Tuesday, 2014-12-16

*** samuelms_ has joined #openstack-keystone00:00
dstanekgyee: nope, pysaml2 provides a sample IdP - using that as the basis for functional testing00:00
*** zz_avozza is now known as avozza00:00
gyeedstanek, in that, just take a peek at the assertion issued by sample IdP to see what attributes are there00:03
*** avozza is now known as zz_avozza00:10
*** zz_avozza is now known as avozza00:11
*** raildo has joined #openstack-keystone00:11
dstanekgyee: yeah, right now i don't see anything in there so i've been looking through the code to see where it should happen00:20
*** rm_work is now known as rm_work|away00:21
*** david-lyle is now known as david-lyle_afk00:35
morganfainbergdstanek, got a sec?00:35
dstanekmorganfainberg: sure00:35
morganfainbergdstanek, i need someone who can tell me why my understanding of python is wrong00:35
morganfainberghttps://bugs.launchpad.net/keystone/+bug/139847000:35
uvirtbotLaunchpad bug 1398470 in keystone "sql migration helpers incorrectly inspect for FKs" [High,In progress]00:35
morganfainbergwhy does inverting the if-clause change anything00:36
morganfainberghttps://review.openstack.org/#/c/138468/4/keystone/common/sql/migration_helpers.py00:36
morganfainbergam i not seeing a paren somewhere?00:36
morganfainbergsure it might be slightly more work to do the if in x first00:37
morganfainbergbut i'm not seeing why that is a "high" bug00:37
dstanekthe bug is that if fk isn't a ForeignKeyConstraint it may not have a columns attribute to look at00:37
morganfainbergah00:38
morganfainbergsee that is what i was missing00:38
*** dims has joined #openstack-keystone00:38
dstaneknow how in the heck did he catch that?00:38
morganfainbergmust be an edge case for the most part because we really haven't hit that until now00:38
morganfainbergdstanek, i think he's doing something that involves this in the split assignment stuff00:39
*** raildo has quit IRC00:39
dstanekah, that would make sense00:39
dstanekmorganfainberg: yeah, in his bug he mentions that there are other types of constraints00:39
morganfainbergright most constraints though have a column attr00:39
morganfainbergclearly, because we haven't run into this00:40
* morganfainberg is curious what constraint wouldn't have a column associated to it00:40
*** oomichi has joined #openstack-keystone00:41
*** raildo has joined #openstack-keystone00:51
*** raildo has quit IRC00:51
*** avozza is now known as zz_avozza01:06
openstackgerritwanghong proposed openstack/keystone: don't allow user to operate role on disabled proj or domain  https://review.openstack.org/14174601:28
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Fix up types within API documentation  https://review.openstack.org/14169301:30
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Fix up types within API documentation  https://review.openstack.org/14169301:36
*** hdd has quit IRC01:43
*** marcoemorais has joined #openstack-keystone01:53
*** marcoemorais2 has joined #openstack-keystone01:55
*** chrisshattuck has quit IRC01:56
*** marcoemorais1 has quit IRC01:56
*** marcoemorais1 has joined #openstack-keystone01:57
*** marcoemorais has quit IRC01:58
*** marcoemorais3 has joined #openstack-keystone01:58
*** marcoemorais1 has quit IRC01:58
*** chrisshattuck has joined #openstack-keystone01:59
*** marcoemorais2 has quit IRC02:00
*** diegows has quit IRC02:01
*** marcoemorais3 has quit IRC02:02
*** marcoemorais has joined #openstack-keystone02:04
*** diegows has joined #openstack-keystone02:05
*** erkules_ has joined #openstack-keystone02:05
*** dims has quit IRC02:06
*** dims has joined #openstack-keystone02:06
*** marcoemorais has quit IRC02:07
*** erkules has quit IRC02:08
*** gyee has quit IRC02:09
*** dims has quit IRC02:11
*** oomichi has quit IRC02:16
*** diegows has quit IRC02:16
openstackgerritMerged openstack/python-keystoneclient: Document session usage first  https://review.openstack.org/12775502:18
*** zz_avozza is now known as avozza02:27
*** avozza is now known as zz_avozza02:38
openstackgerritwanghong proposed openstack/keystone: Can't update catalog objects when using kvs driver  https://review.openstack.org/13018002:39
*** lhcheng has quit IRC02:41
*** chrisshattuck has quit IRC02:41
*** lhcheng has joined #openstack-keystone02:41
*** lhcheng has quit IRC02:46
*** jaosorior has joined #openstack-keystone02:52
*** lhcheng has joined #openstack-keystone02:57
*** dims has joined #openstack-keystone02:59
*** KanagarajM has joined #openstack-keystone02:59
*** rwsu has quit IRC03:09
*** erkules_ is now known as erkules03:22
openstackgerritayoung proposed openstack/keystone: policy refactoring  https://review.openstack.org/14196903:27
*** zz_avozza is now known as avozza03:30
*** htruta_ has quit IRC03:30
*** zzzeek has quit IRC03:31
*** boris-42 has quit IRC03:33
*** KanagarajM has quit IRC03:33
openstackgerritayoung proposed openstack/keystone: Modify the cloud policy  https://review.openstack.org/14197203:38
openstackgerritayoung proposed openstack/keystone: Modify the cloud policy  https://review.openstack.org/12350903:40
*** avozza is now known as zz_avozza03:40
*** richm1 has quit IRC03:42
*** dims has quit IRC03:49
*** oomichi has joined #openstack-keystone03:53
*** chrisshattuck has joined #openstack-keystone03:54
*** oomichi has quit IRC03:54
*** lhcheng has quit IRC04:03
*** lhcheng has joined #openstack-keystone04:03
openstackgerritwanghong proposed openstack/keystone: move region and service exist checks into manager layer  https://review.openstack.org/14197704:06
*** radez is now known as radez_g0n304:06
*** lhcheng has quit IRC04:08
*** wanghong has quit IRC04:10
*** chrisshattuck has quit IRC04:19
dstanekbknudson: you around?04:21
*** wanghong has joined #openstack-keystone04:23
*** zzzeek has joined #openstack-keystone04:24
*** zzzeek has quit IRC04:30
*** zz_avozza is now known as avozza04:31
stevemardstanek, he is not04:34
dstanekyou IBM guys and your need for sleep04:34
stevemardstanek, whatcha lookin at04:34
stevemaroccasionally we need to recharge, once a week or so04:34
dstaneki had a question about a comment, but realized i wanted to do what he suggested anyway :-)04:34
*** lbragstad has quit IRC04:35
*** vishy has quit IRC04:35
*** jraim_ has quit IRC04:36
*** gus has quit IRC04:36
*** lbragstad has joined #openstack-keystone04:38
*** jraim has joined #openstack-keystone04:38
*** gus has joined #openstack-keystone04:39
*** lhcheng has joined #openstack-keystone04:40
*** vishy has joined #openstack-keystone04:40
*** avozza is now known as zz_avozza04:41
stevemardstanek, marekd rodrigods https://bugs.launchpad.net/keystone/+bug/140291604:42
uvirtbotLaunchpad bug 1402916 in keystone "unable to validate signature from a keystone issued SAML assertion" [Undecided,New]04:42
dstanekstevemar: is that a bug in our code?04:48
stevemari'm not sure, but it needs to be doc'ed anyway, too many ppl asking about it04:50
stevemardstanek, it might be a bug in the way we generate SAML04:50
dstanekstevemar: i was getting a very similar issue from the pysaml2 IdP - are you using pysaml2 to generate the assertion?04:51
*** ayoung has quit IRC04:52
stevemardstanek, that's what keystone uses, so yes04:53
dstanekstevemar: i wonder if it has a flaw - i started tracing the logic into pysaml2 until i got the null security tip04:53
dstanekmaybe it's worth it to keep working through the code04:54
stevemardstanek, well rodrigods mentioned that he thinks it might have to deal with the issuer portion04:54
stevemarand we generate the entire SAML doc, so there might be an error there04:55
*** wanghong has quit IRC05:01
*** hdd has joined #openstack-keystone05:03
dstanekstevemar: i don't even know what that means05:09
*** jacer_huawei has joined #openstack-keystone05:17
*** jacer_huawei has quit IRC05:29
*** hdd has quit IRC05:31
*** zz_avozza is now known as avozza05:32
*** jacer_huawei has joined #openstack-keystone05:32
*** oomichi has joined #openstack-keystone05:38
*** jacer_huawei has quit IRC05:39
*** jacer_huawei has joined #openstack-keystone05:41
*** marcoemorais has joined #openstack-keystone05:41
*** avozza is now known as zz_avozza05:41
*** harlowja is now known as harlowja_away05:42
*** marcoemorais1 has joined #openstack-keystone05:43
*** marcoemorais has quit IRC05:46
*** boris-42 has joined #openstack-keystone05:59
*** oomichi has quit IRC06:02
*** jaosorior has quit IRC06:03
*** ajayaa has joined #openstack-keystone06:05
*** jacer_huawei is now known as wanghong06:10
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/13624306:12
*** wanghong has quit IRC06:16
*** ajayaa has quit IRC06:19
*** ajayaa has joined #openstack-keystone06:26
*** wanghong has joined #openstack-keystone06:28
*** ajayaa has quit IRC06:30
*** ajayaa has joined #openstack-keystone06:32
*** zz_avozza is now known as avozza06:41
*** stevemar has quit IRC06:46
*** ajayaa has quit IRC06:51
*** jamielennox is now known as jamielennox|away07:01
*** ajayaa has joined #openstack-keystone07:04
openstackgerritwanghong proposed openstack/keystone: move region and service exist checks into manager layer  https://review.openstack.org/14197707:08
