Thursday, 2015-03-05

00:01 *** joesavak has joined #openstack-keystone
00:02 *** samueldmq_ has quit IRC
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Crosslink to other sites that are owned by Keystone
00:07 *** markvoelker has quit IRC
00:15 *** jorge_munoz has quit IRC
00:15 *** r-daneel has quit IRC
00:16 *** thedodd has quit IRC
00:19 <jamielennox> how is tokenless auth going to work with X-Service-Token?
00:20 <jamielennox> gyee: ^
00:20 <jamielennox> Sam Leong: ^ (what's his nick?)
00:21 <gyee> jamielennox, you mean dual token approach?
00:22 <gyee> tokenless is not designed for that use case
00:22 <jamielennox> gyee: right, swift and others now are using a service-token to identify where the request came from
00:23 <gyee> service-token is very specific
00:23 <jamielennox> gyee: i assume it's largely designed for auth_token middleware though?
00:23 <gyee> afaik, they are for glance to swift interaction where the account is jointly owned
00:24 <gyee> jamielennox, right, for services talking to keystone
00:24 <jamielennox> gyee: ok, i just know that there are other services looking to adopt the X-Service-Token approach and we've talked about doing policy on X-Service-Token
00:24 <gyee> but the joined ownership is a very specific use case
00:25 <jamielennox> if it's not going to work in all situations that's fine
00:25 <jamielennox> gyee: kind of
00:25 <jamielennox> gyee: specific cases, but the tokens are sent always
<jamielennox> gyee: also;
00:26 <jamielennox> if it won't work in all situations that's fine - and what i assumed, was just wondering if you'd thought about it
00:27 <gyee> I have
00:27 <gyee> but I can't think of other use cases for X-Service-Token
00:33 <gyee> wth? we always going to send service token?
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Update developer docs landing page
00:35 <gyee> jamielennox, I think it should be optional instead of always sending it
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Crosslink to other sites that are owned by Keystone
00:38 <jamielennox> gyee: that was the plan
00:39 <kfox1111> ok. just updated my cloud to have public stuff on a public ip and private stuff on a private network. compute nodes have no access to public ip's.
00:39 <gyee> jamielennox, but the code doesn't seem to reflect that
00:39 <kfox1111> mostly just works. but cinder attachments are not working.
00:39 <jamielennox> gyee: we discussed going this way at a previous summit
00:39 <kfox1111> the compute node's trying to access the public api. any way to force it?
00:39 *** stevemar has quit IRC
00:39 <jamielennox> gyee: what i want to do for example is remove the need for the user that nova talks to neutron with to need admin rights
00:40 <jamielennox> gyee: there are commands that are not supposed to be called by a user, they are for service to service use but on behalf of a user
00:40 <jamielennox> gyee: i want to be able to write policy files that say this user called this command - but it came via nova and so it's ok
00:40 <jamielennox> not: is_admin
00:40 <gyee> jamielennox, but isn't that what OAUTH is for?
00:40 <jamielennox> gyee: not afaik
00:40 <jamielennox> it's not a permission that the user has that it can delegate
00:41 <jamielennox> it's a combination thing
00:41 <jamielennox> this service is allowed to perform this operation, but only on behalf of this user
00:41 <jamielennox> probably user=owner
00:41 *** devlaps has quit IRC
00:42 <gyee> I thought x-service-token is designed for joined ownership, not for delegation
00:42 <gyee> neither party owns it outright, access must be done in a joined manner
00:42 <jamielennox> gyee: it's not delegation
00:42 <jamielennox> that's not delegation
00:42 <kfox1111> cinder_catalog_info='volume:cinder:internalURL' looks like it might do the trick...
00:43 <jamielennox> so barbican is going to need similar things
00:43 *** david-lyle has quit IRC
00:43 <gyee> jamielennox, I thought the only use case is glance uses swift backend
00:43 <gyee> no, barbican is going with ACL model right?
00:43 <jamielennox> gyee: they will have the same problem
00:43 <gyee> at least that's what I heard
00:44 <jamielennox> gyee: volume encryption keys will be glance/user
00:44 <jamielennox> they are doing a per-secret ACL, i don't know yet how they will configure it
00:44 <gyee> you mean like split key encryption?
00:45 <jamielennox> gyee: regarding ACL or volume encryption?
00:45 <jamielennox> gyee: i don't think split key for either
00:45 <gyee> for volume encryption
00:45 <jamielennox> gyee: i just mean that the key should only be accessed by user and glance, not glance alone, and probably not user alone
00:46 <jamielennox> though user is probably ok for that
00:46 <gyee> ok, I need to check with them, I am now aware of the dual ownership model in Barbican
00:47 <jamielennox> gyee: another thing i want it to do is make binding work
00:47 <jamielennox> gyee: if you always submit an X-Service-Token then we can enforce binding only on that and all of a sudden it's feasible
00:48 <gyee> interesting angle
00:49 <gyee> so we bind a user token to a service?
00:50 <jamielennox> gyee: no, not token to token
00:50 <jamielennox> so binding doesn't work because services reuse the user token
00:51 <jamielennox> If X-Service-Token is set then this is the service from which the current request originated
00:51 <jamielennox> so the binding on that token should be valid
00:51 <jamielennox> If X-Service-Token is not set then this request came from a user and the binding on X-Auth-Token should be valid
00:52 <jamielennox> then it's up to policy to determine what the combination of X-Auth-Token and X-Service-Token can do once that is validated
00:52 <jamielennox> as assumedly the binding on X-Auth-Token was validated by the service that received the first user request
00:53 <gyee> makes sense
00:54 <gyee> but always sending service token seems overkill
00:54 <gyee> it should be optional
00:57 <jamielennox> gyee: sure, if get_token() returns None it just won't include it
00:57 <jamielennox> or that's the plan anyway
00:57 <jamielennox> assumedly the X509 plugin would not set an X-Auth-Token
00:57 *** joesavak has quit IRC
00:58 <gyee> or a no-op plugin :)
00:58 <jamielennox> gyee: but i want in future an X509 auth that actually gets a token
01:00 <gyee> jamielennox, yes, it will work with the existing mapped auth plugin
01:00 <gyee> x509 works just like federation
01:00 <jamielennox> gyee: yep
01:00 <gyee> attributes come in from the request env, and we just need to set a mapping for it
01:01 <jamielennox> gyee: we should probably try and make kerberos work that way as well?
01:01 <gyee> oh absolutely
01:01 <gyee> it is designed to be generic
01:01 <gyee> and remote_user
01:01 <bknudson> and HTTP basic auth
01:01 <jamielennox> and keystone auth
01:01 <gyee> basically anything that can be validated by apache mods
01:02 <gyee> lots of possibilities
01:03 <jamielennox> bknudson, gyee: so do you have any thoughts on the best way to make auth_token middleware accept regular options and other conf files?
01:03 *** henrynash has quit IRC
01:03 <jamielennox> i thought i could make a subclass that took every option as a kwarg and then had a load_from_conf that converted it
01:03 <jamielennox> it's kinda ugly, and at least regarding plugins it doesn't get us anything
01:04 <bknudson> jamielennox: what do you mean?
01:04 <bknudson> an auth_token middleware that takes options as arguments?
01:05 <jamielennox> bknudson: right so extract a subclass of AuthProtocol which i'd called AuthToken
01:05 <jamielennox> AuthToken knows nothing about CONF, it just takes kwargs
01:05 <bknudson> then AuthProtocol reads its conf and creates AuthToken using the options?
01:06 <jamielennox> we could do AuthToken.load_from_conf that converted all those options to kwargs or something similar
01:06 <bknudson> I don't think a subclass is needed?
01:06 <jamielennox> bknudson: well AuthProtocol.__init__ is a public method
01:06 <jamielennox> and people do use it
01:07 <jamielennox> the cases i know we need to solve are:
01:07 <jamielennox> - swift, which doesn't use oslo.config and will load it all via paste
01:07 <jamielennox> - zaqar, which uses oslo.config, but not the global one so needs to pass it in
01:08 <jamielennox> - sahara, and other new ones that don't use paste
01:08 <bknudson> you can already pass in app and conf to AuthProtocol.
01:08 <gyee> make them pass the conf object in from the req env
01:08 <jamielennox> - and at least one i've seen (and don't remember) that specifies the options manually
01:08 *** markvoelker has joined #openstack-keystone
01:08 <gyee> like the log object
01:08 <gyee> that's how Swift prefers to do it anyway
01:09 *** kfox1111 has quit IRC
01:09 <gyee> that way, they can use oslo.conf or some_3rd_party.conf
01:09 <jamielennox> sure, so swift uses paste
01:10 <jamielennox> and we've covered a bunch of that already, i was just laying out the cases to see how they can fit together
01:10 <jamielennox> ie not have to duplicate everything between a load_from_conf and a load_from_kwargs and load_from_conf_and_overrides
01:10 <gyee> first look for conf object in the env, then global conf, then local conf
01:11 <jamielennox> gyee: swift has neither
01:11 <gyee> then they'll have to pass a conf object
01:11 <jamielennox> gyee: swift does not have a dependency on oslo.config
01:12 <jamielennox> (it kinda does because it depends on auth_token - but directly)
01:12 <bknudson> I was just going to say auth_token has a dependency on oslo.config.
01:12 <gyee> so they'll get it for free
01:13 <bknudson> so why can't they pass in a conf to AuthProtocol?
01:13 *** markvoelker has quit IRC
01:13 <jamielennox> it actually works out worse for them because there are default values in the global conf object
01:13 <jamielennox> bknudson: they can, we just only supported loading auth plugins from config files
01:13 <bknudson> support loading auth plugins from somewhere else.
01:15 <jamielennox> bknudson: right
01:15 <bknudson> I can't even find this code anymore.
01:15 <jamielennox> this is the easy way, auth_plugin.load_with_getter or something
01:15 <gyee> like make them pass auth plugins via the env?
01:15 *** markvoelker has joined #openstack-keystone
01:16 <bknudson> auth_plugin = auth.load_from_conf_options(CONF, _base.AUTHTOKEN_GROUP)
01:16 <bknudson> so that's using the global CONF
01:16 <bknudson> and we need them to be able to pass their own CONF
01:17 <jamielennox> gyee: i don't think so, i don't want other people creating plugins because the options will change
01:17 <bknudson> question is does that CONF have to be oslo.config
01:17 *** zzzeek has quit IRC
01:17 <bknudson> or could it just be a dict that's built correctly
01:17 <jamielennox> bknudson: right well that was getting around the fact that there is an auth.load_from_conf_options and it would be ugly to do a auth.load_with_getter(self._conf_get)
01:18 <jamielennox> and we didn't know it was so widely used
01:18 <bknudson> if it quacks like a duck.
01:19 <gyee> quack, quack
<jamielennox> bknudson: ages ago i wrote and
01:20 <jamielennox> the intention being that we could do like
01:20 <jamielennox> new_config = CfgFilter(old_config)
01:20 <bknudson> it's just about to merge!
01:20 *** markvoelker has quit IRC
01:20 <jamielennox> bknudson: they just released an oslo.config i saw though
01:20 <bknudson> they release a new oslo.config every week.
