Wednesday, 2016-02-03

*** browne has quit IRC00:01
*** shoutm has joined #openstack-keystone00:01
*** browne has joined #openstack-keystone00:02
*** jamielennox|away is now known as jamielennox00:02
*** jrist has quit IRC00:09
*** Guest80711 is now known as med_00:15
*** med_ has quit IRC00:15
*** med_ has joined #openstack-keystone00:15
*** fpatwa has joined #openstack-keystone00:31
*** spzala has quit IRC00:32
*** spzala has joined #openstack-keystone00:32
*** jed56 has quit IRC00:33
*** shoutm has quit IRC00:35
*** spzala has quit IRC00:36
*** shoutm has joined #openstack-keystone00:37
*** jamielennox is now known as jamielennox|away00:38
*** jamielennox|away is now known as jamielennox00:39
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use positional instead of keystoneclient version
openstackgerritRoxana Gherle proposed openstack/keystone: Make WebSSO trusted_dashboard hostname case-insensitive
*** EinstCrazy has joined #openstack-keystone00:50
*** fpatwa has quit IRC00:54
*** EinstCrazy has quit IRC00:55
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Deprecate adapter
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Deprecate auth plugins from keystoneclient
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Deprecate Session
openstackgerritJamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware
*** ninag has quit IRC01:12
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone
openstackgerritRoxana Gherle proposed openstack/keystone: Make WebSSO trusted_dashboard hostname case-insensitive
*** davechen has joined #openstack-keystone01:24
*** spzala has joined #openstack-keystone01:26
*** jamielennox is now known as jamielennox|away01:30
notmorganjamielennox|away: not a ton to cleanup01:32
notmorganjamielennox|away: looks like it's almost all clients now01:32
notmorganjamielennox|away: i'm going to hit swift and nova with a bat on this.01:32
notmorganjamielennox|away: then i think we can deprecate session01:32
*** jsavak has joined #openstack-keystone01:40
notmorganjamielennox|away: not that swiftclient uses ksc.session01:42
*** jsavak has quit IRC01:45
*** jsavak has joined #openstack-keystone01:45
*** su_zhang has quit IRC01:48
*** csoukup_ has joined #openstack-keystone01:55
*** _cjones_ has quit IRC02:01
*** EinstCrazy has joined #openstack-keystone02:17
*** browne has quit IRC02:18
*** jsavak has quit IRC02:24
*** jsavak has joined #openstack-keystone02:24
*** jamielennox|away is now known as jamielennox02:31
*** woodster_ has joined #openstack-keystone02:37
*** miyagishi_t has joined #openstack-keystone02:37
*** jsavak has quit IRC02:38
*** dims_ has quit IRC02:40
*** bill_az has quit IRC02:55
*** shoutm has quit IRC02:57
*** shoutm has joined #openstack-keystone03:00
*** links has joined #openstack-keystone03:06
*** browne has joined #openstack-keystone03:10
openstackgerritMerged openstack/keystonemiddleware: Use positional instead of keystoneclient version
*** gyee has quit IRC03:28
*** amakarov has quit IRC03:30
openstackgerritMerged openstack/keystone: Allow '_' character in mapping_id value
*** doug-fish has quit IRC03:34
*** doug-fish has joined #openstack-keystone03:35
*** doug-fish has quit IRC03:36
ayoungSCORE !  Triple Keystone HTTPD Passed CI.  For HA.  Bye Bye Keystone Eventlet!03:37
ayoungnotmorgan, now please get Implied roles moving?
*** gyee has joined #openstack-keystone03:38
*** ChanServ sets mode: +v gyee03:38
*** jrist has joined #openstack-keystone03:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
stevemarayoung: maybe use a #success03:41
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** esp_ has joined #openstack-keystone03:47
*** Nirupama has joined #openstack-keystone03:48
openstackgerritguang-yee proposed openstack/keystone: Make WebSSO trusted_dashboard hostname case-insensitive
notmorganayoung: I warn you I am hitting implied roles from a strict security perspective if I review it. I won't +2 without another core +2. But if I don't see flaws I will +1 until there are other eyes on it.03:50
notmorganayoung: but it also has to wait till I pack/start laundry for my trip tomorrow.03:51
*** esp_ has quit IRC03:51
*** diazjf has quit IRC04:01
openstackgerritguang-yee proposed openstack/keystone: wsgi: fix base_url finding
*** gyee has quit IRC04:07
*** jamielennox is now known as jamielennox|away04:09
*** su_zhang has joined #openstack-keystone04:13
*** spzala has quit IRC04:14
*** spzala has joined #openstack-keystone04:15
*** su_zhang has quit IRC04:15
*** su_zhang has joined #openstack-keystone04:16
lbragstadnotmorgan nice - just saw that04:18
lbragstadnotmorgan thanks!04:18
*** spzala has quit IRC04:19
notmorganlbragstad: super important link!04:20
*** su_zhang_ has joined #openstack-keystone04:26
*** su_zhang has quit IRC04:27
*** diazjf has joined #openstack-keystone04:32
*** diazjf has quit IRC04:33
*** diazjf has joined #openstack-keystone04:35
lhchengstevemar: ebay also have a similar thing like that - access keys04:43
stevemarjust looking at old blueprints04:43
stevemarlike this one
lhchengstevemar: tokenless auth using x509, that's available04:44
stevemaryeah, i was wondering if we could mark it as superseded04:44
lhchengand the base code for tokenless auth should allow for other types, like access key.04:45
stevemarayoung: ^ your bp, what do you say04:45
lhchengsince we already have the capability for access key to be plugged-in, I think that should be enough from keystone. we don't need to implement access key.04:45
lhchengthe tokenless auth allows plugging-in for different protocols, from our side, I think it's done.04:46
stevemarlhcheng: what about
*** EinstCrazy has quit IRC04:53
*** jasonsb has joined #openstack-keystone04:53
lhchengstevemar: might be useful, it's not a deal breaker for horizon. they won't likely spend an hour using horizon. if the token expires, we'll just redirect them to the login page.04:55
lhchengthis could help the issue with long running operations that some projects hits into04:55
stevemarmmm alright04:55
openstackgerritMerged openstack/keystone: Revert "Unit test for checking cross-version migrations compatibility"
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** Nirupama has quit IRC05:07
*** jrist has quit IRC05:08
*** jrist has joined #openstack-keystone05:08
*** shoutm_ has joined #openstack-keystone05:14
*** spzala has joined #openstack-keystone05:15
*** shoutm has quit IRC05:16
*** spzala has quit IRC05:21
*** jasonsb has quit IRC05:21
*** Nirupama has joined #openstack-keystone05:22
*** roxanagh_ has joined #openstack-keystone05:26
*** vgridnev has joined #openstack-keystone05:44
*** diazjf has quit IRC05:47
stevemarayoung: i'm pretty sure you create one blueprint per week05:48
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** roxanagh_ has quit IRC05:55
*** shoutm has joined #openstack-keystone06:00
*** jasonsb has joined #openstack-keystone06:04
*** shoutm_ has quit IRC06:04
stevemarjamielennox|away: around06:16
stevemari guess not :(06:16
*** woodster_ has quit IRC06:16
*** spzala has joined #openstack-keystone06:18
*** spzala has quit IRC06:23
stevemarnotmorgan: got blueprints down to 69!06:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata
*** jbell8 has joined #openstack-keystone06:40
*** oomichi has joined #openstack-keystone06:47
*** henrynash has quit IRC06:51
*** henrynash has joined #openstack-keystone06:51
*** ChanServ sets mode: +v henrynash06:51
henrynashstevemar: you still up?06:51
openstackgerritSteve Martinelli proposed openstack/keystone-specs: clean up spec repo
stevemarhenrynash: yep06:53
stevemarhenrynash: what's up señor06:57
openstackgerritMerged openstack/keystone-specs: clean up spec repo
henrynashstevemar: implied roles API….I think (despite the suggestions about alternatives) is something we should merge  (the backend changes are already merged). We have two +2s, and it is an agreed spec and marked as experimental. Fujitsu ScanSnap iX50007:02
henrynashstevemar: ignore the Fujitsu scanner quote!07:02
stevemarhenrynash: i'm looking at it now, my alarms were raised when you and guang both +2'ed07:02
stevemarhenrynash: but now i want that fujitsu scanner07:02
stevemarhenrynash: so, release notes?07:03
henrynashstevemar: :-) I’ll tell you if it’s any good!07:03
henrynashstevemar: fair comment, we do need an rn07:03
stevemarhenrynash: is it sufficiently documented? or just via specs/api?07:04
henrynashstevemar: I think it is just the specs/api….we can certainly add more, if required (a rn for sure)...07:05
stevemarhenrynash: root_role eh07:06
*** browne has quit IRC07:06
*** gildub has quit IRC07:08
*** lbragstad has quit IRC07:16
henrynashstevemar: happy to work with Adam on follow-up release notes, if that’s the only issue07:18
*** lbragstad has joined #openstack-keystone07:21
openstackgerritMerged openstack/keystone: Make WebSSO trusted_dashboard hostname case-insensitive
stevemarhenrynash: +W07:23
henrynashstevemar: thx07:24
openstackgerritlokesh s proposed openstack/pycadf: Adding ironic api specific audit map configuration
openstackgerritlokesh s proposed openstack/pycadf: Adding ironic api specific audit map configuration
*** shoutm has quit IRC07:30
*** shoutm has joined #openstack-keystone07:31
openstackgerritDave Chen proposed openstack/keystone: work with python34
openstackgerritDave Chen proposed openstack/keystone: Consolidate `` into ``
openstackgerritDave Chen proposed openstack/keystone: Initialize the policy engine where it is needed
*** shoutm has quit IRC07:44
*** shoutm has joined #openstack-keystone07:45
*** wanghua has joined #openstack-keystone07:45
*** belmoreira has joined #openstack-keystone07:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** richm has joined #openstack-keystone07:49
*** jbell8 has quit IRC07:52
*** mvk_ has quit IRC07:56
openstackgerritvenkatamahesh proposed openstack/keystone: Fix some word spellings
*** jistr has joined #openstack-keystone08:14
*** boris-42 has joined #openstack-keystone08:18
*** spzala has joined #openstack-keystone08:20
*** jistr is now known as jistr|mtg08:22
*** sinese has joined #openstack-keystone08:25
*** spzala has quit IRC08:25
*** davechen has left #openstack-keystone08:27
*** mvk_ has joined #openstack-keystone08:27
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user
*** lars2 has left #openstack-keystone08:30
*** miyagishi_t has quit IRC08:31
*** vgridnev has quit IRC08:32
*** su_zhang_ has quit IRC08:33
*** fhubik has joined #openstack-keystone08:36
*** oomichi is now known as oomichi_away08:38
*** shoutm has quit IRC08:39
*** jaosorior has joined #openstack-keystone08:39
*** Nirupama has quit IRC08:58
*** EinstCrazy has joined #openstack-keystone09:01
openstackgerritlokesh s proposed openstack/pycadf: Adding ironic api specific audit map configuration
*** Nirupama has joined #openstack-keystone09:14
*** chlong has quit IRC09:20
*** lhcheng has quit IRC09:27
*** EinstCrazy has quit IRC09:29
*** EinstCrazy has joined #openstack-keystone09:29
*** esp_ has joined #openstack-keystone09:32
*** esp_ has quit IRC09:39
*** e0ne has joined #openstack-keystone09:45
*** vgridnev has joined #openstack-keystone09:51
*** jaosorior has quit IRC09:53
*** jaosorior has joined #openstack-keystone09:54
*** gildub has joined #openstack-keystone09:58
*** vivekd has joined #openstack-keystone10:00
*** e0ne has quit IRC10:05
*** jaosorior has quit IRC10:09
*** vgridnev_ has joined #openstack-keystone10:14
*** vgridnev has quit IRC10:14
*** jaosorior has joined #openstack-keystone10:16
*** spzala has joined #openstack-keystone10:22
*** spzala has quit IRC10:27
*** fhubik is now known as fhubik_brb10:29
*** fhubik_brb is now known as fhubik10:29
*** d0ugal has quit IRC10:42
*** d0ugal has joined #openstack-keystone10:42
*** fhubik is now known as fhubik_brb10:46
*** fhubik_brb is now known as fhubik10:47
*** fhubik is now known as fhubik_brb10:47
*** fhubik has joined #openstack-keystone10:50
*** fhubik_brb has quit IRC10:50
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.
