Thursday, 2015-06-11

*** gyee has quit IRC00:00
*** spandhe has joined #openstack-keystone00:06
*** belmoreira has joined #openstack-keystone00:11
*** darrenc_afk is now known as darrenc00:14
*** spandhe has quit IRC00:29
*** spandhe has joined #openstack-keystone00:34
*** ankita_wagh has quit IRC00:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
*** kiran-r has joined #openstack-keystone00:44
mordredjamielennox: I hear I can figure out my currently scoped domain from the keystone session, yeah?00:44
*** pece has quit IRC00:46
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
*** spandhe has quit IRC00:55
*** _cjones_ has quit IRC00:57
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
*** browne has joined #openstack-keystone01:02
*** bknudson has joined #openstack-keystone01:04
*** ChanServ sets mode: +v bknudson01:04
*** lhcheng has joined #openstack-keystone01:06
*** ChanServ sets mode: +v lhcheng01:06
*** lhcheng_ has joined #openstack-keystone01:07
*** rdo has quit IRC01:08
*** lhcheng has quit IRC01:10
*** rdo has joined #openstack-keystone01:10
*** ankita_wagh has joined #openstack-keystone01:11
*** chlong has quit IRC01:11
*** jdennis has left #openstack-keystone01:11
*** richm has quit IRC01:12
*** dims_ has joined #openstack-keystone01:18
*** dims has quit IRC01:21
*** tobe has joined #openstack-keystone01:24
*** iamjarvo has joined #openstack-keystone01:30
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
ayoungjamielennox, on  we've kindof made guang bounce back and forth on "separate middlewarea' versus "do it in "ATM"  and there are pros and cons for each one01:38
ayoungmorganfainberg, pretty much came down firmly on the side of "configuring it by adding it in all the service pipelines is bad"01:39
*** richm has joined #openstack-keystone01:39
ayoungI was mixed, but now that I see the number of config options, I think we are better off with it in ATM01:39
ayoungmordred, You settled it then?01:43
jamielennoxmordred: umm, not the currently scoped domain01:46
jamielennoxmordred: it's not really something i ever thought would be useful01:46
jamielennoxyou can get the current project id and the current user id01:46
jamielennoxand with the whole moving towards projects only i didn't figure it was required01:47
jamielennoxayoung: so you think in the same middleware as auth_token?01:47
jamielennoxi just think that endpoint_id is not the only thing you are going to want there01:47
jamielennoxi mean you can't even be sure that endpoint_id will be in the policy line, so we're going to have a bunch of enforce_* when they want to do something like you can only access this endpoint from this project01:48
ayoungjamielennox, so we had him write it generic enough that the endpoint Id is not the only thing it can enforce.  It is Global policy...anything that is not specific to one particular API01:48
jamielennoxayoung: right, but you need to pass the endpoint you want to enforce against for him to make the target dict01:48
ayoungbut endpoint_id (or maybe URL) will be pulled from context...I suspect the config file01:49
ayoungactually...good point, we should unify on URL01:49
jamielennoxand i imagine in future we're going to want to have policy middleware that checks policy at the URL layer - which is essentially this01:49
ayoungjamielennox, so, populating the context for the query aside, yes, I think it should be in ATM...I can see qana rgument either way, butwe have to chose one01:50
*** belmoreira has quit IRC01:50
jamielennoxso my feeling is that this is a consumer of the information that auth_token middleware provides01:50
jamielennoxand as soon as you have to have a flag that says enabled=True/False you can replicate that by in the pipeline vs out of it01:50
ayoungthere would be an implied ordering anyway, that the token has to be expanded prior to the middleware enforcing this01:50
ayoungbut it is a corss cutting concern, so it should be in middleware01:51
jamielennoxi'm not arguing the repo, just the file01:51
ayoungno, I mean that even if it were in a seaprate middelware, I'd have issues with it01:51
jamielennoxoh, me too - i'm not convinced it's a good idea at all01:51
ayoungcus it implies the midddlewars need to specified in an implied contract, and I really don't like that01:51
jamielennoxayoung: we have that for just about everything already01:52
jamielennoxyou can't do anything without auth info01:52
ayoungmorganfainberg, was prety convince that editing the pipeline everywhere wwould be a non-starter01:52
jamielennoxsounds like a puppet problem01:52
ayoungand...since it kindo needs other config values anyway, you'd end up having to change both paste and config in lock step01:53
ayoungpaste doesn't really thrill me01:53
*** ankita_wagh has quit IRC01:53
jamielennoxi think we do too much in middleware now, but there are some things like this whjch are properly optional components that happen before you get to the main app which are perfect for it01:53
*** stevemar has quit IRC01:53 I agree the question is ATM or other...01:53
jamielennoxand as you say, i'm really not convinced this is a great idea and if we put it in auth_token middleware we'll support it forever01:53
ayoungand...make a hard case for other and I think we'll let you and moprgan duke it out...I am "more ATM than other" but really just want progress01:54
jamielennoxhaving done a lot of refactoring on it recently it really is too big01:54
jamielennoxthen again you could argue that everything like bind checking should really be done in seperate middleware as well01:55
ayoungwell, two middlewares is just adifferent division of code, not less code01:55
jamielennoxand i see the point that not everyone uses paste01:55
jamielennoxa lot of the new projects hardcode auth_token middleware in place01:55
jamielennoxso they wouldn't be configurable in the same way01:56
mordredjamielennox: oh - so - kinda bu maybe not really01:56
jamielennoxmordred: do you mean the domain of the project or you've got a domain scoped token?01:56
mordredjamielennox: I'm punting right now and ooking in my input auth dict for a domain_id and using that as a default value if no domain is provided on api calls that want a domain01:56
jamielennoxwhat api calls want a domain?01:57
jamielennoxeven in keystone?01:57
mordredone sec01:57
mordredcreate project01:57
jamielennoxthe reason i exposed project_id from plugin is like nova and cinder apis that have a project_id in the URI so you have to fetch it from somewhere01:57
mordredand create user01:57
jamielennoxbut you really shouldn't ever need the domain id01:57
mordredit's in the python api parameter list01:58
jamielennoxayoung: do we default create_user to be the same domain as the token scope?01:58
jamielennoxthere was a conversation about that once01:58
ayoungjamielennox, I think so...I can check01:58
ayoungjamielennox, v3, right?01:58
jamielennoxi'd need to check code and i just got back from a run so need a shower first01:58
jamielennoxayoung: yea01:58
jamielennoxi *think* if you don't provide a domain_id it pulls it puts it in the same domain as the user is authed to01:59
ayoungjamielennox, OK starts here
ayoung_normalize_domain_id ... lets see waht that does01:59
*** fangzhou has quit IRC02:00
ayoungSo if not specified...02:00
jamielennoxmordred: ^ so if you don't specify the user should be created in whatever the domain you are currently scoped to02:01
ayoungbut that seesm to intend to leave the valeu submitted by the user02:01
jamielennoxayoung: it should allow a user to create a user in another domain, but by default you probably want to create them in the domain you're in now02:01
ayoungjamielennox, I think I disagree:  I would argue that the token should be scoped to the DOmain in which you want to create the user.02:02
jamielennoxballs - that's stupid02:02
jamielennoxwhy would you go user -> project -> domain and find domain that way02:03
jamielennoxcummon v4 api!02:03
*** fangzhou has joined #openstack-keystone02:06
mordredjamielennox: AWESOME! that is the behavior I wanted and was trying to achieve, I can remove some code02:08
mordredayoung: also, I don't know what I'm talking about, but I would like to agree with jamie here02:09
mordredhowever - I'd like to use slightly different words02:09
mordredlargely because I have never once in my life scoped a token to anything02:09
mordredI have a user, that user has the ability to do things.02:09
mordredone of the things that user might be able to do is create users in any domain, like a cloud admin, right?02:10
*** fangzhou has quit IRC02:10
mordredwould I expect the cloud admin user to present a new auth transaction to do that?02:11
mordredlike, would I say "keystone.Session(user='admin', domain='foo'); do something " then "keystone.Session(user='admin', domain='bar'); do something"02:12
mordredkeystone.Session(user='admin', domain='foo'); do_something(domain='bar')02:12
mordred(I've now talked myself into not having an opinion and ammerely curious)02:12
mordredayoung: hrm. I may have actually come around to completely agreeing with what I think you said above02:13
*** richm has quit IRC02:14
mordredbecause if that's the case, I don't EVER have to worry about domain as a parameter to any action I want to do - I need to auth to a particular domain to do work there, and once auth'd, that's where I do work02:14
mordredassuming that acloud admin can auth to a user's domain and project in order to do things like set up networks on their behalf as part of an accoutn creation automation02:15
openstackgerritDavanum Srinivas (dims) proposed openstack/keystonemiddleware: Remove install_venv_common and fix typo in memorycache
mordredcould I assume the same thing for create_user and project?02:17
openstackgerritDavanum Srinivas (dims) proposed openstack/python-keystoneclient: Remove unnecessary install_venv_common module
ayoungmordred, yeah, although we should still make people explicitly state what domain or project they are doing something in, and compare with the token, just so they don't accidentally do things in the worong project, etc02:17
ayoungmordred, SO, you touch on an interesting point02:18
ayoungwith "admin somewhere is admin everywhere"  like we have now, it is possible we have APIs where the cloud admin can't actually fix a broken situation...cuz it looks for context from the token02:18
mordredI mean, if I log in as foo@bar/projectA and run create user - you're saying you think I should still do create user bang@bar/projectA rather than just bang?02:19
ayoungmordred, there are some tricky things like with policy, where we need to fetch and object from the database to see what project it is in02:19
mordred(I ask for clarity, because it's quite a lot of work to do that with  the v2/v3 api differences)02:19
