Friday, 2015-01-09

00:00 <jamielennox> however we could just put a clear_time_override in the base teardown
00:00 <jamielennox> it won't cause any problems to call it unnecessarily
00:01 <bknudson> jamielennox: I don't think I could get that change done today. There were quite a few places where the change needs to be made.
00:02 <bknudson> and then it would probably be worth it to create the fixture or a decorator (can fixtures be used as decorators?
00:02 <jamielennox> bknudson: if you think it's worth it i'll do it
00:03 <bknudson> jamielennox: I think it's worth switching from the mock, but at the same time it seems like the time would be better spent creating a fixture.
00:04 <jamielennox> ok - i can whip that up
<openstackgerrit> Merged openstack/keystone: explicit namespace prefixes for SAML2 assertion
00:07 <bknudson> jamielennox: creating a fixture in oslo.utils?
00:08 <jamielennox> i'll put it in keystoneclient initially to pass the bug, then we can move it to oslo.utils
00:08 <bknudson> keystonemiddleware also needs it.
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Use a test fixutre for mocking time
00:32 <jamielennox> bknudson: ^
00:32 <bknudson> that was easy
00:34 <morganfainberg> jamielennox, fwiw, i thought the whole time_override thing was meant to be deprecated
00:35 <morganfainberg> jamielennox, in favor of using a direct mock.
00:35 <jamielennox> morganfainberg: it's not marked that way - and everyone that is doing the direct mock will get caught by this
00:35 <morganfainberg> jamielennox, i mean, the fixture could do the mock
00:35 <morganfainberg> but the time_override stuff i was told not to use ages ago
00:36 <jamielennox> morganfainberg: right - but the point is the path has changed so if you're doing a mock on the function it will fail
00:36 <morganfainberg> because it is further reaching than changing the call
00:36 * morganfainberg shrugs
00:36 <jamielennox> it would work if the fixture was in oslo.utils
00:36 <morganfainberg> which would be what i'd advocate
00:36 <jamielennox> but the last thing i submitted to oslo.utils has been unreviewed since....
00:37 <morganfainberg> vs. using time override
00:37 <morganfainberg> dhellmann, ^^ ;)
00:37 <jamielennox> oh no, only the start of dec
00:37 <morganfainberg> jamielennox, and that's fair, just time_override is icky-ish.
00:37 <morganfainberg> eh, i can't fault people for early dec -> now limited review time
00:37 <morganfainberg> due to holidays
00:38 <morganfainberg> if it was say mid november i'd be more worried
00:38 <jamielennox> right - i've got a few of those old ones, thought it was going to be more dramatic :)
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Use a test fixture for mocking time
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Use a test fixture for mocking time
01:09 <jamielennox> bknudson: both updated ^
<ayoung> dstanek, what is this code testing for, and do we need it?
01:54 <ayoung> Mock Time, Mock!  1 2 3 4....
02:08 <jamielennox> ayoung, morganfainberg: anyone here?
02:08 <morganfainberg> jamielennox, maybe :P
<jamielennox> can we approve and
02:09 <morganfainberg> no >.>
02:09 <jamielennox> unblocks client and middleware oslo.utils problem
02:09 <morganfainberg> but i dunt wanna /s
02:11 <jamielennox> morganfainberg: lol - thanks
<openstackgerrit> ayoung proposed openstack/keystone: common cloud policy logic
02:18 <ayoung> jamielennox, I'm 'ere
02:18 <jamielennox> ayoung: morgan beat you to it
02:18 <ayoung> jamielennox, good.  I shouldn't be the one +Aing everything
<openstackgerrit> ayoung proposed openstack/keystone: common cloud policy logic
02:26 <ayoung> if that commit comment gets any longer, people are going to think John Dennis wrote it.
