Tuesday, 2015-08-11

*** _cjones_ has quit IRC00:04
*** miguelgrinberg has quit IRC00:04
*** miguelgrinberg has joined #openstack-keystone00:05
*** zzzeek has quit IRC00:06
*** tsymanczyk has quit IRC00:11
*** roxanaghe has quit IRC00:17
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** geoffarnold has quit IRC00:23
*** bapalm has joined #openstack-keystone00:24
*** bapalm has quit IRC00:44
*** bapalm has joined #openstack-keystone00:45
*** bapalm has quit IRC00:46
*** bapalm has joined #openstack-keystone00:46
*** jasonsb has joined #openstack-keystone00:47
*** ankita_wagh has joined #openstack-keystone00:47
*** stevemar has joined #openstack-keystone00:51
*** ChanServ sets mode: +v stevemar00:51
*** ankita_w_ has quit IRC00:51
*** stevemar has quit IRC00:51
*** stevemar_ has joined #openstack-keystone00:51
*** ChanServ sets mode: +v stevemar_00:51
*** gyee has quit IRC00:53
*** nkinder has quit IRC00:57
*** elmiko_ has joined #openstack-keystone01:03
*** elmiko has quit IRC01:06
*** piyanai has joined #openstack-keystone01:11
*** elmiko_ has quit IRC01:11
*** ankita_wagh has quit IRC01:14
*** tobe_ has joined #openstack-keystone01:18
*** elmiko has joined #openstack-keystone01:20
*** bapalm has quit IRC01:21
*** bapalm has joined #openstack-keystone01:21
*** browne has quit IRC01:25
*** bapalm has quit IRC01:26
*** fangzhou has quit IRC01:31
*** davechen has joined #openstack-keystone01:31
*** piyanai has quit IRC01:33
*** ankita_wagh has joined #openstack-keystone01:35
*** mylu has joined #openstack-keystone01:37
*** ankita_wagh has quit IRC01:43
*** ankita_wagh has joined #openstack-keystone01:43
*** adamh_000_ has joined #openstack-keystone01:45
*** mylu has quit IRC01:46
*** mylu has joined #openstack-keystone01:47
*** elmiko_ has joined #openstack-keystone01:48
*** piyanai has joined #openstack-keystone01:50
*** adamh_000_ has quit IRC01:50
*** elmiko_ has quit IRC01:51
*** adamh_000_ has joined #openstack-keystone01:51
*** elmiko has quit IRC01:52
*** adamh_000__ has joined #openstack-keystone01:58
*** jdandrea has quit IRC02:00
*** adamh_000_ has quit IRC02:01
*** adamh_000_ has joined #openstack-keystone02:02
*** adamh_000__ has quit IRC02:05
*** tobe_ has quit IRC02:05
*** tobe_ has joined #openstack-keystone02:06
*** ngupta has joined #openstack-keystone02:07
*** ankita_w_ has joined #openstack-keystone02:08
*** adamh_000__ has joined #openstack-keystone02:09
openstackgerritDavid Stanek proposed openstack/python-keystoneclient: WIP: Adds HTTP caching support  https://review.openstack.org/21139602:10
*** ankita_wagh has quit IRC02:12
*** adamh_000_ has quit IRC02:13
*** bknudson has quit IRC02:14
jamielennoxdstanek: interesting, i always envisioned people would just pass a requests.Session in that did this stuff for us for caching and didn't require a dependency on cachecontrol but i guess that messes up the TCPKeepAlive thing02:16
jamielennoxparticularly OSC was the main user i expected because CacheControl generally caches to a file from memory02:16
*** piyanai has quit IRC02:27
*** stevemar_ has quit IRC02:29
*** woodster_ has quit IRC02:30
*** stevemar has joined #openstack-keystone02:30
*** ChanServ sets mode: +v stevemar02:30
*** ngupta has quit IRC02:40
*** browne has joined #openstack-keystone02:41
*** ngupta has joined #openstack-keystone02:44
*** adamh_000__ has quit IRC02:46
*** tobe_ has quit IRC02:47
*** tobe_ has joined #openstack-keystone02:49
*** hakimo_ has joined #openstack-keystone02:52
*** hakimo has quit IRC02:54
*** ankita_w_ has quit IRC03:01
*** mylu has quit IRC03:05
*** lhcheng has quit IRC03:09
*** richm has quit IRC03:15
*** mylu has joined #openstack-keystone03:16
*** david-lyle has quit IRC03:21
*** ngupta has quit IRC03:26
dstanekjamielennox: haha, yeah i just responded on the review03:31
jamielennoxdstanek: gah, i hate it when a capitalized name like that isn't actually a class but a function03:34
*** mylu has quit IRC03:34
*** phalmos has joined #openstack-keystone03:35
dstanekjamielennox: i understand in some cases where you don't have to care, but in this case it hides the fact that it's actually mucking with the adapters03:35
jamielennoxright - it just means it works differently than i expected it would03:36
*** phalmos has quit IRC03:37
dstanekjamielennox: that's why i create a new funky adapter subclass03:37
jamielennoxdstanek: yea, makes sense now03:38
*** ayoung has quit IRC03:44
*** lhcheng has joined #openstack-keystone03:44
*** ChanServ sets mode: +v lhcheng03:44
*** mylu has joined #openstack-keystone03:51
*** mylu has quit IRC04:01
*** jasondotstar has quit IRC04:06
*** tobe_ has quit IRC04:12
*** Ephur has quit IRC04:12
*** tobe_ has joined #openstack-keystone04:17
*** Nirupama has joined #openstack-keystone04:24
*** jecarey has joined #openstack-keystone04:31
*** david-lyle has joined #openstack-keystone04:40
*** dsirrine has quit IRC04:42
*** gildub has joined #openstack-keystone04:44
*** dsirrine has joined #openstack-keystone04:56
*** ankita_wagh has joined #openstack-keystone04:58
*** ankita_wagh has quit IRC04:58
*** ankita_wagh has joined #openstack-keystone04:59
*** hrou has joined #openstack-keystone05:06
*** dsirrine has quit IRC05:12
*** dsirrine has joined #openstack-keystone05:25
*** hrou has quit IRC05:28
*** belmoreira has joined #openstack-keystone05:43
*** jecarey_ has joined #openstack-keystone05:46
*** jecarey has quit IRC05:49
*** josecastroleon has joined #openstack-keystone05:57
*** jecarey_ has quit IRC06:04
*** ParsectiX has joined #openstack-keystone06:24
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint  https://review.openstack.org/17766106:37
*** stevemar has quit IRC07:10
*** stevemar has joined #openstack-keystone07:11
*** ChanServ sets mode: +v stevemar07:11
*** afazekas has joined #openstack-keystone07:13
*** stevemar has quit IRC07:13
*** ankita_wagh has quit IRC07:20
*** jasondotstar has joined #openstack-keystone07:44
bretonoh, nice passwords above.07:45
*** gildub has quit IRC07:46
*** lhcheng_ has joined #openstack-keystone07:47
bretonare we planning to use keystoneauth1 in ksm? I am poking samleon's x.509 and see that certificate-related stuff is already in ksc and ksa. However, there is nothing certificate-related in ksm.07:47
*** jasondotstar has quit IRC07:48
*** fhubik has joined #openstack-keystone07:50
*** fhubik is now known as fhubik_brb07:50
*** lhcheng has quit IRC07:50
*** browne has quit IRC07:50
*** fhubik_brb is now known as fhubik07:53
*** lhcheng_ has quit IRC07:56
*** jistr has joined #openstack-keystone08:04
openstackgerritMerged openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720208:05
*** boris-42 has quit IRC08:10
*** stevemar has joined #openstack-keystone08:13
*** ChanServ sets mode: +v stevemar08:13
*** links has joined #openstack-keystone08:13
*** eandersson has joined #openstack-keystone08:16
*** stevemar has quit IRC08:16
*** henrynash has joined #openstack-keystone08:22
*** ChanServ sets mode: +v henrynash08:22
*** lhcheng has joined #openstack-keystone08:37
*** ChanServ sets mode: +v lhcheng08:37
*** dikonoor has joined #openstack-keystone08:49
*** katkapilatova has joined #openstack-keystone08:49
*** dikonoo has joined #openstack-keystone08:49
*** jasondotstar has joined #openstack-keystone08:57
*** yottatsa has joined #openstack-keystone09:03
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierarchy and parent usage within the API  https://review.openstack.org/20062409:11
*** fhubik is now known as fhubik_brb09:21
*** lhcheng has quit IRC09:23
*** fhubik_brb is now known as fhubik09:24
*** marzif_ has joined #openstack-keystone09:29
*** yottatsa has quit IRC09:30
*** yottatsa has joined #openstack-keystone09:31
*** yottatsa has quit IRC09:32
*** yottatsa has joined #openstack-keystone09:35
*** yottatsa has quit IRC09:35
*** henrynash has quit IRC09:46
*** fhubik is now known as fhubik_brb09:52
*** davechen has quit IRC09:57
*** fhubik_brb is now known as fhubik10:14
*** stevemar has joined #openstack-keystone10:15
*** ChanServ sets mode: +v stevemar10:15
*** stevemar has quit IRC10:18
*** fhubik is now known as fhubik_brb10:24
*** fhubik_brb is now known as fhubik10:26
*** fhubik is now known as fhubik_brb10:26
*** henrynash has joined #openstack-keystone10:38
*** ChanServ sets mode: +v henrynash10:38
*** josecastroleon has quit IRC10:38
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917810:39
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162310:39
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196210:40
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430210:40
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389710:41
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448510:41
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899510:46
*** fhubik_brb is now known as fhubik11:31
*** dikonoor has quit IRC11:31
*** piyanai has joined #openstack-keystone11:35
*** belmoreira has quit IRC11:35
*** henrynash has quit IRC11:37
*** josecastroleon has joined #openstack-keystone11:38
*** gordc has joined #openstack-keystone11:39
*** tobe_ has quit IRC11:50
*** tobe_ has joined #openstack-keystone11:52
*** tobe_ has quit IRC11:57
*** openstackgerrit_ has joined #openstack-keystone12:03
*** yottatsa has joined #openstack-keystone12:08
*** fhubik is now known as fhubik_brb12:10
*** samueldmq has joined #openstack-keystone12:11
samueldmqmorning12:12
