Wednesday, 2015-04-01

*** harlowja has quit IRC [00:02]
*** harlowja has joined #openstack-keystone [00:03]
*** gokrokve_ has quit IRC [00:17]
*** iamjarvo has quit IRC [00:22]
*** lhcheng_afk is now known as lhcheng [00:23]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug in Federation list projects endpoint  https://review.openstack.org/158163 [00:30]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/169535 [00:39]
*** raildo has quit IRC [00:45]
<jamielennox> morganfainberg: i'm not sure this pecan can be done in any way that it will be accepted [00:53]
<jamielennox> it's just so intertwined [00:53]
*** _cjones_ has quit IRC [00:54]
*** ncoghlan has joined #openstack-keystone [00:58]
<morganfainberg> jamielennox, :( [00:59]
<jamielennox> morganfainberg: step one is probably remove extensions from paste pipeline [00:59]
<jamielennox> those things need to be controlled by config [01:00]
<morganfainberg> jamielennox, well that is on its way in liberty [01:00]
<morganfainberg> no more extensions ;() [01:00]
<morganfainberg> ;) [01:00]
<jamielennox> it's the way we enable/disable that's the issue [01:00]
<jamielennox> morganfainberg: by god it's necessary though, this is pretty horrible [01:03]
*** jimbaker has joined #openstack-keystone [01:03]
<morganfainberg> jamielennox, yeah [01:06]
<morganfainberg> jamielennox, this is why "extensions are going away [01:06]
*** david-lyle has joined #openstack-keystone [01:15]
*** devlaps has quit IRC [01:16]
*** tqtran is now known as tqtran_afk [01:24]
*** diegows has quit IRC [01:25]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Unified Access Info  https://review.openstack.org/135774 [01:26]
*** lhcheng has quit IRC [01:26]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Unified Access Info  https://review.openstack.org/135774 [01:36]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Merge role id and role name  https://review.openstack.org/151657 [01:41]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug in Federation list projects endpoint  https://review.openstack.org/158163 [01:43]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Policy rules managed from a database  https://review.openstack.org/133814 [01:46]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in Federation list projects endpoint  https://review.openstack.org/169113 [01:46]
*** lhcheng has joined #openstack-keystone [01:47]
*** erkules has quit IRC [01:49]
*** erkules_ has joined #openstack-keystone [01:49]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/169535 [01:50]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Template for testing document  https://review.openstack.org/163882 [01:52]
<ayoung> dims_, if you stop updating the damn thing I'll review it! [01:53]
<ayoung> dims_, heh.  I guess it is getting attention anyway.  Thanks for doing that. [01:54]
<dims_> ayoung: was trying to fix what brant pointed out. i think i have it now [01:54]
<dims_> py34,py27,pep8 pass locally as well [01:54]
<ayoung> the mtime thing, dims_ ? [01:54]
<dims_> y [01:54]
<ayoung> cool [01:54]
*** david-lyle has quit IRC [01:55]
<dims_> bknudson: i pick the latest mtime from the list of files in a directory and use that [01:56]
<ayoung> dims_, the way you are putting those magic constants in for times feels icky [01:56]
<ayoung> 1427836546 [01:56]
<ayoung> I assume that you are going with "some randomish number"  rsn+1 srn+2 [01:57]
<dims_> ayoung: it's today's unix time :) [01:57]
<dims_> y i can change it to something else [01:57]
<ayoung> dims_, I'd rather that were actually tested against a real Loonix file system [01:57]
<ayoung> once can overmock [01:58]
<ayoung> one [01:58]
<dims_> i was trying to avoid sleep(s) [01:58]
<dims_> and touch(es) [01:58]
<ayoung> I manage to avoid sleep without trying...wait are we still talking about code? [01:58]
<dims_> :) ya [01:58]
<ayoung> yeah, I understand, but I think that, in this case, the real FS work means we know it actually works [01:58]
*** iamjarvo has joined #openstack-keystone [02:00]
<dims_> k i can fix that [02:00]
<ayoung> dims_, just the fact that you and bknudson had that conversation makes me want it going against the real fs.  I don't trust myself to get stuff like that right.  I trust you only marginally more. [02:01]
<ayoung> Thanks.  I'll add this to the review. [02:01]
<dims_> ayoung: thanks! [02:01]
<ayoung> dims_, this is good stuff. [02:03]
<ayoung> I might actually use this as the start of a general caching mechanism.  We kind of need that [02:03]
<ayoung> I also need to figure out a way to generalize fetching files and sticking them in the cache. [02:04]
<ayoung> jamielennox,  I want the code in policy to be usable by other projects, not just Keystone.  We need a generalizable way to say "fetch the policy file using this api and cache it" [02:05]
<ayoung> maybe that doesn't belong in the policy library, though... [02:05]
<jamielennox> right [02:06]
<samueldmq> morganfainberg, you around ? would like to talk about 'Reload drivers when their domain config is updated' [02:06]
<jamielennox> ayoung: ideally some sort of middleware - and something that can respond to messages from rabbit [02:07]
<ayoung> jamielennox, so...can we really do policy from middleware?  I mean, I could see doing the endpoint-binding as a policy call, but most of the other things need to fetch objects from the database first [02:08]
<ayoung> we had the same thing in Keystone:  certain policy required fetching the object first [02:08]
<jamielennox> ayoung: i'm not sure, i was thinking we'd be able to check it piece by piece but i don't know [02:09]
<jamielennox> probably not [02:09]
<ayoung> for create, you can get away with checking on the request itself,  but update, read, and delete all need to deduce the project from the object. [02:09]
<morganfainberg> samueldmq, hmm? [02:09]
<ayoung> jamielennox, it's why the cloudsample policy is so complicated...something I'd love to be able to simplify [02:10]
<jamielennox> ayoung: right, we need to move those checks out of decorators [02:10]
<morganfainberg> jamielennox, ++ [02:10]
<jamielennox> morganfainberg: that's as far as i got with pecan last time [02:10]
*** lhcheng has quit IRC [02:10]
<morganfainberg> jamielennox, just like notifications are moving out. [02:10]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/169535 [02:10]
<samueldmq> morganfainberg, the thread safe thing .. [02:11]
<samueldmq> morganfainberg, that's not introduced by that patch, right? [02:11]
<dims_> ayoung: done. [02:11]
<morganfainberg> samueldmq, we talked about it in the meeting. we're just going to document the shortcomings for this cycle [02:11]
<ayoung> that was fast! [02:11]
<samueldmq> morganfainberg, ah sorry I missed that .. [02:11]
<samueldmq> morganfainberg, so we raise a bug and fix this for L [02:12]
<ayoung> dims_, you still have the magic numbers in there.  That just an oversight? [02:12]
<jamielennox> ayoung: so long as we build those components from base principles it'll be ok, we can do policy distribution as we figure this stuff out [02:12]
<jamielennox> ayoung: because same for auth_token - i'd love to have like some external but local process that responds to the bus and caches certain information across all worker processes [02:13]
<samueldmq> morganfainberg, the whole keystone engine (controllers, managers, drivers) need to be stateless in order to make keystone thread-safe [02:13]
<ayoung> jamielennox, you mean instead of polling for updates? [02:14]
<jamielennox> ayoung: right [02:14]
<morganfainberg> samueldmq, no [02:14]
<morganfainberg> samueldmq, we mostly already are [02:14]
<morganfainberg> this is a SQL implementation issue [02:14]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/169535 [02:15]
<dims_> ayoung: oops. ya [02:15]
<morganfainberg> samueldmq, sync up w/ henrynash before opening bugs for L on this [02:15]
<samueldmq> morganfainberg, k will go through the meeting log and talk to him tomorrow [02:16]
<samueldmq> morganfainberg, thx [02:16]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/169535 [02:26]
