Monday, 2015-02-16

« Sunday, 2015-02-15 Index Tuesday, 2015-02-17 »
morganfainbergit's the weekend or i'd write something a bit more in depth in response to the ML, and I'm happy to follow up tomorrow w/ you and the ML if that helps :)00:00
*** kragniz_ is now known as kragniz00:00
morganfainbergzigo, i'm not trying rto say we wont go back to auth_fragments, just as of today i would recommend using the non-fragemented version00:00
*** markvoelker has joined #openstack-keystone00:02
zigomorganfainberg: I'm just asking for a friendly warning when this actually happens, nothing more! :)00:04
zigoAnyway, time for me to sleep.00:05
morganfainbergzigo, so - my friendly warning is "it's deprecated" short of putting a comment in the code saying "warn zigo when you remove this" [which is a bit silly right?], what about issuing a deprecation message isn't the warning you're looking for?00:05
morganfainbergzigo, it wont be soon fwiw.00:05
zigook, fair enough.00:06
morganfainbergzigo, and we're likely going to have a planned removal of deprecation stuff in client/middleware down the line that should be explicit00:06
morganfainbergzigo, so i'm not saying "tomorrow", i just don't have enough information to set forth a timeline00:06
zigoOk.00:06
morganfainbergzigo, but unless we reverse course (and i'm willing to talk about that non-weekend time:) ] lets assume it's going away sometime in the future00:07
morganfainberg:)00:07
morganfainbergzigo, sleep well man! catch ya later on00:07
*** markvoelker has quit IRC00:08
*** dims_ has quit IRC00:12
*** dimsum__ has joined #openstack-keystone00:49
*** markvoelker has joined #openstack-keystone00:52
*** dimsum__ has quit IRC00:54
*** ncoghlan has joined #openstack-keystone00:54
*** markvoelker has quit IRC00:57
*** bknudson has quit IRC01:07
*** avozza is now known as zz_avozza01:44
*** markvoelker has joined #openstack-keystone01:54
*** markvoelker has quit IRC01:58
*** jacorob has quit IRC02:01
*** jacorob has joined #openstack-keystone02:03
*** jamielennox is now known as jamielennox|away02:19
openstackgerritwanghong proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743302:25
*** jamielennox|away is now known as jamielennox02:27
*** erkules_ has joined #openstack-keystone02:31
*** erkules has quit IRC02:33
openstackgerritIan Wienand proposed openstack/oslo.policy: Do not log on missing or empty policy_dirs  https://review.openstack.org/15474202:43
openstackgerritIan Wienand proposed openstack/oslo.policy: Do not log on missing or empty policy_dirs  https://review.openstack.org/15474202:47
*** sluo_wfh has quit IRC02:49
*** sluo_wfh has joined #openstack-keystone02:50
*** markvoelker has joined #openstack-keystone02:55
*** sluo_wfh has quit IRC02:55
*** sluo_wfh has joined #openstack-keystone02:56
*** markvoelker has quit IRC03:01
*** richm has quit IRC03:11
*** markvoelker has joined #openstack-keystone03:57
*** markvoelker has quit IRC04:02
*** jaosorior has quit IRC04:11
*** stevemar has joined #openstack-keystone04:17
*** ChanServ sets mode: +v stevemar04:17
*** BAKfr has quit IRC04:32
*** BAKfr has joined #openstack-keystone04:32
*** BAKfr has quit IRC04:37
*** stevemar has quit IRC04:47
*** BAKfr has joined #openstack-keystone04:48
*** markvoelker has joined #openstack-keystone04:58
*** markvoelker has quit IRC05:03
*** stevemar has joined #openstack-keystone05:25
*** ChanServ sets mode: +v stevemar05:25
*** nikunj2512 has joined #openstack-keystone05:32
nikunj2512Hi,... Did _memeber_ role is removed from keystone?05:32
*** markvoelker has joined #openstack-keystone05:59
jamielennoxnikunj2512: no, it's still there - or as much as it ever was06:03
*** markvoelker has quit IRC06:04
*** ajayaa has joined #openstack-keystone06:08
*** stevemar has quit IRC06:20
*** atmark has joined #openstack-keystone06:59
*** markvoelker has joined #openstack-keystone07:01
*** mflobo has joined #openstack-keystone07:04
*** markvoelker has quit IRC07:06
*** MasterPiece has joined #openstack-keystone07:18
*** ajayaa has quit IRC07:30
*** afazekas_ has joined #openstack-keystone07:35
*** junhongl has quit IRC07:40
*** ajayaa has joined #openstack-keystone07:43
*** chlong has quit IRC07:51
*** nellysmitt has joined #openstack-keystone07:53
*** zz_avozza is now known as avozza07:53
*** amerine has quit IRC08:01
*** markvoelker has joined #openstack-keystone08:02
*** amerine has joined #openstack-keystone08:02
*** markvoelker has quit IRC08:07
*** jistr has joined #openstack-keystone08:08
*** mzbik has joined #openstack-keystone08:12
openstackgerritMarek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules  https://review.openstack.org/14257308:31
*** ncoghlan has quit IRC08:47
*** topol has quit IRC08:49
*** openstackgerrit has quit IRC08:57
*** openstackgerrit has joined #openstack-keystone08:57
*** karimb has joined #openstack-keystone08:59
*** jistr has quit IRC08:59
*** markvoelker has joined #openstack-keystone09:03
*** markvoelker has quit IRC09:08
openstackgerritMarek Denis proposed openstack/keystone: Fix nits from patch #110858  https://review.openstack.org/15615809:09
*** lsmola has joined #openstack-keystone09:20
*** amerine has quit IRC09:31
*** amakarov_away is now known as amakarov09:43
*** obutenko_ has quit IRC10:03
*** sluo_wfh has quit IRC10:04
*** markvoelker has joined #openstack-keystone10:04
*** markvoelker has quit IRC10:09
*** rushiagr_away is now known as rushiagr10:23
openstackgerritAlexander Makarov proposed openstack/keystone: Chain a trust with a role specified by name  https://review.openstack.org/14864210:38
openstackgerritMarek Denis proposed openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085810:40
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493410:40
*** rushiagr is now known as rushiagr_away10:40
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185410:44
*** aix has joined #openstack-keystone10:44
*** markvoelker has joined #openstack-keystone11:05
*** markvoelker has quit IRC11:11
*** arunkant has quit IRC11:18
*** arunkant has joined #openstack-keystone11:23
*** aix has quit IRC11:27
ajayaaHi jamielennox, When is the v2 api being removed?11:58
bretonit's not even really deprecated yet, isn't it?12:05
*** henrynash has joined #openstack-keystone12:07
*** ChanServ sets mode: +v henrynash12:07
*** henrynash has quit IRC12:07
*** markvoelker has joined #openstack-keystone12:08
ajayaabreton, I don't know man.12:10
*** dimsum__ has joined #openstack-keystone12:11
ajayaaBut I can see the deprecated decorator on keystone v2 controller.12:11
*** markvoelker has quit IRC12:12
bretonajayaa: afaik it does nothing yet12:14
ajayaaagree. Just asking for a guestimate on when v2 is going to be removed.12:14
bretonN-cycle I think, if we stick to 2-cycle deprecation. But I'd like to hear an answer too.12:16
openstackgerritAbhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool  https://review.openstack.org/13082412:31
*** aix has joined #openstack-keystone12:32
*** henrynash has joined #openstack-keystone12:36
*** ChanServ sets mode: +v henrynash12:36
openstackgerritMarek Denis proposed openstack/keystone: Fix nits from patch #110858  https://review.openstack.org/15615812:51
marekdhenrynash: ^^ addressed your comments12:52
henrynashmarekd: ok…looking12:53
henrynashmarked: looks good, thx12:54
marekdhenrynash: thank You!12:55
*** jaosorior has joined #openstack-keystone12:59
*** hogepodge has quit IRC13:03
*** hogepodge has joined #openstack-keystone13:04
*** dimsum__ is now known as dims13:05
*** dims is now known as Guest7026613:05
*** markvoelker has joined #openstack-keystone13:09
henrynashsamueldmq: ping13:12
*** markvoelker has quit IRC13:14
*** henrynash has quit IRC13:19
*** EmilienM is now known as EmilienM|afk13:20
marekddstanek: expert with json-schema?13:21
dstanekmarekd: i know a bit about it; definitely no expert13:28
dstanekwhat's up?13:29
marekddstanek: I think you and stevemar built some schemas for mapping rules structure. Now I wanted to extend it so the user object is somehow formalized and asked if you know how to quickly make a schema with a logic "user object has either string "id" or (string "name" and object "domain" which has either "name" or "id" inside).13:30
*** gordc has joined #openstack-keystone13:32
dstanekmarekd: that will get pretty complicated13:32
dstanekmarekd: i think you'll have to define a user object using 'oneOf' to select from your list of definitions - 1 definition will have the id string and the other will have name and domain object13:34
*** rushiagr_away is now known as rushiagr13:34
marekddstanek: ah, maybe.13:34
*** joesavak has joined #openstack-keystone13:34
dstanekmarekd: i can mess with it in a little bit if you get stuck13:34
marekdmakes sense.13:34
marekddstanek: i will bug i I am indeed stuck.13:34
marekdthanks13:34