*** marzif__ has joined #openstack-keystone12:14
*** marzif__ has quit IRC12:16
*** marzif__ has joined #openstack-keystone12:16
*** marzif_ has quit IRC12:17
*** yottatsa has quit IRC12:20
*** jecarey has joined #openstack-keystone12:20
*** yottatsa has joined #openstack-keystone12:24
*** bapalm has joined #openstack-keystone12:26
*** bapalm has quit IRC12:26
*** bapalm has joined #openstack-keystone12:27
*** Nirupama has quit IRC12:27
*** edmondsw has joined #openstack-keystone12:33
*** claudiub has joined #openstack-keystone12:37
claudiubhello. any keystoneclient person around here?12:39
claudiubI have a bit of an issue with it: https://github.com/openstack/python-keystoneclient/blame/master/keystoneclient/session.py#L91612:40
claudiubsocket.TCP_KEEPCNT doesn't exist in windows12:40
claudiubor TCP_KEEPINTVL12:40
*** katkapilatova has left #openstack-keystone12:42
*** bapalm_ has joined #openstack-keystone12:45
bretonyou could try doing something like on line 92312:46
claudiubbreton: sure, but still deserves a bug report, IMO. doing it now.12:47
*** links has quit IRC12:48
*** bapalm has quit IRC12:49
*** richm has joined #openstack-keystone12:49
*** openstackgerrit_ has quit IRC12:51
*** jsavak has joined #openstack-keystone12:53
*** openstackgerrit_ has joined #openstack-keystone12:57
*** elmiko has joined #openstack-keystone13:05
*** marzif_ has joined #openstack-keystone13:10
*** marzif_ has quit IRC13:11
*** marzif__ has quit IRC13:11
*** marzif_ has joined #openstack-keystone13:12
*** petertr7_away is now known as petertr713:17
*** yottatsa has quit IRC13:18
*** browne has joined #openstack-keystone13:18
*** yottatsa has joined #openstack-keystone13:20
*** nkinder has joined #openstack-keystone13:20
*** yottatsa has quit IRC13:21
*** yottatsa has joined #openstack-keystone13:22
*** jecarey has quit IRC13:24
*** yottatsa has quit IRC13:25
*** yottatsa has joined #openstack-keystone13:25
dstanekclaudiub: that's really interesting... have you created a bug?13:29
*** ajayaa has joined #openstack-keystone13:29
*** samueldmq has quit IRC13:30
*** hrou has joined #openstack-keystone13:32
*** ayoung has joined #openstack-keystone13:34
*** ChanServ sets mode: +v ayoung13:34
*** opilotte has joined #openstack-keystone13:34
*** david-lyle has quit IRC13:36
*** doug-fish has left #openstack-keystone13:42
bretondstanek: bug #148369613:42
openstackbug 1483696 in python-keystoneclient "socket.TCP_KEEPCNT and socket.KEEPINTVL do not exist in windows" [Undecided,New] https://launchpad.net/bugs/148369613:42
*** jecarey has joined #openstack-keystone13:44
*** fhubik_brb is now known as fhubik13:49
*** edmondsw has quit IRC13:51
lbragstadmarekd: around? I've added https://bugs.launchpad.net/keystone/+bug/1482701 to the list of agenda items on the meeting for today13:54
openstackLaunchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis)13:54
*** openstackgerrit_ has quit IRC13:55
marekdlbragstad: thanks.13:55
marekdlbragstad: so i tried to make DS work but i basically failed.13:56
*** openstackgerrit_ has joined #openstack-keystone13:56
*** afazekas has quit IRC13:56
*** piyanai has quit IRC13:58
claudiubdstanek: hi. yeah. I started doing the fix. working on the unit test atm13:59
*** r-daneel has joined #openstack-keystone14:00
*** diazjf has joined #openstack-keystone14:00
lbragstadmarekd: I saw the link in the mail14:00
marekdlbragstad: nah, i tried installing stuff that sits in /etc/shibboleth-ds/14:01
*** ngupta has joined #openstack-keystone14:01
lbragstadmarekd: what exactly did you try ?14:01
lbragstadjust curious14:01
marekdlbragstad: make DS work14:01
marekdi once did it14:01
marekdto make sure it basically does what i think it does14:01
marekdit was failing for some reason, maybe self signed certs or whatever.14:02
*** jsavak has quit IRC14:02
marekdanyway, i kind of like idea of subdomain in client's domain14:02
marekdthis may be nice14:02
dstanekclaudiub: cool, you should assign the bug to yourself so people know that someone is working on it14:02
lbragstadmarekd: so, openstack-dashboard.coke.com14:03
marekdlbragstad: yes14:03
dstanekmarekd: it's really hard to get me to work14:03
marekddstanek:  ?14:03
dstanekmarekd: bad (maybe just delayed joke) "so i tried to make DS work but i basically failed."14:03
lbragstadlol14:03
lbragstad"I keep assigning bugs to him but he's not doing anything!?"14:04
marekddstanek: lol, took me a good few secs to understand what you mean14:04
*** doug-fish has joined #openstack-keystone14:05
*** jistr is now known as jistr|mtg14:10
*** bapalm_ has quit IRC14:11
*** bapalm has joined #openstack-keystone14:11
*** jecarey has quit IRC14:11
*** ParsectiX has quit IRC14:13
*** sigmavirus24_awa is now known as sigmavirus2414:15
*** bapalm has quit IRC14:15
*** bapalm has joined #openstack-keystone14:15
*** stevemar has joined #openstack-keystone14:16
*** ChanServ sets mode: +v stevemar14:16
*** narengan has joined #openstack-keystone14:16
*** bapalm has quit IRC14:16
*** raildo has joined #openstack-keystone14:17
*** bapalm has joined #openstack-keystone14:17
*** openstackgerrit_ has quit IRC14:17
*** narengan has quit IRC14:18
*** openstackgerrit_ has joined #openstack-keystone14:18
*** narengan has joined #openstack-keystone14:19
*** jsavak has joined #openstack-keystone14:19
*** stevemar has quit IRC14:20
*** yottatsa has quit IRC14:22
*** narengan has quit IRC14:23
*** tellesnobrega has quit IRC14:23
*** yottatsa has joined #openstack-keystone14:24
*** tellesnobrega has joined #openstack-keystone14:24
*** edmondsw has joined #openstack-keystone14:24
*** tellesnobrega has quit IRC14:25
*** tellesnobrega has joined #openstack-keystone14:26
opilottei'll just leave this here... https://review.openstack.org/#/c/210581/14:29
*** fhubik has quit IRC14:29
*** openstackgerrit_ has quit IRC14:31
*** yottatsa has quit IRC14:37
*** stevemar has joined #openstack-keystone14:38
*** ChanServ sets mode: +v stevemar14:38
*** yottatsa has joined #openstack-keystone14:39
*** tellesnobrega_ has joined #openstack-keystone14:42
*** tellesnobrega_ has quit IRC14:42
*** tellesnobrega_ has joined #openstack-keystone14:42
*** jdandrea has joined #openstack-keystone14:43
*** tellesnobrega_ has quit IRC14:44
*** tellesnobrega_ has joined #openstack-keystone14:45
*** jecarey has joined #openstack-keystone14:46
*** piyanai has joined #openstack-keystone14:47
*** Ephur has joined #openstack-keystone14:47
*** tellesnobrega_ has quit IRC14:48
*** ajayaa has quit IRC14:48
*** tellesnobrega_ has joined #openstack-keystone14:51
*** ajayaa has joined #openstack-keystone14:52
*** Ephur has quit IRC14:52
*** jistr|mtg is now known as jistr14:59
*** narengan has joined #openstack-keystone15:01
*** tellesno` has joined #openstack-keystone15:03
*** samueldmq has joined #openstack-keystone15:03
*** zzzeek has joined #openstack-keystone15:05
*** tellesnobrega has quit IRC15:08
*** tellesno` has quit IRC15:09
*** tellesnobrega has joined #openstack-keystone15:10
*** tellesnobrega has quit IRC15:13
*** tellesnobrega has joined #openstack-keystone15:13
*** eandersson_ has joined #openstack-keystone15:15
*** david-lyle has joined #openstack-keystone15:15
openstackgerritOlivier Pilotte proposed openstack/keystone: allow Keystone to accept Group IDs from the IdP without any Domain reference  https://review.openstack.org/21058115:17
*** eandersson has quit IRC15:18
*** narengan has quit IRC15:25
*** narengan has joined #openstack-keystone15:25
*** narengan_ has joined #openstack-keystone15:26
*** bapalm has quit IRC15:27
openstackgerritBoris Bobrov proposed openstack/keystone: Fix docstring in mapped plugin  https://review.openstack.org/21163015:28
*** bapalm has joined #openstack-keystone15:28
*** josecastroleon has quit IRC15:28
*** narengan has quit IRC15:30
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Support Multiple SQL Backends  https://review.openstack.org/20748215:34
*** yottatsa has quit IRC15:36
*** lhcheng has joined #openstack-keystone15:44
*** ChanServ sets mode: +v lhcheng15:44
*** rudzha has joined #openstack-keystone15:46
*** rudzha has left #openstack-keystone15:47
*** woodster_ has joined #openstack-keystone15:47
*** petertr7 is now known as petertr7_away15:48
*** rm_work is now known as rm_work|away15:49
*** piyanai has quit IRC15:49
*** geoffarnold has joined #openstack-keystone15:49
*** geoffarnold has quit IRC15:51
*** geoffarnold has joined #openstack-keystone15:51
*** yottatsa has joined #openstack-keystone15:53
rodrigodshere it comes...15:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Creating tests for projects acting as domains  https://review.openstack.org/21121915:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913215:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742715:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733115:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185415:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Change policy to comply with is_domain in token  https://review.openstack.org/20606315:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593615:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Replicate domain info in projects table  https://review.openstack.org/21117015:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837215:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060015:56