<ayoung> jamielennox, OK...so how this needs to work:  user calls nova, auth token unpacks the token,  nova fetches the resource and calls policy...all as done today.  Now, if the policy file is out of date (the stuff dims_ is working on) the enforcement needs to fetch a new copy.  That code needs to be common across all of the openstack services.  I go back and forth between thinking it should be in oslo.policy or if we externalize [02:29]
<ayoung> d the fetch [02:29]
*** harlowja is now known as harlowja_away [02:29]
<jamielennox> externalize [02:29]
<jamielennox> don't have a policy enforcement library know anything about http [02:30]
<ayoung> jamielennox, ok, so we put a shim library in keystonemiddleware.  It knows enough to call keystone (with a token) to get the policy file [02:32]
<ayoung> and... dims_ code needs to trigger a refetch?  (not tonight dims_ ,you can drive on as you are working now) [02:33]
*** topol has joined #openstack-keystone [02:33]
*** ChanServ sets mode: +v topol [02:33]
<jamielennox> ayoung: i don't know, i don't know if i want middleware driving this either [02:35]
<ayoung> jamielennox, keystone client?  I don't want to make oslo.policy depend on kc [02:35]
<ayoung> its "almost" middleware [02:35]
<jamielennox> right, but we are getting to the point where we have a lot of state being copied around [02:36]
*** _cjones_ has joined #openstack-keystone [02:36]
<jamielennox> can i have keystonecached? [02:36]
<ayoung> jamielennox, yes, yes you can [02:37]
<jamielennox> i talked about this in atlanta i think, we need a process on each auth_token service that can cache all this stuff [02:37]
*** topol_ has joined #openstack-keystone [02:37]
<ayoung> you mean something that proxies the keystoneclient calls, and only makes the actual remote call if the cache is invalid? [02:38]
<jamielennox> especially as we push things to httpd where there isn't caching between processes [02:38]
*** topol_ has quit IRC [02:38]
<jamielennox> ayoung: right, something on a unix socket, or something else quick [02:38]
<ayoung> does it need to be a process? [02:38]
<jamielennox> that can give yes/no answers fast [02:38]
*** topol has quit IRC [02:38]
*** topol has joined #openstack-keystone [02:38]
<jamielennox> ayoung: i don't know what else you can do that can be shared across worker threads [02:38]
*** ChanServ sets mode: +v topol [02:38]
*** topol has quit IRC [02:38]
*** topol has joined #openstack-keystone [02:39]
*** ChanServ sets mode: +v topol [02:39]
*** lhcheng has joined #openstack-keystone [02:40]
<jamielennox> ayoung: because i would want this to be like a TPM, no certs, keys, tokens, user/pass escapes, you ask for a validation, or you ask for if it's available and it responds yes/no [02:40]
<jamielennox> hmm, that doesn't necessarily track with what i've been pushing for with X-Subject-Token - would need to think some more there [02:40]
<dims_> so...update. if https://review.openstack.org/#/c/169535/ passes the check jobs. it's good to go. addressed all comments from everyone AFAICT :) [02:40]
<ayoung> Heh [02:40]
<ayoung> dims_, don't port to nova.  Make nova use oslo.policy instead [02:41]
<dims_> ayoung: y missed the boat on that one [02:42]
<dims_> first thing when trunk reopens [02:42]
<ayoung> ++ [02:42]
<dims_> ayoung: i have it on my list - https://etherpad.openstack.org/p/liberty-nova-summit-ideas [02:43]
<ayoung> dims_, read up the conversation I just had with jamielennox about policy.  Trying to get the rest of the dynamic policy BP laid out [02:44]
<ayoung> jamielennox, the idea of a dedicated process bothers me.  Maybe I am being too particular, but I would rather do the work in the thread handling the request [02:45]
<ayoung> of course, that precludes listening for messaging [02:46]
<ayoung> OK,  let's throw it out as a straw man:  we have a dedicated process that listens to the queues:  one from keystone, one from the webserver, and responds to events from both sides. [02:49]
<ayoung> what if we treated that as an optimization?  The real deal is that we need to keep a cache fresh, and that we can always fetch from Keystone if the cache is stale.  Then the helper process is reduced to keeping the cache fresh.  Nova then looks at the cache, and, if it is stale, will make the request via keystone client [02:50]
<ayoung> that way, if the helper process dies, we degrade gracefully. [02:51]
<ayoung> it will not listen to request from the web server, only from the message queues [02:52]
<ayoung> it is responsible for responding to those messages, but also for making requests if the caches are stale. [02:52]
*** _cjones_ has quit IRC [02:52]
*** _cjones_ has joined #openstack-keystone [02:53]
*** dims_ has quit IRC [02:55]
<jamielennox> ayoung: what i want to get away from is polling everywhere for all these things [02:55]
<jamielennox> we have a message bus [02:55]
<jamielennox> i don't like a dedicated process either [02:56]
<ayoung> but if the service is down, we miss messages.  We need to prime the pump.  So we start by fetching.  Then bring up the listener. [02:56]
<jamielennox> what _would_ be good is writing this stuff as a proper apache module so it gets handled before mod_wsgi [02:56]
<ayoung> hmmm...wrong side of the wire, I think [02:59]
<ayoung> jamielennox, that won't work [02:59]
<jamielennox> ayoung: it won't be accepted anyway [03:00]
<ayoung> nah...I mean that the cache needs to be on the client side of the web connection, not the server side [03:00]
<jamielennox> ayoung: so maybe the thinking here is wrong in that we expect to be able to do this client side [03:03]
<jamielennox> ayoung: say we made keystone a proper PEP [03:03]
<jamielennox> ayoung: such that we had to make an online request to keystone to test policy [03:03]
<ayoung> you mean fire all policy decision over to PEP to check. [03:04]
<jamielennox> ayoung: and then we write a caching process that can run on a local machine, or closer to the service, that can handle this instead of keystone [03:04]
<jamielennox> standard distributed PEP [03:04]
<jamielennox> distributed PEP gets notifications from keystone, fallback to checking via keystone if not available [03:04]
<jamielennox> much better integration with something like congress [03:04]
<ayoung> so  we don't "cache" at all in the services,  we always make a remote call.  Then hide the fact that the remote call is just to the cache [03:05]
<ayoung> interesting idea....very [03:05]
<jamielennox> well, it's still an external process, just on the same machine [03:05]
<jamielennox> now that we don't have to replicate the token table around this is what people have been wanting from a replicated keystone anyway [03:06]
<jamielennox> i like it a lot actually, need to think some more on this [03:06]
<ayoung> deal...and with that, I'm headed to bed [03:07]
*** ayoung is now known as ayoung_ZZZzzz__z [03:07]
<jamielennox> ayoung_ZZZzzz__z: night [03:07]
*** jacer_huawei has quit IRC [03:09]
*** samueldmq has quit IRC [03:10]
*** jacer_huawei has joined #openstack-keystone [03:11]
*** david-lyle has joined #openstack-keystone [03:13]
*** tqtran_afk has quit IRC [03:28]
<openstackgerrit> darren-wang proposed openstack/keystone: Correcting the name of directory holding dev docs in developing.rst.  https://review.openstack.org/169601 [03:35]
<jamielennox> nkinder: like that idea a lot ^ [03:35]
*** jacer_huawei has quit IRC [03:45]
*** jacer_huawei has joined #openstack-keystone [03:46]
*** _cjones_ has quit IRC [03:47]
*** rushiagr_away is now known as rushiagr [03:54]
*** iamjarvo has quit IRC [04:02]
*** lhcheng has quit IRC [04:17]
*** rushiagr is now known as rushiagr_away [04:22]
<openstackgerrit> darren-wang proposed openstack/keystone: Correcting the name of directory holding dev docs in developing.rst. Closes-Bug: #1438983 Change-Id: I4afa0194f5f7cab3c562806b052be6f4a8d38357  https://review.openstack.org/169601 [04:25]
<openstack> bug 1438983 in Keystone "The directory holding dev docs is "doc" instead of "docs"." [Undecided,Fix released] https://launchpad.net/bugs/1438983 - Assigned to DWang (darren-wang) [04:25]
*** lhcheng has joined #openstack-keystone [04:25]
*** krtaylor has quit IRC [04:48]
*** krtaylor has joined #openstack-keystone [04:50]
*** lhcheng has quit IRC [04:56]
*** topol has quit IRC [04:57]
*** rushiagr_away is now known as rushiagr [05:14]
<nkinder> jamielennox: it reminds me of an OCSP responder approach in a way (to offload handling of OCSP checks from a CA) [05:17]