dstanekmarekd: have you seen http://json-schema.org/example2.html ? that's similar to what i was thinking. not exactly, but has the building blocks13:35
*** wanghong has quit IRC13:36
*** henrynash has joined #openstack-keystone13:42
*** ChanServ sets mode: +v henrynash13:42
openstackgerritBoris Bobrov proposed openstack/keystone: Fix invalid super() usage in memcache pool  https://review.openstack.org/15409513:43
*** wanghong has joined #openstack-keystone13:44
*** zzzeek has joined #openstack-keystone13:47
*** Guest70266 is now known as dims__13:48
*** henrynash has quit IRC13:51
*** nikunj2512 has quit IRC13:55
*** radez_g0n3 is now known as radez13:55
openstackgerritBoris Bobrov proposed openstack/keystone: Fix invalid super() usage in memcache pool  https://review.openstack.org/15409513:55
bretondstanek: sorry to waste your +2, but the comments were not the same everywhere13:56
*** Nakato has quit IRC13:59
*** Nakato has joined #openstack-keystone13:59
*** markvoelker has joined #openstack-keystone14:10
*** MasterPiece has quit IRC14:12
*** markvoelker has quit IRC14:15
dstanekbreton: haha, no problem14:16
*** mzbik has quit IRC14:21
*** afazekas_ has quit IRC14:23
*** markvoelker has joined #openstack-keystone14:28
*** markvoelker has quit IRC14:34
*** afazekas has joined #openstack-keystone14:40
*** ayoung has joined #openstack-keystone14:58
*** ChanServ sets mode: +v ayoung14:58
ayounglbragstad, I had a realization last night.  The signed portion of the token does not need to have even the scope in it, so long as the scope gets passed back to Keystone to validate.  We only need two token formats:  regular and federation, with the federation one having the groups lists in it, and the group lists can be unbounded.15:00
marekdayoung: what do you mean 'unbounded' ?15:01
ayoungthe token should only have the absolute minimal amount of data in the signed portion.  I think that is userid,  issuedat, expiresat, auditid.15:01
ayoungmarekd, no maximum number of groups15:02
marekdayoung: aha.15:02
ayoungmarekd, basicall,y the AE token is a proxy for authentication only.15:02
ayoungIE...they really are unscoped tokens.  the scoping data can come from a separate channel, namely, the  service looking to make a policy decision15:03
marekdayoung: because all the informatin is 'recreated' every time token is validated?15:03
ayounggroups are necessarily part of the unscoped token15:03
ayoungyes15:03
ayoungand...if we allow for PKI, we get the best of both worlds:15:03
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Delay denial when service token is invalid  https://review.openstack.org/15324715:04
ayoungIf  a service already has the authorization data cached,  all the token is giving is a "freshness" check which allows the service to validate the data itself15:04
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Delay denial when service token is invalid  https://review.openstack.org/15324715:05
ayoungmarekd, it really is no different than the standard corporate setup with Kerberos and LDAP.  Kerberos is used merely to give authentication, and the the service does an LDAP lookup to get additional authorization attributes.  THat is why Kerberos doesn't need revocation,  cuz if you revoke a users rights, it gets removed from LDAP15:05
*** carlosmarin has joined #openstack-keystone15:16
*** EmilienM|afk is now known as EmilienM15:16
*** timcline has joined #openstack-keystone15:21
*** timcline has quit IRC15:22
*** marg7175 has joined #openstack-keystone15:22
*** timcline has joined #openstack-keystone15:22
marekdayoung: so, from the user perspecitive, the AE fed-tokens will be allowed to grow infititely?15:22
*** marg7175 has quit IRC15:23
ayoungmarekd, only in the group field, but yeah.  I don't see any ral problem with that.15:23
*** marg7175 has joined #openstack-keystone15:23
ayoungI mean, we can size limit them if it really gets to be a problem, but a problem would be on the neighbor hood of 8k, and we are talking uuid size group here15:24
*** ajayaa has quit IRC15:25
ayoungmarekd to the actual token, the part to be validated would be  {char[64], int64, int64, char[64],}signature15:27
ayoungand then for fed it would be15:27
ayoung {char[64], int64, int64, char[64], int32 [char[64],  .... ]  }signature15:28
ayoungfor a trust token, it would be15:29
ayoung {char[64], int64, int64, char[64], int32 [char[64],  .... ]  }signature, `trustid`=char[64]15:29
ayoungand for regular scoped tokens15:29
ayoung {char[64], int64, int64, char[64], int32 [char[64],  .... ]  }signature, `projectid`=char[64]15:29
*** markvoelker has joined #openstack-keystone15:31
*** markvoelker has quit IRC15:35
marekdayoung: so, basically  these are versioned tokens, and we accept the fact the they may grow.15:39
*** thedodd has joined #openstack-keystone15:50
ayoungmarekd, I think so.  You OK with that?15:50
marekdayoung: essentially yes.15:51
ayoungI think the real issue i symmetric versus asym15:51
*** nellysmitt has quit IRC15:51
ayoungI have a few concerns about the symmetric approach15:51
*** markvoelker has joined #openstack-keystone15:53
*** abhirc has joined #openstack-keystone15:54
ayoungdolphm, Since AE tokens are essentially a proxy for authentication, let's move the scoping information outside the signed data.  It means we don't have to have multiple token formats to keep the essential part under 255 Bytes.15:55
*** nkinder has joined #openstack-keystone15:55
*** jistr has joined #openstack-keystone15:58
*** markvoelker has quit IRC15:58
*** david-lyle_afk is now known as david-lyle16:01
*** thedodd has quit IRC16:04
morganfainbergayoung: your comments on AE are now more in line with the -1 typical cycle. Please downgrade your -2 to a -1. I assume we can address the outstanding comments in normal review. My -2 will remain until spfe is granted (or will remain if spfe is not granted)16:07
marekdwhat;s the k3 deadline?16:10
morganfainbergmarekd: sooner than I'd like it to be.16:11
marekd:(16:11
marekd2015-03-19 ?16:12
morganfainbergIn like 2wks16:12
morganfainbergBecause we need code ready to gate before the deadline.16:12
*** thedodd has joined #openstack-keystone16:15
morganfainbergayoung, except scope is an essential part of the token16:15
ayoungmorganfainberg, couple things still need to be cleared up.  I think that if the token has a signer field in it, we can avoid the keyczar thing as well16:15
ayoungmorganfainberg, nah,   scope is an essential part of token validation...it can be reconsituted upong validation16:16
ayoungso the keystone server can say "yes, authentication data is OK, and for that scope....yep, here are the roles and the service catalog to go with it."16:16
ayoungmorganfainberg, It acatull stemmed from my comment "the only tokens worth keeping are unscoped"16:17
morganfainbergayoung, can we back way up on the change of architecture16:18
morganfainbergwe're not making that shift this cycle.16:18
ayoungIf tokens are always validated against Keystone server, we only need the unscoped token.  Everything else should be  context16:18
ayounghear me out16:18
ayoungso,  we redefine a scoped token to ber16:18
ayoungbe16:18
morganfainbergplease do not couple this design change across a cycle that has literally 2 weeks left of work left in it for features16:18
ayoungunscoped token + context16:18
*** hogepodge has quit IRC16:18
ayoungit keeps us from having to design a new format for each type of scoped token16:18
morganfainbergyour idea is not bad. it is NOT happening in kilo16:18
ayoungit elides the issue with supporting trusts, oauth, etch16:19
morganfainbergit is 100% worth looking at in L16:19
ayoungall that stuff is "additional payload"16:19
morganfainbergwe do not have time to redesign tokens in kilo at this level16:19
ayoungjust move it outside the signing section, but keep it in the token16:19
morganfainbergso someone could mangle the token (user) and eliminate the trust data out of it?16:20
*** hogepodge has joined #openstack-keystone16:23
*** zigo has quit IRC16:26
*** ajayaa has joined #openstack-keystone16:30
*** zigo has joined #openstack-keystone16:31
*** jistr has quit IRC16:32
ayoungmorganfainberg, nah, trusts are not really sensitive data.  We treat them that way out of paranoia, but really, anyone should be able to llok at a trust.  It needs the authentication paired with it to treat as an assertion16:46
ayoungso  there is no difference betweeen uscoped token + trust or a scoped token.16:46
*** jimbaker has joined #openstack-keystone16:46
ayoungThey both have the same degree of trustworthiness...If, say, nova passed a token to glance, and that token was unscoped, but also said "here is the trust ID"  then glance can go back to Keystone and say "execute this trust for the user and pass me back the roles etc"16:47
ayoungsame is reAlly true for the project data.  Adding it to the token is just convenient, not necessary16:47
