Monday, 2015-03-16

*** aix has quit IRC00:26
*** aix has joined #openstack-keystone00:30
*** iamjarvo has joined #openstack-keystone00:53
*** bknudson has quit IRC01:53
*** dims_ has quit IRC02:13
*** erkules_ has joined #openstack-keystone02:23
*** erkules has quit IRC02:26
*** chrisshattuck has joined #openstack-keystone02:33
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens
*** hogepodge has joined #openstack-keystone02:43
*** erkules_ is now known as erkules02:54
*** erkules has quit IRC02:55
*** erkules has joined #openstack-keystone02:55
*** browne has joined #openstack-keystone02:56
*** chrisshattuck has quit IRC03:05
*** iamjarvo has quit IRC03:12
*** dimsum__ has joined #openstack-keystone03:14
*** stevemar has joined #openstack-keystone03:19
*** ChanServ sets mode: +v stevemar03:19
*** dimsum__ has quit IRC03:19
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Rename requests mock object in testing
*** chrisshattuck has joined #openstack-keystone03:30
*** achudnovets_ has quit IRC03:37
*** iamjarvo has joined #openstack-keystone03:46
*** iamjarvo has quit IRC03:46
*** iamjarvo has joined #openstack-keystone03:47
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Rename requests mock object in testing
*** iamjarvo has quit IRC04:03
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow passing logger object to request
*** lhcheng has quit IRC04:25
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add Request ID to outbound calls when set
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add service token to user token plugin
*** gokrokve has joined #openstack-keystone04:40
*** Akshik has joined #openstack-keystone04:45
*** gokrokve has quit IRC04:45
*** gokrokve has joined #openstack-keystone04:46
*** gokrokve has quit IRC04:50
*** gokrokve has joined #openstack-keystone05:16
*** gokrokve has quit IRC05:18
*** gokrokve has joined #openstack-keystone05:18
*** gokrokve has quit IRC05:23
openstackgerritSteve Martinelli proposed openstack/keystone: Adds test for federation mapping list order issues
*** lhcheng has joined #openstack-keystone05:25
*** chrisshattuck has quit IRC05:27
*** lhcheng has quit IRC05:30
*** lhcheng has joined #openstack-keystone05:36
*** sluo_wfh has joined #openstack-keystone05:46
*** sluo_wfh has quit IRC05:55
*** stevemar has quit IRC05:55
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Provide a generic auth plugin loader
*** sluo_wfh has joined #openstack-keystone06:08
davechenmorganfainberg, steve, hi,06:11
davechenmorganfainberg, steve, I just drafted a blueprint here ( to follow some comments and discussion in the mailing list regarding to ondelete cascade/ondelete restrict.06:12
davechenmorganfainberg, steve, since the impact is a little bigger than expected, one or two bugs seems cannot hold the changes.06:14
davechenwould you pls take mins to look at that pages? I am not quite sure whether it's worthwhile to do that in 'L'? and is there any mistake or break something in the Keystone which I cann't see.06:17
*** gokrokve has joined #openstack-keystone06:18
davechenlurking... talk to you when you online, thx.06:21
*** gokrokve has quit IRC06:23
*** afazekas has joined #openstack-keystone06:23
openstackgerritJamie Lennox proposed openstack/keystone-specs: Add spec for request-helpers
*** topol has quit IRC06:41
*** pcaruana has quit IRC07:14
*** gokrokve has joined #openstack-keystone07:18
*** gokrokve has quit IRC07:20
*** gokrokve has joined #openstack-keystone07:20
*** browne has quit IRC07:22
*** gokrokve has quit IRC07:24
*** mflobo has quit IRC07:43
*** rwsu has joined #openstack-keystone07:43
*** mflobo has joined #openstack-keystone07:45
*** ajayaa has joined #openstack-keystone07:48
*** ncoghlan has quit IRC07:51
*** ParsectiX has joined #openstack-keystone08:13
*** gokrokve has joined #openstack-keystone08:18
*** gokrokve has quit IRC08:23
*** jorge_munoz has quit IRC08:28
*** jorge_munoz has joined #openstack-keystone08:29
*** nellysmitt has joined #openstack-keystone08:40
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
*** henrynash has quit IRC08:59
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Federation Service Providers CRUD operations
*** Akshik has quit IRC09:10
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Clean arguments in test_federation.*.test_create()
*** jistr has joined #openstack-keystone09:11
*** gokrokve has joined #openstack-keystone09:18
*** gokrokve has quit IRC09:22
*** amakarov_away is now known as amakarov09:37
*** dimsum__ has joined #openstack-keystone09:46
*** lhcheng has quit IRC09:50
*** gokrokve has joined #openstack-keystone10:18
*** gokrokve has quit IRC10:23
*** Akshik has joined #openstack-keystone11:02
*** dims_ has joined #openstack-keystone11:02
*** dimsum__ has quit IRC11:04
*** dims_ has quit IRC11:07
*** dimsum__ has joined #openstack-keystone11:13
*** gokrokve has joined #openstack-keystone11:18
*** aix has quit IRC11:21
*** Akshik has quit IRC11:22
*** gokrokve has quit IRC11:23
*** ajayaa has quit IRC11:24
*** fmarco76 has joined #openstack-keystone11:32
*** ajayaa has joined #openstack-keystone11:37
*** rushiagr_away is now known as rushiagr11:39
*** tsufiev_ is now known as tsufiev11:42
openstackgerritMerged openstack/keystonemiddleware: Update auth_token config docs
*** rushiagr is now known as rushiagr_away11:55
openstackgerritMerged openstack/python-keystoneclient: Crosslink to other sites that are owned by Keystone
openstackgerritMerged openstack/keystonemiddleware: Crosslink to other sites that are owned by Keystone
*** rushiagr_away is now known as rushiagr12:01
*** henrique_ has joined #openstack-keystone12:04
*** rm_work is now known as rm_work|away12:14
openstackgerritMerged openstack/keystonemiddleware: Move _memcache_pool into auth_token
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table
*** gokrokve has joined #openstack-keystone12:18
*** raildo has joined #openstack-keystone12:21
*** gokrokve has quit IRC12:23
*** dimsum__ has quit IRC12:32
*** dimsum__ has joined #openstack-keystone12:32
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation
*** radez_g0n3 is now known as radez12:38
*** ajayaa has quit IRC12:41
*** mattamizer has joined #openstack-keystone12:47
*** carlosmarin has joined #openstack-keystone12:49
*** openstackgerrit has quit IRC12:50
*** openstackgerrit has joined #openstack-keystone12:50
*** fifieldt has joined #openstack-keystone12:51
*** mattamizer has quit IRC13:01
*** ayoung has joined #openstack-keystone13:02
*** ChanServ sets mode: +v ayoung13:02
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Federation Service Providers CRUD operations