01:21 <jamielennox> so you could set overrides on a different config object without affecting the global
01:21 <jamielennox> so i guess maybe we might need that after all
01:21 *** tqtran has quit IRC
01:21 <bknudson> val = conf[group][opt.dest]
01:22 <bknudson> If you've got a dict with the right values you should be fine.
01:22 <bknudson> that's in load_from_conf_options
01:22 <jamielennox> conf gets sanitized on the way in though
01:23 <bknudson> you mean the regular conf to auth_token?
01:23 <jamielennox> oh, no the overrides get sanitized, the base CONF doesn't
01:24 <jamielennox> maybe i just handle a regular auth.load_from_options
01:24 <bknudson> if they're passing in a conf we can also have an option on it that tells AuthProtocol to not mess with it.
01:25 <jamielennox> it wouldn't handle the case where you had some options in CONF and some in overrides but i don't think anyone would
01:26 <bknudson> they could pass in a conf with a .auth_plugins_conf or something... do whatever you want.
01:27 <jamielennox> there's already auth.get_plugin_class to get the class, then i could do klass.load_from_options(self._conf)
01:27 <jamielennox> ah, no it will throw an error if it gets options it doesn't recognize
01:27 *** jorge_munoz has joined #openstack-keystone
01:28 *** jorge_munoz has quit IRC
01:28 <bknudson> where will it throw the error?
01:29 <jamielennox> load_from_options is just cls(**kwargs)
01:29 <jamielennox> so if you pass like cache_dir and other stuff from paste it would get passed to the auth plugin creation
01:30 *** davechen has joined #openstack-keystone
01:30 <bknudson> load_from_conf_options just needs a conf that works like a dict of dict.
01:31 <jamielennox> bknudson: sure, but if i'm going to do that i could do it manually
01:31 <mfisch> jamielennox: is that puppet change you made just a drop-in?
01:32 <jamielennox> do klass = auth.get_plugin_class()
01:32 <jamielennox> mfisch: yea, it should work fine
01:32 <mfisch> jamielennox: awesome, can you fix puppet-keystone too ;) that's my last deprecation...
01:32 <mfisch> or I can just copy this
01:33 <jamielennox> mfisch: i've no real idea how to test it end to end, but i need the same change made on a system deployed with those modules
01:33 <jamielennox> mfisch: it shouldn't be in puppet-keystone
01:33 <mfisch> maybe I'm thinking of something else
01:34 <jamielennox> mfisch: yea, you can't deploy auth_token in front of keystone because it needs a keystone to talk to
01:35 <mfisch> jamielennox: this is what I'm thinking of
01:35 <mfisch> 2014-08-05 07:02:09.608 1894 WARNING keystone.openstack.common.versionutils [-] Deprecated: keystone.middleware.core.XmlBodyMiddleware is deprecated as of Icehouse in favor of support for "application/json" only and may be removed in K.
01:35 <mfisch> +2 on your puppet stuff
01:35 <jamielennox> mfisch: i'd probably leave that one for now
01:35 <jamielennox> mfisch: that removes XML from keystone
01:35 <mfisch> can we make a special deprecations flag that says "Jamie says no worries"
01:35 <jamielennox> like the whole XML apis
01:35 <mfisch> yeah someone might want that
01:36 <mfisch> not sure who but someone
01:36 <jamielennox> mfisch: god i hope not
01:36 <mfisch> some .net developer somewhere ;)
01:36 *** gyee has quit IRC
01:36 <jamielennox> well they obviously love the pain anyway
01:37 <mfisch> jamielennox: I've been working on your auth_uri change in puppet along with dan prince
01:37 <mfisch> mostly cleaned up now
01:37 <jamielennox> mfisch: i'm going to change it on you again real soon :p
01:38 <mfisch> That's the vicious cycle
01:38 <jamielennox> i've no idea how puppet is going to handle auth plugins
01:38 <mfisch> we file bugs, you deprecate in retaliation
01:38 <jamielennox> mfisch: actually have you seen the auth plugins in auth_token middleware stuff yet?
01:38 <mfisch> don't think so
01:39 <jamielennox> because you might know how puppet will handle it
01:39 *** Akshik has joined #openstack-keystone
01:41 <jamielennox> bknudson: anyway - i can always do a manual klass.get_options and grab those options out of self._conf_get and then load via klass.load_from_options
01:41 <mfisch> jamielennox: I've honestly not looked into that at all but am happy to discuss the puppet side with you
01:41 <mfisch> after dinner and what not here
01:42 <mfisch> in fact I need to look into what puppet needs to do for Keystone Light tokens
01:42 <jamielennox> bknudson: it's just this is so far auth_token is one of the primary use cases for these loaders and it's stupid i can't use the basic loaders
01:42 <jamielennox> bknudson: but it should be backwards compatible so i'll give it a go
01:42 <jamielennox> mfisch: great, whenever you like - it's not ready for all the services yet so i'm not pushing it for puppet yet
01:43 <jamielennox> mfisch: i'm just not sure how it would be configured when you can drop in any auth credentials at all - does puppet just need to pick a default?
01:43 *** dims has quit IRC
01:43 <wanghong> Morning. One question: does our identity ldap driver support windows server 2008 R2 AD?
01:44 <mfisch> jamielennox: a default or we can force people to make a choice, no default...
01:44 <bknudson> wanghong: since there's no gate test for it, no.
01:45 <jamielennox> mfisch: i think in 90% the password plugin is going to be correct, but if you want something different you don't want it continually being reset
01:45 <wanghong> bknudson, do we have doc that shows which ldap servers that we support?
01:46 <bknudson> wanghong: I've never seen a doc that says which ldap servers are supported.
01:46 <bknudson> and there are no gate tests for any ldap server as far as I know.
01:46 <lbragstad> marekd: around?
01:46 <morganfainberg> lbragstad, my guess is it's super late for marekd right now.
01:47 <bknudson> maybe when we get the in-tree functional testing going we can gate on OpenLDAP
01:47 <lbragstad> morganfainberg: he's about 7ish hours ahead?
01:47 <mfisch> jamielennox: we'd generally try to match what ubuntu/rh shipped as defaults there per platform and let people override
01:47 <jamielennox> mfisch: makes sense
01:48 <lbragstad> mfisch: for fernet tokens, you should just have to switch the provider to keystone.token.providers.fernet.Provider and set up the key repository
01:48 <mfisch> yeah there will be the keystone manage piece, no other options though?
01:49 <lbragstad> mfisch: no other options for setting up keys?
01:49 <morganfainberg> lbragstad, i think so..
01:50 <wanghong> bknudson, thanks. I searched on google, it seems that we support it. But, we don't have gate tests, so we can't say "yes"...
01:50 <bknudson> wanghong: what LDAP servers are supported?
01:50 <mfisch> I'll probably work on fernet stuff after the ops conf, thanks for the info lbragstad
01:50 <wanghong> bknudson, windows server 2008 R2 AD
01:51 <lbragstad> mfisch: no problem
01:51 *** jamielennox is now known as jamielennox|lunc
01:51 <bknudson> wanghong: where does it say that?
01:52 *** jaosorior has quit IRC
01:52 <wanghong> bknudson, I searched on google: keystone windows server 2008 R2 AD
01:53 <bknudson> ok... I'm not seeing anything there that says that it's officially supported by OpenStack.
01:54 <bknudson> mostly it's just facts about the keystone XL pipeline.
01:55 <morganfainberg> bknudson, lol yeah.
01:55 <bknudson> we need to buy that google adword.
01:55 <morganfainberg> we support some AD versions... and some other LDAP servers depending on how crazy you get with the config mapping of LDAP things to keystone things
01:56 <bknudson> if AD or LDAP was broken today we wouldn't know it.
01:56 <morganfainberg> but for the most part if python-ldap can connect to it (with standard binds), we support it
01:56 <morganfainberg> bknudson, no we wouldn't.
01:57 <morganfainberg> i think i can setup a gate job now for it since we can just assume LDAP assignment is broken unless marekd and cern complain at us :P
01:57 <bknudson> if MS wants us to support it they can provide some CI.
01:58 *** _cjones_ has quit IRC
01:59 *** Akshik has quit IRC
02:01 <morganfainberg> bknudson, i need to circle up w/ the MS folks we are supposed to do that
<openstackgerrit> Brant Knudson proposed openstack/keystone: Remove unnecessary import
02:05 <bknudson> easy one
<openstackgerrit> wanghong proposed openstack/keystone: apply endpoint_group filters on token catalog
02:09 *** iamjarvo has joined #openstack-keystone
02:09 *** erkules_ has joined #openstack-keystone
02:12 *** erkules has quit IRC
<openstackgerrit> Matthew Edmonds proposed openstack/keystone: 'Assignment' has no attr 'get_domain_by_name'
02:13 *** Akshik has joined #openstack-keystone
<openstackgerrit> Brant Knudson proposed openstack/keystone: Cleanup test keeping unnecessary fixture references
02:16 *** stevemar has joined #openstack-keystone
02:16 *** ChanServ sets mode: +v stevemar
02:16 *** markvoelker has joined #openstack-keystone
02:20 *** andreaf_ has joined #openstack-keystone
02:20 *** rwsu_ has joined #openstack-keystone
02:21 *** andreaf has quit IRC
02:21 *** nkinder has quit IRC
02:21 *** rwsu has quit IRC
02:21 *** chmouel has quit IRC
02:21 *** andreaf_ is now known as andreaf
02:21 *** markvoelker has quit IRC
02:22 *** chmouel has joined #openstack-keystone
<openstackgerrit> Brant Knudson proposed openstack/keystone: Fix typos in tests/unit/
02:23 *** ljfisher has joined #openstack-keystone
02:26 *** nkinder has joined #openstack-keystone
02:29 *** Akshik has quit IRC
<openstackgerrit> Matthew Edmonds proposed openstack/keystone: 'Assignment' has no attr 'get_domain_by_name'
02:32 *** davechen_ has joined #openstack-keystone
02:33 *** david-lyle has joined #openstack-keystone
02:35 *** rwsu_ is now known as rwsu-afk
02:35 *** davechen has quit IRC
02:39 *** dims has joined #openstack-keystone
02:47 *** jamielennox|lunc is now known as jamielennox
<openstackgerrit> wanghong proposed openstack/keystone: add timestamp to project and role
<openstackgerrit> Matthew Edmonds proposed openstack/keystone: 'Assignment' has no attr 'get_domain_by_name'
03:02 *** rm_work is now known as rm_work|away
03:03 *** ChristyF has quit IRC
03:07 *** david-lyle has quit IRC
<openstackgerrit> Brant Knudson proposed openstack/keystone: Update testing docs
03:16 *** ljfisher has quit IRC
03:17 *** markvoelker has joined #openstack-keystone
<openstackgerrit> Dave Chen proposed openstack/keystone: Remove local conf information from paste-ini
03:22 *** markvoelker has quit IRC
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Return none for missing endpoints
03:28 *** iamjarvo has quit IRC
03:30 *** spandhe has quit IRC
03:34 *** browne has quit IRC
03:45 *** jamielennox is now known as jamielennox|away
03:47 *** sigmavirus24 is now known as sigmavirus24_awa
04:01 *** richm has quit IRC
04:11 *** jamiec has quit IRC
04:15 *** jamiec has joined #openstack-keystone
04:19 *** markvoelker has joined #openstack-keystone
04:22 *** dims has quit IRC
04:23 *** markvoelker has quit IRC
04:27 *** browne has joined #openstack-keystone
04:32 *** mfisch has quit IRC
04:33 *** mfisch has joined #openstack-keystone
04:34 *** mfisch is now known as Guest63892
04:47 *** vishy has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements
04:57 *** harlowja is now known as harlowja_away
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient-federation: Updated from global requirements
05:07 *** spandhe has joined #openstack-keystone
05:11 *** ayoung has quit IRC
05:13 *** stevemar has quit IRC
05:17 *** spandhe_ has joined #openstack-keystone
05:18 *** spandhe has quit IRC
05:18 *** spandhe_ is now known as spandhe
05:20 *** markvoelker has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone: fix import order in federation controller
05:23 *** dims has joined #openstack-keystone
05:23 *** Akshik has joined #openstack-keystone
05:25 *** markvoelker has quit IRC
05:28 *** dims has quit IRC
<openstackgerrit> Merged openstack/keystone: Change headers to be byte string friendly
<openstackgerrit> Merged openstack/keystone: Add support for whitelisting and partial domain configs
05:53 *** iamjarvo has joined #openstack-keystone
05:56 *** sluo_wfh has joined #openstack-keystone
<openstackgerrit> Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
06:03 *** spandhe has quit IRC
06:04 *** sluo_wfh has quit IRC
06:14 *** sluo_wfh has joined #openstack-keystone
06:20 *** iamjarvo has quit IRC
06:21 *** iamjarvo has joined #openstack-keystone
06:22 *** spandhe has joined #openstack-keystone
06:22 *** markvoelker has joined #openstack-keystone
06:27 *** markvoelker has quit IRC
06:37 *** lhcheng has quit IRC
06:43 *** iamjarvo has quit IRC
06:51 *** Krast has joined #openstack-keystone
06:55 *** stevemar has joined #openstack-keystone
06:55 *** ChanServ sets mode: +v stevemar
07:03 *** arunkant has quit IRC
07:22 *** markvoelker has joined #openstack-keystone
07:28 *** lhcheng has joined #openstack-keystone
07:28 *** markvoelker has quit IRC
07:32 *** spandhe has quit IRC
07:36 <marekd> morganfainberg: yeah, it was kind of late (in general, lbragstad adds +7h and morganfainberg +9 and there you have my local time :-) )
07:36 *** openstackgerrit has quit IRC
07:36 *** openstackgerrit has joined #openstack-keystone
<openstackgerrit> Dave Chen proposed openstack/keystone: Fix the typo in `tests/unit/`
<openstackgerrit> Merged openstack/keystone: Move install of cryptography before six
07:51 *** Maike has joined #openstack-keystone
07:52 <Maike> Hey, I'm using Ubuntu14.04 and keystone from master branch. I cloned it yesterday and get the following error: "keystone TypeError: _get_value() takes exactly 4 arguments (5 given)"
07:52 <Maike> is that a known problem?