openstackgerritMerged openstack/oslo.policy: Do not log on missing or empty policy_dirs  https://review.openstack.org/15474216:47
morganfainbergayoung, the only concern is if that data is changed, do we care?16:47
morganfainbergor is keystone able to say "meh that's ok" or "you can't do that"16:48
morganfainbergi am not sure if we should allow that data to be changed. we could always move it out of the signed data later (or in if we need to)16:48
ayoungmorganfainberg, changed by whom?  Nova gets the data back from Keystone, and caches it,  then passes the token on to glance.  for uuid tokens,  that means glance has to go and fetch the data from keystone itseklf anyway16:48
morganfainbergayoung, the end user.16:48
ayoungwe are not tlakning a huge document like PKI tokens16:48
morganfainbergor the service that took the token and is acting on your behalf16:49
ayoungmorganfainberg, OK...try this thought experiment16:49
ayounga user has a role on project "demo"16:49
ayoungthey go to keystone anr request a token for project demo16:49
ayoungit comes back signeddata+demo16:49
ayoungthey edit it, and change demo to admin16:49
ayoungthen send it to nova.16:49
ayoungNow nova validates the token16:49
ayoungthey send signeddata+admin to Keystone16:50
morganfainbergright.16:50
ayoungWhat is keystone going to do?16:50
ayoungUse has no roles on project admin16:50
morganfainbergwell if it's allowed keystone validates the token16:50
morganfainbergif the user doesn't have roles it rejects16:50
ayoungexcatly16:50
morganfainbergit decouples scope16:50
ayoungyes16:50
morganfainbergso do you trust nova not to rescope your token for you? or try?16:50
ayoungmorganfainberg, ah..., you mean when Nova sends the token to glance...16:51
morganfainbergor <some service that you are communicating to>16:51
morganfainbergyep16:51
ayounghmm, good point, the whole "unscoped to sscoped only" thing.16:51
morganfainbergor a MITM attack [more extreme]16:51
morganfainbergyeah, i think i missed saying it in as many words ;)16:51
morganfainbergthanks for working through the thought experiment16:52
ayoungso (damn caps LOCK)16:52
ayoungso this approach would be no worse (but no better) than how we operate today.  It would allow for rescoping...16:52
ayoungMy thought is this16:53
*** markvoelker has joined #openstack-keystone16:54
ayoungyou know how gyee wants tokenless operations?  This would let tokenless operations work against anything.  You could authenticate with X509 or Kerberos, and then the token would really be nothing more than the scope id.  Nova would accept the request, and then say to Keystone, what does userX have on project Y.  And uyse that moving forward.  But, as You point out, that approach suffers from the same scope creep issue that16:54
ayoungtokens do now16:54
ayoungso...we are back to having specific formats for oauth, trusts, scoped (project and domain) , a Federation unscoped?16:55
morganfainberghaha, caps lock, i want to rip that key off my keyboard16:55
ayoungmorganfainberg, I have done it on other keyboards16:55
morganfainbergyeah16:56
ayoungWhich means we need a token format field.16:57
morganfainbergwell, sortof16:57
morganfainbergbut close enough.16:58
morganfainbergi think in L we look at moving this way16:58
*** tqtran_afk has joined #openstack-keystone16:58
morganfainbergespecially if we clearly say any data encoded in the enw tokens is considered private, if we need to make internal adjustments16:58
morganfainbergwe can16:58
ayoungmorganfainberg, I think that, if we do this right, though, we can get to the point I was driving for with PKI tokens.  If we can make the key type configuratble (asym versus sym)  then a remote site can hold on to the authZ data and validate in process.  Tjhat is not a make-or-break, mind you, just where I would like things to head16:59
morganfainbergand it doesn't prevent us from moving the way you're describing.16:59
*** markvoelker has quit IRC16:59
morganfainbergayoung, yeah i see that as something that this can lead towards16:59
morganfainbergayoung, i just don't see it as possible to make that big of a shift in K16:59
morganfainbergwe have ~2wks left?16:59
ayoungmorganfainberg, putting federation and groups aside for a moment, how would we address trust tokens in the current design?16:59
morganfainberg2.5wks?16:59
ayoungWhile I don't want to break OAuth, I *can't* break trusts or the Heat team will get all molten on my kiester17:00
morganfainbergayoung, i think we go with the same thing we do today, encode the data in the token. [a today thing], down the road we can look at alternatives for ensuring that data is there17:00
ayoungmorganfainberg, how do we distinguish between a trust token and a non trust token?17:01
morganfainbergwe shouldn't break OAuth or Trusts... [and federation is special]17:01
morganfainbergin the AE (to be renamed?) world, i'd use a null field17:01
morganfainbergagain for now.17:01
ayoung payload = [auth_type, user_id, project_id, created_at, expires_at, audit_id]17:01
morganfainbergso [expirs, blah, blah, NULL(orTrust),17:01
ayoungmake that line:17:01
morganfainberglbragstad, ^^ cc17:02
ayoung payload = [format, auth_type, user_id, project_id, created_at, expires_at, audit_id]  and I think we can then say17:02
ayoung payload = [format1, auth_type, user_id, trust_id, created_at, expires_at, audit_id]  and I think we can then say17:02
morganfainbergor we could just fixed field it with a 1byte null.17:02
morganfainbergw/o needing the format id.17:02
ayoungyou mean put a type field before project id?17:02
morganfainbergyep.17:02
morganfainbergwell, more like just the trust_id17:03
ayoungnah,  do it for the whole token, its more flexible17:03
morganfainbergunless you're saying trust_id and oauth_id are the same thing?17:03
ayoungcuz that would not work for the federation multi-groups thing17:03
ayoungthey can't be treated the same today, much as I would like them to be17:03
morganfainbergwell we have a very narrow set of things we need in the token id (encoded in the payload)17:03
morganfainbergthe payload is only relevant inside keystone -17:04
ayoungIf it is a difference of one byte, lets put it up front and make it the token format identifier17:04
morganfainbergso we could do [auth_type, user_id, trust_id(ORNULL), oauth(ORNULL), FEDERATION_LIST(orNULL), created, expires, audit]17:04
ayoungeaser to check token[0] == FOMATE_CONSTANT17:04
*** thedodd has quit IRC17:05
ayoungactaully, we should put the scope at the end17:05
morganfainbergsure.17:05
*** thedodd has joined #openstack-keystone17:05
morganfainbergas an implementation detail, this is a good case for named tuples17:05
ayoung payload = [format, auth_type, user_id, created_at, expires_at, audit_id,   scope]17:05
morganfainbergpayload.<attr>17:05
ayoungand then we could move the scoped format to the end...that makes sense17:06
ayoung payload = [auth_type, user_id, created_at, expires_at, audit_id,  scope_type, scope]17:06
morganfainbergi'd like to keep the number of formats to manage minimal, but i think that covers the bulk of it17:07
ayoung0=Unscoped,  1=Project Scoped, 2=Domain Scoped, 3=Trusts Scoped,4=groups scoped (Federation Unscoped)17:07
morganfainbergcan't federation be also project scoped?17:07
ayoungnah, that is a standard token17:07
ayoungfederation unscoped is where we have the group list.  THose get dropped in federation scoped (right marekd ?)17:08
morganfainberglets be sure on that17:08
morganfainbergbut if that is the case, the only thing missing is OAuth.17:08
ayoungmorganfainberg, I'm willing to resubmit the spec with those changes.  Is that ok?17:08
morganfainbergayoung, lbragstad  said he's working on it right now17:09
lbragstadayoung: no, I'm working on it currently17:09
morganfainbergayoung, so before you do coordinate with him. he's looking at the other comments at the same time17:09
lbragstadshould have a revision up within the hour17:09
ayounglbragstad, OK,  can you incorporate what we just put up there?  scope gets pushed to the end of the token and has a scope_type field in it?17:09
ayoungI would love to see a (signed by) field, too, but that can, in theory, be passed outside the signed data as well, so that can be a Lovelace  feature17:10
lbragstadayoung: reading back17:10
morganfainbergayoung, yeah i think in Liberty we'll be adjusting how the fields work and improving on the payload so we can be more flexible. this provider definitely does not lock us into too much (which is why it's a good way to solve the big immidiate issues with tokens)17:12
ayoungmorganfainberg, has lbragstad, has submitted AE code yet, or just spec?17:14
ayounghttps://review.openstack.org/#/c/145317/17:14
lbragstadayoung: code has been up for a while https://review.openstack.org/#/c/145317/17:14
ayoungOK...looking there17:14
morganfainbergayoung, part of the reason the SPFE is possible is they have [even with the changes needed] most of the work done in the POC code.17:15
