Wednesday, 2014-10-29

00:38 *** bknudson has joined #openstack-keystone
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain
00:44 *** marcoemorais has quit IRC
00:44 *** marcoemorais has joined #openstack-keystone
00:46 *** marcoemorais has quit IRC
00:46 *** marcoemorais has joined #openstack-keystone
00:46 *** marcoemorais has quit IRC
00:46 *** marcoemorais has joined #openstack-keystone
<openstackgerrit> wanghong proposed a change to openstack/keystone: Can't update catalog objects when using kvs driver
<openstackgerrit> wanghong proposed a change to openstack/keystone: add circular check when updating region
00:49 *** david-lyle has joined #openstack-keystone
00:56 *** bknudson has left #openstack-keystone
00:56 *** _cjones_ has quit IRC
00:57 *** ncoghlan has joined #openstack-keystone
00:58 *** edmondsw has quit IRC
00:59 *** packet has quit IRC
01:04 *** david-lyle has quit IRC
<openstackgerrit> A change was merged to openstack/keystonemiddleware: Convert authentication into a plugin
01:11 *** cds has quit IRC
01:16 *** ayoung has joined #openstack-keystone
01:17 *** marcoemorais has quit IRC
01:19 <ayoung> nkinder, you still in Dad mode?
01:20 <ayoung> I'm working on the Horizon/Kerberos thing on  .  I don't think we actually have to mess with the service catalog:  that was only required (I think)  to deal with the changes of the ports.
01:22 *** ncoghlan is now known as ncoghlan_afk
01:22 *** ncoghlan_afk is now known as ncoghlan
<openstackgerrit> wanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list
01:26 <r1chardj0n3s> Ohai  ncoghlan :-)
<openstackgerrit> wanghong proposed a change to openstack/keystonemiddleware: call _choose_api_version in one place
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystonemiddleware: Adds space after # in comments
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystonemiddleware: Update python-keystoneclient reference
01:32 *** ncoghlan is now known as ncoghlan_afk
01:33 <nkinder> ayoung: eh, half-dad-mode
01:34 <ayoung> nkinder, OK,  ping me when you're done.  Working with gsilvis in #moc on the PKI handoff
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystonemiddleware: Adds space after # in comments
01:34 <morganfainberg> nkinder, hmmm....
01:35 <morganfainberg> oh crud, need to write up some descriptions so russellb doesn't come looking for me at the summit :P
01:35 <morganfainberg> ayoung, i am putting you and nkinder on the hook for the x-project policy session (co-lead with me just like the keystone session) unless you have a reason i shouldn't (as in you have some other session to be in)
01:35 <nkinder> morganfainberg: I'm cool with that
01:35 <ayoung> No, I'll be happy to lead,
01:42 *** sigmavirus24_awa is now known as sigmavirus24
01:43 <rodrigods> anyone else have problems running keystonemiddleware tests on mac?
01:43 <morganfainberg> rodrigods, what issues and did you upgrade to yosemite recently?
01:44 <rodrigods> morganfainberg, yep, yosemite here
01:44 *** david-lyle has joined #openstack-keystone
01:44 <morganfainberg> rodrigods, ok so you need to re-install CLI tools: from terminal xcode-select --install
01:45 <morganfainberg> rodrigods, then you need to re-build "brew" requirements
01:45 <morganfainberg> which includes needing to build python
01:45 <morganfainberg> because OS X python 2.7 doesn't come with gdbm
01:45 <rodrigods> morganfainberg, thanks!
01:45 <morganfainberg> so testr can't work
01:45 <morganfainberg> i installed brew in ~/Developer/homebrew
01:45 <morganfainberg> added ~/Developer/homebrew/bin to my path
01:45 <morganfainberg> in my .bashrc
01:45 <morganfainberg> then did a brew install python
01:46 <morganfainberg> and openssl
01:46 <morganfainberg> also, brew install gettext
01:46 <morganfainberg> you'll need to brew link openssl --force
01:46 <morganfainberg> and brew link gettext --force
01:47 * morganfainberg should write a blog post on this...
01:47 <rodrigods> morganfainberg, thanks a lot, I usually run it in a vm
01:47 <morganfainberg> alternatively, you could just run everything in a VM and call it a day
01:47 <morganfainberg> way less work :P
01:47 <rodrigods> network down in the lab =(
01:47 <morganfainberg> local VM (VMWare Fusion)
01:47 <rodrigods> morganfainberg, you absolutely should write a blog post about it
01:48 <morganfainberg> or VirtualBox (depending on your personal flavors)
01:48 <rodrigods> morganfainberg, yeah... just lazy right now because I always rely on the vms in the lab
01:48 <rodrigods> morganfainberg, was investigating and found some nits
01:48 <uvirtbot> Launchpad bug 1367062 in keystonemiddleware "401 and 404 errors from the heat API are not returned with JSON content type" [Low,Triaged]
01:49 <rodrigods> morganfainberg, and the fun part is the lab vms are on openstack =P
01:50 <rodrigods> all my masters experiments ran in a small private openstack cloud, btw
01:50 *** ncoghlan_afk is now known as ncoghlan
01:51 <morganfainberg> before i write up the post let me make sure the tests *actually* run
01:53 <ayoung> morganfainberg, OK,  so I think I'm going to split multiple-signers up into two Specs.  One will just allow for multiple certs, but they will all be equivalent.
01:53 <morganfainberg> ayoung, ++ that is a *Very* important one
01:53 <ayoung> The second will attempt to figure out, based on the subject of the cert, who can sign for what
01:53 <morganfainberg> ayoung, i like that
01:54 <ayoung> morganfainberg, yeah, the first spec will allow 2 things
01:54 <morganfainberg> covers both concerns, the first also should be an easier sell as it helps w/ cert rotation
01:54 <ayoung> 1.  Multiple keystones, each with their own set of private keys
01:54 <morganfainberg> big operational win.
01:54 <ayoung> 2.  Certificate rotation to deal with expiry
01:54 <morganfainberg> the 2nd one is the big big win
01:54 <ayoung> yeah, we've been hit with that
01:54 <morganfainberg> the first one is potentially useful to have.
01:55 <ayoung> I'm thinking we do a timeout: if the cert has a subject that we haven't seen before,  fetch all the certs from Simple cert, but no more often than once a minute to avoid a DOS
01:55 <morganfainberg> make the poll frequency configurable with a floor.
01:55 <ayoung> of course
01:55 <morganfainberg> and yes, if you haven't seen the subject, initiate a poll
01:56 <ayoung> but maybe we have a cache timeout value for all the things from auth_token middleware?
01:56 <morganfainberg> worth exploring
01:56 <ayoung> so they don't have to set revocation list separate from cert cache?
01:56 <morganfainberg> i could see a cert cache wanting to be much longer
01:56 <ayoung> just a "don't query any more frequently than this" timeout
01:56 <morganfainberg> ayoung, oh wait i know
01:56 <morganfainberg> lets implement this as IMS checks
01:57 <morganfainberg> thats the right approach
01:57 *** samuelms_home has joined #openstack-keystone
01:57 <ayoung> IMS? You mean actually use HTTP as it is designed?
01:57 <morganfainberg> haha yeah
01:57 <morganfainberg> we should actually implement IMS for *all* things in keystone
<ayoung> that is so
01:57 <morganfainberg> (all things in openstack)
01:57 <ayoung> then they become server side config values
01:57 <morganfainberg> but lets do it in keystone first. and this is a *great* case (same thing with tokens if we're caching a token)
01:58 <ayoung> new BP for the token revocation thing
01:58 <morganfainberg> and this should be baked into revocation events while we're mucking around in there.
02:01 <ayoung> morganfainberg, isn't there another field that is supposed to tell the browser how long to hold on to content?
02:01 <morganfainberg> ayoung, cache-control
02:01 <morganfainberg> and expires
02:01 <morganfainberg> we have all sorts of things (especially around cache control) we need to implement
02:02 <morganfainberg> it's *super* important as it tells proxies (HAProxy? how much you wanna bet someone will put varnish in front of keystone?) how long they can keep things
02:02 <morganfainberg> we absolutely need to look at the fun HTTP headers we should be sticking in front of things...
02:03 <morganfainberg> we *may* also want to figure out if we can do cache-busting in certain cases
02:03 <morganfainberg> but thats a long ways out.
02:03 <ayoung> morganfainberg, so I had a discussion with okrieg of the #movc about this stuff.  gsilvis is going to work on it.  Once we have the multiple signers working for tokens, I want to make it work for oslo-messaging to implement the PKI stuff from last summit's last session.
02:03 <morganfainberg> PKI? or symmetrical *aka kite*?
