Thursday, 2015-07-30

*** topol has quit IRC [00:02]
<bigjools> I think I found a bug here then [00:05]
<bigjools> I am using multiple domain drivers [00:05]
<bigjools> which requires _get_domain_id_for_list_request to find a domain in the request token [00:06]
<bigjools> but the request is scoped to a project, which itself is part of a domain. [00:07]
<lifeless> I want to name something doseconds [00:07]
<lifeless> or doalters [00:07]
<bigjools> lifeless: have you been smoking something? :) [00:09]
<bigjools> forcing my osc command to use a domain results in an error saying my admin user has no access to the default domain....! [00:12]
*** darrenc_afk is now known as darrenc [00:14]
<dstanek> bigjools: sorry that i'm not too responsive. it's 8pm here and i'm doing some family stuff [00:14]
*** _cjones_ has quit IRC [00:21]
<bigjools> dstanek: no worries, I figured. [00:22]
<bigjools> I'm going to file a bug [00:23]
<bigjools> ok it worked as soon as I turned off domain-specific config [00:26]
*** tellesnobrega has joined #openstack-keystone [00:33]
*** edmondsw has quit IRC [00:34]
*** jiaxi has quit IRC [00:34]
*** tellesnobrega has quit IRC [00:34]
*** piyanai has joined #openstack-keystone [00:47]
*** geoffarnold has quit IRC [00:54]
*** lhcheng_ has quit IRC [00:55]
*** lhcheng has joined #openstack-keystone [00:55]
*** ChanServ sets mode: +v lhcheng [00:55]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Add is_domain field in Project Table
*** h00327910__ has joined #openstack-keystone [00:58]
*** lhcheng has quit IRC [01:05]
*** topol has joined #openstack-keystone [01:11]
*** ChanServ sets mode: +v topol [01:11]
*** bknudson has joined #openstack-keystone [01:17]
*** ChanServ sets mode: +v bknudson [01:17]
*** bhenderson has quit IRC [01:21]
*** bhenderson has joined #openstack-keystone [01:22]
<bigjools> dstanek: I recorded things in a bug:
<openstack> Launchpad bug 1479578 in Keystone "Domain-specific config breaks some ops" [Undecided,New] [01:25]
*** mylu has joined #openstack-keystone [01:28]
*** chlong has joined #openstack-keystone [01:29]
*** browne has quit IRC [01:29]
*** jiaxi has joined #openstack-keystone [01:31]
*** dan has quit IRC [01:50]
*** mylu has quit IRC [02:00]
*** mylu has joined #openstack-keystone [02:01]
*** Kennan has quit IRC [02:02]
*** Kennan has joined #openstack-keystone [02:02]
*** ankita_wagh has joined #openstack-keystone [02:05]
*** davechen has joined #openstack-keystone [02:06]
*** davechen is now known as davehcne [02:06]
*** davehcne is now known as davechen [02:06]
*** mylu has quit IRC [02:07]
<davechen> bknudson: hi Brant, [02:07]
*** jasonsb has quit IRC [02:07]
<davechen> bknudson: Just thought these methods may be also used by other modules (
*** jasonsb has joined #openstack-keystone [02:07]
<bknudson> davechen: the methods in the clean can already be used by other modules. [02:08]
<bknudson> the clean module [02:08]
<davechen> bknudson: but it's not clear what means, and the should be the one for those kind of generic methods. [02:09]
<bknudson> davechen: there should not be a we don't need a module that's a garbage dump. [02:09]
*** ankita_wagh has quit IRC [02:10]
<bknudson> if "clean" doesn't make sense then rename it. [02:10]
*** ankita_wagh has joined #openstack-keystone [02:10]
<davechen> bknudson: so... all of the current methods implemented in the maybe cleanup? and go to the specific modules? [02:11]
<davechen> bknudson: and how to define where those methods go to? since there maybe quite a lot of reference with those method. [02:12]
*** jasonsb has quit IRC [02:12]
<bknudson> davechen: all the functions in should go to modules with more specific names. [02:13]
<davechen> bknudson: I am a little confused, if the is a garbage dump why there is such a module. :) [02:13]
<bknudson> davechen: because people make mistakes. [02:13]
*** davechen1 has joined #openstack-keystone [02:15]
<davechen1> bknudson: cool, so suppose there is a method used by different subsystem, is it fine to just define the method in A and let B call the method from A? [02:16]
<davechen1> bknudson: just curious, is this a right pattern? [02:16]
<bknudson> davechen1: that's generally a bad idea since it can lead to circular imports. you're better off creating a separate module that both A and B use. [02:17]
*** davechen has quit IRC [02:17]
*** davechen1 is now known as davechen [02:17]
*** dims has quit IRC [02:19]
*** dims has joined #openstack-keystone [02:19]
<davechen> bknudson: yep, this is why there is a utils I think. :) [02:19]
<davechen> bknudson: for some generic methods, i cannot see there is better way to handle with since it's may used in the different module, different subsystem. [02:21]
*** mylu has joined #openstack-keystone [02:22]
<bknudson> the name of the module doesn't depend on what uses it -- the name is based on what functions are in it. [02:22]
<davechen> bknudson: those kind of methods is not specific to one resource or identity, this is the keypoint I think, this is why I think they should go to the separate module like
<davechen> bknudson: anyway, this is just what I thought. [02:26]
*** topol has quit IRC [02:30]
*** piyanai has quit IRC [02:36]
*** bknudson has quit IRC [02:43]
<openstackgerrit> Dave Chen proposed openstack/keystone: Show helpful message when request body is not provided
<miguelgrinberg> marekd: one more quick question without any rush. I was wondering when you guys plan to push an updated version of keystoneauth to pypi. The current version there predates any of the recent federation changes. I'm also wondering if you plan on removing that scary "use at your own risk" warning any time soon. For the time being, I think I prefer to continue using curl... [02:50]
*** hakimo_ has joined #openstack-keystone [02:52]
*** hakimo has quit IRC [02:54]
*** jasonsb has joined #openstack-keystone [02:57]
*** dims has quit IRC [02:57]
*** stevemar has joined #openstack-keystone [03:00]
*** ChanServ sets mode: +v stevemar [03:00]
*** browne has joined #openstack-keystone [03:02]
*** lhcheng has joined #openstack-keystone [03:04]
*** ChanServ sets mode: +v lhcheng [03:04]
<davechen> bknudson: Thanks for the reference. [03:08]
*** richm has quit IRC [03:13]
*** woodster_ has quit IRC [03:14]
*** stevemar has quit IRC [03:15]
*** stevemar has joined #openstack-keystone [03:16]
*** ChanServ sets mode: +v stevemar [03:16]
*** stevemar has quit IRC [03:19]
*** markvoelker_ has quit IRC [03:20]
*** markvoelker_ has joined #openstack-keystone [03:22]
*** stevemar has joined #openstack-keystone [03:23]
*** ChanServ sets mode: +v stevemar [03:23]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Change project name constraints
*** jamielennox|away is now known as jamielennox [03:47]
*** mylu has quit IRC [04:00]
*** btully has quit IRC [04:16]
*** topol has joined #openstack-keystone [04:20]
*** ChanServ sets mode: +v topol [04:20]
*** htruta_ has quit IRC [04:26]
*** jlvillal has quit IRC [04:32]
*** lhcheng has quit IRC [04:33]
*** jamielennox is now known as jamielennox|away [04:33]
*** stevemar has quit IRC [04:39]
*** tsymanczyk has quit IRC [04:40]
*** lhcheng has joined #openstack-keystone [04:52]
*** ChanServ sets mode: +v lhcheng [04:52]
*** darrenc is now known as darrenc_afk [04:56]
*** geoffarnold has joined #openstack-keystone [05:12]
*** geoffarnold has quit IRC [05:15]
*** geoffarnold has joined #openstack-keystone [05:18]
*** amickus has joined #openstack-keystone [05:21]
*** Ephur has joined #openstack-keystone [05:27]
*** btully has joined #openstack-keystone [05:30]
*** Ephur has quit IRC [05:33]
*** btully has quit IRC [05:34]
*** topol has quit IRC [05:37]
*** darrenc_afk is now known as darrenc [05:40]
*** lsmola has joined #openstack-keystone [05:54]
*** jtomasek has quit IRC [05:56]
*** Nirupama has joined #openstack-keystone [05:56]
*** josecastroleon has joined #openstack-keystone [05:58]
*** Kennan2 has joined #openstack-keystone [06:03]
*** Kennan has quit IRC [06:03]
*** hrou has quit IRC [06:09]
*** pballand has quit IRC [06:16]
*** lhcheng has quit IRC [06:27]
*** topol has joined #openstack-keystone [06:38]
*** ChanServ sets mode: +v topol [06:38]
*** topol has quit IRC [06:43]
*** david-lyle has quit IRC [06:43]
*** david-lyle has joined #openstack-keystone [06:49]
<openstackgerrit> Dave Chen proposed openstack/keystone: Remove services with no endpoints from catalog
