Tuesday, 2014-11-25

« Monday, 2014-11-24 Index Wednesday, 2014-11-26 »
*** kobtea has quit IRC00:00
*** dims has quit IRC00:03
*** sigmavirus24 has left #openstack-keystone00:03
*** dims has joined #openstack-keystone00:03
*** nkinder has joined #openstack-keystone00:05
*** gordc has quit IRC00:05
*** dims has quit IRC00:08
bknudsonwhat if rather than remove the keystoneclient tests we changed it so that it runs the tests with a keystoneclient in the venv (instead of checkout)?00:12
bknudsonwould that be an improvement?00:12
bknudsonremoving the keystoneclient tests makes a lot of code uncovered00:13
bknudsonand it's going to take a lot of work to get the coverage back up00:13
morganfainbergbknudson, since we're not using it as a master ksc vs <vintage of keystone> really anymore00:14
morganfainbergthat seems like a good choice, just use the ksc in the venv, we *do* require it00:14
bknudsonI'll try making that change... should be pretty easy00:14
*** david-lyle is now known as david-lyle_afk00:17
*** chrisshattuck has quit IRC00:18
*** _cjones_ has quit IRC00:18
*** dims has joined #openstack-keystone00:21
*** _cjones_ has joined #openstack-keystone00:23
jamielennoxlbragstad: so one of the people in the audience of the session in paris asked to please not encrypt data that isn't necessarily private. do we consider the information within the AE token private?00:24
jamielennoxis it a security risk to expose those parameters to anyone who can grab the token anyway?00:25
*** ncoghlan is now known as ncoghlan_afk00:26
morganfainbergjamielennox, afaik no00:26
jamielennoxmorganfainberg: i can't think of a reason it is - so is there a reason to encrypt the payload?00:27
morganfainbergnah, but an HMAC is required.00:27
morganfainbergat the very least00:27
morganfainbergsomething keystonec an use to validate00:27
jamielennoxsure00:27
*** ncoghlan_afk is now known as ncoghlan00:28
jamielennoxnot questioning that at all00:28
*** dims has quit IRC00:31
*** dims has joined #openstack-keystone00:31
*** dims has quit IRC00:36
*** david-lyle_afk has quit IRC00:45
*** tellesnobrega_ has joined #openstack-keystone00:51
jamielennoxbknudson: posted https://review.openstack.org/#/c/136931/ for nova->neutron00:54
*** Mario_ has joined #openstack-keystone00:54
bknudsonjamielennox: cool!00:55
bknudsonjamielennox: so it can use v3 auth now?00:55
bknudsonseems like every use of session needs a custom auth plugin...00:56
bknudsonnot sure that's how it was supposed to work00:56
jamielennoxhmm, that's the idea, i had it configured to run with v2.Password in devstack - i should test v300:56
jamielennoxbknudson: yea, it's getting annoying, essentially it's just creating a default plugin which replicates the existing config structure00:57
bknudsonit would be nice if some old behavior that requires it could at least be deprecated00:57
jamielennoxbknudson: in this case i could probably just have the options always defined and create a v2.Password or token_endpoint.Token and use that but i wanted to get the old options out of the list00:58
jamielennoxthe idea would be to deprecate that whole plugin00:59
jamielennoxalso that PluginProxy can go away when neutronclient starts accepting my patches00:59
jamielennoxgot sick of waiting for them01:00
*** tellesnobrega_ has quit IRC01:01
openstackgerritwanghong proposed openstack/python-keystoneclient: remove the value convert that no logger needed  https://review.openstack.org/13250001:03
*** tellesnobrega_ has joined #openstack-keystone01:04
*** r-daneel has quit IRC01:07
openstackgerritBrant Knudson proposed openstack/keystone: Keystoneclient tests from venv-installed client  https://review.openstack.org/13663601:09
openstackgerritBrant Knudson proposed openstack/keystone: Cleanup test-requirements for keystoneclient  https://review.openstack.org/13693901:09
jamielennoxbknudson: v3 works fine with tyhat patch01:11
*** diegows has quit IRC01:12
*** david-lyle_afk has joined #openstack-keystone01:14
openstackgerritBrant Knudson proposed openstack/keystone: Remove unused testscenarios requirement  https://review.openstack.org/13694001:21
bknudsonjamielennox: you can set the domain?01:21
jamielennoxbknudson: yes01:22
bknudsonsweet01:22
jamielennoxbknudson: relevant config file section in nova.conf http://paste.openstack.org/show/137809/01:22
jamielennoxcan set v3password and add /v3 to auth url if you want to check - bug the password plugin will always go to v3 if domains are present01:23
jamielennoxs/bug/but01:23
bknudsoncan you regenerate the config file and post it?01:24
bknudson(the sample config)01:24
jamielennoxbknudson: won't change much from generated i think because it will have the old config options01:24
jamielennoxby dfeualt01:24
bknudsonI don't think project_name was used before... wasn't it tenant_name?01:25
jamielennoxyes01:25
jamielennoxproject_name is a value from the password plugin01:26
bknudsonjamielennox: you going to change devstack to set it to use v3 auth?01:26
jamielennoxbknudson: yes, i had a POC a while ago to do that, it wasn't a hard change01:26
jamielennoxthe cinder one is merged now so i guess i can start on that01:27
*** tellesnobrega_ has quit IRC01:28
jamielennoxso nova sample config generator doesn't work with the cmd given in the readme01:28
bknudsonjamielennox: your pasted config has "username" but the option in the review is "admin_username"01:28
*** tellesnobrega_ has joined #openstack-keystone01:28
bknudsonjamielennox: nova tox.ini calls it genconfig01:29
jamielennoxbknudson: so what is happening is when you specify auth_plugin=username instead of using the (i think i called it) DefaultAuthPlugin which contains all the admin_username etc options it loads the options for the username plugin01:29
jamielennoxthe username plugin specifies the username, project_id, project_domain_id etc options01:29
bknudsonoh, you set the plugin01:29
jamielennoxif you don't specify an auth_plugin = then you get the default one which will load up all the old values01:30
jamielennoxs/username plugin/password plugin01:30
bknudsonand the sample config file has all these options?01:30
jamielennoxbknudson: still generating the tox env - however it won't by default01:31
bknudsonhow is anybody going to know that they can use these other options with a different value for auth_plugin?01:31
jamielennoxauth_plugin will always be there, but the additional options are going to be dependant on the value of auth_plugin=01:31
jamielennoxright - good unsolved question01:32
jamielennoxso loading from plugin lets you do auth_section01:32
jamielennoxso you can say [neutron] auth_section = neutronpassword [neutronpassword] auth_plugin = password ....01:33
openstackgerritBrant Knudson proposed openstack/keystone: Remove requirements not needed by oslo-incubator modules anymore  https://review.openstack.org/13694101:33
jamielennoxso 1 idea is to just generate a couple of 'sections' that would contain like the password default values (as that is the plugin i expect everyone to use)01:34
jamielennoxbut a driving force here is to allow someone to do like client cert auth from neutron, possibly kerberos and we can't just add everything to the config01:35
bknudsonjamielennox: sample sections for configurations that are recommended seems like it would be adequate.01:36
bknudsone.g., the old config options and password for v3 auth.01:36
*** dims has joined #openstack-keystone01:42
*** htruta_ has quit IRC01:44
*** tellesnobrega_ has quit IRC01:45
openstackgerritBrant Knudson proposed openstack/keystone: Keystoneclient tests from venv-installed client  https://review.openstack.org/13663601:50
*** gyee_ has quit IRC01:55
*** _cjones_ has quit IRC01:58
*** dims has quit IRC02:00
*** dims has joined #openstack-keystone02:00
*** dims has quit IRC02:05
*** ncoghlan is now known as ncoghlan_afk02:06
*** erkules_ has joined #openstack-keystone02:29
*** erkules has quit IRC02:31
openstackgerritWill Foster proposed openstack/keystone: LP: #1395959: skip assignment table inserts when migrating schema from H to I if duplicate entries exist  https://review.openstack.org/13694602:32
*** amcrn has quit IRC02:37
openstackgerritWill Foster proposed openstack/keystone: LP #1395959: skip assignment table inserts when duplicate entries are present or else keystone-manage db_sync fails, also fixing whitespace.  https://review.openstack.org/13694802:39
uvirtbotLaunchpad bug 1395959 in keystone "assignment table migration fails for keystone-manage db_sync if duplicate entry exists" [Undecided,New] https://launchpad.net/bugs/139595902:39
