Monday, 2015-06-22

00:01 *** markvoelker has joined #openstack-keystone
00:05 *** markvoelker has quit IRC
00:22 *** bradjones has quit IRC
00:23 *** bradjones has joined #openstack-keystone
00:23 *** bradjones has quit IRC
00:23 *** bradjones has joined #openstack-keystone
00:33 *** diazjf has joined #openstack-keystone
00:39 *** dimsum__ has quit IRC
00:41 *** dimsum__ has joined #openstack-keystone
00:50 *** dims_ has joined #openstack-keystone
00:50 *** dimsum__ has quit IRC
00:57 *** diazjf has quit IRC
01:13 *** charlesw has joined #openstack-keystone
01:16 *** browne has joined #openstack-keystone
01:17 *** vilobhmm has joined #openstack-keystone
01:17 *** dimsum__ has joined #openstack-keystone
01:17 *** dims_ has quit IRC
01:31 *** davechen has joined #openstack-keystone
01:40 *** dims_ has joined #openstack-keystone
01:41 *** dimsum__ has quit IRC
01:46 *** diazjf has joined #openstack-keystone
01:48 *** ncoghlan has joined #openstack-keystone
01:50 *** markvoelker has joined #openstack-keystone
01:55 *** markvoelker has quit IRC
01:57 *** stevemar has joined #openstack-keystone
01:57 *** ChanServ sets mode: +v stevemar
01:59 <davechen> samueldmq: ping?
02:06 *** linkedinyou has quit IRC
02:10 *** woodster_ has joined #openstack-keystone
03:01 *** iamjarvo has joined #openstack-keystone
03:05 *** vilobhmm has quit IRC
03:16 *** rm_work is now known as rm_work|away
03:32 *** charlesw has quit IRC
03:38 *** markvoelker has joined #openstack-keystone
03:40 *** dims_ has quit IRC
03:43 *** markvoelker has quit IRC
03:44 *** mestery has joined #openstack-keystone
03:57 *** charlesw has joined #openstack-keystone
03:59 *** electrichead has quit IRC
04:09 *** iamjarvo has quit IRC
04:15 *** charlesw has quit IRC
04:16 *** redrobot has joined #openstack-keystone
04:16 *** redrobot is now known as Guest47789
04:28 *** Guest47789 has quit IRC
04:39 *** spandhe has joined #openstack-keystone
04:41 *** dimsum__ has joined #openstack-keystone
04:43 *** iamjarvo has joined #openstack-keystone
04:46 *** dimsum__ has quit IRC
04:54 *** mestery has quit IRC
04:56 *** vilobhmm has joined #openstack-keystone
05:04 *** diazjf has quit IRC
05:05 *** vilobhmm has quit IRC
05:08 *** vilobhmm has joined #openstack-keystone
05:10 *** iamjarvo has quit IRC
05:10 *** vilobhmm has quit IRC
05:12 *** vilobhmm has joined #openstack-keystone
05:12 *** vilobhmm has quit IRC
05:19 *** stevemar has quit IRC
05:21 *** iamjarvo has joined #openstack-keystone
05:27 *** markvoelker has joined #openstack-keystone
05:27 *** rushiagr_away is now known as rushiagr
05:30 *** davechen has quit IRC
05:32 *** markvoelker has quit IRC
05:33 *** kiran-r has joined #openstack-keystone
05:35 *** richm has quit IRC
05:44 *** mabrams has joined #openstack-keystone
05:56 *** spandhe has quit IRC
05:56 *** spandhe has joined #openstack-keystone
06:10 *** belmoreira has joined #openstack-keystone
06:13 *** spandhe has quit IRC
06:18 *** iamjarvo has quit IRC
06:19 *** browne has quit IRC
06:27 *** ihrachyshka has joined #openstack-keystone
06:49 *** ihrachyshka has quit IRC
06:57 *** rlt has joined #openstack-keystone
07:16 *** markvoelker has joined #openstack-keystone
07:21 *** markvoelker has quit IRC
07:21 *** pnavarro has joined #openstack-keystone
07:23 *** Guest87092 has quit IRC
07:24 *** d0ugal has joined #openstack-keystone
07:24 *** d0ugal is now known as Guest14875
07:25 *** Guest14875 is now known as d0ugal
07:25 *** d0ugal has quit IRC
07:25 *** d0ugal has joined #openstack-keystone
07:26 <openstackgerrit> henry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/193543
07:31 *** dguerri` is now known as dguerri
07:31 *** afazekas has joined #openstack-keystone
07:35 *** dguerri is now known as dguerri`
07:37 *** rlt has quit IRC
07:39 *** chlong has quit IRC
07:40 *** rlt has joined #openstack-keystone
07:43 *** bradjones has quit IRC
07:45 *** bradjones has joined #openstack-keystone
07:45 *** bradjones has quit IRC
07:45 *** bradjones has joined #openstack-keystone
07:47 *** vg_ has joined #openstack-keystone
07:48 <openstackgerrit> Merged openstack/keystone-specs: Add spec for decoupling auth from API versions to backlog  https://review.openstack.org/175983
08:01 *** woodster_ has quit IRC
08:02 *** bradjones has quit IRC
08:05 *** e0ne has joined #openstack-keystone
08:08 *** fhubik has joined #openstack-keystone
08:11 *** e0ne has quit IRC
08:14 *** bradjones has joined #openstack-keystone
08:14 *** bradjones has quit IRC
08:14 *** bradjones has joined #openstack-keystone
08:20 *** dguerri` is now known as dguerri
08:21 *** josecastroleon has joined #openstack-keystone
08:22 *** belmoreira has quit IRC
08:27 <openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/194008
08:27 <openstackgerrit> OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/194017
08:27 <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/192386
08:27 <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/192319
08:27 <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient-saml2: Updated from global requirements  https://review.openstack.org/192320
08:36 *** aix has joined #openstack-keystone
08:38 *** bradjones has quit IRC
08:40 *** bradjones has joined #openstack-keystone
08:40 *** bradjones has quit IRC
08:40 *** bradjones has joined #openstack-keystone
08:52 *** amakarov_away is now known as amakarov
08:56 *** marzif has joined #openstack-keystone
09:02 *** linkedinyou has joined #openstack-keystone
09:05 *** markvoelker has joined #openstack-keystone
09:05 *** e0ne has joined #openstack-keystone
09:07 *** belmoreira has joined #openstack-keystone
09:09 *** markvoelker has quit IRC
09:17 *** henrynash has quit IRC
09:19 *** henrynash has joined #openstack-keystone
09:19 *** ChanServ sets mode: +v henrynash
09:20 *** dguerri is now known as dguerri`
09:20 *** dguerri` is now known as dguerri
09:21 *** jaosorior has joined #openstack-keystone
09:22 <openstackgerrit> henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config  https://review.openstack.org/191976
09:22 <openstackgerrit> henry-nash proposed openstack/keystone: Remove unused code in domain config checking  https://review.openstack.org/194057
09:22 *** e0ne is now known as e0ne_
09:22 *** davechen has joined #openstack-keystone
09:23 *** henrynash has quit IRC
09:27 *** e0ne_ is now known as e0ne
09:30 *** ncoghlan has quit IRC
09:50 *** fhubik is now known as fhubik_afk
10:03 *** richm has joined #openstack-keystone
10:10 *** rm_work|away is now known as rm_work
10:12 <vg_> <samueldmq> there ?
10:14 *** dimsum__ has joined #openstack-keystone
10:14 <vg_> <+ayoung> there ?
10:17 *** fhubik_afk is now known as fhubik
10:25 *** jamielennox is now known as jamielennox|away
10:29 *** fhubik is now known as fhubik_afk
10:32 <vg_> hi guys , Keystone v2.0 APIs didn't have the role of domains...
10:32 *** fhubik_afk is now known as fhubik
10:33 <vg_> I have v2.0 working for devstack .....if I have to change the v3 to be used for Identity Service , do i just need to change in stackrc Identity_Service_API =3.0
10:33 <vg_> ?
10:43 *** davechen has quit IRC
10:43 *** jaosorior has quit IRC
10:43 *** d0ugal has quit IRC
10:43 *** kiran-r has quit IRC
10:43 *** gabriel-bezerra has quit IRC
10:43 *** lbragstad has quit IRC
10:43 *** rm_work has quit IRC
10:43 *** Kiall has quit IRC
10:43 *** wasmum has quit IRC
10:43 *** dolphm has quit IRC
10:43 *** _d34dh0r53_ has quit IRC
10:43 *** hockeynut has quit IRC
10:43 *** eglute_s has quit IRC
10:43 *** sigmavirus24_awa has quit IRC
10:43 *** Guest11697 has quit IRC
10:43 *** adam_g has quit IRC
10:43 *** jacorob has quit IRC
10:43 *** gus has quit IRC
10:43 *** zigo has quit IRC
10:43 *** Trozz_ has quit IRC
10:43 *** comstud has quit IRC
10:43 *** comstud has joined #openstack-keystone
10:43 *** gus has joined #openstack-keystone
10:43 *** Trozz_ has joined #openstack-keystone
10:43 *** Kiall has joined #openstack-keystone
10:43 *** kiran-r has joined #openstack-keystone
10:43 *** rm_work has joined #openstack-keystone
10:43 *** d0ugal has joined #openstack-keystone
10:43 *** jacorob has joined #openstack-keystone
10:43 *** adam_g has joined #openstack-keystone
10:43 *** d0ugal is now known as Guest29011
10:43 *** mgagne has joined #openstack-keystone
10:43 *** mgagne is now known as Guest81202
10:43 *** davechen has joined #openstack-keystone
10:43 *** adam_g has quit IRC
10:43 *** adam_g has joined #openstack-keystone
10:44 *** lbragstad has joined #openstack-keystone
10:44 *** hockeynut has joined #openstack-keystone
10:44 *** zigo has joined #openstack-keystone
10:44 *** Guest29011 is now known as d0ugal
10:44 *** d0ugal has quit IRC
10:44 *** d0ugal has joined #openstack-keystone
10:44 *** e0ne is now known as e0ne_
10:44 *** dolphm has joined #openstack-keystone
10:44 *** eglute has joined #openstack-keystone
10:45 *** sigmavirus24_awa has joined #openstack-keystone
10:45 *** d34dh0r53 has joined #openstack-keystone
10:46 *** wasmum has joined #openstack-keystone
10:48 *** dimsum__ is now known as dims
10:48 *** gabriel-bezerra has joined #openstack-keystone
10:51 *** mabrams has quit IRC
10:53 *** dims has quit IRC
10:53 *** fhubik is now known as fhubik_afk
10:53 *** e0ne_ is now known as e0ne
10:53 *** markvoelker has joined #openstack-keystone
10:58 *** fhubik_afk is now known as fhubik
10:58 *** markvoelker has quit IRC
11:04 *** linkedinyou has quit IRC
11:05 *** dims has joined #openstack-keystone
11:05 *** pnavarro is now known as pnavarro|lunch
11:07 *** dguerri is now known as dguerri`
11:08 *** dguerri` is now known as dguerri
11:12 *** davechen1 has joined #openstack-keystone
11:12 <samueldmq> morning
11:14 <samueldmq> vg_: hi, as you noticed, domain is a v3 concept
11:14 *** davechen has quit IRC
11:15 <samueldmq> vg_: we are still working towards having devstack fully compatible with v3 + other services using it properly
11:16 *** daemontool_ has joined #openstack-keystone
11:18 *** marzif has quit IRC
11:28 <vg_> hi <samueldmq> thanks , so in v2.0 API if I have to define the custom role and after adding the rule , how do I test if that works fine ? through command line API tests
11:31 *** fhubik is now known as fhubik_afk
11:31 <samueldmq> vg_: oh that's easy, once you created the role and assigned to someone, i) get a token as that user and ii) with that token, execute an API which is constrained by that role in the policy
11:31 <samueldmq> vg_: makes sense ?
