Friday, 2014-12-05

*** bknudson has joined #openstack-keystone		00:01
*** ChanServ sets mode: +v bknudson		00:01
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Allow loading other auth methods in auth_token https://review.openstack.org/129552	00:01
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Split identity server into v2 and v3 https://review.openstack.org/130534	00:01
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Use real discovery object in auth_token middleware. https://review.openstack.org/130532	00:02
*** gus_ is now known as gus		00:02
*** henrynash has joined #openstack-keystone		00:04
*** ChanServ sets mode: +v henrynash		00:04
henrynash	stevemar: yes, I know it looks odd, but that is the technique used on a lot of the user/group not found execptions…the right data still ends up in msg being raised	00:10
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/139230	00:12
openstackgerrit	Merged openstack/keystone: Moves hacking tests to unit directory https://review.openstack.org/136125	00:12
*** henrynash has quit IRC		00:13
morganfainberg	hm.	00:18
morganfainberg	darn missed henrynash	00:18
*** openstackgerrit has quit IRC		00:18
morganfainberg	will have to ask him questions later.... i guess	00:19
*** openstackgerrit has joined #openstack-keystone		00:19
*** marcoemorais has quit IRC		00:31
*** marcoemorais has joined #openstack-keystone		00:31
*** marcoemorais has quit IRC		00:33
*** marcoemorais has joined #openstack-keystone		00:33
*** david-lyle is now known as david-lyle_afk		00:39
*** saipandi has joined #openstack-keystone		00:41
*** _cjones_ has quit IRC		00:47
*** shakamunyi has quit IRC		00:50
*** Tahmina has joined #openstack-keystone		00:52
*** boris-42 has quit IRC		00:57
*** Tahmina has quit IRC		00:59
*** dims_ has quit IRC		01:00
bknudson	the merge conflict checker must have broken	01:02
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Correct Session docstring https://review.openstack.org/127805	01:06
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Correct documenting constructor parameters https://review.openstack.org/127812	01:06
*** samuelms_ has joined #openstack-keystone		01:08
*** zzzeek has quit IRC		01:09
jamielennox	bknudson: ah - i was just updating that	01:10
bknudson	I asked on infra about the merge conflict checker and apparently it is brokenr.	01:11
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Pass all adapter parameters through to adapter https://review.openstack.org/138228	01:12
*** packet has quit IRC		01:24
*** dims has joined #openstack-keystone		01:31
*** diegows has quit IRC		01:35
ayoung	jamielennox, bknudson -1 says "needs bug or blueprint" we have that?	01:35
jamielennox	ayoung: didn't i do that/	01:36
jamielennox	ayoung: i filed the bug, and i'm sure i added that - but i di a few rebases	01:36
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Pass all adapter parameters through to adapter https://review.openstack.org/138228	01:38
jamielennox	ayoung: done	01:38
ayoung	bknudson care to bless that one: https://review.openstack.org/#/c/138228 as it seems like he's hit all your comments. We need it in before we can release a new client, and we have other work queued up behind that	01:42
jamielennox	ayoung: to approve that requires approving https://review.openstack.org/#/c/127805/6	01:50
jamielennox	ayoung: https://review.openstack.org/#/c/130532/ needs second +2	01:53
ayoung	done	02:00
jamielennox	ayoung: cheers - this one has taken so long	02:01
ayoung	deal	02:01
ayoung	lbragstad, hey, I just -2ed AE tokens again	02:20
*** erkules_ has joined #openstack-keystone		02:21
ayoung	I once again have significant enough concerns that I'm afraid of it getting rushed through without proper forethought.	02:21
*** erkules has quit IRC		02:23
ayoung	bknudson, , what if we treated trusts as specialized role assignments, and then an AE token could point to the role-assignment-id?	02:25
*** marcoemorais has quit IRC		02:37
*** darren-wang has joined #openstack-keystone		02:40
darren-wang	Hi, I have a question, "	02:45
darren-wang	The separation into admin and main interfaces is an historical anomaly. The new V3 API provides the same interface on both the admin and main interfaces". if what I want is v3 API only, can I merge [composite:main] and [composite:admin] in Paste ini file? If I can, what should I do?	02:45
darren-wang	I don't need v2 API	02:45
*** htruta_ has quit IRC		02:46
*** r-daneel has quit IRC		02:50
*** shakamunyi has joined #openstack-keystone		02:50
*** shakamunyi has quit IRC		02:50
jamielennox	darren-wang: in which case you theoretically don't need composite:admin	02:52
jamielennox	you will still need to set the admin endpoint to the public endpoint in the service catalog	02:52
jamielennox	darren-wang: if you look at the bottom of keystone-all you'll see where it loads the information for the 'admin' and 'main' apps	02:53
jamielennox	so if you are using keystone-all (dont) then you will need to modify that	02:53
jamielennox	ayoung: still here?	02:53
darren-wang	yeah	02:53
ayoung	jamielennox, nope. Nope. Nope.....Um...Yep	02:54
jamielennox	ayoung: can you just kick off https://review.openstack.org/#/c/127805/6	02:54
jamielennox	it was approved before but got rebased	02:54
jamielennox	it's bknudson's but there is stuff based on it	02:54
*** harlowja_ is now known as harlowja_away		02:54
ayoung	Done	02:54
ayoung	jamielennox, so...policy. I'm going put a file, I think right under keystoneclient named policy.py and base it on the guts of what Nova and Keystone are doing.	02:55
ayoung	But...	02:55
ayoung	I'm trying to figure out how to fetch the policy file in a generic (version non-specific) way	02:55
jamielennox	ayoung: so i think enforcement should go to oslo.policy	02:56
ayoung	Nope	02:56
jamielennox	and i actually think oslo is a fine place to have it	02:56
ayoung	that should be the rules engine itself	02:56
ayoung	not the binding to the keystone context	02:56
jamielennox	oh - right	02:56
jamielennox	i've been looking at policy as well just from a very different aspect	02:57
jamielennox	so what is the keystone context here?	02:57
ayoung	jamielennox, this is what Nova starts with https://github.com/openstack/nova/blob/master/nova/policy.py	02:57
ayoung	fetching the policy file from the keystone server, and using the token data to enforce it	02:58
jamielennox	ayoung: you want that in keystoneclient?	02:58
ayoung	I've said that all along	02:58
jamielennox	if we made that an object i have no problem with that in oslo.policy	02:58
jamielennox	other than the is_admin crap	02:58
ayoung	wrong abstraction	02:59
ayoung	yeah, is_admin must die	02:59
ayoung	there is also code from Keystone to mix in...	02:59
*** shakamunyi has joined #openstack-keystone		02:59
ayoung	also generic, and that might make its way into oslo eventually	02:59
jamielennox	ayoung: so i want auth_token to create an object with all the data that policy needs	02:59
ayoung	right...	02:59
ayoung	that is exactly it	02:59
jamielennox	and i want that to be the object that is passed to policy so that we can control both ends of that exchange	03:00
ayoung	so take the token, unpack and parse it, then figure out what policy file to use	03:00
darren-wang	ayoung, you mean keystone play as a center policy manager?	03:00
ayoung	darren-wang, heh yep	03:00
ayoung	darren-wang, https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/	03:00
*** lhcheng_ has quit IRC		03:01
jamielennox	right, so that's ok - however if you ignore the is_admin from that nova policy file all you have is an init which should be __init__ and a enforce() and a singleton	03:01
jamielennox	enforce() takes a currently oslo.context object	03:01
jamielennox	and that's what i want to change, i want that to be my middleware object	03:02
jamielennox	how you handle fetching the policy from keystone i don't really care at this level	03:02
jamielennox	it makes sense for something like that to be in keystoneclient that knows how to fetch and return something that can be set within the enforcer object	03:03
ayoung	jamielennox, right. So it is basically how do we find the right policy file	03:03
jamielennox	ayoung: not really, it's a fetch	03:03
ayoung	can't be to start	03:04