*** henrynash has joined #openstack-keystone13:10
*** ChanServ sets mode: +v henrynash13:10
*** aix has joined #openstack-keystone13:10
*** henrynash has quit IRC13:15
*** gokrokve has joined #openstack-keystone13:18
*** gokrokve has quit IRC13:22
*** bknudson has joined #openstack-keystone13:30
*** ChanServ sets mode: +v bknudson13:30
*** jdennis has quit IRC13:33
*** dimsum__ is now known as dims13:33
*** Ctina_ has joined #openstack-keystone13:35
*** henrynash has joined #openstack-keystone13:35
*** ChanServ sets mode: +v henrynash13:35
*** jdennis has joined #openstack-keystone13:39
*** Ctina_ is now known as ctina13:39
henrynashhaving an issue mocking out the LOG.warn as part of a test for invalid domain configs:
henrynashdoesn’t seem to catch it….anyone have expereince of trying this?13:41
*** jaosorior has joined #openstack-keystone13:43
*** ajayaa has joined #openstack-keystone13:47
rodrigodshenrynash, hey... fixed here13:49
rodrigodshenrynash, the error is because you are mocking with the create_config call, not with get_config_with_sensitive_info13:49
rodrigodshenrynash, should I submit the changes here?13:50
henrynashrodigods: duuuuhhhhhhhh13:50
henrynashrodigods: no, I get it!!!!!13:50
henrynashrodigods: thanks….one of those things I stared at…and couldn’t see the problem!13:50
rodrigodshenrynash, great! reviewed some nits there13:50
rodrigodshenrynash, np :)13:50
henrynashrodigods: yep, saw those, thanks!13:50
*** richm has joined #openstack-keystone13:51
*** gokrokve has joined #openstack-keystone13:56
*** radez is now known as radez_g0n313:58
*** samueldmq has quit IRC14:00
*** gokrokve_ has joined #openstack-keystone14:00
*** ctina has quit IRC14:01
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
*** gokrokve has quit IRC14:04
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
openstackgerritBrant Knudson proposed openstack/keystone: Update sample httpd config file
*** mattfarina has joined #openstack-keystone14:08
*** henrynash has quit IRC14:08
ParsectiXI'm trying to get this test = keystone_admin.roles.get("heat_stack_owner") but I'm getting Could not find role: heat_stack_owner (HTTP 404)14:12
ParsectiXwhen I put the UUID in () it returns the user14:12
ParsectiXwhy I can't search with name ?14:12
*** Akshik has joined #openstack-keystone14:15
*** ljfisher has joined #openstack-keystone14:19
*** timcline has joined #openstack-keystone14:23
*** krykowski has joined #openstack-keystone14:23
*** amerine has quit IRC14:24
*** sigmavirus24_awa is now known as sigmavirus2414:25
*** Akshik has quit IRC14:32
*** stevemar has joined #openstack-keystone14:40
*** ChanServ sets mode: +v stevemar14:40
*** angular_mike has joined #openstack-keystone14:42
*** topol has joined #openstack-keystone14:47
*** ChanServ sets mode: +v topol14:47
*** iamjarvo has joined #openstack-keystone14:49
*** atiwari has joined #openstack-keystone14:54
*** krykowski has quit IRC14:55
*** browne has joined #openstack-keystone14:56
*** gordc has joined #openstack-keystone14:59
dstanekFYI - I'm in training this week so I won't be very responsive to requests15:00
dstanekmorganfainberg: lbragstad: dolphm: ayoung: marekd: bknudson: stevemar: marekd: ^15:00
*** zzzeek has joined #openstack-keystone15:01
lbragstaddstanek: sounds good15:01
bknudsondstanek: training for what?15:01
marekddstanek: sure :-)15:01
dstanekbknudson: OpenStack!15:01
bknudson(can't imagine how dstanek could get any better)15:01
stevemarsales training?15:01
dstaneklbragstad: where do you sit at Castle?15:01
lbragstaddstanek: you're here?!15:01
dstanekbknudson: <315:01
marekddstanek is going to sell what we all do here.15:01
bknudsondstanek should be training them.15:02
lbragstaddstanek: in the back dark corner by the bookstore15:02
*** rushiagr is now known as rushiagr_away15:02
stevemardstanek, thanks for letting us know15:02
dstanekbknudson: i am learning to set up my own cloud!15:02
zigo_It's looking like to me that current trunk of Keystone needs a higher version of python-cryptography than just 0.4.15:02
dstaneklbragstad: i'm up on floor 3 right now, but i'll be here all week15:02
* zigo_ is currently trying to build with cryptography 0.8.15:03
lbragstaddstanek: nice! let me know if they let you out for food15:03
lbragstadcc dolphm ^15:03
bknudsonglobal-requirements only has 0.4 for now15:03
bknudsonlatest is 0.815:04
bknudsonzigo:     AttributeError: 'module' object has no attribute 'MultiFernet'15:08
bknudsonthat's with cryptography==0.415:08
bknudsonzigo: 0.7 worked, 0.6.1 didn't15:12
bknudsonI'll post a change to g-r.15:12
*** chrisshattuck has joined #openstack-keystone15:13
*** david-lyle_afk is now known as david-lyle15:15
zigo_bknudson: Cheers!15:17
zigo_bknudson: Indeed, I just tried the unit tests with 0.6, it failed, but 0.8 worked.15:17
* zigo_ is trying to package everything from trunk this week, to get ahead of beta3 release ...15:17
bknudsonI could update to 0.8? probably doesn't matter to anyone if 0.7 or 0.8 is used.15:17
zigo_bknudson: I currently can't rebuild 0.8 in Jessie, because of unit tests failing with the SSLv3 stuff in Debian. Though since 0.8 is in Experimental, I guess it doesn't change much for me.15:19
*** thedodd has joined #openstack-keystone15:21
*** rm_work|away is now known as rm_work15:30
*** rushiagr_away is now known as rushiagr15:30
*** _cjones_ has joined #openstack-keystone15:31
*** arunkant has quit IRC15:35
*** Akshik has joined #openstack-keystone15:36
*** krykowski has joined #openstack-keystone15:36
*** lhcheng has joined #openstack-keystone15:45
*** iamjarvo has quit IRC15:46
*** _cjones_ has quit IRC15:48
*** tqtran has joined #openstack-keystone15:51
*** rushiagr is now known as rushiagr_away15:53
*** gokrokve_ has quit IRC15:53
*** arunkant has joined #openstack-keystone15:54
*** ljfisher has quit IRC15:56
*** gokrokve has joined #openstack-keystone15:57
*** gyee has joined #openstack-keystone15:59
*** ChanServ sets mode: +v gyee15:59
*** ljfisher has joined #openstack-keystone16:00
*** rushiagr_away is now known as rushiagr16:02
dolphmlbragstad: one test is fixed since friday, but i'm still getting a bunch of 401's when sending fernet tokens to auth_token?
lbragstaddolphm: do you get anything logged from the echo service?16:09
lbragstadwrt AuthProtocol?16:09
*** Akshik has quit IRC16:10
*** Akshik has joined #openstack-keystone16:10
*** openstackgerrit has quit IRC16:11
*** openstackgerrit has joined #openstack-keystone16:11
*** iamjarvo has joined #openstack-keystone16:12
*** Akshik has quit IRC16:12
*** samueldmq has joined #openstack-keystone16:13
*** Akshik has joined #openstack-keystone16:13
*** Akshik has quit IRC16:14
*** vhoward has left #openstack-keystone16:14
*** aix has quit IRC16:16
*** Akshik has joined #openstack-keystone16:16
*** fmarco76 has left #openstack-keystone16:16
*** radez_g0n3 is now known as radez16:16
dolphmlbragstad: not that travis logs - but i could change that16:17
lbragstaddolphm: just curious since there looks to be a bit of logging in AuthProtocol that could help narrow down what's happening16:18
*** browne has quit IRC16:18
lbragstaddolphm: might be hitting?
