Tuesday, 2014-12-09

[00:25] <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add name parameter to NoMatchingPlugin exception  https://review.openstack.org/139898
[00:26] <openstackgerrit> Brant Knudson proposed openstack/keystone: Move eventlet server options to a config section  https://review.openstack.org/130962
[00:30] <bknudson> anybody else get messages like "ValueError: need more than 0 values to unpack" when running unit tests?
[00:32] <bknudson> looks like this: http://paste.openstack.org/show/147561/
[00:32] <bknudson> the tests still pass
[00:46] <openstackgerrit> Brant Knudson proposed openstack/keystone: Max complexity check considered harmful  https://review.openstack.org/140188
[01:15] <openstackgerrit> Merged openstack/keystonemiddleware: Split identity server into v2 and v3  https://review.openstack.org/130534
[02:07] <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/122281
[02:07] <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Auth token tests create temp cert directory  https://review.openstack.org/122280
[02:07] <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/102403
[02:11] <lbragstad> bknudson: I haven't seen that one yet.
[02:11] <lbragstad> bknudson: are you just seeing that today?
[02:11] <bknudson> jamielennox: https://review.openstack.org/#/c/102403/ is failing now.
[02:11] <bknudson> lbragstad: y... it doesn't happen for you?
[02:11] <lbragstad> bknudson: nope, I haven't seen it.
[02:11] <bknudson> maybe I need to reboot.
[02:11] <lbragstad> bknudson: let me pull the latest and try
[02:12] <jamielennox> bknudson: oh? did i break something or just a merge conflict
[02:12] <jamielennox> bknudson: oh, i see comment
[02:13] <lbragstad> bknudson: running the tests now, we'll see what happens!
[02:13] <bknudson> jamielennox: y, the change has self._identity_server and that causes discovery to happen now.
[02:14] <bknudson> jamielennox: I don't think you broke anything but it's a side-effect that was unexpected.
[02:14] <jamielennox> bknudson: yea, i don't know how we get around that
[02:15] <jamielennox> creating the plugin won't cause a request,
[02:16] <bknudson> jamielennox: I'll probably look into using the strategy pattern, since that's what I was thinking should be used there.
[02:17] <jamielennox> bknudson: yea - i guess we could create a standard client object with the version discovery not happening until we do a validation
[02:18] <jamielennox> i had thought the client subclass would work better there
[02:25] <lbragstad> bknudson: I got that same error
[02:30] <lbragstad> bknudson: have you opened a bug yet?
[02:34] <lbragstad> bknudson: I opened one https://bugs.launchpad.net/keystone/+bug/1400565
[02:34] <uvirtbot> Launchpad bug 1400565 in keystone "ValueError when running Keystone tests" [Undecided,New]
[03:04] <bknudson> lbragstad: I hadn't opened a bug since I haven't rebooted yet.
[03:07] <ayoung> jamielennox, what other reviews need to go in in order to support auth_token middleware service users in domains other than default
[03:08] <jamielennox> ayoung: https://review.openstack.org/#/c/139512/3
[03:08] <jamielennox> and https://review.openstack.org/#/c/129552/
[03:12] <ayoung> jamielennox, last one has a python 3 error, it looks like due to string handling
[03:13] <jamielennox> ayoung: hmm
[03:13] <ayoung> jamielennox, I'll add it as a starred review, though, and keep an eye on it
[03:30] <openstackgerrit> Dave Chen proposed openstack/keystone: Refactor the code to join multiple criteria together  https://review.openstack.org/133135
[04:03] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Allow loading other auth methods in auth_token  https://review.openstack.org/129552
[06:06] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/136243
[08:31] <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Create a framework for federation plugins  https://review.openstack.org/130564
[08:42] <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/138035
[08:43] <openstackgerrit> wanghong proposed openstack/keystonemiddleware: use keystone v3 api to fetch revocation list  https://review.openstack.org/127459
[09:01] <openstackgerrit> wanghong proposed openstack/keystonemiddleware: support micro version if sent  https://review.openstack.org/130916
[11:23] <rodrigods> ayoung, morganfainberg sorry... was afk yesterday
[11:24] <rodrigods> ayoung, saw you created an extra spec for graduating oslo.policy
[12:00] <openstackgerrit> Sergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/118383
[13:03] <nirupma_> In http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v2_0.html#keystoneclient.v2_0.users.UserManager.get can we use both username and id?
[13:41] <openstackgerrit> Andre Aranha proposed openstack/keystone-specs: Modify the policy file  https://review.openstack.org/135408
[13:54] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects  https://review.openstack.org/138552
[13:55] <ayoung> rodrigods, yep
[13:57] <rodrigods> ayoung, yeah, will work on this today
[13:57] <rodrigods> ayoung, I'm about to send a new version of the policy enforcement lib spec
[13:57] <rodrigods> ayoung, and will take a look in the graduate one
[13:57] <ayoung> rodrigods, OK. so some thoughts on how we are going to do this
[13:58] <ayoung> we need to have an abstraction for the file fetch and cache
[13:58] <ayoung> and that, I think, needs to be split over the new policy library and the keystone client
[13:58] <ayoung> the cache object pulls a few things together
[13:58] <ayoung> the storage, which can be either file or something like memcache
[13:59] <ayoung> and the fetch mechanism, which for our case would be KC calling to Keystone
[13:59] <ayoung> but also the config option to time out cache data
[13:59] <ayoung> rodrigods, make sense?
[13:59] <rodrigods> ayoung, we can do this via HEAD/GET approach
[14:00] <ayoung> you mean HEAD to see if there is a new version and GET to fetch it if there is?
[14:00] <rodrigods> ayoung, yes
[14:00] <ayoung> but we don't want to do a HEAD call on every call to Nova, so there still needs to be a timeout
[14:00] <ayoung> although we could do that based on the HTTP headers
[14:01] <rodrigods> ayoung, yep
[14:02] <rodrigods> ayoung, so... IMO this cache layer in the client needs another spec
[14:02] <rodrigods> and for the first version of the lib + kc, we would use the files as it is today, or not?
[14:10] <openstackgerrit> David Stanek proposed openstack/keystone: Removes a Py2.6 version of inspect.getcallargs  https://review.openstack.org/136210
[14:10] <openstackgerrit> David Stanek proposed openstack/keystone: Removes a Py2.6 version of assertSetEqual  https://review.openstack.org/136211
[14:10] <openstackgerrit> David Stanek proposed openstack/keystone: Expanded mutable hacking checks  https://review.openstack.org/136208
[14:10] <openstackgerrit> David Stanek proposed openstack/keystone: Removes a bit of WSGI code converts unicode to str  https://review.openstack.org/136209
[14:15] <marekd> dstanek: just wanted to follow up how is the federation in functional testing going?
[14:17] <dstanek> marekd: hey! i'm revamping my patch a little, but basically right now it sets up Keystone behind apache and pysaml2 as an IdP - i can definitely use your help in completing the configuration
[14:17] <marekd> dstanek: any VM so we can share the configuration?
[14:17] <marekd> dstanek: or configs, scripts
[14:18] <openstackgerrit> Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules.  https://review.openstack.org/139013
[14:18] <dstanek> if you email me a public key i can give you access to my original VM
[14:19] <marekd> dstanek: i will
[14:19] <marekd> dstanek: give me a sec
[14:19] <dstanek> marekd: awesome, thx
[14:20] <samuelms> Hi all .. as you may know, we have done some work regarding the policy v3 sample
[14:20] <samuelms> I'd like to have some opinions on that
[14:20] <samuelms> in other words, I'd like to know if you think that's something that would be good to have
[14:20] <samuelms> we don't want to put more effort if you say us that isn't something you don't would like to see merged on our code
[14:20] <samuelms> ayoung, ^
[14:20] <dstanek> marekd: lbragstad and i spent some time yesterday discussing the ideas here: https://etherpad.openstack.org/p/keystone-functional-tests
[14:20] <ayoung> samuelms, looking...
