Monday, 2014-12-08

*** zz_avozza is now known as avozza00:01
*** jasondotstar has joined #openstack-keystone00:21
*** jasondotstar has quit IRC00:21
*** oomichi has joined #openstack-keystone00:35
*** stevemar has quit IRC00:40
*** samuelms has joined #openstack-keystone00:42
*** boris-42 has quit IRC00:52
*** avozza is now known as zz_avozza01:22
samuelmsbknudson, hi, how is max-complexity in tox.ini calculated?01:23
samuelmsbknudson, ahh .. just saw that's the McCabe complexity threshold01:25
*** lhcheng has joined #openstack-keystone01:31
*** jacer_huawei has joined #openstack-keystone01:41
*** jacer_huawei is now known as wanghong01:41
*** wanghong has quit IRC01:56
openstackgerritwanghong proposed openstack/keystone: remove assignments for foreign actors when deleting domain  https://review.openstack.org/12743301:57
*** stevemar has joined #openstack-keystone02:05
*** ChanServ sets mode: +v stevemar02:05
*** fifieldt has joined #openstack-keystone02:05
*** wanghong has joined #openstack-keystone02:09
*** lhcheng has quit IRC02:13
*** erkules_ has joined #openstack-keystone02:17
*** erkules has quit IRC02:19
openstackgerritSteve Martinelli proposed openstack/keystone: User ids that begin with 0 cannot authenticate through ldap  https://review.openstack.org/13744902:26
openstackgerritwanghong proposed openstack/keystone: add circular check when updating region  https://review.openstack.org/13047402:26
openstackgerritwanghong proposed openstack/keystone: Can't update catalog objects when using kvs driver  https://review.openstack.org/13018002:26
openstackgerritSteve Martinelli proposed openstack/keystone: sync to oslo commit b19af08  https://review.openstack.org/13825302:29
openstackgerritwanghong proposed openstack/keystone: Can't update catalog objects when using kvs driver  https://review.openstack.org/13018002:32
openstackgerritSteve Martinelli proposed openstack/keystone: Remove XML support  https://review.openstack.org/12573802:32
openstackgerritSteve Martinelli proposed openstack/keystone: Update docs to no longer show XML support  https://review.openstack.org/12575302:32
*** ncoghlan has joined #openstack-keystone02:34
openstackgerritMerged openstack/keystone: Typo in policy call  https://review.openstack.org/13978002:38
openstackgerritwanghong proposed openstack/keystone: add circular check when updating region  https://review.openstack.org/13047402:42
openstackgerritwanghong proposed openstack/keystone: Can't update catalog objects when using kvs driver  https://review.openstack.org/13018002:42
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Add library oslo.concurrency in file oslo.config.generator.rc  https://review.openstack.org/13727002:44
openstackgerritSteve Martinelli proposed openstack/keystone: Adds openSUSE support for developer documentation  https://review.openstack.org/12925602:44
openstackgerritMerged openstack/keystone: Move notification unit tests to unit test dir  https://review.openstack.org/13383402:56
openstackgerritwanghong proposed openstack/keystone: remove unnecessary checks in assignment/controllers.py  https://review.openstack.org/13072203:00
openstackgerritMerged openstack/keystone: make sample_data.sh account for the default options in keystone.conf  https://review.openstack.org/13619903:05
openstackgerritwanghong proposed openstack/keystonemiddleware: fallback to online validation if offline validation fails  https://review.openstack.org/13103603:16
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add name parameter to NoMatchingPlugin exception  https://review.openstack.org/13989803:16
*** lhcheng has joined #openstack-keystone03:25
*** david-lyle_afk has quit IRC03:31
*** david-lyle_afk has joined #openstack-keystone03:43
*** david-lyle_afk has quit IRC03:50
*** wanghong has quit IRC03:51
*** WDarren has joined #openstack-keystone03:52
*** david-lyle_afk has joined #openstack-keystone04:02
*** david-lyle_afk has quit IRC04:02
*** wanghong has joined #openstack-keystone04:06
WDarrendoes "endpoint policy" extension mean that we can set "policy.json" for other services?04:09
WDarrenI think examples in the current docs about "endpoint policy" are vague04:10
WDarrene.g. "blob": "--serialized-blob--"04:10
*** dimsum__ has quit IRC04:11
WDarrencan anybody provide a more specific example about "blob"?04:12
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add a test to ensure the version check error  https://review.openstack.org/13951204:17
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading other auth methods in auth_token  https://review.openstack.org/12955204:17
*** ajayaa has joined #openstack-keystone04:17
jamielennoxWDarren: henry nash is the expert on that one, essentially it means though that we can set a policy.json specific to a service at a URL, and have services with different policies for different uses04:18
jamielennoxthe blob will essentially be the contents of policy.json04:18
jamielennoxthis is moving towards a place where keystone controls policy for all of OpenStack - i'm not aware of how you could use that functionality now04:19
*** lhcheng has quit IRC04:20
*** ishant has joined #openstack-keystone04:28
*** ishant has quit IRC04:28
*** lhcheng has joined #openstack-keystone04:36
*** samuelms has quit IRC04:39
*** samuelms has joined #openstack-keystone04:40
*** samuelms has quit IRC04:44
stevemarjamielennox, ping, can i bug you to review https://review.openstack.org/#/c/130564/ and https://review.openstack.org/#/c/134364/04:50
stevemarjamielennox, also, i'm thinking about how to best position this guy: https://review.openstack.org/#/c/134700/ on top of the 'federation framework'04:50
jamielennoxstevemar: so https://review.openstack.org/#/c/134364/5/keystoneclient/v3/contrib/oauth1/access_tokens.py will change a little04:52
jamielennoxthe object that is passed to the managers is an adapter, so you should be able to do self.client.get_endpoint()04:52