ayoungmordred, from the WebUI, I think it makes sense that the user would see the domain in the listing, and not have to explicitly specify.  From the CLI....I can see either view, but err more on the side of "be explicit" over "infer"02:20
ayoungmordred, what I don't think you should be able to do is get a token scoped to one domain, and perform an action on another02:21
ayoungthe token has both a user scope and a project scope, and it is the project scope that counts02:21
jamielennoxmordred: so yea - it's not going to work that simply apparently, if you don't specify domain it will work from a domain scoped token otherwise it uses the CONF.default_domain_id which is horrible02:21
ayoungyou need to have a role on the project (or domain) to affect change in there02:21
ayoungjamielennox, and all that logic happens after the policy check, too02:22
jamielennoxand thinking about it i guess it's because you would have to make a choice between whether project_domain_id or user_domain_id took priority in the other case02:22
jamielennoxproject seems logical there, but whatever02:22
jamielennoxmordred: so there is a hacky way to do it that'll work 99% of the time02:23
* mordred is starting to think he's thinking about this too hard since this is an admin function ...02:23
jamielennoxauth.get_access(session) is an AccessInfo object which has domain_id (domain scope) user_domain_id and project_domain_id (project scoped)02:23
jamielennoxthat'll exist for all the keystone auth mechanisms02:24
jamielennoxit's going to fail for things like TokenEndpoint and maybe future SSL certs and stuff like that which won't get an actual keystone token02:24
jamielennoxthe method just won't exist on those plugins02:26
ayoungjamielennox, got this code sucks02:26
jamielennoxayoung: my stuff? :)02:26
mordredI think I'm going to try a version of ayoung's be-explicit thing02:26
ayoungmordred, what are you working on?02:27
mordredand since it's an admin api, I'm ok with exposing v2/v3 differences to the end user - or expecting them to grok them02:27
mordredso I'll accept domain as a param, and if the endpint is v3 and they don't give one, I'll throw an error02:27
mordredayoung: shade patches - leading towards ansible module02:27
mordredworking on ansible module really - but the shade patches are required to get there02:28
ayoungmordred, heh02:28
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements
ayoungmordred, I was working on setting up a demo, got fed up with the varuious CLIs, and started using the python API directly02:28
ayoungmordred, so far I got this
mordredayoung: :)02:29
ayoungit just creates a network and a VM02:29
mordredayoung: oh! you should use shade02:29
ayoungmordred, I might...02:29
ayoungmordred, jamielennox and I were both thinking that we had no permissions to clean up neutron stuff in our lab.  Turns out we just were not deleting all of the objects in the right order...02:30
jamielennoxayoung: oh? i tried a few different things02:31
ayoungthe lab techs themselves were fighting cleaning this up....02:31
ayoungjamielennox, you need to start by deleting the VMs attached to the network....02:31
ayounggetting it right is labor intensive02:31
jamielennoxand none of this was mentioned in the errors coming back from horizon02:31
jamielennoxi just got permission denied02:31
ayoungjamielennox, exactly02:31
ayoungjamielennox, I thought the same thing until wfoster or someone set me straight.  I still don't know why it let two subnets with overlapping subnets happen, as I got errors about that later, too02:32
jamielennoxayoung: i'm sure you're allowed to do that with neutron02:33
ayoungjamielennox, it sounds like they have a "tear down the network" script now02:33
ayoungjamielennox, maybe...02:33
*** dims_ has quit IRC02:33
ayoungyeah, maybe it was just two subnets in the same network that is explicitly disallowed, but not on different networks...that would reflect what I saw.  I think.02:33
openstackgerritMerged openstack/keystoneauth: removed custom assertDictEqual
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements
mordredjamielennox, ayoung: updated that after this conversation - very helpful I think02:39
ayoungmordred, glad to hear it02:39
openstackgerritMerged openstack/keystonemiddleware: Fixes a spelling error in a test name
*** ankita_wagh has joined #openstack-keystone02:40
*** stevemar has joined #openstack-keystone02:41
*** ChanServ sets mode: +v stevemar02:41
openstackgerritMerged openstack/python-keystoneclient: Iterate over copy of sys.modules keys in Python2/3
*** henrynash_ has joined #openstack-keystone02:42
*** ChanServ sets mode: +v henrynash_02:42
jamielennoxmordred: looks sane at first glance, i think it's always best to throw errors first and if people complain you can come up with some defaults, you just can't go the other way02:43
*** varya has joined #openstack-keystone02:43
*** henrynash has quit IRC02:43
*** henrynash_ is now known as henrynash02:43
*** lhcheng_ has quit IRC02:44
*** tobe has quit IRC02:46
*** tobe has joined #openstack-keystone02:47
*** bknudson has left #openstack-keystone02:49
*** tobe has quit IRC02:50
*** kiran-r has quit IRC02:51
mordredjamielennox: yah02:51
*** ajayaa has joined #openstack-keystone02:51
mordredjamielennox: so - for user creation - I should really require both domain and project, yes?02:51
jamielennoxmordred: user creation domain only02:51
*** tobe has joined #openstack-keystone02:51
jamielennoxyou can accept default_project - i'd like the concept to die but we're along way from that02:52
ayoungmordred, project means nothing for users....I would say that today, it would be adomain scoped token, but we are also looking at "a domain IS-A prjoejct" so an appropriate scoped project token would make sense...but that is Liberty timeframe02:52
ayoungusers are owned by domains, not by projects.02:53
mordreddoes it make more sense in v2?02:53
mordredlike, in v2, I need a tenant_id for a user creation, right?02:53
ayoungjamielennox, let me finish reviewing this patch, and then I have something to run by you on the endpoint thing...02:53
jamielennoxmordred: umm, need... i'm not sure if you need it in v2 or it's optional02:54
jamielennoxi'll need to check that02:54
mordredkk. I'll poke02:54
jamielennoxmordred: it looks optional02:55
mordredjamielennox: if I juse used the keystone v3 name - default_project - for the parameter name, would that be totally bonghits in v2?02:57
mordred(like, ignoring that it's tenant in v2)02:57
jamielennoxmordred: yea, and because of the way keystone (stupidly) stores your random crap from the API i've no idea what would happen if you passed in default_project and then tried to read that user from v302:58
mordredoh - no, I'll transform it to tenant_id if it's v202:58
mordredI'm just thinking about the python api nming here ...02:58
jamielennoxactually based on the code it would probably work just fine, but you're going off spec02:59
mordredoh - I'm so far off spec :)02:59
ayoungjamielennox,, lets take the idea that policy should be a middleware and accept that it can't, because we need to fetch the object from the database.  I don't see that changing, as it would rqwuire redoing a bunch of APIs, like most of Keystone V3....but02:59
ayoungWe need to keep policy in a stage after token expansion, but nothing says it has to be in the middleware02:59
*** stevemar has quit IRC02:59
ayoungit could be part of the policy check02:59
jamielennoxquote of the day so far03:00
ayoungwhat the current policy check does not have right now is a concept of a "also check this on every rule"03:00
jamielennoxayoung: so let me offer what i've been thinking of first03:00
ayoungso, maybe the right solution is to make Oslo.policy have a global section03:01
ayoungin addition to the "per API" section03:01
ayoungah...go ahead03:01
jamielennoxnova is already keen to move to a URI based policy enforcement03:01
jamielennoxand i think thats a great idea because it's dumb you have to figure out what functoin /v3/users/XXX/projects maps to for policy03:01
jamielennoxwhy don't we just enforce policy twice?03:02
jamielennoxonce statically based on URI in middleware, it cannot have object specific information03:02
jamielennoxthat i think would cover a large number of uses03:02
jamielennoxthen once at like the Manager level03:02
ayoungand once later to make sure the project matches?03:03
jamielennoxso get_user is actually on get_user protecting the database03:03
ayoungso...I like that idea.  It aligns with something else I've been thinking03:03
jamielennoxthat would be enforced pretty much any time someone tried to access stored data03:03
ayoungwe don't really want users messing with that second stage03:03
jamielennox(caching etc)03:03
ayoungthe devs know where the project id is,  and chagnign that should be outside the realm of configuration03:03
ayoungthat check really should be in code03:04
*** david-lyle has joined #openstack-keystone03:04
*** varya_ has joined #openstack-keystone03:04
jamielennoxayoung: i'll be honest i think most of this should be in code but everyone wants to play with the options03:04
ayoungthe part that needs to be modifiable is "what role do we assign to the user to allow them to do this"03:04
jamielennoxso i don't know how practical that split is03:05
jamielennoxthere seems to be a lot of ownership testing going on03:05
ayoungI've been advocating it already as a "best practice"03:05
jamielennoxand i don't know if this is better or worse in projects other than keystone03:05
*** iamjarvo has quit IRC03:05
ayoungjamielennox, it varies...03:06
ayoungjamielennox, cielometer specifies a default rule and that is it...03:06
ayoungnova has really detailed rules03:06
jamielennoxayoung: i mean at the moment everyone just checks for admin role, so we can enforce that without object ownership03:06
ayoungjamielennox, so long as we check ownership as some point...but we need to scope in admin....03:07
ayoungthe cutrent system *is* broken03:07
jamielennoxayoung: it would take trying it really03:07
*** varya has quit IRC03:07
jamielennoxand i've got other fish03:07
ayoungjamielennox, this is my fish to dry...but...back to the origianl point03:07
jamielennoxpoor dry fish03:08
jamielennoxthat's just mean03:08
ayoungso if we could do policy on a per URL basis, and we did that in a middleware, then...the globarl thing still would work03:08
ayoungI forgot to put water in the fish bucket03:08
jamielennoxayoung: yep - also i don't want to call it global03:08
jamielennoxname it auth_token or something03:08
ayoungheh...I need a word that implies "applied on every rule"03:09
jamielennoxmeh, i think i prefer to name it based on where it's coming from03:10
jamielennoxbut either way03:10
ayoungso, putting aside the name, it would give us a way to do things like endpoint, but also the binding check, and so forth03:10
ayoungyou could call it a Macro...its automatically applied.03:11
openstackgerritMerged openstack/keystone: Fix spelling in configuration comment.