*** esp has quit IRC02:43
*** esmute has quit IRC02:44
*** tellesnobrega_ has joined #openstack-keystone02:49
openstackgerritMerged openstack/keystone: Add WSGIPassAuthorization to OAuth docs  https://review.openstack.org/13438802:53
*** KanagarajM has joined #openstack-keystone02:54
openstackgerritMerged openstack/keystone: Speed up memcache lock  https://review.openstack.org/13674902:57
openstackgerritWill Foster proposed openstack/keystone: LP #1395959: Skip assignment table inserts during db_sync if duplicate entries present. Change-Id: I394a0391ee074c3ee79bdb06391fc4d5fb9067a9  https://review.openstack.org/13694603:08
uvirtbotLaunchpad bug 1395959 in keystone "assignment table migration fails for keystone-manage db_sync if duplicate entry exists" [Undecided,New] https://launchpad.net/bugs/139595903:08
*** dnalezyt has quit IRC03:11
*** ncoghlan_afk is now known as ncoghlan03:21
*** richm has quit IRC03:25
*** kobtea has joined #openstack-keystone03:33
*** KanagarajM has quit IRC03:36
*** kobtea has quit IRC03:38
*** erkules_ is now known as erkules04:15
*** esp has joined #openstack-keystone04:27
*** stevemar has quit IRC04:36
*** oomichi has quit IRC04:38
*** _cjones_ has joined #openstack-keystone04:59
*** _cjones_ has quit IRC05:03
*** esmute has joined #openstack-keystone05:04
*** chrisshattuck has joined #openstack-keystone05:06
*** mikedillion has quit IRC05:09
*** jamielennox has quit IRC05:11
*** jamielennox has joined #openstack-keystone05:11
*** ChanServ sets mode: +v jamielennox05:11
*** chrissha_ has joined #openstack-keystone05:16
*** chrisshattuck has quit IRC05:17
*** ncoghlan is now known as ncoghlan_afk05:22
openstackgerritAndrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list  https://review.openstack.org/13223505:26
*** amerine has quit IRC05:27
*** ncoghlan_afk is now known as ncoghlan05:28
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add --os-user-id to generic password plugin  https://review.openstack.org/13696805:29
*** oomichi has joined #openstack-keystone05:32
*** ajayaa has joined #openstack-keystone05:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/13624306:05
*** renlt has joined #openstack-keystone06:06
*** zzzeek has quit IRC06:16
*** k4n0 has joined #openstack-keystone06:24
*** xiaozhi has joined #openstack-keystone06:26
*** _cjones_ has joined #openstack-keystone06:33
*** ajayaa has quit IRC06:35
*** _cjones_ has quit IRC06:39
*** _cjones_ has joined #openstack-keystone06:39
*** ukalifon has joined #openstack-keystone06:46
*** lhcheng has joined #openstack-keystone06:52
*** ajayaa has joined #openstack-keystone06:54
zhiyanayoung: there regular expressions are applied on image's properties but oslo config. btw, sorry for delay response, due to timezone issue.06:55
*** harlowja is now known as harlowja_away07:01
*** lhcheng has quit IRC07:08
*** kobtea has joined #openstack-keystone07:10
openstackgerritSergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/11838307:12
*** chrissha_ has quit IRC07:13
*** lhcheng has joined #openstack-keystone07:14
*** ncoghlan has quit IRC07:14
*** kobtea has quit IRC07:15
*** ajayaa has quit IRC07:47
*** jamielennox is now known as jamielennox|away07:49
*** drjones has joined #openstack-keystone08:03
*** _cjones_ has quit IRC08:06
*** ajayaa has joined #openstack-keystone08:10
*** lhcheng has quit IRC08:15
*** lhcheng has joined #openstack-keystone08:15
*** jistr has joined #openstack-keystone08:18
*** drjones has quit IRC08:18
*** ukalifon has quit IRC08:27
*** afazekas has joined #openstack-keystone08:34
openstackgerritAndrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list  https://review.openstack.org/13223508:41
*** ajayaa has quit IRC08:45
*** ajayaa has joined #openstack-keystone08:46
*** bdossant has joined #openstack-keystone08:56
*** ajayaa has quit IRC09:00
*** ukalifon has joined #openstack-keystone09:05
*** ajayaa has joined #openstack-keystone09:10
*** svasheka has quit IRC09:11
openstackgerritwanghong proposed openstack/python-keystoneclient: remove the value convert that no logger needed  https://review.openstack.org/13250009:22
*** renlt has quit IRC09:25
*** oomichi has quit IRC09:33
*** jistr has quit IRC09:33
*** nellysmitt has joined #openstack-keystone09:39
*** aix has quit IRC09:51
*** jistr has joined #openstack-keystone10:03
*** aix has joined #openstack-keystone10:17
*** xiaozhi has quit IRC10:28
*** xiaozhi_ has joined #openstack-keystone10:35
*** xiaozhi_ has quit IRC10:40
*** NM has joined #openstack-keystone10:43
*** kobtea has joined #openstack-keystone10:48
*** diegows has joined #openstack-keystone10:52
*** kobtea has quit IRC10:52
openstackgerritMarek Denis proposed openstack/keystone: Scope federated token with 'token' identity method  https://review.openstack.org/13059310:52
openstackgerritMarek Denis proposed openstack/keystone-specs: Scope federated tokens with ``token`` auth method.  https://review.openstack.org/13702011:06
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improves List Role Assignment Tests  https://review.openstack.org/13702111:11
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests  https://review.openstack.org/13702111:13
bretonhi11:15
bretoncan /tokens/revoked be called when uuid is used as token provider?11:15
*** lhcheng has quit IRC11:16
*** aix has quit IRC11:18
*** _cjones_ has joined #openstack-keystone11:19
*** k4n0 has quit IRC11:20
*** dims has joined #openstack-keystone11:20
*** _cjones_ has quit IRC11:24
*** henrynash has joined #openstack-keystone11:24
*** ChanServ sets mode: +v henrynash11:24
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Create a framework for federation plugins  https://review.openstack.org/13056411:25
*** aix has joined #openstack-keystone11:31
openstackgerritChristian Berendt proposed openstack/keystone: Log the username when using an invalid username or password  https://review.openstack.org/12886011:40
*** lhcheng has joined #openstack-keystone11:54
*** lhcheng has quit IRC11:59
*** lhcheng has joined #openstack-keystone12:10
*** NM has quit IRC12:15
*** NM has joined #openstack-keystone12:17
*** lhcheng_ has joined #openstack-keystone12:21
*** diegows has quit IRC12:23
*** lhcheng has quit IRC12:24
*** tellesnobrega_ has quit IRC12:25
*** NM has quit IRC12:29
*** bdossant_ has joined #openstack-keystone12:31
*** bdossan__ has joined #openstack-keystone12:32
*** jistr is now known as jistr|english12:32
*** bdossant has quit IRC12:34
*** bdossant_ has quit IRC12:35
*** bdossant has joined #openstack-keystone12:44
*** bdossan__ has quit IRC12:45
*** viktors|afk has left #openstack-keystone12:45
*** bdossant_ has joined #openstack-keystone12:47
*** bdossant has quit IRC12:49
*** NM has joined #openstack-keystone12:51
*** amakarov_away is now known as amakarov12:58
*** NM has quit IRC13:07
*** NM has joined #openstack-keystone13:07
*** NM has quit IRC13:08
samuelmshenrynash, morning13:11
henrynashsamulems: morning13:11
samuelmshenrynash, once we have your patch for splitting out the actual assignment backend .. we'll need to split out the tests, right?13:11
henrynashsamulems: yes13:11
samuelmshenrynash, can I grab this?13:11
henrynashsamulems: sure!!!!13:11
samuelmshenrynash, :)13:11
henrynashsamulems: and in the resource piece, teh code should call resoruce where requied etc.13:12
samuelmshenrynash, sure13:12
samuelmshenrynash, I saw morgan's thoughts about the role placement ..13:12
samuelmshenrynash, he's for placing the role on assignment instead of on resource, right?13:13
henrynashsamulems: I sent something to the dev list earlier today on this….and have it on the agenda for tonights calll13:13
samuelmshenrynash, perfect ! will follow and share my opinion .. thanks13:13
henrynashsamulems: yes, he is making the argument for leaving role definition in the “assignment” piece13:13
samuelmshenrynash, for me that makes sense (if you wanna discuss a bit about this)13:14
henrynashsamulems: I’m open to people’s arguments either way13:14
henrynashsamulems: please comment on the list, really want to get people’s views...13:15
samuelmshenrynash, ok :)13:15
*** NM has joined #openstack-keystone13:15
*** NM has quit IRC13:22
openstackgerritAlexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859013:30
openstackgerritAlexander Makarov proposed openstack/keystone: Trust redelegation  https://review.openstack.org/12689713:33
*** NM has joined #openstack-keystone13:34
*** NM has quit IRC13:34
*** kobtea has joined #openstack-keystone13:37
*** gordc has joined #openstack-keystone13:40
*** kobtea has quit IRC13:42
openstackgerritChristian Berendt proposed openstack/keystone: Log the username when using an invalid username or password  https://review.openstack.org/12886013:52
