Wednesday, 2014-10-29

*** bknudson has joined #openstack-keystone		00:38
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain https://review.openstack.org/131319	00:42
*** marcoemorais has quit IRC		00:44
*** marcoemorais has joined #openstack-keystone		00:44
*** marcoemorais has quit IRC		00:46
*** marcoemorais has joined #openstack-keystone		00:46
*** marcoemorais has quit IRC		00:46
*** marcoemorais has joined #openstack-keystone		00:46
openstackgerrit	wanghong proposed a change to openstack/keystone: Can't update catalog objects when using kvs driver https://review.openstack.org/130180	00:47
openstackgerrit	wanghong proposed a change to openstack/keystone: add circular check when updating region https://review.openstack.org/130474	00:49
*** david-lyle has joined #openstack-keystone		00:49
*** bknudson has left #openstack-keystone		00:56
*** _cjones_ has quit IRC		00:56
*** ncoghlan has joined #openstack-keystone		00:57
*** edmondsw has quit IRC		00:58
*** packet has quit IRC		00:59
*** david-lyle has quit IRC		01:04
openstackgerrit	A change was merged to openstack/keystonemiddleware: Convert authentication into a plugin https://review.openstack.org/115857	01:06
*** cds has quit IRC		01:11
*** ayoung has joined #openstack-keystone		01:16
*** marcoemorais has quit IRC		01:17
ayoung	nkinder, you still in Dad mode?	01:19
ayoung	I'm working on the Horizon/Kerberos thing on http://horizon.younglogic.net . I don;t think we actually have to mess with the service catalog: that was only required (I think) to deal with the changes of the ports.	01:20
*** ncoghlan is now known as ncoghlan_afk		01:22
*** ncoghlan_afk is now known as ncoghlan		01:22
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list https://review.openstack.org/127459	01:24
r1chardj0n3s	Ohai ncoghlan :-)	01:26
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: call _choose_api_version in one place https://review.openstack.org/127866	01:26
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystonemiddleware: Adds space after # in comments https://review.openstack.org/131614	01:26
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystonemiddleware: Update python-keystoneclient reference https://review.openstack.org/131615	01:30
*** ncoghlan is now known as ncoghlan_afk		01:32
nkinder	ayoung: eh, half-dad-mode	01:33
ayoung	nkinder, OK, ping me when you'r done. Working with gsilvis in #moc on the PKI handoff	01:34
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystonemiddleware: Adds space after # in comments https://review.openstack.org/131614	01:34
morganfainberg	nkinder, hmmm....	01:34
morganfainberg	oh crud, need to write up some descriptions so russellb doesn't come looking for me at the summit :P	01:35
morganfainberg	ayoung, i am putting you and nkinder on the hook for the x-project policy session (co-lead with me just like the keystone session) unless you have a reason i shouldn't (as in you have some other session to be in)	01:35
nkinder	morganfainberg: I'm cool with that	01:35
ayoung	No, I'll be happy to lead,	01:35
morganfainberg	cool	01:36
*** sigmavirus24_awa is now known as sigmavirus24		01:42
rodrigods	anyone else have problems running keystonemiddleware tests on mac?	01:43
morganfainberg	rodrigods, what issues and did you upgrade to yosemite recently?	01:43
rodrigods	morganfainberg, yep, yosemite here	01:44
*** david-lyle has joined #openstack-keystone		01:44
morganfainberg	rodrigods, ok so you need to re-install CLI tools: from terminal xcode-select --install	01:44
morganfainberg	rodrigods, then you need to re-build "brew" requirements	01:45
morganfainberg	which includes needing to build python	01:45
morganfainberg	because os X python 2.7 doesn't come with gdbm	01:45
rodrigods	morganfainberg, thanks!	01:45
rodrigods	hmm	01:45
morganfainberg	so testr can't work	01:45
morganfainberg	i installed brew in ~/Developer/homebrew	01:45
morganfainberg	added ~/Developer/homebrew/bin to my path	01:45
morganfainberg	in my .bashrc	01:45
morganfainberg	then did a brew install python	01:45
morganfainberg	and openssl	01:46
morganfainberg	also, brew install gettext	01:46
morganfainberg	you'll need to brew link openssl --force	01:46
morganfainberg	and brew link gettext --force	01:46
* morganfainberg should write a blog post on this...		01:47
rodrigods	morganfainberg, thanks a lot, I usually run it in a vm	01:47
morganfainberg	alternatively, you could just run everything in a VM and call it a day	01:47
morganfainberg	way less work :P	01:47
rodrigods	network down in the lab =(	01:47
morganfainberg	local VM (VMWare Fusion)	01:47
rodrigods	morganfainberg, you absolutely should write a blog post about it	01:47
morganfainberg	or VirtualBox (depending on your personal flavors)	01:48
rodrigods	morganfainberg, yeah... just lazy right now because I always rely on the vms in the lab	01:48
rodrigods	eheh	01:48
rodrigods	morganfainberg, was investigating https://bugs.launchpad.net/keystonemiddleware/+bug/1367062 and found some nits	01:48
uvirtbot	Launchpad bug 1367062 in keystonemiddleware "401 and 404 errors from the heat API are not returned with JSON content type" [Low,Triaged]	01:48
rodrigods	morganfainberg, and the fun part is the lab vms are on openstack =P	01:49
rodrigods	all my masters experiments ran in a small private openstack cloud, btw	01:50
*** ncoghlan_afk is now known as ncoghlan		01:50
morganfainberg	before i write up the post let me make sure the tests actually run	01:51
morganfainberg	;)	01:51
ayoung	morganfainberg, OK, so I think I'm going to split multiple-signers up into two Specs. One will just allow for multiple certs, but they will all be equivalent.	01:53
morganfainberg	ayoung, ++ that is a Very important one	01:53
ayoung	The second will attempt to figure out, based on the subject of the cert who can sign for what	01:53
morganfainberg	ayoung, i like that	01:53
ayoung	morganfainberg, https://etherpad.openstack.org/p/keystone-multiple-signers	01:53
ayoung	morganfainberg, yeah, the first spec will allow 2 things	01:54
morganfainberg	covers both concerns, the first also should be an easier sell as it helps w/ cert rotation	01:54
ayoung	1. Multiple keystones, each with their own set of private keys	01:54
morganfainberg	big operational win.	01:54
ayoung	2. Certificate rotation to deal with expiry	01:54
morganfainberg	the 2nd one is the big big win	01:54
ayoung	yeah, we've been hit with that	01:54
morganfainberg	the first one is potentially useful to have.	01:54
ayoung	I'm thinking we do a timeout: if the cert has a subject that we haven't seen before, fetch all the certs from Simple cert, but no more often than once a minute to avoid a DOS	01:55
morganfainberg	make the poll frequency configurable with a floor.	01:55
ayoung	of course	01:55
morganfainberg	and yes, if you haven't seen the subject, initiate a poll	01:55
ayoung	but maybe we have a cache timeout value for all thethings from auth_token middleware?	01:56
morganfainberg	worth exploring	01:56
ayoung	so they don't have to set revocation list separate from cert cache?	01:56
morganfainberg	well	01:56
morganfainberg	i could see a cert cache wanting to be much longer	01:56
ayoung	just a "don't query any more frequently than this" timeout	01:56
morganfainberg	ayoung, oh wait i know	01:56
morganfainberg	lets implement this as IMS checks	01:56
morganfainberg	derp	01:56
morganfainberg	thats the right approach	01:57
*** samuelms_home has joined #openstack-keystone		01:57
ayoung	IMS? You mean actually use HTTP as it is designed?	01:57
morganfainberg	haha yeah	01:57
morganfainberg	GAAASSSP	01:57
morganfainberg	we should actually implement IMS for all things in keystone	01:57
ayoung	that is so crazy...it just...might...work.	01:57
morganfainberg	(all things in openstack)	01:57
ayoung	then they become server side config values	01:57
morganfainberg	but lets do it in keystone first. and this is a great case (same thing with tokens if we're caching a token)	01:57
ayoung	++	01:58
ayoung	new BP for thetoken revocate thing	01:58
morganfainberg	++	01:58
morganfainberg	and this should be baked into revocation events while we're mucking around in there.	01:58
ayoung	morganfainberg, isn't their another field that is supposed to tell the browser how long to hold on to content?	02:01
morganfainberg	ayoung, cache-control	02:01
ayoung	Expires	02:01
morganfainberg	and expires	02:01
morganfainberg	we have all sorts of things (especially around cache control) we need to implement	02:01
morganfainberg	it's super important as it tells proxies (HAProxy? how much you wanna bet someone will put varnish in front of keystone?) how long they can keep things	02:02
morganfainberg	we absolutely need to look at the fun HTTP headers we should be sticking in front of things...	02:02
morganfainberg	we may also want to figure out if we can do cache-busting in certain cases	02:03
morganfainberg	but thats a long ways out.	02:03
ayoung	morganfainberg, so I had a discussion with okrieg of the #movc about this stuff. gsilvis is going to work on it. Once we have the multiple signers working for tokens, I want to make it work for oslo-messaging to implement the PKI stuff from last summits last session.	02:03
morganfainberg	PKI? or symmetrical aka kite?	02:03
morganfainberg	i thought PKI was too heavy	02:03
ayoung	http://junodesignsummit.sched.org/event/9a6b59be11cdeaacfea70fef34328931	02:04
ayoung	we need PKI for the vast majority of the uses	02:04
morganfainberg	the general discussion iirc was HMAC was sufficient in most use cases	02:04
ayoung	Symmetrical is only good for a limited set of uses	02:04
morganfainberg	but that needed kite and symmetric key distribution	02:04
*** alex_xu has joined #openstack-keystone		02:04
morganfainberg	i htink we need to dig up the etherpad	02:05
morganfainberg	(this is why i linked the etherpads in the sessions this time)	02:05
morganfainberg	so when we look back it's not chasing "where did we put that etherpad"	02:05
ayoung	https://etherpad.openstack.org/p/juno-oslo-pki-for-messaging	02:05
morganfainberg	hmm	02:06
morganfainberg	ah the fan-out case	02:06
morganfainberg	yeah	02:06
morganfainberg	blech	02:06
ayoung	morganfainberg, its worse than that, though	02:06
