Thursday, 2015-01-08

*** chlong has quit IRC00:01
*** chlong has joined #openstack-keystone00:02
*** richm has quit IRC00:02
*** thedodd has quit IRC00:03
*** jaosorior has quit IRC00:03
*** chlong has quit IRC00:06
stevemarbknudson, what should i see if i use 145607?00:06
*** rdo has quit IRC00:14
*** avozza is now known as zz_avozza00:17
*** joesavak has quit IRC00:18
*** jungleboyj has joined #openstack-keystone00:18
*** zz_avozza is now known as avozza00:19
*** rdo has joined #openstack-keystone00:22
*** radez is now known as radez_g0n300:22
bknudsonstevemar: should look the same as running tests in nova.00:25
*** chlong has joined #openstack-keystone00:29
gyeenkinder, ayoung, does 389 support trust similar to AD trust?00:32
*** raildo has quit IRC00:35
*** dougwig is now known as dougwig_the_rude00:41
*** dougwig_the_rude is now known as dougwig00:42
*** arunkant has quit IRC00:53
*** samueldmq has joined #openstack-keystone00:56
nkindergyee: IPA does (not 389)00:57
nkindergyee: "trust" is really a cross-realm kerberos trust, so you need a KDC00:58
nkinder389 is just an LDAP server, but FreeIPA is a KDC on top of 389 (plus lots of other stuff)00:58
gyeenkinder, thanks, someone mentioned authenticating against AD trust so I thought it was an LDAP thing01:04
*** dank has quit IRC01:04
gyeeI have not tested that setup myself01:05
*** samueldmq has quit IRC01:07
*** jungleboyj has quit IRC01:15
stevemarbknudson, oh, it only works when i run tox -e py27, not tox -e debug :(01:23
bknudsonstevemar: debug needs to do its own thing.01:24
*** htruta has quit IRC01:30
*** htruta has joined #openstack-keystone01:33
*** avozza is now known as zz_avozza01:34
*** gyee has quit IRC01:36
*** dims__ has joined #openstack-keystone01:37
ayoungmorganfainberg, jamielennox OK, read through your discussion.  I think jamielennox 's points summarize to "client already has an access info, so why do we need another"  and "immutable is unpythonic"  neither of which I interpret as him having any real problem with a drop in replacement for AccessInfo.01:40
ayoungThere are some issues with heat using the existing AccessInfo directly01:40
ayoungSo, let me state that "immutable is optional but encouraged"01:40
ayoungand I can bend even on that if it's a deal breaker01:41
ayoungso, really, I think we are all close enough that we can go with the accessinfo I wrote, if I do some follow on reviews replacing the old AccessInfo with mine and showing everything still works?01:41
jamielennoxayoung: if the interface matches the old AccessInfo (which it will have to do to be used by plugins and passed down from middleware) why not fix the old one rather than start from scratch?01:42
ayoungjamielennox, that is really what I did.  If you remove the dictionary aspect and the decorators from the client's AccessInfo, you get something like mine.  But the real answer is that I wrote it in the server and then moved it to the client.01:44
ayoungjamielennox, but if it is a drop in replacement, are you OK with my approach?01:45
jamielennoxi'll need to look at it again - but if you can use that in replacement for what we have then sure01:45
jamielennoxi just don't want to run two implementations side by side01:45
ayoungjamielennox, agreed.  I'll make sure it works as a replacement.01:48
*** zz_avozza is now known as avozza01:55
*** Zemeio has quit IRC02:10
*** Zemeio has joined #openstack-keystone02:10
*** _cjones_ has quit IRC02:11
*** chlong has quit IRC02:11
*** avozza is now known as zz_avozza02:12
*** samueldmq has joined #openstack-keystone02:20
*** samueldmq has quit IRC02:20
*** samueldmq has joined #openstack-keystone02:20
*** samueldmq has quit IRC02:20
*** samueldmq has joined #openstack-keystone02:21
openstackgerritMerged openstack/keystone: let endpoint_filter sql backend return dict data
*** topol has joined #openstack-keystone02:25
*** ChanServ sets mode: +v topol02:25
*** stevemar has quit IRC02:26
*** samueldmq has joined #openstack-keystone02:28
*** samueldmq has quit IRC02:29
*** samueldmq has joined #openstack-keystone02:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** samueldmq has quit IRC02:29
*** Zemeio has quit IRC02:39
*** Zemeio has joined #openstack-keystone02:39
*** samueldmq has joined #openstack-keystone02:47
*** gordc has quit IRC02:52
*** htruta has quit IRC02:52
*** erkules has quit IRC02:52
*** htruta has joined #openstack-keystone02:55
openstackgerritMerged openstack/keystone: Remove requirements not needed by oslo-incubator modules anymore
*** samueldmq has quit IRC03:03
*** gordc has joined #openstack-keystone03:09
*** htruta has quit IRC03:11
*** zz_avozza is now known as avozza03:20
*** avozza is now known as zz_avozza03:30
*** lhcheng has quit IRC03:32
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available
*** lihkin has joined #openstack-keystone03:45
*** _cjones_ has joined #openstack-keystone03:54
*** _cjones_ has quit IRC03:54
*** _cjones_ has joined #openstack-keystone03:54
*** chlong has joined #openstack-keystone03:57
*** erkules has joined #openstack-keystone04:01
*** chlong has quit IRC04:02
*** dims__ has quit IRC04:06
*** dims__ has joined #openstack-keystone04:08
*** tsufiev has quit IRC04:09
*** jungleboyj has joined #openstack-keystone04:09
*** tsufiev has joined #openstack-keystone04:09
*** dims__ has quit IRC04:11
*** chlong has joined #openstack-keystone04:18
*** _cjones_ has quit IRC04:20
*** chrisshattuck has quit IRC04:25
*** chrisshattuck has joined #openstack-keystone04:27
*** david-lyle has quit IRC04:50
*** lhcheng has joined #openstack-keystone04:53
*** zz_avozza is now known as avozza05:09
*** _cjones_ has joined #openstack-keystone05:12
*** gordc has quit IRC05:14
*** marg7175 has quit IRC05:14
*** LinstatSDR has quit IRC05:16
*** _cjones_ has quit IRC05:17
*** avozza is now known as zz_avozza05:18
*** chrisshattuck has quit IRC05:22
*** stevemar has joined #openstack-keystone05:22
*** ChanServ sets mode: +v stevemar05:22
*** LinstatSDR has joined #openstack-keystone05:26
*** lhcheng has quit IRC05:37
*** lhcheng has joined #openstack-keystone05:51
*** lihkin has quit IRC05:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** ajayaa has joined #openstack-keystone06:05
*** zz_avozza is now known as avozza06:10
*** avozza is now known as zz_avozza06:20
*** lihkin has joined #openstack-keystone06:22
*** topol has quit IRC06:22
*** lhcheng has quit IRC06:23
*** yasu_ has joined #openstack-keystone06:24
*** lihkin has quit IRC06:29
*** jamielennox is now known as jamielennox|away06:33
*** wanghong has quit IRC06:33
*** LinstatSDR has quit IRC06:36
openstackgerritSteve Martinelli proposed openstack/keystone: Do not depend on pysaml2 if using federation
*** mogami has joined #openstack-keystone06:54
openstackgerritSteve Martinelli proposed openstack/keystone: Check project id before creating request token
*** mogami has quit IRC06:59
*** afazekas is now known as __afazekas07:04
*** lhcheng has joined #openstack-keystone07:11
*** k4n0 has joined #openstack-keystone07:38
*** zz_avozza is now known as avozza07:41
*** lhcheng has quit IRC07:42
*** k4n0 has quit IRC07:42
*** afazekas_ has joined #openstack-keystone07:46
*** chlong has quit IRC07:47
*** avozza is now known as zz_avozza07:51
openstackgerrithenry-nash proposed openstack/keystone: Move projects and domains to their own backend.
openstackgerrithenry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver.
openstackgerrithenry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager.
openstackgerrithenry-nash proposed openstack/keystone: Make unit tests call the new reource manager.
*** stevemar has quit IRC08:02
*** henrynash has quit IRC08:03
*** henrynash has joined #openstack-keystone08:04
*** ChanServ sets mode: +v henrynash08:04
*** henrynash has quit IRC08:06
openstackgerritMarek Denis proposed openstack/keystone-specs: Standardize federated scoping process.
