Monday, 2016-02-01

*** chlong has quit IRC00:01
*** dims_ has joined #openstack-keystone00:02
*** dims has quit IRC00:05
*** alejandrito has quit IRC00:05
*** tpeoples has quit IRC00:08
*** tpeoples has joined #openstack-keystone00:10
*** roxanaghe has joined #openstack-keystone00:11
*** DuncanT has quit IRC00:15
*** DuncanT has joined #openstack-keystone00:16
*** chlong has joined #openstack-keystone00:17
*** roxanaghe has quit IRC00:17
*** su_zhang has joined #openstack-keystone00:17
*** shoutm_ has joined #openstack-keystone00:35
*** woodster_ has quit IRC00:36
*** shoutm has quit IRC00:38
*** Anticimex has quit IRC00:44
*** markvoelker has joined #openstack-keystone00:46
bigjoolsnotmorgan: I'm getting 404s using keystoneclient without a version in the auth URL, is this a bug given what you said a few days ago?00:46
*** Anticimex has joined #openstack-keystone00:48
jamielennoxbigjools: what do the __init__ params look like?00:50
bigjoolsI'm just filing a bug with gory details, one sec00:50
*** markvoelker has quit IRC00:50
bigjoolsjamielennox: https://bugs.launchpad.net/python-keystoneclient/+bug/154018000:51
openstackLaunchpad bug 1540180 in python-keystoneclient "404 from server unless version is in URL" [Undecided,New]00:51
bigjoolsI am probably doing something wrong...00:51
bigjoolsbut not the only one to get this00:51
jamielennoxbigjools: so there are generic and versioned plugins00:52
jamielennoxin ksc they're ksc.auth.identity.Password vs ksc.auth.identity.V3Password00:52
notmorganjamielennox: ++00:53
jamielennoxin the generic plugins they will do version discovery and figure out what version you should use00:53
bigjoolsaha00:53
jamielennoxso :5000/ works00:53
jamielennoxv3.X will expect a v3 url00:53
notmorganjamielennox: we have a similar issue that's hitting Shrews in shade i think.00:53
notmorganjamielennox: fwiw.00:53
jamielennoxnotmorgan: i've been off for a bit00:54
notmorganjamielennox: no worries i'm digging through it.00:54
bigjoolsis it just safest to leave the version in the url so both code paths work?00:54
notmorganbigjools: just don't add more entries with versions00:54
notmorganbigjools: also is this using keystone cli or as a lib00:54
notmorganbecause if it's the CLI, don't do that00:55
notmorganbigjools: use openstackclient00:55
bigjoolsI'm trying to get Rally to work00:55
jamielennoxbigjools: what i'd prefer is that you used the loading mechanisms00:55
notmorganjamielennox: i'll bet rally is just broken00:55
jamielennoxah, then you're stuck with what rally offers00:55
notmorganjamielennox: horribly00:55
bigjoolsquite :/00:55
notmorganjamielennox: like usual.00:55
notmorganbigjools: this might be a bug in rally then00:55
bigjoolsI was just trying to recreate a basic scenario and work out what I need to change in Rally code00:55
notmorganbigjools: where it uses the wrong loader(s)00:56
jamielennoxi did see there was a way to make rally work with v3 auth, but it's very much using their own way00:56
bigjoolsnotmorgan: I'm shocked :)00:56
notmorganbigjools: yeah figured.00:56
*** hogepodge has quit IRC00:56
bigjoolsDave passes his regards BTW00:56
notmorganbigjools: i very much dislike dealing with Rally because it's always "do something totally different than anywhere else"00:56
notmorganbigjools: dave?00:56
jamielennoxnotmorgan: i think i kind of gave up after http://boris-42.me/the-simplest-way-to-use-openstack-python-clients/00:56
bigjoolsDave L00:56
notmorganoh hah00:57
notmorganyeah have a drink with him for me00:57
jamielennoxnotmorgan: basically, ignore the shipped clients and use the rally clients00:57
notmorganjamielennox: *facepalm*00:57
notmorganSeriously?!. ok this makes me want to write rally off even more now.00:57
bigjoolsjamielennox: by loading mechanism you mean use the generic identity and client?00:57
jamielennoxbigjools: i've only recently started playing with rally, but i'd love it if someone fixed their auth loading00:58
notmorganjamielennox: i'll tack it onto my backlog of fixing insane things00:58
notmorganjamielennox: we need them on OCC/KSA anyway00:58
jamielennoxbigjools: no i mean, ksc gives a very specific mechanism for loading any authentication mechanism that the clients specify00:58
notmorganjamielennox: so, i can justify doing that work.00:58
bigjoolsI started writing my own test harness to DTRT.... took a back burner for now00:58
jamielennoxbigjools: as opposed to just assuming that we're going to want to use a password and it's either v2 or v300:58
*** hogepodge has joined #openstack-keystone00:59
jamielennoxbigjools: http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/00:59
notmorganjamielennox: you're not stale core are you?00:59
notmorganjamielennox: stable*00:59
jamielennoxrally uses its own configuration format, but the actual loaders are ~15 lines and rally could use the same concept to do its own loader from whatever format it uses01:00
jamielennoxnotmorgan: no01:00
bigjoolsjamielennox: super, thanks01:00
notmorganjamielennox: darn, trying to get a patch into stable/<something>01:00
notmorganbigjools: i promise i'll get around to working on rally things when i have a few other things cleaned up01:01
notmorganbigjools: unless you want to take a stab at fixing their awful auth loader01:01
bigjoolsnotmorgan: it's a depressing area01:01
notmorganwhich case, jamielennox and I will review it01:01
jamielennoxyea, i loaded up rally the other day and found this for the first time01:01
notmorgan[see i tossed jamielennox under the bus for that]01:01
bigjoolshaha01:01
jamielennoxso it's on my list too01:01
notmorganjamielennox: oh i do need you to review something tomorrow01:01
notmorgansec01:01
notmorganjamielennox: https://review.openstack.org/#/c/253793/ need you to toss a +1, we corrected your -1 issue01:02
bigjoolsit's fairly high priority for me to get this working so I'll get on it soon once I work out exactly what to change, I'm not that familiar with rally code01:02
notmorganbigjools: the rough part is... not many are01:02
bigjoolswell ChrisStP is core dev so....01:02
jamielennoxbigjools: in a just make it work way, you can definitely use v3 auth in rally like https://github.com/openstack/rally/blob/master/samples/deployments/existing-keystone-v3.json01:02
jamielennoxi have no idea what will/won't work there though01:03
bigjoolsjamielennox: I think I was getting 404 for that because our catalog URLs are versionless01:03
bigjoolslet me try again01:03
notmorganjamielennox: also.. https://review.openstack.org/#/c/274085/5/keystone/common/manager.py <--- scary extra tracing debug stuff01:03
jamielennoxbigjools: ah, i have no idea then what rally is using for version discovery01:04
bigjoolsindeed01:04
jamielennoxbigjools: i would almost bet that it's not the standard tools01:04
*** dims_ has quit IRC01:04
bigjoolsI think it's doing what I did in the bug above01:04
bigjoolsor similar01:04
*** fpatwa has joined #openstack-keystone01:04
jamielennoxnotmorgan: what was my -1?01:04
bigjoolsI traced the code through and it ends up with a url without the version at the POST01:05
notmorganjamielennox: using a private interface01:05
notmorganjamielennox: in opt handling01:05
jamielennoxoh, yea - that was an easy one01:05
notmorganyah01:05
notmorganjamielennox: the patch hasn't changed much since01:05
notmorganjust a bunch of rebase hell01:05
bigjoolsjamielennox: oh I just noticed that example config URL has v3 in it01:07
jamielennoxnotmorgan: for future, my comment on https://review.openstack.org/#/c/253793/22/nova/network/neutronv2/api.py01:09
*** davechen has joined #openstack-keystone01:12
notmorganjamielennox: yeah we figured that out01:14
*** fpatwa has quit IRC01:23
*** fpatwa has joined #openstack-keystone01:23
bigjoolshttp://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#authenticating-using-sessions01:28
bigjoolsI think that example is wrong01:28
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate simple_cert extension  https://review.openstack.org/27447901:30
notmorganstevemar: ^ more deprecations OMG.01:32
stevemarnotmorgan: we gotta deprecate all the pki crap from middleware01:37
notmorganstevemar: ksm != server ;)01:37
notmorganstevemar: but yes01:37
*** shoutm_ has quit IRC01:40
*** shoutm has joined #openstack-keystone01:42
*** davechen1 has joined #openstack-keystone01:45
*** markvoelker has joined #openstack-keystone01:47
*** davechen has quit IRC01:47
*** henrynash has quit IRC01:48
stevemarnotmorgan: hehe, yeah, i was just looking at ksm and was like... ughh... stupid pki args01:49
stevemarrather, config opt01:49
stevemars01:49
*** EinstCrazy has quit IRC01:50
notmorganstevemar: going to have another couple "make things not extensions" patches going up01:51
notmorganstevemar: in a few minutes.01:51
notmorganstevemar: as a heads up01:51
*** shoutm has quit IRC01:52
notmorganstevemar: because i want to smush in our authcontext stuff into the main Service entrie01:52
*** markvoelker has quit IRC01:52
notmorganso we can kill this horrible horrible horrible horrible test01:52
notmorgan    LookupError: No section 'ec2_extension_extension' (prefixed by 'filter') found in config /home/notmorgan/keystone/etc/keystone-paste.ini01:52
stevemarec2_extension_extension01:53
stevemarawesome01:53
*** boris-42 has quit IRC01:53
notmorganyeah doing admin/user_crud01:54
notmorganthen will hit S3 and then Ec201:54
stevemarthose last 2 will be tricky01:54
notmorganthen compress in AuthContext, JsonBody, etc01:54
notmorgannah01:54
notmorganwon't be hard01:54
notmorgan:)01:54
stevemarnotmorgan: i'm glad you're working on keystone server again :)01:54
stevemardeprecating and removing stuff is the fun part :)01:54
notmorganstevemar: i wish i could just rm -rf v2 things01:55
stevemarfirst step is done01:55
notmorganhm. how do i unstage just one file...01:55
notmorganugh01:55