morganfainbergayoung, w/o the POC code, the SPFE wouldn't have been even considered.17:15
lbragstadok, why put scope_type at the end?17:15
lbragstadwith scope?17:15
morganfainberglbragstad, the thought is trust scoped, federated unscoped, project scoped, domain scoped17:16
lbragstadIf anything, I think it should be at the front of the token, that way the KLWT provider can determine what scope type it is, and then pass it to the right formatter17:16
lbragstadright formatter being the one that knows how to handle each scope type17:16
morganfainberglbragstad, order shouldn't matter too much.17:17
lbragstadit would matter in the provider case17:17
*** amerine has joined #openstack-keystone17:17
lbragstadbecause the provider shouldn't be verifying all the tokens,17:17
morganfainberglbragstad, if it's [0], [:] or [:-1], or NAMEDTUPLE().scope_type17:17
marekdayoung: ayoung https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-a-scoped-os-federation-token nope17:17
lbragstadit should just determine the format than pass it to the right formatter17:17
morganfainberglbragstad, i'd look at using a named tuple vs. a list here: so you could do payload.scope_type17:18
ayounglbragstad, actually,  that was my initial thought, too.  Jsut that the only thing that varies is the scope, the rest of the token data would be unchanged.  I don't case so much where it is as that it exists, though17:18
morganfainberglbragstad, again, order isn't super important as long as we know where to find it.17:18
*** tqtran_afk is now known as tqtran17:18
ayoungmorganfainberg, ^^ what marekd just siad there is that only federation unscoped have groups in them17:18
morganfainbergayoung, awesome.17:19
morganfainbergthat makes that waaaay easier17:19
marekdayoung: no, scoped also has group list.17:19
morganfainbergmarekd, thanks!17:19
morganfainbergmarekd, ahhh17:19
* morganfainberg reads17:19
ayoungmorganfainberg, actually, it would be greoovy if all unscoped tokens had that17:19
morganfainbergayoung, ^^17:19
ayoungit would mean assignments would never have to go back to the identity backend17:19
marekdayoung: morganfainberg lbragstad: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-a-scoped-os-federation-token17:20
lbragstadso my idea was to have the format (or scope in this case at the front of the token), so each "layer" of the KLWT provider pops of what it needs and then pass the right17:20
lbragstads/right/rest/17:20
morganfainberglbragstad, i don't really care what index the scope_type ends up as. ;)17:20
lbragstadok17:20
ayoungmorganfainberg, that would really aid in the whole "split identity from assignment" effort...def something to comnsider for Loveless.17:20
lbragstadI'll probably keep it in the front then17:20
ayoungLizardlove17:20
ayounglbragstad, works for me17:21
morganfainberglbragstad, my only comment was regarding the namedtuple, since you can reference it as an attr if you want17:21
lbragstadok17:21
morganfainbergvs. needing the index, but you'd still need to know the index for decoding to named tuple17:21
marekdmorganfainberg: ayoung i am thinking if we really need group list in the token.17:21
morganfainbergso.. again, doesn't really matter17:21
ayounglbragstad, not a deal breaker, but please indicate that either sym or asym crypt can be used to sign the token.  I'm a little concerned with the keys distribution issues for the sym case and multiple keystones.  Asym much easier.  Not a deal breaker, just a good idea17:22
ayoungmarekd, yes, we need group lists in the token17:22
morganfainbergayoung, lets put that on the docket for Liberty to discuss.17:22
ayoungmarekd, they should be in unscoped tokens17:22
ayoungmorganfainberg, ++17:22
ayoungmorganfainberg, heh, otherwise, we might just have justified the existence of Kite17:23
*** _cjones_ has joined #openstack-keystone17:23
morganfainbergayoung, hah17:23
marekdayoung: i meant, that i am wondering if we really need group list in SCOPED token.17:23
ayoungmarekd, no, we don't17:23
ayoungmarekd, we could put it there, but it would muddy the water17:23
morganfainbergmarekd, trying to think if we do..17:23
marekdayoung: they already are in scoped token.17:24
morganfainbergi think we do until we can codify no scoped -> scoped token17:24
morganfainbergas the only way forward17:24
ayoungmorganfainberg, it would be a different abstraction17:24
*** _cjones_ has quit IRC17:24
morganfainbergayoung, today i think we need that info for scoped -> scoped17:24
*** _cjones_ has joined #openstack-keystone17:24
ayoungif we have groups specified separate from roles-in-projects  it needs to be something managed by Keystone17:24
marekdmorganfainberg: cause today we need to be able to do fed-scoped-> fed-scoped  ?17:24
morganfainbergmarekd, yeah.17:24
ayoungit might be passed throgu hfrom the assertion, but keystone needs to be able to layer additional auth attributes on...way beyond scope here17:25
*** timcline has quit IRC17:25
*** tellesnobrega has quit IRC17:25
*** mkoderer has quit IRC17:25
*** mtreinish has quit IRC17:25
*** kibutzz has quit IRC17:25
*** tsufiev has quit IRC17:25
*** ptoohill has quit IRC17:25
*** notmyname has quit IRC17:25
*** rharwood has quit IRC17:25
*** trey has quit IRC17:25
marekdmorganfainberg: ah, se this was for backwards compatibility.17:25
ayoungwhy fed-scoped to fed-scoped?17:25
morganfainbergayoung, because we support scoped -> scoped today17:25
morganfainbergit's a compat issue not a "we should do this"17:25
ayoungah...yeah, lets ignore that17:25
ayoung:)17:25
morganfainbergas we move towards unscoped -> scoped only, then eliminiating that data is more doable17:25
morganfainbergand we should head that way17:26
* marekd wonders if fed-scoped -> fed-scoped would even work today...17:26
marekdmorganfainberg: ++17:26
ayoungmorganfainberg, we can't do that today, thogh, can we?  We don't have the groups in the scoped tokens, so treat it as a won't-fix-bug17:26
*** amerine has quit IRC17:26
marekdayoung: federation case or classic?17:26
ayoungfederation17:26
marekdayoung: yes, we do have groups in both unscoped and scoped federation token.17:27
ayoungmarekd, we have a future plan to fix17:27
ayoungargh17:27
morganfainbergmarekd, we should make sure fed scoped -> fed scoped works17:27
morganfainbergi think someone (lots of people) will be broken without it <today>17:27
marekdmorganfainberg: urgs.17:27
ayoungok...we'll then in a fed AE token, the scope section will  have to be   projectid groups[]  with the project ID being potentially blank...or we have two federation formats17:28
morganfainbergayoung, also going to rename AE to KLWT17:28
morganfainbergayoung, i think17:28
morganfainbergkeystone lightweight tokens17:28
ayoungKSLT17:28
morganfainbergKSLT?17:28
marekdSuperLightweightTokens?17:28
ayoungKeystone Light Tokens17:28
morganfainbergha17:28
morganfainberg:)17:29
ayoungmorganfainberg, I am concerned that putting a new crypto requirement on Keystone is a more burdensome undertaking than we realize for deployers. I'd like to make PKI the default on the implemenation, with symmetric an option, and maybe the default in Lizardface17:30
*** amerine has joined #openstack-keystone17:30
morganfainbergI'd rather avoid crypto all together. I think you underestimate the burdon of PKI setup17:30
*** notmyname has joined #openstack-keystone17:31
morganfainbergmany deployers refused to use PKI because it's a headache to setup.17:31
ayoungmorganfainberg, heh, no I do not.  Its just that we've forced that issue already17:31
morganfainbergexcept we haven't really17:31
ayoungand, for them, AE might have the smae issue with symmetric17:31
*** timcline has joined #openstack-keystone17:31
*** tellesnobrega has joined #openstack-keystone17:31
*** mkoderer has joined #openstack-keystone17:31
*** mtreinish has joined #openstack-keystone17:31
*** kibutzz has joined #openstack-keystone17:31
*** tsufiev has joined #openstack-keystone17:31
*** ptoohill has joined #openstack-keystone17:31
*** rharwood has joined #openstack-keystone17:31
*** trey has joined #openstack-keystone17:31
amakarovlbragstad mentioned keyczar in his spec - was it rejected?17:32
notmynamenot sure if I missed anything in the netsplit17:32
notmynameif a spec has landed but someone has a questions, how does one make questions or ask for clarification?17:32
ayoungamakarov, it has to be an optional17:32
ayoungkeyczar is a Java key management solution17:32
ayoungI've got our crypto guys looking at it17:33
ayoungthey just got back from a weeklong Brno conference, so they are a little spent at the moment...17:33
morganfainbergnotmyname, ML, ask in IRC, propose a fix to the spec via gerrit covering changes needed to clarify17:33
lbragstadklwt is optional all together17:33
notmynamemorganfainberg: ok, thanks. that's great info17:33
morganfainberg:)17:33
