Monday, 2015-06-01

*** ncoghlan has joined #openstack-keystone00:09
jamielennoxmorganfainberg: are you ok to handle however you want to do the keystoneauth -> keystoneauth1 transition00:15
morganfainbergjamielennox: I think I know how we will do it. Should be easy enough. Will post this week.00:17
*** emagana has joined #openstack-keystone00:30
*** emagana has quit IRC00:36
*** dimsum__ has quit IRC00:37
*** dims has joined #openstack-keystone00:44
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** markvoelker has quit IRC01:18
*** emagana has joined #openstack-keystone01:25
*** tobe has joined #openstack-keystone01:30
*** emagana has quit IRC01:30
openstackgerritliusheng proposed openstack/keystone: Remove the useless config_files parameter of service entry
*** dylan has joined #openstack-keystone01:34
*** dims has quit IRC01:37
*** dims has joined #openstack-keystone01:38
*** woodster_ has quit IRC01:40
*** dims has quit IRC01:43
jamielennox10 make devstack change01:54
jamielennox20 wait 20 minutes01:54
jamielennox30 goto 1001:54
*** samueldmq has joined #openstack-keystone02:08
*** emagana has joined #openstack-keystone02:19
*** emagana has quit IRC02:23
*** HT_sergio has joined #openstack-keystone02:28
*** markvoelker has joined #openstack-keystone02:34
*** woodster_ has joined #openstack-keystone02:37
*** HT_sergio has quit IRC02:37
*** markvoelker has quit IRC02:39
*** davechen_ has joined #openstack-keystone02:42
*** davechen__ has joined #openstack-keystone02:42
*** emagana has joined #openstack-keystone03:13
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add EC2 CRUD credential support to v3 API
*** emagana has quit IRC03:17
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add EC2 CRUD credential support to v3 API
*** samueldmq has quit IRC03:41
*** outsdset has quit IRC03:47
jamielennoxmorganfainberg: i create a 1.6 release for ksc on launchpad and targetted ^ to it with high priority03:59
jamielennoxi need it, then expose via OSC to do devstack with v303:59
jamielennoxso everyone please review04:00
*** emagana has joined #openstack-keystone04:07
*** emagana has quit IRC04:11
*** markvoelker has joined #openstack-keystone04:23
morganfainbergAh ok.04:26
*** markvoelker has quit IRC04:28
*** woodster_ has quit IRC04:40
*** davechen_ has joined #openstack-keystone04:48
*** rushiagr_away is now known as rushiagr04:52
openstackgerritMorgan Fainberg proposed openstack/python-keystoneclient: Add EC2 CRUD credential support to v3 API
*** gokrokve has joined #openstack-keystone04:57
*** tobe has quit IRC05:01
*** emagana has joined #openstack-keystone05:01
*** emagana has quit IRC05:06
*** tobe has joined #openstack-keystone05:07
*** liusheng has quit IRC05:21
*** liusheng has joined #openstack-keystone05:22
*** tobe has quit IRC05:44
*** mabrams has joined #openstack-keystone05:44
*** kiran-r has joined #openstack-keystone05:45
*** emagana has joined #openstack-keystone05:55
*** emagana has quit IRC06:00
*** tobe has joined #openstack-keystone06:03
marekdjamielennox: Hi. SO, to rename ksc-saml2 -> ksa-saml2 i basically need to recreate patches like you had done for the last project rename and that should be pretty much it?06:05
*** yasu_ has joined #openstack-keystone06:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** markvoelker has joined #openstack-keystone06:12
jamielennoxmarekd: yea, more or less06:12
jamielennoxmarekd: there hasn't been much change since then either so it will be very similar i think06:13
marekdjamielennox: just rename, and dep on ksa instead of ksc.06:13
jamielennoxthere is somewhat of an order to it though, you have to do governance first, and the project-config has to Depend-On: the governance one06:13
jamielennoxi think it has a special topic name in gerrit too because it's a manual process06:14
marekdjamielennox: i saw openstack/governance patch - is there any docs i could read about it more? I can blindly recreate the patch but it will be dumb copy/pasa patch.06:14
jamielennoxi don't know and googling doesn't show anything06:15
jamielennoxyou can ask in -infra i know i did last time06:16
marekdjamielennox: never mind06:16
marekdjamielennox: ok06:16
*** markvoelker has quit IRC06:16
*** gokrokve_ has joined #openstack-keystone06:49
*** emagana has joined #openstack-keystone06:50
*** gokrokve has quit IRC06:52
*** gokrokve_ has quit IRC06:54
*** emagana has quit IRC06:54
*** henrynash has joined #openstack-keystone07:08
*** ChanServ sets mode: +v henrynash07:08
*** afazekas has joined #openstack-keystone07:12
*** lufix has joined #openstack-keystone07:13
*** ncoghlan has quit IRC07:18
*** jith_ has joined #openstack-keystone07:19
*** gokrokve has joined #openstack-keystone07:20
*** gokrokve has quit IRC07:21
*** gokrokve has joined #openstack-keystone07:21
evrardjphello everyone07:27
*** Ephur has quit IRC07:30
*** dguerri`away is now known as dguerri07:30
*** tobe has quit IRC07:37
*** jistr has joined #openstack-keystone07:39
*** tobe has joined #openstack-keystone07:39
*** dylan has quit IRC07:43
*** lhcheng has quit IRC07:44
*** emagana has joined #openstack-keystone07:44
*** chlong has quit IRC07:45
*** henrynash has quit IRC07:46
*** fhubik has joined #openstack-keystone07:48
*** emagana has quit IRC07:49
*** fhubik is now known as fhubik_afk07:54
*** fhubik_afk is now known as fhubik07:54
*** fhubik is now known as fhubik_afk07:54
*** markvoelker has joined #openstack-keystone08:01
openstackgerritDave Chen proposed openstack/keystone: default policy
*** markvoelker has quit IRC08:06
*** marzif_ has joined #openstack-keystone08:21
*** tobe has quit IRC08:22
*** tobe has joined #openstack-keystone08:23
*** krykowski has joined #openstack-keystone08:23
*** ajayaa has joined #openstack-keystone08:32
*** emagana has joined #openstack-keystone08:38
*** emagana has quit IRC08:43
ajayaaHi guys. Does Cinder work with Keystone v3 api in Icehouse?08:44
ajayaajaimelennox ^^08:45
ajayaaIn my test environment it is using v2.0 api of Keystone and when it tries to verify a v3 token with v2.0 api, Keystone gives a 401.08:45
ajayaajamielennox ^^08:45
*** yogeshwars1 has joined #openstack-keystone08:46
ajayaaoperator99 ^^08:46
*** afazekas_ has joined #openstack-keystone08:55
*** afazekas has quit IRC08:59
*** e0ne has joined #openstack-keystone09:02
*** afazekas_ has quit IRC09:17
*** emagana has joined #openstack-keystone09:32
*** emagana has quit IRC09:37
*** aix has joined #openstack-keystone09:43
*** afazekas has joined #openstack-keystone09:45
*** e0ne is now known as e0ne_09:48
*** markvoelker has joined #openstack-keystone09:49
*** e0ne_ is now known as e0ne09:50
*** markvoelker has quit IRC09:54
*** fhubik_afk is now known as fhubik09:55
*** dims has joined #openstack-keystone09:55
*** davidckennedy has joined #openstack-keystone10:08
*** bdossant has joined #openstack-keystone10:09
davidckennedyAnyone got any time to approve
davidckennedyand ?10:10
*** fhubik is now known as fhubik_afk10:14
*** openstackstatus has quit IRC10:20
*** openstack has quit IRC10:20
*** openstack has joined #openstack-keystone10:25
*** openstackstatus has joined #openstack-keystone10:25
*** ChanServ sets mode: +v openstackstatus10:25
*** emagana has joined #openstack-keystone10:26
*** emagana has quit IRC10:31
*** kiran-r has joined #openstack-keystone10:33
*** kiran-r has quit IRC10:34
*** kiran-r has joined #openstack-keystone10:34
*** samueldmq has joined #openstack-keystone10:35
*** bdossant has quit IRC10:40
*** bdossant has joined #openstack-keystone10:41
*** fhubik_lunch has joined #openstack-keystone10:41
*** mitz has quit IRC10:43
*** fhubik_afk has quit IRC10:43
*** Zanatoz has quit IRC10:43
*** mordred has quit IRC10:43
*** mitz has joined #openstack-keystone10:43
*** mordred has joined #openstack-keystone10:44
*** Zanatoz has joined #openstack-keystone10:44
*** yasu_ has quit IRC10:45
bretonsamueldmq: morning11:03
