Tuesday, 2015-06-09

*** sbasam has quit IRC00:00
*** dims_ has joined #openstack-keystone00:05
*** _cjones_ has quit IRC00:05
*** dims has quit IRC00:08
*** g2` has quit IRC00:17
*** browne has quit IRC00:18
*** gyee_ has quit IRC00:32
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/18945700:33
openstackgerritBrant Knudson proposed openstack/keystone: Refactor extract function load_auth_method  https://review.openstack.org/18700400:43
openstackgerritBrant Knudson proposed openstack/keystone: Use stevedore for auth drivers  https://review.openstack.org/18210200:43
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file  https://review.openstack.org/18213800:43
openstackgerritBrant Knudson proposed openstack/keystone: Short names for auth plugins  https://review.openstack.org/18210700:43
openstackgerritBrant Knudson proposed openstack/keystone: Use stevedore for auth drivers  https://review.openstack.org/18210201:01
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file  https://review.openstack.org/18213801:01
openstackgerritBrant Knudson proposed openstack/keystone: Short names for auth plugins  https://review.openstack.org/18210701:01
*** spandhe has quit IRC01:05
*** sigmavirus24 is now known as sigmavirus24_awa01:06
*** dguerri is now known as dguerri`01:07
*** diegows has quit IRC01:09
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor _validate_token returns auth_ref only  https://review.openstack.org/18902001:10
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change TokenCache get() to return auth_ref  https://review.openstack.org/18902201:10
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967601:10
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor TokenCache store takes auth_ref  https://review.openstack.org/18901901:10
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor use auth_ref.version rather than _token_is_v*  https://review.openstack.org/18901801:10
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor extract method for offline validation  https://review.openstack.org/18865001:10
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo  https://review.openstack.org/17948601:10
*** tqtran_ has quit IRC01:11
*** noye has quit IRC01:16
*** sigmavirus24_awa is now known as sigmavirus2401:20
*** lastops has quit IRC01:20
*** lastops has joined #openstack-keystone01:21
*** ankita_wagh has quit IRC01:24
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Stop using function deprecated in Python 3  https://review.openstack.org/18914901:29
*** jamielennox|away is now known as jamielennox01:32
*** roxanaghe has quit IRC01:40
*** dims_ has quit IRC01:43
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage  https://review.openstack.org/18914501:47
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime  https://review.openstack.org/18914701:47
*** liusheng has quit IRC02:09
*** lhcheng has quit IRC02:16
*** bradjones has quit IRC02:17
*** lhcheng has joined #openstack-keystone02:18
*** ChanServ sets mode: +v lhcheng02:18
*** bradjones has joined #openstack-keystone02:18
*** bradjones has quit IRC02:18
*** bradjones has joined #openstack-keystone02:18
*** lhcheng has quit IRC02:22
*** iamjarvo has joined #openstack-keystone02:22
*** iamjarvo has quit IRC02:23
*** iamjarvo has joined #openstack-keystone02:23
*** tobe has joined #openstack-keystone02:27
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Use random strings for test fixtures  https://review.openstack.org/18953802:31
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Stop using tearDown  https://review.openstack.org/18953902:31
ayoungjamielennox, if I do  keystone = keystone_v3.Client(session=create_session())  I should be able to then call keystone.service_catalog.list()  or something right?02:37
jamielennoxprobably not, service-catalog isn't an option of the v3 api02:38
jamielennoxayoung: what are you trying to do02:41
jamielennoxthere really isn't a way to get the service catalog out of a plugin02:41
ayoungjamielennox, I want to see what the service catalog is associated with my tokens02:41
ayoungI could probably just dump the log02:41
jamielennoxi did this on purpose if we go to a DNS based catalog or something else that you can't iterate02:42
ayoungbut I figured I'd try to learn the IPA02:42
ayoungheh02:42
ayoungthe API02:42
ayoungand as a non-admin user, I can't query the SC directly02:42
ayoungjamielennox, so this came from a nova error:02:42
ayoungjamielennox, http://paste.fedoraproject.org/230196/14338177/  which I am guessing is cuz maybe I am calling a version of the Nova API that is not supported02:43
*** dims has joined #openstack-keystone02:43
jamielennoxayoung: no, that ones because you didn't provide an auth_url02:45
ayoungjamielennox, ah...that is right, this machine crashed and I had to restart...02:46
*** dguerri` is now known as dguerri02:46
ayoungjamielennox, so, I am working on a demo setup, and part of that involves Neutron work.  I have some examples now of doing Neutron with auth sessions02:47
ayoungactually, of sharing a session across a couple services...neutron and nova to start02:48
ayoungand, thanks, that did work02:48
jamielennoxayoung: sweet - yea, the error messages for this stuff needs to get better but it's a hard thing to enforce02:49
ayoungjamielennox, oh, yeah.  I should put a check in my code before I try to create the session02:50
ayoungthe hardest part has been reverse engineering how to call neutron client code02:50
jamielennoxi had some code that did these checks generically02:50
*** nkinder__ has joined #openstack-keystone02:50
*** dims has quit IRC02:50
jamielennoxi assume it's still in review somewhere02:50
jamielennoxhttps://review.openstack.org/#/c/148784/02:51
ayoungjamielennox, now I am trying to figure out how generic to make the nova code.  I could hard-code the ids, but that won't work across two different deployments, and I know this particular OS instance is going to get rebuilt.02:51
jamielennoxi wasn't sure it would make it because it was changing behaviour02:51
ayoungjamielennox, if you get something there you like, let me know and I'll review02:52
ayounganyway, the session stuff looks good.  Real good. It makes me want to have smarter API clients.02:52
ayoungI do think we are going to want Kerberos on the session.  Could we do some sort of stevedore trick, where we list additional auth plugins as environment variables, and then the session  loads them in?02:53
ayoungtrying to think how to get kerberos in there in a sane way02:53
*** ajayaa has joined #openstack-keystone02:54
*** rushiagr_away is now known as rushiagr02:54
ayoungjamielennox, did glance make the transition to sessions for their client?02:55
*** dguerri is now known as dguerri`02:56
ayounghttp://docs.openstack.org/developer/python-glanceclient/apiv2.html  does not look like it in the docs...02:57
*** markvoelker has joined #openstack-keystone02:59
jamielennoxayoung: no03:02
ayoungjamielennox, that is pretty lame, but I guess I can do all my glance work via Nova.03:02
ayoungGAH  I need to get all images just to map name to id!03:03
*** markvoelker has quit IRC03:04
*** briancurtin has quit IRC03:06
*** zhiyan has quit IRC03:06
*** jraim has quit IRC03:06
*** nzeer has quit IRC03:06
*** serverascode has quit IRC03:06
*** ctracey has quit IRC03:06
ayoungjamielennox, so I can't use the glance API directly, because I don't even know the endpoint, and, as we found before, I can't get it out of the service catalog.  Glanceclient has bit rotted into obscurity03:07
ayoungglance = Client('2', endpoint=OS_IMAGE_ENDPOINT, token=token)03:07
jamielennoxayoung: the way you do it is03:07
jamielennoxtoken = session.get_token()03:08
ayounghttp://docs.openstack.org/developer/python-glanceclient/apiv2.html03:08
jamielennoxendpoint = session.get_endpoint(service_type='image', version=(2, 0), interface='public')03:08
jamielennoxthen do glance with endpoint=endpoint, token=token03:08
ayoungok...let me try that03:08
jamielennoxassuming your auth plugin is attached to the session, otherwise you kind of invert the process and ask the auth plugin and provide the session03:09
*** lastops has quit IRC03:09
*** darrenc is now known as darrenc_lunch03:12
jamielennoxayoung: so i'm really not a fan of providing an array of project names, that just feels wrong, i don't know why we don't maintain the restriction for now and we can deal with it if it really becomes a problem for people03:12
ayoungjamielennox, sorry, I'm missing the context there.03:13
jamielennoxi sent an email reply to you a few days ago about how to identify projects by name in a hierarchy03:13
jamielennoxactually i have only seen chadwick's response to that03:14
jamielennoxsome people's email clients sent emails that just don't render on my phone03:14
ayoungjamielennox, ah...03:14
ayoungjamielennox, you mean the delimiter thing?03:14
jamielennoxright03:14
ayoungSo...I think I am OK with that approach, so long as it is a consensus03:15
ayoungI think that DNS style naming is the right way to go03:15
ayoungas we will eventually be able to append those to hostname to make deeply nested URLs03:15
ayoungI am guessing that it will be far more natural to refer to something as /dom1/p4/p5/p6  in the long run03:16
jamielennoxi don't know, it feels wrong03:17
ayoungjamielennox, we could also hack around the problem of a domain and a project in that domain having the same name by calling the domain "/" no matter what03:17
jamielennoxwell domains will still always have unique names right03:17
jamielennox?03:17
ayoungjamielennox, yes, if you refer to them as a domains03:18
ayoungI think the issue is that we have domains named, say redhat and a project under them also named redhat03:18
ayoungand right now, we say that a project name must be unique03:18
ayoungwithin the domain03:18
jamielennoxi have a growing suspicion we're going about this all wrong03:19
ayounglovely...whereas the nova client blows up if I pass "name="   int image list, the glance client accepts it...and ignores it and returns all images03:19
jamielennoxwe're providing a bunch of flexibility i don't know if anyone wants yet and hacking up naming schemes to support it03:20
ayoungjamielennox, yes, people want hierarchical03:20
ayoungand this is a known issue.  The problem is, like most things, my fault, for insisting "a domain IS-A" project03:21
ayoungand...the real fault is mine for not insisting that, instead of domains, we make projects hierarchical back 3 years ago03:21
*** kiran-r has joined #openstack-keystone03:21
jamielennoxayoung: sure, if we didn't have domains already this would be simpler03:22
*** harlowja has quit IRC03:22
*** harlowja_ has joined #openstack-keystone03:22
jamielennoxmaybe we just need to scrap authing by project_name03:22
*** gordc has joined #openstack-keystone03:23
ayoungjamielennox, can't do that, either03:24
*** iamjarvo has quit IRC03:24
ayoungthat is, like, the most basic thing people do..it would break everything03:24
ayoungjamielennox, what do you suggest:  always get an unscoped token, then discover the list, then scope it?03:24
ayoungI'd love that03:24
ayoungbut they'd lynch us, I suspect03:25
jamielennoxright, but we can not extend it for nested environments03:25
jamielennoxif my project name involves a number of slashes i'm not going to be typing it out anyway03:25
ayoungjamielennox, people stick it in an Env var, or they select it from a list in horizon03:25
ayoungso  "/p1/p2/p3"  works with horizon03:26
ayoungthe combo box will get huge and ugly, but it works03:26
jamielennoxno, horizon will do their own thing, they'll list available projects and then do the scope by id03:26
jamielennoxthey'll find a better way to display it than that03:26
ayoungtree probably03:27
jamielennoxright03:27
ayoungthen show it as a breadcrumb03:27
ayoungjamielennox, so the real issue is existing CLI type use03:27
ayoungwhere OS_PROJECT_NAME="p1"  is the norm03:28
ayoungyou are saying the, for nested projects, just force OS_PROJECT_ID?03:28
*** rushiagr is now known as rushiagr_away03:28
jamielennoxit's not just a CLI issue03:30