*** bdossant_ has quit IRC13:56
*** bdossant_ has joined #openstack-keystone13:56
*** dims has quit IRC13:57
*** dims has joined #openstack-keystone13:58
*** NM has joined #openstack-keystone13:59
*** bdossant_ has quit IRC13:59
*** bdossant has joined #openstack-keystone14:01
*** diegows has joined #openstack-keystone14:05
*** NM has quit IRC14:06
*** richm has joined #openstack-keystone14:08
*** jistr|english is now known as jistr14:13
*** nkinder has quit IRC14:14
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095414:21
*** joesavak has joined #openstack-keystone14:23
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263414:24
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352514:26
*** raildo has quit IRC14:27
lbragstadmorganfainberg: jamielennox|away re: service['name']14:32
lbragstadmorganfainberg: jamielennox|away are we still going to require that a user supplies it?14:32
openstackgerritLance Bragstad proposed openstack/keystone: Move functional tests to keystone/tests/functional  https://review.openstack.org/13355614:35
mkodererhi folks, one question to keystone with ldap backend.. where does the initial admin user come from? I didn't find a ldif for that..14:49
*** r-daneel has joined #openstack-keystone14:51
*** bdossant has quit IRC15:01
openstackgerritLance Bragstad proposed openstack/keystone: Migration script for adding name to service table  https://review.openstack.org/13691715:01
*** josecastroleon has joined #openstack-keystone15:03
*** bdossant has joined #openstack-keystone15:03
*** nkinder has joined #openstack-keystone15:06
*** afazekas has quit IRC15:11
*** david-lyle has joined #openstack-keystone15:30
*** ayoung has quit IRC15:33
*** ayoung has joined #openstack-keystone15:33
*** ChanServ sets mode: +v ayoung15:33
*** henrynash has quit IRC15:38
*** david-lyle has quit IRC15:43
bknudsonbtw, if you're getting NOT_REGISTERED from gate-tempest-dsvm-src-keystonemiddleware-icehouse or client reviews, seems like it's been fixed so should just recheck15:51
*** ukalifon has quit IRC16:02
*** bdossant has quit IRC16:02
rodrigodsbknudson, ++ thx!16:03
openstackgerritJulien Danjou proposed openstack/keystone: Remove Python 2.6 classifier  https://review.openstack.org/13712016:03
*** david-lyle_afk is now known as david-lyle16:07
*** bdossant has joined #openstack-keystone16:08
*** chrisshattuck has joined #openstack-keystone16:10
*** NM has joined #openstack-keystone16:12
*** bdossant has quit IRC16:15
*** raildo has joined #openstack-keystone16:15
*** bdossant has joined #openstack-keystone16:16
*** radez is now known as radez_g0n316:17
*** bdossant has quit IRC16:17
*** bdossant has joined #openstack-keystone16:18
morganfainbergmorning16:19
*** mflobo has quit IRC16:19
*** mflobo has joined #openstack-keystone16:21
*** bdossant has quit IRC16:22
*** bdossant_ has joined #openstack-keystone16:23
dstanekmorning16:23
ayoungdolphm, link at the end of http://dolphm.com/openstack-kilo-design-summit-outcomes/  for HTM is a 404  should be http://dolphm.com/hierarchical-multitenancy/      but is    http://dolphm.com/hierarchial-multitenancy/ .... I se no difference between those urls, but empirically I know they differ16:25
*** zzzeek has joined #openstack-keystone16:25
ayoungah...missing a c in the latter url "hierarchial"16:25
ayoungmkoderer, it doesn't16:25
ayoungmkoderer, if you do an LDAP backend, you need to assign the admin role to a user using the admin_token16:26
*** bdossant_ has quit IRC16:27
ayoung"Hierarchical Multitenancy"  sounds best in 9/4 time.16:28
openstackgerritAlexander Makarov proposed openstack/keystone: Trust redelegation  https://review.openstack.org/12689716:32
raildoayoung, about HM, I include 2 topics in the keystone meeting :)16:33
raildohttps://wiki.openstack.org/wiki/Meetings/KeystoneMeeting16:33
ayoungraildo, yeah, but did you try singing the words in 9/4/ time?16:33
ayoungremember to stress rar,  mul  and ten....16:34
raildoayoung, no hahaha16:34
raildoI'm a terrible singer16:34
ayounghie-RAR-chi-cal MUL-ti-TEN-an-cy16:34
ayoungYou're Brazilian, no?  That means you automatically have like 5 times more rhythm than the rest of us, or so I've been told.16:35
raildoyes, i'm brazilian hahahaha16:36
* ayoung goes to put on some Jobim....16:36
raildoayoung, ++16:37
openstackgerritAlexander Makarov proposed openstack/keystone: Trust redelegation  https://review.openstack.org/12689716:37
*** NM has quit IRC16:37
*** ajayaa has quit IRC16:39
*** NM has joined #openstack-keystone16:43
*** _cjones_ has joined #openstack-keystone16:44
*** NM has quit IRC16:44
*** fifieldt has quit IRC16:45
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154116:46
htrutaayoung: you should listen to some frevo! remember?16:46
ayounghtruta, oooh...good idea.16:47
*** NM has joined #openstack-keystone16:47
ayounghtruta, finding good things at random...but any suggestions?16:49
htrutaayoung: you can search for Frevo Mulher from Ze Ramalho and Morena Tropicana from Alceu Valença16:51
ayoungthaks16:51
ayoungthanks16:51
*** thedodd has joined #openstack-keystone16:52
morganfainbergdolphm, also your link to "Morgan Fainberg to cover"16:54
morganfainbergdolphm, links to your current page ;)16:54
dolphmmorganfainberg: wtf lol16:54
dolphmmorganfainberg: yes it does16:54
morganfainbergdolphm, hehe16:54
dolphmmorganfainberg: fixed16:54
morganfainbergaha yep16:55
morganfainbergbetter16:55
ayounghtruta, its all over the place...accordian, punk...reggae...16:55
*** agireud has joined #openstack-keystone16:56
ayoungdolphm,  still need to get the link at the bottom of the page for HTM16:56
*** radez_g0n3 is now known as radez16:56
htrutaayoung: haha... yeah... there are lots of kinds of this style... this one is kinda mixed with forró, that's why the accordian16:57
*** NM has quit IRC16:57
ayounghtruta, Guess I need to get me a Black Fedora.16:58
htrutaayoung: hahaha16:59
*** NM has joined #openstack-keystone16:59
*** NM has quit IRC16:59
ayounghtruta, actully , I really want a black Pork Pie Hat.  Closer to what Alceu Valença  is wearing,  and goes with my last name, too.17:01
gabriel-bezerraayoung: listen to this: http://grooveshark.com/s/Vassourinhas/6Nz6rk?src=5 while you see this: https://www.google.com.br/search?q=carnaval+olinda&espv=2&biw=1855&bih=993&source=lnms&tbm=isch&sa=X&ei=F7V0VKXsK9aQsQS_0IGACQ&ved=0CAYQ_AUoAQ17:01
gabriel-bezerrathat's frevo :)17:02
gabriel-bezerraor this may sound more like being there in the crowd http://grooveshark.com/s/Abertura+Z+Pereira+Vassourinhas/4h1sib?src=517:02
htrutagabriel-bezerra: I showed vassourinha to him in Paris... He also learned how to dance frevo hahaha17:03
htrutabut I think it was the bourbon's fault17:03
gabriel-bezerraayoung: and this as well http://grooveshark.com/s/Voltei+Recife+Silv+rio+Pessoa/51vs9r?src=517:04
gabriel-bezerrahtruta: Nice!17:05
gabriel-bezerra:)17:05
morganfainbergzzzeek, https://bugs.launchpad.net/oslo.db/+bug/137449717:05
uvirtbotLaunchpad bug 1374497 in oslo.db/juno "change in oslo.db "ping" handling is causing issues in projects that are not using transactions" [High,Fix released]17:05
zzzeekyeah…didnt we have fixes in for that?17:05
morganfainbergzzzeek, we did in oslo.db, but i keep hearing people having issues with SQL backends dropping out17:06
morganfainbergzzzeek, not sure if it's something else or related.17:06
morganfainbergzzzeek, so trying to figure out if i need to find someone to take this on before K117:06
zzzeekmorganfainberg: well current oslo.db should be doing things in this area the same way as before17:06
morganfainbergto fix the keystone side.17:07
morganfainbergthat is.17:07
morganfainbergor can i punt this to when EngineFacade is fixed?17:07
zzzeekmorganfainberg: how can i get people to pull me in when they observe database issues?   I’m finding i have to go searching to find them, then to see people doing the wrong solution17:07
morganfainbergzzzeek, you've been in here for some of the convos i think17:08
zzzeekmorganfainberg: um if this is less stable beahvior than we had before w oslo.db it has to be fixed as is first, enginefacade is longer term as that requires projects to migrate to it17:08
zzzeekmorganfainberg: just found sahara doing it wrong with an alembic regression, for example17:08
morganfainbergzzzeek, well i haven't had a solid duplication of the complaints so far17:08
zzzeeki totally announced about alembic on the ML the other day, please contact me, etc., why dont they contact me?17:09
