Tuesday, 2015-01-27

« Monday, 2015-01-26 Index Wednesday, 2015-01-28 »
*** chrisshattuck has quit IRC00:00
*** markvoelker has joined #openstack-keystone00:05
*** david_hu__ has quit IRC00:06
*** kfox1111 has quit IRC00:09
*** zzzeek has quit IRC00:11
*** zzzeek has joined #openstack-keystone00:14
gyeemorganfainberg, should I backport this one to juno? https://review.openstack.org/#/c/145159/00:16
morganfainberggyee yes please00:16
gyeesince I am in the backporting/cherrypicking mode today :)00:16
*** hichtakk has quit IRC00:19
*** hichtakk has joined #openstack-keystone00:20
*** hichtakk has quit IRC00:20
*** hichtakk has joined #openstack-keystone00:21
*** hichtakk has quit IRC00:21
*** hichtakk has joined #openstack-keystone00:22
*** zzzeek has quit IRC00:22
*** zzzeek has joined #openstack-keystone00:23
gyeemorganfainberg, for generic mapping enhancement, I presume backward compatibility is non-negotiable?00:32
morganfainbergyeah00:32
morganfainbergwe can't break backwards compat00:32
gyeeyeah, those {1} are making me headache right now00:32
*** gokrokve has quit IRC00:32
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add name parameter to NoMatchingPlugin exception  https://review.openstack.org/13989800:35
*** dims has quit IRC00:38
*** dims has joined #openstack-keystone00:39
*** fifieldt has joined #openstack-keystone00:39
*** dims has quit IRC00:39
*** gabriel-bezerra has quit IRC00:41
*** tellesnobrega has quit IRC00:41
*** htruta has quit IRC00:41
*** thedodd has joined #openstack-keystone00:42
*** gabriel-bezerra has joined #openstack-keystone00:42
*** tellesnobrega has joined #openstack-keystone00:43
*** htruta has joined #openstack-keystone00:43
*** atiwari has quit IRC00:44
*** atiwari has joined #openstack-keystone00:44
*** atiwari has quit IRC00:44
*** r-daneel has quit IRC00:44
*** dims has joined #openstack-keystone00:45
*** dims has quit IRC00:50
*** harlowja has quit IRC00:54
*** stevemar has joined #openstack-keystone00:54
*** ChanServ sets mode: +v stevemar00:54
*** gokrokve has joined #openstack-keystone00:56
*** topol has joined #openstack-keystone00:57
*** ChanServ sets mode: +v topol00:57
*** gokrokve has quit IRC01:01
*** mriedem has left #openstack-keystone01:05
*** markvoelker has quit IRC01:05
*** markvoelker has joined #openstack-keystone01:06
*** oomichi has joined #openstack-keystone01:08
*** markvoelker has quit IRC01:10
*** zzzeek has quit IRC01:13
*** gabriel-bezerra has quit IRC01:13
*** gabriel-bezerra has joined #openstack-keystone01:13
*** gyee has quit IRC01:15
*** gokrokve has joined #openstack-keystone01:16
*** kfox1111 has joined #openstack-keystone01:30
openstackgerritDave Chen proposed openstack/keystone: Remove duplicated check  https://review.openstack.org/15002201:32
*** htruta has quit IRC01:33
*** tellesnobrega has quit IRC01:33
*** gabriel-bezerra has quit IRC01:33
*** harlowja has joined #openstack-keystone01:35
*** tellesnobrega has joined #openstack-keystone01:35
*** htruta has joined #openstack-keystone01:39
*** hichtakk has quit IRC01:41
*** gabriel-bezerra has joined #openstack-keystone01:42
*** kfox1111 has quit IRC01:47
*** gokrokve has quit IRC01:51
*** thedodd has quit IRC01:51
*** dims has joined #openstack-keystone01:59
*** rwsu is now known as rwsu-afk02:05
*** avozza is now known as zz_avozza02:08
*** tqtran has quit IRC02:11
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/15020802:17
*** erkules_ has joined #openstack-keystone02:23
jamielennoxayoung: googling around after problems setting up packstack and found the keystone channel log with you and I talking02:24
jamielennoxayoung: do you remember how you got past 'Invalid command 'NSSPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration'02:24
*** dims has quit IRC02:24
*** erkules has quit IRC02:26
jamielennoxpackstack is stupidly broken02:26
openstackgerritOpenStack Proposal Bot proposed openstack/identity-api: Updated from global requirements  https://review.openstack.org/15022102:27
ayoungjamielennox, what stage gives you that problem?02:27
jamielennoxi'm trying to setup kerberized keystone02:28
jamielennoxthought i'd go via packstack as nkinder has those scripts02:28
jamielennoxset packstack to use httpd for deployment, install mod_nss02:29
ayoungi RAN pACKSTACK AGAINST AN f21 vm LAST fRIDAY AND IT ERRORED OUT and I just realized I had caps lock on but am to lazy toretype02:29
ayoungjamielennox, so is that in the HTTPD setup?02:30
jamielennoxipa on f21 failed02:31
jamielennoxcentos vm on cloud didn't work02:31
jamielennoxi've currently got an f20 ipa02:31
jamielennoxand an f21 packstack02:31
jamielennoxi've already had to fix just some stupid problems with how it installs keystone02:31
ayoungits tought to get motivated to tilt at the particular windmill again.  Pretty sure it is not a giant now.02:31
jamielennoxi wanted a real life test of that horizon kerberos patch02:32
ayoungjamielennox, are you sure it is using NSS to set up SSL, and not mod_ssl?02:32
jamielennoxi got onto lhcheng in -horizon and we've got one +202:32
ayoungare the other directived NSS_  or SSL_  ?02:32
ayoungjamielennox, my guess is that error is coming from mod_nss not being enabled.02:34
jamielennoxayoung: that's what i was thinking02:34
jamielennoxit's loading the conf but not the module02:35
jamielennoxi'm just tryting to figure out how f21 handles that02:35
lhchengayoung: any recommended tutorial/page to jumpstart on setting up freeipa? I have to test out the kerberos patch too later when I review the changes.02:35
ayounglhcheng, OK, so just went through this last week.02:36
jamielennoxlhcheng: lol - i've been messing with it for two days02:36
jamielennoxthese scripts are pretty good: https://github.com/nkinder/rdo-vm-factory/tree/master/rdo-kerberos-setup02:36
ayounglhcheng, start with this:  get a new VM running F21 up and running,  ym updated, and install the freeipa-server RPM02:37
jamielennoxbut i don't want to run it on my local machine02:37
lhchengayoung: yeah, you were working with someone in the midcycle to set it up02:37
ayoungthe biggest gotcha I've seen has to do with host names.  I've been using a hack where I set the hostname in /etc/hosts  and in /etc/hostname02:37
ayoungthe one in /etc/hosts should use the IP address for the machine.  If you are doing an OpenStack type install, it can be the internal ip address.02:38
lhchengjamielennox: can you script that please. lol02:38
ayoungin /etc/hostname, just set the long FQDN02:38
ayoungthen I usually do02:38
ayoungsudo hostname=`cat /etc/hostname`02:38
* lhcheng thinking which public cloud to use02:38
jamielennoxlhcheng: my thought was i would do the steps manually first and verify - but it's all falling down around me02:39
ayounglhcheng, I had one working on dreamhost, but managed to mess it up.  I was using an Alpha of FreeIPA and it didn't upgradea cleanly02:39
*** gokrokve has joined #openstack-keystone02:40
ayounglhcheng, anyway, once you get the hostname setup, run ipa-server-install and it should prompt you for the values to use.  Take the defaults for things like REALM and Hostname.  Setup DNS is, now, I think something that is prompted02:41
lhchengayoung: ah yes, I remember you mentioned that last week. I like to learn how to set it up eventually. Just been pulled into some anvil work past couple of days.02:41
ayoungyou might want to pre-install the ldap module:02:41
ayoungbind-dyndb-ldap02:41
ayoungI had it as a one liner at one point for unattended installs, but better for you to go through the Q&A the first time.02:42
ayoungah, ne other gotcha02:42
ayoungmake sure you know the dns forwarders setup in /etc/resolv.conf02:42
ayoungit will prompt you at the DNS setup for what forwarders to use, and you almost always want to use the existing nameservers02:43
ayoungI often need to either kill the install script or open another terminal to find them02:43
ayounglhcheng, go ahead and plow through it.  It really is nothing to be afraid of.  You can do it on a local VM if you want;  I did most of my development on one that way02:45
lhchengayoung: so use the nameserver already used by my VM?02:45
ayoungyes02:46
lhchengI'll probably try to install it on a public cloud, at least I can show you the config later (if needed)02:46
ayoungit is a forwarder, meaning it will be used to answer queries that the bind instance associated with FreeIPA ca't answer itslef02:46
ayoungthat works too02:46
lhchengcool02:47
lhchengalright, will start off with this stuff for now02:47
ayoungtreat it like a devstack setup:  setup to be hacked on and trashed02:47
lhchenggotcha02:48
lhchengthanks02:48
lhchengwill bug you again in a couple of days :D02:48
ayoungYou better!02:48
ayounglhcheng, btw, thanks for the +2 on https://review.openstack.org/#/c/121281/  we really needto get that in before it needs a rebase02:49
ayoungjamielennox, the kerberos patch is going to need some help to catch up with what you did with auth plugins.  Is that what you are looking to test?  Have you been fixing that?02:51
jamielennoxayoung: yes, it appears the auth plugin stuff will get into DOA, so i want to bring the kerberos patch up to date02:52
lhchengayoung: sure. Thanks for the refactor! Having the auth plugin would come in handy.02:52
jamielennoxfigured i should try setting up my own environment again02:52
nkinderjamielennox: did you get your mod_nss thing figured out?02:52
jamielennoxnkinder: no02:52
nkinderjamielennox: it just sounds like the module isn't loaded02:52
jamielennoxnkinder: i was going to look at how hard it would be to replace your factory scripts that use libvirt to use neutron/openstack instead02:53
*** thedodd has joined #openstack-keystone02:53
*** thedodd has quit IRC02:53
jamielennoxappears OSC doesn't have much neutron support, looking at the neutron CLI app is making my head hurt02:53
ayoungnkinder, we have a snow day coming tomorrow.  Westford office is probably already officially closed.02:54
jamielennoxnkinder: from memory fedora you didn't have to do anything special to load a module right? it's controlled by the conf file conf.d/02:55
nkinderayoung: I noticed everyone I spoke with from westford today looking to the side to see how bad it was snowing and trying to hurry home02:55
ayoungits light so far,  little more than a dusting, but not really supposed to kick in until midnight02:55
nkinderjamielennox: it would be pulled in via an include from conf.modules.d02:55
nkinderjamielennox: I don't have F21 installed on a VM right now02:56
nkinderjamielennox: ...but I feel like they started using .load files in /etc/httpd IIRC02:56
jamielennoxnkinder: yea, i'm thinking i should scrap this and try again on f2002:56
ayoungnkinder, I have one...I tried to packstack it on Friday and it failed.  Also just got an IPA instance on one02:56
ayounginternal cloud...let me look02:56
nkinderjamielennox: actually, I have a f21 docker container.  Let me check it02:57
jamielennoxipa failed for me in F2102:57
jamielennoxso /etc/httpd/conf/httpd.conf on F21 says:02:57
nkinderjamielennox: for packstack, I've honestly been using centos/rhel02:57
jamielennoxInclude "/etc/httpd/conf.d/*.load"02:57
jamielennoxIncludeOptional "/etc/httpd/conf.d/*.conf"02:57
nkinderok, and mod_nss doesn't have a .load file02:57
nkinderyou can create one though.  I think it just contains LoadModule.  Take a look at one of the other ones.02:58
ayoung$ cat /etc/httpd/conf.modules.d/10-nss.conf02:58
ayoungLoadModule nss_module modules/libmodnss.so02:58
nkinderayoung: is that F21?02:58
ayoungyea02:58
nkinderayoung: and does anything else include it?02:58
nkinderI think mod_nss probably needs to have a .load file added02:59
ayoungjamielennox, on RHEL It might be in the /etc/httpd/conf.d directory02:59
nkinderayoung: RHEL7 is conf.modules.d02:59
nkinderI think it's just f21+ that changed it02:59
jamielennoxnothing in the default conf.modules.d has a .load03:00
jamielennoxonly in conf.d03:00
ayoungjamielennox, this is RHEL6 or RHEL 7?03:00
jamielennoxf2103:00
ayoungjamielennox, and you have the file I listed above?03:00
nkinderjamielennox: yes, add a mod_nss.load to conf.d03:00
jamielennoxi was going to do centos 7 but the VM wasn't working03:00
nkinderjamielennox: it should only need to contain "LoadModule nss_module modules/libmodnss.so"03:01
ayoungI have an IPA setup without any load files03:01
nkinderayoung: again, .load files are new as of F21 IIRC03:01
ayoungnkinder, this is IPA server on F2103:01
ayoung$ cat /etc/issue03:02
ayoungFedora release 21 (Twenty One)03:02
nkinderayoung: none under /etc/httpd/conf.d?03:02
ayoung find /etc/httpd/ -name \*load03:02
ayoungbupkis03:02
jamielennoxok03:02
jamielennoxso # ln -s ../conf.modules.d/10-nss.conf nss.load03:03
jamielennoxthat seems dumb03:03
*** tellesnobrega_ has quit IRC03:03
ayoungjamielennox, I think if you crank up logging and restart the server it will tell you what modules get loaded03:04
jamielennoxayoung: moved onto error: AH00015: Unable to open logs - so not sure we're even at that point03:05
jamielennoxthis i'm figuring out from journalctl -xe, nothing being sent to /var/log/httpd/error_log03:05
ayoungSELinux?03:05
nkinderI know I've seen .load files before (f21 I thought), but I don't see any in my docker container when I install httpd03:06
*** bjornar has quit IRC03:07
nkinderjamielennox: what version of httpd do you have?03:08
