Tuesday, 2015-05-26

00:12 *** _cjones_ has quit IRC
00:15 *** chlong has joined #openstack-keystone
00:38 *** mestery has joined #openstack-keystone
00:41 *** mestery has quit IRC
00:43 *** mestery has joined #openstack-keystone
00:44 *** tobe has joined #openstack-keystone
00:47 <breton> where is that?
01:00 *** marzif has quit IRC
01:12 *** dimsum__ has joined #openstack-keystone
01:15 *** dimsum__ has quit IRC
01:15 *** dimsum__ has joined #openstack-keystone
01:16 *** tellesnobrega has quit IRC
01:21 *** ericksonsantos has quit IRC
01:29 *** tellesnobrega has joined #openstack-keystone
01:31 *** ericksonsantos has joined #openstack-keystone
01:37 *** dimsum__ has quit IRC
01:40 <jamielennox> breton: the webob stuff?
01:40 <morganfainberg> breton: great meeting you at the summit!
01:41 *** dguerri`away has quit IRC
01:43 *** dimsum__ has joined #openstack-keystone
01:45 *** dguerri`away has joined #openstack-keystone
01:45 *** dguerri`away is now known as dguerri
01:54 <bigjools> anyone around at the moment who knows how to get SAML ECP working with the CLI? I seem to keep missing the right people :(
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling  https://review.openstack.org/180385
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/174202
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/174201
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Base use webob  https://review.openstack.org/174200
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building  https://review.openstack.org/174199
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation  https://review.openstack.org/174198
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking  https://review.openstack.org/174197
02:00 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache  https://review.openstack.org/174196
02:01 <jamielennox> bigjools: what are you trying to do
02:02 <bigjools> jamielennox: just get it working against testshib
02:03 <bigjools> have websso working
02:03 *** ayoung has joined #openstack-keystone
02:03 *** ChanServ sets mode: +v ayoung
02:04 *** zzzeek has quit IRC
02:04 <ayoung> jamielennox, you made it home safe and sound, I take it?
02:05 <jamielennox> bigjools: i mean more what are you stuck with
02:05 <jamielennox> and what cli
02:05 <jamielennox> because each has special quirks
02:05 <bigjools> ok
02:05 <jamielennox> ayoung: all good
02:06 <jamielennox> ayoung: i gave stevemar your jumper as you didn't seem that worried about it and i didn't have your card to charge it to
02:06 <bigjools> using openstackclient. It sends a GET to the keystone v3 protected URL and the Shibboleth plugin redirects to the SSO endpoint rather than ECP
02:06 <ayoung> jamielennox  thanks, that is a good solution
02:06 <ayoung> bigjools, jamielennox maybe we need to treat ECP as a separate protocol from SAML WebSSO?
02:07 <breton> jamielennox: yep, that one
02:07 <ayoung> Or, for each protocol, we need to distinguish between what to do between CLI and WebSSO paths, more likely
02:07 <breton> morganfainberg: you too!
02:08 <jamielennox> breton: https://github.com/Pylons/webob/issues/201
02:08 <breton> summit completely broke my inner clock
02:08 <morganfainberg> jamielennox: bigjools: I need to get a chance to see what the current websso (SAML) state of affairs is.
02:08 <bigjools> it is adding the paos header but perhaps testshib metadata or the local shibd isn't configured right
02:08 <breton> 05:08 < breton> summit
02:09 <jamielennox> i can't help with shib at all
02:09 <jamielennox> but afaik iff shib is working the existing federation plugins will call it correctly
02:10 <bigjools> right, websso is all good
02:10 <morganfainberg> bigjools: jamielennox: specifically what the rough edges are / pitfalls (if any are more than the ones we found during the keynote ramp up)
02:10 <bigjools> but there's a different binding for ecp, and I'm all out of ideas for that
02:10 <bigjools> morganfainberg: some docs would be nice :)
02:10 <morganfainberg> bigjools: that's part of it :)
02:10 <jamielennox> bigjools: so it's set up and you're trying to figure out how to make OSC use it for auth
02:10 <jamielennox> ?
02:11 <morganfainberg> ayoung: ^ *cough*
02:11 <bigjools> morganfainberg: also the CLI gives no indication of what opts to pass, I had to look in the code
02:11 <morganfainberg> bigjools: we need to make the docs a real thug this cycle.
02:11 <morganfainberg> I agree.
02:11 <morganfainberg> Thing*
02:11 <morganfainberg> Silly autocorrect.
02:11 <bigjools> jamielennox: right - at least I think it's all set up, I don't know if anything else is needed for ECP
02:12 <jamielennox> bigjools: yea, the way OSC does auth options is annoying
02:12 <jamielennox> i've tried to fix that
02:12 <bigjools> I'm happy to dive in and do some doc fixes once I understand how some more of these things work
02:13 <jamielennox> somewhere i had a python function to show what you want
02:13 <ayoung> jamielennox, so  I had a thought on Keystone agent
02:13 <ayoung> and I can't really take credit or blame for it
02:13 <jamielennox> https://gist.github.com/jamielennox/7f5cfabd64a6922e643c#file-list-plugins-py
02:14 <bigjools> all the examples I've seen talk directly to an ECP endpoint, but the v3unscopedsaml auth plugin does a GET to the /v3/OS-FEDERATION/identity_providers/{identity_providers}/... first
02:14 <morganfainberg> jamielennox: btw had a nice chat w/ sdague. Seems like you worked out the things with him that was needed.
02:14 <morganfainberg> Post conference.
02:14 <jamielennox> bigjools: you don't want the unscoped one
02:14 <ayoung> https://twitter.com/admiyoung/status/602531670793781250   lead to the response:  systemd
02:15 <ayoung> so, what if we made systemd responsible for handling Keystone events for the local system and cache?
02:15 <bigjools> jamielennox: ah! which one then?
02:15 <jamielennox> bigjools: good question, looking
02:15 <bigjools> ayoung: systemd is going to read email soon...
02:16 <ayoung> bigjools, email is just an async notification.   Why not.
02:16 <bigjools> :)
02:17 <ayoung> bigjools, seriously, email is a reliable, scalable protocol.  It lacks authentication, which means you need to do that out of band.  But I've often thought about building systems based on email notifications.  However, for the moment, I would like to figure out how to get systemd to respond to Keystone notifications via rabbitmq and oslo messaging
02:18 <breton> It'd be great to get a list of functionality that needs docs
02:18 <ayoung> then, if people don't want to run systemd, they can run their own daemon/agent like jamielennox originally suggested
02:18 <breton> I'd participate too
02:18 <jamielennox> ayoung: so it's not systemd
02:19 <jamielennox> though part of my reasoning for using domain sockets is that you can do systemd socket activation
02:19 <ayoung> jamielennox, I would argue that, for a systemd based install, it makes as much sense as any other option.  It should not *have* to be systemd
02:19 <jamielennox> which makes it really easy to deploy one agent/machine
02:19 <ayoung> right...and the socket could also be dbus
02:19 *** lhcheng has quit IRC
02:19 <jamielennox> i thought dbus would be a harder sell - no particular reason why
02:19 <ayoung> we are already headed that way for mo_lookup_identity and for certmonger
02:20 <breton> I heard dbus is terribly slow
02:20 *** samueldmq has quit IRC
02:20 <ayoung> jamielennox, so we write a tool that should be able to work with systemd, and dbus, but does not require them.  Provide options based on how people want to deploy
02:21 <ayoung> breton, I suspect that there are anecdotes on that either way
02:21 <jamielennox> ayoung: right
02:21 <bigjools> morganfainberg: fwiw, a really nice fix would be to make OSC respond with an error about what cli opt is missing instead of a stacktrace :/
02:21 <jamielennox> i don't know if there is an advantage for systemd
02:21 <jamielennox> ahh dbus
02:21 <jamielennox> because the protocol will be easy
02:21 <ayoung> Heh
02:22 <jamielennox> why can i not find this federation plugin
02:23 <jamielennox> i rewrote large chunks of it and it doesn't look like i remember
02:23 <ayoung> jamielennox, anyway, I am going to drive on with getting an example of python code actually responding to Keystone events, and we can work together on the actual design for the agent based on that.
02:24 <jamielennox> ayoung: i think message bus events is a separate process/daemon/whatever to notifications that auth_token consumes
02:24 <ayoung> jamielennox, probably.  Right now, I would be happy with just being able to read them first
02:24 <jamielennox> bigjools: i have a feeling that we are mid way through a refactor of the plugin i am thinking of
02:25 <bigjools> jamielennox: keystoneclient/contrib/auth/v3/saml2.py ?
