Thursday, 2015-07-30

*** topol has quit IRC		00:02
bigjools	I think I found a bug here then	00:05
bigjools	I am using multiple domain drivers	00:05
bigjools	which requires _get_domain_id_for_list_request to find a domain in the request token	00:06
bigjools	but the request is scoped to a project, which itself is part of a domain.	00:07
lifeless	I want to name something doseconds	00:07
lifeless	or doalters	00:07
bigjools	lifeless: have you been smoking something? :)	00:09
bigjools	forcing my osc command to use a domain results in an error saying my admin user has no access to the default domain....!	00:12
*** darrenc_afk is now known as darrenc		00:14
dstanek	bigjools: sorry that i'm not too responsive. it's 8pm here and i'm doing some family stuff	00:14
*** _cjones_ has quit IRC		00:21
bigjools	dstanek: no worries, I figured.	00:22
bigjools	I'm going to file a bug	00:23
bigjools	ok it worked as soon as I turned off domain-specific config	00:26
*** tellesnobrega has joined #openstack-keystone		00:33
*** edmondsw has quit IRC		00:34
*** jiaxi has quit IRC		00:34
*** tellesnobrega has quit IRC		00:34
*** piyanai has joined #openstack-keystone		00:47
*** geoffarnold has quit IRC		00:54
*** lhcheng_ has quit IRC		00:55
*** lhcheng has joined #openstack-keystone		00:55
*** ChanServ sets mode: +v lhcheng		00:55
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	00:57
*** h00327910__ has joined #openstack-keystone		00:58
*** lhcheng has quit IRC		01:05
*** topol has joined #openstack-keystone		01:11
*** ChanServ sets mode: +v topol		01:11
*** bknudson has joined #openstack-keystone		01:17
*** ChanServ sets mode: +v bknudson		01:17
*** bhenderson has quit IRC		01:21
*** bhenderson has joined #openstack-keystone		01:22
bigjools	dstanek: I recorded things in a bug: https://bugs.launchpad.net/keystone/+bug/1479578	01:25
openstack	Launchpad bug 1479578 in Keystone "Domain-specific config breaks some ops" [Undecided,New]	01:25
*** mylu has joined #openstack-keystone		01:28
*** chlong has joined #openstack-keystone		01:29
*** browne has quit IRC		01:29
*** jiaxi has joined #openstack-keystone		01:31
*** dan has quit IRC		01:50
*** mylu has quit IRC		02:00
*** mylu has joined #openstack-keystone		02:01
*** Kennan has quit IRC		02:02
*** Kennan has joined #openstack-keystone		02:02
*** ankita_wagh has joined #openstack-keystone		02:05
*** davechen has joined #openstack-keystone		02:06
*** davechen is now known as davehcne		02:06
*** davehcne is now known as davechen		02:06
*** mylu has quit IRC		02:07
davechen	bknudson: hi Brant,	02:07
*** jasonsb has quit IRC		02:07
davechen	bknudson: Just thought these method may be also used by other modules (https://review.openstack.org/#/c/205886/)	02:07
*** jasonsb has joined #openstack-keystone		02:07
bknudson	davechen: the methods in the clean can already be used by other modules.	02:08
bknudson	the clean module	02:08
davechen	bknudson: but it's not clear what clean.py means, and the utils.py should be the one for those kind of generic methods.	02:09
bknudson	davechen: there should not be a utils.py. we don't need a module that's a garbage dump.	02:09
*** ankita_wagh has quit IRC		02:10
bknudson	if "clean" doesn't make sense then rename it.	02:10
*** ankita_wagh has joined #openstack-keystone		02:10
davechen	bknudson: so... all of the current methods implemeted in the utils.py maybe cleanup? and go to the specific modules?	02:11
davechen	bknudson: and how to define where those methods go to? since there maybe quite a lot of reference with those method.	02:12
*** jasonsb has quit IRC		02:12
bknudson	davechen: all the functions in utils.py should go to modules with more specific names.	02:13
davechen	bknudson: I am a little confused, if the utils.py is a garbage dump why there is such a module. :)	02:13
bknudson	davechen: because people make mistakes.	02:13
*** davechen1 has joined #openstack-keystone		02:15
davechen1	bknudson: cool, so suppose there is a method used by different subssytem, is it fine to just define the method in A and let B call the method from A?	02:16
davechen1	bknudson: just curious, is this a right pattern?	02:16
bknudson	davechen1: that's generally a bad idea since it can lead to circular imports. you're better off creating a separate module that both A and B use.	02:17
*** davechen has quit IRC		02:17
*** davechen1 is now known as davechen		02:17
*** dims has quit IRC		02:19
*** dims has joined #openstack-keystone		02:19
davechen	bknudson: yep, this is why there is a utils I think. :)	02:19
davechen	bknudson: for some generic methods, i cannot see there is better way to handle with since it's may used in the different module, different subsystem.	02:21
*** mylu has joined #openstack-keystone		02:22
bknudson	the name of the module doesn't depend on what uses it -- the name is based on what functions are in it.	02:22
davechen	bknudson: those kind of methods is not specific to one resource or identity, this is the keypoint I think, this is why I think they should go to the separate module like utils.py.	02:25
davechen	bknudson: anyway, this is just what I thought.	02:26
*** topol has quit IRC		02:30
*** piyanai has quit IRC		02:36
bknudson	davechen: https://lostechies.com/chrismissal/2009/06/01/anti-patterns-and-worst-practices-utils-class/	02:39
*** bknudson has quit IRC		02:43
openstackgerrit	Dave Chen proposed openstack/keystone: Show helpful message when request body is not provided https://review.openstack.org/195903	02:48
miguelgrinberg	marekd: one more quick question without any rush. I was wondering when you guys plan to push an updated version of keystoneauth to pypi. The current version there predates any of the recent federation changes. I'm also wondering if you plan on removing that scary "use at your own risk" warning any time soon. For the time being, I think I prefer to continue using curl...	02:50
*** hakimo_ has joined #openstack-keystone		02:52
*** hakimo has quit IRC		02:54
*** jasonsb has joined #openstack-keystone		02:57
*** dims has quit IRC		02:57
*** stevemar has joined #openstack-keystone		03:00
*** ChanServ sets mode: +v stevemar		03:00
*** browne has joined #openstack-keystone		03:02
*** lhcheng has joined #openstack-keystone		03:04
*** ChanServ sets mode: +v lhcheng		03:04
davechen	bknudson: Thanks for the reference.	03:08
*** richm has quit IRC		03:13
*** woodster_ has quit IRC		03:14
*** stevemar has quit IRC		03:15
*** stevemar has joined #openstack-keystone		03:16
*** ChanServ sets mode: +v stevemar		03:16
*** stevemar has quit IRC		03:19
*** markvoelker_ has quit IRC		03:20
*** markvoelker_ has joined #openstack-keystone		03:22
*** stevemar has joined #openstack-keystone		03:23
*** ChanServ sets mode: +v stevemar		03:23
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	03:33
*** jamielennox\|away is now known as jamielennox		03:47
*** mylu has quit IRC		04:00
*** btully has quit IRC		04:16
*** topol has joined #openstack-keystone		04:20
*** ChanServ sets mode: +v topol		04:20
*** htruta_ has quit IRC		04:26
*** jlvillal has quit IRC		04:32
*** lhcheng has quit IRC		04:33
*** jamielennox is now known as jamielennox\|away		04:33
*** stevemar has quit IRC		04:39
*** tsymanczyk has quit IRC		04:40
*** lhcheng has joined #openstack-keystone		04:52
*** ChanServ sets mode: +v lhcheng		04:52
*** darrenc is now known as darrenc_afk		04:56
*** geoffarnold has joined #openstack-keystone		05:12
*** geoffarnold has quit IRC		05:15
*** geoffarnold has joined #openstack-keystone		05:18
*** amickus has joined #openstack-keystone		05:21
*** Ephur has joined #openstack-keystone		05:27
*** btully has joined #openstack-keystone		05:30
*** Ephur has quit IRC		05:33
*** btully has quit IRC		05:34
*** topol has quit IRC		05:37
*** darrenc_afk is now known as darrenc		05:40
*** lsmola has joined #openstack-keystone		05:54
*** jtomasek has quit IRC		05:56
*** Nirupama has joined #openstack-keystone		05:56
*** josecastroleon has joined #openstack-keystone		05:58
*** Kennan2 has joined #openstack-keystone		06:03
*** Kennan has quit IRC		06:03
*** hrou has quit IRC		06:09
*** pballand has quit IRC		06:16
*** lhcheng has quit IRC		06:27
*** topol has joined #openstack-keystone		06:38
*** ChanServ sets mode: +v topol		06:38
*** topol has quit IRC		06:43
*** david-lyle has quit IRC		06:43
*** david-lyle has joined #openstack-keystone		06:49
openstackgerrit	Dave Chen proposed openstack/keystone: Remove services with no endpoints from catalog https://review.openstack.org/176383	06:52