nkinderjamielennox: with httpd-2.4.10-9.fc21.x86_64, I don't see any include for *.load in /etc/httpd/conf/httpd.conf03:09
jamielennoxyes, that03:09
nkinderjamielennox: are you looking at a system post-packstack?03:10
jamielennoxnkinder: yes03:11
nkinderI wonder if the apache puppet module is setting it to include *.load03:11
jamielennoxok got it03:11
nkinderI'm just looking on a fresh container (no packstack)03:11
jamielennoxfor some reason root owned /var/log/httpd03:11
*** bjornar has joined #openstack-keystone03:11
jamielennoxwill re-run packstack03:12
nkinderjamielennox: I bet it's the puppet modules.  Let me see what happens with packstack and keystone httpd deployment on rhel703:12
jamielennoxnkinder: i tried to do it via scripts as you did https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-kerberos-setup/vm-post-cloud-init-rdo.sh#L47 failed badly03:13
nkinderjamielennox: were you letting my scripts create the VMs?03:13
jamielennoxhowever i eventually got an --allinone to work and could then edit the answer file it produced03:13
ayoungnkinder, did they...I'm almost afraid to ask...did...did they...kill03:13
ayoung/var/log/messages in F21?03:13
jamielennoxnkinder: no, i don't know if my laptop would handle 2 4gb vms on libvirt03:14
jamielennoxnkinder: this is what we use openstack for :)03:14
nkinder:)03:14
ayoungwait....so I have /var/log/messages on my laptop03:15
ayoung-rw-------. 1 root root 14792347 Jan 26 22:15 /var/log/messages03:15
ayoungand nonw o neither the IPA nor the Packstack machines I set up03:15
ayoungdouble you tee eff?03:15
jamielennoxayoung: maybe the cloud image?03:15
ayoungjamielennox, almost certainly03:16
ayoungbut...03:16
ayounghow?03:16
jamielennox/var/log/messages is some sort of output pipe of journalctl03:16
jamielennoxi don't know how you opt into that03:16
ayoungLENNNART!03:16
jamielennoxbut i know they kept it for workstations etc, they probably just didn't turn it on for cloud image03:16
ayoungLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEENNNART!03:16
ayoungMy Washing Machine is slightly unbalanced right now, and generating an admirable backbeat03:17
jamielennoxin general i approve because i hate touching /etc/init.d scripts, i do need to figure out journalctl03:17
ayoungIts like techno03:17
ayoungok  journactl it is....so how do I do the equivalent of tail -f...03:19
* jamielennox shrugs03:19
ayoung -f, --follow03:19
nkinderayoung: journalctl -f03:19
* ayoung faster03:19
nkinderayoung: I still have a finger that I can't use for typing.  Makes me nice and slow (and full of typos).03:21
ayoungCan you still play bass?03:21
*** _cjones_ has joined #openstack-keystone03:21
nkinderayoung: no :(03:21
ayounghow long until it is healed?03:22
*** lhcheng has quit IRC03:22
nkinderwell, as long as my fret-hand index finger isn't needed03:22
ayoungUgh03:22
nkinderwell, it's been 25 days so far03:22
ayoungoooh...what did you do?03:22
nkinderonly the top is black/purple now instead of the whole thing03:22
nkinder4lb deadblow mallet03:22
jamielennoxouch03:23
nkinderI'd guess another 2-3 weeks before it's in decent shape again (minus a nail)03:23
ayoungJust glad you didn'03:23
ayoungt pull a Tommy Caldwell03:23
nkinderouch.  No saws involved.03:24
ayoung Process: 25785 ExecStart=/usr/bin/keystone-all (code=exited, status=1/FAILURE)03:24
ayoungOK,  time to update Packstack to know about HTTPD...03:25
nkinderewww.... keystone-all :P03:25
ayoungHai!03:25
openstackgerritwanghong proposed openstack/keystone: remove unnecessary checks in assignment/controllers.py  https://review.openstack.org/13072203:25
ayoungwaiting on rich's work on Puppet I'm guessing?03:25
nkinderCONFIG_KEYSTONE_SERVICE_NAME=httpd03:26
nkinderwait for nothing.  It's done03:26
ayoungACHA!03:26
jamielennoxyou can set that as env or you need to do a packstack answers file>?03:26
*** _cjones_ has quit IRC03:27
ayoungjamielennox, I'm trying it in the answer file right now03:27
nkinderanswers file03:27
nkinderI've never tried it via ENV03:27
ayoungwasn't a generated KEY03:27
nkinderayoung: what version of packstack are you using?03:27
ayoungwhatever the default is wit h F2103:27
nkinderit's been in RDO Juno for quite a while now03:27
*** samueldmq has quit IRC03:28
ayoung$ rpmquery openstack-packstack03:28
ayoungopenstack-packstack-2014.1.1-0.31.1.dev1266.fc21.noarch03:28
nkinderayoung: fedora might include an older release03:28
ayoungOf course...03:28
nkinderI would use RDO03:28
ayoungFedora 21 is still in development and running RDO Juno on Fedora 21 is not recommended at this time. A separate announcement will be made on the rdo-list mailing list when RDO Juno on Fedora 21 is ready.03:29
ayoungCan I regen an answers file?03:29
ayounggah...OK,  I need to do a bit more to pre for using that03:30
nkinderayoung: yeah, I use centos or rhel703:30
nkinderit's what RDO targetted first, so it'll be more stable03:30
* ayoung Contrasts this with FreeIPA, which did it the right way....03:31
ayoungAh well...I can deal with that later....03:31
ayoungGonna wrap things up and head to bed03:32
*** wanghong_away is now known as wanghong03:33
*** rushiagr_away is now known as rushiagr03:36
nkinderjamielennox: so packstack creates all of the .load files03:43
nkinderjamielennox: ...and it's really likely it's the puppet-apache module03:44
stevemarnkinder is alive!03:47
stevemarhaven't seen you on in a while03:48
nkinderstevemar: yeah, lots of travel and just generally swamped by meetings lately03:48
stevemarthis channel gets very RED at this time of day, tHATs just my opinion03:48
*** ayoung is now known as ayoung_ZZzz__03:49
openstackgerritwanghong proposed openstack/keystone: add missing classmethod decorater for get_auth_context  https://review.openstack.org/15025103:57
*** rushiagr is now known as rushiagr_away04:01
*** gokrokve has quit IRC04:03
*** markvoelker has joined #openstack-keystone04:17
*** gokrokve has joined #openstack-keystone04:20
*** richm has quit IRC04:31
*** lhcheng has joined #openstack-keystone04:39
*** packet has quit IRC04:39
*** rushiagr_away is now known as rushiagr04:54
*** markvoelker has quit IRC05:09
*** markvoelker has joined #openstack-keystone05:10
*** harlowja is now known as harlowja_away05:10
*** markvoelker has quit IRC05:14
jamielennoxnkinder: i don't expect you're still here, but how do i add the cert for the ipa ldap server to the keystone server?05:30
*** pheadron2 has joined #openstack-keystone05:33
*** pheadron2 has quit IRC05:34
*** markvoelker has joined #openstack-keystone05:37
*** markvoelker has quit IRC05:38
*** henrynash has joined #openstack-keystone05:38
*** ChanServ sets mode: +v henrynash05:38
*** markvoelker has joined #openstack-keystone05:38
stevemarcan a trust cross domains?05:38
stevemarlike user on domain A give a role on a project (must be in domain A), delegate to a user in domain B?05:39
stevemarnow i'm not even sure if a user can have a role on a project thats not in his own domain....05:41
stevemarayoung_ZZzz__, morganfainberg ^ ?05:41
morganfainbergstevemar, i can only thing so much on glass of wine #305:41
morganfainbergstevemar, think*05:41
morganfainbergso give me a sec ;)05:41
stevemarmorganfainberg, dammit !05:41
*** dims has joined #openstack-keystone05:41
morganfainbergdude, had a spare bottle on my desk >.>05:42
morganfainbergtoday, yes a trust can cross domains05:42
morganfainbergthough that is probably a bad idea05:42
morganfainberg\05:42
morganfainbergsimply a user can have a role on a domain not his own, therefore a trust would do the same.05:42
stevemarand a user can have a role on a project not in his domain?05:43
morganfainbergyep05:43
stevemarbut...05:43
stevemarthen whats the point of a domain05:43
morganfainbergownership of the user05:43
stevemar*grumble grumble*05:43
stevemarAND projects05:43
morganfainbergi think this is a gap in security05:43
morganfainbergdude.05:43
stevemarat least, it was05:43
*** markvoelker has quit IRC05:43
*** ajayaa has joined #openstack-keystone05:47
*** dims has quit IRC05:49
*** dims has joined #openstack-keystone05:50
*** dims has quit IRC05:52
openstackgerritKenjiro Kosaka proposed openstack/keystone: Sample Identity endpoints changed to unversioned  https://review.openstack.org/13066905:52
*** dims has joined #openstack-keystone05:52
nkinderjamielennox: There are a few ways.  Easiest is configuring it at the system level for the entire ldap C library.  Let me dig up a link to a writeup on it.05:53
jamielennoxnkinder: found it05:54
nkinderjamielennox: ok, cool.05:54
jamielennoxsorry, should have mentioned05:54
nkinderjamielennox: no worries05:54
jamielennoxnkinder: https://github.com/nkinder/rdo-vm-factory/pull/105:54
nkinderjamielennox: is your keystone system an IPA client?05:55
jamielennoxnkinder: yes05:55
nkinderjamielennox: if so, it should already trust the IPA CA system-wide05:55
jamielennoxhmm, not sure05:55
nkinderjamielennox: ...which is why it's not doing anything extra in my script05:56
jamielennoxnkinder: i probably missed something05:56
jamielennoxstill trying to learn this by hand05:56
jamielennoxweird though - /etc/ipa/ca.crt wouldn't exist if i wasn't an ipa client05:57
nkinderjamielennox: yeah.  Perhaps there was something not set up right in the NSS shared database that libldap uses.05:59
nkinderjamielennox: does ldapsearch work from the keystone system using ldaps or starttls?05:59
jamielennoxnkinder: it always takes me so long to figure out a real query to test that06:00
nkinderuse -b "" -s base06:00
nkinderthat just searches the root DSE entry06:00
nkinderso 'ldapsearch -x -H <url> -b "" -s base'06:01
nkinderurl can just be 'ldaps://ipafqdn:636'06:01
nkinderjamielennox: if you want to use starttls, use '-Z -h ipafqdn -p 389' instead of -H06:02
jamielennoxfails, but simply: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)06:02
jamielennoxldaps is configured in keystone06:03
nkinderit sounds like trust for libldap wasn't set up properly then for some reason (ipa-client-install should have done it)06:03
jamielennoxi had various issues with ipa and these vms - so that's possible06:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/14915806:04
nkinderdoes '-v' give any more info?06:04
jamielennoxonly;  ldap_initialize( ldaps://ipa.jamielennox-freeipa.org:636/??base )06:04
*** gokrokve_ has joined #openstack-keystone06:05
jamielennoxnkinder: doesn't really matter for this - but i agree, i didn't think i would need to do anything special to contact that ldap server06:05
jamielennoxugh - IPA ui not coming up now...06:06
nkinderjamielennox: yeah, what you did is fine.  You shouldn't need to do anything extra though06:06
nkinderI think the system-wide cert trust is not set up properly06:06
nkindercert issues with that too?06:06
jamielennoxnkinder: ok - well i can kill that request06:06
jamielennoxnkinder: i haven't really used anything else against this ipa06:06
jamielennoxfrom this vm06:07
jamielennoxoh06:07
jamielennoxno, just blank screen06:07
nkinderjamielennox: you can try 'ipa-client-install --uninstall', then reinstall it.06:07
nkinderjamielennox: but it sounds like the server may not be healthy06:08
*** gokrokve has quit IRC06:08
jamielennoxno - it appears IPA has a javascript error06:08
jamielennoxin something that is compressed06:08
nkinderF21?06:08
jamielennoxnkinder: it has not been a reassuring experience06:08
jamielennoxno F20 - wouldn't install at all under F2106:09
jamielennoxf21 client06:09
nkinderis this the first time accessing IPA from that browser?06:10
*** gokrokve_ has quit IRC06:10
jamielennoxnkinder: no, was working on friday06:10
nkinderjamielennox: Strange.  I'd check out the webserver logs on the IPA VM.  Not sure what it would be.06:11
jamielennoxnkinder: at this point i'm hoping i can limp this environment through far enough to test the horizon patch, then i'll worry about making a clean one06:12
jamielennoxi'll try another centos 7 image next time06:12
nkinderjamielennox: yeah, centos and rhel testing has been solid for me06:13
nkinderjamielennox: we can check with some of the IPA folks to see if there are known issues on F21, though I hadn't heard anything06:13
*** oomichi has quit IRC06:13
*** abhirc has quit IRC06:14
jamielennoxi stuck fraser onto the f21 issue - i don't know how far he got06:15
nkinderjamielennox: I'll try it out too and see if anything jumps out06:18
nkinderjamielennox: going to go catch some sleep now06:19
jamielennoxnkinder: thanks for your help, talk tomorrow06:20
*** dims has quit IRC06:23
*** dims has joined #openstack-keystone06:26
*** _cjones_ has joined #openstack-keystone06:28
marekdjamielennox: hi, i am here.06:30
marekdjamielennox: i guess you are leaving soon.06:30
jamielennoxsoon - not yet06:30
*** dims has quit IRC06:30
jamielennoxi was looking at https://review.openstack.org/#/c/130564/13/keystoneclient/contrib/auth/v3/saml2.py06:31
jamielennoxdid you move the username and password variables up to _BaseSAMLPlugin on purpose?06:31
jamielennoxi though the intent was to allow other forms of creds on that06:31
*** markvoelker has joined #openstack-keystone06:31
marekdtopol: Hi Brad. Thanks.06:32
*** _cjones_ has quit IRC06:33
topolmarekd, NP06:33
stevemarmarekd, you are alive06:33
marekdjamielennox: yes, i basically moved it to _BaseSAMLPlugin, as I concluded that it should be there as those parameters are defined in get_options there.06:33
