Friday, 2015-06-05

[00:09] <dstanek> morganfainberg: i don't think it's keystone caching - i'll take a deeper look in a bit though
[00:10] <morganfainberg> dstanek: look at keystonemiddleware caching
[00:10] <morganfainberg> dstanek: unless this is directly an issue in keystone itself
[00:11] <dstanek> morganfainberg: i turned off memcache in my environment
[00:11] <dstanek> morganfainberg: i do get this in the log, but can still see the page
[00:11] <morganfainberg> the keystonemiddleware by default caches tokens for 300s
[00:11] *** dims__ has joined #openstack-keystone
[00:11] <morganfainberg> dstanek: there was an issue or three where horizon wouldn't log you out, but the page was still visible - you just couldn't do actions
[00:11] <dstanek> morganfainberg: that may be it then because after about 5 minutes i can get in
[00:12] *** dims_ has quit IRC
[00:12] <morganfainberg> and ksm caches in memory-dict
[00:12] <morganfainberg> by default
[00:12] <dstanek> morganfainberg: i don't get logged out, i see a little pink dialog after 5 minutes saying: unauthorized...
[00:12] <morganfainberg> yeah that is likely it
[00:12] <morganfainberg> some endpoint is caching the token validation
[00:12] <dstanek> morganfainberg: ok, i'll futz a little bit more with it
[00:12] <morganfainberg> and/or horizon is.
[00:13] *** markvoelker has joined #openstack-keystone
[00:16] *** iamjarvo has quit IRC
[00:17] *** dims__ has quit IRC
[00:17] *** dims_ has joined #openstack-keystone
[00:18] *** markvoelker has quit IRC
[00:22] *** jaosorior has quit IRC
[00:31] *** lhcheng has quit IRC
[00:33] *** nkinder_ has quit IRC
[00:42] *** jsavak has quit IRC
[00:49] *** _cjones_ has quit IRC
[00:50] *** woodster_ has quit IRC
[00:52] *** chlong has quit IRC
[00:54] *** chlong has joined #openstack-keystone
[00:55] *** lhcheng has joined #openstack-keystone
[00:55] *** ChanServ sets mode: +v lhcheng
<bigjools> morganfainberg, marekd: FYI I got it all to work as I described by using this marvellous hack in Shibboleth:
[01:02] <bigjools> you can basically visit a second site and provided you know the secure access URL you tell shibboleth which IdP to use via url params
[01:05] *** alanf-mc has quit IRC
[01:10] *** woodster_ has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone-specs: Federated domain identified by ``id`` not ``name``
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Stop using function deprecated in py34
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Common base class for unit tests
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Unit tests catch deprecated function usage
[01:38] *** tobe has joined #openstack-keystone
[02:02] *** markvoelker has joined #openstack-keystone
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo
[02:06] *** ayoung_ has joined #openstack-keystone
[02:07] *** markvoelker has quit IRC
[02:08] *** ayoung_ has quit IRC
[02:11] *** davechen has joined #openstack-keystone
[02:13] *** gordc has quit IRC
[02:15] *** iamjarvo has joined #openstack-keystone
[02:15] *** iamjarvo has quit IRC
[02:15] *** iamjarvo has joined #openstack-keystone
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: _verify_*_token returns AccessInfo
[02:16] *** spandhe has quit IRC
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor extract method for offline validation
[02:39] *** diabloneo has joined #openstack-keystone
[02:40] *** stevemar has quit IRC
[02:42] *** diabloneo has left #openstack-keystone
<openstackgerrit> liusheng proposed openstack/keystone: Add validity check of 'expires_at' in trust creation
<openstackgerrit> Merged openstack/keystone: Order routes so most frequent requests are first
[02:58] *** boris-42 has quit IRC
[03:07] *** dims_ has quit IRC
[03:08] *** lhcheng has quit IRC
[03:19] *** liusheng has joined #openstack-keystone
[03:32] *** richm has quit IRC
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Serialize user auth plugin
[03:47] *** csoukup has joined #openstack-keystone
[03:47] *** nkinder_ has joined #openstack-keystone
[03:47] *** csoukup has quit IRC
[03:50] *** markvoelker has joined #openstack-keystone
[03:55] *** markvoelker has quit IRC
<openstackgerrit> Chenhong Liu proposed openstack/keystone: Add testcases of list_role_assignments of v3 domains
[04:05] *** dims_ has joined #openstack-keystone
[04:05] *** lhcheng has joined #openstack-keystone
[04:05] *** ChanServ sets mode: +v lhcheng
[04:08] *** lhcheng has quit IRC
[04:10] *** dims_ has quit IRC
[04:18] *** lhcheng has joined #openstack-keystone
[04:18] *** ChanServ sets mode: +v lhcheng
[04:19] *** lhcheng has quit IRC
[04:22] *** rushiagr_away is now known as rushiagr
[04:27] *** rushiagr is now known as rushiagr_away
[04:28] *** lhcheng has joined #openstack-keystone
[04:28] *** ChanServ sets mode: +v lhcheng
[04:29] *** henrynash has joined #openstack-keystone
[04:29] *** ChanServ sets mode: +v henrynash
[04:31] *** iamjarvo has quit IRC
[04:32] *** jamielennox is now known as jamielennox|away
[04:36] *** iamjarvo has joined #openstack-keystone
[04:40] *** rushiagr_away is now known as rushiagr
[04:42] *** sks has joined #openstack-keystone
[04:48] *** lhcheng has quit IRC
[04:49] *** ajayaa has joined #openstack-keystone
[04:55] *** Ephur has quit IRC
[04:56] *** lhcheng has joined #openstack-keystone
[04:56] *** ChanServ sets mode: +v lhcheng
[05:01] *** lhcheng has quit IRC
[05:12] *** esp has left #openstack-keystone
[05:32] *** iamjarvo has quit IRC
[05:39] *** markvoelker has joined #openstack-keystone
[05:41] *** mitz has quit IRC
[05:41] *** tobe has quit IRC
[05:42] *** tobe has joined #openstack-keystone
[05:44] *** tobe has quit IRC
[05:44] *** markvoelker has quit IRC
[05:45] *** chenhong has joined #openstack-keystone
[05:50] *** josecastroleon has joined #openstack-keystone
[05:54] *** jaosorior has joined #openstack-keystone
[05:55] *** belmoreira has joined #openstack-keystone
[05:58] *** lhcheng has joined #openstack-keystone
[05:58] *** ChanServ sets mode: +v lhcheng
[06:01] *** topol has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
[06:19] *** tobe has joined #openstack-keystone
[06:28] *** ajayaa has quit IRC
[06:40] *** ajayaa has joined #openstack-keystone
[06:54] *** dims_ has joined #openstack-keystone
[06:54] *** e0ne has joined #openstack-keystone
[06:57] *** jistr has joined #openstack-keystone
[06:59] *** dims_ has quit IRC
[07:03] *** ajayaa has quit IRC
[07:04] *** e0ne has quit IRC
[07:10] *** woodster_ has quit IRC
[07:12] *** lufix has joined #openstack-keystone
[07:13] <marekd> bigjools: great!