*** rushiagr is now known as rushiagr_away [05:23]
*** topol has joined #openstack-keystone [05:25]
*** ChanServ sets mode: +v topol [05:25]
*** topol has quit IRC [05:34]
*** lhcheng has joined #openstack-keystone [05:40]
*** lhcheng has quit IRC [05:46]
*** packet has quit IRC [06:07]
*** henrynash has joined #openstack-keystone [06:13]
*** ChanServ sets mode: +v henrynash [06:13]
<breton> oh [06:15]
<breton> I like that thingy from ms word [06:15]
*** henrynash has quit IRC [06:18]
*** davechen has joined #openstack-keystone [06:18]
*** KrustyB has joined #openstack-keystone [06:19]
*** afazekas has joined #openstack-keystone [06:21]
*** ParsectiX has joined #openstack-keystone [06:29]
*** ishant has joined #openstack-keystone [06:41]
*** stevemar has joined #openstack-keystone [06:45]
*** ChanServ sets mode: +v stevemar [06:45]
*** stevemar has quit IRC [06:48]
*** henrynash has joined #openstack-keystone [07:00]
*** ChanServ sets mode: +v henrynash [07:00]
*** henrynash has quit IRC [07:02]
*** erkules_ is now known as erkules [07:03]
*** markvoelker has quit IRC [07:09]
*** KrustyB has quit IRC [07:10]
*** jistr has joined #openstack-keystone [07:14]
*** KrustyB has joined #openstack-keystone [07:16]
<openstackgerrit> Dave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog  https://review.openstack.org/144860 [07:22]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Correcting the name of directory holding dev docs  https://review.openstack.org/169601 [07:29]
*** rushiagr_away is now known as rushiagr [07:30]
*** stevemar has joined #openstack-keystone [07:36]
*** ChanServ sets mode: +v stevemar [07:36]
*** rushiagr is now known as rushiagr_away [07:37]
*** dims_ has joined #openstack-keystone [07:50]
*** stevemar has quit IRC [07:50]
*** pnavarro|off has quit IRC [07:51]
*** dims_ has quit IRC [07:55]
*** ncoghlan has quit IRC [08:00]
*** ccard__ has quit IRC [08:04]
<openstackgerrit> Jamie Lennox proposed openstack/keystone: Make Pecan the root routing framework  https://review.openstack.org/65428 [08:09]
*** davidckennedy has joined #openstack-keystone [08:09]
<davidckennedy> Why do I see a paperclip in gerrit now?  Is there a good reason? [08:10]
<breton> davidckennedy: gerrit is based on old MS review tool [08:18]
<breton> davidckennedy: maybe it is some bug [08:18]
*** lhcheng has joined #openstack-keystone [08:20]
<openstackgerrit> Jamie Lennox proposed openstack/keystone: Make Pecan the root routing framework  https://review.openstack.org/65428 [08:34]
*** hogepodge has quit IRC [08:46]
<openstackgerrit> Dave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog  https://review.openstack.org/144860 [08:55]
*** rushiagr_away is now known as rushiagr [09:01]
*** davidckennedy has quit IRC [09:07]
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/137640 [09:17]
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/137778 [09:17]
*** krykowski has joined #openstack-keystone [09:21]
*** lhcheng has quit IRC [09:24]
*** links has joined #openstack-keystone [09:27]
*** KrustyB has quit IRC [09:38]
*** davechen has left #openstack-keystone [09:45]
*** krykowski has quit IRC [09:48]
*** lhcheng has joined #openstack-keystone [09:51]
*** dims_ has joined #openstack-keystone [10:00]
*** dims__ has joined #openstack-keystone [10:01]
*** lhcheng has quit IRC [10:01]
*** dims_ has quit IRC [10:04]
*** rushiagr is now known as rushiagr_away [10:19]
*** rushiagr_away is now known as rushiagr [10:22]
*** jistr has quit IRC [10:23]
*** krykowski has joined #openstack-keystone [10:28]
<openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/167675 [10:35]
*** samueldmq has joined #openstack-keystone [10:35]
*** jistr has joined #openstack-keystone [10:36]
<samueldmq> jamielennox, yeah, now I can see that clippy too o/ [10:36]
*** ishant has quit IRC [10:44]
*** nellysmitt has joined #openstack-keystone [10:50]
<openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/167675 [10:55]
*** lhcheng has joined #openstack-keystone [11:01]
*** lhcheng has quit IRC [11:05]
*** jistr is now known as jistr|demo [11:11]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK  https://review.openstack.org/142472 [11:26]
*** rushiagr is now known as rushiagr_away [11:28]
*** rushiagr_away is now known as rushiagr [11:28]
<breton> samueldmq: re 142472: good to know! Good luck with the issue [11:32]
<samueldmq> breton, yeah, thanks [11:32]
<samueldmq> breton, in fact I have a question ... [11:33]
<samueldmq> breton, do you know if we do need to drop indexes manually? aren't they dropped when we drop the table? [11:33]
<samueldmq> breton, (I committed even with this issue to let you guys know I am still working on this :)) [11:33]
<breton> they should be dropped, yes [11:35]
<breton> oh, wait [11:35]
* breton misread [11:35]
<breton> they are dropped automatically when you drop the table [11:36]
<samueldmq> breton, hmm ok, so maybe my code works removing the drop of the index ... let me check [11:36]
<breton> DROP TABLE always removes any indexes, rules, triggers, and constraints that exist for the target table [11:36]
<samueldmq> breton, ++ nice :) [11:37]
*** amakarov_away is now known as amakarov [11:44]
*** bdossant has joined #openstack-keystone [11:48]
*** davidckennedy has joined #openstack-keystone [11:59]
*** lhcheng has joined #openstack-keystone [12:03]
*** lhcheng has quit IRC [12:07]
*** edmondsw has joined #openstack-keystone [12:13]
*** henrynash has joined #openstack-keystone [12:14]
*** ChanServ sets mode: +v henrynash [12:14]
*** markvoelker has joined #openstack-keystone [12:14]
*** david-lyle_ has joined #openstack-keystone [12:28]
*** atiwari2 has joined #openstack-keystone [12:28]
*** david-lyle_ has quit IRC [12:28]
*** Guest37649 has joined #openstack-keystone [12:29]
*** ChanServ sets mode: +v Guest37649 [12:29]
*** links has quit IRC [12:30]
*** gordc has joined #openstack-keystone [12:30]
*** atiwari1 has quit IRC [12:31]
*** jeffDeville has joined #openstack-keystone [12:31]
<openstackgerrit> henry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/163322 [12:32]
<samueldmq> henrynash, ping - would like to talk about ^ [12:37]
<henrynash> samueldmq: sure [12:38]
<samueldmq> henrynash, let me say what I understood and you correct me if I am wrong [12:39]
<samueldmq> henrynash, we have a loop to load specific drivers [12:39]
<henrynash> :-) [12:39]
<samueldmq> henrynash, and any_sql bool is updated when the first sql driver is found [12:40]
<henrynash> so there is a bug in that code anyway…I’m fixing in a separate defect…but go in [12:40]
<samueldmq> henrynash, in a multithread env, one thread may load one sql driver and update any_sql to true [12:40]
<henrynash> we don't call that method anymore in the case of Identity API configs [12:41]
<samueldmq> henrynash, but in the time between those two actions (load sql driver and set the flag), another thread may check the flag, see it as false and then load another sql driver [12:41]
<henrynash> have you seen the new patch? [12:41]
<samueldmq> henrynash, not yet, but that was the issue, right ? ^ [12:42]
<samueldmq> henrynash, will take a look [12:42]
*** hogepodge has joined #openstack-keystone [12:42]
<henrynash> yes that was one of the issues…so now we don’t allow it! [12:43]
*** jeffDeville has quit IRC [12:43]
<samueldmq> henrynash, so no specific identity sql driver [12:43]
<samueldmq> henrynash, makes sense [12:44]
<samueldmq> henrynash, why not always have the default as sql [12:44]
<henrynash> no, not allowed….although you can, of course, set a specific driver for the default domain, plus other specific LDAP domains…and then leave sql driver in the main config file for another other domains [12:44]
<henrynash> exactly [12:45]
<samueldmq> henrynash, so .. [12:45]
<samueldmq> henrynash, that makes things simpler [12:45]
<samueldmq> henrynash, and https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L521-L530 [12:46]
<samueldmq> henrynash, and we can change this ^ [12:46]
<samueldmq> henrynash, right? [12:46]
*** diegows has joined #openstack-keystone [12:46]
<henrynash> remember we still support it for file-based domain-specific configurations [12:47]
