Saturday, 2015-03-28

lhchengrodrigods: it does have 'OS-FEDERATION' in the user object. I'll submit a patch to expose that in AccessInfo too00:04
*** henrynash has joined #openstack-keystone00:08
*** ChanServ sets mode: +v henrynash00:08
*** r-daneel has quit IRC00:09
*** gokrokve has quit IRC00:12
*** browne has quit IRC00:13
*** _cjones_ has joined #openstack-keystone00:18
*** timcline has quit IRC00:35
*** openstackgerrit has quit IRC00:35
*** openstackgerrit has joined #openstack-keystone00:35
*** zzzeek has quit IRC00:36
openstackgerritBrant Knudson proposed openstack/keystone: Document policy target for operation
*** jeffDeville has joined #openstack-keystone00:58
*** jeffDeville has quit IRC00:59
*** spandhe has quit IRC01:04
*** dimsum__ has joined #openstack-keystone01:16
*** henrynash has quit IRC01:16
*** markvoelker has joined #openstack-keystone01:19
*** _cjones_ has quit IRC01:21
*** markvoelker has quit IRC01:24
*** _cjones_ has joined #openstack-keystone01:26
*** henrynash has joined #openstack-keystone01:31
*** ChanServ sets mode: +v henrynash01:31
lhchengmorganfainberg: ping01:37
*** openstack has joined #openstack-keystone01:38
*** henrynash has quit IRC01:47
openstackgerritBrant Knudson proposed openstack/keystone: Document policy target for operation
*** _cjones_ has quit IRC01:54
*** rwsu has quit IRC02:01
*** erkules_ has joined #openstack-keystone02:09
*** jamielennox|away is now known as jamielennox02:11
*** erkules has quit IRC02:11
*** bknudson has quit IRC02:13
*** markvoelker has joined #openstack-keystone02:20
*** dimsum__ has quit IRC02:21
*** markvoelker has quit IRC02:24
*** browne has joined #openstack-keystone02:32
*** sigmavirus24 is now known as sigmavirus24_awa02:54
*** mhu has quit IRC03:04
*** mhu has joined #openstack-keystone03:06
*** browne has quit IRC03:08
*** browne has joined #openstack-keystone03:12
*** markvoelker has joined #openstack-keystone03:20
*** tqtran has quit IRC03:21
*** markvoelker has quit IRC03:25
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Expose audit_id via AccessInfo
*** ljfisher has joined #openstack-keystone03:45
morganfainberglhcheng, ping03:45
morganfainberglhcheng, erm pong03:45
lhchengmorganfainberg: question on usage of unscoped federated token03:49
morganfainberglhcheng: sure03:50
lhchengso I can use the  unscoped federated token to get the project list by using federation project list api03:50
lhchengthat works03:50
lhchengthen from the list of projects, I can scoped to a particular project using  unscoped federated token03:51
morganfainbergstandard workflow03:51
lhchengnow I have the project scoped token03:51
lhchengcan I used the project scoped token to list the user project?03:52
morganfainberglhcheng, to list all projects the user has? or to get project info?03:53
lhchengI suppose I need to use the unscoped federated token and call federation project list api if I need that.03:53
lhchengto list all projects user has03:53
morganfainberguser has access to that is?03:53
morganfainbergshould work the same, currently both scoped and unscoped tokens work that way03:54
lhchengso I should be able the project scoped token to call the normal list user project api  (not federation project list api)03:55
morganfainberglong term we want to make it so unscoped tokens are more of a "keystone scope" so you can do things like rescope a token, list projects, etc. and scoped tokens only work for their scope not the "unscoped"/session workflow03:55
morganfainberglhcheng, as far as i know, these should act as normal tokens03:55
morganfainbergthere may be some "assert user exists" checks that need to be fixed, but those would be oversights03:56
lhchengmorganfainberg: ++ that would clearer separation between the usage of the token03:58
morganfainberglhcheng, that is a long term goal03:58
* morganfainberg is getting sooooo tired of "flash out of date"03:59
lhchengmorganfainberg: bad news..  using the project scoped token to call the normal list user project api a user not found error04:01
morganfainberglhcheng, told you it was likely going to need to avoid an assert user exists04:01
lhchengmorganfainberg: going to submit a patch to remove that, going to nag you guys about that.04:02