morganfainberg	can we look to see if there is something lighter than S/MIME for this though?	02:07
ayoung	basically, the message queue is unprotected	02:07
morganfainberg	i don't want 1k messages on the bus	02:07
ayoung	well, really, we need a library approach	02:07
ayoung	but...sure we can try to lighten it. When I looked, though, there really was not too much waste in that 1K	02:07
morganfainberg	or something we can derive the signature from for HMAC via PKI (i know weird thought)	02:07
ayoung	lets get it working and then optimize	02:08
morganfainberg	yeah	02:08
morganfainberg	i know there isn't much wasted in the 1k, thats why i'm trying to think if there is a sane way to do something else.	02:08
ayoung	I think the cost is really the crypto,	02:09
morganfainberg	making all messages on the message bus increase by 1k is going to be a big bottle neck. iirc nova -> bus data is a MAJOR bottleneck in hyper-scale clouds	02:09
morganfainberg	(>500 nodes)	02:09
ayoung	I mean, you need to have enough to get a valid hash, and then sign the hash	02:09
morganfainberg	rabbit already tips over too easily	02:10
ayoung	morganfainberg, so I suspect that going from PEM to DER is essential	02:10
*** david-lyle has quit IRC		02:10
morganfainberg	ayoung, sure. that helps	02:10
morganfainberg	it's still a big increase.	02:10
* morganfainberg wonders what other options we have.		02:11
morganfainberg	i haven't done much crypto research on new developments in ages	02:11
ayoung	I bet there are things we could do in the Queue topology	02:11
notstevemar	morganfainberg, ping	02:11
morganfainberg	thats a good thought	02:11
notstevemar	morganfainberg, thoughts on https://bugs.launchpad.net/pycadf/+bug/1347868 ?	02:11
uvirtbot	Launchpad bug 1347868 in pycadf "pycadf does not work with a templated keystone catalog" [High,In progress]	02:11
morganfainberg	notstevemar, oh hai	02:11
ayoung	like, if each node was writing to a dedicated queue, there could be a single reader that is responsible for declaring "this message came from node 4"	02:12
morganfainberg	ayoung, i think that was the concept we were running with for symmetrical	02:12
morganfainberg	ayoung, but that still runs into issues with "OMG how many queues do i need"	02:12
morganfainberg	rabbit likely would still tip over at hyperscale	02:12
morganfainberg	in worse ways than just putting 1k messages on the bus	02:12
ayoung	morganfainberg, so it looks like, while Rabbit does not have SASL today, there is an esasl library	02:13
morganfainberg	ayoung, yes there is. i think ejabberd uses it	02:13
ayoung	and that could be used to implement access control lists via kerberos in Rabbit	02:13
ayoung	let Kerberos do the symmetric for us	02:13
* morganfainberg had the joking thought, what if we used ejabberd and MUCs for the bus instead of AMQP - XMPP		02:13
*** david-lyle has joined #openstack-keystone		02:13
ayoung	morganfainberg, QPID already does this, too	02:13
ayoung	not the Proton/AMQP 1.0 stuff, but the older one	02:14
morganfainberg	ayoung, maybe the answer is we need to get resources on "making non-rabbit AMQP a better default"	02:14
ayoung	morganfainberg, that would be Proton	02:14
*** dims__ has quit IRC		02:14
*** chrisshattuck has joined #openstack-keystone		02:15
ayoung	and I was pushing to have rharwood work on that. The question is whether it makes more sense to push on proton or on Rabbit	02:15
morganfainberg	ayoung, like i said maybe we need to go pitch for our respective companies to give us resources to amek that the best default option	02:15
*** dims__ has joined #openstack-keystone		02:15
morganfainberg	ayoung, or fix rabbit	02:15
morganfainberg	notstevemar, looking	02:15
morganfainberg	notstevemar, i thnk we need to fix it somehow.	02:15
ayoung	morganfainberg, the question is whether adding SASL to Rabbit is like adding frost to snow?	02:16
morganfainberg	hehe	02:16
morganfainberg	well we have smart people who know rabbit pretty damn well @ the summit	02:16
morganfainberg	i think we can chase someone down	02:16
ayoung	morganfainberg, what gsilvis and okried and I are discussing, though, is more far reaching: making the Broker a public resource for integrating between openstack deployments	02:17
*** dims__ has quit IRC		02:17
ayoung	it means that nothing that gets written to the topics are implicitly trusted	02:17
*** sigmavirus24 is now known as sigmavirus24_awa		02:17
*** chrisshattuck has quit IRC		02:17
morganfainberg	ayoung, so... SQS but for the cringe undercloud?	02:17
ayoung	and it means that signing messages is pretty much a must-have	02:17
morganfainberg	or what zaquar is trying to do	02:17
morganfainberg	or however you spell that project's name	02:18
ayoung	there is no undercloud. only ZUUL!	02:18
morganfainberg	hah	02:18
*** ncoghlan is now known as ncoghlan_afk		02:18
*** morganfainberg is now known as only_zuul		02:18
*** only_zuul is now known as morganfainberg		02:18
rodrigods	morganfainberg, tests working here, what fixed everything was brew link gettext --force =)	02:18
morganfainberg	rodrigods, glad to help	02:18
ayoung	So, lets say that nova is owned by one org (Harvard) and Cinder is owned by another (Boston University)	02:18
rodrigods	morganfainberg, thanks =)	02:18
*** david-lyle has quit IRC		02:19
ayoung	right now the cinder agent runs on the Compute node, talks to only one cinder, and is implicitly trusted	02:19
notstevemar	morganfainberg, we either fix keystone or fix pycadf	02:19
morganfainberg	ayoung, i... in the same region? because i'm about to have my head explode from WAN cinder.	02:19
ayoung	we take that idea out back and put a bullet in it	02:19
notstevemar	morganfainberg, either some garbage ID value in keystone, or some garbage value in pycadf :P	02:19
ayoung	yeah, co-located, but owned by different orgs	02:19
morganfainberg	ayoung, WAN iscsid makes my brain hurt.	02:19
morganfainberg	ayoung, ok phew	02:19
morganfainberg	ayoung, sorry.	02:19
morganfainberg	notstevemar, name == id for template?	02:20
morganfainberg	can we do that?	02:20
ayoung	I hear it is possible, but understanding it is beyond my current effort	02:20
morganfainberg	ayoung, yeah i'm good with co-located but it's still a strange buildout.	02:20
morganfainberg	i think conceptually for talking it works but for makign the sales pitch we need somehting a bit more concrete	02:20
notstevemar	morganfainberg, we can do that, that is what my fix was for pycadf	02:21
morganfainberg	or realistic	02:21
morganfainberg	notstevemar, there are other cases we might assume endpoint ids	02:21
notstevemar	https://review.openstack.org/#/c/109060/3/pycadf/audit/api.py	02:21
notstevemar	yeah	02:21
morganfainberg	notstevemar, and the templated catalog should return the same format as the non-templated	02:21
notstevemar	yep, it should	02:21
morganfainberg	notstevemar, bigger issue to have inconsistent data format... how do you write code to a spec that changes based upon <things>	02:22
notstevemar	i hear ya	02:22
morganfainberg	notstevemar, so fix keystone methinks	02:22
notstevemar	okay, so fix keystone	02:22
notstevemar	get out of my brain	02:22
*** lhcheng has quit IRC		02:23
notstevemar	tis not a safe place	02:23
ayoung	gsilvis, so the current contract between ATM and KC is:	02:23
ayoung	http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/common/cms.py#n131	02:23
ayoung	gsilvis, I think it would better be something like	02:24
ayoung	def verify_signature(signed, certificate_cache, inform=PKI_ASN1_FORM):	02:24
gsilvis	That sounds reasonable, yeah	02:25
ayoung	notstevemar, if I promise to document the hell out of "kerberos" as a method will you remove your -1 and +A https://review.openstack.org/#/c/123614/	02:26
ayoung	notstevemar, I can't even submit a version of the Django patch that will pass the tests until we get a released version of ^^	02:26
ayoung	gsilvis, then we declare a cache object that knows about a backing store and maybe has a dictionary to avoid parsing everything every time	02:27
ayoung	gsilvis, the dictionary will let us go from certificate to the CA cert that signed it in one swell foop	02:27
notstevemar	ayoung, OK, just wondering about the requirements remark	02:28
morganfainberg	ayoung, python-keystoneclient-krb?	02:28
ayoung	morganfainberg, yep	02:29
gsilvis	ayoung: yup	02:29
morganfainberg	which requirements remark?	02:29
notstevemar	https://review.openstack.org/#/c/123614/17/requirements.txt	02:29
notstevemar	morganfainberg, maybe you know	02:29
morganfainberg	oh crud	02:29
morganfainberg	i failed at getting requirements repo running against that project	02:29
morganfainberg	thats the issue	02:29
morganfainberg	yes it should match, no we're not gating on it	02:29
notstevemar	morganfainberg, is that something we can fix in another patch?	02:30
morganfainberg	let me get that fixed ASAP	02:30
morganfainberg	so. fix it to match global reqs please.	02:30
ayoung	ok, we good?	02:30
morganfainberg	i'll make it so infra is gating on that stuff.	02:30
morganfainberg	oh	02:31
ayoung	morganfainberg, can we do that in another patch?	02:31
morganfainberg	hay we are gating on it	02:31
morganfainberg	phew	02:31
morganfainberg	oh wait	02:31
morganfainberg	this is a comment	02:31
morganfainberg	meh	02:31
morganfainberg	fix later	02:31
notstevemar	alright	02:31
notstevemar	+A!	02:31
ayoung	thanks guys	02:31
ayoung	much appreciated	02:31
notstevemar	np!	02:31
morganfainberg	comments aren't as important in this case.	02:31
notstevemar	now submit another patch to fix it :)	02:32
notstevemar	ayoung, ^ hehe	02:32
ayoung	wilco	02:32
notstevemar	and yeah, we definitely need to doc it somewhere, not sure where... the apis list most of the authN varieties, maybe under there makes the most sense	02:33
openstackgerrit	A change was merged to openstack/python-keystoneclient-kerberos: kerberos client plugin https://review.openstack.org/123614	02:33
morganfainberg	wow that was fast	02:33
morganfainberg	oh hah no temptest tests	02:33
notstevemar	probably under here http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#authenticate	02:34
notstevemar	hehe	02:34
morganfainberg	we also need to make sure keystoneclient can load it?	02:34
