Thursday, 2016-09-22

bknudsonI assume 1 for x-subject-token, 1 for x-auth-token, 1 for validate_token ?00:00
bknudsonshould be able to get rid of the one for validate_token since it's x-subject-token.00:00
jamielennoxi think there is still some overlap now that auth_token middleware is in front of keystone00:00
bknudsondoes auth_token care about x-subject-token ?00:01
jamielennoxi removed most but those auth paths are fraught with danger and i probably left it00:01
jamielennoxyes00:01
jamielennoxi'm not sure what's going on here with common/cache, it's being stored on the context which is stored on TLS00:02
jamielennox?00:02
bknudsonseems like that would be left to keystone, since x-subject-token gets returned so keystone needs the token data.00:02
bknudsonjamielennox: yes, the cache values are stored on the context which is in TLS.00:03
bknudsonnot sure why it's not its own bit of TLS?00:03
jamielennoxthe token data is there after auth_token middleware - we should just move it into the context itself rather than wrappers00:03
bknudsony, that would be handy, then validate_token would just be return context.subject_token00:04
jamielennoxwhy? x-subject-token gets validated which is what auth_token does. it can access the info in the same way as any other service00:04
jamielennoxyep, i want to make request.context actually useful00:04
jamielennoxi had a POC that actually attached a bunch of caching on context but it meant that you needed to have the backends all registered on the context00:05
jamielennoxand the dependency manager thing is not good with that00:05
bknudsoncontext should be able to get all the managers if it wants.00:06
bknudsonthey're essentially globals00:06
dstanekbknudson: yeah, that's terrible00:07
jamielennoxbknudson: i'd be ok with that if it wasn't for the dependency resolver system00:08
*** EinstCrazy has joined #openstack-keystone00:09
*** EinstCrazy has quit IRC00:10
openstackgerritRichard Avelar proposed openstack/keystone: Change python code revocation search to sql  https://review.openstack.org/35937100:17
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143500:24
*** itsuugo has quit IRC00:25
*** tqtran has quit IRC00:27
*** itsuugo has joined #openstack-keystone00:28
*** roxanaghe has quit IRC00:36
*** ddieterly has joined #openstack-keystone00:39
*** itsuugo has quit IRC00:41
*** itsuugo has joined #openstack-keystone00:43
*** markvoelker has joined #openstack-keystone00:45
*** markvoelker has quit IRC00:49
*** itsuugo has quit IRC00:49
openstackgerritMerged openstack/keystone: Revert "Allow compatibility with keystonemiddleware 4.0.0"  https://review.openstack.org/37428400:50
*** itsuugo has joined #openstack-keystone00:52
*** spzala has joined #openstack-keystone00:53
*** spzala has quit IRC00:53
*** spzala has joined #openstack-keystone00:54
openstackgerritSean Perry proposed openstack/keystone: Add domain check in domain-specific role implication  https://review.openstack.org/37446300:56
*** spzala has quit IRC00:58
*** davechen has joined #openstack-keystone01:00
*** esp has quit IRC01:02
*** sdake has quit IRC01:06
*** itsuugo has quit IRC01:07
*** itsuugo has joined #openstack-keystone01:08
stevemarbreton: rodrigods ouch, stable/newton needs the backported patch too: https://review.openstack.org/37444501:09
*** itsuugo has quit IRC01:18
*** itsuugo has joined #openstack-keystone01:19
*** itsuugo has quit IRC01:23
*** itsuugo has joined #openstack-keystone01:25
*** guoshan has joined #openstack-keystone01:26
stevemarwow we went crazy with deprecations in Mitaka eh01:29
stevemarhttps://blueprints.launchpad.net/keystone/+spec/removed-as-of-ocata01:29
stevemarusing oslo.cache and making extensions always enabled really moved a lot of things around01:29
*** EinstCrazy has joined #openstack-keystone01:32
*** r-daneel has quit IRC01:42
*** namnh has joined #openstack-keystone01:42
*** markvoelker has joined #openstack-keystone01:46
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens  https://review.openstack.org/37447901:49
stevemarbreton: oh, i forgot i had a patch that removed PKI, again it was done on a flight and i'm not sure if it's passing tests, want to take it over? ^^^01:49
*** woodster_ has quit IRC01:50
*** markvoelker has quit IRC01:50
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: remove LDAP write support  https://review.openstack.org/37448201:51
stevemarknikolla: found the ldap remove patch ^01:51
knikollastevemar: awesome!01:52
stevemarknikolla: you can try to break it up into smaller patches if it makes things easier01:54
stevemarbut *shrug*01:54
stevemarknikolla: apparently i did a better job of cleaning up the PKI stuff01:55
knikollastevemar: must have been a long flight.01:56
stevemarknikolla: i think toronto to texas? i'm not sure :P01:56
knikollastevemar: next up barcelona!01:57
stevemarknikolla: you coming?02:02
knikollastevemar: yep, i've also got a vbrownbag talk.02:03
stevemarknikolla: nice, what are you gonna talk about?02:03
knikollastevemar: resource federation in a multi-landlord cloud. we've built a proxy which uses k2k to let users access resources from federated clouds.02:04
knikollastevemar: we were planning to make the changes in nova, but in the midcycle they favored the proxy approach.02:05
knikolla(which explains why i missed the keystone midcycle)02:05
stevemarknikolla: ah, i was wondering why :)02:05
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448902:08
*** spzala has joined #openstack-keystone02:08
*** namnh has quit IRC02:08
*** itsuugo has quit IRC02:16
*** itsuugo has joined #openstack-keystone02:16
*** spzala has quit IRC02:18
*** itsuugo has quit IRC02:21
*** ddieterly has quit IRC02:22
*** itsuugo has joined #openstack-keystone02:22
*** itsuugo has quit IRC02:27
*** itsuugo has joined #openstack-keystone02:29
openstackgerritSteve Martinelli proposed openstack/keystone: remove cache backends  https://review.openstack.org/37449602:31
*** itsuugo has quit IRC02:34
openstackgerritSteve Martinelli proposed openstack/keystone: remove memcache token persistence backends  https://review.openstack.org/37449902:34
*** itsuugo has joined #openstack-keystone02:34
openstackgerritSteve Martinelli proposed openstack/keystone: remove httpd/keystone.py  https://review.openstack.org/37450002:36
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450402:39
*** ddieterly has joined #openstack-keystone02:42
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450402:43
*** itsuugo has quit IRC02:44
openstackgerritSteve Martinelli proposed openstack/keystone: remove saml2 auth plugin  https://review.openstack.org/37450802:44
*** itsuugo has joined #openstack-keystone02:45
openstackgerritSteve Martinelli proposed openstack/keystone: remove keystone/service.py  https://review.openstack.org/37450902:46
*** markvoelker has joined #openstack-keystone02:46
*** itsuugo has quit IRC02:50
*** itsuugo has joined #openstack-keystone02:50
*** markvoelker has quit IRC02:51
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448902:52
*** ddieterly has quit IRC02:53
davechenstevemar: wow, you are proposing like patch bot.  :)02:54
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450402:54
stevemardavechen: haha, this is the easy stuff!02:54
stevemardavechen: git rm <file>02:54
davechenstevemar: what's got updated  for this one - https://review.openstack.org/#/c/374489/02:55
openstackgerritSteve Martinelli proposed openstack/keystone: remove memcache token persistence backends  https://review.openstack.org/37449902:56
stevemardavechen: the catalog_sql backend, i am not removing it right now02:57
stevemardavechen: i don't think we deprecated it :(02:57
stevemardavechen: well, it also caused random tests to fail, so i wanted to post my other changes before looking at the failures02:58
stevemardavechen: feel free to remove it in a follow on :P02:58
davechenstevemar: ah, that bit, we are trying to consolidate into catalog long long time ago!02:59
*** itsuugo has quit IRC02:59
davechenstevemar: iirc, there is still a patch to address that.02:59
*** itsuugo has joined #openstack-keystone03:00
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448903:01
stevemardavechen: ^^ pep8 fixes03:01
*** david-lyle has quit IRC03:03
*** itsuugo has quit IRC03:05
*** itsuugo has joined #openstack-keystone03:05
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450403:07
openstackgerritColleen Murphy proposed openstack/keystone: Update, correct, and enhance federation docs  https://review.openstack.org/37121003:07
*** sdake has joined #openstack-keystone03:08
*** itsuugo has quit IRC03:10
*** itsuugo has joined #openstack-keystone03:11
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450403:13
stevemarcrinkle: pumped to read your doc update03:16
*** roxanaghe has joined #openstack-keystone03:19
*** roxanaghe has quit IRC03:22
*** ravelar has quit IRC03:22
crinklestevemar: \o/03:26
*** roxanaghe has joined #openstack-keystone03:26
stevemarcrinkle: i owe you many drinks of your choice in barcelona03:26
*** itsuugo has quit IRC03:27
* crinkle looks up expensive champagnes03:27
stevemarcrinkle: also, if you're interested: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm and https://etherpad.openstack.org/p/keystone-newton-retrospective -- i'm looking for feedback and such03:27
