Friday, 2016-06-17

*** ddieterly has joined #openstack-keystone		00:05
dstanek	ayoung: are you going to be messing with ipa...?	00:09
*** adrian_otto has quit IRC		00:09
ayoung	dstanek, nope	00:09
ayoung	dstanek, I hope not	00:09
ayoung	dstanek, ipa server seems to be down. Restarting the processes	00:11
ayoung	dstanek, I think a package upgrade failed.	00:12
*** roxanaghe has joined #openstack-keystone		00:17
*** aratus has quit IRC		00:17
dstanek	ayoung: coolio	00:18
*** roxanaghe has quit IRC		00:21
ayoung	dstanek, something wrong with the server. I see this in journalctl trying to start the httpd instance	00:21
ayoung	Unregistered Authentication Agent for unix-process:10168:9529 (system bus name :1.28, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UT	00:21
ayoung	and its not SELinux either	00:22
ayoung	(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443	00:24
ayoung	(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443	00:24
*** ddieterly has quit IRC		00:25
*** ddieterly has joined #openstack-keystone		00:28
ayoung	dstanek, jamielennox I could continue to troubleshoot, or I could reinstall..I might do the latter, and get rippowam working with Centos Again...after family time	00:30
jamielennox	ayoung: whatever you like	00:30
dstanek	ayoung: i have nothing on there worth saving or that i can't recreate easily	00:31
dstanek	ayoung: enjoy the family time	00:31
*** ddieterly has quit IRC		00:42
*** ddieterly has joined #openstack-keystone		00:51
*** sdake has joined #openstack-keystone		00:58
*** sdake has quit IRC		01:14
*** sdake has joined #openstack-keystone		01:16
*** roxanaghe has joined #openstack-keystone		01:17
*** jsavak has joined #openstack-keystone		01:20
*** EinstCrazy has joined #openstack-keystone		01:21
*** roxanaghe has quit IRC		01:22
*** sdake_ has joined #openstack-keystone		01:22
jamielennox	stevemar: so, any chance you've seen https://review.openstack.org/#/c/330329/	01:24
patchbot	jamielennox: patch 330329 - keystone-specs - Reservations (a working title)	01:24
*** sdake has quit IRC		01:24
openstackgerrit	Sam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz https://review.openstack.org/283905	01:27
*** ddieterly has quit IRC		01:42
*** jsavak has quit IRC		01:48
iurygregory_	Hi jamielennox, sorry to bother you. I have question about the keystone middleware configuration, can i set auth_url or just auth_uri (they are the same?)	01:51
iurygregory_	i'm following http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html	01:51
jamielennox	iurygregory_: they're not quite the same but in practice you'll probably want to set them to the same thing	01:52
iurygregory_	oh so i can set both?	01:52
jamielennox	iurygregory_: auth_uri ends up in the headers of 401 Unauthenticated responses	01:52
jamielennox	and points to a public discoverable keystone base (so no prefix)	01:52
*** ddieterly has joined #openstack-keystone		01:53
jamielennox	auth_url is where the service user is going to authenticate to	01:53
jamielennox	so depending how you're set up auth_url is internal URL and auth_uri is public	01:53
iurygregory_	tks jamielennox =)	01:54
jamielennox	np	01:54
*** jorge_munoz_ has joined #openstack-keystone		01:56
*** jorge_munoz has quit IRC		01:57
*** jorge_munoz_ is now known as jorge_munoz		01:57
ayoung	jamielennox, what is the difference? I've had trouble distinguishing to people in the past	01:58
ayoung	I still don't understand the difference between url and uri	01:58
jamielennox	ayoung: auth_uri ends up in "WWW-Authenticate: Keystone uri=%s" header	01:59
jamielennox	that's its only job	01:59
ayoung	jamielennox, and what is that meant to do?	01:59
ayoung	tell someone where they need to go to authenticate?	01:59
jamielennox	heh, yea, it gets added to all 401 responses and then i'm pretty sure everyone ignores it	02:00
ayoung	jamielennox, so, they should be the same thing, then, right?	02:02
ayoung	I mean, we say that the Keystone server that you authenticate against is the one that nova is going to use to validate the token	02:02
jamielennox	ayoung: depends, most people use an internal URL for auth_url but auth_uri would get exposed to the public	02:02
ayoung	and the version should match	02:02
ayoung	ah	02:02
jamielennox	there should be no version in auth_uri	02:02
ayoung	so auth_uri=main auth_url=admin in v2.0 speak	02:03
jamielennox	yea	02:03
jamielennox	more or less	02:03
ayoung	Blog post. You want to write it or shall I?	02:03
ayoung	I'm bascially just going to edit this convo...	02:04
jamielennox	ideally we could default it way better than that, like auth.get_endpoint('identity', interface='public')	02:04
jamielennox	but that gets funny	02:04
jamielennox	mm, blog, i haven't written one of those for a while	02:04
*** dan_nguyen has quit IRC		02:07
jamielennox	ayoung: so i'm looking for someone to tell me my reservations thing won't work	02:08
ayoung	jamielennox, ?	02:08
jamielennox	https://review.openstack.org/#/c/330329/	02:08
patchbot	jamielennox: patch 330329 - keystone-specs - Reservations (a working title)	02:08
jamielennox	ayoung: cause to me it solves token timeouts and probably dynamic policy	02:08
ayoung	jamielennox, reading	02:12
ayoung	A reservation is therefore singlue use replacement for a token for interservice	02:13
ayoung	communication but that only authenticates the bearer to perform a specific	02:13
ayoung	operation and any flow on operations.	02:13
ayoung	ignroring the tpyo for a moment...this sounds like a single use trust	02:13
ayoung	jamielennox, yep, I think I like	02:14
jamielennox	yea, i've been thinking about it for a while, but it was a fairly quite write up	02:15
ayoung	jamielennox, so, essentially a reservation is like a trust but stored in fernet format, and created on the fly when a user requests something from (e.gh.) Nova that spans multiple services	02:16
iurygregory_	we can still use admin_tenant_name in the keystone_authtoken section? (in my mind project_name is a replace for this)	02:16
*** sdake has joined #openstack-keystone		02:16
ayoung	iurygregory_, tenant is dead long live project	02:16
jamielennox	ayoung: kind of a single use trust, but it's not something a project establishes on purpose	02:16
jamielennox	ayoung: it's just done for them intead of token validation and isn't stored in the db	02:16
