Thursday, 2016-02-18

*** clenimar_ has joined #openstack-keystone00:00
*** aginwala has joined #openstack-keystone00:00
arunkantdims_ : If I add set of properties for transport configuration on audit middleware (if someone wants to override it). Will that work?00:02
*** roxanaghe has quit IRC00:03
*** lhcheng_ has joined #openstack-keystone00:20
*** clenimar_ has quit IRC00:21
*** lhcheng has quit IRC00:23
dims_arunkant : yes, let's add it. more importantly test it00:24
*** clenimar_ has joined #openstack-keystone00:25
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982800:27
openstackgerritMerged openstack/keystone: Add tests in preparation of projects acting as a domain  https://review.openstack.org/27236900:27
arunkantdims_. Okay..will add that in next patch. Just added release notes in new patch. Thanks.00:27
*** RA__ has joined #openstack-keystone00:38
*** rcernin has quit IRC00:46
*** rk4n has joined #openstack-keystone00:47
*** jasonsb has joined #openstack-keystone00:50
*** rk4n has quit IRC01:01
*** sdake_ is now known as sdake01:05
*** spandhe has quit IRC01:08
*** doug-fish has joined #openstack-keystone01:08
*** daemontool__ has joined #openstack-keystone01:11
*** doug-fish has quit IRC01:11
*** annasort has joined #openstack-keystone01:14
*** EinstCrazy has joined #openstack-keystone01:17
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857001:20
*** Guest8151 has quit IRC01:22
*** x58 has joined #openstack-keystone01:22
*** diazjf has joined #openstack-keystone01:24
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857001:24
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857001:27
openstackgerritMerged openstack/keystone: Add list_limit to the white list for configs in db  https://review.openstack.org/28136001:29
openstackgerritMerged openstack/keystone: Fallback to list_limit from default config  https://review.openstack.org/28080401:29
openstackgerritMerged openstack/keystone: Enable support for posixGroups in LDAP  https://review.openstack.org/25852801:30
openstackgerritMerged openstack/keystone: Add is_domain filter to v3 list_projects  https://review.openstack.org/15839801:30
*** diazjf has quit IRC01:32
*** ebalduf has joined #openstack-keystone01:33
*** sdake has quit IRC01:34
openstackgerritMerged openstack/keystone: encode user id for notifications  https://review.openstack.org/28054201:35
*** ebalduf has quit IRC01:38
*** davechen has joined #openstack-keystone01:39
*** jbell8 has joined #openstack-keystone01:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/28160101:47
*** davechen1 has joined #openstack-keystone01:48
*** davechen has quit IRC01:50
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160501:56
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160501:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160501:58
*** sdake has joined #openstack-keystone02:03
*** sdake has joined #openstack-keystone02:04
*** su_zhang has quit IRC02:04
*** aginwala has quit IRC02:06
*** doug-fish has joined #openstack-keystone02:08
*** davechen has joined #openstack-keystone02:08
*** doug-fish has quit IRC02:08
*** aginwala has joined #openstack-keystone02:09
*** aginwala has quit IRC02:09
*** aginwala has joined #openstack-keystone02:10
*** davechen1 has quit IRC02:10
*** annasort has quit IRC02:11
*** mylu has joined #openstack-keystone02:14
ayoungjamielennox, question on client functional tests.  How is the test supposed to create a client?  This test is failing on first call to the server: http://logs.openstack.org/83/280983/4/check/gate-keystoneclient-dsvm-functional/28fb153/console.html02:15
ayounghttps://review.openstack.org/#/c/280983/4/keystoneclient/tests/functional/v3/test_implied_roles.py02:16
patchbotayoung: patch 280983 - python-keystoneclient - Implied Roles02:16
ayoungin the setup02:16
jamielennoxayoung: i haven't touched those in a while02:16
ayoungjamielennox, no one has02:16
ayoungjamielennox, IT IS TIME!02:17
jamielennoxayoung: i don't know if all that info is being passed into the test02:17
ayoungjamielennox, looking at the test_auth file, it is similar02:17
*** EinstCrazy has quit IRC02:17
ayoungjamielennox, but there are no other V3 tests02:18
*** EinstCrazy has joined #openstack-keystone02:18
ayoungjamielennox, but since this works: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/functional/test_access.py#n2802:18
ayoungit has to be similar02:18
ayoungjamielennox, maybe it is ID versus Name for the env vars02:19
jamielennoxayoung: what i mean is that here: http://logs.openstack.org/83/280983/4/check/gate-keystoneclient-dsvm-functional/28fb153/console.html#_2016-02-17_23_26_39_80602:19
samueldmqjamielennox: ayoung: the way I introduced base classes for use in ksclient functional tests02:19
ayoungI used what Kolla does, which may not match02:19
jamielennoxit looks like the information in the environment is not v302:19
jamielennoxso your envs won't work02:19
samueldmqis instantiating the client via os-client-config02:19
jamielennoxayoung: i would definitely recommend using samueldmq's base stuff02:20
ayoungsamueldmq, link?02:20
samueldmqjamielennox: ++02:20
samueldmqayoung: gimme a sec02:20
samueldmqayoung: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/base.py02:21
samueldmqayoung: and https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/test_base.py as an example of use02:21
ayoungsamueldmq, OK, let me test that02:21
ayoungsamueldmq, is get_client() gonna give me a V3 Client?02:22
samueldmqayoung: yes, if your class inherits from V3ClientTestCase02:23
samueldmqayoung: what do you want to do with functional tests in ksclient ?02:26
samueldmqayoung: I want to write a set of initial tests for our client, based on that base classes02:27
ayoungsamueldmq, https://review.openstack.org/#/c/280983/02:27
patchbotayoung: patch 280983 - python-keystoneclient - Implied Roles02:27
samueldmqayoung: it's on my todo for this cycle, but I wanted to focus on review for now02:27
ayoungsamueldmq, that is ok.  I think you already wrote what I need02:28
samueldmqayoung: yeah, just inherit from it and use self.client02:28
samueldmqayoung: in the setup it already does self.client = get_client()02:28
*** jbell8 has quit IRC02:30
openstackgerritayoung proposed openstack/python-keystoneclient: Implied Roles  https://review.openstack.org/28098302:31
ayoungrock on sam.  It works with Kolla02:32
dstaneksamueldmq: it's sorta late for you, isn't it?02:32
samueldmqayoung: glad to hear :)02:34
samueldmqdstanek: 11:34pm; very quiet here02:34
samueldmqdstanek: I am willing to write some tests for ksclient02:35
ayoungsamueldmq, start by tearing ^^ apart02:36
ayoungsamueldmq, I'm going to put out the call to people wanting to get involved in OpenStack to backfill those tests02:37
ayounglet's crowdsource that02:37
*** browne has quit IRC02:38
samueldmqayoung: it'd be nice if we got more people to help on the tests02:39
samueldmqayoung: I want to, at least, have some tests for the basic scenarios (CRUD of things on client)02:40
ayoungsamueldmq, to start, all KC reviews need functional tests02:40
*** aginwala has quit IRC02:40
ayounglet's get others writing them first02:40
samueldmqayoung: yes, mocking things isn't enough02:41
samueldmqayoung: and one of the goals is to have them to serve to improve our backward compatibility for client libraries02:41
samueldmqayoung: there is an ongoing effort ( see https://review.openstack.org/#/c/226157 )02:42
*** annasort has joined #openstack-keystone02:45
*** clenimar_ has quit IRC02:51
*** wanghua has joined #openstack-keystone02:58
*** dan_nguyen has quit IRC03:02
*** doug-fish has joined #openstack-keystone03:04
samueldmqokay, I need some sleep, have a good night all03:07
*** doug-fish has quit IRC03:09
*** gildub has quit IRC03:11
*** david_cu has joined #openstack-keystone03:15
*** sdake has quit IRC03:20
*** browne has joined #openstack-keystone03:22
openstackgerritayoung proposed openstack/python-keystoneclient: Implied Roles  https://review.openstack.org/28098303:23
*** mylu has quit IRC03:24
stevemargnite samueldmq03:25
*** timcline has quit IRC03:25
ayoungstevemar, jamielennox think there might be something wrong with discovery in the functional test, which is going to be necessary for v2 and v3 to both test side by side03:28
ayoungtest runs OK when url has /v3 at the end03:28
ayoungbut not without03:28
ayoungcurl  $OS_AUTH_URL03:28
ayoung{"versions": {"values": [{"status": "stable", "updated": "2015-09-15T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.5", "links": [{"href": "http://10.0.0.13:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "i03:28
ayoungd": "v2.0", "links": [{"href": "http://10.0.0.13:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}03:28
ayoungecho  $OS_AUTH_URL03:28
ayounghttp://10.0.0.13:3535703:28
ayounghttp://paste.openstack.org/show/487361/03:29
*** dims_ has quit IRC03:30
ayoungeven setting  export OS_AUTH_TYPE=v3password03:31
ayoung  does not do it...maybe the discovery plugin ..03:31
ayoungyep03:31
*** dims has joined #openstack-keystone03:32
ayoungbut the v2 tests still fail...03:32
*** john5223 has joined #openstack-keystone03:33
*** mylu has joined #openstack-keystone03:35
*** gildub has joined #openstack-keystone03:35
*** woodster_ has quit IRC03:36
jamielennoxayoung: did you figure it out03:39
ayoungjamielennox, not quite03:40
ayoungjamielennox, I can't get the existing v2 tests to run no matter what, though03:40
jamielennoxayoung: failing at discovery?03:41
ayoungjamielennox, so, even if I bypass discovery, a lot of them fail03:41
ayoungwondering if there is sample data not set up by Kolla03:42
ayounglet me see if I can find one that passes, and try discover on that one...03:42
*** lhcheng_ has quit IRC03:42
ayoungtox -efunctional  -- keystoneclient.tests.functional.test_auth  runs OK without discovery...03:43
ayoungjamielennox, nah, discovery seems OK.03:44
ayoungjamielennox, test_auth works...ah but that does not use the client...03:44
ayounghmmm03:44
*** timcline has joined #openstack-keystone03:45
ayoungbut that runs the keystone cli, and I don't care about that...03:46
ayoungmaybe we are good.  Let's see if my test passes CI03:47
