodrigods: I'm not 100% sure, I just noticed you mentioned the deprecation and I posted the link for reference, in case anyone was digging for it. [14:48]
<marekd> bknudson: no no, it was not hardcoded. by using saml2 in 'method' attribute in a token Keystone was simply loading saml2 plugin from auth/plugins [14:48]
<rodrigods> lbragstad, will apply the review and see what happens =) [14:49]
<lbragstad> rodrigods: cool, let me know how it goes [14:49]
<rodrigods> lbragstad, ++ [14:49]
*** Gippa has quit IRC [14:51]
*** david-lyle has quit IRC [14:51]
*** Gippa has joined #openstack-keystone [14:52]
*** vejdmn has quit IRC [14:53]
*** vejdmn has joined #openstack-keystone [14:53]
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Deprecates catalog substitution from config files
*** david-lyle has joined #openstack-keystone [14:53]
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Create a framework for federation plugins
<jamielennox> marekd: have a look at ^, does it work? [14:56]
*** thedodd has joined #openstack-keystone [14:57]
<ayoung> dstanek, how dare you clean up crappy code in a deprecation patch! [14:59]
*** afazekas has quit IRC [14:59]
<marekd> jamielennox: looking. sorry i am doing 10 things at the same time :( [15:00]
<dstanek> ayoung: sorry, but it's so fun [15:00]
*** henrynash has joined #openstack-keystone [15:03]
*** gokrokve has joined #openstack-keystone [15:05]
*** ukalifon2 has quit IRC [15:07]
*** openstackgerrit has quit IRC [15:07]
*** joesavak has quit IRC [15:08]
<lbragstad> bknudson: dstanek I have the tests passing here
<bknudson> lbragstad: I was going to run the coverage test on this change and without it to see if there's any more lines skipped. [15:16]
<lbragstad> bknudson: ok [15:17]
<bknudson> actually the coverage is probably better since I'm sure there were some untested things in there. [15:17]
*** afazekas has joined #openstack-keystone [15:17]
<lbragstad> bknudson: yeah, that's a good point [15:17]
<lbragstad> I'm not entirely sure what the coverage was on the XML cases [15:17]
<mfisch> is the revoke driver really deprecated in J? because it's still the default [15:31]
<mfisch> Deprecated: keystone.contrib.revoke.backends.kvs is deprecated as of Juno in favor of keystone.contrib.revoke.backends.sql and may be removed in Kilo. [15:31]
*** henrynash has quit IRC [15:31]
<marekd> jamielennox: works basically, needed to add two fixes but it worked. [15:33]
<marekd> jamielennox: uploading new patchset. [15:33]
<jamielennox> marekd: yea, i think there is an edge case or two i'm missing - and also some cleanup that can be done [15:35]
*** cjellick has joined #openstack-keystone [15:37]
<marekd> hm, do you think classes can be renamed? [15:38]
<marekd> or it will not be backwards compatible [15:38]
<marekd> from ADFSUnscopedToken to ADFSToken [15:38]
*** marcoemorais has joined #openstack-keystone [15:43]
<jamielennox> I think we should [15:47]
<jamielennox> or maybe we move them to the new -federated repo with the new names [15:47]
<jamielennox> marekd: there is some cleanup i'd like to do having poked around there for a bit, so maybe the cleaned up version can be the start of the new repo [15:48]
<marekd> jamielennox: uhm [15:49]
<jamielennox> well, we can copy it across directly now and then do stuff there [15:53]
<jamielennox> nothing i was looking at would be a compatibility problem, just a few things you don't need [15:53]
*** gyee has joined #openstack-keystone [15:58]
*** openstack has joined #openstack-keystone [16:01]
<jamielennox> bknudson: using i have devstack set up with some things running v3 auth and some using default auth [16:06]
<jamielennox> it's a longer chain than i thought it would be, and there are some missing tests as you get higher up - but if you want to have a look [16:06]
*** joesavak has joined #openstack-keystone [16:07]
<jamielennox> alright, cya everyone [16:08]
<amakarov> jamielennox, good day to you! Please take a look I've reproduced the bug in devstack environment: client receives unexpected structure [16:09]
<marekd> jamielennox: cheers [16:10]
<amakarov> jamielennox, fixture for v3 tests does not match actual data structure [16:10]
<jamielennox> amakarov: in the bug you create a new nova service on a devstack deployment [16:11]