morganfainbergnotmyname, basically where you'd expect to find information on this stuff17:33
morganfainbergnotmyname, and people knowledgable17:34
notmynameright. Iv'e had the question come up a couple of times in swift. "the spec is 'landed', but I have questions. what do I do now"17:34
ayounglbragstad, ok..I guess it is a non-issue to start, but I suspect that we'll have people looking to use it right out the gate.  What is the library that keyczar uses to do its crypto?  We don't have a bouncycastle based solution do we?17:35
*** vhoward has quit IRC17:35
morganfainbergnotmyname, yeah i think that they're already in the right place asking that17:35
amakarovayoung, I looked at keyczar and didn't see java port  - it looked like a separate python implementation to me... I'll try again.17:36
ayoungamakarov, ?17:36
morganfainbergamakarov, it has java impl17:36
morganfainbergit also has a python impl17:36
notmynamemorganfainberg: ya, I just proposed https://review.openstack.org/156291 to answer it for our specs repo17:37
morganfainbergi'm looking at them. now17:37
morganfainbergi think the python impl is isolated / python only, and doesn't require java17:37
ayoungI thought it was a java server.  It was my understanding the Python code was just client code...but I could well be wrong.  Question still stnads, then?  What does keyczar use to do crypto17:37
lbragstadhttps://code.google.com/p/keyczar/wiki/KeyczarPhilosophy?tm=617:37
morganfainbergayoung, yeah looks like python is standalone as well17:37
morganfainbergpycrypto and pyasn1 it looks like17:38
morganfainbergayoung, https://code.google.com/p/keyczar/wiki/PythonDependencies17:38
ayoungmorganfainberg, then  we should look at the python-cryptography17:38
ayoungasn1?  interesting17:39
lbragstadhttps://code.google.com/p/keyczar/source/browse/#git%2Fpython%2Fsrc%2Fkeyczar17:39
morganfainberghttps://code.google.com/p/keyczar/source/browse/python/src/keyczar/keys.py#3317:39
lbragstadlooks like there are implementations in cpp, java, and python17:39
morganfainbergpycrypto and if it has M2Crypto it'll use it17:39
morganfainberghand hmac / hashlib17:40
morganfainbergugh17:40
morganfainbergSHA117:40
*** nellysmitt has joined #openstack-keystone17:40
morganfainbergpeople are going to complain :(17:40
lbragstaduses pycrypto https://code.google.com/p/keyczar/source/browse/python/src/keyczar/keys.py17:40
openstackgerritMerged openstack/keystone: fix a small issue in test_v3_auth.py  https://review.openstack.org/15604017:40
ayoungneeds to be an optional dependency until we can iron that side out17:41
morganfainbergayoung, the lib looks sane and is isolated for python only17:41
morganfainbergit just has java and c++ support so you can use the same repo of keys for different apps17:41
ayoungIt's called NSS and OpenSSL....they should not be implementing a repo17:42
bretonare we ok with it being not actively developed?17:42
bretonhttps://code.google.com/p/keyczar/source/list17:42
*** karimb has quit IRC17:42
morganfainbergi'm thinking it's not a good choice17:42
ayoungJan 1, 201517:43
ayoungHe's in Tahoe right now17:43
bretonayoung: yes, but there are commits from 2013 on the first page17:43
morganfainbergbreton, does not mean it's not being looked at.17:43
morganfainbergif there are no reported bugs / features to add... i mean17:44
morganfainbergdoes it need to change?17:44
ayoungI think the right solution lies in us discussing with the Barbican folks driving python-cryptography17:44
*** abhirc has quit IRC17:44
*** atiwari has joined #openstack-keystone17:45
morganfainbergthis leads me to believe that the HMAC digests to start are really the right place to focus.17:45
lbragstadayoung: yes, I'd agree, but I don't know if that support is available right now.17:45
ayoungThere are a handful of issues here, locally maitainer the sym key. key distribtuion,17:45
ayoungmorganfainberg, can you do HMAC without a private key?17:45
ayoungor without a key at all?17:45
morganfainbergdon't we have code for this in openstack already17:45
morganfainbergit's not *great* but i think it's there17:46
ayounghttp://en.wikipedia.org/wiki/Hash-based_message_authentication_code17:46
morganfainbergby not great i mean, it's just not feature rich, it's already passed the basic "is this sane" muster17:46
ayoungmorganfainberg, HMAC needs a Key.  These issues remain whenther we use asym or sym,  and whether we encrypt or just sign17:46
morganfainbergright, i think we already have simple HMAC key support in OpenStack17:47
morganfainbergsomewhere17:47
lbragstadayoung:  I don't think determining that is a real big issue17:47
lbragstadthe current code up for review determines what your key repository is meant to do and initializes a reader object according to the purpose17:47
ayounglbragstad, Keystone today does not have to deal with symmetric crypto.  We can't just say "use Keyczar"  without causing a serious ruckas17:47
bretonmorganfainberg: there are bugs from 2013 that were not addressed at all17:48
morganfainbergbreton, like i said it may not be the right choice.17:48
bretonhttps://code.google.com/p/keyczar/issues/detail?id=14817:48
morganfainbergbreton, i'm not for or against keyczar at the moment.17:48
*** timcline has quit IRC17:48
ayoungI would say that we make the HMAC/Signing thing configurable.  Provide a PKI solution for people using PKI tokens today and it is still a step forard, with no additional burden.  Then, in parallel, we hunt down a symmetric solution17:48
lbragstadayoung: it's opt in anyway17:48
bretonmorganfainberg: neither am I, I'm just joining the discussion17:49
*** timcline has joined #openstack-keystone17:49
lbragstadif people don't want to use keyczar, then they can wait until we cut the l release17:49
morganfainbergbreton, yeah17:49
lbragstadwhen we possibly have something else in place17:49
ayounglbragstad, let me be clear...I am not saying "do this in order for me to remove the -2 on the spec"  I only care there about the trusts being support out the gate17:49
morganfainberglbragstad, there is concern about keyczar, if we see some of these issues will it land in global reqs?17:50
ayoungkeyczar can be an optional dependency17:50
*** amerine has quit IRC17:50
morganfainberglbragstad, if it's not in global reqs we can't rely on it (even "optionally")17:50
lbragstadmorganfainberg: ayoung It's already been purposed17:50
lbragstadhttps://review.openstack.org/#/c/154590/17:50
ayoungI wonder what that would do on a Centos7 install?  My guess is that pycrypto is already supported17:50
lbragstadayoung: trusts were a target to hit with this from the beginning17:51
ayoung++17:51
morganfainberglbragstad, i advise a backup plan in case pykeyczar can't land in global reqs.17:51
morganfainberglbragstad, thats all.17:51
ayounglbragstad, ping me when you get the updated spec up, and I plan on removing the -2 at that point17:51
* ayoung asks everyone stop bothering lbragstad so he can write and /me promises to do so, too17:51
morganfainberglbragstad, anyway that is a separate issue. will let you get spec done /me has a meeting to jump on17:52
marekdwhat was used that tests are running on all available CPUs? multipocessing?17:52
lbragstadmorganfainberg: let's wait and see what people say on the global-req review17:52
morganfainbergmarekd, testrepository (aka testr) + subunit17:52
morganfainbergnot sure the core implementation of testr atm17:53
marekdaha.17:53
*** hogepodge has quit IRC17:53
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005017:53
*** timcline has quit IRC17:53
*** stevemar has joined #openstack-keystone17:53
*** ChanServ sets mode: +v stevemar17:53
*** hogepodge has joined #openstack-keystone17:54
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow.  https://review.openstack.org/15630817:55
*** markvoelker has joined #openstack-keystone17:56
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005017:56
morganfainberglbragstad, not sure if you want to rename the file from ae-tokens (and BP, but those can be left fwiw, wont block on that)17:57
amakarovayoung, can we allow re-authenticate using trust-scoped token? Just a stub returning the very same token? https://blueprints.launchpad.net/keystone/+spec/trust-scoped-re-authentication17:57
amakarovIt appears many clients need it17:57
ayoungamakarov, hmmm...sounds like a client bug17:58
*** raildo has joined #openstack-keystone17:58
amakarovayoung, that is the question17:58
ayoungfloat it past jamielennox (he's asleep right now)17:58
amakarovayoung, ok, thanks, I'll email him17:58
*** markvoelker has quit IRC18:01
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005018:01
*** radez is now known as radez_g0n318:04
ayounglbragstad, downgraded to a -118:05
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493418:05
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow.  https://review.openstack.org/15630818:06
