Thursday, 2015-05-28

00:00 <morganfainberg> vilobhmm: there was a nova spec... let me see if i can find it
00:00 <morganfainberg> that was meant for cleanup/new quota allocations etc
00:02 <morganfainberg> vilobhmm: https://review.openstack.org/#/c/92507/ and https://review.openstack.org/#/c/160605/
00:06 <vilobhmm> thanks morganfainberg
00:08 *** mattfarina has quit IRC
00:08 <openstackgerrit> Dave Chen proposed openstack/keystone: Remove the deprecated external authentication methods  https://review.openstack.org/185541
00:12 <morganfainberg> yay Dave Chen doing cleanup stuff! yay!
00:12 * morganfainberg doesn't know Dave Chen's irc...so...
00:12 <morganfainberg> still cheering!
00:14 <morganfainberg> zigo: since i see you're around... did we finally get keystoneclient happier w/ py3 packaging?
00:15 <zigo> morganfainberg: Nop, we need pysaml2 to understand Py3, and Clint Byrum is working on that.
00:15 <zigo> morganfainberg: He did lots of it already.
00:15 <morganfainberg> zigo: great just checking in
00:15 <morganfainberg> zigo: thanks!
00:15 <zigo> morganfainberg: All the rest has been done already.
00:15 <morganfainberg> zigo: woohoo
00:15 <zigo> morganfainberg: Victor wrote a huge patch for memcached ! :)
00:16 <zigo> It's not merged upstream yet, but I already uploaded the package with the patch to Sid.
00:18 <jamielennox> zigo: memcached for auth_token middleware?
00:18 <morganfainberg> zigo: fwiw we are still planning to move to pymemcache
00:19 <zigo> jamielennox: Yup.
00:19 <morganfainberg> zigo: and ditch python-memcache altogether
00:19 <jamielennox> is there a use for dogpile there?
00:19 <morganfainberg> jamielennox: same issue, but yes.
00:19 <morganfainberg> we should move to dogpile.
00:19 <jamielennox> morganfainberg: same issue - but not our issue :)
00:19 <zigo> morganfainberg: Yeah, but it's *done*, so that is already out of the way for Py3 support.
00:20 <morganfainberg> jamielennox: there is a wonderful person (she was one of the women in openstack scholarship winners from HP) who is helping oslo team do better cache w/ dogpile
00:20 <morganfainberg> jamielennox: that's what I want us to use.
00:20 <morganfainberg> zigo: sure.
00:20 <morganfainberg> zigo: hope we can have keystone fully py3 friendly this cycle
00:20 <morganfainberg> zigo: move to ldap3 is one of the major blockers.
00:20 <zigo> morganfainberg: I hope we can have that AND all of oslo too.
00:20 <morganfainberg> zigo: but i am optimistic it will happen
00:21 <morganfainberg> zigo: oslo - i can't make promises
00:21 <zigo> morganfainberg: qpid is the blocker here.
00:21 <morganfainberg> zigo: oh. i don't really care about qpid.
00:21 <morganfainberg> at all
00:21 <zigo> morganfainberg: I don't either, but it's still on our way to get stuff moved to Py3.
00:21 <morganfainberg> isn't qpid going away? </heard rumors>
00:21 <zigo> So we should either remove it completely, or port it to Py3.
00:21 <zigo> morganfainberg: It's planned for in 2 releases.
00:22 <morganfainberg> i think it is deprecated / will be
00:22 <morganfainberg> and going away
00:22 <morganfainberg> then.. in 2 releases boom
00:22 <morganfainberg> :)
00:22 <zigo> So that's not an option to say "it's going to be releases".
00:22 <zigo> I'm not going to wait another year...
00:22 <zigo> Porting Qpid to Py3 will be faster.
00:22 <morganfainberg> zigo: maybe we can split qpid bits out to their own little world
00:22 <zigo> I'd be all for it.
00:22 <morganfainberg> and say "must run py27 if you want it"
00:22 <zigo> It's contained into oslo.messaging, but everything depends on that...
00:22 * morganfainberg has no horse in this race
00:22 <zigo> Including a bunch of other oslo libs.
00:23 <morganfainberg> zigo: it might be possible to just split that bit out.
00:23 <morganfainberg> *might*
00:23 <morganfainberg> like we're working on for the auth plugins
00:23 <zigo> The issue is that unit test listing must also work in py3, and that cannot be done if we keep a single "import qpid"
00:23 <morganfainberg> zigo: ah see that is why you do it like dogpile does. lazy import
00:23 <zigo> morganfainberg: Any chance to get a SQRL plugin for Horizon one day? :)
00:24 <morganfainberg> SQRL?
00:24 * morganfainberg is unfamiliar with that initialism
00:24 <zigo> morganfainberg: It's a login system without login/password pairs.
00:24 <morganfainberg> oh
00:24 <zigo> Just identity based or keys.
00:24 <zigo> The server doesn't even store anything for you, so you don't have to trust it.
00:24 <morganfainberg> well... WebSSO is there, meaning you can login w/ whatever IdP you have
00:24 <zigo> It only knows who you are.
00:25 <morganfainberg> which *could* be cert-only
00:25 <morganfainberg> or similar
00:25 <zigo> With SSO, you trust *less* server, but you still trust someone to store your login/pass in a db.
00:25 <morganfainberg> zigo: you still trust someone to verify who you are
00:25 <morganfainberg> the IdP may only use keys
00:25 <morganfainberg> nothing saying it has to be username/password
00:25 <kfox1111> Ah... client.service_catalog.catalog.... very interesting.
00:25 <zigo> https://www.grc.com/sqrl/sqrl.htm
00:26 <morganfainberg> it could also just translate a DN from a cert to something useful
00:26 <morganfainberg> i don't see a win for SQRL like login since we still need the authz metadata, i'd push off to an IdP that does SQRL then
00:27 <morganfainberg> i don't want to support every form of auth ;) i want to have a few standards that let anyone convey authn to us
00:27 <morganfainberg> OIDC, SAML, etc
00:27 <zigo> Anyway, I'm getting up in a few hours, I shouldn't be up this late.
00:27 <zigo> Bye.
00:27 <morganfainberg> zigo: have a good night
00:28 <jamielennox> morganfainberg: was there a plan to do another ksc release before 2.0
00:28 <morganfainberg> jamielennox: yes
00:28 <morganfainberg> jamielennox: was on my list to do today
00:28 <jamielennox> ah
00:29 <morganfainberg> jamielennox: will still happen today-ish
00:29 <morganfainberg> just got meeting wrapped up and stuff.
00:29 <jamielennox> any chance i could get https://review.openstack.org/#/c/179563/
00:29 <morganfainberg> (and booking travel)
00:29 <jamielennox> i came across another cli today doing things completely wrong and abusing sessions, but i'm not going to rewrite that cli plugin every time
00:30 <morganfainberg> jamielennox: find me another +2, i want it gating in the next 20mins so i can actually release today
00:30 <morganfainberg> jamielennox: i don't mind waiting if we can dig up a second +2 for it
00:30 <jamielennox> ayoung: awake?
00:30 <jamielennox> gyee: awake?
00:31 <morganfainberg> jamielennox: and we are holding 2.0 for KSA *and* cli/middleware removal
00:31 <jamielennox> yea, that's going to take some time
00:31 <morganfainberg> let's not wait too long on it if possible
00:32 <morganfainberg> but more important is to get ksa out the door
00:32 <morganfainberg> we can lag a little on the convert to using ksa
00:32 *** tobe has joined #openstack-keystone
00:35 <openstackgerrit> Roxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/180769
00:36 *** tobe has quit IRC
00:43 <jamielennox> it's glorious: https://viswaug.files.wordpress.com/2008/11/http-headers-status1.png
00:44 <morganfainberg> oh.. wow
00:45 *** zzzeek has quit IRC
00:46 <gyee> jamielennox, yes sir
00:46 <gyee> scrolling back
00:47 *** timcline has joined #openstack-keystone
00:47 <jamielennox> https://review.openstack.org/#/c/179563/
00:47 <gyee> looking
00:47 <jamielennox> gyee: ^ can you have a look at that one
00:47 *** kfox1111 has quit IRC
00:47 *** vilobhmm has quit IRC
00:49 <gyee> jamielennox, where's the bp/bug?
00:49 * gyee puts on the bknudson hat
00:49 <morganfainberg> gyee: careful with that hat... with great power.... something something something
00:49 <jamielennox> damn, if it's not linked i didn't do one
00:49 <jamielennox> i always forget to do a bug
00:49 <gyee> ha
00:49 <jamielennox> it never seems right for a new feature
00:50 <gyee> we need to doc it, hence bp/bug
00:50 <jamielennox> yea
00:50 <gyee> -1!
00:50 <jamielennox> ok, -1 it, morganfainberg can release without it
00:50 <morganfainberg> we don't *have* to wait for a 2.0 for it to land
00:51 <morganfainberg> we just have enough backed up we need a 1.4 this week
00:51 <morganfainberg> so maybe we will have a 1.5 mini release prior to 2.x
00:51 *** timcline has quit IRC
00:51 <morganfainberg> ooooor we just say "f-it" and when the time comes to merge in ksa we 2.0 branch all the things
00:52 <jamielennox> oh yea, i wouldn't say this will be the last 1.x it was just something i always put off because i don't want to fix people's crappy clis
00:52 <jamielennox> but the ironic one is super broken
00:53 *** dsirrine has joined #openstack-keystone
00:54 *** dsirrine has quit IRC
00:54 *** dsirrine has joined #openstack-keystone
00:56 *** rushiagr_away is now known as rushiagr
00:57 <morganfainberg> and we want ironic people to be happy
00:59 *** _cjones_ has quit IRC
00:59 *** _cjones_ has joined #openstack-keystone
01:07 *** gyee has quit IRC
01:16 *** alanf-mc_ has quit IRC
01:18 *** tobe has joined #openstack-keystone
01:20 *** vilobhmm has joined #openstack-keystone
01:24 *** rushiagr is now known as rushiagr_away
01:27 *** lhcheng has joined #openstack-keystone
01:27 *** ChanServ sets mode: +v lhcheng
01:27 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: A Default CLI plugin  https://review.openstack.org/179563
01:29 *** lhcheng_ has joined #openstack-keystone
01:29 *** browne has quit IRC
01:30 *** markvoelker has quit IRC
01:30 *** markvoelker_ has joined #openstack-keystone
01:31 *** Rockyg has quit IRC
01:32 *** lhcheng has quit IRC
01:34 <openstackgerrit> Dave Chen proposed openstack/keystone: Add testcases to test DefaultDomain  https://review.openstack.org/185855
01:35 *** dims_ has quit IRC
01:38 *** dsirrine has quit IRC
01:38 *** vilobhmm has quit IRC
01:38 *** vilobhmm has joined #openstack-keystone
01:47 <openstackgerrit> ayoung proposed openstack/keystone: IAM Models  https://review.openstack.org/184651
01:50 *** sigmavirus24 is now known as sigmavirus24_awa
01:50 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Serialize user auth plugin  https://review.openstack.org/167181
01:55 *** vilobhmm has quit IRC
02:00 *** gokrokve has joined #openstack-keystone
02:04 *** _cjones_ has quit IRC
02:05 <openstackgerrit> Qiming Teng proposed openstack/keystone: Enable service role to list/get users  https://review.openstack.org/181298
02:06 <mfisch> here's my first fernet bug: https://bugs.launchpad.net/keystone/+bug/1459483
02:06 <openstack> Launchpad bug 1459483 in Keystone "able to verify a Fernet token with garbage at the end" [Undecided,New]
02:07 <mfisch> that should say "Validate" ^
02:08 *** rushiagr_away is now known as rushiagr
02:08 *** liusheng has quit IRC
02:08 *** liusheng has joined #openstack-keystone
02:15 *** spandhe has quit IRC
02:17 *** gokrokve has quit IRC
02:23 *** gokrokve has joined #openstack-keystone
02:29 *** gokrokve has quit IRC
02:29 *** browne has joined #openstack-keystone
02:29 <ayoung> mfisch, why is that a bug?
02:30 *** gokrokve has joined #openstack-keystone
02:30 <ayoung> mfisch, works as designed
02:31 *** gokrokve has quit IRC
02:32 *** alanf-mc has joined #openstack-keystone
02:37 *** lhcheng_ has quit IRC
02:39 <jamielennox> hmm, i'd consider it a bug but fairly low priority
02:39 <jamielennox> if nothing else there is an element of known plaintext there, probably not a big problem though
02:46 *** rwsu has quit IRC
02:55 *** rushiagr is now known as rushiagr_away
02:59 *** alanf-mc_ has joined #openstack-keystone
03:01 *** alanf-mc has quit IRC
03:01 *** alanf-mc_ has quit IRC
03:03 *** alanf-mc has joined #openstack-keystone
03:06 <openstackgerrit> ayoung proposed openstack/keystone: IAM Models  https://review.openstack.org/184651
03:08 *** samueldmq has quit IRC
03:16 <morganfainberg> mfisch: not sure if it's a bug or the way b64decoder is working
03:16 <morganfainberg> mfisch: does any garbage work?
