Thursday, 2016-11-17

00:01 *** guoshan has quit IRC
00:02 *** diazjf has quit IRC
00:02 *** phalmos has quit IRC
00:03 *** cnf has quit IRC
00:06 *** diazjf has joined #openstack-keystone
00:09 *** Krenair has quit IRC
00:11 <openstackgerrit> Merged openstack/python-keystoneclient: Fix typo in access.py  https://review.openstack.org/398244
00:13 *** Krenair has joined #openstack-keystone
00:20 *** dave-mccowan has joined #openstack-keystone
00:28 *** agrebennikov has quit IRC
00:28 <openstackgerrit> Morgan Fainberg proposed openstack/keystoneauth: Correct betamax fixture for more strict IDNA  https://review.openstack.org/398654
00:28 <morgan_> stevemar: ^fixes betamax fixture
00:28 <morgan_> test*.
00:31 *** asettle has joined #openstack-keystone
00:31 *** spzala has joined #openstack-keystone
00:33 *** Zer0Byte__ has quit IRC
00:35 *** david-lyle_ is now known as david-lyle
00:35 *** asettle has quit IRC
00:37 *** hoangcx has joined #openstack-keystone
00:38 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
00:41 *** thinrichs has joined #openstack-keystone
00:41 *** thinrichs has left #openstack-keystone
00:41 *** chrisplo has joined #openstack-keystone
00:44 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
00:45 *** jaypipes has quit IRC
00:49 *** cnf has joined #openstack-keystone
00:51 *** guoshan has joined #openstack-keystone
00:53 *** adrian_otto has quit IRC
00:55 *** guoshan has quit IRC
01:05 *** diazjf has quit IRC
01:05 *** tqtran has quit IRC
01:07 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Create idp_id as the domain_id for federated users  https://review.openstack.org/398667
01:07 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Create idp_id as the domain_id for federated users  https://review.openstack.org/398667
01:08 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Create idp_id as the domain_id for federated users  https://review.openstack.org/398667
01:11 <openstackgerrit> Merged openstack/keystone: Fix typo in doc  https://review.openstack.org/398599
01:18 *** dave-mccowan has quit IRC
01:18 <openstackgerrit> howard lee proposed openstack/keystoneauth: Add __ne__ built-in function  https://review.openstack.org/398294
01:25 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
01:34 *** guoshan has joined #openstack-keystone
01:35 *** zhangjl has joined #openstack-keystone
01:45 *** spzala has quit IRC
02:01 *** asettle has joined #openstack-keystone
02:06 *** asettle has quit IRC
02:09 *** blancos has joined #openstack-keystone
02:14 <blancos> Hi I'm interested in contributing to Keystone and I was wondering about the status of these blueprints: https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role and https://wiki.openstack.org/wiki/DynamicPolicies
02:18 *** diazjf has joined #openstack-keystone
02:21 *** diazjf has quit IRC
02:22 <stevemar> morgan_: thanks! you're the best :)
02:22 <stevemar> aww i miss having morgan_ around in keystone{everything_else} land
02:23 *** hoangcx has quit IRC
02:23 <openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: Using assertIsNotNone() instead of assertNotEqual(None)  https://review.openstack.org/397521
02:25 *** adriant has quit IRC
02:29 *** nkinder has joined #openstack-keystone
02:35 *** adriant has joined #openstack-keystone
02:43 *** namnh has joined #openstack-keystone
02:49 *** dave-mccowan has joined #openstack-keystone
02:50 *** blancos has quit IRC
02:58 *** nkinder has quit IRC
02:59 *** adrian_otto has joined #openstack-keystone
03:04 *** adrian_otto has quit IRC
03:04 *** adrian_otto1 has joined #openstack-keystone
03:05 <openstackgerrit> Merged openstack/keystoneauth: Correct betamax fixture for more strict IDNA  https://review.openstack.org/398654
03:32 *** asettle has joined #openstack-keystone
03:33 *** dave-mccowan has quit IRC
03:36 *** asettle has quit IRC
03:38 *** maestropandy has joined #openstack-keystone
03:39 *** maestropandy has left #openstack-keystone
03:39 *** udesale has joined #openstack-keystone
03:46 *** spzala has joined #openstack-keystone
03:51 *** spzala has quit IRC
04:13 *** adrian_otto1 has quit IRC
04:18 *** deep_1 has joined #openstack-keystone
04:24 *** hoangcx has joined #openstack-keystone
04:37 *** GB21 has joined #openstack-keystone
04:40 *** nicolasbock has quit IRC
