Wednesday, 2015-10-21

*** stevemar_ has joined #openstack-keystone00:00
*** ChanServ sets mode: +o stevemar_00:00
*** jasonsb has joined #openstack-keystone00:02
*** stevemar_ has quit IRC00:04
*** shaleh has quit IRC00:09
*** krotscheck has quit IRC00:11
*** EinstCrazy has quit IRC00:13
*** EinstCrazy has joined #openstack-keystone00:13
*** breton has joined #openstack-keystone00:14
*** EinstCrazy has quit IRC00:18
*** breton has quit IRC00:19
*** krotscheck has joined #openstack-keystone00:19
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** NM has joined #openstack-keystone00:26
*** pumaranikar has joined #openstack-keystone00:30
*** NM has quit IRC00:34
*** pumaranikar has quit IRC00:35
*** topol has joined #openstack-keystone00:36
*** ChanServ sets mode: +v topol00:36
*** breton has joined #openstack-keystone00:44
*** breton has quit IRC00:48
*** EinstCrazy has joined #openstack-keystone00:55
<openstackgerrit> Merged openstack/keystone: Explain default domain in docs for other services https://review.openstack.org/232098 [00:58]
*** boris-42 has quit IRC00:58
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/236807 [01:01]
*** markvoelker has joined #openstack-keystone01:02
*** jasonsb has quit IRC01:03
*** pumaranikar has joined #openstack-keystone01:04
*** breton has joined #openstack-keystone01:08
*** tsymanczyk has quit IRC01:09
*** tsymancz2k has quit IRC01:09
*** breton has quit IRC01:13
*** richm has quit IRC01:13
*** gyee has quit IRC01:15
*** breton has joined #openstack-keystone01:18
*** ayoung has quit IRC01:21
*** ayoung has joined #openstack-keystone01:21
*** ChanServ sets mode: +v ayoung01:21
*** josecastroleon has joined #openstack-keystone01:22
*** breton has quit IRC01:23
*** dims has quit IRC01:34
*** bill_az has quit IRC01:39
*** crinkle has quit IRC01:49
*** crinkle has joined #openstack-keystone01:51
*** josecastroleon has quit IRC01:52
*** breton has joined #openstack-keystone01:53
*** pumaranikar has quit IRC01:55
*** breton has quit IRC01:58
*** lhcheng has quit IRC01:59
*** stevemar_ has joined #openstack-keystone02:02
*** ChanServ sets mode: +o stevemar_02:02
*** jasonsb has joined #openstack-keystone02:13
*** browne has quit IRC02:14
*** browne has joined #openstack-keystone02:15
*** pumaranikar has joined #openstack-keystone02:15
*** topol has quit IRC02:16
*** browne has quit IRC02:18
*** jbell8 has joined #openstack-keystone02:28
*** boris-42 has joined #openstack-keystone02:30
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth-saml2: Split ADFS and SAML2 plugins https://review.openstack.org/237853 [02:39]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth-saml2: Update requests_mock syntax https://review.openstack.org/237854 [02:39]
<jamielennox> stevemar_: hey, can we do a release of ksc-kerberos [02:41]
<stevemar_> jamielennox: does that just have auth plugins? [02:42]
<jamielennox> yea [02:42]
*** markvoelker has quit IRC02:42
<jamielennox> but it's been released before so we may as well update regardless of ksa decisions [02:42]
<jamielennox> stevemar_: also maybe you can tell me, for ECP is that first GET on the SP_URL always a get, or is it just that the keystone route is a GET? [02:44]
<jamielennox> i _think_ the SP XML response should come back either way [02:44]
*** pumaranikar has quit IRC02:50
*** morgan has quit IRC03:00
<openstackgerrit> Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/236807 [03:05]
<stevemar_> jamielennox: looking at a line of code in particular? [03:08]
*** jimbaker has quit IRC03:12
<stevemar_> jamielennox: poke [03:16]
<stevemar_> jamielennox: do you know of a clever way to test this: https://review.openstack.org/#/c/171916/19/keystone/tests/unit/test_sql_upgrade.py [03:16]
<jamielennox> stevemar_: that should be almost trivial [03:18]
<jamielennox> stevemar_: with the extension move we don't rename the tables or anything [03:18]
<jamielennox> but i guess you delete the old code [03:18]
*** lhcheng has joined #openstack-keystone03:19
*** ChanServ sets mode: +v lhcheng03:19
<jamielennox> i guess you want to create the table in the test - and check that if the table exists before the migration nothing happens [03:19]
<jamielennox> or looking at the migration more, set the extension_version = 1 and then ensure that nothing happens [03:20]
<jamielennox> table doesn't get created [03:21]
<stevemar_> jamielennox: i do that in test_sql_migrate_extensions [03:21]
<stevemar_> this is the case where the user actually had the tables from the migration, and then is running 083 (or whatever) [03:22]
<jamielennox> stevemar_: re the ECP thing it turns out i currently can't access my SAML setup so that i'm going to have to leave that [03:22]
<jamielennox> stevemar_: yep [03:22]
<jamielennox> so set extension_version = 1 [03:22]
<jamielennox> upgrade(081) [03:22]
<jamielennox> assert table doesn't exist [03:22]
<jamielennox> or otherwise that nothing happened [03:22]
*** mylu has joined #openstack-keystone03:24
*** mylu has quit IRC03:25
*** mylu has joined #openstack-keystone03:26
*** pumaranikar has joined #openstack-keystone03:36
*** topol has joined #openstack-keystone03:38
*** ChanServ sets mode: +v topol03:38
*** breton has joined #openstack-keystone03:40
*** topol has quit IRC03:43
*** jbell8 has quit IRC03:44
*** jbell8 has joined #openstack-keystone03:44
*** breton has quit IRC03:45
*** ajaya has joined #openstack-keystone03:46
*** gildub has quit IRC03:47
*** ajaya has quit IRC03:54
*** pumaranikar has quit IRC03:57
*** pumaranikar has joined #openstack-keystone03:57
*** Nirupama has joined #openstack-keystone04:08
*** links has joined #openstack-keystone04:11
*** jbell8 has quit IRC04:15
*** jbell8 has joined #openstack-keystone04:16
*** jbell8 has quit IRC04:18
*** jbell8 has joined #openstack-keystone04:18
*** breton has joined #openstack-keystone04:22
*** breton has quit IRC04:28
*** jbell8 has quit IRC04:32
*** lhcheng has quit IRC04:39
*** mylu has quit IRC04:46
*** mylu has joined #openstack-keystone04:46
*** jaosorior has quit IRC04:48
*** jaosorior has joined #openstack-keystone04:48
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: [WIP] Use keystoneauth https://review.openstack.org/235090 [04:49]
*** ajaya has joined #openstack-keystone04:50
*** mylu has quit IRC04:50
*** mylu has joined #openstack-keystone04:53
*** pumaranikar has quit IRC04:54
<stevemar_> jamielennox: what's wrong with the keystoneclient references in keystone? [04:59]
<stevemar_> seems like it's just used for cms and ec2 [04:59]
<jamielennox> stevemar_: i'm not sure what's wrong with that [04:59]
<jamielennox> what are you referring to [04:59]
<stevemar_> jamielennox: someone said in the meeting today that keystone wasn't even using keystoneauth properly? [05:00]
<jamielennox> oh, i think that was in regard to using keystonemiddleware in front of keystone [05:00]
<jamielennox> if we do that then there is really no need for cms to exist in keystoneclient [05:00]
<jamielennox> it'd live in keystonemiddleware [05:01]
<jamielennox> i don't think it's a big deal, we'll always have a dependency on keystoneclient from keystonemiddleware [05:01]
*** topol has joined #openstack-keystone05:02
*** ChanServ sets mode: +v topol05:02
<stevemar_> jamielennox: why's that, shouldn't it just be keystoneauth (except for the cms bits...) [05:02]
*** roxanagh_ has joined #openstack-keystone05:04
*** lhcheng has joined #openstack-keystone05:04
*** ChanServ sets mode: +v lhcheng05:04
*** pumaranikar has joined #openstack-keystone05:05
*** mylu has quit IRC05:09
*** mylu has joined #openstack-keystone05:09
<jamielennox> stevemar_: no, you should still have keystoneclient handling things like: fetch revocation lists, validate token, fetch certs.. etc [05:10]
<jamielennox> ksa will just be the transport layer, ksc should still handle things that are keystone REST calls [05:10]
*** mylu has quit IRC05:13
*** tyagiprince2010 has joined #openstack-keystone05:15
*** topol has quit IRC05:15
<tyagiprince2010> hey need help... I installed keystone. now when i run any command like keystone user-list, it asks me for the os-username. [05:15]
<tyagiprince2010> need to know what do i add to my credentials file which ill have to source. [05:16]
<tyagiprince2010> i already have this in my credentials file. [05:16]
*** openstackgerrit has quit IRC05:16
*** morgan has joined #openstack-keystone05:16
*** ChanServ sets mode: +v morgan05:16
<tyagiprince2010> export OS_SERVICE_TOKEN=9377a7d91c1bedf2bad5 export OS_SERVICE_ENDPPOINT=http://localhost:35357/v2.0 [05:16]
