Friday, 2014-11-21

richmstevemar2: ++00:02
stevemar2ayoung, you were right about the federated token stuff :)00:03
stevemar2lets just look at the auth_context and call it there00:03
stevemar2err and call it based on that, the other auth plugins should never provide that sort of info00:04
*** Viswanath has joined #openstack-keystone00:04
*** tellesnobrega has joined #openstack-keystone00:05
*** Viswanath has quit IRC00:09
*** chrisshattuck has quit IRC00:09
morganfainbergstevemar2 cause stevemar and stevemar1 are shady people00:09
stevemar2morganfainberg, so shady00:10
stevemar2do not trust those guys00:10
stevemar2bunch a jerks00:11
*** morganfainberg changes topic to "Blocking reviews: | Keystone Midcycle Details:"00:12
*** richm has quit IRC00:15
*** lhcheng_ is now known as lhcheng00:18
*** r-daneel has quit IRC00:20
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Update requests-mock syntax
*** radez is now known as radez_g0n300:27
*** NM has quit IRC00:28
*** david-lyle is now known as david-lyle_afk00:33
morganfainbergstevemar2, ping00:44
morganfainbergstevemar2, re split assignment from resource00:44
stevemar2morganfainberg, pong200:44
morganfainbergtrying to get my head wrapped around the significant benefit of isolating role from roleassignment00:44
morganfainbergi talked to henrynash about it earlier, but looking for more insight00:44
morganfainbergis there a real benefit to splitting the role id/name and keeping that as a resource?00:45
morganfainbergi'm just having a hard time seeing the implementation that follows for a custom assignment backend00:45
stevemar2morganfainberg, i think it's architecturally better00:45
morganfainbergstevemar2, i am *for* the split.00:46
stevemar2and yeah, it allows for a pluggable assignments00:46
stevemar2in case someone doesn't like ours00:46
morganfainberglets be clear, i'm just trying to ensure we're not backing ourselves into a different corner00:46
morganfainbergif they don't like our assignment backend, wouldn't Roles typically be managed there as well?00:46
stevemar2ah i see what you mean00:47
morganfainberghenry was using the concept of ABAC - but then if the role is managed outside of role-assignment... you now need glue to make it happen.00:47
morganfainbergsince his example was "use another interface to manage the ABAC assignment"00:47
morganfainberggreat, i think i can handle the construct of project.domain being independent00:47
morganfainbergbut roles?00:48
morganfainbergroles *could* be a resource00:48
stevemar2morganfainberg, you bring up a good point00:48
morganfainbergor role could be part of role-assignment00:48
morganfainbergand i don't want to play the flip-flop game and shuffle all this around all over the place00:49
stevemar2i agree that shuffling is bad00:49
stevemar2but this one seems like a good shuffle :)00:49
morganfainbergthe way I see it, roles tie directly to role assignment, role assignment is acting on the Roles with a resource00:50
morganfainbergyou have Actor, Resource, Role00:50
morganfainbergnot Actor, Resource(project|domain), Resource(Role), Mapping00:50
stevemar2and role assignments link all three up00:50
morganfainbergright but they are directly tied to the Role.00:51
morganfainbergin an ABAC system, I'd expect the "role" definition to be something more like "user-has_x and user_has_y but not Z"00:51
morganfainbergbut if you now need an explicit link of Role(resource) and Project(resource) and actor00:52
morganfainbergi think you're in the same place we are today, just with a weird pluggable thing mixed in00:52
morganfainbergyou'll still need our assignment logic to know what a "role" is, since it's not part of the assignment backend00:52
* morganfainberg might be over-thinking it00:53
morganfainbergbut somehow i am getting a "this doesn't look right" vibe from roles being a resource00:53
openstackgerritguang-yee proposed openstack/keystone: make account for the default options in keystone.conf
*** edmondsw has joined #openstack-keystone00:56
*** ncoghlan has joined #openstack-keystone01:02
*** afaranha has quit IRC01:02
*** tellesnobrega_ has quit IRC01:04
*** samuelms-away has quit IRC01:05
*** htruta has quit IRC01:05
*** raildo has quit IRC01:05
*** edmondsw has quit IRC01:07
*** zzzeek has quit IRC01:09
*** diegows has quit IRC01:14
*** chrisshattuck has joined #openstack-keystone01:16
openstackgerritDavid Stanek proposed openstack/keystone: Expanded mutable hacking checks
openstackgerritDavid Stanek proposed openstack/keystone: Removes a bit of WSGI code converts unicode to str
openstackgerritDavid Stanek proposed openstack/keystone: Removes a Py2.6 version of inspect.getcallargs
openstackgerritDavid Stanek proposed openstack/keystone: Removes a Py2.6 version of assertSetEqual
gyeejamielennox, you have time for this?
jamielennoxgyee: yep it's on my list for next to fix in nova, i remember last time i tried though i ended up making a bunch of changes in neutron client01:44
gyeewant me to work on it?01:45
jamielennoxgyee: merged :)01:45
jamielennoxso i should be able to take the auth_plugin bits from there for neutron01:45
gyeeyeah, similar change I think01:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use newer requests-mock syntax
*** htruta_ has quit IRC02:05
*** jorge_munoz has quit IRC02:09
openstackgerritSteve Martinelli proposed openstack/keystone: test some websso stuff
*** dims has joined #openstack-keystone02:14
*** stevemar has joined #openstack-keystone02:18
*** ChanServ sets mode: +v stevemar02:18
openstackgerritLin Hua Cheng proposed openstack/keystone: Always return the service name in the catalog
*** stevemar2 has quit IRC02:21
*** stevemar has quit IRC02:23
openstackgerritLin Hua Cheng proposed openstack/keystone: Always return the service name in the catalog
*** sigmavirus24 is now known as sigmavirus24_awa02:34
*** erkules_ has joined #openstack-keystone02:35
*** raildo has joined #openstack-keystone02:36
*** erkules has quit IRC02:37
*** htruta has joined #openstack-keystone02:37
*** sigmavirus24_awa is now known as sigmavirus2402:38
*** samuelms-away has joined #openstack-keystone02:39
*** tellesnobrega_ has joined #openstack-keystone02:39
*** afaranha has joined #openstack-keystone02:39
*** designate has quit IRC02:42
*** afaranha has quit IRC02:44
*** NM has joined #openstack-keystone02:45
*** _cjones_ has quit IRC02:46
openstackgerritDavid Stanek proposed openstack/keystone: Adds a wip decorator for tests
*** stevemar has joined #openstack-keystone03:06
*** ChanServ sets mode: +v stevemar03:06
*** dims has quit IRC03:11
*** dims has joined #openstack-keystone03:13
*** lhcheng has quit IRC03:17
*** amcrn has quit IRC03:17
*** chrisshattuck has quit IRC03:20
*** NM has quit IRC03:21
*** harlowja is now known as harlowja_away03:39
*** dims has quit IRC03:48
*** jdennis has quit IRC03:51
stevemarmorganfainberg, i hate SSO03:51
morganfainbergstevemar, really?03:51
stevemarmorganfainberg, yes, sort of, i don't know03:52
*** abelity has joined #openstack-keystone03:52
stevemari have it sort of working, but the token i get back is unscoped, so listing projects (which horizon does) doesn't work03:52
*** ncoghlan is now known as ncoghlan_afk03:56
*** afaranha has joined #openstack-keystone03:57
*** jdennis has joined #openstack-keystone04:07
abelityi have tried to set up the mod_auth_cas with CAS as the identity provider, but when I do a browser call to /v2.0/tenants after the authentication with CAS I see this "status expected to be of type int"... fails at the wsgi's start_response line no 1021 of webob's response.py04:08
abelityis this a chunked encoding issue04:08
*** Viswanath has joined #openstack-keystone04:09
*** topol has joined #openstack-keystone04:10
*** ChanServ sets mode: +v topol04:10
*** Viswanath has quit IRC04:13
*** chrisshattuck has joined #openstack-keystone04:25
*** oomichi_ has joined #openstack-keystone04:27
openstackgerritMerged openstack/keystone: Adds dynamic checking for mapped tokens
*** david-ly_ has joined #openstack-keystone04:43
*** david-lyle_afk has quit IRC04:43
*** dims has joined #openstack-keystone04:49
*** tellesnobrega has quit IRC04:50
*** stevemar has quit IRC04:51
*** stevemar has joined #openstack-keystone04:52
*** ChanServ sets mode: +v stevemar04:52
*** oomichi_ has quit IRC04:52
*** dims has quit IRC04:55
*** abelity has quit IRC04:56
*** chrisshattuck has quit IRC05:00
*** ncoghlan_afk is now known as ncoghlan05:03
*** jacorob has quit IRC05:09
*** afaranha has quit IRC05:15
*** htruta has quit IRC05:17
*** tellesnobrega_ has quit IRC05:17
*** htruta has joined #openstack-keystone05:17
*** tellesnobrega_ has joined #openstack-keystone05:18
*** afaranha has joined #openstack-keystone05:19
*** sigmavirus24 is now known as sigmavirus24_awa05:23
*** erkules_ is now known as erkules05:25
*** jdennis has quit IRC05:33
*** abelity has joined #openstack-keystone05:35
*** afaranha has quit IRC05:48
*** samuelms-away has quit IRC05:49
*** htruta has quit IRC05:49
*** samuelms-away has joined #openstack-keystone05:49
*** htruta has joined #openstack-keystone05:50
*** afaranha has joined #openstack-keystone05:50
*** ajayaa has joined #openstack-keystone06:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** k4n0 has joined #openstack-keystone06:17
*** henrynash has joined #openstack-keystone06:32
*** ChanServ sets mode: +v henrynash06:32
*** afazekas has joined #openstack-keystone06:58
openstackgerritSteve Martinelli proposed openstack/keystone: test some websso stuff