notstevemar	i totally thought this pic was of ayoung in my twitter feed https://twitter.com/rafejudkins/status/527269375225524225	02:34
notstevemar	at first glance	02:34
ayoung	close	02:35
morganfainberg	notstevemar, ayoung, before we release that - we need a test to make sure keystoneclient can load it.	02:35
morganfainberg	probably something generic so we can make sure all of these plugins are tested on the keystoneclient side as well.	02:35
ayoung	morganfainberg, I was thinking that was a tempest thing, but it needs to be released first	02:36
morganfainberg	ayoung, i'd look more like how global-requirements works for projects.txt	02:36
*** tellesnobrega_ has joined #openstack-keystone		02:36
*** alex_xu has quit IRC		02:36
morganfainberg	ayoung, since tbh right now i can't guarantee keystoneclient is goign to be able to use it based on a specific change for either side.	02:37
ayoung	ok	02:37
morganfainberg	ayoung, you see my concern?	02:37
morganfainberg	should be an easy gate test to get added though	02:37
ayoung	deal	02:37
morganfainberg	just help me figure out how to do it and we'll get it in place. we'll run it on each change to keystoenclient and each change for the "out of tree" plugins	02:38
morganfainberg	should keep us from breaking things in awful ways	02:38
morganfainberg	huh i kinda wish etherpad had a "lock this etherpad" administrative function	02:39
notstevemar	except i don't think it has any sense of admin-ness	02:39
morganfainberg	notstevemar, it doesn't	02:39
ayoung	morganfainberg, there is a shorthand for loading plugins in KC	02:40
ayoung	I'm not certain if it can load a plugin without actually trying to do something with it, but that should be OK	02:41
morganfainberg	sure	02:41
ayoung	morganfainberg, jamielennox brought it up last we talked.	02:42
*** ncoghlan_afk is now known as ncoghlan		02:42
*** ncoghlan is now known as ncoghlan_afk		02:42
*** dims__ has joined #openstack-keystone		02:47
*** tellesnobrega_ has quit IRC		02:49
ayoung	morganfainberg, found it! http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/auth/base.py#n29	02:50
ayoung	so we do	02:50
nkinder	yay, py-ksc-kerb merged!	02:50
morganfainberg	thats a good starting place	02:50
ayoung	keystoneclient.auth.base.get_plugin_class("v3kerberos")	02:50
*** alex_xu has joined #openstack-keystone		02:50
morganfainberg	ayoung, yeah that should at least validate we can create eveything we need	02:50
morganfainberg	the way i see it, this script (look at requirements projects.txt test) should live in keystoneclient	02:51
*** tellesnobrega_ has joined #openstack-keystone		02:51
ayoung	morganfainberg, would it make sense to have that test in the p-kc-kerb test suite?	02:51
ayoung	OK	02:51
morganfainberg	we'll get the gate job running for all external-from-ksc tree plugins as well as ksc	02:51
ayoung	deal	02:51
morganfainberg	that way we can make sure that interface changes don't break things (yay for stable interfaces, right?)	02:52
*** dims__ has quit IRC		02:52
ayoung	nkinder, so I can't hit http://horizon.younglogic.net:35357/ from outside the machine, but I can from inside. I even stopped iptables, so it isn't firewall	02:52
morganfainberg	if we move keystone to using stevedore for it's drivers (we should) same kind of test will be needed. we will need to make those interfaces rock solid vs "changing when we feel like it")	02:52
morganfainberg	but i'd like a world where you can install keystone-ldap-identity	02:53
morganfainberg	instead of needing to carry the ldap identity driver locally.	02:53
ayoung	morganfainberg, my goals are more modest. Right now, I think I'm sunk with the service catalog having /v2.0 in it. Need to be able to do /v3 from auth_token middleware	02:54
morganfainberg	ayoung, those are all looong term goals	02:54
ayoung	they need to be short term goals	02:54
ayoung	or we are stuck with v2.0	02:54
morganfainberg	no my comments ^	02:54
morganfainberg	not your goals ;)	02:54
morganfainberg	your goals are good for shorter term	02:55
* morganfainberg needs new noise cancelling headphones (over-ear)		02:55
morganfainberg	any suggestions?	02:55
ayoung	morganfainberg, ah, I don't think your goals are too unrealistic	02:58
ayoung	keystone-ldap-identity goes into its own repo?	02:58
morganfainberg	ayoung, that would be my goal.	02:58
*** alex_xu has quit IRC		02:59
ayoung	++	02:59
morganfainberg	or maybe not even, but conceptually	02:59
ayoung	what would be the relationship between entrypoints and the paste file?	02:59
ayoung	morganfainberg, we certainly should do that for extensions	02:59
ayoung	and then make everything an extension	03:00
morganfainberg	ayoung, i have some serious concerns with the extension model.	03:00
ayoung	OSPy	03:00
morganfainberg	we need to chat at the summit about it	03:00
ayoung	OSGPy	03:00
ayoung	sed -s !extensions!drivers!g	03:00
morganfainberg	yes drivers != extensions, the extensions are a bit more weird.	03:00
nkinder	ayoung: that's strange. What does netstat show for port 35357?	03:01
ayoung	nkinder, on horizon.youinglogic.net...let me see	03:01
ayoung	nkinder, haven't run it in ages...what options should I use	03:02
*** gyee has quit IRC		03:03
ayoung	nkinder, I can connect internal, which leads me to think it is an issue with public/private ip addresses	03:05
*** alex_xu has joined #openstack-keystone		03:05
ayoung	this is running on an openstack deployment	03:05
*** richm has quit IRC		03:09
*** r1chardj0n3s is now known as r1chardj0n3s_afk		03:11
*** ayoung is now known as ayoung-ZZZzz		03:13
*** ncoghlan_afk is now known as ncoghlan		03:14
ayoung-ZZZzz	nkinder, it is firewall, at the Nova/Neutron level	03:17
*** samuelms_home has quit IRC		03:23
*** chrisshattuck has joined #openstack-keystone		03:26
*** alex_xu has quit IRC		03:33
*** alex_xu has joined #openstack-keystone		03:46
*** tellesnobrega_ has quit IRC		03:51
*** tellesnobrega_ has joined #openstack-keystone		03:52
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient-kerberos: Format requirements correctly and sync with global req https://review.openstack.org/131630	04:11
notstevemar	ayoung-ZZZzz, nkinder morganfainberg ^	04:11
openstackgerrit	David Stanek proposed a change to openstack/keystone-specs: Alembic for SQL migrations https://review.openstack.org/131531	04:12
nkinder	notstevemar: so Babel just wasn't used?	04:14
notstevemar	nkinder, there are no translation markings or jobs for it, so ... meh	04:15
notstevemar	nkinder, also https://github.com/openstack/python-keystoneclient-kerberos/search?utf8=%E2%9C%93&q=babel	04:15
nkinder	notstevemar: yeah, makes sense	04:15
*** marcoemorais has joined #openstack-keystone		04:16
nkinder	notstevemar: that must have just been copied from somewhere when the repo was set up	04:16
notstevemar	nkinder, likely	04:18
notstevemar	nkinder, the patch was mostly for the req-kerb syntax, then i realized it's actually incorrect :\|	04:18
notstevemar	it had an underscore instead of a dash	04:18
nkinder	notstevemar: pip seems to find it either way	04:19
notstevemar	nkinder, yeah! which is weird	04:19
nkinder	yeah	04:19
nkinder	notstevemar: jamielennox had mentioned something about updating projects.txt to add py-ksc-krb, but I don't see a pending review for it	04:19
notstevemar	nkinder, it's already there	04:19
nkinder	notstevemar: really?	04:20
notstevemar	nkinder, http://stackoverflow.com/questions/19097057/pip-e-no-magic-underscore-to-dash-replacement	04:20
notstevemar	yep https://github.com/openstack/requirements/blob/master/projects.txt#L54	04:20
nkinder	notstevemar: sorry, talking about https://git.openstack.org/cgit/openstack/requirements/tree/projects.txt	04:20
notstevemar	-federation needs to be there...	04:20
notstevemar	yep, it's there	04:20
notstevemar	to be fair, it was added 2 days ago	04:21
nkinder	hmmm, stale tab	04:21
nkinder	shift-reload is magic! ;)	04:21
notstevemar	skip that cache!	04:21
*** marcoemorais1 has joined #openstack-keystone		04:21
*** harlowja is now known as harlowja_away		04:21
*** tellesnobrega_ has quit IRC		04:22
nkinder	notstevemar: looks like it merged today - https://git.openstack.org/cgit/openstack/requirements/commit/	04:22
nkinder	I didn't remember opening that 2 days ago...	04:22
*** marcoemorais has quit IRC		04:23
notstevemar	looks like it was jamielennox	04:23
notstevemar	https://review.openstack.org/#/c/131065/	04:24
*** lhcheng has joined #openstack-keystone		04:26
morganfainberg	notstevemar, https://review.openstack.org/#/c/131624/	04:28
morganfainberg	ah you found it	04:28
notstevemar	pfft hours ago	04:28
notstevemar	morganfainberg, for you https://review.openstack.org/#/c/131630/	04:30
morganfainberg	wierd that the proposal bot hasn't run for it...	04:30
morganfainberg	also...	04:31
morganfainberg	-kerberos needs py33/py34 testing	04:31
*** lhcheng_ has joined #openstack-keystone		04:31
nkinder	morganfainberg: I want to say there was a problem with py3...	04:31
nkinder	morganfainberg: perhaps it was requests-kerberos doesn't support it. ayoung-ZZZzz would know for sure	04:32
morganfainberg	running the expirimental check	04:32
morganfainberg	ImportError: No module named 'commands'	04:32
morganfainberg	Downloading/unpacking kerberos==1.1.1 doesn't support py3k	04:33
nkinder	I might be thinking of python-kerberos though	04:33
morganfainberg	nkinder, yep	04:33
morganfainberg	python-kerberos looks b0rked for py3k	04:33
nkinder	so there was some discussion about a port of ot that is out there and a python-gssapi effort	04:33
morganfainberg	https://review.openstack.org/#/c/131630/	04:33
notstevemar	i think that was also part of the reasoning for putting it in it's own repo	04:33
nkinder	ayoung-ZZZzz can give us the scoop on it, but there was a path forward	04:34
morganfainberg	see the py34 test run failure	04:34
nkinder	notstevemar: yep	04:34
*** lhcheng has quit IRC		04:34
nkinder	morganfainberg: I believe there has been discussion with the maintainers of two different python-gssapi modules to merge efforts	04:36
nkinder	this one - https://github.com/sigmaris/python-gssapi	04:36
morganfainberg	i'm a fan if we can make it happen :)	04:37
nkinder	and this one - https://github.com/directxman12/python-gssapi	04:37