03:16 <morganfainberg> mfisch: or just urlencoded junk
03:17 <morganfainberg> if it's the latter, i'd say we're ok, because urlencoded junk is really not allowed in the token id.
03:17 <morganfainberg> and if it's in the middle it is def. not going to validate
03:18 <morganfainberg> and %3D is '=' which could be padding.
03:18 <morganfainberg> in normal b64
03:29 *** mabrams has joined #openstack-keystone
03:41 <ayoung> morganfainberg, he appended garbage on to the token.  The encoded part probably has a length, and ignores anything beyond that, but then it gets copied in as the ID later in the process
03:41 <ayoung> we should probably have a length check in there, and reject if there is anything outside the encoded portion, but, meh...not a huge deal.  Should be fixed, though
03:42 *** ayoung has quit IRC
03:42 <morganfainberg> sure
04:00 *** rushiagr_away is now known as rushiagr
04:01 *** spandhe has joined #openstack-keystone
04:05 *** spandhe_ has joined #openstack-keystone
04:05 *** jaison has joined #openstack-keystone
04:06 *** spandhe has quit IRC
04:06 *** spandhe_ is now known as spandhe
04:36 *** tobe has quit IRC
04:50 *** openstackgerrit has quit IRC
04:51 *** openstackgerrit has joined #openstack-keystone
04:56 *** lhcheng has joined #openstack-keystone
04:56 *** ChanServ sets mode: +v lhcheng
04:57 *** lhcheng_ has joined #openstack-keystone
04:58 *** mdrnstm has joined #openstack-keystone
04:58 *** ChanServ sets mode: +v mdrnstm
05:00 *** davechen has joined #openstack-keystone
05:01 *** lhcheng has quit IRC
05:01 <mdrnstm> sure is quiet this evening
05:02 *** cloudm2 has quit IRC
05:03 *** gokrokve has joined #openstack-keystone
05:06 *** stevemar has joined #openstack-keystone
05:06 *** ChanServ sets mode: +v stevemar
05:06 <mdrnstm> stevemar: we need to finish up a slide deck
05:06 <mdrnstm> stevemar: sorry been swamped with meetings. i'll be working on the k2k diagram and the keystone architecture diagram shortly
05:09 <stevemar> mdrnstm, same
05:09 <stevemar> mdrnstm, i spoke with the guy from CIS, he said friday EOD is good
05:09 <stevemar> so we have some buffer
05:09 <mdrnstm> stevemar: great
05:09 <stevemar> what the heck is app-catalog
05:10 *** gokrokve has quit IRC
05:10 *** gokrokve has joined #openstack-keystone
05:10 <mdrnstm> stevemar: a name that is not correct. i need to step in here shortly
05:10 <mdrnstm> and say "uhhhhhhhhhhhhh"
05:10 <mdrnstm> or something useful
05:11 <stevemar> select all -> delete
05:11 *** gokrokve has quit IRC
05:11 <mdrnstm> stevemar: '; drop tables apps;
05:11 <mdrnstm> >.>
05:12 *** gokrokve has joined #openstack-keystone
05:12 <stevemar> hehe
05:12 <stevemar> omgggg someone is going to do cinder v2 stuff for osc
05:12 <stevemar> and it's not ME!
05:16 *** qianli has joined #openstack-keystone
05:17 *** gokrokve has quit IRC
05:18 *** gokrokve has joined #openstack-keystone
05:18 *** jaison has quit IRC
05:21 *** kiran-r has joined #openstack-keystone
05:22 *** kiranr has joined #openstack-keystone
05:23 *** gokrokve has quit IRC
05:24 *** kiran-r has quit IRC
05:24 *** kiranr is now known as kiran-r
05:25 *** kiranr has joined #openstack-keystone
05:25 *** fifieldt has joined #openstack-keystone
05:25 *** kiran-r has quit IRC
05:25 *** kiran-r has joined #openstack-keystone
05:26 *** kiran-r has quit IRC
05:26 *** kiranr has quit IRC
05:27 *** kiran-r has joined #openstack-keystone
05:31 *** mdrnstm is now known as morgan
05:37 *** lhcheng_ has quit IRC
05:38 *** lhcheng has joined #openstack-keystone
05:38 *** ChanServ sets mode: +v lhcheng
05:40 <openstackgerrit> Merged openstack/keystone-specs: Fix assertion examples  https://review.openstack.org/185985
05:40 *** harlowja_ has quit IRC
05:41 *** gokrokve has joined #openstack-keystone
05:44 *** setmason has quit IRC
05:58 *** spandhe has quit IRC
06:04 *** tobe has joined #openstack-keystone
06:06 *** krykowski has joined #openstack-keystone
06:07 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/186279
06:12 *** setmason has joined #openstack-keystone
06:14 *** setmason_ has joined #openstack-keystone
06:15 *** lhcheng has quit IRC
06:17 *** setmason has quit IRC
06:17 *** setmason_ is now known as setmason
06:18 *** _cjones_ has joined #openstack-keystone
06:19 *** _cjones_ has quit IRC
06:19 *** _cjones_ has joined #openstack-keystone
06:25 *** stevemar has quit IRC
06:28 *** lhcheng has joined #openstack-keystone
06:28 *** ChanServ sets mode: +v lhcheng
06:28 *** drjones has joined #openstack-keystone
06:31 *** _cjones_ has quit IRC
06:41 <openstackgerrit> Merged openstack/python-keystoneclient: Fixe example code in Using Sessions page  https://review.openstack.org/175135
06:41 *** setmason has quit IRC
06:42 *** setmason has joined #openstack-keystone
06:43 <openstackgerrit> Merged openstack/python-keystoneclient: Fixed grammatical errors in the V2 Client API doc  https://review.openstack.org/186074
06:43 *** alanf-mc has quit IRC
06:54 *** ajayaa has joined #openstack-keystone
06:59 *** vilobhmm has joined #openstack-keystone
07:03 *** drjones has quit IRC
07:10 *** vilobhmm has quit IRC
07:10 *** setmason has quit IRC
07:13 *** rlt_ has joined #openstack-keystone
07:21 *** browne has quit IRC
07:44 <openstackgerrit> Dave Chen proposed openstack/keystone: `api_curl_examples.rst` is out of date  https://review.openstack.org/186310
07:54 *** jistr has joined #openstack-keystone
08:00 *** kiran-r is now known as help
08:00 *** help is now known as Guest32271
08:01 *** Guest32271 is now known as kiran-r
08:02 *** dims_ has joined #openstack-keystone
08:05 *** lufix has joined #openstack-keystone
08:06 <openstackgerrit> Morgan Fainberg proposed openstack/keystoneauth: Remove oslo.i18n dependency  https://review.openstack.org/185799
08:06 <openstackgerrit> Morgan Fainberg proposed openstack/keystoneauth: Remove lxml test-requirement  https://review.openstack.org/185790
08:08 *** dims_ has quit IRC
08:22 *** User17 has joined #openstack-keystone
08:23 *** qianli has quit IRC
08:24 <User17> hi all.. where can i get the passwords of users in the keystone database
08:30 *** dguerri`away is now known as dguerri
08:32 <davechen> User17: you cannot, the password is hashed.
08:34 <davechen> User17: The hashed value is in the user table.
08:34 <User17> davechen: oh ok thanks.. i can't even change it with admin role??
08:35 <davechen> User17: I'm not aware of an approach to update the password.
08:35 <davechen> User17: you can try this command: user-password-update
08:36 <davechen> User17: keystone user-password-update  ...
08:37 <morgan> davechen, User17: you can update the user with an admin role. via the update user API
08:37 <openstackgerrit> Merged openstack/keystoneauth: Remove old request method  https://review.openstack.org/185492
08:37 <morgan> the "user-password-update" action is meant to be used if you have the user's current password (non-admin, so a user can update their own password)
08:38 <User17> davechen: ok thank you.. i installed keystone from source...  i added the user details.. i am able to display it using keystone user-list.. but when i enter the keystone database.. the user table has nothing..
08:38 <davechen> morgan: Ah! you are still working. :)
08:39 <morgan> davechen: shhhh don't tell anyone
08:39 <davechen> morgan: everyone is dreaming... except three guys.
08:41 <davechen> User17: it doesn't make sense, keystone user-list actually reads the database.
08:42 <User17> I am able to use --os-auth-url with two ports 5000 and 35357 and the corresponding username and password credentials... what is the purpose of the two ports there.. I installed glance from source.. It is using one port for endpoint creation
08:43 <User17> davechen: thanks.. will check it
08:44 <davechen> User17: one is the public port and the other is the admin port, there are some actions which can only be done with the admin port imo.
08:44 <lhcheng> User17: davechen is correct. port 5000 is for authentication, token validation.  While port 35357 is the admin port, used for managing keystone user/group/roles.
08:45 <morgan> lhcheng, davechen, User17: with V3 (and proper RBAC) all APIs are available on both ports. the strict admin vs non-admin break was specific to the Keystone V2 API
08:46 <User17> thanks davechen,lhcheng,morgan
08:48 <morgan> ugh. 178 open reviews in keystone :(
08:48 <morgan> sooooo much to review
08:49 <davechen> User17: welcome. I am interested in your db issue.
08:49 <User17> after installation of keystone and creation of keystone db.. what will keystone db_sync do?? will it create the tables with the schema provided in keystone source??
08:50 <User17> thanks davechen.. :)
08:50 *** mkoderer has quit IRC
08:50 <davechen> morgan: fortunately, there are not many new patches recently, keep reviewing...  :P
08:52 <lhcheng> morgan: wow.. a lot of reviews to catch up on.  :( should be able to spend more time reviewing later next week just have some more internal stuff to finish up.
08:52 <morgan> lhcheng: realize i also just did a gertty sync, so it's missing a bunch of reviews i've already looked at
08:52 <lhcheng> morgan: I hope it is not the review count that's keeping you up late. :P
08:52 <morgan> nah
08:52 <morgan> setting up new laptop
08:52 <morgan> and all the toys that come with that
08:53 *** mkoderer has joined #openstack-keystone
08:53 <morgan> plus needing to release a new python-keystoneclient
08:53 <lhcheng> got the new macbook?
08:53 <openstackgerrit> Merged openstack/keystoneauth: Make utils file private  https://review.openstack.org/185806
08:53 <openstackgerrit> Merged openstack/keystoneauth: Remove oslo.utils dependency  https://review.openstack.org/185807
08:53 <morgan> lhcheng: X1 Carbon 3rd Gen
08:54 <User17> davechen: same db issue is there.. the user table still shows empty.. but the command user-list lists a few users...
08:54 <davechen> User17: yep, db_sync will handle the DB migration for you.
08:55 <morgan> ugh... we lost a release somewhere in keystoneclient :(
08:55 <lhcheng> morgan: thought you were going for the macbook some time back
08:56 <morgan> lhcheng: tired of yosemite
08:56 <morgan> and linux works better on the X1C
08:56 <morgan> so, using linux as the primary os for my work/travel laptop now
08:57 <morgan> the 12" MacBook (i want it for many reasons) is out because of the "core M" processor
08:57 <morgan> that is a deal breaker
08:57 <lhcheng> morgan: ah yosemite, I had a terrible experience when I upgraded.  Keeps on freezing, turning off the graphics power save mode seems to have fixed it.
08:57 <User17> davechen: thanks really... db_sync works perfectly in keystone.... i installed glance from source... and tried with glance-manage db_sync.. it throws an error " TRACE glance ValueError: Invalid target type: None" any idea?
08:59 <lhcheng> morgan: ugh, understood
08:59 <davechen> User17: How did you install openstack, from source or from the packages?
09:00 <davechen> User17: I have no idea about the glance DB issue, sorry about that.
09:00 <lhcheng> morgan: okay, I'm out. It's been a long day.
09:00 <lhcheng> good night everyone
09:01 <davechen> lhcheng: good night.
09:01 <breton> afternoon!
09:01 <davechen> morgan: have a good dream.
09:01 <morgan> breton: did you see my ping from much earlier re: alembic spec?
09:01 <User17> i installed the keystone component separately from source..
09:01 <lhcheng> and good day too for some folks :)
09:01 <morgan> breton: let's get that retargeted to Liberty and get some work done on it as we discussed at the summit :)
09:02 <User17> davechen: i installed the keystone component separately from source.. thanks :)
09:02 <breton> morgan: haven't seen, but now have. https://review.openstack.org/#/c/177220/
09:02 *** lhcheng is now known as lhcheng_afk
09:02 <morgan> breton: perfect!
