Thursday, 2015-04-16

*** mattamizer has quit IRC00:01
*** markvoelker_ has quit IRC00:02
*** carlosmarin has quit IRC00:04
*** drjones has quit IRC00:21
*** _cjones_ has joined #openstack-keystone00:21
*** _cjones_ has quit IRC00:25
*** ozialien has joined #openstack-keystone00:35
*** topol has joined #openstack-keystone00:36
*** ChanServ sets mode: +v topol00:36
*** r-daneel has quit IRC00:37
*** dims_ has quit IRC00:40
<mfisch> can someone point out where the database migrations live in the source tree? [00:46]
<mfisch> aha under versions/ [00:47]
*** lhcheng has quit IRC00:48
<openstackgerrit> Merged openstack/keystone: Use correct LOG translation indicator for warnings
<dstanek> mfisch: got it? [00:55]
<dstanek> so our catalog unit tests are all sorts of bad - no isolation and the templated tests don't actually run [00:56]
*** ozialien has quit IRC01:06
*** jeffDeville has joined #openstack-keystone01:07
*** tqtran has quit IRC01:07
*** markvoelker has joined #openstack-keystone01:07
*** jeffDevi_ has joined #openstack-keystone01:09
*** jeffDeville has quit IRC01:09
*** sigmavirus24 is now known as sigmavirus24_awa01:11
*** browne has quit IRC01:12
*** jeffDevi_ has quit IRC01:18
*** alexsyip has quit IRC01:22
<dstanek> ayoung: when you are not busy
*** markvoelker has quit IRC01:30
*** jeffDeville has joined #openstack-keystone01:30
*** jeffDeville has quit IRC01:31
*** _cjones_ has joined #openstack-keystone01:33
*** dims has joined #openstack-keystone01:40
<ayoung> dstanek, you mean, what should that method raise? [01:42]
*** trey has quit IRC01:42
*** erkules_ has joined #openstack-keystone01:45
*** trey has joined #openstack-keystone01:46
*** dims has quit IRC01:47
*** erkules has quit IRC01:47
*** jeffDeville has joined #openstack-keystone01:47
*** harlowja is now known as harlowja_away02:05
*** browne has joined #openstack-keystone02:13
*** sdake_ has joined #openstack-keystone02:16
*** sdake__ has joined #openstack-keystone02:19
*** sdake has quit IRC02:19
*** sdake_ has quit IRC02:22
*** jeffDeville has quit IRC02:29
*** Ephur has quit IRC02:30
*** davechen has joined #openstack-keystone02:30
*** Ephur has joined #openstack-keystone02:31
*** Ephur has quit IRC02:33
*** _cjones_ has quit IRC02:33
*** davechen1 has joined #openstack-keystone02:36
*** davechen has quit IRC02:37
*** davechen has joined #openstack-keystone02:44
*** davechen1 has quit IRC02:45
*** tqtran has joined #openstack-keystone02:46
*** dims has joined #openstack-keystone02:48
*** tqtran has quit IRC02:50
*** dims has quit IRC02:53
*** richm has quit IRC03:07
*** lhcheng has joined #openstack-keystone03:25
*** ChanServ sets mode: +v lhcheng03:25
*** _kiran_ has joined #openstack-keystone03:47
*** _kiran_ has quit IRC03:53
*** _cjones_ has joined #openstack-keystone04:00
*** rushiagr_away is now known as rushiagr04:10
*** vilobhmm1 has joined #openstack-keystone04:39
*** _cjones_ has quit IRC04:43
*** afazekas has quit IRC04:51
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove retry parameter
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Base use webob
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env
*** stevemar has joined #openstack-keystone05:02
*** ChanServ sets mode: +v stevemar05:02
*** rushiagr is now known as rushiagr_away05:02
*** vilobhmm1 has quit IRC05:02
*** vilobhmm1 has joined #openstack-keystone05:05
*** telemonster has quit IRC05:12
*** telemonster has joined #openstack-keystone05:13
*** topol has quit IRC05:16
*** vilobhmm1 has quit IRC05:29
*** ajayaa has joined #openstack-keystone05:33
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins
*** stevemar has quit IRC05:40
*** stevemar has joined #openstack-keystone05:40
*** ChanServ sets mode: +v stevemar05:40
*** dims has joined #openstack-keystone05:45
*** kiran_ has joined #openstack-keystone05:47
*** kiran_ is now known as kiranr05:50
*** dims has quit IRC05:50
*** kiranr is now known as kiran-r05:50
*** rushiagr_away is now known as rushiagr05:51
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** ajayaa has quit IRC06:16
*** browne has quit IRC06:18
*** _cjones_ has joined #openstack-keystone06:21
*** lhcheng has quit IRC06:22
*** lhcheng has joined #openstack-keystone06:22
*** ChanServ sets mode: +v lhcheng06:22
*** stevemar has quit IRC06:25
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove retry parameter
*** ParsectiX has joined #openstack-keystone06:35
*** ajayaa has joined #openstack-keystone06:38
*** henrynash has joined #openstack-keystone06:46
*** ChanServ sets mode: +v henrynash06:46
*** viktors|afk is now known as viktors06:53
<viktors> ayoung: thanks! [06:53]
<viktors> dstanek: still around? [06:53]
*** ParsectiX has quit IRC06:53
*** stevemar has joined #openstack-keystone06:54
*** ChanServ sets mode: +v stevemar06:54
*** ParsectiX has joined #openstack-keystone06:56
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Base use webob
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache
*** stevemar has quit IRC07:00
*** jaosorior has joined #openstack-keystone07:01
<openstackgerrit> Dave Chen proposed openstack/keystone: Remove assigned protocol before removing IdP
*** henrynash has quit IRC07:05
*** _cjones_ has quit IRC07:13
*** krykowski has joined #openstack-keystone07:15
*** pnavarro has joined #openstack-keystone07:18
*** chlong has quit IRC07:40
*** jistr has joined #openstack-keystone07:43
*** pnavarro has quit IRC07:50
*** unixlike has joined #openstack-keystone07:56
<unixlike> Hi there ! [07:56]
<unixlike> sorry for my english in advance [07:56]
<unixlike> Is it possible to use MongoDB as db-backend instead of MySQL ? [07:57]
*** pnavarro has joined #openstack-keystone08:04
*** ParsectiX has quit IRC08:09
*** ParsectiX has joined #openstack-keystone08:09
*** lhcheng has quit IRC08:13
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Run SQL migration tests on PostgreSQL and MySQL
*** c0m0 has joined #openstack-keystone08:31
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Run SQL migration tests on PostgreSQL and MySQL
*** sdake__ has quit IRC08:36
*** sdake has joined #openstack-keystone08:39
*** mestery has joined #openstack-keystone08:40
*** mestery_ has quit IRC08:43
*** jimbaker has quit IRC08:53
*** jimbaker has joined #openstack-keystone08:55
*** jimbaker has quit IRC08:56
*** jimbaker has joined #openstack-keystone08:56
*** ParsectiX has quit IRC09:09
*** rm_work is now known as rm_work|away09:13
*** dims has joined #openstack-keystone09:19
*** dims has quit IRC09:24
*** aix has joined #openstack-keystone09:44
*** ishant has joined #openstack-keystone09:45
*** afazekas has joined #openstack-keystone09:47
*** davechen has quit IRC09:52
*** tqtran has joined #openstack-keystone10:01
*** dims has joined #openstack-keystone10:06
*** jsheeren has joined #openstack-keystone10:11
*** tqtran has quit IRC10:27
*** topol has joined #openstack-keystone10:30
*** ChanServ sets mode: +v topol10:30
*** topol has quit IRC11:01
*** aix has quit IRC11:17
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Comparison of database models and migrations.