nkinder	morganfainberg: should be doable. The latter is from a Nova developer who works here at RH	04:37
morganfainberg	notstevemar, wow this spec is only (i think) missing one thing to be ... well lack of a better word pretty good: https://review.openstack.org/#/c/130376/6	04:37
morganfainberg	notstevemar, it needs to fix the comment that the "auth plugin" is configured via the paste pipeline	04:38
notstevemar	hehe, that's a silly comment	04:38
morganfainberg	but i mean... that pretty much sums up what i was hoping to see to support MFA for keystone auth	04:38
notstevemar	i've had that spec queued up for reading, but lazy	04:38
morganfainberg	the spec pretty much hits exactly how i'd see it implemented.	04:39
morganfainberg	and i've heard that request a lot	04:39
morganfainberg	"can we have possession factor added for auth"	04:39
morganfainberg	rsa, hotp/totp (google), etc	04:39
morganfainberg	in theory this could even require X509 client cert + password auth.	04:40
nkinder	morganfainberg: if we use IPA, via LDAP it has native OTP support in recent versions...	04:40
nkinder	morganfainberg: so we'd get it for free	04:41
morganfainberg	nkinder, we'd still need to pass the info to the underlying system	04:41
nkinder	yubikey, google authenticator, etc.	04:41
morganfainberg	would need to be part of the auth plugin	04:41
nkinder	morganfainberg: no, it goes through the LDAP bind	04:41
morganfainberg	the ldap bind needs the info though, right?	04:41
nkinder	morganfainberg: but we do need to pass it in as the password	04:41
nkinder	morganfainberg: well, the password you supply is pin+code	04:41
morganfainberg	which has to come in via the REST api	04:41
morganfainberg	oh i see	04:42
morganfainberg	so it'd just be a "different" password model	04:42
morganfainberg	sure.	04:42
morganfainberg	e.g. my password is <totp>+password	04:42
nkinder	password+totp	04:42
morganfainberg	heh ok	04:42
morganfainberg	doesn't mean it works in all cases though, an auth plugin that covers the other cases would be good.	04:43
morganfainberg	is it always totp? or can it do HTOP too?	04:43
morganfainberg	IPA that is	04:43
morganfainberg	HOTP*	04:43
nkinder	there was work going on for both IIRC. I'd have to see where it's at with regards to HOTP	04:43
nkinder	there was also an ability to have a radius proxy to hook in other systems behind IPA	04:44
morganfainberg	so, i think having an auth plugin + support in keystone makes sense.	04:44
morganfainberg	with IPA you can use the native TOTP support instead if desired	04:44
nkinder	morganfainberg: http://www.freeipa.org/page/V4/OTP	04:44
morganfainberg	yep	04:44
morganfainberg	nice. and yes i am very interested in seeing if we can get ipa running under trusty...and then make it the recommended way to deploy keystone	04:45
morganfainberg	it's as if a million SQL servers suddenly cried out with a sigh of relief.	04:46
nkinder	I think that design page is slightly out of date, as one of the other IPA devs mentions that HOTP is working - http://blog-ftweedal.rhcloud.com/2014/07/otp-authentication-in-freeipa/	04:46
morganfainberg	nice.	04:46
morganfainberg	so 2fa requires a BIND and can't be done via COMPARE ?	04:47
*** nikunj2512 has joined #openstack-keystone		04:47
morganfainberg	hm.	04:47
morganfainberg	not clear will need to try it out	04:48
nkinder	we don't use COMPARE though	04:48
notstevemar	morganfainberg, whats this mean: "Add a new multi-factor auth-plugin that replaces "password""	04:48
morganfainberg	it might work with compare	04:48
nkinder	BIND is pretty normal	04:48
notstevemar	i don't like replacing things	04:48
nkinder	and it's what we use. A compare would require exposing the password hash via LDAP, which is not good	04:48
morganfainberg	notstevemar, you would instead use password_plugin=NewShiny2faPasswordPlugin	04:48
morganfainberg	notstevemar, instead of password=passwordplugin	04:49
morganfainberg	notstevemar, config options	04:49
notstevemar	isn't that "Add a new One-time password authentication driver"	04:49
morganfainberg	nkinder, i was under the impression compare worked like: Compare(<non-hashed-password> dn)	04:49
morganfainberg	notstevemar, there are a couple way to cut it, but i was thinking it was a "enable 2fa with the password plugin" vs a true/false toggle	04:50
morganfainberg	the "backend" stuff to do things like TOTP based on secret would be configurable as well	04:50
morganfainberg	nkinder, so my understanding is COMPARE() used the unhashed password, and you send it to the server and it does the hashing and comparison for the user's DN.	04:51
morganfainberg	vs. needing a full BIND (aka, could be done anonymous / service user wise)	04:51
morganfainberg	but if it requires hashed password, it's a nogo	04:51
*** chrisshattuck has quit IRC		04:51
nkinder	morganfainberg: that approach is not widely used from what I've seen	04:52
morganfainberg	nkinder, sure. maybe it's more of an AD-ism	04:52
morganfainberg	iirc mostly it's the AD folks who talked about that	04:52
notstevemar	morganfainberg, right, so new section for [2fa] that has TOTP and HOTP stuff, and a global enable switch, and then under [auth] you can change 'password' to be normal or shiny2FA	04:52
morganfainberg	notstevemar, no need for the global switch	04:52
notstevemar	y not	04:52
morganfainberg	yeah that was my thought	04:53
morganfainberg	so a deployer can't be accidently bitten by this cause someone wedge in the 2fa attributes in a strange way	04:53
morganfainberg	and i dislike the true/false toggles	04:53
morganfainberg	since we already have plugins that can do things... make the plugin smart?	04:53
morganfainberg	this could all even be done out-of-tree	04:53
morganfainberg	a 2fa password plugin that implents the manager bits for itself etc.	04:54
morganfainberg	the only question is getting the secret in that case.	04:54
morganfainberg	notstevemar, you missed my "i want keystone drivers to use stevedore and be able to be developed out of tree" comment sets	04:54
morganfainberg	long ter	04:55
morganfainberg	m	04:55
notstevemar	i did indeed	04:55
*** morganfainberg is now known as mightbestevemar		04:55
* mightbestevemar needs to convince everyone in this channel to "pick a stevemar name"		04:56
*** links has joined #openstack-keystone		05:03
*** mightbestevemar is now known as morganfainberg		05:04
*** r1chardj0n3s_afk is now known as r1chardj0n3s		05:14
*** alex_xu has quit IRC		05:15
*** alex_xu has joined #openstack-keystone		05:16
nikunj2512	Hi, can a non-admin user change their email address using v2 api??	05:21
*** r1chardj0n3s is now known as r1chardj0n3s_afk		05:51
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/130929	06:07
*** afazekas is now known as __afazekas		06:11
*** lhcheng_ has quit IRC		06:17
nikunj2512	How can i use v3 api in keystone??	06:23
nikunj2512	Does anyone knows while installing devstack, how can i set keystone to use V3 api instead of v2??	06:26
*** ukalifon1 has joined #openstack-keystone		06:36
jacer_huawei	Currently, only openstack client support v3 api.	06:41
jacer_huawei	openstack --os-identity-api-version=3	06:43
notstevemar	nikunj2512, i think jacer_huawei answered your question... but http://docs.openstack.org/developer/keystone/cli_examples.html#using-python-openstackclient-v3	06:45
*** amcrn has quit IRC		06:45
*** jacer_huawei has quit IRC		06:49
nikunj2512	jacer_huawei, notstevemar: thank You	06:49
*** wanghong has joined #openstack-keystone		06:53
*** tomoiaga has joined #openstack-keystone		07:03
*** afazekas has joined #openstack-keystone		07:03
*** ncoghlan is now known as ncoghlan_afk		07:27
*** nellysmitt has joined #openstack-keystone		07:28
*** wanghong has quit IRC		07:32
*** wanghong has joined #openstack-keystone		07:51
*** ncoghlan_afk is now known as ncoghlan		07:52
*** henrynash has joined #openstack-keystone		08:04
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Update templated catalog to return IDs for endpoints https://review.openstack.org/131663	08:08
*** gokrokve has joined #openstack-keystone		08:09
openstackgerrit	Mehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend https://review.openstack.org/131515	08:13
*** jaosorior has joined #openstack-keystone		08:14
*** notstevemar has quit IRC		08:14
*** ncoghlan is now known as ncoghlan_afk		08:14
openstackgerrit	Mehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend https://review.openstack.org/131515	08:16
*** henrynash has quit IRC		08:17
openstackgerrit	Mehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend https://review.openstack.org/131515	08:18
openstackgerrit	Mehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend https://review.openstack.org/131515	08:20
*** ncoghlan_afk is now known as ncoghlan		08:27
*** k4n0 has joined #openstack-keystone		08:28
*** wanghong has quit IRC		08:34
*** wanghong has joined #openstack-keystone		08:41
*** ajayaa has joined #openstack-keystone		08:46
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Create a framework for federation plugins https://review.openstack.org/130564	08:52
*** jistr has joined #openstack-keystone		09:06
*** aix has joined #openstack-keystone		09:11
*** dims__ has joined #openstack-keystone		09:15
*** alex_xu has quit IRC		09:18
*** dims__ has quit IRC		09:19
*** cjellick_ has joined #openstack-keystone		09:24
openstackgerrit	A change was merged to openstack/keystonemiddleware: Use connection retrying from keystoneclient https://review.openstack.org/129868	09:26
openstackgerrit	A change was merged to openstack/keystonemiddleware: Use an adapter in IdentityServer https://review.openstack.org/130530	09:26
*** cjellick has quit IRC		09:27
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: fallback to online validation if offline validation fails https://review.openstack.org/131036	09:31
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list https://review.openstack.org/127459	09:32
openstackgerrit	A change was merged to openstack/keystonemiddleware: Add versions to requests https://review.openstack.org/130531	09:32
*** wanghong has quit IRC		09:33
*** marcoemorais1 has quit IRC		09:41
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list https://review.openstack.org/127459	09:41
