Thursday, 2015-02-26

*** abhirc has quit IRC00:02
morganfainbergjamielennox, the filter in keystone or ksc?00:02
morganfainbergjamielennox, cause keystone filtering does do the right thing and could be used to filter things out00:03
jamielennoxmorganfainberg: whether the filter produces a new 'service' entry or just the endpoints beneath it00:03
morganfainbergsadly this case wouldn't matter, as you have 2 distinct things claiming to be called "compute"00:03
morganfainbergendpoint filter is *only* endpoints afair00:03
morganfainbergand doesn't care about the service00:03
morganfainbergfwiw this is multiple services saying they are compute00:04
morganfainbergwhich keystone would... it looks like also allow00:05
jamielennoxmorganfainberg: yea, i knew that one00:05
jamielennoxi think we looked at fixing it at one point00:05
jamielennoxbut it would break people00:05
morganfainbergrax is breaking people who have legacy stuff now00:05
morganfainbergso, the only thing we can do is make KSC say "300 multiple choices: pick something useful"00:06
morganfainbergi think00:06
morganfainbergbecause a deployer isn't going to rename things cause we suddenly got picky (hence the whole '/' in project name -2)00:07
jamielennoxmorganfainberg: we need to figure out ways to define what the service catalog contains00:08
jamielennoxi'm looking though - i can't see why in service_catalog it only checks the first 'type' entry00:09
morganfainbergand in this case the legacy is 2nd so probably overrides the first00:10
jamielennoxso it will only allow the last entry defined as type00:10
*** gordc has quit IRC00:10
jamielennoxso that is fairly easy to fix - i just don't know if it'll solve the bigger issue00:10
jamielennoxsc.setdefault(st, [])00:10
jamielennoxor if i want to :o00:11
morganfainbergi think it's totally fine to say "multiple services found be more specific" but we need a way to let people pick what they want / software to be better about it00:11
morganfainbergwe squash duplicate services endpoints00:12
jamielennoxi can see having get_endpoint returning a list would have been nice - but that's a pain now00:12
*** spandhe has joined #openstack-keystone00:12
jamielennoxalso - if i return a list i've no idea what they expect to do differently00:12
morganfainbergand say "you defined this as the same thing"00:12
*** raildo_ has joined #openstack-keystone00:12
morganfainbergi mean, would it break everything if ksc just said "oh hai, this is the same service *squish*" internally?00:13
*** gyee has joined #openstack-keystone00:13
*** ChanServ sets mode: +v gyee00:13
morganfainbergif you call thing A compute, and thing B compute, does it break it if all the endpoints are [compute] ?00:13
morganfainbergignoring the RAX wierd case00:14
jamielennoxmorganfainberg: what would *squish* be here?00:14
morganfainbergwhere they are really different things00:14
morganfainbergjust the endpoint data structure(s)00:14
morganfainbergso the endpoint list would contain all the endpoints00:14
jamielennoxright - no none at all i think00:14
*** david-lyle is now known as david-lyle_afk00:14
jamielennoxmorganfainberg: it's not even slower as there is no break in that for loop00:14
morganfainbergnow rax breaking people because compute != compute, thats something i will happily go yell at them about00:14
morganfainbergbecause that is just crazypants.00:15
morganfainbergbut we could at the very least not give just bizzare error responses because of that bad catalog data definition00:15
jamielennoxmorganfainberg: yep i'm fine with that for an EndpointNotFound - which is what you'd be getting now00:16
*** pdesai has quit IRC00:16
jamielennoxmorganfainberg: I'm not sure i like the idea of raising AmbiguousEndpoint (which it appears nova used to do) if more than one entry matches00:16
morganfainbergi think compute != compute is a case we shouldn't care about [well we should, we shouldn't have multiple things claiming to be compute...but that is a different issue]00:17
morganfainbergjamielennox, so i think the right answer is we squash this in our internal data structure.00:19
morganfainbergjamielennox, and i *think* we've had the ask to make service unique anyway00:20
morganfainbergfrom vishy and a few others00:20
jamielennoxmorganfainberg: on keystone side?00:26
jamielennoxhow do i show bugs in launchpad that have previously been marked invalid?00:28
jamielennoxgrrr launchpad00:28
*** henrynash has joined #openstack-keystone00:28
*** ChanServ sets mode: +v henrynash00:28
morganfainbergjamielennox, yeah vishy and some others asked for keystone to be more strict about that stuff00:30
morganfainbergjamielennox, uh. sec00:30
jamielennoxmorganfainberg: would love to see that00:30
*** henrynash has quit IRC00:30
jamielennoxmorganfainberg: i think i got the launchpad thing, clicked around a bit then editted the URL00:30
*** henrynash has joined #openstack-keystone00:31
*** ChanServ sets mode: +v henrynash00:31
morganfainberggod sorry00:31
jamielennoxstill can't find this bug but00:32
morganfainbergit's ok if we open a new one00:34
morganfainbergi don't care if we just ignore anything called "invalid" as past history even if it isn't ;)00:34
morganfainbergcause LP.00:34
lhchengmorganfainberg, jamielennox: this is the fix for django_openstack_auth ^00:34
*** henrynash has quit IRC00:35
lhchengmorganfainberg, jamielennox: unfortunately, can't use the auth_plugin.get_endpoint() since we need to iterate though the service catalog.00:35
morganfainberglhcheng, thats fine for a stopgap, we can improve it further as we go along.00:35
morganfainbergthis is a good starting place00:36
lhchengmorganfainberg: yup, should be good for now. still better than before :)00:36
morganfainbergjamielennox, it might have been an opinion bug...or an incomplete00:37
morganfainbergjamielennox, lets just spin a new bug up about this.00:38
*** browne has quit IRC00:43
*** browne has joined #openstack-keystone00:44
jamielennoxbug 142576600:46
openstackbug 1425766 in python-keystoneclient "Catalog can't handle multiple service definitions" [Undecided,New]
morganfainbergjamielennox, wtf. ok LP it just marked that as high when i clicked medium00:47
morganfainbergyes, thanks!00:47
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller
*** spandhe has quit IRC01:07
lhchengmorganfainberg: got a patch up too to fix horizon on catalog parsing:
openstackgerritMorgan Fainberg proposed openstack/python-keystoneclient: Collapse endpoints from services that are the same in the catalog
*** spandhe has joined #openstack-keystone01:09
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow handling multiple service_types
*** dims_ has joined #openstack-keystone01:11
morganfainbergjamielennox, hah01:11
jamielennoxmorganfainberg: ergh01:11
*** dims_ has quit IRC01:11
jamielennoxmorganfainberg: well i did tests01:11
morganfainbergyours is better01:11
morganfainbergi'm sure01:11
*** dims_ has joined #openstack-keystone01:11
*** dims has quit IRC01:12
*** gyee has quit IRC01:18
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API
*** rwsu is now known as rwsu-afk01:27
*** _cjones_ has quit IRC01:31
lhchengbknudson: thanks for review01:33
lhchengbknudson: too many comment, missed the top part01:33
lhchengbknudson: something easy for you when you get the chance:
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API
*** dims has joined #openstack-keystone01:37
*** dims_ has quit IRC01:40
*** raildo_ has quit IRC01:41
*** sigmavirus24 is now known as sigmavirus24_awa01:44
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Import functional CLI tests from tempest
*** davechen has joined #openstack-keystone01:51
openstackgerritDave Chen proposed openstack/keystone: Refactor the code in SQL backend of assignment
*** browne has quit IRC01:59
*** browne has joined #openstack-keystone01:59
*** ljfisher has quit IRC02:01
*** samueldmq_ has quit IRC02:04
*** tqtran has quit IRC02:04
openstackgerritLin Hua Cheng proposed openstack/keystone: WIP - Validate user/group exist when assigning roles
*** diegows has quit IRC02:14
*** richm has quit IRC02:17
*** erkules_ has joined #openstack-keystone02:18
*** erkules has quit IRC02:20
*** darrenc is now known as darrenc_afk02:28
*** thedodd has joined #openstack-keystone02:28
*** chlong_ has joined #openstack-keystone02:43
*** markvoelker has quit IRC02:47
*** markvoelker has joined #openstack-keystone02:47
*** stevemar has joined #openstack-keystone02:49
*** ChanServ sets mode: +v stevemar02:49
openstackgerritMerged openstack/keystone: Change use of random to random.SystemRandom
morganfainbergoh interesting02:51
*** darrenc_afk is now known as darrenc02:51
*** markvoelker has quit IRC02:51
*** lhcheng has quit IRC02:59
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available
*** browne has quit IRC03:07
*** rm_work has quit IRC03:10
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available
morganfainbergjamielennox, a recheck wont fix:
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate
jamielennoxmorganfainberg: huh, i don't remember what i saw that i thought could be rechecked03:21
morganfainbergthere was another failure that would recheck03:21
jamielennoxmorganfainberg: yea - but i looked at both03:21
morganfainbergbut the py34 one wont... then again that might be the ubuntu fails a python303:21
jamielennoxmorganfainberg: i didn't know they removed xrange in py303:22
morganfainbergxrange = range in py303:22
morganfainbergand for the usecase range would be sufficient03:23
*** spandhe has quit IRC03:23
morganfainberga little more memory hungry (but not at 3 elements) in py2.x03:23
morganfainbergnot noticble03:23
*** dims has quit IRC03:24
jamielennoxmorganfainberg: oh yea, just xrange is kind of a habit and i didn't realize it had changed03:25
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Import functional CLI tests from tempest
morganfainbergin py3 we always use xrange unless we go our of our way to not03:25
morganfainbergmost of the time .range is good enough, but sometimes people don't expect the iterable03:26
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow handling multiple service_types
*** markvoelker has joined #openstack-keystone03:43
morganfainbergmarekd, stevemar, need to bug you about federation stuff.03:46
morganfainbergwhen you're around (tomorrow works)03:46
stevemarmorganfainberg, around now03:57
morganfainbergstevemar, just need to codify IDP vs SP requirements03:58
morganfainbergthe only one that really stood out was "Kilo Keystone"03:58
stevemarohhh thats what you mean, like the requirements for it?04:02
stevemaryeah, Kilo Keystone, which pulls down lxml and pysaml, and you need xmlsec1 for signing stuff and things04:03
*** aslaen has quit IRC04:03
morganfainbergthats all normal deps though04:04
stevemarmorganfainberg, i guess kilo horizon too?04:05
morganfainbergoh heh yeah for lin's fixes04:05
morganfainbergand DOA.04:06
*** aslaen has joined #openstack-keystone04:06
stevemarobvs updated ksm and ksc just to be on the safe side04:06
*** thedodd has quit IRC04:10
*** spandhe has joined #openstack-keystone04:10
*** thedodd has joined #openstack-keystone04:18
*** thedodd has quit IRC04:18
*** dims has joined #openstack-keystone04:25
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate
*** dims has quit IRC04:30
*** lhcheng has joined #openstack-keystone04:31
*** rm_work|away has joined #openstack-keystone04:36
*** rm_work|away is now known as rm_work04:36
*** rm_work has joined #openstack-keystone04:36
*** markvoelker has quit IRC04:44
*** markvoelker has joined #openstack-keystone04:45
*** markvoelker has quit IRC04:49
*** spandhe has quit IRC04:49
openstackgerritMerged openstack/keystone: Fix invalid super() usage in memcache pool
*** lhcheng is now known as lhcheng_afk05:11
openstackgerritMerged openstack/keystone: Remove check_role_for_trust from sample policies
*** spandhe has joined #openstack-keystone05:24
*** lhcheng_afk has quit IRC05:39
openstackgerritMorgan Fainberg proposed openstack/keystone: Chain a trust with a role specified by name
openstackgerritMerged openstack/keystone: Uses SQL catalog driver for v2 REST tests
openstackgerritMorgan Fainberg proposed openstack/keystone: Chain a trust with a role specified by name
openstackgerritMerged openstack/keystone: make tests of endpoint_filter check endpoints num
stevemarmerge merge merge06:03
morganfainbergstevemar, should be an easy review06:07
morganfainbergstevemar, it was ready just had some legit cosmetic stuff.06:07
stevemaryup, looks good06:15
*** spandhe has quit IRC06:21
openstackgerritSteve Martinelli proposed openstack/keystone: Reference OSC docs in CLI examples
openstackgerritSteve Martinelli proposed openstack/keystone: Update `os service create` examples in config services
*** lhcheng_afk has joined #openstack-keystone06:24
morganfainbergstevemar, another relatively easy one:
morganfainbergi wish we could better test that one though06:25
*** fifieldt has joined #openstack-keystone06:26
openstackgerritSteve Martinelli proposed openstack/keystone: Use correct dependency decorator
stevemarmorganfainberg, i wonder if this will work ^06:27
morganfainbergstevemar, it should06:28
morganfainbergit's a more enforcing version06:28
morganfainbergyou might have a test that explodes06:28
stevemari'm hoping it'll fix this issue:
stevemarmorganfainberg, maybe, but there are too many tests that could be the issue and i don't want to run them all locally06:29