notmorganoh well this patch will be slightly bigger than expected01:55
*** davechen has joined #openstack-keystone01:57
*** henrynash has joined #openstack-keystone01:57
*** ChanServ sets mode: +v henrynash01:57
*** shoutm has joined #openstack-keystone01:58
notmorganstevemar: and then i'll wander back off into trying to fix other projects too01:58
notmorganstevemar: land.01:58
*** roxanaghe has joined #openstack-keystone01:59
stevemarnotmorgan: update https://github.com/openstack/keystone/blob/master/releasenotes/notes/extensions-to-core-a0d270d216d47276.yaml for simple cert02:00
*** davechen1 has quit IRC02:00
notmorganstevemar: mind if i do it as a followup for all of these?02:00
*** tonytan4ever has joined #openstack-keystone02:00
stevemarsure02:00
* notmorgan is a bit deep in the chain atm.02:00
stevemarjust a reminder02:00
notmorganstevemar: fwiw TRACE debugger is proposed, please poke at it02:01
notmorganstevemar: and i think we've resolved all the outstanding issues on the Cacher02:01
stevemarnotmorgan: *nod*02:01
notmorganstevemar: and the revert for token things on stable/kilo needs another stable core02:01
notmorganstevemar: i pushed the liberty one since brant's -1 was a comment fix he fixed02:02
notmorganand it had your +2 and then his.02:02
notmorgansplit across a comment-fix patch02:02
*** dims has joined #openstack-keystone02:02
stevemarnotmorgan: thanks for that, there are 5 more stable patches that can be punted through02:03
stevemarhttps://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/liberty02:03
stevemarthen i will finally be able to release a new liberty version!02:03
stevemarnotmorgan: also, the revert... https://review.openstack.org/#/c/265019/02:04
notmorgani'll smack the ksm options and such for pki once i'm done with ec2 ick02:04
notmorganstevemar: you know what is exciting...02:04
stevemarnotmorgan: i'll work on that tonight02:04
stevemarnotmorgan: nope, what?02:04
notmorganstevemar: if i can get everything behind a single API host...02:05
notmorganEC2 middleware can do 100% of the auth for the request02:05
notmorganno need to EC2 -> token -> request02:05
*** roxanaghe has quit IRC02:06
notmorganas in.. we can just verify EC2 things and cleanup the ksm ec2 thing02:06
notmorgana lot02:06
*** shoutm_ has joined #openstack-keystone02:07
*** shoutm has quit IRC02:08
stevemaryeah, if the ec2 middleware even works :\02:08
*** fpatwa has quit IRC02:09
*** shoutm has joined #openstack-keystone02:11
*** shoutm_ has quit IRC02:11
*** dims has quit IRC02:12
*** tonytan4ever has quit IRC02:12
*** dims has joined #openstack-keystone02:12
*** tonytan4ever has joined #openstack-keystone02:13
*** dims has quit IRC02:13
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate simple_cert extension  https://review.openstack.org/27447902:14
notmorgancrap.02:16
notmorgani need to unstage that and re-stage it... ugggghhhhh02:16
*** tonytan4ever has quit IRC02:18
*** tonytan4ever has joined #openstack-keystone02:18
*** tonytan4ever has joined #openstack-keystone02:19
*** fpatwa has joined #openstack-keystone02:20
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate simple_cert extension  https://review.openstack.org/27447902:26
openstackgerritMorgan Fainberg proposed openstack/keystone: Move user and admin crud to core  https://review.openstack.org/27448902:26
*** Nirupama has joined #openstack-keystone02:32
*** tonytan4ever has quit IRC02:37
*** boris-42 has joined #openstack-keystone02:38
*** su_zhang has quit IRC02:55
*** fpatwa has quit IRC02:57
*** shoutm has quit IRC03:13
*** LZ has quit IRC03:15
*** shoutm has joined #openstack-keystone03:22
*** roxanaghe has joined #openstack-keystone03:31
*** roxanaghe has quit IRC03:37
*** links has joined #openstack-keystone03:46
*** markvoelker has joined #openstack-keystone03:47
*** EinstCrazy has joined #openstack-keystone03:51
*** markvoelker has quit IRC03:52
*** EinstCrazy has quit IRC03:58
*** shoutm_ has joined #openstack-keystone04:03
*** shoutm has quit IRC04:03
*** roxanaghe has joined #openstack-keystone04:06
*** links has quit IRC04:19
*** roxanaghe has quit IRC04:40
*** fpatwa has joined #openstack-keystone04:49
*** links has joined #openstack-keystone04:53
*** chlong has quit IRC05:05
*** roxanaghe has joined #openstack-keystone05:16
*** chlong has joined #openstack-keystone05:17
*** jasonsb has joined #openstack-keystone05:21
*** chlong has quit IRC05:25
*** jasonsb has quit IRC05:25
*** jasonsb has joined #openstack-keystone05:29
*** shoutm_ has quit IRC05:29
*** Nirupama has quit IRC05:30
*** chlong has joined #openstack-keystone05:38
*** josecastroleon1 has joined #openstack-keystone05:41
*** DuncanT_ has joined #openstack-keystone05:42
*** darrenc_ has joined #openstack-keystone05:43
*** fpatwa_ has joined #openstack-keystone05:43
*** Tridde_ has joined #openstack-keystone05:44
*** Nakato_ has joined #openstack-keystone05:44
*** gus_ has joined #openstack-keystone05:45
*** Anticime1 has joined #openstack-keystone05:45
*** lifeless_ has joined #openstack-keystone05:45
*** tobasco_ has joined #openstack-keystone05:47
*** davechen1 has joined #openstack-keystone05:48
*** markvoelker has joined #openstack-keystone05:48
*** med_ has joined #openstack-keystone05:48
*** med_ is now known as Guest8071105:49
*** fpatwa has quit IRC05:49
*** davechen has quit IRC05:49
*** Anticimex has quit IRC05:49
*** DuncanT has quit IRC05:49
*** _fortis has quit IRC05:49
*** lifeless has quit IRC05:49
*** mgagne has quit IRC05:49
*** agireud has quit IRC05:49
*** dtroyer has quit IRC05:49
*** Guest65103 has quit IRC05:49
*** errr_ has quit IRC05:49
*** josecastroleon has quit IRC05:49
*** tobasco has quit IRC05:49
*** john5223 has quit IRC05:49
*** comstud has quit IRC05:49
*** Tridde has quit IRC05:49
*** gus has quit IRC05:49
*** jamielennox has quit IRC05:49
*** Nakato has quit IRC05:49
*** darrenc has quit IRC05:49
*** d34dh0r53 has quit IRC05:49
*** dolphm has quit IRC05:49
*** eglute has quit IRC05:49
*** cloudnull has quit IRC05:49
*** sigmavirus24_awa has quit IRC05:49
*** mgagne_ has joined #openstack-keystone05:49
*** dolphm has joined #openstack-keystone05:50
*** dtroyer has joined #openstack-keystone05:50
*** DuncanT_ is now known as DuncanT05:51
*** agireud has joined #openstack-keystone05:51
*** d34dh0r53 has joined #openstack-keystone05:52
*** tobasco_ has quit IRC05:52
*** comstud has joined #openstack-keystone05:52
*** tobasco has joined #openstack-keystone05:52
*** markvoelker has quit IRC05:53
*** sigmavirus24_awa has joined #openstack-keystone05:55
*** eglute has joined #openstack-keystone05:55
*** _fortis_ has joined #openstack-keystone05:55
*** errr_ has joined #openstack-keystone05:57
*** shoutm has joined #openstack-keystone06:05
*** jamielennox|away has joined #openstack-keystone06:07
*** jamielennox|away is now known as jamielennox06:07
*** ChanServ sets mode: +v jamielennox06:07
*** _fortis_ is now known as _fortis06:07
*** jasonsb has quit IRC06:08
*** su_zhang has joined #openstack-keystone06:09
*** davechen1 is now known as davechen06:10
stevemarnotmorgan: why am i not seeing the trace logs :\06:15
*** roxanaghe has quit IRC06:23
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235806:36
*** cloudnul- has joined #openstack-keystone06:39
*** Nakato_ has quit IRC06:40
*** chlong has quit IRC06:41
*** Nirupama has joined #openstack-keystone06:42
*** Nakato has joined #openstack-keystone06:42
*** shoutm has quit IRC06:43
*** chlong has joined #openstack-keystone06:46
*** jasonsb has joined #openstack-keystone06:47
*** cloudnul- is now known as cloudnull06:51
*** fpatwa_ has quit IRC06:52
*** EinstCrazy has joined #openstack-keystone06:56
openstackgerritRen Qiaowei proposed openstack/keystone: Replace exit() by sys.exit()  https://review.openstack.org/27451906:58
*** gildub has quit IRC07:01
*** Nirupama has quit IRC07:01
*** EinstCrazy has quit IRC07:03
*** jasonsb has quit IRC07:08
*** shoutm has joined #openstack-keystone07:16
*** shoutm has quit IRC07:18
*** richm has joined #openstack-keystone07:20
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Use extras for memcache, messaging and crypto dependencies  https://review.openstack.org/27440007:25
*** jaosorior has joined #openstack-keystone07:26
*** jaosorior has quit IRC07:26
*** jaosorior has joined #openstack-keystone07:27
notmorganstevemar: did you enable Trace level in keystone?07:29
notmorganstevemar: if you don't specifically set log levels to trace you won't see 'em07:30
stevemarnotmorgan: probably not :O07:30
stevemarnotmorgan: in the oslo.log setting?07:30
notmorganstevemar: trace is < Debug07:30
stevemarnotmorgan: yeah07:30
notmorganso you'll need to set the logger levels to Trace then.07:30
notmorgani also expect that trace logging to slow everything down massively07:30
notmorganas trace logging is wont to do07:30
stevemarnotmorgan: i could have figured it out, just wanted to complain that there is no docs :P07:31
notmorgandocs are hard.07:31
notmorgani have code to rip out/deprecate :P07:31
stevemardocs are fun!07:32
stevemari have 4 people sending me emails about federation07:32
* notmorgan lets stevemar write all the docs07:32
stevemarone is even a follow up07:32
* stevemar feels like replying with https://twitter.com/stevebot/status/66744493114171801807:33
*** shoutm has joined #openstack-keystone07:34
notmorganstevemar: HTTP 40207:35
notmorganstevemar: so.. while i don't like that it's not IANA recognized... and IIS specific... https://en.wikipedia.org/wiki/HTTP_403#403_substatus_error_codes_for_IIS07:36
notmorganstevemar: having something defined semi-like that would be nice for our errors where we can [not security issue]07:36
stevemarsub error codes?07:38
notmorganjust well defined error codes that are included with the HTTP ones07:38
* stevemar gives morgan a crazy look07:38