*** openstackgerrit has joined #openstack-keystone05:17
<jamielennox> tyagiprince2010: you're getting your CLIs confused unfortunately. those ENVs work in openstackclient but not in keystone cli [05:17]
<jamielennox> so that should work in openstack user list, but not keystone user-list [05:18]
*** stevemar_ has quit IRC05:19
*** stevemar_ has joined #openstack-keystone05:19
*** ChanServ sets mode: +o stevemar_05:19
*** hidekazu has joined #openstack-keystone05:21
*** roxanagh_ has quit IRC05:21
<tyagiprince2010> <+jamielennox> : I ran the command openstack user list.. it gives me this error... ERROR: cliff.app You must provide a username via either --os-username or env[OS_USERNAME] [05:21]
<tyagiprince2010> I guess i need to add something to my credentials file... [05:22]
<jamielennox> stevemar_: that's your ^ [05:22]
<jamielennox> are the OSC options not OS_SERVICE_* [05:22]
*** stevemar_ has quit IRC05:22
<tyagiprince2010> when i add this to my command --os-username admin, it asks me for the password... [05:22]
<tyagiprince2010> I dont understand which password it is asking. [05:23]
<jamielennox> tyagiprince2010: it's ignoring the OS_SERVICE_TOKEN/ENDPOINT and telling you you need to add a username/password to authenticate [05:23]
<jamielennox> just need to see why it's ignoring that [05:23]
<jamielennox> tyagiprince2010: try just OS_TOKEN OS_URL instead [05:24]
<jamielennox> i don't see any reference to OS_SERVICE_X in openstackclient, and i don't remember it from keystoneclient [05:25]
<tyagiprince2010> ok i guess it worked.. I changed the credentials file and now it is giving a different error..INFO: urllib3.connectionpool Starting new HTTP connection (1): localhost [05:26]
<jamielennox> that's not an error [05:27]
<jamielennox> i'm not sure why you're specifying a token in env anyway, why not just auth with user/pass [05:27]
<tyagiprince2010> what i need is a basic setup of keystone... and then have it configured with mysql database and make it use pki token instead of uuid [05:28]
<tyagiprince2010> how do i do the auth with user/pass [05:28]
<jamielennox> from memory OS_AUTH_URL OS_USERNAME OS_PASSWORD OS_PROJECT_NAME [05:29]
<jamielennox> but this would be documented somewhere [05:29]
<jamielennox> in many places [05:29]
<tyagiprince2010> I'll try that.. [05:34]
<tyagiprince2010> could you tell me what should i look for.. [05:34]
<tyagiprince2010> there is pki mechanism i need to configure [05:35]
<tyagiprince2010> and second is i have to make poc for every authentication and authorization model [05:35]
<jamielennox> have you tried setting this up with devstack or something first? it produces an accrc with all the information you need [05:35]
<tyagiprince2010> and cant find any documentation for that [05:35]
<tyagiprince2010> I have devstack as well. [05:36]
<jamielennox> pki requires some certs and an option in keystone, i'd worry about that after you have the basics working [05:36]
<jamielennox> umm POC for every authn/z is really jumping in the deep end [05:37]
<jamielennox> i'm not even sure we have a list of them [05:37]
<jamielennox> i guess it's mostly looking at the different backends [05:38]
<jamielennox> guess there's not that many [05:39]
<tyagiprince2010> for the authorization mechanisms, i just need to look at pki and uuid.. and for the initial authentication, i guess i have to look at different ways possible there. [05:42]
*** breton has joined #openstack-keystone05:42
<tyagiprince2010> which document should i look at.. being a beginner dont know much about it.. [05:42]
*** lhcheng has quit IRC05:44
*** morgan has quit IRC05:45
*** roxanagh_ has joined #openstack-keystone05:47
*** breton has quit IRC05:47
*** breton has joined #openstack-keystone05:50
*** roxanagh_ has quit IRC05:51
*** pumaranikar has quit IRC05:52
*** breton has quit IRC05:54
*** grantbow has quit IRC06:00
*** jaosorior has quit IRC06:00
*** jaosorior has joined #openstack-keystone06:01
*** morgan has joined #openstack-keystone06:01
*** ChanServ sets mode: +v morgan06:01
*** josecastroleon has joined #openstack-keystone06:06
*** su_zhang has quit IRC06:08
*** mylu has joined #openstack-keystone06:10
<jamielennox> Sorry, on my phone so bit hard to look stuff up. [06:10]
<jamielennox> If you stay away from federation mostly it's just SQL or LDAP. I don't know the docs off the top of my head [06:13]
*** ParsectiX has joined #openstack-keystone06:15
*** mylu has quit IRC06:15
*** zqfan_afk has joined #openstack-keystone06:19
*** browne has joined #openstack-keystone06:25
*** pumaranikar has joined #openstack-keystone06:31
*** e0ne has joined #openstack-keystone06:32
*** lsmola_ has quit IRC06:33
*** pnavarro|off has joined #openstack-keystone06:34
*** breton has joined #openstack-keystone06:34
*** pumaranikar has quit IRC06:35
*** jamielennox is now known as jamielennox|away06:37
*** breton has quit IRC06:39
*** pnavarro|off has quit IRC06:40
*** e0ne has quit IRC06:42
*** josecastroleon has quit IRC06:46
*** lsmola_ has joined #openstack-keystone06:46
*** e0ne has joined #openstack-keystone06:47
*** jaosorior has quit IRC06:47
*** jaosorior has joined #openstack-keystone06:48
*** roxanagh_ has joined #openstack-keystone06:48
*** roxanagh_ has quit IRC06:53
*** pumaranikar has joined #openstack-keystone06:53
*** tyagiprince2010 has quit IRC06:58
*** pumaranikar has quit IRC06:58
*** josecastroleon has joined #openstack-keystone07:00
*** jaosorior has quit IRC07:16
*** urulama is now known as urulama|afk07:20
*** e0ne has quit IRC07:27
*** jongchoi has joined #openstack-keystone07:30
*** e0ne has joined #openstack-keystone07:31
*** jaosorior has joined #openstack-keystone07:35
*** jaosorior has quit IRC07:37
*** jaosorior has joined #openstack-keystone07:37
*** EinstCrazy has quit IRC07:42
*** EinstCrazy has joined #openstack-keystone07:43
*** breton has joined #openstack-keystone07:43
*** fhubik has joined #openstack-keystone07:45
*** urulama|afk has quit IRC07:45
*** urulama|afk has joined #openstack-keystone07:45
*** tyagiprince2010 has joined #openstack-keystone07:48
*** breton has quit IRC07:48
*** ParsectiX has quit IRC07:49
*** roxanagh_ has joined #openstack-keystone07:49
*** browne has quit IRC07:51
*** jsheeren has joined #openstack-keystone07:54
*** lhcheng has joined #openstack-keystone07:55
*** ChanServ sets mode: +v lhcheng07:55
*** roxanagh_ has quit IRC07:55
*** urulama|afk is now known as urulama07:58
*** browne has joined #openstack-keystone07:58
*** dims has joined #openstack-keystone07:58
*** ParsectiX has joined #openstack-keystone07:59
*** lhcheng has quit IRC07:59
*** ParsectiX has quit IRC08:00
*** EinstCrazy has quit IRC08:01
*** EinstCrazy has joined #openstack-keystone08:02
*** breton has joined #openstack-keystone08:02
*** browne has quit IRC08:02
*** dims has quit IRC08:05
*** breton has quit IRC08:07
*** pnavarro|off has joined #openstack-keystone08:10
*** josecastroleon has quit IRC08:11
*** Harsh has joined #openstack-keystone08:13
*** jsheeren has quit IRC08:14
<Harsh> Hi guys [08:14]
*** Harsh is now known as Guest5283508:14
<Guest52835> need help on SSO implementation of Openstack KILO [08:14]
<Guest52835> has anybody done this [08:15]
*** josecastroleon has joined #openstack-keystone08:20
*** jistr has joined #openstack-keystone08:23
*** davechen has joined #openstack-keystone08:24
<mordred> jamielennox|away: remind me at some point to talk to you about making a keystoneauth1.session from an existing session [08:26]
*** davechen1 has joined #openstack-keystone08:27
*** ParsectiX has joined #openstack-keystone08:27
*** davechen has quit IRC08:29
*** fawadkhaliq has joined #openstack-keystone08:31
*** davechen has joined #openstack-keystone08:35
*** davechen1 has quit IRC08:37
*** e0ne has quit IRC08:37
*** zqfan_afk is now known as zqfan08:37
*** Guest52835 has quit IRC08:40
*** jongchoi has quit IRC08:48
*** roxanagh_ has joined #openstack-keystone08:52
<tyagiprince2010> hey i am unable to run this pip command : pip install -r requirements.txt [08:53]
<tyagiprince2010> it gives me an exception "Expected ',' or end-of-list in",line,"at",line[p:] ValueError: ("Expected ',' or end-of-list in", "Routes!=2.0,!=2.1,>=1.12.3;python_version=='2.7'", 'at', ";python_version=='2.7'") [08:55]
*** ParsectiX has quit IRC08:56
*** roxanagh_ has quit IRC08:57
*** links has quit IRC09:00
*** openstackgerrit has quit IRC09:01
*** openstackgerrit has joined #openstack-keystone09:02
<tyagiprince2010> got it right.. after commenting out the Routes requirement.. [09:02]
