Wednesday, 2015-06-10

<openstackgerrit> Merged openstack/keystoneauth: Encapsulate Service Providers in AccessInfo
<openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: Stop using tearDown
<samueldmq> I thought a URL uniquely identified an endpoint ..  01:19
<samueldmq> but actually a URL can match multiple endpoints  01:21
<samueldmq> in devstack, for example, there are 3 endpoints for glance, defining public, internal and admin interfaces  01:21
<davechen> samueldmq: Is there anything wrong if one URL can match multiple ep?  01:24
<samueldmq> I am thinking in the dynamic policies case  01:24
<samueldmq> davechen, let's say nova is running at http://controller:8774  01:25
<samueldmq> so that ksmiddleware will download the policy associated to that URL (endpoint)  01:25
<samueldmq> but actually it can match multiple endpoints, and as a consequence, multiple policy ids  01:25
<samueldmq> I wonder what to do in that case, we need to be clear about that  01:25
<davechen> these ep are associated with each other.  01:26
<samueldmq> I think we thought a URL uniquely identified an endpoint .. in a talk with morganfainberg and ayoung  01:26
<samueldmq> davechen, I am not convinced that we could have different policies for different interfaces of the same endpoint  01:27
<samueldmq> but the fact is that we allow this today  01:27
<davechen> +1, so the logic will be easier if we define the same policies for the different interfaces. :)  01:28
<lifeless> jamielennox: hi so  01:31
<lifeless> jamielennox: pyconau, we're thinking to take two keystone talks; neither quite what folk proposed :).  01:31
<lifeless> jamielennox: 1) deep dive into federation. 2) keystone project update and future plans.  01:32
<davechen> samueldmq: You are already starting to code for the dynamic policy overview?  01:32
<lifeless> jamielennox: what do you think of that idea?  01:32
<davechen> samueldmq: Do you have any patches up for that?  01:32
<samueldmq> davechen, yes, and in that case it would be a policy for the service  01:33
<samueldmq> davechen, and we already allow that  01:33
<samueldmq> davechen, no it wouldn't  01:33
<samueldmq> davechen, because we can have multiple endpoints per service  01:33
<davechen> what are morgan's or ayoung's concerns if we do it like this?  01:34
<samueldmq> davechen, I don't think they were concerned about that ..  01:34
<samueldmq> davechen, we had decided as I explained  01:34
<samueldmq> davechen, however I caught this detail when implementing it :)  01:35
<davechen> samueldmq: That's great.  01:35
<samueldmq> davechen, I think we will have something demonstrable by the end of this week  01:35
<samueldmq> davechen, where we upload a policy for glance to keystone, update it on keystone and have enforcement affected on the glance side  01:36
<samueldmq> davechen, i.e. ksmiddleware fetching and caching the policy for the endpoint :)  01:36
<davechen> samueldmq: where is your demo? it's fast!!  01:36
<samueldmq> davechen, well ... I am working locally for now  01:37
<samueldmq> davechen, this is from last week ... where I set up a code 'skeleton'  01:38
<davechen> samueldmq: seems like the overall implementation is already done, cool.  01:38
<samueldmq> davechen, based on that, I am adding the code to implement the feature  01:38
<samueldmq> davechen, yes I think we are close to having something very nice up and running :)  01:38
<davechen> samueldmq: going to check the details from the patch. :)  01:39
<samueldmq> davechen, however the details on how to improve the policy definition + its management is the tricky part  01:39
<samueldmq> davechen, k, that's just a very very initial change ....  I will be sending something more complete tomorrow  01:40
<davechen> samueldmq:  you already did great!  01:40
<samueldmq> davechen, haha thanks :) but we still have a ton of work to do  01:41
<samueldmq> davechen, spec freeze coming ... lots of things to be defined  01:41
<samueldmq> davechen, I want to have this working this week, also I need to check and update specs, etc  01:41
<davechen> samueldmq:  I am a little lazy recently, just reviewed a couple of ayoung's specs.  01:41
<samueldmq> davechen, L1 is spec freeze  01:41
<samueldmq> davechen, lazy ? maybe you have other priorities from your employer  01:42
<samueldmq> davechen, that's understandable  01:42
<davechen> samueldmq:  you understand me, buddy :)  01:42
<samueldmq> davechen, yeah;  I think that happens to everyone  01:43
<samueldmq> davechen, I am having more time on this since my employer is paying me to work on that  01:43
<davechen> samueldmq:  you are lucky. we need to convince and manage our boss. :)  01:44
<samueldmq> davechen, you have to sell the subject, so they get convinced that it's interesting enough to put you on that box  01:45
<davechen> samueldmq:  Are you still in the University?  01:45
<samueldmq> davechen, I work at a laboratory in the university  01:45
<samueldmq> davechen, though I graduated last year  01:46
<samueldmq> davechen, in September  .. since then I am working a bit more on keystone :)  01:46
<davechen> samueldmq:  so you can mentor some guys in your labs.  01:46
<samueldmq> davechen, yes, at least I try to share knowledge with others  01:47
<davechen> samueldmq: You may need to change your affiliation since I notice you are independent on stackalytics.  01:48
<samueldmq> davechen, yeah .. although stackalytics sums up my reviews/commits to the university  01:49
<samueldmq> davechen, they're identified by my email ..
<davechen> samueldmq:  that's fine.  01:50
<jamielennox> lifeless: here now  02:08
<jamielennox> lifeless: ok, i am happy enough to do either of those, though you should probably give morganfainberg first pick  02:09
<lifeless> jamielennox: sure  02:17
<jamielennox> lifeless: did you get many submissions this time around?  02:17
<lifeless> morganfainberg: when you get online; ping ^ :)  02:17
<lifeless> jamielennox: it was close :)  02:17
<jamielennox> close? close to getting one keystone talk or not filling the spots ?  02:17
<jamielennox> only one  02:18
<lifeless> we started the planning thinking we might be 3.5 hours short of content  02:18
<jamielennox> ooo, ouch  02:18
<lbragstad> mfisch: don't we omit token ids from logging?  02:38
<mfisch> lbragstad: I don't think you did before, if not I wonder what that ID is that you have there  02:44
<lbragstad> mfisch: the id of a fernet token is the fernet token I believe  02:45
<lbragstad> mfisch: are you extracting the token from the logs for something?  02:53
<morganfainberg> lifeless: hmm?  03:08
<morganfainberg> lifeless: either or  03:09
<morganfainberg> lbragstad: we should be hashing the token ID to something anytime you see it in logs. Since tokens are considered privileged data  03:19
<morganfainberg> mfisch: ^ cc  03:19
<lifeless> morganfainberg: pick one; or we will :)  03:20
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object
<morganfainberg> lifeless: make jamielennox talk about federation ;)  03:21
<morganfainberg> Since he does tons of client things.  03:21
<openstackgerrit> Merged openstack/keystone: Revocation engine refactoring
<jamielennox> crap, this is what happened for last pyconau  03:21
<morganfainberg> jamielennox: seriously you want to talk future stuff instead? Happy to let you.  03:22
<jamielennox> i do the user side of all this, and i go back and learn all the server side weirdness  03:22
<jamielennox> this makes more sense  03:22
<jamielennox> morganfainberg: i was talking with gyee earlier, i was going to make him do the policy/endpoint enforcement as separate middleware. you don't want that?  03:24
<lbragstad> morganfainberg: yeah, that's what I was thinking... dolphm just shared that with me recently in a review...  03:30
<lbragstad> morganfainberg: let me dig it up  03:30
<lifeless> jamielennox: what's your email?  03:33
<jamielennox> lifeless: or @gmail.com  03:33
<openstackgerrit> Chenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains
<morganfainberg> lbragstad: yeah. We should fix that.  04:11
<morganfainberg> lifeless: I will do the updates probably tonight-ish  04:12
<lbragstad> morganfainberg: do you mean that you want a hash added to that log message?  04:32
<morganfainberg> We should not log the token ID itself  04:33
<morganfainberg> That is all  04:33
<morganfainberg> If we are hashing it we should indicate we are.  04:33
<morganfainberg> {SHA1} is what we prefix with elsewhere  04:33
<lbragstad> morganfainberg: ok, makes sense  04:39
<openstackgerrit> Merged openstack/keystone: Merge tag '2015.1.0'
<openstackgerrit> Merged openstack/keystone: Merge tag '2014.2'
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
<marekd> jamielennox: hello, sir!  06:10
<openstackgerrit> Merged openstack/python-keystoneclient-saml2: Updated from global requirements
<openstackgerrit> Merged openstack/python-keystoneclient-kerberos: Updated from global requirements
<openstackgerrit> Marek Denis proposed openstack/keystoneauth: Fetch Service Providers urls from auth plugins
<openstackgerrit> Marek Denis proposed openstack/keystoneauth: Properly handle Service Provider in token fixtures
<openstackgerrit> Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation
<openstackgerrit> Merged openstack/keystone: Updated from global requirements
<jamielennox> marekd: hey  07:31