*** topol has quit IRC07:04
*** MasterPiece has joined #openstack-keystone07:08
*** henrynash has quit IRC07:11
*** stevemar has quit IRC07:16
*** henrynash has joined #openstack-keystone07:17
*** ChanServ sets mode: +v henrynash07:17
marekd|awayabelity: Identity API 3 only07:22
*** marekd|away is now known as marekd07:22
marekdabelity: there is no local user in Keystone backend, right?07:35
marekdif you simply want to use saml authentication but with CAS you are advised to read some federation docs.07:35
*** henrynash has quit IRC07:37
marekdrodrigods: good change. Could add some tests Henry was asking for but...what the heck.07:41
*** MasterPiece has quit IRC07:46
*** jaosorior has joined #openstack-keystone07:58
*** jamiec has quit IRC08:06
*** jamiec has joined #openstack-keystone08:08
*** ajayaa has quit IRC08:21
*** NM has joined #openstack-keystone08:25
*** ncoghlan has quit IRC08:28
*** ajayaa has joined #openstack-keystone08:33
*** jamiec has quit IRC08:39
*** links has joined #openstack-keystone08:39
*** jamiec has joined #openstack-keystone08:41
*** MasterPiece has joined #openstack-keystone08:47
*** ukalifon has joined #openstack-keystone09:09
marekdlbragstad: ping me when you are online - wanted to ask a few questions about AE tokens.09:41
*** eglynn-nick is now known as eglynn09:45
*** lhcheng has joined #openstack-keystone09:53
*** k4n0 has quit IRC09:53
*** sluo_laptop has quit IRC10:02
*** aix has joined #openstack-keystone10:03
*** MasterPiece has quit IRC10:04
*** Shohei has joined #openstack-keystone10:07
*** mflobo has joined #openstack-keystone10:09
*** nellysmitt has joined #openstack-keystone10:19
*** kashyap has left #openstack-keystone10:26
*** tellesnobrega has joined #openstack-keystone10:28
*** NM has quit IRC10:36
*** tellesnobrega has quit IRC10:42
*** jaosorior has quit IRC10:43
zhiyanayoung: hey, updated testcases for my change on oslo-inc policy module at as we talked yday, pls let me know your idea when/if you ok. thanks!10:48
zhiyanrodrigods: ^^10:48
*** amakarov_away is now known as amakarov10:55
*** ukalifon has quit IRC10:57
*** NM has joined #openstack-keystone10:58
*** diegows has joined #openstack-keystone11:04
*** diegows has quit IRC11:09
*** dims has joined #openstack-keystone11:11
*** ajayaa has quit IRC11:14
*** nellysmitt has quit IRC11:15
*** nellysmi_ has joined #openstack-keystone11:15
*** afaranha has quit IRC11:19
*** ajayaa has joined #openstack-keystone11:25
rodrigodszhiyan, hey... was thinking about Julien's comments11:46
rodrigodszhiyan, what do you think of having overwrite/force_reload in the __init__11:47
zhiyanrodrigods: hm, i think oslo module needs support adoption requirements ..tbh11:47
rodrigodszhiyan, yes, that's true11:48
zhiyanrodrigods: technically it could work, but it's ugly, in such function context, we need to 'merge' both param and self.* one11:48
zhiyanand most case, there's no sense11:48
rodrigodszhiyan, yeah... if we could remove the force_reload from load_rules() :P11:49
rodrigodsand use the class attribute11:50
rodrigodsbut I guess we don't want to break anything11:50
rodrigodszhiyan, will take a look in the tests11:50
zhiyanrodrigods: btw, i think current idea to make the interface be common11:50
zhiyanrodrigods: yes, that's a worth point as well!11:50
*** tellesnobrega_ is now known as tellesnobrega11:54
*** uvirtbot has quit IRC12:09
*** MasterPiece has joined #openstack-keystone12:16
zhiyanhi rodrigods, thanks for input, one question on your comments.12:25
*** eglynn is now known as eglynn-lunch12:25
*** NM has quit IRC12:26
*** ajayaa has quit IRC12:26
zhiyanrodrigods: you mean testing the combination of force_reload=False + overwrite=True/False?12:28
rodrigodszhiyan, yes12:31
rodrigodsmakes sense?12:31
zhiyanrodrigods: humm, i think the handling of whether to overwrite rules with (re)loaded policies only happens when force_reload=True12:33
rodrigodszhiyan, you mean, the overwrite is only considered when force_reload=True?12:34
zhiyanrodrigods: yes, am i missing anything?12:34
*** afaranha has joined #openstack-keystone12:35
rodrigodszhiyan, yes, you are right :)12:38
zhiyanrodrigods: good to know12:38
zhiyanrodrigods: i will update the code according to your inline comment12:39
rodrigodszhiyan, great! :)12:39
zhiyanrodrigods: thanks man :)12:39
rodrigodszhiyan, np12:40
*** ajayaa has joined #openstack-keystone12:46
openstackgerritSridhar Gaddam proposed openstack/python-keystoneclient: Curl statements to include globoff for IPv6 URLs
*** topol has joined #openstack-keystone13:03
*** ChanServ sets mode: +v topol13:03
*** samuelms-away is now known as samuelms13:04
*** edmondsw has joined #openstack-keystone13:07
rodrigodsdstanek, have a review that might need your opinion:
dstanekrodrigods: we were using _ without importing it?13:10
rodrigodsdstanek, exactly13:10
dstanekrodrigods: i thought we removed all of that magic :-(13:10
dstanekrodrigods: or maybe we did and the tests don't hit that error condition13:11
rodrigodsdstanek, hmm true, maybe we should add this test, right?13:11
*** diegows has joined #openstack-keystone13:13
dstanekrodrigods: yes, actually try adding a test without that change and see if it fails13:14
rodrigodsdstanek, I added an extra _() in a place without a conditional branch and it failed, will try to write a test to cover the else: case there13:15
*** jdennis has joined #openstack-keystone13:17
*** jamielennox is now known as jamielennox|away13:20
marekddstanek: you wanted to talk yesterday13:20
dstanekmarekd: i answered my own question :-)13:21
marekddstanek: cool13:21
*** bknudson has quit IRC13:23
marekdrodrigods: what coverage tests show?13:27
*** topol has quit IRC13:27
rodrigodsmarekd, you may ask dstanek13:27
rodrigodsa line from federation/controllers is using _() without importing _13:28
dstanekfor federation?13:28
dstanekmarekd: rodrigods: only look at the federation files because i only ran the federation tests in the last run:
dstanekfederation has very, very good coverage13:33
lhchengdstanek: ping13:34
dstaneklhcheng: pong13:36
lhchengdstanek: thanks for the review13:36
lhchengdstanek: I added my response on the comments, would appreciate your response before I move forward applying the comments.
dstaneklhcheng: just responded13:38
lhchengdstanek: thanks!13:39
dstaneklhcheng: i think it needs to be separate because it may indicate a bigger problem13:39
lhchengfor fixing tests, does it require a launchpad too?13:40
dstaneklhcheng: if it is truly required then the tests shouldn't pass13:40
lhchengdstanek: agree13:40
lhcheng*launchpad bug13:40
dstaneklhcheng: probably need a bug describing what is broken; because that line isn't required to make the tests pass13:41
dstaneklhcheng: so that means to me that it's not actually required or we are not testing the thing that validates13:41
lhchengdstanek: yup! I can open the bug to track it.13:42
*** tellesnobrega_ has joined #openstack-keystone13:45
dstaneklhcheng: thx13:47
dstaneklhcheng: paste a link here once you do13:48
*** gordc has joined #openstack-keystone13:48
*** dims is now known as dimsum__13:49
*** bknudson has joined #openstack-keystone13:51
*** ChanServ sets mode: +v bknudson13:51
*** MasterPiece has left #openstack-keystone13:51
openstackgerritRodrigo Duarte proposed openstack/keystone: Add import i18n to federation/
marekdwhat is the purpose of the 'target' in the policies?13:54
rodrigodsmarekd, the object is being "targeted"13:55
*** radez_g0n3 is now known as radez13:55
rodrigodsdstanek, added the test =)13:55
marekdso, for instance i might add a rule that certain role can be granted on domain X ?13:55
marekdand domainX will be this
marekdwell, certain role can be granted to domainX *only*13:56
rodrigodsmarekd, in theory yes, not sure if it will work13:56
rodrigodsright now we are trying to avoid a domain_admin to give a cloud_admin13:56
rodrigodsin projects that don't understand domains13:57
marekdok, domain was an example13:57
marekdcould also be project13:57
marekdrodrigods: or...i don't know...a role can be granted only to user 'marek'13:58
marekdand then i will have two targets : and target.user.name13:58
rodrigodsmarekd, yep, I think it could work13:59
marekdrodrigods: ok14:00
*** diegows has quit IRC14:00
marekd"identity:get_project": [["rule:admin_required",14:02
marekd"identity:list_projects": [["rule:admin_required", "domain_id:%(domain_id)s"]],14:02
marekdso the difference here between list and get calls is probably you need target in list cause you don't specify domain_id in the url?14:03
*** jistr has joined #openstack-keystone14:03
*** jistr is now known as jistr|mtg14:04
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change tenant to project
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct tests to use strings in conf
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Fix paste config option conversion for auth options
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change admin user to service user.