*** akanksha_ has joined #openstack-keystone09:07
*** ajaya has quit IRC09:14
*** links has joined #openstack-keystone09:15
*** e0ne has joined #openstack-keystone09:17
<openstackgerrit> Dave Chen proposed openstack/keystone: No request body or empty resource acceptable in the validation https://review.openstack.org/237448 [09:19]
*** ParsectiX has joined #openstack-keystone09:20
*** urulama has quit IRC09:20
*** urulama has joined #openstack-keystone09:21
*** aix has joined #openstack-keystone09:21
<zqfan> hi, good afternoon, need help for this: https://bugs.launchpad.net/python-keystoneclient/+bug/1508374 [09:22]
<openstack> Launchpad bug 1508374 in python-keystoneclient "using session construct client will miss service_catalog property" [Undecided,New] [09:22]
*** breton has joined #openstack-keystone09:26
*** openstackgerrit has quit IRC09:31
*** ajaya has joined #openstack-keystone09:31
*** openstackgerrit has joined #openstack-keystone09:32
<openstackgerrit> Dave Chen proposed openstack/keystone: Using the right format to render the docstring correctly https://review.openstack.org/226225 [09:33]
*** nisha has joined #openstack-keystone09:34
*** davechen has left #openstack-keystone09:37
*** breton has quit IRC09:39
*** ParsectiX has quit IRC09:40
*** exploreshaifali has joined #openstack-keystone09:43
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Policy rule name spacing via catalog https://review.openstack.org/237743 [09:49]
*** nisha has quit IRC09:52
*** fawadkhaliq has quit IRC09:53
*** roxanagh_ has joined #openstack-keystone09:54
*** roxanagh_ has quit IRC09:58
*** bigjools has quit IRC10:04
*** lhcheng has joined #openstack-keystone10:07
*** ChanServ sets mode: +v lhcheng10:07
*** fhubik is now known as fhubik_brb10:08
*** lhcheng has quit IRC10:12
*** fawadkhaliq has joined #openstack-keystone10:13
*** mylu has joined #openstack-keystone10:13
*** bigjools has joined #openstack-keystone10:16
*** bigjools has quit IRC10:16
*** bigjools has joined #openstack-keystone10:16
*** mylu has quit IRC10:17
*** flaper87 has quit IRC10:29
*** ajaya has quit IRC10:30
*** EinstCrazy has quit IRC10:33
*** dims has joined #openstack-keystone10:34
*** EinstCrazy has joined #openstack-keystone10:34
*** flaper87 has joined #openstack-keystone10:35
*** flaper87 has quit IRC10:35
*** flaper87 has joined #openstack-keystone10:35
*** fawadkhaliq has quit IRC10:35
*** stevemar_ has joined #openstack-keystone10:35
*** ChanServ sets mode: +o stevemar_10:35
*** stevemar_ has quit IRC10:38
*** topol has joined #openstack-keystone10:41
*** ChanServ sets mode: +v topol10:41
*** links has quit IRC10:41
*** topol has quit IRC10:45
*** topol has joined #openstack-keystone10:45
*** ChanServ sets mode: +v topol10:45
*** roxanagh_ has joined #openstack-keystone10:55
*** roxanagh_ has quit IRC10:59
*** links has joined #openstack-keystone10:59
*** tyagiprince2010 has quit IRC11:00
*** breton has joined #openstack-keystone11:03
<samueldmq> morning [11:05]
*** ajaya has joined #openstack-keystone11:05
*** tyagiprince2010 has joined #openstack-keystone11:06
*** fhubik_brb is now known as fhubik11:10
*** fawadkhaliq has joined #openstack-keystone11:10
*** henrynash has quit IRC11:16
*** EinstCrazy has quit IRC11:16
*** ajaya has quit IRC11:16
*** tyagiprince2010 has quit IRC11:19
*** doug-fish has joined #openstack-keystone11:20
*** aix has quit IRC11:24
*** pnavarro|off has quit IRC11:25
*** ajaya has joined #openstack-keystone11:30
*** e0ne has quit IRC11:37
*** exploreshaifali has quit IRC11:38
*** fawadkhaliq has quit IRC11:40
*** EinstCrazy has joined #openstack-keystone11:42
<openstackgerrit> Mehdi Abaakouk (sileht) proposed openstack/python-keystoneclient: Fix token lock race condition https://review.openstack.org/238001 [11:42]
*** gordc has joined #openstack-keystone11:49
*** fawadkhaliq has joined #openstack-keystone11:50
*** breton has quit IRC11:50
*** amakarov_away is now known as amakarov11:51
*** ParsectiX has joined #openstack-keystone11:52
*** Nirupama has quit IRC11:52
*** e0ne has joined #openstack-keystone11:54
*** roxanagh_ has joined #openstack-keystone11:55
*** fawadkhaliq has quit IRC11:55
*** fawadkhaliq has joined #openstack-keystone11:56
*** dikonoor has joined #openstack-keystone11:57
*** arunkant has quit IRC11:57
*** ajaya has quit IRC11:58
*** EinstCrazy has quit IRC11:59
*** roxanagh_ has quit IRC11:59
*** aix has joined #openstack-keystone12:01
*** bdossant has joined #openstack-keystone12:01
*** Ephur has joined #openstack-keystone12:01
*** ajaya has joined #openstack-keystone12:02
<odyssey4me> hmm, has anyone noticed that the 'project source' link on http://docs.openstack.org/developer/keystone/ has an extra '/p' in the URL [12:04]
*** fawadkhaliq has quit IRC12:04
*** Ephur has quit IRC12:06
<openstackgerrit> Mehdi Abaakouk (sileht) proposed openstack/python-keystoneclient: Fix token lock race condition https://review.openstack.org/238001 [12:07]
*** breton has joined #openstack-keystone12:14
*** openstackgerrit has quit IRC12:16
*** openstackgerrit has joined #openstack-keystone12:17
*** arunkant has joined #openstack-keystone12:28
*** pnavarro|off has joined #openstack-keystone12:31
*** NM has joined #openstack-keystone12:33
*** markvoelker has joined #openstack-keystone12:35
*** edmondsw has joined #openstack-keystone12:35
*** breton has quit IRC12:38
*** boris-42 has quit IRC12:38
<samueldmq> odyssey4me: hey [12:40]
<odyssey4me> hiya samueldmq [12:40]
<samueldmq> odyssey4me: yes that's true [12:41]
<samueldmq> odyssey4me: wanna fix ? [12:41]
<odyssey4me> samueldmq sure - it seems to be a problem for all projects [12:41]
<samueldmq> odyssey4me: hm something from the template ? [12:41]
*** henrynash has joined #openstack-keystone12:41
*** ChanServ sets mode: +v henrynash12:41
<odyssey4me> samueldmq yep, but the only template I can find is the new one for docs: https://github.com/openstack/openstackdocstheme [12:42]
<odyssey4me> it's the one for the manuals, which I'm not sure that the projects can use [12:42]
<samueldmq> odyssey4me: http://lists.openstack.org/pipermail/openstack-dev/2015-October/077229.html [12:44]
<odyssey4me> samueldmq nice find! [12:46]
<odyssey4me> samueldmq ah, it looks like it merged yesterday: https://review.openstack.org/#36091 [12:49]
<odyssey4me> whoops: https://review.openstack.org/236091 [12:49]
*** ajaya has quit IRC12:49
<samueldmq> odyssey4me: yes :) [12:50]
<samueldmq> odyssey4me: that looks to add a new option to let individual projects to set their link [12:50]
<odyssey4me> samueldmq yep, lemme smash up a review [12:51]
<samueldmq> odyssey4me: ++ [12:51]
*** richm has joined #openstack-keystone12:53
*** roxanagh_ has joined #openstack-keystone12:56
<openstackgerrit> Jesse Pretorius proposed openstack/keystone: Add theme fix for browsable source code https://review.openstack.org/238047 [12:59]
<odyssey4me> samueldmq ^ [13:00]
*** roxanagh_ has quit IRC13:01
<samueldmq> odyssey4me: nice, I wonder why we keep guessing, if it's wrong for most of projects ? [13:02]
<odyssey4me> samueldmq it doesn't seem to work in a local build - looks like it needs more work [13:02]
<samueldmq> dhellmann: ping - about https://review.openstack.org/#/c/236091/ [13:03]
*** breton has joined #openstack-keystone13:03
*** stevemar_ has joined #openstack-keystone13:03
*** ChanServ sets mode: +o stevemar_13:03
*** petertr7_away is now known as petertr713:04
<odyssey4me> samueldmq oh, it seems that the local build renders differently [13:05]
<odyssey4me> see https://review.openstack.org/238042 as an example [13:05]
<odyssey4me> maybe it's my tox venv [13:06]
*** stevemar_ has quit IRC13:07
<samueldmq> odyssey4me: try tox with -r to recreate it [13:07]
*** stevemar_ has joined #openstack-keystone13:09
*** ChanServ sets mode: +o stevemar_13:09
<samueldmq> odyssey4me: I am trying it too [13:09]
*** stevemar_ has quit IRC13:12
<samueldmq> odyssey4me: that's weird, now it's linking to http://git.openstack.org/cgit/openstack/keystone.git [13:17]
*** stevemar_ has joined #openstack-keystone13:17
*** ChanServ sets mode: +o stevemar_13:17
<samueldmq> odyssey4me: I don't know where that .git came from [13:17]
<odyssey4me> hmm, odd [13:18]
*** kiran-r has joined #openstack-keystone13:21
*** nisha has joined #openstack-keystone13:22
*** ParsectiX has quit IRC13:25
<openstackgerrit> Jesse Pretorius proposed openstack/keystone: Add theme fix for browsable source code https://review.openstack.org/238047 [13:28]
