Monday, 2015-03-30

00:08 <jamielennox> ayoung: you actually here?
00:08 *** lhcheng has quit IRC
00:16 *** ncoghlan has joined #openstack-keystone
00:39 *** gokrokve has joined #openstack-keystone
00:44 *** gokrokve has quit IRC
00:48 *** arif-ali has quit IRC
00:54 <jamielennox> stevemar: are you here?
00:57 <bknudson> you're alone.
00:58 <breton> nope
01:00 <stevemar> jamielennox, here-ish
01:01 <stevemar> bknudson, might be around too
01:01 <jamielennox> everyone else shouldn't be here, stevemar is just generally around all the time
01:01 <stevemar> that's true
01:01 <bknudson> I think he's got irc on his cell.
01:02 <jamielennox> stevemar: i think i figured out my problem - i thought it was something deeply federation related, but it appears to just be if you POST to a URL that doesn't have a trailing / then django will add the / for you
01:02 <stevemar> bknudson, i do, but typically i'm on my laptop
01:02 <stevemar> oh
01:02 <jamielennox> but browsers won't redirect POST to POST so i was ending up with a GET where i should have had POST
01:02 <stevemar> jamielennox, what was your problem looking like initially?
01:03 <jamielennox> well by the time i got a request to /auth/websso it was a GET and i had lost the token coming back
01:03 <openstackgerrit> Brant Knudson proposed openstack/keystone: Deprecate eventlet config options  https://review.openstack.org/168752
01:03 <stevemar> yeah the token will get lost with a GET
01:03 * jamielennox just got a federated horizon login :)
01:04 <stevemar> nice
01:04 <stevemar> jamielennox, whats your setup look like
01:05 <stevemar> did you use the patches that tqtran and lhcheng have been pushing?
01:05 <bknudson> What's up with this: $ openstack --os-token secrete user list --> ERROR: openstack
01:05 <jamielennox> stevemar: i'm essentially rewriting https://review.openstack.org/#/c/136178/
01:06 <jamielennox> bknudson: generally means like an attributeerror or something weird from osc,
01:06 <jamielennox> if you use --debug it'll give you a full trace
01:06 <jamielennox> stevemar: the setup is the ipsilon setup nkinder was working on
01:06 <bknudson> raise exceptions.EndpointNotFound()
01:08 <bknudson> openstack --debug --os-token secrete --os-auth-url http://localhost:5000/v3 --os-identity-api-version=3 user list
01:08 <bknudson> TypeError: __init__() got an unexpected keyword argument 'user_domain_id'
01:14 <openstackgerrit> Merged openstack/python-keystoneclient: Expose audit_id via AccessInfo  https://review.openstack.org/168212
01:16 <stevemar> jamielennox, re-writing it eh? what are the big diffs?
01:16 <jamielennox> stevemar: what we were talking about with pulling it out of the DOA tree
01:16 <bknudson> seems like extra arguments should be ignored when loading auth plugins.
01:16 <stevemar> lhcheng was getting a weird error on the server side, user not found
01:16 <jamielennox> i need https://github.com/jamielennox/django_openstack_auth/commit/ea7eab90f6d4ca36cb5c389ae10377b2ca9d7ca5
01:17 <stevemar> that patch should land easily
01:17 <stevemar> bknudson, i noticed the token stuff was acting weird on friday
01:17 <bknudson> freaky friday
01:18 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Extract response headers to private method  https://review.openstack.org/168720
01:18 <jamielennox> then https://github.com/jamielennox/django-openstack-auth-websso
01:18 <rodrigods> bknudson, stevemar thanks for the reviews ^
01:18 <jamielennox> so what's missing from that new repo is any sort of initial form prompt
01:19 <stevemar> oh wow, you made that repo quickly
01:20 <jamielennox> stevemar: you haven't seen https://github.com/openstack-dev/cookiecutter
01:20 <jamielennox> also it's almost exactly the same as what i did for the kerberos one
01:20 <stevemar> jamielennox, does that pull in https://review.openstack.org/#/c/151842/ too?
01:20 <jamielennox> stevemar: no
01:20 <stevemar> i've seen cookiecutter, never used it though
01:21 <stevemar> did you use that in your test env?
01:21 <jamielennox> i haven't figured out how to do the initial form login yet
01:21 <jamielennox> no, i hit the keystone federation urls with everything in place
01:22 <bknudson> stevemar: worked around openstack error, looks like keystone isn't accepting it for user list.
01:22 <jamielennox> i was kind of hoping not to have to modify the original /auth/login form
01:22 <jamielennox> but i don't know enough django for that
01:27 <stevemar> jamielennox, you mean you don't know everything?
01:27 <stevemar> jamielennox, so now i'm wondering if https://review.openstack.org/#/c/151842/ is needed...
01:27 <jamielennox> stevemar: ha, not even a decent percentage
01:28 <stevemar> if that is a part of the -websso package, then theres no need for it
01:28 <jamielennox> i really hate web stuff
01:28 <stevemar> whens the horizon meeting? some ugly morning time
01:28 <jamielennox> yea, i don't think it's good for me
01:29 <stevemar> hopefully theres a time when we can all chat about this
01:30 <stevemar> jamielennox, did you have to modify DOA much?
01:30 <stevemar> ?
01:30 <bknudson> this is why nobody uses the web.
01:30 <stevemar> from the patch that is proposed
01:30 <jamielennox> only that project list patch
01:30 <jamielennox> although, i haven't implemented the whole thing
01:31 <jamielennox> i'm not sure what https://review.openstack.org/#/c/136178/25/openstack_auth/user.py is for
01:31 <openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: Ignore unexpected kwargs to auth plugins  https://review.openstack.org/168756
01:31 <jamielennox> i think it's for https://review.openstack.org/#/c/136178/25/openstack_auth/utils.py - but i just don't understand why they need that
01:31 <ayoung> jamielennox, I am actually here.  I was actually working in Open Office, trying to get down the ideas for my presentation
01:32 <ayoung> Just didn't look at IRC til now
01:32 <jamielennox> ayoung: no worries, i was having trouble with some of the federation stuff i know you were looking at, i think i got it
01:33 <stevemar> ayoung, is here now, i can go back to netflix
01:33 <ayoung> jamielennox, cool.  I think we are waiting on lin for DOA and Thai Tran on Horizon proper
01:33 <ayoung> No...Thai is tracking!
01:33 <ayoung> https://review.openstack.org/#/c/151842/
01:33 <jamielennox> that memoize_by_kwarg thing is caching to a dict - that seems like such a bad idea for horizon
01:34 <jamielennox> ayoung: hit it now
01:34 <ayoung> hit what now?
01:34 <jamielennox> http://controller.rdodom.test:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http://controller.rdodom.test/dashboard/auth/websso/
01:34 <ayoung> memoize_by_kwarg   ?
01:35 <ayoung> jamielennox, ah...need to get inside the VPN etc.  Is that Kerberos or SAML?
01:35 <jamielennox> SAML
01:36 <ayoung> You got it working, too?  I got it right at 5 On Friday
01:37 <stevemar> good to know that y'all are interested in this too :)
01:37 <jamielennox> ayoung: i got the federation -> horizon bit going
01:37 <stevemar> should be easier to get david lyle on board with it
01:37 <ayoung> jamielennox, did you see rcrit's suggestion?  We can get devstack to use ipsilon via  a local user and PAM.  Simplest was to get a SAML functional test
01:37 <ayoung> stevemar, I'm doing the git review diff to confirm what you said, and I'll dogpile on that Horizon review, too
01:38 <jamielennox> ayoung: yea, i saw - devstack has plugins, it seems like we should be able to do something for it, just FreeIPA makes a mess of the httpd conf
01:38 <ayoung> jamielennox, I know...It might be possible to get HTTP shared, but I don't want to put that on the short list
01:39 <jamielennox> anyway, so i've got saml->horizon working, i've currently got nfi how to get horizon to throw to saml though
01:39 *** gokrokve has joined #openstack-keystone
01:40 <ayoung> jamielennox, congrats.  You've managed to confuse me.
01:40 <jamielennox> well if you hit the keystone URLs correctly they redirect you back to horizon and it logs you in
01:40 <ayoung> Ah...so you can do the second half...put the url into Keystone and it redirects you to horizon?  Just not the first part?
01:40 <ayoung> OK...I can help
01:41 <jamielennox> i just need to see if i can modify https://review.openstack.org/#/c/151842/ and get it out of the horizon specific tree
01:41 <jamielennox> or maybe i'm too concerned about making this structurally separate and should just let horizon do what they want
01:41 <ayoung> ?
01:41 <ayoung> Ah...you are trying to integrate it with your other work?
01:41 <jamielennox> so everything related to kerberos is contained in doa-kerberos
01:42 <jamielennox> which is easy because there is no front end to kerberos
01:42 <jamielennox> i was hoping i could do the same thing for websso, and i can as far as the actual login goes
01:43 <jamielennox> but i don't know if i can get all the javascript and html stuff into that doa-websso repo, or whether i should even bother trying
01:43 <ayoung> I think the answer is "don't bother"
01:43 <ayoung> If I understand where we are headed,  let's leave it as is
01:43 <ayoung> I think Federation is going to be the norm, even for Kerberos.
01:44 *** gokrokve has quit IRC
01:44 <ayoung> doa-kerberos will be, I think, replaced by something like using Federation to Keystone without using SAML
01:44 <jamielennox> kerberos will be different even if we move it to a federation route
01:45 <ayoung> Something like my SSSD  based Federation, but just as a redirect, not as SAML one...if that makes sense?
01:45 <jamielennox> because kerberos requires putting an httpd module in front of horizon, not just keystone
01:45 <ayoung> I actually came over here to talk with you about that
01:45 *** stevemar has quit IRC
01:45 <jamielennox> and there will never be a form for kerberos, it should just log you in if a ticket is present
01:45 <ayoung> right, so  the question is, if we can do Federation for everything...even if all of the Data is in Keystone's identity store
01:46 *** stevemar has joined #openstack-keystone
01:46 *** ChanServ sets mode: +v stevemar
01:46 <ayoung> So instead of a SAML redirect to Keystone, you would get a redirect to  keystone:5000/v3/OS-FEDERATION/keystone/kerberos  or something
01:47 <ayoung> So you get an unscoped token from Keystone using negotiate, and then that redirects you to the websso page to post the token back to Horizon, just like SAML
01:47 <ayoung> Make sense?
01:47 <jamielennox> you would need to select "kerberos" from the /auth/login page of horizon
01:48 <ayoung> if it was one of multiple options,  but if it is the only option, no.   But that should be the case for SAML as well
01:48 <ayoung> That is a Horizon decision
01:48 <ayoung> speaking of which
01:48 <ayoung> this will be cleared when you see what you need to do to get Horizon working...ok
01:49 <ayoung> let me ssh to my machine to have a reference
01:49 <ayoung> you need to make some changes to local_settings in Horizon.  Have you touched that yet?
01:50 <ayoung> jamielennox, also, are you starting from devstack or packstack?
01:50 *** erkules has joined #openstack-keystone
01:50 <jamielennox> i'm starting from the machine that nkinder set up last week
01:51 <ayoung> OK,   I think that was packstack
01:51 <jamielennox> it's packstack
01:51 <ayoung> it means that things are in slightly different locations
01:51 <ayoung> I'm in devstack, so things are in the git trees, but the file you need to work with is in
01:51 <ayoung> something like /etc/horizon/openstack_dashboard
01:52 <ayoung> local_settings.py
01:52 <ayoung> have you mulched that yet?
01:53 *** erkules_ has quit IRC
01:53 <jamielennox> ayoung: i've added some stuff to the end of local_settings, and i've uninstalled the rpm of DOA in favour of git with my patches on it
01:54 <jamielennox> oh, there was a patch i had to manually apply to horizon because the RPM version isn't new enough and i didn't want to have to set that up from git
01:54 <ayoung> jamielennox, are you doing V3 Auth yet?
01:54 <jamielennox> ayoung:  it's working
01:54 <ayoung> Oh...you need the git version of Horizon
01:54 <ayoung> unless you have the patch we were just discussing
01:56 <jamielennox> i'm not sure where you're going with this - what are you trying to show me?