<henrynash> (didn’t want to take it away since it is already out there) [12:47]
<henrynash> so we can’t fix that bit of code, no [12:47]
<samueldmq> henrynash, oh yes, I was going to break ppl :/ [12:47]
<samueldmq> henrynash, ++ [12:48]
<samueldmq> henrynash, so this is just for new deployments using the API config setup, right? [12:48]
<henrynash> yes [12:49]
<samueldmq> henrynash, you made something in keystone manage to migrate files to database, right? [12:49]
<henrynash> yes…keystone-manage supports a migration [12:50]
<samueldmq> henrynash, this wouldn't break if ppl already using domain-specific config from files do: [12:50]
<samueldmq> henrynash, i) load files using the keystone manage [12:50]
<samueldmq> henrynash, ii) setup their keystone [12:50]
<samueldmq> henrynash, shouldn't they be expecting that to work as previously? [12:51]
<samueldmq> if you understand my point ... [12:51]
<henrynash> samueldmq: it would, yes…and I have made a note in the configuration.rst that sql drivers are not supported with this experimental feature [12:51]
*** diegows has quit IRC [12:51]
<henrynash> and since we don’t remove the files, they could switch back off the API version, and the files based ones we leap back into use [12:52]
<samueldmq> henrynash, configs from files is stable? [12:52]
<henrynash> yes [12:52]
<samueldmq> henrynash, k then [12:52]
<henrynash> (at least we have never said it’s not!) [12:52]
<henrynash> it was in icehouse [12:52]
<samueldmq> henrynash, now just another thing .. why can't we support multiple sql? [12:52]
<henrynash> or even before? [12:53]
<samueldmq> henrynash, yes I think it's stable [12:53]
<samueldmq> :) [12:53]
<henrynash> so I’m working on that…..it’s meant to be due to sqlalchemy not supporting multiple instantiations of itself…but I’ve never actually tried it [12:53]
<henrynash> that’s on my list of L [12:53]
<samueldmq> henrynash, nice, will be a great step to have it [12:54]
<henrynash> agreed [12:54]
<samueldmq> henrynash, I feel like a kid waiting for Christmas [12:54]
<samueldmq> henrynash, L will be great! [12:55]
<henrynash> :-) [12:55]
<samueldmq> henrynash, btw, thank you for your review on that federation bug [12:55]
<henrynash> np…good to get that fix in [12:55]
<samueldmq> :-) [12:55]
<samueldmq> henrynash, any remaining bug on inheritance will go away with the refactoring of list_role_assignments [12:56]
<samueldmq> henrynash, where methods that need that logic will call list_role_assignments on manager layer [12:56]
<henrynash> yeah…let's get that in early in L [12:56]
<samueldmq> henrynash, yeah [12:56]
<henrynash> master will open up for L maybe end of next week…. [12:57]
*** raildo|away is now known as raildo [12:57]
<henrynash> so not long to wait [12:57]
<samueldmq> henrynash, great! [12:57]
<samueldmq> henrynash, btw, did you see the clippy in the gerrit review page? [12:57]
<samueldmq> henrynash, Happy April Fool's Day! :) [12:57]
<henrynash> I bloody did…..that’s a real blast from the past! [12:58]
<samueldmq> haha yeah [12:58]
<henrynash> ok, be back on line later… [12:59]
*** mattfarina has joined #openstack-keystone [12:59]
<dims__> hi anyone here comfortable enough to +2A a oslo.policy change? https://review.openstack.org/#/c/169535/ [13:02]
<rodrigods> dims__, looking [13:02]
<dims__> rodrigods: thanks [13:05]
<rodrigods> dims__, done [13:10]
*** bknudson has quit IRC [13:10]
<dims__> thanks [13:10]
*** jaosorior has joined #openstack-keystone [13:11]
*** nkinder has quit IRC [13:17]
*** davidcke1 has joined #openstack-keystone [13:21]
*** viktors has joined #openstack-keystone [13:22]
*** davidckennedy has quit IRC [13:23]
*** joesavak has joined #openstack-keystone [13:26]
-openstackstatus- NOTICE: gerrit has been restarted to restore event streaming. any change events missed by zuul (between 12:48 and 13:28 utc) will need to be rechecked or have new approval votes set [13:28]
*** Guest37649 has quit IRC [13:29]
*** Olena has joined #openstack-keystone [13:31]
*** lastops has joined #openstack-keystone [13:32]
*** erkules has quit IRC [13:32]
*** erkules has joined #openstack-keystone [13:32]
<henrynash> morganfainberg, ayoung, dstanek: new patch for last domain-sql change is now available: https://review.openstack.org/#/c/163322/ [13:36]
<dstanek> henrynash: nice. is this one of the FFEs? [13:38]
<henrynash> dstanek: yep, as discussed in irc meeting yesterday…. [13:38]
<dstanek> henrynash: great, i'll have another look [13:39]
<openstackgerrit> Matt Fischer proposed openstack/keystone: Add a Lotto token provider  https://review.openstack.org/169747 [13:40]
<mfisch> guys I'm really hoping I can get a Feature Freeze Exception on that ^ [13:40]
<dstanek> mfisch: lol [13:40]
<dstanek> mfisch: i should +2A to make the joke complete [13:41]
<mfisch> lol [13:41]
*** diegows has joined #openstack-keystone [13:46]
<samueldmq> henrynash, left a comment on the domain-sql, let me know if that makes sense or if you have any comment on my review [13:46]
<samueldmq> mfisch, ahha :-) [13:48]
*** sigmavirus24_awa is now known as sigmavirus24 [13:48]
<Olena> hi everyone! Does anyone know about keyring support? [13:51]
*** henrynash has quit IRC [13:52]
<Olena> I am new in OS (I work as a tech writer). And I'm stuck with a bug https://launchpad.net/bugs/1419990 (patch https://review.openstack.org/#/c/163503/) [13:52]
<openstack> Launchpad bug 1419990 in openstack-manuals "Keyring support" [Medium,In progress] - Assigned to ologvinova (ologvinova) [13:52]
<Olena> Does the page http://docs.openstack.org/user-guide/content/cli_openrc.html contain info about python-keystoneclient only, or both python-keystoneclient and python-openstackclient? And should we remove the keyring support part here, or do some re-wording? [13:53]
*** sigmavirus24 is now known as sigmavirus24_awa [13:55]
*** iamjarvo has joined #openstack-keystone [13:59]
<samueldmq> mfisch, reviewed your patch, there is an issue in there [14:00]
<samueldmq> mfisch, fixing that should make this be merged today on master, thanks! [14:00]
*** nkinder has joined #openstack-keystone [14:00]
<samueldmq> :-) [14:00]
<mfisch> yeah I can't believe I misspelled fernet! [14:00]
<mfisch> oh wow good catch! [14:01]
<samueldmq> mfisch, yeah that one too (in fernet name) ;) [14:01]
<mfisch> man I need to do better testing [14:02]
<mfisch> and on that number thing, no wonder I never win [14:02]
<samueldmq> mfisch, also fix power_ball range, if it needs to include 35 :) [14:03]
<mfisch> I don't even know for sure ;) [14:03]
<samueldmq> mfisch, we have no time for tests, this needs to arrive asap, please just fix those issues and let's have it [14:03]
<mfisch> lol [14:04]
*** ParsectiX has quit IRC [14:04]
<samueldmq> mfisch, :-) [14:04]
*** sigmavirus24_awa is now known as sigmavirus24 [14:04]
<samueldmq> mfisch, need to go now, have a happy April fool's day! [14:04]
<mfisch> thanks you too ;) [14:04]
<openstackgerrit> Matt Fischer proposed openstack/keystone: Add a Lotto token provider  https://review.openstack.org/169747 [14:13]
*** rushiagr is now known as rushiagr_away [14:14]
*** timcline has joined #openstack-keystone [14:21]
*** bdossant_ has joined #openstack-keystone [14:23]
*** bdossant has quit IRC [14:25]
*** bknudson has joined #openstack-keystone [14:28]
*** ChanServ sets mode: +v bknudson [14:28]
*** davidcke1 has quit IRC [14:36]
*** diegows has quit IRC [14:43]
*** carlosmarin has joined #openstack-keystone [14:43]
*** timcline_ has joined #openstack-keystone [14:49]
*** timcline has quit IRC [14:49]
*** timcline has joined #openstack-keystone [14:51]
*** timcline_ has quit IRC [14:53]
*** davechen has joined #openstack-keystone [14:59]
*** Bsony has joined #openstack-keystone [15:00]
*** nellysmi_ has joined #openstack-keystone [15:03]
*** nellysmitt has quit IRC [15:04]
*** nellysmitt has joined #openstack-keystone [15:04]
<davechen> Hi, I have setup a multi-node OpenStack environment, and compute services are running on each node, but I found there is no information about the compute service except the controller node. [15:04]
<davechen> Is this correct? [15:04]