*** piyanai has joined #openstack-keystone15:58
*** yottatsa has quit IRC16:00
*** jasondotstar has quit IRC16:00
*** jistr has quit IRC16:01
*** gyee has joined #openstack-keystone16:03
*** ChanServ sets mode: +v gyee16:03
*** pgbridge has quit IRC16:06
*** yottatsa has joined #openstack-keystone16:07
*** marzif_ has quit IRC16:08
*** openstackgerrit_ has joined #openstack-keystone16:08
*** geoffarnold has quit IRC16:10
*** geoffarnold has joined #openstack-keystone16:11
*** _cjones_ has joined #openstack-keystone16:12
*** tellesnobrega_ has quit IRC16:13
*** piyanai_ has joined #openstack-keystone16:14
*** piyanai has quit IRC16:17
*** piyanai_ is now known as piyanai16:17
*** ankita_wagh has joined #openstack-keystone16:19
*** jasondotstar has joined #openstack-keystone16:20
*** ig0r_ has joined #openstack-keystone16:20
*** mylu has joined #openstack-keystone16:28
*** raildo__ has joined #openstack-keystone16:29
*** raildo-afk has joined #openstack-keystone16:32
*** raildo-afk has quit IRC16:34
*** raildo-afk has joined #openstack-keystone16:35
*** raildo__ has quit IRC16:35
*** bapalm_ has joined #openstack-keystone16:35
*** bapalm has quit IRC16:39
*** htruta has quit IRC16:41
*** htruta has joined #openstack-keystone16:43
*** htruta has quit IRC16:44
*** ig0r_ has quit IRC16:48
*** jasonsb has quit IRC16:49
*** jasonsb has joined #openstack-keystone16:50
*** yottatsa has quit IRC16:51
*** petertr7_away is now known as petertr716:53
*** raildo has quit IRC16:53
*** roxanaghe has joined #openstack-keystone16:53
*** bapalm_ has quit IRC16:54
*** yottatsa has joined #openstack-keystone16:54
*** jasonsb has quit IRC16:54
*** bapalm has joined #openstack-keystone16:54
*** raildo has joined #openstack-keystone16:55
*** htruta has joined #openstack-keystone16:55
*** bapalm_ has joined #openstack-keystone16:55
*** tellesnobrega has quit IRC16:56
*** ankita_wagh has quit IRC16:56
*** tellesnobrega has joined #openstack-keystone16:56
*** tellesnobrega has quit IRC16:57
*** tellesnobrega has joined #openstack-keystone16:57
*** piyanai has quit IRC16:58
*** mylu has quit IRC16:58
*** tellesnobrega has quit IRC16:58
*** tellesnobrega has joined #openstack-keystone16:59
*** browne has quit IRC16:59
*** bapalm has quit IRC16:59
*** mylu has joined #openstack-keystone16:59
*** bapalm_ has quit IRC17:00
*** tellesnobrega has quit IRC17:01
*** narengan_ has quit IRC17:01
*** tellesnobrega has joined #openstack-keystone17:01
*** narengan has joined #openstack-keystone17:02
*** piyanai has joined #openstack-keystone17:02
*** ajayaa has quit IRC17:04
gyeedolphm, your patch actually fixes two critical issues, https://review.openstack.org/#/c/208069/, do you want to update the commit msg or do you want me to do it17:06
gyeeI can go ahead and approve it after the update17:06
*** narengan has quit IRC17:06
*** henrynash has joined #openstack-keystone17:16
*** ChanServ sets mode: +v henrynash17:16
*** piyanai has quit IRC17:20
*** raildo has quit IRC17:21
*** mylu has quit IRC17:25
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create Cached Policy Table  https://review.openstack.org/21167917:25
*** piyanai has joined #openstack-keystone17:26
*** tqtran has joined #openstack-keystone17:27
*** raildo-afk is now known as raildo17:27
*** piyanai has quit IRC17:27
*** raildo is now known as raildo-afk17:28
*** ankita_wagh has joined #openstack-keystone17:28
*** raildo has joined #openstack-keystone17:29
*** raildo has quit IRC17:29
*** yottatsa has quit IRC17:31
openstackgerritLance Bragstad proposed openstack/keystone: Update endpoint filter documentation  https://review.openstack.org/21168117:32
*** raildo-afk is now known as raildo17:32
*** boris-42 has joined #openstack-keystone17:32
*** jasonsb has joined #openstack-keystone17:33
*** yottatsa has joined #openstack-keystone17:34
openstackgerritClaudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager  https://review.openstack.org/21168617:35
*** piyanai has joined #openstack-keystone17:36
*** ayoung has quit IRC17:37
lhchengdolphm: if we add the region filter to List Endpoints, I have to create a bp/spec too, right? same thing that raildo did last week17:37
lhchengdolphm: related to https://bugs.launchpad.net/keystone/+bug/148277217:38
openstackLaunchpad bug 1482772 in python-openstackclient "Region filtering for endpoints does not work" [Undecided,New] - Assigned to Lin Hua Cheng (lin-hua-cheng)17:38
jamielennoxsigmavirus24: bug #148369617:38
openstackbug 1483696 in python-keystoneclient "socket.TCP_KEEPCNT and socket.KEEPINTVL do not exist in windows" [Medium,In progress] https://launchpad.net/bugs/1483696 - Assigned to Claudiu Belu (cbelu)17:38
lhchengjamielennox: Just saw your presentation on pyconau, I've reported the horizon page issue to mrunge17:38
jamielennoxlhcheng: i think it's a rhel thing17:39
lhchengjamielennox: the bug is on the red hat customization17:39
jamielennoxlhcheng: it always seemed to work on upstream horizon17:39
*** browne has joined #openstack-keystone17:39
lhchengjamielennox: yup, I think mrunge maintains the horizon-rhel for you guys17:39
jamielennoxlhcheng: yep, he does, i reported it internally i just haven't chased him to see if he's actually seen the bug17:40
raildolhcheng: it's very similar to my case...17:40
lhchengjamielennox: anyway, I gave him a headsup :)17:40
jamielennoxlhcheng: thanks17:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism  https://review.openstack.org/20969517:41
*** bknudson has joined #openstack-keystone17:47
*** ChanServ sets mode: +v bknudson17:47
*** harlowja has quit IRC17:51
openstackgerritDavid Stanek proposed openstack/keystone: WIP: please don't review me  https://review.openstack.org/21169317:53
*** eandersson_ has quit IRC17:54
*** harlowja has joined #openstack-keystone17:54
* morgan_503 lurks in the corner17:55
stevemarmorgan_503: i finally got the joke17:56
stevemar503, unavailable17:56
stevemarha17:56
*** mylu has joined #openstack-keystone17:56
morgan_503stevemar: hehe17:56
*** bapalm has joined #openstack-keystone17:56
raildostevemar: thanks for explaining! I didn't get it17:57
morgan_503 /nick morgan_40417:57
morgan_503:P17:57
morgan_503or /nick morgan_41017:58
morgan_503there we go.17:58
* dstanek is trying to update the meeting wiki...quickly..quickly...17:58
*** jsavak has quit IRC17:58
morgan_503dstanek: hurrrrrrrrrrrrrrrrrrrry17:59
morgan_503#startmeeting Keystone17:59
openstackMeeting started Tue Aug 11 17:59:51 2015 UTC and is due to finish in 60 minutes.  The chair is morgan_503. Information about MeetBot at http://wiki.debian.org/MeetBot.17:59
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.17:59
openstackThe meeting name has been set to 'keystone'17:59
morgan_503Agenda: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting18:00
morgan_503#link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting18:00
*** jsavak has joined #openstack-keystone18:00
morgan_503oops18:00
rodrigodswrong channel morgan_503 ?18:00
morgan_503#endmeeting18:00
openstackMeeting ended Tue Aug 11 18:00:34 2015 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)18:00
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-11-17.59.html18:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-11-17.59.txt18:00
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-11-17.59.log.html18:00
*** mylu has quit IRC18:00
*** bapalm has quit IRC18:01
*** ayoung has joined #openstack-keystone18:01
*** ChanServ sets mode: +v ayoung18:01
*** mylu has joined #openstack-keystone18:02
*** htruta_ has joined #openstack-keystone18:02
*** mylu has quit IRC18:03
*** mylu has joined #openstack-keystone18:04
*** bapalm has joined #openstack-keystone18:05
*** openstackgerrit_ has quit IRC18:06
*** dikonoo has quit IRC18:10
odyssey4meinteresting - you can use meetbot in the normal channel?18:11
odyssey4methat's handy18:11
*** phalmos has joined #openstack-keystone18:11
sigmavirus24jamielennox: thanks for the pointer18:12
sigmavirus24odyssey4me: you can18:12
openstackgerritMerged openstack/keystone-specs: Centralized Policies Distribution Mechanism  https://review.openstack.org/19798018:13
*** mylu has quit IRC18:15
*** mylu has joined #openstack-keystone18:16
*** ig0r_ has joined #openstack-keystone18:17
*** ig0r_ has quit IRC18:18
*** pgbridge has joined #openstack-keystone18:19
*** mylu has quit IRC18:22
*** geoffarnold has quit IRC18:22
*** htruta_ has quit IRC18:24
sigmavirus24jamielennox: https://review.openstack.org/#/c/211686/ I added a review asking that they use the proper Windows settings for that bug18:24
*** josecastroleon has joined #openstack-keystone18:24
*** tjcocozz has joined #openstack-keystone18:25
rodrigodshenrynash, can you check my reply here? https://review.openstack.org/#/c/157427/91/keystone/tests/unit/test_v3_assignment.py18:28