*** henrynash has joined #openstack-keystone11:25
*** ChanServ sets mode: +v henrynash11:25
<dstanek> ayoung: yeah, that's all i was wondering [11:41]
<dstanek> viktors: i am now [11:41]
*** aix has joined #openstack-keystone11:45
*** jamielennox is now known as jamielennox|away11:47
*** fhubik has joined #openstack-keystone11:49
<viktors> dstanek: hi! I've un-wiped yesterday's patch with migration tests - Feel free to review it. [11:53]
<dstanek> viktors: great thanks [11:54]
<openstackgerrit> David Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware
*** ishant has quit IRC11:56
*** joesavak has joined #openstack-keystone11:56
<samueldmq> dstanek, ping - I've got a question regarding tokens and middleware :-) [11:57]
<samueldmq> ayoung, cc ^ [11:57]
<dstanek> samueldmq: what's the question? [11:58]
<samueldmq> once keystonemiddleware validates the token and enforces the policy, it needs to pass the token info to the service (eg nova) [11:58]
<samueldmq> dstanek, right? [11:58]
<samueldmq> dstanek, how is that info? is that what we call AccessInfo ? [11:58]
<samueldmq> dstanek, I am trying to figure out what the hard-coded checks in the services would look like (which make them not work with v3 properly) [11:59]
<dstanek> samueldmq: so other services don't work when keystone is using v3 tokens? [12:00]
<samueldmq> dstanek, I think there are hard-coded checks which do not allow it to work 100% [12:00]
<dstanek> samueldmq: for all services or do you know of one specifically that is broken? [12:01]
<samueldmq> dstanek, I am starting to investigate [12:01]
<samueldmq> dstanek, I was talking to morganfainberg and jogo yesterday [12:01]
<samueldmq> dstanek, basically I am going to deploy a fresh devstack and remove v2 completely, and see what's broken [12:02]
<samueldmq> dstanek, morgan also agrees with me that there may exist hard-coded checks in the services [12:02]
<samueldmq> dstanek, so then I am trying to figure out how the keystonemiddleware passes the token info to the service [12:03]
<samueldmq> dstanek, to understand what those hard-coded checks look like [12:03]
<dstanek> samueldmq: i'm pretty sure it's all environment variables [12:04]
<dstanek> i don't think it's different between v2 and v3 tokens [12:04]
<samueldmq> dstanek, ah makes sense, that's how dolphm validates different tokens on his keystone-deploy tests [12:06]
<dstanek> samueldmq: i don't understand the relationship between v2 and v3 tokens as compared to v2 and v3 api [12:06]
<samueldmq> dstanek, yeah, I need to have a look at both formats as well [12:06]
<dstanek> i don't think the format will matter for this because i think the same info gets stuck in the env [12:07]
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Add server_default to relay_state_prefix in service_provider model
<samueldmq> dstanek, k so what do you mean by "i don't understand the relationship between v2 and v3 tokens as compared to v2 and v3 api" [12:08]
<dstanek> samueldmq: i think they are orthogonal things, but i'm not sure [12:10]
<dstanek> i think they just happen to have the same name, which is unfortunate [12:10]
<samueldmq> dstanek, well, I agree that if the same env vars are loaded independently of the version, everything should work pretty well [12:11]
<samueldmq> dstanek, yes, was re-reading the logs from yesterday ... everything should work, but we may expect minor errors in the services due to hard-coded checks [12:14]
<samueldmq> dstanek, so the approach is to try and see what breaks :-) [12:14]
*** dims has quit IRC12:14
<dstanek> samueldmq: the last time i tried (quite a while ago) some services had trouble talking to the v3 api [12:15]
*** dims__ has joined #openstack-keystone12:17
<samueldmq> dstanek, nice, I will dig into it a bit more.. I will keep you updated if you want :) [12:19]
*** stevemar has joined #openstack-keystone12:21
*** ChanServ sets mode: +v stevemar12:21
*** henrynash has quit IRC12:24
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy
<dstanek> samueldmq: sure [12:27]
*** gordc has joined #openstack-keystone12:28
*** fhubik is now known as fhubik_afk12:29
*** gordc has quit IRC12:31
*** raildo has joined #openstack-keystone12:32
*** gordc has joined #openstack-keystone12:38
*** jsavak has joined #openstack-keystone12:43
*** joesavak has quit IRC12:46
*** mattamizer has joined #openstack-keystone12:50
*** bknudson has joined #openstack-keystone12:52
*** ChanServ sets mode: +v bknudson12:52
*** fhubik_afk is now known as fhubik13:02
*** nkinder has quit IRC13:09
*** richm has joined #openstack-keystone13:14
*** fhubik is now known as fhubik_afk13:19
*** fhubik_afk is now known as fhubik13:20
*** davidckennedy has joined #openstack-keystone13:25
*** sdake_ has joined #openstack-keystone13:26
*** davidckennedy has quit IRC13:27
*** jamie_h has joined #openstack-keystone13:29
*** sdake has quit IRC13:29
*** markvoelker has joined #openstack-keystone13:30
*** davidckennedy has joined #openstack-keystone13:33
*** unixlike has quit IRC13:33
*** unixlike has joined #openstack-keystone13:33
*** afaranha has joined #openstack-keystone13:37
*** rushil has joined #openstack-keystone13:42
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Fix mysql_engine and FK in project_endpoint_group table
*** mattfarina has joined #openstack-keystone13:47
*** fhubik is now known as fhubik_afk13:47
*** topol has joined #openstack-keystone13:56
*** ChanServ sets mode: +v topol13:56
*** sigmavirus24_awa is now known as sigmavirus2413:56
*** zzzeek has joined #openstack-keystone13:56
*** fhubik_afk is now known as fhubik14:02
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion
*** nkinder has joined #openstack-keystone14:06
*** ayoung has quit IRC14:09
*** HenryG_ is now known as HenryG14:11
*** markvoelker_ has joined #openstack-keystone14:16
*** davechen1 has joined #openstack-keystone14:19
*** markvoelker has quit IRC14:19
<openstackgerrit> Dave Chen proposed openstack/keystone: Update Get API version Curl example
*** markvoelker has joined #openstack-keystone14:23
*** unixlike has quit IRC14:23
*** ajayaa has quit IRC14:24
*** markvoelker_ has quit IRC14:26
*** kiran-r has quit IRC14:27
*** sdake has joined #openstack-keystone14:29
*** sdake_ has quit IRC14:33
*** markvoelker has quit IRC14:34
*** davechen1 has left #openstack-keystone14:36
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads
<openstackgerrit> Merged openstack/keystone: Refactor sql filter code for clarity
*** jsheeren has quit IRC14:41
*** ajayaa has joined #openstack-keystone14:41
<openstackgerrit> Merged openstack/keystone: Don't provide backends from __all__ in persistence
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy
<mfisch> stevemar: you around this morning? [14:50]
<stevemar> mfisch, yessir [14:55]
<mfisch> stevemar: I was looking more into the CADF stuff this morning. Is there a simple path to have something on my keystone node consume audit events and dump them into a log file? Without using rabbit and ceilometer [14:56]
<morganfainberg> stevemar: that shady fellow stevemar2 isn't though. [14:56]
*** fhubik is now known as fhubik_afk14:56
<stevemar> mfisch, change the notification_driver option to 'log' [14:57]
<mfisch> that's it? [14:57]
<mfisch> if so that's all I need then [14:57]
<stevemar> and set notification_format = cadf [14:57]
<stevemar> if you want fancy cadf events [14:57]
<mfisch> do I need to enable the audit middleware? [14:57]
<stevemar> not on keystone, no [14:57]
<stevemar> the audit middleware can only be used in the same spot as the keystonemiddleware [14:58]
<mfisch> I think basic is all I need [14:58]
<mfisch> CADF is way too standardsy [14:58]
<mfisch> which means more info than I need [14:58]
<stevemar> mfisch, sure. give it a shot if you can :D it has some good info [14:59]
<mfisch> will do [14:59]
<stevemar> like who actually did the request [14:59]
<stevemar> and what project they did it under [14:59]
<mfisch> the main request stemmed from "when was project X deleted?", a question from someone here, and we had no way to find out [14:59]
<stevemar> yeah, basic would suffice for that [15:00]
*** fhubik_afk is now known as fhubik15:00
<mfisch> I'll reply to my own -dev posting once I try this [15:00]
<stevemar> eventually that question will turn into, "when project X was deleted, who did it?" [15:00]
<mfisch> who can we fire! [15:00]
<stevemar> gah, my filters must have missed that post [15:00]
<stevemar> i didn't see a post from you in the last few days [15:00]
<mfisch> can I make notifications get set to warnings? [15:01]
<stevemar> mfisch, nope, just info [15:01]
<stevemar> that's hardcoded somewhere in keystone/notifications.py [15:01]
<mfisch> oh I sent this one to operators [15:01]
<mfisch> try to start there first [15:01]
<mfisch> so with INFO i just need to find out how to get my LB checks to stop logging in the eventlet [15:02]
<stevemar> good luck with that :\ [15:03]
<mfisch> after looking at the code for 5 mins I have no idea where it comes from [15:03]
*** pnavarro is now known as pnavarro|mtg15:04
*** markvoelker has joined #openstack-keystone15:04
*** jsheeren has joined #openstack-keystone15:05
*** ajayaa has quit IRC15:09
<mfisch> stevemar: looks like notification_format is a Kiloism? [15:10]
*** markvoelker has quit IRC15:11
*** rushiagr is now known as rushiagr_away15:12
*** rushil has quit IRC15:12
*** rushil has joined #openstack-keystone15:15
*** rushil has quit IRC15:16
*** rm_work|away is now known as rm_work15:18
*** browne has joined #openstack-keystone15:21
<stevemar> mfisch, yes sir [15:26]
<lbragstad> quick question regarding the resource API refactor. I have keystone deployed from source and I have fatal_deprecations=true, with resource driver and assignment drivers set. I try getting a domain scoped token and it fails because of a deprecation error. I'm wondering if anyone else has this issue
<lbragstad> nevermind... not sure what I did but I fixed my problem... [15:31]
*** ozialien has joined #openstack-keystone15:32
<davidckennedy> I was looking at Jamie's patch for password prompt on CLI and I can't see how to make a request to the v3 api using keystone client. I presume it's never been implemented and never will be because it's now in python-openstackclient. Any hints? [15:36]
<davidckennedy> (keystone client on CLI that is - which is the only place that we'd expect a password prompt). [15:36]
*** ozialien has left #openstack-keystone15:38
*** fhubik has quit IRC15:43
<dtroyer> davidckennedy: I'm not sure why Jamie wants to do that, IMnsHO he's already putting too much CLI/app layer stuff into the plugins… [15:43]
*** ihrachyshka has joined #openstack-keystone15:47
<ihrachyshka> hey all! I'm from neutron, and I'm searching for someone involved in oslo.policy that could assess a new feature and/or exposing some of the library internals for projects to consume [15:47]
<stevemar> ihrachyshka, o/ [15:48]
<stevemar> ihrachyshka, myself or ayoung or dstanek or morganfainberg [15:48]
*** pnavarro|mtg is now known as pnavarro15:49
<davidckennedy> dtroyer maybe. But is it so that v2 is the only v supported for the CLI? [15:50]
*** jsheeren has quit IRC15:50
<ihrachyshka> cool! so in neutron, we have some neat policy feature that is implemented in-house that allows to introduce additional policies that are *appended* to "main" rules. see: and
<ihrachyshka> though the syntax is similar to e.g. nova policy rules, the behaviour is a bit different [15:51]
