Monday, 2014-11-10

« Sunday, 2014-11-09 Index Tuesday, 2014-11-11 »
*** henrynash has joined #openstack-keystone00:03
*** viswanathsomanch has quit IRC00:16
*** Viswanath has joined #openstack-keystone00:18
*** Viswanath_ has quit IRC00:19
*** Viswanath has quit IRC00:23
*** dims__ has joined #openstack-keystone00:26
*** dims__ has quit IRC00:32
*** dims__ has joined #openstack-keystone00:32
*** diegows has joined #openstack-keystone00:41
*** henrynash has quit IRC00:49
*** viswanathsomanch has joined #openstack-keystone01:36
*** viswanathsomanch has quit IRC01:37
*** viswanathsomanch has joined #openstack-keystone01:37
*** viswanathsomanch has quit IRC01:38
*** viswanathsomanch has joined #openstack-keystone01:38
*** r1chardj0n3s is now known as r1chardj0n3s_afk01:49
*** diegows has quit IRC02:23
*** viswanathsomanch has quit IRC02:40
*** alex_xu has joined #openstack-keystone02:52
*** alex_xu has quit IRC02:57
*** alex_xu has joined #openstack-keystone03:10
*** dims__ has quit IRC03:12
*** dims__ has joined #openstack-keystone03:12
*** stevemar has quit IRC03:56
*** stevemar has joined #openstack-keystone03:56
*** viswanathsomanch has joined #openstack-keystone04:07
*** alex_xu has quit IRC04:31
*** alex_xu has joined #openstack-keystone04:31
*** stevemar has quit IRC04:42
*** k4n0 has joined #openstack-keystone04:44
*** amerine has quit IRC05:23
*** ajayaa has joined #openstack-keystone05:50
*** jaosorior has joined #openstack-keystone06:01
*** ajayaa has quit IRC06:10
*** ukalifon1 has joined #openstack-keystone06:13
*** ajayaa has joined #openstack-keystone06:23
*** viswanathsomanch has quit IRC06:32
*** ajayaa has quit IRC06:37
*** amirosh has joined #openstack-keystone06:55
*** ajayaa has joined #openstack-keystone07:01
*** afazekas has joined #openstack-keystone07:02
*** nikunj2512 has joined #openstack-keystone07:04
nikunj2512what is different between update_password & update_own_password methods in keystoneclient>07:05
nikunj2512?07:05
*** henrynash has joined #openstack-keystone07:29
*** henrynash has quit IRC07:42
*** miqui has quit IRC07:54
*** henrynash has joined #openstack-keystone08:21
*** boris-42 has joined #openstack-keystone08:27
*** ukalifon1 has quit IRC08:29
*** jcastro has joined #openstack-keystone08:31
*** jcastro has quit IRC08:32
*** jcastro has joined #openstack-keystone08:32
*** jcastro has quit IRC08:33
*** jcastro has joined #openstack-keystone08:34
*** jcastro has quit IRC08:34
*** jcastro has joined #openstack-keystone08:35
*** jcastro has quit IRC08:36
*** jcastro has joined #openstack-keystone08:37
*** ajayaa has quit IRC08:37
*** jcastro is now known as josecastroleon08:39
*** josecastroleon has quit IRC08:40
*** josecastroleon has joined #openstack-keystone08:40
*** ajayaa has joined #openstack-keystone09:02
*** ajayaa has quit IRC09:07
*** ukalifon has joined #openstack-keystone09:11
*** alex_xu has quit IRC09:17
*** aix has joined #openstack-keystone09:17
*** nellysmitt has joined #openstack-keystone09:25
*** jistr has joined #openstack-keystone09:27
*** ajayaa has joined #openstack-keystone09:32
*** henrynash has quit IRC09:55
*** henrynash has joined #openstack-keystone09:55
*** henrynash has quit IRC10:00
*** nellysmitt has quit IRC10:26
*** nellysmitt has joined #openstack-keystone10:38
*** diegows has joined #openstack-keystone10:50
*** aix has quit IRC11:02
*** dims__ has quit IRC11:08
*** dims__ has joined #openstack-keystone11:08
*** nellysmitt has quit IRC11:14
*** nellysmitt has joined #openstack-keystone11:17
*** aix has joined #openstack-keystone11:29
*** nikunj2512 has quit IRC11:34
*** nellysmitt has quit IRC11:38
*** nellysmitt has joined #openstack-keystone11:39
*** ajayaa has quit IRC11:47
*** nellysmitt has quit IRC11:49
*** afazekas is now known as afazekas_on_food11:54
*** ajayaa has joined #openstack-keystone11:59
*** nikunj2512 has joined #openstack-keystone12:10
*** boris-42 has quit IRC12:17
*** henrynash has joined #openstack-keystone12:20
*** raildo has joined #openstack-keystone12:25
ekarlsojamielennox|away: ping12:27
*** amakarov has joined #openstack-keystone12:31
*** henrynash has quit IRC12:32
*** nellysmitt has joined #openstack-keystone12:45
*** pc-m has joined #openstack-keystone12:49
*** htruta has joined #openstack-keystone12:51
*** henrynash has joined #openstack-keystone12:55
henrynashmarekd: ping12:57
*** mflobo has joined #openstack-keystone13:02
mfloboIs there some schelude for python-keystoneclient deprecation? https://launchpad.net/python-keystoneclient/+milestone/1.0.013:03
marekdhenrynash: hey13:14
*** afazekas_on_food is now known as afazekas13:15
*** henrynash has quit IRC13:19
*** dims__ has quit IRC13:29
*** dims has joined #openstack-keystone13:30
*** elynn_ has joined #openstack-keystone13:37
marekdhenrynash: ping13:41
*** boris-42 has joined #openstack-keystone13:48
*** jistr has quit IRC13:55
*** amirosh has quit IRC13:56
*** jistr has joined #openstack-keystone13:57
*** openstackgerrit has joined #openstack-keystone14:04
*** pc-m has quit IRC14:07
*** amakarov has quit IRC14:14
*** p01s0n has joined #openstack-keystone14:23
*** amakarov has joined #openstack-keystone14:28
lbragstadmorganfainberg: pong (from rogue ping above ^^), not sure if that was from the summit or not?14:29
openstackgerritMarek Denis proposed a change to openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313014:31
*** elynn_ has quit IRC14:31
rodrigodsmarekd, thanks! was fixing that error right now =)14:35
marekdrodrigods: ah, sorry ;/14:35
marekdhope this will work now.14:35
rodrigodsmarekd, np, you saved some minutes here =), about here https://review.openstack.org/#/c/133130/5/keystone/tests/config_files/test_auth_plugin.conf, I think it must be "oidc"14:36
marekdrodrigods: yes yes, but i feel this should be aother patch (build on top of this one)14:37
marekdi can add it now.14:38
rodrigodsmarekd, ++14:38
marekdrodrigods: once i am back in Geneva I will have time to read carefully your blog post.14:39
marekdrodrigods: ah, and thanks for that: https://review.openstack.org/#/c/130564/14:39
rodrigodsmarekd, great! np, just a quick rebase14:42
openstackgerritLance Bragstad proposed a change to openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005014:44
*** joesavak has joined #openstack-keystone14:51
*** ajayaa has quit IRC14:53
openstackgerritMarek Denis proposed a change to openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349414:56
marekdrodrigods: ^^14:56
*** pc-m has joined #openstack-keystone14:56
lbragstaddstanek: are you migrating unit tests to keystone/tests/unit/ in any particular order?14:56
*** htruta has quit IRC14:58
*** saipandi has joined #openstack-keystone15:06
*** sigmavirus24_awa is now known as sigmavirus2415:08
*** saipandi has quit IRC15:10
openstackgerritMarek Denis proposed a change to openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349415:11