02:03 <morganfainberg> i *thought* PKI was too heavy
02:04 <ayoung> we need PKI for the vast majority of the uses
02:04 <morganfainberg> the general discussion iirc was HMAC was sufficient in most use cases
02:04 <ayoung> Symmetrical is only good for a limited set of uses
02:04 <morganfainberg> but that needed kite and symmetric key distribution
02:04 *** alex_xu has joined #openstack-keystone
02:05 <morganfainberg> i think we need to dig up the etherpad
02:05 <morganfainberg> (this is why i linked the etherpads in the sessions this time)
02:05 <morganfainberg> so when we look back it's not chasing "where did we put that etherpad"
02:06 <morganfainberg> ah the fan-out case
02:06 <ayoung> morganfainberg, it's worse than that, though
02:07 <morganfainberg> can we look to see if there is something lighter than S/MIME for this though?
02:07 <ayoung> basically, the message queue is unprotected
02:07 <morganfainberg> i don't want 1k messages on the bus
02:07 <ayoung> well, really, we need a library approach
02:07 <ayoung> but...sure we can try to lighten it.  When I looked, though, there really was not too much waste in that 1K
02:07 <morganfainberg> or something we can derive the signature from for HMAC via PKI (i know weird thought)
02:08 <ayoung> lets get it working and then optimize
02:08 <morganfainberg> i know there isn't much wasted in the 1k, thats why i'm trying to think if there is a sane way to do something else.
02:09 <ayoung> I think the cost is really the crypto,
02:09 <morganfainberg> making all messages on the message bus increase by 1k is going to be a big bottleneck. iirc nova -> bus data is a MAJOR bottleneck in hyper-scale clouds
02:09 <morganfainberg> (>500 nodes)
02:09 <ayoung> I mean, you need to have enough to get a valid hash, and then sign the hash
02:10 <morganfainberg> rabbit already tips over too easily
02:10 <ayoung> morganfainberg, so I suspect that going from PEM to DER is essential
02:10 *** david-lyle has quit IRC
02:10 <morganfainberg> ayoung, sure. that helps
02:10 <morganfainberg> it's still a big increase.
02:11 * morganfainberg wonders what other options we have.
02:11 <morganfainberg> i haven't done much crypto research on new developments in ages
02:11 <ayoung> I bet there are things we could do in the Queue topology
02:11 <notstevemar> morganfainberg, ping
02:11 <morganfainberg> thats a good thought
02:11 <notstevemar> morganfainberg, thoughts on ?
02:11 <uvirtbot> Launchpad bug 1347868 in pycadf "pycadf does not work with a templated keystone catalog" [High,In progress]
02:11 <morganfainberg> notstevemar, oh hai
02:12 <ayoung> like, if each node was writing to a dedicated queue, there could be a single reader that is responsible for declaring "this message came from node 4"
02:12 <morganfainberg> ayoung, i *think* that was the concept we were running with for symmetrical
02:12 <morganfainberg> ayoung, but that still runs into issues with "OMG how many queues do i need"
02:12 <morganfainberg> rabbit likely would *still* tip over at hyperscale
02:12 <morganfainberg> in worse ways than just putting 1k messages on the bus
02:13 <ayoung> morganfainberg, so it looks like, while Rabbit does not have SASL today, there is an esasl library
02:13 <morganfainberg> ayoung, yes there is. i think ejabberd uses it
02:13 <ayoung> and that could be used to implement access control lists via kerberos in Rabbit
02:13 <ayoung> let Kerberos do the symmetric for us
02:13 * morganfainberg had the joking thought, what if we used ejabberd and MUCs for the bus instead of AMQP - XMPP
02:13 *** david-lyle has joined #openstack-keystone
02:13 <ayoung> morganfainberg, QPID already does this, too
02:14 <ayoung> not the Proton/AMQP 1.0 stuff, but the older one
02:14 <morganfainberg> ayoung, maybe the answer is we need to get resources on "making non-rabbit AMQP a better default"
02:14 <ayoung> morganfainberg, that would be Proton
02:14 *** dims__ has quit IRC
02:15 *** chrisshattuck has joined #openstack-keystone
02:15 <ayoung> and I was pushing to have rharwood work on that. The question is whether it makes more sense to push on proton or on Rabbit
02:15 <morganfainberg> ayoung, like i said maybe we need to go pitch for our respective companies to give us resources to make that the best default option
02:15 *** dims__ has joined #openstack-keystone
02:15 <morganfainberg> ayoung, or fix rabbit
02:15 <morganfainberg> notstevemar, looking
02:15 <morganfainberg> notstevemar, i think we need to fix it somehow.
02:16 <ayoung> morganfainberg, the question is whether adding SASL to Rabbit is like adding frost to snow?
02:16 <morganfainberg> well we have smart people who know rabbit pretty damn well @ the summit
02:16 <morganfainberg> i think we can chase someone down
02:17 <ayoung> morganfainberg, what gsilvis and okrieg and I are discussing, though, is more far reaching:  making the Broker a public resource for integrating between openstack deployments
02:17 *** dims__ has quit IRC
02:17 <ayoung> it means that nothing that gets written to the topics is implicitly trusted
02:17 *** sigmavirus24 is now known as sigmavirus24_awa
02:17 *** chrisshattuck has quit IRC
02:17 <morganfainberg> ayoung, so... SQS but for the *cringe* undercloud?
02:17 <ayoung> and it means that signing messages is pretty much a must-have
02:17 <morganfainberg> or what zaquar is trying to do
02:18 <morganfainberg> or however you spell that project's name
02:18 <ayoung> there is no undercloud.  only ZUUL!
02:18 *** ncoghlan is now known as ncoghlan_afk
02:18 *** morganfainberg is now known as only_zuul
02:18 *** only_zuul is now known as morganfainberg
02:18 <rodrigods> morganfainberg, tests working here, what fixed everything was brew link gettext --force =)
02:18 <morganfainberg> rodrigods, glad to help
02:18 <ayoung> So, lets say that nova is owned by one org (Harvard)  and Cinder is owned by another (Boston University)
02:18 <rodrigods> morganfainberg, thanks =)
02:19 *** david-lyle has quit IRC
02:19 <ayoung> right now the cinder agent runs on the Compute node, talks to only one cinder, and is implicitly trusted
02:19 <notstevemar> morganfainberg, we either fix keystone or fix pycadf
02:19 <morganfainberg> ayoung, i... in the same region? because i'm about to have my head explode from WAN cinder.
02:19 <ayoung> we take that idea out back and put a bullet in it
02:19 <notstevemar> morganfainberg, either some garbage ID value in keystone, or some garbage value in pycadf :P
02:19 <ayoung> yeah,  co-located, but owned by different orgs
02:19 <morganfainberg> ayoung, WAN iscsid makes my brain hurt.
02:19 <morganfainberg> ayoung, ok phew
02:19 <morganfainberg> ayoung, sorry.
02:20 <morganfainberg> notstevemar, name == id for template?
02:20 <morganfainberg> can we do that?
02:20 <ayoung> I hear it is possible, but  understanding it is beyond my current effort
02:20 <morganfainberg> ayoung, yeah i'm good with co-located but it's still a strange buildout.
02:20 <morganfainberg> i think conceptually for talking it works but for making the sales pitch we need something a bit more concrete
02:21 <notstevemar> morganfainberg, we can do that, that is what my fix was for pycadf
02:21 <morganfainberg> or realistic
02:21 <morganfainberg> notstevemar, there are other cases we might assume endpoint ids
02:21 <morganfainberg> notstevemar, and the templated catalog should return the *same* format as the non-templated
02:21 <notstevemar> yep, it should
02:22 <morganfainberg> notstevemar, bigger issue to have inconsistent data format... how do you write code to a spec that changes based upon <things>
02:22 <notstevemar> i hear ya
02:22 <morganfainberg> notstevemar, so fix keystone methinks
02:22 <notstevemar> okay, so fix keystone
02:22 <notstevemar> get out of my brain
02:23 *** lhcheng has quit IRC
02:23 <notstevemar> tis not a safe place
02:23 <ayoung> gsilvis, so the current contract between ATM and KC  is:
02:24 <ayoung> gsilvis, I think it would better be something like
02:24 <ayoung> def verify_signature(signed, certificate_cache, inform=PKI_ASN1_FORM):
02:25 <gsilvis> That sounds reasonable, yeah
<ayoung> notstevemar, if I promise to document the hell out of "kerberos" as a method will you remove your -1 and +A
02:26 <ayoung> notstevemar, I can't even submit a version of the Django patch that will pass the tests  until we get  a released version of ^^
02:27 <ayoung> gsilvis, then we declare a cache object that knows about a backing store and maybe has a dictionary to avoid parsing everything every time
02:27 <ayoung> gsilvis, the dictionary will let us go from certificate to the CA cert that signed it in one swell foop
02:28 <notstevemar> ayoung, OK, just wondering about the requirements remark
02:28 <morganfainberg> ayoung, python-keystoneclient-krb?
02:29 <ayoung> morganfainberg, yep
02:29 <gsilvis> ayoung: yup
02:29 <morganfainberg> which requirements remark?