stevemarokay that's different :P07:38
stevemardefined error codes are OK07:38
notmorganit's IIS' way of doing that07:38
stevemarfictional http codes ...07:38
stevemar:)07:38
notmorganand communicating it to the client07:39
stevemari'm just teasing you, it's not terrible, but probably something that needs x-project approval07:41
*** jaosorior has quit IRC07:41
notmorganor we just start defining our errors07:41
stevemarnotmorgan: oh oh, liberty backports if you have a few minutes... https://review.openstack.org/#/q/project:openstack/keystone+branch:stable/liberty+status:open hoping to get that and ksm out early this week07:41
notmorganugh i can't get on corp VPN :(07:42
stevemaror i can bug dolph07:42
* notmorgan glares at ubuntu...07:42
*** RA_ has quit IRC07:44
notmorganstevemar: translations?07:44
notmorgani'd just single-core those07:44
notmorganfwiw07:44
notmorganstevemar: in fact... i try to always just single core those through07:44
notmorganguess i missed the liberty ones07:44
stevemarnotmorgan: yeah, wasn07:45
stevemarnotmorgan: wasn't 100% on what the policy was for backporting translation07:45
stevemarlooks like it's open season07:45
notmorganhave i mentioned what a trainwreck the new gerrit interface is?07:45
notmorganstevemar: nah, zanata does that now for liberty07:45
notmorganwas a deliberate choice iirc07:46
*** chlong has quit IRC07:46
notmorganbut meh, if the bot posted it we can always revert it.07:46
notmorganif it was an individual posting it i'd have squashed it and said no07:46
notmorgani hate our LDAP code..07:48
*** markvoelker has joined #openstack-keystone07:49
notmorganstevemar: i don't see a point to https://review.openstack.org/#/c/274140/1/keystone/tests/unit/test_validation.py07:50
notmorganbackporting just tests seems odd07:51
stevemarnotmorgan: it has a dependent patch07:51
stevemarnotmorgan: just easier to backport that one too, instead of all the conflicts07:51
stevemarnotmorgan: the conflicts were ... problematic07:52
stevemarnotmorgan: bknudson and i decided to just backport the patch that fixed up the tests07:52
notmorganmeh07:53
notmorganok07:53
*** markvoelker has quit IRC07:54
stevemarand now i need to sleep07:54
stevemari'll get to this mountain of work tomorrow07:54
*** belmoreira has joined #openstack-keystone07:55
*** sinese has joined #openstack-keystone08:09
*** gildub has joined #openstack-keystone08:09
*** mkoderer has quit IRC08:14
*** su_zhang has quit IRC08:23
*** rcernin has joined #openstack-keystone08:26
*** shoutm has quit IRC08:28
*** d0ugal_ has quit IRC08:30
*** d0ugal has joined #openstack-keystone08:30
*** Nirupama has joined #openstack-keystone08:31
*** richm has quit IRC08:51
*** richm has joined #openstack-keystone08:52
*** fpatwa has joined #openstack-keystone08:53
*** davechen has left #openstack-keystone08:56
*** fpatwa has quit IRC08:57
*** fhubik has joined #openstack-keystone08:59
*** fhubik has quit IRC09:08
*** richm has quit IRC09:20
*** jistr has joined #openstack-keystone09:20
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947909:23
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947909:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947909:25
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947909:26
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343809:27
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947909:27
*** fhubik has joined #openstack-keystone09:35
*** richm has joined #openstack-keystone09:37
*** fhubik is now known as fhubik_brb09:41
*** fhubik_brb is now known as fhubik09:41
*** markvoelker has joined #openstack-keystone09:50
*** ramishra_ is now known as ramishra09:53
*** mhickey has joined #openstack-keystone09:53
*** markvoelker has quit IRC09:54
*** gpaz has joined #openstack-keystone09:56
*** shoutm has joined #openstack-keystone10:00
*** vgridnev has joined #openstack-keystone10:02
*** openstackgerrit has quit IRC10:02
*** openstackgerrit_ has joined #openstack-keystone10:02
*** openstackgerrit_ has quit IRC10:03
gpazHi guys, I'm working on a different project but I'm seeing some strange behavior of keystone endpoint-list. I'm installing Murano with puppet and as part of the installation Murano is registering as a service & endpoint on Keystone. I do see the record in the endpoint DB but column legacy_endpoint_id is NULL and as a result when I'm doing endpoint-list the endpoint is not returned (Login with postman to OS do return the endpoin10:04
*** EinstCrazy has joined #openstack-keystone10:04
*** richm has quit IRC10:06
*** mkoderer__ has joined #openstack-keystone10:21
*** daemontool_ has joined #openstack-keystone10:25
*** daemontool has quit IRC10:28
*** marekd has quit IRC10:34
*** gildub has quit IRC10:36
*** marekd has joined #openstack-keystone10:42
*** asimov.freenode.net sets mode: +v marekd10:42
*** fpatwa has joined #openstack-keystone10:54
*** fhubik is now known as fhubik_brb10:56
*** fpatwa has quit IRC10:59
*** fhubik_brb is now known as fhubik11:03
*** su_zhang has joined #openstack-keystone11:03
*** richm has joined #openstack-keystone11:07
*** su_zhang has quit IRC11:08
*** dims has joined #openstack-keystone11:09
*** mhickey has quit IRC11:15
*** davechen has joined #openstack-keystone11:15
*** lifeless_ is now known as lifeless11:17
*** RA_ has joined #openstack-keystone11:19
*** fhubik is now known as fhubik_brb11:21
*** davechen has quit IRC11:25
*** davechen has joined #openstack-keystone11:29
*** mhickey has joined #openstack-keystone11:30
*** mvk has quit IRC11:32
*** jaosorior has joined #openstack-keystone11:36
*** clenimar has joined #openstack-keystone11:37
*** mvk has joined #openstack-keystone11:49
*** john5223 has joined #openstack-keystone11:50
*** markvoelker has joined #openstack-keystone11:50
*** fpatwa has joined #openstack-keystone11:53
*** openstackgerrit has joined #openstack-keystone11:53
*** iurygregory has joined #openstack-keystone11:53
*** openstackgerrit has quit IRC11:54
*** openstackgerrit_ has joined #openstack-keystone11:54
*** openstackgerrit_ is now known as openstackgerrit11:55
*** markvoelker has quit IRC11:55
*** fpatwa has quit IRC11:55
*** davechen has quit IRC11:56
*** davechen has joined #openstack-keystone11:56
*** openstackgerrit has quit IRC11:59
*** davechen has left #openstack-keystone12:01
*** raildo-afk is now known as raildo12:05
*** openstackgerrit has joined #openstack-keystone12:07
*** pauloewerton has joined #openstack-keystone12:11
*** tellesnobrega_af is now known as tellesnobrega12:12
*** tellesnobrega has left #openstack-keystone12:13
*** rodrigods has quit IRC12:13
*** rodrigods has joined #openstack-keystone12:13
*** gordc has joined #openstack-keystone12:16
*** fpatwa has joined #openstack-keystone12:18
*** jaosorior has quit IRC12:21
*** jaosorior has joined #openstack-keystone12:21
*** fhubik_brb is now known as fhubik12:36
*** doug-fish has joined #openstack-keystone12:42
gpazsomeone can advise please ?12:43
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343812:51
*** markvoelker has joined #openstack-keystone12:51
*** markvoelker has quit IRC12:56
*** Anticime1 is now known as Anticimex12:58
*** fpatwa has quit IRC13:00
*** jaosorior has quit IRC13:00
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485413:05
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343813:05
*** dims has quit IRC13:06
*** dims has joined #openstack-keystone13:09
*** xek__ is now known as xek13:12
*** markvoelker has joined #openstack-keystone13:14
*** pauloewerton has quit IRC13:14
*** pauloewerton has joined #openstack-keystone13:15
*** edmondsw has joined #openstack-keystone13:15
*** fhubik is now known as fhubik_brb13:19
*** fhubik_brb is now known as fhubik13:21
*** fhubik has quit IRC13:21
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343813:23
*** sinese has quit IRC13:29
*** sinese has joined #openstack-keystone13:31
*** mvk has quit IRC13:32
*** sinese has quit IRC13:37
*** sinese has joined #openstack-keystone13:37
openstackgerritDavid Stanek proposed openstack/keystone: Raise more precise exception on keyword mapping errors  https://review.openstack.org/17598013:42
*** ninag has joined #openstack-keystone13:44
*** mvk has joined #openstack-keystone13:46
*** su_zhang has joined #openstack-keystone13:51
*** bill_az has joined #openstack-keystone14:04
*** ayoung has joined #openstack-keystone14:06
*** ChanServ sets mode: +v ayoung14:06
ayoungdstanek, notmorgan henrynash, can you +2 the Implied Role API please?  I won't https://review.openstack.org/#/c/242614/  It's time.  73 revisions is quite a lot.14:08
ayoungSince Nov 6...3 months on this effort.14:09
*** amakarov has joined #openstack-keystone14:12
*** fawadkhaliq has joined #openstack-keystone14:17
marekdstevemar: bknudson  dstanek: so i am writing an db upgrade script where i would like to add a FK to an existing table that was added on earlier upgrade script. Right now I get an error: "sqlalchemy.exc.NoReferencedTableError: Foreign key associated with column 'service_providers_group_members.service_provider_id' could not find table 'service_provider' with which to generate a foreign key to14:17
marekdtarget column 'id'14:17
marekd"14:17
*** fawadkhaliq has quit IRC14:18
marekdany idea on how to make my migration script aware of that table?14:18
bknudsonwhat database are you using? mysql?14:18
*** fawadkhaliq has joined #openstack-keystone14:20
amakarovstevemar, ayoung: hi! I'm about to submit a summit presentation as a preview to unified delegations. Is there any, or somebody may be willing to join?14:20
marekduh, 20 minutes of code search, a question to you and 5 secs later i found it14:21
marekdsp_table = sql.Table('service_provider', meta, autoload=True) <--- something like that will be enough14:21