11:32 <vg_> so I have created a role , assigned that role to the user , got the token of the user by simple curl call ...
11:32 <vg_> now how do i test the next step
11:33 <vg_> now to check this user's ability to create new users
11:35 <vg_> hey <samueldmq> can you explain 2nd point through a live call
11:35 <vg_> exact call , how would I make that
11:36 <vg_> i need to know if I use a user token in my API , how would it work through this policy
11:36 <samueldmq> vg_: ok, you want to make that call using curl
11:36 <vg_> yes
11:38 *** daemontool_ has quit IRC
11:39 *** marzif has joined #openstack-keystone
11:39 <samueldmq> vg_: it should be something like 'curl -H "X-Auth-Token:<YOUR_TOKEN>" http://localhost:5000/v2.0/tenants'
11:39 <samueldmq> vg_: where you put your token as the value in the specified header in the request (<YOUR_TOKEN>)
11:40 <vg_> yes
11:40 <vg_> earlier when i used to have project id i used to access projects in my call
11:41 <vg_> I am trying this call though ...just a sec
11:42 *** marzif_ has joined #openstack-keystone
11:48 *** pnavarro|lunch is now known as pnavarro
11:50 *** jdennis has joined #openstack-keystone
11:51 *** HT_sergio has joined #openstack-keystone
11:53 <vg_> curl -H "X-Auth-Token:82104fc385c8486ead81673b0f9f39a8" http://10.157.132.5:5000/v2.0/tenants {"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)",
11:53 <vg_> <samueldmq> still the same..
11:53 <vg_> my rule is below..
11:54 <samueldmq> vg_: how does list_projects look in your policy ?
11:54 *** markvoelker has joined #openstack-keystone
11:55 <vg_> "identity:list_projects": "rule:admin_required",
11:55 <vg_> ohh
11:55 <vg_> ok
11:55 <vg_> changing it..
11:57 <vg_> "identity:get_project": "rule:admin_required or rule:Tenant_Admin",     "identity:list_projects": "rule:admin_required or rule:Tenant_Admin",
11:57 <vg_> no luck..
11:57 <vg_> {"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
11:59 *** markvoelker has quit IRC
11:59 <samueldmq> vg_: list_projects
12:00 <samueldmq> vg_: not get_project
12:00 <samueldmq> vg_: oh sorry you changed that as well
12:00 <samueldmq> vg_: wait .....
12:00 <vg_> yes
12:00 <vg_> ok
12:00 <samueldmq> vg_: rule:Tenant_Admin should be role:Tenant_Admin
12:00 <samueldmq> vg_: that should be role: instead of rule:
12:01 <vg_> nopes it's role:project_admin
12:01 <samueldmq> vg_: rules are what you define inside the policy
12:01 <samueldmq> vg_: unless you have something like "Tenant_Admin":"role:Tenant_Admin" in your policy
12:02 <samueldmq> vg_: would you mind pasting your entire policy at http://paste.openstack.org/
12:02 <samueldmq> vg_: so I could take a better look at
12:02 <samueldmq> it
12:02 <vg_> sure..
12:03 *** markvoelker has joined #openstack-keystone
12:10 *** fhubik_afk is now known as fhubik
12:10 <davechen1> samueldmq, ayoung: hi,
12:10 *** raildo has joined #openstack-keystone
12:10 <davechen1> samueldmq, ayoung, are you there?
12:11 <vg_> <samueldmq> done
12:15 <samueldmq> vg_: please share the link with me :-)
12:15 <samueldmq> davechen1: hi I am here
12:15 <davechen1> samueldmq: morning. :)
12:16 *** davechen1 is now known as davechen
12:16 <openstackgerrit> Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities  https://review.openstack.org/188881
12:16 <davechen> samueldmq: I read the wiki you created for the dynamic policy, it's really cool!
12:17 <davechen> samueldmq: just one simple question.
12:17 <davechen> samueldmq: what's the policy management API? is it incorporated in 'policy by URL'?
12:18 *** e0ne is now known as e0ne_
12:18 <vg_> http://paste.openstack.org/show/JBPdBXSUHVR9FrrUdJJH/
12:18 <vg_> <samueldmq>
12:18 <davechen> samueldmq: I think you didn't mean the CRUD API for the policy, right?
12:18 <davechen> samueldmq: so what's it? just a little curious about it.
12:19 *** e0ne_ is now known as e0ne
12:19 *** HT_sergio has quit IRC
12:22 *** edmondsw has joined #openstack-keystone
12:25 *** chlong has joined #openstack-keystone
12:28 *** chlong has quit IRC
12:29 *** mestery has joined #openstack-keystone
12:31 *** iurygregory has joined #openstack-keystone
12:32 *** tobasco_ is now known as tobasco
12:34 <vg_> <samueldmq> had a look ?
12:38 *** rlt_ has joined #openstack-keystone
12:41 *** rlt has quit IRC
12:42 <samueldmq> vg_: and the user you get a token for has the role project_admin assigned to him/her ?
12:43 <vg_> yep
12:46 <samueldmq> vg_: that's weird
12:47 <samueldmq> vg_: change the api to "" (nothing)
12:47 <samueldmq> vg_: just to make sure it will work
12:48 <vg_> ok trying
12:50 *** dsirrine has joined #openstack-keystone
12:51 *** pnavarro is now known as pnavarro|afk
12:51 <openstackgerrit> Marek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/192671
12:51 *** lufix has joined #openstack-keystone
12:52 *** bradjones has quit IRC
12:52 <vg_> <samueldmq> curl -H "" http://10.157.132.5:5000/v2.0/tenants
12:52 <openstackgerrit> Merged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/194008
12:53 <vg_> no luck ..:(
12:53 <vg_> curl -H "X-Auth-Token:" http://10.157.132.5:5000/v2.0/tenants
12:54 <samueldmq> vg_: oh, you still need to pass the token
12:54 <vg_> yes
12:54 <samueldmq> vg_: I meant "" in the policy
12:54 <samueldmq> vg_: "list_projects":""
12:54 *** bradjones has joined #openstack-keystone
12:54 *** bradjones has quit IRC
12:54 *** bradjones has joined #openstack-keystone
12:55 <vg_> oh ok
12:56 *** gordc has joined #openstack-keystone
12:56 <vg_> "identity:get_project": "",     "identity:list_projects": "",     "identity:list_user_projects": "rule:admin_or_owner",
12:57 <vg_> still no luck after modifying this
12:57 *** radez_g0n3 is now known as radez
12:58 *** e0ne is now known as e0ne_
12:59 *** e0ne_ is now known as e0ne
12:59 <marekd> What was the proper way of reusing an existing token with osc ? OS_TOKEN="my_token_here" OS_AUTH_TYPE=v3token openstack server list?
12:59 <bknudson> marekd: I think you're also going to have to specify the endpoint for the request.
12:59 <bknudson> since you didn't get a new token it doesn't have the catalog
13:00 <bknudson> although why doesn't the plugin fetch the catalog? http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#get-service-catalog
13:00 <marekd> bknudson: exactly, but executing such a command should *only* validate $OS_TOKEN
13:01 *** woodster_ has joined #openstack-keystone
13:01 <marekd> bknudson: it does, the thing is i am testing k2k plugins, and since there is no osc wrapper yet i simply developed my own wrapper, got a token and tried to use it later with OSC.
13:03 <bknudson> I was having some issues with authenticating using openstack CLI / auth plugins and the errors and responses really aren't helpful
13:03 <marekd> bknudson: my error is very clear, i am wondering whether we have a severe bug in keystone or i am doing something wrong..like missing a parameter or something.
13:04 <bknudson> marekd: if the error is clear then why are you asking here if you're doing something wrong?
13:04 <bknudson> what's the error?
13:05 <marekd> bknudson: i get a scoped federated token (via k2k) and try to use it with OS_TOKEN=<token> OS_AUTH_TYPE=v3token openstack image list . I get the error that indicates that plugin wants to map the ephemeral user again.
13:05 *** vg_ has quit IRC
13:07 <bknudson> when I do `openstack --os-token cff5453d74ec402986d4cb9b6831b9c9 user list` it says `Set a username with --os-username, OS_USERNAME, or auth.username`
13:07 <bknudson> but I want to use a token and not a user
13:07 <marekd> bknudson: --os-auth-type=v3token
13:07 <bknudson> then it says to set an os-auth-url.
13:08 <bknudson> when I provide --os-auth-url it says `ERROR: openstack The service catalog is empty.`
13:08 <marekd> bknudson: http://cdn.pasteraw.com/7oluioikgs1ynijjxasgs8tekek7zc3
13:09 <marekd> no the problem is that the roles, role assignments, groups, projects setup is fine.
13:10 *** rushiagr is now known as rushiagr_away
13:11 <bknudson> marekd: I tried running with debug and the output shows that it's trying to get a new token even though I used --os-token.
13:11 <bknudson> that doesn't make sense
13:11 <bknudson> DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 332
13:11 <marekd> bknudson: yeah....
13:11 <bknudson> maybe v3token isn't the right plugin?
13:14 <marekd> bknudson: maybe token_endpoint is the right one here.
13:14 <marekd> i will check.
13:14 <marekd> thanks.
13:15 <bknudson> openstack --os-token cff5453d74ec402986d4cb9b6831b9c9 --os-auth-type token_endpoint --os-url http://localhost:5000/v3 user list
13:15 <bknudson> worked for me.
13:18 <marekd> yep
13:18 <marekd> thanks!