02:29 <notstevemar> morganfainberg, maybe you know
02:29 <morganfainberg> oh crud
02:29 <morganfainberg> i failed at getting requirements repo running against that project
02:29 <morganfainberg> thats the issue
02:29 <morganfainberg> yes it should match, no we're not gating on it
02:30 <notstevemar> morganfainberg, is that something we can fix in another patch?
02:30 <morganfainberg> let me get that fixed ASAP
02:30 <morganfainberg> so. fix it to match global reqs please.
02:30 <ayoung> ok,  we good?
02:30 <morganfainberg> i'll make it so infra is gating on that stuff.
02:31 <ayoung> morganfainberg, can we do that in another patch?
02:31 <morganfainberg> hey we *are* gating on it
02:31 <morganfainberg> oh wait
02:31 <morganfainberg> this is a comment
02:31 <morganfainberg> fix later
02:31 <ayoung> thanks guys
02:31 <ayoung> much appreciated
02:31 <morganfainberg> comments aren't as important in this case.
02:32 <notstevemar> now submit another patch to fix it :)
02:32 <notstevemar> ayoung, ^ hehe
02:33 <notstevemar> and yeah, we definitely need to doc it somewhere, not sure where... the apis list most of the authN varieties, maybe under there makes the most sense
<openstackgerrit> A change was merged to openstack/python-keystoneclient-kerberos: kerberos client plugin
02:33 <morganfainberg> wow that was fast
02:33 <morganfainberg> oh hah no tempest tests
<notstevemar> probably under here
02:34 <morganfainberg> we also need to make sure keystoneclient can load it?
<notstevemar> i totally thought this pic was of ayoung in my twitter feed
02:34 <notstevemar> *at first glance*
02:35 <morganfainberg> notstevemar, ayoung, before we release that - we need a test to make sure keystoneclient can load it.
02:35 <morganfainberg> probably something generic so we can make sure all of these plugins are tested on the keystoneclient side as well.
02:36 <ayoung> morganfainberg, I was thinking that was a tempest thing, but it needs to be released first
02:36 <morganfainberg> ayoung, i'd look more like how global-requirements works for projects.txt
02:36 *** tellesnobrega_ has joined #openstack-keystone
02:36 *** alex_xu has quit IRC
02:37 <morganfainberg> ayoung, since tbh right now i can't guarantee keystoneclient is going to be able to use it based on a specific change for either side.
02:37 <morganfainberg> ayoung, you see my concern?
02:37 <morganfainberg> should be an easy gate test to get added though
02:38 <morganfainberg> just help me figure out how to do it and we'll get it in place. we'll run it on each change to keystoneclient and each change for the "out of tree" plugins
02:38 <morganfainberg> should keep us from breaking things in awful ways
02:39 <morganfainberg> huh i kinda wish etherpad had a "lock this etherpad" administrative function
02:39 <notstevemar> except i don't think it has any sense of admin-ness
02:39 <morganfainberg> notstevemar, it doesn't
02:40 <ayoung> morganfainberg, there is a shorthand for loading plugins in KC
02:41 <ayoung> I'm not certain if it can load a plugin without actually trying to do something with it, but that should be OK
02:42 <ayoung> morganfainberg, jamielennox brought it up last we talked.
02:42 *** ncoghlan_afk is now known as ncoghlan
02:42 *** ncoghlan is now known as ncoghlan_afk
02:47 *** dims__ has joined #openstack-keystone
02:49 *** tellesnobrega_ has quit IRC
<ayoung> morganfainberg, found it!
02:50 <ayoung> so we do
02:50 <nkinder> yay, py-ksc-kerb merged!
02:50 <morganfainberg> thats a good starting place
02:50 *** alex_xu has joined #openstack-keystone
02:50 <morganfainberg> ayoung, yeah that should at least validate we can create everything we need
02:51 <morganfainberg> the way i see it, this script (look at requirements projects.txt test) should live in keystoneclient
02:51 *** tellesnobrega_ has joined #openstack-keystone
02:51 <ayoung> morganfainberg, would it make sense to have that test in the p-kc-kerb test suite?
02:51 <morganfainberg> we'll get the gate job running for *all* external-from-ksc tree plugins as well as ksc
02:52 <morganfainberg> that way we can make sure that interface changes don't break things (yay for stable interfaces, right?)
02:52 *** dims__ has quit IRC
02:52 <ayoung> nkinder, so I can't hit  from outside the machine, but I can from inside.  I even stopped iptables, so it isn't firewall
02:52 <morganfainberg> if we move keystone to using stevedore for its drivers (we should) same kind of test will be needed. we will need to make those interfaces rock solid vs "changing when we feel like it")
02:53 <morganfainberg> but i'd like a world where you can install keystone-ldap-identity
02:53 <morganfainberg> instead of needing to carry the ldap identity driver locally.
02:54 <ayoung> morganfainberg, my goals are more modest.  Right now, I think I'm sunk with the service catalog having /v2.0 in it.  Need to be able to do /v3 from auth_token middleware
02:54 <morganfainberg> ayoung, those are all looong term goals
02:54 <ayoung> they need to be short term goals
02:54 <ayoung> or we are stuck with v2.0
02:54 <morganfainberg> no my comments ^
02:54 <morganfainberg> not your goals ;)
02:55 <morganfainberg> your goals are good for shorter term
02:55 * morganfainberg needs new noise cancelling headphones (over-ear)
02:55 <morganfainberg> any suggestions?
02:58 <ayoung> morganfainberg, ah,  I don't think your goals are too unrealistic
02:58 <ayoung> keystone-ldap-identity  goes into its own repo?
02:58 <morganfainberg> ayoung, that would be my goal.
02:59 *** alex_xu has quit IRC
02:59 <morganfainberg> or maybe not even, but conceptually
02:59 <ayoung> what would be the relationship between entrypoints and the paste file?
02:59 <ayoung> morganfainberg, we certainly should do that for extensions
03:00 <ayoung> and then make everything an extension
03:00 <morganfainberg> ayoung, i have some serious concerns with the extension model.
03:00 <morganfainberg> we need to chat at the summit about it
03:00 <ayoung> sed -s  !extensions!drivers!g
03:00 <morganfainberg> yes drivers != extensions, the extensions are a bit more weird.
03:01 <nkinder> ayoung: that's strange.  What does netstat show for port 35357?
03:01 <ayoung> nkinder, on me see
03:02 <ayoung> nkinder, haven't run it in ages...what options should I use
03:03 *** gyee has quit IRC
03:05 <ayoung> nkinder, I can connect internal,  which leads me to think it is an issue with public/private ip addresses
03:05 *** alex_xu has joined #openstack-keystone
03:05 <ayoung> this is running on an openstack deployment
03:09 *** richm has quit IRC
03:11 *** r1chardj0n3s is now known as r1chardj0n3s_afk
03:13 *** ayoung is now known as ayoung-ZZZzz
03:14 *** ncoghlan_afk is now known as ncoghlan
03:17 <ayoung-ZZZzz> nkinder, it is firewall, at the Nova/Neutron level
03:23 *** samuelms_home has quit IRC
03:26 *** chrisshattuck has joined #openstack-keystone
03:33 *** alex_xu has quit IRC
03:46 *** alex_xu has joined #openstack-keystone
03:51 *** tellesnobrega_ has quit IRC
03:52 *** tellesnobrega_ has joined #openstack-keystone
<openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient-kerberos: Format requirements correctly and sync with global req
04:11 <notstevemar> ayoung-ZZZzz, nkinder morganfainberg ^
<openstackgerrit> David Stanek proposed a change to openstack/keystone-specs: Alembic for SQL migrations
04:14 <nkinder> notstevemar: so Babel just wasn't used?
04:15 <notstevemar> nkinder, there are no translation markings or jobs for it, so ... meh
<notstevemar> nkinder, also
04:15 <nkinder> notstevemar: yeah, makes sense
04:16 *** marcoemorais has joined #openstack-keystone
04:16 <nkinder> notstevemar: that must have just been copied from somewhere when the repo was set up
04:18 <notstevemar> nkinder, likely
04:18 <notstevemar> nkinder, the patch was mostly for the req-kerb syntax, then i realized it's actually incorrect :|
04:18 <notstevemar> it had an underscore instead of a dash
04:19 <nkinder> notstevemar: pip seems to find it either way
04:19 <notstevemar> nkinder, yeah! which is weird
04:19 <nkinder> notstevemar: jamielennox had mentioned something about updating projects.txt to add py-ksc-krb, but I don't see a pending review for it
04:19 <notstevemar> nkinder, it's already there
04:20 <nkinder> notstevemar: really?
<nkinder> notstevemar: sorry, talking about
04:20 <notstevemar> -federation needs to be there...