*** dims has quit IRC17:09
zzzeekmorganfainberg: ok these are all keystone?17:09
morganfainberg"my dployment see XXX", me: how do we duplicate, "uhhh... my deployment"17:09
morganfainbergyeah it's all been keystone focused.17:09
zzzeekmorganfainberg: and what oslo.db are they using?17:09
morganfainbergzzzeek, i'll start asking. that might be it17:09
morganfainberghopefully the fixed one or later ;)17:09
zzzeekmorganfainberg: b.c the issue with this one was, i thought ping at tranascvtion boundary was good enoguh but then it turns out it wasnt17:10
morganfainbergright17:10
morganfainbergi remember17:10
zzzeekso i reverted it back to on every connect17:10
morganfainbergok for now i'm going to punt this out of K1 and say we'll catch this when EngineFacade is fixed and we migrate.17:10
morganfainbergi wont close the bug as it's tracking that we shouldn't be using session like this...but that'll go away17:10
zzzeekmorganfainberg: Ok but if someone has thsi now lets capture their environemnt17:10
morganfainbergyeah17:10
morganfainbergwill do.17:11
zzzeekb.c. need to make sure we get this right17:11
morganfainbergyep.17:11
bknudsonzzzeek: I tried the fix for https://bugs.launchpad.net/oslo.db/+bug/1374497 on my dev system and it seemed to work as expected.17:11
uvirtbotLaunchpad bug 1374497 in oslo.db/juno "change in oslo.db "ping" handling is causing issues in projects that are not using transactions" [High,Fix released]17:11
morganfainbergzzzeek, thanks :)17:11
morganfainbergbknudson, same.17:11
bknudsonso not sure what else has to happen in keystone17:11
zzzeekmy irc client is b0rking, one moment17:12
*** zzzeek has left #openstack-keystone17:12
bknudsonwhen I've seen complaints is because they've got an older oslo.db17:12
*** zzzeek has joined #openstack-keystone17:12
bknudson(without the fix)17:12
morganfainbergbknudson, thats good enough for me.17:12
morganfainbergbknudson, i'm just looking to punt stuff off the milestone that we don'17:13
morganfainbergt need17:13
morganfainbergand we don't need that one17:13
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154117:13
morganfainbergbut we shouldn't be using session in autocommit. We'll fix that moving to enginefacade17:13
morganfainbergwhen it's fixed/redesigned17:13
zzzeekwhich I still have to write :)17:13
morganfainbergzzzeek, yep. so it's not K1 for us ;)17:13
bknudsonif there's a bp for it already then I don't think we need another bug.17:14
morganfainbergbknudson, its a bp in oslo?17:14
morganfainbergbknudson, i'm happy to close the bug if you think thats warranted in this case.17:15
*** kobtea has joined #openstack-keystone17:15
bknudsony, there's a spec in oslo for the enginefacade.17:15
bknudsonand the keystone bug isn't assigned to anyone.17:16
bknudsonmy opinion is close it.17:16
morganfainbergbknudson, ok sounds good, feel free to smush the bug closed ;)17:16
morganfainbergi'll circle back on it later if i see it next trip through the bug tracker. /me continues to try and triage the new bugs.17:17
*** kobtea has quit IRC17:19
openstackgerritAlexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859017:24
*** edmondsw has joined #openstack-keystone17:30
amakarovmorganfainberg, hi! I've stated in the spec that modification not allowed, review it again please - that one was a rebase before modification :)17:33
morganfainbergamakarov, sounds good17:33
amakarovmorganfainberg, btw found & fixed related issue in trust manager - was not covered by tests and allowed to do nasty things with redelegation count17:35
*** zzzeek has quit IRC17:36
samuelmsmorganfainberg, few minutes to discuss about assignment backend split?17:38
*** zzzeek has joined #openstack-keystone17:38
*** ajayaa has joined #openstack-keystone17:38
morganfainbergsamuelms, sure.17:38
samuelmsmorganfainberg, currently, we use 1) a role (connector) to link 2) an actor on 3) a target, right?17:39
rodrigodsayoung, thinking about policy enforcement + keystonclient... can't see a way to have two specs instead of just one (means that we would need to expand https://review.openstack.org/#/c/133480/4/specs/keystoneclient/policy-enforce.rst)17:39
morganfainbergsamuelms, yes17:39
samuelmssamuelms, why not to have 4 separate backends: (wait me list before saying no :p)17:40
samuelmsops17:40
samuelmsmorganfainberg, ^17:40
samuelmsmorganfainberg, 1) identity: actors17:40
samuelmsmorganfainberg, 2) resource : targets17:40
ayoungrodrigods, I mentioned Nova and Keystone cuz they had the most advanced bindings...but Now that I've seen what glance is doing, probably need to take that into account, too17:41
samuelmsmorganfainberg, 3) 'connector': to the links, like the actual roles17:41
samuelmsmorganfainberg, 4) assignment : the mapper itself17:41
amakarovbknudson, greetings, I've rewritten you test had concern about: https://review.openstack.org/#/c/11859017:42
samuelmsmorganfainberg, so that one assignment is a mapping to an actor on a target through one or more connectors (you can add one if you need, like an attribute for abac)17:42
morganfainbergso, i'm just not buying the usecase that we need separate assignment backends per domain, and without that i don't see a win for splitting roles from assignment17:42
morganfainbergsamuelms, this is adding massive complexity to the system17:42
amakarovbknudson, s/you test/test you/17:42
morganfainbergsamuelms, and i'm architecturally fine with moveing assignment out of resource - but... the more i think about it the more i'm inclined to say we're not going to get to a consensus on this17:43
rodrigodsayoung, ++ so we can change its title to "policy enforcement library" and have it encapsulated in keystoneclient be in the content. Also adding the oslo.policy graduation bits17:43
rodrigodsayoung, makes sense?17:43
morganfainbergsamuelms, in fact... the more i think about it, the more i'm inclined to say we're just going to make keystone *less* usable with this split.17:44
gabriel-bezerramorganfainberg, samuelms: if we keep roles, won't it still be rbac?17:44
bknudsonamakarov: it still can break existing installations (it's not backwards compatible)17:44
morganfainberggabriel-bezerra, RBAC is not something we're getting away from.17:44
samuelmsmorganfainberg, that way I think we should have more backend (wow maybe more complex) .. but we have more easier to understand ones ..17:44
morganfainbergsamuelms, i don't think it'll be easier to understand17:45
morganfainbergsamuelms, i think you're going down the same path a lot of openstack has17:45
morganfainbergloose federation of <things> that are really tightly coupled17:45
morganfainberggabriel-bezerra, we can't eliminate it because the other endpoints need it (for now)17:45
morganfainberggabriel-bezerra, e.g. middleware17:45
gabriel-bezerramorganfainberg: samuelms: in the e-mail, herynash said each domain would be able to use something different from rbac if they wanted17:46
samuelmsmorganfainberg, so we always have to use roles to connect actors on targets?17:46
morganfainberggabriel-bezerra, i am *not* convinced that is a good idea at all17:46
morganfainberggabriel-bezerra, i responded to the email17:46
ayoungrodrigods, I'm trying to get something done before the meeting...more later17:46
morganfainbergsamuelms, we still need to present roles / something the other services can enforce on17:46
gabriel-bezerraI saw, but what I mean is: even if roles go to a resource backend, the authorization would still be based on them17:47
morganfainberggabriel-bezerra, it would need to be.17:47
gabriel-bezerrathus, rbac17:47
morganfainberggabriel-bezerra, and my response that yes, we're not getting rid of RBAC17:47
samuelmsmorganfainberg, do we plan to have a centralized enforcement?17:47
morganfainbergsamuelms, we can't centralize enforcement17:48
morganfainbergsamuelms, it doesn't scale17:48
*** NM has joined #openstack-keystone17:48
gabriel-bezerrasamuelms: i don't think it would be right17:48
morganfainbergsamuelms, so lets remove the "each domain has it's own assignment backend" [this is setting off all sorts of red flags as a terrible idea]17:48
morganfainbergfrom the conversation17:48
samuelmsmorganfainberg, ++17:48
morganfainberglets look at the architecture of resource and assignment17:49
*** harlowja_away is now known as harlowja17:49
samuelmsmorganfainberg, I'm for allowing other access control (like rbac) for the whole system (not per domain)17:49
morganfainbergif assignment is doing things (lets say ABAC) to figure out what roles are passed into the token17:49