crinklestevemar: i'll take a peek03:27
*** itsuugo has joined #openstack-keystone03:28
*** roxanaghe has quit IRC03:30
stevemarcrinkle: i think https://www.tripadvisor.ca/ShowUserReviews-g187443-d4086816-r219835826-Mercado_Provenzal-Seville_Province_of_Seville_Andalucia.html is better than champagne03:32
stevemar"In Seville, for your 40 cents small beer"03:32
*** itsuugo has quit IRC03:33
*** itsuugo has joined #openstack-keystone03:34
crinklehahaha03:37
*** itsuugo has quit IRC03:43
*** itsuugo has joined #openstack-keystone03:44
*** roxanaghe has joined #openstack-keystone03:45
*** esp has joined #openstack-keystone03:46
*** itsuugo has quit IRC03:49
*** itsuugo has joined #openstack-keystone03:51
*** guoshan has quit IRC03:52
*** adriant has quit IRC03:52
*** itsuugo has quit IRC03:56
*** itsuugo has joined #openstack-keystone03:57
*** roxanaghe has quit IRC04:00
openstackgerritTony Xu proposed openstack/pycadf: Add oslo.i18n to requirements  https://review.openstack.org/37452204:02
*** itsuugo has quit IRC04:04
*** roxanaghe has joined #openstack-keystone04:04
*** nicolasbock has quit IRC04:04
*** roxanaghe has quit IRC04:05
*** roxanaghe has joined #openstack-keystone04:06
*** itsuugo has joined #openstack-keystone04:06
*** gagehugo has quit IRC04:07
openstackgerritTony Xu proposed openstack/pycadf: Add oslo.i18n to requirements  https://review.openstack.org/37452204:09
*** itsuugo has quit IRC04:11
*** tristanC has quit IRC04:11
*** itsuugo has joined #openstack-keystone04:13
*** code-R has joined #openstack-keystone04:13
*** itsuugo has quit IRC04:20
*** vaishali_ has joined #openstack-keystone04:22
*** itsuugo has joined #openstack-keystone04:22
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448904:22
*** roxanaghe has quit IRC04:23
*** itsuugo has quit IRC04:26
*** itsuugo has joined #openstack-keystone04:28
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450404:41
*** itsuugo has quit IRC04:43
*** itsuugo has joined #openstack-keystone04:44
*** code-R has quit IRC04:47
*** itsuugo has quit IRC04:49
*** dikonoor has joined #openstack-keystone04:50
*** itsuugo has joined #openstack-keystone04:51
*** ravelar has joined #openstack-keystone04:52
*** roxanaghe has joined #openstack-keystone04:52
*** dikonoor has quit IRC04:57
*** itsuugo has quit IRC04:59
*** itsuugo has joined #openstack-keystone05:00
*** dikonoor has joined #openstack-keystone05:04
*** jaosorior has joined #openstack-keystone05:07
*** itsuugo has quit IRC05:15
*** itsuugo has joined #openstack-keystone05:15
*** itsuugo has quit IRC05:20
*** itsuugo has joined #openstack-keystone05:21
*** ianw has quit IRC05:23
*** ianw has joined #openstack-keystone05:27
*** itsuugo has quit IRC05:28
*** itsuugo has joined #openstack-keystone05:29
*** roxanaghe has quit IRC05:30
*** itsuugo has quit IRC05:34
bretonmorning, keystone05:34
*** itsuugo has joined #openstack-keystone05:36
*** esp has quit IRC05:37
openstackgerritTony Xu proposed openstack/oslo.policy: Remove oslo.utils from requirements  https://review.openstack.org/37453905:38
*** richm has quit IRC05:40
*** itsuugo has quit IRC05:43
*** itsuugo has joined #openstack-keystone05:45
*** dikonoor has quit IRC05:49
bretonstevemar: pki patch is good, just some imports left05:50
*** tonytan_brb has quit IRC05:56
*** itsuugo has quit IRC05:56
*** itsuugo has joined #openstack-keystone05:57
openstackgerritTony Xu proposed openstack/oslo.policy: Remove oslo.utils from requirements  https://review.openstack.org/37453905:58
*** guoshan has joined #openstack-keystone06:00
*** rcernin has joined #openstack-keystone06:07
*** itsuugo has quit IRC06:10
*** dikonoor has joined #openstack-keystone06:10
*** itsuugo has joined #openstack-keystone06:11
*** itsuugo has quit IRC06:16
*** itsuugo has joined #openstack-keystone06:18
*** vaishali_ has quit IRC06:26
openstackgerritRoman Bogorodskiy proposed openstack/python-keystoneclient: Fix non-ascii attributes  https://review.openstack.org/37455206:29
*** vaishali_ has joined #openstack-keystone06:38
*** roxanaghe has joined #openstack-keystone06:40
*** AlexeyAbashkin has quit IRC06:44
*** roxanaghe has quit IRC06:44
*** AlexeyAbashkin has joined #openstack-keystone06:46
openstackgerritMerged openstack/keystone: Tweak status code in api-ref doc for v3 users  https://review.openstack.org/36776706:49
*** vaishali_ has quit IRC06:57
openstackgerritQiming Teng proposed openstack/keystone: Reorder APIs in api-ref doc for v3 users  https://review.openstack.org/37366007:04
*** vaishali_ has joined #openstack-keystone07:09
*** asettle has joined #openstack-keystone07:09
openstackgerritQiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups status codes  https://review.openstack.org/36779307:11
*** asettle has quit IRC07:14
openstackgerritQiming Teng proposed openstack/keystone: Reorder APIs in api-ref for v3 groups  https://review.openstack.org/37457707:16
*** amoralej|off is now known as amoralej07:28
*** sdake has quit IRC07:30
*** jpena|off is now known as jpena07:34
*** marekd2 has joined #openstack-keystone07:35
*** roxanaghe has joined #openstack-keystone07:41
*** sto has left #openstack-keystone07:41
*** marekd2 has quit IRC07:41
*** roxanaghe has quit IRC07:45
*** acoles_ is now known as acoles07:46
*** ravelar has quit IRC07:53
*** tonytan4ever has joined #openstack-keystone07:57
*** namnh has joined #openstack-keystone07:57
*** code-R has joined #openstack-keystone07:58
*** zzzeek has quit IRC08:00
openstackgerritgengchc2 proposed openstack/keystone: Replace assertEqual(None, *) with assertIsNone in tests  https://review.openstack.org/37459808:00
*** zzzeek has joined #openstack-keystone08:00
*** tonytan4ever has quit IRC08:02
*** jamielennox is now known as jamielennox|away08:09
*** itsuugo has quit IRC08:13
*** itsuugo has joined #openstack-keystone08:14
*** rakhmerov has quit IRC08:17
*** rakhmerov has joined #openstack-keystone08:17
*** namnh_ has joined #openstack-keystone08:25
*** code-R has quit IRC08:25
*** namnh has quit IRC08:25
*** namnh_ has quit IRC08:26
*** namnh has joined #openstack-keystone08:26
*** itsuugo has quit IRC08:35
*** itsuugo has joined #openstack-keystone08:36
*** asettle has joined #openstack-keystone08:40
*** itsuugo has quit IRC08:43
*** itsuugo has joined #openstack-keystone08:44
*** itsuugo has quit IRC08:51
*** itsuugo has joined #openstack-keystone08:52
*** itsuugo has quit IRC08:57
*** itsuugo has joined #openstack-keystone08:58
openstackgerritChangBo Guo(gcb) proposed openstack/oslo.policy: Doc: declare YAML/JSON support  https://review.openstack.org/37463209:16
*** jamielennox|away is now known as jamielennox09:18
*** itsuugo has quit IRC09:18
*** itsuugo has joined #openstack-keystone09:20
*** ig0r_ has joined #openstack-keystone09:25
*** itsuugo has quit IRC09:25
*** asettle has quit IRC09:26
*** itsuugo has joined #openstack-keystone09:26
*** asettle has joined #openstack-keystone09:27
*** asettle has quit IRC09:28
*** asettle has joined #openstack-keystone09:28
*** itsuugo has quit IRC09:31
*** itsuugo has joined #openstack-keystone09:32
*** mvk has quit IRC09:35
*** itsuugo has quit IRC09:40
*** code-R has joined #openstack-keystone09:41
*** itsuugo has joined #openstack-keystone09:42
*** code-R_ has joined #openstack-keystone09:43
*** code-R has quit IRC09:47
*** itsuugo has quit IRC09:47
*** vaishali_ has quit IRC09:47
*** itsuugo has joined #openstack-keystone09:48
*** markvoelker has joined #openstack-keystone09:52
*** itsuugo has quit IRC09:55
*** markvoelker has quit IRC09:56
*** marekd2 has joined #openstack-keystone09:56
*** itsuugo has joined #openstack-keystone09:57
*** tonytan4ever has joined #openstack-keystone09:58
*** tonytan4ever has quit IRC10:02
*** EinstCrazy has quit IRC10:05
*** EinstCrazy has joined #openstack-keystone10:05
*** EinstCrazy has quit IRC10:05
*** mvk has joined #openstack-keystone10:06
*** EinstCrazy has joined #openstack-keystone10:06
*** asettle has quit IRC10:07
*** itsuugo has quit IRC10:09
*** EinstCrazy has quit IRC10:11
*** itsuugo has joined #openstack-keystone10:11
*** richm has joined #openstack-keystone10:11
*** asettle has joined #openstack-keystone10:13
*** marekd2 has quit IRC10:19
*** itsuugo has quit IRC10:19
*** itsuugo has joined #openstack-keystone10:21
*** davechen has left #openstack-keystone10:23
*** vaishali_ has joined #openstack-keystone10:25
*** asettle has quit IRC10:26
*** asettle has joined #openstack-keystone10:27
*** bjolo has joined #openstack-keystone10:27
*** itsuugo has quit IRC10:31
*** itsuugo has joined #openstack-keystone10:33
*** nicolasbock has joined #openstack-keystone10:35
*** guoshan has quit IRC10:36
*** ddieterly has joined #openstack-keystone10:42
*** itsuugo has quit IRC10:43
*** itsuugo has joined #openstack-keystone10:43
*** asettle has quit IRC10:48
*** asettle has joined #openstack-keystone10:48
*** asettle has quit IRC10:48
*** itsuugo has quit IRC10:48
*** asettle has joined #openstack-keystone10:49
*** itsuugo has joined #openstack-keystone10:49
*** markvoelker has joined #openstack-keystone10:53
*** itsuugo has quit IRC10:54
*** itsuugo has joined #openstack-keystone10:55
*** markvoelker has quit IRC10:57
*** itsuugo has quit IRC11:00
*** marekd2 has joined #openstack-keystone11:00
*** itsuugo has joined #openstack-keystone11:00
*** marekd2 has quit IRC11:01
*** marekd2 has joined #openstack-keystone11:01
*** marekd2 has quit IRC11:03
*** marekd2 has joined #openstack-keystone11:03
*** GB21 has joined #openstack-keystone11:05
*** hoonetorg has joined #openstack-keystone11:06
*** dikonoor has quit IRC11:10
*** marekd2 has quit IRC11:10
*** guoshan has joined #openstack-keystone11:19
*** jistr is now known as jistr|mtg11:20
*** dikonoor has joined #openstack-keystone11:21
*** code-R_ has quit IRC11:35
*** itsuugo has quit IRC11:36
*** code-R has joined #openstack-keystone11:36
*** itsuugo has joined #openstack-keystone11:38
*** ddieterly has quit IRC11:38
*** guoshan has quit IRC11:41
*** guoshan has joined #openstack-keystone11:41
*** itsuugo has quit IRC11:43
bretonstevemar: do we need revocation lists API if PKI is removed?11:44