*** stevemar has joined #openstack-keystone [06:55]
*** ChanServ sets mode: +v stevemar [06:55]
*** ankita_w_ has joined #openstack-keystone [06:57]
*** ankita_wagh has quit IRC [06:57]
*** stevemar has quit IRC [06:58]
*** belmoreira has joined #openstack-keystone [07:10]
*** browne has quit IRC [07:10]
*** chlong has quit IRC [07:25]
*** fhubik has joined #openstack-keystone [07:27]
*** ParsectiX has joined #openstack-keystone [07:27]
*** ankita_w_ has quit IRC [07:29]
*** ankita_wagh has joined #openstack-keystone [07:29]
*** ankita_wagh has quit IRC [07:33]
-openstackstatus- NOTICE: Our CI system is broken again today, jobs are not getting processed at all. [07:40]
*** ChanServ changes topic to "Our CI system is broken again today, jobs are not getting processed at all." [07:41]
*** amickus has quit IRC [07:46]
*** geoffarnold has quit IRC [07:47]
*** geoffarnold has joined #openstack-keystone [07:47]
<marekd> miguelgrinberg: when to push ksa to pypi is rather for morganfainberg and jamielennox|away.. But we should be able to do that soon. As long as you are not using any production service, what stops you from using 'not stable' version of ksa? I doubt K2K plugin will change. [07:50]
-openstackstatus- NOTICE: CI system is broken and very far behind. Please do not approve any changes for a while. [07:50]
*** ChanServ changes topic to "CI system is broken and very far behind. Please do not approve any changes for a while." [07:50]
*** pnavarro has joined #openstack-keystone [07:51]
<openstackgerrit> Dave Chen proposed openstack/keystone: Remove services with no endpoints from catalog
*** jamielennox|away is now known as jamielennox [07:57]
*** pnavarro is now known as pnavarro|mtg [08:04]
<openstackgerrit> Marek Denis proposed openstack/keystone: Better error message when unable to map user
<marekd> doug-fish: I don't mind having k2k auth plugin in ksc as long as you promise to propose patches for getting rid of it and depending on ksa once we have it released. [08:16]
*** fhubik is now known as fhubik_afk [08:17]
<openstackgerrit> Marek Denis proposed openstack/keystone: Add groups in scoped federated tokens
*** kiran-r has joined #openstack-keystone [08:25]
*** jistr has joined #openstack-keystone [08:25]
*** fhubik_afk is now known as fhubik [08:25]
<openstackgerrit> Merged openstack/keystone-specs: Project tree deletion
*** afazekas has joined #openstack-keystone [08:33]
*** fhubik is now known as fhubik_afk [08:39]
*** aix has joined #openstack-keystone [08:47]
*** pnavarro|mtg is now known as pnavarro [08:56]
*** jtomasek has joined #openstack-keystone [08:56]
*** fhubik_afk is now known as fhubik [08:56]
*** ChanServ changes topic to "Liberty-2 this week! Land Code! | MidCycle Etherpad:" [08:59]
-openstackstatus- NOTICE: CI is back online but has a huge backlog. Please be patient and if possible delay approving changes until it has caught up. [08:59]
*** e0ne has joined #openstack-keystone [09:03]
*** chlong has joined #openstack-keystone [09:07]
*** jtomasek has quit IRC [09:09]
<openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements
*** jamielennox is now known as jamielennox|away [09:25]
*** piyanai has joined #openstack-keystone [09:28]
*** ig0r_ has joined #openstack-keystone [09:31]
*** davechen has left #openstack-keystone [09:46]
*** dims has joined #openstack-keystone [09:50]
*** stevemar has joined #openstack-keystone [09:55]
*** ChanServ sets mode: +v stevemar [09:55]
*** marzif_ has joined #openstack-keystone [09:57]
*** stevemar has quit IRC [09:59]
<openstackgerrit> Marek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens.
<openstackgerrit> Marek Denis proposed openstack/keystoneauth-saml2: Standardize federated auth token scoping
*** josecastroleon has quit IRC [10:34]
*** jiaxi has quit IRC [10:37]
*** aix has quit IRC [10:39]
*** fhubik is now known as fhubik_afk [10:40]
*** fhubik_afk is now known as fhubik [10:44]
*** fhubik is now known as fhubik_afk [10:46]
*** dims_ has joined #openstack-keystone [11:02]
*** dims has quit IRC [11:02]
*** jlvillal has joined #openstack-keystone [11:04]
*** aix has joined #openstack-keystone [11:13]
*** josecastroleon has joined #openstack-keystone [11:14]
*** geoffarnold has quit IRC [11:17]
*** geoffarnold has joined #openstack-keystone [11:17]
*** InfoAddict has joined #openstack-keystone [11:29]
*** InfoAddict has left #openstack-keystone [11:31]
*** pnavarro is now known as pnavarro|lunch [11:42]
*** e0ne has quit IRC [11:47]
*** piyanai has quit IRC [11:51]
*** gordc has joined #openstack-keystone [11:54]
*** topol has joined #openstack-keystone [11:57]
*** ChanServ sets mode: +v topol [11:57]
*** ParsectiX has quit IRC [12:01]
*** topol has quit IRC [12:01]
*** _kiran_ has joined #openstack-keystone [12:06]
*** kiran-r has quit IRC [12:09]
*** pnavarro|lunch is now known as pnavarro [12:12]
*** bknudson has joined #openstack-keystone [12:18]
*** ChanServ sets mode: +v bknudson [12:18]
*** piyanai has joined #openstack-keystone [12:18]
*** jaosorior has joined #openstack-keystone [12:19]
*** edmondsw has joined #openstack-keystone [12:19]
*** fhubik_afk is now known as fhubik [12:20]
*** _kiran_ has quit IRC [12:20]
*** ParsectiX has joined #openstack-keystone [12:22]
*** ericksonsantos has joined #openstack-keystone [12:25]
*** stevemar has joined #openstack-keystone [12:26]
*** ChanServ sets mode: +v stevemar [12:26]
*** samueldmq has joined #openstack-keystone [12:26]
*** stevemar has quit IRC [12:28]
*** yottatsa has joined #openstack-keystone [12:29]
*** yottatsa has quit IRC [12:30]
*** yottatsa has joined #openstack-keystone [12:31]
*** tellesnobrega has joined #openstack-keystone [12:34]
*** tellesnobrega has quit IRC [12:34]
*** jamielennox|away is now known as jamielennox [12:35]
*** tellesnobrega has joined #openstack-keystone [12:35]
*** fhubik has quit IRC [12:38]
*** fhubik has joined #openstack-keystone [12:38]
*** tellesnobrega has quit IRC [12:38]
*** Nirupama has quit IRC [12:39]
*** tellesnobrega has joined #openstack-keystone [12:40]
<yottatsa> dstanek, morning! [12:41]
<yottatsa> it's almost 4pm here in Moscow, but I just came to office, so it's morning [12:42]
<marekd> yottatsa: you like night shifts or you like working with your US folks ? :P [12:42]
