Thursday, 2015-04-30

*** topol has quit IRC00:10
*** jaosorior has quit IRC00:22
*** zzzeek has quit IRC00:22
*** gyee has quit IRC00:22
dolphmrelease notes! edits welcome
*** topol has joined #openstack-keystone00:25
*** ChanServ sets mode: +v topol00:25
openstackgerritMerged openstack/python-keystoneclient: Add endpoint and service ids to fixtures
*** edmondsw has quit IRC00:33
*** packet has joined #openstack-keystone00:36
*** packet has quit IRC00:46
*** alexsyip has quit IRC00:53
*** packet has joined #openstack-keystone00:57
*** Rockyg has quit IRC00:58
*** lhcheng has quit IRC00:59
*** browne has quit IRC01:00
*** _cjones_ has quit IRC01:05
*** sigmavirus24 is now known as sigmavirus24_awa01:05
*** bknudson has joined #openstack-keystone01:09
*** ChanServ sets mode: +v bknudson01:09
*** stevemar has joined #openstack-keystone01:11
*** ChanServ sets mode: +v stevemar01:11
*** markvoelker has joined #openstack-keystone01:11
*** samueldmq has joined #openstack-keystone01:12
bknudsonjamielennox: see my responses on ?01:12
jamielennoxbknudson: not yet01:13
jamielennoxbknudson: hmm, i wonder where version started getting passed as a string01:13
bknudsonlooks like there's a bug in keystoneclient, so I posted a fix for it...
jamielennoxit must be because we are using the full ksc client now rather than our own get(..., version=X) functions01:14
jamielennoxthat would make sense01:14
bknudsonso we could wait for that in a keystoneclient release and then we wouldn't need the workaround in ksm.01:14
jamielennoxbknudson: it's not just us that uses adapters though so we would have problems with other clients01:15
bknudsonactually, I never really tried to see if it allows ksm to pass... I should try that.01:15
jamielennox(not that that matters for ksm)01:15
bknudsonif other adapters are using strings rather than tuples then they also have bugs.01:15
bknudsonbecause the adapter says version is a tuple not a string.01:16
jamielennoxbknudson: i'm ok to use a string there if we need it01:17
jamielennoxbknudson: deep in discovery we normalize it
bknudsonI'm going to at least file a bug and put a comment in there.01:17
jamielennoxso in almost all situations it's not going to be a problem, it's just because we're not doing real discovery there it shows01:18
bknudsonmaybe it's time to do real discovery.01:18
samueldmqdolphm, hi, just reviewing the release notes01:18
samueldmqdolphm, I would replace 'Deployers can enable the Fernet [token] provider = keystone.token.providers.fernet.Provider in keystone.conf.'01:18
samueldmqdolphm, with 'Deployers can enable the Fernet **TOKEN PROVIDER USING** [token] provider = keystone.token.providers.fernet.Provider in keystone.conf.'01:19
samueldmqdolphm, also, there is a place where we use 'keystone' instead of 'Keystone'01:19
samueldmqdolphm, can I fix those?01:19
bknudsonif we're going to switch to doing real discovery some time then might as well keep the workaround.01:20
bknudsonand work on switching to using discovery01:20
bknudsonwe should be able to turn some of the ksm code over once it's using ksc.01:21
bknudsone.g., just create a keystoneclient (not v2 or v3) and call it, rather than having separate classes.01:21
bknudsonI didn't want to do all that in a single step.01:22
bknudsonalso we can mock at the keystoneclient level rather than at the requests level in the tests.01:22
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Adapter version is a tuple
samueldmqdolphm, reviewed! lgtm01:30
*** tqtran has quit IRC01:30
ayoungbknudson, I suggested a cross project policy talk as well.  I think we should merge your "role for service users" under that.  The hierarchical roles approach will address that, and we should do it in the context of a unified policy file.01:35
ayoungdolphm, should WebSSO go under Keystone or Horizon?  I'm guessing Horizon.01:36
ayoungOh..it's there already, first thing!01:36
bknudsonthe role for service users shouldn't require much of a discussion... it's really not much of a change... just need to limit the capabilities of the service users.01:37
bknudsoncould do it today without any new features01:37
ayoungbknudson, the thing is that we need to identify which operations need that role01:37
ayoungand I guess it is not hierarchical, as you need "service" role on the "service" domain in order to execute it01:38
bknudsonwe know what operations auth_token is going to do.01:38
bknudsonwe know what operations nova is going to do on neutron and glance01:38
ayoungvalidate tokens, maybe fetch certs if they are still doing PKI.  Fetch policy in the future01:38
bknudsonand what operations neutron is going to do for nova.01:38
bknudsonand what operations heat needs to do?01:39
ayoungbknudson, nova ops on neutron and glance are done using the user's token, right?01:39
bknudsonbut we can't require admin role for any of these.01:39
ayoungbknudson, we can and should make Heat its own thing if it is doing special operations01:39
bknudsonnot always.01:39
ayoungit creates a domain for one thing01:39
ayoungbknudson, it puts all its temporary users in that domain01:39
ayoungthen the user's token is used to create trusts, delegating roles to those users01:40
bknudsonthat seems like a bad idea... require the admin to create the domain.01:40
bknudsonand use the domain that the admin set up01:40
ayoungit is done at install time...probably not by the heat user01:40
ayoungbut it does a lot more than other service users, is my point01:40
ayoungmake HEAT its own role, I would think01:40
ayoungallowed to create and delete users in the heat domain...01:41
bknudsonit still doesn't need to have admin authority.01:41
ayoungnothing really needs admin..I hate that term01:41
bknudsonyes, create a specific role for it.01:41
ayoungadmin needs to die01:41
bknudsonso that's what the session I proposed is about01:41
ayoungbknudson, so I want a unified policy file01:41
bknudsonsomehow we have to educate folks to not allow it.01:41
bknudsonThere's no reason we shouldn't be able to have a unified policy file.01:41
ayoungand a header section that defines the role hierarchy01:41
bknudsonmight have to figure out why neutron implemented their own rules.01:42
bknudsonand unwind that01:42
ayoungthat way, if we do have heat role it will have common definition across the other projects01:42
ayoungthey have one thing they do which is unique..I'll link01:42
bknudsona unified policy file would make it easier to enforce these things.01:42
*** alex_xu has quit IRC01:43
ayoungso they do some enforcing on fields01:43
bknudsonayoung: do we want that in oslo.policy?01:43
ayoungI think so01:43
ayoungit is a generalizable rule, it should be common01:43
bknudsonshould be easy to just copy the class from neutron01:43
ayounglet me see if I can find the code definition for it01:43
bknudsonbecause ihar has been expecting to keep it in neutron.01:44
bknudsonI don't know why he thinks we don't want it in oslo.policy01:44
ayoung.RESOURCE_ATTRIBUTE_MAP[resource][field]  might be the reason...01:45
bknudsonthere's no reason you shouldn't be able to tell oslo.policy what your application's RESOURCE_ATTRIBUTE_MAP is.01:46
ayoungis that something that should be in the policy file itself?  Or maybe should be in a separate json file?01:46
bknudsonthat's another possibility01:47
ayoungIt might be an issue having a unified file.  May make more sense to compose the policy from multiple files, with just a common set of rules01:47
ayoungthat way, each of the projects can own their set of APIs, but inherit common logic for roles and so on01:48
*** dims has joined #openstack-keystone01:48
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient
*** topol has quit IRC01:51
*** stevemar has quit IRC01:52
ayoungbknudson, does  _discover.normalize_version_number(self.version) handle both the tuple and the "v3" forms of the version in,cm01:55
bknudsonayoung: yes, it's got code to accept an iterable (tuple) :
ayoungI thought I remembered that01:57
bknudsonit's very permissive.01:57
jamielennoxbknudson: that was back when i was trying to please everyone01:58
bknudsonprobably because the services are inconsistent01:58
bknudsonjamielennox: you've given up on pleasing everyone?01:58
jamielennoxnow we have enough momentum to just make them conform to us01:58
*** packet has quit IRC01:58
jamielennoxabsolutely - now we dictate the right way to do it01:59
*** richm has quit IRC02:00
bknudsonmaybe there's some way we could make it really hard to create a user with admin role.02:01
bknudsonmaybe a domain property.02:02
ayoungbknudson, I think the problem with admin is the policy enforcement accepts it everywhere02:02