breton -- it seems to me that no one ever used memcache_pool in keystonemiddleware.11:04
samueldmqbreton, hi11:06
samueldmqbreton, see
samueldmqbreton, and _get_cache_pool instantiates _MemcacheClientPool11:06
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Refactor Keystone wsgi/eventlet app
ekarlsowhat's the biggest change for keystone in L ?11:10
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Refactor Keystone wsgi/eventlet app
samueldmqekarlso, hi11:12
samueldmqekarlso, i) Dynamic Policies (affects more than Keystone) and ii) Reseller11:12
samueldmqekarlso, I suppose you are talking about new features, right ?11:13
*** fhubik_lunch is now known as fhubik_afk11:16
samueldmqekarlso, Reseller is great11:16
*** emagana has joined #openstack-keystone11:20
*** e0ne has quit IRC11:21
*** woodster_ has joined #openstack-keystone11:24
*** emagana has quit IRC11:25
*** tobe has quit IRC11:25
*** mflobo has left #openstack-keystone11:26
*** mflobo has joined #openstack-keystone11:27
samueldmqekarlso, we will have only 5 API impacting priorities this cycle, see
*** e0ne has joined #openstack-keystone11:30
*** topol has joined #openstack-keystone11:32
*** topol is now known as Guest2697211:32
*** aix has quit IRC11:34
ekarlsowhat you guys think of what termie said then that keystone should not be ? :D11:35
*** markvoelker has joined #openstack-keystone11:35
marekdekarlso: he said glance should be deleted, not keystone11:35
*** Guest26972 has quit IRC11:36
marekdekarlso: keystone no longer needs to hide in the corner, especially since it features federation, reseller and stuff :-)11:37
*** fhubik_afk is now known as fhubik_lunch11:37
*** fhubik_lunch is now known as fhubik11:37
*** fhubik is now known as fhubik_afk11:37
ekarlsomarkvoelker: :p11:39
ekarlsoehm, marekd :P11:39
*** markvoelker has quit IRC11:40
bretonsamueldmq: yes, but look at the review11:40
bretonsamueldmq: there is a bug that would cause an exception if used anywhere11:41
*** aix has joined #openstack-keystone11:48
samueldmqmorganfainberg, I just updated Keystone Summit Etherpads page11:49
samueldmqmorganfainberg, I am not sure we should keep the etherpad link for 'Keystone Contributors Meetup' (Friday)11:50
samueldmqmorganfainberg, since the single information in there is : 'hi there!' :)11:50
dstaneksamueldmq: ...but it shows that we are a fun and inviting group11:51
*** fhubik_afk is now known as fhubik11:52
samueldmqdstanek, haha yes ... I was thinking it shows we are so united that we forgot to put anything in the pad ... and just talked to ourselves in there11:53
samueldmqdstanek, and indeed, had fun :)11:53
samueldmqbreton, if that pool works with the queue implementation you posted in your previous comment11:54
samueldmqbreton, it should not raise any exception, but accept 'put()' without a restriction .. is that right ?11:56
samueldmqbreton, well, that's weird11:56
*** rushiagr is now known as rushiagr_away11:57
bretonsamueldmq: it is much more weird with another parameter12:01
bretoneverything should crash if it is used like this12:01
*** emagana has joined #openstack-keystone12:15
*** belmoreira has joined #openstack-keystone12:15
*** emagana has quit IRC12:19
*** topol has joined #openstack-keystone12:29
*** ChanServ sets mode: +v topol12:29
mfloboquestion: is there any call to keystone to get the project list and the id of the owner y the same response?12:30
dstanekmflobo: when you say owner you mean those that will access to the project?12:33
dstaneki don't think there is a single call for all of that12:33
mfloboI would like to have, in the same json response, the information about the owner per project12:34
*** markvoelker has joined #openstack-keystone12:34
rodrigodsdstanek, maybe list role assignments call?12:35
*** fhubik is now known as fhubik_afk12:36
dstanekrodrigods: i don't think that will have all the project data and won't include projects with no assignments12:36
dstanekmflobo: what is your usecase?12:36
mflobodstanek, My use case: a list of projects, 3 colums, project_id | Project Name | Owner12:37
*** yasu_ has joined #openstack-keystone12:38
dstanekmaybe get a list of projects and role assignments? what are you doing now?12:39
bretonoh gawd12:40
bretonsamueldmq: that code doesn't work in Juno!12:40
bretonsince juno12:40
*** kiran-r has quit IRC12:40
mflobodstanek, Now: projects.list() then, iterate the projects and get role_list_assignments.list(role_id='owner' project_id=project_id)[0] per project. Finally I return a list of (project info + owner)12:41
mflobodstanek, That works nice with LDAP assignment backend, but with SQL assignment backend is veeery slow12:42
mflobodstanek, that's the reason because I'm looking for some call faster than execute len(project_list) * role_assignment.list calls12:43
*** fhubik_afk is now known as fhubik12:44
dstanekdo you have to specify the project to get the role assignments for?12:44
mfloboIdeally, I'd like a response like:12:44
mflobo    "project": {12:44
mflobo        "description": "the description",12:44
mflobo        "links": {12:44
mflobo          "self": "https://localhost:5000/v3/projects/000000000000000000000000000000"12:44
mflobo        },12:44
mflobo        "enabled": true,12:44
mflobo        "id": "00000000000000000000000000000",12:44
mflobo        "domain_id": "default",12:44
mflobo        "name": "Project name",12:44
mflobo          "owner": "the owner"12:44
samueldmqbreton, oh really ? what is the side effect ?12:44
dstanekmflobo: use paste :-)12:45
mflobodstanek, yes I do12:45
dstanekmflobo: i don't think we really have the concept of an owner12:45
samueldmqnot ctrl+v paste, but instead :-)12:45
samueldmqdstanek, ++12:45
mflobosamueldmq, sorry12:46
samueldmqmflobo, no worries, I am just making sure I let you know you could use paste.o.o :)12:46
bretonsamueldmq: well, if memcache_pool is used as the cache backend, ksm doesn't work at all.12:47
mflobodstanek, ok, thanks for your answers ;)12:48
mflobodstanek, I'll try it in other way...12:48
*** chlong has joined #openstack-keystone12:49
dstanekmflobo: if you can't just get all role assignments you can get the list of roles and iterate over that to get the assignments for those roles.12:49
mflobodstanek, mmm, interesting, I'll try that way. Thanks sagain12:50
samueldmqbreton, wow, thanks for testing that then12:50
dstanekmflobo: not idea, but should be much less calls12:50
mflobodstanek, sure12:51
dstanekmflobo: are you using the REST API to get this data?12:51
samueldmqmorganfainberg, breton ^ ksmiddleware + memcache_pool = doesn't work at all12:54
samueldmqmorganfainberg, breton we should consider backporting 'Correct memcached parameters in TokenCache' (
samueldmqbreton, thanks for having the time to test that yourself :)12:55
morganfainbergsamueldmq: this is because python-memcache is a trainwreck.12:55
morganfainbergsamueldmq: in my opinion12:55
morganfainbergand we're having to monkeypatch it basically to "work"12:55
samueldmqmorganfainberg, what are the alternatives ?12:55
morganfainbergsamueldmq: pymemcache12:56
morganfainbergmuch much better12:56
morganfainbergbut it's not a simple drop-in API12:56
morganfainbergjust like ldap3 doesn't have a compat layer (yet?) - so it's a bit of work12:56
samueldmqmorganfainberg, who is looking at that ? did any other project already migrate ?12:57
*** fhubik is now known as fhubik_afk12:57
morganfainbergsamueldmq: it is in global reqs iirc12:58
morganfainbergso, it's just writing the code to move over...12:58
morganfainbergand making sure it works >.<12:58
