Tuesday, 2014-11-18

« Monday, 2014-11-17 Index Wednesday, 2014-11-19 »
*** _sunil_ has joined #openstack-keystone00:01
dolphmjamielennox: there's totally a brew for mysql00:01
jamielennoxdolphm: oh yea, just not one that's devstacked - anyway, answers my question that we don't care about devstack on OSX because obviously stupid to run it on your desktop and there's no brew options in devstack00:02
dolphmjamielennox: ah yeah00:02
dolphmyeah no one should run devstack on os x00:02
dolphmeven if you could00:02
*** RichardRaseley has quit IRC00:02
*** gokrokve has joined #openstack-keystone00:04
*** tellesnobrega has joined #openstack-keystone00:07
*** marcoemorais has quit IRC00:07
*** marcoemorais has joined #openstack-keystone00:07
*** dims_ has quit IRC00:08
*** gordc has quit IRC00:09
*** thedodd has quit IRC00:11
*** david-lyle is now known as david-lyle_afk00:13
*** tellesnobrega has quit IRC00:17
*** tellesnobrega has joined #openstack-keystone00:30
*** NM has joined #openstack-keystone00:30
morganfainbergdolphm, /me runs ./stack.sh in OS X and watches it explode00:48
*** dims has joined #openstack-keystone00:49
*** stevemar has quit IRC00:52
*** marg7175 has quit IRC00:52
*** stevemar has joined #openstack-keystone00:52
*** ChanServ sets mode: +v stevemar00:52
*** gokrokve has quit IRC00:56
*** gokrokve has joined #openstack-keystone00:57
*** gokrokve has quit IRC00:57
*** marcoemorais has quit IRC01:02
*** marcoemorais has joined #openstack-keystone01:02
*** stevemar has quit IRC01:14
*** NM has quit IRC01:18
*** amcrn has quit IRC01:21
*** _cjones_ has quit IRC01:24
*** raildo_ has joined #openstack-keystone01:28
*** stevemar has joined #openstack-keystone01:28
*** ChanServ sets mode: +v stevemar01:28
*** lhcheng_ has quit IRC01:50
*** _sunil_ has quit IRC01:56
*** _sunil_ has joined #openstack-keystone01:56
*** dims has quit IRC01:58
*** _sunil_ has quit IRC02:01
*** zzzeek has quit IRC02:02
*** alex_xu has joined #openstack-keystone02:08
*** RichardRaseley has joined #openstack-keystone02:17
*** RichardRaseley has quit IRC02:19
*** marg7175 has joined #openstack-keystone02:20
*** tellesnobrega has quit IRC02:21
*** _sunil_ has joined #openstack-keystone02:27
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412502:27
*** gokrokve has joined #openstack-keystone02:29
*** sigmavirus24 has joined #openstack-keystone02:30
*** marcoemorais has quit IRC02:30
*** _sunil_ has quit IRC02:31
*** alex_xu has quit IRC02:33
*** erkules_ has joined #openstack-keystone02:38
*** Viswanath has joined #openstack-keystone02:38
*** oomichi has joined #openstack-keystone02:40
*** erkules has quit IRC02:40
*** Viswanath has quit IRC02:41
*** marg7175 has quit IRC02:45
*** marg7175 has joined #openstack-keystone02:45
*** marg7175 has quit IRC02:49
*** alex_xu has joined #openstack-keystone02:50
*** dims has joined #openstack-keystone02:51
*** raildo_ has quit IRC02:57
*** patrickeast has quit IRC02:58
*** erkules_ is now known as erkules02:58
*** dnalezyt has quit IRC02:58
*** alex_xu has quit IRC02:59
*** gokrokve has quit IRC03:00
*** gokrokve has joined #openstack-keystone03:00
*** sigmavirus24 is now known as sigmavirus24_awa03:02
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005003:05
*** alex_xu has joined #openstack-keystone03:12
*** dims has quit IRC03:13
*** dims has joined #openstack-keystone03:13
*** tellesnobrega has joined #openstack-keystone03:17
*** stevemar has quit IRC03:37
*** boris-42 has quit IRC03:47
*** alex_xu has quit IRC03:50
*** alex_xu has joined #openstack-keystone03:50
*** tellesnobrega has quit IRC03:52
*** gokrokve_ has joined #openstack-keystone03:52
*** tellesnobrega has joined #openstack-keystone03:53
*** richm1 has quit IRC03:53
*** gokrokve_ has quit IRC03:54
*** gokrokve_ has joined #openstack-keystone03:55
*** gokrokve has quit IRC03:55
*** stevemar has joined #openstack-keystone03:56
*** ChanServ sets mode: +v stevemar03:56
*** gokrokve_ has quit IRC03:59
*** _sunil_ has joined #openstack-keystone04:08
*** gokrokve has joined #openstack-keystone04:22
*** gokrokve has quit IRC04:24
*** gokrokve has joined #openstack-keystone04:24
*** gokrokve has quit IRC04:29
*** tellesnobrega has quit IRC04:34
*** marg7175 has joined #openstack-keystone04:46
*** marg7175 has quit IRC04:50
*** gokrokve has joined #openstack-keystone05:24
*** oomichi has quit IRC05:24
*** gokrokve has quit IRC05:28
*** oomichi has joined #openstack-keystone05:48
*** boris-42 has joined #openstack-keystone05:50
*** saipandi has quit IRC05:53
*** oomichi has quit IRC06:02
*** alex_xu has quit IRC06:05
*** oomichi has joined #openstack-keystone06:08
*** renlt has joined #openstack-keystone06:13
*** renlt has quit IRC06:14
*** renlt has joined #openstack-keystone06:14
*** renlt has quit IRC06:16
*** renlt has joined #openstack-keystone06:16
*** renlt has quit IRC06:16
*** renlt has joined #openstack-keystone06:17
*** renlt has quit IRC06:17
*** alex_xu has joined #openstack-keystone06:18
*** gokrokve has joined #openstack-keystone06:24
*** ajayaa has joined #openstack-keystone06:25
*** alex_xu has quit IRC06:27
*** gokrokve has quit IRC06:29
*** alex_xu has joined #openstack-keystone06:30
*** harlowja is now known as harlowja_away06:45
*** marg7175 has joined #openstack-keystone06:46
*** marg7175 has quit IRC06:50
*** _sunil_ has quit IRC06:57
*** k4n0 has joined #openstack-keystone06:57
*** gokrokve has joined #openstack-keystone07:24
*** gokrokve has quit IRC07:29
*** dtturner has quit IRC07:41
*** afazekas has joined #openstack-keystone07:45
*** ukalifon1 has joined #openstack-keystone07:50
*** _sunil_ has joined #openstack-keystone08:08
openstackgerritMarcos Fermín Lobo proposed openstack/keystone: Templated catalog backend not implemented  https://review.openstack.org/12001108:09
*** _sunil_ has quit IRC08:12
*** links has joined #openstack-keystone08:21
*** gokrokve has joined #openstack-keystone08:24
*** gokrokve has quit IRC08:29
*** lhcheng has joined #openstack-keystone08:31
*** henrynash has joined #openstack-keystone09:05
*** ChanServ sets mode: +v henrynash09:05
*** alex_xu has quit IRC09:08
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095409:18
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263409:19
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352509:19
*** henrynash has quit IRC09:19
*** amakarov_away is now known as amakarov09:20
*** nirupma_ has joined #openstack-keystone09:22
nirupma_hi09:22
*** gokrokve has joined #openstack-keystone09:24
*** nirupma_ has quit IRC09:27
*** gokrokve has quit IRC09:29
openstackgerritEndre Karlson proposed openstack/python-keystoneclient: Allow to allow for other then STABLE api version  https://review.openstack.org/13015909:31
openstackgerritMarcos Fermín Lobo proposed openstack/keystone: Templated catalog backend not implemented  https://review.openstack.org/12001109:32
*** marekd|away is now known as marekd09:41
*** jamielennox is now known as jamielennox|away09:43
*** KanagarajM has joined #openstack-keystone09:47
*** aix has joined #openstack-keystone09:48
*** henrynash has joined #openstack-keystone09:50
*** ChanServ sets mode: +v henrynash09:50
*** henrynash has quit IRC10:02
*** tellesnobrega has joined #openstack-keystone10:05
*** henrynash has joined #openstack-keystone10:12
*** ChanServ sets mode: +v henrynash10:12
*** tellesnobrega has quit IRC10:16
*** gokrokve has joined #openstack-keystone10:24
*** nellysmitt has joined #openstack-keystone10:27
*** nirupma has joined #openstack-keystone10:28
nirupmahi10:28
*** gokrokve has quit IRC10:29
*** stevemar has quit IRC10:39
*** nirupma has quit IRC10:47
*** tellesnobrega has joined #openstack-keystone10:47
*** NM has joined #openstack-keystone10:51
*** tsufiev has quit IRC10:58
*** tellesnobrega has quit IRC11:10
*** raildo_ has joined #openstack-keystone11:22
*** aix has quit IRC11:23
*** gokrokve has joined #openstack-keystone11:24
*** gokrokve has quit IRC11:29
*** raildo_ has quit IRC11:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/13477011:31
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/13523711:31
*** dims has quit IRC11:32
*** dims has joined #openstack-keystone11:32
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/13478911:36
*** aix has joined #openstack-keystone11:36
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13479411:36
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-federation: Updated from global requirements  https://review.openstack.org/13357011:36
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/13524411:36
*** samuelms-away is now known as samuelms11:36
samuelmshenrynash, ping11:36
henrynashsamuelms: hi11:42
samuelmshenrynash, morning :)11:46
henrynashmorning!11:46
samuelmshenrynash, just saw your new patch set for ' Split the assignments manager/driver.'11:46
samuelmshenrynash, how that deprecated_to_resource(f) wrapper works ?11:47
henrynashsamuelms: :-) it took me a while to get it right11:47
samuelmshenrynash, I mean, what happens when I call a method with that annotation?11:47
henrynashsamuelms: do you understand teh concept of decorators?11:48
samuelmshenrynash, haha and I still didnt do11:48
samuelmshenrynash, let me remember .. 2 secs11:48
henrynashsamuelms: don’t worry, I struggle….11:48
henrynashsamuelms: have a read up, then look at the wrapper itself (which is now at the top of assignment/core.py)11:49
samuelmshenrynash, ok11:50
henrynashsamuelms: what IS unusual about this case, is that I’m wrapping another wrapper - i.e the underlying versionutils.deprecated (which is fairly complciated, taking parms on its init and then the fucntion on the call)11:51
samuelmshenrynash, hmm .. saw this11:53
openstackgerritDave Chen proposed openstack/keystone: Add new "RoleAssignment" exception  https://review.openstack.org/13362811:53
samuelmshenrynash, what does versionutils.deprecated() do when called?11:53
samuelmshenrynash, raises a warning and then execute f() ?11:54
henrynashsamuelms: yes11:54
samuelmshenrynash, nice ! :-)11:54
henrynashsamuelms: ..although, as an aside, you can also cause it to throw an exception if you set CONF.fatal_depreactions to True11:54
samuelmshenrynash, where can I set this?11:55
henrynashlook at my test code in test_backend_sql.py - right at the end11:55
samuelmshenrynash, self.config_fixture.config(fatal_deprecations=True)11:56
samuelmshenrynash, cool11:56
henrynashsamuelms: yes11:56
samuelmshenrynash, glad to know this :-) thanks11:57
henrynashsamulems: np11:57
samuelmshenrynash, hmmm just looked at versionutils.deprecated11:59
samuelmshenrynash, you wrapped the wrapper so that you don't have to repeat arguments ..12:00
henrynashsamuelms: yep12:00
samuelmshenrynash, nice :)12:00
henrynashsamuelms: gotta go offline for a bit12:00
*** henrynash has quit IRC12:00
*** KanagarajM has quit IRC12:13
*** gokrokve has joined #openstack-keystone12:24
*** diegows has joined #openstack-keystone12:25
*** gokrokve has quit IRC12:29
*** oomichi has quit IRC12:33
*** ayoung-dadmode has quit IRC12:42
*** alex_xu has joined #openstack-keystone12:44
*** k4n0 has quit IRC13:01
*** radez_g0n3 is now known as radez13:02
*** htruta has joined #openstack-keystone13:04
*** alex_xu has quit IRC13:08
*** dims has quit IRC13:16
*** radez is now known as radez_g0n313:16
*** dims has joined #openstack-keystone13:17
*** henrynash has joined #openstack-keystone13:17
*** ChanServ sets mode: +v henrynash13:17
*** alex_xu has joined #openstack-keystone13:22
*** gokrokve has joined #openstack-keystone13:23
*** topol has joined #openstack-keystone13:26
*** ChanServ sets mode: +v topol13:26
*** topol has quit IRC13:33
raildomorganfainberg, https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy-improvements13:37
*** stevemar has joined #openstack-keystone13:38
*** ChanServ sets mode: +v stevemar13:38
*** bknudson has joined #openstack-keystone13:41
*** ChanServ sets mode: +v bknudson13:41
*** gordc has joined #openstack-keystone13:43
*** soulxu_ has joined #openstack-keystone13:46
*** alex_xu has quit IRC13:49
*** vejdmn has joined #openstack-keystone13:50
*** soulxu__ has joined #openstack-keystone13:53
*** soulxu_ has quit IRC13:55
*** saipandi has joined #openstack-keystone13:59
openstackgerritMerged openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/13524414:05
*** jistr has joined #openstack-keystone14:08
*** jistr is now known as jistr|mtgs14:08
*** saipandi has quit IRC14:11
*** soulxu_ has joined #openstack-keystone14:11
*** saipandi has joined #openstack-keystone14:11
*** soulxu__ has quit IRC14:15
*** soulxu__ has joined #openstack-keystone14:17
*** henrynash has quit IRC14:18
*** soulxu_ has quit IRC14:18
*** henrynash has joined #openstack-keystone14:18
*** ChanServ sets mode: +v henrynash14:18
*** soulxu_ has joined #openstack-keystone14:22
*** diegows has quit IRC14:23
*** diegows has joined #openstack-keystone14:23
*** soulxu__ has quit IRC14:26
*** ayoung has joined #openstack-keystone14:27
*** ChanServ sets mode: +v ayoung14:27
*** vsilva_ has joined #openstack-keystone14:28
*** soulxu__ has joined #openstack-keystone14:28
*** soulxu_ has quit IRC14:31
vsilva_ping dolphm morganfainberg marekd; I was browsing jdennis' "Alternative federation mapping" thread and wondering if anything was decided on the summit. Is there still an interest in improving our mapping capabilities?14:33
*** soulxu_ has joined #openstack-keystone14:34
*** soulxu__ has quit IRC14:37
openstackgerrithenry-nash proposed openstack/keystone-specs: Add support for groups of roles.  https://review.openstack.org/13385514:39
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Hierarchical Multitenancy Improvements  https://review.openstack.org/13530914:40
raildohenrynash, morganfainberg, ayoung  ^14:41
*** david-lyle_afk is now known as david-lyle14:43
*** sigmavirus24_awa is now known as sigmavirus2414:47
*** joesavak has joined #openstack-keystone14:48
samuelmshenrynash, ^ nice idea, just left a couple of comments up there14:49
henrynashsamuelms: thx14:49
samuelmshenrynash, when are you planning to start working on that?14:49
marekdvsilva_: nothing was decided.14:50
marekdvsilva_: that's why i am going to talk about it during todays meeting14:50
marekdvsilva_: what is missing from mapping engine now?14:50
vsilva_yeah I saw it marekd, wanted to read up on everything that had been discussed14:50
henrynashsamuelms: well- first we need to decide on this approach vs the a pure hieracrchical model, as mentionds by ayoung14:50
samuelmshenrynash, would be glad if we could split some tasks14:50
vsilva_I've got no complaints marekd, it's just an interesting discussion :p14:51
henrynashsamulems: sure14:51
ajayaaHi guys. When does keystonemiddleware set is_admin variable to true?14:51