ayoungwill likely upgrade that once I am done reading it.  morganfainberg I assume your -2 stays there as a "not yet ready for a SFE"18:06
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow.  https://review.openstack.org/15630818:06
*** EmilienM is now known as EmilienM|afk18:07
*** rushiagr is now known as rushiagr_away18:11
*** afazekas has quit IRC18:13
morganfainbergayoung, yes my -2 is that18:14
openstackgerritSteve Martinelli proposed openstack/keystone: Fix nits from patch #110858  https://review.openstack.org/15615818:17
*** amakarov is now known as amakarov_away18:19
morganfainbergayoung, until we confirm the SPFE (either today or tomorrow), my -2 stays18:21
ayoungmorganfainberg, so this is why, in the future,  I'm proposing everything for backlog18:21
morganfainbergayoung, ++ and i totally support that18:22
morganfainbergayoung, i also hope to open spec reviews for Liberty just post m318:22
morganfainbergso we have lots of time to get them proposed / ready / moved from backlog over18:22
ayounggoing from backlog to release should not happen until it is approved in backlog.  No one likes looking at something with a big ole -2 on it18:22
ayoung++18:22
*** timcline has joined #openstack-keystone18:22
morganfainbergayoung, the procedural -2 thing i don't like, but you know it serves a purpose18:23
ayoungyep18:23
ayoungno arguing18:23
*** amerine has joined #openstack-keystone18:25
*** timcline has quit IRC18:27
ayounglbragstad, made some comments to the spec.  Minor stuff, and I am, ready to get behind this18:32
ayounglbragstad, shout if you have any questions18:32
morganfainbergayoung, hah. some of your comments were the same as mine18:33
lbragstadayoung: ok, thanks for the review. Working on refactoring the current code so it's not AE specific, I should be able to look in a bit18:33
morganfainberglbragstad, also commented, most were similar nits (Can -> will). removal of a dependency, and a little clarification on federated data.18:34
ayounglbragstad, so...AE changes the division of labor between the persistance andthe token provider...I think that:18:35
ayoung12. We creat an AE persistance driver18:35
ayoungit will be responsible for repopulating the token data based on the AE data.18:35
ayoungthen, validate is pretty much a  no-op...any valid reconstituted token is valid18:35
morganfainbergayoung, oh interesting way to handle that, overload the persistence driver to grab all the data instead of the provider doing it.18:36
morganfainbergayoung, i was thinking the AE token driver would just not talk to persistence.18:36
morganfainbergayoung, so it didn't matter what persistence driver you picked.18:36
ayoungmorganfainberg, yeah, cuz non of the other drivers need to reconstitute18:36
morganfainbergAE token provider*18:36
morganfainbergsince we've narrowed persistence calls down to ~2 places in the provider code (i think)18:37
ayoungthe token_ref that you get back from SQL, DOgpie etc has all the data it needs in it.18:37
ayoungWith revocation events, the workflow collapses to the same thing:18:37
ayoungget the token from persistance (or reconstitute) then compare with revocation events18:38
openstackgerritMarek Denis proposed openstack/keystone: Add ``service_providers`` in Service Catalog  https://review.openstack.org/15265918:38
marekdstevemar: ^^ answered your question/concern and rebased the patch18:38
*** MasterPiece has joined #openstack-keystone18:38
morganfainbergayoung, well persistence driver doesn't reconstitute the token atm. it really just does the store token_id index -> token data18:38
marekd(strage, that gerrit cannot do it automatically, while local git does)18:38
morganfainbergayoung, or "grab values" from store18:38
ayoungmorganfainberg, yeah, but that is what the rest of the code means buy token_ref18:39
ayoungthe AE code would be the only one that would have an token ref that is not constituted18:39
morganfainbergayoung, well sortof, we store the data in the store, but on issue the provider ref is still used18:40
morganfainbergwe don't do a .create, .get18:40
morganfainbergayoung, i think we'd need to push more logic down to persistence from provider to make that happen in issuance18:41
morganfainbergayoung, or we lift all the non "storage" logic out of persistence (probably the better idea). i think we're still a little mixed up where things go18:42
morganfainbergayoung, persistence probably should really only be "store data" and "retrive" nothing else.18:45
morganfainbergayoung, so a provider that doesn't need persistence wont use it.18:46
ayoungIf you think about it the AE token stores its data in the assignment, identity, and service catalogbackends18:51
morganfainbergright, today providers do the cross-system talking, so either we need to push some logic down or perhaps remove some token_persistence logic18:52
morganfainbergi'm thinking less work to keep provider as the thing that talks across subsystems like assignment, identty, etc18:53
morganfainbergayoung, i don't want people to need to configure both the AE provider and the AE persistence [if that make sense], meaning logic would need to be shifted to make ae persistence only18:54
morganfainbergnot opposed to it, just something we should be aware of.18:54
*** rdo has joined #openstack-keystone18:55
ayoungIf you use PKI or AE tokens, you do not need to persist.  With PKI token, you would break the ability to validate based on the Hash, that is all18:55
morganfainbergwhich is still all provider logic.18:56
ayoungIn fact, we could reduce the PKI hash to an AE token  body18:56
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005018:56
ayoungwith PKI, however, the body is reconstituted from the data in the signed document18:56
lbragstadmorganfainberg: ayoung will address comments on those, but wanted to fix the reference to the blueprint. I fix comments in another patch18:56
ayoung++18:56
morganfainberglbragstad, ++18:56
*** markvoelker has joined #openstack-keystone18:57
ayoungI think what I am stumbling towards is that AE tokens  can shortcut the storage process...but lets assume that any form of token can do that...so configuring persistance is separate from  format18:57
morganfainbergayoung, the way i see it is the provider determines if it needs to call persistence or not18:58
ayoungbut...with AE and assuming no persistence, we have a new requirement: reconstitute.   None of the other forms require that.18:58
morganfainbergayoung, so with AE it just never calls self._token_provider_api.<method>18:58
ayoungmorganfainberg, yep18:58
ayoungI like that18:58
morganfainbergsame with pki18:58
morganfainbergpki w/ no persistent store that is :P18:59
ayoungWe really should make these different token formats all work alongside each other, instead of assumign it is one global config option.  THe global config should just say the preferred format18:59
morganfainbergayoung, i think thats an L-cycle target, the provider cleanup w/ stevedore is headed that way19:00
ayoungisss  POST /auth/token?formate=AE19:00
ayoungformate19:00
openstackgerritgordon chung proposed openstack/pycadf: cleanup documentation  https://review.openstack.org/15633319:00
morganfainbergformaté19:00
ayoungmuscle memory is funny19:00
morganfainbergfö®mætē ? :P19:01
*** timcline has joined #openstack-keystone19:01
*** markvoelker has quit IRC19:02
amerineI just hit an odd issue that I'm failing to solve.19:07
amerineI added a custom config section to keystone.conf19:07
amerine[foo_bar]19:07
amerineWhen I go to get CONF.foo_bar in my extension.. it cannot find it.19:08
amerine"2015-02-16 11:08:15.497 5168 CRITICAL keystone [-] NoSuchOptError: no such option: foo_bar"19:08
morganfainbergamerine, oslo.config requires options to be registered with the CONF object19:08
morganfainbergamerine, if you don't register the option it wont be available to you19:09
amerinemorganfainberg: Ok, I guess that's a step I'm missing.19:09
amerinemorganfainberg: How do I register an extensions config options with oslo.config?19:09
morganfainbergamerine, so if you look here: https://github.com/openstack/keystone/blob/master/keystone/common/config.py#L100119:09
morganfainbergyou'll see the for-loop that registers the file options for keysotne from with that same file19:10
*** erkules_ is now known as erkules19:11
*** aix has quit IRC19:11
amerinemorganfainberg: Cool. So perhaps the extensions Manager should register options in CONF?19:12
*** timcline_ has joined #openstack-keystone19:12
morganfainbergamerine, it could do that19:12
*** radez_g0n3 is now known as radez19:12
amerinemorganfainberg: Is there are more correct pattern than that?19:12
morganfainbergamerine, well in keystone main configs we don't register options until the .configure method (that for loop i pointed you at) is called19:13
morganfainbergthis prevents people from getting options read in before keystone is ready19:13