stevemarjamielennox, is that merged yet?04:53
jamielennoxstevemar: i think so04:53
jamielennoxstevemar: actually yes04:53
stevemarjamielennox, gah, okay, thanks for the heads up, i'll change it up04:54
stevemarjamielennox, as soon as that merges i'll be adding functional tests to osc to catch this stuff04:54
jamielennoxadded the comment, you should be able to use https://review.openstack.org/#/c/117089/ to test it04:55
jamielennoxi haven't touched that in a while i assume it still merges04:55
WDarrenjamielennox: I'm not using it now, just feel confused when reading docs because no examples show what blob is.04:57
jamielennoxthe framework one i wrote initially - i don't mind so much on that one, i like the clean up but i'm really hoping that marekd|away finishes off the push he's been doing to allow the unscoped->scoped transition to go via the regular Token mechanism rather than need something federation specific04:57
stevemarjamielennox, i'm assuming self.client.get_endpoint will be http://hostname:port/v3 (or v2.0) right?04:57
jamielennoxstevemar: if you give AUTH_INTERFACE it will be whatever you gave to auth_url=04:58
jamielennoxotherwise give version=(2,0) or version=(3,0) if you want the versioned endpoint04:59
*** lhcheng has quit IRC04:59
*** david-lyle_afk has joined #openstack-keystone05:01
jamielennoxstevemar: i'm not sure session does the right thing everywhere about cloning the headers dict05:02
jamielennoxstevemar: headers=self.HEADER_X_FORM might end up with token in it or some other junk05:02
stevemarjamielennox, so far it doesn't seem to do anything too bad to it05:03
jamielennoxstevemar: yep, just looking and saw it05:03
jamielennoxat that point there isn't a token or anything to pollute with05:04
*** wanghong has quit IRC05:05
*** wanghong has joined #openstack-keystone05:05
stevemarjamielennox, do you mean self.api.get_endpoint() ?05:06
jamielennoxstevemar: yes, from memory api/client are the same thing there - something the apiclient guys were trying to change05:06
*** dimsum__ has joined #openstack-keystone05:11
stevemarjamielennox, oh looks like you already fixed that for me :)05:15
stevemarjamielennox, just the project id is missing now, cause of the apache issue05:15
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Project ID in OAuth headers was missing  https://review.openstack.org/13436405:17
stevemarjamielennox, ^ it's now a tiny change05:17
*** dimsum__ has quit IRC05:17
jamielennoxstevemar: +2 - i assume you know what you are doing there and i don't have a setup to test it05:18
stevemarjamielennox, it's just to satisfy mod_wsgi, it's the exact same code on the server side, but mod_wsgi filters out headers with underscores05:19
jamielennoxstevemar: if that tests patch fixes things for you leave a review05:21
jamielennoxit's been around a while05:21
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412505:21
*** serverascode___ has quit IRC05:37
*** serverascode___ has joined #openstack-keystone05:41
stevemarjamielennox, ugh that federation framework patch is in a rough rebase05:50
*** k4n0 has joined #openstack-keystone06:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/13624306:05
*** tylerdurden has joined #openstack-keystone06:32
*** shakamunyi has quit IRC06:34
openstackgerritwanghong proposed openstack/keystone: fix wrong indentation in contrib/federation/utils.py  https://review.openstack.org/13992306:57
*** wanghong has quit IRC07:00
*** stevemar has quit IRC07:03
*** wanghong has joined #openstack-keystone07:13
*** nellysmitt has joined #openstack-keystone07:36
*** erkules_ is now known as erkules07:40
*** quack_quack_ has quit IRC07:49
*** mzbik has joined #openstack-keystone07:50
*** quack_quack_ has joined #openstack-keystone07:52
*** tsufiev has quit IRC07:58
*** amakarov_away has quit IRC08:00
*** lhcheng has joined #openstack-keystone08:00
*** lhcheng has quit IRC08:04
*** bdossant has joined #openstack-keystone08:06
*** amakarov has joined #openstack-keystone08:09
*** jamielennox is now known as jamielennox|away08:12
*** tsufiev has joined #openstack-keystone08:14
*** jistr has joined #openstack-keystone08:16
*** joe_____ has joined #openstack-keystone08:21
*** zz_avozza is now known as avozza08:25
*** WDarren has left #openstack-keystone08:34
*** WDarren has joined #openstack-keystone08:35
*** WDarren has left #openstack-keystone08:36
*** Nakato_ is now known as Nakato08:38
*** darren-wang has joined #openstack-keystone08:41
*** ncoghlan has quit IRC08:46
*** gothicmindfood has quit IRC08:48
*** nellysmitt has quit IRC08:49
*** nellysmitt has joined #openstack-keystone08:52
*** nellysmitt has quit IRC08:54
*** nellysmitt has joined #openstack-keystone08:56
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13479408:58
*** marekd|away is now known as marekd09:06
*** nellysmitt has quit IRC09:12
*** dimsum__ has joined #openstack-keystone09:15
*** gothicmindfood has joined #openstack-keystone09:15
*** nellysmitt has joined #openstack-keystone09:18
*** afazekas has joined #openstack-keystone09:19
*** dimsum__ has quit IRC09:20
*** Roland has joined #openstack-keystone09:21
*** oomichi has quit IRC09:22
*** joe_____ has quit IRC09:23
*** samuelms has joined #openstack-keystone09:44
*** nellysmitt has quit IRC09:45
*** aix has joined #openstack-keystone09:46
openstackgerritwanghong proposed openstack/keystone: set endpoint enabled default to True if not specified(kvs)  https://review.openstack.org/13995809:51
*** samuelms has quit IRC10:21
*** nellysmitt has joined #openstack-keystone10:28
*** jistr has quit IRC10:51
openstackgerritdarren-wang proposed openstack/keystone: Adding [database] section to the introduction to the structure of keystone's primary configuration file.  https://review.openstack.org/13997111:02