*** itsuugo has joined #openstack-keystone11:44
*** guoshan has quit IRC11:46
*** dikonoor has quit IRC11:46
*** markvoelker has joined #openstack-keystone11:50
*** jpena is now known as jpena|lunch11:53
*** asettle has quit IRC11:53
*** itsuugo has quit IRC11:54
*** zigo has quit IRC11:54
*** itsuugo has joined #openstack-keystone11:56
*** code-R has quit IRC11:56
*** code-R_ has joined #openstack-keystone11:56
*** srobert has joined #openstack-keystone11:57
*** gordc has joined #openstack-keystone11:58
*** gordc has quit IRC11:58
bretoni think that we can remove it11:58
*** zigo has joined #openstack-keystone11:58
bretonbut ceph is known for calling it from time to time11:58
*** zigo is now known as Guest8360111:59
*** guoshan has joined #openstack-keystone11:59
*** edmondsw has joined #openstack-keystone12:02
*** itsuugo has quit IRC12:02
*** dikonoor has joined #openstack-keystone12:03
*** namnh has quit IRC12:03
*** Guest83601 has quit IRC12:03
*** itsuugo has joined #openstack-keystone12:04
*** porunov has joined #openstack-keystone12:08
porunovHello! Does somebody know how to use policy.json? I want to use it for keystone and swift. But I don't know where to find those files and how to run swift or keystone with a special policy.json file.12:08
*** jdennis has joined #openstack-keystone12:09
*** guoshan has quit IRC12:09
*** nk2527 has quit IRC12:10
*** guoshan has joined #openstack-keystone12:10
*** amoralej is now known as amoralej|lunch12:10
*** zigo_ has joined #openstack-keystone12:12
*** guoshan_ has joined #openstack-keystone12:14
*** guoshan has quit IRC12:14
*** itsuugo has quit IRC12:16
*** zigo_ has quit IRC12:17
*** itsuugo has joined #openstack-keystone12:17
*** zigo_ has joined #openstack-keystone12:18
*** pauloewerton has joined #openstack-keystone12:21
*** itsuugo has quit IRC12:22
*** rodrigods has quit IRC12:24
*** rodrigods has joined #openstack-keystone12:24
*** itsuugo has joined #openstack-keystone12:24
*** ddieterly has joined #openstack-keystone12:30
*** asettle has joined #openstack-keystone12:31
*** itsuugo has quit IRC12:35
*** jistr|mtg is now known as jistr12:36
*** itsuugo has joined #openstack-keystone12:36
*** guoshan_ has quit IRC12:38
*** srobert has quit IRC12:38
*** guoshan has joined #openstack-keystone12:39
*** roxanaghe has joined #openstack-keystone12:39
*** ddieterly has quit IRC12:40
*** roxanaghe has quit IRC12:43
*** itsuugo has quit IRC12:45
*** guoshan has quit IRC12:46
*** vaishali_ has quit IRC12:46
*** guoshan has joined #openstack-keystone12:46
*** vaishali_ has joined #openstack-keystone12:46
*** itsuugo has joined #openstack-keystone12:47
*** guoshan has quit IRC12:47
*** zigo_ has quit IRC12:48
*** zigo_ has joined #openstack-keystone12:51
*** david-lyle has joined #openstack-keystone12:57
bretonporunov: they are usually in /etc/{component}/policy.json12:58
bretonporunov: for example in /etc/keystone/policy.json12:58
bretonporunov: samples are also in our repo, in etc/ directory12:59
bretonporunov: there are 2 samples -- policy.json and policyv3cloudsample.json12:59
*** tonytan4ever has joined #openstack-keystone12:59
*** jpena|lunch is now known as jpena13:00
*** tonytan4ever has quit IRC13:05
*** itsuugo has quit IRC13:06
*** itsuugo has joined #openstack-keystone13:08
*** GB21 has quit IRC13:09
*** GB21 has joined #openstack-keystone13:10
*** jaosorior has quit IRC13:12
*** jaosorior has joined #openstack-keystone13:13
*** vaishali_ has quit IRC13:13
*** GB21 has quit IRC13:16
*** code-R has joined #openstack-keystone13:16
*** jpena has left #openstack-keystone13:17
*** guoshan has joined #openstack-keystone13:18
bknudsonbreton: we can't remove any APIs without going to a new version of the identity API13:19
*** woodster_ has joined #openstack-keystone13:20
*** code-R_ has quit IRC13:20
bknudsonI mean a major version ( v4 )13:20
bknudsonit's only PKI tokens that are being removed as far as I know.13:21
*** spzala has joined #openstack-keystone13:27
*** itsuugo has quit IRC13:27
*** itsuugo has joined #openstack-keystone13:29
*** ayoung has quit IRC13:30
*** itsuugo has quit IRC13:34
*** lamt has joined #openstack-keystone13:35
*** itsuugo has joined #openstack-keystone13:36
bretonbknudson: ok. So revocation lists can return just an empty list on each request if PKI are removed?13:39
bknudsonbreton: if you're using uuid then there's a revocation list.13:41
*** asettle has quit IRC13:42
bknudsonisn't there?13:42
*** asettle has joined #openstack-keystone13:47
*** code-R has quit IRC13:48
*** code-R has joined #openstack-keystone13:48
*** spedione|AWAY is now known as spedione13:52
*** srobert has joined #openstack-keystone13:52
*** ngupta has joined #openstack-keystone13:58
*** woodburn has joined #openstack-keystone14:00
*** tonytan4ever has joined #openstack-keystone14:00
*** r-daneel has joined #openstack-keystone14:01
*** tonytan4ever has quit IRC14:05
*** ddieterly has joined #openstack-keystone14:05
*** sdake has joined #openstack-keystone14:06
*** tonytan4ever has joined #openstack-keystone14:18
*** daemontool has joined #openstack-keystone14:22
*** roxanaghe has joined #openstack-keystone14:25
dstanekwhen does master open back up for O?14:25
*** zzzeek has quit IRC14:27
bknudsondstanek: it's open!14:29
bknudsonit's open when there's a stable/newton14:29
*** roxanaghe has quit IRC14:29
*** jaosorior has quit IRC14:29
*** zzzeek has joined #openstack-keystone14:31
dstanekbknudson: yay!14:31
bknudsongo to town14:32
*** amoralej|lunch is now known as amoralej14:33
*** edtubill has joined #openstack-keystone14:43
*** dikonoor has quit IRC14:45
*** ayoung has joined #openstack-keystone14:49
*** ChanServ sets mode: +v ayoung14:49
*** catintheroof has joined #openstack-keystone14:50
*** mfisch has joined #openstack-keystone14:51
*** esp has joined #openstack-keystone14:51
*** guoshan has quit IRC14:51
*** mfisch has quit IRC14:51
*** mfisch has joined #openstack-keystone14:51
*** daemontool has quit IRC14:54
*** daemontool has joined #openstack-keystone14:55
*** nkinder has joined #openstack-keystone14:59
*** ravelar has joined #openstack-keystone15:00
*** rcernin has quit IRC15:07
*** arahal_ has joined #openstack-keystone15:09
*** nkinder has quit IRC15:09
*** wajdi has joined #openstack-keystone15:13
*** r-daneel has quit IRC15:13
*** EinstCrazy has joined #openstack-keystone15:13
wajdihello15:13
*** zigo_ is now known as zigo15:14
samueldmqhi keystone15:15
dstanekhi samueldmq15:15
samueldmqdstanek: o/15:15
*** slberger has joined #openstack-keystone15:16
amakarovhi all! I found a question in openstack questionary: https://ask.openstack.org/en/question/69026/websso-with-keystone-idp/15:16
amakarovand actually ran into the same issue15:16
amakarovWho was able to set up working federation recently?15:16
amakarovI've set it up in kilo, and now I can't do that in mitaka15:17
*** lamt has quit IRC15:18
dstanekamakarov: not recently, but i'm pretty sure i've used mitaka and test-shib15:18
amakarovdstanek, can you please provide a link to the scenario?15:19
dstanekamakarov: ?15:20
*** nkinder has joined #openstack-keystone15:20
amakarovdstanek, for example: https://bigjools.wordpress.com/2015/05/22/saml-federation-with-openstack/15:21
wajdiI've been playing around with trusts, and I'm having difficulty with the following scenario. As an admin, I want to provide a trust from userA to userB. I am unable to accomplish this. Is this an expected behaviour? I was able to successfully apply a trust if my client was logged in as the trustor. I'm wondering if there is something obvious I am missing to allow my flow to work, or if this is as designed behaviour?15:21
dstanekamakarov: oh, i don't have a blog post about it. let me see if my ansible stuff still works to create this15:21
amakarovwajdi, yes - admin can do that15:21
dstanekamakarov: what idp are you using?15:21
amakarovdstanek, keystone in another cloud15:22
amakarovdstanek, can you access this bug? https://bugs.launchpad.net/mos/+bug/162647115:22
openstackLaunchpad bug 1626471 in Mirantis OpenStack "Shibboleth doesn't recognize keystone IdP metadata" [Undecided,New] - Assigned to MOS Keystone (mos-keystone)15:22
dstanekamakarov: does your metadata look correct?15:22
amakarovdstanek, it looks correct for me, though shibboleth disagrees15:23
dstanekamakarov: what is MOS?15:23