*** EinstCra_ has joined #openstack-keystone03:49
*** dan_nguyen has joined #openstack-keystone03:51
*** EinstCrazy has quit IRC03:52
*** EinstCrazy has joined #openstack-keystone04:01
*** shoutm_ has joined #openstack-keystone04:03
*** EinstCra_ has quit IRC04:04
*** shoutm has quit IRC04:05
*** davechen1 has joined #openstack-keystone04:12
*** davechen has quit IRC04:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160504:17
*** lhcheng has joined #openstack-keystone04:27
*** ChanServ sets mode: +v lhcheng04:27
*** richm has quit IRC04:30
*** slogan_r has joined #openstack-keystone04:32
*** RA__ has quit IRC04:37
*** shoutm_ has quit IRC04:49
*** dan_nguyen has quit IRC04:51
*** dims_ has joined #openstack-keystone04:53
*** shoutm has joined #openstack-keystone04:53
*** dims has quit IRC04:55
*** shoutm has quit IRC04:58
*** diazjf has joined #openstack-keystone05:00
*** dims_ has quit IRC05:00
*** diazjf has quit IRC05:01
*** dims has joined #openstack-keystone05:02
*** dims has quit IRC05:02
*** shoutm has joined #openstack-keystone05:02
*** roxanaghe has joined #openstack-keystone05:09
*** diazjf has joined #openstack-keystone05:19
*** dan_nguyen has joined #openstack-keystone05:33
*** roxanaghe has quit IRC05:34
*** gyee has quit IRC05:35
openstackgerritPandiyan proposed openstack/keystone: Add driver details in architecture doc  https://review.openstack.org/28080205:35
*** dave-mccowan has quit IRC05:38
*** Nirupama has joined #openstack-keystone05:42
*** shoutm_ has joined #openstack-keystone05:44
*** shoutm has quit IRC05:44
openstackgerritSteve Martinelli proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160505:44
*** mylu has quit IRC05:49
*** jidar has quit IRC06:06
*** jidar has joined #openstack-keystone06:07
*** gildub has quit IRC06:13
*** jaosorior has quit IRC06:23
*** aginwala has joined #openstack-keystone06:24
*** jaosorior has joined #openstack-keystone06:24
*** GB21 has joined #openstack-keystone06:26
*** haneef_ has quit IRC06:37
*** mvk has joined #openstack-keystone06:49
stevemarquiet night tonight06:50
*** diazjf has quit IRC06:55
*** josecastroleon has joined #openstack-keystone06:58
*** su_zhang has joined #openstack-keystone07:02
bretonmorning07:06
*** jbell8 has joined #openstack-keystone07:06
davechen1good morning, breton!07:10
stevemarbreton: i am reviewing your final truncated patch!07:10
*** jbell8 has quit IRC07:10
*** jbell8 has joined #openstack-keystone07:11
bretonstevemar: yay07:13
* breton will pay back with reviews07:13
stevemarbreton: oh please do, just a few more bugs left07:14
stevemarbreton: https://review.openstack.org/#/c/231289/52, https://review.openstack.org/#/c/243585/, https://review.openstack.org/#/c/244248/ are BP related (and shadow users)07:14
patchbotstevemar: patch 231289 - keystone - Projects acting as domains07:14
patchbotstevemar: patch 243585 - keystone - API support for project cascade update07:14
patchbotstevemar: patch 244248 - keystone - API support for project cascade delete07:14
bretonhm07:15
bretonno totp in the list07:15
stevemarbreton: bugs: https://review.openstack.org/#/c/281078/, https://bugs.launchpad.net/keystone/+bug/1546562, https://review.openstack.org/#/c/277436/07:16
openstackLaunchpad bug 1546562 in OpenStack Identity (keystone) "deleting role with implied role fails" [Critical,Triaged]07:16
patchbotstevemar: patch 281078 - keystone - validate domain specific config option values07:16
patchbotstevemar: patch 277436 - keystone - Return 404 instead of 401 for tokens w/o roles07:16
stevemarbreton: dstanek and i took a swing at TOTP07:17
stevemarit's actually in decent shape now, gyee and dstanek helped a lot07:17
stevemari'm less worried about it07:17
bretonI am worried about it.07:17
stevemari'm still worried, just less worried now :)07:18
stevemarif you're feeling brave... https://bugs.launchpad.net/keystone/+bug/154656207:18
openstackLaunchpad bug 1546562 in OpenStack Identity (keystone) "deleting role with implied role fails" [Critical,Triaged]07:18
bretonthe issue I mentioned in https://review.openstack.org/#/c/274901/8/keystone/auth/plugins/totp.py is pretty serious07:18
patchbotbreton: patch 274901 - keystone - Time-based One-time Password07:18
bretonand it will be very hard to debug it, if someone runs into it07:19
stevemarbreton: true07:19
bretonand I don't see a quick way to fix it07:19
stevemarbreton: it'll return the limit after the filtering right?07:20
bretonwell, one could hack up a new method in credential_api...07:20
bretonstevemar: in case of SQL it will be a `LIMIT N` in query07:21
stevemarbreton: also, i'm OK if there is a limitation, as long as we document and tell folks how to get around it07:22
bretonfrankly, after working with list_limit for so long, I'm starting to dislike it07:22
*** jbell8 has quit IRC07:23
*** jbell8 has joined #openstack-keystone07:23
stevemarbreton: commented on the issue07:24
stevemarbreton: that's why we were to pro-filtering for so long07:24
stevemardolphm: when you wake up, can you comment on https://bugs.launchpad.net/keystone/+bug/1473567 -- there's a lot of history there and i'm unsure what to make of it, i think the issue has been resolved?07:29
openstackLaunchpad bug 1473567 in OpenStack Identity (keystone) "Fernet tokens fail tempest runs" [High,In progress] - Assigned to Lance Bragstad (lbragstad)07:29
*** ianw has quit IRC07:30
*** ianw has joined #openstack-keystone07:31
*** shoutm has joined #openstack-keystone07:35
*** jbell8 has quit IRC07:35
*** shoutm_ has quit IRC07:35
*** jbell8 has joined #openstack-keystone07:36
*** GB21 has quit IRC07:40
*** e0ne has joined #openstack-keystone07:41
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add back a bandit tox job  https://review.openstack.org/28154907:44
*** davechen1 is now known as davechen07:46
davechenstevemar: yep, let's see what bknudson_ wants to say.07:49
davechenstevemar: it won't be merged without +A though.07:49
*** rcernin has joined #openstack-keystone07:51
*** EinstCra_ has joined #openstack-keystone07:55
*** shoutm has quit IRC07:57
*** shoutm_ has joined #openstack-keystone07:57
*** e0ne has quit IRC07:58
*** EinstCrazy has quit IRC07:59
stevemardavechen: yep, no worries08:01
*** pcaruana has joined #openstack-keystone08:05
stevemarbreton: why did you have to change https://review.openstack.org/#/c/266989/6/keystone/tests/unit/test_cli.py ?08:05
patchbotstevemar: patch 266989 - keystone - Use the driver to get limits08:05
*** GB21 has joined #openstack-keystone08:06
*** su_zhang has quit IRC08:08
*** lhcheng has quit IRC08:10
bretonstevemar: yes. It compared domainN_config with the one uploaded from config_files/08:13
stevemarbreton: nice08:15
*** pnavarro has joined #openstack-keystone08:20
*** shoutm_ has quit IRC08:23
*** shoutm has joined #openstack-keystone08:30
*** belmoreira has joined #openstack-keystone08:34
*** josecastroleon has quit IRC08:35
*** fhubik has joined #openstack-keystone08:53
*** fhubik is now known as fhubik_brb08:53
*** fhubik_brb is now known as fhubik08:56
*** josecastroleon has joined #openstack-keystone09:01
*** fhubik is now known as fhubik_brb09:01
*** fhubik_brb is now known as fhubik09:14
openstackgerritguang-yee proposed openstack/keystone: Create notification when invalid user name provided  https://review.openstack.org/28099409:16
*** browne has quit IRC09:17
*** EinstCrazy has joined #openstack-keystone09:19
*** EinstCra_ has quit IRC09:21
*** rudolfvriend has joined #openstack-keystone09:29
openstackgerritMerged openstack/keystone: Use the driver to get limits  https://review.openstack.org/26698909:32
*** aginwala has quit IRC09:33
*** e0ne has joined #openstack-keystone09:35
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160509:35
*** fhubik is now known as fhubik_brb09:38
*** doug-fish has joined #openstack-keystone09:40
*** mhickey has joined #openstack-keystone09:41
*** shoutm_ has joined #openstack-keystone09:44
*** doug-fish has quit IRC09:44
*** shoutm has quit IRC09:45
*** lhcheng has joined #openstack-keystone09:53
*** ChanServ sets mode: +v lhcheng09:53
*** davechen has left #openstack-keystone09:55
*** fhubik_brb is now known as fhubik09:57
*** mvk has quit IRC09:57
*** lhcheng has quit IRC09:58
*** openstackgerrit has quit IRC10:02
*** openstackgerrit has joined #openstack-keystone10:02
*** EinstCrazy has quit IRC10:03
*** mvk has joined #openstack-keystone10:06
openstackgerritKonstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting  https://review.openstack.org/20745610:08
*** rk4n has joined #openstack-keystone10:11
*** lhcheng has joined #openstack-keystone10:14
*** ChanServ sets mode: +v lhcheng10:14
*** fhubik is now known as fhubik_brb10:16
*** jbell8 has quit IRC10:25
*** fhubik_brb is now known as fhubik10:31
*** Nirupama has quit IRC10:37
*** shoutm_ has quit IRC10:38
*** Nirupama has joined #openstack-keystone10:40
*** doug-fish has joined #openstack-keystone10:41
*** daemontool__ has quit IRC10:41
*** daemontool has joined #openstack-keystone10:41
*** fhubik is now known as fhubik_brb10:41
*** daemontool has quit IRC10:43
*** daemontool_ has joined #openstack-keystone10:43
*** shoutm has joined #openstack-keystone10:45
*** doug-fish has quit IRC10:46
*** daemontool has joined #openstack-keystone10:49
*** daemontool_ has quit IRC10:50
openstackgerritRudolf Vriend proposed openstack/keystone: Adds user_description_attribute mapping support to the LDAP backend  https://review.openstack.org/27687310:54
*** jed56 has joined #openstack-keystone10:54
*** dims has joined #openstack-keystone10:59
*** daemontool has quit IRC11:04
*** daemontool has joined #openstack-keystone11:04
*** tobe has joined #openstack-keystone11:11
*** jbell8 has joined #openstack-keystone11:14
*** lhcheng has quit IRC11:20
*** dims_ has joined #openstack-keystone11:30
*** dims has quit IRC11:31
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857011:35
*** henrynash has quit IRC11:47
*** fhubik_brb is now known as fhubik11:49
*** EinstCrazy has joined #openstack-keystone11:59
*** raildo-afk is now known as raildo12:09
*** fpatwa has joined #openstack-keystone12:09
openstackgerritSergey Nikitin proposed openstack/keystone: Added .idea to the .gitignore  https://review.openstack.org/28179612:11
*** GB21 has quit IRC12:14
samueldmqmorning all12:17
samueldmqI see great progress in https://launchpad.net/keystone/+milestone/mitaka-312:17
samueldmqwhich is nice!12:17
dstanekbreton: stevemar: nonameentername: i'll have another patch in a few minutes addressing most of the comments. been working on tests and that'll come later today (re: totp)12:20
dstanekbreton: what worries do you have with totp?12:21
samueldmqayoung: you around ?12:23
samueldmqayoung: you working on bug 1546562 ?12:23
openstackbug 1546562 in OpenStack Identity (keystone) "deleting role with implied role fails" [Critical,Triaged] https://launchpad.net/bugs/154656212:23
*** dave-mccowan has joined #openstack-keystone12:26
*** fhubik is now known as fhubik_brb12:27
*** fhubik_brb is now known as fhubik12:28
*** fpatwa has quit IRC12:36
*** daemontool has quit IRC12:37
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857012:39