*** avozza is now known as zz_avozza07:08
*** gvernik has joined #openstack-keystone07:17
*** pcaruana has joined #openstack-keystone07:18
gvernikhi. i am trying to configure keystone. I did git clone http://github.com/openstack/keystone.git and then setup.py install. When i tried to run keystone-all i got ImportError: cannot import name backends. What i missed? I just need keystone for testing, not production07:20
*** marcoemorais1 has left #openstack-keystone07:20
gvernikgreat08:06
*** gvernik has quit IRC08:06
*** zz_avozza is now known as avozza08:09
*** nellysmitt has joined #openstack-keystone08:16
*** rushiagr_away is now known as rushiagr08:21
*** henrynash has joined #openstack-keystone08:24
*** ChanServ sets mode: +v henrynash08:24
*** Krast has joined #openstack-keystone08:42
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini {WIP}  https://review.openstack.org/13412408:45
*** k4n0 has joined #openstack-keystone08:47
*** svasheka has quit IRC08:54
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini {WIP}  https://review.openstack.org/13412408:55
*** ncoghlan has quit IRC09:04
*** andreaf has joined #openstack-keystone09:32
*** nellysmitt has quit IRC09:51
*** Ephur has quit IRC09:54
*** Ephur has joined #openstack-keystone09:55
*** jasondotstar has joined #openstack-keystone10:05
*** ekarlso- has quit IRC10:07
*** ekarlso- has joined #openstack-keystone10:07
*** lufix has joined #openstack-keystone10:10
*** bdossant has joined #openstack-keystone10:15
*** lhcheng_ has joined #openstack-keystone10:21
*** lhcheng has quit IRC10:21
*** andreaf has quit IRC10:21
*** nellysmitt has joined #openstack-keystone10:25
*** avozza is now known as zz_avozza10:29
*** andreaf has joined #openstack-keystone10:53
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Fixes HEAD return code for OS-INHERIT extension  https://review.openstack.org/14206510:55
*** zz_avozza is now known as avozza10:55
*** lhcheng_ has quit IRC10:59
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Self Management of Roles and Domain Scoped Roles  https://review.openstack.org/13872811:00
openstackgerritwanghong proposed openstack/keystone: move region and service exist checks into manager layer  https://review.openstack.org/14197711:05
openstackgerritRodrigo Duarte proposed openstack/keystonemiddleware: Adds Memcached dependencies doc  https://review.openstack.org/13499311:12
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Self Management of Roles and Domain Scoped Roles  https://review.openstack.org/14207211:15
rodrigodsmarekd, left a minor comment in the Service Provider spec, see if you agree11:23
*** diegows has joined #openstack-keystone11:38
openstackgerritwanghong proposed openstack/keystone: invalidate cache when updating catalog objects  https://review.openstack.org/14207911:49
*** jasondotstar is now known as jasondotstar|afk12:01
*** samuelms_ has quit IRC12:03
*** dims has joined #openstack-keystone12:07
*** jraim_ has joined #openstack-keystone12:12
*** dougwig_ has joined #openstack-keystone12:12
*** jraim has quit IRC12:14
*** jraim_ is now known as jraim12:14
*** dougwig has quit IRC12:14
*** diegows has quit IRC12:14
*** dougwig_ is now known as dougwig12:14
chmouelhey guys is there any chances to cut release for keystonemiddleware there is a fix for py34 there that I would love to use12:16
*** arif-ali has quit IRC12:16
chmoueli.e: https://github.com/openstack/keystonemiddleware/commit/6266ed437d454a95bbd002212:16
*** diegows has joined #openstack-keystone12:16
*** EmilienM is now known as EmilienM|afk12:17
*** arif-ali has joined #openstack-keystone12:17
*** tsufiev has quit IRC12:20
*** tsufiev has joined #openstack-keystone12:26
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Trusted Attributes Policy for External Identity Providers  https://review.openstack.org/13869312:31
marekdrodrigods: ok12:33
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Self Management of Roles and Domain Scoped Roles  https://review.openstack.org/14207212:46
*** amakarov_away has quit IRC12:55
*** htruta has quit IRC12:56
*** tellesnobrega has quit IRC12:56
*** dims has quit IRC13:07
*** dims has joined #openstack-keystone13:07
*** tellesnobrega has joined #openstack-keystone13:08
morganfainbergchmouel, plans are to do so this week.13:13
morganfainbergchmouel either today or tomorrow imo.13:14
morganfainbergchmouel, need to check on a couple things but yes.13:14
*** avozza is now known as zz_avozza13:17
*** raildo has joined #openstack-keystone13:26
openstackgerritLance Bragstad proposed openstack/keystone: Expose bug in token revocation for projects  https://review.openstack.org/14209913:27
*** EmilienM|afk is now known as EmilienM13:28
*** aix has joined #openstack-keystone13:31
openstackgerritLance Bragstad proposed openstack/keystone: Rename `removeEvent` to be more pythonic  https://review.openstack.org/14210313:33
*** htruta has joined #openstack-keystone13:37
*** gordc has joined #openstack-keystone13:42
chmouelmorganfainberg: awesome thank you!13:54
morganfainbergchmouel, it might be friday as well (just because i'm not at home)13:56
*** hdd has joined #openstack-keystone13:56
chmouelno worries that can wait for a week more :)13:56
*** lhcheng has joined #openstack-keystone13:59
*** lhcheng has quit IRC14:04
*** richm1 has joined #openstack-keystone14:13
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095414:13
*** Shohei has joined #openstack-keystone14:21
*** HenryG_ has joined #openstack-keystone14:28
*** jimbaker` has joined #openstack-keystone14:28
*** k4n0 has quit IRC14:30
*** Shohei_ has quit IRC14:30
*** uvirtbot has quit IRC14:30
*** HenryG has quit IRC14:30
*** jimbaker has quit IRC14:30
*** jdennis has quit IRC14:30
*** xxj has quit IRC14:30
*** bdossant has quit IRC14:30
*** aix has quit IRC14:31
*** k4n0 has joined #openstack-keystone14:31
*** aix has joined #openstack-keystone14:32
*** jdennis has joined #openstack-keystone14:32
*** xxj has joined #openstack-keystone14:34
gabriel-bezerramarekd, dstanek: what did you change in security-policy.xml for it to work?14:35
marekdgabriel-bezerra: <Policy id="default" validate="false">14:36
marekd        <PolicyRule type="NullSecurity"/>14:36
marekd    </Policy>14:36
gabriel-bezerramarekd: thanks, I'll try that14:39
*** tellesnobrega has quit IRC14:40
*** tellesnobrega has joined #openstack-keystone14:40
gabriel-bezerramarekd: great, I got an "Attempted to authenticate with an unsupported method. (Disable debug mode to suppress these details.)" code="401" title="Unauthorized"14:42
dstanekgabriel-bezerra: marekd: now that it's nice and secure!14:42
gabriel-bezerra:-)14:43
marekddstanek: you mean?14:43
dstanekgabriel-bezerra: i'll be posting a new review today that fixes up the automation with all that i have learned14:43
marekddstanek: did you make it work without that NullSecurity option ?14:44
dstanekmarekd: having a policy rule to not check the signatures isn't ideal14:44
*** lihkin has joined #openstack-keystone14:44
dstanekmarekd: yeah, i have to fix my mapping though14:44
marekddstanek: that's interesting. And what did you do to configure it that way ?14:44
dstanekmarekd: to ignore the signature?14:45
marekdto ignore the signature you add the entry in the security-policy.xml file14:45
marekddstanek: but i understood you made it work with proper signature check and validation14:46
*** uvirtbot has joined #openstack-keystone14:46
marekddstanek: am i right?14:46
dstanekmarekd: not all of the way through - after a short conversation with stevemar last night i'm going to see if i can find out what was wrong with the signature14:46
rodrigodsdstanek, did you see my email?14:47
rodrigodsdstanek, that step was the deepest I got debugging this14:47
marekdrodrigods: what email14:47
rodrigodsmarekd, the one in the thread about k2k14:47
dstanekmarekd: i think his bug may be caused by pysaml214:47
dstanekrodrigods: no, what email?14:48
*** henrynash has quit IRC14:48
marekddstanek: stevemars?14:48
rodrigodsdstanek, sent to you in pvt yesterday14:48
marekddstanek: well, it probably is but not in a straight way.14:48
marekddstanek: we do generate saml assertion, but we have a logic for that directly in keystone14:48
marekddstanek: it's not something like saml2.generate_assertion()14:49
marekdwhere saml2 is a pysaml2's module14:49
dstanekmarekd: who signs it?14:49
rodrigodsdstanek, tl; dr; used openssl to check the assertion signature, the output was a strange error. Then, used some argument to pass the CA issuer cert and it successfully verified the signature14:49