*** e0ne has joined #openstack-keystone10:51
*** vgridnev_ has quit IRC10:52
*** vgridnev_ has joined #openstack-keystone10:54
*** jaosorior has quit IRC10:58
*** jaosorior has joined #openstack-keystone10:59
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.
openstackgerritChris Dent proposed openstack/keystonemiddleware: Remove clobbering of passed oslo_config_config
*** mhickey has joined #openstack-keystone11:12
*** cdent has joined #openstack-keystone11:12
cdentbknudson_, jamielennox|away : I've updated to make it a bit less crufty11:13
*** tyagiprince has joined #openstack-keystone11:16
tyagiprinceHi everyone.. I want to know if groups can be created in keystone kilo version..11:17
tyagiprinceI found the code to create a group in keystoneclient directory. There exists a file in v3 folder. I want to know if there is any command which can help me create a group.11:20
*** jaosorior has quit IRC11:21
*** jistr|mtg has quit IRC11:27
*** clenimar has joined #openstack-keystone11:28
openstackgerritMarek Denis proposed openstack/keystone: Service providers groups associations
*** topol has quit IRC11:36
*** topol_ has joined #openstack-keystone11:37
*** boris-42 has quit IRC11:43
*** pnavarro has joined #openstack-keystone11:44
*** vivekd_ has joined #openstack-keystone11:44
*** vivekd has quit IRC11:45
*** vivekd_ is now known as vivekd11:45
*** samueldmq has joined #openstack-keystone11:46
*** samueldmq has left #openstack-keystone11:47
*** samueldmq has joined #openstack-keystone11:47
samueldmqayoung: about
samueldmqbtw, morning all11:48
samueldmqayoung: I remember you mentioned yesterday that some services needed admin role, and that was related to long-running operations11:48
samueldmqayoung: I wanted to understand that better11:48
*** topol_ has quit IRC11:50
*** topol_ has joined #openstack-keystone11:54
samueldmqhenrynash: hi, about policies yesterday's discussion in the meeting :)11:56
*** vivekd_ has joined #openstack-keystone12:00
*** vivekd has quit IRC12:04
*** vivekd_ is now known as vivekd12:04
*** rodrigods has quit IRC12:11
*** rodrigods has joined #openstack-keystone12:11
*** links has quit IRC12:11
*** fhubik is now known as fhubik_brb12:17
*** raildo-afk is now known as raildo12:17
*** spzala has joined #openstack-keystone12:24
*** gildub has quit IRC12:25
dstanekdammit stevemar, you got to the specs before i had a chance12:26
*** spzala has quit IRC12:30
*** mhickey_ has joined #openstack-keystone12:32
*** dims has joined #openstack-keystone12:32
samueldmqdstanek: stevemar: yeah, nice cleanup12:33
samueldmqBTW, do we have a policy for abandoning old changes ?12:33
samueldmqlike: negative score and no updates in the last X days ?12:33
*** clenimar has quit IRC12:34
*** mhickey has quit IRC12:34
*** clenimar has joined #openstack-keystone12:34
dstaneksamueldmq: i don't know about official, but i've seen people do it after 60 days. if it's a bugfix i try to take it over rather than lose it12:35
samueldmqdstanek: nice, sounds a very good approach12:35
-openstackstatus- NOTICE: Infra running with lower capacity now, due to a temporary problem affecting one of our nodepool providers. Please expect some delays in your jobs. Apologies for any inconvenience caused.12:40
samueldmqopenstackstatus: :(12:41
*** pauloewerton has joined #openstack-keystone12:43
*** ChanServ sets mode: +v topol_12:48
*** topol_ is now known as topol12:48
*** henrynash has quit IRC12:50
*** daemontool has joined #openstack-keystone12:52
*** sinese has quit IRC12:56
*** jaosorior has joined #openstack-keystone12:57
*** sinese has joined #openstack-keystone12:57
*** samueldmq has quit IRC12:59
*** bill_az has joined #openstack-keystone13:00
*** sinese_ has joined #openstack-keystone13:01
*** openstackgerrit has quit IRC13:02
*** openstackgerrit has joined #openstack-keystone13:02
*** sinese has quit IRC13:04
*** fhubik_brb is now known as fhubik13:05
*** gildub has joined #openstack-keystone13:06
*** tyagiprince has quit IRC13:11
*** jistr|mtg has joined #openstack-keystone13:12
*** jsavak has joined #openstack-keystone13:26
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone
*** gordc has joined #openstack-keystone13:29
*** erlarese has joined #openstack-keystone13:30
*** tyagiprince has joined #openstack-keystone13:34
dimsfolks, i see a release request, any cores agree/disagree?
*** sinese_ has quit IRC13:36
*** edmondsw has joined #openstack-keystone13:38
*** daemontool has quit IRC13:39
*** sinese_ has joined #openstack-keystone13:39
openstackgerritAlexander Makarov proposed openstack/keystone: Move region configuration to a critical section
*** vivekd has quit IRC13:46
openstackgerritClenimar Filemon Sousa proposed openstack/keystone: Allow deleting specific project assignment type
*** fhubik is now known as fhubik_brb13:51
*** fhubik_brb is now known as fhubik13:56
*** spzala has joined #openstack-keystone13:58
*** spzala has quit IRC13:58
*** spzala has joined #openstack-keystone13:58
*** petertr7_away is now known as petertr714:01
*** Nirupama has quit IRC14:05
*** henrynash has joined #openstack-keystone14:06
*** ChanServ sets mode: +v henrynash14:06
*** ninag has joined #openstack-keystone14:06
*** daemontool has joined #openstack-keystone14:10
*** csoukup_ has quit IRC14:12
henrynashsamueldmq: hi14:14
*** jistr|mtg is now known as jistr14:20
*** su_zhang has joined #openstack-keystone14:23
*** vgridnev_ has quit IRC14:27
*** vgridnev_ has joined #openstack-keystone14:27
*** daemontool has quit IRC14:27
*** fhubik is now known as fhubik_brb14:43
*** fhubik_brb is now known as fhubik14:43
*** fhubik is now known as fhubik_brb14:49
*** fhubik_brb is now known as fhubik14:49
*** anteaya has quit IRC14:49
*** samueldmq has joined #openstack-keystone14:51
*** tyagiprince has quit IRC14:52
ayoungwhat is the thing for adding release notes again?14:54
*** anteaya has joined #openstack-keystone14:54
bknudson_ayoung: reno14:54
*** pushkaru has joined #openstack-keystone14:54
*** jsavak has quit IRC14:55
ayoungbknudson_, going to be really confusing when we choose that as the name of the R release in OpenStack14:55
*** slberger has joined #openstack-keystone14:55
*** jsavak has joined #openstack-keystone14:56
*** fhubik is now known as fhubik_brb14:57
openstackgerritTom Cocozzello proposed openstack/keystone: WIP Deprecate Saml2 auth plugin
*** fhubik_brb is now known as fhubik15:02
*** fhubik is now known as fhubik_brb15:07
*** henrynash has quit IRC15:08
*** csoukup_ has joined #openstack-keystone15:10
*** jed56 has joined #openstack-keystone15:13
*** ajayaa has joined #openstack-keystone15:14
*** ajayaa has quit IRC15:14
*** ajayaa has joined #openstack-keystone15:15
*** boris-42 has joined #openstack-keystone15:16
*** timcline has joined #openstack-keystone15:19
*** jsavak has quit IRC15:22
*** jsavak has joined #openstack-keystone15:23
*** sigmavirus24_awa is now known as sigmavirus2415:24
*** jbell8 has joined #openstack-keystone15:25
*** fhubik_brb is now known as fhubik15:26
*** samueldmq has quit IRC15:30
*** doug-fish has joined #openstack-keystone15:39
*** iurygregory has quit IRC15:53
*** jgriffith_away is now known as jgriffith16:00
*** gildub has quit IRC16:02
*** vgridnev_ has quit IRC16:02
*** diazjf has joined #openstack-keystone16:03
*** roxanagh_ has joined #openstack-keystone16:03
*** woodster_ has joined #openstack-keystone16:05
*** jorge_munoz1 has joined #openstack-keystone16:13
*** jorge_munoz1 has left #openstack-keystone16:13
*** jorge_munoz1 has joined #openstack-keystone16:13
*** spzala has quit IRC16:17
*** spzala has joined #openstack-keystone16:18
*** diazjf has quit IRC16:21
*** diazjf has joined #openstack-keystone16:22
*** spzala has quit IRC16:22
*** spzala has joined #openstack-keystone16:24
*** belmoreira has quit IRC16:28
*** iurygregory has joined #openstack-keystone16:38
*** mgarza_ has joined #openstack-keystone16:39
*** cdent has quit IRC16:41
*** iurygregory has quit IRC16:45
*** iurygregory has joined #openstack-keystone16:46
*** ktychkova_ has quit IRC16:47
*** ktychkova has joined #openstack-keystone16:48
*** su_zhang has quit IRC16:53
*** spandhe has joined #openstack-keystone16:56
*** EinstCrazy has quit IRC16:56
*** henrynash has joined #openstack-keystone16:57
*** ChanServ sets mode: +v henrynash16:57
*** jistr has quit IRC16:57
*** belmoreira has joined #openstack-keystone16:57
*** _cjones_ has joined #openstack-keystone16:58
*** _cjones_ has quit IRC16:58
*** _cjones_ has joined #openstack-keystone16:58
*** _cjones_ has quit IRC16:58
*** e0ne has quit IRC16:59
*** _cjones_ has joined #openstack-keystone16:59
*** phalmos has joined #openstack-keystone17:00
*** rderose has joined #openstack-keystone17:00
*** gyee has joined #openstack-keystone17:01
*** ChanServ sets mode: +v gyee17:01
*** itlinux has quit IRC17:02
*** fhubik is now known as fhubik_brb17:02
*** phalmos has quit IRC17:03
*** dims has quit IRC17:04
*** dims has joined #openstack-keystone17:06
*** fhubik_brb is now known as fhubik17:09
*** fhubik has quit IRC17:11
*** dims has quit IRC17:12
*** sinese_ has quit IRC17:13
ninaghi..worked for in17:14
*** drjones has joined #openstack-keystone17:16
*** _cjones_ has quit IRC17:16
*** mvk_ has quit IRC17:16
*** dims has joined #openstack-keystone17:18
stevemardstanek: it felt good to clean out all those specs and blueprints :)17:18
*** drjones has quit IRC17:20
*** _cjones_ has joined #openstack-keystone17:21
*** samueldmq has joined #openstack-keystone17:21
*** mhickey_ has quit IRC17:21
dstanekstevemar: we should declare bug and bp bankruptcy and delete them all. it's usually better to start over anyway.17:23