stevemarjenkins and zuul shall do my bidding06:29
morganfainbergno only one or two tests that say things like "optional things should be optional"06:29
morganfainbergnot all of them ;)06:29
stevemarmorganfainberg, thanks for reviewing the oslo.policy change06:30
stevemari want to show keystone support before asking doug to cut a new release and add to GR06:30
morganfainbergsounds good06:30
stevemarmorganfainberg, but he and sigmavirus24 +1'ed the last patch, so we should be good06:31
stevemarmorganfainberg, you are reviewing like a mad man06:34
morganfainbergstevemar, no one is bothering me and we have k3 coming up06:35
stevemarlet me know if you need another +2/+A on something, i'm writing some emails atm, but i'd be willing to look away06:35
morganfainbergsure. i'm trying to clear out either the easy ones or the ones that are high prio06:35
morganfainbergabout to fix the minor nits to lbragstad's KLWT, but if you could review that one and make sure it looks sane ... that would be a big help, so we can get that thing in the gate tomororw.06:36
morganfainbergif at all possible06:36
stevemarmorganfainberg, sure, i've looked at it a few times early on, it looked solid06:37
morganfainbergstevemar, actually:
morganfainberglets knock that one out before KLWT06:37
stevemarugh, i've been putting this one off06:37
morganfainbergand the KLWT one we can do a nit cleanup / pass through if it's good.06:37
morganfainbergyou want to to KLWT first?06:37
morganfainbergi'm fine with knocking out KLWT before we do this one.06:37
stevemarno no, whitelist is fine06:38
stevemarthe schema definitely looks good06:39
stevemari think the only part that is sticking out is:06:46
stevemargroup_names_list = ast.literal_eval(identity_value['groups'])06:46
morganfainbergoh see now i started on KLWT :P06:46
morganfainbergi dislike that ast is used :(06:46
morganfainbergbut... uhm..06:46
stevemaroh so, it's basically mapping ASFS_GROUPS, g1, g2, g3 to keystone groups 'admin', 'member', 'test'06:48
morganfainbergafaict yes06:48
stevemarerr ASFS_GROUPS (g1, g2, g3) to keystone groups ('admin', 'member', 'test')06:48
openstackgerritguang-yee proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate
bretondstanek: <+dstanek> too many reviews and not enough -1s06:49
stevemarsorry morganfainberg had to -1 it06:58
*** lhcheng_afk is now known as lhcheng06:59
morganfainbergstevemar, -1 what? the KLWT or the white/blacklist?06:59
morganfainbergstevemar, i just -1'd the KLWT one for lots of *this should be cleaned up* stuff (all could be followups)06:59
stevemarmorganfainberg, the white/black list07:00
morganfainbergyeah looking at that one now07:00
stevemari'm on board with it in general, just one test is missing07:00
stevemarhey passed all the tests, neat07:00
morganfainbergso white/blacklist, yep your comment is spot on07:01
openstackgerritSteve Martinelli proposed openstack/keystone: Use correct dependency decorator
morganfainbergstevemar, could use eyes on
stevemarmorganfainberg, sec, just rebasing one of brants patches07:05
openstackgerritSteve Martinelli proposed openstack/keystone: Avoid multiple instances for a provider
morganfainbergthis one should be easy to review... but i'm not pushign it through till i get some thoughts on approach07:05
stevemaryesss, rebasing it on my opt->req patch fixed the issue07:06
stevemarmorganfainberg, that service type one... barf07:06
*** henrynash has joined #openstack-keystone07:07
*** ChanServ sets mode: +v henrynash07:07
morganfainbergit's super easy though!07:07
morganfainbergi mean it's 2 lines of change ;)07:07
morganfainbergand right now RAX is somewhat broken for a number of their users... for $reasons07:07
morganfainbergbut in short for them they have compute... AND compute...07:07
morganfainbergthat is all sorts of ... broken07:08
stevemarmorganfainberg, is looks okay to me07:10
morganfainbergis the idea sound though?07:10
morganfainbergi mean. i *think* it is07:10
morganfainbergnow.. i need to go yell at rax for another reason (yell = talk sternly to someone about it)07:10
morganfainbergbecause in their case compute != compute07:10
morganfainbergbut that isn't really something ksc can solve07:10
stevemarmorganfainberg, well yeah, we shouldn't *have* to deal with that issue, but this is the nicest way of dealing with it07:12
stevemarmorganfainberg, this should be easy
*** erkules_ is now known as erkules07:13
morganfainbergthis is solving the "you put something wonky in the catalog cause we didn't tell you you couldn't" not "you put something crazypants in the catalog that tells your user that 2 very different things are infact not different...except when you say they are"07:13
stevemaryeah, its the admin's doing something silly pants07:13
stevemarthis is mitigating the sillyness07:13
stevemardo you think i should just drop the .. NOTE: blocks from here: ?07:14
morganfainbergi would keep those07:14
morganfainbergno reason to remove them.07:15
morganfainbergthough i'd wait till marek's stuff lands can we just mark k2k stable07:15
morganfainbergbefore pushing that change through07:15
stevemarmorganfainberg, last one of mine:
morganfainbergyou have an erroneous whitespace change in there07:18
morganfainberg+2 though07:18
stevemarmorganfainberg, i added that deliberately07:18
morganfainbergsomething something whitespace and real changes don't mix something something07:19
stevemarwant me to fix it up?07:19
morganfainbergno, +2'd already07:20
*** lhcheng has quit IRC07:34
*** chlong_ has quit IRC07:42
*** chlong has quit IRC07:43
*** henrynash has quit IRC07:43
*** markvoelker has joined #openstack-keystone07:44
marekdmorganfainberg: what/up with federation?07:48
stevemarmarekd, it's all broken07:48
stevemarmarekd, kidding :P07:48
marekdstevemar: it is :P07:48
*** markvoelker has quit IRC07:50
*** afazekas_ has joined #openstack-keystone07:50
marekdstevemar:  morganfainberg may not be here, but did we decide that service providers will be added on request, after speciifying ?service_providers in the /auth/catalog call ?07:50
*** ioram has quit IRC07:58
openstackgerritMerged openstack/keystone: Revamp the documentation surrounding notifications
*** dims has joined #openstack-keystone08:03
stevemarmarekd, no; it's basically what you have proposed08:04
stevemarif SPs exist, add to catalog as 'service_providers': []08:04
stevemarif not, add no section08:04
stevemarmorganfainberg, ^08:05
morganfainbergmarekd, what stevemar said08:05
morganfainbergand we'll need to probably do a FFE for getting filtering added, but i'm ok with that08:05
morganfainbergmarekd, the only reason the API change wasn't merged was I wanted to make sure you looked at brant's recent comments.08:06
marekdFFE stands for?08:06
morganfainbergfeature freeze exception08:06
morganfainbergpost k3 feature work08:06
*** dims has quit IRC08:07
morganfainbergmarekd, or confirm that the comments weren't something that needed to be addressed08:09
stevemarmarekd, your local user auth patch and white/black list are super close!08:11
openstackgerritMerged openstack/keystone: Add links to extensions that point to api specs
jamielennoxstevemar: why wouldn't you always return service_providers: []08:20
jamielennoxwhat does the empty list signify that the missing element doesn't?08:20
morganfainbergjamielennox, it doesn't break people with older systems if k2k is not enabled08:21
morganfainbergjamielennox, it's strictly a compatibility thing for allowing keystone [some advanced features limited] from running in older environments. something we've been *very* good about supporting08:21
jamielennoxmorganfainberg: we're not nesting this within the 'catalog' element though right?08:21
morganfainbergno, but horizon and DOA will explode08:21
morganfainbergthey still do direct catalog parsing08:22
morganfainbergas will old nova(s)08:22
jamielennoxbah, really...08:22
jamielennoxwell that settles any argument08:22
stevemarjamielennox, morganfainberg it's going to be in the 'catalog' element though right?08:22
morganfainbergoh it is.08:22
morganfainbergjust not in the normal service thing08:22
jamielennoxstevemar, morganfainberg: why? just make it it's own element08:22
morganfainbergjamielennox, what marek proposed08:22
morganfainbergjamielennox, it's part of the catalog. we said as much eysterday08:23
jamielennoxthe token has 'catalog': [...]08:23
* morganfainberg might be overly tired.08:23
jamielennoxmorganfainberg: last i heard it was going to be out on its own08:23
* morganfainberg should also be in bed already.08:23
jamielennoxbut i miss all the conversations that happen during the day08:24
morganfainbergin catalog, as it's own {} thing08:24
morganfainbergat least that is what i thought we discussed08:24
morganfainberglast night.08:24
jamielennoxmorganfainberg: yuk - i can see why it blows up08:25
marekdstevemar: cool, i will work on that08:25
jamielennoxwhy not just have 'service_providers': [] as a top level?08:25
marekdmorganfainberg: hah, how expensive would be changing token's structure?08:25
marekdtalking long term plans now.08:25
jamielennoxd.keys() = ['catalog', 'service_providers']08:25
morganfainbergjamielennox, how much would it break to return it as part of auth/catalog but not in catalog?08:25
morganfainbergi'm going to guess lots of stuff would break08:25
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
morganfainbergmarekd, changing token structure is painful08:26
marekdjamielennox: it's because service_providers are part of catalog? however i think we are slightly morphing into local/remote service catalog.08:26
jamielennoxmarekd: but i'm getting more and more keen for v4 tokens08:26
morganfainbergmarekd, because *some* companies like to directly inspect the token and assume it looks a certain way08:26
stevemarjamielennox, you're suggested to change the token structure now, not the catalog08:26
marekdjamielennox: huh? when? how?08:27
jamielennoxstevemar: i'm adding to the token structure, i don't think that's a problem08:27
morganfainbergjamielennox, please work with marekd to figure out how this needs to be (cc stevemar) i need to sleep :P08:27
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline
marekdmorganfainberg:  yes sir08:27
morganfainbergi don't think i'm that functional right now :P but the roadblocks to accepting it as "08:27
morganfainberg"not just another endpoint" are gone08:27
jamielennoxawww, i have my scotch, i can smell dinner...08:27
* morganfainberg just wants this to be in place and working.08:27
morganfainbergjamielennox, sooooo drink moar scotch, quick discussiojn and go have dinner ;)08:28
stevemari don't think having the SPs in the returned token would be a problem08:28
* morganfainberg has no horse in this race - as long as SPs are available. [and they *should* be part of the catalog response if we can do it w/o breaking people]08:28
stevemara call to /auth/catalog wouldn't return anything08:29
jamielennoxso when i thought we were talking about having service providers in the catalog i thought we were still talking {'endpoint': {stuff}}08:29
morganfainbergor something someting08:29
marekdmorganfainberg: gnight08:29
jamielennoxjust changing stuff08:29
morganfainbergi'll look for a review to +2 when i'm awake or something next08:29
stevemarjamielennox, so having them in endpoints was never an option08:29
marekdstevemar: ++08:29
jamielennoxstevemar: yep, i didn't read the review properly08:29
stevemaralong side endpoints was always the suggested08:29
marekdwell, gyee brought this up08:29
jamielennoxstevemar: and it makes sense why i had some wrong ideas08:30
jamielennoxbut they're not really along side08:30
marekdjamielennox: so now how do you want to have them done?08:30
jamielennoxcatalog is defined as a list - not a dictionary08:30
morganfainbergin short, they don't belong in endpoints [i swear i'm going to bed]08:30
stevemarjamielennox, right, gyee and bknudson suggested that we could 'force' these into endpoints, but that didn't fly08:30
jamielennoxmorganfainberg: you can do it08:30
morganfainbergjamielennox, you know.. if catalog has been a dict... that other issue we just solved in ksc wouldn't have happened08:30
jamielennoxstevemar: right and it was going to cause problems with auth.get_endpoint08:30
jamielennoxmorganfainberg: i know08:30
morganfainbergjamielennox, catalog v.. 3?08:31
jamielennoxmorganfainberg: i get why they didn't, but they should have08:31
jamielennoxmorganfainberg: token v4 lets us redefine catalog08:31
jamielennoxthough causes a hell of a lot of other problems08:31
morganfainbergooh catalog v31415926535908:31
marekdjamielennox: you seriously want to start working on v4 ?08:31
morganfainbergmarekd, not API v408:31
morganfainbergnew token format only08:32
jamielennoxmarekd: it's come up in the past08:32
stevemarmarekd, v4 is always a joke :P08:32
morganfainberggod no api v408:32
morganfainbergnever api v408:32
jamielennoxoh - that would be fun as well - but no08:32
morganfainbergbut a new token format wouldn't be bad.08:32
morganfainberga lot of work08:32
morganfainbergbut not nearly as bad08:32
jamielennoxjust seperating the CRUD api from the token format and auth work08:32
morganfainberg(most deployers never actually look *in* the token)08:32
morganfainbergon the wire that is08:32
marekdmorganfainberg: jamielennox:  this qualifies for a summit session proabably. My suggestion would be: make a format so we can easily support hybrid clouds.08:33