02:25 <jamielennox> bigjools: it should work it's just old
02:26 <bigjools> there's v3scopedsaml too but I'm just figuring out what opts it wants
02:26 <jamielennox> and you'd have to ask marekd how he uses it i think
02:28 <bigjools> yeah, he said he'd talk to me about it
02:29 <bigjools> oh weird, the v3scopedsaml path takes it into v2_0 territory
02:30 *** _cjones_ has joined #openstack-keystone
02:30 <jamielennox> so from memory the scoped parts in there are just because you have to provide a token created with SAML to a different URL than normal
02:30 <jamielennox> so i think the scoped saml plugins actually take an existing token
02:30 <jamielennox> there's a base class i did in ksc that handles scoping for you, and i thought we had the plugin based on that
02:31 <jamielennox> at least in the ksc-saml2 repo, but it doesn't appear to be there either
02:31 <morganfainberg> ayoung: unrelated to federation, https://www.percona.com/live/mysql-conference-2013/sessions/extensible-data-modeling-mysql <-- this is leading into how we kill extra attrs in a clean way
02:31 *** tobe has quit IRC
02:32 <ayoung> Class Table Inheritance and Serialized BLOB I know.  Let me see about the third
02:32 <morganfainberg> ayoung: yah
02:32 <morganfainberg> i just was reading it, figured i'd toss the link in
02:32 <morganfainberg> hadn't gotten through all the slides yet
02:33 <ayoung> morganfainberg, ah, that is a way to mitigate BLOBs
02:33 <ayoung> "Create a new table for each field of the LOB that you want to address individually: "
02:33 <morganfainberg> ah
02:33 <ayoung> feh.  not having any of it.
02:33 <morganfainberg> yeah
02:33 <morganfainberg> we already have serialized blob
02:33 <morganfainberg> *ick*
02:34 <morganfainberg> EAV is closer to what we probably want.
02:34 <morganfainberg> but still far from optimal
02:34 <ayoung> morganfainberg, I think the short of it is that if some other service needs per user data, they are responsible for their own "user table"
02:34 <ayoung> and we should excise everything from Keystone but what we are contractually required to support
02:34 <morganfainberg> ayoung: this is related to your concept of DNSSEC lookup
02:35 <ayoung> you mean for domain name?
02:35 <morganfainberg> ayoung: and a way we can make extra definitions clear not "oh i shoved things into the table"
02:35 <ayoung> or is that just how you got interested in it?
02:35 <ayoung> if we do the DNSSEC thing, we do it right.  Haven't thought through it deeply enough yet.
02:35 <morganfainberg> ayoung: looking for a proper generic way to solve your need for that and to move away from extra data being just a "whatever else we stick in there"
02:36 <ayoung> I think that if we do DNSSEC on the domain level, it has to be a core part of the contract, and not just a "neat feature" type thing
02:36 <morganfainberg> ayoung: a way to define a business-logic-use-case specific field w/o needing to be "top level" in the table
02:36 <ayoung> It does  mean that the information is public, and that might be the deal breaker
02:36 <morganfainberg> ayoung: i disagree. not everyone wants that. it should use a formalized way of extending the schema in a sane way w/o alters
02:37 <morganfainberg> ayoung: it also solves arvind's case and gives us a story for how extra attrs are validated vs. just "oops i added something else in here"
02:37 <ayoung> I thought we were not doing extensions anymore?
02:37 <ayoung> maybe...but that slide show doesn't give us anything new, just enumerates the pros-and-cons of what we've already evaluated
02:37 <morganfainberg> ayoung: this isn't extension. this is how we make extra attrs a validated part of the entity w/o taking away the feature that a lot of people/deployers use
02:38 <ayoung> mayyyyyybe.
02:38 <morganfainberg> ayoung: this was just a slide deck i saw that highlighted a couple interesting takes
02:38 <morganfainberg> ayoung: i ran across it somehow from looking into existing standards for federating all the things
02:38 <morganfainberg> not just identity
02:38 <ayoung> ++
02:39 <morganfainberg> i think we could EAV it tbh.
02:39 <morganfainberg> but i am looking to see if we have more options - and i'm going to get back to federated-stuff-not-identity soon
02:40 <morganfainberg> FSNI "fiz-ni"?
02:41 *** tobe has joined #openstack-keystone
02:45 *** dimsum__ has quit IRC
02:46 *** dimsum__ has joined #openstack-keystone
02:50 <morganfainberg> ayoung: so looking at this, inverted index plus maybe a requirement to define each attr (for jsonschema fun) might do what we're looking for re: making extra less sucky.
02:51 <jamielennox> morganfainberg: i haven't read everything above but yuk - just kill extra
02:51 <morganfainberg> jamielennox: we *cant*.
02:51 <ayoung> morganfainberg, not something that keeps me up nights.  I think extra is strange, but...one of the many things I inherited.  Would not continue the pattern myself
02:51 *** dimsum__ has quit IRC
02:51 <morganfainberg> jamielennox: it's used.
02:51 <jamielennox> morganfainberg: i know, but i'd prefer to put us on the path to removing it than to add extra stuff that will help it live longer
02:52 <morganfainberg> ayoung: it bothers me a lot that we have essentially non-validated things going into the DB.
02:52 <ayoung> morganfainberg, much more interested in solving the "auto provisioning and cleanup"  issues that Tim Bell was concerned about
02:52 <morganfainberg> ayoung: especially things that people use/want to lookup against. which leads to very very very icky "load everything and examine the blob" patterns
02:53 <ayoung> morganfainberg, we sell chainsaws. We don't encourage people to juggle
02:54 <morganfainberg> ayoung: mostly i am looking for a clean/easy way to ensure we don't end up with accidental things in the extra fields (it's happened before). maybe just the defined attr/value-type so we can reject requests that dont conform is enough.
02:55 <morganfainberg> ayoung: anyway, time to keep looking at existing ways to federate other stuff. now.
02:55 * morganfainberg goes back to trying to refine google-fu for odd rfcs.
02:55 <ayoung> morganfainberg, what if we said "extra in the user table etc is going away" and instead  forced people to use a second table to actually model their data correctly.
02:56 <morganfainberg> ayoung: that's moving towards EAV but it was some stuff that crossed my mind a while back.
02:56 <morganfainberg> ayoung: something to mull over i guess.
02:56 <ayoung> morganfainberg  deal.  Mull away.
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling  https://review.openstack.org/180385
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/174202
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/174201
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Base use webob  https://review.openstack.org/174200
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building  https://review.openstack.org/174199
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation  https://review.openstack.org/174198
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking  https://review.openstack.org/174197
02:57 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache  https://review.openstack.org/174196
02:57 *** _cjones_ has quit IRC
03:00 <morganfainberg> ayoung: i think we need to re-think how we reference a given resource in openstack to achieve anything-federated
03:00 <morganfainberg> ayoung: moving to a full link reference model is looking like the correct approach, not the uuid.
03:01 <ayoung> morganfainberg, Heh...you just catching up to that now?
03:01 <ayoung> with you 100%
03:01 <morganfainberg> ayoung: no. re-asserting it based on previous conversations
03:01 * morganfainberg is formulating the argument to make in a x-project spec
03:01 <ayoung> morganfainberg, ok,  next step beyond that...I know where the thing is...now how do I get a token for it?
03:02 <morganfainberg> ayoung: can we make trusts an oauth-thing and use that as a x-cloud authorization?
03:03 <ayoung> morganfainberg, so,  yes,   trusts and oauth get unified  first off
03:03 <morganfainberg> ayoung: yes.
03:03 <morganfainberg> ayoung: if trusts *are* oauth
03:03 <ayoung> and we go to a resource and get a "you need to give me this priv" response to get at it
03:03 <morganfainberg> we could inter-deployment them
03:03 <ayoung> yep
03:04 <morganfainberg> and for the non-exposed cloud, we say "sorry you need to copy things" e.g. (my cloud is behind a firewall, and i can't get at the resource from the remote cloud)
03:05 <ayoung> or redirect to a proxy
03:05 <ayoung> but, yes
03:05 * morganfainberg is thinking how to model this in Keystone [since we still would need to house the oauth info, i don't want nova to try and hold onto it, and glance, etc]
03:05 <morganfainberg> or at least keystone<->barbican/something similar
03:05 <ayoung> morganfainberg, we need to push to the remote services some of the oauth capabilities, but we might be able to do that behind ATM
03:06 <ayoung> so long as we can query policy to get the answer
03:06 <morganfainberg> ayoung: sure. I'm actually thinking we go a step further. ATM gets smart enough to handle the oauth directly for *specific* resources.