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: call _choose_api_version in one place https://review.openstack.org/127866	09:41
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: support micro version if sent https://review.openstack.org/130916	09:45
*** wanghong has joined #openstack-keystone		09:47
*** gokrokve has quit IRC		09:47
*** gokrokve has joined #openstack-keystone		10:00
*** gokrokve has quit IRC		10:06
*** gokrokve has joined #openstack-keystone		10:06
*** nkinder has quit IRC		10:07
*** nkinder has joined #openstack-keystone		10:11
*** gokrokve has quit IRC		10:11
*** aix has quit IRC		10:21
*** gokrokve has joined #openstack-keystone		10:25
*** gokrokve has quit IRC		10:25
*** gokrokve has joined #openstack-keystone		10:26
*** dims__ has joined #openstack-keystone		10:30
*** gokrokve has quit IRC		10:30
*** gokrokve has joined #openstack-keystone		10:30
*** gokrokve has quit IRC		10:32
*** gokrokve has joined #openstack-keystone		10:33
*** ajayaa has quit IRC		10:34
*** gokrokve has quit IRC		10:35
*** gokrokve has joined #openstack-keystone		10:35
*** gokrokve has quit IRC		10:40
*** aix has joined #openstack-keystone		10:53
*** gokrokve has joined #openstack-keystone		11:01
*** nikunj2512 has quit IRC		11:03
*** gokrokve has quit IRC		11:05
*** gokrokve has joined #openstack-keystone		11:06
openstackgerrit	A change was merged to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests https://review.openstack.org/130247	11:06
*** ajayaa has joined #openstack-keystone		11:06
*** ajaya has joined #openstack-keystone		11:07
*** gokrokve has quit IRC		11:10
*** boris-42 has quit IRC		11:11
*** ajaya has quit IRC		11:16
*** ajaya has joined #openstack-keystone		11:16
*** vb123 has joined #openstack-keystone		11:20
vb123	hello, I am running icehouse keystone configured by puppet-keystone and am getting the following start-up error:	11:22
vb123	keystone ImportError: No module named persistence.backends.sql	11:22
vb123	I wonder if it is wrong version of openstack to test the configuration	11:22
*** tellesnobrega_ has joined #openstack-keystone		11:25
*** afaranha_ has joined #openstack-keystone		11:25
*** amakarov_away is now known as amakarov		11:29
*** vhoward has joined #openstack-keystone		11:31
*** andreaf_ has joined #openstack-keystone		11:33
*** andreaf_ is now known as andreaf		11:36
*** nikunj2512 has joined #openstack-keystone		11:36
*** gokrokve has joined #openstack-keystone		11:47
amakarov	vb123, hi! You'd better file a bug and refer to it here. Maybe more experienced people can help you but I can't even imagine how you've got this error :)	11:50
vb123	amakarov: thanks :)	11:56
*** tellesnobrega_ has quit IRC		12:03
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy https://review.openstack.org/130103	12:08
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects https://review.openstack.org/130277	12:14
*** wanghong has quit IRC		12:18
*** gokrokve has quit IRC		12:21
*** dims__ has quit IRC		12:24
*** dims__ has joined #openstack-keystone		12:24
*** shikui__ has joined #openstack-keystone		12:28
*** ayoung-ZZZzz is now known as ayoung		12:33
*** wanghong has joined #openstack-keystone		12:35
*** vejdmn has joined #openstack-keystone		12:36
*** vejdmn has quit IRC		12:40
*** vejdmn has joined #openstack-keystone		12:41
*** gokrokve has joined #openstack-keystone		12:44
*** gokrokve has quit IRC		12:45
*** jxxxxx has joined #openstack-keystone		12:46
*** Krast has joined #openstack-keystone		12:48
*** radez_g0n3 is now known as radez		12:51
*** nikunj2512 has quit IRC		12:51
*** nikunj2512 has joined #openstack-keystone		12:54
*** nikunj2512 has quit IRC		12:58
*** richm has joined #openstack-keystone		13:04
*** junhongl has quit IRC		13:13
*** junhongl has joined #openstack-keystone		13:13
*** nkinder has quit IRC		13:15
openstackgerrit	Alexander Makarov proposed a change to openstack/keystone: Trust redelegation https://review.openstack.org/126897	13:15
*** gordc has joined #openstack-keystone		13:17
*** tellesnobrega_ has joined #openstack-keystone		13:18
*** bknudson has joined #openstack-keystone		13:24
*** gokrokve has joined #openstack-keystone		13:24
*** joesavak has joined #openstack-keystone		13:24
*** miqui has joined #openstack-keystone		13:32
*** david-lyle has joined #openstack-keystone		13:37
*** afaranha has quit IRC		13:37
*** afaranha_ has quit IRC		13:37
*** david-lyle has quit IRC		13:43
*** Krast has quit IRC		13:43
*** jsavak has joined #openstack-keystone		13:44
*** raildo has quit IRC		13:44
*** jsavak has quit IRC		13:45
*** joesavak has quit IRC		13:47
*** nellysmitt has quit IRC		13:52
*** sigmavirus24_awa is now known as sigmavirus24		13:53
*** nkinder has joined #openstack-keystone		14:02
*** raildo has joined #openstack-keystone		14:09
*** andreaf has quit IRC		14:11
*** andreaf has joined #openstack-keystone		14:12
*** saipandi has joined #openstack-keystone		14:18
*** links has quit IRC		14:26
*** stevemar has joined #openstack-keystone		14:28
dolphm	vb123: it looks like you're running stable/icehouse code with a juno keystone.conf	14:31
lbragstad	dstanek: around?	14:36
*** edmondsw has joined #openstack-keystone		14:37
edmondsw	dstanek: note that I submitted a new patch set on https://review.openstack.org/#/c/131326/ that should be easier for you to review than what you started looking at yesterday	14:39
lbragstad	edmondsw I'm testing your patch...	14:40
lbragstad	not sure, but maybe http://pythex.org/ will help..	14:41
edmondsw	I just wrote a small python test program to test it, besides the unit tests I submitted in that patch set, but you're welcome to use pythex.org if you prefer	14:41
edmondsw	lbragstad: if you're using pythex.org, you'll probably need to write a script to generate the regex for you, since it's now using substitution strings and I doubt pythex.org will handle that	14:48
lbragstad	edmondsw: yeah, I did	14:48
lbragstad	edmondsw: http://254.101.101.101:5000 fails validation	14:49
edmondsw	hmm...	14:50
lbragstad	edmondsw: http://pasteraw.com/etn9tq841zf1ylsuvb6omrdfw9mdd57	14:50
lbragstad	resulted in 5 failed test cases: SchemaValidationError: Invalid input for field 'url'. The value is 'http://254.101.101.101:5000'.	14:51
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Update templated catalog to return IDs for endpoints https://review.openstack.org/131663	14:51
*** david-lyle has joined #openstack-keystone		14:52
*** thedodd has joined #openstack-keystone		14:56
edmondsw	lbragstad: think I see the problem	14:56
*** henrynash has joined #openstack-keystone		14:57
*** cjellick_ has quit IRC		15:01
lbragstad	edmondsw: what python program did you write to test this?	15:04
edmondsw	didn't really... using pdb	15:05
edmondsw	just copied/pasted into another script to make that easier	15:05
*** tellesnobrega_ has quit IRC		15:10
*** tomoiaga has quit IRC		15:10
openstackgerrit	werner mendizabal proposed a change to openstack/keystone-specs: Multifactor Authentication https://review.openstack.org/130376	15:11
*** shikui__ has quit IRC		15:14
openstackgerrit	werner mendizabal proposed a change to openstack/keystone-specs: Multifactor Authentication https://review.openstack.org/130376	15:14
openstackgerrit	Matthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support https://review.openstack.org/131326	15:25
edmondsw	lbragstad: that should fix it	15:25
*** cjellick has joined #openstack-keystone		15:35
*** topol has joined #openstack-keystone		15:35
*** ajaya has quit IRC		15:49
*** gokrokve has quit IRC		15:50
ayoung	edmondsw, I likeyour IPv6 support stuff. Thanks for doing it.	15:52
edmondsw	ayoung, thanks for your thanks :)	15:52
*** jorge_munoz has joined #openstack-keystone		15:53
ayoung	edmondsw, I recall that there was a slew of improper IPv6 address possibilities. The Reg Ex is hard to get right. I think you have it right (as I recall)	15:53
ayoung	seems a shame to have to brute force the :: shorthand, but, as I recall, that was the right solution	15:54
ayoung	been a few years since I've looked at V6	15:54
edmondsw	yeah, it's certainly not simple	15:54
edmondsw	this is taken pretty much straight from the RFCs, just converting ABNF into python regex	15:55
*** _cjones_ has joined #openstack-keystone		15:56
jamielennox	gordc: ping	16:02
jamielennox	gordc: what's happening with _get_aliases in middleware?	16:02
*** k4n0 has quit IRC		16:03
*** vhoward has left #openstack-keystone		16:14
*** marcoemorais has joined #openstack-keystone		16:19
morganfainberg	Morning	16:25
*** vejdmn has quit IRC		16:27
*** vejdmn has joined #openstack-keystone		16:28
*** vejdmn has quit IRC		16:28
*** vejdmn has joined #openstack-keystone		16:29
*** lhcheng has joined #openstack-keystone		16:30
*** afaranha has joined #openstack-keystone		16:33
*** gokrokve has joined #openstack-keystone		16:35
*** gokrokve has quit IRC		16:36
*** zhiyan has quit IRC		16:36
*** vejdmn has quit IRC		16:37
*** jraim has quit IRC		16:37
*** serverascode__ has quit IRC		16:37
*** vejdmn has joined #openstack-keystone		16:38
*** ctracey has quit IRC		16:38
*** gokrokve has joined #openstack-keystone		16:39
*** gyee has joined #openstack-keystone		16:39
ayoung	jamielennox, hey, just tried using OSC with a domain_i of YOUNGLOGIC.NET and it seemed to fail on validation. Is something doing the "assume it is a uuid for an id" trick in there, and ,if so, is it KC or OSC?	16:40
*** gokrokve has quit IRC		16:40
jamielennox	well ksc won't do anything	16:41
jamielennox	ayoung: umm, why would that be the domain_id, it just seems like it should be domain_name?	16:42
morganfainberg	Validation failed in osc or at keystone? It might be the "."	16:42
dstanek	lbragstad: just saw your message	16:43
*** vejdmn has quit IRC		16:43
lbragstad	we were working through the ip regex	16:43
*** marcoemorais has quit IRC		16:43
lbragstad	dstanek: ayoung started looking at it too	16:44
*** vejdmn has joined #openstack-keystone		16:44
ayoung	jamielennox, itis both	16:44
dstanek	bknudson: are you saying that we should not validate URLs at all?	16:45
ayoung	morganfainberg, seems to have failed on the client side	16:45