*** jistr has joined #openstack-keystone11:09
*** andreaf has joined #openstack-keystone11:19
*** andreaf has quit IRC11:32
*** andreaf has joined #openstack-keystone11:47
*** dimsum__ has joined #openstack-keystone11:47
*** avozza is now known as zz_avozza11:55
*** dimsum__ is now known as dims12:05
*** luisjariz has joined #openstack-keystone12:09
*** zz_avozza is now known as avozza12:26
*** jistr has quit IRC12:27
*** jistr has joined #openstack-keystone12:28
*** tellesnobrega has joined #openstack-keystone12:29
*** jamielennox|away is now known as jamielennox12:31
*** wanghong has quit IRC12:32
*** luisjariz has quit IRC12:32
*** wanghong has joined #openstack-keystone12:34
*** wanghong has quit IRC12:38
*** jamielennox is now known as jamielennox|away12:41
*** Roland has left #openstack-keystone12:42
*** wanghong has joined #openstack-keystone12:42
*** tellesnobrega has quit IRC12:53
*** wanghong has quit IRC12:59
lbragstadmorganfainberg: yep, I'll be there on wednesday13:06
*** ajayaa has quit IRC13:07
*** bknudson has quit IRC13:08
*** saipandi has joined #openstack-keystone13:10
*** jacer_huawei has joined #openstack-keystone13:20
*** jacer_huawei has quit IRC13:25
*** jacer_huawei has joined #openstack-keystone13:27
*** jacer_huawei has quit IRC13:34
*** jacer_huawei has joined #openstack-keystone13:35
*** gordc has joined #openstack-keystone13:38
*** radez_g0n3 is now known as radez13:39
*** jacer_huawei has quit IRC13:42
*** bjornar has quit IRC13:48
*** jacer_huawei has joined #openstack-keystone14:04
*** ajayaa has joined #openstack-keystone14:09
*** richm has joined #openstack-keystone14:15
*** samuelms has joined #openstack-keystone14:16
*** mikedillion has joined #openstack-keystone14:17
*** jacer_huawei has quit IRC14:17
*** joesavak has joined #openstack-keystone14:23
*** saipandi has quit IRC14:24
*** ajayaa has quit IRC14:24
*** ayoung has joined #openstack-keystone14:26
*** ChanServ sets mode: +v ayoung14:26
*** ayoung has quit IRC14:26
*** mzbik has quit IRC14:32
*** samuelms has quit IRC14:33
*** ayoung has joined #openstack-keystone14:33
*** ChanServ sets mode: +v ayoung14:33
*** bdossant has quit IRC14:34
*** bdossant has joined #openstack-keystone14:35
*** bdossant has quit IRC14:36
*** jacer_huawei has joined #openstack-keystone14:43
*** jacer_huawei has quit IRC14:47
*** zzzeek has joined #openstack-keystone14:50
*** jacer_huawei has joined #openstack-keystone14:53
rodrigodsayoung, using https://review.openstack.org/#/c/133480 as spec to graduate oslo.policy as well. Need to address stevemar comments though, planning to do it today14:59
rodrigodsayoung, (saw your topic for tomorrow's meeting)14:59
ayoungrodrigods, cool14:59
*** jacer_huawei has quit IRC14:59
*** bknudson has joined #openstack-keystone15:00
*** ChanServ sets mode: +v bknudson15:00
ayoungrodrigods, so...I'm thinking we need a general "Cache" mechanism.  It's for all things in a middleware that need to fetch docs from Keystone, like the certs in PKI and the policy files15:00
ayoungKeystone client would accept a cache object for operations, but Middleware would actively manage it15:01
*** jacer_huawei has joined #openstack-keystone15:03
*** tellesnobrega has joined #openstack-keystone15:12
*** nellysmitt has quit IRC15:12
morganfainbergmorning15:17
*** nellysmitt has joined #openstack-keystone15:19
*** gordc has quit IRC15:20
lbragstadmorganfainberg: I will be available wednesday in austin15:20
lbragstadmorganfainberg: just fyi15:20
*** gordc has joined #openstack-keystone15:23
morganfainberglbragstad, great!15:28
*** tellesnobrega has quit IRC15:28
*** nkinder has joined #openstack-keystone15:30
*** andreaf has quit IRC15:32
*** andreaf has joined #openstack-keystone15:33
*** k4n0 has quit IRC15:40
*** jorge_munoz has joined #openstack-keystone15:40
*** mikedillion has quit IRC15:40
*** tellesnobrega has joined #openstack-keystone15:49
morganfainbergrodrigods, you're using the same spec to graduate policy as well as other things?15:49
*** aix has quit IRC15:55
morganfainbergayoung, ping: re: https://bugs.launchpad.net/keystone/+bug/140036215:56
uvirtbotLaunchpad bug 1400362 in keystone "check and delete  policy_association_for_region_and_servce  performs create" [High,New]15:56
ayoungmorganfainberg, yep15:56
ayoungmorganfainberg, that's a backport.15:56
morganfainbergah15:57
*** nkinder has quit IRC15:57
ayoungmorganfainberg,15:57
morganfainbergnot a worry, just want to make sure we're not leaving bugs in "new state"15:57
morganfainberg:)15:57
ayoungmorganfainberg, that is:  that one has backport potential15:57
ayoungI just posted the bug15:57
morganfainbergwanted to check before marking it as something besides "new"15:57
morganfainbergright15:57
ayoungneeds at least one other person to look at it to confirm15:57
ayoungI think a simple code review shows the problem15:58
morganfainbergoh 20min ago15:58
morganfainberghah, thought this was older15:58
morganfainbergsorry15:58
ayoungcompare it with the other check and delete functions and you can see it is a copy and paste error, and has never been run for realz15:58
dstanekpre-spec spec for functional testing - https://etherpad.openstack.org/p/keystone-functional-tests15:58
morganfainbergyeah i'm trying to read through it. now.15:58
*** nkinder has joined #openstack-keystone15:58
morganfainbergdstanek, cool!15:58
ayoungmorganfainberg, BTW, I'm going to make a comparable set of functions like this15:59
morganfainbergayoung, nice "create" there16:00
morganfainbergwow.16:00
morganfainbergsolid bug.16:00
morganfainbergayoung, I'm tagging this to K1.16:01
ayoungmorganfainberg, ++16:02
ayoungmorganfainberg, anyway, I'm going to make 3 "default_policy" functions there16:02
morganfainbergif henrynash can't get to it, either you or I should get the patch in before k116:02
ayoungand they will just leave off anything but the policy id16:03
ayoungI can get a functioning patch16:03