*** zz_avozza is now known as avozza08:26
*** jacer_huawei has joined #openstack-keystone08:34
*** jacer_huawei is now known as wanghong08:41
*** avozza is now known as zz_avozza08:48
*** jistr has joined #openstack-keystone09:10
*** andreaf has joined #openstack-keystone09:37
*** fmarco76 has joined #openstack-keystone09:42
*** nellysmitt has joined #openstack-keystone09:45
openstackgerritMarco Fargetta proposed openstack/keystone: Multiple IdP authentication URL
*** yasu_ has quit IRC10:03
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix
*** rushiagr_away is now known as rushiagr10:32
*** rushiagr is now known as rushiagr_away10:33
*** dims__ has joined #openstack-keystone10:34
*** dgonzalez has joined #openstack-keystone10:37
*** dims__ has quit IRC10:38
*** lhcheng has joined #openstack-keystone10:41
*** lhcheng has quit IRC10:46
openstackgerritMarek Denis proposed openstack/keystone-specs: Service Provider for K2K
*** bdossant has joined #openstack-keystone11:14
*** dgonzalez has quit IRC11:24
*** marg7175 has joined #openstack-keystone11:27
*** dgonzalez has joined #openstack-keystone11:31
*** chlong has joined #openstack-keystone11:43
*** marg7175 has quit IRC11:52
*** marg7175 has joined #openstack-keystone11:52
*** ajayaa has quit IRC12:00
*** dims__ has joined #openstack-keystone12:05
*** ajayaa has joined #openstack-keystone12:14
*** dims__ has quit IRC12:25
*** dims__ has joined #openstack-keystone12:49
*** bdossant has quit IRC13:03
*** bdossant has joined #openstack-keystone13:10
*** zz_avozza is now known as avozza13:21
*** bdossant has quit IRC13:27
*** bdossant has joined #openstack-keystone13:35
*** bdossant has quit IRC13:37
*** gordc has joined #openstack-keystone13:39
*** bdossant has joined #openstack-keystone13:40
*** bdossant has quit IRC13:41
*** bdossant has joined #openstack-keystone13:43
*** avozza is now known as zz_avozza13:54
*** jungleboyj has quit IRC13:56
*** dgonzalez has quit IRC13:57
ayoungbknudson,  "domain is-a project" is in the critical path for doing anything sane with policy.  I was creating a new project entry for the domain object, but I think that is the wrong approach now.14:03
ayoungbknudson, if you list projects under another project in HMT you don't get the parent project14:03
ayounglisting projects for a domain....should you get the root project or not?14:03
ayoungOr should you get all projects *under* the domain?14:04
bknudsonayoung: did we have this discussion at the summit? I think it was mentioned.14:04
bknudsonI don't remember what the result was14:04
bknudsonI think if you list projects for a domain you shouldn't get the root project, since it's not the same as the child projects.14:05
bknudsonI was wondering if this mysql command works for anyone: alter table region convert to character set utf8 collate utf8_bin;14:06
bknudsonERROR 1025 (HY000): Error on rename of './keystone/#sql-3ffc_32' to './keystone/region' (errno: 150)14:06
bknudsonI think it's because it's a foreign key.14:14
*** bdossant has quit IRC14:15
*** nkinder has quit IRC14:16
*** bdossant has joined #openstack-keystone14:17
*** sriram has joined #openstack-keystone14:21
*** links has joined #openstack-keystone14:27
bknudsonLooks like the 61 downgrade doesn't work with mysql -- AttributeError: 'MetaData' object has no attribute 'c'14:28
*** richm has joined #openstack-keystone14:29
*** bdossant_ has joined #openstack-keystone14:30
*** bdossant has quit IRC14:31
bknudsoneasy fix.14:34
*** joesavak has joined #openstack-keystone14:35
openstackgerritBrant Knudson proposed openstack/keystone: Fix downgrade from migration 61 on non-sqlite
*** lihkin has joined #openstack-keystone14:39
*** mattfarina has joined #openstack-keystone14:44
*** dgonzalez has joined #openstack-keystone14:54
*** mattfarina has quit IRC14:57
*** mattfarina has joined #openstack-keystone14:57
*** bdossant_ has quit IRC15:04
*** nkinder has joined #openstack-keystone15:04
*** dgonzalez has quit IRC15:08
*** esp has left #openstack-keystone15:19
*** timcline has joined #openstack-keystone15:23
*** fmarco76 has left #openstack-keystone15:26
*** topol has joined #openstack-keystone15:28
*** ChanServ sets mode: +v topol15:28
*** stevemar has joined #openstack-keystone15:29
*** ChanServ sets mode: +v stevemar15:29
*** lihkin has quit IRC15:32
*** bdossant has joined #openstack-keystone15:33
*** bdossant has quit IRC15:37
*** bdossant has joined #openstack-keystone15:38
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Standardize federated scoping process.
openstackgerritSteve Martinelli proposed openstack/keystone: Check project id before creating request token
*** bdossant_ has joined #openstack-keystone15:43
*** bdossant has quit IRC15:43
openstackgerritSteve Martinelli proposed openstack/keystone: Check project id before creating request token
*** bdossant_ has quit IRC15:47
marekdstevemar: looks like gyee's patch for k2k really works :-)15:51
stevemarmarekd, yep!15:52
*** lufix has quit IRC15:54
*** LinstatSDR has joined #openstack-keystone15:56
*** raildo has joined #openstack-keystone16:00
stevemarmarekd, i see your bump!16:17
stevemari won't let you down16:17
*** bdossant has joined #openstack-keystone16:17
*** chrisshattuck has joined #openstack-keystone16:17
marekdyou never do.16:17
*** bdossant has quit IRC16:17
*** afazekas_ has quit IRC16:18
*** henrynash has joined #openstack-keystone16:18
*** ChanServ sets mode: +v henrynash16:18
*** nkinder has quit IRC16:24
*** dgonzalez has joined #openstack-keystone16:25
openstackgerritMarek Denis proposed openstack/keystone: Scope federated token with 'token' identity method
openstackgerritMarek Denis proposed openstack/keystone: Scope federated token with 'token' identity method
*** Zemeio has quit IRC16:26
*** bdossant has joined #openstack-keystone16:27
*** andreaf has quit IRC16:28
ayoungmarekd, why doesn't _authenticate accept the token ref as a parameter?16:28
*** andreaf has joined #openstack-keystone16:28
marekdayoung: heh, if I had a good reason for that i cannot recall what was that and after reading this, this looks like my bug.16:31
marekdayoung: comment, and i will fix that.16:31
ayoungmarekd, I also don't like a call to an underscored function16:32
ayoungthose are supposed to be internal only16:32
marekdayoung: i was proposing changing the object class in the runtime depending on the token type, but it was rejected.16:32
marekdayoung: i need to run and do some business now, i shall be back slightly later.16:33
ayoungmarekd, ok...grab me before you do any rewriting16:33
ayoungthis logic looks wrong16:33
ayoungI'll see if I can think it through16:33
*** chlong has quit IRC16:34
* ayoung going to have to use his brain16:34
*** chrisshattuck has quit IRC16:35
*** henrynash has quit IRC16:36
*** henrynash has joined #openstack-keystone16:36
*** ChanServ sets mode: +v henrynash16:36
*** zzzeek has joined #openstack-keystone16:37
*** nkinder has joined #openstack-keystone16:38
*** gyee has joined #openstack-keystone16:39
*** ChanServ sets mode: +v gyee16:39
*** henrynash has quit IRC16:39
openstackgerritMerged openstack/keystone-specs: Standardize federated scoping process.