*** mflobo_ has joined #openstack-keystone14:06
*** eglynn-lunch is now known as eglynn14:07
*** mflobo has quit IRC14:08
zhiyanayoung: hey, one question added in that change. not sure if you think force_reload flag could stay there as a param of enforce()?14:09
ayoungzhiyan, cuz I am not sure myself....14:09
zhiyanayoung: mh14:10
zhiyanayoung: any help i can do for it?14:10
*** tellesnobrega_ has quit IRC14:11
rodrigodsayoung, thought about putting the force_reload in __init__ as well, but it can break current usage, right?14:12
*** mflobo has joined #openstack-keystone14:14
*** ctracey has quit IRC14:15
*** mflobo_ has quit IRC14:16
ayoungrodrigods, not sure...14:16
ayoungzhiyan, why do we need force reload on a specific enforce call?14:16
*** rm_work has quit IRC14:16
*** rm_work has joined #openstack-keystone14:17
ayoungI mean....we could always have it as a deliberate separate call or whatever....why have it on enforce?14:17
*** rm_work has quit IRC14:17
*** rm_work has joined #openstack-keystone14:17
*** ctracey has joined #openstack-keystone14:17
zhiyanayoung: if i read you correctly, i explained it in my first comment in
*** tellesnobrega_ has joined #openstack-keystone14:20
*** joesavak has joined #openstack-keystone14:21
ayoungzhiyan, I think reload is different than force_overwrite14:21
zhiyanayoung: yes14:21
ayoungreload in enforce is putting two calls together14:21
ayoungif we already had a reload call,  it would not be necessary to have on enforce14:22
lbragstadmarekd: ping14:22
ayoungthe question is should we even have one14:22
ayoungif you don;t need it for this use case, though,  remove it.  We can add it when we do need it14:22
zhiyanayoung: without force_reload=True, the reloaded flag returned by fileutils.read_cached_file will always be False14:22
zhiyanayoung: i think i need it14:23
ayoungzhiyan, when are the ProtectProperty rules generated? are they ever regenerated?14:24
zhiyanayoung: because at L266, if reloaded=False and self.rules contains in-memory rules, then the policy files will be skipped14:24
zhiyan1 sec14:24
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change tenant to project
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct tests to use strings in conf
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Fix paste config option conversion for auth options
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change admin user to service user.
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change occurrences of keystone to identity server
zhiyanayoung: yes, they are14:26
ayoungzhiyan, what does one of these rules look like?14:27
*** mkoderer has joined #openstack-keystone14:27
*** xiaozhi has joined #openstack-keystone14:27
zhiyan"prop_a:create": "rule:glance_creator"14:27
zhiyan"glance:creator": "role:admin or role:glance_create_user"14:27
ayoung"prop_a:create"  is that generated on the fly?14:29
zhiyanthis is a rule policy, operator could config to use role policy if needed14:29
ayoungwhat is prop_a14:29
zhiyanayoung: see there's a config in glance
*** uvirtbot has joined #openstack-keystone14:30
ayoungzhiyan, these are per object policies?14:31
zhiyanthat means if an image property meets that regex, then CRUD operations will be checked on the particular properties.14:31
zhiyanayoung: "per object" means?14:31
ayoungas opposed to API wide policies...each of these policies could vary depending on which object it is called on?14:32
zhiyanayoung: yes14:33
zhiyandepends on end user requested image obj14:33
ayoungzhiyan, then each object should probably have its own enforcer14:33
ayoungyou will have race conditions all over the place14:34
zhiyanno, probably i confused you14:34
ayoungsay two calls come in at the same time, both using a global enforcer14:34
*** vhoward has joined #openstack-keystone14:34
zhiyaneach api call will create different enforcer obj14:34
marekdlbragstad: brb, need to answer one e-mail.14:34
*** chrisshattuck has joined #openstack-keystone14:35
marekdlbragstad: actually, i asked few questios in your AR spec14:35
lbragstadmarekd: I'm addressing your comments in the review now14:35
marekdlbragstad: cool14:35
ayoungzhiyan, that is not how it works in Eventlet based code today14:35
zhiyaneach enforcer will contain the same policies which were loaded from policy files, but different parts are related to which image the api involved14:35
lbragstadmarekd: no problem, thanks for the review14:35
*** nellysmi_ has quit IRC14:35
zhiyans/while laded/which loaded/14:36
zhiyanayoung: so there's no global enforcer object, i don't think there's a potential race condition issue..14:38
ayoungthen why reload?14:39
ayoungThat would be doubling the work on every call14:39
zhiyanayoung: because currently only the reload flag could make policy files be loaded up when self.rules contains some in-memory rules14:40
vsilvahey marekd, I remember you were also interested in better testing for keystone and maybe some functional tests for federation. Did you have any interesting discussions about this on the summit?14:40
ayoungzhiyan, something is not right here14:40
vsilvaI was trying to gather interested people and figure out how we could move in that direction14:40
zhiyanayoung: am I confusing you :)14:41
marekdvsilva: i was and i am :-) I didn't talk about that to anybody, but I know dstanek and lbragstad are gatekeepers in terms of functional testing.14:41
*** tellesnobrega_ has quit IRC14:41
marekdvishy: i only shot a short e-mail to those gentlemen a few days ago asking for their opinions.14:41
marekdvishy: sorry, wrong nickname14:42
marekdvsilva: i meant you ^^14:42
vsilvacool, marekd14:42
marekdvsilva: i can forward you the e-mail14:42
marekdbut it's nothing really special14:42
vsilvathat would be good anyway, marekd. what do you think of setting that as a topic for the next keystone meeting?14:43
marekdgreat idea14:43
marekddo you want to modify the agenda?14:43
dstanekvsilva: marekd: you are talking about testing against a real federation setup right?14:43
marekddstanek: kind of14:43
*** tellesnobrega_ has joined #openstack-keystone14:44
marekddstanek: having one big IdP for *all* jenkins VMs doesn't scale14:44
marekdbut having a small instance of pysaml2 IdP on every VM14:44
vsilvacould you do it marekd? I bet you have a lot more to say, so having me as 'the guy' for that topic doesn't make a lot of sense...14:44
marekdcould work.14:44
vsilvaif I understand the meeting correctly, uh14:44
ayoungzhiyan, OK   here is what I understand to be happening.  And it varies from server to server based on their specific code14:44
ayoungwhen you call policy, from, say keystone or nova14:44
ayoungit does a bunch of stuff to get the web request into the right form14:45
ayoungthen....well, lets start with the code14:45
marekddstanek: i want to avoid situations where: we code, we add unittests that mock 80% of everything with some constants, we test it by hand and add comments 'worked on my test env'14:45
marekdvsilva, stevemar and others do want it too.14:46
ayoungyou can see it does have a global ENFORCER object.  Glance may not do that14:46
ayoungenforce(context, action, target, do_raise=True, exc=None):  calls init, to make sure that object is loaded then14:46
dstanekvsilva: marekd: i'll try to get some more information on this topic; it's a much bigger issue than just keystone14:46
ayoung _ENFORCER.enforce ...14:46
ayoungok, lets look at what glance does14:46
marekddstanek: did you read my email? I am not sure I should ask you...14:47
ayoungzhiyan, what is the lifespan of the gateway object14:47
zhiyanayoung: let's talk about v2 api stuff, v1 is going to be outdated14:47
marekddstanek: it's more like adding another testsuite to the jenkins tests14:47
marekddstanek: i don't know how to do this.14:47
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens
marekddstanek: however, morganfainberg pointed functional tests would let us have real federation tests14:48
zhiyanfrom when the api begins handling in the controller, and released after the api returns14:48
zhiyanayoung: ^14:48
ayoungzhiyan, so one per request?14:48
dstanekmarekd: if we are to expect a real apache/ldap/idp during our tests we'll need help14:48
zhiyanayoung: yes14:48
zhiyanayoung: e.g.