01:58 <ayoung> you configured the set of options there?
01:58 <ayoung> WEBSSO_CHOICES = ("saml2", _("Security Assertion Markup Language"))
01:58 <ayoung> and
01:59 <ayoung> WEBSSO_INITIAL_CHOICE = "saml2"
01:59 <ayoung> WEBSSO_ENABLED=True
01:59 <ayoung> OPENSTACK_KEYSTONE_URL="http://federate.cloudlab.freeipa.org:5000/v3"
01:59 <ayoung> and
01:59 <ayoung> OPENSTACK_API_VERSIONS = {    "identity": 3,}
02:00 <ayoung> also, I had an issue with Hostname versus IP address
02:00 <ayoung> I do all hostname for this to work
02:00 <ayoung> OPENSTACK_HOST="federate.cloudlab.freeipa.org"
02:00 <ayoung> jamielennox, I think that was all the Horizon side I needed to make work
02:03 *** _cjones_ has joined #openstack-keystone
02:03 <ayoung> jamielennox, which machine is controller.rdodom.test?
02:04 *** yasu_ has joined #openstack-keystone
02:09 *** _cjones_ has quit IRC
02:09 <ayoung> stevemar, guess what I figured out today?
02:10 <ayoung> We can use policy to do endpoint binding of tokens with no new Python code, just policy
02:11 *** BAKfr has quit IRC
02:13 *** BAKfr has joined #openstack-keystone
02:13 *** david8hu has quit IRC
02:14 *** david8hu has joined #openstack-keystone
02:15 <jamielennox> ayoung: yea, i think if we are going to go down that path then i'm not sure it's worth having a separate repo for the like login logic of websso
02:16 <ayoung> jamielennox, the Kerberos via Federation approach?   Yeah.  It was you that got me thinking that way
02:18 <jamielennox> ayoung: kerberos via federation is right - we'll do that longer term
02:19 <ayoung> We can do it now, I think, with a minor tweak to only Horizon.
02:19 <jamielennox> and for that project having kerberos login in a separate repo to DOA makes sense
02:19 <jamielennox> ayoung: it's too late in the cycle - we're going S4U2 this time
02:19 <ayoung> Yeah, I know, and that is fine
02:20 <ayoung> I'm talking about longer term, we can make the whole thing more streamlined.  My head is already in Liberty and Mike
02:20 <ayoung> Mitsubishi?  Musashi?
02:21 <ayoung> I like Musashi!
02:21 <jamielennox> but i was pushing lhcheng and others that websso should be the same out of tree for dependencies and stuff, but i don't know if it's worth trying to do extensible forms via django
02:24 <ayoung> jamielennox, anyway...can you make your horizon work with the local settings I posted?
02:24 <samueldmq_> ayoung, mitsubishi lol
02:25 <jamielennox> ayoung: oh, yea, i know what the patch is doing, i can figure that bit out - it was more about hosting the UI code outside of horizon
02:25 <jamielennox> which is really something i need to talk to the horizon people about
02:26 <ayoung> jamielennox, you mean so we don't for SAML, OpenID connect, etc on all of the deployments, just the ones that want them?
02:26 <ayoung> I think that is a discussion to have at the summit
02:26 <jamielennox> right
02:26 <ayoung> jamielennox, so you were able to make it work?
02:26 <jamielennox> because for example the keystoneclient plugins will go that way
02:26 <jamielennox> ayoung: i haven't tried the front end bit
02:26 <ayoung> OK.
02:26 <jamielennox> will do so in a bit
02:27 <jamielennox> it was more the token submission i was looking to get working
02:28 <stevemar> if we could still squeeze in the horizon bits, and release a separate doa-websso when needed... i could live with that
02:29 <stevemar> but you'll run into the issue of a user potentially turning on a feature in horizon and not realizing they need another package for it to work
02:38 <ayoung> Does Horizon even need SAML specific logic?  I thought that actually started once it hit Keystone.
02:39 <stevemar> ayoung, yeah, it does start when you hit keystone, but having horizon know about protocols makes it more user friendly
02:39 <stevemar> rather than knowing the idp id
02:39 *** gokrokve has joined #openstack-keystone
02:40 <ayoung> stevemar, how did you confirm the only change was a minimal one on https://review.openstack.org/#/c/151842/  ?
02:41 <stevemar> ayoung, compared ps 34 and 35
02:41 <ayoung> I'm getting a slew of differences
02:41 <ayoung> not from this patch...I guess those files are identical?
02:41 <stevemar> some other changeset must have included those
02:42 <stevemar> i am referring to https://review.openstack.org/#/c/151842/34..35/horizon/static/angular/login/login.js
02:42 <ayoung> that's the only difference?  Good.  I can +1 that
02:44 *** gokrokve has quit IRC
02:44 <stevemar> the patch hasn't changed much since... ps 28/29
02:44 <stevemar> mostly nits and rebasing when merge conflicts happened
02:47 <ayoung> stevemar, we'll encourage some Horizon folks to review and process it tomorrow
02:47 <stevemar> ayoung, i've been trying that for weeks
02:47 <stevemar> it's been just lhcheng and david-lyle
02:47 <ayoung> stevemar, david-lyle's been doing his part.  I'll bug Mrunge
02:48 <stevemar> i think the keystone parts, and messing around with authN bits scares folks
02:48 <ayoung> Let's see who else we can bug...
02:48 *** lhcheng has joined #openstack-keystone
02:49 <ayoung> https://launchpad.net/~horizon-drivers/+members#active
02:49 <ayoung> Thai and Lin should +2 each other's patches, even if they don't want to pull the trigger
02:50 <stevemar> ayoung, well the DOA patch is now up in the air i thought
02:50 <ayoung> Why?
02:51 <stevemar> i thought it was not going to land and we will make it a part of jamie's DOA-sso repo
02:51 <ayoung> Horizon meeting is tomorrow?
02:51 <ayoung> let me see when it is...
02:52 <david-ly_> ayoung: Wed
02:52 *** david-ly_ is now known as david-lyle
02:52 <ayoung> david-ly_, sorry to wake you!
02:52 <ayoung> Was trying to tiptoe
02:52 <david-lyle> I'll review the horizon patch again in the morning, there's still something messed up with the help string, but it should be a minor fix. Was playing with it earlier.
02:52 <david-lyle> no worries
02:52 <ayoung> In general, are we good as is?
02:53 <ayoung> I'm afraid that trying to make it perfect will mess up good enough
02:53 <ayoung> that refers to the DOA part
02:53 <david-lyle> in general, my problem is a string shows up and says "if you don't know what auth mechanism to use, contact your admin" when you only have credentials
02:54 <david-lyle> on the DOA, I think we're good, have to talk to Lin tomorrow
02:54 <ayoung> good.
02:55 <ayoung> david-lyle, I'm going to try and hack some devstack support for SAML in.
02:55 <david-lyle> ok
02:55 <ayoung> No promises, but I think I can make it work with Ipsilon in a fairly light manner
02:55 <ayoung> should give us a path to functional testing of this code
02:55 <david-lyle> so supporting that and credential based auth?
02:56 <david-lyle> a way easy test against it would be great
02:56 <david-lyle> me type not much, apparently
02:57 <lhcheng> ayoung: the DOA part, it is now in better shape.  The project switching in horizon now works.
02:57 <ayoung> lhcheng, ah...hadn't realized that was dead...It messed me up in the Kerberos work before
02:58 <ayoung> lhcheng, let me try your rebased patch...
02:58 <lhcheng> ayoung: I have to put a workaround though, there is an issue in keystone where /users/{user_id}/projects returns 404 UserNotFound
02:58 <lhcheng> ayoung: we still have some hanging assert user check, and it fails for federated user :(
02:58 <ayoung> of course it does...there is no user there....
02:58 <ayoung> what is the workaround?
02:59 <lhcheng> I had to store the federated unscoped token, and make a separate call to /federation/projects list
02:59 *** dims has quit IRC
02:59 *** dims has joined #openstack-keystone
02:59 <david-lyle> lhcheng: oooh, more stored tokens!
02:59 <stevemar> lhcheng, we could take out the check on the keystone side
03:00 <david-lyle> to simplify the confusion :)
03:00 <lhcheng> had a chat with morgan, the project scoped token should still work with /users/{user_id}/projects
03:00 *** dims has quit IRC
03:00 <lhcheng> but it would require some significant changes in the code and it won't get into RC
03:00 <stevemar> booo
03:01 <david-lyle> lhcheng: is your patch ready then?
03:01 <lhcheng> david-lyle: yeah, it works now
03:02 <lhcheng> david-lyle: but there's another idea that jamielennox brought up
03:02 <david-lyle> oh?
03:02 <lhcheng> david-lyle: do we really want to put this logic into horizon + doa
03:02 <ayoung> Yes we do
03:02 <lhcheng> david-lyle: why not have a doa-websso
03:02 <ayoung> we want Federation to be the norm here
03:02 <ayoung> Nah
03:02 <ayoung> too far
03:03 <ayoung> there are no external dependencies
03:03 <lhcheng> ayoung: I don't mind it to be in horizon
03:03 <ayoung> let's live with the ugly hack for a first approximation and clean it up
03:03 <lhcheng> ayoung: it works with different protocol
03:03 <lhcheng> ayoung: seems generic enough
03:03 <david-lyle> one DOA is all I want to manage for now
03:03 <ayoung> david-lyle, it is one more than I really want myself
03:04 <david-lyle> can hardly get anyone to look at it, much less a federation specific one
03:04 <david-lyle> ayoung: I didn't want to say that, but agree
03:04 <ayoung> david-lyle, we should probably split it, move all of the auth code to a Keystone repo, and keep just the UI in the horizon one...but not for Keeeeeeelow
03:05 <ayoung> let's put this to bed for now...
03:05 <david-lyle> one week before RC should be plenty of time
03:05 <david-lyle> yeah we can discuss at the summit
03:05 <ayoung> "perfect" is the enemy of "good enough"
03:05 <david-lyle> lhcheng: let's get your patch merged
03:05 <david-lyle> and figure out a better road in L
03:06 <stevemar> ayoung, i'm so glad you voiced that. i think another repo is a better move architecturally, but i'd rather see something than nothing
03:07 <jamielennox> lhcheng: you're here! i'm slowly converting more people to operate in my timezone
03:07 <david-lyle> have to run, will review in the morning
03:07 <lhcheng> david-lyle: I think there is just one minor comment from stevemar, should be an easy fix.
03:07 <jamielennox> lhcheng: https://github.com/jamielennox/django-openstack-auth-websso
03:07 <ayoung> stevemar, so, no, I don't think that is the right architecture.  I think the right architecture is getting the stuff that the Keystone team should be managing into a Keystone managed repo
03:07 <lhcheng> david-lyle: I haven't tested the horizon code yet. but I expect there are a couple of things that need to be fixed there
03:08 <lhcheng> david-lyle: related to fetching the user's project
03:08 <ayoung> DOA is doing too much, and some of it either belongs in client or in some non-django-specific-webessessoh repo
03:08 <jamielennox> lhcheng: so that handles the DOA side of things - i don't like needing all that stuff in horizon but i don't know how we can break it up and have it for kilo
03:08 <stevemar> ayoung, i'm happy either way
03:08 <lhcheng> jamielennox: hah
03:09 <jamielennox> lhcheng: i don't like storing the unscoped federated token like you did in that patch, still trying to figure out how to work around it
03:09 <stevemar> lhcheng, yeah minor stuff, you did an awesome job cleaning it up
03:09 <lhcheng> jamielennox: would we still have an opportunity to update g-r after ksc release?
03:09 <ayoung> david-lyle, BTW, you can propose someone as core for DOA and not all of Horizon.  It might make sense to formalize the Keystone/Horizon cooperation in that repo.  We recently made topol core for specs, although not for code.
03:09 <jamielennox> lhcheng: not at this point i think
03:10 <lhcheng> jamielennox: if ksc gets released, I can switch DOA to /auth/projects
03:10 <jamielennox> lhcheng: also there is not even a review for the project listing yet
03:10 <lhcheng> jamielennox: /auth/projects is already in keystone though right?
