Friday, 2016-11-18

*** ayoung has quit IRC  (00:02)
*** catintheroof has joined #openstack-keystone  (00:11)
*** chris_hultin is now known as chris_hultin|AWA  (00:15)
*** guoshan has joined #openstack-keystone  (00:22)
*** guoshan has quit IRC  (00:26)
*** ravelar has joined #openstack-keystone  (00:34)
*** ravelar has quit IRC  (00:35)
*** spzala has quit IRC  (00:39)
<openstackgerrit> Merged openstack/keystoneauth: Using assertIsNotNone() instead of assertNotEqual(None)
*** cheran has joined #openstack-keystone  (00:41)
*** Zer0Byte__ has quit IRC  (00:43)
*** ayoung has joined #openstack-keystone  (00:49)
*** ChanServ sets mode: +v ayoung  (00:49)
*** gyee has quit IRC  (00:53)
*** diazjf has quit IRC  (00:54)
*** hoangcx has joined #openstack-keystone  (00:54)
*** catintheroof has quit IRC  (00:54)
*** ayoung has quit IRC  (01:06)
*** chlong has quit IRC  (01:11)
*** phalmos has quit IRC  (01:18)
*** guoshan has joined #openstack-keystone  (01:25)
*** chrisplo has quit IRC  (01:27)
*** zhangjl has joined #openstack-keystone  (01:32)
*** zhugaoxiao has quit IRC  (01:47)
*** browne has quit IRC  (01:54)
<lbragstad> stevemar yo  (01:59)
<stevemar> lbragstad: oy  (01:59)
<lbragstad> stevemar quick question - how is an alternate to enhancing the mapping engine?  (01:59)
<lbragstad> stevemar i saw that as a note in here -
<stevemar> lbragstad: i guess in my mind it was  (02:10)
<stevemar> lbragstad: but you can disregard my comment  (02:12)
<lbragstad> stevemar no worries - i was just parsing the document and read that...  (02:12)
<lbragstad> and it made me curious  (02:13)
<rderose> lbragstad: that's what I tend to do when it comes to stevemar  (02:13)
<stevemar> sometimes i write things down a bit too fast  (02:14)
<stevemar> i only glanced at the title and thought it was an alternative  (02:14)
<stevemar> i probably shouldn't have broadcasted it  (02:14)
<rderose> stevemar I've taken a couple shots at you today and no response, what's up  (02:15)
*** markvoelker has quit IRC  (02:18)
*** adrian_otto has quit IRC  (02:19)
*** guoshan has quit IRC  (02:20)
*** guoshan has joined #openstack-keystone  (02:24)
*** spzala has joined #openstack-keystone  (02:39)
*** spzala has quit IRC  (02:44)
*** dave-mccowan has joined #openstack-keystone  (02:47)
*** chrisplo has joined #openstack-keystone  (02:47)
*** browne has joined #openstack-keystone  (02:48)
*** browne has quit IRC  (02:49)
<openstackgerrit> howard lee proposed openstack/python-keystoneclient: Replace 'assertFalse(a in b)' with 'assertNotIn(a, b)'
*** tqtran has quit IRC  (03:07)
<adriant> lbragstad: re, I'm proposing a set of new API endpoints, so the lack of blob being returned is no a backward compatibility issue.  (03:13)
<adriant> not* a  (03:14)
<lbragstad> adriant ah - so we'll have two apis for credentials?  (03:14)
<adriant> we already do, see EC2  (03:14)
<lbragstad> so - we'll have three  (03:14)
<adriant> yes, the other solution would be to have one, and allow functional logic and validation on a per type basis  (03:15)
<adriant> which is... a refactor and a lot of work on the credential code :/  (03:15)
<adriant> and change the policy stuff.  (03:15)
<lbragstad> adriant hmm from a maintenance perspective, i almost lean towards that  (03:16)
<lbragstad> adriant do you use the ec2 controller today?  (03:16)
<adriant> Yeah, we've had clients who have done things via the EC2 APIs with their ec2 creds  (03:17)
*** guoshan has quit IRC  (03:17)
<adriant> lbragstad: I agree, the best long term solution is to merge the EC2 functionality into an expanded set of credentials controllers, with maybe plugins for each credential type.  (03:18)
<adriant> but that's a hell of a lot of work  (03:18)
*** markvoelker has joined #openstack-keystone  (03:19)
<adriant> Worthwhile, but still huge. All while maintaining backward compatibility!  (03:19)
*** dikonoor has joined #openstack-keystone  (03:19)
*** guoshan has joined #openstack-keystone  (03:19)
<lbragstad> adriant wouldn't that be a large refactor?  (03:20)
<lbragstad> adriant do you expect maintaining backwards compat with that refactor to be a problem?  (03:20)
<lbragstad> (i'm not all that familiar with the ec2 api so i apologize)  (03:21)