<jamielennox> this is my point, why not service-list and use the existing one [16:11]
*** thedodd has quit IRC [16:11]
<bknudson> jamielennox: did you update devstack to allow you to configure v3 auth? [16:11]
<bknudson> in middleware [16:12]
<jamielennox> no, i killed the n-api service from screen, edited the config file and then restarted the service [16:13]
<jamielennox> i'm not sure how we setup devstack to allow multiple config sections yet [16:14]
<amakarov> jamielennox, so it has to be an error if I create a new service? [16:18]
<jamielennox> amakarov: given that it's an error now i would like to be really certain it's something we want before we let the code do it [16:18]
<jamielennox> because once we allow it in code we're stuck with it, and i see no reason for it to be allowed [16:19]
<jamielennox> amakarov: i'm still not sure why it's something you would want? [16:20]
*** lhcheng has joined #openstack-keystone [16:20]
*** amerine has quit IRC [16:20]
*** amerine has joined #openstack-keystone [16:21]
<amakarov> jamielennox, there was a task to create a new nova region. V2 accepted both service and region creation, V2 returns correct endpoint while V3 does not [16:23]
<lhcheng> rodrigods: ping [16:24]
*** _cjones_ has joined #openstack-keystone [16:25]
<amakarov> jamielennox, so it's an inconsistency. Or it must be explicitly forbidden to create a service with existing name/type [16:26]
<jamielennox> amakarov: i would vote for it should be explicitly forbidden [16:26]
<jamielennox> is this an internal task? what does v3 return that is different [16:27]
<jamielennox> because using OSC and v3 api you still separate services from endpoints [16:28]
<amakarov> jamielennox, endpoint for one of regions is returned in v2 and lost in v3 [16:28]
<amakarov> I reproduced it using devstack - not any custom build [16:30]
<amakarov> jamielennox, here is one more thing: somebody else may use this bug/feature on v2 [16:32]
<jamielennox> amakarov: just trying to see how it could happen as that code you link to is common to both the v2 and the v3 catalog [16:33]
<amakarov> jamielennox, through url_for call [16:34]
<jamielennox> why does keystone --debug no longer print the requests/responses? [16:35]
<jamielennox> or openstack --debug [16:35]
*** marekd is now known as marekd|away [16:35]
*** vejdmn has quit IRC [16:36]
*** vejdmn1 has joined #openstack-keystone [16:36]
*** jsavak has joined #openstack-keystone [16:36]
<amakarov> jamielennox, maybe debug=False somewhere in config_overrides? [16:38]
<amakarov> jamielennox, btw we may make "service create" to return existing one if any... [16:39]
<jamielennox> amakarov: you would have to test name and description etc for an exact match [16:40]
*** joesavak has quit IRC [16:40]
<amakarov> jamielennox, got it. Better simply forbid [16:41]
<jamielennox> amakarov: ok, so this is the test file i'm looking at:
*** vb has quit IRC [16:48]
<jamielennox> a v2 token and a v3 token each with 2 equivalent service catalogs, containing 2 nova services [16:48]
*** openstackgerrit has joined #openstack-keystone [16:49]
<amakarov> jamielennox, yes that is the difference [16:50]
<amakarov> in v3 first endpoint will be lost [16:51]
<jamielennox> amakarov: right, but it could never have been found [16:52]
<amakarov> jamielennox, unless there are different regions [16:53]
<jamielennox> if the argument is that you should be able to list it twice then i disagree and we can debate it [16:53]
<jamielennox> my issue is if there is a difference from v2 to v3 [16:53]
*** afazekas is now known as _afazekas [16:53]
<jamielennox> so just tried that as well:
<jamielennox> gives Traceback (most recent call last): [16:54]
<jamielennox>   File "", line 33, in <module> [16:54]
<jamielennox>     print "nova endpoint, region1", auth_ref2.service_catalog.url_for(service_type='nova', region_name='region1') [16:54]
<jamielennox>   File "/home/jlennox/work/python-keystoneclient/keystoneclient/", line 318, in inner [16:54]
<jamielennox>     return func(*args, **kwargs) [16:54]
<jamielennox>   File "/home/jlennox/work/python-keystoneclient/keystoneclient/", line 231, in url_for [16:54]
<jamielennox>     raise exceptions.EndpointNotFound(msg) [16:54]
<jamielennox> keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound: publicURL endpoint for nova service in region1 region not found [16:54]