*** fhubik has quit IRC [12:43]
*** fhubik has joined #openstack-keystone [12:44]
*** fhubik_afk has joined #openstack-keystone [12:44]
*** fhubik_afk is now known as fhubik_real [12:44]
<yottatsa> marekd, yesterday was a big-reboot-day, so I came late today ) [12:44]
*** tellesnobrega has quit IRC [12:45]
<yottatsa> I usually working with you guys from home ) [12:46]
*** raildo has joined #openstack-keystone [12:46]
<samueldmq> dstanek: morning, you around ? [12:48]
<dstanek> samueldmq: yes. polishing a few reviews that i need to push. [12:48]
*** iurygregory has joined #openstack-keystone [12:48]
<samueldmq> dstanek: quick question, should we care about mitm attack when fetching the policy ? [12:48]
<samueldmq> dstanek: in that case, adding a sort of checksum to the response ? [12:49]
<marekd> samueldmq: we should, but it should be covered by proper TLS ? [12:49]
*** fhubik_afk has joined #openstack-keystone [12:49]
*** jsavak has joined #openstack-keystone [12:49]
<dstanek> samueldmq: isn't that what TLS does for us? you could make the argument that we would have to do that everywhere [12:49]
<marekd> yottatsa: i am not us based :-) [12:49]
*** fhubik_lunch has joined #openstack-keystone [12:50]
<yottatsa> marekd, where are you from? [12:50]
<marekd> samueldmq: dstanek is right. puppet doesn't solve it for us either [12:50]
<marekd> yottatsa: i live in switzerland now [12:50]
*** fhubik_real has quit IRC [12:50]
*** fhubik has quit IRC [12:50]
*** pnavarro is now known as pnavarro|afk [12:50]
<samueldmq> marekd: dstanek yeah, I will clarify that in the spec, that was a concern from lhcheng [12:50]
<samueldmq> I was wondering if we needed to add another layer .. as policy is a very sensitive info [12:51]
<dstanek> samueldmq: if you add a checksum, how do you know it's valid? you'd have to have a pub/priv key exchange [12:51]
<marekd> samueldmq: i was thinking about it too (and some other similar topics), but the alternative isn't any better. AFAIR Puppet doesn't have any super auth mechanisms. [12:51]
<dstanek> samueldmq: which review is that on? [12:51]
<marekd> samueldmq: just make TLS correctly and don't break when something's wrong [12:51]
<samueldmq> dstanek: fetch & cache [12:51]
<dstanek> samueldmq: i'll take a look and comment [12:51]
<samueldmq> dstanek: nice thanks [12:52]
<samueldmq> marekd: yeah, we should care about that in keystone, as we can do that through other layers/existing mechanisms [12:52]
<samueldmq> marekd: we should NOT care about that in keystone, I meant [12:52]
*** e0ne has joined #openstack-keystone [12:54]
<marekd> dstanek: Hi, I have 3 reviews for you dolphm, lbragstad and I were looking at:
*** fhubik_lunch has quit IRC [12:54]
*** fhubik_afk has quit IRC [12:55]
<doug-fish> marekd: with regard to getting rid of the k2k from keystoneclient that I haven't proposed yet ... is the plan to remove all of the auth plugins from ksc and have only the ones from keystoneauth available? [12:55]
*** htruta has joined #openstack-keystone [12:55]
*** fhubik has joined #openstack-keystone [12:55]
<marekd> doug-fish: yes [12:55]
<marekd> well, ksa would be responsible for auth plugins, and ksc would import it if needed. [12:55]
<doug-fish> FWIW it seems we had poor results in horizon's django_openstack_auth library when we tried to mix ksa/ksc versions of the plugins [12:56]
<doug-fish> so my point is that we'll need to convert all of d_o_a to use the ksa based plugins when that time comes [12:56]
<marekd> i think so too. [12:56]
<marekd> yeah, i am kind of stalled too as I cannot work on some tooling and new plugins as ksa is not yet released. [12:57]
<doug-fish> I know pauloewerton has started looking at that, but if we can get k2k without the conversion I think there may still be a shot at getting this in liberty [12:57]
<marekd> which conversion ? [12:57]
<marekd> k2k to ksc ? [12:57]
<doug-fish> conversion = changing the d_o_a plugins from ksc to ksa [12:57]
<marekd> doug-fish: uh, you will just make it longer imho. [12:58]
<doug-fish> how so? [12:58]
<marekd> but if you want to move k2k class into ksc - go ahead. [12:58]
<doug-fish> I think I want to, but that was with the intent of getting it in sooner [12:59]
<marekd> doug-fish: ok, propose a patch then :) [12:59]
<doug-fish> if you think it may slow me down that concerns me - I'd like to hear more [12:59]
<marekd> doug-fish: well, i mean in general maybe i'm too optimistic on releasing ksa 'soon', but porting anything back to ksc may actually mean you will port it now, use it and spend another cycle or something for switching to ksa and deprecating old stuff. [13:00]
<marekd> one thing i've learnt here is that you cannot just add the code because later you have to live with that... [13:01]
<marekd> and wait at least 2 cycles for removing it. [13:01]
<doug-fish> got it - I see where you are coming from. [13:02]
<marekd> doug-fish: anyway, if you are ok with later taking care of removing k2k plugin from ksa please go ahead and propose patch [13:02]
<doug-fish> yep understood - thx for taking the time to explain your thoughts [13:02]
*** tellesnobrega has joined #openstack-keystone [13:03]
<marekd> doug-fish: i will be happy to review [13:03]
<marekd> and even test [13:03]
<doug-fish> cool! thanks [13:03]
*** jamielennox is now known as jamielennox|away [13:06]
<samueldmq> dstanek: just saw your comment [13:07]
<samueldmq> dstanek: you meant the ksclient using CacheControl and then the cache control mechanism being delegated there ? [13:08]
<dstanek> marekd: cool, i'll take a look [13:08]
<marekd> dstanek: thank you [13:08]
*** browne has joined #openstack-keystone [13:08]
<samueldmq> dstanek: hm, saw your comment inline (I am probably dumb) [13:09]
*** ig0r_ has quit IRC [13:10]
<samueldmq> as much as I work in specs, discussions on architecture, etc I understand better why code is cheap [13:12]
*** hrou has joined #openstack-keystone [13:12]
*** btully has joined #openstack-keystone [13:13]
<dstanek> samueldmq: no, i'm just saying we don't actually need to implement support for that on the server side [13:13]
<samueldmq> dstanek: sure, I saw your comment, I had asked without noticing there was an inline comment [13:14]
<samueldmq> dstanek: actually, if we implemented IMS calls in keystone, we would avoid transferring lots of info, since the policy won't change that often [13:16]
*** ParsectiX has quit IRC [13:16]
<samueldmq> dstanek: but that is probably an optimization, that couldn't be in the scope for now .. [13:16]
<dstanek> samueldmq: i don't know that there is anything to address now...probably just a cleanup patch after implementation [13:16]
*** ig0r_ has joined #openstack-keystone [13:16]
<samueldmq> dstanek: yes, definitely makes sense, I am updating the spec right now :) [13:16]
*** dims_ has quit IRC [13:20]
<dstanek> what happened to the cloning URLs on
*** dims has joined #openstack-keystone [13:20]
*** jsavak has quit IRC [13:20]
*** marzif_ has quit IRC [13:21]
*** marzif_ has joined #openstack-keystone [13:22]
*** marzif_ has quit IRC [13:22]
*** jsavak has joined #openstack-keystone [13:22]
<openstackgerrit> Merged openstack/keystone: Handle non-numeric files in key_repository
*** e0ne has quit IRC [13:22]
*** woodster_ has joined #openstack-keystone [13:24]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Fetch and Cache
<samueldmq> dstanek: marekd ^ should be good enough now :) [13:25]