<adriant> lbragstad: not sure.  (03:21)
<adriant> the EC2 api and controller is reasonably simple, but it has EC2 specific logic, which doesn't make sense in the core credential code.  (03:21)
<lbragstad> adriant true, how is the ec2 controller invoked?  (03:22)
<adriant> currently the credentials endpoints don't care about type validation, or anything. They are pretty much a glorified key:value store it seems.  (03:22)
<lbragstad> it has its own endpoints, right?  (03:22)
<adriant> hence this spec suggestion.  (03:23)
<adriant> to do something like the EC2 stuff, but for TOTP  (03:23)
<adriant> and then we can do totp specific policy on those new endpoints  (03:23)
<adriant> as well as totp specific logic and validation  (03:23)
<lbragstad> totp specific logic and validation?  (03:23)
<lbragstad> have an example?  (03:23)
<adriant> server side generation of a TOTP secret  (03:24)
<adriant> or when uploading your own some sort of strength/length requirements  (03:24)
<adriant> the second part being configurable  (03:24)
*** markvoelker has quit IRC  (03:25)
<adriant> although I believe the secret also has to be a specific encoding... so that needs validation  (03:25)
<lbragstad> right - a TOTP secret is specific to TOTP, right?  (03:26)
<adriant> yeah pretty much  (03:26)
<lbragstad> because it has to be plugged into an algorithm in order to be effective  (03:26)
<lbragstad> how do you validate a TOTP secret?  (03:26)
<lbragstad> without using it?  (03:27)
<adriant> no clue, I've never had to, but I'm basically thinking, does it match a format we can use for the algorithm  (03:27)
<adriant> plus does it meet the min strength requirement  (03:28)
<lbragstad> hmm - we might have to do some digging into the TOTP spec  (03:28)
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Add developer docs for keystone-manage doctor
<adriant> lbragstad: mainly the check would need to be, is the secret base32, and does it meet the min length (google authenticator requires 16chars min)  (03:31)
<lbragstad> stevemar gagehugo ^ addressed the latest comments - thanks for the reviews  (03:31)
<lbragstad> adriant i assume GA implements a spec, right?  (03:32)
<adriant> yes, I can find that... sec  (03:32)
<lbragstad> so validation on our side wouldn't have to change depending on what type of validator the user is using?  (03:32)
<adriant> although I don't see a min length listed there, just base32. I only know it's 16 chars because I checked manually a while ago.  (03:34)
*** diazjf has joined #openstack-keystone  (03:35)
<lbragstad> yeah - same here ...  (03:35)
<adriant> We can have the base32 check for everything, and then the min length as a configurable value (with 16+ as default)  (03:36)
<adriant> lbragstad: At least this gives you some idea of why that spec is there. I wanted to add self management for TOTP for MFA, and between the options of a large refactor and a set of simple second APIs, the extra APIs seemed safer. :(  (03:38)
<adriant> I may want to add that train of thought to the spec itself.  (03:39)
<lbragstad> adriant yeah - that would be helpful  (03:39)
<lbragstad> or at least include the alternatives  (03:40)
<adriant> yeah, adding it to alternatives is a good idea  (03:40)
<lbragstad> I think including the refactor as an alternative would be good  (03:40)
<lbragstad> i think the most significant part of that spec is the fact we're adding yet another credential api to keystone  (03:43)
<adriant> lbragstad: As for the admin enabled TOTP, that's a hard one. Although the only solution is to include a value in the 'extra' json on the credential type and have the logic check for that. Which is messy.  (03:43)
<lbragstad> adriant right - historically, we've had a lot of tension around extras  (03:44)
<lbragstad> which makes me nervous to rely on it for an API  (03:44)
<adriant> So best would be just ignore that edge case and assume TOTP is entirely self managed.  (03:44)
*** chrisplo has quit IRC  (03:45)
<lbragstad> adriant wouldn't that allow users the ability to disable totp credentials put in place by an administrator?  (03:45)
<lbragstad> adriant what about making self-managed a first class attribute of credentials?  (03:46)
