Wednesday, 2015-07-08

richmquestion about `openstack project set $proj --domain $domain`00:02
richmdoes this allow you to change the domain to which the project belongs, or does it allow you to specify the domain to which $proj belongs and change some other field like --description?00:02
richmIf I specify project set $project_id --domain newdomain, can I move $project_id to domain 'newdomain'?00:03
*** Guest7393 has quit IRC00:04
morganfainbergrichm: projects cannot be moved between domains00:06
morganfainbergrichm: for security reasons. it used to be allowed (and we have an option to turn that on)00:07
morganfainbergbut it is really insecure00:07
morganfainbergdon't do it00:07
richmmorganfainberg: ok - thanks - that makes my life a lot easier00:08
morganfainbergyay00:08
morganfainberghappy to make your life easier00:08
*** gyee has joined #openstack-keystone00:09
*** ChanServ sets mode: +v gyee00:09
jasonsbappreciate advice from anybody who would like to field a kilo keystone + openidc question00:11
jasonsbits close00:11
jasonsbbut keystone.contrib.federation.utils [-] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral'}, 'group_names': []} process /usr/local/keystone/keystonenv/local/lib/python2.7/site-packages/keystone/contrib/federation/utils.py:47600:11
jasonsbAuthorization failed. Unable to find valid groups while using mapping idp1_map (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from ::100:11
*** anhhuynx has quit IRC00:11
*** mgarza has quit IRC00:11
jasonsbim missing something still00:11
*** chlong has joined #openstack-keystone00:11
gyeejasonsb, are you sure the group in the mapping is valid?00:14
jasonsbopenstack group list00:15
jasonsb+----------------------------------+------------+00:15
jasonsb| ID                               | Name       |00:15
jasonsb+----------------------------------+------------+00:15
jasonsb| dcca514a7d754f059a1a8d5e2d1fe04a | developers |00:15
jasonsb+----------------------------------+------------+00:15
jasonsbopenstack mapping show idp1_map00:15
jasonsb+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+00:15
jasonsb| Field | Value                                                                                                                                                         |00:15
jasonsb+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+00:15
jasonsb| id    | idp1_map                                                                                                                                                      |00:15
jasonsb| rules | [{u'remote': [{u'type': u'HTTP_OIDC_ISS', u'any_one_of': [u'http://localhost:8080']}], u'local': [{u'group': {u'id': u'dcca514a7d754f059a1a8d5e2d1fe04a'}}]}] |00:15
jasonsb+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+00:15
jasonsbgyee: think so00:15
jasonsbgyee: but i have no idea what i'm doing :)00:15
gyeeI am guessing you don't have HTTP_OIDC_ISS in the request env00:19
gyeeor it does not contain the value 'http://localhost:8080'00:19
jasonsbgyee: i think you're right00:20
jasonsbgyee: i hadn't mentally got that far.  let me try00:21
jasonsbgyee: oops, no it's there00:22
jasonsb'HTTP_OIDC_ISS': 'http://localhost:8080/openid-connect-server-webapp/'00:22
jasonsbgyee: but it's not an exact match.  i should fix that probably00:22
gyeeyep00:22
jasonsbgyee: yay  you were right00:23
*** dims has joined #openstack-keystone00:23
jasonsbString length exceeded.The length of string '01921.FLANRJQW%40http%3A//localhost%3A8080/openid-connect-server-webapp/' exceeded the limit of column user_id(CHAR(64)).00:23
gyeeyay!00:23
jasonsb:)00:23
jasonsbnext problem00:23
*** jamielennox is now known as jamielennox|away00:24
*** sigmavirus24 is now known as sigmavirus24_awa00:27
gyeeadd { "type": "openstack_user"}, to "remote"00:28
gyeeand add {"user": {"name": "{0}"}}, to "local"00:30
*** iurygregory has joined #openstack-keystone00:31
*** spandhe has quit IRC00:31
*** jamielennox|away is now known as jamielennox00:35
*** zzzeek has quit IRC00:39
*** spandhe has joined #openstack-keystone00:42
*** piyanai has joined #openstack-keystone00:42
openstackgerritMerged openstack/keystone: Do not specify 'objectClass' twice in LDAP filter string.  https://review.openstack.org/19827000:52
jasonsbgyee: i think we are close01:02
jasonsbgyee: http://localhost:5000/v3/OS-FEDERATION/identity_providers/idp1/protocols/oidc/auth/01:02
jasonsbgyee: gives01:02
jasonsbgyee: "token": {"methods": ["oidc"], "expires_at": "2015-07-08T02:01:58.973753Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "idp1"}, "protocol": {"id": "oidc"}, "groups": [{"id": "dcca514a7d754f059a1a8d5e2d1fe04a"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "01921.FLANRJQW", "name": "01921.FLANRJQW"}, "audit_ids": ["iPDB4PyxSPO4g73TUAZrpw"], "issued_at": "2015-07-08T01:01:58.973792Z"}}01:03
jasonsbgyee: i just need to get a keystone uuid token now i think01:03
gyeeright, you can rescope it to a scoped token and ready to do some damage :)01:04
jasonsbgyee: how to rescope?01:04
jasonsbgyee: i was just trying that01:04
jasonsbgyee: my v3 is weak01:04
gyeeyour unscoped token is in the X-Subject-Token header01:05
gyeeuse it to get a list of projects you have access to01:05
gyeecurl -H 'X-Auth-Token: <unscoped token>' http://localhost:5000/v3/OS-FEDERATION/projects01:07
gyeeand rescope to one of the projects you want to access01:07
gyeehttps://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#the-token-authentication-method01:09
*** btully has quit IRC01:09
ayoungjamielennox, so, once I do an automated install of ipa, I need to run some IPA commands.  The only account I have is admin, and I don't think I can kinit in an automated manner.  If I fetch a keytab, I lock out the admin user (keytab removes the ability to do password auth)01:16
ayoungI can't do the old hack of echo $PASSWORD | kinit admin01:17
ayoungI know this is a feature, but...I need to come up with a workaround for setting up the Federation stuff via ansible01:17
*** shaleh_ has joined #openstack-keystone01:17
ayoungI can do something locally like generate a krb5.conf file and use that to kinit with a custom ccache even.01:18
ayoungbut not from ansible...I think01:18
*** davechen1 has joined #openstack-keystone01:19
*** shaleh has quit IRC01:20
*** davechen has joined #openstack-keystone01:23
ayoungah...shell command allows redirection01:23
*** dims_ has joined #openstack-keystone01:24
*** dims_ has quit IRC01:24
*** davechen1 has quit IRC01:25
*** dims has quit IRC01:27
*** hogepodge has quit IRC01:29
*** stevemar has joined #openstack-keystone01:29
*** stevemar has quit IRC01:30
jamielennoxayoung: can't you like ssh -A or whatever the command is for kerb01:31
ayoungjamielennox, yeah, I did01:31
jamielennoxi guess that would require you had a kinit on the local machine which you don't necessarily want01:31
ayoung- shell: echo FreeIPA4All | kinit admin01:31
*** woodster_ has quit IRC01:31
ayoungI'll replace the password with  {{ ipa_admin_password }}01:31
*** spandhe has quit IRC01:32
ayoungjamielennox, I have a feeling the ipa team is going to need to write some ansible modules in the not-too-distant-future.  Would be nice if the ipa-client could "be" that module01:34
openstackgerritjanonymous proposed openstack/keystone: Python 3: Replace assertRaisesRegexp to its six implementation  https://review.openstack.org/19386601:34
jamielennoxayoung: https://github.com/purpleidea/puppet-ipa01:35
jamielennoxno idea how good they are01:35
jamielennoxbut if it can do a server that would be cool01:36
ayoungjamielennox, so, I mean more like "add a user" in an idempotent way01:36
*** shaleh_ has quit IRC01:36
ayoungmaybe just a "don't report the error if the user already exists" param for the cli01:36
jamielennoxhttps://github.com/purpleidea/puppet-ipa/blob/master/examples/simple-usage3.pp#L1301:37
jamielennoxstill i expect there will need to be something official01:37
*** hogepodge has joined #openstack-keystone01:41
jamielennoxmorganfainberg: can you take a look at https://review.openstack.org/#/c/192499/2 - just a py3 issue on the keystoneclient/keystoneauth branch01:42
*** fangzhou has quit IRC01:55
jasonsbgyee: thank you01:57
jasonsbgyee: its working01:57
jasonsbgyee: i got unscoped token and passed it into projects and got the list01:58
jasonsbgyee: i didn't rescope it yet, but i'm sure it's going to work01:58
jasonsbgyee: very very cool.  thanks a bunch01:58
*** Ctina has joined #openstack-keystone01:58
*** Ctina has quit IRC01:58
gyeejasonsb, you're welcome, have fun :)01:59
jasonsbgyee: will do.  this is fun01:59
*** jasonsb has quit IRC02:00
*** lhcheng has quit IRC02:02
*** chenhong has joined #openstack-keystone02:03
*** gyee has quit IRC02:04
*** btully has joined #openstack-keystone02:07
*** darrenc is now known as darrenc_afk02:12
*** piyanai has quit IRC02:21
*** piyanai has joined #openstack-keystone02:22
*** stevemar has joined #openstack-keystone02:30
*** piyanai has quit IRC02:30
*** piyanai has joined #openstack-keystone02:30
*** stevemar has quit IRC02:34
openstackgerritMerged openstack/keystone: Delete extra parentheses in assertEqual message  https://review.openstack.org/19899002:35
openstackgerritMerged openstack/keystone: Modified command used to run keystone-all.  https://review.openstack.org/19892402:41
*** piyanai has quit IRC02:45
*** piyanai has joined #openstack-keystone02:46
openstackgerritMerged openstack/keystone: Remove fileutils from oslo-incubator  https://review.openstack.org/19926602:51
*** hakimo_ has joined #openstack-keystone02:52
*** Kennan2 is now known as Kennan02:53
*** hakimo has quit IRC02:54
*** stevemar has joined #openstack-keystone02:56
chenhonghi, all. May I ask for review for these two changes: https://review.openstack.org/#/c/197184/ and  https://review.openstack.org/#/c/187899/02:59
*** fangzhou has joined #openstack-keystone03:02
*** csoukup has joined #openstack-keystone03:10
*** Lactem has joined #openstack-keystone03:23
*** spandhe has joined #openstack-keystone03:25
*** dikonoor has joined #openstack-keystone03:25
openstackgerritSteve Martinelli proposed openstack/keystone: Remove convert_to_sqlite.sh  https://review.openstack.org/19938803:27