rodrigodsalso, in the commit message18:28
*** ig0r_ has joined #openstack-keystone18:28
*** tqtran_ has joined #openstack-keystone18:32
*** diazjf has quit IRC18:34
*** tqtran has quit IRC18:35
*** geoffarnold has joined #openstack-keystone18:37
samueldmqone spec merged, there is one left18:37
samueldmqhttps://review.openstack.org/#/c/134655/18:38
*** geoffarnold is now known as geoffarnoldX18:38
ayoungdstanek, jamielennox, I think the way the caching should work for my case is session.disable_cache....make calls....session.enable_cache....18:38
samueldmqany core want to approve it ? dstanek henrynash gyee lhcheng  ^18:38
dstaneksamueldmq: it needs to get into liberty!18:39
*** narengan has joined #openstack-keystone18:41
dstanekayoung: maybe we could add a kwarg like ignore_cache to the calls...i'll have to experiment a little to see what APIs i like18:41
ayoungdstanek, ++18:41
*** jsavak has quit IRC18:41
lhchengmorgan_503: I added one item in the meeting agenda, should take 2 min. or we could also move it to next week if we don't have enough time.18:42
morgan_503possibly next week possibly this. lets see18:42
*** jsavak has joined #openstack-keystone18:42
samueldmqdstanek, yes, as it already has +2 and the other merged already, I am going to propose moving both in a follow-on patch18:43
samueldmqdstanek, if that makes sense18:43
lhchengmorgan_503: sure, np18:43
*** geoffarnoldX is now known as geoffarnold18:44
*** annasort has joined #openstack-keystone18:45
bretongyee: providing a token with x509 will require an auth plugin in keystone, won't it?18:48
morgan_503lhcheng: that looks like a simple bug18:48
morgan_503lhcheng: i'd say just fix it18:48
morgan_503btw18:48
gyeebreton, yes, but it's like a no-op plugin18:48
*** diazjf has joined #openstack-keystone18:49
bretongyee: like mapped.py?18:49
gyeebreton, no18:49
gyeejust use the OS-FEDERATION path18:49
lhchengmorgan_503: okay, wanted to check-in if I should open a bp/spec like raildo did last week - since it requires api change to support new filter18:49
morgan_503nah18:49
morgan_503it's a bug18:49
morgan_503make it a no-spec question for next week18:50
morgan_503but i think it's a bug18:50
morgan_503 slash oversight18:50
lhchengmorgan_503: cool  :)18:50
lhchengmorgan_503: sounds good18:50
bretongyee: can issue_token fetch domain-id from auth context?18:50
gyeebreton, yes, I think the req env is passed down as part of context18:52
gyeeI'll need to double check18:52
*** piyanai has quit IRC18:52
*** yottatsa has quit IRC18:53
gyeebreton, yes, looks like we have req env in the context18:54
*** geoffarnold has quit IRC18:54
*** rm_work|away is now known as rm_work18:54
*** josecastroleon has quit IRC18:55
*** geoffarnold has joined #openstack-keystone18:55
*** piyanai has joined #openstack-keystone18:55
bretonvalidationerror happens in AuthInfo.create now18:57
*** ig0r_ has quit IRC18:59
jamielennoxmarekd: here?19:00
*** haneef has joined #openstack-keystone19:00
lbragstaddolphm: dstanek ^19:01
lbragstadjamielennox: dolphm dstanek marekd we still want to meet?19:01
dstaneksure19:01
* lbragstad is free19:01
gyeeayoung, jamielennox, can I get some love on this one? https://review.openstack.org/#/c/177661/19:01
jamielennoxlbragstad: yep19:01
samueldmqgyee, I will look at it as well19:02
*** geoffarnold has quit IRC19:02
gyeesamueldmq, thanks!19:02
jamielennoxso the best idea i have for IDP listing is essentially add a tag to IDPs19:02
*** jsavak has quit IRC19:02
*** yottatsa has joined #openstack-keystone19:02
jamielennoxwhen you create an IDP or maybe protocol you say tag=coke.com19:02
samueldmqgyee, and if you have time, could you approve this one? as result of the meeting vote https://review.openstack.org/#/c/134655/19:02
rodrigodshenrynash, too much stuff to remember in reseller, replied you again19:02
*** samleon has joined #openstack-keystone19:03
jamielennoxthen from a horizon instance listing IDPs you do the list with ?tags=coke.com19:03
gyeesamueldmq, sure, but do you want to move it out of backlog dir?19:03
jamielennoxso that only IDPs relevant to that instance are going to show up19:03
lbragstadjamielennox: how does horizon know to look for coke?19:03
jamielennoxi think ayoung's public/private is not fine grained enough for that19:03
samueldmqgyee, I am going to propose a follow-on change to move this one and the other which merged already19:03
jamielennoxlbragstad: i was thinking hardcoded19:03
jamielennoxah, like in local_settings19:03
samueldmqgyee, so we move both together, if that makes sense, and we don't lose the +2s there19:03
*** geoffarnold has joined #openstack-keystone19:03
*** ayoung has quit IRC19:04
gyeesamueldmq, k, done19:04
lbragstadso, the user goes to horizon and they say "I'm a part of coke and I want to federate against coke's IDP"19:04
jamielennoxwhen you look at whitelabelling something is it typically a new horizon instance or just an interface?19:04
*** ig0r_ has joined #openstack-keystone19:04
samueldmqgyee, thanks19:04
*** bapalm has quit IRC19:04
samueldmqgyee, one of the possible checks in endpoint constraint is by endpoint_id19:04
gyeesamueldmq, yes, it's governed by a policy rule19:05
samueldmqgyee, which is the same config we use for the policy fetch19:05
gyeeso it can be anything19:05
*** bapalm has joined #openstack-keystone19:05
*** jsavak has joined #openstack-keystone19:05
samueldmqgyee, ok so that's far more generic than the endpoint_id config we need for fetching policy19:05
gyeesamueldmq, yes, it's using the service policy file19:05
jamielennoxlbragstad: you could set it from ENV variable passed down from apache, so in the <VirtualEnv> EnvVar IDP_TAG coke.com just for that interface19:05
jamielennoxi don't really know or mind on that just i would expect you to want to share some as well19:06
samueldmqgyee, yeah got it, we add a check in there19:06
samueldmqgyee, as a policy rule19:06
jamielennoxlike coke.com sees corp login and possibly a google login that another customer would see19:06
dstanekjamielennox: lbragstad: right, having a separate URL for the customer is the only way i can think of to make it work19:06
gyeesamueldmq, yeah, we made it generic so it can filter on anything from the catalog19:06
*** petertr7 is now known as petertr7_away19:07
lbragstaddstanek: that would be the only way to make it work without exposing all idps to the user?19:07
jamielennoxdstanek: is that unreasonable in the situation where someone is giving you access to a corp saml interface?19:07
samueldmqgyee, makes sense, and can be as tight as deployers want it to be19:07
*** bapalm_ has joined #openstack-keystone19:08
openstackgerritMerged openstack/keystone-specs: Centralized Policies Fetch and Cache  https://review.openstack.org/13465519:08
dstaneklbragstad: yes, unless you liked my bad idea :-)19:08
dstanekjamielennox: not to me19:08
jamielennoxlbragstad: it's the only way i can think of it working when you want to limit what is available in a drop down like that19:08
jamielennoxwhere you are customizing a page based on URL19:09
*** bapalm has quit IRC19:09
jamielennoxdstanek: so what would be cool there is if you could separate the horizon login from the rest of the horizon app19:09
*** tjcocozz has quit IRC19:09
jamielennoxi mean beyond login there's a good white-labelling of horizon opportunity for you guys there19:10
lbragstadjamielennox: so the user would hit the login page first19:10
*** yottatsa has quit IRC19:10
dstaneklbragstad: they would hit a branded login page19:10
jamielennoxbut so that you don't have to operate a complete horizon instance per customer, just the login page and then redirect back over to a common horizon instance19:10
lbragstaddstanek: and that would be something that coke manages19:10
dstaneklbragstad: or their cloud provider19:11
jamielennoxlbragstad: in whatever way people currently skin horizon19:11
*** petertr7_away is now known as petertr719:11
dstanekit's just that the user has to know something about what IdP to use and having them know their company's branded login makes the most sense19:11
lbragstadok, so from there they shouldn't need to specify their idp because we should already know it based on where they are coming from19:11
dstanekyes19:12
jamielennoxlbragstad: we could probably bounce from horizon direct to idp if the list is 1 entry long19:12
jamielennoxbut this is where i don't really know if dynamic listing matters19:12
jamielennoxfor some people (CERN) sure there will be a lot of IDPs coming and going19:13
jamielennoxfor a public cloud you would expect one or maybe two that don't really change much19:13
lbragstadso Horizon would understand that some user came from customer-dashboard.coke.com and horizon should understand that it needs to make /v3/OS-FEDERATION/identity_providers/coke/protocol/saml2/websso19:14
*** geoffarnold has quit IRC19:14
*** mestery_ has joined #openstack-keystone19:14
lbragstadjamielennox: and that call doesn't exist yet because that is what was proposed by your spec19:14
gyeejamielennox, lbragstad, dstanek, you guys see how google doc works?19:14