09:08 *** lhcheng_afk has quit IRC
09:16 *** markvoelker_ has quit IRC
09:22 *** e0ne has joined #openstack-keystone
09:29 <openstackgerrit> Merged openstack/keystone: Don't fail on converting user ids to bytes  https://review.openstack.org/186120
09:30 *** e0ne is now known as e0ne_
09:35 *** e0ne_ has quit IRC
09:54 *** davechen has left #openstack-keystone
09:57 *** e0ne has joined #openstack-keystone
09:57 *** dims_ has joined #openstack-keystone
10:11 *** hogepodge has quit IRC
10:11 *** afazekas_ has joined #openstack-keystone
10:13 *** hogepodge has joined #openstack-keystone
10:17 *** markvoelker has joined #openstack-keystone
10:20 *** samueldmq has joined #openstack-keystone
10:21 <samueldmq> morning
10:23 *** markvoelker has quit IRC
10:26 *** lufix has quit IRC
10:27 <breton> samueldmq: morning!
10:27 <breton> dolphm: great blogpost!
10:28 <breton> dolphm: I would love to see a follow-up about how clients should navigate the catalog
10:35 <breton> dolphm: and what $(tenant_id)s is for, if it should not be used
10:37 <samueldmq> breton, hmm, going to take a look at such post :)
10:39 *** e0ne is now known as e0ne_
10:45 *** e0ne_ has quit IRC
10:45 *** lufix has joined #openstack-keystone
10:53 *** e0ne has joined #openstack-keystone
10:58 *** mabrams has quit IRC
10:59 *** hogepodge has quit IRC
11:00 *** dobson has quit IRC
11:02 *** hogepodge has joined #openstack-keystone
11:03 *** dobson has joined #openstack-keystone
11:11 *** e0ne is now known as e0ne_
11:12 *** e0ne_ is now known as e0ne
11:13 *** aix has joined #openstack-keystone
11:16 *** dims_ has quit IRC
11:17 *** dims_ has joined #openstack-keystone
11:20 *** e0ne is now known as e0ne_
11:24 *** baffle_ is now known as baffle
11:25 *** e0ne_ has quit IRC
11:28 *** dims_ has quit IRC
11:28 *** dims_ has joined #openstack-keystone
11:30 *** tobe has quit IRC
11:33 *** dims_ has quit IRC
11:34 *** e0ne has joined #openstack-keystone
11:35 <samueldmq> jamielennox, fyi, devstack change for identity v3 only has merged
11:36 <samueldmq> jamielennox, project-config change has +2, just waiting for mtreinish to take a look, since it's adding experimental jobs for tempest/devstack
11:36 <samueldmq> jamielennox, https://review.openstack.org/#/c/179661/
11:37 *** dobson has quit IRC
11:39 *** openstackgerrit has quit IRC
11:39 *** dobson has joined #openstack-keystone
11:39 *** openstackgerrit has joined #openstack-keystone
11:39 *** dims_ has joined #openstack-keystone
11:39 *** tobe has joined #openstack-keystone
11:42 *** afazekas_ is now known as afazekas
11:43 *** radez_g0n3 is now known as radez
11:43 <jamielennox> samueldmq: yep - i've been watching it
11:44 *** aix has quit IRC
11:44 <samueldmq> jamielennox, great
11:44 <jamielennox> i'm keen, there's a few things i want to try once we get that bit in
11:47 *** dobson has quit IRC
11:48 *** rushiagr is now known as rushiagr_away
11:49 <samueldmq> jamielennox, nice, I hope it isn't taking longer to merge than you were expecting to :)
11:49 <jamielennox> samueldmq: these things always take time
11:53 *** dobson has joined #openstack-keystone
11:59 *** aix has joined #openstack-keystone
11:59 <openstackgerrit> Flavio Percoco proposed openstack/keystonemiddleware: Don't assume everyone uses `CONF`  https://review.openstack.org/143063
12:00 *** dsirrine has joined #openstack-keystone
12:00 *** ajayaa has quit IRC
12:02 *** markvoelker has joined #openstack-keystone
12:19 *** fhubik has joined #openstack-keystone
12:19 *** ajayaa has joined #openstack-keystone
12:22 *** dsirrine has quit IRC
12:28 *** ajayaa has quit IRC
dolphmlbragstad: will you backport 186120 to stable/kilo?12:29
*** dsirrine has joined #openstack-keystone12:30
samueldmqI think this is fair enough to be backported :)12:30
samueldmqalthough I do not know what exactly defines if a fix should be backported or not12:31
dolphmbreton: we're stuck with tenant_ids in urls because swift12:32
*** e0ne is now known as e0ne_12:32
dolphmsamueldmq: https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy12:33
samueldmqswift is very different from other services.. I mean in the access control, they don't even have a policy file12:34
samueldmqlooks like one openstack role is mapped there, and one with such role is able to do anything12:34
samueldmqdolphm, thanks for this link12:34
*** ajayaa has joined #openstack-keystone12:40
*** e0ne_ has quit IRC12:43
*** e0ne has joined #openstack-keystone12:47
*** pauloewerton has quit IRC12:51
dolphmlbragstad: we should log a warning when keystone generates a Fernet token > 255 chars12:58
lbragstaddolphm: yeah, that's a good idea.12:59
*** krykowski has quit IRC12:59
*** krykowski has joined #openstack-keystone12:59
lbragstaddolphm: and yes, I can do the backport12:59
rodrigodsdolphm, ping... we want to backport this changes: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/kilo+topic:bug/1442787,n,z , bknudson is alreay ok with them, can you take a look whenever you have a moment?13:01
*** Ephur has joined #openstack-keystone13:02
lbragstaddolphm: morganfainberg backport to stable/kilo https://review.openstack.org/#/c/186376/13:05
*** krykowski has quit IRC13:06
*** krykowski has joined #openstack-keystone13:07
samueldmqlbragstad, I was looking at your patch ..13:07
samueldmqlbragstad, isn't that the case to use attemp_ for trust_id as well ?13:08
*** tobe has quit IRC13:08
samueldmqlbragstad, hmm .. actually that is just the trust_id, not the trustor/trustee ...13:09
samueldmqlbragstad, but what about group_id13:09
lbragstadsamueldmq: yep13:09
lbragstadsamueldmq: I'm not sure about group ids13:10
lbragstadif they can be created externally with non uuid ids then that should be changed too.13:10
*** fifieldt has quit IRC13:11
samueldmqlbragstad, group_id = cls.convert_uuid_bytes_to_hex(group_id_in_bytes)13:11
samueldmqlbragstad, yeah that's the point, and I do thing groups may be imported from LDAP as well13:11
lbragstadsamueldmq: ok, I can push a second patch then13:11
samueldmqlbragstad, yes that makes sense13:13
samueldmqlbragstad, https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L109513:13
*** bknudson has joined #openstack-keystone13:19
*** ChanServ sets mode: +v bknudson13:19
*** radez is now known as radez_g0n313:19
*** ayoung has joined #openstack-keystone13:20
*** ChanServ sets mode: +v ayoung13:20
*** nkinder has quit IRC13:21
samueldmqlbragstad, also, even if it's not very used ... projects may also be coming from LDAP (https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L992)13:21
samueldmqlbragstad, I think we should be compatible, but I let you decide if we should support that with fernet :)13:22
samueldmqlbragstad, if we don't, I think we should document that13:22
lbragstadsamueldmq: yeah, that makes sense. but at the same time the functionality is deprecated (shrug?)13:22
lbragstadmorganfainberg: ^13:23
samueldmqlbragstad, LDAP for resource ? I know LDAP for assignment is13:23
dolphmlbragstad: i was going to suggest doing the same for projects, but LDAP assignments is also deprecated. still minimal effort to support it, though13:23
lbragstadI can roll it into the patch I'm working on13:23
samueldmqgreat :)13:24
lbragstadnice catch samueldmq13:24
dolphmlbragstad: groups can come from LDAP, but i know of literally no one that's using that... nor how they would go about using it effectively, it's never made sense to me13:24
samueldmqlbragstad, thanks, sorry for not reviewing that before13:24
*** fhubik is now known as fhubik_afk13:24
lbragstadsamueldmq: no worries,13:24
dolphmlbragstad: subsequent patch right, not a backport13:24
lbragstaddolphm: so we're not going to backport the group_id/project_id patch?13:25
lbragstadright/13:25
samueldmqdolphm, yeah, I don't know if someone uses LDAP for resource as well (project, domain), but we should be compatible as well IMO13:25
samueldmqdolphm, as it is not a big effort (as you said)13:25
jamielennoxaww crap, it's US morning time already13:26
ayoungjamielennox, run away13:27
ayounggot to bed13:27
lbragstadgood evening jamielennox !13:27
jamielennoxi am, i am13:27
ayoungdolphm, do we need "id_to_bytes" for the various IDs that go in the token now?13:28
*** radez_g0n3 is now known as radez13:28
samueldmqjamielennox, still there ?13:29
*** jamielennox is now known as jamielennox|away13:29
ayoungsamueldmq, let him go!13:29
dolphmayoung: context?13:29
samueldmqayoung, oh sure, I meant ayoung (not really) but ..13:29
ayoungdolphm, I saw the bug about Fernet with LDAP13:29
samueldmqjamielennox|away, go, good night13:29
dolphmayoung: oh that just saves space. hex encoding isn't particularly efficient13:29
dolphmwhen you know it's hex13:30
ayoungand I think that it might just be a general issue with serializing objects to the fernet format13:30
ayoungdolphm, as for groups from LDAP, I'd actually expect it to be fairly common, just it would be a single group that is actually used:  I'd expect that the organization that the user works in (team, office, whatever) has a project in a shared environment.13:32
ayoungwhat I think you were getting at is that more people want some form of Grouping out of SQL as well....13:33
ayoungI hope HMT gives us that13:33
dolphmayoung: i've just never seen or heard of a deployment using user groups from LDAP13:34
*** mattfarina has joined #openstack-keystone13:34
samueldmqlbragstad, btw, I left a couple of comments on the main change, just to document that projects/groups need to/will be addressed :)13:36
ayoungdolphm, I'd expect it more for internal clouds.  It's a fairly common pattern in enterprise apps13:36
*** krykowski has quit IRC13:37
*** dims_ has quit IRC13:37
dolphmayoung: have you seen a production openstack deployment use user groups out of LDAP or are you just theorizing?13:37
ayoungdolphm, they don't let me anywhere near production deployments.13:37
*** dims_ has joined #openstack-keystone13:38
ayoungBut I am extrapolating from what other applications do13:38
*** vhoward has joined #openstack-keystone13:39
*** ajayaa has quit IRC13:41
dolphmmfisch: ping13:41
*** vhoward has left #openstack-keystone13:41
dolphmmfisch: i'm sort of baffled by what's going on in https://bugs.launchpad.net/keystone/+bug/145948313:41
openstackLaunchpad bug 1459483 in Keystone "able to validate a Fernet token with garbage at the end" [Undecided,New]13:41
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose base check classes as part of public API  https://review.openstack.org/17668313:42
*** kiran-r has quit IRC13:43
*** setmason has joined #openstack-keystone13:47
*** fhubik_afk is now known as fhubik13:47
openstackgerritLance Bragstad proposed openstack/keystone: Don't assume group IDs are UUID format  https://review.openstack.org/18639213:51
openstackgerritLance Bragstad proposed openstack/keystone: Don't assume project IDs are UUID format  https://review.openstack.org/18639313:51
*** dsirrine_ has joined #openstack-keystone13:53
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove region reference from service provider  https://review.openstack.org/18639513:58
mfischdolphm: fixed that bug, sorry I missed that CURL13:58
mfischyou add anything to the end of the token in the CURL and it gets added onto the ID13:58
dolphmmfisch: i actually just verified the issue13:58
mfischI assume the code knows the length of the token and ignores anything past it13:58
mfischcool13:58
dolphmmfisch: it's an issue in pypi/cryptography though13:59
mfischnot sure how big of an issue it is but our tests caught it13:59
dolphmmfisch: so, filing upstream with steps to repro that removes keystone13:59
dolphmmfisch: good tests :)13:59
mfischI'll let Kim know, it was her suite13:59
lbragstaddolphm: mfisch can you paste  link to the upstream bug when possible?14:00
openstackgerritLance Bragstad proposed openstack/keystone: Log warning for long Fernet tokens  https://review.openstack.org/18639614:00
mfischeverything else still okay so far, having a shower debate with myself this morning on whether we'll wait for the new keystone-middleware which we get with K before rolling this out more14:00
*** krykowski has joined #openstack-keystone14:02
openstackgerritRodrigo Duarte proposed openstack/keystone: Update testing keystone2keystone doc  https://review.openstack.org/18639514:02
