Tuesday, 2016-06-14

00:04 <openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: Document named kerberos plugin  https://review.openstack.org/329148
00:05 *** nkinder has quit IRC
00:05 *** roxanaghe has quit IRC
00:11 *** anteaya has joined #openstack-keystone
00:14 *** ddieterly has joined #openstack-keystone
00:19 *** aratus has quit IRC
00:21 *** tqtran has quit IRC
00:21 *** gyee has quit IRC
00:26 *** adrian_otto has quit IRC
00:28 *** opilotte- has quit IRC
00:29 *** ktychkova has quit IRC
00:30 *** ktychkova has joined #openstack-keystone
00:31 *** opilotte- has joined #openstack-keystone
00:41 *** browne has quit IRC
00:47 *** raddaoui has quit IRC
00:56 <jamielennox> samueldmq, notmorgan: there is some separation between opts
00:56 <jamielennox> one function is in setup.cfg for oslo.config opts
00:56 <jamielennox> and they don't include the deprecated opts
00:56 <jamielennox> so there is no username opt in there
00:57 <jamielennox> for example
00:57 <jamielennox> otherwise i think we had opts for dependency reasons
00:58 <jamielennox> samueldmq: the main change i would make is i don't think we want those new symbols to be public
00:58 <jamielennox> samueldmq: i have various changes up, i can't remember if i move those opts or not, but if they're public we need to maintain it if we ever do move it and i would like as little about auth_token to be public as possible
01:05 *** adrian_otto has joined #openstack-keystone
01:12 *** edtubill has joined #openstack-keystone
01:14 <ayoung> jamielennox, I chatted a bit with notmorgan today, and we both agreed that I should just rewrite the scopetoken SAML auth plugin IAW the federated one I posted on my blog.  You cool with that?
01:15 *** adrian_otto has quit IRC
01:15 <jamielennox> ayoung: for ksc or ksa?
01:15 <ayoung> jamielennox, both
01:15 <ayoung> ksa will be for the future
01:15 <jamielennox> ayoung: because i think it should be already done that way for ksa
01:15 <ayoung> ksc for a bug fix for OSP
01:15 <ayoung> is it...let me check
01:16 <jamielennox> ayoung: see https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/extras/_saml2/v3/base.py#L27
01:16 <jamielennox> BaseSamlPlugin depends on federationbaseauth
01:16 <jamielennox> i think that should cover it
01:17 <ayoung> looks right
01:17 <jamielennox> see https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/federation.py
01:17 <jamielennox> so if you present scoping data it will auto rescope as it should
01:17 <ayoung> I wonder how these are going to work with ECP if some other authentication mechanism is used other than password
01:18 <jamielennox> yea, so i argued that out with someone
01:18 <jamielennox> can't remember who
01:18 <jamielennox> i think there is no choice regarding loading but to write a new plugin for each mechanism
01:18 <jamielennox> but if you look at:
01:18 <patchbot> jamielennox: patch 255056 - keystoneauth - Use SAML2 requests plugin
01:19 <ayoung> Probably, but I bet we can reuse 98% of the code and make a Password, Kerberos, and X509SAML plugin.  Be surprised if we needed more than that
01:19 <jamielennox> the way i wrote that saml/ecp plugin is that it takes a requests plugin (like basic auth or kerberos or x509) as a param then handled the ECP bit on top
01:20 <ayoung> jamielennox, is the size of the diff on the first file mostly due to formatting?
01:20 <patchbot> ayoung: patch 255056 - keystoneauth - Use SAML2 requests plugin
01:20 <jamielennox> ayoung: no, it's a rearrange
01:20 <jamielennox> ayoung: i extracted the SAML parts and made it a requests auth plugin instead of a keystoneauth plugin
01:21 <jamielennox> my idea is if we can prove this out i can make the requests plugin part of the requests extensions rather than maintain it for ksa
01:21 <ayoung> should that move to upstream requests eventually?
01:21 <ayoung> I like that
01:21 <jamielennox> so it's all the same code and work but it's a different mechanism
01:22 <jamielennox> but basically i want to test it better and i haven't had an IPA setup for a while
01:22 <stevemar> jamielennox: so a requests extension would handle all the ECP exchange?
01:22 <jamielennox> stevemar: yes, same way we use requests-kerberos for all the kerberos stuff
01:22 <stevemar> jamielennox: ah
01:23 <ayoung> jamielennox, do you need one?  I have ipa.younglogic.net still running
01:23 <jamielennox> then the idea would be we have a number of plugins like kerberos and SAML that do exactly the same thing but take a different requests plugin
01:23 <ayoung> jamielennox, and there is an ipsilon instance at https://ipa.younglogic.net/idp
01:23 <jamielennox> so we super generalize ksa plugins to some code that basically wraps calling a requests plugin
01:24 *** edtubill has quit IRC
01:24 <jamielennox> ayoung: yea, can i have an account on that?
01:24 <jamielennox> ayoung: do you have a keystone attached to it?
01:25 <jamielennox> really i want to test the SAML auth part, if that works i'm sure the keystone part works fine
01:25 <jamielennox> so it doesn't matter if not
01:25 <openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/267449
01:25 <jamielennox> oh, i've had that open to review for a while now ^
01:28 *** ddieterly is now known as ddieterly[away]
01:31 *** pushkaru has quit IRC
01:32 *** pushkaru has joined #openstack-keystone
01:33 *** edtubill has joined #openstack-keystone
01:33 *** ddieterly[away] has quit IRC
01:33 *** EinstCrazy has joined #openstack-keystone
01:40 *** pushkaru has quit IRC
01:40 *** edtubill has quit IRC
01:49 *** ddieterly has joined #openstack-keystone
01:49 <ayoung> jamielennox, no keystone attached to it right now
01:50 <ayoung> easy enough to set up.
01:50 <jamielennox> ayoung: that's ok, i guess i just need to authenticate against something that does a proper saml redirect
01:51 *** EinstCra_ has joined #openstack-keystone
01:52 <ayoung> jamielennox, heh...'course, I might have just had to change all the passwords and then forgotten them...
01:55 *** EinstCrazy has quit IRC
01:55 <jamielennox> hey, was there a consensus on good midcycle hotels?
01:56 <jamielennox> i see the google maps thing on the wiki
01:56 <jamielennox> but none of that tells me if i can get away with not having a car, or if anyone else is nearby
01:57 <ayoung> talk to topol, he had one set for the IBMers
01:58 *** EinstCra_ has quit IRC
01:59 *** ddieterly has quit IRC
01:59 *** EinstCrazy has joined #openstack-keystone
02:01 *** EinstCrazy has quit IRC
02:03 *** EinstCrazy has joined #openstack-keystone
02:07 <stevemar> ayoung: maybe topol is online ;O
02:07 <ayoung> stevemar, how's the wee one?
02:07 <ayoung> Pun totally intended
02:07 <stevemar> ayoung: was great until yesterday, he was frantic for about 2 hours
02:08 <stevemar> turns out it was really really bad gas
02:08 <stevemar> he's better today
02:08 <stevemar> i should be able to be online for most of the day time tomorrow, trying to ease back into things this week
02:09 <ayoung> You know the "put him in the car seat and swing it" approach to calming him down?
02:09 <openstackgerrit> Merged openstack/keystoneauth: Document named kerberos plugin  https://review.openstack.org/329148
02:10 *** mfisch has quit IRC
02:16 <stevemar> ayoung: yep, i've done that, and the actual swing, which seems to work well for gas
02:16 <ayoung> stevemar, that is pretty much the limit of my parenting skills.
02:17 <stevemar> ayoung: we weren't burping him properly before, i think i've got the hang of it now, heard a few belches
02:17 <stevemar> ayoung: i'm sure it's more than that :P
02:17 <ayoung> stevemar, you going to the midcycle?
02:18 <stevemar> ayoung: yep, looking at hotels now
02:18 <stevemar> ayoung: only cause jamielennox reminded me about it :P
02:18 <ayoung> let me know which you two pick and I'll dogpile on
02:18 <jamielennox> i've got no idea how to get around there and i'm trying to not be a long way from everyone
02:18 <jamielennox> and ideally not have a car
02:19 <jamielennox> so i'm trusting everyone else
02:19 <stevemar> jamielennox: brad almost always rents a car, i can too
02:19 <stevemar> jamielennox: brad told me the hotel he booked at, let me see if i can find it in our transcripts
02:20 *** EinstCrazy has quit IRC
02:21 <stevemar> jamielennox: he's at: Holiday Inn SAN JOSE - SILICON VALLEY 1350 North 1st Street, San Jose, CA 95112
02:22 <stevemar> by the airport, dirt
02:22 <stevemar> 4 miles away from cisco though
02:23 <stevemar> jamielennox: there's a hilton and a hyatt on tasman drive, i wonder why those aren't coming up in policy
02:24 <jamielennox> stevemar: so i'm pretty sure that didn't even come up on the map for me
02:25 <stevemar> jamielennox: searching now
02:26 <dstanek> i need to book a hotel soon too. i'd like to get one in walking distance
02:28 <EmilienM> samueldmq: thanks again
02:28 <EmilienM> you rock
02:29 *** EinstCrazy has joined #openstack-keystone
02:29 *** julim has joined #openstack-keystone
02:30 <stevemar> jamielennox: yeah, that one isn't showing up for me either
02:30 <stevemar> jamielennox: closest one is about 6 km away
02:31 <ayoung> They have bike Share in Southbay yet?