jamielennoxgyee:  for login?19:15
gyeeyes19:15
jamielennoxgyee: yea, google uses the @domain as part of the login19:15
gyeeyou auth with your normal credential, if it requires your corp cred19:15
jamielennoxwhich would be awesome but works for them because they tie it to an actual @domain19:15
gyeeit will forward you back to your corp to auth19:15
jamielennoxit could work for a provider who decided that as a customer you got a domain that was strictly named after your actual web domain19:16
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Moves Dynamic Policy specs to Liberty dir  https://review.openstack.org/21172019:16
samueldmqgyee, dstanek ^19:16
gyeejamielennox, yes, we can't be having a drop down exposing all the IdPs19:16
jamielennoxlbragstad: so really the only thing i'm trying to propose in that spec is to skip the shibboleth discovery and let horizon do that19:16
gyeeour security team will never let us do that19:17
gyeeyou'll need to find out which user is authenticating, i.e. domain19:17
*** mestery has quit IRC19:17
gyeethen use the appropriate auth mechanism configured for that user19:17
jamielennoxchadwick had an interesting note in an email thread that he thought you could direct from horizon to the idp login and have that redirect back to keystone19:17
jamielennoxbut my understanding was that couldn't happen19:17
jamielennoxthat we had to have keystone initiate that exchange19:17
lbragstadyeah, i'm not sure how that would work19:18
dstanekgyee: that is similar to my crappy idea19:18
jamielennoxi replied to that thread but he hasn't answered that bit19:18
gyeedstanek, that's not a crappy idea19:18
lbragstadjamielennox: in that case, we would have to have the path location aliased in apache19:18
lbragstadright?19:18
gyeethat's how it works in the "real world"19:18
*** yottatsa has joined #openstack-keystone19:18
jamielennoxlbragstad: which path?19:19
dstanekThe other, much less ideal, thing we could do is a 2 step login process similar to what banks do. On the first page a user types in their username/email and when they submit a lookup happens to find out what IdP to use based on what domain they are defined in. Hopefully you could redirect to the IdP in such a way that the username/email is prepopulated, but I'd bet that doesn't work for everything.19:19
dstanekgyee: ^ from an email19:19
lbragstadjamielennox: /v3/OS-FEDERATION/identity_providers/{idp_ip}/protocol/{protocol_id}/websso19:19
jamielennoxlbragstad: oh, yea you would need to set that up for each new idp19:19
*** mestery_ is now known as mestery19:19
jamielennoxbut i'm not sure if that's happening anyway because we use /v3/OS-FEDERATION/identity_providers/{idp_ip}/protocol/{protocol_id}/auth for CLI login19:20
gyeedstanek, I don't see how we can really avoid 2 step login, unless we have a distinct URL for each customer19:20
lbragstadyeah, doesn't that pass to federated_sso_auth()?19:20
jamielennoxi don't know how hard it is to reboot apache in a live env like that19:20
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Moves Dynamic Policy specs to Liberty dir  https://review.openstack.org/21172019:20
dstanekgyee: exactly :-)19:20
gyeefor cloud hosting, that may be the case19:20
gyeefor public cloud, we have to know the domain19:21
jamielennoxgyee: that's exactly where we are, a per-url login19:21
lbragstadjamielennox: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L29919:21
jamielennoxlbragstad: so most of that is reusable19:21
jamielennoxwell some19:22
jamielennoxyou don't need https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L300-L31319:22
jamielennoxbecause that's finding the idp url from the assertion and looking up remote_id on idps to figure out where the response came back from19:22
lbragstadjamielennox: oh, looks like that is this call - https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/routers.py#L80-L8119:22
jamielennoxyou would know this based on url19:22
gyeejamielennox, we sorta do some tricks at Apache side for Federation anyway19:22
lbragstadright,19:22
lbragstadjamielennox: so, that's the part we would be addressing with your spec, right?19:23
jamielennoxgyee: you have to do apache tricks19:23
gyeeperhaps have a header to dictate which IdP to forward to19:23
jamielennoxlbragstad: right19:23
jamielennoxgyee: but then how do you handle the header?19:23
gyeejamielennox, there's all kinds of stuff you can do with it19:23
gyeelike redirect based on client DNS?19:23
jamielennoxyou would need a shibboleth discovery page that looks for the header, looks up the associated URL and forwards you19:23
gyeeclient IP, region, whatever19:23
*** bapalm_ has quit IRC19:24
*** bapalm has joined #openstack-keystone19:24
*** alejandrito has joined #openstack-keystone19:24
gyeeif you present a list to the end users, there's a very good chance they'll pick the wrong one19:25
*** bapalm has quit IRC19:25
lbragstadgyee: a list of idps?19:26
gyeethey have to know prior to authenticating, just like auth_url19:26
*** bapalm has joined #openstack-keystone19:26
gyeelbragstad, yes19:26
lbragstadgyee: that and there are also security concerns, like you said19:26
gyeeexactly19:26
jamielennoxif you use the current global /websso route do you need to reboot apache for a new IDP?19:26
jamielennoxyou must right, you have to tell apache how to validate the assertion19:27
lbragstadjamielennox: yes, I believe so19:27
lbragstadso every addition of a new idp, will require a bounce of apache19:27
gyeehow often do you add a new IdP?19:27
gyeeonce every 3 blue moons?19:27
jamielennoxgyee: apparently it's a thing19:27
jamielennoxbut mainly CERN/kent as i understand it19:28
*** geoffarnold has joined #openstack-keystone19:28
jamielennoxbut i expect even offering this in a public cloud situation it's going to be rare19:29
gyeewow, so their drop down list occupied the whole screen then? :)19:29
lbragstadit's a big list19:29
jamielennoxand it's going to be a support ticket that's going to take a few days19:29
jamielennoxgyee: openstack.cern.ch19:30
*** piyanai has quit IRC19:30
*** bapalm has quit IRC19:31
gyeek man, I have to drop off for an hour or so, y'all have fun :)19:31
jamielennoxi don't know where the university one is19:31
*** gyee has quit IRC19:31
*** bapalm has joined #openstack-keystone19:31
lbragstadjamielennox: dstanek so, what do you guys think?19:31
dstaneklbragstad: hostess cupcakes are better than oreos19:32
samueldmqis Keystone FFE 3rd September?19:32
jamielennoxso my main thing is i want to do discovery via horizon and not shib cause then we've got to do it again for mellon, for oidc and figure something out for kerberos19:32
lbragstaddstanek: fact, I can't argue with that19:33
jamielennoxdstanek: i've got no idea19:33
*** bapalm has quit IRC19:33
jamielennoxif there's another way to make that happen i'm keen but i haven't found one19:33
dstanekjamielennox: i've not read the discovery spec yet, just the Oracle article.19:34
*** bapalm has joined #openstack-keystone19:34
lbragstadwhat about the idp certs/metadata,19:34
jamielennoxdstanek: i don't know if that means it's handled the same way for all implementations19:34
lbragstadthat wouldn't require a change to apache (or bouncing apache) if the IdP gives a url to fetch metadata from, right?19:34
jamielennoxlbragstad: i *think* you need that anyway19:35
dstaneklbragstad: yep, at least for now19:35
lbragstadjamielennox: need what? the certs?19:35
jamielennoxsorry, misread19:35
lbragstads/certs/metadata/19:35
lbragstadwe have a way to give shib a url to fetch metadata,19:35
jamielennoxat runtime? nice19:36
lbragstadso as long as that doesn't change, we shouldn't have to bounce apache if the IdP certs change19:36
lbragstadjamielennox: https://github.com/lbragstad/keystone-deploy/blob/federation/playbooks/roles/service_provider/templates/shibboleth2.xml#L1119:36
*** ankita_wagh has quit IRC19:37
*** gordc has quit IRC19:37
lbragstadbut if shib only fetches metadata on start up, then we might need to bounce shib in order to get it to grab new metadata19:37
*** jsavak has quit IRC19:38
jamielennoxdoes keystone support that /saml2/metadata or is that yours?19:38
stevemarit does19:38
* jamielennox needs to read that 19:38
*** bapalm has quit IRC19:38
dstaneklbragstad: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider#IdPMetadataProvider-AboutReloadingMetadataProviders19:38
*** jsavak has joined #openstack-keystone19:39
jamielennoxoh, i thought that was just for K2K?19:39
lbragstaddstanek: oh, nice.19:39
dstanekit's for any IdP19:39
lbragstaddstanek: so you can tell shib to get metadata periodically19:40
*** phalmos has quit IRC19:40
dstaneklbragstad: it's automatic based on cache headers19:41
*** bapalm has joined #openstack-keystone19:41
jamielennoxdstanek: it still looks to me like /metadata is the assertion for using keystone as an IDP, not how to fetch data about IDPs configured in keystone19:41
lbragstaddstanek: awesome, so we shouldn't have to kick shib because some idp changed their metadata19:41
jamielennoxbased on https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#retrieve-metadata-properties19:41