<jamielennox> marekd: i'm happy with it, needs some tests though  07:32
<marekd> jamielennox: great, i will add tests.  07:40
<marekd> for the i explicitly want to store remote-project-id and the rest of the remote-* as this is for remote clouds scoping information. the old parameters would still be needed for the local plugin.  07:43
<marekd> jamielennox: i'd like to make them orthogonal to each other - local plugin and remote.  07:43
<jamielennox> marekd: so we're going to have to do something funky there regarding how we load the plugin from options  07:43
<marekd> jamielennox: why ?  07:44
<jamielennox> however by inheriting BaseAuth those objects already have project_id and project_name etc options on them  07:44
<marekd> i might be missing something, but i'd see it as:  07:44
<evrardjp> good morning everyone  07:44
<marekd> openstack --os-auth-plugin=password (for auth with local cloud) --os-project-id=uuid (local cloud) --os-remote-auth=k2k --os-service-provider=sp1 --os-remote-project-id=<remote project id> (remote cloud) remote token issue/remote server list  07:45
<marekd> remote [command]  07:46
<marekd> jamielennox: makes sense?  07:46
<jamielennox> marekd: so --os-auth-plugin is the thing that describes the object that is going to be loaded, so that is going to have to be k2k  07:47
<jamielennox> otherwise i'm not sure how you'd tell it to load --os-remote-auth  07:47
<marekd> is it a matter of osc or ksa ?  07:48
<jamielennox> we only have one entrypoint for auth loading  07:49
<jamielennox> the only way to do what you're suggesting is to add remote loading functionality to all the local plugins  07:50
<jamielennox> but i don't think that part's a big deal  07:50
<jamielennox> it just means you specify --os-auth-plugin k2k --os-local-auth password  07:50
<marekd> which will make me use the remote cloud by default  07:50
<marekd> and switching to my local one will mean options change.  07:51
<marekd> it'd be easier to be able to have my local cloud as a primary, and switch between remotes by setting another SP_ID  07:51
<jamielennox> ok, but if we specify auth-plugin=password then we need to tell the Password plugin object how to load the k2k remote right? and share that amongst every available plugin type  07:53
<jamielennox> so Password.get_options would need to return remote-auth  07:53
<jamielennox> or are you looking to change it so that we always provide the ability to load two plugins from like auth.load_from_cli_options?  07:54
<marekd> where is the code that prevents me from loading two entry points?  07:54
<jamielennox> so looking at
<jamielennox> to register a plugin's arguments on the CLI we look up the name of the plugin in stevedore from --os-auth-plugin and then hand off to that plugin to do a .get_options() and register it
<jamielennox> so i guess we could add --os-remote-auth to register_argparse_arguments but that means it would show up all the time regardless of the local plugin  07:57
<jamielennox> or if k2k is even a possibility on the cloud  07:57
<marekd> it would, just like os-auth-plugin shows.  07:59
<marekd> shows up  07:59
<marekd> well, to me it'd simply be merging k2k into the standard workflow  08:00
<jamielennox> right, you'd be making k2k a very fundamental part of auth  08:00
<jamielennox> but i mean is there a value of --os-remote-auth besides k2k that we'd ever expect?  08:01
<marekd> nothing except for bursting capabilities.  08:03
<marekd> i really don't see anything special about that - that would become another auth option and if not used, it'd be working as it works today.  08:04
<marekd> do you want me to start a ML thread?  08:04
<marekd> so others can weigh in  08:04
<jamielennox> yea it can't hurt  08:05
<jamielennox> i definitely see where you are coming from  08:05
<jamielennox> i had just always considered it slotting in as another plugin rather than a permanent change to auth  08:05
<marekd> me too at the beginning, but later i concluded it may be easier to make it the way i am proposing. If we make k2k another auth plugin then we will need to work on hierarchical plugins, and something (I think) you proposed where K2K accepts a local auth plugin as a parameter doesn't make much sense to me.  08:07
<jamielennox> it will only affect that last review that is currently out of date, the plugin implementation will still be required as is  08:08
<jamielennox> we will still need to figure out some way to have a single plugin object  08:09
<marekd> so you are against handling two auth plugins at the same time - one for local and another for remote clouds ?  08:10
<jamielennox> there are so many places that would cause problems  08:10
<jamielennox> looking through session there are a bunch of places we take auth= as a parameter  08:11
<marekd> ok, so i don't know how to make a robust hierarchy of the plugins, especially in terms of options.  08:11
<jamielennox> right, the options are the problem  08:11
<marekd> jamielennox: another thing i will be trying to push will be handling many remote clouds at the same time. so for each remote cloud i'd like to be able to define a set of scoping information (project, domain, trust, etc.), so i can later ideally say openstack remote server list --sp=sp1, openstack remote server list --sp=sp2  08:12
<jamielennox> marekd: sure, that's an osc thing and what os-client-config tries to solve  08:13
<jamielennox> sorry, re-reading i think it's a CLI thing  08:13
<marekd> it's a matter of options grouping.  08:14
<marekd> in the end i am afraid we will need to add some fundamental changes in the way we handle auth....  08:15
<jamielennox> ok, i don't think i'm following you - why? in your example you'd still be executing each command with one set of auth options  08:15
<marekd> it's the auth plugin that exposes options - project_id, domain_id etc etc  08:16
<marekd> so project_id today is for my local cloud.  08:16
<marekd> now i need a smart way to distinguish whether project_id is for remote_cloud_1 or remote_cloud_2  08:16
<marekd> ok, let me rephrase it  08:17
<marekd> you can set up your env and store all the information there so ksc/ksa will use them for scoping the token  08:17
<marekd> OS_PROJECT_NAME etc  08:17
<marekd> so in the cli you can use openstack server list  08:17
<marekd> now we are talking about adding something like OS_REMOTE_PROJECT_ID so this is used for scoping the token in the remote cloud.  08:18
<marekd> but that makes us limited to using k2k with only one remote cloud  08:18
<jamielennox> ... erg, i have not figured out how to make this work with one remote cloud.... i haven't even considered multiple  08:19
<marekd> i'd like to be able to set up all my remote clouds and later only type: openstack remote --sp=SP1 server list (one set of scoping information would be used) and right after that type: openstack --sp=sp2 remote server list  08:19
<jamielennox> so i think that is an OCC problem  08:20
<jamielennox> because that is a question of switching auth options  08:20
<jamielennox> have you seen OCC?  08:20
<marekd> yep, but it's the auth plugin (BaseAuthPlugin) that exposes the options like project_id etc, right?  08:20
<marekd> #link ?  08:21
<jamielennox> ok, so that's mordred's thing about managing multiple auths in a yaml file rather than ENV and CLI  08:21
<jamielennox> so you'll have everything in a file in home and you name your auth options so you can do openstack --cloud HP project list etc  08:21
<marekd> alright, that's great  08:22
<marekd> yet, even for one remote cloud we will need options like project_id and remote_project_id as we need scoping info for the local cloud, for the local token, and scoping info for the remote cloud.  08:22
<marekd> that's why i proposed remote-* options in
<jamielennox> right, so i don't have an answer for how we chain through multiple  08:23
<jamielennox> so an auth flow like local cloud -> remote cloud -> public cloud  08:23
<marekd> what's the difference between remote and public cloud? from your perspective that can be equal  08:24
<jamielennox> marekd: i mean the relationships  08:24
<jamielennox> so get local auth, k2k to remote cloud, k2k to public  08:24
<jamielennox> so you'd need --remote-remote-project-id  08:25
<marekd> and that's why i proposed that  08:25
<jamielennox> that is going to be a much larger problem  08:26
jamielennoxand not something solved by passing around 2 plugins08:27
marekdeven in a hierarchy  ?08:28
jamielennoxso a command can only be authed to one place, so a hierarchy of 2 is not that different to a hierarchy of 1008:28
jamielennoxas in it will be a chain and not a tree08:29
jamielennoxit's just a matter of loading them08:29
jamielennoxit's something i've always punted on for other v3 plugins - like how to do mutliple auth methods in v308:29
*** lhcheng has quit IRC08:29
*** woodster_ has quit IRC08:31
marekdok, so i don't know how to handle that all.....08:31
jamielennoxit's also a good argument for what dtroyer has been saying about how the code for loading plugins should be seperate from the plugins themselves08:32
jamielennoxbecause that way we could a 'compexk2k' plugin type that still loads the same k2k plugin internally but presents its options in a way that can be nested08:32
* jamielennox hand waves what that would be08:33
[08:34] <marekd> so it's an OSC thing?