02:32 *** dave-mccowan has quit IRC
02:35 <jamielennox> so advantage of being near the airport is there is a tram line that looks to go from there to right outside cisco approx every 10 min
02:40 *** nkinder has joined #openstack-keystone
02:44 *** ddieterly has joined #openstack-keystone
02:45 *** EinstCrazy has quit IRC
02:45 *** EinstCrazy has joined #openstack-keystone
02:46 *** ddieterly has quit IRC
02:48 *** woodster_ has quit IRC
02:55 <stevemar> ayoung: someone on the ops mailing list said federation is wonderful! wonderful!
02:55 <ayoung> stevemar, meh
02:55 <stevemar> *lowered expectaaaaations*
02:56 *** edtubill has joined #openstack-keystone
02:59 *** richm has quit IRC
03:01 *** edtubill has quit IRC
03:01 *** EinstCrazy has quit IRC
03:04 *** EinstCrazy has joined #openstack-keystone
03:06 <stevemar> jamielennox: samueldmq does ksm need a new release? https://review.openstack.org/#/c/329091/ just merged
03:06 <patchbot> stevemar: patch 329091 - keystonemiddleware - Move auth token opts calculation into auth_token (MERGED)
03:07 <stevemar> nvm, i see https://review.openstack.org/#/c/319715/ introduced it, so someone was using master
03:07 <patchbot> stevemar: patch 319715 - keystonemiddleware - Create a Config object (MERGED)
03:08 *** links has joined #openstack-keystone
03:09 <stevemar> jamielennox: also https://review.openstack.org/#/c/276350/ just merged, we will finally be able to use KSA plugins from OSC
03:09 <patchbot> stevemar: patch 276350 - python-openstackclient - Moving authentication from keystoneclient to keyst... (MERGED)
03:09 <stevemar> that's kind of huge for federation :D
03:10 <stevemar> just need a new release of osc first
03:11 *** openstackgerrit has quit IRC
03:11 *** openstackgerrit has joined #openstack-keystone
03:26 *** afred312 has quit IRC
03:33 *** iurygregory_ has quit IRC
03:38 <openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/267456
03:44 <openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/268003
03:56 *** ayoung has quit IRC
03:59 *** edtubill has joined #openstack-keystone
04:04 <openstackgerrit> Merged openstack/keystone: Add 'links' to implied roles response  https://review.openstack.org/300195
04:15 *** edtubill has quit IRC
04:16 *** markvoelker has quit IRC
04:27 <openstackgerrit> Merged openstack/python-keystoneclient: Use /v3/auth/projects and /v3/auth/domains  https://review.openstack.org/329193
04:27 *** afred312 has joined #openstack-keystone
04:33 *** afred312 has quit IRC
04:39 *** pcaruana has quit IRC
04:57 *** edtubill has joined #openstack-keystone
05:04 *** sheel has joined #openstack-keystone
05:11 *** jaosorior has joined #openstack-keystone
05:17 *** markvoelker has joined #openstack-keystone
05:20 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/329268
05:22 *** markvoelker has quit IRC
05:24 *** wangqun has joined #openstack-keystone
05:39 *** GB21 has joined #openstack-keystone
05:40 *** EinstCrazy has quit IRC
05:45 <wangqun> Hi all
05:45 <wangqun> Does the feature of the keystone federation with openID need to be set up manually?
05:45 <wangqun> Does it have the feature if I install keystone by devstack in kilo version?
05:48 <wangqun> Can anyone answer me?
05:53 *** GB21 has quit IRC
05:53 *** GB21 has joined #openstack-keystone
06:00 *** roxanaghe has joined #openstack-keystone
06:00 *** roxanaghe has quit IRC
06:08 *** edtubill has quit IRC
06:10 <wangqun> ping notmorgan
06:11 <wangqun> Are you here?
06:11 *** rcernin has joined #openstack-keystone
06:12 *** edtubill has joined #openstack-keystone
06:15 *** GB21 has quit IRC
06:16 *** pcaruana has joined #openstack-keystone
06:18 <openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/261188
06:24 *** edtubill has quit IRC
06:30 *** henrynash_ has joined #openstack-keystone
06:30 *** ChanServ sets mode: +v henrynash_
06:31 *** GB21 has joined #openstack-keystone
06:32 *** EinstCrazy has joined #openstack-keystone
06:39 *** EinstCrazy has quit IRC
06:41 *** EinstCrazy has joined #openstack-keystone
06:43 <notmorgan> wangqun: unfortunately it is almost midnight here and i need to sleep :(. All of the federation work from keystone requires more than "automatic" setup. http://docs.openstack.org/developer/keystone/extensions/openidc.html https://developer.ibm.com/opentech/2015/06/17/use-websphere-liberty-as-an-openid-connect-provider-for-openstack/
06:43 <notmorgan> wangqun: i'd offer to help a bit more if i wasn't about to pass out.
06:43 <notmorgan> wangqun: hopefully that can get you started
06:44 *** EinstCrazy has quit IRC
06:44 *** EinstCrazy has joined #openstack-keystone
06:45 <wangqun> Hi notmorgan, thank you for answering my question. I will learn it. :)
06:48 *** openstackgerrit has quit IRC
06:48 *** openstackgerrit has joined #openstack-keystone
06:49 <openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/261188
06:56 *** tesseract has joined #openstack-keystone
06:58 *** amoralej|off is now known as amoralej
06:59 *** EinstCrazy has quit IRC
07:00 *** EinstCrazy has joined #openstack-keystone
07:18 *** markvoelker has joined #openstack-keystone
07:18 <openstackgerrit> Merged openstack/keystone: Updated from global requirements  https://review.openstack.org/329268
07:21 *** pece has joined #openstack-keystone
07:22 *** markvoelker has quit IRC
07:32 *** dmk0202 has joined #openstack-keystone
07:32 *** pece has quit IRC
07:35 *** jaosorior is now known as jaosorior_brb
07:37 *** EinstCrazy has quit IRC
07:40 *** EinstCrazy has joined #openstack-keystone
07:45 *** EinstCrazy has quit IRC
07:45 *** EinstCrazy has joined #openstack-keystone
07:47 *** GB21 has quit IRC
07:49 *** EinstCrazy has quit IRC
07:50 *** EinstCrazy has joined #openstack-keystone
07:55 *** EinstCrazy has quit IRC
08:00 *** zzzeek has quit IRC
08:00 *** zzzeek has joined #openstack-keystone
08:01 *** EinstCrazy has joined #openstack-keystone
08:08 *** pnavarro has joined #openstack-keystone
08:09 *** danpawlik has joined #openstack-keystone
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435
08:12 *** lhinds_ has joined #openstack-keystone
08:18 *** GB21 has joined #openstack-keystone
08:24 *** mvk has quit IRC
08:25 *** shewless has quit IRC
08:28 *** pece has joined #openstack-keystone
08:29 *** afred312 has joined #openstack-keystone
08:29 *** henrynash_ has quit IRC
08:34 *** afred312 has quit IRC
08:39 *** jaosorior_brb has quit IRC
08:40 *** jaosorior_brb has joined #openstack-keystone
08:45 *** srushti has left #openstack-keystone
08:51 *** mvk has joined #openstack-keystone
08:52 *** EinstCrazy has quit IRC
08:53 *** jaosorior_brb is now known as jaosorior
08:54 *** EinstCrazy has joined #openstack-keystone
09:03 *** vgridnev has quit IRC
09:10 *** EinstCrazy has quit IRC
09:10 *** EinstCrazy has joined #openstack-keystone
09:18 *** EinstCrazy has quit IRC
09:18 *** EinstCrazy has joined #openstack-keystone
09:25 *** GB21 has quit IRC
09:32 *** nisha_ has joined #openstack-keystone
09:33 *** EinstCrazy has quit IRC
09:33 *** EinstCrazy has joined #openstack-keystone
09:41 *** EinstCrazy has quit IRC
09:41 *** EinstCrazy has joined #openstack-keystone
09:45 *** EinstCrazy has quit IRC
09:46 *** EinstCrazy has joined #openstack-keystone
09:47 *** nisha_ has quit IRC
09:50 *** mvk has quit IRC
09:51 *** mvk has joined #openstack-keystone
09:52 *** henrynash_ has joined #openstack-keystone
09:52 *** ChanServ sets mode: +v henrynash_
09:52 *** GB21 has joined #openstack-keystone
09:53 *** EinstCrazy has quit IRC
09:53 *** EinstCrazy has joined #openstack-keystone
09:59 *** dulek has joined #openstack-keystone
09:59 <dulek> Hi. Is it possible to access and edit the extras column in the projects table to store some additional information related to a project?