<openstackgerrit> ayoung proposed openstack/keystone: common cloud policy logic
<openstackgerrit> Merged openstack/keystonemiddleware: Use a test fixture for mocking time
<openstackgerrit> Merged openstack/python-keystoneclient: Use a test fixture for mocking time
<openstackgerrit> wanghong proposed openstack/keystone: clean up type filter definition of policy list
<openstackgerrit> wanghong proposed openstack/keystone-specs: fix the doc of policy list API
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
<openstackgerrit> wanghong proposed openstack/keystone: do parameter check before updating endpoint_group
<openstackgerrit> Marek Denis proposed openstack/keystone: Scope federated token with 'token' identity method
<openstackgerrit> Marek Denis proposed openstack/keystone: Scope federated token with 'token' identity method
13:32 <marekd> morganfainberg: ayoung any links with revocation events patches to be reviewed?
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
15:02 <jaosorior> Is there a reason why the 'auth_version' in the auth_token in keystonemiddleware is
15:02 <jaosorior> coded to use 'v3.0' instead of 'v3'?
15:02 <jaosorior> That's pretty confusing, as 'v3' is used all around the documentation, not 'v3.0'
15:03 <jaosorior> And I was thinking of adding the usage of 'v3' as an option
<bknudson> jaosorior: that change is already proposed:
15:05 <jaosorior> bknudson: Thanks
15:24 <marekd> ayoung: thanks.
15:29 <ayoung> marekd, looking
15:32 <marekd> ayoung: thanks for the review.
<openstackgerrit> ChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor
15:48 <marekd> ayoung: regarding this: . The goal is to move keystoneclient/contrib/auth/v3/{saml2, federation}.py and keystoneclient/v3/contrib/federation to that repo?
15:48 <ayoung> marekd, that is my understanding, yes
15:49 <ayoung> marekd, I wasn't really driving it, but it's what we had to do for Kerberos
15:49 <ayoung> makes sense from a dependency standpoint
15:49 * ayoung grumbles about setuptools and multiple repos again
15:49 <marekd> and ksc would simply import module like: from keystoneclient_federation import auth.saml2
15:49 <ayoung> marekd, use stevedore to get the auth plugins
15:50 <marekd> ok, and CRUD operations, for like IDPs ?
15:50 <ayoung> marekd, see,cm  for the general approach
15:51 <ayoung> although that needs to be rebased....jamie posted an update of the previous patch
<openstackgerrit> Merged openstack/python-keystoneclient: Updated from global requirements
16:21 <ayoung> bknudson, lbragstad dolphm could I get this one through?  There is a chain of work based on the "explicit unscoped" and this is a fairly simple step
<openstackgerrit> ayoung proposed openstack/keystone: default policy
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
<openstackgerrit> Merged openstack/keystone: Fix tests using extension drivers
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
<openstackgerrit> Merged openstack/keystone: Cleanup test-requirements for keystoneclient
18:58 -openstackstatus- NOTICE: is going offline for a database migration (duration: ~2 minutes)
19:05 <ayoung> bknudson, in keystoneclient/fixtures/v3  the sample data does not have 'id'  fields nor necessarily names in them.  This is not what the spec shows;  those fields are required.  Adding them is the right thing to do, right?  Otherwise, my AccessInfo objects are blowing up with invalid data.
19:05 <bknudson> ayoung:  yes, we want the fixtures to be whatever keystone would generate.
19:07 <ayoung> bknudson, thanks, just checking
19:08 <bknudson> if the fixtures are wrong then there's danger that the tests aren't validating what we want them to.
19:44 <ayoung> bknudson, stevemar  "# NOTE(stevemar): Federated tokens do not have a domain for the user"  why not?
19:45 <bknudson> ayoung: the user doesn't exist in keystone, only the idp
19:46 <ayoung> bknudson, we don't even put them in a federated domain?  Seems wrong.