stevemarmorganfainberg, i'm not really seeing a downside to adding 'service_providers' to the token level08:33
jamielennoxthen we could do some cool stuff with auth discovery and purely external auth08:33
jamielennoxstevemar: that's my vote08:33
marekdand make token that can really rule them all [federated clouds]08:33
jamielennoxstevemar: that's what i thought i was voting with when morganfainberg suggested keeping them seperate08:33
stevemarmorganfainberg, marekd thoughts on keeping it at the token level?08:34
jamielennoxfrom an auth plugin perspective it will be a whole lot easier to support08:34
jamielennoxbecause i'll just add a new call08:34
marekdjamielennox:,cm so here is curent proposition.08:34
jamielennoxthe problem was always how to intertwine catalog and service providers08:34
marekdyou are voting for moving service_providers level up?08:34
jamielennox(am i the only one who still can't get used to the new gerrit formatting)08:34
marekdi saw lots of options flying around and people changing their minds.08:34
morganfainbergstevemar, not the end of the world, but it's an extra call if you're sans token. but eh08:35
morganfainbergjamielennox, i refuse to use the new layout08:35
morganfainbergjamielennox, it's a trainwreck. the old gerrit = better08:35
morganfainbergor gertty08:35
jamielennoxcool, just everyone links the new way08:35
stevemarmarekd, so /auth/catalog wouldn't return the service provders08:35
stevemarjust /auth/tokens08:35
morganfainbergjamielennox, mostly ayoung-mtg and marekd afaik.08:35
jamielennoxi think that's ok08:35
jamielennoxGET /auth/service_providers08:35
jamielennoxGET /auth/catalog08:36
morganfainbergjamielennox, ^^ yes08:36
jamielennoxand a token has both08:36
morganfainbergif it isn't in the catlog, it needs it's own call08:36
jamielennoxi talked about GET /auth/service_providers yesterday and we got sidetracked with another discussion08:36
morganfainbergjamielennox, compute != (or does it) compute08:36
morganfainbergjamielennox was the sidetrack i think.08:36
morganfainbergor was that today?08:37
jamielennoxmorganfainberg: today08:37
morganfainbergwow... i uh.. things08:37
jamielennoxmorganfainberg: sleep08:37
* morganfainberg waves hands08:37
jamielennoxdid that pass check?08:37
morganfainberggo make SPs appear somewhere ;)08:37
morganfainbergjamielennox, yeah it did08:37
morganfainbergjamielennox, has 2x+2s as well08:37
*** pnavarro has joined #openstack-keystone08:37
openstackgerritMerged openstack/keystone: Fix for KVS cache backend incompatible with redis-py
marekdjamielennox: when client calls /auth/catalog?08:38
stevemarmarekd, jamielennox
jamielennoxstevemar: yep08:38
jamielennoxahh - what's with the auth_url: RegionOn08:38
stevemarjamielennox, copy/pasta08:39
jamielennoxok actual url there08:39
morganfainbergbtw, we need to use
morganfainbergin keystone somewhere08:39
stevemarjamielennox, yeah, they are actual urls08:39
openstackgerritwanghong proposed openstack/keystone: move region and service exist checks into manager layer
jamielennoxstevemar, marekd: cool like it08:40
stevemarthere we go08:40
jamielennoxstevemar: it must be late, but stanek got a jump on you so can you have a look at some of those auth_token splits08:40
stevemarjamielennox, link me up08:40
jamielennoxi have some stuff i want to do to auth_token for swift but i'm not going to rebase it until this all clears08:40
marekdjamielennox: stevemar ok, i will change the code so it looks like steves example.08:41
stevemarIIRC, we (future work) were going to look into the token for the SPs anyway, so i think we can just add them to the token08:42
marekd(though i think it will be removed from one year from now :P)08:42
morganfainbergbtw, feel free to push the API docs through if they match what you guys just discussed.08:42
stevemarthe only issue is if it's always there or not, morganfainberg opinion on that one?08:42
jamielennoxmarekd: possibly, hopefully by then we will understand how this whole thing will wokr08:42
jamielennoxstevemar: i vote always, it's not going to cause compat issues there08:43
morganfainbergeh, lbragstad is going to hate you in either case.08:43
stevemarlike if all tokens will have 'service_providers': []08:43
jamielennoxbut honestly it doesn't matter either way because we have to support old and new tokesn08:43
stevemarin terms of token bloat, its the same size08:43
marekdjamielennox: yes. as i asid earlier, we should start preparing ourselves for 'hybrid clouds' and hybrid tokens, so client could easily understand "these are my local endpoints and there are somewhere, far away"08:43
jamielennoxmarekd: yea, i don't know yet if the client stuff can support it08:44
jamielennoxmarekd: but it's in a better place than it was i guess08:44
stevemarjamielennox, food for thought08:44
morganfainbergstevemar, we should rot26 the sp_urls for security reasons08:44
marekdjamielennox: it's a long term future work08:44
jamielennoxwe still don't have people using v3 auth, i think hybrid cloud tokens will still be a while08:44
marekdwhat's that >.> ?08:44
morganfainbergmarekd, shifty eyes08:44
jamielennoxalright - gotta go, will check that spec later08:44
morganfainberglike spy vs spy but ascii08:45
marekdjamielennox: thanks08:45
marekdmorganfainberg: i would kick you out of channel so you finally go to bed if i could :P08:45
morganfainbergsince this is a dict, actually i vote don't put it in the token unless it exists08:45
morganfainbergthis also means that if we remove it for something else in the future ... it could just disappear08:46
morganfainbergrather than always being an empty []08:46
morganfainberg(with less pain that is)08:46
morganfainbergsince clients will already need to know if it's there/check it actually exists08:46
morganfainbergclient being not ksc that are doing things even though we said don't08:46
marekdok, so move service providers level up, make them appear only if we have something to show.08:47
morganfainbergyep. i think that is the best course08:47
stevemarmorganfainberg, how can we make them a dict?08:47
morganfainbergstevemar, the token itself is a dict08:47
morganfainbergso token,get('service_providers')08:47
morganfainbergvs token['service_providers']08:47
stevemaroh i thought you meant to make service_providers a dict08:48
stevemarof course token is08:48
marekdno no08:48
stevemari was confused for a sec08:48
morganfainbergmarekd, ?08:48
stevemarit is nearly 4am for me, confusion is bound to happen08:48
morganfainbergstevemar, go to bed08:48
stevemarand with that, i'm outtttttttt08:48
morganfainbergyou need ti more than i do08:48
stevemari sleep in like a beast08:48
marekdmorganfainberg: i was saying 'no no' to steve08:48
morganfainbergah yeah08:49
morganfainbergok so.. g'night08:49
morganfainbergor somesuch08:49
stevemarsee ya in a few hours08:49
*** karimb has joined #openstack-keystone08:49
*** rushiagr_away is now known as rushiagr08:49
stevemarmarekd, don't burn down the house08:49
marekdyes, mum08:49
stevemarget the black/white list and local user patches up, they are super close08:50
stevemarokay okay, not i'm gone08:50
openstackgerritSteve Martinelli proposed openstack/keystone: Avoid multiple instances for a provider
*** jistr has joined #openstack-keystone08:53
*** henrynash has joined #openstack-keystone08:53
*** ChanServ sets mode: +v henrynash08:53
openstackgerritMerged openstack/keystone: Chain a trust with a role specified by name
*** stevemar has quit IRC08:57
openstackgerritwanghong proposed openstack/keystone: apply endpoint_group filters on token catalog
*** henrynash has quit IRC08:59
*** henrynash has joined #openstack-keystone09:01
*** ChanServ sets mode: +v henrynash09:01
*** MasterPiece has quit IRC09:10
*** jaosorior has joined #openstack-keystone09:38
openstackgerritMarek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules
openstackgerritMerged openstack/keystonemiddleware: Extract revocations to file
*** markvoelker has joined #openstack-keystone09:47
*** davechen has quit IRC09:50
*** markvoelker has quit IRC09:52
*** krykowski has joined #openstack-keystone10:02
*** sluo_laptop has quit IRC10:05
*** henrynash has quit IRC10:08
*** EmilienM|afk is now known as EmilienM10:11
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow
*** pnavarro_ has joined #openstack-keystone10:42
*** pnavarro has quit IRC10:43
*** henrynash has joined #openstack-keystone10:46
*** ChanServ sets mode: +v henrynash10:46
*** pnavarro_ has quit IRC10:47
*** pnavarro_ has joined #openstack-keystone10:48
*** dims has joined #openstack-keystone10:52
*** himangi has joined #openstack-keystone10:54
*** dims_ has joined #openstack-keystone10:55
*** dims has quit IRC10:58
openstackgerritMarek Denis proposed openstack/keystone: Enhance user identification in mapping engine
*** nellysmitt has joined #openstack-keystone11:10
marekdanybody willing to take a look at this patch ?11:14
*** pcaruana has joined #openstack-keystone11:19
bretonI'm getting an error when I do db_sync on mysql11:32
*** rushiagr is now known as rushiagr_away11:33
marekdyou are right.11:38
*** samueldmq has quit IRC11:42
marekdbreton: is you mysql using InnoDB?11:43
bretonmarekd: I don't know, I just apt-geted it from debian stable11:45
*** dguerri is now known as dguerri`afk11:47
*** chlong has joined #openstack-keystone11:51
*** chlong_ has joined #openstack-keystone11:51
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config
*** amakarov_away is now known as amakarov11:52
*** samueldmq_ has joined #openstack-keystone12:09
*** samueldmq_ is now known as samueldmq12:09
samueldmqhenrynash, hi12:13
*** henrynash has quit IRC12:13
*** dims_ has quit IRC12:14
*** henrynash has joined #openstack-keystone12:14
*** ChanServ sets mode: +v henrynash12:14
*** dims has joined #openstack-keystone12:14
*** rodrigods has left #openstack-keystone12:16
*** rodrigods has joined #openstack-keystone12:17
*** himangi has quit IRC12:20
samueldmqhenrynash, you around?12:22
henrynashsamueldmq: sure12:22
samueldmqhenrynash, hi .. I've submitted a bug for the tests failing due to bad config of domain-specific on tests12:23
openstackLaunchpad bug 1425895 in Keystone "Tests on DomainSpecificLDAPandSQLIdentity cannot create and use new domains" [Undecided,New] - Assigned to Samuel de Medeiros Queiroz (samueldmq)12:23
samueldmqhenrynash, I'll fix it on the tests, as you suggested12:24
samueldmqhenrynash, however .... when domain-specific config is in SQL, could we couple a bit more the domain creation and the check for the config?12:25
henrynashsamueldmq: well, not without changing the API speci12:25
samueldmqhenrynash, what's your personal feeling? i) we really don't need that samuel! ii) I agree that would be better iii) I dont care, both work for me12:26
henrynashsamueldmq: I’m pretty much against overly linking these things…I think it is not teh correct thing to do for production deploments12:26
henrynashwe should a) make it possible for on-boardes  to use rest to create a domain and config it (that’s what I’m doing)….but I don’t think the shoul dbe combined….. and b) we should make our tests smarter12:28
samueldmqhenrynash, we could at least log somehting (INFO when it will be mapped into the default driver, WARNING when it cant be mapped and a config will need to be added)12:28
henrynashsamueldmq: as I said, I’m pretty much against overly linking these things12:28
henrynashsamueldmq: cloud admins do NOT want this stuff happending withou their control12:29
samueldmqhenrynash, ok I agree, but what about the log messages I said ^12:29
henrynashsamueldmq: if they want to offer a “one button” domain onbording, they’ll do that by layering on their own UI12:29
henrynashsamueldmq: I guess we could write a log message…..but on what condition? We create a domain, try and list users, catch thee error and log?12:31
henrynashall inside the create_domain method of the controller?12:32
samueldmqhenrynash, well, we couldn't without coupling them... since we will need to check available domain configs12:32
henrynashwell, we could just try the api call and catch the error….pretty yukky12:33
henrynashdoesn’t our log from idenitity already say what domain is in error….in which case, have we gained anything?12:33
henrynashnobody will look at the logs until something goes wrong anyway12:34
henrynash(you can tell I’m skeptical of this whole thing!)12:34
samueldmqwell, I do think if we raise an error at domain creation it would improve ux12:36
samueldmqHey, you are using domain-specific configs and new domains cannot be mapped into the default driver, since it's LDAP. Please provide a config for this domain first!'12:36
samueldmqbut since no cloud admin is hitting issues when configuring their domains, maybe this is not worth to do12:36
samueldmqand we have other things with higher priority :-)12:37
samueldmqso for me it's ok to let this as it is, np12:37
*** diegows has joined #openstack-keystone12:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Exposing bug in domain-specific config use on test
samueldmqhenrynash, ^ I'm exposing the bug, I will just make our tests smarter :-)12:46
henrynashmaking tests smarter is good12:48
*** markvoelker has joined #openstack-keystone12:50
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens
*** rodrigods is now known as rodrigod`12:51
*** rodrigod` is now known as rodrigods12:53
*** markvoelker has quit IRC12:56
*** kallebe has joined #openstack-keystone12:58
*** afazekas_ has quit IRC13:05
*** aix has joined #openstack-keystone13:13
dstaneklbragstad: i'm going through that stuff again this morning13:14
lbragstaddstanek: ++ thanks for the reviews!13:15
openstackgerritMerged openstack/keystone: Reference OSC docs in CLI examples
openstackgerritMerged openstack/keystone: Update `os service create` examples in config services
*** chlong has quit IRC13:20
*** chlong_ has quit IRC13:20
*** rushiagr_away is now known as rushiagr13:22
*** MasterPiece has joined #openstack-keystone13:30
*** MasterPiece has quit IRC13:34
*** baffle has quit IRC13:42
bretondstanek: I have a problem in reviewing your functional testing patches: I don't know how to use them. What should I do after I did "git fetch && git checkout"?13:51
*** markvoelker has joined #openstack-keystone13:53
dstanekbreton: which patch are you working on?13:56
bretondstanek: for example. Or
*** markvoelker has quit IRC13:59
*** sigmavirus24_awa is now known as sigmavirus2413:59
*** joesavak has joined #openstack-keystone14:01
dstanekbreton: for those you have to hack up a devstack config - the k-pyidp is a service and the federation is a keystone extension14:01
dstanekbreton: might now be worth reviewing them at this point14:04
bretonhm, ok.14:05
bretonI am not sure even where to start. Do I need a running devstack for that? Do I have to apply the changeset against Keystone used in that devstack?14:06
*** henrynash has quit IRC14:06
*** markvoelker has joined #openstack-keystone14:10
*** arunkant has quit IRC14:10
*** richm has joined #openstack-keystone14:11
*** bknudson has quit IRC14:15
kallebehey. How do I use keystone client in code? I am trying to use the client from code, not CLI.14:16
kallebeI tried14:16
kallebecl = keystoneclient.client.Client(auth_url='http://localhost:35357/v2.0')14:16
kallebebut it returns keystoneclient.openstack.common.apiclient.exceptions.ConnectionRefused: Unable to establish connection to http://localhost:35357/v2.014:16
kallebekeystoneclient.openstack.common.apiclient.exceptions.ConnectionRefused: Unable to establish connection to http://localhost:35357/v2.014:16
kallebekeystoneclient.openstack.common.apiclient.exceptions.ConnectionRefused: Unable to establish connection to http://localhost:35357/v2.014:16
*** gordc has joined #openstack-keystone14:17
amakarovkallebe, make sure Keystone listens on localhost, not on some 10.xx.xx.xx14:18
dstanekbreton: you have to have a devstack that contains the new code - but the kicker is that you have to actually move it into the devstack directoies14:18
kallebeamakarov ok, I will see that14:18
dstanekkallebe: what happens when you "curl http://localhost:35357/v2.0" on that same machine?14:18
kallebeit returns connection refused14:19
kallebeI will try to use direct IP14:19
amakarovkallebe, ++14:19
*** ljfisher has joined #openstack-keystone14:19
kallebewell, I guess keystone must have some problem here in my machine. I will try to restore it. When i use keystone endpoint-list the connection is refused14:21
amakarovkallebe, a pity. I hoped for a bug :)14:22
kallebeamakarov so just to make it clear how I will use the keystoneclient. I want to use it to get the port of keystone adminurl14:23
kallebecan i just instantiate the client and use service_catalog.get_endpoints.get_endpoints()14:23
amakarovjust use v3 instead of v2.014:26
dstanekkallebe: is keystone running on that machine?14:26
*** pnavarro__ has joined #openstack-keystone14:26
kallebeok, thanks. Had not realized that :) I will try it when Keystone goes up again.14:26
kallebe+dstanek I thought it was running but apparently no process is listening on port 5000 nor 3535714:26
kallebeI went to screen keystone tab and tried to up it again14:26
kallebehowever, the last command is about log :(14:26
kallebesudo tail -f /var/log/apache2/keystone.log14:27
*** pnavarro_ has quit IRC14:27
dstanekkallebe: is apache running?14:28
kallebedstanek yes14:29
kallebewell, I will unstack and stack again. No problem.14:29
*** afazekas_ has joined #openstack-keystone14:31
*** pnavarro__ has quit IRC14:31
dstanekkallebe: is you still have issue 'netstat -l' will show that the ip:port things are listening on14:31
kallebe+dstanek ok, thanks. I also use netstat -taupen | grep <number> to check one in particular14:32
*** radez_g0n3 is now known as radez14:34
*** bknudson has joined #openstack-keystone14:36
*** ChanServ sets mode: +v bknudson14:36
dstaneklbragstad: you here?14:38
lbragstaddstanek: yes?14:39
dstaneklbragstad: confused by key rotation14:39
lbragstaddstanek: I can attempt to answer the questions on it14:39
lbragstaddstanek: but dolphm did quite a bit of that logic14:40
lbragstaddstanek: what's up?14:40
dstanekyou have keys 0, 1, 2 and then you rotate by moving 0 to 3 and creating a new 0?14:40
lbragstadthe key that is 0 is always the primary key14:40
lbragstadwhich is the key that does all the encrypting and signing14:40
lbragstadthen the old primary gets 'demoted' but is still available to decrypt14:41
dstanekbut it's demoted by moving it to max + 1?14:41
lbragstadyeah, that logic ties into the max_active_keys option as well.14:42
lbragstadso if you say that you only want to have a maximum of 10 active keys, it takes that into consideration14:43
*** pnavarro__ has joined #openstack-keystone14:43
dstanekok, that is what i thought - the naming of current_primary_key and new_primary_key threw me off because they don't make sense14:43
lbragstaddstanek: yeah, I believe dolphm said he was working on documenting that? gyee also had questions on that14:44
lbragstadold keys can be cleaned up once they're older than the default token lifetime14:44
lbragstadactually, scratch that last statement14:45
lbragstadI was wrong14:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller
dstaneklbragstad: yeah, i looks like they are only cleaned up based on the count14:49
lbragstaddstanek: correct,14:49
lbragstaddstanek: so, it would break if you had a token expiration of 6 hours, but wanted to rotate keys every 30 minutes and had max_active_keys set to 4 or something like that14:50
lbragstadbecause there would still be valid tokens out there that wouldn't able to be validated once the excess keys are pruned14:50
dstaneksounds like some sweet documentation - really users should only set one of those settings and the other one would be calculated14:51
dstaneklbragstad: they control rotation outside of keystone though, right?14:52
lbragstaddstanek: so you're saying that max active keys should be generated based off token expiration time and rate of key rotation?14:52
lbragstaddstanek: yeah14:53
lbragstadsay I have a 24 token lifetime, and i want to rotate keys every hour, my max_active_keys shouldn't be less than 2414:53
lbragstadbut, not sure that management belongs in the keystone server?14:53
lbragstad24 hour*14:54
lbragstadthe tricky part is the key rotation policy since that part is up to the deployer14:54
dstanekyeah, i think that's a documenation thing14:54
lbragstaddstanek: cool14:55
dstanekit's harder since we are doing half the work14:55
*** csoukup has joined #openstack-keystone14:55
*** htruta has quit IRC14:59
dstaneklbragstad: first patch done15:04
lbragstaddstanek: thanks!15:04
*** htruta has joined #openstack-keystone15:04
morganfainberglbragstad: key rotation is always hard15:10
morganfainberglbragstad: and I apologize if my comment didn't make sense in the key rotation bits because it was super late when I reviewed that last night.15:11
*** mattfarina has joined #openstack-keystone15:11
lbragstadmorganfainberg: no worries, I tried addressing them15:11
morganfainbergLooking now.15:11
morganfainberglbragstad: no need to split this up more. My comment about could have been separate was more future looking.15:14
morganfainberglbragstad: btw.15:14
lbragstadmorganfainberg: cool, works for me. This should get easier when the first commit goes through since we can start working things in parallel15:15
dstaneklbragstad: the user_id/group_id stuff concerns me a little, but i think it's really close15:16
lbragstaddstanek: cool, trying to address that now15:16
dstanekit seems like they should both be specified or that's an error15:16
dstaneklbragstad: probably shouldn't have defaults for them in the function signature since that really are not optional15:17
*** nellysmitt has quit IRC15:19
*** markvoelker has quit IRC15:21
*** markvoelker has joined #openstack-keystone15:21
*** krykowski has quit IRC15:22
dstaneklbragstad: is really something that was forgotten in the parent patch? meaning if you deleted a token it would fail for KLWT15:23
lbragstaddstanek: it could live in the parent patch, but that patch was growing15:24
lbragstadand revocation needs that one line change in provider.py15:24
dstaneki'm not sure i understand how it allows then to take advantage or revocation events - is it that they were broken in the first patch then?15:24
lbragstaddstanek: there wasn't any revocation testing done in the first patch15:25
dstanekok, the comment in the commit message threw me off because i expected something to me changed that looked like it enabled revocation events. not a big deal15:26
*** markvoelker has quit IRC15:26
dstaneklbragstad: my guess is that the delete is broken in the first patch and that you'd get a 404 or something because the token wasn't in the database15:27
dstaneklbragstad: what do you think is needed in the middleware?15:28
*** kallebe has quit IRC15:28
lbragstaddstanek: I didn't the revocation stuff in middleware knew how to pull the latest revocation list15:28
lbragstadI didn't think*15:28
morganfainbergdstanek: middleware should consume events. Right now if someone enables caching and uses klwt no revokes will ever happen for cached tokens.15:29
morganfainbergSo middleware needs to learn to pull events and process them. Like the TRL.15:29
dstanekmorganfainberg: that's not a klwt problem though, right?15:30
morganfainbergIt is a use events problem. Prior to klwt most people used TRL only. Now we force using events.15:31
morganfainbergWhich creates a gap. So no not exclusively a klwt issue.15:31
dstanekthat's what i thought, just wanted to make sure my understanding was still correct15:32
morganfainberglbragstad: you addressed the major comments I had.15:34
morganfainberglbragstad: looks pretty close.15:35
dstaneki didn't realize that patchset 24 had lots of commentary15:35
lbragstadmorganfainberg: cool, finishing up dstanek's comments quick15:35
lbragstadyeah, ps 24 was a good iteration15:36
dstanekso is this being marked as experimental?15:36
morganfainbergdstanek: ideally yes.15:36
morganfainbergWith the hope that next cycle we can make it stable / default.15:37
dstanekis that just a documentation thing or do was have a clever code was of doing it too?15:37
morganfainbergDoc thing.15:37
morganfainbergI don't want to make clever code things if we can avoid it :)15:37
dstaneki didn't know if you wanted to have the deployer or user specifically allow it15:38
dstaneki guess the user already is since that's what they are requesting15:38
morganfainbergExperimental stuff is mostly a deployer choice to enable and a user choice to either use that cloud or api. But since this has no api changes, the user can't know short of a wierd token coming back.15:40
dstaneklbragstad: what's with the adding {} around the UUID strings?15:40
morganfainbergFor apis they should show up in json home marked as experimental15:40
lbragstaddstanek: is there a better way to do that?15:41
dstanekdoesn't uuid.UUID(uuid_string) work?15:42
dstaneklbragstad: one last question and then i'll leave you alone for the day :-D15:45
lbragstaddstanek: checking quick15:45
dstaneklbragstad: line 152 ->; what is happening that v2 is unicode and v3 is bytes? and is that the same in python3?15:46
lbragstaddstanek: I'm not sure why that it, I figured it was something with how v2 requests are routed versus v3?15:47
*** jorge_munoz has joined #openstack-keystone15:47
dstaneklbragstad: i'll investigate today - i'm very curious15:48
lbragstaddstanek: I appreciate it15:48
dstaneklbragstad: OK i'm through all of those reviews - ping me if you need me15:49
lbragstaddstanek: sounds good, thanks!15:49
dolphmlbragstad: dstanek: i need to document key rotation a bit better, but i could probably also skip using 0 as a crutch (that made more sense in an earlier implementation, now it's just odd)15:50
*** markvoelker has joined #openstack-keystone15:51
dolphmlbragstad: dstanek: and concerning calculating settings, i was thinking about including a formula somewhere to act as a guide to tuning, based on the desired token lifetime and rotation frequency15:52
lbragstaddolphm: interesting, do you want that to live in Keystone?15:53
dolphmlbragstad: it would just be docs15:53
lbragstaddolphm: cool, that works for me15:53
dstanekdolphm: i think that's a good idea; i can see deployers getting confused when their keys expire early15:54
dolphmlbragstad: dstanek: i'm also leaning on renaming the "KLWT" to "Fernet," since that best represents the outward facing token format, and i looked at refactoring the token providers into "payload providers" and "format providers"15:55
lbragstadI agree with that15:55
dolphmlbragstad: dstanek: so theoretically, you could package up a UUID4 in a fernet token ... if you were so inclined15:56
dolphmor even swap Fernet for OAuth :D15:56
lbragstadthat'd be cool15:56
dstanekthat's neat15:56
