Tuesday, 2015-10-06

[00:19] <lhcheng> jamielennox: does KSM do any caching of the service token?
[00:19] <jamielennox> lhcheng: yes and no
[00:19] <lhcheng> jamielennox: we talked about this morning, and wasn't sure about the current state.
[00:20] <jamielennox> lhcheng: per thread the token is maintained for the lifetime of the token so you only authenticate the service user once per timeout period per thread
[00:20] *** geoffarn_ has quit IRC
[00:20] <jamielennox> but there is currently no cross-thread or cross-process caching
[00:21] *** geoffarnold has joined #openstack-keystone
[00:21] <jamielennox> we added a change recently to put a lock in that should allow cross-thread service token sharing
[00:21] <jamielennox> (when g-r catches up)
[00:21] <jamielennox> but it doesn't go to memcache or anything
[00:21] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/230464
[00:22] *** mylu has quit IRC
[00:22] <jamielennox> actually it may take some more time to get per-process caching because of the paste conf options - would need to test that out
[00:23] *** roxanagh_ has quit IRC
[00:23] *** shadower has quit IRC
[00:23] *** mylu has joined #openstack-keystone
[00:23] *** shadower has joined #openstack-keystone
[00:24] <lhcheng> jamielennox: so the caching of per timeout period per thread happens because of the use of Session object ?
[00:24] <jamielennox> it does, but auth_token has always done that
[00:26] <lhcheng> if we don't have cross-thread service token sharing yet, so this patch then is not useful? https://review.openstack.org/#/c/229361/
[00:26] <boris-42> SpamapS: heh so
[00:26] <boris-42> SpamapS: someday we can rename that stuff
[00:26] <lhcheng> jamielennox: ^^
[00:27] <lhcheng> jamielennox: do we still want to backport that?
[00:27] <jamielennox> lhcheng: so that is the change i was referring to that would allow per-process
[00:27] <jamielennox> lhcheng: in this case the target is not auth_token middleware but the nova service user
[00:27] *** mylu has quit IRC
[00:27] <jamielennox> or nova admin user
[00:28] <jamielennox> basically they want to do exactly that, to allow per-process token caching
[00:28] <jamielennox> at the moment they do that but it's got a reauthentication problem
[00:29] <jamielennox> i'm not sure personally on whether we backport that
[00:29] <jamielennox> because the fix that would require it didn't get into nova in liberty
[00:29] <jamielennox> afaik
[00:30] <lhcheng> jamielennox: I see
[00:30] <lhcheng> jamielennox: let's just not backport it then.
[00:30] <jamielennox> i wouldn't mind seeing what dimms wants it for
[00:32] <lhcheng> jamielennox: actually we weren't sure if it was still useful, I saw it was abandoned this morning then asked him why it got abandoned.
[00:32] <lhcheng> told dims I'll follow with you to confirm if we really do want it for backport
[00:32] <lhcheng> *follow-up
[00:32] <jamielennox> i'm not sure what they came up with as a fix on the nova side, i think we abandon the back-port and solve the problem properly in mitake
[00:33] <jamielennox> mitaka
[00:33] <jamielennox> have to get used to typing that
[00:36] <lhcheng> jamielennox: probably the fix didn't make it, and dims forgot about the reason for abandoning that backport.
[00:59] <openstackgerrit> Merged openstack/keystone: Use deepcopy of mapping fixtures in tests https://review.openstack.org/229714
[01:02] <openstackgerrit> Merged openstack/keystoneauth: auto-generate release history https://review.openstack.org/227657
[01:48] <openstackgerrit> Merged openstack/keystone: Ensure token validation works irrespective of padding https://review.openstack.org/221786
[02:06] <jamielennox> stevemar_: can you +A https://review.openstack.org/#/c/230232/ - stable/kilo, has 2 +2
[02:07] *** geoffarn_ has quit IRC
[02:07] <stevemar_> jamielennox: aye aye
[02:33] <openstackgerrit> Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289
[02:41] <stevemar_> jamielennox: thoughts on the latest comments from https://review.openstack.org/#/c/177227/
[02:52] <openstackgerrit> Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289
[03:03] <openstackgerrit> Merged openstack/keystone: Trivial fix of some typos found https://review.openstack.org/231189
[04:30] <stevemar_> lhcheng: around?
[04:30] <lhcheng> stevemar_: hey
[04:31] <stevemar_> lhcheng: in https://review.openstack.org/#/c/222469/4/openstackclient/api/object_store_v1.py you mention escaping stuff
[04:31] <stevemar_> what do you mean?
[04:32] *** browne has quit IRC
[04:32] <stevemar_> lhcheng: unicode characters?
[04:32] *** browne has joined #openstack-keystone
[04:34] <lhcheng> I am wondering if it could be a potential security attack by using this value.
[04:34] <lhcheng> 'X-Object-Meta-%s' % k
[04:34] <lhcheng> k = "test:value;<malicous header/value>;test1"
[04:35] <lhcheng> the answer would depend on how the headers are passed by the create() method
[04:35] *** _hrou_ has quit IRC
[04:36] *** geoffarn_ has joined #openstack-keystone
[04:38] <lhcheng> dunno if swift would be vulnerable to: http://dunnesec.com/category/attacks-defence/http-header-injection/
[04:39] *** btully has joined #openstack-keystone
[04:39] *** jaosorior has joined #openstack-keystone
[04:40] *** su_zhang_ has quit IRC
[04:40] *** geoffarnold has quit IRC
[04:46] <stevemar_> lhcheng: ah okay... i wonder if there's a library that already does that checking
[04:46] *** dims_ has joined #openstack-keystone
[04:47] <lhcheng> looking at the code, it leverages the session object and internally just use the request object
[04:51] <stevemar_> i think i just have to check if \r or \n are present
[04:51] <stevemar_> hmm
[04:51] <stevemar_> open a bug
[04:51] <stevemar_> we can fix it in another patch i think
[04:51] <lhcheng> hmm it is just fine
[04:52] <stevemar_> if you're okay with that
[04:52] <lhcheng> I'm not sure either if there's security issue, the headers are passed to the requests anyway
[04:53] <lhcheng> yeah, that was just a comment. we can look at it if needed.
[04:54] <lhcheng> stevemar_: the -1 is for not escaping the string used in the url
[04:54] <stevemar_> lhcheng: cool cool
[04:54] <stevemar_> new patch coming up anyway
[04:54] <lhcheng> great
[04:55] <stevemar_> lhcheng: do you have an opinion on showing the properties?
[04:55] <stevemar_> should we remove the 'x-metadata-container-%s'?
[04:57] *** geoffarn_ has quit IRC
[04:57] *** geoffarnold has joined #openstack-keystone
[05:00] <lhcheng> thought we just remove "x-container-", similar to what you did for:
[05:00] <lhcheng> 'meta-owner': response.headers.get('x-container-meta-owner', None),
[05:15] <stevemar_> lhcheng: i think i'm going to postpone that one, i think dtroyer will have an opinion on it
[05:16] <lhcheng> stevemar_: sure, we can followup on thurs
[05:16] <stevemar_> lhcheng: oh noes, i forgot about this chain of patches! https://review.openstack.org/#/c/226749/6
[05:18] *** lhcheng_ has joined #openstack-keystone
[05:19] *** topol has quit IRC
[05:19] *** geoffarnold has joined #openstack-keystone
[05:21] *** lhcheng has quit IRC
[05:22] <lhcheng_> stevemar_: oops, there's still one more day
[05:23] <lhcheng_> stevemar_: two more (I thought it is already Tuesday)
[05:23] <lhcheng_> stevemar_: I'll help on moving some of the patches forward, I'll look at some tomorrow
[05:24] *** lhcheng has joined #openstack-keystone
[05:24] *** ChanServ sets mode: +v lhcheng
[05:26] <stevemar_> \o/
[05:26] <stevemar_> lhcheng_: it'll be neat to have some of these extra swift and glance commands in osc for liberty :P
[05:27] *** lhcheng_ has quit IRC
[05:28] <stevemar_> lhcheng_: helping someone use OSC 1.0.3 is so very frustrating
[05:29] <stevemar_> damn packaging policy
[05:29] * lhcheng have to scroll through OSC releases to find 1.0.3 :(
[05:30] <lhcheng> that's ancient?
[05:32] <stevemar_> lhcheng: yep
[05:33] <stevemar_> lhcheng: it's what ubuntu 14.04 has as its latest update http://packages.ubuntu.com/search?keywords=openstackclient&searchon=names&suite=all&section=all
[05:33] <lhcheng> stevemar_: how do we enable the plugins in OSC?
[05:33] <stevemar_> wee 15.05
[05:33] <stevemar_> lhcheng: whatcha mean? which plugins? auth plugins?