*** mylu has joined #openstack-keystone [13:27]
*** piyanai has quit IRC [13:30]
*** ig0r_ has quit IRC [13:31]
*** e0ne has joined #openstack-keystone [13:31]
*** piyanai has joined #openstack-keystone [13:32]
*** TheIntern has joined #openstack-keystone [13:34]
*** piyanai has quit IRC [13:35]
*** ParsectiX has joined #openstack-keystone [13:36]
*** yottatsa has quit IRC [13:37]
*** stevemar has joined #openstack-keystone [13:38]
*** ChanServ sets mode: +v stevemar [13:38]
<openstackgerrit> Konstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting
*** stevemar has quit IRC [13:39]
*** stevemar has joined #openstack-keystone [13:40]
*** ChanServ sets mode: +v stevemar [13:40]
*** yottatsa has joined #openstack-keystone [13:40]
*** jecarey has joined #openstack-keystone [13:42]
*** richm has joined #openstack-keystone [13:44]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Distribution Mechanism
*** zzzeek has joined #openstack-keystone [13:45]
*** stevemar has quit IRC [13:45]
*** fhubik is now known as fhubik_afk [13:46]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Distribution Mechanism
*** ayoung has joined #openstack-keystone [13:57]
*** ChanServ sets mode: +v ayoung [13:57]
*** ninag has joined #openstack-keystone [14:04]
*** vince_ has joined #openstack-keystone [14:05]
<vince_> looking for some help when trying to configure federation [14:06]
*** markvoelker_ has quit IRC [14:06]
<vince_> I cannot work with identity providers, as any command would return a 404, as in [14:06]
<vince_> openstack identity provider list [14:06]
<vince_> ERROR: openstack The resource could not be found. (HTTP 404) (Request-ID: req-5080ef53-8a1e-4a8d-aef3-23d94fc75266) [14:06]
*** dguerri is now known as dguerri` [14:06]
<marekd> vince_: hi, are you using V3 API ? [14:07]
<vince_> marekd: I think I am, even openstack --os-identity-api-version=3 identity provider list does the same [14:07]
<marekd> you are admin, right? [14:07]
<marekd> because obviously this is admin-only operation [14:08]
*** jiaxi has joined #openstack-keystone [14:08]
<vince_> yes, admin on a packstack installation [14:08]
<vince_> with just swift and keystone [14:08]
<marekd> and what does logs say ? [14:08]
<samueldmq> try specifying both --os-url and --os-identity-api-version [14:08]
<doug-fish> marekd: I've been thinking more about your concerns with creating a k2k plugin in python-keystoneauth - I just comprehended that's where the extra supported bit comes in, and I have fuller understanding of what you were saying. Do you have a feeling/prediction on how soon openstackauth might be ready? Think it's 2 weeks or less? [14:08]
<breton> also try adding --debug [14:09]
<samueldmq> that's how jamielennox|away did in some patches to use v3 in devstack, like
<samueldmq> marekd: vince_ ^ [14:09]
*** ParsectiX has quit IRC [14:09]
<jiaxi> jenkin is ill for too long. when will it become healthy ? [14:09]
<marekd> samueldmq: i doubt os-url is required [14:09]
<vince_> marekd: nothing useful from keystone.log, I try with debug [14:10]
<marekd> doug-fish: i don't have any feeling and it's jamielennox|away who drives this initiative to be honest. I wouldn't risking it will be less than 2 weeks. [14:10]
<marekd> vince_: yes, set to debug. [14:10]
<vince_> samueldmq: same with --os-url: [14:10]
<vince_> openstack --os-url= --os-identity-api-version=3 identity provider list [14:10]
<vince_> ERROR: openstack The resource could not be found. (HTTP 404) (Request-ID: req-6cf3a315-a093-494a-8ecd-613a3c5cacef) [14:10]
<samueldmq> --debug should tell something else I think [14:11]
*** ayoung is now known as ayoung-mtg [14:11]
<marekd> --debug --verbose [14:11]
<doug-fish> marekd: thanks! I think I'll keep preparing a ksc based k2k plugin [14:12]
<marekd> doug-fish: yeah [14:12]
*** ajayaa has joined #openstack-keystone [14:12]
*** sigmavirus24_awa is now known as sigmavirus24 [14:13]
*** amakarov_away is now known as amakarov [14:14]
<vince_> this resource doesn't exist:
<vince_> hence the 404 [14:15]
<samueldmq> marekd: does the extension need to be enabled ^ ? [14:15]
*** Kennan2 has quit IRC [14:16]
*** Kennan has joined #openstack-keystone [14:16]
*** fhubik_afk is now known as fhubik [14:17]
<marekd> samueldmq: i don't know what RedHat does with their distros... [14:17]
<marekd> vince_: do you know where your paste file is? [14:17]
<marekd> i think it may be somewhere in the /usr/share/keystone/keystone-paste.ini or something [14:17]
<marekd> ayoung-mtg: ^^ ? [14:18]
<vince_> marked: let me check [14:18]
<vince_> marekd: let me check [14:18]
<ayoung-mtg> Ugh, yeah we do something horrible there [14:18]
*** jecarey has quit IRC [14:18]
<ayoung-mtg> so...copy the pipeline over to /etc/keystone, I think you can over ride the paste value in /etc/keystone/keystone.conf [14:19]
<ayoung-mtg> vince_, ^^ [14:19]
<ayoung-mtg> vince_, worst case, you have to hack the file in /usr/share [14:20]
<vince_> ayoung-mtg: ehm, feel so newbie :D [14:21]
<vince_> what do you mean by copy the pipeline over to /etc/keystone? [14:22]
<ayoung-mtg> vince_, don't feel bad. I work for Redhat, I've been doing nothing but Keystone for 3+ years, and it caught me off guard [14:22]
<ayoung-mtg> vince_, that file you had in the paste. [14:22]
<vince_> ayoung-mtg: and then set config_file = <that file> in the [paste_deploy] section? [14:23]
<ayoung-mtg> vince_, yeah. In general, you should not be editing files in /usr/share, so if you need to override values for the paste pipelines, copy the file to /etc/keystone and make sure the keystone.conf explicitly points to the right paste file [14:24]
<vince_> alright, so the content of the paste file from the pastebin ^ is correct for federation? [14:25]
<vince_> ayoung-mtg, ok, I see, I have federation_extension in the pipeline in /home/centos/keystone/etc/keystone-paste.ini but not in /usr/share/keystone/keystone-dist-paste.ini [14:26]
*** markvoelker has joined #openstack-keystone [14:27]
*** markvoelker_ has joined #openstack-keystone [14:28]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Support Multiple SQL Backends
<samueldmq> ayoung-mtg: dstanek what about this ? ^ [14:28]
<samueldmq> not sure it needs a spec, but there is a good place to put comments, have a discussion [14:29]
*** fhubik has quit IRC [14:30]
*** ig0r_ has joined #openstack-keystone [14:32]
*** markvoelker has quit IRC [14:32]
<vince_> ayoung-mtg: many thanks to you and the others, working perfectly :)! [14:33]
<ayoung-mtg> vince_, Your Welcome. [14:33]
<ayoung-mtg> or You're Welcome...either way [14:33]
<ayoung-mtg> marekd, I tried making the call: openstack identity provider set --remote-id SSSD sssd , which I used for a Proof of concept a while ago. It fails with an "UNknown Attribute exception" in the latest openstack CLI [14:36]
*** flwang1 has joined #openstack-keystone [14:37]
<flwang1> greeting, anybody can give me a tip how to config keystone policy.json to allow a role can only 'create project'? [14:39]
<flwang1> i tried this way "identity:create_project": "rule:admin_required or role:tenant_creator" but it doesn't work, did i miss anything? thanks a lot [14:40]
<flwang1> lbragstad: ^ [14:41]
*** piyanai has joined #openstack-keystone [14:41]
<vince_> flwang1: afaik you need keystone v3 [14:42]
<flwang1> vince_: why keystone doesn't honour my config? [14:42]
<marekd> ayoung-mtg: let me try [14:42]
<ayoung-mtg> flwang1, need more info [14:43]
<ayoung-mtg> that looks roughly correct [14:43]