dstanekmarekd: i assume that is what you are asking for14:49
marekddstanek: yes, keystone running on top of apache w/ mod_Shib configured.14:49
marekddstanek: correct14:49
marekddstanek: we, keystone project, we == you ?14:49
openstackgerritLin Hua Cheng proposed openstack/keystone: Always return the service name in the catalog
*** lhcheng_ has joined #openstack-keystone14:49
ayoungzhiyan, you sure?  In keystone under eventlet, controllers are created once and maintained for the life of the application14:49
dstanekmarekd: keystone14:49
zhiyanayoung: sorry, i mean it belongs to the controller obj14:50
ayoungzhiyan, so there is one global enforcer.14:50
ayoungzhiyan, do some tracing of a running server and I suspect you will find that it is global14:51
zhiyanayoung: i was checking the code
ayoungwhich means changing the policy per object is not going to work. Instead, have a second enforcer object14:51
zhiyanayoung: hm14:51
ayoungyeah, routers are application scoped too14:51
zhiyanayoung: yes14:52
zhiyanayoung: have second enforcer obj for what, sorry i'm confused14:52
ayoungzhiyan, this is a lot like SELinux.   When you get the actual object out of the datastore, you look at it to see what its specific security context is14:52
*** lhcheng has quit IRC14:52
ayoungzhiyan, one enforcer for global, a second one per object from the database14:53
ayoungwhat glance is trying to do is tricky, and it is awesome that you guys are trying to make this happen14:53
ayoungbut getting it right is a huge task14:53
*** r-daneel has joined #openstack-keystone14:54
zhiyanayoung: so, back to the topic, currently i just want to make a way to sync up the latest policy module to glance14:54
ayoungzhiyan, I have to head to a dentist appointment.  I'm going to think about what you are trying to do here and give some feedback afterwards14:54
zhiyanayoung: and i'm sure currently the PropertyProtect feature is running well with the existing model14:54
ayoungI'll make sure I have an updated version of the glance code to understand what is going on14:54
*** richm has joined #openstack-keystone14:55
*** sigmavirus24_awa is now known as sigmavirus2414:57
zhiyanayoung: ok. glance domain model has a responsibility-chain structure, one layer of it works for PP14:57
zhiyanit constructs proper in memory rules and update them into enforcer obj.14:57
openstackgerritSergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3
samuelmsI'd like to know what's the correct way to do a rebase when we have dependent patches ..14:57
samuelmsdstanek, lbragstad  ^14:57
zhiyanthen an under layer takes the responsibility to check these rules in particular handling code context14:58
dstaneksamuelms: 'git review -d [last one]' and then rebase14:58
*** lhcheng_ is now known as lhcheng14:58
dstaneksamuelms: is that what you mean?14:58
marekdlbragstad: shall i assume new version automatically answers all my questions? :-)14:59
marekdlbragstad: AE tokens14:59
samuelmsdstanek, hm .. kind of ..14:59
lbragstadmarekd: just published my general responses14:59
samuelmsdstanek, let's take an example14:59
marekdlbragstad: yeah14:59
lbragstadto your questions14:59
marekdjust noticed e-mail14:59
lbragstadmarekd: hopefully that helps14:59
samuelmsdstanek, to start a patch that depends on this .. I do : git review -d 130954 15:00
samuelmsdstanek, this gives me a new branch review/../henrynash .. something like that, right?15:00
lbragstadsamuelms: correct15:00
dstaneksamuelms: yes15:00
bknudsoncherry-pick your changes onto that branch15:00
samuelmsdstanek, then I do: 'git checkout -b bug/<number>' where I'll work15:01
dstaneksamuelms: so you want rebase on top of someone else's work?15:01
samuelmsdstanek, yes .. in fact .. that first patch was rebased to master .. then we have a new patch set15:02
lbragstadsamuelms: I don't think you need to put yourself on a new branch before you do the 'git review -d [number15:02
lbragstadbecause it will do that for you15:02
samuelmslbragstad, I do 'git checkout -b ..' after 'git review -d'15:02
dstaneksamuelms: if the patchset (in this case henry's) changes under you - you would have to pull the most recent version and rebase your changes on top of that15:03
samuelmsdstanek, correct15:03
*** dtturner has quit IRC15:03
marekdlbragstad: maybe i am misunderstanding the whole concept, but it looks to me that you want to make a whole token super short, with just few fields. But i don't get a clear information where the rest of the information for that token will be kept. Do you want to compute it dynamically every time it's actually needed instead of doing a db lookup? Say, I want to use federated authn. All my data, especially my groups will be computed dynamically15:03
*** rharwood has quit IRC15:03
samuelmsdstanek, how should I pull the changes from <patchset> to my local 'review/../henrynash' branch?15:04
bknudsonmarekd: it goes to the server to fetch the whole token15:04
bknudsonmarekd: like with uuid tokens15:04
marekdbknudson: ah-ha, i was imagining that but i think this was not clearly stated in the spec15:04
bknudsonmarekd: so yes, it's computed dynamically every time15:04
samuelmsdstanek, if I go to my untouched  'review/../henrynash' branch and run 'git pull refs/changes/54/130954/22'15:05
lbragstadthe Keystone server would then dynamically do it15:05
dstaneksamuelms: you can use the git fetch command listed on the review to bring in his changes15:05
samuelmsdstanek, I get merge conflicts15:05
marekdbknudson: lbragstad: so its not like uuid tokens.15:05
marekdbknudson: cause uuid was just id and everything was in the DB15:05
dstaneksamuelms: you'll probably have to specify just your commits to rebase too. otherwise git will use all commits up to the common ancestor15:06
bknudsonmarekd: well, there's no reason that uuid tokens can't be changed to work like AE tokens.15:06
lbragstadmarekd: from a workflow perspective it is15:06
bknudsonmarekd: and I would prefer it if they were... if it works for AE then it should work for UUID15:06
lbragstadboth AE tokens and UUID tokens need to return to the server to be validated15:06
lbragstadversus the PKI|z implementation that can be validated on the service side15:06
samuelmsdstanek, right .. so as I left that branch untouched.. I can run : 'git pull -X theirs refs/changes/54/130954/22'15:06
samuelmsdstanek, and then after go back to my 'bug/<bugnumber>' and then run 'git rebase -i review/../henrynash'15:07
marekdlbragstad: bknudson: so the added value is that first validation can be done at the service level, but actually the service must always hit Keystone to get full set of roles, my groups or whatever15:08
marekdlbragstad: bknudson seriously, is it really an advantage to give up IO in favor of bigger CPU work?15:08
bknudsonmarekd: the token doesn't have to be persisted because all the info needed to recreate it is in the token15:08
bknudsonmarekd: and it's smaller than a PKI token15:08
dstaneksamuelms: is that failing?15:08
samuelmsdstanek, no .. :p15:08
samuelmsdstanek, was just wondering if people do like that15:09
dstaneksamuelms: are the conflicts lines you have changed?15:09
bknudsonmarekd: I think it depends on the size of your cloud... if you have servers on the other side of the world you don't want to do IO15:09
lbragstadmarekd: if you think about it at scale, it can be argued that it's easier to scale CPU operations versus replication of I/O bound tokens15:09
samuelmsdstanek, can you enter ?15:10
lbragstadin the case bknudson makes, scaling would mean standing up another API node versus replicating your entire backend store15:10
lbragstadmarekd: this is the token schema (for the sql backend)
lbragstadso every time we POST to /auth/token we write the entire catalog to 'extra'15:11
*** tellesnobrega_ has quit IRC15:11
marekdlbragstad: you are talking about current tokens15:12
lbragstadmarekd: yes15:12
bknudsonwith AE tokens every time a token is validated you'll have to rebuild the catalog15:12
bknudsonwhich is not pretty either15:12
marekdbknudson: lbragstad and backend like token will not be required15:12
marekdin theory..15:13
lbragstadmarekd: your 'backend' would be an AE token implementation that understands the format of the token and knows how to validate and authenticate tokens based on that format15:13
bknudsonbtw - is keystone going to support AE, UUID, and PKI tokens at the same time?15:13
marekdlbragstad: i mean, no tokens or extra information would be stored in the DB15:14
lbragstadmarekd: correct15:14
*** xiaozhi has quit IRC15:14
samuelmsdstanek, you understand what's the problem?15:14
bknudsonwe also have a spec for non-persistent tokens so PKI tokens wouldn't be stored either.15:14
marekdlbragstad: bknudson ok, so let's talk about federation tokens....15:14
lbragstadmarekd: this would change to an ae token driver implementation
dstaneksamuelms: yeah, once my tests are done i'll try it out15:15
samuelmsdstanek, ok15:15
marekdlbragstad: bknudson: having a user_id doesn't really help me as such user doesn't exist and i can only build my data (group_ids) from input data which is very likely no longer available.15:16
marekdas i build it from env variables pushed there by mod_shib15:16
bknudsonif you can't rebuild it later it needs to be in the token15:16
marekdand i do this accessing /v3/OS-FEDERATION/.../auth URL15:16
bknudsonso the AE token would have to contain the group IDs15:17
lbragstadmarekd: so the group id would be in place of a user id15:17
lbragstadmarekd: correct?15:17
marekdlbragstad: no, cause you get a list of groups15:17
bknudsonlbragstad: that sounds like the way to do it15:17
lbragstadmarekd: why a list of groups?15:18
marekdlbragstad: bknudson ^^15:18
marekdlbragstad: cause you have SAML assertion -> list of groups you are a member of15:18
bknudsonit's going to need all that stuff from the token15:18
marekdbknudson: yes :(15:19
lbragstadmarekd: the group ids are always in the format of uuid.uuid4().hex right?15:19
bknudsonall the OS-FEDERATION stuff15:19
marekdlbragstad: no, you could have names too...i think15:19
bknudsonit just means it's a bigger token :(15:19