[05:33] <lhcheng> stevemar_: I'm interested particularly in ironic plugins: https://github.com/openstack/python-openstackclient/blob/master/doc/source/plugins.rst
[05:34] <stevemar_> lhcheng: pip install the latest version and it'll automatically be detected by osc
[05:34] <lhcheng> whoa!
[05:34] <lhcheng> sweet!
[05:34] <stevemar_> i'll do it now, too
[05:34] <stevemar_> just to test
[05:35] <stevemar_> stevemar@ubuntu:/opt/stack/python-openstackclient$ sudo pip install python-ironicclient
[05:35] <stevemar_> stevemar@ubuntu:/opt/stack/python-openstackclient$ openstack baremetal list
[05:35] <stevemar_> lhcheng: whammo ^
[05:36] <stevemar_> i got a service not found, but that was expected :)
[05:36] <lhcheng> \o/
[05:36] <lhcheng> we haven't started using OSC, but will try to push it more on our next upgrade
[05:37] <lhcheng> the ironic plugin is a great selling point
[05:37] <stevemar_> lhcheng: how so?
[05:38] *** sdake_ has quit IRC
[05:38] <stevemar_> lhcheng: i'm happy to hear that, but i'm just confused as to why it makes a difference for ironic
[05:39] <stevemar_> lhcheng: looks like barbicanclient needs a release
[05:40] <lhcheng> if OSC didn't have ironic plugin, we can't standardize on just using OSC
[05:43] <stevemar_> lhcheng: we == yahoo?
[05:43] <lhcheng> yeah
[05:43] <stevemar_> lhcheng: gotcha!
[05:43] <stevemar_> that took me too long to figure out
[05:44] <lhcheng> sorry, wasn't clear there. I was wearing my ops hat :P
[05:44] <stevemar_> lhcheng: i imagine that ironic support is pretty bleh, but they will probably happily accept patches
[05:44] <stevemar_> hehe
[05:44] <stevemar_> it's all good
[05:46] <lhcheng> stevemar_: not sure if you've already seen this: https://etherpad.openstack.org/p/operator-local-patches
[05:46] <lhcheng> minimal local keystone patches
[05:46] <lhcheng> \o/
[05:47] <stevemar_> i have not seen this
[05:47] <jamielennox> stevemar_: what is this on meeting agenda: For auth plugins in keystoneauth: Separate repo or use setuptools "extras"?
[05:49] <stevemar_> lhcheng: nice, very minimal
[05:49] <stevemar_> jamielennox: thoughts on the latest comments from https://review.openstack.org/#/c/177227/
[05:49] <stevemar_> jamielennox: ^
[05:49] <lhcheng> stevemar_: yeah, that means we're doing things mostly right :P
[05:49] <lhcheng> lol
[05:50] <stevemar_> jamielennox: basically why have separate repos for saml2? because we don't want to have lxml in requirements? well use "extras" in pbr/setuptools
[05:50] <stevemar_> jamielennox: https://bugs.launchpad.net/keystone/+bug/1479962
[05:50] <openstack> Launchpad bug 1479962 in Keystone "Use extras for deployment-specific package requirements" [Low,In progress] - Assigned to Brant Knudson (blk-u)
[05:51] <stevemar_> like ^ but with keystoneauth[saml2]
[05:51] <stevemar_> it sounds sane enough to work!
[05:51] <jamielennox> stevemar_: yea, i'd be fine with [extras]
[05:52] <lhcheng> stevemar_: there's one perf concern on keystone in: https://etherpad.openstack.org/p/openstack-performance-issues sounds related to catalog caching discussion earlier in the day.
[05:52] <jamielennox> it was purely dependencies that caused a problem
[05:52] <stevemar_> jamielennox: damn
[05:52] <stevemar_> so we can remove the entire keystoneauth-saml2 project
[05:52] <jamielennox> it could be confusing because when you do --os-auth-type they will all be there
[05:52] <stevemar_> marekd - i'm sorry :(
[05:52] <stevemar_> hmm
[05:53] <stevemar_> true...
[05:53] <jamielennox> so it's not like with most things where you know ahead of time what features you will use
[05:53] <jamielennox> but if there was some way we could protect against that i would be happy to roll them together
[05:54] <jamielennox> stevemar_: if that's all it is then i don't have to get up for tomorrow's meeting
[05:55] <jamielennox> stevemar_: with federation i shouldn't need to specify a user_id right?
[05:56] <jamielennox> mapping
[05:56] <jamielennox> i thought i specified name and it generated id based on something + idp_id
[05:56] <stevemar_> right
[05:56] <jamielennox> String length exceeded.The length of string 'neutron/openstack.jamielennox.oslab.test%40JAMIELENNOX.OSLAB.TEST' exceeded the limit of column user_id(CHAR(64)).
[05:57] <stevemar_> thats interesting
[05:58] <stevemar_> jamielennox: you're federating things i assume?
[05:58] <jamielennox> yes
[05:58] <jamielennox> mapping http://paste.openstack.org/show/475399/
[05:59] <jamielennox> and i'm not sure why it's doing things with user_id
[06:01] <openstackgerrit> Merged openstack/keystone: Improving domain_id update tests https://review.openstack.org/230042
[06:04] <stevemar_> jamielennox: i would think it sends off an audit request, and potentially shoves the user_id in the token
[06:08] <jamielennox> i don't think this is audit, seems to be SQL related
[06:12] *** Nirupama has joined #openstack-keystone
[06:12] <stevemar_> jamielennox: is it storing the token?
[06:12] <jamielennox> stevemar_: i think that's where the problem is coming from
[06:13] <jamielennox> it's trying to create a tokenmodel
[06:13] <jamielennox> but why is the id that...
[06:14] <stevemar_> jamielennox: looks like it should just be remote_user
[06:14] <stevemar_> is that what remote_user is?
[06:14] <jamielennox> yes, that's remote_user
[06:15] *** topol has joined #openstack-keystone
[06:15] *** ChanServ sets mode: +v topol
[06:16] <jamielennox> stevemar_: but i don't set the remote_user as name, not id
[06:17] <stevemar_> jamielennox: part of the token contract is to have a user ID
[06:17] <stevemar_> so if one is not supplied, we URL encode the name
[06:17] <jamielennox> stevemar_: i thought we generated one
[06:18] <jamielennox> bagh
[06:18] <jamielennox> so i'm pretty much stuffed
[06:19] <stevemar_> jamielennox: https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/mapped.py#L217-L222
[06:19] *** topol has quit IRC
[06:19] <jamielennox> what happened to hash(username) + domain_id
[06:20] <stevemar_> jamielennox: what domain would we use in this case?
[06:20] <stevemar_> maybe idp_id?
[06:20] <jamielennox> sorry, that's what i meant
[06:21] <jamielennox> we were going to create super long user ids that mean you could identify what idp a user came from
[06:21] <stevemar_> jamielennox: the idp is in the token anyway, so having it in the user ID wasn't gaining us much
[06:21] <jamielennox> i think it was for uniqueness
[06:22] <jamielennox> and for like tagging resource ownership
[06:22] *** e0ne has joined #openstack-keystone
[06:22] <jamielennox> was one of henry's ideas, adam was arguing about something
[06:24] *** markvoelker_ has quit IRC
[06:27] <stevemar_> jamielennox: i do not recall :(
[06:27] *** ParsectiX has joined #openstack-keystone
[06:27] <stevemar_> jamielennox: are you doing an experiment now?
[06:28] <jamielennox> yea, playing with it now
[06:28] <jamielennox> looks like it's failing when adding user_id to token model
[06:28] <stevemar_> jamielennox: maybe we need a case where if user ID is greater than 64 then we do something different
[06:28] <stevemar_> is the user_name itself shorter?
[06:28] <jamielennox> that's kind of it
[06:29] <jamielennox> it's kerberos format
[06:29] <jamielennox> service/host@domain
[06:29] <stevemar_> jamielennox: also, you can set the user ID in the mapping
[06:29] <jamielennox> but to what..
[06:29] <stevemar_> jamielennox: ... you could use some dumb value now, as a workaround
[06:30] <stevemar_> i'm just shooting from the hip here
[06:30] *** e0ne has quit IRC
[06:31] <stevemar_> i seem to have broken my osc
[06:31] <jamielennox> oh, that happens
[06:34] <jamielennox> alright - that's annoying, will need to think on that one
[06:34] <jamielennox> i want to make mapping optional
[06:35] <stevemar_> jamielennox: and use what instead?
[06:35] <jamielennox> python
[06:35] <stevemar_> ?