ayoungthe idea is that admin is the root account, that can unstick things02:03
morganfainbergbknudson: interesting idea02:03
ayoungI think that the right approach is more like this02:03
ayoungadmin must always be scoped02:03
ayoungwe use Hierarchical role assignments so that admin at the domain means admin on projects02:03
morganfainbergayoung: have some feedback/ideas that fit into delegation for the summit. :)02:04
ayounghave a single hierarchy, with a root domain02:04
bknudsony, but we don't want any admin.02:04
bknudsonok, maybe we want a user to be admin02:04
ayoungand admin becomes an aggregate role02:04
bknudsonbut service users shouldn't be admin02:04
ayoungit means "all permissions" but it still needs to be scoped02:04
morganfainbergayoung: fwiw, it is somewhere between what you and I have each talked about for a while. /me relaxes for the next flight02:04
ayoungright.. but not only service users need to perform those operations02:04
ayoungvalidate token...probably a service user02:05
ayoungbut would we say exclusively a service user?02:05
bknudsonno reason to do that02:05
bknudsonif you know what an application is going to do then limit application user to those operations02:06
ayoungbut even the service role should be scoped.  service role on the admin domain can validate a token..or on the service project or something02:06
bknudsone.g., you know auth_token is going to validate tokens so limit the auth_token user to validating tokens.02:06
ayoungassume that any project admin can assign any role to any user within their project02:07
ayoungso it can't just be the role name02:07
ayoungit always has to be "role in scope"02:07
bknudsonif we're going to have admins then it should be possible to limit their adminity02:09
bknudsonand limited admin should be the default02:09
ayoungbknudson, that is the goal02:10
ayoungbknudson, it's been assigned to me for a long time:
openstackLaunchpad bug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] - Assigned to Adam Young (ayoung)02:11
ayoungtime to finally make progress on it02:11
bknudsononly since 2012.02:12
ayoungbknudson, so there are a couple problems.  The biggest is that we can't change the default policy out from under people.  That will break many apps.  The second is that we don't have a good way to publish "this is the admin domain"  as you see in the v3 cloudsample file02:14
bknudsonone suggestion was to support a domain name rather than an ID.02:15
ayoungmaking it so installations can fetch their policy from Keystone  provides a way:  when an install cuts over, they get the new rules02:15
ayoungbknudson, that is better, but still needs to be defined and distributed per installation02:15
ayoungYou would need to go and set it in every policy file.  And most people treat policy files as code distributed from the base installation, not a config file02:16
bknudsonwe also need to make progress on domains-are-projects02:16
bknudsonsince it should be admin project not admin domain02:17
ayoungbknudson, there are reviews out for that...I have one open right now02:17
openstackgerritliusheng proposed openstack/python-keystoneclient: Use openstack common util method to find name-or-id resource
ayoungsee the related patches02:17
ayoungbknudson, which reminds me:  isn't it time we added mysql to the test-requirements.txt file?02:18
bknudsonayoung: I think victor was working on that02:18
bknudsonopportunistic live testing.02:18
ayoungeven if we don't use it in the actual tests, we should have it in the test file as just about everything needs it.  That way, if you create a tox environment, you can cut it over to a live mysql02:19
ayoungamong other things02:19
bknudsonthat would be nice to see since it's hard to fix migrations02:19
ayoungI can submit sec02:19
ayoungbknudson, requires mysql devel to be installed...maybe that is why we held off02:20
ayoungthat is a binary02:20
ayoungI'll submit anyway, we can always reject02:21
ayoungbknudson, if the license just says that OK?  I'm guessing V2 but it doesn't specify02:23
bknudsonfor tests I don't think it matters02:23
bknudsonit's Victor Sergeyev, not Victor Stinner02:24
bknudsonayoung: look at this:
*** stevemar has joined #openstack-keystone02:25
*** ChanServ sets mode: +v stevemar02:25
ayounggpl v2 and v3 for mysql and psycopg02:29
bknudsonluckily redhat packages it for us so we don't have to try to ship it ourselves.02:30
*** dims has quit IRC02:31
*** fifieldt has joined #openstack-keystone02:36
*** stevemar has quit IRC02:38
*** alex_xu has joined #openstack-keystone02:44
*** browne has joined #openstack-keystone02:45
ayoungYeah.  Luck02:45
*** stevemar has joined #openstack-keystone02:48
*** ChanServ sets mode: +v stevemar02:48
*** ir2ivps8_ has quit IRC02:48
*** ir2ivps8 has joined #openstack-keystone02:48
*** harlowja has quit IRC02:56
*** harlowja has joined #openstack-keystone02:56
*** harlowja has quit IRC02:57
*** lhcheng has joined #openstack-keystone03:11
*** ChanServ sets mode: +v lhcheng03:11
openstackgerritJamie Lennox proposed openstack/keystoneauth: Reorganize exceptions
*** packet has joined #openstack-keystone03:20
openstackgerritJamie Lennox proposed openstack/keystoneauth: Rename _discover module
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove management_url from AccessInfo
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove auth_url property from AccessInfo
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove region_name from catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove the AccessInfo Factory
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove region_name from service catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Cannot retrieve a token from service catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Don't save version into the dictionary
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove the factory from service catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make ServiceCatalog take an actual catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: AccessInfo is not a dict
*** harlowja has joined #openstack-keystone03:27
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove cli functions from utils
jamielennoxthat was fun, alright real work...03:30
*** _cjones_ has joined #openstack-keystone04:10
morganfainbergjamielennox: will run through those tonight or tomorrow.04:22
morganfainbergjamielennox: once I know what things look like re: release notes.04:23
jamielennoxmorganfainberg: i'm not being super neat but trying to keep each change contained04:23
morganfainbergAnd I'm actually home.04:23
jamielennoxi'm also ripping out stuff that we may need again later, but i'd prefer to not have04:23
jamielennoxbecause we can always add it back04:23
morganfainbergjamielennox: I'm less worried about "neat" and more worried about getting things in the repo. This is still cleanup04:23
morganfainbergIn/out whatever. But getting things in shape for a release is the important part :)04:24
morganfainbergjamielennox: going to also do another ksm .z release for spammy log fix.04:25
morganfainberg(I know Thursday...)04:25
jamielennoxthe cinder thing?04:25
jamielennoxwhat did you fix on ksm side?04:25
*** packet has quit IRC04:26
samueldmqmorganfainberg, hi04:43
samueldmqmorganfainberg, in the release notes, the section Known Issues is still empty04:44
samueldmqmorganfainberg, is that related to security notes (like
samueldmqmorganfainberg, or is that issues we know and didn't solve04:45
*** samueldmq has quit IRC05:02
*** lhcheng has quit IRC05:17
*** josecastroleon has joined #openstack-keystone05:17
morganfainbergjamielennox: stopped logging a warning when no token is in headers05:18
jamielennoxmorganfainberg: stopped or downgraded to info?05:18
morganfainbergjamielennox: no logging for it05:18
jamielennoxor some other debug05:18
morganfainbergIt doesn't05:18
morganfainbergNeed to be debug we dump the headers and raise an error05:18
*** josecastroleon has quit IRC05:19
morganfainbergWas being hit millions of times per week in the gate. Very spammy, not useful.05:19
morganfainbergWhat does it tell an operator? Nothing really.05:19
morganfainbergNo request ids at that point etc. for a developer in debug, we already dump the full header dict.05:20
*** openstackgerrit has quit IRC05:22
*** lhcheng has joined #openstack-keystone05:22
*** ChanServ sets mode: +v lhcheng05:22
*** openstackgerrit has joined #openstack-keystone05:22
*** harlowja is now known as harlowja_away05:23
*** lhcheng has quit IRC05:26
*** kiran-r has joined #openstack-keystone05:40
*** ajayaa has joined #openstack-keystone05:46
*** josecastroleon has joined #openstack-keystone06:00
*** _cjones_ has quit IRC06:07
*** kiran-r has quit IRC06:14
*** topol has joined #openstack-keystone06:26
*** ChanServ sets mode: +v topol06:26
*** kiran-r has joined #openstack-keystone06:40
*** e0ne has joined #openstack-keystone06:45
*** stevemar has quit IRC06:46
*** kiran-r has quit IRC06:46
*** pnavarro has joined #openstack-keystone06:50
bretongood morning, folks06:53