[07:23] *** ajayaa has joined #openstack-keystone
[07:28] *** markvoelker has joined #openstack-keystone
[07:33] *** markvoelker has quit IRC
[07:39] *** dguerri` is now known as dguerri
[07:47] *** jistr is now known as jistr|biab
[07:48] *** rwsu has joined #openstack-keystone
[07:51] *** abhishekk has joined #openstack-keystone
[08:04] *** ajayaa has quit IRC
[08:08] *** pnavarro__ has joined #openstack-keystone
[08:16] *** ajayaa has joined #openstack-keystone
[08:16] *** bdossant has joined #openstack-keystone
[08:22] *** dguerri is now known as dguerri`
[08:22] *** dguerri` is now known as dguerri
[08:22] *** dguerri is now known as dguerri`
[08:22] *** dguerri` is now known as dguerri
[08:23] *** Nikkau has joined #openstack-keystone
[08:23] *** ajayaa has quit IRC
[08:31] *** amaretskiy has joined #openstack-keystone
[08:34] *** chlong has quit IRC
[08:36] *** rwsu has quit IRC
[08:46] *** merlin_ has quit IRC
[08:50] *** jistr|biab is now known as jistr
[08:59] *** jistr has quit IRC
[09:03] <abhishekk> Hi all, I want to add a role to x-service-token, how can I do that? any help is appreciated
[09:07] *** ajayaa has joined #openstack-keystone
[09:09] *** e0ne has joined #openstack-keystone
[09:10] *** henrynash has quit IRC
[09:17] *** markvoelker has joined #openstack-keystone
[09:17] *** lhcheng has quit IRC
[09:19] *** jistr has joined #openstack-keystone
[09:21] *** marzif_ has joined #openstack-keystone
[09:22] *** markvoelker has quit IRC
[09:27] *** chenhong has quit IRC
[09:27] *** chenhong has joined #openstack-keystone
[09:33] *** afazekas_mtg has joined #openstack-keystone
[09:34] *** aix has joined #openstack-keystone
[09:37] *** davechen is now known as davechen_afk
[09:38] *** Nikkau has quit IRC
[09:43] *** dims_ has joined #openstack-keystone
[09:47] *** dims__ has joined #openstack-keystone
[09:48] *** dims_ has quit IRC
[10:07] *** e0ne is now known as e0ne_
[10:12] *** e0ne_ is now known as e0ne
[10:17] *** markvoelker has joined #openstack-keystone
[10:20] *** boris-42 has joined #openstack-keystone
[10:23] *** markvoelker has quit IRC
[10:31] *** ajayaa has quit IRC
[10:33] *** lufix has quit IRC
[10:34] *** ajayaa has joined #openstack-keystone
[10:40] *** lufix has joined #openstack-keystone
[10:47] *** ajayaa has quit IRC
[10:55] *** wasmum has quit IRC
[11:04] *** ajayaa has joined #openstack-keystone
[11:05] *** e0ne is now known as e0ne_
[11:05] *** lhcheng has joined #openstack-keystone
[11:05] *** ChanServ sets mode: +v lhcheng
[11:07] *** e0ne_ is now known as e0ne
[11:10] *** lhcheng has quit IRC
[11:11] *** marzif_ has quit IRC
[11:12] *** marzif_ has joined #openstack-keystone
[11:13] *** marzif_ has quit IRC
[11:13] *** marzif_ has joined #openstack-keystone
[11:18] *** markvoelker has joined #openstack-keystone
[11:19] *** wasmum has joined #openstack-keystone
[11:22] *** markvoelker has quit IRC
[11:23] *** radez is now known as radez_g0n3
[11:35] *** amakarov_away is now known as amakarov
[11:42] *** tobe has quit IRC
[11:43] *** rwsu has joined #openstack-keystone
[11:48] *** dguerri is now known as dguerri`
[11:51] <abhishekk> hi, how to use/enable the service token?
[11:54] *** iamjarvo has joined #openstack-keystone
[11:56] *** sks has quit IRC
[12:09] *** sks has joined #openstack-keystone
[12:11] <marekd> rodrigods: are you going to work on the k2k plugin today or can I change a little bit of the structure?
