Tuesday, 2014-11-11

*** kobtea has quit IRC [00:02]
*** marcoemorais1 has joined #openstack-keystone [00:02]
*** marcoemorais1 has quit IRC [00:02]
*** marcoemorais1 has joined #openstack-keystone [00:03]
*** david-lyle is now known as david-lyle_afk [00:03]
*** marcoemorais has quit IRC [00:05]
<jamielennox> turns out i don't have a straight usb keyboard anywhere in my house... i'd almost be proud of that if i didn't need one right now.... [00:05]
*** nkinder has joined #openstack-keystone [00:09]
*** marcoemorais1 has quit IRC [00:15]
*** marcoemorais has joined #openstack-keystone [00:15]
*** dims has quit IRC [00:16]
*** boris-42 has quit IRC [00:17]
*** diegows has quit IRC [00:29]
*** dstanek has quit IRC [00:31]
*** dstanek has joined #openstack-keystone [00:35]
*** marcoemorais has quit IRC [00:35]
*** marcoemorais has joined #openstack-keystone [00:36]
*** marcoemorais has quit IRC [00:36]
*** marcoemorais has joined #openstack-keystone [00:36]
*** marcoemorais has quit IRC [00:37]
*** marcoemorais has joined #openstack-keystone [00:37]
*** marcoemorais has quit IRC [00:50]
*** marcoemorais has joined #openstack-keystone [00:50]
<stevemar> jamielennox, what kind of keyboards did you have?!? the old style? (ps2 or something?) [00:51]
*** zzzeek has quit IRC [00:51]
<stevemar> dtroyer, around? [00:54]
*** dims has joined #openstack-keystone [00:59]
*** jaosorior has quit IRC [01:03]
*** zzzeek has joined #openstack-keystone [01:05]
*** esp has joined #openstack-keystone [01:05]
*** zzzeek has quit IRC [01:06]
<dtroyer> stevemar: in and out [01:08]
<stevemar> dtroyer, same. was wondering if you had a theory on why this was failing devstack: https://review.openstack.org/#/c/67029/ [01:09]
<stevemar> the log message is very weird... considering a bunch of other commands had worked until sahara [01:10]
*** dims has quit IRC [01:14]
*** sigmavirus24_awa is now known as sigmavirus24 [01:18]
*** amerine has quit IRC [01:21]
*** Guest47013 has joined #openstack-keystone [01:29]
*** boris-42 has joined #openstack-keystone [01:44]
*** ctracey has quit IRC [01:56]
*** ctracey has joined #openstack-keystone [01:56]
*** gsilvis_ has joined #openstack-keystone [01:58]
*** fifieldt has joined #openstack-keystone [01:59]
*** gsilvis has quit IRC [02:00]
*** radez_g0` has joined #openstack-keystone [02:10]
*** jdennis1 has joined #openstack-keystone [02:10]
*** radez_g0n3 has quit IRC [02:10]
*** jdennis has quit IRC [02:10]
*** junhongl has quit IRC [02:10]
*** gyee has quit IRC [02:14]
*** mitz_ has joined #openstack-keystone [02:14]
*** jdennis1 has quit IRC [02:14]
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Move functional tests to keystone/tests/functional  https://review.openstack.org/133556 [02:16]
<jamielennox> stevemar: yea, made a grub screw up and need to modify boot, went looking for my old debugging keyboard and found it was ps2q [02:17]
<jamielennox> ps2 [02:17]
*** junhongl has joined #openstack-keystone [02:17]
<stevemar> jamielennox, did it have the old spring loaded keys?! [02:18]
<jamielennox> stevemar: no - it wasn't a good old keyboard - just old [02:19]
<jamielennox> just bought a crappy $10 one [02:20]
<jamielennox> all i needed to do was ESC at grub and change the default value [02:20]
<lbragstad> stevemar: nice catch on the docs for functional testing [02:20]
*** Guest47013 has quit IRC [02:20]
*** zzzeek has joined #openstack-keystone [02:20]
<stevemar> lbragstad, np bob [02:22]
*** Viswanath has joined #openstack-keystone [02:23]
*** marcoemorais has quit IRC [02:26]
*** Viswanath has quit IRC [02:26]
*** jdennis has joined #openstack-keystone [02:32]
*** jdennis has quit IRC [02:40]
*** gsilvis_ is now known as gsilvis [03:07]
*** thedodd has joined #openstack-keystone [03:19]
*** richm has quit IRC [03:29]
*** dims has joined #openstack-keystone [03:45]
*** zzzeek has quit IRC [03:46]
*** shakamunyi has joined #openstack-keystone [04:04]
*** shakamun_ has joined #openstack-keystone [04:45]
*** shakamunyi has quit IRC [04:49]
*** saipandi has quit IRC [04:51]
*** nikunj2512 has joined #openstack-keystone [04:57]
*** Dafna has quit IRC [04:58]
*** sigmavirus24 is now known as sigmavirus24_awa [05:04]
*** stevemar2 has joined #openstack-keystone [05:09]
*** amerine has joined #openstack-keystone [05:12]
*** stevemar has quit IRC [05:13]
*** thedodd has quit IRC [05:14]
*** marcoemorais has joined #openstack-keystone [05:36]
*** boris-42 has quit IRC [05:37]
*** marcoemorais1 has joined #openstack-keystone [05:38]
*** k4n0 has joined #openstack-keystone [05:39]
*** marcoemorais has quit IRC [05:41]
*** amerine has quit IRC [05:49]
*** amerine has joined #openstack-keystone [06:02]
*** ukalifon1 has joined #openstack-keystone [06:18]
*** junhongl has quit IRC [06:29]
*** junhongl has joined #openstack-keystone [06:30]
*** ajayaa has joined #openstack-keystone [06:40]
*** amerine has quit IRC [06:57]
<stevemar2> jamielennox, ping [07:25]
*** nellysmitt has joined #openstack-keystone [07:26]
*** adam_g` has joined #openstack-keystone [07:33]
*** adam_g has quit IRC [07:38]
*** afazekas has joined #openstack-keystone [07:45]
*** amcrn has quit IRC [07:45]
<openstackgerrit> Dave Chen proposed a change to openstack/keystone: Add unexcepted entity checking logic  https://review.openstack.org/133625 [07:48]
*** stevemar2 has quit IRC [07:59]
*** stevemar has joined #openstack-keystone [07:59]
*** ukalifon1 has quit IRC [08:03]
*** jaosorior has joined #openstack-keystone [08:07]
<openstackgerrit> Dave Chen proposed a change to openstack/keystone: Add new "RoleAssignment" exception  https://review.openstack.org/133628 [08:35]
<jamielennox> stevemar: kind of - tomorrow is better [08:35]
*** ukalifon1 has joined #openstack-keystone [08:45]
*** ajayaa has quit IRC [08:54]
*** jistr has joined #openstack-keystone [08:59]
*** Dafna has joined #openstack-keystone [09:19]
*** aix has quit IRC [09:25]
*** henrynash has joined #openstack-keystone [09:26]
<rodrigods> henrynash, ping [09:28]
<henrynash> rodigods: hi [09:28]
*** nikunj2512 has left #openstack-keystone [09:28]
<rodrigods> henrynash, need your eyes at some reviews, whenever you have a moment [09:28]
<henrynash> rodigods: sure [09:29]
<henrynash> rodigods: I’ll get on them this morning [09:29]
<rodrigods> henrynash, https://review.openstack.org/#/c/132143/ and https://review.openstack.org/#/c/130103/ [09:29]
<henrynash> rodigods: ok [09:29]
<rodrigods> henrynash, thanks! [09:29]
*** junhongl has quit IRC [09:29]
*** junhongl has joined #openstack-keystone [09:30]
*** aix has joined #openstack-keystone [09:51]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone: Doc about specifying domains in domains specific backends  https://review.openstack.org/132143 [10:04]
*** aix has quit IRC [10:04]
*** boris-42 has joined #openstack-keystone [10:11]
*** aix has joined #openstack-keystone [10:18]
*** josecastroleon has quit IRC [10:21]
*** josecastroleon has joined #openstack-keystone [10:23]
*** amirosh has joined #openstack-keystone [10:34]
*** amirosh has quit IRC [10:35]
*** marcoemorais1 has quit IRC [10:42]
*** diegows has joined #openstack-keystone [11:36]
*** ajayaa has joined #openstack-keystone [11:42]
*** amirosh has joined #openstack-keystone [11:53]
*** amirosh has quit IRC [11:53]
*** amirosh has joined #openstack-keystone [11:53]
*** samuelms has joined #openstack-keystone [11:54]
*** dims has quit IRC [12:13]
*** dims has joined #openstack-keystone [12:13]
*** amakarov_away is now known as amakarov [12:16]
<rodrigods> henrynash, will ping you later about the domain-specific error [12:17]
*** amirosh_ has joined #openstack-keystone [12:21]
*** amirosh has quit IRC [12:21]
*** jistr is now known as jistr|english [12:23]
*** amirosh_ has quit IRC [12:23]
*** amirosh has joined #openstack-keystone [12:24]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Allow for REMOTE_USER name in federation mapping  https://review.openstack.org/133037 [12:25]
*** amirosh_ has joined #openstack-keystone [12:26]
*** amirosh has quit IRC [12:26]
*** amirosh_ has quit IRC [12:28]
*** afaranha has joined #openstack-keystone [12:28]
*** amirosh has joined #openstack-keystone [12:28]
<marekd> mflobo: hey, can we abandon it? I think it is already on cernops github repository, right? [12:34]