*** sigmavirus24_awa is now known as sigmavirus2414:02
*** radez is now known as radez_g0n314:04
dolphmlbragstad: mfisch https://bugs.launchpad.net/keystone/+bug/1459483/comments/314:04
openstackLaunchpad bug 1459483 in Keystone "able to validate a Fernet token with garbage at the end" [Medium,Confirmed]14:04
lbragstaddolphm: thanks14:05
dolphmlbragstad: perhaps more importantly... the token ID included in the JSON response is NOT url encoded :( see the = at the end? that should be %3D as it is in the request14:05
lbragstaddolphm: https://review.openstack.org/#/c/186392/ and https://review.openstack.org/#/c/186393/ should address the project/group id stuff14:06
*** bandwidth has joined #openstack-keystone14:06
lbragstaddolphm: I noticed that too14:06
bknudsonis the token ID used in URLs?14:06
bknudsonwhy does it need to be URL encoded?14:06
dolphmbknudson: v214:06
bandwidthis it possible to use the clients (nova, cinder, glance...) with OS-FEDERATION enabled?14:06
lbragstaddolphm: that's v2 specific14:06
*** zzzeek has joined #openstack-keystone14:07
*** krykowski has quit IRC14:13
*** ayoung has quit IRC14:14
*** dsirrine__ has joined #openstack-keystone14:15
openstackgerritRodrigo Duarte proposed openstack/keystone: Add "enabled" to create service provider example  https://review.openstack.org/18640214:16
*** dsirrine_ has quit IRC14:18
*** dsirrine has quit IRC14:18
*** HT_sergio has joined #openstack-keystone14:25
*** timcline has joined #openstack-keystone14:25
*** csoukup has joined #openstack-keystone14:27
*** nkinder has joined #openstack-keystone14:28
bknudsonbandit is running on keystonemiddleware now: http://logs.openstack.org/07/178707/1/check/gate-keystonemiddleware-tox-bandit/85d81b0/console.html14:31
bknudsonnon-voting14:31
bknudsonfor keystoneclient, we need https://review.openstack.org/#/c/182912/14:33
*** ayoung has joined #openstack-keystone14:33
*** ChanServ sets mode: +v ayoung14:33
*** dsirrine has joined #openstack-keystone14:33
*** dsirrine__ has quit IRC14:37
*** afazekas has quit IRC14:39
*** ayoung has quit IRC14:46
*** gokrokve has quit IRC14:48
*** ajayaa has joined #openstack-keystone14:49
*** afaranha has joined #openstack-keystone14:51
*** ducttape_ has joined #openstack-keystone14:51
ducttape_ping mfisch14:51
*** stevemar has joined #openstack-keystone14:51
*** ChanServ sets mode: +v stevemar14:51
mfischlbragstad: our testers found another issue14:52
*** Daviey has joined #openstack-keystone14:52
mfischlbragstad: when you rescope a token it's dropping the ms portion of the expiration14:52
mfischand the issue14:52
mfisch      "issued_at": "2015-05-27T22:17:51.102223Z",14:52
mfisch      "expires": "2015-05-28T00:17:51.102148Z",14:52
mfischthen14:52
mfisch      "issued_at": "2015-05-27T22:17:51.000000Z",14:52
mfisch      "expires": "2015-05-28T00:17:51.000000Z",14:52
mfischFernet issue I should be clear ^14:53
lbragstadmfisch: I think that's because we convert the timestamp to an epoch14:53
lbragstadand then back to a timestamp14:53
mfischthat'd do it14:53
* ducttape_ is pretty sure keystone is stealing time to be used later14:53
mfischI'll file this one but it doesn't seem serious14:53
lbragstadmfisch: it will serve as documentation at the very least14:54
mfischI'll bump token expiration to 7201 and nobody can complain ;)14:54
lbragstadmfisch: that works14:55
ducttape_thanks for explanation lbragstad14:55
lbragstadducttape_: no problem, thanks for your testing14:55
lbragstadworst case is that your token expires .102148 seconds early14:55
lbragstad:)14:55
bknudsonthe milliseconds get sent to lbragstad's swiss account.14:56
lbragstadbknudson: shhh!14:56
*** User17 has quit IRC14:56
ducttape_thats my concern, lbragstad will use all that extra time as paid vacation14:56
*** david-lyle_ has joined #openstack-keystone14:56
* lbragstad busted 14:56
bknudsonwe need superman to stop this.14:56
bknudsonhttps://www.youtube.com/watch?v=iLw9OBV7HYA14:57
ducttape_using 1980s videos to help explain how openstack works, does not instill confidence14:58
*** vhoward has joined #openstack-keystone14:58
mfischducttape_: those rows of cabinets are the disks we use for our DB servers14:59
ducttape_that would be a sweet sweet improvement14:59
*** gordc has joined #openstack-keystone14:59
*** e0ne is now known as e0ne_15:00
*** emagana has joined #openstack-keystone15:00
*** e0ne_ is now known as e0ne15:00
*** krykowski has joined #openstack-keystone15:01
*** spandhe has joined #openstack-keystone15:02
*** spandhe_ has joined #openstack-keystone15:05
*** ayoung has joined #openstack-keystone15:06
*** ChanServ sets mode: +v ayoung15:06
*** spandhe has quit IRC15:06
*** spandhe_ is now known as spandhe15:06
*** dsirrine_ has joined #openstack-keystone15:12
*** dsirrine_ has quit IRC15:13
*** dsirrine has quit IRC15:13
*** dsirrine has joined #openstack-keystone15:13
*** mattfarina has quit IRC15:17
stevemargordc, whats up with the ceilometer policy file?15:18
dolphmlbragstad: the issue would be that we're returning a non-zero decimal in the first place :P15:20
dolphmmfisch: ^15:20
dolphmthe non-zero decimal never goes into the token15:21
*** kiran-r has joined #openstack-keystone15:21
dolphmso the JSON response is just a lie15:21
*** edmondsw has joined #openstack-keystone15:23
*** radez_g0n3 is now known as radez15:23
*** fhubik is now known as fhubik_afk15:25
*** browne has joined #openstack-keystone15:26
gordcstevemar: ... am i suppose to tell you or are you going to tell me?15:26
*** ayoung has quit IRC15:27
gordcstevemar: need some context.15:27
*** ducttape_ has quit IRC15:30
*** iamjarvo has joined #openstack-keystone15:36
*** lufix has quit IRC15:36
*** kiran-r has quit IRC15:36
*** jorge_munoz has quit IRC15:38
*** arunkant_ has joined #openstack-keystone15:41
*** gyee has joined #openstack-keystone15:43
*** ChanServ sets mode: +v gyee15:43
*** ajayaa has quit IRC15:45
stevemargordc, why are policy.json.sample and policy.json so different?15:46
*** amakarov_away is now known as amakarov15:46
openstackgerritMerged openstack/oslo.policy: Expose base check classes as part of public API  https://review.openstack.org/17668315:47
*** raildo has left #openstack-keystone15:47
*** raildo has joined #openstack-keystone15:47
*** jorge_munoz has joined #openstack-keystone15:51
amakarovhello everybody! What's the workflow for security issues - can you please point me to any doc?15:51
*** chlong has quit IRC15:54
gordcstevemar: looing15:55
*** bandwidth has quit IRC15:55
gordclooking*15:55
*** jistr has quit IRC15:56
openstackgerritLance Bragstad proposed openstack/keystone: Log warning for long Fernet tokens  https://review.openstack.org/18639615:59
gordcstevemar: the sample is just an example of how the new rbac stuff works.16:00
bknudsonamakarov: https://security.openstack.org/vmt-process.html16:00
gordcstevemar: the policy.json is the legacy while we've always had.16:00
gordcstevemar: basically policy.json is the unrestricted copy and policy.json.sample is the 'hey you can do some crazy sh*t copy'... that's my understanding of the patch.16:01
amakarovbknudson, thank you16:02
stevemargordc, nuke policy.json!16:02
*** krykowski_ has joined #openstack-keystone16:02
*** gokrokve has joined #openstack-keystone16:03
gordcstevemar: i have no powers. every time i try to do something, someone yells 'backward compatibility!'16:03
dolphmBACKWARD COMPATIBILITY!16:04
gordcsee! it haunts me.16:04
*** guest34578 has joined #openstack-keystone16:05
*** krykowski has quit IRC16:05
guest34578BACKWARD COMPATIBILITY!16:05
*** guest34578 has quit IRC16:06
stevemarBACKWARD COMPATIBILITY!16:06
*** chlong has joined #openstack-keystone16:07
morganfainbergI... Think stevemar and dolphm covered it.16:08
dims_morganfainberg: others: is there a schedule for removing eventlet support in keystone?16:09
*** fhubik_afk is now known as fhubik16:09
morganfainbergdims_: yes. The m-release.16:09
dims_thanks16:09
dolphmLiberty will be the last with eventlet16:09
morganfainbergYes!!16:11
morganfainberg:)16:11
bknudsondolphm: what about BACKWARD COMPATIBILITY!16:11
* morganfainberg does a dance on the eventlet code from keystone's grave.16:11
nkinderwho is going to write the eulogy?16:11
*** lhcheng_afk has joined #openstack-keystone16:11
morganfainbergnkinder: you just got voluntossed into it! Congrats! ;)16:11
dolphmwe should require eulogy's in commit messages for massive deletes16:12
dolphmeulogies?16:12
dstaneknkinder: it's done. "It took too long to get rid of you. You won't be missed."16:12
morganfainbergI'd ask termie to... But ... We all know how that'd work.16:12
dolphm$ git rm -r * && git commit --author="termie"16:13
*** _cjones_ has joined #openstack-keystone16:13
*** lhcheng__ has joined #openstack-keystone16:13
morganfainbergdolphm: ahaha16:14
morganfainbergdstanek: so the x1carbon is working pretty damn well.16:15
dstanekmorganfainberg: what are you running on it?16:15
morganfainbergUbuntu 15.0416:15
morganfainbergIt just... Works.16:15
morganfainbergHaven't tried suspend yet.16:16
morganfainbergThat was one of the questions.16:16
*** rwsu has joined #openstack-keystone16:16
morganfainbergAnd fingerprint reader I just don't care about.16:16
* sigmavirus24 knows someone else really enjoying their x1 carbon with *nix on it16:16
*** lhcheng_afk has quit IRC16:16
dolphmhow much memory does yours have?16:16
*** david-lyle_ has quit IRC16:16
morganfainbergdolphm: sadly it caps at 8gb16:16
gordcmorganfainberg: 2015 x1carbon or 2014?16:16
dolphmand which display?16:16
morganfainberggordc: 3rd gen16:17
dstanekmorganfainberg: do you run any VMs on it or do you just use the cloud for all that jazz?16:17
morganfainbergdolphm: high-rez touch (but only cause high Rez with touch was the option for high Rez)16:17
morganfainbergdstanek: that's the plan. I can run a vm16:17
gordcmorganfainberg: does it have the single trackpad or separate buttons for the trackpoint? i hate my x1 because of the damn trackpad.16:18
morganfainbergdstanek: if needed. I also plan on using docker docker docker docker docker docker for isolation in testing.16:18
bknudsonmorganfainberg: install openstack on it16:18
morganfainberggordc: yes it has hardware buttons again and non-stupid function keys.16:18
bknudsonI hear it can be used for vms and docker16:19
lbragstadba-dum-psh16:19
morganfainbergdolphm: I really wanted the MacBook 12" to be good. Keyboard was a win, track pad was a win.  Core M processor was a deal breaker.16:19
morganfainbergYosemite kindof sucks majorly as a developer OS unless you're developing apple things.16:20
dolphmwell there's cloud16:20
morganfainbergAlso battery on the MacBook was suspect.16:20
gordcmorganfainberg: yeah, i want that. i can't stand the touch buttons.16:21
morganfainbergx1c will charge (I think) to 85% in 35 min16:21
dstanekOSX is malware16:21
lbragstaddev tools for mac == ssh16:21
morganfainbergdstanek: pretty much. Yosemite turned it into a virus. ;(16:21
morganfainbergI also figure if I don't like the x1c I know lots of people who will take it off my hands.16:22
* morganfainberg also sees why desktop developers like systemd now. And I hate it even more than before.16:22
*** spandhe has quit IRC16:23
sigmavirus24== lbragstad16:25
*** kiran-r has joined #openstack-keystone16:29
*** kiranr has joined #openstack-keystone16:30
*** lufix has joined #openstack-keystone16:31
*** kiran-r has quit IRC16:33
*** kiranr is now known as kiran-r16:34
openstackgerritLance Bragstad proposed openstack/keystone: Log warning for long Fernet tokens  https://review.openstack.org/18639616:37
david8huayoung, where is my invite to join to dynamic policy work group? :)16:37
*** henrynash has joined #openstack-keystone16:41
*** ChanServ sets mode: +v henrynash16:41
henrynashcan anyone point me to the liberty design summit etherpads for Keystone?  They don't seem to be listed here: https://wiki.openstack.org/wiki/Design_Summit/Liberty/Etherpads#Keystone16:44
morganhenrynash: blame me16:44
henrynashmorgan: far be it from me….16:45
morganhenrynash: i sucked at filling out those wiki things.. this time16:45
morganthey are all linked from the sched.org sessions16:45
morgani'll fill it out today16:45
henrynashok16:45
henrynashthx16:45
morganbut not sure when16:45
morgani'm still chasing down how i lost a release in keystoneclient so i can get 1.4 or 1.5 or whatever cut16:46
henrynashnp!16:46