wajdiamakarov: thanks for the response. So, I must be clearly missing something that is not allowing me to do this. I keep getting a Forbidden when trying to create the trust as admin. Is there anywhere you can point me in the right direction to ensure that I have covered the proper configuration to allow this behaviour to work?15:23
amakarovdstanek, Mirantis OpenStack - consider it a clone :)15:23
dstanekah, ok15:24
*** nk2527 has joined #openstack-keystone15:25
*** gagehugo has joined #openstack-keystone15:25
*** EinstCrazy has quit IRC15:26
*** slberger has quit IRC15:26
dstanekamakarov: ok, i'm going to try to setup k2k using my own scripts and see what happens15:27
dstaneki haven't run them for quite a while so i hope they still work15:27
amakarovdstanek, thank you, our first-class citizen fate is in your hands!15:28
*** slberger has joined #openstack-keystone15:29
dstanekamakarov: lol, ok.15:29
stevemardstanek: amakarov if you're looking for k2k setup... crinkle just went through it and updated the docs https://review.openstack.org/#/c/371210/15:29
dstanekamakarov: i'm going to use ubuntu 15.10 and mitaka15:29
dstanekstevemar: nice, i'll use that as a resource if my roles don't work15:30
amakarovwajdi, I have a silly question: have you enabled trusts in config? (just in case)15:30
dstanekstevemar: crinkle: as a side effect i'll be in the right frame of mind for that review15:31
dstanekamakarov: or not...it looks like Rackspace doesn't have a 15.04 image anymore so i'm going to use 16.0415:32
amakarovdstanek, I assume it's irrelevant :)15:33
bretonstevemar: i worked on your patch to remove PKI. The big issue is token revocation lists. We have an API that returns it. The API signs the list with same keys as PKI tokens.15:33
wajdi@amakarov That is definitely not a silly question. Jumping in to Keystone for the first time, it is entirely possible something was missed. I *assumed* it would work because the call worked when not an admin. Let me validate.15:33
bretonstevemar: i see 2 options here. The first is to leave signing part in keystone completely. The second is to create a hardcoded null key15:34
dstanekbreton: can we keep that while just removing the tokens?15:34
bretondstanek: yep, message above15:35
dstanekthat's what i would do to limit breaking folks using that api15:35
wajdi@amakarov So under [trust], enabled = true15:36
*** ntpttr has quit IRC15:36
amakarovwajdi, well, let me take a closer look into the code15:37
wajdiamakarov: Sure! Thank you for taking a look. Really appreciate it.15:37
*** ravelar has quit IRC15:38
stevemarbreton: yes, you are right, i remember that part now when i was working on it15:39
stevemarbreton: so lets see...15:39
amakarovwajdi, sorry, I was mistaken: https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L12615:39
stevemarbreton: give me a minute to look at the patch, i just rebased it and pushed15:39
amakarovwajdi, there is a strict requirement for trust creator to be the trustor15:39
wajdiamakarov: Ah! Excellent. I have the full picture now. This lets me make a more confident design choice now for my solution.15:40
amakarovwajdi, btw you can set debug=true in config to see verbose responses15:40
wajdiamakarov: Yes. Will definitely need to be more diligent with analyzing my errors. Probably would have caught that one if debug was True.15:41
bretonstevemar: you want to do it yourself? I planned to push it soon-ish today15:42
stevemarbreton: oh go ahead15:42
stevemarbreton: i like never have time to do actual code15:42
stevemarbreton: thats why i do the removal patches lol15:42
wajdiamakarov: Thank you for your time!15:43
*** arahal_ has quit IRC15:46
*** ravelar has joined #openstack-keystone15:47
*** ddieterly is now known as ddieterly[away]15:50
*** ddieterly[away] is now known as ddieterly15:53
*** esp has quit IRC15:54
*** itsuugo has quit IRC15:55
*** itsuugo has joined #openstack-keystone15:57
*** ngupta has quit IRC15:58
*** ngupta has joined #openstack-keystone15:59
*** ngupta has quit IRC16:00
*** ngupta has joined #openstack-keystone16:00
*** code-R has quit IRC16:01
*** arahal_ has joined #openstack-keystone16:01
*** gyee has joined #openstack-keystone16:04
*** ddieterly is now known as ddieterly[away]16:05
*** ddieterly[away] is now known as ddieterly16:05
*** ddieterly is now known as ddieterly[away]16:06
*** ravelar has quit IRC16:13
*** itsuugo has quit IRC16:18
*** itsuugo has joined #openstack-keystone16:20
*** rcernin has joined #openstack-keystone16:20
*** code-R has joined #openstack-keystone16:24
*** code-R has quit IRC16:26
*** code-R has joined #openstack-keystone16:26
*** spedione is now known as spedione|AWAY16:28
*** ddieterly[away] is now known as ddieterly16:31
*** edtubill has quit IRC16:39
*** zigo has quit IRC16:41
*** mvk has quit IRC16:41
*** asettle has quit IRC16:41
*** asettle has joined #openstack-keystone16:42
openstackgerritMerged openstack/keystone: remove saml2 auth plugin  https://review.openstack.org/37450816:42
openstackgerritMerged openstack/oslo.policy: Remove oslo.utils from requirements  https://review.openstack.org/37453916:43
*** asettle has quit IRC16:46
*** code-R has quit IRC16:47
*** esp has joined #openstack-keystone16:47
*** ravelar has joined #openstack-keystone16:49
*** zigo has joined #openstack-keystone16:51
*** zigo is now known as Guest1865616:52
*** Guest18656 has quit IRC16:56
*** zigo_ has joined #openstack-keystone16:59
*** browne has joined #openstack-keystone17:01
*** ravelar has quit IRC17:02
*** GB21 has joined #openstack-keystone17:04
amakarovdstanek, keystone generated metadata is attached to the bug 162647117:05
openstackbug 1626471 in Mirantis OpenStack "Shibboleth doesn't recognize keystone IdP metadata" [Undecided,New] https://launchpad.net/bugs/1626471 - Assigned to MOS Keystone (mos-keystone)17:05
*** roxanaghe has joined #openstack-keystone17:06
dstanekamakarov: thx17:07
*** zigo_ has quit IRC17:07
*** artmr has joined #openstack-keystone17:08
*** zigo_ has joined #openstack-keystone17:11
openstackgerritMerged openstack/keystone: remove httpd/keystone.py  https://review.openstack.org/37450017:18
*** ravelar has joined #openstack-keystone17:22
*** code-R has joined #openstack-keystone17:28
*** spedione|AWAY is now known as spedione17:29
*** acoles is now known as acoles_17:29
*** roxanaghe_ has joined #openstack-keystone17:33
*** edtubill has joined #openstack-keystone17:34
*** roxanaghe__ has joined #openstack-keystone17:34
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support  https://review.openstack.org/37448217:37
*** roxanaghe has quit IRC17:37
*** shaleh has quit IRC17:37
*** spedione is now known as spedione|AWAY17:38
*** roxanaghe_ has quit IRC17:39
*** amoralej is now known as amoralej|off17:43
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support  https://review.openstack.org/37448217:43
*** lamt has joined #openstack-keystone17:44
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: test revocation search to sql  https://review.openstack.org/37499917:48
rodrigodsstevemar, ravelar ^ creative way to test https://review.openstack.org/#/c/359371/17:48
*** jdennis has quit IRC17:51
*** roxanaghe_ has joined #openstack-keystone17:56
*** itsuugo has quit IRC17:57
*** itsuugo has joined #openstack-keystone17:58
ravelarrodrigods nice!17:58
*** tqtran has joined #openstack-keystone17:59
*** roxanaghe__ has quit IRC17:59
*** code-R_ has joined #openstack-keystone18:03
*** gyee has quit IRC18:04
*** code-R has quit IRC18:06
*** jdennis has joined #openstack-keystone18:07
*** ngupta_ has joined #openstack-keystone18:09
*** ig0r_ has quit IRC18:09
*** jdennis has quit IRC18:11
*** ngupta has quit IRC18:12
*** ddieterly is now known as ddieterly[away]18:14
*** jdennis has joined #openstack-keystone18:20
*** ngupta_ has quit IRC18:20
*** ngupta has joined #openstack-keystone18:20
*** spedione|AWAY is now known as spedione18:21
*** GB21 has quit IRC18:22
*** ngupta_ has joined #openstack-keystone18:22
*** ayoung has quit IRC18:25
*** ngupta_ has quit IRC18:25
*** ngupta_ has joined #openstack-keystone18:26
*** arunkant__ has joined #openstack-keystone18:26
*** ngupta has quit IRC18:26
*** code-R_ has quit IRC18:29
*** code-R has joined #openstack-keystone18:30
*** ngupta_ has quit IRC18:30
*** jdennis has quit IRC18:34
*** ddieterly[away] is now known as ddieterly18:44
bknudsonrodrigods: we need something repeatable on every commit not a one-off.18:45
bknudsonif there's a concern that the revocation sql change isn't tested adequately then improve the tests in keystone18:46
openstackgerritBoris Bobrov proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens  https://review.openstack.org/37447918:48
bknudsonthere's actually 3 calls to list_events when a token is validated:18:50
bknudson1) validate the x-auth-token18:50
bknudson2) in @protected decorator!18:50
bknudson3) in validate_token18:50
bknudsonboth 2 and 3 validate the subject token18:50
bknudsonso those 2 should be combined.18:51
bknudsonwe can cut down on an entire token validation and call to list_events.18:51
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support  https://review.openstack.org/37448218:51
*** ngupta has joined #openstack-keystone18:53
*** porunov has quit IRC18:53
*** arahal_ has quit IRC18:58
bknudsonjamielennox: here's where the extra validate_token of the subject token comes from : http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n136 -- it's not in auth_token.19:02