<ihrachyshka> syntax is target:attr:sub-attr [15:51]
<ihrachyshka> which means that if action is checked, and target contains an attr set, then we append a rule-check to the main action rule, and if a sub-attr should be validated, then, again, another rule-check is appended for sub-attr [15:52]
<dtroyer> davidckennedy: yes, and IIRC there has been a notice somewhere that even the v2 CLI in KSC was to be deprecated [15:52]
<ihrachyshka> so we get a complex rule to check against that has multiple entries - for target, for target:attr, and for target:attr:sub-attr, all joined with AndCheck [15:53]
<ihrachyshka> so neutron builds a more complex rule than those rules written in policy.json, and then validates against those complex rules [15:53]
*** bknudson has quit IRC15:53
<stevemar> ihrachyshka, and you want to propose to add that logic to oslo.policy? [15:54]
<ihrachyshka> there are policies of similar syntax in nova xxx:yyy:zzz, but there semicolons do not mean anything, and action code just uses them to have some kind of namespaces for ease and comfort [15:54]
<ihrachyshka> stevemar, since the syntax in nova does not mean the same as in neutron, I'm not sure we can introduce the feature [15:55]
<ihrachyshka> since then it would change behaviour for nova (and maybe other projects that follow their lead) [15:55]
*** _cjones_ has joined #openstack-keystone15:55
<ihrachyshka> it seems to me that the neutron feature overrides default behaviour in a way that would be hard to introduce as a general mechanism [15:55]
<ihrachyshka> I first thought that I'd be able to introduce it in oslo.policy, but now I'm not sure [15:56]
<ihrachyshka> and if we are not able to introduce the feature, then we may want to expose the policy checks used by neutron to implement the feature [15:56]
<ihrachyshka> AndCheck and RuleCheck from oslo_policy/_checks.py [15:57]
<stevemar> ihrachyshka, i think those are exposed today [15:57]
<stevemar> the checks [15:57]
<ihrachyshka> (we also have RoleCheck used in other places of neutron policy code, but it seems we will be able to just kill the usage) [15:57]
<ihrachyshka> stevemar, no, they are not. they are in _checks, meaning private symbols [15:57]
<ihrachyshka> I asked to introduce them in Kilo, but I was told that neutron should instead work on introducing the feature in oslo.policy [15:58]
<ihrachyshka> and I originally agreed [15:58]
<ihrachyshka> but now I'm not confident it's the best way [15:58]
*** bknudson has joined #openstack-keystone15:58
*** ChanServ sets mode: +v bknudson15:58
*** henrynash has joined #openstack-keystone15:59
*** ChanServ sets mode: +v henrynash15:59
<stevemar> ihrachyshka, ah right, we just exposed _check.Check [15:59]
<ihrachyshka> right, so that we can implement custom checks [15:59]
<davidckennedy> dtroyer OK. Thank you, I'll stop trying to use v3 via the CLI then ;) [15:59]
<ihrachyshka> (and neutron does it, but that's for the rule part, not target) [15:59]
<ihrachyshka> target seems to be opaque for oslo.policy [16:00]
<ihrachyshka> stevemar, what's your take as an Expert? ;) [16:04]
<rodrigods> henrynash, just to confirm, I need a spec for and
<henrynash> rodigods: I think it might be sensible (one spec to cover both, should be fine)….should be short and sweet [16:05]
<rodrigods> henrynash, thanks... another question, if fixed, is there the possibility to backport it? [16:06]
<rodrigods> for kilo, I mean [16:06]
*** gyee_ has joined #openstack-keystone16:06
<henrynash> sure, we can always suggest backporting…… [16:07]
*** markvoelker has joined #openstack-keystone16:08
*** jistr has quit IRC16:08
<rodrigods> henrynash, nice! thx... when raildo is back we are going to ping you again to discuss dual scoped tokens [16:09]
*** afazekas has quit IRC16:11
*** markvoelker has quit IRC16:13
<raildo> i'm here :D [16:15]
*** rushiagr_away is now known as rushiagr16:15
*** davidckennedy has quit IRC16:17
*** mattamizer has quit IRC16:22
*** _kiran_ has joined #openstack-keystone16:24
*** tqtran has joined #openstack-keystone16:24
*** _kiran_ is now known as kiran-r16:27
*** c0m0 has quit IRC16:35
*** EmilienM is now known as EmilienM|afk16:39
*** gyee_ has quit IRC16:43
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: New attributes for SAML assertion
*** kiran-r has quit IRC16:45
*** afazekas has joined #openstack-keystone16:47
*** lhcheng has joined #openstack-keystone16:47
*** ChanServ sets mode: +v lhcheng16:47
*** kiran-r has joined #openstack-keystone16:49
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add openstack_project_domain to assertion
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Refactor _create_attribute_statement IdP method
*** henrynash has quit IRC16:56
<samueldmq> hi, in our domain-specific documentation we have example ldap urls like : "url": "http://myldap/root" [16:58]
<samueldmq> but ldap has its own protocol, right ? then it would be something like ldap:// [16:58]
*** harlowja_away is now known as harlowja16:58
<dstanek> samueldmq: sounds like a patch waiting to happen [17:03]
<samueldmq> dstanek, nice, will put here on my todo list and submit a patch later today :-) [17:05]
*** kiran-r has quit IRC17:10
*** ajayaa has joined #openstack-keystone17:12
*** markvoelker has joined #openstack-keystone17:12
*** luminalf1ux has left #openstack-keystone17:23
*** krykowski has quit IRC17:26
*** ryanpetrello has joined #openstack-keystone17:27
*** alexsyip has joined #openstack-keystone17:27
<ryanpetrello> anybody know if there's a way in Keystone to do role assignment with no tenant? [17:30]
<ryanpetrello> we've been using OpenStack and Keystone for quite some time (since ~Folsom) [17:30]
<ryanpetrello> and it seems at some point this functionality went away:
<ryanpetrello> is there a sanctioned way to do this sort of thing in present-day Keystone? [17:31]
*** j_king_ is now known as j_king17:31
<ryanpetrello> e.g., "User <X> belongs to Role <VIP Customers>" [17:31]
<samueldmq> ryanpetrello, hi [17:32]
<samueldmq> ryanpetrello, no, a role assignment is always composed of (actor, target, role) [17:33]
<amakarov_away> ryanpetrello, aren't groups intended for it? [17:33]
<samueldmq> ryanpetrello, where actor can be one of (user, group) and target one of (project, domain) [17:33]
<samueldmq> amakarov_away, no [17:33]
<samueldmq> amakarov_away, it is not possible to have a role assignment without a target ('tenant' as he described) [17:34]
*** amakarov_away is now known as amakarov17:34
<amakarov> samueldmq, but can we mark a user as a group member? [17:35]
*** joesavak has joined #openstack-keystone17:35
<amakarov> e.g "User <X> belongs to Group <VIP Customers>" [17:35]
<samueldmq> amakarov, ryanpetrello well, yes through grouping we can do something similar [17:35]
<samueldmq> amakarov, yes, but this is not a role assignment [17:36]
<samueldmq> amakarov, and we still need to have role assignments for that group on targets [17:36]
<amakarov> samueldmq, ++ [17:36]
<amakarov> looks like I failed to explain clearly ) [17:36]
<samueldmq> ryanpetrello, could you provide more details on how this worked before ? maybe we can find a similar way to get it working today [17:37]
<samueldmq> amakarov, np :) [17:37]
*** jsavak has quit IRC17:38
*** browne has quit IRC17:39
*** amerine has joined #openstack-keystone17:39
*** ihrachyshka has quit IRC17:40
*** markvoelker has quit IRC17:43
*** clayton has joined #openstack-keystone17:43
<morganfainberg> ryanpetrello, the answer is no, we don't support global roles at this time [17:43]
<krotscheck> Is master open yet? [17:43]
*** EmilienM|afk is now known as EmilienM17:43
<ryanpetrello> thanks morganfainberg [17:44]
<morganfainberg> ryanpetrello, it was a design choice not to do so. [17:44]
<morganfainberg> krotscheck, yes [17:44]
<krotscheck> Oh good :) [17:44]
<morganfainberg> krotscheck, liberty development is open [17:44]
<ryanpetrello> morganfainberg: any idea when (release-wise) that changed? [17:44]
<morganfainberg> ryanpetrello, grizzly [17:44]
<ryanpetrello> okay, thanks [17:44]
<krotscheck> morganfainberg: I've got a global-requirements patch that's failing on keystone, because stevedore's a couple of versions out of date. [17:44]
<morganfainberg> krotscheck, fun. sounds like something worth quickly fixing [17:45]
*** ryanpetrello has left #openstack-keystone17:45
<krotscheck> morganfainberg: Yep, that's why I asked. [17:45]
<morganfainberg> krotscheck, please file a bug on it for tracking, but feel free to toss a patch up to keystone, and poke at the cores here [17:46]
*** amerine has quit IRC17:46
<morganfainberg> krotscheck, should be an easy (no-brainer) thing to get pushed through [17:46]
<krotscheck> morganfainberg: I [17:46]
*** amakarov is now known as amakarov_away17:46
<krotscheck> morganfainberg: Easy for someone familiar with these things I'm sure :) [17:46]
<morganfainberg> krotscheck: or file the bug and we will circle up on it soon(ish) i hope. [17:46]
*** amerine has joined #openstack-keystone17:46
<morganfainberg> krotscheck: things are moving a *little* slow atm since we're in RC and haven't specc'd work for liberty [17:47]
*** jsavak has joined #openstack-keystone17:47
<morganfainberg> krotscheck: bknudson is also working on converting things over to use stevedore in keystone. so he might be a good resource to ask about the bug/fix [he might have fixed it in his patch-series] [17:47]
*** jsavak has quit IRC17:47
<krotscheck> morganfainberg: That's good to know :) [17:48]
* krotscheck is still trying to figure out how to trace down the _actual_ error in his global-requirement failures. [17:48]
*** esp has quit IRC17:50
*** joesavak has quit IRC17:51
<clayton> for keystone v3, is it required to specify the domain by id in the policy.json cloud_admin rule? [17:53]
<clayton> or is there a better way to do that? [17:53]
<openstackgerrit> Doug Hellmann proposed openstack/keystonemiddleware: Uncap library requirements for liberty
*** EmilienM is now known as EmilienM|afk17:55
<clayton> having to put the admin domain id in the policy.json file is kind of miserable from a deployment standpoint, since I can't anticipate what id will be assigned to a given name [17:57]
*** aix has quit IRC17:57
*** Ephur has joined #openstack-keystone17:57
*** joesavak has joined #openstack-keystone17:57
*** sdake_ has joined #openstack-keystone17:59
*** afazekas has quit IRC17:59
*** esp has joined #openstack-keystone17:59
*** sdake has quit IRC18:02
<stevemar> morganfainberg, ^ [18:03]
<openstackgerrit> Doug Hellmann proposed openstack/oslo.policy: Uncap library requirements for liberty
<clayton> and I'll apologize in advance, I don't know all that much about domains. I'm trying to convince myself that domain_id in this case is actually the name, not a uuid [18:07]
<mfisch> stevemar: can I tweak what's getting into the notifications? [18:08]
<stevemar> mfisch, not unless you tweak the code [18:08]
<stevemar> you also can't tweak which notifications you get [18:08]
<mfisch> The auth notification is gonna be chatty [18:09]
<lhcheng> clayton: unfortunately yes, you have to put the domain_id where the cloud admin would be. [18:09]
<clayton> I'm starting to feel a little ill [18:10]
<lhcheng> clayton: could update the policy.json in the deployment script, shouldn't be too bad. [18:10]
<clayton> sure, if I could know what uuid would be assigned ahead of time [18:10]
<mfisch> stevemar: is there a reason that only IDs are logged and not names? I'm thinking of wanting to review a log 3 months later about a project deletion, a project for which I may no longer have the ID [18:11]