jamielennox	so yea, more or less	02:16
ayoung	jamielennox, so would we have reservation templates?	02:17
iurygregory_	ayoung, yeah i know is just because the docs point that it's possible to use XD	02:17
jamielennox	iurygregory_: it will still work but it's an old config option and you should probably update it if you're going through it	02:17
jamielennox	ayoung: templates?	02:17
ayoung	maybe a mapping from "if I call create_vm user the create_vm reservation template" say?	02:17
ayoung	like a 'fill in the blanks" trust	02:17
*** ddieterly has quit IRC		02:17
ayoung	I, state your name, do hereby grant to nova the right to mount my partition from cinder	02:18
jamielennox	ayoung: so i don't see it as template	02:18
iurygregory_	jamielennox, tks i'm providing a patch for puppet-keystone with keystonemiddleware valid options =)	02:18
*** roxanaghe has joined #openstack-keystone		02:18
ayoung	jamielennox, here's a dumb idea	02:18
*** sdake_ has quit IRC		02:19
jamielennox	my initial thought is that nova (eg) would provide the url that it's hitting, and if you passed the reservation it wouldn't recheck policy	02:19
ayoung	what if keystone auth passed the requested operation on to keystone when getting a token, and that token was the reservation, too	02:19
jamielennox	but i don't think that would work	02:19
ayoung	there are two expirys	02:19
ayoung	one is for the user, and the other is for the reservation	02:19
jamielennox	ayoung: i see passing reservation as a replacement for passing a token	02:19
jamielennox	ayoung: because we can't validate a token that has expired at all - api limitations	02:19
jamielennox	this was the initial problem and why we couldn't just accept a buffer time	02:20
ayoung	we can if we don't call it a token, though	02:20
jamielennox	ayoung: well if it's not a token we can do what we like	02:20
jamielennox	a reservation would be valid for like 15 minutes from time of creation	02:20
jamielennox	and validatable for that period	02:20
jamielennox	that's the only thing you would validate and any information you need from the token would get copied into the reservation	02:21
ayoung	wait	02:21
ayoung	15 minutes? I thought they were for long running tasks?	02:21
jamielennox	how long do you want?	02:21
ayoung	hell, we have operations that take over an hour	02:21
ayoung	the whole image upload thing	02:21
ayoung	was it snapshot?	02:22
jamielennox	so by default nothing can handle that	02:22
jamielennox	i would be ok with making that longer but one of the issues raised on the service users spec is that it cant be unlimited	02:22
ayoung	when nova validates a token, it can get back a reservation	02:22
*** roxanaghe has quit IRC		02:23
jamielennox	i was thinking 15 minutes was greater than almost all http timeouts and would therefore sufice	02:23
ayoung	the thing I don't like about that is the user has no control at that point what roles Nova would get, so the user should ideally limit them in the intial token creation	02:23
jamielennox	ayoung: the roles would be copied from the token	02:24
ayoung	which was this spec https://review.openstack.org/#/c/186979/	02:24
patchbot	ayoung: patch 186979 - keystone-specs - Tokens with subsets of roles	02:24
jamielennox	yep, i remember that one	02:25
jamielennox	so this wouldn't have any effect on that	02:25
jamielennox	because the reservation would have the same roles as the token did	02:25
ayoung	So, I like this, but I think you are going to have trouble selling it to morgan. I'll back you up. I think we can do this	02:26
jamielennox	ayoung: i don't think notmorgan will be that hard really	02:26
ayoung	its an additional step in token validation: "here is the token you use for the next step"	02:26
ayoung	he wants "validate at the edges only"	02:26
ayoung	which I really don't like	02:26
jamielennox	ayoung: right - but it's transparent to the user so we only need to fix the services	02:27
jamielennox	"only"	02:27
ayoung	I'm less concerned with Nova than Trove Sahara, and other *aaS	02:27
ayoung	we can even do this in the keystone middleware	02:27
jamielennox	right, there's no way i'm doing this on an individual basis, i was working on context etc to pass all this around automatically already	02:27
jamielennox	ayoung: yep, like 90% keystonemiddleware	02:28
ayoung	so, you said this might solve dynamic policy?	02:28
jamielennox	the service would only need to forward the reservation id instead of the token	02:28
ayoung	just call it a new token	02:28
ayoung	really, it is just a token with an extended lifespan	02:28
jamielennox	too overloaded, and it'll have a different format	02:28
ayoung	does it really need a different format?	02:29
jamielennox	this makes it so users deal with tokens, services deal with reservations	02:29
jamielennox	ayoung: it'll be almost the same but it means we don't have to keep some of the rules about tokens around	02:29
jamielennox	like not extending lifetimes and rescoping etc	02:29
jamielennox	just easier to be its own concept	02:29
jamielennox	ayoung: so dynamic policy	02:29
jamielennox	ayoung: when you request a reservation you send the user's token, the service's token and the operation they are trying to perform	02:30
ayoung	ah, so the user would do this up front?	02:30
jamielennox	ayoung: keystone denies creating a reservation if the user isn't allowed to, based on polic	02:30
jamielennox	y	02:30
ayoung	or would nova?	02:30
jamielennox	keystone controls policy	02:30
ayoung	yeah, but start from the CLI doing openstack server create ....	02:31
ayoung	I have no token, what happens there?	02:31
jamielennox	ayoung: when auth_token middleware gets a token it would try to transform it into a resrevation	02:31
jamielennox	so the reservation creation happens on the service side the first time a token is received	02:31
jamielennox	once you have a reservation you can ditch the user token	02:32
jamielennox	that gives you edge validation because service to service will use reservations	02:32
ayoung	ah, but there is a problem: you have to trust the service to tell you what operation the user is trying to perform	02:32
jamielennox	users will have no ability to create reservations, that would be service only	02:32
ayoung	if I want to kill a server, it could cheat and ask for a reservation to create a server	02:32