10:03 *** EinstCrazy has quit IRC
10:03 *** EinstCrazy has joined #openstack-keystone
10:04 *** nisha_ has joined #openstack-keystone
10:06 <samueldmq> morning keystone
10:07 *** links has quit IRC
10:08 <samueldmq> dulek: hi. any attributes passed to a create/update project call that are not defined by keystone will end up in the 'extras' column
10:08 <samueldmq> dulek: which is a blob
10:08 *** dmk0202 has quit IRC
10:14 *** wangqun has quit IRC
10:20 *** rk4n has joined #openstack-keystone
10:20 *** links has joined #openstack-keystone
10:21 *** nisha__ has joined #openstack-keystone
10:25 *** nisha_ has quit IRC
10:25 *** EinstCrazy has quit IRC
10:29 <samueldmq> stevemar: hi. you're right, that broke some gates (master code)
10:31 *** afred312 has joined #openstack-keystone
10:32 *** EinstCrazy has joined #openstack-keystone
10:35 *** afred312 has quit IRC
10:36 *** EinstCrazy has quit IRC
10:42 *** nisha__ is now known as nisha_
10:42 <nisha_> hey samueldmq
10:43 <samueldmq> nisha_: hi, morning
10:45 *** EinstCrazy has joined #openstack-keystone
10:49 *** rmizuno has joined #openstack-keystone
10:55 <nisha_> samueldmq, I had a small doubt, https://github.com/openstack-attic/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#list-domains-get-domains
10:55 <nisha_> When I list the domains, without passing anything, it returns all the domains
10:56 <nisha_> samueldmq, the doc says there are 2 Optional query parameters, but I don't see any difference in the output when I use them in the GET method
10:58 *** nisha__ has joined #openstack-keystone
11:02 *** nisha_ has quit IRC
11:09 *** permalac has quit IRC
11:11 <samueldmq> nisha__: those are filters... you may use them like: GET /v3/domains?enabled=true
11:11 <samueldmq> nisha__: thus only enabled domains will be returned
11:11 <samueldmq> nisha__: same applies to name filtering
11:15 *** sheel has quit IRC
11:17 <samueldmq> jamielennox: hi, there are a couple of changes in keystoneclient for returning x-openstack-request-id in the responses
11:17 <samueldmq> jamielennox: it'd be super valuable to get your feedback on them https://review.openstack.org/#/q/status:open+project:openstack/python-keystoneclient+branch:master+topic:bp/return-request-id-to-caller
11:22 *** EinstCrazy has quit IRC
11:25 *** rk4n has quit IRC
11:30 *** gordc has joined #openstack-keystone
11:35 *** rodrigods has quit IRC
11:35 *** rodrigods has joined #openstack-keystone
11:38 <danpawlik> Hello, I want to ask about keystonemiddleware and its configuration file. I want to add missing parameters into the keystone_authtoken section, but I don't know which parameters are deprecated and which are not. So if you have some time, pls check https://review.openstack.org/#/c/328620/1/manifests/resource/authtoken.pp and comment which are and which are not ;)
11:38 <patchbot> danpawlik: patch 328620 - puppet-keystone - Add misssing parameters to keystone_authtoken
11:45 *** jed56 has quit IRC
11:46 *** rk4n has joined #openstack-keystone
11:46 <samueldmq> danpawlik: hi, I added myself as a reviewer to your change
11:46 <samueldmq> danpawlik: I will look at it later today
11:49 *** ddieterly has joined #openstack-keystone
11:51 *** ashokt has joined #openstack-keystone
11:53 <ashokt> Hi all, can anyone help me on this issue, while installing devstack on centos.. I faced the issue like
11:53 <ashokt> usage: keystone-manage [db_sync|db_version|domain_config_upload|fernet_rotate|fernet_setup|mapping_purge|mapping_engine|pki_setup|saml_idp_metadata|ssl_setup|token_flush] keystone-manage: error: argument command: invalid choice: 'bootstrap' (choose from 'db_sync', 'db_version', 'domain_config_upload', 'fernet_rotate', 'fernet_setup', 'mapping_purge', 'mapping_engine', 'pki_setup', 'saml_idp_metadata', 'ssl_setup', 'token_
11:53 <ashokt> help me how to resolve this?
11:54 *** raildo-afk is now known as raildo
12:02 *** jed56 has joined #openstack-keystone
12:11 *** daemontool has joined #openstack-keystone
12:13 *** markvoelker has joined #openstack-keystone
12:14 <EmilienM> samueldmq: hey!
12:14 <EmilienM> I think I still see the issue in Sahara :(
12:15 <EmilienM> samueldmq: I'll try again to make sure I have latest keystonemiddleware
12:16 *** ddieterly has quit IRC
12:16 *** pauloewerton has joined #openstack-keystone
12:17 *** nisha__ is now known as nisha_
12:25 <danpawlik> samueldmq: ok, thanks
12:30 *** lamt has joined #openstack-keystone
12:32 *** afred312 has joined #openstack-keystone
12:37 *** afred312 has quit IRC
12:37 *** ddieterly has joined #openstack-keystone
12:46 *** ddieterly is now known as ddieterly[away]
12:48 *** amoralej is now known as amoralej|lunch
12:51 *** GB21 has quit IRC
12:56 *** nisha_ has quit IRC
13:06 *** amakarov_away is now known as amakarov
13:14 *** afred312 has joined #openstack-keystone
13:20 *** dave-mccowan has joined #openstack-keystone
13:28 *** ddieterly has joined #openstack-keystone
13:29 *** ericksonsantos has joined #openstack-keystone
13:33 *** woodster_ has joined #openstack-keystone
13:34 *** lhinds_ has quit IRC
13:36 *** richm has joined #openstack-keystone
13:37 *** amoralej|lunch is now known as amoralej
13:38 *** edtubill has joined #openstack-keystone
13:41 *** edmondsw has joined #openstack-keystone
13:41 *** edtubill has quit IRC
13:44 *** darosale has joined #openstack-keystone
13:47 *** fifieldt has joined #openstack-keystone
13:47 *** ddieterly is now known as ddieterly[away]
13:50 *** EinstCrazy has joined #openstack-keystone
13:55 *** nisha_ has joined #openstack-keystone
13:58 *** ddieterly[away] is now known as ddieterly
13:58 *** rderose has joined #openstack-keystone
14:01 *** vnogin has joined #openstack-keystone
14:05 *** jaosorior has quit IRC
14:10 *** edtubill has joined #openstack-keystone
14:10 *** lucas___ has joined #openstack-keystone
14:14 *** links has quit IRC
14:15 <dstanek> rodrigods: did you have a case for keeping driver versioning?
14:15 <rodrigods> dstanek, not at all
14:15 <rodrigods> i'm +1 for dropping it - with proper operators feedback, of course
14:16 *** henrynash_ has quit IRC
14:20 <rodrigods> knikolla, ping... regarding tests setup in federation
14:20 <knikolla> rodrigods: hi
14:21 <dstanek> rodrigods: it sounded like your comment was hinting at a use case related to hierarchical project naming
14:21 *** EinstCrazy has quit IRC
14:21 <rodrigods> dstanek, raildo?
14:22 <rodrigods> knikolla, i'm inclined to do the setup in the tests themselves: create idp, mapping, sp, protocol
14:22 <rodrigods> using some configs
14:22 <raildo> it was me
14:22 <knikolla> rodrigods: including apache config?
14:22 <rodrigods> knikolla, no... this can't be controlled by us
14:23 <rodrigods> i mean the keystone stuff
14:23 <knikolla> rodrigods: the devstack plugin can do that, waiting on breton to test it with generic federation and submit a patchset
14:24 <rodrigods> knikolla, i know, but if we want to test in different envs
14:24 <rodrigods> and also modify a bit the scenarios
14:24 <raildo> dstanek: I think that the best person to ask this question is henrynash, since he was the guy who implemented it.
14:24 <rodrigods> would be much harder by having to manually setup stuff in these different envs or having to modify the plugin to include a twist in the scenario
14:24 <raildo> like on this patch https://review.openstack.org/#/c/305315/
14:24 <patchbot> raildo: patch 305315 - keystone - Create V9 driver for identity backend
14:25 <knikolla> rodrigods: sure, that would work.
14:26 <knikolla> rodrigods: this is what we have till now on the k2k test, https://github.com/rodrigods/keystone/compare/liberty/tempest_plugin...wjdan94:liberty/tempest_plugin
14:27 <rodrigods> knikolla, cool!
14:36 *** ayoung has joined #openstack-keystone
14:36 *** ChanServ sets mode: +v ayoung
14:38 *** jrist has quit IRC
14:40 <dstanek> raildo: i thought that project naming stuff hasn't been implemented yet
14:40 *** BjoernT has joined #openstack-keystone
14:40 <dstanek> rodrigods: right tab-completion fail
14:41 <raildo> dstanek: and it isn't merged, as henrynash says on the commit message ""
14:41 <raildo> Upcoming changes will add new methods to the identity drivers, so
14:41 <raildo> in preparation for that we create a new versioned driver.
14:41 <raildo> ops, sorry, copy and paste..
14:43 <dstanek> raildo: this is one of those cases i argued at the beginning of the versioned driver impl. the adapter approach will break down with anything sufficiently complicated being added to the driver
14:43 <samueldmq> EmilienM: hi. yes, please check you have the latest middleware code
14:44 <samueldmq> EmilienM: it should be running fine at this point
14:45 <EmilienM> samueldmq: ack nevermind my comment earlier
14:45 <raildo> dstanek: I totally agree with the idea of not using driver versioning, I'm just concerned that we will probably have some issues implementing it this way; we just need to be clear how we will handle these issues if we decide not to follow this approach...
14:45 <samueldmq> EmilienM: :)
14:45 <raildo> dstanek: for example fixing this bug: https://launchpad.net/bugs/1523369
14:45 <openstack> Launchpad bug 1523369 in OpenStack Identity (keystone) "clean a user's default project if the project has been deleted" [Wishlist,In progress] - Assigned to Kalaswan Datta (kalaswan-datta)
14:47 *** timcline has joined #openstack-keystone
14:47 *** julim has quit IRC
14:48 *** timcline has quit IRC
14:49 *** timcline has joined #openstack-keystone
14:50 *** jrist has joined #openstack-keystone
14:52 <raildo> dstanek: maybe put this as a topic on today's meeting?