lbragstaddolphm: wasn't your original POC with oauth?15:58
dolphmlbragstad: yep15:58
*** kallebe has joined #openstack-keystone15:59
dolphmlbragstad: the twist was that i included the secret key as part of the encrypted message in the access key, so the whole combo (secret key + access key) was entirely non persistent15:59
openstackgerritDavid Stanek proposed openstack/keystone: Add parent_id to test_project_model
openstackgerritDavid Stanek proposed openstack/keystone: Fixes the SQL model tests
openstackgerritDavid Stanek proposed openstack/keystone: Removes useless setup from SQL model tests
lbragstaddolphm: ah, nice16:00
*** mikedillion has joined #openstack-keystone16:03
*** himangi has joined #openstack-keystone16:03
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens
lbragstadjorge_munoz: rebase while it's hot! ^16:04
dstanekdolphm: that's what happens when i get bored in the middle of the night - i fix inconsequential test problems16:04
*** sigmavirus24 is now known as Slackwarebot16:07
*** Slackwarebot is now known as sigmavirus2416:07
*** himangi has quit IRC16:08
*** himangi has joined #openstack-keystone16:08
*** mikedillion has quit IRC16:11
*** himangi has quit IRC16:12
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose register decorator as part of public API
*** himangi has joined #openstack-keystone16:13
jorge_munozlbragstad: will do, thanks16:13
morganfainbergdstanek: some day I'll write code again >.>16:14
morganfainbergThese days I sleep in the middle of the night. :P16:14
*** ljfisher has quit IRC16:18
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose register decorator as part of public API
*** ljfisher has joined #openstack-keystone16:21
*** dhague has joined #openstack-keystone16:23
*** gyee has joined #openstack-keystone16:24
*** ChanServ sets mode: +v gyee16:24
raildomorganfainberg, we are with a doubt in the API call returns for domains... if I use  GET /domains/ we have to return the domain's body as works today, or we can add the others field related to a project is_domain (parent_id, is_domain)16:25
morganfainbergraildo: you could add extra fields, but you cannot break what is there today. Is_domain shouldn't leak out from the v3 domains interface, if it isn't a domain you can't reference it there.16:27
morganfainbergSince everything on v3/domain should be a domain everything will have is_domain. Silly to add it to the on-the-wire data structure right?16:28
*** david-lyle_afk is now known as david-lyle16:36
*** joesavak has quit IRC16:37
raildomorganfainberg, right, I'm just with rodrigods if we will have some gain put this informations in the domains API, but maybe the parent_id can be useful in the future.16:38
morganfainbergMaybe in the future doesn't sound like a resounding reason to add data to the structure via that api.16:39
morganfainbergWe can always add data when it becomes useful. Removing data from an api is hard.16:40
*** rushiagr is now known as rushiagr_away16:40
raildomorganfainberg, right. :) we don't intend remove and data, its more to add something, but for now we will not change this.16:41
morganfainbergSounds good.16:42
*** himangi has quit IRC16:42
openstackgerritDavid Stanek proposed openstack/keystone: Fixes the SQL model tests
openstackgerritDavid Stanek proposed openstack/keystone: Removes useless setup from SQL model tests
*** stevemar has joined #openstack-keystone16:44
*** ChanServ sets mode: +v stevemar16:44
*** himangi has joined #openstack-keystone16:46
raildomorganfainberg, think more  about this, we will have a gain now, because we can list subdomains using the parent_id and list the root domains when this parent_id is None. so I think that is a good reason to add the parent_id in the domain API.16:46
*** rushiagr_away is now known as rushiagr16:47
*** pcaruana has quit IRC16:50
*** joesavak has joined #openstack-keystone16:50
*** rwsu-afk is now known as rwsu16:50
*** amakarov is now known as amakarov_away16:51
*** afazekas_ is now known as afazekas17:00
*** jistr has quit IRC17:02
*** jsavak has joined #openstack-keystone17:05
*** lsmola has quit IRC17:06
*** joesavak has quit IRC17:08
*** joesavak has joined #openstack-keystone17:09
*** jsavak has quit IRC17:10
*** andreaf_ has joined #openstack-keystone17:19
*** nellysmitt has joined #openstack-keystone17:20
*** andreaf_ has quit IRC17:20
*** _cjones_ has joined #openstack-keystone17:21
*** htruta has quit IRC17:22
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose stuff used in Neutron as part of public API
*** htruta has joined #openstack-keystone17:24
ayoung-mtgThe problems with Tokens as a one act play:
*** nellysmitt has quit IRC17:25
*** pdesai has joined #openstack-keystone17:35
*** jsavak has joined #openstack-keystone17:37
*** karimb has quit IRC17:39
*** joesavak has quit IRC17:39
openstackgerritJorge Munoz proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)
openstackgerritJorge Munoz proposed openstack/keystone: Use revocation events for lightweight tokens
openstackgerritJorge Munoz proposed openstack/keystone: Implement KLWT for v2.0 tokens
*** lhcheng has joined #openstack-keystone17:41
*** nellysmitt has joined #openstack-keystone17:41
*** karimb has joined #openstack-keystone17:43
stevemarayoung-mtg, bravo17:43
*** karimb has quit IRC17:43
*** ayoung-mtg is now known as ayoung17:44
ayoungstevemar, trying really hard to not put the audience to sleep17:44
ayoungstevemar, OK...dumb idea time:17:46
ayoungWhat if...when we validated a token, we created a dictionary, that was to be consumde by Nova (etc)17:46
ayoungthe dictionary says:  for glance, use this token,  for Cinder, use that one, and for Neutron this other one17:47
stevemarayoung, it was really funny, i liked it17:47
ayoungthen...when Nova validates a user's token...the response comes back with a bunch of other tokens17:47
ayoungAssuming we had endpoint binding in place, the new tokens would then be bound to each of the other endpoints.17:48
stevemarcould work, whats the gain?17:48
ayoungThe only change Nova would have to make is that, instead of reusing one token, it would select the token for the appropriate endpoint.17:48
ayoungstevemar, ....  I'm trying to deal with delelgation, and making sure that we only delegate what we need to17:49
ayoungand I'm trying to havea light touch17:49
ayoungOK...I was trying to get away from the user trying to get a token at all17:49
ayoungand instead just going direct to Nova and saying "use this project"17:50
ayoungand then Nova going to Keystone to say "give me roles for user  X on project Y"17:50
ayoungwe make an implied rule that says when Nova does that, it can request a token for the user  that matches.17:50
ayoungIt means that Nova still has a lot of could fake a request for a token scoped to a different project17:51
stevemarthe user would still need a token for the initial call to nova? no?17:51
ayoungI'm trying to break the "bearerness" of tokens17:51 the above, they would17:51
ayoungNova needs something to hand to Keystone to prove the user was really there....17:52
ayoungand I don;t want to shove PKI down everyones gullet17:53
ayoungstevemar, morganfainberg has, at one point, suggested signed requests.  It would be like a PKI token, but instead of the token being signed, the whole request to Nova would be signed.  It would not have the roles information in it, as that would still have to belooked up, but it would allow nova to both authenticate the user as well as prove to another service that the user actually contacted Nova17:55
ayoungDoing it from the CLI is not that hard, but doing it via Horizon is impractical17:56
ayoungstevemar, No silver bullet there, either17:57
stevemarsigned requests was an interesting concept, i remember morganfainberg bringing it up17:57
stevemarit seemed like oauth17:57
openstackgerritJorge Munoz proposed openstack/keystone: Use revocation events for lightweight tokens
openstackgerritJorge Munoz proposed openstack/keystone: Implement KLWT for v2.0 tokens
morganfainbergIt is like oauth-ish17:57
stevemari'm just not sure how much is gained by nova doing actions and getting tokens17:57
stevemaron the plus side, it should be mostly middleware changes :D17:58
morganfainbergIt is impractical unless we fix how we talk to services via other services. :(17:58
*** pdesai1 has joined #openstack-keystone17:59
dstaneklbragstad: you around still?18:00
ayoungstevemar, OAuth absolutely could be made to work, but it would be more invasive18:00
ayoungstevemar, image the scenario where Nova and CInder are managed and operated by different organizations.  Where a user wnated to make sure that no more resources were used than paid for, and the Nova admins were not implicitly trusted18:01
ayoungSo, while I can send a token to Nova to mount a Cinder Volume, the Cinder admin wants to know that *I* actually requested that18:02
*** pdesai has quit IRC18:02
ayoungIN an Oauth setup, I would first go to Cinder, get an Oauth delegation setup, and pass that delegation to Nova along with my request18:03
ayoungTOday, we don't make users do that.  Keystone is the sole source of delegation18:03
*** spandhe has joined #openstack-keystone18:03
stevemarlhcheng, first ever osc meeting in -meeting :D18:04
lhchengstevemar, nice! see you there :D18:05
*** Ctina has joined #openstack-keystone18:06
openstackgerritBen Nemec proposed openstack/oslo.policy: Add missing space to help message
*** afazekas has quit IRC18:16
dstanekdolphm: lbragstad: just yell at me if you think i'm being too picky on
*** browne has joined #openstack-keystone18:18
*** pnavarro__ has quit IRC18:24
stevemarbknudson, dstanek i figured you both would be interested in
dstanekwell i like the title!18:28
*** henrynash has joined #openstack-keystone18:32
*** ChanServ sets mode: +v henrynash18:32
*** MasterPiece has joined #openstack-keystone18:34
dstanekmorganfainberg: i only work late nights because these tests take so long to execute18:34
*** tqtran has joined #openstack-keystone18:35
ayoungmorganfainberg, so with accessinfo, I found a whole body of tests that were not going through the factory.  Once I started using them, I found a bunch more I had broken.   I'm now down to 25 not working..but date handling is going to be much better18:36
morganfainbergayoung: nice.18:36
ayoungSomething is going on with arg passing, as I now get these18:36
ayoungTypeError: factory() takes at most 5 arguments (75 given)18:36
ayoungsomething about a dictionary I am guessing18:37
morganfainberg75 given. Hah.18:37
ayoungmorganfainberg, what confuses me is I thought I hadn't changed the interface to the factory methof18:38
ayoung    def factory(cls, resp=None, body=None, region_name=None, auth_token=None,18:38
ayoung                **kwargs)18:38
ayoungbut it is called as18:38
ayoung self.auth_ref = access.AccessInfo.factory(*resp)18:38
dstanekwasn't there a review to get rid of the old XML testing stuff?18:44
*** grantbow has quit IRC18:44
*** grantbow has joined #openstack-keystone18:46
*** gyee has quit IRC18:48
*** arunkant_ has joined #openstack-keystone18:49
*** dims_ has joined #openstack-keystone18:51
*** dims_ has quit IRC18:53
*** dims_ has joined #openstack-keystone18:54
*** dims has quit IRC18:55
ayoungdstanek, I'm stumped.  see my comments just above yours18:58
ayoungI have not changed the method signature, nor the calling function18:59
ayoungbut somehow, I broke that18:59
dstanekayoung: was it always called with the *?18:59
ayoungdstanek, doing a git show --stat I see I have not changed the calling file19:01
lbragstaddstanek: responded inline
ayoung  File "keystoneclient/", line 508, in authenticate19:01
ayoung    self.auth_ref = access.AccessInfo.factory(*resp)19:01
*** tqtran_ has joined #openstack-keystone19:01
*** pdesai has joined #openstack-keystone19:01
ayoung[ayoung@ayoung530 python-keystoneclient (issued-at-rebased)]$ git show --stat | grep httpclient19:02
ayoungdstanek, maybe it is passed through from outside?19:02
dstanekis it possible that resp was a tuple of a tuple of 75 things? ((.....),)19:02
*** tqtran has quit IRC19:03
*** pdesai1 has quit IRC19:03
ayoungdstanek, maybe it comes from the data used in the test?19:04
ayoungdstanek, I can check...let's see19:04
dstaneklbragstad: haha, me too19:05
ayoungdstanek, I got it19:05
ayoungMy AccessInfo is no longer descended from the base on, and the following test changes19:06
dstaneklbragstad: if the user can configure user_id or group_id as empty string or None (i don't know if they can) then that code would be broken19:06
ayoungif isinstance(resp, access.AccessInfo):19:06
ayoung                self.auth_ref = resp19:06
ayoung            else:19:06
ayoung                self.auth_ref = access.AccessInfo.factory(*resp)19:06
ayoungOK..I'm good19:06
lbragstaddstanek: ah, yep19:07
samueldmqhenrynash, ping - have a question regarding driver_hints19:12
henrynashsamueldmq: shoot19:12
samueldmqhenrynash, is that an easy way to check if an arbitrary entity (a project, for instance) satisfy filters ?19:12
lbragstaddstanek: I can't seem to pass empty strings in for those values?19:12
samueldmqhenrynash, ok a bit of background ..19:12
samueldmqhenrynash, I have list_projects on ldap resource... it should return the filtered projects + the is domain project (which isnt stored in ldap, as the domain isnt)19:13
samueldmqhenrynash, so I filter and add the is domain project, *if* it satisfies provided filters ... makes sense?19:14