jamielennoxthe same would flow through to all the direct API usage03:30
jamielennoxunless project_name is directly under the domain then you can't scope to it via name in keystone03:30
openstackgerritMerged openstack/python-keystoneclient: Stop using function deprecated in Python 3  https://review.openstack.org/18914903:30
jamielennoxthat's backwards compatible03:30
*** _cjones_ has joined #openstack-keystone03:31
ayoungjamielennox, that would work for domain itself03:32
*** _cjones_ has quit IRC03:32
*** _cjones_ has joined #openstack-keystone03:33
ayoungwe could add support for either an empty project name or "/" or something to allow a project scoped token for domain03:33
*** browne has joined #openstack-keystone03:33
*** davechen_afk is now known as davechen03:33
ayoungie.  to get a project scoped token for the default domain, you  request a token with OS_PROJECT_NAME="",  OS_DOMAIN_NAME="Default"03:34
*** _cjones_ has quit IRC03:36
*** darrenc_lunch is now known as darrenc03:37
*** sigmavirus24 is now known as sigmavirus24_awa03:40
*** richm has quit IRC03:42
openstackgerritdarren-wang proposed openstack/keystone: Adding 'domain_id' filter to list_user_projects()  https://review.openstack.org/18256903:47
*** ankita_wagh has joined #openstack-keystone03:50
*** iamjarvo has joined #openstack-keystone03:52
*** iamjarvo has quit IRC03:52
*** iamjarvo has joined #openstack-keystone03:53
*** spandhe has joined #openstack-keystone03:55
*** rushiagr_away is now known as rushiagr04:07
*** spandhe has quit IRC04:08
*** kiran-r has quit IRC04:14
*** ajayaa has quit IRC04:15
*** lhcheng has joined #openstack-keystone04:16
*** ChanServ sets mode: +v lhcheng04:16
*** lhcheng has quit IRC04:16
*** lhcheng has joined #openstack-keystone04:17
*** ChanServ sets mode: +v lhcheng04:17
*** kiran-r has joined #openstack-keystone04:19
*** lhcheng_ has joined #openstack-keystone04:20
*** morgan has joined #openstack-keystone04:20
*** ChanServ sets mode: +v morgan04:20
*** mabrams has joined #openstack-keystone04:23
*** mabrams has left #openstack-keystone04:23
*** mabrams has joined #openstack-keystone04:23
*** ChanServ sets mode: +o morgan04:23
*** lhcheng has quit IRC04:23
morganoookay04:23
morgantime to get a new IRC client for the phone :(04:24
*** dguerri` is now known as dguerri04:35
*** morgan has quit IRC04:40
*** ayoung has quit IRC04:41
*** varya has joined #openstack-keystone04:43
*** dguerri is now known as dguerri`04:45
*** dims has joined #openstack-keystone04:46
*** markvoelker has joined #openstack-keystone04:48
*** morgan has joined #openstack-keystone04:49
*** ChanServ sets mode: +v morgan04:49
*** dims has quit IRC04:51
*** markvoelker has quit IRC04:53
*** boris-42 has quit IRC05:04
*** tobe has quit IRC05:05
*** e0ne has joined #openstack-keystone05:29
*** henrynash has joined #openstack-keystone05:31
*** ChanServ sets mode: +v henrynash05:31
*** iamjarvo has quit IRC05:32
*** kiranr has joined #openstack-keystone05:33
*** kiranr has quit IRC05:35
*** kiranr has joined #openstack-keystone05:35
*** kiranr has quit IRC05:37
*** ankita_wagh has quit IRC05:37
*** kiran-r has quit IRC05:37
*** kiranr has joined #openstack-keystone05:37
*** ankita_wagh has joined #openstack-keystone05:38
*** tqtran has joined #openstack-keystone05:39
*** belmoreira has joined #openstack-keystone05:39
*** kiranr has quit IRC05:41
*** kiran-r has joined #openstack-keystone05:42
*** kiran-r has quit IRC05:44
*** kiran-r has joined #openstack-keystone05:44
*** kiran-r has quit IRC05:47
*** kiran-r has joined #openstack-keystone05:47
*** e0ne has quit IRC05:47
*** kiran-r has quit IRC05:48
*** kiran-r has joined #openstack-keystone05:48
*** kiran-r has quit IRC05:50
*** kiran-r has joined #openstack-keystone05:50
*** kiran-r has quit IRC05:54
*** lsmola has joined #openstack-keystone05:54
*** kiran-r has joined #openstack-keystone05:55
*** kiran-r has quit IRC05:55
*** kiran-r has joined #openstack-keystone05:55
*** kiran-r has quit IRC05:56
*** kiran-r has joined #openstack-keystone05:57
*** kiran-r has quit IRC05:58
*** kiran-r has joined #openstack-keystone05:58
*** kiran-r has quit IRC05:59
*** kiran-r has joined #openstack-keystone05:59
*** kiran-r has quit IRC06:00
*** kiran-r has joined #openstack-keystone06:00
*** kiran-r has quit IRC06:00
*** josecastroleon has quit IRC06:00
*** kiran-r has joined #openstack-keystone06:00
*** kiran-r has quit IRC06:01
*** kiran-r has joined #openstack-keystone06:01
*** kiran-r has quit IRC06:02
*** kiran-r has joined #openstack-keystone06:02
*** kiran-r has quit IRC06:03
*** kiran-r has joined #openstack-keystone06:05
*** kiran-r has quit IRC06:06
*** kiran-r has joined #openstack-keystone06:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/18627906:06
*** kiran-r has quit IRC06:07
*** kiran-r has joined #openstack-keystone06:07
*** kiran-r has quit IRC06:09
*** kiran-r has joined #openstack-keystone06:09
*** nzeer has joined #openstack-keystone06:13
*** kiran-r has quit IRC06:14
*** kiran-r has joined #openstack-keystone06:14
*** jraim has joined #openstack-keystone06:17
*** kiran-r has quit IRC06:18
*** kiran-r has joined #openstack-keystone06:19
*** kiran-r has quit IRC06:21
*** kiran-r has joined #openstack-keystone06:22
*** kiran-r has quit IRC06:23
*** kiran-r has joined #openstack-keystone06:23
*** dguerri` is now known as dguerri06:24
*** lhcheng_ has quit IRC06:24
*** kiran-r has quit IRC06:26
*** kiran-r has joined #openstack-keystone06:26
*** Nikkau has joined #openstack-keystone06:27
*** kiran-r has quit IRC06:28
*** kiran-r has joined #openstack-keystone06:28
*** kiran-r has quit IRC06:29
*** ctracey has joined #openstack-keystone06:30
*** kiran-r has joined #openstack-keystone06:30
*** kiran-r has quit IRC06:30
*** kiran-r has joined #openstack-keystone06:31
*** kiran-r has quit IRC06:31
*** kiran-r has joined #openstack-keystone06:31
*** kiran-r has quit IRC06:31
*** kiran-r has joined #openstack-keystone06:32
*** dguerri is now known as dguerri`06:34
*** serverascode has joined #openstack-keystone06:39
*** tobe has joined #openstack-keystone06:45
*** zhiyan has joined #openstack-keystone06:46
*** ankita_w_ has joined #openstack-keystone06:47
*** kiran-r has quit IRC06:50
*** kiran-r has joined #openstack-keystone06:50
*** kiran-r has quit IRC06:51
*** ankita_wagh has quit IRC06:51
*** kiran-r has joined #openstack-keystone06:51
jamielennoxmorganfainberg: i'm not going to be at the meeting tomorrow, but it doesn't look like there is anything specific i need to be there for06:51
*** kiran-r has quit IRC06:52
*** kiran-r has joined #openstack-keystone06:52
*** kiran-r has quit IRC06:52
*** kiran-r has joined #openstack-keystone06:53
*** woodster_ has quit IRC06:53
*** kiran-r has quit IRC06:53
*** kiran-r has joined #openstack-keystone06:53
*** kiran-r has quit IRC06:55
*** kiran-r has joined #openstack-keystone06:55
*** kiran-r has quit IRC06:56
*** kiran-r has joined #openstack-keystone06:57
*** kiran-r has quit IRC06:58
*** kiran-r has joined #openstack-keystone06:59
*** kiran-r has quit IRC07:00
*** kiran-r has joined #openstack-keystone07:00
*** ankita_w_ has quit IRC07:00
*** kiran-r has quit IRC07:00
*** lufix has joined #openstack-keystone07:01
*** abhishekk has joined #openstack-keystone07:09
*** briancurtin has joined #openstack-keystone07:09
*** dguerri` is now known as dguerri07:10
*** tqtran has quit IRC07:15
*** browne has quit IRC07:27
mfloboMorning guys07:28
mfloboquestion: how can I  avoid this message in the logs? Deprecated: keystone.common.kvs.Base is deprecated as of Icehouse in favor of keystone.common.kvs.KeyValueStore and may be removed in Kilo.07:29
*** woodster_ has joined #openstack-keystone07:34
*** dguerri is now known as dguerri`07:36
*** markvoelker has joined #openstack-keystone07:37
*** pnavarro_ has joined #openstack-keystone07:39
morganfainbergjamielennox: sounds good.07:43
*** markvoelker has quit IRC07:43
marekdjamielennox: still here?07:47
jamielennoxmarekd: yep07:47
marekdjamielennox: got 15 minutes to discuss k2k auth plugin ?07:47
jamielennoxmarekd: sure07:47
jamielennoxwhere are we at?07:47
marekdjamielennox: https://review.openstack.org/#/c/188426/4 and up.07:47
*** evrardjp has joined #openstack-keystone07:48
marekdjamielennox: i think we should treat it as an 'extra' auth plugin. So, imagine you have your local cloud, use v3.Password for authenticating with that. Suddenly you want to burst into remote cloud, then, you would use K2K plugin, simply, pass your local plugin v3.Passwd to it and pass some scoping info for remote cloud in remote_project_name, remote_domain_name etc. K2K should point to remote cloud (including auth_url).07:49
evrardjpgood morning everyone07:49
jamielennoxthat's more or less what i thought, i wasn't thinking remote_ for attributes07:50
*** jaosorior has joined #openstack-keystone07:50
marekdfrom osc perspective i'd see it this way: openstack --os-auth-plugin=v3.Password --os-auth-remote-plugin=v3.k2k --os-project-name=<local project> --os-remote-project-name=<remote plugin> remote token issue07:50
marekdby having 'remote' command osc would actually burst into remote cloud.07:51
jamielennoxoh, osc07:51
jamielennoxright07:51
marekdwithout 'remote' we would be using local cloud.07:51
marekdmy point is that local cloud should be a priority, and behave like it does always.07:51
*** bdossant has joined #openstack-keystone07:52
marekdthat's  why i proposed --remote-xxxx equivalents options in https://review.openstack.org/#/c/188881/07:52
jamielennox # Store the Service Provider response to prevent re-posting the ECP wrapped assertion a 2nd time07:55
jamielennoxmarekd: why?07:55
marekdjamielennox: part of it wrote Rodrigo, i think he made that comment. He probably wanted some sort of caching...07:56
marekdi guess we  can cache only if scoping info hasn't changed, right?07:56
jamielennoxmarekd: because the ECP assertion lasts longer than a token request?07:56
jamielennoxa token?07:57
marekdjamielennox: if they do, it's not a significant difference. you just need to wrap a token into xml.07:57
jamielennoxmarekd: commented on https://review.openstack.org/#/c/188581/07:59
marekdjamielennox: thanks. hm, having sp_url and sp_auth_url would let user pass those parameters from command line/options I think...?08:01
jamielennoxmarekd: i guess a) do we want that? b) they are currently required08:01
*** lhcheng has joined #openstack-keystone08:01
*** ChanServ sets mode: +v lhcheng08:01
*** dguerri` is now known as dguerri08:02
marekdjamielennox: a) good question - however I cannot think about a situation where I'd like to do that....08:02
marekdi cannot override nova's ip address by passing some options in the cli, can i ?08:03
marekdjamielennox: ^^08:03
marekdservice catalog is the primary and the only source of endpoint knowledge, right?08:03
jamielennoxmarekd: you can override it, in nova i think it's --bypass-url08:04
jamielennoxi don't mind having the ability but at the moment it's required08:05
marekdnova like nova cli ?08:05
jamielennoxmarekd: right08:05
marekdjamielennox: ok i will remove it.08:05
*** amaretskiy has joined #openstack-keystone08:05
jamielennoxmarekd: so i think there is still a review missing there which exposes the sp_auth_url and sp_url from the plugin08:06
jamielennoxbecause there's not really a way to get AccessInfo from the plugin08:06
jamielennoxso you'd need something similar to08:07
jamielennoxhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/base.py#L20208:07
jamielennoxand08:07
*** kiran-r has joined #openstack-keystone08:07
jamielennoxhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L25908:07
marekdjamielennox: https://review.openstack.org/#/c/188581/9/keystoneauth/auth/identity/v3/federation.py lines 193 and below ?08:08
marekdK2K.load_from_plugin(v3.Password(), 'my_service_provider_id')08:08
*** kiran-r has quit IRC08:09
jamielennoxi don't think auth_plugin.service_providers exists08:09
marekdhttps://review.openstack.org/#/c/188426/408:09
*** kiran-r has joined #openstack-keystone08:09
marekdwell it's in access info08:10