jamielennox	ayoung: GET /policy/nova then install to enforcer	03:04
jamielennox	i don't think we need client smarts there right?	03:04
ayoung	jamielennox, we need to avoid breaking if there is no policy file	03:04
jamielennox	yea - that's fairly easy	03:04
ayoung	we don't even have the right API yet. We don't have a default policy file API, and we don't know our own endpoint id	03:05
ayoung	But I figure I'd do: fetch by endpointid (handwave how to get it) and if there is none, use the config file to get the path	03:06
ayoung	second step is to fix the API so that there is a default policy file, and get by endpoint Id will fall back to that if there is none	03:06
ayoung	jamielennox, I guess I am OK putting this in middleware, but its going to depend on https://review.openstack.org/#/c/138519/ in client, so doing it in client means I can actually tes ti	03:08
ayoung	test it	03:08
jamielennox	ayoung: i don't think i want that in client	03:08
jamielennox	it doesn't belong	03:08
jamielennox	why would auth_token need to have a builder? or anyone other than keystone?	03:09
jamielennox	ayoung: https://review.openstack.org/#/c/137268/ is where i was thinking	03:09
ayoung	yeah, well, ....policy checks are not just for servers, they are also for things that have to call servers and figure out "what can I do with this" or "will I be able to do this?"	03:09
jamielennox	it doesn't need to know about the catalog	03:09
jamielennox	it just needs to know those basic id fields	03:09
ayoung	jamielennox, we're on the same track, but look at mine.	03:10
ayoung	its going to be the canonical token data	03:10
ayoung	does similar things to what you are doing. I made sure already that it worked with revocation events	03:10
jamielennox	ayoung: right - yours reflects the token structure - even with the user fields	03:10
jamielennox	i don't think we care, and i'd prefer to just not	03:11
jamielennox	keep it simple and flat with just a couple of properties	03:11
ayoung	I want to be able to use it in the token provider code as well. Have one canonical token object that allows us to both build and work with the token data	03:11
ayoung	there is no "simple" here	03:11
jamielennox	ayoung: i can see it being useful in the provider	03:12
ayoung	and revocation spans both keystone and other services,as will policy	03:12
jamielennox	so at the point where i'm looking i already have a fairly heavy investment in the current AccessInfo object	03:12
ayoung	so we have a single object for all of that	03:12
ayoung	We can adapt to that	03:12
jamielennox	but revocation is similar to policy - we don't care about the whole token structure just a couple of id and expiry fields	03:13
ayoung	Have you ever looked at the code?	03:13
ayoung	it cares about everything	03:13
*** jdennis has quit IRC		03:13
ayoung	V.Re.Thing	03:13
jamielennox	revocation?	03:14
ayoung	jamielennox, you can revoke by domain, project, role	03:15
jamielennox	right - these are what i'm exposing	03:16
*** hilo has joined #openstack-keystone		03:17
ayoung	ah you mean it only cares about the ids of objects	03:17
*** hilo has left #openstack-keystone		03:17
jamielennox	ayoung: right, you've got layers of different objects and validation of those objects - and i just don't think we get anything for that complexity on the client side	03:17
jamielennox	all i want is to expose the individual properties that are required	03:18
*** kobtea has joined #openstack-keystone		03:18
ayoung	client needs all the data	03:19
ayoung	Horizon needs to display it,	03:19
ayoung	your way is actuall more complicated	03:19
jamielennox	can agree to disagree	03:20
jamielennox	also horizon is different here	03:20
ayoung	No we can't	03:20
ayoung	oh, wait...	03:20
jamielennox	i'm talking about consumers of auth_token	03:20
ayoung	I HATE that expresssion	03:20
ayoung	I want to code to the same API inside Keystone and inside Auth Token and inside DOA.	03:21
*** hilo has joined #openstack-keystone		03:21
ayoung	I don't want to do dictionaries unless I have to	03:22
*** samuelms_ has quit IRC		03:22
jamielennox	ayoung: i'm not advertising dictionaries	03:22
ayoung	I want to use Plain old Python Objects.	03:22
jamielennox	i'm not sure we want that, what's required within keystone is very different to what is outside	03:23
jamielennox	auth_token is similar - but really the AccessInfo we have is covering that front reasonably well	03:23
*** kobtea has quit IRC		03:23
openstackgerrit	Merged openstack/python-keystoneclient: Correct Session docstring https://review.openstack.org/127805	03:23
openstackgerrit	Merged openstack/python-keystoneclient: Correct documenting constructor parameters https://review.openstack.org/127812	03:24
*** gyee has quit IRC		03:25
ayoung	jamielennox, not when it comes to policy and revocations	03:25
*** hilo has left #openstack-keystone		03:25
ayoung	And we can deal with the V2 versus V3 issues this way too	03:25
jamielennox	the point of accessinfo is to not have v2/v3 differences - what are you missing with the current accessinfo?	03:26
*** dims has quit IRC		03:28
ayoung	A means to build one without going to JSON first is probably the biggest thing. But I can make sure I don';t break Accessinfo	03:29
*** hilo has joined #openstack-keystone		03:29
*** hilo has left #openstack-keystone		03:29
jamielennox	ayoung: but AccessInfo has properties for everything - what do you need from json?	03:31
*** jdennis has joined #openstack-keystone		03:32
ayoung	I don't need JSON. I need to be able to build the object from component parts inthe TokenProvider. I need a single API to code to	03:32
*** _cjones_ has joined #openstack-keystone		03:32
*** tellesnobrega_ has quit IRC		03:33
*** Hilomomo has joined #openstack-keystone		03:33
ayoung	jamielennox, this all started when I was trying to write an auth plugin for Keystone where I only had the username and I needed to get enough information to make a policy call.	03:34
*** _cjones_ has quit IRC		03:34
ayoung	Having one way to do it, and having thatway based on python objects is the simplest, least error prone approach	03:34
ayoung	adapting that to other places is relatively trivial	03:35
ayoung	look at this:	03:35
*** _cjones_ has joined #openstack-keystone		03:35
ayoung	https://review.openstack.org/#/c/138519/3/keystoneclient/models/access_info.py,cm line 145 on down	03:35
ayoung	that converts the base objects to a dictionary. The same thing can be done for policy checks.	03:35
ayoung	The existing AccessInfo can do the same thing, too, so that they are all working with the same canonical object	03:36
ayoung	without changing the interface	03:36
jamielennox	ayoung: cool so all that AuthContext stuff is great and essentially the interface i want to expose	03:37
jamielennox	why do you need to abstract the token? not just the context?	03:38
*** samuelms_ has joined #openstack-keystone		03:40
openstackgerrit	Jeremy Stanley proposed openstack/identity-api: Workflow documentation is now in infra-manual https://review.openstack.org/139328	03:41
openstackgerrit	Jeremy Stanley proposed openstack/keystone: Workflow documentation is now in infra-manual https://review.openstack.org/139332	03:41
openstackgerrit	Jeremy Stanley proposed openstack/keystone-specs: Workflow documentation is now in infra-manual https://review.openstack.org/139333	03:42
*** stevemar has joined #openstack-keystone		03:42
openstackgerrit	Jeremy Stanley proposed openstack/keystonemiddleware: Workflow documentation is now in infra-manual https://review.openstack.org/139334	03:42
*** ChanServ sets mode: +v stevemar		03:42
*** Hilomomo has quit IRC		03:44
openstackgerrit	Jeremy Stanley proposed openstack/pycadf: Workflow documentation is now in infra-manual https://review.openstack.org/139367	03:44
openstackgerrit	Merged openstack/keystonemiddleware: Use real discovery object in auth_token middleware. https://review.openstack.org/130532	03:46
*** richm has quit IRC		03:51
openstackgerrit	Jeremy Stanley proposed openstack/python-keystoneclient: Workflow documentation is now in infra-manual https://review.openstack.org/139375	03:51
openstackgerrit	Jeremy Stanley proposed openstack/python-keystoneclient-federation: Workflow documentation is now in infra-manual https://review.openstack.org/139376	03:51