ayoungjamielennox, so I wonder if the hierarchical thing that david is building into his engine could actually support this.  If we somehow said that: here is a check that every rule inherits...03:14
ayoungso long as the tool supported it, and the policy files were autogenerated, there would be no reason to make it an explicit check in the code.03:14
ayoungthat was my original approach to endpoint binding anyway03:15
ayoungbut...the way that gyee is going about it, it would depend on the endpoint actually chosing to enforce it or not...and with a global policy file, it would be applied evently everywhere03:16
openstackgerritMerged openstack/keystone: Avoid using the interactive interpreter for a one-liner
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol
openstackgerritMerged openstack/keystonemiddleware: Remove custom header handling
*** dims has joined #openstack-keystone03:33
*** varya_ has quit IRC03:35
*** kiran-r has joined #openstack-keystone03:42
openstackgerritMerged openstack/keystonemiddleware: Refactor request methods onto request object
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol
*** varya_ has joined #openstack-keystone03:51
jamielennoxayoung: is there a reason to cache PKI tokens in middleware?03:53
jamielennoxis there a useful advantage in memcache vs decrypting it again?03:53
*** noye has quit IRC03:54
ayoungjamielennox, I think it is considered a performance tuen, and even there, I would question that03:54
jamielennoxi'd be skeptical of the performance bump because you are commiting a lot of extra data to memcache03:55
ayoungespecially if we get CMS support from python-cryptography, and lose the cost of the  popen03:55
ayoungcrypto is CPU intensive03:55
ayoungmemcache is I/O03:55
jamielennoxayoung: do you think people would complain if i removed it? :p03:56
ayoungjamielennox, Ha...I don't know03:57
ayoungjamielennox, this is PKI token only?03:57
ayoungwould UUID tokens still be cached then?03:57
*** kiran-r has quit IRC03:57
jamielennoxsure, you'd still cache things you got from keystone03:57
jamielennoxjust always use pki to decode PKI tokens03:57
ayoungI'd be OK with that.  I think.03:58
*** fifieldt has joined #openstack-keystone03:58
*** ajayaa has quit IRC03:58
ayoungjamielennox, I wonder how many people are still using PKI tokens.  I suspect not many04:00
jamielennoxayoung: hmm, it might mess with the check_revocations_from_cache option - but that should exist anyay04:00
jamielennoxagain only for PKI tokens04:00
*** iamjarvo has joined #openstack-keystone04:01
ayoungnothing is it will always check revocations04:02
*** ankita_wagh has quit IRC04:03
*** tobe has quit IRC04:04
jamielennoxwhich is not what happens now04:04
*** ankita_wagh has joined #openstack-keystone04:06
ayoungthat should be OK...the revocation check is not a bad thing to do more frequently.04:09
ayoungBed time04:09
*** ayoung has quit IRC04:09
*** tobe has joined #openstack-keystone04:13
*** ajayaa has joined #openstack-keystone04:15
*** markvoelker has quit IRC04:26
*** Kennan2 has joined #openstack-keystone04:36
*** Kennan has quit IRC04:37
*** ajayaa has quit IRC04:50
*** tobe has quit IRC04:56
*** tobe has joined #openstack-keystone05:01
*** ankita_wagh has quit IRC05:08
*** varya_ has quit IRC05:15
*** kiran-r has joined #openstack-keystone05:15
*** varya has joined #openstack-keystone05:16
*** davechen has quit IRC05:17
*** belmoreira has joined #openstack-keystone05:22
*** markvoelker has joined #openstack-keystone05:27
*** markvoelker has quit IRC05:32
*** belmoreira has quit IRC05:38
*** rushiagr_away is now known as rushiagr05:41
*** stevemar has joined #openstack-keystone05:42
*** ChanServ sets mode: +v stevemar05:42
stevemarjamielennox, around?05:44
jamielennoxstevemar: yes05:44
marekdstevemar: oh-hai05:44
stevemarjamielennox, marekd oh shit, both of the guys i wanted to talk to!05:44
*** ajayaa has joined #openstack-keystone05:44
stevemari finally got around to making that oidc plugin :)05:44
marekdstevemar: i will be here whole day!05:45
marekdstevemar: great105:45
stevemarit helped that i was near the oidc experts all week long :)05:45
*** varya has quit IRC05:45
stevemarI'm trying to test it out with openstack CLI, but i'm getting funky behaviour05:45
*** varya has joined #openstack-keystone05:45
stevemarlike, it's not passing along --os-identity-provider or --os-protocol forward05:46
stevemari'll paste05:46
stevemaralso, it seems to mess up depending on the order of things05:48
marekdstevemar: lxml installed?05:50
stevemarif i put the command first: << this one gets farther05:50
stevemari'm not samlizing anything, but i think so05:50
marekdstevemar: there was a weird behaviour where without lxml i didn't see options like identity-provider in osc....05:50
stevemarmarekd, just checked, it's installed05:51
jamielennoxstevemar: so the second one looks like your new plugin has lots of required arguments to __init__05:51
marekdstevemar: do you see those options in openstack --help list?05:51
marekdstevemar: ok05:51
marekdstevemar: yeah, which review?05:51
stevemarjamielennox, it does, but for some reason identity-provider and protocol are not being passed in05:51
morganfainberghmmmmm.... zzzzzz05:52
stevemarlet me push a new version05:52
morganfainbergstevemar: oidc folks helped out with stuff huh? :)05:53
*** mabrams has joined #openstack-keystone05:53
jamielennoxalso OSC does stupid things with the auth options so it may come out werid05:53
stevemarjamielennox, yeah, i think that's occ not osc though :\05:53
stevemarbut it seems to remove identity-provider and protocol from auth options?05:54
jamielennoxstevemar: seems like a similar problem i was having05:54
stevemarmorganfainberg, yes, they were :)05:54
marekdstevemar: so native cli support is already baked in OIDC specs ?05:54
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
stevemarmarekd, sort of yes, but it's optional. google for instance doesn't support it05:55
marekdstevemar: ok, so it's a matter of popularizing this 'extension' not extending the's like with ECP05:55
marekdwith openstack we can make it more popular as people may be forced to start supporting this :P05:55
stevemarhehe, maybe05:56
stevemargoogle's stance on it, is that 2fa would never work05:56
stevemarthe *other* work around was to force users to authenticate with a browser, and copy a pin/code05:56
jamielennoxstevemar: so i would put in a pdb where OCC is compiling the options05:56
stevemarjamielennox, way ahead of you...05:56
jamielennoxcheck what's set on the argparse namespace05:57
jamielennoxand why OCC isn't picking up the right thing05:57
*** lsmola has joined #openstack-keystone05:57
stevemarjamielennox, actually, can you double check my get_options in here are kosher?
jamielennoxthe problem with v2 and v3 passwords was that it was changing the dest= of the options and so when OSC registered them altogether it was wrong05:57
jamielennoxbut i don't think that would be an issue with identity-provider05:58
jamielennoxstevemar: lol05:58
jamielennoxstevemar: line 2905:58
* marekd <-- heh05:58
stevemari feel like jamielennox is going to point out something silly i did06:00
jamielennoxstevemar: i was expecting you to look and see it instantly06:00
jamielennoxoptions = super(federated.FederatedBaseAuth, cls).get_options()06:00
stevemarit's late and i've been traveling all week :(06:00
jamielennoxoptions = super(OidcUnscopedToken, cls).get_options()06:00
stevemarhave mercy06:01
stevemaroh jeez06:01
jamielennoxyou're skipping the options for federatedbase06:01
ajayaaHi guys. I am trying to run tempest with a customized policy file for Keystone. Does tempest work with domain scoped tokens? For example, tempest would try to do "user list" and fail because it tries it with a project scoped token.06:01
stevemarjamielennox, lets just ignore that :)06:01
jamielennoxajayaa: not last time i tried, but admittedly it's been a few months06:01
jamielennoxstevemar: you also don't chain up in __init__06:02
jamielennoxthough it looks like you do handle all the options06:02
stevemarnowww they are in there, let me check..06:02
ajayaajamielennox, That should not be too hard to add in tempest given that OSC already supports it.06:02
ajayaastevemar ^^06:03
ajayaaone more question, Did OSC support domain scoped token in Icehouse?06:03
jamielennoxajayaa: so I added support to tempest to do domain based authentication, and i had one or two patches out there to get it started06:03
jamielennoxtempest doesn't use OSC06:04
*** stevemar2 has joined #openstack-keystone06:04
*** ChanServ sets mode: +v stevemar206:04
jamielennoxbut last i checked there was some issues with how it created projects and such for testing in that didn't work with the standard v3 policy file06:04
stevemar2jamielennox, hotel booted me off the connect06:04
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
stevemar2what did you mean by chain up in init?06:05
marekdstevemar: where are you now?06:05
ajayaajamielennox,  Since I am trying to test domain scoped tokens with tempest icehouse, I am almost sure that it's not there.06:05
jamielennoxmorganfainberg: do you want to have a look at and such06:06
jamielennoxstevemar2: super().__init__06:06
jamielennoxajayaa: i am pretty sure that won't work06:06
ajayaajamielennox, Thanks!06:06
*** stevemar has quit IRC06:06
ajayaaIf I get time, I will have a look at current status and try to improve it.06:07
stevemar2oh, what should i do about auth_ref? it's craping out there now06:07
jamielennoxajayaa: that would be great! we're waiting for a new OSC release then we can get devstack to run with v2 disabled at which point we should really be able to figure out what might not work from tempest06:07
marekdjamielennox: ah, btw, can you take a look at this: ? it's been there for a long time.06:07
marekdstevemar2: why aren't you returning AccessInfo in get_unscoped_auth_ref() ?06:10
jamielennoxmarekd: +A06:10
marekdjamielennox: thank you sir.06:10
jamielennoxmarekd: i'll be honest, it looked right but i don't have a way to test it and we've never released that lib so we won't break anyone06:10
jamielennoxmarekd: oh i have one for you though06:11
*** woodster_ has quit IRC06:11
jamielennoxcan you verify that works for you guys06:11
stevemar2marekd, i dunno06:11
jamielennoxI've destroyed all my kerberos environments and it will take me ages to get it going again06:12
stevemar2where'd all the saml plugin code go?06:12
marekdjamielennox: i don't have any kerb  env now, but will check it later on06:12
marekdstevemar2: ?06:12
jamielennoxmarekd: cern not running kerb anymore?06:12
marekdjamielennox: running, running!06:13
marekdjamielennox: i just don't have it configured on my local env.06:13
jamielennoxmarekd: ah, ok06:13
openstackgerritMerged openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins
stevemar2marekd, i dont know why i didn't use accessinfo06:15
