Tuesday, 2014-12-23

00:02 *** thedodd has quit IRC
00:06 *** erkules_ is now known as erkules
00:09 *** nellysmitt has joined #openstack-keystone
00:13 *** nellysmitt has quit IRC
00:22 *** dims has joined #openstack-keystone
00:23 *** dims has quit IRC
00:28 *** dims has joined #openstack-keystone
00:36 *** dims has quit IRC
00:37 *** zzzeek has quit IRC
00:43 *** rm_work is now known as rm_work|away
00:47 *** hichtakk has quit IRC
00:48 *** hichtakk has joined #openstack-keystone
00:58 *** hichtakk has quit IRC
00:58 *** hichtakk has joined #openstack-keystone
01:01 *** harlowja has joined #openstack-keystone
01:12 *** gyee has quit IRC
01:17 <openstackgerrit> wanghong proposed openstack/keystonemiddleware: support micro version if sent  https://review.openstack.org/130916
01:18 *** hichtakk has quit IRC
01:18 *** hichtakk has joined #openstack-keystone
01:20 *** jacer_huawei is now known as wanghong
01:28 *** dims has joined #openstack-keystone
01:33 *** afaranha has joined #openstack-keystone
01:34 *** dims has quit IRC
01:40 *** raildo_ has joined #openstack-keystone
01:40 *** raildo has joined #openstack-keystone
01:47 *** diegows has quit IRC
01:48 *** mitz_ has quit IRC
01:48 *** raildo has quit IRC
01:49 *** raildo_ has quit IRC
01:49 *** mitz_ has joined #openstack-keystone
01:53 *** afaranha has quit IRC
01:54 *** harlowja has quit IRC
01:59 *** raildo_ has joined #openstack-keystone
02:00 <ayoung> rodrigods, the graduation package needs to be reviewed
02:01 *** lhcheng has quit IRC
02:04 *** raildo_ has quit IRC
02:04 *** stevemar has joined #openstack-keystone
02:05 <openstackgerrit> Merged openstack/identity-api: Include a link to keystone-specs in the README  https://review.openstack.org/143530
02:05 *** ChanServ sets mode: +v stevemar
02:10 *** nellysmitt has joined #openstack-keystone
02:10 *** afaranha has joined #openstack-keystone
02:14 *** nellysmitt has quit IRC
02:34 *** dims has joined #openstack-keystone
02:39 *** dims has quit IRC
02:43 *** henrynash has joined #openstack-keystone
02:43 *** ChanServ sets mode: +v henrynash
02:48 *** hdd has quit IRC
02:50 *** erkules_ has joined #openstack-keystone
02:50 *** erkules has quit IRC
02:56 *** aix has quit IRC
02:58 *** afaranha has quit IRC
03:13 *** boris-42 has quit IRC
03:15 *** LinstatSDR has quit IRC
03:15 *** chrisshattuck has joined #openstack-keystone
03:23 *** ayoung has quit IRC
03:24 *** rm_work|away is now known as rm_work
03:26 <openstackgerrit> ayoung proposed openstack/keystone-specs:  multiple signing certificate  https://review.openstack.org/123782
03:26 *** raildo_ has joined #openstack-keystone
03:26 *** lhcheng has joined #openstack-keystone
03:30 *** LinstatSDR has joined #openstack-keystone
03:33 *** hichtakk has quit IRC
03:33 *** hichtakk has joined #openstack-keystone
03:41 *** rushiagr_away is now known as rushiagr
03:42 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Allow fetching user_id/project_id from auth  https://review.openstack.org/118520
03:43 *** lhcheng_ has joined #openstack-keystone
03:44 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Surface the user_id and project_id beyond the plugin  https://review.openstack.org/132030
03:45 *** lhcheng has quit IRC
04:00 *** lhcheng has joined #openstack-keystone
04:00 *** lhcheng_ has quit IRC
04:11 *** nellysmitt has joined #openstack-keystone
04:15 *** nellysmitt has quit IRC
04:27 *** hdd has joined #openstack-keystone
04:40 *** stevemar has quit IRC
04:41 *** stevemar has joined #openstack-keystone
04:41 *** ChanServ sets mode: +v stevemar
04:43 *** jaosorior has quit IRC
04:51 *** hichtakk has quit IRC
04:56 *** ajayaa has joined #openstack-keystone
05:00 *** hichtakk has joined #openstack-keystone
05:02 *** rushiagr is now known as rushiagr_away
05:03 *** hichtakk has quit IRC
05:17 *** henrynash has quit IRC
05:17 *** henrynash has joined #openstack-keystone
05:17 *** ChanServ sets mode: +v henrynash
05:30 *** rushiagr_away is now known as rushiagr
05:59 *** chrisshattuck has quit IRC
06:03 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/136243
06:05 *** chrisshattuck has joined #openstack-keystone
06:07 *** chrisshattuck has quit IRC
06:11 *** nellysmitt has joined #openstack-keystone
06:15 *** raildo_ has quit IRC
06:15 *** hichtakk has joined #openstack-keystone
06:16 *** nellysmitt has quit IRC
06:20 *** stevemar has quit IRC