03:06 <ayoung> it can be a fake policy call:  We don't admit to having the object, but if we did ...here is what you would need to look at it
03:07 <morganfainberg> let ATM round-trip to keystone behind the scenes to validate, but the Oauth is less RBAC and more resource-specific
03:07 <morganfainberg> or do we need it to be RBAC tied?
03:08 <morganfainberg> ayoung: and sure on the fake-y policy thing
03:08 <ayoung> rbac is what defines the response
03:08 <ayoung> it is what tells the user what they need to request in the token to delegate
03:08 <ayoung> "you need a token with Role R on project P"
03:08 <morganfainberg> oh wait derp, resource + role, oauth is the combination authorization that ATM can validate with
03:09 <ayoung> with P maybe being something that the user needs to figure out themselves as we don't admit to having the resource in the first place
03:09 <morganfainberg> aure
03:09 <morganfainberg> sure*
03:09 <ayoung> so...something else to build on dynamic policy
03:12 <ayoung> morganfainberg, one last thing before I turn in....on the autoprovisioning, we should state something like this:
03:13 <ayoung> "Autoprovisioning is a multi project problem, and will not be solved by keystone alone.  Instead, the range of solutions should be covered by the big tent...."
03:13 *** notmyname has joined #openstack-keystone
03:13 <ayoung> I think the right answer is "Ceilometer listens to events and kicks off workflows, but does not define them
03:14 <ayoung> Mistral defines workflows, but does not listen to events
03:14 <morganfainberg> not sure if ceilometer is up for that as of yet
03:14 <ayoung> the big tent approach is to use those two, although either can be replaced
03:14 <morganfainberg> we should corner gordc and see what ceilo can do.
03:15 <ayoung> morganfainberg  see this:
03:15 <morganfainberg> it may simply not be there.
03:15 <morganfainberg> but it could be an excuse for it to get the ability to do so
03:15 <ayoung> https://twitter.com/admiyoung/status/602531670793781250
03:16 <ayoung> Julian's response....
03:16 <ayoung> and Yuriy's
03:17 <ayoung> I suspect both projects would be better off if they agreed to work together on this, and clearly delineated responsibility
03:17 <ayoung> mistral already has a scheduler for the cron type things
03:19 <ayoung> and...bed.
03:19 *** ayoung is now known as ayoung_ZZZZzzzz_
03:22 *** darrenc is now known as darrenc_afk
03:34 *** tobe has quit IRC
03:47 *** tobe has joined #openstack-keystone
03:58 <openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/183377
04:00 <openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Remove old request method  https://review.openstack.org/185492
04:27 *** links has joined #openstack-keystone
04:38 *** ncoghlan has joined #openstack-keystone
04:42 *** darrenc_afk is now known as darrenc
04:52 *** User17 has joined #openstack-keystone
04:56 *** tobe has quit IRC
05:01 *** lhcheng has joined #openstack-keystone
05:01 *** ChanServ sets mode: +v lhcheng
05:04 <openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/183377
05:13 *** tobe has joined #openstack-keystone
05:14 *** rdo has quit IRC
05:14 <openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Remove oslo serialization dependency  https://review.openstack.org/185497
05:15 *** rdo has joined #openstack-keystone
05:18 *** blewis` has joined #openstack-keystone
05:21 *** blewis has quit IRC
05:26 *** kiran-r has joined #openstack-keystone
05:33 *** kiran-r has quit IRC
05:34 <User17> hi all, Installed glance from git source in ubuntu machine by following the steps in http://docs.openstack.org/developer/glance/installing.html.  Edited two files glance-registry.conf and glance-api.conf to include keystone authentication and image path etc.. and I started the server. but when I try to sync the db using glance-manage db sync, It ended with an import error “ImportError: No module named wsme.rest”
05:35 *** kiran-r has joined #openstack-keystone
05:35 <User17> pls guide
05:36 *** dimsum__ has joined #openstack-keystone
05:37 *** mabrams has joined #openstack-keystone
05:41 *** lhcheng has quit IRC
05:41 *** dimsum__ has quit IRC
05:43 *** krykowski has joined #openstack-keystone
05:45 *** lhcheng has joined #openstack-keystone
05:45 *** ChanServ sets mode: +v lhcheng
05:46 *** lhcheng has quit IRC
05:46 *** e0ne has joined #openstack-keystone
05:46 *** lhcheng has joined #openstack-keystone
05:46 *** ChanServ sets mode: +v lhcheng
05:53 *** kiran-r has quit IRC
05:53 *** e0ne has quit IRC
06:04 *** tobe has quit IRC
06:07 *** lhcheng has quit IRC
06:10 *** mflobo has joined #openstack-keystone
06:19 *** rdo has quit IRC
06:21 *** rdo has joined #openstack-keystone
06:23 *** tobe has joined #openstack-keystone
06:28 *** ncoghlan has quit IRC
06:30 *** chlong has quit IRC
06:33 *** jaosorior has joined #openstack-keystone
06:45 <openstackgerrit> liusheng proposed openstack/keystone: Remove the deprecated ec2 token middleware  https://review.openstack.org/185509
06:50 *** kiran-r has joined #openstack-keystone
06:54 <jamielennox> User17: this is the keystone channel, try #openstack-glance for glance problems
07:05 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins  https://review.openstack.org/141267
07:05 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Fix auth required message translation  https://review.openstack.org/185513
07:14 *** lufix has joined #openstack-keystone
07:25 *** krykowski has quit IRC
07:39 *** jistr has joined #openstack-keystone
07:39 *** e0ne has joined #openstack-keystone
07:40 *** e0ne is now known as e0ne_
07:49 *** belmoreira has joined #openstack-keystone
07:49 *** e0ne_ is now known as e0ne
07:55 *** pnavarro has joined #openstack-keystone
08:10 *** tobe has quit IRC
08:15 *** bdossant has joined #openstack-keystone
08:27 *** davechen has joined #openstack-keystone
08:30 *** davechen1 has joined #openstack-keystone
08:33 *** davechen has quit IRC
08:35 *** davechen has joined #openstack-keystone
08:35 *** fhubik has joined #openstack-keystone
08:36 *** davechen1 has quit IRC
08:39 *** kiran-r has quit IRC
08:39 *** kiran-r has joined #openstack-keystone
08:39 *** davechen has left #openstack-keystone
08:40 *** davechen has joined #openstack-keystone
08:42 *** e0ne is now known as e0ne_
08:43 *** e0ne_ is now known as e0ne
08:56 *** turul has joined #openstack-keystone
08:56 *** turul is now known as afazekas
09:08 *** aix has joined #openstack-keystone
09:12 <openstackgerrit> Dave Chen proposed openstack/keystone: Remove the deprecated external authentication methods  https://review.openstack.org/185541
09:17 *** fhubik is now known as fhubik_afk
09:17 *** fhubik_afk is now known as fhubik
09:20 *** rdo has quit IRC
09:22 *** rdo has joined #openstack-keystone
09:49 *** fhubik is now known as fhubik_afk
09:51 *** davechen has left #openstack-keystone
10:08 *** e0ne is now known as e0ne_
10:13 <User17> how to install the dependency packages for keystone is in requirements.txt
10:16 *** fhubik_afk is now known as fhubik
10:19 *** e0ne_ has quit IRC
10:21 *** afazekas_ has joined #openstack-keystone
10:28 *** e0ne has joined #openstack-keystone
10:35 *** samueldmq has joined #openstack-keystone
10:35 <samueldmq> morning
10:39 *** e0ne is now known as e0ne_
10:39 *** marzif has joined #openstack-keystone
10:49 *** e0ne_ has quit IRC
10:49 *** boris-42 has joined #openstack-keystone
11:00 *** henrynash has joined #openstack-keystone
11:00 *** ChanServ sets mode: +v henrynash
11:04 <samueldmq> henrynash, hey o/
11:04 *** lufix has quit IRC
11:05 <samueldmq> henrynash, missed you at the summit :)
11:10 *** lufix has joined #openstack-keystone
11:14 *** aix has quit IRC
11:15 *** kiranr has joined #openstack-keystone
11:15 <henrynash> samueldmq: hi…I missed you all as well!
11:15 *** aix has joined #openstack-keystone
11:16 *** kiran-r has quit IRC
11:19 *** kiranr is now known as kiran-r
11:24 <samueldmq> henrynash, I hope everything has gone well with you moving home last week
11:24 <samueldmq> henrynash, and now I am happy because we have a lot of interesting things to work on for L :)
11:24 <henrynash> samueldmq: yes, now in new pad….have the essentials (light, heat, wifi)
11:24 <samueldmq> henrynash, great
11:25 <henrynash> samueldmq: yes, L should be good!
11:26 <samueldmq> henrynash, btw .. what is that repo where common code lives before the graduation process ?
11:28 <henrynash> samueldmq: the backlog specs?