*** _cjones_ has quit IRC17:23
*** _cjones_ has joined #openstack-keystone17:24
*** jgriffith is now known as jgriffith_away17:25
notmorgandstanek: hehe17:28
openstackgerritClenimar Filemon Sousa proposed openstack/keystone: Allow deleting specific project assignment type
*** jgriffith_away is now known as jgriffith17:39
*** belmoreira has quit IRC17:45
*** rderose has quit IRC17:45
*** jaosorior has quit IRC17:46
*** richm has quit IRC17:48
*** pnavarro has quit IRC17:49
openstackgerritSteve Martinelli proposed openstack/pycadf: Adding ironic api specific audit map configuration
openstackgerritSteve Martinelli proposed openstack/pycadf: Adding ironic api specific audit map configuration
openstackgerritTom Cocozzello proposed openstack/keystone: WIP Deprecate Saml2 auth plugin
samueldmqhenrynash: hi17:55
henrynashsamueldmq: hi17:55
samueldmqhenrynash: just saw your comment on
samueldmqhenrynash: makes sense, was going to argue the same in that case17:56
samueldmqhenrynash: BTW, I'd like to discuss with you about the policy changes ...17:56
henrynashsamueldmq: Ok…:-017:56
samueldmqhenrynash: hehe17:58
samueldmqhenrynash: so, what kind of admins do we want ?17:58
samueldmqhenrynash: for our cloudsample policy17:59
*** jorge_munoz has quit IRC17:59
samueldmqhenrynash: cloud admin (or global admin); domain admin and project admin17:59
samueldmqright ?17:59
*** jorge_munoz1 has quit IRC17:59
henrynashI would say so17:59
*** su_zhang has joined #openstack-keystone17:59
*** richm has joined #openstack-keystone17:59
samueldmqhenrynash: so, domain admin and project admin always need a scope check18:00
henrynashsamueldmq: indeed18:00
samueldmqhenrynash: i.e, the domain admin must be acting on his domain; same for project admin18:00
samueldmqhenrynash: ok, so if we put the scope check in the code, that behavior is kept for them18:00
henrynashsamueldmq: but what if the target can be either global or domain specific18:01
*** su_zhang has quit IRC18:01
samueldmqhenrynash: didn't get it18:02
henrynashhow do you say the domain scope can be ignored if the target is global, but must be enforced if domain specific?18:02
samueldmqhenrynash: what is a global target ?18:02
henrynashlike a role18:02
*** su_zhang has joined #openstack-keystone18:02
samueldmqonly cloud admin should be able to touch global things18:03
henrynashcan be global or domain specific - and different rules apply depending on which it is18:03
henrynashnot true!18:03
samueldmqif roles are domain specific, check for domain scope18:03
samueldmqif roles are global, check for cloud admin (global scope)18:03
henrynasha domain admin and a project admin can see, list global roles…but can only see/list domain specific ones if they are from their own domain18:03
samueldmqdoesn't that make sense ?18:03
*** richm has quit IRC18:04
*** diazjf has quit IRC18:04
samueldmqyes, and we can skip scope check for operations that make sense18:04
samueldmqsuch as list roles (global)18:04
*** sinese has joined #openstack-keystone18:04
samueldmqhenrynash: the rationale is that people don't need to customize the role check, we put defaults in the code that make sense18:05
samueldmqhenrynash: they will only customize ROLES18:05
*** su_zhang has quit IRC18:07
*** su_zhang_ has joined #openstack-keystone18:07
*** petertr7 is now known as petertr7_away18:07
henrynashsamueldmq: so I get that we don’t want the rule writer to have to know where to find the project/domain ID for a type of call (e.g. its a get, so its a parameter, its a list so its a filter, its a delete its in the target)...18:07
henrynashsamueldmq: putting that in code makes a lot of sense to me....18:08
*** jasonsb has quit IRC18:08
samueldmqhenrynash: that's another benefit18:08
henrynashsamueldmq: I’m just concerned we are somehow opinionating the rest of the check…and I am very uneasy about that18:08
samueldmqhenrynash: and changing scope checks isn't easy; just changing roles is safe18:09
samueldmqhenrynash: nova, for example, checks project matches for all its calls18:09
samueldmqhenrynash: keystone is a bit different, because not all resources are tied to projects18:10
samueldmqhenrynash: so the idea is: check for project for resources that are under projects; same logic applies for domains18:10
samueldmqhenrynash: and admin_project (global admin / cloud admin) doesn't have any scope check18:11
henrynashsamueldmq: and how do you override the standard checks (from the policy file)?18:11
samueldmqhenrynash: how the new policy would look like ?18:12
henrynashsamueldmq: say I don’t want the checks in the code and I want my policy rule to win, how do I do that18:12
*** jorge_munoz has joined #openstack-keystone18:12
samueldmqhenrynash: your policy is the source of truth for RBAC (role checks)18:13
samueldmqhenrynash: sorry you can't change scope checks18:13
henrynashsamueldmq: hmmm18:13
henrynashsamueldmq: that troubles me18:14
samueldmqhenrynash: if you need to change scope checks, you're probably opening security holes in your cloud ?18:14
henrynashsamueldmq: Not sure I accept that, you mean keystone v3cloudsample is insecure?18:14
henrynashhow so?18:14
samueldmqhenrynash: not that it is insecure, but hard to write and we'll want the same level of security18:15
samueldmqhenrynash: and also the default policy would become secure (with scope checks) all of a sudden18:15
samueldmqhenrynash: and btw how scope checks should make sense would be information to be extracted from our current v3cloudsample18:16
henrynashas it would if we made v3cloudsample the default (which I thought was the plan)18:16
henrynashI remain very very skeptical18:17
henrynashfor keystone especially18:17
henrynashI can imagine many different versions of v3cloudsample that deployers might want….I don’t see how we code for them all18:17
*** lhcheng has joined #openstack-keystone18:18
*** ChanServ sets mode: +v lhcheng18:18
notmorganayoung: i remain unconvinced endless deep implied roles vs a flat level of implied roles buys us anything except massive complexity. i am not blocking your api, just like you don't believe we need SQL enhancements, i'm skeptical that the implied roles of implied roles of implied roles adds any real value18:18
henrynash(i remain a very bad speller too)18:18
samueldmqhenrynash: if you want to do something in a project; you MUST have a token scoped to it18:18
samueldmqsame is valid for domain18:18
samueldmqif you have superpowers (global admin) forget the two sentences above18:18
henrynashsamueldmq: that’s our view of it18:18
*** lhcheng_ has joined #openstack-keystone18:18
samueldmqhenrynash: should that differ for other views ?18:19
notmorganayoung: this is following up on the review i promised even though it was already approved. so far there appears to be a few minor followups needed. but nothing that would have justified a -118:19
henrynashsamueldmq: it should be up to the deployer18:19
*** jbell8 has quit IRC18:19
henrynashsamueldmq: maybe he wants to give domain admin super powers to everything in that domain and is the same as project admin, except for apis 1, 2 and 318:20
samueldmqhenrynash: so we allow the deployer to define whether its authz implements scope isolation or not18:20
*** jsavak has quit IRC18:20
henrynashsamueldmq: we do today18:20
samueldmqhenrynash: so I guess other projects don't18:20
*** iurygregory has quit IRC18:20
*** timcline has quit IRC18:20
samueldmqhenrynash: why are we special ?18:20
henrynashsamueldmq: (well they do, but by mistake :-) )18:20
notmorganayoung: also ftr, i don't really like the config that only one role can't be an implied role, before mitaka rolls out i would like that to be a list opt18:21
notmorganif we are using that pattern18:21
samueldmqhenrynash: so would it make sense for nova to allow one with a project scoped token to touch any project ??18:21
*** timcline has joined #openstack-keystone18:21
henrynashsamueldmq: ok, I gotta run, sadly, I’ll mull on it some more…just feels to me like we are taking away flexibility18:22
*** lhcheng has quit IRC18:22
samueldmqhenrynash: sure, talk to you later18:22
openstackLaunchpad bug 1541540 in OpenStack Identity (keystone) "Implied role "root_role" config needs to be expanded" [High,Triaged] - Assigned to Adam Young (ayoung)18:24
notmorganayoung: also what is the correct pattern if someone changes that value and restarts keystone?18:24
*** e0ne has joined #openstack-keystone18:24
notmorganayoung: i think this needs to be not a config-time option.18:25
notmorganayoung: but possibly some element of the role itself18:25
notmorganayoung: and if you make it non-imply-able the system needs to strip it out of implied roles.18:25
*** jsavak has joined #openstack-keystone18:26
notmorganhenrynash: we are too flexible for our own good. fwiw the volume of "we are everything to everyone" is a detriment to openstack as a whole.18:28
notmorganhenrynash: we do a lot of stuff poorly and nothing very very well18:28
notmorgansome things are "ok-ish"18:28
* notmorgan is a fan of dropping flexibility for consistency18:28
notmorganstevemar: fwiw the config option is a bad pattern.18:29
openstackLaunchpad bug 1541540 in OpenStack Identity (keystone) "Implied role "root_role" config needs to be expanded" [High,Triaged] - Assigned to Adam Young (ayoung)18:29
*** vgridnev has joined #openstack-keystone18:31
stevemarnotmorgan: list is good18:33
ayoungnotmorgan, I suspect the right degree of abstraction will be about 3 deep.18:33
ayoungat the lowest level is the operation18:33
ayoungat the top level is the role assigned to the user18:33
ayoungin the middle is the workflows18:33
samueldmqnotmorgan: yes; I agree with you, but as we already are too flexible at this point, I am planning an intermediate solution18:34