*** fpatwa has joined #openstack-keystone12:48
samueldmqbknudson_: hi, regarding change 27751212:50
samueldmqbknudson_: would you be fine with updating the docs to say it returns an ordered representation of the tree ?12:50
*** fpatwa has quit IRC12:51
*** dikonoor has joined #openstack-keystone12:52
*** ninag has joined #openstack-keystone12:54
*** doug-fish has joined #openstack-keystone12:54
*** fhubik is now known as fhubik_brb13:02
*** rodrigods has quit IRC13:04
*** rodrigods has joined #openstack-keystone13:04
bretondstanek: https://review.openstack.org/#/c/274901/8/keystone/auth/plugins/totp.py13:05
patchbotbreton: patch 274901 - keystone - Time-based One-time Password13:05
*** fhubik_brb is now known as fhubik13:05
dstanekbreton: just the list limit thing?13:06
bretonyep13:07
*** EinstCrazy has quit IRC13:09
dstaneki don't see that as a big issue. we could either just say 'we only support storing {list_limit} totp credential' or fix the decorator to not be so overbearing13:09
*** EinstCrazy has joined #openstack-keystone13:09
bretonI see another way: new method in credentials api13:11
dstaneka credential specific methon?13:11
dstanekerr...method13:11
*** gordc has joined #openstack-keystone13:12
*** e0ne has quit IRC13:13
*** e0ne has joined #openstack-keystone13:14
dstanekif i saw someone trying to do that i'd -2 it. it's not very OO and causes backend disruption only because we have issues in other places in our code13:14
*** mylu has joined #openstack-keystone13:27
*** mylu has quit IRC13:29
bretonin credentials all methods are credential-specific. Such as delete_credentials_for_project or delete_credentials_for_user.13:29
dstanekbreton: no, those are context specific. you use the same one for password, s3, totp, etc right?13:33
dstanekbreton: are you suggesting 'list_without_limits_because_other_code_is_broken()' ?13:34
*** shoutm has quit IRC13:35
openstackgerritDavid Stanek proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490113:36
*** edmondsw has joined #openstack-keystone13:39
*** sdake has joined #openstack-keystone13:41
*** edmondsw has quit IRC13:41
*** edmondsw has joined #openstack-keystone13:42
*** GB21 has joined #openstack-keystone13:43
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Clarify projects subtree as list option docs  https://review.openstack.org/28186313:46
samueldmqtjcocozz: bknudson_: ^13:46
tjcocozzsamueldmq, hey I was thinking it would be good to add a docstring to list_projects_in_subtree() as well13:46
tjcocozzsamueldmq, about Rodrigo's comment https://review.openstack.org/#/c/277512/4/keystone/tests/unit/test_backend.py13:47
patchbottjcocozz: patch 277512 - keystone - Test list project hierarchy is correct for a large...13:47
tjcocozzsamueldmq, isn't it required to be admin to list_projects_in_subtree13:48
samueldmqtjcocozz: yes, bknudson_ also referred to manager method docs13:51
samueldmqtjcocozz: but you can add it in your patch, that is in openstack/keystone13:51
samueldmqtjcocozz: this one is keystone-specs13:52
samueldmqtjcocozz: sounds good ?13:52
*** mylu has joined #openstack-keystone13:53
* tjcocozz is reading it now13:53
*** Nirupama has quit IRC13:55
*** richm has joined #openstack-keystone13:56
tjcocozzsamueldmq, i don't think that is a depth first search13:59
*** mylu has quit IRC14:01
samueldmqtjcocozz: no ?14:01
tjcocozzdepth-first search exhausts its children before it continues onto the next subtree14:02
tjcocozzsamueldmq, as the search tree is deepened as much as possible on each child before going to the next sibling. -wiki14:03
tjcocozzsamueldmq, it is a Breadth-first search14:03
*** petertr7_away is now known as petertr714:04
samueldmqtjcocozz: looking at the code14:04
samueldmqtjcocozz: it isn't bfs either I think14:04
samueldmqtjcocozz: yes it is :)14:05
samueldmqtjcocozz: you're correct14:05
tjcocozzsamueldmq, :p14:06
samueldmqtjcocozz: good catch14:06
tjcocozzsamueldmq, should i add a docstring to list_project_subtree() still?14:07
bretondstanek: funny thing14:07
bretondstanek: there is already a method I'm suggesting14:07
breton!14:07
samueldmqtjcocozz: just submitted another version14:07
tjcocozzsamueldmq, voted L)14:07
samueldmqtjcocozz: which curiously didn't show up here in the channel, is the bot broken?14:07
tjcocozzsamueldmq, I think they have a time so people don't blow up the channel with a bunch of reviews14:08
tjcocozzsamueldmq, at least they were talking about it yesterday.14:09
*** dave-mccowan has quit IRC14:09
*** dave-mccowan has joined #openstack-keystone14:10
samueldmqtjcocozz: ++14:10
marekdstevemar: ping.14:12
*** su_zhang has joined #openstack-keystone14:21
*** dikonoor has quit IRC14:22
*** archers has joined #openstack-keystone14:22
*** jaosorior has quit IRC14:24
*** jaosorior has joined #openstack-keystone14:25
*** mylu has joined #openstack-keystone14:30
ayoungsamueldmq, I hadn't started on it yet14:30
*** jsavak has joined #openstack-keystone14:31
*** knikolla has joined #openstack-keystone14:34
*** mvk has quit IRC14:38
*** mvk has joined #openstack-keystone14:39
*** esp has joined #openstack-keystone14:39
*** jsavak has quit IRC14:42
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857014:42
*** fhubik is now known as fhubik_brb14:43
*** jsavak has joined #openstack-keystone14:44
*** fhubik_brb is now known as fhubik14:46
*** esp has quit IRC14:46
*** mylu has quit IRC14:46
*** mylu has joined #openstack-keystone14:48
*** dave-mccowan has quit IRC14:48
*** fpatwa has joined #openstack-keystone14:52
openstackgerritRaildo Mascena proposed openstack/keystone: Constraint to prevent duplicate endpoints  https://review.openstack.org/13409514:53
*** fpatwa has quit IRC14:56
*** tobe has quit IRC14:57
*** jaosorior has quit IRC14:58
*** jaosorior has joined #openstack-keystone14:59
*** belmoreira has quit IRC14:59
*** belmorei_ has joined #openstack-keystone14:59
*** mvk has quit IRC15:00
*** dave-mccowan has joined #openstack-keystone15:02
*** sigmavirus24_awa is now known as sigmavirus2415:05
*** sdake has quit IRC15:05
*** sdake has joined #openstack-keystone15:08
*** mylu has quit IRC15:12
*** henrynash has joined #openstack-keystone15:12
*** ChanServ sets mode: +v henrynash15:12
*** archers has quit IRC15:14
*** slberger has joined #openstack-keystone15:15
*** mylu has joined #openstack-keystone15:19
*** GB21 has quit IRC15:19
*** timcline has quit IRC15:30
ayounghenrynash,  htruta,   what is burning in the review queue?  And has gyee given up on totp?15:32
notmorgandstanek: test. [ignore this]15:33
henrynashayoung: i’m about to post a new project-as-a-domain patch (but we’re still waiting on cinder before it can pass tempest)15:33
amakarov_awayayoung, hi! Is anybody fixing this bug? https://bugs.launchpad.net/keystone/+bug/154656215:35
openstackLaunchpad bug 1546562 in OpenStack Identity (keystone) "deleting role with implied role fails" [Critical,Triaged]15:35
*** amakarov_away is now known as amakarov15:35
ayounghenrynash, sounds good. Also, can you look at the Client review for Implied Roles to make sure it looks good to you? https://review.openstack.org/#/c/280983/15:36
patchbotayoung: patch 280983 - python-keystoneclient - Implied Roles15:36
henrynashayoung: will do15:36
mnaseri've done some reading (but i don't believe a solution for this exists) but is there a way to setup an equiv of instance profiles with keystone: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html15:36
ayoungamakarov, I have not started on it.  samueldmq asked about it earlier.  Either of you are welcome to work on it.  Just take it in Launchpad15:37
ayoungmnaser, can you give the summary?15:37
mnaserayoung: you can deploy a new instance and assign it a role, the instance then can use api credentials assigned to it to make api requests15:37
ayoungmnaser, upon a quick read, I would say it sounds like Trusts15:37
ayoungmnaser, so, in order to do that, you would need to be able to create a "service" user for that instance15:38
mnaserexample: create a role to be able to kill the vm itself, assign it to that vm, app can pull credentials from inside the vm and use them to call the openstack api15:38
* mnaser goes to read about trusts15:38
*** spzala has joined #openstack-keystone15:39
ayoungmnaser, so, in the past, I toyed with the idea of using Nova as a Federation IdP.  Each VM would be a user.15:39
mnaserbasically the use case here is that our client wants an instance to be able to terminate itself for example15:39
ayoungBut I don't think a VM knows its own Identity.  There would have to be some work15:39
*** woodster_ has joined #openstack-keystone15:39
mnaseryes, ideally they should have something to kill the instance from outside, but, i can see value in other things similar to this (access to swift from nova instances?)15:40
ayoungmnaser, 1 create a service user,  2. create a trust.  3 service user on VM uses trust to execute the call15:40
*** pushkaru has joined #openstack-keystone15:40
mnaseri'll do more reading on trusts15:40
*** tobe has joined #openstack-keystone15:40
ayoungI think I will write up a spec for Nova as a Federated Identity Provider for the VMs.15:41
mnaserit would be nice if the openstack project policies could be sitting in keystone15:41
mnasermaking trusts far more flexible, than us having to write up roles in our policy.json and advising customers to use them15:42
*** timcline has joined #openstack-keystone15:43
amakarovayoung, if I want to change index on the table, should I create a new migration or just change the existing one? I'm about 087_implied_roles15:44
*** phalmos has joined #openstack-keystone15:44
ayoungamakarov, new migration15:44
amakarovayoung, ack15:45
*** clenimar has quit IRC15:48
*** iurygregory has quit IRC15:51
*** EinstCrazy has quit IRC15:51
*** phalmos has quit IRC15:54
*** dikonoor has joined #openstack-keystone15:54
openstackgerrithenry-nash proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128915:55
*** iurygregory has joined #openstack-keystone15:57
openstackgerritAlexander Makarov proposed openstack/keystone: WIP/DNM Implied roles index with cascading update/delete  https://review.openstack.org/28192115:57
amakarovayoung, ^15:58