*** henrynash has joined #openstack-keystone06:54
*** ChanServ sets mode: +v henrynash06:54
*** kiran-r has joined #openstack-keystone06:55
*** rushiagr_away is now known as rushiagr06:57
openstackgerritguang-yee proposed openstack/keystonemiddleware: enforce endpoint constraint
*** afazekas has quit IRC07:08
*** e0ne has quit IRC07:09
*** browne has quit IRC07:09
*** vhoward has quit IRC07:13
*** vhoward has joined #openstack-keystone07:15
mabramsayoung: i did this but child's parent_project_id is ""; expecting "Parent"07:22
mabramsayoung: plus i need a "grandchild" project07:22
mabramsayoung: as well...07:23
*** chlong has quit IRC07:42
marekdbreton: hi07:45
bretonmarekd: \o07:59
*** kiran-r has quit IRC08:03
*** jistr has joined #openstack-keystone08:04
*** svasheka has joined #openstack-keystone08:13
ajayaamarekd, Hi. Looking at the tables it seems that the trust data is stored only on two tables. i.e. trust and trust_role. Is that right?08:16
openstackgerritJamie Lennox proposed openstack/keystoneauth: Change keystoneclient to keystoneauth in docs
*** krykowski has joined #openstack-keystone08:30
ajayaamarekd, I am asking this because we are working on a NoSql backend for Keystone and the schema seems to have changed since we created a POC.08:31
*** dobson` has quit IRC08:31
ajayaamarekd, there?08:31
*** topol has quit IRC08:36
*** pnavarro has quit IRC08:36
*** rlt_ has joined #openstack-keystone08:36
*** e0ne has joined #openstack-keystone08:37
*** dobson has joined #openstack-keystone08:49
*** Steap has joined #openstack-keystone08:50
*** kiran-r has joined #openstack-keystone08:56
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: enforce endpoint constraint
marekdajayaa: i am now.09:00
marekdajayaa: i am not master of trusts. I really suggest going through the code and checking on when and what tables are used.09:02
*** pnavarro has joined #openstack-keystone09:02
ajayaaThat's what I did. Thanks.09:02
marekdit should be somewhere near or keystone/trust in general09:02
ajayaamarekd ^^09:02
marekdajayaa: if you examine the code you will have a better understanding on what's going on there and be able to better fit your PoC09:03
openstackgerritMarek Denis proposed openstack/keystone: Add openstack_user_domain to assertion
*** kodoku has joined #openstack-keystone09:15
kodokuHi, how can I modify links when I request /v2.0 ? because links return http://serveur/v2.0 and my endpoint is http://serveur/identity/v2.0 09:16
kodokuand cinder doesn't work because it uses these links to contact keystone09:16
openstackgerritLin Yang proposed openstack/keystone: Fix tiny typo in comment message
openstackgerritAjaya Agrawal proposed openstack/keystone-specs: Spec for distributed database driver for Keystone
*** e0ne is now known as e0ne_09:48
openstackgerritMarek Denis proposed openstack/keystone: Refactor _create_attribute_statement IdP method
openstackgerritAjaya Agrawal proposed openstack/keystone-specs: Spec for distributed database driver for Keystone
jamielennoxkodoku: it's when you set up services and endpoints in keystone09:53
jamielennoxumm, the v2 cli had keystone service-create and endpoint-create09:53
jamielennoxit's slightly different in OSC but it shouldn't be hard to find09:54
*** kodoku has quit IRC09:55
*** dims has joined #openstack-keystone09:56
*** e0ne_ is now known as e0ne09:58
*** e0ne is now known as e0ne_10:13
*** openstackgerrit_ has joined #openstack-keystone10:16
*** e0ne_ is now known as e0ne10:16
*** krykowski has quit IRC10:26
*** krykowski_ has joined #openstack-keystone10:26
*** openstackgerrit_ has quit IRC10:31
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database
*** krykowski_ has quit IRC10:37
*** krykowski_ has joined #openstack-keystone10:38
*** _dguerri is now known as dguerri10:38
*** josecastroleon has quit IRC10:44
*** samueldmq has joined #openstack-keystone10:58
*** krykowski_ has quit IRC11:02
*** henrynash has quit IRC11:02
*** krykowski has joined #openstack-keystone11:02
*** henrynash has joined #openstack-keystone11:03
*** ChanServ sets mode: +v henrynash11:03
*** e0ne has quit IRC11:05
*** rushiagr is now known as rushiagr_away11:08
*** e0ne has joined #openstack-keystone11:10
*** kiran-r has quit IRC11:15
*** markvoelker has quit IRC11:18
*** josecastroleon has joined #openstack-keystone11:19
*** jamielennox is now known as jamielennox|away11:20
*** e0ne is now known as e0ne_11:20
*** e0ne_ is now known as e0ne11:21
*** aix has joined #openstack-keystone11:21
openstackgerritMerged openstack/keystone: Fix tiny typo in comment message
*** krykowski has quit IRC11:34
*** kiran-r has joined #openstack-keystone11:37
*** ajayaa has quit IRC11:38
*** kiran-r has quit IRC11:54
*** kiranr has joined #openstack-keystone11:54
*** raildo has joined #openstack-keystone11:58
*** kiranr has quit IRC11:59
marekdsamueldmq: Hi12:00
raildohenrynash, regarding your comment here: I was thinking of sending this part in a different patch. In the future I can update it with the rest of the code related to dual scoped token. What do you think?12:01
marekdsamueldmq: i wanted to ask "Groups appearing in federated identity assertions may now be automatically created as local groups with local user membership mappings." what spec were you referring to (ReleaseNotes)12:01
samueldmqmarekd, hello12:01
samueldmqmarekd, let me check12:02
samueldmqmarekd, I think this one was added by dolphm or stevemar12:04
samueldmqmarekd, is there something wrong with this assertion?12:05
marekdsamueldmq: AFAIR the groups are not created, they will be auto mapped.12:06
marekddolphm: around ?12:06
samueldmqmarekd, hmm, so they are dynamically mapped .. so there are role assignments for groups that don't really exist ?12:07
marekdlet me revisit specs12:08
marekdsamueldmq: take a look here:
marekdFirst half of the paragraph. It's stated that groups must exist a priori12:10
marekdthey are automatically mapped, but not created locally.12:10
*** mabrams has left #openstack-keystone12:10
*** markvoelker has joined #openstack-keystone12:11
*** bdossant has joined #openstack-keystone12:13
marekdsamueldmq: i can edit that12:14
marekdor you can do this as well12:14
marekdbut i think this is not what we currently have in Keystone12:14
samueldmqmarekd, do it yourself :)12:15
samueldmqmarekd, also, do groups appear  in the assertion ?12:15
marekdsamueldmq: they may appear12:15
marekdsamueldmq: well, there is no format parameter for groups12:15
marekdyou are obliged to know what will come in the assertion (i.e. names of parameters)12:16
samueldmqmarekd, I am not sure about that sentence, something looks inconsistent, but I'd check with dolphm or stevemar, just to clarify what is being said there12:16
marekdsamueldmq: ok, changed12:19
*** krykowski has joined #openstack-keystone12:27
*** gordc has joined #openstack-keystone12:32
*** jistr has quit IRC12:39
*** jistr has joined #openstack-keystone12:54
*** jistr is now known as jistr|biab12:55
openstackgerritMerged openstack/keystone: Updates the *py3 requirements files
*** topol has joined #openstack-keystone13:04
*** ChanServ sets mode: +v topol13:04
*** fifieldt has quit IRC13:04
*** Ctina has joined #openstack-keystone13:06
*** bknudson has quit IRC13:09
*** jaosorior has joined #openstack-keystone13:14
*** joesavak has joined #openstack-keystone13:17
*** stevemar has joined #openstack-keystone13:18
*** ChanServ sets mode: +v stevemar13:18
dolphmsamueldmq: marekd: o/13:22
marekddolphm: FYI. Hi. I edited ReleaseNotes a little bit13:22
marekddolphm: IdentityFederation section, to be more specific.13:23
dolphmmarekd: i was hoping you would!13:23
marekddolphm: hehe.13:24
*** nkinder has quit IRC13:25
dolphmmarekd: on the "Remote IDs" one -- i totally missed that feature. remote IDs of what? (IdPs?)13:25
marekddolphm: yes.13:25
marekddolphm: so now we can identify at the keystone level who issued this assertion. Before we knew it was "one of the guys we trust"13:26
*** jsavak has joined #openstack-keystone13:26
*** bdossant_ has joined #openstack-keystone13:29
*** lsmola_ is now known as lsmola13:29
*** joesavak has quit IRC13:30
*** richm has joined #openstack-keystone13:30
*** bdossant_ has quit IRC13:30
*** bdossant has quit IRC13:30
dolphmoh that's right, i remember that conversation13:37