04:20 <notstevemar> yep, it's there
04:21 <notstevemar> to be fair, it was added 2 days ago
04:21 <nkinder> hmmm, stale tab
04:21 <nkinder> shift-reload is magic! ;)
04:21 <notstevemar> skip that cache!
04:21 *** marcoemorais1 has joined #openstack-keystone
04:21 *** harlowja is now known as harlowja_away
04:22 *** tellesnobrega_ has quit IRC
<nkinder> notstevemar: looks like it merged today -
04:22 <nkinder> I didn't remember opening that 2 days ago...
04:23 *** marcoemorais has quit IRC
04:23 <notstevemar> looks like it was jamielennox
04:26 *** lhcheng has joined #openstack-keystone
04:28 <morganfainberg> ah you found it
04:28 <notstevemar> pfft hours ago
<notstevemar> morganfainberg, for you
04:30 <morganfainberg> weird that the proposal bot hasn't run for it...
04:31 <morganfainberg> -kerberos needs py33/py34 testing
04:31 *** lhcheng_ has joined #openstack-keystone
04:31 <nkinder> morganfainberg: I want to say there was a problem with py3...
04:32 <nkinder> morganfainberg: perhaps it was requests-kerberos doesn't support it.  ayoung-ZZZzz would know for sure
04:32 <morganfainberg> running the experimental check
04:32 <morganfainberg> ImportError: No module named 'commands'
04:33 <morganfainberg> Downloading/unpacking kerberos==1.1.1 doesn't support py3k
04:33 <nkinder> I might be thinking of python-kerberos though
04:33 <morganfainberg> nkinder, yep
04:33 <morganfainberg> python-kerberos looks b0rked for py3k
04:33 <nkinder> so there was some discussion about a port of it that is out there and a python-gssapi effort
04:33 <notstevemar> i think that was also part of the reasoning for putting it in its own repo
04:34 <nkinder> ayoung-ZZZzz can give us the scoop on it, but there was a path forward
04:34 <morganfainberg> see the py34 test run failure
04:34 <nkinder> notstevemar: yep
04:34 *** lhcheng has quit IRC
04:36 <nkinder> morganfainberg: I believe there has been discussion with the maintainers of two different python-gssapi modules to merge efforts
<nkinder> this one -
04:37 <morganfainberg> i'm a fan if we can make it happen :)
<nkinder> and this one -
04:37 <nkinder> morganfainberg: should be doable.  The latter is from a Nova developer who works here at RH
<morganfainberg> notstevemar, wow this spec is only (i think) missing one thing to be ... well lack of a better word pretty good:
morganfainbergnotstevemar, it needs to fix the comment that the "auth plugin" is configured via the paste pipeline04:38
notstevemarhehe, that's a silly comment04:38
morganfainbergbut i mean... that pretty much sums up what i was hoping to see to support MFA for keystone auth04:38
notstevemari've had that spec queued up for reading, but lazy04:38
morganfainbergthe spec pretty much hits exactly how i'd see it implemented.04:39
morganfainbergand i've heard that request a lot04:39
morganfainberg"can we have possession factor added for auth"04:39
morganfainbergrsa, hotp/totp (google), etc04:39
morganfainbergin *theory* this could even require X509 client cert + password auth.04:40
nkindermorganfainberg: if we use IPA, via LDAP it has native OTP support in recent versions...04:40
nkindermorganfainberg: so we'd get it for free04:41
morganfainbergnkinder, we'd still need to pass the info to the underlying system04:41
nkinderyubikey, google authenticator, etc.04:41
morganfainbergwould need to be part of the auth plugin04:41
nkindermorganfainberg: no, it goes through the LDAP bind04:41
morganfainbergthe ldap bind needs the info though, right?04:41
nkindermorganfainberg: but we do need to pass it in as the password04:41
nkindermorganfainberg: well, the password you supply is pin+code04:41
morganfainbergwhich has to come in via the REST api04:41
morganfainbergoh i see04:42
morganfainbergso it'd just be a "different" password model04:42
morganfainberge.g. my password is <totp>+password04:42
morganfainbergheh ok04:42
morganfainbergdoesn't mean it works in all cases though, an auth plugin that covers the other cases would be good.04:43
morganfainbergis it always totp? or can it do HTOP too?04:43
morganfainbergIPA that is04:43
nkinderthere was work going on for both IIRC.  I'd have to see where it's at with regards to HOTP04:43
nkinderthere was also an ability to have a radius proxy to hook in other systems behind IPA04:44
morganfainbergso, i think having an auth plugin + support in keystone makes sense.04:44
morganfainbergwith IPA you can use the native TOTP support instead if desired04:44
morganfainbergnice. and yes i am very interested in seeing if we can get ipa running under trusty...and then make it *the* recommended way to deploy keystone04:45
morganfainbergit's as if a million SQL servers suddenly cried out with a sigh of relief.04:46
nkinderI think that design page is slightly out of date, as one of the other IPA devs mentions that HOTP is working -
morganfainbergso 2fa requires a BIND and can't be done via COMPARE ?04:47
*** nikunj2512 has joined #openstack-keystone04:47
morganfainbergnot clear will need to try it out04:48
nkinderwe don't use COMPARE though04:48
notstevemarmorganfainberg, whats this mean: "Add a new multi-factor auth-plugin that replaces "password""04:48
morganfainbergit *might* work with compare04:48
nkinderBIND is pretty normal04:48
notstevemari don't like replacing things04:48
nkinderand it's what we use.  A compare would require exposing the password hash via LDAP, which is not good04:48
morganfainbergnotstevemar, you would instead use password_plugin=NewShiny2faPasswordPlugin04:48
morganfainbergnotstevemar, instead of password=passwordplugin04:49
morganfainbergnotstevemar, config options04:49
notstevemarisn't that "Add a new One-time password authentication driver"04:49
morganfainbergnkinder, i was under the impression compare worked like: Compare(<non-hashed-password> dn)04:49
morganfainbergnotstevemar, there are a couple way to cut it, but i was thinking it was a "enable 2fa with the password plugin" vs a true/false toggle04:50
morganfainbergthe "backend" stuff to do things like TOTP based on secret would be configurable as well04:50
morganfainbergnkinder, so my *understanding* is COMPARE() used the unhashed password, and you send it to the server and it does the hashing and comparison for the user's DN.04:51
morganfainbergvs. needing a full BIND (aka, could be done anonymous / service user wise)04:51
morganfainbergbut if it requires hashed password, it's a nogo04:51
*** chrisshattuck has quit IRC04:51
nkindermorganfainberg: that approach is not widely used from what I've seen04:52
morganfainbergnkinder, sure. maybe it's more of an AD-ism04:52
morganfainbergiirc mostly it's the AD folks who talked about that04:52
notstevemarmorganfainberg, right, so new section for [2fa] that has TOTP and HOTP stuff, and a global enable switch, and then under [auth] you can change 'password' to be normal or shiny2FA04:52
morganfainbergnotstevemar, no need for the global switch04:52
notstevemary not04:52
morganfainbergyeah that was my thought04:53
morganfainbergso a deployer can't be accidently bitten by this cause someone wedge in the 2fa attributes in a strange way04:53
morganfainbergand i dislike the true/false toggles04:53
morganfainbergsince we already have plugins that can do things... make the plugin smart?04:53
morganfainbergthis could all even be done out-of-tree04:53
morganfainberga 2fa password plugin that implements the manager bits for itself etc.04:54
morganfainbergthe only question is getting the secret in that case.04:54
morganfainbergnotstevemar, you missed my "i want keystone drivers to use stevedore and be able to be developed out of tree" comment sets04:54
morganfainberglong term04:55
notstevemari did indeed04:55
*** morganfainberg is now known as mightbestevemar04:55
* mightbestevemar needs to convince everyone in this channel to "pick a stevemar name"04:56
*** links has joined #openstack-keystone05:03
*** mightbestevemar is now known as morganfainberg05:04
*** r1chardj0n3s_afk is now known as r1chardj0n3s05:14
*** alex_xu has quit IRC05:15
*** alex_xu has joined #openstack-keystone05:16
nikunj2512Hi, can a non-admin user change their email address using v2 api??05:21