*** stevemar has joined #openstack-keystone		06:55
*** ChanServ sets mode: +v stevemar		06:55
*** ankita_w_ has joined #openstack-keystone		06:57
*** ankita_wagh has quit IRC		06:57
*** stevemar has quit IRC		06:58
*** belmoreira has joined #openstack-keystone		07:10
*** browne has quit IRC		07:10
*** chlong has quit IRC		07:25
*** fhubik has joined #openstack-keystone		07:27
*** ParsectiX has joined #openstack-keystone		07:27
*** ankita_w_ has quit IRC		07:29
*** ankita_wagh has joined #openstack-keystone		07:29
*** ankita_wagh has quit IRC		07:33
-openstackstatus- NOTICE: Our CI system is broken again today, jobs are not getting processed at all.		07:40
*** ChanServ changes topic to "Our CI system is broken again today, jobs are not getting processed at all."		07:41
*** amickus has quit IRC		07:46
*** geoffarnold has quit IRC		07:47
*** geoffarnold has joined #openstack-keystone		07:47
marekd	miguelgrinberg: when to push ksa to pypi is rather for morganfainberg and jamielennox\|away.. But we should be able to do that soon. As long as you are not using any production service, what stops you from using 'not stable' version of ksa? I doubt K2K plugin will change.	07:50
-openstackstatus- NOTICE: CI system is broken and very far behind. Please do not approve any changes for a while.		07:50
*** ChanServ changes topic to "CI system is broken and very far behind. Please do not approve any changes for a while."		07:50
*** pnavarro has joined #openstack-keystone		07:51
openstackgerrit	Dave Chen proposed openstack/keystone: Remove services with no endpoints from catalog https://review.openstack.org/176383	07:53
*** jamielennox\|away is now known as jamielennox		07:57
*** pnavarro is now known as pnavarro\|mtg		08:04
openstackgerrit	Marek Denis proposed openstack/keystone: Better error message when unable to map user https://review.openstack.org/206987	08:13
marekd	doug-fish: I don't mind having k2k auth plugin in ksc as long as you promise to propose patches for getting it rid of and depending on ksa once we have it released.	08:16
*** fhubik is now known as fhubik_afk		08:17
openstackgerrit	Marek Denis proposed openstack/keystone: Add groups in scoped federated tokens https://review.openstack.org/207167	08:23
*** kiran-r has joined #openstack-keystone		08:25
*** jistr has joined #openstack-keystone		08:25
*** fhubik_afk is now known as fhubik		08:25
openstackgerrit	Merged openstack/keystone-specs: Project tree deletion https://review.openstack.org/148730	08:32
*** afazekas has joined #openstack-keystone		08:33
*** fhubik is now known as fhubik_afk		08:39
*** aix has joined #openstack-keystone		08:47
*** pnavarro\|mtg is now known as pnavarro		08:56
*** jtomasek has joined #openstack-keystone		08:56
*** fhubik_afk is now known as fhubik		08:56
*** ChanServ changes topic to "Liberty-2 this week! Land Code! \| MidCycle Etherpad: https://etherpad.openstack.org/p/keystone-liberty-midcycle-meetup"		08:59
-openstackstatus- NOTICE: CI is back online but has a huge backlog. Please be patient and if possible delay approving changes until it has caught up.		08:59
*** e0ne has joined #openstack-keystone		09:03
*** chlong has joined #openstack-keystone		09:07
*** jtomasek has quit IRC		09:09
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/206819	09:25
*** jamielennox is now known as jamielennox\|away		09:25
*** piyanai has joined #openstack-keystone		09:28
*** ig0r_ has joined #openstack-keystone		09:31
*** davechen has left #openstack-keystone		09:46
*** dims has joined #openstack-keystone		09:50
*** stevemar has joined #openstack-keystone		09:55
*** ChanServ sets mode: +v stevemar		09:55
*** marzif_ has joined #openstack-keystone		09:57
*** stevemar has quit IRC		09:59
openstackgerrit	Marek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens. https://review.openstack.org/202176	10:05
openstackgerrit	Marek Denis proposed openstack/keystoneauth-saml2: Standardize federated auth token scoping https://review.openstack.org/177227	10:18
*** josecastroleon has quit IRC		10:34
*** jiaxi has quit IRC		10:37
*** aix has quit IRC		10:39
*** fhubik is now known as fhubik_afk		10:40
*** fhubik_afk is now known as fhubik		10:44
*** fhubik is now known as fhubik_afk		10:46
*** dims_ has joined #openstack-keystone		11:02
*** dims has quit IRC		11:02
*** jlvillal has joined #openstack-keystone		11:04
*** aix has joined #openstack-keystone		11:13
*** josecastroleon has joined #openstack-keystone		11:14
*** geoffarnold has quit IRC		11:17
*** geoffarnold has joined #openstack-keystone		11:17
*** InfoAddict has joined #openstack-keystone		11:29
*** InfoAddict has left #openstack-keystone		11:31
*** pnavarro is now known as pnavarro\|lunch		11:42
*** e0ne has quit IRC		11:47
*** piyanai has quit IRC		11:51
*** gordc has joined #openstack-keystone		11:54
*** topol has joined #openstack-keystone		11:57
*** ChanServ sets mode: +v topol		11:57
*** ParsectiX has quit IRC		12:01
*** topol has quit IRC		12:01
*** _kiran_ has joined #openstack-keystone		12:06
*** kiran-r has quit IRC		12:09
*** pnavarro\|lunch is now known as pnavarro		12:12
*** bknudson has joined #openstack-keystone		12:18
*** ChanServ sets mode: +v bknudson		12:18
*** piyanai has joined #openstack-keystone		12:18
*** jaosorior has joined #openstack-keystone		12:19
*** edmondsw has joined #openstack-keystone		12:19
*** fhubik_afk is now known as fhubik		12:20
*** _kiran_ has quit IRC		12:20
*** ParsectiX has joined #openstack-keystone		12:22
*** ericksonsantos has joined #openstack-keystone		12:25
*** stevemar has joined #openstack-keystone		12:26
*** ChanServ sets mode: +v stevemar		12:26
*** samueldmq has joined #openstack-keystone		12:26
samueldmq	morning	12:26
breton	morning!	12:27
*** stevemar has quit IRC		12:28
*** yottatsa has joined #openstack-keystone		12:29
*** yottatsa has quit IRC		12:30
*** yottatsa has joined #openstack-keystone		12:31
*** tellesnobrega has joined #openstack-keystone		12:34
*** tellesnobrega has quit IRC		12:34
*** jamielennox\|away is now known as jamielennox		12:35
*** tellesnobrega has joined #openstack-keystone		12:35
*** fhubik has quit IRC		12:38
*** fhubik has joined #openstack-keystone		12:38
*** tellesnobrega has quit IRC		12:38
*** Nirupama has quit IRC		12:39
*** tellesnobrega has joined #openstack-keystone		12:40
dstanek	morning!	12:40
yottatsa	dstanek, morning!	12:41
yottatsa	it's almost 4pm here in Moscow, but I just came to office, so it's morning	12:42
marekd	yottatsa: you like night shifts or you like working with your US folks ? :P	12:42
*** fhubik has quit IRC		12:43
*** fhubik has joined #openstack-keystone		12:44
*** fhubik_afk has joined #openstack-keystone		12:44
*** fhubik_afk is now known as fhubik_real		12:44
yottatsa	marekd, yesterday was a big-reboot-day, so I came late today )	12:44