04:47 *** diazjf has joined #openstack-keystone
04:50 *** guoshan has quit IRC
04:51 *** guoshan has joined #openstack-keystone
04:51 <openstackgerrit> Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/396752
05:01 *** guoshan has quit IRC
05:02 *** asettle has joined #openstack-keystone
05:03 *** guoshan has joined #openstack-keystone
05:07 *** asettle has quit IRC
05:14 *** jrichli has joined #openstack-keystone
05:14 *** jrichli has left #openstack-keystone
05:31 *** deep_1 has quit IRC
05:32 *** deep_1 has joined #openstack-keystone
05:34 *** guoshan has quit IRC
05:50 *** adriant has quit IRC
06:03 *** asettle has joined #openstack-keystone
06:07 *** diazjf has quit IRC
06:08 *** asettle has quit IRC
06:13 *** guoshan has joined #openstack-keystone
06:14 *** jaosorior has joined #openstack-keystone
06:25 *** belmoreira has joined #openstack-keystone
06:33 *** deep_1 has quit IRC
06:41 *** jaosorior has quit IRC
06:41 *** richm has quit IRC
06:42 *** jaosorior has joined #openstack-keystone
06:42 *** deep_1 has joined #openstack-keystone
06:46 *** spzala has joined #openstack-keystone
06:51 *** spzala has quit IRC
07:03 *** namnh has quit IRC
07:04 *** asettle has joined #openstack-keystone
07:08 *** asettle has quit IRC
07:18 *** pcaruana has joined #openstack-keystone
07:40 <openstackgerrit> Eric Brown proposed openstack/keystone: Remove entry_points to non-existent drivers  https://review.openstack.org/398795
07:50 *** jvarlamova has quit IRC
07:50 *** deep_1 has quit IRC
07:53 *** deep_1 has joined #openstack-keystone
08:05 *** asettle has joined #openstack-keystone
08:09 *** asettle has quit IRC
08:31 *** guoshan has quit IRC
08:32 *** guoshan has joined #openstack-keystone
08:36 *** deep_1 has quit IRC
08:44 *** amoralej|off is now known as amoralej
08:49 *** jpich has joined #openstack-keystone
09:00 *** zzzeek has quit IRC
09:01 *** zzzeek has joined #openstack-keystone
09:06 *** asettle has joined #openstack-keystone
09:08 *** jaosorior is now known as jaosorior_lunch
09:10 *** asettle has quit IRC
09:15 *** deep_1 has joined #openstack-keystone
09:19 *** deep_1 has quit IRC
09:43 *** jaosorior_lunch is now known as jaosorior
09:48 *** openstackgerrit has quit IRC
09:48 *** openstackgerrit has joined #openstack-keystone
10:03 *** henrynash has quit IRC
10:05 *** GB21 has quit IRC
10:06 *** asettle has joined #openstack-keystone
10:11 *** asettle has quit IRC
10:16 *** deep_1 has joined #openstack-keystone
10:17 *** hoangcx has quit IRC
10:21 *** deep_1 has quit IRC
10:31 *** zhangjl has quit IRC
10:36 *** asettle has joined #openstack-keystone
10:42 *** guoshan has quit IRC
10:47 *** spzala has joined #openstack-keystone
10:49 *** GB21 has joined #openstack-keystone
10:52 *** spzala has quit IRC
11:06 *** khamtamtun has joined #openstack-keystone
11:06 <openstackgerrit> zhangyanxian proposed openstack/python-keystoneclient: Fix some spelling mistaks  https://review.openstack.org/398929
11:08 <openstackgerrit> zhangyanxian proposed openstack/python-keystoneclient: Fix some spelling mistaks in base.py & auth.py  https://review.openstack.org/398929
11:09 <openstackgerrit> zhangyanxian proposed openstack/python-keystoneclient: Fix some spelling mistaks in base.py & auth.py  https://review.openstack.org/398929
11:10 *** richm has joined #openstack-keystone
11:12 *** khamtamtun has quit IRC
11:13 *** guoshan has joined #openstack-keystone
11:14 *** kamtamtun has joined #openstack-keystone
11:18 *** guoshan has quit IRC
11:26 *** andreaf has quit IRC
11:26 *** andreaf has joined #openstack-keystone
11:35 *** nicolasbock has joined #openstack-keystone
11:36 *** andreaf has quit IRC
11:36 *** andreaf has joined #openstack-keystone
11:39 *** andreaf has quit IRC
11:43 *** andreaf has joined #openstack-keystone
11:45 *** kamtamtun has quit IRC
11:52 *** kamtamtun has joined #openstack-keystone
11:53 *** kamtamtun has quit IRC
11:55 *** aloga_ has joined #openstack-keystone
12:01 *** zhugaoxiao has quit IRC
12:01 *** zhugaoxiao has joined #openstack-keystone
12:04 *** kamtamtun has joined #openstack-keystone
12:05 *** kamtamtun has quit IRC
12:07 *** guoshan has joined #openstack-keystone
12:09 *** raildo has joined #openstack-keystone
12:12 *** guoshan has quit IRC
12:18 *** udesale has quit IRC
12:20 *** raildo has quit IRC