03:10 <jamielennox> lhcheng: yep, i'll work on exposing it via ksc today
03:10 <jamielennox> but it won't make it
03:11 <lhcheng> jamielennox: perhaps I'll just make a direct API call to it.
03:11 <lhcheng> jamielennox: would be easier to strip out later when KSC bumps up
03:11 <jamielennox> lhcheng: tempted to agree
03:11 <jamielennox> lhcheng: only problem is that was added for juno, so you need a fallback
03:12 <ayoung> jamielennox, why a fallback?  None of this will work with Juno or earlier
03:12 <lhcheng> jamielennox: I'll only make that call for federated user.
03:13 <lhcheng> jamielennox: still not as clean as I wanted to, but at least I won't be storing an extra token
03:14 <ayoung> We should be able to store either the federated token or the unscoped token.  There should be no need for an unscoped token if you have a federated stored
03:15 <jamielennox> ayoung: because if you use /auth/tokens that would work for regular tokens as well
03:15 <jamielennox> ayoung: so like replace the standard DOA logic, but then that will only work for post Juno
03:15 <stevemar> ayoung, i believe someone can be core for just DOA
03:16 *** iamjarvo has joined #openstack-keystone
03:16 <stevemar> clu is core for just horizon and not DOA
03:16 <ayoung> Ok...headed to bed....I'm still on 9-5 Eastern time due to the kids..
03:16 <david-lyle> stevemar: she's core on both
03:16 *** iamjarvo has quit IRC
03:16 <stevemar> david-lyle, one of those times i'm glad to be wrong :)
03:16 <david-lyle> horizon-core for both
03:17 <stevemar> shows how much i know wth is going on
03:17 <david-lyle> but most are afraid to look in that repo, you know keystoney things happen in there
03:17 <jamielennox> lhcheng: i just saw how https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L38 works - that's such a bad idea for horizon
03:18 <david-lyle> jamielennox: we used to hit keystone on every request for that info
03:18 <lhcheng> caching project list for a token?
03:18 <lhcheng> jamielennox: what could be the side effect?
03:18 <david-lyle> so every page load
03:18 <jamielennox> that _PROJECT_CACHE exists on the process, of which you could have 10 different processes
03:19 <jamielennox> if you get another process on another call then the cache is empty and you still take the hit
03:19 <jamielennox> depending on the process it also doesn't get cleaned up when you delete the token either
03:20 <jamielennox> so that cache would just continue to grow
03:20 <jamielennox> or am i missing something here
03:21 *** ayoung is now known as ayoung_ZZzz__
03:22 <lhcheng> stevemar, jamielennox: I am going to split the token plugin code into a separate patch. Seems like a good idea to reduce the scope of the websso patch, make it easier to review.
03:22 <lhcheng> jamielennox: hmm yeah, good point about the cleanup
03:23 <lhcheng> maybe it should only be cached per request
03:23 <lhcheng> david-lyle: store in session? :P
03:23 <stevemar> lhcheng, for sure
03:23 <david-lyle> sadly, that's the best option we have
03:23 <jamielennox> well, it just needs to go to memcache or something external to the process
03:23 <jamielennox> or do you not deal with that level in django?
03:24 <lhcheng> jamielennox: don't want to add more external dependency if possible
03:24 *** iamjarvo has joined #openstack-keystone
03:24 <jamielennox> right, i know you configure memcache as a cache store, i don't really know how the persistence works within django though
03:26 <openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/168678
03:29 <stevemar> i got bknudson to say
03:29 <stevemar> 'neat'
03:29 <stevemar> https://review.openstack.org/#/c/168212/
03:29 <jamielennox> trendsetter
03:29 <jamielennox> that was a quick one actually
03:29 <lhcheng> jamielennox: perhaps for short term, we could cache for the scope of the request. Just to make sure nothing blows up.
03:30 <lhcheng> stevemar: lol that's impressive
03:30 <jamielennox> lhcheng: it's been there since october 2013, i'd worry about that one after release
03:31 <lhcheng> jamielennox: heh true
03:31 <jamielennox> it was yours too
03:31 <stevemar> jamielennox, i've been trying to pay more attention to client
03:32 <lhcheng> jamielennox: yeah, I'm the trouble maker
03:32 <jamielennox> heh
03:32 <jamielennox> it can't be too big a problem, i would have thought a big deployment would have seen memory leaks from it
03:35 <lhcheng> jamielennox: hmm we did hit out of memory error before
03:35 <stevemar> one week left and we can all celebrate
03:36 <lhcheng> jamielennox: we release so often and have a lot of nodes on standby, that there was still no user impact
03:36 <jamielennox> lhcheng: i'm getting more and more of that opinion, if it doesn't make it now 6 months is not that long
03:37 * jamielennox 's views do not represent those of his employer
03:39 *** gokrokve has joined #openstack-keystone
03:40 <lhcheng> yeah, we're definitely moving fast
03:43 *** gokrokve has quit IRC
03:47 *** iamjarvo has quit IRC
03:47 *** samueldmq_ has quit IRC
04:12 *** spandhe has quit IRC
04:15 *** dims has joined #openstack-keystone
04:16 <openstackgerrit> Jamie Lennox proposed openstack/keystone: Bump advertised API version to 3.4  https://review.openstack.org/168771
04:18 <stevemar> jamielennox, btw - i've got 2 client side patches up
04:19 <stevemar> i wasn't sure if they should go into regular ksc or ksc-federation
04:20 <jamielennox> stevemar: umm, they don't do any XML processing themselves do they
04:20 <stevemar> jamielennox, nope
04:21 <stevemar> just return xml
04:21 *** dims has quit IRC
04:21 <jamielennox> stevemar: i think they're fine to be in keystoneclient regular, it's generally only the actual auth bits that have the additional dependencies
04:21 <stevemar> yep
04:21 <jamielennox> the general federation management stuff belongs in ksc
04:21 <stevemar> cool
04:21 <stevemar> yeah
04:21 <stevemar> no new deps
04:24 <openstackgerrit> Merged openstack/keystone: Extract response headers to private method  https://review.openstack.org/168720
04:30 *** davechen has joined #openstack-keystone
04:30 <openstackgerrit> rajiv proposed openstack/python-keystoneclient: Now keystone enables listing of user by name  https://review.openstack.org/167543
04:31 *** pnavarro|off has quit IRC
04:34 *** pnavarro|off has joined #openstack-keystone
04:39 *** haneef_ has quit IRC
04:39 *** gokrokve has joined #openstack-keystone
04:44 *** gokrokve has quit IRC
05:10 *** _cjones_ has joined #openstack-keystone
05:14 *** _cjones_ has quit IRC
05:20 *** lhcheng_ has joined #openstack-keystone
05:20 *** lhcheng_ has quit IRC
05:21 *** lhcheng_ has joined #openstack-keystone
05:22 *** lhcheng has quit IRC
05:22 *** nkinder has quit IRC
05:27 *** lhcheng_ has quit IRC
05:27 *** lhcheng has joined #openstack-keystone
05:29 *** nkinder has joined #openstack-keystone
05:32 *** lhcheng has quit IRC
05:44 <stevemar> jamielennox, thx for the review
05:45 <jamielennox> stevemar: np
05:45 <jamielennox> stevemar: i left a comment saying you don't need saml in create_saml_assertion, but i didn't realize that the following patch had create_ecp_assertion
05:46 <jamielennox> i see why you would want to distinguish those two, so i don't mind what you do there
05:46 <openstackgerrit> Jamie Lennox proposed openstack/keystone: Bump advertised API version to 3.4  https://review.openstack.org/168771
05:46 <stevemar> yeah, i'll keep as-is, i found the naming for this patch to not be easy
05:47 <stevemar> i don't like federation.saml.xyz much either
05:47 <stevemar> but i guess it works
05:47 <jamielennox> i see why we named the initial blueprint 'federation' but we need to start rolling its usage back
05:48 <jamielennox> the word
05:49 <stevemar> i also realized there isn't a client call for /metadata either. i'd have to ask marek about that, most of the time it's done through a browser
05:50 <jamielennox> if horizon doesn't need it there may be no use for it in client
06:08 <stevemar> jamielennox, it's definitely something that can wait
06:09 <stevemar> jamielennox, do you watch cricket?
06:10 <jamielennox> stevemar: not really - i know we won though
06:10 <jamielennox> convincingly
06:10 <stevemar> jamielennox, yep - the games from the world cup have been playing on some local stations
06:10 <jamielennox> stevemar: getting much interest?