dstanekjamielennox: that's exactly what that is - it's an IdP's metadata19:42
lbragstaddstanek: so, we are back to only bouncing apache when we add new IdPs19:42
dstanekyou will have to restart to add/remove IdPs19:42
*** gordc has joined #openstack-keystone19:42
dstaneklbragstad: yes, for now. i think someone is working on that from Redhat19:42
dstanekwell, at least for mellon19:42
jamielennoxyea, but not for shib19:42
jamielennoxdstanek: so based on the code you could use it for anything https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L50219:43
*** yottatsa has quit IRC19:44
jamielennoxwhich makes it a fairly cool hack that you'd be able to list all your remote IDPs data in there19:44
*** browne1 has joined #openstack-keystone19:44
jamielennoxbut i think the intent is for that to serve the saml2 metadata for keystone when using k2k19:44
stevemarjamielennox: right, it's only supposed to be for k2k19:45
dstanekjamielennox: that class is just what implements the /metadata for k2k. the shib directive is for all of federation19:45
openstackgerritMerged openstack/keystone: Fix docstring in mapped plugin  https://review.openstack.org/21163019:46
*** browne has quit IRC19:47
*** ayoung has joined #openstack-keystone19:47
*** ChanServ sets mode: +v ayoung19:47
jamielennoxoh, i may have misread https://github.com/lbragstad/keystone-deploy/blob/federation/playbooks/roles/service_provider/templates/shibboleth2.xml#L1119:48
dstanekjamielennox: that's lbragstad's template for doing k2k19:48
jamielennoxthat's setting up keystone as an idp not as a sp?19:48
jamielennoxok, right, misunderstood what was happening there19:48
openstackgerritMerged openstack/keystone-specs: Moves Dynamic Policy specs to Liberty dir  https://review.openstack.org/21172019:49
dstanekjamielennox: yeah, that's configuring a Keystone as an IdP19:50
*** bapalm has quit IRC19:51
*** bapalm has joined #openstack-keystone19:51
jamielennoxlbragstad: looking at that task, out of interest, how does shib-keygen work if you have HA keystones? do you need to copy around private keys?19:51
*** yottatsa has joined #openstack-keystone19:51
*** yottatsa has quit IRC19:52
*** piyanai has joined #openstack-keystone19:54
*** bapalm has quit IRC19:55
*** bapalm has joined #openstack-keystone19:55
openstackgerritCorey Bryant proposed openstack/python-keystoneclient: Iterate over copy of sys.modules keys in Python2/3  https://review.openstack.org/21173119:58
lbragstadjamielennox: I'm not sure,19:58
lbragstadjamielennox: I didn't get that far with ansible19:58
lbragstadand federated setups19:58
*** ig0r_ has quit IRC19:58
jamielennoxlbragstad: no worries, i just saw it and was wondering if that worked - i assume not19:59
jamielennoxi've been trying to figure out the "correct" way to do secrets in ansible and i'm still not sure19:59
*** bapalm has quit IRC20:01
lbragstadjamielennox: so we've hammered out at least one option and that is 1.) user goes to customer specific login page 2.) customer specific login page goes to horizon 3.) horizon figures out which customer idp to use 4.) horizon calls /v3/OS-FEDERATION/identity_providers/{idp_ip}/protocol/{protocol_id}/websso based on the idp id20:01
*** bapalm has joined #openstack-keystone20:01
*** hrou has quit IRC20:01
lbragstadjamielennox: and that solution will require a restart/reload of apache and mod_shib every time you add a new IdP to your deployment20:02
jamielennoxyep20:03
lbragstadjamielennox: so, based on that, do we want to move forward with an SPFE?20:04
*** bapalm_ has joined #openstack-keystone20:04
*** opilotte has quit IRC20:05
*** opilotte has joined #openstack-keystone20:05
*** bapalm has quit IRC20:05
*** ig0r_ has joined #openstack-keystone20:08
*** claudiub has quit IRC20:11
*** mylu has joined #openstack-keystone20:13
*** geoffarnold has quit IRC20:15
*** samueldmq has quit IRC20:21
*** petertr7 is now known as petertr7_away20:22
jamielennoxbknudson: can you have another look at https://review.openstack.org/#/c/188329/320:22
jamielennoxyou just wanted a bug filed20:23
jamielennoxthe follow up patch has 2 +2s20:23
morgan_503zzzzzzzzz20:23
*** morgan_503 is now known as morgan_40420:23
morgan_404so20:24
morgan_404now that I have coffee lunch ... and stuff20:24
* morgan_404 looks at code reviews and email20:24
*** bapalm_ has quit IRC20:25
*** bapalm has joined #openstack-keystone20:25
*** phalmos has joined #openstack-keystone20:26
*** petertr7_away is now known as petertr720:29
*** bapalm has quit IRC20:30
*** bapalm has joined #openstack-keystone20:31
*** bapalm has quit IRC20:35
htrutahenrynash: are you there?20:36
*** opilotte has quit IRC20:41
jamielennoxmorgan_404: if you're looking for code reviews can you look at that one a few lines ago20:42
jamielennoxa testing change in client-kerberos20:42
jamielennoxbut then i can merge the one that deps on it20:42
morgan_404jamielennox: i was looking at the split loading in keystoneauth20:44
jamielennoxmorgan_404: ah, that too20:45
jamielennoxi think that one's ok, there's a follow up to move session loading over there as well which is correct but doesn't feel as right20:45
morgan_404yeah but both take real eyes20:45
morgan_404since it's a lot of shuffling things around20:46
morgan_404not just "oh yeah this is easy"20:46
*** opilotte has joined #openstack-keystone20:46
jamielennoxno, it's a pain20:46
*** diazjf has quit IRC20:48
*** ngupta has quit IRC20:48
*** opilotte_ has joined #openstack-keystone20:51
*** opilotte has quit IRC20:54
*** opilotte has joined #openstack-keystone20:55
*** opilotte has quit IRC20:57
*** mylu has quit IRC20:57
*** ig0r_ has quit IRC20:58
morgan_404jamielennox: so.. session loading going to punt on that one for a few20:58
morgan_404not sure how i feel about that one20:58
morgan_404it's not wrong... but you're right... it doesn't feel "right"20:58
*** rdo has quit IRC20:59
*** ankita_wagh has joined #openstack-keystone21:00
morgan_404jamielennox: whole chain(s) approved21:00
stevemardolphm: poke21:00
*** opilotte has joined #openstack-keystone21:00
morgan_404session loading, k2k plugin, and uhhhhh prompt for password21:00
morgan_404jamielennox: ^ not approved.21:00
*** opilotte has quit IRC21:00
jamielennoxin keystoneauth?21:01
jamielennoxi thought i abandoned all those on client21:01
jamielennoxor some21:01
*** rdo has joined #openstack-keystone21:01
*** opilotte has joined #openstack-keystone21:01
stevemarlbragstad: dstanek poke?21:02
morgan_404stevemar: poke bowl?21:03
stevemarmorgan_404: i'll settle for you :P21:04
*** morgan_404 is now known as morgan_41021:04
stevemarmorgan_404: i was wondering if there's any logic behind this: https://developer.rackspace.com/blog/introducing-rack-global-cli/21:04
morgan_410¬_¬21:04
stevemaraside from stomping all over what osc is trying to do21:04
*** morgan_410 is now known as morgan_40421:05
morgan_404stevemar: uhhh21:05
stevemaris it meant for just their public (or private) cloud, i forget which one isn't fully openstack friendly21:05
morgan_404stevemar: vendor lockin ?21:05
morgan_404the public cloud is not fully openstack, afaik the private cloud offerings are21:05
morgan_404i think it's 2-3 things21:06
morgan_4041) they control the UX21:06
morgan_404so they can smooth over the ick we may have in OSC/clients21:06
morgan_4042) mindshare (typing "rack" enforces it is rackspace vs "openstack")21:07
*** petertr7 is now known as petertr7_away21:07
stevemarmorgan_404: 1) help the project instead? 2) wtf21:07
morgan_4043) vendor lockin (see #2, while unsure if it was the intentional starting place)21:07
stevemarif it were to smooth over some weirdness that maybe the non-openstack APIs have, i get21:08
stevemarjust want to see that in writing though21:08
stevemarAFAICT, it's pretty much just a go-ified version of osc21:08
dstanekstevemar:21:08
stevemardstanek: refer to above ^21:09
dstanekstevemar: lbragstad and i were discussing websso flow earlier21:09
dstanekstevemar: no idea21:09
stevemardstanek: what's up with websso? or just saying why you were both away?21:10
dstanekstevemar: i may have a question for you...21:11
dstanekstevemar: this seems wrong...but what i came up with bit.ly/1JaStaY21:11
jamielennoxoo, rack cli :(21:11
dstanekstevemar: then i decided to make the mod_shib part more obvious and came up with bit.ly/1WgfrRV21:12
dstanekstevemar: now i have no idea what's happening between steps 7 and 821:12
jamielennoxbut i mean not dealing with *client and python deps, i can kind of see why21:12
dstanekstevemar: unless the dashboard always frontends keystone21:12
dstaneklooks like someone wanted to experiment with go21:13
stevemarjamielennox: i'd rather have seen folks helping the project instead of running off and creating their own21:13
stevemarit's not like we turn down help21:13
stevemarnow we're just going to have 2 projects that are lagging behind21:14
*** gyee has joined #openstack-keystone21:17
*** ChanServ sets mode: +v gyee21:17
stevemarthis is really upsetting :\ seems like a great example of not working with the community21:17
stevemarhopefully i'm just mis-interpreting all of this, but it doesn't seem that way21:18