13:21 *** pnavarro|afk is now known as pnavarro
13:22 *** 1JTAAA236 is now known as cloudnull
13:27 *** fhubik is now known as fhubik_afk
13:28 *** jdandrea has joined #openstack-keystone
13:29 <jdandrea> A colleague is lamenting the use of HTTP headers (vs. the JSON response) to return tokens in POST /v3/auth/tokens. Can someone please point me to rationale/info as to why the header is used? (I'm not pro/against here. Just looking for info to share.)
13:30 *** mestery has quit IRC
13:31 <samueldmq> vg_ you then probably does not have a valid token
13:31 <samueldmq> don't
13:31 <jdandrea> Or, as he put it: "Why doesn't the json response to v3/auth/tokens include the actual token that was generated?"
13:32 *** kiran-r has quit IRC
13:35 <openstackgerrit> Marek Denis proposed openstack/keystone: Update federation driver name in documentation  https://review.openstack.org/192706
13:37 *** csoukup has joined #openstack-keystone
13:38 <openstackgerrit> Marek Denis proposed openstack/keystone: Update docs: xmlsec1 required for K2K  https://review.openstack.org/192674
13:41 *** ayoung has joined #openstack-keystone
13:41 *** ChanServ sets mode: +v ayoung
13:42 *** jasondotstar has joined #openstack-keystone
13:42 *** jasondotstar has quit IRC
13:43 *** jasondotstar has joined #openstack-keystone
13:44 *** jasondotstar has quit IRC
13:46 *** jasondotstar has joined #openstack-keystone
13:47 *** zigo has quit IRC
13:49 *** rushiagr_away is now known as rushiagr
13:52 *** r-daneel has joined #openstack-keystone
13:53 <openstackgerrit> Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/188581
13:54 <openstackgerrit> Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities  https://review.openstack.org/188881
13:56 <arif-ali> hi, we are migrating our Juno installation from keystone v2 to v3, we are on the last hurdle (we think) wrt policy.json file, where we get the following error message
13:56 <arif-ali> ERROR: openstack You are not authorized to perform the requested action: identity:list_users (HTTP 403)
13:56 <arif-ali> anyone have any clues where to look on getting this to work?
13:56 *** cbrown2_ocf has joined #openstack-keystone
13:57 *** e0ne is now known as e0ne_
13:57 *** e0ne_ is now known as e0ne
14:02 *** jasondotstar has quit IRC
14:02 *** iamjarvo has joined #openstack-keystone
14:02 <marekd> dstanek: Hi, does my answer (and suggestion) make you happy enough to positively vote on the patch? https://review.openstack.org/#/c/192674/2..3/doc/source/federation/federation.rst
14:03 *** iamjarvo has quit IRC
14:03 *** iamjarvo has joined #openstack-keystone
14:04 <openstackgerrit> Brant Knudson proposed openstack/keystone: Switch to oslo.service  https://review.openstack.org/193732
14:04 *** stevemar has joined #openstack-keystone
14:04 *** ChanServ sets mode: +v stevemar
14:05 *** zigo has joined #openstack-keystone
14:11 <marekd> stevemar: https://review.openstack.org/#/c/134700/ i assume it worked for you? :-)
14:11 *** charlesw has joined #openstack-keystone
14:12 *** sigmavirus24_awa is now known as sigmavirus24
14:22 *** tellesnobrega_ is now known as tellesnobrega
14:26 *** henrynash has joined #openstack-keystone
14:26 *** ChanServ sets mode: +v henrynash
14:31 *** vg_ has joined #openstack-keystone
14:31 <vg_> <samueldmq> sorry i was commuting , I am back do you get anything from my policy.json ?
14:31 *** nkinder has joined #openstack-keystone
14:32 <samueldmq> vg_: so, you changed policy.json to have "list_projects":"" and it still didn't work
14:32 <samueldmq> vg_: I suppose your token isn't valid then
14:32 <vg_> nopes man...
14:32 <vg_> nopes it's correct..
14:33 <vg_> i generated through the curl call...
14:33 <vg_> I can paste you the output...
14:34 <samueldmq> vg_: please paste the whole requests (token + tenant api) and responses
14:35 <samueldmq> ayoung: bknudson henrynash is /tenants available on public api in v2.0 (5000) ?
14:36 *** mfisch` is now known as mfisch
14:36 <bknudson> samueldmq: see the docs: http://developer.openstack.org/api-ref-identity-v2.html
14:36 *** mfisch is now known as Guest82290
14:37 <samueldmq> bknudson: oh thanks, it is
14:37 <bknudson> samueldmq: note that the operation is different on public vs admin api
14:37 <samueldmq> bknudson: I didn't know we had two docs for admin vs public
14:38 <samueldmq> bknudson: thanks, I really don't know that much when we talk about how things worked in v2.0
14:39 *** marzif_ has quit IRC
14:39 <bknudson> you should forget 2.0 and focus on v3.
14:39 <samueldmq> bknudson: yes, in the public it returns only the projects the user has access to
14:39 <samueldmq> bknudson: sure, just trying to help people using v2.0 (cc vg_ :)
14:39 *** marzif_ has joined #openstack-keystone
14:40 <bknudson> the best way to help would be to tell them to use v3.
14:40 <samueldmq> bknudson: yes, once all services are able to talk v3 properly, and devstack works fine with v3 :)
14:40 *** MaxV has joined #openstack-keystone
14:40 <bknudson> ?? services are using /v2.0/tenants ?
14:41 *** jaosorior has joined #openstack-keystone
14:41 <bknudson> I think the v3 equivalent to public v2.0/tenants is /v3/auth/projects
14:41 <MaxV> Hello I am writing some documentation for the openstack-sdk project and I have a question about the /extensions resource
14:41 <samueldmq> bknudson: no, vg_ has a running devstack and is trying some customization around the policies
14:41 <MaxV> I do not find a clear explanation of what the namespace property is
14:42 <samueldmq> bknudson: and he can't use v3 since he still wants to use horizon (so no domain_admin in the policy)
14:42 <MaxV> on keystone documentation it looks like some sort of openstack docs
14:42 <bknudson> samueldmq: this is insane... what does one have to do with the other?
14:42 <samueldmq> bknudson: he is doing some tests around the policy, but he could definitely be using v3 for testing
14:43 <bknudson> I've used v3 with horizon just fine. Horizon doesn't even support domain-scoped tokens as far as I know
14:43 <stevemar> marekd, ping?
14:43 <bknudson> and horizon has no use for them.
14:43 *** HT_sergio has joined #openstack-keystone
14:43 <samueldmq> bknudson: yes he wanted to use domain scoped tokens, which is not supported
14:44 <samueldmq> bknudson: but I agree he could use v3 for testing around the policy, however cannot be using domain_admin anyway
14:44 <marekd> stevemar: hello
14:45 <bknudson> you can use domain admin it's just not going to work in horizon. use the CLI.
14:45 <bknudson> or write your own gui
14:45 <samueldmq> vg_: yes you could be using keystone v3 for your policy tests
14:45 <samueldmq> bknudson: sure
14:46 <samueldmq> vg_: try this http://adam.younglogic.com/2013/09/keystone-v3-api-examples/
14:46 <stevemar> marekd, is my blog confirmation enough for the oidc plugin?
14:47 <samueldmq> bknudson: I missed giving the advice 'do not use v2.0 anymore', thanks
14:47 <raildo> that's why I want to propose project scoped token to project.is_domain=True... just saying :P
14:48 <marekd> stevemar: i think so.
14:48 <samueldmq> bknudson: however ... I am still a bit confused ... how does horizon use v3 tokens if services cannot use them ?
14:48 <samueldmq> bknudson: or does horizon just use the v3 endpoint to get v2 tokens anyway ?
14:49 <bknudson> samueldmq: what services can't use v3 tokens?
14:49 <samueldmq> bknudson: hard-coded format? etc ?
14:49 <bknudson> samueldmq: if you use the v3 API to get a token you get a v3 token, you can't get a v2 token using the v3 API
14:49 <vg_> ok
14:49 <vg_> so how do i convert v2.0 API to 3.0
14:50 <samueldmq> bknudson: I think that's the whole thing on v3 compatibility we've been looking at
14:50 <vg_> i tried changing stackrc for Identity_API to 3.0
14:50 *** kfox1111 has quit IRC
14:50 <samueldmq> bknudson: on that v3 only gate job and jamielennox|away working on the clients, etc
14:50 <bknudson> samueldmq: there are some services that can't get a token using the v3 API.
14:50 <bknudson> samueldmq: but that doesn't mean that you can't use v3 for anything.
14:51 <bknudson> as far as I know every service accepts v3 tokens just fine.
14:51 *** redrobot has joined #openstack-keystone
14:51 *** redrobot is now known as Guest44405
14:51 <samueldmq> bknudson: so providing a v3 token to them will work
14:51 <bknudson> so if you don't disable the v2 api you'll be fine.
14:51 <samueldmq> bknudson: k so the may issue we have may be only the clients
14:51 *** MaxV has quit IRC
14:51 <samueldmq> s/may/main
14:52 *** MaxV has joined #openstack-keystone
14:52 *** fhubik_afk is now known as fhubik
14:52 <bknudson> samueldmq: I think the only issue is the clients.
14:52 <bknudson> so, let's fix that, but don't spread rumors that v3 doesn't work.
14:53 *** browne has joined #openstack-keystone
14:53 *** Guest44405 is now known as redrobot
14:53 <samueldmq> bknudson: yes we're definitely fixing that, and I am all for that, I created that v3-only job to make it happen
14:53 <samueldmq> bknudson: I just thought there were issues with the services themselves
14:53 <bknudson> samueldmq: has that v3-only job shown any issues with the services?
14:54 <samueldmq> bknudson: I didn't say v3 doesn't work to anyone, I said we cannot have domain_admin as other services don't talk about domains
14:54 <bknudson> why would services care about domain_admin?
14:54 <samueldmq> bknudson: horizon managing users + groups ?
14:55 <bknudson> oh, sure. I don't consider horizon a service.
14:55 <bknudson> it's a GUI
14:55 <samueldmq> bknudson: k so the issue I was talking with vg_ was about using horizon and domain_admin
14:55 *** marzif has quit IRC
14:56 <samueldmq> bknudson: I think domain_admins should be able to do anything inside a domain, if the policy is configured that way
14:56 <samueldmq> bknudson: and not sure we can do that today if we can't add domain_id checks in the policies
14:56 *** vg_ has quit IRC
14:56 <samueldmq> bknudson: makes snes ?
14:57 <samueldmq> sense*
14:57 <bknudson> samueldmq: I think that's going to require a lot of work to get the other services to support it.
14:57 <bknudson> and also not sure that it's worth it
14:57 <bknudson> if you can convert a domain-scoped token to a project-scoped one.