*** jsavak has quit IRC15:58
*** jsavak has joined #openstack-keystone15:59
*** krotscheck_dcm is now known as krotscheck16:00
*** raildo is now known as raildo-afk16:02
*** phalmos has joined #openstack-keystone16:02
*** belmorei_ has quit IRC16:03
*** belmoreira has joined #openstack-keystone16:03
*** zigo has quit IRC16:03
*** zigo has joined #openstack-keystone16:05
*** mylu has quit IRC16:14
*** pcaruana has quit IRC16:15
*** raildo-afk is now known as raildo16:17
*** rcernin has quit IRC16:17
*** mylu has joined #openstack-keystone16:18
*** mylu has quit IRC16:20
*** timcline_ has joined #openstack-keystone16:21
*** mylu has joined #openstack-keystone16:22
*** dikonoor has quit IRC16:23
*** roxanaghe has joined #openstack-keystone16:23
*** timcline_ has quit IRC16:25
*** josecastroleon has quit IRC16:33
*** rudolfvriend has quit IRC16:33
tjcocozzedmondsw, https://bugs.launchpad.net/python-openstackclient/+bug/154666316:34
openstackLaunchpad bug 1546663 in python-openstackclient "should not pass kwargs to get" [Undecided,In progress] - Assigned to Tom Cocozzello (tjcocozz)16:34
*** clenimar has joined #openstack-keystone16:34
*** belmoreira has quit IRC16:34
*** josecastroleon has joined #openstack-keystone16:35
*** timcline_ has joined #openstack-keystone16:41
*** timcline_ has quit IRC16:42
tjcocozzedmondsw, read the second bullet point :-)  http://specs.openstack.org/openstack/api-wg/guidelines/evaluating_api_changes.html#guidance16:44
*** spzala has quit IRC16:44
edmondswtjcocozz, yep, exactly... tx for the ammo :)16:45
tjcocozzedmondsw, lol no problem16:45
*** spzala has joined #openstack-keystone16:45
*** spzala_ has joined #openstack-keystone16:46
*** browne has joined #openstack-keystone16:48
*** phalmos has quit IRC16:48
*** spzala has quit IRC16:50
*** dims has joined #openstack-keystone16:50
*** spzala_ has quit IRC16:50
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857016:51
*** aginwala has joined #openstack-keystone16:51
*** dims_ has quit IRC16:51
*** rderose has joined #openstack-keystone16:51
*** fpatwa has joined #openstack-keystone16:53
amakarovstevemar, ayoung This bug has no fix while marked as "in progress": https://bugs.launchpad.net/keystone/+bug/154578916:55
openstackLaunchpad bug 1545789 in OpenStack Identity (keystone) "keystone ADMIN_TOKEN set by default can lead to default insecure deployment" [Medium,In progress] - Assigned to Adam Young (ayoung)16:55
amakarovhttps://review.openstack.org/280329 addresses it as "partial-bug"16:56
ayoungamakarov, there is another that is marked as fixes...16:56
dolphmrderose: going to have a patchset ready for review today?16:56
rderoseWorking on finishing up a patch for "Shadow users - Separate user identities" based on our discussion. I should have that done today.16:56
rderoseOne thing I did change was the table names. Decided to use 'user' instead. The name matches better with the names used in the sql backend16:56
rderoseimplementation e.g. User model, create_user, get_user_list...16:56
rderoseAnd less refactoring needed16:57
rderoseuser -> local_user16:57
rderose     -> federated_user16:57
rderose     -> ldap_user...16:57
rderoseOne user table to rule them all :)16:57
*** diazjf has joined #openstack-keystone16:57
*** fpatwa has quit IRC16:57
amakarovayoung, which one?16:58
ayounghttps://review.openstack.org/#/c/280467/16:58
patchbotayoung: patch 280467 - keystone - Disable Admin tokens set to None (MERGED)16:58
rderosebut yes dolphm, patch should be ready today16:58
ayoungamakarov, ^^16:58
amakarovayoung, thank you16:58
ayoungrderose, is that in your latest review?16:59
*** e0ne has quit IRC16:59
dolphmrderose: lol so the "user" table remains, just with a few dropped columns?17:00
rderoseayoung review not ready yet, still Work in progress, but 278570 is the latest so far17:00
rderosedolphm yes17:00
ayoungrderose, I'm going to look17:00
rderoseayoung be gentle :)17:00
ayoungthat raises the hairs on the back of my neck17:00
ayoungrderose, I suspect we can get by with one table and an additional column17:01
ayounglooking17:01
ayoungrderose, why separate tables?17:01
*** gyee has joined #openstack-keystone17:01
*** ChanServ sets mode: +v gyee17:01
rderoseseparate tables for user and local_user because we want to separate the locally managed date from the identity17:01
*** su_zhang has quit IRC17:02
rderoselocal_user and local_user_password to support future use cases around passwords17:02
rderose*data not date17:02
ayoungrderose, ok...that sounds really suspect.  I'm not going to derail it, but it should be one table, with passwords external17:03
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857017:03
ayoungand even that is probably optional17:03
*** spzala has joined #openstack-keystone17:04
stevemarrderose: looking forward to reviewing it :)17:04
ayoungrderose, and I even suspect the password could end up in the credentials backend17:04
*** josecastroleon has quit IRC17:04
*** jsavak has quit IRC17:04
rderoseokay ayoung let me finish up the changes based on conversations with dolphm, dstanek, and stevemar17:04
*** jsavak has joined #openstack-keystone17:05
ayoungrderose, so long as it works, I'll let it go forward.  We can clean it up post Mitaka, or maybe even post M3 if it is all internal17:05
*** josecastroleon has joined #openstack-keystone17:05
*** fhubik has quit IRC17:05
*** aginwala has quit IRC17:07
*** ChanServ sets mode: +v marekd17:07
*** spzala has quit IRC17:08
notmorganoh that is annoying...17:09
notmorganweechat changed all the colors for the nicks i was used to :(17:09
*** ericksonsantos has joined #openstack-keystone17:11
*** dmsimard is now known as rdobot17:11
*** rdobot is now known as dmsimard17:13
*** tobe has quit IRC17:13
*** mhickey has quit IRC17:13
stevemarnotmorgan: what color am i now?17:17
dtroyerstevemar: you are #99ccff here17:18
*** spzala has joined #openstack-keystone17:19
*** mylu has quit IRC17:21
*** yarkot has joined #openstack-keystone17:23
*** spzala has quit IRC17:23
*** rk4n has quit IRC17:24
stevemardtroyer: thats a good color17:24
*** rk4n has joined #openstack-keystone17:25
*** spzala has joined #openstack-keystone17:25
*** krotscheck is now known as krotscheck_dr17:27
*** spzala has quit IRC17:29
*** spzala has joined #openstack-keystone17:31
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857017:31
*** spzala has quit IRC17:35
*** josecastroleon has quit IRC17:35
*** josecastroleon has joined #openstack-keystone17:36
*** rcernin has joined #openstack-keystone17:36
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857017:50
*** su_zhang has joined #openstack-keystone17:53
*** browne has quit IRC17:58
*** mylu has joined #openstack-keystone17:59
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857018:01
*** lhcheng has joined #openstack-keystone18:02
*** ChanServ sets mode: +v lhcheng18:02
*** spzala has joined #openstack-keystone18:03
*** pnavarro has quit IRC18:05
*** e0ne has joined #openstack-keystone18:07
*** cburgess has quit IRC18:07
*** Ephur has quit IRC18:08
*** cburgess has joined #openstack-keystone18:08
*** josecastroleon has quit IRC18:09
*** raildo is now known as raildo-afk18:10
*** josecastroleon has joined #openstack-keystone18:11
*** stevemar sets mode: +v samueldmq18:12
*** aginwala has joined #openstack-keystone18:13
*** samueldmq has quit IRC18:14
*** samueldmq has joined #openstack-keystone18:15
*** e0ne has quit IRC18:16
*** dmsimard has left #openstack-keystone18:17
*** mylu has quit IRC18:18
*** raildo-afk is now known as raildo18:22
*** stevemar sets mode: +v samueldmq18:22
*** notmorgan has quit IRC18:22
*** notmorgan has joined #openstack-keystone18:23
*** notmorgan has joined #openstack-keystone18:23
*** ChanServ sets mode: +o notmorgan18:23
*** aginwala has quit IRC18:23
*** jed56 has quit IRC18:23
*** ChanServ sets mode: +v samueldmq18:24
*** spzala has quit IRC18:26
*** samueldmq has quit IRC18:26
*** samueldmq has joined #openstack-keystone18:26
*** aginwala has joined #openstack-keystone18:27
*** ChanServ sets mode: +v samueldmq18:27
*** spzala has joined #openstack-keystone18:28
notmorgansamueldmq: you can also now change topic if you want with a /msg to chanserv18:28
samueldmqnotmorgan: /msg chanserv new-topic18:29
notmorgantopic18:29
notmorganor topicappend18:29
notmorgan /msg chanserv help18:29
samueldmqnotmorgan: perfect, thanks18:29
notmorganand look at it there18:29
*** e0ne has joined #openstack-keystone18:30
*** vivekd has joined #openstack-keystone18:31
*** rk4n has quit IRC18:32
*** rk4n has joined #openstack-keystone18:32
*** petertr7 is now known as petertr7_away18:34
*** tsymancz1k has quit IRC18:35
*** mvk has joined #openstack-keystone18:38
*** josecastroleon has quit IRC18:40
*** josecastroleon has joined #openstack-keystone18:41
*** browne has joined #openstack-keystone18:42
*** gyee has quit IRC18:44
*** tsymancz1k has joined #openstack-keystone18:45
*** phalmos has joined #openstack-keystone18:51
*** fpatwa has joined #openstack-keystone18:54
edmondswrodrigods, re: https://review.openstack.org/#/c/281381/118:55
patchbotedmondsw: patch 281381 - keystone - Update default domain's description18:55
edmondswThe default domain is the only domain that is used for v2, but it is not specific to v2. Since the domain itself is not specific to v2, its description should not be specific to v2.18:55
edmondswannasort ^18:55
rodrigodsedmondsw, agree... maybe rephrase but not removing the reference to v2?18:56
edmondswrodrigods having a reference to v2 is confusing on v3-only deployments18:57
edmondswas anna pointed out18:57
edmondswAnd it's not actually necessarily correct, either... you can configure which domain you want to be the default18:57
edmondswthe default default is default, but you can change it :)18:57
*** fpatwa has quit IRC18:58
rodrigodsedmondsw, there is a reason for the default domain to exist, right?18:58
edmondswyes, multiple reasons. Only one of them has anything to do with v218:59
edmondswe.g. bootstrapping18:59
samueldmqhtruta: raildo: could we please get https://review.openstack.org/#/c/244248 updated ?18:59
*** spzala has quit IRC18:59
edmondswyou have to have a domain in order to have users in order to do anything18:59
rodrigodsok... so rephrase to give examples of its usages?18:59
edmondswrodrigods keystone-manage bootstrap19:00
*** clenimar has quit IRC19:01
edmondswrodrigods that clear, or you're still looking for me to explain?19:02
rodrigodsedmondsw, it is clear, but saying "The default domain" is not helpful either19:02
rodrigodsrephrase so you can give examples of its usages19:02
rodrigodslike you just gave19:03
edmondswrodrigods, sorry, I'm not following... are you asking for another example besides bootstrapping?19:03
*** spzala has joined #openstack-keystone19:03
raildosamueldmq: I'll make it depend on https://review.openstack.org/#/c/243585/ and the change will be smaller19:03