*** tellesnobrega has quit IRC		12:45
yottatsa	I usually working with you guys from home )	12:46
*** raildo has joined #openstack-keystone		12:46
samueldmq	dstanek: morning, you around ?	12:48
dstanek	samueldmq: yes. polishing a few reviews that i need to push.	12:48
*** iurygregory has joined #openstack-keystone		12:48
samueldmq	dstanek: quick question, should we care about mitm attack when fetching the policy ?	12:48
samueldmq	dstanek: in that case, adding a sort of checksum to the response ?	12:49
marekd	samueldmq: we should, but its should be covered by proper TLS ?	12:49
*** fhubik_afk has joined #openstack-keystone		12:49
*** jsavak has joined #openstack-keystone		12:49
dstanek	samueldmq: isn't that what TLS does for us? you could make the argument that we would have to do that everywhere	12:49
marekd	yottatsa: i am no us based :-)	12:49
*** fhubik_lunch has joined #openstack-keystone		12:50
yottatsa	marekd, where are you from?	12:50
marekd	samueldmq: dstanek is rigt. puppet doesn't solve it for us either	12:50
marekd	yottatsa: i live in switzerland now	12:50
*** fhubik_real has quit IRC		12:50
*** fhubik has quit IRC		12:50
*** pnavarro is now known as pnavarro\|afk		12:50
samueldmq	marekd: dstanek yeah, I will clarify that in the spec, that was a concern from lhcheng	12:50
samueldmq	I was wondering if we needed to add another layer .. as policy is a very sensitive info	12:51
dstanek	samueldmq: if you add a checksum, how do you know it's valid? you'd have to have a pub/priv key exchange	12:51
marekd	samueldmq: i was thinking about it too (and some other similar topics), but the alternative isn't any better. AFAIR Puppet doesn't have any super auth mechanisms.	12:51
dstanek	samueldmq: which review is that on?	12:51
samueldmq	dstanek: https://review.openstack.org/#/c/134655/	12:51
marekd	samueldmq: just make TLS correctly and don't break when something's wrong	12:51
samueldmq	dstanek: fetch & cache	12:51
dstanek	samueldmq: i'll take a look and comment	12:51
samueldmq	dstanek: nice thanks	12:52
samueldmq	marekd: yeah, we should care about that in keystone, as we can do that thorugh other layers/existing mechanisms	12:52
samueldmq	marekd: we should NOT care about that in keystone, I meant	12:52
*** e0ne has joined #openstack-keystone		12:54
marekd	dstanek: Hi, I have 3 reviews for you dolphm, lbragstad and I were looking at: https://review.openstack.org/#/c/207167/	12:54
*** fhubik_lunch has quit IRC		12:54
*** fhubik_afk has quit IRC		12:55
doug-fish	marekd: with regard to getting rid of the k2k from keystoneclient that I haven't proposed yet ... is the plan to remove all of the auth plugins from ksc and have only the ones from keystoneauth available?	12:55
*** htruta has joined #openstack-keystone		12:55
*** fhubik has joined #openstack-keystone		12:55
marekd	doug-fish: yes	12:55
marekd	well, ksa would be responsible for auth plugins, and ksc would import it if needed.	12:55
doug-fish	FWIW it seems we had poor results in horizon's django_openstack_auth library when we tried to mix ksa/ksc versions of the plugins	12:56
doug-fish	so my point is that we'll need to covert all of d_o_a to use the ksa based plugins when that time comes	12:56
marekd	i think so too.	12:56
marekd	yeah, i am kind of stalled too as I cannot work on some tooling and new plugins as ksa is not yet released.	12:57
doug-fish	I know pauloewerton has started looking at that, but if we can get k2k without the conversion I think there may still be a shot at getting this in liberty	12:57
marekd	which conversion ?	12:57
marekd	k2k to ksc ?	12:57
doug-fish	conversion = changing the d_o_a plugins from ksc to ksa	12:57
marekd	doug-fish: uh, you will just make it longer imho.	12:58
doug-fish	how so?	12:58
marekd	but if you want to move k2k class into ksc - go ahead.	12:58
doug-fish	I think I want to, but that was with the intent of getting it in sooner	12:59
marekd	doug-fish: ok, propose a patch then :)	12:59
doug-fish	if you think it may slow me down that concerns me - I'd like to hear more	12:59
marekd	doug-fish: well, i mean in general maybe im too optimistic on releasing ksa 'soon', but porting anything back to kscmay actually mean you will port it now, use it and spend another cycle or something for switching to ksa and deprecating old stuff.	13:00
marekd	one thing i've learnt here is that you cannot just add the code because later you have to live with that...	13:01
marekd	and wait at least 2 cycles for removing it.	13:01
doug-fish	got it - I see where you are coming from.	13:02
marekd	doug-fish: anyway, if you are ok with later taking care of removing k2k plugin from ksa please go ahead and propose patch	13:02
doug-fish	yep understood - thx for taking the time to explain your thoughts	13:02
*** tellesnobrega has joined #openstack-keystone		13:03
marekd	doug-fish: i will be happy to review	13:03
marekd	and even test	13:03
doug-fish	cool! thanks	13:03
*** jamielennox is now known as jamielennox\|away		13:06
samueldmq	dstanek: just saw your comment	13:07
samueldmq	dstanek: you meant the ksclient using CacheCOntrol and then the cache control mechansim being delegated there ?	13:08
dstanek	marekd: cool, i'll take a look	13:08
marekd	dstanek: thank you	13:08
*** browne has joined #openstack-keystone		13:08
samueldmq	dstanek: hm, saw your comment inline (I am probably dumb)	13:09
*** ig0r_ has quit IRC		13:10
samueldmq	as much as I work in specs, discussions on architecture, etc I understand better why code is cheap	13:12
*** hrou has joined #openstack-keystone		13:12
*** btully has joined #openstack-keystone		13:13
dstanek	samueldmq: no, i'm just saying we don't actually need to implement support for that on the server side	13:13
samueldmq	dstanek: sure, I saw your comment, I had asked without noticing there was an inline comment	13:14
samueldmq	:)	13:14
samueldmq	sorry	13:14
samueldmq	dstanek: actually, if we implemented IMS calls in keystone, we would avoid transfering lots of info, since the policy won't change that often	13:16
*** ParsectiX has quit IRC		13:16
samueldmq	dstanek: but that is probably an optimizaiton, that couldn't be in the scope for now ..	13:16
dstanek	samueldmq: i don't know that there is anything to address now...probably just a cleanup patch after implementation	13:16
*** ig0r_ has joined #openstack-keystone		13:16
samueldmq	dstanek: yes, definitely makes sense, I am updating the spec right now :)	13:16
samueldmq	thanks	13:17
*** dims_ has quit IRC		13:20
dstanek	what happened to the cloning URLs on git.openstack.org?	13:20
*** dims has joined #openstack-keystone		13:20
*** jsavak has quit IRC		13:20
*** marzif_ has quit IRC		13:21
*** marzif_ has joined #openstack-keystone		13:22
*** marzif_ has quit IRC		13:22
*** jsavak has joined #openstack-keystone		13:22
openstackgerrit	Merged openstack/keystone: Handle non-numeric files in key_repository https://review.openstack.org/206177	13:22
*** e0ne has quit IRC		13:22
*** woodster_ has joined #openstack-keystone		13:24
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Fetch and Cache https://review.openstack.org/134655	13:25
samueldmq	dstanek: marekd ^ should be good enough now :)	13:25
*** mylu has joined #openstack-keystone		13:27
*** piyanai has quit IRC		13:30
*** ig0r_ has quit IRC		13:31
*** e0ne has joined #openstack-keystone		13:31
*** piyanai has joined #openstack-keystone		13:32
*** TheIntern has joined #openstack-keystone		13:34
*** piyanai has quit IRC		13:35
*** ParsectiX has joined #openstack-keystone		13:36
*** yottatsa has quit IRC		13:37
*** stevemar has joined #openstack-keystone		13:38
*** ChanServ sets mode: +v stevemar		13:38
openstackgerrit	Konstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting https://review.openstack.org/207456	13:39