*** ddieterly has joined #openstack-keystone		02:33
jamielennox	ayoung: so in practice that would be done via auth_token middleware, but yes that is open for exploit	02:33
ayoung	I mean, auth_token would do the right thing, but the service would not necessarily run an unmodified auth_token	02:33
jamielennox	however it's still a hundred times better than now	02:33
ayoung	agreed.	02:33
jamielennox	because you're using the user's token the service could still only ask for a reservation the user could actually do	02:33
jamielennox	and it can't store it for later	02:34
ayoung	so, lets make it implicit. When the service user validates the token, if it passes in the operation, we grant it a reservation	02:34
ayoung	to lock down in the future, we can have a rule that says "the reservation has the same roles or less than the token origianlly granted"	02:34
ayoung	so if we really need to make it secure, we can still have the user request a token with a specific subset of roles	02:35
jamielennox	right, though in practice i don't know how you'd scale it back	02:35
ayoung	sdo if create VM is a different role than delete, and they send dlete, the reservation for create would be denied	02:35
jamielennox	ayoung: yep, users deal with tokens, this wouldn't affect them at all	02:35
ayoung	OK, I'll call your mechanism here "necessary but not sufficient" and say that it is a big step forward	02:35
jamielennox	right, now i have no answers how to manage all that	02:36
jamielennox	we are still going to have the same problem of all the services wanting to provide their own default policies	02:36
jamielennox	and i have no idea how to collate it all and all the rules you would need to say that "fetch_an_image" is a valid sub operation of "create_a_vm"	02:37
jamielennox	however _if_ we can figure that out we get all the things you are looking for	02:37
jamielennox	"what can this user do"	02:37
jamielennox	dynamic policy, centralized policy	02:37
ayoung	its ok. this is progress	02:37
jamielennox	not to mention audit essentially would get centralized into keyston e	02:38
jamielennox	ayoung: anyway, i'm trying to figure out anything i've missed or any reason it wouldn't work	02:40
ayoung	jamielennox, it sounds sane to me	02:41
ayoung	that may be "Damned by faint praise" though	02:41
jamielennox	ayoung: meh, praise comes if/when it's implemented and works - i just don't want to do a whole bunch of work and then figure out it's not going to work	02:42
*** adrian_otto has joined #openstack-keystone		02:45
*** ddieterly has quit IRC		02:48
*** jamielennox is now known as jamielennox\|away		03:03
*** gyee has quit IRC		03:07
ayoung	jamielennox\|away, http://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/	03:10
*** jamielennox\|away is now known as jamielennox		03:19
*** roxanaghe has joined #openstack-keystone		03:19
jamielennox	ayoung: lol, quick and dirty	03:19
*** iurygregory_ has quit IRC		03:19
jamielennox	i like it	03:19
ayoung	:)	03:19
*** dan_nguyen has joined #openstack-keystone		03:21
*** richm has quit IRC		03:23
*** roxanaghe has quit IRC		03:24
stevemar	jamielennox: nice bug clean up	03:24
jamielennox	stevemar: swatting the easy ones	03:25
stevemar	jamielennox: it's appreciated nonetheless	03:25
*** markvoelker has quit IRC		03:47
*** GB21 has joined #openstack-keystone		04:02
*** lamt has quit IRC		04:11
*** links has joined #openstack-keystone		04:20
*** rha_ has joined #openstack-keystone		04:29
*** rha has quit IRC		04:29
jamielennox	stevemar: where should we send things like: https://bugs.launchpad.net/keystonemiddleware/+bug/1580397	04:32
openstack	Launchpad bug 1580397 in keystonemiddleware " s3token config with auth URI" [Undecided,New]	04:32
jamielennox	it looks like it was auto created because of the DocImpact flag, but it seems dumb to have DocImpact open bugs in the same proejct	04:33
*** dan_nguyen has quit IRC		04:34
stevemar	jamielennox: we should triage the bug by adding content to it, enough so the docs team can make a change, then re-assign	04:35
stevemar	jamielennox: or we submit a patch to docs	04:35
*** tqtran has quit IRC		04:36
jamielennox	stevemar: https://review.openstack.org/#/c/330329/ - because i'm trying to make people read it	04:42
patchbot	jamielennox: patch 330329 - keystone-specs - Reservations (a working title)	04:42
*** markvoelker has joined #openstack-keystone		04:47
*** sdake_ has joined #openstack-keystone		04:50
*** markvoelker has quit IRC		04:52
*** sdake has quit IRC		04:53
*** GB21 has quit IRC		04:53
*** roxanaghe has joined #openstack-keystone		05:19
*** roxanagh_ has joined #openstack-keystone		05:20
*** roxanaghe has quit IRC		05:23
*** roxanagh_ has quit IRC		05:25
*** browne has joined #openstack-keystone		05:25
*** links has quit IRC		05:27
*** sdake has joined #openstack-keystone		05:27
*** links has joined #openstack-keystone		05:28
*** sdake_ has quit IRC		05:31
*** GB21 has joined #openstack-keystone		05:34
stevemar	jamielennox: hehe "In which he ponders"	05:35
*** sdake_ has joined #openstack-keystone		05:38
*** sdake has quit IRC		05:41
*** sdake_ has quit IRC		05:50
*** belmoreira has joined #openstack-keystone		06:06
*** browne has quit IRC		06:07
*** nisha_ has joined #openstack-keystone		06:21
*** rcernin has joined #openstack-keystone		06:23
*** david-lyle has quit IRC		06:26
*** pcaruana has joined #openstack-keystone		06:29
*** sheel has joined #openstack-keystone		06:50
*** ebarrera has joined #openstack-keystone		07:10
*** tesseract has joined #openstack-keystone		07:10
*** henrynash_ has joined #openstack-keystone		07:11
*** ChanServ sets mode: +v henrynash_		07:11
*** hogepodge has quit IRC		07:12
*** adrian_otto has quit IRC		07:15
*** henrynash_ has quit IRC		07:17
*** nisha_ has quit IRC		07:21
*** roxanaghe has joined #openstack-keystone		07:22
*** GB21 has quit IRC		07:23
*** roxanaghe has quit IRC		07:27
*** dmk0202 has joined #openstack-keystone		07:32
*** dmk0202 has quit IRC		07:33
*** EinstCra_ has joined #openstack-keystone		07:38
*** amoralej\|off is now known as amoralej		07:39
*** EinstCrazy has quit IRC		07:40
*** nisha_ has joined #openstack-keystone		07:42
*** EinstCra_ has quit IRC		07:43
*** EinstCrazy has joined #openstack-keystone		07:43
*** rcernin has quit IRC		07:45
*** GB21 has joined #openstack-keystone		07:49
*** yolanda has joined #openstack-keystone		07:55
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	08:03