[06:35] *** markvoelker has joined #openstack-keystone
[06:36] <jamielennox> either configure a script directly in httpd so you manipulate the env and then do keystone.token_issue(stuff, that, i, know)
[06:36] <jamielennox> or instead of mapping have an entry point
[06:36] <jamielennox> that returns similar stuff to mapping
[06:36] <jamielennox> but the first one
[06:36] <jamielennox> then i could just do sha256(name)
[06:37] <stevemar_> possible
[06:37] <jamielennox> it's a scheme i've been thinking about, will tell you in tokyo
[06:38] <stevemar_> jamielennox: coolio
[06:38] <stevemar_> bed time for this guy
[06:38] <jamielennox> stevemar_: night
[06:38] <stevemar_> see you in ~12 hrs for the meeting
[06:38] <jamielennox> stevemar_: maybe
[06:38] <stevemar_> of course
[06:38] <jamielennox> not much that i really need to be a part of in agenda
[07:13] <marekd> jamielennox|away: one of the ways for mapping engine v2 is to start embedding Python code as a mapping rules instead of some sort of 'language' we have today.
[07:36] <openstackgerrit> Divya K Konoor proposed openstack/pycadf: Change ceilometer endpoint name from telemetry to metering https://review.openstack.org/231343
[07:55] <openstackgerrit> Marek Denis proposed openstack/keystone: Adds a base class for functional tests https://review.openstack.org/203142
[07:58] <marekd> morgan: impressive that you managed to get an irc handle being just your name...
[08:07] <openstackgerrit> Marek Denis proposed openstack/keystone: Adds a base class for functional tests https://review.openstack.org/203142
[08:08] <openstackgerrit> Marek Denis proposed openstack/keystone: Adds a base class for functional tests https://review.openstack.org/203142
[08:13] <openstackgerrit> Marek Denis proposed openstack/keystone: Federation Identity Provider functional tests https://review.openstack.org/203258
[08:14] <openstackgerrit> Marek Denis proposed openstack/keystone: Federation Identity Provider functional tests https://review.openstack.org/203258
[08:43] <openstackgerrit> henry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152
[08:45] <openstackgerrit> henry-nash proposed openstack/keystone: Rationalize list role assignment routing https://review.openstack.org/220335
[08:45] <openstackgerrit> henry-nash proposed openstack/keystone: Add API route for list role assignments for tree https://review.openstack.org/220452
[09:06] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/231371
[09:08] <openstackgerrit> Marek Denis proposed openstack/keystone: Adds a base class for functional tests https://review.openstack.org/203142
[11:25] <samueldmq> morning
[11:32] <samueldmq> henrynash: ping - looking at list role assignments subtree
[11:32] <samueldmq> henrynash: and have some questions
[11:49] <henrynash> samueldmq: hi
[11:53] *** yottatsa_ has joined #openstack-keystone
[11:53] *** markvoelker has quit IRC
[11:55] <samueldmq> henrynash: hi
[11:55] <samueldmq> henrynash: so ... I am looking at the first patch in the chain, the one for manager changes
[11:56] <henrynash> ok
[11:56] <samueldmq> henrynash: include_subtree is only intended to work for projects, right ?
[11:56] <henrynash> correct
[11:56] <samueldmq> henrynash: so I can't pass a domain_id and request include_subtree
[11:56] *** yottatsa has quit IRC
[11:56] <henrynash> no…but once we make projects act as domains….then you can!
[11:57] <samueldmq> henrynash: ok so once reseller goes in, we will be able to do so
[11:57] <henrynash> yep
[11:57] <samueldmq> interesting .. so it will be able to use it with both domain_id or project_id
[11:58] <henrynash> yes (since in that case domain_id will be a project_id)
[11:58] <samueldmq> ++
[11:58] <samueldmq> henrynash: include_subtree is independent of effective, right?
[11:58] <henrynash> that’s why I did it this way, to make it more generic
[11:58] <henrynash> yes
[12:00] <samueldmq> henrynash: okay makes sense, we will just need to take care in the case we have subdomains, where the role assignments aren't propagated
[12:00] <samueldmq> henrynash: that means, using include_subtree for a domain won't include assignments for a subdomain, even with reseller
[12:00] <samueldmq> henrynash: is that right ? so that we keep the domain isolation
henrynash(sorry, back)12:10
samueldmqhenrynash: np12:10
henrynashsamuledmq: agreed, it should only be possible for “leaf domains”12:11
*** markvoelker has joined #openstack-keystone12:14
samueldmqhenrynash: no, it can be for non-leaf domains, but in that case, it won't include any domain-project or their subprojects12:16
samueldmqhenrynash: only the non-domain project subtrees of the non-leaf domains if that makes sense12:16
*** exploreshaifali has quit IRC12:17
*** richm has joined #openstack-keystone12:17
samueldmqhenrynash: look at this https://etherpad.openstack.org/p/19MqVTBbRZ12:17
henrynashsamueldmq: I’m just not sure of the advantacge (over the confusion) of allowing this on anything than a refular project or a lead domain-project12:17
samueldmqhenrynash: there is just a single rule, domains are isolated, that means that role assignments don't pass the domain borders, neither for reading (list) nor writting (creating inherited assignments)12:19
*** markvoelker has quit IRC12:19
samueldmqhenrynash: does that make sense ? Even though I sold you part of my cloud, I am able to use include_subtree in my domain, so that I can control my own use12:20
henrynashI’m not sure…seems like a recipe for confusion to me12:21
*** richm has quit IRC12:22
*** pnavarro|lunch is now known as pnavarro12:22
*** richm has joined #openstack-keystone12:23
*** geoffarnold has joined #openstack-keystone12:23
henrynashsamueldmq: ah, Ok, sorry, now I get what you are saying12:24
*** geoffarn_ has quit IRC12:24
samueldmqhenrynash: does that make sense now ? :)12:24
henrynash(i thought B and C were domains in your example)12:24
*** hrou has joined #openstack-keystone12:25
samueldmqhenrynash: C is domain, B isn't12:25
samueldmqhenrynash: the idea is, projects under a domain are isolated, it doesn't matter if the domains have some relationship (hierarchical) or not (top level domains)12:27
samueldmqprojects under different domains are isolated*12:27
samueldmqhenrynash: that's exactly how inherited role assignments will behave, they will be expanded for the non-domain subtrees12:28
*** markvoelker has joined #openstack-keystone12:29
henrynashsamueldmq: Ok…I *think* I agree with you :-)12:29
*** roxanagh_ has joined #openstack-keystone12:30
samueldmqhenrynash: cool, hehe12:30
samueldmqhenrynash: I am trying to review as much as I can, I am reviewing that chain right now12:31
samueldmqhenrynash: and will look at reseller later in the week12:31
henrynashgreat12:31
*** roxanagh_ has quit IRC12:34
*** markvoelker has quit IRC12:36
*** ekarlso has quit IRC12:38
*** markvoelker has joined #openstack-keystone12:44
*** geoffarn_ has joined #openstack-keystone12:45
*** geoffarnold has quit IRC12:45
*** edmondsw has joined #openstack-keystone12:45
*** fhubik is now known as fhubik_afk12:46
*** markvoelker has quit IRC12:48
*** ekarlso has joined #openstack-keystone12:56
openstackgerritMerged openstack/pycadf: Change ceilometer endpoint name from telemetry to metering  https://review.openstack.org/23134312:58
*** markvoelker has joined #openstack-keystone12:58
*** markvoelker has quit IRC12:59
*** markvoelker has joined #openstack-keystone12:59
*** markvoelker_ has joined #openstack-keystone13:01
*** fhubik_afk is now known as fhubik13:01
*** markvoelker has quit IRC13:03
*** dsirrine has joined #openstack-keystone13:05
*** yottatsa has joined #openstack-keystone13:05
*** geoffarn_ has quit IRC13:06
*** markvoelker has joined #openstack-keystone13:06
*** geoffarnold has joined #openstack-keystone13:06
openstackgerritMerged openstack/pycadf: No need for Oslo Incubator Sync  https://review.openstack.org/23085113:08
*** sdake has quit IRC13:09
*** markvoelker_ has quit IRC13:10
*** sdake has joined #openstack-keystone13:10
*** fhubik is now known as fhubik_afk13:11
*** EinstCrazy has joined #openstack-keystone13:11
lbragstaddolphm: wondering if https://review.openstack.org/#/c/221799/ can be looked at again since the first patch has merged to master; it's also required to get https://review.openstack.org/#/c/231057/ pass on stable/kilo13:12