notmorganayoung: right i might want to see us add a limit option in. but i want to talk that over before we decide the exact limit if so18:34
ayoungnotmorgan, I'm OK with saying more than one role is excluded.  I think I went back and forth on that 2-3 times before opting for the simpler one, but that was due to test burden, not design18:34
stevemaryowza, check queue is at 38218:35
notmorganayoung: right. i would rather not have the option in config at all and add the limit into the api next cycle fwiw18:35
samueldmqnotmorgan: split the policy file into 2 (scope and role checks); ask in the ML if anyone is customizing the scope checks; be sure no one is; then remove the file18:35
samueldmqnotmorgan: should have the same result18:35
notmorganayoung: the config file option makes my skin crawl.18:35
ayoungnotmorgan, As a property of the role itself?  Sure!18:35
notmorganayoung: absolutely! on the role itself as the way i'd go for it18:35
notmorganayoung: :)18:35
notmorganayoung: that way it's not crossing CMS vs API18:36
notmorganayoung: specifically that is the issue i have with the config option, the "it needs to be one and only one" is a side effect we could solve if making it a role property is too hard18:36
ayoungnotmorgan, let's work up the API spec change.  If we can all agree on what it should look like, I think it would be a safe addition for Mitaka, and not too hard to implement.  If not...we have something that will cover the delta for now18:37
notmorganayoung: ++18:37
notmorganayoung: i filed this as a bug since it felt like it was the right approach, feel free to punt it out of m-3 if we can't agree.18:38
notmorganayoung: i think going with the simplest option is "attribute on the role"18:38
*** jbell8 has joined #openstack-keystone18:38
ayoungnotmorgan, I think I can get behind it, just might need to get someone else to implement so I can approve!18:38
notmorganthankfully it really is a simple set of changes and a new "optional" attribute18:39
ayoungnotmorgan, did I mention Keystone HTTPD for Tripleo passed CI, to include HA18:39
*** su_zhang_ has quit IRC18:39
notmorganayoung: you did18:39
ayoungnotmorgan, it makes me happy18:39
notmorganayoung: i was half asleep and couldn't be excited when you said it originally18:40
*** su_zhang has joined #openstack-keystone18:40
*** jsavak has quit IRC18:40
notmorganayoung: also i just need to fix a grenade issue18:40
notmorganayoung: admin_token_auth should be ready to die officially :)18:40
*** jsavak has joined #openstack-keystone18:40
ayoungnotmorgan, so one thing bothering me is how to enforce that admin_project_id gets set before we start pushing it into the policy files for all the other services18:41
*** mvk_ has joined #openstack-keystone18:41
ayoungis that something we could use bootstrap to do?18:41
ayoungI don't want to have to make the change in Keystone, and then devstack, then the puppet modules, and then tripleo....18:42
notmorganayoung: yep18:42
notmorganwe can make bootstrap do things like that18:42
ayoungnotmorgan, are we planning on using bootstrap to update config on upgrade, too?18:43
notmorganit is in-fact exactly what bootstrap should do. get the basic things in place for setting up your cloud18:43
notmorganayoung: keystone.conf? no.18:43
notmorganoh wait..18:44
notmorganno sorry, bootstrap can't do that18:44
notmorganbootstrap is only able to do API/manager interactions18:44
*** clenimar has quit IRC18:44
notmorganmaybe we should bootstrap in an "admin" [like default domain] id'd project as the admin_project_id default?18:45
*** doug-fish has quit IRC18:45
*** jsavak has quit IRC18:46
notmorganso it would have a non-uuid id, like _OpenStack_Admin_Project_18:46
* notmorgan is unsure on that front.18:46
*** jsavak has joined #openstack-keystone18:46
stevemarnotmorgan: what exactly is being removed in the O release here?
*** csoukup_ has quit IRC18:47
notmorganstevemar: admin_token_auth, the stubs for all the former contribs18:48
notmorganstevemar: doubling down on bootstrap and "use real users"18:49
*** diazjf has joined #openstack-keystone18:49
notmorganstevemar: i expect to also have authcontext, url_normalize, and json_body be rolled in baseline [so stubs for those removed too]18:49
*** esp_ has joined #openstack-keystone18:51
*** browne has joined #openstack-keystone18:52
*** jgriffith is now known as jgriffith_away18:53
*** mc_nair_ has joined #openstack-keystone18:55
*** mc_nair_ is now known as mc_nair18:56
*** jgriffith_away is now known as jgriffith18:57
stevemarnotmorgan: we really need to publish the compat APIs better18:58
stevemarin our specs repo18:58
*** esp_ has quit IRC18:58
ayoungnotmorgan, this is the problem with our policy stuff in general.  We can build all the required features, but then have no way to distribute them, and get a catch 22 trying to do so.19:01
notmorganstevemar: you mean EC2 and S3?19:03
notmorganstevemar: and yes. we need to doc them better19:03
stevemarnotmorgan: yes19:03
notmorganstevemar: inc. in specs repo19:03
stevemarnotmorgan: is there a spot where the APIs were doc'ed before?19:03
notmorganstevemar: unlikely19:03
*** browne has quit IRC19:03
stevemarnotmorgan: same with simple cert19:03
notmorganstevemar: ignore simple_cert... it's dying :P19:04
notmorganbut before this cycle, i'd agree19:04
*** samueldmq has quit IRC19:05
notmorganayoung: so.. if we made "admin project" or "domain" not wedged in the config file...19:05
notmorganayoung: [not really advocating this, but thinking out loud]19:05
stevemarnotmorgan: left one comment on ec2 to get it passing grenade19:05
notmorganstevemar: yeah hadn't circled up on that yet, was on my short list19:05
ayoungnotmorgan, yep...19:05
*** browne has joined #openstack-keystone19:05
notmorganayoung: it makes it bootstrappable, and we can do a keystone-manage upgrade19:06
*** mylu has joined #openstack-keystone19:06
ayoungnotmorgan, then it becomes something we can change at run time, but we still would not know, on an existing deployment, which one to indicate is the admin domain/project19:06
notmorganayoung: no, but we wouldn't need to encode it in <X> id19:07
notmorganjust <does auth_context have "admin_flag">19:07
*** csoukup_ has joined #openstack-keystone19:07
notmorganayoung: but we could make it easier to handle19:07
*** diazjf has quit IRC19:08
notmorganayoung: and we could make keystone-manage upgrade handle the db_sync [make db_sync say "nope, do upgrade instead"]19:09
notmorganayoung: which then it would verify a project/domain was specified for "admin"19:09
notmorganayoung: it's a lot of moving bits. but it could be done.19:10
notmorganayoung: and it squashes another CMS vs API config boundary cross.19:10
notmorganayoung: not sure if this is even remotely a good idea though19:10
notmorganayoung: and KSM can populate the _is_admin_context_ from the token directly as a top-level attr/header19:11
notmorganayoung: at least that is what my gut says when i think about how to approach that19:11
*** jbell8 has quit IRC19:12
*** jbell8 has joined #openstack-keystone19:12
*** petertr7_away is now known as petertr719:14
openstackgerritMorgan Fainberg proposed openstack/keystone: Move EC2 extension to core
*** esp_ has joined #openstack-keystone19:17
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate admin_token_auth
*** jgriffith is now known as jgriffith_away19:18
*** weshay_xchat has joined #openstack-keystone19:19
weshay_xchatayoung, ping.. looking for the setting to change the keystone auth version in openstack rc file.. is there such a env variable.. e.g. like export COMPUTE_API_VERSION=1.119:20
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate admin_token_auth
*** esp_ has quit IRC19:21
openstackgerritMerged openstack/keystone: Implied Roles API
notmorganstevemar: ^ all corrected.19:23
*** roxanagh_ has quit IRC19:29
*** jgriffith_away is now known as jgriffith19:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** su_zhang has quit IRC19:32
*** su_zhang has joined #openstack-keystone19:33
*** su_zhang has quit IRC19:33
*** su_zhang has joined #openstack-keystone19:34
*** e0ne has quit IRC19:35
*** daemontool has joined #openstack-keystone19:38
ayoungweshay_xchat, IDENTITY_API_VERSION19:39
weshay_xchatperfect. thanks!19:39
ayoungnotmorgan, I'm reading up called in to a meeting19:40
*** su_zhang has quit IRC19:40
notmorganayoung: no worries19:42
notmorganayoung: i was doing laundry and packing19:43
ayoung keystone-manage upgrade19:43
ayoungyeah, I think that is what I want19:43
*** vgridnev has quit IRC19:43
notmorganbut not something that touches .conf, it would have the same requirement as bootstrap19:43
*** boris-42 has quit IRC19:43
ayoungnotmorgan, its always questionable with config options, of course.  We have a puppet based install process, and that overwrites config changes19:43
notmorgancan act on managers/db/etc19:43
notmorganthough to be fair, upgrade would need to know state of things, so it would need something like Alembic19:44
notmorganor sql-a-migrate to know what upgrade steps have occured19:44
notmorganjust in concept for ordering, so upgrades aren't re-run, unless the upgrade will always be idempotent19:45
notmorganand can verify that things are "sane"19:45
*** su_zhang has joined #openstack-keystone19:46
*** mgarza__ has joined #openstack-keystone19:50
*** daemontool has quit IRC19:51
*** daemontool has joined #openstack-keystone19:53
*** mgarza_ has quit IRC19:53
ayoungDB upgrade is Idempotent.  It should be something comparable I think19:55
*** samueldmq has joined #openstack-keystone19:55
ayoungI need to lay out the use cases:19:55
ayoung1. new install, devstack19:55