*** rcernin has joined #openstack-keystone		08:10
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	08:10
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	08:10
*** nisha_ has quit IRC		08:21
*** nisha_ has joined #openstack-keystone		08:21
*** redrobot has quit IRC		08:21
*** jlvillal has quit IRC		08:22
*** jlvillal has joined #openstack-keystone		08:22
*** henrynash_ has joined #openstack-keystone		08:22
*** ChanServ sets mode: +v henrynash_		08:22
*** Daviey_ has quit IRC		08:23
*** roxanaghe has joined #openstack-keystone		08:23
*** Daviey has joined #openstack-keystone		08:23
*** redrobot has joined #openstack-keystone		08:24
*** redrobot is now known as Guest31553		08:24
*** dmk0202 has joined #openstack-keystone		08:27
*** roxanaghe has quit IRC		08:28
*** daemontool has joined #openstack-keystone		08:28
*** nisha_ has quit IRC		08:35
*** bj0rnar has joined #openstack-keystone		08:36
*** mkrcmari__ has joined #openstack-keystone		08:36
*** rmstar has joined #openstack-keystone		08:36
*** jlvillal has quit IRC		08:37
*** woodburn has quit IRC		08:39
*** henrynash_ has quit IRC		08:39
*** rodrigods has quit IRC		08:40
*** ebarrera has quit IRC		08:40
*** rodrigods has joined #openstack-keystone		08:41
*** henrynash_ has joined #openstack-keystone		08:41
*** harlowja_ has quit IRC		08:41
*** jlvillal has joined #openstack-keystone		08:42
*** daemontool_ has joined #openstack-keystone		08:42
*** anteaya has quit IRC		08:42
*** mvk_ has quit IRC		08:42
*** rmstar_ has quit IRC		08:42
*** ekarlso has quit IRC		08:42
*** woodburn has joined #openstack-keystone		08:42
*** bj0rnar- has quit IRC		08:43
*** mdavidson has quit IRC		08:43
*** tlbr has quit IRC		08:43
*** henrynash has quit IRC		08:43
*** xek has quit IRC		08:43
*** xek has joined #openstack-keystone		08:43
*** mtreinish has quit IRC		08:44
*** daemontool has quit IRC		08:44
*** tlbr has joined #openstack-keystone		08:44
*** mdavidson has joined #openstack-keystone		08:44
*** anteaya has joined #openstack-keystone		08:45
*** ebarrera has joined #openstack-keystone		08:45
*** mtreinish has joined #openstack-keystone		08:46
*** tpeoples has quit IRC		08:47
*** tpeoples has joined #openstack-keystone		08:49
*** ekarlso has joined #openstack-keystone		08:51
*** EinstCrazy has quit IRC		08:55
*** EinstCrazy has joined #openstack-keystone		08:59
openstackgerrit	Merged openstack/keystone: Use http_proxy_to_wsgi from oslo.middleware https://review.openstack.org/327418	09:00
*** EinstCra_ has joined #openstack-keystone		09:06
*** EinstCrazy has quit IRC		09:09
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	09:10
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move scope into _OidcBase https://review.openstack.org/330463	09:10
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: add discovery document support https://review.openstack.org/330464	09:10
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: remove grant_type argument https://review.openstack.org/330465	09:10
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: refactor unit tests https://review.openstack.org/330966	09:10
*** openstackgerrit has quit IRC		09:18
*** openstackgerrit has joined #openstack-keystone		09:18
*** alex_xu has quit IRC		09:26
*** alex_xu has joined #openstack-keystone		09:28
*** mjb has quit IRC		09:48
*** mjb has joined #openstack-keystone		09:55
*** mjb has quit IRC		09:56
*** zengchen has quit IRC		09:58
*** mjb has joined #openstack-keystone		09:59
*** openstackgerrit has quit IRC		10:03
*** openstackgerrit has joined #openstack-keystone		10:03
*** ashokt has quit IRC		10:05
*** rcernin has quit IRC		10:05
*** GB21 has quit IRC		10:09
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	10:10
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: add discovery document support https://review.openstack.org/330464	10:12
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: remove grant_type argument https://review.openstack.org/330465	10:12
*** roxanaghe has joined #openstack-keystone		10:24
*** roxanaghe has quit IRC		10:29
*** Daviey has quit IRC		10:29
*** Daviey has joined #openstack-keystone		10:29
*** henrynash has joined #openstack-keystone		10:37
*** ChanServ sets mode: +v henrynash		10:37
*** GB21 has joined #openstack-keystone		10:40
*** bunting has left #openstack-keystone		10:41
*** permalac has joined #openstack-keystone		10:47
*** hogepodge has joined #openstack-keystone		10:54
*** henrynash has quit IRC		10:58
*** GB21 has quit IRC		10:59
*** GB21 has joined #openstack-keystone		11:06
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: Validate impersonation in trust redelegation https://review.openstack.org/330045	11:20
*** roxanaghe has joined #openstack-keystone		11:25
*** amoralej is now known as amoralej\|lunch		11:26
*** roxanaghe has quit IRC		11:29
*** bjornar_ has joined #openstack-keystone		11:31
*** rcernin has joined #openstack-keystone		11:47
*** EinstCra_ has quit IRC		11:53
*** nisha_ has joined #openstack-keystone		11:54
*** nisha_ has quit IRC		11:55
*** EinstCrazy has joined #openstack-keystone		11:57
*** jsavak has joined #openstack-keystone		11:58
*** EinstCra_ has joined #openstack-keystone		12:00
*** EinstCrazy has quit IRC		12:02
*** EinstCrazy has joined #openstack-keystone		12:03
*** dave-mccowan has joined #openstack-keystone		12:04
*** markvoelker has joined #openstack-keystone		12:04
*** dmk0202 has quit IRC		12:05
*** EinstCra_ has quit IRC		12:06
*** jdennis has quit IRC		12:10
*** EinstCra_ has joined #openstack-keystone		12:11
*** rreimberg has joined #openstack-keystone		12:11
*** EinstCra_ has quit IRC		12:11
*** EinstCra_ has joined #openstack-keystone		12:13
*** EinstCrazy has quit IRC		12:14
*** ddieterly has joined #openstack-keystone		12:16
*** jsavak has quit IRC		12:18
samueldmq	morning keystone	12:21
*** EinstCra_ has quit IRC		12:21
*** GB21 has quit IRC		12:23
*** roxanaghe has joined #openstack-keystone		12:26
*** ddieterly has quit IRC		12:26
*** jdennis has joined #openstack-keystone		12:29
*** roxanaghe has quit IRC		12:30
*** pauloewerton has joined #openstack-keystone		12:34
*** jsavak has joined #openstack-keystone		12:34
*** edmondsw has joined #openstack-keystone		12:34
*** jsavak has quit IRC		12:38
*** jsavak has joined #openstack-keystone		12:39
*** lamt has joined #openstack-keystone		12:39
shewless	astanek: thanks. I got federation working with testshib! I am encountering a weird problem on first login which I think is a bug. will try and grab some logs later on	12:40