morganfainberg	ayoung: ^	16:45
*** vejdmn has quit IRC		16:45
morganfainberg	ah	16:45
morganfainberg	Hmmm	16:45
morganfainberg	Maybe osc is assuming (wrongly) domain is is always a uuid	16:46
ayoung	morganfainberg, that is my guess	16:46
*** vejdmn has joined #openstack-keystone		16:46
ayoung	but it might be KC that is doing that logic	16:46
morganfainberg	Does "default" work?	16:46
ayoung	yeah	16:46
morganfainberg	Erp. Werid	16:46
morganfainberg	Can't you try a domain with no . ?	16:47
ayoung	morganfainberg, $ openstack --os-identity-api-version 3 --os-auth-url http://$HOSTNAME:35357/v3 --os-username admin --os-password Secret12 --os-user-domain-name Default --os-project-domain-name Default --os-project-name admin project create --domain "YOUNGLOGIC.NET" --description "Example Projects" example	16:47
ayoung	ERROR: openstack Invalid input for field 'domain_id'. The value is 'YOUNGLOGIC.NET'. (HTTP 400)	16:47
*** marcoemorais has joined #openstack-keystone		16:47
morganfainberg	That isn't default	16:47
lbragstad	ayoung: that looks like a schema validation error	16:48
morganfainberg	Yeah. My guess is the "."	16:48
morganfainberg	lbragstad: ^	16:48
* morganfainberg is mobile so slow to look.		16:48
lbragstad	ayoung: https://github.com/openstack/keystone/blob/f45b3e5e0000f33c3da0349a0f475d5de71ee9de/keystone/assignment/schema.py#L22	16:49
ayoung	lbragstad, and id_string?	16:49
lbragstad	ayoung: https://github.com/openstack/keystone/blob/f45b3e5e0000f33c3da0349a0f475d5de71ee9de/keystone/common/validation/parameter_types.py#L37	16:49
lbragstad	so, yeah... looks like it's the period	16:49
ayoung	bah!	16:49
lbragstad	because 'id_string' is assuming a string that represents some uuid	16:50
lbragstad	not a URL	16:50
lbragstad	or a 'domain-name'	16:50
morganfainberg	lbragstad: it looks like it is any string.	16:50
*** browne has joined #openstack-keystone		16:50
ayoung	'pattern': '^[a-zA-Z0-9-]+$'	16:50
morganfainberg	But t not consistent. Some cases it uses string some cases it doesn't validate.	16:50
openstackgerrit	Matthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support https://review.openstack.org/131326	16:51
lbragstad	it validates for domain_id	16:51
lbragstad	so when you use --domain for OSC it builds the request with that as the domain_id	16:51
lbragstad	right?	16:51
lbragstad	see the description of domain_id here: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#projects-v3projects	16:52
morganfainberg	lbragstad, https://github.com/openstack/keystone/blob/master/keystone/assignment/schema.py#L59-L66 vs https://github.com/openstack/keystone/blob/master/keystone/assignment/schema.py#L22	16:53
*** amerine has joined #openstack-keystone		16:53
morganfainberg	lbragstad, ah	16:54
morganfainberg	lbragstad, controller assignes a unique id	16:54
morganfainberg	so in one case we assume you never can have a domain that isn't that regex^	16:54
morganfainberg	unless you use ldap assignment / something else to create the domain	16:55
*** haneef has joined #openstack-keystone		16:56
*** marekd is now known as marekd\|away		16:58
*** vejdmn has quit IRC		16:59
*** vejdmn has joined #openstack-keystone		17:00
lbragstad	morganfainberg: right	17:01
morganfainberg	ok. i've got to go rtakecare of some stuff pre-summit travel	17:02
morganfainberg	i'll be back on later.	17:03
dstanek	so what is the right thing so say when entering the country? i'm there for a conference or vacation? i don't want to be hung up on if i'm working like stevemar was.	17:04
morganfainberg	dstanek, yeah conference	17:05
morganfainberg	dstanek, at least thats what i always say	17:05
*** thedodd has quit IRC		17:05
stevemar	dstanek, always conference	17:05
lbragstad	ayoung: so your request from above should work if you replace YOUNGLOGIC.NET with the id of your domain	17:05
morganfainberg	dstanek, stevemar said "work"	17:05
stevemar	yeah, i was stupid	17:05
ayoung	lbragstad, it was the ID	17:05
ayoung	I changed the id from YOUNGLOGIC.NET to YOUNGLOGIC	17:05
morganfainberg	lbragstad, he has a domain ID that doesn't match the string regex	17:05
ayoung	but, still	17:05
dstanek	stevemar: morganfainberg: gracias	17:05
lbragstad	ayoung: did you create it through Keystone?	17:06
dstanek	that's about as good as my french gets	17:06
ayoung	lbragstad, probably	17:06
morganfainberg	jamielennox, you're on the hook for the cross-summit "keystone v3 adoption" session if you don't have any objections	17:06
ayoung	lbragstad, unfortunately this VM keeps locking me out, and I lose bash history, but I think I did	17:06
lbragstad	ayoung: interesting... looking at the keystone validation code and we don't allow users to specify their domain id in the request.	17:07
jamielennox	morganfainberg: i don't know what that means exactly - but umm ok	17:07
* lbragstad double checks		17:07
morganfainberg	jamielennox, i'm writing up the description for the summit session now	17:07
morganfainberg	feel free to jump in and help	17:07
morganfainberg	https://etherpad.openstack.org/p/kilo-crossproject-summit-topics	17:07
*** vejdmn has quit IRC		17:08
lbragstad	ayoung: https://github.com/openstack/keystone/blob/f45b3e5e0000f33c3da0349a0f475d5de71ee9de/keystone/assignment/controllers.py#L361	17:08
*** vejdmn has joined #openstack-keystone		17:08
*** vejdmn has quit IRC		17:08
*** vejdmn has joined #openstack-keystone		17:08
lbragstad	ayoung: looks like the controller takes care of it. https://github.com/openstack/keystone/blob/f45b3e5e0000f33c3da0349a0f475d5de71ee9de/keystone/common/controller.py#L558-L562	17:09
ayoung	lbragstad, I might ask to expand that Regex to include a dot. I think I want to be able to use the Kerberos REALM name as the domain ID, as that dictates what the userid will be in a multi-backend system	17:10
ayoung	sha256 {'ayoung', 'YOUNGLOGIC.NET'}	17:10
lbragstad	ayoung: since parameter_types.id_string is used by other things, we should create a new type. dstanek might have thoughts on that though	17:11
ayoung	nah, just let me put a dot into ids	17:11
ayoung	it is common enough. hostnames for example	17:11
lbragstad	ayoung: we cover that case with parameter_types.url	17:12
ayoung	not a full url, though	17:12
dstanek	i'd rather keep id_string the same since it was really to check things where we generate a uuid	17:12
jamielennox	morganfainberg: ok - you expecting a Q&A, or like for me to come with issues?	17:13
lbragstad	it protects what we generate for id from our controllers	17:13
dstanek	is there any reason we chose id_string for domain?	17:13
lbragstad	dstanek: domain_id is generated by the assignment controller	17:13
morganfainberg	jamielennox, http://paste.openstack.org/show/126599/ this was the initial description	17:13
lbragstad	so https://github.com/openstack/keystone/blob/f45b3e5e0000f33c3da0349a0f475d5de71ee9de/keystone/common/controller.py#L558-L562	17:14
morganfainberg	so i think this is where you have an audience and working group to say "hey so we need to do X, what is the way we get there" also Q/A from the other projects/folks	17:14
*** harlowja_away is now known as harlowja		17:16
*** vejdmn has quit IRC		17:16
jamielennox	morganfainberg: hmm, domain policies become interesting - do we have our policy session before or after that?	17:16
*** vejdmn has joined #openstack-keystone		17:16
*** vejdmn has quit IRC		17:16
morganfainberg	we have 2 policy sessions	17:16
morganfainberg	one cross-project one that will be right after the keystone adoption one	17:16
morganfainberg	and the our keystone-specific session a few days later	17:17
openstackgerrit	David Stanek proposed a change to openstack/keystone: Adds a wip decorator for tests https://review.openstack.org/131516	17:17
jamielennox	ok	17:17
*** vejdmn has joined #openstack-keystone		17:17
ayoung	dstanek, but that logic is so wrong as to be backwards	17:18
ayoung	we do UUIDs because they are nothing but strings, unique, but strings	17:19
ayoung	Gah	17:19
morganfainberg	jamielennox, i just added to the description in the ether pad	17:19
morganfainberg	please update as you see fit	17:19
ayoung	so...lets stop assuming IDs are UUIDs	17:19
ayoung	we need to start testing the living daylights out of the cloudsample policy, too	17:20
ayoung	and...Horizon is going to need some help on consuming domain tokens.	17:21
*** vejdmn has quit IRC		17:21
ayoung	Dagnabit, domains should have been projects from day 1	17:21
*** harlowja_ has joined #openstack-keystone		17:21
morganfainberg	ayoung, some things should only be uuids.	17:21
morganfainberg	ayoung, some things should be more flexible	17:21
ayoung	morganfainberg, not to the public API	17:21
*** harlowja has quit IRC		17:21
morganfainberg	ayoung, yes to the public API	17:21
*** vejdmn has joined #openstack-keystone		17:21
ayoung	morganfainberg, heh...just wait	17:22
ayoung	morganfainberg, OK, domain Id is not one of them	17:22
ayoung	because we use that to generate UserIds	17:22
morganfainberg	ayoung, ++ that is fine :)	17:22
ayoung	and we need to make sure that those are capable of being shared across multiple deployments	17:22
*** thiagop has joined #openstack-keystone		17:22
ayoung	but..knowing that requires deep knowledge of Keystone internals	17:22
morganfainberg	ayoung, correct	17:22
ayoung	the id_mapping approach really needs to be made optional	17:23
morganfainberg	ayoung, domain id should be more flexible than id_string	17:23
ayoung	well, same thing with user_id	17:23
morganfainberg	ayoung, it Cant be optional for non-default domains	17:23
ayoung	so what does that leave	17:23
morganfainberg	ayoung, with per-domain backends	17:23
ayoung	project id? nope	17:23
ayoung	that comes from LDAP in the Assignemtn backend	17:23
ayoung	groups ? same deal	17:23
ayoung	ids are typically in RDN format in LDAP	17:24
ayoung	do we allow commas? going to check	17:24
morganfainberg	ayoung, we do a lot of magic to make those urlsafe	17:24
morganfainberg	and no we don't not in id_string	17:24
ayoung	'pattern': '^[a-zA-Z0-9-]+$	17:24
ayoung	ok, so we just broke the LDAP assignement backend	17:24
*** vejdmn has quit IRC		17:24
ayoung	and...probably identity as well, but only in the R/W case	17:25