marekdvsilva_: it is and since everybody has very own ideas i want to ask oday14:51
marekdtoday14:51
ajayaaI see a lot of components use this variable in their policy files.14:51
ayounghenrynash, so as to be clear: I only called it Hierarchical roles under duress14:52
vsilva_all right marekd, I'll be there14:52
ayounggroup roles, implies roles,  dinner roles, hot cross buns14:52
ayoungDamnig I should have said profiteroles14:52
henrynashayoung :-)14:52
ayounghenrynash, I think you and I were saying the same thing14:53
henrynashayoung: group-profiteroles….now, we’re talking14:53
ayoungbut it should be a DAG:  one role cannot point higher up the tree14:53
*** vsilva_ has quit IRC14:53
samuelmsayoung, ++14:53
ayounghenrynash, and my spec has more examples than yours14:53
ayoung:)14:53
samuelmsayoung, like .. a project admin cannot assign cloud_admin to someone,right?14:54
henrynashayoung: that’s a fair point :-)14:54
ayoungsamuelms, correct14:54
samuelmswill take a look at adam's spec14:54
ayounghenrynash, I think the biggest problem with mine is the naming:  we'd be fine if we were not using the term hierarchical roles for the project hierarchy14:55
ayoungHow about I rename mine "organize roles in a DAG"14:55
samuelmsayoung, haha14:55
ayoungor Role Composition?14:56
samuelmsayoung, have a link for ur spec? can't find it at keystone-specs/tree/master/specs/kilo14:56
samuelmsayoung, role composition looks interesting, describes well what it means14:56
ayounghttps://review.openstack.org/#/c/125704/14:56
samuelmsayoung, thanks14:56
ayoungsamuelms, I'm bascially saying the same thing as henrynash14:56
ayoung"For all our mutual experience, our separate conclusions are the same."14:57
samuelmsayoung, yes .. just saying this while reading your spec14:58
ayoung"Its either sadness or euphoria."   --Billy Joel, from "Summer, Highland Falls"14:58
*** nkinder has joined #openstack-keystone14:59
henrynashayoung:…. I’m not clear on is whether we really ARE saying the same thing :-) In The Henry Simple Model (THSM), there are global roles (liek today - except they are really capabilities)…and there are role-groups (or meta-roles or some other name) that, on a per domain basis, you can use to group togther and assign these global roles/capabilities14:59
*** tsufiev has joined #openstack-keystone14:59
samuelmsayoung, in order to have the same goal of henrynash's one, make 'hierarchical roles' name-spaced to domains ?14:59
openstackgerritMerged openstack/pycadf: Updated from global requirements  https://review.openstack.org/13478914:59
ayounghenrynash, I think I took yours one step further:  if you call the groups roles themselves, you can put just the group in the token, and have the policy expand them15:00
*** ukalifon1 has quit IRC15:00
*** topol has joined #openstack-keystone15:00
*** ChanServ sets mode: +v topol15:00
ayoungotherwise you need to expand on the server15:00
henrynashayoung: right…I think that IS the difference15:00
*** soulxu_ has quit IRC15:01
samuelmshenrynash, ayoung IMO the only difference is that group of role on THSM are a hierarchy on adam's proposal15:01
henrynashayoung: and I quite liek that..we can do this within todays sandbox….no change to policy/tokens etc.15:01
samuelmsand at THSM we have roles name-spaced to domains15:01
*** NM has quit IRC15:02
henrynashayoung: and then expand to push the exapansion into teh policy engine...15:02
samuelmshenrynash, ++15:02
henrynashayoung: ..althoug I admit to wantingto really understand better the aditional problems we fix by doing that15:02
ayounghenrynash, we can do the roles on the server side even with my proposal15:02
dstanekayoung: what does step #2 mean in your blog post?15:02
ayoungdstanek, you mean the one labeled  ???15:02
ayoungask the underpants gnomes15:03
dstanekayoung: "Add to the policy library the essential code to enforce policy based on a keystone token."15:03
ayoungdstanek, ah15:03
ayoungso there is code in both Keystone and in Nova that binds the RBAC to the token15:03
ayoungits small15:03
ayoungbut the big one is the "Flatten " call15:03
henrynashsamuelms: in THSM , yes they are name-spaced by domain15:03
ayoungdstanek, all of the stuff inside the decorator15:03
henrynashsamulems: they are in both proposals15:04
*** openstackgerrit has quit IRC15:04
*** openstackgerrit has joined #openstack-keystone15:04
*** NM has joined #openstack-keystone15:04
samuelmshenrynash, we could use both approaches .. I mean .. using hierarchical roles inside a group of roles.. why not?15:04
ayoungdstanek, https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py  as well as https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L5215:05
henrynashsamuelms: I think we need to careful of not causing our operators to jump from tall buildings to avoid their heads exploding15:05
ayounghenrynash, so if we distinguish between "private roles" that the policy should never see and "domain scoped roles"  that just need to expand down to the basic operations, I think we will have it working15:06
ayoungPrivate roles were a one-operator request, and not something I desperately need to implement15:06
henrynashayoung: ohh…I think the opposite!15:07
henrynashayoung: domain scoped roles are never seen by policy15:07
henrynashayoung: in my model15:07
ayounghenrynash, so long as they resolve down to the base operations, that will work15:07
henrynashayoung: domain-scoped rolegroups are never seen by policy, to be accurate15:07
henrynashayoung: agreed15:08
*** radez_g0n3 is now known as radez15:08
ayounghenrynash, I'd almost want to rename roles, then.  Yours are truely the "roles" and what we have today are intermediate-reusabe-lists-of-capabilities15:09
henrynashayoung: yeah, I agree15:09
henrynashayoung: absolutely15:09
samuelmshenrynash, once we have reseller, they'll need to have their own policies, right? so they'd be able to define and use their own domain-scoped rolegroups15:09
dstanekayoung: have you seen this? http://engineering.utsa.edu/~krishnan/conferences/mmmacns2012.pdf15:09
ayoungsamuelms, they don't get their own policy, they get their own roles15:09
ayoungdstanek, looking15:10
samuelmsayoung, in this case .. a human won't be able to understand the policy file itself, right?15:10
ayoungdstanek, here's how I explain it:   ABAC is the mechanism. RBAC is an engineering effort to manage the attributes15:11
samuelmsayoung, we should have an api to define policy constraints, right?15:11
samuelmsayoung, without needing to edit the file by hand15:11
ayoungsamuelms, I wrote up a unified vision15:11
ayoungon sec15:11
samuelmssure15:11
dstanekayoung: i also notice a related post this morning on the openstack-dev mailing list15:12
ayoungsamuelms, http://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/15:12
ayoungsamuelms, so In the last couple of steps:15:12
ayoung7. Use the hierarchical role definitions to generate the rules for the file above.15:12
samuelmsayoung, looks interesting15:14
ayoungsamuelms, so I had originally written it like henrynash 's approach, and several people pointed out it should be enforced on the policy side.  I think we have to think about how much data we want to pass, and what should be in the token.  I think it should be our goal that a token only ever holds a single role15:15
ayoungand, in fact, a user should only ever be assigned a single role15:15
ayoungbut they can break that into finer grained roles for delegation15:16
*** bknudson has quit IRC15:16
ayoungdstanek, you mean Ioram's work with davidchadwick?  Yes, my writeup grew out of some of those discussions15:17
dstanekayoung: yes, sounds like they are already building something15:17
henrynashayoung: my concern is that checking permission on an API becomes a pretty intensive opertion, since in theory it would have to exceute an aribratary complexe set of domain-scpecifc hirerarcical calulcations…15:18
dstanekayoung: so if your vision to eventually read all policy from the database?15:18
ayoungdstanek, my goal is to get them directed up front, unlike the Federation approach that took years to merge in view-point15:18
henrynashayoung: and token issuance happens several orders of magnitude less than toen checking15:18
ayounghenrynash, nah...its actually pretty easy15:18
henrynashtoken checking15:18
ayounghenrynash role expansion happens in the policy file like this:15:18
ayoungsay the api is...compute:reboot_vm15:19
ayoungand to do that you need the "writer role"  which is under "member"  which is under admin15:19
ayoungthe rule would be15:19
ayoungdamnit, I didn't put the links in my article...need to update15:20
dstanekayoung: does that mean stacked files or database rows for policy?15:20
ayoungdstanek, 1 sec15:20
ayoung"compute:v3:servers:start": "rule:ROLE_MEMBER",15:21
henrynashayoung: I guess my argument is simpler…..I need to udnerstand teh real BIG problem we are solving by putting all the work in the palce that is executed many orders of magnitude more often15:21
ayoungand ROLE_MEMBER expands to15:21
samuelmsayoung, so that when generating the policy file from db schema .. you expand the hierarchical roles ?15:21
ayoung"(role:admin or role:member) and project_id:%(project_id)s"15:21
samuelmshenrynash, ^15:22
samuelmsdon't we expand the hierarchical roles when generating the policy files from db schema?15:23
*** NM has quit IRC15:23
samuelmsif we shouldn't, I agree with you .15:23
lhchenghi folks, I plan to work on a reported bug, but before I start it would be great if someone else can confirm that it is indeed a bug: https://bugs.launchpad.net/keystone/+bug/1393518 -  just to be sure I am going to work on a valid bug :)15:24
uvirtbotLaunchpad bug 1393518 in keystone "v3 service catalog returns services without names, but v2.0 api does not" [Undecided,New]15:24
*** ajayaa has quit IRC15:25
*** NM has joined #openstack-keystone15:26
samuelmshenrynash, and if we expand the role hierarchy when checking permission (service side) .. we have a problem of consistence when we update the role hierarchy15:26
samuelmsthink I got your point15:26
samuelmshave to go now .. back in few minutes ..15:29
*** samuelms is now known as samuelms-away15:29
*** marg7175 has joined #openstack-keystone15:32
*** bknudson has joined #openstack-keystone15:35
*** ChanServ sets mode: +v bknudson15:35
*** saipandi has quit IRC15:36
ayounghenrynash, well, token size was one consideration15:37
ayounghenrynash, but the ability to manage the policy files, and make things grow is probably the more important one15:38
henrynashayoung: token size is of course and issue, but wouln’t think that a role name list would be the killer15:41
henrynashayoung: so agreed that it is more the second issue..15:41
ayounghenrynash, We're trying to get things down to 150 bytes15:41
ayoungand if we need to put every expanded role into the token, it will be an issue15:42
ayounga token should have a single role in it...a token should not have any data that cannot be cached on the server side, excpet that which is specific to the user15:42
henrynashayoung: that’s one view15:42
henrynashayoung: not sure I agree15:42
ayoungit is the view I've had crammed down my throat....15:43
ayoungits what is making it difficult to use PKI tokens today15:43
ayounghenrynash, OK,  so I understand the goal of the private roles.15:43
henrynashayoung: why doesn’t a small token ID that indexes a pre-calcualted set of roles give you teh same result…and keep the processing in the more appropriate place?15:44
ayounghenrynash, that is what hierarchical roles are...15:44
henrynashayoung: I don’t see the conection between small token size and shift the calcualtion to the policy engine15:44
ayoungif I give your "role_groupid="1234abcd"15:44
ayoungthat is the same as saying role with id 1234abcd  expands to   ccddeef12  and aaddaa11215:45
ayoungso yes...15:45
ayounga single ID which gets expanded on the server side based on cached data is exactly what I am shooting for15:45
ayoung"a pre-calcualted set of roles"15:46
henrynashayoung: so why do we need to caneg the policy engine?15:46
ayoungcaneg is just good fun15:47
henrynashayoung: :-)15:47
ayoungthe policy engine stays unchaged.  What I am saying is change the policy generation15:47
henrynashayoung: why chaneg that?15:47
ayoungto avoid having to have a magic step in between15:47
ayoungcuz if we cahce on the server side, sometihng would need to expand that15:47
henrynashayoung: well, read it15:48
henrynashayoung: so to play devils advocate.....15:48
ayoungI hope4 you got a hefty retainer15:48
ayounghe's a bastard of a client15:48
henrynashayoung: you calucalate all your list or roles/capabilities at the point of token issuance, write it to the Keystone token table… and issue a shrt token ID15:49
henrynashayoung: sounds familiar !15:49
*** afazekas has quit IRC15:49
ayoungI thought we were doing away with the token table15:50
*** dtturner has joined #openstack-keystone15:50
ayoungthat is the whole point of ae tokens15:50
henrynashayoung: OK, call it teh token cache15:50
*** NM has quit IRC15:50
henrynashayoung: no used fo revocations!15:50
henrynashayoung: would taht be better than recalulating everying every time we have to check a token?15:51
ayoungno...the recalculation is cheap15:51
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037615:52
*** NM has joined #openstack-keystone15:52
ayounghenrynash, I want to avoid going back to keystone.  You know that.  Anything that ties to more calls back to Keystone is a step backwards15:53
henrynashayoung: maybe, maybe not…it’s about getting teh right balance that meets the performance nad flexibility profile we are aiming the keystone at15:54
ayoungyep15:54
ayounghenrynash, I'm far less concerned about the "private roles"  than I am about fixing "admin is everything"15:55
ayounghenrynash, if a token only had a role id, and that was expanded on the server side, would that be an acceptable solution to the groups/private roles?15:55
*** jorge_munoz has quit IRC15:56
henrynashayoung: and what is the server in this? Keystone? some other server runnign policy…I’m really unsure how much you are tearing up here15:57
ayoungother server15:57
ayounghenrynash, say the token just had15:57
ayoungrole_id="<uuid>"15:57
ayoungthen the server expaneded that out with implied roles15:58
ayoungs!server!middleware.auth_token!15:58
ayoungif we are shooting for id only tokens anyway, and we want to minimize token size, then that is the right balance.15:59
ayoungthe issue with private roles is there is no way today to say "this role that I just defined should be able to perform operations X,y, and z15:59
ayoung"15:59