<jamielennox> so again, can't be found on v2 either [16:54]
*** stevemar has joined #openstack-keystone [16:55]
*** jistr has quit IRC [16:57]
*** amcrn has joined #openstack-keystone [16:57]
*** afazekas has joined #openstack-keystone [16:57]
<jamielennox> amakarov: alright, i've gotta go [16:58]
<jamielennox> amakarov: if you can modify that to show me an example where v2 does something that v3 doesn't then that's a bug [16:58]
<jamielennox> pop it into an email because our IRC times are syncing up well [16:59]
*** amcrn has quit IRC [16:59]
<amakarov> jamielennox, well, thanks - I'll dig this deeper ) [16:59]
*** david-lyle has quit IRC [17:03]
*** david-lyle has joined #openstack-keystone [17:03]
*** alee is now known as alee_lunch [17:07]
*** sigmavirus24 is now known as sigmavirus24_awa [17:10]
*** thedodd has joined #openstack-keystone [17:11]
<openstackgerrit> A change was merged to openstack/python-keystoneclient: set close_fds=True in Popen
<morganfainberg> dolphm, ok going to see about getting a release cut here. [17:12]
<dolphm> morganfainberg: ++ [17:12]
<dolphm> jamielennox: unless there's some reason not to release ksc soon ^ [17:12]
<morganfainberg> dolphm, looks like we have *mostly* minor fixes [17:14]
* morganfainberg debates making this 0.11.2 [17:15]
*** packet has joined #openstack-keystone [17:16]
<dolphm> morganfainberg: i was crossing my fingers it could be a 0.0.1 release [17:17]
<morganfainberg> looks like it can be [17:18]
<dolphm> morganfainberg: i think you can definitely go either way [17:18]
<morganfainberg> i'd like to keep it 0.0.1 release [17:18]
<bknudson> no new api so .1 [17:18]
<morganfainberg> this is really just minor fixes/bug fixes [17:19]
<morganfainberg> ok where do i register a new milestone? [17:19]
<dolphm> morganfainberg: Create milestone
<morganfainberg> i don't have that button [17:20]
<dolphm> uh oh [17:20]
*** sigmavirus24_awa is now known as sigmavirus24 [17:20]
<dolphm> morganfainberg: how about now? [17:21]
<morganfainberg> ah now i do [17:21]
<dolphm> morganfainberg: i set the keystoneclient Release Manager to keystone-drivers - you should be able to change it on that same page if you'd like [17:21]
<morganfainberg> aha, got it [17:21]
<morganfainberg> do you have a script that will assign the "fix committed" bugs to the milestone? [17:23]
<morganfainberg> or is it something done by hand? [17:23]
<dolphm> morganfainberg: scripted [17:23]
<dolphm> morganfainberg: without --release it'll set milestones [17:24]
*** vb has joined #openstack-keystone [17:24]
<dolphm> morganfainberg: with --release it'll set milestones for Fix Committed items, and flip them to Fix Released [17:24]
<dolphm> morganfainberg: so, python python-keystoneclient 0.11.2 [17:25]
<morganfainberg> wow that is easy [17:27]
*** stevemar has quit IRC [17:29]
<morganfainberg> i think i lost the secret key for my gpg key [17:29]
* morganfainberg goes and looks [17:29]
<dolphm> haha almost easy [17:30]
*** amcrn has joined #openstack-keystone [17:30]
*** thedodd has quit IRC [17:32]
<morganfainberg> aha, didn't have the keyid [17:32]
<morganfainberg> in the tag command [17:32]
<morganfainberg> ooh boy i need to update this key [17:32]
<openstackgerrit> Dolph Mathews proposed a change to openstack/keystone: remove XML middleware from default paste config
*** diegows has quit IRC [17:36]
*** harlowja_away is now known as harlowja [17:40]
<morganfainberg> dolphm, so... following your instructions... [17:44]
<morganfainberg> Unable to find milestone by name: 0.11.2 [17:44]
<morganfainberg> did i need to "mark as released" before clicking "create release"? [17:44]
<rodrigods> lhcheng, pong [17:47]
*** openstackgerrit has quit IRC [17:48]
*** openstackgerrit has joined #openstack-keystone [17:48]
<lhcheng> rodrigods: question on hierarchical projects, is it not going to be supported for LDAP backed “ever” or not supported just for the first pass of the implementation? [17:49]
*** vejdmn1 has quit IRC [17:49]
*** vejdmn has joined #openstack-keystone [17:49]
<rodrigods> lhcheng, for this first one, I think [17:50]
<rodrigods> lhcheng, to be certain, we can ask morganfainberg =) [17:51]
<morganfainberg> ldap assignment? [17:51]
* morganfainberg dodges the question. [17:51]