stevemarmorganfainberg: i have on idea why that file exists ^03:28
stevemarno*03:28
morganfainberglol03:29
morganfainberg+203:29
*** darrenc_afk is now known as darrenc03:29
*** spandhe_ has joined #openstack-keystone03:30
dstanekstevemar: nice; i proposed a patch to rip out all of the other incubator stuff03:30
stevemardstanek: saw it and commented :)03:32
*** spandhe has quit IRC03:32
*** spandhe_ is now known as spandhe03:32
dstanekstevemar: if people are interested i'll have to write a real commit message03:33
dstaneki really just wanted to see what it would look like03:33
stevemaryeah, i had the same opinion with my patch03:33
dstanekstevemar: to answer your question you can just run the testr commands03:34
dstanektox just automates running commands in a given venv; you can always run them yourself03:34
stevemardstanek: yep, it runs nose or whatever underneath the covers03:35
stevemarbut it wasn't as easy as just running run_tests03:36
stevemardstanek: looks like morganfainberg wants that sql script out :)03:38
morganfainberglol03:38
morganfainbergi'm fine with it being removed.03:38
*** kiran-r has joined #openstack-keystone03:38
morganfainbergor to be caught in the incubator removal03:38
morganfainbergor whatever.03:39
stevemarmorganfainberg i have no idea why it's there03:39
dstanekit looks like termie added it when he was converting some mysql tests in 700a397a64bf984ef4c56aec8cc597f212e1f45903:40
davechendstanek: hi David,03:41
davechendstanek: there is patch which has a long history, https://review.openstack.org/#/c/134124/.03:41
Lactemdavechen: Hey Dave!03:41
davechendstanek: you should know the context and background.03:42
davechenLactem: hi,03:42
davechendstanek: Can we clean that up?03:42
LactemIRC after hours... I'm not sure if you remember me (one of the new interns).. You commented on my first bug. (It got merged by the way. Thanks.)03:42
davechenLactem: yes, I know you.03:43
davechendavechen: my pleasure. congrats.03:43
Lactem:D03:43
davechenLactem: type the wrong name, sorry. :)03:44
*** davechen is now known as davechen_away03:45
stevemardstanek: i am totally cool with removing it now - just looked at 700a397a64bf984ef4c56aec8cc597f212e1f45903:45
stevemaralso yay it seems like https://review.openstack.org/#/c/195873/ is passing jenkins now03:45
stevemar+41, -252703:46
*** piyanai has quit IRC03:46
*** zzzeek has joined #openstack-keystone03:46
*** zzzeek has quit IRC03:46
*** boris-42 has quit IRC03:52
openstackgerritDavid Stanek proposed openstack/keystone: Remove all traces of olso incubator  https://review.openstack.org/19934303:53
dstanekdavechen_away: do we not want to support third-party middleware?03:56
*** ayoung has quit IRC03:56
LactemThat's a nice leave message.03:56
dstanekstevemar: for some definition of passing :-)03:57
*** _cjones_ has quit IRC03:57
dstanekthat's about how i passed 9th grade English03:57
stevemardstanek: oh i meant it's passing in zuul :)03:58
stevemarlooking at the results after i rechecked03:58
stevemarthe dsvm jobs didn't crap out after 10 minutes, so i consider them passing :P03:59
stevemar+ tempest and py27 are successful too03:59
*** fangzhou has quit IRC04:02
*** stevemar has quit IRC04:05
*** stevemar has joined #openstack-keystone04:06
*** mtreinish has quit IRC04:07
*** r-daneel has joined #openstack-keystone04:13
*** c_soukup has joined #openstack-keystone04:14
*** kiran-r has quit IRC04:15
*** mtreinish has joined #openstack-keystone04:16
*** csoukup has quit IRC04:16
*** btully has quit IRC04:19
*** david-ly_ has joined #openstack-keystone04:19
*** david-lyle has quit IRC04:22
*** chenhong has quit IRC04:30
stevemardstanek: there we go! https://review.openstack.org/#/c/195873/04:33
*** stevemar has quit IRC04:35
*** chlong has quit IRC04:35
*** stevemar has joined #openstack-keystone04:35
*** Lactem has quit IRC04:40
*** chlong has joined #openstack-keystone04:44
*** chlong has quit IRC04:51
*** btully has joined #openstack-keystone04:51
*** davechen_away is now known as davechen04:57
davechendstanek: I think we should support third-party middleware.04:58
davechendstanek: so, you suggest not to deprecate it when it's third party middleware.04:59
davechendstanek: not sure whether I understand it correctly. :)05:00
davechenLactem: how long is your internship?05:01
openstackgerritMerged openstack/keystone: Adds some debugging statements  https://review.openstack.org/19361905:04
*** richm has quit IRC05:08
*** mabrams has joined #openstack-keystone05:10
*** fangzhou has joined #openstack-keystone05:10
*** dims has joined #openstack-keystone05:11
*** chlong has joined #openstack-keystone05:20
*** boris-42 has joined #openstack-keystone05:21
*** ajayaa has quit IRC05:22
openstackgerritMerged openstack/keystone: Remove convert_to_sqlite.sh  https://review.openstack.org/19938805:31
*** c_soukup has quit IRC05:34
*** davechen_afk is now known as jungler05:37
*** dims has quit IRC05:40
*** ajayaa has joined #openstack-keystone05:45
*** krykowski has joined #openstack-keystone05:50
*** hrou has quit IRC05:50
*** ig0r__ has joined #openstack-keystone05:51
*** ig0r_ has quit IRC05:52
*** browne has quit IRC05:56
*** andrey-mp has joined #openstack-keystone05:58
*** chenhong has joined #openstack-keystone06:03
jamielennoxstevemar: still around? can you approve https://review.openstack.org/#/c/192499/06:04
jamielennoxor look at it06:04
stevemari was just about to close my laptop06:05
jamielennoxstevemar: small python 3 fix only on the keystoneauth branch06:05
stevemarthis looks small06:05
jamielennoxstevemar: i have big ones if that's what you want....06:05
stevemarnaw06:06
stevemari hate that i know keystone requests06:07
*** dguerri` is now known as dguerri06:07
jamielennoxyou and me both06:07
jamielennoxthanks mate06:07
*** kiran-r has joined #openstack-keystone06:12
stevemarjamielennox: np06:12
stevemarlooks like the next release won't be meiji06:12
*** dguerri is now known as dguerri`06:14
*** stevemar has quit IRC06:14
*** tobe has joined #openstack-keystone06:19
lifelessif we get a resolution by tokyo06:28
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Fix missing "raise" when throwing exception.  https://review.openstack.org/19941406:39
*** fhubik has joined #openstack-keystone06:44
*** fhubik is now known as fhubik_afk06:45
*** spandhe has quit IRC06:49
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Fix log message.  https://review.openstack.org/19942007:00
*** fhubik_afk is now known as fhubik07:01
*** fhubik is now known as fhubik_afk07:08
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain.  https://review.openstack.org/19694207:10
*** fhubik_afk is now known as fhubik07:11
*** dtantsur|afk is now known as dtantsur07:14
*** stevemar has joined #openstack-keystone07:15
*** dtantsur has left #openstack-keystone07:15
*** stevemar has quit IRC07:18
*** lhcheng has joined #openstack-keystone07:18
*** ChanServ sets mode: +v lhcheng07:18
*** fhubik is now known as fhubik_afk07:23
*** e0ne has joined #openstack-keystone07:25
*** fhubik_afk is now known as fhubik07:26
*** fhubik has quit IRC07:32
*** fhubik has joined #openstack-keystone07:33
*** afazekas has joined #openstack-keystone07:34
*** fhubik is now known as fhubik_afk07:39
*** dims has joined #openstack-keystone07:41
*** dims_ has joined #openstack-keystone07:42
*** fhubik_afk is now known as fhubik07:43
*** jistr has joined #openstack-keystone07:43
*** dims has quit IRC07:45
*** btully has quit IRC07:46
*** dims_ has quit IRC07:46
*** tobe has quit IRC07:46
*** markvoelker has quit IRC07:47
*** e0ne is now known as e0ne_07:49
*** andrey-mp has quit IRC07:49
*** e0ne_ is now known as e0ne07:51
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Fix missing "raise" when throwing exception.  https://review.openstack.org/19941407:52
*** afazekas has quit IRC07:56
*** e0ne is now known as e0ne_07:57
*** e0ne_ is now known as e0ne07:59
*** e0ne has quit IRC08:00
*** afazekas has joined #openstack-keystone08:09
*** tobe has joined #openstack-keystone08:16
*** chlong has quit IRC08:21
*** tobe has quit IRC08:25
*** tobe has joined #openstack-keystone08:25
*** chenhong has quit IRC08:29
*** boris-42 has quit IRC08:32
*** belmoreira has joined #openstack-keystone08:38
*** tobe has quit IRC08:40
*** dims has joined #openstack-keystone08:43
*** dims_ has joined #openstack-keystone08:44
*** dims__ has joined #openstack-keystone08:45
*** dims___ has joined #openstack-keystone08:46
*** christx2 has joined #openstack-keystone08:46
*** dims has quit IRC08:47
*** markvoelker has joined #openstack-keystone08:48
*** dims_ has quit IRC08:49
*** dims__ has quit IRC08:49
*** dims___ has quit IRC08:50
*** markvoelker has quit IRC08:53
*** christx2 has quit IRC08:58
*** christx2 has joined #openstack-keystone08:59
*** e0ne has joined #openstack-keystone09:03
*** r-daneel has quit IRC09:08
*** afazekas has quit IRC09:12
*** belmoreira has quit IRC09:12
*** tobe has joined #openstack-keystone09:20
*** e0ne is now known as e0ne_09:21
*** afazekas has joined #openstack-keystone09:21
*** belmoreira has joined #openstack-keystone09:24
*** fhubik is now known as fhubik_afk09:24
*** e0ne_ is now known as e0ne09:26
*** fhubik_afk is now known as fhubik09:31
*** piyanai has joined #openstack-keystone09:33
*** bdossant has joined #openstack-keystone09:36
*** e0ne is now known as e0ne_09:37
*** davechen has left #openstack-keystone09:53
*** aix has joined #openstack-keystone09:54
*** fhubik is now known as fhubik_afk09:59
*** e0ne_ is now known as e0ne10:00
*** fhubik_afk is now known as fhubik10:02
*** stevemar has joined #openstack-keystone10:04
*** stevemar has quit IRC10:06
*** e0ne is now known as e0ne_10:11
*** bradjones has quit IRC10:13
*** e0ne_ is now known as e0ne10:13
*** bradjones has joined #openstack-keystone10:15
*** bradjones has quit IRC10:15
*** bradjones has joined #openstack-keystone10:15
*** tobe has quit IRC10:29
*** afazekas has quit IRC10:29
*** afazekas has joined #openstack-keystone10:40
*** e0ne is now known as e0ne_10:40
*** e0ne_ is now known as e0ne10:42
*** markvoelker has joined #openstack-keystone10:49
*** markvoelker has quit IRC10:54
*** rdo has quit IRC10:59
*** afazekas has quit IRC11:13
*** fhubik_afk has joined #openstack-keystone11:17
*** fhubik_afk is now known as fhubik_11:17
*** _kiran_ has joined #openstack-keystone11:17
*** kiran-r has quit IRC11:17
*** fhubik has quit IRC11:18
*** lhcheng has quit IRC11:27
*** _kiran_ has quit IRC11:27
*** fhubik_ is now known as fhubik_afk11:27
*** krykowski_ has joined #openstack-keystone11:32
*** krykowski has quit IRC11:34
*** e0ne is now known as e0ne_11:34
*** e0ne_ is now known as e0ne11:35
*** jaosorior has joined #openstack-keystone11:37
*** e0ne has quit IRC11:38
*** amaretskiy has quit IRC11:39
*** amakarov_away is now known as amakarov11:39
samueldmqmorning11:40