ayoungwithout changing the policy files, your proposal has no path to implementation16:00
dstanekdo we have a plan for removing the extra? i remember the discussion, just not the outcome /cc morganfainberg16:00
henrynashayoung: i don’t udneratnd16:00
morganfainbergdstanek: well. No no plan :(. I do want it to go away.16:00
henrynashayoung: you mean with my proposal AND just an id in the token, there is no path to implemnation16:00
*** jorge_munoz has joined #openstack-keystone16:00
*** marg7175 has quit IRC16:01
dstanekmorganfainberg: can we break API compatibility for it or do we have to allow the extra data in? i don't think it's actually documented in most cases, but it behaves that way16:01
dstanekmorganfainberg: this made me think of it: https://review.openstack.org/#/c/129830/16:02
*** marg7175 has joined #openstack-keystone16:02
morganfainbergI think we need to have a "no extras" option for strict api enforcement.16:02
morganfainbergBut I know deployers use it. So we can't outright break it.16:03
henrynashayoung: what I am proposing is totally implemenatble without changing policy (assuming any one of our existing token formats can be used)….and that’s why I like it…incremental implementaion, while delivering a feature in Kilo16:03
*** KanagarajM has joined #openstack-keystone16:05
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/13523716:08
*** agireud has joined #openstack-keystone16:10
*** KanagarajM has quit IRC16:12
ayounghenrynash, no, you need my stuff to make yours viable16:12
ayounghenrynash, yes, you could make a private role to a domain with yours16:12
ayoungbuyt it would default to be "member"16:12
ayounghenrynash, ok...lets take it from the bottom16:13
ayounghere is the nova policy file....16:13
ayounghttp://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json16:13
*** lhcheng_ has joined #openstack-keystone16:13
ayoungthere are three classes of API:  ones that are admin, ones that have "admin_or_owner" and ones that are ""  or no enforcment16:14
ayoungnow, "admin_or_owner" actually is defined differently in Keystone16:14
*** esmute has quit IRC16:14
henrynashayoung: ok16:15
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n616:15
ayoungso keystone "owner" means "I own it"16:15
ayoungin nova "owner" means "user has any role on the project"16:15
ayounghttp://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n316:15
ayoungso...lets say that "any role" is kindof useless, right?  Replace it with "Member"16:16
ayoungthe lowest level role we have, and make admin encapsulate member16:16
*** lhcheng has quit IRC16:16
ayoungYou want to create a project specific role, you still need to enforce what that role can do16:16
ayoungnow,  lets go to extremes for am moment16:17
ayounglets say that every API is its own role16:17
ayoungso that we can separately assign them16:17
*** NM has quit IRC16:17
henrynashayoung: so noting I’ve seen yet makes we want to change anything we’re doing16:17
*** esmute has joined #openstack-keystone16:17
henrynashayoung: I’m clearly not seeing the problem16:17
ayoungnow a domain private role could be defined as a collection like "compute_extension:admin_actions:pause" "compute_extension:admin_actions:unpause" ....16:17
*** samuelms-away is now known as samuelms16:17
ayounghenrynash, why do you want domain private roles16:18
ayoung?16:18
henrynashayoung: so I a domain can name some collection of capabilities that are meaningful to them16:18
ayounghenrynash, that is my point.  You cannot do that without changing the policy file.16:19
samuelmswhen centralizing the policies .. when do policies become invalid?16:19
*** zzzeek has joined #openstack-keystone16:19
samuelmsayoung, ^16:19
henrynashayoung: I don’t see that leap16:19
ayounghenrynash, give me an example of what you want to do16:19
ayounghenrynash, put another way "role groups are meaningless if roles are meaningless"16:20
ayoungtoday, at least in nova, roles themselves are meaningless16:20
*** NM has joined #openstack-keystone16:20
ayoungadmin is not scoped, and member is ignored.  all that matters is that the user has some role16:20
ayoungwhat roles would be in your group?16:21
henrynashayoung: OK, In my company, the  job of vm administrator on a poject means they can create/delete/stop/start a vm16:21
ayounghenrynash, so you need a policy file change to make that happen16:21
ayounghenrynash, those APIs are here:  http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n3216:22
ayoungand the policy to enforce them is16:22
rodrigodsis it to ugly to copy the get_auth_context method from auth.controllers to assignment.controller? (want to get the user_id making the call, so I can filter the subtree/parents to be returned)16:22
ayoung"rule:admin_or_owner",16:22
ayoungthere is no way to say "a user can only create/delete/stop/start a vm"16:22
henrynashayoung: OK, so let me be a bit more specific.  For a GIVEN set of capabilities I want, in an orgainzation, I woudl expect the policy file to have exactly the same form as it does today, but to have more roles atatched to individual APIs (the capabilities_16:22
henrynashayoung: sure…I’m not saying don;t change the roles in apolicy file…I’m saying don’t chaneg the fucntionality we have today in policy16:23
ayounghenrynash, to what granularity?  With out one role per capability, you can't do that "on the fly"16:23
henrynashayoung: I;m not saying you should16:23
ayounghenrynash, if you are saying "domain specific roles" then you are16:24
samuelmshenrynash, ayoung I think a possible solution would be: 1) expand role hierarchy when generating the policy to deliver it to a service16:24
*** lihkin has joined #openstack-keystone16:24
ayoungsamuelms, YES!16:24
samuelmshenrynash, ayoung 2) if the role hierarchy has changed .. invalidate the policy16:24
samuelmsand make the service get it again16:24
henrynashayoung: they ARE created on-the-fly, but can only refernce teh capabilities (nee roles) that are defined in policy fules16:24
ayounghenrynash, and we don't have a way to know what those are today16:25
samuelmswhat about this ^?16:25
ayounghence the centralization of management16:25
henrynashayoung: there the roles!16:25
ayoungso we start by getting an inventory of the capabilites16:25
henrynashayoung: they’re the roles!16:25
henrynashayoung: list_roles()16:25
samuelmsI think this solution above match requirements from you both16:25
ayounghenrynash, tongiht, at a bout 3 AM, you are going to wake from a deep sleep and realize...Oh, that is what he meant...of course.16:26
ayoungThen you will roll over with a smile on your face, and tomorrow we'll file off the rought edges16:26
samuelmsno increase of load at service side when evaluating permissions ^16:26
ayoungsamuelms, ok,  so that is in my spec16:26
henrynashayoung: so I do actually udnerstand what you are proposing…I’m jsut not convinced we need it and think we can get 80% of what we need by taking a simpler, caompatible with what we have today, approach16:26
ayoungsamuelms, https://review.openstack.org/#/c/125704/7/specs/kilo/hierarchical-roles.rst  line 14616:27
ayounghenrynash, what I laid out was a step by step.  Each of the earlier step needs to be done before the later steps.  We get that as far as we can16:28
ayoungI don't think we can really affect policy without central management]16:28
ayoungexpanding the data in the token is, of course, possible today16:28
henrynashayoung: ahh, what you laid out was a set of thinsg to do…my big issue is that we ahve not started with the problmes we are trying to solve and described why alternative solutions are not better16:28
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Hierarchical Multitenancy Improvements  https://review.openstack.org/13530916:29
ayounghenrynash, I'm trying to fix one of the oldest bugs in the bug tracker:  https://bugs.launchpad.net/keystone/+bug/968696  without the steps I laid out, there is no hope for that16:29
uvirtbotLaunchpad bug 968696 in keystone ""admin"-ness not properly scoped" [High,Confirmed]16:29
henrynashayoung: which customers are askingh for this, and waht exactly are they asking for, and why are other incremental approaches insufficient16:30
ayounghenrynash, I'm sorry, I'm not authorized to share my customer list with you.  :)16:30
henrynashayoung: the bug you refence can simply be solved by not naming the super user ‘admin’ in every policy file.  whynot just change that?16:31
ayounghenrynash, that question is Rhetorical, right?  Like "Why haven't we replaced the policy.json file with Henry's cloud sample?"16:32
ayoungWe can't just change policy because it then gets out of sync with the policy as shipped by each project, and we have no way of merging16:33
henrynashayoung: (i know I am being facetious now)..but my big concern and twitchyness is that I don;t beleiev we have described why the simple solutions aren;t sufficent16:33
henrynashayoung: ..because I haven’t spent teh time doing that…someone has patch out that is close o do that16:33
ayounghenrynash, OK.  Problem one:  if we change the default policy we break everyone out there that is built on default policy16:33
*** gokrokve_ has joined #openstack-keystone16:34
ayoungproblem2:  Admin is definied as having the admin role on any project, and that antipattern has been copied-and-pasted to each of the projects16:34
ayoungproblem 3: We have 3 different delegation mechanism, and the primary one (role assignements) loses the chain of who-assigned-what16:34
ayoungand, in addition, there is no limitation on who-can-assign-what16:34
henrynashayoung: …but who says we solve thee problems with code….why don;t we jsut work to change those policy files?16:35
samuelmsayoung, henrynash problem2 : we're working on a policy.v3cloudsample like for each service :)16:35
*** KanagarajM has joined #openstack-keystone16:35
henrynashsamuelms: sounds good16:35
ayounghenrynash, "cut and paste" is not a good strategy.  It was bad for Oslo and it is bad for policy16:36
ayoungAnd each of the policy files have a stanza at the top that define their rules16:36
ayoungbut those definitions are different for each service16:36
samuelmshenrynash, for keystone : https://review.openstack.org/#/c/123509/16:36
samuelmshenrynash, as an example ..16:36
henrynashayoung: I don’t see it as conceptually cut and paste….I see it as we want each service to defince their own plicy as they see fit]16:36
ayounghenrynash, have you actually looked at the other policy files?16:37
samuelmshenrynash, we have proposed that for all services .. spliting admin global role into cloud_admin, domain_admin and project_admin16:37
ayoungits cut and paste16:37
*** gokrokve has quit IRC16:37
*** gsilvis has quit IRC16:37
ayounghttp://git.openstack.org/cgit/openstack/neutron/tree/etc/policy.json16:37
henrynashayoung: that’s how they did it…but don’t we WANT them to have theor own policy, however they chose to get ity?16:37
*** agireud has quit IRC16:38
ayounghenrynash, who should control policy?  The Neutron devs upstream, or the people deploying things in their own datacenters?16:38
*** thedodd has joined #openstack-keystone16:38
*** gokrokve_ has quit IRC16:38
ayounghttp://git.openstack.org/cgit/openstack/glance/tree/etc/policy.json   actually got me to laugh16:39
ayounghttp://git.openstack.org/cgit/openstack/cinder/tree/etc/cinder/policy.json16:40
henrynashayoung: just becasue we give out bad policy samples, doesn’t mean the approach we have won’t work for customers16:40
bknudsonayoung: check the ceilometer one.16:40
ayounghenrynash, looking16:40
bknudsonhttp://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json16:40
ayoungNice!16:41
bknudsonit's short16:41
ayoungbknudson with the zinger16:41
samuelmsayoung, we're proposing this to glance (https://review.openstack.org/#/c/123216/7/etc/policy.cloudsample.json)16:41
samuelmsayoung, stop laughing .. :P16:41
ayounghttp://git.openstack.org/cgit/openstack/sahara/tree/etc/sahara/policy.json16:42
ayoungsamuelms, nah16:42
ayoungsamuelms, first off, create a short rule for each16:43
ayoungavoid all the duplication16:43
ayoungrule:is_cloud_admin or rule:is_project_admin or rule:is_project_member  could be16:43
ayoungRULE:MEMBER  =  rule:is_cloud_admin or rule:is_project_admin or rule:is_project_member16:43
*** _cjones_ has joined #openstack-keystone16:44
samuelmsayoung, but we may have different types of members ..16:44
samuelmsayoung, RULE:MEMBER_1, RULE:MEMBER_2 ...16:44
ayoungsamuelms, all of those rules have the same code in them16:44
samuelmsayoung, will think about .. looks like policy would become clearer16:44
ayounginstead o MEMBER_!  etc16:44
samuelmshmm ..16:45
ayoungOPK..so this is exactly what I was trying to solve16:45
ayoungfirst we get an inventory of the places where we enforce policy (call them the PEPs for policy enforcement points)16:45
ayoungso16:45
ayoungadd_member is one16:46
samuelmsthe services ..16:46
samuelms= PEPs right16:46
samuelms?16:46
ayoungthe enpoints have multiple PEPs...really I am talking the APIs16:46
ayoungbut the point in the code that calls "enforce_policy"16:46
samuelmsok16:46
ayoungsamuelms, if Keystone knows about them, you can do soemthing like this:16:47
ayoungchange "add_image": "rule:is_cloud_admin or rule:is_project_admin or rule:is_project_member",16:47
ayoungto16:47
ayoungchange "add_image": "project_id= {%project_id}  and role:member",16:48
ayoungsamuelms, right now, your policy does not enforce that the user has the role *ON THE PROJECT*16:48
samuelmsayoung, right16:49
samuelmsayoung, that's what the 'project_id= {%project_id}' thing does ..16:49
ayoungsamuelms, so, in the future, if we want to split member into reader and writer, we say member inherits reader and member inherits writer16:49
ayoungor we say writer inherits reader and member inherits writer16:50
samuelmsayoung, makes sense16:50
ayoungthen we update the rules for the APIs to the more specific roles16:50
ayoungso, yes, henrynash we can do all of this outside of Keystone, with a management tool to generate the policy files16:50
*** agireud has joined #openstack-keystone16:51
samuelmsayoung, cloud_admin inherits from domain_admin which in turn inherits from project_admin16:52
samuelmsayoung, in our case16:52
samuelmsayoung, I'll review your spec more carefully .. looks an interesting idea :)16:54
ayoungsamuelms, "Big fleas have little fleas,16:54
ayoungUpon their backs to bite 'em,16:54
ayoungAnd little fleas have lesser fleas,16:54
ayoungand so, ad infinitum."16:54
samuelmsayoung, haha nice comparison16:54
ayounghttp://en.wikipedia.org/wiki/The_Siphonaptera16:55
samuelmsayoung, henrynash, bknudson as I said, we're proposing policies for some services (links can be found at http://paste.openstack.org/show/134439/)16:56