dstaneklbragstad: yeah, i may be being too pedantic here19:15
henrynashsamueldmq: and why does it matter whether the filter was satis fied or not…why don’t you just add it in as long as it satisfies the filter (which would would check BEFORE you call the ldap backend)19:16
henrynashsamueldmq: ahh, I suppos you’d have to apply the filter manually, duplicating the logic....19:16
samueldmqhenrynash, exactly19:17
*** MasterPiece has quit IRC19:17
dstaneklbragstad: am i calling it wrong?19:17
samueldmqhenrynash, look
henrynashsamueldmq: so the filtering IS duplicated anyway…the log is in the v3controller class….so you could refact or that and call that on your list of one, and if there is anything left in your list afterwards, you add it into the list taht is returned from teh backend driver19:18
samueldmqhenrynash, if is_domain filter is true, it's easy to do so ... but for other filters ... manually :/19:18
lbragstaddstanek: ahh, makes sense19:18
samueldmqhenrynash, I think this is dirty ... since the backend should honor filters it knows ...19:19
samueldmqhenrynash, and it would be possibly returning something that does not match the filters19:19
henrynashsamueldmq: it will…I’m not saying you take it out…but do something like19:19
henrynash1) before calling the backend, copy the hints object19:20
henrynash2) call the bacend and get the filtered list of real projects19:20
samueldmqhenrynash, yes because it removes the filters it honors19:20
henrynash3) now called v3controller.filter_by_attributes, pass iyour copued hints object and you own list of one fake project19:21
samueldmqhenrynash, this case is just for ldap, since we store the is_domain project in sql .... sql already returns everything ok19:21
henrynash4) if there is an item in tnelist after that, then add it to the response from teh backend and then pass back19:21
henrynashteh only issue is you DON’t want to call a controller class….you’d probably have to refactor the filter_by_attributes to put it somewhere it can be called by either place19:22
henrynasha bit yukky, i know19:22
samueldmqhenrynash, I could add the v3controller call here
dstanekayoung: getting closer!19:23
henrynashsamueldmq: sorry, just taking a call…19:24
samueldmqhenrynash, it would be still more yukky, but would keep backends behavior conssitent, since sql already works pretty well19:24
samueldmqhenrynash, ok np, already have the info I need, thanks !19:24
henrynashsamueldmq: not quite sure about putting it in the ldap code itself….19:25
*** himangi has quit IRC19:26
*** dhague has quit IRC19:28
lbragstaddstanek: figure out what you meant19:28
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens
*** raildo has quit IRC19:35
*** leonchio_ has joined #openstack-keystone19:39
*** raildo has joined #openstack-keystone19:40
leonchio_hello, guys, I have a patch some test cases failed at the gate and I tried to rerun it with 'recheck no bug' and it does not seem to it?19:42
leonchio_another thing from the failed cases is that it actually complains an import error, like19:43
leonchio_File "/opt/stack/new/keystone/keystone/common/ldap/", line 23, in <module>19:43
leonchio_2015-02-26 19:04:48.307236     import ldap.filter19:43
leonchio_2015-02-26 19:04:48.307261 ImportError: No module named ldap.filter19:43
leonchio_that should been a merged code, I'm not sure why it complains ldap.filter, anyone has any clues?19:44
*** pdesai has quit IRC19:44
samueldmqleonchio_, regarding jenkins ... I think ours is quite broken, it might be people from infra working on that19:45
samueldmqleonchio_, regarding the import error .... is that in the same patch?19:45
samueldmqleonchio_, doesnt look to be, since gate-keystone-python27 is passing19:45
leonchio_samueldmg, yeah, that's the same patch19:45
samueldmqleonchio_, ok, I will try to run the tests by myself, just a minute19:46
leonchio_samueldmg, thx for looking into it19:46
dolphmdstanek: did you have any unaddressed questions on key rotation?19:46
dolphmdstanek: wondering where i should put effort on that piece next19:47
dolphmdstanek: documentation, functional tests, or change the approach?19:47
morganfainbergsamueldmq, leonchio_ :
morganfainbergwhich is related to:
morganfainbergyou found it.19:48
dstanekdolphm: i think one or two questions...jas19:49
samueldmqmorganfainberg, this is imported from python right?19:49
morganfainbergsamueldmq, python-ldap19:49
samueldmqmorganfainberg, at least mines import from .tox/py27/../site-packages ...19:50
dolphmdstanek: i read through your comments from the last few patchsets, but didn't see anything left outstanding. what are they?19:50
samueldmqmorganfainberg, exactly, python-ldap then :)19:50
morganfainbergsamueldmq, not sure why you're hitting that and not hitting something else somewhere19:50
morganfainbergbut i've seen that before19:50
morganfainbergis this change not rebased?19:50
samueldmqmorganfainberg, is this affecting someone else?19:51
morganfainbergno i mean the ldap.filter bit19:51
samueldmqmorganfainberg, leonchio_ is getting this error19:51
morganfainbergdon't see why that is happening19:51
samueldmqmorganfainberg, me neither, looks like his .tox environment is broken19:51
morganfainbergexcept i'm seeing it in gate?19:51
dstanekdolphm: no it looks like you answered it...does that mean the first rotate is always broken?19:52
samueldmqmorganfainberg, hmm sure, your pastes from the gate ....19:52
dolphmdstanek: no, it'll just use key 0 as the primary19:52
dolphmdstanek: so, on setup, you'll just get a key 0, and that's your primary19:52
dstanekand then rotate 0 -> 1, but that won't actually rotate19:52
samueldmqmorganfainberg, maybe the gate is failing to install some dependencies on the venv ? jenkins look to be so broken, it's failing too much19:53
dstanekseems like the setup should generate 2 keys - one for current primary and one for next primary19:53
morganfainbergsamueldmq, unlikely19:53
dolphmdstanek: ahh, i see what you mean19:53
dolphmdstanek: i agree. simplest fix would be to add a rotate to KLWTSetup?
morganfainbergsamueldmq, because passed gate 1h ago19:54
leonchio_samueldmq morganfainberg I actually got this since last night :(19:55
morganfainbergleonchio_, so something in your patch is causing it19:55
dolphmdstanek: might also be worth rewriting it to always increment, never use 0 more than once, and always select the second key in the list as the primary (if there are at least two)19:55
morganfainberglikely there is an import error you're not seeing19:55
morganfainbergcausing something to be obscured19:55
morganfainbergremember unit tests don't test through apache19:55
morganfainbergleonchio_, once i've had coffee and food i can help dig into this and see what is going on19:56
leonchio_samueldmq morganfainberg, ok, that's great. since all the test passed on my local env19:56
*** kallebe has left #openstack-keystone19:56
morganfainbergleonchio_, you'd need to run devstack to find the issue. unit tests don't run keystone in the same way19:56
samueldmqleonchio_, k np, will try to dig a bit19:56
morganfainbergthis is why we do devstack + tempest :)19:57
leonchio_samueldmq morganfainberg ok, will try to run devstack and see :)19:57
*** justincampbell has joined #openstack-keystone19:57
dolphmdstanek: also, lbragstad wrote def _convert_to_integers(keystone_user_id, keystone_group_id) ... i don't quite understand whatthat's guarding against19:57
morganfainbergdolphm, non-string int represenations19:58
morganfainbergyou *probably* should never have that happen19:58
dolphmmorganfainberg: from where?19:58
dstanekdolphm: :
morganfainbergoh cli19:58
stevemarleonchio_, morganfainberg19:58
stevemar<leonchio_> samueldmq morganfainberg ok, will try to run devstack and see :)19:58
stevemar<dolphm> dstanek: also, lbragstad wrote def _convert_to_in19:58
morganfainbergcli opts don't work quite the same as conf opts19:58
dolphmmorganfainberg: well, they can come from CONF or CLI, but ... the ints are provided on L119 on the right
stevemarleonchio_, your error is coming from there19:59
morganfainbergstevemar, uhm.19:59
morganfainbergstevemar, yes. i was just pointing that out to him ;)19:59
dolphmmorganfainberg: L117*19:59
morganfainbergdolphm, oh does utils.get_unix_* not return an int19:59
dstanekdolphm: only is they are provided20:00
dolphmdstanek: they're either int or None, right?20:00
dstanekif you don't provide a command line opt then it's None and get_user_group will happily return None20:00
leonchio_stevemar morganfainberg, so he meant i have to run devstack, right, just tried to get ti right ;)20:00
dstanekdolphm: yes20:00
dolphmdstanek: so drop the _convert_to_ints() ?20:01
*** Ctina_ has joined #openstack-keystone20:01
dstanekdolphm: i think that was just the way to make sure the args are both provided - my original comment was the geteuid/gid where broken because of the possibility of a None value20:02
dolphmdstanek: i saw that. the 'or' should have been an 'and'20:02
dstanekdolphm: you could guard using 'if not keystone_user_id and keystone_group_id: raise ...20:02
dolphmdstanek: at least, i assumed that would be the fix20:02
dolphmnot (x and y)20:02
morganfainbergdolphm, ++20:03
*** himangi has joined #openstack-keystone20:03
dstanekdolphm: if the test fails you also want an error message to the user - you wouldn't want to just skip the permission modifications20:03
dolphmdstanek: ++20:03
dstanekoops, yes parens20:03
morganfainbergdolphm, slightly related: are we renaming klwt?20:03
morganfainbergdolphm, because i'd like to tee that up if we can.20:04
morganfainbergwe we are going to do that20:04
dolphmmorganfainberg: yeah, so i wrote a bunch of junk to explain each token in terms of the token's payload and transport format20:04
dolphmmorganfainberg: and we tend to name tokens after their transport format, not the payload20:05
dolphmmorganfainberg: so i'd propose we rename klwt (which is describing the payload: msgpack) to Fernet (the transport format)20:05
* morganfainberg is not opposed to that20:05
*** Ctina has quit IRC20:05
dolphmmorganfainberg: i also looked at refactoring the token providers into token payload providers + token format providers, where you could theoretically mix and match any payload with any containing format20:06
dolphmmorganfainberg: it's a non-kilo refactor to say the least :)20:06
*** Ctina_ has quit IRC20:06
dolphmmorganfainberg: but it would buy you msgpack + pki, for example20:06
dolphmwhich i think would make ayoung quite happy20:06
morganfainbergdolphm, figured. that was the direction i was mostly driving at with the cleanup of the provider..just taken 1 step further20:06
dolphmmorganfainberg: yeah, we're not quite there yet20:07
morganfainbergdolphm, yep20:07
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint
ayoungdolphm, sounds about right20:07
morganfainbergdolphm, so the question is ... are we renaming to fernet?20:07
dolphmmorganfainberg: i'll propose a rename patch in the next 24 hours or so, separate from the existing impl (not sure what other changes lbragstad is making)20:07
morganfainbergi think lbragstad is really close tbh20:07
dolphmmorganfainberg: ++20:07
morganfainberghe's working on the last couple comments from dstanek20:07
dolphmmorganfainberg: i have some work to do for dstanek too :)20:08
morganfainbergand i think all the other major comments have been addressed.20:08
* dolphm has to run - see ya'll in gerrit20:08
morganfainbergin short, i think this can gate soon™20:08
morganfainbergleonchio_, here20:09
morganfainbergleonchio_, line 23 on the right20:09
morganfainbergleonchio_, you're importing LDAP.20:09
*** nellysmitt has quit IRC20:09
morganfainbergleonchio_, ldap is not in requirements20:10
morganfainbergyou would need to either add ldap to requirements *or* install python-ldap directly20:10
morganfainbergleonchio_, ldap is optional20:10
morganfainbergand devstack doesn't install test-requires20:10
openstackgerritRodrigo Duarte proposed openstack/keystone: List projects filtering by is_domain flag
leonchio_morganfainberg optional means it is installed, so what I need to do to get it there?20:12
leonchio_morganfainberg it is not20:12
morganfainbergleonchio_, it needs to be in requirements.txt20:12
samueldmqmorganfainberg, nice catch! I looked into test-requirements .... but didnt realize devstack install requirements since it's deploying keystone and not running testrs internally :p20:13
morganfainberginstead of test-requirements.txt20:13
leonchio_morganfainberg, oh got it20:13
morganfainbergleonchio_, why are you importing LDAP btw?20:13
morganfainbergfor tokenless auth?20:13
samueldmqmorganfainberg, not instead I guess, but also :)20:13
leonchio_morganfainberg yeah, i need to do a url escaped to the DNs20:13
leonchio_morganfainberg the parser does not like the commas20:13
morganfainbergleonchio_, isn't this something we were planning on relying on apache to break apart cert stuff for us?20:14
morganfainbergvs. something that works in eventlet and apache ?20:14
morganfainbergi am 100% ok with eventlet not growing features like this btw.20:14
leonchio_morganfainberg yeah but we need to define the trusted issue (DNs) in keystone.conf20:14
leonchio_morganfainberg issuers20:15
*** himangi has quit IRC20:15
morganfainbergleonchio_, this again sounds like something that can be managed in apache modules20:15
morganfainbergvia CA bundles.20:15
leonchio_morganfainberg, like that's what needs to defined in keystone.conf trusted_issuers =