*** ljfisher has quit IRC16:26
*** iamjarvo has quit IRC16:29
*** nellysmitt has quit IRC16:30
*** ljfisher has joined #openstack-keystone16:30
*** iamjarvo has joined #openstack-keystone16:32
lbragstaddolphm: I'm working on a patch for the rest of the methods stuff.16:32
lbragstaddolphm: I'm wondering if that is related?16:32
*** gokrokve has quit IRC16:34
dolphmlbragstad: i sort of doubt it - i'm not aware of anything that cares about methods yet16:34
*** gokrokve has joined #openstack-keystone16:36
*** iamjarvo has quit IRC16:36
*** krykowski has quit IRC16:37
*** haneef has joined #openstack-keystone16:40
*** samueldmq has quit IRC16:40
haneefbknudson: Regarding defect  that is merged ,
openstackLaunchpad bug 1421825 in Keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress] - Assigned to Brant Knudson (blk-u)16:41
uvirtbotLaunchpad bug 1421825 in keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress]16:41
uvirtbotLaunchpad bug 1421825 in keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress]
haneefI'm not sure about validation. I think it was done intentionally. If some one gets your token, by doing validation they can get more information about the user from that token. To avoid this token validation was intentionally restricted to service and admin16:41
morganfainbergoh uvirtbot is back.16:41
bknudsonhaneef: it's not merged.16:41
haneefDo we really want user to validate his token?  -16:42
bknudsonI'll have to think about it.16:42
morganfainberghaneef, i think we need to allow it16:42
morganfainbergthere are things that people, unfortunate, need to figure out based on their token16:42
morganfainberge.g. scope16:42
bknudsonif I had a token I'd just try stuff and see what worked.16:43
haneefwhy, it will cause security implications. if some one gets a token from log, they can do find out more information about th caller16:43
morganfainberghaneef, the PII leaking into tokens should not be the reason why we don't allow it16:43
morganfainberghaneef, from a security perspective, it's at best security through obscurity to not allow someone to get other information about what they can do with a token16:44
bknudsonhaneef: is there any issue with revoke? only validate?16:44
haneefIt is not about PII, you can get the roles associated with the user from that tokek, then can you can more harm16:44
bknudsonI can split up the patch.16:44
haneefOnly validate16:44
morganfainberghaneef, security through obscurity is not security16:44
bknudsonif I got the token from a log then I've probably got a good idea of what I can do with it.16:45
bknudsone.g., whatever the log says they were trying to do.16:45
morganfainbergbknudson, ++16:45
haneefIt need  not be from log,  -- since our token are  bearer tokens16:45
*** henrynash has joined #openstack-keystone16:46
*** ChanServ sets mode: +v henrynash16:46
haneefI beleive dolph may know this. It was done intentionally16:46
morganfainberghaneef, again, i have a token i got from smewhere, i can just keep doing things until i find something that works. it's not really security.16:46
morganfainberghaneef, bad UX for false sense of security isn't good.16:46
haneefAgreed, But I can validate now and figure out what it can do in a second which I want to avoid16:46
*** henrynash has quit IRC16:47
bknudsonwell, anyone can avoid it just edit your policy.json to disallow.16:47
bknudsonthese policies are actually a little weird... since if I've got the token I can use it on itself.16:48
haneefbknudson: Agree, but in reality many don't do that16:48
morganfainberghaneef, so nothing in a token should be considered sensitive data ever.16:48
morganfainberghaneef, the token id should be considered sensitive16:48
morganfainberghaneef, if we can't make that assertion we are in the wrong. with PKI tokens, you can decode them w/o the keys since ASN1 is just signing. this adds no level of security above obscurity16:49
*** Akshik has quit IRC16:50
ayoungstevemar, so making the blacklist check "is None"  SHOULD BE PART OF THIS PATCH?  yOU SURE IT IS NOT SCOPE CREEP?  i'M WILLING TO DO IT,  but not retype this after realizing my caps lock was on16:51
* ayoung needs to rip caps lock off this keyboard16:51
morganfainbergayoung, linux, can't you just make capslock do nothing?16:52
haneefMy questions was, if some one gets the token, do we want to make it easier  ( even for lay man) to gets token capability . Easier --> as simple as rest call16:52
ayoungTechnically, it would be X, I suspect16:52
ayounghaneef, basic-auth?16:52
ayoungor you talking validation?16:53
*** angular_mike has quit IRC16:53
morganfainbergayoung, he's arguing it is a security risk to let someone self validate their token to get information.16:54
*** openstackgerrit has quit IRC16:54
*** openstackgerrit has joined #openstack-keystone16:54
*** browne has joined #openstack-keystone16:54
bknudsonI'm actually fine with not changing the sample policy to not allow validating a token... I can see haneef's point.16:54
* bknudson sometimes proposes changes to see what others think.16:56
morganfainbergbknudson, eh i think we're focusing on the wrong place here. but i'm not willing to really argue it.16:56
morganfainbergbknudson, just keep in mind we only use -sign for cms, meaning we haven't encrypted anything in PKI tokens.16:56
ayounghaneef, you are probably right.  Let me look16:57
morganfainberghaneef, i think admin only validate wasn't intentional on a security front, i think it was a hold-over from v2.0 where we didn't have a strong policy language fwiw16:58
ayounghaneef, the user can swap one token for another anyway.  All that would happen here is they can validate the token to get the data in it, but a user can do that anyway16:58
*** nellysmitt has joined #openstack-keystone16:58
ayounghaneef, a user can list projects for themself...essential workflow16:58
haneefActually, it was supposed to be admin and service and all services accounts are supposed to have "service" role.   But unfortunately every one used "admin" role, Even our config field names are called "admin tenant" instead of service tenant16:59
ayoungnow...knowin that a token is good for a specific project....hmmm.16:59
ayoungmorganfainberg, actually,  he has a point16:59
ayounga token should never be validatable using itself16:59
bknudsonhaneef: I had a change to change "admin" to "service" in middleware... abandoned it because we've got auth plugins now.16:59
ayoungI would argue that only an unscoped token should be used to validate a users own token16:59
bknudsonwe'd need a special rule for unscoped token.17:00
bknudson(I think)17:00
morganfainbergbknudson, maybe.17:00
*** iamjarvo has joined #openstack-keystone17:01
morganfainbergayoung, why should i not be able to get info about the token? I can already do a ton of things with the token. maybe we should disallow any keystone-operations (all) for non-keystone-service-scoped tokens?17:01
*** iamjarvo has quit IRC17:01
*** wpf has quit IRC17:01
*** henrique_ has quit IRC17:02
*** wpf has joined #openstack-keystone17:02
*** htruta has quit IRC17:02
*** iamjarvo has joined #openstack-keystone17:02
*** iamjarvo has quit IRC17:02
*** htruta has joined #openstack-keystone17:03
*** iamjarvo has joined #openstack-keystone17:03
*** iamjarvo has quit IRC17:04
*** iamjarvo has joined #openstack-keystone17:05
ayoungmorganfainberg, agreed;  unscoped are for keystone only, and only unscoped.17:07
ayoungAnd they are not validatable17:08
morganfainbergayoung, so lets get out of the weeds, we can't do the unscoped only today17:10