*** topol has joined #openstack-keystone15:12
*** henrynash has joined #openstack-keystone15:14
*** k4n0 has quit IRC15:14
*** ukalifon has quit IRC15:17
*** p01s0n has quit IRC15:20
*** nikunj2512 has quit IRC15:20
*** jistr has quit IRC15:30
marekddolphm: ping.15:30
*** jistr has joined #openstack-keystone15:32
marekddolphm: so, during mid cycle meetun in TX there was some long discussion about proper method name for all federated auth methods. I have a string feeling that we were talking that all of them should be named 'mapped', however, the code seems to keep per protocol name. Can you recall such ideas for using one generic 'mapping' auth method?15:32
*** zzzeek has joined #openstack-keystone15:32
marekdrodrigods: no, DAvid says what I said earlier today15:36
marekdrodrigods: use one mapping auth method and call it 'mapped'15:36
marekdrodrigods: for some reason this sits deeply somewhere in my head15:36
*** ajayaa has joined #openstack-keystone15:39
rodrigodsmarekd, hmm cool15:39
rodrigodsmarekd, let's see what will be decision this time15:39
marekdrodrigods: this is all more like academic talk.15:41
marekdrodrigods: he is right at some point, but....do you want to put auth method to 'modshib' ?15:42
marekdrodrigods: it's stupid15:42
rodrigodsmarekd, and strongly "connects" with Apache only stuff15:43
marekdrodrigods: i doubt there is apache alternative atm.15:45
marekdbut essentially you are right.15:45
rodrigodsmarekd, i think i saw keystone + ngnix stuff somewhere (probably online tutorials)15:45
rodrigodsanyway...15:45
marekdrodrigods: now, i'd rather say: use auth methods like saml2, oidc but call classes plugin specific (if needed): MappedShibboleth, MappedWeirdApachePlugin etc15:46
marekdthen yo will have a strong connection between plugin handlig input from a specific apache module.15:46
*** Viswanath has joined #openstack-keystone15:47
rodrigodsmarekd, since are plugins, lgtm15:47
*** Viswanath has quit IRC15:50
*** ajayaa has quit IRC15:52
*** jistr has quit IRC15:52
*** jistr has joined #openstack-keystone15:53
marekdhenrynash: ping.15:53
henrynashmarked: hi15:53
marekdhenrynash: a question. Is OS-INHERIT different on putting role assignments on a domain and a user?15:54
marekdhenrynash: if i put a role on a user marek and domain pepsi15:54
henrynashmarked: not sure I understand the question15:54
henrynashmarked: ok15:54
henrynashmarked: it can be inherted or non-inherited15:55
marekdok, what can is do concerning domains/ role assignments without OS-INHERIT?15:55
henrynashmarked: so without OS-INHERIT, anyting you can assign to a proejct you can also assign to a domain15:55
henrynashmarked: i.e. a user role or a group role15:55
marekdhenrynash: ok, lets sa i will assign role member on my user and a domain15:56
henrynashmarked: with OS-INHERIT, on a per assignmnet basis, you can decide if that assignment should be inherited or not15:56
henrynashmarked: ok15:56
marekdhenrynash: this would mean that my user will have role member on every project in that domain?15:56
*** wwriverrat has joined #openstack-keystone15:56
henrynashmarked: ONLY if you explicitely mark teh assignment as inherited at the time of creating the assignment15:57
henrynashmarked: it’s a boolean you pass to the create_grant API15:57
*** wwriverrat has left #openstack-keystone15:57
*** Viswanath has joined #openstack-keystone15:57
marekdhenrynash: and this is core of OS-INHERIT15:57
henrynashmarked: (Actually I think it’s a string, but same idea)15:57
marekdhenrynash: so, lets say i would have that role member on a domain withut inheritance enabled - is there any place i can use it?15:58
henrynashmarked: on the domain…i.e. in a domain scoped token15:58
henrynashmarked: for instance, a role taht allows you to create users in that domain15:59
marekdhenrynash: yeah, but what can i do with that? i guess nothing15:59
henrynashmarked: or manage grousp15:59
henrynashmarked: or create projects15:59
henrynashmarked: user on-boarding is the classic example15:59
marekdhenrynash: i thought this would be more a work for admin not average member, but we are talking theory here.16:00
henrynashmarekd:…and of couse the domain admin IS mosy likely a role on the domain16:00
marekdso, only with os-inherit me having a member role in a domain will mean that i am a member in every project => i can even boot a machine there.16:00
henrynashmarked: correct16:01
*** Viswanath has quit IRC16:01
marekdis this role assignment resolved dynamically?16:01
henrynashmarked: yes16:01
henrynashmarekd: yes16:01
henrynashmarekd: when we build a token (scoped to a project), we check the project domain to see if the user has a role on that16:02
marekdwhich is either a role assignment specifically for that user and project, or inherited role assignment for a domain and that user.16:04
marekdhenrynash: ^^16:04
henrynashmarked:… or a group role, of which the user is a member, on either16:05
marekdah, yes, forgot the groups.16:05
marekdhenrynash: ok, thanks, it clarifies a little bit.16:06
henrynashmarekd: np16:06
*** Viswanath has joined #openstack-keystone16:08
marekdhenrynash: one more question. So, once I have domain role which is inherited I should see this role while listing it or a that role assigned to all projects from this domain?16:08
*** htruta has joined #openstack-keystone16:09
henrynashmarekd: you mean in a keystone api call?16:09
marekdhenrynash: yes, for instance when I will be listing my role assignments.16:10
henrynashmarekd: syes…but yor need to make sure you use the API properly… i16:11
henrynashmarekd: e.g. call list_role_assignments with the ?effective filter on it16:11
henrynashmarekd: which will tell it to give the list of “effective” rolea ssignments on a given project16:12
marekdhenrynash: so, for instance here: https://review.openstack.org/#/c/132826/2/keystone/tests/test_v3_federation.py the test from line 1079 should fail because scoping to a domain should be not allowed, because the roles are inheriting to a project, right?16:13
henrynashmarekd: if you call list_grants, then it will show you the explicit grants…i.e. you WON’T see the inherited role show up on the project, since that API is designed to manage the grants themselves16:13
henrynashmarekd: exactly16:14
*** Viswanath has quit IRC16:14
marekdand without inheriting i'd get role assignments on domain, but not on project.16:14
marekd(just making sure i understand it completely)16:14
marekdhenrynash: so, for an admin, who should be able to a) manage domain projects/users b) maanage projects (like evacuate vms from projects) i need two role assignments - one with inheriting to projects and another one *not* inheriting to projects?16:16