12:26 *** raildo has joined #openstack-keystone
12:31 *** dave-mccowan has joined #openstack-keystone
12:38 *** henrynash has joined #openstack-keystone
12:38 *** ChanServ sets mode: +v henrynash
12:40 *** rodrigods has quit IRC
12:40 *** rodrigods has joined #openstack-keystone
12:46 *** catintheroof has joined #openstack-keystone
12:48 *** edmondsw has joined #openstack-keystone
12:50 *** markvoelker has quit IRC
12:51 *** amoralej is now known as amoralej|lunch
12:53 *** aloga_ has quit IRC
12:56 *** GB21 has quit IRC
13:00 *** chlong has joined #openstack-keystone
13:01 *** guoshan has joined #openstack-keystone
13:03 *** spzala has joined #openstack-keystone
13:03 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
13:06 *** guoshan has quit IRC
13:08 *** spzala has quit IRC
13:10 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
13:11 <rodrigods> dstanek, around?
13:14 *** lamt has joined #openstack-keystone
13:14 *** henrynash has quit IRC
13:20 *** deep_1 has joined #openstack-keystone
13:22 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
13:41 *** deep_1 has quit IRC
13:45 *** nk2527 has joined #openstack-keystone
13:47 *** spzala has joined #openstack-keystone
13:48 <BlackDex> Hello there
13:48 <BlackDex> i get these errors
13:48 <BlackDex> keystoneauth1.exceptions.http.NotFound: Could not find endpoint: e6fed1859ab64cef8a7fd22c80b53d7b (HTTP 404) (Request-ID: req-c5318008-d26b-4ede-b7fd-677dc2a1d240)
13:48 <BlackDex> what is going wrong?
13:51 *** markvoelker has joined #openstack-keystone
13:51 *** spzala has quit IRC
13:56 *** markvoelker has quit IRC
13:56 *** guoshan has joined #openstack-keystone
13:59 <dstanek> rodrigods: yes
14:00 <rodrigods> dstanek, maybe you know how to help... when configuring federation on Apache (the Location stuff for Shibboleth, for example)
14:00 <dstanek> rodrigods: what's the trouble?
14:01 <rodrigods> it is not working well with the /identity URI vs using the port :5000, for example
14:01 <rodrigods> this is for DevStack
14:01 *** guoshan has quit IRC
14:02 *** amoralej|lunch is now known as amoralej
14:04 <dstanek> rodrigods: i've not had any issues that i can recall
14:04 <dstanek> i do this: https://github.com/dstanek/ansible-role-keystone-sp/blob/master/tasks/_configure_apache.yml
14:05 <rodrigods> dstanek, hmmm /identity before /v3 in Location
14:05 <rodrigods> think that's it :)
14:06 <dstanek> rodrigods: yeah. in devstack the keystone URLs follow /identity
14:06 <rodrigods> dstanek, thought it would be enough to have it starting from /v3, but Location expects the correct URL - forgot about that
14:07 <dstanek> rodrigods: yeah, that gets matched by apache on the URL coming in
14:07 <rodrigods> thanks dstanek
14:08 *** maestropandy has joined #openstack-keystone
14:09 <dstanek> np
14:09 *** maestropandy has left #openstack-keystone
14:13 *** jdennis has joined #openstack-keystone
14:18 *** jperry has joined #openstack-keystone
14:23 *** ravelar has joined #openstack-keystone
14:29 *** phalmos has joined #openstack-keystone
14:34 *** phalmos has quit IRC
14:35 *** adrian_otto has joined #openstack-keystone
14:35 <openstackgerrit> Merged openstack/python-keystoneclient: Fix some spelling mistaks in base.py & auth.py  https://review.openstack.org/398929
14:35 <dstanek> ^ that's my favorite commit message
14:36 *** asettle__ has joined #openstack-keystone
14:37 *** asettle__ has quit IRC
14:38 *** asettle__ has joined #openstack-keystone
14:38 *** asettle has quit IRC
14:40 *** adrian_otto has quit IRC
14:40 *** asettle__ is now known as asettle
14:41 *** jaosorior has quit IRC
14:41 *** agrebennikov has joined #openstack-keystone
14:42 *** phalmos has joined #openstack-keystone
14:43 *** adrian_otto has joined #openstack-keystone
14:43 *** chris_hultin|AWA is now known as chris_hultin
14:46 *** henrynash has joined #openstack-keystone
14:46 *** ChanServ sets mode: +v henrynash
14:49 <stevemar> dstanek: lol
14:49 *** jaugustine has joined #openstack-keystone
14:50 *** guoshan has joined #openstack-keystone
14:53 *** chris_hultin is now known as chris_hultin|AWA
14:55 *** guoshan has quit IRC
15:07 <openstackgerrit> ayoung proposed openstack/keystone-specs: Token Verify Role Check  https://review.openstack.org/391624
15:08 <ayoung> kfox1111, lbragstad ^^ adds in the in_process check.