morganfainbergwhether a role is a simple permission or a bundle of permissions (what we have today)17:49
morganfainberg*if* you need yet-another backend to map the resource role to waht the assignment backend spits out, what benefit have we added?17:50
morganfainbergi'd say zero, we've just added a useless abstraction17:50
morganfainbergthe argument roles go into resource and are connected to assignment separately is a *very* SQL view.17:50
*** dimsum__ has joined #openstack-keystone17:51
morganfainbergi'd argue that assignment backend doesn't care what the "role" is in resource, it knows what it's going to spit out. if you say: rule XXX is scoped to project Y, now we need to connect a role to that somehow?17:51
samuelmsmorganfainberg, ok .. so you're for putting roles on the assignment backend .. that should contains the links (roles) and the mappings (assignments itself)17:52
morganfainbergor should rule XXX say "give role on scope"17:52
*** jistr has quit IRC17:52
morganfainbergsamuelms, my view is the assignment backend after the split controls roles *and* the role assignments17:52
morganfainbergsince roleassignment is tightly coupled to role17:53
gabriel-bezerraI see two points that wouldn't change here: 1 - a repository of roles, 2 - a repository of assignments.17:53
morganfainbergok back in a couple minutes for the meeting17:53
*** NM has quit IRC17:53
gabriel-bezerrathe discussion now is whether they should be in different backends17:53
gabriel-bezerraam I right?17:53
samuelmsmorganfainberg, ok17:53
*** ajayaa has quit IRC17:54
samuelmsgabriel-bezerra, kind of ..17:54
gabriel-bezerrasamuelms: what would be different?17:55
samuelmsgabriel-bezerra, put it with resource (domain, project) or with assignment (the mappings themselves)17:55
samuelmsgabriel-bezerra, we'll discuss more about in the meeting in 4 minutes17:55
openstackgerritAlexander Makarov proposed openstack/keystone: Trust redelegation  https://review.openstack.org/12689717:55
*** gyee_ has joined #openstack-keystone17:56
gabriel-bezerrasamuelms: what channel is it going to be?17:57
gabriel-bezerra#openstack-meeting?17:57
*** kkowmoth has joined #openstack-keystone17:57
*** NM has joined #openstack-keystone17:57
samuelmsgabriel-bezerra, y17:57
*** jacorob_ has joined #openstack-keystone18:05
*** jacorob_ has left #openstack-keystone18:06
*** diegows has quit IRC18:06
*** henrynash has joined #openstack-keystone18:10
*** ChanServ sets mode: +v henrynash18:10
*** jamielennox|away is now known as jamielennox18:11
*** russellb has quit IRC18:11
*** kkowmoth has quit IRC18:11
*** russellb has joined #openstack-keystone18:12
openstackgerritJames Carey  proposed openstack/keystone: Use _ definition from keystone.i18n  https://review.openstack.org/13211618:22
*** diegows has joined #openstack-keystone18:23
*** aix has quit IRC18:25
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - test some websso stuff  https://review.openstack.org/13617718:27
*** NM has quit IRC18:33
*** NM has joined #openstack-keystone18:33
*** ajayaa has joined #openstack-keystone18:36
*** nellysmitt has quit IRC18:37
*** NM has quit IRC18:42
*** NM has joined #openstack-keystone18:42
*** stevemar has joined #openstack-keystone18:50
*** ChanServ sets mode: +v stevemar18:50
*** gokrokve has joined #openstack-keystone18:54
openstackgerritAlexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859018:56
*** NM has quit IRC18:57
openstackgerritWill Foster proposed openstack/keystone: skip assignment table migrate of duplicate entry exists. Closes-bug: #1395959 Change-Id: I394a0391ee074c3ee79bdb06391fc4d5fb9067a9  https://review.openstack.org/13694618:58
*** harlowja is now known as harlowja_away18:58
*** gokrokve has quit IRC19:00
*** gokrokve has joined #openstack-keystone19:00
samuelmso/19:00
*** Ioram7 has joined #openstack-keystone19:00
ayounggoing to recap, so it is all in one evesdrop19:01
ayoung<ayoung> lets say we have a single sign on system that allows us to manage hosts19:01
ayoung<ayoung> think something like an IDP, but for machines19:01
ayoung maybe something that does secure DNS, etc19:01
ayoungnow,  Keystone is going to map users from an idp to host access19:01
morganfainbergayoung, ++ thanks for the recap19:01
ayoungthe hosts are inside of groups that we could use as projects19:01
morganfainbergeasier than switching windows a lot19:01
*** NM has joined #openstack-keystone19:01
ayoungso we pull in the projects from this system as a domain, but here it is providing the projects, not the users19:02
ayoungkeystone then provides a management layer to map users to those projects...users from multiple IdP19:02
ayoungSo keystone needs to keep the definition of Roles separate from the projects themselves19:02
*** ajayaa has quit IRC19:02
morganfainbergso, let me make sure i understand19:02
morganfainbergthe resource backend is -- something not keystone SQL in this case?19:03
ayoungOK...so we have here a case for splitting the project listings off from the rest of domains...which was one thing I was asked at the start of the discussion19:03
morganfainberge.g. DNS?19:03
ayoungYeah, lets say DNS19:03
morganfainberggreat19:03
morganfainbergjust making sure i wasn't misunderstanding19:03
ayoungSo we use DNS to server out the projects here...each project is a subzone19:04
ayoungthis is syncronized with Designate and Nova...etc etc19:04
morganfainbergsure, makes sense.19:04
ayoungOK,  so now, thge roles are what Keystone and the other services use to communicate capabilites...they are shorthand19:04
samuelmsayoung, ++19:05
ayoungso this is OpenStack specific data, separate from the Projects data from DNS19:05
*** ajayaa has joined #openstack-keystone19:05
ayoungso it needs to be in an OpenStack specific backend.  We have two of those remaining;  either we store them with domains, or with policy19:05
ayoungright now, they are coupled with domains, since both are in the assignment backend19:05
morganfainbergayoung, so in henrynash's current proposed implementation19:05
morganfainbergroles would come from the same place projects / domains do19:06
morganfainbergayoung, but the role assigments would be in something else19:06
morganfainbergrole assignments are the current actor-role-scope SQL table thing19:06
morganfainbergayoung, i think your use-case here places role assignments and roles together.19:07
morganfainberglogically19:07
*** harlowja_away is now known as harlowja19:07
morganfainbergand the projects/domains are the resources from [in this case] dns19:07
raildomorganfainberg, ayoung a quickly question... If I create a user in a sub-domain, can I grant a role assignment to a parent domain? I need to explain this in the Reseller Spec or the henrynash spec about group role will explain this?19:08
morganfainbergraildo, you would need to be able to grant a role assignment to a *user* from a parent domain19:08
raildoto a *user*, sorry =P19:09
morganfainbergraildo, this is the concept of allowing my parent domain access (limited) to into my reseller block for support.19:09
raildomorganfainberg, ok, thanks :)19:09
henrynashso I can see the argument for having projects sourced externally19:09
samuelmsmorganfainberg, ++19:09
*** jistr has joined #openstack-keystone19:09
henrynashI can also see the cases that domain attributes might be an Openstack augmentation of certain projects19:10
*** amakarov is now known as amakarov_away19:10
henrynashprobably not come from the external source19:10
morganfainberghenrynash, the way i see it is both of those statements lend to the assignment backend owning the roles [in the context of the split]19:10
henrynashi don’t think any of that follows that roles go with assignments..19:10
openstackgerritWill Foster proposed openstack/keystone: skip assignment table migrate if duplicate entry exists. Closes-bug: #1395959 Change-Id: I394a0391ee074c3ee79bdb06391fc4d5fb9067a9  https://review.openstack.org/13694619:10
ayoungraildo, I have an answer for you19:10
raildoayoung, that is...19:11
ayoungraildo, but it involves understanding hierarchical roles definitions19:11
henrynashmorganfainberg: :-) we clearly have an interesting difference of views on this!!19:11
morganfainberghenrynash, if anything you have samuelms's [resource]|[role]|assignment construct19:11
morganfainberghenrynash, haha right?19:11
samuelmsmorganfainberg, o/19:11
rodrigodssamuelms, almost fell out his chair here19:12
morganfainberghenrynash, since resource suddenly became externally sourcable19:12
ayoungraildo, I want to start with two suppositions:  1, a role can always be broken down further until you get to distinct capabilities.  2. A user can only delegate roles that they have themselves, or a fragment of those roles19:12