marekddolphm: yep13:37
*** packet has joined #openstack-keystone13:39
*** bknudson has joined #openstack-keystone13:43
*** ChanServ sets mode: +v bknudson13:43
stevemardolphm, marekd it's a neat feature - allows for lots of external idps to use a single IDP resource13:44
*** krykowski has quit IRC13:44
*** sigmavirus24_awa is now known as sigmavirus2413:44
dolphmcould you hear me okay yesterday?13:44
dolphmlbragstad: ^13:44
lbragstaddolphm: yep13:45
marekdstevemar: we can say that :-)13:45
*** jistr|biab is now known as jistr13:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policy Overview
samueldmqayoung, henrynash, dstanek, morganfainberg and everyone else ^13:53
samueldmqI modified the spec to address dynamic policy in terms of what problems we are trying to solve13:54
ayoungsamueldmq, thanks.  looking13:54
samueldmqAnd how to incrementally get there :)13:54
samueldmqayoung, yes please, let me know if I missed any detail or any other suggestion13:55
*** chlong has joined #openstack-keystone13:56
*** edmondsw has joined #openstack-keystone13:59
ayoungsamueldmq, that is a great summary of the RBAC process14:01
samueldmqayoung, yeah I tried to contextualize a bit more :-)14:03
samueldmqayoung, you think it still need more details ? big changes ?14:03
samueldmqayoung, I kept your original general idea/steps14:04
*** browne has joined #openstack-keystone14:04
*** amakarov_away is now known as amakarov14:10
*** iamjarvo has joined #openstack-keystone14:11
*** iamjarvo has quit IRC14:11
*** nkinder has joined #openstack-keystone14:11
*** iamjarvo has joined #openstack-keystone14:11
*** lsmola has quit IRC14:12
gordchey folks, is PROJECT_NAME unique or is only PROJECT_ID guaranteed to be unique14:12
bknudsongordc: name is not unique across domains14:13
gordcbknudson: cool cool. as i guessed. thanks for confirming14:13
stevemarmfisch, do you have any AD experience?14:15
ayoungsamueldmq, reminds me of the "Situation" section of an Operations Order:
ayounggordc With HMT, what I want is that project name is unique within the parent project only14:18
mfischstevemar: a small amount14:18
ayoungstevemar, we have some on our end.   not me directly, I'll deny it, but other team members.14:19
stevemarmfisch, ayoung okay cool - i might call on you guys soon :)14:19
samueldmqayoung, ++14:20
ayoungsamueldmq, hey can you adjust the "policy from client" spec to "enforce policy from middleware?"14:20
samueldmqayoung, looking at your comments now14:21
samueldmqayoung, sure will do14:21
ayoungsamueldmq, the big difference is going to be that the middleware manages the cache, and calls oslo.policy.  I don't think we need KC in there.14:21
ayoungoslo will assume it is presented a policy file, but we should make it so that it can accept the policy as parsed JSON as well.  That might be a separate spec....14:22
ayoungjust have middleware handle the cache for now14:22
samueldmqayoung, k, but middleware will use kc to get the policy right (either json or file)14:23
samueldmqright ?14:23
*** Ctina has quit IRC14:23
ayoungsamueldmq, that is correct14:23
ayoungbut KC should already have policy crud.  If it does not, that is a separate spec14:23
*** Ctina has joined #openstack-keystone14:24
samueldmqayoung, what I was saying is that middleware enforces, based on the policy it gets using kc14:24
samueldmqayoung, maybe clarify this ?14:24
ayoungsamueldmq, heh...even more complex.14:24
*** e0ne is now known as e0ne_14:25
ayoungmiddleware exposes a Policy Enforcement Point (PEP) API that nova et alles call in to.  It won't be straight middleware.  The PEP API  does the following14:25
ayoung1.  Fetches policy from KC14:25
samueldmqayoung, ahhhhhhhhhhhhhhhhh14:25
samueldmqayoung, got it14:25
dolphmanyone know if keystone fails silently (no logging) when you enable caching but there's no memcache available/14:25
ayoung2.  stores in cache14:25
ayoung3. calls into oslo policy14:25
samueldmqayoung, middleware does not know about the kc or whatever the policy was fetched with14:25
samueldmqayoung, it just has the code to enforce14:26
ayoungsamueldmq, I think you mean Oslo14:26
samueldmqayoung, everything is still coordinated by the service, who connects the actions of fetch, enforce, etc14:26
ayoungmiddleware knows about KC and Oslo14:26
samueldmqayoung, ah .. step back, middleware calls kc to fetch the policy, caches it, and enforces it using the common code in oslo14:28
*** mattfarina has joined #openstack-keystone14:28
samueldmqayoung, as I was thinking all the time, just got confused for a few moments14:28
*** e0ne_ is now known as e0ne14:30
morganfainbergdolphm: samueldmq: release notes look great!14:32
morganfainbergThank you!!!14:32
bknudsonguten morganfainberg14:32
dolphmmorganfainberg: /salute14:32
samueldmqmorganfainberg, hi, nice ... anytime!14:33
* morganfainberg yawns.14:33
morganfainbergFeels good to be home.14:34
*** josecastroleon has quit IRC14:35
ayoungsamueldmq, one sec,  before you edit, I am going to add an ascii flow to that spec14:35
bretonkilo got released!14:35
samueldmqayoung, go ahead, I will edit it only this afternoon14:35
samueldmqayoung, lunch time now14:36
samueldmqhenrynash, appreciate your quick feedback on the spec, thanks14:37
*** lhcheng has joined #openstack-keystone14:39
*** ChanServ sets mode: +v lhcheng14:39
dstanekdolphm: i would not expect failure at all...generally speaking the memcache client will just not save the data and will report back that it didn't get any data14:43
*** dims has quit IRC14:44
*** lhcheng has quit IRC14:44
*** dims has joined #openstack-keystone14:44
raildodstanek, can you review this bug later? :)
gordcbknudson: one more q: is there ever a chance there will be HTTP_X_PROJECT_ID, HTTP_X_SERVICE_PROJECT_ID, HTTP_X_TENANT_ID (more than one) in a single request? if so, would they be different values?14:48
bknudsonPROJECT_ID is a rename of TENANT_ID14:48
bknudsonSERVICE_PROJECT_ID can be different than the PROJECT_ID... it's expected to be.14:48
gordcbknudson: you have a pointer to some docs that highlights the purpose of each?14:50
gordcoh service related user?14:50
bknudson ??14:50
gordcbknudson: just using this
bknudsonthat's not even rendered.14:51
gordcbknudson: i'll read through. thanks14:52
bknudsongordc: and
*** chlong has quit IRC14:53
amakarovmorganfainberg, hi! I've addressed you concern about TRL update on revoke: Would you please look into?14:57
morganfainbergamakarov: thanks I am back home now so more able to do reviews.14:58
amakarovmorganfainberg, that's cool!14:58
morganfainbergamakarov: :)14:58
*** zzzeek has joined #openstack-keystone14:58
amakarovAnd a spec for KMW on the same topic :)14:59
*** edmondsw has quit IRC15:00
morganfainbergOh middleware :)15:03
*** topol has quit IRC15:03
amakarovmorganfainberg, is "KSM" a correct abbreviation? ))15:06
morganfainbergamakarov: both work.15:07
morganfainbergamakarov: my brain is just getting going though.15:07
marekdmorganfainberg: drink more coffeeeeeeeeee15:07
amakarovmarekd, as for me green tea is more effective btw15:08
ayoungwhich spec has an ascii flow diagram in it?   Ican't get mine to pass tox, want to compare.  Anyone?15:21
bknudsondstanek: I posted a similar comment to yours on -- I don't see the point of it.15:21
bknudsonalso, not sure what to do with it other than to just let it sit there forever unmerged.15:21
bknudsonunless we just -2 it15:21
bknudsonmaybe morganfainberg as PTL has an opinion15:22
morganfainbergbkundson: The only question I have is for zzzeek on if it materially changes the same in a positive way. Afaict, this just is harder to read15:25
bknudsonif zzzeek said this was an improvement then I'd +215:25
*** e0ne is now known as e0ne_15:25
morganfainbergI think this does lower overhead in the Python sense because it doesn't call .filter_by over and over15:26
bknudsonthen profile it15:26
bknudsonI stopped trusting my gut as far as performance improvements since I've been burned in the past.15:26
morganfainbergSo less method mro lookups. But I mean. It's not worth spending hours on it unless someone has profiled it. I don't expect cores to profile things like this15:27
morganfainbergThe code proposer should be showing us why this is better. Not just for the sake of shuffling code15:28
bknudsonthat's my opinion too. otherwise somebody's going to come along later and just change it back.15:28
bknudsonsince we have no reason to pick one or the other15:29
morganfainbergzzzeek: if you have a moment to let us know about some sql-a stuff, your insight would be really appreciated.15:29
zzzeekmorganfainberg: i see the pages, am trying to jam out some code before a 12 pm call15:29