06:35 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Auth plugin serialization  https://review.openstack.org/113163
06:36 *** hdd has quit IRC
06:36 *** hdd has joined #openstack-keystone
06:58 *** hdd has quit IRC
07:07 *** k4n0 has joined #openstack-keystone
07:18 *** ajayaa has quit IRC
07:22 *** mitz has quit IRC
07:24 *** LinstatSDR has quit IRC
07:24 *** jamielennox is now known as jamielennox|away
07:30 *** jorge_munoz has joined #openstack-keystone
07:31 *** ajayaa has joined #openstack-keystone
07:34 *** jorge_munoz has quit IRC
07:41 *** hichtakk has quit IRC
07:49 *** nellysmitt has joined #openstack-keystone
08:02 *** EmilienM|afk is now known as EmilienM
08:02 *** hichtakk has joined #openstack-keystone
08:23 *** hichtakk has quit IRC
08:46 *** hichtakk has joined #openstack-keystone
08:57 *** abhirc has quit IRC
08:59 *** lhcheng has quit IRC
09:17 *** hichtakk has quit IRC
10:22 *** EmilienM is now known as EmilienM|afk
10:32 *** aix has joined #openstack-keystone
11:07 *** EmilienM|afk is now known as EmilienM
11:07 *** rm_work is now known as rm_work|away
11:18 *** diegows has joined #openstack-keystone
11:43 <openstackgerrit> Boris Bobrov proposed openstack/keystone-specs: Alembic for SQL migrations  https://review.openstack.org/131531
11:50 <openstackgerrit> Boris Bobrov proposed openstack/keystone-specs: Alembic for SQL migrations  https://review.openstack.org/131531
11:56 *** dims has joined #openstack-keystone
12:00 *** andreaf has quit IRC
12:00 *** andreaf has joined #openstack-keystone
12:24 *** henrynash has quit IRC
12:24 *** dims has quit IRC
12:24 *** jungleboyj has quit IRC
12:24 *** jamiec has quit IRC
12:24 *** vhoward has quit IRC
12:24 *** x58 has quit IRC
12:24 *** zhiyan has quit IRC
12:24 *** gus has quit IRC
12:24 *** quack_quack_ has quit IRC
12:24 *** vishy has quit IRC
12:24 *** dougwig has quit IRC
12:24 *** larsks has quit IRC
12:24 *** zigo has quit IRC
12:24 *** jamielennox|away has quit IRC
12:24 *** rm_work|away has quit IRC
12:24 *** toddnni has quit IRC
12:24 *** notmyname has quit IRC
12:24 *** xianghui has quit IRC
12:24 *** gothicmindfood has quit IRC
12:24 *** lvh has quit IRC
12:24 *** gabriel-bezerra has quit IRC
12:24 *** jraim has quit IRC
12:24 *** rdo_ has quit IRC
12:24 *** andreaf_ has quit IRC
12:24 *** samuelms has quit IRC
12:24 *** redrobot_away has quit IRC
12:24 *** dobson has quit IRC
12:25 *** henrynash has joined #openstack-keystone
12:25 *** sendak.freenode.net sets mode: +v henrynash
12:26 *** dims has joined #openstack-keystone
12:26 *** jungleboyj has joined #openstack-keystone
12:26 *** jamiec has joined #openstack-keystone
12:26 *** vhoward has joined #openstack-keystone
12:26 *** x58 has joined #openstack-keystone
12:26 *** zhiyan has joined #openstack-keystone
12:26 *** gus has joined #openstack-keystone
12:26 *** quack_quack_ has joined #openstack-keystone
12:26 *** vishy has joined #openstack-keystone
12:26 *** dougwig has joined #openstack-keystone
12:26 *** larsks has joined #openstack-keystone
12:26 *** zigo has joined #openstack-keystone
12:26 *** jamielennox|away has joined #openstack-keystone
12:26 *** rm_work|away has joined #openstack-keystone
12:26 *** sendak.freenode.net sets mode: +v jamielennox|away
12:26 *** toddnni has joined #openstack-keystone
12:26 *** notmyname has joined #openstack-keystone
12:26 *** xianghui has joined #openstack-keystone
12:26 *** gothicmindfood has joined #openstack-keystone
12:26 *** lvh has joined #openstack-keystone
12:26 *** gabriel-bezerra has joined #openstack-keystone
12:26 *** jraim has joined #openstack-keystone
12:26 *** rdo_ has joined #openstack-keystone
12:26 *** andreaf_ has joined #openstack-keystone
12:26 *** samuelms has joined #openstack-keystone
12:28 *** dims has quit IRC
12:28 *** redrobot_away has joined #openstack-keystone
12:28 *** dobson has joined #openstack-keystone
12:33 *** andreaf has quit IRC
12:34 *** andreaf has joined #openstack-keystone
12:39 <marekd> morganfainberg: i think ayoung was referring to completely authN/authZ model he would like to have in OpenStack. But to me it looks like complete transformation and deserves at least major number of Keystone (if not all services), like Keystone2 :-)
12:40 <marekd> morganfainberg: speaking of the MFA bp I am also not clear on everything Werner wants to accomplish, that's why I had some issues/questions/comments.