bretonmorganfainberg: what's better in pymemcache?12:58
morganfainbergbreton: the whole architecture12:58
morganfainbergground up12:58
morganfainbergalso, not explicitly requiring a thread.local to function12:59
morganfainbergwhich is why we have the hacky-ness in memcachepool12:59
morganfainbergchanging to pymemcache is not backportable though12:59
bretonwell, everything doesn't work not because of that12:59
morganfainbergand it will break again12:59
morganfainbergand again12:59
morganfainbergand again12:59
morganfainbergit's really awful13:00
bretonmaybe we should drop it in ksm13:00
morganfainbergi think we've had 3 breaks in memcachepool now.13:00
samueldmqmorganfainberg, I am not sure I have enough time to go in that direction (implement) .. but I can take a look to at very least get more familiar and review code when someone is up to do that :)13:00
morganfainbergbecause python-memcache changes.13:00
morganfainbergsamueldmq: nah, we should just backport the fix.13:00
morganfainbergand/or i need to release ksm13:00
bretonmorganfainberg: I've put an item to tomorrow meeting's agenda about dropping memcache_pool in ksm13:00
morganfainbergbreton: we can't backport a drop of memcachepool.13:01
samueldmqmorganfainberg, k13:01
morganfainbergwe should ditch memcachepool all together.13:01
*** bknudson has quit IRC13:01
morganfainbergnot just in ksm13:01
samueldmqmorganfainberg, we can't backport a drop of anything, right ?13:01
morganfainbergsamueldmq: correct13:01
bretonthe problem is that it is completely untested13:03
*** ajayaa has quit IRC13:04
morganfainbergbreton: and it will remain untested until we have functional testing scenarios up13:04
bretonand I mean completely. Insert "assert False" anywhere in memcache_pool, run ksm tests and they will all pass13:04
morganfainbergyou can't really unit test memcachepool13:04
bretonmorganfainberg: functional tests at least could catch
breton*unit tests13:05
*** topol has quit IRC13:05
morganfainbergbreton: the issue is it is almost not unit testable13:06
morganfainbergit's going to be mocking everything13:06
morganfainbergso sure we can test small bits, but it really isn't going to keep it sane/working13:06
morganfainbergi'd rather drop memcache pool completly13:06
bretonI wonder if we need memcache_pool after we dropped eventlet13:07
morganfainbergbreton: we wont13:07
*** toddnni has quit IRC13:07
morganfainbergbreton: it *might* buy a minor performance increase.13:07
*** fhubik_afk is now known as fhubik13:07
*** dsirrine has joined #openstack-keystone13:07
morganfainbergin KSM, it is more important13:07
morganfainbergsince KSM runs in eventlet based things13:07
bretonin ksm everybody uses in-process caching13:07
morganfainbergbut KSM could easily move to pymemcache13:07
bretonthat bug is there since juno13:07
morganfainbergno, lots of people us ememcache13:07
morganfainbergbut i think no one uses memcachepool13:08
bretonwe can have memcache and not memcachepool in ksm?13:08
morganfainbergthe DOS that can occur is likely attributed to other bad performance in ksm13:08
morganfainbergthe whole reason for memcachepool13:08
morganfainbergwas to mitigate the DOS-like event for socket/FD limits13:09
*** emagana has joined #openstack-keystone13:09
bretonoh, _CachePool13:09
bretonksm uses keystonemiddleware.openstack.common.memorycache anyway. Maybe we could switch to pymemcache there.13:10
morganfainbergbreton: i'd like to drop memorycache13:10
morganfainbergit is bad13:10
morganfainbergit also has awful performance implications due to scanning the whole dict when not using memcache13:11
morganfainbergevery get13:11
*** jimbaker has quit IRC13:12
morganfainbergbut we could easily just not use that for the memcache mode.13:12
morganfainbergiirc that is the last incubator thing we have in ksm13:12
*** jimbaker has joined #openstack-keystone13:12
*** jimbaker has quit IRC13:12
*** jimbaker has joined #openstack-keystone13:12
bretondo we need to have backends pluggable in ksm?13:13
*** emagana has quit IRC13:13
morganfainbergwe need to support memcache and in-memory13:13
morganfainbergi'd like to see it move to dogpile13:14
*** gokrokve_ has joined #openstack-keystone13:14
morganfainbergbut i was waiting for the olso.cache work to be done (there is someone actively working on that)13:14
*** gokrokve has quit IRC13:17
*** radez_g0n3 is now known as radez13:18
*** fhubik is now known as fhubik_afk13:19
*** ajayaa has joined #openstack-keystone13:20
*** Ephur has joined #openstack-keystone13:21
*** jsavak has joined #openstack-keystone13:26
*** mattfarina has joined #openstack-keystone13:26
*** yasu_ has quit IRC13:27
samueldmqbreton, just to make sure ... you tested applying that patch on juno and then ksm + memcache_pool worked, right ?13:31
*** bknudson has joined #openstack-keystone13:32
*** ChanServ sets mode: +v bknudson13:32
*** jsavak has quit IRC13:32
*** amakarov_away is now known as amakarov13:32
*** jsavak has joined #openstack-keystone13:33
*** e0ne has quit IRC13:35
*** dhellmann has left #openstack-keystone13:44
*** fhubik_afk is now known as fhubik13:48
ayoungmorganfainberg, samueldmq I think I am going to split  "Hierarchical Roles" into two pieces.  The first is going to be assignement:  If  Auser is assigend one role, they *can* get any other roles implied by that role13:56
ayoungwe'll do enforcement later13:56
ayoungand "implied" roles will not show up in the token13:56
ayoungI have a spec in already that allows a user to explicitly request a role13:57
*** ajayaa has quit IRC13:57
ayoungany implied roles should be possible to have if explicitly requested13:57
ayoungmake sense?  I'm trying to keep thie granular13:57
*** jsavak has quit IRC14:00
*** jsavak has joined #openstack-keystone14:00
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** blewis has joined #openstack-keystone14:02
*** emagana has joined #openstack-keystone14:03
*** csoukup has joined #openstack-keystone14:05
*** sigmavirus24_awa is now known as sigmavirus2414:07
*** emagana has quit IRC14:08
*** bdossant has quit IRC14:09
*** mattfarina has quit IRC14:10
*** fhubik is now known as fhubik_afk14:11
*** henrynash has joined #openstack-keystone14:16
*** ChanServ sets mode: +v henrynash14:16
*** jith_ has quit IRC14:21
*** timcline has joined #openstack-keystone14:25
*** jsavak has quit IRC14:26
*** fhubik_afk is now known as fhubik14:26
morganfainbergayoung: ack14:26
*** jsavak has joined #openstack-keystone14:26
*** krykowski has quit IRC14:28
*** mabrams has quit IRC14:39
openstackgerritNikita Konovalov proposed openstack/python-keystoneclient: Fix logging of binray contentent in request
*** dguerri is now known as dguerri`away14:40
*** dguerri`away is now known as dguerri14:40
*** nkinder has joined #openstack-keystone14:44
*** gokrokve has joined #openstack-keystone14:47
*** radez is now known as radez_g0n314:47
*** topol has joined #openstack-keystone14:48
*** ChanServ sets mode: +v topol14:48
*** topol_ has joined #openstack-keystone14:49
*** ChanServ sets mode: +v topol_14:49
*** gokrokve_ has quit IRC14:50
*** radez_g0n3 is now known as radez14:51
*** e0ne has joined #openstack-keystone14:52
*** e0ne is now known as e0ne_14:52
*** topol has quit IRC14:53
*** topol_ is now known as topol14:53
*** e0ne_ is now known as e0ne14:56
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** mattamizer has joined #openstack-keystone14:56
*** fhubik has quit IRC14:57
*** afazekas has quit IRC14:57
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** stevemar has joined #openstack-keystone15:04