11:29 <samueldmq> henrynash, no .. for example, oslo.policy code was in such repo before being oslo.policy
11:29 <henrynash> oh, you mean the incubator?
11:29 <samueldmq> henrynash, yeah
11:30 <henrynash> actually, I’m not sure if it was a single repo for incubation….or they just were in random places
11:32 <samueldmq> henrynash, yeah I think oslo-incubator is the place I am looking for
11:32 <samueldmq> henrynash, that has the code synchronized with https://github.com/openstack/keystone/tree/master/keystone/openstack/common
11:32 <samueldmq> henrynash, thanks :)
11:32 <samueldmq> henrynash, I still feel very young in the openstack ecosystem :/
11:33 *** jistr is now known as jistr|class
11:42 <samueldmq> I am working now on having oslo.policy adopted on other services
11:43 <samueldmq> does anyone know if this requires a cross-project spec ? for adoption ?
11:43 *** ctina__ has joined #openstack-keystone
11:44 *** fhubik is now known as fhubik_afk
12:00 *** e0ne has joined #openstack-keystone
12:07 *** henrynash has quit IRC
12:10 *** dguerri is now known as dguerri`away
12:11 <zigo> morganfainberg: Could you review this? https://review.openstack.org/#/c/185187/3
12:11 <zigo> It's a bit annoying for me at the distribution level, I'd love to get this out of the way.... :)
12:16 *** ekarlso has quit IRC
12:16 *** ekarlso has joined #openstack-keystone
12:17 *** fhubik_afk is now known as fhubik
12:31 *** gordc has joined #openstack-keystone
12:31 *** htruta has joined #openstack-keystone
12:43 *** henrynash has joined #openstack-keystone
12:43 *** ChanServ sets mode: +v henrynash
12:46 *** blewis` has quit IRC
12:48 *** sigmavirus24_awa is now known as sigmavirus24
12:49 *** dimsum__ has joined #openstack-keystone
12:49 *** bknudson has joined #openstack-keystone
12:49 *** ChanServ sets mode: +v bknudson
12:50 *** dguerri`away is now known as dguerri
12:56 *** dimsum__ is now known as dims
13:00 *** jistr|class is now known as jistr
13:02 *** sigmavirus24 is now known as sigmavirus24_awa
13:02 *** sigmavirus24_awa is now known as sigmavirus24
*** e0ne is now known as e0ne_13:10
*** rushiagr_away is now known as rushiagr13:13
*** stevemar has joined #openstack-keystone13:14
*** ChanServ sets mode: +v stevemar13:14
*** e0ne_ has quit IRC13:21
*** mabrams1 has joined #openstack-keystone13:23
*** e0ne has joined #openstack-keystone13:26
*** links has quit IRC13:29
*** Ephur has joined #openstack-keystone13:35
*** blewis has joined #openstack-keystone13:39
*** Ephur has quit IRC13:40
*** dims has quit IRC13:45
*** kiran-r has quit IRC13:49
*** blewis has quit IRC13:50
*** ayoung has joined #openstack-keystone13:52
*** ChanServ sets mode: +v ayoung13:52
*** blewis has joined #openstack-keystone13:53
*** zzzeek has joined #openstack-keystone13:55
*** edmondsw has joined #openstack-keystone13:55
*** blewis` has joined #openstack-keystone13:57
*** blewis has quit IRC13:58
*** radez_g0n3 is now known as radez14:01
*** bdossant_ has joined #openstack-keystone14:01
*** ayoung has quit IRC14:02
*** bdossant has quit IRC14:04
*** bdossant_ has quit IRC14:08
*** mattfarina has joined #openstack-keystone14:10
*** bdossant has joined #openstack-keystone14:15
*** gokrokve has joined #openstack-keystone14:15
*** bdossant has quit IRC14:15
*** bdossant has joined #openstack-keystone14:16
*** ayoung has joined #openstack-keystone14:18
*** ChanServ sets mode: +v ayoung14:18
*** rushiagr is now known as rushiagr_away14:19
*** bdossant_ has joined #openstack-keystone14:22
*** bdossant_ has quit IRC14:22
*** bdossant_ has joined #openstack-keystone14:22
*** bdossant has quit IRC14:23
*** Bjoern__ has joined #openstack-keystone14:24
*** timcline has joined #openstack-keystone14:26
*** dims has joined #openstack-keystone14:35
openstackgerritDavid Stanek proposed openstack/keystone: Removes deprecated revoke KVS backend  https://review.openstack.org/18562714:40
*** emagana has joined #openstack-keystone14:41
*** e0ne is now known as e0ne_14:41
*** e0ne_ has quit IRC14:41
*** dguerri is now known as dguerri`away14:44
stevemarayoung, this is what i learned from the policy talk: you hate bug 96869614:45
openstackbug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)14:45
*** Ephur has joined #openstack-keystone14:49
dstaneki now dream of 968696, 968696, 968696 ...14:52
*** bdossant has joined #openstack-keystone14:52
*** bdossant_ has quit IRC14:56
*** e0ne has joined #openstack-keystone14:58
*** mabrams has quit IRC15:00
*** ayoung has quit IRC15:01
*** hemnafk is now known as hemna15:01
*** ayoung has joined #openstack-keystone15:08
*** ChanServ sets mode: +v ayoung15:08
*** kiran-r has joined #openstack-keystone15:09
*** mattfarina has quit IRC15:13
*** fhubik is now known as fhubik_afk15:14
*** alejandrito has joined #openstack-keystone15:14
*** mabrams1 has quit IRC15:28
*** lhcheng has joined #openstack-keystone15:32
*** ChanServ sets mode: +v lhcheng15:32
*** mattfarina has joined #openstack-keystone15:33
*** markvoelker has joined #openstack-keystone15:34
*** henrynash has quit IRC15:35
*** mattfarina has quit IRC15:36
*** mattfarina has joined #openstack-keystone15:37
*** lhcheng has quit IRC15:37
*** fhubik_afk is now known as fhubik15:38
*** jistr has quit IRC15:40
*** gyee has joined #openstack-keystone15:42
*** ChanServ sets mode: +v gyee15:42
*** e0ne is now known as e0ne_15:43
*** kiran-r has quit IRC15:44
*** kiranr has joined #openstack-keystone15:44
*** kiranr is now known as kiran-r15:45
*** nkinder has joined #openstack-keystone15:46
*** e0ne_ is now known as e0ne15:46
*** winggundamth has joined #openstack-keystone15:48
*** henrynash has joined #openstack-keystone15:49
*** ChanServ sets mode: +v henrynash15:49
winggundamthhi all. I'm having a problem with keystone auth with s3. I did as here http://docs.openstack.org/kilo/config-reference/content/configuring-openstack-object-storage-with-s3_api.html15:49
winggundamthafter I created access and secret and tried to list with s3cmd, it showed a 403 forbidden error. When I check the log on keystone, it shows "could not find token" every time15:50
winggundamthI'm not sure that I have to config anything on keystone? I think those doc refer to swauth but not keystoneauth15:51
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable retrieval of default values of domain config options  https://review.openstack.org/18565015:51
*** afazekas_ has quit IRC15:54
*** iamjarvo has joined #openstack-keystone15:58
bknudsonhenrynash: missed you at the summit15:58
*** belmoreira has quit IRC15:59
henrynashbknudson: ths….yep, really missed being there….15:59
*** g2` has quit IRC15:59
*** rwsu has joined #openstack-keystone16:02
*** Bjoern__ is now known as BjoernT16:02
*** e0ne is now known as e0ne_16:04
*** fhubik has quit IRC16:04
*** e0ne_ is now known as e0ne16:06
*** henrynash has quit IRC16:07
*** g2` has joined #openstack-keystone16:08
*** henrynash has joined #openstack-keystone16:08
*** ChanServ sets mode: +v henrynash16:08
*** ctina__ has quit IRC16:12
dstanekwinggundamth: did you get your issue figured out?16:19
winggundamthnot yet16:20
stevemarhenrynash, the whole summit is online on youtube and twitter anyway :P16:21
*** ayoung has quit IRC16:22
dstanekwinggundamth: i've never done what you are trying to do. are you using the s3_token middleware?16:22
*** lhcheng has joined #openstack-keystone16:22
*** ChanServ sets mode: +v lhcheng16:22
winggundamthdstanek: yes16:23
winggundamthI installed it with apt-get install swift-plugin-s3 because swift-python-s3 not found16:23
dstanekwinggundamth: no, i mean the keystone middleware?16:25
winggundamthdstanek: I'm not sure what do you mean16:25
*** _cjones_ has joined #openstack-keystone16:26
*** bdossant has quit IRC16:27
lbragstadhey all, quick question on the summit. Not sure if I missed this session or if it was rolled into a different time, but did we want to discuss the state of the upstream database migrations and the possibility of moving to something like what Nova is doing (http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/online-schema-changes.html) ?16:27
winggundamthdstanek: I didn't config anything on keystone that related to s3.16:28
*** miguelgrinberg has joined #openstack-keystone16:28
*** _cjones_ has quit IRC16:28
*** _cjones_ has joined #openstack-keystone16:29
*** henrynash has quit IRC16:29
dstanekwinggundamth: i can't find any docs right now using Google, but i think there is middleware needed for this to work in keystone. also did you setup the credentials you are using in keystone?16:30