henrynashmarekd: well the grant made to the domain would have been marked explictly as inherited or not (at the time teh grant was made)….the bug was that we weren’t honouring the flag when we searched for roles16:16
henrynashmarekd: yes, although might well want to have separate “roles”  for those two administrative duties…rather than use the same role name16:17
marekdhenrynash: ok, i might bug you about it later. Thanks for now!16:18
henrynashmarekd: say role “user_manager” non-inherited on the domain, and “vm_manager” assigned as inherited on the domain (and hence effective on projects_16:18
*** afazekas has quit IRC16:21
*** thedodd has joined #openstack-keystone16:22
*** wwriverrat has joined #openstack-keystone16:22
*** wwriverrat has left #openstack-keystone16:23
*** stevemar has joined #openstack-keystone16:36
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313016:37
raildomorganfainberg, ping16:38
*** richm has joined #openstack-keystone16:38
*** thedodd has quit IRC16:42
*** thedodd has joined #openstack-keystone16:44
*** marcoemorais has joined #openstack-keystone16:44
*** gyee has joined #openstack-keystone16:45
*** nkinder has joined #openstack-keystone16:52
*** amerine has joined #openstack-keystone17:00
*** _cjones_ has joined #openstack-keystone17:00
*** jsavak has joined #openstack-keystone17:01
*** joesavak has quit IRC17:04
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352517:05
*** wwriverrat1 has joined #openstack-keystone17:22
*** jaosorior has quit IRC17:23
*** ajayaa has joined #openstack-keystone17:24
*** wwriverrat1 has left #openstack-keystone17:24
*** Viswanath has joined #openstack-keystone17:29
*** saipandi has joined #openstack-keystone17:30
*** marcoemorais has quit IRC17:30
*** marcoemorais has joined #openstack-keystone17:30
*** marcoemorais has quit IRC17:31
*** marcoemorais has joined #openstack-keystone17:31
openstackgerritayoung proposed a change to openstack/keystone-specs: WebSSO  https://review.openstack.org/13352917:32
*** ayoung has joined #openstack-keystone17:32
*** Viswanath has quit IRC17:34
*** marcoemorais has quit IRC17:36
*** marcoemorais has joined #openstack-keystone17:36
ayoungnkinder, https://review.openstack.org/#/c/133529/   I tried to break it down as fine as possible.17:37
henrynashayoung, morganfainberg, dstanek, stevemar, bknudson, lbragstad: have a long series of dependant patches that fix a series of defects that I suspect we will want to backport…if you have time if you could follow teh chain up from https://review.openstack.org/#/c/132826/ that would be great17:37
*** david-lyle has joined #openstack-keystone17:38
morganfainbergMorning.17:38
morganfainbergraildo: pong17:38
*** marcoemorais has quit IRC17:38
morganfainbergraildo: I need to run shortly but can respond later.17:38
morganfainbergIf you're not here right now.17:38
*** marcoemorais has joined #openstack-keystone17:38
raildook, just a doubt17:38
morganfainbergraildo: go for it.17:39
raildoi have to create one spec for all discussion about HM17:39
raildo?17:39
raildoor a have to create a spec for update discussion, delete discussion, reseller...17:39
morganfainbergraildo: well we have the one for the current stuff.17:39
morganfainbergThe reseller stuff needs a new spec specifically.17:40
ayoungmorganfainberg, https://review.openstack.org/#/c/133529/  bascially needs token-provider-as-pipeline.17:40
raildomorganfainberg, ok17:40
ayoungI think I can do it without too much rewriting17:40
raildoso, i will create two specs, one for reseller use case, and other for HM stuffs17:40
morganfainbergraildo: wait. What other hm stuff?17:41
rodrigodsraildo, there is also the schema evolution: regarding scalability (dolph's blog post)17:41
raildothis link? http://dolphm.com/hierarchical-multitenancy/17:41
htrutarodrigods:  I don't think this is the current priority17:41
rodrigodshtruta, I mean, where it is gonna be placed (spec)17:42
rodrigodswe need to have the update leaf projects stuff17:42
rodrigodseven it is not going to be implemented right now17:42
morganfainbergayoung: let me discuss that with you when I'm not on my phone. Will be setup to talk later today.17:42
raildomorganfainberg, the other hm stuff = recursive deletion, update project, quotas...17:42
htrutarodrigods:  yeah, sure17:43
ayoungmorganfainberg, sounds good.17:43
morganfainbergayoung: a little jet lagged - just got home at 1am this morning.17:43
ayoungHeh17:43
ayoungmorganfainberg, bummer about bailing on your trip.17:43
morganfainbergayoung: eh better than really injuring myself right? Can always vacation else time.17:44
ayoungmorganfainberg, not if CERN releases the Higgs Bosun on us all and destroys the planet17:44
ayoungraildo, reseller:  we are going to cut at domains, right?  Some sort of property on a domain object that says "people above this line can't see things below this line...."17:46
raildoayoung, right17:46
morganfainbergayoung: yes. The namespace roles is something (the bigger part) that henrynash is working on.17:47
ayoungraildo, I like this.17:47
raildomorganfainberg, ++17:47
morganfainbergReseller doesn't work w/o that.17:47
*** Viswanath has joined #openstack-keystone17:47
htrutaayoung:  it will be optional, right?17:48
htrutaAnd  will the domain owner also be able to give some kind of temporary access to the reseller in case things go wrong?17:48
*** joesavak has joined #openstack-keystone17:49
morganfainbergraildo: so yes we need a reseller spec that depends on/works with Henry's work(might be 1 spec). But the other items might need smaller specs. Eg: update (change hierarchy for leaf nodes and recursive delete). Then we have quota17:49
morganfainbergraildo: does that breakdown make sense?17:50
raildomorganfainberg, great. I'll talk with henrynash later17:50
morganfainberghtruta: yes it is optional and yes you can grant a role to someone to help fix.17:51
raildothank you17:51
morganfainbergraildo: the update / delete one is one spec (if that wasn't clear)17:51
morganfainbergayoung: I also have not read your email on trusts. Was flying near 100% of yesterday.17:51
ayoungmorganfainberg, no problem.17:52
*** jsavak has quit IRC17:52
morganfainbergayoung: reminds me. Need to send the reminder email tomorrow's meeting is cancelled.17:52
raildomorganfainberg,ok,  I get it. I'll start with the part of update/delete which is simpler and then I talk to henrynash about the reseller17:53
ayoungmorganfainberg, why cancel it?  We can hold.  I suspect there is enough to discuss17:53
morganfainbergayoung: we just did a full week of in-person face to face work. I think there isn't a lot to discuss directly that can't be a smaller crowd on IRC.17:54
ayoungmorganfainberg, maybe focus on "who is doing what, and what is not going to get done?"17:55