[12:21] *** e0ne is now known as e0ne_
[12:22] *** e0ne_ is now known as e0ne
[12:24] *** bdossant has quit IRC
[12:27] *** woodster_ has joined #openstack-keystone
[12:31] *** sks has quit IRC
[12:34] *** markvoelker has joined #openstack-keystone
[12:35] *** dguerri` is now known as dguerri
[12:38] *** markvoelker has quit IRC
[12:39] *** pnavarro_ has joined #openstack-keystone
[12:39] *** pnavarro__ has quit IRC
[12:41] *** gordc has joined #openstack-keystone
[12:43] *** pnavarro_ has quit IRC
[12:44] *** bknudson has joined #openstack-keystone
[12:44] *** ChanServ sets mode: +v bknudson
[12:44] *** sks has joined #openstack-keystone
[12:46] *** fhubik has joined #openstack-keystone
[12:48] *** mattfarina has joined #openstack-keystone
[12:52] *** radez_g0n3 is now known as radez
[12:54] *** ajayaa has quit IRC
[12:55] *** lhcheng has joined #openstack-keystone
[12:55] *** ChanServ sets mode: +v lhcheng
[12:56] *** pnavarro_ has joined #openstack-keystone
[12:56] *** fhubik has quit IRC
[13:00] *** lhcheng has quit IRC
[13:02] *** fhubik has joined #openstack-keystone
[13:04] *** rlt has joined #openstack-keystone
[13:06] *** ajayaa has joined #openstack-keystone
[13:07] *** topol has joined #openstack-keystone
[13:07] *** ChanServ sets mode: +v topol
[13:08] *** iamjarvo has quit IRC
[13:09] *** dims__ has quit IRC
[13:10] *** dims_ has joined #openstack-keystone
[13:14] *** topol has quit IRC
[13:16] *** mestery is now known as mestery_afk
[13:17] *** mattfarina has quit IRC
<openstackgerrit> Guojian Shao proposed openstack/keystone-specs: fix wrong title for OS-INHERIT Extension spec
[13:18] *** boris-42 has quit IRC
[13:18] *** lhcheng has joined #openstack-keystone
[13:18] *** ChanServ sets mode: +v lhcheng
[13:20] *** richm has joined #openstack-keystone
[13:21] *** fhubik is now known as fhubik_afk
[13:23] *** lhcheng has quit IRC
[13:28] *** geoffarnold_ has joined #openstack-keystone
[13:28] *** rushiagr is now known as rushiagr_away
[13:29] *** geoffarn_ has joined #openstack-keystone
[13:30] *** pnavarro_ has quit IRC
[13:32] *** mattfari_ has joined #openstack-keystone
[13:32] *** iamjarvo has joined #openstack-keystone
[13:32] *** iamjarvo has quit IRC
[13:37] *** geoffarn_ has quit IRC
[13:39] *** e0ne is now known as e0ne_
[13:39] *** e0ne_ is now known as e0ne
[13:40] *** afazekas_mtg has quit IRC
[13:41] *** boris-42 has joined #openstack-keystone
[13:42] *** HT_sergio has joined #openstack-keystone
<openstackgerrit> Corey Bryant proposed openstack/python-keystoneclient: Use python-six shim for assertRaisesRegex/p
[13:45] *** mattfari_ has quit IRC
[13:47] *** geoffarnold_ has quit IRC
[13:50] *** chenhong has quit IRC
<openstackgerrit> Guojian Shao proposed openstack/keystone-specs: fix wrong title for OS-INHERIT Extension spec
[13:57] * breton trying gertty
[13:58] *** afazekas has joined #openstack-keystone
[14:01] *** zzzeek has joined #openstack-keystone
[14:03] *** jsavak has joined #openstack-keystone
<openstackgerrit> Dolph Mathews proposed openstack/keystone: rename policy.v3cloudsample.json to policy.future.json
[14:05] *** markvoelker has joined #openstack-keystone
[14:06] *** ajayaa has quit IRC
[14:06] *** dsirrine has joined #openstack-keystone
[14:07] *** topol has joined #openstack-keystone
[14:07] *** ChanServ sets mode: +v topol
<openstackgerrit> Dolph Mathews proposed openstack/keystone: rename policy.v3cloudsample.json to policy.future.json
[14:08] *** henrynash has joined #openstack-keystone
[14:08] *** ChanServ sets mode: +v henrynash
[14:09] *** iamjarvo has joined #openstack-keystone
[14:09] *** iamjarvo has quit IRC
[14:09] <amakarov> ayoung, hi! Are you here?
[14:09] *** markvoelker has quit IRC
[14:10] <ayoung> amakarov, depends on where "here" is.  Aren't you like in Russia or something?
[14:10] <ayoung> I am not here in Russia.
[14:10] *** iamjarvo has joined #openstack-keystone
[14:11] <amakarov> ayoung, I think, according to your logic, from your perspective "here" is just where you are :)
[14:11] <ayoung> amakarov, then, by definition, I am always here.  Just here is not there.
[14:11] <amakarov> I'm about revocations
[14:11] <ayoung> I'm about the Pentiums
[14:12] *** sigmavirus24_awa is now known as sigmavirus24
[14:12] <amakarov> My patch solves the issue only partially :(
[14:12] *** topol has quit IRC
[14:13] <amakarov> If the user has a role in a project AND belongs to a group having the same role, his personal role assignment will also be revoked upon group role revocation
[14:14] <ayoung> amakarov, yep
[14:15] <ayoung> amakarov, my view is that tokens are way too long lived anyway, and getting a new token should be cheap. But I can see how this might mess up a long running workflow
[14:15] <amakarov> The solution I see is to store the group in the revocation event, but in this case we'll have to obtain the group for the user in KSM too
[14:15] <ayoung> amakarov, that is one solution.   But headed in the wrong direction, IMO
[14:15] *** abhishekk has quit IRC
[14:16] <ayoung> amakarov, it is putting more work in place to make it easy to keep long lived tokens around
[14:16] <ayoung> and making tokens bigger, and committing to a larger contract
[14:16] *** e0ne is now known as e0ne_
[14:17] <ayoung> amakarov, I'm not going to hold it up, but don't expect me to get excited about it or support it
[14:17] *** merlin_ has joined #openstack-keystone
[14:17] <ayoung> amakarov, I can see how it is likely to play out in unintended consequences
[14:18] <ayoung> people can then enforce policy based on group instead of role/project
[14:18] <ayoung> and then they are going to realize that groups come only from the IdP, except for mapping
[14:18] <amakarov> ayoung, well, as I see in your comment, you suggest revoking by role, and don't care about some innocent tokens getting killed? )
[14:18] *** rushiagr_away is now known as rushiagr
[14:18] <ayoung> amakarov, tokens are never innocent
[14:18] <ayoung> tokens suffer from original sin
[14:19] <amakarov> ayoung, origi-what?? )))
[14:19] <ayoung> well, my name is Adam....
[14:19] <amakarov> pleased to meet you, grandpa
[14:20] <ayoung> amakarov, I know that I am associated with revocations, but that is because I lack common sense.  I should never have agreed to do revocations
[14:20] <ayoung> I should have let the people that actually care about them do them
[14:20] *** henrynash has quit IRC
[14:20] <ayoung> but I was strongarmed into them when I wrote PKI tokens
[14:21] <ayoung> I spent the whole release getting the feature ready, only to have someone (I want to blame RussellBryant) say that we could not have tokens that couldn't be revoked
[14:21] <ayoung> I pointed out that we already had that, as tokens went into Memcache and were never revalidated
[14:21] <ayoung> I should have held my ground,
[14:21] <ayoung> Now we have bad idea on top of bad idea.
[14:22] *** timcline has joined #openstack-keystone
[14:22] <ayoung> and the CLI still gets a new token for every operation
[14:22] <amakarov> ayoung, I see, interesting... So your point is to let tokens live their short life and die young?
[14:22] <ayoung> and Horizon still hashes the PKIZ tokens, and we are headed to Fernet tokens but getting revocation events split off them
[14:22] <ayoung> amakarov, yes yes yes
[14:22] <ayoung> die die die!
[14:23] <ayoung> As Billy Joel says, Only the good die young.