*** dims has joined #openstack-keystone11:47
*** dims_ has joined #openstack-keystone11:48
*** dims__ has joined #openstack-keystone11:49
*** markvoelker has joined #openstack-keystone11:50
*** dims has quit IRC11:52
*** dims_ has quit IRC11:53
samueldmqdstanek: ping - I was looking at #137202, 'Improve List Role Assignments Filters Performance'11:53
*** stevemar has joined #openstack-keystone11:54
*** markvoelker has quit IRC11:54
*** dims__ has quit IRC11:54
samueldmqdstanek: you asked me to split that patch into 2: i) pass the filters to the driver and ii) move the role assignment expansion logic to the manager11:54
samueldmqdstanek: I agree that would be much clearer if it was split that way, however that would take a considerable effort, since the code has changed a lot ..11:55
samueldmqdstanek: I'd like to know if you see your comment there as something 'essential' or if that could be reviewed/approved that way11:55
*** stevemar has quit IRC11:56
samueldmqdstanek: dstanek the right behavior can be ensured by a ton of data-driven tests henrynash is adding in the next patch sets11:56
*** fhubik_afk is now known as fhubik_11:58
*** krykowski has joined #openstack-keystone12:04
*** fhubik_ has quit IRC12:04
*** fhubik_ has joined #openstack-keystone12:05
*** ajayaa has quit IRC12:06
*** gordc has joined #openstack-keystone12:06
*** krykowski_ has quit IRC12:07
*** afazekas has joined #openstack-keystone12:11
*** markvoelker has joined #openstack-keystone12:13
*** arunkant has joined #openstack-keystone12:14
*** kiran-r has joined #openstack-keystone12:14
*** arunkant_ has joined #openstack-keystone12:16
*** piyanai has quit IRC12:17
*** belmoreira has quit IRC12:17
*** arunkant__ has joined #openstack-keystone12:18
*** krykowski has quit IRC12:19
*** browne has joined #openstack-keystone12:19
dstaneksamueldmq: what did i ask to be split?12:20
*** arunkant has quit IRC12:20
samueldmqdstanek: see your comment on the controller12:21
samueldmqdstanek: since I've put the expansion logic (previously on the controller) in the manager12:22
samueldmqdstanek: we have a new representation for expanded role assignments12:22
dstaneksamueldmq: the one where i asked about formatting changes?12:22
*** arunkant_ has quit IRC12:22
samueldmqdstanek: yes, we had a conversation on irc after that I think ..12:23
*** belmoreira has joined #openstack-keystone12:23
samueldmqdstanek: we need that formatting changes, since that's how the manager tells the controller that the assignment is an expanded one (i.e came from group, or inherited)12:23
dstaneksamueldmq: no, you are misunderstanding. i am referring to the changes in the comment. it was hard to see what you changed since you renamed somethings and at the same time restructured12:25
dstaneksamueldmq: on another note i think the reason you are having a hard time getting people to review this patch is that there is a lot mixed into one patch12:27
samueldmqdstanek: yes I did misunderstand :(12:27
samueldmqdstanek: yes this patch has been there for almost a year now .. (it was in another change before .. )12:28
samueldmqdstanek: I'll fix your concerns and let's see what happens12:28
samueldmqdstanek: another point is that .. that code is just .. hard/complex, it includes too many cases of role assignment expansion, at the same time it tries to be clear enough12:29
dstaneksamueldmq: also, what are the helpers in the sql driver used for?12:29
samueldmqdstanek: let me see ..12:30
*** chlong has joined #openstack-keystone12:30
*** afazekas has quit IRC12:31
samueldmqdstanek: that would allow us to get, for example, role assignments for a user on both a project + a domain12:32
*** tellesnobrega_ has joined #openstack-keystone12:32
samueldmqdstanek: but I am not sure I am using that benefit at the manager at all, I'll remove it and see what happens12:32
dstaneksamueldmq: there a 5 helper methods that i don't see being used12:33
samueldmqdstanek: they're used in list_role_assignments() main method12:33
samueldmqdstanek: _get_assignment_types is used there .. which in turn uses the other 412:34
samueldmqdstanek: however I'll check whether I really need that12:34
samueldmqor not12:34
*** tellesnobrega__ has joined #openstack-keystone12:39
*** afazekas has joined #openstack-keystone12:42
*** tellesnobrega_ has quit IRC12:42
*** tellesnobrega_ has joined #openstack-keystone12:42
*** piyanai has joined #openstack-keystone12:43
*** piyanai has quit IRC12:44
*** stevemar has joined #openstack-keystone12:44
*** tellesnobrega__ has quit IRC12:46
*** ninag has joined #openstack-keystone12:49
*** dims has joined #openstack-keystone12:50
*** piyanai has joined #openstack-keystone12:50
*** dims has quit IRC12:54
*** afazekas has quit IRC12:55
*** piyanai has quit IRC12:56
*** fhubik_ is now known as fhubik_afk12:58
*** j_king has quit IRC12:59
samueldmqdstanek: those helper methods in sql are needed because we now need to check for the assignmenttype as well12:59
*** bradjones has quit IRC13:00
*** hrou has joined #openstack-keystone13:00
*** ninag has quit IRC13:00
*** nkinder has quit IRC13:00
samueldmqdstanek: i.e besides querying the actor/target, we query the expected assignment type13:00
*** mfisch has quit IRC13:00
*** jsavak has joined #openstack-keystone13:00
*** ninag has joined #openstack-keystone13:00
*** bradjones has joined #openstack-keystone13:00
*** bradjones has quit IRC13:00
*** bradjones has joined #openstack-keystone13:00
*** j_king has joined #openstack-keystone13:00
*** tellesnobrega__ has joined #openstack-keystone13:01
*** nkinder has joined #openstack-keystone13:01
*** tellesnobrega_ has quit IRC13:03
*** tellesnobrega_ has joined #openstack-keystone13:04
*** tellesnobrega__ has quit IRC13:06
*** mestery_ has joined #openstack-keystone13:06
*** tellesnobrega_ has quit IRC13:09
*** mestery has quit IRC13:09
*** tellesnobrega_ has joined #openstack-keystone13:09
samueldmqdstanek: I've added some documentation on the helper methods, thanks13:11
*** doug-fish has joined #openstack-keystone13:12
*** afazekas has joined #openstack-keystone13:15
*** lhcheng has joined #openstack-keystone13:15
*** ChanServ sets mode: +v lhcheng13:15
*** tellesnobrega__ has joined #openstack-keystone13:16
*** Ephur has joined #openstack-keystone13:16
*** tellesnobrega_ has quit IRC13:18
*** bknudson has joined #openstack-keystone13:19
*** ChanServ sets mode: +v bknudson13:19
*** lhcheng has quit IRC13:20
*** ayoung has joined #openstack-keystone13:20
*** ChanServ sets mode: +v ayoung13:20
ayoungsamueldmq, do you think there is some way we could "deduce" the URL from inside the call to middleware, so we don't need to explicitly set the URL used for policy in the config file?13:21
*** tellesnobrega_ has joined #openstack-keystone13:21
*** dims has joined #openstack-keystone13:22
*** tellesnobrega__ has quit IRC13:24
*** richm has joined #openstack-keystone13:25
samueldmqayoung: hello, I was waiting for you :)13:27
ayoungsamueldmq, I want to try and avoid making the installers update all the config files13:27
*** tellesnobrega__ has joined #openstack-keystone13:27
samueldmqayoung: the url is in the service catalog, right ?13:27
ayoungseems unnecessary13:28
ayoungyes, the URL is in the endpoint entry13:28
ayoungI was thinking we could use the service user, but that is not mapped un-ambiguously to the endpoint13:28
samueldmqayoung: however for the endpoint constraint gyee is looking at, we'll possibly need to specify the endpoint_id ?13:28
ayoungthe same service user could be used for multiple endpoints.   Too bad, that would be the right thing to do, I think13:28
*** woodster_ has joined #openstack-keystone13:29
samueldmqayoung: we'd need to solve that automatically as well, otherwise we'd still need that configured by the deployer13:29
ayoungonce we know one value we can look up the others13:29
samueldmqayoung: exactly13:29
samueldmqayoung: however if we get to the url, that can map to multiple ids13:29
ayoungI think that is a non-issue.  There can only be one policy file executed for any given path through the web server13:30
samueldmqayoung: could endpoint constraint be enforced on the url as well ?13:30
ayoungthere is no way to distinguish upon the call that this is a "public" endpoint call vs. an "admin" endpoint if the url is identical13:30
ayoungsamueldmq, yes, it could13:31
*** tellesnobrega_ has quit IRC13:31
samueldmqayoung: ok, so if we know the url, we could solve both (assuming others agree on that approach)13:32
ayoungsamueldmq, I was thinking we could deduce the URL out of the request values upon first request, but we might be behind a load balancer or proxy, and thus it might not match the hostname of the endpoint URL13:32
ayoungneed to look at what comes through the request, there may be something in there we can use13:32
samueldmqayoung: yes, we can't use the hostname ..13:32
samueldmqayoung: also, looking at the existing middleware configs may help13:33
samueldmqayoung: why don't service endpoints register themselves against keystone automatically ? using the service token ..13:35
ayoungsamueldmq, not much we can count on there.13:35
ayoungsamueldmq, only the[auth_token] section13:35
ayoungsamueldmq, so, they do. But they don't record their own ID13:35
ayoungtechnically, they don't register themselves01:35