07:52 <marekd> Maike: and does it show where such error occurs (file, line, operation) ?
07:52 *** Akshik_ has joined #openstack-keystone
07:54 *** Akshik has quit IRC
08:03 <Maike> marekd: 2015-03-04 14:50:44.608 | + mysql -uroot -pdevstack -h127.0.0.1 -e 'DROP DATABASE IF EXISTS keystone;'
08:03 <Maike> 2015-03-04 14:50:44.635 | + mysql -uroot -pdevstack -h127.0.0.1 -e 'CREATE DATABASE keystone CHARACTER SET utf8;'
08:03 <Maike> 2015-03-04 14:50:44.643 | + /opt/stack/keystone/bin/keystone-manage db_sync
08:03 <Maike> 2015-03-04 14:50:45.391 | 28428 CRITICAL keystone [-] TypeError: _get_value() takes exactly 4 arguments (5 given)
08:03 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone Traceback (most recent call last):
08:03 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone   File "/opt/stack/keystone/bin/keystone-manage", line 44, in <module>
08:03 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone     cli.main(argv=sys.argv, config_files=config_files)
08:03 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone   File "/opt/stack/keystone/keystone/", line 310, in main
08:03 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone     CONF.command.cmd_class.main()
08:04 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone   File "/opt/stack/keystone/keystone/", line 73, in main
08:04 <Maike> 2015-03-04 14:50:45.392 | 28428 TRACE keystone     migration_helpers.sync_database_to_version(extension, version)
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone   File "/opt/stack/keystone/keystone/common/sql/", line 204, in sync_database_to_version
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone     _sync_common_repo(version)
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone   File "/opt/stack/keystone/keystone/common/sql/", line 157, in _sync_common_repo
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone     engine = sql.get_engine()
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone   File "/opt/stack/keystone/keystone/common/sql/", line 188, in get_engine
08:04 <stevemar> next time use a paste site :)
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone     return _get_engine_facade().get_engine()
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone   File "/opt/stack/keystone/keystone/common/sql/", line 176, in _get_engine_facade
08:04 <marekd> Maike: please use something like for such things
08:04 <Maike> 2015-03-04 14:50:45.393 | 28428 TRACE keystone     _engine_facade = db_session.EngineFacade.from_config(CONF)
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/oslo_db/sqlalchemy/", line 833, in from_config
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone     return cls(sql_connection=conf.database.connection,
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/oslo_config/", line 2502, in __getattr__
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone     return self._conf._get(name, self._group)
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/oslo_config/", line 2224, in _get
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone     value = self._do_get(name, group, namespace)
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/oslo_config/", line 2261, in _do_get
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone     return convert(opt._get_from_namespace(namespace, group_name))
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone   File "/usr/lib/python2.7/dist-packages/oslo/config/", line 598, in _get_from_namespace
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone     self._convert_value)
08:04 <Maike> 2015-03-04 14:50:45.394 | 28428 TRACE keystone TypeError: _get_value() takes exactly 4 arguments (5 given)
08:05 <Maike> it occurs by running ./ (devstack)
08:06 <stevemar> Maike, try updating oslo.config
08:06 *** Bsony has joined #openstack-keystone
<openstackgerrit> Marcos Fermín Lobo proposed openstack/keystone: Templated catalog backend not implemented
08:13 <Maike> stevemar: where can I find oslo.config?
08:14 <stevemar> try `sudo pip install --upgrade oslo.policy`
<openstackgerrit> Merged openstack/keystone: Updated from global requirements
08:15 *** browne has quit IRC
08:16 *** henrynash has joined #openstack-keystone
08:16 *** ChanServ sets mode: +v henrynash
<openstackgerrit> Merged openstack/keystone: refactor: extract and document audit ID generation
<openstackgerrit> Merged openstack/pycadf: Updated from global requirements
<openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements
08:21 *** henrynash has quit IRC
08:23 *** henrynash has joined #openstack-keystone
08:23 *** ChanServ sets mode: +v henrynash
08:24 *** oguz has joined #openstack-keystone
08:25 *** markvoelker has joined #openstack-keystone
08:27 *** ogzy has quit IRC
08:29 *** markvoelker has quit IRC
<openstackgerrit> Merged openstack/python-keystoneclient: Updated from global requirements
08:33 *** Krast has quit IRC
08:33 *** afazekas has joined #openstack-keystone
<openstackgerrit> Merged openstack/oslo.policy: Updated from global requirements
08:46 *** jaosorior has joined #openstack-keystone
08:49 *** cyeoh has quit IRC
08:49 *** jistr has joined #openstack-keystone
08:53 *** davechen_ has quit IRC
08:55 *** Akshik_ has quit IRC
09:00 *** karimb has joined #openstack-keystone
09:01 *** dims has joined #openstack-keystone
09:03 *** nellysmitt has joined #openstack-keystone
09:03 *** stevemar has quit IRC
09:04 *** stevemar has joined #openstack-keystone
09:04 *** ChanServ sets mode: +v stevemar
09:06 *** dims has quit IRC
09:14 *** browne has joined #openstack-keystone
09:16 *** Akshik has joined #openstack-keystone
09:20 *** elmiko has quit IRC
09:20 *** elmiko has joined #openstack-keystone
09:25 *** Akshik has quit IRC
09:26 *** Akshik has joined #openstack-keystone
09:26 *** markvoelker has joined #openstack-keystone
09:31 *** markvoelker has quit IRC
09:39 *** lhcheng has quit IRC
09:39 *** erkules_ is now known as erkules
09:42 *** lhcheng has joined #openstack-keystone
09:54 *** oguz_ has joined #openstack-keystone
09:57 *** oguz has quit IRC
10:04 *** lhcheng has quit IRC
10:06 *** jlk has quit IRC
10:11 *** browne has quit IRC
10:22 *** sluo_wfh has quit IRC
10:27 *** markvoelker has joined #openstack-keystone
10:31 *** markvoelker has quit IRC
<openstackgerrit> Marcos Fermín Lobo proposed openstack/keystone: Templated catalog backend not implemented
10:33 *** dstanek has quit IRC
10:37 *** fmarco76 has joined #openstack-keystone
10:43 <samueldmq> henrynash, hi - you around ?
10:44 <henrynash> samueldmq: hi
10:44 <samueldmq> henrynash, do we support driver_hints on ldap? I think we have added support for it in the last days :)
10:45 <henrynash> samueldmq: yes, I added that... and it has merged... although we don't support list limit
<samueldmq> henrynash, but I can't find an example of its use, or where the method is placed (for sql it is in common/sql/
10:45 <henrynash> (only filters)
10:46 <samueldmq> henrynash, do you remember where the logic is placed?
10:46 <samueldmq> for ldap ..