stevemar2i keep copying and pasting my password into the example script,  i'm totally going to check it in06:15
marekdstevemar2: other thing is i don't know whether you want to code in ksc. Depending on when ksa is going to be released (did it got delayed or it's happening in ~2weeks /cc morganfainberg  jamielennox ). Otherwise you may need some extra work with moving it to ksa soon - base classes has changed a littlebit.06:16
morganfainbergjamielennox: looking.06:17
jamielennoxmarekd: it's really waiting for me and i haven't done much about it in the last week or so06:17
jamielennoxi started posting cut over patches to keystoneclient to get it working with auth06:17
jamielennoxthey haven't been reviewed much06:17
marekdstevemar2: i would also refrain from calling entrypoint oidcunscoped, because new base classes allow for retuning both scoped and unscoped token (depending on whether you passed scoping info or not).06:17
jamielennoxat the summit dtroyer and mordred were on to me that we should split plugin loading out from the base plugins themselves - i *think* i have a way to do it06:18
stevemar2marekd, leave remarks in the patch!06:18
marekdjamielennox: like this one: ?06:19
marekdstevemar2: ok06:19
jamielennoxmarekd: yep, then the follow up06:19
marekdoh, maybe i will add such trick in and up06:20
stevemar2does the plugin need an auth_ref property?06:20
marekddon't think so.06:20
jamielennoxstevemar2: no..., it should have the object automatically though06:21
jamielennoxstevemar2: if you called super().__init__06:21
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
morganfainbergmarekd: I expect another ksa release in the next week or so. Trying to keep it moving through iterations so we can test/poke at things.06:24
stevemar2jamielennox, marekd ^06:24
marekdstevemar2: looking06:25
jamielennoxstevemar2: still getting the auth_ref problem?06:25
stevemar2jamielennox, yessum06:25
stevemar2i shall paste06:25
stevemar2jamielennox, le paste ^06:26
*** iamjarvo has quit IRC06:26
marekdreturn super(OidcUnscopedToken, self).get_auth_ref(session, **kwargs)  ?06:27
marekdlast line of uidc.py06:27
marekdstevemar2: ^^06:28
*** markvoelker has joined #openstack-keystone06:28
stevemar2marekd, i figured that was the way to get it to stop complaining about auth_ref06:29
jamielennoxstevemar2: commented on review but i don't see what's wrong06:31
*** lhcheng has joined #openstack-keystone06:32
*** ChanServ sets mode: +v lhcheng06:32
*** markvoelker has quit IRC06:32
*** pnavarro_ has joined #openstack-keystone06:34
marekdstevemar2: ah, remove get_auth_ref completely from your plugin and only implement get_unscoped_auth_Ref()06:36
morganfainbergjamielennox: does pbr support the git link? I read somewhere i think?06:37
stevemar2marekd, hmm thats how i had it before...06:37
morganfainbergjamielennox: otherwise... Sure.06:37
jamielennoxmorganfainberg: it seems to work06:37
morganfainbergNo problem with that.06:37
jamielennoxmorganfainberg: i had to remove the requirements job from that branch, but i think that's ok06:37
marekdstevemar2: 0_o06:37
morganfainbergjamielennox: sure. Just remember we need to cleanup that stuff before we merge back into master.06:38
jamielennoxmorganfainberg: oh yea, it's a while off yet06:38
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
stevemar2cleaning up some of the comments y'all made06:38
*** lhcheng_ has joined #openstack-keystone06:39
marekdstevemar2: erm, can you paste again what's failing now?06:40
morganfainbergjamielennox: +206:40
stevemar2marekd, y, 1 sec06:41
*** lhcheng has quit IRC06:41
marekdstevemar2: and your Python script (in the review) works fine?06:42
marekdopenstack federation project list <<- did we hange the way we pass commands?06:44
marekdi don't recall 'federation' in osc....06:44
*** lufix has joined #openstack-keystone06:44
stevemar2marekd, its a real command06:45
stevemar2is that not what you do?06:45
marekdi haven't used osc since a while.06:46
marekdstevemar2: you try pdb here?06:47
marekdi wonder what's returned by self.auth_get_auh_ref() or what self.auth is (as well as it's dir(self.auth) )06:48
marekdstevemar2: (didn't put space between link and 'did')06:49
*** rushiagr is now known as rushiagr_away06:50
stevemar2let me see06:50
*** toddnni has joined #openstack-keystone06:51
stevemar2marekd, p self.auth results in AttributeError at line 175 :P06:53
marekdstevemar2: did you do python install in keystoneclient after the changes? :P06:54
stevemar2marekd, excessively so :P06:54
jamielennoxstevemar2: is that review most recent? i'll try and run it myself06:55
stevemar2yep, i have to make 1 change to OSC06:55
stevemar2jamielennox, if you or marekd +1 that i'll push it through, i think dtroyer and terry are out this week06:56
jamielennoxstevemar2: i really dislike that section06:57
stevemar2jamielennox, i hate it with the fury of a thousand fires06:57
stevemar2its meant to be a patch until something comes in and replaces it, but we needed it, or we force users to specify DOMAIN ALL THE THINGS!06:58
jamielennoxstevemar2: what's your command line06:58
stevemar2thurrr ^06:58
morganfainbergstevemar2: I have some cleanup on the preso we worked on. I'll share the link to you so we can continue to clean it up before converting to html for publication type things.07:01
morganfainbergstevemar2: also isn't it silly late for you? Or are you still west coast?07:02
stevemar2morganfainberg, i put it up at: btw07:02
stevemar2morganfainberg, still on west coast til tomorrow07:02
stevemar2i made a few other minor changes07:02
morganfainbergAh. I'll share what I've done. You might like some of the cleanup.07:03
jamielennoxstevemar2: what is line 11407:03
jamielennoxthat's not right at all07:03
jamielennoxis that trying to do requests_auth somehow?07:03
jamielennoxlike basic auth?07:03
stevemar2jamielennox, that's according to the spec, you supply the client ID and secret as basic auth07:03
jamielennoxok, use requests_auth=auth07:04
jamielennoxauth= thinks your trying to do a ksc plugin07:04
*** darrenc is now known as darrenc_afk07:04
jamielennoxi think you want to say authenticated=False there as well07:04
jamielennoxotherwise the ksc.session will try and use your plugin to put a token on the request07:04
morganfainbergstevemar2: I was doing some changes to make it more "already know OpenStack" targeted.07:04
* morganfainberg lets you get back to chatting with Jamie.07:05
jamielennoxalso you probably want to say json=payload07:05
jamielennoxalthough i don't know how requests handles that otherwise07:05
stevemar2jamielennox authenticated=False for both post calls?07:05
jamielennoxstevemar2: i assume so, otherwise it will call back into your plugin and infinite recursion occurs07:06
marekdstevemar2: yes07:06
marekd -> here it's authenticate=False everywhere07:07
*** e0ne has joined #openstack-keystone07:08
marekdmorganfainberg: you are in Tel Awiw now ?07:12
marekdor still Berlin ?07:12
*** e0ne has quit IRC07:12
stevemar2jamielennox, blah, lots of changes to make it use KSC sessions07:14
stevemar2jamielennox, do ksc sessions not like verify=False?07:15
jamielennoxstevemar2: shouldn't be that many changes07:15
jamielennoxverify=False is fine i think07:15
jamielennoxi mean you probably shouldn't but you know07:17
morganfainbergmarekd: Berlin still.07:17
stevemar2jamielennox, yeah, i intend to remove that but my idp has an expired cert :)07:17
stevemar2jamielennox, now my python example is le fail07:19
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
stevemar2jamielennox, uploaded a new version to make it ksc session friendly07:20
jamielennoxstevemar2: so what errors?07:21
jamielennoxunless it's pre the actual auth step i won't be able to help07:22
stevemar2i think it is07:22
jamielennoxoo, that's a 500 returned from somewhere07:24
jamielennoxstevemar2: turn on debug07:25
jamielennoxlogging.basicConfig(level=logging.DEBUG) in a script07:25
stevemar2oh its that damn positional thing07:25
*** ajayaa has quit IRC07:27
*** bradjones has quit IRC07:27
jamielennoxwhy is that coming back as a 500?07:27
jamielennoxand also excellent, that's what it's for07:27
*** e0ne has joined #openstack-keystone07:28
stevemar2looks like an encoding issue07:28
stevemar2the idp is barfing07:28
*** bradjones has joined #openstack-keystone07:29
*** bradjones has quit IRC07:29
*** bradjones has joined #openstack-keystone07:29
*** e0ne has quit IRC07:29
stevemar2probably failing to encode
*** ajayaa has joined #openstack-keystone07:30
*** jaosorior has joined #openstack-keystone07:31
*** jistr has joined #openstack-keystone07:33
stevemar2hmm using requests it's fine07:36
stevemar2but if i switch auth=client_auth, data=payload, to requests_auth=client_auth, json=payload it goes caput07:36
stevemar2there we go07:38
stevemar2jamielennox, i needed to use ksc sessions for the calls07:38
stevemar2but i might have to use requests for the first one...07:38
stevemar2which i think is okay07:38
jamielennoxstevemar2: i'd prefer we didn't have to07:38
jamielennoxcan you look at what's different between the two?07:39
stevemar2jamielennox, i will tomorrow07:39
jamielennoxthe only thing i can think of between those two is that json= uses jsonutils to encode07:39
jamielennoxbut i don't see why that would do anything there07:39
stevemar2that might be it07:39
stevemar2i doubt its the basic auth, cause those are both alphanumeric characters07:40
stevemar2the json payload contains at least an @ symble07:40
jamielennoxyea, but i can't see why that would do anything07:40
jamielennoxi didn't know that passing a dictionary to data= was even legal in requests07:40
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
jamielennoxwhat if you leave it as data= instead of json=07:41
stevemar2lemme see07:41
jamielennoxis there any funny redirections happening in oidc?07:44
stevemar2jamielennox, nope07:44
*** browne has quit IRC07:45
stevemar2jamielennox, keeping it as data= works07:45
jamielennoxthat's weird07:45
jamielennoxi'd be interested to know what requests does there that is different to session07:46
stevemar2jamielennox, CLI works too07:47
stevemar2i dunno07:47
stevemar2i'll submit another and use KSC session07:47
stevemar2but keep it as data=07:47
jamielennoxstevemar2: ok, at least it works!07:48
stevemar2i didn't know all the nuances to the KSC session07:49
stevemar2like authenticated=False07:49
stevemar2i thought that was a request-ism07:49
stevemar2it's not07:49
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support
stevemar2i'll add some tests tomorrow07:50
stevemar2but i think it's in decent shape-ish07:50
stevemar2re: KSA, i dont care about resubmitting it there, i'd prefer to have something sooner rather than later though, i have a team breathing down my neck for it :)07:51
stevemar2i could always give them a patch07:52