[14:23] <ayoung> and, since my last name is Young, and I am going to die someday, I must be good
[14:23] *** jsavak has quit IRC
[14:24] <amakarov> Let's go kill something already! Maybe something small! Anything!! Huh?? (c) Lilarcor
[14:24] <ayoung> amakarov, I liked your earlier suggestion of just revoking by role assignments
[14:24] <ayoung> in Federation, we won't have the user list
[14:25] <ayoung> let's not stick the groups in the tokens, and just revoke all for a role-on-project
[14:25] <amakarov> ayoung, hm, that ruins the idea of revoking by user
[14:25] <ayoung> user suck
[14:25] <ayoung> users suck
[14:25] <ayoung> all users
<dolphm> amakarov: group stuff recently came up on the mailing list, so i put this together yesterday
[14:26] <ayoung> dolphm, I saw that.  Was holding off on commenting.
[14:26] <ayoung> dolphm, what if we just kill revocations?
[14:26] *** e0ne_ has quit IRC
[14:26] <ayoung> across the board
[14:26] <dolphm> ayoung: user expectations
[14:27] <ayoung> say "if you are doing something long lived use a delegation"  we can even push OAUTH as the way to do it since it is something like a standard
[14:27] <ayoung> with Fernet, tokens are always going back to Keystone so the round trip is expected.
[14:28] *** sks has quit IRC
[14:28] <ayoung> We can just make it easier to get new tokens instead of trying to solve all the issues with revocation
[14:29] <ayoung> dolphm, let's put the band-aid on revocations:  if a group loses a role, revoke all by role-assignment.  It's not perfect, but it is the current status quo
[14:29] <dolphm> what's henrynash's current email address?
[14:29] <dolphm> bknudson: ? ^
[14:29] <ayoung> dolphm, I have it, one sec
[14:29] <ayoung> dolphm, I have the first one
[14:29] <ayoung> did it change?
[14:29] <dolphm> possibly, he moved to a new group in IBM
[14:30] <dolphm> within the last cycle
[14:30] *** jsavak has joined #openstack-keystone
[14:32] <amakarov> ayoung, dolphm: we can drop revocations, but we'll have to make other components create trusts if they want delegation. Ideally it will be some sort of one-time ticket instead of a token
<openstackgerrit> Boris Bobrov proposed openstack/keystone: Remove custom assertions for python2.6
<openstackgerrit> Dolph Mathews proposed openstack/keystone: Avoid using the interactive interpreter for a one-liner
[14:34] <ayoung> amakarov, so, right now, there is no limit on what a user can do with a token.  If I pass a token to nova, it can turn around and use it to make a trust in Keystone.  Heat does that already.  I don't love it, but it shows the right general direction
[14:34] <ayoung> what we should do is make the trust mechanism limited by default:
<openstackgerrit> Dolph Mathews proposed openstack/keystone: Avoid using the interactive interpreter for a one-liner
[14:35] <ayoung> that way, a revocation is done by revoking a trust, not a token
[14:35] *** geoffarnold has quit IRC
[14:35] <dolphm> ayoung: how is that the right general direction?
[14:35] <ayoung> I think, to do it right, would require the dynamic policy stuff
[14:35] <amakarov> ayoung, what about merging trusts with assignments?
[14:35] <ayoung> amakarov, yes
[14:35] <ayoung> unified delegation
[14:35] <dolphm> amakarov: ++.
[14:36] <ayoung> dolphm, points in the right direction...not the right solution at the moment
[14:36] <ayoung> dolphm, have not written it yet, as I am trying to get policy going first, but...
[14:37] *** packet has joined #openstack-keystone
[14:38] <ayoung> er.. amakarov that is...I have not written the spec yet, as I still don't really know all the steps.  I do know that we need to make it easy to make and use delegations, and to make them limited by default, and that trusts, role assignments, and oauth should all use the same mechanism
[14:39] <amakarov> ayoung, maybe we can start with a blueprint, describe use-cases there and the spec will be obvious?
[14:39] <ayoung> there are some interesting issues to solve when merging trusts and assignments.  Let's say that bknudson works for topol, and gets his roles assigned from topol.  If topol then moves to a different position, where he can no longer delegate to bknudson, what happens to bknudson's assignments
[14:40] <ayoung> amakarov, go for it...I have my hands full with policy.  I was thinking that unified delegations would be a topic for the next summit
[14:40] <ayoung> getting it started now would be fantastic.
[14:40] *** sks has joined #openstack-keystone
[14:40] *** jsavak has quit IRC
[14:41] <ayoung> amakarov,  you'll note that it was my starting point for dynamic policy
[14:41] <bknudson> I don't work for topol!
[14:42] <ayoung> dolphm, I am not going to get in your way if you want to drive on with roles in the tokens.  I think they might have additional uses in the future, but make sure you are ok with those uses please.  They are not inherently a bad idea
[14:42] <ayoung> bknudson, heh
[14:42] <ayoung> bknudson, and then you lost all the roles he assigned you!
[14:42] * amakarov writing a post-it "spec for unified delegation"
[14:42] *** belmoreira has quit IRC
[14:42] <ayoung> amakarov, +++++++
[14:43] <ayoung> amakarov, please include out existing oauth extension in there
[14:43] <ayoung> amakarov, please include *our* existing oauth extension in there
[14:43] <amakarov> ayoung, ++
[14:43] *** jsavak has joined #openstack-keystone
[14:44] <amakarov> ayoung, so for now I'll modify my patch to revoke by role
[14:44] *** stevemar has joined #openstack-keystone
[14:44] *** ChanServ sets mode: +v stevemar
[14:44] <ayoung> amakarov, role + scope
[14:44] <ayoung> like you had originally, right?
[14:44] <amakarov> ayoung, ok
[14:45] *** zzzeek has quit IRC
[14:45] *** e0ne has joined #openstack-keystone
[14:45] <ayoung> dolphm, you OK with amakarov doing that?
[14:46] *** zzzeek has joined #openstack-keystone
[14:46] *** zzzeek has quit IRC
[14:48] <dolphm> absolutely, trusts should have been backed by assignments in the first place
<amakarov> ayoung, 1 more thing:
[14:48] <dolphm> they're the exact same thing, one just has a bunch of extra metadata and dynamic behaviors layered on top
[14:49] <ayoung> dolphm, yep.  One reason I called them trusts instead of delegation is I was aware I was experimenting, and that this was not the only, not even the dominant delegation mechanism.  And now I can see it was cus we lacked some of the structure we needed in the core assignments
[14:50] <ayoung> being able to maintain the chain of delegation was missing, and if we get that into the core assignments mechanism, trusts become a trivial extension
[14:51] *** nkinder_ has quit IRC
[14:52] <dolphm> ayoung: but unfortunately, you weren't experimenting at all, even if that's what it felt like. you were pushing to ship a stable implementation of a user-accessible feature.