ayoung2. New install, Tripleo19:55
ayoung3. Upgrade Tripleo19:55
ayoungI think if I can get an answer for those three, I'll be solid19:56
*** jsavak has quit IRC19:58
*** jsavak has joined #openstack-keystone19:58
*** vgridnev has joined #openstack-keystone20:02
ayoungImplied Roles merged.  W00t!20:05
samueldmqayoung: manager + API ?20:07
ayoungsamueldmq, ^^ yep20:08
*** diazjf has joined #openstack-keystone20:08
*** timcline has quit IRC20:09
samueldmqayoung: nice, congrats :D20:09
*** diazjf has quit IRC20:09
*** timcline has joined #openstack-keystone20:09
ayoungsamueldmq, productive day20:10
samueldmqayoung: ++20:10
*** jsavak has quit IRC20:16
tjcocozzbknudson_, do you have time to meet to walk through the keystoneclient?20:17
*** jsavak has joined #openstack-keystone20:17
ayoungsamueldmq, now I need to stop and think through the backlog of stuff that is possible with the tools we've gotten into this release, and figure out how to use them20:18
*** diazjf has joined #openstack-keystone20:18
*** mgarza__ has quit IRC20:19
samueldmqayoung: perfect20:20
samueldmqayoung: and we need to figure out what tools make sense to come together in a single cycle20:21
samueldmqayoung: in policy, for example, it should be nice to get add of scope checks that allow for global admin20:21
samueldmqayoung: in addition to the admin_project thing, that ensures back compat in the case anyone still want global admin20:22
notmorgansamueldmq: don't rush it. don't hesitate to land basic functionality and build on it.20:22
notmorgantrying to land "everything in a single cycle" nets broken20:22
notmorganin almost every case20:22
notmorganso focus on basic needs with real use-case20:22
notmorganand clearly think hard as an end user "does this make using openstack better or worse"20:23
*** mylu has quit IRC20:23
ayoungsamueldmq, I do need to loop back around on "request a token with a specific role"20:23
notmorganbecause if it's rough for deployers but easy for users, deployers can work around it.20:23
samueldmqnotmorgan: yes, so what ayoung said really makes sense20:23
ayoungand make sure that works with implied roles20:23
samueldmqnotmorgan: look at the tools and plan the backlog carefully20:23
notmorganif it's terrible for end users and great for deployers, no one will want to use it20:23
ayoungand that is dependent on getting Fernet stable20:24
notmorganayoung: i would fix service->service first too20:24
notmorganbecause right now having a token with role "X" is suspect20:24
notmorganbecause knowing the depth of what role X is is very hard20:24
ayoungnotmorgan, service to service meaning Nova to Glance etc for boot, long running tasks, token expiry, that whole mess?20:25
samueldmqnotmorgan: what's that ? communication between services should need a token ?20:25
notmorganayoung: yep20:25
notmorgansamueldmq: basically no token for service to service20:25
samueldmqhow's that supposed to be fixed ? certs ?20:25
notmorganstop using the user's authz for nova to glance20:25
notmorganwell first, certs, but second, the "can i do this?!" check every step of the way is pointless20:25
ayoungnotmorgan, so, no token, but instead a role assignment ID that can be verified.  Unified delegation was my take on that20:26
notmorgancheck to see if the user can boot an instance, if so, the rest is authorized20:26
ayoungif I call Nova with a "Member" token20:26
*** mylu has joined #openstack-keystone20:26
notmorganayoung: unified delegation doesn't really solve it, that solves the end user UX side, which i'm fine with20:26
ayoungwhen Nova calls glance, it would pass along "userid=ayoung, role_assignment=<uuid that means member on project>20:26
notmorgani don't want to need to "delegate" to nova the whole stack20:26
notmorganor even need to construct magic to make it work20:26
ayoungnah, it is just a shorthand way of saying "adam has role r on project p"20:27
ayoungbut we could pass those on separately and it would still work20:27
notmorgani actually want glance to not ask keystone20:27
ayoungso pass on a tuple "userid, project, role"20:27
notmorganfor the user authz [as an extreme take]20:27
ayoungnah, you have to20:27
notmorganyou don't20:27
stevemartjcocozz: did bknudson_ walk you through?20:27
notmorganyou need to know nova is allowed to make this request20:27
stevemartjcocozz: there's a lot of cruft that's being removed there20:28
notmorganyou don't need to ask keystone every step of the way if this was allowed.20:28
ayoungnotmorgan, it fails on multi-jump calls20:28
bknudson_stevemar: tjcocozz is here right now20:28
ayoungnova knows what it is going to call on glance, but does not know that glance is going to call swift20:28
notmorganayoung: that is the part i want to focus on, having to still ask keystone every step is stupid.20:28
bknudson_keystone CLI has some wacky code that looks up every method that starts with "do_"20:28
notmorganit doesn't matter20:28
notmorganyou gate on the user->service call20:28
notmorganthe rest has to be allowed20:28
samueldmqnotmorgan: ayoung: actually the token could be passed in, just for getting info from it (such as scope and roles), but glance wouldn't need to validate it if nova already did20:28
stevemarbknudson_: it sure does!20:28
samueldmqright ?20:28
notmorganyou auth "boot instance"20:28
bknudson_I guess everybody loves the keystone CLI and doesn't want to use openstack CLI20:29
notmorgannot "boot instance", "glance" "swift" etc.20:29
bknudson_also they don't want to use identity v3.20:29
ayoungnotmorgan, ok...lets play this out20:29
ayoungI think it will work:20:29
stevemarbknudson_: they also don't want domains or groups20:29
notmorganayoung: now, quickly - i am saying we need to have a way to know for sure it was service->service not user->service [that is still to know if the path works]20:29
notmorganand if we need to ask keystone :)20:29
notmorganayoung: ok lets wargame it20:29
ayoungnova records the roles in the token that it has validated, and passes on the validated token body when it calls glance, along with "I can do this, I am Nova" cert20:30
stevemartjcocozz: in the only bits you have to be concerned with are v2_0 and v3, you can ignore the rest :)20:30
ayoungwe drop service catalog for size20:30
stevemarand i guess fixture :P20:30
* tjcocozz is looking now20:30
notmorganyes, catalog is dropped glance keeps its own copy of it if it's needed20:30
ayoungand we pass roles in ID-only form to keep it from getting too huge20:30
ayoungso now all glance has to do is the policy check with the data that it was passed20:30
notmorganand glance verifies nova has passed this on.20:30
*** timcline_ has joined #openstack-keystone20:30
notmorganand glance can take the same bundle of data, and pass it on to swift with the "hey i am glance"20:30
notmorganif needed20:31
ayoungOK...that should work.  How do we separate the Nova user from the human users?  Safely?20:31
samueldmqnotmorgan: ayoung: how does glance know the request came from service and not user ?20:31
samueldmqjust checking if the call was using service certs ?20:31
notmorganayoung: ideally i'd use the x509 with hard cert validation on the CA [client certs]20:31
notmorganayoung: as the default mode. but at the least we could so service token20:31
*** jsavak has quit IRC20:31
tjcocozzstevemar, what got me was it was reading in the command from the cli and str replacing '-' with '_' and starting it with 'do_'.  made it very hard to walk through the code.20:32
notmorganayoung: and encode in a safe way this is a service user.20:32
notmorganayoung: ideally client certs solves it all 100%20:32
notmorganbut not everyone will relish the thought of client certs =/20:32
notmorganand i concede that we need a non-x509 story.20:33
*** timcline has quit IRC20:33
stevemartjcocozz: like i said just worry about v2_0 and v3 :P20:33
stevemarthe rest of the directories are being removed (aside from fixtures and tests)20:33
*** jsavak has joined #openstack-keystone20:33
notmorganayoung: the next step after that setup becomes "what is nova allowed to do on glance" which we can start determining and turning those screws down rather than "nova is allowed to call glance"20:34
notmorganbut the first step is getting it so we can either skip keystone or only need 1 keystone "request" vs 2 for svc->svc20:34
tjcocozzstevemar, I will have to put my blinders on when i am working with the client :p20:34
notmorgansamueldmq: ^20:34
samueldmqnotmorgan: looks like we miss something to define workflow in openstack20:34
notmorgansamueldmq: not really,20:34
samueldmqnotmorgan: like, for running an instance, you need compute:create, glance:read_image, etc ..;20:35
notmorgansamueldmq: you only will ever need to check nova->glance20:35
notmorgannot nova->glance->swift if i get my way20:35
notmorgansince then you are checking glance->swift in isolation20:35
notmorganfor example20:35
notmorgansamueldmq: the "workflow" thing can be a series of warn/fails via policy checks20:36
*** phalmos has joined #openstack-keystone20:36
notmorgandoesn't need to be more complex than that to start. eventually we'll be able to track request_ids too.20:36
samueldmqnotmorgan: and even a tool to check against policy files (like cli tool)20:36
notmorganbut first step: svc -> svc only checking the service data is valid, not passing the user's authz on20:36
samueldmqnotmorgan: warning if you are able to compute:create but you can't even read an image20:37
samueldmqnotmorgan: ++20:37
notmorgangetting clients and services on KeystoneAuth and having KSM drop the data in oslo.context will make this all super easy20:37
samueldmqnotmorgan: how should we do it ? making keystonemiddleware instance trust each other ?20:37