19:46 <ayoung> Like, broken abstraction levels of wrong
19:47 <stevemar> all they really care about is the role, the user can have a role on any domain or assignment, so the user doesn't have to live in a domain
19:48 <stevemar> we already hashed this out before? i think we didn't want yet another dummy domain
<openstackgerrit> Brant Knudson proposed openstack/keystone: Refactor keystone-all and http/keystone
<openstackgerrit> Brant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware
19:57 <ayoung> stevemar,  yeah, yeah.  It is still a mistake.  We took away the only way we had to distinguish the grouping of users.  Since Federated users don't have domains, none of the code can assume that the Domain is there on users, and the abstraction goes from asset to liability
19:57 <samueldmq> henrynash, ping - need to talk about the current representation of OS-INHERIT in role assignments
19:57 <ayoung> and regular users don't have an IdP
19:58 <ayoung> we basically split the user set
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Switch from oslo.utils to oslo_utils
<openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Switch from oslo.utils to oslo_utils
20:03 <samueldmq> bknudson, still working on the chain that starts at ?
20:03 <ayoung> We need to stop doing this to people.  When we mess with the basic language of the abstractions, it gets really confusing.  We can't even answer the question "does a user have a domain" with a simple yes/no.
20:03 <samueldmq> bknudson, just got confused because they're on stable/juno instead of on master
20:03 <ayoung> I blame gyee
20:04 <ayoung> he's the one that railroaded through domains years ago
20:04 <bknudson> samueldmq: these are backports from master.
20:04 * ayoung ready to go all second system syndrome on Keystone
20:05 <samueldmq> bknudson, ok
20:06 <samueldmq> bknudson, what happens to the juno vX when we backport some changes ?
20:06 <samueldmq> bknudson, we then release juno vX.1 ?
20:06 <samueldmq> bknudson, dumb question; but I don't know how this workflow is
20:07 <bknudson> samueldmq: yes, we get a new release of juno every once in a while, 2014.2.2 or whatever.
20:07 <samueldmq> bknudson, ok thanks.. will review that chain
20:08 <bknudson> samueldmq: for the backports, just a) make sure it's acceptable to backport, and b) make sure the change in stable/juno is the same as the change in master.
20:08 <bknudson> if there are any problems in the code, the fixes need to be made to master and then backported.
20:09 <samueldmq> bknudson, hmm .. I thought we needed to merge the changes in the older version and then rebase master
20:09 <samueldmq> bknudson, but in fact we apply changes in both ..
20:09 <bknudson> samueldmq: changes go in master first and then are backported.
20:09 <samueldmq> bknudson, nice
20:09 <samueldmq> bknudson, so that chain is already merged in master?
20:09 <bknudson> otherwise you might have a fix in juno that's not in kilo.
20:10 <morganfainberg> bknudson: ++
20:10 <bknudson> samueldmq: all those changes are already merged in master... it wasn't a chain in master.
20:11 <morganfainberg> ayoung: bknudson I thought we pushed for federated users / IdPs to be tied to a domain but there was dissent that it was even needed.
20:11 <samueldmq> bknudson, so no need to review them since they're already merged in master ?
20:12 <bknudson> samueldmq: the reviews in the stable branches are to make sure it's an ok change to go in stable and also to make sure the backport was done correctly... so they still need to be reviewed, it's just a different kind of review.
20:13 <bknudson> samueldmq: if somebody's already reviewed it for those things then your time is probably better spent reviewing something else.
20:14 <bknudson> samueldmq: and if you do review it for those 2 things then make sure you mention that in your review comments.
20:15 <samueldmq> bknudson, ack
<openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: Switch from oslo.utils to oslo_utils
20:23 <stevemar> hey bknudson what was the reason for oslo to drop namespace packages?
20:24 <bknudson> stevemar: I guess it caused too many problems with installing packages?
20:24 * stevemar shrugs, i was just curious
20:29 <morganfainberg> bknudson, it's an issue with develop mode installs
20:29 <morganfainberg> stevemar, ^
20:30 <morganfainberg> if you install a non-develop mode and then a develop mode (or vice versa) the packages end up all sorts of broken.