marekdstevemar: you are STILL alive?!06:33
stevemarmarekd, somehow, the assassins you sent are not very good06:33
stevemarcorrection... were* not06:34
marekdi should rather attack your laptop, not yourself.06:34
stevemarno not my precious!06:34
marekdthe effect would be you sleeping :-)06:34
stevemarmarekd, time to talk websso ? i don't want to bug you and jamie06:34
marekdstevemar: i am good.06:35
marekdstevemar: or, maybe i will take advantage of jamie being here?06:35
stevemarmarekd, go for it06:35
stevemari have time06:35
marekdLOL06:35
*** markvoelker has quit IRC06:36
marekdjamielennox: so, do you think it's fine to actually inherit from _BaseSamlPlugin and create another plugin just because of different authN way?06:36
marekdauthN with IdP06:36
jamielennoxmarekd: it's a private class - i really don't mind06:37
jamielennoxi just don't want to lock something up for if we try and do cert based saml in future06:37
*** gokrokve has joined #openstack-keystone06:37
marekdjamielennox: ah, ok i will revert it and squeeze username/password into ADFS and ECP plugins.06:39
*** gokrokve has quit IRC06:39
*** gokrokve has joined #openstack-keystone06:39
marekdI am tempted to add some abstractmethod to _BaseSAMLPlugin called _authenticate_with_idp but i am fearing one day with some strange protocol this may be not enough.06:39
jamielennoxmarekd: that is my big concern with all this06:41
jamielennoxmarekd: i'd be happy enough to pass it as is06:41
marekdjamielennox: OK06:41
*** zz_avozza is now known as avozza06:41
jamielennox_BaseSaml is a private class so we can always push those options down to the plugins later06:42
jamielennoxi'm just not wanting to back us into a corner for later06:42
jamielennoxmarekd: oh - morganfainberg mentioned that the blueprint you assigned doesn't exit06:42
jamielennoxs/exit/exist06:42
jamielennoxi was going to do it but got distracted06:42
marekdjamielennox: ok, so let me spend 15 minutes reverting this user/pass moving to inheriting classes. I will move attributes as well as define them to get_options().06:42
marekdjamielennox: i will check and create if needed.06:43
jamielennoxmarekd: ok - thats the only thing i've seen for that review06:43
marekdjamielennox: backwards compatibility?06:43
jamielennoxi want to do a client release soon, we can look at pushing federation out to its own repo after that06:43
jamielennoxthe entrypoint names...06:43
marekdjamielennox: ayoung_ZZzz__ has been pinging me about that a lot, but wanted first to actually have new plugins structure merged and only then smoothly move it out ksc repo.06:44
*** gokrokve has quit IRC06:44
jamielennoxmarekd: so maybe this is a good point to do the break?06:45
marekdjamielennox: yes, please.06:45
jamielennoxif we are going to have to change entrypoint names06:45
marekdjamielennox: yes yes yes.06:45
marekdif you are good with that, it's fine.06:45
jamielennoxok - copy that whole review, propose it against keystoneclient-federation06:45
marekdalready?06:45
marekdok06:45
jamielennoxmark all the existing federation plugins deprecated06:45
jamielennoxwell that way we can leave the old entrypoint names the way they are06:46
jamielennoxjust put a warning on them06:46
marekdin docstring or there is some fancy decorator for that?06:46
marekdwhat's the deprecation period ?06:46
jamielennoxmarekd: forever at this point06:46
marekd:D06:46
jamielennoxwe haven't been allowed to do a keystoneclient v206:46
jamielennoxor 2.006:46
marekdjamielennox: depr. warning in docstring is enough, right?06:47
jamielennoxyep06:47
jamielennoxi had a review that added a warning prompt to ksc06:47
marekdjamielennox: and the structure of the patchset against keystoneclient-federation  will be the same?06:48
jamielennoxbut these are going to be reviews against seperate projects so there's no need to mark the old stuff deprecated until we have a release of ksc-federation ready to go06:48
jamielennoxmarekd: pretty similar, but you can move everything up to the root06:48
jamielennoxfederation/saml.py06:48
jamielennoxactually we probably still want to do federation/v3/saml.py just in case06:48
marekdhttps://github.com/openstack/python-keystoneclient-federation/tree/master/keystoneclient_federation <--- to this destination.06:49
jamielennoxthat way we can do generic plugins (version independent) at the root06:49
marekdallrigt06:49
jamielennoxyep06:49
jamielennoxmarekd: change mind06:49
jamielennoxmarekd: as first patch do a straight copy and paste of the existing code06:50
jamielennoxthen propose this refactor on top06:50
jamielennoxwill make reviewing easier06:50
marekdjamielennox: eeeee, straight copy means coping whole dir/files structure starting from /contrib/auth/v3/  ?06:52
jamielennoxmarekd: you don't want most of that?06:52
marekdi do06:52
jamielennoxoh - yea, you can change the path06:52
marekdjamielennox: ok, i am gonna put federation.py and saml2.py files into keystoneclient_federation/auth/v3/{federation,saml}.py06:54
marekdis that what you meant?06:54
jamielennoxyep06:54
marekdok06:54
marekdmakes sense.06:54
marekdi will do this today06:54
jamielennoxcool - that one will be a fairly easy review06:54
marekdjamielennox: yep06:54
marekdthanks.06:54
jamielennoxthen we can merge this refactor finally06:54
marekdjamielennox: oh yes.06:54
jamielennoxmarekd: we get until first release to mess with the APIs as well, so if you have found anything funny about the existing plugins this will be our chance to fix it06:55
marekdok06:55
marekdjamielennox: i think that's all for now, right?06:57
jamielennoxmarekd: think so06:58
marekdjamielennox: ok, thanks! :-)06:58
*** avozza is now known as zz_avozza06:58
marekdstevemar: what's up boss?06:58
jamielennoxi'll be up early for the meeting tomorrow - we can get it through then06:58
marekdjamielennox: OK06:58
*** markvoelker has joined #openstack-keystone06:58
stevemarmarekd, just wanted your opinion on the websso spec :)07:01
marekdstevemar: i am reading your comments now07:02
marekdthanks for answering07:02
*** MasterPiece has joined #openstack-keystone07:04
*** markvoelker has quit IRC07:04
marekdstevemar: it looks good in my opinion.07:04
stevemarwhat about marco's stuff07:04
marekdah, shit forgot.07:04
marekdhow do we define trusted horizons?07:04
marekdstevemar: i will bug ayoung_ZZzz__ today about that07:05
marekdi already know adding new set of APIs is a bunch of work as it's also keystoneclient and openstackclient.07:05
marekdand we end up with lots of code.07:06
stevemaris it normally more than one trusted horizon?07:07
stevemarif not, then we could put it in keystone.conf, heck even if there are many we could enumerate them somehow07:07
marekdstevemar: i'd imagine yes..but we need to ask other cloud deployers07:07
marekdstevemar: ok, looks like this is the last thing to figure out.07:08
stevemarare you planning to push a new patch for it?07:09
stevemaror shall i?07:09
marekdstevemar: i was also thinking we could actually make a static file with JS code and put its path in the keystone.conf. We would not hardcode JS code in Keystone code.07:09
marekdi can push.07:09
marekdyou are probably already tired.07:09
stevemarmarekd, yeah but you are swamped and this is fast :P07:10
*** topol has quit IRC07:10
marekdstevemar: ok, so push :-)07:10
stevemaryay!07:10
* marekd looking what 'swamped' means :P07:11
stevemardamn topol did one last comment and ran off!07:11
stevemarswamped == busy with lots of work07:11
marekdstevemar: LOL, not as swamped as you are I guess.07:11
stevemarmarekd, i'm not too bad07:11
stevemaryou have sp API to do07:12
stevemarand client07:12
stevemarand ... theres something else07:12
marekdstevemar: yes.07:12
stevemarmapping stuff07:12
*** zz_avozza is now known as avozza07:17
openstackgerritLin Hua Cheng proposed openstack/keystone: Add schema for endpoint group  https://review.openstack.org/15029207:23
*** nellysmitt has joined #openstack-keystone07:26
*** dims has joined #openstack-keystone07:27
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Visual Page for WebSSO  https://review.openstack.org/13352907:29
stevemarmarekd, ^07:29
*** jamielennox is now known as jamielennox|away07:29
*** dims has quit IRC07:31
*** MasterPiece has quit IRC07:32
openstackgerrithenry-nash proposed openstack/keystone: Make unit tests call the new resource manager  https://review.openstack.org/13095407:32
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263407:35
*** stevemar has quit IRC07:35
*** gokrokve has joined #openstack-keystone07:37
*** pnavarro has joined #openstack-keystone07:40
*** gokrokve has quit IRC07:42
*** avozza is now known as zz_avozza07:49
*** berendt has joined #openstack-keystone07:52
*** tomoiaga has joined #openstack-keystone07:57
*** markvoelker has joined #openstack-keystone08:00
*** markvoelker has quit IRC08:04
*** harlowja_away has quit IRC08:08
*** josecastroleon__ has quit IRC08:19
*** josecastroleon__ has joined #openstack-keystone08:19
*** oomichi has joined #openstack-keystone08:20
*** josecastroleon__ is now known as josecastroleo08:20
*** josecastroleo is now known as josecastroleon08:21
openstackgerritMarek Denis proposed openstack/python-keystoneclient-federation: Create a framework for federation plugins  https://review.openstack.org/15030508:21
*** dims has joined #openstack-keystone08:28
*** dims has quit IRC08:32
openstackgerritMehdi Abaakouk proposed openstack/keystone-specs: tokens swift persistent backend  https://review.openstack.org/13151508:37
*** gokrokve has joined #openstack-keystone08:37
berendthello. we recently had issues to allow the access to specific api methods using the policy.json file (I posted at http://lists.openstack.org/pipermail/openstack-operators/2015-January/006014.html). For example "identity:list_services": "@" does not allow us to access the list_services method with every user, it is still necessary to assign the admin role (HTTP error 403 ('admin_required')). Can anybody p08:38
openstackgerritMehdi Abaakouk proposed openstack/keystone-specs: tokens swift persistent backend  https://review.openstack.org/13151508:38
*** gokrokve has quit IRC08:42
*** lhcheng has quit IRC08:43
openstackgerritMarek Denis proposed openstack/python-keystoneclient-federation: Create a framework for federation plugins  https://review.openstack.org/15030508:48
*** markvoelker has joined #openstack-keystone09:00
*** markvoelker has quit IRC09:05
*** jistr has joined #openstack-keystone09:08
*** zz_avozza is now known as avozza09:15
*** jaosorior has joined #openstack-keystone09:25
*** erkules_ is now known as erkules09:29
*** gokrokve has joined #openstack-keystone09:37
*** gokrokve_ has joined #openstack-keystone09:39
*** gokrokve has quit IRC09:41
*** gokrokve_ has quit IRC09:44
*** avozza is now known as zz_avozza09:57
*** zz_avozza is now known as avozza09:57
rodrigodshenrynash, thanks for the review! will address them as soon as I arrive in the university :)10:01
*** markvoelker has joined #openstack-keystone10:01
*** markvoelker has quit IRC10:07
*** samueldmq has joined #openstack-keystone10:12
openstackgerritMehdi Abaakouk proposed openstack/keystone-specs: tokens swift persistent backend  https://review.openstack.org/13151510:16
*** dims has joined #openstack-keystone10:16
*** samueldmq has quit IRC10:18
*** dims has quit IRC10:21
*** gokrokve has joined #openstack-keystone10:37
*** gokrokve has quit IRC10:42
*** samueldmq has joined #openstack-keystone10:47
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes 'OS-INHERIT:inherited_to' info in tests  https://review.openstack.org/14454210:49
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor role assignment assertions  https://review.openstack.org/14454310:49
samueldmqmorning10:50
samueldmqhenrynash, hi10:50
*** marg7175 has quit IRC10:52
*** avozza is now known as zz_avozza11:05
*** zz_avozza is now known as avozza11:05
*** amakarov_away is now known as amakarov11:06
*** marg7175 has joined #openstack-keystone11:07
*** marg7175 has quit IRC11:07
*** marg7175 has joined #openstack-keystone11:08
*** tellesnobrega_ has joined #openstack-keystone11:11
openstackgerritMarek Denis proposed openstack/keystone: Implement Service Providers API for OS-FEDERATION  https://review.openstack.org/10462311:13
*** gokrokve has joined #openstack-keystone11:37
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param  https://review.openstack.org/14856711:43
*** gokrokve has quit IRC11:43
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param  https://review.openstack.org/14861811:43
rodrigodshenrynash, ^ addressed your comments11:43
*** tellesnobrega_ has quit IRC11:53
marekdrodrigods: thanks for the review11:55
rodrigodsmarekd, ++11:55
openstackgerritMarek Denis proposed openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085812:00
*** markvoelker has joined #openstack-keystone12:04
*** markvoelker has quit IRC12:09
henrynashrodigods: thx, will check12:18
*** diegows has joined #openstack-keystone12:27
*** tellesnobrega has quit IRC12:30
*** tellesnobrega has joined #openstack-keystone12:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix docstring of get hierarchy methods  https://review.openstack.org/15039112:32
*** ajayaa has quit IRC12:32
*** MasterPiece has joined #openstack-keystone12:36
*** gokrokve has joined #openstack-keystone12:37
*** afaranha has joined #openstack-keystone12:41
*** gokrokve has quit IRC12:42
samueldmqhenrynash, - ping, should we add a point to today's meeting regarding role inheritance changes ? other to domain roles api changes?12:47