06:11 <jamielennox> it was pretty much the same teams in the finals
06:11 <stevemar> i watched a 1 hr replay of the aus vs india match, pretty interesting stuff
06:12 <stevemar> i think there is interest from the locals in toronto to see the matches. (afaik anyway)
06:12 <stevemar> it was neat
06:13 <stevemar> anyway, just wanted to let it be known that matches were being played (live) and replayed on some stations
06:13 <jamielennox> there's a fairly high indian, pakistan, and NZ population so there was a lot of rivalry in it
06:17 <jamielennox> ok, i'm out
06:18 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Support discovery on the AUTH_INTERFACE  https://review.openstack.org/168791
06:18 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Support /auth routes for list projects and domains  https://review.openstack.org/168792
06:18 <jamielennox> can finish that one tomorrow
06:18 <stevemar> have fun
06:20 *** jamielennox is now known as jamielennox|away
06:22 *** markvoelker has joined #openstack-keystone
06:27 *** stevemar has quit IRC
06:27 *** markvoelker has quit IRC
06:27 *** stevemar has joined #openstack-keystone
06:27 *** ChanServ sets mode: +v stevemar
06:34 *** stevemar has quit IRC
06:34 *** stevemar has joined #openstack-keystone
06:34 *** ChanServ sets mode: +v stevemar
06:38 *** ParsectiX has joined #openstack-keystone
06:39 *** mflobo has quit IRC
06:41 *** mflobo has joined #openstack-keystone
06:43 *** erkules has quit IRC
06:43 *** erkules has joined #openstack-keystone
07:00 <openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token  https://review.openstack.org/159022
07:02 *** afazekas has joined #openstack-keystone
07:10 <openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/168678
07:12 <openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/168678
07:12 <openstackgerrit> Eli Qiao proposed openstack/oslo.policy: Don't reload policy files in policy.d every time  https://review.openstack.org/168798
07:19 *** stevemar has quit IRC
07:23 *** markvoelker has joined #openstack-keystone
07:27 *** markvoelker has quit IRC
07:27 *** lhcheng has joined #openstack-keystone
07:34 *** spandhe has joined #openstack-keystone
07:50 *** henrynash has joined #openstack-keystone
07:50 *** ChanServ sets mode: +v henrynash
07:50 *** spandhe has quit IRC
07:53 *** dims has joined #openstack-keystone
07:58 *** dims has quit IRC
08:08 *** browne has quit IRC
08:09 *** jistr has joined #openstack-keystone
08:19 <openstackgerrit> Victor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL  https://review.openstack.org/168003
08:21 *** krykowski has joined #openstack-keystone
08:35 *** lhcheng has quit IRC
08:45 <openstackgerrit> Victor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL  https://review.openstack.org/168003
08:54 <openstackgerrit> henry-nash proposed openstack/keystone: Update configuration documentation for domain config  https://review.openstack.org/165754
*** henrynash has quit IRC08:55
*** henrynash has joined #openstack-keystone09:05
*** ChanServ sets mode: +v henrynash09:05
*** rdo has quit IRC09:11
*** rdo has joined #openstack-keystone09:13
*** ncoghlan has quit IRC09:17
*** markvoelker has joined #openstack-keystone09:24
*** markvoelker has quit IRC09:29
*** jacer_huawei has quit IRC09:30
*** lhcheng has joined #openstack-keystone09:36
*** lhcheng has quit IRC09:40
*** henrynash has quit IRC09:48
*** davechen has left #openstack-keystone09:49
*** dims has joined #openstack-keystone09:54
*** henrynash has joined #openstack-keystone10:08
*** ChanServ sets mode: +v henrynash10:08
*** jacer_huawei has joined #openstack-keystone10:13
*** pnavarro|off has quit IRC10:19
*** samueldmq-away is now known as samueldmq10:22
samueldmqhenrynash, hi, morning10:23
henrynashsamueldmq: morning10:23
samueldmqhenrynash, I am having a look at 'Adds inherited column to RoleAssignment PK' again10:24
henrynashmorning10:24
henrynashok10:24
samueldmq:-)10:24
samueldmqhha10:24
samueldmqso I'd better not rebase on morgan's patch, since it may or may not land in kilo, right?10:24
henrynashi think it has already landed10:24
henrynashso just a rebase on master is fine10:25
samueldmqoh, I am so out-of-date :/10:25
*** markvoelker has joined #openstack-keystone10:25
henrynashi know…a couple days and the world has changed10:25
samueldmqI think you noticed I had disappeared a bit from this channel :/10:26
samueldmqyeah, I've been working on horizon for hierarchical projects10:26
samueldmqwe then have an initial implementation :-)10:26
henrynashvery cool10:26
samueldmqI'll write a blog post and have a point on our meeting tomorrow, so we can get feedback and let ppl know10:27
henrynashthat would be great10:27
samueldmqand I hope to be definitively back to keystone again this week :-)10:27
samueldmqI think here is my place haha10:27
henrynashno worries…now’s a good time to be spending time on other things….10:29
*** markvoelker has quit IRC10:30
samueldmqhenrynash, yeah, it isn't bad to at least know other projects10:31
samueldmqhenrynash, I dont see myself working a long time on front-end, but that was great to know10:31
*** pnavarro|off has joined #openstack-keystone10:31
henrynashsamueldmq: i think it’s a positive advantage10:31
samueldmqhenrynash, I am also starting to work on openstack infra, ppl are so smart there too :-)10:32
henrynashsamueldmq: anything that connects developers more to the eventual end users is good10:32
samueldmqhenrynash, yes it is, but sometimes hard due to UX, etc10:32
*** iamjarvo has joined #openstack-keystone10:46
openstackgerritKonstantin Maximov proposed openstack/keystone: Improved policy setting in the 'v3 filter' tests  https://review.openstack.org/15659710:59
samueldmqhenrynash, you still around ?11:08
henrynashindeed11:08
samueldmqhenrynash, by default, we run sql live tests on a db called test_keystone11:09
samueldmqhenrynash, I run tests once, then create tables, apply migrations, etc11:09
samueldmqhenrynash, since the db state is kept, maybe I won't be able to run the tests again just after that11:09
*** yasu_ has quit IRC11:09
samueldmqhenrynash, makes sense?11:10
henrynashsamueldmq: depends on whether the tests clean up after themselves11:12
samueldmqhenrynash, yeah, I am not sure we drop all after tests11:12
samueldmqhenrynash, digging a bit more on it11:13
*** ParsectiX has quit IRC11:13
*** henrynash has quit IRC11:13
samueldmqhenrynash, do you add mysql-python to your test-requirements when you need to run live tests?11:13
*** henrynash_ has joined #openstack-keystone11:13
*** ChanServ sets mode: +v henrynash_11:13
samueldmqhenrynash_, oops11:13
samueldmqhenrynash_, do you add mysql-python to your test-requirements when you need to run live tests?11:14
samueldmqhenrynash_, just to make sure I am using the right library to python-MySQLdb11:14
henrynash_I do pip install MySQL-python11:16
henrynash_or pip install psycopg211:17
henrynash_for postgres11:17
samueldmqhenrynash_, k got it11:17
openstackgerrithenry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332211:19
*** amakarov_away is now known as amakarov11:22
*** lhcheng has joined #openstack-keystone11:25
*** markvoelker has joined #openstack-keystone11:26
*** henrynash_ has quit IRC11:26
bretonand I do .tox/py27/bin/pip install <>11:28
*** lhcheng has quit IRC11:29
*** markvoelker has quit IRC11:31
*** jaosorior has joined #openstack-keystone11:34
*** iamjarvo has quit IRC11:37
samueldmqbreton, hmm thanks for this, it is better than adding to test-requirements and then forgetting to remove it :p11:43
bretonthere are issues with live tests though11:44
samueldmqbreton, I am getting some migrate.exceptions.DatabaseAlreadyControlledError11:44
samueldmqbreton, on master11:44
samueldmqbreton, any idea?11:44
bretonyep11:44
bretontwo11:44
bretoneven three11:44
bretonfirtsth, drop your database and recreate it before each test11:44
breton*first11:45
samueldmqbreton, yes that's what I was talking to henrynash11:45
bretonsecond -- use TEST_RUN_CONCURRENCY=111:45
samueldmqbreton, as now we don't do downgrades anymore, the db state is kept11:45
samueldmqbreton, and then we can't run them a second time11:45
bretonthat's not really true. Db state is not always kept.11:45
bretonthere is some cleanup afaik11:45
samueldmqbreton, ah then I am wrong11:46
bretonthird -- don't run all tests, run only one test using tox -e py27 test_some_stuff11:46
bretonin fact, live tests are broken. I think I should file some bugs on them11:47
samueldmqbreton, what's the problem indeed?11:47
*** iamjarvo has joined #openstack-keystone11:47
samueldmqbreton, hmm, cool, I 'll be glad if I can help, please feel free to ping me if you need help11:47
bretonwill, first is that migrate.exceptions.DatabaseAlreadyControlledError11:47
bretonsecond -- I had some issues with postgres11:48
samueldmqbreton, I am trying 'tox -e py27 -- use TEST_RUN_CONCURRENCY=1 test_sql_livetest'11:49
samueldmqbreton, but it's running all tests11:49
samueldmqbreton, I should add this '-- use', right?11:49
samueldmqbreton, or is this just a venv to export ? :p11:50
bretonerr, it's a shell variable. do "TEST_RUN_CONCURRENCY=1 tox -e py27 ..."11:51
* samueldmq facepalm11:51
samueldmqbreton, hmm so all these errors imply we do not have gate jobs to run tests in live dbs (mysql, postgres, etc)11:53
samueldmqbreton, maybe it could be good to have them11:53
bretonsamueldmq: dstanek does some work on functional testing11:56
*** iamjarvo has quit IRC11:57
samueldmqbreton, yeah, he may have some good idea on how to have it11:58
samueldmqbreton, will bug him later11:58
samueldmqbreton, btw, I could run the tests, thanks11:58
*** ParsectiX has joined #openstack-keystone12:01
*** raildo has joined #openstack-keystone12:04
*** jistr has quit IRC12:07
*** jistr has joined #openstack-keystone12:08
*** markvoelker has joined #openstack-keystone12:10
openstackgerritVictor Sergeyev proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/13764012:15
openstackgerritVictor Sergeyev proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/13777812:15
openstackgerritVictor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763912:15
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table.  https://review.openstack.org/13763712:15
*** dims has quit IRC12:17
*** dims has joined #openstack-keystone12:18
openstackgerritVictor Sergeyev proposed openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/9355812:18
openstackgerritVictor Sergeyev proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063012:18
*** krtaylor has quit IRC12:19
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Restore name to services listed in catalog  https://review.openstack.org/16767512:22
*** gordc has joined #openstack-keystone12:28
*** ayoung_ZZzz__ is now known as ayoung_short12:28
*** ayoung_short is now known as ayoung_cough12:28
*** ayoung_cough is now known as ayoung_yawn12:29
*** ayoung_yawn is now known as ayoung12:29
ayoungGood morning....12:29
raildoayoung, morning :)12:31
ayoungraildo, samueldmq so...I figured out that we can do endpoint binding of tokens today with policy12:31
ayounghaven't done a proof of concept yet12:32
ayoungbut...12:32
ayoungyou would create a rule something like12:32
ayoungthe role rule we have12:33
ayounghmmm....can we do that today...?12:33
ayoungwe'd need a "contains" check, wouldn't we?12:34
raildoyou mean create rule that contains other rule (and a role)?12:34
ayoungnot quite12:35
ayoungI mean a rule that says12:35
ayoungwell, this is what role does12:35
ayoungreturn self.match.lower() in [x.lower() for x in creds['roles']]12:36
ayoungso12:36
ayoungreturn self.match.lower() in [x.lower() for x in token.service_catalog['endpoints']]12:36
ayoungbut that is not right, since the endpoints are not in a single list12:36
ayounglets see...12:36
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/examples/pki/cms/auth_v3_token_scoped.json#n2812:37
raildoayoung, hum... i get it...12:38
ayoungLet me try some code against that...12:38
*** Ephur has joined #openstack-keystone12:39
samueldmqayoung, good morning, reading up ...12:40
samueldmqayoung, well, not sure I follow, what problem are we trying to solve?12:42
dstanekmorning all12:43
ayoungsamueldmq, endpoint binding of tokens12:43
ayoungsamueldmq, ensuring a token can only be used with a specific endpoint or set of endpoints12:43
ayoungnow,  we do know the service, so we could filter on that, or12:44
*** pnavarro|off has quit IRC12:47
ayoungraildo, samueldmq http://paste.openstack.org/show/197536/12:50
*** timcline has joined #openstack-keystone12:52
*** timcline has quit IRC12:52
*** timcline has joined #openstack-keystone12:53
samueldmqayoung, looking12:57
*** iamjarvo has joined #openstack-keystone12:59
*** timcline has quit IRC12:59
*** krtaylor has joined #openstack-keystone13:00
raildoayoung, so... what happens if I get an unscoped token, since this token doesn't have a catalog, right?13:01