*** itsuugo has quit IRC19:04
*** itsuugo has joined #openstack-keystone19:04
*** jdennis has joined #openstack-keystone19:09
*** ddieterly is now known as ddieterly[away]19:10
*** daemontool has quit IRC19:12
lbragstadi'm working on implementing mvc for the token API - and what I have so far kind of confuses me19:12
lbragstadcc jamielennox dstanek ^19:12
bknudsoncan't imagine anyone finding token processing confusing.19:13
lbragstadbknudson I was on a roll yesterday - but now i'm lost19:13
*** daemontool has joined #openstack-keystone19:13
dstaneklbragstad: what's wrong?19:14
lbragstadso far - i've collapsed all the token provider validate token methods into a single self.token_provider_api.validate_token(token_id) method19:14
lbragstaddstanek everything19:14
lbragstad:)19:14
*** ayoung has joined #openstack-keystone19:14
*** ChanServ sets mode: +v ayoung19:14
*** ayoung has quit IRC19:14
lbragstadso I made token_provider_api.validate_token(token_id) accept a token ID, it looks it up, takes out the important values, and then passes it to the token model19:15
lbragstadwhich is in keystone/models/token_model.py:KeystoneToken19:15
lbragstadmakes sense right?19:15
lbragstadso instead of having validate_v2_token, validate_v3_token, validate_token, validate_non_persistent_token, and _validate_token in the keystone.token.provider.py we have two methods - a validate_token and _validate_token (for caching purposes)19:16
lbragstadand that will return a KeystoneToken model19:16
lbragstadwhich goes back to the controller - which instantiates a View to translate it into the proper request19:16
lbragstadbut my spider senses are going off because the V2 token view and the V3 token view have a lot of duplicate logic19:17
*** itsuugo has quit IRC19:18
lbragstadfor example - we should probably consider a token to be invalid if the token_model.user_id (or the user of the token) is disabled19:18
lbragstadso should that check just live in the token provider?19:18
bknudsonwhy do we need validate_token and _validate_token?19:18
lbragstadbknudson caching purposes?19:18
*** daemontool_ has joined #openstack-keystone19:18
*** daemontool has quit IRC19:19
lbragstadthe whole cache on issue stuff apparently expects a private method to be there...19:19
dstaneklbragstad: refactor in smaller steps to make it easier? are you making small commits that you can share?19:19
bknudsonthat's only if there's an optional parameter since the wrapper doesn't support optional parameters.19:19
lbragstaddstanek not really :( because everything is so tightly coupled with the token api19:19
lbragstadif you change a little thing here you'll have to change a bunch of stuff over there kind of stuff19:19
lbragstadI was having a really hard time trying to figure out how to break it apart - so I just said screw it and started hammering out a bunch of changes just to prove that it works19:20
*** itsuugo has joined #openstack-keystone19:20
lbragstadI was going to push a monolithic patch to review as WIP and hope I could get some help figuring out how to break it apart19:21
lbragstadbut I ended up getting stumped on where the token validation lives when each token version has some specific validation cases they validate for19:22
bknudsonv2 apparently has a "belongs-to" feature19:22
lbragstadbknudson yep19:22
lbragstadthat's a v2ism19:22
lbragstadbut it now lives in the token provider19:22
lbragstadwhich doesn't make any sense because it should really only need to be used in the keystone.token.controller (v2 token controller)19:23
dstaneklbragstad: can you share what you've done?19:24
*** daemontool_ has quit IRC19:24
*** daemontool_ has joined #openstack-keystone19:25
dstaneklbragstad: another approach may be to stash what you did, try some simple refactoring to simplify the code more and then try again19:25
openstackgerritLance Bragstad proposed openstack/keystone: WIP: Reorganize the entire token provider api  https://review.openstack.org/37506919:26
lbragstaddstanek ^ that's what I have so far19:26
lbragstaddon't judge me - it's gross19:26
dstaneklol19:27
lbragstadone of the tricky things that i'm struggling with is that I think the token provider should just return a token model when it validates a token19:28
lbragstadbut that means we're going to have to push some token validation logic into the views for both v2 and v319:28
dstaneklbragstad: the keystone.auth.plugins change looks to be independent of views. could that be a separate commit?19:30
*** bjolo has quit IRC19:30
*** zigo_ is now known as zigo19:30
dstanekalso the token_model changes appear separate too19:30
lbragstaddstanek also - we have a ton of really complicated logic here - https://github.com/openstack/keystone/blob/c024505b55021057114da8affd5262a8e61ce1d2/keystone/token/providers/common.py#L431-L52119:30
lbragstaddstanek should the token model just have a .role_ids() property that returns a list of role_ids regardless of it being domain_scoped, project_scoped, oauth_scoped, or trust_scoped?19:31
lbragstaddstanek the weird thing is that the KeystoneToken model relies on a properly formatted auth_response (which seems backwards)19:33
lbragstadtoken_model.KeystoneToken(token_id=token_id, token_data=self.token_provider_api.validate_token(token_id))19:33
lbragstad^ that's how we currently use it19:33
*** itsuugo has quit IRC19:35
dstaneklbragstad: just taking a brief look i'm not sure about the property because you couldn't replace that method with it19:35
dstanekyou'd still need all that conditional logic based on function params somewhere19:36
*** itsuugo has joined #openstack-keystone19:37
lbragstaddstanek what do you mean?19:37
dstaneklbragstad: but if you did want to just move the method because you think that logic fits better in the model then i say create a separate command and make sure that you are very specific about why that logic should be moved in the commit message19:37
lbragstadah19:37
ravelarbknudson: I have a question about the unit test comment for https://review.openstack.org/#/c/359371/19:37
ravelarbknudson: so far there is pretty good test coverage in test_revoke, test_auth, test_v3_auth, and test_v3_os_revoke. I was curious as to what you were looking for specifically?19:37
lbragstaddstanek you mean the _populate_roles method?19:38
*** ddieterly[away] is now known as ddieterly19:38
dstaneklbragstad: yes19:38
lbragstadso that is supposed to put the roles in the token ref19:38
lbragstadbut it's supposed to do that for project_scoped, domain_scoped, trust_scoped, oauth_scoped19:39
bknudsonravelar: there should be tests that call the sql backend is_revoked directly to show that it works as expected so that if it doesn't work we don't have to dig through a bunch of code.19:39
*** ddieterly has quit IRC19:39
lbragstaddstanek so instead of having the v2 view and v3 view implementing _populate_roles - would it make more sense to implement in the model?19:40
lbragstadyou could then just ask the model for a list of role ids it has19:41
*** spzala has quit IRC19:41
*** woodburn has quit IRC19:41
*** woodburn has joined #openstack-keystone19:42
*** spzala has joined #openstack-keystone19:42
dstaneklbragstad: probably. is there any difference between the two implementations?19:42
lbragstaddstanek not really?19:42
lbragstadoutside of how the token format looks19:43
*** itsuugo has quit IRC19:43
lbragstadi think each just provides a list of {'id': role['id'], 'name': role['name']} for every role assignment19:43
dstaneklbragstad: i'm not sure how i feel about the model needing the manager too19:44
lbragstaddstanek me either19:44
*** itsuugo has joined #openstack-keystone19:45
lbragstaddstanek I feel like tons of crap in the token provider needs a BUNCH of managers everywhere19:45
*** spzala_ has joined #openstack-keystone19:45
dstanekfeels like things will get complicated manager uses models that use managers. right now it's easy to see our circular dependencies, but with that they would be lost19:45
lbragstadcan't we isolate all the manage dependencies somewhere?19:45
lbragstadthe way i see it - where ever the manager dependencies are that's where we are going to have to do the validation19:46
lbragstadbecause that's the whole reason behind building the token on every validate call19:46
*** spzala has quit IRC19:46
dstanekis there any reason why you don't start by refactoring v2 and v3 implementations into the manager layer somewhere?19:47
lbragstadwe use the managers to make sure the user has roles on the project, domain, etc...19:47
lbragstaddstanek how do you mean?19:47
dstaneklbragstad: have one _populate_roles that both v2 and v3 uses19:48
lbragstaddstanek well - we kind of have that already19:49
lbragstaddstanek https://review.openstack.org/#/c/372655/19:49
*** spzala_ has quit IRC19:49
lbragstaddstanek see line 794 here https://review.openstack.org/#/c/372655/3/keystone/token/providers/common.py19:50
dstaneklbragstad: i think that's as far as i'd go with that part.19:50
lbragstadwhen we validate v2 tokens, we take all the token values from a v2 auth response and pass them to the v3 get_token_data method, which returns a v3 response19:50
lbragstadthen we convert the v3 response to a v2 response19:51