openstackgerrit	Jeremy Stanley proposed openstack/python-keystoneclient-kerberos: Workflow documentation is now in infra-manual https://review.openstack.org/139377	03:51
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Add a test to ensure the version check error https://review.openstack.org/139512	04:06
*** chrisshattuck has joined #openstack-keystone		04:07
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Import _LC into auth_token middleware. https://review.openstack.org/139513	04:08
*** drjones has joined #openstack-keystone		04:11
*** ncoghlan has joined #openstack-keystone		04:13
*** _cjones_ has quit IRC		04:13
*** drjones has quit IRC		04:15
*** david-ly_ has joined #openstack-keystone		04:15
*** r-daneel has joined #openstack-keystone		04:15
*** david-lyle_afk has quit IRC		04:17
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Pass all adapter parameters through to adapter https://review.openstack.org/138228	04:21
*** jdennis has quit IRC		04:26
*** dims has joined #openstack-keystone		04:29
*** lhcheng has joined #openstack-keystone		04:31
*** dims has quit IRC		04:34
*** chrisshattuck has quit IRC		04:35
*** Sanchit has joined #openstack-keystone		04:40
Sanchit	Hi	04:40
Sanchit	What is the minimum configuration required to setup a keystone server?	04:40
Sanchit	We have extensive usage for authentication	04:41
*** r-daneel has quit IRC		04:53
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Split identity server into v2 and v3 https://review.openstack.org/130534	05:10
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Add a test to ensure the version check error https://review.openstack.org/139512	05:12
*** avozza is now known as zz_avozza		05:30
*** lhcheng has quit IRC		05:39
*** ishant has joined #openstack-keystone		05:47
jamielennox	Sanchit: minimum? like config options?	05:53
jamielennox	mostly it's a database connection string	05:54
jamielennox	have a look at the config file generated after devstack run. It's not all required but it should give you some	05:55
*** ncoghlan has quit IRC		05:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/136243	06:04
*** ajayaa has joined #openstack-keystone		06:06
*** shakamunyi has quit IRC		06:07
*** ajayaa has quit IRC		06:13
*** saipandi has quit IRC		06:15
*** ajayaa has joined #openstack-keystone		06:17
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Add domain roles APIs https://review.openstack.org/139531	06:17
*** zz_avozza is now known as avozza		06:21
*** mfisch has quit IRC		06:23
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Fix 'heirarchy' typo on 'Get project' https://review.openstack.org/139536	06:25
*** mfisch has joined #openstack-keystone		06:27
*** mfisch is now known as Guest45087		06:27
*** avozza is now known as zz_avozza		06:31
*** zz_avozza is now known as avozza		06:33
*** dyasny has joined #openstack-keystone		06:43
dyasny	ping - anyone listening in?	06:47
*** openstackgerrit has quit IRC		06:49
*** openstackgerrit has joined #openstack-keystone		06:49
samuelms_	dyasny, hi :)	06:50
dyasny	samuelms_ hey, do you have a minute to help a lost soul?	06:50
samuelms_	dyasny, I can try :)	06:50
dyasny	I've got a test lab, which I didnt build, and it looks like by default, it's using v2.0	06:51
dyasny	it also looks like I need v3 for some heat stuff I'm working on	06:51
dyasny	question is, how can I figure out whether v3 is available or installed but disabled	06:52
dyasny	I'm on icehouse here	06:52
samuelms_	do you want to setup a Openstack installation with heat? that's all?	06:52
dyasny	samuelms_, already have an installation, I'm working on heat autoscaling	06:52
samuelms_	hmm.. how do you get a token?	06:52
dyasny	however, when I try to run my stack, I get http://fpaste.org/156848/41776168/	06:53
dyasny	I export OS_user/pass/auth_url	06:53
dyasny	and my auth_url points at a v2.0 URL. I checked for v3 and v3.0 at the same location - keep getting 404	06:54
samuelms_	dyasny, just checked and we had v3 on icehouse	06:55
dyasny	samuelms_, this is why I wonder whether I am looking in the wrong place somehow	06:55
dyasny	what's the typical 3.0 auth_url?	06:56
samuelms_	dyasny, try exporting OS_IDENTITY_API_VERSION=3	06:56
*** kobtea has joined #openstack-keystone		06:56
dyasny	samuelms_, and leave the URL pointing to v2.0?	06:56
samuelms_	dyasny, fix that as well .. to v3	06:57
samuelms_	export OS_IDENTITY_API_VERSION=3	06:59
samuelms_	export OS_AUTH_URL=http://<hostname>:5000/v${OS_IDENTITY_API_VERSION}	06:59
dyasny	samuelms_, curl says 404 if I try to go there	06:59
samuelms_	dyasny, so I dont know what's happening, sorry :/	07:00
samuelms_	dyasny, I dont have lots of experience deploying os	07:00
*** kobtea has quit IRC		07:00
dyasny	samuelms_, basically, after I change the AUTH_URL I get 404, that's an http error, simply means there is no such URL (http://server:5000/v3/)	07:01
samuelms_	dyasny, yes .. so you dont have /v3 running	07:02
dyasny	samuelms_, any idea how I can enable it?	07:03
samuelms_	dyasny, thought it was enabled by default .. dont know about icehouse	07:04
samuelms_	dyasny, you better ask in some hours .. when people get more active	07:04
dyasny	samuelms_, I see, thanks anyway, I appreciate the attempt	07:04
samuelms_	dyasny, you're welcome :-)	07:05
samuelms_	dyasny, hope you find a solution soon	07:05
dyasny	samuelms_, if not, I'll just go back to ovirt, it scales well enough	07:05
samuelms_	dyasny, dont give up .. openstack is amazing :D	07:06
samuelms_	dyasny, that shouldnt be that hard	07:06
samuelms_	dyasny, why not use juno version? or a fresh devstack (if you're just testing something)	07:06
dyasny	samuelms_, I know, this stuff works in devstack, but not in a real lab, and I find myself looking at code way too often for comfort	07:07
*** mzbik has joined #openstack-keystone		07:08
dyasny	samuelms_, guess it's all too fresh to google for answers	07:08
samuelms_	dyasny, I'll have the answers here on irc	07:09
samuelms_	dyasny, just need to come at time :p	07:09
dyasny	yup, 2am isn't the best time	07:10
*** avozza is now known as zz_avozza		07:12
*** stevemar has quit IRC		07:13
Sanchit	jamielennox: Thanks for replying, I am concerned regarding the hardware requirements for running a highly scalable setup	07:19
Sanchit	What should be the minimum RAM and all regarding	07:20
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Add test for changing password to blank https://review.openstack.org/139553	07:33
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: User password update should not accept blank https://review.openstack.org/139554	07:33
*** samuelms_ has quit IRC		07:41
*** henrynash has joined #openstack-keystone		07:52
*** ChanServ sets mode: +v henrynash		07:52
darren-wang	jamielennox, i just read the part of starting servers in keystone-all, so if in a new installation without any v2 API, can I modify like these:	07:57
darren-wang	jamielennox, 1. delete the [composite: admin] in .ini,	07:57
darren-wang	jamielennox: comment the admin server starting part in keystone-all,	07:57
darren-wang	jamielennox: 3. and do not set the 'admin_bind_host', 'admin_port' and 'admin_worker_amount' in .conf	07:58
jamielennox	Sanchit: I can't really answer in terms of RAM and such, however at it's base keystone is just a mod_wsgi app so you scale it behind haproxy and apache as you would any other service	07:58
jamielennox	darren-wang: if you don't use them then the config options will just be ignored	07:59
*** zz_avozza is now known as avozza		07:59
jamielennox	darren-wang: we've been recommending recently that people run keystone behind apache	07:59
jamielennox	in which case you would just not setup the admin route and comment out the v2 route in paste	07:59
darren-wang	jamielennox: oh, I haven't tried that yet.	08:00
jamielennox	darren-wang: not that i said the v2 route and not just the admin app	08:00
jamielennox	*note	08:00
jamielennox	so the admin interface typically runs on a different port	08:00
jamielennox	and there is a v2 and a v3 component to both the public and the admin servcie	08:00
jamielennox	just that in v3 it's the same thing	08:00