10:48 <samueldmq> henrynash, oh.. that was just my branch that needed a rebase :/
10:48 <samueldmq> henrynash, that's the reason I couldn't find the code :)
10:48 <samueldmq> henrynash, thanks
10:55 *** aix has joined #openstack-keystone
10:55 *** dims has joined #openstack-keystone
<openstackgerrit> Abhishek Talwar proposed openstack/python-keystoneclient: User-password-update accepts blank as password
11:25 *** bjornar has joined #openstack-keystone
11:26 *** Akshik has quit IRC
11:28 *** stevemar has quit IRC
11:28 *** markvoelker has joined #openstack-keystone
11:32 *** markvoelker has quit IRC
11:42 *** henrynash has quit IRC
11:42 *** amakarov_away is now known as amakarov
11:45 *** henrynash has joined #openstack-keystone
11:45 *** ChanServ sets mode: +v henrynash
11:51 *** henrynash has quit IRC
12:02 *** oguz__ has joined #openstack-keystone
12:04 *** oguz has joined #openstack-keystone
12:04 *** EmilienM|afk is now known as EmilienM
12:05 *** oguz_ has quit IRC
12:08 *** oguz__ has quit IRC
12:08 *** afazekas has quit IRC
12:10 *** iamjarvo has joined #openstack-keystone
12:22 *** afazekas has joined #openstack-keystone
12:28 *** Maike_ has joined #openstack-keystone
12:29 *** markvoelker has joined #openstack-keystone
12:31 *** afazekas has quit IRC
12:31 *** Maike has quit IRC
12:34 *** markvoelker has quit IRC
12:38 *** markvoelker has joined #openstack-keystone
12:43 *** afazekas has joined #openstack-keystone
12:43 *** ccard__ has quit IRC
12:51 *** raildo_away is now known as raildo
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug in SQL/LDAP when honoring driver_hints
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints
12:55 *** ccard__ has joined #openstack-keystone
<openstackgerrit> Dave Chen proposed openstack/keystone: envlist option defaults to the list of all environments
13:24 *** Bsony_ has joined #openstack-keystone
13:26 *** Bsony has quit IRC
13:26 *** henrynash has joined #openstack-keystone
13:26 *** ChanServ sets mode: +v henrynash
<openstackgerrit> Dave Chen proposed openstack/keystone: envlist option defaults to the list of all environments
13:33 *** gordc has joined #openstack-keystone
13:34 *** aix has quit IRC
*** joesavak has joined #openstack-keystone13:42
*** dstanek has joined #openstack-keystone13:45
*** ChanServ sets mode: +v dstanek13:45
*** dims has quit IRC13:51
*** dims has joined #openstack-keystone13:52
*** karimb has quit IRC13:53
*** jsavak has joined #openstack-keystone13:53
*** ljfisher has joined #openstack-keystone13:54
*** joesavak has quit IRC13:57
openstackgerrithenry-nash proposed openstack/keystone: Add checking for existing group/option to update domain config
*** aix has joined #openstack-keystone14:02
*** ayoung has joined #openstack-keystone14:02
*** ChanServ sets mode: +v ayoung14:02
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables
openstackgerrithenry-nash proposed openstack/keystone: Add checking for existing group/option to update domain config
openstackgerrithenry-nash proposed openstack/keystone: Add checking for existing group/option to update domain config
*** iamjarvo has quit IRC14:07
openstackgerritMatthew Edmonds proposed openstack/keystone: 'Assignment' has no attr 'get_domain_by_name'
*** richm has joined #openstack-keystone14:14
*** henrynash has quit IRC14:17
*** radez_g0n3 is now known as radez14:18
*** karimb has joined #openstack-keystone14:24
*** oguz is now known as ogzy14:28
*** ogzy has joined #openstack-keystone14:28
*** zzzeek has joined #openstack-keystone14:29
*** mattfarina has joined #openstack-keystone14:35
*** henrynash has joined #openstack-keystone14:35
*** ChanServ sets mode: +v henrynash14:35
*** topol has joined #openstack-keystone14:36
*** ChanServ sets mode: +v topol14:36
*** Maike_ has quit IRC14:38
*** iamjarvo has joined #openstack-keystone14:39
*** browne has joined #openstack-keystone14:45
*** r-daneel has joined #openstack-keystone14:46
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests
*** krykowski has joined #openstack-keystone14:50
*** henrynash has quit IRC14:50
*** elmiko has left #openstack-keystone14:51
*** zzzeek has quit IRC14:52
*** ccrouch-afk has joined #openstack-keystone14:54
*** radez is now known as radez_g0n314:56
ccrouch-afkquick question:14:58
ccrouch-afkI was just trying a GET request on /v2.0/users/{user_id}/roles against Juno keystone14:58
ccrouch-afkand am getting back 501: User roles not supported: tenant ID required14:58
ccrouch-afkwould there be any interest in a patch to update the docs at to note this?14:58
*** sigmavirus24_awa is now known as sigmavirus2414:59
*** krtaylor has quit IRC14:59
*** karimb has quit IRC15:02
*** karimb has joined #openstack-keystone15:03
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints
samueldmqdstanek, ping - you around ?15:10
samueldmqdstanek, I submitted a new patch set for 'Exposes bug in SQL/LDAP when honoring driver_hints', because in fact this bug affects both SQL and LDAP15:11
samueldmqdstanek, then I modified the test to cover both .. please consider revisiting that (the old patch set had your +2)15:11
samueldmqdstanek, this affects our reseller implementation15:11
*** henrynash has joined #openstack-keystone15:13
*** ChanServ sets mode: +v henrynash15:13
*** nellysmitt has quit IRC15:17
*** timcline has joined #openstack-keystone15:18
dstaneksamueldmq: sure15:21
*** timcline has quit IRC15:21
*** timcline has joined #openstack-keystone15:22
samueldmqdstanek, thanks15:22
dolphmlbragstad: p.s. this is where i got stuck yesterday with fernet:
dolphmlbragstad: same tests are passing against pki and uuiz15:24
lbragstaddolphm: interesting15:24
*** iamjarvo has quit IRC15:24
lbragstadwhere is
samueldmqhenrynash, hi - addressed your concerns on the driver_hints patch15:24
lbragstadis that new?15:24
bknudsoncompressed UUID tokens?15:24
henrynashsamueldmq: yep…just about to look at it15:24
samueldmqhenrynash, thanks for your review there, we hope to get that merged asap, since we depend on that for reseller (we add is_domain hints to look at the project table )15:25
samueldmqhenrynash, great! thanks15:25
*** krtaylor has joined #openstack-keystone15:26
dolphmlbragstad: root directory15:26
dolphmbknudson: uuiz = base64.urlsafe_b64encode(uuid.uuid4().bytes)15:26
bknudsondolphm: could even chop off the trailing =15:27
dolphmbknudson: uuiz_max_compression = base64.urlsafe_b64encode(uuid.uuid4().bytes)[:-2]15:27
lbragstadmarekd: I'm trying to figure out the best way to test the federated token formatter15:27
*** spandhe has joined #openstack-keystone15:27
lbragstadmarekd: and there is a bunch of setup federation stuff in that lives in the FederatedTokenTests module15:28
lbragstadmarekd: would you be opposed to having that stuff broken out somewhere common so that it's easier to share across test modules versus inheriting them?15:28
dolphmbknudson: or .rstrip('=') i suppose15:28
henrynashsamueldmq: see comment15:29
openstackgerritDoug Fish proposed openstack/python-keystoneclient-federation: WIP: add Saml2KeystoneUnscoped for K2K federation
dolphmlbragstad: git checkout fernet-tokens && git diff master15:31
*** hockeynut has quit IRC15:31
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests
*** jorge_munoz has joined #openstack-keystone15:32
*** hockeynut has joined #openstack-keystone15:32
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints
openstackgerrithenry-nash proposed openstack/keystone: Add checking for existing group/option to update domain config
*** iamjarvo has joined #openstack-keystone15:33
samueldmqhenrynash, ^15:33
samueldmqhenrynash, thanks15:33
*** iamjarvo has quit IRC15:33
*** iamjarvo has joined #openstack-keystone15:33
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config
*** krykowski has quit IRC15:33
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
*** ccrouch-afk is now known as ccrouch15:36
*** edmondsw has joined #openstack-keystone15:46
*** edmondsw has quit IRC15:47
*** edmondsw has joined #openstack-keystone15:47
*** edmondsw has quit IRC15:47
*** edmondsw has joined #openstack-keystone15:48
*** krtaylor has quit IRC15:50
dolphmjorge_munoz: o/ someone else here can probably answer better than i15:50
dolphmjorge_munoz: is_admin is set as a result of the user having the "admin" role as defined in policy.json15:51
jorge_munozYes, thanks.15:51
jorge_munozCan someone point me to where the is_admin attribute is set for an auth request?15:52
*** jorge_munoz has quit IRC15:53
*** tmcpeak has joined #openstack-keystone15:54
tmcpeakwelp… I've done something ridiculous15:54
tmcpeakI have system level access on my undercloud box15:55
*** browne has quit IRC15:55
tmcpeakbut I have removed the admin user from the admin role15:55
*** jorge_munoz has joined #openstack-keystone15:55
tmcpeakany way to fix that?15:55
tmcpeakor pave and nuke?15:55
dolphmjorge_munoz: i think there's a decorator on v2 controller methods15:57
dolphmtmcpeak: yep! the keystone.conf [default] admin_token is intended for bootstrapping your deploy15:58
dolphmtmcpeak: use that as your --os-token combination with a raw --os-endpoint={keystone} to reassign the admin user that role15:58
tmcpeakdolphm: sweet!15:59
jorge_munozThanks, I'll take a look16:00
tmcpeakdolphm: thanks, I'll give that a shot16:00
lbragstadjorge_munoz: there is also some stuff for is_admin in keystone's middleware code
tmcpeakthought you guys might have some magic :)16:00
jorge_munozlbragstad: Ok, but that's for the admin token. I was wondering more of a user with the admin role.16:01
*** spandhe has quit IRC16:01
*** krtaylor has joined #openstack-keystone16:02
lbragstadjorge_munoz: I was just looking for places in the code that had is_admin anywhere16:02
dolphmjorge_munoz: ++16:03
dolphmjorge_munoz: v2 controller methods explicitly call is_admin(), which is defined in keystone/common/wsgi.py16:04
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental
dolphmjorge_munoz: it checks to see that you either used the admin_token (bootstrapping) or that you pass the 'admin_required' policy in policy.json16:05
dolphmjorge_munoz: which i think is just defined as 'role:admin' by default16:05
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database
jorge_munozdolphm: so, when authenticating and a user has an admin role, should the is_admin attribute be set to 1?16:07
dolphmjorge_munoz: in the token response, you mean?16:08
dolphmjorge_munoz: i suppose... yes. but absolutely *nothing* should depend on that because it's not a defined API16:08
dolphmthat's a big "should" though16:08
jorge_munozdolphm: thanks, I'll try it on master and see what's the behavior.16:10
*** browne has joined #openstack-keystone16:10
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config
dolphmlbragstad: didn't we pull the created at time out of the fernet tokens? or did that never get into gerrit16:13
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
dolphmlbragstad: ... i don't think that ever got into gerrit.16:15
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Add domain_id checking in create_project
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Honor domain operations in project table
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Change project name constraint
openstackgerritCyril Roelandt proposed openstack/python-keystoneclient: Prevent a UnicodeDecodeError in the s3token middleware
lbragstaddolphm: I don't think so16:17
openstackgerritMatthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database
lbragstaddolphm: trying to figure out the common federated test case setup stuff16:19
dolphmlbragstad: stuff