*** stevemar has quit IRC		13:39
*** stevemar has joined #openstack-keystone		13:40
*** ChanServ sets mode: +v stevemar		13:40
*** yottatsa has joined #openstack-keystone		13:40
*** jecarey has joined #openstack-keystone		13:42
*** richm has joined #openstack-keystone		13:44
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Distribution Mechanism https://review.openstack.org/197980	13:45
*** zzzeek has joined #openstack-keystone		13:45
*** stevemar has quit IRC		13:45
*** fhubik is now known as fhubik_afk		13:46
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Distribution Mechanism https://review.openstack.org/197980	13:47
*** ayoung has joined #openstack-keystone		13:57
*** ChanServ sets mode: +v ayoung		13:57
*** ninag has joined #openstack-keystone		14:04
*** vince_ has joined #openstack-keystone		14:05
vince_	looking for some help when trying to configure federation	14:06
*** markvoelker_ has quit IRC		14:06
vince_	I cannot work with identity providers, as any command would return a 404, as in	14:06
vince_	openstack identity provider list	14:06
vince_	ERROR: openstack The resource could not be found. (HTTP 404) (Request-ID: req-5080ef53-8a1e-4a8d-aef3-23d94fc75266)	14:06
*** dguerri is now known as dguerri`		14:06
marekd	vince_: hi, are you using V3 API ?	14:07
vince_	marekd: I think I am, even openstack --os-identity-api-version=3 identity provider list does the same	14:07
marekd	you are admin, right?	14:07
marekd	because obviously this is admin-only operation	14:08
*** jiaxi has joined #openstack-keystone		14:08
vince_	yes, admin on a packstack installation	14:08
vince_	with just swift and keystone	14:08
marekd	and what does logs say ?	14:08
samueldmq	try specifying both --os-url and --os-identity-api-version	14:08
doug-fish	marekd: I've been thinking more about your concerns with creating a k2k plugin in python-keystoneauth - I just comprehended that's where the extra supported bit comes in, and I have fuller understanding of what you were saying. Do you have a feeling/prediction on how soon openstackauth might be ready? Think it's 2 weeks or less?	14:08
breton	also try adding --debug	14:09
samueldmq	that's how jamielennox\|away did in some patches to use v3 in devstack, like https://review.openstack.org/#/c/186682	14:09
samueldmq	marekd: vince_ ^	14:09
doug-fish	s/openstackauth/keystoneauth	14:09
*** ParsectiX has quit IRC		14:09
jiaxi	jenkin is ill for too long. when will it become healthy ?	14:09
marekd	samueldmq: i doubt os-url is required	14:09
vince_	marekd: nothing useful from keystone.log, I try with debug	14:10
marekd	doug-fish: i don't have any feeling and it's jamielennox\|away who drives this initiative to be honest. I would't risking it will be less than 2 weeks.	14:10
marekd	vince_: yes, set to debug.	14:10
vince_	samueldmq: same with --os-url:	14:10
vince_	openstack --os-url=http://192.168.0.12:35357/v3 --os-identity-api-version=3 identity provider list	14:10
vince_	ERROR: openstack The resource could not be found. (HTTP 404) (Request-ID: req-6cf3a315-a093-494a-8ecd-613a3c5cacef)	14:10
samueldmq	--debug should tell something else I think	14:11
*** ayoung is now known as ayoung-mtg		14:11
marekd	--debug --verbose	14:11
doug-fish	marekd: thanks! I think I'll keep preparing a ksc based k2k plugin	14:12
marekd	doug-fish: yeah	14:12
*** ajayaa has joined #openstack-keystone		14:12
*** sigmavirus24_awa is now known as sigmavirus24		14:13
*** amakarov_away is now known as amakarov		14:14
vince_	http://pastebin.com/CjcMrcMC	14:14
vince_	this resource doesn't exist: http://192.168.0.12:35357/v3/OS-FEDERATION/identity_providers	14:15
vince_	hence the 404	14:15
samueldmq	marekd: does the extension need to be enabled ^ ?	14:15
*** Kennan2 has quit IRC		14:16
*** Kennan has joined #openstack-keystone		14:16
*** fhubik_afk is now known as fhubik		14:17
marekd	samueldmq: i don't know what RedHat does with their distros...	14:17
marekd	vince_: do you know where your paste file is?	14:17
marekd	i think it may be somewhere in the /usr/share/keystone/keystone-paste.ini or something	14:17
marekd	ayoung-mtg: ^^ ?	14:18
vince_	marked: let me check	14:18
vince_	marekd: let me check	14:18
ayoung-mtg	Ugh, yeah we do something horrible there	14:18
*** jecarey has quit IRC		14:18
ayoung-mtg	so...copy the pipeline over to /etc/keystone, I think you can over ride the paste value in /etc/keystone/keystone.conf	14:19
ayoung-mtg	vince_, ^^	14:19
vince_	http://pastebin.com/XsEM4EEm	14:19
ayoung-mtg	vince_, worst case, you have to hack the file in /usr/share	14:20
vince_	ayoung-mtg: ehm, feel so newbie :D	14:21
vince_	what do you mean by copy the pipeline over to /etc/keystone?	14:22
ayoung-mtg	vince_, don't feel bad. I work for Redhat, I've been doing nothing but Keystone for 3+ years, and it caught me off guard	14:22
ayoung-mtg	vince_, that file you had in the paste.	14:22
vince_	ayoung-mtg: and then set config_file = <that file> in the [paste_deploy] section?	14:23
ayoung-mtg	vince_, yeah. In general, you should not be editing files in /usr/share, so if you need to override values for the paste pipelines, copy the file to /etc/keystone and make sure the keystone.conf explicitly points to the right paste file	14:24
vince_	alright, so the content of the paste file from the pastebin ^ is correct for federation?	14:25
vince_	ayoung-mtg, ok, I see, I have federation_extension in the pipeline in /home/centos/keystone/etc/keystone-paste.ini but not in /usr/share/keystone/keystone-dist-paste.ini	14:26
*** markvoelker has joined #openstack-keystone		14:27
*** markvoelker_ has joined #openstack-keystone		14:28
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Support Multiple SQL Backends https://review.openstack.org/207482	14:28
samueldmq	ayoung-mtg: dstanek waht about this ? ^	14:28
samueldmq	not sure it needs a spec, but there is a good place to put comments, have a discussion	14:29
*** fhubik has quit IRC		14:30
*** ig0r_ has joined #openstack-keystone		14:32
*** markvoelker has quit IRC		14:32
vince_	ayoung-mtg: many thanks to you and the others, working perfectly :)!	14:33
ayoung-mtg	vince_, Your Welcome.	14:33
ayoung-mtg	or You're Welcome...either way	14:33
vince_	:D	14:33
ayoung-mtg	marekd, I tried making the call: openstack identity provider set --remote-id SSSD sssd , which I used for a Proof of concept a while ago. It fails with an "UNknown Attribute exception" in the latest openstack CLI	14:36
*** flwang1 has joined #openstack-keystone		14:37
flwang1	greeting, anybody can give me a tip how to config keystone policy.json to allow a role can only 'create project'?	14:39
flwang1	i tried this way "identity:create_project": "rule:admin_required or role:tenant_creator" but it doesn't work, did i miss anything? thanks a lot	14:40
flwang1	lbragstad: ^	14:41
*** piyanai has joined #openstack-keystone		14:41
vince_	flwang1: afaik you need keystone v3	14:42
flwang1	vince_: why keystone doesn't honour my config?	14:42
marekd	ayoung-mtg: let me try	14:42
ayoung-mtg	flwang1, need more info	14:43
ayoung-mtg	that looks roughly correct	14:43
*** bapalm_ has joined #openstack-keystone		14:43
flwang1	ayoung-mtg: the user case is we need role can only create tenant and user to limit a user's permission, we have a signup service, we don't want to put admin user in the service	14:44
flwang1	so we hope there is a moderator with limited permission	14:44
flwang1	ayoung-mtg: so the basic requirement is having a role can only create tenant and user, or something like that	14:45
flwang1	so what I did is creating a new role in keystone and then config it in policy.json	14:45