*** kiran-r has quit IRC13:30
*** bill_az has joined #openstack-keystone13:30
<marekd> dolphm: LOL, don't scare stevemar_ and let him do his thing :P [13:40]
<stevemar_> marekd: uh oh? [13:40]
<marekd> stevemar_: nothing :-) [13:40]
<dolphm> stevemar_: don't worry about it [13:41]
<stevemar_> dolphm: you scamp [13:41]
<dolphm> stevemar_: gate breaking critical bug, no biggie [13:41]
<lbragstad> stevemar_ move along, nothing to see here... move along [13:41]
<stevemar_> lbragstad: dolphm keynote starts in 20 minutes, plenty of time [13:42]
<marekd> stevemar_: where are you keynoting? [13:42]
<stevemar_> marekd: i'm at the last row watching the keynote [13:42]
<odyssey4me> samueldmq I dunno if you saw the -infra discussion [13:42]
<stevemar_> hiding in the back like an outcast [13:42]
<marekd> stevemar_: what's the conf ? [13:43]
<odyssey4me> the fix is not yet in a tagged version of oslosphinx, so this should work right once the next tag is done [13:43]
<dolphm> Enterprise Risk Management for Corporate Counsel conference? it's the only one i can find in toronto today [13:43]
<stevemar_> marekd: small local one, mostly ibm'ers, only 100 or so folk [13:43]
<samueldmq> odyssey4me: nice, so once it's released we should be okay with that [13:43]
<odyssey4me> samueldmq yep [13:43]
<samueldmq> odyssey4me: will that remove the .git at the end ? or fix everything automatically , [13:44]
*** ParsectiX has joined #openstack-keystone13:44
<samueldmq> odyssey4me: ? [13:44]
<odyssey4me> samueldmq it'll set it to the configured URL - whatever that value is... [13:44]
<odyssey4me> what you're seeing is the 'guesswork' [13:44]
<dolphm> stevemar_: that just sounds like a meeting [13:44]
<stevemar_> dolphm: lol [13:44]
<samueldmq> odyssey4me: I am still not convinced why we can't just guess right .. where the guess fits most of the projects [13:44]
<stevemar_> dolphm: most of our meetings are <100 :P [13:45]
<lbragstad> "most" [13:45]
<dolphm> lbragstad: ++ [13:45]
*** dims has quit IRC13:45
*** ParsectiX has quit IRC13:46
*** dims has joined #openstack-keystone13:46
*** ParsectiX has joined #openstack-keystone13:46
*** nisha_ has joined #openstack-keystone13:46
*** petertr7 is now known as petertr7_away13:46
*** nisha has quit IRC13:47
*** nisha_ is now known as nisha13:47
<odyssey4me> samueldmq you'll see in the review that fungi suggested some additional changes which would likely work, but the review was pushed through [13:47]
*** jsavak has joined #openstack-keystone13:48
*** erhudy has joined #openstack-keystone13:48
<samueldmq> odyssey4me: okay, it'd be nicer if we could fix everyone in a shot :) [13:50]
<amakarov> bknudson, hi! Can you please suggest me what to do with this test? https://review.openstack.org/#/c/222173/6/keystone/tests/unit/test_kvs.py,cm [13:53]
<samueldmq> amakarov: oh gerrit has a new interface now o/ [13:54]
*** stevemar_ has quit IRC13:54
*** petertr7_away is now known as petertr713:54
<amakarov> I don't know any simple way to expose a race condition and I'm stuck with a question "if there is a need for this test?" [13:54]
<samueldmq> amakarov: ah no, it was just the ,cm at the end :) [13:55]
<amakarov> samueldmq, :) [13:55]
<samueldmq> amakarov: you going to attend the summit , [13:55]
<amakarov> samueldmq, what tests do you usually provide to expose a race condition? [13:55]
<amakarov> sudorandom, yes [13:56]
<amakarov> samueldmq, yes [13:56]
<amakarov> sudorandom, sorry, tab failed me :) [13:56]
*** roxanagh_ has joined #openstack-keystone13:57
<samueldmq> amakarov: I think in that case bknudson is suggesting you to remove the if statement [13:57]
<samueldmq> amakarov: and assertFalse(store.is_configured) before pursuing with the test [13:58]
<amakarov> samueldmq, that I understand, but the test itself is weird :) [13:58]
<amakarov> its result doesn't depend on the fact the issue was fixed [13:59]
<amakarov> samueldmq, it just shows what happens in race condition - a comment about it is enough [14:00]
<amakarov> samueldmq, I'm not sure this test is worthy to remain there [14:00]
*** roxanagh_ has quit IRC14:01
*** henrynash has quit IRC14:01
*** zqfan is now known as zqfan_afk14:02
<dstanek> dolphm: our use of locking at all there seem hokey [14:02]
*** e0ne has quit IRC14:03
*** tristanC has quit IRC14:07
*** jongchoi has joined #openstack-keystone14:08
*** ParsectiX has quit IRC14:09
<samueldmq> amakarov: so that kvs.get_key_value_store('token-driver') returns the same obj for both threads [14:10]
<samueldmq> amakarov: but configure can only be called once, that's why the lock there, right ? [14:10]
<amakarov> samueldmq, right [14:10]
*** pumaranikar has joined #openstack-keystone14:13
*** henrynash has joined #openstack-keystone14:14
*** ChanServ sets mode: +v henrynash14:14
*** nkinder has quit IRC14:14
*** csoukup has joined #openstack-keystone14:16
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Move region configuration to a critical section https://review.openstack.org/222173 [14:18]
<amakarov> samueldmq, ^^ [14:18]
<amakarov> samueldmq, have you meant something like this? [14:19]
*** diazjf has joined #openstack-keystone14:19
<samueldmq> amakarov: yep [14:20]
<amakarov> samueldmq, will you be in Tokyo? [14:21]
<samueldmq> amakarov: yep, travelling tomorrow night, arriving Saturday afternoon [14:22]
<samueldmq> amakarov: long travel [14:22]
<amakarov> samueldmq, very long [14:23]
*** raildo-afk is now known as raildo14:26
*** tonytan4ever has joined #openstack-keystone14:27
<samueldmq> amakarov: so .. in a single patch you wanna expose the race condition and fix it [14:28]
<samueldmq> amakarov: one of both will fail: your fix or your test :) [14:28]
*** ankurgupta has joined #openstack-keystone14:28
<samueldmq> gotta run now, will be back soon [14:28]
<samueldmq> amakarov: nvm, you called get_key_value_store directly [14:30]
*** njohnston is now known as nate_gone14:32
*** nate_gone is now known as njohnston14:34
*** sseago has quit IRC14:36
*** su_zhang has joined #openstack-keystone14:37
<dolphm> dstanek: agree with your comment on https://review.openstack.org/#/c/238001/ but did you see the (brief) explanation in the commit message? [14:38]
*** slberger has joined #openstack-keystone14:39
*** phalmos has joined #openstack-keystone14:41
*** su_zhang has quit IRC14:42
<dstanek> dolphm: yes, im trying to look for what the side effects might be of doing this [14:45]
<dolphm> dstanek: i'm looking for an easy refactor to let it release the lock between retries - perhaps raise an exception somewhere and break out of the context manager [14:47]
<dstanek> dolphm: for example, is the 401 retry thing mentioned in the commit message bounded and are there other cases where the recursion can now happen [14:47]
<dolphm> ah [14:47]
*** jaosorior has quit IRC14:47
<dolphm> dstanek: where recursion can now happen *because* the lock is reentrant? [14:48]
*** jaosorior has joined #openstack-keystone14:48
<dstanek> the lock originally said "only do this once" and with a single character change we've changed the code semantics; add in the multithreading aspect and you have me nervous [14:48]
<dstanek> dolphm: even if your refactor didn't release the lock, if it just cut down the recursion [14:50]
*** links has quit IRC14:50
<dstanek> dolphm: it seems there isn't good layering here; what should be the most inner layer (doing the auth) is calling the outer layer (the thing doing the orchestration) [14:51]
<dstanek> feels like the abstraction is either messed up or missing [14:51]
<dolphm> dstanek: .... yes. [14:51]
<dolphm> that. [14:51]
<dstanek> dolphm: are you working on a refactor patch as a replacement for that one? [14:51]
<dolphm> dstanek: just shopping for one right now [14:52]
*** pnavarro|off has quit IRC14:52
*** petertr7 is now known as petertr7_away14:53
*** stevemar_ has joined #openstack-keystone14:55
*** ChanServ sets mode: +o stevemar_14:55
*** stevemar_ has quit IRC14:56
*** e0ne has joined #openstack-keystone14:56
*** roxanagh_ has joined #openstack-keystone14:58
*** su_zhang has joined #openstack-keystone14:58
*** fawadkhaliq has joined #openstack-keystone14:58
*** stevemar_ has joined #openstack-keystone14:59
*** ChanServ sets mode: +o stevemar_14:59
*** alejandrito has joined #openstack-keystone15:01
*** nisha has quit IRC15:02
*** alejandrito has quit IRC15:02
*** alejandrito has joined #openstack-keystone15:02
*** roxanagh_ has quit IRC15:02
*** f13o has joined #openstack-keystone15:03
*** phalmos has quit IRC15:04
*** fawadkhaliq has quit IRC15:04
*** roxanagh_ has joined #openstack-keystone15:12
*** tirc has joined #openstack-keystone15:12
*** stevema__ has joined #openstack-keystone15:13
*** ChanServ sets mode: +o stevema__15:13
*** phalmos has joined #openstack-keystone15:14
*** stevemar_ has quit IRC15:16
*** fawadkhaliq has joined #openstack-keystone15:17
*** EinstCrazy has joined #openstack-keystone15:17
*** fawadkhaliq has quit IRC15:17
*** Ephur has joined #openstack-keystone15:17
*** urulama has quit IRC15:21
*** urulama has joined #openstack-keystone15:22
*** bdossant has quit IRC15:23
*** roxanagh_ has quit IRC15:27
*** dims_ has joined #openstack-keystone15:31
*** annasort has joined #openstack-keystone15:32
*** lhcheng has joined #openstack-keystone15:33
*** ChanServ sets mode: +v lhcheng15:33
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: pass on @abc.abstractmethods  https://review.openstack.org/23814215:33