[08:34] <jamielennox> no, we were talking about a library that would be somewhere in the middle
[08:34] <marekd> jamielennox: ok, so i think working on the existing k2k patches in a current shape doesn't make much sense
[08:34] <jamielennox> because i don't want this to only be consumed by OSC, i want there to be a standard way to load plugins from CONF files and from other CLIs so it would need to be reusable
[08:36] <jamielennox> i've no idea how to write all this in a way that is compatible with current code :(
[08:37] <jamielennox> marekd: i would continue the reviews around the k2k plugin itself and put a raise NotImplemented in the cls.load_from_options() method
[08:37] <jamielennox> and get_options()
[08:37] <jamielennox> because the structure of the plugin itself is correct and it will allow us to test k2k from python scripts
[08:37] <marekd> yeah, i am trying to figure out next steps for making this happen - who to talk with etc.
[08:38] <jamielennox> we just don't have a way to load it from the cli or anything
[08:38] <jamielennox> i guess i'd ask the OSC guys what their ideal CLI interface would be and explain the nesting
[08:39] <jamielennox> then we can see if it's possible to match it
[08:39] <jamielennox> I will have another go at separating the loading logic from the plugin itself
[08:40] <jamielennox> i haven't had a lot of enthusiasm for that because it's going to make compatibility a nightmare
[08:41] <jamielennox> because then we can have a 'simplek2k' option which is just one cloud and continue to come up with ideas for what 'complexk2k' looks like
[08:41] <marekd> as far as i can tell we have a problem with making simplek2k happen.
[08:42] <marekd> and i think with ksa we can not care about backward compatibility?
[08:42] <jamielennox> we don't care from ksa, but we were looking to make ksc rely on ksa and move as much as possible over
[08:43] <jamielennox> and we can't break ksc
[08:44] <jamielennox> it might be the only way to do that would be to leave the code in ksc for a while and look to deprecate it as fast as possible
[08:44] <marekd> ok, so for blanking load_from_options() and get_options() - i can still accept remote-* like parameters in the Keystone2KeystoneAuthPlugin.__init__() ?
[08:45] <jamielennox> i don't think you need to from __init__
[08:45] <jamielennox> you can just use the normal params
[08:45] <jamielennox> I mean separate the use case of loading from CLI and what you'd use if you were writing a script
[08:45] <marekd> oh, so you want to get a local token (scoped), and in another step pass that token and scoping info would be for remote cloud.
[08:46] <jamielennox> if you do K2KAuth(local_plugin, project_id=XXX) that still makes sense without the remote-* prefix
[08:46] <jamielennox> oo, i gotta run
[08:46] <marekd> project_id is for remote or local cloud?
[08:46] <marekd> sure, thanks.
[08:46] <marekd> i will ping you more.
[08:46] <jamielennox> it would be for remote
[08:47] <marekd> so, a local token would already need to exist and be passed from external source...
[08:47] <jamielennox> it would be the standard scoping info for the plugin in the remote cloud
[08:47] <jamielennox> a local plugin
[08:47] <marekd> that would still make TWO OSC runs.
[08:48] <jamielennox> separate the OSC case from what the python case looks like
[08:48] <jamielennox> we can make the OSC options different to the __init__ options
[08:48] <jamielennox> we can make load_from_options do whatever we like - it just so happens that most plugins up until now have been fairly simple and just need to pass everything to __init__
[08:49] <jamielennox> do you get what i mean by that?
[08:50] <marekd> more or less.
[08:54] <jamielennox> marekd: so if you were operating plugins directly from your own python script we could nest this as far as we like
[08:54] <jamielennox> a = Password(auth_url, ...)
[08:54] <jamielennox> b = K2K(a, service_provider='XX', project_id='YY')
[08:55] <jamielennox> c = K2K(b, service_provider='AA', project_id='BB')
[08:55] <jamielennox> d = K2K(c, service_provider='CC', project_id='DD')
[08:56] <jamielennox> all of the stuff regarding options and loading is just a way of constructing those patterns that can be used from the CLI or a CONF file
[08:57] <jamielennox> the K2K plugin you've got up for review looks good in terms of this pattern, we just need to find a better way of doing the loading part
[08:58] <marekd> jamielennox: sure.
[08:58] <jamielennox> there's no requirement that the options are all named exactly the same between get_options() and __init__
[08:58] <jamielennox> and that's why not all params in __init__ are in get_options()
[09:01] <marekd> ok, i need to run too. cheers.
<openstackgerrit> Dave Chen proposed openstack/keystone-specs: query configuration via web API
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: Switch keystone over to oslo_log versionutils
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator
[11:24] <dstanek> samueldmq: morning
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Tuple constants in revocation engine
[11:44] <samueldmq> dstanek, hi
<samueldmq> dstanek, we do need functional tests, see
[11:45] <samueldmq> dstanek, :(
[11:56] <marekd> samueldmq: everybody needs them!
[12:03] <samueldmq> marekd, ++ :(
[12:03] <samueldmq> marekd, in that case, our internal test passes ... :(
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: Switch keystone over to oslo_log versionutils
[12:40] <rodrigods> dolphm, ping
[13:22] <lbragstad> for the mid-cycle, I assume most will be flying into Boston Logan since it's close to Boston University?
[13:34] <morganfainberg> lbragstad: dunno
[13:34] <lbragstad> morganfainberg: ok, just curious. Google is telling me Boston Logan is 5.7 miles from BU
[13:34] <lbragstad> which doesn't seem too bad
[13:37] <morganfainberg> that is probably the place to fly into... unless you want to hit NYC up before heading up to Boston
[13:37] <morganfainberg> or something
[13:49] <dstanek> lbragstad: morganfainberg: now I have to pick a hotel - seems like the group may be spread out quite a bit
[13:50] <lbragstad> dstanek: I'm really leaning towards the BU dorms option
[13:50] <lbragstad> dstanek: but I need to sync with ayoung on that again
[13:50] <lbragstad> dstanek: the walking distance part would be awesome
[13:51] <lbragstad> dstanek: and I did something similar to that when I lived in Nashville (I stayed in the dorms at Vanderbilt) and it was a really cool way to experience the city/college
<openstackgerrit> Rodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation
<openstackgerrit> Rodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec
<openstackgerrit> Diane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
[16:40] <lbragstad> ayoung: o/ question on the dorms at BU
[16:40] <ayoung> lbragstad, fire 'way
[16:40] <lbragstad> do I have to reach out to someone to get one reserved?