jamielennoxstevemar2: submit it to ksc, we're going to have to merge everything else anyway07:52
jamielennoxit'll get migrated with everything eles07:52
stevemar2expect a blog post07:52
stevemar2with what will no doubt look like the rantings and ravings of a mad man07:53
jamielennoxstevemar2: but no body believes you07:53
jamielennoxbecause after all that the plugin is 128 lines of code and i'm guessing less than half that is actual code07:54
stevemar2jamielennox, indeed07:54
stevemar2i should have gone to CIS last year and figured this all out!07:54
jamielennoxoh the people breathing down your neck are from conferences?07:55
stevemar2 is the man07:55
jamielennoxi assumed ibm07:55
stevemar2jamielennox, i meant internal, but that was just a joke :P07:55
jamielennoxi'd believe it07:55
*** darrenc_afk is now known as darrenc07:56
*** davechen has joined #openstack-keystone07:58
stevemar2well that was fun!08:00
stevemar2that was the most code i've done in weeks08:00
stevemar2now i can go to bed and i won't have nightmares of oauth tokens and openid connect claims08:00
stevemar2thanks for all your help jamielennox ! i owe you a beer in tokyo08:01
jamielennoxstevemar2: sounds good08:01
*** ajayaa has quit IRC08:03
*** krykowski has joined #openstack-keystone08:04
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Add specification for validating/indexing extra attributes
*** noye has joined #openstack-keystone08:08
*** fhubik has joined #openstack-keystone08:09
*** stevemar2 has quit IRC08:09
morganfainbergjamielennox: ^ since you care about the extra attr headache08:14
jamielennoxmorganfainberg: make it burn!08:15
morganfainbergjamielennox: this puts us on a path to remove them but not break people - and allow people to still manage the extra data they need for business logic08:15
jamielennoxmorganfainberg: can we have a flag to just turn it off as well?08:16
morganfainbergjamielennox: we can but that wont ever be used08:16
morganfainbergbecause we can't default it on08:16
morganfainbergwe have to maintain compatibility08:16
jamielennoxbecause i imagine we can't enforce that you can only set extra that conforms to schema by dfeault either08:16
*** markvoelker has joined #openstack-keystone08:16
morganfainbergand we have to assume we can't take the feature away08:16
morganfainbergso, make it so that when we get microversions (we will get them after flask)08:17
jamielennoxi think we have to be more aggressive in our "upgrade notes"08:17
jamielennoxtehse are things that you need to do to get from stable version to stable versoin08:17
jamielennoxgrrr, microversions08:17
jamielennoxsuch a bad idea08:17
*** rlt has joined #openstack-keystone08:18
jamielennoxalso i don't think that will help here because microversions are an API concept08:18
*** markvoelker has quit IRC08:21
*** Nikkau has joined #openstack-keystone08:22
morganfainbergthat spec ^ is leading towards not removing the feature but also not making extra attributes a trainwreck08:23
morganfainbergit does need some work but that is a first pass08:24
morganfainberge.g. needs to addres some key concerns about how handling the non-SQL backends, etc08:24
jamielennoxmorganfainberg: i don't think we should support indexes - at least not in the first step08:24
morganfainbergcomment that08:25
morganfainbergbut the big push i'm getting is the index side not the validator side08:25
morganfainbergi'd rather we didn't need to index08:25
morganfainbergbut looking at every record to see if an extra is set - ugly08:25
morganfainbergor broken.08:25
openstackgerritMarek Denis proposed openstack/keystone: Mapping Engine CLI
jamielennoxmorganfainberg: i can understand the desire to restrict extra if we can't remove it, but adding indexes is improving it08:26
morganfainbergjamielennox: it is.08:26
morganfainbergunfortunately, we are getting that push and i'm worried we are going to see a lot more push for this08:27
*** jistr has quit IRC08:27
morganfainbergheck adam is pushing for DNSSEC validated attributes (which I'm against)08:27
morganfainbergit shouldn't be everything needs to be a first-class attr, but you need to do searches for these values.08:27
morganfainbergand right now people do: iterate across all objects to find it08:28
morganfainbergso my view is we force the validator to get indexing08:28
jamielennoxmorganfainberg: comment08:29
morganfainbergthis is also trying to kill the namespace thing arvind was pushing. give a generic tool that means we don't have an explosion of deployment-specific top-level attributes.08:30
morganfainbergjamielennox:  thanks08:30
jamielennoxadam keeps coming back to DNS for ideas, and i don't see any of it08:30
morganfainbergjamielennox: i don't either.08:30
morganfainbergjamielennox: really i don't08:30
jamielennoxalso no to what arvind's thing was at summit08:30
morganfainbergjamielennox: exactly what this is meant to address - without breaking people08:31
jamielennoxso as you say the current option is people have to iterate through objects to find things08:32
jamielennoxwhich is bad08:32
jamielennoxwhich is good because hopefully it means they'll use something better instead08:32
jamielennoxi get we can't remove it, but i'm of the same opinion of "fixing" extra as i am of improving the user model in keystone - let's just push people another way08:33
morganfainbergexcept the issue is they aren't they're changing keystone code afaik08:33
morganfainbergwhich isn't good either08:33
jamielennoxi forsee this giant comment in the resource model08:35
jamielennox# HEY YOU! yea you! back away from the keyboard08:35
morganfainbergi have a few other followup plans - notably we can also make the cleaners better - only let top-level attributes and/or validated attributes back out08:35
morganfainbergwhich eliminates PII leaking08:35
jamielennoxmorganfainberg: right i was going to bring that up - is there an issue if the schema changes whilst there is info in the db?08:36
marekdmorganfainberg: FYI, i wasn't at the meeting last Tuesday so I don't know what was your opinion on the idea to squeeze two auth plugins next to each other (one --os-auth-plugin for local cloud and --os-remote-auth-plugin=k2k for remote cloud) but from yesterday's convo w/ jamielennox looks like we will need to make users put --os-auth-plugin=k2k and probably make user make it 2-step operation - get local token, switch configuration (plugin, scopin08:36
jamielennoxat which point you start needing default values etc..08:36
morganfainbergmarekd: hadn't thought about that08:36
morganfainbergjamielennox: this is why i tossed the first pass spec up08:36
marekdmorganfainberg: ah, ok.08:37
morganfainbergjamielennox: more comments/discussion to be done, i expect it08:37
jamielennoxso i see the UI improvement by having your --os-auth-plugin the same regardless if it's local or remote cloud08:38
jamielennoxbut that is a fairly significant change to auth08:38
marekdjamielennox: i know.08:38
jamielennoxwhereas if you specify a k2k plugin then we can do whatever we like uniquely to that plugin08:38
jamielennoxmarekd: catching morganfainberg up08:38
morganfainbergjamielennox: i agree08:39
morganfainberghaving the UX be the same is better08:39
morganfainbergbetween local/remote08:39
morganfainbergjamielennox: where the k2k one can be a bit more specialized08:40
morganfainbergmarekd: i'm willing to be convinced otherwise08:40
morganfainbergmy concern is we might end up chaining through clouds08:41
*** afazekas has joined #openstack-keystone08:41
morganfainbergA -> B -> C -> A08:41
morganfainbergwould we need 5 options that way?08:41
marekdmorganfainberg: so you agree with jamielennox that for now we should make ppl do --os-auth-plugin=k2k ?08:41
*** ajayaa has joined #openstack-keystone08:42
morganfainbergi'm inclined to say that the plugin may need to be specific like that08:42
marekdi don't know how that would solve cloud-chaining problem.08:42
morganfainbergi'm mixing it up08:43
morganfainbergcli vs non-cli08:43
morganfainbergfor cli08:43
*** jistr has joined #openstack-keystone08:43
morganfainbergi worry that two separate auth options are suboptimal08:43
morganfainbergbut there is someone i want to specifically ask about this08:43
marekdmorganfainberg: unless there is a nice way to easily switch configurations for clouds (esp. scoping info) it's fine, but i think having user to do login to local cloud, saving token manually and passing it to the command with openstack --os-auth-plugin=k2k and bursting will also be a terrible thing.08:44
morganfainbergsomeone who uses cli a lot08:44
morganfainbergi don't think i can say which is better more i think about it08:44
jamielennoxmarekd: no i don't want to make users deal with tokens - ever08:44
jamielennoxmarekd: if nothing else it doesn't work for CONF files08:44
morganfainbergi think we might want to make it where it's something else (not a direct auth plugin)08:45
morganfainbergthat the users utilize for the burst cases08:45
* morganfainberg will think a bit more on it today08:45
marekdjamielennox: ok, so we will need make OSC to first know how to auth with local cloud, switch the plugin and burst....08:45
morganfainbergchanigng the auth pliugin later may be bad in general08:45
marekdjamielennox: and this all with multiple combinations and only one --os-auth-plugin and --os-project_id etc (whee we need different for each cloud, local and remote)08:46
morganfainbergthrough the --auth-plugin option08:46
morganfainbergsince it forces the user to know tokens08:46
jamielennoxso it's never a matter of knowing tokens08:46
jamielennoxso --os-auth-plugin is just a way to indicate in what way should i load the other plugins08:47
jamielennoxi'm actually working on dtroyer's idea now of splitting the plugin loading away from the actual plugin and i think i can make it work08:47
jamielennoxit may or may not be worth making it it's own repo but i think either way i will want to keep the split08:47
jamielennoxif nothing else it will allow multiple named ways of loading the same plugin08:47
jamielennoxfor example we could have 3 types of 'password' plugin that took different options, like read this from a file, or somewhere08:48
jamielennoxbut underneath they all load the same plugin object with those values it has discovered08:48
jamielennoxso we can do complex parsing that way08:49
marekdjamielennox: do you have something on gerrit ?08:49
jamielennox--os-auth-plugin k2kcomplex --os-innerplugin password --os-username XX ... --os-inner-plugin password --os-username YY or some such and parse them in order08:49
jamielennoxmarekd: not yet08:49
jamielennoxmarekd: still trying to make tests work and then see how it relates to existing keystoneclient08:50
jamielennoxbut i think i can handle that08:50
marekdfur sure08:50
jamielennoxi *think* it will give me a way to remove oslo.config as well08:50
marekdjamielennox: i wonder how you want to handle env variables08:51