ayoungraildo, you can't use an unscoped token on remote endpoints anyway13:01
raildoayoung, Do you need to consider this case?13:01
raildoayoung, ok13:01
samueldmqayoung, so let me say what I understood and you check if I am right13:01
ayoungthe real question is what happens if a place decides to shut off the service catalog13:01
samueldmqayoung, you add constraints in the policy for endpoints to be used13:01
ayoungyou could even do this as a stand alone middleware piece13:02
samueldmqayoung, to check the endpoint you're trying to use is one in the list of endps in your token13:02
samueldmqayoung, right?13:02
ayoungand you load a specific rule, maybe even from a separate policy file13:02
ayoungthat would allow it to vary per endpoint without compromising our goal of a unified policy file13:03
ayoungsamueldmq, yes13:03
samueldmqayoung, nice so I got it :-)13:03
*** pnavarro|off has joined #openstack-keystone13:04
samueldmqayoung, today the issue is that you could use an endpoint you get an id somehow13:04
samueldmqayoung, you could possibly ..13:04
ayoungyeah, we want to limit the damage that can be done with a token, so limit it to a specific set of endpoints13:04
raildoayoung, sounds good to me13:05
samueldmqayoung, the same ones that are in your list inside your token, right?13:05
samueldmqayoung, that would then be applied to all API endpoints, wouldnt it?13:05
ayoungsamueldmq, yeah,13:05
*** bknudson has quit IRC13:05
samueldmqayoung, oh nice idea imo :-)13:05
ayoungnote that my paste there is reading an example token from rthe client repo13:05
samueldmqayoung, yeah, ran it13:06
ayoungsamueldmq, I think the trick is that finding the endpoint ID is going to require python code.  I wonder if it is something we can make generic13:06
samueldmqayoung, it will be placed on middleware, tight?13:06
samueldmqright*13:06
ayoungsamueldmq, well, eventually13:07
samueldmqayoung, and how the middleware knows the service that is using it ?13:07
ayoungI want something that can be done with the existing policy setup,  so in my presentation, I wanted to use this as an example13:07
ayoungbut it might not be possible.  I don't know how to find that endpoint id using the existing set of checks.  I don't think we can13:07
ayoungso, I might try to get a new check in, one that looks for a value in a nested dictionary13:08
ayoungsamueldmq, you would edit the policy file on the host running the service13:08
ayoungkinda like the cloudsample policy file  and admin domain id13:09
*** iamjarvo has quit IRC13:09
samueldmqayoung, so hard-coded ?13:09
ayoungpolicy files are designed to be like config files.   Soft coded13:10
samueldmqayoung, any($my_service_id in endpoint['id'] for endpoint in token['endpoints'])13:10
ayoungsamueldmq, close13:11
samueldmq:-)13:11
ayoungthat doesn't deal with the nesting, and, of course we don't have an any check yet13:11
samueldmqayoung, yeah, that was a pseudo-python-like code13:12
ayoungso the language would have to be clear.13:12
ayoungsomething like13:12
ayoungany:token.catalog.[].endpoints.id( "1df0b44d92634d59bd0e0d60cf7ce432")13:14
*** nkinder has quit IRC13:16
samueldmqayoung, how do we bind a policy to a service endpoint?13:18
ayoungsamueldmq, read up.  I thought I answered that one already13:20
*** joesavak has joined #openstack-keystone13:23
samueldmqayoung, we could simply set 'service_ids:[]' in the policy and then middleware would enforce to check if any in this list match something in the token's catalog13:25
samueldmqayoung, 'service_ids:[]' could be set by keystone once we have dynamic policies13:26
samueldmqayoung, makes sense?13:26
ayoungsamueldmq, so...sort of what I'm thinking, but more like this:13:26
ayoung1.  For Kilo, we get an extension in to policy that will let us check the endpoint  as part of the existing policy check;   it would have to be appended to the rule for each  compute:blah13:27
ayoungmeanwhile, we start work on a middleware piece that would allow checking the service is in the token based on  the policy engine, but using a separate policy file13:27
ayoungthat file can be generated after the server is registered with Keystone, so we know what Id to put in it13:28
ayoungIf we do dynamic policy, then, yes, we can dynamically put the service endpoint id into the file13:28
*** sirushti has joined #openstack-keystone13:28
samueldmqexactly13:28
samueldmqayoung, ++13:29
ayoungso the short term task is to figure out the language for the nesting13:29
samueldmqayoung, so for now you just want to change the policy ? and you are wondering if its possible13:29
ayoungwould this syntax work?  any:token.catalog.[].endpoints.[].id,  1df0b44d92634d59bd0e0d60cf7ce43213:30
ayounguse [] to imply iterate through all of the elements of an array13:30
samueldmqayoung, give me an example of nested endpoints13:31
samueldmqayoung, looked into that one on keystoneclient you posted, but they are flat there13:31
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/examples/pki/cms/auth_v3_token_scoped.json#n2813:31
ayoungno...the catalog has multiple entries in an array13:31
samueldmqayoung, ah got it13:32
ayoungwe could do something like13:32
ayoungany:token.catalog.[type:timage].endpoints.[].id,  1df0b44d92634d59bd0e0d60cf7ce43213:32
samueldmqayoung, this any:token.catalog.[].endpoints.[].id,  1df0b44d92634d59bd0e0d60cf7ce43213:32
samueldmqayoung, makes sense to me13:32
ayoungmake that any:token.catalog.[type:image].endpoints.[].id,  1df0b44d92634d59bd0e0d60cf7ce43213:32
samueldmqayoung, yeah applying filtering if we need13:32
samueldmqayoung, but not necessary for now13:33
samueldmqayoung, since the simple form workds13:33
samueldmqworks*13:33
ayoungwell, we would want to be able to write rules that say "this token is good for glance but no other service ,  and ignore the endpoint_id13:33
ayoungany:token.catalog.[], type:image  ?13:34
samueldmqayoung, so you just return glance endpoint in the token?13:34
samueldmqayoung, what will define where a token can be used is the service list in the catalog13:35
*** chlong has joined #openstack-keystone13:36
ayoungsamueldmq, sorry, didn't understand.  was that a question, or were you confirming?13:37
samueldmqayoung, you want to define that a token is only valid for glance, for example, right?13:38
ayoungsamueldmq, sure13:38
samueldmqayoung, imo, the solution for this is that you only return Glance service endpoint in such token13:38
samueldmqthat's all13:38
ayoungexactly13:39
samueldmqayoung, no need to [type:image]13:39
ayoungand, yes, we'd need a mechanism to do that13:39
samueldmqayoung, just need to enforce any:token.catalog.[].endpoints.[].id,  1df0b44d92634d59bd0e0d60cf7ce43213:39
samueldmqayoung, if there is no other service than glance in the token's catalog, this will fail for other services13:40
ayoungsamueldmq, \that would be in the policy file for the cases where you don't want to say "this specific endpoint" but rather "all glance instances are OK"13:40
samueldmqit's indeed ;)13:40
samueldmqayoung, but this is part of binding policy files with specific endpoints, which is on keystone, right?13:40
ayounga arnage of options13:41
ayoungrange13:41
samueldmqayoung, yeah I agree it's useful now (with this usecase you said), but we will need to make it consistent in keystone, so it will be possible to generate it dynamically in the future13:41
ayoungso,  need to get the grammar correct.  I don't want to build a mechanism specific to Service catalog, but something generic for the policy engine to use for any problem set13:42
samueldmqayoung, ok, it's like an OCL language, where we are navigating through the token properties :)13:43
samueldmqayoung, http://en.wikipedia.org/wiki/Object_Constraint_Language13:44
samueldmqayoung, ok I agree with you13:44
samueldmqayoung, let's make the policy language much more powerful13:44
samueldmqo/13:44
ayoungXACML13:44
*** joesavak has quit IRC13:44
samueldmqayoung, I can find some time to be with you in this battle if you want help13:44
*** bknudson has joined #openstack-keystone13:45
*** ChanServ sets mode: +v bknudson13:45
ayoungsamueldmq, so,  lets say first we do a "ContainsCheck"  which defines a path in the context and a value to look for13:47
ayoungand it will allow for []  to imply  iterate through all the values in an list13:47
ayoungand returns true upon first match,  false if no matches13:48
samueldmqayoung, ++13:48
samueldmqayoung, what about13:51
samueldmqayoung, (token.catalog.[].type, image).[].endpoints.[].id, 1df0b44d92634d59bd0e0d60cf7ce43213:51
samueldmqayoung, a = token.catalog.[].type, image13:52
samueldmqayoung, b = a.[].endpoints.[].id, 1df0b44d92634d59bd0e0d60cf7ce43213:52
samueldmqayoung, then a is a list of services whose match type = image13:52
*** stevemar has joined #openstack-keystone13:52
*** ChanServ sets mode: +v stevemar13:52
samueldmqayoung, having that list, you apply other function, to get only those in that first list (a) that match the given id13:52
samueldmqayoung, b will then be either [something] or []13:53
samueldmqayoung, [somehting] is evaluated to True, [] to False13:53
ayoungso....we have to be careful.  We could do something where the list function returns  the value instead of "True"  but we want to make sure we don't get into a case where it returns a Falsey  value13:54
samueldmqayoung, k gotta go now, talk to you later13:56
*** gokrokve has joined #openstack-keystone14:02
*** nkinder has joined #openstack-keystone14:06
*** sigmavirus24_awa is now known as sigmavirus2414:09
*** ParsectiX has quit IRC14:11
stevemardolphm, lbragstad ping14:19
*** timcline has joined #openstack-keystone14:20
lbragstadstevemar: pong14:23
*** mattfarina has joined #openstack-keystone14:23
*** davechen has joined #openstack-keystone14:24
*** davechen has left #openstack-keystone14:26
stevemarlbragstad, have any docs on how to set up fernet-y stuff?14:28
lbragstadstevemar: yes, I believe dolphm did do some stuff around that. Let me grab them for you14:28
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Restore name to services listed in catalog  https://review.openstack.org/16767514:29
stevemarlbragstad, eggcellent14:29
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Change ECP wrapped SAML assertion term in API  https://review.openstack.org/16892814:30
lbragstadstevemar: http://docs.openstack.org/developer/keystone/configuration.html#uuid-pki-pkiz-or-fernet14:30
rodrigodsstevemar, ^ liked the term you used in the keystoneclient patch14:30
lbragstadstevemar: http://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet14:30
lbragstadstevemar: this is essentially the difference in setting up fernet against master https://github.com/dolph/keystone-deploy/compare/fernet-tokens14:31
lbragstadstevemar: does that help?14:37
*** david8hu has quit IRC14:37
stevemarlbragstad, oh hai - yes, it does14:37
stevemarsorry, was busy reading them14:37
*** david8hu has joined #openstack-keystone14:37
lbragstadstevemar: cool, let me know if anything doesn't make sense and I'll get a patch pushed up14:39
stevemarlbragstad, yessir14:40
*** krykowski has quit IRC14:40
*** me has joined #openstack-keystone14:42
*** me is now known as Guest5445914:43
Guest54459hello guys !14:49
Guest54459newbie question: I am trying to deploy keystone, when I run: su -s /bin/sh -c "keystone-manage db_sync" keystone , it tells me: su: authentication failure, however I put the correct root password. any ideas?14:49
*** timcline has quit IRC14:49
stevemarGuest54459, you're not providing a login to the su command14:52
stevemartry that syntax with a non-openstack command14:53
stevemarrunning that command with sudo instead of su should work14:54
*** thedodd has joined #openstack-keystone14:56
*** timcline has joined #openstack-keystone14:57
*** Guest96413 is now known as redrobot14:58
ayoungsamueldmq, so I think we messed up on the catalog definition.  We could, I think, make it work on the GenericCheck if we had, instead of doing the Services as a list, used the "type"  field as the name in a dictionary15:00
*** timcline_ has joined #openstack-keystone15:00
ayoungit is the [] part that doesn't work.  We probably should have done that all the way down the service catalog.15:00
ayoungwe could have done:15:01
*** rwsu has joined #openstack-keystone15:01
*** lhcheng has joined #openstack-keystone15:02
*** timcline has quit IRC15:03
*** iamjarvo has joined #openstack-keystone15:04
ayoungid:token.catalog.image.endpoints.id15:06
*** lhcheng has quit IRC15:07
openstackgerritVictor Sergeyev proposed openstack/keystone: Add server_default to relay_state_prefix in service_provider model  https://review.openstack.org/16894715:15
*** afazekas has quit IRC15:16
*** zzzeek has joined #openstack-keystone15:16
Guest54459Stevemar, i've tried several times with sudo, it gives the following error http://paste.openstack.org/show/197568/15:17
ayoungdstanek, is there a way in python to create a single iteration from nested list, short of doing something like this:15:17