*** packet has joined #openstack-keystone [15:04]
<davechen> I assume there should be some endpoints track the services on different nodes, am I wrong? [15:05]
*** nellysmitt has quit IRC [15:05]
<davechen> Is there a way I can know from Keystone about the services running on different nodes? [15:07]
*** nellysmi_ has quit IRC [15:08]
*** bdossant_ has quit IRC [15:09]
*** rushiagr_away is now known as rushiagr [15:11]
*** arunkant has quit IRC [15:16]
*** bdossant has joined #openstack-keystone [15:17]
*** bdossant has quit IRC [15:21]
<amakarov> davechen, have you tried nova cli? [15:21]
*** bdossant has joined #openstack-keystone [15:21]
<openstackgerrit> ayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/138519 [15:22]
*** henrynash has joined #openstack-keystone [15:25]
*** ChanServ sets mode: +v henrynash [15:25]
*** arunkant has joined #openstack-keystone [15:29]
*** ayoung_ZZZzzz__z is now known as ayoung_snort [15:30]
*** ayoung_snort is now known as ayoung_yawn [15:31]
*** ayoung_yawn is now known as ayoung_grumble [15:31]
*** ayoung_grumble is now known as ayoung [15:31]
*** davechen has quit IRC [15:33]
<henrynash> samueldmq: does delattr actually take a “None” third param? [15:34]
*** davechen has joined #openstack-keystone [15:34]
*** toabctl has joined #openstack-keystone [15:35]
<toabctl> how can I associate policies in juno? seems that it's possible to create new policies with v3 API and the openstackclient but I can't find a way to associate the created policy with an endpoint or service. [15:36]
<toabctl> is that WIP? [15:36]
<davechen> amakarov: It's told me I am not authorized, I guess my ENV is broken. :-( [15:36]
<davechen> amakarov: Horizon shows the same error message. [15:37]
<amakarov> davechen, if you deploy devstack you have to source ~./openrc in order to use cli: did you? [15:38]
<david-lyle> toabctl: the only way to use that API is have the service push the policy blob and then consume it via the uuid returned [15:39]
<david-lyle> it's not actually useful, IMO [15:39]
<david-lyle> centralized policy management is slated for a take 2 in Liberty [15:40]
<david-lyle> ayoung has some efforts there [15:40]
*** lhcheng has joined #openstack-keystone [15:40]
<ayoung> LIES! [15:40]
<ayoung> Wait, what? [15:40]
<david-lyle> toabctl: asked about the existing policy API [15:40]
ayoungHeh15:40
david-lyleI'm trying to say RUN! kindly15:41
ayoungtoabctl, lots of Blueprints for it15:41
toabctldavid-lyle: hm. so is there any way to override the policy without changing /etc/keystone/policy.json ? I recognized that there is the policy_dirs var, but that's just for kilo15:41
davechenamakarov: sure, I sourced it. I think I need reinstallation to see what's in it.15:41
ayoungtoabctl, Nope15:41
toabctlayoung: "no" for the override question?15:41
david-lylehence the need for a centralized solution15:41
ayoungtoabctl, treat it as a config file, and manage with Puppet, Chef, Ansible, CFEngine, or JbossOperationalNetwork15:41
ayoungtoabctl, you must change the policy file15:41
ayoungyou want to change the policy file15:42
* ayoung drinking too much April 1st Kool Aid15:42
ayoungtoabctl, https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/15:42
amakarovdavechen, sounds like "90% of notebook failures may be solved with a vacuum cleaner" :)15:42
amakarovs/notebook/laptop/15:43
*** lhcheng has quit IRC15:44
davechenamakarov: pity, I am not using laptop, but it failed as well. :P15:44
ayoungamakarov, s/laptop/puppy/15:44
* amakarov wonders what puppy issues ayoung solved with vacuum cleaner15:45
ayoungamakarov, s/solved/exacerbated/15:46
toabctlayoung: thanks for the link. so for kilo, there will be the policy_dirs var to override policies, right? or is the api already usable in kilo?15:46
ayoungtoabctl, why are you making me be the one to give you all the bad news?15:47
ayoungtoabctl, we just got policy graduated as a library15:47
ayoungonly Keystone is using the policy library15:47
toabctlayoung: you seems to be willing to answer :-)15:47
*** _cjones_ has joined #openstack-keystone15:47
ayoungso the other services are still doing the "clone from oslo incubator" approach15:47
ayoungwhich means it really depends on when they cloned what features they have15:47
ayoungI'm pretty sure the policy code for the dir went in early enough that most of them picked it up, but to be honest, you'd have to inspect each project to be sure15:48
toabctlayoung: but at least there's the policy_dirs . that's already an improvement..15:48
ayoungtoabctl, for Keystone, sure15:48
ayoungwell, I'm not 100% certain it is an improvement, but if it solves your problem, good15:48
ayoungI suspect it is actually going to be problematic long term, but I15:49
ayoung''m an optimist15:49
toabctl:)15:49
*** Guest54459 is now known as h_m15:49
ayoungI think we need to actually merge the policy files inside the keystone server, and then have each service use one and only one, otherwise we'll have the potential for rules conflicts...we might have that anyway15:49
ayoungnot certain how the dirs thing is supposed to work...let me go read up on it...15:50
openstackgerrithenry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332215:50
*** henrynash has quit IRC15:52
ayoungtoabctl, shudder.15:53
*** iamjarvo has quit IRC15:53
ayoungtoabctl, its as bad as I thought15:53
david-lyleayoung: the problem is a "default" rule that works across services15:53
david-lylewhen trying to combine15:53
ayoungdavid-lyle, default is one of many problems, yes15:54
ayoungdavid-lyle, then there is the whole "where do we find the project_id to match against the token" rule, as it varies from object to object15:54
david-lyleone of many15:54
david-lyleand other ownership targets15:55
*** davechen has left #openstack-keystone15:55
ayoungand domains will make it even more fun.  So far, domains are confined to Keystone, but I assure you one of the other projects will find they desperately need them soon15:55
david-lyle2 years later15:55
ayoungand other ownership targets, like user, and I'm sure someone is going to want Openstack specific groups that are not projects15:55
ayoungOK,  I'm going to add a slide to my policy presentation "the dangers of policy.d"15:56
*** krykowski has quit IRC15:56
david-lyleayoung, I know I'm going to regret this, but I'm willing to fight the policy fight with you15:56
ayoungdavid-lyle, I know you guys need it.  It is part of what drove the design15:57
ayoungThe thing we haven't done yet is provided you with a way to do "if I have this token, what can I do with it"15:57
david-lyleyes, and I'm embarrassed by what we have now15:57
ayoungWhich is, basically:  [rule for rule in policy where rule.matches(...)]15:58
david-lyleayoung: that would be ideal, but that mapping becomes very difficult15:58
david-lyleI suppose as long as you return the rule id with the approved, we can map15:59
david-lylethe problem is if new rules are added15:59
david-lyleso horizon knows about action X, what if it's not in the policy file15:59
*** bdossant has quit IRC15:59
david-lyleit won't return approved15:59
david-lyles/approved/allowed/15:59
david-lyleso if someone starts changing the policy rules mapped, I get lost on the consumption side16:00
david-lyleso then do you return the exhaustive list of allowed/not-allowed?16:01
david-lyleand I allow the others?16:01
david-lylebut that list is potentially huge depending on the size of my service catalog16:01
ayoungI suspect that the horizon solution would be to cherry pick rules16:02
ayoung"in order to show the create vm page, make sure the compute:create_vm rule passes" type things16:03
david-lyleayoung, yes, but what if the operator removes the entry for compute:create_vm16:04
ayoungif the policy files are changed, we need a way to synchronize across the cluster.  jamielennox and I were discussing last night.16:04
ayoungI don't think "remove" is going to be possible for a customized policy file, just "override"16:04
david-lylethe more likely case is Horizon supports an extension that requires a rule that may not be mapped yet16:04
ayoungwe are going to need an inventory of rules16:04
ayoungthat inventory may be a subset, but will be the minimal required set16:05
ayoungdavid-lyle, the SQL backend will help with all this16:05