*** Nirupama has quit IRC14:28
*** jsavak has joined #openstack-keystone14:31
*** Ephur has joined #openstack-keystone14:34
*** Ephur has quit IRC14:34
*** Ephur has joined #openstack-keystone14:36
*** RA_ has quit IRC14:40
*** Ephur has quit IRC14:41
*** AJaeger has joined #openstack-keystone14:44
AJaegernotmorgan: are you around to discuss https://review.openstack.org/270370 ?14:45
AJaegerIs there any keystoneclient core that can review and approve https://review.openstack.org/#/c/273510/ , please? This is part of a translation setup consolidation14:46
*** daemontool has joined #openstack-keystone14:47
*** daemontool_ has quit IRC14:47
*** daemontool has quit IRC14:53
*** csoukup_ has quit IRC14:53
ayoungamakarov, I'd be happy to join14:54
ayoungamakarov, I think today is the deadline, so make it fast.  I have an account there already14:54
notmorganAJaeger: hey14:54
amakarovayoung, already doing )14:54
*** mvk has quit IRC14:55
ayoungamakarov, cool.  That will be great to have14:55
notmorganAJaeger: yea happy to approve that14:55
AJaegerhey, notmorgan. could you reconsider your -1, please? We're not gating on argparse anymore and python 2.6 has been removed from that repository already some time ago14:55
amakarovayoung, what's your email there?14:55
AJaegernotmorgan: 270370 or 273510 - or both? ;)14:56
notmorganAJaeger: the argparse one was a soft -114:56
*** fpatwa has joined #openstack-keystone14:56
notmorganAJaeger: and i am ok with that going through14:56
ayoungamakarov, ayoung@redhat.com14:56
notmorganthe other one is easy14:56
amakarovayoung, ack14:56
AJaegerthanks, notmorgan !14:56
ayoungamakarov, https://www.openstack.org/summit/austin-2016/call-for-speakers/manage/6873/speakers14:56
notmorganAJaeger: done and done14:57
AJaegerthanks, notmorgan14:58
*** KarthikB has joined #openstack-keystone14:58
ayoungamakarov, I need to plus up that submission on "Why we are killing the PKI token format" if I want it seriously considered.14:58
ayoungI might just drop that if you are putting in a better one on RBAC14:59
ayounger...unified delegation.14:59
* notmorgan is actually fairly happy to not have any pending talks this time around [again]14:59
*** daemontool has joined #openstack-keystone14:59
*** rderose has joined #openstack-keystone14:59
amakarovayoung, I suppose the talk description will be editable for some time :)15:00
ayoungamakarov, send me a link when you have it in, and I can provide some feedback15:00
notmorganomg15:06
notmorgannova now uses ksa not ksc!!15:06
notmorganfinally bloody landed15:06
* notmorgan is happy!15:06
*** mvk has joined #openstack-keystone15:07
*** shoutm has quit IRC15:08
*** KarthikB has quit IRC15:08
amakarovayoung, https://www.openstack.org/summit/austin-2016/call-for-speakers/manage/8201/15:08
*** sigmavirus24_awa is now known as sigmavirus2415:09
amakarovayoung, can you see it?15:09
amakarovLink should be working, and I haven't submitted it yet15:09
*** ChanServ sets mode: +o dolphm15:10
ayoungamakarov, "You can't edit this presentation" so it is there but I can't see it15:10
ayoungamakarov, submit it, and there will be an option to edit the speakers list15:11
amakarovayoung, right: I see the same for yours15:11
ayoungyou can then continue to edit the presentation up until the end of the day today (I assume)15:11
amakarovI've already added you15:11
amakarovayoung, https://etherpad.openstack.org/p/unified-delegation-austin-presentation15:16
*** woodster_ has joined #openstack-keystone15:16
amakarovayoung, let's do it this way )15:16
*** alejandrito has joined #openstack-keystone15:17
ayoungamakarov, focus on getting the presentation submitted on the link.  There are a lot of fields there now15:18
amakarovayoung, it says an email is sent to you15:19
ayoungamakarov, looking15:19
amakarovayoung, well, it's still editable15:19
lbragstadnotmorgan ping15:22
lbragstadnotmorgan wondering if you could double check something for me?15:22
*** slberger has joined #openstack-keystone15:24
*** AJaeger has left #openstack-keystone15:24
*** links has quit IRC15:24
ayoungamakarov, I made some quick changes, take a look.  I need to head to the city for a meeting, but I'll check back in in a few.15:26
amakarovayoung, got it15:26
*** csoukup_ has joined #openstack-keystone15:28
*** timcline has joined #openstack-keystone15:28
*** jorge_munoz has joined #openstack-keystone15:29
*** ayoung has quit IRC15:30
*** fpatwa has quit IRC15:32
*** richm has quit IRC15:33
*** fpatwa_ has joined #openstack-keystone15:34
dolphmooh, at some point testr grew an --until-failure option, to loop the test suite until you trigger a transient failure15:37
notmorganlbragstad: yeah15:41
notmorganlbragstad: what ya need?15:42
lbragstadtoken provider stuff15:43
lbragstadnotmorgan so - i'm tracing the call paths for both v2 and v3 validate token15:43
notmorganlbragstad: and?15:44
notmorganbesides the insanity that we've slooooowly been cleaning up15:44
lbragstadv2 validate starts in keystone/token/routers.py -> keystone/token/controllers.py:validate_token() -> keystone/token/provider.py:validate_v2_token()15:44
lbragstadyeah15:45
lbragstadand then v3 goes like:15:45
lbragstadkeystone/auth/routers.py -> keystone/auth/controllers.py:validate_token() -> keystone/token/provider.py:validate_v3_token()15:46
dolphmmgagne_: would love to hear your feedback on https://review.openstack.org/#/c/272007/ - it should eliminate *all* redundant sql queries15:46
lbragstadso, from a v2 and v3 validate token path, it doesn't look like https://github.com/openstack/keystone/blob/c5ed8bd81e776746c7ea2d0df6c8b40409097706/keystone/token/provider.py#L204-L211 is used at all?15:47
notmorgandolphm: not on list queries and only things we currently cache (not 100% coverage)15:47
notmorganmgagne_: ^ cc15:47
notmorganlbragstad: looking15:47
lbragstad^ that method looks like its only purpose is to be able to pass a uuid token to it - and it will validate it regardless of it being v2 or v3 format15:48
dolphmnotmorgan: with the exception of service providers, we should never list things more than once though, ever... right?15:48
notmorgandolphm: i would hope so, it should be list from an end user request15:48
dolphmand service providers is an exception because the federation code just does something wonky trying to populate the token15:48
notmorganalso... i have a patch proposed to dogpile.cache that will allow us to cache with kwargs15:48
notmorganvs always positional... which will let us cleanup stuff/make it easier.15:49
dolphmnotmorgan: you also misspelled requst in the commit summary *shrug*15:49
notmorgandolphm: lol. typo =/15:49
*** mgarza_ has joined #openstack-keystone15:49
notmorganlbragstad: so... let me check this is where i start needing to do grep. because ... ugh15:49
lbragstadnotmorgan yeah - i had to whiteboard it :-/15:50
notmorganoh i need to stash these changes.. have a change that is 90% done to deprecate admin_token_auth15:50
dolphmnotmorgan: i'm also considering this for backporting to stable/liberty -- it does not apply cleanly, and you've got a Depends-On which does not seem critical (more like a related change-id ?)15:50
*** richm has joined #openstack-keystone15:51
lbragstadI *think* I have an idea of what's going on - it looks like self.token_provider_api.validate_token() was introduced to replace the validate_v3_token and validate_v2_token stuff15:51
dolphmnotmorgan: otherwise, i can't think of a reason not to backport. thoughts?15:51
notmorgandolphm: it wont apply cleanly, but it is possible to backport15:51
notmorgandolphm: and the dependson was specifically to ensure testing was against a full cache stack15:51
notmorganmemcache both endpoints and in keystone15:52
notmorganso it can be dropped for backport purposes15:52
dolphmnotmorgan: but it's totally useful without the devstack patch15:52
dolphmin prod15:52
dolphmnotmorgan: worth putting a comment in the backported commit message about why the Depends-On was dropped15:52
*** daemontool_ has joined #openstack-keystone15:52
notmorgandolphm: it is. this was because i had 3 variations going15:53
notmorganthe dependson could have been dropped anyway15:53
notmorganlbragstad: ok still chasing this... wow... i can't wait for this to be cleaned up15:54
*** daemontool has quit IRC15:54
lbragstadnotmorgan yeah15:54
lbragstadnotmorgan i think we can get there soon though15:54
notmorganlbragstad: uh15:55
notmorganlbragstad: looks like it's used in the auth plugin15:55
lbragstadnotmorgan exactly - that and in the federated controller15:55
*** Ephur has joined #openstack-keystone15:55
notmorganyep15:55
notmorganand mapped auth plugin15:55
lbragstadthe federated controller should just use self.token_provider_api.validate_v3_token()15:56
lbragstadright?15:56
lbragstador...15:56
*** browne has joined #openstack-keystone15:56
notmorgan_build_policy_check_credentials in keystone.common.controller15:56
notmorgankeystone.contrib.user_crud.core.UserController.set_user_password15:56
lbragstadnotmorgan the issue with that design and fernet is that token_provider_api.validate_token relies on the fact the token is persisted somewhere15:57
notmorganfederation controller15:57
notmorganlbragstad: right.15:57
lbragstadnotmorgan so - could we add a kwarg to that method?15:57
notmorganwhat would the kwarg do?15:57
lbragstadtoken_provider_api.validate_token(version=None)15:57
lbragstadwhere we can pass in V2 or V3?15:57
lbragstadfrom all of these different places?15:58
notmorganwell federation is easy, move it to always use the v3 version15:58
*** rcernin has quit IRC15:58
lbragstadnotmorgan wasn't the goal of token_provider_api.validate_token() to remove calling validate_v*_token directly?15:58
lbragstadthat way we only end up with a single validate_token call?15:59
notmorganlbragstad: originally i think so.15:59
lbragstadnotmorgan ah15:59
notmorganlbragstad: but adding kwargs feels like a dodge15:59