morganfainbergayoung, is there any real benefit to not allowing a user to use both x-auth and x-subject tokens being the same. they can aloready do a ton of things with a token17:11
*** gokrokve has quit IRC17:11
ayoungmorganfainberg, Considering how close we are to K3, I consider all design discussions to be about L17:11
morganfainbergayoung, this is a patch that is proposed today.17:11
morganfainbergto let a user self-validate their token17:11
ayoungmorganfainberg, So, lets styart by assuming the token is sniffed17:11
ayoungif it is a scoped token,  keystone should provide no more information to the sniffer17:12
*** zzzeek has quit IRC17:12
ayoungit should be, for all intensive porposes, useless against Keystone17:12
ayoungSo Keystone can't say "here is the project you should try to hack over on glance17:12
ayoungThe problem is that the token carries the information about who the user is.  With only the token, we can give up a lot more information17:13
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table
morganfainbergayoung, i'm going to hurt you because "intensive purposes"17:14
morganfainbergayoung, :P17:14
morganfainbergstupid autocorrect17:14
morganfainbergayoung, i don't think we should ever assume anything in the token should be priviledged info17:14
morganfainbergin fact we've done a remarkably good job of not letting priv. info leak into the token17:16
ayoungmorganfainberg, in a PKI token, there is a lot of data, but in a UUID, there is none.  In Ferent, there is probably a comparable amoput to PKI17:16
*** leonchio_ has joined #openstack-keystone17:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: [WIP]Update inherited role assignments behavior
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id
dstanekdo we still need public_endpoint and admin_endpoint set in config?17:21
dstanekmorganfainberg: dolphm: ^17:21
stevemarayoung, the blacklist check can wait til another patch17:24
ayoungstevemar, k17:24
ayoungstevemar, I'll queu it up behind this one, started doing it a lready17:25
ayoungI think the only test that would break if I did this is mine...17:25
morganfainbergayoung, fernet is actually encrypted17:26
morganfainbergayoung, fernet is opaque like uuid, pki is not17:26
ayoungmorganfainberg, I thought that was optional17:26
morganfainbergayoung, nope, fernet payload is always encrypted17:26
ayoungI thought we were going with HMAC due to size issues17:26
morganfainbergayoung, using fernet means that17:26
morganfainbergayoung, it is HMAC(creation_time, AES(payload)) [roughly]17:26
morganfainbergfernet is HMAC(AES())17:27
morganfainbergwe looked at HMAC only if we were implementing it17:27
morganfainbergbut since fernet gave us both w/o implementing it ourselves, why not?17:27
*** harlowja has joined #openstack-keystone17:28
morganfainbergand size issues seem to be mostly addressed17:28
*** leonchio_ has quit IRC17:30
openstackgerritMerged openstack/python-keystoneclient: Federation Service Providers CRUD operations
*** rushiagr is now known as rushiagr_away17:36
openstackgerritMerged openstack/keystone: Mark the domain config API as experimental
openstackgerritayoung proposed openstack/keystone: Distinguish between unset and empty blac and white lists
morganfainbergayoung, 'blac'!17:37
openstackgerritayoung proposed openstack/keystone: Distinguish between unset and empty black and white lists
ayoungmorganfainberg, was already on it.17:38
*** gokrokve has joined #openstack-keystone17:39
morganfainbergayoung, i like that typo :P17:40
ayoungblac and whyt?17:40
openstackgerritLin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2
*** trey has quit IRC17:43
morganfainbergayoung, hahaha17:43
openstackgerritLin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2
ayoungstevemar, does update_mapping wipe out the old mapping, and replace it with the new one, or does it add the rules?17:44
*** afazekas has quit IRC17:44
ayoungI did delete/create to make sure I wasn't fooling myself17:44
*** trey has joined #openstack-keystone17:45
openstackgerritayoung proposed openstack/keystone: Ignore unknown groups in lists for Federation
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database
stevemarayoung, it wipes out the old mapping17:47
morganfainbergmarekd, ping: i just responded to your question.17:48
morganfainbergmarekd, let me know if you have any other questions.17:48
ayoungstevemar, OK, I'll test it out17:48
*** jistr has quit IRC17:51
*** sigmavirus24 is now known as sigmavirus24_awa17:51
openstackgerritayoung proposed openstack/keystone: Ignore unknown groups in lists for Federation
*** ajayaa has quit IRC17:57
ayoungmorganfainberg, when is cut off for K3 changes?17:57
morganfainbergayoung, thursday is k317:57
morganfainbergso.. gating today17:57
morganfainbergbecause gate is going to be icky17:58
ayoungmorganfainberg, mapping update looks good.  The only change for that BP is to tests.
morganfainbergso, is the #1 priority to review, and whatever else we can trickle in.17:59
morganfainbergayoung, ++ yeah and test expansions can land post k317:59
morganfainbergif needed.17:59
ayoungRemove manager-driver assignment metadata construct  seems almost liek a purely internal work18:00
morganfainbergayoung, reseller is probably going to be our FFE18:00
ayoungI'll review, but if it misses, it can got in post k3, maybe?18:00
*** amerine has joined #openstack-keystone18:01
morganfainbergayoung, remove-role-metadata can probably just land post k3, it looks to be tech-debt paydown18:01
ayoungreseller not on the k3 list18:01
morganfainbergayoung, reseller is not going to be k3.18:01  Fernet18:01
morganfainbergayoung, fernet has 2 outstanding patches, 1: v2.0, 2: use current token tests18:02
morganfainbergthe v2.0 bit is the realllllllly important part to land18:02
ayoungwhat about Federation?  I saw a bug on that18:02
ayoungfernet + federation works?18:02
morganfainbergayoung, the formatter for it is there.18:03
*** amerine has quit IRC18:03
morganfainbergayoung, it looks to work, but i've been holding on some end-to-end because v2.0 is needed as well.18:03
ayoungmorganfainberg, I'm guessing jorge_munoz  has a new patch incipient, but I'll look through what he has there18:04
*** amakarov is now known as amakarov_away18:04
ayoungwould be so much easier with my builder code...oh well18:04
morganfainbergayoung, the v2.0 looks complete based on no more TODOs etc18:05
morganfainbergthe testing is the followup patch which i think is the new patchset if anything jorge_munoz is working on18:05
ayoungI meant converting from 3 to 2 would be easier...18:05
morganfainbergayoung, oh yes it would18:06
morganfainbergayoung, but alas,18:06
ayounga lass a lass is what I lack,  alas a alack I lack a lass alas alack18:06
ayoungor summat like that18:07
*** iamjarvo has quit IRC18:08
openstackgerritSteve Martinelli proposed openstack/keystone: Distinguish between unset and empty black and white lists
stevemarjust a rebase ^18:14
*** rushiagr_away is now known as rushiagr18:17
ayoungmorganfainberg, can you bless:  or explicitly tell me it is too big a change for K3?  I think it i an under-the-threshold type changes18:18
*** iamjarvo has joined #openstack-keystone18:18
morganfainbergayoung, this looks like a bug. meaning it can land either now or later, but more important i'd like marek's +2 on it.18:20
ayoungmorganfainberg, thanks18:20
ayoungI'm fine waiting for Marek so long as it is OK for Kilo18:20
morganfainbergayoung, not a crazy change to land in k3, just want marek bless it.18:20