<openstackgerrit> Doug Hellmann proposed openstack/pycadf: Uncap library requirements for liberty
<stevemar> mfisch, therein lies the deficiencies of the 'basic' format [18:12]
<mfisch> okay so cadf solves all my problems ;) [18:12]
<stevemar> the 'basic' format was used for what you're trying to do now, and for triggering events, like a callback function [18:12]
<stevemar> the thinking was "IDs are unique, so that's all we'll ever need" [18:12]
<clayton> stevemar: sure, if you keep the logs forever :) [18:13]
<openstackgerrit> Doug Hellmann proposed openstack/python-keystoneclient: Uncap library requirements for liberty
<mfisch> I'll get the cadf format when we upgrade [18:13]
<openstackgerrit> Doug Hellmann proposed openstack/python-keystoneclient-federation: Uncap library requirements for liberty
<stevemar> and "ids are enough to know that if a project is deleted, i can delete the tokens that are scoped to the project" [18:13]
<openstackgerrit> Doug Hellmann proposed openstack/python-keystoneclient-kerberos: Uncap library requirements for liberty
<stevemar> mfisch, yeah, cadf will have the name :) [18:13]
<mfisch> so it was more to notify other services in this format [18:13]
*** sdake has joined #openstack-keystone18:13
mfischa user was made, you may want to do something18:13
stevemarlet me double check that it has the name, i'm 99% sure it does18:14
mfischI started to read the CADF slides but it looks like something I could spend the rest of my career on18:14
lhchengclayton: maybe a script  (using admin_token) to query all the domain and fetch one that matches the domain name?18:15
mfischthanks for the info stevemar18:15
stevemarmfisch, gah, no it doesn't have the name, i lied18:15
lhchengclayton: I know it's painful :(18:15
mfischstevemar: hmm ok18:15
stevemarmfisch, it has the user's name (the guy who did the request)18:16
mfischthat's not as useful for my case but then at least I'd know who to ask about a deletion18:16
stevemarliberty feature/bug? (add the name and domain name/id)18:16
dstanekjust out of curiosity, what is the added value of having the name?18:17
*** sdake_ has quit IRC18:17
mfischso I can look in a log 3 months later and do some correlations18:17
mfischdstanek: "when was project X deleted?"18:17
mfischand by whom18:17
dstanekmfisch: if you have the project id and user id, don't you get that?18:18
mfischyou do18:18
mfischis that info still avail after the deletion?18:18
mfischI'll admit I didn't check the DB18:18
dstanekthe actual record?18:18
mfischwhere would I still have that info is my question18:18
dstaneki doubt it would be in the database18:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
mfischdstanek: so there's my case, unless I have that info saved off somewhere18:19
bknudsonopenstack role list: error: unrecognized arguments: --group 785034808b2740db825218b9cec511f5 -- not sure why I'm getting this when running devstack.18:19
dstanekmfisch: so your use case is someone about what happened to a project (by name only) so only logging the id won't help18:19
bknudsonI've got the latest python-openstackclient.18:20
stevemarbknudson, theres a bug in devstack18:20
stevemarbknudson, this should fix it:
dstanekmfisch: but over time you may have multiple ids for the same name18:20
stevemari *may* have introduced it18:20
bknudsonmust not be a very bad bug if the gate's still passing.18:20
stevemaryeah, it's not a set_or_die thing18:21
mfischdstanek: what do you mean?18:21
dstanekmfisch: i create a project 'awesome' and then delete it - a while later the same thing happens - how do you answer the question about who deleted 'awesome'?18:23
stevemarmfisch, he means you can create project 'x', it has an ID, delete it; then create project 'x', it has another ID, then delete it - repeat18:23
mfischah ok18:23
mfischso that's in theory, but would not happen in my environment, but I get your point18:23
*** browne has joined #openstack-keystone18:23
*** mhu has quit IRC18:26
dstanekreally for a 'true' audit log you really have to attach the entire record in the case of a delete/add or the before and after records for an update18:26
mfischMy basic use case is that "user dstanek was deleted by mfisch on April 16" ends up in a log that I can send to splunk. That's it. I am not doing compliance auditing, I am not going to spend 3 months on some crazy solution. These notifications seemed like a simple path18:27
*** vilobhmm1 has joined #openstack-keystone18:27
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend
openstackgerritDavid Stanek proposed openstack/keystone: Adds proper isolation to the templated catalog tests
*** vilobhmm11 has joined #openstack-keystone18:29
morganfainbergstevemar, we should support domain name in the policy file.18:29
dstanekmfisch: yes, i agree. notifications would be good for you.18:29
morganfainbergstevemar, that *should* be in the context actually18:30
morganfainbergstevemar, and domain names are (today) unique18:30
*** mhu has joined #openstack-keystone18:30
morganfainbergstevemar, it might just work today18:30
morganfainbergstevemar, today = kilo18:30
morganfainbergclayton, ^18:30
dstaneki don't know if this is frowned upon, but it may be possible to create your own middleware has callbacks that log to the log. may not be possible18:30
claytonmorganfainberg: having to specify the domain by uuid in the policy.json makes supporting automation of this with Puppet dramatically more horrible.  If it's supported in Kilo that would be great to know18:31
claytonI've been trying to dig through the code to figure that out, but I'm just not familiar enough with the codebase to tell for sure18:31