*** dims has quit IRC15:35
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Docstring spelling and function-vs-method fixes  https://review.openstack.org/23814415:39
dolphmdstanek: poke me if you have a patch - i tossed up the random crap i came across and am moving on ^15:42
*** EinstCrazy has quit IRC15:42
dolphm(i'm fine with RLock unless plugins are doing something crazy)15:43
*** jsavak has quit IRC15:46
dstanekdolphm: i've been poking at it, but i'm not sure how i can test it yet.15:46
*** jsavak has joined #openstack-keystone15:47
dolphmdstanek: that too. i'm not sure it's reasonable to demand a test as part of this patch, considering there aren't any tests for locks already.15:48
*** petertr7_away is now known as petertr715:50
*** fawadkhaliq has joined #openstack-keystone15:53
*** EinstCrazy has joined #openstack-keystone15:53
*** fawadk has joined #openstack-keystone15:55
*** fawadkhaliq has quit IRC15:56
*** stevema__ has quit IRC16:00
*** sseago has joined #openstack-keystone16:01
*** fhubik has quit IRC16:01
*** exploreshaifali has joined #openstack-keystone16:05
*** jistr has quit IRC16:08
*** john5223 is now known as zz_john522316:09
*** EinstCrazy has quit IRC16:11
*** petertr7 is now known as petertr7_away16:13
*** tirc` has joined #openstack-keystone16:13
*** tirc has quit IRC16:13
*** e0ne has quit IRC16:16
ayoungdolphm, You originally wrote this;  still think it is the right approach?  https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens16:16
*** e0ne has joined #openstack-keystone16:17
*** su_zhang has quit IRC16:17
*** sseago has quit IRC16:17
*** slberger has quit IRC16:17
*** dikonoor has quit IRC16:17
*** sseago has joined #openstack-keystone16:17
*** EinstCrazy has joined #openstack-keystone16:18
*** slberger has joined #openstack-keystone16:21
dolphmayoung: kind of. depends on how you define a "service", or the boundaries between similar "services"16:24
*** sseago has quit IRC16:24
dolphmayoung: i.e. does having a role on "compute" mean you have a role on "compute" in both regions of a deployment? does having a role on "compute" mean you can consume that role on both the public endpoint and the admin endpoint? what if you have two versions of the same service deployed?16:25
dolphmetc16:25
ayoungdolphm, HMT based on the service catalog would let us vary16:25
ayoungdolphm, I would assume the simple case is assign role to user on "catalog" gets everything.  For more real production deployments, assign role on the endpoints16:26
dolphmif you do role assignments on service IDs, i think you give the deployer a lot of flexibility in how they structure their catalog and how they assign service roles, but *shrug*16:26
ayoungI think role on compute is the same for public and admin16:26
dolphmayoung: then that's a role on the service, not the endpoint?16:27
*** petertr7_away is now known as petertr716:27
ayoungdolphm, right...use the same rules as we do for HMT now, with catalog->services->endpoints16:27
dolphmi haven't followed HMT enough to know what you're talking about at all :-/16:28
ayoungso you *could* do it all the way to the endpoint if that makes sense:  dev team can destroy their own Nova and neutron servers,16:28
ayoungdolphm, on a role assignment, you specify if it is to be inherited.  If it is, you can get a token scoped to any of the child nodes16:28
ayoungso if proj1 has children p2 and p3  and p2 has p4 etc16:29
ayoung_member_  on proj1  means _member on p2, p3 ,p416:29
ayoungYou still need to ask for a token scoped to p2 to get that role16:30
*** sseago has joined #openstack-keystone16:31
bknudsonin what case does session.post() call BaseIdentityPlugin.invalidate()?16:31
ayoungdolphm, so, there are two ways we could implement this.  One is that we add a new set of targets in the role assignment table.  The other is that we treat the service catalog as a "read-only" backend for  "resource"16:31
*** jasonsb has quit IRC16:32
ayoungessentially, saying that "if you create a service or endpoint, you are creating a project with the same id"16:32
ayoungpros and cons to each method16:32
ayoungI think the "every catalog item is a project" approach breaks fewer things.16:32
bknudsonmaybe there's something we can do to reset the session auth first rather than have to make the lock reentrant16:33
*** c_soukup has joined #openstack-keystone16:34
*** dims_ has quit IRC16:36
*** stevemar_ has joined #openstack-keystone16:36
*** ChanServ sets mode: +o stevemar_16:36
*** dims has joined #openstack-keystone16:36
dolphmayoung: i don't think we should be conflating services with projects16:38
*** exploreshaifali has quit IRC16:38
*** csoukup has quit IRC16:38
*** doug-fish has quit IRC16:40
*** doug-fish has joined #openstack-keystone16:41
*** stevemar_ has quit IRC16:41
*** EinstCrazy has quit IRC16:41
*** roxanagh_ has joined #openstack-keystone16:42
*** gyee has joined #openstack-keystone16:45
*** ChanServ sets mode: +v gyee16:45
*** doug-fish has quit IRC16:45
*** roxanagh_ has quit IRC16:46
openstackgerritKent Wang proposed openstack/keystone: Add schema validation to fix v2 code error returns  https://review.openstack.org/23816016:47
*** roxanagh_ has joined #openstack-keystone16:48
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Address hacking check H405.  https://review.openstack.org/23816116:49
*** jaosorior has quit IRC16:50
*** jaosorior has joined #openstack-keystone16:50
*** diazjf has quit IRC16:50
*** petertr7 is now known as petertr7_away16:52
*** doug-fish has joined #openstack-keystone16:56
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation migration  https://review.openstack.org/23704716:56
*** tirc` has quit IRC16:57
*** zigo_ has quit IRC16:59
*** zigo has joined #openstack-keystone17:00
*** jsavak has quit IRC17:01
*** tsymanczyk has joined #openstack-keystone17:04
*** tsymanczyk is now known as Guest1645117:04
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation spec  https://review.openstack.org/18981617:06
*** tsymancz4k has joined #openstack-keystone17:09
*** su_zhang has joined #openstack-keystone17:12
*** tirc` has joined #openstack-keystone17:17
*** haneef has quit IRC17:18
*** shaleh has joined #openstack-keystone17:22
*** tirc` has quit IRC17:23
*** kfox1111 has quit IRC17:25
*** kfox1111 has joined #openstack-keystone17:26
*** ajaya has joined #openstack-keystone17:27
*** jasonsb has joined #openstack-keystone17:28
*** sseago has quit IRC17:29
*** shadower has quit IRC17:29
*** ajaya has quit IRC17:32
*** stevemar_ has joined #openstack-keystone17:32
*** ChanServ sets mode: +o stevemar_17:32
*** njohnston is now known as nate_gone17:34
*** henrynash has quit IRC17:37
*** exploreshaifali has joined #openstack-keystone17:40
*** zqfan_afk is now known as zqfan17:42
morgandolphm: I agree, I don't like project <-> service conflation17:43
*** nate_gone is now known as njohnston17:45
*** brad[] has quit IRC17:48
*** brad[] has joined #openstack-keystone17:48
*** e0ne has quit IRC17:49
*** roxanag__ has joined #openstack-keystone17:50
*** roxanagh_ has quit IRC17:50
ayoungmorgan, no one is allowed to say "No" to my suggestions without at least offering an alternative.17:52
*** exploreshaifali has quit IRC17:53
ayoungOtherwise, we suffer gridlock17:53
ayoungso...please tell me what you would prefer.  Otherwise I can't make progress.17:53
ayoungmorgan, dolphm are you saying you would rather have endpoint as a scope in tokens?17:54
ayoungWe can do that, it just requires more work.  It changes Horizon and all the client calls as well as authtoken, and the remote service policy files17:54
dolphmayoung: i don't always know the solution to a problem17:55
ayoungdolphm, I thought you had a good start on it with the BP17:55