*** ayoung has joined #openstack-keystone19:51
*** ChanServ sets mode: +v ayoung19:51
*** ngupta has quit IRC19:51
dstanekmoving manager dependencies into the model starts to fundamentally change how i see that layer. it actually mixes the model and manager responsibilities19:51
lbragstaddstanek yeah19:51
lbragstadso - what benefit does the model provide then?19:52
ayoungsamueldmq, jamiec can one of you guys give some love to an implied roles fix to KC  needed for OSC https://review.openstack.org/#/c/368288/19:52
*** ngupta has joined #openstack-keystone19:52
dstaneki'd save that part for a rainy day19:52
ayoungnot jamiec I meant jamielennox19:52
ayoungdstanek, um ...what?19:52
dstaneklbragstad: models as they are today are more like Java DTO style objects19:52
ayoungthere should be no manager deps in the modles19:52
ayoungmodels19:52
dstanekayoung: agreed. that's what i'm saying too :-)19:53
*** srobert has quit IRC19:53
lbragstadok19:53
bknudsondo we want to be able to load some values lazily? If so the model will need the manager19:53
lbragstadso - what we could do, is in the token provider (which is a manager), we use all the other manager to get all the information we need and then pass that to the model19:53
bknudsonfor example, the catalog may never be needed19:53
lbragstadmaking it so that the model doesn't need any managers19:54
lbragstadbknudson yeah - that's a good question, too19:54
bknudsonwhen validating the x-auth-token keystone doesn't need the catalog.19:54
dstanekright now i think we'd want to just give the model any relevant data19:54
*** ngupta_ has joined #openstack-keystone19:54
dstanekthe model shouldn't know about some of that stuff anyway19:55
lbragstaddstanek so the only responsibility of the model is to relay that data, and not validate any of it19:55
bknudsontoken model shouldn't include the catalog? (I'm fine with that)19:55
bknudsoncontroller can load the catalog separately19:55
lbragstadbknudson for the catalog - i would almost leave that exclusively to the views19:55
lbragstadthe controller can ask a view for a v2 auth response with a catalog19:56
dstanekbknudson: yeah, that's the way i'd do it. because in your example the token model shouldn't know anything about the headers anyway, that's for the controller layer19:56
lbragstadand pass it a token model19:56
*** ngupta has quit IRC19:56
openstackgerritMerged openstack/keystone: remove cache backends  https://review.openstack.org/37449619:56
lbragstadso something like auth_response = view.response(token_model, include_catalog=True)19:57
*** ayoung has quit IRC19:57
openstackgerritMerged openstack/keystone: remove memcache token persistence backends  https://review.openstack.org/37449919:57
bknudsonview has the reference to the catalog manager?19:58
* lbragstad shrug19:58
lbragstadit can?19:58
lbragstadit has to format the catalog according to the api (v2 or v3)19:58
bknudsonthe roles can also be left off of the token model19:59
lbragstadbknudson why is that?20:00
bknudsonbecause you can calculate the roles from the project20:00
bknudsonand user20:00
bknudsonor domain20:00
lbragstador trust20:00
*** gagehugo has quit IRC20:00
lbragstador oauth roles20:00
*** ddieterly has joined #openstack-keystone20:11
*** itsuugo has quit IRC20:12
*** ddieterly has quit IRC20:14
*** itsuugo has joined #openstack-keystone20:14
*** ngupta_ has quit IRC20:16
*** ngupta has joined #openstack-keystone20:17
*** ngupta has quit IRC20:21
dstanekkeystone seems to do quite a bit of role playing20:21
*** spzala has joined #openstack-keystone20:24
lbragstaddstanek i think it would be nice to have all of that handled by the model20:24
*** ddieterly has joined #openstack-keystone20:25
lbragstadsince it might help isolate some of that logic20:25
lbragstadall the role stuff is super confusing20:25
*** code-R has quit IRC20:25
*** spzala has quit IRC20:28
*** ngupta has joined #openstack-keystone20:30
openstackgerritLance Bragstad proposed openstack/keystone: move _belongs_to logic to v2 controller  https://review.openstack.org/37509720:31
*** ddieterly is now known as ddieterly[away]20:32
lbragstadbknudson dstanek ^20:32
*** spzala has joined #openstack-keystone20:33
*** ddieterly[away] is now known as ddieterly20:37
*** ddieterly is now known as ddieterly[away]20:43
openstackgerritLance Bragstad proposed openstack/keystone: move _belongs_to logic to v2 controller  https://review.openstack.org/37509720:44
*** itsuugo has quit IRC20:50
*** asettle has joined #openstack-keystone20:51
*** itsuugo has joined #openstack-keystone20:52
*** raildo has quit IRC20:52
*** ddieterly[away] has quit IRC20:53
*** roxanaghe__ has joined #openstack-keystone20:53
*** pauloewerton has quit IRC20:55
*** roxanaghe_ has quit IRC20:57
openstackgerritBoris Bobrov proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens  https://review.openstack.org/37447921:03
openstackgerritBoris Bobrov proposed openstack/keystone: Undeprecate options used for signing  https://review.openstack.org/37510921:03
*** ddieterly has joined #openstack-keystone21:05
*** markvoelker has quit IRC21:07
*** ddieterly is now known as ddieterly[away]21:10
*** itsuugo has quit IRC21:10
*** spzala has quit IRC21:10
*** wajdi has quit IRC21:11
*** itsuugo has joined #openstack-keystone21:11
openstackgerritBoris Bobrov proposed openstack/keystone: WIP: remove support for PKI and PKIz tokens  https://review.openstack.org/37447921:11
openstackgerritBoris Bobrov proposed openstack/keystone: Simplify tests after PKI removal  https://review.openstack.org/37512121:11
stevemarbreton: thanks for working on the PKI bits21:13
jamielennoxbknudson, lbragstad: yea we should no longer need the subject_token_id thing in controller at all21:15
jamielennoxauth_token will handle that21:15
*** itsuugo has quit IRC21:16
bknudsonjamielennox: auth_token isn't handling it as far as I can see.21:16
jamielennoxlbragstad: that's ambitious, i've wanted to refactor token validation for ages but there are so many small edge cases and tests wrapped up in there21:16
bknudsonwhy would auth_token handle subject token?21:17
jamielennoxlbragstad: my hope was if we could get the context stuff everywhere and then the views stuff we could at least standardize on one token model21:17
*** itsuugo has joined #openstack-keystone21:17
jamielennoxbknudson: oh - sorry, subject token not service token21:17
jamielennoxi confuse those all the time21:18
bknudsonI suppose one could pass auth token, service token, and subject token.21:18
jamielennoxwell it would all be checked if you did21:19
*** gagehugo has joined #openstack-keystone21:20
*** ddieterly[away] has quit IRC21:20
stevemarjamielennox: bknudson if you haven't added to this yet: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm21:23
stevemarjamielennox: i think we can remove all the auth and session parts from ksc now?21:24
stevemarjamielennox: did you have anything major you wanted to add to ksm / ksc / ksa this go around?21:24
jamielennoxstevemar: i haven't, but mostly i want to do some view model refactoring in keystone itself which i feel i got approval for at the last midcycle21:24
jamielennoxoh, and the expired tokens thing, which i don't feel we need to talk about again21:25
jamielennoxstevemar: re the ksc session stuff i have some reviews up to see just how badly that will fail21:25
lbragstadjamielennox yeah - that would be awesome21:25
lbragstadbut - it's a total pita to refactor21:26
lbragstadbecause *everything* is so tightly coupled21:26
jamielennoxstevemar: this being the end of the pile; https://review.openstack.org/#/c/359708/ that we can recheck every now and then21:26
jamielennoxstevemar: it's good for finding who is misusing stuff21:26
jamielennoxstevemar: and ksa is pretty stable, mostly just bugfixes and small features i don't think really need talking about21:27
*** gyee has joined #openstack-keystone21:27
*** ChanServ sets mode: +v gyee21:27
jamielennoxlbragstad: yea, that's where i was going with the views start, i want to do models that traverse the backend boundary instead of dicts21:27
jamielennoxlbragstad: but it's the tests as much as anything else that hurt21:28
lbragstadjamielennox yes - the tests shouldn't have to rely on the token_provider_api to validate stuff21:28
jamielennoxright, i made a start on this but basically if you're testing an API you should never call the providers directly21:29
lbragstadmaybe one thing we can do is refactor all the tests to not use the manager lay and actually make it do a real api call21:29
jamielennoxand a whole bunch of other problems21:29
lbragstadlayer*21:29
jamielennoxso ages ago i added a whole bunch of testing using webtest so that facility is in there21:30
jamielennoxwhat we would need to do around that is all the test startup/teardown and i was hoping to put that into proper fixtures.Fixture objects21:30
jamielennoxthey will still call the manager layer but at least you could change it in one place unlike the current spread21:31
jamielennoxit's just one of those things that will take up a whole lot of time that i should probably be spending elsewhere atm21:31
*** ddieterly has joined #openstack-keystone21:32
*** flwang has joined #openstack-keystone21:33
lbragstadjamielennox yeah - it's a massive refactor - but it would be so nice21:33
bknudsonwith PKI going away in keystone we could remove it from auth-token, too.21:33
*** rcernin has quit IRC21:34
flwangstevemar: ping21:34