<marekd> mflobo: https://review.openstack.org/#/c/106096/ [12:34]
*** raildo_away is now known as raildo [12:35]
<openstackgerrit> Dave Chen proposed a change to openstack/keystone: Add unexcepted entity checking logic  https://review.openstack.org/133625 [12:42]
<openstackgerrit> Marek Denis proposed a change to openstack/identity-api: Add REMOTE_USER mapping info in federation docs.  https://review.openstack.org/133671 [12:54]
<openstackgerrit> Marek Denis proposed a change to openstack/identity-api: Add REMOTE_USER mapping info in federation docs.  https://review.openstack.org/133671 [12:55]
<openstackgerrit> Dave Chen proposed a change to openstack/keystone: Add new "RoleAssignment" exception  https://review.openstack.org/133628 [12:56]
*** pc-m has quit IRC [12:59]
*** pc-m1 has joined #openstack-keystone [13:00]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone-specs: Add REMOTE_USER mapping info in federation docs.  https://review.openstack.org/133674 [13:03]
*** amirosh has quit IRC [13:14]
*** amirosh has joined #openstack-keystone [13:14]
*** nellysmitt has quit IRC [13:15]
<mflobo> marekd, yes, we can [13:18]
<mflobo> marekd, do you have a better solution for this? [13:19]
<marekd> mflobo: not yet, but i'd rather start with a new patch... [13:19]
<marekd> mflobo: https://review.openstack.org/#/c/133529/1/specs/kilo/websso-portal.rst [13:20]
<mflobo> marekd, ok, go for it! ;) [13:20]
*** bearhands is now known as comstud [13:22]
*** amirosh has quit IRC [13:26]
*** amirosh has joined #openstack-keystone [13:27]
*** topol has joined #openstack-keystone [13:32]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Allow for REMOTE_USER name in federation mapping  https://review.openstack.org/133037 [13:41]
<rodrigods> henrynash, ping [13:42]
<henrynash> rodigods: hi [13:43]
<rodrigods> henrynash, ++ to use a clear param like subtree_as_list [13:43]
<raildo> ++ too [13:43]
<rodrigods> are you ok with having the pure ?subtree in a following spec/patches? [13:43]
<henrynash> rodigods: yes, that was my thought….let’s not “use up” the pure ?subtree option….we can keep that for a follow on patch [13:44]
<rodrigods> henrynash, ++ [13:44]
*** topol has quit IRC [13:44]
<rodrigods> henrynash, will update the API and the code patch [13:44]
<rodrigods> thanks [13:44]
<raildo> henrynash, i'll describe this in the new spec for HM [13:45]
<henrynash> rodigods: ok, with that change, I’m fine to +2 the api doc [13:45]
*** ajayaa has quit IRC [13:45]
*** richm has joined #openstack-keystone [13:47]
<openstackgerrit> Andre Aranha proposed a change to openstack/keystone: Creating a policy sample  https://review.openstack.org/123509 [13:50]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy  https://review.openstack.org/130103 [13:50]
<openstackgerrit> Rodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects  https://review.openstack.org/130277 [13:50]
<rodrigods> henrynash, ayoung-dadmode, morganfainberg ^ [13:51]
*** ayoung-dadmode has quit IRC [13:59]
<henrynash> rodigods: question…how are you going to actually merge in the hierarchy code? it’s in its own tree, I believe…do you know what the process is to merge that into master? [14:01]
*** samuelms has quit IRC [14:01]
*** Dafna has quit IRC [14:02]
*** samuelms has joined #openstack-keystone [14:02]
*** jistr|english is now known as jistr [14:02]
<henrynash> rodigods: it would be nice if we merged it on top of: https://review.openstack.org/#/c/133525/ but I don’t know how easy that would be? [14:03]
*** jdennis has joined #openstack-keystone [14:04]
*** Dafna has joined #openstack-keystone [14:04]
*** sigmavirus24_awa is now known as sigmavirus24 [14:12]
*** dims has quit IRC [14:13]
*** dims has joined #openstack-keystone [14:14]
*** nkinder has quit IRC [14:16]
*** pc-m1 is now known as pc-m [14:16]
*** vejdmn has joined #openstack-keystone [14:19]
*** sergey_ has quit IRC [14:24]
*** gokrokve has joined #openstack-keystone [14:29]
*** joesavak has joined #openstack-keystone [14:34]
*** ayoung has joined #openstack-keystone [14:49]
*** stevemar has quit IRC [14:51]
*** openstackgerrit has quit IRC [14:55]
*** ukalifon2 has joined #openstack-keystone [14:57]
*** topol has joined #openstack-keystone [14:57]
*** ukalifon5 has joined #openstack-keystone [14:58]
*** ukalifon1 has quit IRC [14:58]
*** nkinder has joined #openstack-keystone [15:00]
*** ukalifon2 has quit IRC [15:01]
*** amirosh has quit IRC [15:07]
*** zzzeek has joined #openstack-keystone [15:17]
*** tellesnobrega_ has joined #openstack-keystone [15:18]
*** marcoemorais has joined #openstack-keystone [15:19]
*** tellesnobrega_ has quit IRC [15:20]
*** marcoemorais1 has joined #openstack-keystone [15:23]
*** marcoemorais has quit IRC [15:26]
*** k4n0 has quit IRC [15:27]
*** ukalifon5 has quit IRC [15:31]
*** vejdmn has quit IRC [15:36]
*** gokrokve_ has joined #openstack-keystone [15:44]
*** gokrokve has quit IRC [15:47]
*** stevemar has joined #openstack-keystone [15:51]
*** afazekas has quit IRC [15:57]
*** thedodd has joined #openstack-keystone [15:57]
*** stevemar has quit IRC [16:00]
*** stevemar has joined #openstack-keystone [16:00]
*** wwriverrat has joined #openstack-keystone [16:01]
*** thedodd has quit IRC [16:05]
*** david-lyle_afk is now known as david-lyle [16:06]
*** bdossant has joined #openstack-keystone [16:17]
*** nellysmitt has joined #openstack-keystone [16:21]
*** david-lyle is now known as david-lyle_afk [16:21]
<rodrigods> henrynash, the merge process is not clear for us too... [16:21]
<rodrigods> henrynash, to put that review as dependency, we would need to create an additional review for the branch [16:22]
*** wwriverrat has left #openstack-keystone [16:22]
*** david-lyle_afk is now known as david-lyle [16:25]
<ayoung> stevemar, marekd on https://review.openstack.org/#/c/133037/6  the question is:  if REMOTE_USER is set, what does it map to in the Keystone view of things.  I can see it being one of three things...at least: [16:27]
<ayoung> 1.  User name, 2 UserId,  3....something with one or both of those embedded and also something to select domain [16:28]
<ayoung> rodrigods, did my last message make it up? [16:28]
<ayoung> rodrigods, at the summit we discussed renaming  "Inherited Roles to Projects"  to "Inherited Role Assignments" [16:29]
*** david-lyle is now known as david-lyle_afk [16:30]
*** david-lyle_afk is now known as david-lyle [16:30]
<rodrigods> ayoung, ++ will update it [16:33]
*** pc-m has quit IRC [16:33]
<ayoung> rodrigods, BTW, take a look at the hierarchical roles spec, as I think it will give us project-specific-roles [16:33]
*** marcoemorais1 has quit IRC [16:34]
<ayoung> I think we need to go in the following order: [16:34]
<ayoung> 1.  enforce policy from a library (keystoneclient or comparable) [16:34]
<ayoung> 2.  Fetch policy from Keystone based on endpoint [16:34]
<ayoung> 3.  Unified policy file for default [16:34]
<ayoung> 4.  Generate policy from a DB schema [16:35]
<ayoung> 5.  hierarchical roles [16:35]
*** pc-m has joined #openstack-keystone [16:36]
*** david-lyle is now known as david-lyle_afk [16:37]
*** david-lyle_afk is now known as david-lyle [16:37]
<rodrigods> ayoung, looks like a good plan [16:37]
<ayoung> rodrigods, thanks.  Care to implement it for me? [16:38]
<rodrigods> ayoung, haha I can absolutely help with a couple of them [16:38]
<ayoung> sounds good. [16:38]
*** amerine has joined #openstack-keystone [16:39]
<ayoung> rodrigods, once we have hierarchical (and the generation of the policy file)  we can implicitly convert private/namespaced roles to public ones [16:39]
* rodrigods pretends that is following ayoung [16:40]
*** stevemar2 has joined #openstack-keystone [16:41]
<ayoung> rodrigods, so all roles need to resolve down to something....the API where policy is enforced.  A Role can be seen as a collection of those [16:41]
<rodrigods> ayoung, ... [16:42]