<morganfainberg> i think that depends on what the state of ldap assignment is going to be in the long run [17:51]
<rodrigods> morganfainberg, ++ [17:51]
<rodrigods> that was exactly what I thought [17:51]
<lhcheng> morganfainberg: yes, ldap assignment backend [17:51]
<lhcheng> hmm do we know what percentage of the user does actually use ldap assignment? [17:53]
<rodrigods> lhcheng, there was a huge discussion about ldap in the previous keystone meeting [17:54]
<morganfainberg> CERN uses it. maybe one or two others. [17:56]
<morganfainberg> it is not commonly used [17:56]
*** aix has quit IRC [17:59]
* rodrigods still getting used to ldap, was presented to it once started hacking with keystone [18:00]
<lhcheng> ayoung raised a good point in the last meeting about assuming that the assignment LDAP will be the same as identity. Would be nice to split it up. [18:00]
<openstackgerrit> Dolph Mathews proposed a change to openstack/keystone: remove XML middleware from default paste config
<openstackgerrit> Anne Gentle proposed a change to openstack/keystone-specs: Adds Identity API v2.0 files
<morganfainberg> lhcheng, there is actually a topic that will cover that [18:01]
<morganfainberg> at the summit (somewhat) [18:02]
<morganfainberg> or lead to covering that [18:02]
<dolphm> morganfainberg: looks like you got it released okay? [18:02]
<dolphm> morganfainberg: the instructions that appear in the console are really for --release [18:02]
<dolphm> morganfainberg: they don't really apply to a dry run ... i should add a warning or something [18:02]
<morganfainberg> dolphm, i did the 6 bugs by hand. but your script couldn't "find" the milestone with --release [18:02]
<lhcheng> morganfainberg, great! I’ll be looking forward to that! [18:02]
<morganfainberg> once i did the release bit. [18:02]
<morganfainberg> in lp [18:02]
<ayoung> lhcheng, actually, I think that the assumption is safe, so long as both identity and assignment point to the same LDAP server, but it gets wonky if you try to store things in assignment where there is no corresponding identity element [18:03]
<dolphm> morganfainberg: yeah, don't follow the instructions at all unless you have done --release [18:03]
<morganfainberg> dolphm, ah ok [18:03]
<lhcheng> ayoung: I’m just thinking for the case where keystone would only have read-only access to corp ldap. And would like to manage the assignment in a separate ldap. [18:04]
<morganfainberg> in theory that could be done with the per-domain backend config but it might get a little wonky [18:05]
<ayoung> lhcheng, yeah, that is going to require some deep LDAP Kung fu to get right. The DNs in assignment will not reflect objects in the Directory [18:05]
<morganfainberg> or a lot wonky [18:06]
<lhcheng> ayoung, perhaps replicate the identity into the keystone-owned ldap too [18:06]
<morganfainberg> oh wait assignment ldap = no domains [18:06]
<morganfainberg> lhcheng, ick [18:06]
<morganfainberg> lhcheng, noooooo [18:06]
<ayoung> morganfainberg, one domain per subtree [18:06]
<morganfainberg> ayoung, not in assignment [18:06]
<ayoung> lhcheng, I don't think so, I think that it is more the other way: relax the constraints [18:06]
<ayoung> morganfainberg, yeah, even in assignment, maybe even more so...I think there is a place for it. Course, I don't intend to code it. [18:07]
<morganfainberg> i think this falls into the category of the previous convo, if we're doing r/w ldap lets really do r/w ldap, for r/o we can do other / better design that doesn't need to support the r/w case [18:07]
<lhcheng> ayoung, allowing r/w access would solve it, but it will be a battle to get r/w access to a corp ldap. [18:14]
<ayoung> lhcheng, you don't want that, but why LDAP at all? [18:14]
<lhcheng> ayoung. I agree that we will start to have data inconsistencies once we split identity and assignment into two ldaps :( [18:15]
*** thedodd has joined #openstack-keystone [18:16]
<lhcheng> multiple openstack cluster, like to have a single source of truth for identity rather than doing an ldap-to-db sync to each keystone in the cluster [18:16]
<ayoung> lhcheng, look into how FreeIPA does a Kerberos Trust relationship to a corporate LDAP, [18:17]
<amakarov> ayoung, greetings! I've implemented user chain validation, can you please look at it?