20:30 <morganfainberg> you end up missing like oslo.db but oslo.config is installed
20:31 <morganfainberg> it gets even wonkier in other cases. but that was the really big issue - made devstack and other development much harder - it also makes packaging weird because you need a stub package to own "oslo" then packages for .db and .config etc
20:31 <morganfainberg> python packaging is lacking in a number of ways
20:32 <bknudson> <insert system here> packaging is lacking in a number of ways
20:37 <stevemar> i never realized how much trouble packaging was :(
20:38 <stevemar> is the oslo team going to move all oslo.* libraries to oslo_*
20:39 <bknudson> stevemar: that's my understanding.
20:46 <ayoung> GAH!  Roles are by name (only) in the use section, and by ID  (only) in the metadata.  What the actual?  V2 tokens must die!
20:49 <ayoung> morganfainberg, So in parsing a V2 token, I can get the name.  I can get the id.  I have no correlation between these two pieces of data.  I have two choices:  make ID optional, or fake it out using the name.
20:50 <ayoung> I think I am just going to fake it.  Why do roles even have IDs anyway?  We never use them
20:52 <samueldmq> ayoung, why do users have IDs anyway, since (name, domain) could be used as pk? :p
20:52 <ayoung> samueldmq, cuz someone wanted to be able to anonymize them?
20:52 <samueldmq> ayoung, couldn't it be the same case as roles?
20:52 <ayoung> because there is no good way to split the user/domain if it is in a single string
20:53 <ayoung> samueldmq, nope.  Roles are purely internal.  We never use the role Ids
20:53 <ayoung> and the role definitions have to be public.
20:53 <ayoung> No info hiding possible
20:53 <ayoung> besides, we only define 3 or so roles by default
20:53 <ayoung> the ID part of roles is only there for hobgoblin purposes
20:54 <samueldmq> or to be in accordance with *all* the other entities on OS
20:55 <samueldmq> ayoung, well, what's the problem you're facing? would be glad to help if I can
20:55 <ayoung> samueldmq, I'm trying to do the AccessInfo thing.
20:56 <ayoung> and I need to parse v2 tokens
20:56 <ayoung> I want the "role" object to be a valid object, and that means it has id and name, IAW the spec
20:56 <samueldmq> ayoung, what does a v2 token look like? any link?
20:56 <ayoung> Roles are by name (only) in the use section, and by ID  (only) in the metadata.
20:56 <ayoung> samueldmq, yeah, 1 sec
20:58 <samueldmq> ayoung, so roles_links contains ids?
20:58 <ayoung> samueldmq, actually, that one has no metadata....
20:58 <ayoung> let me see if I can find another
20:58 <samueldmq> ayoung, and roles: [] just the entities with names ?
20:58 <samueldmq> ayoung, k
21:01 <ayoung> samueldmq, so, that one has no metadata either
21:01 <ayoung> I know that they are there in actual tokens.
21:01 <ayoung> But...if we can't count on it, we have no role id to get anyway
21:01 <ayoung> samueldmq, in V3 we have:
21:02 <ayoung> both id and is just for V2 that it is an issue.
21:02 <ayoung> So maybe I just drop the id when parsing a V2 token?  Yuck
21:02 <samueldmq> token validation is at service side, right?
21:03 <samueldmq> and they need to ensure that's a valid role ? (if so, they need to query keystone, right)?
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Check consumer and project id before creating request token
21:10 <morganfainberg> ayoung, ooh i need to send out the LDAP identity survey.
21:11 <ayoung> morganfainberg, who created the oslo-policy repo?
21:12 <morganfainberg> ayoung, hm. uh rodrigods ?
21:12 <morganfainberg> ayoung, i think?
21:12 <morganfainberg> the one in github right?
21:12 <rodrigods> morganfainberg, ayoung, yes... me
21:12 <morganfainberg> or has it been merged to git.openstack.
21:12 <rodrigods> not yet
<samueldmq> morganfainberg, ayoung
21:13 <rodrigods> ayoung, that's right
21:13 <samueldmq> ayoung, yep that one
21:15 <morganfainberg> wow... #googlefail
21:15 <morganfainberg> they broke the google drive ui
21:15 <samueldmq> checking in 3, 2 ,1 ..
21:15 <morganfainberg> now it only tells me "you can upload things" on the main page.