winggundamthdstanek: yes. swift command working fine with it16:31
*** henrynash has joined #openstack-keystone16:31
*** ChanServ sets mode: +v henrynash16:31
gyeewinggundamth, when using s3, make sure you have delay_auth_decision set to False for auth_token middleware16:33
winggundamthlet me check it16:33
dstanekgyee: this is also needed http://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.html#module-keystonemiddleware.s3_token right?16:34
gyeeyes16:34
*** ayoung has joined #openstack-keystone16:35
*** ChanServ sets mode: +v ayoung16:35
morganfainberglbragstad: it is on the radar, but not really slated for a specific release.16:35
morganfainberglbragstad: I think the stable interfaces would be a better move (personally) before we try and move to versioned objects.16:36
lbragstadmorganfainberg: do you think that it something we can hash out in a meeting?16:36
morganfainbergSure. But it is not a small task to do fwiw.16:36
morganfainbergJust keep that in mind.16:37
lbragstadmorganfainberg: yeah, that's kinda why I wanted to visit about it16:37
morganfainbergI think it took nova at least 2 full cycles to do it.16:37
lbragstadok16:37
morganfainbergAnd my concern is it will cause an entire cycle of rebase hell. Also we have to support ldap16:38
lbragstadmorganfainberg: but this would just be for the sql upgrade schemas16:38
morganfainberglbragstad: we want to have the same object coming out of all backends, right?16:38
morganfainberglbragstad: object-type. It doesn't work if sql gives us thing x And ldap something totally different. So we'd be translating anyway.16:40
lbragstadmorganfainberg: I was in a discussion with dstanek about this before the summit and the idea driving it was that it would be nice to make our sql migrations easier for operators to run without incurring downtime.16:40
*** alanf-mc has joined #openstack-keystone16:41
morganfainberglbragstad: zero downtime upgrades are a nice idea. I am worried it will be awful to do until we have some other debt cleaned up.16:42
morganfainberglbragstad: merging the extension migrations into the main repo, etc16:43
lbragstadmorganfainberg: ok16:43
morganfainbergAnd I'd like to see stable driver interfaces so we can version the interface and have a clear expected object - not "welp, now you need to pass another object type back"16:43
morganfainbergBut that second part is personal view.16:44
lbragstadmakes sense16:44
*** e0ne has quit IRC16:45
samueldmqwhat's the advantage of versioned objects ? do you have any link to resources (I saw you said nova uses that)16:46
samueldmqmorganfainberg, lbragstad ^16:46
morganfainbergI'm not opposed to it. I just want to make sure we are careful to not make zero downtime schema upgrades consume all time instead of smoothing up the ux on very important things deployers are using.16:46
dstanekmorganfainberg: versioned objects sound heavy handed16:50
*** henrynash has quit IRC16:52
samueldmqayoung, ping - do we need a cross-project spec (should be a really simple one) to make services adopt oslo.policy ?16:53
*** gokrokve has quit IRC16:53
samueldmqmorganfainberg, cc ^16:54
dstaneksamueldmq: are some projects not using it?16:54
morganfainbergdstanek: most are not using the library.16:54
samueldmqdstanek, afaik only keystone was using it (just discovered today glance is)16:55
samueldmqmorganfainberg, yes16:55
dstanekso they're all still using the old incubated module? ouch16:56
ayoungsamueldmq, not sure...we can probably just execute, but a spec might be worthwhile.  Or just a bug.16:56
samueldmqdstanek, yeah16:56
ayoungI think a bug and indicating which project it affects is the right level, as it will be a means to deploy a fix if a serious issuer comes up.16:57
ayoungissue16:57
samueldmqayoung, conceptually it would not be a bug, but something nice to have, then a blueprint .. but I think a bug fits well with our lp workflows ..16:58
samueldmqayoung, does anyone want to express an opinion on this ?   ^16:59
samueldmqmorganfainberg, dstanek cc ^16:59
dstaneksamueldmq: i think a bug is probably fine - i wouldn't ask for a spec/bp it this was a request of keystone17:00
morganfainbergdstanek: ++17:02
samueldmqdstanek, morganfainberg nice .. thanks17:02
morganfainbergdstanek: Oslo.policy didn't land for g-r in kilo iirc.17:02
morganfainbergstevemar: slide deck.17:04
morganfainbergstevemar: let me17:04
*** kiran-r has quit IRC17:04
morganfainbergKnow when you have  time.17:04
*** arunkant has joined #openstack-keystone17:06
*** harlowja has joined #openstack-keystone17:07
*** blewis` has quit IRC17:08
stevemarmorganfainberg, any time, we have the same conflict at 2pm :P17:08
stevemar(keystone meeting)17:08
*** blewis has joined #openstack-keystone17:08
dstanekstevemar: cancelled!17:08
stevemardstanek, oh yay17:09
stevemarmorganfainberg, any time then17:10
*** blewis has quit IRC17:13
*** browne has joined #openstack-keystone17:15
*** arunkant has quit IRC17:15
*** arunkant has joined #openstack-keystone17:18
*** jsavak has joined #openstack-keystone17:19
samueldmqayoung, bug #145894517:23
openstackbug 1458945 in OpenStack Compute (nova) "Use graduated oslo.policy instead of oslo-incubator code" [Undecided,New] https://launchpad.net/bugs/145894517:23
samueldmqayoung, nova, heat, cinder and neutron (since glance is already using it)17:23
ayoungsamueldmq, good.  Swift?17:24
ayoungI think they can use policy, so if they are doing anything, it should be the library version, too17:24
samueldmqayoung, I think swift is the one that does not even use rbac17:24
*** arunkant is now known as arunkant_17:25
ayoungsamueldmq, look into the *aaS ones as well.  Don't feel the need to drive on with all of them yourself, but get them tagged on the bug.  Let the projects remove if it is not relevant....17:25
david8huya, last i checked swift was not using policy.17:25
*** ctina__ has joined #openstack-keystone17:25
samueldmqdavid8hu, ++17:25
*** arunkant_ is now known as arunkant17:26
ayoungincluded them on the bug anyway17:26
samueldmqayoung, hmm, yeah makes sense .. I had assigned myself to the keystone one (I removed it later ... since keystone already supports it)17:26
samueldmqayoung, so all of them are now as assigned .. ok I will include swift as well17:26
samueldmqayoung, and the others **aaS, sir17:27
*** arunkant has quit IRC17:27
ayoungrock on, compatriota17:29
*** arunkant has joined #openstack-keystone17:29
*** arunkant has quit IRC17:29
*** arunkant has joined #openstack-keystone17:29
samueldmqayoung, o/17:30
ayoungsamueldmq, aside from that, which specs are you planning on attacking?17:30
samueldmqayoung, ceilometer is weird ... they have a policy.json, but do not include the policy.py from oslo-incubator17:30
*** winggundamth has quit IRC17:30
*** spandhe has joined #openstack-keystone17:30
ayoungsamueldmq, tag them on the bug anyway17:30
samueldmqayoung, I am not sure yet, do you need me on anything specific ?17:31
ayoungwe'll get it straightened out17:31
samueldmqayoung, ++17:31
ayoungsamueldmq, the tasks are designed to be incremental, so the earlier in the task list the better17:31
ayounglet's see...17:31
ayoungyou were updating the global spec....let me make sure I have that tracked17:31
stevemarmorganfainberg, please tell me i have 8 days to make a slide deck and not 117:32
samueldmqayoung, yeah I am .. we have a review from david tough .. I need to update that I think17:32
ayoungsamueldmq, but I assume you want to write code, too17:32
ayoungsince you are on the oslo side, do you want to work on "fetch policy from keystone?"17:33
ayoungWe need to front load the API changes.17:33
morganfainbergstevemar: hehe 1 for a draft. And no meeting today.17:33
morganfainbergThis is why I was pinging you.17:33
morganfainberg28th should be fine for the draft btw. So 2 days.17:34
stevemarmorganfainberg, umm, do you have *anything* i can re-use? partially or otherwise17:34
morganfainbergstevemar: let me setup at the coffee shop and we can start. I have some material.17:34
stevemarmorganfainberg, alright17:35
samueldmqayoung, yeah I do want to write code as well .. I will be discussing with my manager today and I ping you later about "fetch policy from keystone?"17:35
stevemari will be busy with submitting travel requests17:35