[16:40] <lbragstad> like at BU?
[16:42] <lbragstad> ayoung: ^
[17:07] <mordred> ok - so, I know I've asked this again, but someone help me out with my brainhole here
[17:07] <mordred> if I'm a normal user in a normal install of a cloud with keystone v3
[17:08] <mordred> I can create users and projects associated with a domain
[17:08] <mordred> do _I_ create roles? or does my cloud admin create roles?
[17:09] <mordred> currently I'm mapping out create_endpoint, create_service, create_domain as things a cloud admin does, and create_user, create_project as things a non-admin user and an admin user might do
[17:10] <stevemar> mordred, create role is probably a cloud admin thang
[17:12] <mordred> what about role grant/revoke?
[17:18] <samueldmq> mordred, hi
[17:18] <mordred> hi samueldmq !
[17:18] <samueldmq> mordred, I'd say CRUD user/groups would be domain admin
[17:18] <mordred> samueldmq: right - but not cloud admin
[17:18] <samueldmq> mordred, regarding roles, I'd say every admin could grant roles
[17:18] <samueldmq> mordred, ++
[17:18] <samueldmq> mordred, cloud admin shouldn't touch people's domains
[17:18] <mordred> samueldmq: so as a person who gets an account on a cloud that gets me my own domain, I should be able to create users and projects in that domain and to give them roles
[17:19] <samueldmq> mordred, exactly
[17:19] <mordred> now - I'm assuming I cannot grant the global cloud admin role to any of my users ...
[17:19] <samueldmq> mordred, btw... the way we define roles and what they can do will be improving soon ... with dynamic policies
[17:20] <mordred> oh good. I was worried that it wasn't complex enough
[17:20] <samueldmq> mordred, I'd suggest you to create different roles for cloud_admin, domain_admin and project_admin
[17:20] <samueldmq> mordred, (remembering other services do not know about domain)
[17:21] <mordred> well - I'm working on a general library
[17:21] <samueldmq> mordred, in dynamic policies, we will be adding some relationship between roles ... so let's say a domain_admin cannot grant cloud_admin role, and so on
[17:21] <mordred> so I don't actually have a cloud I'm running in this case
[17:21] <samueldmq> mordred, you should be able to delegate a subset of your roles
[17:21] <mordred> as much as trying to make sure that I expose the right things into ansible modules
[17:22] <samueldmq> mordred, nice
[17:22] <mordred> samueldmq: when I grant a role to a user, I am granting it to a user for a given project, right?
[17:22] <samueldmq> mordred, or for a given domain
[17:22] <mordred> oh - so I can grant a role for a user in a project scope, or for a user in a domain scope, yeah?
[17:22] <mordred> I grok now
[17:23] <samueldmq> mordred, exactly, that's what we call role assignment
[17:23] <samueldmq> mordred, that is composed by (actor, target, role), where actor in (user, group) and target in (domain, project)
[17:25] <mordred> what's a group?
[17:25] <samueldmq> mordred, group of users
[17:25] <mordred> excellent. so is that something a domain admin can create too?
[17:25] <samueldmq> mordred, so granting a role assignment to a group has the same effect as granting to every user on that group separately
[17:26] <samueldmq> mordred, yes, as users, they are at the same level (domain), representing identity :)
[18:09] <ayoung> lbragstad, I'll let the BU administrator know that you are interested.
[18:10] <lbragstad> ayoung: ok, am I supposed to reach out to them?
[18:10] <ayoung> lbragstad, I'll find out
[18:10] <lbragstad> ayoung: thanks!
[18:11] <samueldmq> ayoung, I have something to discuss with you related to getting policy per endpoint
[18:11] <samueldmq> ayoung, let me know when you have some minutes
[18:11] <ayoung> samueldmq, ok,  2 minutes
[18:12] <samueldmq> ayoung, you have 2 minutes (in this case I just wasted 1 already) or are you asking me to wait 2 mins ? :)
[18:14] <ayoung> samueldmq, nah, I just had to finish up another task...what is up?
[18:15] <samueldmq> ayoung, you, morganfainberg and I talked about endpoint_url uniquely identifying an endpoint a few days ago ..
[18:15] <ayoung> samueldmq, right
[18:15] <samueldmq> ayoung, however .. a given url can be mapped in several endpoints
[18:16] <samueldmq> ayoung, in a devstack installation localhost:9292 maps to 3 glance endpoints
[18:16] <samueldmq> ayoung, for public, internal and admin interfaces
[18:17] <samueldmq> ayoung, so GET /policies?endpoint_url=<encoded_url> could return a set of policies, instead of a single one
[18:22] <ayoung> samueldmq, so you are concerned that we might set different policy for different endpoint_ids, and then a single URL points to multiple endpoints, as we can't determine which to use?
[18:22] <samueldmq> ayoung, exactly
[18:26] <ayoung> samueldmq, ok, so let's say we do what you say, we still have the problem of selecting the right policy for the request
[18:26] <ayoung> the endpoint does not know its own endpoint id
[18:27] <ayoung> so, what we are really saying is we need to assign policy per URL, not per endpoint id
[18:27] <ayoung> and I think we will all agree to that.
[18:27] <samueldmq> ayoung, yes!!! and that will be easier for the CSM to handle endpoint per URL (imho)
[18:27] <ayoung> that would be a constraint on the endpoint_policy API:  multiple endpoints that share the same URL cannot have different policies assigned
[18:28] <samueldmq> ayoung, CRUD on policies per URL
[18:28] <samueldmq> ayoung, ++
[18:28] <ayoung> so, what happens if someone tries to assign different policies?  I would say "last one wins"
[18:28] <samueldmq> ayoung, but how to migrate ? there are interesting questions to answer
[18:28] <ayoung> the alternative is report an error
[18:29] <ayoung> samueldmq, we don't have a "time it was assigned" value, do we?
[18:29] <samueldmq> ayoung, checking ..
[18:29] <ayoung> so we chose one at random and make that the policy for all the endpoints for the same URL
[18:30] <samueldmq> ayoung, no we don't
[18:30] <ayoung> samueldmq, does the policy have a "last updated time on it"?
[18:30] <ayoung> guessing no
[18:30] <samueldmq> ayoung, we should be able to CRUD policies per namespace, it doesn't matter what that namespace is (domain, project, endpoint, url, parents or dog names)
[18:31] <ayoung> samueldmq, yeah, just a question of what to do for migrations if things are broken.
[18:32] <ayoung> that has some interesting ....
[18:33] <ayoung> lets stick to endpoints for now.  I think that we need to make all endpoints with the same URL have the same policy.  We need to figure out how to enforce that
<openstackgerrit> Merged openstack/keystone: Switch keystone over to oslo_log versionutils
[18:38] <ayoung> david8hu, sorry to -2, but merge that doc into the namespaced roles spec if you can, or the hierarchical roles spec...I think it draws a little bit from each
[18:38] <samueldmq> ayoung, yes .. do you think we should add the capability to CRUD based on the URL ?
[18:38] <ayoung> samueldmq, probably
[18:38] <samueldmq> ayoung, or keep it as it is for now .. and enforce that constraint (same url -> same policy)
[18:39] <ayoung> samueldmq, CRUD would be more useful, I think
[18:39] <samueldmq> ayoung, ++
[18:39] <samueldmq> ayoung, and we could deprecate the current policy CRUD ..
[18:40] <david8hu> ayoung, split it into 2, then merge?  I thought it gives a little more focus as separate spec:)
[18:45] <ayoung> david8hu, I want is_admin to die
[18:45] <david8hu> @ayoung, any suggestions?