14:58 <bknudson> but if the services are just looking at roles then it shouldn't matter if it's a domain token or project token.
14:59 <bknudson> only problem is services tend to have projects embedded in URLs, etc., and enforce that the token must have a project
14:59 <samueldmq> bknudson: yes, but in this case I think it would be needed to check scope, since a domain_admin wouldn't be able to touch instances from a project in another domain
15:00 <henrynash> samueldmq: this is the point of inherited role assignments... if you place an inherited assignment on the top level project, then you get it for all projects in the tree... I think this is how you get rights to everything in a tree, not via a domain scoped token
15:00 *** c_soukup has joined #openstack-keystone
15:00 *** lufix has quit IRC
15:00 <bknudson> can't I get a project-scoped token given a domain-scoped one?
15:00 <samueldmq> henrynash: so a domain_admin shouldn't be able to manage everything inside his/her domain using his domain scoped token
15:01 <samueldmq> henrynash: if the deployer chooses that in his policy ?
15:01 <henrynash> samueldmq: no, I have always objected to that view (and the original v3sample i wrote did not try and do this)
15:02 <samueldmq> henrynash: ok so in this view, other projects definitely do not need to know anything about domains
15:02 <samueldmq> bknudson: ^
15:02 <henrynash> samueldmq: correct
15:02 <bknudson> this seems to be a pretty common use case, where somebody wants to be able to get status for all servers in all projects
15:03 <bknudson> and they're thinking that the solution involves domain-scoped tokens
15:03 *** charlesw has quit IRC
15:03 *** csoukup has quit IRC
15:04 <henrynash> samueldmq: I am hard over now on: a domain is just a special type of project (and only special in that it can hold users and groups), the current domain API should be frozen (and in the end deprecated), if we add is_domain to a project token for a project acting as a domain (as per https://review.openstack.org/#/c/193543/) then we can deprecate domain tokens as well
15:05 *** charlesw has joined #openstack-keystone
15:05 <bknudson> why do we need is_domain in tokens?
15:05 *** kiran-r has joined #openstack-keystone
15:06 <bknudson> do token consumers care if the token is scoped to a domain project?
15:06 *** Tedster has joined #openstack-keystone
15:08 <henrynash> bknudson: if we were to add is_domain=true to tokens issued for projects acting as a domain, then policy files could use that in place of where today they expect domain tokens (you need to provide SOME differentiation in order to stop someone adding roles to a regular project in order to try and give themselves extra powers)
15:08 <henrynash> bknudson: only if you want to restrict operations like add_user, for instance to someone with a token to the project acting as the domain
15:08 <bknudson> henrynash: can I run servers in projects acting as a domain?
15:09 <henrynash> bknudson: we don't prevent it
15:09 <samueldmq> henrynash: yes I see
15:10 <henrynash> bknudson: it would be up to policy files to determine if that should be allowed
15:10 *** c_soukup has quit IRC
15:10 <bknudson> admins might want to stop that I guess. seems like they could do it just as well using role assignments
15:11 *** kiran-r has quit IRC
15:11 <samueldmq> bknudson: henrynash have we ever thought about multi-scoped tokens ?
15:11 <samueldmq> like, gimme a token scoped for projects where I am admin
15:11 <henrynash> samueldmq: do you mean a project and a domain, or multiple projects?
15:12 <samueldmq> henrynash: multiple projects (would be the result of an effective call on an inherited domain role, for example)
15:12 <henrynash> samueldmq: I think token bloat would be the problem
15:12 <bknudson> what does the catalog look like for a multi-scoped token?
15:13 <henrynash> samueldmq: you'd have to have a list of project IDs, each with a list of roles
15:13 <samueldmq> henrynash: yes, and the catalog ? as bknudson asked ..
15:13 <bknudson> seems like OpenStack is complicated enough without adding all these wacky features.
15:14 <marekd> morganfainberg: hello sir, will you find 1 min to +1 this infra patch https://review.openstack.org/#/c/190631/ ?
15:14 <henrynash> samueldmq: this kind of thing also really goes against good security practices... you want bearer tokens to be as limited in scope as possible
15:14 <henrynash> samueldmq: a bearer token that gave me carte blanche to everything in a domain is a scary thing
15:15 <samueldmq> henrynash: bknudson ok fair enough
15:15 <samueldmq> henrynash: however ..
15:16 <samueldmq> henrynash: could a check in the policy like : domain_scoped and inherited role to projects role + this project is part of that domain = that role in this project
15:16 *** cbrown2_ocf has quit IRC
15:16 <bknudson> tokens already give you access to everything, since using a token I can get another token
15:16 <samueldmq> henrynash: that goes in the same direction, but complicates things
15:16 *** ChanServ sets mode: +o dolphm
15:16 <samueldmq> bknudson: ok so tokens have to be specific to certain workflows (dealing with a given project, for example)
*** aix has quit IRC15:16
15:18 <breton> folks
15:18 <breton> why did we need domains?
15:19 <marekd> breton: for better separation of resources i guess...
15:19 <samueldmq> breton: they're the containers of users and groups, so they own identity
15:19 <samueldmq> breton: and they own projects as well, where resources like vms, volumes etc are created
15:20 <samueldmq> bknudson, henrynash this was a very good conversation, thanks for clarifying some points
15:20 <samueldmq> have to go afk for a bit now, back soon
15:20 <breton> samueldmq: what was the use case when projects by themselves were not sufficient?
15:20 *** pballand has joined #openstack-keystone
15:20 <henrynash> samueldmq: np….there are many ways to skin this particular feline
15:20 <breton> I mean, I know there is 968696
15:21 <samueldmq> breton: 968696 is about not checking the scopes when checking api permissions
15:21 <samueldmq> breton: so if you just check for role:admin, that's not enough
15:21 <samueldmq> breton: since you have role:admin from project X and be changing things in project Y (you don't have role:admin there)
15:21 <samueldmq> breton: because we don't check scope properly
15:22 <samueldmq> breton: so it's said: 'admin anywhere is admin everywhere', if that makes sense
15:22 <samueldmq> breton: need to go now, sorry
15:22 <marekd> breton: you have a client, who wants to have multiple projects. To me it looks like an easy way to logically separate for instance clients...or experiments (competing, but in a healthy manner!) at cern :-)
15:23 *** afazekas has quit IRC
15:24 *** kfox1111 has joined #openstack-keystone
15:25 *** jasondotstar has joined #openstack-keystone
15:26 *** davechen has left #openstack-keystone
15:28 *** belmoreira has quit IRC
15:30 *** haneef__ has quit IRC
15:34 *** vg_ has joined #openstack-keystone
15:35 <morganfainberg> bknudson: ++ on OpenStack being too complex already
15:35 *** jasondotstar has quit IRC
15:36 *** Guest81202 is now known as mgagne
15:36 *** mgagne has joined #openstack-keystone
15:38 <rodrigods> stevemar, ping... can you take a look at https://review.openstack.org/#/c/123539/ ? it is important for the HMT support in OSC
15:39 *** jasondotstar has joined #openstack-keystone
15:40 *** zzzeek has joined #openstack-keystone
15:40 *** csoukup has joined #openstack-keystone
15:40 <MaxV> Hello I am writing some documentation for the openstack-sdk project and I have a question about the /extensions resource
15:40 <MaxV> I do not find a clear explanation of what the namespace property is
15:40 <MaxV> on keystone documentation it looks like some sort of openstack docs
15:41 *** marzif_ has quit IRC
15:41 *** marzif_ has joined #openstack-keystone
15:43 *** janonymous_ has joined #openstack-keystone
15:44 *** vg_ has quit IRC
15:44 <stevemar> rodrigods, will do
15:45 <rodrigods> stevemar, ty
15:46 <morganfainberg> bknudson henrynash: so we could also just say !is_domain in the policy when it checks against the context passed down from middleware.
15:47 <morganfainberg> henrynash: did I read that correctly that you're supporting making domain scope go away?
15:47 <henrynash> morganfaiberg: yes
15:47 <henrynash> (oops)
15:47 <morganfainberg> Yay
15:47 <morganfainberg> I like this plan
15:48 <morganfainberg> This seems like a much simpler approach than introducing all the edge cases of something is a domain...sometimes... but a project maybe others.
15:49 <henrynash> morganfainberg: we need to somehow provide the ability on policy checks to differentiate when you can do “domainy” things (like create users)….but I’d like us not to have a totally duplicate set of things (like tokens) in order to do this
15:50 <henrynash> see https://review.openstack.org/#/c/193543/
15:50 <morganfainberg> I'm fine with checking the project for the domain flag
15:50 <morganfainberg> That is a lot lower overhead than a whole domain scope token
15:51 <bknudson> so without policy I could create a user under any project, not just a domain-project?
15:51 <openstackgerrit> Merged openstack/python-keystoneclient: Add openid connect client support  https://review.openstack.org/134700
15:52 *** janonymous_ has quit IRC
15:52 <henrynash> bknudson: well, right now our code would stop that (since we check in create user that the thing is a domain)….but I think it would make policy rules less obvious if half the checks are in code and half in rules
15:53 <bknudson> it's just a limitation of non-domain-projects that user domain can't be set to it.
15:53 <henrynash> bknudson: indeed
15:53 *** cinerama` is now known as cinerama
15:54 <bknudson> then I don't see what policy has to do with it. You can set policy any way you want, it's not going to allow you to have a user in a non-domain-project
15:56 <morganfainberg> bknudson: exactly, middleware just needs to pass down the "is this a domain" info
15:56 <morganfainberg> If anyone cares about it.
15:56 <henrynash> bknudson, morganfainberg: I guess we could just do it that way…..dictate that although policy might not block it, our code will…..I’ll have to think through if there are any other back doors this might open (you always have to think about whether a project admin could add roles to their projects that somehow give them the right to do something broader)
15:56 *** MaxV has quit IRC
15:56 *** MaxV has joined #openstack-keystone
15:56 <morganfainberg> Then policy can just check the value - we could even update default policies to reject is_domain (in nova for example) preemptive lay and have no effect today
15:57 <samueldmq> henrynash: morganfainberg and yes, lines 38-42 summarize things :)
15:57 <samueldmq> we do "project_id:%(user.domain_id)s and is_domain:True" for domain checks
15:57 <bknudson> preemptive lay...
15:57 <morganfainberg> samueldmq: yes.
15:57 <morganfainberg> bknudson: autocorrect fail
15:57 <morganfainberg> Yes I am on my mobile tiny screen device.