<ayoung> rodrigods, ok, let me pull up the nova policy file for an example [16:42]
<rodrigods> rodrigods, ok [16:43]
<rodrigods> ayoung, * [16:43]
*** gokrokve has joined #openstack-keystone [16:43]
<ayoung> https://github.com/openstack/nova/blob/master/etc/nova/policy.json [16:43]
<rodrigods> ok [16:43]
<ayoung> rodrigods, a huge number of those are:  admin_api  or admin_or_owner, right? [16:43]
<rodrigods> right [16:44]
*** stevemar has quit IRC [16:44]
<ayoung> rodrigods, so lets start with "admin_or_owner" [16:44]
<rodrigods> ... [16:44]
<ayoung> owner means "user_has_role_on_project"  I think [16:44]
<ayoung> "admin_or_owner": "is_admin:True or project_id:%(project_id)s", [16:45]
<ayoung> so any role is viable.  lets call that the member role. [16:45]
<ayoung> Now, if admin inherits member,  that could be written like this: [16:45]
<ayoung> admin implies member.  member implies [compute:v3:servers:start, compute:v3:servers:stop ....] [16:46]
<rodrigods> ayoung, hmmm [16:46]
<rodrigods> right [16:46]
<ayoung> lets say we want to make a more fine grained set of roles:  one for people that can affect change, and one for people that can only read values [16:46]
<ayoung> call em reader and writer for now [16:46]
*** gokrokve_ has quit IRC [16:46]
<ayoung> so reader could do something like: [16:46]
<marekd> ayoung: stevemar2: REMOTE_USER is simply user identifier value later mapped to user_id [16:46]
<marekd> some module set this shib by default too) [16:47]
<ayoung> "compute_extension:v3:os-aggregates:show": "rule:admin_api", [16:47]
<rodrigods> ayoung, yep, you can jump to the interesting part [16:47]
<ayoung> marekd, hold on...let me finish this one first.... [16:47]
<ayoung> rodrigods, and writer can do something like [16:47]
<ayoung> "compute_extension:v3:os-aggregates:update": "rule:admin_api", [16:47]
<marekd> ayoung: ok [16:47]
<ayoung> but writer implies reader, [16:47]
*** gokrokve has quit IRC [16:48]
<ayoung> so  at the lowest level, we define the operations that a role can perform, and build up a hierarchy. [16:48]
<ayoung> rodrigods, with me so far? [16:48]
<rodrigods> ayoung, yep [16:48]
*** tellesnobrega_ has joined #openstack-keystone [16:48]
*** tellesnobrega_ has quit IRC [16:49]
<ayoung> rodrigods, Ok, so we could generate this policy file if we had all of the roles in a database [16:49]
<ayoung> it would have to be restructured somewhat, but all of the "this role inherits from that role" could be rules at the top of the file [16:50]
<rodrigods> ayoung, yes [16:50]
<rodrigods> now I understand what you meant with "implicitly convert private/namespaced roles to public ones" [16:51]
<ayoung> So then a token would have the top level role, like Writer, and the policy engine would be responsible for translating that to individual APIs [16:51]
*** gokrokve has joined #openstack-keystone [16:51]
<ayoung> rodrigods, so private/namespaced roles probably should not be published in the policy file, but instead implicitly converted to something on the Keystone side [16:51]
<ayoung> so lets say the private role name is "supreme_dictator"  that gets translated to "writer plus auditor"  the token would show, instead, the writer and auditor roles [16:52]
*** tellesnobrega_ has joined #openstack-keystone [16:52]
*** Viswanath has joined #openstack-keystone [16:53]
<rodrigods> ayoung, hmm [16:53]
<ayoung> rodrigods, so davidchadwick has a researcher working for him named Ioram...I met him briefly at the summit.  He is going to be working on some of the Database side of this, but for analysis purposes [16:53]
<ayoung> I'd like to make his effort and this policy work into a coherent whole [16:54]
*** gokrokve has quit IRC [16:54]
*** gokrokve has joined #openstack-keystone [16:55]
*** jistr has quit IRC [16:55]
<rodrigods> ayoung, all right, let me know how I can help [16:56]
*** Viswanath has quit IRC [16:56]
<ayoung> rodrigods, I started by posting an initial set of specs.  They need to grow [16:56]
<ayoung> https://review.openstack.org/#/c/133480/  needs to be split [16:57]
<ayoung> https://review.openstack.org/#/c/125704/  needs to be updated to reflect the policy generation [16:57]
<ayoung> rodrigods, does this tie in with your interests and responsibilities? [16:58]
<rodrigods> ayoung, I'm always interested in contributing, can negotiate here some tasks, but if I don't succeed... There is also some free time (hacking time) =) [16:59]
<ayoung> rodrigods, so, the very first task is to get policy enforcement into a library. [16:59]
<rodrigods> ayoung, remove it from oslo? [16:59]
<ayoung> oslo policy.py is getting graduated to a library, and I think this stuff might live there [16:59]
<rodrigods> hmm [17:00]
*** rharwood has quit IRC [17:00]
<ayoung> not remove, but rather it is going to graduate, but be managed under the AAA (Keystone) program [17:00]
*** david-lyle is now known as david-lyle_afk [17:00]
*** david-lyle_afk is now known as david-lyle [17:00]
<rodrigods> you mean under keystone team responsibility ? [17:00]
<ayoung> yeah [17:00]
<ayoung> morganfainberg has some ideas on it. Something like:  it will be under our program, but you need to opt in in order to review it [17:01]
<ayoung> I've been the policy point-of-contact for Keystone in oslo for a while [17:01]
<morganfainberg> Basically what ayoung said [17:01]
<rodrigods> morganfainberg, ayoung, I'm in =) [17:02]
<ayoung> sounds good.  First off is the process to make it its own library [17:02]
<morganfainberg> The policy lib will have a separate core team such as pycadf. So it is possible to add people without them needing to know all of keystone. [17:03]
<ayoung> https://wiki.openstack.org/wiki/Oslo/CreatingANewLibrary#Graduating_a_Library_from_the_Incubator [17:03]
<morganfainberg> The process to become core will be the same as for any other project. [17:03]
<morganfainberg> ayoung: there are two blockers from graduating today I need to check with dhellmann on. [17:04]
<ayoung> morganfainberg, I'll let you manage that.  Let me know when you need me/others to engage [17:04]
<morganfainberg> Fileutils and oslo.config (possibly on config) [17:04]
<rodrigods> morganfainberg, ayoung, cool... So the graduating part is with morganfainberg ? [17:04]
<rodrigods> morganfainberg, ayoung, from my side... what is needed right now? [17:06]
<ayoung> morganfainberg, I'll start working on a spec for generating the policy file from a database schema [17:06]
<ayoung> rodrigods, keep on HMT for now, as that is as important, and closer to impl [17:06]
<ayoung> stay in the spec review process, and when we have something that needs implementing, you or others on your team can jump in and claim responsibility [17:06]
<raildo> ayoung, ++ [17:07]
<ayoung> rodrigods, my focus on implementation is going to be WebSSO for Federation, so I can't do this now [17:07]
<ayoung> so I need to be Tom Sawyer here [17:07]
<ayoung> and get other people to whitewash this particular fence [17:07]
<rodrigods> ayoung, that is another topic that me/the team has knowledge too [17:07]
*** tellesnobrega_ has quit IRC [17:08]
<henrynash> morganfainberg, dstanek, lbragstad, (plus any others): really want to move ahead with: https://review.openstack.org/#/c/129397/ the code also up for review at https://review.openstack.org/#/c/130954/12 …and want to try and get it in before we start landing too much into assignment…. [17:08]
<ayoung> rodrigods, so, I'm going to follow the lead of the CERN folks, and make a landing page in Keystone to allow selecting the IdP [17:08]
<ayoung> it requires some clean up of Keystone code that I have wanted to do for a while [17:08]
<lbragstad> henrynash: I added to my queue to review yesterday but ran out of time. I'll get to it today for sure [17:09]
<ayoung> marekd, OK...so REMOTE_USER.  Did you see jdennis 's proposal?  I think he covers a lot of the ugliness of mapping from Remote user to Keystone in his doc [17:09]
<henrynash> lbragstad: thx [17:09]
<samuelms> henrynash, tonight I am going to start the integration of the refactored list role assignment as dependency of your patch .. as we've discussed last week [17:09]