*** r1chardj0n3s is now known as r1chardj0n3s_afk05:51
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** afazekas is now known as __afazekas06:11
*** lhcheng_ has quit IRC06:17
nikunj2512How can i use v3 api in keystone??06:23
nikunj2512Does anyone know, while installing devstack, how i can set keystone to use the v3 api instead of v2??06:26
*** ukalifon1 has joined #openstack-keystone06:36
jacer_huaweiCurrently, only the openstack client supports the v3 api.06:41
jacer_huaweiopenstack --os-identity-api-version=306:43
notstevemarnikunj2512, i think jacer_huawei answered your question... but
*** amcrn has quit IRC06:45
*** jacer_huawei has quit IRC06:49
nikunj2512jacer_huawei, notstevemar: thank You06:49
*** wanghong has joined #openstack-keystone06:53
*** tomoiaga has joined #openstack-keystone07:03
*** afazekas has joined #openstack-keystone07:03
*** ncoghlan is now known as ncoghlan_afk07:27
*** nellysmitt has joined #openstack-keystone07:28
*** wanghong has quit IRC07:32
*** wanghong has joined #openstack-keystone07:51
*** ncoghlan_afk is now known as ncoghlan07:52
*** henrynash has joined #openstack-keystone08:04
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update templated catalog to return IDs for endpoints
*** gokrokve has joined #openstack-keystone08:09
openstackgerritMehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend
*** jaosorior has joined #openstack-keystone08:14
*** notstevemar has quit IRC08:14
*** ncoghlan is now known as ncoghlan_afk08:14
openstackgerritMehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend
*** henrynash has quit IRC08:17
openstackgerritMehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend
openstackgerritMehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend
*** ncoghlan_afk is now known as ncoghlan08:27
*** k4n0 has joined #openstack-keystone08:28
*** wanghong has quit IRC08:34
*** wanghong has joined #openstack-keystone08:41
*** ajayaa has joined #openstack-keystone08:46
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Create a framework for federation plugins
*** jistr has joined #openstack-keystone09:06
*** aix has joined #openstack-keystone09:11
*** dims__ has joined #openstack-keystone09:15
*** alex_xu has quit IRC09:18
*** dims__ has quit IRC09:19
*** cjellick_ has joined #openstack-keystone09:24
openstackgerritA change was merged to openstack/keystonemiddleware: Use connection retrying from keystoneclient
openstackgerritA change was merged to openstack/keystonemiddleware: Use an adapter in IdentityServer
*** cjellick has quit IRC09:27
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: fallback to online validation if offline validation fails
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list
openstackgerritA change was merged to openstack/keystonemiddleware: Add versions to requests
*** wanghong has quit IRC09:33
*** marcoemorais1 has quit IRC09:41
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: call _choose_api_version in one place
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: support micro version if sent
*** wanghong has joined #openstack-keystone09:47
*** gokrokve has quit IRC09:47
*** gokrokve has joined #openstack-keystone10:00
*** gokrokve has quit IRC10:06
*** gokrokve has joined #openstack-keystone10:06
*** nkinder has quit IRC10:07
*** nkinder has joined #openstack-keystone10:11
*** gokrokve has quit IRC10:11
*** aix has quit IRC10:21
*** gokrokve has joined #openstack-keystone10:25
*** gokrokve has quit IRC10:25
*** gokrokve has joined #openstack-keystone10:26
*** dims__ has joined #openstack-keystone10:30
*** gokrokve has quit IRC10:30
*** gokrokve has joined #openstack-keystone10:30
*** gokrokve has quit IRC10:32
*** gokrokve has joined #openstack-keystone10:33
*** ajayaa has quit IRC10:34
*** gokrokve has quit IRC10:35
*** gokrokve has joined #openstack-keystone10:35
*** gokrokve has quit IRC10:40
*** aix has joined #openstack-keystone10:53
*** gokrokve has joined #openstack-keystone11:01
*** nikunj2512 has quit IRC11:03
*** gokrokve has quit IRC11:05
*** gokrokve has joined #openstack-keystone11:06
openstackgerritA change was merged to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests
*** ajayaa has joined #openstack-keystone11:06
*** ajaya has joined #openstack-keystone11:07
*** gokrokve has quit IRC11:10
*** boris-42 has quit IRC11:11
*** ajaya has quit IRC11:16
*** ajaya has joined #openstack-keystone11:16
*** vb123 has joined #openstack-keystone11:20
vb123hello,  I am running icehouse keystone configured by puppet-keystone and am getting the following start-up error:11:22
vb123keystone ImportError: No module named persistence.backends.sql11:22
vb123I wonder if it is the wrong version of openstack to test the configuration11:22
*** tellesnobrega_ has joined #openstack-keystone11:25
*** afaranha_ has joined #openstack-keystone11:25
*** amakarov_away is now known as amakarov11:29
*** vhoward has joined #openstack-keystone11:31
*** andreaf_ has joined #openstack-keystone11:33
*** andreaf_ is now known as andreaf11:36
*** nikunj2512 has joined #openstack-keystone11:36
*** gokrokve has joined #openstack-keystone11:47
amakarovvb123, hi! You'd better file a bug and refer to it here. Maybe more experienced people can help you but I can't even imagine how you've got this error :)11:50
vb123amakarov: thanks :)11:56
*** tellesnobrega_ has quit IRC12:03
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects
*** wanghong has quit IRC12:18
*** gokrokve has quit IRC12:21
*** dims__ has quit IRC12:24
*** dims__ has joined #openstack-keystone12:24
*** shikui__ has joined #openstack-keystone12:28
*** ayoung-ZZZzz is now known as ayoung12:33
*** wanghong has joined #openstack-keystone12:35
*** vejdmn has joined #openstack-keystone12:36
*** vejdmn has quit IRC12:40
*** vejdmn has joined #openstack-keystone12:41
*** gokrokve has joined #openstack-keystone12:44
*** gokrokve has quit IRC12:45
*** jxxxxx has joined #openstack-keystone12:46
*** Krast has joined #openstack-keystone12:48
*** radez_g0n3 is now known as radez12:51
*** nikunj2512 has quit IRC12:51
*** nikunj2512 has joined #openstack-keystone12:54
*** nikunj2512 has quit IRC12:58
*** richm has joined #openstack-keystone13:04
*** junhongl has quit IRC13:13
*** junhongl has joined #openstack-keystone13:13
*** nkinder has quit IRC13:15
openstackgerritAlexander Makarov proposed a change to openstack/keystone: Trust redelegation
*** gordc has joined #openstack-keystone13:17
*** tellesnobrega_ has joined #openstack-keystone13:18
*** bknudson has joined #openstack-keystone13:24
*** gokrokve has joined #openstack-keystone13:24
*** joesavak has joined #openstack-keystone13:24
*** miqui has joined #openstack-keystone13:32
*** david-lyle has joined #openstack-keystone13:37
*** afaranha has quit IRC13:37
*** afaranha_ has quit IRC13:37
*** david-lyle has quit IRC13:43
*** Krast has quit IRC13:43
*** jsavak has joined #openstack-keystone13:44
*** raildo has quit IRC13:44
*** jsavak has quit IRC13:45
*** joesavak has quit IRC13:47
*** nellysmitt has quit IRC13:52
*** sigmavirus24_awa is now known as sigmavirus2413:53
*** nkinder has joined #openstack-keystone14:02
*** raildo has joined #openstack-keystone14:09
*** andreaf has quit IRC14:11
*** andreaf has joined #openstack-keystone14:12
*** saipandi has joined #openstack-keystone14:18
*** links has quit IRC14:26
*** stevemar has joined #openstack-keystone14:28
dolphmvb123: it looks like you're running stable/icehouse code with a juno keystone.conf14:31
lbragstaddstanek: around?14:36
*** edmondsw has joined #openstack-keystone14:37
edmondswdstanek: note that I submitted a new patch set on that should be easier for you to review than what you started looking at yesterday14:39
lbragstad edmondsw I'm testing your patch...14:40
lbragstadnot sure, but maybe will help..14:41
edmondswI just wrote a small python test program to test it, besides the unit tests I submitted in that patch set, but you're welcome to use if you prefer14:41
edmondswlbragstad: if you're using, you'll probably need to write a script to generate the regex for you, since it's now using substitution strings and I doubt will handle that14:48