patchbotraildo: patch 243585 - keystone - API support for project cascade update19:03
rodrigodsedmondsw, in the patch19:03
edmondswah, ok... annasort ^19:04
edmondswrodrigods do you have something in mind?19:04
*** jaosorior has quit IRC19:04
notmorganedmondsw: i probably wouldn't change the default domain description at runtime in a production cloud.19:04
notmorganedmondsw: just generally speaking as an upgrade it seems ... odd?19:05
edmondswnot sure what would be clearer than simply saying it's the default19:05
bknudson_tjcocozz: btw -- check this out -- https://review.openstack.org/#/c/202760/ -- I was looking into this same issue a few months ago, just never had time to fix it.19:05
patchbotbknudson_: patch 202760 - python-openstackclient - Same exception handling for gets() in find_resource19:05
notmorganfor new clouds i could see it being changed and making sense19:05
notmorganbut if it's something already running, it could be updated via the API too19:05
samueldmqrodrigods: perfect, I am reviewing that one right now19:05
notmorganedmondsw: feel free to explain why we should change the name in an upgrade and the benefit and i'm happy to support it, just triggers an odd "eh, is this needed" feeling in my head19:06
samueldmqrodrigods: oops, meant raildo ^19:06
rodrigods:)19:06
edmondswnotmorgan, shouldn't matter, really. But let's say it did... are you suggesting that keystone-manage bootstrap not use migration_helpers.get_default_domain?19:06
raildosamueldmq: thanks19:06
rodrigodsedmondsw, no better suggestions :(19:06
notmorganedmondsw: ah wait man i misread that19:06
notmorganedmondsw: sigh19:06
notmorganedmondsw: brain is context switching19:06
notmorganedmondsw: ignore my comments :P19:07
edmondsw:)19:07
notmorganthough i would probably still keep that it is meant to hold v2 users and projects for compat in there.19:07
notmorganedmondsw: also remember default domain can be changed via a config option19:08
*** spzala has quit IRC19:08
edmondswnotmorgan, well, as I was saying above, that's not necessarily true... you can configure which domain is used for that CONF.identity.default_domain_id19:08
edmondswcould be a different domain and not this one19:08
notmorganyep19:08
samueldmqraildo: left a comment in https://review.openstack.org/#/c/243585/19:08
patchbotsamueldmq: patch 243585 - keystone - API support for project cascade update19:08
samueldmqraildo: I am a +2 after that (mostly nits)19:08
notmorganwhich i never really liked as a concept. but i get why we did it.19:08
notmorganfwiw19:08
edmondswnotmorgan, I had to change default_domain_id for the last year or so in our product, so I for one am glad it was changeable :)19:09
raildosamueldmq: fixing now19:09
notmorganedmondsw: oh like i said i get it, i don't like that it's changeable - there could have been other solutions to the problem. but this was an easy fix [it did cause some weird bugs though, and it's not well exercised code wise]19:10
*** josecastroleon has quit IRC19:11
edmondswnotmorgan rodrigods I'm not coming up with any better description than simply saying "The default domain", or maybe just leaving it blank entirely...19:11
*** josecastroleon has joined #openstack-keystone19:12
notmorganedmondsw: "Default domain for v3 api compatibility containing users and projects acted upon via the v2.0 API" ? or something like that19:12
rodrigodsnotmorgan, good one!19:13
notmorganedmondsw: verbiage needing some massaging.19:13
notmorganclearly19:13
edmondswnotmorgan, that doesn't solve the problem... that a) it's talking about v2 even in v3-only deployments and b) even in v2 deployments another domain may be configured with default_domain_id and that would be totally inaccurate19:14
edmondswwe need to KISS here19:14
notmorganno that is saying it is the default19:14
notmorganfor that19:14
edmondswnotmorgan, that's confusing19:15
notmorganedmondsw: i would encourage you/deployers to delete "default" domain in the case you just outlined19:15
notmorgan:P19:15
notmorganor redescribe it at least at runtime19:15
notmorganvia the API19:15
edmondswnotmorgan can't... been using it for years, would break backward compat19:16
bknudson_is there some way we could have an option to not create the default domain?19:16
bknudson_it must be created by keystone-manage db_sync19:16
notmorganbknudson_: we could change it now if we move to bootstrap only19:16
edmondswwe could change the description, I guess... but why make each deployer do that?19:16
edmondswbknudson_ bootstrap creates it19:17
bknudson_notmorgan: the problem is if the deployment had v2 users they need to be put in a domain19:17
bknudson_http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/migrate_repo/versions/067_kilo.py#n32319:17
notmorganbknudson_: right. we could make it not auto-created in the SQL migration19:18
bknudson_bootstrap will create a domain for the admin user19:18
edmondswyes... that is this domain19:18
bknudson_notmorgan: or only create it if there's a user?19:18
notmorganbknudson_: possibly.19:18
notmorgani mean, i always disliked injecting data into the DB like the default domain, i actually wanted the default domain to just be a code construct :(19:19
bknudson_we actually don't migrate users anymore, that code is too old19:19
notmorganthat is really virtual strictly for the v2/v3 compat stuff.19:19
bknudson_so we don't need db_sync to create the domain19:19
notmorganbknudson_: correct we could do away with it and only create it if really needed at runtime19:19
bknudson_and we can leave it up to bootstrap19:19
notmorganor via bootstrap19:20
notmorganwhich is easier to enhance to make for alternative default domain configs/values19:20
bknudson_if created by bootstrap it can use a different description19:20
notmorganyep19:20
*** jasonsb has quit IRC19:20
notmorganayoung: i am still not convinced we should be warning if admin_token_auth is in the pipeline but maybe when its configured and in the pipeline? or when it authorizes a user?19:21
notmorganayoung: just a thought since we have docs still pending.19:22
edmondswbknudson_ you volunteering to go make the changes you were just talking about? :)19:22
notmorganbknudson_: the only thing to consider is some folks may still use admin_token_auth to bootstrap, so we'd need the default domain.19:22
notmorganbut i *think* we also create it at runtime if needed19:22
ayoungnotmorgan, I think having it there at startup is appropriate.19:22
edmondswnotmorgan does admin_token_auth really need a domain to exist?19:22
edmondswI didn't think so19:23
bknudson_edmondsw: I'll work on those changes now if nobody else is.19:23
notmorganedmondsw: well because bootstrapping doesn't say you must create a domain.19:23
bknudson_if you create a user using v2 you're going to need a default domain19:23
edmondswthis all started from such a simple change: https://review.openstack.org/#/c/281381/119:23
patchbotedmondsw: patch 281381 - keystone - Update default domain's description19:23
notmorganayoung: except again we're shipping a default thing that yells at a deployer even if it's not "turned on" due to config19:23
notmorganayoung: which i'm against since RDO for example treats paste-ini as non-editable19:24
ayoungnotmorgan, ah, you mean my argument that paste is not config, so people can't remove it and edit it?19:24
notmorganayoung: pretty much. :(19:24
notmorganayoung: it's somewhat config19:24
edmondswthose silly RedHat guys... am I right, ayoung? ;)19:24
ayoungnotmorgan, hmm.  OK.  So if admin_token is set to None, we should shut off the warning?19:25
notmorganayoung: so i think we need to not warn unless it's enabled/configured.  heck i'd make it warn on every auth ;)19:25
ayoungI'll buy that19:25
*** aginwala has quit IRC19:25
notmorganayoung: make it really noisy :P OMG INSECURE AUTH OMG :P19:25
bknudson_if they set an admin token password then make their /etc/passwd available because they obviously don't care about security.19:26
notmorganayoung: yeah that is my only concern. otherwise i'm pretty happy with the changes. i'm also inclined to say we merge admin_token_auth into auth_context and then the deprecation becomes code removal once folks don't need it [newton?] - and we can revisit removing the stub from the pipeline19:26
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Support creation of domain specific roles  https://review.openstack.org/28201719:26
notmorgannot newton removal of code, but newton merge of the things19:26
ayoungnotmorgan, ++19:27
ayoungnotmorgan, "I like this plan.  I'm proud to be a part of it!"19:28
ayounghttps://www.youtube.com/watch?v=PVhTDNlbsSc19:28
*** spzala has joined #openstack-keystone19:28
*** spzala has quit IRC19:28
*** spzala has joined #openstack-keystone19:28
ayoungNOt sure if I am really the Venkman of Keystone, though19:28
notmorganlol19:29
*** d0ugal has quit IRC19:29
*** d0ugal has joined #openstack-keystone19:30
*** d0ugal has quit IRC19:30
*** d0ugal has joined #openstack-keystone19:30
*** su_zhang has quit IRC19:31
ayoungActually, I am fairly certain I'm Spangler19:33
*** jsavak has quit IRC19:34
*** jsavak has joined #openstack-keystone19:35
*** aginwala has joined #openstack-keystone19:38
*** daemontool has joined #openstack-keystone19:39
notmorganheh19:41
*** josecastroleon has quit IRC19:42
*** josecastroleon has joined #openstack-keystone19:43
stevemarcan i be Stantz?19:49
notmorganstevemar: Ray, when someone asks you if you're a god, you say "YES"!19:51
stevemaruh oh, we got our first "annoying warning" about the session/client deprecation that happened in keystoneclient19:54
notmorganstevemar: oh where?19:54
samueldmqis it okay to use ?option for POSTing at an API ?19:54
samueldmqnotmorgan:  ^19:54
stevemarnotmorgan: check mailing list19:55
*** rcernin has quit IRC19:55
stevemarsamueldmq: sounds weird19:55
notmorgansamueldmq: it is. but it looks weird.19:55
notmorganstevemar: hmm... what was the title? i'm not seeing it yt19:55
notmorganyet*19:55
stevemarnotmorgan: "annoying warning" no tag19:56
samueldmqstevemar: notmorgan: same weirdness for PATCH right ?19:56
samueldmqPATCH /projects/{project_id}?cascade19:56
notmorgansamueldmq: yep19:56
stevemarnotmorgan: not on -dev19:56
notmorganstevemar: ahh19:56
samueldmqnotmorgan: cool, I argue it to be as POST /v3/users/{user_id}/password19:56
samueldmqnotmorgan: PATCH /projects/{project_id}/cascade19:56
notmorganstevemar: oh that, that is something about their config19:57
notmorgansamueldmq: i don't think that is the same thing, we've warned on that for a looong time19:57
notmorgansamueldmq: sorry stevemar ^19:57