ayoungmarekd, I think you were on the right path with revision one.  It should be a single plugin with multiple cases for the type of token, not calling the mapped plugin16:42
*** nellysmitt has quit IRC16:44
*** Zemeio has joined #openstack-keystone16:45
*** raildo has quit IRC16:46
*** henrynash has joined #openstack-keystone16:52
*** ChanServ sets mode: +v henrynash16:52
*** bdossant has quit IRC16:58
*** _cjones_ has joined #openstack-keystone17:00
*** chrisshattuck has joined #openstack-keystone17:06
*** dgonzalez has quit IRC17:08
*** gordc has quit IRC17:08
*** chrisshattuck has quit IRC17:11
*** chrisshattuck has joined #openstack-keystone17:14
*** EmilienM is now known as EmilienM|afk17:15
*** thedodd has joined #openstack-keystone17:17
*** links has quit IRC17:18
*** lhcheng has joined #openstack-keystone17:32
*** thedodd has quit IRC17:41
*** jistr has quit IRC17:43
openstackgerritayoung proposed openstack/keystone: Explicit Unscoped
ayounggyee, do you really care:
ayoungI think having the scoping info in the same portion of the request as everything else is least surprising and also best documentation17:46
gyeeayoung, yeah, very much17:46
ayoungwhy?  what am i missing?17:46
gyeehaving unscoped inside scope seems wrong17:47
ayoung?no_default_scope  means a change to a whole lot of code, both inside the server and the client17:47
*** gordc has joined #openstack-keystone17:47
ayounggyee, it just makes it explicit.  I would say it should be17:47
gyeeit should be the same as no_catalog17:47
ayoungscope: None17:47
ayoungbut that could be tricky in JSON17:47
gyeeno JSON if you do this with a param17:48
nkindergyee: the way I see it is that the "scope" section indicates the requested scope of the token.  "unscoped" is an actual explicit scope if you think about it17:48
*** rushiagr_away is now known as rushiagr17:48
gyeenkinder, I thought it was kinda confusing to have unscoped inside scope17:49
ayounggyee, I might be more prone to agree with you if we did not have an actual scope section.  Otherwise we could have a contradiction like  ?no_default_scope specified on the URL and scope = project in the token request body17:49
gyeeanyway, I don't have a strong objection either way, just thought that param is more natural17:49
*** thedodd has joined #openstack-keystone17:50
ayounggyee, I would almost have preferred the no_catalog option to be inside the request body as well17:50
*** stevemar2 has joined #openstack-keystone17:50
*** ChanServ sets mode: +v stevemar217:50
bknudsongyee: it's not that the token doesn't have a catalog, right... it's that the response doesn't include the catalog.17:50
*** stevemar has quit IRC17:50
ayoungbknudson, well...PKIZ has the catalog in the body of the token17:50
bknudsonso in this case the token doesn't have a scope17:50
nkindergyee: what happens if I request a scope in the JSON and also use ?unscoped ?17:51
ayoungbut...lets say that is an artefact17:51
ayoungand not intention17:51
gyeedefault scope is an implicit behavior17:51
nkindergyee: that case seems more confusing to me than putting "unscoped" in JSON17:51
gyeethis is overriding it17:51
gyeenkinder, to be honest, I never like the idea of default scope :)17:52
nkindergyee: +117:52
ayounggyee yeah, me too17:52
nkinderbut we have to live with that17:52
ayoungProgramming is like sex17:52
ayounggyee, so you good with the code as is?17:52
gyeeayoung, sure, lemme change the review17:53
ayounggyee, thanks17:53
ayounggyee, If we make this work, and have it around for long enough, we can probably then throw in a config option that does the same thing, and eventually have unscoped by default be the default behavior17:54
ayounglong term, of course17:54
ayounglike in the S-T releases...17:54
ayounghow long until we run out of letters?17:54
gyeeayoung, ++17:54
ayoungI guess openstack only plans on doing releases for 13 years17:55
nkinderayoung: 7 years17:55
gyeemy understanding is the default scope was specifically designed for Horizon to enhance usability17:55
gyeebut with the session token, it is no longer useful17:55
*** stevemar2 has quit IRC17:56
*** stevemar2 has joined #openstack-keystone17:57
*** ChanServ sets mode: +v stevemar217:57
rharwoodclearly openstack should go rolling release when we run out of letters17:59
gyeewe identify a release by name anyway, next time around we'll call it Kilimanjaro and have our summit there :)18:01
gyeeit would be interesting to see how many can attend though18:02
*** zz_avozza is now known as avozza18:03
ayounggyee, Denali....18:05
ayounggyee, default scope was from the get go when the assumption was that each user would only be in a single project18:05
*** rushiagr is now known as rushiagr_away18:06
ayoungrharwood, I want to release Keystone on its own schedule anyway.  The synced release doesn't do much for us18:06
*** gyee has quit IRC18:08
*** EmilienM|afk is now known as EmilienM18:14
*** timcline has quit IRC18:17
*** dgonzalez has joined #openstack-keystone18:22
*** LinstatSDR has quit IRC18:23
stevemar2looking for a +3 for bknudson
*** dgonzalez has quit IRC18:27
*** dgonzalez has joined #openstack-keystone18:32
*** LinstatSDR has joined #openstack-keystone18:32
*** thedodd has quit IRC18:34
*** LinstatSDR has quit IRC18:35
*** vhoward- has left #openstack-keystone18:37
*** junhongl has quit IRC18:38
*** junhongl has joined #openstack-keystone18:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
*** nellysmitt has joined #openstack-keystone18:45
*** _cjones_ has quit IRC18:48
*** _cjones_ has joined #openstack-keystone18:49
*** stevemar2 has quit IRC18:50
*** nellysmitt has quit IRC18:50
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
*** thedodd has joined #openstack-keystone18:51
*** jorge_munoz has quit IRC18:55
*** stevemar has joined #openstack-keystone19:07
*** ChanServ sets mode: +v stevemar19:07
*** jorge_munoz has joined #openstack-keystone19:08
*** jorge_munoz has quit IRC19:09
openstackgerritayoung proposed openstack/keystone: Unscoped to Scoped only
ayoungmorganfainberg,  seems ready to go.  What next?19:11
ayoung"Promote policy to a top level library."19:12
morganfainbergNeed to wait for the next tc meeting. Next week.19:13
morganfainbergThis weeks meeting was not on.19:13
*** LinstatSDR has joined #openstack-keystone19:23
*** packet has joined #openstack-keystone19:27
*** atiwari has joined #openstack-keystone19:28
*** atiwari1 has joined #openstack-keystone19:29
*** _cjones_ has quit IRC19:33
*** _cjones_ has joined #openstack-keystone19:34
*** LinstatSDR has quit IRC19:36
*** ajayaa has quit IRC19:36
*** ajayaa has joined #openstack-keystone19:37
*** stevemar has quit IRC19:37
*** stevemar has joined #openstack-keystone19:38
*** ChanServ sets mode: +v stevemar19:38
morganfainbergayoung: then I think we just need to get the policy stuff imported into the new repo (infra) and do a release.19:39
ayoungmorganfainberg, cool.  I am starting to get to stuff that needs changes to policy, would rather do in the new library than in incubator19:40
morganfainbergYes. That is where it should go.19:41
*** ajayaa has quit IRC19:46
*** atiwari1 has quit IRC19:51
*** atiwari has quit IRC19:51
*** atiwari has joined #openstack-keystone19:52
*** atiwari1 has joined #openstack-keystone19:52
*** _cjones_ has quit IRC19:53
*** atiwari1 has quit IRC19:54
*** atiwari has quit IRC19:54
*** atiwari has joined #openstack-keystone19:54
*** atiwari has quit IRC19:54
*** atiwari has joined #openstack-keystone19:55
*** packet has quit IRC20:05
*** packet has joined #openstack-keystone20:08
*** raildo has joined #openstack-keystone20:12
*** atiwari has quit IRC20:13
*** jorge_munoz has joined #openstack-keystone20:29
*** jorge_munoz has quit IRC20:29
openstackgerritayoung proposed openstack/python-keystoneclient: Revocation event API
*** fifieldt_ has quit IRC20:32
*** fifieldt_ has joined #openstack-keystone20:33
*** jorge_munoz has joined #openstack-keystone20:35
*** Zemeio has quit IRC20:35
gordcmorganfainberg: stevemar: any thoughts on making a release of pycadf lib with deprecated audit middleware? or stevemar did you want to fix that bug we talked about first?20:35
stevemargordc, we should fix that bug i think20:37
gordcstevemar: kk. works for me.20:37
stevemarand update the requirements (minor but there's a patch in flight for that)20:37
*** harlowja_away is now known as harlowja20:37
gordci feel like there will be a lot with ongoing oslo changes.20:38
gordcstevemar: any timeframe in regards to fix?20:39
stevemargordc, haven't even begun it yet, our side convo didn't have a conclusion, what are you thinking ... just don't emit the event or have config options for swift?20:42
morganfainberggordc: let's fix the bug. Happy to do a release at anytime you want (except Friday nights and weekends)20:42
gordcmorganfainberg: cool cool. that's why i asked now. wasn't going to do it until next week if not.20:43
morganfainbergBut we can do the release pre-bug fix if that is important. Basically release is totally open to when you want it :)20:43
morganfainbergSounds good!20:43
gordcmorganfainberg: ok. i'll give you a heads up if i ever decide20:43
morganfainbergGreat. At the very least I'll plan to release next week (even if we delay it some no big deal)20:44
gordcstevemar: um... probably doesn't make sense to have it do processing in pipeline but never emit anything.20:44
*** jorge_munoz has quit IRC20:44
morganfainbergJust so I have my time planned out (release is easy but I need to remember I planned to do it)20:44
stevemargordc, but if they change swift to allow for the service catalog retrieval, then it'll be no changes for pycadf20:45
gordcstevemar: actually do we plan to fix this in pycadf as well or just in keystonemiddleware?20:45
gordcor wait... the logic is in pycadf.20:45
stevemargordc, i just don't know what the best solution should be =\20:45
morganfainbergjamielennox|away: let's plan the next ksc/middleware release for early feb - keep the cadence up so we aren't hanging back on new features. We can always delay. (Barring critical bug fixes)20:45
gordcstevemar: i'll think about it a bit more. caught between two convo right now. :|20:46