flwang1	as above	14:45
flwang1	but it doesn't work	14:45
flwang1	did I missed anything?	14:46
marekd	ayoung-mtg: http://cdn.pasteraw.com/e7icksu3fkv3rmwks79wc1zkx39bgy7 this is what i got... maybe you didn't specify --remote-id twice? (it's one --remote-id switch per parameter)	14:46
ayoung-mtg	marekd, does it need to be set on the initial create? I'll trythat...	14:47
marekd	ayoung-mtg: it doesnt	14:47
marekd	ayoung-mtg: no, it doesnt	14:48
marekd	just confirmed	14:48
flwang1	ayoung-mtg: ^	14:51
*** tjcocozz has joined #openstack-keystone		14:51
*** topol has joined #openstack-keystone		14:54
*** ChanServ sets mode: +v topol		14:54
*** afazekas has quit IRC		14:55
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	14:59
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	14:59
*** ankita_wagh has joined #openstack-keystone		15:02
*** ig0r_ has quit IRC		15:03
*** ig0r__ has joined #openstack-keystone		15:03
*** piyanai has quit IRC		15:03
*** piyanai has joined #openstack-keystone		15:06
jiaxi	dstanek: Hello, David	15:06
jiaxi	dstanek: My patch set maybe change a lot because of coments of Brant Knudson	15:07
jiaxi	dstanek: But I'm sure, whether should I change ,because it's a huge change. And my code looks okay	15:08
*** jbonjean has quit IRC		15:08
jiaxi	Brant Knudson: Hi	15:08
*** ig0r_ has joined #openstack-keystone		15:09
*** ig0r__ has quit IRC		15:09
*** vince_ has quit IRC		15:09
openstackgerrit	Ajaya Agrawal proposed openstack/keystone: Validate Fernet tokens for nil values https://review.openstack.org/207499	15:10
*** jbonjean has joined #openstack-keystone		15:10
ajayaa	Hi cores. Please review the above trivial patch. :)	15:13
*** ig0r__ has joined #openstack-keystone		15:13
*** ig0r__ has quit IRC		15:15
*** ig0r_ has quit IRC		15:15
*** diazjf has joined #openstack-keystone		15:15
*** piyanai has quit IRC		15:16
*** pnavarro\|afk is now known as pnavarro		15:19
*** piyanai has joined #openstack-keystone		15:24
*** dguerri` is now known as dguerri		15:25
*** geoffarnold has quit IRC		15:25
*** stevemar has joined #openstack-keystone		15:32
*** ChanServ sets mode: +v stevemar		15:32
*** topol_ has joined #openstack-keystone		15:32
*** ChanServ sets mode: +v topol_		15:32
*** dguerri is now known as dguerri`		15:34
*** topol has quit IRC		15:35
*** arun_kant has quit IRC		15:42
lbragstad	yottatsa: you had some fernet questions yesterday?	15:45
jiaxi	bknudson: Hello, are you here ?	15:52
*** ig0r_ has joined #openstack-keystone		15:52
*** pnavarro has quit IRC		15:53
*** woodster_ has quit IRC		15:55
*** jaosorior has quit IRC		15:55
*** Protux has quit IRC		15:55
*** h00327910__ has quit IRC		15:55
yottatsa	lbragstad, hi, could you please look at https://review.openstack.org/#/c/206921/2/keystone/token/providers/fernet/token_formatters.py ?	15:57
jiaxi	dstanek: Hello, david.	15:58
miguelgrinberg	marekd: Thanks for your reply. We are about to release a production version of the federation stuff based on kilo. Would you still use keystoneauth in that situation?	15:58
dstanek	jiaxi: hello	15:58
*** amickus has joined #openstack-keystone		15:59
*** dguerri` is now known as dguerri		15:59
*** geoffarnold has joined #openstack-keystone		16:01
lbragstad	yottatsa: makes sense to me	16:04
lbragstad	yottatsa: but I agree with the comments on the patch, they could be fixed in a follow on patch, too.	16:04
*** TheIntern has quit IRC		16:05
*** arunkant_ has joined #openstack-keystone		16:05
jiaxi	dstanek: I don't agree with bknudson's comment	16:06
jiaxi	dstanek: I argue about it in the review. But he didn't reply any more... remain a -1	16:06
*** TheIntern has joined #openstack-keystone		16:07
yottatsa	lbragstad, do you like rev 1 variant more? https://review.openstack.org/#/c/206921/1/keystone/token/providers/fernet/token_formatters.py	16:07
jiaxi	dstanek: A little sad :( Maybe he is angry ??	16:08
dstanek	jiaxi: i doubt it. he's probably busy	16:08
*** lsmola has quit IRC		16:09
dstanek	jiaxi: technically speaking he is correct, but i don't think it's a big enough deal to hold up the review	16:09
jiaxi	dstanek: Maybe you are right again	16:09
lbragstad	yottatsa: I think the way you have it now makes sense and I agree with dolphm's comment. Where you could do the `if not isinstance(token, six.binary_type):` check first in the method and bailout early	16:09
jiaxi	dstanek: Can you see my reply ? Not in draft now .	16:10
dstanek	jiaxi: yes	16:10
lbragstad	yottatsa: I can propose a follow on patch	16:11
jiaxi	dstanek: You don't agree with my reply ?	16:11
dstanek	lbragstad: damn....i'm still working on my changes to fix the binary/string problems in fernet	16:11
dstanek	lbragstad: it's not what i want, but let me push what i have	16:11
lbragstad	dstanek: you mean the six.binary_type part?	16:11
dolphm	dstanek: this is related, i think https://review.openstack.org/#/c/206921/2/keystone/token/providers/fernet/token_formatters.py	16:11
openstackgerrit	David Stanek proposed openstack/keystone: pemutils isn't used anymore https://review.openstack.org/207524	16:11
openstackgerrit	David Stanek proposed openstack/keystone: Fixes a docstring to reflect actual return values https://review.openstack.org/207525	16:11
openstackgerrit	David Stanek proposed openstack/keystone: WIP Fernet on Python 3 https://review.openstack.org/207526	16:12
openstackgerrit	David Stanek proposed openstack/keystone: Fixes Py3 string/bytes issues for tokens https://review.openstack.org/207527	16:12
dstanek	lbragstad: ^ look at the fernet patch	16:12
lbragstad	dstanek: checking	16:12
dstanek	dolphm: did you see typist?	16:12
jiaxi	dstanek: I mean rfc3987 is for general validation. Here is a little special.	16:12
dstanek	jiaxi: no, i disagree with validating the entire URL. i don't remember why, but we decided not to do that right now. but checking for the explicit space is a bit of an over reach	16:13
*** jasonsb has quit IRC		16:13
dolphm	dstanek: ha, no.. but looking at it now	16:13
dstanek	dolphm: i wrote it to help test this particular patches and all my future patches like it	16:14
*** jasonsb has joined #openstack-keystone		16:14
dolphm	dstanek: looks super useful	16:14
dolphm	dstanek: can we apply it to every datetime object everywhere ever please	16:14
dolphm	i hate that we pass strings around as dates :(	16:14
jiaxi	dstanek: In the launchpad, "http://127.0.0.1:8774 /v1.1/\$(tenant_i d)s"	16:14
dstanek	dolphm: i'm going to be updating lots of docstrings this weekend :-)	16:15
jiaxi	dstanek: Two errors	16:15
dstanek	jiaxi: right, but if you boil the bug down to why you get an error it's because the key doesn't exist; a space in other places in the URL, while being incorrect, will not cause a 500 error	16:15
dolphm	dstanek: did you just upload this?	16:15
dolphm	dstanek: i've never seen a project with zero downloads on pypi lol	16:16
jiaxi	dstanek: 1. a space after 8774 2 tenant_i d is not right	16:16
dstanek	i wrote it last weekend and uploaded last night	16:16
bknudson	dstanek: Could not find a version that satisfies the requirement typist (from versions: )	16:16
dstanek	bknudson: blah, doing a pip install?	16:17
bknudson	dstanek: $ .tox/py27/bin/pip install typist	16:17
dstanek	bknudson: interesting...looking. i haven't tried to install it	16:17
bknudson	dstanek: I was trying to give it a download	16:17
bknudson	so you didn't feel so bad about it	16:18
*** ankita_w_ has joined #openstack-keystone		16:18
jiaxi	bknudson : Hello	16:18
dstanek	bknudson: lol	16:18
*** jasonsb has quit IRC		16:18
jiaxi	bknudson: Could you reply me ? https://review.openstack.org/#/c/200512/36/keystone/catalog/core.py	16:19