[14:53] *** topol has joined #openstack-keystone
[14:53] *** ChanServ sets mode: +v topol
<openstackgerrit> Boris Bobrov proposed openstack/keystone: Remove custom assertions for python2.6
[14:58] *** hemnafk is now known as hemna
[14:59] <ayoung> dolphm I stand by the implementation.  Just the name was an ack that it was not the only form of delegation
[14:59] <ayoung> I also thought of delegation as serer to server
[15:00] *** andrewbogott has joined #openstack-keystone
[15:01] *** esp has joined #openstack-keystone
[15:01] <ayoung> server to server.
[15:03] <andrewbogott> What determines what url the keystone client uses for the keystone API?
[15:03] *** jsavak has quit IRC
[15:04] *** jsavak has joined #openstack-keystone
[15:05] <ayoung> andrewbogott, two things
[15:05] <ayoung> first the AUTH_URL env var tells the client where to go to get a token (and a couple other early stage things like listing projects)
[15:06] <ayoung> andrewbogott, then it gets a service catalog back with that token that the client will use for any other scoped operations on Keystone
[15:06] <andrewbogott> ayoung: is AUTH_URL the same as --os-auth-url?
[15:06] <ayoung> and it depends on the operation which URL it uses, admin or main, in the v2 world.
[15:06] <ayoung> andrewbogott, yes
[15:06] <ayoung> andrewbogott, the CLI arg to openstack client (and keystone CLI) overrides the env var
[15:07] <andrewbogott> $ keystone --os-auth-url "" service-list
<andrewbogott> Unable to establish connection to
[15:07] <andrewbogott> So, what's happening there?  Does labcontrol1001 have a catalog that sends me to virt1000 for... the catalog?
[15:07] <ayoung> andrewbogott, looks like a network issue
[15:08] <ayoung> andrewbogott, it's not a 404
[15:08] <andrewbogott> ayoung: note that the url in the error message is different from the url I requested
[15:08] <andrewbogott> I don't think my network is rewriting urls
[15:08] <ayoung> andrewbogott, but the hostname is the same...
[15:08] <ayoung> no it is not
[15:08] <ayoung> ok, so that is probably coming from the service catalog
[15:09] <andrewbogott> --service-list is redirected through the service catalog?
[15:09] <ayoung> andrewbogott, yep
[15:09] <andrewbogott> So I can never actually see the service catalog on labcontrol1001?
[15:09] <ayoung> andrewbogott, not if you can't see the admin host
[15:10] <ayoung> andrewbogott, there are possibly hacks you can do to get around it
[15:10] <ayoung> but it is a setup issue,
[15:10] <breton> dolphm: > It would enable token revocation events to be issued per user group
[15:10] <andrewbogott> I can think of why this would happen.  labcontrol1001 and virt1000 share a common db server, so probably the new server is pulling the catalog that I set up for the old host
[15:11] <andrewbogott> ayoung: I think this is making sense now.  So, in fact, I probably /do/ need to just fix my network.
[15:11] <andrewbogott> And then, actually, this is good, because I can move services over one at a time.
[15:11] <breton> dolphm: what's the problem with issuing token revocations per group and matching the user's group dynamically in revocation code?
[15:12] <breton> dolphm: without including the group in the token
[15:12] <andrewbogott> ayoung: thank you for the explanation.
[15:12] <dolphm> breton: the goal is to be able to match revocation events in keystonemiddleware.auth_token, not just in keystone
[15:12] *** lsmola has quit IRC
[15:12] <breton> got it.
[15:16] <dstanek> dolphm: did you see my note on that security bug?
[15:17] <dolphm> dstanek: the one i just closed?
[15:17] <dstanek> dolphm: maybe :-) i didn't see that email yet
[15:17] <openstack> Launchpad bug 1461095 in OpenStack Security Advisory "Token is not revoked when removing a user from project in Horizon" [Undecided,Won't fix]
[15:19] <dolphm> dstanek: thanks for reproducing!
[15:19] <dstanek> dolphm: cool, glad it's closed. i was up too late last night so having trouble getting into the groove this morning
[15:20] <dolphm> dstanek: curl coffee | git apply
[15:24] *** Ephur has joined #openstack-keystone
*** lufix has quit IRC15:26
*** e0ne is now known as e0ne_15:29
*** e0ne_ is now known as e0ne15:30
*** markvoelker has joined #openstack-keystone15:30
*** e0ne is now known as e0ne_15:30
*** e0ne_ is now known as e0ne15:30
bknudsonI hope there's no git revert15:32
*** markvoelker has quit IRC15:34
*** thedodd has joined #openstack-keystone15:36
*** gyee_ has joined #openstack-keystone15:38
*** david-lyle has quit IRC15:46
*** david-lyle has joined #openstack-keystone15:46
openstackgerritMerged openstack/keystone-specs: fix wrong title for OS-INHERIT Extension spec
*** _cjones_ has joined #openstack-keystone15:55
openstackgerritBoris Bobrov proposed openstack/keystone: Remove custom assertions for python2.6
sigmavirus24So about the stuff Sean wants from the policy work, it seems like what he really wants is a way of saying, "introspect this rule and apply these constraints" which seems reasonable, but probably belongs in oslo.policy instead of in each service, no? It should be plausible to do it, but I'm not sure if A) it's something most services will use or B) if it should be checked when the server is running or be provided as part of16:00
sigmavirus24 ayoung's tool for testing policy files16:00
*** jistr has quit IRC16:03
openstackgerritMarek Denis proposed openstack/keystone: Mapping Engine CLI
openstackgerritMarek Denis proposed openstack/keystone: Mapping Engine CLI
dstanekmarekd: nice ^16:06
marekddstanek: ty16:06
sigmavirus24ayoung: reading16:08
*** dsirrine has quit IRC16:11
*** jsavak has quit IRC16:12
*** dguerri is now known as dguerri`16:13
*** jsavak has joined #openstack-keystone16:13
*** fhubik_afk is now known as fhubik16:18
ayoungsigmavirus24, I realize it does not answer exactly what you were saying16:19
ayoungbut the whole discussion is huge, and I think this is the heart of it16:19
sigmavirus24ayoung: yeah, it just seems like we're all talking a bit past each other16:19