*** ChanServ sets mode: +v stevemar15:04
*** HT_sergio has joined #openstack-keystone15:04
*** cyeoh has quit IRC15:08
*** emagana has joined #openstack-keystone15:09
*** emagana has quit IRC15:09
*** emagana has joined #openstack-keystone15:09
*** emagana has quit IRC15:10
*** hemnabeer is now known as hemna15:11
*** emagana has joined #openstack-keystone15:11
*** emagana has quit IRC15:12
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** emagana has joined #openstack-keystone15:13
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** emagana has quit IRC15:14
*** zzzeek has joined #openstack-keystone15:15
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** david-ly_ is now known as david-lyle15:21
openstackgerritLance Bragstad proposed openstack/keystone: Log warning for Fernet tokens over 255 chars
*** emagana has joined #openstack-keystone15:25
openstackgerritLance Bragstad proposed openstack/keystone: Log info for Fernet tokens over 255 chars
*** nkinder_ has joined #openstack-keystone15:27
*** nkinder has quit IRC15:31
*** nkinder_ has quit IRC15:33
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** bjornar has quit IRC15:38
*** dims has quit IRC15:41
*** dims_ has joined #openstack-keystone15:42
*** mattamizer has quit IRC15:42
morganfainberglbragstad: also we have another fernet bug it looks like with v2 tokens.15:43
*** nkinder_ has joined #openstack-keystone15:44
dolphmmorganfainberg: is there a bug report?15:44
morganfainbergYes. Sec.15:44
dolphmah i’m guessing this is Jake? -Dolph15:45
dolphmlol bad paste15:45
dolphm *15:45
openstackLaunchpad bug 1460225 in keystonemiddleware "Fernet + Memcache causes validation failures" [Medium,In progress] - Assigned to Morgan Fainberg (mdrnstm)15:45
lbragstadmorganfainberg: reviewing15:45
openstackLaunchpad bug 1459791 in Keystone "Juno to Kilo upgrade breaks default domain id" [Undecided,New]15:45
morganfainbergdolphm: ^15:45
morganfainbergDid I typo in the review?15:45
morganfainbergSorry the memcache one is separate from the one I just linked for review.15:46
morganfainbergLet me say that again.15:46
morganfainbergMemcache is that one you linked Dolph.15:46
morganfainbergThe other one is separate and *not* memcache related.15:46
dolphmi think i got it straight, reviewing both15:46
* morganfainberg can't brain before coffee settles in.15:47
dolphmso this is a v2 token being checked for domain-ness by filter_domain()15:48
*** gyee has joined #openstack-keystone15:48
*** ChanServ sets mode: +v gyee15:48
dolphmoh, the OP says he's using UUID, not fernet15:49
*** e0ne is now known as e0ne_15:50
sigmavirus24morganfainberg: I feel your pain re braining before coffee has reached the blood flow15:50
dolphmimmediately solution? "if 'domain' in ref:" should be "if ref.get('domain')" but i'd like to know the root cause15:50
*** jsavak has quit IRC15:50
*** e0ne_ is now known as e0ne15:51
morganfainbergdolphm: I think it's a v215:52
morganfainbergToken with a None in the ref already.15:52
morganfainbergdolphm: the filter / clean methods could stand a hard look there.15:53
*** _cjones_ has joined #openstack-keystone15:53
*** jsavak has joined #openstack-keystone15:53
lbragstadmorganfainberg: was this an issue with Fernet?
openstackLaunchpad bug 1459791 in Keystone "Juno to Kilo upgrade breaks default domain id" [Undecided,New]15:54
lbragstadmorganfainberg: looks like the default token provider was still being used15:54
morganfainberglbragstad: turns out no.15:54
morganfainberglbragstad: bigger issue it seems.15:54
lbragstadmorganfainberg: ok, just checking15:55
morganfainbergbknudson: I think we determined wsme won't help us / work for us already.15:56
bknudsonmaybe it doesn't support the extras15:56
morganfainbergbknudson: specifically because of the lobs we have.  Yeah. Extra field issues.15:57
*** mattfarina has joined #openstack-keystone15:58
*** jsavak has quit IRC16:01
*** jsavak has joined #openstack-keystone16:01
*** _cjones_ has quit IRC16:02
*** _cjones_ has joined #openstack-keystone16:02
*** zzzeek has quit IRC16:02
*** zzzeek_ has joined #openstack-keystone16:02
*** lufix has quit IRC16:04
*** belmoreira has quit IRC16:05
*** jistr has quit IRC16:11
*** browne has joined #openstack-keystone16:16
*** richm has joined #openstack-keystone16:24
openstackgerritPhil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands
openstackgerrithenry-nash proposed openstack/keystone-specs: Transition the domain config management API to stable
dstanekhas anyone given thought to how we want to handle "optional" middleware? i'm getting rid of paste usage in my flask branch!16:31
dstaneki'm assuming we still need to handle loading middleware from a config file (the pipeline or at least part of it)16:31
openstackgerritPhil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands
bknudsondstanek: stevedore allows for plugins16:35
dstanekbknudson: that doesn't help with middleware since you still need a place to say what plugins to load16:35
dstanekbknudson: how can you build a configurable pipeline using that?16:37
*** stpierre has joined #openstack-keystone16:38
dstanekisn't that name hardcoded in code? and/or what it resolves to?16:38
stpierremorganfainberg: ping re: keystone event notifications16:38
morganfainbergstpierre: heyya16:38
stpierrehey -- you gave me some pointers to event notification docs a while back. is there any prior art for integration with those? i.e., have any projects (that you know of) start consuming them?16:39
bknudsondstanek: the name is hardcoded, but the functions that get called aren't hardcoded.16:39
morganfainberghmm.. i don't know. ceilometer does consume most notifications16:39
dstanekbknudson: how do you configure that?16:39
morganfainbergbut not sure about anything actively consuming keystone ones yet16:39
stpierreokay, cool16:39
bknudsondstanek: I think it's in your setup.cfg16:40
bknudsonceilometer consumes notifications16:40
dstanekbknudson: ah. that won't work then.16:40
stpierredo you think there'd be interest in an oslo library for consuming them? if i start work on this in nova, i'm wondering how generic i should aim to be16:40
*** blewis has quit IRC16:40
dstanekbknudson: you can say "pipeline = X Y Z app" where X isn't in the Keystone codebase16:40
bknudsonthe setup.cfg can be in a different codebase16:41
*** afazekas has joined #openstack-keystone16:41
bknudsonthe names wind up being global somehow16:41
dstanekbknudson: so as a deployer you'd have to create an installable python package that depends on keystone?16:41
bknudsonhow are we going to consume oslo middleware if there's no paste pipeline?16:41
bknudsonit doesn't have to depend on keystone, it just has its setup.cfg define the entry points16:42
dstanekbknudson: do you know how order would be controlled? i have ideas on what to do with the paste config (to keep the pipeline), but not use paste16:43
bknudsondstanek: I don't know how you control the order... probably a good question for oslo16:44
bknudsondocs don't mention how to control the order16:45
samueldmqayoung, hi, reading up16:45
*** jsavak has quit IRC16:45
*** gokrokve_ has joined #openstack-keystone16:45
samueldmqayoung, if we don't put the implied roles (the leaf ones) in the token, the enforcer side will need to know the role hierarchy, right ?16:46
*** gokrokve_ has quit IRC16:46
*** gokrokve_ has joined #openstack-keystone16:46
bknudsondstanek: you can't do flask + paste?16:46
dstanekbknudson: you can, but i was hoping to get rid of the extra dep16:47
bknudsonif it gives us middleware support then seems like it's better to keep paste16:47
*** davidckennedy has quit IRC16:48
*** gokrokve has quit IRC16:49
*** afazekas has quit IRC16:49
*** henrynash has quit IRC16:51
*** jsavak has joined #openstack-keystone16:54
*** ajayaa has joined #openstack-keystone16:55
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** e0ne has quit IRC16:55
ayoungsamueldmq, eventuaslly16:57