samueldmqgiven that each service has a ksmiddleware on it ?20:38
notmorganso, get the clients on keystoneauth and using OCC20:38
notmorganthat way i can work "around" needing to change nova's code to prove it/test it20:38
samueldmqocc == oslo context ?20:38
stevemartjcocozz: yeah, the auth directory is now keystoneauth20:38
samueldmqgot it20:38
ayoungnotmorgan, OK...let's think about "what is nova allowed to do on glance"20:39
stevemartjcocozz: generic is just more keystone CLI20:39
notmorgansamueldmq: step 2: finish jamielennox|away 's work to have KSM drop auth context data sanely in oslo.context's thread.local20:39
ayoungwe have the Service token that would go separate from the user auth data20:39
notmorgansamueldmq: step 3, new auth plugin that shows this all works. and then step 4, limit what Service A can do to Service B so it's not just "wide open"20:39
ayoungso, again, if we split policy, we are talking about stuff that can be encapsulated in middleware20:40
notmorganayoung: X-Service-Token i think.20:40
*** cdcasey has joined #openstack-keystone20:40
notmorganayoung: aye.20:40
*** su_zhang has quit IRC20:40
samueldmqayoung: yep20:40
ayoungrole check only, does not need the actual resource from the DB20:40
notmorganayoung: and this is just "can i call", not "can i act on resource"20:40
ayoungwhat if we use dynamic policy just for that20:40
samueldmqnotmorgan: nice, I need to know more about oslo.context20:40
ayoungsay that we have a policy file for RBAC only20:40
tjcocozzstevemar, why are they split when in the end they are both talking to keystone?20:40
samueldmqnotmorgan: what a service will be passing to other service will be that oslo.context (encrypted) ?20:41
ayoungfetched from Keystone, based on Endpoint URL20:41
notmorganayoung: i'm not super concerned if it's dynamic policy or just basic policy20:41
stevemartjcocozz: why was what split?20:41
notmorgani'd like both to work20:41
notmorganto be honest20:41
tjcocozzstevemar, yes20:41
notmorganthere is no reason this can't work both ways.20:41
ayoungnotmorgan, right...anything dynamic can be done statically, except for all the issues on upgrade...20:41
samueldmqnotmorgan: I agree this service -> service is a more important issue now20:41
tjcocozzstevemar, lol keystoneauth and keystoneclient20:41
ayoungso, we have a service-policy.json20:42
notmorganayoung: aye20:42
ayoungreally it would just be an enumeration of the calls that a service user is allowed to make20:42
stevemartjcocozz: in most cases the other openstack services, like nova and cinder, etc... just want to auth with keystone, not perform any CRUD operations20:42
stevemartjcocozz: auth is a heavy enough library that it should stand on it's own20:43
ayoungwe could get that data back when validating the service users token20:43
samueldmqnotmorgan: should I write a spec for that ?20:43
notmorgancould be done with a stacked policy (static) where you get a logical or between the columns, and the service user isn't given any allowance in the normal roles20:43
stevemartjcocozz: if someone wants CRUD support for our APIs, they can use keystoneclient20:43
bknudson_keystoneclient should be pretty lean once we take out the cli20:43
stevemartjcocozz: projects like openstackclient and horizon would still use keystoneclient20:43
notmorganbknudson_: +++++++20:44
stevemarbknudson_: zomg, so lean20:44
stevemarbknudson_: i have 2 patches queued up for removing cruft from ksc20:44
bknudson_even now it's pretty lean20:44
notmorganayoung: it's pretty straightforward i think to break user->svc and svc->svc20:44
tjcocozzstevemar, oh cool. that makes sense.  I think i need some more practice with using the keystoneauth and client from the other projects point of view20:44
stevemarbknudson_: and
bknudson_we only have stevedore because of apiclient?20:45
notmorganthe hard part is getting everyone on ksa and clients on ksa/occ20:45
notmorganmost services are already on ksa iirc20:45
stevemarbknudson_: and jamielennox posted this whole chain too
bknudson_stevemar: on you should be able to remove stevedore from requirements.txt20:45
notmorganheat is not on KSA, but heat is special.20:46
*** gordc has quit IRC20:46
ayounglets say anything that comes in with an X-Service-Token goes into a different policy check20:46
ayoungand it looks like this:20:46
ayoungdefault: Deny20:46
ayoungcompute_blah: role:service20:46
notmorganayoung: as phase 2, yes.20:46
ayoungnah, as phase one20:46
notmorganno, phase 1 is scaffolding20:46
ayoungthat path can be done from middleware20:47
notmorganneed ksm to populate userdata20:47
notmorganand we need everyone on ksa/occ20:47
notmorganwithout that it's going to be hard to be consistent workable20:47
stevemarbknudson_: probably, i haven't gotten around to looking at cleaning up reqs20:47
notmorganphase 2 is def. separate policy for svc user20:47
ayoungnotmorgan, OK, we call that phase 1, service token policy stage 220:47
stevemarbknudson_: looks like it's still used here:
ayoungnotmorgan, we could fetch the service token policy from Keystone20:48
notmorganbecause with stage 1, we can duplicate 100% of today easily and skip a bunch of overhead.20:48
stevemarbknudson_: you can comment on all those if you want :]20:48
bknudson_stevemar: then move it into test-requirements.txt20:48
stevemartru tru20:48
notmorganayoung: i'm fine with both modes. i just want to be sure this doesn't require dynamic policy20:48
ayounglet's say we create a special policy file with an id of _service_token_only.json20:48
*** su_zhang has joined #openstack-keystone20:48
ayoungnotmorgan, right, this is just to jumpstart deployment20:48
ayoungwe can do it manually, too20:49
stevemarit should just be six/keystoneauth/debtcollector/positional/requests/oslo stuff20:49
*** mylu has quit IRC20:49
notmorganayoung: yep. so lets talk what the enforcement looks like vs. "getting the policy to the endpoint"20:49
*** mylu has joined #openstack-keystone20:49
bknudson_remember when it had all sorts of middleware reqs?20:49
bknudson_that's what everyone really complained about20:49
notmorganso we have a new policy, _svc_token_only20:50
stevemarwe should probably drop oslo.serialization for regular 'import json', no sense is carrying that around if we're just using it for json20:50
notmorganstevemar: oslo json serializer is more intelligent20:50
ayoungsamueldmq, can you refresh your dynamic policy patches?20:50
notmorganbut it comes with msgpack overhead20:50
ayoungI think...we can use that approach20:50
stevemarnotmorgan: yes it is, yes it does20:50
ayoungsamueldmq, that was the policy check for Nova, but what if we modified it to fetch the policy external to the one from Nova...leave Nova alone, but add an additional fetch and check?20:51
stevemarnotmorgan: bknudson_ we're using it for trivial json loads/dumps...20:51
notmorganayoung: so, with this new policy file, wherever it comes from, the enforcement is Deny?20:51
notmorganayoung: and it's just an enumerate calls allowed by <identifier> [role_or_user]20:52
ayoungnotmorgan, yeah.  It is an additional Deny step on top of what the services ship themselves20:52
notmorganayoung: ok i think we might want to add a flat deny rule and flat accept [explicit] in oslo.policy DSL20:52
notmorganayoung: so we can say like iptables: Default DENY20:52
ayoungthe services then are OK to just focus on "does this project id match " and "does the user have any role"20:53
notmorganayoung: exactly.20:53
stevemarbknudson_: jamie has patches for deprecating plugins and adapter, they are in the same chain as deprecating session20:53
notmorganayoung: i need to think on the x509 story, cause we don't ask keystone there20:53
ayoungand we can put in a more complex "admin override" for henrynash 's use cases, too20:53
notmorganayoung: but we support x509 svc->svc iirc20:53
*** jbell8 has quit IRC20:53
ayoungX509 we support for calls from service to keystone only20:54
bknudson_stevemar: I know he does, but notmorgan -1d the chain.20:54
ayoungnot nova to neutron20:54
stevemarbknudson_: damn notmorgan!20:54
notmorganbknudson_: only until we are closer on the ksa conversion20:54
notmorgani don't want to emit DEPRECATED OMG20:54
notmorganon everything in the release20:54
stevemarnotmorgan: we've got nova and neutron moved over :P20:54
bknudson_might have to wait for N.20:55
notmorganheat, novaclient, barbicanclient, sahara, sahara-client, cinder, ec2-api (meh, they can fight for themselves)20:55
notmorganwe can get the core projects and clients over this cycle20:55
notmorganand then i'm ok with it20:55
notmorganbut if cinder, glance, and barbican are emitting deprecation warnings20:55
bknudson_projects just got on keystoneclient session and now they have to start over again.20:55
notmorganwe need to wait20:55
stevemarbknudson_: yeah =\20:55
*** dims has quit IRC20:56
bknudson_this is why everyone hates us.20:56
notmorganbknudson_: for the most part it's s/from keystoneclient import session/from keystoneauth1 import session/20:56
notmorganbknudson_: it's also why we ( mordred and I ) have been pushing the changes directly20:56
bknudson_he he : keystoneclient/ -- we can't even keep up!20:56
notmorganinstead of assuming the project would do it themselves20:56
ayoungNot true.  People hate me for many more reasons than just this.20:56
notmorganreally... WE JUST FIXED NEUTRON20:57
notmorgani want to break some fingers for that.20:57
notmorgani know we removed ksc from neutron when we did it20:57
notmorganthis means someone added it back in.20:58
notmorgani think we need a hacking check20:58
bknudson_new broken code is being added faster than we can remove it.20:58
stevemarnotmorgan: lol20:59
stevemarthats awesome20:59