samuelmsI'd be glad to have your review up there :D16:56
ayounghenrynash, OK...so...all that argument aside, I don't think our proposals are in conflict16:56
bknudsongive them the same topic or changeid and you don't need a paste for it.16:56
ayoung Groups would stay server side, and would be private16:56
samuelmsbknudson, didn't know we could have the same change-id for different patches .. :p16:57
bknudsonthey're in different projects16:57
samuelmsbknudson, yes16:57
bknudsonso they can have the same change-id16:57
samuelmsbknudson, cool ... using the same topic is also a good human-readable idea :)16:58
ayoungbknudson, how/where do you set topic16:58
samuelmsbknudson, will ask my workmate to do this16:58
bknudsonyou can set the --topic on git-review16:58
bknudsonthe topic defaults to the branch name16:58
bknudsonalso, I think you can change the topic right in the gerrit interface16:59
samuelmsbknudson, yes .. we can using the ui16:59
*** r-daneel has joined #openstack-keystone17:03
*** r-daneel has quit IRC17:04
*** thedodd has quit IRC17:05
*** r-daneel has joined #openstack-keystone17:05
*** r-daneel has quit IRC17:07
ayoungsamuelms, Also, make sure you run from Horizon using the policy files.17:07
*** r-daneel has joined #openstack-keystone17:07
ayoungWe had some issues with the cloud_sample...namely that Horizon then could not do domain scoped operations17:07
henrynashayoung: so agreed…they are not in conflict…yours is a super set, which includes changing where the expansion of domain-specifc-roley-thingies happens17:09
samuelmsayoung, yes .. we have that in mind17:10
samuelmsayoung, as for now, we solved that putting the cloud admin on the project admin of the default domain ..17:10
samuelmsayoung, using devstack ..17:11
*** gokrokve has joined #openstack-keystone17:11
henrynashmorganfainberg, stevemar: I think we may be ready again to consider approving: https://review.openstack.org/#/c/13095417:11
*** r-daneel has quit IRC17:11
samuelmsayoung, all those feedbacks are important .. will forward them to the team working on that ..17:11
samuelmsafaranha ^17:12
morganfainberghenrynash: great17:14
* morganfainberg drinks morning coffee17:14
morganfainbergAhhhhhh French press is the best way to enjoy coffee.17:14
*** marcoemorais has joined #openstack-keystone17:15
dolphmthems be fightin words, son17:15
stevemarmcdonalds mccafe beats everything17:16
stevemarhenrynash, reviewing now17:16
stevemarmarekd, alive?17:16
marekdstevemar: yep17:16
marekdstevemar: what's up, sir?17:16
samuelmsbknudson, https://review.openstack.org/#/q/status:open+branch:master+topic:bp/policy-sample,n,z17:17
marekdBTW: the meeting starts in ~45 minutes, right?17:17
bknudsonsamuelms: nice!17:17
stevemarmarekd, in the cernops patches, how do y'all get a project scoped token to return to the client in the websso flow17:17
stevemarmarekd, yes, 45 mins17:17
*** m7m88 has joined #openstack-keystone17:18
marekdstevemar: afair this was pretty standard horizon procedure17:18
marekdstevemar: the problem was with transporting the *unscoped* token to horizon17:18
ayoungdolphm, did you get a chance to read the policy overview?  Is this roughly what you were thinking?17:18
dolphmayoung: only read partially so far, hoping to finish before the meeting17:19
ayoungdolphm, cool17:19
*** m7m88 has quit IRC17:19
*** marg7175 has quit IRC17:22
marekdstevemar: did it answer your question?17:23
morganfainbergayoung: read the post. Still digesting it some.17:24
ayoungmorganfainberg, thanks.  Should I add it to the agenda?17:24
*** lihkin has quit IRC17:25
*** marg7175 has joined #openstack-keystone17:25
morganfainbergI think that was the longer term direction we were aiming for. Fairly well lined up with the summit discussions with minor differences (eg henrynash 's grouping was the first pass to get us headed the right way)17:25
*** lihkin has joined #openstack-keystone17:25
morganfainbergIt bought us base functionality that was needed without hindering progression to the end goal.17:26
henrynashmorganfainberg: agreed17:26
ayoungmorganfainberg, I think groups (server side) and hierarchical (policy side) can co-exist.  The server side ones could be done client side in the future if we decide to optimize that way17:27
morganfainbergYou can add it to the agenda of you want more discussion on it.17:27
ayoungcool17:27
morganfainbergayoung: absolutely.17:27
morganfainbergayoung: the grouping was a low cost that addressed a major complaint today without needing a ton of extra work. Basically gets us pointed in the right direction. And if we miss the hierarchical roles in kilo we have some basic stuff satisfied this cycle. They should def coexist as you described long term.17:28
ayoungOK,  added it to the end.17:29
*** _sunil_ has joined #openstack-keystone17:32
*** _sunil_ has quit IRC17:32
morganfainbergdolphm: ok so French press is out for you? What is your preferred mode off caffienation w/ coffee?17:32
dolphmmorganfainberg: not out for me at all, but if i have really good beans, i stick with a chemex17:32
morganfainbergAh chemex is good. My #1 choice is café in Europe. But uh. I'm in SoCal :P17:33
marekdwhat's chemex?17:34
morganfainbergAlso ayoung 's disappointment at the "un café" at the summit still amuses me ;) (sorry Adam)17:34
marekda coffee brand?17:34
ayounga volume17:34
ayoungroughly comparable to a thimble17:35
morganfainbergmarekd: a device for doing coffee as a pour-over17:35
dolphmmarekd: http://www.chemexcoffeemaker.com/17:35
morganfainbergdolphm: beat me to it17:35
marekd++17:35
morganfainbergPour over is great.17:36
marekdmorganfainberg: i like mokkas17:37
dolphmand cheap compared to a lot of other systems17:38
*** links has quit IRC17:38
morganfainberg marekd aha! I was trying to figure out what that was called! Those are awesome too.17:39
dolphmooh this is something i've seen, but never heard the name of until now http://en.wikipedia.org/wiki/Moka_pot17:39
marekdmorganfainberg: there is nothing like a cup of italian coffee from moka17:40
morganfainbergmarekd: yeah those are on my short list of "I need one".17:40
ayoungI thought that was called a Percolator?  I have one for camping17:40
dolphmmorganfainberg: if your "i need one" list is short, then you clearly don't spend enough time on the internet17:41
marekd:D :D :D17:41
morganfainbergayoung: mokka is espresso not percolator17:41
ayoungwhat is the difference between Moka and http://en.wikipedia.org/wiki/Coffee_percolator17:41
morganfainbergayoung: pressure forcing water through the beans like an espresso machine does.17:42
morganfainbergVs drip through the filter17:42
ayoungAh...from the bottom up...I see17:42
dolphmayoung: percolator http://en.wikipedia.org/wiki/Coffee_percolator#mediaviewer/File:Coffee_Percolator_Cutaway_Diagram.svg17:42
dolphmayoung: moka http://en.wikipedia.org/wiki/Moka_pot#mediaviewer/File:Moka_Animation.gif17:42
morganfainbergdolphm: my "must have" list is short. Or I'd be broke.17:42
dolphmthe moka has a super elegant design17:43
ayoungI know they make a camping version of that17:43
ayounghttp://farm8.staticflickr.com/7162/6626256185_cbf55955e3_b.jpg17:43
*** marcoemorais has quit IRC17:44
dolphmwhat is that17:44
*** marcoemorais has joined #openstack-keystone17:44
ayoungSame idea as the Moka, but for camping17:44
lhcheng_morganfainberg: I am planning to work on a keystone bug, but before I start would be great if someone can confirm if it is indeed a bug. :) Here's the link: https://bugs.launchpad.net/keystone/+bug/139351817:44
uvirtbotLaunchpad bug 1393518 in keystone "v3 service catalog returns services without names, but v2.0 api does not" [Undecided,New]17:44
*** marcoemorais has quit IRC17:44
ayounglhcheng_, looking17:44
dolphmayoung: makes espresso?17:44
*** marcoemorais has joined #openstack-keystone17:44
morganfainberglhcheng_: will look when I'm back at my desk. Enjoying my coffee atm.17:45
ayoungdolphm, yeah...friend had it on a camping trip long time ago...made a very good ccup as I recall17:45
lhcheng_morganfainberg: heh sure, take your time :)17:45
*** harlowja_away is now known as harlowja17:45
ayounglhcheng_, start by replicating the bug and confirming it17:46
morganfainbergayoung: ++17:46
ayounglhcheng_, once you do, set it to confirmed17:46
dolphmhttp://www.amazon.com/dp/B000CNY6UK/17:46
*** marg7175 has quit IRC17:46
lhcheng_I can replicate it, but not sure if it is by design or bug.17:46
morganfainbergayoung: hey tonight I am setting up a multi federated cloud test env. Might bug you on some stuff.17:46
ayoungcool17:46
ayounggonna run and grab food before the meeint (in 15 minutes, right?)17:47
morganfainberg1317:47
morganfainbergBut yes.17:47
*** KanagarajM has quit IRC17:47
lhcheng_ayoung: okay. I guess for v2, it should also return service catalogs even if the service has no name.17:47
morganfainberglhcheng_: I'll take a close look in a few.17:48
lhcheng_morganfainberg: thanks!17:48
morganfainbergI'm guessing it shouldn't care about name if v3 doesn't. But it might be an issue with the v2 catalog parsers (read in client and elsewhere)17:48
dolphmayoung: i was going to finish your article, but reading about mokkas is much more interesting. #thanksmarek17:50
lhcheng_morganfainberg: that's what I thought, the response should be the same for v2 and v3.  Thanks for the starting point for debugging.17:51
*** thedodd has joined #openstack-keystone17:51
*** ukalifon has joined #openstack-keystone17:52
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/13027717:53
*** aix has quit IRC17:53
*** vsilva_ has joined #openstack-keystone17:56
*** ukalifon has quit IRC17:59
*** marcoemorais has quit IRC18:00
morganfainbergmeeting time18:00
*** marcoemorais has joined #openstack-keystone18:00
morganfainbergDST shift and all that (for the NA residents)18:00
*** marcoemorais has quit IRC18:00
*** joesavak has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:02
*** esp has quit IRC18:02
*** joesavak has joined #openstack-keystone18:02
*** Guest32278 is now known as mgagne18:03
*** mgagne has quit IRC18:03
*** mgagne has joined #openstack-keystone18:03
*** gokrokve has quit IRC18:03
*** gokrokve has joined #openstack-keystone18:03
*** jamielennox|away is now known as jamielennox18:04
*** esp has joined #openstack-keystone18:04
*** jamielennox is now known as jamielennox|away18:04
*** jamielennox|away is now known as jamielennox18:05
*** marg7175 has joined #openstack-keystone18:10
*** thedodd has quit IRC18:11
*** marg7175_ has joined #openstack-keystone18:12
*** marg7175 has quit IRC18:14
*** marg7175_ has quit IRC18:14
*** marg7175 has joined #openstack-keystone18:14
*** diegows has quit IRC18:17
*** diegows has joined #openstack-keystone18:18
*** designated has joined #openstack-keystone18:18
*** marg7175 has quit IRC18:19
*** packet has joined #openstack-keystone18:19
designatedI have 4 HA controllers running a galera cluster, all 4 servers can connect to each of the others but for some reason when one of the servers gets hit with a keystone request, I get an error about it losing mysql connection.  anyone seen this before?18:20
designatedERROR keystone.common.wsgi [-] (OperationalError) (2006, 'MySQL server has gone away')18:20
*** patrickeast has joined #openstack-keystone18:21
designatedit's just the one server, none of the others are having problems.  all are running keystone 0.10.1 and the only differences in the configs are the IP address the server binds to.18:21
dolphmdesignated: https://bugs.launchpad.net/keystone/+bug/136137818:22
uvirtbotLaunchpad bug 1361378 in oslo.db ""MySQL server has gone away" again" [Undecided,Incomplete]18:22
*** gyee has joined #openstack-keystone18:22
*** amcrn has joined #openstack-keystone18:24
*** marg7175 has joined #openstack-keystone18:29
designateddolphm: thank you but why is the issue not presenting itself on the other, identically configured servers?  How do I fix it?18:29
*** marg7175 has quit IRC18:29
*** marg7175 has joined #openstack-keystone18:30
dolphmdesignated: i haven't followed the issue too closely myself; do ping mike beyer (zzzeek) in #openstack-dev18:30
dolphmor here :) didn't realize you were in this channel, zzzeek18:31
zzzeekthere’s been some issues when failover occurs and a node switches back to the previously unavailable one18:31
zzzeekthat was in nova18:32
zzzeekwhen HA clusters switch, its to be expected that a node with connections is now no longer good; the API call will get this error and then will have to retry the whole operation18:32
zzzeekin nova theres a @_retry_on_failure decorator that does this18:32
zzzeekafter one retry, should be good18:33
zzzeekdesignated: ^^ tahts about all i know about this.  though my employer wants me to know more about galera :(18:33
designatedI'm using haproxy to balance the load amongst my galera mysql cluster, there is no failover happening.18:33
designatedall keystone requests succeed except when they hit this one particular server out of the 4 in the cluster18:34
*** marg7175 has quit IRC18:34
zzzeekdesignated: what happens if you just try to ping / log in to that server manually18:34
*** links has joined #openstack-keystone18:34
zzzeekdesignated: is it up?18:34
*** marg7175 has joined #openstack-keystone18:34
designatedyes it's up, that's how I'm getting the log from /var/log/keystone/keystone-all.log18:34
designatedall 4 servers have a consistent keystone configuration, with the only difference being the ipv4 address the serverice is binding to locally.18:35
zzzeekdesignated: i meant, the MySQL service itself18:35
zzzeekdesignated: can you make a MySQL connection to the node in question18:35
designatedzzzeek: correct18:36
zzzeekdesignated: the issue referred to here has to do with an intermittent failure, after one of those errors the connecvtion pool would dump and it would be working again18:37
zzzeekdesignated: are you saying the system is permanently unable to use the node ?18:37
dstanekdesignated: so you have 4 keystone instances talking through an haproxy instance to a set of galera instances?18:37
designatedzzzeek: From what I can tell as the request gets round robined through all 4 servers in the cluster via haproxy, it succeeds on all but one of the servers.18:37
designateddstanek: yes18:38
zzzeekdesignated: might that mean HAPRoxy is not connecting to that node18:38
dstanekdesignated: and the error is 100% on one of the keystone nodes? or when any keystone talks to a particular database?18:39
designatedzzzeek: no because the connection gets passed through haproxy correctly, which is how I get the log when the failure occurs18:39
designatedI have 4 servers all running a galera mysql cluster, the same 4 servers are also running haproxy as an HA frontend for keystone.18:40