12:41 <marekd> morganfainberg: i am not sure if we really want to mix auth plugin 'password' to handle both classic user/pass authentication with 1st stage of MFA ?
12:51 *** dims has joined #openstack-keystone
13:41 *** ayoung has joined #openstack-keystone
13:41 *** ChanServ sets mode: +v ayoung
13:47 *** amakarov_away is now known as amakarov
14:10 <amakarov> ayoung, hi! I saw redelegation spec merged, can you please look at the implementation? https://review.openstack.org/#/c/126897/
14:17 <ayoung> amakarov, was about 1/5 of the way through it
14:20 <amakarov> ayoung, cool! Tomorrow morganfainberg told me, you have ideas about revocation events rework, may I help somehow? I have an issue with revocation, and it looks weird to me
14:21 <amakarov> ayoung, s/Tomorrow/Yesterday/
14:21 <amakarov> :)
14:21 <ayoung> amakarov, he lied
14:21 <ayoung> I had considered it, but I like the existing code approach
14:21 <ayoung> approach
14:21 <ayoung> I have a client patch that needs review
14:22 <ayoung> https://review.openstack.org/#/c/81166/
14:22 *** gordc has joined #openstack-keystone
14:26 <amakarov> ayoung, so speed of tree traversal is enough?
14:26 <ayoung> I think so
14:26 <ayoung> we can look at optimizing it further if we get real performance numbers
14:29 <amakarov> ayoung, I'm worried about AE tokens actually - AFAIK, we'll have to do more calculations and keep an eye on potential bottlenecks :)
14:29 <ayoung> ++
14:31 *** jungleboyj has quit IRC
14:31 <ayoung> amakarov, are you specifically concerned about AE tokens and revocation events?  Why?
14:33 <amakarov> ayoung, we have to use UUID until now, because PKI needs certificate sync across nodes in a cluster, and AE gives opportunity to get rid of it along with full catalog in a token
14:34 <amakarov> ayoung, looks very promising
14:40 *** rushiagr is now known as rushiagr_away
14:44 *** radez_g0n3 is now known as radez
14:46 <rodrigods> where is the AE tokens spec?
14:48 <amakarov> https://review.openstack.org/#/c/130050/
14:49 <rodrigods> amakarov, thx
15:08 *** zzzeek has joined #openstack-keystone
15:25 *** k4n0 has quit IRC
15:26 *** hdd has joined #openstack-keystone
15:28 *** nellysmitt has quit IRC
15:30 *** dims has quit IRC
15:35 *** rushiagr_away is now known as rushiagr
15:38 *** ajayaa has quit IRC
15:39 *** chrisshattuck has joined #openstack-keystone
15:39 *** ajayaa has joined #openstack-keystone
15:40 *** henrynash has quit IRC
15:41 *** henrynash has joined #openstack-keystone
15:41 *** ChanServ sets mode: +v henrynash
15:42 *** nellysmitt has joined #openstack-keystone
15:56 <ayoung> morganfainberg, we meeting today?
15:58 *** lhcheng has joined #openstack-keystone
16:03 <openstackgerrit> Merged openstack/keystone: Memcache connection pool excess check  https://review.openstack.org/140681
16:03 *** lhcheng has quit IRC
16:04 *** chrisshattuck has quit IRC
16:10 *** chrisshattuck has joined #openstack-keystone
16:24 *** jorge_munoz has joined #openstack-keystone
16:31 *** dims has joined #openstack-keystone
16:35 *** dims has quit IRC
16:40 <morganfainberg> ayoung: was planning on it
16:40 <morganfainberg> ayoung: but I expect it to be light
16:41 *** dims has joined #openstack-keystone
16:46 *** hdd has quit IRC
16:49 <morganfainberg> marekd: I was just reading the back scroll, and 2 things - re: Werner and MFA, asking questions is good. I think we're in a weird place for the MFA stuff in general.
16:50 *** boris-42 has joined #openstack-keystone
16:51 <morganfainberg> marekd: I'd like to hear more on your concerns about the policy rework. I can say confidently that this cycle we can focus on the centralization first. Anything beyond that is probably unlikely to land in Kilo. But this is also why we have multiple specs for it instead of a "mega spec".
16:52 *** ajayaa has quit IRC
16:52 <morganfainberg> marekd: It means we can ensure the scope of changes is clear - and we can build on it. At the very least regardless of what ayoung is proposing we *can't* break the current model of policy / access / authz / authn.
16:52 <dstanek> chadwick seems to always be so counterproductive
16:53 <morganfainberg> Even if a new and better system is made. A Keystone2 is not on the table, nor is an openstack2 at this time.
16:54 *** nellysmitt has quit IRC
16:54 <morganfainberg> marekd: so, let's make sure things are broken up in clear ways and we get the obvious stuff / big win stuff (with less breaking everyone) clearly defined. We can then look at the wilder changes (even next cycle and beyond) and see if they are warranted / needed / the right direction.
16:55 <morganfainberg> dstanek: academia, it often looks that way from the outside in my experience.
16:55 <dstanek> morganfainberg: did you see his ML post?