ayoungFine by me18:20
ayoungmorganfainberg, the follow on one is probably the right approach:  distinguish between bnlacklist = [] and no explicitly set blacklist18:21
* morganfainberg knows enough about the federation to review it... but sometimes it's better to defer to the smart guys who wrote this stuff. (stevemar and marekd being the best matches in this case)18:21
ayoungbut that to me is a behaviro change, and also sometjhing I'd want to test better18:21
*** packet has joined #openstack-keystone18:21
ayoungand..we can work around it18:21
morganfainbergayoung, yeah please test that further18:21
stevemarwho in the what18:22
ayoungMe, in the library, with the lead pipe18:22
ayoungdamnit, I have the library card18:22
stevemarthat's solid evidence18:23
ayoungMust have been in the Billiards room18:23
ayoungClue is one game you can solidly loose without there being an obvious winner18:23
stevemarmorganfainberg, yeah i'm not sure what the protocol is for a change in behaviour18:24
stevemarayoung, i really want this in, rather than make a deployer define blacklist = ['made up group']18:24
ayoungstevemar, really it should be whitelist='*'18:25
stevemaryeah, i'm meh on that18:25
morganfainbergayoung, it's far more amusing when you mess clue up and end up with soemthing like: the lead pipe, with the candlestick in the study18:25
stevemarits the `group not found` issue18:25
morganfainbergayoung, oh look, no murder happened in this game.18:26
ayoungmorganfainberg, maybe in that Castle from Disney's version of Beauty and the Beast.  That Candlestick with the Lead pipe actually would make more sense.  I'd argue it was likely, and he even had the motive.  That clock had it coming.18:27
morganfainbergayoung, or "mr. green with ms. scarlet in the lounge" hey wait... that isn't a murder.18:28
ayoungThe Adult version of Clue?18:28
morganfainbergayoung, must be18:28
ayoungIt was Col Musteard with Mr. Gree ..."Hey, don't ask don't tell!"18:28
morganfainbergayoung, i think i'd still go with "hey that isn't a murder"18:29
ayoungTechnically, it is not even a crime in today's Army.18:29
morganfainbergthere we go.18:30
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database
openstackgerritBrant Knudson proposed openstack/keystone: Create a fixture for key repository
stevemarevery project needs a bknudson of their own18:44
stevemaror maybe  bknudson can work on cleaning up every project18:44
openstackgerritMatthew Edmonds proposed openstack/keystonemiddleware: v3 to v2 catalog conversion missing id
*** afazekas has joined #openstack-keystone18:57
*** sigmavirus24_awa is now known as sigmavirus2419:04
*** samueldmq has joined #openstack-keystone19:05
*** iamjarvo has quit IRC19:08
*** atiwari has quit IRC19:12
*** afazekas has quit IRC19:13
openstackgerritayoung proposed openstack/keystone-specs: Policy rules mangaged from a database
openstackgerritayoung proposed openstack/keystone-specs: Policy rules mangaged from a database
openstackgerritayoung proposed openstack/keystone-specs: Policy rules managed from a database
*** afazekas has joined #openstack-keystone19:21
*** ayoung has quit IRC19:29
*** afazekas has quit IRC19:30
*** iamjarvo has joined #openstack-keystone19:30
*** jimbaker has joined #openstack-keystone19:33
dolphmlbragstad: so, it looks like a bunch of changes to auth_token (to use plugins) caused my v3 credentials to be passed to v219:35
dolphmlbragstad: even though i was explicitly setting api_version to 319:35
lbragstaddolphm: really?19:36
lbragstaddolphm: do you have it narrowed down to a commit?19:37
dolphmlbragstad: anyway, switching to auth_plugin = password, etc, eliminated the 501's19:37
*** packet has quit IRC19:37
dolphmlbragstad: now i'm getting 401's on the same tests, without 501's to blame19:37
dolphmlbragstad: also, the unscoped test passed once, and is now failing...19:37
lbragstaddolphm: logs?19:38
lbragstadecho logs?19:38
lbragstader, echo *service* logs19:38
dolphmlbragstad: i'm getting a Could not find project: {id} in echo's error logs19:38
lbragstaddolphm: from AuthProtocol?19:40
dolphmlbragstad: yes, which is logging teh response body from keystone19:40
lbragstaddolphm: ok, so it is getting to the online validation part19:41
dolphmlbragstad: yes, and getting a 404 in response19:41
lbragstaddolphm: what did you use to set it up?19:41
*** rushiagr is now known as rushiagr_away19:42
lbragstaddolphm: I can't remember if keystone-deploy sets stuff up19:42
dolphmlbragstad: [16/Mar/2015:19:41:58 +0000] "GET /v3/auth/tokens HTTP/1.1" 404 341 "-" "python-keystoneclient"19:42
dolphmlbragstad: keystone-deploy fernet-tokens19:42
dolphmlbragstad: with this patch
*** packet has joined #openstack-keystone19:43
dolphmlbragstad: the first bit is not relevant19:43
dolphmof the diff19:43
lbragstaddolphm: ok, makes sense. I have it pulled down locally19:43
lbragstaddolphm: I think my old keystone-deploy vagrant was in a bad state, so I'm rebuilding it19:44
*** Akshik has joined #openstack-keystone19:46
lbragstaddolphm:  you ever get this?
*** uvirtbot has quit IRC19:50
stevemarmorganfainberg, your input is required for the abfab bp19:53
morganfainbergstevemar: on what part?19:54
stevemarmorganfainberg, if it's going in kilo or not...19:54
morganfainbergIf it is doc only it can land anytime.19:54
*** nellysmitt has quit IRC19:54
stevemarmorganfainberg, that's what the claim is19:54
stevemarits only a config issue19:55
morganfainbergAnd I'd say yes, but post k3.19:55
morganfainbergIf it is doc only. :)19:55
morganfainbergCause the gate is going to be rough till k3 at this point.19:55
stevemarmorganfainberg, thats the problem, we don't know if it's doc only; thats whats being claimed19:55
morganfainbergSo we go with "doc only = yes, if it works" otherwise liberty.19:56
morganfainbergVery simple. We can revert the docs prior to rc if needed if it is more than docs.19:56
morganfainbergBut it won't go in if t is more than docs due to timing19:56
dolphmlbragstad: oh, yes19:57
dolphmlbragstad: ansible-galaxy install -r ansible-requirements.txt19:57
*** afazekas has joined #openstack-keystone19:57
dolphmlbragstad: i stopped testing with vagrant, but that's in the README now ^19:57
dolphmlbragstad: that should be a pre-req to 'vagrant up' now19:57
lbragstaddolphm: do you have to sudo that?19:58
*** r-daneel has joined #openstack-keystone19:58
lbragstadI'm assuming so?19:58
dolphmlbragstad: you *can*, but instead ...19:58
stevemarmorganfainberg, okay, the uKent folks have a patch up for config docs, i think it's good to go, but i haven't verified the steps19:58
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy to allow user to revoke own token
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy to allow user to check own token
dolphmlbragstad: add --roles-path=playbooks/roles/19:58
dolphmlbragstad: so it installs the new role locally to the project, instead of system-wide19:59
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support
dolphmlbragstad: just updated all branches on keystone-deploy with more robust tests20:01
lbragstaddolphm: cool, is add an ansible command?20:01
lbragstadi'm dumb20:01
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support
lbragstadit's monday20:01
dolphmlbragstad: D) all of the above20:02
dolphmlbragstad: new tests are running on non-master branches now ^20:02
lbragstaddolphm: nice20:02
dolphmlbragstad: the best part is that v3-only is passing with auth_plugin support (thanks jamielennox!!)20:03