*** nellysmitt has joined #openstack-keystone20:46
morganfainberggordc: any logic that is in the middleware should only be fixed in middleware package unless it is a major security issue. Treat audit middleware in pycadf as frozen.20:46
morganfainbergJust in case the question comes up in the future.20:47
morganfainbergIf the logic is in pycadf, easy choice to fix.20:47
stevemarmorganfainberg, definitely in pycadf20:47
stevemargordc, yeah take your time20:47
gordcmorganfainberg: sounds good to me.20:47
stevemargordc, but i think we should get this one sorted out before releasing20:48
morganfainbergstevemar: yeah. Was just pointing out how to determine where to fix re middleware.20:48
ayoungnkinder, morganfainberg so...policy.  I've been working on the V3 cloudsample update, and I think we have at least 3 domains we might need to reflect in there;  default (no big deal),  admin, service.20:48
ayoungadmin domain should probably be considered a separate domain from service domain.20:48
morganfainbergayoung: sure that makes logical sense.20:48
morganfainbergThough, I could see some orgs lumping them together, I like the separation of concerns.20:48
ayoungmorganfainberg, right20:48
nkinderayoung: I don't even think default needs to be there (we just do a domain match for those rules)20:49
ayoungmorganfainberg, they should be seperate*able*20:49
nkinderadmin and service are special (and ideally separate)20:49
morganfainbergnkinder: we can't remove default and need to represent it for compat.20:49
ayoungor however you spell that dang word20:49
morganfainbergnkinder: but in principle I agree with you.20:49
nkindermorganfainberg: I just mean we don't need it to be specially defined in the policy20:49
ayoungnkinder, yeah, default is more "make sure things work for V2" than anything else20:49
nkindermorganfainberg: ...not that it must go away20:49
ayoungand, as we know, v2 should die20:50
morganfainbergnkinder: we might for v2 compat since lots of people are v2 vs v3.20:50
morganfainbergerm in v2 domain but using v3 api in the future20:50
ayoungbut is it like a zombie20:50
morganfainbergayoung: braaaaaaaaaaaiiiiinnnsssss20:50
ayoungmorganfainberg, you in the bay area today?20:51
gordcstevemar: ok.20:51
*** nellysmitt has quit IRC20:51
morganfainbergayoung: on the 15th and 22/2320:51
ayoungthat goes for gyee ... too, but he's gone20:51
morganfainbergNot this week. :(. Otherwise I'd go20:51
ayoungbe interested in having someone with a Keystone voice there20:51
morganfainbergGyee or nkinder would be the best bets I think then.20:52
ayoungmorganfainberg, guess who I asked first?20:52
morganfainbergIf I wasn't booked up with so much travel the next 2 weeks I'd hop a flight just for it.20:53
*** _cjones_ has joined #openstack-keystone20:53
raildohey, ayoung later, I want to talk with you about HMT, ok? :)20:54
*** david-lyle has joined #openstack-keystone20:54
ayoungraildo, when you are ready20:54
raildojust to update the specs20:54
morganfainbergSo ayoung need to chat about some v2 token isms that predate my working on keystone. I *think* we can rip some stuff out of the provider/issuance. You might know. I'll bug you later on / tomorrow about it.20:55
openstackgerritMerged openstack/keystone: Fix downgrade from migration 61 on non-sqlite
ayoungraildo,,  domain-is-a-project20:55
raildoI just think that we need to define better the relation domain as a project20:55
ayoungraildo, should "list projects for domain" return the domain?20:55
ayoungmy gut says no, but then I don't know how to represent it20:56
ayoungunless it is something like merge the domain and project tables, provide a flag20:56
raildoa project domainess? yes... just a domain( created using the domain API) no20:56
morganfainbergayoung, so i can see why your gut says no, but let me quickly present the other side20:57
raildoayoung, yeah, I implemented a POC to represent a project as a flag to represent a domain.20:57
morganfainbergayoung, the domain (since it is a project) is also managed by itself.20:57
ayoungmorganfainberg, yeah, I see that POV too20:57
morganfainberg*technically* that should be included then right?20:57
morganfainbergjust playing devil's advocate here20:58
ayoungmorganfainberg, the issue is LDAP20:58
ayoungwhich also should die20:58
morganfainbergi don't have a strong opinion that it needs to be that way20:58
ayoungthere is no nesting in LDAP, and thus it means there needs to be a magic project for the domain20:58
morganfainbergayoung, LDAP does a lot of magic already :(20:58
raildoayoung, ++20:58
*** _cjones_ has quit IRC20:59
morganfainbergdoes it hurt if we do more (oh god no please no, let's not)20:59
ayoungraildo, in HMT  list projects for domain won't be a tree, right, it will be a flat list of all projects?20:59
*** _cjones_ has joined #openstack-keystone20:59
ayoungmorganfainberg, we still talking software?20:59
ayoungor do I need to call 911?20:59
morganfainbergayoung, haha20:59
ayoungwith the LDAP backend, we can't even have domain scoped roles now, can we?21:00
raildoayoung, we have two options, we can get the projects as a list, so it's just a subtree list. or we can use other way, to return as a dictionary21:00
ayoungraildo, let me post my POC.21:01
raildoin this second option, we return just the project_ids as a hierarchy21:01
raildoayoung,  I see this patch
ayoungraildo, yeah.  I've done some more work, but still don't have the tests passing21:02
raildoayoung, ok21:02
ayoungraildo, mainly due to the LDAP tests breaking21:02
raildoayoung, I have some problems with this too :P21:02
ayoungsince it needs to be rebased on henrynash 's work anyway, and we are discussing deprecating LDAP assignments, I might just recommend we skip all of those tests21:03
*** markvoelker has joined #openstack-keystone21:03
morganfainbergi wonder if i qualify for the OpenStack pycharm license...21:04
raildoayoung, for HMT we create some tests just to show that we can't create a hierarchy, or get a subproject...21:04
ayoungmorganfainberg, I don't think so21:05
ayoungraildo, yes, but my change will be breaking some older tests21:05
morganfainbergayoung, there is an odd in-between qualification if you work only on upstream even if employed by $corpwhosellsopenstack$21:05
ayoungthe ones that count the number of projects returned in different circumstances.  The numbers are different for SQL and LDAP right now21:05
morganfainbergayoung, meh, whatever, it's not expensive.21:05
ayoungmorganfainberg, I've reverted to emacs21:06
raildoayoung, right21:06
morganfainbergayoung, great operating system there... if only it had an editor21:06
morganfainbergayoung, ;)21:06
ayoungmorganfainberg, I was using it mostly for debugging, but found import rpdb; rpdb.set_trace() to be the universal debugger21:06
ayoungpycharm that is21:06
ayoungso emacs as an editor (and OS) works fine for me21:06
morganfainbergayoung, i'd need to use the vi plugin for emacs to get a usable editor :P21:07
stevemarmorganfainberg, bknudson if y'all know of a better way to get around this, let me know
ayoungI am also conversant in vi21:07
stevemarI should probably file a bug :(21:07
morganfainbergstevemar, out-of-tree magic? :(21:07
morganfainberg[no no no]21:08
morganfainbergwhat ugly deps does pysaml2 have?21:08
ayoungstevemar,   if that extension is not included, why would they need it?21:08
ayoungI mean, why would you need an optional include?21:08
ayoungit seems to me that k2k should be a separate module that is dependent on federation, not a part of it21:09
*** thedodd has quit IRC21:09
ayoungfederation should be promoted to a non-extension, IMNSHO21:10
morganfainbergayoung, extensions are going away.21:10
ayoungmorganfainberg, that, too21:10
morganfainbergare we getting complaints about pysaml2?21:10
morganfainbergor is this pre-emptive "make it optional"?21:10
ayoungmorganfainberg, packaging is a nightmare,  lets not make it harder.21:10
ayoungif this is really needed for  a niche, lets keep it optional21:10
morganfainbergayoung, hold on.21:11
raildoIt remains a little more than one week, for the midcycle, I really wanted to go :(21:11
stevemarso for k2k, pysaml2 is needed; but for old fashioned federation it's not21:11
ayounglooking to see if it is already packaged21:11
morganfainbergayoung, yeah that would be the first question21:11
stevemarideally we should have k2k and regular federation separated, but it wasn't built that way21:11
morganfainbergstevemar, so are people complaining about pysaml2 - or is this pre-emptive?21:11
stevemarmorganfainberg, sry, just saw your pings now21:12
ayoungI don't see it in an entirely too cursory look21:12
stevemarmorganfainberg, no one is complaining, i was just trying to use OIDC only, and noticed that it wasn't working cause i didn't have pysaml2 installed21:12
morganfainbergok lets look at it from a deployer perspective21:14
morganfainberghaving a bunch of "if you want X go and also install all this extra stuff over here" is bad21:14
morganfainbergnot saying we need it as a hard dep, just keep in mind our deployer experience is ugly as is21:15
bknudsonstevemar: isn't a bad way to do it. I'd expect that the code below there would check for "if not saml2: fail"21:15
*** marg7175 has quit IRC21:15
morganfainbergit's early enough that if we say this is a real dep, most packagers shouldn't complain too much21:15
morganfainbergif it was post milestone-2 i'd be more leery21:15
stevemarbknudson, good call21:16
morganfainbergsince it isn't a separate module - i *tend* to err on the side of include it to make the deployer experience not suck more for <feature X> [regardless of feature]21:16
stevemarmorganfainberg, so right now pysaml2 is in test-req anyway right now21:16
stevemarso it's still a shitty UX21:17
morganfainbergstevemar, yes. i know21:17
stevemarthis is making it less shitty if you want to just play with openidc21:17
morganfainbergwe can work to make it better - the question is the value.21:17
stevemarbut i know what you're saying21:17
stevemarif you want to enable federation, you have to install all of these things21:17