<ayoung> amakarov, happy to do so [18:18]
<ayoung> amakarov, looks clean [18:18]
<ayoung> I'm assuming that the get_trust_pedigree would break if any of the delegations were revoked [18:19]
<morganfainberg> rodrigods, put a -2 on the CRUD patch for HM until the api change merges [18:19]
<ayoung> I'd like to see a test on that [18:19]
<morganfainberg> rodrigods, just as an FYI, that isn't because HM CRUD code is wrong, just we need the API change in first. [18:19]
<rodrigods> morganfainberg, fair enough [18:19]
<ayoung> amakarov, didn't you have tests before? [18:20]
<rodrigods> morganfainberg, will start to ping people to review the API change hehe [18:20]
<lhcheng> ayoung, thanks! I’ll check FreeIPA. [18:20]
<amakarov> ayoung, there are tests for it [18:20]
<morganfainberg> the one before it is now gating fyi [18:20]
<amakarov> ayoung, a moment... [18:20]
<morganfainberg> rodrigods, i really do expect we'll have this all done by the summit. [18:20]
* morganfainberg subscribed to the calendars for the summit [18:22]
<amakarov> ayoung, keystone.tests.test_v3_auth.TestTrustRedelegation.test_intermediate_user_disabled [18:22]
<morganfainberg> wow... my phone's calendar is impossible to read w/ them turned on [18:22]
<ayoung> amakarov, looks good. On tests like those, I like to do a positive check before disabling, to ensure that the mechanism you are using is actually responsible, so [18:24]
<ayoung> do a self.v3_authenticate_token(auth_data, expected_status=210) or whatever the status is prior to disabling [18:24]
<amakarov> ayoung, got it, thanks for the idea [18:25]
<ayoung> user_chain[0] is going to be first ancestor, right? So in a three person chain, it would be the one in the middle? [18:25]
<amakarov> ayoung, user_chain[0] is first trustee, the trustor is still self.user_id [18:28]
<ayoung> amakarov, it looks good. I'm just paranoid. But you know the old saying: [18:28]
<amakarov> so there is 2 in the middle. [18:28]
<ayoung> Just because I'm paranoid doesn't mean they are not out to get me. [18:28]
<ayoung> amakarov, so trustor to trustee1(t1), t1 to t2, t2 to t3? [18:29]
<amakarov> ayoung, ++ [18:29]
<ayoung> and user_chain[0] would point to t2 ot t1? [18:29]
<ayoung> and user_chain[0] would point to t2 or t1? [18:29]
*** _cjones_ has quit IRC [18:30]
*** _cjones_ has joined #openstack-keystone [18:30]
<amakarov> ayoung, user_chain[0] == t1, user_chain[1] == t2 [18:30]
<ayoung> ah, so top down. [18:30]
<amakarov> ayoung, user_chain[2] is the last - he is to use the trust [18:32]
*** gokrokve has quit IRC18:32
*** rodrigods has left #openstack-keystone18:32
*** rodrigods has joined #openstack-keystone18:33
*** gokrokve has joined #openstack-keystone18:33
*** _cjones_ has quit IRC18:34
*** jacer_huawei has quit IRC18:37
*** jacer_huawei has joined #openstack-keystone18:38
ayoungamakarov,  def test_redelegation_roles(self): seems strange.  Why are you creating a new role?18:39
amakarovayoung, it's the case when trustee tries to delegate role not delegated to him18:40
ayoungamakarov, ah.18:41
ayoungamakarov, so can I drop roles from a trust when I redelegate?  Where is that tested?18:42
amakarovayoung, yes, you can redelegate a subset of roles and never a superset. Subset redelegation wasn't tested (18:43
ayoungamakarov, lets get that in there:  check that the token from the redelgated trust has exactly the set of roles redelegated to it18:43
*** nkinder has quit IRC18:45
amakarovayoung, ok, I'll make a more detailed test for roles18:45
ayoungamakarov, I like this patch18:45