ayoungwill need a little more time to get a test going, but I should be able to bootstrap from Henry's last patch16:03
morganfainbergayoung, i think: https://bugs.launchpad.net/keystone/+bug/1384377 is a fail-fast issue not a potential security issue16:03
uvirtbotLaunchpad bug 1384377 in keystone "Policy rule position errors" [Undecided,New]16:03
morganfainbergayoung, btw. all tests i've done show this as a policy.py issue where it fails (safe) but incorrectly16:04
*** david-lyle_afk is now known as david-lyle16:06
ayoungmorganfainberg, it's not security if it is a case where it fails instead of succeeds16:07
ayoungso, agreed16:07
ayoungis it short-circuit logic in policy?16:08
ayoungrodrigods, you correcting the typos on https://review.openstack.org/#/c/133480  ?16:09
*** gordc has quit IRC16:10
*** darren-wang has quit IRC16:11
*** gordc has joined #openstack-keystone16:15
*** gordc has quit IRC16:15
*** jorge_munoz has quit IRC16:17
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/14005316:18
*** jorge_munoz has joined #openstack-keystone16:19
openstackgerritMerged openstack/keystone: Correct max_project_tree_depth config help text  https://review.openstack.org/13973616:21
*** mikedillion has joined #openstack-keystone16:22
*** gordc has joined #openstack-keystone16:23
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037616:24
openstackgerritMerged openstack/keystone: Adds openSUSE support for developer documentation  https://review.openstack.org/12925616:26
openstackgerritIlya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763916:27
morganfainbergayoung, right. i can't make it succeed in a case it should fail.16:27
morganfainbergayoung, it's a short-circuit that is happening incorrectly but safely afaict16:28
morganfainbergit's still a scary bug16:28
openstackgerritIlya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763916:28
morganfainbergbecause policy...16:28
ayoungmorganfainberg, we need to get the typos fixed in https://review.openstack.org/#/c/133480  to move that library promotion along16:28
morganfainbergayoung, about to step into a meeting here in austin, will take a look when done16:29
openstackgerritIlya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763916:29
ayoungmorganfainberg, we got it covered.16:29
morganfainberg++16:29
*** marcoemorais has joined #openstack-keystone16:35
openstackgerritIlya Pekelny proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/13764016:36
openstackgerritIlya Pekelny proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/13777816:36
openstackgerritIlya Pekelny proposed openstack/keystone: Add primary key to the endpoint_group id column.  https://review.openstack.org/13763816:36
openstackgerritIlya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763916:36
openstackgerritIlya Pekelny proposed openstack/keystone: Explicit MySQL engine designation.  https://review.openstack.org/13871216:36
openstackgerritIlya Pekelny proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063016:36
openstackgerritIlya Pekelny proposed openstack/keystone: Fix index name the assignment.actor_id table.  https://review.openstack.org/13763716:36
openstackgerritIlya Pekelny proposed openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/9355816:36
*** jorge_munoz has quit IRC16:39
*** packet has joined #openstack-keystone16:40
*** marcoemorais1 has joined #openstack-keystone16:40
*** marcoemorais has quit IRC16:42
*** marcoemorais1 has quit IRC16:43
*** marcoemorais has joined #openstack-keystone16:45
*** marcoemorais has quit IRC16:47
*** jacer_huawei has quit IRC16:52
openstackgerritDavid Stanek proposed openstack/keystone: Fixes links in Shibboleth configuration docs  https://review.openstack.org/14007716:54
*** jacer_huawei has joined #openstack-keystone16:55
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3  https://review.openstack.org/12541017:00
openstackgerritDavid Stanek proposed openstack/keystone: Updates Python3 requirements  https://review.openstack.org/13057917:00
openstackgerritDavid Stanek proposed openstack/keystone: Mocks out the memcache library for tests  https://review.openstack.org/12540917:00
openstackgerritDavid Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582717:00
*** jorge_munoz has joined #openstack-keystone17:07
*** lhcheng has joined #openstack-keystone17:09
*** afazekas has quit IRC17:11
*** avozza is now known as zz_avozza17:12
*** tellesnobrega has quit IRC17:13
*** chrisshattuck has joined #openstack-keystone17:17
*** openstackgerrit has quit IRC17:19
*** openstackgerrit has joined #openstack-keystone17:19
*** tylerdurden has quit IRC17:20
*** jorge_munoz has quit IRC17:26
*** _cjones_ has joined #openstack-keystone17:30
*** jacer_huawei has quit IRC17:31
*** jacer_huawei has joined #openstack-keystone17:32
*** zz_avozza is now known as avozza17:35
*** htruta has joined #openstack-keystone17:36
*** _cjones_ has quit IRC17:37
openstackgerritDavid Stanek proposed openstack/keystone: Make the mutable default arg check very strict.  https://review.openstack.org/13612617:37
openstackgerritDavid Stanek proposed openstack/keystone: Removes a Py2.6 version of inspect.getcallargs  https://review.openstack.org/13621017:37
openstackgerritDavid Stanek proposed openstack/keystone: Removes a Py2.6 version of assertSetEqual  https://review.openstack.org/13621117:37
openstackgerritDavid Stanek proposed openstack/keystone: Expanded mutable hacking checks  https://review.openstack.org/13620817:37
openstackgerritDavid Stanek proposed openstack/keystone: Removes a bit of WSGI code converts unicode to str  https://review.openstack.org/13620917:37
*** stevemar has joined #openstack-keystone17:52
*** ChanServ sets mode: +v stevemar17:52
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/14005318:03
*** mzbik has joined #openstack-keystone18:04
openstackgerritTyler North proposed openstack/keystone: Allow pre-hashed passwords for users  https://review.openstack.org/14010418:06