ayoungas will the default policy file and fetch the files from Keystone16:05
ayoungand all that depends on this patch believe it or not:  https://review.openstack.org/#/c/138519/16:06
ayoungI need a unified access info so we can standardize the policy execution16:06
ayoungand...I need a place to put that and make it work...which probably should not be in oslo.policy16:06
ayoungwe were talking about middleware, but it can't be a straight middleware piece.16:07
ayoungIt needs to be a library call.16:07
ayoungMany of the calls need to fetch an object from the database before we can enforce policy on them16:07
ayoungI think Horizon is going to be limited to checking the policy rules that do not require fetching the objects16:08
ayoungcreate and list16:08
ayoungnot modify or delelte16:08
ayoungdelete16:08
david-lyleI'm not sure that's sufficient16:09
david-lylehmm, we let the user do all the work and then have the API reject them16:09
david-lylenot a great user experience16:10
david-lylebecause it's about gets too16:10
david-lyleget the details of an object16:11
david-lyleI provide a link, then the call fails and reports errors16:11
*** devlaps has joined #openstack-keystone16:13
ayoungdavid-lyle, well, Horizon could fake it.  You don't need a real object, just one that looks like, say, a glance image or a nova VM16:14
ayoungso long as you check the project id matches16:14
ayoungmaybe some sort of adapter pattern  where we register a bunch of objects and you pass on object, it checks the type, and gets you the project id off of it.  Then you could do a mock one based on the existing project id?16:15
*** tqtran_afk has joined #openstack-keystone16:16
ayoungdavid-lyle, I get the first slot to talk about all this:  https://www.openstack.org/summit/vancouver-2015/schedule/16:17
ayoungthe more stuff you throw at me ahead of time, the better that talk will be16:17
*** tqtran_afk is now known as tqtran16:18
*** ayoung has quit IRC16:41
*** sigmavirus24 is now known as sigmavirus24_awa16:43
*** sigmavirus24_awa is now known as sigmavirus2416:43
*** jistr|demo has quit IRC16:47
*** dims__ has quit IRC16:53
*** dims_ has joined #openstack-keystone16:53
*** ayoung has joined #openstack-keystone16:55
*** ChanServ sets mode: +v ayoung16:55
*** lhcheng has joined #openstack-keystone16:56
ayoungdavid-lyle, care to push the button on this one:  https://review.openstack.org/#/c/136178/16:58
david-lyleayoung: looking17:00
*** amakarov is now known as amakarov_away17:01
*** harlowja_away is now known as harlowja17:02
*** pnavarro|off has joined #openstack-keystone17:04
*** _cjones_ has quit IRC17:06
*** _cjones_ has joined #openstack-keystone17:13
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3  https://review.openstack.org/11608117:18
*** iamjarvo has joined #openstack-keystone17:19
*** stevemar has joined #openstack-keystone17:20
*** ChanServ sets mode: +v stevemar17:20
*** pnavarro|off has quit IRC17:23
*** zzzeek has joined #openstack-keystone17:27
morganfainbergayoung: david-lyle so I've been thinking on the policy front a lot. What if we really focused down the policy bits to the surface API only. The classic example is nova boot. If I am granted the ability to nova boot we work to make that role (plus the appropriate service token) sufficient to perform all actions needed to do instance create.17:30
ayoungmorganfainberg, way ahead of you17:30
morganfainbergThe backscroll was a bit in depth so I may have missed where you covered that.17:31
ayoungmorganfainberg, nah, I meant in the policy work17:32
*** jaosorior has quit IRC17:32
morganfainbergRight. That is what I was referencing.17:32
ayoungmorganfainberg, but that is kindof what I meant by cherry picking17:32
ayounginstead of horizon needing to look at all the rules, it picks the ones that are most representative of what it needs to show17:33
ayoungmorganfainberg, btw, don't bother him right now, as he is reviewing an ultra critical patch for us!17:33
ayounghttps://review.openstack.org/#/c/136178/17:33
morganfainbergAnnnnd as entertained as I am by the April 1 infra joke... I am sad that it gets in the way of mobile usage of gerrit. :(17:35
morganfainbergIt jumps around randomly and you can't move it.17:36
stevemardolphm, lbragstad around? i have fernet questions17:37
*** diegows has joined #openstack-keystone17:37
morganfainbergstevemar: dolphm won't be around. lbragstad might be.17:37
morganfainbergstevemar: you should just ask about fernet tokens ;) someone else may be able to answer.17:38
stevemarmorganfainberg, i was just going to do that17:38
stevemarhow is a single fernet token invalidated?17:38
stevemarand how can we invalidate the token for a specific user?17:40
morganfainbergstevemar: we can. You invalidate it by audit Id17:40
morganfainbergIt's the same way we achieved parity with the TRL for revocation events for uuid/pki tokens.17:41
morganfainbergUsually you should not invalidate a specific token though.17:41
*** bandwidth has joined #openstack-keystone17:42
morganfainbergInvalidate for all tokens for a user is again a revocation event: user, timestamp that indicate tokens issued before are no longer valid.17:42
bknudsonfernet doesn't support DELETE ?17:42
morganfainbergstevemar: then that is a bug that is a release blocker.17:43
* morganfainberg sighs.17:43
morganfainbergbknudson: ^ if that is the case17:43
morganfainbergNot stevemar :P17:43
bknudsonwhy wouldn't it?17:43
morganfainbergIt should! ;)17:43
morganfainbergAs far as I know it does.17:44
morganfainbergBut if it doesn't it would be a release blocker.17:44
stevemarblah, i need to read the spec more, are there any awesome docs on this?17:44
bknudsonthere should be a need for fernet to say it supports DELETE of the token.17:45
stevemarmorganfainberg, for specs that didn't land in Kilo, do you want them in a liberty approved specs directory, or in the backlog?17:45
bknudsonshouldn't17:45
*** edmondsw has quit IRC17:45
bandwidthI'm trying to integrate keystone (OS-FEDERATION) with Shibboleth, I have issues while trying to obtain an unscoped token (Unable to locate metadata for identity provider)17:46
*** edmondsw has joined #openstack-keystone17:46
morganfainbergbknudson: fernet should just support delete.17:46
morganfainbergbknudson: it's part of the provider base.17:46
morganfainbergbknudson: it should be specific magic to accomplish it.17:46
bandwidthis there any configuration samples out there that I could use? the documentation is not clear to me17:46
morganfainbergstevemar: we should probably backlog them. Unless we are fast approving them (see my email to the ml on opening liberty specs)17:47
*** spandhe has joined #openstack-keystone17:48
* morganfainberg has to run to meeting now.17:48
*** ljfisher has joined #openstack-keystone17:48
stevemarbandwidth, there is an awesome doc here: https://zenodo.org/record/11982/files/CERN_openlab_Luca_Tartarini.pdf17:49
stevemarsection 4.1 talks about metadata17:50
ayoungdelete would be handled by the revocation API, and would revoke on....17:50
bandwidthstevemar: wow, thank you very much! I should have asked here before 2 days ago ;)17:51
ayoungaudit id?17:51
ayoungYeah, revoke by audit id or audit chain17:51
ayoungmorganfainberg, pretty sure it does.  Unit tests would not have run for it if it didn't support delete17:52
stevemarbandwidth, never hesitate to bug the #openstack-keystone channel with questions! helping each other is why we're all here17:52
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/core.py#n16917:52
morganfainbergayoung: exactly.which is why I said it would be a release blocker if it didn't17:52
morganfainbergayoung: it wouldn't be just Fernet broken.17:53
bandwidthstevemar: thanks!17:53
*** afazekas has quit IRC17:53
ayounghttps://twitter.com/termie/status/58305975283542016017:54
dstanekstill 12 bugs to go!17:55
*** timcline has quit IRC17:57
stevemarayoung, thats a pretty good convo18:00
ayoungstevemar, I want to unify oauth and trusts.  The18:01
ayoungoauth consumers can be transient users in a specific domain18:01
ayoungwe didn't have that abstraction back then18:02
*** diegows has quit IRC18:02
stevemarayoung, my mind is not in the right head space for delegation right now. but it could work18:03