*** timcline has quit IRC20:04
*** rushiagr_away is now known as rushiagr20:07
*** tsufiev is now known as tsufiev_20:10
*** afazekas has quit IRC20:15
*** afazekas has joined #openstack-keystone20:16
*** timcline has joined #openstack-keystone20:18
brownebknudson, stevemar: I'm here (Eric Brown)20:18
bknudsonbrowne: we were all excited about the cryptography patch.20:19
brownebknudson: thanks!  I like to do more of the same work all over where exec of openssl command line is used.  Only issue is that it gets much harder with some of the commands because the cryptography lib doesn't have as many convenient functions.20:21
bknudsonopenssl has too many options.20:22
*** afazekas has quit IRC20:23
openstackgerritLin Hua Cheng proposed openstack/keystone: WIP - Validate user exist when assigning roles in V2
dolphmlbragstad: pkiz-tokens branch just failed the same way fernet is -- i'm thinking something might be wrong with auth_token20:25
*** gokrokve has quit IRC20:27
*** gokrokve has joined #openstack-keystone20:27
*** rushiagr is now known as rushiagr_away20:27
dolphmlbragstad: PKI, PKIZ & fernet all failing with 401's20:28
lbragstaddolphm: yeah, I'm getting the same thing20:29
lbragstaddolphm: I get one to pass20:29
dolphmlbragstad: exactly20:29
*** Akshik has quit IRC20:30
lbragstaddolphm: I'm not seeing the 404s though20:33
*** afazekas has joined #openstack-keystone20:38
dolphmlbragstad: for projects?20:38
lbragstaddolphm: right20:38
*** lhcheng is now known as lhcheng_afk20:41
stevemarbrowne, ah, the ol' lastname first irc handle20:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** thedodd has quit IRC20:44
stevemarbrowne, nice to have you helping us out :) great job reviewing and pushing new code20:44
morganfainbergsamueldmq, btw, what you sent me in a direct message on IRC regarding those tests - feel free to add yourself as co-author and push those changes up20:45
dolphmlbragstad: (i'm trying to repro again, i've been messing with other branches)20:47
*** afazekas has quit IRC20:47
lbragstaddolphm: I can consistently get 3 failures (project-scoped, domain-scoped, and unscoped-token test)20:47
brownestevemar: thanks, no problem20:48
*** afazekas has joined #openstack-keystone20:49
*** packet has quit IRC20:50
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
morganfainberglbragstad, for all forms of token?20:50
lbragstadmorganfainberg: I've been testing strictly keystone-deploy against fernet, but dolphm's been able to recreate with everything except uuid20:51
lbragstadI think20:51
* morganfainberg goes back to reviewing v2.0 for fernet.20:51
lbragstadmorganfainberg: ++20:52
morganfainbergfwiw, it looks pretty damn good.20:52
lbragstadmorganfainberg: agreed, I like the test20:52
morganfainbergi need to actually compare the v2 output(s) so... but otherwise i'm not seeing anything crazy20:52
dolphmlbragstad: in /var/log/apache2/echo.error.log: [Mon Mar 16 20:50:02 2015] [error] WARNING:keystonemiddleware.auth_token:Identity response: {"error": {"message": "Could not find project: 76fd9194a52c4d9ba3592fa2d08f838b", "code": 404, "title": "Not Found"}}20:52
dolphmlbragstad: and then running tests again, i get even more 404's20:54
jamielennoxbknudson: what tests do you think are required for , it's purely a split of a file into a module20:54
dolphmlbragstad: something about the tests is passing when auth_token first starts up, and then failing later on20:54
bknudsonjamielennox: it's creating new public symbols, so have a test that asserts that those symbols are there.20:54
bknudsonso that we don't lose them and break everybody20:55
*** thedodd has joined #openstack-keystone20:55
jamielennoxbknudson: ok, will re-look - i didn't think i added anything new in that20:55
bknudsonI can do keystoneclient.auth.identity.v3.password.PasswordMethod now?20:56
jamielennoxbknudson: that was always available20:56
bknudsonpassword is a new module?20:57
lbragstaddolphm: strange... I get failures, but i can't seem to find 404s20:57
jamielennoxoh, right - ksc.auth.identity.v3.PasswordMethod was always available and still is, but you want to test the new locations as well20:57
bknudsonright, if they're public20:57
bknudsonor keep them private20:58
*** harlowja is now known as harlowja_away20:58
*** packet has joined #openstack-keystone21:00
*** sigmavirus24 is now known as sigmavirus24_awa21:00
morganfainbergdolphm, caching21:02
morganfainbergdolphm, in ATM21:02
morganfainbergdolphm, set cache time to 021:02
morganfainbergdolphm, does it start behaving more consistently21:03
dolphmmorganfainberg: let me try21:04
dolphmlbragstad: ignore the random spaces inserted in there21:05
dolphmlbragstad: line wrapping gone awry21:05
* lbragstad shakes head 21:05
dolphmlbragstad: (those look totally fine to me, just sharing in case you spot something)21:05
lbragstaddolphm: those look fine21:05
openstackgerritHenrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains
samueldmqmorganfainberg, k will do in a few hours (the tests)21:06
lbragstaddolphm: you got those directly from keystone-deploy's keystone?21:06
dolphmlbragstad: yes21:06
samueldmqmorganfainberg, I wasn't sure you would like to work on that by yourself :)21:06
samueldmqmorganfainberg, thnaks21:06
dolphmlbragstad: like this
*** htruta has quit IRC21:06
*** iamjarvo has quit IRC21:06
jamielennoxbknudson, morganfainberg: any opinion on ?21:08
openstackLaunchpad bug 1425345 in python-keystoneclient "Can't load auth_plugin by full-class-name of plugin class" [Wishlist,In progress] - Assigned to Yuki Nishiwaki (uckey-1067)21:09
lbragstadmorganfainberg: I don't get any behavior difference setting token_cache_time = 021:09
lbragstaddolphm: ^21:09
bknudsonjamielennox: I assumed you needed the qualified class name?21:09
bknudsonhow does it find it if it's not qualified?21:09
*** ayoung has joined #openstack-keystone21:09
*** ChanServ sets mode: +v ayoung21:09
jamielennoxbknudson: it uses entry points21:09
jamielennoxit all loads via stevedore21:09
bknudsonjamielennox: is that a bug in stevedore then?21:10
jamielennoxI'm not sure why you would want to use keystoneclient.auth.identity.generic.Password instead of just password21:10
jamielennoxbknudson: no, he's wanting to specify full class names in config for like auth_plugin =  keystoneclient.auth.identity.generic.Password21:10
bknudsonright, why doesn't stevedore support that?21:10
jamielennoxstevedore has always been about endpoints, i don't think it falls back to full classnames21:11
dolphmlbragstad: only with a new deployment do i see 2 tests fail; with subsequent test runs, 3 tests always fail21:11
jamielennoxs/endpoints/entry points21:11
lbragstaddolphm: hmm, that does sound like a cache problem21:11
bknudsonstevedore should use the service catalog!21:11
jamielennoxlol, leads to catalog bloat21:12
bknudsonjamielennox: I think we're using stevedore correctly, so if they want that support add it to stevedore.21:12
*** tellesnobrega has quit IRC21:13
jamielennoxi'm pretty sure stevedore won't take it, it's not really its job - i'm just not sure if i have good reason to say no besides why would i want that?21:13
jamielennoxand 'being done in neutron' is not a great reason21:13
bknudsonjamielennox: I don't want to see us copy-paste code from neutron.21:14
dolphmlbragstad: added a sort-of negative test btw
lbragstaddolphm: you mean test_unauthorized_request21:15
*** ljfisher has quit IRC21:16
bknudsonwe should use stevedore to load all our backends.21:16