*** nellysmitt has quit IRC18:45
ayoungI want dolphm to give it a once over, though, as he did a really thorough set of tests for the original trusts implementation18:45
*** nellysmi_ has joined #openstack-keystone18:45
ayoungamakarov, nicely done, though.  This is just being thorough18:46
amakarovayoung, pleased to hear that :)18:47
ayoungamakarov, now if only we could merge this with the oauth implementation18:47
*** alee_lunch is now known as alee18:48
*** thedodd has quit IRC18:48
amakarovayoung, yes, that would be nice! Looking forward to make it in my future contributions :)18:49
ayoungvery cool18:49
ayoungamakarov, you going to Paris?18:49
amakarovamakarov, for now I'm about to write a todo list and wish a good night to everybody! Yes, I'm going18:50
ayoungamakarov, excellent,  we'll walk this one through then.18:51
ayoungAnd maybe kidnam stevem for an oauth discussion, too18:52
*** diegows has joined #openstack-keystone18:52
morganfainbergayoung, i kindof want to see trusts (OS-TRUSTS) go away and just make delegation a top-level bit of assingment... though not sure how we'd do that18:53
morganfainbergor at the very least make it so i can say "give me token with XXX roles".18:54
ayoungmorganfainberg, first we merge the oauth and trust implementation on the backend18:54
* morganfainberg looks at the policy discussion at the summit18:54
ayoungnah, this is not policy18:54
morganfainbergit is related to the "what capabilities do i need18:54
ayoungmore like the authorization session18:55
ayoungbut, quibbles18:55
ayoungwe need to sort it all out18:55
ayoungbut cleaning up the interface is harder than unifying the implementation18:56
ayoungI think that we can make oauth consumers into keystone users in  their own domain18:56
ayoungand then we could have oauth potentially reuse an existing user as a consumer18:57
*** _cjones_ has joined #openstack-keystone18:57
morganfainbergdang it... can't make it to nkinder's talk:
* morganfainberg wonders about trading a session timeslot.18:58
ayoungoooh,  I need to be there, too.  What's it conflict with?18:59
ayoungWednesday, November 5 • 09:00 - 09:4018:59
ayoungFer Fooks Sake!19:00
morganfainbergnot a lot of options for trading :(19:01
*** amakarov is now known as amakarov_away19:03
morganfainbergthat day is booked solid19:03
ayoungmorganfainberg, it's OK,  I can tell you what he is going to say.19:04
ayoungthe question, though, is whether I leave him unsupervised or not.19:04
morganfainbergayoung, he'll be fine ;)19:05
*** bknudson has quit IRC19:05
ayoungManagers are a tricky lot and must be watched or they will get you into trouble.19:05
morganfainbergok so i need to bail for a bit. have an appt to run to19:05
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: This blueprint details the work required for Multi-factor Authentication
ayoungFortunately, he has many years as an engineer, and it was not that long ago,  hope he hasn't forgotten19:05
openstackgerritayoung proposed a change to openstack/keystone-specs: Multifactor Authentication
ayounglbragstad, you like that :)19:06
*** marcoemorais has quit IRC19:06
*** ayoung is now known as ayoung-afk19:07
lbragstadnonameentername: ayoung-afk did you both push specs patches at the same time?19:08
lbragstadyes.. I think you did19:08