jiaxi	bknudson: It's 00:20am in China. I'm waiting for your reply.	16:21
*** ankita_wagh has quit IRC		16:22
dstanek	jiaxi: you should just go to bed :-) not worth it tonight	16:22
*** ankita_w_ has quit IRC		16:23
*** _cjones_ has joined #openstack-keystone		16:23
jiaxi	bknudson: After you done your work on hand, I hope that you can spare 1 minutes in replying my reply. Thank you. I'm going go to bed. Good night, everyone.	16:23
jiaxi	dstanek: Yes, a little too tired. Palyed basketball for two hours.	16:23
*** jistr has quit IRC		16:24
*** jiaxi has quit IRC		16:25
*** jaosorior has joined #openstack-keystone		16:27
*** pballand has joined #openstack-keystone		16:27
*** e0ne has quit IRC		16:29
*** TheIntern has quit IRC		16:31
*** aix has quit IRC		16:31
*** josecastroleon has quit IRC		16:32
*** woodster_ has joined #openstack-keystone		16:33
*** dims has quit IRC		16:33
*** lhcheng has joined #openstack-keystone		16:36
*** ChanServ sets mode: +v lhcheng		16:36
*** lhcheng_ has joined #openstack-keystone		16:38
*** lhcheng has quit IRC		16:38
*** piyanai has quit IRC		16:38
*** pnavarro has joined #openstack-keystone		16:39
dolphm	dstanek: if you can't install it, that would explain the 0 downloads	16:40
dolphm	dstanek: "No matching distribution found for typist==0.0.1"	16:41
dstanek	dolphm: yeah, i haven't had time to dig into that yet	16:42
*** gordc has quit IRC		16:57
*** dims has joined #openstack-keystone		16:57
*** belmoreira has quit IRC		16:58
dstanek	dolphm: ok...waiting on ansible build! must fix the typist	17:01
*** jasonsb has joined #openstack-keystone		17:01
*** ankita_wagh has joined #openstack-keystone		17:02
*** tsymanczyk has joined #openstack-keystone		17:02
*** tsymanczyk is now known as Guest90923		17:02
*** piyanai has joined #openstack-keystone		17:03
dstanek	dolphm: lol, i go over to the tab where i was working on typist last night and it's sitting on the upload command failed because it said my password was incorrect	17:05
dstanek	which is odd because i ran the command right after the registration command asked me if i wanted to save my password	17:05
*** henrynash has joined #openstack-keystone		17:06
*** ChanServ sets mode: +v henrynash		17:06
henrynash	morganfainberg: ping	17:07
*** Protux has joined #openstack-keystone		17:08
*** h00327910__ has joined #openstack-keystone		17:08
henrynash	morganfainberg, rodigods: although i approved https://review.openstack.org/#/c/148730/ maybe this was a mistake - do we have an exception granted for this (it changes the API)?	17:15
*** raildo has quit IRC		17:18
*** raildo has joined #openstack-keystone		17:18
*** piyanai has quit IRC		17:19
*** pnavarro has quit IRC		17:19
*** tjcocozz has quit IRC		17:19
dolphm	dstanek: =)	17:20
dstanek	dolphm: so it turns out that disutils added another [pypi] section to my .pypirc instead of just changing the password	17:21
dolphm	dstanek: so settings got ignored?	17:21
*** piyanai has joined #openstack-keystone		17:21
*** e0ne has joined #openstack-keystone		17:22
*** piyanai has quit IRC		17:22
dstanek	dolphm: it picked the second section (i guess last one wins) that had my old password	17:22
dstanek	lhcheng_: yeah, if there is a MITM attack possible for policy then they would technically have access to lots of keystone tokens	17:23
*** e0ne has quit IRC		17:23
*** e0ne has joined #openstack-keystone		17:23
*** bapalm_ has quit IRC		17:25
*** piyanai has joined #openstack-keystone		17:25
lhcheng_	dstanek: yeah, I guess that's true.. if the operators turned off the TLS for communication within the datacenter, the assumption is all communication is already secured there.	17:25
*** dims has quit IRC		17:26
*** lhcheng_ is now known as lhcheng		17:26
*** ChanServ sets mode: +v lhcheng		17:26
yottatsa	omg six https://gist.github.com/yottatsa/680692dd3c4aa39fa26e	17:30
lhcheng	dstanek: okay, I'm fine with the bp not adding the signing option for the policy file.	17:30
*** jecarey has joined #openstack-keystone		17:30
yottatsa	lbragstad do you know is six.string_types works in python3?	17:33
*** browne has quit IRC		17:33
*** ajayaa has quit IRC		17:33
stevemar	dstanek: what was using pemutils?	17:36
*** boris-42 has joined #openstack-keystone		17:37
*** diazjf has quit IRC		17:37
openstackgerrit	Vladimir Eremin proposed openstack/keystone: Explicitly check incorrect token input https://review.openstack.org/206921	17:39
lbragstad	yottatsa: yeah, i'm pretty sure it does	17:41
lbragstad	yottatsa: dstanek would know for sure though	17:41
yottatsa	lbragstad, check out https://gist.github.com/yottatsa/680692dd3c4aa39fa26e	17:41
*** gordc has joined #openstack-keystone		17:41
yottatsa	dstanek too	17:41
*** geoffarnold has quit IRC		17:43
openstackgerrit	Alexander Makarov proposed openstack/keystone: Materialized path mixin https://review.openstack.org/198418	17:43
*** diazjf has joined #openstack-keystone		17:49
*** piyanai has quit IRC		17:50
yottatsa	What if my want to backport patch to kilo, but I can't just 'git review -X'? Can I specify that my backport requires another patch before?	17:51
*** piyanai has joined #openstack-keystone		17:52
*** geoffarnold has joined #openstack-keystone		17:52
*** TheIntern has joined #openstack-keystone		17:54
*** piyanai has quit IRC		17:54
yottatsa	oh, there is a git review -d	17:54
stevemar	dolphm: around?	17:55
*** piyanai has joined #openstack-keystone		17:56
dolphm	stevemar: o/	17:56
*** ayoung-mtg is now known as ayoung		17:57
*** samleon has joined #openstack-keystone		17:57
dstanek	stevemar: no idea, but it seems nothing right now	17:58
dstanek	lbragstad: yottatsa: what would i know?	17:58
ayoung	flwang1, forgetting HMT for the moment, the policy rule should be something like	17:58
*** Ephur has joined #openstack-keystone		17:59
ayoung	"identity:create_project": "domain_id:%(domain_id) and role:tenant_creator"	18:00
lbragstad	dstanek: https://gist.github.com/yottatsa/680692dd3c4aa39fa26e	18:00
dstanek	yottatsa: oh, maybe your gist? that's what i would expect to see	18:00
ayoung	and then make sure the token reflects that the user actually has the tenant_creator role on the domain when calling the API	18:00
dstanek	'' in python2 is not '' in python3	18:01
yottatsa	dstanek, isn't it a six bug?	18:02
dstanek	yottatsa: no	18:03
yottatsa	python3 -c 'import six; print(isinstance(b"", six.string_types))' -> False	18:03
yottatsa	python -c 'import six; print(isinstance(b"", six.string_types))' -> True	18:03
dstanek	encode goes from string to bytes	18:03
dstanek	''.encode() returns bytes (str) in python2 and bytes (bytes) in python3	18:04
dstanek	bytes in python2 is an alias to str and in python3 it is a real type that is not a string	18:05
dstanek	yottatsa: does that make sense?	18:07
*** gordc has quit IRC		18:07
*** gordc has joined #openstack-keystone		18:10
*** browne has joined #openstack-keystone		18:12
openstackgerrit	Alexander Makarov proposed openstack/keystone: Materialized path mixin https://review.openstack.org/198418	18:12
dstanek	yottatsa: the strange typing: https://gist.github.com/dstanek/5c4398add7f674aa5221 - this is why i wrote typist. so i could make sure things were getting called with what i expected	18:16
yottatsa	dstanek that's what I'm talking about ;)	18:16
yottatsa	BTW I'll check typist	18:17
dstanek	yottatsa: so since encode returns binary it isn't a string type in py3	18:17
dstanek	yottatsa: after thinking about this a lot i think that six.string_types is actually a really bad thing because of the ambiguity	18:18
dstanek	we should care that something is text or binary; string_types is both	18:19