21:15 <morganfainberg> nothing loads but that. greaaaaat
21:16 <morganfainberg> or some new ui i can't go back to classic
21:17 <samueldmq> morganfainberg, you can go back :p
21:17 <samueldmq> morganfainberg, go in settings -> Leave the new Drive
21:17 <morganfainberg> samueldmq, hm.
21:18 <morganfainberg> samueldmq, nope option isn't there for me.
21:18 <samueldmq> morganfainberg, well I just did it
21:18 <morganfainberg> samueldmq, more and more i want to stop using all google products except search - it's about the only thing they seem to do right.
21:18 <samueldmq> morganfainberg, they chose you to test the new ui
21:18 <samueldmq> morganfainberg, that's why you can't leave
21:19 <morganfainberg> i can't leave because too many people use their products - it's currently easier to stay with them (but not by much).
21:19 <morganfainberg> dropbox is looking better and better for ~90% of what i use google (non-email, non-search) for
21:20 * samueldmq needs to try more dropbox
21:23 <gyee> ayoung, multi-tenancy is about resource isolation
21:23 <ayoung> gyee, I still blame you
21:23 <gyee> right now, with the way federation is implemented, we can't isolate an IdP with a project or domain
21:23 <gyee> IdP is global
21:24 <gyee> for a private cloud this may be fine
21:24 <gyee> for a co-tenant model, it may not be
21:25 <gyee> multi-tenancy is really about resource isolation
21:26 <nkinder> gyee: you sort of can associate an IdP with a domain/project through the group mapping
21:27 <nkinder> gyee: users from an IdP can only map to the groups that you put in the mapping, and projects are controlled by role assignment at the group level
21:28 <gyee> nkinder, sure, but you still expose IdP globally
21:30 <nkinder> gyee: you mean the IdP specific URIs being accessible by anyone?
21:32 <nkinder> gyee: I wonder if you could just lock it down in the httpd config
21:32 <gyee> with virtualhost, yeah maybe
21:33 <nkinder> gyee: well, each IdP could be specified as a <Location> (that's how I've set it up)
nkindergyee: so you could just do "Deny from all", then allow access to it from whatever network(s)/ip(s)/host(s) you want21:34
gyeenkinder, yeah, I am heading down that path :)21:34
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller
nkindergyee: seems like the best way to go21:35
ayoungsamueldmq, rodrigods morganfainberg
ayoungshould I create a new group for it?21:35
gyeenkinder, for now yes, ideally if we can do this dynamically that would be awesome21:35
rodrigodsayoung, ++ nice21:35
gyeenkinder, like the way we do domain-specific backends21:36
gyeedynamically configure IdPs, without having to touch config files and restart services21:36
ayounggyee, why would we not say that each IdP is-a domain?21:36
nkindergyee: you can't do that though (dynamically configure IdPs)21:37
gyeeayoung, ideally we should21:37
gyeenkinder, that's why I said ideally21:37
samueldmqraildo, thanks for addressing my comments on reseller spec21:37
ayounggyee, so does anyone actually disagree with that, then?21:37
nkindergyee: how would you set up the apache module, generate SP metadata (for SAML), and tell the IdP about your SP?21:37
samueldmqraildo, I will re-review it soon :)21:37
raildosamueldmq, :) thanks21:37
ayoungcan we make that a reality?  create IdP creates a new domain entry?21:37
gyeenkinder, for k2k, we sign the saml2 assertion with xmlsec121:38
gyeewe should be able to do the same with it, bypass shibd21:38
gyeelike xmlsec1 --verify21:39
nkinderI really think this logic should all stay outside of keystone as much as possible (k2k is a bit of an exception since we're acting as an IdP)21:39
gyeenkinder, for us, having to do a deployment to add IdP is a PITA21:39
gyeewe have to touch so many things, chef, QA, etc21:40
nkinderAn external IdP needs to trust our SP metadata.  Keystone can't do anything there.21:40