jamielennoxmarekd: i've got no idea08:51
marekdjamielennox: right now you rely on position and order of the attributes.08:51
jamielennoxi think maybe we just don't for that case08:51
marekdjamielennox: makes names static_dynamic08:52
jamielennoxwe find some way to utilize OCC such that it knows how to handle mutliple plugins in yaml08:52
jamielennoxand we just say you have to do it that way08:52
jamielennoxhmm, even that i'm not sure because it mixes in env variables08:52
marekdjamielennox: you know...i might accept keeping my passwd in my env but surely i don't want to put it everytime in comandline...08:52
marekdso saying 'no' to env is probably wrong and will make people frustrated08:53
jamielennoxmarekd: yea, i still want to keyring it at some point08:53
jamielennoxmarekd: ok, selective env, you can just do the basic options because you will never need to specify 'password' twice08:53
jamielennoxafter the first cloud it's always token handling08:53
marekdjamielennox: i wsa rather thinking about labeling plugins....08:54
marekdosc --os-auth-plugin=password --label=plugin108:54
jamielennoxmarekd: we can have plugins that work in different ways :)08:54
marekdand have OS_PROJECT_PLUGIN1=skdfs08:54
jamielennoxmarekd: that seems statefull?08:54
marekdyou mean?08:55
* marekd be back in 5 minutes08:56
jamielennoxare you saying that you somehow have osc store this information?08:56
marekdjamielennox: no08:56
jamielennoxlike you preload it with auth information in seperate calls - and then at the end you retrieve it all08:56
*** amaretskiy has joined #openstack-keystone08:57
marekdjamielennox: i might miss some dependency here but rather wanted OSC to label a plugin with and later load options from env with that label in the name...08:57
marekdopenstack --os-auth-plugin=password --label=passwd1 list servers08:57
marekdand env var for that plugin would be called OS_PROJECT_NAME_PASSWD108:57
marekdosc would look for *_PASSWD108:58
marekdi know that is not the smartest idea, but...08:58
marekdmaybe it's something.08:58
jamielennoxcould work08:58
jamielennoxas mentioned we can do plugins in a number of different ways and try it out08:59
jamielennoxi'm certainly willing to give it a try09:00
openstackgerritMerged openstack/keystone: Imported Translations from Transifex
*** lhcheng_ has quit IRC09:04
marekdjamielennox: morganfainberg it's acceptable to +A it, right?09:07
jamielennoxmarekd: which?09:07
marekdjamielennox: hah, sorry:
jamielennoxmarekd: yea09:07
marekdso it approved now.09:08
jamielennoxso it begins09:08
*** dguerri` is now known as dguerri09:08
marekduntil when are you today working?09:08
jamielennoxme? i'll probably sneak a little more in later but not much09:10
evrardjpgood morning09:10
jamielennoxmarekd: i'm in perth (australia west coast) so it's just gone 5:10 here09:10
jamielennoxwhich is why i've been around the last few days09:10
marekdjamielennox: yes, i know you are on aus west coast, just didnt bother to check what time is there and when do you plan to end your shift....09:11
lifelessjamielennox: I thought you lived in syd?09:11
marekdi think.09:11
lifelessmarekd: that was then09:11
jamielennoxsydney - but that's east09:11
jamielennoxlifeless: just for a week or two09:11
jamielennoxthe in-laws are here09:11
marekdjamielennox: you moved to syd?09:12
lifelessjamielennox: nice, lovely area09:12
jamielennoxmarekd: yea, start of the year09:12
marekdjamielennox: oh, didn't know that09:12
jamielennoxlifeless: it's sooo much warmer09:12
marekdjamielennox: so what are the temps there09:13
lifelessjamielennox: he says, speaking to the person that left syd cause it was too hot :)09:13
jamielennoxwe've been getting around 2009:13
jamielennoxit's more that sydney has been horrible09:13
jamielennoxhowever once finished here we're going to visit some people in canberra and bathurst - that's going to be cold09:14
jamielennoxcanberra mins have been around -4 the last week or so09:14
jamielennoxi got too used to brisbane for that sort of weather09:15
marekdjamielennox: ok, so it's 20 but it's almost winter, right?09:18
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation
*** dims_ has joined #openstack-keystone09:44
*** kiran-r is now known as kiran-r|afk09:46
*** kiran-r|afk is now known as kiran-r09:46
*** dims has quit IRC09:47
*** e0ne has joined #openstack-keystone09:47
*** e0ne is now known as e0ne_09:54
*** amakarov has joined #openstack-keystone09:54
*** Daviey has quit IRC09:55
*** Daviey has joined #openstack-keystone09:55
*** e0ne_ has quit IRC10:00
*** varya has quit IRC10:01
*** e0ne has joined #openstack-keystone10:01
*** markvoelker has joined #openstack-keystone10:05
*** markvoelker has quit IRC10:10
*** ajayaa has quit IRC10:12
*** ajayaa has joined #openstack-keystone10:16
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator
*** e0ne is now known as e0ne_10:33
*** e0ne_ is now known as e0ne10:34
samueldmqhi, morning10:46
*** noye has quit IRC10:54
samueldmqmorganfainberg, hi, you around ?10:55
samueldmqmorganfainberg, I had a discussion yesterday with operator99 (gyee) about the fetching policy by endpoint in middleware10:56
samueldmqmorganfainberg, I'd like to have your view on that, since it was you who proposed to fetch them by endpoint_url10:56
*** mabrams has left #openstack-keystone10:57
morganfainbergplease please use the endpoint_url as the id10:57
samueldmqmorganfainberg, great10:58
samueldmqmorganfainberg, basically, an URL does not uniquely identify an endpoint10:58
morganfainbergdon't use uuids they are awful ux10:58
morganfainbergit uniquely identifies a set of endpoints10:58
samueldmqmorganfainberg, but as we allow the association of a policy per endpoint_id10:58
morganfainbergeach endpoint should be the same, if things are different behind an HAProxy it's broken10:58
morganfainbergno we should remove that10:58
morganfainbergthat should go away10:58
samueldmqmorganfainberg, what do I do in the case I get multiple policies from a given url ?10:58
morganfainbergok first off, the substitution stuff and per-project policy needs to be set aside10:59
morganfainbergwe aren't doing per-project10:59
morganfainbergnot today, and definitely not tomorrow, maybe down the line10:59
samueldmqmorganfainberg, ok so we should implement policy per URL, right ?10:59
morganfainbergit doesn't change that the endpoint itself can't really have a separate policy10:59
morganfainbergif it's got the same URL as a similar/neighbor behind like haproxy11:00
morganfainbergurl = host + URI in this case [to be clear]11:00
samueldmqbut can we assume they are behind a HAproxy ? shouldn't we still provide this flexibitiy ?11:00
morganfainbergi'm of the opinion we make it too flexible it is unusable11:00
samueldmqthough in the case nobody uses, there is no need to maintain11:00
morganfainbergstart with less flexible move to more usable11:01
morganfainbergerm more flexible11:01
samueldmqyes I agree11:01
morganfainbergas we have use-cases11:01
morganfainbergso start with url11:01
morganfainbergwe also know url apriori (we have to)11:01
samueldmqbut we are already too flexible in the policy binding11:01
morganfainbergsince we have to populate the catalog11:01
morganfainbergno one uses policy from keystone11:01
morganfainbergthey can't11:01
morganfainbergit's broken, awful, and unusable11:01
samueldmqok, so ... I was thinking about 'namespace' policy ..11:02
samueldmqso a namespace may be a url for now11:02
morganfainbergthat i need to put a blob of things in keystone first and get a uuid, then reconfigure the endpoint to use that id11:02
morganfainbergmakes it bad11:02
samueldmqand could be a project, domain, etc in a whille11:02
morganfainbergso my view is the endpoint_url *is* the id11:02
morganfainbergwe also need to not be doing substitution in the catalog11:02
morganfainbergthe clients should know how to do that11:02
morganfainbergit shouldn't require the catalog to be smart11:02
morganfainbergso we should drive that way11:03
morganfainbergif that makes sense11:03
samueldmqk I understood the direction you want to go11:04
samueldmqdid you see the idea on namespace ^ just above ?11:04
morganfainbergwhat is a namespace11:04
morganfainbergexplain what you're solving11:04
morganfainbergbecause i really want to avoid the idea that we overload namespace for things it doesn't help with.11:04
morganfainbergbut if it's a real use case i'm willing to entertain it of course, but knowing what you're trying to do helps.11:05
samueldmqpolicy binding on whatever we want to allow (for now url, in the future domain, project ?)11:05
morganfainbergwaht is policy binding11:05
morganfainbergi'm asking what you are really trying to solve.11:05
samueldmqpolicy association11:05
morganfainbergagain, building flexibility for the sake of flexibility makes the ux worse11:05
morganfainbergbe specific of the use-case11:06
samueldmqok so forget this11:06
morganfainbergnot just an idea11:06
samueldmqwe need to provide a CRUD of policy based on URL11:06
morganfainbergthe way i want to approach things like this is: specific use-case, general use-case, does this still make sense11:06
morganfainbergright we need a CRUD based on url11:06
*** fhubik is now known as fhubik_afk11:06
*** aix has quit IRC11:07
samueldmqI wanted something flexible enough so it would be easy to add policy per url, domain, project, etc11:07
samueldmqso the policy table would be somehting like (service, api, role, scope_constraint)11:07
samueldmqand 'namespace' as a column as well, so we could easily have policies per url, project, domain, etc11:08
samueldmqif that makes sense11:08
samueldmqbut I agree that 'namespace' could be confusing at API level ... and make UX bad (or not, I am just not sure how it would look like)11:09
samueldmqmorganfainberg, ^11:09
samueldmqor we could just have different tables for association ... (policy_id, url)  ,  (policy_id, domain_id) and so on11:12
samueldmqwhich is better since we are not trying to solve the world with something called namespace11:12
*** openstackgerrit has quit IRC11:13
*** openstackgerrit has joined #openstack-keystone11:14
*** varya has joined #openstack-keystone11:19
*** varya has quit IRC11:19
samueldmqmorganfainberg, /policies/<pid>/endpoints/<enpoint_url> .. and if it isn't a UUID, then I assume it is an URL ?11:19
samueldmqmorganfainberg, how could we solve this, since we already have this URL ^ expecting an uuid11:19
openstackgerritMerged openstack/keystone: Add validity check of 'expires_at' in trust creation
morganfainbergSo let's start by throwing out what we have.11:21
*** e0ne is now known as e0ne_11:21
morganfainbergPretend we do not have an api for this or we are doing a new one.11:21
*** markvoelker has joined #openstack-keystone11:21
morganfainbergThat's what I'd start with.11:21
samueldmqmorganfainberg, hmm, sounds like a good approach ... learning time!11:22