ayoungdef endpoints_from_token(jdoc):15:17
ayoung    for service in jdoc['token']['catalog']:15:17
ayoung        for endpoint in service['endpoints']:15:17
ayoung            yield endpoint['id']15:17
rodrigodsayoung, zip() ?15:17
rodrigodsayoung, ah... no15:18
rodrigodsdon't know*15:18
dstanekayoung: not really. because you are not really flattening a set of nested lists15:18
dstanekayoung: do you not like what you did there?15:20
ayoungdstanek, I want a way to write, in our policy grammar:  at least one of token.catalog(all).endpoints(all).id  == <literal>15:21
ayoungdstanek, I want to see if I can do it with the current generic check15:21
stevemarGuest54459, that error looks a lot more helpful :)15:22
ayoungdstanek, https://github.com/openstack/oslo.policy/blob/master/oslo_policy/_checks.py#L28015:22
ayoungit uses AST15:22
stevemarGuest54459, looks like something is wrong with the mysql settings in keystone.conf15:22
dstanekayoung: "<literal> in endpoints_from_token()" ?15:23
ayoungGuest54459, the root Unix password is different from the database password for the Root user15:23
dstanekayoung: i think that GenericCheck isn't right for this15:23
ayoungdstanek, It is close15:24
*** joesavak has joined #openstack-keystone15:24
ayoungI want to see if I could force it with Generic, and if not, write the most straightforward extension to it15:24
ayoungand if there was something that AST could operate on  for doing the collections, that would make the most sense...I think15:25
*** chlong has quit IRC15:26
*** browne has joined #openstack-keystone15:27
Guest54459sudo grep connection= /etc/keystone/keystone.conf15:31
Guest54459connection=mysql://keystone:swift@172.16.200.91/keystone15:31
Guest5445915:31
Guest54459guess it is written like that15:31
dstanekGuest54459: can you connect to mysql from the command line client?15:32
Guest54459 i can15:34
Guest54459and when i ran $ keystone-manage db-sync15:34
Guest54459it perform no output, but when i check the keystone database, i found no tables15:35
ayoungGuest54459, is 172.16.200.91  the same host?15:37
ayoungCould you be looking on the wrong machine?15:37
ayoungdstanek, for a path to, say the catalog, I write token.catalog  which would return an array.  If I knew it was the first entry I could probably do15:39
ayoungtoken.catalog[0]15:39
ayoungand if I knew which value the endpoint was supposed to be15:39
ayoungtoken.catalog[0].endpoints[0]15:39
ayoungtoken.catalog[0].endpoints[0].id15:39
Guest54459ayoung, yes it is the running interface on the host15:40
dstanekayoung: how would you know that you are looking for the first one?15:40
ayoungdstanek, I don't15:40
ayoungjust trying to find a syntax that makes sense15:40
ayoungMoving from a path traversal to a search...It is  certainly an expansion on the scope of the check15:41
ayoungso,  yeah ,more than what Generic does15:41
Guest54459but, the think is, when i run $ mysql -u keystone@172.16.200.91 -pswift15:41
ayoungOTOH, we should have made the service catalog more regular15:41
ayoungGuest54459, try with the -H option15:42
Guest54459it said  Access Denied15:42
ayoungerr  --host15:42
ayoung--host=host_name, -h host_name15:42
ayoungso it would be15:42
ayoungmysql keystone  --host=172.16.200.91 --user=keystone --password15:43
Guest54459ERROR 2003 (HY000): Can't connect to MySQL server on '172.16.200.91' (111)15:44
ayoungGuest54459, maybe mysql is not listening on a port15:45
*** haneef has quit IRC15:49
samueldmqayoung, do policy still accepts http urls to be evaluated ?15:50
ayoungyep15:50
ayoungsamueldmq, but that way leads to madness15:50
samueldmqayoung, yes, I agree :)15:50
samueldmqayoung, do you have an example?15:50
ayoungNope15:50
samueldmqayoung, just to me to try something out15:50
ayoungjust see in the code that it is still supported15:51
samueldmqayoung, k will get one myself15:51
ayoungplease don't15:51
ayoungI'd rather deprecate that15:51
samueldmqayoung, HttpCheck, right?15:51
ayoungyeah15:51
samueldmqayoung, what do you think about going through resources in the cloud and doing arbitrary checks15:52
samueldmqayoung, for example15:52
samueldmqayoung, any(user.projects.number_instances < 20)15:52
*** iamjarvo has quit IRC15:52
Guest54459i've got another prob, i just changed the bind address in /etc/mysql/my.conf then the mysql service wouldn't restart.... guess i'm gonna start the deploy on an other clean VM, anyway thank you guys !15:53
ayoungsamueldmq, I suspect that the Congress folks are thinking along those lines15:53
samueldmqayoung, hmm, will dig a bit on this there15:53
samueldmqayoung, thx15:53
dstanekayoung: samueldmq: it seems to me that you are almost inventing/needing a new xpath language15:55
samueldmqdstanek, hmm, nice catch, need to revisit xpath15:56
samueldmqdstanek, what I was thinking was to provide a PoC in which we could do those arbitrary checks, using HttpChecks15:56
samueldmqdstanek, so that if you ask user.projects, the server on that url will then deduce: 'hmmm, that user's projects', let me call keystone to get this .. and so on15:57
*** breton has quit IRC15:57
samueldmqdstanek, and then apply logical expressions to validate anything, or not :-)15:57
dstaneksamueldmq: wouldn't that lead to a ton of keystone calls?15:58
*** breton has joined #openstack-keystone15:58
samueldmqdstanek, complex expressions would be expensive to evaluate (that's indeed)15:58
samueldmqdstanek, if you evaluate something already in the token (as we have today) then it's cheap15:59
dstaneksamueldmq: right but you are adding a way to fetch more data right?15:59
*** gokrokve_ has joined #openstack-keystone16:00
samueldmqdstanek, yes16:01
samueldmqdstanek, if you want to do checks against more data, I need to get the data to do your checks against16:01
*** tqtran has joined #openstack-keystone16:02
*** edmondsw has joined #openstack-keystone16:02
*** gokrokv__ has joined #openstack-keystone16:02
*** gokrokve_ has quit IRC16:02
dstaneksamueldmq: that means that for every rule in the policy for every call to the service there will be a keystone hit16:03
bknudsonhttp://goessner.net/articles/JsonPath/16:03
*** breton has quit IRC16:03
*** _cjones_ has joined #openstack-keystone16:04
*** gokrokve has quit IRC16:04
samueldmqdstanek, yeah, keystone hit, or nova hit (if you want to assert something on instances state, etc)16:04
samueldmqdstanek, cons: with this approach, lots of added requests16:05
samueldmqdstanek, pros: too much flexibility added to policy checks16:05
samueldmqdstanek, do you think it is worth making a PoC of this?16:05
dstaneksamueldmq: it would be interesting, but i don't know how practical16:06
dstanekis someone asking for something like this?16:06
samueldmqdstanek, as for now, only my mind is asking for this16:06
samueldmqdstanek, to have a lot of flexibility and make the engine much more powerful16:06
samueldmqdstanek, if we find it really interesting, we can find a better way to do so16:07
samueldmqdstanek, if not, well, that was fun16:07
dstanekit would probably be interesting16:07
dstanekmy caution would be that complexity is the enemy of security16:07
samueldmqdstanek, yeah I understand your concern16:10
samueldmqdstanek, I'll think a bit more about this, and how hard it would be to implement a PoC (at a glance, I think not too much effort)16:10
*** thedodd has quit IRC16:10
openstackgerritVictor Sergeyev proposed openstack/keystone: Drop sql.transaction() usage in migration  https://review.openstack.org/16898716:12
*** samueldmq_ has joined #openstack-keystone16:23
*** lhcheng has joined #openstack-keystone16:23
*** ericksonsantos has joined #openstack-keystone16:26
samueldmqsamueldmq_, hi - what's the motivation behind creating an IRC name almost equals to mine?16:27
samueldmqsamueldmq_, pm'ed you16:29
dstaneksamueldmq: are you talking to yourself?16:30
raildolol16:30
ayoungdstanek, so...no, we don't need a new language.  What I think I want to do is to extend the generic check such that, if a link in the chain is an array, it will search in each value of the array.  It has to be in the generic check, I think, otherwise we don't have enough information to identify the value.16:30
samueldmqdstanek, haha no .. but I saw someone else registered samueldmq_, and linked samueldmq-away to it :/16:31
ayoungsamueldmq, want me to kick them?16:31
ayoungsamueldmq, and, are you sure it is not your own nick in an additional xchat type window16:31
ayoungI know that if I spin up two windows, the second will have an _ at the end of the name16:32
dstaneksamueldmq: it's on from Brazil; home computer?16:32
samueldmqdstanek, let me check with my wife :-)16:32
samueldmqbut anyway, someone else registered samueldmq_ on FreeNode16:32
*** krykowski has joined #openstack-keystone16:33
ayoungits the risk of IRC.16:33
samueldmqwait16:34
*** samueldmq has quit IRC16:34
*** samueldmq-away has joined #openstack-keystone16:37
*** samueldmq-away is now known as samueldmq16:37
lbragstadsamueldmq: fixed?16:39
samueldmqlbragstad, well, that was my pc from home that got the second option ... but that still doesn't solve the issue someone else registered samueldmq_ on FreeNode :/16:40
* ayoung writing lisp code in python16:40
lbragstadsamueldmq: hmmm16:41
samueldmqlbragstad, maybe it's better to ask FreeNode staff about it :-)16:42
samueldmqlbragstad, or do not use samueldmq_ anymore, never! :p16:42
lbragstadsamueldmq: either would be an option.16:43
*** krykowski has quit IRC16:43
samueldmqlbragstad, that makes me wonder how could we validate ppl 'token' in IRC :/16:44
*** jistr has quit IRC16:44
lbragstadsamueldmq: I think that's handled by registering your nick with Freenode, but I'm not 100% sure (cc dstanek)16:45
samueldmqlbragstad, yeah I registered samueldmq, but someone else registered samueldmq_ (and linked samueldmq-away) to it :/16:46
dstaneksamueldmq: is it possible that you registered it?16:46
dstanekor that your client did it for you?16:47
lbragstada long time ago possibly?16:47
dstaneklbragstad: i think if you register the nick you need a password to use it16:47
samueldmqdstanek, only if my memory does not work anymore16:47
dstanekit was registered recently16:47
dstanekrunning this will tell you: /msg nickserv info samueldmq_16:48
dstaneksamueldmq: what irc client do you use at home?16:48
samueldmqdstanek, xchat16:48
samueldmqdstanek, I don't think it did it for me16:49
samueldmqdstanek, I registered samueldmq by myself16:49
samueldmqwell, don't want to take your time with this :/ will ask FreeNode staff16:51
dstaneksamueldmq: i'd go into the freenode channel and ask about it16:51
samueldmqdstanek, I went in there16:57
samueldmqdstanek, I ran: /msg NickServ SENDPASS samueldmq_16:58
samueldmqdstanek, that sent an email to change the password, and it didn't go to any of my email addresses16:58
samueldmqdstanek, freenode staff told me to wait until it expires, there is nothing to do16:58
samueldmqdstanek, cool!16:58
*** bknudson has quit IRC17:04
lbragstadhas anyone had issues with pbr.version recently running db_sync ?17:12
lbragstadthis is what I get when running latest keystone-deploy (eventlet branch) http://cdn.pasteraw.com/d44642a1dd67pogna457zs4ynmqwt8p17:13
*** pnavarro|off has quit IRC17:14
*** spandhe has joined #openstack-keystone17:19
*** krykowski has joined #openstack-keystone17:20
ayoungIf you register it with a password, you need the password to kick someone.  But if you are not on IRC, someone else can use the Nick17:20
ayounglbragstad, that looks familiar.17:21
ayounglbragstad, rings a bell....but seems like it was an old version of PBR, or....pbr Version pulling in some dependency that was not resolved17:21
ayounglbragstad, as I recall, it was due to how pbr version used the generated version string from setup.py  in the git repo.17:22
ayoungWe had issues along those lines when building RPMs17:23
ayoungPBR was doing things that should have been left to the RPM database, IIRC17:23
lbragstadayoung: ahhh.. yeah I'm hitting issues with pip too though... trying to fix those first17:23
ayoungrelated17:23
lbragstadvery17:23
*** harlowja_away is now known as harlowja17:25
*** gokrokve has joined #openstack-keystone17:25
*** iamjarvo has joined #openstack-keystone17:26
*** krykowski has quit IRC17:27
*** gokrokv__ has quit IRC17:28
*** gokrokve has quit IRC17:30
*** amakarov is now known as amakarov_away17:40
*** jaosorior has quit IRC17:42
*** ljfisher has joined #openstack-keystone17:45
*** iamjarvo has quit IRC17:49
*** browne has quit IRC17:59
*** jaosorior has joined #openstack-keystone18:02
samueldmqthere is a test on test_backend_ldap failing due to a translation18:03
samueldmqit is ok if the os language is english, but fails if it isn't18:03
samueldmqhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1348-L135318:03
samueldmqdstanek, ^ do you have a minute ? :-)18:04
samueldmqbut there is something beyond that which is making me confused ... why does the test just below pass?18:05