ayoungrodrigods, would you like to take care of the PyPi side of things?21:40
nkinderSo you want to duplicate what mod_shib or mod_auth_mellon does in keystone itself?21:40
morganfainbergcouldn't we just tie the IDP to a domain?21:40
gyeeI would like to avoid write new chef recipe for a new IdP21:40
nkinderand not rely on httpd for that?21:40
morganfainbergi mean doesn't that solve *all* the issues with users being dumped in?21:40
rodrigodsayoung, yeah, I can do that21:41
gyeenkinder, for us, new IdP means new deployment21:41
nkinderdefine "new IdP"...21:41
gyeewe have to bake the IdP meta xml file into chef recipe21:41
nkinderdo you mean you are setting up a new SAML IdP, or configuring keystone as an SP for an existing IdP?21:41
ayoungrodrigods, keep track of the state on
morganfainbergnkinder, i think it affects both21:42
rodrigodsayoung, ok21:42
gyeenkinder, configure shibd to trust a new signer21:42
morganfainbergnkinder, k2k *and* strict shibd configuration fo any provider21:42
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Fixes 'OS-INHERIT:inherited_to' info in tests
nkinderwell, the IdP also needs to trust your SP metadata21:43
gyeeright, they'll have to do the same21:43
gyeeis the CI/CD part that is PITA21:43
morganfainbergfrom a strict deployment standpoint - it would be nice to not need massive redeployment to get a new federated identity source (either k2k or ADFS [for example]) to a keystone21:43
gyeemorganfainberg, ++21:44
morganfainbergi'm not sure if that is logistically possible.21:44
nkinderI don't get why it's a massive redeployment though21:44
morganfainbergsince we're relying on something outside of keystone21:44
morganfainbergnkinder, most stuff in keystone [some limited config values] are APIs we can make these changes via21:44
morganfainbergnkinder, this is a case where we don't have a nice API to work with - it requires CMS changes to get a new idp trusted21:45
nkinderit's updating apache config and triggering it to reload its config.  I would expect this to be in the realm of puppet, etc.21:45
morganfainbergnkinder, exactly - CMS vs REST API in keystone - i don't think we can solve this in keystone21:45
gyeeright puppet or chef21:45
morganfainbergthis is likely going to always be a CMS thing21:45
nkinderyeah, understood.  I'm thinking that we'll want puppet-keystone support for federation (and for whatever else people are using)21:45
morganfainbergunless keystone gets way smarter21:45
nkinderway smarter == way more complex21:46
morganfainbergand we chose to use mod_shib and not make keystone smarter for a reason21:46
nkinderthe CMS problem can be solved21:46
morganfainbergin a public cloud - CMS problems are big problems, in smaller private deployments they are still a problem, but not as massive21:46
morganfainbergsince we want federated identity for all scales of deployment - this is something we need to look at closely and make the best recommendations we can21:47
*** zz_avozza is now known as avozza21:47
morganfainbergi don't have a good answer for this, but just summing up the issues gyee was pointing out21:47
openstackgerritBrant Knudson proposed openstack/keystone: Remove unused fields in base TestCase
morganfainbergthis comes back to making our deployer experience as good as possible.21:48
*** sriram has quit IRC21:48
gyeemorganfainberg, I think this will be an interesting argument for awhile, keystone versus apache21:49
nkindergyee, morganfainberg: yeah.  I think the benefits outweigh the costs to be honest21:51
nkinderotherwise keystone needs to reimplement the world for things like x509 client auth, kerberos, openid, saml, etc.21:51
gyeenkinder, I think it's case by case21:51
nkinderSo making httpd as easy on deployers as possible is something we need to think about21:52
gyeeand deployment model21:52
morganfainbergnkinder, definitely not arguing to move the logic to keystone, but making a smart recommendation on how to handle deployment and updates as painless as possible is important21:52