morganfainbergbut - it's hard to say the best option for your extension19:13
morganfainbergsince it's not being proposed against upstream19:13
amerine*nods*19:14
amerineWe've done a few extensions to change behavior for our keystone systems, this is the first that I've wanted some dynamic-ish configurable behavior.19:14
*** timcline has quit IRC19:14
amerineI'll see if I can collect my thoughts about how mainline could expose better config bindings for extensions.19:15
amerineThis is basically wrong http://docs.openstack.org/developer/keystone/extension_development.html#modifying-the-keystone-conf-sample-file without more work19:15
*** jsavak has joined #openstack-keystone19:15
morganfainbergyeah that whole set of documents needs to be update19:16
morganfainbergwe have a lot of doc fixes to do this cycle...19:16
morganfainbergwill likely happen post M319:16
morganfainbergs/M/K19:16
*** joesavak has quit IRC19:16
amerineword. I just assumed I missed some extension hook or something non-obvious.19:17
amerinemorganfainberg: Thanks again for the help.19:17
*** joesavak has joined #openstack-keystone19:17
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005019:19
*** jsavak has quit IRC19:20
*** amerine has quit IRC19:22
*** lhcheng has joined #openstack-keystone19:22
*** amerine has joined #openstack-keystone19:23
*** ajayaa has quit IRC19:23
*** dims__ has quit IRC19:25
*** jhop has joined #openstack-keystone19:27
*** jhop has quit IRC19:27
morganfainberglbragstad, in the spec where is the scope info located?19:27
morganfainbergi see scope_type, but not clear on where the scope info is19:28
morganfainberglbragstad, otherwise i think you're very very close to having all the comments addressed, [then we just have the SPFE convo for tomorrow at the meeting]19:29
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005019:29
lbragstadmorganfainberg: addressed ^19:29
morganfainberglbragstad, aha19:29
morganfainbergi see it now19:29
morganfainberglbragstad, looks goot to me.19:30
lbragstadmorganfainberg: cool, thanks for reviewing19:30
morganfainberglbragstad, please make sure there is a topic on the meeting agenda for the SPFE19:30
*** samueldmq has joined #openstack-keystone19:30
lbragstadstevemar: do they sell Keystone Light in Canada?19:30
stevemarlbragstad, nopeee19:31
morganfainbergrodrigods, ^ please make sure there is a topic on the meeting for the SPFE you're requesting19:31
stevemarlbragstad, oh wait, they do, i recognize the logo now http://www.thebeerstore.ca/beers/keystone-light19:32
stevemarit's not very popular19:32
lbragstadstevemar: yeah, I imagine not, I was going to say I'd buy a cold Keystone Light for each person who reviewed the KLWT spec and patch, but on second thought that'd probably deter people from reviewing it19:33
morganfainberglbragstad, i think i need a -3 if you're doing that.  *bleghch* keystone lite is baaaaad beer19:34
lbragstadmorganfainberg: lol yeah, it is19:34
morganfainberglbragstad, minor issue: http://logs.openstack.org/50/130050/31/check/gate-keystone-specs-python27/74a663f/console.html#_2015-02-16_19_34_07_490 line 9419:35
morganfainbergtoo long19:35
morganfainbergyou need to fix it ;)19:35
*** vhoward has joined #openstack-keystone19:38
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005019:38
*** Ephur has joined #openstack-keystone19:39
*** lhcheng has quit IRC19:41
*** thedodd has quit IRC19:44
*** MasterPiece has quit IRC19:49
*** abhirc has joined #openstack-keystone19:51
*** hrybacki has joined #openstack-keystone19:51
*** hrybacki has left #openstack-keystone19:52
*** thedodd has joined #openstack-keystone19:56
morganfainberglbragstad, stevemar, ayoung, dstanek, dolphm, i'm asking for 5 fishbowl sessions and 8 working sessions at the summit - this will give us 5 slots during the summit with nothing booked (on the wed/thurs) and I'm asking for 1 full day for the friday meetup thing19:56
morganfainbergfishbowl = sessions we had in paris19:57
morganfainbergstrike that, 10 working sessions19:57
dstaneki like calling them fishbowl - very accurate19:58
*** markvoelker has joined #openstack-keystone19:58
morganfainbergso we'll have 2 less main sessions and a ton more hacking on stuff type sessions19:58
morganfainberg(what we did at the tables / dev lounge)19:58
ayoung10 working sessions, five targetted, 5 open?20:00
morganfainbergchanged it to 4-5 fishbowl (Targeted), 8-10 working20:00
morganfainbergand then it'll be 3-6 with nothing scheduled20:01
morganfainberglikely we will settle on the low end of 4, and 8 is my guess20:01
ayoungsounds good.20:01
morganfainbergbut, will bring it up tmorrow in the meeting20:01
ayounglbragstad, I see why you did that, but...20:02
*** markvoelker has quit IRC20:03
ayoungthe scope info is the variable sized data, and should got at the end of the token...for parsing purposes that is the right approach20:03
lbragstadparsing wise it can be at the beginning of the toke too, that's how we do it with the token format20:04
*** EmilienM|afk is now known as EmilienM20:04
*** abhirc has quit IRC20:05
ayounglbragstad,  how about this:  instad of calling it scope_type, call it token_format, and then just annotate that the token_format determines the strucutre of the data in the scope section. It gives us the wiggle room to modify other fields in the future if we deem necessary, but keeps the static portion of the token in a fixes size section of the token's signed data20:06
lbragstadok20:06
lbragstadso20:06
*** jsavak has joined #openstack-keystone20:06
lbragstadKLWT00 - > scoped token20:06
lbragstadKLWT01 -> trust tokens20:06
lbragstador whatever20:06
* morganfainberg tries to wedge the ascii bell character in as a token format identifier20:07
dstanekmorganfainberg: will those hacking sessions be in dedicated space?20:07
morganfainberg(mostly to screw with people)20:07
morganfainbergdstanek, yeah it'll be our space20:07
morganfainbergdstanek, http://lists.openstack.org/pipermail/openstack-dev/2015-January/054122.html20:07
morganfainberginstead of project pods20:08
morganfainbergwe'd have a room (20-40ppl sized) for hacking on stuff20:08
*** joesavak has quit IRC20:09
morganfainbergmy hope is we'll have enough stuff to cover the time but not so much that we don't get to visit other projects' sessions20:09
morganfainbergwhich is why the 4 fishbowl and ~8 working feels a bout right, leaving a good chunk of time to wander around to other projects20:10
morganfainbergor 5/8 split20:10
ayounglbragstad, yes, exactly...I think that is what we want20:12
ayoungnote I really don't have a hard and fast need for the scope at the end,  just it feels more correct to have the variable data there20:13
*** _cjones_ has quit IRC20:15
*** dims__ has joined #openstack-keystone20:25
*** dims__ has quit IRC20:30
*** joesavak has joined #openstack-keystone20:52
*** jsavak has quit IRC20:54
*** _cjones_ has joined #openstack-keystone20:56
*** markvoelker has joined #openstack-keystone20:59
*** devlaps has joined #openstack-keystone21:01
*** timcline_ has quit IRC21:02
*** timcline has joined #openstack-keystone21:03
*** markvoelker has quit IRC21:04
*** _cjones_ has quit IRC21:22
*** _cjones_ has joined #openstack-keystone21:23
ayoungjamielennox, I need some input on the unified access info review.  Got some time to talk about it?21:24
*** amerine has quit IRC21:24
ayoungstevemar, morganfainberg, BTW, totally agree on the split for https://review.openstack.org/#/c/138519/  as suggested.  THanks to both of you for slogging through.  I didn't know what this was going to look like until I got close to done with it21:26
ayoungthe whole service catalog integration was very illuminating.  I need to talk over some details with jamielennox to figure out where different pieces are going to land in the final.21:27
*** chuckcarmack has joined #openstack-keystone21:31
jamielennoxayoung: sure - what's up21:31
ayoungjamielennox, OK..so the data in the token is JSON.  It gets converted to dict format21:32
ayounghow much of that are we expected to expose to the end user, versus them working with the auth_context  things21:32
jamielennoxayoung: so the problem is that really anything can be exposed - and probably someone is using whatever the current state is21:33
jamielennoxthe approach i've been taking is to force people up a layer21:33
ayoungI think I managed to keep the format consistent with V321:33
jamielennoxso don't touch the service catalog at all and use .get_endpoint(...)21:33
*** dims__ has joined #openstack-keystone21:33
ayoungthe service catalog stuff work, I think, though I copied the classes21:33
jamielennoxthat way i'm the only one that has to deal with the crappy interface21:33
ayoungI was wondering if I needed to keep the JSON specific versions21:33
* ayoung 's mouse cursor has dissappears21:34
*** dims_ has joined #openstack-keystone21:34
ayoungAh...there it is...21:34