15:08 <lbragstad> ayoung ok i'll get around to reviewing that
15:11 <openstackgerrit> melissaml proposed openstack/keystoneauth: Fix a typo in base.py  https://review.openstack.org/399060
15:11 *** adrian_otto has quit IRC
15:11 *** adrian_otto has joined #openstack-keystone
15:25 *** henrynash has quit IRC
15:25 <openstackgerrit> melissaml proposed openstack/keystone-specs: Fix typos in documents  https://review.openstack.org/399074
15:37 *** diazjf has joined #openstack-keystone
15:40 *** jdennis has quit IRC
15:45 *** guoshan has joined #openstack-keystone
15:45 *** jdennis has joined #openstack-keystone
15:46 <mfisch> breton: I was going to add you to https://review.openstack.org/#/c/383333/ but then I realized I have no idea who you are ;)
15:49 *** guoshan has quit IRC
15:52 *** markvoelker has joined #openstack-keystone
15:55 <breton> mfisch: bbobrov@mirantis.com :)
15:55 <breton> mfisch: i am tackling it now and have no idea what's going on.
15:56 <mfisch> breton: ah yes we met in Barcelona, I didn't connect the IRC nick, thanks
15:57 *** markvoelker has quit IRC
15:59 *** spzala has joined #openstack-keystone
16:01 <breton> mfisch: you said that you don't run into it in production, right?
16:01 <openstackgerrit> Kristi Nikolla proposed openstack/keystone-specs: Devstack Plugin for Keystone  https://review.openstack.org/395841
16:02 *** nk2527 has quit IRC
16:10 *** pcaruana has quit IRC
16:10 *** ayoung has quit IRC
16:15 *** adrian_otto has quit IRC
16:15 <breton> the patch fails a lot of v2-v3 intermix tests
16:16 *** chris_hultin|AWA is now known as chris_hultin
16:17 <breton> mfisch: why do you want it enabled by default?
16:18 <breton> mfisch: does it give you any increase in performance?
16:18 <mfisch> just seems like it should be
16:18 <mfisch> but beyond that the fact that it fails CI means to me that the feature is broken possibly
16:18 <breton> actually i don't see how it can help.
16:18 <mfisch> so I'm concerned to use it at all
16:19 <breton> because it takes the time to validate the token anyway
16:19 <breton> so non-cache validation happens at token issuing time anyway
16:20 <breton> so if issuing took 0.1s + validation 0.1s = 0.2s, now it takes issuing 0.15s + validation 0.05s
16:20 <breton> which is still 0.2s
16:21 <breton> what we need to do is to figure out whether it works in v2-v3 intermix cases when run under a real server
16:21 <breton> if yes, fix only tests
16:21 <breton> if no, well...
16:25 <mfisch> I'm on a call right now, give me 10 min
16:27 <mfisch> breton: I have no real perf data right now to tell if it's useful
16:27 *** chrisplo has quit IRC
16:27 <mfisch> but yeah figuring out if it's a test issue or a real issue is important
16:27 <mfisch> in my virtual openstack build I use I did not see issues with it
16:27 <mfisch> but the load is very low
16:31 *** adrian_otto has joined #openstack-keystone
16:33 *** henrynash has joined #openstack-keystone
16:33 *** ChanServ sets mode: +v henrynash
16:35 *** belmoreira has quit IRC
16:40 * lbragstad stevemar dstanek dolphm ping regarding the policy meeting - see ttx's comment here: https://review.openstack.org/#/c/398500/3
16:45 *** guoshan has joined #openstack-keystone
16:50 *** guoshan has quit IRC
16:52 *** rarora has left #openstack-keystone
16:55 *** browne has joined #openstack-keystone
16:55 <dstanek> lbragstad: did we have not then just keystone peeps there?