[14:20] <samuelms> ayoung, maybe that's something we could discuss on our meeting
[14:20] <dstanek> marekd: once my patch is fixed up a little bit i'll convert it into a spec
[14:21] <marekd> dstanek: ++
[14:22] <marekd> dstanek: i've sent you an email
[14:25] <ayoung> samuelms, so I think that the effort is good, but there are some details and some long term direction things we should discuss
[14:25] <ayoung> I'd like to get the rules for the individual APIs down much shorter
[14:26] <ayoung> and maybe just have an indicator on certain APIs that project_is_a_domain
[14:28] <samuelms> ayoung, cool ... thanks for this feedback
[14:28] <samuelms> ayoung, so I'll put a bullet point in our today's meeting
[14:28] <ayoung> samuelms, deal
[14:28] <samuelms> ayoung, and we can discuss further together :)
[14:39] <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller Use case  https://review.openstack.org/139824
[14:39] <openstackgerrit> Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules.  https://review.openstack.org/139013
[14:41] <ayoung> samuelms, I don't think we want to take meeting time on this.  I think that it can be handled with the code review
[14:59] <samuelms> ayoung, I don't wanna take a lot of time. that's just to have an overall of the change and request people to review that
[14:59] <samuelms> ayoung, we'd like to have that merged on keystone (at least the spec) asap
[14:59] <samuelms> ayoung, so that we have more arguments to propose that to all the other involved services
[15:00] <samuelms> ayoung, once we have that merged, we plan to submit the same idea on all the services and then send an email to the mailing list
[15:00] <samuelms> ayoung, so that we can have cross-project discussion on the importance of this work
[15:00] <samuelms> ayoung, makes sense?
[15:02] <samuelms> ayoung, gotta to have lunch now. I'll be back in an hour
[15:02] <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/138035
[15:02] <marekd> vsilva: yeah, you can change your score now.
[15:04] <marekd> vsilva: thank you
[15:04] <vsilva> marekd, :D
[15:04] <marekd> advantage of having multiple screens
[15:05] <marekd> nkinder, morganfainberg: https://review.openstack.org/138035 so i think this one is finally ready.
[15:06] <nkinder> marekd: great!  Reviewing now...
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/137640
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/137778
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Add primary key to the endpoint_group id column.  https://review.openstack.org/137638
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/137639
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Explicit MySQL engine designation.  https://review.openstack.org/138712
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/80630
[15:09] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Fix index name the assignment.actor_id table.  https://review.openstack.org/137637
[15:10] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/93558
[15:12] <marekd> nkinder: thanks. since i got an impression that there is a general agreement on the general concept i push a commit before a final +A on a spec: https://review.openstack.org/#/c/139013/
[15:13] <nkinder> marekd: oh, great.  I'll give that a look over today.
[15:13] <marekd> no rush
[15:13] <marekd> need to add some tests
[15:30] <openstackgerrit> werner mendizabal proposed openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/130376
[15:40] <marekd> morganfainberg: morning, and thanks for a +2
[15:40] <morganfainberg> marekd, yeah that one was close already
[15:40] <marekd> dstanek: morganfainberg: yeah
[15:41] <morganfainberg> marekd, ok so have a question about ECP wrap issues
[15:41] <morganfainberg> marekd, got a few minutes to discuss what is going on there and what we need to do to solve it?
[15:41] <marekd> morganfainberg: yes
[15:42] <morganfainberg> i need to understand it because i know i'm going to aiming on k2k federation being stable by k2
[15:42] <morganfainberg> earlier would be better
[15:42] <morganfainberg> s/going to aiming/something that makes grammar logic more better phrasing
[15:42] <marekd> i was hoping to spend my whole time on that this week but it's not working as planned early.
[15:42] * morganfainberg drinks more coffee.
[15:42] <marekd> morganfainberg: whatever :-)
[15:42] <morganfainberg> marekd, hehe i know you knew what i meant
[15:43] <marekd> morganfainberg: given the fact you are native and i am not i would rather think there is such a phrase in American English and I was simply not familiar with it :P
[15:43] <marekd> morganfainberg: anyway, what would you like to know?
[15:44] <morganfainberg> so first off, i understand we can't validate the crypto on the assertions at the moment
[15:44] <marekd> morganfainberg: correct.
[15:44] <morganfainberg> i'm not clear on why we're running into that with ECP - besides that we are
[15:44] <marekd> morganfainberg: ok
[15:44] <morganfainberg> afaict it's due to the wrap mechanism.
[15:44] <marekd> morganfainberg: correct.
[15:45] <morganfainberg> but.. it's just not clicking clearly, figure you'd be able to explain the missing bit to me.
[15:45] <marekd> when i was playing with it, even before Juno
[15:45] <rodrigods> morganfainberg, marekd, the SOAP wrap? or the SAML assertion signature validation?
[15:45] <rodrigods> just getting into the discussion :P
[15:45] <marekd> soap wrap
[15:46] <rodrigods> ok, sorry for interrupting, go ahead marekd
[15:46] <morganfainberg> marekd, aha, i think i understand the bit i was missing
[15:46] <morganfainberg> was missing soap bit
[15:47] <morganfainberg> that makes a lot more sense now.
[15:47] * morganfainberg doesn't know how i missed soap was part of the wrap.
[15:47] <marekd> morganfainberg: i needed a possibly quickest way for transporting saml assertion from a IdP to a SP. So i decided to reuse soapwrap and ECP in general. It's simply I would need to transform assertion into some base64 variation, and build a dynamic url where one of the params is a assertion itself. This is how classic browser websso works.
[15:48] <marekd> however, i really don't think this is a problem, as only a part of the original assertion is being signed
[15:48] <marekd> and later should be validated
[15:48] <rodrigods> here, Shibb was complaining in the validation step (SAML assertion)
[15:48] <morganfainberg> ok, i have a much better understanding of what is going on then.
[15:48] <marekd> namely <Assertion> object.
[15:49] <rodrigods> mostly, it was rejecting the issuer (CA)
[15:49] <marekd> rodrigods: how do you know that?
[15:49] <rodrigods> marekd, logs
[15:49] <rodrigods> Shibboleth uses a pipeline of validators
[15:49] <marekd> rodrigods: lol, did it say "CA unknown" or similar ?
[15:49] <rodrigods> marekd, yep, something like that
[15:50] <marekd> could you check what exactly?
[15:50] <rodrigods> yes, let me search in the VM
[15:50] <marekd> cause i was getting an error that signature cannot be validated, nothing more.
[15:50] <marekd> but to me it doesn't mean it's a CA problem.
[15:50] <marekd> it even shouldn't be a CA
[15:50] <rodrigods> marekd, you need to add extra log levels
[15:50] <marekd> i think i did.
[15:50] <rodrigods> specific to the validator
[15:51] <rodrigods> there is no example in the web (needed to figure out the path to the validator :P)
[15:51] <marekd> rodrigods: so maybe you can share our config with me?
[15:52] <rodrigods> marekd, yep
[15:52] <rodrigods> just a sec
[15:52] <marekd> rodrigods: please, send it over an email
[15:52] <rodrigods> marekd, here is the log output http://paste.openstack.org/show/147976/
[15:53] <rodrigods> marekd, not the ExplicitKey part, which is the "default" validator (the first one in the pipeline)
[15:54] <marekd> rodrigods: and which line indicates it's a CA problem?
[15:54] <marekd> rodrigods: i recall very similar logs but i am not super sure it's CA :(
[15:55] <rodrigods> marekd, 2014-11-03 14:18:43 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no peer credentials validated the signature
[15:55] <rodrigods> marekd, it's just a hint
[15:55] <marekd> rodrigods: ah, ok.
[15:56] <marekd> rodrigods: hint.
[15:56] <marekd> rodrigods: i thought we had different logs
[15:57] <rodrigods> marekd, don't we?