lbragstadjamielennox in your opinion the model should just relay information right - it shouldn't be the thing that validates anything21:34
jamielennoxlbragstad: basically yea, i don't mind if they grow a function or two eventually but typically they're just structured information21:35
*** spzala has joined #openstack-keystone21:35
jamielennoxsomewhere i have a branch with an example, but i'm doubting i can find it21:35
flwangstevemar: zaqar client is trying to move from keystoneclient to keystoneauth, i know you did it for glance client, so would you mind helping to review the patch? thanks https://review.openstack.org/#/c/348118/21:35
*** ravelar has quit IRC21:36
lbragstadjamielennox got it21:36
lbragstadjamielennox so what about the views21:36
lbragstaddo they validate anythign?21:36
lbragstadanything*21:36
*** spzala has quit IRC21:36
*** jamielennox has quit IRC21:37
*** lbragstad has quit IRC21:37
*** jamielennox has joined #openstack-keystone21:40
*** lbragstad has joined #openstack-keystone21:40
jamielennoxand we're back21:41
lbragstadjamielennox  in the token case - when we validate a v2 token - the v2 token controller will get a token model and pass the model to the token view21:42
lbragstadand the view is supposed to format an auth response how v2.0 likes it based on the model21:42
*** daemontool_ has quit IRC21:42
lbragstadright?21:42
jamielennoxyea, the model is version independent, the view is what makes it a 2.021:43
jamielennoxin which case the view can raise an exception if it can't render it21:43
stevemarflwang: of course, i suggest you get jamielennox to review https://review.openstack.org/#/c/348118/ too :)21:43
flwangstevemar: sure, thank you very much21:43
stevemarjamielennox: i'd place the token expiry stuff above the model view bits21:44
lbragstadjamielennox so the v2 view would raise an exception if the model is scoped to a domain that isn't the default domain for example?21:44
jamielennoxflwang: what i'd really love is to be able to pass an existing session into zaqar client21:44
stevemarjamielennox: in terms of priority21:44
jamielennoxflwang: zaqar, monasca and mistral are the 3 clients i know of that don't let you do that - and i know this because heat was complaining about it21:44
jamielennoxstevemar: yea, i know, actual features21:45
bknudsonv2 should probably pass an indicator that says the token has to be in a particular domain so that processing can short-circuit.21:45
*** asettle has quit IRC21:45
jamielennoxlbragstad: yea, most likely - but it's a pretty unlikely case because it's the v2 controller that is saying i want a token rendered as v221:46
jamielennoxlbragstad: and there's no way from the v2 controller to pass in information that can't be rendered in v221:46
lbragstadif we want the model to not care about the version that leaves the provider and the view as the only places left to validate that kind of stuff21:46
*** spzala has quit IRC21:47
jamielennoxso you'd have a check in there as kind of a runtimeerror, but i don't know how you'd actually hit it21:47
jamielennoxoh, i guess you could ask for an existing v3 token as a v2 token21:47
lbragstadjamielennox would you hit that case if you had a v3 domain scoped token and passed it to the v2 api?21:47
bknudsonlbragstad: the model doesn't have to know the version, only the allowed domain21:47
*** andrewbogott has joined #openstack-keystone21:48
bknudsonit doesn't need to know the version just that a specific domain is required or not21:48
lbragstadbknudson which it currently does - through the domain scope21:48
jamielennoxlbragstad: you can make v2 calls with a v3 token, you just can't ask for it to be rendered or exchange it for something else21:48
lbragstadjamielennox right - if you validate a token on v2.0 you get a v2.0 format back21:48
lbragstadbut if it's a v3 token being validated against v2.0 it's up to the view to catch those things21:49
lbragstador cases where v2.0 doesn't honor v3-isms of the model21:49
jamielennoxso yea, you can probably short circuit the logic there but if it's caught in the view rather than in the validate it's not a big deal21:49
bknudsonI thought we deprecated v2? can't we just remove it?21:49
jamielennoxbknudson: ahhahaha21:50
lbragstadword on the street is that we will always have it deprecated21:50
lbragstaddeprecated - but never removed21:50
bknudsoncan we separate out the code into its own part of the repo and just forget about it?21:50
jamielennoxbknudson: yes, views/v2.021:50
lbragstadyeah21:50
lbragstadthat would be ideal21:51
lbragstadthen if there is something about v2.0 that is bothering you and you need to figure it out - you only have to look in one spot :)21:51
jamielennoxwhich would be awesome21:51
*** slberger has left #openstack-keystone21:51
jamielennoxand a flake8 check that slaps anyone who says is version == X21:52
lbragstadit's easier to sift through garbage when it's all in one pile21:52
jamielennoxpart of what would be so nice about this is to have one place to look when you want to figure out what's called when you hit a specific api21:52
lbragstadyeah21:53
jamielennoxrather than have to know which provider/backend thing implements it21:53
lbragstadjamielennox so the token_provider_api should return a model, right?21:53
jamielennoxtoken_providers are interesting and i'm not sure21:54
lbragstadbecause it's not exactly a controller21:54
lbragstadit doesn't care about web stuff21:54
lbragstadbut it certainly isn't a view either21:54
jamielennoxso a token_provider is basically a persistence backend right?21:54
jamielennoxsql, kvs, fernet21:54
lbragstadsure21:54
lbragstadsomething that provides a token21:54
lbragstadwhich makes me think it should return a token model21:55
jamielennoxso i guess os21:55
jamielennoxi was somehow thinking it should be created before that21:55
jamielennoxbecause what i'd kind of like to see is isinstance(token.user, UserModel)21:55
lbragstadyeah21:56
lbragstadthe issue token stuff is a bit messy though21:56
jamielennoxand i don't think that should be resolved via token provider21:56
lbragstadyou should just pass auth context into the token provider and it should persist what it needs to21:56
*** ayoung has joined #openstack-keystone21:56
*** ChanServ sets mode: +v ayoung21:56
lbragstadi.e. in the token or sql or whatever21:56
lbragstadand then it should give you back a token model21:56
lbragstadwhich would get back to the controller -> and view to translate21:57
ayoungI've been in and out, going to go read up on Eavesdrop21:57
*** mvk has joined #openstack-keystone21:58
ayoungthere is a gap between the end of eavesdrop and this21:58
jamielennoxwe had a netsplit in there21:58
flwangjamielennox: what do you mean 'don't let you do that'? do you mean 'doesn't support'?21:59
lbragstadayoung http://cdn.pasteraw.com/ch05svpakwmvkwi3sojwfl90qmd2lff21:59
jamielennoxflwang: i haven't looked at zaqarclient in a bit, but i want to do z = zaqarclient.Client(session=session)21:59
ayounglbragstad, thanks!22:00
lbragstadayoung np22:00
flwangjamielennox: oh, yep, that's on my to-do list actually22:00
jamielennoxflwang: because i've already got my auth figured out and i don't need zaqarclient to do it again22:00
flwangjamielennox: exactly22:00
jamielennoxflwang: cool, i'll have a look at the review but that's where i hope we get to22:00
*** raddaoui has joined #openstack-keystone22:01
jamielennoxand i know that's what heat says they are missing22:01
flwangjamielennox: awesome, and that's one thing i'd like to get your suggestion22:01
flwangif i should do that in the same patch22:01
flwangor it's better to do it in the following patch22:01
ayoungOK...start at the beginning of that flow:  the v2 token controller gets JSON and determines which version it is.  It uses the appropriate view to convert from JSON to a model, with the view throwing an exception if the JSON contains something that is not valid in that view.  Right?22:01
jamielennoxflwang: i think i'd do it in a follow up, it's already going to be hard to get people to review and you don't want to overload them with stuff22:02
lbragstadayoung well - the v2 token controller can assume a version based on the path22:02
lbragstadright?22:02
bknudsonthe v2 token controller can only get v2 JSON22:02
*** ddieterly is now known as ddieterly[away]22:02
jamielennoxflwang: however (for example) the swiftclient version of use keystoneauth is like 5 lines of code where they auth via a plugin and then go right back to their old ways22:02
jamielennoxso i just wanted to make sure zaqarclient was at least planning on the other way as well22:03
jamielennoxlbragstad: yea, jsonschema will kill anything coming to a v2 endpoint that's not expected22:03
jamielennoxby being a v2 endpoint it knows the version already22:04
lbragstadbut in the validation case - the v2 token controller needs to be able to pass a model to the v2 view22:04
*** cargonza has joined #openstack-keystone22:04
jamielennoxayoung: also view is a display thing, so for model -> json, json->model is probably handled by the controller22:04
lbragstadmaking the view responsible for catching any v3-isms22:04
flwangjamielennox: no, not the way like swiftclient i think22:04
jamielennoxflwang: excellent!22:05
flwangwhat i want to see is zaqarcleint = client.Client(session) , just like you said above22:05