ayoungdolphm, sorry to come across so harsh.  I know you are working lots of different issues.17:56
dolphmayoung: it's still only a potential solution meant for discussion, and it's not completely thought through, obviously17:57
*** harlowja has quit IRC17:57
morganayoung: I am not saying "no" I was saying I don't like it17:57
ayoungdolphm, I kind of like the abstraction that "everything is a project"17:57
morganayoung: if that is the best option, I wouldn't block it17:57
ayoungit means that we use the same name of things for all remote labels.17:57
ayounger17:57
ayoungremote resources17:57
ayounglocal ones too, except for domains17:57
*** stevemar_ has quit IRC17:58
ayoungIt does have some weirdness, in that you could then use catalog item-backed projects to do things other than service level operations.  jamielennox|away was commenting on that the other night.17:58
shalehrunning projects a long way from tenants and user expectations are you?17:58
ayoungshaleh, me?17:59
ayoungI am actually trying to go along with admins' expectations here.  This is "the path of least resistance" approach17:59
dolphmayoung: but a project has been traditionally defined as a container for tenant-owned resources. services have never been owned by tenants, they're owned by the operator and serve multiple tenants17:59
shaleh++ dolphm18:00
ayoungdolphm, right.  The original view of roles is that they were global.  I did some git tracing to see when that changed, and I think it was before they started committing to the python Keystone git repo.   Scoped roles are in Keystone Light18:00
*** diazjf has joined #openstack-keystone18:01
ayoungdolphm, and operations on services were expected to use that unscoped admin role.18:01
morgannon-scoped (global) roles did have a comment at one point saying "no we don't do this"18:01
morganbut it wasn't clear why that choice was made18:01
morganwe could easily support a global role again if desired.18:01
*** harlowja has joined #openstack-keystone18:02
*** slberger has quit IRC18:02
morganand I think the impact to horizon here would be minimal18:02
* morgan shrugs.18:02
*** slberger has joined #openstack-keystone18:02
ayoungmorgan, not sure that is true.  Getting horizon to deal with Domains was already painful18:02
*** dims has quit IRC18:03
morganayoung: nah, i don't think a global role would be a hard change. domains are much further reaching18:03
ayoungmorgan, is that the direction you want to go?18:04
morganbut like i said, i wouldn't block service-is-a-project if we don't have another option. I would prefer another option18:04
ayoungOr are you just brainstorming?18:04
morganbut I don't have a solid answer.. more brainstorming18:04
*** dims has joined #openstack-keystone18:04
bknudsonI wasn't able to recreate https://bugs.launchpad.net/python-keystoneclient/+bug/1508424 in a unit test using any of our plugins.18:04
openstackLaunchpad bug 1508424 in python-keystoneclient "BaseIdentityPlugin.get_access hang" [High,In progress] - Assigned to Mehdi Abaakouk (sileht)18:04
shalehso now i need to glue multiple projects together to get nova + neutron + cinder working?18:05
shalehwhy are you not using regions for this?18:05
ayoungmorgan, so project or not, I think we want to scope the role assignments to catalog items.  That meets gyee 's repeated request to be able to distinguish between admins for different  services and endpoints18:05
ayoungshaleh, regions are service catalog constructs and are also available as things that can have roles assigned under this proposal18:06
ayoungshaleh, so, yes, regions, too, just need to be clear on the ordering between regions and services in the hierarchy18:06
shalehso why push all the way to project == service?18:06
shalehregions with proper endpoint filtering (once all of the movement settles) seems to get you there18:06
*** lsmola_ has quit IRC18:07
ayoungshaleh, so you are suggesting limiting it to region <-> project?18:07
ayoungEndpoints don't know what region they are in right now18:07
ayoungAll an endpoint knows is its URL, and even that is somewhat problematic18:08
ayoungwe need to map from URL to endpoint id.  Region would be an additional layer of mapping. Possible, though18:08
shalehthen why are all of the unit tests embedding regions in the endpoint refs?18:08
*** henrynash has joined #openstack-keystone18:08
*** ChanServ sets mode: +v henrynash18:08
shalehclearly something knows the mapping18:08
*** stevephone has joined #openstack-keystone18:08
ayoungshaleh, unit tests are different from services deployed18:08
stevephoneo/18:09
ayoungshaleh, so, the test code knows the mapping18:09
shalehOSC does too, I say endpoint --region foo18:09
bknudsonstevephone: still no znc?18:09
*** tqtran has joined #openstack-keystone18:10
ayoungshaleh, so...this is one reason I would say let's map things to projects.  It keeps us from having to update everything when we decide to use yet another abstraction as a scope for RBAC18:11
openstackgerritMerged openstack/python-keystoneclient: pass on @abc.abstractmethods  https://review.openstack.org/23814218:11
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation driver  https://review.openstack.org/20960018:12
ayoungright now, the only scope Nova has to worry about is project scope.  We could add an endpoint scope on there, and a project, and a region, and so on, but think what the policy to enforce that would look like18:12
shalehbut multiple projects could be using the same endpoint right?18:12
*** aix has quit IRC18:12
ayoungshaleh, ah...not for this...let me clarify18:12
stevephonebknudson, not yet, part way through the configuration18:12
ayoungshaleh, this is only for endpoint scoped operations.  Not for projects that end users work with.18:13
shalehwhat is "endpoint scoped"?18:13
ayoungshaleh, I wrote it up clearer here: http://adam.younglogic.com/2015/10/admin/18:13
ayoungIt's on the mailing list, too18:13
*** henrynash has quit IRC18:13
shalehk, I have not drank from the firehouse this morning :-)18:13
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation driver  https://review.openstack.org/20960018:15
*** topol has quit IRC18:15
openstackgerritHenrique Truta proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913218:16
openstackgerritHenrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418018:16
*** petertr7_away is now known as petertr718:16
gyeeayoung, I am all for endpoint scoping and admin segregations, no argument here :)18:17
ayounggyee, yeah.  Did you get a chance to read that?  Any thought on how to expose the catalog information in the token?18:18
gyeeyou don't need to18:19
shalehI like admin segregation for sure.18:19
shalehjust not sold on the other part18:19
gyeeGET /v3/auth/tokens?endpoint_id=xxx18:19
gyeeif token is not scoped to the given endpoint, reject it18:19
shalehSo as an admin I would need to auth to each service I wanted to work on?18:20
shalehWould there be a way to let me admin nova + cinder simultaneously but not neutron?18:20
ayounggyee, " token is not scoped to the given endpoint"18:21
ayoungshaleh, not in the first pass.  You could have role assignments for each, but the token would be scoped to the endpoint18:22
ayoungshaleh, why would you need a token scoped to both nova and cinder for an admin operation?18:22
raildoayoung: whereas v2 will be deprecated, keystone still accepting bug fixes only to v2 or they are considered "invalid"?18:22
gyeeayoung, so there are two ways we can enforce endpoint binding18:22
shalehwhy would i want to auth twice and switch between tokens?18:23
ayoungraildo, depends on how serious18:23
gyee1) at the middleware by examining the SC18:23
gyee2) at the server during token validation18:23
ayounggyee, not binding18:23
morganraildo: v2 bug fixes for security issues: absolutely accepted18:23
ayoungthis is separate from "this token can only be used on the endpoint"18:23
morganraildo: v2 minor issues - nope18:23
ayoungthis means "this token is for admin operations on the endpoint"18:23
ayoungyour binding stuff would still be usable by normal users18:23
raildomorgan: ayoung, ok, got it, thanks :)18:23
morganraildo: even fairly major-non-security issues with v2 would probably be passed on for v218:23
* morgan makes a non-binding resolution for binding that is binding for normal users via binding.18:24
* morgan goes to get breakfast or is it lunch...18:24
gyeeayoung, right, so there are two checks, 1) is the given token even allowed for the given endpoint, and 2) is the given token allowed to perform admin operations for the given service18:25