*** phalmos has quit IRC21:19
dstanekyeah, i don't know why they would just up and write an osc clone21:21
*** phalmos has joined #openstack-keystone21:21
*** yottatsa has joined #openstack-keystone21:21
dstanekit would have been simpler to have a project that updates a user's bashrc to have 'alias rack=openstack' for the branding :-)21:22
*** henrynash has quit IRC21:25
*** raildo is now known as raildo-afk21:26
*** henrynash has joined #openstack-keystone21:28
*** ChanServ sets mode: +v henrynash21:28
stevemardstanek: steps 7 and 8 eh21:31
*** rdo has quit IRC21:31
*** rdo has joined #openstack-keystone21:33
openstackgerritguang-yee proposed openstack/keystone: Validate domain ownership for v2 tokens  https://review.openstack.org/20806921:40
*** alejandrito has quit IRC21:41
*** yottatsa has quit IRC21:41
*** bapalm has joined #openstack-keystone21:42
gyeemorgan_404, dolphm, I just updated the commit msg on https://review.openstack.org/208069 to include the bug on the v2 token request21:43
gyeeI am going to approve it as only the commit msg has changed21:43
gyeeyell if you guys have a problem with this21:43
jamielennoxstevemar, dstanek: right, they could have done some interesting things with branding like force set all the correct API versions, force set the correct auth_urls etc that make OSC more difficult21:45
*** nkinder has quit IRC21:46
stevemarjamielennox: apparently the single binary package was a hard requirement21:46
dstanekstevemar: dumb requirement if the install instructions have you use go to install21:48
jamielennoxbinary is tough there, they could have vendored the clients21:48
jamielennoxbut python isn't good for that stuff21:48
stevemardstanek: jamielennox and the ability to only provide non-admin commands21:48
jamielennoxright, it wouldn't be a difficult fork21:49
*** bapalm has quit IRC21:49
stevemarbut that shouldn't be hard to change the entrypoints of setup.cfg to fix21:49
stevemarright21:49
* stevemar shakes head21:49
stevemari dunno21:49
*** bapalm has joined #openstack-keystone21:49
stevemardstanek: going offline, email me if you have websso questions21:51
jamielennoxunrelated: i need a coffee, but can i get people to have a look at https://review.openstack.org/#/c/188329/21:51
jamielennoxstevemar: oo21:51
jamielennoxi did have one that i thought marekd was going to have to answer21:51
jamielennoxis it possible to do websso without going via keystone for the first hop21:51
jamielennoxchadwick was suggesting we could redirect from horizon to the idp login page and set the keystone url as the return21:52
jamielennoxi was under the impression we couldn't do that, we had to go horizon to keystone then to idp21:52
stevemarjamielennox: horizon to keystone is the only way that makes sense to me, unless you want to store stuff in horizon21:52
stevemarjamielennox: we're not even going to "keystone" we're going to a protected URL21:52
jamielennoxstevemar: his suggestion did involve horizon knowing the idp login url21:53
jamielennoxstevemar: right, but the redirect is initiated from keystone21:53
stevemarjamielennox: so what's the advantage we get?21:53
stevemarone less hop on something that is already a stupid amount of hops21:53
*** henrynash has quit IRC21:53
jamielennoxstevemar: it was the debate about whether we should do idp specific websso that has gone on way too long21:53
*** henrynash has joined #openstack-keystone21:54
*** ChanServ sets mode: +v henrynash21:54
jamielennoxand listing idps21:54
marekdjamielennox: hard question you ask21:54
jamielennoxhe was saying the idp login url would be added to keystone idp data and that horizon would go straight there21:54
stevemarif rax is fine with listing all their idps then i'm okay with it too21:54
jamielennoxignoring the hops and whether it's a good idea to expose idp login urls like that (because you have to double handle the url, once in apache and once in keystone)21:55
jamielennoxi was just wondering if it's possible21:55
marekdjamielennox: stevemar i think there is a way to skip first pass to keystone.21:55
jamielennoxi thought apache set up like a CSRF style thing on that first request that was part of it21:55
stevemarjamielennox: i'm not even sure if it's possible tbh21:55
marekdbut horizon would need to keep lots of info on idp, or use something like DiscoFeed i linked today21:56
jamielennoxIMO it's passing too much protocol knowledge to django_openstack_auth, i just want to know if it's doable21:56
*** bapalm has quit IRC21:56
jamielennoxmarekd: chadwick's suggestion was it be included in the idp data so it was available when you listed them21:57
*** bapalm has joined #openstack-keystone21:57
*** Raildo has joined #openstack-keystone21:57
marekdjamielennox: idp data fetched from keystone?21:57
marekdso the way the DS works it basically redirects to the IdP with three GET parameters so IdP knows where to get back - return, target and something else.21:59
stevemarbbiab21:59
*** stevemar has quit IRC21:59
marekdjamielennox: but i am not super sure if there is no signed request involved there.21:59
marekdi'd need to investigate21:59
*** Raildo has quit IRC21:59
*** stevemar has joined #openstack-keystone22:00
marekdi will probably have to sit and tcpdump all the traffic and decrypt everything request by request.22:00
*** ChanServ sets mode: +v stevemar22:00
marekdjamielennox: you may try to play/read/understand this: https://github.com/ucldc/js-embedded-discovery to get better view22:01
jamielennoxmarekd: the problem with DS is that i don't think it works the same way in mellon, i want a solution that doesn't require a provider to implement their own discovery page, it works differently for OIDC and others in future, it requires exposing IDPs via protocol in horizon, i don't see how it works for kerberos or like ssl client certs22:02
dstanekstevemar: no specific questions...i just need to read a little more about how it might work using horizon22:02
dstanekmarekd: you're up late?22:02
marekddstanek: midnight or something so i won't be here long.22:02
jamielennoxanyway, i need a coffee, back later22:03
*** stevemar has quit IRC22:03
dstanekmarekd: lbragstad and i were talking websso and this seems wrong...but what i came up with bit.ly/1JaStaY22:03
jamielennoxmarekd: can you have a look at https://review.openstack.org/#/c/188329/ i want to get the reliant one merged22:03
*** dguerri` is now known as dguerri22:03
marekdjamielennox: so propose your spec as exception22:03
dstanekmarekd: then i tried bit.ly/1WgfrRV to show how mod_shib does the redirects and now i have no idea how horizon gets a token22:03
marekdi'm not trying to block anything22:04
jamielennoxmarekd: i don't care if it's exception or next cycle22:04
jamielennoxthis isn't a day job issue, just something i think is wrong22:04
marekdjamielennox: and i don't think this form of discovery service will work for ssl or kerberos.22:04
marekdjamielennox: all right, understood22:04
marekddstanek: sure22:05
dstanekmarekd: we can discuss tomorrow, just looking to see how off base i am22:05
dstanekmarekd: was planning on reading more on websso tonight anyway22:05
*** narengan has quit IRC22:06
*** narengan has joined #openstack-keystone22:06
lbragstaddstanek: marekd I guess we're just trying to come up with a flow that works with what jamielennox proposed and essentially the public cloud case that was brought up on the mailing list22:06
morgan_404gyee: back now.22:07
morgan_404gyee: sorry got distracted with coffee tasting22:07
lbragstador, actually, who does what and when22:07
marekddstanek: so let's discuss this bit.ly/1WgfrRV, ok ?22:10
dstanekmarekd: shore22:11
*** bapalm has quit IRC22:11
marekdit's minor but step 4 is handled by mod_shib, not Keystone SP (which i assume is already real Python code)22:11
*** narengan has quit IRC22:11
dstanekmarekd: s/user/browser/ in the diagram22:11
*** bapalm has joined #openstack-keystone22:11
marekddstanek: it's the same eventually :-)22:11
*** jecarey has quit IRC22:12
dstanekmarekd: actually step 4 should be from mod_shib to user - i musta borked the diagram there22:12
*** r-daneel has quit IRC22:12
marekddstanek: that's what i just said :-)22:12
marekdbut it's minor :-)22:12
marekdnext22:13
marekdnext22:13
marekdthere is a ? between step 7 and 822:13
marekdwhen an unscoped token is returned by server to user22:13
dstanekyeah,7-8 is where i am clueless22:13
marekdso, this is done by keystone, python code.22:13
dstanekactually 7 is correct and then request goes from mod_shib into Python right?22:14
marekdyes, all the mapping magic and stuff22:14
dstanekthen that token goes back to the browser?22:15
marekdsince you are logged in, session is active, the gatekeeper (mod_shib) will eventually let you in, and here is where Keystone code is being touched for the first time.22:15
marekddstanek: no22:15
marekdwe need to transfer token back to dashboard.22:15
*** doug-fish has left #openstack-keystone22:15
*** claudiub has joined #openstack-keystone22:15
dstanekhow would it get there if not sent to the browser so that it could give it to horizon via a form or something?22:16
marekdso what we do is we return a <html> form with a <form> where we actually keep a token and JS load that redirects us to horizon...scary, huh?22:16