15:58 *** pnavarro has quit IRC
15:58 *** afazekas has joined #openstack-keystone
15:58 *** charlesw_ has joined #openstack-keystone
15:59 <samueldmq> morganfainberg: nice, I was discussing that approach to affect the policy with henrynash last friday
15:59 <samueldmq> morganfainberg: glad to see you like it :)
15:59 *** jasondotstar has quit IRC
16:00 <henrynash> indeed: it was samueldmq’s idea…he gets the credit
16:00 *** charlesw has quit IRC
16:00 <morganfainberg> Cool.
16:00 *** jasondotstar has joined #openstack-keystone
16:00 *** charlesw_ is now known as charlesw
16:00 <morganfainberg> Much better design than the explicit domain scoped tokens imo
16:00 <samueldmq> henrynash: well, thanks, we had that idea together (on the policy side)
16:01 <morganfainberg> And the domain APIs can be frozen (not deprecated) unless we have a clear reason to poke them.
16:01 <samueldmq> morganfainberg: ++ we check for domainess in a smooth way
16:01 <samueldmq> :-)
16:01 <morganfainberg> samueldmq: don't use "domainess" it is not a good word and will confuse people.
16:01 <samueldmq> ok, you just got me confused
16:01 <morganfainberg> Even in chat here, try to use "is_domain"
16:01 <samueldmq> morganfainberg: ^ :_)
16:01 <henrynash> you could also do the following if you don’t want a project acting as a domain to be able to hold VMs: compute: create_server: ”project_id:%(project_id)s and is_domain:False”
16:02 <morganfainberg> henrynash: yep
16:02 <kfox1111> morganfainberg: get a chance to review the nova instance user spec? It sounds like the final deadline's the 25th. And I need to get some nova folks to review too. But they don't seem to want to unless both barbican and keystone folks have weighed in on the idea.
16:02 <samueldmq> henrynash: yeah we provide flexibility that way :-)
16:02 *** jasondotstar has quit IRC
16:02 <morganfainberg> kfox1111: I am back to closer to 100% here this week.
16:02 <morganfainberg> kfox1111: catching up from trying to take last week off and failing miserably at it.
16:03 <morganfainberg> So I did ready
16:03 <morganfainberg> Read it. Just have not scored it.
16:03 *** jasondotstar has joined #openstack-keystone
16:03 <kfox1111> morganfainberg: Ok. Sorry to keep bugging you. The deadline's really a pain. :/
16:03 <morganfainberg> It didn't look too crazy.
16:03 <henrynash> morganfainberg, samueldmq: what we DO need however, to make this work, is a way of asking for a token on a project acting as a domain…..I actually don’t care so much “how” we specify the scope, just as long as we can
16:03 <kfox1111> ok. thanks.
16:03 <morganfainberg> kfox1111: no worries. I get it.
16:04 <samueldmq> henrynash: yes, I think this is what guys here are taking care of, cc raildo htruta ...
16:05 <morganfainberg> henrynash: the same way we do today, just ask for the token. If you scope request as a domain, it just fails if it isn't, it gives a project scoped token if it is a domain. If you ask for it as a project, it gives you a token as a project.
16:05 <morganfainberg> And I think the answer is passing the hierarchy for anything at depth.
16:05 <morganfainberg> *think* I don't remember if we had full resolution on that point.
16:06 *** iamjarvo has quit IRC
16:06 *** gyee has joined #openstack-keystone
16:06 *** ChanServ sets mode: +v gyee
16:06 *** afazekas has quit IRC
16:07 <henrynash> morganfainberg: let’s make sure we nail this in the next few days….doing these two things would be a great thing to get into L
16:08 <samueldmq> morganfainberg: having something related to is_domain when asking for a token would be consistent with what is used in the policy checks though
16:08 <samueldmq> henrynash: cc ^
16:09 <samueldmq> and what we get back in a token for an is_domain project (is_domain=True)
16:10 *** thedodd has joined #openstack-keystone
16:10 <morganfainberg> henrynash: and if there is a conflict on determining a single depth (domain -> project, nothing deeper than first tier) scope for some reason (though I don't know how we would run into this - domains should always be owned by their parent domain or "none" afair) we would need to fall back to the project itself - for compatibility)
16:10 *** Guest82290 is now known as mfisch
16:10 *** mfisch has quit IRC
16:10 *** mfisch has joined #openstack-keystone
16:11 *** fhubik has quit IRC
16:11 *** e0ne has quit IRC
16:12 *** arunkant has joined #openstack-keystone
16:12 <samueldmq> ayoung: morganfainberg I asked sdague to be in our meeting tomorrow to discuss dynamic policies
16:12 <samueldmq> ayoung: morganfainberg he will be able to attend it, sounds good ?
16:12 <morganfainberg> Great.
16:13 *** e0ne has joined #openstack-keystone
16:13 <samueldmq> morganfainberg: ayoung so we talk about their requirements and how we can synchronize with our first iteration on roadmap/scope
16:13 <samueldmq> :)
16:13 *** richm has quit IRC
16:14 *** dtroyer has joined #openstack-keystone
16:14 <henrynash> morganfainberg, samueldmq: (not sure if this is what you just said, morgan, but); we could not make any changes to the token request scope at all…..if you ask for a project by name, and you get a conflict you always get the project.  If you have clashing names for project and domain, then we don’t support getting the “project acting as a domain”, by name
16:14 *** afazekas has joined #openstack-keystone
16:15 <morganfainberg> henrynash: that is exactly what i just said. Except that if your project is waaaaaaaaay deep in a hierarchy (more than 1 level) you must always pass the hierarchy
16:15 <samueldmq> henrynash: ++
16:16 <morganfainberg> henrynash: but it should be impossible to get a conflict between the domain and the project - the owning domain of the domain (ugh bad wording) should always be its parent.
16:16 <henrynash> morganfainberg: I would say that the hierarchy part is an optional extension to that….and only needed if we want to solve the “let’s make project name only have to be unique to their immediate parent” problem
16:17 <morganfainberg> henrynash: the issue is chasing into a deep hierarchy. My view is always pass the hierarchy when you're more than the model of domain with one layer under it
16:17 <morganfainberg> But if projects have to be unique names no matter the demon under the domain, that solves it too
16:17 <morganfainberg> Demon = depth
16:18 <samueldmq> morganfainberg: haha ++
16:18 <henrynash> morganfainberg: which is true *today*, but understand the goal of moving away from that….and it’s at that point we need to support passing the hierarchy into the request
16:18 *** david-ly_ is now known as david-lyle
16:19 <morganfainberg> henrynash: yeah. We may want to force that point sooner vs later so we don't have an api contract break.
16:19 <morganfainberg> But... Eh....
16:21 <henrynash> going offline for a bit…
16:21 *** henrynash has quit IRC
16:22 *** MaxV has quit IRC
16:26 *** david8hu has joined #openstack-keystone
16:28 *** richm has joined #openstack-keystone
16:29 *** kiran-r has joined #openstack-keystone
16:32 *** kiran-r has quit IRC
16:32 *** kiran-r has joined #openstack-keystone
16:32 *** tqtran has joined #openstack-keystone
16:33 *** kiranr has joined #openstack-keystone
16:36 <ayoung> samueldmq, nice....and, now I head in to another meeting
16:37 *** kiran-r has quit IRC
16:41 *** jasondotstar has quit IRC
16:41 *** RichardRaseley has joined #openstack-keystone
16:42 *** dguerri is now known as dguerri`
16:44 <samueldmq> ayoung: good luck :-)
16:44 *** lhcheng has joined #openstack-keystone
16:44 *** ChanServ sets mode: +v lhcheng
16:45 *** rwsu has joined #openstack-keystone
16:49 *** afazekas has quit IRC
16:50 *** henrynash has joined #openstack-keystone
16:50 *** ChanServ sets mode: +v henrynash
16:54 *** afazekas has joined #openstack-keystone
16:56 <ayoung> samueldmq, I'm rereading my http://adam.younglogic.com/2015/06/dyn-policy-microversions/  to see if that is what I still think is the right approach.
16:58 *** cinerama has quit IRC
16:59 *** vilobhmm has joined #openstack-keystone
17:00 *** cinerama has joined #openstack-keystone
17:00 *** afazekas has quit IRC
17:02 <samueldmq> ayoung: sure, also see https://dague.net/2015/06/05/the-nova-api-in-kilo-and-beyond-2/
17:02 <samueldmq> ayoung: I am still looking at it
17:02 <ayoung> samueldmq, I've read that, but good to review as well
17:03 <ayoung> samueldmq, I think that what he's really going to want is to split the policy, and have the code responsible for the scope, and have a decent default rule for the role.
17:03 <ayoung> then, enforcing scope is done in code, as he originally suggested, is not such a horrible idea
17:04 <samueldmq> ayoung: so people there do want a /policy API, so keystone reads from endpoint_url/policy in a given timeout
17:05 <samueldmq> ayoung: instead of having CMS uploading the primary source of truth
17:05 <samueldmq> ayoung: I think this is the main point of divergence now, since this is opposite to unified policy
17:05 <ayoung> samueldmq, let's discuss that with him.  I think it would make far more sense for that to be pushed into keystone instead of a timeout.  Just practically speaking, there is no thread in keystone to do that work
17:05 <samueldmq> ayoung: sure
17:05 *** e0ne has quit IRC
17:06 <ayoung> but, that does not mean that it could not be pushed to multiple locations...it could be sent to Horizon as well.
17:06 <ayoung> and, we have to make sure we don't overwrite anything custom on the system, we need to nail down what would be acceptable by such an update.
17:06 <samueldmq> ayoung: well, I guess keystonemiddleware could do such work, connecting /policy of the service it's serving with keystone server
17:07 <samueldmq> ayoung: yes, we can do role checking (at least) when updating
17:07 <ayoung> Also, another problem with /policy is it would report a different answer than keystone would give, unless it was based on fetching the policy from Keystone first...so, maybe if it is limited to "query what this nova endpoint can do" it makes sense, but that is beyond the scope of what we need to solve
17:08 <samueldmq> ayoung: that would be loaded to keystone as the primary source of truth
17:08 <ayoung> samueldmq, we can't have it both ways
17:08 <samueldmq> ayoung: as I've planned to be done by the CMS when installing
17:08 <ayoung> if it is the primary source of truth, it will be out of sync with a customized keystone
17:09 *** dims has quit IRC
17:09 <samueldmq> ayoung: at install, keystone loads the Stock policy, that comes from /policy
17:09 <ayoung> where are we at with the diagrams...
17:09 * ayoung looking
17:09 <samueldmq> ayoung: customized will be a diff, that applies on the stock policy
17:09 *** dims has joined #openstack-keystone
17:09 <samueldmq> ayoung: https://wiki.openstack.org/w/images/4/41/Dynamic-policies-install.png
17:10 <samueldmq> ayoung: step 4 will change, that's all
17:10 <samueldmq> ayoung: it will be using /policy from nova
17:10 <ayoung> samueldmq, dumb question...you've continued to update the description of the diagrams with the code used to generate them, right?