morganfainberg	no, we broke read-only assignment backend managed outside of keystone	17:25
* ayoung checks clock...nope, still too early to start drinking		17:25
morganfainberg	the r/w backend uses uuids and does all sorts of magic	17:25
*** david-lyle has quit IRC		17:25
*** vejdmn has joined #openstack-keystone		17:25
*** vejdmn has quit IRC		17:25
morganfainberg	the r/w backend ends up looking a lot like SQL with the data that gets out of the ldap driver.	17:25
morganfainberg	e.g. id format, etc	17:25
*** vejdmn has joined #openstack-keystone		17:26
morganfainberg	uid=<uuid>,rndstuff=blah,.....dc=something,dc=som	17:26
ayoung	....adored by little statesmen and philosophers and divines.	17:26
morganfainberg	and we only pull out the uid=<blah> bit.	17:26
morganfainberg	so i don't think we've broken anything directly except maybe read-only setups that are using non-id-string characters	17:27
*** vejdmn has quit IRC		17:27
morganfainberg	so we probably need to look at fixing it, but it's not "the world is broken".	17:27
morganfainberg	it needs tweaking to be "right"	17:27
*** vejdmn has joined #openstack-keystone		17:27
morganfainberg	ayoung, the sky is not falling.	17:28
stevemar	the sky is falling!	17:29
morganfainberg	stevemar, stop it, i'm getting on an airplane soon	17:29
morganfainberg	:P	17:29
ayoung	how about "we are continuing to make assumptions about how Keystone should work based on the Public Cloud provider use case."	17:30
*** thedodd has joined #openstack-keystone		17:30
morganfainberg	ayoung, thats not even wholly accurate in this case	17:30
morganfainberg	or even close to accurate	17:30
ayoung	Yes it is. The whole approach to anonymyzing [sp?] the userids is due to that use case. The UUID approach grew out of htat use case, as opposed to working with the naming conventions that were already standard	17:31
morganfainberg	"we made some assumptions on the data format based upon how keystone manages the data in a read-write context and with regards to URL-Safe data"	17:31
morganfainberg	no the whole approach to anonymizing user ids is because we need to be able derive the IDP source	17:32
morganfainberg	and we can't break our contract	17:32
morganfainberg	that has nothing to do with public cloud use-case, it has everything to do with multiple backends and colliding IDs. which i've had the ask for in private-single-org deployments	17:32
morganfainberg	multiple times	17:32
ayoung	anyways...I can work around it for now	17:33
morganfainberg	e.g. service accounts in 1 ldap tree, user accounts elsewhere	17:33
*** jraim has joined #openstack-keystone		17:33
*** vejdmn has quit IRC		17:33
morganfainberg	and because we can't use the complete DN for ids.	17:33
morganfainberg	it's really not sane.	17:33
morganfainberg	sometimes we also may not want to expose what org a user comes from to the service.	17:34
morganfainberg	this isn't strictly public provider stuff.	17:34
morganfainberg	this is also hybrid.	17:34
*** andreaf has quit IRC		17:35
*** andreaf has joined #openstack-keystone		17:35
*** vejdmn has joined #openstack-keystone		17:36
*** jistr has quit IRC		17:37
nkinder	ayoung: just reading back about your OSC problem. What version of OSC are you using?	17:37
morganfainberg	nkinder, it's a keystone API validation issue	17:37
morganfainberg	nkinder, his domain id has a . in it	17:37
ayoung	nkinder, problem solved	17:37
lbragstad	nkinder: the domain_id is compared against a regex in jsonschema	17:37
morganfainberg	domain id is assumed to be id_string [a-zA-Z0-9-]+	17:37
ayoung	nkinder, was on the keystone validation size, not OSC	17:37
morganfainberg	by the schema validator	17:38
ayoung	which is going to mess up "REALM == DOMAIN_ID"	17:38
nkinder	ayoung: oh, just got to that point. That sucks.	17:38
ayoung	nkinder, yeah, so the question is how broad to make the id_string validation	17:38
ayoung	my thought was that it really is unnecessary	17:39
ayoung	and is a leaking abstraction	17:39
morganfainberg	it's something we should fix, but we probably can't make it "the kitchen sink"	17:39
ayoung	nothing should force IDs to be anything other than url-safe strings	17:39
nkinder	so domains are a pain to use. Our calls require you to use the domain_id, and you can't make the id actually be something memorable	17:39
ayoung	well, I dropped the .NET	17:39
morganfainberg	nkinder, domain_name is also explicitly unique	17:40
*** jamielennox is now known as jamielennox\|away		17:40
morganfainberg	nkinder, it would be possible to say domain_name should be used instead and domain_id should be something non-human muckable.	17:40
nkinder	morganfainberg: yeah, but you can't use it when making calls since most calls only take the ID and not a name (which we discussed the other day)	17:40
*** marcoemorais1 has joined #openstack-keystone		17:40
*** marcoemorais has quit IRC		17:40
morganfainberg	right now domains also are only ever really supported in SQL assignment	17:40
morganfainberg	nkinder, so i think domains are a case where url-safe is the important bit.	17:41
nkinder	no, they are supported in LDAP identity too	17:41
*** vejdmn has quit IRC		17:41
morganfainberg	nkinder, really?	17:41
nkinder	yes	17:41
nkinder	I've been using them	17:41
morganfainberg	ok no.	17:41
morganfainberg	"domain" is an assignment construct	17:41
morganfainberg	ldap identity doesn't know it's own domain, keystone manages that bit for it	17:41
morganfainberg	and ldap assignment doesn't do domains iirc	17:42
*** vejdmn has joined #openstack-keystone		17:42
nkinder	morganfainberg: ok, I see what you're saying	17:42
*** marcoemorais1 has quit IRC		17:42
*** vejdmn has quit IRC		17:42
*** ctracey has joined #openstack-keystone		17:42
morganfainberg	but we should fix domains.	17:42
morganfainberg	and validation	17:42
morganfainberg	we can talk at the summit how to fix this. and this is something we can backport to juno	17:42
morganfainberg	it's validators.	17:42
* morganfainberg has to get going.		17:42
morganfainberg	i have too much to do pre flight ;)	17:42
*** marcoemorais has joined #openstack-keystone		17:43
*** vejdmn has joined #openstack-keystone		17:43
nkinder	good luck!	17:43
*** vejdmn has quit IRC		17:43
morganfainberg	nkinder, also, pre-policy session want to chat w/ ya	17:43
nkinder	morganfainberg: sounds good	17:43
*** fifieldt has quit IRC		17:43
morganfainberg	so we can walk in with some ammo	17:43
nkinder	morganfainberg: I'm getting in on saturday morning, so I'll be around	17:43
morganfainberg	please look at https://etherpad.openstack.org/p/kilo-crossproject-summit-topics and update hte description for the x-project one as you see fit	17:43
morganfainberg	yeah i'm in sat morning as well	17:44
samuelms	henrynash, ping	17:44
nkinder	morganfainberg: will do	17:44
*** vejdmn has joined #openstack-keystone		17:44
*** vejdmn has quit IRC		17:44
*** vejdmn has joined #openstack-keystone		17:45
gordc	jamielennox\|away: sorry went out for lunch i'll reply on gerrit	17:46
dstanek	ayoung: in the discussions we talked about making it as strict as possible (since we make the ids we know what they are)	17:47
dstanek	ayoung: i think the vision was to eventually make many of the regexes configurable	17:48
ayoung	dstanek, I think we have selection bias	17:48
ayoung	but...I can work with it for now	17:48
ayoung	I'd really suggest that we add . to the id_string to handle a broad class of ids, but also commas	17:48
ayoung	however, I have a demo to set up...	17:49
*** serverascode__ has joined #openstack-keystone		17:49
*** tellesnobrega has joined #openstack-keystone		17:50
ayoung	OK...I think I have managed to expose a bug...very subtle	17:52
ayoung	I was messing around with domain, and I have	17:52
*** aix has quit IRC		17:52
ayoung	15c2b8b1be5945e6887a684b9065fbd7 \| YOUNGLOGIC \| 1 \| {"description": "admin_domain"}	17:52
ayoung	as well as	17:52
ayoung	YOUNGLOGIC \| YOUNGLOGIC.NET \| 0 \| {"description": "admin_domain"}	17:52
ayoung	but in	17:52
ayoung	/etc/keystone/domains I have	17:52
ayoung	keystone.admin_domain.conf keystone.YOUNGLOGIC.NET.conf	17:53
morganfainberg	nkinder, http://paste.openstack.org/show/126635/ that is my first pass. i need to take off so please fix it if anything is needed so russellb can publish it.	17:53
morganfainberg	it's already in the etherpad like that	17:53
ayoung	so I can log in with domain (in Horizon) set to YOUNGLOGIC	17:53
nkinder	morganfainberg: ok	17:53
ayoung	but that should be the domain name, and, infact the user that gets logged in shows a domain of 15c2b8b1be5945e6887a684b9065fbd7	17:53
ayoung	but there is no corresponding domain file for just YOUNGLOGIC	17:53
ayoung	weeeird	17:54
morganfainberg	ayoung, there is def. some UX improvements we can have there.	17:54
ayoung	ah, restart...and now everythign is broken	17:54
ayoung	OK, it was cached in Keystone I suspect	17:54
morganfainberg	oh the per-domain thing?	17:54
morganfainberg	ayoung, yes re-start is needed ot pick up those changes.	17:54
ayoung	cuz I've been totally messing around at the SQL level	17:55
morganfainberg	and if you enable assignment caching, sql changes would get very odd.	17:55
*** harlowja_ has quit IRC		17:55
*** tellesnobrega has quit IRC		17:55
morganfainberg	nkinder, and don't hesistate to totally gut/rewrite the description. i wont be offended ;)	17:56
*** miqui has quit IRC		17:56
*** harlowja has joined #openstack-keystone		17:56
nkinder	morganfainberg: it looks pretty good. I'll probably just make some slight tweaks	17:56
nkinder	morganfainberg: do you want me to give russellb the go-ahead when I'm finished?	17:56
*** afazekas has quit IRC		17:57
morganfainberg	nkinder: whatever he needs to know if anything.	17:57
bknudson	dstanek: yes, I'm saying don't bother trying to validate that the URL is a URL.	17:57
morganfainberg	But yeah. Not sure when he's publishing it.	17:57
*** vejdmn1 has joined #openstack-keystone		17:58
*** vejdmn has quit IRC		17:58
ayoung	morganfainberg, David Chadwick is gonna be fun in that session.	17:59
*** zhiyan has joined #openstack-keystone		18:00
russellb	nkinder: morganfainberg if you get it sometime today, we're in good shape	18:00
russellb	i'll publish tomorrow or friday probably	18:00