*** bapalm_ has joined #openstack-keystone [14:43]
<flwang1> ayoung-mtg: the user case is we need role can only create tenant and user to limit a user's permission, we have a signup service, we don't want to put admin user in the service [14:44]
<flwang1> so we hope there is a moderator with limited permission [14:44]
<flwang1> ayoung-mtg: so the basic requirement is having a role can only create tenant and user, or something like that [14:45]
<flwang1> so what I did is creating a new role in keystone and then config it in policy.json [14:45]
<flwang1> as above [14:45]
<flwang1> but it doesn't work [14:45]
<flwang1> did I miss anything? [14:46]
<marekd> ayoung-mtg: this is what i got... maybe you didn't specify --remote-id twice? (it's one --remote-id switch per parameter) [14:46]
<ayoung-mtg> marekd, does it need to be set on the initial create? I'll try that... [14:47]
<marekd> ayoung-mtg: it doesn't [14:47]
<marekd> ayoung-mtg: no, it doesn't [14:48]
<marekd> just confirmed [14:48]
<flwang1> ayoung-mtg: ^ [14:51]
*** tjcocozz has joined #openstack-keystone [14:51]
*** topol has joined #openstack-keystone [14:54]
*** ChanServ sets mode: +v topol [14:54]
*** afazekas has quit IRC [14:55]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Change project name constraints
*** ankita_wagh has joined #openstack-keystone [15:02]
*** ig0r_ has quit IRC [15:03]
*** ig0r__ has joined #openstack-keystone [15:03]
*** piyanai has quit IRC [15:03]
*** piyanai has joined #openstack-keystone [15:06]
<jiaxi> dstanek: Hello, David [15:06]
<jiaxi> dstanek: My patch set maybe change a lot because of comments of Brant Knudson [15:07]
<jiaxi> dstanek: But I'm sure, whether should I change ,because it's a huge change. And my code looks okay [15:08]
*** jbonjean has quit IRC [15:08]
<jiaxi> Brant Knudson: Hi [15:08]
*** ig0r_ has joined #openstack-keystone [15:09]
*** ig0r__ has quit IRC [15:09]
*** vince_ has quit IRC [15:09]
openstackgerritAjaya Agrawal proposed openstack/keystone: Validate Fernet tokens for nil values
*** jbonjean has joined #openstack-keystone15:10
ajayaaHi cores. Please review the above trivial patch. :)15:13
*** ig0r__ has joined #openstack-keystone15:13
*** ig0r__ has quit IRC15:15
*** ig0r_ has quit IRC15:15
*** diazjf has joined #openstack-keystone15:15
*** piyanai has quit IRC15:16
*** pnavarro|afk is now known as pnavarro15:19
*** piyanai has joined #openstack-keystone15:24
*** dguerri` is now known as dguerri15:25
*** geoffarnold has quit IRC15:25
*** stevemar has joined #openstack-keystone15:32
*** ChanServ sets mode: +v stevemar15:32
*** topol_ has joined #openstack-keystone15:32
*** ChanServ sets mode: +v topol_15:32
*** dguerri is now known as dguerri`15:34
*** topol has quit IRC15:35
*** arun_kant has quit IRC15:42
lbragstadyottatsa: you had some fernet questions yesterday?15:45
jiaxibknudson: Hello, are you here ?15:52
*** ig0r_ has joined #openstack-keystone15:52
*** pnavarro has quit IRC15:53
*** woodster_ has quit IRC15:55
*** jaosorior has quit IRC15:55
*** Protux has quit IRC15:55
*** h00327910__ has quit IRC15:55
yottatsalbragstad, hi, could you please look at ?15:57
jiaxidstanek: Hello, david.15:58
miguelgrinbergmarekd: Thanks for your reply. We are about to release a production version of the federation stuff based on kilo. Would you still use keystoneauth in that situation?15:58
dstanekjiaxi: hello15:58
*** amickus has joined #openstack-keystone15:59
*** dguerri` is now known as dguerri15:59
*** geoffarnold has joined #openstack-keystone16:01
lbragstadyottatsa: makes sense to me16:04
lbragstadyottatsa: but I agree with the comments on the patch, they could be fixed in a follow on patch, too.16:04
*** TheIntern has quit IRC16:05
*** arunkant_ has joined #openstack-keystone16:05
jiaxidstanek: I don't agree with bknudson's comment16:06
jiaxidstanek: I argue about it in the review. But he didn't reply any more... remain a -116:06
*** TheIntern has joined #openstack-keystone16:07
yottatsalbragstad, do you like rev 1 variant more?
jiaxidstanek: A little sad :(  Maybe he is angry ??16:08
dstanekjiaxi: i doubt it. he's probably busy16:08
*** lsmola has quit IRC16:09
dstanekjiaxi: technically speaking he is correct, but i don't think it's a big enough deal to hold up the review16:09
jiaxidstanek: Maybe you are right again16:09
lbragstadyottatsa: I think the way you have it now makes sense and I agree with dolphm's comment. Where you could do the `if not isinstance(token, six.binary_type):` check first in the method and bail out early16:09
jiaxidstanek: Can you see my reply ? Not in draft now .16:10
dstanekjiaxi: yes16:10
lbragstadyottatsa: I can propose a follow on patch16:11
jiaxidstanek: You don't agree with my reply ?16:11
dstaneklbragstad: damn....i'm still working on my changes to fix the binary/string problems in fernet16:11
dstaneklbragstad: it's not what i want, but let me push what i have16:11
lbragstaddstanek: you mean the six.binary_type part?16:11
dolphmdstanek: this is related, i think
openstackgerritDavid Stanek proposed openstack/keystone: pemutils isn't used anymore
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a docstring to reflect actual return values
openstackgerritDavid Stanek proposed openstack/keystone: WIP Fernet on Python 3
openstackgerritDavid Stanek proposed openstack/keystone: Fixes Py3 string/bytes issues for tokens
dstaneklbragstad: ^ look at the fernet patch16:12
lbragstaddstanek: checking16:12
dstanekdolphm: did you see typist?16:12
jiaxidstanek: I mean rfc3987 is for general validation. Here is a little special.16:12
dstanekjiaxi: no, i disagree with validating the entire URL. i don't remember why, but we decided not to do that right now. but checking for the explicit space is a bit of an over reach16:13
*** jasonsb has quit IRC16:13
dolphmdstanek: ha, no.. but looking at it now16:13
dstanekdolphm: i wrote it to help test this particular patch and all my future patches like it16:14
*** jasonsb has joined #openstack-keystone16:14
dolphmdstanek: looks super useful16:14
dolphmdstanek: can we apply it to every datetime object everywhere ever please16:14
dolphmi hate that we pass strings around as dates :(16:14
jiaxidstanek: In the launchpad, " /v1.1/\$(tenant_i d)s"16:14
dstanekdolphm: i'm going to be updating lots of docstrings this weekend :-)16:15
jiaxidstanek: Two errors16:15
dstanekjiaxi: right, but if you boil the bug down to why you get an error it's because the key doesn't exist; a space in other places in the URL, while being incorrect, will not cause a 500 error16:15
dolphmdstanek: did you *just* upload this?16:15
dolphmdstanek: i've never seen a project with zero downloads on pypi lol16:16
jiaxidstanek:  1.   a space after 8774          2  tenant_i d  is not right16:16
dstaneki wrote it last weekend and uploaded last night16:16
bknudsondstanek: Could not find a version that satisfies the requirement typist (from versions: )16:16
dstanekbknudson: blah, doing a pip install?16:17
bknudsondstanek: $ .tox/py27/bin/pip install typist16:17
dstanekbknudson: interesting...looking. i haven't tried to install it16:17
bknudsondstanek: I was trying to give it a download16:17
bknudsonso you didn't feel so bad about it16:18
*** ankita_w_ has joined #openstack-keystone16:18
jiaxibknudson : Hello16:18
dstanekbknudson: lol16:18
*** jasonsb has quit IRC16:18
jiaxibknudson: Could you reply me ?