[18:46] <david8hu> @ayoung, now is the time to do it right :)
[18:46] <ayoung> david8hu, namespaced roles is the most direct competition for your spec
[18:46] <david8hu> Do you have a pointer?
[18:46] <ayoung> you are essentially describing a subset of namespacing roles,   with compute:admin  etc...
[18:46] <ayoung> yeah one sec
[18:48] <gyee> ayoung, david8hu, commented on the spec, can't we take baby steps?
[18:49] <ayoung> gyee, I think that he's addressing the same problem as Henrynash was targeting with "Domain scoped roles."  If you say that all roles should be namespaced, then domain becomes just another namespace
[18:50] <ayoung> gyee, and that is the heart of what david8hu is proposing, just that I want to keep Henry's spec as the canonical version
[18:50] <gyee> ayoung, domain owned roles are different than service admin segregation though
[18:50] <ayoung> gyee, they can be handled by the same mechanism
[18:50] <gyee> I would think they are orthogonal
[18:51] <ayoung> gyee, and, it is also hierarchical roles
[18:51] <gyee> ayoung, I agree the end goal is dynamic policies
[18:51] <gyee> but we can take incremental improvements
[18:51] <ayoung> gyee, heh, I am trying
[18:52] <david8hu> @ayoung, I am solving a slightly different problem.  Say once unified policy goes through, having context_is_admin for global is a disaster.
[18:52] <gyee> context_is_admin needs to disappear eventually
[18:53] <ayoung> david8hu, so, splitting admin by service is only one way to divvy it up
[18:53] <ayoung> so...I think you are on the right general track, just have not gone far enough in thinking it through...
[18:55] <samueldmq> ayoung, an endpoint with several interfaces should still be a single endpoint which has several interfaces
[18:56] <samueldmq> ayoung, and not different endpoint objects (different ids) that only differ in 'interface' attribute
[18:56] <gyee> samueldmq, not in v3
[18:56] <gyee> endpoint ids are different
[18:56] <samueldmq> gyee, why ?
[18:57] <gyee> samueldmq, an endpoint is just a set of attributes
[18:57] <gyee> URL doesn't make an endpoint unique
[18:57] <samueldmq> gyee, why do we need, let's say for glance, have 3 different endpoints only differing in the interface
[18:57] <samueldmq> gyee, what does a URL identify ?
[18:57] <samueldmq> gyee, does it uniquely identify anything ?
[18:57] <david8hu> @ayoung, are you suggesting context_is_admin should be global?  Currently, each service has its own context_is_admin policy, even though the definition might be the same.
[18:58] <gyee> samueldmq, no, url is just a url
[18:58] <gyee> endpoint is uniquely identified by its id right now
[18:58] <david8hu> @ayoung  I mean in the context of unified policy.
[18:58] <ayoung> david8hu, I am saying context_is_admin should die a fiery death
[18:58] <samueldmq> gyee, so we want to CRUD policy per URL
[18:59] <ayoung> david8hu, rules should be written like this:
[18:59] <ayoung> " namespace:api"  :" scope and role "
[18:59] <samueldmq> gyee, the motivation behind this is that CMS already knows the URL a priori when configuring the cloud, does that make sense ?
[18:59] <ayoung> scope is the project or domain matching
[18:59] <ayoung> role is hierarchical
[19:00] <gyee> samueldmq, a url can be many things, in production, it is likely a VIP
[19:00] <ayoung> gyee, that is not the answer, though
[19:00] <ayoung> the reason is that different operations require different endpoints for hysterical raisons
[19:01] <ayoung> admin versus main for v2 in Keystone for example
[19:01] <ayoung> and, the assumption was that you could run those services on different machines if necessary
[19:01] <gyee> ayoung, there are good reasons for them
[19:01] <gyee> for example, infra services can use internal URLs because they are more efficient
[19:02] <gyee> they don't have to go through firewall
[19:02] <gyee> rate limit, and a bunch of other stuff
[19:02] <ayoung> but you could have the internal and external endpoints served by the same URL out of the service catalog
[19:02] <samueldmq> gyee, but they should all have the same policy at the end .. is that right ?
[19:03] <gyee> this also offers deployment flexibility, for example, we can split Keystone out into two groups
[19:03] <gyee> the admin group APIs hits are less frequent than the public APIs hits
[19:03] <gyee> therefore, I can optimize on the public APIs
[19:04] <ayoung> samueldmq, so, one thought:  the endpoint itself could request "list endpoints for URLs" and then choose which endpoint id to use
[19:04] <ayoung> Or even, get the whole service catalog, look through, find the URLs that match, and then pull out the appropriate endpoint ID
[19:05] <gyee> so in production, services likely shared a single public endpoint
[19:05] <ayoung> it would need to know how to distinguish between two endpoints, though
[19:05] <gyee> sorry I mean single public URL
[19:06] <samueldmq> ayoung, how do we filter per endpoint id ? I think this is the thing we were trying to stay away from ..
[19:07] <samueldmq> ayoung, if the CMS will need to configure the endpoint_id, it shouldn't need to configure the url as well
[19:07] <ayoung> samueldmq, nah, it would still set the URL
[19:07] <ayoung> just thinking
[19:07] <samueldmq> ayoung, gyee we need to synchronize on this as well .. I saw there is a token endpoint binding thing
[19:07] <david8hu> @ayoung, unified policy spec alone won't address " namespace:api"  :" scope and role ".  It's just a merge of policy policies from OpenStack Services.  Probably, need another spec to get rid of context_is_admin.
[19:08] <samueldmq> ayoung, gyee that is based on the endpoint id, right ?
[19:08] <ayoung> samueldmq, lets say we could make no changes to the server right now...but we could to Middleware, we'd do what I just said
[19:08] <pece> Which version of python-openstackclient is compatible with Juno?