*** marcoemorais has quit IRC		18:01
*** marcoemorais has joined #openstack-keystone		18:01
*** marcoemorais has quit IRC		18:02
*** marcoemorais has joined #openstack-keystone		18:02
ayoung	nkinder, how are you setting REMOTE_DOMAIN in the kerberos case?	18:03
nkinder	ayoung: https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-kerberos-setup/vm-post-cloud-init-rdo.sh#L113	18:04
nkinder	ayoung: there's no way to extract the realm in mod_auth_kerb	18:04
nkinder	ayoung: so you have to put it in the Location	18:05
ayoung	nkinder, hmmm, as I recall, there was an option, but it only worked for non default REALMS	18:05
nkinder	ayoung: also, turn on local user mapping	18:06
ayoung	so that if you do a trust, you get it set, but if not, you got the short form	18:06
ayoung	ah, that was for REMOTE_USER	18:06
nkinder	ayoung: yeah, I looked in the mod_auth_kerb code, and there was nothing to pull the realm off of the principal unfortunately	18:06
nkinder	ayoung: it seems like it would be useful	18:06
ayoung	which is why I was parsing	18:06
ayoung	KerberosLegacy	18:07
nkinder	ayoung: but SetEnv is easy enough for most cases. It's the trust cases where you would lose flexibility	18:07
nkinder	ayoung: DomainLegacy does it too	18:07
ayoung	does that set domain name or id, I wonder...	18:07
nkinder	I tried to stick with non-deprecated plugins	18:07
ayoung	damnit, ID	18:08
* ayoung shakes fist		18:08
*** jaosorior has quit IRC		18:13
*** andreaf has quit IRC		18:17
*** nellysmitt has joined #openstack-keystone		18:17
*** chrisshattuck has joined #openstack-keystone		18:18
bknudson	dstanek: the problem is if we don't get the URL validation perfect then we're going to be dealing with bugs forever.	18:21
*** marcoemorais1 has joined #openstack-keystone		18:23
*** marcoemorais has quit IRC		18:24
*** thedodd has quit IRC		18:29
*** marcoemorais1 has quit IRC		18:32
*** marcoemorais has joined #openstack-keystone		18:32
*** marcoemorais has quit IRC		18:32
*** marcoemorais has joined #openstack-keystone		18:33
*** marcoemorais has quit IRC		18:34
*** marcoemorais has joined #openstack-keystone		18:34
*** thedodd has joined #openstack-keystone		18:37
*** jxxxxx has quit IRC		18:44
*** marcoemorais has quit IRC		18:45
*** marcoemorais has joined #openstack-keystone		18:45
*** marcoemorais has quit IRC		18:49
*** marcoemorais has joined #openstack-keystone		18:49
dstanek	bknudson: i agree that it's a pretty big problem; what about making the regex looser?	18:50
dstanek	bknudson: [a-z]+://[\w\.:]+/?.*	18:51
dstanek	bknudson: or something similar - that's basically scheme://{host\|ip}/optional	18:52
bknudson	dstanek: I think we should be able to create an endpoint like $(public_endpoint)s	18:52
ayoung	don't forget IPv6	18:52
bknudson	this would use the substitution code	18:53
ayoung	which has [feed:babe:oooa::1]	18:53
*** _cjones_ has quit IRC		18:53
bknudson	We do format_url in get_catalog: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/backends/sql.py#n288	18:53
bknudson	so you should be able to use substitutions in the endpoints	18:53
bknudson	I don't think you can do substitution for the region url... so maybe that can be [a-z]+://[\w\.:]+/?.*	18:54
*** marcoemorais has quit IRC		18:54
*** marcoemorais has joined #openstack-keystone		18:55
bknudson	I'm surprised we don't have a test creating an endpoint with a port like $(public_port)s	18:56
*** __TheDodd__ has joined #openstack-keystone		18:57
*** thedodd has quit IRC		18:58
*** marcoemorais has quit IRC		18:59
*** ukalifon1 has quit IRC		19:01
*** _cjones_ has joined #openstack-keystone		19:04
*** ajayaa has quit IRC		19:07
*** nkinder has quit IRC		19:21
*** marcoemorais has joined #openstack-keystone		19:22
dstanek	bknudson: hmmm...public_endpoints isn't one of the things we wanted for substitution long term according to the last IRC chat i had about it	19:26
dstanek	we talked about project_id and user_id, but nothing from the config file	19:26
bknudson	dstanek: ok, I'm fine with that.	19:28
bknudson	wouldn't be backwards compatible	19:28
openstackgerrit	A change was merged to openstack/keystonemiddleware: add context to keystonemiddleware https://review.openstack.org/130312	19:30
*** __afazekas is now known as afazekas		19:30
ayoung	richm, have you addressed doing HTTPS for Horizon?	19:30
edmondsw	bknudson: so where have we ended up with url validation?	19:35
edmondsw	dstanek: ^	19:35
edmondsw	lbragstad: ^	19:36
bknudson	edmondsw: my opinion is that we should lenient and not try to validate all aspects of it since it will only lead to bugs when it doesn't accept every url that someone wants to use.	19:37
edmondsw	I'm fine with that, but is that opinion the consensus?	19:39
richm	ayoung: no - that was rcrit	19:39
dstanek	bknudson: this is the review where i deprecate catalog substitution from config files https://review.openstack.org/#/c/130013/	19:39
dstanek	edmondsw: bknudson: lbragstad: i'm totally OK with that, but i think we want to have some level of validation of help users when they make mistakes - even if if only checks scheme://something/optional	19:40
bknudson	dstanek: that would be lenient enough for me.	19:41
bknudson	dstanek: I've got a change to remove the option that we said we were going to remove in juno -- https://review.openstack.org/#/c/131007/	19:42
edmondsw	so ... '(?:.+://.+)' ?	19:42
bknudson	rfc1738 section 2.1 says it's <scheme>:<scheme-specific-part>	19:46
bknudson	and <scheme> is a-z, A-Z, digits, +, ., -	19:47
bknudson	I assume <scheme-specific-part> can be anything.	19:48
*** arborism has joined #openstack-keystone		19:52
*** arborism is now known as amcrn		19:52
openstackgerrit	Jorge Munoz proposed a change to openstack/keystone-specs: Refresh Token spec https://review.openstack.org/131575	19:53
*** marcoemorais has quit IRC		19:54
edmondsw	so ... '(?:[a-zA-Z0-9+.-]+:.+)'	19:55
edmondsw	lbragstad: you ok with this?	19:55
lbragstad	dstanek: edmondsw reading back	19:58
samuelms	Hi guys, I'd like to have a core opinion on a potential security issue when showing a project parents/subtree ids ..	20:01
samuelms	It's related to the Hierarchical Projects concept	20:01
samuelms	https://review.openstack.org/#/c/117786/29/keystone/assignment/controllers.py	20:01
samuelms	morganfainberg, ^	20:01
samuelms	I've left a couple of comments on this patch	20:01
dstanek	bknudson: i like your patch better because it allows some of the other fields to be included for substitution	20:05
bknudson	dstanek: I tried to keep the behavior the same... if we want to deprecate substitution altogether then we'll need yours	20:06
dstanek	bknudson: i'd love to hear what morganfainberg and dolphm think so that we can get one through and abandon the other	20:07
bknudson	I think they're both valid changes.	20:07
lbragstad	edmondsw: bknudson dstanek yeah that works for me	20:16
lbragstad	edmondsw: bknudson dstanek I wish there were a library we could use for this	20:17
*** topol has quit IRC		20:17
dstanek	edmondsw: my original thought was something like - "[a-z]+://[\w\.:]+/?.*" - but i'd be OK with something else	20:18
*** marcoemorais has joined #openstack-keystone		20:18
*** amakarov is now known as amakarov_away		20:18
*** vejdmn1 has quit IRC		20:18
edmondsw	'(?:[a-zA-Z0-9+.-]+:.+)' would align with what Brant found in rfc1738 section 2.1	20:18
bknudson	edmondsw: y, that looks fine.	20:18
*** vejdmn has joined #openstack-keystone		20:18
edmondsw	ok, I'll submit a new (and much simpler) patch set with that	20:19
*** vejdmn has quit IRC		20:27
*** adam_g_gone is now known as adam_g		20:30
*** david-lyle has joined #openstack-keystone		20:34
*** afazekas_ has joined #openstack-keystone		20:36
*** amerine has quit IRC		20:37
*** amerine has joined #openstack-keystone		20:38
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Provide useful info when parsing policy file https://review.openstack.org/131574	20:39
lbragstad	stevemar: thanks for the review, comments addressed	20:39
stevemar	i reviewed somethign?	20:40
*** david-lyle has quit IRC		20:40
stevemar	lies	20:40
rodrigods	stevemar, is helping me a lot with reviews =)	20:42
*** david-lyle has joined #openstack-keystone		20:42
*** david-lyle_ has joined #openstack-keystone		20:43
stevemar	rodrigods, lies	20:43
*** david-lyle_ has quit IRC		20:47
*** nkinder has joined #openstack-keystone		20:49
*** raildo has quit IRC		20:50
*** marcoemorais1 has joined #openstack-keystone		21:02
*** marcoemorais has quit IRC		21:02
*** browne has quit IRC		21:02
*** r1chardj0n3s_afk is now known as r1chardj0n3s		21:03
*** marcoemorais1 has quit IRC		21:03
*** marcoemorais has joined #openstack-keystone		21:04
*** amcrn has quit IRC		21:06
openstackgerrit	Matthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support https://review.openstack.org/131326	21:18
*** stevemar has quit IRC		21:20
*** edmondsw has quit IRC		21:25
morganfainberg	dstanek: bknudson I'll look at that review once I am not on mobile doing pre-travel stuff.	21:29
*** nellysmitt has quit IRC		21:38
*** gordc has quit IRC		21:41
*** gyee has quit IRC		21:49
*** openstackgerrit has quit IRC		21:50
*** marcoemorais has quit IRC		22:04
*** marcoemorais has joined #openstack-keystone		22:05
*** marcoemorais has quit IRC		22:15
*** bknudson has quit IRC		22:26
*** dims_ has joined #openstack-keystone		22:28
*** lhcheng has quit IRC		22:28
*** dims_ has quit IRC		22:29
*** marcoemorais has joined #openstack-keystone		22:29
*** dims_ has joined #openstack-keystone		22:30
*** lhcheng has joined #openstack-keystone		22:31
*** dims__ has quit IRC		22:31
*** david-lyle has quit IRC		22:32
*** __TheDodd__ has quit IRC		22:37
*** david-lyle has joined #openstack-keystone		22:49
*** saipandi has quit IRC		22:50
*** gyee has joined #openstack-keystone		22:54
*** dims_ has quit IRC		23:05
*** dims__ has joined #openstack-keystone		23:06
*** lhcheng has quit IRC		23:14
*** lhcheng has joined #openstack-keystone		23:17
*** david-lyle has quit IRC		23:32
*** shikui__ has joined #openstack-keystone		23:34
*** samuelms_home has joined #openstack-keystone		23:34
*** bknudson has joined #openstack-keystone		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!