*** stevemar has joined #openstack-keystone16:21
*** ChanServ sets mode: +v stevemar16:21
lbragstaddolphm: oo nice16:22
lbragstaddolphm: I'd like to pick one of those up when I get through the federation stuff16:22
dolphmlbragstad: you're welcome to - let me know which / when. i just wrote a wip to remove the token expiration in favor of returning the max datetime python supports lol16:23
*** tellesnobrega has quit IRC16:24
jorge_munozdolphm: lbragstad I tested adding the admin role to a user on master with default provider. This is what i get:
jorge_munozis_admin attribute is not set.16:28
lbragstadinteresting... that's misleading16:28
*** tellesnobrega has joined #openstack-keystone16:29
lbragstadso where ever is_admin is being set it's getting copied into the metadata for v2?16:29
dolphmjorge_munoz: good! it's garbage anyway. it must only kick in for the admin_token, which you don't have to worry about16:29
dolphmlbragstad: it's set by that middleware you linked to, for admin_token16:30
dolphmlbragstad: i thought maybe it was set elsewhere too, but guess not16:30
lbragstaddolphm: jorge_munoz that makes sense then16:30
dolphmif it's always false, we should remove it from the v2 tokens we emit16:30
*** david-lyle has joined #openstack-keystone16:30
lbragstaddolphm: ++16:30
*** Bsony_ has quit IRC16:30
dolphmno one could possibly depend on it besides us16:30
lbragstaddolphm: and if we do have to keep it in there for some reason it should be renamed16:30
dolphmand we only use it internally16:31
openstackgerritSteve Martinelli proposed openstack/oslo.policy: deprecate policy_dirs option
*** Guest63892 is now known as mfisch16:31
*** mfisch has joined #openstack-keystone16:31
jorge_munozlbragstad: dolphm cool, I'll add a comment on the patch.16:34
*** ChristyF has joined #openstack-keystone16:35
raildohenrynash: I saw you are the author of the last drop table in keystone... have you seen something like "DatabaseAlreadyControlledError" in the migration tests?16:36
lbragstaddolphm: question in pulling the created at time out of the fernet token. The revocation event doesn't pull that information from the token data does it? It generates it as the event is created, yeah?16:38
iamjarvoi am trying to view the keystone catalog and it's asking for -os-auth-url is that the keystone endpoint16:38
*** spandhe has joined #openstack-keystone16:40
morganfainberglbragstad: probably not16:41
dolphmlbragstad: i don't understand the first question, but the second question is a yes: revocation events have timestamps which reflect the time at which the event occurred. if the creation time of a token is before that event, then it is impacted by the revocation event.16:41
morganfainbergCreated at isn't super relevant for event though.16:41
dolphmlbragstad: so we still need to be able to get create times out of tokens, but we should get it from the fernet encoding instead of from the payload16:42
morganfainbergOh wait dolphm is right. Deep16:42
lbragstaddolphm: perfect,16:42
dolphmmorganfainberg: i prefer "deep"16:42
lbragstadthat works16:42
* dolphm This has been dolphm on token philosophies.16:42
* dolphm Join us next time for a throught proking discussion of expiration dates.16:43
*** rwsu-afk is now known as rwsu16:43
* dolphm ... or "provoking," whatever.16:43
*** spandhe has quit IRC16:44
openstackgerritMerged openstack/keystone: Make the LDAP dependency clear between identity, resource & assignment
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
dolphmlbragstad: ^16:46
dolphmlbragstad: fun fact- removing the expiration time reduces the size of fernet tokens from 187 chars to 167 chars16:47
dolphmlbragstad: i assume removing the created time will be similar16:47
stevemardolphm, depends on the month :O16:47
morganfainbergdolphm: you should go with "thought poking"16:47
lbragstaddolphm: I didn't expect the time ints to be that big16:48
dolphmstevemar: they're stored as integers since unix epoch - so not quite!16:48
stevemaroh noes16:48
dolphmmorganfainberg: =)16:48
henrynashraildo: not on a clean run…but if you get an error and re-run, often the tables are still “locked” in some way16:48
henrynashraildo: if it’s a clean test, is this sqllite, mysql or what?16:49
*** krtaylor has quit IRC16:49
dolphmstevemar: if we're going to keep timestamps for whatever reason, i was going to argue that we sacrifice precision by dividing them by 60 or 3600 to save a magnitude or three16:49
morganfainbergAs long as that data is available it doesn't matter where it lives. Though tbh, it probably should be in a secure (signed?) location16:51
*** Akshik has joined #openstack-keystone16:51
morganfainbergSo people can't craft / muck with it.16:51
*** Akshik_ has joined #openstack-keystone16:52
morganfainbergSo, I've not looked at how fernet wrapper stores that vs when it is in the token encoded area.16:52
raildohenrynash: we could drop the table, and re-create it, but when we run all the tests, we got this error.16:53
morganfainbergdolphm: however expires can be derived from created, you just need to encode the Ttl in the token, not the whole expires time. So usually no more than 5 digits in an int.16:53
raildohenrynash, yes, it's run in sqlite16:54
*** tmcpeak has left #openstack-keystone16:55
*** Akshik has quit IRC16:55
henrynashraildo: so sqlite doesn’t support some things…but it does support drop table…what you can get is the fact that it hasn’t really realised that it has dropped it….so you might need to refresh the mapping you have (I forget how I experimented with this before)16:59
*** Bsony has joined #openstack-keystone16:59
raildohenrynash: I see... I've been trying to follow the steps on this commit of yours:
*** krtaylor has joined #openstack-keystone17:01
raildoit's pretty much the same steps, but I'm still getting the error in some tests like test_sql_upgrade.VersionTests.test_unversioned_extension17:01
henrynashraildo: ahh…..right so you in an extension…..17:02
*** zzzeek has joined #openstack-keystone17:03
*** iamjarvo has quit IRC17:03
*** iamjarvo_ has joined #openstack-keystone17:03
*** jorge_munoz_ has joined #openstack-keystone17:04
henrynashraildo: now I do remember some weirdness that a test in an extension repo was failing due to what had happened in the main repo….the main repo still had something mapped or the like…sadly it’s too long ago…but there definitely was something about the interaction between the main repo and an extensions repo17:05
dstaneksqlite foreign keys!!17:06
raildohenrynash: I see...17:07
raildodstanek, I've removed the foreign keys migration and I'm only doing the drop itself, and it's still not working17:07
*** jistr has quit IRC17:08
dstanekraildo: what issue are you having?17:08
* morganfainberg looks forward to most of the extension repos collapsing into the main schema repo.17:08
morganfainbergbreton_: ping. Are you going to do the sql collapse or should I? (Don't want to duplicate effort if it isn't needed)17:09
raildodstanek: I'm writing the drop domain table migration script and I successfully can do and undo this drop17:09
raildobut I'm getting two kinds of errors: the DatabaseAlreadyControlledError in test_sql_upgrade.VersionTests.test_extension_migrated, for example17:10
henrynashstevemar, ayoung, gyee: nice byte-sized fix for a Thursday morning:
dstanekraildo: which patch is it?17:11
amakarovmorganfainberg, he is ill today. not sure if he'll even respond17:12
raildoI have not submitted it yet17:12
dstanekraildo: let me know when you do and i can start poking at it17:12
morganfainbergamakarov: no worries. I figure irc is mostly async communication.17:12
morganfainbergdstanek: raildo ++. Feel free to post it if you need extra eyes to help debug it.17:13
*** _cjones_ has joined #openstack-keystone17:13
raildodstanek, morganfainberg: cool. I'll submit it and let you guys know17:13
*** _cjones_ has quit IRC17:14
*** _cjones_ has joined #openstack-keystone17:15
morganfainbergdstanek: so bknudson had the same question I did about .extend vs .append. I think this is sufficient to say we need to clarify that code. It will likely break because it doesn't make a lot of sense.17:17
morganfainbergIn a future fix that is.17:17
*** _cjones_ has quit IRC17:17
*** henrynash has quit IRC17:17
bknudsonmorganfainberg: I thought I was just stupid.17:18
*** _cjones_ has joined #openstack-keystone17:18
dolphmmorganfainberg: creation time is signed, but not encrypted in fernet17:18
morganfainbergbknudson: no it's related to late eval and handing the data differently when you're stopping out group info.17:19
dolphmmorganfainberg: and yeah, when i originally thought about dropping the expiration time, we weren't using fernet, so my solution is actually outdated. we can/should just dynamically compute expiration time based on fernet's creation time + CONF token lifespan17:19
morganfainbergbknudson: in short it should be a data structure.17:19
amakarovmorganfainberg, I have a fix for quite a long time, don't want to be noisy, but I'd really like to land it in this release - it fixes some weird revocation logic Fernet tokens will suffer from.17:19
bknudsonit's going to require a lot of documentation for special-casing.17:19
bknudsonalso, I doubt the example that says {1} works.17:19
morganfainbergbknudson: yeah. So I think this is enough to justify a "go make this a data structure" and don't assume this makes sense.17:20
morganfainbergAt least that becomes more usable.17:20
dstanekbknudson: haha, me too - i had to have it explained to me slowly and in small words17:21
morganfainbergdstanek: I think we all did17:21
bknudsonif they want to make it specific to groups then they can document it that way.17:21
morganfainbergdstanek: so, let's ask it to be changed.17:21
bknudsonalso, if it's specific to groups then maybe don't try to make it generic at all... it looks like it can be used anywhere.17:21
morganfainberg3 cores needing small words for it, that is a good canary for "this is wrong"17:22
bknudsonstevemar figured it out.17:22
morganfainbergbknudson: we're not all cool like stevemar ;)17:23
marekdlbragstad: i don't really mind :-) go ahead :-)17:24
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter
openstackgerritLance Bragstad proposed openstack/keystone: Add unscoped token formatter for Fernet tokens
openstackgerritLance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data
lbragstadmarekd: attempting to do it here
dolphmamakarov: targeted to kilo-3 and added the review to our list of release blocking reviews
openstackLaunchpad bug 1401926 in Keystone "Role revocation invalidates tokens on all user projects" [Medium,In progress] - Assigned to Alexander Makarov (amakarov)17:26
stevemarlbragstad, nice17:26
amakarovdolphm, thanks, Horizon guys will appreciate this fix :)17:27
dolphmamakarov: we will too :)17:28
openstackgerritDoug Fish proposed openstack/python-keystoneclient-federation: WIP: add Saml2KeystoneUnscoped for K2K federation
morganfainbergamakarov: fyi, you can't revoke by Id here. We need the groups to be in the token for revocation events to be able to revoke by it.17:30
openstackgerritDoug Fish proposed openstack/python-keystoneclient-federation: WIP: add Saml2KeystoneUnscoped for K2K federation
morganfainbergWhich at the moment I think is not the case. Which is why the bug exists.17:31
*** krtaylor has quit IRC17:31
pmathdriver = keystone.catalog.backends.templated.TemplatedCatalog --> ImportError: Class TemplatedCatalog cannot be found. What's the new name here?17:32
*** spandhe has joined #openstack-keystone17:32
stevemarpmath, almost the same  keystone.catalog.backends.templated.Catalog17:33
pmaththanks stevemar17:33