morganfainberglhcheng, you should only remove that for federated tokens04:02
morganfainbergbasically i'd like to see a lot of OS-FEDERATION that duplicates main API functions just work with the main API04:02
lhchengmorganfainberg: trying to get the websso patch in horizon for RC04:03
morganfainberglhcheng, right.04:03
morganfainbergso we special case the assert user exists for federation. we know the user exists or we wouldn't have gotten a token04:03
morganfainbergactually wait04:03
morganfainbergthe issue is you need to know based on groups04:03
morganfainbergnot on the user_id04:03
morganfainbergthis might be a bit of a rabbit hole04:04
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Use UUID values in v3 test fixtures
lhchengmorganfainberg: hmm that'll be tricky04:08
lhchengmorganfainberg: even for groups, there is no indicator if that group is for federation. Is the somewhere in  group assignment?04:09
morganfainberglhcheng, no you need to act on the auth04:10
morganfainbergin that case04:10
*** mhu has quit IRC04:10
*** mhu has joined #openstack-keystone04:14
lhchengthe code for list user project is doing a lot, checking for role/group assignment. I suspect I have to remove the user assert check in more than one places :,(04:16
lhchengmorganfainberg: I'll dig into this04:17
lhchengthanks for confirming about "project scoped token to call the normal list user project api"04:17
morganfainberglhcheng, this may be a case where merging this functionality is a lot of work which is why it's in OS-FEDERATION at the moment04:18
lhchengwas already in the processing of adding a workaround in horizon to keep a separate call for list user project04:18
morganfainberglike i said, i'd like to see duplicated API functionality from what was originally an extension make it's way into the proper API04:18
morganfainberglhcheng, assume you wont land the change in Kilo to make this work with the normal APIs04:18
morganfainbergwork arounds until we can streamline in Liberty are just fine.04:19
lhchengmorganfainberg: not so excited putting a hack in horizon, we already have so many04:19
lhchengone more wouldn't hurt :P04:20
morganfainberglhcheng, unfortunately reworking APIs in Kilo for keystone is a tough sell right now04:20
morganfainbergwe are at FFE04:20
morganfainbergand WebSSO is not a FFE04:20
lhchengmorganfainberg: understood04:20
lhchengyeah, the WebSSO in keystone got in before FF04:20
morganfainbergadn i'm telling you now, I'm nixing any more FFEs04:21
morganfainbergnot even going to bring it up to release mgmnt group04:21
morganfainbergwe're at bug fix time.04:21
*** markvoelker has joined #openstack-keystone04:21
morganfainbergand getting RC smoothed out04:21
lhchengmorganfainberg: but isn't this a bug fix? :P since it is expected to work04:22
morganfainbergif it requires massive reworking of APIs and there is an alternative we can use for now04:22
morganfainbergyes but liberty04:22
lhchengmorganfainberg: gotcha04:23
lhchengI'll dig around for a bit to see how much work is needed04:23
morganfainbergsounds good04:24
morganfainbergremember, build the basic technology then improve it.04:24
lhchengmorganfainberg: gotcha04:24
morganfainberglhcheng, tht is also why we have the "expirimental" stuff now04:25
lhchengtime for late dinner04:25
morganfainbergi should also dinner later04:25
morganfainbergbut i was stupidly tired and took a nap at 5pm04:25
morganfainbergjust woke back up04:25
lhchengoh uh04:25
morganfainbergnah, was good04:25
morganfainbergwell just woke up = 1.5 hrs ago04:26
morganfainbergso 2.5hr nap04:26
morganfainbergmade up for the ~4hrs sleep i got last night04:26
morganfainbergfeeling pretty good.04:26
morganfainbergmore relaxed :)04:26
*** markvoelker has quit IRC04:26
lhchengnot that long, you should still be able to sleep later04:26
lhchengthat's more of a catch-up nap04:26
*** ljfisher has quit IRC04:27
lhcheng0 balance now, you can sleep normally later04:27
lhchengalright later, have a good dinner04:29
openstackgerritMerged openstack/keystone: Change the way values are migrated for 007_add_remote_id_table