marekdbknudson: exactly...15:19
lbragstadsome of that could be serialized...15:19
lbragstadlike the protocol15:19
marekdbknudson: and i think this is just a first use case :(15:19
marekdothers may say 'what about trusts? what about this and that?'15:20
bknudsontrusts need to be supported... I think the idea was to put the trust as the scope (i.e., rather than project or domain)15:21
marekdbknudson: aha15:21
marekdlbragstad: bknudson : unscoped tokens?15:21
lbragstadwe also have ``auth_type``15:21
marekdlbragstad: bknudson how about mixing stuff?15:22
lbragstadmixing stuff?15:22
marekdlbragstad: say, we agree to have long and json tokens at first, but we end up with your AE tokens, always scoped to something15:23
*** jacorob has joined #openstack-keystone15:23
marekdsay in our federation example:15:23
marekdusers get unscoped token, with OS-federation stuff inside15:23
marekdbut eventually he wants to scope to domain/project15:23
marekdand his scoped project (something he is actually going to use) could be small AE token.15:24
marekdthis is what i get once i scope my federated token15:24
marekdand this is actually normal token, and looks like AE would be enough.15:24
marekdoh shit...15:25
marekdit won't work :(15:25
marekdkeystone will not be able to check the roles15:25
marekdOS-FEDERATION is in scoped tokens too.15:25
bknudsonthe token also has "methods" in it, so not sure how that's going to be rebuilt from an AE token15:26
*** ayoung is now known as ayoung-dentist15:28
dstaneksamuelms: what review is yours?15:28
*** ayoung-dentist has quit IRC15:28
samuelmsdstanek, in fact I didn't submit it yet ..15:28
samuelmsdstanek, actually I just got it working ..15:28
samuelmsdstanek, probably I had messed something up15:29
dstaneksamuelms: perfect!15:29
lbragstadmarekd: one sec,15:30
samuelmsdstanek, thanks15:30
openstackgerritDavid Stanek proposed openstack/keystone: Adds missing log hints for level E/I/W
openstackgerritDavid Stanek proposed openstack/keystone: Extends hacking check for logging to verify i18n hints
*** NM has joined #openstack-keystone15:31
*** NM has quit IRC15:38
marekdbknudson: is AE a standardized concept?15:39
marekdbknudson: any other example of big scale use?15:39
bknudsonmarekd: my understanding is that rackspace has an impl already15:39
*** wpf has quit IRC15:41
*** junhongl has quit IRC15:41
*** richm1 has joined #openstack-keystone15:42
joesavakyes - we are working on one - it's java right now. We'll start contributing the python version when the spec goes through15:42
bknudsonjoesavak: does it support federation?15:42
*** richm has quit IRC15:42
marekdjoesavak: i added some concerns to the spec15:43
marekdjoesavak: and with lbragstad and bknudson we are discussing them now15:43
joesavakbknudson - in the case of juno - where token is returned in exchange for a SAML construct, yes15:43
joesavakmarekd - awesome15:43
lbragstadmarekd: I'm getting the guy who did the java version of it in here now15:44
*** dimsum__ has quit IRC15:45
marekdsure :-)15:45
*** dimsum__ has joined #openstack-keystone15:45
openstackgerritBrant Knudson proposed openstack/keystone: Correct use of config fixture in test_v3_federation
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - test some websso stuff
lbragstadmarekd: jacorob did a lot of the work in the Java implementation15:46
*** stevemar has joined #openstack-keystone15:47
*** ChanServ sets mode: +v stevemar15:47
bknudsonI bet there's a lot of interfaces and factories15:47
marekdlbragstad: that's what joesavak just said.15:47
dstanekmorganfainberg: are we still looking to get in?15:48
dstanekJava makes me sad15:49
jacoroba tea drinker?15:49
joesavaka snake charmer.15:49
lbragstadjacorob: \o/ welcome to #openstack-keystone!15:49
marekddstanek: why ?15:49
bknudsonlack of multiple inheritance15:49
*** wpf has joined #openstack-keystone15:50
*** junhongl has joined #openstack-keystone15:50
dstanekmarekd: all sorts of reasons - had to use it for too long - culture of huge tools and code generation doesn't help15:50
marekdbknudson: so i guess you hate ANSI C15:51
dstaneklack of properties, meta programming and no duck typing hurts too15:51
bknudsonmarekd: I also hate ANSI C15:51
marekdbknudson: it's not even OOP15:51
marekdbknudson: and what do you like? Apart from Python ?15:51
lbragstadjacorob: marekd and stevemar did a bunch of the federation stuff and they are wondering about how AE tokens will work in the federated case15:51
bknudsonmarekd: C++ ... I also like JavaScript15:51
* lbragstad thinks we should start using lambda moo15:52
* marekd reference ? 15:52
dstaneki also have objective-c15:52
marekdseems to be a nice bridge15:52
marekdah no..doesn't have multiple inheritance15:52
morganfainbergdstanek: it makes sense to get that one in.15:53
lbragstadmarekd: it's legit, array indexing starts at 115:53
jacoroblbragstad: from my perspective fed shouldn’t be different. we don’t store any different info in the token from regular tokens. that said, i’m not necessarily that familiar with the keystone fed15:53
morganfainberglbragstad: no no lambdamoo :P15:54
lbragstadmorganfainberg: :P15:54
dstanekmorganfainberg: did you have time to address the comments? if not i can do it today15:54
dstaneki just have to revisit what you were doing15:55
morganfainbergdstanek: I hope I have time.15:55
dstanekmorganfainberg: ok, i'll ignore it for now15:55
marekdjacorob: we do15:55
lbragstadjacorob: this is what marekd is sending in the token to get an unscoped token:
marekdjacorob: OS-FEDERATION15:55
marekdis created once and there is no way to recreate it later.15:56
lbragstadso the validate case, right marekd15:56
morganfainbergstevemar: any thoughts more on the convo about the split?15:56
stevemarmorganfainberg, not really, i'll still +1 for split, but -1 because as you say, i can't think of a scenario where roles are handled in keystone, and role-assignments are not15:57
jacorobmarekd: so for federated the token is completely self contained - in that no ephemeral user or whatnot is stored on the local system? Ultimately I think AE tokens will need to be flexible in order to allow different data to be included for different use cases. We’re doing that for other scenarios outside of federation.15:58
morganfainbergstevemar: ok, I added the same comment with a -1.15:58
morganfainbergstevemar: thanks for being a sounding board.15:58
marekdjacorob: no user content stored in the backend15:58
marekdactually, you are what you have in the token (today)15:59
marekdjacorob: i was just reviewing lbragstad's spec for AE tokens in OpenStack15:59
marekdjacorob: and wanted to clear out those corner-cases15:59
marekdi have a strange feeling that such constrained token structure may be somewhat troublesome for future features :(16:00
marekdtoday we need OS-FEDERATION in the token, tomorrow OS-SOMETHING16:00
jacorobmarekd: makes sense. ultimately it's just a tradeoff, more data == longer token.16:00
marekdjacorob: yes yes16:00
jacorobi don’t think the structure has to be so constrained though16:00
marekdlbragstad: the only thing i am suggesting is to keep in mind such corner cases16:01
marekdlbragstad: and hopefully mention federated tokens, since we already have this feature in Keystone16:01
marekdjacorob: ok, thanks :-)16:01
jacorobultimately ae tokens is just a wrapper around some constructs. I think the key is just the methods used to generate the token - e.g. encrypt then mac approach, some bytes for versioning, etc16:01
marekdjacorob: it's not always possible.16:02
marekde.g. in case of federated tokens, once you create one you are not able to re-generate it16:02
*** chrisshattuck has quit IRC16:02
stevemardstanek, replied to some of your comments16:02
jacorobnot sure i follow.16:02
marekdjacorob: well, OS-FEDERATION object
marekdis generated from input which is deleted after this operation.16:03
*** chrisshattuck has joined #openstack-keystone16:04
marekdit's federation internal stuff16:04
jacorobunderstand. guess what i’m not understanding is what you’re referring to by “it's not always possible.”16:04
lbragstadmarekd: would it be helpful to build an ae token format around federation specifically?16:04
dstanekstevemar: on which review?16:04
dstanekstevemar: oh wip'ed on?16:05
marekdlbragstad: very likely, but do you want to fill all the possible holes with a custom format, token? :(16:05
stevemardstanek, correct16:05
marekdjacorob: if you don't store extra data like OS-FEDERATION in the token, you will not be able to regenerate the token based on currently proposed fields, so user_id, project_id , ...16:06
stevemarmarekd, did you and jose code most of the cernops websso stuff, or did just he?16:06
lbragstadmarekd: wouldn't a token just need to add those fields in?16:07
lbragstadmarekd: it could extend the ae token implementation to include that extra information16:07
marekdstevemar: i did keystone part16:07
marekdstevemar: mostly, he then tweaked it a little bit later as he needed something else in horizon.16:08
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3
openstackgerritDavid Stanek proposed openstack/keystone: Updates Python3 requirements
openstackgerritDavid Stanek proposed openstack/keystone: Mocks out the memcache library for tests
marekdlbragstad: yes, it could.16:08
openstackgerritDavid Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing
jacorobmarekd: agreed. i don’t see an issue storing additional data based on the needs of the token. basically, the ae wrapper just takes in some construct - a list of fields, a json structure, whatever, and does the encryption/mac to form a token.16:08
*** topol has joined #openstack-keystone16:08
*** ChanServ sets mode: +v topol16:08
marekdlbragstad: jacorob i got impression that the list is fixed...16:09
lbragstadmarekd: it doesn't have to be fixed if the validator understands the format16:10
jacorobi don't think it can be. It needs to be extensible, IMO.16:10
*** jacorob_ has joined #openstack-keystone16:11
*** Viswanath has joined #openstack-keystone16:11
*** jacorob_ has quit IRC16:12
marekdlbragstad: ok16:13