samueldmqayoung: do they ? really ?13:35
ayoungits done by the setup process13:36
ayoungwhich is outside the service, and has to be for security reasons13:36
samueldmqayoung: so that is done by the deployer .. at bootstrap time13:36
ayoungthere is no easy way to ask Keystone "what endpoint do you think I am?"13:36
ayoungyeah, at boot13:36
*** radez_g0n3 is now known as radez13:37
samueldmqayoung: yep, there isn't, because the deployer registered the endpoint in keystone, and there could be too much network abstraction being used, such as haproxy etc13:37
ayoungsamueldmq, so each of the nova servers have a serviceuser added to them, and that is who they use to authenticate when validating tokens13:37
samueldmqayoung: that the endpoint itself can't tell keystone about13:37
samueldmqif that makes sense13:37
ayoungyes, makes sense to me...13:38
dstanekthe services don't actually register themselves do they? i thought the bootstrap process was handled by ansible, puppet, etc.13:38
ayoungif there was no load balancer, the endpoint could look at a request and send that in the "get policy" call.  Keystone could do a partial match of the URL13:38
ayoungdstanek, you are correct13:39
samueldmqayoung: so .. the deployer has to tell to the endpoint who it is .. :(13:39
ayoungdstanek, behind a load balancer, the WSGI app does not get the real hostname in the request URL, does it?13:39
samueldmqayoung: setting any of its id/url13:39
dstanekayoung: yes, it should; because virtual hosting works behind a load balancer too13:39
dstanekunless your LB isn't configured correctly13:40
ayoungdstanek, so, we could deduce the URL from the request?13:40
dstanekayoung: yes13:40
*** mylu has joined #openstack-keystone13:40
samueldmqhmm...13:40
ayoungdstanek, then the only thing we need to be aware of is that the URL might not match;  request by IP address is different than Hostname13:40
dstanekayoung: which is why i don't like URL - there could be two different URLs pointing to the same VIP13:40
dstanekayoung: yeah, that too13:41
ayoungdstanek, its not just the hostname, it is the whole URL, down to the version13:41
*** LukeHinds has joined #openstack-keystone13:42
ayoungdstanek, say you have an all-in-one deployment, with nova and glance behind the same load balancer.  Then,13:42
ayoungthe URL would be something like13:42
ayounghttp://hostname/nova/  vs13:42
ayounghttp://hostname/glance/  vs13:42
ayounghttp://hostname/cinder/13:42
ayoungwith finer distinctions for keystone main vs admin, for example13:42
ayounghttp://hostname/keystone/admin13:43
ayoungheh, those should all be https of course13:43
ayoungdstanek, is that clear?13:44
*** mabrams has quit IRC13:45
dstanekayoung: sure13:46
*** mylu has quit IRC13:46
ayoungdstanek, so, lets say we make the query for policy such that you pass an URL to Keystone and it gives you back the endpoint id.  Then you use the endpoint id to fetch the policy itself.13:47
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587313:47
ayoungthat is chatty, but so what.  It means that we have a little clearer view of how the decision is made, which might just help debugging.13:47
*** mylu has joined #openstack-keystone13:48
ayoungSo, we drop the assign/fetch by URL, just provide an URL to endpoint mapping function13:48
ayoungsamueldmq, ^^ does that seem cleaner to you?13:48
*** jacorob_ has joined #openstack-keystone13:48
*** mestery_ has quit IRC13:48
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837213:48
dstanekayoung: are you saying that the URL you would use is the one from the request or one hard coded into the config?13:49
samueldmqayoung: I am concerned about how that function 'f(url) -> id' looks like, since url doesn't map uniquely to the id, and it could not match at all13:49
samueldmqayoung: that looks interesting though13:49
*** mylu has quit IRC13:49
*** mylu has joined #openstack-keystone13:50
*** TheIntern has joined #openstack-keystone13:52
*** jecarey has joined #openstack-keystone13:55
samueldmqayoung: another point is, if the policy is still by endpoint id, the deployer will need to get the endpoint_id anyway .. which was the motivation to use URL (and what morgan was trying to avoid)13:56
*** arunkant_ has joined #openstack-keystone13:56
samueldmqayoung: notice that I am not against this solution at all .. I find it very very interesting since it would reduce the deployer bootstrap configuration, I am just pointing out the potential issues I  am seeing :)13:57
ayoungdstanek, the URL you would use is the one from the request13:57
ayoungsamueldmq, yeah, it might not be unique.  Then ATM would pick one at random13:58
*** csoukup has joined #openstack-keystone13:58
samueldmqayoung: i.e. you might pick the one which doesn't have the policy associated with it :/13:59
*** arunkant has joined #openstack-keystone13:59
*** arunkant__ has quit IRC14:00
ayoungsamueldmq, if you have two different endpoints with exactly the same URL, we should force them all to have the same policy file.  There is no way to distinguish between them14:00
samueldmqayoung: if I understand correctly, we need a policy per service process, correct?14:01
samueldmqayoung: yes I agree, but today we don't enforce that at all14:01
ayoungsamueldmq, well, sort of.  It really is per-service-process-that-reads-the-same-config-file14:01
samueldmqayoung: what identifies a service process uniquely ? what are the possibilities ?14:02
*** tellesnobrega_ has joined #openstack-keystone14:02
*** arunkant_ has quit IRC14:02
samueldmqayoung: so a per-service-process-that-reads-the-same-config-file may group multiple endpoint ids (as represented in keystone)14:02
samueldmqalthough we don't enforce that today14:02
ayoungsamueldmq, none of this is used yet.  Not significantly14:02
ayoungthe endpoint-policy stuff was prep for this14:02
dstanekayoung: so you will need to define a policy for each URL that a service serves? i'm assuming this is really each base URL (auth.example.com, auth-internal.example.com, etc)14:03
samueldmqayoung: so we can just deprecate and create anything else if needed14:03
*** btully has joined #openstack-keystone14:03
ayoungdstanek, so, lets drop the policy-url mapping for a moment.  Instead, lets say that for each requested URL, we use the URL value in the endpoint to try to match it14:04
ayoungit would be a partial match (base url as you say)14:04
*** edmondsw has joined #openstack-keystone14:05
ayoungso it would be requestedurl -> endpoint.url -> endpoint.id -> policy file14:05
*** tellesnobrega__ has quit IRC14:05
samueldmqif we'd have a single endpoint entity (single id) that contains multiple interfaces (and URLs), that'd be solved I think .. however we have different ids for different interfaces14:06
samueldmqI think the current design of endpoints doesn't help :(14:06
*** tellesnobrega__ has joined #openstack-keystone14:06
*** tellesnobrega_ has quit IRC14:06
*** jsavak has quit IRC14:07
dstanekayoung: what if the requestedurl doesn't match any endpoints? or if that endpoint has no policy associated with it?14:07
ayoungdstanek, let me take those separately14:07
ayoungif the requested URL doesn't match any endpoints, we have an error, and we deny the request (maybe a 500 error would even be appropriate here)14:08
ayoungif the endpoint has no policy, we have a couple choices14:08
*** kiran-r has quit IRC14:08
ayoungfirst, there is the stock policy shipped with the server.  We default to that.14:08
samueldmq++ to this first option14:09
ayoungBut, the most common case would be to use the rest of the endpoint-policy rules to get a more general policy file14:09
ayoungthat happens automatically14:09
ayoungso, that is why I want the unified policy file14:09
ayoungthat should be the default.  When a request comes in, the check should start with most specific to most general:14:09
ayoungendpoint->service->region->default14:10
ayoungactually there is one in the middle14:11
ayoung- A policy associated to any endpoint of a given service type in a given region14:11
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst#n1114:11
*** fhubik_afk is now known as fhubik_14:12
*** jsavak has joined #openstack-keystone14:12
ayoungsamueldmq, I actually do not like the "stock policy" fallback, as I think it is a security weakness, but it can be a transition strategy until we get dynamic policy as the default14:13
brad[]Do the keystone command line tools support API v3 oriented commands at this time?14:13
*** mylu has quit IRC14:13
samueldmqayoung: ++14:13
stevemarbrad[]: use openstackclient14:13
*** fhubik_ is now known as fhubik14:13
*** fhubik has quit IRC14:14
stevemarbrad[]: docs.openstack.org/developer/python-openstackclient/14:14
stevemarerr rather http://docs.openstack.org/developer/python-openstackclient/14:14
stevemarthe keystone CLI is being removed (soon)14:14
samueldmqbradsquarebrackets14:14
ayoungstevemar, I thought that was your boss, but I realize that, in python, he'd be brad(,)14:14
stevemarayoung: he's normally topol, but i'd be lying if that thought didn't cross my mind14:15
stevemarmaybe he's testing me14:15
*** mylu has joined #openstack-keystone14:15
*** fhubik has joined #openstack-keystone14:15
ayoungyou say topol, I say tuple14:15
stevemarsamueldmq: don't trust folks with brackets in their name, any brackets14:15
brad[]Is openstackclient able to be used with Juno? We haven't yet upgraded14:15
dstanekayoung: how do real deployments deal with internal URLs to services? like having nova use a different URL to bypass the load balancer. endpoint filtering?14:15
ayoungbrad[], it should work14:15
samueldmqstevemar: hehe :)14:15
ayoungdstanek, I think it varies.14:16
ayoungdstanek, I'd really need to go beat up our support guys to get real answers14:16
stevemarbrad[]: should be, you might run into requirements issues, but *shrugs* - it's meant for client machines, don't need to install it on the same machine as the server14:16
brad[]stevemar: nod14:16
stevemarbrad[]: it's installable via pypi14:16
ayoungor Yum14:17
stevemaryou'll get the latest and greatest that way, the ones that come bundled with RHEL/Ubuntu are a bit older14:17