14:57 <dolphm> rderose: https://www.postgresql.org/docs/current/static/functions-datetime.html#FUNCTIONS-DATETIME-CURRENT
14:57 <dolphm> rderose: plus http://docs.sqlalchemy.org/en/latest/core/defaults.html#server-side-defaults
15:00 <rderose> dolphm: thanks
15:00 *** phalmos has joined #openstack-keystone
15:01 <dstanek> raildo: are we still talking about the driver versioning?
15:04 <samueldmq> dstanek: there's a topic in today's meeting about it :D
15:04 *** gagehugo has joined #openstack-keystone
15:05 <dstanek> samueldmq: yep
15:08 *** fifieldt has quit IRC
15:09 *** frontrunner has joined #openstack-keystone
15:09 <samueldmq> dstanek: I don't know what your view on that is, but I fully support it if we have enough feedback from operators
15:09 *** aratus has joined #openstack-keystone
15:09 <samueldmq> dstanek: to let us decide that it's not worth it to keep supporting it
15:11 *** rcernin has quit IRC
15:14 *** julim has joined #openstack-keystone
15:15 *** pece has quit IRC
15:17 *** phalmos has quit IRC
15:20 *** rmizuno_ has joined #openstack-keystone
15:22 *** rderose has quit IRC
15:22 *** jaugustine has joined #openstack-keystone
15:23 *** jaugustine has quit IRC
15:23 <notmorgan> henrynash: i'm sorry i'm going to be a hard -2 on relaxing the uniqueness constraint and dropping v3.6 for a very very very (read 4+ cycles) long time
15:24 *** rderose has joined #openstack-keystone
15:25 <notmorgan> henrynash: breaking compatibility of clients is not ok like that. microversions provide us provisions for moving forward, but you can't break the old versions, and dropping the old versions becomes just as bad in most cases as breaking the contract.
15:26 *** henrynash_ has joined #openstack-keystone
15:26 *** ChanServ sets mode: +v henrynash_
15:30 <henrynash> notmorgan: no issues with you being tough on this at all
15:30 <notmorgan> henrynash: cool :)
15:30 <henrynash> notmorgan: I’m (i think) actually trying to be even tougher…i.e. I didn’t want the path names to bleed back to any 3.6 client
15:31 <notmorgan> henrynash: right and i get that.
15:31 *** aratus has quit IRC
15:31 <henrynash> notmorgan: and that’s when you have to look at microversion removal…and sure, I get the issue that this is not ideal!
15:32 <notmorgan> henrynash: i do think we can use the unique path as a name -- with some rare exceptions for deconflicting - and we can look at the ux around that.
15:32 *** aratus has joined #openstack-keystone
15:32 <notmorgan> but since things are created within a domain, if someone has a project named "/domain/x/y/x" but it's not a hierarchy, it might be sane to say "uhm.... no"
15:32 <henrynash> notmorgan: so one thing I didn’t quite understand was your statement of “A list projects would show projects with both forms.“
15:32 <notmorgan> henrynash: right, both forms, was not clear, "old => name, new => path"
notmorgannot "old => name,path, new => name,path"15:33
notmorganbasically i'm arguing that name == "path" for all projects created >= 3.715:33
henrynashnotmorgan: right15:33
notmorganand that keeps compat with 3.6, you say "i want to auth with project x/y/z"15:34
notmorganthat is the name15:34
notmorganand if you rename a 3.7 project in 3.6, it can convert between [icky ux] but still has the same uniqueness requirements15:34
henrynashnotmorgan: I guess one concern I have is that return the name as a path to a 3.6 client, might we surprise existing clients….15:35
*** woodburn has quit IRC15:35
*** woodburn has joined #openstack-keystone15:36
henrynashnotmorgan: obviously this would be for a “3.7 created” poject15:36
notmorganname is just a string in 3.615:36
notmorgankeep treating it like a string15:36
henrynashnotmorgan: I’m worried that people have build 3.6 UIs that e.g., only have 64 chars to display the project name15:37
*** lucas___ has quit IRC15:38
*** permalac has joined #openstack-keystone15:38
*** lucas___ has joined #openstack-keystone15:38
henrynashnotmorgan: …although I’m not sure we declare anywhere that it is 64 chars?15:39
*** adrian_otto has joined #openstack-keystone15:39
henrynashnotmorgan: at the APi level, that is15:39
notmorganhenrynash: we don't for the response :)15:39
henrynashnotmrogan: ha!15:39
notmorganwe block > 64 chars on input15:39
henrynashnotmorgan: agreed15:39
notmorganlbragstad: input not response.15:40
henrynashnotmorgan: Ok, so let me work through the issues for this way  of doing thinsg….I’ll abandon the relax name  constraints version of this and felsh out thsi new appraoch15:40
notmorganhenrynash: appreciate it. I think it is the right (tm) path.15:40
notmorganhenrynash: the biggest concern is renames change the hierarchy/path15:41
henrynashnotmorgan: one slight fly in the ointment is that currently teh strict ul naming defaults to off…and we need this on in order to haev reliable oathers15:41
notmorganhenrynash: yes, but that might be something we make a 3.7 thing15:41
*** roxanaghe has joined #openstack-keystone15:41
henrynashnotmorgan: agreed, maybe you ahve to haev it on…15:41
henrynashnotmorgan: nut not sure quite what we do if someoen turns it off (and we can’t really remove that option sicne we ahev not depreacted it)15:42
notmorganhenrynash: in 3.7 it is defaulted on15:42
henrynashnotmorgan: agreed15:43
notmorganin 3.6 you can't create a project that conflicts with a path of another project15:43
henrynashnotmorgan: agreed15:43
*** lucas____ has joined #openstack-keystone15:43
notmorganin 3.7 if you happen to be trying to create a project with a path that conflicts with a name...15:43
notmorganwe provide a pleasant error message15:43
notmorganif a project is named /domain/x/y/z15:43
*** lucas___ has quit IRC15:43
notmorganbut isn't in the hierarcht domain/x/y15:43
notmorganwe can properly error and say "project X conflicts, rename is required before this can happen"15:44
notmorganit should be a seriously edge-of-edge-of-edge case15:44
henrynashnotmorgan: yeah, I’ll try and work through those15:44
notmorganand for compat '/' can be '\/' in 3.7 for the path15:44
notmorganor similar escape for a 3.6 project with non-strict naming15:45
notmorgani am also ok with pushing people towards using full_path for everything instead of name15:45
notmorganpost 3.715:45
notmorganalso consider immutable names15:46
*** roxanaghe has quit IRC15:46
notmorgannot sure if that is useful or not.15:46
notmorganbecause it changes the path of *everything* under it15:46
*** lucas____ has quit IRC15:47
*** danpawlik has quit IRC15:47
dstanekwhen creating a project in 3.7 would you have to specify the hierarchy?15:48
notmorgandstanek: you'd need to specify the parent15:48
notmorgandstanek: at least. or it's rooted at the domain15:49
notmorgandstanek: and the response can be name => 'path'15:49
dstanekis this by id or by name?15:49
notmorgandstanek: you could do either "put it at the end of path X" or "put it under id Y"15:49
dstaneki'm trying to visualize how the reseller case would work with name only15:49
notmorgandstanek: i think.15:49
notmorgandstanek: i do not think specifying the name as "path" should be valid15:50
notmorgandstanek: but i'd be open to that if you think it is a better UX15:50
dstanektbh i don't know at this point15:51
notmorgandstanek: i think that is worth conversing about15:51
*** rmizuno_ has quit IRC15:52
* notmorgan still thinks 99% of the cases don't need either of these things15:52
* notmorgan still thinks domains are sufficient and better models for this regardless15:52
dstaneknotmorgan: domains better than project hierarchy?15:53
notmorgandstanek: the unique constraint is fine within a domain.15:53
notmorgankeep the hierarchy, but the reseller case is absolutely better served with more domains15:54
*** nisha__ has joined #openstack-keystone15:55
notmorganand in the case of /domain/accounting/dev and /domain/ops/dev  it already requires unique names, either create an accounting domain or tell them to call it "acc_dev" or similar. [this is the only bit i see as a win with henry's change]15:55
*** rmizuno_ has joined #openstack-keystone15:55
*** nisha_ has quit IRC15:56
henrynashnotmorgan: when you said “i do not think specifying the name as "path" should be valid”, you mean create_project by specifying a path, rather than a parent_id + (simple) name?16:00
notmorganhenrynash: yah, assuming if i say "create project: name => /domain/x/y/z" would fail16:00
notmorgannot sure about path =>16:01
notmorgani'm open to discussing that ux bit16:01
henrynashnotmorgan: you mean having a separate attribute ‘path”? or just something you can specify as part of the create construct?16:02
*** rderose_ has joined #openstack-keystone16:02
*** aratus has quit IRC16:02
notmorganhenrynash: if you are creating by path, you allow path (new attr) to be set in the create body16:03
notmorganhenrynash: otherwise it's the same as today: domain, parent, name16:03
notmorganhenrynash: i am not sure if it makes sense to "create by path" and infer the name16:04
notmorganbut i would NOT make it accept name with the path16:04
henrynashnotmorgan: if we are returning the name as a path, what’s the objection to that?16:04
*** rderose has quit IRC16:05
notmorganhenrynash: mostly implementation details16:05
notmorgani worry about the validators and diverging code paths.16:05