*** henrynash has joined #openstack-keystone16:57
*** ChanServ sets mode: +v henrynash16:57
*** jsavak has quit IRC16:58
ayoungsamueldmq, so, first I want to just say "When I assign Admin, I also Assign Member"16:58
ayoungBut if someone gets a token, they will only get the "Admin" role on the token16:58
ayoungnothing else changes16:58
*** jsavak has joined #openstack-keystone16:59
*** spandhe has joined #openstack-keystone17:00
samueldmqayoung, ok, but we must be careful ... because if we allow people to create role hierarchies, tehy will be expecting to have the subordinate roles implied17:01
samueldmqayoung, what if we get at the end of the release and we don't get the enforcement part merged ? :p17:01
ayoungsamueldmq, I think the ordering I want is this:17:01
samueldmqayoung, (I am not agains that, just want to make sure we have the roadmap well defined)17:01
samueldmqayoung, k, go ahead17:02
ayoung1.  Subset Tokens
ayoung2. Implied roles17:03
ayoung(this conversation)17:03
ayoung3.  Generate policy from hierarchical roles17:03
ayoungI don't want to change the mechanism for what goes in the token in the middle, so the implied roles is just admin to start17:04 just administrative overhead to start17:04
*** spandhe_ has joined #openstack-keystone17:07
*** spandhe has quit IRC17:08
*** spandhe_ is now known as spandhe17:08
*** someara2 has joined #openstack-keystone17:09
*** henrynash has quit IRC17:09
*** alanf-mc has joined #openstack-keystone17:10
*** ajayaa has quit IRC17:14
samueldmqayoung, what if we put effective roles (the leaf ones) in the token ..17:14
samueldmqayoung, I know .. the token would increase etc ... but that would work in our current architecture17:14
samueldmqayoung, and then we would improve it later17:15
ayoungsamueldmq, nah, cuz changes there would still require changes to policy17:15
ayoungI think we just make this an interim step.17:16
ayoungsamueldmq, siomething like "only explicitly assigned roles will appear in the token by default"17:16
ayoung"If you want the implied roles, you have to request them expressly."17:16
*** radez is now known as radez_g0n317:16
samueldmqayoung, ok .. I will take a look at subset tokens later today17:16
samueldmqayoung, need to go now (meeting), sorry17:17
ayoungsamueldmq, it needs an API spec. I will work on that17:17
samueldmqayoung, ++17:17
morganfainbergamakarov: ping17:18
amakarovmorganfainberg, pong17:18
morganfainbergamakarov: why are we refactoring the eventlet stuff massively to be a class hierarchy when it is going to be deleted next cycle?17:18
morganfainbergamakarov: not saying no, just curious as to the intent of this.17:19
*** lhcheng has joined #openstack-keystone17:19
*** ChanServ sets mode: +v lhcheng17:19
amakarovmorganfainberg, I've paused the work17:20
morganfainbergamakarov: ok. i just figure we can probably keep it as is until next cycle (mostly) and then merge it all down into the WSGI-only form17:20
morganfainbergamakarov: save some code/reviewing for the sake of code/reviewing :)17:20
amakarovmorganfainberg, it looks more like "Let's clean it, paint, polish and throw away"17:20
morganfainbergyeah. lets not clean it and paint it if we're tossing it out :)17:21
dstanekmorganfainberg: i've actually been making some changes to the wsgi code for flask integration17:21
morganfainbergdstanek: that is the other thing didn't want to stomp on your work17:21
morganfainbergunless that ^^ change is a win for Flask, which case we can absolutely grab it17:22
* morganfainberg defers to dstanek and jamielennox on that17:23
bknudsonmaybe the refactoring of the wsgi / eventlet startup code that's needed is to split it up more17:24
bknudsonso that it's easy to get rid of the eventlet code17:24
bknudsonand easier to modify the wsgi code17:24
dstanekbknudson: yes, that's exactly what i was having to do17:25
morganfainbergbknudson: thats a good reason to accept the code.17:25
* morganfainberg wants to avoid refactoring code that is going away unless we have a real benefit.17:25
morganfainbergotherwise it just introduces more potential bugs we need to suss out.17:26
dstanekmorganfainberg: i don't think that refactoring is worth it at this point17:26
morganfainbergdstanek: ok17:27
morganfainbergstevemar: is trying to take the record from you on the "most number of patchsets for a single review"17:28
ayoungwhat version are we up to now in the Specs changes?  3.4 still, right?17:30
morganfainbergayoung: probably17:30
ayoungah, 3.5 now, right?  3.4 went out last go round?17:32
morganfainbergi'd defer what is in the repo17:36
* morganfainberg will look into that more - once i'm off this call17:37
*** afazekas has joined #openstack-keystone17:40
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** blewis has joined #openstack-keystone17:43
*** someara2 has quit IRC17:44
*** packet has joined #openstack-keystone17:44
*** someara2 has joined #openstack-keystone17:46
*** afazekas has quit IRC17:47
*** someara2_ has joined #openstack-keystone17:47
*** someara2 has quit IRC17:51
*** jsavak has quit IRC17:52
*** jsavak has joined #openstack-keystone17:58
*** blewis` has joined #openstack-keystone17:59
*** someara2_ has quit IRC18:02
*** blewis has quit IRC18:02
*** someara2 has joined #openstack-keystone18:02
ayoungdstanek, bknudson I want to add in an additiona requirement to token-request.  I want to be able to specify a subset of the endpoints in the catalog.  WOuld it make sense to have  ServiceCatalog element in the request dictionary, right under scope, or to put the constrains inside of "scope"18:02
*** jsavak has quit IRC18:03
*** jsavak has joined #openstack-keystone18:03
bknudsonayoung: if there's no scope then there's no catalog, right?18:03
bknudsonso seems like you'd want it with the scope18:04
ayoungbknudson, that is right18:04
dstanekayoung: i think in the scope because it's going to be used as a part of the scope18:04
*** aix has quit IRC18:04
ayoungbknudson, I could make a bunch of values, all parallel, like scope.endpoint_ids and scope.service_types18:04
bknudsoncan't you already specify a subset of the endpoints using endpoint filtering?18:04
ayoungbknudson, not on the token request18:04
ayoungthat is only for all tokens for that project18:05
ayoungbknudson, this is designed to work in conjunction with gyee 's endpoint-binding18:05
ayoungbknudson, I'm also adding in the ability to request a token with a subset of roles18:05
bknudsonit would be interesting if we could get a full story of how delegation is going to work with these18:06
bknudsonhow do I know what endpoints are needed when I give a token to heat?18:06
bknudsonor nova18:06
ayoungbknudson, heh...trying to get there18:06
ayoungbknudson, there are two ways I can see it playing out18:06
*** someara2 has quit IRC18:07
ayoung1.  When you request an operation from, say, Heat, but without a token,  it responds back with a "401: please provide tokens with the following roles"18:07
ayoungwithout a token or with an invalid token would be equivalent18:08
ayoungthe second would be to know a-priori18:08
ayoungeither way, we need things to be somewhat introspective18:08
ayoungbknudson, scary in a security way or scary in an "security just broke everything way?"18:08
ayoungI think that the later is closer to true18:08
bknudsonit's scary giving a client information when they're not authenticated.18:08
ayoungbknudson, we wouldn't tell the user anything that is not-public knowledge18:08
ayoungfor example, if we don;t know the project id for the resource, we would not look it up for them and tell them18:09
bknudsonthe names of roles18:09
ayoungits so much better than what we do today18:09
ayoungtoday we have most of the service not even checking roles18:09