*** sdake_ has joined #openstack-keystone13:13
*** sdake has quit IRC13:14
*** EinstCrazy has quit IRC13:14
*** raildo-afk is now known as raildo13:15
*** markvoelker has quit IRC13:17
*** fhubik_afk is now known as fhubik13:17
*** yottatsa has quit IRC13:17
*** markvoelker has joined #openstack-keystone13:17
*** wwwjfy_ has quit IRC13:19
*** yottatsa has joined #openstack-keystone13:19
*** gildub has quit IRC13:21
openstackgerritOlivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain  https://review.openstack.org/21058113:23
*** itlinux_ has joined #openstack-keystone13:24
*** itlinux has quit IRC13:25
*** woodster_ has joined #openstack-keystone13:25
openstackgerritMerged openstack/pycadf: Document and update existing hacking violations  https://review.openstack.org/23025513:25
openstackgerritLance Bragstad proposed openstack/keystone: Expose method list inconsistency in federation api  https://review.openstack.org/22912513:26
*** thiagop has joined #openstack-keystone13:27
*** geoffarnold has quit IRC13:27
*** geoffarnold has joined #openstack-keystone13:27
*** wwwjfy_ has joined #openstack-keystone13:28
*** Nirupama has quit IRC13:28
*** ParsectiX has quit IRC13:29
openstackgerritBrant Knudson proposed openstack/keystone: Documentation for other services  https://review.openstack.org/20480113:31
*** itlinux has joined #openstack-keystone13:36
*** itlinux_ has quit IRC13:36
samueldmqhenrynash: the new code for the assignments logic looks great, doesn't it ? :)13:41
henrynashsamueldmq: which bit?13:42
samueldmqhenrynash: all the code of expansion, effective, etc, as we've refactored13:43
henrynashsamueldmq: so, it works well…and adding the subtree was pretty easy13:44
samueldmqhenrynash: yes, that's what I noticed too13:46
samueldmqehnI am finishing the review, just doing another test :)13:46
*** ParsectiX has joined #openstack-keystone13:46
openstackgerritBrant Knudson proposed openstack/keystone: Enable try_except_pass Bandit test  https://review.openstack.org/22573813:50
openstackgerritBrant Knudson proposed openstack/keystone: Enable subprocess_without_shell_equals_true Bandit test  https://review.openstack.org/22569213:50
openstackgerritBrant Knudson proposed openstack/keystone: Enable hardcoded_bind_all_interfaces Bandit test  https://review.openstack.org/22569013:50
openstackgerritBrant Knudson proposed openstack/keystone: Enable password_config_option_not_marked_secret Bandit test  https://review.openstack.org/22569113:50
*** itlinux has quit IRC13:52
marekddstanek: re https://review.openstack.org/#/c/203142/14/tox.ini i see what you are doing here but to me it still doesn't really work.13:53
marekddstanek: did it for ya?13:53
dstanekmarekd: yes, you don't get your env vars?13:54
marekddstanek: not really, in fact i copied passenv values to [debug] env cause i want to breakpoint13:55
marekdi am http://cdn.pasteraw.com/rl2l05qcgs9qj56xg0e4lt5owgv82f913:55
marekdthis is my env when running tests13:55
dstanekmarekd: and what is in your environment?13:56
marekdin a standard shell ?13:56
dstanekmarekd: yes, that's where those come from13:56
*** ParsectiX has quit IRC13:58
*** henrynash has quit IRC13:58
dstanekmarekd: when i ran 'KSSTEST_PUBLIC_URL=http://xxx tox -e functional' i get failures because it couldn't resolve xxx as a name13:58
*** ParsectiX has joined #openstack-keystone13:58
lbragstadhave we released rc2 yet?13:59
marekdoups, it worked now. I basically rebuild everything again, removed pyc files by hand and executed in new terminal.13:59
marekddstanek: sorry for a hassle.14:00
marekddstanek: anyways, i remember some convos about cleaning data once the tests are executed - tearDown() was a way to do so ?14:01
dstanekmarekd: no hassle :-)14:01
dstanekmarekd: i don't think it will really be feasible to cleanup after these tests14:01
marekddstanek: from the jenkins jobs it doesn't matter, but for me, testing stuff on some devstack beforehand...people will maintain some scripts either way.14:02
marekdi was thinking about switch in the env14:03
openstackgerritMerged openstack/keystone: Filters is_domain=True in v2 get_project_by_name  https://review.openstack.org/22484214:03
marekdby default it's false, but keystone can clean after itself if you want him to do so.14:03
dstanekmarekd: i don't think it's worth the effect. just against a database that you can trash and recreate14:03
marekddstanek: OK14:04
*** ParsectiX has quit IRC14:04
openstackgerritMerged openstack/oslo.policy: Fix coverage configuration and execution  https://review.openstack.org/22996814:04
dstanekconsider a call the /blah that makes records in 4 tables; your tests will have to know about all of the records; if someone changes that to include more records the test is unlikely to get updated because it will still work.14:04
marekdtearDown() is executed after every test ?14:05
*** chao_li has joined #openstack-keystone14:06
marekddstanek: i was rather thinking about something more brutal, at least for CRUD tests - just clean all the entities afterwards (i.e. identity providers, mapping, protocols)14:06
chao_liHi, Just wonder does anyone who has integrated CADF with swift before?14:07
marekddstanek: so nothing like 'remembering on what was added'14:07
dstanekat that point you're just creating a new database anyway14:09
*** sigmavirus24_awa is now known as sigmavirus2414:10
*** ngupta has joined #openstack-keystone14:13
*** Guest28678 is now known as redrobot14:13
*** ayoung has joined #openstack-keystone14:19
*** ChanServ sets mode: +v ayoung14:19
*** Guest83454 is now known as mfisch14:19
*** mfisch is now known as Guest9449014:20
*** tonytan4ever has joined #openstack-keystone14:27
*** stevemar_ has joined #openstack-keystone14:28
*** ChanServ sets mode: +o stevemar_14:28
*** fawadkhaliq has joined #openstack-keystone14:28
*** geoffarnold has quit IRC14:29
*** geoffarnold has joined #openstack-keystone14:30
*** chao_li has quit IRC14:30
*** markvoelker_ has joined #openstack-keystone14:32
*** roxanagh_ has joined #openstack-keystone14:33
*** roxanagh_ has quit IRC14:33
*** roxanagh_ has joined #openstack-keystone14:33
*** yottatsa has quit IRC14:35
*** markvoelker has quit IRC14:36
*** markvoelker_ has quit IRC14:38
*** jaosorior has quit IRC14:39
*** jaosorior has joined #openstack-keystone14:39
stevemar_dun dun dunnnnnnnnnn14:41
stevemar_RC2!!!!!!!!!!!!!!!!14:41
*** yottatsa has joined #openstack-keystone14:41
samueldmqstevemar_: o/14:42
stevemar_samueldmq: /o14:42
openstackgerritBrant Knudson proposed openstack/keystone: Common arguments for fernet payloads assembly  https://review.openstack.org/23016514:42
openstackgerritBrant Knudson proposed openstack/keystone: Normalize fernet payload disassembly  https://review.openstack.org/23018114:42
openstackgerritBrant Knudson proposed openstack/keystone: De-duplicate fernet payload tests  https://review.openstack.org/23019314:42
*** yottatsa has quit IRC14:43
dstanekstevemar_: woot!14:45
*** slberger has joined #openstack-keystone14:46
*** daemontool_ has quit IRC14:49
*** ngupta has quit IRC14:50
openstackgerritMarek Denis proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314214:50
*** pnavarro is now known as pnavarro|afk14:50
*** geoffarnold has quit IRC14:50
*** geoffarnold has joined #openstack-keystone14:51
*** yottatsa has joined #openstack-keystone14:54
*** yottatsa has left #openstack-keystone14:54
*** markvoelker has joined #openstack-keystone14:55
openstackgerritMarek Denis proposed openstack/keystone: Federation Identity Provider functional tests  https://review.openstack.org/20325814:57
*** browne has joined #openstack-keystone14:57
*** phalmos has joined #openstack-keystone14:57
morganstevemar_: nicely done15:00
*** ngupta has joined #openstack-keystone15:02
*** csoukup has joined #openstack-keystone15:03
marekd++15:04
stevemar_\o/15:05
*** david-ly_ is now known as david-lyle15:06
*** itlinux has joined #openstack-keystone15:06
*** zzzeek has joined #openstack-keystone15:07
openstackgerritOlivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain  https://review.openstack.org/21058115:08
*** geoffarnold has quit IRC15:11
*** geoffarnold has joined #openstack-keystone15:12
*** diazjf has joined #openstack-keystone15:12
*** itlinux has quit IRC15:12
*** tonytan4ever has quit IRC15:15
dims_stevemar_: yay!15:15
stevemar_dims_: :)15:15
stevemar_dims_: question for you, whens the next nova meeting15:15
* bknudson can't wait for rc3!15:16