*** greghaynes has quit IRC18:07
*** bknudson has joined #openstack-keystone18:10
*** ChanServ sets mode: +v bknudson18:10
*** bknudson has left #openstack-keystone18:12
dstaneksamueldmq: looking now18:14
*** bknudson has joined #openstack-keystone18:14
*** ChanServ sets mode: +v bknudson18:14
bknudsonin case you were wondering: https://wiki.openstack.org/wiki/VersionDiscovery -- there's a wiki on version discovery.18:15
dstaneksamueldmq: is the translation happening? i thought it was lazy and nothing was translated in the tests18:16
samueldmqdstanek, yes the translation is happening for the test_wrong_ldap_scope18:18
samueldmqdstanek, but not for test_wrong_alias_dereferencing18:18
samueldmqit's ericksonsantos with his pt-br ubuntu18:19
*** gokrokve has joined #openstack-keystone18:26
*** samueldmq_ has quit IRC18:35
stevemarsamueldmq, ping18:37
samueldmqstevemar, hi18:39
*** krykowski has joined #openstack-keystone18:39
stevemarsamueldmq, hmm, what happened to that bug, about federation not honoring inherited flag?18:41
stevemari was going to bug you about moving it to L release, but now i can't find it18:42
samueldmqstevemar, bug #142450018:42
openstackbug 1424500 in Keystone "Federation list projects endpoint does not honor project inherited role assignments" [Medium,Triaged] https://launchpad.net/bugs/1424500 - Assigned to Samuel de Medeiros Queiroz (samueldmq)18:42
samueldmqstevemar, I can work on this for kilo if you think it is important18:42
stevemarsamueldmq, well it relied on a bunch of other work, that's why i was going to re-target it18:43
stevemarif you think you can rebase it against master and merge it in 4 days, then go ahead :)18:43
samueldmqstevemar, the optimal solution was to do it after the list_role_assignments refactoring18:44
samueldmqstevemar, but I probably better remove the dependency18:44
stevemarsamueldmq, it can wait til L then18:44
samueldmqstevemar, that's not a hard dependency, was just nice to have them together18:44
stevemardoes it change any key functionality? or resolve a bug/error that a user was facing?18:44
morganfainbergBut if we can fix it for kilo that'd be really nice.18:45
morganfainbergIt can be deferred.18:45
morganfainbergIt isn't a show stopping bug.18:45
*** breton has joined #openstack-keystone18:45
samueldmqstevemar, yes that bug affects the user, ofc18:45
samueldmqmorganfainberg, yes I agree18:45
morganfainbergBut if we can fix it for kilo that'd be nice.18:45
stevemari looked at the review and it was just test changes18:45
samueldmqmorganfainberg, stevemar I will work on that later today18:45
stevemarsamueldmq, alright18:45
morganfainbergstevemar: our priority today is to get the last two items from henrynash's bp in18:46
stevemarmorganfainberg, also, i'm going to call it and say this is bumped to L18:48
stevemarhttps://bugs.launchpad.net/keystone/+bug/140105718:48
openstackLaunchpad bug 1401057 in Keystone "Direct mapping in mapping rules don't work with keywords" [High,In progress] - Assigned to Marek Denis (marek-denis)18:48
stevemarmarek is away this week18:48
morganfainbergUnless you can fix it ;)18:49
morganfainbergBut sure.18:49
morganfainbergWe should at least document the limitation this cycle.18:49
morganfainbergstevemar: mind doing that?18:49
stevemarmorganfainberg, we probably need to do a better job of documenting 'how to use this crazy mapping engine' anyway18:50
*** iamjarvo has joined #openstack-keystone18:51
*** iamjarvo has quit IRC18:51
*** iamjarvo has joined #openstack-keystone18:52
stevemardstanek, morganfainberg this could use a review: https://review.openstack.org/#/c/167501/18:52
dstanekstevemar: i can do that next18:52
openstackgerritayoung proposed openstack/oslo.policy: Lists for Generic Checks  https://review.openstack.org/16904518:54
ayoungdstanek, samueldmq raildo ^^ there ya go!18:54
*** krykowski has quit IRC18:55
ayoungmorganfainberg, so with ^^ we can do endpoint binding of tokens with the current policy mechanism.18:59
stevemarayoung, did you have to bust out your comp sci 101 text book for the recursion?18:59
ayoungstevemar, never18:59
ayoungstevemar, I recurse naturally18:59
stevemaryou should get that looked at18:59
ayoungstevemar, you might recall the revocation checks code I originally wrote was also recursive19:00
ayoungstevemar, it's like Tourette's, treatable with medication, but oh so much fun to watch19:00
morganfainbergRecursive probably would be more readable than the tree thing.19:00
morganfainbergIn revocation events.19:01
morganfainbergayoung: I shall read policy code post coffee.19:02
morganfainbergI do not expect to succeed precoffee19:02
ayoungmorganfainberg, to give some context:19:02
ayoungservice catalog has two lists in it, which messed up the attempt to use policy to enforce an endpoint binding19:03
morganfainbergRight.19:03
ayoungand, if we were to say "you need to know the index of the object in the list"  it would be fragile, and would not succeed if the service catalog were reordered somehow19:03
samueldmqayoung, nice, will take a look later, thanks19:03
ayoungso, this makes the decision to look at all the elements of the list, the Or rule.19:04
morganfainbergWait, are we putting endpoint binding in Oslo.policy or in middleware ?19:04
ayoungmorganfainberg, not decided yet19:04
*** ljfisher has quit IRC19:04
ayoungI think it should be done as a separate middleware19:04
samueldmqdstanek, any thought on why the string is being translated on that test?19:04
samueldmqdstanek, or any entry point into the code that could make that lazy?19:04
ayounglayered after auth token, so it has the expanded token data19:04
ayoungbut can use its own, local policy file.19:04
dstaneksamueldmq: i don't know if i have a way to test it, but i'm pretty sure it should not be translating at all19:05
dstaneksamueldmq: can you find out where the translation is actually happening?19:05
ayoungHowever, if we just make the above change, at least we could enforce endpoint binding of a token in the existing policy scheme.  It would be messy, but possible.  Right now, it is not possible19:05
samueldmqdstanek, the place the exception is thrown?19:06
dstaneksamueldmq: is it?19:06
ayoungmorganfainberg, this change also would be a potential, generic replacement for the role:  Check, which is the only  Keystone specific check in oslo policy19:06
ayoungnow, let that sink, go get Coffee, and it will all make sense...I hope19:07
samueldmqdstanek, yes https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L208-L21519:07
*** krykowski has joined #openstack-keystone19:07
samueldmqdstanek, this raises the exception caught at https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1348-L135319:07
samueldmqdstanek, and it's translated, and failing19:07
samueldmqdstanek, but for the test just below (https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1355-L1361) it does not translate19:08
samueldmqdstanek, raised at https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L187-L19419:08
samueldmqdstanek, that's so weird19:08
dstaneksamueldmq: that is where the string is wrapped for translation - where is it actually translated? usually this happens when you str() it, but that shouldn't be the case here19:08
dstanekusing _() doesn't actually translate anything - it returns a Message object19:09
samueldmqdstanek, so I have no idea where it gets translated, need to dig a bit more19:09
morganfainbergayoung: I'm currently drinking coffee. Just waiting until that is done before I try and grok the code.19:10
samueldmqdstanek, well, keystone i18n uses the oslo one .. isn't that where it gets translated? by oslo ..19:10
dstanekit gets translated when it is used not when it is wrapped19:11
dstaneksamueldmq: it's a weird thing because the act of observing the object may cause it to be translated19:13
samueldmqdstanek, ah, so when we try to access the config property (identity.backends.ldap.Identity)19:13
dstanekthe config property isn't translated19:13
dstaneksamueldmq: when you _('something') you should get an instance of http://git.openstack.org/cgit/openstack/oslo.i18n/tree/oslo_i18n/_message.py#n3019:14
samueldmqdstanek, yeah so that's what's in the ValueError exception19:17
ayoungsamueldmq, I wonder if you are seeing something due to native language settings on your machine19:17
samueldmqayoung, yes19:18
samueldmqayoung, ericksonsantos is19:18
samueldmqayoung, this test (https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1348-L1353)19:18
ayoungsamueldmq, so maybe something was not defined for the common case, and instead only explicitly for en_US?19:18
*** iamjarvo has quit IRC19:18
dstaneksamueldmq: does it show you the strings' values?19:19
ericksonsantoshttp://paste.openstack.org/show/197610/19:19
samueldmqdstanek, ayoung ^19:19
ayoungHA!19:20
samueldmqdstanek, yes it does19:20
dstanekand that's the only test that fails?19:20
ayoungassertRaisesRegexp19:21
samueldmqdstanek, yes, and I have no idea why, since the test just below does exactly the same19:21
ayoungRegex is not parsing19:21
ayoungWho wrote that?19:21
*** krykowski has quit IRC19:21
samueldmqayoung, but why does the first one fail and the second one doesn't19:21
samueldmqayoung, https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1348-L136119:21
dstaneksamueldmq: what happens if you run the failing test in isolation?19:22
samueldmqdstanek, it fails, and the passing one passes19:23
*** henrynash has joined #openstack-keystone19:23
*** ChanServ sets mode: +v henrynash19:23
ayoungYep, I+2ed that19:23
ayounghttps://review.openstack.org/#/c/21664/19:23
ayoungJust drop the Regexp part of the check19:23
dstaneksamueldmq: i have no idea why that's translating - if you can't figure it out in a little bit i can come back to it19:24
ayoungcould be an issue with venv...19:24
samueldmqdstanek, ok will try thanks19:24
ayoungit chooses based on an env var.  Something might force it one way19:24
samueldmqayoung, k will delete venv and try again19:24
ayoungsamueldmq, nah19:24
ayoungjust change the check to not be a regexp19:25
ayoungit is cute, but not necessary19:25
dstaneki don't think it would be venv based - env based is possible19:25
ayoungassertRaises is sufficient19:25
samueldmqayoung, but why doesn't the other test fail19:25
samueldmq?19:25
samueldmqayoung, look https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1348-L136119:26
samueldmqayoung, the first one fails, and the second passes19:26
dstaneksamueldmq: what is the LANG set to?19:27
ayoungMaybe only one has a translation in Brazilian Portuguese19:28
ayoungAnyway, change them both, as there is obviously a problem when assuming error messages from LDAP match certain patterns.  It is not part of the interface, just a message for the end user that can easily change.19:29
samueldmqdstanek, pt_BR19:29
*** raildo has left #openstack-keystone19:30
*** raildo has joined #openstack-keystone19:30
samueldmqayoung, yeah I know that solves the issue, just trying to figure out why the behavior is not consistent19:30
ayoungsamueldmq, because someone didn't get around to translating all of the error messages in the LDAP code19:30
ayoungNot sure if it is from Python or from the underlying LDAP libraries19:30
ayoungThey are two different error messages.19:31
dstanekayoung: that shouldn't matter because it's always matching english; i am under the impression that we don't translate at all during unit tests19:32
ayoungdstanek, it isn't us doing the translating19:32
dstanekmaybe that changed when we moved to oslo.i18n19:32
*** _cjones_ has quit IRC19:32
dstaneks/we don't/translations don't happen/19:33
samueldmqayoung, dstanek yeah, we have a translation for the first one, but not to the second19:33
samueldmqlet me get a link ...19:33
samueldmqthis one has a translation https://github.com/openstack/keystone/blob/master/keystone/locale/pt_BR/LC_MESSAGES/keystone.po#L889-L89219:33
samueldmqand this one does not https://github.com/openstack/keystone/blob/master/keystone/locale/pt_BR/LC_MESSAGES/keystone.po#L877-L88019:34
samueldmqthis is bad :p19:34
dstaneksamueldmq: so i think the thing to figure out is why the translation is happening (maybe bknudson knows)19:34
samueldmqdstanek, ++19:34
bknudsonI don't know... might depend on if the translation library finds the compiled files or not.19:35
bknudsonwhat's the issue?19:35
dstanekthat's interesting19:35
dstanekbknudson: a test is failing because the error message is being translated19:35
samueldmqbknudson, yeah https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1348-L136119:36
samueldmqbknudson, the first one has a translation and is being translated, the second one hasn't and then is kept as it is19:36
*** topol has joined #openstack-keystone19:36
*** ChanServ sets mode: +v topol19:36
bknudsondoesn't seem like a good idea to try to match the translated part of the message.19:36
bknudsonjust try to match the non-translated part.19:36