*** tellesnobrega_ has joined #openstack-keystone		08:00
darren-wang	... well, I'm still learning the code, so, does 35357 still necessary in pure v3?	08:03
*** tellesnobrega_ has quit IRC		08:04
*** bdossant has quit IRC		08:07
jamielennox	darren-wang: technically no, but most things still set it up that way	08:08
darren-wang	jamielennox: ok, I'll have a try.	08:08
darren-wang	jamielennox: we just need a consistent and easy solution, so v2 is totally unnecessary to us	08:09
darren-wang	jamielennox: thx jamie	08:10
jamielennox	darren-wang: np	08:10
Sanchit	jamielennox: Well, Thank you so much!	08:25
marekd	morganfainberg: OK, no problem.	08:26
Sanchit	jamielennox: One more thing, If using UUID token, will the service ping keystone server every time for token validation? As far as I know, this is not the case if using PKI. Correct ?	08:27
*** henrynash has quit IRC		08:40
*** oomichi has quit IRC		08:41
breton	Sanchit: yep. But in case of pki keystone the service needs to check revocation lists periodically	08:43
jamielennox	Sanchit: yes, but in practice the middleware will cache the token validation so it's generally only the first time per token per service	09:00
Sanchit	@jami	09:01
Sanchit	jamielennox: first time per token per service for PKI type only.	09:01
Sanchit	But for each time if Using UUID? Correct me if my undestanding is wrong	09:01
*** sluo_wfh has quit IRC		09:02
*** erkules_ is now known as erkules		09:03
*** Guest45087 has quit IRC		09:11
*** sluo_wfh has joined #openstack-keystone		09:14
*** jistr has joined #openstack-keystone		09:14
*** mfisch has joined #openstack-keystone		09:15
*** mfisch is now known as Guest3214		09:15
*** sluo_wfh has quit IRC		09:20
*** tellesnobrega_ has joined #openstack-keystone		09:35
jamielennox	Sanchit: sorry, i'm in and out	09:36
jamielennox	Sanchit: for UUID it will cache the response that it gets from keystone	09:37
jamielennox	for PKI all it needs is like one or two requests for the certs	09:37
jamielennox	then every minute or so it gets the revocation list	09:38
jamielennox	it doesn't do any work per token	09:38
*** tellesnobrega_ has quit IRC		10:00
Sanchit	jamielennox: Thank you :)	10:07
*** aix has joined #openstack-keystone		10:16
openstackgerrit	Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules. https://review.openstack.org/139013	10:59
mzbik	Guys I have problem with trusts	11:12
mzbik	when I create trust from admin to some member I get exception: Could not find role {role_id}	11:13
mzbik	I tried to create trust from admin to testUser with role _member_ to demo tenant/project	11:13
*** amakarov_away is now known as amakarov		11:17
*** darren-wang has quit IRC		11:30
openstackgerrit	Merged openstack/keystone: Remove irrelative comment https://review.openstack.org/138355	11:38
*** diegows has joined #openstack-keystone		11:54
*** dims has joined #openstack-keystone		12:04
mzbik	ok, nvm I forget to add project_id	12:05
*** thiagop has quit IRC		12:14
*** samuelms_ has joined #openstack-keystone		12:18
*** jdennis has joined #openstack-keystone		12:31
openstackgerrit	Alexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description https://review.openstack.org/118590	12:33
*** henrynash has joined #openstack-keystone		12:47
*** ChanServ sets mode: +v henrynash		12:47
*** mikedillion has joined #openstack-keystone		12:55
*** ajayaa has quit IRC		12:59
*** henrynash has quit IRC		13:01
*** dyasny has quit IRC		13:04
*** ajayaa has joined #openstack-keystone		13:13
*** mikedillion has quit IRC		13:19
*** andreaf has quit IRC		13:23
*** dims has quit IRC		13:29
*** dims has joined #openstack-keystone		13:29
*** dyasny has joined #openstack-keystone		13:32
*** dyasny has quit IRC		13:32
*** kobtea has joined #openstack-keystone		13:38
*** mzbik has quit IRC		13:42
*** kobtea has quit IRC		13:42
*** ishant has quit IRC		13:54
vsilva	marekd, are you there? I spent some days away from the Mapping Enhancements spec and a lot has changed. One thing that I didn't get from the comments: Why did you move from only setting role assignments in Keystone for the IdP groups to having to add the groups apriori?	13:54
amakarov	bknudson, hi! I've reverted code changes leaving doc changes only. Please look at the change https://review.openstack.org/#/c/118590/	13:56
*** stevemar has joined #openstack-keystone		13:57
*** ChanServ sets mode: +v stevemar		13:57
*** joesavak has joined #openstack-keystone		14:02
*** dims has quit IRC		14:05
*** dims has joined #openstack-keystone		14:06
*** andreaf has joined #openstack-keystone		14:07
*** radez_g0n3 is now known as radez		14:07
*** bdossant has joined #openstack-keystone		14:10
vsilva	hey stevemar, I'm trying to figure out one thing from the mapping enhancements spec: Why did they move from only setting role assignments in Keystone for the IdP groups to having to add the groups apriori?	14:13
vsilva	can't find the reason on comments and marek doesn't seem to be around	14:13
*** bdossant has quit IRC		14:13
vsilva	rodrigods, ^	14:13
*** bdossant has joined #openstack-keystone		14:15
*** bdossant has quit IRC		14:16
*** bdossant has joined #openstack-keystone		14:17
lbragstad	morganfainberg: I realize this might be a long shot, but we don't have Release Notes for Kilo do we/	14:17
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects https://review.openstack.org/138552	14:18
lbragstad	following criteria from sdague here: https://review.openstack.org/#/c/139051/	14:18
*** shakamunyi has joined #openstack-keystone		14:21
*** avozza is now known as zz_avozza		14:22
*** bdossant has quit IRC		14:27
*** richm1 has joined #openstack-keystone		14:28
*** diegows has quit IRC		14:33
*** bdossant has joined #openstack-keystone		14:34
lbragstad	maybe dolphm knows^	14:35
lbragstad	?	14:35
*** mikedillion has joined #openstack-keystone		14:45
ayoung	lbragstad, here's an idea for you. What if we had an identifier for role assignments. And then trusts were a form of role assignments. AE tokens could then point to a specific role assignment for its scope	14:50
lbragstad	that pretty much what jamielennox said	14:50
ayoung	lbragstad, so...that is the point of https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/	14:51
ayoung	those are the steps we need to go through to get there	14:51
ayoung	does it make sense in that context?	14:51
lbragstad	let me read it	14:51
ayoung	lbragstad, please do	14:51
lbragstad	ayoung: https cert expired?	14:51
ayoung	lbragstad, on my blog?	14:52
lbragstad	yeah	14:52
ayoung	lbragstad, nah, it is just signed by Dreamhosts ca	14:52
lbragstad	ah	14:53
ayoung	actually, I think they do a selfsigned	14:53
dstanek	does anyone actually use x-service-token?	14:53
ayoung	dstanek, isn't that what is used by Auth token to validate?	14:53
dstanek	ayoung: it's optional	14:54
dstanek	ayoung: but i can't find anything that ever sets it	14:54
*** r-daneel has joined #openstack-keystone		14:55
*** zzzeek has joined #openstack-keystone		14:55
ayoung	dstanek, it appears you are correct	14:55
bknudson	dstanek: I think glance or swift wanted it for a security feature.	14:56
bknudson	essentially you could have your policy.json say that this request needs to have both the user and the service user to fetch an image	14:56
dstanek	bknudson: interesting - i wonder if swift uses it; i don't have their code checked out	14:56
ayoung	there was the "you need two tokens to do something" discussion, but I thought that X-SERVICE-TOKEN pre-existed that	14:56
dstanek	nope, not in swift either	14:58
bknudson	I don't know if swift uses auth-token?	14:58
bknudson	the service would have to put the service user ID in their context so that policy could access it.	14:58
marekd	vsilva: hey. it's mainly we don't role assignments api allowing for specyfing groups identified by name/domain. And I think this is kind of philosophical question whether we should do that or not. More! It has already been discussed as henry-nash pointed out once) and tte second approach was not implemented. So I thought that it's better to have the mapping enhancement like proposed in a spec rather than depend on such a big (and unlikely t	15:01
*** gordc has joined #openstack-keystone		15:01
*** Guest3214 is now known as mfisch		15:01
*** mfisch has joined #openstack-keystone		15:01
*** thiagop has joined #openstack-keystone		15:03
vsilva	I think your last sentence was cut off there, marekd	15:03