ayoungor APT14:17
stevemarayoung: i think if you install it on ubuntu 12.04lts you get v0.4.2 :(14:17
stevemarand even 14.04, you get 1.0.314:17
stevemarand they don't change, which upsets me14:18
ayoungstevemar, so, we don't even install it on RHEL.  You need the OSP product to get it.  We are working to change that14:18
ayoungit will be interesting when OpenStack code gets spread across multiple product lines.14:19
ayoungbest to stick to Curl14:19
dstanekayoung: i wonder because each one of those base URLs will have to be associated with the policy14:19
*** mfisch has joined #openstack-keystone14:19
*** mfisch has quit IRC14:20
*** mfisch has joined #openstack-keystone14:20
ayoungdstanek, the more we talk about this, the more paranoid I start thinking.  I wonder if we want to lock down a "secure" endpoint to only work with a specific policy file..but I think if anyone needs that, they would disable dynamic policy.14:20
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720214:21
samueldmqhenrynash: dstanek ^ updated ! :)14:21
ayounghenrynash, read up our discussion, too, as I think it addresses some of your questions WRT dynamic policy14:22
dstanekayoung: this is the fear i had when discussing with samueldmq last week.14:22
ayoungdstanek, I'd ask the folks with the tinfoil hats....14:22
dstanekright now it is so simple and has no corner cases. a service deploys a policy file and that is used to enforce policy.14:22
dstanekin the new world we have cascading policy lookups from the specific (endpoint id) to the generic (service or whatever)14:23
dstanekthat means deployers have to make the generic policy very locked down14:24
ayoungdstanek, yeah, but there is no continuity in meaning between the policy files deployed by Nova vs Glance.  bug 96869614:24
openstackbug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)14:24
henrynashayoung; Thx, tied up right now (not literally)…..will get to them later14:24
dstanekayoung: sure, but maybe there are other ways to handle that. i'm just thinking of this policy solution14:24
ayoungdstanek, so, lets say we cut the fetch and store aspect.  We'd depend on Ansible or Puppet to keep things in sync14:26
ayoungit would be a different integration, and outside of our hands14:26
ayoungbut...there is nothing to prevent someone from doing that with the dynamic policy approach, it would just take additional work14:26
ayoungthey would use the same calls to get the policy out of Keystone, etc.14:27
ayoungdstanek, if you triggered the ansible/puppet call automatically, you would basically have the same system14:28
*** arunkant_ has joined #openstack-keystone14:28
ayoungdstanek, which is another argument for doing url-endpointid as a deliberate call.14:29
samueldmqdstanek: ayoung I gotta go afk for a bit now, will be back in a bit, sorry14:30
*** arunkant has quit IRC14:31
*** tellesnobrega__ has quit IRC14:32
*** mylu has quit IRC14:39
*** fangzhou has quit IRC14:39
*** mylu has joined #openstack-keystone14:40
*** tellesnobrega_ has joined #openstack-keystone14:41
*** mylu has quit IRC14:41
*** mylu has joined #openstack-keystone14:42
*** ajayaa has joined #openstack-keystone14:46
*** belmoreira has quit IRC14:53
openstackgerritTheodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/19807114:53
*** jdandrea has quit IRC14:54
*** ninag has quit IRC15:00
*** Lactem has joined #openstack-keystone15:00
*** ninag has joined #openstack-keystone15:01
Lactemdstanek: That was a fast +2. Thanks!15:01
*** csoukup has quit IRC15:01
gordcstevemar: you know of any examples where policy is enforced pre-query?15:02
gordcie, we query based on policy rules rather than filter results using policy15:03
*** dims has quit IRC15:04
*** Akshay04 has joined #openstack-keystone15:04
*** lhcheng has joined #openstack-keystone15:05
*** ChanServ sets mode: +v lhcheng15:05
*** dims has joined #openstack-keystone15:05
*** tellesnobrega_ has quit IRC15:06
*** diazjf has joined #openstack-keystone15:07
*** ninag has quit IRC15:07
*** jsavak has quit IRC15:08
ayounggordc, what are you asking?15:09
*** lhcheng has quit IRC15:09
*** dims has quit IRC15:10
gordcayoung: we have this patch: https://review.openstack.org/#/c/198536/12/ceilometer/api/controllers/v2/events.py15:10
ayounggordc, policy does not work that way, if you are talking RBAC.15:10
gordcayoung: i am talking rbac.15:10
gordci also should add disclaimer i didn't write our implementation nor do i know much about policy15:11
*** Lactem has quit IRC15:11
gordcbut currently, the implementation is to run query, and loop through each record and validate if it passes policy rules15:11
ayounggordc, I...I did not know such code existed.  The Horror. The Horror.15:11
gordci won't name names...15:12
ayounggordc, so...that is very different from how policy is used elsewhere15:12
ayounggordc, let me take a look at the policy file that goes with that...one sec15:12
gordcayoung: can you point to 'best practice' example for reference.15:12
ayounggordc, hold on.  Still wrapping my head around what you are doing here15:13
ayounghttp://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json  is pretty sparse...15:13
ayounghttp://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json.sample is a little more explicit.15:13
stevemargordc: i was wondering about that, normally is easy for us because the URL or backend defines the owner15:14
ayounggordc, I actually kindof like that code, and kindof hate it...it is making me think.  That hurts my brain14:14
gordcstevemar: owner == user id?15:15
*** Akshay04 has quit IRC15:15
ayoungstevemar, wow...so they are trying to check ownership on a per-event basis, and then apply policy to it?15:16
gordcthe result we're trying to achieve is if user_id/project_id exists in record, use it against defined policy. if not, it's admin only.15:17
stevemarayoung: it's not unreasonable, they only want stuff that affects that15:17
ayounggordc, what policy rule do you match15:17
gordcayoung: yeah, that's the current patch, trying to see if we can build query param from policy to avoid post filtering15:18
ayoungtelemetry:get_events15:18
gordc"user_id:%(user_id)s" "project_id:%(project_id)s" role:admin "role:admin or user_id:%(user_id)s"15:18
gordcthat's the example that was provided.15:18
stevemargordc: so we have a similar issue with trusts/credential/oauth in keystone, but its easy for us to do things pre-query. since when a trust/oauth/credential is created we set an owner/user id in a db somewhere15:18
*** browne has quit IRC15:19
stevemarwhen we list or get, we just query against that user_id15:19
ayounggordc,  getting a query parameter from policy is not going to work15:19
stevemarthe trouble is ceilometer events doesn't have a way to query for a user_id / project_id15:19
ayoungyou need to filter15:19
gordcstevemar: we can.15:19
*** browne has joined #openstack-keystone15:19
ayoungtry not to do "user" and only do project15:20
ayounguser is the wrong abstraction.  Just because a userid is somehow part of an audit event does not imply an ownership relationship. It should be pure RBAC for this15:20
*** boris-42 has joined #openstack-keystone15:21
ayounggordc, so...role:admin is unscoped.  We are on a quest to get rid of unscoped policy rules15:22
*** browne has quit IRC15:22
ayounggordc, so I would simplify your problem to: every audit event needs a project to own it.  If an event comes in without a project ID, put it into the admin project15:23
*** dims has joined #openstack-keystone15:23
ayounghrm...admin domain...15:23
gordcayoung: can the admin project be an assumed value rather than stored default value?15:23
*** jsavak has joined #openstack-keystone15:23
ayounggordc, we are trying to make it something queried from Keystone. Link...15:24
ayounghttps://review.openstack.org/#/c/186926/15:24
*** wrale has joined #openstack-keystone15:26
*** browne has joined #openstack-keystone15:27
dstanekgordc: my first ceilometer review!15:28
openstackgerritayoung proposed openstack/keystone-specs: query configuration via web API  https://review.openstack.org/18692615:28
*** lhcheng has joined #openstack-keystone15:29
*** ChanServ sets mode: +v lhcheng15:29
gordcdstanek: should review in a few weeks. i'm hoping for net loss of 5000 lines of code this cycle.15:30
dstanekgordc: i can help you out with that one! unless you need the thing to work when i am done...15:31
gordcdstanek: nah, we're making no guarantees it'll work either.15:32
gordcso we have a get_limited_to method https://github.com/openstack/ceilometer/blob/master/ceilometer/api/rbac.py#L63-L9015:32
gordcit seems like we can grab user/project info using that... i'm assuming that's wrong way to use policies?15:32
*** lhcheng has quit IRC15:33
*** jdandrea has joined #openstack-keystone15:33
*** arunkant__ has joined #openstack-keystone15:34
*** arunkant__ has quit IRC15:34
*** arunkant has joined #openstack-keystone15:34
ayounggordc, why user_id?15:35
stevemarmorganfainberg: heads up on https://bugs.launchpad.net/keystone/+bug/147250315:35
openstackLaunchpad bug 1472503 in Keystone "python-ldap 2.4.20 causing install issues" [Undecided,New]15:35
morganfainbergstevemar: I think we need to just buckle down and replace that. :(15:36
morganfainbergOh that15:36
morganfainbergNo that is a setup tools/pbr issue15:37
stevemaroh phew15:37
morganfainbergSomeone has an old devstack methinks.15:37
morganfainbergPeople need to stop reusing devstacks and make new vms15:37
ayounggordc, the event is the target of the policy.  Is the idea that some users should only be able to see events that they themself generated?15:38
*** arunkant_ has quit IRC15:38
morganfainbergIt has been a repeat issue (or do a full update of Python libs too)15:38
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917815:39
*** piyanai has joined #openstack-keystone15:39
gordcayoung: we use that method currently for meters. the idea being they can see users can see only their data (if not admin).15:40
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162315:40
*** e0ne has joined #openstack-keystone15:40
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196215:40