*** henrynash has joined #openstack-keystone14:49
*** ChanServ sets mode: +v henrynash14:49
dstanekrodrigods: hmmm...i don't see an email from you - but code reviews are clogging my inbox14:50
marekddstanek: it uses pysaml2's methods and objects but in general the logic is in keystone. Now i think the bug may be there because of pysaml2 just because it was heavily looking how it was done in pysaml when i was writing signing part in Keystone.14:50
marekddstanek: let me find the code14:50
marekddstanek: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/idp.py14:51
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add get certificates for v2.0  https://review.openstack.org/14212214:51
gabriel-bezerramarekd: Just adding the <PolicyRule type="NullSecurity"/> as the first entry in the default Policy also works (if that makes automation simpler...)14:51
rodrigodsdstanek, pct chat IRC now14:51
rodrigodspvt*14:51
dstanekrodrigods: thx14:52
marekddstanek: in fact we use xmlsec1 to sign the Assertion14:52
marekdline 39714:52
marekdbut that's how pysaml2 also dies14:52
marekddoes14:52
marekddstanek: unfortunately pysaml2 author didn't respond.14:53
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add fetch revocations for v2.0  https://review.openstack.org/14193514:53
*** ayoung has joined #openstack-keystone14:53
*** ChanServ sets mode: +v ayoung14:53
marekdgabriel-bezerra: ok, thanks.14:55
bknudsondstanek: you were pinging me yesterday?14:58
dstanekmarekd: it looks like Roland is very active in this space14:58
dstanekbknudson: yes, but i answered my own question14:59
marekddstanek: ....14:59
*** lihkin has quit IRC15:05
*** zzzeek has joined #openstack-keystone15:05
*** lihkin has joined #openstack-keystone15:07
*** hdd has quit IRC15:11
*** andreaf has quit IRC15:12
*** jasondotstar|afk is now known as jasondotstar15:15
*** timcline has joined #openstack-keystone15:15
*** timcline has quit IRC15:16
*** timcline has joined #openstack-keystone15:16
*** zzzeek_ has joined #openstack-keystone15:20
*** david-lyle has joined #openstack-keystone15:21
morganfainberghm. darn stevemar and topol are not here...15:22
morganfainbergjamielennox|away, I'm going to do KSC and middleware release on monday unless i shouldn't15:23
morganfainbergjamielennox|away, just looked at what is going on for me and i don't think i can do it until then.15:23
*** zzzeek has quit IRC15:23
*** zzzeek_ is now known as zzzeek15:23
morganfainbergjamielennox|away, let me know if there is anything we *need* to land asap for either, i'll take a look at outstanding reviews in a moment15:24
*** stevemar has joined #openstack-keystone15:24
*** ChanServ sets mode: +v stevemar15:24
*** HenryG_ has quit IRC15:25
*** HenryG_ has joined #openstack-keystone15:25
*** k4n0 has quit IRC15:25
*** k4n0 has joined #openstack-keystone15:25
*** aix has quit IRC15:25
*** aix has joined #openstack-keystone15:25
*** ayoung has quit IRC15:25
*** ayoung has joined #openstack-keystone15:25
*** rajaniemi.freenode.net sets mode: +v ayoung15:25
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add fetch revocations for v3  https://review.openstack.org/14212815:26
*** afazekas has joined #openstack-keystone15:29
*** afazekas is now known as afazekas_pto15:29
gabriel-bezerraI used a protocol that was not registered and got this error message: "Attempted to authenticate with an unsupported method. (Disable debug mode to suppress these details.)" code="401" title="Unauthorized" , listing the available authentication methods.15:32
gabriel-bezerraThis error message doesn't help anyway finding what is wrong and even exposes internals of the server15:33
gabriel-bezerraof the service*15:33
marekdwhich protoccccol ???????????????????15:33
marekdyou should rather get 40415:33
gabriel-bezerraI did GET http://localhost:5000/v3/OS-FEDERATION/identity_providers/pysaml2/protocols/saml/auth15:34
gabriel-bezerrabut the only protocol I have registered for this identity_provider is saml215:35
gabriel-bezerraand that was the error message15:36
marekddo you know what line raised that exception?15:36
gabriel-bezerramarekd: more weird things are happening15:37
morganfainbergbknudson, dstanek, i'm going to go through our backport potentials and see what we really should be backporting next week so after the holidays we can hit those [i might backport a bunch of things]15:37
morganfainbergover the holidays15:37
morganfainbergbknudson, dstanek, i'll ping you guys on it as i get them done.15:38
marekdgabriel-bezerra: namelt15:38
morganfainbergcc dolphm, ^^15:38
marekdnamely15:38
*** hdd has joined #openstack-keystone15:38
bknudsonmorganfainberg: ok... I'll get an email since I'm subscribed.15:38
dolphmmorganfainberg: awesome!15:38
morganfainbergbknudson, yeah i mean i'll put you on the reviews :)15:39
gabriel-bezerramarekd: if I do a get_mappings with saml protocol, it will list the mappings for the other protocol15:39
bknudsonmorganfainberg: no need, I'll add myself.15:39
morganfainbergdolphm, we have a bunch of things that need backport eyes so figure might as well do it while it gets a bit more quiet15:39
morganfainbergbknudson, ok works for me15:39
marekdgabriel-bezerra: so i guess you have screwed something15:39
dstanekmorganfainberg: nice. i've available for reviews whenever you get it done15:39
gabriel-bezerramarekd: sorry15:39
dstaneks/get it/get any/15:40
marekdgabriel-bezerra: no worries15:40
marekdi think it's somewhere wrong with your config.15:40
bknudsonhopefully we'll be able to merge something.15:40
gabriel-bezerramarekd: mappings are not tied to a protocol in my call15:40
bknudsonpass jenkins15:40
morganfainbergbknudson, right?15:41
gabriel-bezerramarekd: I have a bunch of shell script functions to use keystone by the rest api, and didn't notice that I was not using the protocol in the mapping call15:41
morganfainbergayoung, https://bugs.launchpad.net/keystone/+bug/1400362 do you need me to handle the comments on that, it's tagged for k1 meaning we need to have it ready today if at all possible.15:41
uvirtbotLaunchpad bug 1400362 in keystone "check and delete  policy_association_for_region_and_service  performs create" [High,In progress]15:41
marekdgabriel-bezerra: happens :-)15:41
*** pcaruana has quit IRC15:42
morganfainberghenrynash, ping re: https://bugs.launchpad.net/keystone/+bug/139834715:42
uvirtbotLaunchpad bug 1398347 in keystone "LDAP backend should do filtered query instead of getting all data and then filtering" [Undecided,New]15:42
gabriel-bezerramarekd: regarding the GET invalid_protocol/auth, it is actually happening15:42
henrynashmorganfainberg: will look15:42
dstanekwe need a good old fashioned make file - i miss 'make clean'15:43
marekdgabriel-bezerra: can you check the logs and see where the exception is being raised?15:43
gabriel-bezerra2014-12-16 15:40:13.160164 14150 DEBUG keystone.common.wsgi [-] arg_dict: {'identity_provider': u'pysaml2', 'protocol': u'saml'} __call__ /opt/stack/keystone/keystone/common/wsgi.py:19215:43
gabriel-bezerra2014-12-16 15:40:13.166163 14150 WARNING keystone.common.wsgi [-] Authorization failed. Attempted to authenticate with an unsupported method. (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 127.0.0.115:43
marekdi am elbow deep in something else15:43
marekdand don't want to get distracted with it now.15:43
marekdgabriel-bezerra: you can help me with that.15:43
dstanekgabriel-bezerra: it looks like you don't have federation wired up in your config15:44
morganfainbergdstanek, make instead of tox!15:44
morganfainbergdstanek, :P15:44
gabriel-bezerrait is15:44
dstanekgabriel-bezerra: do you have the saml2 auth method in there?15:44
marekdgabriel-bezerra: exactly15:44
gabriel-bezerraif I just change the url to use saml2 protocol, it works15:44
marekdgabriel-bezerra: logs complain about sth else15:44
dstanekmorganfainberg: ++15:44
morganfainberggabriel-bezerra, that looks like it's trying to use a non-registered auth plugin15:45
gabriel-bezerra[auth]15:45
gabriel-bezerramethods=external,password,token,saml215:45
gabriel-bezerrasaml2=keystone.auth.plugins.saml2.Saml215:45
gabriel-bezerraI have this in my config15:45
dstanekadd the mapping plugin too?15:46
gabriel-bezerraand I don't have saml as a protocol of pysaml2 identity provider15:46
henrynashmorganfainberq: so this is a consequence of us not yet extending the filter hints into the ldap backend…we should do this….15:46
henrynashmorganfainberg: there may be a defect already….not sure15:46
morganfainberghenrynash, right - i wanted to check where we were with it and uhm... how we should classify this15:46
morganfainberghenrynash, yeh LP sucks tracking that stuff down, which is why i asked you :)15:46
morganfainberghenrynash, figured if anyone knew it was you.15:47
marekdgabriel-bezerra: remove external15:47
henrynashmorganfainberg: so happy for you to assign it to me…15:47