*** thedodd has joined #openstack-keystone19:10
*** andreaf has quit IRC19:11
*** andreaf has joined #openstack-keystone19:12
*** __TheDodd__ has joined #openstack-keystone19:12
*** nellysmitt has joined #openstack-keystone19:12
*** david-lyle has quit IRC19:13
*** nellysmi_ has quit IRC19:16
*** saipandi has joined #openstack-keystone19:16
*** thedodd has quit IRC19:16
*** bknudson has joined #openstack-keystone19:25
*** mrmoje has joined #openstack-keystone19:25
*** marcoemorais has joined #openstack-keystone19:27
*** bknudson has quit IRC19:29
*** mrmoje has quit IRC19:31
*** mrmoje has joined #openstack-keystone19:31
*** ayoung-afk is now known as ayoung19:31
ayounglbragstad, nah, I just corrected his commit message19:31
lbragstadayoung: gotcha, thanks!19:32
*** aix has joined #openstack-keystone19:37
*** _cjones_ has quit IRC19:45
*** bknudson has joined #openstack-keystone19:45
nonameenternameayoung: Thanks19:45
*** _cjones_ has joined #openstack-keystone19:45
*** _cjones_ has quit IRC19:50
*** gokrokve has quit IRC19:54
*** gokrokve has joined #openstack-keystone19:56
*** gokrokve has quit IRC19:57
*** gokrokve has joined #openstack-keystone19:57
ayoung    import rpdb; rpbd.set_trace()20:05
ayoung   # GAH20:05
*** david-lyle has joined #openstack-keystone20:06
*** tristanC has quit IRC20:10
*** _cjones_ has joined #openstack-keystone20:12
bknudsonDoes everything need to be an extension?20:13
*** tristanC has joined #openstack-keystone20:16
*** andreaf has quit IRC20:17
*** andreaf has joined #openstack-keystone20:17
*** gyee has quit IRC20:21
*** nkinder has joined #openstack-keystone20:26
rodrigodslbragstad, just tested with the Xml removal patch20:36
rodrigodsnow it's breaking in the AuthContextMiddleware20:36
lbragstadrodrigods: really?20:36
lbragstadrodrigods: paste?20:36
rodrigodslbragstad, yeah, the request doesn't include a token20:37
rodrigodslbragstad, 2014-10-23 20:31:06.050548 27643 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request keystone/keystone/middleware/
*** nellysmitt has quit IRC20:37
lbragstadrodrigods: interesting20:37
rodrigodslbragstad, we still have a bug, but not a Xml bug20:38
*** stevemar has joined #openstack-keystone20:38
rodrigodslbragstad, any idea how can I explicit that an endpoint won't need the auth_context?20:38
rodrigodsmorganfainberg, ^20:42
morganfainbergOn the road. Can't look till I get home this evening.20:43
morganfainbergBut I have an idea if you don't solve it before then.20:44
*** david-lyle has quit IRC20:44
rodrigodsmorganfainberg, great, thanks!20:44
morganfainbergLook at how /v3/auth works20:45
rodrigodsmorganfainberg, ++20:45
*** jedix has left #openstack-keystone20:46
*** david-lyle has joined #openstack-keystone20:48
lbragstadrodrigods: what was the link to that bug again?20:52
* lbragstad is digging 20:52
uvirtbotLaunchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,New]20:52
lbragstadrodrigods: thanks!20:52
*** gyee has joined #openstack-keystone20:54
*** NM1 has quit IRC21:00
rodrigodslbragstad, it worked here, i missed a configuration in the fed extension21:01
*** alex_xu has joined #openstack-keystone21:01
lbragstadrodrigods: gotcha, so you didn't get the 'Auth token not in the request header' error?21:01
lbragstadwith the XML removal patch?21:01
rodrigodslbragstad, nope, it worked beautifully =)21:02
*** packet has quit IRC21:02
*** lhcheng has quit IRC21:02
* lbragstad high-fives rodrigods 21:02
lbragstadrodrigods: thanks for testing that21:03
rodrigodslbragstad, o/21:03
rodrigodslbragstad, maybe change the review commit message to point out that it is also closing this bug?21:05
rodrigodsmakes sense?21:05
lbragstadrodrigods: yeah21:06
*** gyee has quit IRC21:06
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support
rodrigodslbragstad, ++21:06