leonchio_morganfainberg, having commas there won't work as the paser will not take it20:16
morganfainbergthe option parser wont?20:17
morganfainbergthe issue is ListOpt is the wrong option type20:17
morganfainbergthis is a case where multistropt is correct20:18
morganfainbergfor each trusted issuer you would have another line in your config20:18
morganfainbergputting massive url-encoded strings in the conf will make deployers scream at us.20:19
morganfainbergor requiring it20:19
ayoungleonchio_, what are you trying to do here?20:20
* ayoung interested...20:21
ayoungmorganfainberg, would that be a domain specific config file?20:21
leonchio_morganfainberg ayoung, we try to define a list of trusted issuers(DNs) in keystone.conf like issuers=[cn=a,o=foo]20:21
ayounglike:  this domain can accept users with certs from that issuer over there?20:21
leonchio_morganfainberg ayoung however the comma there causes the issue as it is a list20:22
morganfainbergayoung, the whole extract info from a cert and use that to issue a token20:22
morganfainbergtype thing20:22
*** aix has quit IRC20:22
morganfainbergor to validate a token (more to the point)20:22
leonchio_morganfainberg ayoung but the DN is seperated by coma20:22
ayoungmorganfainberg, it is a mapping question, right?20:22
morganfainbergayoung, well right now it's an issue where they are using a ListOpt, and listopts use comma dilmeters20:22
morganfainbergbecause what is cn=a,o=foo20:23
leonchio_morganfainberg ayoung so all the coma in the DN is all url escaped in this case20:23
ayoungleonchio_, morganfainberg, this is specifically to authenticate users, right?20:23
morganfainbergayoung, think so. i lost track of this spec tbh20:23
leonchio_morganfainberg ayoung yesh, that's right20:23
morganfainbergthis is the service user auths w/ a cert iirc20:23
ayoungleonchio_, have you been drinking :)20:23
morganfainbergayoung, but asking a deployer to put url-encoded strings in configs = don't do that20:24
ayoungleonchio_,'s a thought.  Only allow one, but do it on a per domain basis20:24
leonchio_morganfainberg ayoung drinking?!20:24
morganfainbergleonchio_, ^20:24
ayoungthen we could have a domain specific config file that has that trusted issuer in there?20:24
morganfainbergthat would break i think because you need to specify drivers then for the domain config20:24
ayoungyesh,, driningsh20:24
morganfainbergthis should work for non-domain-specific as well20:24
morganfainbergas in service users are just in domain X which is part of SQL driver20:25
morganfainbergsince you can only have 1 SQL driver across keystone for all domains20:25
ayoungmorganfainberg, should be per domain.20:25
ayoungI would not want multiple signers for one domain20:25
*** pdesai has joined #openstack-keystone20:25
morganfainbergayoung, we'd need to delay this into liberty for that, there are other issues to make that work20:25
morganfainbergayoung, and i don't mind delaying it, but take that up with gyee before we do that20:26
ayoungmorganfainberg, if we don't allow a list, though, this can make in to Liberia, right?20:26
ayoungleonchio_, do you *really* need multiple signers?20:26
leonchio_morganfainberg ayoung basically apache configurations allow trusted CA to be specified, but what we do here is just a second level of trust20:27
morganfainbergayoung, this can all make it into liberty regardless, we can work on other structural changes to make everything happy20:27
ayoungleonchio_, I get it20:27
*** himangi has joined #openstack-keystone20:27
morganfainbergayoung, if it's trying to make it in Kilo we are limited in what we can support20:27
leonchio_morganfainberg ayoung no, it doesn't have to be multiple20:27
ayoungmorganfainberg, I meant Kilo20:27
ayounglets go with one20:27
morganfainbergthen if it's a single opt (stropt) we can say you get 1 signer20:28
ayoungand an eye to figuring out, in Listering how to do one per domain20:28
ayoungsorry. that should read Listerine20:28
morganfainbergleonchio_, so no url encoded options please... don't make me explain that one to anyone using this software ;)20:28
leonchio_morganfainberg ayoung ok, sure we can just allow one but we thought supporting multiple would be a better options ;-)20:28
morganfainbergleonchio_, and use stropt.20:28
morganfainbergleonchio_, and only allow 1.20:29
leonchio_morganfainberg ayoung, ok you got20:29
leonchio_morganfainberg ayoung it20:29
morganfainbergleonchio_, make sure to mark this feature in documentation as experimental20:29
leonchio_morganfainberg ayoung will do it20:29
ayoungleonchio_, not for one domain.  The HTTPD server should allow multiple, but we should map singer->domain.  richm nkinder make sense20:29
morganfainbergayoung, that was my impression20:29
ayoungI like this.  leonchio_ this is very cool20:30
ayoungthanks for doing20:30
leonchio_morganfainberg ayoung cool, no problem20:30
morganfainbergayoung, if you don't use per-domain backends you'll get 1 signer for all non-per-domain-driver domain20:30
morganfainbergayoung, and that is where mapping should reject if there is no good way to map cert -> user in a sane way20:31
morganfainbergayoung, i get the feeling this wont be super useful until we get the liberty changes in20:31
morganfainbergbut it is an interesting direction for supporting service users20:31
ayoungmorganfainberg, we need it for service users first, which means default domain20:31
morganfainbergayoung. yeah20:31
ayoungmorganfainberg, it will make Banks and SOX type people happy20:32
ayoungno passwords for Nova to talk to keystone20:32
*** sigmavirus24 is now known as sigmavirus24_awa20:32
morganfainbergayoung, oh exactly. i am just thinking it wont be super useful till we get liberty stuff. because service users shouldn't be ind efault domain ;)20:33
morganfainbergayoung, they should be able to be in a service domain :)20:33
morganfainbergayoung, it will def. fill a gap until then. and then become wwaaaaaaaaay better next cycle20:33
*** himangi has quit IRC20:33
samueldmqmorganfainberg, hmm... just curious, domain service implies no password required for services?20:36
morganfainbergright you can use a client cert for nova to validate tokens with keystone20:36
samueldmqmorganfainberg, so keystone use the nova cert to validate who 'nova' says to be is what we expect20:37
samueldmqmorganfainberg, as in normal ssl workflow ...20:37
morganfainbergayoung. dolphm, dstanek, lbragstad: about to press go on that and potentially press "point release" on ksc20:37
morganfainbergayoung, dolphm, dstanek, lbragstad, that corrects the erroneous behavor that happens with say RAX cloud catalog20:37
morganfainbergwhere service "compute" is defined 2 times, with wildly different values20:37
morganfainbergnow... i can't comprehend what should be done when "compute" != "compute" [the are different services]20:38
samueldmqmorganfainberg, great! I did wonder why services can't just trust themselves and no passwd :)20:38
morganfainbergbut that prevents novaclient et al from exploding20:38
morganfainbergbecause endpoints aren't found since we only ever allow the last entry in the catalog20:38
morganfainbergthis all stems from us not being more picky about the catalog.20:39
*** himangi has joined #openstack-keystone20:40
*** jorge_munoz has quit IRC20:46
ayoungleonchio_, morganfainberg, this could still work with any domain, right?20:49
ayoungjust we are limiting it to a single signer, but saying that the domain id comes from the ENV VARs  is still possible20:49
morganfainbergbut to use a specific domain config you'd need that domain backed by something like LDAP or not be the default driver and be sql.20:50
morganfainbergwhere the default driver isn't sql20:50
morganfainbergso it's not as useful.20:50
leonchio_morganfainberg ayoung yeah, I think so20:51
ayoungmorganfainberg, the setup I saw yseterday (Puppetized) had and admin_domain specified, which was other than default.  I am not sure where service users were going, but assume it was also not the default domain20:51
ayoungso in that case, you would reserve the X509 mechanism for service domain20:52
morganfainbergayoung, so this would only work if that domain was backed by a per-domain config [if only that x509 would work in that domain] - OR it would apply to all domains provided mapping allowed it20:52
morganfainbergayoung, which is what i was getting at for the liberty fixes.20:52
ayoungleonchio_, if you can get it to work with the multistropt  I would have no objection20:52
morganfainbergthe latter case would be if it's in the main config20:52
leonchio_morganfainberg ayoung multistropt? not sure i understand that20:53
ayoungleonchio_, in config definition20:53
ayoungleonchio_, I'll link let me find it20:53
morganfainbergleonchio_ multistropt is where you define the option in the config file multiple times, and it makes a list out of them20:53
morganfainbergleonchio_, it's a different oslo config cfg opt type20:54
morganfainbergjust like listopt is a type20:54
leonchio_morganfainberg ayoung ok i got it, I've not tested that20:54
ayoungmorganfainberg, we have any examples?20:54
morganfainbergayoung, in the dogpile/kvs/cache stuff20:54
ayoungdamn beaten to the punch20:55
morganfainbergayoung, also the WebSSO stuff20:56
leonchio_ayoung morganfainberg great, will look at that20:56
morganfainbergok i need coffee badly20:57
morganfainbergKeystone Developer Needs Coffee Badly </gauntlet>20:57
*** morganfainberg is now known as needscoffee20:57
leonchio_morganfainberg, you got philz there?! i will need it too ;-)20:58
needscoffeeleonchio_, in santa monica20:58
needscoffeebut thats a 45m-2h drive depending on traffic20:58
needscoffeei have Urth Caffe20:58
needscoffeeand Inteligentsia20:58
leonchio_haha, we got one 10mins away20:58
needscoffeeleonchio_, Bowl of coffee20:59
needscoffeethis is a better picture of the general size:
samueldmqstevemar, ping - have question about notifications :p21:00
leonchio_needscoffee ++21:01
*** rushiagr is now known as rushiagr_away21:06
stevemarsamueldmq, o/21:10
samueldmqstevemar, I'd like to ask if notifications are sent when we enter a method .. independently if the method has failed or not21:11
samueldmqstevemar, it looks like yes21:11
stevemarsamueldmq, depends on the notification, for authentication yes, for CRUD on resources, no21:12
*** henrynash has quit IRC21:14
*** henrynash has joined #openstack-keystone21:15
*** ChanServ sets mode: +v henrynash21:15
samueldmqstevemar, ok I'll check for resource CRUD, I think it send even if failed ....21:16
samueldmqstevemar, going to check ..21:16
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose stuff used in Neutron as part of public API
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose register and Check as part of public API
needscoffeestevemar: a couple open oslo.policy changes we need to land before tag.21:21
stevemarneedscoffee, noooo21:22
stevemarsamueldmq, nah
needscoffeeYep. Neutron can't adopt without some extra symbols exposed.21:22
stevemarneedscoffee, thats fine, we deliberately made a lot things private21:23
stevemarso we can resurface as we need21:23
needscoffeeYes. I think register and the base check is all that is needed.21:23
needscoffeeSee the notice a few lines up?21:23
samueldmqstevemar, naaah, I tested it by myself as well ...21:23
samueldmqstevemar, I said bull****21:23
samueldmqstevemar, thx21:23
stevemarmarekd, do you think we should always make the token -> saml generation code have the ECP bits?21:24
stevemari think this will help consume it21:24
openstackgerritMerged openstack/oslo.policy: Add missing space to help message
stevemarmarekd, gyee, needscoffee
openstackLaunchpad bug 1426128 in Keystone "Add ECP related bits to saml generation code" [Undecided,New]21:28
*** pdesai has quit IRC21:36
*** abhirc has joined #openstack-keystone21:37
*** abhirc has quit IRC21:45
*** pdesai has joined #openstack-keystone21:50
*** markvoelker has quit IRC21:51
*** markvoelker has joined #openstack-keystone21:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Honor domain operations in project table
*** radez is now known as radez_g0n321:54
stevemarayoung, q about revoke_api21:54
*** justincampbell has quit IRC21:54
ayoungfire away21:54
stevemarwhats up with all the if self.revoke_api: spots in the code?21:54
stevemari thought it was _always_ ther21:55
ayoungIt used to be an extension, optional depedency21:55
stevemarokay, that's what i had figured... theres one spot where it sets it to None21:55
ayoungso,  nope.  THe object might not have a revoke_api attribute21:55
stevemarin a test21:56
*** markvoelker has quit IRC21:56
*** markvoelker has joined #openstack-keystone21:57
*** karimb has joined #openstack-keystone21:58
ayoungGAH...  everything expects things to be dictsm, not to act like dicts...  whatever happend to the python fascination with duck typing?  JSON marshalling code failing on me22:03
*** gordc has quit IRC22:04
ayoungstevemar, yeah, that is due to the fact that enabling extensions was done via paste and not config, no clean way to overload22:05
*** rwsu has quit IRC22:06
needscoffeeayoung: let's rewrite OpenStack in c++. Or Rust. Or Java! ;)22:06
stevemardolphm, regarding your comment here:
stevemari will remove the oauth conditional in that patch22:07
stevemarbut i'll have to put a new one up for revoke_apis, it might need a bit more massaging22:07