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens
*** Viswanath has quit IRC16:14
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - test some websso stuff
* marekd short and self-validated tokens seem to be a Holy Grail16:16
bknudsonif the token is unscoped, then the auth_token middleware really doesn't have to go to the server to validate16:17
bknudsonif the AE token has got everything16:18
marekdbknudson: but then we are again growing and growing and we may end up actually with PKI token without SC16:18
bknudsonor if it turns out you don't need the catalog then no need to go to the server16:19
bknudsonmarekd: y, I was just remarking that AE tokens are different in that sometimes you don't have to go to the server (unlike UUID tokens)16:20
marekdbknudson: understand.16:21
marekdbknudson: well, what i need to understand is that there is no golden rule16:21
marekdfor the tokens.16:21
marekdlbragstad: anyway, i liked the discussion. Put some light on the whole; at least I did educate myself in your plans.16:22
lbragstadmarekd: no problem, hopefully it helped, it was nice to get that perspective on federation with ae too16:23
*** dimsum__ has quit IRC16:25
*** dimsum__ has joined #openstack-keystone16:26
marekdok, i am out of here16:27
*** marekd is now known as marekd|away16:27
* marekd|away is going to open his ski season16:28
openstackgerritAndre Aranha proposed openstack/keystone: Creating a policy sample
*** richm1 has quit IRC16:29
lbragstadmarekd|away: have fun!16:29
*** dimsum__ has quit IRC16:30
*** jacorob_ has joined #openstack-keystone16:31
openstackgerritDavid Stanek proposed openstack/keystone: WIP: Middleware tests now run under Python3
*** diegows has joined #openstack-keystone16:32
*** nellysmitt has joined #openstack-keystone16:36
*** jacorob has quit IRC16:40
*** jacorob_ is now known as jacorob16:40
*** nellysmitt has quit IRC16:41
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - test some websso stuff
*** Ctina has joined #openstack-keystone16:45
openstackgerritAndre Aranha proposed openstack/keystone-specs: Modify the policy file
openstackgerritAndre Aranha proposed openstack/keystone-specs: Modify the policy file
*** nellysmitt has joined #openstack-keystone16:52
*** ajayaa has quit IRC16:52
*** david-ly_ is now known as david-lyle16:56
*** jsavak has joined #openstack-keystone16:58
*** joesavak has quit IRC17:01
*** _cjones_ has joined #openstack-keystone17:03
*** NM has joined #openstack-keystone17:03
openstackgerritAndre Aranha proposed openstack/keystone: Creating a policy sample
*** NM has quit IRC17:07
dolphmwhy do we attempt two ldap binds during auth? the only difference i see between the first and second is the first includes a limited list of attributes, and the second has attrs=None17:15
*** thiagop has joined #openstack-keystone17:16
bknudsonbind doesn't have a list of attributes17:16
dolphmsorry, there's two binds followed by two nearly identical queries17:17
dolphmbknudson: fwiw i'm just looking at this snippet
bknudsonusually you do a bind as the user to validate the password17:18
bknudsonbut you don't have to do a search afterwards.17:18
*** Ctina_ has joined #openstack-keystone17:20
*** Ctina has quit IRC17:20
dolphmbknudson: but that's not what this is doing, as i read it? it looks like it's just validating the user ID using the ldap service account17:22
bknudsonI assume "dn=CN=phx1-svc,OU=Service Accounts,OU=Org West,DC=hq,DC=corp,DC=org,DC=com simple_bind_s" is validating the password17:23
*** nellysmitt has quit IRC17:24
bknudsonit would have to do a search to get the user DN, which is probably this one: dn=OU=Accounts,DC=hq,DC=corp,DC=org,DC=com, scope=2, query=(&(cn=790eaf8185b14ea28331871c87815a3a)(obj ectClass=person))17:24
bknudsonoh, it binds as the same user twice17:24
dolphmbknudson: but that's binding as the service account, not as the authenticating http api user17:24
*** zzzeek has joined #openstack-keystone17:25
dolphmthe [ldap] user + password17:25
dolphmis the only simple_bind_s in the log, which occurs twice17:25
*** dimsum__ has joined #openstack-keystone17:26
openstackgerritAndre Aranha proposed openstack/keystone: Creating a policy sample
openstackgerritIlya Pekelny proposed openstack/keystone: Comparision of database models and migrations.
*** links has quit IRC17:43
*** RichardRaseley has joined #openstack-keystone17:48
*** ajayaa has joined #openstack-keystone17:50
*** amakarov is now known as amakarov_away17:51
*** harlowja_away is now known as harlowja17:52
rodrigodsbknudson, regarding, are you suggesting to leave the 500 error as it is and create a bug about it?17:54
*** ayoung has joined #openstack-keystone17:59
*** ChanServ sets mode: +v ayoung17:59
ayoungstevemar, marekd|away lets say I use SAML to Horizon, and then Horizon fetches a token from Keystone.   Is there anything in the SAML assertion that Horizon could pass to Keystone to prove that a user actually attempted to connect?18:00
RichardRaseleyIs there any pre-Juno way to have Keystone use its local store for service accounts (e.g. neutron, nova, etc.) and LDAP strictly for user accounts?18:04
stevemarRichardRaseley, not really, it was intended for pre-Juno, but very important bugs were fixed in Juno18:05
RichardRaseleystevemar: OK, thank you. So for any pre-Juno environment the prescribed approach is to pick one or the other before you start provisioning your service accounts.18:06
ayoungRichardRaseley, yep18:06
RichardRaseleyGreat, thanks all for your help.18:07
afaranhaDoes someone know from where the tests read the admin_app ( )?18:07
stevemarRichardRaseley, yeah, it's probably best to create a few service accounts in your ldap... i think, ayoung ?18:07
stevemarits either that or store all your users in sql *yuck!*18:07
ayoungstevemar, there is a compelling reason to move to Juno18:08
RichardRaseleystevemar: Yeah, my thoughts exactly.18:08
RichardRaseleyIt will work for this small pilot environment, but I will add that to my list of compelling reasons to deploy to Juno in production. =]18:08
ayoungRichardRaseley, you can use a Juno Keystone and Icehouse everything else18:08
ayoungstevemar, have you thought about how we should be doing SAML in Horizon?  The more I think about it, the more depressed I get18:13
*** _cjones_ has quit IRC18:13
ayoungits like, only Horizon has enough data to confirm that the user actually attempted to log in18:13
ayoungbut only keystone can sign a token18:13
*** _cjones_ has joined #openstack-keystone18:13
RichardRaseleyayoung: Good to know, thanks.18:14
ayoungif Horizon passed the entire SAML assertion to Keystone, and included its own service username and password...say in a basic-auth style submission,  and we did a policy check on the username to say "this user needs to be able to get a token issued for the real user"18:15
ayoungIt would defend against two classes of attacks.18:15
ayoung1.  Right now, if an attacker eavesdrops on the Horizon conversations, they can harvest users' passwords18:16
ayoung2.  If we instead said that Horizon could issue tokens for any user, the horizon password becomes a huge liability18:16
*** eglynn is now known as eglynn-officeafk18:16
ayoungwe really want to combine service user credentials with a confirmation that the user has an externally granted valid assertion of identity18:17
*** _cjones_ has quit IRC18:22
*** amcrn has joined #openstack-keystone18:25
*** gyee_ has joined #openstack-keystone18:25
*** NM has joined #openstack-keystone18:31
*** _cjones_ has joined #openstack-keystone18:32
*** htruta has quit IRC18:33
*** htruta has joined #openstack-keystone18:36
*** _cjones_ has quit IRC18:45
bknudsonrodrigods: yes, you can leave the 500 error as is since that's what it does, but file a bug and put a note with the bug #18:51
rodrigodsbknudson, ++18:52
*** jistr|mtg has quit IRC19:04
*** saipandi has joined #openstack-keystone19:04
*** _cjones_ has joined #openstack-keystone19:05
*** _cjones_ has quit IRC19:06
*** _cjones_ has joined #openstack-keystone19:06
uvirtbotLaunchpad bug 1395117 in keystone "Create SAML assertion using domain scoped tokens returns 500 (Internal Server Error)" [Undecided,New]19:08
*** _cjones_ has quit IRC19:08
*** _cjones_ has joined #openstack-keystone19:08
stevemarrodrigods, thats for k2k19:09
rodrigodsstevemar, ++ already handling it in
rodrigodsstevemar, can work in a fix for it as well19:10
stevemarrodrigods, split that change up :)19:11
rodrigodsstevemar, any objections to leave the import _ review as it is and fix the bug in a follow on patch?19:12
stevemarrodrigods, none at all19:12
rodrigodsstevemar, ++ thx19:13
*** amcrn has quit IRC19:13
openstackgerritRodrigo Duarte proposed openstack/keystone: Add import i18n to federation/
topoldolphm, you there?19:19
*** radez is now known as radez_g0n319:21
morganfainbergdolphm, dstanek, lbragstad, bknudson, can we remove the "git checkout of ksc" test yet?19:26
morganfainbergi *think* it's not super useful anymore19:27
bknudsonmorganfainberg: If we do then we lose coverage19:27
morganfainbergbknudson, do we? even with the changes to how clients are tested?19:27
bknudsonmorganfainberg: try removing it and check the coverage diff... I think there will be v2 code that's not tested.19:27
morganfainbergoh we're using it for that?19:27
* morganfainberg grumbles.19:27
bknudsonmorganfainberg: yes, it's not just testing the client.19:27
morganfainbergwe need to fix that then.19:28
*** dimsum__ has quit IRC19:29
*** NM has quit IRC19:32
dstanekmorganfainberg: yeah, what bknudson  said19:32
openstackgerritBrant Knudson proposed openstack/keystone: Correct use of config fixture
openstackgerritBrant Knudson proposed openstack/keystone: Add import i18n to federation/
openstackgerritRodrigo Duarte proposed openstack/keystone: Fixes create_saml_assertion() return
openstackgerritRodrigo Duarte proposed openstack/keystone: Fixes create_saml_assertion() return
morganfainbergdidn't we fix this: ?19:41
afaranhaHello, I submitted a spec proposing to change the policy, could you read and give comments?