<henrynash> samuelms: cool! [17:09]
<ayoung> henrynash, BTW  read up on my conversation with rodrigods .  I think I laid out the steps we need to get to the private roles.... [17:10]
<henrynash> ayoung: was doing so… [17:10]
<ayoung> cool [17:10]
<rodrigods> ayoung, ++ [17:11]
<morganfainberg> henrynash: I'm getting breakfast and then I'm on code review for the rest of the morning. [17:11]
<ayoung> I think we need a database schema that will be used to generate the policy file.  It will start with the current Role table, but need to map all the way down to the policy-enforcement-points. [17:11]
<rodrigods> morganfainberg, you know that we have a great patch for you to review =) [17:11]
<henrynash> morganfainberg: I’d suggest making it a good breakfast! [17:12]
<morganfainberg> Croissant, eggs, coffee, and some cheese. [17:12]
<raildo> morganfainberg, paris feelings... [17:12]
*** marcoemorais has joined #openstack-keystone [17:13]
<morganfainberg> raildo: it's my normal breakfast in California ;) [17:13]
<rodrigods> ayoung, speaking of reviews... don't you want to check https://review.openstack.org/#/c/130103/ [17:13]
<raildo> morganfainberg, great breakfast :) [17:13]
<morganfainberg> Yesterday was avocado too [17:13]
<ayoung> rodrigods, I'd given it a once read-through already [17:13]
<ayoung> I think it is ok....had to think about parent-id vs domain id.... [17:14]
<rodrigods> ayoung, it has super powers now (a +2 from henrynash ) [17:14]
*** bdossant has quit IRC [17:14]
<raildo> ayoung, and if you can review this too: https://review.openstack.org/#/c/117300/ [17:14]
<ayoung> rodrigods, which makes me more cautious [17:14]
<rodrigods> haha [17:14]
<henrynash> samuelms: I think this is the one that you need to base off: https://review.openstack.org/#/c/132634/ [17:15]
<ayoung> OK...I'll +2. I think that we might need to go further, but nothing here ties us in to a bad idea. [17:15]
<henrynash> samuelms: unless you have changed anything in the one that is dependant on it: https://review.openstack.org/#/c/133525/ , but I doubt you have [17:15]
<rodrigods> ayoung, yay [17:15]
<ayoung> rodrigods, did you see my comments in there?  Domains are "cut points" in the hierarchy traversal [17:16]
<ayoung> potential cut points [17:16]
<ayoung> only traverse down to a domain....unless you explicitly have permissions to go further.  Only traverse up to the next level domain unless....etc [17:17]
<rodrigods> morganfainberg, it means that https://review.openstack.org/#/c/117786/ is free [17:17]
<rodrigods> ayoung, yep, we had a discussion about this topic today, BTW [17:17]
<rodrigods> we'll tie roles to domains, right? [17:17]
<morganfainberg> rodrigods: nice [17:18]
<ayoung> Yeah, tie roles to domains. [17:21]
*** lhcheng has joined #openstack-keystone [17:21]
*** thedodd has joined #openstack-keystone [17:21]
<samuelms> henrynash, no I haven't .. [17:21]
<samuelms> henrynash, it's ok to being based off on #132634 :) [17:22]
<stevemar2> henrynash, heads up https://bugs.launchpad.net/keystone/+bug/1391592 [17:23]
<uvirtbot> Launchpad bug 1391592 in keystone "multiple backend mapping generator fails with non-string ids" [Undecided,New] [17:23]
<morganfainberg> Omg Pasadena might get rain in a week! ;) [17:27]
<rodrigods> ayoung, I think this part is in the followon HM spec that raildo is starting to write [17:27]
*** gyee has joined #openstack-keystone [17:28]
<raildo> rodrigods, yes [17:29]
<raildo> gyee, ping [17:29]
<rodrigods> ayoung, BTW, the inherited_to_roles vs inherited_to_role_assignments has a bug already? [17:29]
<rodrigods> or henrynash [17:29]
<marekd> ayoung: i did see the thread, i didn't see the whole paper. [17:30]
*** lhcheng_ has joined #openstack-keystone [17:31]
*** lhcheng has quit IRC [17:34]
<morganfainberg> marekd: btw I hear the cern trip made people's day. Thanks for helping set that up!! [17:34]
<morganfainberg> marekd, stevemar2, rodrigods: so what fixes if any are immediately needed to make k2k work? Anything we have code for, does it work as is (no outstanding fixes)? [17:35]
<morganfainberg> jamielennox: let me know when you're awake. Want to know how that sdk discussion (re: 1.0/2.0 of keystoneclient) [17:37]
<stevemar2> morganfainberg, i think there is still some mix up with the SP region - the auth info doesn't appear in the service catalog, so when rodrigods was playing around with it, he just saved the value of it locally [17:37]
<morganfainberg> stevemar2: ok. Anything I can do to help get that fixed? I'd like to see k2k be fully working by k1 if possible / do we have a bug on that? [17:38]
<gyee> raildo, yes [17:39]
<rodrigods> morganfainberg, stevemar2, marekd for it to appear in the catalog, don't we need a service as well? [17:44]
<raildo> gyee, do you have time to review a patch for HM? :D https://review.openstack.org/#/c/117300/ [17:44]
<rodrigods> besides the region [17:44]
*** tellesnobrega_ has joined #openstack-keystone [17:45]
*** openstackgerrit has joined #openstack-keystone [17:47]
<stevemar2> morganfainberg, i think we just need a way to slot in other region data into the catalog [17:48]
<stevemar2> but i'm not sure we want to do that [17:48]
<rodrigods> stevemar2, I assumed the catalog is built by iterating in the services [17:51]
<rodrigods> (just because of how it looks =) ) [17:51]
<raildo> morganfainberg, ayoung we have a slot for HM meetings, do you have intention to participate? https://wiki.openstack.org/wiki/Meetings#Hierarchical_Multitenancy_Meeting [17:51]
<raildo> gyee, henrynash ^ [17:52]
<marekd> morganfainberg: stevemar2 rodrigods: i don't know exactly what was missing while doing the blogpost, but I feel we should have two values added to KeystoneIdP  - Service Provider where an assertion should be sent (already there), but also a protected url (not there) [17:55]
<jamielennox> morganfainberg: awake [17:56]
<marekd> also...is there any filtering applied on those 'extra' regions? [17:56]
<marekd> morganfainberg: stevemar2: and how does user know which region is a k2k region? [17:56]
<marekd> morganfainberg: stevemar2 and what protocol should be used [17:56]
<rodrigods> marekd, by having an URL I think [17:56]
<morganfainberg> jamielennox: ack. [17:57]
<marekd> rodrigods: ? [17:57]
<rodrigods> yeah, that extra parts are out of band [17:57]
<rodrigods> marekd, k2k region = the ones with URL [17:57]
<stevemar2> marekd, that's the disconnect [17:57]
<jamielennox> morganfainberg: essentially the SDK will consume the session if we break it out [17:57]
<jamielennox> morganfainberg: i convinced them on only writing auth plugins once for everything [17:57]
<marekd> rodrigods: very loose assumption. One day somebody will need it for something new and then what? [17:57]
<morganfainberg> jamielennox: we talked about that already. Let's plan that for this cycle then. [17:58]
<gyee> raildo, k [17:58]
<marekd> stevemar2: that's what? [17:58]
<jamielennox> morganfainberg: there is a couple of tweaks they wanted which i don't think will be a problem [17:58]
<morganfainberg> jamielennox: great. Need help splitting the repo? Or can you (I want to maintain history). Ksc can dep on the new lib. [17:58]
<morganfainberg> Keystonecommon? Put cms in there too? [17:59]
<marekd> morganfainberg: unless somebody else works on that i will need to setup k2k with proper crypto [18:01]
<jamielennox> morganfainberg: i'd prefer not to call it anything after keystone [18:01]
<jamielennox> it's a base lib for all types of clients [18:01]
<marekd> morganfainberg: and fix what's wrong. [18:01]
<morganfainberg> jamielennox: ok. [18:01]
<jamielennox> i was thinking i'd try and catch dhellmann before end of summit and ask about an oslo.client [18:01]
<jamielennox> missed him [18:01]
<morganfainberg> jamielennox: oslo? [18:01]
<morganfainberg> Ah ok yeah oslo. Makes sense. [18:01]
<jamielennox> right - i think the V3 auth etc would continue to live in keystoneclient, however session is common [18:02]
<jamielennox> my problem with oslo.client is the workflow because i expect users to construct a session [18:02]
<jamielennox> are we having a meeting this morning ? [18:03]