henrynashthat sounds kind of more important16:46
*** morgan is now known as mdrnstm16:46
dolphmhenrynash: are you looking for a particular etherpad?16:47
henrynashdolphm: just wanted to make sure I was up to speed with the stuff we decided….dynamic policy for one16:47
dolphmhenrynash: dynamic policy wasn't a design session, it was just ayoung16:48
dolphmhenrynash: so, no etherpad that i'm aware of16:49
henrynashdolphm: ahh16:49
*** kiran-r has quit IRC16:53
gyeehenrynash, need your opinion on role assignment listing16:54
gyeehttps://bugs.launchpad.net/keystone/+bug/143740716:54
openstackLaunchpad bug 1437407 in Keystone "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,In progress] - Assigned to Priti Desai (priti-desai)16:54
henrynashgyee: sure16:54
gyeehenrynash, so we have some tough choices16:54
gyeeI can do 'GET /v3/role_assignments?scope.domain.id=<id>&all' to get all the assignments for resources within that domain16:55
*** kiran-r has joined #openstack-keystone16:55
gyeebecause right now, '?scope.domain.id' only get you the assignments on the domain16:55
*** lhcheng__ is now known as lhcheng16:56
*** ChanServ sets mode: +v lhcheng16:56
*** gsilvis has quit IRC16:56
gyeeeither way we need custom callback to handle authorization on that one, just like the role grants APIs16:56
*** ayoung has joined #openstack-keystone16:56
*** ChanServ sets mode: +v ayoung16:56
gyeeayoung!16:57
ayounggyee!16:57
raildogyee ayoung!16:57
gyeeayoung, policy stuff, so {'endpoint_constraint': 'token.catalog.endpoints.id:1234'} works for a v3 token16:57
gyeebut won't work for a v2 token16:57
ayoungright16:57
*** gsilvis has joined #openstack-keystone16:58
gyeeayoung, is there a generic one I can use?16:58
ayounggyee, we need to convert v2 tokens to v316:58
gyeethat works for both?16:58
henrynashgyee: I’ll take a look a bit later if that’s Ok…16:58
ayoungand to do that we need to be able to read default domain id out of the config from Keystone16:58
gyeehenrynash, that's fine, thanks!16:58
gyeeraildo!16:58
openstackgerritMerged openstack/keystone-specs: Do not add new 'db' command and subcommands for it  https://review.openstack.org/17721916:58
openstackgerritMerged openstack/keystone-specs: Target Alembic for Liberty  https://review.openstack.org/17722016:59
raildogyee, we need to continue our discussion later about project scoped token :P16:59
gyeeayoung, I'll see what I can do, but I was trying to avoid the conversion16:59
*** alanf-mc has joined #openstack-keystone16:59
ayounggyee, nah, we need to convert16:59
ayounggyee, otherwise, things are going to expect V2.0 format for evar!17:00
gyeeayoung, k17:00
*** gokrokve has quit IRC17:00
gyeeayoung, how about "if you want endpoint constraint, use V3!" :)17:00
ayoungnope17:00
*** gokrokve has joined #openstack-keystone17:01
ayoungpolicy is enforced on V3 token format17:01
ayoungit allows us to enforce on any portion of the token.  It gives us admin domain for admin tasks, too17:01
gyeeayoung, what about accessinfo?17:01
ayounggyee, jamielennox|away killed it17:01
gyeethat's a dict too right?17:01
ayoungyep17:02
gyeeso we can just flatten it and do the enforcement17:02
ayoungand it has to live in there17:02
ayoungsure17:02
ayoungso long as both parts make it look the same17:02
*** browne has quit IRC17:02
gyeeright, at least a consistent representation of a token17:02
*** rushiagr_away is now known as rushiagr17:03
*** pnavarro has joined #openstack-keystone17:03
*** lufix has quit IRC17:04
*** aix has quit IRC17:04
gyeeraildo, sorry, I have to run, be back in an hour17:04
*** gyee has quit IRC17:04
*** harlowja has joined #openstack-keystone17:05
*** gokrokve has quit IRC17:05
*** dguerri is now known as dguerri`away17:06
*** krykowski_ has quit IRC17:08
*** krykowski has joined #openstack-keystone17:08
*** e0ne has quit IRC17:08
*** david-lyle_ has joined #openstack-keystone17:09
*** iamjarvo has quit IRC17:10
*** pnavarro has quit IRC17:11
david8huayoung, ping17:12
david8huayoung, did you forget about me17:12
ayoungdavid8hu, who are you again?17:13
david8hudavid hu.  lol17:13
david8huayoung, how do I joing the dynamic policy work group and sign up for stuff17:13
ayoungdavid8hu, so, you might have sent something while my machine was bouncing up and down network wise17:13
ayoungdavid8hu, thought I added you, but it was a mad crush at the time...let me see17:14
*** kiran-r has quit IRC17:14
samueldmqayoung, hi! need talk to you17:14
ayoungdavid8hu, what email address?17:14
samueldmqayoung, fetch policy using ksmiddleware17:14
david8huayoung, ok17:14
ayoungdavid8hu, what email address?17:14
ayoungshould I uise for trello?17:15
david8huayoung, david.hu@hp.com17:15
*** krykowski has quit IRC17:15
ayoungdavid8hu, sign in to trello using that email address and you should have access17:15
ayoungsamueldmq, WHAT ABOUT IT?17:15
ayounggah CAPS LOCK!17:15
david8huayoung, thx17:16
samueldmqayoung, sorry, nothing :(17:16
samueldmqayoung, hehe I thought you were screaming " WHAT ABOUT IT?"17:16
samueldmqayoung, so ... first, how does the ksmiddleware know the service/endpoint it is serving, to then be able to fetch the right policy ?17:17
ayoungsamueldmq, I think it needs to be a config option17:17
ayoungI can't see any way around that17:17
mdrnstmayoung: capslock is cruisecontrol for awesome *duck*17:18
ayoungmdrnstm, is it Casual Nick Thursday?17:18
mdrnstmayoung: new laptop17:18
*** david-lyle_ has quit IRC17:18
mdrnstmnot connected via znc atm17:18
ayoungah17:18
* mdrnstm points at morganfainberg 17:18
ayoungsoftling17:19
ayoungmdrnstm, did you see samueldmq 's question?  Am I right, it needs to be a config file option?17:19
mdrnstmthe Lenovo screen is so much easier to read than the glossy-apple screen17:19
* mdrnstm reads scrollback17:19
ayoungit makes it a pain, as it means you need to create the endpoint prior to kicking off the service, or you need to reboot the service17:20
ayoungbut the endpoint has no way of going "what is my own ID"17:20
mdrnstmayoung: it probably should be URL based for fetching17:20
mdrnstmthat way you don't get into things that make heat and everyone cry17:21
mdrnstmwhere you need to pre-create the endpoint17:21
mdrnstmyou already know what the url will be17:21
*** woodster_ has joined #openstack-keystone17:21
ayoungmdrnstm, actually, I agree, but there are three problems with that17:21
mdrnstmbut yes, it has to be config based.17:21
samueldmqbut in any way the middleware has no idea who it is serving17:21
ayoung1.  Webservers don't know their own hostnames either17:21
ayoung2.  We do IDs by UUID for fetch policy by UUID, so we need to build that17:22
mdrnstmeasier to know what the hostname/url will be for a given endpoint, but yes.17:22
mdrnstm2: that is one of the reasons our policy api has been fairly useless for distributing the policy files17:22
ayoung3. Most things provision by IP address, and stack multiple services on the same thing, so the URL is not guaranteed to be unique17:22
*** dguerri`away is now known as dguerri17:22
mdrnstmno "friendly" way to know wtf the uuid means17:22
ayoungUUIDs suck, I agree17:23
mdrnstmeven programmatically... it is unfriendly17:23
mdrnstmso we should fix it.17:23
ayoungOK.17:23
* mdrnstm is good with deprecating "policy" api as is17:23
mdrnstmand making it a new thing "policy-distribution"17:23
mdrnstmor something17:23
mdrnstmthe policy api is... mostly useless atm and internally we namespace collide with our own policy enforcement code17:24
samueldmqmdrnstm, in a new service ?17:24
mdrnstmsamueldmq: no just new subsystem/module in keystone, like "identity" is not the same as "resource"17:24
samueldmqmdrnstm, yeah, that should be good17:24
*** dan has joined #openstack-keystone17:24
samueldmqmdrnstm, though I think it already is https://github.com/openstack/keystone/tree/master/keystone/policy17:25
*** pnavarro has joined #openstack-keystone17:25
mdrnstmsamueldmq: that is the point, that is useless.17:25
ayoungmdrnstm, we have "fetch policy for endpoint" which is what I planned on using17:25
*** vilobhmm has joined #openstack-keystone17:26
mdrnstmayoung: sure. my only point is that whole rest api as it sits is very unfriendly. we can improve it significantly17:26
mdrnstmand dodge the uuid ick17:26
ayoungmdrnstm, from endpoint we know service.  And it was dolphm 's suggestion we unify all into a single large policy file.  But that might bite us on defaults...still, we could expand out the defaults on a per service basis17:26
mdrnstmor make it silently go into the night.17:26
mdrnstmright17:27
ayoungmdrnstm, I'd call it an API, not sure if it is REST17:27
ayoungits just kind of webby17:27
mdrnstmayoung: sure. and i'd call it only sort of an API :P17:27
mdrnstmcurrently17:27
ayoungmdrnstm, however, lets assume that each web server allowed the endpoint to have it's own URL17:28
mdrnstmsure17:28
ayounghow, then, would we fetch policy?  Or would we follow termie's suggestion and do all the enforcement in Keystone for each call?17:28
mdrnstmayoung: ok so here is where i'd start17:30
mdrnstman endpoint (or HA grouping of endpoints) has a known URL17:30
mdrnstmand you have to know this.17:31
mdrnstmthere are many reasons [inc. SSL] that this is in the realm of CMS17:31
mdrnstmuse that as the means to fetch the policy, just dodge the uuid/unique id issue17:31
*** iamjarvo has joined #openstack-keystone17:31
mdrnstmthe URL *is* the endpoint17:31
mdrnstmi don't want 1 of say 3 HA'd novas getting a different policy behind the same endpoint URL17:32
mdrnstmyou can do things in keystone to cascade defaults for all novas because you know endpoint url X is a nova, so it gets "nova" policy, then it's specific policy17:32
ayoungWe can't put a URL in a URL, so would it be:17:33
mdrnstmso, b64 it.17:33
mdrnstmor something we can say "this is how you get the id" and it's programmatic in a way CMS doesn't need to work too hard at it17:34
ayoungGET https://keystone.hostname/v3/policy?endpoint=https://one.nova.hostname/v2.817:34
mdrnstmthat works too17:34
ayoungwe can make the endpoint URL a parameter, that works fine17:34
mdrnstmit'd be urlencoded but thats perfectly fine17:34
ayoungmdrnstm, we just have it by endpoint ID right now.17:34
*** rlt_ has quit IRC17:34
ayoungand the endpoint itself knows neither17:35
mdrnstmyeah, the id is going to be a high barrier to entry17:35
ayoungso...it would have been better if you had mentioned this back when I suggested "fetch policy by endpoint"17:35
mdrnstmsorry :(17:35
mdrnstmi've been saying this on and off for a while17:35
ayoungjust adds another delay to getting to dynamic policy.  How strong do you feel about this?17:35
*** gsilvis has quit IRC17:36
ayoungDo we fetch by ID for nw, and change to URL?17:36
mdrnstmi honestly think we will get exactly zero adoption using uuids17:36
*** iamjarvo_ has joined #openstack-keystone17:36
ayoungmdrnstm, we'll get the same either way17:36
*** iamjarvo_ has quit IRC17:36
ayoungit is not the form of the identifier that is the problem17:36
mdrnstmno, the ID since it has to be pre-generated by pushing things into keystone is the issue17:36
ayoungsolution!17:37
*** iamjarvo_ has joined #openstack-keystone17:37
ayoungwe put a "fetch policy URL" into the config file17:37
ayoungit can be by ID, or by endpoint, or whatever we want in the future17:37
mdrnstmif we can re-use data that the cms is already aware of (in many cases the URL is) that can go in the config. then it's really easy to after the fact create the endpoint policy in keystone17:38
mdrnstmit's a known value17:38
ayoungcms?17:38
*** iamjarvo has quit IRC17:38
ayoungContent management system?17:38
mdrnstmconfig management17:38
mdrnstmyeah17:38
ayoungPuppet?17:38
*** browne has joined #openstack-keystone17:38
mdrnstmpuppet, chef, etc17:38
mdrnstmthis allows you to *avoid* needing to push things into keystone to get the id, then reconfigure the endpoint and restart17:38
mdrnstmthat is my concern17:38
ayoungOK, so what we should have done is made the URL of the endpoint the ID in the first place17:39
*** kbringard has joined #openstack-keystone17:39
ayoungUUIDs are not a great approach for host naming17:39
mdrnstmespecially if you are layering policy like you're talking about: all nova's get policy X, then i want to add policy y, i need to create a sane id etc then reconfigure/restart17:39
ayoungBut we can't create the ID for the endpoint17:39