*** amcrn has joined #openstack-keystone18:07
*** tnorth has joined #openstack-keystone18:09
tnorthHello everyone, I've got a change I'd like to add to keystone https://review.openstack.org/#/c/140104/18:09
tnorththat basically reverts back this change https://git.openstack.org/cgit/openstack/keystone/commit/?id=e492bbc68ef41b276a0a18c6dbeda242d46b66f418:09
tnorthif someone could take a look it'd be much appreciated! thanks!18:09
*** jistr has quit IRC18:11
*** mikedillion has quit IRC18:19
*** harlowja_away is now known as harlowja18:20
*** mikedillion has joined #openstack-keystone18:20
*** mikedillion has quit IRC18:22
tnorthAlso just curious to see if anyone else thinks this is a bug18:24
tnorthhttps://bugs.launchpad.net/keystone/+bug/140044318:24
uvirtbotLaunchpad bug 1400443 in keystone "Keystone should support pre-hashed passwords" [Undecided,New]18:24
tnorthseems like a good idea for security to me18:24
lbragstadmorganfainberg: quick question on the structure of token things. With the token/persistence directory, the drivers inherit from token.persistence.Driver. For the non_persistence case, should they inherit from their own keystone/token/non_persistence/core.py:Driver class?18:26
morganfainbergHmm. No. The provider will just not call into provider.persistence18:28
morganfainbergThe idea behind moving things to provider.persistence and removing direct access to token_api is to allow the provider to determine if it should persist anything.18:29
morganfainbergSo in non-persistence a driver wouldn't be needed.18:29
lbragstadok, so backends in keystone/token/non_persistence/backends/driver.py:Driver() shouldn't inherit from anything?18:32
*** avozza is now known as zz_avozza18:39
*** marcoemorais has joined #openstack-keystone18:42
morganfainbergwait18:42
lbragstadmorganfainberg: oh wait, yeah.. so in non-persistence a new provider would be added to keystone/token/providers/<non-persistence-driver>.py18:42
morganfainbergyes18:43
lbragstadahhhh18:43
morganfainbergor providers/backends18:43
lbragstadproviders doesn't have a backend18:43
lbragstador backends/18:43
lbragstadall backends for providers just live in keystone/token/providers/18:44
morganfainbergyeah wherever they live18:45
*** jaosorior has joined #openstack-keystone18:45
lbragstadok18:45
lbragstadmorganfainberg: cool18:45
lbragstadmorganfainberg: that helps, thank you18:45
openstackgerritayoung proposed openstack/keystone: default policy  https://review.openstack.org/14011318:50
*** nellysmitt has quit IRC18:52
openstackgerritayoung proposed openstack/keystone: policy default  https://review.openstack.org/14011318:54
*** marcoemorais has quit IRC18:59
*** marcoemorais has joined #openstack-keystone18:59
*** marcoemorais has quit IRC18:59
*** marcoemorais has joined #openstack-keystone18:59
*** lhcheng has quit IRC19:02
*** lhcheng has joined #openstack-keystone19:02
*** henrynash has joined #openstack-keystone19:05
*** ChanServ sets mode: +v henrynash19:05
*** raildo has joined #openstack-keystone19:07
henrynashrodigods: ping19:07
*** jacer_huawei has quit IRC19:09
*** henrynash has quit IRC19:09
*** marcoemorais has quit IRC19:12
*** marcoemorais has joined #openstack-keystone19:13
openstackgerritDavid Stanek proposed openstack/keystone: Make the mutable default arg check very strict  https://review.openstack.org/13612619:13
openstackgerritDavid Stanek proposed openstack/keystone: Removes a Py2.6 version of inspect.getcallargs  https://review.openstack.org/13621019:13
openstackgerritDavid Stanek proposed openstack/keystone: Removes a Py2.6 version of assertSetEqual  https://review.openstack.org/13621119:13
openstackgerritDavid Stanek proposed openstack/keystone: Expanded mutable hacking checks  https://review.openstack.org/13620819:13
openstackgerritDavid Stanek proposed openstack/keystone: Removes a bit of WSGI code converts unicode to str  https://review.openstack.org/13620919:13
openstackgerritayoung proposed openstack/keystone: Check and delete for  policy_association_for_region_and_service  https://review.openstack.org/14012219:14
*** htruta_ has joined #openstack-keystone19:19
*** aix has joined #openstack-keystone19:19
*** htruta has quit IRC19:20
*** lhcheng has quit IRC19:23
*** jacer_huawei has joined #openstack-keystone19:25
*** zzzeek has quit IRC19:29
*** jacer_huawei has quit IRC19:30
*** tnorth has left #openstack-keystone19:32
*** tnorth has quit IRC19:32
*** zzzeek has joined #openstack-keystone19:32
*** amcrn has quit IRC19:34
*** lhcheng has joined #openstack-keystone19:38
*** shakamunyi has joined #openstack-keystone19:38
*** amcrn has joined #openstack-keystone19:40
*** jacer_huawei has joined #openstack-keystone19:46
*** jorge_munoz has joined #openstack-keystone19:48
*** nkinder has quit IRC19:50
*** RichardRaseley has joined #openstack-keystone19:50
*** jacer_huawei has quit IRC19:54
*** radez is now known as radez_g0n319:54
morganfainberghrm, no henrynash huh19:57
*** radez_g0n3 is now known as radez19:57
*** henrique has joined #openstack-keystone19:57
dstanekmorganfainberg: ack on the meeting tomorrow - i'll probably sit in to see how it goes19:57
*** htruta_ has quit IRC19:59
morganfainbergdstanek, great. the relmanagment 1 on 1 is still cancelled, but the cross-project meeting/release meeting/whatever it is, i'll be there for19:59
morganfainbergplease sit in on the meeting and hang out though19:59
dstanekmorganfainberg: i shall...i'm very interested in the inner workings of our processes20:00
*** nellysmitt has joined #openstack-keystone20:01
*** ajayaa has joined #openstack-keystone20:02
openstackgerritayoung proposed openstack/keystone: default policy  https://review.openstack.org/14011320:08