marekdyou are right.08:10
jamielennoxyep, auth_plugin != accessinfo08:10
marekdso that would be something like access.create(auth_plugin.auth_token).service_providers ?08:10
jamielennoxmarekd: i was thinking you'd do it within the plugin08:11
jamielennoxrather than at load08:11
marekdin the __init__ ,right?08:11
*** fhubik has joined #openstack-keystone08:12
jamielennoxmarekd: no, because you don't have session at __init__08:12
*** kiran-r has quit IRC08:12
*** kiran-r has joined #openstack-keystone08:12
jamielennoxi can't quite remember the federated method names08:12
jamielennoxbut08:12
jamielennoxin get_auth_ref you'd do08:12
*** kiran-r has quit IRC08:13
*** kiran-r has joined #openstack-keystone08:13
jamielennoxauth_url = local_cloud_plugin.get_sp_auth_url(session, self.service_provider)08:13
jamielennoxurl = local_cloud_plugin.get_sp_url(session, self.service_provider)08:13
jamielennoxsession.post(sp_url, ...)08:14
jamielennoxresp = session.get(sp_auth_url, ...)08:14
marekdlocal_cloud_plugin would already be a AccessInfoV3 object.08:14
jamielennoxreturn access.create(resp)08:14
jamielennoxwhy?08:14
jamielennoxif it's already an AccessInfo you can't refresh it if the local cloud token expires08:15
marekdotherwise  we would need to add get_sp_url() somewhere in base.Auth08:15
marekdyou ok with that?08:15
jamielennoxyea, that's what i mean before when i linked the stuff about get_project_id08:16
jamielennoxwe will need to expose this from the plugin directly somehow, with a standard implementation that uses AccessInfo in auth.identity.base08:16
*** rlt has joined #openstack-keystone08:17
marekdjamielennox: all right, let me extend  class BaseIdentityPlugin(base.BaseAuthPlugin):08:17
jamielennoxcool, that'll probably be a standalone review after the accessinfo one08:18
jamielennoxis there any way we can make the K2K plugin inherit FederationBaseAuth08:18
marekdyep, accessinfo, BaseIdentityPlugin, K2K.08:18
marekdjamielennox: not really, in FederationBaseAuth we require user to pass params like identity-provider and  protocol08:19
jamielennoxyea, was just looking myself, it just feels like there is a lot of overlap08:19
jamielennoxthe basic implementation of get_auth_ref that looks for scoping data should be the same08:20
marekdjamielennox: i wanted to inherit it first, but hit the wall with significantly different workflow and information we really need to make it happen.08:20
*** kiran-r has quit IRC08:20
marekdjamielennox: we can pull some code (not much), and make one  basic level, and then inherit FederationBaseAuth and K2KAuth.08:20
*** kiran-r has joined #openstack-keystone08:20
jamielennoxyea, i think don't worry about it for now and maybe it can be a cleanup later08:21
marekdjamielennox: exactly.08:21
marekdok, i will add the missing code.08:22
*** gordc has quit IRC08:22
jamielennoxmarekd: commented on https://review.openstack.org/#/c/188426/08:30
jamielennoxnot sure if you are working on that one as well08:30
marekdjamielennox: i am basically helping to make k2k happen so whatever is needed.08:31
marekdso you claim, that get_service_provider should be private or return something like AccessInfo object but for service providers ?08:32
*** kiran-r has quit IRC08:36
jamielennoxmarekd: i'd say for now just make it private08:36
jamielennoxmarekd: is there something we need from it?08:36
marekdjamielennox: i don't think so08:36
*** kiran-r has joined #openstack-keystone08:36
*** pnavarro_ has quit IRC08:39
*** e0ne has joined #openstack-keystone08:46
openstackgerritMarek Denis proposed openstack/keystoneauth: Encapsulate Service Providers in AccessInfo  https://review.openstack.org/18842608:49
marekdjamielennox: ^^08:49
*** kiran-r has quit IRC08:49
*** kiran-r has joined #openstack-keystone08:50
*** kiran-r has quit IRC08:50
marekdjamielennox: opus, didn't notice you added new comments on that patch08:50
*** kiran-r has joined #openstack-keystone08:50
*** pnavarro_ has joined #openstack-keystone08:50
jamielennoxmarekd: yea, i'm going back through and being a bit more detailed rather than big picture08:50
marekdsure08:51
marekdlet me address remaining comments.08:51
jamielennoxmarekd: comment on that too08:52
jamielennox{.. for ..} is py27 syntax08:52
*** chlong has quit IRC08:52
marekdjamielennox: it won't work in py3 ?08:53
jamielennoxmarekd: it won't work in py27608:53
jamielennoxmarekd: it won't work in py2608:53
marekdoh gosh, we are still supporting py26 in ksc?08:53
marekdoh, right08:53
lifelessplease dog no08:53
lifelesslet vendors do that if they want, the 2000's called and want their python back08:54
jamielennoxi'm not actually sure, but i'd prefer to have a better reason than dict syntax to break it08:54
jamielennoxyep - we still gate on it08:54
lifelessI'll quote ncoghlan: open source projects should start saying no to 2.6 :)08:54
lifelessjamielennox: AIUI we make a project wide decision to stop caring08:55
lifelessjamielennox: I suggest removing the gates... in particular the constraints stuff I'm working on won't generate constraints files for 2.6, because there's no python 2.6 on the node we run periodic jobs on08:55
jamielennoxlifeless: that's a good reason to drop it08:56
jamielennoxlifeless: i'm so used to writing for 2.6 now i don't notice, let's just go 308:56
lifeless2.7 == 3 for all intents and purpoises :)08:56
*** Mohhh has joined #openstack-keystone08:56
jamielennoxthe dictionary comprehension syntax is about the only thing i can think of that's missing from 2.6 that isn't about upgrading to 308:57
jamielennoxie - things we'd use six for anyway08:57
lifelesssecure TLS08:57
*** rushiagr is now known as rushiagr_away08:58
lifelessthat's in 2.7.10, not in 2.6 at all [upstream]08:58
jamielennoxah, right - i was thinking from a syntax and libraries perspective08:58
lifelessalso set literals?08:58
lifelessI don't remember when they came in08:58
lifeless{1,2,3}08:59
jamielennoxapparently they came in 2.708:59
lifelessso yeah, them08:59
jamielennoxi've never been a fan because i always end up with a set when i mistype a dictionary08:59
*** rushiagr_away is now known as rushiagr09:00
jamielennoxanyway - i don't mind09:00
jamielennoxbut we currently have a gate job and otherwise you'll have to wait whilst it gets removed09:01
*** Mohhh has quit IRC09:03
lifelessoh shiny09:04
lifelessswift 2 (the language) to be open sourced, with a port to linux on day 109:04
*** aix has joined #openstack-keystone09:05
jamielennoxport to linux?09:06
jamielennoxthat's cool - i wonder if it will be useful?09:07
*** fhubik is now known as fhubik_afk09:08
*** Mohhh has joined #openstack-keystone09:08
MohhhHi experts. I have a problem with keystone. I created a project using curl and I want to set project quota using: {"quota_set": {"floating_ips": floating_ip_count, "cores": vcpu, ... "}. But all of the item limits are properly applied(cores, ...) except floating-ips.09:08
lifelessseems to be gaining popularity on iOS very quickly, so it's worth a look-at09:08
MohhhI set "floating-ips" limit to 10, but after the project created, I check it and it sets to 50. Always sets to 50.09:09
jamielennoxMohhh: keystone doesn't manage quotas09:09
jamielennoxthat would be handled by the individual services09:09
jamielennoxbbl09:09
Mohhhjamielennox: Thanks for your response. How can I set quota for project?09:10
*** lhcheng has quit IRC09:10
Mohhh+jamielennox: I used: request = {"quota_set": {"floating_ips": floating_ip_count, "cores": vcpu, "instances": instances, "ram": ram}} in my curl command.09:14
*** afazekas has joined #openstack-keystone09:19
MohhhAny idea?09:19
*** markvoelker has joined #openstack-keystone09:27
*** tellesnobrega has quit IRC09:28
*** htruta has quit IRC09:28
marekdjamielennox: re https://review.openstack.org/#/c/188426/5/keystoneauth/service_providers.py inline what? make _normalize_service_providers internal in the __init__ ?09:28
*** nicodemos has quit IRC09:28
*** ericksonsantos has quit IRC09:28
*** markvoelker has quit IRC09:32
openstackgerritMarek Denis proposed openstack/keystoneauth: Encapsulate Service Providers in AccessInfo  https://review.openstack.org/18842609:39
*** lufix_ has quit IRC09:40
*** davechen is now known as davechen_afk09:40
*** woodster_ has quit IRC09:41
dstanekmorganfainberg, lbragstad: 30% wall clock time right? https://review.openstack.org/#/c/165295/409:45
*** fhubik_afk is now known as fhubik09:45
*** dims has joined #openstack-keystone09:48
*** aix has quit IRC09:53
*** dims has quit IRC09:54
openstackgerritMarek Denis proposed openstack/keystoneauth: Fetch Service Providers urls from auth plugins  https://review.openstack.org/18962509:55
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858109:55
*** e0ne is now known as e0ne_10:02
*** aix has joined #openstack-keystone10:05
*** fhubik is now known as fhubik_afk10:08
*** dims has joined #openstack-keystone10:09
*** e0ne_ has quit IRC10:12
*** e0ne has joined #openstack-keystone10:21
morganfainbergdstanek: yes I believe so.10:22
marekdjamielennox: still at work ?10:23
jamielennoxmarekd: still at my computer at least10:23
jamielennoxi'm on (my) west coast for the next week or so - so it's not that late10:23
jamielennoxi'm not going to make the meeting tomorrow - like 2am10:24
morganfainbergdstanek: was planning on circling up on that when we get to the hotel10:24
dstanekmorganfainberg: ok10:24
marekdhttps://review.openstack.org/#/c/189625/1 -> i admit i forgot about auth.base (why is it not enforced, via abstractmethod or something? :/), but I don't fully know what shall i reimplement regarding accessinfo on auth.identity.base .10:25
*** kiranr has joined #openstack-keystone10:25
jamielennoxmarekd: you just return None on the base class, you can't add abstractmethod on an existing class because it will break external subclasses10:26
marekdjamielennox: fine for that, but what about accessinfo ?10:26
jamielennoxdstanek: are you still looking at flask?10:26
dstanekjamielennox: yes, i have it partially implemented10:27
dstanekactually that's probably a good thing to give an update on at the meeting today10:27
jamielennoxmarekd: accessinfo has NotImplementeds on the base class and then you refine them in subclasses10:28
*** kiran-r has quit IRC10:28
marekdjamielennox: ah, you are talking not property service_providers10:28
marekdAccessInfo.service_providers in the base class10:29
jamielennoxdstanek: cool, i was doing some more on my jsonhome thing and was wondering how we could tie it into flask10:29
jamielennoxmarekd: on accessinfo i don't know, it probably doesn't matter10:30
jamielennoxthe only precedent we have is the way service catalog is done10:31
dstanekjamielennox: right now i'm still doing the same kind of registration that we are currently doing10:31
jamielennoxi don't know if that's a good thing or not10:31
jamielennoxdstanek: sure, make it the easiest change that is possible10:31
*** fhubik_afk is now known as fhubik10:32
*** tobe has quit IRC10:32
*** tobe has joined #openstack-keystone10:33
openstackgerritDavid Stanek proposed openstack/keystone: WIP: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603010:34
MohhhWhich openstack service controls the floating_ips quota and limitation?10:40
openstackgerritDavid Stanek proposed openstack/keystone: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603010:44
*** samueldmq has joined #openstack-keystone10:46
samueldmqmorning10:46
*** tobe has quit IRC10:47
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3  https://review.openstack.org/12541010:47
*** Mohhh has quit IRC10:47
*** tobe has joined #openstack-keystone10:49
dstaneksamueldmq: morning10:49
samueldmqdstanek, hi :)10:51
samueldmqdstanek,  I was looking  at that patch ^10:52
samueldmqdstanek, 11 patch sets, nothing change between them, just rebases :(10:52
dstaneksamueldmq: sqlite one?10:53
morganfainbergsamueldmq: morning10:53
samueldmqmorganfainberg, hi, I guess almost afternoon for you :)10:53
dstanekjust the commit message - and keeping it out of conflict10:53
morganfainberg1300 here.10:53