morganfainbergbknudson: I'd err to the side of readability in all cases here.15:29
morganfainbergzzzeek: sounds good. No rush. Post call then :)15:29
bknudsonboth of them are equally readable to me.15:30
morganfainbergOr post lunch. Or. Whenever you have some spare moments.15:30
morganfainbergbknudson: the change of indent in a couple of them makes my eyes hurt more :P in the new version.15:30
*** _cjones_ has joined #openstack-keystone15:31
bknudsonthere should be a pep8-style tool for eyehurt15:31
morganfainbergbknudson: yessssss15:31
marekdamakarov: for sure initial K2K had some ascii flows15:32
marekdayoung: ^^15:32
marekdamakarov: sorry, meant ayoung15:32
marekdamakarov: i was juno15:32
marekdmorganfainberg: you mentioned some questions for me on Tuesday (some metadata sort of stuff)15:34
*** _cjones_ has quit IRC15:34
*** _cjones_ has joined #openstack-keystone15:34
morganfainbergHmm brain is fried. Can't remember. Maybe post coffee I will15:34
*** e0ne_ is now known as e0ne15:35
morganfainbergBut i did have questions.15:35
marekdmorganfainberg: sorry, you didn't provide me any more info at that time, so i will not help you15:35
morganfainbergmarekd: I think it was around handling the aggregate metadata for the groups that have many many ISPs.15:36
*** arunkant_ has joined #openstack-keystone15:36
marekdmorganfainberg: ISPs or IDPs (which still may sound weird)15:37
morganfainbergSo university systems.15:37
morganfainbergThey have a large number of idps. Shib based. They provide an aggregate metadata for them.15:37
*** rm_work|away is now known as rm_work15:38
morganfainbergBut then you also need to isolate the idp for say $deployer reasons (aka billing etc)15:38
morganfainbergI think I need to look at this model a bit more closely.15:38
morganfainbergWhich is why I held off on asking on Tuesday15:39
morganfainbergThe question wasn't ripe. So the question is a weird one ATM15:39
morganfainbergmarekd: give me a little more time to see how this is constructed. Then I can ask the question the right way.15:39
morganfainbergMight be @ the summit.15:39
marekddo you have some specific feature/usecase you want to add/solve?15:40
morganfainbergOr be a non-question15:40
zzzeekmorganfainberg: if we’re talking about filter_by(a=, b=, c=, ..), +1, I think it's more concise.  clearly either form is fine, do whichever one you find easier to read.  There's no performance impact either way15:40
openstackgerritayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient
*** jdennis has joined #openstack-keystone15:40
*** emagana has joined #openstack-keystone15:40
morganfainbergYeah. But I am missing some details before I can type out the use case.15:41
morganfainbergmarekd: ^15:41
zzzeekmorganfainberg: originally, filter()’s predecessor did both the *clauses and the **kw.  that’s my favorite, but people didn't understand the calling signature15:41
morganfainbergzzzeek: thanks. :)15:41
morganfainbergbknudson: ^^15:41
emaganaKeystone Experts! Could anyone tell me when the concept of the "hybrid" driver was included in keystone to authenticate against both mysql and ldap15:41
marekdmorganfainberg: sure.15:41
morganfainbergemagana: the per-domain drivers became usable in Juno.15:42
morganfainbergemagana: prior to that, you would have needed custom drivers.15:42
stevemaremagana, it became awesome in kilo15:42
openstackgerritMerged openstack/python-keystoneclient-saml2: Remove unused private classes on tests
emaganamorganfainberg and stevemar: So, prior to Juno I need to use something like: ??15:43
*** richm has quit IRC15:43
morganfainbergemagana: yes something like that.15:43
morganfainbergemagana: and there were many variations on that theme.15:43
*** richm has joined #openstack-keystone15:43
emaganamorganfainberg: Thanks! We are still in Icehouse :-(  Trying to move to Juno ASAP15:43
stevemaremagana, skip juno and go right up to kilo ;)15:44
emaganaI'd love that..!15:44
dstanekthat's not exactly the same as domain specific backends. we don't really have a hybrid backend.15:44
dstanekit depends on the usecase you have15:44
morganfainbergemagana: and you should! Juno was waaaay better. Though I am biased. Kilo is even better (fernet tokens/non-persistent drivers) are better15:44
emaganamorganfainberg: I heard about that!15:44
stevemardstanek, it's what was made available :(15:44
morganfainbergdstanek: almost all cases the hybrid auth was used, per-domain backends is what was wanted.15:44
morganfainbergdstanek: the fall through is for service accounts15:45
emaganaI just need to authenticate against LDAP but I can't create openstack service users in this LDAP, so I need hybrid15:45
morganfainbergNot for mixed / different sources of passwords for the same user.15:45
dstanekmorganfainberg: sure, but i don't know what emagana uses it for15:45
emaganadstanek: Just mentioned !15:45
morganfainbergIn fact, I'd say anyone who wants mixed sources of passwords and isn't using federation is insane ;)15:45
dstanekemagana: the domain backends should work for you then15:46
morganfainbergemagana: yeah your use case is 100% the common reason for hybrid backend15:46
emaganadstanek: I need to get familiar with it. It was introduced in Juno, right?15:46
dstanekinsane, but that was SUSE enabled :-(15:46
dstanekemagana: i believe so yes. it's actually really easy to use15:46
emaganadstanek: That SUSE driver has a performance issue!15:46
morganfainbergCtina: ping. here is tokenless auth code we talked about.15:47
marekdstevemar: some juicy stuff for ya:
Ctina@morganfainberg I was just searching for that, thanks!15:48
morganfainbergCtina: :)15:48
emaganaThanks All!!15:48
morganfainbergCtina: it should be super close to being ready to land.15:48
Ctinamorganfainberg good to hear15:49
stevemarit's definitely on it's way to landing15:49
*** iamjarvo has quit IRC15:49
marekdsamueldmq: ayoung: what API call is henry talking in ?15:49
dstanekuggg...i really hate giving presentations. i don't know why i put myself through this15:49
* morganfainberg swaps dstanek's name in for his own for 2 more presentations at the summit >.>15:50
bknudsondstanek: you look good in a suit.15:50
morganfainbergstevemar: so, I now have more time to look at slides. So... Summit-y things soon? (Sorry for being less-available until now)15:51
* dstanek will hide all summit! He needs the beer time anyway.15:51
morganfainbergdstanek: are you talking on stage at the summit?15:51
morganfainbergOr this a presentation elsewhere?15:51
dstanekmorganfainberg: nope. a conference here in Ohio15:51
dstaneki am talking OpenStack though15:52
morganfainbergstevemar: you should convince Topol to send you to cloud identity summit in San Diego15:52
*** jaosorior has quit IRC15:52
*** Ctina is now known as ctina15:52
morganfainbergdstanek: aha nice15:52
stevemarmorganfainberg, i suspect that wouldn't be hard15:53
stevemarmorganfainberg, just finishing up a demo today, then i'm all presentations for the next 2 weeks15:54
morganfainbergstevemar: it's expensive but it's where all the identity companies that do IAM things talk about identity.15:54
stevemarmorganfainberg, you going?15:54
morganfainbergstevemar: I'm going because I was asked to talk about keystone on the IaaS track (aws, azure, and google are the others)15:54
morganfainbergThey wanted OpenStack representation.15:55
stevemarmakes sense15:55
morganfainbergSo I think it'll be worth it from a networking pov and to see what others are doing in the IAM cloudy space.15:55
ayoungbknudson, stevemar morganfainberg, "The initial  default policy file will cover the rules currently provided by15:55
ayoungpolicy files from  Nova, Neutron, Glance, Cinder, and Keystone."  Are there any other Services I should add in there?15:55
*** EmilienM is now known as EmilienM|afk15:55
morganfainbergMaybe it makes sense for a couple keystone folks show up.15:55
morganfainbergstevemar: the conference ticket is like $1600 though since you're not speaking there (I have a $200 off code if that helps)15:56
*** emagana has quit IRC15:57
morganfainbergayoung: any project tagged as part of the integrated release15:57
ayoungmorganfainberg, we have a list of those?15:57
morganfainbergayoung: the governance repo should be able to tell you that in the project tank15:57
morganfainbergreally autocorrect. yaml -> tank?!15:58
bknudsonayoung: ceilometer15:58
ayoung  ?15:59
morganfainbergctina: let me know if you want me to chase down any other information / reviews for you.15:59
*** emagana has joined #openstack-keystone15:59
morganfainbergIt will have a name: integrated-release16:00
ayoungmorganfainberg, do you think it is OK if default policy round one does a subset of those?16:00