16:56 <openstackgerrit> Kristi Nikolla proposed openstack/keystone-specs: Devstack Plugin for Keystone  https://review.openstack.org/395841
17:00 <lbragstad> dstanek if i recall correctly - i thought nova had some sessions on policy previously
17:00 <lbragstad> i assumed it to be a cross project meeting since whatever we do will more than likely affect other projects
17:04 <openstackgerrit> Merged openstack/keystone-specs: Fix typos in documents  https://review.openstack.org/399074
17:05 <dstanek> lbragstad: they definitely had policy sessions at previous summits
17:05 <openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: Using assertIsNotNone() instead of assertNotEqual(None)  https://review.openstack.org/397521
17:10 *** ayoung has joined #openstack-keystone
17:10 *** ChanServ sets mode: +v ayoung
17:12 *** adrian_otto has quit IRC
17:26 *** chrisplo has joined #openstack-keystone
17:41 *** adrian_otto has joined #openstack-keystone
17:46 <openstackgerrit> Merged openstack/keystoneauth: Fix a typo in base.py  https://review.openstack.org/399060
17:47 *** Zer0Byte__ has joined #openstack-keystone
17:55 *** ayoung has quit IRC
18:00 *** asettle has quit IRC
18:02 <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399157
18:02 *** browne has quit IRC
18:02 <rodrigods> rderose, so... it is expected that i can't delete a protocol after the federated_user is created? i mean... we have the foreign_key there, but this looks like a bug to me
18:03 <rderose> rodrigods: hmm...
18:04 <rderose> rodrigods: it's because of the foreign key?
18:04 <rderose> what's the error?
18:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Add developer docs for keystone-manage doctor  https://review.openstack.org/399163
18:04 <rodrigods> rderose, http://paste.openstack.org/raw/589631/
18:05 <rderose> rodrigods: yeah, it's a bug
18:05 <rderose> rodrigods: just not sure how we should handle it
18:05 <rodrigods> rderose, i'd say to cascade delete everything
18:05 <rodrigods> will create the ticket in launchpad
18:05 <rderose> rodrigods: if you delete the protocol, should we delete the federated users associated with that protocol?
18:06 <rodrigods> rderose, i guess yes? so it could be recreated with a different protocol?
18:07 *** markvoelker has joined #openstack-keystone
18:07 *** henrynash has quit IRC
18:07 <rderose> rodrigods: sounds reasonable
18:08 *** henrynash has joined #openstack-keystone
18:08 *** ChanServ sets mode: +v henrynash
18:08 <rderose> rodrigods: it will get trickier with account linking
18:08 <rderose> rodrigods: let's say an ldap user and federated user are the same user
18:09 <rderose> rodrigods: removing the protocol shouldn't delete the user, only the row in federated user
18:09 <rderose> rodrigods: can the same protocol be used for multiple IdPs?
18:10 <knikolla> as far as i know, a protocol is specific to an idp
18:10 <rderose> knikolla: yeah, just looking at the api, it's specific to the idp
18:12 <rodrigods> rderose, https://bugs.launchpad.net/keystone/+bug/1642692
18:12 <openstack> Launchpad bug 1642692 in OpenStack Identity (keystone) "Protocol can't be deleted after federated_user is created" [Undecided,New]
18:12 <rodrigods> rderose, hmm, right
18:12 <rodrigods> just the federated user, i guess
18:13 *** tqtran has joined #openstack-keystone
18:17 <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399157
18:18 *** guoshan has joined #openstack-keystone
18:18 *** henrynash has quit IRC
18:18 <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399157
18:21 *** ayoung has joined #openstack-keystone
18:21 *** ChanServ sets mode: +v ayoung
18:21 <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399157
18:22 <ayoung> rderose, YES!
18:22 <ayoung> I've been waiting for domain->idp
18:22 *** guoshan has quit IRC
18:22 <rderose> ayoung: :)
18:23 <rderose> ayoung: it's been giving me so many headaches
18:23 <rderose> ayoung: lbragstad too :)
18:23 <rderose> time to bite the bullet
18:23 <ayoung> rderose, I wonder how we are going to deal with porting people forward?
18:24 <ayoung> say an Idp does not have one right now, what do we do with it?  Make it the default or federated domain to start?
18:24 <rderose> ayoung: we can get the domain_id from the group in the mapping
18:24 <rderose> ayoung: if it doesn't exist, we can auto create a federated_domain
18:25 <ayoung> rderose, would be awesome if we could deduce from mappings
18:25 <rderose> ayoung: we should be able to; planning to start that next
18:25 <ayoung> if an IdP has a mapping set up for one of its protocols that maps to a specific domain, grab it
18:25 <ayoung> cool
18:25 <rderose> right
18:27 <ayoung> rderose, so, one issue I am concerned with is mapping people to the same domain via LDAP and SAML
18:27 <ayoung> someday oauth, but SAML is the current problem
18:28 <rderose> ayoung: hmm...