ayoungjust accepting all tokens with ""18:09
ayoungfor policy rules18:09
*** topol_ has joined #openstack-keystone18:09
ayoungnova just checks that the projectID matches18:09
*** ChanServ sets mode: +v topol_18:09
bknudsonI don't see the relationship18:10
ayoungbknudson, but, we could make it an additional call to Keystione, too, which we would only answer to an authenticated user18:10
bknudsonthat makes more sense18:10
ayoung"what roles do I need to make this API?"   "Member"18:10
*** gokrokve has joined #openstack-keystone18:11
bknudsonkeystone would have to know if nova is using nova-networking or neutron18:11
ayoungbknudson, nah,  I want to get away from that, too18:11
*** opilotte has joined #openstack-keystone18:11
dstanekso i'm not entirely sold on endpoint binding - i still like the idea i had about capability based binding18:11
ayoungI'm still wokring through the details, but more like;  nova can exchange one token for another of comparable scope, but for a different endpoint, based on a transitionws rules table18:11
*** topol has quit IRC18:12
opilottedid anyone test federation extension with heat? I get weird errors and I wonder if it's a configuration issue, rather than a problem with the federation18:12
*** topol_ is now known as topol18:12
opilotteI get 400 bad requests: Actually, having considered this for a while, I propose two changes:18:12
opilotte1. Stop using heat_stack_owner, and instead delegate _member_, which is the default role created by keystone since grizzly and used to indicated project membership (thus all users should already have it, avoiding this situation)18:12
ayoungdstanek, I think that I'd like that, but not sure how to implement.  What did you have in mind?18:13
opilottesorry about that, was a bad cut and paste18:13
ayoungopilotte, probably ask the heat team before asking here18:13
*** gokrokve_ has quit IRC18:13
ayoungopilotte, we just build the mechanism, not monitor all the usages.18:13
ayoungopilotte, but _member_ was a hack to avoid a potential conflict18:14
morganfainbergayoung amakarov: I marked the bug re trusts and services making trusts invalid. if we are changing that workflow we should not be considering it a bug, it is in-fact working as intended.18:14
ayoungnot, necessaryily, something we should consider part of the contract.  Instead...well, I'm pushing toward dynamic policy18:14
morganfainbergayoung amakarov: as an FYI18:14
dstanekayoung: come up with a list of all capabilities across openstack - then create a dependency tree18:14
*** jsavak has quit IRC18:14
opilotteayoung: well, thanks for you answer, I wanted to know if you guys would have known any issue with Heat18:15
ayoungmorganfainberg, I agree, and think that rthe ability to create a trust should be a role, and should be on the token and enforced in the policy on the keystone server18:15
amakarovmorganfainberg, I knew it's a feature! ))18:15
*** jsavak has joined #openstack-keystone18:15
*** gokrokve has quit IRC18:15
morganfainbergamakarov: but it's something we will need a microversion API for *or* V4.18:16
ayoungso if a use does not want to let another service create a trust, they request a token without the createtrust role...based on the API spec I am wrirting right now18:16
morganfainbergamakarov: to be upfront.18:16
morganfainbergcc, ayoung ^^18:16
dolphmayoung: would appreciate your feedback on
openstackLaunchpad bug 1456797 in Keystone "Old revocation events must be purged" [Low,Incomplete] - Assigned to Deepti Ramakrishna (dramakri)18:16
dstanekayoung: consider making a tree like where you scope the token to "capability:do-stuff"18:16
dstanekayoung: this is could be used for any other capability under the tree18:16
ayoungdolphm, heh, I had forgotten I wrote that.  THin the mechanism will work for list, but maybe not when we go to a push model18:16
morganfainbergamakarov: this does roll up reasonably well into the policy work that is being hashed out.18:17
*** someara2 has joined #openstack-keystone18:17
ayoungdstanek, there are about 5000 capapbiolties defined already for Nova, CInder, Glance, Keystone, and neutron.18:17
ayoungdstanek, not sure if enumerating them is the right approach.18:18
ayoungdstanek, but endpoint binding would still be needed18:18
ayoungI want it used on endpoint1 and not on endpoint218:18
ayoungcuz I get charged differntly18:18
morganfainbergdstanek, lbragstad, dolphm:(put this on the backburner for thought) looking over the crypto-hashing rounds patchset. I think we should go for 10k, a 30% savings seems worth it, and above glibc, since we're not going with the 300ms default (the other option is the 300ms default).18:19
dstanekayoung: you can only do endpoint binding at the initial call right? bind to heat, but not to the nova, etc it uses18:19
ayoungdolphm, so, I think the "delete on each list" is the best I could come up with to avoid the token flush, but could potentially slow things down under load.18:19
ayoungdstanek, yes18:19
ayoungdstanek, but...heat is a different thing anyway:18:20
ayoungit will have to do some magic to create a trust.  The real issue is the nova to glance case18:20
dstanekayoung: same thing for nova and glance18:20
ayoungor the cinder to swift18:20
*** amakarov is now known as amakarov_away18:20
ayoungdstanek, for a first rev, I would have both glance and nova and neutron all on the token,.  Then work towards mechanisms to let us do better token-for-token transitions18:21
dolphmmorganfainberg: there's a patch for that?!18:21
dolphmmorganfainberg: linky!18:21
morganfainbergdolphm: you even commented on it!18:21
dstaneki like the idea that as an end user i can auth and get an unscoped token that is cached on disk and then when the openstack client is used it generated a token that is specific to the operation i am asking it to perform18:21
dolphmmorganfainberg: i'm down with 10k18:21
dolphmmorganfainberg: oh18:21
lbragstaddolphm: yeah, I commented on it with the performance results18:21
morganfainbergdolphm: i specifies 5k atm, i was going to bump it to 10k18:21
morganfainbergand then +2 it18:21
dolphmwho wrote the patch that i commented on18:21
dstaneki don't have any issues with 10k18:22
* dolphm is afraid this is my own patch18:22
*** samuel-dmq has joined #openstack-keystone18:22
dstanekayoung: is there an actual list of capabilities?18:22
dstanekbeyond what openstack client shows18:23
*** jsavak has quit IRC18:23
dstanekmaybe i should write up a quick spec to explain my ideas and give examples18:23
*** radez_g0n3 is now known as radez18:24
morganfainbergdolphm: sorry you didn't comment lbragstad did18:24
morganfainbergi read that last pre-coffee18:24
ayoungdstanek, there is not yet an overall list of capabilities18:27
ayoungdstanek, the "unified policy file" spec attempts to generate one18:28
ayoungbut even then, we will forever play catch up as more and more camels stick their noses into the big tent18:28
*** jsavak has joined #openstack-keystone18:29
openstackgerritMorgan Fainberg proposed openstack/keystone: Use lower default value for sha512_crypt rounds
*** timcline has quit IRC18:30
morganfainbergdolphm: ^^ 10k18:30
dolphmmorganfainberg: dammit, just as i post a review18:30
*** gokrokve has joined #openstack-keystone18:31
morganfainbergfeel free to update/fix. I'm +2 on the 10k based on your benchmarks18:31
dolphmmorganfainberg: i'm +2 on 10k18:31
morganfainberg5k was too low imo18:32
morganfainbergbut 40k was excessive [unless we wanted the 300ms default]18:32
dolphmbig performance improvement with a sufficient level of security for a default value18:32
morganfainbergwe either go with a nice balance, or bias to security18:32
morganfainbergbut 40k was very very arbitrary18:32
dolphmas is 10k ;)18:33