*** browne has quit IRC17:33
morganfainbergstevemar: did we break someone with a rename? Because if we did. We need to provide an alias symbol.17:33
morganfainbergpmath: when did you hit that?17:34
stevemarmorganfainberg, it was deprecate and targeted for removal in L17:34
stevemarerr K17:34
morganfainbergstevemar: ah ok. Just checking.17:34
amakarovmorganfainberg, that's cool - I don't want the second table by size of the token table :)17:34
*** ericpeterson has joined #openstack-keystone17:35
*** ericpeterson has left #openstack-keystone17:35
morganfainbergamakarov: also I think you're going to run into issues with this code being over zealous in revocations in a different way. But I'll be honest this is not something I can definitely score via a mobile device ;)17:35
pmathmorganfainberg: I updated a really old keystone install from about 2 years ago17:36
*** ericpeterson has joined #openstack-keystone17:36
morganfainbergSo... I'll do more in depth review when I'm at a real screen.17:36
morganfainbergpmath: ah ok.17:36
amakarovmorganfainberg, ok, I'll be careful :)17:37
*** krtaylor has joined #openstack-keystone17:37
morganfainbergamakarov: I'll comment if I find anything.17:37
ericpetersonquestion on looking at    That page leads me to believe I can get a new token, once I have an existing token.  (see the /v3/auth/tokens section).   Is that possible?17:37
morganfainbergericpeterson: yes. But the token's expiration (new one) is the same as the original one.17:38
morganfainbergThis is used to allow people to change scope (what project/tenant) they are working on.17:38
ericpetersonthat cuts to the chase, exactly what I was wondering17:38
ericpetersonthanks morganfainberg   :)17:39
morganfainbergericpeterson: I've answered that question a few times. Usually the expiration and rescoping are the relevant bits people are interested in.17:39
* ericpeterson lurks back to the horizon room - his people. appreciates the help17:40
*** ericpeterson has left #openstack-keystone17:40
*** jorge_munoz_ has quit IRC17:43
fmarco76morganfainberg: my patch was planned for kilo and the code is ready but waiting for the bug Is there the possibility to land both in kilo?17:43
*** timcline has quit IRC17:44
morganfainbergfmarco76: yes. But I removed the targeting until we solved the bug. Let's get the bugfix landed and then your code can be landed. If it looks to be landing in k3 we will retarget the bp.17:44
*** timcline has joined #openstack-keystone17:44
morganfainbergfmarco76: the bugfix is also something we need to possibly backport.17:45
fmarco76morganfainberg: thanks, I am waiting for the bug to be reviewed17:45
morganfainbergfmarco76: yeah I think I stuck that as a blocker for k317:45
fmarco76morganfainberg: yes17:46
morganfainbergfmarco76: targeted bug and added to the gist.17:46
fmarco76morganfainberg: what is gist?17:47
morganfainbergThe link in the channel comment for high priority reviews.17:47
morganfainbergChannel topic*17:47
*** amakarov is now known as amakarov_away17:47
fmarco76morganfainberg: OK (I am quite new here :) )17:47
morganfainbergfmarco76: :)17:48
fmarco76morganfainberg: OK, thanks17:49
*** lhcheng_ has joined #openstack-keystone17:49
*** jlk has joined #openstack-keystone17:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** harlowja_away is now known as harlowja17:58
*** fmarco76 has left #openstack-keystone17:58
*** radez_g0n3 is now known as radez18:09
*** jlk has left #openstack-keystone18:10
ccrouch(08:58:33 AM) ccrouch: quick question:18:11
ccrouch(08:58:33 AM) ccrouch: I was just trying a GET request on /v2.0/users/{user_id}/roles against Juno keystone18:11
ccrouch(08:58:33 AM) ccrouch: and am getting back 501: User roles not supported: tenant ID required18:11
ccrouch(08:58:33 AM) ccrouch: would there be any interest in a patch to update the docs at to note this?18:11
ccrouchanyone have any thoughts ^ ?18:11
morganfainbergccrouch: oh I think "user" global roles have never been supported. So sure fixing that would probably be good.18:15
*** karimb has quit IRC18:16
ccrouchok, great, thanks for the confirmation18:16
*** karimb has joined #openstack-keystone18:17
breton_morganfainberg: I am going, will put on review either tomorrow or on Saturday18:17
*** karimb has quit IRC18:18
morganfainbergbreton_: no worries. Just making sure i knew you were working on it. :) that way I don't need to worry about doing it myself and just watch for the review.18:18
breton_in fact, I am working on it right now.18:19
*** breton_ is now known as breton18:19
morganfainbergThat can land even after k3 if needed. So there isn't a huge rush (though, of course I won't say no to it landing earlier)18:20
*** iamjarvo_ has quit IRC18:25
*** iamjarvo has joined #openstack-keystone18:31
openstackgerritDavid Stanek proposed openstack/keystone: Spelling and grammar cleanup
openstackgerritDavid Stanek proposed openstack/keystone: Fixes minor whitespace issues
*** ljfisher has quit IRC18:32
*** zzzeek has quit IRC18:33
stevemardstanek, neat18:34
dstanekstevemar: ?18:34
stevemaryour patches18:34
stevemari am saying they are neat18:35
stevemaras in... neato18:35
bknudsonpep8 should catch the whitespace issues.18:36
*** ljfisher has joined #openstack-keystone18:36
dstanekstevemar: ah - i have to fix stupid stuff as i review other patches :-)18:36
dolphmlbragstad: did you do any work to pull out the creation timestamp? if not, it'd be easier for me to depend the expires_at change on top of that18:36
dolphmlbragstad: because now i want to compute the expiration time on validation based on create time18:37
openstackgerritMerged openstack/oslo.policy: deprecate policy_dirs option
stevemar\o/ policy merge@18:37
lbragstaddolphm: go for it18:39
dolphmlbragstad: alrighty18:39
lbragstaddolphm: working on federated fernet testing18:39
*** aix has quit IRC18:40
*** krtaylor has quit IRC18:45
rodrigodsmorganfainberg, ping... re: did domain config in db get the FFE?18:50
*** topol_ has joined #openstack-keystone18:54
*** ChanServ sets mode: +v topol_18:55
*** topol has quit IRC18:55
*** topol_ is now known as topol18:55
*** krtaylor has joined #openstack-keystone18:59
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: rename the "standard" token formatter to "scoped"
dolphmlbragstad: ^18:59
lbragstaddolphm: cool18:59
lbragstaddolphm: I'll review18:59
*** dims_ has joined #openstack-keystone19:01
*** ljfisher has quit IRC19:01
*** gyee has joined #openstack-keystone19:01
*** ChanServ sets mode: +v gyee19:01
*** ljfisher has joined #openstack-keystone19:02
*** _cjones_ has quit IRC19:02
*** dims has quit IRC19:04
stevemarlhcheng_, osc meeting in -meeting19:05
*** ljfisher has quit IRC19:06
dolphmlbragstad: you made a change somewhere to have audit_ids always be a list, right?19:06
lhcheng_stevemar: thanks!19:07
dolphmlbragstad: i'm wondering if i'm looking at old code: audit_ids = audit_ids.pop()19:07
lbragstaddolphm: yes I did19:07
dolphmah that's right19:09
lbragstadthat should make audit ids always be a list19:09
dolphmlbragstad: thanks!19:09
lbragstaddolphm: yep19:09
dolphmlbragstad: dstanek has a good point there -- the commit message could just say "to a list of bytes before sending them to msgpack"19:12
morganfainbergrodrigods, i think we're set for it to land19:12
rodrigodsmorganfainberg, great19:13
dolphmlbragstad: i also wrote a unittest module for the other two b64 functions that you could add to19:13
morganfainbergdstanek, audit ids should always be a list in the resulting token19:13
morganfainbergdstanek, with either 1 element (this token is an original authentication, no rescope) or 2 elements (current audit id for the token and the original token in the chain)19:14
morganfainbergdstanek, if fernet didn't do that, it was wrong :P19:14
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking
dstanekdolphm: i didn't know if that was right19:15
lbragstaddolphm: where was your unit test?19:15
dolphmdstanek: it was desirable as a simplification19:15
dstanekmorganfainberg: :-) we should have a test for that19:15
morganfainbergdstanek, i think we do actually.19:15
dolphmdstanek: more consistency / fewer edge case19:15
morganfainbergdstanek, but it doesn't check the token data in fernet, just the resulting token body on validate/issue.19:16
morganfainbergdstanek, we don't care what the data encoded in the fernet id actually is as long as keystone can provide real data on issue/validate responses to be consumed19:16
morganfainbergso maybe in fernet's id it wasn't a list?19:17
dolphmlbragstad: i think you might be returning unscoped tokens when prompted for a domain scoped token, fyi19:17
dstanekmorganfainberg: no idea what that translated into when the token is changed into a datastructure19:18
morganfainbergdstanek, ah19:18
lbragstaddolphm: is that on the new patch?19:18
lbragstaddolphm: or master?19:18
morganfainbergdstanek, ok so in the token id it wasn't a list before now it is. cool got it19:18
dstanekmorganfainberg: the code that was changed moved from a string to a list and didn't say why19:18
dolphmlbragstad: no i mean that's probably the issue i'm seeing in keystone-deploy ... i see some suspicious code in fernet.core19:18
morganfainbergi see what your comment was about now19:19
lbragstaddolphm: link?19:19
*** lhcheng_ is now known as lhcheng19:19
morganfainbergok so i don't get the bug
openstackLaunchpad bug 1428600 in Keystone "Domain Config updates for specific group/option don't honor NotFound" [High,In progress] - Assigned to Henry Nash (henry-nash)19:19
morganfainbergthe words are all valid but what is the actual issue?19:20
morganfainbergthat the option must be set in the main config before it can be overridden?19:20
dolphmlbragstad: you only ever pass a project id -- the domain ID is ignored
dolphmlbragstad: probably need a domain-scoped formatter :P19:20
dolphmlbragstad: even if it's not used long-term19:20
dolphmlbragstad: (post hierarchical multitenancy)19:21
dolphmlbragstad: don't worry about that today though19:21
lbragstaddolphm: that should be a oneline fix if we wanted to roll it into the token formatter we already have19:22
lbragstadline 10419:22
lbragstadwe could determine if we're scoping to a project or a token19:22
dolphmlbragstad: that's how i identified the issue actually19:22
dolphmlbragstad: but when you decode the token, how do you know if the ID you have is a project or domain?19:23
* lbragstad has way too many conversations going on, excuse the context jumping!19:23
lbragstaddolphm: we would have to call to the assignment api19:23
lbragstaddolphm: to determine what is what19:23
dolphmlbragstad: (unless we're ready to say all domain IDs are also project IDs? <-- morganfainberg, raildo)19:23
morganfainbergdolphm, that patch has not landed. :P19:23
dolphmlbragstad: yeah, that would suck19:23
lbragstaddolphm: that's something we could get around if we introduced a new domain-scoped formatter19:24
dolphmmorganfainberg: is it likely to land this cycle?19:24
morganfainbergdolphm, it has a chance to.19:24
dolphmlbragstad: right19:24
morganfainbergdolphm, it is not guaranteed to.19:24
dolphmmorganfainberg: ack19:24
morganfainbergdolphm, it's part of the reseller work19:24
dolphmlbragstad: so, let's drag our feet on the issue and see if that has a chance to change. if it doesn't look like it's going to, it's easy for us to workaround with that fourth format19:25
morganfainbergso assume it will not land, if we need to yank a formatter out... the cost is low if it does land19:25
dolphmlbragstad: or that ^19:25
dolphmsame effect19:25
morganfainbergformatters are relatively cheap for us19:25