jiaxibknudson: It's 00:20am in China. I'm waiting for your reply.16:21
*** ankita_wagh has quit IRC16:22
dstanekjiaxi: you should just go to bed :-) not worth it tonight16:22
*** ankita_w_ has quit IRC16:23
*** _cjones_ has joined #openstack-keystone16:23
jiaxibknudson: After you are done with your work on hand, I hope that you can spare 1 minute in replying to my reply. Thank you. I'm going to bed. Good night, everyone.16:23
jiaxidstanek: Yes, a little too tired. Played basketball for two hours.16:23
*** jistr has quit IRC16:24
*** jiaxi has quit IRC16:25
*** jaosorior has joined #openstack-keystone16:27
*** pballand has joined #openstack-keystone16:27
*** e0ne has quit IRC16:29
*** TheIntern has quit IRC16:31
*** aix has quit IRC16:31
*** josecastroleon has quit IRC16:32
*** woodster_ has joined #openstack-keystone16:33
*** dims has quit IRC16:33
*** lhcheng has joined #openstack-keystone16:36
*** ChanServ sets mode: +v lhcheng16:36
*** lhcheng_ has joined #openstack-keystone16:38
*** lhcheng has quit IRC16:38
*** piyanai has quit IRC16:38
*** pnavarro has joined #openstack-keystone16:39
dolphmdstanek: if you can't install it, that would explain the 0 downloads16:40
dolphmdstanek: "No matching distribution found for typist==0.0.1"16:41
dstanekdolphm: yeah, i haven't had time to dig into that yet16:42
*** gordc has quit IRC16:57
*** dims has joined #openstack-keystone16:57
*** belmoreira has quit IRC16:58
dstanekdolphm: ok...waiting on ansible build! must fix the typist17:01
*** jasonsb has joined #openstack-keystone17:01
*** ankita_wagh has joined #openstack-keystone17:02
*** tsymanczyk has joined #openstack-keystone17:02
*** tsymanczyk is now known as Guest9092317:02
*** piyanai has joined #openstack-keystone17:03
dstanekdolphm: lol, i go over to the tab where i was working on typist last night and it's sitting on the upload command failed because it said my password was incorrect17:05
dstanekwhich is odd because i ran the command right after the registration command asked me if i wanted to save my password17:05
*** henrynash has joined #openstack-keystone17:06
*** ChanServ sets mode: +v henrynash17:06
henrynashmorganfainberg: ping17:07
*** Protux has joined #openstack-keystone17:08
*** h00327910__ has joined #openstack-keystone17:08
henrynashmorganfainberg, rodigods: although i approved maybe this was a mistake - do we have an exception granted for this (it changes the API)?17:15
*** raildo has quit IRC17:18
*** raildo has joined #openstack-keystone17:18
*** piyanai has quit IRC17:19
*** pnavarro has quit IRC17:19
*** tjcocozz has quit IRC17:19
dolphmdstanek: =)17:20
dstanekdolphm: so it turns out that distutils added another [pypi] section to my .pypirc instead of just changing the password17:21
dolphmdstanek: so settings got ignored?17:21
*** piyanai has joined #openstack-keystone17:21
*** e0ne has joined #openstack-keystone17:22
*** piyanai has quit IRC17:22
dstanekdolphm: it picked the second section (i guess last one wins) that had my old password17:22
dstaneklhcheng_: yeah, if there is a MITM attack possible for policy then they would technically have access to lots of keystone tokens17:23
*** e0ne has quit IRC17:23
*** e0ne has joined #openstack-keystone17:23
*** bapalm_ has quit IRC17:25
*** piyanai has joined #openstack-keystone17:25
lhcheng_dstanek: yeah, I guess that's true.. if the operators turned off the TLS for communication within the datacenter, the assumption is all communication is already secured there.17:25
*** dims has quit IRC17:26
*** lhcheng_ is now known as lhcheng17:26
*** ChanServ sets mode: +v lhcheng17:26
yottatsaomg six
lhchengdstanek: okay, I'm fine with the bp not adding the signing option for the policy file.17:30
*** jecarey has joined #openstack-keystone17:30
yottatsalbragstad do you know if six.string_types works in python3?17:33
*** browne has quit IRC17:33
*** ajayaa has quit IRC17:33
stevemardstanek: what was using pemutils?17:36
*** boris-42 has joined #openstack-keystone17:37
*** diazjf has quit IRC17:37
openstackgerritVladimir Eremin proposed openstack/keystone: Explicitly check incorrect token input
lbragstadyottatsa: yeah, i'm pretty sure it does17:41
lbragstadyottatsa: dstanek would know for sure though17:41
yottatsalbragstad, check out
*** gordc has joined #openstack-keystone17:41
yottatsadstanek too17:41
*** geoffarnold has quit IRC17:43
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin
*** diazjf has joined #openstack-keystone17:49
*** piyanai has quit IRC17:50
yottatsaWhat if I want to backport a patch to kilo, but I can't just 'git review -X'? Can I specify that my backport requires another patch before?17:51
*** piyanai has joined #openstack-keystone17:52
*** geoffarnold has joined #openstack-keystone17:52
*** TheIntern has joined #openstack-keystone17:54
*** piyanai has quit IRC17:54
yottatsaoh, there is a git review -d17:54
stevemardolphm: around?17:55
*** piyanai has joined #openstack-keystone17:56
dolphmstevemar: o/17:56
*** ayoung-mtg is now known as ayoung17:57
*** samleon has joined #openstack-keystone17:57
dstanekstevemar: no idea, but it seems nothing right now17:58
dstaneklbragstad: yottatsa: what would i know?17:58
ayoungflwang1, forgetting HMT for the moment, the policy rule should be something like17:58
*** Ephur has joined #openstack-keystone17:59
ayoung "identity:create_project": "domain_id:%(domain_id)s and role:tenant_creator"18:00
dstanekyottatsa: oh, maybe your gist? that's what i would expect to see18:00
ayoungand then make sure the token reflects that the user actually has the tenant_creator role on the domain when calling the API18:00
dstanek'' in python2 is not '' in python318:01
yottatsadstanek, isn't it a six bug?18:02
dstanekyottatsa: no18:03
yottatsapython3 -c 'import six; print(isinstance(b"", six.string_types))' -> False18:03
yottatsapython -c 'import six; print(isinstance(b"", six.string_types))' -> True18:03
dstanekencode goes from string to bytes18:03
dstanek''.encode() returns bytes (str) in python2 and bytes (bytes) in python318:04
dstanekbytes in python2 is an alias to str and in python3 it is a real type that is not a string18:05
dstanekyottatsa: does that make sense?18:07
*** gordc has quit IRC18:07
*** gordc has joined #openstack-keystone18:10
*** browne has joined #openstack-keystone18:12
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin
dstanekyottatsa: the strange typing: - this is why i wrote typist. so i could make sure things were getting called with what i expected18:16
yottatsadstanek that's what I'm talking about ;)18:16
yottatsaBTW I'll check typist18:17
dstanekyottatsa: so since encode returns binary it isn't a string type in py318:17
dstanekyottatsa: after thinking about this a lot i think that six.string_types is actually a really bad thing because of the ambiguity18:18
dstanekwe should care that something is text or binary; string_types is both18:19