morganfainbergso - if we move to separate packaging for the backends [waaaay different discussion] we could isolate this stuff.21:17
stevemarrather than piecemeal stuff21:17
morganfainbergin fact it would be good to make it where if you want memcache token, you get memcache dep - but we're not there at the moment21:18
morganfainbergapt-get install keystone-token-memcached (example)21:18
morganfainbergor pip, or whatever21:18
stevemarOK, so similar discussion for this then21:18
morganfainberglike i said i tend to err to the side of include it to make deployment experience less icky. but I'm fine with making it optional (we have prior art for this)21:19
stevemari'll leave the CR open for now and open a bug, feel free to mark it as won't fix, but i want it for the record in case someone else sees it21:19
bknudsonhow terrible is pysaml? it's not packaged?21:19
stevemarpysaml2 has weird dependencies21:19
morganfainbergbknudson, that is my question. i hope it's not terrible - just lacking current packaging because no one pushed it21:20
morganfainberggod. zope21:20
stevemarthose are both pretty old21:21
stevemar1.x and 0.x, when the author is at >2.021:21
morganfainbergok so, the only really ugly dep (or two) are zope and pyopenssl21:21
morganfainbergoh interesting and repoze21:21
morganfainbergbut that shouldn't be too bad21:21
gordcstevemar: added comment to bug, let me know if it works for you:
uvirtbotLaunchpad bug 1397938 in pycadf "pycadf doesn't work when service catalog is not set" [Undecided,New]21:22
morganfainbergdoesn't require lxml, nice.21:22
morganfainbergstevemar, so - i think pysaml2 could safely be made a hard-dep. zope.interface bleh, but somehow i bet that makes it in somewhere else in OpenStack as well21:22
stevemarpretty sure it does21:23
stevemarthanks gordc looking in a minute21:23
morganfainbergthis one is likely going to raise less ire than lxml does21:23
*** jamielennox|away is now known as jamielennox21:24
morganfainbergeventually we probably should be working to split things up for keystone by module - but that is a much much bigger discussion that we can't hit anytime soon.21:24
morganfainbergand we're early in the cycle21:24
morganfainbergstevemar, so i'll support either - just make sure to keep the deployer experience in mind when making the choice.21:25
*** gyee has joined #openstack-keystone21:28
*** ChanServ sets mode: +v gyee21:28
stevemarmorganfainberg, i'm too slow, marekd saw this months ago,
uvirtbotLaunchpad bug 1369986 in keystone "Federaton extension fails due to missing pysaml2 library" [Medium,Invalid]21:29
morganfainbergstevemar, sure. like i said, i'll support either21:30
morganfainbergjust keep in mind deployer experience21:30
ayoungmorganfainberg, can we not?  We don't make LDAP a hard dep even21:30
stevemarayoung, i think it's past due that we made that a requirement21:31
morganfainbergayoung, ^ i'm leaving this to stevemar's discretion here, i would prefer to work on making our deployer experience less crummy. if i need to know to install XXX and XXX and XXX and XXX and XXX to turn on features it's a really really bad experience21:31
morganfainbergayoung, or we start splitting these things out so keystone is the framework and if you want ldap, you install keystone-ldap-identity21:32
ayoungstevemar,   I see no K2K as niche.  Would like to defer Adding a package to RDO  for it21:32
ayoungmorganfainberg, ++21:32
stevemari'm leaning toward your line of thinking morganfainberg, i was originally OK with handling import errors, but yeah, it's just shitty UX to have to install x, y and z to actually use things21:32
morganfainbergayoung, so i think even k2k should be in the same boat here21:32
morganfainbergayoung, now, there is nothing saying we can't make it a goal of L-cycle to fix all this and make things more modular.21:33
*** jorge_munoz has joined #openstack-keystone21:34
morganfainbergayoung, i am not going to force the issue here though. we have prior art on "document this and if you want it do X" with ldap and memcache21:34
ayoungmorganfainberg, until I can break RDO of the antipattern of the All in One deployment (far more common than we like) I'd rather be very averse to any new hard deps21:34
morganfainbergayoung, well if we split the modules out - you are getting hard deps on those modules regardless21:35
morganfainbergayoung, it will happen within the next cycle or so anyway21:35
morganfainbergayoung, just keep it in mind.21:35
ayoungmorganfainberg, sure21:35
morganfainbergayoung, and frankly the choices redhat makes on how they package things for RDO is not a sole reason i'm willing to exclude something from reqs.21:36
*** henrynash has quit IRC21:37
morganfainbergayoung, my only requirement is we look at deployer experience - it's bad now. we can keep it as is, or work to fix now. we have prior art on both sides, but lets make good choices here.21:37
ayoungmorganfainberg, its not just Red Hat   That is just where I sit.  The issue is with the requirement of packaging up something for an optional feature21:38
morganfainbergayoung, it is something we'll need to fix soon™, but this could be just another memcache/ldap. i'll let stevemar and other cores comment on this - and i'll support both methodologies until we decide how we fix the deployer experience21:38
ayoungmaking the base footprint larger21:38
morganfainbergayoung, but we just need to make sure we're not making the deployer experience worse.21:39
ayoungHow hard did you have to look to find the ™ anyway?21:39
morganfainbergayoung, not at all, i know how to type it ;)21:39
morganfainbergi used to work at blizzard, that is like a requirement21:39
stevemarhaha, they do slap it on a lot of things21:39
* morganfainberg also cheats, OS X can type lots of those things more easily than Windows or Linux.21:40
jamielennoxoff the top of my head i'm not even sure how i'd go about finding that symbol21:41
openstackgerritMerged openstack/pycadf: Updated from global requirements
morganfainberg*maybe* we need to package some lightweight dep-only packaged for keystone?21:43
*** nkinder has quit IRC21:43
ayounganyway, I would say the K2K is different from base Federation, and should be separate code, regardless of all other issues21:43
morganfainberginstall keystone-memcache, keystone-federation-k2k just provides the deps21:44
morganfainbergmakes it easier for deployers?21:44
morganfainberglong term we could move real code into those.21:44
ayoungI'd be OK with that21:44
morganfainbergit also gives packagers clear delineation on what to package for what21:44
* morganfainberg should go chat w/ TC/infra on that21:44
ayoungdo we need to split git repos to make that happen?  That always annoyed me21:45
morganfainbergwe would need to split repos to put the code elsewhere21:45
morganfainbergwe would need separate repos for the requirements.txt in either case21:45
morganfainbergwe can't make two packages from 1 repo atm21:45
ayoungthat is so dumb21:45
morganfainbergpbr and pypi don't like it [both are issues]21:45
ayoungthe feeling is mutual.  I don't like either of them21:46
* ayoung grumpy21:46
marekdstevemar: morganfainberg: regarding the pysaml2 as dependency - maybe splitting k2k and icehouse federation is a good idea. Why stevemar would need pysaml2 for his oidc Keystone21:46
morganfainbergpbr is fine. but it inherits ick from setuptools21:46
ayoungpbr is ick21:46
ayounganything that needs to tell you it is reasonable obviously is no such thing21:46
morganfainbergayoung, nah. it's really making the setuptools experience bearable21:47
morganfainbergand we need that.21:47
stevemarmarekd, why do i need libvirt if i'm using xen only? (from a nova perspective)21:47
ayoungit makes the packaging experience less so.  Its like bundling Make with a binary21:47
marekdstevemar: ask nova guys :P21:47
stevemarand if i want to switch from oidc to k2k ?21:48
morganfainbergmarekd, it's the same argument. if i'm not using libvirt why should i need it. well at the moment iirc you do need it.21:48
stevemari shouldn't have to re-install a lib21:48
stevemari just want *keystone*, not have to install all this other crap21:48
marekdstevemar: well, then you are changing your usecase - from oidc SP to Keystone-idp.21:48
morganfainbergif we commit to splitting out modules into repos it's an easy sell. you want federation install keystone-federation21:48
morganfainbergif you want k2k you install keystone-federation-k2k21:49
morganfainbergetc etc21:49
marekdmorganfainberg: ++21:49
morganfainbergbut that is *not* happening in kilo21:49
marekdwell, at first i was even proposing to put pysaml into requirements.txt but it was rejected as federation was optional.21:49
morganfainbergso, lets focus on kilo - i'll plan to propose that for L (regardless of being PTL or not)21:49
morganfainbergmarekd, that changes with
morganfainbergmarekd, if extensions go away (please)21:50
ayounglibvirt is slightly more central to nova than k2k is to Keystone.  I've yet to get any demand for it, much as I like the concept21:50
marekdmorganfainberg: ++21:50
morganfainbergayoung, there has been documented demand, both at HP and RAX and it is being used.21:50
morganfainbergayoung, and cisco.21:50
ayoungmorganfainberg, Oh, I am sure it is being used.  Just that we have not had demand for it on our side21:51
ayoungour customers are slow on the uptake21:51
morganfainbergayoung, ok fair enough, no demand at RH yet :)21:51
morganfainbergi'm sure there will be21:51
ayoungmorganfainberg, I predicted it....2 years ago?21:51
morganfainberg(shameless plug) stevemar ^ review that spec.21:51
morganfainbergayoung, yah - about the time i started on working on keystone and I saw this as the direction i wanted to see (didn't say anything back then) :)21:52
morganfainbergayoungy, 2.5-3 yrs ago.21:52
* ayoung refuses to believe it has been that long....deny deny21:53
morganfainbergdeny all you want21:53
morganfainbergayoung, yep.21:54
ayoungwhen'd I first write that?21:54
stevemarit has been a fun 2 years :P21:55
stevemarmorganfainberg, link me, i don't see the spec21:55
*** raildo has quit IRC21:55
ayoungNo.  Fun is hanging by your fingertips off a cliff face or having a 1 AM Jam session21:55