morganfainbergrodrigods, i gotta work harder so he *actually* falls out of his chair next19:12
samuelmsmorganfainberg, haha19:12
rodrigodsmorganfainberg, not too hard19:12
raildoayoung, right...19:13
ayoungraildo, now,  lets assume we have a separate role for people that can create role-assignments.19:13
morganfainberghenrynash, so the way i see it resources become equally hard to write a backend for by only moving assignments out19:13
morganfainberghenrynash, if we are assuming SQL-like, most of my arguments are gone, but we just need to be ok that we're really prescribing sql here19:13
ayoungin order to delegate something to someone permananently, you need the "assingners" role on the thing that you are assigning to19:13
ayoungso....19:13
samuelmsmorganfainberg, ok .. so if we have roles in assignments backend .. we could have two parts in it : the mapper and the connectors (roles, etc)19:14
henrynashmorgainfainberg: i guess the bit I don’t get is why not having roles included makes it harder…19:14
samuelmsmorganfainberg, makes sense ?19:14
morganfainberghenrynash, and projects/domains are managed by keystone not *someexternalsource*19:14
morganfainbergsamuelms, yes, i was simplifying ;)19:14
samuelmslol19:14
ayoungif I have the assingners role  and the member role on Dom1,  and dom2 is under it, and userX is in Dom2, I have the power to assign the members role to userX on Dom1.19:14
morganfainberghenrynash, it is because you have unrelated data-types meshed into a single backend19:15
morganfainberghenrynash, which i think is the *reason* we're looking to split this19:15
morganfainberghenrynash, i mean, getting down to brasstacks19:15
ayounghenrynash, are you going to be putting domains and projects into the same backend?19:15
henrynashmorganfainberg: agreed19:15
morganfainberghenrynash, roles are not the same data-types as domains or projects19:15
henrynashayoung: well that’s as it stands today…19:16
samuelmshenrynash, I kind of agree with morganfainberg now .. it makes sense to keep on assignment the mapper + the connectors (what we use to map an actor (identity) to a target (resource))19:16
ayounghenrynash, lets split them now19:16
samuelmshenrynash, makes sense?19:16
raildoayoung, ok,I get it,  but this part of the group role / hierarchical role discussion right?19:16
morganfainberghenrynash, roles are a related datatype to role-assignment, but aslo...not exactly the same datatype19:16
ayounghenrynash, lets assume that domains are something that Keystone needs to manage, a layer of abstraction added over projects19:16
morganfainberghenrynash, but the assignment backend could be *smart* enough [not saying it is] to circumvent the need for the extra datatype19:16
samuelmshenrynash, if you want to replace just the mapper you can by replacing assignment.mapper .. and if you want to add other attributes you can by adding them to assignment.connector (where roles live)19:17
raildowhat I mean is, this is not part of HM discussion... this is most related to the henrynash's propose...right?19:17
ayoungso if we were to pullin projects from an LDAP source for one Domain, we could do that without requiring all domains to be backed by LDAP19:17
morganfainbergraildo, yeah the convos are a bit mixed up atm19:17
morganfainbergraildo, this is the split not HM specific.19:17
morganfainberg^19:17
samuelmshenrynash, makes sense?19:17
henrynashso one problem I have is that if I have a system with our current mapper…and I swap out to a new mapper…all teh roles disssapear19:17
ayoungHM brings all of these issues to the forefront19:17
*** gokrokve has quit IRC19:17
raildomorganfainberg, ok :)19:17
samuelmshenrynash, no ..19:18
henrynashteh roles shouldn’t be stored by the mapper....19:18
*** gokrokve has joined #openstack-keystone19:18
morganfainbergayoung, ++19:18
henrynashthe roles are really definitions of service capabilties19:18
morganfainbergayoung, HM makes this super important, but this affects more than HM19:18
samuelmshenrynash, you plug a new assignment.mapper .. but assignment.connectors (where roles live) can stay19:18
henrynashwhy would a mapper store them?19:18
samuelmshenrynash, the actual assignments in your implementation19:19
samuelmshenrynash, it's like creating a fourth backend called 'connectors' now19:19
henrynashsamulems: ahh, so is assignment.connectors are another backend…or just part of assignment?19:19
samuelmshenrynash, but we're putting it in assignment.connectors19:19
henrynashsamuelms: ahh, ok…19:19
morganfainberghenrynash, samuelms is advocating 4 backends.19:19
morganfainberghenrynash, identity, resource, assignment.mapper, assignment.connector19:19
samuelmsmorganfainberg, but having 2 inside assignment namespace if you prefer19:19
henrynashok, so that’s certainly another way of doing it19:19
samuelmsmorganfainberg, ++19:20
henrynashI’m kind of OK with that19:20
samuelmsmorganfainberg, also ok ?19:20
morganfainberghenrynash, my view is the assignment backend could be smart enough to circumvent the need to *store* roles19:20
henrynashalthough I suspect ayoung still is agains projects and domains in the same backend19:21
morganfainberghenrynash, why do i need to store a role if i make it do rules( attribute x, y, z = role Q)19:21
morganfainberghenrynash, sure it means if i change the backend out roles disappear... but lets be fair...19:21
ayounghenrynash, it would make the DNS backed project hierarchy I just described impossible19:21
henrynashmorgainfaingberg: so I agree we could imagine a role just being named as service.role_name19:21
morganfainberghenrynash, if we change the identity backend out, your users need to be migrated19:21
morganfainberghenrynash, or they just disappear (leaving out the multi-tree ldap story)19:22
ayoungI thnk domains are fundamentally Keystone constructs,  Projects have be thus far, but are not fundamental in the same way19:22
morganfainbergsame with the resource backend.19:22
morganfainbergayoung, i disagree, but it's semantics19:22
*** gokrokve has quit IRC19:22
morganfainbergayoung, it would be easy to move the needle either way on projects.19:23
samuelmswe'll have domains everywhere from KIlo, right?19:23
samuelmsmorganfainberg, I remember something like allocating keystone people to help other projects to migrate v2 -> v319:23
*** NM has quit IRC19:23
morganfainbergsamuelms, yeah we need to do something like that19:23
ayoungmorganfainberg, I think it was this use case that lead me to wanting to have domains only under domains19:23
*** amcrn has joined #openstack-keystone19:23
henrynashso how about we keep things separate within the assignment backends as samuelms is suggesting….and then we work to see how roles evolve (e.g. to really be capabilities etc.)19:23
samuelmshenrynash, +219:24
samuelmshenrynash, oops ++ :p19:24
rodrigodsok, now samuelms is on the floor19:24
morganfainberghenrynash, ok, lets go with this: roles are part of assignment, but the implementation is logically split in a way that it would be easy to take it further as samuelms is describing19:24
samuelmsmorganfainberg, ++19:25
morganfainberghenrynash, so we may not make it explicitly some kind of backend, but something that can be isolated out and worked with.19:25
morganfainberghenrynash, ?19:25
henrynashyep, I’ll give it a +1 while I go mull it over and see if anything bad rears it;s head…if not, I’m good with that19:25
morganfainberghenrynash, and if resource needs more work domain, project, tenant (yes lets call things tenants)19:25
morganfainberghenrynash, we can look at that.19:26
henrynashagreed19:26
samuelmsagreed19:26
morganfainbergooh totally should rename projects and domains to tenants19:26
morganfainberg>.>19:26
morganfainberg<.<19:26
henrynashcliff…jump…splat19:26
morganfainbergbknudson, i know you're on board with that! ^19:26
morganfainbergstevemar, where is topol...19:27
henrynashok, I’ll be offline for while…back on later19:27
morganfainbergstevemar, when i need someone who will actually fall out of their chair19:27
*** henrynash has quit IRC19:27
ayoungthat will work19:28
ayoungroles can stay with assignment19:28
samuelmsayoung, o/19:28
stevemarmorganfainberg, you know topol is getting ready for thanksgiving mode19:29
morganfainbergstevemar, look at the tweet i just sent to him...19:29
morganfainbergstevemar, https://twitter.com/MdrnStm/status/53732717659751628819:30
gabriel-bezerraso there should also be a resource.domain and resource.projects?19:30