*** _cjones_ has joined #openstack-keystone04:55
*** rushiagr_away is now known as rushiagr04:57
*** _cjones_ has quit IRC04:59
*** browne has quit IRC05:21
*** markvoelker has joined #openstack-keystone05:22
*** markvoelker has quit IRC05:26
*** stevemar has joined #openstack-keystone05:32
*** ChanServ sets mode: +v stevemar05:32
morganfainbergstevemar: I think we are down to ~two feature patches for ffes05:39
morganfainbergAnd most bugs are in-progress05:40
stevemarmorganfainberg, btw - you and gyee approved the ECP patches, but they depend on
stevemarjust a minor change to keystone-specs05:42
morganfainbergCrap thought that merged.05:43
stevemarmorganfainberg, the new routes was merged05:43
stevemarbut not the change to the relay state prefix05:43
morganfainbergYou +1 on gyee's changes?05:44
morganfainbergLooks like we still have ss:temp: in some places.05:45
stevemarmorganfainberg, ss:temp: was for the update case05:46
stevemargyee just wanted to make sure there was a second colon at the end05:47
stevemarwe might have to bug gyee to +2 it05:50
stevemarmarek is afk for a week or so05:50
morganfainbergI'm tempted to take your +1 for gyee's changes and his +1 as a plus205:52
morganfainbergBut it can wait till Monday.05:53
morganfainbergGyee is also on vacation next week iirc05:53
stevemarmorganfainberg, i'm also tempted to do that05:55
stevemarsince we could close the other 2 patches and the ffe bp05:55
stevemarmorganfainberg, i could bug topol to review on monday05:55
morganfainbergi dunno dstanek might be still lurking around05:59
jamielennoxmorganfainberg: the user exists check in the project listing are supposed to be there05:59
morganfainbergjamielennox, it's more of a collapsing the case for federated users05:59
jamielennoxmorganfainberg: those are the legacy routes for non-federated users, federated specific has /OS-FEDERATION/{something} and then the new route is /auth/projects which handles both06:00
morganfainbergah the new route is waht i was looking for06:00
morganfainberglhcheng, ^^06:00
morganfainbergjamielennox, thanks.06:00
jamielennoxmorganfainberg: yep, i'm talking to lhcheng in horizon, which is what made me realize what you were discussing earlier06:00
morganfainbergjamielennox, hard to keep track of all this (especially when just waking from a nap)06:00
stevemarlhcheng, i was just thinking, is there a call in DOA/horizon that calls list domains?06:01
stevemarthat would have to be updated too06:01
morganfainbergjamielennox, also... should be an easy +2.06:01
morganfainbergjamielennox, if you have but a moment to look06:01
lhchengstevemar: list domains is in horizon06:02
lhchengbut yeah, that would need some love too06:02
morganfainbergthere is clearly federated auth ux cleanup to do06:02
stevemarmorganfainberg, it should just be around listing domains and projects06:03
jamielennoxmorganfainberg: i have no idea what the use case for that prefix is06:03
stevemarjamielennox, there are details in the blueprint, i could explain it quickly06:04
lhchengstevemar: list domain/project/roles/groups all works fine with the project scoped token06:04
jamielennoxi mean the review looks fine, just for +A purposes i don't know what it's doing06:04
lhcheng(i know it should be domain scoped token)06:04
lhchengbut horizon is not there yet06:04
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
morganfainbergstevemar, uh...06:04
morganfainbergstevemar, <Sessions lifetime="7200" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="; path=/; secure; HttpOnly">06:05
morganfainbergstevemar, is "ss:mem:" wrong?06:05
morganfainbergand "ss:mem" supposed to be used (no trailing : )06:05
morganfainbergor is that doc wrong06:05
morganfainbergoh nvm06:06
stevemarmorganfainberg, the doc isn't wrong. the setting in shibboleth should be ss:mem (no trailing)06:06
morganfainbergthe trailing : is correct06:06
morganfainbergfor us06:06
* morganfainberg brain drizzles06:06
stevemarmorganfainberg, yeah, the actual assertion would be prefix + ':' + <some_id>06:07
stevemarlike: ss:mem:456e74900b306b5ed54ec9fb23c614f9fa73ece1c97ec004ed06:07
*** browne has joined #openstack-keystone06:07
*** arif-ali has quit IRC06:07
stevemaralso, it's a config option now, so even more flexibility06:07