ayoungstevemar, its at the tail end of the policy work  "unified delegation mechanism"18:03
stevemarunify all the things!18:03
ayoungthe front end of the policy work is me getting a late lunch18:03
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Move specs that didn't land in Kilo to the backlog  https://review.openstack.org/16986218:08
stevemarmorganfainberg, ayoung, bknudson ^18:08
*** stevemar has quit IRC18:09
*** stevemar has joined #openstack-keystone18:10
*** ChanServ sets mode: +v stevemar18:10
raildostevemar, and for specs that are not yet approved? We need to change something?18:11
ayoungraildo, all should be submitted against backlog, not a release18:12
raildoayoung,ok  thanks :)18:12
stevemargot disconnected there for a sec18:13
lbragstadstevemar: whats up?18:13
iamjarvohey, so when using ldap and i create a user and add a role to the user using keystone.roles.grant a record does not seem to be added in the assignment table18:14
stevemariamjarvo, it should be... thats a bit weird if it doesn't18:15
stevemarlbragstad, had fernet questions, let me dig them up18:15
stevemarlbragstad, do you have any other docs for fernet? blog or otherwise?18:17
openstackgerritMerged openstack/keystone-specs: Move specs that didn't land in Kilo to the backlog  https://review.openstack.org/16986218:21
*** diegows has joined #openstack-keystone18:22
iamjarvostevemar it does! I was using it incorrectly. I do have a question though: I am running into problems with knowing when to pass in an actual object or the name or id in string format. i.e def grant(self, role, user=None, group=None, domain=None, project=None)  i assumed domain should be a domain object. What's the best way to figure it out? I read the method in question but still seems vague18:26
*** Bsony_ has joined #openstack-keystone18:27
*** Bsony has quit IRC18:27
stevemariamjarvo, if you're using keystoneclient then usually it's smart enough to accept both object and uuid. it should be doc'ed in the APIs, lemme pull them up18:28
ayoungiamjarvo, and there is no error?18:32
iamjarvostevemar based on the behavior that we are seeing i think it wants "domain_id"18:32
ayoungah...nevermind18:32
iamjarvoayoung nope just doesnt get created18:32
ayoungthat is not friendly18:32
ayoungI assume the API is supposed to return a 404 if it can't find any of the components of the assignment18:32
*** Bsony_ has quit IRC18:36
lbragstadstevemar: we have the docs that exist in the keystone code-base18:36
lbragstadstevemar: I think those live in configuration.rst?18:36
iamjarvoayoung you are right it does give a 404 for resource not found.keystone.roles.grant(user=user, role=role, project=project) / project needs an object. keystone.roles.grant(user=user, role=role, project="admin") fails with 40418:37
ayoung"You'll laugh, you'll cry, and you'll probably want to rewrite everything in Go."  --termie18:38
*** jaosorior has joined #openstack-keystone18:38
rodrigodsayoung, will be there18:38
lbragstadstevemar: I have unofficial documentation scattered around too though18:39
*** pnavarro|off has joined #openstack-keystone18:42
*** carlosmarin has quit IRC18:54
*** carlosmarin has joined #openstack-keystone18:56
ayounglbragstad, dolphm dstanek, we should look at what it would take to use Kite to share keys between keystone servers in a Fernet deployment18:59
morganfainbergayoung: or... We give recommendations like ansible in our docs.19:00
morganfainbergayoung: unless we make it so kite is independent of keystone itself (optional). I don't want keystone to be responsible to manage key distribution (built-in)19:01
morganfainbergIs all19:01
morganfainbergEven if it is via another service, the builtin part isn't what we need to be doing.19:02
ayoungmorganfainberg, As I said, we should look into it.  I think  Kite will probably be a better tool for it than Ansible, and we are the Kite umbrella project, unless we are going to kill it.19:02
*** iamjarvo has quit IRC19:02
morganfainbergNo Barbican is19:03
dstanekkite would be interesting. if someone is using it (and we can take advantage of it) it would be pretty cool to enable19:03
morganfainbergAnd kite is fine, just I want to make sure we clearly make it "not keystone" synchronizing the keys ;)19:03
ayoungAh, right.  OK,  if its not us, we don't have to field the questions19:04
ayoungdstanek, yeah,  Kite is actually designed for symmetric key sharing amongst groups, perfect for the Fernet use case19:05
dstaneki know next to nothing about it - i'll have to stand it up and poke at it19:05
morganfainbergayoung: synchronizing keys and such is a good Devops problem. We can make recommendations / best practices opinions. But keystone should be just the consumer and exactly right, we don't own/lock in a single solution we have to permanently maintain.19:06
ayoungmorganfainberg, I was thinking we owned Kite.19:06
ayoungIt not being our problem makes me less concerned19:06
morganfainbergNope. We handed off to Barbican. And afaik it died.19:06
ayoungI wonder if  we could Use Kerberos for Key management...I'll ask Simo.19:07
morganfainbergSince no one was using it / wanted to.19:07
*** tellesnobrega_ has joined #openstack-keystone19:07
bknudsonkite was requested for securing the message bus... did that whole project go away?19:08
*** tellesnobrega_ has quit IRC19:08
morganfainbergbknudson: afaik yes.19:08
bknudsonthere's no way to secure the message bus?19:08
morganfainbergThat initiative didn't go anywhere last I saw.19:08
*** pnavarro|off has quit IRC19:10
lhchenglbragstad: qq, fernet tokens is also available for keystone v2?19:10
lbragstadlhcheng: yep19:10
*** lifeless has quit IRC19:11
lhchenglbragstad: cool. I am a bit late, going to try it out.  Thanks!19:12
lbragstadlhcheng: no problem19:12
*** iamjarvo has joined #openstack-keystone19:12
*** iamjarvo has quit IRC19:12
*** iamjarvo has joined #openstack-keystone19:13
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300719:16
*** rushiagr is now known as rushiagr_away19:21
lbragstadso if you decide that you only need to rotate every 3 hours, it changes from 1440 / 180 = 819:21
*** jbonjean has quit IRC19:24
ayoungSo, the message bus itself can be secured, but the issue is that the messages themselves are not signed.  I don't know if Rabbit Supports TLS, but I would assume it does...me goes to check, and then I have a surprise...19:25
ayounghttps://www.rabbitmq.com/ssl.html19:25
ayoungWe are also looking into SASL support for Rabbit.  No promises, but we might be able to do something to integrate Rabbit with Kerberos.19:25
ayounghttps://www.rabbitmq.com/ssl.html19:26
*** jbonjean has joined #openstack-keystone19:28
edmondswbesides signing, it would be nice for the message bus traffic to be encrypted in a way that rabbit can't decrypt and therefore can't log, etc.19:30
edmondswif kite really has gone away, that's very disappointing19:31
ayoungedmondsw, nah, it is just resting.19:37
ayoungIts all shagged out from a prolonged squawk19:37
*** lifeless has joined #openstack-keystone19:40
*** htruta has quit IRC19:40
*** obedmr has joined #openstack-keystone19:43
*** rm_work is now known as rm_work|away19:43
obedmrhi all, I'm getting a SSL exception when connecting to a (SSL enabled keystone), I'm posting some details here http://paste.openstack.org/show/197820/ ; thanks for your help.19:43
ayoungobedmr, what error?19:44
obedmrhi ayoung: it's not giving so much details, even when I enabled the debug mode19:44
ayoungobedmr, can you hit the Keystone server from CURL or a web browser?19:45
ayoungIf the issue is SSL, it is probably going to show up in any web request19:45
ayoungobedmr, running in HTTPD or Eventlet?19:45
obedmrayoung: it's running with Eventlet19:46
ayoungUse HTTPD for SSL19:46
obedmrayoung: is there any documentation for doing it with HTTPD?19:47
ayoungIts the default now.19:47
ayoungobedmr, this a new install?19:47
obedmryes19:47
ayoungRDO?19:47
ayoungHow are you installing/running?19:48
obedmrI'm installing it in CentOS 7.0, using vagrant19:48
ayoungI know nothing of Vagrant19:49
obedmrwell, basically it's hosted in VirtualBox VMs19:49
ayoungobedmr, using the RDO packages or straight from repos or what does it do?19:50
ayoungAh,  precanned VMs with Keystone in them?19:50