*** boris-42 has joined #openstack-keystone10:53
*** tobe has quit IRC10:53
dstaneknot even 0700 here :-(10:55
samueldmqmorganfainberg, still in budapest ? hope everything went well with your yesterday's talk10:56
*** mabrams has quit IRC10:56
morganfainbergsamueldmq: in Berlin now.10:56
samueldmqdstanek, almost 8 here :) that's great, we have a big day ahead :)10:57
morganfainbergYeah talk went ok. I have a bunch more work to do on the slides themselves. But it's turning into a good talk10:57
dstanekmorganfainberg: that's good to hear. was it recorded at all?10:58
samueldmqmorganfainberg, yeah the content was good imo, just had found some nits/typos10:58
morganfainbergdstanek: nope.10:58
dstanekthat's too bad10:59
morganfainbergsamueldmq: it's changed a bunch from when you read it.10:59
morganfainbergdstanek: I'll give you a link to the slides. It's an adaptation of what stevemar presented at CISID yesterday (targeted at an OpenStack aware audience)10:59
samueldmqmorganfainberg, and I personally prefer to have  less text in slides (only some of them had a lot) .. but maybe it's a matter of preference10:59
morganfainbergsamueldmq: look now. There is a lot less text.11:00
*** rushiagr is now known as rushiagr_away11:00
samueldmqmorganfainberg, nice, looking :)11:01
morganfainbergA few more slides need the same treatment.11:01
morganfainbergBut it's improving.11:01
*** ajayaa has joined #openstack-keystone11:01
dstanekmorganfainberg: we should come up with some formal rules about older reviews/specs - a sort of policy for getting rid of them11:22
*** pnavarro_ has quit IRC11:22
dstanekjamielennox: these are really old reviews. can any of them be abandoned or revised? http://bit.ly/1S0ZOKR11:27
*** markvoelker has joined #openstack-keystone11:29
*** liusheng has joined #openstack-keystone11:32
*** fhubik is now known as fhubik_afk11:33
*** markvoelker has quit IRC11:34
*** e0ne is now known as e0ne_11:34
morganfainbergdstanek: yes we should.11:36
morganfainbergdstanek: I got a ton of pushback when I tried to abandon things last time. This time I'm just going through and doing it for really old things.11:37
dstanekmorganfainberg: i've started to draft one - i was planning on submitting it as a doc review11:37
dstanekmorganfainberg: i'm in the process of doing a little of that now :-)11:37
morganfainbergdstanek: ++11:37
morganfainbergThnx.11:37
*** e0ne_ has quit IRC11:40
openstackgerritMerged openstack/keystone: Add testcases to test DefaultDomain  https://review.openstack.org/18585511:45
*** woodster_ has joined #openstack-keystone11:48
*** amakarov_away is now known as amakarov11:51
*** diegows has joined #openstack-keystone11:53
*** josecastroleon has joined #openstack-keystone11:54
*** diegows has quit IRC11:54
*** fhubik_afk is now known as fhubik12:02
*** Guest84699 has quit IRC12:03
*** samueldmq has quit IRC12:08
*** raildo has joined #openstack-keystone12:11
*** tellesnobrega has joined #openstack-keystone12:11
*** dencaval has joined #openstack-keystone12:12
*** e0ne has joined #openstack-keystone12:14
*** htruta has joined #openstack-keystone12:17
*** dan_ has joined #openstack-keystone12:19
*** dan_ is now known as Guest548412:19
*** e0ne is now known as e0ne_12:21
*** e0ne_ is now known as e0ne12:21
*** samueldmq has joined #openstack-keystone12:21
openstackgerritMarek Denis proposed openstack/keystoneauth: Fetch Service Providers urls from auth plugins  https://review.openstack.org/18962512:29
*** e0ne is now known as e0ne_12:30
*** e0ne_ has quit IRC12:35
*** chlong has joined #openstack-keystone12:37
*** pnavarro_ has joined #openstack-keystone12:39
*** sigmavirus24_awa is now known as sigmavirus2412:41
*** bknudson has quit IRC12:41
*** iurygregory has joined #openstack-keystone12:49
*** e0ne has joined #openstack-keystone12:55
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837213:02
*** kiranr has quit IRC13:02
*** varya has quit IRC13:03
*** varya has joined #openstack-keystone13:03
*** raildo has quit IRC13:04
*** henrynash has quit IRC13:04
*** varya has quit IRC13:05
lbragstaddstanek: let me grab you the real numbers from that test13:05
*** henrynash has joined #openstack-keystone13:06
*** ChanServ sets mode: +v henrynash13:06
*** varya has joined #openstack-keystone13:06
*** varya has quit IRC13:07
lbragstaddstanek: according to the monitoring; we were spending ~105 ms in Python with crypt_strength = 40000 (the default), and after we bumped it to 10000 we were spending 71 ms in Python.13:08
*** raildo has joined #openstack-keystone13:08
*** lhcheng has joined #openstack-keystone13:12
*** ChanServ sets mode: +v lhcheng13:12
jamielennoxdstanek: https://review.openstack.org/#/c/117089/ was always good to go13:13
jamielennoxi'd still like it merged13:13
*** noye has joined #openstack-keystone13:13
jamielennoxhttps://review.openstack.org/#/c/168546/ is also fine13:13
jamielennoxanything that's old like that that i don't know about generally is marked WIP13:15
*** josecastroleon has quit IRC13:16
jamielennoxhttps://review.openstack.org/#/c/168792/2 should also be merged13:16
*** ayoung has joined #openstack-keystone13:16
*** ChanServ sets mode: +v ayoung13:16
jamielennoxlhcheng has a -1 on it, but it's not a strong one13:16
jamielennoxi think i countered the main reason for a -113:16
*** lhcheng has quit IRC13:17
*** josecastroleon has joined #openstack-keystone13:17
lbragstaddstanek: updated with a comment for more clarity (https://review.openstack.org/#/c/165295/)13:18
dstanekjamielennox: i'll take a look at those13:18
dstaneklbragstad: thx13:18
*** josecastroleon has quit IRC13:19
samueldmqayoung, besides the config options needed for fetching the policy from server ...13:19
*** HT_sergio has joined #openstack-keystone13:19
samueldmqayoung, should we have a config switch at middleware to define whether try to fetch it or not ?13:20
dstaneklbragstad: i just commented too that we could clarify the comment with "30% clock time" or something like that13:20
ayoungsamueldmq, I think so13:20
*** josecastroleon has joined #openstack-keystone13:20
samueldmqayoung, or should we assume that, if the configs are defined we try to do so ..13:20
samueldmqayoung, k makes sense to me13:20
ayoungsamueldmq, there is real comfort to operators in being able to turn something off.13:20
*** lastops has joined #openstack-keystone13:21
samueldmqayoung, nice, and in the case they enabled it but not defined any of the needed configs ?13:21
ayoungsamueldmq, then it breaks13:21
samueldmqayoung, we need policy_cache_timeout endpoint_url policy_dirs policy_file13:21
jamielennoxdstanek: cheers13:21
samueldmqayoung, k makes sense13:22
ayoungsamueldmq, I'd love to avoid the timeout option by using the headers from Keystone13:22
*** josecastroleon has quit IRC13:22
ayoungthe policy_dirs  yes..policy_file not so sure.13:22
samueldmqayoung, but we have to be based on something in the case we can't find the headers13:22
samueldmqayoung, well ... we need to know the file where we will be writing to13:23
ayoungsamueldmq, fair enough, and we can put a comment in there saying that this is the max time for caching,  the actual time will be the lesser of the two values13:23
*** josecastroleon has joined #openstack-keystone13:23
samueldmqayoung, ++13:23
*** jamielennox is now known as jamielennox|away13:23
ayoungsamueldmq, I don't know if we need a single name or not...part of me wants to autogenerate the name, or have it based on something from the fetch...but...code it as you see fit, and we can adjust if we get a better idea.13:24
*** josecastroleon has quit IRC13:25
samueldmqayoung, great13:25
samueldmqayoung, I really think we can have a demo running by the end of this week13:25
samueldmqayoung, where we upload, lets say, a nova policy to keystone, get that fetched on its endpoint13:25
samueldmqayoung, update policy on keystone and see enforcement being affected on nova side13:26
*** josecastroleon has joined #openstack-keystone13:26
*** richm has joined #openstack-keystone13:26
*** abhishekk has quit IRC13:27
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376313:28
*** josecastroleon has quit IRC13:28
samueldmqayoung, btw we need to run with specs , deadline is 25 right ? :(13:28
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839813:28
*** josecastroleon has joined #openstack-keystone13:29
ayoungsamueldmq, yeah13:30
*** radez_g0n3 is now known as radez13:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418013:32
*** browne has joined #openstack-keystone13:32
*** richm has left #openstack-keystone13:35
*** richm has joined #openstack-keystone13:36
*** bknudson has joined #openstack-keystone13:38
*** ChanServ sets mode: +v bknudson13:38
*** toddnni has quit IRC13:40
*** diegows has joined #openstack-keystone13:51
*** henrynash has quit IRC13:52
*** kiran-r has joined #openstack-keystone13:54
ayoungraildo, I have someone running QA on HMT.   https://etherpad.openstack.org/p/hierarchical-projects13:55
ayoungraildo, htruta I'll see If I can get him to add some detail to how he is doing the role assignments13:56
raildoayoung, nice, some days ago, I had reviewed this document14:00
ayoungraildo, need to get some of the details nailed down, I think14:01
raildoayoung, yes14:02
ayoungraildo, can we do everything we need to test this with the CLIs yet?14:03
ayoungraildo, specifically, hierarchical role assignments?14:03
raildoayoung, we have this patch in review: https://review.openstack.org/#/c/167613/14:06
*** dguerri is now known as dguerri`14:06
raildoayoung, we need to approve this patch, to do all the HMT operations on keystone client14:06
*** iamjarvo has joined #openstack-keystone14:11
*** spandhe has joined #openstack-keystone14:15
*** spandhe has quit IRC14:20
*** elmiko has joined #openstack-keystone14:20
elmikodstanek: ping14:21
*** mabrams has joined #openstack-keystone14:22
*** Ephur has joined #openstack-keystone14:25
openstackgerritBoris Bobrov proposed openstack/keystoneauth: removed custom assertDictEqual  https://review.openstack.org/18932014:33
bretonmorganfainberg: I've updated a commit message ^. Please note that gate-keystoneauth-python26 is OK with the change.14:34
morganfainbergbreton: the gate may be ok with it, but the reason we have it there is to mirror the dict check from py2714:35
morganfainbergbreton: i am concerned that if we remove that before we drop py26, we're going to end up with a case we're going to need to add it bac14:35
morganfainbergk14:35
*** toddnni has joined #openstack-keystone14:37
*** rushiagr_away is now known as rushiagr14:37
openstackgerritMerged openstack/keystone: Fix sample policy to allow user to check own token  https://review.openstack.org/16484814:40
bretonmorganfainberg: tests use testtools, testtools require unittest2, unittest2 define assertDictEqual14:40
openstackgerritBoris Bobrov proposed openstack/keystoneauth: removed custom assertDictEqual  https://review.openstack.org/18932014:42
morganfainbergbreton: what you just told me would be the best thing you can put in the commit message14:56
morganfainbergbreton: that way there is no confusion on what we rely on for testing14:57
bretonmorganfainberg: done ^14:58
morganfainbergbreton: nice much better14:58
*** fhubik is now known as fhubik_afk15:02
*** afazekas has quit IRC15:06
*** markvoelker has joined #openstack-keystone15:07
*** henrynash has joined #openstack-keystone15:07
*** ChanServ sets mode: +v henrynash15:07
*** e0ne is now known as e0ne_15:08
dstanekelmiko: hi15:09
*** chlong is now known as chlong-zzz15:10
elmikodstanek: hey, i'm just following up on https://review.openstack.org/#/c/183698/15:10
elmikoi'm curious if you have any suggestion for better language to use than "HTTP framework"?15:10
*** g2` has joined #openstack-keystone15:11
dstaneknot really - it wasn't clear to me what that meant - do just read sigmavirus24's definition and that's how i initially read it15:11
dstanekelmiko: ^15:12
elmikook, i'll probably just change "must not" to "should not" and call it a day15:12
*** pnavarro_ has quit IRC15:12
*** markvoelker has quit IRC15:12
*** g2` has quit IRC15:12
dstanekelmiko: so that means no custom 500 handling in the project itself?15:12