*** daemontool has quit IRC19:57
*** gyee has joined #openstack-keystone19:58
*** ChanServ sets mode: +v gyee19:58
notmorganstevemar: that is ksm warning19:58
stevemarnotmorgan: tru tru19:58
stevemarnotmorgan: i jumped too soon19:58
notmorganstevemar: don't worry you'll get that email soon enough19:58
stevemarfor sure19:59
stevemarwaiting for people to upgrade their ksc19:59
samueldmqraildo: htruta: ^19:59
notmorganit's going to be the same as urllib3 complaining when using requests and verify=False19:59
samueldmqraildo: htruta: why not PATCH /projects/{project_id}/cascade rather than PATCH /projects/{project_id}?cascade19:59
notmorganstevemar: basically turn logging off for ksc.session.Session >.>20:00
notmorganstevemar: :P20:00
*** rderose has quit IRC20:00
samueldmqthe delete one is using slash, so should be okay20:00
*** daemontool has joined #openstack-keystone20:00
raildosamueldmq: we discussed this a lot of times here... we never reached an agreement20:01
raildosamueldmq: we implemented in the first way, and the people asked us to change for query string20:01
htrutasamueldmq: the delete one will be rebased to use the query filter too. Most people we discussed in here agreed on the query, that's why we decided20:01
samueldmqhtruta: raildo: I was just discussing it with notmorgan and stevemar, PATCH using a query string sounds weird20:02
tjcocozzI keep coming accross this term 'roll grants' are they the same as role assignments?20:03
samueldmqtjcocozz: role grants yes20:03
tjcocozzsamueldmq, thanks!20:03
samueldmqtjcocozz: assignments came in when we implemented list_role_assignments20:03
samueldmqtjcocozz: which has a different and more complete return than /roles20:04
samueldmqtjcocozz: then a new API was created for backward compat20:04
bknudson_I thought changing the migration to not create the default domain would cause all sorts of tests to fail but there was only 1 failure.20:04
samueldmqtjcocozz: I believe there was another ways to do it, but well, that's it :)20:04
tjcocozzsamueldmq, okay that makes sense.20:05
samueldmqayoung: ping, you around ? re: /cascade or ?cascade20:05
samueldmqayoung: I saw you had a comment in https://review.openstack.org/#/c/244248/11/doc/source/policy_mapping.rst20:05
patchbotsamueldmq: patch 244248 - keystone - API support for project cascade delete20:05
htrutasamueldmq: ayoung is frying bigger fishes20:05
raildolol20:05
ayoungsamueldmq, cascading means all of the included projects20:05
samueldmqhtruta: ?20:06
ayoungso if P1->P2  and P2->P2 P2->P4  and so on  you check policy against all of those20:06
samueldmqayoung: it means make the API apply in the subtree as well20:06
htrutasamueldmq: both of the alternatives make sense, following what we already have in keystone. I tend to go with the ?cascade20:07
samueldmqhtruta: exactly the opposite20:07
samueldmqhtruta: we have ? for query params in GET calls20:07
*** henrynash_ has joined #openstack-keystone20:07
*** ChanServ sets mode: +v henrynash_20:07
samueldmqhtruta: and / for POST20:07
*** annasort_ has joined #openstack-keystone20:07
*** markvoelker_ has joined #openstack-keystone20:07
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358520:08
samueldmqhtruta: like POST /v3/users/{user_id}/password20:09
*** petertr7z has joined #openstack-keystone20:09
*** petertr7z is now known as petertr720:09
*** notmorga1 has joined #openstack-keystone20:09
*** notmorga1 has quit IRC20:09
*** notmorga1 has joined #openstack-keystone20:10
htrutasamueldmq: one thing to consider is that we shouldn't add endpoints to every single subset operation20:10
htrutaof operation*20:10
samueldmqhtruta: raildo: /inherited_to_projects when granting role assignments is also a good example20:11
*** tjcocozz_ has joined #openstack-keystone20:11
*** annasort has quit IRC20:12
*** john5223 has quit IRC20:12
*** henrynash has quit IRC20:12
*** petertr7_away has quit IRC20:12
*** notmorgan has quit IRC20:12
*** markvoelker has quit IRC20:12
*** henrynash_ is now known as henrynash20:12
*** tjcocozz has quit IRC20:12
*** kevinbenton has quit IRC20:12
*** BAKfr has quit IRC20:12
*** stevemar has quit IRC20:12
*** tristanC has quit IRC20:12
samueldmqwe do /users/x/projects/y/roles/r/inherited to projects rather than ?inherited_to_projects20:12
*** annasort_ is now known as annasort20:12
htrutasamueldmq: as I said, I'm ok with both approaches, but we decided to go with ?cascade because it had better acceptance20:12
samueldmqhenrynash: hi, you around ? need your view on something20:12
*** vivekd has quit IRC20:12
samueldmqhtruta: who accept it better ? :p20:12
*** josecastroleon has quit IRC20:12
*** kevinbenton has joined #openstack-keystone20:12
*** tristanC has joined #openstack-keystone20:13
samueldmqhtruta: for me it sounds very weird, and notmorgan and stevemar as I said20:13
*** stevemar has joined #openstack-keystone20:13
samueldmqI'd like to get henrynash's view on it20:13
htrutasamueldmq: AFAIR, henrynash, ayoung, gyee20:13
raildosamueldmq: I'm not in favor or against any of these options, as I said, we had discussed this like 5 times, and we  didn't have any agreement or any RFC pattern to make this clear or something like that...20:13
*** BAKfr has joined #openstack-keystone20:13
*** ChanServ sets mode: +o stevemar20:13
*** josecastroleon has joined #openstack-keystone20:13
openstackgerritBrant Knudson proposed openstack/keystone: db_sync doesn't create default domain  https://review.openstack.org/28204220:15
*** daemontool has quit IRC20:16
*** boris-42 has quit IRC20:16
*** aginwala has quit IRC20:16
htrutaraildo: ++20:16
*** boris-42 has joined #openstack-keystone20:18
*** daemontool has joined #openstack-keystone20:19
*** jsavak has quit IRC20:20
*** daemontool has quit IRC20:21
*** boris-42 has quit IRC20:24
*** aginwala has joined #openstack-keystone20:27
*** jsavak has joined #openstack-keystone20:28
openstackgerritBrant Knudson proposed openstack/keystone: Remove migration_helpers.get_default_domain  https://review.openstack.org/28204920:31
notmorga1bknudson_: wooo20:34
*** amakarov is now known as amakarov_away20:35
bknudson_notmorga1: I want to try this out but I don't think bootstrap would create the default domain correctly...20:36
bknudson_see http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/migration_helpers.py#n4720:36
notmorga1bknudson_: really? i tried it and it seemed to work.20:37
samueldmqnotmorga1: stevemar: so I'd argue it to be POST /projects/{id}/cascade20:37
bknudson_and it's used http://git.openstack.org/cgit/openstack/keystone/tree/keystone/cmd/cli.py#n13220:37
samueldmqnotmorga1: stevemar: I was looking at https://specs.openstack.org/openstack/api-wg/guidelines/http.html20:37
samueldmqand PATCH things are for single entities20:37
bknudson_it's going to have all this "extra" junk?20:37
notmorga1bknudson_: ah. hm.20:38
samueldmqnotmorga1: stevemar: and POST for changing server states somehow, so a POST would be more appropriate20:38
bknudson_or can you actually do a create with extra: and it gets loaded right?20:38
*** notmorga1 is now known as notmorgan20:38
htrutasamueldmq: that's an update. It is a PATCH20:38
samueldmqhtruta: no always20:38
samueldmqnot*20:38
stevemarsamueldmq: hmm20:38
*** notmorgan is now known as Guest804620:38
samueldmqand update in a *single* entity is a PATCH20:38
samueldmqhtruta: ^20:38
* Guest8046 kicks nickserv20:39
samueldmqstevemar: I was discussing it with sdague20:39
stevemarsamueldmq: whats the API wg say?20:39
*** Guest8046 is now known as morganfainberg20:39
*** morganfainberg is now known as Guest9946420:40
samueldmqstevemar: I can't talk for all the api-wg, but sdague (who is a member) told me exactly what I said above20:40
*** Guest99464 is now known as maelfius20:40
*** maelfius is now known as notmorgan120:40
notmorgan1...20:41
samueldmqstevemar: PATCH is for a single entity, so it always ends with /{id}20:41
stevemarsamueldmq: http://stackoverflow.com/questions/28596688/rest-api-bulk-create-or-update-in-single-request20:41
* samueldmq 's looking20:41
stevemarsamueldmq: POST seems weird20:42
htrutasamueldmq, stevemar: using POST to create AND to bulk update is not user friendly for me20:42
samueldmqstevemar: htruta: have a moment to go to #openstack-sdks ?20:43
*** josecastroleon has quit IRC20:43
samueldmqwe could talk to some guys from api-wg there and get some guidance20:43
stevemaralways there20:43
*** pnavarro has joined #openstack-keystone20:43
* htruta is going20:44
*** notmorgan1 is now known as notmorgan20:44
*** notmorgan has quit IRC20:44
*** notmorgan has joined #openstack-keystone20:44
*** ChanServ sets mode: +o notmorgan20:44
*** josecastroleon has joined #openstack-keystone20:44
*** notmorgan is now known as morgan20:44
*** morgan is now known as notmorgan20:45
*** e0ne has quit IRC20:45
*** e0ne has joined #openstack-keystone20:45
*** notmorgan is now known as captainmorgan20:46
*** captainmorgan is now known as notmorgan20:46
*** notmorgan is now known as needscoffee20:46
*** e0ne has quit IRC20:46
*** needscoffee is now known as notmorgan20:47
* notmorgan fixes irc nicks...20:47
bknudson_notmorgan: the domain created by bootstrap doesn't have a description as far as I can tell from this devstack test.20:50
bknudson_notmorgan: with https://review.openstack.org/#/c/282049/ it's got a description20:53
patchbotbknudson_: patch 282049 - keystone - Remove migration_helpers.get_default_domain20:53
notmorganbknudson_: oh no it doesn't20:53
notmorganbecause the only reason bootstrap does that is sqlite in tests doesn't run migrate :P20:53
notmorganit does model.reflection_create [not actual method]20:54
dstanekhas anyone had any luck mounting a cloud node's filesystem to a local machine?20:54
*** fpatwa has joined #openstack-keystone20:54
openstackgerritBrant Knudson proposed openstack/keystone: Remove migration_helpers.get_default_domain  https://review.openstack.org/28204920:57
notmorgandstanek: uhm... explain what you're trying to do?20:57
notmorgandstanek: a VM -> hypervisor?20:57
dstaneknotmorgan: VM -> MacBook Air20:58
notmorganlike under say virtualbox?20:58
notmorganwhile the VM is running or just as a "loopback so i can muck with things"20:58
*** esp has joined #openstack-keystone20:59
dstaneknotmorgan: except i want to mount a VM; sshfs is slow as hell and the fuse driver i was trying to use seems broken now20:59
* notmorgan has done both, but the former is NFS or SMB or AFP share only.20:59
*** fpatwa has quit IRC20:59
notmorgani used NFS except OS X sucks at nfs now.20:59
dstaneknotmorgan: the VM is in the Rax public cloud20:59
notmorganoh.20:59