marekdgabriel-bezerra: just to be sure.15:47
morganfainberghenrynash, sure thing. going to mark it wishlist though since it's really an enhancement not a "bug"15:47
henrynashmorganfainberg: agreed15:47
morganfainberghenrynash, cheers and thanks15:47
gabriel-bezerramarekd: removing external did not resolve15:49
gabriel-bezerradstanek, marekd: when I use saml2 protocol, I get a "Could not map user (Disable debug mode to suppress these details.)" code="401" title="Unauthorized"15:49
gabriel-bezerrawhen I use saml protocol, I get that error15:49
gabriel-bezerrathat previous error*15:49
marekdgabriel-bezerra: for the saml2 protocol you have wrong mapping15:50
marekdrules15:50
marekdfor the wrong proto and 401 instead of 40415:50
gabriel-bezerramarekd: sure, but the point is that it is exposing the internals of the service when I use a bad protocol15:50
morganfainberggabriel-bezerra, sortof.15:51
marekdgabriel-bezerra: but where is that 401 with bad protocol ?15:51
marekdwhere is it in the logs?15:52
*** david-lyle has quit IRC15:52
gabriel-bezerrathe complete error is this : https://gist.github.com/gabriel-bezerra/aac13242060a98d4be4515:52
morganfainberggabriel-bezerra, that isn't really exposing the internals *that* much15:52
gabriel-bezerramorganfainberg: but it should be a 404, invalid protocol15:53
dstanekwhat does the message look like with debugging off?15:53
morganfainberggabriel-bezerra, i mean, sure you could fuzz/probe for protocols. --15:53
morganfainberggabriel-bezerra, well is it actually a 404 or a 401 in that case i *think* the URL is technically valid atm -based on routers.15:54
dstanekgabriel-bezerra: is the protocol in the URL?15:54
marekdand the error disappears when you use good protocol (registered one) ?15:54
gabriel-bezerradstanek: Yes, it is.15:54
morganfainbergdstanek, it would just say 401 very generically15:54
morganfainbergdstanek, w/o debug15:54
gabriel-bezerrawhen I use a good protocol, it gives me a mapping error, but that is expected, as I have not configured the mapping yet15:55
gabriel-bezerraat least not with the right rules15:55
dstanekso i think it looks good then15:56
*** topol has joined #openstack-keystone15:56
*** ChanServ sets mode: +v topol15:56
ayoungmorganfainberg, sorry, thought I had submitted that, but I guess that was one I assumed henry was picking up. Lets bump to K2, as I don't think it will be through today15:58
morganfainbergtopol, ping - need to bug ya.15:58
ayoungOh, wait15:58
morganfainbergayoung, you did put a patch in, just needs a tweak on it15:58
morganfainbergayoung, :)15:58
ayounghe did submit.  looking15:58
morganfainbergayoung, or henry did or someone did15:58
dstaneklbragstad: i just hacked up some docs for you :-) http://162.242.175.31:9999/docs/html/developing.html#work-in-progress-tests15:58
ayoungI'm the owner of the patch15:58
morganfainbergayoung, anyway just saw you on the bug so was pinging you before i fixed it15:58
morganfainbergayoung, since i am also digging into a few other things concurrently15:59
gabriel-bezerradstanek: marekd morganfainberg I updated the gist with the debugging off15:59
ayoungmorganfainberg, I 'm on it15:59
gabriel-bezerradidn't resolve the exposure15:59
morganfainbergayoung, awesome, thanks.16:00
ayoungNP16:00
morganfainbergyou know, east coast time does make it feel like there is a *lot* more overlap with everyone.16:00
morganfainbergexcept jamielennox|away :(16:00
gabriel-bezerraI'll go for lunch now, will be back in an hour.16:01
morganfainberggabriel-bezerra, enjoy lunch!16:01
marekdgabriel-bezerra: to me the problem is completely somewhere else16:01
marekdbon app16:01
*** ajayaa has quit IRC16:07
morganfainberglbragstad, we need to scrub specs.openstack.org API spec of XML references http://specs.openstack.org/openstack/keystone-specs/api/v2.0/identity-api-v2.0-extensions.html (look at the bottom)16:10
*** chrisshattuck has joined #openstack-keystone16:11
*** amakarov has joined #openstack-keystone16:12
ayounglbragstad, OK...so your comment was "Other test cases only go through the PUT, GET, HEAD, and DELETE respectively, but here we do an additional GET and HEAD after the DELETE. I think it would be more descriptive to have a test cases that explicitly points this out."16:15
ayoungI think that the CRUD tests in general should do what I am doing here...so...would leaving this as the crud  test and just explaining what I am doing be OK?16:15
ayoungdamnit, I just figured out how I could make it all better....16:16
*** rushiagr is now known as rushiagr_away16:18
topolmorganfainberg leading a call but will ping when I free up16:19
morganfainbergtopol, figured you'd ping back when able16:19
openstackgerritDavid Stanek proposed openstack/keystone: Adds a wip decorator for tests  https://review.openstack.org/13151616:21
* dstanek things topol is a natural leader16:22
dstanekhe leads all the things16:22
morganfainbergwe should have all banded together and nominated him for the board16:22
morganfainberg;)16:22
dstanekhaha, next time16:22
morganfainbergdstanek, right?16:22
morganfainbergdstanek, though honestly the two people i wanted on the board ballot were there by the time i got to nominating folks16:23
* topol yes topol is a legend in his own mind :-)16:23
ayoungdstanek, did you basically make it possible to let a test fail and still have the overall set of tests pass.  I think I love that!16:24
morganfainbergayoung, ++ yeah the wip decorator is nice.16:24
dstanekmorganfainberg: i was disappointed that Chuck Norris was not nominated16:24
morganfainbergdstanek, i was disappointed OpenStack Proposal Bot wasn't nominated16:24
*** samuelms-away is now known as samuelms16:25
ayoungChuck Norris is a Neocon loudmouth.  And Bruce Lee cleaned the walls with him.16:25
dstanekayoung: yeah, i'm been using a variation of that decorator for a long time16:25
dstanekit seems that i've lost the ability to write grammatically correct sentences today16:26
*** lsmola has quit IRC16:26
bknudsondstanek: any reason not to put the test wip decorator in oslo?16:26
*** kragniz is now known as kragwhale16:26
ayoungbknudson, ++ it belongs there16:26
*** lihkin has quit IRC16:27
openstackgerritayoung proposed openstack/keystone: Check and delete for  policy_association_for_region_and_service  https://review.openstack.org/14012216:27
dstanekbknudson: nobody uses it yet, but i can propose it in oslotest16:27
bknudsondstanek: at least ask if they'll take it.16:28
ayoungmorganfainberg, BTW...did you see the unspeakable things I did with the policy code?  https://review.openstack.org/#/c/141969/16:28
morganfainbergayoung, nope haven't looked at that yet.16:28
ayoungIts not done, but that should really be the start of  the "enforce policy from a library" BP16:28
ayoungmorganfainberg, not needing a review yet, as it still has work to be done, but I think you will like the direction16:29
ayoungit leaves the decorators in place, but only in the controller code.  The guts of what they were doing is refactored out.16:29
morganfainbergayoung, i'll take a look once i'm back home post saturday16:29
ayoungNext step will be to reduce duplication16:29
*** david-lyle has joined #openstack-keystone16:30
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add validate token for v3  https://review.openstack.org/14214716:30
ayoungAlso, I want to get the abstraction right to be able to have the same code called inprocess from Keystone and remotely, while letting the callers handle how to get the token data and the policy data (remote fetch versus DB lookup)16:31
ayoungafaranha, thanks for the review on it.  I think now you see kindof where I was going.16:31
*** david-lyle has quit IRC16:33
*** EmilienM is now known as EmilienM|afk16:34
afaranhaayoung, :)16:34
afaranhaayoung, Now we are able to replace, target.project.domain_id or target.user.domain_id, by only target.member.domain_id, right?16:35
ayoungafaranha, yes.  It still is not where it needs to be 100% though16:35
afaranhadoes this works for rules like: %(domain_id)s?16:35
ayoungand I should split up that patch into the refactoring portion and the new functionality16:35
ayoungI kindof caught the new code up in the refactoring, and it ended up in the right place, but it needs to be a follow on patch16:36
ayoungafaranha, what it does not do yet is allow the caller to specify where in the request to look for the domain ID  for create requests16:36
morganfainbergayoung, dolphm, so pt-archiver - the only real solution to token bloat for *today* [meaning icehouse, juno, etc] in SQL16:37
morganfainbergdolphm, i expect to write up a quick doc patch that we can include in juno and icehouse explaining how to use it.16:37
afaranhaayoung, On creation we get the domain_id from the URL, don't we?16:38
afaranhaso in the policy we just use %(domain_id)s16:38
ayoungafaranha, not on all objects16:39