marekd	no it wasn't..	15:04
marekd	change: role assignment api change	15:04
marekd	that's what i meant.	15:04
rodrigods	ayoung, https://review.openstack.org/#/c/138551/ \o/	15:04
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Adds correct checks in LDAP backend tests https://review.openstack.org/138551	15:06
marekd	vsilva: makes sense?	15:06
vsilva	So I thought that it's better to have the mapping enhancement like proposed in a spec rather than depend on such a big (and unlikely t	15:06
vsilva	that's how what you said ends. unlikely what?	15:06
marekd	vsilva: oh, strange...i can see whole sentence while you don't :-)	15:07
marekd	vsilva: hey. it's mainly we don't role assignments api allowing for specyfing groups identified by name/domain. And I think this is kind of philosophical question whether we should do that or not. More! It has already been discussed as henry-nash pointed out once) and tte second approach was not implemented. So I thought that it's better to have the	15:07
marekd	mapping enhncement like proposed in a spec rat her than depend on such a big (and unlikely to be quickly implemented)	15:07
*** dims is now known as dimsum__		15:07
marekd	vsilva: that's what I had sent.	15:07
vsilva	all right then	15:08
ayoung	rodrigods, lets get the parent on through, and then, assuming there are no changes, I'll +A that one again	15:08
*** ajayaa has quit IRC		15:08
marekd	vsilva: if you want to start a thread/spec about changing the role assignments api	15:14
marekd	vsilva: but i'd rather make it a separate patch, aiming for the Kilo release date, not next week. :(	15:14
vsilva	making it a separate patch makes a lot of sense, marekd. I'll think on that along with rodrigods and maybe bring it up here to see if that change really makes sense. I fear it might not!	15:18
marekd	vsilva: why it might not?	15:19
marekd	vsilva: well, ok, 2 ways of doing the same thing may be pointless	15:19
marekd	vsilva: but without ephemeral groups in RAs we are doomed.	15:19
marekd	vsilva: and that's exactly why i didn't want to depend on such dependency :-) I foresee lots of discussion and philosophical questions involved :-)	15:20
lbragstad	ayoung: I read your post	15:20
ayoung	lbragstad, I know it is dense.	15:22
*** dims_ has joined #openstack-keystone		15:24
*** ajayaa has joined #openstack-keystone		15:26
lbragstad	ayoung: so why not have a token format that requires the scope in the token?	15:27
ayoung	lbragstad, um...yes?	15:27
ayoung	why not?	15:27
lbragstad	I'm not saying we can't do that	15:27
lbragstad	but with the proposed spec, we have the ability to tailor token formats to fit needs like that	15:28
*** dimsum__ has quit IRC		15:28
ayoung	lbragstad, I'm not sure that just saying "we can have multiple token formats" is sufficient	15:30
lbragstad	ayoung: but having one token format to rule them all doesn't seem to work	15:30
marekd	lbragstad: ayoung AE tokens disq ?	15:30
lbragstad	yes	15:30
ayoung	lbragstad, OK...so a token is a cookie...what we really care about is what is it pointing at. And what Keystone needs to do is answer the question "what roles go along with this token that a user just handed me?"	15:31
lbragstad	why not have a format for a case that you need, where the formatter (creating the token) knows how to pack all the information required to do that specific case.	15:32
lbragstad	ayoung: why would that be needed if you have hierarchical roles/	15:33
lbragstad	you could decompose the list from the top down based on the highest role you have, right?	15:33
ayoung	lbragstad, hierarchical roles are just a sensible way to unify all of the approaches	15:33
lbragstad	I assert that because I have the 'member' role I also have the 'editor' and 'reader' roles	15:33
ayoung	we could keep going scatter gun, as we are, and have to support a million one-offs	15:33
ayoung	and I really seeAE as a one off	15:33
ayoung	and really, RBAC is based on the premise that a user has one role	15:34
ayoung	and that based on that role (Manager, boss-man, worker-bee) you determine what they can do	15:34
lbragstad	yeah	15:35
ayoung	so, if you want to say "here is a token format that points to a role for this user" OK	15:35
ayoung	lets do it right, and not paint ourselves into a corner	15:35
lbragstad	so, if every use is suppose to have only one role	15:36
lbragstad	and it's a hierarchical role	15:36
ayoung	As written, AE can only do "here is the scope, go lookup the roles the user has for that scope"	15:36
lbragstad	that I don't see the argument for requiring that a role is included in the token	15:36
ayoung	yeah, but we are not there yet	15:36
lbragstad	and until we get there we can include scope in an AE token	15:37
ayoung	you can think of a trustid as a short-lived role that contains the subordinate roles...its a limited version of inheritance	15:37
ayoung	I'd rather not make a form of AE token that knows about trusts	15:37
ayoung	as I am going to be on the hook to maintain it, and I don't have the time or effort	15:37
ayoung	time for the effort	15:38
lbragstad	ayoung: what would you absolutely need in a token to know it's a trust token	15:38
lbragstad	?	15:38
ayoung	lbragstad, I'd need the trust id	15:38
lbragstad	or a token representing a trust relationship between two entities	15:38
lbragstad	ok, so that's your delegation	15:38
lbragstad	right?	15:38
ayoung	lbragstad, yes, you could do something like	15:38
ayoung	AE01 is standard role-based AE tokens and AE02 is trust based, and in AE01 you assume the scoped is the proejct and in AE02 you assume the scope is the trust	15:39
ayoung	but you see how trusts and role assignments are really the same thing?	15:40
ayoung	They are really just delegations of abilities. Well, trusts are. Role assignments should be.	15:40
*** bdossant has quit IRC		15:41
*** bdossant has joined #openstack-keystone		15:42
lbragstad	ayoung: it's that what jamielennox meant when he said that for ae_token['role'] = trust_id?	15:43
*** gordc has quit IRC		15:43
lbragstad	if trusts and role assignments are the same, then treat them the same in an ae token until they are technically the same mechanism in Keystone	15:44
lbragstad	which is the first point you make https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/	15:47
ayoung	lbragstad, how would the token validation determine that ae_token['role'] = trust_id ?	15:49
lbragstad	that's were the token version stuff comes in handy	15:50
lbragstad	if keystone is creating an ae token to represent a trust relationship, make the ae token version AE03 or whatever,	15:50
lbragstad	that can be popped of in validation and it would know where in the token the trust_id and how to handle it	15:51
ayoung	lbragstad, are 2 digits going to be enough?	15:54
lbragstad	we would have up to 99 token formats	15:54
*** thiagop has quit IRC		15:54
lbragstad	99 problems and a token ain't one	15:54
ayoung	Shall we go Hex at least?	15:54
ayoung	FF?	15:55
lbragstad	if you wanted to modify the AE part you could do that too I guess	15:55
lbragstad	AE01 would be a generic ae token format	15:55
ayoung	AE00	15:55
ayoung	We are computer scientists.	15:56
lbragstad	AT could be an authenticated encrypted trust format	15:56
ayoung	Heh	15:56
lbragstad	for which you could have 99 authenticated encrypted trust formats	15:56
ayoung	What was the old PKI identifier? /me goes to look	15:56
* lbragstad grabs another coffee		15:57
lbragstad	brb	15:57
ayoung	PKI_ASN1_PREFIX = 'MII'	15:58
dstanek	lbragstad: more like "i got 99 problems and tokens are all of them"	16:00
*** thedodd has joined #openstack-keystone		16:01
openstackgerrit	Merged openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/138550	16:02
ayoung	lbragstad, lay all of that out in the AE spec.	16:03
notmyname	dstanek: bknudson: swift is not yet using a service token	16:07
samuelms_	Hi guys .. what's your opinion on bug #1391116 ?	16:11
uvirtbot	Launchpad bug 1391116 in python-keystoneclient "keystone user-password-update also accept blank password." [Medium,In progress] https://launchpad.net/bugs/1391116	16:11
samuelms_	I'm fixing that .. but I'd like to see your thoughts before putting more effort on that	16:11