lbragstadnotmorgan yeah15:59
lbragstadnotmorgan do you think we'll always have a dodge as long as we support v2 token types?15:59
*** richm has quit IRC15:59
notmorgantrying to think what the fall out of adding a kwarg ends up being16:00
notmorgani really want to avoid encoding a "use X version of the token"16:00
lbragstadtrue16:00
notmorganso, lets step back16:00
notmorganinternally we don't care what the token version is16:00
notmorganso lets always validate to v3 - and in the specific cases we need to, we have a v3->v2 method, we can translate.16:02
*** jsavak has quit IRC16:02
lbragstadnotmorgan so - change everything to use token_provider_api.validate_v3_token?16:02
notmorganthe controller is in charge of "rendering"16:02
*** ninag has quit IRC16:02
*** jsavak has joined #openstack-keystone16:03
*** ninag has joined #openstack-keystone16:03
notmorganor just make .validate always use v3 and stop using .validate_vX_token16:03
*** fawadkhaliq has quit IRC16:03
notmorgan.validate is in charge of collecting the raw token data, controller is in charge of rendering16:03
lbragstadso - token_provider_api.validate_token is just a wrapper for validate_v3_token16:03
notmorganbasically16:03
lbragstadhmm ok16:04
notmorganand we make the validate_v2_token do validate_v3 + translate16:04
notmorganand deprecate it16:04
notmorganlong term: validate to a plain data format and then "render" to the version16:05
lbragstadok16:05
*** ninag has quit IRC16:05
lbragstadnow i'm wondering if this needs to be done before the rest of the fernet consolidation?16:05
*** ninag has joined #openstack-keystone16:06
notmorgani'd consolidate and call the .validate_VX methods16:06
notmorganthen continue with the cleanup16:06
notmorganmove to fernet is more important than internal cleanup that we've been living with16:06
lbragstadok16:06
notmorganrestructuring code and how we handle tokens internally is going to be more work and conflict with lots of things16:07
*** vgridnev has quit IRC16:07
notmorganlbragstad: be sure to put some TODOs and NOTEs in when you change it over16:08
tpeoplesI have a service that is trying to instantiate a number of clients (nova, neutron, keystone, etc.).  I was trying to use keystoneauth1.loading to load a session from my service's keystone_auth CONF group, but keep running into duplicate opt errors.  Should I instead be using keystoneclient's auth / session libraries?16:08
openstackgerritMerged openstack/keystoneauth: Remove argparse from requirements  https://review.openstack.org/27037016:08
lbragstadnotmorgan will do16:08
lbragstadnotmorgan the consolidation of v2 token validate is the only patch not passing16:09
notmorganlbragstad: cool.16:09
lbragstadconsolidation of validate v3 and issue v2 are passing16:09
lbragstadand ready for review16:09
*** belmoreira has quit IRC16:10
*** sinese has quit IRC16:11
*** alexvictorchan has quit IRC16:12
*** henrynash has quit IRC16:14
*** richm has joined #openstack-keystone16:16
*** esp has quit IRC16:16
*** samueldmq has quit IRC16:18
*** anteaya has quit IRC16:18
dolphmnonameentername: if you're not working on a revision to the totp spec at the moment, i'd be happy to address the outstanding concerns https://review.openstack.org/#/c/130376/16:24
*** diazjf has joined #openstack-keystone16:25
*** mvk has quit IRC16:26
*** diazjf has quit IRC16:30
*** jistr has quit IRC16:33
*** diazjf has joined #openstack-keystone16:34
openstackgerritDolph Mathews proposed openstack/pycadf: Add docstring validation  https://review.openstack.org/23025716:36
*** sigmavirus24 is now known as sigmavirus24_awa16:39
*** rcernin has joined #openstack-keystone16:40
*** sigmavirus24_awa is now known as sigmavirus2416:41
*** daemontool has joined #openstack-keystone16:42
*** pushkaru has joined #openstack-keystone16:42
*** daemontool_ has quit IRC16:44
*** mhickey has quit IRC16:45
*** fpatwa_ has quit IRC16:46
*** henrynash has joined #openstack-keystone16:53
*** ChanServ sets mode: +v henrynash16:53
stevemardolphm: please do16:54
*** alexvictorchan has joined #openstack-keystone16:55
*** jasonsb has joined #openstack-keystone16:57
dolphmstevemar: just wanted to make sure i'm not doing work in parallel with him16:58
openstackgerritDolph Mathews proposed openstack/keystone: Test revocation race conditions  https://review.openstack.org/22799516:59
stevemardolphm: ack16:59
dolphmlbragstad: notmorgan: do we still need / want this after last week? https://review.openstack.org/#/c/227995/16:59
*** EinstCrazy has quit IRC16:59
lbragstaddolphm that and https://review.openstack.org/#/c/243742/17:00
dolphmlbragstad: so, yes?17:00
stevemardolphm: in my mind, the other spec directories should be for things like: removing CLI support, adding a new middleware, not just adding support to our server side bits17:00
dolphmstevemar: fair enough - but it doesn't seem like anyone knows where the line is17:01
lbragstaddolphm I think both of those are conditional based on notmorgan's discussion with mtreinish17:01
stevemardolphm: yeah, i'll admit it isn't clear17:02
notmorganand mtreinish is at LCA17:02
*** diazjf has quit IRC17:02
*** rcernin has quit IRC17:02
*** richm has quit IRC17:02
lbragstadnotmorgan so - he's about 17 hours ahead of me and 15 hours ahead of you17:03
notmorganyeah17:03
*** diazjf has joined #openstack-keystone17:03
openstackgerritMerged openstack/keystone: Raise more precise exception on keyword mapping errors  https://review.openstack.org/17598017:03
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414917:04
openstackgerritHenrique Truta proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591617:04
*** EinstCrazy has joined #openstack-keystone17:04
lbragstadnotmorgan so maybe at 2 - 3 your time he will be on17:05
lbragstad2 - 3 pm17:05
*** vgridnev has joined #openstack-keystone17:05
*** browne has quit IRC17:10
*** jgriffith_away is now known as jgriffith17:16
*** su_zhang has quit IRC17:16
*** gyee has joined #openstack-keystone17:17
*** ChanServ sets mode: +v gyee17:17
*** richm has joined #openstack-keystone17:19
*** _cjones_ has joined #openstack-keystone17:20
openstackgerritDolph Mathews proposed openstack/keystone-specs: Time-based One-time Password  https://review.openstack.org/13037617:25
dolphmlbragstad: nonameentername: stevemar: ^17:27
dolphmadded a new paragraph to the problem description to better illustrate the spec vs the new MFA spec, but otherwise it's just small fixes as requested17:27
*** diazjf has quit IRC17:28
*** mgagne_ has quit IRC17:32
*** mgagne_ has joined #openstack-keystone17:32
*** diazjf has joined #openstack-keystone17:32
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947917:33
*** sinese has joined #openstack-keystone17:33
*** mgagne_ is now known as mgagne17:34
lbragstaddolphm spec failed tests - one line was too long17:36
*** Guest70118 is now known as tsymanczyk17:37
*** diazjf has quit IRC17:37
*** itlinux has joined #openstack-keystone17:46
*** diazjf has joined #openstack-keystone17:51
*** jgriffith is now known as jgriffith_away17:51
gyeemordred, notmorgan, when will be expecting a os-client-config release now that the domain-scoped token issue is fixed?17:52
*** esp has joined #openstack-keystone17:58
*** ninag has quit IRC17:59
*** ninag has joined #openstack-keystone17:59
*** browne has joined #openstack-keystone18:00
*** ninag_ has joined #openstack-keystone18:01
*** ninag has quit IRC18:04
*** jaosorior has joined #openstack-keystone18:05
*** esp has quit IRC18:05
*** ninag_ has quit IRC18:09
*** jasonsb has quit IRC18:09
*** ninag has joined #openstack-keystone18:09
*** ninag has quit IRC18:10
*** ninag has joined #openstack-keystone18:10
*** ninag has quit IRC18:10
*** ninag has joined #openstack-keystone18:11
*** richm has quit IRC18:11
*** esp has joined #openstack-keystone18:11
openstackgerritDolph Mathews proposed openstack/keystone-specs: Time-based One-time Password  https://review.openstack.org/13037618:12
dolphmlbragstad: fixeded ^18:12
lbragstaddolphm awesome - thanks18:13
lbragstaddolphm nonameentername +2 my comments were addressed.18:13
*** ninag has quit IRC18:15
*** esp has quit IRC18:15
*** thebloggu has joined #openstack-keystone18:16
*** roxanaghe has joined #openstack-keystone18:19
*** shaleh has joined #openstack-keystone18:20
*** ebalduf has joined #openstack-keystone18:20
openstackgerritHenrique Truta proposed openstack/keystone-specs: Fix cascade operations documentation  https://review.openstack.org/27483618:21
*** dims_ has joined #openstack-keystone18:21
*** dims has quit IRC18:22
openstackgerritMerged openstack/keystone-specs: Time-based One-time Password  https://review.openstack.org/13037618:23
*** jistr has joined #openstack-keystone18:23
openstackgerritHenrique Truta proposed openstack/keystone-specs: Fix cascade operations documentation  https://review.openstack.org/27483618:24
lbragstadnotmorgan still working through the consolidation stuff - we seem to support trusts on v2 with uuid, but we don't support v2 trusts with fernet - https://github.com/openstack/keystone/blob/836dbfca4200a1573c722809710cd7f0fa13f2d7/keystone/token/providers/fernet/core.py#L215-L21818:25
lbragstadnotmorgan thoughts/18:25
lbragstadcan we just kill v2 trusts all together?18:25
notmorganlbragstad: v2 had trusts?18:26
raildolbragstad: ++18:26
dolphmlbragstad: what happens if you drop support? (gate failures or anything?)18:26
dolphm"support"18:26
notmorgandolphm: ++ that is the way i'd look at it18:26
notmorganlet me check something18:26
lbragstadnotmorgan dolphm raildo I assume so - because : https://github.com/openstack/keystone/blob/836dbfca4200a1573c722809710cd7f0fa13f2d7/keystone/token/providers/common.py#L63-L7018:27
notmorganwe don't have APIs for trusts18:27
notmorganin v218:27
notmorganfwiw18:27
lbragstadin that method we actually *convert* from v3 trust to a v2 trust...18:27