16:56 <morganfainberg> Not yet. Have a whopping headache so far and just woke up.
16:56 <morganfainberg> dstanek: going to take a look now.
16:57 <dstanek> morganfainberg: i just find it odd that he can't figure out how to get stuff done with people he doesn't control
16:57 <morganfainberg> dstanek: I agree.
16:58 <morganfainberg> Wow. That is a "bug"?
16:59 <morganfainberg> Hmm. I could see it as a bug from a security perspective. Misconfiguration results in valid authn. Hmm
17:00 *** andreaf has quit IRC
17:00 *** andreaf has joined #openstack-keystone
17:01 *** jungleboyj has joined #openstack-keystone
17:05 <ayoung> morganfainberg, I'm working on "every project is a domain"  as part of the policy work...wondering if that needs its own spec now, too
17:06 <morganfainberg> Test.
17:07 <morganfainberg> ayoung: what changes from a policy perspective there?
17:08 <ayoung> a couple things
17:08 <ayoung> morganfainberg, the goal is to let horizon get a project scoped token for domain work
17:08 *** hugokuo has quit IRC
17:08 <ayoung> so adding a project upon domain create that has the same id as the domain
17:08 <ayoung> no parent, and the domain is the domain for the new "root" project
17:09 <ayoung> it will need a migration
17:09 <ayoung> and then, the fun stuff
17:09 <morganfainberg> ayoung: I thought we were getting rid of the domain table.
17:09 <marekd> morganfainberg: why would you think we are in a strange place for MFA at the moment?
17:09 <marekd> morganfainberg: if we make it an optional change it's good in general (imho).
17:09 <marekd> morganfainberg: i just want to make sure it's done right :-)
17:10 <ayoung> making policy rules for domain operations work on token that is requested based on domain id, but that also has the project data in it
17:10 <ayoung> I think that those tokens would just have both a domain {} section and a project {} section
17:10 <morganfainberg> marekd: not from a technology standpoint from the enforcement standpoint. We are odd because we have a different enforcement model - than most "apps" have.
17:11 <morganfainberg> ayoung: that's what we decided at the summit and seemed like the smallest hurdle
17:11 <marekd> morganfainberg: ok
17:11 <morganfainberg> marekd: I agree it should be optional. My push was for it to be an optional replacement password plugin - that has the logic to handle MFA for MFA enabled cases.
17:11 <ayoung> morganfainberg, I think this is a more reasonable interim step, but we can get rid of the domain table, too
17:11 <openstackgerrit> henry-nash proposed openstack/keystone: My First ABAC: An example alternative assignments engine  https://review.openstack.org/143557
17:12 <ayoung> I don't think that invalidates anything I've said
17:12 <morganfainberg> ayoung: nope. Just was commenting that was the direction I understood us going towards.
17:12 <marekd> morganfainberg: ok
17:12 <morganfainberg> And interim is fine.
17:12 *** nellysmitt has joined #openstack-keystone
17:12 <ayoung> morganfainberg, does it need a spec?
17:12 <ayoung> it is starting maybe to feel like it does
17:13 <morganfainberg> Well 2 things: it could be part of the hmt next steps spec, or does it go into another spec we have proposed?
17:13 <morganfainberg> If anything I think it goes into
17:13 <morganfainberg> Hmt "next steps" (as a gut feeling)
17:14 <marekd> morganfainberg: for the policy rework you wanted me to weigh in. I am guessing you are talking keystone-specs, especially the full dependency chain starting from: https://review.openstack.org/#/c/134657/ ?
17:14 <ayoung> morganfainberg, it certainly is part of the HMT work
17:15 <morganfainberg> marekd: absolutely. The whole chain if you want or you can pick/choose which ones. But if you see a major concern, or minor, I fed want your feedback on it.
17:15 <ayoung> https://review.openstack.org/#/c/135309/  is probably sufficient, then
17:15 <marekd> morganfainberg: sure, i am adding myself as a reviewer.
17:15 *** hugokuo has joined #openstack-keystone
17:15 <morganfainberg> ayoung: yeah. I would say they even have it in the commit message there.
17:15 <ayoung> I'll work on updating that
17:15 <morganfainberg> ;)
17:16 <marekd> morganfainberg: i am on holiday now, so not spending days at work, but I will try to take a look at it.
17:16 <morganfainberg> marekd: thanks! Absolutely. Like I said those are still up in the air, the ideas are probably sound. And sure don't work on holiday!
17:17 <ayoung> morganfainberg, was there anything specifically you were worried I was headed towards breaking when you said "At the very least regardless of what ayoung is proposing we *cant* break the current model of policy / access / authz / authn"  above?
17:17 <morganfainberg> It can wait until next year - I think we're close enough and I don't see those specs landing yet.
17:17 <morganfainberg> ayoung: nothing in specific. But as a point that the current model can't break.
17:18 <morganfainberg> ayoung: hence why keystone2 and openstack2 was not on the table
17:18 <ayoung> morganfainberg, I've tried to be very careful to provide a step-by-step approach that we can validate at each step.  We should not break anything
17:18 <morganfainberg> ayoung: also that we are likely to bridge this work over 2+ cycles
17:18 <ayoung> Oh yeah
17:19 <morganfainberg> ayoung: and you have been good about it. This was an affirmation that we can't and won't break what we have today.