notmorganfor the same attribute on input16:05
notmorgani am willing to be convinced otherwise16:05
notmorganthis is not a hard stance, just a "if i were designing it..."16:05
henrynashnotmorgan: ok…and it’s also something we could enable in a future microversion16:05
notmorganthe other reason is it doesn't encourage "path" names being set in 3.6 for older clients who also work with 3.716:06
notmorganand beyond on some deployment16:06
notmorgantotally a consistency thing - but like i said, open to further discussion on that/wouldn't be upset if name can be the path on input16:07
dstanekraildo: i don't think that needs driver versioning to be fixed.16:07
*** rderose_ has quit IRC16:08
*** jaugustine has joined #openstack-keystone16:08
raildodstanek: I just put the link, since the patch to driver versioning has a related-bug tag to this bug16:08
*** rderose has joined #openstack-keystone16:09
*** ddieterly is now known as ddieterly[away]16:09
*** aratus has joined #openstack-keystone16:09
*** lucas___ has joined #openstack-keystone16:12
*** ddieterly[away] is now known as ddieterly16:12
*** GB21 has joined #openstack-keystone16:14
*** permalac has quit IRC16:16
*** anush__ has joined #openstack-keystone16:16
*** lucas___ has quit IRC16:17
*** jaugustine has quit IRC16:18
*** lucas___ has joined #openstack-keystone16:18
*** lucas___ has quit IRC16:19
*** lucas___ has joined #openstack-keystone16:19
*** timcline has quit IRC16:20
*** timcline has joined #openstack-keystone16:21
lbragstadstevemar o/16:24
stevemarlbragstad: i get to run the meeting today!16:25
*** timcline has quit IRC16:25
lbragstadstevemar whoop!16:27
*** daemontool has quit IRC16:28
*** daemontool has joined #openstack-keystone16:29
*** clenimar has joined #openstack-keystone16:29
*** anush__ has quit IRC16:33
*** anush__ has joined #openstack-keystone16:34
*** gyee has joined #openstack-keystone16:35
*** ChanServ sets mode: +v gyee16:35
henrynash_notmorgan: had you imagined that the auth request (in 3.7) would just take path in the existing name field? or a separate path field?16:37
notmorganhenrynash_: separate attr16:37
notmorganhenrynash_: "path" or whatever16:37
henrynash_notmorgan: agreed16:37
notmorganhenrynash_: i also would seriously like to revisit the split auth from CRUD api spec16:37
notmorganhenrynash_: so we can version auth independently of the CRUD api - and encode auth-version in the body of the request rather than the header (the header seems weird for auth)16:38
henrynash_notmorgan: do you have a spec for that?16:38
*** anush__ has quit IRC16:38
*** timcline has joined #openstack-keystone16:39
notmorganhenrynash_: yes. it's on the backlog, sec16:39
*** roxanaghe has joined #openstack-keystone16:39
notmorganhenrynash_: would move auth to /auth16:39
henrynash_notmorgan: (back to this specifics of naming)….although if auth takes ‘path’ (say), GET /auth/projects returns the attribute ‘name’ as the path…confusing?16:40
notmorganhenrynash_: and likely want to move catalog to either /catalog or /auth/catalog16:40
notmorganhenrynash_: for compat, you might respond with name & path16:40
notmorganyou might only respond with path?16:41
henrynash_notmorgan: (although not for 3.6 clients of course)16:41
notmorgani think you should reach out to piet and UX team for that.16:41
notmorgan3.6 clients wouldn't use /auth/projects :P16:42
notmorganso... doesn't matter ;)16:42
notmorganin fact... in 3.6 /auth/projects wouldn't exist.16:42
notmorganif its a new thing16:42
henrynash_notmorgan: but it exists today, no?16:42
notmorgandoes it?16:42
* notmorgan doesn't know.16:42
*** daemontool has quit IRC16:43
*** tesseract has quit IRC16:43
notmorgani haven't looked at that, i assumed it was a new thing.16:43
notmorganbut same deal, yeah 3.6 doesn't change response16:43
notmorgani'm inclined to say 3.7 should still respond with name (auth is kind of special, and doesn't really version the same way as the CRUD api)16:43
*** nisha__ has quit IRC16:43
*** nisha_ has joined #openstack-keystone16:43
notmorgansending coherent data for various client types might be worth it from a base v3 auth standpoint16:44
henrynash_notmorgan: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#get-available-project-scopes16:44
notmorganalso... with auth not under CRUD apis, it becomes easier [if we ever need to] to do a harder/bigger change to the crud apis16:44
notmorgansuch as a v4 or whatever16:44
notmorganall the pain in converting v2 -> v3 has been because auth was "tied" to crud16:45
*** mvk has quit IRC16:47
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848816:56
*** browne has joined #openstack-keystone16:56
*** pushkaru has joined #openstack-keystone16:59
*** rderose has quit IRC17:00
*** rderose has joined #openstack-keystone17:04
notmorganstevemar, ayoung, dolphm: we need to find a group to do threat analysis of keystoneauth and keystonemiddleware17:06
notmorganthose should be VMT managed17:06
ayoungnotmorgan, ask nkinder17:06
notmorganeven though keystonemiddleware historically has been, it isn't explicitly listed17:07
ayoungwe have groups that do that kind of stuff already17:07
ayoungor do you mean as part of upstream?17:07
notmorganayoung: right i mean publicly for it.17:07
notmorganso we can get the tags and officially have the VMT cover them.17:07
notmorganjust noticed that ksm and ksa didn't have the tags17:08
notmorganksc did.17:08
notmorgani'll ask the others in the team re KSA17:08
notmorgansince it really was a split of ksc, same with ksm17:08
*** timcline has quit IRC17:11
*** timcline has joined #openstack-keystone17:12
*** ddieterly is now known as ddieterly[away]17:15
notmorganayoung, nkinder: and this is something we need to fire up pretty quickly imho.17:16
*** timcline has quit IRC17:16
notmorganand we are going to want to do the same for keystone proper17:18
*** mvk has joined #openstack-keystone17:18
notmorganrather than later17:18
notmorganleading the charge on getting that info out/published/etc in openstack for us should be an easy sell.17:18
*** raddaoui has joined #openstack-keystone17:21
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848817:22
*** alex_xu has quit IRC17:22
*** alex_xu has joined #openstack-keystone17:25
stevemarnotmorgan: that's not that easy, we can't just toss people at the problem17:27
notmorganstevemar: it is very important to find folks to do it17:27
notmorganand it needs to be something we can publicly publish17:27
notmorganfor ksa/ksm17:27
notmorganstevemar: right now keystoneauth and keystonemiddleware are not officially managed by the VMT -- and they should be17:27
openstackgerritLance Bragstad proposed openstack/keystone: Move TestAuth unscoped token tests to TokenAPITests  https://review.openstack.org/32958917:28
notmorganand as a future looking bit, keystone is going to need to do the same work once it is more formalized (all projects are going to need to)17:28
notmorganso we should lead on this front17:28
stevemarnotmorgan: i've got folks from at&t itching to contribute17:29
notmorganso here is what we're looking for https://review.openstack.org/#/c/300698/ as guidance17:29
patchbotnotmorgan: patch 300698 - governance - Tidy of item 5 of the vulnerability:managed tag17:29
notmorganstevemar: ftr: the reason ksa/ksm are not managed was an oops when we split them. but they'd also be eventually required to do this.17:30
notmorganso, it works out well to do this now, get the tag officially applied17:30
*** tqtran has joined #openstack-keystone17:32
*** shewless has joined #openstack-keystone17:39
shewlessdstanek: Hi I've had a chance to start from scratch and am working to get federation to work with testshib.org as an IDP. I'm wondering what you have your "trusted_dashboard" set to in /etc/keystone/keystone.conf17:40
*** tonytan4ever has joined #openstack-keystone17:41
*** pnavarro has quit IRC17:41
gyeenotmorgan, stevemar, what's the difference between VMT and OSS?17:41
notmorgangyee: vulnerability management team, that is fungi, tristan, grant and me17:42
notmorgangyee: we're the ones who do the OSSAs etc.17:42
gyeeand OSSN?17:42
notmorgangyee: openstack security group (OSSG, OSSP), are the rest of the team17:42
notmorganOSSN is done by OSSG not VMT iirc17:42
notmorganwe request CVEs, send out notifications for OSSAs17:43
notmorganhandle embargoed patches (the vmt does)17:43
notmorganit's a very small group, OSSG is a bit bigger17:43
*** roxanagh_ has joined #openstack-keystone17:43
gyeenotmorgan, I see17:43
gyeenotmorgan, is VMT also responsible for the bandit gate?17:44
stevemargyee: thats the security team17:44
notmorganthats the general security team17:45
notmorganthe VMT really is all about managing vulnerabilities, embargoes, and communications around vulnerabilities17:45
gyeeis there an official wiki/doc that explains the team charters? I just want to have it for reference17:45
notmorgangyee: the vmt process (and what we do) is here: https://security.openstack.org/vmt-process.html17:46
notmorganthe security team is more i think on security.openstack.org (proper)17:46
fungigyee: http://governance.openstack.org/reference/projects/security.html links to https://wiki.openstack.org/wiki/Security for the ossp/ossg17:46
notmorganfungi: ++17:46
notmorganfungi: to the rescue!17:46
gyeegood stuff! thanks guys!17:46