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430215:40
morganfainbergstevemar: question asked marked as incomplete.15:40
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389715:41
gordcayoung: we can also limit to just project... i'm just curious if that's even a valid use of policy the (the way we use it in method)15:41
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448515:41
ayounggordc, and the point is that you want to know ahead of time if a user should see only their own, project scoped, or larger.15:41
ayoungSo you are querying all, and then removing ones based on policy.  Inefficient, but the most conservative15:41
*** piyanai has quit IRC15:41
*** david-ly_ is now known as david-lyle15:42
ayounggordc, is that something you really want configurable via policy?15:42
gordcayoung: that is the proposal yes. i'm hoping to not have to query all but restrict query to project15:42
gordcor whatever the policy is.15:42
ayounggordc, cuz the way you wrote it, you could have different roles for different events, too15:43
gordcthe get_limited_to method seems to return me a user and/or project... which seems useful to avoid query all15:43
ayoungyou could have "storage_auditor" that could only see one class of events, and "network_auditor" that could only see neutron type things15:43
ayoungyou wouldn't know until you got the results back which would apply15:43
ayoungpolicy is designed to be configurable15:44
*** piyanai has joined #openstack-keystone15:44
ayoungso, I would almost think you would want to make the queries pre-canned, from most general, to most specific, and put the RBAC check on the query itself, before executing.15:45
*** Akshay04 has joined #openstack-keystone15:45
gordc" put the RBAC15:46
gordc                check on the query itself, before executing"15:46
*** kiran-r has joined #openstack-keystone15:46
ayounggordc, it seems you know the query you are executing, to include the filters, prior to hitting the database.15:46
ayoungso lets say you have 3 queries15:46
gordchow do you do that? in ceilometer you can filter on whatever attributes you want.15:46
ayoungA) select all events15:46
ayoungB) select all events for a project15:47
henrynashlooking for someone to tip https://review.openstack.org/#/c/190996/ over the edge…..15:47
ayoungC) select all events for a user in a project15:47
ayounghenrynash, 1 sec and I'll look15:47
henrynashayoung: merci, mon capotan15:47
ayounggordc, so, you do a policy check for A, it fails, do it for B, it fails, do it for C and it succeeds,  So execute C15:47
gordchow do you get the project and/or user based on policy? using method similar to get_limited_to?https://github.com/openstack/ceilometer/blob/master/ceilometer/api/rbac.py#L63-L9015:47
henrynash(Henry just returned from vacation in France…but still can’t spell)15:48
ayounghenrynash, ok, that one falls into "no brainer, should not even require a spec"  +2A15:48
ayounggordc, only if it is not explicit in the request itself.  I don't love the "magic based on the token values" approach, but it works15:50
ayoungI'd rather keep the token separate, and make someone explicitly ask for one or the other15:50
ayoungdifferent APIs or at least query params15:51
openstackgerritTheodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/19807115:52
gordcayoung: i see. yeah our access is dependent on what token you're using. there's no explicit way to pass in the user/project info (either in body or in url)15:53
ayounggordc, so, instead of checking policy on the events themselves, make 3 queries, check policy on the query, and execute the most general one that passes.15:54
*** jistr has quit IRC15:56
*** tellesnobrega_ has joined #openstack-keystone16:00
openstackgerritMerged openstack/keystone-specs: Support data driven test plans for role assignment testing  https://review.openstack.org/19099616:01
*** geoffarnold has quit IRC16:01
gordcayoung: cool cool. i'll work around that. i'm not sure we need 3 queries since we can define variable filter parameters on our queries16:01
ayounggordc, so the way you are doing it is the most conservative, just puts more load on the webserver.  But if you are building the filters dynamically, you can check policy based on the set of filters you are planning on applying...if that makes sense16:05
*** jsavak has quit IRC16:06
*** jsavak has joined #openstack-keystone16:06
henrynashayoung: thx16:07
*** kiran-r has quit IRC16:08
*** dontalton has joined #openstack-keystone16:10
*** annasort has joined #openstack-keystone16:11
*** jsavak has quit IRC16:12
*** jsavak has joined #openstack-keystone16:12
*** bdossant has quit IRC16:13
gordcayoung: yeah, i think the goal is apply query filters based on policy.16:14
ayounggordc, that makes more sense than checking policy on results, one-by-one16:15
*** dims has quit IRC16:15
*** dims has joined #openstack-keystone16:16
gordcayoung: agreed. especially when it's in tens/hundreds of thousands.16:17
ayounggordc, want me to respond on that code review?16:19
gordcayoung: sure. that'd be good.16:20
*** dims has quit IRC16:21
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Fix log message in one of the v3 create call methods.  https://review.openstack.org/19942016:23
*** piyanai has quit IRC16:25
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Fix log message in one of the v3 create call methods.  https://review.openstack.org/19942016:27
*** _cjones_ has joined #openstack-keystone16:28
*** fangzhou has joined #openstack-keystone16:30
*** ajayaa has quit IRC16:33
*** browne has quit IRC16:36
*** dims has joined #openstack-keystone16:40
*** dontalton is now known as bitblt16:41
*** bitblt has quit IRC16:41
*** bitblt has joined #openstack-keystone16:41
*** bitblt has quit IRC16:42
*** afazekas has quit IRC16:42
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable retrieval of default values of domain config options  https://review.openstack.org/18565016:43
*** Akshay04 has quit IRC16:43
henrynashbknudson, gyee, btopol: you previously commented on: https://review.openstack.org/#/c/185650/ - any other issues, or are we OK on this one?16:45
*** TheIntern has quit IRC16:49
*** _hrou_ has joined #openstack-keystone16:51
*** hrou has quit IRC16:52
*** _hrou_ has quit IRC16:54
*** _hrou_ has joined #openstack-keystone16:54
*** geoffarnold has joined #openstack-keystone16:56
*** ayoung has quit IRC16:59
*** shaleh has joined #openstack-keystone17:02
*** piyanai has joined #openstack-keystone17:06
*** pnavarro has joined #openstack-keystone17:07
*** spandhe has joined #openstack-keystone17:09
samueldmqhenrynash: hi, welcome back :) I hope you enjoyed France17:11
samueldmqhenrynash: have you visited Lyon ? :)17:11
*** jsavak has quit IRC17:15
*** piyanai has quit IRC17:17
*** tellesnobrega_ has quit IRC17:19
*** crc32 has joined #openstack-keystone17:19
*** fhubik has quit IRC17:20
*** jsavak has joined #openstack-keystone17:20
henrynashsamueldmq: absolutely, have…although this time we were in our favourite family-run hotel in Provence, (in a town called Mouriès)17:21
samueldmqhenrynash: nice, France is great :)17:22
samueldmqhenrynash: I lived in Lyon for a year, during my undergraduate studies17:22
samueldmqhenrynash: that was a great experience .. that's a great city17:23
henrynashsamueldmq: I lived in both Antibes and Paris for a year17:23
*** browne has joined #openstack-keystone17:23
henrynashsamueldmq: I speak a little Franglais17:24
samueldmqhenrynash: ah great, so we can have discussions in French :-)17:24
*** piyanai has joined #openstack-keystone17:24
samueldmqhenrynash: hehe17:24
henrynashsamueldmq: of course17:24
samueldmq:-)17:25
samueldmqhenrynash: it's been a long time since I practiced my French, getting better at English is my priority now, since I need it more :)17:26
samueldmqhenrynash: but French is a very interesting and beautiful language17:26
henrynashsamueldmq: indeed17:26
*** e0ne has quit IRC17:28
samueldmqhenrynash: I was looking at your changes for data-driven assignment testing17:30
samueldmqhenrynash: you rebased them .. however they seem to be in merge conflict17:30
*** crc32 has quit IRC17:34
*** pnavarro has quit IRC17:35
*** christx2 has quit IRC17:35
*** bknudson has quit IRC17:38
*** dims has quit IRC17:39
*** dims has joined #openstack-keystone17:39
*** piyanai has quit IRC17:47
*** marzif_ has joined #openstack-keystone17:49
*** TheIntern has joined #openstack-keystone17:51
*** TheIntern has quit IRC17:56
samueldmqdear Keystoners .. I'd appreciate a couple of eyes on the dynamic policies oslo.policy spec17:57
*** aix has quit IRC17:57
samueldmq"Dynamic Policies Overlay" https://review.openstack.org/#/c/196753/17:57
samueldmqhenrynash: morganfainberg cc ^ the idea is to get that merged and then its code asap, since that essential part won't change :)17:58
samueldmqdstanek: cc ^17:59
samueldmqI will start the code, as we try to find a good solution for middleware fetching the right policy (url, id, or whatever)17:59
*** mestery has joined #openstack-keystone18:01
*** TheIntern has joined #openstack-keystone18:03
*** bknudson has joined #openstack-keystone18:03
*** ChanServ sets mode: +v bknudson18:03
*** jasonsb has joined #openstack-keystone18:05
dstaneki'll take a look18:06
* samueldmq wonders why #keystone is that quiet today :)18:06
samueldmqdstanek: ha .. nice thanks18:06
jasonsbstevemar: hallo sir.  wanted to let you know i built keystone from master and openstack identity provider create idp1  went through fine18:06
*** _hrou_ has quit IRC18:07
jasonsbstevemar: everything is working (thank you goes out to gyee)18:07
*** hrou has joined #openstack-keystone18:07
*** tellesnobrega_ has joined #openstack-keystone18:08
*** ayoung has joined #openstack-keystone18:11
*** ChanServ sets mode: +v ayoung18:11
*** jsavak has quit IRC18:12
*** jsavak has joined #openstack-keystone18:13
stevemarjasonsb: oh nice, what did gyee do?18:14
jasonsbstevemar: helped me with Authorization failed. Unable to find valid groups while using mapping idp1_map (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from ::118:15