samueldmqmorganfainberg, actually I'd not call it /endpoints, since the url doesn't identify an endpoint, and a set of them instead11:24
samueldmqmorganfainberg, but I don't think we have a name for a set of endpoints which are represented by an url11:24
samueldmqmorganfainberg, how would you do it ?11:25
*** markvoelker has quit IRC11:25
openstackgerritJamie Lennox proposed openstack/keystoneauth: Split plugin loading
jamielennoxmorganfainberg: ^11:31
jamielennoxmarked WIP11:32
*** e0ne_ has quit IRC11:32
morganfainbergjamielennox: cool.11:32
*** e0ne has joined #openstack-keystone11:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Remove services with no endpoints from catalog
*** radez_g0n3 is now known as radez11:40
jamielennoxmorganfainberg: with PKI we don't cache or otherwise decrypt it on the server side do we?11:53
jamielennoxit's purely read by ID from the database11:54
jamielennoxwould it cause issues if i fixed that?11:54
*** viktors has joined #openstack-keystone11:56
*** markvoelker has joined #openstack-keystone11:56
viktorslbragstad: hi!11:58
morganfainbergjamielennox: hmm?11:59
morganfainbergOh we read from the db. Because we have the short hash token.11:59
morganfainbergSince pki and UUID should be interoperable.12:00
morganfainbergAccording to the specification12:00
jamielennoxmorganfainberg: so i'm looking at auth_token in front of keysotne12:01
jamielennoxand what level of refinement we need to provide12:01
jamielennoxand ideally auth_token would handle decrytping PKI tokens the same way on both sides12:01
jamielennoxbut that's not really what we do now and i'm wondering if the change would be a problem12:02
openstackgerritMarek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities
*** iamjarvo has joined #openstack-keystone12:03
*** jdennis has joined #openstack-keystone12:08
*** jdennis has quit IRC12:08
*** aix has joined #openstack-keystone12:09
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation
*** afaranha has joined #openstack-keystone12:13
*** afaranha has left #openstack-keystone12:13
*** fhubik_afk is now known as fhubik12:13
marekdlbragstad: i have something for you:
marekdmorganfainberg: can we change the repo name from python-keystoneclient-saml2 (not released) to keystoneauth-saml2  (instead of python-keystoneauth-saml2) ?12:29
morganfainbergSure. Need to ask infra really really nicely.12:31
morganfainbergAnd check with jamielennox12:31
jamielennoxmarekd: should be fine12:31
marekdjamielennox: morganfainberg ok, so i am pushing the patch and preparing my anthem for infra :-)12:31
morganfainbergjamielennox: it would t be a huge problem. Just make sure to support the UUID mode of pki validation.12:31
morganfainbergmarekd: and link me the review so I can +1 it12:32
marekdof course.12:32
jamielennoxmorganfainberg: i think i can do it in smaller increments12:32
jamielennoxmorganfainberg: as in i think i can change around how i'm writing it and we can figure out those changes later12:33
morganfainbergjamielennox: you still will need the UUID validation of pki tokens but yes.12:33
jamielennoxmorganfainberg: but like it's dumb that we cache PKI tokens at all12:34
morganfainbergBecause of UUID validation.12:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** dsirrine has joined #openstack-keystone12:36
marekd /cc morganfainberg  jamielennox12:39
*** fhubik is now known as fhubik_afk12:39
*** fhubik_afk is now known as fhubik12:40
viktorslbragstad: around?12:40
*** jdennis has joined #openstack-keystone12:42
*** davechen has quit IRC12:43
*** davechen has joined #openstack-keystone12:43
*** jdennis has quit IRC12:45
*** jdennis has joined #openstack-keystone12:45
*** woodster_ has joined #openstack-keystone12:51
*** fifieldt has quit IRC12:53
lbragstadviktors: o/12:55
lbragstadviktors: I am now12:55
*** tobe has quit IRC12:55
*** tobe has joined #openstack-keystone12:57
*** bknudson has joined #openstack-keystone12:57
*** ChanServ sets mode: +v bknudson12:57
*** ajayaa has quit IRC12:58
*** ajayaa has joined #openstack-keystone12:59
*** fhubik is now known as fhubik_afk13:00
*** fhubik_afk is now known as fhubik13:01
*** ajayaa has quit IRC13:01
*** tobe has quit IRC13:02
*** josecastroleon has quit IRC13:05
marekdmorganfainberg: jamielennox :
marekdjamielennox: allright, how do i proceed with ? I need to wait for infra to actually create/rename python-keystoneclient-saml2 to keystoneauth-saml2 so i can really clone it and play with the content ?13:10
*** zzzeek has joined #openstack-keystone13:21
amakarovmorganfainberg, hi! Tell me please, who can provide me an invitation letter to get visa? If I our US office issue this letter for me then I'll have to go to Boston through LA :)13:23
amakarovs/If I/If/13:23
*** fhubik is now known as fhubik_afk13:23
morganfainbergamakarov: for? The midcycle?13:24
amakarovmorganfainberg, yes13:24
viktorslbragstad: hi! I would like to clarify some details, regarding your yesterdays reviews.13:25
morganfainbergHow soon do you need it?13:25
*** richm has joined #openstack-keystone13:25
lbragstadviktors: sure!13:25
morganfainbergamakarov: I can ask Lauren Sell about it.13:25
amakarovmorganfainberg, next week, I guess... I don't think visa takes a full month to issue13:26
viktorslbragstad: as for `find a way to test` database state - it this task an actual at the moment?13:27
lbragstadviktors: this is regarding the change to update to the InnoDB engine, right?13:28
viktorslbragstad: yes13:29
lbragstadI was just curious if we could test it so that we don't have regression in the future, and reintroduce the bug13:29
viktorslbragstad: I've tried to make a test for synk sql-db state and model description, but this patch wasn't reviewed for a long time (13:30
viktorslbragstad: this one -
*** radez is now known as radez_g0n313:31
lbragstadviktors: looks like it's having some issues passing Jenkins,13:31
lbragstadI can try and take a look at it today13:31
*** krykowski has quit IRC13:31
*** HT_sergio has joined #openstack-keystone13:32
viktorslbragstad: I can rebase it and fix to satisfy Jenkins, but the only I want to ask - is to review it sometime )13:33
lbragstadviktors: I'll add it to my review queue for today :)13:33
viktorslbragstad: thanks! Will wait for your feedback and rebase then. :)13:34
lbragstadviktors: if you want to rebase it before hand, go for it.13:34
*** jaosorior has quit IRC13:35
viktorslbragstad: i'm not sure, that I will have time for it today, but I'll work on this patch tomorrow13:37
lbragstadviktors: sounds good13:37
*** jaosorior has joined #openstack-keystone13:50
*** fangzhou has joined #openstack-keystone14:04
*** sigmavirus24_awa is now known as sigmavirus2414:10
*** browne has joined #openstack-keystone14:16
*** fhubik_afk is now known as fhubik14:21
openstackgerritDarren Hague proposed openstack/keystone-specs: v3 credentials project_id is not optional for type=ec2
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs
*** timcline has joined #openstack-keystone14:31
*** fhubik is now known as fhubik_afk14:34
*** e0ne is now known as e0ne_14:34
*** ayoung has joined #openstack-keystone14:36
*** ChanServ sets mode: +v ayoung14:36
*** kiran-r has quit IRC14:44
*** e0ne_ has quit IRC14:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching
*** fhubik_afk is now known as fhubik14:53
*** browne has quit IRC14:58
*** dims_ has quit IRC15:02
*** dims has joined #openstack-keystone15:02
*** geoffarnold has quit IRC15:03
*** thedodd has joined #openstack-keystone15:04
*** fhubik is now known as fhubik_afk15:07
*** fangzhou has quit IRC15:12
*** zzzeek has quit IRC15:13
*** dguerri is now known as dguerri`15:13
*** jistr is now known as jistr|mtg15:17
*** fhubik_afk is now known as fhubik15:24
*** lufix has quit IRC15:33
*** jistr|mtg is now known as jistr15:35
*** hemnafk is now known as hemna15:40
*** afazekas has quit IRC15:45
*** browne has joined #openstack-keystone15:45
*** arunkant_ has joined #openstack-keystone15:45
*** fhubik has quit IRC15:52
*** geoffarnold has joined #openstack-keystone15:57
*** Nikkau has quit IRC16:10
*** radez_g0n3 is now known as radez16:10
*** kiran-r has joined #openstack-keystone16:10
*** _cjones_ has joined #openstack-keystone16:15
*** lufix has joined #openstack-keystone16:17
*** kiran-r has quit IRC16:22
*** davechen has quit IRC16:25
*** davechen has joined #openstack-keystone16:25
*** amaretskiy has quit IRC16:25
*** lufix has quit IRC16:26
*** e0ne has joined #openstack-keystone16:27
*** r-daneel has joined #openstack-keystone16:27
*** roxanaghe has joined #openstack-keystone16:37
*** Ephur has joined #openstack-keystone16:38
*** lhcheng has joined #openstack-keystone16:48
*** ChanServ sets mode: +v lhcheng16:48
*** ayoung has quit IRC16:54
*** stevemar has joined #openstack-keystone16:54
*** ChanServ sets mode: +v stevemar16:54
*** fangzhou has joined #openstack-keystone16:59
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag
*** RichardRaseley has joined #openstack-keystone17:08
*** ankita_wagh has joined #openstack-keystone17:09
*** e0ne has quit IRC17:09
*** amakarov is now known as amakarov_away17:10
*** spandhe has joined #openstack-keystone17:13
*** ayoung has joined #openstack-keystone17:19
*** ChanServ sets mode: +v ayoung17:19
*** RichardRaseley has left #openstack-keystone17:21
samueldmqayoung, hi, do you have some time to discuss dynamic policies roadmap, meeting time, etc?17:21
ayoungsamueldmq, yeah...did you see what I just posted to the mailing list?17:22
samueldmqdiscuss about*17:22
samueldmqayoung, no, going to check now17:22
david8huayoung, I see the evolution17:22
ayoungsamueldmq, please do.  We need buy in from the other teams, or this is going to go no-where, and that is an attempt to get there.17:23
ayoungdavid8hu, yeah...hard to track all the different things that have gone in to getting here...17:23
david8hu@ayoung, maybe we should go to other team's mid cycle meetup as well :)17:23
ayoungdavid8hu, heh...only ifI don't have to travel17:24
ayoungdavid8hu, you coming to the Keystone midcycle?17:24
*** iamjarvo has quit IRC17:24
*** pnavarro_ has quit IRC17:24
david8huayoung, I need to be there.  Have not gotten approval yet.17:24
samueldmqayoung, just saw that17:24
samueldmqayoung, david8hu what I want to define is the next steps ... we need to:17:25
samueldmqi) have agreement on the roadmap with other services17:25
samueldmqii) define the scope for Liberty17:26
samueldmqotherwise, we won't get this stuff in L, or in the best case just a little part of it (possibly not used by every service)17:26
samueldmqayoung, makes sense ?17:26
samueldmqayoung, great, I just created this17:27
david8husamueldmq,  agreed.  bulk of it is still eveolving.17:27
samueldmqayoung, as an start point to define the roadmap, I am also looking at the existing meetings17:27
samueldmqto try to find time for our dynamic policy meeting17:27