mdrnstmayoung: how far down the uuid path are we at this point17:40
ayoungmdrnstm, ok, what, ideally, should tell a service endpoint its name?17:40
mdrnstmand how painful is it to move to url?17:40
mdrnstmi think an endpoint is canonically defined by its url17:41
mdrnstmat least that is how i see it17:41
ayoungmdrnstm, but the endpoint itself can't even tell you that17:41
mdrnstmif you say my url is http://x.y.z/nova that is the endpoint17:41
ayounglook at the hoops we go through in keystone in versions.py17:41
ayoungwe have to set it in the keystone.conf17:41
mdrnstmmost deployers have that info because they are SSLing/HAproxying in front of a series of endpoints17:41
mdrnstmthis is something you can know a priori17:42
mdrnstmvs. needing to use something generated by keystone17:42
ayoungLet's say we do "fetch policy for URL"17:42
ayoungthen we look up the URLs in the endpoint table, etc17:43
mdrnstmyes.17:43
ayoungwe need to make sure that the endpoint can send us that data17:43
ayoungit can't right now17:43
*** gsilvis has joined #openstack-keystone17:43
mdrnstmright, but we need to solve sending that data even if it was a uuid17:43
ayoungbut, we can add the endpoint_url to the auth_token section and use that value17:43
ayoungand the CMS will know that value a priori17:44
ayoungWhy is it we only start doing things properly when I have a deadline?17:44
mdrnstmayoung: because we're still digging out tech debt from many cycles ago17:45
ayoungmdrnstm, we are still digging out technical debt from before Keystone was incubated17:45
mdrnstmand trying to change course/realizing where we have issues is a slow process17:45
mdrnstmbut we *are* getting better at it17:45
mdrnstmat least we have a deadline and some direction, not fully implemented "well crap now what" issues17:46
ayoungOK...so  fetch policy by endpoint was a wasted effort.17:46
ayoungAnd the way that this delays things, we now need a spec and an implementation of fetch policy by url17:46
mdrnstmayoung: sorry =/ i mean we can make it work17:46
ayoungso this will effectively derail dynamic policy unless we fasttrack it17:47
mdrnstmi just think we're going to see almost no adoption by uuid.17:47
mdrnstmso lets fasttrack it.17:47
mdrnstmthis should not be hyper controversial17:47
ayoung I wish we could somehow phase this17:48
ayounglike...make use of the UUID today, buyt use the URL if we get it in by the ned opf the cycle17:48
ayoungend17:48
*** vilobhmm has left #openstack-keystone17:49
ayoungmdrnstm, how about this17:49
mdrnstmi expect no one will want to use dynamic policy (even as nice as it is) with something keystone generates17:49
ayoungin ATM we allow a policy URL17:49
mdrnstmjust looking at past experience - it will be a massive uphill battle17:49
ayoungwe can set that to use one of the existing mechanisms17:49
ayoungif it does not exist, we write one that falls back to fetch_policy_by_endpoint_url17:50
ayoungthat way, we have a working mechanism with its own value by the end of the cycle, but a plan that will work better with the CMS, too17:50
*** gsilvis has quit IRC17:51
ayoungyeah, I hear you, and as I said, I kindof have felt this way for a while, too17:51
ayoungjust trying not to boil more than one ocean at a time17:51
mdrnstmok i need to hop on a call17:51
mdrnstmand get food.17:51
ayoungand I need to run an errand17:51
mdrnstmugh is it really almost 1117:51
mdrnstm:(17:51
* mdrnstm sighs17:51
ayoungsamueldmq, read up.  we can discuss later or tonight17:51
mdrnstmgetting into bad habits again17:51
samueldmqayoung, yes .. trying to follow your quick fingers ...17:52
ayoungsamueldmq, I added a card to trello17:52
samueldmqmdrnstm, I kind of agree with your url definition for endpoint17:52
ayoungfETCH opOLICY BY url17:52
ayoungdamn cpas lock17:52
samueldmqmdrnstm, if I have multiple keystones (without HAproxy in front of them), I can use different policies17:52
ayoungsamueldmq, but I have to go pick up my son and take him to an appt, so I can't stick around right now17:53
ayoungI'll be back online shortly17:53
samueldmqmdrnstm, since urls would be different (keystone1.com, keyston2...)17:53
*** gsilvis has joined #openstack-keystone17:53
ayoungsamueldmq, can you work up a spec for the server side fgetch?  real minimal17:53
samueldmqayoung, great, I will re-read carefully17:53
ayoungfetch policy by URL,  uses the url to look up the endpoint, uses the fetch policy buy endpoint internals after that17:53
samueldmqayoung, yes, I will re-read and we discuss more when you're back17:53
ayoungdeal.  thanks a bunch17:53
samueldmqnp17:53
*** ayoung has quit IRC17:54
*** mattfarina has joined #openstack-keystone17:57
*** fhubik is now known as fhubik_afk18:00
*** nkinder has quit IRC18:03
*** e0ne has joined #openstack-keystone18:06
*** mattfarina has quit IRC18:09
*** bknudson has quit IRC18:13
*** gyee has joined #openstack-keystone18:17
*** ChanServ sets mode: +v gyee18:17
*** bknudson has joined #openstack-keystone18:18
*** ChanServ sets mode: +v bknudson18:18
samueldmqmdrnstm, dolphm, jamielennox|away identity v3 only jobs are now merged! o/18:18
lhchengsamueldmq: nice! \o/18:19
samueldmqlhcheng, yeah, I am happy, need another mug of coffee o/18:20
*** e0ne has quit IRC18:21
lhchengsamueldmq: can you send me the link the patch that got merged, curious to see the change needed18:24
*** nkinder has joined #openstack-keystone18:24
lhchengsamueldmq: heh one step closer to moving to v3 default, thanks for the good work!18:25
*** Swanson has joined #openstack-keystone18:26
*** fhubik_afk is now known as fhubik18:26
*** fhubik has quit IRC18:27
samueldmqlhcheng, thanks .. however jamielennox|away is the one who is responsible for getting sessions in the other clients, in order to enable v3 easily :)18:27
samueldmqlhcheng, he has been doing most of the work, I've only worked in this job so far .. :)18:27
samueldmqlhcheng, and here is the link https://review.openstack.org/#/q/status:merged+branch:master+topic:identity-v3-only-jobs,n,z18:28
*** jimbaker has quit IRC18:30
samueldmqlhcheng, btw, I have a devstack change and I am waiting that job to be ran agaisnt it18:35
samueldmqlhcheng, see https://review.openstack.org/#/c/186523/ (I left a 'check experimental' comment in there)18:35
lhchengsamueldmq: to be able to display the "domain" field in the horizon login page, this flags need to be set to: https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L5818:39
lhchengsamueldmq: something we can add later. Without that flag, horizon won't expose panel for creating additional domains.18:42
lhchengsamueldmq: cool, hopeful that job will just pass :)18:42
*** jimbaker has joined #openstack-keystone18:43
*** edmondsw has quit IRC18:43
*** browne has quit IRC18:45
mdrnstmsamueldmq: nice!!18:47
*** nkinder has quit IRC18:49
*** jimbaker has quit IRC18:53
*** ayoung has joined #openstack-keystone18:54
*** ChanServ sets mode: +v ayoung18:54
samueldmqmdrnstm, lhcheng and the first 'check experimental' has successfully failed :D18:56
samueldmqhttps://jenkins02.openstack.org/job/check-tempest-dsvm-neutron-identity-v3-only-full/1/18:56
*** csoukup has quit IRC18:58
mdrnstmsamueldmq: w00t, good news. we have a way to identify where things are broken19:01
*** elmiko has joined #openstack-keystone19:01
*** nkinder has joined #openstack-keystone19:01
19:01 <elmiko> ayoung: hey, i'm looking at the sahara policy file and i want to clean up the namespaces. is there any further docs/guidance than your talk from summit?
19:02 <ayoung> elmiko, for the namespaces?  Link?
19:02 <elmiko> https://github.com/openstack/sahara/blob/master/etc/sahara/policy.json
19:02 <ayoung> elmiko, in general, I would recommend treating the rules as two pars:
19:02 <ayoung> parts
19:02 <samueldmq> mdrnstm, ++ I will dig a bit more on that tonight, jamielennox also told me he has a bunch of things to test :)
19:02 <ayoung> 1.  how to match the scope.  2.  What role to assign
19:02 <ayoung> looking
19:02 <elmiko> thanks
19:03 <ayoung> elmiko, so default is ""
19:03 * elmiko nods
19:03 <ayoung> I would get a common namespace in front of all of them
19:03 <elmiko> ok, so like "sahara-*"?
19:03 <ayoung> elmiko, otherwise, things like image is going to conflict with glance and so on
19:04 <elmiko> ayoung: yea, that's what i thought. most of ours are pretty specific except that one
19:04 <ayoung> elmiko, yea, although we can still treat it like a path
19:04 <ayoung> and use the good name, not the project code name
19:04 <ayoung> like, we use identity, not keystone
19:04 <elmiko> ahh, ok
19:04 <elmiko> is it better to go with "data-processing:*" or "data-processing-*" ?
19:04 <ayoung> what is the service type for sahara?
19:04 <elmiko> data processing
19:05 *** jimbaker has joined #openstack-keystone
19:05 <ayoung> I'd go with the colon form
19:05 <ayoung> treat it like just another namespace, and not flat
19:05 <elmiko> cool, thanks. i need to write up a quick bug and then i'll patch them up
19:05 <ayoung> you have a bunch already, so you can leave them as is, just one level under
19:05 <elmiko> and the main concern here is that our namespaces could collide with other projects?
19:05 <ayoung> elmiko, so,  why are the rules all empty?
19:06 <ayoung> yes, avoid collisions,  so if we have a unified  policy file you can participate
19:06 <elmiko> good question, i'm guessing that we use default for everything. but i am just starting to investigate this.
19:07 <ayoung> elmiko, what would you want it to look like?
19:07 <ayoung> in general it should be a projectid match and a role
19:07 <elmiko> ayoung: well, for starters i want to implement better scoping. i'm not sure where to go with our roles though
19:08 <elmiko> is "role:member" a valid permission for a given project?
19:08 <ayoung> you can start with member, or you can define a new one. It is this problem that  the hierarchical roles spec is supposed to address
19:08 <ayoung> yep
19:08 <ayoung> but we also need to know where to match the project id
19:09 <elmiko> is there an example of how to use the project id?
19:09 <ayoung> and that, unfortunately, is resource specific
19:09 <ayoung> elmiko, it depends on the call.  If you are creating a resource, you tend to know the project ID from the URL
19:09 <elmiko> maybe i'll just start with the namespace scoping and then do more research on the role stuff
19:10 *** alanf-mc has quit IRC
19:10 <ayoung> whereas, if you are calling on some resource, you tend to have to fetch the resource first in order to know the project
19:10 <ayoung> which is suboptimal
19:10 <ayoung> I'd rather we had the project in the URL everywhere, kind of like how you access a file by its path, not by its inode
19:11 <elmiko> ok, currently that works for us as we have the project id in the url
19:11 <ayoung> excellent
19:11 <ayoung> let me see if I can find you an example
19:11 <elmiko> awesome, thanks!
19:15 <ayoung> elmiko, so we have rules like http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json that are kind of...all over the place
19:15 <elmiko> ayoung: interesting...
19:15 <ayoung> the role comes out of the token, but the project_id is typically converted into a parameter in the call
19:16 <ayoung> for example, list credentials
19:16 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n68
19:16 <ayoung> that gets called from....
19:16 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/credential/controllers.py#n84
19:16 <ayoung> and we have some decorator majik we invoke
19:17 <elmiko> ok, i think the roles are going to require more research on my part before we start implementing
19:17 <elmiko> i can, at least, start making headway though
19:19 <ayoung> elmiko, sounds good
19:19 <elmiko> ayoung: thanks again for the help =)
19:19 <ayoung> elmiko, what you have currently is basically "valid token"
19:19 <ayoung> there is nothing matching the token to the resource at either the project or role level
19:20 <ayoung> I'd probably recommend you design a series of specialized roles
19:20 <elmiko> i think it would be cool to implement a more fine-grained approach, i just need to figure out *what* we want to do
19:20 <elmiko> yea
19:20 <ayoung> reader and writer per resource type
19:20 <ayoung> what are your resources... looking
19:20 <ayoung> cluster, cluster-templates,
19:21 <ayoung> maybe templates in general?