*** aix has joined #openstack-keystone12:48
henrynashwe certainly want to discuss domain roels api12:48
henrynashif you think worth a dsicussion on role inheritance, then please do add to agenda12:49
samueldmqhenrynash, cool, will add a point for both ... domain roles api with higher priority, role inheritance if we have time12:50
samueldmqhenrynash, I think I know the reason why your metadata removal patch is failing - have you a minut ?12:56
*** markvoelker has joined #openstack-keystone13:05
*** markvoelker has quit IRC13:10
*** ajayaa has joined #openstack-keystone13:20
*** markvoelker has joined #openstack-keystone13:25
*** diegows has quit IRC13:31
*** rushiagr is now known as rushiagr_away13:35
*** gokrokve has joined #openstack-keystone13:37
*** oomichi has quit IRC13:40
*** gokrokve has quit IRC13:42
*** bknudson has joined #openstack-keystone13:42
*** ChanServ sets mode: +v bknudson13:42
*** gokrokve has joined #openstack-keystone13:47
*** gokrokve has quit IRC13:51
*** markvoelker has quit IRC13:54
*** gordc has joined #openstack-keystone13:55
*** rushiagr_away is now known as rushiagr13:58
*** radez_g0n3 is now known as radez13:59
openstackgerritMerged openstack/identity-api: Updated from global requirements  https://review.openstack.org/15022114:03
*** sriram has joined #openstack-keystone14:05
*** mattfarina has joined #openstack-keystone14:13
*** richm has joined #openstack-keystone14:13
*** nkinder has quit IRC14:22
*** joesavak has joined #openstack-keystone14:28
*** dims has joined #openstack-keystone14:33
*** Ctina has joined #openstack-keystone14:34
*** markvoelker has joined #openstack-keystone14:36
*** gokrokve has joined #openstack-keystone14:37
openstackgerritMerged openstack/python-keystoneclient: fix enabled parameter of update doesn't default to None  https://review.openstack.org/14442214:41
*** gokrokve has quit IRC14:42
*** topol has joined #openstack-keystone14:42
*** ChanServ sets mode: +v topol14:42
*** gokrokve has joined #openstack-keystone14:48
*** david-lyle_afk is now known as david-lyle14:49
*** gokrokve_ has joined #openstack-keystone14:51
*** r-daneel has joined #openstack-keystone14:52
*** gokrokve has quit IRC14:53
*** abhirc has joined #openstack-keystone14:54
*** Ctina has quit IRC14:59
*** Ctina has joined #openstack-keystone14:59
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/15020815:00
*** gordc has quit IRC15:02
*** markvoelker has quit IRC15:03
*** gordc has joined #openstack-keystone15:03
*** markvoelker has joined #openstack-keystone15:03
*** rwsu-afk has quit IRC15:04
*** berendt has left #openstack-keystone15:04
*** ayoung_ZZzz__ is now known as ayoung_snowedin15:07
*** markvoelker has quit IRC15:09
*** jsavak has joined #openstack-keystone15:11
*** abhirc has quit IRC15:12
*** joesavak has quit IRC15:13
*** zzzeek has joined #openstack-keystone15:14
samueldmqbknudson, replied your comment on 'Move projects and domains to their own backend', thanks15:15
*** abhirc has joined #openstack-keystone15:17
*** avozza is now known as zz_avozza15:17
*** zz_avozza is now known as avozza15:17
*** nkinder has joined #openstack-keystone15:19
*** dims has quit IRC15:20
*** tsufiev is now known as tsufiev_15:20
*** dims has joined #openstack-keystone15:20
*** abhirc has quit IRC15:22
*** dims has quit IRC15:25
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720215:38
*** henrynash has quit IRC15:39
*** rwsu has joined #openstack-keystone15:42
*** henrynash has joined #openstack-keystone15:43
*** ChanServ sets mode: +v henrynash15:43
*** markvoelker has joined #openstack-keystone15:46
*** stevemar has joined #openstack-keystone15:47
*** ChanServ sets mode: +v stevemar15:47
*** carlosmarin has joined #openstack-keystone15:48
*** abhirc has joined #openstack-keystone15:49
*** nellysmitt has quit IRC15:49
*** andreaf_ has quit IRC15:53
*** andreaf_ has joined #openstack-keystone15:53
*** nellysmitt has joined #openstack-keystone15:54
rodrigodsstevemar, have two changes for you to check whenever you have a moment: two lines https://review.openstack.org/#/c/130081/  and the whitelist/blacklist https://review.openstack.org/#/c/142573/16:01
stevemarrodrigods, cool cool16:05
*** packet has joined #openstack-keystone16:07
*** joesavak has joined #openstack-keystone16:07
*** jsavak has quit IRC16:09
*** henrynash_ has joined #openstack-keystone16:11
*** ChanServ sets mode: +v henrynash_16:11
mfischhey keystoners, there's some operators ML questions about whether policy.json works in keystone, are there any issues with it?16:13
lbragstadmfisch: link?16:13
mfischhttp://lists.openstack.org/pipermail/openstack-operators/2015-January/006014.html16:13
mfischfrom what I saw what he did looked ok, well most of it did16:14
*** arif-ali_ has joined #openstack-keystone16:16
*** henrynash has quit IRC16:17
*** henrynash_ is now known as henrynash16:17
*** arif-ali has quit IRC16:18
*** svasheka has quit IRC16:18
*** arif-ali_ is now known as arif-ali16:18
*** tomoiaga has left #openstack-keystone16:18
lbragstadmfisch: thanks, I'll dig through it and see if I can recreate it16:18
rodrigodslbragstad, mfisch, we do have some hardcoded checks, remember a change from nkinder where they were being documented16:19
stevemarmfisch, i want to say using _member_ for anything is bad16:20
lbragstadrodrigods: mfisch I think those checks live in the common controller code?16:20
rodrigodslbragstad, mfisch, https://review.openstack.org/#/c/123862/16:21
rodrigodslast point of the commit message16:21
*** svasheka has joined #openstack-keystone16:21
lbragstadrodrigods: nice catch16:22
*** henrynash has quit IRC16:23
*** henrynash_ has joined #openstack-keystone16:23
*** ChanServ sets mode: +v henrynash_16:23
stevemarmfisch, also, is the user on the ML restarting keystone?16:23
stevemarit's not mentioned explicitly16:23
mfischstevemar: I asked him, he wasnt at first but he did try it16:23
stevemari'd try it without _member_16:24
mfischhere's what he said about restarts16:24
mfischIs this necessary? According to the logs the policy.json file is16:24
mfischautomatically be reloaded after each change (and each touch as well).16:24
mfisch2015-01-26 16:40:23.388 24240 DEBUG keystone.openstack.common.fileutils16:24
mfisch[-] Reloading cached file /etc/keystone/policy.json read_cached_file16:24
lbragstadstevemar: ++ yeah, I was just going to suggest that16:24
mfischhe said he tried "@" which I've not used, is that open to everyone?16:25
mfischI'm not familiar with "@"16:25
lbragstadhttps://github.com/openstack/keystone/blob/b3e969c065f991b8de180330f8f69d94012c6915/keystone/common/controller.py#L16916:26
lbragstadwhich is applied to list_services()16:26
lbragstadhttps://github.com/openstack/keystone/blob/b3e969c065f991b8de180330f8f69d94012c6915/keystone/catalog/controllers.py#L22616:26
*** 17WAA14VW has joined #openstack-keystone16:27
mfischso you have to be admin regardless as to the policy.json16:28
mfischbased on that first link16:28
*** chrisshattuck has joined #openstack-keystone16:28
lbragstadmfisch: those first two links are for the V3 api16:30
lbragstadthis is for the V2 api16:30
lbragstadhttps://github.com/openstack/keystone/blob/a2667edde6e91bda0ff2c9ba6abe1015f9a7e66a/keystone/common/wsgi.py#L27416:30
stevemari don't think so, that's the same as the regular projected call, but accounting for filters on a list16:30
lbragstadwhich calls assert_admin in v2 get_services https://github.com/openstack/keystone/blob/b3e969c065f991b8de180330f8f69d94012c6915/keystone/catalog/controllers.py#L36-L3916:30
mfischthat would be it16:31
mfischsounds like a documentation opportunity16:31
lbragstadand that looks like it hard codes 'admin_required' here16:31
lbragstadhttps://github.com/openstack/keystone/blob/a2667edde6e91bda0ff2c9ba6abe1015f9a7e66a/keystone/common/wsgi.py#L30116:31
mfischdoesnt this defeat the purpose of policy.json somewhat?16:32
*** 17WAA14VW is now known as dims16:33
stevemarlbragstad, yeah, now i think you've got the right line in the code16:33
lbragstadstevemar: ++16:33
lbragstadI can respond to the ML thread16:34
rodrigodsstevemar, lbragstad, ++16:34
mfischthanks guys16:35
lbragstadmfisch: no problem, thanks for letting us know16:35
stevemartheres another note on the -dev ML about about removing expiring tokens16:36
stevemaris there a reason we don't do it automatically16:36
lbragstadstevemar: yeah I saw that,16:36
*** avozza is now known as zz_avozza16:36
mfischthere was a bug that was fixed about locking the table during the cleanup16:37
mfischI thought one reason not to do it automatically was when you had a galera cluster16:37
lbragstadside note that I found about Galera documentation:16:38
lbragstadhttp://galeracluster.com/documentation-webpages/performance.html#dealing-with-large-transactions16:38
* lbragstad waits for it 16:38
mfischwe only run the token clean up on node 116:40
lbragstadmfisch: so you have something that applies clean up on one galera node and the writes propagate through the rest of the cluster, right?16:41
mfischyeah, its just a cron job on node116:42
mfischIIRC16:42
lbragstadmfisch: yeah, that makes sense16:42
mfischwe have a cluster that spans regions so it runs even hours in East and odd hours in west16:42
lbragstadI think the performance tuning referenced in the Galera docs is just for larger transactions16:43
lbragstadso when that massive cleanup runs, galera handles it better?16:43
lbragstadI haven't tried that but I thought it was funny how they explicitly use Keystone tokens as their example16:44
lbragstadof a large transaction16:44
mfischthe fix that a colleague made was so just allow range deletions to avoid locking the table for a long time16:45
*** _cjones_ has joined #openstack-keystone16:47
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Remove URL field from regions  https://review.openstack.org/15010916:48
rodrigodsstevemar, ^ thanks for the review16:48
stevemarnp!16:48
stevemarthanks for a quick fix :)16:48
rodrigods:)16:48
*** nellysmitt has quit IRC16:52
*** rwsu_ has joined #openstack-keystone16:53
*** rwsu has quit IRC16:53
marekdrodrigods what were your concerns about revocation in https://review.openstack.org/#/c/149071/ ? Tokens for normal users?16:54
*** abhirc has quit IRC16:54
*** abhirc has joined #openstack-keystone16:54
mfischlbragstad: here's the bug I was mentioning about token flush; https://bugs.launchpad.net/keystone/+bug/118837816:55
mfischsorry for the delay I'm in a meeting16:55
rodrigodsmarekd, federated tokens that still valid even after delete an IdP16:55
rodrigodsmarekd, assumed that both topics (the spec) and token revoking for that use case were discussed :)16:56
lbragstadmfisch: no worries, thanks!16:56
*** afaranha has quit IRC16:57
*** notmyname has quit IRC17:00
*** zz_avozza is now known as avozza17:01
lbragstadmfisch: would you be able to respond to http://lists.openstack.org/pipermail/openstack-operators/2015-January/006019.html just to bounce it off the mailing list? I just subscribed so I can reply17:01
*** notmyname has joined #openstack-keystone17:02
*** rwsu_ is now known as rwsu17:04
mfischyeah17:07
marekdrodrigods: but token revocation in general is a broad topic and i think there is a bug related to federated tokens and IdP deletion.17:07
marekd(still not resolved AFAIR)17:07
marekdand to be honest, this spec doesn't change anything in the matters you are concerned.17:08
marekdit just allows for authenticating users who actually exist in the backend.17:08
mfischlbragstad: done17:08
lbragstadmfisch: thank you sir!17:08
* mfisch cringes at all the TWC corporate legal BS that gets added to his emails :(17:08
marekdso, let's authn with 1st class IdP instead using auth methods like password in Keystone.17:08
*** rm_work is now known as rm_work|away17:10
marekdrodrigods: your concerns raised some flag, as how should we behave if the user was authenticated and the IdP got deregistered, but I think as long as the user himself is active and was not blocker, nor deleted, we shouldn't revoke his tokens.17:10
marekdayoung_snowedin: ^^ makes sense?17:10
marekdayoung_snowedin: talking https://review.openstack.org/#/c/149071/ now.17:10
*** MasterPiece has quit IRC17:10
stevemarmfisch, its like glitter at the end of a letter17:10
mfischyeah about as terrible as glitter too17:10
mfischlawyer glitter17:10
stevemarmarekd, that was always the case, even back in havana/icehouse17:11
henrynash_bknuson: hi17:11
henrynash_bknudson: hi17:11
marekdstevemar: you mean?17:11
marekdstevemar: i dared to change your kickass code. Hope you will not kill me: https://review.openstack.org/#/c/110858/17:12
stevemarmarekd, please dare away17:13
stevemaryou know i don't care :)17:13
rodrigodsmarekd, makes sense, although I'm curious to know how we going to finally solve this17:14
marekdrodrigods: revocation events and federation?17:14
rodrigodsmarekd, yes17:15
marekdrodrigods: so, recaling some discussions back somewhere in early Icehouse  cycle the only 'matching' point was Identity Provider from the token.17:16
marekdrodrigods: to be honest i am not super update what's te current state of revocation events :-)17:16
marekdare they merged, working etc?17:16
marekdi remember there was some problems with them.17:17