17:11 <samueldmq> ayoung: yes they've the code in there as well
17:11 <samueldmq> ayoung: as you did first
17:12 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystonemiddleware: WIP - Fetch Policy File by Service Endpoint  https://review.openstack.org/188561
17:13 <samueldmq> ayoung: ^ this PoC gets the policy from keystone and stores it at policy.json :)
17:13 <samueldmq> ayoung: although I am still having trouble when saving to the file, after that oslo.policy is having trouble to open/read such file
17:19 *** rwsu has quit IRC
17:19 <rushiagr> I am interested in stable driver interfaces work. I would appreciate if somebody can tell me where can I look to contribute to it.. Basically, I want to know what is the direction we're moving ahead..
17:19 <ayoung> samueldmq, https://review.openstack.org/#/c/188561/  is "by endpoint URL" correct?
17:19 <samueldmq> davechen_: hi, sorry for not replying to you earlier
17:20 <ayoung> rushiagr,  morganfainberg is driving that.
17:20 <samueldmq> ayoung: yes, though it is using GET /policies?endpoint_url=<> .. and getting the first on the list
17:20 <ayoung> samueldmq, I think that is OK
17:20 <samueldmq> ayoung: as we'd discussed before, that could return multiple policies
17:20 <ayoung> is  GET /policies?endpoint_url=<> implemented?
17:21 <samueldmq> ayoung: yes it is, however we agreed to not do it that way anymore
17:21 <samueldmq> ayoung: and which you'll be defining in your new spec called ...
17:21 <samueldmq> ayoung: Policy by URL (https://review.openstack.org/#/c/192422/1/)
17:21 <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/167675
17:22 <samueldmq> ayoung: it was implemented here before (https://review.openstack.org/#/c/186874/)
17:22 <rushiagr> hi morganfainberg
17:22 <morganfainberg> rushiagr: hi.
17:22 <morganfainberg> rushiagr: so, I'll have some more details tomorrow on where we stand with that spec.
17:23 <morganfainberg> Trying to find out where the resources who committed to working on it are going to be time wise.
17:23 *** dramakri has joined #openstack-keystone
17:23 <rushiagr> morganfainberg: okay. Please let me know too if I can help
17:24 <morganfainberg> rushiagr: absolutely. If you catch gyee online he can give updates as well, as he is also helping to drive that.
17:24 <morganfainberg> rushiagr: I should have more info tomorrow after the keystone meeting (meeting is 1800utc)
17:25 <rushiagr> morganfainberg: okay, that sounds great
17:25 *** jasondotstar has joined #openstack-keystone
17:27 <david8hu> ayoung, I am trying to figure out what we can do for better default policy for liberty.  Do you think the unified policy feature will land in liberty?
17:28 *** harlowja has joined #openstack-keystone
17:33 *** iurygregory has quit IRC
17:34 *** spandhe has joined #openstack-keystone
17:35 *** iamjarvo has joined #openstack-keystone
17:36 *** rwsu has joined #openstack-keystone
17:39 *** marzif_ has quit IRC
17:42 <david8hu> ayoung, I am trying to figure out how I can help with better default policy and move forward.  I replied to your -2 on https://review.openstack.org/#/c/189486/.  Any thoughts?
17:43 *** amakarov is now known as amakarov_away
17:46 <samueldmq> david8hu: actually unified policy is still under discussion
17:47 <samueldmq> david8hu: people from other projects are against it, and have fair reasons (there are messages in the ML from nova guys from a couple of weeks ago)
17:47 <samueldmq> david8hu: we will be discussing with someone from nova (Sean Dague - sdague) in our IRC meeting tomorrow
17:48 <samueldmq> david8hu: I hope a lot of points will be clarified, including whether to unify or not
17:49 <david8hu> samueldmq,  Thanks for the info !
17:51 <samueldmq> david8hu: np
17:52 *** iurygregory has joined #openstack-keystone
17:56 *** kiranr has quit IRC
17:57 *** kiran-r has joined #openstack-keystone
18:04 <morganfainberg> kfox1111: commented on the spec. No score but I indicated it was in line with what we discussed.
18:04 <morganfainberg> kfox1111: have a concern about metadata service directly handing a keystone token back to the vm.
18:04 *** kiran-r has quit IRC
18:06 *** jasondotstar has quit IRC
18:08 <ayoung> david8hu, I am not certain.  i think that there are a few things we need to balance out
18:08 <ayoung> we can't break people assuming that the default policy as they have them now will change
18:08 <ayoung> let me say that better
18:08 *** jasondotstar has joined #openstack-keystone
18:09 <ayoung> we can't change the meaning of the default policies currently shipped from the projects
18:09 <ayoung> to do so will break people upon upgrade
18:09 *** jasondotstar has quit IRC
18:09 <samueldmq> ayoung: ++
18:09 <ayoung> thus, policy needs to be dynamic, so that people can ship their own custom policies
18:10 <ayoung> we need a unified view of policy so that admin means the same things everywhere:  a scoped user that can perform sensitive operations
18:10 <ayoung> and that a cloud/superadmin can also exist
18:10 <ayoung> but that a local admin cannot accidentally (or intentionally) create a superadmin
18:10 <samueldmq> ayoung: yes, 100% on the unified view, but we can have a cross-project effort on policies, to make all of them v3cloud or something so :)
18:10 *** fangzhou has joined #openstack-keystone
18:11 <ayoung> we need to make the meaning of superadmin the same across multiple endpoints
18:11 <ayoung> samueldmq, I know you know this..just answering david8hu 's question
18:11 <samueldmq> ayoung: I think that is exactly what people from my team started last year (cloud sample policy for all projects)
18:11 <ayoung> samueldmq, yeah, and I think that unified is the right approach
18:11 <ayoung> I'm really not too worried about microversions
18:12 *** rlt_ has quit IRC
18:12 *** e0ne has joined #openstack-keystone
18:12 <samueldmq> ayoung: k sure, we will discuss better tomorrow :-)
18:12 <ayoung> if we get the base policy written correctly, it should be trivial to keep up with microversions, even if it is in a common repo
18:12 *** afazekas has joined #openstack-keystone
18:13 *** jasondotstar has joined #openstack-keystone
18:13 *** browne has quit IRC
18:13 <david8hu> ayoung, samueldmq, perhaps the way to have a better default is by providing sample policy.  Deployer has to make a conscious decision to deploy it over the default.
18:13 *** browne has joined #openstack-keystone
18:14 <david8hu> ayoung, base policy meaning the default policy?
18:14 *** jasondotstar has quit IRC
18:16 <ayoung> david8hu, I think what you are saying is we should have a sample unified policy
18:16 <ayoung> david8hu, if so, then I agree, 100%
18:16 <ayoung> we can't force it on people, but it is the starting point for dynamic policy
18:17 <ayoung> david8hu when I say "default" I mean "the one you get from the keystone api if one has not been assigned specifically to the endpoint, or to the service..."
18:17 <david8hu> ayoung, yes.  Base deployment, use the default.  Service admin segregation deployer, use sample_admin_seg_policy.json.
18:17 <ayoung> so...yes, the default
18:17 *** jasondotstar has joined #openstack-keystone
18:17 *** arunkant_ has joined #openstack-keystone
18:17 <ayoung> david8hu, and to distinguish
18:17 <ayoung> the policy that ships from Nova as their policy.json is the "stock" policy
18:17 <david8hu> ayoung, default is overloaded :)
18:18 *** jasondotstar has quit IRC
18:19 <ayoung> david8hu, so, unified is the default, and then, when an operator customizes for a given deployment, they would redefine a subset of targets on top of that
18:20 <ayoung> david8hu, so, lets assume we had a system like this...what would happen with a microversion change
18:20 <ayoung> we have (at least) 2 options
18:20 *** arunkant has quit IRC
18:20 <ayoung> 1.  default policy does not know about the microversion, so the default rule would be applied.
18:21 <ayoung> 2.  The new microversion policy would get pushed up to the keystone server and applied to all policies
18:21 <ayoung> which is less scary?
18:21 *** fangzhou has quit IRC
18:21 *** fangzhou has joined #openstack-keystone
18:23 <david8hu> Now, I am getting my vocabulary straight.  Samueldmq did mention stock policy last Friday.  Now stock policy is officially registering in my head :)
18:23 *** e0ne is now known as e0ne_
18:24 *** e0ne_ is now known as e0ne
18:25 *** jasondotstar has joined #openstack-keystone
18:25 *** jasondot_ has joined #openstack-keystone
18:26 *** belmoreira has joined #openstack-keystone
18:36 <david8hu> ayoung, 1 is less scary, if microversion is part of the rule, we do not need to even know about microversion
18:37 <ayoung> david8hu, that is what I think, too
18:38 <ayoung> david8hu, so, an update to the stock policy should probably have no impact on the custom policy.  But what Sean is saying is it should be the policy rule executed.  You see the disconnect?
18:38 <dolphm> stevemar: doesn't OS-FEDERATION only include groups in unscoped tokens? or does it include groups in scoped tokens as well?
18:39 <david8hu> ayoung, What does it mean "...it should be the policy rule executed"?
18:40 <stevemar> dolphm, only groups in unscoped
18:40 <stevemar> dolphm, marekd, asked the same question last week
18:40 *** tqtran is now known as tqtran_afk
18:40 <dolphm> stevemar: then the spec has a mistake
18:40 <david8hu> ayoung, does it mean calling policy enforcement api and give version as an arg?
18:41 <dolphm> stevemar: see the scoped token example https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-a-scoped-os-federation-token
18:41 <dolphm> stevemar: i'll propose a patch to clean that up then
18:42 *** afazekas has quit IRC
18:43 <ayoung> david8hu, let me try to say that clearer.
18:44 <ayoung> Sean is saying that if they add a new microversion, the policy should be bundled with the microversion code and that is what should be executed, not the dynamic policy.
18:44 <ayoung> david8hu, now,  I think the solution uses the Wisdom of King Solomon.  We cut the baby in half.
18:44 <ayoung> In this case, the baby is policy, and we actually cut it in half, not just threaten
18:45 <ayoung> the two halves are "scope" and "role"
18:45 *** kiran-r has joined #openstack-keystone
18:45 <ayoung> scope is "where do I find the project Id when calling this API"
18:46 <ayoung> role is "what role does the user have on that scope when calling this api"
18:46 <ayoung> scope can (and probably should) be enforced in code like Sean is suggesting
18:46 <ayoung> role, on the other hand, can be safely defaulted.