[15:57] <rodrigods> marekd, ahh, remembered why I think it is the CA
[15:58] <rodrigods> so... looking at the ExplicitKey code, where it logs those messages
[15:58] <marekd> rodrigods: well, neither mine nor yours mention CA and the last warning is kind of similar, so i think we have similar logs :-)
[15:58] <rodrigods> it fails in the signature verification, so I manually tried to use xmlsec to validate it
[15:59] <rodrigods> and it was giving me the same error
[15:59] <rodrigods> until I pass as argument, the CA signature
[15:59] <rodrigods> which worked
[15:59] <morganfainberg> lbragstad, ping - re the bug you reported about the unpack values
[15:59] <morganfainberg> lbragstad, that's an odd one
[16:00] <marekd> rodrigods: good.
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/137640
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/137778
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Add primary key to the endpoint_group id column.  https://review.openstack.org/137638
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/137639
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Explicit MySQL engine designation.  https://review.openstack.org/138712
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/80630
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Fix index name the assignment.actor_id table.  https://review.openstack.org/137637
[16:01] <openstackgerrit> Ilya Pekelny proposed openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/93558
[16:01] <marekd> rodrigods: did you validate whole assertion?
[16:01] <rodrigods> marekd, yes
[16:02] <rodrigods> marekd, maybe... does xmlsec have its own path to store certificates?
[16:03] <rodrigods> morganfainberg, following or already multithreading with other stuff?
[16:03] <marekd> rodrigods: i don't know but i don't think so at the same moment.
[16:03] <morganfainberg> rodrigods, i'm reading the discussion
[16:04] <morganfainberg> rodrigods, but mostly just watching atm.
[16:04] <marekd> morganfainberg: anything else regarding that matter? Well, my plan is to get back to it, and it get higher and higher priority
[16:04] <marekd> almost at the top starting from tmrw.
[16:04] <morganfainberg> marekd, you've covered pretty much everything i needed to know
[16:04] <amakarov> morganfainberg, greetings! Am I correct in my understanding: if create_trust gets allow_redelegation=False it just wipes redelegation_count out from the stored trust?
[16:04] <marekd> morganfainberg: lol, that was quick :P
[16:05] <marekd> a magic word: soap wrap :P
[16:05] <morganfainberg> marekd, hehe i figured i was missing some bit.
[16:05] <morganfainberg> amakarov, setting allow_redelegation=False would just set redelegation_count to 0
[16:05] <marekd> morganfainberg: staying with K2K i am not sure sure how to proceed with K2K Service Providers objects.
[16:06] <morganfainberg> basically, any case we don't allow redelegation, we set that value.
[16:06] <morganfainberg> marekd, from the service catalog perspective?
[16:06] <amakarov> morganfainberg, well, but in this case redelegation_count=0 will be present in returned trust while you want to minimize data size. Besides we don't need that count anymore
[16:06] <marekd> morganfainberg: namely this: https://review.openstack.org/#/c/135604/ i am not sure we should make a framework workable with different protocols, like saml2, oidc and so on
[16:07] <morganfainberg> amakarov, well i guess we could remove the value?
[16:07] <marekd> morganfainberg: if so, we may need to combine it 'protocol' objects
[16:07] <amakarov> morganfainberg, ++
[16:07] <morganfainberg> marekd, hrm.
[16:07] <marekd> morganfainberg: oh yes, it gave me a lot of 'hrm'...
[16:08] <marekd> morganfainberg: it's even worse :-)
[16:09] <morganfainberg> marekd, ok let me re-read this spec
[16:09] <ayoung> marekd, morganfainberg so I've been talking with some of the other devs here about SAML providers.  Here is what we are planning on doing for RDO etc:
[16:09] <ayoung> the SAML Discovery page will be in Ipsilon
[16:09] <marekd> ayoung: its another topic, right?
[16:09] <marekd> ayoung: ipsilon is a IdP, right?
[16:09] <morganfainberg> ayoung, i think that is related but not the same thing.
[16:09] <ayoung> no real UI in Keystone, which I think is in keeping with the general desire to keep UI out of Keystone
[16:10] <ayoung> ah...hadn't read up
[16:10] <ayoung> new topic
[16:10] <marekd> ayoung: ipsilon is a IdP, correct?
[16:10] <ayoung> yes, Ipsilon is sort of IdP
ayoungmore like IdP gateway, but from our perspective, yes, IdP16:11
marekdayoung: fair enough.16:11
ayoungbut it will also do the multiplexing for other IdPs16:11
marekdayoung: it's like adfs does today.16:11
ayoungit will be required to talk to Keystone, but also others16:11
ayoungyes, just like ADFS16:11
ayoungthink of it as the FOSS equivalent, like we are trying to make FreeIPA for AD16:11
morganfainbergmarekd, oh slightly related got a microsoft contact to talk about ADFS 3rd party CI. [slightly related]16:12
marekdmorganfainberg: ayoung: rodrigods : lol, 5 parallel topics at the same time...16:12
ayoungSo the goal is that Ipsilon should work not just for Keystone and the undercloud, but also as the portal for the end users16:12
morganfainbergmarekd, yeah sorry16:12
ayoungHeh...I can wait16:12
marekdmorganfainberg: got my email about MS PoC?16:12
morganfainbergmarekd, yeah16:12
morganfainbergmarekd, i did. i meant to reply - but got caught up in travel etc.16:13
morganfainbergmarekd, so re-reading this spec first.16:13
marekdmorganfainberg: if you need help please reply, if not, please reply with short 'thanks, no need' :-)16:13
morganfainbergmarekd, absolutely will be replying this week [today/tomorrow]16:14
marekdayoung: let's get back in 10 mins, wanted to finish the SP objects convo now, i don't switch context that fast :-)16:14
marekdmorganfainberg: so, the thing even with idps is as follows16:14
marekdif you have a federation where you need to configure (means add via identity api ) say 500 IdPs16:15
marekdyou need to make up 500 names for each of them, right?16:15
marekdnormally, with classic IdP you would simply add a Metadata configured by a trusted SP16:15
morganfainbergwhich seems wrong16:15
*** agireud has joined #openstack-keystone16:15
marekdwell, cumbersome and super tedious.16:15
morganfainbergawful UX16:16
marekdthe same thing was with SPs16:16
marekdwe can now: keep the APIs consistent and carry on with not the best approach b) split the APIs and let users configure SPs by adding SAML metadatas16:17
marekdbut i am opting for option a16:17
marekdwhy, you ask16:17
morganfainbergwas actually going to ask why ;)16:17
marekdi simply don't want to start making Keystone a first-class IdP16:17
morganfainbergthat is fair enough16:17
morganfainbergit's a proxy IDP basically16:17
marekdif we had more people16:17
morganfainbergin k2k, and otherwise only a SP16:17
marekdmorganfainberg: this would mean building full set of capabilities that saml2 idp today has16:18
marekdwe would need to implement whole saml2 stack16:18
morganfainbergfair enough16:19
morganfainbergthe issue i see here is that from the service-provider use-case (e.g. i'm HP providing a public cloud)16:19
morganfainbergneeding a unique name might become hard if we had tons and tons and tons of IDPs16:20
*** david-lyle has quit IRC16:20
marekdmorganfainberg: those names are simply entityId which turns to be URLs16:20
marekdin a standard federations.16:20
marekdwe could try to replace ids with uuids (just for PKs in a DB) and try to identify by entityId16:21
marekdand this would make things easier.16:22
morganfainbergi think that might become much better16:22
morganfainbergi was mulling over the implications16:22
marekdbut it means changing the API.16:22