morganfainbergOr via email. Would you say the same thing if the meeting was today?17:55
ayoungmorganfainberg, possibly.  I'm still trying to pull together the details from last week, but that will likely be the case for a while.17:56
openstackgerritMarek Denis proposed a change to openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349417:56
ayoungPerhaps a summary for people that were not able to make it to the summit, or a pointer to the artifacts would be in order.17:56
ayoungmaybe a Q&A meeting for people to inquire about details?17:57
morganfainbergayoung: largely the same and I'm try to write up summary of our sessions to publish.17:57
ayoungfair enough.  I'm willing to stand by IRC for an hour to field questions about the summit sessions for people that weren't there17:57
morganfainbergayoung: my thought is we will largely do that next week with some summary of the sessions already written up.17:58
*** Viswanath has quit IRC17:59
morganfainbergI think the benefit will be bigger that way. Besides, we all *do* have things to do that don't need lots of extra discussion (review HM stuff, spec writing etc - some things are absolutely on the deck for kilo)18:00
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy  https://review.openstack.org/13010318:01
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects  https://review.openstack.org/13027718:01
raildomorganfainberg, ++18:01
*** jistr has quit IRC18:02
*** Viswanath has joined #openstack-keystone18:02
rodrigodsmorganfainberg, raildo, reseller is for Kilo?18:03
raildorodrigods, yes18:03
morganfainbergrodrigods: I would hope so :)18:03
rodrigodsmorganfainberg, raildo, nice18:04
rodrigodsbusy is good =)18:04
*** marcoemorais has quit IRC18:05
*** marcoemorais has joined #openstack-keystone18:05
*** Viswanath has quit IRC18:07
*** marcoemorais has quit IRC18:08
marekdrodrigods: one more comment regarding fed auth methods18:08
marekdand we should be good to fo.18:09
marekdgo18:09
*** marcoemorais has joined #openstack-keystone18:09
*** marcoemorais has quit IRC18:09
*** marcoemorais has joined #openstack-keystone18:09
*** Viswanath has joined #openstack-keystone18:15
rodrigodsmarekd, is it ok to put 'List of federation authentication methods. It must be a subset of \'methods\' list. Examples: \'saml2, oidc\'' (backslashed) ?18:16
rodrigodsmarekd, the generated conf looks good IMO18:18
rodrigodswill update the patchset18:18
*** marcoemorais has quit IRC18:18
*** thedodd has quit IRC18:19
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313018:19
*** Viswanath has quit IRC18:19
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349418:20
*** marcoemorais has joined #openstack-keystone18:21
*** marcoemorais has quit IRC18:24
*** marcoemorais has joined #openstack-keystone18:24
*** diegows has quit IRC18:29
*** saipandi has quit IRC18:34
*** jistr has joined #openstack-keystone18:37
*** Viswanath has joined #openstack-keystone18:42
*** thedodd has joined #openstack-keystone18:42
*** jaosorior has joined #openstack-keystone18:44
*** amcrn has joined #openstack-keystone18:44
*** Viswanath has quit IRC18:44
*** saipandi has joined #openstack-keystone18:45
*** diegows has joined #openstack-keystone18:46
*** aix has quit IRC18:48
*** Viswanath has joined #openstack-keystone18:48
*** wwriverrat has joined #openstack-keystone18:50
*** wwriverrat has left #openstack-keystone18:50
*** diegows has quit IRC18:51
*** Viswanath has quit IRC18:54
*** jsavak has joined #openstack-keystone18:59
*** joesavak has quit IRC19:01
*** jsavak has quit IRC19:05
*** joesavak has joined #openstack-keystone19:09
*** diegows has joined #openstack-keystone19:11
*** Viswanath has joined #openstack-keystone19:12
*** Viswanath has quit IRC19:17
*** amakarov is now known as amakarov_away19:19
*** Viswanath has joined #openstack-keystone19:27
*** Viswanath has quit IRC19:33
*** ajayaa has quit IRC19:33
*** rwsu has joined #openstack-keystone19:35
ayoungnonameentername, so...MFA.   as Goldman once penned "I do not think it means what you think it means."19:41
ayoungTo wit: I think that MFA to create a token is not really MFA once you present the (bearer) token to the end service19:42
lbragstadayoung: nonameentername is still bouncing around Europe somewhere..19:42
gyeeMFA is a concept, not a protocol19:43
ayounggyee, um,  ok.  Its still not implemented with bearer tokens19:44
ayounggyee, lets say you want to do a nova boot.  The user should authenticate to Nova with multiple factors,  not to Keystone19:45
lbragstadso...19:45
lbragstadthat would be MFA for *every* operation19:45
gyeeayoung, definitely not bearer token19:46
ayounglbragstad, no,  but I would say for the first operation, and then require TLS and session reuse19:47
*** marcoemorais has quit IRC19:47
lbragstadso, use MFA for the authenticate call19:47
*** marcoemorais has joined #openstack-keystone19:47
lbragstadand then use that token for booting a server in Nova19:47
ayounglbragstad, and then when someone steals that token>19:47
ayoungyou have no MFA19:48
gyeebut token and MFA are two different thing, once you get a token, MFA is out of the picture19:48
gyeeunless we are taking about replacing token with MFA19:49
gyeetalking19:49
ayounghttp://epeus.blogspot.com/2002/12/douglas-adams-on-digital-id.html19:50
ayoungonce you have a token, security is out of the picture19:51
*** Viswanath has joined #openstack-keystone19:51
gyeefor bearer token yes19:51
*** Viswanath has quit IRC19:53
lbragstadisn't that the case with all bearer tokens? Once it's compromised, it's compromised...19:54
ayounglbragstad, We should be authenticating to the services themselves, not just to Keystone19:54
gyeesimple, 2 way SSL :)19:54
ayounglbragstad, Keystone really should just be saying "if the user is really who they claim to be, then here is what roles they should have"19:55
ayounggyee, yep19:55
ayoung2ways SSL19:55
ayoungor TLS since SSL is now a dirty word19:55
gyeehaha19:55
ayoungstevemar, https://review.openstack.org/#/c/133037/   you don't need mapped.  You can use the external plugin19:59
ayounggyee, then MFA would be a second factor after client cert, right?20:00
gyeeayoung, no, MFA usually involves one time passcode20:04
gyeepin + one time passcode20:04
gyeepin is something you know20:05
gyeeone time passcode comes from something you have (keyfab)20:06
lbragstador could be generated based on a time algorithm or HMAC20:07
lbragstadTOTP (time-based) or HOTP (HMAC-based)20:07
gyeeright20:08
*** david-lyle has quit IRC20:08
*** marcoemorais has quit IRC20:09
*** marcoemorais has joined #openstack-keystone20:10
stevemarayoung, most of the apache module for federation end up setting REMOTE_USER to some value, so we still want to use the mapping engine for the other properties20:11