*** rreimberg has left #openstack-keystone		12:41
*** gordc has joined #openstack-keystone		12:46
amakarov	ayoung, o/	12:51
*** ddieterly has joined #openstack-keystone		12:53
openstackgerrit	Liam Young proposed openstack/keystone: Correct domain_id and name constraint dropping https://review.openstack.org/329855	13:01
*** amoralej\|lunch is now known as amoralej		13:03
*** ddieterly has quit IRC		13:11
*** mwheckmann has joined #openstack-keystone		13:14
*** jefrite has quit IRC		13:19
*** andreykurilin has joined #openstack-keystone		13:23
*** roxanaghe has joined #openstack-keystone		13:27
*** henrynash has joined #openstack-keystone		13:31
*** ChanServ sets mode: +v henrynash		13:31
*** roxanaghe has quit IRC		13:31
amakarov	dstanek, hi! Are you here?	13:34
*** richm has joined #openstack-keystone		13:37
amakarov	dstanek, I want to change assignment driver and your code stops the tests. How can I replace a driver for _assert_backends() to pass? https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L50	13:38
*** ddieterly has joined #openstack-keystone		13:38
*** Dinesh_Bhor has quit IRC		13:45
*** links has quit IRC		13:46
dstanek	amakarov: that just ensures that the backends that are supposed to be loaded are loaded	13:48
dstanek	amakarov: for example, https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L1065	13:48
amakarov	dstanek, aha, just as I thought. What should I do if I want to use another backend?	13:50
*** ametts has joined #openstack-keystone		13:50
dstanek	amakarov: what are you trying to do?	13:50
amakarov	dstanek, I'm writhing an assignment driver	13:51
dstanek	amakarov: do you have example code to share?	13:51
*** edtubill has joined #openstack-keystone		13:52
amakarov	dstanek, https://review.openstack.org/#/c/291318/16/keystone/delegation/backends/sql.py	13:52
patchbot	amakarov: patch 291318 - keystone - WIP/DNM Unified delegation assignment driver	13:52
*** rodrigods has quit IRC		13:52
*** rodrigods has joined #openstack-keystone		13:52
*** jorge_munoz has quit IRC		13:54
*** jorge_munoz has joined #openstack-keystone		13:58
dstanek	amakarov: i can't get that to work at all. lots of recursion errors	14:02
*** raddaoui has joined #openstack-keystone		14:02
amakarov	dstanek, I know, I just don't want to push failing code )	14:03
*** henrynash has quit IRC		14:06
*** ddieterly is now known as ddieterly[away]		14:06
*** sigmavirus24_ is now known as sigmavirus24		14:06
openstackgerrit	Alexander Makarov proposed openstack/keystone: WIP/DNM Unified delegation assignment driver https://review.openstack.org/291318	14:07
amakarov	dstanek, ^	14:08
*** adrian_otto has joined #openstack-keystone		14:10
amakarov	dstanek, tox -e py27 keystone.tests.unit.test_backend_ldap	14:10
amakarov	dstanek, AssertionError: subsystem assignment expected <class 'keystone.assignment.backends.sql.Assignment'>, but observed <class 'keystone.assignment.backends.base.V10AssignmentWrapperForV9Driver'>	14:11
dstanek	amakarov: it looks like you are trying to reuse tests that have a very specific backend requirement	14:12
*** sdake has joined #openstack-keystone		14:12
amakarov	dstanek, but I need to change the backend	14:13
*** ddieterly[away] is now known as ddieterly		14:13
dstanek	amakarov: new test class? if you need to share tests then they may need to be broken out	14:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/331166	14:15
amakarov	dstanek, broken out? What do you mean?	14:15
dstanek	amakarov: something you are doing is changing the backend that test_backend_ldap uses	14:18
amakarov	dstanek, as a result of my work the backend gets changed, so I want tests to pass with my new backend. What can I do for that?	14:20
dstanek	amakarov: you want the existing test to use your new backend?	14:20
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/331180	14:20
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/331181	14:20
amakarov	dstanek, If I disable _assert_backends, test_backend_ldap passes	14:20
amakarov	dstanek, yes	14:20
dstanek	amakarov: but it gets run with the incorrect backends, right?	14:21
dstanek	amakarov: which tests do you want to run against your new backend?	14:21
amakarov	dstanek, all of them actually	14:22
dstanek	amakarov: all from that module?	14:22
*** ebarrera has quit IRC		14:23
dstanek	amakarov: the short answer is not to us the LDAPIdentity setup	14:23
amakarov	dstanek, imagine keystone.assignment.backends.sql.Assignment is removed and keystone.delegation.backends.sql.AssignmentDriver is user instead of it	14:25
amakarov	*is used	14:26
*** roxanaghe has joined #openstack-keystone		14:28
amakarov	dstanek, I assume all existing tests should pass	14:28
dstanek	amakarov: sure	14:28
amakarov	dstanek, so I want all the tests from keystone and all the tests from that module in partucular :)	14:29
dstanek	amakarov: LDAPIdentity is just setup not tests. make your own class that provides its own setup and uses the same tests	14:29
amakarov	dstanek, no problem, but what have I to do with failing tests based on LDAPIdentity? They won't go anywhere	14:31
dstanek	amakarov: don't change the backend used by LDAPIdentity	14:31
*** david-lyle has joined #openstack-keystone		14:32
*** roxanaghe has quit IRC		14:32
amakarov	dstanek, please suggest me, how can I not to change backend for a special test using adapters?	14:33
amakarov	https://review.openstack.org/#/c/291318/16/keystone/assignment/core.py	14:33
patchbot	amakarov: patch 291318 - keystone - WIP/DNM Unified delegation assignment driver	14:33
dstanek	amakarov: don't use the LDAPIdentity class. write your own that provides your own setup	14:35
amakarov	dstanek, I've done nothing to it and I don't use it	14:36
amakarov	dstanek, it just fails because of system-wide driver change	14:36
amakarov	dstanek, and it's not my custom driver - it's just a new vorsion of driver with adapter	14:37
dstanek	amakarov: so you'll need to figure out why the driver for its tests is getting changed	14:37