openstackgerritMerged openstack/keystone: Prohibit invalid ids in subtree and parents list
morganfainbergayoung: sure, just target by release to include the integrated tagged projects16:01
*** alexsyip has joined #openstack-keystone16:01
morganfainbergayoung: it can be done bit-by-bit one project at a time if you want.16:02
morganfainbergIt's easy to add new projects once you have a few working.16:02
ayoungmorganfainberg, since it is a deconflicting thing, we need to learn the peculiarities.  So far, Neutron is by far the most peculiar16:02
marekdsamueldmq: ping16:03
morganfainbergLike I said, aim for a few and expand. You could start with nova, neutron, cinder, glance, swift, keystone16:03
morganfainbergayoung: that would be a very basic OpenStack deployment16:03
*** edmondsw has joined #openstack-keystone16:04
morganfainbergI think swift is going to be the really odd one if it even does policy enforcement like anyone else.16:04
*** Bjoern___ has joined #openstack-keystone16:05
*** gyee has joined #openstack-keystone16:07
*** ChanServ sets mode: +v gyee16:07
*** jdennis has quit IRC16:12
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver
*** Bjoern___ has left #openstack-keystone16:14
*** amakarov is now known as amakarov_away16:36
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog
*** gyee has quit IRC16:37
*** lhcheng has joined #openstack-keystone16:38
*** ChanServ sets mode: +v lhcheng16:38
*** iamjarvo has joined #openstack-keystone16:41
samueldmqmarekd, hi, I am back16:43
samueldmqdstanek, hmm, will there be any broadcasting on your talk ?16:45
ctinamorganfainberg will do, sorry went to grab lunch :)16:47
*** samleon has joined #openstack-keystone16:47
morganfainbergctina: lunch > IRC :)16:47
* morganfainberg is doing coffee and breakfast.16:48
*** dims has quit IRC16:48
*** dims has joined #openstack-keystone16:49
*** e0ne is now known as e0ne_16:49
*** e0ne_ is now known as e0ne16:50
*** e0ne has quit IRC16:51
dstaneksamueldmq: no, they are recording audio and will pair it up with the slide - i'm going to submit the same talk to PyOhio which does usually record videos16:52
samueldmqdstanek, nice, please share  the links with me if they are open :)16:54
morganfainbergOoh we should rewrite keystone in nodejs :P16:55
* morganfainberg hides from the angry mobs.16:55
dstaneksamueldmq: will do - but it's nothing new for you16:55
samueldmqdstanek, yeah I know, I am interested on getting better on presentations, talk correctly according to the audience etc :p16:56
samueldmqdstanek, not on how to start contributing to openstack, I hope I already started :p16:57
dstaneksamueldmq: ah, then you're out of luck - i suck at them - i do them in hopes that i'll get better16:57
dstanekinstead of toastmasters i do trial by fire16:58
samueldmqdstanek, hehe nah .. I think you're good :p17:00
*** emagana has quit IRC17:00
samueldmqdstanek, please just share, I liked the subject, sometimes it's hard to explain the basics when you're too deep in  : )17:01
samueldmqmorganfainberg, nodejs ?17:01
dstaneksamueldmq: that's hipster coding17:02
samueldmqmorganfainberg, k give me a weekend ? want it to the summit ?17:02
dstaneksamueldmq: yeah, i go over very high level architecture concepts ( just enough for people to understand the size/scope ) and spend most of the time showing how to push and modify changesets17:03
samueldmqdstanek, hipster coding ? what is it ?17:03
*** rm_work is now known as rm_work|away17:03
samueldmqdstanek, nice17:03
morganfainbergsamueldmq: should use rust and toml if we want to go crazy. /s17:03
dstanekmorganfainberg: brainf*ck17:03
morganfainbergdstanek: might be too readable17:04
dstaneki've been meaning to leave that anyway17:04
morganfainbergSwift in go - interesting concept.17:04
morganfainbergIf you missed the ML Topic17:04
*** emagana has joined #openstack-keystone17:06
morganfainbergHmm. I see a distinct lack of topol in the channel.17:07
morganfainbergI might have to resort to email. :P17:07
*** ayoung is now known as ayoung-afk17:10
*** harlowja_away is now known as harlowja17:11
samueldmqhenrynash, hi , 'Adds inherited column to RoleAssignment PK' already has a +217:21
samueldmqhenrynash, please consider revisiting it17:22
samueldmqbreton, lhcheng cc ^17:22
*** emagana has quit IRC17:35
*** dims_ has joined #openstack-keystone17:37
openstackgerritMerged openstack/keystone: Add openstack_project_domain to assertion
*** BAKfr has quit IRC17:40
*** topol has joined #openstack-keystone17:43
*** ChanServ sets mode: +v topol17:43
*** cburgess_ has joined #openstack-keystone17:45
*** dims has quit IRC17:46
*** samleon has quit IRC17:46
*** edmondsw has quit IRC17:46
*** ayoung-afk has quit IRC17:47
*** cburgess has quit IRC17:47
*** jistr has quit IRC17:47
*** Ephur has quit IRC17:47
*** gabriel-bezerra has quit IRC17:47
*** grantbow has quit IRC17:47
*** samueldmq has quit IRC17:47
*** mflobo has quit IRC17:47
*** junhongl has quit IRC17:47
*** mkoderer has quit IRC17:47
*** morganfainberg has quit IRC17:47
*** wpf has quit IRC17:47
*** ptoohill has quit IRC17:47
*** bigjools has quit IRC17:47
*** raildo has quit IRC17:48
*** raildo has joined #openstack-keystone17:49
rodrigodshi, how can I propose for a bug to be backported?17:49
*** samueldmq has joined #openstack-keystone17:49
*** mflobo has joined #openstack-keystone17:49
*** junhongl has joined #openstack-keystone17:49
*** mkoderer has joined #openstack-keystone17:49
*** morganfainberg has joined #openstack-keystone17:49
*** wpf has joined #openstack-keystone17:49
*** ptoohill has joined #openstack-keystone17:49
*** bigjools has joined #openstack-keystone17:49
*** sets mode: +v morganfainberg17:49
bknudsonrodrigods: add kilo-backport-potential to the bug tags17:51
*** edmondsw has joined #openstack-keystone17:53
*** ayoung-afk has joined #openstack-keystone17:53
*** gabriel-bezerra has joined #openstack-keystone17:54
bknudsonwe should have a python-to-go compiler and then compile that17:54
rodrigodsbknudson, thanks... you already did it in the bugs was intending to add :)17:56
*** rlt_ has quit IRC17:57
*** harlowja has quit IRC17:58
*** e0ne has joined #openstack-keystone18:02
*** BAKfr has joined #openstack-keystone18:02
bknudsonDo we need a new bp for ?18:06
bknudsonmorganfainberg: ptl question ^18:06
*** aix has quit IRC18:07
*** iamjarvo has quit IRC18:08
openstackgerritRodrigo Duarte proposed openstack/keystone: Refactor _create_attribute_statement IdP method
openstackgerritRodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion
*** EmilienM|afk is now known as EmilienM18:11
*** emagana has joined #openstack-keystone18:12
rodrigodsbknudson, should I repropose targeting to stable/kilo?18:13
bknudsonrodrigods: sure18:14
*** iamjarvo has joined #openstack-keystone18:14
openstackgerritMerged openstack/keystoneauth: Change keystoneclient to keystoneauth in docs
*** rm_work|away is now known as rm_work18:23
*** mattfarina has quit IRC18:31
*** rm_work is now known as rm_work|away18:35
*** esmute has quit IRC18:35
*** esmute has joined #openstack-keystone18:35
*** ctina_ has joined #openstack-keystone18:37
*** ctina has quit IRC18:41
*** ctina_ has quit IRC18:42
*** iamjarvo has quit IRC18:43
*** iamjarvo has joined #openstack-keystone18:47
*** rm_work|away is now known as rm_work18:48
*** topol has quit IRC18:58
*** iamjarvo has quit IRC19:03
stevemarlhcheng, around?19:12
lhchengstevemar: yes19:12
*** iamjarvo has joined #openstack-keystone19:13
stevemarlhcheng, when you played with websso, did you try assigning a user 2 roles on different projects?19:13
stevemari think DOA is having some issues with that19:13
samueldmqayoung-afk, let me know when you're available19:14
stevemaror i'm using an old version19:14
samueldmqayoung-afk, have something to discuss regarding the spec, we've got some reviews on there19:14
lhchengstevemar: only 1 role but multiple projects19:15
lhchengstevemar: the initial patch from thai doesn't work on multiple projects19:15
stevemarlhcheng, oh?19:16
lhchengstevemar: should be fixed with the merged patch19:16
stevemarlhcheng, when was it merged?19:16
stevemarlhcheng, the one we reviewed right?19:16
lhchengstevemar: yes19:16
lhchengstevemar: april 1st19:17
stevemarhmm weird19:18
stevemarstill having trouble with multi projects19:18
stevemarmaybe it's just me19:18
lhchengstevemar: are you testing from master?19:19
lhchengstevemar: ah, I think I know what's the problem19:19
lhchengstevemar: did you change the session backend for horizon?19:20
lhchengstevemar: try this:
stevemarlhcheng, i am testing from master19:25
stevemarand no, i didn't touch that setting, should i?19:25