bknudsone.g., change the regex from  'Invalid LDAP scope: %s. *' % CONF.ldap.query_scope to just CONF.ldap.query_scope19:37
ayoungDon't match the message19:37
samueldmqyes, do not match the message is the solution19:37
ayoungJust make it an assertRaises19:37
samueldmqbut I guess dstanek is asking why it is getting translated, since translations should not happen in tests19:38
samueldmq:p19:38
bknudsonwhy shouldn't translations happen in tests?19:38
bknudsonthere's probably a way to totally disable it.19:38
bknudsonyou could mock out the translation library I guess.19:38
bknudsonor the tests could set LANG=C or whatever.19:38
dstaneki'm pretty sure there are other places where we match English against an error message. those will also break if there is a translation available.19:39
samueldmqbknudson, maybe .. there is no need to translate messages for tests, since we don't usually make any assertions on the error messages19:39
bknudsonI agree it's better for the tests to not try to translate since it's not going to be set up.19:39
bknudsonhave the tests set LANG=C or whatever.19:40
dstanekbknudson: you may have hit the nail on the head when you said that maybe it was because the library could find the translations19:40
samueldmqdstanek, ++ yeah, we're fixing for pt_BR, but what about the other languages?19:40
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517119:40
*** timcline_ has quit IRC19:41
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517119:44
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517119:45
*** _cjones_ has joined #openstack-keystone19:48
*** pnavarro|off has joined #openstack-keystone19:52
htrutabknudson, rodrigods: about these role tests: https://review.openstack.org/#/c/116081/12/keystoneclient/tests/unit/v3/test_roles.py19:54
*** iamjarvo has joined #openstack-keystone19:54
htrutaI was just following the same pattern of the other tests...19:54
htrutawhat about keeping it as it is and sending a follow patch fixing this whole test_roles module?19:55
htrutadoes it make sense?19:55
bknudsonhtruta: ok, submit the patch.19:55
rodrigodshtruta, ++19:56
htrutaI meant after this one. is that ok?19:56
bknudsonhtruta: that's ok... I'm not going to +2 this one until I see the other patch19:56
htrutabknudson: cool19:57
bknudsonso it really doesn't make any difference.19:57
dstanekif that's the case it might as well be rolled into the original, right?19:57
*** pnavarro|off has quit IRC19:57
samueldmqdstanek, ++ fix the first and in a follow-on fix remaining19:58
bknudsonseems best to just roll it into the original, but if it's easier for whatever reason to separate it I'm fine with it.19:58
bknudsonor, submit the patch to fix the other ones first and rebase 116081 on that19:59
*** pnavarro|off has joined #openstack-keystone20:00
htrutabknudson, dstanek: ok... I think I'll roll it into the original first, and then I send another fixing the remaining20:01
*** iamjarvo has quit IRC20:06
*** timcline has joined #openstack-keystone20:22
*** timcline has quit IRC20:22
*** timcline has joined #openstack-keystone20:23
*** samueldmq has quit IRC20:27
*** afazekas has joined #openstack-keystone20:27
*** samueldmq has joined #openstack-keystone20:27
*** afazekas has quit IRC20:34
*** afazekas has joined #openstack-keystone20:37
*** afazekas has quit IRC20:44
*** raildo is now known as raildo|away21:04
*** afazekas has joined #openstack-keystone21:06
*** joesavak has quit IRC21:10
stevemardstanek, ping21:17
stevemarwhat do you mean by thread here? https://bugs.launchpad.net/keystone/+bug/141676721:17
openstackLaunchpad bug 1416767 in Keystone "event_type for role assignment notifications is incorrect" [Medium,In progress] - Assigned to Lin Hua Cheng (lin-hua-cheng)21:17
*** boris-42 has quit IRC21:18
dstanekstevemar: was there any discussion or anything with the people that deal with the auditing? i was hoping to see confirmation that this wouldn't mess anyone up21:18
*** afazekas has quit IRC21:18
stevemarno discussion, just that it didn't match the convention that we usually use21:20
stevemardstanek, ^21:20
dstanekis there any possibility that this could mess up someone's auditing processes?21:20
stevemardstanek, i posted something21:21
stevemarf5 that page21:21
stevemaror whatever it is on mac21:21
dstanekshould we add docimpact or something to flag that the change should be documented (maybe in release/upgrade notes)? or was that notification new for kilo?21:23
*** boris-42 has joined #openstack-keystone21:30
*** mattfarina has quit IRC21:32
*** jamielennox|away is now known as jamielennox21:36
stevemardstanek, good call on the release notes21:36
stevemarthat's a good spot for it, the notification was new in Juno21:36
openstackgerritSteve Martinelli proposed openstack/keystone: Rename notification for create/delete grants  https://review.openstack.org/16750121:37
stevemardstanek, added docImpact21:37
dstanekstevemar: thx!21:40
stevemarnp dstanek fantastic suggestion21:40
*** timcline has quit IRC21:43
*** jamielennox is now known as jamielennox|away21:46
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Support /auth routes for list projects and domains  https://review.openstack.org/16879221:47
*** topol has quit IRC21:51
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Use UUID values in v3 test fixtures  https://review.openstack.org/16854621:52
*** jamielennox|away is now known as jamielennox21:53
samueldmqmorganfainberg, stevemar looking at the federation bug now21:54
lhchengjamielennox: tried out the /auth/projects call, it also returns an empty project list if I used a project scoped token from a federated user.22:02
jamielennoxlhcheng: umm, that's plausible - i remember when we were discussing it we were talking how we want to enforce that you should only rescope an unscoped token22:02
jamielennoxhorizon doesn't persist the unscoped token now?22:03
david-lylejamielennox: yes it does22:03
jamielennoxlhcheng: so that it won't work with the unscoped token then?22:04
david-lylehttps://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/backend.py#L19522:04
lhchengjamielennox: it works with unscoped token22:04
lhchengjamielennox: but not with project scoped token22:05
jamielennoxyea, that makes sense22:05
bknudsonhopefully we allow a user to get an unscoped token even when they have a default project.22:05
lhchengjamielennox: the project scoped token is still not backward compatible22:05
jamielennoxbknudson: there is a call for that somewhere... but in horizon's case it's easy because they are controlling that initial login request and just don't specify scoping information for the first auth call22:06
lhchengfrom what I understand, the project scoped token should still work for list user project22:06
jamielennoxlhcheng: we are specifically moving away from that being allowed, there is actually a config option we introduced this cycle that disallows that22:06
bknudsonjamielennox: if the client doesn't specify the scope then they get a token scoped to the default project.22:06
bknudsonthe user's default project22:07
jamielennoxbknudson: yes, what was ayoung's thing for this... did it ever make it to client22:07
bknudsonI doubt the client was updated... it would have to be in the auth plugins22:08
bknudsonor wherever the scope is set22:08
lhchengjamielennox: I got a workaround to make it work in DOA, just trying to cleanup as much as possible.22:08
jamielennoxlhcheng: yea, so i think for now it might be best to do federated project listing via the federated routes22:09
lhchengjamielennox: yeah, sounds like no choice for now.22:09
jamielennoxif you go via the plugin it will always work, there was somewhere though that you call utils.list_projects or something that i didn't know how to redirect to the plugin22:09
lhchengjamielennox: yeah, we should do that22:10
lhchengjamielennox: was planning to do that, but it seems not straight-forward22:11
lhchengjamielennox: will look at it as followup22:11
jamielennoxright, because the plugin information will be lost between calls22:11
lhchengbknudson: would federated user have concept of default project?22:11
jamielennoxlhcheng: are you still looking at the doa-websso package or just combining into doa22:11
lhchengjamielennox: just combining into doa22:12
jamielennoxdamn, but makes sense22:12
bknudsonlhcheng: when you do federated auth you get an unscoped token22:12
lhchengayoung's thought was federation should be default in the long term22:12
*** nkinder has quit IRC22:13
lhchengbknudson: yeah, thought so.  was confused when you mentioned that token scope will default to default project.22:13
lhchengbut would only apply to non-federated user22:14
lhchengjamielennox: okay, I'll continue with what I have.  Should be ready soon.22:14
ayoungreading up...kind of in family mode though22:16
*** gokrokve has quit IRC22:21
*** henrynash has quit IRC22:21
*** henrynash has joined #openstack-keystone22:21
*** ChanServ sets mode: +v henrynash22:21
lhchengjamielennox: what's the name of the config that limits a project scoped token to only the actions it's supposed to?22:25
lhchengjamielennox: ah found it, allow_rescope_scoped_token22:26
lhchengjamielennox:  Using the unscoped token here fits nicely then for the long term.22:28
jamielennoxlhcheng: yep, i'm just looking at how to ignore the default_project_id and get an unscoped token so can add that to auth plugins22:29
*** ajayaa has joined #openstack-keystone22:37
*** iamjarvo has joined #openstack-keystone22:38
*** iamjarvo has quit IRC22:38
*** iamjarvo has joined #openstack-keystone22:39
*** _cjones_ has quit IRC22:41
lhchengjamielennox: I got the final version of the patch up: https://review.openstack.org/#/c/136178/22:41
lhchengdone with the clean-ups22:41
*** harlowja has quit IRC22:45
*** harlowja_ has joined #openstack-keystone22:45
*** _cjones_ has joined #openstack-keystone22:46
jamielennoxlhcheng: comments22:47
lhchengjamielennox: thanks, looking22:47
*** jaosorior has quit IRC22:52
*** markvoelker has quit IRC22:57
*** gordc has quit IRC22:58
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow requesting an unscoped Token  https://review.openstack.org/16911123:05
jamielennoxlhcheng: ^23:05
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug in Federation list projects endpoint  https://review.openstack.org/15816323:06
jamielennoxthough i guess you don't really care until it's in global requirements23:06
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in Federation list projects endpoint  https://review.openstack.org/16911323:06
samueldmqstevemar, morganfainberg, henrynash ^23:07
lhchengjamielennox: thanks, I'll open a bug to use that in DOA23:09
jamielennoxi only realized how much ksc is missing when i started working with other projects23:10
jamielennoxand still is missing23:10
jamielennoxmorganfainberg: do you remember why we didn't do https://review.openstack.org/#/c/168771/ in Juno?23:12
jamielennoxi think it was raised but there was a reason we couldn't do it23:12
*** zzzeek has quit IRC23:13
jamielennoxbknudson: ^23:13
morganfainbergno idea23:13
jamielennoxI have a feeling there was something about auth_token middleware and matching the 'v3.0' directly - but i can't remember the details23:13
stevemarsamueldmq, thx23:13
samueldmqstevemar, np23:15
*** yasu_ has joined #openstack-keystone23:16
jamielennoxstevemar: can you review https://review.openstack.org/#/c/162529/ - i'd like that in before we do another ksc release, especially if the release is to update auth_token middleware23:16
*** samueldmq has quit IRC23:16
jamielennox(i pick on you because you were trying to do more client reviews)23:16
*** ajayaa has quit IRC23:17
jamielennoxmorganfainberg: did you get far with keystoneauth lib?23:17
morganfainbergjamielennox, i have most of it ready. just was willing to wait a little longer23:18
morganfainbergsince we were up against FFE stuff23:18
morganfainbergi figure i'll push a 1st pass this week/weekend23:18
*** stevemar has quit IRC23:18
jamielennoxmorganfainberg: push? like pypi?23:18
morganfainbergto github23:19
morganfainbergso we can get it into gerrit23:19
jamielennoxok23:19
morganfainbergw/ associated governance/infra changes23:19
*** dims has quit IRC23:38
*** iamjarvo has quit IRC23:39
*** Tahmina has joined #openstack-keystone23:43
bknudsonjamielennox: we didn't up the version in juno or icehouse or havana...23:47
bknudsonmaybe figured it wouldn't be backwards compatible.23:47
*** yasu_ has quit IRC23:47
*** _cjones_ has quit IRC23:52
*** _cjones_ has joined #openstack-keystone23:52
*** markvoelker has joined #openstack-keystone23:53
*** zzzeek has joined #openstack-keystone23:54
*** _cjones_ has quit IRC23:56
*** iamjarvo has joined #openstack-keystone23:56
*** iamjarvo has quit IRC23:57
*** iamjarvo has joined #openstack-keystone23:57
*** samueldmq has joined #openstack-keystone23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!