ayoungsamueldmq, so the API changes we need are for hierarchical roles and for default policy (I think)17:35
morganfainbergstevemar: I did a chunk of that last night.17:35
samueldmqayoung, but ... what can we do by now in that front ? make the keystone policy api more granular ? implement support on ksclient ?17:35
ayoungalthough Default is not an API change, just a server side change17:35
samueldmqayoung, yeah .. I agree let's have hierarchical roles/domain-roles agreed with henrynash and then get it done17:36
samueldmqand others as well ... :)17:36
*** lhcheng_ has joined #openstack-keystone17:37
ayoungsamueldmq, why don't you take the fetch?  That needs to be done before anything else can work, aside from the "single policy file"17:38
ayoungthe thing about the fetch is it needs to be a plugin.17:38
ayoungand it needs to be enabled/disabled from the conf file that auth_token middleware reads17:38
ayounghmmm...let me take that one, and you can review17:38
samueldmqayoung, what's the fetch ? is it the implementation on ksmiddleware (using ksclinet ) ?17:39
ayoungyou also started on unified policy...17:39
ayounggah...too much17:39
*** lhcheng has quit IRC17:39
samueldmqayoung, to fetch and then cache it ?17:39
ayoungsamueldmq, sort of...17:39
ayoungsamueldmq, here is how it needs to work, as best I can tell17:39
samueldmqayoung, yeah .. I need to have a very clear vision on it17:40
ayoungwe need to leave the default as it is now: read from a flat file17:40
samueldmqayoung, please go ahead .. I am listening17:40
ayoungif, however, the auth_token middleware gets a value from the conf file, we swap the "fetcher" to code that calls into keystoneclient to fetch the policy file and stick it into a file in the filesystem17:40
ayoungthis should (for now) look like the file used for storing the certificates for PKI tokens17:41
ayoungso we need a way to define a class that oslo loads to fetch the file.  I think this is a stevedore entry point17:41
ayoungwe don't want a hard dependency from oslo.policy to keystoneclient17:42
*** HenryG has quit IRC17:42
ayoungwe do entrypoint type stuff in the keystoneclient to load the auth plugins.  So the config file should say "policy fetcher entrypoint"17:42
samueldmqayoung, k, so the first step is to have ksmiddleware updating the file that will be read and used for enforcement at the service level (still there)17:43
ayoungand the default would be "static-fetcher" or something17:43
ayoungsamueldmq, I think the "directory" but yes17:43
samueldmqayoung, great, I still need to get familiar to ksmiddleware code to make such change, but ok, I got it17:44
ayoungsamueldmq, I would start with a proof of concept that dynamically loads an entrypoint from code in keystonemiddleware (the fetcher) into oslo policy17:44
samueldmqayoung, that would be great17:44
ayoungdon't actually try to fetch anything, just make sure you can swap it out via config file options17:45
samueldmqayoung, meanwhile, I will start making services use the oslo.policy17:45
ayounglet me see if I can point you at an example17:45
samueldmqayoung, and keep updating the overview spec17:45
*** HenryG has joined #openstack-keystone17:46
ayoungsamueldmq, I think the overview spec would be less confusing if you indicate on each of the paragraphs which of the subordinate specs are referenced.  "see below spec for default policy"17:46
*** blewis has joined #openstack-keystone17:46
ayoungso we don't have more people like David coming in and getting confused by the "overview" aspect of this spec17:47
ayoungI'm less concerned with getting the overview approved than the individual specs themselves, though17:47
ayoungsamueldmq, in this spec, I showed how to load drivers from stevedore:  https://review.openstack.org/#/c/115463/7/openstack_auth/utils.py,cm17:48
ayoungso we would need a good namespace17:48
ayoungsomething like oslo.policy.fetcher17:49
ayoungand then the config option would give the last link in the chain:17:49
samueldmqayoung, hmm.. looking17:49
samueldmqayoung, regarding the spec, I agree, I will change that as well17:49
ayoungfetcher = fetcher_manager.driver(CONF.policy_fetcher)17:50
morganfainbergstevemar: ok at the coffee shop17:50
morganfainbergstevemar: going to spin up a google docs slide deck17:50
ayoungand I don't love the word fetcher, I am just using it too much17:50
ayoungmorganfainberg, LATEX!17:50
morganfainbergstevemar: unless you already have one17:50
morganfainbergayoung: terrible for collaboration17:50
ayoung:)17:50
ayounggithub!17:50
morganfainbergayoung: also not really good for collaboration17:50
ayoungGerrit!17:50
ayoungmorganfainberg, what are you presenting on?17:51
ayoungmorganfainberg, I'll lurk at 2PM and tell people there is no Keystone meeting this week17:51
*** cloudm2 has joined #openstack-keystone17:52
stevemarmorganfainberg, i don't have anything setup yet on gdocs17:52
morganfainbergayoung: http://paste.openstack.org/show/238226/17:54
ayoungmorganfainberg, talk to nkinder , as he has a slew of slides for just that17:55
*** BjoernT has left #openstack-keystone17:57
morganfainbergstevemar: empty gdoc created17:57
morganfainbergand shared.17:57
stevemar\o/17:58
samueldmqayoung, bug #145894518:00
openstackbug 1458945 in Trove "Use graduated oslo.policy instead of oslo-incubator code" [Undecided,New] https://launchpad.net/bugs/145894518:00
lhcheng_ayoung: can you add me to trello for dynamic-policy: os.lcheng@gmail.com18:00
samueldmqayoung, I added almost every *aaS, except for tripleo I guess, and oslo, documentation, etc18:00
ayoungmorganfainberg, stevemar please make sure you mention that Kerberos/SSSD also works with Federation and WebSSO18:00
ayoungsamueldmq, sounds good18:00
ayounglhcheng_, doing so now...18:01
samueldmqayoung, there are some projects that are not affected by that bug18:01
*** HenryG has quit IRC18:01
samueldmqayoung, let people come and say hey, this does not affect me18:01
stevemarayoung, mention it where?18:01
samueldmqayoung, so we can keep track of everything18:01
ayoungstevemar, when you talk about the various forms of Federation18:01
*** HenryG has joined #openstack-keystone18:01
stevemarayoung, mokay dokay18:02
*** jaosorior has quit IRC18:02
ayoungstevemar, I assume you will have a slide that talks about Federation, and pulling in remote  IdPs.  I would add a line like:18:02
ayoungFederation can be used to integrate Keystone with existing Kerberos deployments backed with LDAP  via SSSD18:03
stevemarfor the cloud identity summit?18:03
ayoungyes18:03
ayoungstevemar, and X50918:03
stevemarayoung, ah okay18:03
ayoungjust make sure they understand that SAML is not the only thing we addressed, just the one getting the most press18:04
stevemari am literally at creating a title page, and have no idea what i will talk about :P18:04
stevemargotcha18:04
ayoungbetter than propagating the lie that I had the slightest clue about what I was doing when I did the LDAP support18:04
*** harlowja_ has joined #openstack-keystone18:06
*** harlowja has quit IRC18:06
david8huayoung, samueldmq, for the dynamic policy overview spec, a paragraph that summarizes what it is trying to achieve would be helpful for reviewers.  Something that ties everything together.18:07
ayoungdavid8hu, yeah.  I thought I had that, but it seems to have been lost in the rewrites...let me see what I put on the blog...18:08
*** dguerri`away is now known as dguerri18:08
ayoung96869618:08
david8huayoung, ATM card password?18:09
ayoungMy luggage18:09
*** alanf-mc has quit IRC18:09
ayoungdavid8hu, "Establish an iterative process solve the long-standing bug that a user with admin on any scope has admin on all scoped."18:09
ayoungOK, that is part of it...let's see if I can do better18:10
david8huayoung, By having unified policy or db backend for policy does not solve that :)18:11
lhcheng_ayoung: got the invite, thanks!18:11
david8huayoung, a better default policy will do.18:11
ayoungdavid8hu, both are necessary steps,  but not sufficient18:11
david8huayoung, I agreed.18:11
*** blewis has quit IRC18:11
*** alanf-mc has joined #openstack-keystone18:12
ayoungOK...so, yeah, bug 968696 is just the impetus18:12
openstackbug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)18:12
ayoungBlucher!18:12
*** haneef has joined #openstack-keystone18:13
ayoungsamueldmq, can you bug the other members of team Brazil to sign up for specific tasks?18:13