stevemar_bknudson: don't say such bad things15:16
marekdbknudson: you can easily make it - just do some reviews.15:17
*** diazjf has quit IRC15:22
*** sdake_ is now known as sdake15:23
stevemar_marekd: don't encourage him15:24
marekdyes sir15:25
stevemar_hehe15:25
*** wasmum has quit IRC15:25
*** dims_ has quit IRC15:27
*** Daviey_ has quit IRC15:30
*** Daviey has joined #openstack-keystone15:30
*** dims_ has joined #openstack-keystone15:32
*** geoffarnold has quit IRC15:33
*** geoffarnold has joined #openstack-keystone15:34
dolphmlbragstad: SpamapS: more performance improvement potential for token validation https://bugs.launchpad.net/keystone/+bug/150331215:41
openstackLaunchpad bug 1503312 in Keystone "Optimization: Don't rebuild revoke-tree in each validate-token call" [Undecided,New] - Assigned to Sonali (sonali-pitre)15:41
*** links has quit IRC15:42
*** alextricity has joined #openstack-keystone15:44
*** geoffarnold is now known as geoffarnoldX15:45
*** kbringard has joined #openstack-keystone15:47
kbringardhey guys, question about fernet_tokens15:48
kbringardI've run keystone-manage fernet_setup with the user and group who should own my tokens. I see the tokens get created in /etc/keystone/fernet-tokens15:48
*** phalmos has quit IRC15:48
*** jistr_ has joined #openstack-keystone15:48
kbringardkeystone can access them, but every time I try to issue a token it tells me no encryption keys found15:48
*** lsmola_ has joined #openstack-keystone15:48
kbringardand to run setup to bootstrap one15:49
*** aix_ has joined #openstack-keystone15:49
kbringardthis is with Kilo (2015.1.0)15:49
*** jistr has quit IRC15:50
*** fhubik has quit IRC15:50
*** fhubik has joined #openstack-keystone15:50
lbragstadkbringard: so you do have keys in your /etc/keystone/fernet-keys/ directory, right?15:51
kbringardyeppers15:51
kbringardand I verified the keystone user can access them15:51
dstanekkbringard: how did you verify that?15:51
kbringardhttp://paste.openstack.org/show/475490/15:52
*** lsmola has quit IRC15:52
kbringardthe parent dir is 777 because I was fiddling with perms to double make sure15:52
*** aix has quit IRC15:52
*** lsmola_ has quit IRC15:53
*** aix_ has quit IRC15:53
*** jistr_ has quit IRC15:53
lbragstadkbringard: how come key 2 has different permissions than the rest of the keys? manually testing things?15:53
lbragstadkbringard: you didn't happen to change the key_repository config option in between adding the keys and running keystone, did you?15:54
kbringardyea, I'd 777'd the whole dir15:54
kbringardthen did a rotate to see if I needed more keys15:54
kbringardI did not change any config options, no15:54
*** geoffarnoldX has quit IRC15:54
dstanekkbringard: do you have debug logging on?15:54
kbringardI do15:54
kbringardwanna see the paste?15:54
dstaneksure15:55
kbringardkk, one sec15:55
*** geoffarnold has joined #openstack-keystone15:55
kbringardhttp://paste.openstack.org/show/b3jUfrY3nFIrQ8VDHYwn/15:56
kbringardserver and client15:56
*** topol has quit IRC15:56
kbringardand in the [fernet_tokens] sections of the keystone.conf I have:15:57
kbringard # Directory containing Fernet token keys. (string value)15:57
kbringardkey_repository = /etc/keystone/fernet-keys/15:57
kbringardI uncommented it just to make sure there wasn't something missing in the default15:57
lbragstadkbringard: makes sense, that should wokr15:58
lbragstadwork*15:58
kbringardindeed15:58
kbringardhence my confusion15:58
kbringardI'd imagine it should ignore the token persistence driver in this case, so that value in the config shouldn't matter15:59
kbringard(I have nothing set, but it's using sql.Token as the default)15:59
dstanekdefinitely looks like a permissions issue of some sort16:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/23056416:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/23046416:00
kbringardyea, that's what I thought, but I couldn't figure out how16:00
kbringardoh, I wonder if selinux is somehow messing me up16:00
lbragstadkbringard: yeah, it should bypass the persistence stuff16:00
kbringardlet me disable that nonsense16:01
*** phalmos has joined #openstack-keystone16:01
dstanekkbringard: this appears to be where it's failing http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/utils.py#n2816:01
kbringardfunny16:02
kbringardensure the key repository isn't world-readable16:02
kbringardmaybe setting to 777 messed me up16:02
lbragstaddstanek: kbringard here is the diff between master and stable/kilo wrt that file dstanek just linked - http://cdn.pasteraw.com/bxtnndaz7fez6i45z17qm7edg2kux8m16:02
lbragstadI don't think there was any specific "permission" issues backported to stable/kilo that would have an issue with this.16:02
dstanekkbringard: world readable means insecure!16:03
kbringardwell right16:03
lbragstadkbringard: i have an idea16:03
kbringardthis is just a test setup16:03
kbringardand I only changed the perms when it wasn't working16:03
kbringardI changed it all back, same issue16:04
dstanekkbringard: if it's just a test delete it and let keystone recreate with the perms that it expects16:04
kbringardI'm going to disable selinux and see if that helps16:04
*** rudolfvriend has quit IRC16:05
dstanekkbringard: also the manage command should be run by the same user that runs keystone or maybe chown all the things?16:05
*** aix_ has joined #openstack-keystone16:05
*** wasmum has joined #openstack-keystone16:06
*** lsmola_ has joined #openstack-keystone16:06
kbringardkk, I blasted the dir and ran16:06
kbringardkeystone-manage fernet_setup --keystone-user keystone --keystone-group keystone16:06
kbringarddrwx------.  2 keystone keystone  4096 Oct  6 16:05 fernet-keys16:06
lbragstadthat looks ok16:06
kbringardyea, and it recreated the keys16:06
kbringardbut still same error16:06
*** jistr_ has joined #openstack-keystone16:06
dstanekkbringard: are you running apache or keystone-all?16:06
kbringardtrying to issue a token16:06
lbragstadodyssey4me: what permissions does OSA use for the fernet key repository again?16:06
kbringardkeystone-all16:06
kbringarddidn't want to add complication before I had it working16:07
dstanekhmm...running as keystone i assume16:07
odyssey4melbragstad as I recall, it's 2750 - lemme look it up quickly16:07
*** e0ne has quit IRC16:08
kbringardyea, running as keystone16:08
lbragstadkbringard: you could give that a shot, that is what OpenStack Ansible deploys with16:08
*** topol has joined #openstack-keystone16:08
*** ChanServ sets mode: +v topol16:08
lbragstadodyssey4me: perfect, thank you. I always lose those bits :)16:08
kbringardkk, let me try one sec16:08
odyssey4melbragstad https://github.com/openstack/openstack-ansible/blob/master/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml#L7316:08
kbringardeverything in there, or just the dir?16:08
lbragstadodyssey4me: pre_install.yml!16:08
lbragstadkbringard: do it on the directory and everything below16:09
kbringardkk, I just rm'd everything in the dir, fixed the perms, then did fernet_setup again16:09
lbragstadkbringard: ok16:10
kbringardsame error :-/16:10
marekddstanek: AFAIK setUp() is executed every time *before* the actual test is executed. Can we use __init__ as a counterpart for class-wise setUp()? I am ok creating the user once per class16:11
marekdclass object16:11
dstanekkbringard: i would debug by opening interactive python and checking the access16:11
dstanekmarekd: https://docs.python.org/2/library/unittest.html#setupclass-and-teardownclass16:12
*** gyee has joined #openstack-keystone16:12
*** ChanServ sets mode: +v gyee16:12
lbragstadkbringard: yeah, and you're running keystone-all from the keystone user, right?16:12
kbringarddstanek, lbragstad, it's selinux16:13
kbringard:-/16:13
kbringardI set it to permissive and suddenly it works16:13
kbringard:smh16:13
lbragstadhmmm16:13
dstanekodyssey4me: why the setgid bit?16:13
marekddstanek: ok16:13
kbringardthis was on a fresh install of RHEL7, so I need to dig into why it's hating on that dir16:14
*** nicodemos has joined #openstack-keystone16:14
lbragstadkbringard: interesting16:14
odyssey4medstanek dunno, maybe cloudnull can answer - lemme get him in here16:14
kbringardI had a similar issue with bind, where it didn't like the default zones dir16:14
dstanekodyssey4me: i wouldn't think we are executing scripts out of there16:14
*** cloudnull has joined #openstack-keystone16:14
cloudnullo/16:14