*** pnavarro has joined #openstack-keystone		18:19
*** yottatsa has quit IRC		18:20
*** spandhe has joined #openstack-keystone		18:23
*** jasonsb has quit IRC		18:23
*** ig0r__ has joined #openstack-keystone		18:24
*** dims has joined #openstack-keystone		18:26
*** arun_kant has joined #openstack-keystone		18:31
*** josecastroleon has joined #openstack-keystone		18:31
*** jraim_ has joined #openstack-keystone		18:31
*** briancurtin_ has joined #openstack-keystone		18:31
*** ayoung has quit IRC		18:32
*** jasonsb has joined #openstack-keystone		18:33
*** amickus has quit IRC		18:33
*** gordc has quit IRC		18:34
*** jlvillal_ has joined #openstack-keystone		18:34
*** briancurtin has quit IRC		18:34
*** jraim has quit IRC		18:34
*** ericksonsantos has quit IRC		18:34
*** jlvillal has quit IRC		18:34
*** flwang1 has quit IRC		18:34
*** arunkant_ has quit IRC		18:34
*** ericksonfgds has joined #openstack-keystone		18:34
*** briancurtin_ is now known as briancurtin		18:34
*** jeffDeville has joined #openstack-keystone		18:35
*** jraim_ is now known as jraim		18:35
*** jlvillal_ is now known as jlvillal		18:35
*** ankita_wagh has quit IRC		18:43
*** ig0r_ has quit IRC		18:50
*** amakarov is now known as amakarov_away		18:53
*** flwang1 has joined #openstack-keystone		18:54
*** jeffDevi_ has joined #openstack-keystone		18:58
*** jeffDeville has quit IRC		18:59
*** bapalm_ has joined #openstack-keystone		19:00
*** josecastroleon has quit IRC		19:01
*** ankita_wagh has joined #openstack-keystone		19:02
*** ankita_wagh has quit IRC		19:03
*** ig0r_ has joined #openstack-keystone		19:04
*** bapalm_ has quit IRC		19:05
*** ankita_wagh has joined #openstack-keystone		19:10
*** pauloewerton has joined #openstack-keystone		19:10
*** geoffarnold has quit IRC		19:11
*** Guest90923 has quit IRC		19:16
*** piyanai has quit IRC		19:17
*** tsymanczyk has joined #openstack-keystone		19:17
*** flwang1 has quit IRC		19:20
*** jeffDevi_ has quit IRC		19:22
*** jeffDeville has joined #openstack-keystone		19:23
*** gordc has joined #openstack-keystone		19:25
*** e0ne has quit IRC		19:25
*** piyanai has joined #openstack-keystone		19:26
openstackgerrit	Doug Fish proposed openstack/python-keystoneclient: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/207585	19:28
openstackgerrit	Doug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K https://review.openstack.org/207585	19:29
*** piyanai has quit IRC		19:33
samueldmq	dstanek, henrynash, lhcheng, dolphm: hey, the specs are updated and I think they are good enough now, I would appreciate your reviews and some weight on them	19:33
samueldmq	https://review.openstack.org/#/c/134655/ and https://review.openstack.org/#/c/197980/	19:33
samueldmq	btw, some of you already had gave +1/+2 on them :)	19:34
*** piyanai has joined #openstack-keystone		19:35
*** piyanai has quit IRC		19:40
*** jeffDeville has quit IRC		19:40
*** jeffDeville has joined #openstack-keystone		19:40
*** ayoung has joined #openstack-keystone		19:46
*** ChanServ sets mode: +v ayoung		19:46
*** openstackgerrit has quit IRC		19:46
*** openstackgerrit has joined #openstack-keystone		19:47
*** piyanai has joined #openstack-keystone		19:48
*** TheIntern has quit IRC		19:51
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain. https://review.openstack.org/196942	19:51
*** geoffarnold has joined #openstack-keystone		19:52
*** ig0r_ has quit IRC		19:56
*** ninag has quit IRC		19:56
*** belmoreira has joined #openstack-keystone		19:57
*** piyanai has quit IRC		19:57
*** piyanai has joined #openstack-keystone		20:00
*** piyanai has quit IRC		20:01
*** jeffDeville has quit IRC		20:02
*** browne has quit IRC		20:02
*** piyanai has joined #openstack-keystone		20:02
*** browne has joined #openstack-keystone		20:03
*** piyanai has quit IRC		20:09
*** e0ne has joined #openstack-keystone		20:11
*** arun_kant has quit IRC		20:12
*** TheIntern has joined #openstack-keystone		20:12
*** piyanai has joined #openstack-keystone		20:12
openstackgerrit	Brant Knudson proposed openstack/keystone: Use extras for ldap dependencies https://review.openstack.org/207602	20:12
*** piyanai has quit IRC		20:12
*** piyanai has joined #openstack-keystone		20:13
samueldmq	henrynash: what about supporting mutliple SQL backends by having support to multiple sqlalchemy engines ?	20:13
henrynash	samueldmq: well, I’d like to support multiple sql backends, but sqlalchemy makes that pretty hard right now I think	20:14
*** openstackgerrit has quit IRC		20:16
*** openstackgerrit has joined #openstack-keystone		20:17
hogepodge	morganfainberg: why do I need to be admin to get service ids?	20:22
hogepodge	get /v3/services	20:22
dstanek	hogepodge: that's just the default policy rule right? that can change for a deployment	20:27
*** yottatsa has joined #openstack-keystone		20:27
hogepodge	dstanek: we just had a good laugh about that (long long story)	20:28
samueldmq	henrynash: I am not sure about that, I will do some testing and get back to you :)	20:29
hogepodge	dstanek: I'm asking because we want to use ids as external identifiers for public cloud testing, but if it's admin only that falls down.	20:30
dstanek	hogepodge: i don't know the reason for it, but i think things are locked down by default	20:30
hogepodge	dstanek: morganfainberg: is there room to change that default?	20:30
dstanek	hogepodge: change it so it's not in your deployment	20:30
*** piyanai has quit IRC		20:30
dstanek	what would you change it to?	20:30
hogepodge	dstanek: we're interested in deployments we don't own	20:30
hogepodge	dstanek: make getting service ids non-admin by default.	20:31
samueldmq	henrynash: also, I've started a small spec, just to keep the idea and some details as they come https://review.openstack.org/#/c/207482	20:31
hogepodge	dstanek: (I'm speaking with my defcore/interoperability hat on)	20:31
dstanek	hogepodge: i'm sure some of those could just be loosen up to anyone with a token	20:32
dstanek	hogepodge: but if you don't own the cloud they can still restrict it via policy	20:32
*** piyanai has joined #openstack-keystone		20:37
hogepodge	dstanek: yes, but most clouds will have it off by default. we'd like to encourage it to be on by default.	20:37
*** yottatsa has quit IRC		20:38
hogepodge	dstanek: I understand if there are reasons to not have that default, just throwing out a use case we face today	20:39
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	20:41
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	20:41
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	20:42
*** browne has quit IRC		20:43
*** dguerri is now known as dguerri`		20:43
*** browne has joined #openstack-keystone		20:44
*** openstackgerrit has quit IRC		20:46
*** openstackgerrit has joined #openstack-keystone		20:47
*** raildo has quit IRC		20:48
*** pnavarro has quit IRC		20:48
*** yottatsa has joined #openstack-keystone		20:51
*** TheIntern has quit IRC		20:52
*** flwang1 has joined #openstack-keystone		20:55
*** jamielennox\|away is now known as jamielennox		20:57
*** woodster_ has quit IRC		21:00
openstackgerrit	Brant Knudson proposed openstack/keystone: Use extras for memcache and MongoDB packages https://review.openstack.org/207620	21:00
*** openstack has joined #openstack-keystone		21:08
*** openstack has joined #openstack-keystone		21:08
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token() https://review.openstack.org/197647	21:10
flwang1	lbragstad: ping	21:12
lbragstad	flwang1: pong	21:12
flwang1	lbragstad: how are you? a quick question about keystone policy.json	21:13
flwang1	i'm trying to create a role in keystone which can only crate new tenant, is that possible?	21:13
lbragstad	that should be	21:15