18:47 <ayoung> However, if we split the two, and allow for "update dynamic policy when Nova is updated"  all it would be updating is the role side of dynamic policy
18:47 <ayoung> david8hu, does that make sense, or have I finally slipped into my dotage?
18:49 *** afazekas has joined #openstack-keystone
18:51 *** jasondot_ has quit IRC
18:51 *** Rockyg has joined #openstack-keystone
18:53 <openstackgerrit> Dolph Mathews proposed openstack/keystone-specs: Groups are not included in federated scoped tokens  https://review.openstack.org/194300
18:53 <dolphm> stevemar: ^
18:53 <dolphm> marekd: ^
18:54 <mgagne> I'm running Keystone Icehouse and somehow when running with Apache WSGI, v2.0 is not advertised under the admin endpoint (35357) but it's there with keystone-all eventlet. Any idea?
18:55 <mgagne> could it be that controllers.register_version('v2.0') is missing from https://github.com/openstack/keystone/blob/stable/icehouse/keystone/service.py#L97 ? But why different between eventlet vs WSGI ?
18:55 *** gsilvis_ is now known as gsilvis
19:02 <mgagne> looks like icehouse is missing a patch found in juno
19:03 *** afazekas has quit IRC
19:03 *** Lactem has joined #openstack-keystone
19:04 *** afazekas has joined #openstack-keystone
19:04 *** gordc is now known as gordc_afk
19:04 *** e0ne has quit IRC
19:05 *** e0ne has joined #openstack-keystone
19:06 <Lactem> dolphm: I did more tests on that bug on this other laptop. After creating the endpoint normally (without the space between i and d), I listed the endpoints. I deleted and listed the endpoints again after that. I repeated the process using the endpoint name that the bug reporter said caused problems (with a space between i and d). Both times, the new endpoint was deleted properly. I pasted my logs here: https://paste.ee/p/pdyrS The bug is located here: https://bugs.launchpad.net/keystone/+bug/1098564
19:06 <openstack> Launchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete] - Assigned to Theodore Ilie (theoilie-ti)
19:06 <dolphm> Lactem: GREAT to hear!
19:08 <Lactem> So should I post those logs in a new comment on the bug page? Is it now proved invalid?
19:08 *** rushiagr is now known as rushiagr_away
19:08 <Lactem> My first bug. :D
19:09 <dolphm> Lactem: i'll leave that up to you. we can certainly mark it as invalid, but it'd also be handy to write a functional test proving that it's invalid so that we avoid any regressions. that part is up to you- interested?
19:09 <Lactem> Of course.
19:09 <Lactem> So I need to actually write some code for this?
19:10 <rodrigods> dolphm, ping... can you take a look at the k2k auth plugin changes? https://review.openstack.org/#/c/188581/ and follow up patch
19:10 <dolphm> yep!
dolphmrodrigods: probably not today, i'm getting ready to go to an event. i'll put it on my list for tomorrow19:10
rodrigodsdolphm, np! thanks19:10
*** dsirrine has quit IRC19:11
dolphmLactem: there's a bunch of functional API tests in keystone.tests.unit.test_v3_* (nevermind the package name). i believe there's one for test_v3_catalog19:11
*** Lactem has quit IRC19:12
*** roxanaghe has joined #openstack-keystone19:13
*** rwsu has quit IRC19:15
stevemardolphm, can i run an ansible playbook that installs stuff on my local machine?19:19
*** afazekas has quit IRC19:19
ayoungstevemar, heh19:19
ayoungI was just asking the same question19:19
ayoungstevemar, yes you can19:19
stevemarayoung, hehe19:20
ayoungstevemar, one sec...let me find it in my history19:20
ayoungstevemar, https://docs.ansible.com/playbooks_delegation.html#local-playbooks19:20
ayoungstevemar, and... the other thing we just discovered is you can update the view of the inventory in memory19:20
ayoungso if you want to, say create a new vm via nova, you can then add that to your inventory for later calls in the same  playbook19:21
stevemarinteresting19:21
ayoungI was just about to start trying this stuff out19:21
stevemari was hoping to use it to setup my dev env19:21
stevemarsomething basic19:21
stevemaras a first exercise19:21
*** jasondot_ has joined #openstack-keystone19:24
*** mgarza has joined #openstack-keystone19:33
openstackgerritMerged openstack/python-keystoneclient: add --slowest flag to testr  https://review.openstack.org/17972519:33
*** e0ne is now known as e0ne_19:35
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285019:35
*** e0ne_ is now known as e0ne19:35
*** diazjf has joined #openstack-keystone19:37
*** rwsu has joined #openstack-keystone19:38
kfox1111morganfainberg: Thanks for reviewing. I'll add comments addressing your questions shortly.19:39
*** marzif_ has joined #openstack-keystone19:39
*** rwsu has quit IRC19:40
*** tqtran_afk has quit IRC19:40
*** rwsu has joined #openstack-keystone19:40
*** fangzhou has quit IRC19:41
dolphmstevemar: yes19:44
stevemardolphm, have any easy ansible playbooks that i can copy?19:44
*** dramakri has quit IRC19:52
*** dramakri has joined #openstack-keystone19:52
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040519:54
stevemarbknudson, can you confirm if this bp is complete? https://blueprints.launchpad.net/keystone/+spec/stevedore19:57
*** afazekas has joined #openstack-keystone19:57
bknudsonstevemar: I can confirm it's not complete.19:57
stevemardoh19:58
bknudsonstevemar: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/stevedore,n,z19:58
stevemary, looking there now19:59
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/19238620:00
openstackgerritBrant Knudson proposed openstack/keystone: Simplify fernet rotation code  https://review.openstack.org/19433520:01
morganfainbergbknudson, stevemar: +2 on that chain (stevedore)20:04
*** edmondsw has quit IRC20:04
stevemarthx morganfainberg i have a few patches opened up and reviewing now (while i craft a note)20:05
*** marzif_ has quit IRC20:07
*** kiran-r has quit IRC20:09
*** Lactem has joined #openstack-keystone20:10
*** rwsu has quit IRC20:10
Lactemdolphm: Did you say anything before? I timed out.20:10
*** iurygregory has quit IRC20:14
*** gordc_afk is now known as gordc20:15
*** jasondotstar has quit IRC20:18
*** afazekas has quit IRC20:19
*** belmoreira has quit IRC20:21
*** afazekas has joined #openstack-keystone20:21
*** iurygregory has joined #openstack-keystone20:31
openstackgerritMerged openstack/keystone: Add missing keystone-manage commands to doc  https://review.openstack.org/19366320:31
*** jasondot_ has quit IRC20:33
openstackgerritMerged openstack/keystone: Fix Fernet key rotation  https://review.openstack.org/19278220:34
openstackgerritMerged openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279220:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040520:34
*** Rockyg has quit IRC20:34
*** fangzhou has joined #openstack-keystone20:36
kfox1111morganfainberg: Sorry for the delay. I hope I addressed your concern in the comments. If not, I'll update it asap.20:36
kfox1111thanks again for reviewing.20:36
*** iurygregory has quit IRC20:37
*** mestery has joined #openstack-keystone20:38
david8huayoung, let me digest the information20:42
*** iurygregory has joined #openstack-keystone20:44
*** iurygregory has quit IRC20:44
*** afazekas has quit IRC20:50
*** gordc has quit IRC20:53
*** gordc has joined #openstack-keystone20:54
*** mestery has quit IRC20:56
*** afazekas has joined #openstack-keystone20:58
*** jasondotstar has joined #openstack-keystone20:59
morganfainbergkfox1111: just responded21:01
morganfainbergkfox1111: i think you're just moving the concern of a leaving project admin and sort of hiding the issues - it's not really adding more security having the metadata service issue the tokens21:02
*** raildo has quit IRC21:02
*** e0ne has quit IRC21:03
*** mestery has joined #openstack-keystone21:03
morganfainbergit *might* be slightly less overhead for the VM's admin, but I'm not convinced that this won't turn into a vector of DOS attack that is hard to chase down without impacting people relying on the new cert structures.21:03
*** aix has joined #openstack-keystone21:05
*** e0ne has joined #openstack-keystone21:06
*** Lactem has quit IRC21:07
*** e0ne has quit IRC21:09
*** rwsu has joined #openstack-keystone21:10
openstackgerritSergey Vilgelm proposed openstack/keystone: Switch to oslo.service  https://review.openstack.org/19438221:10
*** Lactem has joined #openstack-keystone21:13
LactemSorry I keep timing out for some reason.21:13
*** HT_sergio has quit IRC21:13
Lactemdolphm: So what exactly do I need to do to finish off this bug?21:13
*** iamjarvo has quit IRC21:17
openstackgerritBrant Knudson proposed openstack/keystone: Switch to oslo.service  https://review.openstack.org/19373221:20
*** marzif_ has joined #openstack-keystone21:20
openstackgerritBrant Knudson proposed openstack/keystone: Simplify fernet rotation code  https://review.openstack.org/19433521:21
openstackgerritBrant Knudson proposed openstack/keystone: Tests for correct key removed  https://review.openstack.org/19438821:21
*** Lactem has quit IRC21:22
*** jasondotstar has quit IRC21:27
openstackgerritBrant Knudson proposed openstack/keystone: Update sample configuration file  https://review.openstack.org/19387921:28
*** jasondotstar has joined #openstack-keystone21:28
*** henrynash has quit IRC21:28
*** afazekas has quit IRC21:28
*** arunkant__ has joined #openstack-keystone21:30
bknudsonjamielennox|away: https://pypi.python.org/pypi/requests-cache21:31
*** arunkant has joined #openstack-keystone21:33
*** arunkant_ has quit IRC21:34
*** kfox1111 has quit IRC21:36
*** arunkant__ has quit IRC21:36
*** jasondot_ has joined #openstack-keystone21:37
openstackgerritgordon chung proposed openstack/pycadf: ensure id is not empty  https://review.openstack.org/19439721:39
stevemargordc, we need another branch for pycadf dev !21:41
stevemardiazjf, mapping regex fail eh?21:43
*** zigo has quit IRC21:43
diazjfstevemar yup21:43
*** brad[] has quit IRC21:43
diazjfdoesn't seem to be supported by the mapping-engine because of the parsing21:44
*** ayoung has quit IRC21:44
stevemarthat's funny21:44
stevemari wouldn't have thought that at all21:44
diazjfsetup a break point21:46
diazjfhttps://github.com/openstack/keystone/blob/master/keystone/cli.py#L59821:46
diazjfcauses it to fail21:46
diazjf:/21:46
*** Lactem has joined #openstack-keystone21:48
*** zigo has joined #openstack-keystone21:49
stevemardiazjf, what's causing read_rules to fail? it doesn't like regex?21:50
stevemarjsonutils.load?21:50
stevemarmaybe the input is wrong?21:50
*** Lactem has quit IRC21:50
stevemardiazjf, also, sorry for not replying to your email earlier :P21:50
diazjfno worries I know you guys are busy :-D21:51
diazjfinput is correct, it just doesn't like boolean values21:51
diazjfso True can't be used21:51