*** geoffarnold has joined #openstack-keystone16:19
sigmavirus24I understand Sean's concerns16:19
sigmavirus24I also understand that they're a bit tangential and can be addressed later16:19
*** geoffarnold has quit IRC16:22
*** geoffarnold has joined #openstack-keystone16:22
ayoungsigmavirus24, If default policy comes from the service, and we always layer a new policy down on top of an old one, we get the behavior he wants, but not the warning16:23
*** e0ne is now known as e0ne_16:23
ayoungsigmavirus24, also, if the default policy is not uploaded to the central server, queries about "what can I do" against the central server m,ight be wrong16:23
*** e0ne_ has quit IRC16:24
ayoungsigmavirus24, so, I think the warning he wants needs to be done at the policy server16:25
ayoungand...that should be auditable anyway16:25
gyee_ayoung, OpenStack deployment various a lot because of security and compliance, there's really no golden "default". Warning will make it counterintuitive.16:25
*** davidckennedy has quit IRC16:25
ayounggyee_, I think he's on the right track, but maybe has not gone far enough:16:25
gyee_if I have to bet on it, default will just be either "admin" or "owner" :)16:26
ayounggyee_, default should actually be "NOTHING!"16:27
gyee_ayoung, how do you think we got into bug 968696 in the first place?16:27
openstackbug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] - Assigned to Adam Young (ayoung)16:27
gyee_default to "admin" for everything16:27
ayounggyee_, I think the first thing we do is throw out the default.  Then everything has to be explicit, or it gets denied16:28
gyee_isn't that what we are trying to avoid?16:28
ayoungsecond is to get common header...the common policy file was the start for that16:28
ayoungno,  we want an explicit rule for each16:28
ayoungotherwise, we end up with ceilometer16:28
gyee_yeah, that's pretty what the "default" looks like16:30
*** amaretskiy has quit IRC16:33
*** geoffarnold has quit IRC16:39
*** e0ne has joined #openstack-keystone16:40
*** roxanaghe has joined #openstack-keystone16:42
*** e0ne has quit IRC16:43
*** spandhe has joined #openstack-keystone16:43
*** henrynash has joined #openstack-keystone16:47
*** ChanServ sets mode: +v henrynash16:47
*** fhubik is now known as fhubik_afk16:51
*** alanf-mc has joined #openstack-keystone16:52
*** geoffarnold has joined #openstack-keystone16:56
rodrigodshi marekd, I won't work on it today, please do the changes you are suggesting and add yourself as co-author :)16:57
marekdrodrigods: let me add another patch on top of that, ok?16:57
marekdso i don't destroy your work in case mine is a crap :-)16:57
*** jsavak has quit IRC16:59
rodrigodsi'm sure it won't be :)16:59
*** alanf-mc_ has joined #openstack-keystone17:00
*** alanf-mc has quit IRC17:02
*** geoffarnold has quit IRC17:08
*** alanf-mc_ has quit IRC17:11
*** alanf-mc has joined #openstack-keystone17:11
*** yottatsa has joined #openstack-keystone17:14
yottatsahello everybody17:14
yottatsajust dug into new keystone and have some questions about Fernet17:14
dolphmyottatsa: some questions answered
*** dguerri` is now known as dguerri17:16
yottatsathanks dolphm, but there is a question not from FAQ )17:17
*** lhcheng has joined #openstack-keystone17:18
yottatsaActually, why don't just impersist usual PKI token? It already validates offline, so keystone could validate it same way?17:18
stevemaryottatsa, PKI had size issues :(17:19
*** markvoelker has joined #openstack-keystone17:19
dolphmyottatsa: yep, just because they're too big17:19
yottatsastevemar, yup I know it's veeeery bad, I had a 6 region setup full of services17:19
dolphmyottatsa: otherwise, they share the same basic advantages17:19
yottatsadolphm, so why not just remove the catalog from the PKI token?17:21
ayoungIn keeping with the wonderful naming patterns of Boston, BU grounds East are East of, and slightly to the south of, BU grounds south.17:22
dstanekyottatsa: if you removed the catalog and stopped putting them in the database it would be great for PKI, but still not as lightweight as fernet17:23
dstanekayoung: sorry, can't parse17:23
*** markvoelker has quit IRC17:24
* yottatsa is rewriting federation/sso on new framework now.. (((17:26
*** henrynash has quit IRC17:26
ayoungdstanek, things to be aware of before the midcycle:
marekdyottatsa: i am curious what do you mean by new framework ?17:27
*** harlowja has quit IRC17:27
yottatsain Yandex, we have sso and federation with an existing token system called Yandex.Passport since havana17:28
*** lhcheng has quit IRC17:28
marekdyottatsa: so your goal is to start using upstream version of federation/sso or propose Yandex.Passport to the upstream, because you think it's better?17:29
yottatsamarekd, our goal is to start using the upstream version instead of our custom auth.token driver17:30
marekdyottatsa: ah, ok :-)17:30
dstanek"It's not a purse, it's a pockabook."17:31
*** lhcheng has joined #openstack-keystone17:32
*** harlowja has joined #openstack-keystone17:32
*** lastops has joined #openstack-keystone17:33
*** amakarov is now known as amakarov_away17:34
stevemaryottatsa, how were you guys doing federation before?17:36
yottatsastevemar, yandex.passport is a sort of token issue/validation system, that provides you with web cookie or oauth token, and service for validation17:39
dolphmyottatsa: we've actually introduced an API to remove the catalog from PKI tokens already - authenticate with ?nocatalog17:39
*** rushiagr is now known as rushiagr_away17:40
stevemaryottatsa, you should be able to use that with the federation extension, i think17:41
*** jsavak has joined #openstack-keystone17:42
yottatsastevemar, so customer could validate cookie or OAuth with the keystone's /v3/auth/token17:42
yottatsakeystoneclient.session.Session(auth=keystoneclient.auth.identity.v3.Token(auth_url=auth_uri, token=cookie))17:43
dolphmstevemar: rodrigods: marekd: questions on k2k workflow!