<adriant> That could work.  (03:46)
<adriant> And if 'false' a user can't remove, only replace.  (03:46)
<lbragstad> yeah - a migration would be needed to ensure everything defaults to false  (03:47)
<adriant> The problem there though is also that if an admin imposes a TOTP credential on you, they had to get that secret to you.  (03:47)
<lbragstad> which would maintain the existing behavior  (03:47)
<adriant> So there is a security risk if that secret isn't transmitted safely  (03:48)
<lbragstad> sure  (03:48)
<adriant> and enforcing: "this user has no roles until they setup totp" is too big to do easily.  (03:48)
*** diazjf has quit IRC  (03:49)
<adriant> it's all a giant can of worms. So I'm trying for low hanging fruit and getting the easy but still very useful stuff done.  (03:49)
<lbragstad> adriant that would be something that we'd probably have to include in the user, right?  (03:49)
<adriant> lbragstad: yes, and probably changes in the policy code... and auth code...etc  (03:50)
<lbragstad> yeah auth code would have to check an attribute of the user in order to determine if MFA or TOTP is required for that user :/  (03:51)
<adriant> but would still give them access to setup MFA  (03:51)
<adriant> it's a mess  (03:51)
<adriant> dynamic policies could work for something like this, but that's something Keystone has been discussing for ages.  (03:52)
<adriant> and then it would depend on implementation if it works for this case too  (03:52)
<lbragstad> so - are there other systems that setup totp for a user and transmit the secret to them?  (03:52)
*** chrisplo has joined #openstack-keystone  (03:52)
<adriant> Well, for our deployment, yes. We've built a proxy service that does a lot of keystone related stuff on behalf of the user.  (03:53)
<lbragstad> right - i wouldn't want to wait on that in order to accomplish this - instead i would start by making whatever the admin does the law of the land and rework it once dynamic policy is addressed  (03:53)
<adriant> Our users don't really touch keystone apart from for auth and listing their own projects.  (03:53)
*** dave-mccowan has quit IRC  (03:56)
*** guoshan has quit IRC  (03:57)
<adriant> lbragstad: so in our deployment, what I'm doing is this service of mine will start a MFA setup task, which generates a secret and sends it to the user. The user then has to confirm they have the secret to the service by sending a passcode, after which the service places the totp secret in keystone, and the user now has MFA enabled.  (03:57)
<adriant> So I can enforce "you can't remove MFA" through this as well. But basically all of this is a workaround for limitations in Keystone.  (03:58)
<lbragstad> so does this service have an administrator account on keystone?  (03:58)
<lbragstad> got it  (03:58)
<adriant> the source is on github, although it needs to be updated... and I intend to move it to the openstack gerrit after the current release.  (03:59)
<adriant> The more i can do in keystone the better, but at least in my case I've got alternative ways to do things as long as the core functionality is there.  (04:00)
<adriant> including password reset emails :)  (04:01)
<lbragstad> but you want the user management of totp credentials  (04:01)
<adriant> Once my password+totp plugin is merged it would be useful to have that in upstream yes  (04:01)
<adriant> even if we won't use it ourselves.  (04:01)
<adriant> otherwise there is no point having MFA support in keystone if only admins can manage it  (04:02)
<lbragstad> use what specifically? user management of credentials?  (04:02)
<lbragstad> since you have a service that does it?  (04:02)
<adriant> yes, specifically user management of credentials. Because we want the challenge/confirm step.  (04:03)
<adriant> and I'm not sure how/if we can do that challenge/confirm step in raw keystone.  (04:03)
<lbragstad> the challenge confirm step is currently done by your service  (04:04)
<adriant> Not yet, we've backlogged MFA until the upstream support is mostly merged.  (04:04)
<adriant> plus we're only just on liberty keystone, so I tend to backport the auth plugin anyway.  (04:05)
<lbragstad> got it  (04:05)