*** mzbik has quit IRC20:08
*** jacer_huawei has joined #openstack-keystone20:10
*** topol has joined #openstack-keystone20:13
*** gyee has joined #openstack-keystone20:13
*** ChanServ sets mode: +v gyee20:13
*** ChanServ sets mode: +v topol20:13
*** ajayaa has quit IRC20:15
*** samuelms has joined #openstack-keystone20:17
ayoungmorganfainberg, should I change https://review.openstack.org/#/c/133480/5/specs/keystoneclient/policy-enforce.rst,cm  to be in keystonemiddleware?20:17
*** raildo has quit IRC20:18
morganfainbergayoung, ok so why would it be in middleware, why would it be in client?20:21
*** amakarov is now known as amakarov_away20:22
morganfainbergi'm not clear why graduating policy.py has anything to do with keystoneclient.20:22
ayoungmorganfainberg, good question.  I was obviously originally thinking client.  jamielennox|away was insistent on middleware.  I guess the rationale for middleware is that it is always supposed to be called from inside a service20:22
ayoungmorganfainberg, graduating to its own library also should be broken out to a separate spec20:22
morganfainberg++20:23
morganfainbergok that out of the way20:23
ayoungthe more I think about it, the more I suspect that the right steps are this:20:23
ayoung1.  rewrite spec for pure graduation reqs20:23
ayoungcreate a cache abstraction...this is for handling the files20:23
morganfainbergi think that middleware is likely the right place to do enforcement20:23
morganfainbergooooooor20:23
ayounglike  certs etc...things that need to be called from the endpoints and then held on to20:23
morganfainbergactually...20:24
ayoungand then the client is used to populate the cache20:24
morganfainbergi'm not sure this enforcement belongs in either client or middleware (it might be consumed by middleware)20:24
* morganfainberg re-reads the spec.20:24
*** radez is now known as radez_g0n320:24
ayoungwell, I don't know if we could even do it as a straight middleware call, but having it available in middleware seems to make sense20:24
morganfainbergthis spec feels like it's really meant to be part of the policy lib.20:25
ayoungit's just that the fetch needs to be from the client20:25
morganfainbergthe way it's written.20:25
ayoungso a cache object that ties the two together...20:25
morganfainberghm20:25
morganfainbergok i see20:25
*** ksavich has joined #openstack-keystone20:26
ayoungmorganfainberg, I'd like to keep the graduated policy lib agnostic of Keystone itself.  I think the congress folks are using it (or should) and it should not be a problem for them20:27
*** radez_g0n3 is now known as radez20:28
morganfainberghm20:28
morganfainbergright20:28
ayoungso the cache object would have either a filesystem or a memcache place to store the policy, and a method to fetch it from keystone20:28
ayoungor, in their case, fetch from congress20:28
morganfainbergso let's set congress aside, we don't care about the backend (keystone, congress, etc) a *way* to fetch it.20:29
ayoungwe could do the same thing with CMS for PKIZ tokens, and then the cache could be abstracted enough to support both flat files and the NSS Database20:29
morganfainbergwhat i'm thinking is: policy does this with stevedore and plugins20:29
morganfainbergsomething configured20:29
ayoungyeah...just using them as a second datapoint20:29
ayoungthe policy engine is content-agnostic, and should remain that way20:29
morganfainbergso the policy lib *can* fetch if a plugin is configured20:29
morganfainbergcongress would provide a stevedore loaded plugin20:30
morganfainbergas would keystone20:30
morganfainbergyou can configure it20:30
ayoungmeh20:30
morganfainbergthat plugin knows how to fetch/etc20:30
ayoungyou still need to say which plugin to use20:30
morganfainbergthat is in config20:30
ayoungI say let the consumer worry about that20:30
morganfainbergpolicy provides *that* config option20:30
ayoungand the consumer passes the cache in to the api call20:30
morganfainbergi'd make that plugin responsible for that20:31
morganfainbergthis doesn't belong in either keystoneclient or middleware as you've described20:31
ayoungconsumer needs to manage its own config file20:31
morganfainbergthe consumer already doesn't.20:31
ayoungso...it stevedore something that should be possible, but not required20:31
morganfainbergoslo.XXX with config20:31
ayoungAAA-policy!20:32
morganfainbergwith stevedore, if the plugin is supplied it will load in from policy and use that20:32
morganfainbergpolicy lib20:32
ayoungit puts a dependency on stevedore that is not there now.  I'd rather make that optional20:33
morganfainbergthat's a fine dep to have20:33
ayoungI mean, I'd be OK with the keystoneclient or middleware code doing that20:33
morganfainbergit's not onerous20:33
ayoungbut not the policy enginer20:33
ayoung engine20:33
morganfainbergbut it doesn't belong in keystonemiddleware or client as described20:33
ayoungthe cache object?20:34
ayoungI think you are missing some of the complexity20:34
ayoungthe cache object will need to be populated with config values, maybe even a user object, in order to make a call to keystone20:34
ayoungso the cache for our cases needs a keystoneclient or comparable object20:35
ayoungso, let's put the cache interface into aaa-policy, but put the keystone implementation into KC, and call it from Kmid20:36
morganfainbergsure.20:36
morganfainbergok so my point was how is keystoneclient called in this case?20:37
*** nellysmitt has quit IRC20:37
ayoungOK,  I think it would be like this:20:37
ayoungKeystonemiddleware creates a cache object and puts it into the application's context20:38
*** _cjones_ has joined #openstack-keystone20:38
ayoungwhen a user calls an API, the endpoint gets the cache object and uses it to call aaa-policy.enforce20:38
morganfainberghm.20:38
ayoungpasses in the cache object, or could even call it on the cache object if we want20:38
ayoungthe cache sees that there is no policy file (or it is outdated) and fetches20:39
ayoungfetch uses the KClient to get policy20:39