17:19 <morganfainberg> Nothing specific I was worried about. :)
17:19 <ayoung> morganfainberg, I have a request out to David about the Database work for policy.  My guess is that he's solving a slightly different problem, so that whole piece will, I suspect be next release, not Kilo
17:19 <ayoung> did we name the L release yet?
17:19 * ayoung calls it Lima
17:19 <morganfainberg> Haven't heard about a poll for it yet.
17:19 <morganfainberg> Yeah I saw your email to him.
17:20 <marekd> morganfainberg: also, thanks for adding me to the ADFS CI mail-loop. I am responding now.
17:20 <morganfainberg> Is nkinder out for holidays yet?
17:20 <ayoung> Langley
17:20 <ayoung> He seems to be
17:20 <morganfainberg> Ah
17:20 <ayoung> Nah, Langley is my guess
17:20 <ayoung> https://www.google.com/maps/place/Vancouver,+BC,+Canada/@49.2505911,-123.0288036,10z/data=!4m2!3m1!1s0x548673f143a94fb3:0xbb9196ea9b81f38b
17:20 <morganfainberg> marekd: of course!
17:21 <openstackgerrit> henry-nash proposed openstack/keystone: My First ABAC: An example alternative assignment engine  https://review.openstack.org/143557
17:21 <morganfainberg> ayoung: so, re: Chadwick's latest email - in your opinion is that a bug?
17:21 <ayoung> haven't finished reading it
17:21 <ayoung> looking
17:22 <ayoung> looks like it, yes
17:22 <morganfainberg> But is there anything we can do about it. Since we don't control the Apache modules?
17:22 <ayoung> morganfainberg, all we should trust from HTTPD is that the authentication is valid, not that it maps to anything in Keystone.  We need to confirm that
17:23 <morganfainberg> It's just a bag of attributes passed down.
17:23 <ayoung> I think it should be a Keystone issue, not an HTTPD issue
17:23 <ayoung> we can trust the attributes themselves
17:23 <morganfainberg> Hm. Right but how do we know it's mod_shib or mod\abfab
17:23 <ayoung> we need the protocol to be set.  Is it not?
17:24 <morganfainberg> That is the next thing I'm going to look into, I hope it is - but you know how things are in Apache sometimes ;)
17:24 <ayoung> "need the Apache plugins to pass the name of the IDP and the protocol
17:24 <ayoung> being used as environmental parameters to Keystone, and then Keystone
17:24 <ayoung> can check that the ones that it has been configured to trust, are
17:24 <ayoung> actually being used by Apache.
17:24 <ayoung> "
17:24 <ayoung> pretty sure that data is there, but it does depend on the module what gets set
17:25 <morganfainberg> And I was coming to the same conclusion that it is a bug, but maaaay be in some cases hard to fix w/o patches to Apache mods.
17:25 <ayoung> I suspect that we could also do more work at the Apache layer to distinguish between two different Auth Urls and put additional env vars
17:25 *** nellysmitt has quit IRC
17:25 <morganfainberg> Yeah. Probably.
17:25 <morganfainberg> Maybe just an env-set at least?
17:25 <ayoung> morganfainberg, yes
17:26 <morganfainberg> This might just be a doc bug "hey do this too"
17:26 <ayoung> morganfainberg, this was one reason I was looking to split off "/auth" as I would like to be able to customize the plugin used for different auth urls
17:26 <morganfainberg> And then make keystone expect that. Doesn't fix if a module is bad, but it is one extra layer to prevent cross-vhost/auth-url leaking / miss authn
17:27 <ayoung> I have a todo item to loop back around on Federation, but right now we have two other people on our team looking at it from slightly different angles.  I was hoping to get some feedback from them before my next foray
17:27 <morganfainberg> Sounds good.
17:27 <ayoung> one is going Shib, the other Ipsilon.
17:28 <ayoung> jdennis is doing the Shib work.  He might know how to deal with that issue
17:29 <morganfainberg> Great.
17:29 *** thedodd has joined #openstack-keystone
17:29 <ayoung> I'll reply to the list
17:29 <morganfainberg> Ok, I was planning on replying pre-meeting today as well.
17:30 *** dnalezyt has joined #openstack-keystone
17:30 *** dnalezyt has quit IRC
17:31 *** dnalezyt has joined #openstack-keystone
17:31 <morganfainberg> Gonna go get coffee and then meeting time. Like I said I expect this to be a short meeting.
17:31 <morganfainberg> I also expect to cancel next weeks .. For obvious reasons.
17:33 *** dnalezyt has quit IRC
17:33 *** dnalezyt has joined #openstack-keystone
17:34 *** openstackgerrit has quit IRC
17:34 *** openstackgerrit has joined #openstack-keystone
17:37 *** jungleboyj has quit IRC
17:40 *** lhcheng has joined #openstack-keystone
17:41 *** hichtakk has joined #openstack-keystone
17:41 *** jorge_munoz has quit IRC
17:43 *** jorge_munoz has joined #openstack-keystone
17:47 *** LinstatSDR has joined #openstack-keystone
17:47 *** stevemar has joined #openstack-keystone
17:47 *** ChanServ sets mode: +v stevemar
17:51 *** jorge_munoz has quit IRC
17:56 *** zzzeek has quit IRC
17:56 *** zzzeek has joined #openstack-keystone
17:56 <morganfainberg> henrynash: are your items on the meeting agenda new for this week? I thought I cleared it but they look similar - so just checking.