*** ajayaa has quit IRC19:30
morganfainberggabriel-bezerra, i'd rather not have that split19:31
stevemarhehe19:31
*** ayoung has quit IRC19:31
morganfainberggabriel-bezerra, i'd rather domains be special projects rather than something separate19:31
morganfainberggabriel-bezerra, but... i will defer to whichever implemenrtation makes the most sense.19:31
rodrigodsayoung, bp/policy-enforcement-library for https://review.openstack.org/#/c/133480/ ?19:31
*** NM has joined #openstack-keystone19:31
gabriel-bezerraok. how about the hierarchical roles?19:32
gabriel-bezerraand domain-specific roles19:32
*** samuelms has quit IRC19:33
gabriel-bezerrashould roles have a parent and a domain attributes?19:33
gabriel-bezerrain order to implement these?19:33
gabriel-bezerraif so, roles aren't that simple to circumvent the storage need19:36
*** samuelms has joined #openstack-keystone19:39
*** jimhoagland has joined #openstack-keystone19:40
*** Ioram7 has left #openstack-keystone19:41
openstackgerritChristian Berendt proposed openstack/keystone: Log the user id when using an invalid username or password  https://review.openstack.org/12886019:46
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037619:56
*** gokrokve has joined #openstack-keystone19:59
*** henrynash has joined #openstack-keystone20:11
*** ChanServ sets mode: +v henrynash20:11
morganfainbergdolphm: which moka did you get?20:11
morganfainbergI'm getting one today.20:11
*** ayoung has joined #openstack-keystone20:11
*** ChanServ sets mode: +v ayoung20:11
dolphmmorganfainberg: the 3 cup one20:12
dolphmmorganfainberg: i read that smaller ones make better coffee *shrug*20:12
morganfainbergBrand? Link?20:12
dolphmmorganfainberg: http://www.amazon.com/gp/product/B0000CF3Q6/20:12
dolphmmorganfainberg: i've made about 6 servings so far (one serving per brew with the 3 "cup" one)20:12
morganfainbergCool. That one was he one I was looking for.20:13
afaranhaDo anyone knows what happens to other services' context when I use a domain scoped token to access them?20:13
dolphmmorganfainberg: the 3-cup one takes just under 20 grams of coffee20:13
morganfainbergFor/at20:13
afaranhaDo their context will have the domain_id variable?20:13
morganfainbergNice. I am going to get a good grinder / scale as well.20:13
dolphmafaranha: auth_token will provide it, yes, but the service's policy engine will probably balk at the lack of tenancy, since no other service cares about domain-level authorization20:14
morganfainbergafaranha: most of them fail because they don't know what to do with domain auth. ... What Dolph said.20:14
dolphmmorganfainberg: i'd recommend my grinder http://www.amazon.com/gp/product/B003AM7KIK/ but not my scale20:14
bknudsonI don't think domain-scoped tokens are anything that another service should accept.20:14
morganfainbergIt might make sense for limited cases. But I would agree in most cases.20:15
bknudsonI assume there's no catalog with a domain-scoped token?20:15
bknudsonor if there is a catalog it's not going to contain a valid compute URL20:15
morganfainbergbknudson: think reseller wanting to see all vms for their domain?20:15
dolphmmorganfainberg: the "pull out" screen on this looks awesome http://www.amazon.com/dp/B0020L6T7K/20:15
morganfainbergMaybe-- maybe that is a bad idea (the domain scoped)20:16
dolphmbut i also weigh large things like buckets and whatnot in my kitchen20:16
morganfainbergHehe20:16
afaranhadolphm, morganfainberg: hey put project_id as none on the context on Nova, but I thing they do create a context20:16
morganfainbergdolphm: more French press today though.20:17
afaranhaI would like to see the context, I tried to get the Hypervisors in Nova, bu they require the user to have the tenant_id in the URL the same as the project_id in the context, but it's none =/20:17
morganfainbergHuh. IRC cloud has a photo icon. I didn't think IRC did photos.  :p20:18
dolphmmorganfainberg: gravatar?20:18
dolphmafaranha: does it 4xx?20:18
afaranhadolphm: Yep20:18
afaranhacode 40020:18
afaranhamessage: "Malformed request URL: URL's project_id '47a745322f374fac9243cfd4632b9fb5' doesn't match Context's project_id 'None'",20:19
morganfainbergImgur20:19
dolphmwell that should be 40120:19
dolphmbut close enough20:19
morganfainbergdolphm: well it *is* a 4xx class so it's close enough.20:19
afaranhaDon't know if I got this error because they require all operations to pass the project_id20:19
dolphmafaranha: they do, and should20:19
morganfainbergafaranha: because you don't have a project and they expect one.20:19
rodrigodsayoung, there you are :P ... Created https://blueprints.launchpad.net/keystone/+spec/policy-enforcement-library and will link https://review.openstack.org/#/c/135604/6/specs/kilo/k2k-service-providers.rst to it. Also, I'm making some changes in the spec content/commit message20:20
lbragstadmorganfainberg: qq on the service['name'] discussion we had yesterday, are we still going to require that?20:21
afaranhamorganfainberg: yes, but what if I perform get /v2/images in Glance, that doesn't require an project?20:21
afaranhalet me try this20:21
morganfainberglbragstad: nope. Name should be be required as per jamielennox 's comments. Type needs to be unique.20:21
dolphmafaranha: that call might only require authentication, but not any specific authorization (IIRC)20:22
lbragstadso, we *won't* be making service name required by default20:22
morganfainbergdolphm: ++20:22
jamielennoxmorganfainberg: given type is unique i honestly don't care if we have name required or not, it just felt easier to add it to everything than have it sometimes present20:22
morganfainberglbragstad: no. We're not.20:22
lbragstadmorganfainberg: I'll abandon those patches with an explaination20:22
morganfainberglbragstad: or well we don't need to20:22
lbragstadexplanation*20:22
morganfainbergBut type is not unique constrained so we still need that.20:23
morganfainbergOnly unique constraint we have is id atm.20:23
morganfainberglbragstad: is UX better or worse requiring name? If it is better, require it.20:23
lbragstadmorganfainberg: I'm not sure, doesn't matter to me. Does anyone else feel strongly about it?20:24
afaranhadolphm: Yes, I could get the images. The point I was trying to get is, even the service not recognizing domain, if their context will have the variable domain_id on it, because of the contxt of Keystone20:25
morganfainbergIt should have the domain id in the context20:26
morganfainbergMiddleware does that.20:27
*** topol has joined #openstack-keystone20:27
*** ChanServ sets mode: +v topol20:27
morganfainbergtopol: you're on vacation aren't you? ;)20:27
dolphmafaranha: that's correct20:27
dolphmmorganfainberg: he claims to be20:28
morganfainbergdolphm: lies. Deceit.20:28
afaranhamorganfainberg, dolphm: Thank you :)20:28
*** NM1 has joined #openstack-keystone20:30
*** NM has quit IRC20:30
ayoungrodrigods, thank you20:31
ayoungrodrigods, I set the url to the KC spec....maybe this BP maps to multiples, but this is the second one, and the Keystone owned one as well.20:32
*** nellysmitt has joined #openstack-keystone20:32
*** chrisshattuck has quit IRC20:32
rodrigodsayoung, ++20:33
*** nellysmitt has quit IRC20:33
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Policy enforcement library  https://review.openstack.org/13348020:38
rodrigodsayoung, ^20:38
ayoungRock on!20:38
rodrigodsmorganfainberg, ^ oslo.policy graduation + keystoneclient bits20:38
morganfainbergrodrigods: thanks!20:39
morganfainbergAnyone have some friends at Microsoft that like openstack? I'm trying to figure out the best way to get some 3rd party CI for adfs and keystone.20:41
*** jistr has quit IRC20:41
morganfainbergObviously the ms licenses are the one of the hurdles.20:41
*** topol has quit IRC20:41
lbragstadmorganfainberg: I did some checking, and I don't think making service['name'] required is a big deal.20:42
morganfainberglbragstad: I'm good with it either way as long as we solve the type issue(s)20:42
jamielennoxmorganfainberg: there is microsoft involvement in openstack, i don't know who but it would be the same person who maintains the hyper-v CI for nova right20:42
morganfainbergHmm. Ok.20:42
lbragstadmorganfainberg: primeministerp?20:42
* morganfainberg will go poke at the -nova folks.20:43
lbragstadapilotti is responsible for the hyper-v stuff, he might have a lead you could talk to as well20:43
morganfainberglbragstad: thanks.20:43
lbragstadmorganfainberg: np20:43
lbragstadmorganfainberg: I'll update my patches and abandon, I'll see if I can get another one up to make service['type'] unique20:43