notmorganright but it's an auth-only thing18:27
lbragstadi've removed that logic and replaced it with an unauthorized exception - running tests now18:27
dolphmlbragstad: propose a delete and see what happens18:27
notmorganlbragstad: sure18:28
lbragstadnotmorgan what do you mean "auth-only"18:28
notmorgandolphm: do we always provide a www-authenticate [or whatever it is?] when we 401?18:28
notmorgancause....18:28
notmorganlbragstad: you cannot make a trust via V218:28
lbragstadtrue18:28
notmorganyou can only make them in v3, you might have a trust scope during auth18:29
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Adds is_domain field in create project  https://review.openstack.org/23983218:29
notmorganbut i am unsure how [or if it would work]18:29
*** spandhe has joined #openstack-keystone18:29
*** su_zhang has joined #openstack-keystone18:30
*** thebloggu has quit IRC18:31
notmorgandolphm: https://bitbucket.org/zzzeek/dogpile.cache/pull-requests/46/add-a-key-word-arg-aware-cache-key/diff kwarg enabled keygenerator for dogpile not sure if we need/want this.18:31
notmorgandolphm: or if it would make keystone easier.18:32
raildolbragstad: notmorgan we consume this trust information on the v2 token https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L14818:32
dolphmnotmorgan: www-authenticate only comes from auth_token afaik18:32
dolphmon 40118:32
notmorgandolphm: right. we might need to revisit that in keystone too18:32
*** doug-fish has quit IRC18:32
lbragstadraildo hmm18:33
notmorganto be "correct".18:33
notmorganraildo: in authenticate possibly18:33
dstaneknotmorgan: that would make it so that we don't have to for code not to use kwargs18:33
raildonotmorgan: yes18:33
notmorgandstanek: yeah. eyes on that would be nice. i can pull it to oslo.cache, but will need to chat w/ zzzeek on if it's appropriate for dogpile.cache18:34
notmorgandstanek: there are questions on how much we want in dogpile.cache vs being more of just a pattern of use. vs lots of disparate backends etc18:34
*** jsavak has quit IRC18:35
*** jsavak has joined #openstack-keystone18:35
notmorgandstanek: so it would be easy to add it to oslo.cache18:36
*** doug-fish has joined #openstack-keystone18:36
notmorgandstanek: but it has a lot of overhead compared to the normal keygen18:37
dstaneknotmorgan: i'll go through it in more detail a little later. i have a *long* meeting soon18:37
notmorgandstanek: hah.18:37
notmorgandstanek: good luck on the long meeting18:38
*** doug-fis_ has joined #openstack-keystone18:40
*** doug-fish has quit IRC18:41
*** doug-fis_ has quit IRC18:41
*** doug-fish has joined #openstack-keystone18:41
*** jaosorior has quit IRC18:41
*** timcline has quit IRC18:44
*** timcline has joined #openstack-keystone18:45
*** doug-fish has quit IRC18:45
*** fpatwa has joined #openstack-keystone18:46
*** jgriffith_away is now known as jgriffith18:48
*** edmondsw has quit IRC18:49
*** esp has joined #openstack-keystone18:50
*** jistr has quit IRC18:51
*** fpatwa has quit IRC18:51
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust redelegation tests  https://review.openstack.org/27323218:55
openstackgerritJorge Munoz proposed openstack/keystone: Add tests for trust using impersonation  https://review.openstack.org/27327918:55
*** rderose has quit IRC18:57
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for trusts in v2.0  https://review.openstack.org/27485018:58
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/27485118:58
openstackgerritLance Bragstad proposed openstack/keystone: Remove validate_v2_token from Fernet provider  https://review.openstack.org/27485218:58
*** richm has joined #openstack-keystone18:59
lbragstadnotmorgan dolphm ^18:59
notmorganlbragstad: cool18:59
notmorganlets see how it shakes out18:59
lbragstadthat passes locally for me18:59
*** jgriffith is now known as jgriffith_away19:00
*** doug-fish has joined #openstack-keystone19:01
*** su_zhang has quit IRC19:01
*** jbell8 has joined #openstack-keystone19:01
*** su_zhang has joined #openstack-keystone19:01
*** richm has quit IRC19:03
*** doug-fis_ has joined #openstack-keystone19:04
*** ninag has joined #openstack-keystone19:04
*** doug-fis_ has quit IRC19:04
*** doug-fis_ has joined #openstack-keystone19:04
*** doug-fish has quit IRC19:05
*** ninag has quit IRC19:06
*** ninag has joined #openstack-keystone19:06
notmorgancool19:09
notmorganlbragstad, dolphm, stevemar: your eyes on https://bitbucket.org/zzzeek/dogpile.cache/pull-requests/46/add-a-key-word-arg-aware-cache-key/diff would be super helpful too.19:10
notmorgani really want to make sure i didn't make a stupid assumption.19:10
*** browne has quit IRC19:14
*** su_zhang has quit IRC19:19
*** su_zhang has joined #openstack-keystone19:19
*** marekd has quit IRC19:21
*** browne has joined #openstack-keystone19:22
openstackgerritSean Perry proposed openstack/keystone: Add subjectAltName to generated ssl cert  https://review.openstack.org/15407419:23
shalehdstanek: ^^ that is what we were talking about on Friday19:24
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948619:29
shalehstevemar: I asked dstanek before I made that commit. He thought it was being used for devstack / developer stuff. Is this no longer the case?19:31
shalehstevemar: I am fine if the code is dead. But the bugs were not updated to reflect this either.19:32
*** marekd has joined #openstack-keystone19:32
*** asimov.freenode.net sets mode: +v marekd19:32
*** edmondsw has joined #openstack-keystone19:33
*** ebalduf has quit IRC19:33
*** jbell8 has quit IRC19:33
notmorganstevemar: haha i -1'd the same thing with roughly the same question19:33
*** jbell8 has joined #openstack-keystone19:34
*** jsavak has quit IRC19:35
*** jbell8 has quit IRC19:35
*** jsavak has joined #openstack-keystone19:35
*** srini_ has joined #openstack-keystone19:37
shalehgood to see Bug Friday continues to be a waste of time19:37
*** jbell8 has joined #openstack-keystone19:37
*** diazjf has quit IRC19:38
notmorganshaleh: the PKI bit is the only bit i'm worried about, the addition to the SSL block if we are continuing to use it would be good.19:38
shalehmost tickets I look at after some amount of investigation turn out to be either dead or using abandoned stuff somewhere19:39
shalehnotmorgan: well, stevemar removed all exercise of the SSL bits and the SSL in his patch. What are we still using the PKI bits for now that PKI token is also dead?19:40
notmorganshaleh: PKI tokens are deprecated with "we're ditching this down the line" because fernet is the direction we're going19:40
notmorganshaleh: like i said, happy to continue with the SSL stuff if it makes sense / continues to be useful [i'll defer on that]19:41
notmorganshaleh: and the altnames makes a lot of sense on that front19:41
shalehnotmorgan: but if this code only exists for eventlet and pki tokens it appears to be the last polar bear on an ice floe19:41
notmorganshaleh: ah right that is very much eventlet19:42
notmorganderp19:42
notmorgansorry i'm elbow deep in looking at dogpile stuff/discussing bits for that19:42
shalehnotmorgan: no worries19:42
notmorgangetting the fixes we need for dogpile lined up upstream19:42
*** henrynash has quit IRC19:43
shalehoh well, I learned that using the cryptography package to parse x509 certs is pretty trivial. caveat the usual x509 boneheadedness that is always there and has nothing to do with Python19:46
*** ninag has quit IRC19:48
*** amakarov has quit IRC19:48
*** jbell8 has quit IRC19:48
*** jbell8 has joined #openstack-keystone19:48
*** srini_ has quit IRC19:51
notmorganshaleh: yep19:51
notmorganshaleh: sadly19:51
shalehWhat are the steps to take over the review so I can abandon it? Since I was updating an existing one I do not have the option to abandon currently.19:52
*** diazjf has joined #openstack-keystone19:52
notmorganshaleh: ask a core to do it19:54
notmorganyou can't "take over" a review19:55
notmorganthe owner is always the same19:55
notmorganhappy to abandon it if you want19:55
shalehnotmorgan: If the consensus is it is a polar bear, no sense wasting people's time on it19:55
notmorganshaleh: i can always restore it19:55
notmorganso if you're content for an abandon - i'll do that now and then we restore it if needed19:56
shalehnotmorgan: someone also needs to deal with the bug that led to the patch19:56
shalehnotmorgan: abandon it19:56
*** jgriffith_away is now known as jgriffith19:56
notmorgani'll poke the bug too19:56
stevemarsorry - on a call :[19:56
*** jsavak has quit IRC19:59
*** jsavak has joined #openstack-keystone20:00
*** maxabidi has joined #openstack-keystone20:00
notmorganshaleh: done and bug closed20:00
shalehnotmorgan: thanks20:00
*** ninag has joined #openstack-keystone20:01
shalehwell, I closed the bug......20:01
shalehtake one down, pass it around, 101 bugs on the wall20:01
notmorgani did a massive pass on bug closing a cycle or so ago20:01
notmorgani might block off a week or two and do the same thing again.20:01
notmorgananyway...20:02
notmorgani need to book a hotel for seattle this week20:02
notmorganlets see if the VPN works again *yet*20:02
notmorgancause... i've been unable to access it or OWA for the last 3 days20:03
*** ninag has quit IRC20:05
*** shaleh is now known as shaleh|away20:06
*** henrynash has joined #openstack-keystone20:08
*** ChanServ sets mode: +v henrynash20:08
*** henrynash has quit IRC20:13
*** jbell8 has quit IRC20:13
*** rderose has joined #openstack-keystone20:14
bretonI thought we postpone totp to another cycle20:14
*** mhickey has joined #openstack-keystone20:18
stevemarreminds everyone to add to the agenda: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda20:19
stevemarbreton: there was desire from a lot of people to give it an exemption20:20