17:58 *** jorge_munoz has joined #openstack-keystone
17:58 *** raildo has joined #openstack-keystone
17:58 *** raildo_ has joined #openstack-keystone
18:04 <morganfainberg> henrynash: meeting?
18:04 <ayoung> henrynash, come to the meeting!
18:04 <ayoung> we miss you!
18:21 *** henrynash has quit IRC
18:26 *** henrynash has joined #openstack-keystone
18:26 *** ChanServ sets mode: +v henrynash
18:29 <ayoung> Oooh, across the Puget from Vancouver is the town of Ladysmith.  That is a better L name than Langley
18:35 *** harlowja has joined #openstack-keystone
18:36 *** henrynash has quit IRC
18:36 *** andreaf has quit IRC
18:37 *** andreaf has joined #openstack-keystone
18:38 *** henrynash has joined #openstack-keystone
18:38 *** ChanServ sets mode: +v henrynash
18:49 *** jungleboyj has joined #openstack-keystone
18:59 *** jorge_munoz has quit IRC
18:59 <ayoung> henrynash, I'm, provided we do it as the two pieces.  Does that work for you?  DSR is the name, and the role-group is a reusable concept?
19:00 <henrynash> ayoung: so I'm not sure I understand what makes them separate....
19:01 <henrynash> ayoung: in my domain I need to create a <thingy> which is a set of roles or other <thingys> and I want to call it "myadmin"
19:01 <henrynash> ...actually, I want to call it "admin"
19:02 *** rushiagr is now known as rushiagr_away
19:03 <amakarov> henrynash, How it's called when an actor plays only one kind of roles?
19:03 <ayoung> henrynash, typecast
19:03 <amakarov> Like Willis always saving the world
19:03 <ayoung> amakarov, typecast
19:03 <amakarov> ayoung, thanks, maybe consider it?
19:04 <ayoung> typecast means something different in software.
19:04 *** hdd has joined #openstack-keystone
19:04 <amakarov> ayoung, unfortunately :(
19:05 *** chrisshattuck has quit IRC
19:05 <morganfainberg> I like "thingy" and "whoozawutzit" as constructs.
19:06 <amakarov> so, maybe call it "actor" ?
19:06 <amakarov> Actor can have many roles
19:06 <morganfainberg> amakarov: already use that in grant tables.
19:06 <morganfainberg> Not exposed via api, but it's there.
19:07 <amakarov> trouper? )
19:08 <amakarov> Google says: an actor or other entertainer, typically one with long experience
19:21 <morganfainberg> amakarov, i don't think we can do an odd name like that - it'll be bad UX for those consuming the API
19:22 <ayoung> actor has a role on a target
19:22 <ayoung> and via that role they get a set of permissions
19:24 <amakarov> ok, let's put it this way: an employee receives his access to one room or another according to his: role, position... what else?
19:25 <amakarov> status?
19:25 <amakarov> no, status doesn't go
19:26 *** nellysmitt has joined #openstack-keystone
19:30 *** nellysmitt has quit IRC
19:32 <amakarov> morganfainberg, "powers"
19:41 <morganfainberg> hm.
19:42 <morganfainberg> dstanek, ayoung, reading david's response. i am inclined to believe that the choice to trust apache is the same as the choice to trust a specific IDP in this case.
19:42 <morganfainberg> dstanek, ayoung, we *could* make it possible to do end-to-end like he's advocating, but that takes a lot of the offload work out of apache (all of it?)
19:43 <morganfainberg> marekd, ^ cc
19:44 <ayoung> morganfainberg, "if Keystone is given the original
19:44 <ayoung> signed SAML assertion "  means Keystone then needs to handle each and every protocol.  I think we're shooting at the wrong target with that
19:44 <morganfainberg> ayoung, exactly
19:44 <morganfainberg> ayoung, like i said we could. i don't like it
19:44 <ayoung> "mal-configured Apache "
19:44 * morganfainberg is going to respond.
19:44 <ayoung> question is how to confirm that we have the right system
19:45 <ayoung> I think, though, that we should be getting more info than he has in that mail
19:45 <morganfainberg> ayoung, yeah that i'll ask - but honestly i think in this case we *can't* know if apache isn't passing that info down.
19:45 <morganfainberg> i would think we should get more info from the SAML assertion down in the env though, right?
19:45 <ayoung> morganfainberg, absence of the variable is also actionable
19:45 <morganfainberg> ayoung, haha, i'm just slow at typing.
19:46 <morganfainberg> ayoung, but yes you and i are on the same page here.