<jamielennox> /today [18:03]
*** tellesnobrega_ has quit IRC [18:03]
<jamielennox> i'm a little unsure at the moment how compatibility is going to work, with setuptools and that sort of thing [18:03]
ayoungraildo, added it to my calendar.  Feel free to ping me when it happens, too18:06
raildoayoung, sure18:06
jamielennoxmorganfainberg: no meeting?18:07
gyeewhich meeting HM or Keystone?18:07
jamielennoxkeystone18:07
jamielennoxHM?18:07
ayoungjamielennox, no.  morganfainberg called it off for this week18:07
jamielennoxdamn18:07
raildoHM meeting is on friday :)18:07
gyeeyes, got that one18:08
raildohttps://wiki.openstack.org/wiki/Meetings/HierarchicalMultitenancyMeeting18:08
ayounggo back to bed18:08
morganfainbergmarekd, i'm ok with the k2k stuff being side-band intially for setup18:08
morganfainbergjamielennox, sorry, yeah go back to sleep.18:08
jamielennoxwasn't too bad, my jetlag is all over the place18:08
ayoungmorganfainberg, so, I think I might need to hack on Paste18:08
ayoungright now, we duplicate the set of filters used for each pipeline18:09
morganfainbergayoung, and the token "pipeline" if there are any optional filters shouldn't be in paste like that18:09
ayoungmorganfainberg, so I think I want to add a filter-list filter.  I tried doing it outside of paste, but you lose all of the configuration18:09
morganfainbergayoung, just let me say that upfront.18:09
ayoungmorganfainberg, I think the auth plugin needs to be specified in paste18:09
ayoungbut,  even if we don't, doesn't change the  issue18:10
ayoungso let's table the token pipeline discussion so as not to distract18:10
morganfainbergayoung, ok that much i wanted to in either case18:10
morganfainbergayoung, lets focus on what you're trying to accomplish with paste in this case.18:11
ayoungright now, we lump all of the routes into a set of pipelines, and then expose them via composite18:11
morganfainbergassuming things that are already "common-ish" we can keep that way18:11
ayoungI just want to convert this:18:11
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini#n9118:11
ayounginto this:18:11
ayoungpipeline = standard_filters service_v318:12
*** tellesnobrega_ has joined #openstack-keystone18:12
ayoungand pull out all of the extensions  so they are in their own pipelines.  So we would change, for example revoke_extension to18:12
ayoung[pipeline:revoke]18:12
morganfainbergayoung, stop.18:13
ayoungpipeline = standard_filters revoke_extension18:13
morganfainbergayoung, so, back to this, paste doesn't support this construct?18:13
morganfainbergayoung, and you're saying we need to fix that first?18:13
ayoungno the reusable-set-of-filters construct18:13
ayoungyes18:13
marekdmorganfainberg: what do you mean side-band?18:13
ayoung"not the reusable-set-of-filters construct"18:13
morganfainbergmarekd, oh nvm mis-read18:14
morganfainbergmarekd, sorry. was on my phone :P18:14
morganfainbergmarekd, strike that comment.18:14
ayoungmorganfainberg, so my first attempt was to do this completely in Keystone:18:15
morganfainbergayoung, while i'm fine with you working on paste to make it better (yay), i would hope that you don't block all of the work on a project we don't control.18:15
ayounghttps://github.com/admiyo/keystone/commit/319aae44d0c32ff735e94dfcd629f6162330bdef18:15
morganfainbergayoung, i mean.. i'm not your boss ;), but since we (openstack) don't control paste, it might be something we need to handle the way we're doing it now.18:15
ayoungI think it is more of a "it is not manageable due to cut and paste"  issue, not a blocker18:15
*** marekd is now known as marekd|away18:15
ayoungwe can always duplicate the filter list all over the place, it just is going to be a mess18:15
morganfainbergayoung, making paste better is fine - assume we have to go with "copy-paste" [sucky] for now.18:16
morganfainbergand if paste accepts and we increment global reqs we can make it way better18:16
morganfainbergayoung, also remember, you scale about as well as I do :P so....18:16
openstackgerritAlexander Makarov proposed a change to openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154118:16
ayoungmorganfainberg, if we are stuck with paste at its present state, we may want to take all of our current filters and make python code that calls the filters instead...it just takes control out of the hands of the operators, and I'd rather not do that18:17
morganfainbergayoung, while you're at it, want to make paste py3k friendly? :P last i saw it wasn't18:17
ayoungI'm willing to entertain options.  Sounds like Pecan/WSME doesn't solve this for us, though18:18
*** amcrn has joined #openstack-keystone18:19
morganfainbergayoung, well operators shouldn't be configuring non-optional filters anyway18:20
ayoungmorganfainberg, I'm thinking of the admin_token filter18:20
ayoungwe explicitly say "remove that after setup"18:20
ayoungwould like to have them do that in exactly one place18:20
morganfainbergayoung, hmm...18:21
ayoungmorganfainberg, and I would like to be able to make paste  routes for anything that has to be in sync with Apache.  So if I need mod_auth_kerb,mod_sam and mod_nsss/client cert routes, I can do it in a config file18:22
*** edmondsw has joined #openstack-keystone18:22
ayoungideally, I would specify something like this18:22
morganfainbergayoung, well like i said, not really something i can say "yes lets do" barring paste accepting this new construct18:23
ayoungpipeline = standard_filters  mapped_auth  token_pipeline18:23
morganfainbergayoung, if we get paste there and it goes in, and is released, great! if not, we need a backup plan (and yes one option is "do what we do today"18:23
ayoungmorganfainberg, worst case is we get the paste thing working, they say no, and we have to do it in a subclass of the paste-deploy config parser18:24
morganfainbergayoung, so, i mean, i don't have a lot more to say besides "yes that would be better".18:24
morganfainbergayoung, there are many ways to skin this cat, - yes your proposal is better, but honestly i don't have anything to say to it. i am not a person who can accept code into paste18:25
*** amakarov is now known as amakarov_away18:25
morganfainbergayoung, so i think this conversation is relatively pointless besides "yep it would be nicer to have that construct". ;) seriously, it's sort of way outside the scope of OpenStack atm besides it would be nice to have.18:26
ayoungmorganfainberg, I know jamielennox looked in to this a way back.  I can't see a better alternative at the moment18:26
morganfainbergayoung, so - don't block up your direction in keystone on this fix landing, but yeah i'm all for a cleaner paste config.18:27
ayoungmorganfainberg, I won't.  I think I can make paste file that does what I want, just ugly, without any of this.18:28
morganfainbergayoung, if you need someone to argue^wmake a case for this with paste devs, i'm happy to help there :)18:28
ayoungDo you know Ian Bicking?18:28
morganfainbergayoung, and for updating global reqs. but we've spent a chunk of time agreeing here :P18:28
morganfainbergnope.18:28
ayoungI'm sending him an email now.  Maybe I'll get a better way to do it18:28
morganfainbergsounds good, feel free to CC me if you want. no need to if you got it.18:29
*** nellysmitt has quit IRC18:33
ayoungAlready sent18:35
*** nellysmitt has joined #openstack-keystone18:38
*** tellesnobrega_ has quit IRC18:39
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Backlog  https://review.openstack.org/12664718:42
ayoungraildo, rodrigods here is the general class model for RBAC http://adam.younglogic.com/presentations/RBAC.svg18:43
*** tellesnobrega_ has joined #openstack-keystone18:43
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add small comment for partially implemented specs in backlog  https://review.openstack.org/13378318:44
ayoungmorganfainberg, the backlog spec still refers to lost-and-found.  Is that deliberate?18:45
morganfainbergayoung, does it?18:45
morganfainbergayoung, hm..18:45
ayoungmorganfainberg, under client...18:45
ayounghttps://review.openstack.org/#/c/126647/8/README.rst,cm18:45