yottatsastevemar, actually the problem is to provide users with cli and python API for using this federation17:44
marekddolphm: looking17:44
*** henrynash has joined #openstack-keystone17:44
*** ChanServ sets mode: +v henrynash17:44
dolphmstevemar: marekd: rodrigods: i'm trying to figure out if the bold bits are correct, and if so, why? the rest looks good to me17:45
*** marzif_ has quit IRC17:45
*** dsirrine has joined #openstack-keystone17:45
marekddolphm: you copied those steps from some documentation ?17:45
dolphmmarekd: i was given this - i'm not sure where that person got them from ;)17:45
rodrigodsdolphm, the service provider entry is not "inside" the catalog17:46
dolphmmarekd: i googled and couldn't find a source17:46
rodrigodsis right below it17:46
marekddolphm: no worries17:46
rodrigodsdolphm, i made this blog post about the setup as well:
*** e0ne has joined #openstack-keystone17:48
*** jsavak has quit IRC17:49
*** jsavak has joined #openstack-keystone17:49
*** henrynash has quit IRC17:50
dolphmrodrigods: nice!17:50
*** andrewbogott has left #openstack-keystone17:51
*** marzif_ has joined #openstack-keystone17:51
*** dsirrine has quit IRC17:53
stevemardolphm, bold bits?17:53
stevemarthe etherpad17:53
dolphmstevemar: yeah, i think they answered my questions17:53
stevemari was writing an email17:53
* stevemar too slow!17:53
dolphmstevemar: i think you directed me to this review earlier. the remaining todo list there is pretty simple, but looks like work stopped at summit time :)17:56
dolphmstevemar: any idea if that could land as part of django_openstack_auth 1.4.0 ?17:56
yottatsasoooo, should I use this boilerplate as an auth plugin base?17:57
marekdyottatsa: yes, however bear in mind, we are going to use in the nearest future. much cleaner17:58
marekdand simpler17:59
marekdand this will be the interface-class for those plugins.17:59
marekdyottatsa: if you are writing something that can wait few weeks i'd recommend building on top on, not federated.py17:59
yottatsamarekd, does it mean that python-ksc is now splitting on keystoneauth, keystonemiddleware and pure keystone client?18:01
marekdyottatsa: yes18:01
marekdyottatsa: and some auth plugins will be pulled out into separate repositories, for instance saml2 auth plugins and kerberos18:02
* yottatsa isn't interested in saml2 and kerberos though )18:04
*** rwsu has quit IRC18:04
openstackgerritMarek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPLugin scoping capabilities
marekdgerrit shouldn't run tests on patches marked as WIP - it's intended to not be review-ready so why waste resources....18:06
dolphmmarekd: i'm glad it does though - although i agree that they shouldn't receive equal priority18:10
marekddolphm: why are you glad?18:11
marekdpatches marked WIP are more like a place where developer may keep his unfinished work, so why run tests on them. he can ask for gerrit tests when he is ready.18:13
*** jsavak has quit IRC18:13
bknudsonis draft still supported?18:13
openstackgerritMarek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPLugin scoping capabilities
marekdok, i am out of here for a while. bye!18:16
*** yottatsa has quit IRC18:21
*** brad[] has joined #openstack-keystone18:25
*** yottatsa has joined #openstack-keystone18:27
*** jsavak has joined #openstack-keystone18:28
*** Zanatoz has quit IRC18:29
*** sks has quit IRC18:33
*** jsavak has quit IRC18:35
*** jsavak has joined #openstack-keystone18:36
*** fhubik_afk is now known as fhubik18:38
yottatsacould you please show me any example of federation auth?18:43
yottatsanot k2k or kerb?18:43
*** iamjarvo has quit IRC18:44
*** lhcheng has quit IRC18:46
*** harlowja has quit IRC18:46
*** mattfarina has joined #openstack-keystone18:47
*** gyee_ has quit IRC18:47
*** fhubik has quit IRC18:48
*** iamjarvo has joined #openstack-keystone18:50
*** htruta has quit IRC18:52
*** harlowja has joined #openstack-keystone18:53
*** ctracey has quit IRC18:54
*** serverascode has quit IRC18:54
*** nzeer has quit IRC18:54
*** jraim has quit IRC18:54
*** briancurtin has quit IRC18:54
*** zhiyan has quit IRC18:54
*** lhcheng has joined #openstack-keystone18:54
*** sumanth has joined #openstack-keystone18:54
sumanthI am new to openstack development18:55
dstaneksumanth: welcome18:56
*** yottatsa has quit IRC18:58
*** lastops has quit IRC19:00
sumanthI need some help with integrating our organization's SSO19:05
*** ayoung has quit IRC19:05
sumanthwith openstack19:05
sumanthThank you dstanek19:05
*** iamjarvo has quit IRC19:06
sumanthI was wondering if that is possible19:06
sumanthif so, how do I go about doing it?19:06
bigjoolsWhat sort of SSO is it? SAML? Kerberos?19:07
*** markvoelker has joined #openstack-keystone19:08
*** lastops has joined #openstack-keystone19:10
*** jaosorior has quit IRC19:12
*** markvoelker has quit IRC19:12
sumanthBigjools: it's shibboleth authentication19:14
sumanthwhich generates a SAML19:15
*** lastops has quit IRC19:15
*** radez is now known as radez_g0n319:15
*** iamjarvo has joined #openstack-keystone19:19
bigjoolssumanth: you're in luck, I wrote a blog post
sumanthcool thanks a lot !19:20
sumanthI will go through it19:20
*** ayoung has joined #openstack-keystone19:20
*** ChanServ sets mode: +v ayoung19:20
bigjoolsI am neck deep in Shibboleth config right now19:20
bigjoolsyou will swear a lot19:20
*** lastops has joined #openstack-keystone19:22
sumanthI don't mind that, that's the reason I do programming :D19:22
sumanthIf I have any questions while I configure, can I ping you directly?19:23
*** lastops has quit IRC19:25
*** iamjarvo has quit IRC19:31
bigjoolssumanth: sure19:33
stevemardolphm, how important is irc in openstack development?19:33
bigjoolsI am travelling over the weekend so catch me before then19:33
bknudsondolphm: if openstack was a tree, what species would it be?19:36
*** iamjarvo has joined #openstack-keystone19:37
*** iamjarvo has quit IRC19:37
bknudsonit's deep questions for dolphm friday.19:38
*** iamjarvo has joined #openstack-keystone19:38
*** e0ne has quit IRC19:39
dstanekbknudson: is there one that blooms every 6 months?19:40