*** Qlawy has quit IRC		16:12
*** Qlawy has joined #openstack-keystone		16:14
bknudson	samuelms_: we have a general issue where the Keystone SQL backend doesn't do password validation.	16:15
bknudson	i.e., most deployers will require a password with a certain length and special characters, not reusing etc.	16:16
bknudson	and I'd prefer it if it wasn't fixed piecemeal	16:16
bknudson	but I also don't know if we want to put a lot of effort into it... use LDAP as the backend instead.	16:16
bknudson	and there's also the idea that we should split user / group management out into its own service so it looks more like LDAP / federation	16:17
*** thedodd has quit IRC		16:17
samuelms_	bknudson, hmm interesting	16:18
bknudson	if we split user/group management out into its own service then I'd say go nuts adding security features like password validation.	16:19
*** thedodd has joined #openstack-keystone		16:19
samuelms_	bknudson, for sql we could allow some kind of expressions to define constraints ..	16:20
samuelms_	bknudson, any entry point (spec) for splitting user/group?	16:20
bknudson	samuelms_: I haven't seen a spec for splitting user / group... it was discussed at atlanta summit	16:21
samuelms_	bknudson, ok .. will look for some logs on this	16:25
samuelms_	bknudson, maybe we could discuss about it in a meeting and then decide if we'll go on with it	16:25
bknudson	samuelms_ sounds good... there's a lot of details to work out that might make it easier or harder... for example, does it support multiple domains and how.	16:27
bknudson	also, I'm not sure how auth would work, if it would use auth_token?	16:28
bknudson	but that creates a circular dependency	16:28
samuelms_	bknudson, yes .. some interesting points .. I ll find some time to think about all this	16:34
samuelms_	bknudson, unfortunately I don't have a good knowledge on keystone auth .. tokens , federation etc	16:34
samuelms_	bknudson, I've put all my efforts on roles/assignments/policies	16:34
samuelms_	bknudson, I see that I have to have more time to study every main part of keystone :)	16:35
samuelms_	bknudson, and then be able to help more ... even if just having interesting ideas	16:35
*** david-ly_ is now known as david-lyle		16:37
*** thedodd has quit IRC		16:39
*** _cjones_ has joined #openstack-keystone		16:39
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/134794	16:39
lbragstad	dstanek: :)	16:40
stevemar	lbragstad, go home	16:42
*** dims_ is now known as dimsum__		16:47
*** gordc has joined #openstack-keystone		16:49
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Migrate_repo init version helper https://review.openstack.org/137640	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Share engine between migration helpers. https://review.openstack.org/137778	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Add primary key to the endpoint_group id column. https://review.openstack.org/137638	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at. https://review.openstack.org/137639	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Explicit MySQL engine designation. https://review.openstack.org/138712	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Fix index name the assignment.actor_id table. https://review.openstack.org/137637	16:52
openstackgerrit	Ilya Pekelny proposed openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558	16:52
*** thedodd has joined #openstack-keystone		16:53
*** bdossant has quit IRC		16:53
openstackgerrit	ayoung proposed openstack/keystone: split auth from other services in paste https://review.openstack.org/138452	16:54
lbragstad	stevemar: it's not 5 yet!	16:55
*** lvh has quit IRC		16:57
*** lvh has joined #openstack-keystone		16:59
stevemar	lbragstad, close enough	17:03
lbragstad	stevemar: it is Friday	17:04
marekd	stevemar: why do you make him go home?	17:04
*** lvh has quit IRC		17:05
*** lvh has joined #openstack-keystone		17:09
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	17:12
lbragstad	ayoung: addressed ^	17:12
*** Haneef_ has joined #openstack-keystone		17:22
openstackgerrit	Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules. https://review.openstack.org/139013	17:22
*** marekd is now known as marekd\|away		17:23
*** mikedillion has quit IRC		17:24
Haneef_	jamielennox: Who are the consumers of identity endpoint in catalog?. Keystoneclient relies on discovery url (from version) which can be different from catalog endpoint	17:24
*** mikedillion has joined #openstack-keystone		17:25
*** shakamunyi has quit IRC		17:25
openstackgerrit	Merged openstack/keystone: Adds correct checks in LDAP backend tests https://review.openstack.org/138551	17:31
*** lhcheng has joined #openstack-keystone		17:36
*** zzzeek has quit IRC		17:37
*** mikedillion has quit IRC		17:40
*** zz_avozza is now known as avozza		17:42
*** zzzeek has joined #openstack-keystone		17:44
*** ayoung has quit IRC		17:44
*** jistr has quit IRC		17:45
*** tellesnobrega_ has joined #openstack-keystone		17:54
*** boris-42 has joined #openstack-keystone		17:57
*** amakarov is now known as amakarov_away		17:59
*** tellesnobrega_ has quit IRC		17:59
*** rwsu has joined #openstack-keystone		18:02
*** shakamunyi has joined #openstack-keystone		18:07
*** _cjones_ has quit IRC		18:11
*** henrynash has joined #openstack-keystone		18:16
*** ChanServ sets mode: +v henrynash		18:16
*** avozza is now known as zz_avozza		18:17
*** zzzeek has quit IRC		18:17
*** ayoung has joined #openstack-keystone		18:20
*** ChanServ sets mode: +v ayoung		18:20
ayoung	OK, I freaken love next-review	18:22
*** zzzeek has joined #openstack-keystone		18:24
*** gyee has joined #openstack-keystone		18:25
*** radez is now known as radez_g0n3		18:29
*** harlowja_away is now known as harlowja_		18:31
*** thedodd has quit IRC		18:32
*** amcrn has joined #openstack-keystone		18:34
*** gyee has quit IRC		18:35
*** gyee has joined #openstack-keystone		18:38
*** gyee has quit IRC		18:38
*** _cjones_ has joined #openstack-keystone		18:38
*** gyee has joined #openstack-keystone		18:39
*** ChanServ sets mode: +v gyee		18:39
*** shakamunyi has quit IRC		18:44
vsilva	ping dstanek	18:45
vsilva	what IdP are you using for your federation testing setup?	18:45
dstanek	vsilva: pysaml2	18:46
vsilva	stevemar, dstanek, marekd\|away, I'd love to hear from you any specific things you believe we need to test	18:46
*** shakamunyi has joined #openstack-keystone		18:46
dstanek	1. simple authentication	18:47
dstanek	2. different mapping constructs	18:47
dstanek	other than that i'm not really sure	18:48
*** shakamunyi has quit IRC		18:48
*** zz_avozza is now known as avozza		18:49
*** shakamunyi has joined #openstack-keystone		18:52
*** _cjones_ has quit IRC		18:52
vsilva	all right dstanek	18:52
*** _cjones_ has joined #openstack-keystone		18:53
*** avozza is now known as zz_avozza		18:54
ayoung	henrynash, I realize you should be asleep, but...I just tried to do the migration for the endpoint filter and it threw an exception. I think it might have bitrotted	18:55
ayoung	2014-12-05 13:54:39.295 11241 TRACE keystone OperationalError: (OperationalError) (1005, "Can't create table 'keystone.project_endpoint_group' (errno: 150)") '\nCREATE TABLE project_endpoint_group (\n\tendpoint_group_id VARCHAR(64) NOT NULL, \n\tproject_id VARCHAR(64) NOT NULL, \n\tPRIMARY KEY (endpoint_group_id, project_id), \n\tFOREIGN KEY(endpoint_group_id) REFERENCES endpoint_group (id)\n)\n\n' ()	18:55
*** diegows has joined #openstack-keystone		19:01
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects https://review.openstack.org/138552	19:01
*** thedodd has joined #openstack-keystone		19:04
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects https://review.openstack.org/138552	19:09
openstackgerrit	Merged openstack/keystone: Provide useful info when parsing policy file https://review.openstack.org/131574	19:14
*** mikedillion has joined #openstack-keystone		19:17
*** stevemar2 has joined #openstack-keystone		19:18
*** ChanServ sets mode: +v stevemar2		19:18
*** stevemar has quit IRC		19:18
*** gothicmindfood has quit IRC		19:19
*** lhcheng has quit IRC		19:19
samuelms_	henrynash, hi	19:25