dstanekcloudnull: : why the setgid bit on the fernet dir?16:15
kbringardthanks for the help, I'll sort out why this is broken and either open a BZ with redhat or maybe submit a doc update16:15
odyssey4mecloudnull fyi -  https://github.com/openstack/openstack-ansible/blob/master/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml#L7316:15
dstanekcloudnull: : i wouldn't think we are executing scripts out of there16:15
SpamapSdolphm: oh yeah very interesting.16:15
SpamapSdolphm: I don't see a patch associated with bug #150331216:15
openstackbug 1503312 in Keystone "Optimization: Don't rebuild revoke-tree in each validate-token call" [Medium,Triaged] https://launchpad.net/bugs/1503312 - Assigned to Sonali (sonali-pitre)16:15
lbragstadkbringard: that would be perfect, if we can update docs that would be awesome. let us know if there is anything else you need16:15
odyssey4medstanek that may just have been based on something we saw in an environment, rather than an intentional specific for a reason - if it's not needed then it's an easy patch :)16:16
*** geoffarnold has quit IRC16:16
openstackgerritMarek Denis proposed openstack/keystone: Functional tests for federation mapping CRUD  https://review.openstack.org/23157416:16
*** geoffarnold has joined #openstack-keystone16:16
kbringardlbragstad: will do, thanks again16:16
dstanekselinux ftw again!16:16
openstackgerritMarek Denis proposed openstack/keystone: Functional tests for federation mapping CRUD  https://review.openstack.org/23157416:16
cloudnulldstanek: we're setting the bit so that the directory is group / user owned by keystone and that the group does not change.16:17
*** topol has quit IRC16:17
lbragstadkbringard: np16:17
cloudnullthe rotate script is in /opt16:17
cloudnulland forces a user change to keystone16:17
*** Guest94490 is now known as mfisch16:17
cloudnullthe general idea is to make sure that if anything ever happens in a rotate that keystone is still able to read the files.16:18
*** mfisch is now known as Guest6262516:18
cloudnullthis is the rotate script https://github.com/openstack/openstack-ansible/blob/master/playbooks/roles/os_keystone/templates/keystone-fernet-rotate.sh.j216:18
cloudnulldstanek:  why is there something up with that ?  should we change it ?16:19
dstanekcloudnull: no, i've never seen setgid used like that before.16:19
cloudnullwe're using it simply as a way to enforce ownership which should help protect the system from its users .16:21
cloudnull:)16:21
dstanekcloudnull: i'm assuming this is because the user running the scripts could be a different user16:21
cloudnullit could be16:21
dstanekcloudnull: thx16:22
*** links has joined #openstack-keystone16:23
cloudnullanytime16:23
*** jistr_ has quit IRC16:23
dstanek1.install Fedora; 2. install LXC; 3. expect it to work; 4. nope. must google to find the right blog posts16:28
kbringarddstanek: so I created a custom policy to allow it and now it works with selinux set to enforcing16:31
kbringardI'm going to open a case with redhat to get this added… I don't think we should have to do anything on the OS side to work around selinux16:31
dstanekkbringard: i'm just getting used to selinux and i now love the audit2policy thing16:32
*** jbell8 has joined #openstack-keystone16:32
kbringardyea, that's exactly how I did it16:32
kbringardalthough I did audit2allow16:32
*** _cjones_ has joined #openstack-keystone16:33
kbringardhttp://paste.openstack.org/show/475496/16:35
kbringarddstanek: ^^16:37
*** geoffarnold has quit IRC16:37
*** dims_ has quit IRC16:37
*** geoffarnold has joined #openstack-keystone16:38
dstanekkbringard: will that work when you start running under apache?16:39
bknudsonwe should have audit2policy for keystone policy.json16:39
kbringardunsure, I've not tested that yet16:40
*** dims_ has joined #openstack-keystone16:41
*** dims_ has quit IRC16:41
*** dims_ has joined #openstack-keystone16:42
*** fhubik has quit IRC16:42
*** dims__ has joined #openstack-keystone16:44
*** btully has joined #openstack-keystone16:44
dstanekbknudson: that would be pretty neat16:44
*** dims_ has quit IRC16:45
*** lhcheng_ has joined #openstack-keystone16:47
*** jaosorior has quit IRC16:51
*** jaosorior has joined #openstack-keystone16:52
*** dikonoor has quit IRC16:53
stevemar_bknudson: audit2policy?16:54
*** geoffarnold has quit IRC16:58
*** geoffarnold has joined #openstack-keystone16:59
*** mylu has joined #openstack-keystone17:00
*** sdake has quit IRC17:03
*** gyee has quit IRC17:05
*** sdake has joined #openstack-keystone17:05
*** tonytan4ever has joined #openstack-keystone17:06
*** itlinux has joined #openstack-keystone17:06
dstanekstevemar_: when selinux blocks something it writes to an audit log; then there's tools that can take a log entry and write a policy around allowing that action17:08
*** browne has quit IRC17:11
*** phalmos has quit IRC17:16
*** e0ne has joined #openstack-keystone17:16
*** aix_ has quit IRC17:17
openstackgerritMerged openstack/keystoneauth: Make RST section delineation length match title  https://review.openstack.org/23109617:20
*** geoffarn_ has joined #openstack-keystone17:20
*** david-ly_ has joined #openstack-keystone17:21
*** david-lyle has quit IRC17:21
*** david-ly_ is now known as david-lyle17:22
*** geoffarnold has quit IRC17:24
*** harlowja has quit IRC17:25
*** raildo is now known as raildo-afk17:26
*** topol has joined #openstack-keystone17:28
*** ChanServ sets mode: +v topol17:28
*** Ephur has joined #openstack-keystone17:28
*** dims_ has joined #openstack-keystone17:29
*** dims__ has quit IRC17:32
*** harlowja has joined #openstack-keystone17:35
ayoungDamnit Henrynash where are you?!?!17:37
*** mylu has quit IRC17:38
*** su_zhang has joined #openstack-keystone17:40
*** geoffarn_ has quit IRC17:41
*** geoffarnold has joined #openstack-keystone17:41
*** fawadkhaliq has quit IRC17:42
stevemar_ayoung: he's not online on our messaging system either17:42
stevemar_probably eating tea and crumpets17:42
*** fawadkhaliq has joined #openstack-keystone17:43
ayoungstevemar_, at this time of night I'm guessing he's not drinking caffeine17:43
*** raildo-afk is now known as raildo17:43
stevemar_ayoung: a pint at the pub instead?17:45
ayoungstevemar_, I sure hope so, although as I recall he was more a Red Wine drinker17:45
stevemar_i think you're right17:46
ayoungstevemar_, I'm reading his Virtual Roles  spec.  I think it can be mostly implemented with my implied roles spec;  mine is a subset of the behavior he describes17:47
ayoungI want to hash that out so we can get the specs approved at the summit, and actually make progress next cycle.  This is big17:48
openstackgerritBrant Knudson proposed openstack/keystone: Update test modules passing on py34  https://review.openstack.org/23163517:48
*** mylu has joined #openstack-keystone17:49
*** mylu has quit IRC17:49
*** exploreshaifali has joined #openstack-keystone17:50
*** pnavarro|afk has quit IRC17:52
*** dims_ has quit IRC17:53
bknudsonpy34 fails on keystone.tests.unit.token.test_fernet_provider.TestPayloads.test_time_string_to_int_conversions with '2015-10-06T17:52:21.729385Z' != '2015-10-06T17:52:21.729384Z'17:53
bknudsonhow odd is that17:53
bknudsonI thought we decided that fernet didn't use subsecond precision anyways.17:53
stevemar_0.000001s off17:53
*** browne has joined #openstack-keystone17:55
morganThat is an amazing resolution miscalculation17:56
bknudsonprobably due to heisenberg uncertainty principle.17:57
*** su_zhang_ has joined #openstack-keystone17:58
*** henrynash has joined #openstack-keystone18:01
*** ChanServ sets mode: +v henrynash18:01
*** dims_ has joined #openstack-keystone18:01
*** samleon_ has joined #openstack-keystone18:02
*** su_zhang has quit IRC18:02
*** geoffarnold has quit IRC18:02
*** geoffarnold has joined #openstack-keystone18:03
*** timcline has joined #openstack-keystone18:04
*** samleon_ has quit IRC18:04
*** dims_ has quit IRC18:05
*** dims_ has joined #openstack-keystone18:06
*** timcline has quit IRC18:07
*** timcline has joined #openstack-keystone18:07
*** su_zhang_ has quit IRC18:09
*** su_zhang has joined #openstack-keystone18:10
*** itlinux has quit IRC18:10
*** diazjf has joined #openstack-keystone18:11
*** links has quit IRC18:13
*** itlinux has joined #openstack-keystone18:15
*** gyee has joined #openstack-keystone18:16
*** ChanServ sets mode: +v gyee18:16
samueldmqhenrynash: I actually wonder if it wouldn't be clearer if we had: list_role_assignments?tree=<root_project_id>, instead of having to define project_id=<project_id>&include_subtree18:19