sigmavirus24I wish we wouldn't use "should" ever15:12
* elmiko sad panda15:12
sigmavirus24"Do or do not, there is no try" =P15:12
elmikodstanek: it just means we advise not doing it in the project, if you have reason to then by all means do it.15:13
sigmavirus24dstanek: I mean, there's nothing to stop you. But someone will probably complain a lot that you're not following the guidelines if you make a new API that returns a 50015:14
sigmavirus24To be entirely clear, this guideline should only affect new development. The API-WG has no illusions that existing APIs will be retrofitted15:14
sigmavirus24We have some illusions about people following the guidelines eventually though ;)15:14
elmikoi'm just stumped on whether this one needs another spin or not15:14
dstaneki guess i don't understand what this is trying to prevent? and what i'd do differently from what Keystone is currently doing15:15
sigmavirus24dstanek: API authors should never explicitly return a 5xx error15:15
elmikodstanek: in your case it might not change anything, but for folks who are considering adding a new 500 return this guideline should help them reconsider if they need to do that.15:15
dstanekis there an example that you can point to and say it's bad?15:16
*** iamjarvo has quit IRC15:17
elmikogood question, i don't have one at hand15:17
*** HT_sergio has quit IRC15:17
sigmavirus24I can give a hypothetical but I'm tempted to say any code that explicitly returns a 5xx is bad15:17
*** kiran-r has quit IRC15:17
*** iamjarvo has joined #openstack-keystone15:17
dstanekelmiko: for example, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/wsgi.py#n787 - is that OK?15:17
dstaneksigmavirus24: how do you control the response body?15:18
* elmiko reads15:18
sigmavirus24The hypothetical situation is a deployer who wants to eventually enable a feature that is currently returning a 5xx. If they have clients that store the fact that 5xx was previously returned, then that means that those clients (if they use all the allowances the RFCs afford) will never be able to use that feature once it's enabled15:18
sigmavirus24I don't think anyone wants that15:18
*** e0ne_ has quit IRC15:18
dstaneksigmavirus24: are you talking 500 or 501?15:19
sigmavirus24yes15:19
bknudsonI wouldn't stop using a feature if the server returned 500. I'd report a bug.15:19
dstanek500 would be returned for unhandled brokenness right?15:19
*** dims has quit IRC15:19
sigmavirus24bknudson: I'm not talking about a human. A well written client would keep record of the fact that something returned a 5xx status and never allow another request to be made to that endpoint again15:20
dstanekfor example, configuration is broken, db connection is down, we detect a disturbance in the force, etc15:20
sigmavirus24Or at least (Method, Resource) would be baned15:20
elmikodstanek: assuming i understand the usage of this function, imo i don't see an issue, you are attempting to reformat the exception message. this could easily be code that resides in the framework if errors were raised in a standard manner.15:20
bknudsonthe whole resource? what if it was related to a query parameter or a header the client sent?15:20
sigmavirus24*banned15:21
sigmavirus24So 501 is the only one that explicitly says it can be cached https://tools.ietf.org/html/rfc7231#section-6.615:21
sigmavirus24But I've seen implementations of clients that stop sending requests to resources that return certain 5xx responses15:21
dstaneksigmavirus24: then those clients are broken :-P15:22
sigmavirus24dstanek: I didn't say they were right15:22
sigmavirus24But keystone should be conservative in what it sends15:22
sigmavirus24keystone generating its own 5xx errors is not being conservative15:22
dstaneksigmavirus24: what would be better?15:23
sigmavirus24The guideline has a recommendation15:23
*** belmoreira has quit IRC15:23
*** e0ne has joined #openstack-keystone15:23
dstaneksigmavirus24: let the framework handle it?15:24
sigmavirus24dstanek: no, if you have to return an error status, it should be a 4xx, specifically I believe the guideline recommends 40015:24
sigmavirus24I'm not totally sold on 400 and it's not perfect for every case15:24
sigmavirus24But the guideline admits that iirc15:25
dstanek'400 Our Database Is Down' seems incorrect15:25
bknudsonwe might as well just return 400 for everything and use codes in the body.15:25
dstaneki think that 405 is better than 501 for our use case, but a server error is a server error15:25
*** fhubik_afk is now known as fhubik15:27
*** varya has joined #openstack-keystone15:28
dstaneksigmavirus24: ah, you're talking about https://review.openstack.org/#/c/183456 (which i think is a little incorrect since 405 could also be used)15:28
dstaneksigmavirus24: we started talking about https://review.openstack.org/#/c/183698/2/guidelines/http.rst15:28
sigmavirus24Ah, there are too many 5xx related guidelines up right now15:29
*** aix has quit IRC15:29
dstanek:-) that second one doesn't have any rationale15:29
dstanekalso even in most frameworks you'll have code in your project that deals with formatting error bodies and then returning that to a framework15:29
dstanekit's unclear if that's OK15:29
elmikoi think formatting and error and essentially re-reraising is not that big a deal. you are still dealing with the underlying idea of exception being returned through the frameworks 5xx reporting mechanisms15:31
elmiko*an error15:31
*** josecastroleon has quit IRC15:32
dstanekelmiko: in our case we are actually returning the WSGI response15:33
*** bdossant has quit IRC15:33
*** josecastroleon has joined #openstack-keystone15:33
*** lufix has quit IRC15:33
dstanekelmiko: i still don't know if i am doing it wrong :-(15:34
*** gyee_ has joined #openstack-keystone15:34
elmikodstanek: yea, i see that. i'm not sure about the wrongness of it, for me i don't see an issue with attempting to provide better formatting for something as is going to be raised as an exception anyways.15:35
elmikothe way i read the guideline is more that you shouldn't explicitly be writing code that chooses to create a new 5xx instead of allowing the exception, for example, to be raised15:35
*** josecastroleon has quit IRC15:35
sigmavirus24== elmiko15:35
sigmavirus24adding more info to exceptions is good15:36
dstanekelmiko: when you say new 5xx are you saying a new status code like '550 Keystone Is Sleeping'?15:36
elmikodstanek: so, in the example you posted i don't have an issue with that15:36
*** josecastroleon has joined #openstack-keystone15:36
elmikodstanek: i mean more like the code catching an exception and then doing some programmatic magic to decide what 5xx should be returned15:37
dstanekelmiko: i think that review is missing the 'why' and a more detailed 'what' - there really isn't anything actionable15:37
*** ajayaa has quit IRC15:37
elmikodstanek: ok, good point. i'll think about it a little more15:37
elmikodstanek: thanks for the input =)15:38
*** josecastroleon has quit IRC15:38
*** lhcheng has joined #openstack-keystone15:39
*** ChanServ sets mode: +v lhcheng15:39
dstanekelmiko: what i'm most confused about is that the app knows when a 500 internal server error happened because it is the thing that detected it - i can see you not wanting apps to mess with 503/504/etc15:39
dstanekelmiko: my pleasure. hopefully i'm being more helpful than a pain :-)15:39
*** josecastroleon has joined #openstack-keystone15:39
elmikodstanek: definitely helpful, for me at least =)15:40
elmikoand yea, the app may know about the 500 and does a little formatting, that seems fine for me.15:40
elmikoi think the real issue is when the app makes a decision to return a 500, instead of it being the result of an unexpected code path15:41
*** aix has joined #openstack-keystone15:41
elmikoso like, you catch some exception, you know it's a 500, but just reformat the error and respond15:41
*** josecastroleon has quit IRC15:41
elmikoas opposed to the app seeing some error and then deciding to return a 50015:42
elmikoif that makes sense15:42
*** josecastroleon has joined #openstack-keystone15:42
dstanekelmiko: to me it's about evaluating the error to see if it's server or client problems15:43
elmikodstanek: and then choosing the appropriate status code?15:44
*** josecastroleon has quit IRC15:45
*** josecastroleon has joined #openstack-keystone15:46
*** samleon has quit IRC15:46
dstanekelmiko: for an app i can only see using 50015:47
*** samleon has joined #openstack-keystone15:47
elmikodstanek: like, if some unhandled exception is raised?15:47
*** samleon has quit IRC15:47
*** samleon has joined #openstack-keystone15:48
*** josecastroleon has quit IRC15:48
*** josecastroleon has joined #openstack-keystone15:49
*** hemnafk is now known as hemna15:49
ayounghttp://www.duffelblog.com/2013/02/enemy-hackers-deem-ako-mypay-not-even-worth-hacking/15:50
*** josecastroleon has quit IRC15:51
ayoungelmiko, I'm working on a script to set up a demo, and it has to call Neutron, nova, maybe some other...I cannot wait for a unified Python client API15:51
*** josecastroleon has joined #openstack-keystone15:52
elmikoayoung: unified client api would be cool, but slightly out of scope for the api-wg ;)15:52
ayoungelmiko, but....but....gah!15:53
elmikolol15:53
ayoungelmiko, actually, just having docs for Neutron would be an improvement15:53
elmikoha!15:53
elmikoayoung: are these http://developer.openstack.org/api-ref-networking-v2.html out of date?15:53
*** josecastroleon has quit IRC15:54
elmikogranted thats just the rest15:54
*** josecastroleon has joined #openstack-keystone15:55
dstanekelmiko: yes, and anytime an issue is detected that can't be fixed by the user15:56
ayoungelmiko, and how do you create a route?15:56
ayoungelmiko, or connect the internal network to the external?15:56
*** josecastroleon has quit IRC15:57
elmikodstanek: i think the latter condition is what gets complicated. seems to me that there is wide opinion about what type of error should be returned if the app detects something that cannot be fixed by the user, and that is definitely a sticking point.15:57
ayoungelmiko, I needed to do some reverse engineering before I discovered I needed to do this:  https://github.com/admiyo/ossipee/blob/master/rhosidm.py#L9115:58
*** josecastroleon has joined #openstack-keystone15:58
elmikoayoung: i see some router info in http://developer.openstack.org/api-ref-networking-v2-ext.html but, i'm not a neutron api expert by any means15:58
*** iamjarvo has quit IRC15:58
elmikoayoung: but isn't reverse engineering the fun part ;)15:59
*** pnavarro_ has joined #openstack-keystone15:59
*** henrynash has quit IRC15:59
ayoungelmiko, that would have been very useful this weekend.  Wish it had turned up in either  google search or a reasonably discoverable link taxonomy....what did I miss?15:59
elmikoayoung: keep this link handy, http://developer.openstack.org/api-ref.html =)16:00
*** henrynash has joined #openstack-keystone16:00
*** ChanServ sets mode: +v henrynash16:00
ayoungelmiko, thanks....now if only the glance client had been modernized enough to use keystone sessions....16:00
elmikoayoung: lol, i can only help so much ;)16:00
ayoungelmiko, IT is good for me, as a dev, to sometimes feel the end users pain16:01
ayoungit was there and I missed it...16:01
elmikoayoung: yea, definitely helps to build better understanding16:01
*** henrynash has quit IRC16:01
*** josecastroleon has quit IRC16:02
*** e0ne is now known as e0ne_16:03
*** josecastroleon has joined #openstack-keystone16:04
*** Nikkau has quit IRC16:04
*** varya has quit IRC16:04
*** josecastroleon has quit IRC16:05
*** josecastroleon has joined #openstack-keystone16:07
*** diegows has quit IRC16:08
*** josecastroleon has quit IRC16:08
*** e0ne_ is now known as e0ne16:09
*** _cjones_ has joined #openstack-keystone16:09
*** josecastroleon has joined #openstack-keystone16:10
dstanekelmiko: yeah, i totally agree. things like DB outage are obvious, but other things like bad data in the DB are not16:10