*** zzzeek has joined #openstack-keystone19:41
dstanek...and can't agree on how to bloom the next time :-)19:42
bknudsondstanek: that's a tough one.19:42
*** sumanth has quit IRC19:46
*** sumanth has joined #openstack-keystone19:50
lbragstadbknudson: dstanek Sheep-Eating Plant19:52
lbragstadapparently they take a *really* long time to bloom19:53
bknudsonlbragstad: plus they eat sheep19:53
lbragstadbknudson: yes, yes they do, they actually shoot mace like flowers19:54
bknudsonlike openstack19:54
lbragstadhow's that for usability!19:54
lbragstadit's fun *and* dangerous19:55
dstaneki can respect a good sheep eater19:56
lbragstadthey take 15 - 20 years to bloom19:56
bknudsonI could use a deer-eater here.19:56
*** henrynash has joined #openstack-keystone19:56
*** ChanServ sets mode: +v henrynash19:56
lbragstadthat's a long development cycle19:56
bknudsonit'll probably take us 15-20 years to get rid of v2.19:57
*** dims__ has joined #openstack-keystone19:57
*** henrynash_ has joined #openstack-keystone20:00
*** ChanServ sets mode: +v henrynash_20:00
*** dims_ has quit IRC20:00
*** timcline has quit IRC20:00
*** henrynash has quit IRC20:01
*** henrynash_ is now known as henrynash20:01
*** boris-42 has quit IRC20:02
*** henrynash has quit IRC20:10
*** thedodd has quit IRC20:11
*** thedodd has joined #openstack-keystone20:11
*** dims__ has quit IRC20:11
*** jsavak has quit IRC20:12
*** jsavak has joined #openstack-keystone20:13
stevemarbknudson, be more optimistic about it, maybe 5-10 :P20:16
*** e0ne has joined #openstack-keystone20:16
*** tellesnobrega_ has joined #openstack-keystone20:17
bknudson# Deprecated group/name - [ldap]/tenant_tree_dn -- when did this happen?20:19
bknudsonoh, never mind.20:20
bknudsonI was scared by the [ldap]... thought it had moved.20:20
bknudsonbut the name just changed20:20
*** markvoelker has joined #openstack-keystone20:24
stevemarbknudson, as soon as devstack can run v3 alone, i am submitting a patch to deprecate v2.0 :P20:25
ayoungbigjools, use Mellon and Ipsilon20:25
*** topol has quit IRC20:25
*** markvoelker has quit IRC20:28
bknudsonput a sleep(10) in the v2 controllers.20:29
*** lhcheng has quit IRC20:29
*** henrynash has joined #openstack-keystone20:32
*** ChanServ sets mode: +v henrynash20:32
*** nzeer has joined #openstack-keystone20:36
*** tellesnobrega_ has quit IRC20:38
*** jraim has joined #openstack-keystone20:38
*** tellesnobrega_ has joined #openstack-keystone20:39
*** iamjarvo has quit IRC20:39
*** ayoung has quit IRC20:44
*** e0ne has quit IRC20:45
*** ctracey has joined #openstack-keystone20:46
stevemarthat would be nasty20:47
*** roxanaghe has quit IRC20:48
*** e0ne has joined #openstack-keystone20:48
*** serverascode has joined #openstack-keystone20:51
*** zhiyan has joined #openstack-keystone20:54
bknudsonmake it go up over time... sleep(months since some date)20:55
lbragstadbknudson: ++20:56
*** mattfarina has quit IRC20:59
*** boris-42 has joined #openstack-keystone21:00
*** ayoung has joined #openstack-keystone21:00
*** ChanServ sets mode: +v ayoung21:00
*** briancurtin has joined #openstack-keystone21:05
*** e0ne has quit IRC21:06
*** lhcheng has joined #openstack-keystone21:06
*** lhcheng_ has joined #openstack-keystone21:08
*** Ephur has quit IRC21:11
*** lhcheng has quit IRC21:11
*** tellesnobrega_ has quit IRC21:11
*** iamjarvo has joined #openstack-keystone21:12
*** iamjarvo has quit IRC21:12
*** iamjarvo has joined #openstack-keystone21:13
*** toddnni has joined #openstack-keystone21:16
*** csoukup has joined #openstack-keystone21:18
*** jsavak has quit IRC21:18
*** lastops has joined #openstack-keystone21:18
*** yottatsa has joined #openstack-keystone21:22
*** lastops has quit IRC21:23
*** jsavak has joined #openstack-keystone21:27
*** jorge_munoz has quit IRC21:27
*** sumanth has quit IRC21:28
*** sumanth has joined #openstack-keystone21:29
*** jorge_munoz has joined #openstack-keystone21:29
*** henrynash has quit IRC21:31
*** iamjarvo has quit IRC21:31
*** jsavak has quit IRC21:33
*** zzzeek has quit IRC21:37
*** iamjarvo has joined #openstack-keystone21:38
stevemardolphm, i added to your etherpad21:41
*** openstack has joined #openstack-keystone21:41
*** jsavak has joined #openstack-keystone21:47
*** lhcheng_ has quit IRC21:51
*** csoukup has quit IRC21:51
*** lhcheng has joined #openstack-keystone21:54
*** alanf-mc has quit IRC22:00
*** marzif_ has quit IRC22:01
*** Kennan2 has joined #openstack-keystone22:02
*** Kennan has quit IRC22:03
*** jsavak has quit IRC22:06
*** thedodd has quit IRC22:07
bknudsonAuthorizationFailure: No valid authentication is available22:12
bknudsonnot helpful22:12
*** stevemar has quit IRC22:12
*** markvoelker has joined #openstack-keystone22:12
*** markvoelker has quit IRC22:17
*** nkinder has joined #openstack-keystone22:22
*** gordc has quit IRC22:29
*** alanf-mc has joined #openstack-keystone22:30
*** gabriel-bezerra has quit IRC22:35
*** geoffarnold has joined #openstack-keystone22:36
*** openstackgerrit has quit IRC22:37
*** iamjarvo has quit IRC22:37
*** openstackgerrit has joined #openstack-keystone22:37
*** yottatsa has quit IRC22:39
*** gabriel-bezerra has joined #openstack-keystone22:40
*** ozialien has joined #openstack-keystone22:49
*** bradjones is now known as bradjones_away23:00
*** ozialien has quit IRC23:02
*** ozialien has joined #openstack-keystone23:05
*** hemna is now known as hemnafk23:09
*** jsavak has joined #openstack-keystone23:11
*** bradjones_away is now known as bradjones23:20
*** geoffarnold has quit IRC23:27
*** geoffarnold has joined #openstack-keystone23:27
*** jsavak has quit IRC23:29
*** ozialien has quit IRC23:33
*** iamjarvo has joined #openstack-keystone23:38
*** bradjones has quit IRC23:42
*** bradjones has joined #openstack-keystone23:42
*** bradjones is now known as bradjones_away23:47
*** bradjones_away is now known as bradjones|away23:52
*** _cjones_ has quit IRC23:58
*** lhcheng has quit IRC23:59

Generated by 2.14.0 by Marius Gedminas - find it at!