[19:08] <ayoung> ie.  map url to endpoint in middleware
[19:08] <gyee> samueldmq, it can be based on anything, it's just a general policy rule
[19:08] <gyee> endpoint_id, service type, service name, region, etc
[19:09] <samueldmq> gyee, ok I need to review that work to have a better opinion on that point :)
[19:09] <ayoung> samueldmq, and then middleware could use  the current API to fetch policy by the  endpoint_id it pulled out of the service catalog
[19:10] <ayoung> samueldmq, probably the best option is to make it explicit, which means assigning policy per URL, not endpoint, but, that is better long run anyway
[19:10] <samueldmq> ayoung, how does middleware know the endpoint id
[19:10] <dtroyer> pece: any recent one should be, we try to keep things compatible for all supported releases
[19:10] <samueldmq> ayoung, the service catalog may contain  several endpoints for, let's say, nova
[19:10] <gyee> samueldmq, it's provisioned as part of bootstrap
samueldmqgyee, yes .. but I need to know exactly what CSM will put into the middleware config19:11
david8hu@ayoung Getting rid off context_is_admin will need additional collboration effort with other service.  Doable, but is going to be massive.  For example, nova has a is_admin chk.  It needs to be retrained.19:11
samueldmqgyee, the endpoint_id specifically ?19:11
*** iamjarvo has joined #openstack-keystone19:11
*** iamjarvo has quit IRC19:11
pecedtroyer, thx ... I meant compatible in requirements.txt means19:11
gyeesamueldmq, we don't any control over the deployment options19:12
*** iamjarvo has joined #openstack-keystone19:12
*** iamjarvo has quit IRC19:12
samueldmqgyee, sure .. but we need to define what the options are19:12
dtroyerpece: ah, that's totally different, you'd have to look at release dates, we didn't intentionally time a release to match juno, but there should be one close19:12
*** iamjarvo has joined #openstack-keystone19:12
*** iamjarvo has quit IRC19:13
samueldmqgyee, and we are adding a new option, which is dynamic fetch of policies... so we need to tell the deplyer how to enable it19:13
dtroyerpece: from my notes, 1.0.1 should be close19:13
gyeesamueldmq, see
*** iamjarvo has joined #openstack-keystone19:13
gyeewe expect the endpoint_id to be configured as part of auth_token middleware configuration19:13
*** iamjarvo has quit IRC19:14
pecedtroyer, ok thank you :)19:14
samueldmqgyee, yes that's the point19:14
*** iamjarvo has joined #openstack-keystone19:14
*** iamjarvo has quit IRC19:14
gyeesamueldmq, it would be a global option, just like any oslo options19:14
samueldmqgyee, morganfainberg, ayoung and I had agreed that defining the URL would be better to CMS than the endpoint id19:14
*** iamjarvo has joined #openstack-keystone19:15
samueldmqgyee, since it already knows the URL a priori19:15
*** iamjarvo has quit IRC19:15
gyeein your case, it would probably be a new option in oslo.policy19:15
samueldmqgyee, but it looks like it is not going to work19:15
*** iamjarvo has joined #openstack-keystone19:15
samueldmqgyee, no, ksmiddleware fetches the policy19:15
*** iamjarvo has quit IRC19:15
gyeesamueldmq, you have the same complexity with url19:15
samueldmqgyee, oslo policy only does the enforcement (at least for now)19:15
gyeeurl changes19:16
*** iamjarvo has joined #openstack-keystone19:16
*** iamjarvo has quit IRC19:16
samueldmqgyee, if we are going to have a config option for endpoint_id, we should use that in my case as well19:16
*** iamjarvo has joined #openstack-keystone19:17
samueldmqgyee, if we go with url (not sure this works) you should use that as well19:17
*** iamjarvo has quit IRC19:17
samueldmqgyee, my point is that we should be consistent between these two features, since we need something that maps to the same19:17
*** iamjarvo has joined #openstack-keystone19:17
*** iamjarvo has quit IRC19:17
*** lastops has joined #openstack-keystone19:17
gyeesamueldmq, sure if we are doing policy enforcement via middleware19:17
*** iamjarvo has joined #openstack-keystone19:18
*** iamjarvo has quit IRC19:18
samueldmqgyee, does it make sense to have different policies for different endpoints (which only differ in the interface attribute) ?19:18
*** iamjarvo has joined #openstack-keystone19:18
*** iamjarvo has quit IRC19:19
*** iamjarvo has joined #openstack-keystone19:19
*** iamjarvo has quit IRC19:19
*** iamjarvo has joined #openstack-keystone19:20
*** iamjarvo has quit IRC19:20
gyeesamueldmq, sure it makes sense19:20
*** iamjarvo has joined #openstack-keystone19:21
*** iamjarvo has quit IRC19:21
*** iamjarvo has joined #openstack-keystone19:21
gyeeyou can't tell what's running behind it by just looking at the url19:21
*** iamjarvo has quit IRC19:22
samueldmqgyee, so that *could* be the same url or not19:22
samueldmqgyee, so a url may define a group of endpoints19:22
*** iamjarvo has joined #openstack-keystone19:22
*** henrynash has joined #openstack-keystone19:22
*** ChanServ sets mode: +v henrynash19:22
gyeeit could be a bunch of services running behind a proxy for all we know :)19:22
samueldmqgyee, and providing a CRUD of policies which can be bound to a URL makes sense as well19:23
gyeesamueldmq, service is a group of endpoints :)19:23
samueldmqgyee, yes but in a public cloud env we need something between the service and endpoints19:23
gyeeand region is a group of services19:23
samueldmqgyee, a group of endpoints which are not all the endpoints of a service19:24
gyeeyes, we do have endpoint group too19:24
*** ankita_wagh has quit IRC19:24
samueldmqgyee, how do we group endpoints ? what is that ?19:24
gyeebetter yet, dynamic endpoint groups19:25
samueldmqayoung, let me know what you know :)19:25
gyeesamueldmq, dynamic endpoint groups is just a set of filters19:25
gyeebased on region, interface, and service19:25
samueldmqgyee, and those filters have ids ?19:25
gyeesamueldmq, yes, endpoint group have unique ids19:26
*** ankita_wagh has joined #openstack-keystone19:26
samueldmqgyee, hmm ... this is opening my mind I think19:26
samueldmqgyee, the policy fetch should be something more generic19:26
*** ankita_wagh has quit IRC19:26
samueldmqgyee, you could ask for the policy for a region/service/endpoint/whatever makes sense19:26
samueldmqgyee, and that would be configurable at middleware ... (I think this is kind of what you are doing for the token binding)19:27
samueldmqgyee, makes sense ? ^19:27
gyeesamueldmq, ++ on flexibility19:28
samueldmqgyee, great19:28
*** ankita_wagh has joined #openstack-keystone19:28
samueldmqayoung, morganfainberg ^19:28
gyeesamueldmq, about the endpoint hierarchy region->(sub-region)*->service->endpoint19:29
gyeeI thought we also allow an override mechanism, no?19:29
samueldmqgyee, where we get the most specific policy, right ?19:30
*** lhcheng has quit IRC19:30
gyeesay if a policy is set on region, it got inherited down, and can be overridden at the child19:30
samueldmqgyee, ++19:30
*** stevemar has joined #openstack-keystone19:30
*** ChanServ sets mode: +v stevemar19:30
samueldmqgyee, but in the case there is a policy for the endpoint ksmiddleware is in, and the deployer has explicitly set the region policy to be used19:31
samueldmqgyee, we should use the region one19:31
samueldmqgyee, on the other hand, if he has set ksmiddleware to fetch the policy for that endpoint and there is no policy directly associated to it19:31
samueldmqgyee, look at its service -> subregions -> region until we find a valid one19:31
gyeesamueldmq, I don't think we have a use case for setting the region id in middleware right now19:33
gyeemaybe some sort of customized region API proxy or something, but that's too much of an imagination :)19:34
samueldmqgyee, but we allow policies per region, so I think we should allow that option as well19:34
samueldmqgyee, we allow you to get a policy for anything you can bind one to (endpoint, service, region)19:35
samueldmqgyee, and we apply endpoint hierarchy in the case we don't find a policy associated to the direct entity that was defined (endpoint -> service -> region)19:36
gyeesamueldmq, isn't that how the endpoint policy behaves today? Walk up the hierarchy till you find a policy19:39
samueldmqgyee, I don't know .. maybe it is, I will check19:41
samueldmqgyee, however ... step back .. should we only allow the deployer to define the endpoint_id and then get its policy19:41
samueldmqgyee, without adding the options to explicitly get policies per service/region at middleware?19:42
samueldmqgyee, (I am just trying to make sure we have a good and consistent proposal)19:42
gyeesamueldmq, yes, endpoint_id should be adequate for now19:43
samueldmqgyee, ok so in a few words ... endpoint_id instead of URL (which does not uniquely identify an endpoint)19:44
openstackgerritLance Bragstad proposed openstack/keystone: Fix spelling in configuration comment.