gyeenot disagreeing either21:52
nkindermorganfainberg: +1, understood.  I'm not disagreeing either. :)21:53
morganfainbergnow if shib could source its information from somewhere other than an xml file this would be easier21:54
gyeenkinder, by CMS, you mean PKI/Z tokens right?21:54
nkinderCMS = config management21:54
gyeeoh :)21:54
morganfainbergcms = configu.. yeagh21:55
gyeedamn acronyms21:55
nkindersorry, acronyms are overloaded.  I blame morganfainberg for using it first :P21:55
*** samueldmq has quit IRC21:55
openstackgerritMerged openstack/keystone: Keystoneclient tests from venv-installed client
morganfainbergopenssl should have stuck with ASN121:55
morganfainbergnot calling it cms :P21:55
morganfainbergi blame them21:55
nkinderI'm also without one typing finger due to an injury, so +1 for acronyms :)21:55
morganfainberggyee, what version of shib are we using?21:59
morganfainbergbecause this looks to be in line with what we're looking at for *more* friendly setup:
morganfainbergstill needs a reload it looks like to pickup new files22:01
* morganfainberg grumbles.22:01
gyeemorganfainberg, libapache2-mod-shib2 2.5.2+dfsg-222:03
morganfainbergit *might* help22:03
bknudsonlooks like gyee doesn't want to have control over his environment22:03
morganfainbergat the very least each metadata could be isolated to a file.22:03
gyeebknudson, I love writing chef recipes22:04
morganfainberggyee, i don't think there is a good way around needing chef/puppet for this22:05
nkindermorganfainberg: looking at mod_auth_mellon, it has a MellonIdPMetadataGlob directive22:05
nkinderso you can glob the metadata files in httpd config22:05
morganfainbergmaybe mod_mellon is better at it?22:05
bknudsonwe should use chef/puppet to distribute the signing PKI certs.22:05
morganfainbergbknudson, likely you should.22:05
nkinderso you still need to get the XML onto the system, but httpd config may not need changes22:05
*** jamielennox|away has quit IRC22:05
morganfainbergnkinder, sure.22:05
morganfainbergnkinder, and probably need a graceful reload of apache22:05
morganfainbergnkinder, at the very least22:06
nkindermaybe, maybe not...22:06
morganfainbergnkinder, with shib you do. wonder if mellon is better22:06
nkinderwould need to test22:06
gyeeI have to restart shibd every time I make a change22:06
morganfainberggyee, well with that metadata directive you can at least look for changes to current files22:07
openstackgerritBrant Knudson proposed openstack/keystone: Remove unused fields in base TestCase
nkindermellon doesn't have a daemon22:07
gyeebknudson, yes, we have a databag for SSL certs as well22:07
morganfainberggyee, additions/removals would require shibd restarts22:07
nkinderso it's different from shib in that way22:07
morganfainbergnkinder, still likely requires graceful.22:07
morganfainbergnkinder, but graceful is less impactful22:07
gyeenkinder, interesting, I haven't tried mellon yet22:07
gyeemaybe I'll give it a shot22:08
nkinderSo I could see having a keystone API that allows metadata to be uploaded, and a config directive can identify where to dump them22:08
bknudsonmore code removal: -- getting closer to k0 (0 lines of code in keystone)22:08
morganfainbergnkinder, yeah.22:08
morganfainbergbknudson, lol22:08
gyeeha nice22:08
nkinderthen some sort of graceful reload could be figured out (cron, a smarter trigger, etc.)22:08
*** jamielennox|away has joined #openstack-keystone22:09
morganfainbergnkinder, wonder what happens when apache cycles the children.. maybe it does something cool there and reloads.22:09
*** jamielennox|away is now known as jamielennox22:09
morganfainbergnkinder, even w/o the graceful22:09
*** ChanServ sets mode: +v jamielennox22:09
*** joesavak has quit IRC22:09
morganfainberggyee, if mellon makes this better we should get setup w/ mellon documented22:10