ayoungstevemar, I'm missing something then,  as I thought that REMOTE_USER would be one of the inputs to the mapper anyway.20:12
marekdayoung: external simply takes REMOTE_USER value and does the user lookup in the db i think20:13
ayoungyeah, pretty much20:13
marekdayoung: which is clearly not stevemar's case20:13
stevemarayoung, right, this just makes the mapping even easier, so the admin doesn't have to specify the 'user' part of the rule20:13
ayoungI thought any input variables could be used in the mapping case?20:13
morganfainberggod i hope we're not talking about totp/hotp IN A TOKEN20:14
gyeemapping to groups is the right balance20:14
morganfainbergto get a token, sure.20:14
gyeeits going to a foggin nightmare auditing the permissions if we do individual maps20:14
gyeemorganfainberg, no, MFA is for auth only20:15
gyeeauthn20:15
morganfainberggood20:15
* ayoung goggles hotp20:16
stevemarayoung, yes they can, this is just a convenience thing - rather than specifying that input variable in the mapping, if we notice REMOTE_USER + one of the federation protocols, then we can assume that's the user id20:16
lbragstadayoung: http://www.ietf.org/rfc/rfc4226.txt20:16
* gyee really hope *hotp* is not some pron site20:16
*** gmurphy has left #openstack-keystone20:17
morganfainbergayoung, hotp = 1 time use20:17
morganfainbergayoung, totp = time based (what you think of when someone says google authenticator, even though it can do hotp as well)20:17
ayoungI got the OTP part20:17
morganfainbergit's HMAC One Time Password20:17
ayoungas opposed to totp which is time based20:18
lbragstadright, so it's based on increments20:18
morganfainbergyep20:18
morganfainberghotp is still time-based, but it has an incrementing identifier each time you burn a token (create it)20:18
morganfainbergso your token + server need to be in sync (there is magic to try multiples from the server side to help limit "issues")20:19
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:19
ayoungOK...so last week, I realized we should unify role-assignements, trusts, and oauth all into one single delegation mechanism.  Tokens are kindof one of those two, but tokens are dumb and should just go away.  We should instead provide a mechanism for the users to authenticate to the services themselves, and provide a pointer to a delegation agreement20:19
ayoungif you were to think:  authenticate with X509 + trustID, you wouldn't be far off20:19
morganfainbergwe talked about this one right?20:20
ayoungKeystone gets out of the authentication business except for the case where Keystone is itself the IdP20:20
* morganfainberg tries to beat back jetlag20:20
*** r1chardj0n3s has left #openstack-keystone20:20
morganfainbergthis is all sounding *very* similar to about 3 conversations20:20
ayoungand for those cases, we use Barbiacn in CA mode to issue an X50920:20
morganfainberg1 of which was over congac20:20
gyeeheh20:20
ayoungWas not Cognac.  Amarac?20:21
gyeeI don't remember that conversation20:21
lbragstad+1 for "Bar Track Design Session"20:21
lbragstadwe fixed all the problems20:21
lbragstadbut we can't remember how...20:21
gyeedamn straight!20:21
ayoungArmagnac20:22
lbragstad:)20:22
morganfainbergayoung, well i drank plenty of both20:23
morganfainberglbragstad, #afterstack20:23
ayoungmorganfainberg, I cannot speak to the Cognac discussions then.  Only the Armagnac  one20:23
morganfainbergayoung, i think the armagnac was the second drink that night, you had beer prior and i cognac20:24
ayoungAh20:24
morganfainbergayoung, anyway20:24
morganfainbergfwiw i did get my whiskey fix as well ... just day 2 afterstack ;)20:24
ayoungAnyway, the only reason we have tokens as a proxy for authentication is because ...20:24
ayoungNIH?20:25
ayoungNIMH?20:25
morganfainbergwell 2 thinks.20:25
morganfainbergthings20:25
morganfainbergmaybe 320:25
ayoungLittle Speaking rats?20:25
morganfainberg1) We don't have a good story for conveying the AuthN information outside of our AuthZ mechanism [this is largely historical and original design]20:26
morganfainberg2) we already convey authz in a "workable" way (not good, but workable) so we imposed limits that made this proxy for authn reliable - think in the context of UUID tokens anyway to start20:26
morganfainberg3) backwards compat - we can't break the contract (can't remove this mechanism) in the very short term20:27
morganfainbergwe can provide a better alternative though.20:27
morganfainbergand i can't speak as to why it was done this way or not using some other standard/thing/something.  predates my working on OpenStack.20:28
ayounghmmm....OK.  1)  There are preexisting mechanisms for that.  If people care about security they should use them.  2)  Yes, but the assumptions for when it is workable have never been explicitly stated.  I think we've passed beyond them.  3)  We don't need to break in order to provide a better mechanism, but we should have a moritorium on new features for tokens20:33
ayoungBut here's a thought: A token is a delegation agreement.  Not really diffferent than a role assignment or a trust20:34
ayoungIf I ask Nova to boot a VM for me, It requires that I supply proof of an acceptable role assignment20:35
ayounganything that fulfills that proof should be acceptable20:35
ayoungIf I can authenticate to Nova, nova could even query Keystone for me20:35
*** david-lyle has joined #openstack-keystone20:36
morganfainbergayoung, you were asking why, i was providing my understanding of hte context of where we were and why20:36
ayoungmorganfainberg, it predates my involvement in Keystone as well, but I can deduce from what I know:  it started with a single password file for one service, and then the need to share the password between services.  As I recall, it was origianlly synchronized, and Keystone was the solution ot not copying the passwords around.20:37
morganfainbergsure.20:37
*** afazekas has joined #openstack-keystone20:38
gyeehey, tokens are mindnumbingly simple to use, isn't usability count for something? :)20:43
gyeejust saying20:43
ayounggyee, I think that is your way of saying you agree with me?20:46
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349420:47
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313020:47
rodrigodsstevemar, marekd, ^20:47
ayoungWe have this bizarre suspension of skepticism when it comes to tokens.  We don't just trust all of the service users, but then we blindly hand over tokens to them that have all powers for the users that request things20:47
morganfainbergayoung, you are right and i want that solved regardless of if we change tokens20:48
morganfainbergayoung, we *can* fix that even without ripping apart tokens20:49