lhchengstevemar: for keystone v3, the size of the catalog is larger.  the default session backend of horizon can't handle it.19:26
stevemarso what do i do about that?19:27
stevemaroh if there are 2 projects in the catalog it'll crap out?19:27
lhchengstevemar: for dev setup, update the with
lhchengstevemar: it could even crap out with just 1 project, if the deployment have  a lot  of services configured (bigger catalog)19:29
*** dguerri is now known as _dguerri19:32
marekdmorganfainberg: i knew sooner or later somebody would try to implement part of OpenStack in Go! I should have said that earlier on Twitter to have some proof (maybe i will find some IRC logs  as i am sure i said it here!)19:33
morganfainbergmarekd: haha19:33
*** wolsen has quit IRC19:33
*** d0ugal has quit IRC19:33
*** grantbow has joined #openstack-keystone19:33
*** wolsen_ has joined #openstack-keystone19:33
*** grantbow has quit IRC19:33
*** grantbow has joined #openstack-keystone19:33
dstanekmarekd: i'm just wondering what happens when Google abandons Go like it does with everything else19:33
*** trey has quit IRC19:33
*** navid__ has quit IRC19:33
morganfainberglhcheng: stevemar: we need to figure out how to handle the SC in horizon19:33
morganfainbergstevemar: stevemar: I think we can probably be a lot smarter about it.19:33
*** cburgess_ has quit IRC19:34
morganfainberglhcheng: ^19:34
*** navid__ has joined #openstack-keystone19:34
*** cburgess has joined #openstack-keystone19:34
*** d0ugal has joined #openstack-keystone19:34
lhchengmorganfainberg: I put a topic in the etherpad to discuss the token mgmt and SC in horizon19:34
lhchengmorganfainberg: not sure though if that should go into a working session19:34
morganfainbergok so i'm going to put together a proposal for summit sessions19:34
*** trey has joined #openstack-keystone19:35
marekddstanek: i think this has enough or might get enough momentum to be picked by the 'community' and later some companies with $$$19:35
lhchengor discuss it on Friday19:35
morganfainbergwill bug people to review shortly19:35
morganfainbergbefore i push to cheddar ( proxy thing)19:35
marekddstanek: who stands behind Python? who pays for that?19:35
marekddstanek: or a Go Foundation will be created :-)19:35
openstackgerritJamie Lennox proposed openstack/keystoneauth: Reorganize exceptions
openstackgerritJamie Lennox proposed openstack/keystoneauth: Rename _discover module
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove cli functions from utils
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove region_name from catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove the AccessInfo Factory
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove management_url from AccessInfo
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove auth_url property from AccessInfo
openstackgerritJamie Lennox proposed openstack/keystoneauth: Don't save version into the dictionary
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove the factory from service catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove region_name from service catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Cannot retrieve a token from service catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make ServiceCatalog take an actual catalog
openstackgerritJamie Lennox proposed openstack/keystoneauth: AccessInfo is not a dict
marekd^^^ whoa19:38
marekdmorganfainberg: dstanek: wow, surprisingly the ML thread has very positive feedback.19:40
marekdi was expecting something opposite.19:40
dstaneki haven't read the thread, but now i'm curious19:42
*** afaranha has joined #openstack-keystone19:49
lhchengmorganfainberg: from the list of things we want to do for Liberty:
lhchengmorganfainberg: how do I figure out which don't have anyone working on it yet?19:53
morganfainberglhcheng: I am [now that I'm home] going to send out our priority list19:53
morganfainbergthat we discussed in the Meeting.19:53
morganfainbergor well maybe i'll just update that etherpad with the definitive list.19:53
* morganfainberg shrugs.19:54
lhchengmorganfainberg: okay, I might be able to help out on a couple. I can take whichever work that doesn't have an owner yet.19:54
morganfainberglhcheng: great19:55
*** e0ne has quit IRC20:01
ayoung-afkstevemar, I'm back20:06
*** ayoung-afk is now known as ayoung20:06
stevemarayoung, wonderful, but i wasn't pinging you hehe20:07
stevemarmaybe it was samueldmq ?20:07
*** gordc has quit IRC20:10
ayoungstevemar, samueldmq vhat is deeeeference?20:13
*** gordc has joined #openstack-keystone20:18
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Deprecate auth_token authentication
*** harlowja has joined #openstack-keystone20:20
*** jdennis has joined #openstack-keystone20:21
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient
ayoungbknudson, we still chasing that?  I thought it was in long ago20:26
bknudsonayoung: it was blocked for a long time on keystoneclient release and global-requirements update.20:27
ayoungbknudson, it can go in now?20:27
bknudsonayoung: yes, global-requirements was updated with the version of keystoneclient that has the new apis that were needed.20:28
ayoungbknudson, excellent.  lets get that in.  THanks for caring20:28
bknudsonI think it should make things a lot cleaner.20:28
*** emagana has quit IRC20:30
*** alexsyip has quit IRC20:33
*** _dguerri is now known as dguerri20:36
*** alexsyip has joined #openstack-keystone20:37
*** harlowja has quit IRC20:45
*** harlowja has joined #openstack-keystone20:45
*** htruta has quit IRC20:46
*** raildo has quit IRC20:46
*** edmondsw has quit IRC20:52
*** pnavarro has quit IRC20:59
marekdBTW seen that: ?21:04
*** josecastroleon has joined #openstack-keystone21:04
*** jdennis has quit IRC21:07
*** harlowja has quit IRC21:07
*** josecastroleon has quit IRC21:07
stevemarnkinder, marekd ayoung talk me off the ledge here...21:08
stevemarhow can i have two idps for single sign on that are both openid connect?21:08
stevemarif i create two idp entries - and they have distinct remote-ids...21:09
stevemar2 different protocols work21:09
stevemarbut not 2 idps with same protocol?21:09
ayoungstevemar, today you cannot.  I raised that in the websso work and it was too late for Kilo21:10
stevemarwell, work for liberty21:10
stevemari don't even know how i want to approach taht21:10
marekdstevemar: DS?21:12
marekdstevemar: Discovery Service21:12
stevemarmarekd, right, that magical thing21:13
openstackgerritBrant Knudson proposed openstack/keystone-specs: Deprecations
bknudson^ is simply proposing to use debtcollector for deprecations in keystoneclient.21:13
bknudsonI thought we'd use regular python warnings but debtcollector provides some more functionality, and it's oslo so might as well support it.21:14
ayoungstevemar, so, I don't think we want to enumerate by protocol21:14
ayoungpeople know who they are supposed to talk to21:14
ayoungso we enumerate by IdP21:14
ayoungif one IdP wants to support multiple protocols...they show up as two entries21:15
ayoungon the horizon side, we make each entry a 3pl21:15
stevemarayoung, i thought we were against enumerating idps, for $security_reason21:15
ayoung"String to show user"  , "idp_id", "protocol"21:15
ayoungstevemar, we need both21:15
marekdayoung: why would an IdP (with one url) even need to support more than one protocol ?21:16
ayoungBut if we enumerate "anything" an attacker gets that info21:16
ayoungmarekd, I don't know21:16
ayoungmarekd, maybe they are transitioning21:16
ayoungmarekd, the short of it is we need both pieces of info21:16
ayoungidp_id and protocol21:17
ayoungthe user visible string is attached to that tuple21:17
marekdstevemar: before kilo, i made a poc setup of a DS21:18
marekdprovided by a shib21:18
marekdstevemar: i am more than sure i was posting you the links, also pasting them in some reviews.21:18
*** joesavak has joined #openstack-keystone21:19
marekdayoung: nkinder ^^21:20
ayoungmarekd, stevemar so I would think that Horizon would show the public list of IdPs, and for anything that people want to keep private, you would run a dedicated Horizon on a suburl or something21:21
*** iurygregory has quit IRC21:22
stevemari suppose we can chat about this at the summit21:22
*** jsavak has quit IRC21:22
ayoungSince there is going to be a redirect, and the redirect is going to have the public URL of the IdP id, you can't enumerate without advertising "Hey,  here is my client list"21:22
marekdstevemar: we can.21:23
marekdstevemar: so far you can try configuring distinct URLs so they 'serve' distinct oidc idps21:24
marekdidp/steve/protocols/oidc/auth will redirect to Steve's IdP, while /idp/marek/protocols/oidc/auth to mine.21:25