18:28 <ayoung> say we already have an LDAP set up, and they have been using the identity mapping code.  How would Federated users get correctly mapped to existing accounts?
18:29 <rderose> ayoung: right, you connect thru ldap at work and federated at starbucks...  the user should be under the same domain, correct?
18:32 <rderose> ayoung: hmm... either way, we need to think this part through
18:32 <rderose> ayoung: currently, we don't have a way to do this. we'd have to expand the mapping engine and also shadowing
18:34 <rderose> ayoung: mapping would be easy, this federated user is this local user, but currently shadowing would create a new user
18:36 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769
18:42 <ayoung> rderose, that was why I was so insistent that we use the same id-mapping mechanism
18:43 <ayoung> rderose, but even then I suspect we would have a problem with the values being slightly different for protocol.
18:44 <ayoung> rderose, the real path I want is from LDAP to Federation using SSSD and Kerberos or LDAP to X509 (or both) as those are more secure authN mechs
18:44 <ayoung> But all of them should map to the same set of users
18:45 <ayoung> rderose, say a user comes in via LDAP now.  What would be the steps (even if required to hack the database) to make a federated user map to that same account today?
18:47 <openstackgerrit> Kristi Nikolla proposed openstack/keystone: Devstack plugin to federate with testshib.org  https://review.openstack.org/393932
18:47 *** jpich has quit IRC
18:49 <rderose> ayoung: to do that, you would simply have to have a record in the federated_user table for the LDAP user
18:49 *** diazjf has quit IRC
18:49 <rderose> ayoung: now the user could auth via ldap and federation
18:49 <ayoung> rderose, we don't have an API that can do that yet, do we?
18:49 *** browne has joined #openstack-keystone
18:49 <rderose> no, working on it:
18:49 <rderose> https://review.openstack.org/#/c/397410/
18:50 <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
18:51 <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
18:52 <ayoung> rderose, need to be able to delete, too.  But I like that spec
18:52 *** diazjf has joined #openstack-keystone
18:52 <rderose> ayoung: oh yeah
18:52 <rderose> ayoung: as I think about it, I keep adding to the spec, but I think it makes sense
18:52 <ayoung> rderose, it's still not really scalable, just reactionary, though
18:53 <ayoung> we should be able to pre-seed the LDAP users en masse.
18:53 <ayoung> I guess you could iterate to do that, though
18:53 <rderose> ayoung: shadow mapping will do that for us
18:53 <rderose> ayoung: but you still will want to do things like trusts and our user API should support all of that
18:54 *** dhellmann has joined #openstack-keystone
18:54 <openstackgerrit> Kristi Nikolla proposed openstack/keystone: Devstack plugin to federate with testshib.org  https://review.openstack.org/393932
18:55 *** amoralej is now known as amoralej|off
18:55 <rderose> ayoung: and you may not want to bulk load all of your users, right? you may require users to request, approve, and then you can provision access
18:56 *** edtubill has joined #openstack-keystone
18:56 *** adrian_otto has quit IRC
18:56 *** henrynash has joined #openstack-keystone
18:56 *** ChanServ sets mode: +v henrynash
18:57 <ayoung> rderose, different business requirement there.  LDAP usually means "if I can query you, you are a Keystone user".  But I could see an approach that links from Federation to an existing domain of users, maybe matching on existing username to some external attribute
18:58 <rderose> yeah, that would work
18:59 <rderose> ayoung: so shadow mapping will do the en masse, extending the API will let you do everything else (delegation, account linking...)
19:00 <ayoung> rderose, excellent.  I'll track your spec, and maybe post a mailing list thread where we can talk through it.  OK?
19:00 <rderose> ayoung: sounds good
19:03 *** edtubill has quit IRC
19:19 *** guoshan has joined #openstack-keystone
19:20 <mfisch> breton: stevemar I will do some perf tests wrt cache_on_issue today
19:23 *** guoshan has quit IRC
19:29 <chrisplo> rderose: I know our product doesn't want to mass import from LDAP, as it is we have custom liberty changes to prevent user list from listing LDAP, just users we've added to id_mapping
19:29 *** iurygregory has quit IRC
19:30 <rderose> chrisplo: I see, and that would still work
19:31 <rderose> chrisplo: so you are doing this through federation or ldap plugin?