samueldmqhenrynash: I know the bp has been approved already .. I am just sharing to make sure we have thought about this possibility too18:20
henrynashsamueldmq: so we could do it that way, it just seemed logical to add it as a qualifier to the current single project version...18:21
dolphmayoung: we could put something in the release notes about PKI "pending deprecation in the next release" ? that's something i'd want to communicate as early as possible18:24
*** geoffarn_ has joined #openstack-keystone18:24
*** ayoung_ has joined #openstack-keystone18:24
*** geoffarnold has quit IRC18:25
samueldmqdolphm: ++18:28
lbragstaddolphm: ++18:29
samueldmqhenrynash: I am not against that .. have you thought about that and you have opted for the current implementation ?18:31
morgandolphm: if fernet is the default in devstack I think it would be fair to say "PKI tokens are being evaluated for deprecation in favor of fernet in the next release"18:33
dolphmwe're still a few patches away from that being possible, though18:34
dolphm(fernet being the default in devstack)18:34
henrynashsamueldmq: my gut feel was for the one I suggested, and I think it still is18:34
morgandolphm: exactly18:35
morganI would hold off on adding that verbiage until we are confident fernet is the default18:35
*** geoffarn_ is now known as geoffarnold18:37
*** su_zhang has quit IRC18:38
*** topol has quit IRC18:40
*** su_zhang has joined #openstack-keystone18:41
*** diazjf has left #openstack-keystone18:42
*** geoffarnold has quit IRC18:45
*** geoffarnold has joined #openstack-keystone18:45
*** itlinux has quit IRC18:46
*** itlinux has joined #openstack-keystone18:46
*** itlinux has quit IRC18:46
*** _cjones_ has quit IRC18:51
*** _cjones_ has joined #openstack-keystone18:52
*** su_zhang has quit IRC18:52
*** topol has joined #openstack-keystone18:55
*** ChanServ sets mode: +v topol18:55
*** fawadkhaliq has quit IRC18:57
*** fawadkhaliq has joined #openstack-keystone18:58
ayoung_thanks guys.  more optimistic than I have been in a while about this18:59
*** jaosorior has quit IRC19:00
*** jaosorior has joined #openstack-keystone19:01
dstanekconsider ayoung_ ... pacified19:01
henrynashayoung_: I still worry about complexity, we need to work together to make sure it’s as obvious to use as possible;19:01
gyeewho's ready for some fugu?!!!19:01
dstanekgyee: pass19:01
*** nicodemos has quit IRC19:02
bknudsongyee is really into the fugu19:02
gyeeeither that or bungee jumping19:02
bknudsongyee might be trying to poison us.19:02
gyeehah19:03
dstanekjust watched a video on fugu. not sure i want to eat a poisonous fish19:03
*** nicodemos has joined #openstack-keystone19:04
morganI wont be eating it. shrug. Not my idea of exciting. /me goes to get adrenaline rush riding downhill on a bicycle19:04
dstaneki like being shot out of a cannon19:05
*** csd has quit IRC19:06
*** csd has joined #openstack-keystone19:07
bknudsonI just submit a change to keystone.19:08
morganbknudson: your definition of exciting is wildly different than mine :P19:09
stevemar_morgan: depends on how much the patch changes19:12
*** nicodemos has quit IRC19:13
*** amakarov is now known as amakarov_away19:14
openstackgerritCorey Bryant proposed openstack/python-keystoneclient: Iterate over copy of session.adapters keys in Python2/3  https://review.openstack.org/23166719:17
*** nicodemos has joined #openstack-keystone19:18
*** e0ne has quit IRC19:23
*** henrynash has quit IRC19:24
*** chao_li has joined #openstack-keystone19:30
*** e0ne has joined #openstack-keystone19:32
ayoung_dstanek, is your approach using URI records like this: https://tools.ietf.org/html/rfc7553#page-419:34
dstanekayoung_: yes19:35
dstaneki wanted to have something tangible to show for the summit19:35
*** ayoung has quit IRC19:36
*** ayoung_ is now known as ayoung19:37
*** exploreshaifali has quit IRC19:40
*** timcline_ has joined #openstack-keystone19:42
*** timcline has quit IRC19:45
*** geoffarnold has quit IRC19:48
*** geoffarnold has joined #openstack-keystone19:48
*** timcline_ has quit IRC19:49
*** timcline has joined #openstack-keystone19:49
*** roxanagh_ has quit IRC19:50
*** fawadkhaliq has quit IRC19:53
*** fawadkhaliq has joined #openstack-keystone19:54
bknudsonwhy is token_formatters using six when it doesn't even have python3 test support.19:56
*** chao_li has quit IRC19:57
*** timcline_ has joined #openstack-keystone19:57
*** nicodemos has quit IRC19:58
*** timcline has quit IRC20:01
*** mylu has joined #openstack-keystone20:02
*** ayoung has quit IRC20:06
*** geoffarnold is now known as geoffarnoldX20:07
*** su_zhang has joined #openstack-keystone20:08
*** su_zhang has quit IRC20:08
*** su_zhang has joined #openstack-keystone20:08
*** geoffarnoldX has quit IRC20:09
*** geoffarnold has joined #openstack-keystone20:10
*** akanksha_ has joined #openstack-keystone20:14
*** timcline_ has quit IRC20:16
*** timcline has joined #openstack-keystone20:17
*** mylu has quit IRC20:18
*** ayoung has joined #openstack-keystone20:21
*** ChanServ sets mode: +v ayoung20:21
*** pnavarro|afk has joined #openstack-keystone20:26
*** njohnston has joined #openstack-keystone20:27
*** sdake has quit IRC20:27
*** sdake has joined #openstack-keystone20:28
*** fawadkhaliq has quit IRC20:29
*** hrou has quit IRC20:35
*** mtaylor has joined #openstack-keystone20:38
*** wolsen has quit IRC20:39
*** Nakato has quit IRC20:39
*** wolsen has joined #openstack-keystone20:40
*** Nakato has joined #openstack-keystone20:40
*** mordred has quit IRC20:42
*** mtaylor is now known as mordred20:42
*** Ephur has quit IRC20:43
*** lhcheng_ has quit IRC20:43
*** wwwjfy_ has quit IRC20:43
*** richm has quit IRC20:43
*** mjb has quit IRC20:43
*** jamielennox has quit IRC20:43
*** flwang has quit IRC20:43
*** zigo has quit IRC20:43
*** amit213 has quit IRC20:43
*** tonyb has quit IRC20:43
*** krotscheck has quit IRC20:43
*** rharwood has quit IRC20:43
*** gus has quit IRC20:43
*** sigmavirus24 has quit IRC20:43
*** eglute has quit IRC20:43
*** d34dh0r53 has quit IRC20:43
*** cloudnull has quit IRC20:43
*** serverascode has quit IRC20:43
*** jraim has quit IRC20:43
*** dolphm has quit IRC20:43
*** lbragstad has quit IRC20:43
*** comstud has quit IRC20:43
*** jacorob has quit IRC20:43
*** hockeynut has quit IRC20:43
*** Guest68187 has quit IRC20:43
*** pkarikh has quit IRC20:43
*** dtroyer has quit IRC20:43
*** sudorandom has quit IRC20:43
*** mgagne has quit IRC20:43
*** breton has quit IRC20:43
*** phalmos has joined #openstack-keystone20:46
*** Ephur has joined #openstack-keystone20:46
*** lhcheng_ has joined #openstack-keystone20:46
*** cloudnull has joined #openstack-keystone20:46
*** wwwjfy_ has joined #openstack-keystone20:46
*** richm has joined #openstack-keystone20:46
*** mjb has joined #openstack-keystone20:46
*** jamielennox has joined #openstack-keystone20:46
*** flwang has joined #openstack-keystone20:46
*** zigo has joined #openstack-keystone20:46
*** amit213 has joined #openstack-keystone20:46
*** tonyb has joined #openstack-keystone20:46
*** krotscheck has joined #openstack-keystone20:46
*** rharwood has joined #openstack-keystone20:46
*** gus has joined #openstack-keystone20:46
*** sigmavirus24 has joined #openstack-keystone20:46
*** eglute has joined #openstack-keystone20:46
*** d34dh0r53 has joined #openstack-keystone20:46
*** serverascode has joined #openstack-keystone20:46
*** jraim has joined #openstack-keystone20:46
*** dolphm has joined #openstack-keystone20:46
*** lbragstad has joined #openstack-keystone20:46
*** comstud has joined #openstack-keystone20:46
*** jacorob has joined #openstack-keystone20:46
*** hockeynut has joined #openstack-keystone20:46
*** Guest68187 has joined #openstack-keystone20:46
*** pkarikh has joined #openstack-keystone20:46
*** dtroyer has joined #openstack-keystone20:46
*** mgagne has joined #openstack-keystone20:46
*** sudorandom has joined #openstack-keystone20:46
*** breton has joined #openstack-keystone20:46
*** cameron.freenode.net sets mode: +vo jamielennox dolphm20:46
*** serverascode has quit IRC20:46
*** pnavarro|afk has quit IRC20:47
openstackgerritEric Brown proposed openstack/keystone: Handle 16-char non-uuid user IDs in payload  https://review.openstack.org/22612120:47