designatedas I make a keystone request to the VIP, the request gets sent to one of the 4 servers.  when it hits one server in particular the request fails, if it hits any of the other 3 servers, it succeeds.18:41
zzzeekdesignated: unfortunately I dont have direct experience with HAProxy to know with authority what would be seen and not; the error you describe is raised by the driver and indicates it isn’t connecting, so by itself i dont know how that illustrates that HAProxy connected successfully18:42
dstanekdesignated: from the broken keystone can you hit the database?18:42
designateddstanek: yes18:42
zzzeekdesignated: but if the error is permanent then that suggests it is not the issue seen in https://bugs.launchpad.net/keystone/+bug/136137818:43
uvirtbotLaunchpad bug 1361378 in oslo.db ""MySQL server has gone away" again" [Undecided,Incomplete]18:43
dstanekdesignated: so it's just when running through the app that you have the problem... does that keystone node fail 100% of the time?18:43
designatedi make a request example: "keystone --os-tenant-name admin --os-username admin --os-password password --os-auth-url http://10.100.30.1:35357/v2.0 tenant-list" if it hits the server in question, I get the "mysql server has gone away", if it hits any of the other 3 servers, it succeeds.18:46
designated10.100.30.1 is the VIP that haproxy uses to balance amongst all 4 servers18:47
dstanekdesignated: so no requests to the bad server ever successfully hit the database?18:47
designateddstanek: not that I can tell18:47
designatedbut if I create a sql connection from the server in question, it works. "mysql -h 10.100.30.1 -u keystone -ppassword"18:48
designatedevery time18:48
dstanekdesignated: i know next to nothing about galera, but it sounds like that node is connecting to the database in a different way18:48
designateddstanek: I've diffed all of the configs and they are all consistent.  Thanks for the help, I'll keep troubleshooting.18:49
designatedzzzeek: thank you as well.18:49
zzzeekdesignated: restarting the keystone sever doesnt resolve either right18:49
dstanekdesignated: look beyond the config; maybe the network path, etc.18:49
designatedzzzeek: that was the second thing I tried, after verifying the configurations were correct.18:50
dstanekdesignated: this was also an interesting read: http://www.gossamer-threads.com/lists/openstack/operators/4133218:50
designateddstanek: very simple network path, all L2 with multiple 10GBe bonded connections on each server.18:51
designateddstanek: that is intersting, I'll read through it.  thank you18:53
dstanekdesignated: good luck; if you figure it out please report it back here :-) and if not come back to discuss some more18:54
marekdayoung: so if you were to compare and support different Kent proposals for the federation and current one which is landed in Icehouse (and following) - do out think we were mistaken and Kent was right?18:56
*** harlowja is now known as harlowja_away18:56
*** edmondsw has joined #openstack-keystone18:58
*** pballand has joined #openstack-keystone18:58
jamielennoxso how does this relate to the role aliasing we were talking about in paris? i thought the intention was that 'domain scoped roles' and such were going to be handled by creating a name in the alias table, but what the service received was going to be the global role names19:02
morganfainbergjamielennox, the first pass was that19:02
henrynashjamielennox: yes, that is the base proposal: https://review.openstack.org/#/c/133855/19:02
jamielennoxit's evolved?19:02
morganfainbergthe second pass was to move towards being able to break things up to more-fine-grained controll and redelegate a permission (e.g. what ayoung wants with constraints)19:02
morganfainbergthe reason being that we want to move towards being to give very fine-grained control, but the domain-owned roles is *very* important to our deployers now.19:03
morganfainbergso we make it iterative19:03
jamielennoxmy understanding was that what went in the 'roles' in the token were going to be top level as well19:03
henrynashjamielennox: what do you mean “top level”19:04
gyeejamelennox, only the "effective" roles are going to be in the tokens19:04
jamielennoxthat way the whole concept of groups and what the service fetched as policy was static19:04
gyeethe lowest level19:04
jamielennoxhenrynash: global, pretty much what we have now19:04
gyeerole group works like user groups19:04
henrynashjamieloeenox, gyee: agreed19:04
jamielennoxso if you have a domain scoped role that aliases to some global role the token would contain the global role19:05
morganfainbergjamielennox, that is the correct first pass. following that (because it's a much bigger deal) figure out how to move towards fine-grained permission delegation based upon your underlying roles19:05
henrynashjamielennox, gyee: which makes it totally indpendant from the longer term work19:05
gyeeright19:05
morganfainbergjamielennox, so long term we want to be able to allow someone the ability to delegate "boot instance" even though the role they were delegated gives "boot instance, view instance, terminate instance".19:05
morganfainbergbut that is a much larger hurdle and can almost be orthoganal to the "grouping" of roles we are proposing now19:06
gyeewe gotta be careful with this delegate thingy19:06
morganfainbergcorrect.19:06
gyeewe need to think UX19:06
morganfainbergwhich is why we start with basic.19:06
morganfainbergsimple grouping.19:06
gyeedon't place too much responsibility on the users19:06
gyeemake it mindnumbingly simple19:06
*** jacorob has joined #openstack-keystone19:07
morganfainbergeasy to work with, and then expand to make it more flexible.19:07
dstanekmorganfainberg: do we have the uses cases documented or have an existing model for the fine-grained permissions?19:07
henrynashmorganfainberg; agreed19:07
morganfainbergdstanek, i have limited use-cases / models for this. hence why i want to start basic19:07
morganfainbergdstanek, and expand as we have time to evaluate it. and the usecases that surface19:08
dstanekis there an end vision or are we winging it and seeing where it goes?19:08
jamielennoxmorganfainberg: ok, but we are talking resolving the groups on the server side right19:08
jamielennoxmorganfainberg: as in these group names don't go into the token or policy files19:08
jamielennoxhenrynash: ^19:08
morganfainbergjamielennox, yes. that *may* change down the line if warranted19:08
samuelmscould we have any case where a domain-specific role doesnt match with a global role?19:08
morganfainbergbut initially it is all server side resolved19:08
*** breton has quit IRC19:08
henrynashjamielennox: correct, tokens contents are unchanged19:08
samuelmsif I'd like to create cloud, domain and project admin.. how to map them to the admin global ?19:08
dolphmi'm trying to grasp whether hierarchical roles will make role expolosion disease better or worse, but i'm leaning on worse ... with a bunch of extra complexity as a bonus19:09
*** _cjones_ has quit IRC19:09
morganfainbergdolphm, which form the per-permission expansion or the grouping bit?19:09
*** breton has joined #openstack-keystone19:09
*** toddnni has quit IRC19:09
samuelmsso it only works if granularity(domain-specific roles) >= granularity(global roles), right?19:09
dstanekhenrynash: does that mean that there will always be a hit (or two) back to keystone to get role groups and resolve that to a list of roles?19:10
morganfainbergsamuelms, correct.19:10
dolphmmorganfainberg: both?19:10
morganfainbergdstanek, the token issued will contain the global cloud-admin roles19:10
morganfainbergdolphm, not the "domain specifc" roles19:10
morganfainbergs/dolphm/dstanek^19:10
henrynashdstanek: no…the rolegroups and expanded into roles at token issuance time...19:10
dolphmhenrynash: domain specific roles are meaningless without domain-specific policy, correct?19:11
morganfainbergdolphm, the domain specific roles allows the cloud provider to provide a rich set of permissions and group them into logical groupings and/or the domain admin to respin as well.19:11
henrynashdtsanek: so token/policy checking is oblivious to all this19:11
henrynashdolphm: untrue19:11
dstanekhenrynash: ah, ok. so the roles are really just a management concern and not a runtime concern19:11
morganfainbergdolphm, the point being that a domain admin may only group all the read-only roles into the "audit" role they create19:11
morganfainbergdolphm, and another domain admin might spin that differently into anyone who can read instance data can boot instances.19:12
*** Haneef has joined #openstack-keystone19:12
morganfainbergdolphm, it's defined by the top level cloud-admin roles, but allows logical groupings as needed at *any* level.19:12
henrynashdolphm: the main use case is that the cloud provider owns the servcies (and hence the policy files), role-groups let a domain owner create named groups of roles that are meaninful to them…but the refer to underlyingglobal roles19:12
morganfainberghenrynash, ++19:12
morganfainberg"storage admin" for one domain might be swift and cinder, another might be cinder only.19:13
dolphmhenrynash: ah, okay19:13
morganfainbergvs. needing to know what swift_admin_read_only really does.. etc19:13
henrynashdolphm: which is why it has limited impact on the rest of the systems….since it is purely a “short-hand” within a domain adminstritive boundary for how to assign useful “grousp of roles”19:14
samuelmsmorganfainberg, and then we should use 'admin' on swift .. and then map 'storage admin' -> admin when issuing the token, right?19:14
gyeeits like funny money, at the end, it always ends up with the same amount :)19:14
samuelmsmorganfainberg, on swift/on swift policy19:14
*** _cjones_ has joined #openstack-keystone19:14
morganfainbergsamuelms, so keystone would expand the roles in the group to the top-level-cloud-admin-provided-roles when issuign the token19:15
dolphmhenrynash: so, the logical conclusion would be that the deployer creates one role for every permission in the policy blob, and then domain owners create role groups as appropriate for them?19:15
morganfainbergdolphm, that is the extreme case19:15
henrynashdolphm, morganfainberg: what we woudl like to encourage is that cloud operators ad more fine grained (global roles)…that are more like capabilities…to control access to their APIs….then we can have real RBAC!19:15
*** thedodd has joined #openstack-keystone19:15
samuelmsmorganfainberg, exactly .. initially I was thinking this would give us more granularity at policy level .. but in fact it gives us more flexibility (once granularity(domain-specific roles) >= granularity(global roles))19:15
henrynashdolphm: snap19:15
morganfainbergdolphm, but it allows us to hit any level of fine-grained control19:16
dolphmso why not just expose capabilities in a better fashion?19:16
dolphmmorganfainberg: it does, but so does role explosion disease19:16
morganfainbergdolphm, we will need this grouping functionality in either case.19:16
morganfainbergand namespaced roles (per domain)19:16
henrynashdolphm: go on19:16
morganfainbergthere are big big hurdles to solve for capability/permission expansion19:16
morganfainberghow do we know what all the services provide?19:17
morganfainberga central registry? when they connect they register?19:17
dolphmhenrynash: i don't have a solution; i'm just thinking there should be a simpler model, if you're willing to let keystone interpret the policy blobs of other services, which i think ayoung is leaning on?19:17
morganfainberghow do we resolve that in a sane way in the million different combinations.19:17
morganfainbergdolphm, the point being that we spin this up 1st pass and we build the capability/permissioning under it as we jump through the hoops of solving the issues around maintaining that permission list19:18
openstackgerritMerged openstack/python-keystoneclient: Cleanup docs - raises class  https://review.openstack.org/12785819:18
dolphmmorganfainberg: we did have a proposal long ago of a GET /capabilities being exposed by every service, and keystone retrieving those for every endpoint it's aware of. idea never got any traction because it required participation of every service19:18
morganfainbergdolphm, the grouping still matters / still is useful to give logical groups of roles - though the underlying token result might change19:18
morganfainbergdolphm, having to delegate boot_instance, terminate, allocatE_storage, read_image, update_instance, get_instance_data every time would be awful19:19
morganfainbergso you *still* need a way of grouping the permissions in a sane way if we make very fine-grained capability delegation possible19:19
stevemarthanks for the review jamielennox19:20
dolphmmorganfainberg: my complaint is that roles are already defined by their "groups" of capabilities, and the solution here is to essentially create groups of groups :-/19:20
*** r-daneel has joined #openstack-keystone19:20
*** nellysmitt has quit IRC19:21
gyeewhat's the problem with groups or groups?19:22
dolphmi feel like you should be able to solve the same use case without introducing additional layers of complexity19:22
dolphmfor example, by making the policy language more powerful19:23
morganfainbergdolphm, well the other option is policy-side resolution19:23
morganfainbergwhere we can control the data in the policy file.19:23
morganfainbergi'm just not seeing a clear path that way right now - especially getting all the capabilities grouped up in a sane way.19:24
morganfainbergi am also *very* concerned the currently policy engine isn't efficient enough to handle a full bore explosion of and/or/and/or for every capability19:25
morganfainbergand asking keystone everytime for a resolution of group-> capabilities is a short step from centralized enforcement (with all the pitfalls)19:25
dolphmyeah, distributed enforcement needs to stick around19:25
henrynashdolphm, morganfainberg: the other thing is that essentially part of our job is to allow customers (who may be working with a multi-customer cloud) to model the raw capabilities available in ways that make sense for them, not us19:26
amakarovGood day, is there any document describing required policy capabilities?19:26
henrynashdolphm, morganfainberg: to me, that implies levels of abstraction (although I agree there are other ways of doing it)19:26
morganfainbergamakarov, in the context of this conversation "capability" is the specific API call for say nova to boot an instance19:27
rodrigodsmarekd, would be nice a etherpad for k2k as well19:27
morganfainbergamakarov, the current rules engine is smart enough to handle most simple logic for the rules - it's a question of scaling that logic up19:27