*** lhcheng_afk is now known as lhcheng21:16
*** afazekas has quit IRC21:16
*** browne has quit IRC21:16
*** radez is now known as radez_g0n321:16
*** tellesnobrega has joined #openstack-keystone21:18
bknudsonjamielennox: I asked in -oslo... this is more of a question for stevedore, I think.21:18
*** iamjarvo has joined #openstack-keystone21:20
*** iamjarvo has quit IRC21:21
*** iamjarvo has joined #openstack-keystone21:21
*** browne has joined #openstack-keystone21:22
*** browne has quit IRC21:23
*** afazekas has joined #openstack-keystone21:23
*** packet has quit IRC21:27
openstackgerritJames Page proposed openstack/keystone: Deal with PEP-0476 certificate chaining checking
*** browne has joined #openstack-keystone21:28
*** afazekas has quit IRC21:29
bknudsonjamielennox: weren't we going to provide auth plugins in different repos? (e.g., federation)21:31
jamielennoxbknudson: that was and generally still is the plan21:32
jamielennoxbknudson: issue is that federation is a really broad term that kind of just means 'use the mapping' which is useful for x509 and kerberos and other things as well21:32
jamielennoxbknudson: so we killed ksc-federation, am going to add a base plugin in ksc, and then we can pull out ksc-saml2 specifically21:32
bknudsonjamielennox: so turns out you can have [entry_points]  in the other repo's setup.cfg...21:33
jamielennoxbknudson: yep21:33
*** mattfarina has quit IRC21:33
jamielennoxbknudson: kind of the point of entry points, let these plugins be named but exist out of tree21:34
bknudsonso you'd have keystoneclient.auth.plugin =21:34
bknudsonmyplugin = myplugin:MyPlugin21:34
bknudsonor whatever21:34
jamielennoxi don't believe OSC should be doing this but they are and it works21:34
bknudsony, no need to register plugins when you can change the code...21:35
*** iamjarvo has quit IRC21:35
bknudsonif these are so great put them in keystoneclient.21:35
jamielennoxright, OSC is exporting things into the public pool - and particularly token_endpoint i wanted to export that from ksc - cause there's is specific to OSC use case21:35
jamielennoxbut particularly for -kerberos and such we will do thta21:36
bknudsonshould have called it keystoneclient_kerberos.v3 rather than v3kerberos, then can have best of both worlds.21:37
bknudsonor keystoneclient_kerberos.v3.Kerberos ?21:38
jamielennoxso that's what that bug wanted, the full path to the class21:38
jamielennoxbut the case for stevedore should always be when you don't know what class will be used21:39
bknudsonit's neutron that should get rid of their crappy workaround code... apparently it's just there for backwards-compat.21:39
jamielennoxif you are ever in your code writing stevedore.load('password') (not real code) you are wrong because you already know what plugin you want and the path to it21:39
jamielennoxit's really for the case of people using --os-auth-plugin password or auth_plugin = password in CONF that we want these short names21:40
bknudsonwe could have the long names, too.21:40
jamielennoxbknudson: well we still have that in keystone, you have to specify all the backends by full class name, hopefully we will move that to stevedore entry points one day21:40
jamielennoxbackend = ldap  # yay!21:40
morganfainbergjamielennox, sooner [think liberty]21:41
bknudsonnow that I have some understanding how it works I'll dig up that old review.21:41
morganfainbergjamielennox, but it'll need to support old-style loading21:41
morganfainbergjamielennox, as well21:41
bknudsonI didn't trust it.21:41
morganfainbergjamielennox, maybe the answer is new options and deprecate the old options21:41
morganfainbergjamielennox, /me hasn't thought about it much21:41
jamielennoxmorganfainberg: the way i've seen it done in others is to specify the full class name as an entrypoing21:42
morganfainbergoh hm.21:42
morganfainbergexcept we have people using custom drivers21:42
jamielennox[entry_points] keystone.x.y.z = keystone.x.y.z21:42
morganfainbergwhich would massively break21:42
bknudsonthey can provide their own entry_points.21:42
jamielennoxsure - it's easy to do a fallback, but we expect them to need to do some work between cycles21:42
jamielennoxthat's what neutron is doing with the fallback and why i'm not wanting to copy it21:42
morganfainbergjamielennox, yeah i've not thought too much about the best experience for changing it over21:42
morganfainbergjamielennox, entry points might be sufficient21:43
jamielennoxi looked at it a while ago, i can't remember there was something that prevented me from doing the stevedore rewrite21:43
jamielennoxi'm guessing it was all the dependency loading stuff21:43
morganfainbergthe other option is to do stevedore load, if it fails try old load warn if that succeeds, then re-raise exception if it still failed21:44
*** browne_ has joined #openstack-keystone21:44
*** browne_ has quit IRC21:44
ayoungjamielennox, So...I suspect SOA will evolve like this:  It will know about how to create plugins, and create them based on the stevedore plugin name passed from horizon.  It will always do federation, and we make the existing authentication mechanism be a subset of Federation21:44
*** browne1 has joined #openstack-keystone21:44
*** browne1 has quit IRC21:44
bknudsonmorganfainberg: that's what neutron does.21:45
morganfainbergbknudson, then thats prob. what we should do.21:45
bknudsonas long as it's deprecated.21:45
morganfainbergbknudson, cool.21:45
morganfainbergbknudson, ++ i don't want to keep loading w/ old import logic.21:45
morganfainbergbknudson, i expect this to be a 1 cycle deprecation.21:46
jamielennoxayoung: you referring to my -dev email?21:46
ayoungjamielennox, nah, just the comments above.  Let me see the mail...21:46
*** topol has quit IRC21:47
*** browne_ has joined #openstack-keystone21:47
*** sigmavirus24_awa is now known as sigmavirus2421:47
jamielennoxayoung: i wrote two reviews for DOA, the one i had originally which was creating DOA specific plugins, one where i subclassed DOA and made a kerberos specific django auth backend and used the django loading21:47
ayoungjamielennox, I was actually referring to our earlier exchange about kerberos using  standard mechinsm, and you saying "use Federation" though21:47
ayounglet me seee....21:47
jamielennoxi put a mail on the list but i wont be able to make the meeting21:47
*** browne has quit IRC21:47
ayoungjamielennox, that was the reusable...21:48
lbragstaddolphm: I'm running out of ideas. I generated tokens from Keystone and again, they look fine.21:48
morganfainberglbragstad, if you validate the token yourself, what do you get?21:49
lbragstadmorganfainberg: checking21:49
morganfainberglbragstad, and is the system somewherre i could poke at it? i can set it up myself, but i don't have working vagrant atm.21:49
morganfainbergso it'd be more time to replicate the environment21:50
jamielennoxalso stevemar, lhcheng david-lyle ^21:50
*** zzzeek has joined #openstack-keystone21:50
david-lylejamielennox: so originally backend was the pluggable part, but it's evolved to be less clean21:51
david-lyleerr, very dirty21:51
jamielennoxdavid-lyle: yea, there is a pretty tight coupling between DOA and dashboard21:51
jamielennoxalso we can do this in #horizon if you like21:51
david-lylepersonally I don't see much benefit to having a separate project any longer21:52
david-lyleit wasn't really written in a reusable way21:52
david-lyleunless you want a django UI for openstack that is backed by keystone21:53
david-lylevery broad21:53
jamielennoxdavid-lyle: well what i'd like is to not see DOA start having dependencies on kerberos and SSO libs21:53