samueldmqgyee, I will revisit this with ayoung and morganfainberg19:44
gyeesamueldmq, sure19:45
samueldmqgyee, nice thanks19:45
gyeesamueldmq, no thank you! :)19:46
*** ayoung has quit IRC19:46
*** iamjarvo has quit IRC19:50
*** aix has joined #openstack-keystone19:53
*** e0ne has joined #openstack-keystone20:00
*** iamjarvo has joined #openstack-keystone20:01
dstaneklooking at rooms now20:05
*** lhcheng has joined #openstack-keystone20:09
*** ChanServ sets mode: +v lhcheng20:09
*** lhcheng_ has joined #openstack-keystone20:12
*** roxanaghe has quit IRC20:13
*** lhcheng has quit IRC20:15
*** lastops has quit IRC20:18
*** ayoung has joined #openstack-keystone20:26
*** ChanServ sets mode: +v ayoung20:26
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint
*** timcline has quit IRC20:29
*** radez is now known as radez_g0n320:32
*** lhcheng_ has quit IRC20:34
*** timcline has joined #openstack-keystone20:34
*** e0ne has quit IRC20:35
*** hemna is now known as hemnafk20:38
*** stevemar has quit IRC20:38
*** dguerri is now known as dguerri`20:46
mordredare there any keystone v3 enabled devstacks yet?20:51
*** stevemar has joined #openstack-keystone20:52
*** ChanServ sets mode: +v stevemar20:52
lbragstadmordred: I think dolphm was interested in that ^20:52
*** dguerri` is now known as dguerri20:52
mordredlbragstad: ossum20:52
mordreddolphm: I'm about to write some fairly blind code in shade to deal with keystone v3 and would love to have a good way to have functional tests ... so let me know if there are things I can help with wrt keystonev3 and devstack20:52
lbragstadmordred: actually, I think we're all interested in it :) but I want to say I heard someone was trying to get things wired up (I can't remember who that was)20:53
mordredyah. interested in and working on are two different things :)20:53
richmmordred: I think jamielennox was working on this20:53
*** zzzeek has joined #openstack-keystone20:54
bknudsonv3 is used in a devstack setup20:56
bknudsonfor the auth_token middleware20:56
mordredbknudson: does that mean I can create domains in a devstack?20:56
bknudsonthere's a lot of code that makes the mistake of requiring configuring the auth version rather than doing discovery20:57
bknudsonmordred: you can create domains in devstack20:57
mordredbknudson: neat! that's all I need20:57
mordredI mean, I want to create all the things - but I figure if the cloud groks domains it'll grok the other things too20:58
openstackgerritMerged openstack/keystone: Use lower default value for sha512_crypt rounds
bknudsonright now you might have to override the --os-identity-api-version 3 when running openstack add domain20:58
bknudsonopenstack --os-identity-api-version 3 --os-auth-url domain create ldap20:58
mordredI should not need to20:58
bknudsondoes devstack create a clouds.yaml?20:59
*** spandhe has quit IRC21:00
*** radez_g0n3 is now known as radez21:01
*** belmoreira has quit IRC21:04
*** ayoung has quit IRC21:08
*** topol has quit IRC21:12
*** pnavarro_ has joined #openstack-keystone21:17
gyeebknudson, come to think of it, why can't we default os-identity-api-version to 3?21:20
bknudsongyee: I can't think of a reason that it shouldn't be 3.21:20
gyeebknudson, lets do this!21:20
bknudsonI think that's in the openstack CLI21:20
gyeeyeah, lemme submit a patch to see what breaks21:21
bknudsongyee: the list of what works might be shorter.21:21
stevemarbknudson, it doesn't just yet...21:22
gyeewell what do ya mean?!21:22
bknudsonstevemar are there deployments out there that don't have v3 enabled?21:22
bknudsonor at least enough of them that we shouldn't default to v321:23
gyeebknudson, stevemar, sheeit! the params are not backward compat21:24
bknudsonthat's what I was worried might happen21:24
gyeeso with v3, I can't just specify --os-tenant-name and get away with it21:24
bknudsonmaybe there's some kind of shim we could do21:24
bknudson(like support --os-tenant-name)21:24
bknudsonwe need to figure out some way to be able to change the default to 3, otherwise we're stuck forever21:25
*** radez is now known as radez_g0n321:25
gyeebknudson, ++21:26
bknudsonmaybe have a --version=v3compat that looks just like v2 but converts everything to v3?21:26
gyeewe should make it smarter21:26
gyeeso if version is not specified and --os-tenant-name is there, behave like v321:27
gyeeI think jamielennox created a version independent auth plugin just for that purpose21:27
gyeewe should be able to use the same logic for openstack cli21:27
bknudsonopenstack cli uses the auth plugins21:27
gyeebknudson, what I mean is we need to map the commands as well21:28
gyeetenant list -> project list21:28
bknudsony, so how to do that?21:28
bknudsonwe have a tenant list command that just does project list?21:28
bknudsonand spits out a deprecation warning21:29
bknudsonmaybe it's not even listed in the help text21:29
gyeeright we need to canonicalize the commands21:29
gyeein the same way as accessinfo perhaps21:29
bknudsony, seems like openstack CLI is working at the wrong level. there should be an abstraction layer.21:30
gyeebknudson, yeah I agree21:30
bknudsonuser doesn't care if they're doing v2 or v3.21:30
*** zzzeek has quit IRC21:30
gyeeuser cares about UX21:31
gyeedevelopers care about flexibility21:31
bknudsonthey just want to create a project or tenant... they don't care if it uses v2 or v3.21:31
bknudsonmaybe we can get a list of the identity v2 commands21:32
bknudsonand a list of the v3 commands21:32
bknudsonand then create v2 compat commands in v321:33
bknudsonlike tenant list21:33
bknudsonand hopefully we can have the v2 compat commands not show up in help and print a deprecated message when used.21:33
bknudsonthen we can change the cli to default to v321:33
bknudson(or, even better, change the cli to use version discovery by default)21:34
stevemarwhy would we support compat?21:35
stevemarit's a new project21:35
stevemaryou can set OS_TENANT_NAME and use that21:35
bknudsonopenstack project create / openstack tenant create21:35
bknudsonmaybe we should have v3 compat commands in v2.21:36
samueldmqmordred, bknudson, gyee I have set up devstack + tempest experimental jobs with keystone v3 only (v2 disabled), so we can work towards having everything with v3 by default21:36
gyeebknudson, I don't think we need compat commands21:36
gyeejust some AI to make it smarter21:37
bknudsony, could just call an AI web service.21:37
gyeelike if user specify v2 params, just use v221:37
bknudsonlike siri or cortana21:37
stevemarthey are already switching from issuing a "keystone" command to an "openstack" command....21:37
gyeelike my self learning thermostat21:37
stevemarthe user can just use project21:38
stevemarkill tenant in a fire21:38
bknudsondoesn't devstack use openstack command now?21:38
gyeestevemar, damn straight21:38
samueldmqjamielennox already has some patches to make devstack use v3 to set up its own resources21:38
stevemarbknudson, yes it does21:38
bknudsondoes it do tenant create or project create?21:38
gyeesamueldmq, nice!21:38
bknudson./exercises/    openstack project create $121:39
bknudsonso it's already using v3?21:39
stevemardevstack uses v221:40
bknudsonopenstack CLI has project create for v2...21:41
stevemarwe even ditched the 'tenant' name in osc21:41
bknudsonI thought gyee said it used tenant for something?21:41
bknudsonis that just auth?21:41
stevemarit'll support OS_TENANT_NAME in your auth if you set it21:41
gyeestevemar you mean one can do this? openstack --os-identity-api-version 2.0 project create21:42
*** dguerri is now known as dguerri`21:42
bknudsondevstack is doing that already21:42
bknudson./tools/        eval $(openstack project create -f shell -c id $name)21:43
bknudsonstevemar: why is the default for identity-api-version 2?21:43
gyeestevemar, if that's the case, then we should just default identity-api-version to 321:44
stevemarbknudson, because devstack will fall on its face if it's 321:44
bknudsonwhy? all the commands are compatible21:44
stevemarat least when i tried it a while ago21:44
stevemarsubmit a patch and see?21:44
bknudsonthat sounds like a dare21:47
gyeeyou have my moral support21:49
morganfainbergmoral support gyee, should i be worried?21:50
morganfainbergstevemar: btw: how was CISID21:50
stevemarmorganfainberg, not bad21:50
stevemarmorganfainberg, learning a lot21:50
morganfainbergstevemar: i'd like to grab a time to sync up w/ you re: what you've gathered from the conf and how it impacts us21:51
*** iamjarvo has quit IRC21:51
stevemarmorganfainberg, sure, monday-ish?21:51
morganfainbergyeah sounds good. i should be home by then21:51
gyeewhat's CISID?21:52
morganfainbergCloud Identity Summit21:52
*** radez_g0n3 is now known as radez21:52
*** iamjarvo has joined #openstack-keystone21:55
*** ayoung has joined #openstack-keystone21:56
*** ChanServ sets mode: +v ayoung21:56
*** spandhe has joined #openstack-keystone21:56
*** HT_sergio has quit IRC21:56
*** pnavarro_ has quit IRC21:56
stevemargyee, SO FANCY!21:58
*** radez is now known as radez_g0n321:58
stevemarthe projector just died during a guys talk21:59
stevemarpoor guy21:59
bknudsonI'm looking forward to reviews from stevemar -- -2, at CISID we decided to frobnaz the gipplezorp.22:00
*** esmute has quit IRC22:00
stevemarbknudson, umm, thats so last year, it's all about the rufflebits now22:00
stevemarit's like you don't even work on identity, pfft22:01
bknudsonhopefully it's all recorded.22:01
bknudsonthen I can catch up22:01
stevemari think it is22:01
*** lsmola has quit IRC22:01
stevemarbut they didn't get the super mega package like openstack gets22:01
stevemarit's all uploaded after the summit, not 10 minutes after the session22:02
morganfainbergyah FNTech is amazing22:02
bknudson$1,695 !22:02
morganfainberghard to find a similar production company22:03
morganfainbergbknudson: have you looked at the price of the OpenStack summit (full price?)22:03
bknudsonthat's why I commit something.22:03
bknudsonthey mentioned at the summit they might tighten the reqs for the free pass.22:05
*** __afazekas has quit IRC22:05
bknudson -- these do look interesting22:06
bknudson"Beyond Identity & Federation"22:06
*** stevemar has quit IRC22:06
bknudsonthese guys are way behind since there are no docker talks.22:10
bknudson"SAML in SAML out (or maybe WS-Fed)"22:11
morganfainbergbknudson: is that like garbage in garbage out?22:12
bknudsonhere's a competitor to stevemar: Identity across Google for Work and Google Cloud Platform22:12
bknudsonsome of these look like sales pitches22:13
bknudsonah, it's FIDO and SCIM that are the new hotness.22:14
bknudsonI'm glad we've got someone there from OpenStack since our competitors are there.22:14
gyeemorganfainberg, ayoung, can you guys address jamielennox questions on patch 14 when you have a chance?