shalehayoung: I need a token to talk to the endpoint. If I am working on debugging/fixing a problem I might need to access both nova and cinder. Switching back and forth between two tokens seems like another level of annoyance.18:25
ayounggyee, right18:25
ayoungshaleh, so lets assume that we made a common "admin" project across the two.  How would we communicate what that project_id is to the two services?18:26
dstanekbknudson: i also ran into a wall writing a test case18:27
gyeeshaleh, nothing says you can't scope to multiple endpoints at once18:27
shalehayoung: why do we need to? Once I auth and bind, my token will be accepted. Isn't that the point of role assignment?18:27
raildomorgan: I was thinking of invalidating this bug: https://bugs.launchpad.net/keystone/+bug/1455298 since they are only modifying the error message in v2, and on v3 this is already checked.18:27
openstackLaunchpad bug 1455298 in Keystone "unreasonable error message returned when an empty body was posted to POST request" [Low,In progress] - Assigned to Kent Wang (k.wang)18:27
bknudsondstanek: could probably write a custom auth plugin that doesn't pass authenticated=False?18:27
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839818:28
*** lhcheng has quit IRC18:28
bknudsonbut that wouldn't be a valid auth plugin.18:28
dstanekbknudson: do you think that's what they were doing?18:28
dstanekthe client code is very hard to read18:28
*** lhcheng has joined #openstack-keystone18:29
*** ChanServ sets mode: +v lhcheng18:29
bknudsondstanek: that's the only way I can think of the reentry would happen.18:29
ayounggyee, we need a way to communicate the acceptable scope of the token to the endpoints.18:29
gyeedstanek, it's easier to read in a debugger :)18:29
bknudsonso maybe one of our auth plugins isn't passing authenticated=False or maybe they've got their own.18:29
ayoungIt can be endpoint ID.  We could also have the policy check query the catalog, and allow tokens scoped wider than just a single endpoint18:29
*** lhcheng has quit IRC18:30
shalehayoung: why is defining "vm_admin" and assigning "vm_admin" to the endpoint(s) not sufficient?18:30
gyeeayoung, that's essentially what endpoint filter and endpoint groups are for, restrict access to a set of endpoints18:30
shalehexactly18:30
*** exploreshaifali has joined #openstack-keystone18:31
shalehif we just made it easier to define admin roles it seems like all of the other pieces are in play right now18:31
ayoungshaleh, what do you mean by 'assigning "vm_admin" to the endpoint'18:31
*** zqfan is now known as zqfan_afk18:31
ayoungshaleh, devil is in the details.  Walk it through from role assignment, to token request and issue, to token validation18:32
ayoungthe issue is that for many policy checks 'admin' is not scoped to anything.18:32
*** tonytan4ever has quit IRC18:32
ayoungbut in other cases it is18:32
ayoungthe cases where it is not scoped are things like "add hypervisor"18:33
ayoungservice wide.18:33
ayoungThe cases where it is scoped are things like "set quota"18:33
ayoungso we need to distinguish between these two cases18:33
shalehayoung: we need to be better about defining "admin"ness. Customers are asking for more fine grained definitions of "read only admin", "vm admin", etc.18:33
*** tonytan4ever has joined #openstack-keystone18:33
ayoungshaleh, I know.18:33
shalehif we stick to your suggestion of a "admin project" that I bind a token to, my user is then part of the role assignment18:34
ayoungshaleh, that is solvable, too18:34
ayoungshaleh, yes18:34
shalehendpoint asks "does this token have perms?"18:34
shalehwhat am I missing?18:34
ayoungshaleh, what is in the token validation response for the scope of the token?18:35
ayoungproject_id for the admin project, right?18:35
ayounghow did we communicate this ID to the endpoint?18:35
*** amakarov is now known as amakarov_away18:36
shalehthe code should be asking "is this action ok by policy for this token"18:36
shalehno, I am not asking for dynamic policy here.18:36
ayoungshaleh, and how will policy be able to say yes or no to that?18:36
gyeeayoung, when are you arriving tokyo? lets grab a drink and have a pre conf talk, what say you?18:37
ayounggyee, I show up on Monday....let me see the time18:37
ayounggyee,  5:05pm18:38
shalehgyee: don't we have an HP meet and greet Monday night?18:38
dstanekbknudson: i couldn't find one that didn't explicitly pass authenticated=False; even our contrib SAML stuff does18:38
ayounggyee, what hotel are you in?18:39
bknudsondstanek: a backtrace in the bug report would sure help here.18:39
ayoungI'm in Shinagawa Prince Hotel18:39
gyeeayoung, the Grant Prince18:39
bknudsonwe should just have the design conference in the hotel lobby18:40
stevephonedolphm, what ended up happening with that ksc bug?18:40
dstanekstevephone: not enough info to reproduce18:40
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Mark abstractmethod bodies with nocover  https://review.openstack.org/23820918:40
stevephonebknudson needs easy access to booze to listen to our wacky keystone ideas18:41
*** tsymancz4k is now known as tsymanczyk18:41
gyeebknudson, at a bar in the hotel lobby :)18:41
stevephonedstanek, kk thx :)18:41
shalehgyee: ++18:41
gyeecan't do any design when thirsty18:41
shalehayoung: so you are saying policy cannot take a valid token and an endpoint and return up/down for the user accessing it?18:42
dstaneklobby hacking sounds great - lbragstad and i land at 4:00 on Sunday18:42
shalehI can be around Sunday night for sure18:43
bknudsondstanek lbragstad: through MSP ?18:43
dstanekyep18:43
bknudsonwe'll all be on the same flight18:43
dstanekare you on that flight too?18:43
ayoungshaleh, right now?  No, it can't.  For two reasons.  1.  There is no way to scope a token to an endpoint and two policy does not know the endpoint id anyway. But both of those are solvable problems18:43
dstaneknice18:43
bknudsonthat'll be a long day for you guys.18:44
ayoungshaleh, so  we could do one of two things for " way to scope a token to an endpoint"18:44
shalehHP folk are flying in Sat night.18:44
shalehso Sunday evening is open for business18:44
ayoungeither we add a new target in the token for scope;  endpoint.  Or, we map the endpoint to an admin project.  Both have pros/cons18:44
dolphmshaleh: do you work for HP, btw?18:45
ayoungshaleh, either way, we can use the same mechanism as gyee was building for endpoint binding of tokens;  basically look up the endpoint ID from the service catalog based on the URL18:45
shalehdolphm: I do, I work right next to Guang18:45
lbragstadbknudson yep18:45
dolphmshaleh: oh cool, good to know i have another path to poking gyee18:45
shalehdolphm: for sure :-)18:46
lbragstaddolphm ++18:46
gyeehahahah18:46
gyeedolphm, just don't ask him to throw stuff at me18:46
lbragstadshaleh do you have access to Nerf guns?18:46
shalehnah the office dynamics are not Nerf gun friendly18:46
lbragstadahhh18:46
shalehlbragstad: I was typing that before you posted it :-)18:46
bknudsonlbragstad: they're not in texas18:46
lbragstadlol, Nerf gun ban?18:47
bknudsoncan't just open carry nerf guns there18:47
shalehtoo straight laced for that. Not a startup18:47
dolphmshaleh: can you throw things at gyee right now, btw? gyee needs a good throwing-at every now and then to keep him on his toes18:47
lbragstadhold on, i need a silencer for my nerf guns18:47
dolphmlbragstad: use the pipe at my desk18:47
shalehdolphm: no, we are both at home18:47
dolphmshaleh: this is an unfortunate colocation arrangement18:48
lbragstaddolphm do we have to fill out paper work for that class III?18:48
shalehdolphm: :-) I see him two days a week. He likes to hide.18:48
dolphmshaleh: regardless, please optimize for throwing distance and report back18:48
shalehdolphm: ++18:48
*** jbell8 has joined #openstack-keystone18:49
shalehon the plus side, in my experience the more Nerf guns the more likely the company will tank18:50
*** wwwjfy has quit IRC18:52
*** roxanag__ has quit IRC18:54
*** su_zhang has quit IRC18:55
*** sseago has joined #openstack-keystone18:56
*** petertr7 is now known as petertr7_away18:56
stevephonedolphm dont endorse nerf based violence18:57
*** gordc has quit IRC18:57
shalehstevephone: tennis balls then? :-)18:57
odyssey4medolphm dstanek is devstack gating on all keystone v3 yet?18:58
lbragstadshaleh rubber-band wars18:59
*** roxanagh_ has joined #openstack-keystone19:00
*** sseago has quit IRC19:00
stevephoneodyssey4me i believe it is19:02