jasonsbstevemar: gyee pointed me to the map to double check in the debug output that18:16
jasonsbstevemar: 'HTTP_OIDC_ISS': 'http://localhost:8080/openid-connect-server-webapp/'18:16
jasonsbstevemar: matched up with the mapping18:16
stevemarah yeah18:17
stevemarthat'll differ from deployment to deployment18:17
jasonsbstevemar: in my case, HTTP_OIDC_ISS was present, but i only had http://localhost:808018:17
jasonsbstevemar: i changed it to the whole string and it worked18:17
stevemaryay18:17
jasonsbstevemar: +1 on yay18:17
jasonsbstevemar: it was very cool to see it work18:18
stevemarjasonsb: agreed, once it's all setup it's pretty spiffy18:18
jasonsbstevemar: maybe should write it up?18:18
stevemardid the write up help? anything i missed?18:18
jasonsbstevemar: its mitreid idp18:18
jasonsbstevemar: writeup is good.  i had a little bit trouble figuring out what to change for mitre and i'm super weak in v318:19
jasonsbstevemar: so verifying that it is working threw me a little bit18:19
stevemarahh, let me know if theres need for edits18:20
jasonsbstevemar: but considering the complexity of the thing, i think keystone has done an amazing job18:20
stevemarwoot18:20
*** ajayaa has joined #openstack-keystone18:20
jasonsbstevemar: biggest hurdle i think is to assemble all of the pieces (apache config, keystone config, and procedure to config)18:21
jasonsbstevemar: since they are sourced from separate places (and hence reflect different points in time)18:21
jasonsbstevemar: if i had referred to devstack more it probably would have helped me a bit18:22
*** boris-42 has quit IRC18:22
stevemarjasonsb: which, we're (not i) working on through better ansible and puppet support for federation18:22
jasonsbstevemar: how about kolla?18:23
jasonsbstevemar: we would like to use kolla so maybe could contribute kolla+configs+ansible18:24
stevemarjasonsb: no one has brought it up yet, first i'm hearing of kolla support for federation-y things18:27
jasonsbstevemar: oh sorry, this isn't something i've discussed with kolla peeps.  but if it interests you something we maybe could help with18:28
ayoungmorganfainberg, so, a proposal I discussed with samueldmq and dstanek this morning.  Instead of fetching by url, we use the URL to look up the id, and fetch by id.  And...we deduce the URL (if possible) from the request.18:28
*** doug-fish has quit IRC18:29
morganfainbergSure.18:31
ayoungmorganfainberg, if we do this right, we should be able to make it work without further changes to the install process18:32
ayoungsomething like this:18:32
ayoungwe get the full URL out of the request.  Send it to Keystone in a "get endpoint_id for url" call.  Keystone goes through the URLs in the endpoints until it comes up with a partial match:18:33
ayoungbeginswith (request.url(endpoint.url)) > 018:35
ayoungor something valid like that18:35
ayoungthe question I have is, when running behind a load balancer, are we going to have valid URLs that match to begin with, or are they going to get re-written.  dstanek seemed to think they would be valid18:35
*** jaosorior has quit IRC18:36
dstanekthey have to be valid from the path on otherwise keystone can't serve the request - the domain should be correct if the LB is properly configured (think virtual hosting) - and the protocol will be there maybe in a different header if the LB does the SSL termination18:37
*** rdo has joined #openstack-keystone18:39
dstaneksamueldmq: your RST is a bit rusty18:41
*** piyanai has joined #openstack-keystone18:43
*** piyanai has quit IRC18:44
*** doug-fish has joined #openstack-keystone18:44
*** piyanai has joined #openstack-keystone18:44
*** dikonoor has quit IRC18:46
*** jamielennox is now known as jamielennox|away18:47
*** g2` has quit IRC18:48
*** g2` has joined #openstack-keystone18:53
*** jamielennox|away is now known as jamielennox18:54
*** lhcheng has joined #openstack-keystone18:56
*** ChanServ sets mode: +v lhcheng18:56
*** sigmavirus24_awa is now known as sigmavirus2418:56
dstanekbknudson: hola18:56
bknudsondstanek: aloha18:57
dstanekre: https://review.openstack.org/#/c/180769/18/keystonemiddleware/auth_token/__init__.py18:57
dstanekif swift doesn't use oslo.config how do we properly get their settings?18:58
bknudsondstanek: for anything?18:58
bknudsondstanek: that's a good question18:58
bknudsonbut it must work since swift has been around for a while18:58
*** shaleh has quit IRC18:58
samueldmqdstanek: :(18:59
samueldmqdstanek: please gimme suggestions on how to improve that o/18:59
dstanekbknudson: haha, ok18:59
dstaneksamueldmq: links are more like `text`_18:59
dstanekbknudson: so anyway the reason i treated CONF.project in a special way is that it is special!18:59
*** gordc has quit IRC18:59
dstanekwhen a project does CONF('project name') it will set the CONF.project property on the object19:00
bknudsonI didn't know that19:00
*** piyanai has quit IRC19:00
samueldmqdstanek: k will fix :-)19:00
dstanekif the project (like swift?) doesn't do this the oslo.config's __getattr__ is called since they don't set a reasonable default19:00
samueldmqdstanek: I don't know why I defined it like that, maybe to allow one to print the html and still see the link lol19:01
dstanekbknudson: i was going to submit a patch to oslo.config that fixes the issue, but breaks the current interface so I'm not sure they'll take it /cc dhellmann19:02
dstanekwith a bug report first, of course19:02
bknudsondstanek: ok, so maybe just add to the comment that CONF.project is a special config property.19:03
*** piyanai has joined #openstack-keystone19:03
dstanekbknudson: in the process of making a quick edit there now to make it a little more clear19:03
bknudsonso this gets from 1) auth_token middleware config in paste, 2) keystone_authtoken in .conf, or 3) special CONF.project value19:04
bknudsonmight be worth it to put this bit in a method rather than inline19:04
bknudsone.g., self._get_project()19:04
bknudsonor just self._project ?19:04
dstaneksure, that would probably make it more readable19:04
samueldmqayoung: while we keep fighting on that url vs id thing, i.e specs, I will be writing the other pieces to get a demo of dynamic policies running19:05
samueldmqayoung: considering what we have defined today in specs19:05
samueldmqayoung: that'd be great if we could have something to show at the midcycle19:06
ayoungsamueldmq, I'll write the "map url to endpoint_id" spec19:06
samueldmqayoung: this will keep me sane .. thinking about specs 100% of the time is getting me crazy19:06
samueldmqayoung: ok for this first iteration, I am going to set endpoint_id as a config option in middleware19:07
samueldmqayoung: in this patch https://review.openstack.org/#/c/188561/19:07
ayoungsamueldmq, tell you what,  try coding up a proof of concept that pulls the URL out of the request19:07
ayoungsamueldmq, that is a good first step19:08
*** e0ne has joined #openstack-keystone19:09
*** odyssey4me_ has joined #openstack-keystone19:10
*** odyssey4me has quit IRC19:10
*** jsavak has quit IRC19:13
samueldmqayoung: I think we can easily get that from the webob request object19:13
samueldmqayoung: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_request.py#L6319:13
*** bitblt has joined #openstack-keystone19:13
samueldmqayoung: http://webob.readthedocs.org/en/latest/reference.html#id119:13
dstanekbknudson: tests are running now...here is what i ended up with: http://paste.openstack.org/show/356123/19:13
*** geoffarnold has quit IRC19:14
samueldmqayoung: req.environ['HTTP_HOST']19:14
*** odyssey4me_ is now known as odyssey4me19:14
*** jsavak has joined #openstack-keystone19:14
*** Rockyg has joined #openstack-keystone19:15
dstaneksamueldmq: the tricky one is getting the correct protocol19:15
dstaneksamueldmq: also i think there is a request property that does the HTTP_HOST stuff too19:17
lbragstaddolphm: here are a couple commits to help get keystone-deploy's master branch passing again https://github.com/dolph/keystone-deploy/pull/1919:18
samueldmqdstanek: I don't get it ... 'correct protocol', what would be the protocol you refer to there?19:18
dstanekhttp vs. https19:19
*** jsavak has quit IRC19:19
dstaneki'm pretty sure servers take care of the header magic and set the wsgi.url_scheme header, but i'd have to verify19:19
*** jsavak has joined #openstack-keystone19:20
*** ajayaa has quit IRC19:22
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687719:23
*** r-daneel has joined #openstack-keystone19:23
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764719:23
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769919:23
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/19770619:23
dolphmlbragstad: looking!19:27
*** woodster_ has quit IRC19:31
openstackgerritDavid Stanek proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076919:32
*** csoukup has joined #openstack-keystone19:32
lbragstadstevemar: ping, i'm working on a quick ansible script to help set up federated keystone nodes and following the directions here19:33
lbragstadhttps://github.com/openstack/keystone/blob/master/doc/source/federation/shibboleth.rst19:33
samueldmqdstanek: makes sense, thanks for pointing that out :)19:33
lbragstadstevemar: oh, wait...19:35
lbragstadstevemar: the WSGIScriptAliasMatch part is giving me some issues.19:36
*** arunkant has quit IRC19:42
*** arunkant has joined #openstack-keystone19:44
*** e0ne has quit IRC19:47
*** ajayaa has joined #openstack-keystone19:47
stevemarlbragstad: sry, was helping out diazjf :)19:48
stevemarque pasa with your federation19:49
lbragstadstevemar: wait, it might be my lack of knowledge. trying something out quick19:49
stevemar*wait and see approach worked!*19:49
*** piyanai has quit IRC19:50
*** piyanai has joined #openstack-keystone19:57
openstackgerritDavid Stanek proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076919:57
*** crc32 has joined #openstack-keystone19:58
*** Ephur has quit IRC20:01
*** shaleh has joined #openstack-keystone20:06
dstanekbknudson: were you saying on https://review.openstack.org/#/c/196942/6 that you want to be able to create a user without specifying the domain?20:07