marekddstanek: let me link the code22:16
*** bapalm has quit IRC22:16
dstanekmarekd: ok, so it does go back to the browser then22:16
marekddstanek: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L299 and https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html22:17
*** edmondsw has quit IRC22:17
marekddstanek: ok, it goes to browser (everything goes through browser), but as HTTP 30222:17
marekdand browser gets back to dashboard with the token.22:18
lbragstadso step 7 just goes straight to Keystone Service Provider22:18
marekdlbragstad: no22:19
marekdit's saml22:19
marekdso it's shib22:19
marekdkeystone doesn't know anything about any protocol.22:19
lbragstadbut shib does something with the Keystone Service provider to finish getting the unscoped token22:19
marekdstep ? between 7 and 8 goes FROM Keystone Service Provider22:19
dstanekmarekd: so more like bit.ly/1hwrY3n22:19
lbragstadthat looks better22:20
marekdlbragstad: so, it opens a session, and says 'hey client, you are authenticated, you can go in' which means in practice that you start running python code, do the mapping and stuff22:20
lbragstadoh22:20
marekddstanek: yes22:21
dstanekok, i think i have now mastered the federations22:21
marekddstanek: yay22:21
dstanekmarekd: yay, if it were true22:22
marekddstanek: at least your charts look awesome :-022:22
lbragstadbut some of that flow doesn't exist yet22:22
marekdlbragstad: which one?22:22
lbragstads/yet/yet?/22:22
marekdlbragstad: what does not exist is the route /v3/OS-FEDERATION/identity_providers/.... compatible with browsers22:23
dstanekmarekd: websso with idp_id22:23
lbragstadI thought that was based on the fact that jamielennox wanted to implement that path22:23
marekdlbragstad: yes22:23
lbragstadso /v3/OS-FEDERATION/identity_providers/{idp_id}/protocol/{protocol_id}/websso needs to be implemented in Keystone22:24
marekddon't have to be websso suffix22:24
lbragstadand that's the missing piece as far as keystone is concerned (excluding the discovery page)22:24
marekdwe can reuse old existing routes and check http headers22:24
*** bapalm has joined #openstack-keystone22:24
marekdwhether its content-type is application/json (then return pure json as we do with cli today) otherwise return our html form.22:25
dstanekmarekd: that's a really great idea22:25
marekdi hope you are not being sarcastic now :-)22:25
dstanekmarekd: ha, no.22:26
marekdso rackspace is going to be ok to list all federated idps ?22:26
lbragstadmarekd: no, we get around that by having the Coke Customer Dashboard part22:27
marekdlbragstad: neat22:27
lbragstadmarekd: I think dstanek collapsed the Coke Dashboard and Horizon into the same entity in that diagram22:28
marekdthen having multiple sso routes makes sense to me22:28
marekdas i call it 'many two-peer federations'22:28
marekdwhich is probably not very popular :-)22:28
dstanekso really we can just can controllers.Auth.federated_authentication and dispatch based on content type22:29
lbragstadmarekd: so, because the customer (user) is coming from Coke Dashboard, Horizon should know which IdP they belong to22:29
dstaneklbragstad: are you thinking that the coke dashboard would only be the first hit? instead of branding the entire thing?22:30
marekdlbragstad: i think it will rather work "because user hits this particular url" he must want to use Coke IdP.22:30
marekddstanek: pretty much that's all we need to do + all this origin parameter validation22:31
marekddstanek: and similar stuff22:31
lbragstaddstanek: marekd it would be these bits, right? https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L314-L31722:31
marekdlbragstad: without DS that would be configured in Shib : "URL /v3/OS-FEDERATION/idp/COKE/protocols/saml2/auth" -> redirect to coke idp "22:32
dstaneklbragstad: i think this is the existing controller method -> https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L28022:33
lbragstaddstanek: correct,22:33
dstaneklbragstad: we'd do the ssl logic it that's hit the a text/html content type22:33
dstaneklbragstad: so, yes Horizon (or apache rule in front of it) will have to translate openstack.coke.com to /OS-FED.../coke/../SAML/.../blah22:34
marekddstanek: correct22:34
lbragstaddstanek: and the Horizon you're talking about is the Service Provider's Horizon22:34
*** phalmos has quit IRC22:34
marekdcokes horizon22:35
dstanekwhat marekd said22:35
dstanekspecifically whatever listens on openstack.coke.com22:36
marekddstanek: ++22:36
morgan_404dolphm: this is quite interesting: http://smalltownbrewery.com/our-beers/22:36
lbragstadso, the service provider's horizon doesn't get involved until step 10?22:36
morgan_404"not your father's root beer"22:36
marekdlbragstad: there is no rackspace horizon capable of federation :-)22:36
marekdthat's my understanding of your idea22:36
dstanekwhat is the service provider's horizon?22:37
marekddstanek: the one provided by rackspace22:37
marekdi think22:37
marekdopenstack.rackspace.com22:37
lbragstadyeah, that's what I was thinking,22:37
dstanekwhy isn't coke just using openstack.coke.com?22:38
marekdlbragstad: so i think the new idea tailored for you is "instead of providing one webpage where users choose their idps, let's integrate their horizons so they know what idp to choose"22:38
lbragstadok22:38
dstaneklbragstad: i was thinking openstack.coke.com was a CNAME (or something like it) to openstack.rackspace.com22:39
marekdso, when i go to openstack.coke.com (i keep typing code instead of coke, what's wrong with me) everybody will know i am coke's user22:39
dstanekare you thinking it's private cloud dashboard?22:39
lbragstadopenstack.coke.com is a private cloud dashboard, right?22:39
*** gordc has quit IRC22:40
lbragstadand from there you want to federate to some public cloud22:40
marekdso ok, now even i am lost :P22:40
dstanekif openstack.coke.com were their private cloud dashboard they wouldn't need federation to use their own AD/LDAP/whatever22:41
dstanekthat only comes in to play with then using the public dashboard and wanting to use their IdP right?22:41
lbragstadyes, makes sense..22:41
marekddstanek: they may want to use their private dashboard to browse resources of a public cloud (federated with them)22:41
lbragstadsorry i'm lost in the weeds22:42
*** bapalm has quit IRC22:42
dstanekmarekd: wouldn't that be k2k between the clouds?22:42
*** bapalm has joined #openstack-keystone22:42
marekddstanek: dont think so.22:43
dstaneki see this is going in circles - two distinct usecases with the same solution22:43
marekddstanek: does horizon have some static conf regarding other services?22:44
marekdlhcheng: ^^22:44
marekdprobably yes22:44
marekdi am sure it has22:44
marekddstanek: so no, it must be rackspace dashboard for everyone, sorry i errored you, lbragstad22:44
lhchengmarekd: horizon pulls the endpoint of other services from the service catalog22:46
marekdlhcheng: yes, but when i type my user/pas it must know auth_url22:46
marekdbefore i do anything...22:46
lhchengmarekd: ah yes22:46
marekdas at first i am unauthenticated user.22:46
*** bapalm has quit IRC22:47
lhchengmarekd: that is configured in the local_settings.py, you can setup multiple keystone endpoints too22:47
lhchengmarekd: somewhere in : https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L15422:48
marekdlhcheng: wait, so let's say horizon is configured to work with auth_url X and suddenly a token w/ its service catalog has auth_url Y . Will horizon start serving requests to/from that other cloud?22:48
marekdi will start seeing VMs from another cloud?22:49
marekdok i need to log out22:51
lhchengmarekd: yes, it will try to send the request to Y keystone endpoint for the identity operations.22:51
lbragstadmarekd: thanks for the help22:51
marekdi will think about your use case, dstanek/lbragstad22:51
marekdlbragstad: no problemo22:51
marekdgood night!22:51
lbragstadmarekd: later!22:51
dstanekmarekd: night22:51
lhchengmarekd: good night22:52
*** henrynash has quit IRC22:52
openstackgerritMerged openstack/keystoneauth: Import service catalog tests from keystoneclient  https://review.openstack.org/21026622:55
openstackgerritMerged openstack/keystoneauth: Allow searching a catalog on service or endpoint id  https://review.openstack.org/21026722:55
*** jsavak has quit IRC23:01
*** dguerri is now known as dguerri`23:06
*** zzzeek has quit IRC23:12
*** sigmavirus24 is now known as sigmavirus24_awa23:15
*** elmiko has quit IRC23:23
*** marzif has joined #openstack-keystone23:26
*** morgan_404 has quit IRC23:29
*** morganfainberg has joined #openstack-keystone23:31
*** ChanServ sets mode: +v morganfainberg23:31
*** morganfainberg is now known as morgan_40423:32
morgan_404...23:32
*** ChanServ sets mode: +o morgan_40423:37
*** morgan_404 changes topic to "Review code, feature freeze is rapidly approaching."23:38
dstanekmorgan_404: Not Found23:41
*** rm_work is now known as rm_work|away23:46
morgan_404Better than 410 - gone23:47
*** alejandrito has joined #openstack-keystone23:57
*** david-lyle has quit IRC23:58
*** david-lyle has joined #openstack-keystone23:58