afaranhaayoung, right, on user for example, we get from the body of the request16:39
ayounghttps://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#create-user-post-users16:40
ayoungafaranha, let me split that patch and repost16:40
afaranhaOk16:40
afaranhalet me check the workflow for create a user16:41
ayoungafaranha, also,  look at the policy file patch.  There is a failure on check_token that is due to the "owner" logic being broken16:41
ayoungI think it shows a bug in the rules engine16:41
lbragstadmorganfainberg: agreed, I can go through the specs.16:42
morganfainberglbragstad, thanks.16:42
lbragstadmorganfainberg: no problem16:42
lbragstadnice catch16:42
*** jimbaker` is now known as jimbaker16:43
lbragstadayoung: about the CRUD tests, I was just making the observation that the test being modified is of a different patterns than the rest16:43
*** david-lyle_afk is now known as david-lyle16:44
*** jaosorior has joined #openstack-keystone16:44
lbragstadayoung: so should we make that test pattern (PUT, HEAD, GET, DELETE, HEAD-404, GET-404) the pattern?16:44
lbragstadayoung: for all functional tests?16:44
*** andreaf has joined #openstack-keystone16:45
ayounglbragstad, your question is rhetorical.  Right?16:45
afaranhaayoung, could you show where?16:45
ayoungand you missed the16:45
ayoungHEAD-404, GET-404  at the beginning of the sequence.16:45
lbragstadayoung: your test adds them to the end of the sequence16:46
lbragstadright?16:46
ayoungafaranha, if you checkout that patch, run  tox  -epy27 test_v3_auth16:46
ayounglbragstad, both16:46
morganfainberglbragstad, i added a comment to that patch.16:46
ayoungit is a precondition check, too16:46
* lbragstad digs for the review16:46
morganfainbergbut my recommendation is out of scope for the fix.16:46
morganfainberglbragstad, https://review.openstack.org/#/c/140122/3/keystone/tests/test_v3_endpoint_policy.py16:47
ayoungmorganfainberg, knowing that GET and HEAD are coming from the same code is not the same as confirm it16:47
ayoungconfirming it16:47
topolmorganfainberg, I am free. How can I help?16:47
morganfainbergayoung, no my point is .get() should do the check that head matches16:47
ayoungmorganfainberg, I could make it explicit, but they both check the same return code.16:48
morganfainbergayoung, so .get(404 expected, check_head_req=True) should validate that you get the same responses16:48
morganfainbergayoung, in any/all cases we check head and/or get.16:48
morganfainbergayoung, like i said that was out of scope for the change16:48
ayoungmorganfainberg, I see what you are saying.16:48
morganfainbergayoung, i did some of that before, but we can make all testing better. anyway waaaay out of scope for this test case.16:49
ayoungmorganfainberg, I could add a comment that the GET and HEAD need to return the same value16:49
lbragstadayoung: looks good to me16:49
morganfainbergayoung, nah, don't in this case16:49
ayoungOK16:49
lbragstadusing _crud_test works16:49
morganfainbergayoung, out of scope really for the fix.16:49
morganfainbergayoung, something we should enhance as we're making tests better16:49
lbragstadI had one minor comment on spelling16:50
morganfainbergayoung, if you respin for another patch a comment would be useful, but not worth a new patchset for unless we're changing something else.16:50
lbragstadpublished my comments16:51
ayoungrespinning16:51
afaranhaayoung, I run the tests here and it's working fine16:53
afaranhaLet me try another thing here16:53
*** ajayaa has joined #openstack-keystone16:54
rodrigodsmarekd, ping. Using blacklist/whitelist we'll need to *always* use direct mappings, right?16:54
*** rm_work|away is now known as rm_work16:55
afaranhaayoung, but I'm using the default policy.json. Did run with another version of the policy, or just test if the refactor didn't break anything?16:56
ayoungafaranha, wait one and I'll show you, just fixing a test for another bug first16:56
openstackgerritayoung proposed openstack/keystone: Check and delete for  policy_association_for_region_and_service  https://review.openstack.org/14012217:01
ayoungmorganfainberg, there, think that is what you meant17:02
ayoungafaranha, OK. lets see what I get17:02
morganfainbergayoung, pretty spot on17:03
morganfainbergayoung, thanks17:03
*** rushiagr_away is now known as rushiagr17:05
ayoungafaranha, I see that it did not break in the check job, either, so maybe I had something wacky on my machine.  I'll look again after lunch,  but first will split the refactoring patch17:06
*** nellysmitt has quit IRC17:10
afaranhaayoung, If you wanna help I can help you on this17:12
*** lhcheng has joined #openstack-keystone17:14
openstackgerritayoung proposed openstack/keystone: Modify the cloud policy  https://review.openstack.org/12350917:15
openstackgerritayoung proposed openstack/keystone: policy refactoring  https://review.openstack.org/14196917:15
openstackgerritayoung proposed openstack/keystone:  member for assignment policy  https://review.openstack.org/14216217:15
ayoungafaranha, yes please.  Here's what I'd like you to do17:15
*** lhcheng_ has joined #openstack-keystone17:15
ayoungstarting with  "member for assignment policy"  put in an optional parameter for the decorator that allows the coder to specify which attribute in the request has the domain ID in it17:16
ayoungor  even better, which attribute in the request should have policy enforced on it....17:16
ayoungkindof like the "member"  change17:16
afaranhabut isn't it what it does after your change?17:17
afaranhaayoung, ah, ok17:18
afaranhathis is for the code knows if the attribute is on the object, or in the post body, right?17:18
*** lhcheng has quit IRC17:19
afaranhaayoung, Just saw you send more patches, right o/17:19
ayoungafaranha, just split out one line from the patch, but yes17:19
afaranhaayoung, Don't we need to also put this code: "auth_context['scope'] = 'project'" outside the refactor patch?17:21
ayoungOh...yeah17:22
ayoungI knew there was something I was missing17:22
*** dims has quit IRC17:23
afaranha:P17:23
morganfainbergjamielennox|away, AHA I remembered what i wanted to talk to you about17:23
*** dims has joined #openstack-keystone17:23
morganfainbergjamielennox|away, i wanted to make keystone service discoverability better (minor optimisation) - so we can more easily get a catalog17:23
morganfainbergjamielennox|away, i'd like to be able to leverage a DNS SRV record -17:24
morganfainbergjamielennox|away, but i wanted your thoughts on it17:25
morganfainbergit would be nice to be able to say "keystone client use public.hpcloud.com" and it would know how to find keystone [no ports etc, needed]17:26
morganfainbergor rax, or <insert_domain here>17:26
afaranhaayoung, I think the reason you got error on the test is that you are using this policy: https://review.openstack.org/#/c/123509/26/etc/policy.v3cloudsample.json17:27
*** dims_ has joined #openstack-keystone17:28
*** dims has quit IRC17:28
gabriel-bezerradstanek, marekd, morganfainberg: back17:28
gabriel-bezerrathanks for your wishes17:28
gabriel-bezerraregarding the error, I think the information should be about the protocol not being registered, instead of about the authentication method. Plus, it should not expose details about the configuration of the service.17:31
dstanekgabriel-bezerra: what details are being exposed?17:34
gabriel-bezerradstanek: about the available authentication methods: password, token, saml217:34
gabriel-bezerraand external, when it was enabled17:34
richm1zigo: ping - was wondering if you could help with https://bugs.launchpad.net/ubuntu/+source/python-openstackclient/+bug/139387317:34
uvirtbotLaunchpad bug 1393873 in python-openstackclient "Update python-openstackclient to version 1.0.1" [Undecided,New]17:34
dstanekgabriel-bezerra: that's only if debug is enabled right?17:35
gabriel-bezerradstanek: no, it happened with debug disabled17:35
gabriel-bezerradstanek: https://gist.github.com/gabriel-bezerra/aac13242060a98d4be4517:35
openstackgerritAndre Aranha proposed openstack/keystone: policy refactoring  https://review.openstack.org/14196917:35
dstanekgabriel-bezerra: that's interesting17:36
dstanekgabriel-bezerra: i still don't know if it's a big deal - doesn't a service that expects users to authenticate need to tell them how they can authenticate?17:37
openstackgerritMorgan Fainberg proposed openstack/keystone: Check and delete for policy_association_for_region_and_service  https://review.openstack.org/14012217:38
morganfainbergayoung, ^ removed the now 100% duplicated test.17:38
*** andreaf has quit IRC17:40
gabriel-bezerradstanek: I don't think this is the case to show other authentication methods when one try to authenticate with FEDERATION and give a protocol id that is not registered.17:40
gabriel-bezerrasorry for the caps17:40
*** andreaf has joined #openstack-keystone17:40
morganfainberggabriel-bezerra, i am inclined to say this is an acceptable setup, with debug off it should just give a 40117:40