ayoungmorganfainberg, part of the problem is this:  when a user goes direct to Nova,  we understand that Nova already has full power over its resources.  If it wanted to, it could kill all our VMs, create new ones, empty our quota, etc.  Delegation  Only comes in to play to convince Nova to do something on our behalf.20:49
morganfainbergayoung, but it's a crossproject thing20:49
morganfainbergayoung, it *might* be easier to rip apart tokens for it, just saying it's not the only way20:49
ayoungmorganfainberg, So,  there is certainly a place where tokens, even UUID tokens, are the most appropriate20:50
ayoungits for small, all in one deployments20:50
morganfainbergayoung, i'm not arguing with you ;)20:50
*** jamielennox|away is now known as jamielennox20:50
ayoungand they avoid all the need for larger infrastructure, etc20:50
ayoungthose cases could have been just as well handled by usind mod_auth_mysql20:51
ayoungor whatever it is called20:51
ayoungbut for eventlet....20:51
morganfainbergayoung, i think we're on the same page for the most part20:52
ayoungIt is the larger deployments that interest me20:52
ayoungand in the larger cases, deploying Kerberos or a CA is viable anyway20:52
morganfainbergand i think even in the medium cases it is likely as well20:52
ayoungyeah20:53
morganfainbergand if we have a super easy way to deploy <IDP>, it might be reasonable in the small cases as well. but we're talking down the line. solve the big cases and cascade it down20:53
ayoungSo If a user can authenticate to Nova directly, they probably should do so.20:53
morganfainbergsmall deployments are served fine as is20:53
morganfainbergok, so lets start small and build on this iteratively20:54
ayoungAnd then Keystone provides the authorization data...which is basically "this user has been delegated role R on project P20:54
morganfainbergyep.20:54
*** arunkant has joined #openstack-keystone20:55
ayoungso, lets staryt by unifying the delegation approach20:55
morganfainbergwhat are the steps we need to get there.20:55
ayoungtrusts are a model of what we want:  a chain from user to user of role delegations20:55
morganfainbergok, so oauth (the separate table/thing), trusts, and role assignments?20:55
ayoungso  when a role assignment happens, we start be keeping track of the trail20:55
openstackgerritLance Bragstad proposed a change to openstack/keystone: Move functional tests to keystone/tests/functional  https://review.openstack.org/13355620:55
lbragstadmarekd: stevemar ^20:55
ayoungall assignments are delegations20:56
lbragstadstevemar: marekd on the federation stuff, WIP so you can get an idea of what I'm doing20:56
morganfainbergayoung, great. can we make this a core part of assignment (leverage the "role assigment" api) not in os-trusts?20:56
ayoungand in order to do a delegation, you need to have the role being delegated20:56
ayoungyep20:56
morganfainbergperfect20:56
marekdlbragstad: thanks20:56
*** arunkant has quit IRC20:56
ayoungI think we want role inheritance first, so we can split a big role into multiple little ones20:57
morganfainbergwe can mark os-trusts as deprecated then, since there is an alternative (we will need to update heat to use the alternative etc)20:57
ayoungnot a hard requirement, but we'll want it soon20:57
ayoungotherwise we have to explicitly give the superadmin all of the roles we know about....20:57
morganfainbergayoung, lets have that come from henrynash's namespaced roles.20:57
morganfainbergayoung, since initially we're levering it as a "grouping" capable20:57
ayoungkindof,  but his is even more specific20:57
morganfainberglets just work to make that the base construct across the board20:57
ayoungI think inheritnace is more basic, and namespaced builds on it20:58
morganfainbergso we don't have 2 ways we do the permission -> role X -> role-including-role-X20:58
morganfainbergbut it can be the *same* internal structures20:58
morganfainbergjust who "owns20:58
morganfainberg" the namespaced role is the difference.20:59
ayounglets push namespaced roles to the side for a moment.  I think they are a distraction right now.   We'll come back to them in a bit20:59
ayounglets start with where we are now20:59
ayoung1.  we start with an inventory of capabilties21:00
morganfainbergayoung, my point was, lets make namespaced dependent on this, not separate - meaning it pushes namespaced to an easy addon21:00
ayoungagreed21:00
ayoungso the inventory  can be done now21:00
morganfainbergbut the "inherited" / "Hierarchical Roles" can be done separate from the delegation bit you're talking about21:00
ayoungwith the caveat that we need to make sure we catch new things as they are added21:00
ayoungI don't think so.. hear me out21:00
morganfainbergtrying to keep the work isolated to workable bits and not lumped onto you, me, or henry exclusively21:00
morganfainbergetc21:01
ayoungI think the inheritance thing needs to be first21:01
ayoungit can be really simple in a first implementation21:01
*** gyee has quit IRC21:01
ayoungbecause once we have the mechanisms, it gets much easier to morph21:01
ayounglets say we have two roles, like we do today21:01
ayoungadmin and member21:01
ayoungmember can do a bunch of things, but admin can do all that and more21:02
ayoungso we start by mapping cpabilities to member, and the rest to admin, and saying that admin inherits from member21:02
ayoungSo we have a three level hierarchy:  admin, member, individual capability21:03
morganfainbergmy biggest concern is i don't want to block the delegation work - it will be largely the same code - on cataloging the capabilities21:03
morganfainbergand capturing new capabilities21:03
ayoungI think we can parallelize, so long as we all understand where we are going21:03
ayoungI'm pulling this all together into a document, but it is getting big....21:04
morganfainbergthats fine, again i *think* this can be done without blocking one side for the other except at certain merge points.21:04
ayoungOnce I have the overall picture, we'll see finer and finer tasks that can be chipped off and implemented21:04
ayoungOne question is whether to start by putting the implied roles in the token, and then moving that to the policy file once we have a mechanism for generating the policy file21:05
morganfainbergi think that is a call we can make, again, separate from the other code.21:06
ayoungnamespaced roles will be tricky without the ability to compose them out of finer scoped roles...otherwise, the namespaced roles will end up in the policy file21:06
morganfainbergwe already said the initial implementation of the namespaced roles will resolve to the underlying roles21:06
ayoungAnd I don't think we want full expansion of the role hierarchy in each token21:06
morganfainbergand we can't split a capability off the underlying role21:06
ayoungSo we create an implicit role for each capability?21:07