rodrigodsmorganfainberg, having these errors here on mac as well19:42
morganfainbergrodrigods, fantastic... :(19:42
* morganfainberg wonders where that started from.19:42
rodrigodsmorganfainberg, :( last saturday it was already happening, thought it was some issue in my machine19:43
*** NM has joined #openstack-keystone19:43
morganfainbergclearly it doesn't happen on linux19:44
morganfainbergso .. someone really broke something in LDAP.19:44
morganfainbergnot us likely19:44
afaranhaHaneef, bknudson, ayoung, morganfainberg could you review?19:44
*** NM has quit IRC19:48
openstackgerritMorgan Fainberg proposed openstack/keystone: Make the default cache time more explicit in code
morganfainbergdstanek, ^19:57
*** topol has quit IRC19:59
bknudsonmorganfainberg: fancy!19:59
morganfainbergbknudson, i *think* that addresses the bulk of the code comments you had.20:00
morganfainbergit also makes it much easier to read.20:00
morganfainbergthe hard part was the mocking :P20:00
*** tellesnobrega has quit IRC20:01
dstanek morganfainberg: excellent20:02
morganfainbergwhoops missed removing a line20:02
morganfainbergnext patch incoming20:02
morganfainbergbknudson, ^20:02
morganfainbergugh... wtf... it just passed pep8 now it fails...20:03
morganfainberghm. this might still be broken. please don't review yet.20:04
dstanekmorganfainberg: bknudson: what do you guys think about
morganfainbergdstanek, hm. i do like the idea of comparing models to the actual results of the migrations20:06
bknudsondstanek: I've been thinking about it for a while and am still thinking about it.20:06
dstanekmorganfainberg: but do you like the impl? see my last comment20:08
*** junhongl has quit IRC20:08
* morganfainberg looks.20:09
morganfainbergdstanek, i tend to agree... metaclasses usually imply you're doing it wrong.20:09
morganfainbergmostly because they can do very crazy things... like even change your parent objects out from under you20:10
dstanekin this case it's an implicit factory for test classes; while clever i think it will confuse more than half the people that look at it20:11
morganfainbergi think doing explicit walk + create is more explicit at least20:11
*** junhongl has joined #openstack-keystone20:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Make the default cache time more explicit in code
morganfainbergdstanek, bknudson, ^ ok that should fix the issues with the last patchset *and* fixes commit message.20:15
bknudsonmorganfainberg: probably should have a bug or DocImpact if the config is changing.20:16
morganfainbergis the config actually changing?20:16
* morganfainberg checks20:16
morganfainbergit's been a while since i've looked at this tbh20:16
bknudsonit just moved something from one place to another20:17
bknudsonI like to see bugs for those so it's easy to find.20:17
*** r-daneel has quit IRC20:17
morganfainbergDocImpact makes a bug?20:17
bknudsonmorganfainberg: yes, I think I read somewhere that config changes should have a DocImpact20:18
openstackgerritMorgan Fainberg proposed openstack/keystone: Make the default cache time more explicit in code
morganfainbergbknudson, i wasn't aware of that magic20:19
openstackgerritMorgan Fainberg proposed openstack/keystone: Make the default cache time more explicit in code
*** tellesnobrega has joined #openstack-keystone20:22
*** pc-m has quit IRC20:27
morganfainbergrodrigods, ping re:
morganfainbergrodrigods, did we decide the status of "expand or not expand the refs"20:29
morganfainbergas in was it a security thing to expand the ref or not?20:29
rodrigodsmorganfainberg, yes... we decided to show only the projects the user has access to20:31
morganfainbergah ok20:31
rodrigodsmorganfainberg, for subtree_as_list and parents_as_list20:31
rodrigodswe are proposing new queries subtree_ids and parents_ids which will return only the ids in a structured fashion20:32
*** dimsum__ has joined #openstack-keystone20:34
*** packet has joined #openstack-keystone20:34
boris-42morganfainberg: around?20:37
boris-42morganfainberg: hi20:37
dstanekmorganfainberg: you co-authored your own commit! i knew there were two of you20:38
morganfainbergdstanek, huh?20:38
morganfainbergdstanek, no you owned the change didn't you?20:38
morganfainbergoh it broke your submission20:39
morganfainberglet me fix that20:39
dstanekmorganfainberg: lol20:39
morganfainbergi'll set you co-author? or you want to be primary? i don't care20:39
dstanekco-author is fine20:39
dstanekboris-42: hi20:39
openstackgerritMorgan Fainberg proposed openstack/keystone: Make the default cache time more explicit in code
rodrigodsmorganfainberg, thanks for your review!20:40
morganfainbergrodrigods, comments on
morganfainbergit's close20:40
morganfainbergit really is20:40
boris-42dstanek: hi =)20:40
morganfainbergboris-42, hi i'm here as well, in the middle of a bunch of stuff, but might be able to chat some.20:41
boris-42morganfainberg: so I found some issue with authenticate functionality20:41
boris-42morganfainberg: during that testing of zaqar20:41
boris-42morganfainberg:  take a look here
boris-42morganfainberg: on "failure" tab20:42
boris-42morganfainberg: keystone just died..20:42
boris-42morganfainberg:  i can repeat this in keystone gates if you would like*20:42
morganfainbergboris-42, i'd like to know *what* caused keystone to tip over vs "a list of it tipped over"20:42
morganfainbergif that makes sense?20:42
boris-42morganfainberg: logs enough?20:43
morganfainbergi mean, perhaps.20:43
morganfainbergdepends on what the logs are showing20:43
boris-42morganfainberg: ?20:43
boris-42morganfainberg: just standard dsvm logs20:43
boris-42morganfainberg:  we were running about 50 per/second authentication20:43
boris-42morganfainberg: 2k times20:43
*** NM has joined #openstack-keystone20:43
boris-42morganfainberg:  it means 50 new per second20:44
morganfainbergok where the hell is the keystone log20:44
morganfainbergboris-42, i don't see a keystone log there20:44
morganfainbergam i ... crazy?20:44
bknudsonI think we lost the keystone logs at some point20:44
bknudsonwhen switching to http20:44
boris-42morganfainberg: I can't see it20:44
boris-42bknudson: eh20:45
morganfainbergbknudson, we had them for a while20:45
morganfainbergi know20:45
boris-42bknudson: morganfainberg lemme make patch20:45
boris-42in keystone20:45
dstanekboris-42: died, meaning the process just went away?20:45
bknudsonI tried to put a fix in for it but it doesn't seem to have taken20:45
boris-42dstanek: I don't know not a big guru of keystone20:45
boris-42AuthorizationFailure: Authorization Failed: Unable to establish connection to
morganfainbergbknudson, ok lets see about getting that resolved asap.20:46
boris-42morganfainberg:  just a second20:47
bknudsonLooking for related changes...20:47
openstackgerritBoris Pavlovic proposed openstack/keystone: Test authenticate (DO NOT MERGE)
boris-42bknudson: morganfainberg ^ this should reproduce it in keystone gates20:50
morganfainbergboris-42, ty.20:50
morganfainbergboris-42, we need to chase down our logs first though :P20:50
boris-42morganfainberg: I hope now we will gate keystone logs as well20:50
boris-42morganfainberg: actually you can use that task to repeat it locally *20:50
bknudsonhere's one that was abandoned:
morganfainbergbknudson, my guess is we're just missing the infra "grab the log"20:53
morganfainbergconfig line20:53
*** afazekas has quit IRC20:54
*** ajayaa has quit IRC20:56
*** tsufiev has quit IRC20:56
*** topol has joined #openstack-keystone20:58
*** ChanServ sets mode: +v topol20:58
*** tsufiev has joined #openstack-keystone20:59
openstackgerritMerged openstack/keystone: Adds missing log hints for level E/I/W
*** packet has quit IRC21:03
*** Ctina_ has quit IRC21:05
morganfainbergbknudson, ok yeah that looks like we need that, the "screen" isn't actually logging *i guess*21:07
*** NM has quit IRC21:07
bknudsonmorganfainberg: I've been running locally with eventlet so I can debug, so am not sure what it looks like when run in httpd.21:07
morganfainbergyeah i'll go poke at this a bit more unless infra has a quick answer21:08
bknudsonmorganfainberg: I can restore that one if you want, then see if has a keystone log21:09
morganfainbergmight be good.21:09