morganfainbergamakarov, and the right way to scale it up19:28
openstackgerritMerged openstack/python-keystoneclient: Reorder index links  https://review.openstack.org/12768819:28
amakarovmorganfainberg,  I understand that, I'm asking about starting point to think about it :)19:29
dstanekmorganfainberg: that's why i was asking about vision here because i don't know how to think about this to help19:30
morganfainbergdstanek, maybe the answer is as simple as caching the graph of roles -> permissions19:31
ayoungmarekd, I think K2K and Kent are somewhat complementary.  Back when when we were first discussing things, we thought maybe the IdPs should go into the service catalog.19:31
jamielennoxhey everyone, i need some client reviews to get v3 in auth_token moving again: https://review.openstack.org/#/c/130532/ is next in line19:32
morganfainbergmake it so middleware collects the full graph for services it cares about (configured) and has a TTL. if it sees a role it doesn't know it asks keystone for the graph of that role19:32
amakarovmorganfainberg, we can build a simple yet powerful graph framework to implement some sort of semantic web or remain with simple if-then logic19:32
morganfainbergand it passes the *raw* capabilities down to the service19:32
amakarovit depends on our goals19:32
morganfainbergwhich the policy language is sufficient to handle19:32
morganfainbergthe issue still lies in "what are the capabilities that can be assigned to a given role"19:33
morganfainbergdstanek, and on fixed intervals update the graph. [with some magic timeshift to avoid overloading keystone]19:34
morganfainbergand the data is something that while expensive to calculate should be stupidly cachable19:34
*** links has quit IRC19:34
amakarovmorganfainberg, do we have a vision what are these capabilities?19:34
dstanekmorganfainberg: that's still implementaton...what are the problems being solved?19:34
samuelmsmorganfainberg, I don't understand yet how to map domain-specific-roles on global-roles and still use a single policy19:34
morganfainbergdstanek, user-story19:35
morganfainbergdstanek, I, a keystone domain admin .. or project admin, want to delegate very limited roles to someone/service to perform an action on my behalf19:35
dstanekfrom what i read earlier from henrynash, we have the need to split up the roles a cloud providers defines from the usage by a customer19:35
samuelmsmorganfainberg, if we have different specific roles (by domain) used to grant different permissions .. it would be clear to me that we should have one policy per domain19:35
morganfainbergdstanek, so i don't need to give *everything* to a service if all that service needs to do is boot an instance every-now-and-again19:35
*** harlowja_away is now known as harlowja19:36
*** marcoemorais has quit IRC19:36
morganfainbergdstanek, second case: read-only access for auditing but at an admin level. "what services / resources can this read-only access get" it may not include swift ever, but all nova instances19:36
*** marcoemorais has joined #openstack-keystone19:36
dstanekmorganfainberg: for that i still like my idea of just scoping a token to an action/resource19:36
*** marcoemorais has quit IRC19:36
morganfainbergdstanek, the issue is tokens need more than 1 capability19:37
*** marcoemorais has joined #openstack-keystone19:37
morganfainbergdstanek, and my "determination" of what admin-read-only is might be different than yours19:37
dstanekyour second case is a little more interesting19:37
dstanekmorganfainberg: i think i need to read up on our policy impl, but i sounds like we don't really have a good permission model19:38
morganfainbergdstanek, heck i might have someone in my org that *is* an admin and can muck with all instances.19:38
morganfainbergdstanek, that's their job, so give them all the permissions needed to do so19:39
morganfainbergdstanek, but they don't need anything ins wift19:39
openstackgerritMerged openstack/keystonemiddleware: I18n  https://review.openstack.org/13128719:39
morganfainbergour permission model is limited by the RBAC system we define and that services can add/remove API actions at a whim19:39
morganfainbergeffectively19:39
morganfainbergthe policy language is generally smart enough to handle these cases.19:39
*** marcoemorais has quit IRC19:40
ayoungOK...so I was trying to figure out the clearest "root problem" that this policy approach addresses.  How's this for a starting point:  "How do you determine who can assign which roles?"19:40
*** marcoemorais has joined #openstack-keystone19:40
bknudsonI18N for keystonemiddleware... interesting19:40
morganfainbergayoung, i think that 1 one of the two problems19:40
bknudsonI wonder if the translators will provide translations19:41
morganfainbergayoung, the second question is still "what do i need to perform action X"19:41
ayoungand, I think it comes down to a general rule of "a user should not be able to delegate something that they themselves cannot do."19:41
morganfainbergayoung, agreed.19:41
ayoungmorganfainberg, I think the horizon guys would reverse what you said?19:41
ayoungWhat do I show to a user based on their roles that indicates what they can do19:41
morganfainbergayoung, well we have the 3rd question as well: i have auth x, what can i do19:42
ayoungright19:42
morganfainbergayoung, so we're back to the two questions from the summit plus "what can i delegate to whom"19:42
dstanekmorganfainberg: yeah, i have to look for the gaps; NIST talks about a bunch of RBAC stuff like role hierarchies, etc. and i don't think we implement it yet (role hierarchies obviously since we've been discussing similar concepts at length)19:42
ayoungmorganfainberg, and I think phrasing it both ways is actually valuable:  capabilites from roles and roles from capabilites are both needed19:42
ayoungdstanek, yep19:43
ayoungnist RBAC is not namespaced like ours is19:43
ayoungso is I was admin for a project named X, the role would be X_admin in the nist approach19:43
ayoungI like ours better, but it means that we have two hierarchies;  the naming or roles, and the project hierarchy19:44
dstanekayoung: i'm also interested in ARBAC after the Atlanta summit19:44
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13479419:45
ayoungdstanek, OK,  so ABAC is the mechanism19:45
ayoungRBAC is built on ABAC19:45
ayoungARBAC is just a name that acknowledges that19:45
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768119:45
dstaneknot ABAC; ARBAC - using RBAC on top of RBAC to controls delegating management of permissions19:45
ayoungoh, the admin side19:46
jamielennoxdstanek: did you try and read the papers he had on that though19:46
ayoungwe have that by having the RBAC on Keystone19:46
*** amakarov is now known as amakarov_away19:46
jamielennoxthe concept isn't that hard, the academic papers are mind bending19:46
ayoungI see it like this:19:46
dstanekjamielennox: kinda, sorta; i skimmed, but never read in depth19:46
ayounga user can only potentially delegate arole that they have, or some subordinate role implied by that.  But they need specific role to make that delegation sticky19:47
ayoungsticky means role-assignemnt19:47
dstanekayoung: it's actually different because it's a second layer or RBAC (i believe separated for security/auditing reasons)19:47
ayoungdstanek, We get that by concentrating the RBAC administration inside of Keystone19:48
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: OAuth headers are missing  https://review.openstack.org/13436419:48
ayoungIt probably means that we should have a separate set of roles for operations on Keystone than for operations in Nova, but with hiearchiacl, they will all get rolled up into "super godlike admin of all"19:48
morganfainbergayoung, we should absolutly use the policy namespace construct "e.g. enforce for <keystone> or <glance>"19:49
stevemarjamielennox, fixed it up, thanks a lot for showing me that code, it always bugged me the way we mangled urls19:49
morganfainbergwhich *should* be separate roles19:49
ayoungmorganfainberg, no question there19:49
dstanekayoung: i'll have to read up on the paper for why they think it should be separated19:49
morganfainbergregardless of how it rolls up or doesn't later19:49
jamielennoxstevemar: ok, i can only speak for that side of it - i've no idea how to test the header values you're changing19:50
stevemarjamielennox, the only one i'm changing the is requested-project-id one19:50
ayoungmorganfainberg, it may mean that there are roles that should not be assigned down or something like that...in order to affect cahnge on Keyston, you need a token with exactly the role, and not one that expands out into it, so that a user needs to explicitly select the role for the operations to be performed19:50
ayoungkindof like logging in as a normal user, and then doing sudo for admin tasks19:51
morganfainbergayoung, that *may* be the right answer19:51
morganfainbergi don't discount it as one of the potentials for sure19:51
ayoungmorganfainberg, it also may be that when you get a proejct scoped token, you never get the roles that couldn't be scoped to that project19:52
ayoungso if I am "cloud_admin" and that gets inheritaed as "project_admin" on project P,  If I ask for a token on P, it will have the project_admin role, not cloud_admin19:52
openstackgerritEndre Karlson proposed openstack/python-keystoneclient: Allow to allow for other then STABLE api version  https://review.openstack.org/13015919:54
*** vsilva_ has quit IRC19:54
ayoungdstanek, dangit, now you got me thinking again19:55
ayoungnever a good idea19:56
dstanek^H^H^H - any way to erase my previous comments?19:56
ayoungheh19:58
morganfainbergdstanek, ^w^w^w19:59
morganfainbergdstanek, didn't work either darn19:59
ekarlso-anyone wanna sign off again on ^?20:00
ekarlso-it's rebased20:00
ayoungdstanek, OK, I don't feel so bad at confusing ARBAC with RABAC.20:02
samuelmshenrynash, ping20:02
ayoungsamuelms, no naked pings!20:02
morganfainbergayoung, ping20:02
morganfainberg>.>20:03
ayoungHA!20:03
morganfainberg<.<20:03
samuelmshaha20:03
samuelmsmorganfainberg, ++20:03
ayoung64 bytes from ayoung (127.0.0.1): icmp_seq=1 ttl=64 time=0.071 ms20:03
rodrigodsping was how I learned to chat in IRC =(20:03
morganfainbergwell crap.20:03
ayoungrodrigods, I know, we all did20:03
morganfainbergi forgot to say stuff about mid-cycle20:03
morganfainberganyway i'll send the email20:04
ayounghttp://blogs.gnome.org/markmc/2014/02/20/naked-pings/20:04
rodrigodsayoung, but I saw your tweet, it makes sense20:04
htrutahttps://twitter.com/admiyoung/status/53325642659739648120:04
htrutaops... slower than ayoung20:04
ayoungrodrigods, Adam Jackson is awesome.20:04
morganfainbergdolphm, have firm dates for SAT20:04
morganfainbergdolphm, Jan 19, 20, 2120:04
dolphmmorganfainberg: woot20:04
morganfainbergdolphm, just need to confirm geekdom or RAX space20:04
stevemaryay20:05
morganfainbergdolphm, i had to go with the earlier days for the mid-cycle since i *cant* make the the second half of the week.20:05
morganfainberg:P20:05
dolphmmorganfainberg: i'll aim for geekdom first and get back to you20:05
* morganfainberg feels bad bug has another meeting end fo that week in the bay20:05
morganfainbergs/bug/but20:05
rodrigodsquick question: is the HEAD return for the OS-INHERIT extension wrong for domains as well? https://review.openstack.org/#/c/130277/9/api/v3/identity-api-v3-os-inherit-ext.rst20:05
morganfainbergdolphm, ++ i'll update everything - post a blog that i can keep updated etc.20:06
morganfainbergdolphm, and update wiki saying the space in SAT is TBD20:06
morganfainberguntil we're confirmed20:06
morganfainbergdolphm, also hotel discount would be *awesome* if we can swing it again.20:06
morganfainbergdolphm, tyvm btw :)20:06
ayoungdolphm, so...the big thing I would like it if you confirm:  Is it acceptable to move toward managing the individual rules for each API in the database?20:07
ayoungThe policy rules, that is20:07
bknudsonrodrigods: the HEAD status has to match what the GET status would be... apache will turn a HEAD into a GET anyways.20:08
dolphmmorganfainberg: ++20:08
ayoungyou had suggested at the midcycle that the managing of the policy files could be done off line.  Without the hierarchical roles, I agree. Its just the hierarchical portion and expanding in the generation that would make sense to be done inside of Keystone itself20:08
rodrigodsbknudson, hmm thanks... will check if we have a doc bug there and update our review20:08
raildoHaneef, I respond your questions here: https://review.openstack.org/#/c/130277/ :)20:09
dolphmmorganfainberg: expecting a similar turnout to summer, i assume?20:12
morganfainbergdolphm, sec.20:12
bknudsonthe weather should be nicer (there) in winter.20:12
morganfainbergdolphm, just added you to the poll20:13
morganfainbergdolphm, so you can see the responses20:13
dolphmbknudson: it'll probably be 60's & 70's20:13
morganfainbergdolphm, we'll send out a second real "RSVP" form with my email since we have dates / city pinned down20:14
dolphmmorganfainberg: i thought barbican was for sure doing it in SF?20:14
morganfainbergbut i would expect similar-ish turnout20:14
morganfainbergthey aren't sure they are20:15
morganfainbergit's up in the air. and i don't want to make people scramble to get to our20:15
morganfainbergs20:15
morganfainbergso, if barbican *really* wants overlap.. they can get it, but at this point it was pretty non-committed on anything specific20:15
* morganfainberg asked a bunch20:15
*** marcoemorais has quit IRC20:15
morganfainbergand the majority of people are keystone with a "if we get a barbican day overalp it's good"20:16
*** marcoemorais has joined #openstack-keystone20:17
*** _cjones_ has quit IRC20:20
openstackgerritAndre Aranha proposed openstack/keystone-specs: Modify the policy file  https://review.openstack.org/13540820:20
ayoungI need to write a new spec for role assignments based on the Hierarchical spec.20:22
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading other auth methods in auth_token  https://review.openstack.org/12955220:27
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Split identity server into v2 and v3  https://review.openstack.org/13053420:27
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Additional discovery changes  https://review.openstack.org/13053320:27
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use real discovery object in auth_token middleware.  https://review.openstack.org/13053220:27
*** dtturner has quit IRC20:28
*** NM has quit IRC20:31
samuelmsjamielennox, just replied your comment at role-groups spec20:33