amakarov	dstanek, driver is getting changed because I introduce a new driver version, so driver is changed to adapter	14:38
amakarov	dstanek, in this case the old driver is called using an adapter	14:38
amakarov	dstanek, it is the very same driver	14:39
amakarov	dstanek, but wrapped with adapter	14:39
amakarov	base.V10AssignmentWrapperForV9Driver	14:39
dstanek	amakarov: don't the tests always expect the latest version?	14:41
amakarov	dstanek, no	14:41
mwheckmann	hello. Can anyone help be with a federation problem when combined with the new sample v3 policy.json?	14:41
amakarov	dstanek, not this one	14:41
dstanek	amakarov: it should. i think _assert_backends actually matches the string 'sql' against the entrypoint	14:43
amakarov	dstanek, more or less - it matches the driver class	14:44
*** phalmos has joined #openstack-keystone		14:44
amakarov	dstanek, the class from entrypoint against the calss of actual driver	14:44
dstanek	amakarov: is that the latest class?	14:45
amakarov	dstanek, actual driver is of latest class, expected class is assignment.backends.sql.Assignment	14:46
amakarov	without any versioning	14:46
mwheckmann	basically, I have SAML federation working beautifully, but the problem is that all users that come in from federation are in the "Federated" domain.	14:48
*** nisha_ has joined #openstack-keystone		14:48
mwheckmann	This means that I can't map any user to be a domain admin in other domains	14:49
*** timcline has joined #openstack-keystone		14:50
dstanek	amakarov: in my env it looks like it expects the latest and get a wrapper around the old	14:54
*** pcaruana has quit IRC		14:54
dstanek	amakarov: the tests (except the legacy tests) should always be using the latest drivers	14:55
amakarov	dstanek, can you please give me an error message?	14:55
dstanek	AssertionError: subsystem assignment expected <class 'keystone.assignment.backends.sql.Assignment'>, but observed <class 'keystone.assignment.backends.base.V10AssignmentWrapperForV9Driver'>	14:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Integration tests cleanup https://review.openstack.org/330537	14:56
dstanek	amakarov: are you not getting the same thing?	14:56
amakarov	dstanek, yes	14:56
amakarov	dstanek, it expects not the latest one	14:56
amakarov	but the particular one	14:56
amakarov	keystone.assignment.backends.sql.Assignment is not the latest	14:57
amakarov	dstanek, V10AssignmentWrapperForV9Driver is used to adapt it	14:57
dstanek	amakarov: isn't keystone.assignment.backends.sql.Assignment the latest driver?	14:58
amakarov	dstanek, no. it's v9 and I'm introducing v10	14:58
dstanek	amakarov: that's why you are broken then	14:58
*** roxanaghe has joined #openstack-keystone		14:59
dstanek	amakarov: our drivers should be the latest	14:59
dstanek	amakarov: it's vendor drivers that need the wrapper. we should never be using the wrapper ourselves	14:59
amakarov	dstanek, so I should upgrade alod driver to be v10 to pass this test?	15:00
dstanek	amakarov: probably	15:00
dstanek	keystone always uses the latest driver. we just support the old interface for vendors that can't keep up	15:00
amakarov	dstanek, understood. thanks, will hack okd driver then	15:01
*** roxanaghe has quit IRC		15:03
*** tesseract has quit IRC		15:05
dstanek	amakarov: np	15:06
*** rcernin has quit IRC		15:07
*** bjornar_ has quit IRC		15:10
*** adrian_otto has quit IRC		15:11
*** browne has joined #openstack-keystone		15:15
*** dan_nguyen has joined #openstack-keystone		15:18
*** sdake has quit IRC		15:20
*** afazekas\|dentist is now known as afazekas		15:25
*** nisha__ has joined #openstack-keystone		15:27
*** jorge_munoz_ has joined #openstack-keystone		15:27
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	15:27
*** jorge_munoz has quit IRC		15:27
*** jorge_munoz_ is now known as jorge_munoz		15:27
nisha__	samueldmq, Please have a look :)	15:27
*** nisha_ has quit IRC		15:30
*** dan_nguyen has quit IRC		15:32
*** dan_nguyen has joined #openstack-keystone		15:36
*** belmoreira has quit IRC		15:40
*** phalmos has quit IRC		15:41
*** phalmos has joined #openstack-keystone		15:43
*** ddieterly is now known as ddieterly[away]		15:47
*** henrynash has joined #openstack-keystone		15:49
*** ChanServ sets mode: +v henrynash		15:49
*** Guest31553 is now known as redrobot		15:50
*** sdake has joined #openstack-keystone		15:51
*** dan_nguyen has quit IRC		15:51
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: Validate impersonation in trust redelegation https://review.openstack.org/330045	15:52
samueldmq	nisha__: done, I left another couple of comments, mostly nits (minor suggestions/changes)	15:52
nisha__	samueldmq, Sure, will work on them	15:53
*** aratus has joined #openstack-keystone		15:53
*** aratus has left #openstack-keystone		15:56
*** tonytan4ever has joined #openstack-keystone		15:59
*** dan_nguyen has joined #openstack-keystone		15:59
*** permalac has quit IRC		16:03
*** roxanaghe has joined #openstack-keystone		16:06
*** sdake has quit IRC		16:07
*** dmk0202 has joined #openstack-keystone		16:09
*** mdavidson has quit IRC		16:11
*** ddieterly[away] is now known as ddieterly		16:14
*** roxanaghe has quit IRC		16:15
*** roxanaghe has joined #openstack-keystone		16:22
*** jsavak has quit IRC		16:25
*** jsavak has joined #openstack-keystone		16:26
-openstackstatus- NOTICE: zuul was restarted for a software upgrade; events between 16:08 and 16:30 were missed, please recheck any changes uploaded during that time		16:33
*** gyee has joined #openstack-keystone		16:42
*** ChanServ sets mode: +v gyee		16:42
*** pushkaru has joined #openstack-keystone		16:47
ayoung	dstanek, notmorgan how do we publish the entrypoints for the SAML2 and kerberos plugins in keystoneauth? THey are not listed in /usr/lib/python2.7/site-packages/keystoneauth1-2.4.1-py2.7.egg-info/entry_points.txt	16:49
*** ddieterly is now known as ddieterly[away]		16:50
*** manjrem has joined #openstack-keystone		16:51
*** daemontool_ has quit IRC		16:52
*** harlowja has joined #openstack-keystone		16:53
*** adrian_otto has joined #openstack-keystone		16:57
dstanek	ayoung: do we have saml2 stuff in keystoneauth?	17:00
ayoung	dstanek, yeah, in extras	17:00
ayoung	dstanek I think we just need an entrypoint	17:00
dstanek	maybe there's no entrypoint since it's in extras	17:00