marekdit's a matter of apache/mod configuration.21:25
stevemarmarekd, but horizon/doa will always point to os-federation/websso21:26
marekdstevemar: ah, right, forgot that.21:26
marekdanyway, i suspect shib DS could also work for OIDC21:27
marekdi saw the source code and it wasn't complicated.21:27
marekdmostly html21:27
marekdso it wasn't even 'code'21:27
stevemarmarekd, yeah, it wouldn't work right now -- federated_sso_auth is expecting an env. var that identifies the idp (remote_id)21:29
stevemarby that time it's already been configured21:29
*** jdennis has joined #openstack-keystone21:29
marekdstevemar:  hum ? federated_sso_auth is keystone, right?21:30
stevemarmarekd, yeah21:30
stevemarhorizon will always point to /v3/auth/OS-FEDERATION/websso/{protocol}21:31
marekdi know that.21:31
nkinderthe protocol is just a name, so you *could* do something hacky like make it oidc1, oidc2, right?21:31
stevemarwhich can only be protected by one mod entry:
stevemarnkinder, hmm21:31
stevemarmaybe maybe21:32
nkinderlike I said, hacky...21:32
nkinderbut protocol is just used as a string IIRC21:32
*** iamjarvo has quit IRC21:32
stevemarsomething to try :D21:32
marekdstevemar: hold on, you are worried that mod_oidc will let you configure only one trusted IdP ?21:32
nkindergotta drop to drive home... bbiab21:32
*** nkinder has quit IRC21:32
stevemarmarekd, no no, i know it can configure many21:33
stevemarmarekd, meh, know what, let me hack around with this for a bit21:33
stevemaras nkinder just said, i also have to go21:34
stevemarmarekd, o/21:34
marekdme too21:35
*** alexsyip has quit IRC21:38
*** emagana has joined #openstack-keystone21:39
*** stevemar has quit IRC21:39
*** alexsyip has joined #openstack-keystone21:50
*** jdennis has quit IRC21:52
*** jdennis has joined #openstack-keystone21:55
*** jsavak has joined #openstack-keystone21:55
openstackgerritBrant Knudson proposed openstack/keystone: Remove setUp for RevokeTests
*** Rockyg has joined #openstack-keystone21:58
*** lhcheng has quit IRC21:58
*** joesavak has quit IRC21:58
*** emagana has quit IRC21:59
*** bknudson has quit IRC22:01
*** jdennis has quit IRC22:03
*** dims has joined #openstack-keystone22:04
*** dims_ has quit IRC22:05
*** lhcheng has joined #openstack-keystone22:05
*** ChanServ sets mode: +v lhcheng22:05
*** arunkant_ has quit IRC22:11
*** jsavak has quit IRC22:11
*** gyee has joined #openstack-keystone22:13
*** ChanServ sets mode: +v gyee22:13
*** jamielennox|away is now known as jamielennox22:16
*** iamjarvo has joined #openstack-keystone22:19
*** richm has quit IRC22:23
*** jdennis has joined #openstack-keystone22:26
*** sigmavirus24 is now known as sigmavirus24_awa22:27
*** packet has quit IRC22:30
*** topol has joined #openstack-keystone22:34
*** ChanServ sets mode: +v topol22:34
*** chlong has joined #openstack-keystone22:36
*** emagana has joined #openstack-keystone22:36
*** richm has joined #openstack-keystone22:40
*** emagana has quit IRC22:42
*** jdennis has quit IRC22:45
*** nkinder has joined #openstack-keystone22:46
*** emagana has joined #openstack-keystone22:46
lhchenggyee: is this issue similar to what you hit before?
openstackLaunchpad bug 1450344 in Keystone "Invalid SQL Identity Assertion - Load Config from Database" [Undecided,New]22:49
lhchenggyee: I recall you reported a bug related to loading config from SQL.22:50
lhchenggyee: nm, found the bug you reported, not the same.22:58
*** gordc has quit IRC22:58
gyeelhcheng, no, mine was related to keystone-manage not being initialized properly22:58
gyee1450344 is interesting, looks like there's a change of functionality22:59
lhchenggyee: yeah, this seems critical23:00
lhchenghaven't got the chance to reproduce it yet23:00
gyeedomain-specific driver for the non-default domain can't be sql versus only one domain-specific driver can be sql23:01
gyeeI don't think we ever make that point clear23:01
lhchenggyee: non-default domain can't be on non-sql identity backend?23:03
lhchengwhy not?23:03
gyeelooks like a backward incompatible change23:04
gyee"Although Keystone supports multiple LDAP backends via domain specific configuration files, it currently only supports one SQL backend. This could be either the default driver or a single domain-specific backend, perhaps for storing service users in a predominantly LDAP installation."23:05
morganfainberggyee: that has been the case since inception of per-domain backends23:05
morganfainberggyee: you cannot have more than one SQL driver23:05
gyeeyeah, you're right23:05
gyeewe probably didn't enforce it correctly in Juno23:06
morganfainbergwe had a bug in the enforcement logic23:06
morganfainbergbut it would cause weird errors23:06
morganfainbergif you managed to do it23:06
morganfainbergi also love that we don't get people testing this stuff via RC window.23:07
gyeeso do we have a tough-shit-wont-fix status for the bug? :)23:07
*** iamjarvo has quit IRC23:07
morganfainbergi'm responding to the bug now23:08
lhchenggyee: that note is confusing..  So the SQL backend can be used only for default domain?23:09
gyeelhcheng, yes, as a former ESL student that's my interpretation :)23:10
*** darrenc is now known as darrenc_afk23:11
gyeemorganfainberg, any part of Keystone can be reimplemented in Go?23:16
lhchenggyee: in our unit tests, the Default is configured with SQL and the non-default with LDAP :P23:16
lhchenggyee: sorry, I meant the other way around23:17
lhcheng Default is configured with LDAP and the non-default with SQL :P23:17
gyeelhcheng, so even our unit tests confirmed that23:18
lhchengmorganfainberg: so this should be the other way around?23:18
gyeeI thought there's a blog out there that uses this technique: use LDAP as default and SQL as non-default23:19
gyeethough I can't seem to find it at the moment23:19
morganfainberglhcheng: so wait what?23:23
morganfainberglhcheng: we can support a single SQL driver.23:24
morganfainberglhcheng: the correct configuration is the default driver is SQL, a specific domain is overridden with LDAP23:24
lhchengmorganfainberg: confirming if the unit tests is wrong: Default is configured with LDAP and the non-default with SQL23:25
*** _cjones_ has quit IRC23:25
*** _cjones_ has joined #openstack-keystone23:26
morganfainberglhcheng: we have a test allowing that right?23:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Merge tag '2015.1.0'
morganfainberglhcheng: we previously supported a single SQL driver. Either a per-domain config *or* as the default, but not default driver *and* per-domain23:26
lhchengmorganfainberg: in the config above, the Default is configured with LDAP23:27
morganfainbergthat should work fine23:27
*** rm_work is now known as rm_work|away23:27
morganfainbergas long as the main keystone.conf [identity]/driver=LDAP23:27
*** rm_work|away is now known as rm_work23:27
morganfainbergand the per-domain [domain1] is SQL23:27
morganfainbergif [domain1] is SQL and main conf is also SQL, boom23:28
morganfainbergno go23:28
*** rm_work is now known as rm_work|away23:29
lhchengmorganfainberg: ah okay, it is clearer now.  I got confused with the term "default driver", not really sure what it is referring to.23:29
lhchengmorganfainberg: that makes sense23:30
morganfainbergyeah the main driver is configured in keystone.conf23:30
morganfainbergyou then can supply a config for a specific domain23:30
morganfainbergno matter how it is configured, you can have 1 and only 1 driver be the SQL driver.23:30
morganfainbergit is recommended that the SQL driver be the one specified in the keystone.conf23:30
morganfainbergvs. a per-domain specific one23:30
morganfainbergbecause then you can have multiple domains w/o needing a specific driver for them23:31
morganfainbergand only override the domains you want to source from a non-specific backend23:31
*** darrenc_afk is now known as darrenc23:36
lhchengmorganfainberg: sounds like a best practice worth documenting :) maybe something that could go into the publications idea you mentioned in the previous meeting23:37
*** emagana has quit IRC23:38
gyeemorganfainberg, lhcheng, so there's a difference between "default driver" versus "default domain driver"?23:40
gyeeI think that's the confusing part23:40
lhchenggyee: heh I mis-interpreted that part.  But when morganfainberg mentioned that default driver refers to keystone.conf [identity]/driver=LDAP , everything makes sense.23:41
*** emagana has joined #openstack-keystone23:41
*** jdennis has joined #openstack-keystone23:46
*** ncoghlan has joined #openstack-keystone23:51
openstackgerritJamie Lennox proposed openstack/keystoneauth: Base Documentation changes

Generated by 2.14.0 by Marius Gedminas - find it at!