marekdincluding the calls16:22
morganfainbergwhich is problematic for the standard federation consumption16:22
morganfainbergif we're changing apis16:23
morganfainbergi'm concerned we break compatibility on stable apis16:23
marekdwe would need to build new api, put the old one in a deprecated mode and for 1 or 2 cycles handle both.16:24
morganfainbergok i am behind that change then16:24
marekdwhere new api uses uuid as a ID and old uses idp_name as an ID16:24
marekdmakes sense?16:24
marekdallrighty. i was  going to push another spec for changing idp api either way, but need to talk with marco fargeta from an italian institute either way.16:25
marekdnext thing.16:25
marekdservice providers for K2K again. so we needed to build some login to issue saml assertions16:25
morganfainbergmarekd, thanks for helping and driving the backend on this16:25
morganfainbergi really really appreciate it.16:25
marekdmorganfainberg: sure :-) that's why i am here :-)16:25
morganfainbergmarekd, :)16:25
*** agireud has quit IRC16:25
morganfainbergmarekd, but just wanting to be clear how much i appreciate it16:26
marekdmorganfainberg: great to hear that :-)16:26
ayoungsamuelms-away, I think revision 16 is closer to what we need.16:26
*** samuelms-away is now known as samuelms16:26
marekdmorganfainberg: so, k2k and making keystone understand saml, even in a limited way was some effort, not a matter of building a framework and configuration. But i don't know if we want to make it ready for other federation protocols, like open id connect?16:27
marekdso we are ready for k2k with oidc ?16:27
morganfainbergi don't think we need k2k to be oidc?16:27
morganfainbergi'm perfectly happy to say k2k is saml and thats it16:28
morganfainbergsince we're issuing the assertion and we control end-to-end16:28
marekdcause if we do....we must be able to distinguish what protocol should be used for which trusted SP, right?16:28
morganfainbergif that makes it/keeps it simpler16:28
morganfainbergmarekd, right. which is part of why i don't see the value16:28
marekdmorganfainberg: ok, understand.16:28
morganfainbergis there a concern with only using saml2?16:28
morganfainbergor a big win to using oidc for k2k vs saml2?16:29
marekdmorganfainberg: the only win is that somebody can federate their cloud with SP talking Saml2,Oidc etc instead of saml2 only.16:29
marekdi am not in a position to talk which protocol is better or more secure...i think both are good.16:30
morganfainbergmarekd, this sounds like utilizing keystone as a general idp-proxy16:30
morganfainbergand for non-k2k16:30
marekdmorganfainberg: that's my concern too...i want to make something usable and extendable, but i don't want to endup building something like : idp for every possible protocol that exists, and probably screw this up :-)16:31
samuelmsayoung, hi, makes sense ... we changed like that to be compatible with already deployed clouds16:31
morganfainbergmarekd, lets start with saying we do SAML2 and thats it16:31
morganfainbergmarekd, it's our standard16:31
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154116:31
ayoungsamuelms, a good rule of thumb:  avoid "or" in the api rules16:31
samuelmsayoung, I think we'll need to write a script for migrating db16:31
marekdmorganfainberg: ok.16:31
morganfainbergif someone *really* wants oidc, we can get a spec / discussion on why and what the use-case is. Let's keep this to "do one thing and do it really well"16:32
ayoungsamuelms, maybe...one thing at a time16:32
marekdmorganfainberg: makes thing much much easier :-)16:32
ayoungsamuelms, I'm going to clean up revision 16 as I think it should look16:32
samuelmsayoung, great!16:32
marekdmorganfainberg: so you basically cleaned off my "concerns list" :-)16:32
morganfainbergmarekd, happy to help!16:32
marekdmorganfainberg: thanks.16:32
morganfainbergmarekd, this is why i wanted to make sure i got to sync up with you on this stuff. figured we could solve stuff.16:33
*** shakamunyi has quit IRC16:33
marekdmorganfainberg: i am likely to be forced to skip todays meeting but should be back in ~4hours, ayoung can we talk then?16:33
morganfainbergmarekd, we're not holding the meeting today [i should send an email]16:33
ayoungmarekd, sure16:33
*** k4n0 has quit IRC16:34
marekdmorganfainberg: oh, so i am not missing anything :-) great.16:34
ayoungmorganfainberg, why not?16:34
morganfainbergmy schedule since i'm in Austin talking w/ the folks @ the foundation made it hard to be sure i'm available16:34
morganfainbergbasically: review code16:34
ayoungmorganfainberg, who says we need you?16:34
morganfainbergwas the result from last meeting16:34
morganfainbergayoung, i offered to let someone run it16:34
ayoungI must have missed that16:34
samuelmsayoung, then you'll submit a new patchset, right?16:34
ayoungsamuelms, yes16:34
morganfainbergayoung, you guys are welcome to run the meeting16:34
marekdmorganfainberg: children, no new topics today, instead focus on reviews from 18.00 utc to 19.0016:34
morganfainbergayoung, i'm fine with that16:34
samuelmsayoung, perfect! looking forward to see it16:34
ayoungmorganfainberg, s'alright16:34
samuelmsafaranha, ^16:34
afaranhaayoung, nice :) Thank you16:35
ayoung morganfainberg I'll lurk, and lead a discussion if others want to.16:35
morganfainbergayoung, i just asked someone to run the meeting this week, and i think we all said "great lets do code-review"16:35
ayoungmorganfainberg, NP, and really, if you are there, I'd rather not hold the serious discussions right now anyway16:36
*** gokrokve has quit IRC16:36
morganfainbergayoung, hackathon/mid-cycle details updated16:37
morganfainbergayoung, btw16:37
morganfainbergif you didn't see the email16:37
ayoungcool, I'm going to push for approval to fly today16:37
* morganfainberg can't book for another day or so 16:38
morganfainbergjust waiting to see if i am needed in the bay the day after the midcycle16:38
dstaneki was thinking of flying out Sun the 18th and flying back Thurs the 22nd16:40
ayoungI'll probably fly back night of the 21st16:41
morganfainbergyeah i'm probably going to have to leave on the 21st16:42
ayoungdepending on flight availability16:42
morganfainbergbtw: make sure to book hotels and such early16:42
ayoungmorganfainberg, I don't see an email...what did you title it?16:42
morganfainbergit was a reply to the original one16:42
morganfainbergon dev mailing list16:42
ayoungRe: [openstack-dev] [Keystone] Mid-Cycle Meetup Dates/Time/Location16:42
ayounggot it16:42
dstanekthat's what i'm trying to find out now16:42
morganfainbergmostly i did what dolph did the previous times, just updated the blog post and the wiki page(s)16:43
dstanekusually flight back to cle are in the late afternoon and i'd have to leave by 116:43
*** ayoung has left #openstack-keystone16:44
*** ayoung has joined #openstack-keystone16:44
*** ChanServ sets mode: +v ayoung16:44
*** gyee has joined #openstack-keystone16:47
*** ChanServ sets mode: +v gyee16:47
*** shakamunyi has joined #openstack-keystone16:47
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Policy enforcement library  https://review.openstack.org/13348016:48
rodrigodsayoung, ^16:48
ayoungrodrigods, ah...16:54
ayoungso I wrote a spec for oslo, too16:54
rodrigodsayoung, I saw it16:54
ayoungI'll take another look at this16:54
rodrigodsayoung, since you added this another spec, I've made this one more focused in the keystoneclient part16:55
ayoungrodrigods, but I think we need to set up the policy library, and then move most of the guts of this spec to that.16:55
rodrigodsayoung, in a github rep?16:55
ayoungand some of it needs to be in middleware16:55
ayoungrodrigods, I think it will break down like this:16:55
ayoungthe os-policy library will have  the generic rules engine, plus the cache abstraction in it16:56