morganfainbergwe have benchmarks on 10k though18:33
morganfainbergso ... less arbitrary18:33
morganfainbergbtw... linux is a usable desktop now18:33
* morganfainberg is amazed18:33
morganfainberg1.5 yrs ago i still had issues w/ it.18:33
morganfainbergthen agian... OS X 10.10 :(18:34
*** someara2 has quit IRC18:36
morganfainbergthough... i'm trying to figure out why ubuntu keeps wanting to use the british spellings of words (extra "u"s added everywhere) when i told it i was in the US.18:38
dstanekmorganfainberg: maybe it doesn't believe you18:39
morganfainbergdstanek: lol18:40
morganfainbergdstanek: somehow my outlook calendar got wedged in UTC18:40
dolphmmorganfainberg: this one would be good to put on the meeting agenda to find an assignee it's surprising, to say the least18:41
openstackLaunchpad bug 1459828 in Keystone "keystone-all crashes when ca_certs is not defined in conf" [Undecided,New]18:41
morganfainbergdstanek: it's kind of funny - freaked me out the first time "OMG MEETING NOW".. oh wait.18:41
morganfainbergdolphm: yeah we just got back the info on the environment recently18:41
morganfainbergdolphm: i wasn't able to duplicate it before. now maybe with the info I can.18:41
*** someara2 has joined #openstack-keystone18:42
dolphmmorganfainberg: it sounds like it should be assigned to you then!18:42
morganfainbergit was incomplete until today.18:42
morganfainbergso. now i am trying to duplicate ;)18:42
morganfainbergso i can triage18:42
dolphmif you can duplicate, you can fix18:42
dolphmthe way it's described, it's already Critical (default configuration fails terribly in our default deployment environment) so consider it triaged!18:44
* morganfainberg dockers a 6.5 env. but needs to run errands :(18:45
*** timcline has joined #openstack-keystone18:45
*** alanf-mc has quit IRC18:48
*** samuel-dmq has quit IRC18:57
openstackgerritMerged openstack/keystone: Log info for Fernet tokens over 255 chars
*** henrynash has joined #openstack-keystone19:07
*** ChanServ sets mode: +v henrynash19:07
*** e0ne has joined #openstack-keystone19:10
openstackgerritMerged openstack/keystone: updates sample_data script to use the new openstack commands
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subsets of roles or endpoints
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint
*** e0ne has quit IRC19:24
*** belmoreira has joined #openstack-keystone19:41
*** alanf-mc has joined #openstack-keystone19:43
*** radez is now known as radez_g0n319:47
*** blewis` has quit IRC19:49
*** blewis has joined #openstack-keystone19:49
*** blewis has quit IRC19:53
*** belmoreira has quit IRC19:56
*** opilotte has quit IRC20:07
*** henrynash has quit IRC20:13
*** belmoreira has joined #openstack-keystone20:21
*** radez_g0n3 is now known as radez20:35
dolphmi assume you can still provide an out-of-tree driver using a full package path with stevedore loading, i.e. ?20:36
* stevemar stevedore20:36
stevemardolphm, reporting for duty sir20:37
*** stevemar is now known as stevedore20:37
stevedoredolphm, reporting for duty sir20:37
* dolphm le sigh20:37
dolphmsergeant stevedore, i need you to support out of tree drivers. can you do that for me?20:38
* stevedore rubs his chin in a ponderous manner...20:38
stevedoreprivate dolphm, i believe we can.20:39
bknudsonyour package needs to have a setup.cfg with [entrypoints]
bknudsonlike keystone does20:40
* lbragstad thinks we just came up with new nick friday names... 20:40
bknudsonI always though dolphm was in the navy20:40
*** belmoreira has quit IRC20:40
lbragstadbknudson: that would make sense20:40
bknudsonlbragstad is cavalry for sure.20:41
lbragstaddolphins and water, you know...20:41
dolphmbknudson: oh, that's easy enough20:41
lbragstadugh, I hate riding horses!20:41
bknudsonso if you have your own token provider it would be keystone.token.provider = mytokenprovider = mypackage.token.providers.mytokenprovier:Provider20:42
bknudsonyou can call it whatever you want, but I guess it better not conflict20:43
bknudsonI haven't tried any of this myself, but dhellman described it to me.20:43
*** samueldmq has quit IRC20:45
bknudsondolphm: that's if you want to use stevedore -- keystone still supports loading using the old qualified class name.20:45
dolphmbknudson: no, that makes sense - i totally forgot it was just based on entry points.20:45
dolphmbknudson: but not forever, i assume20:45
bknudsondolphm: loading using the qualified class name is deprecated20:45
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
dolphmstevedore: when you respawn correctly, i have a question on horizon vs k2k20:48
rodrigodsdolphm, curious about the horizon vs k2k question20:51
dolphmstevedore: rodrigods: i'm just wondering what the state of horizon support is as of stable/kilo20:52
stevedoredolphm, back20:52
stevedorefor SSO or for k2k?20:52
dolphmstevedore: k2k20:52
stevedoredne in kilo20:52
dolphmstevedore: hrm, was there not something in progress ahead of kilo's release?20:53
rodrigodsdolphm, stevedore,n,z20:53
stevedoredolphm, yes, refer to and
rodrigodsthe current impl is using the region selector though... we need to change to a "service provider" selector20:54
rodrigodsstevedore, we have someone working in this front, btw20:54
stevedorerodrigods, awesome20:54
rodrigodshe will send an email to doug-fish soon20:54
stevedorewe need to get the k2k plugin for ksc (or ksc-fed) in for this to become real20:54
rodrigodsand I'll try to make the k2k plugin work20:54
rodrigodsstevedore, will do... this week20:55
dolphmstevedore: rodrigods: if we get this stuff completed & merged, is there anything in django_openstack_auth / keystoneclient that would prevent them from working with a kilo deploy?20:55
dolphmassuming we get another stable release of each soon thereafter?20:55
rodrigodsdolphm, a keystone server stable/kilo?20:55
stevedoredolphm, dont think so20:56
*** stpierre has quit IRC20:56
dolphmrodrigods: keystone, yes, along with the rest of openstack20:56
stevedoredolphm, just an updated ksc and doa20:56
*** samueldmq has joined #openstack-keystone20:56
rodrigodsstevedore, ++20:56
stevedoredolphm, are you poking around this for fun or is someone at rax interested?20:56
stevedorecause with the right motivation i'd raise the priority of these work items for myself20:57
dolphmdjango_openstack_auth does have a stable/kilo release branch too though20:57
dolphmstevedore: rax private cloud is interested in putting it into production20:57
rodrigodsdolphm, awesome20:58
stevedoredolphm, we need to decide if that plugin is going into ksc vanilla or ksc-fed20:58
rodrigodsdolphm, will ping you for reviews in the ksc plugin20:58
rodrigodsstevedore, vanilla20:58
dolphmrodrigods: thank you, i'll bookmark the ones you linked above too20:58
rodrigodsdiscussed with jamielennox and marekd in the summit20:58
stevedorerodrigods, awesome sauce20:58
*** jsavak has quit IRC20:58
stevedorerodrigods, jamie had an interesting comment on the patch20:59
rodrigodsdolphm, this one is for the auth plugin that I should be updating this week20:59
*** jsavak has joined #openstack-keystone20:59
stevedorei think he found an easier way to do things?20:59
dolphmrodrigods: should that be WIP until then, or is that piece ready for review?20:59
rodrigodsdolphm, WIP, thanks for the reminder21:00
*** pauloewerton has joined #openstack-keystone21:00
rodrigodsstevedore, we will get the SP info from the token (need to update AccessInfoV3)21:00
rodrigodsstevedore, btw, pauloewerton is our horizon guy21:01
rodrigodsdolphm, ^21:01
pauloewertonrodrigods, stevedore, dolphm hey guys ;)21:05
dolphmpauloewerton: o/21:05
stevedorepauloewerton, o/21:05
*** mattfarina has quit IRC21:07
dolphmpauloewerton: ping me directly if you have any k2k-related reviews21:07