*** gyee_ has quit IRC16:10
*** josecastroleon has quit IRC16:11
samueldmqhow do we test changes in ksmiddleware in devstack ?16:11
elmikodstanek: totally, and i can see something like the latter being a valid case for allowing the error to be reformatted and raised16:12
samueldmqI've put LIBS_FROM_GIT=keystonemiddleware and then devstack downloaded its source code ... however changes on it are not being applied ..16:12
samueldmqdstanek, ayoung  any thought on this ? ^16:12
*** josecastroleon has joined #openstack-keystone16:13
*** josecastroleon has quit IRC16:14
*** josecastroleon has joined #openstack-keystone16:16
bknudsonsamueldmq: I don't know how LIBS_FROM_GIT works.. I git clone into /opt/stack/keystonemiddleware and then pip install -e . in /opt/stack/keystonemiddleware16:16
dstaneksamueldmq: did you do that after the ./stack.sh (i'm not sure, but i can see why that wouldn't work)16:17
dstaneksamueldmq: i do what bknudson mentioned16:17
*** josecastroleon has quit IRC16:17
openstackgerritMarek Denis proposed openstack/keystoneauth: Properly handle Service Provider in token fixtures  https://review.openstack.org/18980316:17
*** josecastroleon has joined #openstack-keystone16:19
samueldmqbknudson, dstanek trying ...16:19
samueldmqdstanek, yes I did the changes after ./stack.sh16:19
*** varya has joined #openstack-keystone16:20
bknudsonI wonder LIBS_FROM_GIT doesn't include keystonemiddleware , keystoneclient?16:20
bknudsonby default16:20
*** josecastroleon has quit IRC16:20
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858116:21
samueldmqbknudson, I think it doesn't include anything by default :/16:21
samueldmqbknudson, I always need to set it to the client I want to test16:21
*** roxanaghe has joined #openstack-keystone16:22
*** josecastroleon has joined #openstack-keystone16:22
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789916:22
*** josecastroleon has quit IRC16:24
*** josecastroleon has joined #openstack-keystone16:25
*** josecastroleon has quit IRC16:27
samueldmqbknudson, dstanek I am making the changes ... running 'pip install -I -e .' and then 'openstack server list'16:28
samueldmqthis should be hitting keystone middleware code, right ?16:28
dstaneksamueldmq: did you start the service behind the middleware?16:28
*** josecastroleon has joined #openstack-keystone16:28
samueldmqdstanek, devstack already do this, doesn't it ? it doesn't make sense it doesn't do it16:29
dstaneksamueldmq: so it was started after the new middleware version was installed?16:30
*** josecastroleon has quit IRC16:30
samueldmqdstanek, yes16:30
dstaneksamueldmq: hmmm...no idea then. it should have picked up your changes when the server started16:31
samueldmqdstanek, actually ....16:31
*** josecastroleon has joined #openstack-keystone16:31
samueldmqdstanek, it installed ksmiddleware and then started the server ..16:31
samueldmqdstanek, after that I made the changes ... I probably need to restart the services16:32
dstaneksamueldmq: ah, exactly16:32
openstackgerritJeremy Stanley proposed openstack/keystone: Merge tag '2014.2'  https://review.openstack.org/12893016:40
*** josecastroleon has joined #openstack-keystone16:40
*** dguerri` is now known as dguerri16:40
*** elmiko is now known as _elmiko16:41
*** josecastroleon has quit IRC16:42
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593616:42
*** josecastroleon has joined #openstack-keystone16:43
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858116:44
*** josecastroleon has quit IRC16:45
*** jimbaker has quit IRC16:46
*** josecastroleon has joined #openstack-keystone16:46
openstackgerritAlexander Makarov proposed openstack/keystone: Tuple constants in revocation engine  https://review.openstack.org/18981016:47
*** lufix has joined #openstack-keystone16:47
*** josecastroleon has quit IRC16:48
*** jimbaker has joined #openstack-keystone16:49
*** jimbaker has quit IRC16:49
*** jimbaker has joined #openstack-keystone16:49
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858116:49
*** josecastroleon has joined #openstack-keystone16:49
*** josecastroleon has quit IRC16:51
bknudsondstanek: did you go to this talk about design patterns? https://dague.net/2015/06/09/python-design-patterns/16:52
*** josecastroleon has joined #openstack-keystone16:52
dstanekyeah, i've seen that before16:53
lbragstaddstanek: bknudson looking interesting16:53
lbragstads/looking/looks/16:53
*** kfox1111 has joined #openstack-keystone17:02
kfox1111Can some keystone cores please have a look at https://review.openstack.org/#/c/18661717:02
kfox1111it's the nova instance user thing we talked about at the summit.17:03
*** josecastroleon has quit IRC17:03
*** josecastroleon has joined #openstack-keystone17:04
samueldmqdstanek, yeah, just got that working ... I am able to see prints in the n-api screen session :)17:05
samueldmqdstanek, just need to restart the server ... no need to reinstall ksmiddleware17:05
samueldmqdstanek, bknudson thanks for your help17:05
*** josecastroleon has quit IRC17:06
*** josecastroleon has joined #openstack-keystone17:07
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation spec  https://review.openstack.org/18981617:08
openstackgerritJeremy Stanley proposed openstack/keystone: Merge tag '2015.1.0'  https://review.openstack.org/17928817:17
openstackgerritCorey Bryant proposed openstack/python-keystoneclient: Iterate over copy of sys.modules keys in Python2/3  https://review.openstack.org/18983417:52
*** _elmiko is now known as elmiko17:52
*** josecastroleon has joined #openstack-keystone17:53
marekdmorganfainberg: i am afraid i will not attend today's meeting. Sorry.17:53
openstackgerritDavid J Hu proposed openstack/keystone: IAM Formatter  https://review.openstack.org/18983617:53
morganfainbergmarekd: that's ok.17:54
*** josecastroleon has quit IRC17:54
*** g2` has joined #openstack-keystone17:55
*** g2` has quit IRC17:55
*** josecastroleon has joined #openstack-keystone17:56
*** dims has joined #openstack-keystone17:56
*** rlt has quit IRC17:56
morganfainbergi think... it's that time17:57
morganfainbergayoung: time check - we at meeting time?17:57
ayoungmorganfainberg, 3 minutes...17:57
morganfainbergsince i'm ~+9hrs from my normal timezone17:57
morganfainbergayoung: cool.17:57
*** henrynash has joined #openstack-keystone17:57
*** ChanServ sets mode: +v henrynash17:57
ayoungjamielennox|away, upstream...18:27
dstanekhenrynash: i don't get the overall vision here. we are letting a project<is_domain=True> act as a project. will the user know that it is actually a domain too?18:52
htruta_dstanek: just finish for now, in case of ambiguity, we use the old behavior18:53
*** mabrams has joined #openstack-keystone18:53
*** josecastroleon has joined #openstack-keystone18:53
htruta_ops. was supposed to go in the other channel18:53
htruta_anyway18:53
dstanekhtruta_: i think that's broken18:53
*** mabrams1 has quit IRC18:55
*** josecastroleon has quit IRC18:55
htrutadstanek: why?18:55
dstanekhtruta: like i said i don't get the vision, but... what if i list projects i have access to looking for a name so that i can create some resource.18:56
*** josecastroleon has joined #openstack-keystone18:56
dstaneklet's assume it's A and that A is an is_domain project - is there any way i would mean to use it, but accidentally get A.A?18:57
*** josecastroleon has quit IRC18:58
ayoungdstanek, I tried that and got sent to AAA18:58
ayoungat least I wasn't sent to AA18:58
htrutaayoung: lol18:58
*** josecastroleon has joined #openstack-keystone18:59
ayoungand then this greasy dude in a leather jacket came by and said AAAAAAYYYYYY! with both thumbs up in the air....18:59
htrutadstanek: yes, you can... but in the current behaviour, we are not able to get to A, only to A.A18:59
htrutaso, nobody will try to get a project scoped token to A, unless it has really read the documentation and he's sure about that19:00
dstanekhtruta: but we don't tell them that; we assume we know what they want and just go ahead and do it19:00
rodrigodsbknudson, k2k auth plugin returns a scoped token that works in the remote cloud, this token will contain the remote cloud catalog19:02
morganfainberghttps://blueprints.launchpad.net/keystone/+spec/role-descriptions - i have no issue with this not requiring a spec19:02
morganfainbergcores, when you're done with the current discussion please look and let me know19:02
morganfainbergif you agree19:02
henrynashmorganfainberg: I agree19:02
dstanekmorganfainberg: lost review - https://review.openstack.org/#/c/128930/19:03
*** josecastroleon has quit IRC19:03
*** htruta_ has quit IRC19:03
gyee_henrynash, for http://paste.openstack.org/show/278495/19:03
gyee_I think we may need GET /projects/id/role_assignments19:03
htrutadstanek: I got your point now19:04
*** josecastroleon has joined #openstack-keystone19:04
bknudsonok, so I can do "openstack server create" and create a server on my local cloud or I can create one on a remote cloud...19:04
bknudsonhow do I tell "openstack server create" which cloud to use?19:04
dolphmgyee_: don't we already have GET /v3/role_assignments?project_id={project_id}19:04
gyee_dolphm, no, scope.project.id only19:04
gyee_GET /projects/id/role_assignments is more natural19:05
dolphmgyee_: that's what i meant. what's the difference?19:05
rodrigodsbknudson, ok... that's the idea of having two different auth plugins parameters: openstack --os-auth-plugin=password --project-id=<local_project> --os-remote-auth-plugin=k2k --os-remote-projectid=<remote_plugin19:05
gyee_dolphm, we need domain admin to be able to lookup project assignments for a project in that domain19:05
gyee_dolphm, horizon currently can't lookup assignments with a domain admin token19:06
*** josecastroleon has quit IRC19:06
bknudsonI don't think it should depend on the auth plugin... make it explicit19:06
dolphmbknudson: i haven't reviewed this yet, but i assume that's what this provides https://review.openstack.org/#/c/188581/19:06
bknudsonopenstack --idp=whatever server create19:06
bknudsonthe auth plugin stuff I'd probably want to come from a config file19:06
dolphmrodrigods: is there seriously a reason to require remote project ID?19:07
rodrigodsdolphm, this is to request scoped tokens19:07
*** josecastroleon has joined #openstack-keystone19:07
*** kfox1111 has quit IRC19:07
raildogyee, horizon can't handle with domain scoped token, that why get a project scoped token for a project is_domain can make the horizon work easier.19:07
rodrigodsdolphm, a further step after getting a federated unscoped token19:07
dolphmrodrigods: the locally scoped project is passed as part of the SAML assertions right?19:08
gyee_raildo, my feeling is that we may end up with namespaces19:08
rodrigodsdolphm, right19:08
gyee_otherwise, it will be chaos19:08
dstanekbknudson: why would we not just use what osc already has to specify clouds19:08
*** josecastroleon has quit IRC19:09
dolphmrodrigods: is there not already a way to create the local project remotely? with matching ID and name?19:09
rodrigodsdolphm, not really... it will depend on the mapping19:09
dstanekbknudson: i think it's --os-cloud19:09
dolphmrodrigods: i don't see why i have to use a *different* globally unique identifier for my project19:09
bknudsondstanek: y, if they have --os-cloud then use that.19:09
dolphmthat's why they're UUIDs19:09
gyee_dstanek, what's --os-cloud, service provider id in the token response?19:10
*** josecastroleon has joined #openstack-keystone19:10
*** amakarov is now known as amakarov_away19:10
dstanekbknudson: i have 2 clouds configured in my yaml file (one for personal use and one for rax)19:10
bknudsonos-cloud should map to a service provider if it's a remote cloud.19:10
rodrigodsdolphm, your local project can map to what ever entity in the remote cloud side19:10
bknudsondstanek: that's exactly what I'm thinking of... so they've already essentially got it.19:11
rodrigodsdolphm, we only know that by asking what projects/domains we have access to19:11
rodrigodsdolphm, after we have the federated unscoped token19:11