*** mylu has quit IRC		21:16
*** oug-fish has joined #openstack-keystone		21:16
lbragstad	flwang1: what are you doing now?	21:17
*** mylu has joined #openstack-keystone		21:18
*** yottatsa has quit IRC		21:18
*** hrou has quit IRC		21:18
*** mylu has quit IRC		21:19
*** Doug-fish-remote has joined #openstack-keystone		21:20
*** oug-fish has quit IRC		21:20
flwang1	lbragstad: i created a new role named 'tenant_creator' and updated the policy.json of keystone like "identity:create_project": "rule:admin_required or role:tenant_creator",	21:21
flwang1	lbragstad: restart keystone	21:21
flwang1	create a new user, add the role 'tenant_creator' for the new user, try to create a tenant, failed	21:21
lbragstad	flwang1: what error do you get, a 401?	21:22
flwang1	yep, i assume it should be 403, but it's a 401	21:22
lbragstad	how did you grant that user the "tenant_creator" role?	21:23
flwang1	keystone user-role-add --user tenant_creator_A --tenant demo --role tenant_creator	21:23
*** Doug-fish-remote has quit IRC		21:23
flwang1	should I add it into the admin tenant?	21:24
lbragstad	no, I don't think that will help	21:24
flwang1	ok	21:24
lbragstad	give that user the same role assignment but do it on the default domain, or the damain that you're operating within	21:24
*** marzif_ has joined #openstack-keystone		21:26
flwang1	lbragstad: i'm using v2 :(	21:27
lbragstad	ahh...	21:27
lbragstad	then I'm not 100% sure	21:27
flwang1	ok, so is there any way to do that in v3?	21:28
*** geoffarnold has quit IRC		21:29
lbragstad	yeah, I would look into creating a rule like this	21:29
lbragstad	https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L39	21:29
lbragstad	but instead of rule:admin_required	21:29
lbragstad	it would be role:tenant_creator	21:30
*** topol_ has quit IRC		21:31
*** marzif_ has quit IRC		21:32
lbragstad	flwang1: does that make sense?	21:32
flwang1	will it impact if all our current components are using v2?	21:33
flwang1	we have a customized service is talking with keystone, can we just let it use v3 and keep the others using v2?	21:33
*** marzif_ has joined #openstack-keystone		21:34
lbragstad	it should only impact users with that role assigned.	21:34
lbragstad	yeah, as long as your keystone has a v3 pipeline configured	21:35
*** marzif_ has quit IRC		21:35
lbragstad	and you can make v3 calls to it	21:35
flwang1	lbragstad: ok, btw, can v3 support invite another user into current tenant?	21:35
lbragstad	invite another user? like an ephemeral user?	21:35
*** marzif_ has joined #openstack-keystone		21:36
lbragstad	or a user that doesn't exist in the local keystone's db?	21:36
flwang1	lbragstad: not ephemeral	21:36
flwang1	the later one	21:36
flwang1	or another scenario is the user is existing, but don't have access to current tenant	21:36
lbragstad	when you say 'invite' you mean like for a certain amount of time, this user can play around in this tenant?	21:38
flwang1	lbragstad: sort of	21:38
lbragstad	you might be able to accomplish that with a trust	21:39
gordc_	hi, is there a super-admin concept? basically an admin not scoped to project or admin for all projects?	21:39
*** gordc_ is now known as gordc		21:39
flwang1	two scenarios: 1. i'm a project owner, now i want to add more memebers of my team to this tenant	21:39
flwang1	2. they may or may not existing in keystone db yet	21:40
*** diazjf has left #openstack-keystone		21:41
lbragstad	for scenario 1, i'd just say that the project owner assigns the people they want in their project a role on the project	21:41
gordc	stevemar: ^	21:41
lbragstad	with scenario 2, you're going to be looking at something like federation	21:41
*** geoffarnold has joined #openstack-keystone		21:42
flwang1	lbragstad: but now the user-role-add command only can be run by admin, right?	21:42
flwang1	lbragstad: so does that mean, we may need another 'reseller' admin role for the project owner?	21:43
*** geoffarn_ has joined #openstack-keystone		21:43
*** jecarey has quit IRC		21:46
*** markvoelker_ has quit IRC		21:46
*** geoffarnold has quit IRC		21:47
*** ig0r__ has quit IRC		21:51
stevemar	gordc: nah	21:54
stevemar	gordc: that's where the admin-token comes in, but not for a user, no	21:54
*** marzif_ has quit IRC		21:54
stevemar	some folks are tossing around terms like 'cloud admin'	21:54
stevemar	morganfainberg: dolphm ^	21:54
lbragstad	flwang1: reseller?	21:55
flwang1	lbragstad: ok, project owner	21:55
flwang1	generally, you know, project owner also only has the member role	21:55
flwang1	not an 'admin' role	21:56
openstackgerrit	Brant Knudson proposed openstack/keystone: Extras for bandit https://review.openstack.org/207645	21:56
lbragstad	I think you'd just need to make sure what ever role the project owner has, it has the ability to add other users to their project	21:57
flwang1	i'm not familiar with v3, so not sure if there is any new solution for that	21:57
gordc	stevemar: was cloud admin comment to me?	21:57
flwang1	lbragstad: right, yes. that's what i'm trying to figure out	21:57
stevemar	gordc: yes sir	21:57
stevemar	it doesn't exist yet, but folks are asking for the same thing	21:58
gordc	oh. i guess that's what edmondsw was talking about.	21:58
flwang1	lbragstad: i think keystone works fine with 'admin' role, but i haven't succeed to do an 'admin' action with a non-admin role yet	21:58
*** haneef_ has joined #openstack-keystone		21:58
stevemar	gordc:	21:58
flwang1	even though i have configured it in policy.json	21:58
stevemar	gordc: probably	21:58
stevemar	i'm out	21:58
gordc	same. lates	21:59
*** stevemar has quit IRC		21:59
lbragstad	flwang1: that's probably because the policy is denying the action	21:59
*** gordc has quit IRC		21:59
*** stevemar has joined #openstack-keystone		21:59
*** ChanServ sets mode: +v stevemar		21:59
haneef_	dolphm: fernet token always seems to end with %3D, Is that part of sepc	22:02
*** zzzeek has quit IRC		22:02
*** e0ne has quit IRC		22:02
*** stevemar has quit IRC		22:03
*** markvoelker has joined #openstack-keystone		22:08
*** jamielennox is now known as jamielennox\|away		22:15
flwang1	lbragstad: but i have set it :)	22:16
*** samleon has quit IRC		22:31
*** markvoelker_ has joined #openstack-keystone		22:32
*** piyanai has quit IRC		22:33
*** geoffarnold has joined #openstack-keystone		22:34
*** markvoelker has quit IRC		22:35
*** belmoreira has quit IRC		22:37
*** geoffarn_ has quit IRC		22:37
*** jsavak has quit IRC		22:42
*** harlowja has quit IRC		22:44
*** jaosorior has quit IRC		22:44
*** harlowja has joined #openstack-keystone		22:44
*** piyanai has joined #openstack-keystone		22:58
*** boris-42 has quit IRC		23:00
*** markvoelker_ has quit IRC		23:14
*** tqtran has joined #openstack-keystone		23:18
*** piyanai has quit IRC		23:20
*** _cjones_ has quit IRC		23:24
*** htruta has quit IRC		23:26
*** jungler has quit IRC		23:27
*** jungler has joined #openstack-keystone		23:28
*** htruta has joined #openstack-keystone		23:28
*** dims_ has joined #openstack-keystone		23:31
*** dims_ has quit IRC		23:31
*** htruta is now known as htruta_		23:31
*** htruta_ has quit IRC		23:32
*** htruta has joined #openstack-keystone		23:32
*** dims has quit IRC		23:35
dstanek	haneef_: that may because they are base64 encoded and i think that's the = sign	23:36
dolphm	dstanek: ++ cc- haneef_	23:38
*** jiaxi has joined #openstack-keystone		23:39
jiaxi	biknudson: Hello,sir.	23:40
jiaxi	bknudson	23:40
jiaxi	bknudson: Are you here?	23:40
jiaxi	bknudson: Are you here ? In you last comment, it seems that you give me several options. That's not fair. You should only give one.	23:41
*** doug-fish has quit IRC		23:44
*** doug-fish has joined #openstack-keystone		23:45

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!