*** pnavarro has joined #openstack-keystone18:19
*** yottatsa has quit IRC18:20
*** spandhe has joined #openstack-keystone18:23
*** jasonsb has quit IRC18:23
*** ig0r__ has joined #openstack-keystone18:24
*** dims has joined #openstack-keystone18:26
*** arun_kant has joined #openstack-keystone18:31
*** josecastroleon has joined #openstack-keystone18:31
*** jraim_ has joined #openstack-keystone18:31
*** briancurtin_ has joined #openstack-keystone18:31
*** ayoung has quit IRC18:32
*** jasonsb has joined #openstack-keystone18:33
*** amickus has quit IRC18:33
*** gordc has quit IRC18:34
*** jlvillal_ has joined #openstack-keystone18:34
*** briancurtin has quit IRC18:34
*** jraim has quit IRC18:34
*** ericksonsantos has quit IRC18:34
*** jlvillal has quit IRC18:34
*** flwang1 has quit IRC18:34
*** arunkant_ has quit IRC18:34
*** ericksonfgds has joined #openstack-keystone18:34
*** briancurtin_ is now known as briancurtin18:34
*** jeffDeville has joined #openstack-keystone18:35
*** jraim_ is now known as jraim18:35
*** jlvillal_ is now known as jlvillal18:35
*** ankita_wagh has quit IRC18:43
*** ig0r_ has quit IRC18:50
*** amakarov is now known as amakarov_away18:53
*** flwang1 has joined #openstack-keystone18:54
*** jeffDevi_ has joined #openstack-keystone18:58
*** jeffDeville has quit IRC18:59
*** bapalm_ has joined #openstack-keystone19:00
*** josecastroleon has quit IRC19:01
*** ankita_wagh has joined #openstack-keystone19:02
*** ankita_wagh has quit IRC19:03
*** ig0r_ has joined #openstack-keystone19:04
*** bapalm_ has quit IRC19:05
*** ankita_wagh has joined #openstack-keystone19:10
*** pauloewerton has joined #openstack-keystone19:10
*** geoffarnold has quit IRC19:11
*** Guest90923 has quit IRC19:16
*** piyanai has quit IRC19:17
*** tsymanczyk has joined #openstack-keystone19:17
*** flwang1 has quit IRC19:20
*** jeffDevi_ has quit IRC19:22
*** jeffDeville has joined #openstack-keystone19:23
*** gordc has joined #openstack-keystone19:25
*** e0ne has quit IRC19:25
*** piyanai has joined #openstack-keystone19:26
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2KeystoneAuthPlugin for K2K federation
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K
*** piyanai has quit IRC19:33
samueldmqdstanek, henrynash, lhcheng, dolphm: hey, the specs are updated and I think they are good enough now, I would appreciate your reviews and some weight on them19:33
samueldmq and
samueldmqbtw, some of you had already given +1/+2 on them :)19:34
*** piyanai has joined #openstack-keystone19:35
*** piyanai has quit IRC19:40
*** jeffDeville has quit IRC19:40
*** jeffDeville has joined #openstack-keystone19:40
*** ayoung has joined #openstack-keystone19:46
*** ChanServ sets mode: +v ayoung19:46
*** openstackgerrit has quit IRC19:46
*** openstackgerrit has joined #openstack-keystone19:47
*** piyanai has joined #openstack-keystone19:48
*** TheIntern has quit IRC19:51
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain.
*** geoffarnold has joined #openstack-keystone19:52
*** ig0r_ has quit IRC19:56
*** ninag has quit IRC19:56
*** belmoreira has joined #openstack-keystone19:57
*** piyanai has quit IRC19:57
*** piyanai has joined #openstack-keystone20:00
*** piyanai has quit IRC20:01
*** jeffDeville has quit IRC20:02
*** browne has quit IRC20:02
*** piyanai has joined #openstack-keystone20:02
*** browne has joined #openstack-keystone20:03
*** piyanai has quit IRC20:09
*** e0ne has joined #openstack-keystone20:11
*** arun_kant has quit IRC20:12
*** TheIntern has joined #openstack-keystone20:12
*** piyanai has joined #openstack-keystone20:12
openstackgerritBrant Knudson proposed openstack/keystone: Use extras for ldap dependencies
*** piyanai has quit IRC20:12
*** piyanai has joined #openstack-keystone20:13
samueldmqhenrynash: what about supporting multiple SQL backends by having support for multiple sqlalchemy engines ?20:13
henrynashsamueldmq: well, I’d like to support multiple sql backends, but sqlalchemy makes that pretty hard right now I think20:14
*** openstackgerrit has quit IRC20:16
*** openstackgerrit has joined #openstack-keystone20:17
hogepodgemorganfainberg: why do I need to be admin to get service ids?20:22
hogepodgeget /v3/services20:22
dstanekhogepodge: that's just the default policy rule right? that can change for a deployment20:27
*** yottatsa has joined #openstack-keystone20:27
hogepodgedstanek: we just had a good laugh about that (long long story)20:28
samueldmqhenrynash: I am not sure about that, I will do some testing and get back to you :)20:29
hogepodgedstanek: I'm asking because we want to use ids as external identifiers for public cloud testing, but if it's admin only that falls down.20:30
dstanekhogepodge: i don't know the reason for it, but i think things are locked down by default20:30
hogepodgedstanek: morganfainberg: is there room to change that default?20:30
dstanekhogepodge: change it so it's not in your deployment20:30
*** piyanai has quit IRC20:30
dstanekwhat would you change it to?20:30
hogepodgedstanek: we're interested in deployments we don't own20:30
hogepodgedstanek: make getting service ids non-admin by default.20:31
samueldmqhenrynash: also,  I've started a small spec, just to keep the idea and some details as they come
hogepodgedstanek: (I'm speaking with my defcore/interoperability hat on)20:31
dstanekhogepodge: i'm sure some of those could just be loosened up to anyone with a token20:32
dstanekhogepodge: but if you don't own the cloud they can still restrict it via policy20:32
*** piyanai has joined #openstack-keystone20:37
hogepodgedstanek: yes, but most clouds will have it off by default. we'd like to encourage it to be on by default.20:37
*** yottatsa has quit IRC20:38
hogepodgedstanek: I understand if there are reasons to not have that default, just throwing out a use case we face today20:39
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraints
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()
*** browne has quit IRC20:43
*** dguerri is now known as dguerri`20:43
*** browne has joined #openstack-keystone20:44
*** openstackgerrit has quit IRC20:46
*** openstackgerrit has joined #openstack-keystone20:47
*** raildo has quit IRC20:48
*** pnavarro has quit IRC20:48
*** yottatsa has joined #openstack-keystone20:51
*** TheIntern has quit IRC20:52
*** flwang1 has joined #openstack-keystone20:55
*** jamielennox|away is now known as jamielennox20:57
*** woodster_ has quit IRC21:00
openstackgerritBrant Knudson proposed openstack/keystone: Use extras for memcache and MongoDB packages
*** openstack has joined #openstack-keystone21:08
*** openstack has joined #openstack-keystone21:08
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()
flwang1lbragstad: ping21:12
lbragstadflwang1: pong21:12
flwang1lbragstad: how are you? a quick question about keystone policy.json21:13
flwang1i'm trying to create a role in keystone which can only create new tenant, is that possible?21:13
lbragstadthat should be21:15
*** mylu has quit IRC21:16
*** oug-fish has joined #openstack-keystone21:16
lbragstadflwang1: what are you doing now?21:17