gyeenow I need to figure out wtf's wrong with jenkins22:15
gyeeeverything's green, but a -1 from jenkins22:15
ayounggyee, is that endpoint bindings?22:15
morganfainbergbknudson: yeah that was my goal, make sure we had someone there.22:15
bknudsongyee: incompatible requirements22:15
morganfainbergbknudson: it's good to know what the state of other technologies is22:15
gyeeayoung, yes, jamielennox was asking for separate middleware22:15
morganfainbergesp. the Identity-As-A-Service crowd22:15
gyeebknudson, which one?22:16
*** timcline has quit IRC22:16
bknudsonoslo.policy>=0.3.1 does not match openstack/requirements value oslo.policy>=0.5.022:16
bknudsonit's a moving target you're trying to hit.22:16
bknudsonby the time you update to 0.5.0 it'll be 1.0.022:17
gyeebut at least jenkins should show red somewhere right?22:17
bknudsongyee: probably, but don't complain to -infra or you'll have to fix it22:18
bknudsonif you toggle CI it shows the failure22:18
ayoungWhat if we said "OK, SAML it is"22:18
ayoungthen make Swift accept a SAML assertion instead of the tiny token they want22:18
gyeebknudson, got it, thanks for the tip!22:20
bknudsonwe could provide a service to take your SAML and turn it into a short token for ref22:20
ayoungKeystone would export the mapping, perform it all in middleware22:20
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint
bknudsonayoung: what's the mapping? attributes to roles?22:23
ayoungbknudson, yeah22:23
*** merlin_ has quit IRC22:23
ayoungbknudson, get rid of tokens22:24
bknudsonI don't see why not.22:24
bknudsonSCIM is a REST API -- -- we could implement that in keystone22:25
bknudsonor leave it to an identity provider22:25
ayoungbknudson, replace PKI tokens with in this
*** Ephur has quit IRC22:25
gyeebknudson, any reference impl of SCIM out there?22:26
gyeeayoung, you mean like AWS access keys? brilliant! :)22:27
*** ankita_w_ has joined #openstack-keystone22:27
*** harlowja has quit IRC22:27
*** noye has joined #openstack-keystone22:28
ayounggyee, I mean nothing like AWS access keys22:28
ayounggyee, I mean like we let SAML do SAML things, and provide a sane alternative to XACML for the rest22:29
*** ankita_wagh has quit IRC22:29
*** stevemar has joined #openstack-keystone22:29
*** ChanServ sets mode: +v stevemar22:29
bknudsonthese jerks are stealing keystone's thunder:
bknudsonOSIAM is a secure identity management solution providing REST based services for authentication and authorization22:30
bknudsonWe achieve this by implementing two important open standards.22:30
bknudsonopen standards!22:30
bknudsonlooks like they're doing oauth rather than saml22:31
*** harlowja has joined #openstack-keystone22:32
bknudsonit's java22:33
gyeebknudson, but we have federation and trust delegation and all the fancy terminologies22:33
*** dsirrine has quit IRC22:33
gyeejava? booo22:33
bknudsonmaybe they're just converting keystone to java?22:34
bknudsonRequestMapping(value = "/token")22:34
bknudson@RequestMapping(value = "/revocation", method = RequestMethod.POST)22:34
bknudson@RequestMapping(value = "/revocation/{userId}", method = RequestMethod.POST)22:34
bknudsonmaybe there's only one way to do it.22:35
stevemarbknudson, did you make that patch yet? punk?22:36
bknudsonstevemar: I'm too scared.22:36
gyeebknudson, tell stevemar you need no standing inline for ID check when you ask for an adult beverage :)22:37
stevemargyee, i'm trying to be intimidating22:37
bknudsongrow a beard22:37
bknudsonand add some grey extensions22:37
gyeeand shave your head22:37
bknudsonalways a good decision22:38
bknudsonno lice22:38
bknudsonstevemar: you have to find these osiam jokers and get them to contribute to keystone instead22:38
stevemarbknudson, forcefully get them to contribute?22:39
*** lufix has quit IRC22:39
stevemari wonder if this will work bknudson
bknudsonyes... you're very intimidating22:39
bknudsonfrom keystoneclient.v2_0 import client as identity_client_v2 ?22:40
stevemarwhat about it?22:40
bknudsonshould be v322:40
stevemari think that's fine. we only use that to override tenant stuff22:41
stevemaridentity_client = utils.get_client_class() is what actually gets the client22:42
bknudsonkeystoneclient has that functionality built in.22:42
openstackgerritMerged openstack/keystone: Remove identity_api from AuthInfo dependencies
*** sigmavirus24 is now known as sigmavirus24_awa22:46
*** dsirrine has joined #openstack-keystone22:48
*** bknudson has quit IRC22:54
mordredhey all23:01
mordredI have two different sets of code I'm looking at for user creation23:02
mordredin one, it creates a user with a project as a parameter, in another with a domain23:02
*** geoffarnold has joined #openstack-keystone23:02
mordredwhen I look at keystone client, I see that both are possible input parameters23:03
mordredI think I just answered my own question23:03
*** jaosorior has quit IRC23:05
*** ankita_wagh has joined #openstack-keystone23:07
*** ankita_w_ has quit IRC23:07
*** iamjarvo has quit IRC23:20
*** browne has quit IRC23:34
*** david-lyle has quit IRC23:40
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** dsirrine has quit IRC23:48
*** dsirrine has joined #openstack-keystone23:48
*** spandhe has quit IRC23:49
*** darrenc is now known as darrenc_afk23:54
*** harlowja has quit IRC23:54
*** harlowja has joined #openstack-keystone23:55
*** dsirrine has quit IRC23:56