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests  https://review.openstack.org/32959817:46
fungigyee: and yes, notmorgan has also linked you to the vmt documentation as well (which is linked from the wiki i mentioned)17:46
*** timcline has joined #openstack-keystone17:47
*** roxanagh_ has quit IRC17:47
gyeenice! that's exactly what I am looking for17:48
openstackgerrithenry-nash proposed openstack/keystone-specs: Support hierarchical project naming  https://review.openstack.org/31860517:49
samueldmqnisha_: there we go! ^ commits also appear here in the channel, see a few lines above17:49
nisha_samueldmq, Yes :D17:51
*** timcline has quit IRC17:51
*** GB21 has quit IRC17:53
*** nisha__ has joined #openstack-keystone17:56
*** jaugustine has joined #openstack-keystone17:57
stevemarmeeting time :O17:58
*** nisha_ has quit IRC17:59
*** shaleh has joined #openstack-keystone17:59
*** nisha__ is now known as nisha_18:00
*** timcline has joined #openstack-keystone18:01
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848818:03
openstackgerritAlexander Makarov proposed openstack/keystone: WIP/DNM Unified delegation assignment driver  https://review.openstack.org/29131818:03
*** ddieterly[away] is now known as ddieterly18:08
*** dmk0202 has joined #openstack-keystone18:09
*** richm has quit IRC18:10
*** elmiko has joined #openstack-keystone18:11
*** jaugustine has quit IRC18:11
elmikohi, i'm doing some testing with keystone and in the past i had monitored the log outputs to see token issuances, has this logging gone away or do i perhaps need to turn up the log level or something?18:12
*** mvk_ has joined #openstack-keystone18:14
*** mvk has quit IRC18:17
elmikohmm, nvm, me thinks this is a case of pbkac18:17
*** aratus has quit IRC18:22
dolphm#success gyee doesn't always agree with dstanek, but not this time18:27
openstackstatusdolphm: Added success to Success page18:27
gyeeoh dolphm, you one funny dude :-)18:27
*** richm has joined #openstack-keystone18:28
*** dmk0202 has quit IRC18:30
*** harlowja has quit IRC18:30
*** harlowja has joined #openstack-keystone18:32
*** anush__ has joined #openstack-keystone18:33
shalehnotmorgan: ping me tomorrow to discuss specs. I will be in meetings rest of the day18:37
notmorganshaleh: haha funny so am I today18:37
*** dan_nguyen has joined #openstack-keystone18:40
notmorganlbragstad: i have a specific question: what is a specific question? #meta18:40
*** lucas___ has quit IRC18:43
*** lifeless has quit IRC18:46
*** lucas___ has joined #openstack-keystone18:47
*** lucas___ has quit IRC18:47
*** lifeless has joined #openstack-keystone18:47
*** lucas___ has joined #openstack-keystone18:47
shewlessdstanek: I think I've made some more progress. I get this fancy error: A valid authentication statement was not found in the incoming message. I'm looking at the testshib logs to make more sense of it but haven't had too much luck yet.18:48
raildojamielennox: ping, do you have any updates about this contact with TC about this: http://lists.openstack.org/pipermail/openstack-dev/2016-May/095047.html ?18:51
shewlessdstanek: also do I need to setup and create sso_callback_template in keystone.conf18:52
jamielennoxraildo: ahhh, no18:52
jamielennoxraildo: crap18:52
raildojamielennox: np, if there is anything that I can help, I'm here  :)18:53
*** rk4n has quit IRC18:54
jamielennoxraildo: i was supposed to present a proposal to the TC, there's apparently no format for doing that and then i got busy on some other stuff18:55
jamielennoxraildo: i'll try and get it done this week and on the TC meeting in the next week or two18:55
*** ddieterly is now known as ddieterly[away]18:55
raildojamielennox: awesome, thank you sir!18:55
*** nisha_ has quit IRC18:55
*** amoralej is now known as amoralej|off18:57
*** lucas___ has quit IRC19:00
gyeestevemar, I keep asking the product managers to throw me a bone on HMT, I got nothing!19:00
ayoungnotmorgan, so the acceptable approach that has made it through is /domain/projectZ/Porgy/Bess/19:00
jamielennoxhenrynash_: so it would work if you follow the GET /auth/projects then use that to feed your auth call19:00
dstanekgyee: what do you want?19:00
henrynash_ayoung, notmorgan: as specced, a string starting with / has the domain in it; without a / it is relative to the domain19:01
notmorganayoung: basically19:01
*** darosale has quit IRC19:01
jamielennoxhenrynash_: but it doesn't work for all the people out there who have PROJECT_NAME in an accrc or something19:01
gyeedstanek, real world use cases19:01
ayounghenrynash_, how would it work in a URL?19:01
jamielennoxhenrynash_: and then we allow people to add a second project name from the one they've got stored19:01
notmorganayoung: url-encoded.19:01
*** jaugustine has joined #openstack-keystone19:01
henrynash_jamielennox: yes, you can take the name from GET /auth/projects and plug it into auth and we guarantee that works in 3.6 and 3.719:01
*** lucas___ has joined #openstack-keystone19:02
notmorganayoung: it's the standard answer to non-safe-control characters. but we also have very few things that "look up by name" in a URI19:02
henrynash_jamielennox: did follow your:  but it doesn't work for all the people out there who have PROJECT_NAME in an accrc or something19:02
dstanekgyee: i would love that!19:02
*** lucas___ has quit IRC19:02
stevemargyee: product managers don't care about HMT!19:03
*** lucas___ has joined #openstack-keystone19:03
*** amakarov is now known as amakarov_away19:03
dstanekstevemar: then who does?19:03
jamielennoxamakarov: so closure tables and a number of other things work for actually storing the data, the problem is changing the API19:03
henrynash_jamielennox: didn’t follow….19:03
dstanekor can we rip it out like versioned drivers?19:03
dstanekshewless: trusted_dashboard=http://{my_ip}/dashboard/auth/websso/19:03
notmorganstevemar: most users don't care about HMT :P19:04
henrynash_jamielennox: “but it doesn't work for all the people out there who have PROJECT_NAME in an accrc or something” could you expand?19:04
shalehdstanek: apparently we are supposed to throw as much out as possible to be added back in more on demand later19:04
shewlessdstanek: cool.. IP or DNS name? :)19:04
jamielennoxhenrynash_: so if i have a clouds.yaml/accrc that was given to me that i always use to authenticate it doesn't go via /auth/projects - that PROJECT_NAME is now fragile19:04
*** lucas___ has quit IRC19:04
*** lucas___ has joined #openstack-keystone19:04
notmorganjamielennox: assume it's not python19:04
jamielennoxnotmorgan: sure - i'm just saying previously stored authentication19:04
dstanekshaleh: gotta trim the fat before you start packing on the muscle19:04
notmorganjamielennox: if previously the API accepts <name[this can change]> and <domain>19:04
henrynash_jamielennox: so we gurantee that a project created via 3.6 can also be auth’d using the “simple” name19:05
notmorganand now it's </thing/thing/thing/[name]> <domain>19:05
notmorganbut nothing but the server version changed19:05
notmorganyou're broken19:05
shalehdstanek: nonsense. Look at the world's strongest man competitions. They ain't small.19:05
dstanekshewless: i also have: sso_callback_template = /opt/stack/keystone/etc/sso_callback_template.html19:05
notmorganand you broke the API contract19:05
notmorganit's more of "the api broke you" not "your auth creds are fragile"19:05
shalehdstanek: our idealized physique is that of Greek statues not actual humans19:05
*** dmk0202 has joined #openstack-keystone19:05
dstanekshaleh: they have a different muscular goal than i19:05
jamielennoxhenrynash_: also i feel i/we owe you an apology because you tried to bring this up once before and we convinced you to maintain the uniqueness constraint because it was easy to remove later19:05
henrynash_jamielennox: :-)19:06
shewlessdstanek: I snagged this.. do you think it's right? https://github.com/openstack/keystone/blob/stable/mitaka/etc/sso_callback_template.html19:06
notmorganjamielennox: if we removed the uniqueness constraint back then.. we also would have massively broke everything19:06
shewlesssince I can't find that file anywhere on my system locally19:06
shalehtime for the commute. Laters all19:06
notmorganjamielennox: it was the right call to NOT remove it then (same as today)19:06
*** shaleh has quit IRC19:06
*** sdake has quit IRC19:06
notmorganjust smaller scope because fewer things were leaning on V3... but still massive brokenness19:06
jamielennoxnotmorgan: it's one of those things that i think we just didn't think through the HMT consequences far enough19:06
dstanekshewless: that's probably fine. i'm just using the one included in the current master19:07
jamielennoxbut it's done19:07
*** sdake has joined #openstack-keystone19:07
notmorganjamielennox: basically HMT needed to be baked into v3 at the start... or be a v4 thing19:07
gyeeI am motorcyclepooling with shaleh19:07
notmorganjamielennox: we never could have changed it even with the full consequence by the time it was proposed19:07
notmorganjamielennox: short of massively disrupting the api users.19:07
henrynash_notmorgan: or maybe when we first invented domains, we could have also changed this….19:07
notmorganhenrynash_: baked into v3 at the start ;)19:08