lbragstadedmondsw: yeah, I did14:48
lbragstadedmondsw: fails validation14:49
lbragstadresulted in 5 failed test cases: SchemaValidationError: Invalid input for field 'url'. The value is ''.14:51
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update templated catalog to return IDs for endpoints
*** david-lyle has joined #openstack-keystone14:52
*** thedodd has joined #openstack-keystone14:56
edmondswlbragstad: think I see the problem14:56
*** henrynash has joined #openstack-keystone14:57
*** cjellick_ has quit IRC15:01
lbragstadedmondsw: what python program did you write to test this?15:04
edmondswdidn't really... using pdb15:05
edmondswjust copied/pasted into another script to make that easier15:05
*** tellesnobrega_ has quit IRC15:10
*** tomoiaga has quit IRC15:10
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: Multifactor Authentication
*** shikui__ has quit IRC15:14
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: Multifactor Authentication
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support
edmondswlbragstad: that should fix it15:25
*** cjellick has joined #openstack-keystone15:35
*** topol has joined #openstack-keystone15:35
*** ajaya has quit IRC15:49
*** gokrokve has quit IRC15:50
ayoungedmondsw, I like your IPv6 support stuff.  Thanks for doing it.15:52
edmondswayoung, thanks for your thanks :)15:52
*** jorge_munoz has joined #openstack-keystone15:53
ayoungedmondsw, I recall that there was a slew of improper IPv6 address possibilities.  The Reg Ex is hard to get right.  I think you have it right (as I recall)15:53
ayoungseems a shame to have to brute force the  :: shorthand, but, as I recall, that was the right solution15:54
ayoungbeen a few years since I've looked at V615:54
edmondswyeah, it's certainly not simple15:54
edmondswthis is taken pretty much straight from the RFCs, just converting ABNF into python regex15:55
*** _cjones_ has joined #openstack-keystone15:56
jamielennoxgordc: ping16:02
jamielennoxgordc: what's happening with _get_aliases in middleware?16:02
*** k4n0 has quit IRC16:03
*** vhoward has left #openstack-keystone16:14
*** marcoemorais has joined #openstack-keystone16:19
*** vejdmn has quit IRC16:27
*** vejdmn has joined #openstack-keystone16:28
*** vejdmn has quit IRC16:28
*** vejdmn has joined #openstack-keystone16:29
*** lhcheng has joined #openstack-keystone16:30
*** afaranha has joined #openstack-keystone16:33
*** gokrokve has joined #openstack-keystone16:35
*** gokrokve has quit IRC16:36
*** zhiyan has quit IRC16:36
*** vejdmn has quit IRC16:37
*** jraim has quit IRC16:37
*** serverascode__ has quit IRC16:37
*** vejdmn has joined #openstack-keystone16:38
*** ctracey has quit IRC16:38
*** gokrokve has joined #openstack-keystone16:39
*** gyee has joined #openstack-keystone16:39
ayoungjamielennox, hey,  just tried using OSC with a domain_id of YOUNGLOGIC.NET and it seemed to fail on validation.  Is something doing the "assume it is a uuid for an id" trick in there, and, if so, is it KC or OSC?16:40
*** gokrokve has quit IRC16:40
jamielennoxwell ksc won't do anything16:41
jamielennoxayoung: umm, why would that be the domain_id, it just seems like it should be domain_name?16:42
morganfainbergValidation failed in osc or at keystone? It might be the "."16:42
dstaneklbragstad: just saw your message16:43
*** vejdmn has quit IRC16:43
lbragstadwe were working through the ip regex16:43
*** marcoemorais has quit IRC16:43
lbragstaddstanek: ayoung started looking at it too16:44
*** vejdmn has joined #openstack-keystone16:44
ayoungjamielennox, it is both16:44
dstanekbknudson: are you saying that we should not validate URLs at all?16:45
ayoungmorganfainberg, seems to have failed on the client side16:45
morganfainbergayoung: ^16:45
*** vejdmn has quit IRC16:45
morganfainbergMaybe osc is assuming (wrongly) domain id is always a uuid16:46
ayoungmorganfainberg, that is my guess16:46
*** vejdmn has joined #openstack-keystone16:46
ayoungbut it might be KC that is doing that logic16:46
morganfainbergDoes "default" work?16:46
morganfainbergErp. Weird16:46
morganfainbergCan't you try a domain with no . ?16:47
ayoungmorganfainberg,  $ openstack --os-identity-api-version 3 --os-auth-url http://$HOSTNAME:35357/v3 --os-username admin --os-password Secret12 --os-user-domain-name Default --os-project-domain-name Default --os-project-name admin project create --domain "YOUNGLOGIC.NET"   --description "Example Projects"    example16:47
ayoungERROR: openstack Invalid input for field 'domain_id'. The value is 'YOUNGLOGIC.NET'. (HTTP 400)16:47
*** marcoemorais has joined #openstack-keystone16:47
morganfainbergThat isn't default16:47
lbragstadayoung: that looks like a schema validation error16:48
morganfainbergYeah. My guess is the "."16:48
morganfainberglbragstad: ^16:48
* morganfainberg is mobile so slow to look.16:48
ayounglbragstad, and id_string?16:49
lbragstadso, yeah... looks like it's the period16:49
lbragstadbecause 'id_string' is assuming a string that represents some uuid16:50
lbragstadnot a URL16:50
lbragstador a 'domain-name'16:50
morganfainberglbragstad: it looks like it is any string.16:50
*** browne has joined #openstack-keystone16:50
ayoung'pattern': '^[a-zA-Z0-9-]+$'16:50
morganfainbergBut it's not consistent. Some cases it uses string some cases it doesn't validate.16:50
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support
lbragstadit validates for domain_id16:51
lbragstadso when you use --domain for OSC it builds the request with that as the domain_id16:51
lbragstadsee the description of domain_id here:
morganfainberglbragstad, vs
*** amerine has joined #openstack-keystone16:53
morganfainberglbragstad, ah16:54
morganfainberglbragstad, controller assigns a unique id16:54
morganfainbergso in one case we assume you never can have a domain that isn't that regex^16:54
morganfainbergunless you use ldap assignment / something else to create the domain16:55
*** haneef has joined #openstack-keystone16:56
*** marekd is now known as marekd|away16:58
*** vejdmn has quit IRC16:59
*** vejdmn has joined #openstack-keystone17:00
lbragstadmorganfainberg: right17:01
morganfainbergok. i've got to go take care of some stuff pre-summit travel17:02
morganfainbergi'll be back on later.17:03
dstanekso what is the right thing to say when entering the country? i'm there for a conference or vacation? i don't want to be hung up on if i'm working like stevemar was.17:04
morganfainbergdstanek, yeah conference17:05
morganfainbergdstanek, at least thats what i always say17:05
*** thedodd has quit IRC17:05
stevemardstanek, always conference17:05
lbragstadayoung: so your request from above should work if you replace YOUNGLOGIC.NET with the id of your domain17:05
morganfainbergdstanek, stevemar said "work"17:05
stevemaryeah, i was stupid17:05
ayounglbragstad, it was the ID17:05
ayoungI changed the id from YOUNGLOGIC.NET to YOUNGLOGIC17:05
morganfainberglbragstad, he has a domain ID that doesn't match the string regex17:05
ayoungbut, still17:05
dstanekstevemar: morganfainberg: gracias17:05
lbragstadayoung: did you create it through Keystone?17:06
dstanekthat's about as good as my french gets17:06
ayounglbragstad, probably17:06
morganfainbergjamielennox, you're on the hook for the cross-summit "keystone v3 adoption" session if you don't have any objections17:06
ayounglbragstad, unfortunately this VM keeps locking me out, and I lose bash history, but I think I did17:06
lbragstadayoung: interesting...  looking at the keystone validation code and we don't allow users to specify their domain id in the request.17:07
jamielennoxmorganfainberg: i don't know what that means exactly - but umm ok17:07
* lbragstad double checks17:07
morganfainbergjamielennox, i'm writing up the description for the summit session now17:07
morganfainbergfeel free to jump in and help17:07
*** vejdmn has quit IRC17:08
*** vejdmn has joined #openstack-keystone17:08
*** vejdmn has quit IRC17:08
*** vejdmn has joined #openstack-keystone17:08
lbragstadayoung: looks like the controller takes care of it.