*** nkinder has quit IRC21:53
stevemarany takers for https://blueprints.launchpad.net/keystone/+spec/liberty-sql-squash ?21:54
stevemardiazjf, ohhh21:54
stevemarmaybe not related to regex then... since that's all stringified21:54
*** jasondotstar has quit IRC21:54
*** telemonster has quit IRC21:54
*** telemonster has joined #openstack-keystone21:55
*** kfox1111 has joined #openstack-keystone21:55
*** jasondotstar has joined #openstack-keystone21:55
diazjfalso if True is set as a string, then we get an error at https://github.com/openstack/keystone/blob/master/keystone/cli.py#L59921:55
diazjfsince the schema isn't matched21:56
gordcstevemar: eh?21:57
kfox1111morganfainberg: Thanks for the review. Your argument is compelling. I'll update the spec accordingly. I think it also ties in with redrobot's suggestion of not storing the certs in the novadb. if it's not issuing the tokens, then the call can be passed through to barbican for fetching the cert since it's only done once.21:57
diazjfhttps://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L88-L9021:59
diazjfjsonutils.load(file) won't work with regex since True is not a string22:01
diazjfand if it is a String then it won't be supported22:01
diazjfso this needs to be fixed22:01
morganfainbergkfox1111: yeah.22:04
*** mgarza has quit IRC22:04
*** mancdaz has quit IRC22:04
kfox1111though I think there is one workflow issue there.22:04
kfox1111so the nova server create needs to support a flag to return the instance user's id.22:05
kfox1111so it's gotta go from nova -> barbican (create cert) then to keystone (get user id).22:05
kfox1111I think barbican's cert api is async only.22:05
*** iamjarvo has joined #openstack-keystone22:06
kfox1111so I'm not sure how to make that work.22:06
diazjfstevemar: should https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L88-L90 be changed to allow string values.22:06
*** sigmavirus24 is now known as sigmavirus24_awa22:06
*** mancdaz has joined #openstack-keystone22:06
diazjfthat way json can be parsed22:07
kfox1111one possible way around that would be to allow fetching the user_id from keystone before a cert is associated with it. would that be viable?22:07
kfox1111you could then nova -> keystone (get user id) -> async create barbican cert and return.22:07
*** jasondotstar has quit IRC22:07
kfox1111nova would kick off the barbican cert creation but not wait for return.22:08
kfox1111return/completion.22:08
*** afazekas has joined #openstack-keystone22:08
*** henrynash has joined #openstack-keystone22:09
*** ChanServ sets mode: +v henrynash22:09
stevemardiazjf, yeah, if we can make regex be string || boolean, that would be cool22:10
stevemardiazjf, maybe change that line to: { "type": ["number", "string"] }22:12
stevemardiazjf, try it out, open a bug, make the fix with a test :)22:12
*** jasondot_ has quit IRC22:12
*** rushiagr_away has quit IRC22:13
*** afazekas has quit IRC22:13
*** zigo has quit IRC22:15
diazjfstevemar, gotcha. Gonna take some refactoring but I'll work on it :)22:16
*** marzif__ has joined #openstack-keystone22:16
*** zigo has joined #openstack-keystone22:17
openstackgerritBrant Knudson proposed openstack/keystone: Bandit config updates  https://review.openstack.org/19441722:17
*** marzif_ has quit IRC22:19
*** marzif__ has quit IRC22:21
*** mestery has quit IRC22:25
*** rushiagr_away has joined #openstack-keystone22:28
openstackgerritBrant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret  https://review.openstack.org/19442022:31
*** stevemar has quit IRC22:37
*** diazjf has quit IRC22:38
kfox1111morganfainberg: think it would be possible to pre-return the id from keystone without the cert being created?22:39
*** aix has quit IRC22:41
*** arunkant_ has joined #openstack-keystone22:41
*** aix has joined #openstack-keystone22:41
*** jasondotstar has joined #openstack-keystone22:43
*** arunkant has quit IRC22:45
*** charlesw has quit IRC22:46
*** Lactem has joined #openstack-keystone22:49
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file  https://review.openstack.org/18213822:50
openstackgerritBrant Knudson proposed openstack/keystone: Short names for auth plugins  https://review.openstack.org/18210722:50
Lactemdolphm: I got disconnected again after messaging you. Sorry about that. I'm trying to figure out what exactly you want me to do about that bug. My tests show that it gets deleted like it should, so should it be marked as invalid?22:52
*** pballand has quit IRC22:54
*** iamjarvo has quit IRC22:54
*** rwsu has quit IRC23:00
morganfainbergkfox1111: the user id?23:00
morganfainbergkfox1111: we'd need the cert to know what the id would map to. Since we take a part of the data (cert) and hash it with the domain_id23:01
kfox1111which part of the cert do you need to know?23:02
*** Lactem has quit IRC23:02
kfox1111the plan was to make available the instance's id as part of the cert. that should be unique.23:02
kfox1111if I passed the domain and the instance id, would that be enough to build the user id?23:02
kfox1111then the cert request and the keystone request could happen in parallel.23:03
morganfainbergkfox1111: depends on what would be generated. i think we'd need a bit of the DN23:04
morganfainbergkfox1111: the API to generate the user_id isn't really done atm, we'd need to implement it ;)23:05
morganfainbergkfox1111: means it is a bit of a questionmark23:05
kfox1111well, I think the dn would come from nova, wouldn't it?23:05
kfox1111I should be able to send the full dn in that case.23:05
morganfainbergkfox1111: I *think* this is an implementation detail that we can work on down the line.23:05
morganfainbergas in, not required right this second.23:05
kfox1111well, I'd like to redo the spec to include barbican creating the cert,23:06
kfox1111but I'm worried it can only do async creation.23:06
morganfainbergit feels like an optimisation to support in parallel vs. issue cert and then ask for keystone23:06
kfox1111which means the flow as defined now won't work.23:06
morganfainbergto generate the id23:06
kfox1111if I can synchronously get the user id without having the cert done, it allows the nova create call to still be synchronous.23:06
morganfainbergsince the API doesn't exist in keystone, no reason we can't make it work that way23:07
kfox1111ok. perfect. I'll write it in the spec that way, and we'll work out the details later then. thanks. :)23:07
morganfainbergbut to be fair, i don't know what part of the cert is needed, since tokenless auth isn't done23:07
morganfainbergit may be hard™ to make it work like you're asking23:08
kfox1111I'm thinking the spec is mostly advisory anyway. there's going to be some devil in the details when we go to implement it anyway.23:08
morganfainbergyeah like i said... i'd not specify it has to work in parallel23:08
morganfainbergi'd specify that keystone will return the user_id23:08
kfox1111I just want to get a rough consensus on the algorithm so we can get it approved and start working on finding those devils. :)23:08
morganfainberghow that works becomes implementation specific depending on what shakes out on barbican vs keystone vs nova sides23:09
kfox1111I'd like to mention the barbican request is async or else people might hold up the spec further. :/23:09
morganfainbergreally?23:09
morganfainbergthey'd hold it up because you didn't say "this is async"23:09
morganfainbergi try and leave sync vs. async out of these things unless it's important23:09
morganfainbergthis doesn't feel like it's super important to specify23:09
kfox1111It feels like the spec was held up a lot due to lack of specifics. :/23:09
* morganfainberg is also not dealing with the nova team23:10
kfox1111ok. I'll leave it out and see how it goes.23:10
morganfainbergi'd call that bikeshedding. but you know, different people different views23:10
kfox1111I'm guessing a +1 from a ptl will have more weight than a -1 from someone wanting specifics.23:10
kfox1111I hope.23:10
kfox1111Yeah. bikeshedding is a major drawback to the openstack review process. :/23:10
morganfainbergi think that if you clearly say "barbican will create cert" and "based on cert data [even if it's not something you would need the signed cert for] keystone returns the user_id"23:11
morganfainbergi think that is sufficient23:11
kfox1111yeah. that sounds good.23:11
morganfainbergthe [] was not meant to be in the spec that is23:11
morganfainbergbut, you know what i meant23:11
* kfox1111 nods23:11
*** david-lyle_ has joined #openstack-keystone23:12
*** david_lyle__ has joined #openstack-keystone23:12
*** david_lyle__ has quit IRC23:13
*** thedodd has quit IRC23:13
*** jaosorior has quit IRC23:15
*** markvoelker has quit IRC23:16
kfox1111wait...23:19
kfox1111one other problem with config drive.23:19
kfox1111you probably don't want it to always create it.23:19
kfox1111I guess you just require precreate for use with configdrive. if you don't specify precreate, it won't ever get one.23:20
*** gordc has quit IRC23:23
kfox1111I was returning the keystone endpoint and the region name as part of the returned document as well as the token.23:23
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file  https://review.openstack.org/18213823:24
openstackgerritBrant Knudson proposed openstack/keystone: Document entrypoint namespaces  https://review.openstack.org/19443523:24
morganfainbergyep23:24
kfox1111but with returning the cert, I can just return the pem file.23:24
kfox1111so the other stuff probably belongs in a different api endpoint?23:24
kfox1111if so, what to call it? the endpoint for the cert cloud be: http://169.254.169.254/openstack/latest/instance_user_key23:24
kfox1111s/cloud/could/23:25
kfox1111http://169.254.169.254/openstack/latest/keystone.json ?23:25
kfox1111http://169.254.169.254/openstack/latest/about_cloud.json? :/23:25
*** jasondotstar has quit IRC23:29
*** RichardRaseley has quit IRC23:29
*** vilobhmm has quit IRC23:36
*** vilobhmm has joined #openstack-keystone23:36
openstackgerritBrant Knudson proposed openstack/keystone: admin and public httpd files  https://review.openstack.org/19444223:40
*** nkinder has joined #openstack-keystone23:42
*** csoukup has quit IRC23:43
*** darrenc is now known as darrenc_afk23:44
*** lhcheng has quit IRC23:45
*** kfox1111 has quit IRC23:46
*** kfox1111 has joined #openstack-keystone23:46
*** sigmavirus24_awa is now known as sigmavirus2423:48
*** gyee has quit IRC23:48
*** sigmavirus24 is now known as sigmavirus24_awa23:51
kfox1111arg.... wordwrapping and rst's painful.23:53
*** jasondotstar has joined #openstack-keystone23:54
*** vilobhmm has quit IRC23:57
kfox1111there we go. should be fixed.23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!