ayoungOK,  so one goal:  build a mechanism to allow a deployment to customize the access control policy for their organization.18:14
ayoungalso:18:14
ayoungreduce the risk of token compromise by minimizing the access provided by individual tokens18:16
david8huayoung, yes, I think dynamic policy does provide the mechanism.  Operators need a better policy than what is currently the default.  Else, things will remain pretty much the same from the user perspective unless there is a better policy.18:19
ayoungdavid8hu, ideally, we would be able to even provide this as a service to applications running in the cloud as well as the Undercloud management18:21
david8huayoung, We do not want to break operators who do enjoy the current super admin does it all policy.  Perhaps, a sample functional policy file that separates all service admins.18:23
*** pnavarro has quit IRC18:25
*** gokrokve has joined #openstack-keystone18:25
*** aix has quit IRC18:25
*** alanf-mc has quit IRC18:28
*** alanf-mc has joined #openstack-keystone18:31
*** erhudy has joined #openstack-keystone18:34
gsilvisayoung: bug NINE SIX EIGHT SIX NINE SIX18:34
ayounggsilvis, would that work as the time signature for a song?18:35
gsilvisayoung: I don't think that's how time signatures work18:35
gsilvisayoung: if you just want a measure subdivided that way, then, sure, why not18:35
ayoungThat is not what Dave Brubeck taught us18:36
ayoungdavid8hu, that is what the "unified policy" spec is supposed to provide18:37
*** gyee has quit IRC18:37
ayounga good default that at least would provide a static alternative to 968696ness18:37
*** alejandrito has quit IRC18:38
*** vilobhmm1 has joined #openstack-keystone18:39
*** csoukup has joined #openstack-keystone18:40
*** iamjarvo has quit IRC18:40
*** vilobhmm1 has quit IRC18:42
morganfainbergbknudson: going to do a ksc release (liberty) today18:46
bknudsonmorganfainberg: this is the last 1.x release?18:47
morganfainbergbknudson: that is the idea18:47
bknudsonlet's pile on the cleanups for 2.018:47
david8huayoung, brings all the policy files together18:48
morganfainbergbknudson: 2.0 milestone is already there and ready for targeting18:48
morganfainbergbknudson: and yes, CLI removal (cc dolphm) is planned for that18:48
david8huayoung, into 1 file18:48
*** vilobhmm has joined #openstack-keystone18:50
*** e0ne has joined #openstack-keystone18:53
dolphmmorganfainberg: do i need to propose a patch?18:53
morganfainbergdolphm: you said you wanted the honor of it ;)18:54
dolphmmorganfainberg: i mean, like ASAP?18:54
bknudsonwe should look at anything else that's deprecated18:55
bknudsonunfortunately there's a lot of things that weren't deprecated correctly18:55
dolphmbknudson: right... i can't think of anything else off the top of my head that could be gracefully removed18:55
morganfainbergdolphm: no not ASAP18:56
*** sigmavirus24 is now known as sigmavirus24_awa18:56
morganfainbergbut sooner vs. later (please post it *after* 1.4.x ships/tags)18:56
morganfainbergdolphm: jamielennox also wants to make 2.0.0 consume KSA18:56
bknudsonwe're going to need a branch so that we can backport fixes to the 1.x branch18:57
bknudsonbut we've already got stable/kilo, so not sure what you call it18:57
morganfainbergbknudson: 2.x will be part of liberty18:58
morganfainbergbknudson: stable/kilo precedes 1.4.x18:58
morganfainbergbknudson: the 1.4 release is mostly to tie up before we do mass deprecation for sanity reasons.18:59
morganfainbergthe way i see it18:59
ayoungamakarov_away, let me know if I misunderstood your patch on https://review.openstack.org/#/c/141854/23  fully willing to accept if I am wrong18:59
bknudsonit might be 1.5 ? didn't we update requirements?18:59
bknudsonI think this is going to be 1.5.019:00
morganfainbergbknudson: oh 1.5, sure i thought 1.4 was next19:01
* morganfainberg will need to 2x check19:01
morganfainbergi'll do that before tagging19:01
*** _cjones_ has quit IRC19:01
bknudsonI wonder why we cap pbr? pbr>=0.11,<2.019:02
bknudsonrequirements were updated: http://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=9f630bc178915f27df5dec7e570ef11fe4aee94819:02
ayoungI wonder if we can kneecap PBR19:03
*** _cjones_ has joined #openstack-keystone19:14
*** iamjarvo has joined #openstack-keystone19:15
*** henrynash has joined #openstack-keystone19:16
*** ChanServ sets mode: +v henrynash19:16
*** HT_sergio has joined #openstack-keystone19:23
HT_sergioHey all! I've been having an issue where restarting keystone and memcache causes other services (nova, glance, etc) to fail on all user requests. Apparently the services were caching their tokens, so their attempts to verify the user's token were being rejected19:27
HT_sergioDebugging this was really difficult until I made a little change to keystone. Instead of logging "RBAC: invalid token" I made it include the reason (ie. not found in token store) which made the issue far more obvious19:28
HT_sergiodo you think this is something I should open a bug for, or otherwise contribute a patch ?19:28
HT_sergiolooking in launchpad doesn't show any related issue19:29
HT_sergio*any similar issue19:29
*** lufix_ has joined #openstack-keystone19:32
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Remove the entire CLI  https://review.openstack.org/18571619:43
*** e0ne has quit IRC19:55
*** e0ne has joined #openstack-keystone20:00
*** alanf-mc has quit IRC20:01
*** alanf-mc_ has joined #openstack-keystone20:02
gsilvisrodrigods, jamielennox: Do you want to talk about https://review.openstack.org/#/c/172155/ at some point?  We talked about it a bit at the summit on Friday, but we didn't write much down20:03
*** radez is now known as radez_g0n320:04
*** ayoung has quit IRC20:05
*** ctina__ has quit IRC20:05
*** timcline has quit IRC20:08
bknudsonwe need a keystoneclient functional test that doesn't use the cli20:08
rodrigodsgsilvis, I think we came to a final design (look jamielennox's comment)20:08
rodrigodsgsilvis, the paste one20:08
jamielennoxbknudson: i think there is 120:08
bknudsongood. I was worried we'd have no functional tests left.20:09
rodrigodsping morganfainberg and dolphm: are you in favor of backporting this patch chain? https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/kilo+topic:bug/1442787,n,z20:10
*** iamjarvo has quit IRC20:11
gsilvisrodrigods: ah, I didn't look at the paste there20:11
gsilvisrodrigods: that plan looks good to me20:11
rodrigodsgsilvis, great20:12
*** iamjarvo has joined #openstack-keystone20:12
*** samueldmq has quit IRC20:15
*** ayoung has joined #openstack-keystone20:18
*** ChanServ sets mode: +v ayoung20:18
*** sigmavirus24_awa is now known as sigmavirus2420:18
*** sbasam has joined #openstack-keystone20:20
*** pnavarro has joined #openstack-keystone20:25
*** radez_g0n3 is now known as radez20:26
*** timcline has joined #openstack-keystone20:26
*** ayoung has quit IRC20:27
*** gyee has joined #openstack-keystone20:28
*** ChanServ sets mode: +v gyee20:28
david8huayoung,  can you please add me to the dynamic policy group?  Maybe I missed the invite?20:30
*** setmason has joined #openstack-keystone20:32
setmasonIs there a way to have keystone return a unique swift endpoint (Public URL) per Project/tenant?20:32
*** samueldmq has joined #openstack-keystone20:33
bknudsonsetmason: the service catalog allows you to put $(tenant_id)s which gets replaced with the token's project... you can see http://git.openstack.org/cgit/openstack/keystone/tree/etc/default_catalog.templates for an example20:35
morganfainbergstevemar: back20:38
morganfainbergstevemar: from lunch20:38
*** alanf-mc has joined #openstack-keystone20:39
*** alanf-mc_ has quit IRC20:39
*** alanf-mc has quit IRC20:41
*** alanf-mc has joined #openstack-keystone20:42
*** ayoung has joined #openstack-keystone20:42
*** ChanServ sets mode: +v ayoung20:42
morganfainbergayoung: having a chat with thingee, i think we're going to run into bigger issues with the MOC model.20:44
morganfainbergayoung: i'll catch you later this week for a bit more in depth..20:44
morganfainbergayoung: but it's not going to be "just a token"20:44
gsilvismorganfainberg: can I drop in on that conversation too?20:45
gyeemorganfainberg, do I understand correctly that only security bugs can be backported?20:45
morganfainberggsilvis: sure.20:45
morganfainberggyee: uhm. for which thing?20:45
gyeemorganfainberg, bug 139834720:46