*** adrian_otto has quit IRC19:08
shewlessdstanek: thanks.. still getting that weird error though.. maybe an attribute mapping problem.. maybe you can help?19:08
notmorganpersonally i get the UX desire for /domain/dev/PROJECTA19:08
dstanekshewless: can you paste it?19:08
notmorganand /domain/ops/PROJECTA19:08
notmorganbut i kindof think that could be solved with domains still19:08
notmorganand reseller is clearly solved with domains19:09
jamielennoxi haven't read the last few ML posts, but i've had a draft for a while i just don't know if i have any ideas here19:09
notmorganbasically lean on domains harder19:09
shewlessdstanek: http://pastebin.com/HN26Xg0B19:09
notmorganand push to where "if you really need non-unique constraints" domains make the most sense19:09
notmorganor.. be willing to make names unique (/domain/accounting/project_a_accounting /domain/dev/project_a_dev)19:10
jamielennoxnotmorgan: for me, if we're going to push forward the domains are projects thing then we should actually embrace using projects everywhere19:10
notmorganjamielennox: i mean from a HMT standpoint for henrynash_'s use cases19:11
jamielennoxalso i don't know where we are with reseller but it kind of tanks that19:11
notmorganjamielennox: i'm fine with everything being a project or not -- that is a separate convo i think19:11
henrynash_notmorgan: which would (and I know it’s still in its infancy) make quota management hard without exposing domains to the quota setting19:11
jamielennoxbecause every domain is a unique name and that would leak across boundaries19:11
dstanekshewless: what is that from?19:11
shewlessdstanek: shibboleth idp log19:11
notmorganhenrynash_: i think it's fine to approach it as a unified set of quotas19:11
dstanekshewless: how far is your request flow going?19:12
notmorganjamielennox: call domains account IDs, call the account_id_xxxxxxx, call them sha256(account_id_domain)19:12
notmorganjamielennox: the "leaking the name across boundaries" -- is this a real actual use case or theoretical19:13
shewlessdstanek: not sure how to check.. the idp logs seem like it's making it somewhat far.  trying to see if there are relevant logs on my system. Not much in apache/keystone that I can see19:13
notmorgani see every cloud i use that consumes domains properly using an id (or the same name as the domain id) as the domain_name19:13
dstanekshewless: when you initiate the flow do you get redirected to the browser to login?19:14
jamielennoxnotmorgan: well say you're now creating an accounting domain at your company so that you can auth against it, now someone in another domain elsewhere can't create the accounting domain because those names are unique19:14
*** anush__ has quit IRC19:14
notmorganfor UX perspective, make it more friendly, but adding a prefix of some sort is fine.19:14
*** jaugustine has quit IRC19:14
jamielennoxso you've just pushed the uniqueness constraint elsewhere19:14
notmorganjamielennox: to a much narrower set19:14
shewlessdstanek: ah.. yes I do! I login as "myself/myself" and then I get that error19:14
jamielennoxnotmorgan: depends how hard you advocate for people to use domains for this problem19:14
notmorganjamielennox: is this a realworld use case or theoretical19:15
notmorganbecause this has been 100% theoretical every time it comes up19:15
jamielennoxATM everything here is theoretical19:15
dstanekshewless: after you login are you redirected back to keystone?19:15
notmorganso i'm willing to say "uniqueness is fine"19:15
notmorganespecially at the domain level19:15
notmorgandon't call it "accounting"19:15
jamielennoxbut i don't want to come back in 3 cycles and go through the same problem we are having now with domains19:15
notmorganlets also look at real world uses, how often is something called "accounting" in an org19:16
notmorgannever really.19:16
jamielennoxbut you're advocating using domains more so that people can get around the uniqueness constraint19:16
notmorgancall it an ldap-style name :P19:16
henrynash_jamielennox: and this is a different example of the reseller case…and one of the reasons I want to solve the uniqueness problem is eventually I do want to be able to have projects that are acting as domains to also only have to be unique within their parent domain19:16
notmorganthe uniqueness constraint in projects19:16
jamielennoxso let's say it's domain=dev19:16
notmorganhenrynash_: i will never ever ever be for domains in domains19:16
henrynash_notmorgan: and I know that :-)19:17
jamielennoxthat's going to come up a lot19:17
*** aratus has joined #openstack-keystone19:17
notmorganhenrynash_: now, likelihood of me stepping down from keystone if that gets steam, is high19:17
notmorganbecause i don't want to be a blocker if i'm the minority19:17
*** ddieterly[away] is now known as ddieterly19:17
notmorganhenrynash_: i have yet to see a real use case for any of this --19:18
henrynash_notmorgan: well I hope that isn’t true (stepping down), but I’m not proposing that right now19:18
henrynash_notmorgan: absolutely the right question19:18
dstaneknotmorgan: i would have actually preferred the domains in domains idea. just like filesystem structures19:18
notmorganhenrynash_: it is true, i wont sign off/support something when i'm a minority case and i feel the project is going the wrong direction.19:18
jamielennoxstevemar: so +A https://review.openstack.org/#/c/318658 ?19:18
henrynash_dstanek: I actually proposed that instead of HMT!19:19
notmorganhenrynash_: but i also wont be a blocker.19:19
shewlessdstanek: after I login the address bar is: https://myloud.foo.com/Shibboleth.sso/SAML2/POST19:19
jamielennoxdstanek: ++ the idea of this for me is to make domains less special and go to just a project/folder structure19:19
notmorganhenrynash_: i just don't want to feel stressed/annoyed/angry at people for tech solutions that i just don't agree with.19:19
*** jaugustine has joined #openstack-keystone19:19
henrynash_notmorgan: ahh, you have to get over some of that!19:20
shewlessdstanek: and the error is: opensaml::FatalProfileException .. .. .. opensaml::FatalProfileException at (https://mycloud.foo.com/Shibboleth.sso/SAML2/POST) .. .. A valid authentication statement was not found in the incoming message.19:20
notmorganhenrynash_: it is also not my full time job to work on keystone19:20
notmorganhenrynash_: if it was, it would be different19:20
notmorganhenrynash_: my job is to work on zuul/nodepool/ci software19:20
henrynash_notmorgan: I still don’t agree with the way we're doing shadow users, but I’m in the minority so I’ll support it19:21
henrynash_(yep, understand the difference)19:21
notmorganhenrynash_: i can't be 150% invested on both fronts ;) if i disagree with the general direction of the project i'm not focused on, i need to not be as involved19:21
dstanekshewless: and the log you posted earlier was from mod_shib?19:21
henrynash_notmorgan: that;;s fair19:21
bknudsonif the other guy is giving 110%, you give 120%19:21
*** anush__ has joined #openstack-keystone19:21
notmorganhenrynash_: basically i should be at about 20-30% of time on keystone.19:21
shewlessdstanek: no the log was from testshib.org's logs. I'll look for some shib logs19:22
henrynash_notmorgan: yep, I know you have the other stuff now19:22
notmorganso, it tells you where i have to draw a line. and context switching keystone <-> zuul is already straining me19:22
dstanekshewless: if you are getting that error on the service provider's url it would likely be a mod_shib thing19:22
henrynash_notmorgan: I can imagine so19:22
notmorganhenrynash_: it isn't you or your idea or a (don't propose it)19:22
shewlessdstanek: ah.. ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt assertion: Unable to resolve any key decryption keys.19:23
notmorganhenrynash_: it's a hey, i want to support keystone the best i can, it isn't a "threat" :) please don't take it that way ^_^19:23
dstanekshewless: are you storing the IdP's metadata on the SP?19:23
shewlessdstanek: no.. it's a link to the IDP19:24
shewlessdstanek:         <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"              backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000" />19:24
jamielennoxbknudson: can i get you to have a look at https://review.openstack.org/#/c/326782/ - not having much luck getting oslo cores19:24
patchbotjamielennox: patch 326782 - oslo.middleware - Expose sample config opts for http-proxy-to-wsgi19:24
notmorgandstanek: so domains in domains... is more like LVM in LVM19:24
notmorgandstanek: and projects contain the resources (files) such as vms, volumes, etc19:25
notmorgandstanek: at least in my brain mapping of openstack19:25
*** tonytan4ever has quit IRC19:25
shewlessdstanek: I don't know what that "backingFilePath" is though... that file "testshib-two-idp-metadata.xml" certainly doesn't exist on my side19:25
notmorganthe domain is the actual block devices... if you want to use that analogy19:25
dstaneknotmorgan: i don't know about the LVM reference but i thought the model was simpler19:25
*** aratus has quit IRC19:25
bknudsonjamielennox: I've starred it so it's on my short list... but I haven't had time for doing reviews lately.19:25
dstanekadd 1 join table and some apis to model the hierarchy19:26
dstanekand the existing project based things continue to work19:26