lbragstadyank a formatter out? so pull out the domain formatter if we land it?19:25
raildodolphm, morganfainberg is right :)19:25
dolphmmorganfainberg: and working on making them cheaper!19:25
dolphmlbragstad: yeah, just delete it19:25
lbragstadand use the "project formatter" for everything "scoped"19:26
lbragstadlike we are doing today?19:26
morganfainberglbragstad, domain scope != project scope today19:26
morganfainbergand it may not in the future either19:26
morganfainbergassume you need to differentiate19:26
morganfainbergi don't care how you do that ;)19:26
morganfainbergif it means we need another formatter (even for a short bit) that is nbd19:26
morganfainbergwe can always remove it. - in short, solve domain scopes however is easiest for you to do19:27
morganfainbergbut don't assume domain scope == project scope (since it doesn't)19:28
*** david-lyle has quit IRC19:29
dstanekdolphm: lbragstad: found another issue in
dstanekthe -2 slicing is likely to cause bugs if the string should be decodable19:31
lbragstaddstanek: I can refactor19:31
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking
lbragstaddstanek: ^19:34
*** rm_work|away is now known as rm_work19:34
morganfainbergdstanek, ah sure .rstrip is fine, it was sliced initially because it was a fixed/known length it always had 2 '=='19:34
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Mirror domain entries to project table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye bye domain table
morganfainbergraildo, LOL the name on that commit is awesome19:36
raildomorganfainberg, hahaha =D19:37
rodrigodsraildo, morganfainberg ++19:37
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: don't require token formatters to understand "token_data"
dolphmlbragstad: more refactarrrrr19:38
dolphmlbragstad: next step is to remove the formatter's dep on v3_token_data_helper19:38
raildodstanek, morganfainberg, this last patch is WIP,  we don't know how to resolve that problem when we drop the domain table.19:39
htrutadstanek, morganfainberg: this patch will break thousands of tests... our focus for a while is only the sql upgrade ones19:40
dstanekraildo: cool, i'll take a look19:41
raildodstanek, thanks :)19:41
*** browne has joined #openstack-keystone19:41
lbragstaddolphm: this makes it so that fernet.core is still doing most of the logic19:42
lbragstadwhich goes against the idea of pushing more of the token context to the formatters (per the integrity protected token format conversation)19:42
lbragstadjust curious if that's still the direction we want to move?19:43
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: WIP: Bye bye domain table
dolphmlbragstad: it is... i'm just going DRY DRY DRY until i can think of an elegant way to push versions into the tokens themselves...19:43
raildojust change the commit msg to put WIP :P19:43
lbragstaddolphm: makes sense,19:43
dolphmlbragstad: i don't really care where what responsibilities are, as long as they're only in one place19:44
*** dims_ has quit IRC19:44
*** dims has joined #openstack-keystone19:45
morganfainbergdolphm, couldn't you make fernet prefix F_ then make the first element the format 00, 01, 02, 03, then the formatter handles the rest with that being stripped off?19:45
dolphmmorganfainberg: that's the direction i'm going with
openstackLaunchpad bug 1427485 in Keystone "Fernet tokens contain a version identifier that is not integrity verified" [Medium,New] - Assigned to Dolph Mathews (dolph)19:45
morganfainbergdolphm, ah19:45
dolphmmorganfainberg: except the last paragraph on the bug report also makes argument against any external prefixing (F_)19:46
*** jlk has joined #openstack-keystone19:47
jlkHey all, I'm trying to set up keystone as a federated SP, and in the shibboleth setup it talks about a scriptalias, and it's trying to alias a path and send it to /var/www/keystone/main   which seems to me like an odd path, since that path doesn't exactly exist on the filesystem. Is it instead supposed to reference the CGI alias in some way?19:48
jlk is what I'm speaking of19:49
morganfainbergdolphm, well we need to external prefix so we can differentiate MII from Fernet [since MII isn't gone] and uuid.19:49
jlkmorganfainberg: ^19:49
morganfainbergdolphm, but that is a simple external-prefix not a complex one19:49
dolphmmorganfainberg: only if you're going to have one keystone deployment validating both online19:49
lbragstaddolphm: so are we thinking about dropping the F** all together?19:50
dolphmlbragstad: that's my goal atm19:50
morganfainbergdolphm, i'll need to stew on that some19:50
lbragstadand when middleware gets to the point of being able to decrypt/verify we put the token version back on?19:50
jlkwhoops, n/m, I see what's going on here19:50
morganfainbergjlk, ah was just about to respond, you got it?19:50
jlklooks like instead of /var/www/keystone/main it should be /var/www/cgi-bin/keystone/main (since we put our in /var/www/cgi-bin/19:51
morganfainbergjlk: s/respond/look at the question19:51
morganfainbergah, yeah wherever you actually put the main19:51
jlkmain is the name of the function within the file19:51
morganfainbergthe doc writer just used /var/www/keystone/* vs. what you've picked /var/www/cgi-bin19:52
jlkyeah, the same doc uses /var/www/cgi-bin/ on
jlkso the two should probably be reconciled19:53
dolphmmorganfainberg: ++19:54
openstackgerritMerged openstack/keystone: Exposes bug in SQL/LDAP when honoring driver_hints
dolphmmorganfainberg: i can't think of an argument to keep it, anyway. still working on getting there in the first place, so you'll have a review to vote on at some point19:55
morganfainbergjlk, yeah probably some doc mis-matches19:55
jlkmorganfainberg: do we need a OS-FEDERATION script alias for both the standard port vhost and the admin port vhost?19:57
jorge_munozlbragstad: dolphm Fernet tokens in v3 are not populating the audit_id.20:00
jorge_munozon authenticate request.20:00
dolphmjorge_munoz: as in, they're not in the token's payload? or they're not returned to the user in the response body?20:01
morganfainbergstevemar, ^ jlk's question (i need to run to lunch)20:02
jorge_munozdolphm: yes, its not in the token response body.20:02
dolphmjorge_munoz: does self.v3_token_data_helper.get_token_data() take audit_info in it's def?20:03
dolphmwondering if maybe the argument name is wrong or something20:03
lbragstadyes, it takes audit_info20:04
morganfainbergjlk, for v3 admin/standard are the same thing (We don't differentiate)20:06
lbragstaddolphm: jorge_munoz
morganfainbergjlk, in the long run we're hoping to drop one of those (like as soon as v2 dies)20:07
jlkthat'd be nice20:07
morganfainberglong term i want to get keystone always deployed on port :443.20:07
morganfainbergand use web/url semantics to say "this is keystone" vs other things20:07
*** jsavak has quit IRC20:08
morganfainbergbut having to choose a non-80/443 port, 5000 would be used because then the 35735 or whatever it is that is in the default linux ephemeral range is a non-issue20:08
lbragstaddolphm: jorge_munoz it looks like the audit_info is passed to the get_token_data method20:08
morganfainbergjlk, so i'd say best bet is for federation/v3 work assume both ports should be the same.20:09
jlkyeah, we'd have to arrange some things differently, set up our vhosts differently so provide both horizon and keystone (and whatever else we toss behind apache) on the same host, but that's all do-able.20:09
jlkdoesn't work so well if you want to run different httpd processes for each service20:09
jlkthey can't all listen on the same port, would have to put a proxy in place20:09
jorge_munozlbragstad: dolphm It seems that the issue is that the create_token does not update the token_data with the audit_ids20:11
bknudsonyou can already deploy keystone that way... it's just apache config.20:11
*** fifieldt has quit IRC20:11
*** fifieldt_ has joined #openstack-keystone20:11
*** timcline has quit IRC20:12
*** timcline has joined #openstack-keystone20:13
openstackgerritMerged openstack/keystone: Updated from global requirements
lbragstadjorge_munoz: on create token, it should populate that information here?
lbragstadin which case, I think it is touched when creating the token_id in the formatters20:14
openstackgerritMerged openstack/keystone: Fix places where role API calls still called assignment_api
jorge_munozlbragstad: The audit ids are being popped here: /home/jorge/source/keystone/keystone/token/providers/fernet/
lbragstadjorge_munoz: you're right20:17
morganfainbergwe put audit ids in for juno right?20:17
morganfainbergwe can probably make them required for kilo and beyond20:18
dolphmmorgdo not know20:18
dolphmmorganfainberg: tab-complete fail!20:18
morganfainbergdol we should find out20:18
morganfainbergi can fail to tab too! ;)20:19
lbragstadjorge_munoz: try those same tests with this
lbragstadjorge_munoz: that change just gets rid of some of the token_data logic in the formatters20:20
jorge_munozlbragstad: this is the problem if isinstance(audit_ids, list) and len(audit_ids) == 1:20:20
lbragstadjorge_munoz: yep,20:20
lbragstadjorge_munoz: that needs to go away20:20
lbragstadjorge_munoz: dolphm has a patch up to fix it20:20
dolphmhow convenient!20:21
morganfainberglet me check on when audit ids were added20:21
morganfainbergif they were added in juno we can just make all tokens require them. the reason we didn't before was to support upgrades20:21
morganfainbergwhere some older tokens may not have had it20:21
morganfainberg(seems like a weird edge case but ... meh?)20:22
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove Fernet formatter's dep on trust_api / v3 token helper
*** chrisshattuck has joined #openstack-keystone20:23
*** chrisshattuck has quit IRC20:24
jorge_munozlbragstad: sweet, that would fix the v2 stuff too.20:24
lbragstadjorge_munoz: ++20:24
*** chrisshattuck has joined #openstack-keystone20:25
*** openstackgerrit has quit IRC20:25
*** openstackgerrit has joined #openstack-keystone20:25
samueldmqdstanek, thanks for your +2 on 'Fixes bug in SQL/LDAP when honoring driver_hints' (
samueldmqmorganfainberg, stevemar could you please take a look at this ? ^ we already have 2x +2 there :)20:27
samueldmqand we do need this fix for reseller, since we add is_domain filter to query for domains in the project table20:27
*** afazekas has quit IRC20:29
lbragstadjorge_munoz: that change should also make the tokens a little smaller since it converts them to bytes before sending them to msgpack20:30
lbragstads/them/the audit_ids/20:32
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove Fernet formatter's dep on trust_api / v3 token helper
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove token formatters dep on 'token_data' on create()
dolphmlbragstad: address your comments ^20:35
lbragstaddolphm: thanks, lgtm20:36
lbragstadjorge_munoz: new patch up for your reviewing pleasure ^20:36
dolphmlbragstad: i also think you'll like the first changed line here
dolphmbknudson: would like it too ^20:37
*** g2` has quit IRC20:38
lbragstadjorge_munoz: I lied about the audit_ids being shorter, that change lives here20:38
jorge_munozlbragstad: I'll take a look20:41
*** g2` has joined #openstack-keystone20:43
*** david-lyle_afk has joined #openstack-keystone20:45
*** _cjones_ has joined #openstack-keystone20:46
*** david-lyle_afk has quit IRC20:47
*** david-lyle_afk has joined #openstack-keystone20:47
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
*** chrisshattuck has quit IRC21:00
*** boris-42 has quit IRC21:02
*** chrisshattuck has joined #openstack-keystone21:02
*** raildo is now known as raildo_away21:03
*** david-lyle_afk is now known as david-lyle21:03
lbragstadstevemar: have a minute for a federation testing question?21:06