notmorgandstanek: OH.20:59
notmorganso i'd use NFS TCP tunneled over the SSH connection21:00
notmorganor openvpn.21:00
notmorgansshfs was ... wonky :(21:00
notmorganespecially on OS X21:00
dstanekwonky is an understatement; i had this working OK on fedora back in the day, but my OSX setup is not loving it21:01
notmorganand chances are tunneled NFS will be about as fast/reliable as FUSE sshfs21:01
notmorganthe issue is sshfs is fuse and fuse sucks on OS X21:01
*** samueldmq1 has joined #openstack-keystone21:01
notmorgandstanek: so easiest/least problematic would prob. be openvpn21:02
notmorgandstanek: and then NFS or SMB or AFP21:02
dstaneki'll give that a try. thx notmorgan21:03
notmorgandstanek: or alternative, you could do VM on OS X that does sshfs that re-exports to the local machine21:03
*** tsymancz2k has joined #openstack-keystone21:03
notmorgangosh that is a lot of moving parts.21:03
dstaneki wish i could mount over mosh21:03
*** tsymancz2k has quit IRC21:03
*** tsymanczyk has quit IRC21:03
*** tsymancz1k has quit IRC21:03
dstaneknotmorgan: not terrible because i already have a vpn between my lappy and another cloud node that i can test with21:03
notmorganwell, you could mount over mosh with a bit of custom code, an application on the remote end and a FUSE driver locally21:03
notmorganbut it's custom code.21:04
* notmorgan really wants to have mosh-friendly daemons like that at some point21:04
notmorganmaybe i'll start writing them ;)21:04
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424821:04
notmorganbut i would guess mosh would make the atomicity of a file operation very difficult21:04
*** jsavak has quit IRC21:05
*** esp has quit IRC21:05
*** jsavak has joined #openstack-keystone21:05
*** roxanaghe has quit IRC21:06
*** raildo is now known as raildo-afk21:06
*** roxanaghe has joined #openstack-keystone21:06
*** samueldmq1 has quit IRC21:07
*** tsymanczyk has joined #openstack-keystone21:08
*** tsymancz1k has joined #openstack-keystone21:08
*** tsymanczyk is now known as Guest8675121:08
*** dstanek has quit IRC21:09
*** dstanek has joined #openstack-keystone21:10
*** ChanServ sets mode: +v dstanek21:10
*** josecastroleon has quit IRC21:14
*** josecastroleon has joined #openstack-keystone21:15
*** rk4n has quit IRC21:21
*** rk4n has joined #openstack-keystone21:21
*** josdotso has joined #openstack-keystone21:27
josdotsoHi folks.  with-env.sh is gone it seems. how to start keystone-all for development.. re: https://github.com/openstack/keystone/blob/master/doc/source/developing.rst#running-keystone21:28
josdotso*?21:29
*** tsymancz2k has joined #openstack-keystone21:35
*** tsymancz1k has quit IRC21:35
*** Guest86751 has quit IRC21:35
*** e0ne has joined #openstack-keystone21:38
stevemardolphm: around?21:44
dolphmstevemar: sort of21:44
*** pgbridge has quit IRC21:44
*** josecastroleon has quit IRC21:45
*** josecastroleon has joined #openstack-keystone21:46
stevemardolphm: should be quick...21:47
dolphmstevemar: i'm packing up now...21:48
stevemardolphm: dammit21:48
stevemardolphm: https://bugs.launchpad.net/keystone/+bug/147356721:48
openstackLaunchpad bug 1473567 in OpenStack Identity (keystone) "Fernet tokens fail tempest runs" [High,In progress] - Assigned to Lance Bragstad (lbragstad)21:48
*** gildub has joined #openstack-keystone21:48
stevemardolphm: oh nvm, notmorgan put up a patch to close it21:48
stevemarmy bad21:48
dolphmstevemar: yay21:48
dolphmnotmorgan: thanks for things21:48
notmorgandolphm: :)21:48
stevemarnotmorgan: mark the keystone part of the bug as invalid?21:49
stevemarsince we're not going to fix the subsecond issue?21:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Get revocation list with only audit ids  https://review.openstack.org/26019621:50
notmorganstevemar: uhm.21:52
notmorganstevemar: "wont fix"21:52
stevemarnotmorgan: thank you!21:53
notmorganstevemar: since it's not that it's an invalid bug, just that it's not the thing we're fixing21:53
stevemartrue21:53
stevemar1 less bug, woo hoo21:53
notmorganmaybe i should do another pass of "close all the bugs"21:53
notmorgansee if we can smash down the total open number another 20-3021:53
notmorganlike a couple weeks ago21:53
notmorgani had 1 false positive in the smash bugs... so i felt good about that21:54
notmorgan:P21:54
stevemarnotmorgan: i am referring to the ones targeting mitaka-321:54
stevemarhttps://launchpad.net/keystone/+milestone/mitaka-321:54
notmorganstevemar: right, i look at all the bugs when i do it. sometimes it closes bugs targeting a release.21:54
*** rk4n has quit IRC21:55
*** rk4n has joined #openstack-keystone21:55
*** su_zhang has joined #openstack-keystone21:57
*** chlong has quit IRC21:57
*** chlong_ has joined #openstack-keystone21:58
notmorganstevemar: i just tossed you under the bus on the ML to look into the annoying warning more21:58
notmorgansorry21:58
notmorgan:P21:58
notmorgan#sorrynotsorry21:58
stevemarnotmorgan: gdi21:58
stevemarnotmorgan: apparently someone really wants better policy21:59
notmorganstevemar: i saw.21:59
stevemarmention domain and implied roles?21:59
samueldmqstevemar: have a link to the ML thread ?21:59
notmorganstevemar: implied ... maybe, but point at the spec dolphm and jamielennox are championing first21:59
stevemarsamueldmq: http://lists.openstack.org/pipermail/openstack/2016-February/015268.html22:00
notmorganstevemar: that plus implied might get you there.22:00
*** pgbridge has joined #openstack-keystone22:00
notmorganstevemar: but i'd be wary about talking about implied roles until it's baked a little more, it's still pretty early on22:00
stevemaryeah22:00
notmorganstevemar: i would def. not talk about domain-specific-roles yet.22:00
stevemaryep22:01
stevemartoo much info will just muddy the water22:01
jamielennoxi'm coming more to the view that you don't need it, if the provider used a really fine grained policy file then domain admins can decide who to give what roles to22:01
notmorgani think the billion-roles spec will get them ~80% of the way there, implied is another 10-15% and dsr may or may not even cover anything more22:02
jamielennoxwith implied roles you can make those fine grained roles easier to use22:02
notmorganjamielennox: that is generally my view22:02
bknudson_the name of that blueprint should have been "a billion roles"22:02
jamielennoxper-domain roles is just implied roles that are domain only22:02
notmorganjamielennox: but i get that some folks are asking for remix roles like implied roles that logically make sense for my little corner of the cloud22:02
jamielennoxi think people over estimate what policy should do22:03
notmorganjamielennox: so i get that there is some usability features there. i'm inclined to say it's pretty edge case usability22:03
notmorganjamielennox: but we wont know until implied gets some more drive time22:03
*** josdotso has quit IRC22:03
openstackgerritBrant Knudson proposed openstack/keystone: Use ldap3 for DN comparison  https://review.openstack.org/26072122:03
notmorganbknudson_: ++22:03
notmorganbknudson_: also yay ldap3!22:03
jamielennoxi think we should say that policy files are capabilities and use implied-roles to build actual roles22:03
jamielennoxand hopefully people will confuse them less22:04
bknudson_notmorgan: that is step 1 of a much larger change that I'm not working on currently.22:04
notmorganjamielennox: ++ actually i need to propose a change to oslo_policy to make any API an implict role that can be created22:04
notmorganbknudson_: very happy to see it though, that one is a big step in the right direction22:04
bknudson_notmorgan: we looked at pyldap since it supposedly has py3 support now but ldappool is still broken.22:04
notmorganldap3 is the best option, it does everything right and really works in a more pythonic way imo22:04
bknudson_maybe it would be easier to cleanup ldappool22:05
samueldmqstevemar: thx22:05
bknudson_notmorgan: that's my opinion, pyldap and the C ldap library are turds22:05
notmorgansince it uses dicts vs dicts in *some* cases and lists of tuples in others22:05
*** tsymanczyk has joined #openstack-keystone22:05
notmorganbknudson_: drive towards ldap3, i'll commit to helping to review as long as i have time to do so, i think it's a much much much better approach22:05
*** tsymanczyk is now known as Guest4941322:05
notmorganbknudson_: but i also think we can isolate all the ldap code out of keystone.common into the driver itself22:05
notmorganw/ ldap3 since we ditched assignment and role and resource22:06
notmorganso i am also a fan of "new ldap driver that isn't silly"22:06
notmorganbut will support either direction you go22:06
bknudson_notmorgan: that makes sense, no need for common ldap since there is only 1.22:06
notmorganbknudson_: exactly22:06
bknudson_I also am liking that... our ldap3 driver is read-only22:06
notmorganyep22:06
bknudson_if you want read-write use the deprecated one and forget about py3 support.22:07
notmorganyep22:07
notmorganannnnnd22:07
*** petertr7 is now known as petertr7_away22:07
notmorganas long as new driver works [and produces same data for identity] we can just say "use this instead, and it'll be the py3 way forward]22:08
notmorganit also means we don't carry silly behaviors to be cross-backend friendly forward.22:08
bknudson_that sounds like less work than trying to get all our existing code changed over.22:08
*** spzala has quit IRC22:08
notmorganand in O (or p cycle) keystone.common.ldap gets rm -rf'd22:08
*** knikolla has quit IRC22:09
bknudson_we might be able to move keystone.common.ldap to keystone.identity.ldap already?22:09
notmorganprobably.22:09
notmorganbut not sure if that is worth it22:09
notmorganit's a lot of code shuffle and still need stubs laying around for compat for a couple cycles22:10
notmorganbut i defer to you since you're working on it :)22:10
notmorganthe only downside is we need a new "extras" install, ldap3? since "[ldap]" is already consumed by py2-crappy-version22:10
notmorganor we could just make ldap3 a hard-requirement since it's pure python22:11
openstackgerritMerged openstack/keystonemiddleware: Add back a bandit tox job  https://review.openstack.org/28154822:11
bknudson_notmorgan: y, it'll probably be ldap322:11
bknudson_or ldap-the-next-generation22:11
stevemarbknudson_: everything is TNG22:12
stevemarkeystone TNG22:12
notmorganstevemar: API V4!22:13
stevemarno! only TNG22:13
notmorganstevemar: API vTNG screw SEMVER!22:13
stevemarand the TNNG22:13
stevemarTNNNG22:13
stevemarTNNNNNG22:13
*** jsavak has quit IRC22:13
*** aginwala has quit IRC22:14
*** doug-fis_ has joined #openstack-keystone22:15
stevemarnotmorgan: whats the policy on modifying migration files?22:15