morganfainbergyeah i think my concern was the cache interface being in ksc20:39
ayoungI can see that20:39
morganfainbergwhich makes it weird.20:39
ayoungI think interface for this goes in aaa-policy20:39
morganfainbergyeah20:39
morganfainbergthat solves my concern20:39
morganfainbergbut we should have a clean spec to graduate policy - that to begin with.20:40
ayoungcache implementation can go into either one.  Probably have a file one in KC, but a memcached based one in middleware?20:40
ayoungAgreed.  I'll work on that spec.20:40
morganfainberguhm.20:41
ayoungAre we officially OpenStack  authentication, authorization, and audit now?  Is OSAAA-Policy an OK name?20:41
morganfainbergthat is a question we're going to need to get TC approval for....20:42
morganfainbergand foundation likely20:42
morganfainbergbut i don't have an issue with it20:42
morganfainbergsomethingsomething lawyer things on names something something20:42
morganfainbergi'll put it on the TC agenda.20:42
*** _cjones_ has quit IRC20:42
morganfainbergand yes we are authn, authz, and audit20:42
ayoungaccording to https://wiki.openstack.org/wiki/Programs  we are still identity20:42
morganfainbergwiki is out of date20:43
ayounglet's see the yaml20:43
ayounghttp://git.openstack.org/cgit/openstack/governance/tree/reference/programs.yaml#n4120:43
ayoungthey updated the PTL20:43
ayoungmorganfainberg, found a very elegant way to do default policy:20:46
ayounghttps://review.openstack.org/#/c/140113/20:46
ayounggot the fix and tests for the other policy issue, too20:47
morganfainbergayoung, ok need to duck out here and run off for a few.20:47
morganfainbergwill take a look.20:47
ayounggo for it...I'll work up the graduation spec20:47
*** _cjones_ has joined #openstack-keystone20:52
*** _cjones_ has quit IRC20:54
*** ksavich has quit IRC20:54
*** _cjones_ has joined #openstack-keystone20:54
*** nkinder has joined #openstack-keystone21:02
*** marcoemorais has quit IRC21:03
*** marcoemorais has joined #openstack-keystone21:03
*** amcrn has quit IRC21:06
*** henrique has quit IRC21:06
*** ksavich has joined #openstack-keystone21:07
*** ksavich has quit IRC21:12
*** fifieldt_ has joined #openstack-keystone21:15
*** fifieldt has quit IRC21:19
*** gyee has quit IRC21:32
*** radez is now known as radez_g0n321:37
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005021:56
ayounglbragstad, I don't think we can say identifiers are 32chars long21:57
ayounguserids are 64 chars long21:57
lbragstadayoung: legacy uuids?21:58
lbragstadso, you mean for backwards compatible stuff?21:59
ayounglbragstad, no, I'm talking today, we have not ids to 32chars21:59
ayounghow is msgpack dealing with the length of strings?21:59
lbragstadmsgpack just condenses stuff22:00
*** boris-42 has joined #openstack-keystone22:00
ayoungthe more I look at it, the more it looks like ASN1 to me22:01
lbragstadayoung: there is an example of msgpack output in the review22:01
ayoungyeah...just looking at your comment.22:02
ayounglbragstad, I'm just worried that we are going to get something that works for some set of tokens, but not, say, federated22:02
ayoungand the list of groupids is one thing that we are kind of handwaving away22:03
lbragstadI just addressed that in the last past22:03
lbragstadpatch*22:03
ayoungI would like to see the size of a federated AE token with a handful of groups specified22:03
ayounghow big?22:03
lbragstadhttps://gist.github.com/lbragstad/5381c639a3a4e17e112422:04
lbragstadthat's an example22:04
lbragstadadd a couple group ids and you're at ~210 characters22:04
ayoungwe could do the same thing with roles?22:07
lbragstadyou mean a role?22:07
ayoungmultiple22:07
lbragstadwhy multiple22:07
ayounglist of roles22:07
ayoungcuz right now tokens have more than one role in them22:07
*** joesavak has quit IRC22:08
lbragstadsure, but isn't the plan to make that go away?22:10
lbragstadper the discussion we were having the other day?22:10
ayounglbragstad, do you want to postpone AE tokens until that happens? Not going to be in Kilo22:11
*** oomichi has joined #openstack-keystone22:11
lbragstadayoung: no, not really because you could still make AE tokens work if you have more than one role on the project22:11
ayounglbragstad, yeah, but then you assume "all of the roles"  which, to be honest, is how standard tokens work today, but not trust etc.  So we are back to multiple formats22:12
lbragstadyou assume all of the roles are on a token?22:16
lbragstadI don't think ae tokens is trying to fix that problem22:18
*** tellesnobrega has joined #openstack-keystone22:33
ayounglbragstad, AE tokens are codifying the problem.  The old token format did not specify that the set of roles was the complete set the user had, that was only an implementation detail22:36
*** nellysmitt has joined #openstack-keystone22:38
lbragstadayoung: gotta run, be back on in a bit22:39
ayoungI'll be gone22:40
*** nellysmitt has quit IRC22:43
bknudsonae tokens will need to know that it's scoped to a project or domain or trust22:46
*** packet has quit IRC22:46
*** topol has quit IRC22:47
*** tellesnobrega has quit IRC22:49
*** gordc has quit IRC22:50
openstackgerritJorge Munoz proposed openstack/keystone-specs: This blueprint details the work required to add read and write LDAP drivers.  https://review.openstack.org/14017522:54
*** bknudson has quit IRC22:55
openstackgerritwerner mendizabal proposed openstack/keystone-specs: This blueprint details the work required to add read and write LDAP drivers.  https://review.openstack.org/14017522:59
openstackgerritJorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers  https://review.openstack.org/14017523:02
*** ayoung has quit IRC23:03
*** marcoemorais has quit IRC23:07
*** marcoemorais has joined #openstack-keystone23:08
*** jamielennox|away is now known as jamielennox23:15
*** jaosorior has quit IRC23:23
jamielennoxmorning everyone23:26