jamielennoxsamuelms: i guess its a matter of terminology20:35
jamielennoxcurrently when you add a role you add a global role20:35
jamielennoxwhen we start talking about domain roles and such we are still calling them roles20:35
samuelmsjamielennox, right20:35
jamielennoxi'm not sure how we are going to express that relationship when you create a domain role how do you link it to the global role20:36
jamielennoxbut is it a similar process to define a role which is a group of global roles20:36
jamielennoxdon't really mind - was just a though20:37
samuelmsjamielennox, in fact I think role are still global20:37
samuelmsjamielennox, group-roles are for domains20:37
marekdrodrigods: right.20:37
samuelmsjamielennox, I took a bit to understand that relationship .. I mean the mapping that will be applied when issuing a token ..20:38
marekdrodrigods: https://etherpad.openstack.org/p/keystone2keystone20:38
telemonsterQuick question. Openstack Havana. User in db has a default project assigned to it, LDAP is in place, but this always comes back when trying to log in:20:38
telemonsterYou are not authorized for any projects.20:38
samuelmsjamielennox, suppose we have a global role per API operation .. then a domain_admin create his own set of role-groups, mapping to the global roles20:38
samuelmsjamielennox, he has fine grained choices when making his groups :)20:38
samuelmsjamielennox, the domain_admin defines the mapping when creating the role-group (with the role: field inside it, as you said)20:39
samuelmsjamielennox, and the reverse-mapping is applied when we the token is issued, so that we have only global roles inside the token20:40
stevemarnkinder dtroyer, so whats the stance we want to take on defaulting user and project domains to default in OSC - bknudson brings up a good point here: https://review.openstack.org/#/c/135152/20:41
jamielennoxyep, get that, but i was thinking if we get down to a role per API operation then i'd call that a capability, and a role is a group of capabiliies anyway, so given a role is already a group, do we need the concept of role-groups or are we just trying to mess with the existing terminology in a compatible way20:42
stevemarbknudson, we could just doc that those env. variables are needed (which we do in the keystone docs), and maybe have devstack default to those values (for now)20:43
marekdjamielennox: how far do you think we are with  keystoneclient  being able to hande multiple tokens  at the same time?20:43
marekdor rather s/are/from/  ?20:44
*** pballand has quit IRC20:44
*** bknudson has quit IRC20:44
jamielennoxmarekd: eek, what was the case again?20:44
jamielennoxi mean, you can write a plugin to do what you like, what was the reason to have the client manage multiple plugins?20:45
ayoungENCRYPT ALL THE WEBS!  https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web20:45
marekdjamielennox: for instance keystoneclient being able to burst into multiple clouds with k2k20:45
marekdwe cannot use one token across multiple clouds, so at least we can hide that fact at the lib layer.20:45
jamielennoxyea, i'm not sure - what do we think the UX for that is going to be?20:46
samuelmsjamielennox, got your point on the terminology .. so role-groups means groups of groups of capabilities :B20:47
*** raildo is now known as raildo_away20:48
jamielennoxsamuelms: i'm ok with a new route was just wondering, because technically a role-group will just be a role right? it'll be delegated and such in exactly the same way a role is now20:50
jamielennoxmarekd: do you think bursting like that should be transparent to the user?20:50
*** _cjones_ has joined #openstack-keystone20:52
nkinderstevemar: I agree with bknudson20:53
marekdjamielennox: i think so.20:53
nkinderstevemar: Implicitly using 'Default' doesn't seem like a good idea, as that domain may not even exist.20:53
marekdjamielennox: at least, again i think  it should not repeat whole workflow with every call...20:54
stevemarnkinder, okay, i'm bugging you, since it's your bug :)20:54
nkinderstevemar: I just think that we should assume that the project domain is the same as the user domain20:54
marekdjamielennox: ok, this gets back to a token caching somewhat.20:54
nkinderstevemar: it's annoying to have to specify 3 domain options for a single command when they are all the same domain20:54
stevemarnkinder, what's the 3rd domain option?20:55
nkinderstevemar: 3 if I'm getting a domain scoped token.  Let me get you an example command...20:55
stevemarah20:55
marekdjamielennox: https://review.openstack.org/#/c/134606/2/keystoneclient/contrib/auth/v3/saml2.py by the way.20:55
marekdjamielennox: i'd like to have your opinion to see if there is reason to carry on20:56
stevemarnkinder, nah, i know what you mean20:56
nkinderstevemar: yeah, it's like this command - https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-kerberos-setup/vm-post-cloud-init-rdo.sh#L26920:56
*** marg7175 has quit IRC20:58
jamielennoxmarekd: we can't have the library creating files like that20:58
jamielennoxi think we need to look at serializing the plugins then letting OSC handle caching20:58
marekdjamielennox: why?20:59
marekdjamielennox: do you have a review to a serialization patch ?21:00
jamielennoxmarekd: well mostly you just never know how someone wants to use it, it's generally not a good idea to have a library maintaining it's own state21:00
jamielennoxmarekd: this is the most recent one i've done21:01
jamielennoxhttps://review.openstack.org/#/c/113163/21:01
marekdjamielennox: i remember user/pass was not serialized, but in the end every separate call ended with a new token?21:01
marekdjamielennox: ok, maybe you are right.21:01
jamielennoxi'd like some input on it from the OSC perspective, dtroyer, stevemar ^ do you know how you'd use something like that21:01
jamielennoxit comes into what we were talking about at summit and serializing of sensitive data 'm not sure what to do there so i just haven't finished it21:02
*** marg7175 has joined #openstack-keystone21:02
*** bknudson has joined #openstack-keystone21:04
*** ChanServ sets mode: +v bknudson21:04
*** marg7175 has quit IRC21:05
stevemarjamielennox, something like that == token / saml caching?21:05
*** marg7175 has joined #openstack-keystone21:05
jamielennoxgenerally plugin caching - not just saml21:06
designatedwhy can't the openstack documentation be more comprehensive?  why must I scour the internet for tidbits of information to make openstack work?  If the documentation isn't correct or will not get you to a working state then don't just throw shit out there to irritate people /rage21:06
marekdstevemar: yes, general token caching21:08
marekdstevemar: but i wanted to start at my playground :-)21:08
marekdstevemar: generally i think tokens should be reused as much as possible21:08
jamielennoxmarekd: so within a process you should be fine because you can hang on to the auth plugin as long as you want, it's the CLI case which is the problem21:10
* jamielennox offloads that problem :) 21:11
marekd:-)21:11
telemonster2014-11-18 21:12:26.327 13560 WARNING keystone.token.controllers [-] User Neutron Service is unauthorized for tenant f88b07200f33441fa8a40354b63b438521:12
stevemarjamielennox, marekd yeah i recall a design session where we were talking about caching and CLI, and how the process ends, and you are kinda screwed for caching.21:13
*** jacorob has quit IRC21:14
*** bknudson has quit IRC21:15
stevemarnkinder, why are we not using your script in our CI21:15
designatedzzzeek: How do I implement the fix for juno from this link? https://bugs.launchpad.net/oslo.db/+bug/137449721:16
uvirtbotLaunchpad bug 1374497 in oslo.db/juno "change in oslo.db "ping" handling is causing issues in projects that are not using transactions" [High,Fix released]21:16
designatedzzzeek: or at the very least, verify the version I have is updated so I'm not chasing my tail.21:16
samuelmsjamielennox, yes .. makes sense .. thanks :)21:16
*** thiagop has quit IRC21:17
zzzeekdesignated: i think you’d want to look and see if https://review.openstack.org/#/c/125079/ is present21:17
dstanekdesignated: now what's the issue?21:20
designatedzzzeek: I don't follow21:20
designateddstanek: the same issue I was having.  I'm not familiar enough with patching to determine whether the version I have is affected or not.21:20
zzzeekopen up the file “oslo/db/sqlalchemy/session.py” within the code you are testing and ensure it has the patches that you see in https://review.openstack.org/#/c/125079/1/oslo/db/sqlalchemy/session.py.   taht’s the most brute force way to check.  there are probably better ways but I don’t know openstack release mechanics that intimately21:21
designatedI'm getting 2006, 'MySQL server has gone away' from keystone intermittently21:21
*** bknudson has joined #openstack-keystone21:22
*** ChanServ sets mode: +v bknudson21:22
*** bknudson1 has joined #openstack-keystone21:22
dstanekdesignated: what release are you using?21:22
designateddstanek: juno21:23
designatedon ubuntu 14.0421:23
dstanekdesignated: is that the package provides in the standard repos21:24
dstanek?21:24
designatedyes21:24
zzzeekdesignated: this is a persistent connectiviy issue you’re having so if i were you id be verifying that MySQLdb can connect as its supposed to, that is, test script, “import MySQLdb; conn = MySQLdb.connect(<args>)”21:24
zzzeekdesignated: then see that connect() succeeds.  also in the stack trace, “mysql gone away” occurs at what operation, is it on connect(), or wihtin cursor.execute(), and if the latter, what is the statement being invoked, do other statements prior to that one succeed, etc.21:25
dstanekzzzeek: i had designated that earlier21:25
zzzeek“mysql gone away” error means a lot of things with MySQL-python21:25
zzzeekand all of that works fine21:25
nkinderstevemar: that's a good question... :)  I am setting up various infrastructure that the CI wouldn't have in place, but we could make some tests that use the same commands to exercise the use of domains.21:25
zzzeek?21:25
dstanekdesignated: can you pastebin some of the logs?21:25
marekdstevemar: why screwed for caching ?21:26
*** bknudson has quit IRC21:26
*** stevemar has quit IRC21:26
dstanekdesignated: have you gone through normal debugging steps like find the smallest configuration that exhibits the failure? (e.g. direct traffic directly at the node you think is broken, have it talking to a single mysql instance, etc)21:27
designateddstanek: http://pastebin.com/gMjQiuGX21:27
dstanekdesignated: is there any error earlier in the log about connectivity or error while connecting?21:28
designateddstanek: no, it works sometimes, sometimes it fails.21:28
designateddstanek: let me change haproxy to only talk to 1 node21:29
designateddstanek: If I take the server in question out of the haproxy config for keystone admin (TCP 35357), it balances the load amongst the other 3 servers just fine and I no longer receive the error.  there must be an issue with that one server.21:36
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005021:36
dstanekdesignated: what happens when you go directly against that one server?21:36
designateddstanek: testing that now21:37
dstanekmorganfainberg: are you trying to get the Rax discount at the hotels?21:38
designateddstanek: if I hit that single server, it works intermittently.  I get either "An unexpected error prevented the server from fulfilling your request. (HTTP 500)", "Authorization Failed: An unexpected error prevented the server from fulfilling your request. (HTTP 500)" or it succeeds.21:38
morganfainbergdstanek, yes21:39
morganfainbergdstanek, or *a* discount.21:39
morganfainbergdstanek, just bugging dolphm to help out on that front again.21:39
dstanekdesignated: is it only happening for certain operations then?21:40
designateddstanek: I'm running the same query over and over "keystone --os-tenant-name admin --os-username admin --os-password password --os-auth-url http://10.100.30.1:35357/v2.0 tenant-list"21:41
designateddstanek: I have to go pick my kids up from school.  I'll be back in about 30 minutes.21:43
*** gokrokve_ has joined #openstack-keystone21:46
*** gokrokve has quit IRC21:50
henrynashmorganfainberg, stevemar: gentle prod on https://review.openstack.org/#/c/130954/21, if you get a chance21:56
morganfainberghenrynash, tuesday = meeting craziness21:58
morganfainbergbut yes21:58
* morganfainberg is still in meetings.21:58
henrynashmorganfainberg: understand!21:58
*** marcoemorais has quit IRC22:00
morganfainberghenrynash, ok i need some lunch and then i've got one more meeting today22:00
*** marcoemorais has joined #openstack-keystone22:00
*** bknudson1 has quit IRC22:03
*** bknudson has joined #openstack-keystone22:05
*** ChanServ sets mode: +v bknudson22:05
*** _cjones_ has quit IRC22:09
*** _cjones_ has joined #openstack-keystone22:10
*** RichardRaseley has joined #openstack-keystone22:14
telemonsterDoes anyone have any knowledge of openstack/LDAP? Havana?22:17
telemonsterMy coworkers that were sent to the Openstack redhat training have no idea, and I'm trying to help them22:17
telemonsterWe're migrating to EC2 and scrapping Openstack as of tomorrow if it isn't fixed22:17
telemonsterWe rolled back to Havana hoping the LDAP (AD) part would work as it did, but no go22:18
telemonsterIt's passing the LDAP part AFAIK, but failing the project authroization22:19
telemonsterI checked the mysql tables (no way to auth with it on ldap) and the cloudadmin user is in the admin project22:19
telemonsterand admin project in the metadata table has cloudadmin uid22:19
telemonsteras well as admin22:19
telemonsterthis config worked prior on a havana install, but not sure what other things were done to make it work22:20
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228122:20
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Auth token tests create temp cert directory  https://review.openstack.org/12228022:20
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240322:20
*** marekd is now known as marekd|away22:25
*** agireud has quit IRC22:26
gyeewe have a metadata table?22:28
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change tenant to project  https://review.openstack.org/12706622:30
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct tests to use strings in conf  https://review.openstack.org/12865522:30
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Fix paste config option conversion for auth options  https://review.openstack.org/13191422:30
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options  https://review.openstack.org/12865622:30
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change admin user to service user.  https://review.openstack.org/12707522:30