*** cheran has quit IRC  (04:08)
<adriant> I need to fix the tests, but here is the totp auth plugin for the spec that was recently merged:
<lbragstad> ah - nice  (04:09)
<adriant> The user self management spec is meant to be a follow up to this  (04:10)
*** nicolasbock has quit IRC  (04:32)
*** adrian_otto has joined #openstack-keystone  (04:34)
*** chrisplo_ has joined #openstack-keystone  (04:36)
*** chrisplo has quit IRC  (04:39)
*** ayoung has joined #openstack-keystone  (04:43)
*** ChanServ sets mode: +v ayoung  (04:43)
*** namnh has joined #openstack-keystone  (04:44)
*** guoshan has joined #openstack-keystone  (04:58)
*** zhangjl has quit IRC  (05:01)
*** guoshan has quit IRC  (05:03)
*** GB21 has joined #openstack-keystone  (05:06)
*** zhangjl has joined #openstack-keystone  (05:09)
*** udesale has joined #openstack-keystone  (05:18)
*** markvoelker has joined #openstack-keystone  (05:20)
*** markvoelker has quit IRC  (05:25)
*** phalmos has joined #openstack-keystone  (05:25)
*** spzala has joined #openstack-keystone  (05:40)
*** spzala has quit IRC  (05:44)
*** phalmos has quit IRC  (05:46)
*** akscram has quit IRC  (05:46)
*** akscram has joined #openstack-keystone  (05:47)
*** haplo37 has quit IRC  (05:52)
*** guoshan has joined #openstack-keystone  (05:59)
*** guoshan has quit IRC  (06:03)
<openstackgerrit> Jamie Lennox proposed openstack/keystone: Allow fetching an expired token
*** mgagne has quit IRC  (06:18)
*** adrian_otto has quit IRC  (06:18)
*** timburke has quit IRC  (06:20)
*** mgagne has joined #openstack-keystone  (06:21)
*** mgagne is now known as Guest52285  (06:21)
*** timburke has joined #openstack-keystone  (06:23)
*** guoshan has joined #openstack-keystone  (06:30)
*** jamielennox is now known as jamielennox|away  (06:36)
*** richm has quit IRC  (06:41)
*** haplo37_ has joined #openstack-keystone  (07:05)
*** tesseract has joined #openstack-keystone  (07:18)
*** tesseract is now known as Guest90313  (07:18)
<openstackgerrit> Merged openstack/python-keystoneclient: Replace 'assertFalse(a in b)' with 'assertNotIn(a, b)'
*** jaosorior has joined #openstack-keystone  (07:39)
*** pcaruana has joined #openstack-keystone  (07:45)
*** GB21 has quit IRC  (07:51)
*** belmoreira has joined #openstack-keystone  (07:51)
*** adriant has quit IRC  (07:55)
*** henrynash has quit IRC  (07:55)
*** GB21 has joined #openstack-keystone  (07:56)
*** jamielennox|away is now known as jamielennox  (08:03)
*** openstackgerrit has quit IRC  (08:03)
*** openstackgerrit has joined #openstack-keystone  (08:03)
*** amoralej|off is now known as amoralej  (08:12)
*** hogepodge has quit IRC  (08:15)
*** GB21 has quit IRC  (08:40)
*** lifeless has quit IRC  (08:45)
*** GB21 has joined #openstack-keystone  (08:45)
*** lifeless has joined #openstack-keystone  (08:47)
*** jpich has joined #openstack-keystone  (08:55)
<openstackgerrit> melissaml proposed openstack/keystone-specs: Fix a typo in identity-api-v3.rst
*** hoangcx has quit IRC  (08:59)
*** zzzeek has quit IRC  (09:00)
*** zzzeek has joined #openstack-keystone  (09:00)
*** namnh has quit IRC  (09:00)
*** belmoreira has quit IRC  (09:03)
<openstackgerrit> henry-nash proposed openstack/keystone: [api] add changelog from 3.0 -> 3.7
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone
*** spzala has joined #openstack-keystone  (09:40)
*** spzala has quit IRC  (09:45)
*** denezhkin has joined #openstack-keystone  (09:47)
*** denezhkin is now known as pikwick  (09:48)
*** AlexeyAbashkin has joined #openstack-keystone  (09:53)
<pikwick> Hello! I have issues with python installation. I cloned sources from git, but when I do pip install -r requirements.txt I receive error: error: command 'gcc' failed with exit status 1  (09:53)
<pikwick> How to fix such issues?  (09:54)
*** AlexeyAbashkin has quit IRC  (10:16)
*** GB21 has quit IRC  (10:16)
*** belmoreira has joined #openstack-keystone  (10:17)
<amoralej> hi, i'm hitting an issue with keystoneauth1 when using admin_token,
<openstack> Launchpad bug 1642897 in os-client-config "osc commands fail when using os-client-config >= 1.23.0" [Undecided,New]  (10:17)
*** guoshan has quit IRC  (10:32)
<openstackgerrit> Dave Chen proposed openstack/keystone: WIP - Bootstrapping keystone for identity ldap backend.