bknudsonbut I assume it doesn't support K2K.19:11
dstanekbknudson: http://docs.openstack.org/developer/python-openstackclient/configuration.html#configuration-files19:11
dolphmrodrigods: that made sense in the non-k2k case... i don't know that it makes any sense to me to have to ask for another scoped token in the k2k case19:11
dstanekdoubt it, but it's a logic base to build on top of19:11
*** josecastroleon has quit IRC19:12
bknudsony, build it on that rather than trying to make insanely complicated CLI args.19:12
dstanekbknudson: right now you set up your creds for each one - i can see instead of username/password having a way to specify the IdP19:12
rodrigodsdolphm, hmm I see what you mean... once the remote cloud accepted my SAML assertion, why can't I use my local token, right?19:12
bknudsonmaybe it's just like --local ds-admin --remote infra ?19:12
dolphmrodrigods: no, not local token19:12
dstanekor maybe in addition to19:12
dolphmrodrigods: just the project ID i'm already aware of19:12
*** josecastroleon has joined #openstack-keystone19:13
rodrigodsdolphm, it's because in k2k we didn't change the keystone that is consuming the federated identity19:13
dstanekwhy not 'openstack --os-cloud remote server create' and have osc figure out what IdP to use based on the config?19:13
bknudsondstanek: that would be awesome.19:13
dstanekinstead of an auth_url you can have an IdP url or  something like that19:13
rodrigodsdstanek, service provider you mean?19:13
bknudsonbut, it wouldn't fit into the openstack model of terrible UX.19:14
dolphmrodrigods: well that's a good philosophy, but the resulting UX is odd19:14
dolphmrodrigods: especially asking for a second project ID on the CLI19:14
dstanekrodrigods: nope the service provider is what you specify with --os-cloud19:14
*** josecastroleon has quit IRC19:15
dstanekrodrigods: you are telling osc that for this cloud you need to auth a certain way - their documented way is auth_url + username/password or token19:15
rodrigodsdolphm, yeah... I know, this gets even worse if we want to make it handle multiple remote clouds19:15
dolphmrodrigods: yep19:15
*** e0ne has quit IRC19:15
dolphmrodrigods: if my remote keystone trusts the identity asserted by my local keystone, why can't it mirror my project?19:16
rodrigodsdstanek, so OSC will know that it needs to use k2k auth plugin and pass the default plugin to it?19:16
*** josecastroleon has joined #openstack-keystone19:16
dolphmit's just an arbitrary ID19:16
dstanekrodrigods: sure19:16
rodrigodsdstanek, makes sense... will present this idea to marekd :)19:16
rodrigodsdolphm, this sounds like a reasonable improvement to the mapping engine19:17
rodrigodsdolphm, and something discussed in the summit iirc19:17
*** josecastroleon has quit IRC19:18
dolphmrodrigods: perhaps on Friday? i missed the federation discussion that day19:18
rodrigodsdolphm, yeah, that day... there is a blueprint of this idea somewhere19:18
raildohenrynash, gyee, dstanek, morganfainberg, ayoung, htruta , rodrigods  so.. you guys have any suggestions to reach a solution for the project name problem?19:19
*** josecastroleon has joined #openstack-keystone19:19
ayoungraildo, aside from the  entirely sensible one I already gave?19:19
raildoayoung,  haha19:19
rodrigodslets vote? +1 for ayoung suggestion19:20
rodrigodswe want to approve this spec super fast19:20
raildoayoung, I like your suggestions but  we need an agreement :P19:20
*** josecastroleon has quit IRC19:21
raildoWhat is the best way to come to a consensus about this? write a google form with the options and vote?19:21
raildoI don't know...19:21
*** josecastroleon has joined #openstack-keystone19:22
rodrigodsraildo, maybe we can find 2 cores to approve the spec and that's it? :)19:22
dolphmmorganfainberg: +1 stop supporting project names in auth requests19:22
rodrigodsdolphm, the blueprint I was referring https://blueprints.launchpad.net/keystone/+spec/cross-cloud-project-sync19:23
dolphmrodrigods: i 100% agree with the use case; was joesavak around when it was discussed?19:23
*** josecastroleon has quit IRC19:24
dolphmalthough, what's "image federation" specifically, in the "customer perceived priority"?19:24
rodrigodsdolphm, yep... this bp was the "result" of the discussion19:24
rodrigodsdolphm, it was a different discussion that came to the same topic (don't ask me how)19:25
dolphmraildo: write up all the options in an etherpad or on the meeting wiki, along with the reasoning for/against each one, and hold a vote in the next keystone meeting19:25
*** josecastroleon has joined #openstack-keystone19:25
dolphmraildo: but the options need to be well-defined in advance19:25
raildodolphm, ok, I'll do that19:25
openstackgerritIan Wienand proposed openstack/keystone: Use lower default value for sha512_crypt rounds  https://review.openstack.org/16529519:26
*** josecastroleon has quit IRC19:27
htrutadolphm: isn't next meeting too late?19:27
htrutacause we still need to write the spec with the decision19:27
htrutawe'd only have a week to write and get it approved19:27
*** thedodd has joined #openstack-keystone19:27
*** josecastroleon has joined #openstack-keystone19:28
dolphmhtruta: too late for SPF on june 22nd?19:29
dolphmhtruta: or too late for what?19:29
*** josecastroleon has quit IRC19:30
dstanekhtruta: if you get a vote it shouldn't be too hard to get it approved19:30
dolphmhtruta: there's actually a Problem Description and Alternatives sections in the specs template -- you could start with those two sections alone before touching any of the rest. that way you have a giant head start on the spec writing19:30
dolphmdstanek: ++19:31
*** HT_sergio has joined #openstack-keystone19:31
htrutadolphm: yes, I'm considering that date19:31
*** josecastroleon has joined #openstack-keystone19:31
htrutadstanek, dolphm: ok, then :)19:31
rodrigodsbut htruta will ping you forever to review it, be warned :)19:32
raildome too \o19:32
htrutalol19:33
dstanek:-)19:34
*** josecastroleon has quit IRC19:34
*** josecastroleon has joined #openstack-keystone19:35
*** josecastroleon has quit IRC19:37
*** gyee_ has quit IRC19:38
*** josecastroleon has joined #openstack-keystone19:38
*** josecastroleon has quit IRC19:40
*** josecastroleon has joined #openstack-keystone19:41
ekarlsois there any thing for CORS with the keystone middleware ?19:41
dolphmekarlso: http://docs.openstack.org/developer/oslo.middleware/cors.html19:42
*** josecastroleon has quit IRC19:43
*** josecastroleon has joined #openstack-keystone19:44
ekarlsokewls dolphm !19:44
richmgyee: ping - nkinder said you have been trying to get shibboleth working with HA proxy doing SSL termination?19:47
richmgyee: I was wondering if you got it working and, if so, how?19:47
morganfainbergdolphm: sounds good to me19:53
*** belmoreira has quit IRC19:56
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18990119:58
*** jamielennox|away is now known as jamielennox20:01
*** ayoung has quit IRC20:04
*** Rockyg has joined #openstack-keystone20:11
*** josecastroleon has quit IRC20:15
dolphmdstanek: i was going to -1, but since you're not the primary author: i don't think it's "fair" to include "incorrectly-configured" just because it's swift. that just feels like including garbage? why not just exclude non-oslo projects from the useragent altogether? https://review.openstack.org/#/c/180769/10..12/keystonemiddleware/auth_token/__init__.py,unified20:16
*** josecastroleon has joined #openstack-keystone20:16
*** josecastroleon has quit IRC20:18
dimsfolks, where exactly in BU is the mid-cycle?20:18
*** josecastroleon has joined #openstack-keystone20:19
dstanekdolphm: i could do that20:25
*** josecastroleon has joined #openstack-keystone20:25
raildodims, Boston university20:26
*** timcline has joined #openstack-keystone20:26
*** josecastroleon has quit IRC20:27
dimsraildo: y, which building i should have asked :)20:27
raildodims, https://wiki.openstack.org/wiki/Sprints/KeystoneLibertySprint20:27
dimsraildo: i went to school there :)20:28
*** josecastroleon has joined #openstack-keystone20:28
*** josecastroleon has quit IRC20:30
bknudsondims: which building do you want it to be in?20:31
*** josecastroleon has joined #openstack-keystone20:31
dimsha, i get to choose? :)20:31
*** josecastroleon has quit IRC20:33
dolphmdstanek: is there any case where _get_project_version would fail if _conf_get('project') had already succeeded?20:34
*** markvoelker has joined #openstack-keystone20:34
*** josecastroleon has joined #openstack-keystone20:34
gyeerichm, yes, got it working20:36
*** josecastroleon has quit IRC20:36
dstanekdolphm: not that i know of20:36
*** lastops has quit IRC20:37
*** josecastroleon has joined #openstack-keystone20:37
dolphmdstanek: if you're going to post another rev, i assume L2670 is an easy change, assuming there's no justification https://review.openstack.org/#/c/180769/10..12/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py,unified20:38
openstackgerritMerged openstack/python-keystoneclient: Use random strings for test fixtures  https://review.openstack.org/18953820:38
*** markvoelker has quit IRC20:39
*** josecastroleon has quit IRC20:39
lbragstadayoung: do you know if there is anything special I have to do to get into the dorms at BU for the mid-cycle?20:40
*** josecastroleon has joined #openstack-keystone20:40
dstanekdolphm: that was from another test that i copied20:41
dstanekit could probably be a uuid20:41
*** josecastroleon has quit IRC20:42
gyeelbragstad, 23 Jump Street?20:43
lbragstadgyee: yes20:43
*** josecastroleon has joined #openstack-keystone20:43
gyeeyou need a side-kick20:44
lbragstadgyee: despite the fact that 21 and 22 jump street drop my IQ a little every time I watch them, I still do it...20:44
gyeeme 2 :)20:45
*** josecastroleon has quit IRC20:45
*** josecastroleon has joined #openstack-keystone20:46
*** josecastroleon has quit IRC20:48
richmgyee: so you were able to configure apache to use http, but have clients use https urls?20:49
*** josecastroleon has joined #openstack-keystone20:49
gyeerichm, no, we can't change the request url20:50
*** josecastroleon has quit IRC20:51
*** stevemar has joined #openstack-keystone20:51
*** ChanServ sets mode: +v stevemar20:51
gyeerichm, we had to configure haproxy to do forwarding and maintain session affinity20:51
gyeeotherwise, redirect will break20:51
dstanekgyee: it needed session affinity?20:52
gyeeyes, otherwise, redirect will fail20:52
*** josecastroleon has joined #openstack-keystone20:52
dstanekthat's odd. i wonder why20:52
*** raildo has quit IRC20:52
gyeedstanek, I haven't found that magic config option to not do redirect yet20:53
*** arunkant has joined #openstack-keystone20:54
*** josecastroleon has quit IRC20:54
dstanekeven with a redirect why would it need to get back to the same keystone server. we don't actually keep session state20:54
gyeedstanek, shibboleth does20:54
*** iurygregory has quit IRC20:54
gyeethere's a session cookie in there20:54
*** josecastroleon has joined #openstack-keystone20:55
dstanekgyee: that keystone uses?20:56
gyeedstanek, that's how shibboleth workflow, which k2k depends on20:56
dstanekgyee: ah, so it's mod_shib that requires affinity20:57
dstanekthat makes sense20:57
gyeeyeah, its a two step process20:57
*** josecastroleon has quit IRC20:57
gyeebetween mod_shib and shibd20:57
*** josecastroleon has joined #openstack-keystone20:58
*** lhcheng has quit IRC21:01
*** dguerri` is now known as dguerri21:04
*** lhcheng has joined #openstack-keystone21:05
*** ChanServ sets mode: +v lhcheng21:05
*** zzzeek has quit IRC21:06
dolphmgyee: any idea what shib keeps in the session?21:09
gyeedolphm, relay state I think21:09
dolphmgyee: i mean, what's in the state?21:10
gyeedolphm, just a random number to prevent replay attack I am guessing21:10
gyeebut I don't know the shibd internals well21:10
jamielennoxgyee: can you have another look at https://review.openstack.org/#/c/141267/10 when you get a chance21:14
gyeejamielennox, sure21:15
*** Swanson has left #openstack-keystone21:15
gyeejamielennox, https://review.openstack.org/#/c/179486/21:15