samueldmqI am looking at
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint
samueldmq(actually I loaded that into google calendar, that is not human readable as it is)17:28
samueldmqlooks like any day between 11:00 and 14:00 UTC would have free slots17:29
ayoungsamueldmq, lets get the list of specs up there17:30
*** ankita_wagh has joined #openstack-keystone17:31
samueldmqayoung, ok I will associate that with the points I've defined in the roadmap, if you agree on them17:31
samueldmqayoung, in that roadmap points, I am not talking about how to implement them *at all*17:32
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table
samueldmqayoung, it just define the directions, so it will be easier to start a cross-project understanding and agreement17:32
ayoungsamueldmq, but, this is essentially the same thing as the think we should move over?17:32
*** pnavarro_ has joined #openstack-keystone17:33
samueldmqayoung, maybe .. at least etherpad will be better for cross-project collaboration/discussions/action points17:33
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Remove domain table references
*** zzzeek has joined #openstack-keystone17:33
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table
samueldmqayoung, please check if you agree with the points defined at the main roadmap items: 'Out-of-band policy management' and 'Better delegation'17:35
*** jistr has quit IRC17:35
samueldmqayoung, let's start breaking those things in a high level ot have agreement on the ideas, after then we go to implementation17:35
openstackgerritKevin Fox proposed openstack/keystone-specs: Unscoped Service Catalog
samueldmqayoung, that's why I am trying to do, hope you agree in such approach17:35
samueldmqayoung, roadmap maps to our overview spec17:36
*** kfox1111 has joined #openstack-keystone17:37
samueldmqayoung, after agreement in the meeting, we get overview spec merged and then start looking at individual specs (implementation details)17:37
*** rlt has quit IRC17:38
ayoungsamueldmq, lets keep this on Trello...too many tools, and I have the Kent folks engaged over there17:43
samueldmqayoung, I am not wanting to stop our trello thing17:44
ayoungsamueldmq, lets not split it then17:44
samueldmqayoung, I am just summarizing the needed content to be discussed in the meeting17:44
ayoungput what you need in trello17:45
samueldmqayoung, I am not sure trello is good to define the overview ... though it is good to do the implementation tracking17:45
ayoungsamueldmq, then put an overcard on there and put it in there17:46
samueldmqayoung, and we copy-paste from there at meeting time ? not sure trello is adequate to the cross-project discussions17:46
ayoungsamueldmq, it will do fine17:47
samueldmqayoung, I will add a list called Roadmap17:48
samueldmqayoung, and that defines the roadmap specification, without implemnetation details17:48
samueldmqayoung, as I've defined in the pad, ok?17:48
david8husamueldmq, I see a roadmap card show up instantly17:50
samueldmqdavid8hu, a new list ? I just created it17:50
david8husamueldmq, :)  I think I saw the one you created17:51
*** iamjarvo has joined #openstack-keystone17:51
samueldmqdavid8hu, nice :)17:51
*** iamjarvo has quit IRC17:51
*** iamjarvo has joined #openstack-keystone17:52
*** iamjarvo has quit IRC17:52
samueldmqayoung, done17:56
ayoungsamueldmq, thanks17:57
samueldmqayoung, np ... let me know if you agree with what is in those cards17:57
ayoungsamueldmq, looking now17:57
samueldmqayoung, and if it's complete/correct17:57
ayoungsamueldmq, nothing you wrote there is wrong.17:58
samueldmqayoung, and contains, in a high-level, everything we are going to address, right ?17:59
samueldmqayoung, first meeting we will i) agree on that with others, ii) get the overview spec approved, and iii) define scope for L18:00
*** hemna is now known as hemnafk18:01
ayoungsamueldmq, there are cards already for most of your line items.18:02
roxanaghedstanek, do you want me to try to address the feedback from the review of ?18:02
samueldmqayoung, and that's great, since the specific cards map what is in the roadmap18:03
samueldmqayoung, as individual specs map to what is in hte overview one18:03
samueldmqif that makes sense18:03
*** sigmavirus24 is now known as sigmavirus24_awa18:19
*** ankita_wagh has quit IRC18:20
*** ankita_wagh has joined #openstack-keystone18:24
dstanekroxanaghe: i started to address them - i'll push up what i have in a few and then we can see what's left18:25
*** spandhe has quit IRC18:26
*** spandhe has joined #openstack-keystone18:29
*** operator99 has quit IRC18:32
*** iamjarvo has joined #openstack-keystone18:32
*** iamjarvo has quit IRC18:33
*** iamjarvo has joined #openstack-keystone18:33
*** iamjarvo has quit IRC18:33
*** iamjarvo has joined #openstack-keystone18:35
*** iamjarvo has quit IRC18:35
*** csoukup has joined #openstack-keystone18:41
*** gyee has joined #openstack-keystone18:41
*** ChanServ sets mode: +v gyee18:41
*** hemnafk is now known as hemna18:43
*** ayoung has quit IRC18:49
*** aix has quit IRC18:49
*** e0ne has joined #openstack-keystone18:51
*** e0ne is now known as e0ne_18:51
*** dsirrine has quit IRC18:51
*** e0ne_ is now known as e0ne18:53
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table
*** e0ne is now known as e0ne_19:00
stevemari found ayoungs equivalent at cloud identity summit19:01
*** greghaynes has quit IRC19:05
*** greghaynes has joined #openstack-keystone19:06
*** jdennis has quit IRC19:08
*** jdennis has joined #openstack-keystone19:09
*** stevemar has quit IRC19:12
*** cuddyt has joined #openstack-keystone19:24
*** dsirrine has joined #openstack-keystone19:34
*** e0ne_ is now known as e0ne19:35
*** stevemar has joined #openstack-keystone19:40
*** ChanServ sets mode: +v stevemar19:40
htrutastevemar: is it supposed to be a good thing?19:42
samueldmqhtruta, I guess at very least it is expected to be someone with a lot of energy :)19:43
*** hemna is now known as hemnafood19:44
*** dguerri` is now known as dguerri19:44
*** jaosorior has quit IRC19:45
htrutahey guys, in case you haven't seen in the ML, raildo sent an email with the etherpad describing the options of getting a project scoped token after reseller19:45
htrutathis is the etherpad:
htrutain case you have any questions, we have until keystone meeting on tuesday to discuss, improve and maybe add alternatives19:48
*** dguerri is now known as dguerri`19:49
stevemarhtruta, it's a fun thing :)19:55
openstackgerritBrant Knudson proposed openstack/keystone: Fix tests failing on slower system
htrutastevemar: hehe20:00
*** lhcheng_ has joined #openstack-keystone20:05
*** lhcheng has quit IRC20:08
*** HT_sergio has quit IRC20:08
*** spandhe has quit IRC20:27
*** spandhe has joined #openstack-keystone20:28
*** spandhe has quit IRC20:28
*** stevemar has quit IRC20:30
*** radez is now known as radez_g0n320:38
*** dguerri` is now known as dguerri20:39
*** bknudson has quit IRC20:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Remove domain table references
*** e0ne has quit IRC20:54
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains
*** raildo has quit IRC21:04
-openstackstatus- NOTICE: Gerrit has been restarted to terminate a persistent looping third-party CI bot21:07
*** thedodd has quit IRC21:08
*** ayoung has joined #openstack-keystone21:09
*** ChanServ sets mode: +v ayoung21:09
*** sbfox has joined #openstack-keystone21:09
roxanaghedstanek, ok - thanks21:09
sbfoxHi all, I have a question I cant find the answer to. Can I mix mysql (for admin and services) identity and LDAP (users etc) identity?21:12
*** timcline has quit IRC21:12
brad[]sbfox: Yes you can21:13
sbfoxGreat! that'll keep my boss happy :) do you happen to have a doc/howto I could follow?21:14
brad[]sbfox: I'm in the late stages of research on the topic myself, but tbh ayoung's blog was the best starting point for me21:16
ayoungsbfox, coun't a said it better myself21:16
sbfoxFab, thanks for the links21:17
ayoungsbfox, the later the openstack version, the better it works21:17
sbfoxIm on Juno21:17
ayoungsbfox, should be good enough21:18
ayoungI figured brad[] was topol.   But in python that would be (brad)21:18
ayoungor is that (brad,)21:18
ayoungactually, I guess brad(,)21:19
*** hemnafood is now known as hemna21:21
*** dguerri is now known as dguerri`21:21
brad[]fortunately it's not lisp (brad() ))))))))21:22
*** geoffarnold has quit IRC21:22
sbfoxSo (if im reading this correctly), users are separated into a domain with the ldap identity driver?21:23
sbfoxIs the domain name arbitrary?21:23
*** spandhe has joined #openstack-keystone21:30
*** ayoung has quit IRC21:33
*** spandhe_ has joined #openstack-keystone21:35
*** spandhe has quit IRC21:37
*** spandhe_ is now known as spandhe21:37
*** dims_ has joined #openstack-keystone21:44
*** dims has quit IRC21:46
*** bknudson has joined #openstack-keystone21:47
*** ChanServ sets mode: +v bknudson21:47
*** pnavarro_ has quit IRC21:51
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable listing of role assignments in a project hierarchy
*** RichardRaseley has joined #openstack-keystone22:20
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor use auth_ref.version rather than _token_is_v*
*** ayoung has joined #openstack-keystone22:22
*** ChanServ sets mode: +v ayoung22:22
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor TokenCache store takes auth_ref
*** RichardRaseley has quit IRC22:32
*** csoukup has quit IRC22:43
*** geoffarnold has joined #openstack-keystone22:49
*** drjones has joined #openstack-keystone22:53
*** _cjones_ has quit IRC22:54
*** _cjones_ has joined #openstack-keystone22:54
*** dsirrine has quit IRC22:56
*** geoffarnold has quit IRC22:57
*** drjones has quit IRC22:57
*** lhcheng_ has quit IRC22:58
*** lhcheng has joined #openstack-keystone22:58
*** ChanServ sets mode: +v lhcheng22:58
*** geoffarnold has joined #openstack-keystone22:59
*** lhcheng has quit IRC23:02
*** zzzeek has quit IRC23:05
*** cuddyt has quit IRC23:06
*** ayoung has quit IRC23:07
*** markvoelker has quit IRC23:11
*** geoffarnold has quit IRC23:14
*** geoffarnold has joined #openstack-keystone23:14
*** zzzeek has joined #openstack-keystone23:15
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor extract method for offline validation
*** roxanaghe has quit IRC23:34
*** sbfox has quit IRC23:35
*** chlong has joined #openstack-keystone23:35
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reuse token_ref fetched in AuthContextMiddleware.
*** sigmavirus24_awa is now known as sigmavirus2423:39
*** hemna is now known as hemnafk23:45
*** ankita_wagh has quit IRC23:52
*** zzzeek has quit IRC23:52
*** ankita_wagh has joined #openstack-keystone23:54
*** lhcheng has joined #openstack-keystone23:56
*** ChanServ sets mode: +v lhcheng23:56

Generated by 2.14.0 by Marius Gedminas - find it at!