morganfainberggabriel-bezerra, with debug on, it gives more info17:41
dstanekmorganfainberg: the list of methods is there with debug off too17:41
*** Haneef_ has joined #openstack-keystone17:41
morganfainbergdstanek, oh *shrug* i don't know if that is really bad17:41
morganfainbergdstanek, you know who we should summon to weigh in17:41
dstanekmorganfainberg: i don't think so17:41
morganfainbergnkinder, ping ^17:41
nkindermorganfainberg: hey17:42
morganfainbergnkinder, so in a case we have an auth attempt with Federation to an unknown protocol it says "you can't do that, 401, and here are the auth methods i support"17:42
morganfainbergeven with debug off17:42
morganfainbergnkinder, is the "here are the auth methods i support" correct, incorrect, an exposure we shouldn't have?17:43
morganfainbergspecifically in the debug-is-off case17:43
nkinderThat doesn't seem bad to me17:43
*** kragwhale is now known as kragniz17:43
nkinderIf there's an insecure auth method, you have a problem whether you advertise it or not17:43
morganfainbergexactly17:43
dstanekmorganfainberg: nkinder: it's similar to going to a website and seeing you can login using a password or facebook - at some point the user has to know17:44
morganfainbergand being opaque about the protocols supported is not security17:44
dstaneki will say that this only happens because of how we result the auth pipeline and maybe the user experience is a bit weird17:44
gabriel-bezerrathe current message also doesn't help clarify that the problem is with the specified protocol id not existing17:44
morganfainbergdstanek, sure we can make UX a bit better here, but i don't see this as a critical bug.17:44
nkinderis that advertisement per-IdP?17:44
morganfainberggabriel-bezerra, we probably should make that *better* at the least17:45
gabriel-bezerrabut I agree with you regarding the exposure of the authentication methods17:45
gabriel-bezerramakes total sense17:45
morganfainberggabriel-bezerra, so improvement of the UX indicating what is going on i think is what we should be targeting here.17:45
morganfainbergnkinder, not sure if it's per, idp, but i *think* it is.17:45
openstackgerritAndre Aranha proposed openstack/keystone: Member for assignment policy  https://review.openstack.org/14216217:46
dstaneki don't think we do auth methods by IdP if that's what you mean17:46
morganfainbergdstanek, we don't17:46
nkindermorganfainberg: I would hope so, as we don't necessarily want to list/expose IdPs17:46
nkinderwe do support protocols per-IdP though17:46
morganfainbergnkinder, i think we need to enhance this for per-idp protocols though then.17:47
morganfainbergbut - we're not far off from that and no we wont expose other idps17:47
morganfainbergjust might say something like "password, token, saml" are options17:47
gabriel-bezerraexactly, nowadays the error shows: password, token, saml217:48
nkinderas long as we dont expose IdP's, I think we're good17:48
gabriel-bezerrabut it doesn't list the protocols supported by the idp17:48
gabriel-bezerranor it says the protocol is not registered17:48
nkinderWhat I mean by the protocols being tied to an IdP can be seen by the OS-FEDERATION auth URL format - /v3/OS-FEDERATION/identity_providers/<IdP ID>/protocols/<protocol>/auth17:48
morganfainberggabriel-bezerra, nkinder, right17:49
morganfainbergnkinder, gabriel-bezerra, so we should work to make the ux on what is returned better, but this is by no means crazy critical17:49
gabriel-bezerramorganfainberg: agreed17:49
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185417:50
morganfainbergsoo it's almost that time folks.17:52
morganfainbergthat magical time of the week.17:52
samuelmsmorganfainberg, p/17:52
morganfainbergwhere we take our arguments to the officially sanctioned meeting channel :P17:52
samuelmso/17:52
morganfainbergjust a heads up we *are* having the meeting today17:52
morganfainbergin 8 minutes or so17:53
gabriel-bezerrain #openstack-meeting?17:53
samuelmsgabriel-bezerra, yep17:54
gabriel-bezerrathanks, samuelms17:55
*** lhcheng_ is now known as lhcheng18:00
morganfainbergjamielennox|away, meeting time if you're awake18:01
*** k4n0 has quit IRC18:06
*** jamielennox|away is now known as jamielennox18:08
*** marcoemorais has joined #openstack-keystone18:10
*** harlowja_away is now known as harlowja18:12
*** ajayaa has quit IRC18:22
*** gyee has joined #openstack-keystone18:31
*** ChanServ sets mode: +v gyee18:31
*** zz_avozza is now known as avozza18:33
*** EmilienM|afk is now known as EmilienM18:35
*** marcoemorais has left #openstack-keystone18:35
*** abhirc has joined #openstack-keystone18:39
marekdrodrigods: what do you mean?18:42
rodrigodsmarekd, ?18:46
marekdrodrigods: "ping. Using blacklist/whitelist we'll need to *always* use direct mappings, right?"18:48
marekdrodrigods: what do you mean always?18:48
*** HenryG_ has quit IRC18:48
*** HenryG has joined #openstack-keystone18:49
rodrigodsmarekd, using whitelist/blacklist is tied to groups using direct maps18:51
*** gokrokve has joined #openstack-keystone18:53
*** aix has quit IRC18:53
rodrigodsmarekd, tied to the new key "groups" in the local rule18:55
*** afaranha has quit IRC18:55
marekdrodrigods: yes18:56
rodrigodsmarekd, great18:56
marekdrodrigods: are you implementing it now?18:56
rodrigodsmarekd, yes18:56
marekdgood18:56
rodrigodsme and vsilva should submit a patch this week18:56
marekdallrogty18:56
marekdi will have to stay then with debugging pysaml2 :(18:57
rodrigodsmarekd, heh :P18:58
rodrigodsmarekd, your reviews are always handy too :)18:58
marekdrodrigods: i will do my best.19:00
morganfainbergthanks all for the productive meeting.19:01
jamielennoxmorganfainberg: so, ksc release?19:01
morganfainbergit's going to be monday19:02
morganfainbergfor sure19:02
jamielennoxmorganfainberg: what are we waiting for?19:02
morganfainbergfor me to do release management stuff and get home19:02
morganfainbergunless there is a burning need for it tomorrow19:02
*** amolock has joined #openstack-keystone19:03
morganfainbergjamielennox, which case i'll fight with LP to do it19:03
*** marcoemorais has joined #openstack-keystone19:03
jamielennoxmorganfainberg: i have things waiting - but not burning, i just thought the intent was early this week and i thought you might have been waiting for certain patches19:03
ayoungjamielennox, do we have anything outstanding for "service users in non default domain" yet?19:04
ayounger...still?19:04
jamielennoxayoung: no, all that stuff is merged i think19:04
lbragstadso, question on the splits we talked about. If there isn't a direct benefit of doing it, should it really be done?19:04
topollbragstad does it make the code easier to read and maintain/19:05
lbragstador should that split wait until we have sound reason to follow through with it19:05
*** amolock has quit IRC19:05
lbragstadtopol: I'd have to revisit the 25000 line patch :)19:06
topollbragstad, me too. After some liquid courage19:06
lbragstadtopol: ++19:07
jamielennoxlbragstad: i can't tell, most of the reasons i can come up with for having roles split out are nice in theory - but i don't think people would use it19:07
morganfainbergjamielennox, ok then lets do a pass and i'll fight LP tomorrow morning19:07
morganfainbergsame with middleware19:07
jamielennoxmorganfainberg: this is not something i can help with right?19:07
*** afaranha has joined #openstack-keystone19:07
morganfainbergjamielennox, not at the moment, well besides verifying that things are all merged and in a good state19:08
topollbragstad, did you find any good places to drink near where we will be for the upcoming hackathon?19:08
*** henrynash has quit IRC19:08
jamielennoxmorganfainberg: yea, i'm looking to see if there's anything else i want in this release if we wait a bit longer19:08
openstackgerritSteve Martinelli proposed openstack/keystone: Provide additional detail if OAuth headers are missing  https://review.openstack.org/14219119:09
*** bernardo-silva has joined #openstack-keystone19:09
morganfainbergjamielennox, if not i'll plan for tomorrow.19:09
morganfainbergor bug dolph to help me if the network is being particularly ornery19:09
openstackgerritSteve Martinelli proposed openstack/keystone: Remove unnecessary ldap import  https://review.openstack.org/14219219:10
morganfainbergok it's long past lunchtime for me. and i need to find a new place to camp [where i have power]19:10
jamielennoxmorganfainberg: i don't see anything urgent, ideally we need to speed up the release cycle on these19:10
morganfainbergjamielennox, works for me. tomorrow it is.19:10
lbragstadtopol: dolphm makes mean margaritas.19:10
*** nellysmitt has joined #openstack-keystone19:11
morganfainbergjamielennox, so silly question, should we just bump the version to 1.0.0?19:11
morganfainbergsince this *might as well* be stable19:11