*** gildub has joined #openstack-keystone20:48
*** fawadkhaliq has joined #openstack-keystone20:48
*** trey has quit IRC20:48
njohnstonHi!  I am trying to experiment with Keystone, using Devstack.  When I am in Devstack and I would like to restart Keystone so I can update its configuration (/etc/keystone/keystone.conf), what is the proper method to accomplish that?20:50
bknudsonnjohnston: restart apache20:50
*** trey has joined #openstack-keystone20:51
njohnstonThanks!20:51
*** geoffarnold has quit IRC20:52
*** morgan has quit IRC20:52
*** morgan has joined #openstack-keystone20:52
*** ChanServ sets mode: +v morgan20:52
*** geoffarnold has joined #openstack-keystone20:52
*** sdake has quit IRC20:53
*** serverascode has joined #openstack-keystone20:58
*** sdake has joined #openstack-keystone20:58
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet key writing for python 3  https://review.openstack.org/23171020:59
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3  https://review.openstack.org/23171120:59
*** pnavarro|afk has joined #openstack-keystone21:00
*** topol_ has joined #openstack-keystone21:00
*** ChanServ sets mode: +v topol_21:00
*** gyee has quit IRC21:01
*** topol has quit IRC21:02
*** phalmos has quit IRC21:02
*** fawadkhaliq has quit IRC21:07
*** fawadkhaliq has joined #openstack-keystone21:08
*** raildo is now known as raildo-afk21:09
*** geoffarnold has quit IRC21:13
*** geoffarnold has joined #openstack-keystone21:14
*** edmondsw has quit IRC21:14
*** fawadk has joined #openstack-keystone21:18
*** fawadkhaliq has quit IRC21:22
*** e0ne has quit IRC21:24
ayoungmarekd, stevemar_ bknudson, do you know if the Federation code uses the id_mapping backend?  Is there something special we need to do to tell Federation to map the IDs?21:25
stevemar_ayoung: it does not use the id_mapping backend, AFAIK that is only used by the multi domain stuff21:26
stevemar_map the user ID the same way you map the user Name in the mapping21:26
bknudsonayoung: what would it use it for?21:26
dstaneki love watching the x-project meeting; gives me time to unwind and nap :-)21:27
ayoungbknudson, if we had two protocols that needed to map to existing users, and one was a preexisting database...21:27
openstackgerritTom Cocozzello proposed openstack/keystone: Fix direct paths inside filter_factory  https://review.openstack.org/23172221:28
*** hrou has joined #openstack-keystone21:33
*** pnavarro|afk has quit IRC21:34
*** geoffarnold has quit IRC21:35
*** geoffarnold has joined #openstack-keystone21:35
*** su_zhang has quit IRC21:36
*** henrynash has joined #openstack-keystone21:40
*** ChanServ sets mode: +v henrynash21:40
*** ayoung has quit IRC21:43
*** jbell8 has quit IRC21:43
*** topol_ has quit IRC21:44
*** gyee has joined #openstack-keystone21:45
*** ChanServ sets mode: +v gyee21:45
*** harlowja has quit IRC21:46
bknudsonlooks like the py3 time format issue might have to do with rounding21:46
bknudsonbecause I saw it pass once21:46
*** topol has joined #openstack-keystone21:46
*** ChanServ sets mode: +v topol21:46
bknudsonthe fernet code all says it's converting time strings to ints but they're actually floats.21:47
bknudsonare they really supposed to be ints?21:48
dolphmbknudson: are they calling float() ?21:48
dolphmbknudson: floats would preserve the subsecond precision of the expiration date's timestamp, and we have tests for that, so the method names would be wrong21:49
*** samleon has quit IRC21:49
bknudsonnot really, maybe it's just the way it's getting called in the tests.21:49
dolphmunless it actually is an int and it's multiplying those floats by 100000 to preserve accuracy lol21:50
bknudsonI bet it would return an int if the timestamp passed in was only accurate to the second, but the test is doing utils.isotime(subsecond=True)21:50
dolphmnope, definitely a float: 1442487859.843989 came out of a real token21:50
dolphmbknudson: scroll down to the last example of the raw fernet payload, and scroll over to the right -- http://dolphm.com/inside-openstack-keystone-fernet-token-payloads/21:51
*** topol has quit IRC21:51
dolphmbknudson: second to last field is the expiration21:51
bknudsonthe blog also has "2015-09-17T11:04:19.843989Z"21:52
bknudsonwhat I'm looking at is http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/token_formatters.py#n32521:55
bknudson_convert_time_string_to_int and _convert_int_to_time_string(cls, time_int):21:55
bknudsonwhich this is really working with floats21:55
*** stevemar_ has quit IRC21:55
*** stevemar_ has joined #openstack-keystone21:56
*** ChanServ sets mode: +o stevemar_21:56
*** harlowja has joined #openstack-keystone21:57
bknudsonhere's one test that's using subsecond precision: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/token/test_fernet_provider.py#n13021:57
bknudsontest_time_string_to_int_conversions21:57
dolphmbknudson: needs a rename! :(21:58
*** stevemar_ has quit IRC21:58
dolphmlbragstad: ^21:58
bknudsondolphm: unless it's really supposed to be int? I thought fernet only supported second precision21:59
*** richm has quit IRC21:59
bknudsonI also thought that expiration time wasn't in the token data21:59
dolphmbknudson: for the creation date, yes, because we're handicapped by the spec21:59
*** gordc has quit IRC22:00
dolphmbknudson: and although fernet also supports a TTL, it's from a client config perspective, not something that's encoded into the token, and so morgan wanted it encoded into the token separately. so we added a floaty int to the payload.22:00
dolphmbknudson: there was no expiration encoded into fernet until pretty late in the game22:01
*** fawadk has quit IRC22:01
*** kbringard has quit IRC22:02
*** tonytan4ever has quit IRC22:03
bknudsonok, I'll update the names22:03
bknudsonless confusing22:03
bknudsonthen I also have to figure out what's going on with py3 and the odd timestamp differences.22:04
bknudson(or how to work around it)22:05
*** stevemar_ has joined #openstack-keystone22:07
*** ChanServ sets mode: +o stevemar_22:07
*** boris-42 has quit IRC22:09
*** henrynash has quit IRC22:13
*** geoffarnold has quit IRC22:17
*** geoffarn_ has joined #openstack-keystone22:18
*** su_zhang has joined #openstack-keystone22:25
*** mylu has joined #openstack-keystone22:25
*** csoukup has quit IRC22:26
*** timcline has quit IRC22:27
*** ngupta has quit IRC22:31
*** su_zhang has quit IRC22:34
*** geoffarn_ is now known as geoffarnoldX22:37
*** Ephur has quit IRC22:38
*** geoffarnoldX has quit IRC22:38
*** geoffarnold has joined #openstack-keystone22:39
*** stevemar_ has quit IRC22:43
*** stevemar_ has joined #openstack-keystone22:43
*** ChanServ sets mode: +o stevemar_22:43
*** stevemar_ has quit IRC22:46
*** mylu has quit IRC22:47
*** mylu has joined #openstack-keystone22:48
*** boris-42 has joined #openstack-keystone22:53
openstackgerritHaneef Ali proposed openstack/python-keystoneclient: Remove hardcoded endpoint filter for update password  https://review.openstack.org/23174922:56
*** geoffarnold has quit IRC23:00
*** geoffarnold has joined #openstack-keystone23:00
*** chlong has quit IRC23:06
*** su_zhang has joined #openstack-keystone23:07
*** sigmavirus24 is now known as sigmavirus24_awa23:16
*** geoffarnold has quit IRC23:21
*** geoffarnold has joined #openstack-keystone23:21
*** roxanagh_ has joined #openstack-keystone23:24
notmynamebknudson: in the meeting today you were talking about how the tenant_id is in the token from keystone23:28
notmynameis that true for UUID tokens? PKI tokens? fernet tokens?23:28
notmynamethis is in relation to the cross-project tenant_id-ectomy spec23:31
*** agireud has quit IRC23:32
*** uiyice has joined #openstack-keystone23:33
*** dsirrine has quit IRC23:35
*** uiyice has quit IRC23:40
*** uiyice has joined #openstack-keystone23:40
*** sdake_ has joined #openstack-keystone23:41
*** sdake has quit IRC23:43
*** geoffarn_ has joined #openstack-keystone23:43
*** geoffarnold has quit IRC23:46
*** roxanagh_ has quit IRC23:48
*** stevemar_ has joined #openstack-keystone23:50
*** ChanServ sets mode: +o stevemar_23:50
*** darrenc is now known as darrenc_afk23:51
*** dsirrine has joined #openstack-keystone23:52
*** sdake_ has quit IRC23:52
*** slberger has left #openstack-keystone23:53
*** mylu has quit IRC23:55
*** mestery has quit IRC23:56
*** mestery has joined #openstack-keystone23:56