ayounglbragstad, I might ask to expand that Regex to include a dot.  I think I want to be able to use the Kerberos REALM name as the domain ID, as that dictates what the userid will be in a multi-backend system17:10
ayoungsha256 {'ayoung', 'YOUNGLOGIC.NET'}17:10
lbragstadayoung: since parameter_types.id_string is used by other things, we should create a new type. dstanek might have thoughts on that though17:11
ayoungnah, just let me put a dot into ids17:11
ayoungit is common enough.  hostnames for example17:11
lbragstadayoung: we cover that case with parameter_types.url17:12
ayoungnot a full url, though17:12
dstaneki'd rather keep id_string the same since it was really to check things where we generate a uuid17:12
jamielennoxmorganfainberg: ok - you expecting a Q&A, or like for me to come with issues?17:13
lbragstadit protects what we generate for id from our controllers17:13
dstanekis there any reason we chose id_string for domain?17:13
lbragstaddstanek: domain_id is generated by the assignment controller17:13
morganfainbergjamielennox, this was the initial description17:13
morganfainbergso i think this is where you have an audience and working group to say "hey so we need to do X, what is the way we get there" also Q/A from the other projects/folks17:14
*** harlowja_away is now known as harlowja17:16
*** vejdmn has quit IRC17:16
jamielennoxmorganfainberg: hmm, domain policies become interesting - do we have our policy session before or after that?17:16
*** vejdmn has joined #openstack-keystone17:16
*** vejdmn has quit IRC17:16
morganfainbergwe have 2 policy sessions17:16
morganfainbergone cross-project one that will be right after the keystone adoption one17:16
morganfainbergand our keystone-specific session a few days later17:17
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a wip decorator for tests
*** vejdmn has joined #openstack-keystone17:17
ayoungdstanek, but that logic is so wrong as to be backwards17:18
ayoungwe do UUIDs because they are nothing but strings, unique, but strings17:19
morganfainbergjamielennox, i just added to the description in the ether pad17:19
morganfainberg*please* update as you see fit17:19
ayoungso...lets stop assuming IDs are UUIDs17:19
ayoungwe need to start testing the living daylights out of the cloudsample policy, too17:20
ayoungand...Horizon is going to need some help on consuming domain tokens.17:21
*** vejdmn has quit IRC17:21
ayoungDagnabit, domains should have been projects from day 117:21
*** harlowja_ has joined #openstack-keystone17:21
morganfainbergayoung, some things *should* only be uuids.17:21
morganfainbergayoung, some things should be more flexible17:21
ayoungmorganfainberg, not to the public API17:21
*** harlowja has quit IRC17:21
morganfainbergayoung, yes to the public API17:21
*** vejdmn has joined #openstack-keystone17:21
ayoungmorganfainberg, heh...just wait17:22
ayoungmorganfainberg, OK,  domain Id is not one of them17:22
ayoungbecause we use that to generate UserIds17:22
morganfainbergayoung, ++ that is fine :)17:22
ayoungand we need to make sure that those are capable of being shared across multiple deployments17:22
*** thiagop has joined #openstack-keystone17:22
ayoungbut..knowing that requires deep knowledge of Keystone internals17:22
morganfainbergayoung, correct17:22
ayoungthe id_mapping approach really needs to be made optional17:23
morganfainbergayoung, domain id should be more flexible than id_string17:23
ayoungwell, same thing with user_id17:23
morganfainbergayoung, it *Cant* be optional for non-default domains17:23
ayoungso what does that leave17:23
morganfainbergayoung, with per-domain backends17:23
ayoungproject id?  nope17:23
ayoungthat comes from LDAP in the Assignment backend17:23
ayounggroups ?  same deal17:23
ayoungids are typically in RDN format in LDAP17:24
ayoungdo we allow commas?  going to check17:24
morganfainbergayoung, we do a lot of magic to make those urlsafe17:24
morganfainbergand no we don't, not in id_string17:24
ayoung'pattern': '^[a-zA-Z0-9-]+$'17:24
ayoungok, so we just broke the LDAP assignment backend17:24
*** vejdmn has quit IRC17:24
ayoungand...probably identity as well, but only in the R/W case17:25
morganfainbergno, we broke read-only assignment backend managed outside of keystone17:25
* ayoung checks clock...nope, still too early to start drinking17:25
morganfainbergthe r/w backend uses uuids and does all sorts of magic17:25
*** david-lyle has quit IRC17:25
*** vejdmn has joined #openstack-keystone17:25
*** vejdmn has quit IRC17:25
morganfainbergthe r/w backend ends up looking a lot like SQL with the data that gets out of the ldap driver.17:25
morganfainberge.g. id format, etc17:25
*** vejdmn has joined #openstack-keystone17:26
ayoung....adored by little statesmen and philosophers and divines.17:26
morganfainbergand we only pull out the uid=<blah> bit.17:26
morganfainbergso i don't think we've broken anything directly *except* maybe read-only setups that are using non-id-string characters17:27
*** vejdmn has quit IRC17:27
morganfainbergso we probably need to look at fixing it, but it's not "the world is broken".17:27
morganfainbergit needs tweaking to be "right"17:27
*** vejdmn has joined #openstack-keystone17:27
morganfainbergayoung, the sky is not falling.17:28
stevemarthe sky is falling!17:29
morganfainbergstevemar, stop it, i'm getting on an airplane soon17:29
ayounghow about "we are continuing to make assumptions about how Keystone should work based on the Public Cloud provider use case."17:30
*** thedodd has joined #openstack-keystone17:30
morganfainbergayoung, thats not even wholly accurate in this case17:30
morganfainbergor even close to accurate17:30
ayoungYes  it is.  The whole approach to anonymizing the userids is due to that use case.  The UUID approach grew out of that use case, as opposed to working with the naming conventions that were already standard17:31
morganfainberg"we made some assumptions on the data format based upon how keystone manages the data in a read-write context and with regards to URL-Safe data"17:31
morganfainbergno the whole approach to anonymizing user ids is because we need to be able derive the IDP source17:32
morganfainbergand we *can't* break our contract17:32
morganfainbergthat has nothing to do with public cloud use-case, it has everything to do with multiple backends and colliding IDs. which i've had the ask for in private-single-org deployments17:32
morganfainbergmultiple times17:32
ayounganyways...I can work around it for now17:33
morganfainberge.g. service accounts in 1 ldap tree, user accounts elsewhere17:33
*** jraim has joined #openstack-keystone17:33
*** vejdmn has quit IRC17:33
morganfainbergand because we can't use the complete DN for ids.17:33
morganfainbergit's really not sane.17:33
morganfainbergsometimes we also may not want to expose what org a user comes from to the service.17:34
morganfainbergthis isn't strictly public provider stuff.17:34
morganfainbergthis is also hybrid.17:34
*** andreaf has quit IRC17:35
*** andreaf has joined #openstack-keystone17:35
*** vejdmn has joined #openstack-keystone17:36
*** jistr has quit IRC17:37
nkinderayoung: just reading back about your OSC problem.  What version of OSC are you using?17:37
morganfainbergnkinder, it's a keystone API validation issue17:37
morganfainbergnkinder, his domain id has a . in it17:37
ayoungnkinder, problem solved17:37
lbragstadnkinder: the domain_id is compared against a regex in jsonschema17:37
morganfainbergdomain id is assumed to be id_string [a-zA-Z0-9-]+17:37
ayoungnkinder, was on the keystone validation side, not OSC17:37
morganfainbergby the schema validator17:38
ayoungwhich is going to mess up "REALM == DOMAIN_ID"17:38
nkinderayoung: oh, just got to that point.  That sucks.17:38
ayoungnkinder, yeah, so the question is how broad to make the id_string validation17:38
ayoungmy thought was that it really is unnecessary17:39
ayoungand is a leaking abstraction17:39
morganfainbergit's something we should fix, but we probably can't make it "the kitchen sink"17:39
ayoungnothing should force IDs to be anything other than url-safe strings17:39
nkinderso domains are a pain to use.  Our calls require you to use the domain_id, and you can't make the id actually be something memorable17:39
ayoungwell, I dropped the .NET17:39
morganfainbergnkinder, domain_name is also explicitly unique17:40
*** jamielennox is now known as jamielennox|away17:40
morganfainbergnkinder, it would be possible to say domain_name should be used instead and domain_id *should* be something non-human muckable.17:40
nkindermorganfainberg: yeah, but you can't use it when making calls since most calls only take the ID and not a name (which we discussed the other day)17:40
*** marcoemorais1 has joined #openstack-keystone17:40
*** marcoemorais has quit IRC17:40
morganfainbergright now domains also are only ever really supported in SQL assignment17:40
morganfainbergnkinder, so i think domains are a case where url-safe is the important bit.17:41
nkinderno, they are supported in LDAP identity too17:41
*** vejdmn has quit IRC17:41
morganfainbergnkinder, really?17:41
nkinderI've been using them17:41
morganfainbergok no.17:41
morganfainberg"domain" is an assignment construct17:41
morganfainbergldap identity doesn't know it's own domain, keystone manages that bit for it17:41
morganfainbergand ldap assignment doesn't do domains iirc17:42
*** vejdmn has joined #openstack-keystone17:42
nkindermorganfainberg: ok, I see what you're saying17:42
*** marcoemorais1 has quit IRC17:42
*** vejdmn has quit IRC17:42
*** ctracey has joined #openstack-keystone17:42
morganfainbergbut we should fix domains.17:42
morganfainbergand validation17:42
morganfainbergwe can talk at the summit how to fix this. and this is something we can backport to juno17:42