morganfainbergcrud. let me fix that18:46
ayoungthanks18:46
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Backlog  https://review.openstack.org/12664718:47
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add small comment for partially implemented specs in backlog  https://review.openstack.org/13378318:48
stevemar2dtroyer, i think https://review.openstack.org/#/c/131804/ warrants another look18:49
*** aix has quit IRC18:49
*** vejdmn has joined #openstack-keystone18:49
raildoayoung, maybe  do you have to explain about the inherited roles assignments in this diagram?18:49
stevemar2dtroyer, that + default domains + or-show for a bunch more identity stuff = 1.0 ?18:50
raildoor this is other discussion18:50
ayoungraildo, heh...sure18:50
ayoungthis diagram does not show inherited roles...I should add it18:50
raildook18:50
ayoungraildo, I made it before the summit.  Based on how Keystone works now18:50
ayoungjust a starting point for a model, but I think it captures the basics18:51
raildohum, nice :) this is a great explanation how this works today18:51
ayoungraildo, thanks.  I try to cut to the essentials18:51
rodrigodsayoung, didn't get the Responsibility vs Resource_Type relationship =)18:53
rodrigods(it's a great diagram, btw)18:53
ayoungrodrigods, so...responsibility is kind of like an inherited role18:53
ayoungthere have been many iterations of this diagram.  I started with the party-pattern from Martin Fowler.  Can't take full credit18:54
rodrigodsayoung, example of how a responsibility is different based on the resource type?18:55
ayoungrodrigods, other way around:  your role means you are responsible for a class of resources18:55
ayounga network admin is responsible for objects in Neutron, a storage admin for things in cinder, etc18:55
rodrigodsayoung, hmm18:55
rodrigodsright18:55
rodrigodsnow I remember18:56
rodrigods=)18:56
htrutaayoung:  I didn't understand why the Responsibility is attached to the ResourceType while the AssignedResponsibility is attached to the Resource18:56
rodrigodsHierarchical Roles spec =P18:56
ayounghtruta, good question, let me try to make it clear18:56
*** vejdmn has quit IRC18:57
ayounghtruta, the idea is that certain objects are mine, and only I can manage them.  Other types of resources are group resources, and anyone with the role-assignment can manage them18:57
*** marcoemorais has quit IRC18:58
ayoungSo an assigned responsibility is on an actual resource instance.  This was trying to get the whole ACL issue from Swift and Barbican represented the same way.  Maybe it is the wrong representation18:58
*** marcoemorais has joined #openstack-keystone18:58
*** marcoemorais has quit IRC18:59
*** marcoemorais has joined #openstack-keystone18:59
*** Dafna has quit IRC18:59
rodrigodsayoung, it sounds more like ownership than assignment19:01
rodrigodsfor those cases19:01
*** gokrokve has quit IRC19:01
htrutaayoung: nice. Got it19:01
htrutarodrigods: +119:01
ayoungrodrigods, I was going for the more general term.  Maybe you are right19:01
ayoungBut also, you could assign the same object to multiple people...ACL means anyone in the list can access it19:02
ayoungAnd even ACL might be based on group membership, not just on individual identity, so...lets just say that part of the diagram might be adjusted...19:02
rodrigodsayoung, ++19:03
*** amirosh has joined #openstack-keystone19:03
*** gokrokve has joined #openstack-keystone19:04
*** rharwood has joined #openstack-keystone19:07
htrutaayoung: cool. I think I'll be working with raildo and rodrigods on this19:07
ayounghtruta, excellent19:07
ayounghtruta, I'm working on a spec for the database scheme right now.  I'll add to the huge policy review, and then we can split them out.19:07
raildoayoung, ++19:08
htrutaayoung: ++19:08
*** gokrokve has quit IRC19:09
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Replace the concept of extensions in Keystone.  https://review.openstack.org/13380919:11
morganfainberghenrynash, yay!^19:11
ekarlsojamielennox: you around  ?19:12
henrynashmorganfainberg: so I have included a bunch of questions in this first version…since there is quite a lot to consider…I guess I’m not entirely convinced yet myself of the trade-offs19:12
morganfainberghenrynash, sure thing.19:12
henrynashmorganfainberg: wanted to get it out there for discussion19:12
*** gyee has quit IRC19:13
morganfainberghenrynash, the #1 thing is "extensions" that are optional (meaning optional APIs) are an awful design19:13
henrynashmorganfainberg: agreed19:13
morganfainbergand the #2 thing: we treat our extensions as stable APIs19:13
morganfainbergexperimental means we *could* if needed change the API19:13
morganfainbergnot that we should assume we will.19:13
morganfainbergother than that, it's largely the same. but i really don't want "optional" parts of the API.19:14
morganfainbergand we need to have it clearly documented.19:14
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add small comment for partially implemented specs in backlog  https://review.openstack.org/13378319:14
ekarlsojamielennox: I'll have to nag you again on https://review.openstack.org/#/c/133676/ where to add tests ?19:14
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Replace the concept of extensions in Keystone.  https://review.openstack.org/13380919:15
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add project documentation links to index  https://review.openstack.org/13381019:20
*** tellesnobrega_ has quit IRC19:20
*** esp has left #openstack-keystone19:21
*** marcoemorais has quit IRC19:21
*** marcoemorais has joined #openstack-keystone19:22
*** tellesnobrega_ has joined #openstack-keystone19:23
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Replace the concept of extensions in Keystone.  https://review.openstack.org/13380919:28
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add warning about milestone 2 deadline  https://review.openstack.org/13381319:29
openstackgerritayoung proposed a change to openstack/keystone-specs: policy  https://review.openstack.org/13348019:29
openstackgerritayoung proposed a change to openstack/keystone-specs: Policy rules mangaged from a database  https://review.openstack.org/13381419:29
ayounghtruta, raildo rodrigods ^^19:30
raildoayoung, nice, I'll read the spec today :)19:31
ayoungraildo, thanks19:31
openstackgerritayoung proposed a change to openstack/keystone-specs: Backlog  https://review.openstack.org/12664719:33
raildoayoung, i'm writing the spec about HM, maybe i can finish this today , so i send to you19:33
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Split up assignments, making role-assignments pluggable.  https://review.openstack.org/12939719:35
morganfainberghenrynash, ^ +2 LGTM, fixed typos19:36
henrynashmorganfainberg: thx19:36
*** gokrokve has joined #openstack-keystone19:37
morganfainbergayoung, i think you got the wrong bits untabbed in your last push to backlog19:38
morganfainbergayoung, it doesn't look right.19:38
morganfainbergv2 api?19:38
ayoungmorganfainberg, I was trying to address stevemar2 's comments.  I think you are right.19:38
stevemar2yeah, i meant the backlog section19:38
stevemar2specs/backlog/* should have a few less spaces before it19:39
ayoungone more try coming up19:40
morganfainbergayoung, hehe.19:40
morganfainberggoing to see if we can get the v2 API merged here soon.19:40
openstackgerritayoung proposed a change to openstack/keystone-specs: Backlog  https://review.openstack.org/12664719:40
ayounghttps://review.openstack.org/#/c/126647/11/doc/source/index.rst,cm  stevemar2 look better?19:41
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add small comment for partially implemented specs in backlog  https://review.openstack.org/13378319:41
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add project documentation links to index  https://review.openstack.org/13381019:41
stevemar2ayoung, i think that should work19:41
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add warning about milestone 2 deadline  https://review.openstack.org/13381319:41
morganfainbergayoung, yeah that looks better.19:41