morganfainbergclayton, i *think* domain name would work in the policy file since it would be in the auth context18:31
*** vilobhmm11 has left #openstack-keystone18:31
morganfainbergbut i'd need to setup a test environment to figure it out18:31
claytonyeah, that's what I was trying to avoid myself :)18:31
morganfainbergclayton, unfortunately, that won't be this week [stuck in lots of meetings]18:31
claytonI was hoping I could find out where in the code domain_id was populated and see if the name was there also18:32
morganfainbergclayton, but i'd like to say we could support either.18:32
dstanekmorganfainberg: you may need to talk me off a ledge. i'm considering submitting a review to 'git rm keystone/catalog'18:32
morganfainbergdstanek, no18:32
stevemardo it. do it do it18:32
morganfainbergdstanek, step back from the ledge18:32
*** vilobhmm1 has quit IRC18:32
morganfainbergdstanek, talk us through the issue.18:32
dstanekmorganfainberg: take a look at
morganfainbergdstanek, and i might have an answer already18:32
morganfainbergdstanek, so i think we *really* need the templated catalog to go die18:33
morganfainbergand not be "based on KVS"18:33
stevemardstanek, i can submit one for `git rm keystone\policy\not rules`18:33
morganfainbergat the very least18:33
stevemaryes please18:33
dstanekmorganfainberg: i've fixed that issue (the kvs one)18:33
*** EmilienM|afk is now known as EmilienM18:33
morganfainbergi don't see how we can make the templated catalog ever really match the DB schema one clearly unless we totally change how it works18:34
morganfainbergand move to a DSL-like construct to define the catalog18:34
*** rdo has quit IRC18:34
bknudsonI guess JSON would make more sense, then could just return it as-is.18:35
morganfainbergbasically we've given people a very short rope and it's likely they can hang themselves18:35
morganfainbergsince it reads arbitrary templates from disk18:35
morganfainbergbknudson, i'd say yaml or json with validatable structure, and we expand it18:36
morganfainbergwith the extra stuff18:36
dstaneki'm ok with deprecating it and not worrying about the lack of testing - i had two strategies in mind to fix, but if we'll deprecate it then i won't bother wasting my day today18:36
morganfainbergdstanek, put that on the list to discuss on tuesday18:36
morganfainbergdon't worry about it today18:36
dstanekotoh, if it's used by more than mfisch maybe it should stay around18:36
morganfainberg(the etherpad for "tech debt paydown")18:36
morganfainbergi think we need to keep it, but we can make a better templated catalog18:36
*** rdo has joined #openstack-keystone18:36
morganfainbergso people like mfisch can not hate us.18:37
dstanekthis is where i removed kvs and implemented the read methods:
*** ayoung has joined #openstack-keystone18:37
*** ChanServ sets mode: +v ayoung18:37
* mfisch better catch up18:37
morganfainbergdstanek, it might be simple declarative description of the elements vs. the kludge-y current template18:38
morganfainbergdstanek, and then we apply the same kind of "transform" we do from the SQL db.18:38
morganfainbergjust read that data from disk instead.18:38
dstanekmorganfainberg: cool, we can discuss that in more detail at the summit18:38
morganfainbergdstanek, exactly18:38
morganfainbergdstanek, but the templated catalog needs love. and people do like it. so let's deprecate the bad version and give it love and make it supportable18:39
bknudsonLooks like devstack gives nova admin role on the service project rather than service: | admin       | nova     |       | service  |        |18:39
dstanekfor testing i wanted to break up the CatalogTests class into CatalogCrud and CatalogReadOnly18:39
bknudson| service     | cinder   |       | service  |        |18:39
bknudsonmost of them have service role on service project18:39
dstanekand then have a subclass for each backend - that's easy and logical IMO18:39
morganfainbergdstanek, hm. sure.18:39
morganfainbergdstanek, makes sense to me18:40
mfischdstanek: we're not using the templated catalog so rm -rf away18:40
morganfainbergmfisch: lots of people do use it though18:40
dstanekthe problem comes with the RO - our typical testing is uuids everywhere so that means i'd have to do magic in the templated subclass to make a fake file to be read18:40
morganfainbergmfisch: even if you don't18:40
mfischI was just responding to making me not hate you ;)18:40
morganfainbergmfisch, haha18:41
dstanekmfisch: nice, i thought you still were18:41
morganfainbergdstanek: i'd expect you'll need to do that *or* put it in the same kind of way we do some legacy conf-file testing18:41
dstanekor i keep a hard coded catalog on disk and change use hardcoded 'RegionOne' ids in the test class18:41
*** markvoelker has joined #openstack-keystone18:42
*** bernardo-silva has joined #openstack-keystone18:46
*** rdo has quit IRC18:49
*** rdo has joined #openstack-keystone18:51
*** bernardo-silva has quit IRC18:54
openstackgerritEric Brown proposed openstack/keystone: Update developer doc to reference Ubuntu 14
lhchengclayton: this is what you're looking for:
lhchengclayton: don't see the domain_name being set18:55
morganfainberglhcheng, so we might need to add it to the context18:58
claytonlhcheng: well, that's unfortunate, but I really appreciate that you dug it up :)18:58
*** ozialien has joined #openstack-keystone18:59
lhchengmorganfainberg: yup, should be easy since the name is already in the token.19:01
lhchengmorganfainberg: I can add that if no one has started19:01
lhchengclayton: yeah.  something to look forward to for L :)19:02
claytonWe'll probably have to solve the problem before then :/19:04
gyeewhat's the problem?19:06