marekdthey also seem to be crucial for PKI(Z) tokens, am I right?17:17
rodrigodsmarekd, exactly17:17
rodrigodsnot sure why they had some problems though, the revoking tree is "up and running"17:17
marekdrodrigods: exactly crucial for PKIs ?17:17
rodrigodsmarekd, yes17:18
rodrigodsquestions that ayoung_snowedin can easily answer, although he seems to be afk or just ignoring IRC pings17:18
marekdor working with his snowshovel17:19
* rodrigods needs to get a big picture of the token revoking status17:19
marekdwhere PKI tree code lays in Keystone?17:19
rodrigodsmarekd, hmm just a sec17:19
marekdcontrib/revoke17:19
marekdi tihnk17:19
*** lhcheng has joined #openstack-keystone17:20
rodrigodsmarekd, https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/model.py#L11717:21
rodrigodsthe RevokeTree, to understand the code: http://adam.younglogic.com/2014/02/compressed-tokens/17:22
rodrigodsmarekd, assumed we need to add an IdP key somewhere in it17:22
rodrigodsmorganfainberg, in the mood to do some code review between meetings today?17:23
marekdrodrigods: yes.17:24
morganfainbergrodrigods, i'm going to go get some coffee ;) but this whole week needs code review and lots of it17:24
marekdmorganfainberg: yes sir, it does!17:24
*** _cjones_ has quit IRC17:24
rodrigodsmorganfainberg, so we have two changes that might help nested quota drivers in Nova a lot: https://review.openstack.org/#/c/148567/ and https://review.openstack.org/#/c/148618/17:25
marekddo revocation evens are being now used also for UUID tokens?17:25
rodrigodsmarekd, don't think so17:25
rodrigodsthink we have the old "is this token valid" request17:25
marekdHEAD /auth/tokens or sth like that, right?17:25
*** _cjones_ has joined #openstack-keystone17:25
rodrigodsmarekd, yeag17:26
rodrigodsyeah*17:26
*** atiwari has joined #openstack-keystone17:27
*** gokrokve_ has quit IRC17:28
morganfainbergmarekd,revocation events work for uuid and you can turn off the revocation list17:28
*** thedodd has joined #openstack-keystone17:28
morganfainbergmarekd, but auth_token middleware cannot consume revocation events, only works inside keystone17:28
rodrigodsmorganfainberg, hmm thanks for the explanation17:28
rodrigodsso right now all openstack services need to validate via HEAD /auth/tokens?17:29
*** rushiagr is now known as rushiagr_away17:40
*** gokrokve has joined #openstack-keystone17:44
morganfainbergrodrigods, or GET if you use revocation events.17:45
morganfainbergrodrigods, meaning PKI tokens wont work with it17:46
morganfainbergayoung_snowedin, is this something like your house? http://i.imgur.com/ILX0gmv.gifv17:46
openstackgerritArvind Tiwari proposed openstack/keystone: Bumping up the testr and subunit versions  https://review.openstack.org/15051517:47
*** krykowski has joined #openstack-keystone17:48
openstackgerritArvind Tiwari proposed openstack/keystone: Bumping up the testr and subunit versions  https://review.openstack.org/15051517:49
morganfainbergatiwari, ^ shouldn't the proposal bot be handling that?17:49
stevemar++17:49
atiwarimorganfainberg, I sorry not idea17:50
atiwarimay be I can abandon it17:51
morganfainbergatiwari, and that can't merge it doesn't match requirements from openstack/requirements repo17:51
atiwarihmm17:51
*** krykowski has quit IRC17:51
morganfainbergatiwari, propose the change against global reqirements repo17:51
atiwariok17:51
*** krykowski has joined #openstack-keystone17:51
*** ajayaa is now known as ajayaa_17:52
*** ajayaa_ has quit IRC17:53
-openstackstatus- NOTICE: Gerrit and Zuul will be offline for a few minutes for a security update17:53
*** ajayaa has joined #openstack-keystone17:53
stevemari imagine theres gotta be some projects doing something backwards incompatible with those libs17:54
ayoung_snowedinmorganfainberg, that looks about right.  Somewhere just over 2 feet on the sidewalk17:54
* ayoung_snowedin was out shoveling17:54
morganfainbergsend some snow over to SoCal... so you can laugh at people17:54
ayoung_snowedinmarekd, rodrigods when in doubt: revoke17:55
*** ayoung_snowedin is now known as ayoung17:55
*** ajayaa has quit IRC17:56
ayoungmorganfainberg, moving snow takes a lot of energy.  I moved it roughly 2 feet lateraly17:56
ayoungmoving it so SoCal ... whew17:56
*** ajayaa_ has joined #openstack-keystone17:57
*** ajayaa_ has quit IRC17:58
ayoungmarekd, rodrigods looks correct upon first glance17:58
*** ajayaa has joined #openstack-keystone17:59
openstackgerritMerged openstack/python-keystoneclient: Updated service name to be optional in CLI  https://review.openstack.org/14322317:59
rodrigodsayoung, in the mood for some code review today? :)18:00
rodrigodshave two awesome HMT patches18:00
rodrigodsneeding core reviews18:00
*** openstack` has joined #openstack-keystone18:03
-sendak.freenode.net- [freenode-info] help freenode weed out clonebots -- please register your IRC nick and auto-identify: http://freenode.net/faq.shtml#nicksetup18:03
*** openstack has quit IRC18:03
*** ajayaa has quit IRC18:04
*** openstack has joined #openstack-keystone18:04
*** openstack has quit IRC18:04
*** openstack has joined #openstack-keystone18:05
*** tqtran has joined #openstack-keystone18:05
*** openstack has quit IRC18:05
*** openstack has joined #openstack-keystone18:06
*** openstack is now known as angelamolock18:06
*** openstack` is now known as openstack18:06
*** harlowja has joined #openstack-keystone18:06
openstackgerritDavid Stanek proposed openstack/keystone: exclude functional tests from unit test runs  https://review.openstack.org/15052718:08
openstackgerritDavid Stanek proposed openstack/keystone: adds a tox target for functional tests  https://review.openstack.org/15052818:08
*** krykowski has quit IRC18:09
*** krykowski has joined #openstack-keystone18:09
openstackgerritMerged openstack/keystone-specs: Visual Page for WebSSO  https://review.openstack.org/13352918:10
*** kfox1111 has joined #openstack-keystone18:12
*** kfox1111 has quit IRC18:16
*** timcline has joined #openstack-keystone18:19
*** gyee has joined #openstack-keystone18:20
*** ChanServ sets mode: +v gyee18:20
*** krykowski has quit IRC18:20
*** markvoelker has quit IRC18:22
*** markvoelker has joined #openstack-keystone18:24
*** krykowski has joined #openstack-keystone18:25
*** jorge_munoz has joined #openstack-keystone18:28
*** gokrokve_ has joined #openstack-keystone18:28
*** openstackgerrit has quit IRC18:30
*** gokrokve has quit IRC18:31
*** openstackgerrit has joined #openstack-keystone18:32
*** gokrokve_ has quit IRC18:33
*** jaosorior has quit IRC18:34
rodrigodsgyee, available to do a couple reviews in some awesome HMT patches? https://review.openstack.org/#/c/148567/ and https://review.openstack.org/#/c/148618/18:39
gyeerodrigods, yes, after the meeting18:39
dolphm"2^64 * 16 is 256 exabytes. As in, you would need to store 256 exabytes worth of IDs before you had a 50% chance of an ID collision in a single application space."18:40
rodrigodsdolphm, wow18:40
rodrigodsgyee, thx!18:40
*** ChanServ changes topic to "Release Blockers: https://gist.github.com/dolph/651c6a1748f69637abd0 << please review for client release on Feb 1st | http://opensax.com/ | Reviews Guarantee Citizenship </starship troopers>"18:46
rodrigodsdolphm, can we add https://review.openstack.org/#/c/115770/ to that list?18:47
rodrigodsalso https://review.openstack.org/#/c/150078/ if we have the server changes merged in time18:47
morganfainbergFYI, since most cores are here - you all can change the topic of the channel: /msg chanserv topic[append] #openstack-keystone <topic>18:47
morganfainberglook at chanserv docs on how topic and topicappend work if you care18:47
rodrigodsthere is a patch in Nova (nested quota drivers using hierarchical projects)18:48
rodrigodsthat needs those changes18:48
rodrigodsmorganfainberg, ^asking you too, once the meeting is over you can check if it is possible :)18:49
*** gokrokve has joined #openstack-keystone18:50
*** harlowja has quit IRC18:52
*** nellysmitt has joined #openstack-keystone18:53
openstackgerritSteve Martinelli proposed openstack/pycadf: Pull out some CADF taxonomy to be constants  https://review.openstack.org/14901118:53
*** krykowski has quit IRC18:53
*** gokrokve has quit IRC18:56
*** gokrokve has joined #openstack-keystone18:56
jamielennoxgyee: you need https://review.openstack.org/#/c/141267/18:58
gyeejamielennox, awesome!!!!!!!!!!!!!18:58
gyeejamielennox, btw, are we going to wait for a new neutronclient release and then fix this one? https://review.openstack.org/#/c/141267/18:59
jamielennoxnot the patch i think you meant - but i know the one19:00
jamielennoxyea - i didn't see i had much option19:00
*** rushiagr_away is now known as rushiagr19:00
jamielennoxi've got the fix landed in neutronclient i just need them to release19:00
gyeejamielennox, cool, thanks, just want to make sure19:01
morganfainberghenrynash_, samueldmq, which specs under no-spec discussions on the meeting list still need to be reviewed?19:01
morganfainbergall three?19:01
gyeedomain roles spec, or the HMT ones?19:01
bretonthere was also "Review un-approved specs for Feb 5th Spec Proposal Deadline" in agenda19:02
samueldmqmorganfainberg, mine's merged, sorry for not removing from there (Improve list role assignments filtering performance)19:02
raildogyee, if you want review, i appreciate :) https://review.openstack.org/#/c/139824/17/specs/kilo/reseller.rst19:02
morganfainbergsamueldmq, please remove it from that list then19:02
henrynash_morganfainberg: and the lsit filtering one was Approved at the midcyce19:02
samueldmqmorganfainberg, well, in fact it needed a spec that is already merged now19:02
raildogyee, and this https://review.openstack.org/#/c/148730/19:03
morganfainbergok please remove ones we talked about from that list if you don't mind.19:03
samueldmqmorganfainberg, done19:03
morganfainberghenrynash_, ^19:03
bretonand I wanted to throw in Alembic spec there19:03
morganfainbergthanks19:03
raildogyee, it's related to HMT and reseller19:03
*** rm_work|away is now known as rm_work19:03
morganfainbergbreton, that is more of a "hey everyone review these"19:03
henrynash_done19:03
morganfainbergbreton, which is why i skipped.19:03
morganfainbergtoo cramped for time there19:03
samueldmqmorganfainberg, henrynash_ so we decided to push domain roles ?19:03
morganfainbergsamueldmq, i think so. they are nice to have but really provide minimal benefit without some dynamic policy (cc ayoung )19:04
henrynash_samueldmq: I’m getting that feeling…and we see how far we get with ayoung’s stuff and then see what we need to bring together19:04
*** saikrishna has joined #openstack-keystone19:04
morganfainberghenrynash_, ++ exactly19:04
openstackgerritSteve Martinelli proposed openstack/pycadf: Pull out some CADF taxonomy to be constants  https://review.openstack.org/14901119:05
ayoungdagnabit...I thought the meeting was at 2 my time19:05
samueldmqmorganfainberg, henrynash_ ok .. don't know exactly how far we will get ... but let's see, as you just said19:05
* ayoung reads up 19:05
henrynash_morganfainbeg, samueldmq: We definitely need to give a domain administrator teh ability to create roley-things that are private and meaningfu to just their domain…it’s just how we do it19:05
samueldmqhenrynash_, ++19:06
gyeehenrynash_, absolutely no argument there19:06
raildohenrynash_, morganfainberg and about the name clash, we can create a constraint to represent a domain (as henrynash_ suggested)  this and move on with the spec?19:06
gyeejust the way we go about it to make it intuitive and user friendly19:06
henrynash_gyee”++19:07
henrynash_gyee:++19:07
*** ksavich_ has joined #openstack-keystone19:07
ayoungArgh...so sorry I missed that discussion....19:07
samueldmqhenrynash_, I will check all the dynamic policy stuff and try to get an idea on how we'll get this in there19:08
ayoungmorganfainberg, Projects don't really *need* to be in domains, do they? Domains are are really only useful for User and group management19:08
samueldmqayoung, and projects in domains mean that only users/groups managed in that domain use them19:09
morganfainbergayoung, are you telling me there is no reason to now merge projects and domains (i feel like each time we talk you're on a different side of this conversation?)19:09
morganfainbergor am i mis-reading that?19:09
* morganfainberg might be misreading that statement.19:09
ayoungmorganfainberg, no...I am telling you that I am continuing to think about this probelm and my understanding is evolving19:10
ayoungwith the name clash issue...we make things worse on the Horizon front19:10
samueldmqayoung, we don't have name clash anymore19:10
ayoungif there is both a domain named "RedHat" and a preexisint project named RedHat19:10
ayoungthe user is going to be confused if they are both presented as the same thing19:10
gyeejust gimme a duck, damn it!19:11
samueldmqayoung, project names are domain scope, so we solve that ... we discussed that in meeting (raildo correct me if I'm wrong)19:11
ayounghey gyee ?19:11
ayoungDUCK!19:11
samueldmqs/scope/scoped19:11
morganfainberggyee, stop bringing ducks to the table, we already have enough ducks :P19:11
ayoungsamueldmq, nope, you didn't19:11
ayoungand I am really sorry I missed that discussion19:11
ayoung the real issue is presenting data to Horizon, or other ways that users need to select19:11