*** mylu has joined #openstack-keystone21:18
*** yottatsa has quit IRC21:18
*** hrou has quit IRC21:18
*** mylu has quit IRC21:19
*** Doug-fish-remote has joined #openstack-keystone21:20
*** oug-fish has quit IRC21:20
flwang1lbragstad: i created a new role named 'tenant_creator' and updated the policy.json of keystone like "identity:create_project": "rule:admin_required or role:tenant_creator",21:21
flwang1lbragstad: restart keystone21:21
flwang1create a new user, add the role 'tenant_creator' for the new user,   try to create a tenant, failed21:21
lbragstadflwang1: what error do you get, a 401?21:22
flwang1yep, i assume it should be 403, but it's a 40121:22
lbragstadhow did you grant that user the "tenant_creator" role?21:23
flwang1keystone user-role-add --user tenant_creator_A --tenant demo --role tenant_creator21:23
*** Doug-fish-remote has quit IRC21:23
flwang1should I add it into the admin tenant?21:24
lbragstadno, I don't think that will help21:24
lbragstadgive that user the same role assignment but do it on the default domain, or the domain that you're operating within21:24
*** marzif_ has joined #openstack-keystone21:26
flwang1lbragstad: i'm using v2 :(21:27
lbragstadthen I'm not 100% sure21:27
flwang1ok, so is there any way to do that in v3?21:28
*** geoffarnold has quit IRC21:29
lbragstadyeah, I would look into creating a rule like this21:29
lbragstadbut instead of rule:admin_required21:29
lbragstadit would be role:tenant_creator21:30
*** topol_ has quit IRC21:31
*** marzif_ has quit IRC21:32
lbragstadflwang1: does that make sense?21:32
flwang1will it impact if all our current components are using v2?21:33
flwang1we have a customized service that is talking with keystone, can we just let it use v3 and keep the others using v2?21:33
*** marzif_ has joined #openstack-keystone21:34
lbragstadit should only impact users with that role assigned.21:34
lbragstadyeah, as long as your keystone has a v3 pipeline configured21:35
*** marzif_ has quit IRC21:35
lbragstadand you can make v3 calls to it21:35
flwang1lbragstad: ok, btw, can v3 support invite another user into current tenant?21:35
lbragstadinvite another user? like an ephemeral user?21:35
*** marzif_ has joined #openstack-keystone21:36
lbragstador a user that doesn't exist in the local keystone's db?21:36
flwang1lbragstad: not ephemeral21:36
flwang1the latter one21:36
flwang1or another scenario is the user exists, but doesn't have access to current tenant21:36
lbragstadwhen you say 'invite' you mean like for a certain amount of time, this user can play around in this tenant?21:38
flwang1lbragstad: sort of21:38
lbragstadyou might be able to accomplish that with a trust21:39
gordc_hi, is there a super-admin concept? basically an admin not scoped to project or admin for all projects?21:39
*** gordc_ is now known as gordc21:39
flwang1two scenarios: 1. i'm a project owner, now i want to add more members of my team to this tenant21:39
flwang12. they may or may not exist in keystone db yet21:40
*** diazjf has left #openstack-keystone21:41
lbragstadfor scenario 1, i'd just say that the project owner assigns the people they want in their project a role on the project21:41
gordcstevemar: ^21:41
lbragstadwith scenario 2, you're going to be looking at something like federation21:41
*** geoffarnold has joined #openstack-keystone21:42
flwang1lbragstad: but now the user-role-add command only can be run by admin, right?21:42
flwang1lbragstad: so does that mean, we may need another 'reseller' admin role for the project owner?21:43
*** geoffarn_ has joined #openstack-keystone21:43
*** jecarey has quit IRC21:46
*** markvoelker_ has quit IRC21:46
*** geoffarnold has quit IRC21:47
*** ig0r__ has quit IRC21:51
stevemargordc: nah21:54
stevemargordc: that's where the admin-token comes in, but not for a user, no21:54
*** marzif_ has quit IRC21:54
stevemarsome folks are tossing around terms like 'cloud admin'21:54
stevemarmorganfainberg: dolphm ^21:54
lbragstadflwang1: reseller?21:55
flwang1lbragstad: ok, project owner21:55
flwang1generally, you know, project owner also only has the member role21:55
flwang1not an 'admin' role21:56
openstackgerritBrant Knudson proposed openstack/keystone: Extras for bandit
lbragstadI think you'd just need to make sure what ever role the project owner has, it has the ability to add other users to their project21:57
flwang1i'm not familiar with v3, so not sure if there is any new solution for that21:57
gordcstevemar: was cloud admin comment to me?21:57
flwang1lbragstad: right, yes. that's what i'm trying to figure out21:57
stevemargordc: yes sir21:57
stevemarit doesn't exist yet, but folks are asking for the same thing21:58
gordcoh. i guess that's what edmondsw was talking about.21:58
flwang1lbragstad: i think keystone works fine with 'admin' role, but i haven't succeeded in doing an 'admin' action with a non-admin role yet21:58
*** haneef_ has joined #openstack-keystone21:58
flwang1even though i have configured it in policy.json21:58
stevemargordc: probably21:58
stevemari'm out21:58
gordcsame. lates21:59
*** stevemar has quit IRC21:59
lbragstadflwang1: that's probably because the policy is denying the action21:59
*** gordc has quit IRC21:59
*** stevemar has joined #openstack-keystone21:59
*** ChanServ sets mode: +v stevemar21:59
haneef_dolphm:  fernet token always seems to end with %3D, Is that part of spec22:02
*** zzzeek has quit IRC22:02
*** e0ne has quit IRC22:02
*** stevemar has quit IRC22:03
*** markvoelker has joined #openstack-keystone22:08
*** jamielennox is now known as jamielennox|away22:15
flwang1lbragstad: but i have set it :)22:16
*** samleon has quit IRC22:31
*** markvoelker_ has joined #openstack-keystone22:32
*** piyanai has quit IRC22:33
*** geoffarnold has joined #openstack-keystone22:34
*** markvoelker has quit IRC22:35
*** belmoreira has quit IRC22:37
*** geoffarn_ has quit IRC22:37
*** jsavak has quit IRC22:42
*** harlowja has quit IRC22:44
*** jaosorior has quit IRC22:44
*** harlowja has joined #openstack-keystone22:44
*** piyanai has joined #openstack-keystone22:58
*** boris-42 has quit IRC23:00
*** markvoelker_ has quit IRC23:14
*** tqtran has joined #openstack-keystone23:18
*** piyanai has quit IRC23:20
*** _cjones_ has quit IRC23:24
*** htruta has quit IRC23:26
*** jungler has quit IRC23:27
*** jungler has joined #openstack-keystone23:28
*** htruta has joined #openstack-keystone23:28
*** dims_ has joined #openstack-keystone23:31
*** dims_ has quit IRC23:31
*** htruta is now known as htruta_23:31
*** htruta_ has quit IRC23:32
*** htruta has joined #openstack-keystone23:32
*** dims has quit IRC23:35
dstanekhaneef_: that may be because they are base64 encoded and i think that's the = sign23:36
dolphmdstanek: ++ cc- haneef_23:38
*** jiaxi has joined #openstack-keystone23:39
jiaxibiknudson: Hello,sir.23:40
jiaxibknudson: Are you here?23:40
jiaxibknudson: Are you here ?  In your last comment, it seems that you give me several options. That's not fair. You should only give one.23:41
*** doug-fish has quit IRC23:44
*** doug-fish has joined #openstack-keystone23:45