morganfainbergdstanek: it makes me all sorts of sad we need to accept config from paste-ini in ksm20:07
*** gyee has joined #openstack-keystone20:07
*** ChanServ sets mode: +v gyee20:07
dstanekmorganfainberg: fire swift20:07
morganfainbergnotmyname, ^ there has to be a better way20:08
*** vilobhmm has joined #openstack-keystone20:08
dstaneki'm assuming that they are the ones doing it since they are not using oslo.config20:08
dstanekmorganfainberg: if everyone used oslo.config we could potentially remove lots of cruft20:09
*** openstackgerrit has quit IRC20:10
* morganfainberg throws oslo.config at swift to see if it sticks... 20:10
*** openstackgerrit has joined #openstack-keystone20:10
bknudsondstanek: you can create a user without specifying the domain20:11
bknudsonthat's what the code allows now20:11
*** piyanai has quit IRC20:11
*** e0ne has joined #openstack-keystone20:11
*** e0ne has quit IRC20:12
openstackgerritDavid Stanek proposed openstack/keystonemiddleware: Fixes modules index generated by Sphinx  https://review.openstack.org/19972420:13
openstackgerritDavid Stanek proposed openstack/python-keystoneclient: Fixes modules index generated by Sphinx  https://review.openstack.org/19932020:13
dstanekstevemar: any reason not to +A https://review.openstack.org/#/c/199328/ ?20:14
morganfainberglbragstad: poke you here?20:17
*** piyanai has joined #openstack-keystone20:17
morganfainbergneed to ask you a question20:17
lbragstadmorganfainberg: o/20:17
*** belmoreira has joined #openstack-keystone20:18
dstanekwhat is keystoneauth1?20:18
*** stevemar has quit IRC20:19
morganfainbergdstanek: the proper namespace for keystoneauth20:21
morganfainbergto make sure it can be installed side-by-side if we need a major version rev in the future20:21
dstanekmorganfainberg: really?20:21
dstaneklooks like i am behind the times20:22
morganfainbergdstanek: it's a future proof20:22
morganfainbergdstanek: i hope we don't need a major version change20:22
morganfainbergbut if we do...20:22
*** woodster_ has joined #openstack-keystone20:23
dstanekinteresting approach20:26
*** geoffarnold has joined #openstack-keystone20:26
morganfainbergdstanek: yeah taking a page from glibc :P20:27
morganfainbergand other similar libraries20:28
morganfainbergthis is because it will be used by services, sdk, and things like shade20:28
morganfainbergit just needs to not break things because something demands a newer version of it20:28
*** crc32 has quit IRC20:29
openstackgerritDavid Stanek proposed openstack/keystone: Adds proper isolation to templated catalog tests  https://review.openstack.org/17455620:30
*** christx2 has joined #openstack-keystone20:34
*** marzif_ has quit IRC20:34
*** crc32 has joined #openstack-keystone20:38
*** annasort has quit IRC20:38
*** shaleh has quit IRC20:40
*** arunkant_ has joined #openstack-keystone20:48
*** shaleh has joined #openstack-keystone20:50
*** piyanai has quit IRC20:51
*** arunkant has quit IRC20:52
*** jinsong has joined #openstack-keystone20:55
*** radez is now known as radez_g0n320:55
*** piyanai has joined #openstack-keystone20:57
jinsongHi: I'm looking at the Keystone v3 credential management and was wondering how it may be used. For example, if created an ec2 credential, how would it be used later? Thanks.20:57
jinsongI'm talking about the /v3/credentials API20:59
*** shaleh has quit IRC21:02
*** shaleh has joined #openstack-keystone21:02
*** jsavak has quit IRC21:04
*** iurygregory has quit IRC21:05
*** tellesnobrega_ has quit IRC21:07
*** ankita_wagh has joined #openstack-keystone21:10
*** annasort has joined #openstack-keystone21:13
*** stevemar has joined #openstack-keystone21:19
*** amakarov is now known as amakarov_away21:23
*** stevemar has quit IRC21:23
*** tellesnobrega_ has joined #openstack-keystone21:23
ayoungwhose genius idea was it to embed K2K into the middle of Federation?  Most federation does not need saml2, or any saml....or any other protocol specific code.  Packaging PITA....21:24
ayoungseriously considering patching it out and disabling it ....21:24
*** jsavak has joined #openstack-keystone21:25
*** henrynash has quit IRC21:25
gyeeayoung, uh cause SAML2 sounds sexy?21:26
*** tellesnobrega_ has quit IRC21:26
*** e0ne has joined #openstack-keystone21:29
dstanekno, SAML2 *is* sexy21:29
*** christx2 has quit IRC21:30
*** fifieldt has quit IRC21:30
lbragstadI think ayoung is ready for some happy hour :)21:33
*** belmoreira has quit IRC21:34
ayounglbragstad, quite21:34
ayoungdstanek, SAML2 is quite possibly the least sexy part of distributed programming I've seen21:34
ayoungBut...seriously,  K2K is really not Federation like the rest of federation.  It builds on it, but it is not core21:35
ayoungI realize we want to do away with Extensions, but if anything should be an extension, it should be K2K21:36
*** pnavarro has joined #openstack-keystone21:36
*** ajayaa has quit IRC21:36
lbragstaddolphm: I'm poking at adding a branch to keystone-deploy that will set up k2k federation. I have most everything built into a role for federation but I'm thinking that I should break it into two (one for the sp and one for the idp), any recommendations?21:36
ayoungI'm just annoyed because I've avoided becoming a package maintainer this long, and it looks like I am going to be stuck with it, and it really is not something I even want us to support.21:36
bigjoolsI always thought it was a little odd too, since it was just adding a SAML IdP21:37
*** e0ne has quit IRC21:37
*** ankita_w_ has joined #openstack-keystone21:37
ayoungbigjools, I think I'd be OK if we said we were going to do SAML inside of a single cloud, instead of tokens.  But we are not21:37
*** jsavak has quit IRC21:38
*** ankita_wagh has quit IRC21:40
*** Rockyg has quit IRC21:42
*** jsavak has joined #openstack-keystone21:43
*** fifieldt has joined #openstack-keystone21:43
*** navid__ has joined #openstack-keystone21:43
ayoungHey bigjools wanna be a co-presenter in Tokyo?21:44
bigjoolswhat for? :)21:44
ayoungI've got a presentation proposal for Kerberos with Openstack21:44
dstanekbigjools: do it! do it!21:45
*** bknudson has quit IRC21:45
bigjoolsheh21:45
bigjoolsI have no experience at presenting, and I've never been to ODS before.21:45
ayounghttps://www.openstack.org/summit/tokyo-2015/call-for-speakers/manage/4007/summary21:45
bigjoolsso it could be a disaster :)21:45
bigjoolsalso I'm not using Kerberos any more21:46
ayoungbigjools, if there were no potential for disaster, what fun could it really be?21:46
dstanekthe edge of disaster is where the fun is at21:46
ayoungAh well21:46
bigjoolsone sec, I am in a meeting21:46
dstanekayoung: i think bigjools is running away :-)21:47
*** jorge_munoz has quit IRC21:47
bigjools:)21:47
*** diazjf has left #openstack-keystone21:48
ayoungI asked marekd or josecastroleon  too, but I suspect that all their Kerberos is hidden behind SAML now21:50
openstackgerritDavid Stanek proposed openstack/keystone: Removed dependency.provider  https://review.openstack.org/16302921:50
openstackgerritDavid Stanek proposed openstack/keystone: Removed optional dependency support  https://review.openstack.org/16277021:51
openstackgerritDavid Stanek proposed openstack/keystone: Decouple notifications from DI  https://review.openstack.org/16276921:51
*** jkomg has joined #openstack-keystone21:52
*** jsavak has quit IRC21:55
*** jsavak has joined #openstack-keystone21:56
*** TheIntern has quit IRC21:57
*** boris-42 has joined #openstack-keystone22:04
*** anhhuynx has joined #openstack-keystone22:04
*** annasort has quit IRC22:04
*** jsavak has quit IRC22:09
*** ankita_wagh has joined #openstack-keystone22:10
*** ankita_w_ has quit IRC22:10
*** pnavarro has quit IRC22:11
*** piyanai has quit IRC22:18
*** mylu has quit IRC22:22
openstackgerritSolomon proposed openstack/keystone: Updated ~/keystone/keystone/cmd/manage.py  https://review.openstack.org/19975822:26
*** piyanai has joined #openstack-keystone22:30
*** piyanai has quit IRC22:35
*** doug-fish has quit IRC22:35
*** sigmavirus24 is now known as sigmavirus24_awa22:35
*** browne has quit IRC22:42
*** piyanai has joined #openstack-keystone22:44
*** bknudson has joined #openstack-keystone22:47
*** ChanServ sets mode: +v bknudson22:47
*** piyanai has quit IRC22:47
*** edmondsw has quit IRC22:50
*** boris-42 has quit IRC22:56
*** crc32 has quit IRC22:56
*** csoukup has quit IRC22:57
*** boris-42 has joined #openstack-keystone22:57
*** stevemar has joined #openstack-keystone23:09
*** piyanai has joined #openstack-keystone23:11
*** ankita_w_ has joined #openstack-keystone23:12
openstackgerritSolomon proposed openstack/keystone: Updated ~/keystone/keystone/cmd/manage.py  https://review.openstack.org/19975823:12
*** ankita_w_ has quit IRC23:13
*** ankita_wagh has quit IRC23:13
*** ankita_wagh has joined #openstack-keystone23:13
*** stevemar has quit IRC23:13
*** piyanai has quit IRC23:13
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687023:14
openstackgerritBrant Knudson proposed openstack/keystone: Fixes docstring to make it more precise  https://review.openstack.org/19933823:14
*** hrou has quit IRC23:17
*** tortle has joined #openstack-keystone23:28
*** anhhuynx has quit IRC23:28
*** tortle has quit IRC23:28
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others  https://review.openstack.org/19693223:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move enforcement and time validation to base class  https://review.openstack.org/19695123:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move common request processing to base class  https://review.openstack.org/18081823:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate parts of auth_token  https://review.openstack.org/19094023:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094123:36
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687023:40
openstackgerritMerged openstack/oslo.policy: Fixes up the API docs and module index  https://review.openstack.org/19932823:41
*** hrou has joined #openstack-keystone23:49
*** jkomg has quit IRC23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!