obedmrI followed the Offical documentation from docs.openstack, step by step19:50
obedmrthe Installation guide for Red Hat, CentOS, etc19:51
ayoungobedmr, ok,  so running in HTTPD is pretty straight forward, but I always do it by hand...19:51
ayoungyou can look at what Devstack does.19:51
iamjarvoI am wondering why this domain isn't being found http://pastie.org/private/bx1qdhgsh6gxf8mvdhxpg i am thinking it might be the ldap setup19:52
ayoungI'm, sure there are instructions somewhere, too19:52
ayoungiamjarvo, LDAP identity? Doesn't support multiple domains.  So I assume SQL identity, domain specific backend?19:52
iamjarvoayoung but its aware if you do the conf file for each domain19:53
ayoungthat sounds right19:53
ayoungbut it should be able to find the domain...maybe give an error if the config is bad19:53
*** bandwidth has quit IRC19:55
* obedmr taking a look on devstack's ssl configuration19:55
edmondswobedmr, this doesn't look terribly complete but it's a start: http://docs.openstack.org/developer/keystone/apache-httpd.html19:57
ayoungobedmr, if you run devstack, it sets up  Keystone in HTTPD.  You can then copy over the config files etc.  to your new setup if you want.19:57
iamjarvoayoung are you saying we should write code to error if the config is bad?19:58
ayoungiamjarvo, try using the domain id19:58
ayoungI think name doesn't work, as it has to go and do the name to id lookup....19:58
ayoungdomain is either a domain object or a domain id19:58
obedmrok, excellent, thanks edmondsw and ayoung19:58
ayoungso if you do the find first, you can pass the result into the keystone.roles.grant(role, user=admin, domain=domdahdomdom)19:59
ayoungedmondsw, Oh, sure, if you want to do it the easy way!19:59
obedmredmondsw: ayoung: just a final question, the best practice for SSL in keystone is to use HTTPD as the front?19:59
edmondswobedmr, definitely yes20:00
obedmrcool20:00
ayoungobedmr, drop the SSL, and the statement holds true20:00
edmondswlol20:00
ayoungthe best practice for Keystone is to use HTTPD.  SSL doubly so20:00
stevemarayoung, we should probably not support deployments that don't use ssl, but it makes testing much easier20:01
obedmrexcellent, thanks guys, I really appreciate the help20:01
ayoungedmondsw, In general, you don't want to do cryptography in python, but rather use native libraries.  Eventlet, being single threaded, has no way to scale out an SSL traffic20:01
edmondswayoung, oh, I don't disagree with you at all20:02
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137820:05
*** lastops has quit IRC20:15
*** pnavarro|off has joined #openstack-keystone20:24
*** mattfarina has quit IRC20:37
*** ljfisher has quit IRC20:38
*** rm_work|away is now known as rm_work20:47
*** rm_work is now known as rm_work|away20:53
iamjarvoayoung domain id worked. i was passing in name instead of id20:53
ayoungtold you so!20:53
ayoungiamjarvo, I expect you to field this question here in IRC next time someone asks20:54
iamjarvoi will!20:54
iamjarvolearning lots20:54
iamjarvoback the drawing board though :( "Error getting domain scoped token."20:55
iamjarvolol20:55
ayoungiamjarvo, are you trying to get a domain scoped token?20:58
ayoungand , if so, how?20:59
iamjarvoi am trying to login using the users ive created20:59
*** samueldmq has quit IRC20:59
*** samueldmq has joined #openstack-keystone21:00
ayoungiamjarvo, Horizon?21:04
iamjarvoyea21:04
ayoungiamjarvo, Horizon knows nothing about domain scoped tokens.21:04
iamjarvousing this patch21:07
iamjarvohttps://review.openstack.org/#/c/148082/21:08
*** devlaps1 has joined #openstack-keystone21:10
*** devlaps has quit IRC21:10
*** diegows has quit IRC21:10
*** nkinder has quit IRC21:11
*** jaosorior has quit IRC21:12
*** _cjones_ has quit IRC21:14
dstanekwhat exactly is happening in the ssl 2way tests?21:16
*** pnavarro|off has quit IRC21:18
*** dims_ has quit IRC21:19
*** htruta has joined #openstack-keystone21:19
*** htruta has quit IRC21:20
*** _cjones_ has joined #openstack-keystone21:20
*** boris-42 has quit IRC21:28
*** edmondsw has quit IRC21:29
bknudsondstanek: it should be testing that the eventlet server can be configured to require a client cert.21:34
*** edmondsw has joined #openstack-keystone21:35
dstanekbknudson: i'm trying to debug an issue on debian where that's not working21:43
bknudsondstanek: are the certificates invalid?21:43
dstanekthey are the ones we bundle with our tests21:44
dstanekexamples/pki/...21:44
bknudsondstanek: are you able to recreate the issue?21:44
dstanekthe 1way tests pass, but the 2way are not happy21:44
dstanekyes21:44
bknudsondstanek: try recreating the sample certs21:45
dstanekalready did that and still have the issue21:45
bknudsonso client authentication doesn't work on debian?21:46
dstanekmaybe not - i'm creating a more bare bones test case now21:46
bknudsonwhat's the error?21:48
dstanekhttp://paste.openstack.org/show/197837/21:48
bknudsondidn't like the client certificate21:49
bknudsonbut that's test_1way_ssl_ok21:49
bknudsonI thought you were looking at 2way?21:49
dstanekhmmm...maybe i just broke that too21:49
bknudsonif it's 1-way then that's the client didn't like the server cert.21:49
dstanekmaybe our cert gen is just broken now that debian has been fixing up the SSL issues21:50
*** stevemar has quit IRC21:52
*** bknudson has quit IRC21:54
*** iamjarvo has quit IRC21:56
*** boris-42 has joined #openstack-keystone21:57
*** sigmavirus24 is now known as sigmavirus24_awa22:01
*** ekarlso has quit IRC22:04
*** ekarlso has joined #openstack-keystone22:04
*** iamjarvo has joined #openstack-keystone22:05
*** iamjarvo has quit IRC22:05
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:08
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:12
ayoungmorganfainberg, time to make V3 Identity API the default in devstack22:17
morganfainbergayoung, didn't we already do that?22:17
morganfainbergor you mean in horizon?22:17
ayoungmorganfainberg, not in the env var set when you connect22:17
morganfainbergafaik middleware defaults to v3 unless someone does something silly.22:17
morganfainbergoh22:18
morganfainbergthat part22:18
morganfainbergsure22:18
morganfainberg++22:18
morganfainbergyes!22:18
morganfainberg:)22:18
ayoung$ echo $OS_AUTH_URL22:18
ayounghttp://192.168.1.67:5000/v2.022:18
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:18
* morganfainberg wonders what will break.22:18
ayoung$ echo $OS_IDENTITY_API_VERSION22:19
ayoung2.022:19
*** henrynash has joined #openstack-keystone22:22
*** ChanServ sets mode: +v henrynash22:22
*** gordc has quit IRC22:25
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:25
henrynashmorganfainberg: the patch for domain-config has been updated as we discussed: https://review.openstack.org/#/c/163322/22:25
morganfainberghenrynash, thanks22:25
morganfainbergoh look clippy22:25
morganfainbergtoo bad this didn't land: https://review.openstack.org/#/c/169509/3/modules/openstack_project/files/gerrit/GerritSiteHeader.html22:26
*** rhagarty_ has joined #openstack-keystone22:26
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:29
*** nkinder has joined #openstack-keystone22:34
rhagarty_hello - I'm new to keystone. Was wondering if there is a way to simply store and retrieve a user/pwd from the keystone service?22:39
*** henrynash has quit IRC22:42
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:43
*** carlosmarin has quit IRC22:56
*** bknudson has joined #openstack-keystone23:06
*** ChanServ sets mode: +v bknudson23:06
*** chlong has joined #openstack-keystone23:07
morganfainbergayoung, bknudson, dstanek, jamielennox, could use eyes on https://review.openstack.org/#/c/163322/23:07
* bknudson can't wait until clippy goes away.23:08
morganfainbergbknudson, you could just adblock the .js out23:09
morganfainbergbknudson, and it wont load anymore23:09
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Increase minimum token life required  https://review.openstack.org/16994723:18
*** joesavak has quit IRC23:21
*** packet has quit IRC23:24
*** harlowja has quit IRC23:31
*** harlowja has joined #openstack-keystone23:32
*** devlaps1 has quit IRC23:37
*** zzzeek has quit IRC23:43
*** harlowja has quit IRC23:49
*** harlowja has joined #openstack-keystone23:50