stevemarlbragstad, i'm barely here21:06
lbragstadstevemar: no worries, I'll keep tinkering with it21:06
stevemarlbragstad, shoot away though21:07
lbragstadstevemar: I'm attempting to use the federation setup testing code for fernet tokens21:07
stevemari saw the mixin patch, what else is up21:08
lbragstadstevemar: I seem to have pulled everything in the right place so it can be used by both the FederatedTokenTests as well as the FederatedFernetTokenTets21:08
lbragstadI want to do a def test_federated_unscoped_token(self):21:08
lbragstadand call resp = self._issue_unscoped_token()21:08
lbragstadas my first test case21:08
lbragstadbut get this instead,21:09
lbragstadstevemar: which leads me to believe I don't have everything setup properly21:10
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
morganfainberglbragstad, dolphm, audit ids were added for juno: we could now make them mandatory for all tokens21:16
dolphmmorganfainberg: are audit IDs emitted in CADF?21:17
morganfainbergdolphm, hm. i don't think they are.21:17
openstackgerritMerged openstack/keystone: Fix a minor coding nit in Fernet testing
lbragstaddolphm: how does fernet know what we want the expiration time to be?21:18
morganfainberglbragstad, DATETIME(created_at) + TIMEDELTA(ttl) ?21:18
stevemarlbragstad, hmm21:19
stevemarlink to patch?21:19
*** boris-42 has joined #openstack-keystone21:19
lbragstadstevemar: this is the outdated one
lbragstadstevemar: I'm still hacking on it21:19
dolphmlbragstad: morganfainberg ++21:19
dolphmmorganfainberg: the ttl isn't encoded in the token though, it's applied at validation time based on the current CONF21:20
stevemarlbragstad, search for auth_plugin_config_override21:20
* dolphm more stateless all the things21:21
lbragstaddolphm: I think I'm missing the part where we tell fernet what our token ttl is21:21
dolphmlbragstad: see L203 - L210 on the right
morganfainbergdolphm, TTL needs to be in the token afaik21:22
dolphmmorganfainberg: why? if it was it'd be encrypted anyway21:23
morganfainbergdolphm, because otherwise i change the conf and tokens that weren't valid can become valid again21:23
dolphmmorganfainberg: correct21:23
morganfainbergor vice versa21:23
morganfainbergchange the conf and tokens that are valid are no longer21:23
dolphmmorganfainberg: you can also permanently invalidate by doing key rotation21:23
morganfainbergwe've always maintained a token has a fixed life when it is issued.21:23
morganfainbergthis is a behavior change.21:23
dolphmmorganfainberg: yeah, i'm suggesting we change that21:23
lbragstaddolphm: so fernet doesn't determine if the token is invalid based on expiration?21:24
morganfainbergdolphm, it also wouldn't be reflected in cached tokens at endpoints if KSM is caching21:24
dolphmmorganfainberg: the above change still informs the client of the intended expiration. unless the deployer changes the CONF before that expiration date arrives, it'll hold true21:24
morganfainbergdolphm, i think this isn't a good change.21:24
morganfainbergyou end up with potentially different behavior depending on configuration of KSM, keystone, etc.21:25
morganfainbergi am inclined to say we should encode the TTL in the token.21:25
morganfainbergi mean, i wont block this with it as is.21:25
* morganfainberg would like to keep behavior as consistent as possible once a token has been issued.21:25
lbragstaddolphm: one comment21:25
dolphmmorganfainberg: sort of correct on the cache thing, i think. pretty sure we use the expiration as the cache timeout, right? so if you shortened the expiration in keystone on a live server, and had caching enabled in auth_token up to the token's intended expiration, the new, lowered CONF would take effect until new tokens are issued21:26
dolphmassuming perfect caching, etc21:26
morganfainbergif we cached a token [it was already used], lets assume a shared memcache between endpoints21:27
morganfainbergthen we use the token on an endpoint w/o a cache21:27
*** joesavak has joined #openstack-keystone21:27
morganfainbergthe token would be rejected, but on the endpoint with the cache it would be accepted21:27
morganfainbergwe don't use TTL as cache time, it's a fixed cache window21:28
morganfainberglike 300s21:28
morganfainbergor some such21:28
*** Akshik_ has quit IRC21:29
morganfainbergoh. crap21:30
morganfainbergthis is potentially icky21:31
dolphmmorganfainberg: which part?21:31
*** Akshik_ has joined #openstack-keystone21:31
morganfainbergwe might store tokens in-process by default [the option comment says we do]21:31
morganfainbergmeaning potentially validating tons of tokens causes memory bloat/21:31
*** topol has quit IRC21:31
morganfainbergin services using KSM21:31
morganfainbergif they don't explicitly -1 cache time or use memcache21:32
lbragstadstevemar: cool, that worked, it's still giving me UUID tokens, but I'll keep poking it21:33
morganfainbergdolphm, and crap performance:
* stevemar shrugs21:34
morganfainbergif we have a lot of tokens that need to be purged21:34
stevemarlbragstad, tokens is your domain (pun intended)21:34
morganfainbergyeah... not good.21:34
* morganfainberg has an in-memory caching idea to make cleanup less crap for dogpile and memorycache bad thing21:34
* lbragstad tips hat to stevemar 21:34
dolphmmorganfainberg: uhh, i'm not following, which part is icky? the state of today, or with the proposed change?21:35
morganfainbergdolphm, the state of today21:35
morganfainbergdolphm, proposed change makes no difference21:35
dolphmoh, eek21:35
morganfainbergif you validate a ton of tokens and don't set memorycache you explode memory usage... and on each get we "cleanup" the cache21:35
dolphmmorganfainberg: keep stewing on it. i'm just running with the narrative that fernet tokens are mostly stateless and everything occurs at validation time21:35
morganfainbergmeaning we could bind up a lot of things.21:35
dolphmmorganfainberg: gotcha lol21:36
morganfainbergAND worse we aren't threadsafe and so ksm could in theory seriously explode memory use21:36
morganfainbergbecause threadsafe/shared info is still important even with eventlet with multiple worker-things21:36
dolphmmorganfainberg: but only with in-memory caching?21:36
morganfainbergyeah, for memcache we are only dealing with complete crap library, but we've worked around that using the advanced pool21:36
*** Akshik_ has quit IRC21:37
* morganfainberg hangs head.21:39
morganfainbergso uhm... i *think* i want to just drop memorycache in ksm for dogpile.21:39
bknudsonyou mean oslo.cache.21:39
morganfainbergbknudson, no because oslo.cache doesn't exist yet21:40
morganfainbergi mean.. just use dogpile directly and when oslo.cache becomes a reality make it better.21:40
* morganfainberg also needs to go propose a pull request for upstream dogpile now.21:40
dstaneki wouldn't think memcache itself (not just the library) would work all that well with our tokens21:40
morganfainbergdstanek, it offloads a lot of validation / call back to keystone if you share the cache21:41
morganfainbergdstanek, it works fine.21:41
bknudsonthe revocation list breaks it21:41
morganfainbergthe revocation list is an issue.21:41
morganfainbergbknudson, we do have someone who has expressed interest in doing oslo.cache directly21:41
morganfainbergi think you know that cause you were at the meeting21:41
bknudsonI was at the meeting.21:42
morganfainbergso let me go propose this in-memory caching backend that doesnt suck as badly to upstream dogpile.21:42
morganfainbergand then i think i'll rip out memorycache from ksm and use something better.21:43
morganfainbergcause this is no-bueno21:43
dstanekmorganfainberg: i'm surprised that it works that well at scale because of the way the slabs work and the tremendous waste of memory21:43
morganfainbergdstanek, it's better than asking keystone every time... but honestly, i think people don't use the memcache part... they use the in-process cache, which has some serious issues.21:44
*** joesavak has quit IRC21:44
* morganfainberg tries to remember bitbucket password21:44
* morganfainberg wonders if we could get dogpile moved over to under gerrit...21:45
*** iamjarvo has quit IRC21:53
*** _cjones_ has quit IRC21:53
*** iamjarvo has joined #openstack-keystone21:54
*** jamielennox|away is now known as jamielennox21:56
*** _cjones_ has joined #openstack-keystone21:57
openstackgerritMatthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: refactor: scoped tokens are always scoped
*** junhongl has quit IRC22:04
*** junhongl has joined #openstack-keystone22:05
*** edmondsw has quit IRC22:07
*** samueldmq_ has joined #openstack-keystone22:07
*** Bsony has quit IRC22:07
openstackgerritDavid Stanek proposed openstack/keystone: Fixes minor whitespace issues
morganfainbergwell that is *not* cool.22:09
*** tqtran has joined #openstack-keystone22:09
*** tqtran has quit IRC22:09
* morganfainberg was going to use something clever22:10
morganfainbergbut it's broken in python22:10
*** tqtran has joined #openstack-keystone22:17
dstanekmorganfainberg: clever not good usually anyway22:17
morganfainbergdstanek, thing = [[]] * 1022:17
morganfainbergdstanek, thing[0].append('stuff')22:18
morganfainberg[['stuff'], ['stuff'], ['stuff'], ['stuff'], ['stuff'], ['stuff'], ['stuff'], ['stuff'], ['stuff'], ['stuff']]22:18
morganfainbergyeah... there goes using a mutable as the input for that22:18
morganfainbergi know why that is happening. it doesn't mean it makes me happy22:19
dstanekyay, for references!22:19
morganfainbergsometimes python is a little weird in when it chooses to use the reference and not22:19
dstanekthing = [[] for _ in range(10)]?22:19
samueldmq_lol makes sense but weird22:19
morganfainbergyeah that'd work.22:19
*** stevemar has quit IRC22:20
*** stevemar has joined #openstack-keystone22:20
*** ChanServ sets mode: +v stevemar22:20
*** ayoung has quit IRC22:24
samueldmq_morganfainberg, and as 'thing = ([] for _ in range(10))' it becomes a generator ...22:26
morganfainbergsamueldmq_, yeah22:26
samueldmq_morganfainberg, think I didn't know about generators in python ... it's interesting22:27
*** lhcheng has quit IRC22:33
*** gordc has quit IRC22:38
*** richm has quit IRC22:41
*** lhcheng has joined #openstack-keystone22:42
bknudsonitertools.repeat([], 10)22:44
dstanekbknudson: i think that will have the same issue22:46
bknudsonit does, it's a ref.22:47
morganfainbergi think ^^ that would make in-memory caches better [even if we just applied the same kind of logic to the oslo-incubator thing]22:59
morganfainbergsome added logic is likely needed for memorycache since it doesn't store all the expiry w/ the value23:00
*** mattfarina has quit IRC23:02
*** haneef_ has quit IRC23:06
*** _cjones_ has quit IRC23:09
*** _cjones_ has joined #openstack-keystone23:17
*** jorge_munoz has quit IRC23:18
*** _cjones_ has quit IRC23:22
*** _cjones_ has joined #openstack-keystone23:28
*** _cjones_ has quit IRC23:29
*** sigmavirus24 is now known as sigmavirus24_awa23:32
*** cyeoh has joined #openstack-keystone23:41
*** _cjones_ has joined #openstack-keystone23:43
*** openstack has joined #openstack-keystone23:52
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy instead of incubated version
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubated version of oslo policy
openstackgerritSteve Martinelli proposed openstack/keystone: Cleanup policy related tests
openstackgerritSteve Martinelli proposed openstack/keystone: Remove policy parsing exception
*** ayoung has joined #openstack-keystone23:57
*** ChanServ sets mode: +v ayoung23:57