rodrigodsthe middleware part still is a bit obscure to me16:56
ayoungmiddleware will then have the code to call the rules engine, and know that the cache is supposed to be backed by filesystem or memcache16:56
*** samuelms_ has quit IRC16:56
ayoungkeystoneclient will be pulled into the cache to fetch the policy file,  but I don't think the cache should live *in* client16:57
ayoungbut...maybe it should16:57
rodrigodsI thought the service would call kc directly16:58
*** lhcheng_ has quit IRC16:58
rodrigodslike from kc import policy_enforcer16:58
rodrigodspolicy_enforcer.enforce( ... )16:58
rodrigodsinside the "protected" method16:58
ayoungrodrigods, that was my initial thought, too.16:58
ayoungBut the need to manage the cache kindof munges that16:58
ayoungand the thing that is most like that now is the certs for PKI tokens16:59
ayoungrevocation list, too16:59
rodrigodsayoung, hmm16:59
rodrigodsso we need a spec to define a cache layer in the middleware as well?16:59
ayoungso we should have a single cache abstraction for those16:59
rodrigodslots of dependencies16:59
ayounglots of details17:00
ayoungwe are just doing the due diligence to get it right17:00
rodrigodsayoung, ++17:00
morganfainbergayoung, rodrigods, policy lib name thought "Themis": http://www.greek-gods.org/titans/themis.php17:00
ayoungmorganfainberg, howabout openstack-policy instead?17:00
morganfainbergayoung, i don't think that is going to work17:01
morganfainbergjust a hunch17:01
morganfainbergnotice no libraries are named "openstack-<thing>"17:01
ayoungthis is stupid17:01
rodrigodsI like those kind of names morganfainberg17:01
morganfainbergi think this is a branding issue17:01
ayoungit is a part of the openstack set of applications17:01
morganfainbergthere is a reason oslo exists instead of calling all of those libraries openstack-<thing>17:02
ayoungmaking it impossible to sensibly name things due to the needs to deconflict between the global namespace of python packages and the openstack unwillingness to let us use its name is kindof make-worky to me17:02
ayoungso call it oslo17:02
ayoungoslo-policy, managed by the identity team is fine17:02
ayounghell, we can leave anyone from oslo-core on it that feels strongly enough17:03
morganfainbergi just confirmed with the foundation folks we can't name anything openstack-<thing> for now17:03
ayoungI don't want to "hide" it17:03
ayoungthemis, while clever, does not describe it17:03
morganfainbergayoung, the point is if it's under our program we can't make it oslo17:03
rodrigodsnova described nova?17:03
ayoungkeystone-policy then17:04
rodrigodskeystone-policy is too "keystone"17:04
morganfainbergand i'm against namespacing it keystone17:04
ayoungif it has to be named by our team, let us use our code name17:04
morganfainbergif this is the sticking point i'll just pick a name and we'll add it to the wiki and call it that.17:05
morganfainbergbut i *dont* want it named keystone, and it can't be oslo under our program17:05
ayoungWhy not Keystone?17:05
morganfainbergayoung, because it isn't keystone specific17:05
*** ajayaa has joined #openstack-keystone17:05
morganfainbergyou don't need keystone to work with it17:05
ayoungKeystone isn't anything17:05
*** afazekas has quit IRC17:05
rodrigodsmorganfainberg, ayoung https://etherpad.openstack.org/p/policy-library-name you just forgot about this :(17:05
ayoungit is a code name for our team17:05
morganfainbergkeystone is also a project17:06
morganfainbergin itself17:06
dstanekmorganfainberg: springer?17:06
morganfainbergdstanek lol17:06
dstanekmorganfainberg: my names are always from wikipedia http://en.wikipedia.org/wiki/Keystone_%28architecture%2917:07
morganfainbergdstanek, ++17:07
dstanekayoung: +1 it would excite and severely disappoint java guys!17:07
ayoungPolicy is integral to keystone. The fact that keystone-policy  can be used stand alone is just an artifact of good design.17:08
*** KanagarajM has quit IRC17:08
rodrigodsnaming keystone-policy, sounds like we could have nova-policy17:08
*** _cjones_ has joined #openstack-keystone17:09
morganfainbergayoung, i'm punting this back to oslo land17:10
ayoungrodrigods, if the nova team wanted to have their own policy library, they could17:11
morganfainbergthis will be oslo_policy17:11
dstanekrodrigods: i agree...i would actually expect to see {{project}}-policy packages17:12
morganfainbergdstanek, i expect if it wasn't a general use case over all of openstack already it would be setup like that17:12
rodrigodsmorganfainberg, I think having it in oslo could confuse developers because the enforcement handling will be mostly in keystoneclient/middleware17:14
rodrigodsayoung, ^17:14
ayoungrodrigods, no17:14
ayoungrodrigods, oslo means "openstack common"17:14
ayoungits a generic namespace17:14
ayoungand this is a library17:14
ayoungthe part that is keystone specific only will be in keystone code17:14
*** avozza is now known as zz_avozza17:15
ayoungthe policy.py file and anything we expand it with will be oslo-policy17:15
rodrigodsayoung, thought the idea was to remove duplicates from everywhere17:15
rodrigodsand having them using our enforcement part17:15
ayoungrodrigods, GAH!17:15
ayoungrodrigods, all we are talking about is the name of the promoted library17:16
rodrigodsayoung, ahh17:16
ayoungwhich will replace the synced-from-incubator code17:16
rodrigodsforget ^17:16
dstanekanyone remember how late we ended on the last day for the last mid-cycle17:18
morganfainbergdstanek, 5ish17:19
morganfainbergbut it was a friday and they kicked us out17:19
morganfainbergor 6ish17:19
morganfainbergayoung, email sent to dev-list with ${reasons:-0} to keep it in oslo17:19
dstanekalrighty - i'll just leave thurs in the afternoon just in case17:20
*** lhcheng has joined #openstack-keystone17:21
rodrigodsayoung, back to middleware/client discussion?17:22
ayoungrodrigods, sure17:23
*** hugokuo has quit IRC17:23
morganfainbergayoung, http://lists.openstack.org/pipermail/openstack-dev/2014-December/052574.html17:23
*** charz has quit IRC17:23
ayoungmorganfainberg, ++17:24
morganfainbergayoung, if you don't mind +1 that i'd appreciate it if you agree17:24
ayoungmorganfainberg, wilco17:24
rodrigodsayoung, so we have this cache layer, that should be in middleware17:24
rodrigodsand we have the oslo_policy and the enforcement handler17:25
rodrigodsthe former in keystoneclient?17:25
morganfainbergrodrigods, to start we're going to graduate the policy lib as-is.17:25
morganfainbergwell perhaps as-is with minor fixes17:25
*** gokrokve has joined #openstack-keystone17:25
morganfainbergand get a release so it's drop in replacement17:25
morganfainbergwe can then scrub it from incubator17:25
rodrigodsmorganfainberg, need a github rep for it?17:26
morganfainbergrodrigods, we will need to follow the oslo graduation steps (and maintain history)17:26
*** marcoemorais has joined #openstack-keystone17:26
morganfainbergrodrigods, part of that will be pushing the new lib to github so infra can source it in.17:26
morganfainbergrodrigods, https://wiki.openstack.org/wiki/Oslo/CreatingANewLibrary#Graduating_a_Library_from_the_Incubator17:27
rodrigodsmorganfainberg, great, seems the first steps are yours :)17:27
morganfainbergrodrigods, email has been sent. we're going to give it a day or so to settle and then update spec.17:27
morganfainbergor update spec later today17:27
morganfainbergand start the process17:27
rodrigodsmorganfainberg, ok, thank you :)17:28
rodrigodsI can help ayoung to take care of the spec as well (as I'm doing with the keystoneclient part)17:29
ayoungrodrigods, updating the oslo spec now17:29
rodrigodsayoung, ++17:30
ayoungmorganfainberg, so what do we namespace policy.py with in this case?17:30
ayoungfrom oslo_policy import policy?17:30