bknudson_probably because there's no docs for keystoneauth --
bknudson_and the keystoneclient docs say to use keystoneclient session --
samueldmqayoung: so nova would need to fetch and apply neutron policy ?21:00
notmorganbknudson_: that ... i think is fixed.21:00
notmorganbknudson_: now.21:00
notmorganor should be in a soon-release(tm)21:00
ayoungsamueldmq, nah,21:00
ayoungif nova calls neutron, it calls it with the service token and the roles/userid from the user token that called it21:01
ayoungneutron fetches neutron policy for RBAC and executes it21:01
samueldmqayoung: or just executes the static policy as it is today21:01
ayoungsamueldmq, not "or"21:01
samueldmqayoung: this is separate from dynamic policy right ?21:01
ayoung"and it also executes static policy"21:02
samueldmqI think this was how to enforce policy, and not how do we get policy21:02
ayoungsamueldmq, dynamic policy is a layer on top of static policy. Both need to pass for an operation to execute21:02
*** diazjf has quit IRC21:02
samueldmqayoung: yes I know, but this whole mechanism we were talking with notmorgan about svc -> svc doesn't require anything from dynamic policy21:03
samueldmqit can be done with our current policies today, right ?21:03
*** phalmos has quit IRC21:03
ayoungsamueldmq, 2 stages21:03
ayoungtoday, we can't say "this is what you can do with a service token"21:03
ayoungbut we could modify ATM to allow a service token in, and trust that the authdata(roles) passed from the calling services are all valid21:04
ayoungso dynamic policy is an additional check for services, and can be an additional check for RBAC, too.21:04
samueldmqwhy do we need service tokens at all ? this makes me think services need to get a token in keystone21:05
samueldmqcouldn't we just make services trust each other ?21:05
*** su_zhang has quit IRC21:05
*** dims has joined #openstack-keystone21:05
notmorgandynamic policy can mix in21:06
notmorganbut it's not needed21:06
notmorgansamueldmq: there was a request to limit actions svc->svc21:06
notmorganwhich is fair21:06
notmorganbut i punt that to a stage 221:06
notmorganbecause we need scaffolding first to support it and be consistent21:07
samueldmqnotmorgan: that's how I see, dp is not a requirement for this at all21:07
*** mylu has quit IRC21:07
*** mylu has joined #openstack-keystone21:07
samueldmqnotmorgan: btw svc -> svc policy isn't something we want deployers to customize at all right ?21:07
notmorgansamueldmq: ideally no.21:08
notmorgansamueldmq: but i don't want to jump down that path until we have the stage one things on the way21:08
notmorganstevemar: going to add a warning on import of ksc.session21:08
notmorganstevemar: so we can use logstash21:08
samueldmqnotmorgan: okay, all this should be written somewhere21:09
stevemarnotmorgan: why not use jamie's patch?21:09
samueldmqnotmorgan: a spec ? under keystone ? cross-proj ?21:09
*** jbell8 has joined #openstack-keystone21:09
notmorganstevemar: we don't want to emit a warning on session, just on import until at least the core projects are converted21:09
notmorganon session obj. itself it's scarier21:09
*** pauloewerton has quit IRC21:10
notmorganstevemar: i mean. we can just deprecate as long as the message is emitted once21:10
notmorganbut on import of ksc.session might be easier.21:10
notmorganright now it would warn on every session init21:10
notmorgancould be a lot of warnings21:11
*** raildo is now known as raildo-afk21:11
notmorgansamueldmq: stage 1 is things people will take [projects] because ksa is the right way21:11
notmorgansamueldmq: and impacting keystonemiddleware21:11
notmorgansamueldmq: stage 2 is likely x-project stuff21:12
ayoungnotmorgan, ok, so stage one is the ability to create a session using service token, and to add user auth data to a specific call, or would it be a session per user-auth-data?21:12
*** jbell8 has quit IRC21:13
notmorganayoung: stage 1 is everyone using ksa, ksm depositing the auth-data in oslo.context (so we can access it anytime), ksm accepting service-token and userdata, and an auth-plugin to override behavior for svc->svc communication bundling up the user data instead of sending the raw token21:13
notmorganayoung: auth-plugin for ksa that is21:14
notmorganayoung: so nova config could just use it and get the behavior without needing to write special nova code.21:14
notmorganwhen talking to glance.21:14
*** clayton has quit IRC21:14
ayoungnotmorgan, so for each call from Nova to Glance, Nova is going to have to swap the auth plugin, based on the user that called?21:14
[21:14] <stevemar> bknudson_: can't get rid of stevedore as a req >.<
[21:14] *** ajayaa has quit IRC
[21:14] <stevemar> it's used in ksc.auth.base
[21:14] <notmorgan> it's in the config.
[21:14] *** boris-42 has joined #openstack-keystone
[21:15] *** ajayaa has joined #openstack-keystone
[21:15] <notmorgan> nova -> glance has a user/password/whatever + auth_type in nova.conf
[21:15] *** ajayaa has quit IRC
[21:15] <notmorgan> so it would construct a session using the "svc-to-svc" plugin
[21:15] <notmorgan> which would grab the oslo.context data ksm dropped in from thread.local
[21:15] <notmorgan> then talk to glance w/ the service token and that data
[21:16] <notmorgan> so the data passed on would change, but the auth_type would be service-to-service
[21:16] *** esp_ has joined #openstack-keystone
[21:16] <notmorgan> which does the magic [long term we can update nova's code, but this also means we're 100% reverse compat]
[21:17] <samueldmq> so user token arrives in nova, nova uses its own token with added info to talk to others
[21:17] *** ajayaa has joined #openstack-keystone
[21:17] <samueldmq> where added info is going to be user info (roles, whatever)
[21:17] *** ajayaa has quit IRC
[21:17] *** su_zhang has joined #openstack-keystone
[21:17] *** jbell8 has joined #openstack-keystone
[21:17] <bknudson_> stevemar: ok... should be able to get rid of that in favor of keystoneauth
[21:17] <notmorgan> and since we control ksa and keystonemiddleware, it's easy for us to make these changes w/o needing to update every project everywhere they do it.
[21:18] <notmorgan> we just need them on ksa w/ proper config values.
[21:18] *** drjones has joined #openstack-keystone
[21:18] <notmorgan> and we can move the system the direction we need in a straightforward manner
[21:18] <notmorgan> and be reverse compat if someone wants to keep doing silly old-style-user-authz-passed-around
[21:18] *** vgridnev has quit IRC
[21:19] *** _cjones_ has quit IRC
[21:19] <notmorgan> ok i need to pack up and drive to seattle
[21:20] <stevemar> bknudson_: yeah, looking at that now
[21:20] *** gordc has joined #openstack-keystone
[21:21] *** esp_ has quit IRC
<stevemar> notmorgan: ayoung easy one:
[21:22] <samueldmq> notmorgan: safe trips
<stevemar> notmorgan: samueldmq!
[21:22] <notmorgan> stevemar: 2.6 too! make sure 2.6 workarounds are gone
[21:22] <stevemar> notmorgan: i think they are
[21:22] <notmorgan> stevemar: delete keyring!
[21:22] <notmorgan> delete keyring!
[21:23] <stevemar> there are actually very few open patches in ksc :O
[21:23] <samueldmq> oh first one got double +A :-)
[21:24] <notmorgan> stevemar: ksc isn't seeing a lot of work because not a lot in keystone has moved until recently
[21:24] *** _cjones_ has joined #openstack-keystone
[21:24] <notmorgan> oh and client .. haha client...
[21:24] <stevemar> samueldmq: double A is okay :)
[21:25] *** daemontool_ has joined #openstack-keystone
[21:25] <notmorgan> stevemar: triple +A it!
[21:25] <bknudson_> half the patches to keystoneclient are making changes to the cli
[21:25] <notmorgan> bknudson_: which is nice to be able to say "nope" to most of the time
[21:25] *** drjones has quit IRC
[21:27] *** daemontool has quit IRC
[21:28] *** _cjones_ has quit IRC
[21:29] *** _cjones_ has joined #openstack-keystone
[21:29] *** timcline_ has quit IRC
[21:29] <bknudson_> keystoneclient 3.0!
[21:29] *** samueldmq has quit IRC
<openstackgerrit> henry-nash proposed openstack/keystone: Add tests for role management with v3policy file
[21:30] <stevemar> bknudson_: numbers are cheap :P
[21:31] <stevemar> bknudson_: bug? it's removing dead code *sheepish grin*
<openstackgerrit> henry-nash proposed openstack/keystone: Add CRUD support for domain specific roles
[21:31] *** rderose has joined #openstack-keystone
<openstackgerrit> henry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specific roles
[21:31] <bknudson_> releasenotes should be easily searchable, so bugs/blueprints aren't as necessary anymore.
<openstackgerrit> henry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles
<openstackgerrit> henry-nash proposed openstack/keystone: Modify rules for domain specific role assignments
[21:32] *** jsavak has quit IRC
<bknudson_> stevemar: so are we removing the CLI or not?
[21:33] *** jsavak has joined #openstack-keystone
[21:34] <stevemar> bknudson_: i'm not sure about the ramifications of that
[21:34] <ayoung> KILL THE CLI!
[21:34] <bknudson_> stevemar: it'll break everybody and everybody will hate us even more.
[21:34] <ayoung> they can't hate me more than they already do
[21:34] <ayoung> henrynash, I guess I better get on reviewing those, eh?
[21:34] <bknudson_> might have to wear bullet-proof vests in austin.
[21:35] <henrynash> ayoung: :-)
[21:35] <bknudson_> although that would be a good idea anyways
[21:35] <ayoung> henrynash, it starts with the tests-only one
[21:35] <henrynash> ayoung: yep
[21:35] <stevemar> bknudson_: ayoung we should send an email to the ops and dev mailing list first
[21:36] <tjcocozz> stevemar, if they are using the cli wouldn't they just need to cap the version?