stevemarjamielennox, an ECP wrapped assertion is a SAML assertion wrapped with ECP headers06:08
stevemarone of the tags is RelayState, which contains data like: ss:mem:<some_id>06:09
stevemarbut that prefix is configurable on each service provider06:09
jamielennoxthat's annoyin06:10
stevemarwasn't our choice, it's an option that shibboleth provides06:10
stevemarand if we send an assertion from an idp to an sp with different relay state prefix, it is rejected06:11
stevemarfrom what i can tell, most use the default (ss:mem)06:11
stevemarbut just in case, we wanted to give the user the ability to set it on a per SP basis, so when an assertion is sent over, it's not rejected06:11
morganfainbergit's silly06:12
morganfainbergis what it is06:12
jamielennoxspec by committee06:12
morganfainbergoh well :(06:12
morganfainbergwe need to support it06:12
jamielennoxalright +Aed, seems like we need it06:12
*** browne has quit IRC06:13
openstackgerritMerged openstack/keystone-specs: Add a relay_state_prefix to the service provider resource
stevemaryeah, unfortunately we don't want anyone to be wedged06:15
stevemarmorganfainberg, oh man, i can't believe brant added a test for this:
stevemarthat is amazing06:15
stevemartest for a doc change06:15
*** markvoelker has joined #openstack-keystone06:23
stevemarmorganfainberg, i don't think the depends-on tag works properly :(06:27
*** markvoelker has quit IRC06:28
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion
openstackgerritSteve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider
morganfainbergstevemar hm. it should.06:29
morganfainbergstevemar, but maybe not06:29
stevemarmorganfainberg, it's been 15 minutes and nothing was kicked off06:29
morganfainbergstevemar, it also might have just needed a recheck06:29
morganfainbergbasically i think depends-on just blocks it from running not auto queues it06:29
stevemarlast time i tried that, with the dependent patch merged, i rechecked the one i wanted; and it just passed check, not gate06:30
stevemargate didn't even start06:30
morganfainbergfile a bug w/ infra?06:30
morganfainbergon zuul i think06:31
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion
stevemarmorganfainberg, hope you don't mind my approving them06:31
morganfainbergnah all hoodf06:32
stevemari'm leaving a message explaining why06:32
stevemarmorganfainberg, i feel you are on mobile06:32
morganfainbergstevemar, nah just tired.07:03
morganfainbergstevemar, and sorta sleepy07:03
stevemarmorganfainberg, was gonna say... we should bump this bug:
openstackLaunchpad bug 1424500 in Keystone "Federation list projects endpoint does not honor project inherited role assignments" [Medium,Triaged] - Assigned to Samuel de Medeiros Queiroz (samueldmq)07:05
*** lhcheng is now known as lhcheng_afk07:17
*** markvoelker has joined #openstack-keystone07:23
*** wpf has quit IRC07:24
*** junhongl has quit IRC07:24
*** markvoelker has quit IRC07:28
*** wpf has joined #openstack-keystone07:32
*** junhongl has joined #openstack-keystone07:33
*** redrobot has quit IRC07:34
*** jdennis has quit IRC07:34
*** amaurymedeiros has quit IRC07:34
*** jdennis has joined #openstack-keystone07:35
*** amaurymedeiros has joined #openstack-keystone07:35
*** amaurymedeiros has joined #openstack-keystone07:35
*** redrobot has joined #openstack-keystone07:35
*** redrobot is now known as Guest9641307:36
openstackgerritwanghong proposed openstack/keystone: remove useless nocatalog tests of endpoint_filter
*** stevemar has quit IRC08:16
openstackgerritMerged openstack/keystone: Add relay_state_prefix to Service Provider
openstackgerritMerged openstack/keystone: Add API to create ecp wrapped saml assertion