*** charz has joined #openstack-keystone17:31
*** hugokuo has joined #openstack-keystone17:34
ayoungrodrigods, if you want to go through the steps to clone the repo, please do so17:34
rodrigodsayoung, ok, doing17:35
*** ayoung is now known as ayoung-lunch17:35
rodrigodsayoung, oslo_policy right? (the example is oslo.i18n)17:35
rodrigodsmorganfainberg, ^17:36
morganfainbergmarekd, sent a reply for ADFS17:40
morganfainbergmarekd, email that is17:40
lbragstadmorganfainberg: yeah, it was weird. I didn't find it until bknudson said something17:40
morganfainberglbragstad, but that latest change shouldn't have caused it.17:41
lbragstadand i was able to recreate it17:41
openstackgerritAlexander Makarov proposed openstack/keystone: Trust redelegation  https://review.openstack.org/12689717:41
morganfainbergsince the unpack is in wsgi?17:41
lbragstadI don't think it was that change.17:41
morganfainbergi think this might have been lingering for a bit17:41
lbragstadI just recorded that in the bug report for reference17:41
morganfainbergrodrigods, use oslo_policy17:42
morganfainbergrodrigods, we're trying to get away from the dot-namespace in oslo (oslo.<thing> causes issues in develop / other install modes for python libs)17:42
*** stevemar has joined #openstack-keystone17:42
*** ChanServ sets mode: +v stevemar17:42
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154117:43
rodrigodsrodrigods, cool17:44
rodrigodsmorganfainberg, cool17:44
bknudsonlbragstad: I tried running some tests by themselves (catalog) and no log in that case... so I don't know where it's coming from17:44
bknudsongoing back through commits should find it, but it's going to take a while if there's no way to narrow down what test it is.17:45
lbragstadbknudson: yeah, exactly.. that's the tricky part17:46
lbragstadis everyone still planning on reviewing specs during the meeting?17:48
openstackgerritMerged openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/13803517:49
morganfainberglbragstad, that was the thought iirc17:50
morganfainberglbragstad, also K1 is next week17:51
morganfainbergwe have an outstanding BP or two that need code review17:51
amakarovmorganfainberg, I've made discussed changes to both spec and code. For now I leave allow_redelegation=False in the trust to explicitly state that the chain is terminated. Is it correct? I don't want to remove it because Heat folks (especially Steven Hardy) want allow redelegation by default in the future :) I've managed to convince them that we don't want it enabled in a new feature, but I think it is a thing to remember.17:51
morganfainbergamakarov, thanks17:52
lbragstadmorganfainberg: sounds good17:52
lbragstadmorganfainberg: is dolphm's gist still being used for those kinds of reviews?17:52
morganfainberglbragstad, i believe so17:52
morganfainberglbragstad, i haven't starred all the things though17:52
*** gokrokve has quit IRC17:52
morganfainbergamakarov, hm.17:53
lbragstadmorganfainberg: looking pretty full https://gist.github.com/dolph/651c6a1748f69637abd017:53
morganfainbergamakarov, i don't think we need "allow_redelgation" anywhere17:53
morganfainberglbragstad, yeah17:53
*** gokrokve has joined #openstack-keystone17:53
morganfainbergamakarov, except in the creation request17:53
morganfainbergamakarov, the default behavior could be setting the max_depth to 0 (to disable) in the trust17:54
morganfainbergamakarov, i don't see a need for more than one way to reference "can I redelegate"17:55
morganfainberghaving to check 2 values seems silly17:55
morganfainbergamakarov, i think is my point overall.17:56
i159ayoung: Hi! please see my updates on https://review.openstack.org/#/c/138712/.17:57
amakarovmorganfainberg, so what do we do to redelegation_count field?17:57
morganfainbergamakarov, sorry max_depth = redelegation_count17:58
morganfainbergamakarov, but when we disable redelegation for any reason we just set that to 017:58
*** david-lyle_afk is now known as david-lyle17:58
morganfainbergamakarov, that way it avoids needing to check trust['allow_redelegation'] and trust['redelegation_count']17:59
amakarovmorganfainberg, set it to 0 and return; set to 0, store and NOT return; remove completely ?17:59
morganfainbergamakarov, that sounds like the best plan to me.17:59
*** packet has joined #openstack-keystone17:59
morganfainbergamakarov, set to 017:59
morganfainbergand store it17:59
morganfainbergdo we *need* a field called allow_redelegation if we have redelegation_count?18:00
morganfainbergthe way i see it is we always check redelegation_count18:00
morganfainbergif redelegation_count is 0, we either hit the end of the chain or we disallowed redelegation18:00
stevemarno meeting this week?18:01
morganfainbergif there is a real reason to have a second field, i'm open to it, but my concern is that we don't need it18:01
amakarovmorganfainberg, there was a discussion in the spec18:01
morganfainbergstevemar, until just now i was supposed to be in a meeting right now and based on last week no one wanted to run it so "review specs"18:01
stevemarmorganfainberg, right, fair enough18:01
morganfainbergstevemar, and blocking code (for k1)18:02
morganfainbergamakarov, i don't see the spec stating "allow_redelegation" is needed from a store standpoint18:03
samuelmsmorganfainberg, dont we have keystone meeting starting in few seconds? :-)18:03
morganfainbergsamuelms, ^ last week no one wanted to run the meeting and until ~5mins ago i was supposed to be in a meeting.18:04
amakarovmorganfainberg, allow_redelegation seems a convenience flag to me, I've asked Steve about it and he said community demands it :)18:04
morganfainbergsamuelms, we can have the meeting - but the general consensus was "review specs / code"18:04
morganfainbergamakarov, right, from an API perspective18:04
morganfainbergamakarov, i don't see a benefit for using it in the data store.18:04
morganfainbergamakarov, or in validating trust can redelegate18:04
samuelmsmorganfainberg, ok. I've added a point on there18:05
raildomorganfainberg, I created the reseller spec :) https://review.openstack.org/#/c/139824/18:05
samuelmsmorganfainberg, we'd like to discuss about our proposal for the cloud policy file18:05
morganfainbergsamuelms, i am trying to find out if i'm being pulled off to a meeting18:05
samuelmsmorganfainberg, in which we split global admin role18:05
samuelmsmorganfainberg, ok18:05
morganfainbergsamuelms, i think we're going to keep with the no meeting today - since i might be pulled out any moment18:06
openstackgerritgordon chung proposed openstack/pycadf: deprecate audit middleware  https://review.openstack.org/13838618:06
samuelmsmorganfainberg, ok then. I'll ping some people to get some reviews up there18:06
morganfainbergsamuelms, ack18:07
samuelmsmorganfainberg, https://review.openstack.org/#/c/135408/11/specs/kilo/modify-policy.rst18:07
samuelmsmorganfainberg, would be glad to have your opinion :D18:07
amakarovmorganfainberg, aha... so you want allow_redelegate to be a request parameter - not a trust field, right? One can specify it in a request, but it is not stored in a trust?18:07
*** i159 has quit IRC18:07
morganfainbergamakarov, yes it would be a parameter in the request, a short-hand to set redelegate_count to 018:08
anteayayou aren't meeting today?18:08
amakarovmorganfainberg, got it! thanks :)18:08
topolmorganfainberg, https://www.morganfainberg.com/blog/2014/11/18/keystone-hackathon-kilo/ doesnt appear to work for me18:08
morganfainbergtopol, in what way?18:09
*** jamielennox|away is now known as jamielennox18:09
topolmorganfainberg: The server rejected the handshake because the client downgraded to a lower TLS version than the server supports.18:09
morganfainberganteaya, based on last week's meeting and that I'm in Austin (and supposed to be in a meeting) - no. no one wanted to run the meeting when i asked18:09