*** gothicmindfood has joined #openstack-keystone		19:25
samuelms_	henrynash, I've a first version of the domain-role api change	19:25
samuelms_	henrynash, https://review.openstack.org/#/c/139531/	19:25
*** ayoung has quit IRC		19:25
*** lhcheng has joined #openstack-keystone		19:26
*** raildo has quit IRC		19:28
*** afaranha has quit IRC		19:28
*** samuelms has quit IRC		19:28
*** htruta has quit IRC		19:29
*** tellesnobrega has quit IRC		19:29
*** packet has joined #openstack-keystone		19:31
*** thedodd has quit IRC		19:32
*** gyee has quit IRC		19:34
henrynash	samuelms_: great!! Will take a look ina while	19:35
samuelms_	henrynash, I still need to put the other operations a role has .. like granting for domain-roles	19:37
samuelms_	henrynash, I've to duplicate all of those methods; if we go for not reusing the api calls we've for role	19:38
samuelms_	henrynash, (we've already started discussing about this)	19:38
samuelms_	henrynash, an example we have there is adding or removing role/domain-roles to/from a domain-role	19:39
samuelms_	henrynash, in which we have different calls, and could have one for delete and one for add :p	19:39
*** thedodd has joined #openstack-keystone		19:41
stevemar2	dstanek, pm'ed you the hangout	19:48
openstackgerrit	Merged openstack/pycadf: Workflow documentation is now in infra-manual https://review.openstack.org/139367	19:49
*** marcoemorais has joined #openstack-keystone		19:49
*** shakamunyi has quit IRC		19:54
*** shakamunyi has joined #openstack-keystone		19:59
*** ayoung has joined #openstack-keystone		19:59
*** ChanServ sets mode: +v ayoung		19:59
*** shakamunyi has quit IRC		20:00
*** shakamunyi has joined #openstack-keystone		20:01
*** kobtea has joined #openstack-keystone		20:05
*** drjones has joined #openstack-keystone		20:07
*** radez_g0n3 is now known as radez		20:08
*** kobtea has quit IRC		20:10
*** _cjones_ has quit IRC		20:10
*** drjones has quit IRC		20:11
*** marcoemorais has quit IRC		20:17
*** samuelms_ has quit IRC		20:28
*** Haneef_ has quit IRC		20:36
*** marcoemorais has joined #openstack-keystone		20:36
*** marcoemorais has quit IRC		20:37
*** marcoemorais has joined #openstack-keystone		20:37
*** thedodd has quit IRC		20:42
*** tellesnobrega_ has joined #openstack-keystone		20:43
*** tellesnobrega_ has quit IRC		20:43
*** saipandi has joined #openstack-keystone		20:46
*** saipandi has quit IRC		20:48
*** saipandi has joined #openstack-keystone		20:48
*** thedodd has joined #openstack-keystone		20:51
*** andreaf has quit IRC		20:56
dolphm	is everyone watching https://www.youtube.com/watch?v=Th61TgUVnzU ?	20:56
*** shakamunyi has quit IRC		20:59
*** mikedillion has quit IRC		21:03
*** _cjones_ has joined #openstack-keystone		21:04
*** _cjones_ has quit IRC		21:05
*** _cjones_ has joined #openstack-keystone		21:05
*** ajayaa has quit IRC		21:05
*** shakamunyi has joined #openstack-keystone		21:06
*** andreaf has joined #openstack-keystone		21:07
*** saipandi has quit IRC		21:08
ayoung	dstanek, your workplace looks pretty ghetto.	21:08
dolphm	ayoung: that's detroit in the background	21:11
dstanek	ayoung: that back you were looking at was all of my shelves with raspberry pi and arduino components	21:12
dstanek	and my new crappy dell laptop was up there	21:13
ayoung	stevemar2, good job filling in	21:14
stevemar2	ayoung, i lol'ed at your ghetto workspace comment, poor dstanek	21:15
dstanek	stevemar2: me too :-)	21:15
dstanek	stevemar2: you did fantastical and sdague makes it feel relaxed	21:16
ayoung	stevemar2, it still looks more humane than the sterile THX1138 environment IBM has you working in	21:16
stevemar2	ayoung, i was at home	21:16
Qlawy	disagree	21:16
Qlawy	my workplace is not sterile in IBM oO	21:16
openstackgerrit	Brant Knudson proposed openstack/keystone: Internal notifications for cleanup domain https://review.openstack.org/125521	21:16
stevemar2	ayoung, but that does describe my home, so thats fair	21:16
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	21:17
henrynash	rodigods: have added more comments to https://review.openstack.org/#/c/138552/	21:17
*** marcoemorais has quit IRC		21:17
*** marcoemorais has joined #openstack-keystone		21:18
dstanek	ayoung: i should do a video cast of my home automation projects	21:18
dolphm	dstanek: and have sdague host?	21:19
dstanek	dolphm: yes!	21:19
stevemar2	that would be good	21:19
*** stevemar2 is now known as stevemar		21:19
dstanek	i've been working on stuff inspired from http://lifehacker.com/build-an-entire-home-automation-system-with-a-raspberry-1640844965	21:20
dolphm	dstanek: what have you accomplished on that front?	21:24
dstanek	dolphm: i have the software running on the pi and a few radios talking back to it; the only sensor i have hooked up at at is the temp one because it was easy	21:25
dolphm	dstanek: i'd love to tie my security system together with my nest. like if my nest thinks i'm away for a couple hours and the alarm isn't set, then arm it. or if i arm the alarm for away mode, then set the nest in away mode, etc	21:25
*** jsavak has joined #openstack-keystone		21:25
dstanek	dolphm: that would be a neat idea	21:25
openstackgerrit	Brant Knudson proposed openstack/keystone: Move eventlet server options to a config section https://review.openstack.org/130962	21:25
dstanek	dolphm: i decided to use xbee radios instead of the ones they use in the tutorial mostly because the price to learning tradeoff made sense	21:26
ayoung	dstanek, I need to do something to get the music more distributed around the house	21:26
dolphm	ayoung: i use airfoil for that	21:27
dolphm	ayoung: although i only have two soundsystems to sync together	21:27
dstanek	there is this guy in Australia that completely rewired his house with automation in mind - he has inspired me to say the least	21:27
*** joesavak has quit IRC		21:28
stevemar	ahh man i sound awful, i should have gotten closer to the mic	21:28
*** joesavak has joined #openstack-keystone		21:28
stevemar	dammit, dstanek sounds fine	21:28
*** toddnni has quit IRC		21:28
dolphm	stevemar: you need a better mic	21:28
dolphm	stevemar: http://www.modmic.com/	21:29
dstanek	this dude is amazing: https://www.youtube.com/watch?v=ZUEKr_48EfQ&list=UU75HTMhqVZs0sPOMTMQqI9g	21:29
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct max_project_tree_depth config help text https://review.openstack.org/139736	21:29
*** jsavak has quit IRC		21:30
stevemar	dstanek, dolphm i still sound better than mriedeman	21:30
ayoung	You spent a long time on token formats	21:31
dolphm	dstanek: watching	21:32
*** toddnni has joined #openstack-keystone		21:32
*** packet has quit IRC		21:37
*** boris-42 has quit IRC		21:37
ayoung	lbragstad, have you tried signing an AE token with RSA and seeing what the size difference ends up being?	21:38
*** hdd has joined #openstack-keystone		21:38
stevemar	ayoung, that was unexpected	21:39
stevemar	ayoung, we started off on that topic, and kept going... next thing i know, i look down and it's 20 past	21:40
ayoung	heh	21:40
ayoung	good thing I wasn't there...would have gone of forever	21:40
ayoung	expiration question was interesting...	21:42
*** hdd has left #openstack-keystone		21:42
stevemar	well, i am outta here, see you all on the 15th	21:42
morganfainberg	zzzeek: I realize I have like 4 fixes for dogpile I need to respin and submit pull requests for >.<	21:42
stevemar	staycation time!	21:42
zzzeek	morganfainberg: OK, I’ve been super lazy about dogpile and there’s a bunch of PRs ive been sitting on	21:42
morganfainberg	stevemar: that isn't allowed! :P. Gonna tell uncle Topol! Have a good one dude.	21:43
ayoung	stevemar, enjoy. Good work	21:43
morganfainberg	zzzeek: yeah, there isn't a lot "wrong". I just know some QOL stuff is still outstanding. Not critical at all.	21:43
morganfainberg	Dogpile has been... Well... Pretty damn good.	21:44
*** redcup1 has joined #openstack-keystone		21:45
morganfainberg	ayoung: if i swing through the north east, I'm going to bug you about food / drinks in your neck of the woods.	21:45
ayoung	morganfainberg, I was trying to figure out how to do a default policy file. I figure the client should always request for a specific endpoint. The endpoint_policy should do: endpoint, fallback to service, fallback to default.	21:46