morganfainbergit still relies on a rich role definition frmo the deployer to start21:07
morganfainbergyou could.21:07
*** topol has quit IRC21:07
*** raildo is now known as raildo_away21:08
morganfainbergand the best part is it allows the deployer to even create the same effect the current admin/member role is today and communicate how to use the better role system21:08
ayoungmorganfainberg, I did post the three-in-one review for policy here https://review.openstack.org/#/c/133480/21:09
morganfainbergthis is laying out the stepping stones to get us in the right place without breaking anyone.21:09
ayoungMaybe I should collect up all of the specs on policy into one review21:09
morganfainbergdon't do that.21:09
morganfainbergplease.21:09
ayounghttps://review.openstack.org/#/c/125704/  is the other one21:09
morganfainbergmake it a chain if they are dependent21:09
ayoungI'm not yet certain of the dependencies, or if they can be parallelized21:10
morganfainbergi can already say i am happy to comment but wont approve (and will block approval) if they are in all one review21:10
morganfainbergthey *should* be separate reviews21:10
ayoungthat is fine, and I can split them out when it makes sense to do so...wasn't even sure if they should be separate specs21:10
morganfainbergyeah.21:10
morganfainberggood for comment to start21:11
morganfainbergi also expect to spend most of tomorrow writting up the summaries of the summit.21:11
*** sigmavirus24 is now known as sigmavirus24_awa21:11
*** sigmavirus24_awa is now known as sigmavirus2421:12
morganfainbergso we'll have that as well. some of this will be included in that summary21:12
ayoungmorganfainberg, actually, when you (others) do review, the ordering between the specs is probably one thing that you should evalutate21:12
morganfainbergayoung, thats fine.21:12
ayoungI think the ordering is something like this:21:12
ayoungenforce policy in library is first21:12
ayoungfetch policy from keystone by that library is second21:13
ayoungunified policy file is third, but might be a requirement for the second step to be viable21:13
morganfainbergreminds me i need to ask dhellmann about timeline for fileutils to move out of incubator21:13
morganfainberg*and* if we need to split oslo.config dep off oslo.policy [To be renamed]21:13
ayounggenerating policy file from Keystone is a possible fourth, and then hierarchical roles to feed in to that21:14
morganfainbergso uh.. dhellmann ^ ;)21:14
ayoungonce we have those..."maintaing the delegation chain on role assignemnts" would be next21:14
ayoungunifying trust with role assignements would follow after that21:15
ayoungI don't think we would delegate trusts, though.  Just make them an alternate mechanism for a temporary role assignment21:15
ayoungif "maintain the delegation chain on role assignments"  gives each delegation a unique identifier, we could replace "call with a token" with "call with full authentication and delegation agreement"21:17
morganfainbergayoung, i think trusts disappear21:17
ayoungand by replace I mean "either/or"21:17
morganfainbergayoung, we just cant remove them until everyone is on the new system21:17
morganfainbergwho is doing the redelegation work, cause that work doesn't go into trusts in this case.21:18
ayoungmorganfainberg, so long as any thing we do with trusts can be handled by the role assignment/delegation system, sure21:18
morganfainbergayoung, hm. impersonation *might* be the one feature we leave to trusts.21:18
morganfainbergayoung, not sure how that fits into delegation.21:18
ayoungugh,  that might be all that trusts do...and then I 'd *want* to deprecate them21:19
ayoungbut...maybe we won't need it by then21:19
morganfainbergayoung, it's the only thing i can think of that doesn't line in with the delegation plans21:19
ayoungonce we have that, we've given people a mechanism for authorization for long lived tasks21:20
ayoungand a unified one at that21:20
morganfainbergand i'm fine with that being a trust-only thing. if we find it is still heavily uses/has a place we can then look at moving it over somehow so trusts can actually go away21:20
ayoungI wonder if we could sweep all of this into "tokens"  somehow21:20
ayounglike the tokenid is the delegation agreement21:20
morganfainbergnow you're scaring me21:20
morganfainberg:P21:21
ayoungand we distinguish between tokens with expiry and authentication data in them21:21
morganfainberglets not jump to that yet.21:21
morganfainberglets get the base stuff done and then look at building on top of it21:21
ayoungWe need gyee to finish off the X509 stuff he was working on21:22
ayoungIU think that is the baseline authentication mechanism for the service users21:22
morganfainbergayoung, again, does not block anything we've talked about (the simple/basic stuff)21:22
ayoungagreed...parallel21:23
morganfainbergayoung, so we can move forward on these fronts.21:23
ayoungjust needed to have a minimal viable product21:23
*** nellysmitt has quit IRC21:28
*** gyee has joined #openstack-keystone21:32
*** nellysmitt has joined #openstack-keystone21:35
ayoungjamielennox, does pecan replace the paste.ini approach?21:42
*** afazekas is now known as __afazekas21:43
*** joesavak has quit IRC21:45
*** _cjones_ has quit IRC21:46
*** _cjones_ has joined #openstack-keystone21:46
*** Viswanath_ has joined #openstack-keystone21:51
*** Viswanath has joined #openstack-keystone21:51
jamielennoxayoung: no21:53
*** Viswanath_ has quit IRC21:53
*** Viswanath has quit IRC21:54
ayoungjamielennox, ok.  I was looking at some limitations of paste, wondering if they were worth working around:21:54
jamielennoxit can and IMO should replace some of it - however it doesn't have to21:54
ayoungjamielennox, specifically, the number of places where we duplicate the long list of filters21:54
jamielennoxayoung: i think that's something that you can fix21:54
jamielennoxpaste has some form of grouping i think21:54
ayoungeach of the pipelines have:  standard-filters sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body21:55
ayoungsome with v3, but still...21:55
jamielennoxright, and so some of that is what i would like to rip out of paste21:55
ayoungI was writing a filter that was a filter_list21:55
jamielennoxif you remove some of those filters then the whole process doesn't work - that breaks my definition of middleware and should be handle by keystone itself21:56
ayoungbut paste doesn't expose the details of what is configured21:56
ayoungI don't want to remove them, just have something like this:21:56
jamielennoxayoung: yep, i had some issue with paste and trying to reach back up21:56
ayoung[filter:filter_list]21:56
ayoungfilters =  standard-filters sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body21:57
ayoungthen in a pipeline21:57