ayoungthis has been decent work21:55
stevemarohh all the +'s21:56
morganfainbergayoung, what about doing both? hanging off a cliff WHILE having a jam session at 1am21:56
marekdayoung: have a minute to talk about ?21:56
morganfainberghm. that might be a bit cold where i usually climb21:56
ayoungmorganfainberg, don't want to risk dropping the Sax21:56
ayoungmarekd, sure.21:56
ayoungmarekd, so...couple ways we could do it21:57
morganfainbergayoung, ah, see my brother always had a $200 guitar he took with him... so worst case was the crappy camping guitar was broken21:57
morganfainbergthose usually lasted a couple years or so21:57
ayoungone is to lump everything into the token plugin21:57
ayoungthe other is to make a second plugin that only gets added if you are doing federation21:57
marekdayoung: i think the exact plugin to handle the authN should be resolved at...the plugin level. not in the controller21:57
* morganfainberg needs to get back to rock climbing :(21:57
morganfainbergit's been... years.21:58
morganfainbergand years21:58
ayoungmorganfainberg, climbing gym in SA?21:58
marekdayoung: and it will be, as this is where will point to.21:58
morganfainbergayoung, probably not this time - i'm on a whirlwind trip to the bay right after the midcycle21:58
morganfainbergif i wasn't leaving wed @ 6pm flight i would.21:59
ayoungmarekd, so lets go with the approach you had in revision 121:59
marekdayoung: yep.21:59
ayoungmarekd, the fact that we already have a config option means that it is the right solution21:59
morganfainbergbut i'm likely to be moving to the east coast - and i'll be up outside of boston (NH) by ~1h visiting friends fairly regularly if i do. so i can swing over your direction and check out that work-space w/ the gym in it when up that way22:00
ayoungotherwise, we *could* register an alternative token plugin that handles both22:00
ayoungmorganfainberg, where in the East Coast?22:00
marekdmorganfainberg: so you basically work remotely?22:00
morganfainbergwell i'll be moving to NYC. but 2 of my best friends are moving somewhere close to boston in NH in a few months22:00
ayoungvery cool.  I have family (in laws) in NYC.  Was just down there22:01
morganfainbergso if i'm in NYC i'll def be up by boston at least monthly or so.22:01
marekdayoung: which config option?22:01
* ayoung happy with this news22:01
* morganfainberg wants out of Los Angeles22:01
ayoungmarekd, um..22:01
bknudsonsounds expensive22:01
morganfainbergmarekd, yeah i work from wherever i have an internet connection.  coffee shops are a frequent place for me.22:02
ayoungmarekd, I lied22:02
morganfainbergbknudson, not much more than pasadena :(22:02
marekdmorganfainberg: do you like working remotely?22:02
morganfainbergbknudson, if you factor in i wont need to keep my car to get everywhere22:02
morganfainbergmarekd, some days. some days i really miss hanging out in the office w/ people.22:02
marekdayoung: :-)22:03
morganfainbergthe OpenStack crowd in LA is pretty spread out - and on monty's team there is only one other guy here (SpamapS) - we get lunch monthly or so, but still hard since everyone travels a lot22:03
morganfainbergmarekd, portland OR has a large OpenStack contingent22:03
morganfainbergas well22:03
bknudsonyou should move to vancouver and then to tokyo in a few months22:03
morganfainbergbknudson, haha22:04
morganfainbergbknudson, i am not looking forward to the flight to tokyo tbh22:04
morganfainbergi *think* one of the guys on Monty's team does go to <place of the summit> for as long as the visa lasts each cycle.22:04
ayoungmorganfainberg, when are you moving?  And, do you have a target Borough?22:04
morganfainbergayoung, probably march (late) - and target Borough is either Manhattan (west village/soho/tribeca/les) or some of the areas of brooklyn22:05
marekdayoung: so, do you have any hint how to make this change right?22:05
morganfainbergayoung, it depends on some travel for work if i can make march happen, it might need to wait till post vancouver.22:06
ayoungmarekd, I think you were closest with patch 1.  Go back to that, drop the mapping plugin, and mix in any of the logic that is needed from later reviews to keep things "stateless"22:06
ayoungmarekd, so none of the self,token_ref stuff you fixed in later reviews,22:07
morganfainbergbknudson, we removed the need for the vendor download of ksc right?22:08
ayoungmarekd, I would think it would be like:22:08
marekdayoung:  wait, you want me to move logic from plugins/ and mix it with ?22:08
ayoungmarekd, call it from there22:09
ayoungtreat the plugin as an adapter, but the logic should be a helper function that can be called from either22:09
bknudsonmorganfainberg: we made it optional some time ago use an env var... I've got a change proposed to never download.22:09
morganfainbergbknudson, ++ let me go find that22:09
morganfainbergi want to push that through if possible before k222:09
ayoungmarekd, is the idea that you still want to be able to use the mapped plugin stand alone?22:09
marekdayoung: it's not super easy, as is also used for getting and handling requests for unscoped tokens.22:09
bknudsonmorganfainberg: -- looks like I need to rebase.22:09
*** joesavak has quit IRC22:10
ayoungmarekd, the logic there is small, no?22:10
marekdayoung: and we will need to handle scoping tokens with authN methods 'mapped', 'saml2' for some time.22:10
marekdayoung: rather small.22:11
openstackgerritBrant Knudson proposed openstack/keystone: Keystoneclient tests from venv-installed client
ayoungah...bigger than I thought22:11
morganfainbergbknudson, cool, reviewing now22:12
marekdayoung: well, I was thinking about having some kind of factory, will still remain and class called Token.22:12
stevemarmorganfainberg, yay you'll be in the same time zone as the rest of us22:12
ayoungmarekd, I wonder if the guts of  _handle_scoped_token and _handle_unscoped_token should move to federation/core.py22:12
ayoungmarekd, you could make them helper functions inside the mapped plugin and just call them from, though.  I think that would be the right approach here22:13
bknudson-244 !22:14
bknudsonand can finally get rid of those weird "from keystoneclient import exceptions as client_exceptions"22:14
marekdayoung: let me see.22:14
ayoungmarekd, you can drop the self parameter and pass in the API objects you need to those functions22:14
marekdayoung: yeah, i am looking if we can make it 'stateless'22:15
ayoungmost of the "self" params we have are for linking to API objects22:15
morganfainbergstevemar, another shameless plug: needs to go through (cc ayoung, dolphm, gyee, lbragstad, jamielennox, dstanek)22:15
ayoungcode removal?22:15
stevemardouble +A'ed!22:16
ayoungbknudson, you are the cleaner22:16
ayoung"I never minded much about the little things."22:16
gyeedoes stackanalysis subject LOC for code removal? :)22:17
ayounggyee, it must.  IBM leads in Keystone, and guess why22:17
*** EmilienM is now known as EmilienM|afk22:17
ayoungif we left him alone for a month, we'd come back to find the Keystone repo empty22:18
ayoungwhich is my way of saying "thank you" bknudson in case it was not clear22:18
ayoungmorganfainberg, if I can get a tentative "that looks good" on  I'll write the spec change that accounts for it...if I have not already....22:19
morganfainbergayoung, looking22:20
ayoung  is the spec change22:20
stevemarbknudson, one day it'll empty, one day22:20
ayounggyee, morganfainberg start with that one22:20
stevemarayoung, ^ the repo that is22:20
morganfainbergayoung, give me a moment - i'm actually looking at the changes.22:20
stevemarmorganfainberg, since there are no owners here, this should go to the parking lot / backlog
morganfainbergstevemar, we need to find an owner and get it in this cycle22:21
morganfainbergstevemar, most of the work is doc work22:21
stevemarall of us then!22:21
morganfainbergstevemar, i'd actually be ok with that one being assigned to keystone-cores22:22
marekdayoung: so, once again: move _handle_scoped(), _handle_unscoped() to federation/core and make them classless. Use _handle_scoped() directly from auth/plugins/  to handle scoping federated token, and in the end keep as a base class for obtaining unscoped tokens (that may vary per protocol and/or plugin). also keep _handle_scoped_token() in mapped with some deprecation warning.22:22
marekdayoung: morganfainberg stevemar: makes sense?22:22
morganfainbergstevemar, there is some json-home work to be done.22:22
morganfainbergstevemar, so maaaaaybe we could bribe bknudson  to help us :)22:22
ayoungmarekd, keep them in the plugin, just make them helper functions22:22
ayoungand can import mapping.py22:23
morganfainbergmarekd, i'll need to go look at the review i'm between 2 reviews right now.22:23
ayoungif they really are helper code for the plugins,  leave them where we will need them22:23
marekdayoung: to be more specific - by calling helper function you mean def _helper_function() (starting with '_') ?22:23
ayoungmarekd, drop the _22:24
stevemarmorganfainberg, he's easy to bribe22:24
ayoungthey are meant to be used by plugins, but they are not private22:24
morganfainbergstevemar, hehe22:24
ayoungthey are helper functions, meant to be used by multiple plugins22:24
marekdayoung: ok22:24
ayoungjust don't have one plugin call functions on another plugin object22:25
ayoungthe plugin objects are meant to be adapters.  They should have very little logic embedded in them directly22:25
morganfainbergayoung, ++22:25 is likely going to be more used by other plugins than as a standalone plugin itself22:25
morganfainbergayoung, so.. unscoped is an explicit flag in this review it looks like, right?22:26
marekdayoung: ahh, you suggest moving those functions out of the class definition. Got it.22:26
ayoungmarekd, ++22:26
ayoungmorganfainberg, the question was always "how do we indicate that I want unscoped and always unscoped"22:27
ayoungmorganfainberg, Jilly Scarlilly is in NYC now, as I am sure you are aware22:27
openstackgerritMerged openstack/keystone-specs: Replace the concept of extensions in Keystone.