notmorgandstanek: block device (domain), project (filesystem/directory structure)19:26
notmorgandstanek: is how i always saw it.19:26
jamielennoxbknudson: that's good, thanks19:26
*** aratus has joined #openstack-keystone19:26
dstaneknotmorgan: i map domain to directory (organization of content) and project to files (content)19:27
jamielennoxnotmorgan: i'm not sure how that's the model and you advocate people to use more domains when they need uniqueness constraints19:27
dstanekthen a reseller would own (sub domains)19:27
jamielennoxi need to try and get some more sleep - stuff on today, later19:29
notmorganjamielennox: i see it as domains are free and can namespace many things.19:30
notmorganjamielennox: and can be given less-friendly names overall.19:30
notmorganbut again... w/e my $0.0219:30
jamielennoxso i mostly care about domains from a root of auth perspective19:30
jamielennoxOS_DOMAIN_NAME=IBM.COM makes sense to me19:31
jamielennoxthe structure beneath that is projects19:31
bknudsonmight as well just make it a url.19:32
jamielennoxanyway, back later19:33
*** ayoung_ has joined #openstack-keystone19:34
*** gyee has quit IRC19:36
*** lucas___ has quit IRC19:39
shewlessdstanek: looks like I'm having 2 problems. 1 is that decryption key problem. Which shibboleth docs say: "The SP received encrypted XML (usually an EncryptedAssertion) and couldn't decrypt it. The SP's metadata probably doesn't contain the same public key(s) the SP is configured to use (or the credentials didn't load)."19:44
*** roxanagh_ has joined #openstack-keystone19:44
*** harlowja_ has joined #openstack-keystone19:45
shewlessdstanek: the second problem is that when I first click "login" in horizon it is accessing the "server name" instead of my "public name" - and I'm not sure if that's causing the first problem.  On my computer it doesn't matter because my browser can access both host names.. but I don't know if that causes problems with keys19:46
*** roxanagh_ has quit IRC19:49
*** harlowja has quit IRC19:49
shewlessdstanek: I'll try reuploading my metadata in case I did it before I generated the keys19:50
*** jsavak has joined #openstack-keystone19:50
stevemarjamielennox: i'm going to punt https://review.openstack.org/#/c/318658/ through, any last minute objections?19:52
patchbotstevemar: patch 318658 - keystone - Pass a request to controllers instead of a context19:52
stevemarjamielennox: i see you already asked me that lol19:53
*** aratus has quit IRC19:54
shewlessdstanek: Okay after I re-uploaded the meta data I got past that part. I'm now seeing "The page you were looking for doesn't exist You may have mistyped the address or the page may have moved."19:54
shewlessdstanek: and this in the shibd.log: http://paste.ubuntu.com/1733854019:55
*** adrian_otto has joined #openstack-keystone20:00
*** aratus has joined #openstack-keystone20:02
stevemardoes anyone have an opinion on http://lists.openstack.org/pipermail/openstack-dev/2016-June/096712.html ?20:03
*** jsavak has quit IRC20:03
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428420:04
*** jsavak has joined #openstack-keystone20:05
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428420:12
*** anush__ has quit IRC20:13
*** anush__ has joined #openstack-keystone20:13
*** anush__ has quit IRC20:17
*** anush__ has joined #openstack-keystone20:17
*** anush__ has quit IRC20:22
*** dmk0202 has quit IRC20:26
*** dmk0202 has joined #openstack-keystone20:26
*** dmk0202 has quit IRC20:33
*** jsavak has quit IRC20:33
*** jsavak has joined #openstack-keystone20:33
*** jaugustine has quit IRC20:36
*** ddieterly is now known as ddieterly[away]20:37
rderoselbragstad: what should the default be for max_active_keys?20:38
rderoselbragstad: for fernet tokens20:38
lbragstadrderose the current default is 320:38
rderoselbragstad: does it just depend on how often you rotate20:38
lbragstadrderose the number of max_active_keys does depend on how often you rotate but we don't use rotation frequency to generate the default20:39
*** mkrcmari__ has joined #openstack-keystone20:39
rderoselbragstad: sorry, does it depend on how many servers you have keystone deployed on?20:41
lbragstadrderose nope20:41
lbragstadrderose number of servers hosting a keystone deployment shouldn't matter20:41
rderoselbragstad: have ali here and we're trying to understand why the default is 320:41
lbragstadrderose i'll grab a link20:42
rderoselbragstad: cool20:42
*** mvk_ has quit IRC20:43
lbragstadrderose i was referencing a video we did in austin20:44
rderoselbragstad: oh yeah20:44
*** mvk_ has joined #openstack-keystone20:45
lbragstadrderose we chose 3 as the default because if you have less than 3 keys in your key repository you end up running into issues where you'll remove keys used to encrypt tokens that are still valid.20:45
lbragstad^ it's lengthy20:45
*** roxanagh_ has joined #openstack-keystone20:45
rderoselbragstad: thx20:47
rderoselbragstad: last question, are you familiar with enforce_token_bind setting?20:47
*** raildo is now known as raildo-afk20:47
lbragstadrderose i haven't used it but i believe it is for using bind to authenticate for a token (which isn't supported by fernet tokens)20:48
rderoselbragstad: perfect, thx20:48
*** mkrcmari__ has quit IRC20:48
*** gagehugo has quit IRC20:49
lbragstadrderose no problem20:50
*** roxanagh_ has quit IRC20:50
*** edmondsw has quit IRC20:52
*** yolanda has quit IRC20:52
stevemarjamielennox: i went with the airport hotel :(20:56
*** ayoung_ has quit IRC20:57
*** ayoung has quit IRC20:57
*** mvk has joined #openstack-keystone20:58
*** anush__ has joined #openstack-keystone20:59
*** mvk_ has quit IRC20:59
openstackgerritMerged openstack/keystone: Pass a request to controllers instead of a context  https://review.openstack.org/31865821:01
*** anush__ has quit IRC21:03
*** darrenc is now known as darrenc_afk21:03
*** anush__ has joined #openstack-keystone21:04
*** gyee has joined #openstack-keystone21:06
*** ChanServ sets mode: +v gyee21:06
*** ddieterly[away] is now known as ddieterly21:06
*** edtubill has quit IRC21:08
*** pauloewerton has quit IRC21:11
*** julim has quit IRC21:12
*** woodster_ has quit IRC21:18
*** adrian_otto has quit IRC21:26
*** anush__ has quit IRC21:33
*** edtubill has joined #openstack-keystone21:34
*** pushkaru has quit IRC21:36
*** pushkaru has joined #openstack-keystone21:36
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428421:39
*** rderose has quit IRC21:43
*** sileht has quit IRC21:51
*** sileht has joined #openstack-keystone21:52
bknudsonstevemar: which airport?21:52
*** frontrunner has quit IRC21:53
*** darrenc_afk is now known as darrenc21:54
*** ddieterly is now known as ddieterly[away]21:58
*** ddieterly[away] is now known as ddieterly22:01
*** browne has quit IRC22:08
*** sigmavirus24 is now known as sigmavirus24_awa22:23
*** openstackstatus has quit IRC22:25
*** openstack has joined #openstack-keystone22:25
*** catintheroof has joined #openstack-keystone22:25
*** gordc has quit IRC22:25
*** pushkaru has quit IRC22:25
*** openstackstatus has joined #openstack-keystone22:26
*** ChanServ sets mode: +v openstackstatus22:26
*** rk4n has joined #openstack-keystone22:26
*** browne has joined #openstack-keystone22:27
*** timcline has quit IRC22:27
*** timcline has joined #openstack-keystone22:28
*** rcernin has joined #openstack-keystone22:28
stevemarbknudson: the SJ airport i assume22:29
stevemarbknudson: https://goo.gl/vdkR5222:29
*** catintheroof has quit IRC22:30
stevemarbknudson: apparently there is a shuttle or bus that goes there every 15 minutes, takes about 30 minutes22:31
stevemarbknudson: i also rented a car22:31
*** rk4n has quit IRC22:32
stevemar170 W Tasman Dr is the cisco office22:32
stevemarby car it's about 15 minutes22:32
*** timcline has quit IRC22:33
*** jsavak has quit IRC22:33
*** ddieterly has quit IRC22:35
*** iurygregory_ has joined #openstack-keystone22:40
notmorganstevemar: we need to bug cburgess and find out what room and all we're going to be in22:46
notmorganbut cburgess is on a cruise in the baltic22:47
*** roxanagh_ has joined #openstack-keystone22:47
stevemarnotmorgan: poor signal out there :P22:47
*** rk4n has joined #openstack-keystone22:48
*** rk4n has quit IRC22:50
*** roxanagh_ has quit IRC22:51
*** rk4n has joined #openstack-keystone22:52
*** rk4n has quit IRC22:54
*** mvk_ has joined #openstack-keystone22:58
*** rmizuno_ has quit IRC23:00
*** mvk has quit IRC23:01
*** rk4n has joined #openstack-keystone23:02
notmorganstevemar: must be :P or ... someone doesn't suck at vacation23:02
*** dan_nguyen has quit IRC23:04
*** edtubill has quit IRC23:16
*** ayoung has joined #openstack-keystone23:17
*** ChanServ sets mode: +v ayoung23:17
notmorganstevemar: so.. why is a raven like a writing desk?23:17
*** BjoernT has quit IRC23:24
*** dan_nguyen has joined #openstack-keystone23:25
*** adrian_otto has joined #openstack-keystone23:28
*** browne has quit IRC23:30
*** sdake has quit IRC23:32
*** sdake has joined #openstack-keystone23:33
*** browne has joined #openstack-keystone23:35
*** rderose has joined #openstack-keystone23:39
*** rcernin has quit IRC23:40
*** rk4n has quit IRC23:53
*** rk4n has joined #openstack-keystone23:56
*** ninag has joined #openstack-keystone23:58
*** ninag has quit IRC23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!