openstackgerritJorge Munoz proposed openstack/keystone-specs: This blueprint details the work required to add read and write LDAP drivers.  https://review.openstack.org/14017523:30
morganfainbergjamielennox, mornin23:32
*** marcoemorais1 has joined #openstack-keystone23:32
openstackgerritJorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers  https://review.openstack.org/14017523:32
*** marcoemorais has quit IRC23:33
morganfainbergjamielennox, so as a quick note, i pushed ayoung to not put the caching interface for policy in either ksc or middleware23:33
morganfainbergjamielennox, the interface itself goes in policy lib, ksc/middleware just has a way to "fetch" if needed. recommending stevedore plugin23:33
*** jdennis has quit IRC23:33
morganfainbergjamielennox, more to discuss i'm sure but, as proposed it didn't belong in either ksc or middleware.23:33
* morganfainberg is about to run off23:34
jamielennoxmorganfainberg: so the more i think about it i'm just as happy to have policy go to oslo - we can get core as needed23:35
jamielennoxmorganfainberg: i think the initial policy library should only be the enforcement engine23:35
*** jdennis has joined #openstack-keystone23:35
morganfainbergjamielennox, they would prefer we own it.23:35
morganfainbergand yes.23:35
jamielennoxwe need to figure out the caching aspect before we actually stick it in a library23:35
morganfainbergthat is what is initially graduated23:35
morganfainberganything beyond that will need to be separate.23:35
jamielennoxi'm not sure on some of ayoung's client changes, he's pushing a token interface which i don't think belongs in client23:36
morganfainbergwhere does the interface belong?23:36
jamielennoxunfortunately whilst middleware would be nice for policy enforcement the way we do it now can't be enforced by middleware23:36
jamielennoxmorganfainberg: keystone is the only place that ever needs to build a token23:36
morganfainbergjamielennox, and i don't see policy being enforced by middleware ever23:37
morganfainbergtbh23:37
morganfainbergbecause policy enforcement has more to do than just "can i access REST URL with role" in projects besides keystone23:37
jamielennoxhttps://review.openstack.org/#/c/137268/ is my take on token interface23:37
morganfainbergeven in keystone23:37
jamielennoxwhat more do you want to do than enforcing rest access?23:38
jamielennoxif you mean object based policy then sure, but are you thinking something else23:39
morganfainbergso, in the case of nova, they do lookups on the object and make sure they match things like project23:39
morganfainbergall in a single enforce23:39
morganfainbergso it is object based, and we do awful hacky things in keystone to get the same kind of enforcement23:39
morganfainbergso middleware is likely the wrong place for policy enforcement.23:40
jamielennoxmorganfainberg: i'm somewhat of the opinion that the object based policy is going to be a different object/enforcement point23:40
morganfainbergi have *no* idea what ayoung is proposing at this point because the specs are wildly inconsistent and combining things in odd ways23:40
jamielennoxthat's possibly where these quota and policy enforcement point as a separate service needs to live23:40
jamielennoxmorganfainberg: :)23:40
morganfainbergjamielennox, the issue is we use the same policy language for this enforcement atm23:40
jamielennoxmorganfainberg: yea - i think that's a mistake23:41
jamielennoxthe policy we do now should be rest only23:41
morganfainbergand we can't break backwards compat.23:41
jamielennoxthen we split object based23:41
jamielennoxthen we could actually enforce at middleware23:41
morganfainbergok so policy enforcement graduation and figure out the next step?23:41
jamielennoxmorganfainberg: is there a start for that somewhere?23:41
jamielennoxthat review i posted: https://review.openstack.org/#/c/137268/ is the interface i want policy to consume23:42
morganfainbergi ... am not sure.23:42
morganfainbergit needs to be a spec23:42
morganfainbergbut it's somewhat involved with like 2 or 3 different specs23:42
jamielennoxthat way auth_token controls the token information to expose, and policy controls the reading, so we can modify this stuff without having to fix every server every time23:42
jamielennoxi put something about this on the ML a week or so ago23:42
morganfainbergright23:43
jamielennoxI think dhellmann is right - there's nothing i can do about the current context layout as bad as it is23:43
morganfainberg:(23:43
jamielennoxit would be a huge win just to remove is_admin, and generate_admin_context from the library23:43
morganfainberg+++++++++23:43
morganfainbergwant to +++ more23:44
jamielennoxit scares me a little but i've had to mess with glance's context object and i can see the need to standardize23:44
jamielennoxi was almost hoping we could standardize on that auth_token object23:44
openstackgerritMerged openstack/keystone: User ids that begin with 0 cannot authenticate through ldap  https://review.openstack.org/13744923:45
jamielennox^ ? that's sad23:45
morganfainbergthat ldap does weird things?23:45
morganfainbergyeah23:45
*** marcoemorais1 has quit IRC23:46
openstackgerritMerged openstack/keystone: Remove useless field passed into SQLAlchemy "distinct" statement  https://review.openstack.org/13334323:46
*** marcoemorais has joined #openstack-keystone23:46
morganfainbergok anyway23:46
morganfainbergneed to go23:46
morganfainbergback later23:46
jamielennoxmorganfainberg: cya23:47
*** zz_avozza is now known as avozza23:47
*** marcoemorais has quit IRC23:50
*** marcoemorais has joined #openstack-keystone23:50
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading other auth methods in auth_token  https://review.openstack.org/12955223:51
*** chrisshattuck has quit IRC23:57
*** gyee has joined #openstack-keystone23:58
*** ChanServ sets mode: +v gyee23:58