ayoungneedscoffee, don't say that too loud.  THere is always someone that loves some other language more.22:08
ayoungneedscoffee, I thought you could marshall any python object to JSON, though22:08
openstackgerritSteve Martinelli proposed openstack/keystone: Use correct dependency decorator
needscoffeeayoung: you can if you have code that knows how that object is designed. :P22:08
*** jsavak has quit IRC22:10
needscoffeebknudson: or use a thing like oslo objects or protobuf22:10
*** henrynash has quit IRC22:10
*** henrynash has joined #openstack-keystone22:11
*** ChanServ sets mode: +v henrynash22:11
marekdstevemar: if we dont use ecp we will need to make ksc pretend it's a browser.22:11
needscoffeemarekd: I don't know if ksc should ever pretend that.22:12
*** needscoffee is now known as needsmostcoffee22:12
*** spandhe has quit IRC22:13
marekdneedsmostcoffee: yeah.22:13
ayoungdo we only ever marshall dicts to JSON in the server?22:13
*** needsmostcoffee is now known as morganfainberg22:13
*** stevemar is now known as thinksmorganneed22:13
thinksmorganneedgah! character limit22:13
*** abhirc has joined #openstack-keystone22:13
marekdneedsmostcoffee: it's a matter of long term vision. We can now wrap it with ECP.22:13
*** thinksmorganneed is now known as stevemar22:13
ayounghmmm argument for doing a named tuple....22:14
morganfainbergayoung: named tuples are cool22:14
openstackgerritSteve Martinelli proposed openstack/keystone: Remove conditionals that check for revoke_api
stevemarayoung, ^22:15
*** jorge_munoz has joined #openstack-keystone22:17
ayoungcan named tuples have constructors?22:18
openstackgerritSteve Martinelli proposed openstack/keystone: Add minimum release support notes for federation
morganfainbergayoung: you mean overloaded constructors? Not sure.22:19
*** samueldmq is now known as samueldmq-away22:20
*** pdesai has quit IRC22:21
ayoungyeah, that is not going to work22:21
ayoungthey don't act like dictionaries, which is what I really need22:21
*** pdesai has joined #openstack-keystone22:22
morganfainbergok so they aren't dicts, but it's not hard to make them act like one. thats just __getitem__, __setitem__, keys, values, iteritmes, iterkeys, itervalues and possibly __iter__22:22
morganfainbergdepending on your needs22:22
morganfainbergmost of the time the iters and __getitem__ are enough for most applications.22:23
marekdmorganfainberg: stevemar: what happens if i authenticate myself with password and specify user id, name and domain ?22:23
morganfainbergbut i prefer the tuple.<attr_name> method of access.22:23
morganfainbergmarekd, user id *and* user name?22:23
stevemaroh in general?22:24
stevemarthats a good question22:24
morganfainbergi think we prefer user id to name.22:24
stevemarmorganfainberg, but what if both are there22:24
stevemardoes it error out?22:24
morganfainbergiirc we take id.22:24
morganfainbergbut it might barf.22:24
ayoungmorganfainberg, can you add that to a tuple?>22:24
morganfainbergat one point it barfed.22:24
marekdmorganfainberg: yes, AND22:24
stevemarmarekd, ha, no one knows22:24
morganfainbergayoung, you'd need to subclass tuple or use a metaclass.22:24
marekdi think it takes id22:24
morganfainbergayoung, but youcan.22:24
stevemari say take id first22:24
ayoungmorganfainberg, Its not what I prefer, it is what I have to make work on the client22:24
stevemarit's always the same bet22:25
marekdand i think i was checking it.22:25
ayoungthe logic is in the authenticate function of the identity driver22:25
ayoungno, wait, that takes user_id22:26
ayoungmust be in the controller22:26
morganfainbergwe prefer username to id22:27
openstackgerritSteve Martinelli proposed openstack/keystone: Add in non-decorator notifiers
openstackgerritSteve Martinelli proposed openstack/keystone: Get initiator from manager and send to controller
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for trusts
marekdmorganfainberg: stevemar lol, user_name has higher prio.22:27
stevemaroh gosh22:27
stevemarwe don't check user_id in the backend, try/except, then try user_name?22:28
* stevemar gives up22:28
morganfainbergstevemar, we try username if it exists else we try id. if you supply a username and it's bad we don't fall back22:28
morganfainbergthis is relatively sane, but we should document that22:28
stevemari suppose it's fine22:29
stevemari'm tired and being dramatic22:29
morganfainbergi'm releaseing a new KSC unless there is a reason not to22:29
morganfainbergto fix that lovely catalog thing22:29
stevemardo it22:29
morganfainbergas soon as merges22:29
marekdmorganfainberg: so, in my patch for direct user mapping i was not erroring when effective user had specified id and name/domain. i was simply taking id first.22:30
*** rwsu has joined #openstack-keystone22:30
marekdgyee pointed out that we should err such case.22:30
morganfainbergmarekd, ah.22:30
*** jorge_munoz has quit IRC22:30
morganfainbergmarekd, either raise an execption or make it consistent with the current api22:30
morganfainbergdo not prefer id over name.22:30
morganfainbergi have a slight preference that we error if both are passed... but not enough to say it makes a ton of sense.22:31
marekdmorganfainberg: lol, i just realized i can make gyee happy with 0-lines of change...22:31
morganfainbergmarekd, then awesome!22:31
marekdmapping engine will accept id and name/domain but it will pass that to UserAuthInfo22:32
marekdthat does that normalization.22:32
*** samueldmq_ has joined #openstack-keystone22:33
openstackgerritMarek Denis proposed openstack/keystone: Make RuleProcessor._UserType class public
openstackgerritMarek Denis proposed openstack/keystone: Move UserAuthInfo to a separate file
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow
*** samueldmq_ is now known as samueldmq22:38
*** gyee has joined #openstack-keystone22:38
*** ChanServ sets mode: +v gyee22:38
*** gyee has quit IRC22:40
*** jaosorior has quit IRC22:42
* morganfainberg glares at tempest...22:42
*** gyee has joined #openstack-keystone22:42
*** ChanServ sets mode: +v gyee22:42
*** rodrigods is now known as rodrigod`22:42
mtreinishmorganfainberg: anything I can help with?22:42
*** rodrigod` is now known as rodrigods22:43
morganfainbergmtreinish, nope. just one job is slower than i want it to be.. cause i need to do a release ;)22:43
morganfainbergmtreinish, nothing *anyone* can do about it.22:43
mtreinishmorganfainberg: heh, ok :)22:44
morganfainbergmtreinish, :) i'd come bug you in -qa if there was a real issue :)22:44
morganfainbergmtreinish, thanks for checking in though! :)22:44
*** henrynash has quit IRC22:44
morganfainbergthat makes me count 4 PTLs in this channel, ^_^22:45
*** rodrigods is now known as rodrigod`22:51
*** raildo_ has joined #openstack-keystone22:51
*** rodrigod` is now known as rodrigods22:51
morganfainbergwell at least success: 2629.0000 sec but wow.22:52
openstackgerritMerged openstack/python-keystoneclient: Allow handling multiple service_types
morganfainbergyay! ^^22:52
openstackLaunchpad bug 1377080 in Keystone "Stale endpoint selection logic in keystone client" [Medium,Triaged]22:53
morganfainbergbreton sorry we couldn't find it.22:53
morganfainbergbreton, we looked last night :(22:53
marekdgyee: re
morganfainbergand yes it was re-evaluated as not invalid22:54
morganfainbergbreton, LPs search... lets just say is awful22:54
bretonwell, I'm not the author of that patch, but I remember amakarov being angry that no one saw the bug :)22:56
morganfainberghopefully storyboard can help.22:56
morganfainbergit's hard to find things in LP22:56
morganfainbergi know both jamielennox and i looked for the bug22:56
stevemarmarekd, whats up with
marekdstevemar: held it off for a sec as dstanek wants more tests.22:57
marekdalso gyee had an issue with setup_username()22:58
marekdlet me check one thing.22:58
marekdi will un-wip it22:58
gyeemarekd, k, looking22:58
jamielennoxbreton: apologise to amakarov_away for me, i had said no to his fix and then got pressured into it and couldn't find the bug to link it against22:59
marekdgyee: in both federated and standard token user object has: id, name, domain23:00
bretonjamielennox: I guess he'll read the logs :)23:00
gyeemarekd, my only concern there is the notion of multiple usernames yield by the mapping23:00
morganfainbergjamielennox, just pushed 1.2.023:00
morganfainbergjamielennox, sending an email in a minute announcing it.23:00
gyeeuser yield mapping should be unambiguous23:00
dstanekmarekd: ah, i had to read my comments in that review to know what you were talking about :-)23:00
gyeeyield by mapping23:01
marekdgyee: so, it's logged, and only first one is used.23:01
morganfainbergbreton, yeah sorry about that if we had found it we would have used his bug/fix.23:01
marekdgyee: i am talking setup_username() now.23:01
gyeeif we ended up with multiple, that means we have a potential security incident23:01
morganfainbergcc amakarov_away ^^23:01
gyeemarekd, other than that, I don't have any major concerns23:02
marekdgyee: can you point me file and line which bugs you now?23:02
marekdgyee: i think you were talking about mapped.setup_username()23:02
*** ncoghlan has joined #openstack-keystone23:02
marekdgyee: line 190
*** spandhe has joined #openstack-keystone23:03
gyeemarekd, hangon23:03
gyeeline 44423:04
gyeewe should raise an error instead of merely logging it23:04
marekdgyee: ok, but this is not the part of this patch. This is here since day 0 when mapping was merged ~1 year ago.23:05
marekdso i'd say: improvement or bug?23:05
gyeemarekd, that's fine if you want a follow-on patch23:05
gyeelets fix it before someone file an OSSN :)23:06
marekdgyee: we can solve it but imho this is independent change.23:07
marekdanyway, you also had comments here: line 20423:07
gyeemarekd, I think we should stay away from name=id assignment magic23:08
gyeewhen it comes to identity, it has to be unambiguous23:08
stevemargyee, that was done initially because user_id is required in auth_context23:08
gyeestevemar, understood23:09
stevemarand in a mapping, a name is all that could be given23:09
stevemarfor an ephemeral user, its good enough23:09
marekdabout both id and name set.23:09
marekdgyee: (ok,for the followup patch)23:09
*** bknudson has quit IRC23:09
gyeestevemar, whatever it is, it has to be precisely the product of mapping23:09
marekdgyee: for ephemeral users we can take name/domain only from mapping.23:09
gyeenot some magic in the code23:10
marekdand both standard and fed tokens put id, name, domain of the user.23:10
gyeemarekd, right, everything should be directly yield by mapping23:11
gyeemuch easier to audit the mapping23:11
marekdso, we need to cover two cases for ephemeral users: id, name domain are set (do nothing)23:12
marekdand: name set (federated domain auto-added) -> user_id make of user_name ?23:13
marekdfor the record the latter case is what we need to be backward compatible.23:13
morganfainbergKSC 1.2.0 should be out now in the wild23:13
gyeeideally we shouldn't need to fill anything in23:13
gyeeif you want to map ephemeral user to the 'Federated' domain, express that in the mapping23:14
marekdgyee: i cannot, because until now, ephemeral users are not in domains.23:14
marekdso nobody was specifying this.23:14
marekdwe also couldn't directly map users, so users were by definition ephemeral.23:14
gyeemarekd, understood, that's why I said "ideally" :)23:15
gyeeideal != reality23:16
gyeemarekd, I need to step out a bit, if you amend the patch, I'll review them after I come back23:17
marekdgyee: i will23:17
gyeethank you  sir23:18
* jogo likes the play ayoung wrote
*** mattfarina has quit IRC23:18
*** stevemar has quit IRC23:19
morganfainbergayoung, EXIT (Stage Left)23:19
* jogo found a typo "Keystoen knows this immediately"23:21
dstanekjogo: it didn't go through code review :-)23:22
*** pdesai1 has joined #openstack-keystone23:30
*** flaviof has quit IRC23:31
*** pdesai has quit IRC23:33
*** ljfisher has quit IRC23:39
*** browne has quit IRC23:41
*** browne has joined #openstack-keystone23:42
*** spandhe has quit IRC23:44
morganfainbergwhy is that failing?23:45
openstackgerritSteve Martinelli proposed openstack/keystone: Use correct dependency decorator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove conditionals that check for revoke_api
openstackgerritSteve Martinelli proposed openstack/keystone: Avoid multiple instances for a provider
*** spandhe has joined #openstack-keystone23:49
*** EmilienM is now known as EmilienM|afk23:49
openstackgerritSteve Martinelli proposed openstack/keystone: Remove conditional check (and test) for oauth_api
morganfainberg./keystone/token/providers/klwt/ H701  Empty localization string23:52
morganfainberg        LOG.error(_LE(msg))23:52
*** chlong has joined #openstack-keystone23:53
*** csoukup has quit IRC23:53
*** himangi has quit IRC23:54
*** dims_ has quit IRC23:55
openstackgerritMorgan Fainberg proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)
morganfainberglbragstad, ^^ pep8 fix (cc dolphm)23:55
*** henrynash has joined #openstack-keystone23:55
*** ChanServ sets mode: +v henrynash23:55
*** browne has quit IRC23:56
*** browne has joined #openstack-keystone23:57
openstackgerrithenry-nash proposed openstack/keystone: Refactor and provide scaffolding for domain specific loading
jamielennoxayoung: Manny's head came out of that meeting throbbing i expect :)23:58
*** pdesai1 has quit IRC23:58

Generated by 2.14.0 by Marius Gedminas - find it at!