19:46 <ayoung> "SAML implies SHIB which means we need the Shib specific variable"
19:46 *** amakarov is now known as amakarov_away
19:46 <ayoung> morganfainberg, OK, I'll come clean....I've been working at becoming a court reporter and am using a chorded keyboard
19:46 <ayoung> :)
19:47 <morganfainberg> LOL
19:47 <ayoung> morganfainberg, actually, my Brother-in-law is going this route. He's up to something like 150 WPM
19:47 <morganfainberg> ideally apache should be passing more information down (unique information about the external IDP, etc)
19:47 <morganfainberg> ayoung, that's crazy!
19:48 * morganfainberg needs to swap back to the cherry-brown based keyboard, the cherry blue is slowing typing down a lot
19:48 <ayoung> morganfainberg, mod_mellon does something different than mod_shib, and there was some reason we were favoring it...its been 1+ years since I looked at it, though
19:48 <morganfainberg> ayoung, i think mod_shib was either more modern or more friendly.
19:48 <morganfainberg> though marekd could probably shed specific light on it
19:52 <ayoung> I thought mod_shib was doing something shib specific.  I really don't recall the rationale
19:53 <ayoung> morganfainberg, adding domain-is-a-project breaks 27 tests
19:53 <ayoung> well, 30, but I already fixed 3 I think
19:53 <ayoung> they are all of the form  MismatchError: 4 != 6
19:54 <morganfainberg> not bad actually
19:54 <morganfainberg> 4 != 6 just means we're getting the expected differential of projects / domain listings
19:56 *** raildo has quit IRC
20:01 *** raildo_ has quit IRC
20:03 *** fifieldt has quit IRC
20:16 *** fifieldt has joined #openstack-keystone
20:19 <ayoung> morganfainberg, I would like to get that somehow reflected in the fixtures, though.  I think we are doing project-creates based on the values in there, and we can't add the root project into those lists without making it be explicitly added
20:21 *** abhirc has joined #openstack-keystone
20:25 <ayoung> morganfainberg, would it make sense to add the automatically created project to the projects listed in default_fixtures at the end of the  load_fixtures call?
20:26 <morganfainberg> hm
20:26 <morganfainberg> probably
20:26 <ayoung> morganfainberg, or...better to copy them to "self" and reference them via self.default_fixtures
20:44 *** harlowja has quit IRC
20:48 *** harlowja has joined #openstack-keystone
20:49 *** jorge_munoz has joined #openstack-keystone
20:54 *** jorge_munoz has quit IRC
20:57 *** jorge_munoz has joined #openstack-keystone
21:04 *** EmilienM is now known as EmilienM|afk
21:08 *** rm_work|away is now known as rm_work
21:09 *** jorge_munoz has quit IRC
21:16 *** dnalezyt has quit IRC
21:17 *** rm_work is now known as rm_work|away
21:19 *** gordc has quit IRC
21:20 *** rm_work|away is now known as rm_work
21:23 *** thedodd has quit IRC
21:27 *** nellysmitt has joined #openstack-keystone
21:32 *** nellysmitt has quit IRC
21:33 *** flwang1 has joined #openstack-keystone
flwang1greetings, i'm trying to add a new role and change the policy.json so that the user can add new user, but i still run into the 403 error, anybody can help? Cheers21:33
ayoungflwang1, write the rule first so that both the old role and new role will work21:35
flwang1ayoung: sorry, what did you mean "write the role first" ?21:37
ayoungflwang1, I didn't say that21:37
ayoungI said write the "rule" first21:38
ayoungmeaning the policy rule21:38
flwang1ayoung: sorry, typo :)21:38
ayoungyou working with the default policy file?21:38
flwang1yes21:38
ayoungOK ... let me link21:38
flwang1ayoung: firstly, I created a new role named 'manager' under tenant21:39
ayoungflwang1, http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n43  this is the rule you are trying to update, right?21:39
ayoungflwang1, heh, no you didn21:39
ayoung't21:39
ayoungroles are not under tenants21:39
ayoungroles are global names21:39
ayoungwhat I think you meant is21:39
flwang1yep21:39
ayoungyou created a new role and assigned that to a user in the corresponding project (tenant)21:39
flwang1sorry for the confution21:39
flwang1yes21:40
ayoungNo problem, I'm just being precise21:40
flwang1"identity:create_user": "rule:admin_or_manager",21:40
flwang1and i updated the rule like above21:40
ayoungdon't take it personally, its only meant to keep clear what I am telling you to do21:40
ayoungor what does  "rule:admin_or_manager",  look like?21:40
flwang1restart the the apache2 service21:40
flwang1listening...21:41
ayoungflwang1,  what does  "rule:admin_or_manager",  look like?21:42
flwang1"admin_or_manager": "rule: admin_required or role:manager",21:42
ayoungyeah, that is bad21:43
flwang1cool, what's the problem?21:43
ayoungthat means that if you have the role manager anywhere21:43
ayoungyou can add to any project21:43
ayoungwhich, I'm guessing is not what you want21:43
ayoungflwang1, you need to ensure the project id matches21:44
flwang1yep, I hope the user with manager role can only add new user to the tenant which the manager belongs21:44
flwang1does that make sense?21:44
flwang1but even if I set the OS_TENANT in env, i still got the 403 error21:45