openstackbug 1398347 in Keystone "LDAP backend should do filtered query instead of getting all data and then filtering" [Wishlist,Fix released] https://launchpad.net/bugs/1398347 - Assigned to Henry Nash (henry-nash)20:46
gyeeldap performance20:46
morganfainberggyee: depending on the impact / size of the backport, this could be considered a significant UX improvement and worth backporting20:47
gyeemorganfainberg, definitely a UX improvement, especially if we have lots of users in LDAP20:47
morganfainberggyee: but it's going to really depend on the scope of the change.20:47
bknudsonfor kilo you can backport pretty much anything.20:47
morganfainbergbknudson: ++20:47
gyeekilo to juno20:47
bknudsongyee: https://wiki.openstack.org/wiki/Releases -- Juno is Security-only20:48
gyeeyikes20:48
morganfainbergbknudson: oh hadn't realized.20:49
bknudsonstable support team might be more willing to support longer if companies would step up with support.20:49
morganfainbergnow i have heard we can do more than security on those... but it reaaaaaaaaaaally needs to be justified20:49
bknudsonmore like the release team.20:49
gyeesecurity and performance should be easier to justify, I hope20:50
samueldmqgyee, ++20:50
bknudsonI think performance would be hard to justify.20:50
bknudsoneveryone just forks openstack stable anyways20:51
gyeehah20:51
*** henrynash has quit IRC20:51
morganfainberggyee: solution: ping the stable maintainers (hint: dolphm and bknudson are the first line of defense for keystone)20:51
gyeebknudson, dolphm, what do you guys think?20:52
bknudsongyee: it's not security-related, so I think no backport.20:52
*** HT_sergio has quit IRC20:53
gyeeah fork it :)20:53
morganfainberggyee: spork it!20:53
morganfainbergbecause sporks are weird20:53
gyeedah!20:53
*** iamjarvo has quit IRC20:54
stevemarmorganfainberg, also backish20:55
morganfainbergstevemar: but x-project meeting about to start20:57
morganfainberg:(20:57
*** gokrokve has quit IRC21:01
*** gokrokve has joined #openstack-keystone21:02
*** HenryG has quit IRC21:04
*** jsavak has quit IRC21:05
*** HenryG has joined #openstack-keystone21:07
*** lhcheng_ is now known as lhcheng21:10
*** ChanServ sets mode: +v lhcheng21:10
*** lufix_ has quit IRC21:15
*** mattfarina has quit IRC21:15
*** ayoung has quit IRC21:17
*** ayoung has joined #openstack-keystone21:19
*** ChanServ sets mode: +v ayoung21:19
*** iamjarvo has joined #openstack-keystone21:25
*** timcline has quit IRC21:30
*** iamjarvo has quit IRC21:31
*** jsavak has joined #openstack-keystone21:44
samueldmqdstanek I replied to your comments at #137202 (Improve List Role Assignments Filters Performance)21:47
samueldmqamakarov_away, ^21:47
samueldmqI really would appreciate reviews on that, since I have been working on that for a cycle at this moment : )21:48
samueldmqactually I started that before Kilo summit at Paris21:50
lbragstaddstanek: how is your gerrty review stuff coming along with vim script?21:50
*** gokrokve has quit IRC21:50
*** jsavak has quit IRC21:57
*** jsavak has joined #openstack-keystone21:58
*** gokrokve has joined #openstack-keystone21:59
*** gokrokve has quit IRC22:05
*** gokrokve has joined #openstack-keystone22:06
dstaneksamueldmq: which review is that?22:07
*** iamjarvo has joined #openstack-keystone22:08
dstaneklbragstad: i started working on some other gertty changes while i'm waiting for my gertty changes to merge22:08
samueldmqdstanek, Improve List Role Assignments Filters Performance22:08
samueldmqdstanek, you have a comment there22:08
dstaneksamueldmq: why is that comment block changing? you renamed domain to project in examples and it's not clear to me why22:11
samueldmqdstanek, it was not just that I changed domain to project22:12
samueldmqdstanek, it was "'project_id': domain_id," and I fixed it22:13
samueldmqdstanek, also, I changed the format in which we represent the assignments (now the expanded assignments, in the manager level)22:13
dstaneksamueldmq: that's why i voted -1; several different change in the patch22:14
dstanekthe entire method was rewritten and it was hard to tell if the doc changes were caused by that or if the change was for another reason22:14
samueldmqdstanek, yes .. but as we are moving the expansion logic from controller to manager, manager has to have its own way to represent the expanded assignments22:14
samueldmqdstanek, well .. I could split that patch into two ... one passes the filters to the drivers and keep the expasion logic/formatting at controller level22:17
samueldmqdstanek, the second moves the expasion logic to the manager22:17
samueldmqdstanek, and keep only the formatting logic at the controller level22:17
*** iamjarvo has quit IRC22:21
*** edmondsw has quit IRC22:22
morganfainberghmm.. dtroyer think we can drop "python-" from keystoneclient with the 2.0.0 release as well? :P22:23
* morganfainberg does not like that convention22:23
*** fangzhou has joined #openstack-keystone22:24
*** dims has quit IRC22:25
*** gordc has quit IRC22:27
*** dims has joined #openstack-keystone22:28
dstaneksamueldmq: that sounds sane22:28
dstanekmorganfainberg: ++22:28
bknudsonwhat if we have a js-keystoneclient?22:29
samueldmqdstanek, ok I will be working on that ... maybe that's been there for a long time because it's hard to review, not sure but that's a fair possibility22:29
bknudsonshould be emcascript-keystoneclient22:30
samueldmqgo-keystoneclient !!22:30
samueldmqshould be fun :)22:30
gyeelets do this22:30
bknudsonI'd like to see it.22:30
dtroyermorganfainberg: I'm all for that.  IIRc it was a debian-ism that prompted it in the first place22:30
dtroyerand I've regretted with OSc since day 322:31
gyeehahahah22:31
gyeedtroyer, took you 3 days?! :)22:31
dtroyerI was an ignorant young (python)-pup back then22:31
*** radez is now known as radez_g0n322:34
*** lifeless has quit IRC22:35
dstanek if you don't have the python- prefix how will pip know you what the Python version of the client?22:39
*** ayoung has quit IRC22:41
dstanekjamielennox: i started hacking on flask today22:49
*** zzzeek has quit IRC22:51
jamielennoxdstanek: ok, cool. i've been reading some of the docs but i was going to check with you first22:51
*** lhcheng_ has joined #openstack-keystone22:51
morganfainbergdstanek: i.. i don't have words for that...22:52
morganfainbergdstanek: *cry*22:52
morganfainbergdstanek: the pip + python question that is22:52
samueldmqheheh22:52
dstanekmorganfainberg: i'm just concerned that it'll accidentally install the ruby versio22:53
*** lhcheng has quit IRC22:53
*** e0ne has quit IRC22:53
morganfainbergdstanek: you know... this *is* on eavesdrop... be careful... someone might think youre serious22:55
*** csoukup has quit IRC22:56
dstanekmorganfainberg: that would be too funny - just to be a jerk i was register ruby-keystoneclient on pypi22:56
*** dguerri is now known as dguerri`away22:57
morganfainbergdstanek: now if you made pip install it by calling out to the ruby equivalent installer and install a ruby binding22:57
morganfainbergdstanek: i might... i might have to tip my hat.22:57
morganfainbergand owe you a beer or 722:57
morganfainbergbecause that'd be serious commitment to a joke22:57
*** stevemar has quit IRC22:58
dstaneka little too much maybe23:01
*** bknudson has quit IRC23:05
*** Ephur has quit IRC23:06
*** jsavak has quit IRC23:07
*** chlong has joined #openstack-keystone23:09
*** chlong has quit IRC23:15
*** markvoelker has quit IRC23:15
*** darrenc is now known as darrenc_afk23:26
*** gokrokve has quit IRC23:27
*** hemna is now known as hemnafk23:31
jamielennoxmorganfainberg: i'll be back in like an hour. can you hold down the session questions?23:32
morganfainbergjamielennox: ok so, tell everyone to dogpile you when you're back. check.23:33
morganfainbergjamielennox: ;)23:33
morganfainbergjamielennox: yeah i think the questions are mostly in order now / should taper off.23:33
morganfainbergjamielennox: thanks for jumping in23:33
*** sigmavirus24 is now known as sigmavirus24_awa23:35
*** darrenc_afk is now known as darrenc23:37
*** fangzhou has quit IRC23:37
*** jamielennox is now known as jamielennox|away23:42
*** chlong has joined #openstack-keystone23:44
*** alanf-mc has quit IRC23:48
*** lifeless has joined #openstack-keystone23:54
*** csoukup has joined #openstack-keystone23:54
*** vilobhmm has quit IRC23:57
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076923:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!