*** ddieterly[away] is now known as ddieterly22:05
ayoungin an interactive app, the view is the UI component, so edit can be different from report, say.  Here, I would have classified the controller *as* the view.  So we are kind of duplicating the use of the term.  Version and view are related, but different22:05
lbragstadfor example - if we took that approach and the v2 view saw that model.oauth_scoped == True - then we should bail22:06
ayounglbragstad, v2 and v3 are "views" of the token, no?22:06
jamielennoxayoung: honestly in this case if the controller handled the view i wouldn't be too worried - however the current controllers are so overloaded that i don't know how to get from here to there without separating them out22:07
lbragstadayoung yep22:07
jamielennoxlike if the controller did the rendering instead of handing to a view object22:07
*** boris-42 has joined #openstack-keystone22:07
ayoungjamielennox, the controllers need to be divested of any business logic and only do view stuff22:07
lbragstadthat's the part that confuses me22:07
jamielennoxayoung: there will always be a little logic in the controllers, there has to be some22:07
lbragstadbecause that would mean the view wouldn't be able to invalidate tokens22:07
ayoungjamielennox, only HTTP specific logic.  If we had another protocol, say Rabbit, it would be much easier to keep things separate22:08
*** DuncanT has joined #openstack-keystone22:08
*** edtubill has quit IRC22:09
*** roxanaghe__ has quit IRC22:09
*** AndyWojo has joined #openstack-keystone22:11
lbragstadjamielennox ayoung - i gotta run, it's my wife's birthday... and so far what i've learned is that the only thing worse than forgetting your wife's birthday is working after hours on her birthday22:12
bknudsoncontrollers manipulate, not views22:12
bknudsonhttps://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller#/media/File:MVC-Process.svg22:12
lbragstadbut in this case we would have to rely on the view's manipulating (even just throwing errors)22:12
lbragstadah! I'll read the scroll back tonight22:13
lbragstado/22:13
ayounglbragstad, RUN!22:13
bknudsondon't you work from home?22:13
lbragstadlol - she does, too22:14
*** serverascode has joined #openstack-keystone22:14
jamielennoxyea, my definition has always been that the controller is the thing that creates a model, does stuff on the model, renders the view and returns it22:15
jamielennoxlbragstad: say happy birthday from all of us, i'm sure that'll help22:15
jamielennoxbknudson: model updates view is interesting, i always had the controller making a view from a model22:15
*** ngupta has quit IRC22:15
*** nikhil has joined #openstack-keystone22:16
bknudsonif you've got a gui your view listens to the model to get updates.22:16
*** ngupta has joined #openstack-keystone22:16
*** zhiyan has joined #openstack-keystone22:16
bknudsonlike to show how many bytes are downloaded or whatever22:16
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143522:16
jamielennoxoh, right, yea that makes sense in a gui/responsive way, rather than a web way22:17
bknudsonweb would be using push or websockets22:17
bknudsonso like subscribe to notifications for a user ?22:17
bknudsonthat would be odd22:17
bknudsonwell, we've got notifications, so you could do that22:18
bknudsonI assume we do notifications now in the manager.22:18
bknudsonyep - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n97322:19
*** jrist has quit IRC22:19
bknudsonso if we did mvc then the User model would send the notification on update.22:19
*** ngupta has quit IRC22:20
*** esp has quit IRC22:23
bknudsonI'm getting a couple of failures running tox -e py27:22:24
bknudsonkeystone.tests.unit.credential.test_fernet_provider.TestFernetCredentialProviderWithNullKey.test_warning_is_logged_when_encrypting_with_null_key22:24
bknudsonkeystone.tests.unit.credential.test_fernet_provider.TestFernetCredentialProviderWithNullKey.test_encryption_with_null_key22:24
*** lamt has quit IRC22:24
bknudsonanyone seen this?22:24
bknudsonhttp://paste.openstack.org/show/582675/22:24
bknudsonmaybe it's finding existing credential keys?22:24
jamielennoxhmm, i don't know, i would probably have had the controller doing notifications, but i'm not sure22:28
openstackgerritBrant Knudson proposed openstack/keystone: Request cache should not update context  https://review.openstack.org/37514222:29
*** ngupta has joined #openstack-keystone22:30
bknudsonI think the point is you could have multiple controllers?22:31
stevemarbknudson: what's the error with the tests?22:36
bknudsonstevemar: http://paste.openstack.org/show/582675/22:37
stevemarlol @ lbragstad, go eat dinner ya bum22:37
stevemarthx bknudson22:37
bknudsonstevemar: if I "rm /etc/keystone/credential-keys/*" the tests pass22:38
stevemarbknudson: ah, that's good, at least it's not busted22:38
*** esp has joined #openstack-keystone22:46
stevemarbknudson: bug for https://review.openstack.org/#/c/375142/1 ?22:49
bknudsonstevemar: it doesn't have any visible effect ... I think I explained that in the commit message.22:50
*** iurygregory_ has joined #openstack-keystone22:50
bknudsonI just found it annoying when I set a breakpoint to see where the context was getting reset and saw a bunch of useless ones.22:50
stevemarbknudson: you normally always have proof for the most vague change :P22:50
stevemarah22:50
stevemarbknudson: no need to backport to newton then, i assume22:51
bknudsonno... while the context cache was resetting the thread request context all the time it wasn't actually changing the value.22:52
bknudsonwas just setting the value to what it already was.22:52
bknudsonand according to the code that's all it would ever do.22:52
*** mvk has quit IRC22:52
*** ngupta has quit IRC22:54
*** ngupta has joined #openstack-keystone22:54
*** ddieterly has quit IRC22:58
*** ngupta has quit IRC22:59
*** ngupta has joined #openstack-keystone23:00
*** adriant has joined #openstack-keystone23:03
stevemarayoung: when you get a chance, please review: https://review.openstack.org/#/c/374479/ i've left a comment asking what we can do for a few things that are leftover23:06
stevemarbknudson -- you're familiar with PKI too, if you get a chance ^23:07
*** itsuugo has quit IRC23:08
*** mvk has joined #openstack-keystone23:08
stevemarwe don't even have /auth/tokens/OS-PKI/revoked and /OS-SIMPLE-CERT advertised in the API ref, ughhhh23:08
* stevemar goes to file bugs23:09
*** lamt has joined #openstack-keystone23:09
*** itsuugo has joined #openstack-keystone23:10
jamielennoxstevemar: how do i propose a cross project summit session?23:12
*** martinus__ has quit IRC23:12
jamielennoxi was expecting to see something on the ML - have you heard anything?23:12
*** ayoung has quit IRC23:13
*** itsuugo has quit IRC23:15
*** itsuugo has joined #openstack-keystone23:16
stevemarjamielennox: there was something out there23:17
jamielennoxstevemar: found it right after asking, i just had to go back further23:17
jamielennoxsry23:17
stevemarjamielennox: share it anyway, i lost the link23:17
jamielennoxhttps://etherpad.openstack.org/p/ocata-cross-project-sessions23:17
stevemarhttps://bugs.launchpad.net/keystone/+bug/1626778 and https://bugs.launchpad.net/keystone/+bug/1626779 make me sad23:17
openstackLaunchpad bug 1626778 in OpenStack Identity (keystone) "[api] document /auth/tokens/OS-PKI/revoked" [Medium,Confirmed]23:17
openstackLaunchpad bug 1626779 in OpenStack Identity (keystone) "[api] document OS-SIMPLE-CERT routes" [Medium,Confirmed]23:17
*** ngupta has quit IRC23:18
*** martinus__ has joined #openstack-keystone23:18
*** ngupta has joined #openstack-keystone23:18
stevemardolphm: thanks for proposing the upgrade story for cross-project, i was gonna do that if you didn't ;)23:18
jamielennoxdolphm: and jumping in with johnthetubaguy for cross-project communications, that's basically what i was going to propose23:19
stevemarjamielennox: do you have time to work on the token expiry bp?23:19
stevemarnot just the spec, but the work23:19
jamielennoxstevemar: yea, if we do it as proposed in the midcycle it's not actually that much work23:20
stevemarjamielennox: get on it then :P23:20
jamielennoxjust post midcycle i didn't have time, so i let it lag23:20
stevemarjamielennox: ocata-1, go!23:20
stevemarjk :)23:20
stevemareat time23:20
jamielennoxdamnit, alright23:20
jamielennoxwell it would be good to have a POC up for barcelona23:20
jamielennoxspec + code23:21
*** roxanaghe has joined #openstack-keystone23:21
*** ngupta has quit IRC23:23
jamielennoxdamn, i remember now, it was actually ksm that caught this up because i have to change around the model i just finished making public23:25
*** ngupta has joined #openstack-keystone23:28
*** HenryG has quit IRC23:28
*** HenryG has joined #openstack-keystone23:28
*** roxanaghe has quit IRC23:33
*** spedione is now known as spedione|AWAY23:37
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143523:41
*** ddieterly has joined #openstack-keystone23:42
*** ddieterly has quit IRC23:45
*** itsuugo has quit IRC23:50
*** ngupta has quit IRC23:51
*** itsuugo has joined #openstack-keystone23:51
*** ngupta has joined #openstack-keystone23:51
*** arunkant__ has quit IRC23:56
*** itsuugo has quit IRC23:56
*** itsuugo has joined #openstack-keystone23:57