ayoungall +2s still apply?19:41
*** gokrokve has quit IRC19:41
rodrigodsmorganfainberg, yay19:43
morganfainbergayoung, waiting for jenkins but was going to re-+2 it19:43
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Adjust for integer only user ids from ldap  https://review.openstack.org/13381519:43
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131519:48
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Update headers slightly for API specification(s)  https://review.openstack.org/13381619:48
morganfainbergstevemar2, ok so i think we're pretty close on the V2 specs landing.19:49
*** gokrokve has joined #openstack-keystone19:49
stevemar2morganfainberg, v2 api :P19:49
morganfainbergstevemar2, yeah that19:49
*** shakamun_ has quit IRC19:52
*** marcoemorais has quit IRC19:53
*** marcoemorais has joined #openstack-keystone19:53
ekarlsoanyone here with a clue on the discovery stuff / session that can help me write tests for my change ? I just need some hints on how :)19:53
ekarlsomy ksclient foo is off19:54
morganfainbergstevemar2, ugh we need to go put code-type identifiers into the rst.19:55
morganfainbergstevemar2, it's missing them. (e.g. XML)19:55
morganfainbergstevemar2, we can do that as a followup i guess19:55
*** shakamunyi has joined #openstack-keystone19:57
openstackgerritayoung proposed a change to openstack/keystone-specs: Policy rules mangaged from a database  https://review.openstack.org/13381419:57
morganfainberghenrynash, stevemar2, pagination doesn't work in v2 does it20:03
morganfainberg?20:03
morganfainbergspecifically... https://review.openstack.org/#/c/131315/6/api/v2.0/identity-api-v2.0-paginated_collections.rst we should just remove that file20:03
henrynashmorganfainberg: there is some funky weird support in one or two apis I believe20:04
morganfainberghenrynash, it is inconsistent and not well supported and/or broken?20:04
morganfainberghenrynash, right?20:04
morganfainbergbecause i keep getting asked about pagination... :P20:04
henrynashmorganfainberg: that’s an understatement20:04
morganfainbergso.. i want to vote that file off the island :P20:05
henrynashmorganfainberg: the v2 admin router of /tenants has marker/limit support in it20:06
morganfainbergheh20:06
henrynashmorganfainberg: that’s the only case I know if20:07
henrynashof20:07
david-lylehey when do we get pagination?20:07
* david-lyle ducks20:07
stevemar2hehe20:11
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131520:11
*** stevemar2 is now known as stevemar20:11
morganfainbergstevemar, ^ that should add all the code-type identifiers20:11
morganfainbergotherwise i think it looks good20:11
stevemarmorganfainberg, thanks, let me check20:11
morganfainbergXML doesn't actually render differently20:12
morganfainbergbut meh, might as well add them20:12
raildodavid-lyle, for something specific?20:12
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Update headers slightly for API specification(s)  https://review.openstack.org/13381620:12
*** afaranha has quit IRC20:23
*** tellesnobrega_ has quit IRC20:26
*** vhoward has left #openstack-keystone20:28
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Allow to allow for other then STABLE api version  https://review.openstack.org/13015920:28
*** gyee has joined #openstack-keystone20:41
openstackgerritLance Bragstad proposed a change to openstack/keystone: Add positive test case for content types  https://review.openstack.org/13059120:45
morganfainberghenrynash, aww really: https://bugs.launchpad.net/keystone/+bug/1390125 ?20:47
uvirtbotLaunchpad bug 1390125 in keystone "Federation tokens can't be handled if assignment backend is LDAP " [Undecided,New]20:47
stevemarmorganfainberg, there are some weird characters in that spec patch20:48
stevemarlike Â20:48
morganfainbergstevemar, which one? the V2 one?20:48
stevemaryeah20:48
morganfainbergwhich files?20:49
*** stevemar has quit IRC20:50
*** stevemar has joined #openstack-keystone20:50
morganfainbergstevemar which files?20:50
morganfainbergstevemar, i'm not seeing them20:51
stevemarmorganfainberg, almost all of them - but i'm not seeing them in gerrit20:51
stevemarmorganfainberg, give me a sec, i'm uploading a new version20:51
stevemarand fixing the code blocks20:51
morganfainbergoh i wonder...20:51
morganfainbergdid something do autocorrect rough-shot over the entire bloody thing20:52
morganfainbergstevemar, what line and what file let me look at my local copy20:52
morganfainbergand what is wrong with the code blocks?20:52
morganfainbergXML doesn't AFAICT render differently regardless20:52
stevemarmorganfainberg, paginated collections: **Example: Tenant collection, last page: JSON response**20:53
stevemarit should be code-block::xml20:53
stevemari'm 99% done20:53
stevemarjust checking20:53
morganfainbergstevemar, both forms work iirc.20:53
*** amirosh has quit IRC20:54
morganfainbergstevemar, uhm.20:54
morganfainbergstevemar, local copy doesn't have the :Â20:54
morganfainbergi think you have something wonky in your checked out version20:54
stevemarmorganfainberg, hehe, let me fiddle for a few more minutes...20:58
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131521:02
stevemarmorganfainberg, new patch up, if you disagree let me know and i'll pull it out21:02
stevemarmorganfainberg, for instance here: https://review.openstack.org/#/c/131315/7..8/api/v2.0/identity-api-v2.0-paginated_collections.rst21:03
stevemarthere was something screwy about the "-" used on line 20, and the space used on line 3321:04
morganfainbergstevemar, meeting for me, but after will look21:04
stevemarokay21:04
ayoungmorganfainberg, I'm a +A the backlog, since it had enough eyes.21:05
morganfainbergayoung, ack21:07
openstackgerritA change was merged to openstack/keystone-specs: Backlog  https://review.openstack.org/12664721:08
*** Viswanath has joined #openstack-keystone21:09
*** Viswanath has quit IRC21:12
*** zzzeek has quit IRC21:15
*** zzzeek has joined #openstack-keystone21:17
*** nellysmitt has quit IRC21:18
*** nellysmitt has joined #openstack-keystone21:18
*** shakamunyi has quit IRC21:18
stevemarayoung, theres a few more from morganfainberg that were relying on the backlog patch21:21
stevemari've already +2'ed and they are looking for another +2/+A :) they are all pretty minor21:22
ayounglooking21:22
*** nellysmitt has quit IRC21:23
*** jacorob has joined #openstack-keystone21:25
morganfainbergstevemar, i still don't see how you got the weird characters in there. i can't see them. *shrug*21:27
morganfainbergon any interface / way21:27
stevemarmorganfainberg, but the xml stuff looks prettier :)21:29
morganfainbergl21:29
morganfainbergyeah21:29
morganfainbergcan we get line numbers?21:30
morganfainbergor no.21:30
morganfainbergcause that would be super duper awesome21:30
morganfainbergotherwise this looks good to me. going to merge it.21:30
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Update headers slightly for API specification(s)  https://review.openstack.org/13381621:31
ekarlsoanyone wanna look at https://review.openstack.org/#/c/130159/ ?21:31
*** shakamunyi has joined #openstack-keystone21:34
openstackgerritA change was merged to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131521:34
*** shakamunyi has quit IRC21:39
openstackgerritA change was merged to openstack/keystone-specs: Split up assignments, making role-assignments pluggable.  https://review.openstack.org/12939721:41
openstackgerritA change was merged to openstack/keystone: Tests raise exception if logging problem  https://review.openstack.org/11994621:44
*** zzzeek has quit IRC21:47
morganfainbergstevemar, https://review.openstack.org/#/c/126180/ i don't like the truncation to just the initiator section21:47
*** fifieldt has quit IRC21:47
morganfainbergstevemar, i'd rather be explicit and show the whole cadf notification in the docs (consistent and less confusing w/o needing to be *sure* to carefully read the "only the initiator in this section")21:48
stevemarmorganfainberg, i might just abandon that, with the new cadf everywhere spec it'll be time for new docs21:49
morganfainbergstevemar, ++21:49