*** jaosorior has quit IRC21:15
gyeeI remember I reviewed one of your patches which also does refactoring in this area21:16
gyeethe scary thing is that I can't find it in my history21:16
jamielennoxgyee: yea, bknudson and i were doing a lot of refactoring in the same space but i don't think that will conflict21:17
gyeejamielennox, k, just want to confirm21:18
bknudsondon't worry about conflicts with my changes... I'll just rebase.21:18
bknudsonif you want to get jamielennox's in first go ahead21:18
gyeebknudson, k, I was afraid one may override the other21:19
jamielennoxbknudson: i think mine have caught up, there are no reviews on the current one21:19
bknudsonI think we're all moving in the same direction21:19
dolphmdstanek: gyee: found this when looking into shibboleth session stuff https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPClustering21:19
bknudsonalthough jamielennox probably has bigger plans than I do.21:20
jamielennoxbknudson: i was looking through those patches, are you working towards something in particular?21:21
jamielennoxi can see the moving around and i don't have any problem with them i'm just not sure why in a few places21:21
*** ayoung has quit IRC21:21
bknudsonjamielennox: I think it's cleaner to work with objects and a single representation. The single representation being AccessInfo.21:22
gyeedolphm, um, I need to give it a try21:23
dolphmgyee: you could try the other options, but i'd opt for what you're doing already myself21:23
gyeedolphm, I am also waiting for the mod_mellon alternative as well, to see which one offers less complexity21:24
dolphmthe shared process model sounds far more fault-prone21:24
dolphmgyee: looks like mod mellon has the same basic requirements, but fewer deployment options21:25
gyeedolphm, not sure of mellon support ECP wrap yet, nkinder mentioned at the summit that they are making good progress21:26
dolphmgyee: to make shibd HA, you still need sticky sessions between your keystone nodes and the shibd nodes lol21:26
dolphmfor the "shared process" model21:26
gyeeyes!21:26
gyeewe need session affinity in both cases21:26
dolphmi'd either do sticky session in front of keystone, or a shared db21:26
stevemarquit making things sticky21:26
dolphmand i'm not sure i want shib touching my db21:26
dolphmi don't want my db to be sticky21:27
gyeeheh21:27
dolphmgyee: but you're right, i can't find any indication that it's solving anything other than xsrf21:28
gyeetake the default, which is to store the relaystate in its local cache21:28
nkinder__gyee: patches for ECP are proposed upstream for lasso (the underlying library that mellon uses), and mellon patches are being sent out today21:28
*** josecastroleon has quit IRC21:28
gyeenkinder__, awesome!21:28
dolphmi want a mellon patch21:28
nkinder__:)21:28
gyeethat's when you know summer has arrived21:29
*** josecastroleon has joined #openstack-keystone21:29
*** josecastroleon has quit IRC21:31
stevemaryou are all mellon heads21:32
gyeethat a band name?21:32
*** geoffarnold has quit IRC21:32
*** josecastroleon has joined #openstack-keystone21:32
*** josecastroleon has quit IRC21:34
*** josecastroleon has joined #openstack-keystone21:35
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and session  https://review.openstack.org/11708921:35
stevemargyee, it could be21:37
*** josecastroleon has quit IRC21:37
*** ayoung has joined #openstack-keystone21:37
*** ChanServ sets mode: +v ayoung21:37
*** josecastroleon has joined #openstack-keystone21:38
*** josecastroleon has quit IRC21:40
*** josecastroleon has joined #openstack-keystone21:41
*** samueldmq has joined #openstack-keystone21:42
*** josecastroleon has quit IRC21:43
*** josecastroleon has joined #openstack-keystone21:44
*** ankita_wagh has joined #openstack-keystone21:45
*** josecastroleon has quit IRC21:46
*** josecastroleon has joined #openstack-keystone21:47
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add service token to user token plugin  https://review.openstack.org/14161421:48
*** josecastroleon has quit IRC21:49
*** josecastroleon has joined #openstack-keystone21:50
openstackgerritDavid J Hu proposed openstack/keystone-specs: Unified namespaced is_admin policy  https://review.openstack.org/18948621:51
*** josecastroleon has quit IRC21:52
*** iamjarvo has joined #openstack-keystone21:53
*** josecastroleon has joined #openstack-keystone21:53
*** josecastroleon has quit IRC21:55
*** iamjarvo has quit IRC21:56
*** josecastroleon has joined #openstack-keystone21:56
*** josecastroleon has quit IRC21:58
*** josecastroleon has joined #openstack-keystone21:59
*** josecastroleon has quit IRC22:03
*** josecastroleon has joined #openstack-keystone22:04
*** Ephur has quit IRC22:04
*** josecastroleon has quit IRC22:06
*** josecastroleon has joined #openstack-keystone22:07
*** josecastroleon has quit IRC22:09
*** josecastroleon has joined #openstack-keystone22:10
*** josecastroleon has quit IRC22:12
*** josecastroleon has joined #openstack-keystone22:13
*** bknudson has quit IRC22:13
*** HT_sergio has quit IRC22:14
*** josecastroleon has quit IRC22:15
*** josecastroleon has joined #openstack-keystone22:16
*** pnavarro_ has quit IRC22:17
*** jsavak has joined #openstack-keystone22:17
*** josecastroleon has quit IRC22:18
*** josecastroleon has joined #openstack-keystone22:19
*** josecastroleon has quit IRC22:21
*** josecastroleon has joined #openstack-keystone22:22
openstackgerritMerged openstack/python-keystoneclient: Add get_communication_params interface to plugins  https://review.openstack.org/14126722:23
*** josecastroleon has quit IRC22:24
*** jsavak has quit IRC22:24
*** jsavak has joined #openstack-keystone22:24
*** josecastroleon has joined #openstack-keystone22:25
*** josecastroleon has quit IRC22:27
*** josecastroleon has joined #openstack-keystone22:28
openstackgerritMerged openstack/keystonemiddleware: validate_token returns AccessInfo  https://review.openstack.org/17948622:30
*** josecastroleon has quit IRC22:30
*** topol has quit IRC22:30
*** josecastroleon has joined #openstack-keystone22:31
*** josecastroleon has quit IRC22:33
*** josecastroleon has joined #openstack-keystone22:34
*** stevemar has quit IRC22:35
*** josecastroleon has quit IRC22:36
*** josecastroleon has joined #openstack-keystone22:37
*** josecastroleon has quit IRC22:39
*** josecastroleon has joined #openstack-keystone22:40
jamielennoxgyee: i left some comments on https://review.openstack.org/#/c/177661/22:41
jamielennoxi'm still not sure i like using oslo.policy for endpoint enforcement22:41
jamielennoxwe are still going to end up with enforce_endpoint_id and enforce_service_id in the config so why not do it the old way?22:42
*** ayoung has quit IRC22:44
mfischlbragstad: how do I match fernet token IDs up with what the log file shows?22:50
mfischthe log file is still showing UUID-looking things in the logs22:50
mfischfor example22:51
*** timcline has quit IRC22:51
mfischCould not find token: a1d6d526aa86423ca6b99f80332819c22:51
mfischthat's not a fernet ID, could be a piece of one I guess22:51
mfischor maybe a hash or something?22:52
mfischif so would love to know how to decode for debugging22:52
*** chlong-zzz has quit IRC22:58
*** HT_sergio has joined #openstack-keystone22:58
*** thedodd has quit IRC23:02
*** josecastroleon has quit IRC23:10
*** samueldmq has quit IRC23:11
*** josecastroleon has joined #openstack-keystone23:11
*** josecastroleon has quit IRC23:13
morganfainbergmfisch: uhm23:14
morganfainbergmfisch: did it say {SHA1}<thing>?23:14
*** josecastroleon has joined #openstack-keystone23:14
*** josecastroleon has quit IRC23:17
*** josecastroleon has joined #openstack-keystone23:19
*** toddnni has quit IRC23:19
*** josecastroleon has quit IRC23:20
*** markvoelker has joined #openstack-keystone23:21
*** josecastroleon has joined #openstack-keystone23:22
*** toddnni has joined #openstack-keystone23:22
*** josecastroleon has quit IRC23:23
*** josecastroleon has joined #openstack-keystone23:25
*** markvoelker has quit IRC23:26
*** josecastroleon has quit IRC23:26
*** josecastroleon has joined #openstack-keystone23:28
*** josecastroleon has quit IRC23:29
*** ankita_wagh has quit IRC23:30
*** josecastroleon has joined #openstack-keystone23:31
*** mikedillion has joined #openstack-keystone23:31
*** mikedillion has quit IRC23:32
*** josecastroleon has quit IRC23:32
*** stevemar has joined #openstack-keystone23:33
*** ChanServ sets mode: +v stevemar23:33
*** josecastroleon has joined #openstack-keystone23:34
*** josecastroleon has quit IRC23:35
*** mikedillion has joined #openstack-keystone23:36
*** josecastroleon has joined #openstack-keystone23:37
*** toddnni_ has joined #openstack-keystone23:37
*** toddnni has quit IRC23:37
*** toddnni_ is now known as toddnni23:37
gyeejamielennox, thanks, reason for the global target is that it will be generic, not just endpoint constraint enforcement23:39
gyeejamielennox, endpoint_id can be configured in either the global target or middleware  conf23:39
jamielennoxgyee: so i think having this as standalone middleware makes sense23:40
*** dguerri is now known as dguerri`23:40
gyeejamielennox, right, eventually23:40
*** josecastroleon has quit IRC23:40
jamielennoxgyee: why wait?23:41
gyeejamielennox, we had a conversation with both morganfainberg and ayoung, reason is easier deployment23:41
gyeemy understanding is that pipeline changes are a bit more disruptive on upgrade23:42
*** josecastroleon has joined #openstack-keystone23:42
gyeewe want to keep the config changes to a minimum right now, till we expand on the functionality23:42
*** harlowja has quit IRC23:42
jamielennoxi kind of disagree23:43
*** harlowja has joined #openstack-keystone23:43
gyeeI don't have a problem separating it into a new middleware filter, just code :)23:43
*** josecastroleon has quit IRC23:43
jamielennoxi don't like to have an explicit enable step, and ideally i'd like to not make auth_token much bigger23:44
*** ankita_wagh has joined #openstack-keystone23:44
*** josecastroleon has joined #openstack-keystone23:45
gyeejamielennox, the other reason is that endpoint constraint is really part of "token validation"23:45
gyeesame as token binding23:45
jamielennoxgyee: i would have agreed if we were doing it manually, but there's no guarantee that there's even a reference to endpoint_id in the policy line23:46
jamielennoxfeels much more like generic policy enforcement on the token23:46
gyeejamielennox, you can setup a target with endpoint_id in it23:46
*** josecastroleon has quit IRC23:46
gyee"endpoint_constraint": "token.catalog.endpoints.id:12345",23:47
gyeeor23:48
*** mikedillion has quit IRC23:48
*** josecastroleon has joined #openstack-keystone23:48
gyee"token_binding": "rule:endpoint_constraint and token.binding.kerberos.principal:foo"23:48
jamielennoxis it really that specific? so it's tied to the version of the token?23:49
*** josecastroleon has quit IRC23:49
gyeejamielennox, right now it has to be token format specific, but once we canonicalize the token to AccessInfo we can have something more consistent23:50
gyeeright now it's basically enforced against a flattened token dict23:50
*** josecastroleon has joined #openstack-keystone23:51
jamielennoxwe aren't doing the canonicalized thing23:51
jamielennoxi mean we can make that work in a different way23:51
gyeemy point is there is room for improvement, but they are not showstoppers23:51
jamielennoxmorganfainberg: are you set on having policy enforcement be in auth_token middleware rather than its own middleware23:52
jamielennox?23:52
*** josecastroleon has quit IRC23:52
gyeejamielennox, I need to step out for about 30 mins, let's catch morganfainberg and ayoung once they are back online23:53
*** jsavak has quit IRC23:53
jamielennoxgyee: ok23:53
*** josecastroleon has joined #openstack-keystone23:54
*** jsavak has joined #openstack-keystone23:54
*** josecastroleon has quit IRC23:55
*** josecastroleon has joined #openstack-keystone23:57
*** bradjones has quit IRC23:58
*** josecastroleon has quit IRC23:58
*** lhcheng has quit IRC23:59
*** roxanaghe has quit IRC23:59