odyssey4mestevephone the reason I ask is that we're looking to set openstack-ansible for Liberty to default to v3 only19:02
odyssey4mewe've not had much success until these last moments... and still heat is a bit of an issue19:03
*** ericksonsantos_ has joined #openstack-keystone19:03
*** jasonsb has quit IRC19:04
bknudsonheat only works with v3 due to creating users in the non-default domain19:05
*** stevemar_ has joined #openstack-keystone19:07
*** ChanServ sets mode: +o stevemar_19:07
*** lhcheng has joined #openstack-keystone19:07
*** ChanServ sets mode: +v lhcheng19:07
*** lhcheng_ has joined #openstack-keystone19:08
*** jasonsb has joined #openstack-keystone19:11
*** roxanagh_ has quit IRC19:11
*** bill_az has quit IRC19:12
*** lhcheng has quit IRC19:12
*** stevemar_ has quit IRC19:15
*** stevemar_ has joined #openstack-keystone19:16
*** ChanServ sets mode: +o stevemar_19:16
*** mylu has joined #openstack-keystone19:16
dstanekodyssey4me: is heat your only issue?19:17
odyssey4meheat's keystone configuration is somewhat fragmented https://review.openstack.org/23597819:17
odyssey4methere is the keystone_authtoken bit19:18
odyssey4methen there's the trustee bit, and the clients bit19:18
odyssey4meand if you don't populate one, it uses old config entries from another19:18
odyssey4mehence the keystone_authtoken nonsense in here: http://docs.openstack.org/liberty/install-guide-ubuntu/heat-install.html#install-and-configure-components19:19
odyssey4memiguelgrinberg is ferreting the right config out for us :)19:19
bknudsonodyssey4me: keystone_authtoken is the config for the auth_token middleware -- it should be the same for heat as it is for every service.19:20
odyssey4mebut dstanek https://review.openstack.org/205192 passed for the first time in months not long ago19:20
*** stevemar_ has quit IRC19:20
odyssey4mebknudson the trouble is that other parts of heat use that config as a back-stop19:20
bknudsonit's broken if applications are using keystone_authtoken for their own config.19:20
miguelgrinbergbknudson: yes, it was broken. We tried to fix it not long ago.19:20
odyssey4mebknudson that's exactly right, and they're on their way to fix it19:21
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Update middlewarearchitecture for paste config  https://review.openstack.org/23821719:22
dstanekodyssey4me: miguelgrinberg: as a back-stop for what?19:22
miguelgrinbergdstanek: heat managed its own domain users using the creds in keystone_authtoken.19:23
odyssey4medstanek http://i.imgur.com/fTTBLia.gif19:23
dstanekmiguelgrinberg: ah, i see19:24
miguelgrinbergdstanek: we now put a separate config for that, called [trustee]19:24
*** fifieldt_ has joined #openstack-keystone19:26
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733119:26
*** stevephone has quit IRC19:27
*** fifieldt has quit IRC19:29
*** fawadkhaliq has joined #openstack-keystone19:31
*** fawadk has quit IRC19:32
openstackgerritKent Wang proposed openstack/keystone: Add schema validation to fix v2 code error returns  https://review.openstack.org/23816019:34
*** mylu has quit IRC19:37
*** fawadk has joined #openstack-keystone19:40
*** mylu has joined #openstack-keystone19:41
*** fawadkhaliq has quit IRC19:43
*** su_zhang has joined #openstack-keystone19:43
*** petertr7_away is now known as petertr719:45
*** harlowja has quit IRC19:50
*** pumaranikar has quit IRC19:50
*** mylu has quit IRC19:59
*** mylu has joined #openstack-keystone19:59
*** mylu has quit IRC20:04
*** ericksonsantos_ has quit IRC20:05
*** ankurgupta has quit IRC20:05
*** openstackstatus has joined #openstack-keystone20:07
*** ChanServ sets mode: +v openstackstatus20:07
*** browne has joined #openstack-keystone20:15
*** dims has quit IRC20:18
*** dims has joined #openstack-keystone20:18
*** fawadk has quit IRC20:20
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Adding 'domain_id' filter to list_user_projects().  https://review.openstack.org/18291520:25
*** ankurgupta has joined #openstack-keystone20:36
*** harlowja has joined #openstack-keystone20:39
*** harlowja_ has joined #openstack-keystone20:40
*** alejandrito has quit IRC20:42
*** browne has quit IRC20:44
*** harlowja has quit IRC20:44
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721820:46
*** doug-fis_ has joined #openstack-keystone20:50
*** doug-fi__ has joined #openstack-keystone20:50
*** doug-fi__ has quit IRC20:51
*** doug-fi__ has joined #openstack-keystone20:51
openstackgerritMerged openstack/python-keystoneclient: Docstring spelling and function-vs-method fixes  https://review.openstack.org/23814420:52
*** doug-fish has quit IRC20:53
*** raildo is now known as raildo-afk20:54
*** pnavarro has joined #openstack-keystone20:54
*** doug-fis_ has quit IRC20:54
*** pnavarro has quit IRC21:03
*** annasort has quit IRC21:06
*** roxanagh_ has joined #openstack-keystone21:07
*** jongchoi_ has joined #openstack-keystone21:10
*** stevemar_ has joined #openstack-keystone21:11
*** ChanServ sets mode: +o stevemar_21:11
*** ankurgupta has left #openstack-keystone21:13
*** darrenc is now known as darrenc_afk21:17
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Address hacking check H405.  https://review.openstack.org/23816121:21
*** petertr7 is now known as petertr7_away21:23
*** zz_john5223 has quit IRC21:31
*** doug-fi__ has quit IRC21:32
*** doug-fish has joined #openstack-keystone21:33
*** zz_john5223 has joined #openstack-keystone21:33
*** doug-fis_ has joined #openstack-keystone21:34
*** henrynash has joined #openstack-keystone21:35
*** ChanServ sets mode: +v henrynash21:35
*** doug-fish has quit IRC21:37
*** doug-fish has joined #openstack-keystone21:38
*** diazjf has quit IRC21:39
*** doug-fis_ has quit IRC21:39
*** darrenc_afk is now known as darrenc21:39
*** doug-fish has quit IRC21:42
*** jbell8 has quit IRC21:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/23826421:49
*** doug-fish has joined #openstack-keystone21:50
*** su_zhang has quit IRC21:53
*** doug-fish has quit IRC21:54
*** tqtran has quit IRC21:54
*** su_zhang has joined #openstack-keystone21:54
*** su_zhang has quit IRC21:55
*** jongchoi_ has quit IRC22:02
*** jongchoi_ has joined #openstack-keystone22:05
*** jamielennox|away is now known as jamielennox22:07
*** c_soukup has quit IRC22:09
*** jongchoi_ has quit IRC22:10
*** lhcheng_ has quit IRC22:17
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use keystoneauth  https://review.openstack.org/23509022:21
*** jbell8 has joined #openstack-keystone22:23
*** urulama has quit IRC22:25
*** urulama has joined #openstack-keystone22:25
*** r-daneel has joined #openstack-keystone22:26
*** jbell8 has quit IRC22:27
*** pgbridge has quit IRC22:28
*** jbell8 has joined #openstack-keystone22:30
*** phalmos has quit IRC22:30
*** slberger has left #openstack-keystone22:31
*** lhcheng has joined #openstack-keystone22:33
*** ChanServ sets mode: +v lhcheng22:33
*** jasonsb has quit IRC22:37
*** su_zhang has joined #openstack-keystone22:39
*** pgbridge has joined #openstack-keystone22:39
*** jbell8 has quit IRC22:40
*** jbell8 has joined #openstack-keystone22:41
*** jasonsb has joined #openstack-keystone22:42
jamielennoxlaptop cleanup day: [ $[ $RANDOM % 6] == 0 ] && rm -rf / || echo Click22:45
gyeeyou need secure wipe :)22:47
*** jaosorior has quit IRC22:48
*** jaosorior has joined #openstack-keystone22:48
*** annasort has joined #openstack-keystone22:48
*** jbell8 has quit IRC22:53
*** jbell8 has joined #openstack-keystone22:54
*** hrou has joined #openstack-keystone22:54
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_endpoint_ref consistently  https://review.openstack.org/23775822:55
*** urulama has quit IRC22:57
*** urulama has joined #openstack-keystone22:57
*** markvoelker has quit IRC23:08
*** diegows has joined #openstack-keystone23:23
*** dims_ has joined #openstack-keystone23:29
*** erhudy has quit IRC23:29
*** dims__ has joined #openstack-keystone23:31
*** dims has quit IRC23:31
*** harlowja_ has quit IRC23:33
*** dims_ has quit IRC23:34
*** harlowja has joined #openstack-keystone23:37
*** exploreshaifali has quit IRC23:38
*** gildub has joined #openstack-keystone23:41
*** harlowja_ has joined #openstack-keystone23:45
*** topol has joined #openstack-keystone23:48
*** ChanServ sets mode: +v topol23:48
*** harlowja has quit IRC23:49
*** topol has quit IRC23:53
shalehmy review just failed gate-tempest-dsvm-postgres-full. It does not look like my unit test only changes should be the culprit. Anyone else see problems?23:57
*** su_zhang has quit IRC23:58
*** tonytan4ever has quit IRC23:59