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change occurrences of keystone to identity server  https://review.openstack.org/12706222:30
*** gokrokve_ has quit IRC22:31
*** topol has quit IRC22:31
*** tellesnobrega has joined #openstack-keystone22:33
*** diegows has quit IRC22:35
*** radez is now known as radez_g0n322:36
jamielennoxbknudson: can i bug you to have a look at those patches for plugins in middleware again22:36
jamielennox(when you have a moment)22:36
bknudsonjamielennox: which?22:36
jamielennoxbknudson: starting https://review.openstack.org/#/c/130532/22:37
*** vejdmn has quit IRC22:42
gyeejamielennox, you have time to finish this one up? https://review.openstack.org/#/c/113735/22:42
gyeeits similar to your nova, cinder patch22:43
marekd|awaygyee: I cannot recall, did ADFS worked with Keystoneclient?22:43
bknudsonI might also have some time to look at the nova work again sometime ( gyee , jamielennox )22:43
gyeemarekd|away, yes, sam did test it22:43
marekd|awaygyee: and what ADFS version do you use?22:43
bknudsonmarekd|away: btw - I spent a day in Geneva last week... the water jet was under repair.22:44
bknudsonyou should have warned us.22:44
marekd|awaybknudson: you should  have told me.22:44
gyeemarekd, let me check22:44
gyeeone sec22:44
marekd|awaybknudson: really, was it? for how long?22:45
marekd|awaybknudson: i don't even notice such things. sometimes they turn  it off due to wind.22:45
*** packet has quit IRC22:45
bknudsonmarekd|away: I think it was off for repairs for several days. It might be back on now.22:46
marekd|awayit is22:46
marekd|awaybknudson: this simply  means you need to come back :-)22:46
gyeemarekd|away, Windows Server 2012 R222:47
marekd|awaybknudson: where else did you go for your post summit voyage?22:47
marekd|awaygyee: ack22:47
marekd|awaygyee: thanks22:47
bknudsonmarekd|away: yes... I didn't get the full experience... also, I should have gotten on a boat that takes me around to the castle22:47
bknudsonmarekd|away: we planned it poorly since it was spur of the moment22:47
gyeemarekd|away, though I haven't read the code, but according to Sam, we are not validating the assertion for K2K22:48
gyeebecause of the ecb wrap?22:48
bknudsonmarekd|away: otherwise we hung around paris... louvre, cluny, orly, notre dame... took a day tour of chateaus in the loire valley.22:48
bknudsonmarekd|away: I was there with my mom.22:48
gyeeyou could easily spend a week in louvre22:50
bknudsongyee: it is ridiculously amazing.22:50
bknudsonmakes other museums look like a joke22:50
marekd|awaybknudson: oh, you could have told me, we could try organizing some CERN trips :(22:50
gyeeI know22:50
jamielennoxgyee, bknudson: did that nova patch work without the neutronclient changes? i had one that was dependant on stuff in client and that was just taking forever22:50
gyeejamielennox, I am review your patch right now22:51
gyeereviewing22:51
marekd|awaybknudson: hope you liked Paris/Geneva/Europe in general :-)22:51
marekd|awaygyee: hm, this means we can confirm ksc saml2 plugins work with ADFS322:52
marekd|awaygyee: as I think ADFS3 is shipped by default with w2012 R222:52
marekd|awaygyee: i *dont* think this is due to ECP wrap, as we only sign one part of the whole assertion.22:53
bknudsonmarekd|away: y, it was great. Was worried about the language but turned out not to be a problem. Hopefully we'll be back there for a summit ... in a couple years (?)22:53
openstackgerritwerner mendizabal proposed openstack/keystone: Test gerrit  https://review.openstack.org/13544622:53
gyeemarekd|away, yes ADFS322:53
marekd|awayor a mid cycle meetup.22:53
gyeemid cycle in Paris?22:54
marekd|awaygyee: Geneva :-)22:54
gyeeshit I would have to write an essay in the expense report22:54
marekd|awaygyee: David Chadwick was proposing meetup in Geneva, so we could stay over the weekend and go skiing22:54
marekd|awayi think henrynash would approve this idea22:55
gyee++++++22:55
gyeecan we get a glimpse of the dark matter? :D22:55
jamielennoxgyee: you can't see it, it's dark22:56
gyeeah22:56
marekd|awayno, but you can get some Higgs Bosons (i have them too much in my belly)22:57
gyeeheh22:57
gyeethey did mention about that one in Ancient Alien TV series22:58
marekd|away?22:58
*** harlowja is now known as harlowja_away22:58
gyeehttp://www.history.com/shows/ancient-aliens22:59
marekd|awayah22:59
*** jistr|mtgs has quit IRC22:59
gyeeI think they mention Higgs Bosons in one of them23:00
*** lihkin has quit IRC23:00
ayoungtelemonster, sorry, was in meetings23:03
ayoungtelemonster, I think you lie:  user probably does not have a role in a project...my guess is the userid that you think has the role in the project is not the userid from LDAP23:03
gyeejamielennox, https://review.openstack.org/#/c/131098/9/nova/api/auth.py line 14423:06
marekd|awayok, going to bed23:06
gyeewhere's keystone.token_auth being set?23:06
gyeemarekd|away, ttyl23:06
*** edmondsw has quit IRC23:06
jamielennoxgyee: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L75523:08
jamielennoxso auth_token provides a plugin for the current user session23:08
jamielennoxuser auth23:08
*** nkinder has quit IRC23:08
jamielennoxwhich makes 90% of nova's context object redundant - if only i could make serialize work23:09
gyeejamielennox, got it, thanks23:09
gyeeyep, good stuff23:09
jamielennoxi talked to jogo at summit, and he suggested making the patch smaller - i don't know if it's worth seperating that context stuff out from the cinder stuff23:10
jamielennoxalso i need to figure out some way of dealing with the exceptions mess we currently have but i don't see how it's doable without breaking everything23:11
gyee~300 loc is small23:11
gyeepersonal preference I suppose23:11
*** ChanServ has quit IRC23:12
jamielennoxthere are two logical changes, they just only make sense when used together23:12
gyeehalf of them are test code23:12
gyeeI suppose you can separate out the register_conf_options part23:13
*** ChanServ has joined #openstack-keystone23:15
*** sendak.freenode.net sets mode: +o ChanServ23:15
*** gordc has quit IRC23:17
ayounggyee, are you guys still pursuing tokenless operations in keystone?23:17
*** henrynash has quit IRC23:17
gyeeayoung, sure, for service users which uses SSL client cert auth, there's no need to use tokens23:18
*** chrisshattuck has joined #openstack-keystone23:19
ayounggyee, so I have a similar use case right now:  I need to create a service user that makes a call without a token, but that needs to do a policy check.  How are you building the context to send to policy?23:20
gyeeayoung, just parse the cert attributes and feed them straight to policy check23:21
ayounggyee, what about roles?23:21
*** harlowja_away is now known as harlowja23:21
telemonsterayoung - hmmm23:21
telemonsterayoung - how can I verify?23:21
telemonsteruserid = cloudadmin23:22
telemonsterAD sAMAccountName = cloudadmin23:22
gyeeayoung, why even bother with roles, service user account is highly static23:22
ayounggyee, need an RBAC check for the operation that the service user is performing.23:23
ayoungOK,  if you guys aren't doing it, I'll figure out the right way to make it happen.23:23
gyeeayoung, policy is just attribute matching23:23
telemonsterayoung - also, I do notice that it takes the sAMAccountName (cloudadmin) and picks up the cn (OpenStack Admin)23:23
telemonsterI'd hope it's not trying to use OpenStack Admin as the user?23:23
telemonsterverifying against the SQL database23:23
ayoungtelemonster, what does your ldap config have for the userid field23:24
telemonsteruser_id_attribute = cn23:24
telemonsteruser_name_attribute = sAMAccountName23:24
telemonster(keystone.conf)23:24
telemonsterserver is AD, not OpenLDAP so ...23:24
telemonsterI swapped out user_id_attribute to sAMAccountName also and of course it failed23:25
ayoungtelemonster, ok...there might be one thing...are you doing nested queries or onelevel23:26
ayoungthe config option is...23:26
ayoungquery_scope'23:26
ayoungdefaults to 'one'23:26
telemonstercurrently set to sub23:27
ayoungthis is...ugly23:27
ayoungOK,  so wuith sub, you should be OK23:27
ayoungso what is your cn value?23:27
ayoungcn is "OpenStack Admin"23:28
telemonsterYea, the history was havana install was running but other issues, went icehouse, went back havana, havana doesnt work (But old install might of had other mods)23:28
*** henrynash has joined #openstack-keystone23:28
*** ChanServ sets mode: +v henrynash23:28
ayoungthat is what it is expecting for the userid23:28
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Update requests-mock syntax  https://review.openstack.org/13138023:28
ayoungtelemonster, it looks like you want user_id_attribute = sAMAccountName23:28
telemonsterIs that a new option?23:28
telemonsteroh hmp23:29
telemonsterWith that set I think it fails user/pass but let me try23:29
ayoungtelemonster, when I do ldap, I usually set userid and username to the uid field.23:29
telemonsteryea AD is a bit different23:29
telemonsterwe have 20 or so other services authing off of it, although future we might move to linux or Apple Opendirectory23:30
ayoungtelemonster, but in your assignment table, you would look for something where the "target" value matches user_id_attribute23:30
ayoungso if cn = "OpenStack Admin"  that is what you would need in that table23:30
*** dims_ has joined #openstack-keystone23:31
ayoungand it sounds like you have cloudadmin there23:31
telemonsterokay with user_id_attribute sAMAaccountname and name = cn, it wont allow login23:32
telemonsterand I tried the long name23:32
telemonsterIll revert keystone coofnig back, and steal the CN value from the debug output on keystone console and see if I can stuff it in the database23:32
*** henrynash has quit IRC23:33
*** dims has quit IRC23:34
telemonsterput_filter: "(&(cn=OpenStack Admin)(objectclass=person))"23:34
telemonsterI just swapped the field in the user table for name ... and it still gives me the "you are not authorized for any projects" on the web ui. Pretty strange23:38
*** marcoemorais has quit IRC23:39
*** marcoemorais has joined #openstack-keystone23:39
*** thedodd has quit IRC23:40
*** marcoemorais has quit IRC23:40
*** marcoemorais has joined #openstack-keystone23:40
ayoungtelemonster, can you get a token from Keystone?23:41
*** marcoemorais has quit IRC23:42
telemonstertoken-get fails with a http auth23:42
*** marcoemorais has joined #openstack-keystone23:42
ayoungtelemonster, what the UI does is 1.  gets an unscoped token (cuz it is LDAP and there is no default project) then list projects, then selects the first one23:42
ayoungStart by getting an unscoped token using keystone token-get23:42
ayoungif you don't set OS_TENANT_NAME or OS_PROJECT_NAME or anything comparable, it should get a token with no project data23:43
telemonsteryea the tenantname is set to admin23:43
telemonsterbut let me see if I unset that if it works?23:43
ayoungyou can also do this via CURL if you really want to lock down to the specifics, but lets not go there yet23:43
telemonsteryea it worked23:45
*** marcoemorais has quit IRC23:45
ayoungOK, and it shows you your user id?23:45
telemonsteryea OpenStack Admin, but I modded it in the db23:45
ayoungthat makes no sense23:46
ayoungit did not do any DB calls for that23:46
ayoungonly LDAP23:46
telemonsteroh okay23:46
*** marcoemorais has joined #openstack-keystone23:46
ayoungso your userid is "OpenStack Admin"23:46
ayoungtelemonster, now, in your DB, do the following:23:46
ayoung1.  select * from roles;23:47
*** gokrokve has joined #openstack-keystone23:47
ayoungmake sure you actually have the right role_id for your assignment table23:47
ayoung2.  select * from assignment where actor_id = "OpenStack Admin";23:47
telemonsterthere is no entry in the role table for the cloudadmin user23:47
telemonsterno assignment table23:48
ayoungwhat are you running?23:48
telemonsterunder keystone db23:48
telemonsterhavana23:48
ayoungwhat version of openstack23:48
telemonster... :-) 1 sec23:48
telemonsterkeystone is version 0.7.123:49
ayoungDude, you guys need to stop panicking and running back to old versions.  Seriously....23:49
telemonsterWe were on an old version23:49
ayoungtelemonster, didn't you roll forward to Juno at one point?  Or at least Icehouse?23:50
telemonsteryes we were on icehouse, but hit a wall with the ldap and the (hope) was rolling back to where we were-- it would work again23:50
telemonsterthe boss calls this, and this is a long outage with impacts and upset people23:51
ayoungOK...lets get you running again....23:52
telemonsterthe guy that set this stuff up quit and went to work for a consulting company23:52
telemonster:-)23:52
ayoungactually, I think he works here23:52
telemonsterSo I should swap out the cloudadmin with 'OpenStack Admin' (sAMAccountName to cn conversion)23:52
ayoungtelemonster, not necessarily23:53
ayoungright now you know that you can get an unscoped token with what you have working.23:53
telemonstercorrect23:53
telemonster(He works for Mirantis, looked it up)23:53
ayoungI don't think you want to change what is being used for the userid across the cloud.  It probably would only affect Keystone and swift23:53
ayoungbut the userid is not used in Nova AFAICT23:54
ayoungah...so not our guy...ok23:54
telemonsterwe like to use what is in the sAMAccountName field of LDAP23:54
telemonsterThat's how it has been23:54
ayoungtelemonster, ok, then that should be the userid field in the LDAP config23:54
ayoungand it makes sense23:54
ayounglets at least get things working with that.23:55
ayoungmake that change, and make sure that once again you can get an unscoped token23:55
telemonsterChanged to this:23:56
telemonsteruser_id_attribute = sAMAccountName23:56
telemonsteruser_name_attribute = cn23:56
telemonsterand now token get fails23:56
ayoungyou need to reset the env vars23:57
ayoungset OS_USER_ID=to the sAMAccountName23:57
*** boris-42 has quit IRC23:57
ayoungNot sure what happens if username has a space in it, but you should be able to do OS_USERNAME="..."  too23:57
ayoungor just set them both to sAMAccountName23:58
telemonsterOS_USERNAME or OD_USER_ID ?23:58
ayoungtelemonster,  lets start with user_ID...23:58
ayoungset that to the sAMAccountName23:58
telemonsterdo those represent the two fields use by the auth?23:58
ayoungYeah,  horizon uses the username to login23:58
ayoungyou can get a token using either one23:58
telemonsterokay OS_USERNAME is set to cloudadmin23:59
telemonsterpass and url are set23:59
telemonsterfailed23:59
*** gokrokve has quit IRC23:59
« Monday, 2014-11-17 Index Wednesday, 2014-11-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!