dolphmpauloewerton: or really, any federation reviews21:08
*** jacorob has quit IRC21:08
*** jacorob has joined #openstack-keystone21:08
*** hockeynut has quit IRC21:09
pauloewertondolphm, I will, thanks21:10
*** hockeynut has joined #openstack-keystone21:12
*** topol has quit IRC21:25
dolphmmorganfainberg: would appreciate your eyes on
*** timcline has quit IRC21:32
*** afazekas has joined #openstack-keystone21:34
*** jsavak has quit IRC21:35
*** jsavak has joined #openstack-keystone21:36
HT_sergioDoes anyone know if morganfainberg will be on at all today ?21:41
HT_sergiodolphm, rodrigods: maybe you guys would know ?21:41
morganfainbergI swear I'm not here :P21:41
HT_sergiohaha well now I look silly21:42
HT_sergiothat issue you helped me debug last week in keystonemiddleware v1.0.0 with the service token not being reset correctly21:42
morganfainbergHT_sergio: I have a meeting in like 10minutes and then travel. But I'm checking IRC some :)21:42
HT_sergioI'm about to create a launchpad issue, just so others can find it21:42
bknudsonI thought we deprecated the service token garbage.21:42
HT_sergiosorry, I mean the token that the service was using. The service's token21:43
morganfainbergHT_sergio: I think we solved that or there was a bug / review to fix it.21:43
morganfainbergbknudson: this was the service user token for validating.21:43
morganfainbergNot the x-service-token thing.21:43
HT_sergiomorganfainberg: yes it was already solved, but there's no launchpad issue, so I'm thinking about making one for other people that run into this issue21:44
HT_sergiobecause Ubuntu repos for 14.04 distribute the version w/ the bug21:44
morganfainbergHT_sergio: hmm I though we had a LP bug for it too.21:44
HT_sergio(and for 14.10)21:44
HT_sergiomorganfainberg: this is what I'm asking :)21:44
HT_sergioI didn't find a LP bug21:44
HT_sergiobut maybe you would know better21:44
*** timcline has joined #openstack-keystone21:45
bknudsonmaybe we can remove this for keystonemiddleware 2.021:46
dolphmbknudson: x-service-token is already deprecated?21:46
morganfainbergdolphm: no. Admin_token21:46
bknudsondolphm: x-service-token is still supported.21:46
bknudsonnot sure if anyone has been able to use it yet21:47
morganfainbergbknudson: this was an issue where session wasn't refreshing the service user token.21:47
dolphmoh, i might have run into that too21:47
morganfainbergBecause it was setting .auth_token to None not ._auth_token21:47
morganfainbergI think lbragstad fixed it.21:47
bknudsonoops. blame python.21:47
morganfainbergbknudson: yeah I blame Python.21:47
HT_sergioit was fixed right away, in v1.1.021:48
HT_sergiowhich is already "old21:48
morganfainbergOh right.21:49
HT_sergiobut Ubuntu (for some reason) distributes it so I just want to make sure there's a record of the bug somewhere. So others will know21:49
morganfainbergBecause Ubuntu hasn't released a newer version.21:49
HT_sergiocrummy, I know :p21:49
*** nkinder__ has joined #openstack-keystone21:49
morganfainbergUhmm. I think you need to open a bug against Ubuntu saying the old version of middleware is broken.21:50
HT_sergioyes I'm doing that too21:50
*** timcline has quit IRC21:50
HT_sergioso, should I not bother opening one against keystonemiddleware also ?21:50
morganfainbergNot sure how we handle a bug against 1.1.0 when we don't use that as a stable for any branch ATM21:50
HT_sergiosince it's an old version21:50
morganfainbergHT_sergio: you can and I'll close it as "already fixed" if it helps ;)21:50
*** marzif_ has quit IRC21:50
HT_sergiosounds good!21:51
morganfainbergBut you don't need to open against keystonemiddleware if you don't want to.21:51
*** e0ne has joined #openstack-keystone21:51
openstackLaunchpad bug 1460833 in keystonemiddleware "admin token is not properly refreshed if it expires in v1.0.0" [Undecided,New]21:53
HT_sergiothank you btw!21:53
*** nkinder_ has quit IRC21:54
*** afazekas has quit IRC21:54
*** nkinder__ has quit IRC21:55
*** emagana has quit IRC22:00
bknudsondid keystonemiddleware py34 test break by itself somehow?22:00
*** kwills has joined #openstack-keystone22:01
*** openstackgerrit has quit IRC22:07
*** nkinder__ has joined #openstack-keystone22:07
*** openstackgerrit has joined #openstack-keystone22:08
*** emagana has joined #openstack-keystone22:09
bknudsonno, it didn't... something in the changes did it.22:10
*** emagana has quit IRC22:10
*** jsavak has quit IRC22:13
openstackgerritEric Brown proposed openstack/keystone: Replace blacklist_functions with blacklist_calls
*** bknudson has quit IRC22:17
*** chlong has quit IRC22:18
*** zzzeek_ has quit IRC22:21
*** e0ne has quit IRC22:22
*** jsavak has joined #openstack-keystone22:29
*** jsavak has quit IRC22:30
*** markvoelker_ has joined #openstack-keystone22:35
*** markvoelker has quit IRC22:37
*** HT_sergio has quit IRC22:37
*** lhcheng has quit IRC22:38
*** lhcheng has joined #openstack-keystone22:38
*** ChanServ sets mode: +v lhcheng22:38
*** zzzeek has joined #openstack-keystone22:48
*** mattfarina has joined #openstack-keystone22:50
*** openstackgerrit has quit IRC22:51
*** csoukup has quit IRC22:52
*** openstackgerrit has joined #openstack-keystone22:52
*** dims__ has joined #openstack-keystone22:53
*** stevedore is now known as stevemar22:55
*** dsirrine has quit IRC22:55
*** stevemar is now known as stevedoor22:55
morganfainbergah HT_sergio disappeared22:55
*** dims___ has joined #openstack-keystone22:56
*** dims_ has quit IRC22:56
*** dims__ has quit IRC22:58
*** nkinder__ has quit IRC22:58
*** zzzeek has quit IRC23:00
jamielennoxcan i get some eyes on
jamielennoxi need it in a release so i can do OSC for v3 devstack23:06
*** Ephur has quit IRC23:07
jamielennoxstevedoor: ^23:09
*** dguerri is now known as dguerri`away23:09
*** csoukup has joined #openstack-keystone23:09
*** mattfarina has quit IRC23:10
*** sbasam has quit IRC23:12
*** zzzeek has joined #openstack-keystone23:12
*** sigmavirus24 is now known as sigmavirus24_awa23:12
*** csoukup has quit IRC23:14
*** chlong has joined #openstack-keystone23:41
*** stevedoor is now known as stevemar23:47
stevemarjamielennox, rgr dgr23:48
stevemarit was already in an open tab in chrome, just needed to get to it eventually23:48
stevemari was reviewing your devstack stuff23:48
*** blewis has joined #openstack-keystone23:50
jamielennoxstevemar: yea, it's all interrelated23:50
bigjoolshey morganfainberg, can I generalise that k2k stuff from Friday as 1. write SP switcher for Horizon, 2. generate saml assertions in d-o-a23:51
jamielennoxstevemar: i got excited when samueldmq said that there was only a couple of problems running devstack without v2 and tried it :(23:51
stevemarbigjools, we already have some PoC code for SP switcher in horizon :O23:52
stevemarand DOA should not generate the saml assertions, but rather use an auth plugin23:52
* stevemar finds reviews23:52
bigjoolsoh I vagely remember seeing a review for that23:53
stevemarbigjools, k2k auth plugin:
bigjoolsthat's the badger23:53
jamielennoxyea, we need to do some more on the k2k plugin23:53
stevemarbigjools, horizon stuff:
stevemarjamielennox, yes, good feedback on that btw23:53
*** hemna is now known as hemnafk23:54
jamielennoxthere's a review or a bug or something for exposing service providers via accessinfo which we need, and then a way to expose service providers via auth plugin23:54
*** blewis has quit IRC23:54
bigjoolsnice one, thanks23:54
bigjoolsstevemar: is there anything else that needs doing?23:55
stevemarbigjools, reviews are always welcomed! and super necessary23:55
bigjoolsyeah :)23:56
bigjoolsI'll dive in this week some time23:56
bigjoolshow strict do you want it? :)23:56

Generated by 2.14.0 by Marius Gedminas - find it at!