ayoung	I kindof want it all in the database, no config option	21:46
morganfainberg	ayoung: looks like it might happen (have some friends in Maine I need to visit and all trips go through Boston with looooong layovers)	21:46
ayoung	morganfainberg, let me know when...	21:46
*** stevemar has quit IRC		21:47
morganfainberg	ayoung: I would agree, in principle. Let me think for a moment.	21:47
lbragstad	ayoung: I haven't	21:47
lbragstad	just the AES stuff that dolphm prototyped	21:48
dolphm	dstanek: that guy's house runs on php	21:48
ayoung	lbragstad, I'm not certain if it would be usable, but I'd be interested in knowing the impact	21:48
morganfainberg	dolphm: I hear scary words coming from you. Mostly php being in there.	21:48
ayoung	it would minimize our key management	21:48
dstanek	dolphm: when he talked about light switches POSTing to the central switch service my mouth started to water	21:48
lbragstad	ayoung: I added a bunch of stuff around using keyCzar	21:49
dolphm	dstanek: that's right at about 10 minutes. i went back and watch that bit again.	21:49
ayoung	lbragstad, I know, which is what made me think about it.	21:49
dstanek	dolphm: when he talked about upgrading and rebooting his house i decided that level of automation is not for me	21:49
dolphm	dstanek: lol	21:49
morganfainberg	So, I think this can be an either-or. And the db could have a "default" rule set that is applied.	21:49
morganfainberg	ayoung: ^^. So, either config file or db, but no fall through.	21:50
ayoung	morganfainberg, right. Why I said I want it in the DB is there is an oredering issue. You need to upload the policy, which assignes the ID, then you would ned to updatre the confoig file and restart Keystone to pick up the change	21:50
morganfainberg	Fall through could pose "interesting" and unintentional side effects.	21:50
dolphm	dstanek: "honey, i'm rebooting the house because of a critical security vulnerability in the kernel! stay in one room until the lights stop flickering, okay?!"	21:50
morganfainberg	ayoung: make the ID deployer definable.	21:51
ayoung	morganfainberg, I'd like to make the ID the SHA256 hash of the file	21:51
ayoung	reassigning IDs is something I feel queasy about	21:52
morganfainberg	ayoung: why? I don't disagree but step me through the logic behind sha256	21:52
dstanek	dolphm: that guys uses ethernet, but since i'm not planning on ripping my house apart i'm just using xbees	21:52
morganfainberg	I do have a thought, but it is an extra web request.	21:52
morganfainberg	dstanek: that the power line networking?	21:53
dstanek	morganfainberg: no he's using real ethernet and i think PoE	21:53
ayoung	morganfainberg, policy is security sensitive. I could see a policy file being audited, and being able to run the sha256 is a valudlate "nothing has changed check"	21:53
ayoung	by making the ID the SHA we don't have to do a separate distribution for the sha	21:54
morganfainberg	ayoung: ok so we would need an abstraction to make it friendly. The SHA as the ID is just not friendly to configure.	21:56
morganfainberg	I'm not opposed to using that for verification purposes.	21:56
dstanek	morganfainberg: the opposite - sending power over ethernet	21:56
morganfainberg	dstanek: right. Poe.	21:57
morganfainberg	Got it. Misread earlier.	21:57
ayoung	just a thought, but I still don't like the user setting the ID. It seems to me that it is something that should be in the database, just strange to have a whole table for a single value	21:57
dstanek	morganfainberg: i tried the do-it-yourself version and it didn't go well	21:57
*** gordc has left #openstack-keystone		21:57
morganfainberg	Heh	21:57
dstanek	morganfainberg: got a nice shock and tripped the breaker	21:57
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	21:58
morganfainberg	ayoung: maybe store the sha and history of when it changed?	21:58
ayoung	morganfainberg, it seems to me that default policy if is something we should be able to deduce from the database. Maybe it makes sense to put an ordering column on the endpoint_poicy table, and you select the lowest number that meets your criteria, with the default being a really high number and no criteria?	21:59
ayoung	I know that idea sucks, but there is a kernel in there somewhere	21:59
morganfainberg	Sec. Switching to desktop from phone.	22:00
morganfainberg	ok so..	22:00
*** diegows has quit IRC		22:00
morganfainberg	sure, a rule ordering thing seems sane	22:00
morganfainberg	it doesn't suck that badly actually	22:00
ayoung	would there be any real use for it besided deducing the default?	22:01
*** marcoemorais has quit IRC		22:01
morganfainberg	nah, there really isn't i guess	22:01
*** marcoemorais has joined #openstack-keystone		22:01
*** marcoemorais has quit IRC		22:01
ayoung	I mean, we could have a "default" flag, but that seems dumb, as only one row would ever need default	22:01
ayoung	looking at the table, it has	22:01
*** marcoemorais has joined #openstack-keystone		22:01
*** marcoemorais has quit IRC		22:02
*** _cjones_ has quit IRC		22:02
*** marcoemorais has joined #openstack-keystone		22:02
ayoung	policy_id endpoint_id service_id region_id	22:03
*** gyee has joined #openstack-keystone		22:03
*** ChanServ sets mode: +v gyee		22:03
ayoung	if you just had all of those values empty, you have the default policy	22:04
ayoung	and we should probably have a constraint saying that a combination of all those columns needs to be unique	22:04
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	22:04
ayoung	does that work? default policy is the one with only id and policy_id set?	22:04
ayoung	OK...need to go be a dad. morganfainberg tell me if ^^ makes sense to you. I think it does to me...	22:05
morganfainberg	ayoung, hm	22:12
*** zz_avozza is now known as avozza		22:15
*** avozza is now known as zz_avozza		22:19
dolphm	morganfainberg: dear PTL, https://review.openstack.org/#/c/131007/ or https://review.openstack.org/#/c/130013/ which would win in a fight? thanks.	22:28
*** andreaf has quit IRC		22:29
* morganfainberg takes a gander and gets ready to place bets.		22:29
notmyname	http://www.googlefight.com/index.php?lang=en_GB&word1=131007&word2=130013	22:30
*** zz_avozza is now known as avozza		22:30
morganfainberg	notmyname, hehheh	22:30
morganfainberg	dolphm, i'm inclined to say the discussion was deprecate the hell out of that functionality.	22:32
morganfainberg	dolphm, but i guess we need some kind of subst from the config?	22:32
morganfainberg	dolphm, ah i see what is going on.	22:33
morganfainberg	hm.	22:33
morganfainberg	dolphm, also "compute_port" was something that needed to be completly removed...	22:35
morganfainberg	oh L release	22:35
morganfainberg	bah	22:35
*** _cjones_ has joined #openstack-keystone		22:36
morganfainberg	dolphm, commented. Removal is my first choice, but didn't approve yet. Leaving open for comments for a bit in case there is a strong argument to keep the whitelist option around.	22:39
*** avozza is now known as zz_avozza		22:41
openstackgerrit	Brant Knudson proposed openstack/keystone: Remove endpoint_substitution_whitelist config option https://review.openstack.org/131007	22:47
*** r-daneel has quit IRC		22:49
*** joesavak has quit IRC		22:58
*** joesavak has joined #openstack-keystone		22:58
*** shakamunyi has quit IRC		23:01
openstackgerrit	Merged openstack/keystone-specs: Workflow documentation is now in infra-manual https://review.openstack.org/139333	23:03
openstackgerrit	Merged openstack/keystone-specs: Fix 'heirarchy' typo on 'Get project' https://review.openstack.org/139536	23:04
*** redcup1 has quit IRC		23:13
*** joesavak has quit IRC		23:19
*** boris-42 has joined #openstack-keystone		23:21
*** henrynash has quit IRC		23:24
*** rwsu has quit IRC		23:24
*** jorge_munoz has quit IRC		23:27
*** thedodd has quit IRC		23:30
*** marcoemorais has quit IRC		23:33
*** marcoemorais has joined #openstack-keystone		23:34
*** kobtea has joined #openstack-keystone		23:42
*** kobtea has quit IRC		23:47
*** _cjones_ has quit IRC		23:52
*** henrynash has joined #openstack-keystone		23:55
*** ChanServ sets mode: +v henrynash		23:55
*** _cjones_ has joined #openstack-keystone		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!