morganfainbergIf I can get the license hurdle solved I can probably get hp or rax to kick in CI check resources. (If ms won't)20:44
morganfainberglbragstad: ++20:44
*** NM1 has quit IRC20:44
morganfainbergDon't forget the sql migrate. ;)20:44
lbragstadmorganfainberg: sql-what? ;)20:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/13720220:46
*** jimhoagland has quit IRC20:46
*** thedodd has quit IRC20:47
morganfainberglbragstad: I hear mongodb is webscale. We should use that.20:47
openstackgerritWill Foster proposed openstack/keystone: skip assignment table migrate if duplicate entry exists. Closes-bug: #1395959 Change-Id: I394a0391ee074c3ee79bdb06391fc4d5fb9067a9  https://review.openstack.org/13694620:48
lbragstadmorganfainberg: didn't we hit a weird case with unique constraints a few migrations back?20:48
morganfainbergMaaaybe?20:49
ayoungI was not able to reproduce morganfainberg20:50
morganfainbergI only remember one about FK constraints not matching.20:50
ayoungI have their sql dump...20:50
ayoungand went through the migrations by hand...did not see the problem20:50
morganfainbergIs this the folks with assignment duplication bug open?20:50
morganfainbergOr something else?20:51
ayoungmorganfainberg, yeah, it was in inhouse Openstack deployment here20:51
morganfainbergHuh. Yeah I didn't see how they got there. It looks a little weird.20:51
ayoungmorganfainberg, I suspect shenanigans on their part20:51
morganfainbergHaha20:51
ayoungbut, if it is possible to have bad data, the failure mode was still a disaster20:51
ayoungthe migration failed, but we continued on, and the next migration purged the old metadata tables20:52
ayoungthey ended up with no assignments, and no old data20:52
ayounga better failure mode would have been to stop the migrations right there20:52
*** kobtea has joined #openstack-keystone20:52
ayoungI haven't gotten back to it today20:53
morganfainbergayoung: migrations should always fail-safe and fast20:53
ayoungyeah20:53
morganfainbergReminds me. Time to collapse migrations again.20:53
morganfainbergNow that grenade is sane.20:53
ayoungYou keep using that word.  I do not think it means what you think it means/20:54
morganfainbergCertain values of sane?20:54
morganfainbergSane™20:54
rodrigodsmorganfainberg, ayoung, dolphm, https://etherpad.openstack.org/p/policy-library-name20:54
morganfainbergSane® ?20:55
*** kobtea has quit IRC20:57
morganfainbergrodrigods: is it wrong I want to call it something coffee related? :P20:59
*** thedodd has joined #openstack-keystone21:00
rodrigodsmorganfainberg, haha coffee + beer related ftw21:02
*** Haneef has joined #openstack-keystone21:10
dolphmrodrigods: added more dumb name21:12
dolphms21:12
rodrigodsdolphm, ++ honesty :)21:14
samuelmshenrynash, are you already working on 'Remove the old-style role grant metadata in assignments' ?21:15
samuelmshttps://blueprints.launchpad.net/keystone/+spec/remove-role-metadata21:15
*** jdennis has quit IRC21:20
*** jdennis has joined #openstack-keystone21:21
*** jamielennox is now known as jamielennox|away21:23
*** jamielennox|away is now known as jamielennox21:28
henrynashsamulems: no…I was going to layer that on top of the new split21:29
henrynashmorganfainberg: regarding the roles as part of assignments…would you object if it were it’s own backend under the umbrella of assignments?  I think that helps with the plugging in of a new assignments model without needing to migrate the roles.21:31
*** thedodd has quit IRC21:33
*** agireud has quit IRC21:36
*** agireud has joined #openstack-keystone21:36
openstackgerritMerged openstack/keystone: Remove Python 2.6 classifier  https://review.openstack.org/13712021:43
*** raildo_ has joined #openstack-keystone21:46
*** lhcheng_ is now known as lhcheng21:46
*** samuelms_ has joined #openstack-keystone21:54
*** raildo_ has quit IRC21:58
bknudsongoodbye python 2.622:05
*** joesavak has quit IRC22:07
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests  https://review.openstack.org/13702122:11
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests  https://review.openstack.org/13702122:11
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/13720222:11
*** joesavak has joined #openstack-keystone22:15
*** dimsum__ has quit IRC22:16
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037622:16
*** dimsum__ has joined #openstack-keystone22:17
*** dimsum__ has quit IRC22:21
morganfainberghenrynash: hmm. Let me ponder for a few what it really means for us.22:21
*** joesavak has quit IRC22:22
morganfainberghenrynash: would that mean it's own set of routers etc? Or just a separate driver config?22:22
morganfainbergAnd what would the defaults be? A unified backend?22:22
samuelms_morganfainberg, I'd be glad to have your opinion on this https://etherpad.openstack.org/p/role-capabilities-policy22:26
*** NM has joined #openstack-keystone22:26
samuelms_morganfainberg, henry and I share some ideas described there :)22:26
*** agireud has quit IRC22:31
*** gokrokve has quit IRC22:36
openstackgerritayoung proposed openstack/keystone: Access Info  https://review.openstack.org/13723122:37
ayoungsamuelms_, one goal of ^^ is to have something consistent to be used in all the places where we enforce policy22:39
*** NM has quit IRC22:40
*** gokrokve has joined #openstack-keystone22:40
*** dims_ has joined #openstack-keystone22:49
samuelms_ayoung, so the services use this to get info from the policy enforcer?22:54
henrynashmorganfainberg: in terms or routers, it would just point to a different manager in the assignment/core.py22:54
morganfainberghenrynash, so just a separate driver directive then?22:55
morganfainbergin the config22:55
henrynashmorganfainberg: yep22:55
samuelms_:)22:55
henrynasha bit lke teh way identity has a mapping backend that is separte from the user/group ones22:55
morganfainberghm. yeah22:56
ayoungsamuelms_, we'll get it to work and then move it into the client22:56
*** ayoung is now known as ayoung-dad-mode22:56
morganfainbergi'm trying to figure out if this is too modular (so much so it'll be confusing/difficult)22:56
samuelms_morganfainberg, henrynash glad to see we've converged to a solution :-)22:56
morganfainbergstevemar ping - have a sec?22:56
henrynashmorganfainberg: mull it over…I’ll try and pull a patch together that shows it22:57
morganfainberghenrynash, /me is trying to stay engaged considering turkey is on the horizon.22:57
morganfainberg:)22:57
morganfainbergwell specifically turkey *AND* Ham22:58
henrynashah, yes…of course….22:58
henrynashwe just kind of save it all up for xmas22:58
henrynashwithout the trial run22:58
samuelms_ayoung-dad-mode, will this be put on the oslo.policy? or we'll have just the common enforcement there?22:58
*** stevemar has quit IRC23:00
*** stevemar has joined #openstack-keystone23:01
*** ChanServ sets mode: +v stevemar23:01
morganfainberghenrynash, lol23:01
morganfainbergoh i guess stevemar is idle.23:01
morganfainbergsamuelms_, oslo.policy is *mostly* about enforcement.23:04
morganfainbergsamuelms_, it may grow some extra superpowers, not sure how much of that stuff ends up in the new policy lib.23:04
samuelms_morganfainberg, hmm .. cool  :-)23:05
samuelms_morganfainberg, haha extra superpowers23:05
samuelms_morganfainberg, it will still be graduated, right?23:05
morganfainbergyes23:06
samuelms_morganfainberg, for kilo?23:06
morganfainbergyes23:06
morganfainbergas soon as we can graduate it23:06
morganfainbergas in.. spec approved and making it happen23:06
morganfainbergno delay short of needing a name for it23:06
samuelms_morganfainberg, cool .. so we have lots of place for working on  it23:06
morganfainbergwow, apple mail has gotten terribad at handling mail threads.23:07
morganfainberg:(23:07
samuelms_haha23:07
*** gordc has quit IRC23:09
*** edmondsw has quit IRC23:12
openstackgerritWill Foster proposed openstack/keystone: skip assignment table migrate if duplicate entry exists. Closes-bug: #1395959 Change-Id: I394a0391ee074c3ee79bdb06391fc4d5fb9067a9  https://review.openstack.org/13694623:13
*** chrisshattuck has joined #openstack-keystone23:13
*** samuelms_ has quit IRC23:13
*** gokrokve has quit IRC23:16
*** samuelms_ has joined #openstack-keystone23:16
*** nkinder has quit IRC23:18
*** gokrokve has joined #openstack-keystone23:30
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Improves feedback message in SSL error  https://review.openstack.org/12976923:41
*** oomichi has joined #openstack-keystone23:46
*** gyee_ has quit IRC23:49
« Monday, 2014-11-24 Index Wednesday, 2014-11-26 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!