*** zhangjl has left #openstack-keystone  (10:38)
*** udesale has quit IRC  (10:50)
*** jvarlamova has joined #openstack-keystone  (10:57)
*** jperry has joined #openstack-keystone  (11:04)
*** jaosorior is now known as jaosorior_lunch  (11:04)
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone
*** richm has joined #openstack-keystone  (11:10)
*** guoshan has joined #openstack-keystone  (11:12)
*** guoshan has quit IRC  (11:16)
*** nicolasbock has joined #openstack-keystone  (11:21)
*** khamtamtun has joined #openstack-keystone  (11:35)
*** jaosorior_lunch is now known as jaosorior  (11:44)
<openstackgerrit> Merged openstack/keystone-specs: Fix a typo in identity-api-v3.rst
<openstackgerrit> Merged openstack/keystone: [api] add changelog from 3.0 -> 3.7
*** Adri2000 has joined #openstack-keystone  (12:05)
<Adri2000> how may I debug a keystone instance that takes literally 4 minutes to respond to an http call (like "token issue")?  (12:06)
<Adri2000> logs don't help, even with verbose+debug. indeed, nothing crashes or errors. it just takes a *lot* of time  (12:07)
*** GB21 has joined #openstack-keystone  (12:07)
<Adri2000> that's mitaka's version, SQL backend, fernet tokens...  (12:07)
*** khamtamtun has quit IRC  (12:12)
*** guoshan has joined #openstack-keystone  (12:13)
*** guoshan has quit IRC  (12:15)
*** asettle has joined #openstack-keystone  (12:17)
*** asettle has quit IRC  (12:18)
*** raildo has joined #openstack-keystone  (12:20)
<openstackgerrit> Johannes Grassler proposed openstack/keystone-specs: Added spec on standalone trusts
*** hogepodge has joined #openstack-keystone  (12:31)
*** spzala has joined #openstack-keystone  (12:40)
*** spzala has quit IRC  (12:44)
<breton> Adri2000: try to add more debug prints and find out where the slow parts are  (12:52)
<Adri2000> breton: you mean in the code?  (12:53)
<breton> Adri2000: yes  (12:53)
*** GB21 has quit IRC  (12:56)
<breton> amoralej: hey  (13:04)
<amoralej> hi breton  (13:05)
<breton> amoralej: i reported earlier  (13:05)
<openstack> Launchpad bug 1642301 in python-openstackclient "__init__() got an unexpected keyword argument 'project_domain_id'" [Undecided,In progress] - Assigned to Boris Bobrov (bbobrov)  (13:05)
<breton> amoralej: with the same error as you have  (13:05)
<amoralej> ok, let me see  (13:06)
<amoralej> so fix is in openstackclient  (13:07)
<breton> amoralej: i am wondering whether this is the correct fix  (13:07)
*** tqtran has joined #openstack-keystone  (13:08)
<breton> i am also getting reports that mitaka is affected  (13:08)
<amoralej> i'm not sure, breton, i'm only hitting it in master  (13:08)
<amoralej> after os-client-config update to 1.23.0  (13:09)
<amoralej> stevemar, i guess you have already seen the "__init__() got an unexpected keyword argument 'project_domain_id'" issue, right?  (13:11)
*** tqtran has quit IRC  (13:12)
*** jperry has quit IRC  (13:13)
*** lamt has joined #openstack-keystone  (13:15)
*** edmondsw has joined #openstack-keystone  (13:16)
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Add developer docs for keystone-manage doctor
*** dave-mccowan has joined #openstack-keystone  (13:18)
<breton> i feel that also the correct fix would be in openstackclient, it will not be enough  (13:21)