morganfainbergtopol, cloudflare issue?18:09
morganfainbergtopol, try again?18:09
morganfainbergit works for me.18:09
topolI think my firefox is up to date18:09
anteayamorganfainberg: okay thanks, just doing a sanity check18:10
morganfainberganteaya, will send email really quick18:10
topolmorganfainberg, same error:18:10
topol(Error code: ssl_error_inappropriate_fallback_alert)18:10
openstackgerritgordon chung proposed openstack/pycadf: sync oslo  https://review.openstack.org/13838118:11
morganfainbergtopol, your browser is weird18:11
morganfainbergjust confirmed it with a couple people here18:11
openstackgerritgordon chung proposed openstack/pycadf: sync oslo  https://review.openstack.org/13838118:11
jamielennoxmorganfainberg: meeting?18:11
topolmorganfainberg, yes its weird. It does work from my phone18:12
dstanekwhen is the spec approval deadline?18:13
morganfainbergdstanek, k218:13
morganfainberganteaya, email sent18:14
anteayaif only for my benefit18:14
dstanekmorganfainberg: that's when the specs have to be merged or the implementations?18:14
morganfainberganteaya, /me is in Austin meeting with the foundation today this week.18:14
morganfainbergdstanek, specs merged18:14
dstanekmorganfainberg:  oh, ok :-) thanks18:15
jamielennoxhmm, /me is going back to bed18:15
samuelmslbragstad, thanks for your review on that policy spec18:15
morganfainbergdstanek, yeah, any thing that is past the k2 deadline - we will likely need some level of POC/implementation to accept a spec-approval deadline exception18:15
lbragstadsamuelms: no problem,18:15
lbragstadsamuelms: it's mostly questions18:16
morganfainbergsamuelms, once i'm done with this meeting i'm jumping into, i'll be looking at specs/reviews/etc18:16
*** jamielennox is now known as jamielennox|away18:16
samuelmsmorganfainberg, fair enough :-)18:16
samuelmslbragstad, cool. In fact afaranha is the person who is managing patches, etc18:17
samuelmslbragstad, I'm just helping him to have reviews on that18:17
lbragstadsamuelms: cool!18:17
samuelmslbragstad, and then decide if we keep putting efforts or stop wasting them18:18
samuelmslbragstad, if keystone really want that.. we'll speed up to have that spec approved asap18:18
dstaneklbragstad: we're basically in a holding pattern for the XML stuff right?18:18
lbragstaddstanek: yes... it's all pretty much on this guy: https://review.openstack.org/#/c/139051/18:18
lbragstadbecause grenade uses old configs on new upgrades of a project18:19
lbragstadso the old keystone paste files contain the xml middleware stuff.18:19
lbragstadso we have to provide a migration, or keep the xmlBodyMiddleware in middleware/core.py18:19
lbragstadonce that goes in, I can rerun https://review.openstack.org/#/c/125738/18:20
lbragstadand then I can rerun https://review.openstack.org/#/c/132122/18:20
lbragstad... it's a deep and dark rabbit hole18:21
openstackgerritDavid Stanek proposed openstack/keystone: Adds a wip decorator for tests  https://review.openstack.org/13151618:23
*** radez is now known as radez_g0n318:24
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154118:24
dstaneklbragstad: sounds like fun18:24
lbragstaddstanek: tons!18:24
lbragstaddstanek: but I think this is the last layer of the onion and we should be done with XML in Keystone18:25
*** ajayaa has quit IRC18:25
*** amakarov is now known as amakarov_away18:25
bknudsonlbragstad: the old config needs to work otherwise upgrades won't work.18:27
lbragstadbknudson: the old config will work18:27
bknudsonkeep the xmlbodymiddleware18:27
lbragstadbknudson: the script will only run on upgrade18:27
lbragstadwe will have references to XMLBodyMiddleware that don't exist or do anything, it would be like a glorified deprecation message.18:29
*** harlowja_away is now known as harlowja18:30
openstackgerritEndre Karlson proposed openstack/python-keystoneclient: Allow to allow for other then STABLE api version  https://review.openstack.org/13015918:30
ekarlso-can I get some eyes on ^?18:30
*** dims has quit IRC18:31
*** r-daneel has joined #openstack-keystone18:35
*** diegows has quit IRC18:38
*** shakamunyi has quit IRC18:39
afaranhalbragstad, I answered your questions on the patch, could you read it? If you have any question you can ask me18:39
*** saipandi has joined #openstack-keystone18:44
*** jistr has quit IRC18:49
lbragstadafaranha: sounds good, thanks for the quick turnaround18:51
*** diegows has joined #openstack-keystone18:55
*** diegows has quit IRC18:57
dstanekbknudson: morganfainberg: i'm happy with https://review.openstack.org/#/c/131007/ and i'm going to abandon my review18:58
*** saipandi has quit IRC19:00
dstanekstevemar: should you just abandon https://review.openstack.org/#/c/133815/ ?19:01
stevemardstanek, yeah i think so19:02
*** radez_g0n3 is now known as radez19:03
*** ajayaa has joined #openstack-keystone19:07
openstackgerritEndre Karlson proposed openstack/python-keystoneclient: Allow for other then STABLE api version  https://review.openstack.org/13015919:07
openstackgerritgordon chung proposed openstack/pycadf: sync oslo  https://review.openstack.org/13838119:12
*** saipandi has joined #openstack-keystone19:13
*** diegows has joined #openstack-keystone19:18
openstackgerritgordon chung proposed openstack/pycadf: sync oslo  https://review.openstack.org/13838119:18
*** aix has quit IRC19:20
*** ajayaa has quit IRC19:30
*** ajayaa has joined #openstack-keystone19:31
openstackgerritgordon chung proposed openstack/pycadf: deprecate audit middleware  https://review.openstack.org/13838619:32
*** ajayaa has quit IRC19:33
openstackgerritJorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers  https://review.openstack.org/14017519:34
*** marcoemorais has quit IRC19:39
*** marcoemorais has joined #openstack-keystone19:40
*** marcoemorais has quit IRC19:40
*** marcoemorais has joined #openstack-keystone19:41
*** marcoemorais has quit IRC19:41
*** marcoemorais has joined #openstack-keystone19:41
*** samuelms_ has joined #openstack-keystone19:46
openstackgerritAndre Aranha proposed openstack/keystone-specs: Modify the policy file  https://review.openstack.org/13540819:51
*** marcoemorais has quit IRC19:52
*** marcoemorais has joined #openstack-keystone19:52
openstackgerritDavid Stanek proposed openstack/keystone-specs: Adds a spec for fixing Keystone's DI  https://review.openstack.org/13593119:54
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: WIP - Add openid connect client support  https://review.openstack.org/13470019:56
*** ayoung-lunch is now known as ayoung20:00
*** gyee has quit IRC20:06
rodrigodsmorganfainberg, ayoung, just created the lib repo (about to send to github), need to ask some questions first20:09
*** saipandi has quit IRC20:10
rodrigodsi'm using openstack.common.lockutils instead of oslo.concurrency.lockutils because I didn't find a way to wrap lockutils in tox.ini without being like that: https://review.openstack.org/#/c/64006/2/run_tests.sh20:10
rodrigodsbesides that, we are using fileutils and _i18n20:10
rodrigodsahh, and log20:11
openstackgerritMerged openstack/python-keystoneclient: Project ID in OAuth headers was missing  https://review.openstack.org/13436420:16
rodrigodsmorganfainberg, ayoung, https://github.com/rodrigods/oslo.policy20:31
ayoungrodrigods, ok20:32
ayoungI don't think we want the lockutils thing longterm20:32
ayoungrodrigods, does it do some sort of monkeypatch?20:33
rodrigodsayoung, monkeypatch?20:34
ayounggoogle it20:34
*** marcoemorais has quit IRC20:34
*** marcoemorais has joined #openstack-keystone20:34
*** marcoemorais has quit IRC20:35
rodrigodsayoung, ahh, AFAIK, it exports some env vars20:36
ayoungthat is it?20:37
*** marcoemorais has joined #openstack-keystone20:41
rodrigodsayoung, so I guess the other graduation steps are with you and morganfainberg, right?20:42