notmorganbreton: we postponed the MFA stuff, the totp as a simple auth-type is easy to land20:20
stevemarbreton: they have until friday to post some code20:21
notmorgandolphm: ^ is nonameentername going to post code cause...20:21
notmorganif not, i'll write up an auth plugin tonight20:21
notmorganit'll be very rough but it'll be easy to iterate on20:21
*** jsavak has quit IRC20:22
*** ctracey has joined #openstack-keystone20:23
*** jsavak has joined #openstack-keystone20:23
*** su_zhang has quit IRC20:23
*** maxabidi has quit IRC20:34
*** jsavak has quit IRC20:35
*** jsavak has joined #openstack-keystone20:36
dolphmnotmorgan: we're in a long meeting at the moment, but i believe so20:46
notmorgandolphm: ok chase him down post "long meeting of doom, doom I say"(tm)20:46
*** fpatwa has joined #openstack-keystone20:47
*** doug-fis_ has quit IRC20:47
*** ayoung has joined #openstack-keystone20:47
*** ChanServ sets mode: +v ayoung20:47
*** doug-fish has joined #openstack-keystone20:48
*** ninag has joined #openstack-keystone20:48
*** lhcheng has joined #openstack-keystone20:49
*** ChanServ sets mode: +v lhcheng20:49
*** fpatwa has quit IRC20:51
*** diazjf1 has joined #openstack-keystone20:55
*** slberger1 has joined #openstack-keystone20:56
*** shaleh|away is now known as shaleh20:56
*** diazjf has quit IRC20:57
*** tsymanczyk has quit IRC20:57
*** ngupta has quit IRC20:58
*** ebalduf has joined #openstack-keystone20:58
*** slberger has quit IRC20:58
*** ngupta has joined #openstack-keystone21:00
*** fpatwa has joined #openstack-keystone21:01
*** dims has joined #openstack-keystone21:02
*** dims_ has quit IRC21:03
*** clenimar has quit IRC21:04
*** ebalduf has quit IRC21:06
*** vivekd has joined #openstack-keystone21:06
*** jsavak has quit IRC21:06
*** doug-fish has quit IRC21:06
*** jsavak has joined #openstack-keystone21:07
*** doug-fish has joined #openstack-keystone21:07
*** doug-fis_ has joined #openstack-keystone21:09
notmorganlbragstad: SO CLOSE on the remove validate_v2.21:10
*** doug-fi__ has joined #openstack-keystone21:11
*** doug-fish has quit IRC21:11
*** timcline has quit IRC21:13
*** timcline has joined #openstack-keystone21:13
*** fpatwa has quit IRC21:13
*** doug-fis_ has quit IRC21:13
ayoungnotmorgan, I'd be happy to see that go21:14
*** doug-fi__ has quit IRC21:15
*** mgarza_ has quit IRC21:16
*** fpatwa_ has joined #openstack-keystone21:18
*** rcernin has joined #openstack-keystone21:19
*** erlarese has joined #openstack-keystone21:19
*** darrenc_ is now known as darrenc21:19
openstackgerritMerged openstack/keystone-specs: Unified delegation  https://review.openstack.org/18981621:20
openstackgerritBrant Knudson proposed openstack/keystone: Correct docstrings  https://review.openstack.org/27489521:23
*** doug-fish has joined #openstack-keystone21:23
*** sinese has quit IRC21:24
*** pauloewerton has quit IRC21:24
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358521:24
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358521:26
*** jsavak has quit IRC21:26
*** jsavak has joined #openstack-keystone21:27
*** raildo is now known as raildo-afk21:27
*** doug-fis_ has joined #openstack-keystone21:27
*** doug-fish has quit IRC21:28
*** su_zhang has joined #openstack-keystone21:30
openstackgerritJorge Munoz proposed openstack/keystone: Do not allow creating redelegated trust when using impersonated token.  https://review.openstack.org/27425021:31
*** doug-fis_ has quit IRC21:32
ayounglookin jorge_munoz21:32
jorge_munozo/, Hey, whats up/21:32
*** doug-fish has joined #openstack-keystone21:33
ayoungjorge_munoz, if trust['trustor_user_id'] == original_trust['trustor_user_id']:  looks strange21:33
ayoungjorge_munoz, what is your logic there?21:33
notmorganayoung: right?!21:34
ayoungthe first check looks good21:34
ayoungbut the second one is, I think, going too far21:34
notmorganstevemar: almost done moving s3 to core, then just need to move ec221:34
*** fpatwa_ has quit IRC21:34
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490121:34
jorge_munozayoung: So, this is when a user uses impersonation and passes the trustor’s id matching the original trustor.21:34
*** su_zhang has quit IRC21:34
jorge_munozMeaning they user bypass the policy file check.21:35
jorge_munozthe*21:35
ayoungjorge_munoz, the check looks wrong...seems to me that it should be21:35
ayoungjorge_munoz, is that check inside the redelegation check?21:36
*** mhickey_ has joined #openstack-keystone21:37
jorge_munozNo, it's a check when impersonating.21:37
jorge_munozIt is a check on a delegated auth.21:37
ayoungjorge_munoz, I think what you are trying to say is that if the user is authenticated via trust, limit them to redelegation, not creating a new trust21:37
lbragstadnotmorgan I know - just a couple more steps21:38
*** mhickey has quit IRC21:39
jorge_munozWe should not allow a user to create a trust using impersonation, if he is trying to bypass policy check by passing the original’s trustor id on the newly created trust.21:39
ayoungjorge_munoz, I think the way you wrote it will prevent trust redelegation for the impersonation case21:40
ayoungredelegated_trust_id=self.trust['id']21:40
ayoungredelegation that way should be allowed, but if there is no redelegation, if it is a new trust, it should be forbidden21:41
jorge_munozright and i think that is correct. A redelegated trust should never allow creating a trust with impersonation.21:41
ayoungand you catch that above21:41
ayoungwhy not?21:41
ayoungit should not allow a new trust with an expanded set of roles21:42
ayoungit should allow you to redelegate the existing trust, or a subset of the roles on the existing trust, but continue to impersonate.21:42
ayoungI really think you will break things with this patch21:42
jorge_munozAllowing trusted users to create a new trust with impersonation would grant them the ability to give permission on behalf of another user.21:43
jorge_munozIt doesn’t seem right21:43
*** rcernin has quit IRC21:44
*** pgbridge_ has quit IRC21:46
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764721:48
openstackgerritLance Bragstad proposed openstack/keystone: Remove validate_v2_token from Fernet provider  https://review.openstack.org/27485221:48
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for trusts in v2.0  https://review.openstack.org/27485021:48
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687721:48
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/27485121:48
*** fpatwa has joined #openstack-keystone21:50
*** edmondsw has quit IRC21:50
*** fpatwa has quit IRC21:50
lbragstadjorge_munoz ayoung so - if jorge_munoz wanted to create a trust with impersonation set to True and then I went to create a trust - that trust would be created between me and whoever I wanted to create that trust with.21:53
lbragstadTo me, that doesn't seem like redelegation21:54
lbragstadand that is the current behavior in master21:54
lbragstadcorrect: that trust would be created between jorge_munoz and whoever *I* wanted to create that trust with.. that's the part that doesn't seem like redelegation21:55
lbragstadcorrection* I can't type today...21:55
ayounglbragstad, If I create a trust (trustor=ayoung, delegation=true, trustee=lbragstad) and then you use that trust to get a token, and then create a new trust, that is wrong. But if it is a redelegation from you to jorge_munoz of the original trust, it should be (trustor=ayoung, redelegation=true, trustee=jorge_munoz)21:56
ayoungthe new trust should point to the original trust, and, if I revoke the original, the redelegated trust should be invalid21:57
lbragstadayoung ok - so what happens if you add impersonation to that mix?21:57
ayounglbragstad, I did...that example was with impersonation set to true21:58
lbragstadayoung that example was with redelegation set to True21:58
ayounglbragstad, I set this all up and pass it to Mistral.  Mistral will then call heat.  Heat will then call Barbican21:58
ayoungyes, only with redelegation21:58
ayoungredelegation and impersonation are not mutually exclusive21:59
lbragstadayoung is the following behavior intended21:59
*** pgbridge has joined #openstack-keystone22:00
lbragstadI create a trust (trustor=lbragstad, impersonation=True, trustee=jorge_munoz) and then jorge_munoz goes to create a trust between himself and you (trustor=jorge_munoz, trustee=ayoung). That results in a trust looking like (trustor=lbragstad, trustee=ayoung)... Should that be allowed?22:01
ayounglbragstad, so, yes, but within limits. When a trust is redelegated, it is technically a new trust chained to the old trust22:02
jorge_munozlbragstad: ayoung Yes, that's the case I’m trying to cover.22:02
ayoung (trustor=lbragstad, impersonation=True, trustee=jorge_munoz, redelegation=true, roles=[r1, r2,r3])22:02
ayoungthat is our original trust22:02
ayoungnow this gets an ID22:03
ayoungwe'll call that T122:03
ayoungthis should be allowed:22:03
lbragstadsure22:03
ayoung (trustor=lbragstad, impersonation=True, trustee=ayoung, redelegation=true, roles=[r1, r2,r3], original_trust=T1)22:03
ayoungbut only that22:03
ayoungturning off impersonation...sure, that could be done22:04
*** su_zhang has joined #openstack-keystone22:04
ayoungremoving some of the roles is OK, too22:04
ayoungcannot add roles, and cannot work without the  original_trust=T122:04
ayoungwhatever the key is...22:04
jorge_munozIt doesn’t seem right to have impersonation and redelegation both true. How would you redelegate a trust with an impersonated token?22:05
jorge_munozayoung: lbragstad ^22:06
lbragstadwhen impersonation and redelegation are both set to true - you can't get a redelegated trust, right?22:07
ayoungjorge_munoz, If I have a workflow where impersonation is needed, I might not be able to delegate that directly to the final executor22:07
lbragstadwhat's the workflow?22:07