19:21 <elmiko> mainly, images, clusters, cluster templates, node group templates, jobs, and data sources/job binaries
19:22 <ayoung> ok. so would you expect one person to be modifying all these resources, or do people fall into distinct roles for operations?
19:22 *** gordc has quit IRC
19:22 <elmiko> and by default we give carte blanche access to a user in their project
19:22 <ayoung> I would recommend separating write access from read access
19:22 <elmiko> we are just starting to get into the type of scenarios that might require more roles
19:22 <ayoung> then at least you can have an audit process that does not change state
19:22 <elmiko> yea, that makes a great deal of sense
19:22 <ayoung> if you start with a data-processing role, you can compose it out of smaller roles like this
19:23 <elmiko> we are also just starting to explore the topic of how we advise users to segregate their project and what not, so this will dovetail nicely
19:23 <elmiko> excellent, i like the sound of that
19:23 <ayoung> rule:role_data_processor:  role:data_reader or role:data_writer
19:23 <elmiko> exactly
19:23 <ayoung> and then on the individual rule, match using the rule_ form
19:24 <ayoung> so you can specify at the lowest level, but then infer that big roles inherit the privs of smaller roles
19:24 <ayoung> and _member_ can inherit them all
19:24 <ayoung> as can admin
19:24 <elmiko> yea, definitely makes sense
19:24 <ayoung> cool
19:25 <ayoung> then, if *You* set up a cluster for *her*  you can delegate only those roles that *she* should have
19:26 <elmiko> that would be kick ass
19:31 <ayoung> rodrigods, can you and samueldmq sort out who is working on the "fetch policy from middleware"
19:31 <elmiko> ayoung: i'll probably add you to the CRs i create just for sanity, fair warning
19:32 <ayoung> elmiko, thanks
19:32 <ayoung> I'll try to keep up, but feel free to ask me directly, too, if they are malingering
19:34 <samueldmq> ayoung, hi
19:34 <samueldmq> ayoung, I read and understood the conversation you had with morgan
19:34 <ayoung> samueldmq, I just saw that rodrigods was asking questions on the trello card about "fetch" and want to make sure you guys agree who is working on it
19:34 <ayoung> samueldmq, ah
19:34 *** csoukup has joined #openstack-keystone
19:34 <rodrigods> ayoung, it is samueldmq, was just asking questions anyway
19:35 <samueldmq> yep :)
19:35 <ayoung> rodrigods, cool.  Are you taking any piece of dynamic policy?
19:35 <rodrigods> ayoung, nope
19:37 <samueldmq> ayoung, so the policy by url is in the highest priority now right ?
19:38 <samueldmq> ayoung, is there anything else to be decided or can I start the spec ?
19:38 <ayoung> samueldmq, I think we can say it is top priority
19:38 <samueldmq> ayoung, sure
19:38 <ayoung> it's an API change, and those need to be in early
19:38 <ayoung> and the other things can't go forward until that one is in
19:38 <samueldmq> ayoung, and you need me to start that, right ?
19:39 <samueldmq> ayoung, great, I will start the spec/api spec
19:39 <ayoung> samueldmq, yes, please
19:39 <ayoung> samueldmq, it should be a modification of the endpoint_policy spec
19:39 <ayoung> which was a separate extension, and is now moving into core
19:39 <ayoung> but  let's do it in the existing spec
19:40 <ayoung> er...existing API
19:40 <ayoung> http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst
19:44 <ayoung> samueldmq, OK,  the API is here http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst#n220
19:44 <ayoung> I think it needs to be
19:45 *** spandhe has joined #openstack-keystone
19:46 <ayoung> GET /OS-ENDPOINT-POLICY/policy?url=<endpointurl>
19:48 <ayoung> dolphm, you wrote the endpoint-policy spec (at least git claims you did)  do you agree with the "fetch policy by URL" approach where the url is then matched with the endpoint?
19:49 <ayoung> and, if so, is GET /OS-ENDPOINT-POLICY/policy?url=<endpointurl>  the right form of the fetch url for it?
19:55 *** mdrnstm has quit IRC
19:57 *** iamjarvo_ has quit IRC
19:59 *** gokrokve has joined #openstack-keystone
19:59 *** nkinder has quit IRC
20:01 *** ayoung has quit IRC
20:09 *** HT_sergio has quit IRC
20:10 *** rushiagr is now known as rushiagr_away
20:13 *** alanf-mc has joined #openstack-keystone
20:16 *** mattfarina has joined #openstack-keystone
20:20 *** browne has joined #openstack-keystone
20:23 *** timcline has quit IRC
20:24 <morganfainberg> Is it really only like 1330 west coast time? It feels like it should be 5pm
20:25 *** timcline has joined #openstack-keystone
20:27 <evrardjp> think about the time it is in Europe :p
20:27 *** mattfarina has quit IRC
20:29 <raildo> morganfainberg, here it's 5pm \o/
20:31 *** mattfarina has joined #openstack-keystone
20:37 <openstackgerrit> Phil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands  https://review.openstack.org/186560
20:39 *** HT_sergio has joined #openstack-keystone
20:40 <openstackgerrit> Phil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands  https://review.openstack.org/186560
20:43 *** mattfarina has quit IRC
20:50 <dstanek> bknudson: how about "Templated backend doesn't correctly implement write operations"?
20:51 <bknudson> dstanek: works for me.
20:54 <dstanek> bknudson: it actually doesn't work for anyone. that's the problem :-)
20:58 *** samueldmq has quit IRC
21:00 <morganfainberg> Templated backend bothers me a lot :(
21:00 <morganfainberg> In its current form.
21:00 *** someara2 has joined #openstack-keystone
21:02 *** radez is now known as radez_g0n3
21:03 *** blewis has joined #openstack-keystone
21:04 <morganfainberg> It seems to
21:04 <bknudson> it's unmaintained
21:04 <bknudson> which usually means it's a candidate for deprecation
21:04 <bknudson> unless someone wants to step up to maintain it
21:04 <morganfainberg> Me that the template should be the same kind of hard-set template we have in sql if we keep it. And let people supply yaml or such as the input
21:04 <morganfainberg> If we keep it that is.
21:05 <morganfainberg> In its current form it is useless.
21:05 <morganfainberg> Or worse: broken
21:06 *** dguerri is now known as dguerri`away
21:08 *** lhcheng has quit IRC
21:08 *** dguerri`away is now known as dguerri
21:09 *** dguerri is now known as dguerri`away
21:11 <morganfainberg> Wonder if we have any real feedback on how much templated is used.
21:12 <morganfainberg> cburgess: you've moved to the sql catalog right?
21:12 *** samueldmq has joined #openstack-keystone
21:13 <morganfainberg> lbragstad: btw - already hearing feedback that is positive about fernet. Just a bit of info telling you it is looking good.
21:14 *** lhcheng has joined #openstack-keystone
21:14 *** ChanServ sets mode: +v lhcheng
21:17 *** dguerri`away is now known as dguerri
21:18 *** dguerri is now known as dguerri`away
21:29 *** ayoung has joined #openstack-keystone
21:29 *** ChanServ sets mode: +v ayoung
21:32 <stevemar> lbragstad, yeah you have a fan in mfisch with fernet tokens
21:32 <dolphm> morganfainberg: i'm enjoying the bug reports :)
21:33 <dolphm> working on my fernet deep dive now... that effort ended prematurely last friday
21:33 <dstanek> morganfainberg: i think mfisch uses it
21:33 <dstanek> morganfainberg: i think all that's left to do is remove write capabilities from it
21:34 *** jamielennox|away is now known as jamielennox
21:36 *** openstackgerrit has quit IRC
21:37 *** openstackgerrit has joined #openstack-keystone
21:40 <ayoung> stevemar, check me on this: we don't have the ability to directly query keystone conf, but we could craft a service catalog URL with a replacement string that could be set with any of the values from the conf file.
21:42 <ayoung> would it make more sense to allow the query of those non-blacklisted values via an API?  That would let us enforce policy on admin domain, and convert a V2 token to a v3 token with default domain set
21:43 *** mdrnstm_ has joined #openstack-keystone
21:43 <stevemar> ayoung, is the point of this to not use keystone.conf?
21:43 <ayoung> stevemar, we don't have it in a remote service
21:44 <dstanek> ayoung: what info from the conf does the remote service need?
21:44 <ayoung> dstanek, so far just those two values: admin domain and default domain
21:44 *** kbringard has quit IRC
21:45 <ayoung> what do we have whitelisted...
21:45 <mdrnstm_> FYI: I am releasing 1.5.0 KeystoneClient in a couple minutes
21:45 *** mdrnstm_ is now known as morgan
21:45 <morgan> Please let me know if i need to wait
21:45 <morgan> this will be tagged from master.
21:46 *** morgan is now known as Guest99687
21:47 <Guest99687> .
21:47 * Guest99687 mutters
21:48 <stevemar> morganfainberg, i think you are suffering from an identity crisis
21:48 *** Guest99687 is now known as mdrnstm
21:48 *** blewis has quit IRC
21:48 <mdrnstm> stevemar: shush
21:48 <mdrnstm> irssi just got confused
21:48 <mdrnstm> connected me 4 times
21:48 *** mdrnstm is now known as Guest96972
21:48 <Guest96972> needed to kill a connection
21:48 <Guest96972> yep
21:48 <Guest96972> there it goes again
21:49 <ayoung> stevemar, actually bknudson removed the feature I was thinking of in commit 93311737973866fc0c459f6aabaec0b55db21b23
21:49 *** Guest96972 has quit IRC
21:49 <ayoung> whitelisted properties were WHITELISTED_PROPERTIES = [
21:49 <ayoung> +        'tenant_id', 'user_id', 'public_bind_host', 'admin_bind_host',
21:49 <ayoung> +        'compute_host', 'compute_port', 'admin_port', 'public_port',
21:49 <ayoung> +        'public_endpoint', 'admin_endpoint', ]
21:49 <openstackgerrit> Kent Wang proposed openstack/keystone: Allows for reset of dependency injections  https://review.openstack.org/186571
21:50 <stevemar> ayoung, luckily reverting stuff is easy in software
21:50 <stevemar> not so much when building a bridge
21:50 <ayoung> we wouldn't need any of those values
21:51 <ayoung> stevemar, a bridge only exists at one place and one point in time.  Software replicates and mutates endlessly
21:51 *** mdrnstm has joined #openstack-keystone
21:51 *** ChanServ sets mode: +v mdrnstm
21:52 <mdrnstm> stevemar: ok back
21:52 <mdrnstm> let's see if irssi is less confused now
21:52 <ayoung> and...back into the car.  this day has been one of constant shuttling...
21:52 *** timcline has quit IRC
21:53 *** someara2_ has joined #openstack-keystone
21:53 *** dguerri`away is now known as dguerri
21:53 <bknudson> there was a security vulnerability where if you set the endpoint to $(admin_token)s you could get the admin token.
21:54 <bknudson> you'd need authority to create whatever endpoints you want so it's only admin by default anyway
21:54 <lbragstad> morganfainberg: stevemar \o/
21:55 *** topol has joined #openstack-keystone
21:55 *** someara2 has quit IRC
21:55 *** ChanServ sets mode: +v topol
21:55 *** someara2 has joined #openstack-keystone
21:56 *** dguerri is now known as dguerri`away
21:56 <openstackgerrit> Fernando Diaz proposed openstack/python-keystoneclient: WIP - Add openid connect client support  https://review.openstack.org/134700
21:56 *** ayoung has quit IRC
21:58 <stevemar> topol is on!
21:59 *** someara2_ has quit IRC
22:00 <topol> stevemar hi!
22:00 <stevemar> topol, nice of you to show up
22:00 *** Ephur has quit IRC
22:01 <topol> stevemar, we didn't all take a mental margarita for a few days to decompress from the summit?
22:01 <stevemar> topol, few days? i need a week
22:01 <topol> stevemar I am now back in the game. What did I miss?
22:02 <dolphm> stevemar: marekd: has anyone tested Fernet in a federated deployment?
22:02 <dolphm> there's a few considerations in Fernet for federation, but i haven't tested it myself
22:02 <topol> besides morganfainberg cleaning house on old abandoned specs?
22:03 <stevemar> dolphm, not myself personally
22:03 <stevemar> i could swing it easily i think
22:04 <lbragstad> I don't think there would be any specific migration steps for a federated deployment versus anything else?