19:32 <chrisplo> that particular piece was for LDAP, I'm working on ephemeral SAML integration now
19:33 <rderose> chrisplo: cool
19:36 <rderose> chrisplo: prior to newton the api won't return federated users via the API
19:37 <rderose> chrisplo: however, we're shadowing federated users in newton, so the user API will return federated users
19:38 <rderose> chrisplo: only federated users that have authenticated that is
19:38 <chrisplo> i was looking at the spec this morning, I'm sadly not up to date
19:38 *** gyee has joined #openstack-keystone
19:38 *** ChanServ sets mode: +v gyee
19:40 <chrisplo> shadow-users-newton spec that is, if that's what you're referring to
19:48 *** openstackgerrit has quit IRC
19:48 *** openstackgerrit has joined #openstack-keystone
19:55 *** edtubill has joined #openstack-keystone
20:08 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Add developer docs for keystone-manage doctor  https://review.openstack.org/399163
20:08 <lbragstad> gagehugo thanks for the feedback!
20:09 <gagehugo> lbragstad anytime! I really do wish that doc existed before, I had some issues with how doctor worked and that would have saved me a bunch of time
20:09 <lbragstad> gagehugo lol, me too
20:13 *** spzala has quit IRC
20:16 <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399157
20:24 <gagehugo> lbragstad I left a comment, but other than that one thing, I think it's good
20:27 *** adrian_otto has joined #openstack-keystone
20:32 <dstanek> "--os-auth-type: invalid choice: u'v3unscopedsaml'" .... grrrrrr
20:40 <dstanek> rodrigods: any thoughts ^
20:59 *** ayoung has quit IRC
21:00 *** spzala has joined #openstack-keystone
21:00 *** edtubill has quit IRC
21:00 *** raildo has quit IRC
21:02 <breton> dstanek: we dropped that name
21:02 <breton> dstanek: it is now v3saml or just saml
21:02 <breton> dstanek: let me check
21:03 <dstanek> breton: v3samlpassword seems to work. v3{un}scopedsaml is listed in my setup.cfg, but it doesn't appear to be working
21:04 <breton> dstanek: right, v3samlpassword.
21:20 *** guoshan has joined #openstack-keystone
21:25 *** guoshan has quit IRC
21:40 *** jamielennox is now known as jamielennox|away
21:45 <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399157
21:51 <stevemar> i have so many patches to review!!!!
21:56 <mfisch> catch up next week when the US is out
21:57 <stevemar> mfisch: seriously though, it's an awesome week for all non-US people
21:58 <stevemar> mfisch: it's like the whole world shifts down a gear or two
21:58 <mfisch> you all start your 8 weeks of paid vacations
21:58 <gagehugo> everyone is sedated from too much turkey
21:59 <mfisch> stevemar: so a quick update on cache_on_issue
21:59 <mfisch> it seems to speed things up a small amount but it's within the error limit
21:59 <mfisch> around 6%
22:00 <mfisch> the runs were (in ms): without caching: 144, 118, 143
22:00 <mfisch> with caching: 127, 129, 122
22:00 <mfisch> so I don't think that's definitive
22:01 <stevemar> you mean without pre_caching and with pre_caching?
22:01 *** adriant has joined #openstack-keystone
22:02 <stevemar> mfisch: yeah, the improvement wasn't going to be huge, i assumed
22:02 <mfisch> cache_on_issue yeah
22:02 <mfisch> serially it's about 2%
22:03 <mfisch> stevemar: also for newton we switched to pyMySQL - have you heard of any issues with that? I know mySQL-Python was deprecated ages ago
22:03 <stevemar> mfisch: you asked at the summit, i haven't heard of any issues
22:03 <mfisch> ok
22:04 <mfisch> I'm going to ask ops
22:04 <mfisch> rather know now than find out that 0.01% chance of dropping all tables or something
22:05 <openstackgerrit> Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/396752
22:09 <ravelar> stevemar quick question on https://bugs.launchpad.net/keystone/+bug/1641821
22:09 <openstack> Launchpad bug 1641821 in OpenStack Identity (keystone) "admin guide: Cleanup LDAP" [Low,New] - Assigned to Richard (csravelar)
22:09 *** edmondsw has quit IRC
22:09 *** jaugustine has quit IRC
22:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Add developer docs for keystone-manage doctor  https://review.openstack.org/399163
22:18 <stevemar> ravelar: yessum
22:19 <ravelar> stevemar, just wanted clarification when you mentioned that the keystone team recommended something other than a single ldap
22:20 <stevemar> ravelar: https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/
22:20 <stevemar> basically that
22:20 <stevemar> ravelar: you should be setting up another domain for the ldap
22:21 *** guoshan has joined #openstack-keystone
22:21 <ravelar> stevemar, ahh I see thanks :)
22:22 <stevemar> ravelar: and a separate keystone.<domain_name>.conf file should be created for each (i think parts of the admin-guide already say this)
22:23 *** chris_hultin is now known as chris_hultin|AWA
22:24 *** jamielennox|away is now known as jamielennox
22:25 *** guoshan has quit IRC
22:28 *** ravelar has quit IRC
22:34 <openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: Using assertIsNotNone() instead of assertNotEqual(None)  https://review.openstack.org/397521
22:38 <rderose> stevemar: I think we need granular and domain level security compliance
22:38 <stevemar> mmm
22:39 <rderose> stevemar: you may want all users to have a certain password strength, but some passwords should never expire
22:39 <rderose> stevemar: and having a lockout ignore list doesn't prevent us from having a domain level blacklist/whitelist
22:39 <stevemar> rderose: agreed.