jamielennoxand to not have those things in the regular DOA library21:54
david-lylebut I'm probably not reintegrating DOA into horizon very soon21:54
david-lyleyes, as we discussed before I would like to have some form of plugin mechanism21:55
jamielennoxdavid-lyle: so i did two forms of plugins that i mentioned in the email, and two horizon patches that i think are required regardless21:56
jamielennoxdavid-lyle: the subclass DOA feels a little bit cleaner - but i really struggle to say why other than it's reusing Django concepts21:57
jamielennoxi guess it seems like it'll be easier to extend, for example i can see the k2k patch is already adding data to the User model but you could make that a public function either way..21:59
*** timcline has quit IRC22:00
lbragstadmorganfainberg: I'll see if I can get one setup22:00
morganfainberglbragstad, no problem if it's a lot of work22:01
morganfainbergi can just spin up some stuff here locally. just will take longer22:01
morganfainbergif the vm was already just out there i'd have just said "oh let me jump on it"22:01
*** iamjarvo has joined #openstack-keystone22:10
*** harlowja_away is now known as harlowja22:11
ayoungjamielennox, so, no responses to that22:12
*** gordc has quit IRC22:12
*** stevemar has quit IRC22:13
jamielennoxayoung: i'll be honest i think there's like 3 people who know anything about this on the horizon team22:14
ayoungjamielennox, it would be nice if we could take this out of DOA.  Ir really feels like that should be split22:14
jamielennoxdavid-lyle, lhcheng, and doug-fish, and stevemar is poking around for sso as well22:14
ayoungthere is some UX portion that should be DOA, and some library portion that should not be Django specific at all22:15
ayoungTBH, I would think the authentication should be done by Apache.  Which means mod_keystone might not be such a terrible idea after all22:15
david-lylevery little of DOA is authentication22:16
morganfainbergayoung, staying out of this conversation due to trauma due to bucketbridgade code in apache mods from a past job.22:16
david-lyleif we want to pull that out, I don't care22:16
*** browne_ has quit IRC22:16
ayoungdavid-lyle, I know.  And that is the part we want to be able to swap out22:16
david-lylebut most of that just builds on django provide22:16
ayoungdavid-lyle, so if an org wants to use Kerberso or SAML, Horizon will need to be fronted by the appropriate apache module anyway22:17
*** browne has joined #openstack-keystone22:18
*** mattfarina has joined #openstack-keystone22:18
david-lylejamielennox: in all honestly I try to stay off the mailing list as much as possible. I read all of it, but prefer to have more real time conversations22:18
*** mattfarina has quit IRC22:18
david-lyleayoung: sure, and once we expanded beyond simple credential auth, I think we've left the scope of DOA22:18
jamielennoxdavid-lyle: no problem, i just wanted to make sure it got some attention and i could point at it rather than explain it to everyone22:18
jamielennoxayoung: the problem is the amount of stuff that DOA sets up on the request22:19
david-lylejamielennox: session?22:19
jamielennoxthat 'contract' seems to have been established very hap hazard22:19
jamielennoxdavid-lyle: probably - i don't know my django terms22:19
ayoungsession is standard web thing.  It is a secure cookie that maps to the data passed back and forth on each request22:20
david-lylejust trying to clarify22:20
david-lylerequest to keystone vs session data22:21
*** bknudson has quit IRC22:22
jamielennoxok, so on session it's not too bad, the UserModel is a bit big, but i don't want to maintain compatibility with all the recent_project stuff, just have it in one place22:23
david-lylejamielennox: I would say I hope to move that to the client side, but I have too much django content left22:24
david-lylebut yes, the session data is too large22:25
jamielennoxdavid-lyle: i won't be able to make the horizon meeting, if you could just make people aware of the email i can make either scheme work22:26
jamielennoxi don't see that we'll honestly have that many auth mechanisms anyway22:26
jamielennoxif we have a decision i can work on getting it ready before landing the SSO patches22:27
david-lyleI'd prefer that, because the SSO patches are a bit of a hack22:29
david-lylelet me dig a little more22:31
david-lylebut, I'm happy to raise it in the horizon meeting22:31
jamielennoxdavid-lyle: cheers22:32
david-lyleand thanks for raising the issue22:32
openstackgerritMerged openstack/keystone: Make the default cache time more explicit in code
*** dims has quit IRC22:43
*** sigmavirus24 is now known as sigmavirus24_awa22:43
*** dims has joined #openstack-keystone22:46
openstackgerritMerged openstack/keystone: Address nits for default cache time more explicit
*** dims has quit IRC22:47
*** dims has joined #openstack-keystone22:47
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract BaseAuth out of Auth Plugin
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add a FederatedBase v3 plugin
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Split v3 authentication file into module
*** chrisshattuck has quit IRC23:00
*** iamjarvo has quit IRC23:07
*** jaosorior has quit IRC23:12
*** samueldmq_ has joined #openstack-keystone23:13
*** thedodd has quit IRC23:14
*** gyee has quit IRC23:16
*** dims has quit IRC23:18
*** dims has joined #openstack-keystone23:18
*** r-daneel has quit IRC23:19
openstackgerritMorgan Fainberg proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens
morganfainbergdstanek, ^ addressed your comments.23:22
*** lnr has joined #openstack-keystone23:32
*** lnr has left #openstack-keystone23:32
*** atiwari has joined #openstack-keystone23:33
morganfainberglbragstad, just commented here23:37
morganfainberglbragstad, please keep the scope super small here. i'd like to see that gating today if at all possible.23:38
*** r-daneel has joined #openstack-keystone23:42
*** r-daneel has quit IRC23:47
atiwariall, I am trying to setup a custom auth middleware as per instruction given in seem it is not triggering. any idea?23:48
atiwarithanks for the help in advance23:48
*** gokrokve has quit IRC23:49
*** henrynash has joined #openstack-keystone23:54
*** ChanServ sets mode: +v henrynash23:54
morganfainbergatiwari, you're writing your own middleware or you're trying to use external auth?23:54
atiwariI am writing my own23:54
atiwarimorganfainberg, ^23:54
morganfainbergatiwari, did you add it to the paste pipeline for the service it is protecting?23:54
*** bknudson has joined #openstack-keystone23:55
*** ChanServ sets mode: +v bknudson23:55
morganfainbergatiwari, i think it needs a __call__ function23:55
morganfainbergatiwari, s/function/method23:55
morganfainbergatiwari, what behavior are you seeing?23:55
morganfainbergatiwari, not trggering at all?23:56
atiwari1 sec23:56
morganfainbergatiwari, is it after the normal auth_token middleware? and is the normal auth_token rejeciting. because a reject anywhere in the pipeline beforee your filter will cause it to fail23:56
morganfainbergalso your new filter needs to be in the pipeline where the normal auth_token is, remember requests go through the filters serially23:57
atiwarimorganfainberg, yes it is after that23:57
atiwarias per the link I am adding it after "url_normalize token_auth admin_token_auth json_body"23:58
atiwariis that not correct?23:58
morganfainbergoh this is for keystone not to replace auth_token middleware23:58
atiwari is the link23:58

Generated by 2.14.0 by Marius Gedminas - find it at!