notmorganstevemar: don't.22:15
stevemarif we haven't shipped22:15
notmorganstevemar: oh22:15
notmorganuh22:15
notmorganwell still22:15
notmorgandont22:15
stevemarin case folks are running from master22:15
notmorganyep22:15
*** josecastroleon has quit IRC22:15
stevemaralrighty22:15
notmorganpeople chase master, make a new migration22:15
stevemari figured that was the case )22:16
stevemar:)22:16
notmorganyou can fix the old one and make a new one idempotent22:16
notmorganto catch the minority of people doing close-to-cd-like-things22:16
*** aginwala has joined #openstack-keystone22:16
notmorganbut...22:16
notmorganif it isn't breaking people to get that migration a subsequent one is a lot less work22:16
*** josecastroleon has joined #openstack-keystone22:17
*** doug-fish has quit IRC22:18
stevemartrue day22:18
stevemardat22:18
*** doug-fis_ has quit IRC22:19
*** mylu has joined #openstack-keystone22:21
dstanekstevemar: so i'm not liking the extra code added in to ensure base32 on the password. i think that should be enforced when storing credentials and not on validation. thoughts?22:21
dstaneki don't think we have a good generic way of doing that yet22:22
openstackgerritMatthew Edmonds proposed openstack/keystone: Allow user list without specifying domain  https://review.openstack.org/28208022:24
*** dave-mccowan has quit IRC22:26
*** diazjf has quit IRC22:31
*** mylu has quit IRC22:33
notmorgandstanek: base32 on the password?22:34
notmorgandstanek: what are you looking at, i'm very intrigued by this new code thing22:35
dstaneknotmorgan: https://review.openstack.org/#/c/274901/13/keystone/auth/plugins/totp.py _get_totp_token22:35
patchbotdstanek: patch 274901 - keystone - Time-based One-time Password22:35
bknudson_base32 encrypt the password22:36
dstaneknotmorgan: cryptography craps itself when the secret isn't quite right22:36
notmorganso i would enforce on store, if we are managing the storage not through the generic credential API22:37
dstanekbknudson_: that's what i was thinking, but when creating the record22:37
notmorganif we're using the generic credential API we *should* provide some level of validation22:37
notmorganwhen consuming it22:37
notmorgan*cough* "encrypt" *cough*22:38
notmorgandstanek: but we're not adding an API to generate/upload a validated TOTP secret22:38
dstanekso i was thinking though, if we screw with it when it's being saved that the shared secret is no longer shared and the client may not be able to properly generate a passcode22:38
notmorganit's just a blob someone is responsible for doing it.22:38
*** mylu has joined #openstack-keystone22:39
notmorganso.. the question becomes: does our credential api become smart enough to handle this22:40
dstaneknotmorgan: i was actually thinking that maybe we need a type based validator on create/update22:40
notmorgansure. i'm ok with that22:40
openstackgerritBrant Knudson proposed openstack/oslo.policy: Deprecate load_json() in favor of load()  https://review.openstack.org/28037322:40
openstackgerritBrant Knudson proposed openstack/oslo.policy: Change default behavior for YAML  https://review.openstack.org/28038422:40
notmorgandstanek: so just register a hook to tell credential API "validate type as X" and that is a method? maybe a stevedore entry?22:43
notmorgandstanek: and if there is nothing to load for that type, it's stored as given?22:43
stevemarbknudson_: list of projects that are using load_json http://codesearch.openstack.org/?q=policy.Rules.load_json&i=nope&files=&repos=22:43
dstaneknotmorgan: maybe. not sure we need to get that fancy yet22:43
notmorganwould open the door to easily do full encryption down the line [future proof]22:43
*** mylu has quit IRC22:44
dstaneknotmorgan: yes, if it's not there then just store like we do today22:44
notmorgandstanek: or at least leave the architecture open to something like that down the line, even if it doesn't do it22:44
notmorgantoday22:44
dstaneknotmorgan: yeah, i don't think i can prevent it even if i wanted to :-), but i don't want to give anyone the ability to override the totp validation22:45
notmorgandstanek: yeah i like that better than the "base32" mucking in the plugin on every load/validate22:45
*** mylu has joined #openstack-keystone22:45
bknudson_stevemar: neat... that's handy22:46
*** josecastroleon has quit IRC22:46
stevemarbknudson_: you broke my sarcasm detector22:46
dstaneklol22:47
bknudson_oh, should have that's REAL handy22:47
bknudson_(:22:47
*** josecastroleon has joined #openstack-keystone22:47
bknudson_I think upside-down happy face is sarcasm indicator.22:47
*** edmondsw has quit IRC22:49
notmorganbknudson_: what not using an "⸮" [warning UTF-8 needed!] for it22:49
*** pnavarro has quit IRC22:50
bknudson_the kids probably have an emoji22:51
stevemarnotmorgan: no, we dont support storing that in openstack22:51
stevemarrefer to the x-project spec22:51
notmorganstevemar: awww. right utf-8-4-byte-character22:51
notmorganstevemar: dude, but i want to call my project <poo emoji>22:52
stevemarnotmorgan: totally a legit use case22:52
stevemarthat's the one issue i keep hearing that customers want22:52
stevemarmore support for emojis22:52
notmorganstevemar: wow, mosh/my terminal doesn't support it :(22:52
notmorgan💩22:52
notmorganah just my terminal22:53
notmorganthe weechat android client sees that just fine *facepalm*22:53
*** fpatwa has joined #openstack-keystone22:55
dstanekstevemar: when you say 'corrupt credential' here: https://review.openstack.org/#/c/274901/12/keystone/tests/unit/test_v3_auth.py ; what are you thinking?22:58
patchbotdstanek: patch 274901 - keystone - Time-based One-time Password22:58
*** gildub has quit IRC22:59
stevemardstanek: beats me, i was wondering why that was added in the first place22:59
stevemardstanek: i was just correcting the spelling22:59
*** fpatwa has quit IRC22:59
dstanekstevemar: the padding was added because we are expecting base32 encoded secrets with the padding stripped23:00
stevemardstanek: oh, i am referring to: like 51 https://review.openstack.org/#/c/274901/12/keystone/auth/plugins/totp.py23:00
patchbotstevemar: patch 274901 - keystone - Time-based One-time Password23:00
stevemarerr 5223:00
dstanekstevemar: ah, hmmmm... i'll figure out how to trigger it and get it tested. this module will be 100% covered, including whatever cases i can think of23:02
*** aginwala has quit IRC23:02
stevemardstanek: looking at https://review.openstack.org/#/c/274901/2/keystone/auth/plugins/totp.py23:02
patchbotstevemar: patch 274901 - keystone - Time-based One-time Password23:02
stevemarit looks like a catch was introduced in case the json.loads failed?23:03
stevemarand it somehow made its way outside and around the iterator for the list?23:03
stevemardstanek: it looks like we were doing a json loads before, and now we're not :\23:05
*** e0ne has quit IRC23:06
stevemardstanek: i want to say we don't need the try/except there, but i wanted the author to point that out :)23:06
*** gordc has quit IRC23:06
*** aginwala has joined #openstack-keystone23:06
dstanekstevemar: i didn't even notice that. i'll take a close look after dinner. going to push now, but ignore it because i have not run the tests to see if it works :-)23:07
*** henrynash has quit IRC23:07
stevemardstanek: cool beans23:08
stevemardstanek: i'm also good if this won't play nice with list limit, i don't see that as a blocker23:08
stevemarif you include that limitation in the docs and release note, then i'm good23:09
stevemarwe can tell folks to increase the limit23:09
stevemarand work on adding a function for the credentials backend next cycle23:09
notmorganstevemar: ++23:10
stevemarnotmorgan: --23:11
notmorganstevemar: http://cdn.onegreenplanet.org/wp-content/uploads/2010/10//2014/08/fox1.jpg23:11
openstackgerritDavid Stanek proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490123:11
stevemarhehe23:11
dstanekdinner time!23:11
stevemardstanek: running time!23:12
*** timcline has quit IRC23:12
*** pushkaru has quit IRC23:13
*** josecastroleon has quit IRC23:17
*** jbell8 has joined #openstack-keystone23:17
*** slberger has left #openstack-keystone23:18
*** josecastroleon has joined #openstack-keystone23:18
*** jamielennox is now known as jamielennox|away23:20
*** tobe has joined #openstack-keystone23:28
*** nkinder has quit IRC23:28
*** timcline has joined #openstack-keystone23:31
*** ninag has quit IRC23:32
openstackgerritSteve Martinelli proposed openstack/keystone: Implied roles index with cascading update/delete  https://review.openstack.org/28192123:33
stevemaramakarov_away: i fixed this up a bit, it could still use some work ^23:33
stevemarayoung: this is up your alley23:34
stevemarayoung:  ^23:34
ayoungstevemar, did you test against mysql?23:34
notmorganstevemar: can they really clobber each other?23:34
stevemarayoung: not yet23:35
stevemarnotmorgan: they did in sqlite23:35
ayoungstevemar, Sqlite does not enforce.  Meaningless.23:35
stevemarnotmorgan: i ran it and listed the constraints and only 1 was there23:35
stevemarayoung: i did it more so to add a test and make it pass jenkins23:35
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490123:35
ayoungstevemar, ++23:35
*** tobe has quit IRC23:35
ayoungstevemar, I'll test in a bit23:36
*** dims_ has joined #openstack-keystone23:36
stevemaralright23:36
ayoungI'm elbow deep in Puppet ATM23:36
notmorganstevemar: SQLite != real FK23:37
*** dims has quit IRC23:38
notmorganit really shouldn't be possible for FK changes to clobber each other..but this is more sane23:38
*** dave-mccowan has joined #openstack-keystone23:41
*** slogan_r has left #openstack-keystone23:41
*** openstackgerrit has quit IRC23:47
*** openstackgerrit_ is now known as openstackgerrit23:47
*** openstackgerrit_ has joined #openstack-keystone23:47
*** josecastroleon has quit IRC23:48
*** openstackgerrit_ is now known as openstackgerrit23:48
*** openstackgerrit_ has joined #openstack-keystone23:48
*** josecastroleon has joined #openstack-keystone23:49
*** tobe has joined #openstack-keystone23:49
*** gildub has joined #openstack-keystone23:50
*** chlong_ has quit IRC23:52
*** sigmavirus24 is now known as sigmavirus24_awa23:53
*** mylu has quit IRC23:55
*** openstackgerrit_ has quit IRC23:55
*** phalmos has quit IRC23:55
*** openstackgerrit_ has joined #openstack-keystone23:56
openstackgerritSteve Martinelli proposed openstack/keystone: deprecate using the ADMIN_TOKEN  https://review.openstack.org/28210423:58
stevemarnotmorgan: ayoung ^23:59
*** shoutm has joined #openstack-keystone23:59