openstackgerritA change was merged to openstack/keystone: Prevent infinite loop in token_flush  https://review.openstack.org/13189921:52
*** marcoemorais has quit IRC21:52
lbragstaddstanek: around?21:52
*** marcoemorais has joined #openstack-keystone21:53
dstaneklbragstad: kinda sorta yeah21:53
dstaneklbragstad: what's up21:53
lbragstaddstanek: just curious if you have a criteria for the moving of tests?21:53
*** unstable has joined #openstack-keystone21:53
openstackgerritLance Bragstad proposed a change to openstack/keystone: Move notification unit tests to unit test dir  https://review.openstack.org/13383421:53
unstablehttp://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html ; With keystone can I have two user_tree_dn s? So We have ou=Users and ou=Services, I want to add both of them. Is this possible?21:53
dstaneklbragstad: mostly that the tests really are unit tests and have limited dependencies21:54
unstableI looked for a bug in launchpad, and I tried to check the specs stuff (which is confusing).21:54
lbragstaddstanek: so whatever falls into that category can be moved to keystone/tests/unit/* ?21:54
dstaneklbragstad: yeah i think so21:54
dstaneklbragstad: i was trying to keep the naming similar so you can programmatically find the tests for a module21:55
lbragstaddstanek: I tried doing the opposite of that with the functional tests patch21:55
lbragstaddstanek: I saw that, it looks good21:55
dstaneklbragstad: opposite of naming?21:55
lbragstadopposite of dependencies kinda thing21:55
openstackgerritA change was merged to openstack/keystone: Enable hacking rule H904  https://review.openstack.org/13306621:55
dstaneklbragstad: ah yeah sure - the v3 tests need to be ripped apart21:56
*** jacorob has quit IRC21:56
*** jacorob has joined #openstack-keystone21:57
lbragstaddstanek: I started by moving them into keystone/tests/functional for now21:57
lbragstaddstanek: how would you go about splitting them further?21:57
dstaneklbragstad: along functional lines - not really sure yet - i think i may make a commit on top of yours to monkey with it21:58
lbragstaddstanek: sure thing,22:00
*** fifieldt has joined #openstack-keystone22:01
lbragstaddstanek: as far as moving test modules over to keystone/tests/unit/ or keystone/tests/functional/, do you mind if they are in one big commit or move them over in bite-sized commits?22:02
dstaneklbragstad: i'm technically on vaca this week, but i'm planning on doing some reviews - i'll do your first since i am biased22:02
*** amcrn has quit IRC22:02
lbragstaddstanek: no worries, you don't have to go out of your way to do it, just wanted to sync with you on the process since I have time to work on it22:03
dstaneklbragstad: i don't mind either way - probably good to split it up a little though22:03
lbragstaddstanek: agreed, I'll start proposing them as smaller commits.22:03
*** topol has quit IRC22:03
lbragstaddstanek: easier to review22:03
*** amirosh has joined #openstack-keystone22:05
*** marzif has joined #openstack-keystone22:05
*** amirosh has quit IRC22:09
*** unstable has left #openstack-keystone22:13
*** joesavak has quit IRC22:34
*** henrynash has quit IRC22:39
*** amerine has quit IRC22:41
*** amerine has joined #openstack-keystone22:43
*** marzif has quit IRC22:46
*** edmondsw has quit IRC22:48
*** shakamunyi has joined #openstack-keystone22:59
*** zzzeek has joined #openstack-keystone23:00
*** shakamun_ has joined #openstack-keystone23:00
*** toddnni has quit IRC23:03
*** henrynash has joined #openstack-keystone23:03
*** toddnni has joined #openstack-keystone23:03
*** shakamunyi has quit IRC23:04
*** shakamunyi has joined #openstack-keystone23:07
*** shakamun_ has quit IRC23:11
*** jaosorior has quit IRC23:13
*** jacorob has quit IRC23:16
*** thedodd has quit IRC23:21
*** sigmavirus24 is now known as sigmavirus24_awa23:21
openstackgerrithenry-nash proposed a change to openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095423:27
openstackgerrithenry-nash proposed a change to openstack/keystone: Split the assignments controller  https://review.openstack.org/13263423:29
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352523:31
ekarlsojamielennox: the cli plugin thing, did that die ?23:41
*** ayoung has quit IRC23:41
jamielennoxekarlso: not so much die - i just haven't figured out what i would want in it beyond generic.Password23:41
*** htruta_ has joined #openstack-keystone23:42
jamielennoxsome clis support --os-token and --os-endpoint, some dont23:42
jamielennoxi'm not sure if it's something we should support23:42
ekarlso:/23:42
ekarlsojamielennox: good morning to you also I guess :)23:43
jamielennoxoff the top of my head i guess we do support it23:43
jamielennoxekarlso: :)23:43
jamielennoxbut i haven't worked on it23:43
ekarlsojamielennox: would be nice to get it in soon :P23:43
jamielennoxekarlso: ok - well i know OSC is essentially using that same thing so it's probably worth moving it to keystoneclient23:44
jamielennoxekarlso: it'll probably happen faster if you propose it23:44
ekarlsojamielennox: I already proposed a cliplugin :p23:44
jamielennoxhmm, let me have a look23:44
jamielennoxekarlso: i don't see it23:45
*** zzzeek has quit IRC23:45
jamielennoxalso for designate you really should just use OSC23:45
jamielennoxIMO23:45
ekarlsojamielennox: is OSC going anywhere atm ?23:46
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Add support for groups of roles.  https://review.openstack.org/13385523:46
jamielennoxekarlso: stronger and stronger23:46
jamielennoxthey're looking at a final stable version soon23:46
jamielennoxOSC is the CLI project - not the SDK which is the library23:46
*** dims_ has joined #openstack-keystone23:47
ekarlsojamielennox: is that using sessions ? :)23:49
jamielennoxto various degrees23:49
jamielennoxthere are a lot of existing projects that it supports that don't use sessions yet23:49
ekarlso:/23:49
ekarlsoah23:49
jamielennoxfor those that do it will use sessions23:49
ekarlsois experimental api's allowed there ?23:50
ekarlsowe've got V2 in designate going stable in K I hope23:50
jamielennoxekarlso: it works via entrypoints23:50
*** dims has quit IRC23:50
jamielennoxso you can specify your CLI in your own client library and then it will load if it available23:50
ekarlsowill check with my team tmrw then :)23:51
ekarlsothey are all fast asleep23:51
gyeehenrynash, how are role groups different from hierarchical roles?23:52
henrynashgyee: so I tried to keep the concepts separate23:53
*** shakamunyi has quit IRC23:53
gyeebut they are the same, conceptually23:53
mfischnkinder: I'm trying to manually cherry-pick your PAGING_OID fix, whats the etiquette on maintaining original author in the commit message?23:53
henrynashgyee: we want a) the ability to have some kind of way for domains to create their own roles and then have these mapped to the global roles (so that we don’t have to keep changing the policy file)23:54
*** dims_ has quit IRC23:54
henrynashgyee: b) when you apply hierarchical MT to a), then you end up with hierarchical roles (although in fact it is hierarchical role groups…but that’s ok)23:55
*** nkinder has quit IRC23:55
gyeeyes, two different ways to describe the same thing :)23:55
*** dims has joined #openstack-keystone23:55
gyeewe need the feature, just that you and ayoung need to figure out the English words :D23:56
henrynashgyee: I kept them separate since I think even with HMT, role groups are very useful…since it allows domains to have their own roles23:56
gyeeI am all for role groups23:57
henrynashgyee: yes, I think ayoung is making a leap for the endgame, I’m a bit more pedestrian and taking it one step at a time…since I think that’s all we can achieve!23:57
gyeehenrynash, ++23:57
henrynashgyee: correcting my comment above: I kept them separate since I think even WITHOUT HMT, role groups are very useful…since it allows domains to have their own roles23:58
gyeehenrynash, I agree, not just role groups, resource groups in general are immensely helpful23:59
henrynashgyee: yep….23:59
gyeeyou want to go as far as nested groups or just one level for now?23:59