[21:36] *** drjones has joined #openstack-keystone
[21:36] *** _cjones_ has quit IRC
[21:36] <ayoung> henrynash, ok, that one looks really good
[21:36] <stevemar> tjcocozz: yep
[21:36] <stevemar> tjcocozz: and we've been emitting deprecations for a loooong time now
[21:36] <henrynash> ayoung: I’d be worried that was contentious!
[21:36] <ayoung> henrynash, and that was just a rebase, right?
[21:37] <henrynash> ayoung: last patch, yep
[21:37] <henrynash> ayoung: cool
[21:37] <stevemar> bknudson_: OTOH - we can easily wait til beginning of N at this point
[21:37] <stevemar> and claim it's been a whole extra release :O
[21:38] <bknudson_> stevemar: waiting to N would be nice of us.
[21:38] <tjcocozz> stevemar, I don't know much... but i know it should go :)
[21:38] <bknudson_> but as soon as N is open it's done!
[21:38] <stevemar> bknudson_: agreed
[21:38] <stevemar> bknudson_: and the old incubator dir
[21:39] <bknudson_> what about the old incubator dir?
[21:39] *** rderose has quit IRC
[21:39] *** daemontool_ has quit IRC
[21:39] <stevemar> bknudson_: there were about 5 projects importing it
[21:40] *** daemontool_ has joined #openstack-keystone
[21:40] <stevemar> i fixed them up, but they are unreleased
[21:40] <bknudson_> stevemar: so don't merge ?
[21:40] *** weshay_xchat has quit IRC
[21:40] <stevemar> bknudson_: already -W'ed it
[21:40] <stevemar> bknudson_: you can +2 the remove CLI patch :P
[21:41] <stevemar> i think folks are finally starting to warm up to osc, let's give them til N before we wipe keystoneCLI
[21:41] *** su_zhang has quit IRC
[21:41] <bknudson_> once you go osc you'll never go back.
[21:42] <bknudson_> you can put that on the web site.
[21:42] <stevemar> "once you go osc you'll never go back"
[21:42] <stevemar> "cause keystone cli is missing a good chunk of stuff!"
[21:43] <bknudson_> better than the new gerrit motto which is -- you'll wish you were using the old gerrit
[21:43] *** clayton has joined #openstack-keystone
[21:43] *** drjones has quit IRC
[21:45] *** timcline has joined #openstack-keystone
[21:46] *** cdcasey has quit IRC
[21:46] *** _cjones_ has joined #openstack-keystone
[21:46] *** jistr has joined #openstack-keystone
[21:47] *** jistr has quit IRC
[21:49] *** drjones has joined #openstack-keystone
[21:50] *** _cjones_ has quit IRC
<stevemar> notmorgan: can you comment on
[21:51] *** Ephur has joined #openstack-keystone
<openstackgerrit> henry-nash proposed openstack/keystone: Add is_domain filter to v3 list_projects
[21:52] *** mylu has quit IRC
[21:53] *** mylu has joined #openstack-keystone
[21:54] *** shoutm has joined #openstack-keystone
[21:54] *** _cjones_ has joined #openstack-keystone
[21:54] *** drjones has quit IRC
[21:55] *** jsavak has quit IRC
<openstackgerrit> Dina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone
[21:56] *** mylu has quit IRC
[21:56] *** mylu has joined #openstack-keystone
[21:56] *** mylu has quit IRC
[21:56] *** DinaBelova has joined #openstack-keystone
[21:56] *** drjones has joined #openstack-keystone
[21:57] *** _cjones_ has quit IRC
[21:58] <DinaBelova> Keystone reviewers, o/ I'm kindly asking you to review osprofiler Oslo lib related changes: - to keystone itself and - to openstackclient (as functional changes should not be added anymore to keystoneclient, i did the needed change in openstack client)
[22:01] <ayoung> henrynash, if domain_id is set when calling list roles, are we supposed to see global roles, or only domain specific roles for the specified domain?
[22:01] *** cdcasey_ has joined #openstack-keystone
[22:03] <breton> stevemar: have a look at please
[22:03] <stevemar> breton: hmm, i thought dhellmann wanted that chained up with his other patches
[22:03] <stevemar> i just realized i never commented on it
[22:04] <breton> he overwrote some of my changes with his rebasing
[22:04] *** su_zhang has joined #openstack-keystone
[22:05] <breton> indeed. I will rebase the patch on top of his patches
[22:05] <cdcasey_> rebasing kills
[22:05] <stevemar> breton: ++
[22:05] *** PsionTheory has joined #openstack-keystone
[22:06] <stevemar> cdcasey_: rebase all the things
[22:06] *** petertr7 is now known as petertr7_away
[22:07] *** erlarese has quit IRC
[22:07] <stevemar> thanks breton
<openstackgerrit> Merged openstack/keystone: Store config in drivers and use it to get list_limit
[22:09] *** cdcasey_ has quit IRC
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Make fernet default token provider
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Remove validate_v2_token from Fernet provider
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Remove support for trusts in v2.0
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()
[22:12] <stevemar> henrynash: dolphm are domain specific roles and changing the policy.json different approaches to the same problem?
[22:13] <bknudson_> does keystoneauth belong on or ?
[22:14] *** cdcasey has joined #openstack-keystone
<bknudson_> I'm leaning towards
[22:14] <bknudson_> there should be lots of links from to keystoneauth anyways.
[22:14] <dolphm> stevemar: the billion roles approach tackles a significant part of the same use cases as domain specific roles (many of the roles you *might* need in a domain *might* already be defined), and role policy dynamic stuff except for the queryability, since policy is static and not exposed to the API (but it gives you conventions you might not have to query about)
[22:15] <bknudson_> correction - there should be lots of links from to keystoneauth
[22:16] *** henrynash has quit IRC
[22:16] *** gordc has quit IRC
[22:16] <stevemar> dolphm: we'll need to hash this all out
[22:17] <stevemar> dolphm: i don't want henry working on dsr if we can avoid it
[22:17] *** dims_ has joined #openstack-keystone
[22:17] *** su_zhang has quit IRC
[22:17] <stevemar> bknudson_: dolphm can one of you comment on ? i'm about to head out
[22:18] *** mylu has joined #openstack-keystone
[22:18] <stevemar> dolphm: tonight and tomorrow i'm all shadow users
[22:18] *** sinese has quit IRC
[22:19] <dolphm> stevemar: sweet!
[22:20] <dolphm> stevemar: is that barbican/nova change totally missing the point?
[22:21] *** dims has quit IRC
[22:21] *** diazjf has joined #openstack-keystone
[22:22] *** spzala has quit IRC
[22:23] *** spzala has joined #openstack-keystone
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Make fernet default token provider
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Remove validate_v2_token from Fernet provider
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Remove support for trusts in v2.0
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()
[22:26] <ayoung> lbragstad, we need all of those to get the default to work?
[22:26] <lbragstad> ayoung yep
[22:26] <ayoung> lbragstad, awesome. reviewing now
[22:26] *** pushkaru has quit IRC
<lbragstad> ayoung start here
[22:26] <ayoung> lbragstad, nope
[22:26] *** jsavak has joined #openstack-keystone
[22:26] <ayoung> that is 34, you pushed 35...
[22:27] * ayoung already on it. smarmy git
<lbragstad> ayoung start here -
[22:27] *** dims_ has quit IRC
[22:28] *** gildub has joined #openstack-keystone
[22:28] *** spzala has quit IRC
[22:31] *** jsavak has quit IRC
[22:31] *** jsavak has joined #openstack-keystone
[22:33] *** drjones has quit IRC
[22:34] *** _cjones_ has joined #openstack-keystone
[22:48] *** timcline has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
[22:52] *** su_zhang has joined #openstack-keystone
[22:53] *** mylu has quit IRC
[22:54] *** diazjf has quit IRC
[22:54] *** mylu has joined #openstack-keystone
[22:55] *** jsavak has quit IRC
[23:00] *** topol has quit IRC
[23:01] *** spzala_ has joined #openstack-keystone
[23:02] *** topol_ has joined #openstack-keystone
[23:02] *** jbell8 has quit IRC
[23:04] *** roxanagh_ has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone: Expose method list inconsistency in federation api
[23:06] *** spzala_ has quit IRC
[23:07] *** ninag has quit IRC
[23:07] *** csoukup_ has quit IRC
[23:07] *** ninag has joined #openstack-keystone
[23:12] *** ninag has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
[23:18] *** ninag has joined #openstack-keystone
[23:21] *** mylu has quit IRC
[23:22] *** jimbaker has joined #openstack-keystone
[23:24] *** e0ne has joined #openstack-keystone
[23:25] *** slberger has left #openstack-keystone
[23:25] *** mylu has joined #openstack-keystone
[23:26] *** mylu has quit IRC
[23:28] <andrewbogott> I’m in the process of migrating from ldap assignment to keystone assignment. I’ve changed my keystone config to remove the ldap lines about roles, and now I’m trying to create an initial keystone tenant to bootstrap migration.
<andrewbogott> That’s failing, which makes me think I’m not understanding how my config should look. Here’s what I have:
[23:28] <andrewbogott> (Users will still be in ldap)
[23:30] <andrewbogott> I’m using kilo, with the 2.0 api
[23:30] *** sigmavirus24 is now known as sigmavirus24_awa
[23:31] *** csoukup_ has joined #openstack-keystone
[23:33] *** e0ne has quit IRC
[23:44] *** mylu has joined #openstack-keystone
[23:47] <andrewbogott> Ah, the answer seems to be
[23:47] <andrewbogott> driver = keystone.assignment.backends.sql.Assignment
[23:47] *** jamielennox|away is now known as jamielennox
[23:48] *** mylu has quit IRC
[23:48] *** mylu has joined #openstack-keystone
[23:49] *** edmondsw has quit IRC
[23:55] *** crinkle has quit IRC
[23:57] *** crinkle has joined #openstack-keystone

Generated by 2.14.0 by Marius Gedminas - find it at!