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n8521:45
ayoungflwang1, I think you want something that looks like this rule21:45
flwang1i agree, but seems it's the next step, right?21:46
ayoungbut...you want an OR between the admin_required and the portion specific21:46
ayoungso21:46
flwang1for now, even for the same tenant, I still failed21:46
ayoungsay you have a rule project_manager21:46
ayoungit would be21:46
ayoung"project_manager": "role:manager and project_id:%(project_id)s",21:47
ayoungthen you could do21:47
ayoung"admin_or_manager": "rule: admin_required or rule:project_manager",21:47
flwang1is that only supported by v3?21:47
ayoungnope21:47
ayoungthat should work v221:47
flwang1awesome21:47
flwang1adding... but did you notice my above concern?21:47
flwang1or you believe this can fix my above concern?21:48
ayoungOh, one other thing21:48
ayoungcreate_user is not what you want21:48
ayoungthat creates a new user record21:48
ayoungthose are not under projects/tenants21:48
*** EmilienM|afk is now known as EmilienM21:48
ayoungall you can do at the project level is assign a role to that user21:48
ayoungdoes this completely mess you up?21:49
flwang1ayoung: but you understand what I want to do, right?21:49
ayoungnot 100% no21:49
ayoungflwang1, if you want to create a  new user, that is different from adding a user to a project21:49
ayoungwhich do you want to do?21:49
flwang1ayoung: as a public cloud provider, i just create a tenant for my customer21:49
ayoungOK21:50
flwang1and one user for their admin/manager21:50
ayounggo on21:50
flwang1and then we would like to see the admin/manager can add more user by themselves instead of calling us :)21:50
*** dims has quit IRC21:51
flwang1BTW, i'm really happy to see the HMT landed in21:51
flwang1that's another requirement from our customer21:51
flwang1back to the adding user question now21:52
flwang1so i'm thinking if we can workaround something so that the admin/manager of the tenant can get the permission to do that21:52
flwang1i'm making it more clear or mess? :)21:53
ayoungflwang1, adding a user is a global operation, not per tenant21:56
*** dims has joined #openstack-keystone21:56
ayoungso if you want to just create a new role for that, then you want21:56
flwang1ayoung: yep, i understand21:56
ayoung"admin_or_manager": "rule: admin_required or role:manager"  like you have.  If that is not working ,then it is a debugging problem21:56
flwang1ayoung: so you mean my way should be workable, is it?21:57
flwang1and after that, I may need assign the user to the specific tenant, right?21:57
ayoungflwang1, just creating a new role for create users?  Yes, what you have should do that21:57
flwang1ayoung: so maybe there is a bug for the policy, is it?21:58
ayoungflwang1, I'd suspect your set up first21:58
flwang1or it would be nice if you can help recreate it to confirm21:58
flwang1;(21:58
flwang1it's a fresh devstack21:59
ayoungmy guess is that you have something wrong. Either policy file or user is not what you think it is21:59
ayoungmy guess would be that the user token doesn't have the right role in it21:59
flwang1ayoung: okay22:00
flwang1ayoung: FWIW, the way I'm trying is correct, is it?22:00
ayoungflwang1, looks like it is to me22:00
flwang1ayoung: thanks a lot and merry Xmas22:01
flwang1ayoung: i will debug it and bug you after the holiday :)22:01
ayoungJoy to the World.22:01
*** harlowja_ has joined #openstack-keystone22:01
*** LinstatSDR has quit IRC22:02
*** erkules_ is now known as erkules22:02
*** harlowja has quit IRC22:02
*** jamielennox|away is now known as jamielennox22:03
dstanekmorganfainberg: ayoung: i agree with your earlier conversation - we chose architecturally to trust the Apache plugin22:07
*** dims has quit IRC22:11
*** esmute has quit IRC22:17
*** gothicmindfood has quit IRC22:18
ayoungdstanek, if I automatically create a project (with same id as the domain) when I create a domain, should I automatically delete it when I delete the domain and prevent a deliberate deletion of that project?22:21
ayoungactually...deleting the domain should already delete the project...hmmm22:23
*** harlowja_ has quit IRC22:31
*** harlowja has joined #openstack-keystone22:31
*** flwang1 has quit IRC22:35
*** samuelms_ has joined #openstack-keystone22:41
samuelms_henrynash, ping22:41
*** diegows has quit IRC22:42
*** hdd has quit IRC22:43
*** esmute has joined #openstack-keystone22:46
*** gothicmindfood has joined #openstack-keystone22:47
*** dims has joined #openstack-keystone23:12
*** hichtakk has quit IRC23:12
*** harlowja has quit IRC23:12
*** hichtakk has joined #openstack-keystone23:12
*** radez is now known as radez_g0n323:13
*** rm_work is now known as rm_work|away23:16
*** dims has quit IRC23:16
*** harlowja has joined #openstack-keystone23:20
*** jamielennox is now known as jamielennox|away23:24
*** nellysmitt has joined #openstack-keystone23:28
*** nellysmitt has quit IRC23:32
*** LinstatSDR has joined #openstack-keystone23:35
*** hichtakk has quit IRC23:47

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!