*** david-lyle has quit IRC22:28
morganfainbergayoung, yeah was supposed to grab drinks w/ Jill when i was out in NYC in december22:28
morganfainbergdidn't happen, scheduling conflict22:28
ayounggyee, one thing I realized.  The way I did it, it has to be "scope" : "unscoped"  then you can't also have "scope":"project"22:29
ayoungit makes it impossible to request an invalid combination22:29
*** topol has quit IRC22:29
*** sriram has quit IRC22:30
marekdayoung: i am gonna work on that tomorrow.22:30
marekdayoung: thanks for the consultation.22:30
ayoungmarekd, thanks.  And good work22:30
jamielennoxahh. the soothing sounds of the Keystone PTL overview in the background ...22:30
morganfainbergjamielennox, lol22:31
morganfainbergayoung, ok no score on the unscoped token, but comment. it looks reasonable22:31
jamielennoxayoung: you had a previous +2 on
jamielennoxcare to revisit?22:32
ayoungjamielennox, doing so22:32
bknudson ??22:32
ayoungGAh, diff against the version I +2ed asploded22:33
morganfainbergbknudson, +2 on the no-more-keystoneclient download, once verified feel free to +A if someone else doesn't get to it.22:33
bknudsonmorganfainberg: this is going to be great.22:34
morganfainbergbknudson, makes me happy to be done with that git-checkout stuff.22:34
gyeeayoung, that's good, one scope at a time22:34
ayoungjamielennox, +A22:35
morganfainbergstevemar, going to propose an update to the extensions spec to add a couple people to help drive it.22:36
morganfainbergstevemar, but otherwise very happy to see that merged.22:36
*** gordc has quit IRC22:36
stevemarmorganfainberg, figured ya would :)22:36
*** dims__ has quit IRC22:36
*** dims__ has joined #openstack-keystone22:37
*** nkinder has joined #openstack-keystone22:37
ayoungjamielennox, can you -1  with the comments you had regarding code duplication?22:37
* ayoung makes sure that is not a dupe22:38
marekdnonameentername: hi.22:39
nonameenternamemarekd: hello22:39
marekdnonameentername: i am reading your comments in
nonameenternamedid you have questions on my comments?22:40
marekdnonameentername: i was asking for an API spec, as I wanted to check how you want to pass the secrets/seeds for synchronizing client and Keystone.22:40
*** dims__ has quit IRC22:41
marekdnonameentername: just from the user perspective. my admin wants me to use MFA. I have my Google Authenticator installed and usually i need to enter some code generated by the server.22:42
marekdnonameentername: did you plan to add some APIs in Keystone for that?22:42
nonameenternameI haven't designed the admin API yet.  I was thinking that would be done during the implementation.22:43
marekdnonameentername: in fact it's not the admin api, as user would call it.22:43
marekdnonameentername: ok, as long as you have it somewhere in the back of your head it's good.22:43
*** avozza is now known as zz_avozza22:44
marekdnonameentername: maybe some extra sentence how this 'synchro' step looks would be useful.22:44
*** zz_avozza is now known as avozza22:44
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Update work items and assignees for no-more-extensions spec
morganfainbergstevemar, ^22:45
morganfainbergstevemar, that should be pretty straight forward.22:45
nonameenternameI think you could add it as an extension to the user as an additional attribute.  Then it would be available for create and update user22:45
morganfainbergstevemar and this work can all be done between k2 and k322:46
marekdnonameentername: not sure if we are on the same page.22:46
nonameenternamewhat are you talking about?22:46
bknudsonwell, keystoneclient is broken... not sure what it was.22:46
*** nellysmitt has joined #openstack-keystone22:47
bknudsonit's the auth_token tests so maybe it's time to just get rid of them?22:47
morganfainbergbknudson, in gate? or in general?22:47
bknudsonin gate22:47
morganfainbergbknudson, oh ugh22:47
morganfainbergbknudson, hm...22:47
marekdnonameentername: i am about to use MFA. I sit down, and need to configure my Google Authenticator to work with my Keystone. How do I do with your proposed solution?22:48
morganfainbergyou know.. if we move cms out of ksc we could remove the auth_token in ksc and make ksc import middleware22:48
nonameenternameoh ok, I see what you are asking22:48
morganfainbergand just use the new middleware (maybe session needs to move too)22:48
stevemarmorganfainberg, pfft, adding my name without consent!22:49
stevemarthat's grounds for -222:49
morganfainbergstevemar, haha22:49
nonameenternamekeystone api would only provide a mechanism to store the MFA seed.22:49
jamielennoxsession ideally would move, but client can't import middleware22:49
stevemarclear enough :)22:49
jamielennoxbknudson: haven't seen that before22:49
morganfainbergjamielennox, it could if session and cms and other common stuff moved out22:49
nonameenternamethe qr code could be generated by horizon22:49
bknudsonI'm wondering if someone has a tox venv where it still works?22:50
marekdnonameentername: it should be restful first.22:50
bknudsonI blew mine away22:50
morganfainbergjamielennox, what release did we do the split? J? or was it I?22:50
* morganfainberg is trying to figure out when-if-ever we can just rip out the old auth_token from ksc22:50
marekdnonameentername: that's why i asked for the api - to see if this would be covered or not.22:50
marekdnonameentername: my suggestion is to think about this workflow.22:51
jamielennoxmorganfainberg: it all blurs together22:51
*** nellysmitt has quit IRC22:51
nonameenternamemarekd: ok, what do the other Keystone devs think?  qr code is very specific to the implementation.  How would this be handled for other implementations?22:51
marekdnonameentername: new API call, where user asks for the seed22:52
marekdthe seed is a string, right?22:52
marekdnonameentername: so simply new API call.22:53
morganfainbergjamielennox, was juno22:53
morganfainbergjamielennox, nova icehouse still imports from ksc.22:53
jamielennoxmorganfainberg:  i just don't think we can ever remove functionality from the library22:53
jamielennoxwith new pip and the pep440 stuff we can probably start changing requirements to pin to major versions22:54
jamielennoxthen maybe we can do a v222:54
nonameenternamemarekd: do you think it would be sufficient to get and store MFA seed?22:55
*** stevemar has quit IRC22:55
morganfainbergjamielennox, i am thinking we should probably look at doing a v2 of ksc and just use that as the hard break for cleaning up all the cruft (not incompatible, but the deprecated but around for ancient versions of openstack) stuff22:55
morganfainbergjamielennox, as decided we wont do total breakage - that goes into SDK or whatever.22:56
jamielennoxwhat do you consider deprecated - i consider everything that doesn't use a session deprecated22:56
marekdnonameentername: store? I thought TOTP was generating it.22:56
nonameenternameyou specify what you want the seed to be.22:56
bknudsonkeystonemiddleware is broken in the same way22:57
jamielennoxbknudson: are you investigating? otherwise i will, as it was working for me yesterday22:57
*** avozza is now known as zz_avozza22:57
marekdnonameentername: a string value used once, when I 'connect' my GA with Keystone, so the TOTP codes are right and synchronized with Keystone side.22:57
bknudsonjamielennox: I'm going to look into it for a little while here.22:57
bknudsonI don't know how far I'll get.22:57
bknudsonat least I got the pip freeze from before and after in keystonemiddleware22:57
morganfainbergbknudson, ++22:58
bknudsonit's only oslo modules that are different22:58
morganfainbergi'm working out how we're going to handle it from a infra/project leadership perspective going forward.22:58
*** arif-ali has quit IRC22:58
morganfainbergbut we can't make that change immediately anyway so yeah fixing it is important22:59
morganfainberg(or dropping that test)22:59
nonameenternamemarekd: yes, you would provide a string 'seed' value for GA and Keystone.  For GA you would need to generate the qr code.23:00
nonameenternameimport qrcode; img = qrcode.make('otpauth://totp/keystone:username?secret=secret&issuer=keystone'); img.save("totp.png")23:01
bknudsonoslo.utils==1.1.0 worked and oslo.utils==1.2.1 fails23:01
bknudsonMaybe it's the rename of the package and the timeutils mock.23:01
marekdnonameentername: you means who?23:02
marekdnonameentername: a user?23:02
nonameenternamethe client setting up MFA23:03
nonameenternamethis could be a service, horizon or end user23:03
marekdok, my opinion is that we should not rely on QR codes only23:07
nonameenternameyeah, this will be outside of keystone23:07