*** jamie_h has quit IRC19:08
*** rushiagr is now known as rushiagr_away19:08
*** markvoelker has quit IRC19:14
claytongyee: in Kilo, configuring cloud_admin requires hard coding the uuid of the admin domain into the policy.json file19:21
claytonspecifically the issue is that it's a uuid that keystone is going to generate randomly, there isn't any apparent way to specify that you want a specific one19:26
claytonpuppet does all of its templating on the server side, and there is no easy way to retrieve that information from keystone once the domain is generated19:27
dstanekclayton: i thought you could have a snippet of code call out to keystone to get the info19:28
claytonso, custom functions can be used in templates, but they run server side19:32
claytonbefore the domain will have been created19:32
richmdstanek: The folks on #puppet-openstack tell me that's not possible to do in this case19:32
*** nkinder has quit IRC19:32
dstanekrichm: that's unfortunate.19:33
*** ajayaa has quit IRC19:43
-openstackstatus- NOTICE: gerrit has been restarted to clear a problem with its event stream. any gerrit changes updated or approved between 19:14 and 19:46 utc will need to be rechecked or have their approval reapplied for zuul to pick them up19:47
*** amerine has quit IRC20:04
*** amerine has joined #openstack-keystone20:04
ayoungmorganfainberg, "the templated catalog needs love."  I think it needs the Lenny treatment from "Of Mice and Men"20:09
*** markvoelker has joined #openstack-keystone20:12
bretonnice, sqlalchemy 1.0 released20:13
bretonzzzeek: congrats20:13
*** topol has quit IRC20:17
*** pnavarro has quit IRC20:24
*** joesavak has quit IRC20:30
*** joesavak has joined #openstack-keystone20:32
*** jsavak has joined #openstack-keystone20:34
*** henrynash has joined #openstack-keystone20:35
*** ChanServ sets mode: +v henrynash20:35
*** pnavarro has joined #openstack-keystone20:36
*** joesavak has quit IRC20:37
*** ozialien has quit IRC20:38
*** markvoelker has quit IRC20:44
*** nkinder has joined #openstack-keystone20:45
*** cburgess_ has quit IRC20:58
*** cburgess has joined #openstack-keystone20:58
*** gyee_ has joined #openstack-keystone21:11
*** harlowja is now known as harlowja_away21:11
*** EmilienM is now known as EmilienM|afk21:13
*** dims__ has quit IRC21:23
*** pnavarro has quit IRC21:28
*** mattfarina has quit IRC21:31
*** jamielennox|away is now known as jamielennox21:39
*** stevemar has quit IRC21:39
*** markvoelker has joined #openstack-keystone21:42
*** henrynash has quit IRC21:54
*** EmilienM|afk is now known as EmilienM21:55
*** jdennis has quit IRC21:55
jamielennoxmm, gerrit completely screwed up handling of my ksm patch chain21:58
*** lhcheng has quit IRC22:03
*** mattfarina has joined #openstack-keystone22:03
*** mattfarina has quit IRC22:05
*** dims__ has joined #openstack-keystone22:08
*** lhcheng has joined #openstack-keystone22:10
*** ChanServ sets mode: +v lhcheng22:10
*** gordc has quit IRC22:10
*** lhcheng has quit IRC22:11
*** lhcheng has joined #openstack-keystone22:11
*** ChanServ sets mode: +v lhcheng22:11
*** sigmavirus24 is now known as sigmavirus24_awa22:12
*** harlowja_away is now known as harlowja22:13
*** markvoelker has quit IRC22:13
*** Raildo_ has joined #openstack-keystone22:16
*** Raildo__ has joined #openstack-keystone22:16
*** Raildo__ has quit IRC22:17
*** sdake_ has joined #openstack-keystone22:28
*** jsavak has quit IRC22:31
*** sdake has quit IRC22:31
*** sdake_ has quit IRC22:33
openstackgerritLin Hua Cheng proposed openstack/keystone: Expose domain_name in the context for policy.json
*** EmilienM is now known as EmilienM|afk22:40
*** bknudson has quit IRC22:43
*** markvoelker has joined #openstack-keystone22:48
*** markvoelker_ has joined #openstack-keystone22:49
*** dims__ has quit IRC22:50
*** markvoel_ has joined #openstack-keystone22:50
*** markvoe__ has joined #openstack-keystone22:51
*** markvoelker has quit IRC22:53
*** gyee_ has quit IRC22:53
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend
openstackgerritDavid Stanek proposed openstack/keystone: Adds proper isolation to the templated catalog tests
*** markvoelker_ has quit IRC22:54
*** markvoel_ has quit IRC22:55
*** jdennis has joined #openstack-keystone22:55
*** nkinder has quit IRC22:59
*** chlong has joined #openstack-keystone23:02
*** jdennis has quit IRC23:02
*** Raildo_ has quit IRC23:04
*** zzzeek has quit IRC23:07
lhchengdstanek: for  are you looking for new unit tests token_to_auth_context() ?23:07
lhchengdstanek: tried to look for existing one before submitting, but didn't find any.23:08
dstaneklhcheng: i'd be happy with anything that prevents a regression - probably a new one in this case23:08
dstanekthere are several tests in that exercise that method, but maybe not in the way that we need23:08
*** gyee_ has joined #openstack-keystone23:09
lhchenghmm maybe it is exercised indirectly..  anyway, I can add unit tests that invoke token_to_auth_context() directly23:10
dstaneklhcheng: i'd have to take a look, but i think it's called in the setup of some tests23:10
dstaneki don't remember why though23:10
*** EmilienM|afk is now known as EmilienM23:10
lhchengdstanek: it's okay. I'll look it up.23:11
lhchengdstanek: thanks for the review23:11
dstanekma pleasure23:11
*** jaosorior has quit IRC23:12
*** stevemar has joined #openstack-keystone23:12
*** ChanServ sets mode: +v stevemar23:12
*** stevemar has quit IRC23:17
*** rdo has quit IRC23:20
*** rdo has joined #openstack-keystone23:22
*** dguerri is now known as _dguerri23:23
*** _dguerri is now known as dguerri23:24
*** sdake has joined #openstack-keystone23:34
*** browne has quit IRC23:46
*** sdake_ has joined #openstack-keystone23:55
*** markvoe__ has quit IRC23:58
*** sdake has quit IRC23:59

Generated by 2.14.0 by Marius Gedminas - find it at!