gyeemorganfainberg, sure22:10
nkindermorganfainberg: I have mellon config for keystone on my github22:10
morganfainberggyee, i can see both shib and mellon being good options for setup - let the deployer choose the right option, especially if they are roughly equivalent22:10
morganfainbergnkinder, cool22:10
nkindermorganfainberg, gyee:
nkinderthe lines up above it show how to generate SP metadata too22:11
nkinderI'm not using the glob setting I mentioned though22:11
nkinderSo use MellonIdPMetadataGlob instead of MellonIdPMetadataFile22:12
morganfainbergnkinder, i wouldn't put an API into keystone to dump XML on disk for apache tbh. but it opens doors to being more interesting / better if we can isolate metadata info to a file-per-idp22:12
*** gordc has quit IRC22:12
gyeemorganfainberg, the Keystone IdP meta xml file is generated with keystone-manage CLI right now22:14
gyeeso we're good22:14
morganfainberggyee, right.22:14
morganfainberggyee, ok22:14
gyeenkinder, why do we need this? MellonSPPrivateKeyFile22:15
nkinderthe SP (keystone) needs to be able to sign things it sends to the IdP22:15
stevemarah bknudson ever aiming for the empty repo22:15
gyeefor K2K it's a one-way thing I think22:16
gyeeI don't see anything sent from SP Keystone22:16
morganfainbergin most cases of federation, it is SP-initiated22:16
morganfainberguser -> SP -> redirect -> IDP -> SP22:17
morganfainbergk2k is idp initiated22:17
morganfainbergso user -> idp -> user -> sp22:17
nkinderit's using ECP22:17
morganfainbergsimplified for text but change that to ECP22:17
morganfainbergso in some cases SP [keystone] does need to sign things to the IDP22:18
*** dimsum__ has quit IRC22:19
nkindergyee: more details on mellon config are in comments here -
*** dimsum__ has joined #openstack-keystone22:20
gyeenkinder, thanks!22:21
* gyee GTFBTW now22:21
nkindergyee: sure.  If you have questions on it later, let me know.22:22
*** dimsum__ has quit IRC22:24
*** mattfarina has quit IRC22:29
*** packet has quit IRC22:35
*** pack3t is now known as packet22:35
*** nellysmitt has joined #openstack-keystone22:37
*** packet has quit IRC22:37
*** raildo has quit IRC22:40
*** nellysmitt has quit IRC22:42
*** lhcheng_ has joined #openstack-keystone22:48
*** lhcheng has quit IRC22:48
*** andreaf has quit IRC22:52
*** EmilienM is now known as EmilienM|afk23:01
*** lhcheng has joined #openstack-keystone23:04
*** topol has quit IRC23:07
*** lhcheng_ has quit IRC23:08
*** _cjones_ has quit IRC23:09
*** _cjones_ has joined #openstack-keystone23:09
openstackgerritSteve Martinelli proposed openstack/keystone: Check consumer and project id before creating request token
*** atiwari has joined #openstack-keystone23:19
*** dgonzalez has joined #openstack-keystone23:19
atiwariall, I am trying to setup dev env on mac and getting "Symbol not found: _BIO_new_CMS" while running tox.23:20
atiwariany idea23:20
atiwarilook at for details23:22
*** bdossant has joined #openstack-keystone23:30
*** atiwari has quit IRC23:34
*** bdossant has quit IRC23:34
morganfainbergah missed atiwari23:38
morganfainbergwas going to say that keystone / keystone testing is no longer supported on os x23:38
*** atiwari has joined #openstack-keystone23:39
*** dimsum__ has joined #openstack-keystone23:40
*** dimsum__ has quit IRC23:41
*** dimsum__ has joined #openstack-keystone23:42
*** chrisshattuck has quit IRC23:43
openstackgerritSean Dague proposed openstack/python-keystoneclient: don't log service catalog in every token response
*** pcaruana|afk| has quit IRC23:46
*** chrisshattuck has joined #openstack-keystone23:50
*** chrisshattuck has quit IRC23:51
openstackgerritMerged openstack/keystone: Remove unused fields in base TestCase
*** _cjones_ has quit IRC23:57
*** dimsum__ has quit IRC23:58
*** dimsum__ has joined #openstack-keystone23:58
*** LinstatSDR has joined #openstack-keystone23:59