raildoayoung, but this data is presenting in different views, right?19:12
gyeeI just need a way to isolate resources, I don't care we call it project or domain or whatever19:12
*** markvoelker has quit IRC19:12
*** henrynash_ has quit IRC19:12
bknudsoncall them resources19:12
*** henrynash has joined #openstack-keystone19:12
*** ChanServ sets mode: +v henrynash19:12
raildowhen I use the domain view, I'll see the domain "Redhat" and when I use the project redhat...19:12
gyeebknudson, doh!19:12
ayoungI think the right solution is to use a nested namespace, much like what we do in URLs. so RedHat domain  could have RedHat proehjct and we would present it like RedHat:RedHat19:13
ayoungand if they have a...management project it would be19:13
ayoungRedHat:Management19:13
ayoungnested proejcts thne would be like:19:13
ayoungRedHat:Management/web/ha19:13
morganfainbergayoung, sure. i think that really doesn't change the argument of "are domains useful as a separate entity from projects". they're really all containers.19:13
morganfainbergayoung, and we've already said domains can be nested19:14
ayoungmorganfainberg, nested domains are a good idea, but there are some tricky aspects19:14
*** markvoelker has joined #openstack-keystone19:14
ayoungare domain names globally unique?19:14
morganfainbergayoung, no. only top-level domains19:14
ayoungor only within the scope of a degree of nesting19:14
morganfainbergayoung, but are unique within a namespace19:15
ayoungso they are namespaced by their parent domain?  Does this support the reseller info hiding needs?19:15
morganfainbergsame as projects (in fact they shouldn't collide with project names in the same namespace for the same reason)19:15
morganfainbergayoung, i think we will need some work on the info hiding bits.19:15
morganfainbergayoung, but largely, yes that is the idea. so you can have RedHat:Management:<project>19:16
ayoungmorganfainberg, I think the right approach is something like:  things are unique only within a namespace19:16
morganfainbergand IBM:Management:<project>19:16
samueldmqayoung, ++19:16
ayoungnested projects shouldn';t have to be globally unique, even within a domain19:16
raildomorganfainberg, young, so, what you want to say is: Yes, we can have name clash but not in the same hierarchy?19:16
ayoungbut more like the rules for two files in the same directory19:16
morganfainbergayoung, that is current design proposed.19:16
ayoungso how do we present that in Horizon?19:16
morganfainbergayoung, project names are unique in a namespace19:16
samueldmqmorganfainberg, yes, ayoung got the idea19:17
samueldmqhis concern is about horizon19:17
morganfainbergthe only thing that is also happening is domains and projects *also* cannot collide in a namespace19:17
morganfainbergto help limit confusion getting worse19:17
david-lyleI'm not worried about duplicate names, really, we work off id's anyway19:17
samueldmqdavid-lyle, but the ux ?19:18
morganfainbergdavid-lyle, he's asking how do you know it's Domain RedHat at the top or Project RedHat in domain RedHat19:18
*** david8hu has joined #openstack-keystone19:18
samueldmqmorganfainberg, ++19:18
morganfainbergsamueldmq, this is where a ux designer needs to step in. if we aren't breaking v3 compatibility we present the data in as sane a way as possible - we're already on that path. uniqueness of names is guaranteed within a namespace19:19
david-lylewe will likely show in some sort of tree19:19
morganfainberglet the guys who are good at ux help suss out presentation of that data19:19
david-lylewe have many designs in progress looking at hierarchies19:19
raildoI believe that david-lyle remember the design that I show in the summit. We don't have this problem in that design19:19
samueldmqmorganfainberg, yes, we dont break v3, but we added hierarchies ...19:19
samueldmqmorganfainberg, yes I agree, that's where ux designers come in19:20
samueldmq++19:20
david-lylePiet in the ux or horizon rooms is working on those19:20
morganfainbergsamueldmq, that is the point, we present data clearly <namspace>:<sub namespace> ....19:20
morganfainbergetc19:20
morganfainbergthis doesn't change our direction really19:20
raildodavid-lyle, yes, I was in a meeting with him today, discuss this :)19:20
samueldmqmorganfainberg, completely agree :)19:20
morganfainbergnor any conversations from the meeting19:20
openstackgerritDavid Stanek proposed openstack/keystone: exclude functional tests from unit test runs  https://review.openstack.org/15052719:20
openstackgerritDavid Stanek proposed openstack/keystone: adds a tox target for functional tests  https://review.openstack.org/15052819:20
morganfainbergi think for sanity reasons, it makes sense to still collapse domains -> projects19:21
david-lylebut if we're just giving users a flat list with domains and projects with name only and no context, we've already failed on the UX front19:21
morganfainbergotherwise the namespace restrictions start getting all sorts of heavy handed19:21
morganfainbergand open to edge cases.19:21
morganfainbergso i think we're all on the right path still.19:21
morganfainbergdavid-lyle, thanks!19:21
samueldmqdavid-lyle, ++ I agree, we are moving in the right path :)19:21
samueldmqgreat!19:21
ayoungmorganfainberg, I think, then,that domains are projects that are owned by parents, and do not own them self19:22
ayoungbut they are going to be "cut points" in visibility19:22
morganfainbergayoung, exactly what we discussed in the meeting.19:22
samueldmq++19:22
morganfainberg:)19:22
samueldmqmorganfainberg, can we have resources (vms) in a domain-ness porject ?19:22
morganfainbergayoung, the only exception is top-level which is "owned" by no one [well keystone service but you know]19:22
ayoungmorganfainberg, project names should not be unique within domains19:22
ayoungonly within nesting19:22
morganfainbergayoung, within a specific namespace19:23
raildosamueldmq, yes19:23
gyeedavid-lyle, but you can use different fonts for special projects :)19:23
samueldmqmorganfainberg, raildo don't that break v3 domain concept (which is a container for users/projects)?19:23
gyeeor maybe different color?19:23
morganfainbergyou cannot have RedHat:<Management <with idX>> and RedHat:<Management <with idY>>19:23
*** jistr has quit IRC19:23
morganfainbergsamueldmq, nope19:23
ayoungso long as we have a path to let horizon work on operations that are protected by domain scoped policy, we are good19:24
raildosamueldmq, no, because the other services don't know about domains19:24
raildosamueldmq, so, for the nova, its is just a project19:24
morganfainbergayoung, actually within a domain project names do need to be unique still - v3 compat19:24
morganfainbergayoung, sorry19:24
*** thedodd has quit IRC19:24
samueldmqraildo, I know it's possible to easily do it, my concern is about conssitency19:24
ayoungmorganfainberg, not if we say that nested project names inherit their parents19:24
ayoungso  instead of19:24
morganfainbergif you need duplicate names you'll need either to reference by full namespace ^^ [what you said] oooor19:24
morganfainbergcreate a secondary domain19:25
morganfainberg[easy]19:25
ayoungmanagement  we say it is is redhat/management19:25
morganfainbergboth work19:25
gyeewe could do it LDAP style, everything's is uniquely identity by DN19:25
ayoungmorganfainberg, list projects for domain would return the FQPN19:25
*** saikrishna has quit IRC19:27
*** radez is now known as radez_g0n319:27
*** harlowja has joined #openstack-keystone19:28
*** dims has quit IRC19:29
*** nkinder has quit IRC19:30
*** keystonelpbug has joined #openstack-keystone19:30
morganfainbergbug 124062519:31
keystonelpbugbug 1240625 in Keystone "User cannot set their own default project" [Wishlist,In progress] https://launchpad.net/bugs/124062519:31
morganfainberg^ temporary bot until my change gets added to -infra19:31
morganfainbergto make openstack bot smarter19:31
samueldmqmorganfainberg, ++19:31
morganfainbergbug 119:31
keystonelpbugbug 1 in Ubuntu Malaysia LoCo Team "Microsoft has a majority market share" [Critical,In progress] https://launchpad.net/bugs/119:31
samueldmqo/19:31
samueldmqmorganfainberg, just to make sure you understood my previous question: can domain-ness projects have vms?19:32
morganfainbergsamueldmq, no reason they can't.19:32
samueldmqmorganfainberg, we don't get it as projects if we list projects, dont we?19:32
morganfainbergsamueldmq, that is a deployer choice / nova choice.19:33
morganfainbergsamueldmq, you don't get it as a project if you list it's projects19:33
morganfainbergyou would get it as a project if you listed the projects of it's parent19:33
rodrigodsmorganfainberg, how can they control quotas then?19:33
*** dims has joined #openstack-keystone19:34
rodrigodsif the domainess project is root, for example19:34
samueldmqso subdomains will be treated as projects in this case??19:34
morganfainbergrodrigods, step back19:34
morganfainberghow do you expect to enforce this?19:34
morganfainbergif a domain is a project, how can keystone stop people from doing this?19:34
morganfainbergthis is a question out of scope for keystone19:35
rodrigodsmorganfainberg, ok...19:35
morganfainberghow the quota is consumed becomes a question for nova19:35
rodrigodswe just need to provide a clear and consistent API19:35
morganfainbergor cinder19:35
rodrigodsmorganfainberg, ++19:35
morganfainbergand it makes sense, what if you tie your glance images to the domain project19:35
morganfainbergand share those resources down19:36
rodrigodsmakes sense19:36
samueldmqmorganfainberg, hm... so if you ask for list_projects on a parent domain, *both* subdomains and projects will be seen in *project shell*19:36
morganfainbergnova may not let vms happen on a "domain" but other services may.19:36
samueldmqmorganfainberg, because a domain is a project19:36
samueldmqmakes sense to me19:36
morganfainbergsamueldmq, correct19:36
samueldmqmorganfainberg, ++19:36
rodrigodsso we need to agree on how to represent domain-ness projects and also what will be the constraint in the project table since name clashing isn't an issue19:37
rodrigodsraildo, ayoung, henrynash ^19:37
raildorodrigods, ++19:38
*** afazekas has quit IRC19:38
*** rushiagr is now known as rushiagr_away19:40
morganfainbergstevemar i punted cadf everywhere to k319:42
morganfainbergstevemar, since it had no reviews open19:43
*** nkinder has joined #openstack-keystone19:44
jamielennoxmorganfainberg: can you register keystoneclient-federation as a launchpad project?19:45
morganfainbergjamielennox, sure. give me a few19:46
morganfainbergi thought i did that already19:46
jamielennoxmorganfainberg: there's no bug tracker or blueprints apparently19:46
stevemarmorganfainberg, gah, i am in the process of doing the code now, but thats fine, early k319:49
openstackgerrithenry-nash proposed openstack/keystone: Move projects and domains to their own backend  https://review.openstack.org/14482419:49
morganfainbergjamielennox, fixed19:50
openstackgerritMerged openstack/keystone: Change /POST to /ECP at federation config  https://review.openstack.org/13008119:50
*** rushiagr_away is now known as rushiagr19:50
morganfainbergjamielennox, https://launchpad.net/python-keystoneclient-federation19:51
*** ljfisher has joined #openstack-keystone19:54
*** nellysmitt has quit IRC19:55
*** joesavak has quit IRC19:55
*** joesavak has joined #openstack-keystone19:56
*** aix has quit IRC19:56
raildomorganfainberg, henrynash, ayoung, rodrigods I have a proposal to resolve our problem about the name clashing, and domains as project..19:56
raildoso, we need to define 3 things...19:56
raildo1- domain in a top level of the hierarchy: a project that project_id and domain_id are the same, and parent_id is null19:57
raildo2- domains as a subdomain: a project that project_id and domain_id are the same, and parent_id is not null (points to a parent domain - we won't allow a domain to be under a "project")19:57
raildo3- project that is not a domain: a project that project_id is different from its domain_id and its domain_id is your first project domain-ness above him, and your parent_id is not null (points to a "project")19:57
raildoSo, we don't need a flag domain-ness to represent a domain in the project table and we can create a constrain like:19:58
raildoproject: name + (project_id != domain_id) and domain: name + (project_id == domain_id)19:58
raildoand also assert that a project always have a parent_id different of null, and we don't have any problem anymore. what do you think?19:59
openstackgerritSteve Martinelli proposed openstack/pycadf: Add new CADF taxonomy types  https://review.openstack.org/14901320:00
morganfainbergstevemar, if the code lands before the end of the week we can move it back to k220:01
morganfainbergstevemar, fyi20:01
morganfainbergstevemar, or is in flight by end of week20:01
stevemarmorganfainberg, hoping to have it in flight by tomorrow20:01
stevemarbut i keep getting distracted20:01
morganfainbergsounds good20:01
stevemarspec reviews and other reviews and other stuff20:02
openstackgerritMerged openstack/keystone: Assignment sql backend create_grant refactoring  https://review.openstack.org/14135220:02
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param  https://review.openstack.org/14856720:05
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param  https://review.openstack.org/14861820:05