morganfainbergfor ksc19:12
jamielennoxmorganfainberg: does that mean i get to break things?19:12
morganfainbergjamielennox, i offered that to you at the summit, you told me "nah, talk with sdk folks and such"19:12
morganfainbergwell the x-project meeting and release group agrees, non-compat stuff should work w/ the sdk folks19:13
jamielennoxmorganfainberg: you ran in past the TC and they said they didn't want v2 of clients19:13
morganfainbergand we should move *that* direction in general19:13
ayoungtopol, I'm staying at the Valencia again, which means the Riverwalk is right there19:13
morganfainbergthe TC said they'd prefer SDK.19:13
topolayoung, me too19:14
jamielennoxmorganfainberg: right19:14
morganfainberganyway. i was meaning should this release be called 1.0.0 because well ksc is effectively stable19:14
morganfainbergand we should drop the 0.x.x for a stable nomenclature19:14
jamielennoxmorganfainberg: sure, ksc has been effectively stable for as long as i've been messing with it19:14
morganfainbergif anyone has a reason i shouldn't make this 1.0.0 of ksc19:14
morganfainbergplease let me know19:14
morganfainbergbut i'm off to eat and get my laptop plugged in19:15
ayoungI like the Linus Torvalds approach that major revision numbers should just be randomly assigned a some point in time19:15
jamielennoxmorganfainberg: does it let me change little, "this is technically backwards incompatible but you won't really notice" problems?19:15
jamielennoxbecause i think old releases are pinned < 1.019:16
*** nellysmitt has quit IRC19:16
*** marcoemorais has quit IRC19:27
*** marcoemorais has joined #openstack-keystone19:27
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add OS-SIMPLE-CERT support for v3.  https://review.openstack.org/14220019:30
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add OS-SIMPLE-CERT support for v3.  https://review.openstack.org/14220019:31
*** lhcheng has quit IRC19:33
*** lhcheng has joined #openstack-keystone19:33
*** lhcheng_ has joined #openstack-keystone19:34
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13479419:36
*** lhcheng has quit IRC19:38
*** marcoemorais has quit IRC19:42
*** marcoemorais has joined #openstack-keystone19:42
*** marcoemorais has quit IRC19:42
*** marcoemorais has joined #openstack-keystone19:43
*** marcoemorais has quit IRC19:44
*** amolock has joined #openstack-keystone19:44
*** marcoemorais has joined #openstack-keystone19:44
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add get certificates for v2.0  https://review.openstack.org/14212219:45
*** hdd has quit IRC19:48
dolphmif anyone has *not* booked a hotel for the hackathon - do so *this week* if you want a discount at the valencia19:49
bknudsonjamielennox: old releases can't be pinned.19:50
morganfainbergjamielennox, no.19:51
morganfainbergdolphm, i've had only a couple people ask for the discount code19:51
morganfainbergso...19:51
*** marcoemorais has left #openstack-keystone19:51
morganfainbergi assume everyone else is booking on their own19:52
gabriel-bezerramarekd: idp_users.py describes the users' attributes.19:52
gabriel-bezerradstanek: ^19:52
dstanekgabriel-bezerra: ?19:52
dstanekon my new devstack instance apache is only listening on tcp6 :-(19:53
gabriel-bezerrayou were having problems with the attributes sent by the idp, weren't you?19:53
gabriel-bezerradstanek: in my setup, netstat -ltnp shows only the ipv6 address, but it works with the ipv4 too19:54
dstanekgabriel-bezerra: it doesn't seem to be listening on ipv4 - maybe i just need to rebuild the machine19:55
*** hdd has joined #openstack-keystone19:55
gabriel-bezerraI mean, there is only a process listening on port 5000 in the ipv6 list, but it also works when I use ipv4 from another machine19:55
gabriel-bezerraand there is no process listening on 0.0.0.0:500019:56
gabriel-bezerranor any ipv4 address:500019:56
dstanekno such luck for me19:56
*** dims_ has quit IRC19:58
dstanekgabriel-bezerra: i stopped just before i was going to edit the attribute xml configuration - so i'm not yet sure what needs to go in there19:59
*** dims has joined #openstack-keystone19:59
*** bernardo-silva has quit IRC19:59
openstackgerritayoung proposed openstack/keystone: Member for assignment policy  https://review.openstack.org/14216220:02
openstackgerritayoung proposed openstack/keystone: policy refactoring  https://review.openstack.org/14196920:02
openstackgerritayoung proposed openstack/keystone: policy exception handling  https://review.openstack.org/14220720:02
*** dims has quit IRC20:03
openstackgerritBrant Knudson proposed openstack/keystone: Check and delete for policy_association_for_region_and_service  https://review.openstack.org/14012220:11
ayoungbknudson, feel free to +2 that one again20:12
*** marcoemorais has joined #openstack-keystone20:14
bknudsonayoung: which?20:14
ayoungbknudson, https://review.openstack.org/#/c/140122/620:14
ayoungyour change was trivial, and I think between you, me and morganfainberg we are OK saying that is ready to go in20:15
bknudsonmorganfainberg: want to take a quick look at https://review.openstack.org/#/c/140122 ?20:15
morganfainbergbknudson, looking now20:15
ayoungjust to re +A it20:15
morganfainbergyeah wait till jenkins then +A20:16
morganfainbergi tossed a +2 on there as well20:16
morganfainbergthanks!20:16
bknudsonthanks20:16
morganfainbergtwo more bugs to get gating - easy enough.20:17
morganfainbergor maybe it's one20:17
*** dims has joined #openstack-keystone20:18
*** DaveChen has quit IRC20:19
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add generic auth plugin documentation  https://review.openstack.org/14168020:19
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add auth plugin params to doc  https://review.openstack.org/14168120:21
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Document the auth plugins that are loadable by name  https://review.openstack.org/14168320:24
lbragstadand reason to not push https://review.openstack.org/#/c/140122/6 into the gate?20:37
marekdgabriel-bezerra: yes.20:37
lbragstadoh, yeah... Jenkins...20:37
*** marcoemorais has quit IRC20:41
*** marcoemorais has joined #openstack-keystone20:42
gabriel-bezerramarekd: so am I =/20:43
*** rushiagr is now known as rushiagr_away20:44
marekdgabriel-bezerra: ?20:44
openstackgerritayoung proposed openstack/keystone: Consolidation for policy  https://review.openstack.org/14216220:47
gabriel-bezerramarekd: I'm also having trouble with the attributes20:52
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Self Management of Roles and Domain Scoped Roles  https://review.openstack.org/14207220:54
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Self Management of Roles and Domain Scoped Roles  https://review.openstack.org/14207221:01
*** marcoemorais has left #openstack-keystone21:02
openstackgerritDolph Mathews proposed openstack/keystone-specs: Fix RST formatting issues  https://review.openstack.org/14193021:08
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Self Management of Roles and Domain Scoped Roles  https://review.openstack.org/14207221:11
*** nellysmitt has joined #openstack-keystone21:11
afaranhaayoung, So I'm creating a variable, like the member you created, called: enforce (temporary name).21:13
afaranhaayoung, the idea is that we can write rules like this: create_user: role:domain_admin and domain_id:%(enforce.domain_id)s21:13
ayoungafaranha, yeah, naming is tricky21:13
ayoungthat is the right idea...21:13
afaranhaIn the common/controller.py where we have: def protected(callback=None) I added enforce variable21:14
afaranhadef protected(callback=None, enforce=None)21:14
afaranhaso, the entity controller will call the protected method passing also this variable if needed21:15
*** tellesnobrega has quit IRC21:15
afaranhaayoung, I'll just make a test to make sure it's passing the right entity as intended21:16
afaranhajust a minute21:16
ayoungmorganfainberg, I just +a-ed one of the last 3 reviews for  https://launchpad.net/keystone/+milestone/kilo-121:16
morganfainbergthanks21:16
ayounghttps://bugs.launchpad.net/bugs/138367621:16
uvirtbotLaunchpad bug 1383676 in keystone "endless loop when deleting region" [High,In progress]21:16
*** nellysmitt has quit IRC21:17
ayoungmorganfainberg, that really just leaves one21:17
ayounghttps://bugs.launchpad.net/keystone/+bug/139847021:17
uvirtbotLaunchpad bug 1398470 in keystone "sql migration helpers incorrectly inspect for FKs" [Medium,In progress]21:17
morganfainbergpost x-project meeting i'm going to be looking at it and see what can be done21:17
*** tellesnobrega has joined #openstack-keystone21:17
morganfainbergisn't that one already gating?21:17
morganfainbergthe FK one21:17
ayoungyep21:18
ayoungwas just looking.21:18
ayoungso all 3 should be through shortly,  gate willing and the creek don't rise21:18