*** NM has joined #openstack-keystone21:10
*** NM has quit IRC21:15
bknudsonmorganfainberg: it prints out the config file a billion times.21:17
morganfainbergbknudson, welcome to each worker starting up21:18
morganfainbergbknudson, each time a worker is started it dumps the config, debug mode21:18
bknudsonmorganfainberg: there's a way to have some parts "cached"...21:18
bknudsonI think I had a change for it at one point.21:18
morganfainbergwhat does that mean?21:18
morganfainbergsome parts cached?21:19
morganfainbergwe could make a pre-loader script that isn't keystone.application21:21
morganfainbergsimilar to what we have in httpd/keystone.py21:21
morganfainbergbut specifically for pre-load21:21
bknudsondoes it actually re-read the config file when it starts a worker?21:22
bknudsonthat would be confusing for someone who makes a change not expecting it to take effect21:23
morganfainbergit is a complete application spin-up.21:23
morganfainberghm. well maybe not...21:23
morganfainbergit *might* just start the runtime which does the debug21:23
morganfainbergmy guess is it reloads configs.21:23
morganfainbergyeah. it looks like it reloads the configs21:24
bknudsonnew feature, dynamic config21:24
morganfainbergwelllllll sortof21:24
bknudson"KVS lock acquired for: os-revoke-events acquire" -- sure does acquire this lock a lot21:25
bknudsonis it doing an update?21:25
bknudsonand according to the log it acquires the lock twice anyways:
bknudsonthat's an odd kind of lock21:26
bknudsondebug log considered useless.21:29
bknudsoneven the warnings are useless: 2014-11-19 07:49:19.767491 24840 WARNING keystone.common.wsgi [-] Could not find project: 6144a75d98d9442baa519096cd076a5921:30
bknudsonweird: 2014-11-19 07:45:23.188878 24838 WARNING keystone.common.wsgi [-] Invalid input for field 'enabled'. The value is 'False'.21:32
bknudsonis it just ignored?21:32
-openstackstatus- NOTICE: gating is going offline while we deal with a broken block device, eta unknown21:44
*** ChanServ changes topic to "gating is going offline while we deal with a broken block device, eta unknown"21:44
openstackgerritAbhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool
dolphmmorganfainberg: meeting next week?21:51
bknudsonthose who don't use apache are doomed to reimplement it21:51
dolphmbknudson: tshirt that21:51
morganfainbergdolphm, uhm.21:51
morganfainbergdolphm, oh.21:51
morganfainbergit's that eat too much food holiday21:52
morganfainbergI was thinking we could still meet - but i wont hold it against anyone who is on vacation21:52
dolphmmorganfainberg: THE BEST ONE21:52
bknudsonstevemar and others will be here.21:52
dolphmmorganfainberg: well i'll be around, but figure there might be a bunch of slackers21:52
morganfainbergdolphm, so we'll have a "ok everyone go eat food"21:52
stevemarbknudson, i'm gonna what now?21:53
bknudsonstevemar: you already had your turkey21:53
bknudson2nd monday in october21:54
dolphmstevemar: celebrate your americanism by working next week21:54
stevemarbknudson, you are correct21:54
dolphmmorganfainberg: marekd|away: OH totally got a moka pot today21:54
stevemardolphm, i have no choice, i am forced to hold down the fort21:54
bknudsonthey're smarter in that they don't pile all their holidays together21:54
dolphmstevemar: that's because you don't live in a free country21:54
morganfainbergdolphm, damn it. I kinda want one today...21:54
stevemarbknudson you know too much about us, just convert over21:55
morganfainbergstevemar, you *could* just move.21:55
dolphmmorganfainberg: i got the 3 "cup" one (6oz)21:55
bknudsonmove to buffalo21:55
dolphmit's just like canada except with freedom21:55
morganfainbergdolphm, oh so, Austin Dec, 8, 9, 10. supposed to be meeting with bunch of RAX folks on the 10th afternoon21:55
morganfainbergin the austin office21:55
dolphmmorganfainberg: yeah, i'm on the invite :)21:55
morganfainbergi think you were on that list21:55
morganfainbergjust realized it21:56
*** tellesnobrega_ has joined #openstack-keystone21:57
dolphmmorganfainberg: i'll be there21:58
dstaneki'll be here next week too :-(22:02
dstaneki had some functional testing stuff to talk about next week. should i just hold on to it until 12/2?22:04
dstanekmorganfainberg: to spec or not to spec
*** topol has quit IRC22:05
morganfainbergi think that is one we toss on the list to say "no spec needed"22:06
rodrigodsmorganfainberg, ping re: . In a previous patch, we made the HM calls from LDAP to return "default" values instead of raising NotImplemented:
morganfainbergrodrigods, if its a default value *or* a notimplemented doesn't matter to me22:08
morganfainbergas long as we *test* for that response22:08
morganfainbergmeans someone wont wedge something in and change behavior22:08
morganfainbergrather than skipping the test22:08
rodrigodsmorganfainberg, cool... thanks22:08
morganfainbergdolphm, i might ask you to cover the 1:1 Release meeting on Tuesday the 9th. depends on how busy i am that day.22:13
morganfainbergdolphm, if you're open to it.22:13
dolphmmorganfainberg: happy to22:13
morganfainbergdolphm, cool. yeah not sure how impacted my time will be that day. hopefully not too bad, but we'll see22:13
bknudsonI'm going to start buying up RAX stock now.22:14
dolphmmorganfainberg: actually, when is your new timeslot?22:14
morganfainbergdolphm, uhm sec22:14
dolphmbknudson: =)22:14
morganfainbergdolphm, 1700 UTC (9am Pacific) - 171022:16
dolphmmorganfainberg: k22:16
* dolphm recently bought a digital wall clock for my office and set it to UTC22:17
morganfainbergi actually defaulted back to using Outlook because exchange *can* do UTC meetings22:19
morganfainbergdolphm, i also have in the new notification center on the mac a UTC clock ;)22:19
morganfainbergyay widgets!22:20
dstaneki wish google would do that :-(  makes things so much harder22:20
morganfainbergdstanek, i *hear* you can make a custom timezone.22:20
morganfainbergi haven't successfully done it though22:21
dolphmmorganfainberg: that might be a useful widget!22:21
dolphmnever heard of such a thing22:21
morganfainbergdolphm, yeah i have West Coast, UTC, Central, Eastern, and Brisbane22:21
dstanekmorganfainberg: i started to use iceland's timezone because it's UTC with no DST22:21
dolphmcan you set timezones in owa?22:22
morganfainbergdstanek, I see a GMT +0 NO DST22:23
morganfainbergdolphm, no :(22:23
morganfainbergdolphm, or at least i wasn't able to figure out how.22:23
morganfainbergdstanek, in google now. let me try setting a meeting there (I can create a calendar in that timezone)22:23
morganfainbergdstanek, yeah the only way I think it works is you make a whole calendar that is in GMT +0 No DST22:25
morganfainbergdstanek, then assign things to that calendar22:25
morganfainbergdstanek, lame. why can't i just set the timezone of a meeting.22:25
dstanekmorganfainberg: hmm, maybe i'll give that a try22:25
dstanekif i set the timezone of a meeting it auto converts :-(22:25
*** dims_ has joined #openstack-keystone22:26
morganfainbergdolphm, OWA doesn't seem to know how to do timezones.22:27
morganfainbergdolphm, but Outlook (ugh) does.22:27
morganfainbergyes i'm using the mac version22:27
*** richm1 has joined #openstack-keystone22:29
dolphmmorganfainberg: i'm so sorry22:29
morganfainbergdolphm, i actually only use it to schedule things in UTC22:29
morganfainbergon my calendar22:29
*** dimsum__ has quit IRC22:29
dolphmmorganfainberg: my condolences22:30
*** NM has joined #openstack-keystone22:46
*** tellesnobrega_ has quit IRC22:47
*** jsavak has quit IRC22:50
*** tellesnobrega_ has joined #openstack-keystone22:56
*** packet has joined #openstack-keystone22:56
*** gordc has quit IRC22:56
*** bknudson has quit IRC22:58
*** htruta_ has joined #openstack-keystone23:08
*** chrisshattuck has quit IRC23:16
*** chrisshattuck has joined #openstack-keystone23:16
*** dims_ has quit IRC23:16
*** edmondsw has quit IRC23:17
*** dimsum__ has joined #openstack-keystone23:19
*** packet has quit IRC23:25
*** RichardRaseley has quit IRC23:44
*** dimsum__ has quit IRC23:55
*** dimsum__ has joined #openstack-keystone23:55
*** dimsum__ has quit IRC23:56
*** dimsum__ has joined #openstack-keystone23:57

Generated by 2.14.0 by Marius Gedminas - find it at!