*** atiwari1 has joined #openstack-keystone20:07
*** stevemar has quit IRC20:08
*** stevemar has joined #openstack-keystone20:08
*** ChanServ sets mode: +v stevemar20:08
*** atiwari has quit IRC20:10
samueldmqmorganfainberg, bknudson bug 141519020:12
keystonelpbugbug 1415190 in Keystone "list_user_projects method at assignment manager needs to be removed" [Undecided,New] https://launchpad.net/bugs/141519020:12
samueldmqrodrigods, ^20:12
*** thedodd has joined #openstack-keystone20:13
marekdjamielennox: morganfainberg looks like we can now register bp for python-keystoneclient-federation, right?20:14
jamielennoxmarekd: yep - morganfainberg just created the project20:15
marekdjamielennox: not sure how the tests should look like in https://review.openstack.org/#/c/150305/20:16
marekdshall we do the raw copy from ksc repo (ofc only those that tests plugins)20:17
jamielennoxmarekd: yea, i thought we were going to make the first patch just a copy across20:17
jamielennoxdo you want me to do that one?20:17
marekdjamielennox: go ahead.20:19
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove custom string truth handling  https://review.openstack.org/13822020:20
*** timcline has quit IRC20:21
*** timcline has joined #openstack-keystone20:21
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Remove list_user_projects method from assignment  https://review.openstack.org/15057420:21
*** openstack has joined #openstack-keystone20:37
ayoungraildo, I think we have some wiggle room, as V3 came without HMT20:37
ayoungwe are already saying HMT means "only global within namespace"20:38
*** dims has quit IRC20:38
*** david8hu has quit IRC20:38
*** openstackgerrit has quit IRC20:38
*** rwsu has quit IRC20:38
*** jasondotstar has quit IRC20:38
*** joesavak has quit IRC20:38
*** cyeoh has quit IRC20:38
*** mgagne_ has quit IRC20:38
*** dtroyer_zz has quit IRC20:38
*** _d34dh0r53_ has quit IRC20:38
*** dutsmoc has quit IRC20:38
*** ksavich_ has quit IRC20:38
*** lhcheng has quit IRC20:38
*** aslaen has quit IRC20:38
*** abhirc has quit IRC20:38
*** marg7175 has quit IRC20:38
*** grantbow has quit IRC20:38
*** ChanServ has quit IRC20:38
*** _cjones_ has quit IRC20:38
*** chrisshattuck has quit IRC20:38
*** svasheka has quit IRC20:38
*** bknudson has quit IRC20:38
*** nkinder has quit IRC20:38
*** keystonelpbug has quit IRC20:38
*** tqtran has quit IRC20:38
*** fifieldt has quit IRC20:38
*** larsks has quit IRC20:38
*** saltsa has quit IRC20:38
*** timcline has quit IRC20:38
*** EmilienM has quit IRC20:38
*** rm_work has quit IRC20:38
*** jamielennox has quit IRC20:38
*** markvoelker has quit IRC20:38
*** r-daneel has quit IRC20:38
*** tellesnobrega has quit IRC20:38
*** zhiyan has quit IRC20:38
*** f13o has quit IRC20:38
*** g2` has quit IRC20:38
*** ayoung has quit IRC20:38
*** andreaf has quit IRC20:38
*** x58 has quit IRC20:38
*** david-lyle has quit IRC20:38
*** zigo has quit IRC20:38
*** Nakato has quit IRC20:38
*** hogepodge has quit IRC20:38
*** gus has quit IRC20:38
*** dougwig has quit IRC20:38
*** jamiec has quit IRC20:38
*** sudorandom has quit IRC20:38
*** henrynash has quit IRC20:38
*** atiwari1 has quit IRC20:38
*** richm has quit IRC20:38
*** pnavarro has quit IRC20:38
*** bjornar has quit IRC20:38
*** gabriel-bezerra has quit IRC20:38
*** htruta has quit IRC20:38
*** breton has quit IRC20:38
*** lsmola has quit IRC20:38
*** xianghui has quit IRC20:38
*** gothicmindfood has quit IRC20:38
*** wanghong has quit IRC20:38
*** therve has quit IRC20:38
*** stevemar has quit IRC20:38
*** notmyname has quit IRC20:38
*** chlong has quit IRC20:38
*** rharwood has quit IRC20:38
*** swartulv has quit IRC20:38
*** xxj has quit IRC20:38
*** trey has quit IRC20:38
*** dguerri has quit IRC20:38
*** harlowja has quit IRC20:38
*** gokrokve has quit IRC20:38
*** packet has quit IRC20:38
*** Ctina has quit IRC20:38
*** topol has quit IRC20:38
*** samueldmq has quit IRC20:38
*** alex_xu has quit IRC20:38
*** mkoderer has quit IRC20:38
*** dobson has quit IRC20:38
*** amakarov has quit IRC20:38
*** jimbaker has quit IRC20:38
*** Qlawy has quit IRC20:38
*** thedodd has quit IRC20:38
*** mattfarina has quit IRC20:38
*** mitz has quit IRC20:38
*** tsufiev_ has quit IRC20:38
*** jjulien has quit IRC20:38
*** kragniz has quit IRC20:38
*** ekarlso has quit IRC20:38
*** radez_g0n3 has quit IRC20:38
*** telemonster has quit IRC20:38
*** chmouel has quit IRC20:38
*** wpf has quit IRC20:38
*** dhellmann has quit IRC20:38
*** a2hill has quit IRC20:38
*** rodrigods has quit IRC20:38
*** jorge_munoz has quit IRC20:38
*** gyee has quit IRC20:38
*** carlosmarin has quit IRC20:38
*** gordc has quit IRC20:38
*** josecastroleon has quit IRC20:38
*** serverascode has quit IRC20:38
*** jraim has quit IRC20:38
*** mhu has quit IRC20:38
*** d0ugal has quit IRC20:38
*** lbragstad has quit IRC20:38
*** crinkle has quit IRC20:38
*** amaurymedeiros has quit IRC20:38
*** evilrob has quit IRC20:38
*** rdo_ has quit IRC20:38
*** jell has quit IRC20:38
*** esp has quit IRC20:38
*** csd has quit IRC20:38
*** quack_quack_ has quit IRC20:38
*** hugokuo has quit IRC20:38
*** jacorob has quit IRC20:38
*** dolphm has quit IRC20:38
*** mancdaz has quit IRC20:38
*** adam_g has quit IRC20:38
*** hockeynut has quit IRC20:38
*** arif-ali has quit IRC20:38
*** andreaf_ has quit IRC20:38
*** zzzeek has quit IRC20:38
*** jdennis has quit IRC20:38
*** toddnni has quit IRC20:38
*** anteaya has quit IRC20:38
*** lvh has quit IRC20:38
*** esmute has quit IRC20:38
*** arunkant has quit IRC20:38
*** baffle_ has quit IRC20:38
*** davechen_ has quit IRC20:38
*** jbonjean has quit IRC20:38
*** HenryG has quit IRC20:38
*** navid_ has quit IRC20:38
*** vhoward has quit IRC20:38
*** avozza has quit IRC20:38
*** charz has quit IRC20:38
*** mfisch has quit IRC20:38
*** marekd has quit IRC20:38
*** angelamolock has quit IRC20:38
*** sriram has quit IRC20:38
*** raildo has quit IRC20:38
*** ctracey has quit IRC20:38
*** vishy has quit IRC20:38
*** redrobot has quit IRC20:38
*** wolsen_ has quit IRC20:38
*** tristanC has quit IRC20:38
*** rushiagr has quit IRC20:38
*** boris-42 has quit IRC20:38
*** morganfainberg has quit IRC20:38
*** nonameentername has quit IRC20:38
*** BAKfr has quit IRC20:38
*** gsilvis has quit IRC20:38
*** erkules has quit IRC20:38
*** achudnovets_ has quit IRC20:38
*** dstanek has quit IRC20:38
*** henrynash has joined #openstack-keystone20:44
*** joesavak has joined #openstack-keystone20:44
*** cyeoh has joined #openstack-keystone20:44
*** timcline has joined #openstack-keystone20:44
*** mgagne_ has joined #openstack-keystone20:44
*** EmilienM has joined #openstack-keystone20:44
*** dtroyer_zz has joined #openstack-keystone20:44
*** rm_work has joined #openstack-keystone20:44
*** jamielennox has joined #openstack-keystone20:44
*** _d34dh0r53_ has joined #openstack-keystone20:44
*** dutsmoc has joined #openstack-keystone20:44
*** thedodd has joined #openstack-keystone20:44
*** stevemar has joined #openstack-keystone20:44
*** atiwari1 has joined #openstack-keystone20:44
*** nkinder has joined #openstack-keystone20:44
*** dims has joined #openstack-keystone20:44
*** keystonelpbug has joined #openstack-keystone20:44
*** harlowja has joined #openstack-keystone20:44
*** david8hu has joined #openstack-keystone20:44
*** markvoelker has joined #openstack-keystone20:44
*** ksavich_ has joined #openstack-keystone20:44
*** gokrokve has joined #openstack-keystone20:44
*** openstackgerrit has joined #openstack-keystone20:44
*** jorge_munoz has joined #openstack-keystone20:44
*** gyee has joined #openstack-keystone20:44
*** sendak.freenode.net sets mode: +vvvv henrynash jamielennox stevemar gyee20:44
*** angelamolock has joined #openstack-keystone20:44
*** tqtran has joined #openstack-keystone20:44
*** _cjones_ has joined #openstack-keystone20:44
*** lhcheng has joined #openstack-keystone20:44
*** notmyname has joined #openstack-keystone20:44
*** abhirc has joined #openstack-keystone20:44
*** rwsu has joined #openstack-keystone20:44
*** chrisshattuck has joined #openstack-keystone20:44
*** svasheka has joined #openstack-keystone20:44
*** arif-ali has joined #openstack-keystone20:44
*** packet has joined #openstack-keystone20:44
*** andreaf_ has joined #openstack-keystone20:44
*** carlosmarin has joined #openstack-keystone20:44
*** zzzeek has joined #openstack-keystone20:44
*** gordc has joined #openstack-keystone20:44
*** Ctina has joined #openstack-keystone20:44
*** r-daneel has joined #openstack-keystone20:44
*** topol has joined #openstack-keystone20:44
*** richm has joined #openstack-keystone20:44
*** mattfarina has joined #openstack-keystone20:44
*** sendak.freenode.net sets mode: +v topol20:44
*** sriram has joined #openstack-keystone20:44
*** bknudson has joined #openstack-keystone20:44
*** tellesnobrega has joined #openstack-keystone20:44
*** marg7175 has joined #openstack-keystone20:44
*** samueldmq has joined #openstack-keystone20:44
*** josecastroleon has joined #openstack-keystone20:44
*** pnavarro has joined #openstack-keystone20:44
*** bjornar has joined #openstack-keystone20:44
*** erkules has joined #openstack-keystone20:44
*** gabriel-bezerra has joined #openstack-keystone20:44
*** htruta has joined #openstack-keystone20:44
*** fifieldt has joined #openstack-keystone20:44
*** chlong has joined #openstack-keystone20:44
*** jasondotstar has joined #openstack-keystone20:44
*** raildo has joined #openstack-keystone20:44
*** evilrob has joined #openstack-keystone20:44
*** zhiyan has joined #openstack-keystone20:44
*** serverascode has joined #openstack-keystone20:44
*** jdennis has joined #openstack-keystone20:44
*** ctracey has joined #openstack-keystone20:44
*** vishy has joined #openstack-keystone20:44
*** aslaen has joined #openstack-keystone20:44
*** vhoward has joined #openstack-keystone20:44
*** jraim has joined #openstack-keystone20:44
*** redrobot has joined #openstack-keystone20:44
*** f13o has joined #openstack-keystone20:44
*** mitz has joined #openstack-keystone20:44
*** g2` has joined #openstack-keystone20:44
*** ayoung has joined #openstack-keystone20:44
*** andreaf has joined #openstack-keystone20:44
*** wpf has joined #openstack-keystone20:44
*** toddnni has joined #openstack-keystone20:44
*** grantbow has joined #openstack-keystone20:44
*** larsks has joined #openstack-keystone20:44
*** tsufiev_ has joined #openstack-keystone20:44
*** saltsa has joined #openstack-keystone20:44
*** anteaya has joined #openstack-keystone20:44
*** mhu has joined #openstack-keystone20:44
*** d0ugal has joined #openstack-keystone20:44
*** rharwood has joined #openstack-keystone20:44
*** dhellmann has joined #openstack-keystone20:44
*** lbragstad has joined #openstack-keystone20:44
*** a2hill has joined #openstack-keystone20:44
*** lvh has joined #openstack-keystone20:44
*** esmute has joined #openstack-keystone20:44
*** sendak.freenode.net sets mode: +vv bknudson ayoung20:44
*** crinkle has joined #openstack-keystone20:44
*** swartulv has joined #openstack-keystone20:44
*** xxj has joined #openstack-keystone20:44
*** amaurymedeiros has joined #openstack-keystone20:44
*** x58 has joined #openstack-keystone20:44
*** arunkant has joined #openstack-keystone20:44
*** baffle_ has joined #openstack-keystone20:44
*** davechen_ has joined #openstack-keystone20:44
*** breton has joined #openstack-keystone20:44
*** wolsen_ has joined #openstack-keystone20:44
*** rodrigods has joined #openstack-keystone20:44
*** david-lyle has joined #openstack-keystone20:44
*** rdo_ has joined #openstack-keystone20:44
*** jjulien has joined #openstack-keystone20:44
*** lsmola has joined #openstack-keystone20:44
*** xianghui has joined #openstack-keystone20:44
*** kragniz has joined #openstack-keystone20:44
*** tristanC has joined #openstack-keystone20:44
*** rushiagr has joined #openstack-keystone20:44
*** gothicmindfood has joined #openstack-keystone20:44
*** boris-42 has joined #openstack-keystone20:44
*** zigo has joined #openstack-keystone20:44
*** gsilvis has joined #openstack-keystone20:44
*** Nakato has joined #openstack-keystone20:44
*** jbonjean has joined #openstack-keystone20:44
*** alex_xu has joined #openstack-keystone20:44
*** HenryG has joined #openstack-keystone20:44
*** hogepodge has joined #openstack-keystone20:44
*** ChanServ has joined #openstack-keystone20:44
*** gus has joined #openstack-keystone20:44
*** trey has joined #openstack-keystone20:44
*** jell has joined #openstack-keystone20:44
*** morganfainberg has joined #openstack-keystone20:44
*** dougwig has joined #openstack-keystone20:44
*** sudorandom has joined #openstack-keystone20:44
*** jamiec has joined #openstack-keystone20:44
*** mkoderer has joined #openstack-keystone20:44
*** dobson has joined #openstack-keystone20:44
*** amakarov has joined #openstack-keystone20:44
*** jimbaker has joined #openstack-keystone20:44
*** Qlawy has joined #openstack-keystone20:44
*** dguerri has joined #openstack-keystone20:44
*** wanghong has joined #openstack-keystone20:44
*** therve has joined #openstack-keystone20:44
*** navid_ has joined #openstack-keystone20:44
*** sendak.freenode.net sets mode: +ov ChanServ morganfainberg20:44
*** nonameentername has joined #openstack-keystone20:44
*** esp has joined #openstack-keystone20:44
*** avozza has joined #openstack-keystone20:44
*** csd has joined #openstack-keystone20:44
*** ekarlso has joined #openstack-keystone20:44
*** BAKfr has joined #openstack-keystone20:44
*** achudnovets_ has joined #openstack-keystone20:44
*** charz has joined #openstack-keystone20:44
*** mfisch has joined #openstack-keystone20:44
*** radez_g0n3 has joined #openstack-keystone20:44
*** dstanek has joined #openstack-keystone20:44
*** hockeynut has joined #openstack-keystone20:44
*** adam_g has joined #openstack-keystone20:44
*** mancdaz has joined #openstack-keystone20:44
*** dolphm has joined #openstack-keystone20:44
*** jacorob has joined #openstack-keystone20:44
*** hugokuo has joined #openstack-keystone20:44
*** quack_quack_ has joined #openstack-keystone20:44
*** marekd has joined #openstack-keystone20:44
*** telemonster has joined #openstack-keystone20:44
*** chmouel has joined #openstack-keystone20:44
*** sendak.freenode.net sets mode: +vo dstanek dolphm20:44
ayoungor we could keep an IdP to domain mapping in a separate table20:44