bknudsonthese changes are to make it so that we can get rid of the rest calls in auth_token and use keystoneclient: https://review.openstack.org/#/q/status:open+project:openstack/python-keystoneclient+branch:master+topic:bp/auth-token-use-client,n,z21:20
*** andreaf has quit IRC21:21
*** samuelms_ has joined #openstack-keystone21:26
openstackgerritDavid Chadwick proposed openstack/keystone-specs: Trusted Attributes Policy for External Identity Providers  https://review.openstack.org/13869321:26
openstackgerritMerged openstack/keystonemiddleware: remove the unused method _will_expire_soon  https://review.openstack.org/14096621:30
openstackgerritMerged openstack/keystonemiddleware: documentation for audit middleware  https://review.openstack.org/13034421:30
morganfainbergayoung, thanks!21:31
dolphmmorganfainberg: lbragstad: side thought, from a comment that lance made- spec authors should never register blueprints. the person hitting WorkFlow+1 should be creating the corresponding blueprint.21:36
morganfainbergdolphm, i'm fine with that21:36
morganfainbergdoesn't ttx have a tool for that though (or we could make one)21:36
dolphmmorganfainberg: i don't know if you can enforce that within lp ...?21:36
morganfainbergyou can't21:36
dolphmit'd clean up all the random blueprints in a hurry21:37
morganfainbergbut we can just say tool XXX will co-opt a previously registered bp21:37
morganfainbergand we can have it cleanup any bp that isn't in -specs21:37
lbragstadI like that idea. Not sure we had a criteria for it before?21:39
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13479421:42
*** diegows has quit IRC21:43
afaranhaDoes someone know how these parameters are passed to this function? https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L10221:46
rodrigodsafaranha, it's a decorator21:46
*** Tahmina has joined #openstack-keystone21:47
morganfainberglbragstad, no more/less of a criteria than "make a spec"21:52
morganfainberglbragstad, we just didn't specify who made the bp21:53
lbragstadyep, exactly21:53
morganfainberglbragstad, easy to make this change if we make a tool do the job for us21:53
afaranhaayoung, working :D22:03
stevemarhmm, weird cinder error coming up when using devstack now... i think they moved the bin directory22:03
afaranhaayoung, I'll post as WIP if you wanna check22:03
afaranhaayoung, but needs much more improvements22:03
ayoungafaranha, cool.  Have to head home now, and do some family time.  I'll check later on tonight.  Thanks.22:04
*** ayoung has quit IRC22:04
*** diegows has joined #openstack-keystone22:05
openstackgerritAndre Aranha proposed openstack/keystone: Member for assignment policy  https://review.openstack.org/14216222:07
morganfainbergraildo, rodrigods, ping - re HMT (now that it's merged)22:11
rodrigodsmorganfainberg, o/22:11
morganfainbergrodrigods, so now that HMT is merged, you guys mind writing up a little blurb we can publish highlighting what it means *today* for an OpenStack user/deployer? and what is next. I'd like to also use it in the "keystone webinar" i'm doing next week (the kilo release one)22:12
rodrigodsmorganfainberg, not at all! Where? Blog post or something?22:14
morganfainbergif you have a blog post for it that would be PERFECT!22:14
morganfainbergi'll also link to it from my blog ;)22:14
rodrigodsmorganfainberg, great! Think raildo is afk, but will send him an email right now :)22:15
morganfainbergbut the key is to highlight the two pieces: what does it mean today, and what is next22:15
rodrigodsabsolutely, we are really excited about the next steps22:15
morganfainbergthat'll help with socializing this to nova and other projects and get them thinking about it :)22:15
rodrigods++22:16
morganfainbergwe'll also get a message on the -dev list and operator list with a link to your post22:16
rodrigodsgreat! :)22:16
morganfainbergooh boy i need to rebase this change to get it in.22:29
morganfainbergwonder if i can break the dep on the previous change...22:30
*** chrisshattuck has quit IRC22:32
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Cleanup exceptions  https://review.openstack.org/14224322:33
jamielennoxi knew apiclient was going to bite us in the arse eventually22:34
*** marcoemorais has joined #openstack-keystone22:35
bknudsoncan't be removed since it's part of the public api now22:35
jamielennoxbknudson: no but it can be absorbed so it stops doing so much damage22:36
jamielennoxthat review is a start for keystoneclient ^22:37
lbragstadmorganfainberg: following up from earlier, all the xml references in here should be removed: https://github.com/openstack/keystone-specs/blob/master/api/v2.0/identity-api-v2.0-extensions.rst22:38
lbragstadcorrect?22:38
lbragstadand all the other identity-api-v2.0*.rst files22:38
morganfainberglbragstad, we should make sure they aren't relevant before we remove them.22:38
morganfainberglbragstad, but if we don't support XML it shouldn't be there :)22:38
morganfainbergsaying we do that is22:39
*** amolock has quit IRC22:39
lbragstadcorrect, makes sense22:39
*** samuelms_ has quit IRC22:39
openstackgerritMerged openstack/keystone: Fix the way migration helpers check FK names.  https://review.openstack.org/13846822:39
* morganfainberg hates being at a place he can't run local unit tests.22:40
morganfainbergbecause data rates and $hotel wifi is bad22:40
openstackgerritMorgan Fainberg proposed openstack/keystone: add circular check when updating region  https://review.openstack.org/13047422:40
bknudsonmorganfainberg: NameError: global name 'old_region' is not defined22:41
morganfainbergbknudson, dang it.22:41
morganfainbergbknudson thanks22:41
morganfainbergbknudson, i'm tempted to just smash this change in...22:42
bknudsonmorganfainberg: why?22:42
morganfainbergthe parent change was having a number of issues.22:42
morganfainbergi meant combine the fix from the parent.22:42
morganfainbergor.. i guess i could just punt this from k122:42
bknudsonit's not ready22:42
* morganfainberg grumbles.22:42
morganfainbergwell this change is.22:43
morganfainbergthe other one isn't22:43
bknudsonthere's probably a bunch of changes that are ready...22:43
bknudsonfor example, things that already have 1 or 2 +2s22:43
morganfainbergbknudson, the parent is the issue here22:44
morganfainbergbknudson, not the change i tried to rebase the parent out of22:44
morganfainbergbknudson, it had 2x+2 and a +A22:44
morganfainbergjust the parent change was a) outdated, and b) not ready22:44
bknudsonmorganfainberg: I think he made the parent change because he found it while trying out the dependent change.22:44
morganfainbergyeah seeing what he's doing now.22:45
* morganfainberg puts it all back22:45
*** topol has quit IRC22:45
bknudsonthe parent change was to fix a bug where an update actually did a replace22:45
morganfainbergi hate the catalog kvs driver22:45
openstackgerritMerged openstack/keystone: default revoke driver should be the non-deprecated driver  https://review.openstack.org/13091722:45
openstackgerritMerged openstack/keystone: Fixes links in Shibboleth configuration docs  https://review.openstack.org/14007722:46
bknudsonshould be fine with decent unit tests22:47
openstackgerritMerged openstack/keystone: fix wrong indentation in contrib/federation/utils.py  https://review.openstack.org/13992322:48
openstackgerritMorgan Fainberg proposed openstack/keystone: add circular check when updating region  https://review.openstack.org/13047422:48
openstackgerritMerged openstack/keystone: Rename `removeEvent` to be more pythonic  https://review.openstack.org/14210322:49
morganfainbergbknudson, it's all good will punt that fix to k222:51
openstackgerritMerged openstack/keystone: Add test for update role without name  https://review.openstack.org/14118522:51
morganfainbergit needed a rebase anyway22:51
*** gokrokve has quit IRC22:57
openstackgerritLance Bragstad proposed openstack/keystone-specs: Remove XML references from API documentation  https://review.openstack.org/14225022:58
*** timcline has quit IRC22:59
*** gokrokve has joined #openstack-keystone23:02
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Cleanup exceptions  https://review.openstack.org/14224323:05
*** gokrokve has quit IRC23:06
*** dims has quit IRC23:07
*** gokrokve has joined #openstack-keystone23:07
*** dims has joined #openstack-keystone23:07
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Cleanup exceptions  https://review.openstack.org/14224323:08
*** dims has quit IRC23:08
*** dims has joined #openstack-keystone23:08
*** nellysmitt has joined #openstack-keystone23:12
*** marcoemorais has left #openstack-keystone23:13
*** nellysmitt has quit IRC23:17
*** gordc has quit IRC23:23
*** gokrokve has quit IRC23:28
openstackgerritAlexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens  https://review.openstack.org/14139723:44
*** andreaf has joined #openstack-keystone23:52