ayoung	dstanek, http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extras	17:01
ayoung	dstanek, so, as I understand it, enumerating the extras would load the classes, causing failuers for the ones that have external dependencies	17:01
ayoung	does just loading a class via entrypoints enumerate the same way?	17:02
ayoung	I think I can test this...	17:02
*** jsavak has quit IRC		17:02
*** jsavak has joined #openstack-keystone		17:02
dstanek	ayoung: ah, yeah. that's probably it. you can still use it by using the fully qualified path	17:04
*** sheel has quit IRC		17:05
ayoung	dstanek, so we broke everyone using entrypoints this way. I have a meeting now...	17:06
*** tonytan4ever has quit IRC		17:07
*** mvk_ has joined #openstack-keystone		17:11
*** ddieterly[away] is now known as ddieterly		17:13
*** mkrcmari__ has quit IRC		17:15
*** GB21 has joined #openstack-keystone		17:15
*** browne has quit IRC		17:19
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/331166	17:22
*** adrian_otto has quit IRC		17:23
*** nisha__ has quit IRC		17:26
*** nisha__ has joined #openstack-keystone		17:27
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	17:28
*** nisha__ is now known as nisha_		17:34
*** adrian_otto has joined #openstack-keystone		17:35
*** sdake has joined #openstack-keystone		17:40
*** adrian_otto has quit IRC		17:42
*** pauloewerton has quit IRC		17:43
nisha_	samueldmq, did the changes, thanks for suggestions :)	17:44
*** jed56 has quit IRC		17:45
*** GB21 has quit IRC		17:45
*** pauloewerton has joined #openstack-keystone		17:50
samueldmq	nisha_: thx	17:53
openstackgerrit	Sam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz https://review.openstack.org/283905	17:54
*** gyee has quit IRC		17:55
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	17:55
*** manjrem has quit IRC		17:57
*** tonytan4ever has joined #openstack-keystone		17:57
*** ddieterly is now known as ddieterly[away]		18:03
*** harlowja has quit IRC		18:04
*** browne has joined #openstack-keystone		18:08
*** adrian_otto has joined #openstack-keystone		18:09
*** amakarov is now known as amakarov_away		18:10
*** adrian_otto has quit IRC		18:10
*** al_loew has joined #openstack-keystone		18:12
*** mkrcmari__ has joined #openstack-keystone		18:25
*** mvk_ has quit IRC		18:28
*** timcline has quit IRC		18:30
*** timcline has joined #openstack-keystone		18:30
*** timcline has quit IRC		18:35
*** pushkaru has quit IRC		18:36
shewless	Hi team. I think I have found a bug with keystone federation using Shibboleth. I'm running Mitaka and when I restart shibd I always receive a 404 error (Not Found: /v3/auth/OS-FEDERATION/websso/saml2) for the FIRST time I try and "connect" from Horizon. Subsequent attempts all work perfectly, until I restart shibd again.	18:36
shewless	Is anyone around to help me validate that?	18:36
*** jsavak has quit IRC		18:37
shewless	I don't see any errors in keystone.log, I see an access error in apache for "not found", and the shib transaction log logs "nothing" when it's working.. but on the first attempt it logs that it's creating a new session	18:37
*** jsavak has joined #openstack-keystone		18:38
*** simondodsley has joined #openstack-keystone		18:40
shewless	Actually the problem is much worse then that. Every time a new transaction is created in shibboleth this problem occurs. So If I use a new browser the problem occurs or if 10 different users login from their computers they would see "page not found" on the first time through	18:45
shewless	The timestamp for shibd to create the transaction is the exact timestamp that the "not found" error is generated in apache. Is this a "race condition"?	18:47
*** jsavak has quit IRC		18:52
*** jsavak has joined #openstack-keystone		18:53
dstanek	shewless: that happens before you are redirected to the IdP?	18:53
dstanek	if so then it would be a shib bug i think	18:53
shewless	dstanek: I think so. not quite sure	18:55
dstanek	shewless: you won't find keystone logs for requests that are handled by mod_shib	18:55
*** nisha_ has quit IRC		18:56
shewless	dstanek: hmm. thanks. any hints how I would track that down?	18:56
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/331180	18:57
shewless	dstanek: but it times out accessing: /v3/auth/OS-FEDERATION/websso/saml2	18:57
shewless	dstanek: wouldn't that be a keystone thing?	18:57
*** timcline has joined #openstack-keystone		18:58
*** ddieterly[away] has quit IRC		19:03
*** amoralej is now known as amoralej\|off		19:03
*** al_loew has quit IRC		19:09
dstanek	shewless: you probably have that in your apache config as being handled by mod_shib	19:14
dstanek	shewless: is there anything in your apache error logs or the shibboleth logs?	19:15
*** gyee has joined #openstack-keystone		19:17
*** ChanServ sets mode: +v gyee		19:17
*** al_loew has joined #openstack-keystone		19:18
*** ddieterly has joined #openstack-keystone		19:27
*** pushkaru has joined #openstack-keystone		19:31
*** harlowja has joined #openstack-keystone		19:32
*** tonytan4ever has quit IRC		19:39
*** slberger has joined #openstack-keystone		19:44
*** jsavak has quit IRC		19:48
*** samueldmq has quit IRC		19:49
*** pauloewerton has quit IRC		19:49
*** markvoelker has quit IRC		19:55
*** ddieterly is now known as ddieterly[away]		19:57
*** raildo is now known as raildo-afk		19:57
*** ddieterly[away] is now known as ddieterly		20:01
*** slberger has quit IRC		20:03
*** slberger has joined #openstack-keystone		20:06
shewless	dstanek: apache just says that it can't find /v3/auth/OS-FEDERATION/websso/saml2	20:09
*** dan_nguyen has quit IRC		20:09
shewless	dstanek: and shibboleth just says that it's starting a new session (no errors that I can see)	20:09
*** markvoelker has joined #openstack-keystone		20:10
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	20:11
*** edtubill has quit IRC		20:12
*** ddieterly has quit IRC		20:14
shewless	dstanek: sorry I lied. I tried it on a fresh browser and the error happens after the IDP part	20:22
shewless	dstanek: does that mean it's a keystone problem?	20:24
*** mwheckmann has quit IRC		20:30
*** mvk_ has joined #openstack-keystone		20:34
dstanek	shewless: not sure. you said you get a 404 before keystone gets a chance to serve the request right?	20:38
*** mkrcmari__ has quit IRC		20:38
dstanek	is it maybe missing the port?	20:38