22:40 <stevemar> rderose: a list of domains that will not have PCI compliance would be the most backwards compatible i think
22:40 <rderose> stevemar: true
22:41 <stevemar> or the least amount of changes for people to do
22:41 <stevemar> so [security] blacklist_domain = Default
22:42 <stevemar> but hmm, that still seems like a half measure, what if i want compliance for some parts of default domain, but not others
22:42 <rderose> stevemar: yeah
22:43 <stevemar> otherwise we'll end up being forced to use some options, or none of them
22:44 <stevemar> rderose: maybe we can get henrynash to do the work ;)
22:44 <stevemar> since he did it for ldap
22:44 <rderose> stevemar: ha
22:44 <rderose> stevemar: sure
22:44 <rderose> stevemar: what did he do for ldap?
22:45 <rderose> domain-level config?
22:45 <stevemar> rderose: yep
22:45 <stevemar> the whole, define ldap settings in a keystone.domainA.conf file
22:45 <rderose> ah
22:46 <rderose> stevemar: yeah, I think we'll granular and domain-level, but not sure I like doing this all in the config
22:47 <rderose> stevemar: wanted to think thru the domain-level part, but in the meantime add the lockout ignore list
22:47 <rderose> since that was an easy one
22:49 <rderose> damn stevemar, another -1! why don't you just -1 everything I do :)
22:50 <rderose> oh, that was just a soft -1 :)
23:01 *** jperry has quit IRC
23:08 <openstackgerrit> Merged openstack/keystone: Remove entry_points to non-existent drivers  https://review.openstack.org/398795
23:10 *** ayoung has joined #openstack-keystone
23:10 *** ChanServ sets mode: +v ayoung
23:12 <openstackgerrit> Ron De Rose proposed openstack/keystone: Lockout ignore user list  https://review.openstack.org/398571
23:14 <openstackgerrit> Ron De Rose proposed openstack/keystone: Lockout ignore user list  https://review.openstack.org/398571
23:29 *** catintheroof has quit IRC
23:30 *** chris_hultin|AWA is now known as chris_hultin
23:30 *** catintheroof has joined #openstack-keystone
23:35 <stevemar> david-lyle: you gonna propose a release of doa-kerb?
23:35 *** catintheroof has quit IRC
23:37 *** lamt has quit IRC
23:39 <david-lyle> stevemar: sure
23:41 *** agrebennikov has quit IRC
23:42 *** dave-mccowan has quit IRC
23:44 <david-lyle> stevemar: last released version was from jamielennox's github repo
23:44 <stevemar> david-lyle: lol
23:44 <stevemar> terrible
23:44 <jamielennox> ergh really?
23:44 <david-lyle> yeah
23:44 <stevemar> i guess we can't release it easily? is it even a real project?
23:44 <david-lyle> openstack-ci is an owner too
23:45 <stevemar> like under governance
23:45 <stevemar> oh that's good
23:45 <jamielennox> so the docs might say that, but i find it unlikely because i hate releasing myself
23:45 <jamielennox> i'd much prefer to make zuul do it
23:45 <david-lyle> source link is correct on PyPI
23:46 <david-lyle> I'll add it to release so we can kill it
23:46 <stevemar> ah there it is: https://github.com/openstack/governance/blob/master/reference/projects.yaml#L575-L577
23:46 <stevemar> david-lyle: yeah, i will propose the patch to kill it
23:46 <stevemar> jamielennox: want me to kill ksc-kerb too?
23:46 <david-lyle> ok
23:47 <jamielennox> stevemar: yea, ksa all the way
23:47 <stevemar> it's been deprecated for 9 mos
23:59 <openstackgerrit> Steve Martinelli proposed openstack/keystone: [api] add changelog from 3.0 -> 3.7  https://review.openstack.org/399301

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!