morganfainberguser/group should be pretty easy as is20:44
ayoungthat would be the most flexible, allowing many-to-many should we need to embrace that madness20:44
morganfainbergand idp -> domain looks to be a separate table since in the future you likely will have many-to-many20:44
morganfainbergyeah20:44
ayoungso,  if lets say we have an idP_domain mapping table,  and then domainess could be determined by any entry in there20:45
morganfainbergayoung, i'd rather not use soft logic like that20:45
morganfainbergayoung, i'd rather only allow IDPs to be mapped to projects that are domains20:45
ayounga falg is more explicit, and allows us to have domains not backed by any Idp20:45
morganfainbergand i think that is a more flexible usecase20:45
ayoungSo, is there really any call for a domain table then?20:45
morganfainbergnah20:46
ayoungOr is flag sufficient for all known issues?20:46
morganfainbergand it simplifies the schema20:46
rodrigodsstevemar, yes... I guess all the steps were taken20:46
morganfainbergprobably cheaper to have IS_DOMAIN: True20:46
*** Farhan has joined #openstack-keystone20:46
rodrigodsstevemar, we just need to be added in the gerrit group :)20:46
morganfainbergthan relationship(domain).load20:46
*** Amy_ has joined #openstack-keystone20:46
morganfainbergand a bit more straightforward20:46
ayoungOK,  so domains will have the domain flag set.  What other migration logic do we need20:46
ayoungdoes a domain have a domain_id value set?  If so, what does it mean?20:47
morganfainbergdomain_id is set on a domain only in the case it is subdomain20:47
ayoungOK20:47
morganfainbergas it belongs to it's parent20:47
ayoungbut I would have thought we would use parent_id for that20:47
morganfainbergfrom the project angle20:47
morganfainbergif it is a project it should act like one20:48
ayoungkeeping both domain and parent id will confuse people, although I think we must do so20:48
*** angelamolock has quit IRC20:48
morganfainbergprojects are tied to domains, so simply domain_id is consistency20:48
ayoungits like if every directory entry in the OS had a link to root20:49
raildoayoung, but a project have a domain_id and a parent_id (other project)20:49
ayoungdomain_id should probably be calculated, not recorded20:49
morganfainbergayoung, that would probably be too expensive for times we need domain_id20:49
morganfainberghaving to recurse the hierarchy to find the domain id is ... potentially bad20:50
ayounghierarchical queries?  Yeah, that is expensive20:50
ayoungalthough dogpile would probably mitigate20:50
morganfainbergcaching helps, but we can't assume people will enable it20:50
ayoungCRUD!.  School just got cancelled for tomorrow, too20:51
morganfainbergsnooooow20:51
morganfainbergSNOW!20:51
ayoungIt is really nice snow, too20:51
ayounglight, like Utah powder20:51
ayoungit was cold, not the heavy wet stuff we usually get20:51
raildoi don't know what is thishahaha20:51
raildois this*20:51
morganfainbergi want snow :(20:51
ayoungI got out there early to shovel to move it while it was easier20:52
* morganfainberg needs to escape SoCal.20:52
ayoungI think we have another 1-3 inches inboud, but the majority of it has landed20:52
*** rushiagr is now known as rushiagr_away20:53
ayoungmorganfainberg, OK,  so domain is the "owning domain"  and a domain does not own itself.  Is that our story?20:53
morganfainbergcorrect20:53
*** radez_g0n3 is now known as radez20:53
bknudsonbetter than heavy snow, like a clam chowder.20:53
ayoungSo the migration then:20:53
ayoungfor each entry in the domain table, create an entry in the project table20:53
ayoungdomainid  becomes project id20:53
ayoungand...the domain flag gets set20:54
ayoungis that it?20:54
morganfainbergsounds about right20:54
morganfainbergdrop domain_table20:54
ayoungoh...and then for every project in the domain that has no parent_id, set it to the domain id?20:54
morganfainbergyep20:55
raildoomg, we have a solution *-*20:55
ayoungYeah.20:55
ayoungwould love to make parent_id a required field20:55
morganfainbergayoung, you can, but it needs to be nullable in the root case20:55
ayoungcould we somehow make a root-of-all-evil-domain20:55
stevemarrodrigods, hmmm20:55
raildoI'll drink a beer today, to celebrate.20:55
morganfainberg*or* we need a special magic string for the root-case20:55
ayoungmorganfainberg, what if we create a root domain that is the parent, and it owns itself?20:56
morganfainberg"_YOU_CANT_NAME_YOUR_DOMAIN_THIS_CAUSE_IT_IS_OUR_SPECIAL_THING_"20:56
ayoung"I'm my own grandpa"20:56
rodrigodsayoung, heheheh20:56
stevemarrodrigods, pip install oslo.policy doesn't work though :(20:56
rodrigodslol20:56
morganfainbergayoung, i was advocating for a long time we should have a "openstack" or "keystone" top-level root20:56
rodrigodsstevemar, isn't released yet :(20:56
ayoungLet's do it20:56
morganfainbergthat we can treat kinda specail like we do "default"20:56
rodrigodsstevemar, think the only person in the release group is dhellmann20:56
stevemaroh20:57
morganfainbergrodrigods, oslo-release can as well20:57
morganfainbergwhich also may only be dhellmann20:57
raildook, I'll update the spec and update the sql migration script :)20:57
rodrigodsmorganfainberg, yes20:57
stevemar:)20:57
stevemaralright then20:57
morganfainbergayoung, lets just rename project back to tenant while we're at it20:57
morganfainbergayoung, then we'll have gone full circle20:58
ayoungmorganfainberg, OK20:58
morganfainbergbknudson, ^ cc :)20:58
ayoungmorganfainberg, domains and projects are types of tenants20:58
morganfainbergayoung, /doesn't feel like being lynched by the operators20:58
*** Amy_ has quit IRC20:58
bknudsonmost haven't changed to project yet, so they wouldn't notice.20:59
ayoungmorganfainberg, the thing is, I don't know if we could pull it off.  I think we actually could.  "look guys, we realize you like tenants, so we  concede the point."20:59
morganfainbergayoung, i think we'd be shot20:59
*** rushiagr_away is now known as rushiagr20:59
rodrigods++20:59
rodrigods+10020:59
morganfainbergbut it would be better overall (unfortunately)20:59
morganfainbergtenant is a less overloaded term20:59
ayoungmorganfainberg, I think rodrigods is giving range estimates to the snipers20:59
rodrigodsstevemar, seems like there are 3 people in the world that could do a release for oslo.policy https://review.openstack.org/#/admin/groups/148,members21:00
morganfainbergayoung, thankfully the snipers can't hit me from brazil yet..21:00
ayoungrodrigods, I might be able to add more people to that group21:00
rodrigodsheh21:00
ayoungOooh, no21:00
rodrigodsayoung, and the core ones? so I could give a +2? :O21:00
ayoungMeeting time21:00
raildomorganfainberg, ayoung so, i have to go now, but I'll send a new patch today, thanks a lot for the help :)21:02
ayoungraildo, thanks21:02
*** _cjones_ has quit IRC21:02
raildoayoung, :D21:03
*** raildo is now known as raildo_away21:04
*** joesavak has quit IRC21:07
*** g2` has quit IRC21:08
*** abhirc has quit IRC21:13
*** rushiagr is now known as rushiagr_away21:15
*** atiwari1 has quit IRC21:17
*** atiwari1 has joined #openstack-keystone21:18
*** gokrokve has quit IRC21:21
*** abhirc has joined #openstack-keystone21:22
*** nellysmitt has joined #openstack-keystone21:22
*** stevemar has quit IRC21:28
*** stevemar has joined #openstack-keystone21:28
*** ChanServ sets mode: +v stevemar21:28
*** nellysmitt has quit IRC21:29
*** harlowja has quit IRC21:35
openstackgerrithenry-nash proposed openstack/keystone: Move projects and domains to their own backend  https://review.openstack.org/14482421:36
openstackgerritDavid Stanek proposed openstack/keystone: Adds a wip decorator for tests  https://review.openstack.org/13151621:43
*** nkinder has quit IRC21:43
*** gokrokve has joined #openstack-keystone21:46
openstackgerrithenry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver  https://review.openstack.org/14502221:48
*** g2` has joined #openstack-keystone21:49
openstackgerrithenry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager  https://review.openstack.org/13352521:49
openstackgerrithenry-nash proposed openstack/keystone: Make unit tests call the new resource manager  https://review.openstack.org/13095421:50
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263421:51
*** _cjones_ has joined #openstack-keystone21:55
*** nkinder has joined #openstack-keystone21:56
*** tellesnobrega_ has joined #openstack-keystone21:57
openstackgerritMerged openstack/pycadf: Pull out some CADF taxonomy to be constants  https://review.openstack.org/14901122:00
*** mattfarina has quit IRC22:07
*** radez is now known as radez_g0n322:17
*** joesavak has joined #openstack-keystone22:17
*** sriram has quit IRC22:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param  https://review.openstack.org/14856722:35
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param  https://review.openstack.org/14861822:35
*** gordc has quit IRC22:37
*** _d34dh0r53_ is now known as d34dh0r5322:38
openstackgerritBrant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware  https://review.openstack.org/14469722:38
*** atiwari2 has joined #openstack-keystone22:39
*** topol has quit IRC22:41
*** atiwari1 has quit IRC22:42
*** angelamolock has joined #openstack-keystone22:44
*** harlowja has joined #openstack-keystone22:44
*** nkinder has quit IRC22:45
*** pnavarro has quit IRC22:47
*** andreaf_ has quit IRC22:49
*** harlowja_ has joined #openstack-keystone22:49
*** harlowja has quit IRC22:50
*** dhellmann has quit IRC22:54
*** angelamolock has quit IRC22:55
*** dhellmann has joined #openstack-keystone22:55
*** angelamolock has joined #openstack-keystone22:56
*** tellesnobrega_ has quit IRC22:59
*** timcline has quit IRC22:59
*** joesavak has quit IRC23:01
stevemarq for anyone23:01
*** henrynash has quit IRC23:01
stevemaris 'user_enabled_attribute' supposed to actually be used?23:02
stevemarthere are no instances of it in the code23:02
stevemarjust in tests and config.py23:02
*** harlowja_ has quit IRC23:03
richmstevemar: yes, I'm using it23:04
stevemarrichm, what do you set it to?23:06
stevemarrichm, i'm not actually seeing it used anywhere23:06
bknudsonstevemar: it's set up here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n117723:06
bknudsonstevemar: see http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap.py#n20023:07
stevemarah thanks bknudson23:07
richmstevemar: for MS AD you probably want to use userAccountControl - for 389/IPA you probably want to use nsAccountLock (with the invert thing)23:07
bknudsonrichm: it would be good to have that info in the help text.23:08
stevemarthe userAccountControl one is there23:08
richmthat's probably the most common for folks who use AD23:09
*** bknudson has quit IRC23:12
*** carlosmarin has quit IRC23:13
*** angelamolock has quit IRC23:15
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Register token_endpoint as a loadable plugin  https://review.openstack.org/15061523:17
*** evilrob has quit IRC23:20
*** ljfisher has joined #openstack-keystone23:22
*** ljfisher has quit IRC23:22
stevemarbah no more bknudson23:27
stevemarrichm, trying to figure out where this guy actually gets called https://github.com/openstack/keystone/blob/7541fda1db8290f639e19420b7ac3f683aab27a5/keystone/identity/backends/ldap.py#L217-L23523:27
stevemari'm supplying an attribute for user_enabled_attribute, and setting the invert flag to true, but it's not flipping it23:28
*** mgagne_ is now known as mgagne23:29
*** nellysmitt has joined #openstack-keystone23:29
*** nellysmitt has quit IRC23:34
*** markvoelker has quit IRC23:35
*** harlowja has joined #openstack-keystone23:36
*** Ctina_ has joined #openstack-keystone23:36
*** Ctina has quit IRC23:40
*** Ctina_ has quit IRC23:41
openstackgerritLin Hua Cheng proposed openstack/keystone: Add schema for endpoint group  https://review.openstack.org/15029223:42
richmstevemar: hmm - not sure - I haven't tried the invert thing yet23:49
jamielennoxmorganfainberg: for the federation plugins should i be attempting to keep the history or just copy?23:50
openstackgerritJamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/15062723:52
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline  https://review.openstack.org/15062923:54
*** markvoelker has joined #openstack-keystone23:55
*** greghaynes has joined #openstack-keystone23:56
« Monday, 2015-01-26 Index Wednesday, 2015-01-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!