ayoungI might delegate to mistral, but then mistral has to delegate to heat22:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/27279022:07
ayounglbragstad, right now, the issue is Barbican, where secrets are owned by a person22:07
ayoungnot a project22:07
jorge_munozayoung: and in that case you need to impersonate the user?22:08
*** su_zhang has quit IRC22:08
ayoungjorge_munoz, yes22:09
lbragstaddoes that flow require both impersonation and redelegation on the same trust?22:09
*** su_zhang has joined #openstack-keystone22:09
*** vgridnev has quit IRC22:09
ayoungjorge_munoz, it needs to be possible until we can kill impersonation, but I think that won't happen22:09
lbragstadcan't that just be done with impersonation?22:09
ayounglbragstad, yes22:09
ayoungnope22:09
ayounglbragstad, the executor is the heat service user, that does not exist when the original trust is created22:09
*** su_zhang has quit IRC22:10
*** chlong has joined #openstack-keystone22:10
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Shadow federated users  https://review.openstack.org/27476122:10
*** su_zhang has joined #openstack-keystone22:10
*** erlarese has quit IRC22:13
jorge_munozayoung: Well if that is the intended behavior, then I can change it. But it seems that granting a trustee user the ability to create a trust with impersonation set to true is giving too many permissions to the trustee.22:15
ayoungjorge_munoz, is it a new trust or a redelegation of an existing trust?  That is the essential, and currently allowed, distinction22:16
jorge_munozIf impersonation is used, it would be a new trust.22:16
jorge_munozI was thinking that if a trust is created with impersonation you can’t redelegate that trust.22:17
ayoungnope22:17
ayoungjorge_munoz, ok. let's look at the data structure....22:18
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/migrate_repo/versions/044_icehouse.py#n12422:18
ayoungjorge_munoz, we don't chain the trust ids?22:20
jorge_munozYes, they are linked by the redelegated_trust_id22:21
ayoungso commit 0b89e8b2a414ac1c5b0c32974fbf741bd775c1c0  added the redelegation...let's see22:22
ayoungjorge_munoz, did all the variations on the trust table get merged to the main repo, or is it still in an extension?22:23
notmorganstevemar, dstanek soooooo found a test case that isn't run at all22:23
notmorganever22:23
notmorgan...22:23
stevemarnotmorgan: nice22:23
ayoungredelegated_trust_id22:24
ayoungwhere is that defined...22:24
jorge_munozayoung: it should be on the main migration repo22:26
ayoungjorge_munoz, it is not recorded22:26
*** mhickey_ has quit IRC22:26
ayoungit is not part of the database schema, AFAICT22:27
ayoungjorge_munoz, did we lose that when the trust extension got merged into main?22:27
jorge_munozI don’t know, but if it is not defined we need to add it.22:28
*** RA_ has joined #openstack-keystone22:28
ayoungtrusts was never an out of tree extension for migrations...it predated that22:29
ayoungjorge_munoz, yeah, trying to see what happened22:29
*** alejandrito has quit IRC22:30
ayoungkeystone/trust/schema.py22:30
ayoungwhat is that...22:30
ayoungjorge_munoz, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/trust/backends/sql.py  does not have it in the backend either22:31
*** timcline has quit IRC22:31
*** timcline has joined #openstack-keystone22:32
notmorganlbragstad: we win22:32
notmorganlbragstad: kill subsecond everywhere in keystone22:32
notmorganmtreinish: ^ cc22:32
lbragstadZOMG!22:32
notmorganlbragstad: mtreinish wants it consistent22:32
notmorgannot "some backends are subsecond some are not"22:33
*** ninag has quit IRC22:33
notmorganpick a side, drive that direction to make it consistent22:33
jorge_munozOk, yes. The schema seems to be missing those attributes. Those attributes were in the documentation for trust.22:33
jorge_munozayoung: ^22:33
notmorgansquash subsecond down to second, and make sure to handle the case subsecond exists and truncate to second level precision [aka old data]22:33
lbragstadnotmorgan we can abandon this then - https://review.openstack.org/#/c/243742/22:33
notmorganlbragstad: ++ yes22:33
*** ninag has joined #openstack-keystone22:33
lbragstad\o/22:33
ayoungjorge_munoz, um that is bad22:33
notmorganlbragstad: :)22:33
lbragstadcc: dolphm ^22:33
ayoungjorge_munoz, I'm going to try a test here.22:34
ayoungjorge_munoz, I can't help but feel we are missing something22:35
openstackgerritBrant Knudson proposed openstack/keystoneauth: DOC TEST DONT MERGE  https://review.openstack.org/27491322:35
ayoungjorge_munoz, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n323422:35
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n336922:36
mtreinishnotmorgan, lbragstad: I'd also like to see a doc that clarifies that second resolution is all that's expected from the api even if subsecond timestamps are returned22:37
notmorganmtreinish: 100%22:37
notmorganlbragstad: let's put that in the developer docs22:37
mtreinishjust to cover cases with older clouds22:37
jorge_munozayoung: Yes, I feel the same way. So the tests were set up to do impersonation with redelegation. The change I made was to set impersonation to false and allow redelegation.22:38
*** ninag has quit IRC22:38
ayoungjorge_munoz, but those tests look bonkers22:38
*** diazjf1 has quit IRC22:38
ayoungjorge_munoz, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n3374  says Verify the two remaining trust have been deleted  but then calls delete on them22:39
ayounglet me change that to a GET which is what they should be doing22:39
*** daemontool has quit IRC22:39
notmorganmtreinish: yep. makes sense to me22:40
jorge_munozayoung: ok, yea I did not change behavior of the test though. That is what it was doing before, except not check the chain, but only the last one.22:40
*** rderose has quit IRC22:41
ayoungjorge_munoz, right, I was more worried about it already being broken. I still suspect that it is22:42
ayoungbut if I change this delete call to a get, the test still passes http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n338222:42
ayoungI wonder, though, if that is due to policy and not due to the trust being deleted22:43
*** lhcheng has quit IRC22:44
jorge_munozayoung: delete trust loops to all redelegated trusts and deletes them.22:44
ayoungjorge_munoz, how?22:44
*** lhcheng has joined #openstack-keystone22:44
*** ChanServ sets mode: +v lhcheng22:44
dolphmnonameentername: ping - meant to ask you about the otp implementation today22:44
jorge_munozhttps://github.com/openstack/keystone/blob/master/keystone/trust/core.py#L10222:44
jorge_munozayoung: by the redelegated_trust_id22:45
ayoungah...hadn't looked in core, just the driver...22:45
ayoungjorge_munoz, let me see if that is in the database...22:45
openstackgerritMerged openstack/python-keystoneclient: Update translation setup  https://review.openstack.org/27351022:46
jorge_munozayoung: currently redelegated_trust_id is stored in extras.22:47
ayoungah22:47
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/27282522:47
dolphmnonameentername: just noticed the spec merged :) https://review.openstack.org/#/c/130376/22:47
ayoungjorge_munoz, I must not have reviewed that patch. That is grounds for a beating in my book22:47
ayoungjorge_munoz, just glad I don't have to file the CVE22:48
ayoungjorge_munoz, OK, so, with that intact, yes, redelegation of a token with impersonation set is allowed22:49
*** su_zhang has quit IRC22:50
*** su_zhang has joined #openstack-keystone22:50
notmorganstevemar: ping - need your view. do i delete this test or try and wire it up?22:52
notmorganstevemar: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_singular_plural.py#L2422:53
notmorganstevemar: cause..... it isn't run at all22:53
lbragstadayoung wasn't this the original implementation of redelegation? https://review.openstack.org/#/c/126897/3122:53
jorge_munozayoung: So is the next step to define the redelegated_trust_id?22:53
jorge_munozand making it part of the schema22:54
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865022:55
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778122:55
*** timcline has quit IRC22:59
*** jsavak has quit IRC23:00
notmorgandolphm: ^ see the link i made for steve... i think we just delete it23:00
notmorganit's been... uh...23:00
notmorganuntouched since like 201223:00
notmorgani think it's a dead test.23:00
*** RA_ has quit IRC23:02
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove un-used test code  https://review.openstack.org/27492923:06
*** slberger1 has left #openstack-keystone23:06
*** henrynash has joined #openstack-keystone23:10
*** ChanServ sets mode: +v henrynash23:10
*** david-lyle has quit IRC23:15
*** RA has joined #openstack-keystone23:19
*** RA is now known as Guest5147823:20
*** sigmavirus24 is now known as sigmavirus24_awa23:22
*** vivekd has quit IRC23:27
*** henrynash has quit IRC23:27
*** henrynash has joined #openstack-keystone23:32
*** ChanServ sets mode: +v henrynash23:32
*** csoukup_ has quit IRC23:34
*** csoukup_ has joined #openstack-keystone23:34
*** gordc has quit IRC23:36
*** gildub has joined #openstack-keystone23:36
*** jamielennox is now known as jamielennox|away23:36
*** kragniz_ is now known as kragniz23:38
*** csoukup_ has quit IRC23:40
*** markvoelker has quit IRC23:41
*** shoutm has joined #openstack-keystone23:50
*** henrynash has quit IRC23:50
*** fpatwa has joined #openstack-keystone23:51
*** amakarov has joined #openstack-keystone23:53
*** nkinder has quit IRC23:54
openstackgerritMerged openstack/keystone: Replace unicode with six.text_type  https://review.openstack.org/26125323:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947923:56
*** fpatwa has quit IRC23:56
amakarovayoung: what do you want me to add about PKI removal to the presentation?23:56
amakarovayoung: aha, I see your changes...23:57
*** jrist has quit IRC23:58