jamielennoxayoung: i've been of the opinion that if we used to have it we have to keep it21:34
jamielennoxit's amazing some of the internals from keystoneclient people rely on21:34
ayoungyeah...I think that my approach will only work for V3 and later, but we are looking at deprecating V2.0.  It is an argument against a drop in replacement21:35
jamielennoxbecause we also make the AccessInfo object available to people via keystonemiddleware21:35
jamielennoxso that whole interface is now poluting other peoples code as well21:35
ayoungI would think we would see major explosions in the gate if I broke something21:36
ayoungbut  check passed....21:36
*** lhcheng has joined #openstack-keystone21:37
ayoungjamielennox, for the most part, what you get from parsing and then using the python objects is not much different than you get parsing the JSON directly, so I would expect those kind of things to work21:38
*** dims__ has quit IRC21:38
jamielennoxso for better or worse the problem with the gate is that it's running the latest code21:38
jamielennoxthere are a whole bunch of things in ksc that i've wanted to fix, and have fixed in dependent clients21:39
jamielennoxhowever using the old dependent and the new ksc would break21:39
ayoungjamielennox, I was wondering if we had a case where someone used token data to directly constitute a service catalog object.  If so, I don't think that we can remove the old classes21:39
jamielennoxayoung: i've never seen it21:39
jamielennoxi think cinder used to use our catalog directly, but i've fixed that up21:40
ayoungIdeally, I would make a first pass that just adjusted the tests, and showed that they worked with the existing  access-info21:40
ayoungI had to drop a couple places that checked which subclass of AccessInfo (V2, V3) was created, as there is a unified one now21:40
jamielennoxayoung: i think the goal would be to not adjust the tests, show that the new stuff still works with the way it used to be accessed21:41
ayounghttps://review.openstack.org/#/c/138519/11/keystoneclient/service_catalog.py,cm  is mostly cut and paste code, but I could drop a lot of it if I can drop the old21:41
ayoungjamielennox, well  that is the goal, but some of the tests are too specific, l;ike I pointed out.  Which subclass is the most obvious one21:41
ayounglet me see what else I touched.  I might be able to reverse some of those hacks no21:42
ayoungnow21:42
ayoungI had to make changes like this:21:43
ayounghttps://review.openstack.org/#/c/138519/11/keystoneclient/tests/unit/v3/test_tokens.py,cm21:43
ayoungthese time tests are spooky  https://review.openstack.org/#/c/138519/11/keystoneclient/tests/unit/v3/test_access.py,cm21:43
dims_howdy all, we have a candidate looking to work on keystone for GSoC 2015, all through summer. Anyone interested in being a mentor?21:44
*** jsavak has joined #openstack-keystone21:44
ayoungI'm guessing the formats in the wrapper are wrong.  THat test should go through unmodified21:44
ayoungalso, the whole "assertNotIn"  logic is kindof strange.21:45
ayoungjamielennox, also, I think we can finally drop the tests for diablo tokens, as we no longer have to support those, or are we still on the hook?21:46
jamielennoxdims_: i think most of the US based folks have gone by this time21:47
*** joesavak has quit IRC21:47
jamielennoxdims_: we have a meeting tomorrow UTC 1800 i think - that would be your best time to ask21:48
dims_jamielennox: thanks will ask again tomorrow21:48
dims_thanks21:48
ayoungdims_, depends.  Do I get to set her/his design agenda?21:48
jamielennoxrun!21:48
jamielennox:)21:48
dims_ayoung: yep21:49
jamielennoxdims_: if you want to do that pop it on the agenda: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting21:49
ayoungoooh21:49
dims_jamielennox: thanks will do21:49
jamielennoxabout to have a power outage21:53
jamielennoxback soon21:53
*** chuckcarmack has left #openstack-keystone21:54
mfischare the LDAP connection pools pretty well baked?21:54
mfischready for prod anyway?21:54
stevemargordc, thanks for releasing pycadf21:55
samueldmqfor anyone interested in gsoc, fell free to join #openstack-gsoc :)21:55
samueldmqI am a candidate to mentor a project for keystone21:56
gordcstevemar: i forgot it was family day.21:56
stevemargordc, do you get it in qc?21:57
gordcanother holiday missed :(21:57
gordcwe get jack...21:57
lbragstadayoung: can you ever have an unscoped trust token?21:58
ayounglbragstad, nope21:58
ayounga trust token is explicitly scoped.21:58
stevemargordc, womp womp...21:58
lbragstadso by the time the calls gets into the provider, it should *always* have a project_id21:58
ayoungwe check on a trust creation that it has at least one role assigned to it21:59
lbragstadok21:59
ayoungyes21:59
lbragstadayoung: thanks21:59
gordcstevemar: indeed21:59
ayounglbragstad, you working on a clever way to represent tokens, dividing scoped from unscoped?21:59
stevemargordc, woke up at noon, haven't checked my email til now, it's been glorious21:59
lbragstadayoung: no, not yet. Trying to keep it simple21:59
gordcstevemar: you have already worked too hard.22:00
ayounglbragstad, I think we could, in theory, merge unscoped and federation unscoped into a single format22:00
ayounga standard unscoped would have no groups22:00
ayoungbut it might be worthwhile from a processing perspective to keep those as two separate types22:00
*** markvoelker has joined #openstack-keystone22:01
*** aix has joined #openstack-keystone22:02
*** raildo has quit IRC22:03
*** jamielennox is now known as jamielennox|away22:03
*** jsavak has quit IRC22:05
*** markvoelker has quit IRC22:05
*** jamielennox|away is now known as jamielennox22:14
*** samueldmq has quit IRC22:14
morganfainbergstevemar, ping22:18
*** abhirc has joined #openstack-keystone22:22
stevemarmorganfainberg, pong22:23
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Use single quotes consistently  https://review.openstack.org/15640422:27
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Fix minor spelling issues in oslo.policy  https://review.openstack.org/15640522:27
*** nellysmitt has quit IRC22:37
*** nellysmitt has joined #openstack-keystone22:38
*** nellysmitt has quit IRC22:42
morganfainbergjamielennox, crud forgot to release -kerberos22:43
morganfainbergjamielennox, will do tomorrow ok?22:44
morganfainbergor tonight22:44
jamielennoxmorganfainberg: sure22:46
*** afazekas has joined #openstack-keystone22:47
*** dims_ has quit IRC22:51
*** dims__ has joined #openstack-keystone22:51
*** ayoung has quit IRC22:52
*** darrenc is now known as darrenc_afk22:55
lbragstadrandom trust question time! in this example https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-trust-ext.rst#consuming-a-trust what does e80b74 represent?22:55
lbragstada token ID?22:55
lbragstadgiven that i want to consume the trust22:55
*** afazekas has quit IRC23:01
*** markvoelker has joined #openstack-keystone23:02
*** markvoelker has quit IRC23:07
jamielennoxlbragstad: token for rescoping23:08
jamielennoxlbragstad: it would be the same as providing an exisitng token to be rescoped to a project23:08
*** chlong has joined #openstack-keystone23:09
*** timcline has quit IRC23:10
lbragstadso, you pass the trust id as the token?23:11
lbragstadjamielennox: so like http://pasteraw.com/hf6kybsq02p2asjcvnceov97i7qjp2v ?23:12
lbragstador would token['id'] be the unscoped token?23:12
jamielennoxlbragstad: the unscoped token23:12
lbragstadahh...23:12
lbragstadgot it23:12
lbragstadjamielennox: thanks!23:12
jamielennoxlbragstad: np23:13
*** darrenc_afk is now known as darrenc23:17
*** afazekas has joined #openstack-keystone23:30
*** dims_ has joined #openstack-keystone23:30
*** dims__ has quit IRC23:32
*** gordc has quit IRC23:32
*** henrynash has joined #openstack-keystone23:34
*** ChanServ sets mode: +v henrynash23:34
henrynashdstanek: you around?23:46
*** dims__ has joined #openstack-keystone23:47
*** dims_ has quit IRC23:47
dstanekhenrynash: yes23:49
henrynashdstanek: so I’m experimenting with how we might break up all our “backend” tests…23:49
*** thedodd has quit IRC23:49
henrynashdstanek: and was imagining we might have something like backend/role/core, backend/role/sql23:50
*** richm has joined #openstack-keystone23:50
henrynashdstanek: and then backend/assignment/core + sql + ldap etc.23:50
henrynashalthough not quite sure if we can make tox/testr run one of those tests on demand23:51
henrynashdstanek: I don’t think I can say tox — backend/role/sql for instance23:51
henrynashdstanek: thoughts?23:52
henrynash(this is all within unit, of course)23:52
henrynashdstanek: ahhh…but I think tox — backend.role.test_sql would work…23:54
*** dims__ has quit IRC23:56
*** dims_ has joined #openstack-keystone23:56
« Sunday, 2015-02-15 Index Tuesday, 2015-02-17 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!