shewless	dstanek: I get a 404 error while at the same time shib is creating the session. I don't think there are any keystone logs..	20:39
shewless	dstanek: not sure why it would work every subsequent time if it's a port issue	20:40
dstanek	shewless: are you restart shibd to fix the issue?	20:41
shewless	dstanek: restarting shibd basically creates the issue. so if I restart shibd and then I try and connect I'll always hit the error the first time.. then after that it works fine	20:42
*** pushkaru has quit IRC		20:44
shewless	dstanek: in the "broken" case keystone logs this (and only this): 192.168.216.117 - - [17/Jun/2016:20:42:44 +0000] "GET /v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/ HTTP/1.1" 302 1999 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"	20:44
shewless	dstanek: in the "working" case keystone logs that same line (as far as I can tell) and then a bunch more stuff	20:44
shewless	dstanek: Does the number after the GET matter? In the bad case it's 302 and in the good case it's 200.. GET /v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/ HTTP/1.1" 200 884 "	20:47
dstanek	i think the 302 is trying to redirect you to the IdP and the 200 is after it thinks you have successfully logged in	20:48
dstanek	shewless: when are you getting the 404?	20:49
shewless	dstanek: not sure what you mean	20:51
shewless	dstanek: ran out of time for today. I'd like to catch up with you on Monday if possible. Hav ea good weekend	20:54
*** mkrcmari__ has joined #openstack-keystone		20:54
dstanek	shewless: you too	20:57
*** mvk_ has quit IRC		20:57
*** mvk has joined #openstack-keystone		21:01
*** mkrcmari__ has quit IRC		21:02
notmorgan	stevemar: soooooo many rap battles of history today.	21:06
notmorgan	stevemar: soooooo many...	21:06
henrynash	so I’m a little confused….what is the relationship between keystonemiddleware and keystone/middleware?	21:11
henrynash	the later if to build teh variou server pipeline processes I assume?	21:12
henrynash	and the former is for clients to auth?	21:12
*** daemontool has joined #openstack-keystone		21:12
*** ametts has quit IRC		21:13
notmorgan	henrynash: keystone/middleware is the implementation of basically keystonemiddleware that keystone uses since it can access the db has to validate the token internalylt rather than use a rEST interface to do so	21:13
henrynash	notmorgan: ah	21:13
notmorgan	henrynash: long term there is a desire to split keystonemiddleware.auth_token out into peices that keystone/middleware can consume	21:13
henrynash	notmorgan: right, that would be good	21:14
notmorgan	henrynash: but keystone/middleware just constructs the auth context that is specific to keystone, right now auth_token can't be run in front of keystne bceause it doesn't know how to ask keystone internals how to validate a token	21:14
henrynash	and keystone/tests/unit/test_middleware ends up calling keystonemiddleware….which I found confusing?	21:14
notmorgan	henrynash: jamielennox has been working on that conversion fwiw	21:15
henrynash	(at least I think that’s what is happening)	21:15
*** slberger has quit IRC		21:16
henrynash	notmorgan: thx	21:19
*** edtubill has joined #openstack-keystone		21:19
*** slberger has joined #openstack-keystone		21:20
*** gordc has quit IRC		21:21
*** markvoelker has quit IRC		21:21
*** edtubill has quit IRC		21:22
*** dave-mccowan has quit IRC		21:26
*** dmk0202 has quit IRC		21:33
*** dmk0202 has joined #openstack-keystone		21:34
EmilienM	today I'm sad	21:49
EmilienM	https://bugs.launchpad.net/python-openstackclient/+bug/1593664 is really annoying	21:49
openstack	Launchpad bug 1593664 in python-openstackclient "openstackclient fails with --os-token and --os-url" [Undecided,New] - Assigned to Adam Young (ayoung)	21:49
ayoung	it doesnm't fail;	21:50
EmilienM	is it wrong to run keystone-manage boostrap using admin token ?	21:50
ayoung	it is the deprcatiopn warning	21:50
*** dmk0202 has quit IRC		21:50
ayoung	you should just kill admin_token for this	21:50
EmilienM	ayoung: is it a parsing issue in our ruby provider?	21:50
EmilienM	ayoung: look at https://paste.fedoraproject.org/380739/18780514/ - yea it's seems to fail	21:51
ayoung	ah...no the problem is the OSC	21:52
ayoung	let's see if we can suprress that	21:52
ayoung	EmilienM, you have that machine available?	21:52
EmilienM	no but I can give one to you	21:52
EmilienM	ayoung: let me 10 min	21:53
*** daemontool has quit IRC		21:53
ayoung	export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available, ignore:... "	21:53
ayoung	not sure what to put there	21:53
ayoung	EmilienM, I'm kindof in Family mode at the moment. EMail me the login info and I will get to it later tongiht	21:56
*** edtubill has joined #openstack-keystone		21:56
EmilienM	ayoung: ack	21:56
*** edtubill has quit IRC		21:58
*** slberger has left #openstack-keystone		22:00
*** phalmos has quit IRC		22:01
*** pushkaru has joined #openstack-keystone		22:10
*** henrynash has quit IRC		22:17
*** haneef has joined #openstack-keystone		22:33
*** dan_nguyen has joined #openstack-keystone		22:37
*** sdake has quit IRC		22:38
*** mvk_ has joined #openstack-keystone		22:39
*** sdake has joined #openstack-keystone		22:41
*** mvk has quit IRC		22:42
*** edtubill has joined #openstack-keystone		22:44
*** edtubill has quit IRC		22:51
*** edtubill has joined #openstack-keystone		22:52
*** timcline has quit IRC		22:56
*** timcline has joined #openstack-keystone		22:57
*** edmondsw has quit IRC		22:59
*** timcline has quit IRC		23:01
*** edtubill has quit IRC		23:08
*** markvoelker has joined #openstack-keystone		23:16
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Pass X_IS_ADMIN_PROJECT header from auth_token https://review.openstack.org/331374	23:16
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Pass X_IS_ADMIN_PROJECT header from auth_token https://review.openstack.org/331374	23:21
*** dave-mccowan has joined #openstack-keystone		23:22
*** dave-mccowan has quit IRC		23:26
*** pushkaru has quit IRC		23:37
*** jorge_munoz has quit IRC		23:41
*** gyee has quit IRC		23:46
*** pushkaru has joined #openstack-keystone		23:47
*** raddaoui has quit IRC		23:47
*** al_loew has quit IRC		23:51
*** lamt has quit IRC		23:51

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!