22:06 *** lhcheng has quit IRC
22:06 *** lhcheng has joined #openstack-keystone
22:06 *** ChanServ sets mode: +v lhcheng
22:07 *** ChanServ sets mode: +o mdrnstm
22:07 *** pnavarro has quit IRC
22:08 <mdrnstm> 1.5.0 keystoneclient was just pushed to gerrit
22:10 <jamielennox> mdrnstm: now just have to see what happens to the gate
22:11 <mdrnstm> jamielennox: yep
22:12 <openstackgerrit> Fernando Diaz proposed openstack/python-keystoneclient: WIP - Add openid connect client support  https://review.openstack.org/134700
22:15 *** iamjarvo has joined #openstack-keystone
22:15 *** iamjarvo has quit IRC
22:16 *** ayoung has joined #openstack-keystone
22:16 *** ChanServ sets mode: +v ayoung
22:16 *** iamjarvo has joined #openstack-keystone
22:16 *** iamjarvo has quit IRC
22:16 *** mdrnstm has quit IRC
22:17 *** iamjarvo has joined #openstack-keystone
22:17 <openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support  https://review.openstack.org/134700
22:17 *** nkinder has joined #openstack-keystone
22:18 <morganfainberg> Well crap.
22:18 <stevemar> sigmavirus24, dstanek asking for a review of  ^ https://review.openstack.org/#/c/134700/ (helping out one of our new guys)
22:18 <morganfainberg> My router died.
22:18 <morganfainberg> *sigh*
22:18 <morganfainberg> like. It's not transmitting wifis anymore.
22:18 <ayoung> morganfainberg, I'm using my phone
22:18 <stevemar> morganfainberg, you are always plagued with technology woes
22:19 <morganfainberg> stevemar: I've only had this router for 2yrs.
22:19 <sigmavirus24> stevemar: is this a ploy to make me review more keystone things?
22:19 <morganfainberg> So... Probably about time for it to just die.
22:19 <morganfainberg> sigmavirus24: ploy?! Hah. It's not a ploy. >.>
22:19 <stevemar> sigmavirus24, nah, it involves requests ... so i figured you know a thing or two about it
22:20 <morganfainberg> stevemar: maybe I have an entropic field that just makes things break. :(
22:20 <bknudson> https://review.openstack.org/#/c/134700/7/testo.py
22:20 <stevemar> i am beginning to think so
22:20 <jamielennox> stevemar: that one's a bit odd
22:20 <jamielennox> stevemar: why doesn't it use v3.FederatedBase?
22:20 <stevemar> yeah, that'll be removed
22:20 <stevemar> jamielennox, excellent feedback!
22:21 <jamielennox> odd because it's parsing a form
22:21 <stevemar> it's his first real patch so be brutal
22:21 <stevemar> jamielennox, yeah, i am not crazy about that either
22:22 <bknudson> stevemar is a new guy?
22:22 *** mdrnstm has joined #openstack-keystone
22:22 <jamielennox> :) brutal to the new guy?
22:22 *** mdrnstm has quit IRC
22:22 *** mdrnstm has joined #openstack-keystone
22:22 *** ChanServ sets mode: +v mdrnstm
22:22 <stevemar> bknudson, someone is taking over it, he pushed ps 5 and 6.
22:23 *** csoukup has quit IRC
22:23 <ayoung> rodrigods, on https://review.openstack.org/#/c/184651/   I didn't do Service providers because they were not needed for policy or for tokens.  I agree they should be in there, but that can be a follow on review, no?
22:23 <dstanek> stevemar: sure, i can review that
22:23 <rodrigods> ayoung, as long as we have them, I'm ok with the change
22:24 <rodrigods> ayoung, just created a bug to add service provider support in AccessInfoV3 (keystoneclient)
22:24 <ayoung> rodrigods, yeah, I think it won't be too hard to add them, but would rather not hold up this change.
22:24 <mdrnstm> jamielennox: if you have a couple mins to rubber stamp the ksa changes through
22:24 <mdrnstm> jamielennox: i'd like to get another pre-release out the door that limits the deps before we start too much integration work
22:24 <jamielennox> mdrnstm: will look
22:24 <mdrnstm> jamielennox: really easy changes.
22:25 <jamielennox> mdrnstm: really don't see the point in keeping _() around - but i don't care
22:26 <mdrnstm> jamielennox: easier to make it a no-op and clean up as we go
22:26 <rodrigods> ayoung, removed the -1, didn't +1 because hadn't reviewed the whole change yet
22:26 <mdrnstm> the cleanup can happen even after 1.0 is cut
22:26 <ayoung> rodrigods, Service providers only show up in Federated tokens, right?
22:26 <mdrnstm> i just started hitting rebase ick trying to strip the hints out
22:26 <mdrnstm> so, solution: no-op, and clean up as we can. eventually delete the i18n file once we're done
22:26 <ayoung> do we have a sample Federated token in our fixtures?
22:26 <rodrigods> ayoung, no... every token alongside the service catalog
22:27 <rodrigods> the link I posted in the change shows how they show up in the token
22:27 <ayoung> Ah...then, yeah, we need them in there
22:27 <ayoung> leave the -1
22:27 <rodrigods> you can add in a follow up patch ayoung
22:27 <ayoung> I'll get them in.  Need some updated sample data
22:27 <rodrigods> the change is already big enough :)
22:28 <ayoung> rodrigods, if there are no ServiceProviders, is there still a field for them in the token's service catalog?
22:28 <ayoung> true
22:28 <rodrigods> ayoung, let me check
22:28 *** darrenc is now known as darrenc_afk
22:28 <ayoung> rodrigods, if there is, then the sample code I have is invalid anyway
22:29 <ayoung> the sample tokens are invalid rather
22:29 <rodrigods> ayoung, https://review.openstack.org/#/c/159865/6/keystone/token/providers/common.py they entry is only added if we have a non-empty list
22:30 <rodrigods> the*
22:31 <ayoung> rodrigods, OK...then I think it can be a follow on
22:31 <rodrigods> ayoung, ++
22:32 <rodrigods> it absolutely can
22:32 *** gokrokve has quit IRC
22:32 <jamielennox> samueldmq: so i'm looking at the failure caused by v3 only devstack, are you intending to start fixing those issues? otherwise i'll start looking
22:32 *** iamjarvo has quit IRC
22:34 <jamielennox> samueldmq: i don't mind, i just don't want us to be both working on the same thing
22:34 <mdrnstm> ayoung: the accessinfo spec - is it still a bit dated? or is it accurate now in your opinion?
22:35 <mdrnstm> oh APR 1
22:35 <mdrnstm> nvm
22:36 *** Raildo_ has joined #openstack-keystone
22:36 <rodrigods> mdrnstm, I'll keep pinging you until you take a look at the changes we're willing to back port :)
22:37 *** darrenc_afk is now known as darrenc
22:37 <mdrnstm> rodrigods: i'm going through lots of reviews now
22:37 <mdrnstm> :)
22:37 <mdrnstm> this is the one with the config options right?
22:37 <ayoung> mdrnstm, I've been working on some things for years.  Doesn't mean I've abandoned them, just that our process is so slow
22:38 <rodrigods> mdrnstm, the ones that add new attributes to the SAML assertion generated by keystone, https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/kilo+topic:bug/1442787,n,z
22:38 <jamielennox> bknudson: i fixed up the auth_token cache review, can you have another look when you have time
22:38 <mdrnstm> ayoung: the abandon spree is -2 specs targeted to not backlog
22:38 <mdrnstm> ayoung: and you can always restore things that get abandoned
22:38 <ayoung> let me see if I have any of those, but I think I moved everything to backlog
22:39 <mdrnstm> ayoung: all yours were backlog'd
22:39 *** gokrokve has joined #openstack-keystone
22:40 *** csoukup has joined #openstack-keystone
22:41 <mdrnstm> ayoung: we also *should* reduce the number of open reviews in general - if it isn't being worked on it can be restored. if we let things sit forever it makes onboarding new reviewers harder because they can't identify active reviews or inactive/importance. until juno the system would have auto-abandoned. i'm thinking if it hasn't been active for > 1 cycle it should be shelved for later. but that is a different discussion than the cleanup i'm doing now.
22:41 <mdrnstm> ayoung: and all your specs were backlog'd i did check
22:42 <rodrigods> mdrnstm, btw, started some cleanups in the docs, mostly in federation stuff
22:42 <mdrnstm> rodrigods: nice
22:43 <cburgess> morganfainberg: yes we have
22:43 * stevemar hands rodrigods the crown and scepter of being the official doc guy
22:43 <mdrnstm> cburgess: great.
22:43 <rodrigods> not too fast stevemar
22:43 <rodrigods> haha
22:43 <mdrnstm> cburgess: trying to figure out if we can kill it.
22:43 <rodrigods> not so fast*
22:43 <cburgess> mdrnstm In L?
22:43 <mdrnstm> rodrigods: no give-sie-back-sies.
22:43 <mdrnstm> cburgess: deprecate in L
22:44 <mdrnstm> cburgess: but it's not been well maintained (clearly)
22:44 <cburgess> mdrnstm: Oh yeah no complaints here. Kill it
22:44 <mdrnstm> or find someone to step up and maintain [preferably allow for yaml input vs. a free-form template]
22:44 <mdrnstm> cburgess: you up north today?
22:44 <cburgess> mdrnstm: Last day in LA, then east coast for 10 days.
22:44 <mdrnstm> cburgess: ah. east coast. coffee?
22:44 <mdrnstm> or you chillin at home?
22:45 *** bknudson has quit IRC
22:45 <ayoung> do we have a way to run tox tests short circuit?
22:45 <mdrnstm> ayoung: in what way? as in stop on first failure? --failfast?
22:45 <ayoung> yeah
22:45 <mdrnstm> ayoung: there is an option... i need to look every time for what it is
22:45 <ayoung> mdrnstm, that was not the testr option IIRC
22:45 <cburgess> mdrnstm: In the office, going to replace my cracked phone screen at 4:10 though. How fast can you get here?
22:45 <mdrnstm> ayoung: but i *know* it exists
22:45 <mdrnstm> cburgess: 15 mins?
22:46 <mdrnstm> it's about how long it takes to walk
22:46 <cburgess> mdrnstm: OK.. if you can get here by 4 we can make my 4:10 appointment if you want to hang out with me at the store.
22:46 <mdrnstm> sounds good omw
22:48 <ayoung> morganfainberg, mdrnstm https://wiki.openstack.org/wiki/Testr#How_can_I_exit_a_test_run_after_the_first_failure.3F
22:50 *** mdrnstm has quit IRC
22:51 *** someara2 has quit IRC
22:52 *** chlong has quit IRC
22:53 <stevemar> i think we lost morganfainberg for now
22:53 * morganfainberg is not here.
22:53 <morganfainberg> I swear.
22:58 <samueldmq> jamielennox, sorry I was afk
22:58 <samueldmq> jamielennox, you can start looking at that :)
22:58 <samueldmq> jamielennox, I have a spec/some implementation in the dynamic policy stuff for now
22:59 <samueldmq> jamielennox, but I will watch that to get familiar with how the fixes will look
22:59 <samueldmq> jamielennox, works for you?
22:59 <jamielennox> samueldmq: yep, sounds good
22:59 <jamielennox> samueldmq: i think the first ones will just be converting devstack to use v3 always
22:59 *** topol has quit IRC
22:59 <samueldmq> jamielennox, great
23:00 <samueldmq> jamielennox, yes, I guess so too
23:00 <samueldmq> jamielennox, maybe the first is to set osclient to use v3 (I didn't look deeply)
23:00 <jamielennox> samueldmq: yea, i've had patches for that in the past for testing that i never submitted
23:00 <samueldmq> jamielennox, but yes, devstack uses v3 always, as you just said
23:01 <samueldmq> jamielennox, great, it will help us to move quicker
23:04 *** ayoung has quit IRC
23:17 *** Raildo_ has quit IRC
23:17 <openstackgerrit> Merged openstack/keystoneauth: Remove oslo.i18n dependency  https://review.openstack.org/185799
23:17 *** dims_ has quit IRC
23:18 *** hemna is now known as hemnafk
23:18 *** setmason has quit IRC
23:20 *** dims_ has joined #openstack-keystone
23:20 <openstackgerrit> Merged openstack/keystoneauth: Remove lxml test-requirement  https://review.openstack.org/185790
23:20 <openstackgerrit> Merged openstack/keystoneauth: Replace datetime calculations with utility functions  https://review.openstack.org/186076
23:21 *** csoukup has quit IRC
23:24 <openstackgerrit> Merged openstack/keystonemiddleware: Create new user plugin tests  https://review.openstack.org/167180
23:34 *** gokrokve has quit IRC
23:35 *** gokrokve has joined #openstack-keystone
23:40 *** gokrokve has quit IRC
23:50 *** alanf-mc has quit IRC
23:51 *** alanf-mc has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!