ayoungrodrigods, yes.20:43
ayoungThanks for getting that.  Still, what do we do inside Keystone?  I thought we used concurrency there.20:43
rodrigodsayoung, what do you mean by "inside Keystone"?20:44
ayoungwe don't have to modify run_tests...we don't even use it20:44
rodrigodsayoung, yeah... good question20:45
ayoungmaybe we don't.20:45
rodrigodsayoung, keystone tests don't use lockutils20:45
ayoungyeah, neither does client20:46
ayoungrodrigods, is it used in the library, or just in the tests?20:47
rodrigodsayoung, just in tests20:47
rodrigodsayoung, there is a comment in the setup()20:47
rodrigodsayoung, https://github.com/rodrigods/oslo.policy/blob/master/oslo_policy/tests/test_policy.py#L12120:47
ayoungrodrigods, what happens if you remove that line and run the tests?20:48
rodrigodsayoung, just a sec20:48
rodrigodsayoung, greenbar20:49
ayounglet's leave it off for now.  I think the need for it in our tests is questionable20:49
ayoungalthough, it might be an issue if the tests are run in parallel?  I thought the parallel test runner ran in separate processes, though.20:50
*** dims has joined #openstack-keystone20:51
rodrigodsayoung, by default they are run in parallel right? so I guess not (if the tests passed)20:51
ayoungnot necessarily.  If the tests are run in parallel on a remote machine, but in the same process...20:52
ayoungmorganfainberg, dstanek do you know if that is even a real thing?  Why would the policy tests need a concurrency lock?20:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Add domain roles APIs  https://review.openstack.org/13953120:55
rodrigodsayoung, the commit to remove it is ready here :) let's wait for morganfainberg and dstanek feedback20:56
*** marcoemorais has quit IRC20:57
ayoungrodrigods, heh...patience young Padawan20:57
ekarlso-https://review.openstack.org/#/c/130159/ < ok to get a +X ayoung ?20:58
ayoungekarlso-, +X?20:58
ekarlso-+1/2 ;P20:58
ayoungekarlso-, I'll have to take some time to actually look at it first20:59
*** jamielennox|away is now known as jamielennox20:59
ekarlso-jamielennox: too https://review.openstack.org/#/c/130159/ ;p21:00
*** topol has quit IRC21:01
*** dims has quit IRC21:03
*** dims has joined #openstack-keystone21:03
*** harlowja is now known as harlowja_away21:04
dstanekrodrigods: link?21:06
*** dims has quit IRC21:08
*** henrynash has joined #openstack-keystone21:11
*** ChanServ sets mode: +v henrynash21:11
*** harlowja_away is now known as harlowja21:12
*** marcoemorais has joined #openstack-keystone21:23
*** samuelms_ has quit IRC21:30
*** marcoemorais has quit IRC21:33
*** marcoemorais has joined #openstack-keystone21:33
bknudsonmorganfainberg: I thought we were like the first group to do osprofiler?21:41
morganfainbergbknudson, we did some of it, there is another patch that adds all of this... or it's not in requirements21:41
morganfainbergor something /me has to look at the history21:41
morganfainbergthere is an outstanding patchset on this.21:42
bknudsonmorganfainberg: yes, it's -W21:42
*** samuelms_ has joined #openstack-keystone21:46
jamielennoxhey, i think this one is non-controversial and on the 'needed for release path': https://review.openstack.org/#/c/139512/21:48
rodrigodsdstanek, https://github.com/rodrigods/oslo.policy/blob/master/oslo_policy/tests/test_policy.py#L121 :)21:49
rodrigodshenrynash, saw your review, any feedback about the patch status? +2 ready, etc?21:49
rodrigods(after fix your comments)21:49
dstanekmorganfainberg: bknudson: is that the one where the middleware was being turned on by default?21:50
morganfainbergdstanek, think so21:50
morganfainbergdstanek, i need to hunt through the history for a definitive answer but fairly certain that was / is the one21:50
morganfainbergmy next question is... this is middleware WHY is each project implementing their own option?21:51
morganfainbergbut not sure enough that is what this is about to ask21:51
bknudsonhttps://review.openstack.org/#/c/98836/ ?21:51
bknudsonBoris has a bunch of reviews in my watch list.21:51
morganfainbergbknudson, hm, i dunno if that's the one21:51
morganfainbergnope that isn't it21:52
bknudsonthat's the one I was thinking of because I see it all the time in my list21:52
bknudsonmorganfainberg: dstanek: https://review.openstack.org/#/c/103368/18/keystone/common/config.py21:56
bknudsonit's in merge conflict now21:56
bknudsonhas [profiler] enabled21:57
dstaneki still think having it on by default is bad - then you don't need to bikeshed the enabled option21:58
dstanekthat's effectively proposing all possible middleware is configured in paste as on and then control it with enabled flags22:00
*** joesavak has quit IRC22:00
bknudsonit's off by default22:00
openstackgerritayoung proposed openstack/python-keystoneclient: Honor the inform and outform parameters  https://review.openstack.org/12753322:00
bknudsonauth_token middleware can load its config from the config file so osprofiler could do the same.22:01
dstanekbknudson: only because i had an issue with it being in the pipeline by default, but it seems that other projects have fallen for it22:02
*** harlowja has quit IRC22:02
openstackgerritayoung proposed openstack/python-keystoneclient: Endpoint_policy support for default  https://review.openstack.org/14049122:04
*** zz_avozza is now known as avozza22:07
*** henrynash has quit IRC22:24
*** gordc has quit IRC22:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use newer requests-mock syntax  https://review.openstack.org/13546822:36
*** harlowja has joined #openstack-keystone22:37
openstackgerritDavid Stanek proposed openstack/keystone-specs: Adds a spec for fixing Keystone's DI  https://review.openstack.org/13593122:45
*** philloooo has joined #openstack-keystone22:49
marekdayoung: so, what was that thing with ipsilon?22:49
openstackgerritDavid Stanek proposed openstack/keystone-specs: Adds a spec for fixing Keystone's DI  https://review.openstack.org/13593122:51
ayoungmarekd, I'm in Dad mode right now...22:53
marekdayoung: ah, ok then :-)22:54
* marekd transforming into bed-mode.22:54
*** marekd is now known as marekd|away22:54
*** gokrokve has quit IRC22:58
*** gokrokve has joined #openstack-keystone22:59
*** lhcheng has quit IRC23:02
*** lhcheng_ has joined #openstack-keystone23:02
*** bknudson has quit IRC23:03
*** shakamunyi has joined #openstack-keystone23:04
*** nkinder has quit IRC23:04
*** jamielennox is now known as jamielennox|away23:05
*** mikedillion has joined #openstack-keystone23:16
*** mikedillion has quit IRC23:23
*** jamielennox|away is now known as jamielennox23:24
*** mikedillion has joined #openstack-keystone23:24
*** gyee has joined #openstack-keystone23:33
*** ChanServ sets mode: +v gyee23:33
*** prontotest has joined #openstack-keystone23:34
*** prontotest has left #openstack-keystone23:34
*** lhcheng_ has quit IRC23:36
*** lhcheng has joined #openstack-keystone23:37
*** lhcheng_ has joined #openstack-keystone23:39
*** lhcheng_ has quit IRC23:39
*** shakamunyi has quit IRC23:39
*** lhcheng_ has joined #openstack-keystone23:40
*** lhcheng has quit IRC23:41
*** lhcheng has joined #openstack-keystone23:42
*** dims has joined #openstack-keystone23:43
*** lhcheng_ has quit IRC23:44
*** shakamunyi has joined #openstack-keystone23:45
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Take plugin params from ENV rather than default  https://review.openstack.org/13224023:45
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin  https://review.openstack.org/13857523:51
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make session use the Loadable interface  https://review.openstack.org/13857623:51
*** raildo_ has joined #openstack-keystone23:53
*** shakamunyi has quit IRC23:54
*** harlowja has quit IRC23:56
*** chrisshattuck has quit IRC23:59