morganfainbergit's validators.17:42
* morganfainberg has to get going.17:42
morganfainbergi have too much to do pre flight ;)17:42
*** marcoemorais has joined #openstack-keystone17:43
*** vejdmn has joined #openstack-keystone17:43
nkindergood luck!17:43
*** vejdmn has quit IRC17:43
morganfainbergnkinder, also, pre-policy session want to chat w/ ya17:43
nkindermorganfainberg: sounds good17:43
*** fifieldt has quit IRC17:43
morganfainbergso we can walk in with some ammo17:43
nkindermorganfainberg: I'm getting in on saturday morning, so I'll be around17:43
morganfainbergplease look at and update the description for the x-project one as you see fit17:43
morganfainbergyeah i'm in sat morning as well17:44
samuelmshenrynash, ping17:44
nkindermorganfainberg: will do17:44
*** vejdmn has joined #openstack-keystone17:44
*** vejdmn has quit IRC17:44
*** vejdmn has joined #openstack-keystone17:45
gordcjamielennox|away: sorry went out for lunch i'll reply on gerrit17:46
dstanekayoung: in the discussions we talked about making it as strict as possible (since we make the ids we know what they are)17:47
dstanekayoung: i think the vision was to eventually make many of the regexes configurable17:48
ayoungdstanek, I think we have selection bias17:48
ayoungbut...I can work with it for now17:48
ayoungI'd really suggest that we add .  to the id_string to handle a broad class of ids, but also commas17:48
ayounghowever, I have a demo to set up...17:49
*** serverascode__ has joined #openstack-keystone17:49
*** tellesnobrega has joined #openstack-keystone17:50
ayoungOK...I think I have managed to expose a bug...very subtle17:52
ayoungI was messing around with domain, and I have17:52
*** aix has quit IRC17:52
ayoung15c2b8b1be5945e6887a684b9065fbd7 | YOUNGLOGIC     |       1 | {"description": "admin_domain"}17:52
ayoungas well as17:52
ayoungYOUNGLOGIC                       | YOUNGLOGIC.NET |       0 | {"description": "admin_domain"}17:52
ayoungbut in17:52
ayoung/etc/keystone/domains  I have17:52
ayoungkeystone.admin_domain.conf  keystone.YOUNGLOGIC.NET.conf17:53
morganfainbergnkinder, that is my first pass. i need to take off so please fix it if anything is needed so russellb can publish it.17:53
morganfainbergit's already in the etherpad like that17:53
ayoungso I can log in with domain (in Horizon) set to YOUNGLOGIC17:53
nkindermorganfainberg: ok17:53
ayoungbut that should be the domain name, and, in fact the user that gets logged in shows a domain of 15c2b8b1be5945e6887a684b9065fbd717:53
ayoungbut there is no corresponding domain file for just YOUNGLOGIC17:53
morganfainbergayoung, there is def. some UX improvements we can have there.17:54
ayoungah, restart...and now everything is broken17:54
ayoungOK,  it was cached in Keystone I suspect17:54
morganfainbergoh the per-domain thing?17:54
morganfainbergayoung, yes re-start is needed to pick up those changes.17:54
ayoungcuz I've been totally messing around at the SQL level17:55
morganfainbergand if you enable assignment caching, sql changes would get very odd.17:55
*** harlowja_ has quit IRC17:55
*** tellesnobrega has quit IRC17:55
morganfainbergnkinder, and don't hesitate to totally gut/rewrite the description. i won't be offended ;)17:56
*** miqui has quit IRC17:56
*** harlowja has joined #openstack-keystone17:56
nkindermorganfainberg: it looks pretty good.  I'll probably just make some slight tweaks17:56
nkindermorganfainberg: do you want me to give russellb the go-ahead when I'm finished?17:56
*** afazekas has quit IRC17:57
morganfainbergnkinder: whatever he needs to know if anything.17:57
bknudsondstanek: yes, I'm saying don't bother trying to validate that the URL is a URL.17:57
morganfainbergBut yeah. Not sure when he's publishing it.17:57
*** vejdmn1 has joined #openstack-keystone17:58
*** vejdmn has quit IRC17:58
ayoungmorganfainberg,  David Chadwick is gonna be fun in that session.17:59
*** zhiyan has joined #openstack-keystone18:00
russellbnkinder: morganfainberg if you get it sometime today, we're in good shape18:00
russellbi'll publish tomorrow or friday probably18:00
*** marcoemorais has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:01
*** marcoemorais has quit IRC18:02
*** marcoemorais has joined #openstack-keystone18:02
ayoungnkinder, how are you setting REMOTE_DOMAIN in the kerberos case?18:03
nkinderayoung: there's no way to extract the realm in mod_auth_kerb18:04
nkinderayoung: so you have to put it in the Location18:05
ayoungnkinder, hmmm, as I recall, there was an option, but it only worked for non default REALMS18:05
nkinderayoung: also, turn on local user mapping18:06
ayoungso that if you do a trust, you get it set, but if not, you got the short form18:06
ayoungah, that was for REMOTE_USER18:06
nkinderayoung: yeah, I looked in the mod_auth_kerb code, and there was nothing to pull the realm off of the principal unfortunately18:06
nkinderayoung: it seems like it would be useful18:06
ayoungwhich is why I was parsing18:06
nkinderayoung: but SetEnv is easy enough for most cases.  It's the trust cases where you would lose flexibility18:07
nkinderayoung: DomainLegacy does it too18:07
ayoungdoes that set domain name or id, I wonder...18:07
nkinderI tried to stick with non-deprecated plugins18:07
ayoungdamnit, ID18:08
* ayoung shakes fist 18:08
bknudsondstanek: the problem is if we don't get the URL validation perfect then we're going to be dealing with bugs forever.18:21
dstanekbknudson: i agree that it's a pretty big problem; what about making the regex looser?18:50
dstanekbknudson: [a-z]+://[\w\.:]+/?.*18:51
dstanekbknudson: or something similar - that's basically scheme://{host|ip}/optional18:52
bknudsondstanek: I think we should be able to create an endpoint like $(public_endpoint)s18:52
ayoungdon't forget IPv618:52
bknudsonthis would use the substitution code18:53
ayoungwhich has [feed:babe:oooa::1]18:53
bknudsonWe do format_url in get_catalog:
bknudsonso you should be able to use substitutions in the endpoints18:53
bknudsonI don't think you can do substitution for the region url... so maybe that can be [a-z]+://[\w\.:]+/?.*18:54
bknudsonI'm surprised we don't have a test creating an endpoint with a port like $(public_port)s18:56
dstanekbknudson: hmmm...public_endpoints isn't one of the things we wanted for substitution long term according to the last IRC chat i had about it19:26
dstanekwe talked about project_id and user_id, but nothing from the config file19:26
bknudsondstanek: ok, I'm fine with that.19:28
bknudsonwouldn't be backwards compatible19:28
openstackgerritA change was merged to openstack/keystonemiddleware: add context to keystonemiddleware
ayoungrichm, have you addressed doing HTTPS for Horizon?19:30
edmondswbknudson: so where have we ended up with url validation?19:35
edmondswdstanek: ^19:35
edmondswlbragstad: ^19:36
bknudsonedmondsw: my opinion is that we should lenient and not try to validate all aspects of it since it will only lead to bugs when it doesn't accept every url that someone wants to use.19:37
edmondswI'm fine with that, but is that opinion the consensus?19:39
richmayoung: no - that was rcrit19:39
dstanekbknudson: this is the review where i deprecate catalog substitution from config files
dstanekedmondsw: bknudson: lbragstad: i'm totally OK with that, but i think we want to have some level of validation to help users when they make mistakes - even if it only checks scheme://something/optional19:40
bknudsondstanek: that would be lenient enough for me.19:41
bknudsondstanek: I've got a change to remove the option that we said we were going to remove in juno --
edmondswso ... '(?:.+://.+)'  ?19:42
bknudsonrfc1738 section 2.1 says it's <scheme>:<scheme-specific-part>19:46
bknudsonand <scheme> is a-z, A-Z, digits, +, ., -19:47
bknudsonI assume <scheme-specific-part> can be anything.19:48
openstackgerritJorge Munoz proposed a change to openstack/keystone-specs: Refresh Token spec
edmondswso ... '(?:[a-zA-Z0-9+.-]+:.+)'19:55
edmondswlbragstad: you ok with this?19:55
lbragstaddstanek: edmondsw reading back19:58
samuelmsHi guys, I'd like to have a core opinion on a potential security issue when showing a project parents/subtree ids ..20:01
samuelmsIt's related to the Hierarchical Projects concept20:01
samuelmsmorganfainberg, ^20:01
samuelmsI've left a couple of comments on this patch20:01
dstanekbknudson: i like your patch better because it allows some of the other fields to be included for substitution20:05
bknudsondstanek: I tried to keep the behavior the same... if we want to deprecate substitution altogether then we'll need yours20:06
dstanekbknudson: i'd love to hear what morganfainberg and dolphm think so that we can get one through and abandon the other20:07
bknudsonI think they're both valid changes.20:07
lbragstadedmondsw: bknudson dstanek yeah that works for me20:16
lbragstadedmondsw: bknudson dstanek I wish there were a library we could use for this20:17
dstanekedmondsw: my original thought was something like - "[a-z]+://[\w\.:]+/?.*" - but i'd be OK with something else20:18
edmondsw'(?:[a-zA-Z0-9+.-]+:.+)' would align with what Brant found in rfc1738 section 2.120:18
bknudsonedmondsw: y, that looks fine.20:18
edmondswok, I'll submit a new (and much simpler) patch set with that20:19
openstackgerritLance Bragstad proposed a change to openstack/keystone: Provide useful info when parsing policy file
lbragstadstevemar: thanks for the review, comments addressed20:39
stevemari reviewed something?20:40
rodrigodsstevemar, is helping me a lot with reviews =)20:42
stevemarrodrigods, lies20:43
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support
morganfainbergdstanek: bknudson I'll look at that review once I am not on mobile doing pre-travel stuff.21:29

Generated by 2.14.0 by Marius Gedminas - find it at!