*** lhcheng has joined #openstack-keystone21:11
*** HenryG has quit IRC21:11
*** jsavak has quit IRC21:21
*** alex_xu has quit IRC21:30
*** harlowja has quit IRC21:31
*** harlowja has joined #openstack-keystone21:36
*** marcoemorais has quit IRC21:38
*** alee is now known as alee_on_way_home21:45
*** alee_on_way_home has quit IRC21:49
*** stevemar has quit IRC21:51
*** mgagne has quit IRC22:05
*** mgagne has joined #openstack-keystone22:05
*** gokrokve has quit IRC22:12
*** david-lyle has quit IRC22:13
*** david-lyle has joined #openstack-keystone22:13
*** gokrokve has joined #openstack-keystone22:20
*** marcoemorais has joined #openstack-keystone22:20
*** esp has joined #openstack-keystone22:22
esphello, can someone help figure out how to enable keystone v3 support in devstack.  I don’t believe this is enabled by default correct?22:23
esp$ keystone --debug --os-identity-api-version 3.0 tenant-list22:24
espWARNING: unsupported identity-api-version 3.0, falling back to 2.022:24
*** harlowja has quit IRC22:30
vsilvahi esmute22:31
vsilvaoops, esp22:31
esphi vsilva :)22:31
espnp, me and esmute are pals22:31
vsilvaI believe you can change that in openrc. OS_IDENTITY_API_VERSION=3, I think22:31
vsilvagive it a try22:31
espk, let me do that ;)22:32
*** __TheDodd__ has quit IRC22:32
*** gyee has joined #openstack-keystone22:32
*** marcoemorais1 has joined #openstack-keystone22:32
*** marcoemorais1 has quit IRC22:33
espOS_IDENTITY_API_VERSION=3 keystone --debug tenant-list22:33
espWARNING: unsupported identity-api-version 3, falling back to 2.022:33
*** marcoemorais has quit IRC22:33
*** marcoemorais1 has joined #openstack-keystone22:33
espwonder if my client is outta date?22:33
espI’ll try some curls maybe?22:33
* esp shrugs22:33
vsilvaesp, did you auth with openrc?22:34
vsilvachange that in openrc and auth again22:34
espyep, but I have to admit my devstack is probably 2 weeks old22:34
espah, ok22:34
espgood idea22:34
lhchengesp keystone v3 is not supported in keystoneclient CLI22:36
lhchengyou have to use the openstackclient for keystone v322:36
espmakes sense lhcheng22:36
espthank you!22:36
lhchengesp np!22:36
espbut I bet curl will work22:36
espI was gonna try that next22:36
*** marcoemorais1 has quit IRC22:38
*** marcoemorais has joined #openstack-keystone22:39
*** vejdmn has quit IRC22:40
*** harlowja has joined #openstack-keystone22:41
*** saipandi has quit IRC22:41
*** saipandi has joined #openstack-keystone22:41
*** gokrokve has quit IRC22:46
*** gokrokve has joined #openstack-keystone22:46
*** marcoemorais has quit IRC22:47
*** marcoemorais has joined #openstack-keystone22:47
*** gordc has quit IRC22:49
*** david-lyle has quit IRC22:54
*** HenryG has joined #openstack-keystone23:04
*** gokrokve has quit IRC23:05
*** andreaf has quit IRC23:11
*** andreaf has joined #openstack-keystone23:11
*** gokrokve has joined #openstack-keystone23:14
*** gokrokve has quit IRC23:17
*** gokrokve has joined #openstack-keystone23:18
*** gokrokve has quit IRC23:23
*** david-lyle has joined #openstack-keystone23:24
*** david-lyle has quit IRC23:31
*** gokrokve has joined #openstack-keystone23:34
*** gokrokve has quit IRC23:34
*** gokrokve has joined #openstack-keystone23:34
*** gokrokve has quit IRC23:42
*** oomichi has joined #openstack-keystone23:49
*** oomichi__ has joined #openstack-keystone23:49
*** _cjones_ has quit IRC23:52
*** _cjones_ has joined #openstack-keystone23:52
*** alex_xu has joined #openstack-keystone23:52
*** _cjones_ has quit IRC23:57
*** diegows has quit IRC23:57