*** markvoelker has joined #openstack-keystone08:24
*** markvoelker has quit IRC08:29
*** wanghong has quit IRC08:34
*** jacer_huawei has joined #openstack-keystone08:37
*** markvoelker has joined #openstack-keystone09:25
*** henrynash has joined #openstack-keystone09:28
*** ChanServ sets mode: +v henrynash09:28
*** markvoelker has quit IRC09:29
*** jamielennox is now known as jamielennox|away09:56
*** markvoelker has joined #openstack-keystone10:26
*** markvoelker has quit IRC10:30
*** jasondotstar has quit IRC10:37
*** jasondotstar has joined #openstack-keystone10:38
*** lhcheng__ has joined #openstack-keystone11:07
*** lhcheng_afk has quit IRC11:11
*** lhcheng__ has quit IRC11:17
*** mhu has quit IRC11:23
*** mhu has joined #openstack-keystone11:27
*** markvoelker has joined #openstack-keystone13:28
*** markvoelker has quit IRC13:33
*** sigmavirus24_awa is now known as sigmavirus2413:41
*** iwi has joined #openstack-keystone13:43
*** sigmavirus24 is now known as sigmavirus24_awa13:48
*** atiwari has quit IRC13:50
*** iwi has quit IRC13:53
*** iwi has joined #openstack-keystone13:55
*** iwi has quit IRC13:58
*** iwi has joined #openstack-keystone14:10
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog
*** iamjarvo has joined #openstack-keystone14:18
*** iwi has quit IRC14:25
*** markvoelker has joined #openstack-keystone14:29
*** markvoelker has quit IRC14:34
*** iwi has joined #openstack-keystone14:50
*** markvoelker has joined #openstack-keystone14:52
*** iwi has quit IRC14:54
*** markvoelker has quit IRC14:57
*** rushiagr is now known as rushiagr_away15:07
*** rushiagr_away is now known as rushiagr15:07
*** erkules_ is now known as erkules15:31
*** erkules has joined #openstack-keystone15:31
*** markvoelker has joined #openstack-keystone15:53
*** markvoelker has quit IRC15:57
*** joesavak has joined #openstack-keystone16:00
*** timcline has joined #openstack-keystone16:08
*** dims has joined #openstack-keystone16:14
*** timcline has quit IRC16:19
*** gokrokve has joined #openstack-keystone16:21
*** joesavak has quit IRC16:23
*** gokrokve_ has joined #openstack-keystone16:39
*** gokrokve has quit IRC16:42
*** markvoelker has joined #openstack-keystone16:54
*** markvoelker has quit IRC16:58
*** browne has joined #openstack-keystone17:16
*** gokrokve_ has quit IRC17:17
*** lhcheng has joined #openstack-keystone17:19
*** browne has quit IRC17:36
*** browne has joined #openstack-keystone17:37
*** browne has quit IRC17:37
*** pnavarro|off has joined #openstack-keystone17:40
*** markvoelker has joined #openstack-keystone17:54
*** markvoelker has quit IRC17:59
*** Ephur has quit IRC18:18
*** markvoelker has joined #openstack-keystone18:55
*** markvoelker has quit IRC19:00
*** f13o has quit IRC19:05
*** pnavarro|off has quit IRC19:30
*** pnavarro|off has joined #openstack-keystone19:47
*** hogepodge has joined #openstack-keystone19:49
*** markvoelker has joined #openstack-keystone19:56
*** markvoelker has quit IRC20:01
*** Ephur has joined #openstack-keystone20:07
*** Ephur has quit IRC20:51
*** sigmavirus24_awa is now known as sigmavirus2420:51
*** markvoelker has joined #openstack-keystone20:57
*** markvoelker has quit IRC21:01
*** rushiagr is now known as rushiagr_away21:04
*** rushiagr_away is now known as rushiagr21:08
*** jamielennox|away is now known as jamielennox21:20
*** pnavarro|off has quit IRC21:30
*** haneef_ has quit IRC21:30
*** nkinder has quit IRC21:30
*** breton has quit IRC21:30
*** rodrigods has quit IRC21:30
*** vhoward- has quit IRC21:30
*** rodrigods has joined #openstack-keystone21:30
*** haneef_ has joined #openstack-keystone21:30
*** breton has joined #openstack-keystone21:31
*** pnavarro|off has joined #openstack-keystone21:31
*** nkinder has joined #openstack-keystone21:31
*** rushiagr is now known as rushiagr_away21:33
*** vhoward has joined #openstack-keystone21:34
*** iamjarvo has quit IRC21:35
*** Guest90957 is now known as mfisch21:36
*** mfisch has joined #openstack-keystone21:36
*** browne has joined #openstack-keystone21:37
*** pnavarro|off has quit IRC21:44
*** markvoelker has joined #openstack-keystone21:57
*** markvoelker has quit IRC22:02
*** henrynash has quit IRC22:08
*** samueldmq has joined #openstack-keystone22:20
*** browne has quit IRC22:23
*** jdennis has quit IRC22:24
*** jdennis has joined #openstack-keystone22:24
*** markvoelker has joined #openstack-keystone22:58
*** markvoelker has quit IRC23:03
*** iwi has joined #openstack-keystone23:07
*** dims has quit IRC23:38
*** browne has joined #openstack-keystone23:44
*** browne has quit IRC23:48
*** iwi has quit IRC23:57
*** markvoelker has joined #openstack-keystone23:59

Generated by 2.14.0 by Marius Gedminas - find it at!