jamielennoxyou can subclass the paste builder class and make one that will give you what you need - and at which point i gave up on fixing paste21:57
ayoungpipeline = standard-filters   public_service21:57
ayoungnone of our filters accept config parameters, so I could make it work21:58
ayoungbut then I wanted to make a filter with config values for content_types21:58
ayoungso you would specify which class to use for json, html, xml....21:58
*** ayoung is now known as ayoung-dadmode22:01
*** aix has joined #openstack-keystone22:02
jamielennoxayoung-dadmode: i don't know how to do that with paste22:04
morganfainbergjamielennox, i think it's likely the wrong approach.22:04
jamielennoxmorganfainberg: as i said, if you start removing some of those middlewares from  paste then keystone starts to act very strangely22:05
morganfainbergjamielennox, i think the right approach is to use accepts headers and make it a set of renderers, i hear that is kindof how pecan worked [haven't looked]22:05
jamielennoxby my defintion that means it doesn't belong in paste22:05
morganfainbergand stevedore for the *actual* provider22:05
jamielennoxmorganfainberg: yes, that's more of less how it works22:05
jamielennoxgenerally you specify it as a decorator per function though22:05
morganfainbergah. sure.22:05
morganfainbergthats fine.22:06
jamielennoxit makes sense if you think that JSON is generally not the default returned, normally it sends out to some html renderer22:06
morganfainberganyway, i think the whole "tokens are a pipeline" in the sense of "paste pipeline" is wrong22:06
jamielennoxin the patch i did at least i hacked my own renderer to do some compatibility stuff - so we can do whatever we like there22:06
jamielennoxummm22:06
morganfainbergespecially considering the talking we did at the summit (and more importantly this discussion)22:06
jamielennoxnot sure - but in general you shouldn't do it _via_ paste22:07
morganfainbergright.22:07
morganfainbergi was referring to ayoung's implementation he's trying to do.22:07
jamielennoxi don't care either way on the pipeline thing, that's been in discussion for a while22:07
morganfainbergthe filters are *not* optional22:07
morganfainbergif they aren't optional, they shouldn't be configured as such22:07
jamielennoxif you can break down the process into enough 'providers' then it shouldn't matter22:07
jamielennoxmorganfainberg: ++22:07
*** lbragstad_ has joined #openstack-keystone22:19
*** Viswanath has joined #openstack-keystone22:25
rodrigodsneeding reviews in some patches with a +2 already... candidates? hehe22:27
*** Viswanath has quit IRC22:28
gyeerodrigods, which one22:38
*** shakamunyi has joined #openstack-keystone22:39
rodrigodsgyee, \o/ https://review.openstack.org/#/c/131319/22:39
gyeejamielennox, whenever you have a chance, https://review.openstack.org/#/c/105900/22:39
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349422:43
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313022:43
rodrigodsmarekd, stevemar, ^22:43
marekdok22:43
rodrigodsgyee, https://review.openstack.org/#/c/132311/ that one is well, minor one =P22:44
*** nellysmitt has quit IRC22:44
*** lbragstad_ has quit IRC22:49
rodrigodsgyee, thanks!!!22:50
*** jistr has quit IRC22:51
*** lbragstad_ has joined #openstack-keystone22:52
jamielennoxgyee: set +1, i haven't had a chance to actually run it but he's addressed what i was concerned about22:53
jamielennoxanything left is minor and can be addressed later22:53
gyeejamielennox, thanks22:54
gyeeyeah, followon patch22:54
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient-federation: Updated from global requirements  https://review.openstack.org/13357023:04
openstackgerritLance Bragstad proposed a change to openstack/keystone: Move functional tests to keystone/tests/functional  https://review.openstack.org/13355623:04
morganfainberglbragstad, i like that change ^ cause it's minimal just shuffling things around23:07
morganfainberglbragstad, however...23:08
morganfainberglbragstad, please don't use nose as a default test runner.23:09
morganfainberglbragstad, unless there really is no other way.23:09
lbragstadmorganfainberg: gotcha, I saw that it was being used for the py3* testing23:09
morganfainbergyeah23:10
morganfainbergpy3 is a special case... and should likewise be converted to testr if possible23:10
lbragstadcan we pass in that location (keystone/tests/functional/) with something else?23:10
lbragstador testr?23:10
morganfainberglbragstad, yeah there is a way to convince subunit to do it (what testr uses)23:10
morganfainberglbragstad, it'll be related to https://testrepository.readthedocs.org/en/latest/MANUAL.html#listing-tests23:11
morganfainberglbragstad, give me a moment and i'll have a real answer for you23:12
lbragstadmorganfainberg: yeah, I tried parsing that doc but couldn't come up with something simple enough23:12
morganfainberglbragstad, https://github.com/openstack/neutron/blob/master/tox.ini#L24-L2723:12
lbragstadmorganfainberg: gotcha, I saw that23:12
lbragstadwe'll have to sync lockutils.23:13
morganfainbergand: https://github.com/openstack/neutron/blob/master/tox.ini#L29-L36 need to see how OS_TEST_PATH works23:13
morganfainbergnah23:13
morganfainberglockutils is just loaded cause thier tests require it - ours don't (at the moment)23:13
morganfainbergthey use it for synchronising against db schemas or some such23:13
lbragstadah23:13
morganfainbergsee https://github.com/openstack/neutron/blob/master/tox.ini#L1623:14
morganfainbergtheir base testenv uses it too23:14
morganfainbergso you'll need to see how OS_TEST_PATH is handled in neutron's test framework23:14
morganfainbergbut.. that is basically what they're doing.23:14
*** nkinder has quit IRC23:15
*** zzzeek has quit IRC23:18
*** shakamunyi has quit IRC23:18
*** henrynash has quit IRC23:19
openstackgerritLance Bragstad proposed a change to openstack/keystone: Move functional tests to keystone/tests/functional  https://review.openstack.org/13355623:22
lbragstadmorganfainberg: ^ better ?23:22
*** thedodd has quit IRC23:30
*** dims has quit IRC23:36
*** dims has joined #openstack-keystone23:37
*** zzzeek has joined #openstack-keystone23:39
*** sigmavirus24 is now known as sigmavirus24_awa23:43
*** _cjones_ has quit IRC23:50
*** kobtea has joined #openstack-keystone23:50
*** _cjones_ has joined #openstack-keystone23:50
openstackgerritA change was merged to openstack/keystone: Change ca to uppercase in keystone.conf  https://review.openstack.org/13231123:51
openstackgerritA change was merged to openstack/keystone: Doc about deleting a domain specific backend domain  https://review.openstack.org/13131923:51
*** _cjones_ has quit IRC23:55
*** esp has left #openstack-keystone23:56
« Sunday, 2014-11-09 Index Tuesday, 2014-11-11 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!