morganfainbergmarekd, agreed. QR code suck.23:07
morganfainbergQR code should be *a* form not *the* form [if anything]23:08
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Switch from oslo.utils to oslo_utils
marekdmorganfainberg: suck or not, it's not RESTful and implies deps on horizon and so on.23:08
morganfainbergmarekd, ++23:08
morganfainbergmarekd, it's horizon's business to render a QR if that is the form they want23:08
morganfainbergnot keystone's23:08
nonameenternameok, I just checked GA and you can also enter secret without QR23:08
morganfainbergnonameentername, most you can23:09
marekdnonameentername: yes!23:09
marekdand i am asking how you want users to get this secret23:09
nonameenternameThere is a manual account entry23:09
marekdnonameentername: did you plan to add an extra API for that?23:09
* morganfainberg votes storing things in barbican.23:09
* morganfainberg votes not seeing things in keystone to hold more secrets.23:09
nonameenternameI think this should be provided by the user23:10
bknudsonbarbican needs to graduate23:10
nonameenternamesimilar to password23:10
morganfainbergbknudson, yes23:10
nonameenternameand you should not be able to retrieve it23:10
rm_workbknudson: hopefully soon... but I think it was decided we could use it even if it hasn't yet?23:10
morganfainbergbknudson, but that may be a non-issue post election23:10
marekdnonameentername: point 2c23:10
morganfainbergbknudson, if the bylaws change + big-tent stuff23:10
marekdin the link i had sent23:10
morganfainberggraduation becomes a non-issue23:10
marekdis 2c user or server generated?23:11
morganfainbergbknudson, jamielennox, re: ksc.middleware - going to be on the TC agenda for next week23:11
nonameenternamewhat is 2c?23:11
marekdnonameentername: label 2c23:11
marekdif you open desc for android23:11
morganfainbergwe will either announce the removal when icehouse is EOLd *or* will work to fix it in icehouse pre-eol and then remove it when EOL'd (second option is likely to be move to keystonemiddleware, but just so we can tell people "no really don't ever use this")23:11
marekdctrl+f for  'label 2c'23:12
morganfainbergs/announce when/announce that it will be removed when/23:12
nonameenternamemarekd: you would enter a secret you choose, and then make an api call to give the same secret to keystone23:12
jamielennoxmorganfainberg: i'm not sure about breaking interfaces in a library - but honestly i want something done and if the TC signs off so be it23:12
marekdnonameentername: aha.23:12
morganfainbergjamielennox, just chatted w/ jelblair and clarkb, will get the TC to agree so we can put this to bed somehow23:13
morganfainbergjamielennox, we can't maintain it forever23:13
morganfainbergjamielennox, and we wont break the library we're removing a long-dead section people shouldn't be using.23:13
jamielennoxmorganfainberg: same thing happens for client in general - at some point we're going to need to know how to deprecate things from a library23:13
morganfainbergjamielennox, SDK /snarkyresponse23:13
*** zz_avozza is now known as avozza23:13
morganfainbergjamielennox, i think major versions will be the answer23:13
morganfainbergget global reqs to cap at <current.999.99923:14
jamielennoxi want SDK sure, but there's a lot of stuff that happens in these libraries that isn't REST in these libraries23:14
jamielennoxmeh repeat23:14
marekdnonameentername: i just checked. my GA has two options: scan QR code and 'insert returned key' which to me means it's the server that generates the key.23:14
morganfainbergthen the flip from 1.xx.xx to 2.xx.xx is where things can break23:14
jamielennoxmorganfainberg: pep440 says ~=1.0 is >1.0 <223:14
morganfainbergjamielennox, same thing different phrasing23:15
marekdok, time to go to bed. good night.23:15
morganfainbergjamielennox, but i think that is the real answer23:15
morganfainberg~=1.0 and then break things in ~=2.x.x23:15
nonameenternamemarekd: Keystone could generate the value and then allow the user to retrieve it.  I prefer specifying it, since once created no one could access it.23:16
jamielennoxyep, i was going to say that in infra that we could have some projects on ~1.0 and some on ~2.0 however those two things can't be installed in parallel23:16
morganfainbergjamielennox, well we have a bit of time to work it out.23:16
morganfainbergi guess23:16
* morganfainberg shrugs23:16
morganfainbergjamielennox, come to the TC meeting next week if you can23:16
morganfainbergjamielennox, dunno if it's too crazy early/late for you23:17
jamielennoxi think it's really late23:17
bknudsonrm_work: we can use barbican but if it's not graduated we shouldn't require it.23:17
morganfainberg20:00 UTC23:17
bknudsonso it will be easier if it's graduated23:17
jamielennoxoh 6am isn't so bad23:17
jamielennoxoh - does that mean there was one a few hours ago?23:18
morganfainbergon tuesday23:18
morganfainbergand it was skipped this week23:18
bknudsonmorganfainberg: how much do we need to do for ksc.middleware? We could just remove the tests from ksc and let it live there23:18
morganfainbergbknudson, well, we need to make sure it doesn't break at least through icehouse23:19
morganfainbergbknudson, i'll know more once i talk w/ the TC next week23:19
jamielennoxmorganfainberg: oh, yea c&p-ed the time and google gave me a date23:19
bknudsonI'm not sure that we actually validate that.23:19
jamielennoxok so after the keystone meetings is good23:19
bknudsonas it is23:19
*** LinstatSDR has joined #openstack-keystone23:19
morganfainbergbknudson, well ... i'd say our unit tests should continue to function till we remove it23:19
morganfainbergbknudson, at the very least, most people wont be using crazy new keystone with icehouse and before23:20
morganfainbergbknudson, i'm hoping we can find a way to remove it from ksc prior to icehouse EOL.23:20
morganfainbergbknudson, and convince everyone to move over to keystonemiddleware23:20
*** mattfarina has quit IRC23:22
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from oslo.utils to oslo_utils
*** LinstatSDR has quit IRC23:33
*** avozza is now known as zz_avozza23:33
bknudson^ this one should get keystoneclient going again.23:33
morganfainbergbknudson, thanks!23:34
jamielennoxbknudson: what version of oslo.utils is required for that?23:34
bknudsonjamielennox: the one that was just released: 1.2.123:35
morganfainbergbknudson, i'll plan to do a minor release of ksc to incorporate that change once it passes. will be good to not have the namespaced packages required at all23:36
morganfainbergor another point release if needed.23:36
morganfainbergdepending on what's landed23:36
jamielennoxso we'll need to update the oslo.utils in requirements23:36
bknudsonmorganfainberg: I've got some other changes for oslo.config23:36
morganfainbergbknudson, ++ ok will wait for those23:36
jamielennoxwhich will fail unless we have this patch but it should happen before release23:36
jamielennoxbknudson: excellent - do you know what they broke in 1.2.1?23:37
bknudsonjamielennox: the parts were moved from oslo.utils to oslo_utils ... so the mock didn't work right anymore for some reason.23:38
bknudsonI'd have to think about it more to know what the problem is.23:38
dhellmannbknudson: the mock replaces the name in the old module location, which is then not called by the new code23:38
dhellmannmocking out those time functions has been the source of a lot of pain over the last year. I wonder if we could come up with some fixtures to replace the need to mock23:40
*** packet has quit IRC23:42
bknudsondhellmann: I hope you're not going to rename/move the library again.23:44
bknudsonrename it to stockholm23:45
*** lhcheng_ has joined #openstack-keystone23:47
*** lhcheng has quit IRC23:49
*** dgonzalez has quit IRC23:50
*** dgonzalez has joined #openstack-keystone23:50
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Update work items and assignees for no-more-extensions spec
morganfainberg^ fixed line length issues23:52
morganfainbergayoung, stevemar, ^23:52
*** arif-ali has joined #openstack-keystone23:53
*** dgonzalez has quit IRC23:55
jamielennoxbknudson: that oslo.utils patch, it seems to me the problem is that we are doing our own mock rather than using the set_override_time function that it provides23:57
jamielennoxshould we just do that as a patch first?23:57
bknudsonjamielennox: set_time_override23:58
bknudsonwe'd still want a fixture to unset it.23:58
jamielennoxi'm a little surprised oslo.utils doesn't provide one23:59
jamielennoxoslo.config and some others have started to provide fixtures with the library23:59