<breton> and that we need to either fix os-client-config, or cap os-client-config in newton and mitaka  (13:22)
<breton> stevemar: what  (13:22)
<breton> stevemar: *what's your opinion?  (13:22)
<stevemar> catching up  (13:22)
<breton> *although the correct fix would be in openstackclient  (13:22)
<breton> what's the channel for osc?  (13:23)
<stevemar> breton: -sdks  (13:23)
*** asettle has joined #openstack-keystone  (13:24)
<stevemar> breton: amoralej if os-client-config introduced the change, then it should be reverted?  (13:24)
<amoralej> stevemar, os-client-config may have only uncovered it, i'm not sure  (13:26)
<amoralej> as, even with previous versions of os-client-config, it failed if --os-auth-type admin_token was used instead of token_endpoint  (13:27)
<amoralej> but, puppet uses token_endpoint, that's why it was not discovered before  (13:28)
*** asettle has quit IRC  (13:28)
<openstackgerrit> Jose Castro Leon proposed openstack/keystone: Adds support for array in the values of the endpoint group definition
<stevemar> amoralej: ah okay  (13:30)
<stevemar> breton: i suppose your fix looks fine  (13:30)
<amoralej> i'm testing it in my env  (13:30)
<amoralej> worked like a charm breton  (13:35)
<breton> stevemar: mitaka is broken too  (13:37)
<breton> and probably newton  (13:37)
*** spzala has joined #openstack-keystone  (13:41)
<stevemar> breton: can you beef up the commit message with more reasoning  (13:42)
*** jaosorior has quit IRC  (13:42)
*** amoralej is now known as amoralej|lunch  (13:42)
<breton> stevemar: will do  (13:43)
<stevemar> breton: i have no idea why adding that line fixes the problem, or what it has to do with project_domain_id  (13:45)
<openstackgerrit> Jose Castro Leon proposed openstack/keystone: Avoid encoding of project id in fernet tokens
*** markvoelker has joined #openstack-keystone  (13:49)
*** dmellado is now known as dmellado|lunch  (13:50)
*** baffle has quit IRC  (13:51)
*** baffle has joined #openstack-keystone  (13:52)
*** dave-mcc_ has joined #openstack-keystone  (13:54)
*** dave-mccowan has quit IRC  (13:55)
<stevemar> i wish people who filed blueprints would be online :(  (14:00)
*** phalmos has joined #openstack-keystone  (14:10)
*** dmellado|lunch is now known as dmellado  (14:12)
*** daemontool has joined #openstack-keystone  (14:13)
*** phalmos has quit IRC  (14:13)
*** jperry has joined #openstack-keystone  (14:20)
*** daemontool has quit IRC  (14:21)
*** daemontool has joined #openstack-keystone  (14:21)
*** amoralej|lunch is now known as amoralej  (14:42)
*** tqtran has joined #openstack-keystone  (14:42)
*** spzala has quit IRC  (14:42)
*** spzala has joined #openstack-keystone  (14:43)
*** GB21 has joined #openstack-keystone  (14:44)
*** lamt has quit IRC  (14:46)
*** spzala has quit IRC  (14:48)
*** pikwick has quit IRC  (14:51)
*** lamt has joined #openstack-keystone  (14:51)
*** dikonoor has quit IRC  (14:52)
<lbragstad> stevemar looking at any in particular?  (14:52)
*** chlong has joined #openstack-keystone  (14:53)
*** asettle has joined #openstack-keystone  (14:54)
*** adrian_otto has joined #openstack-keystone  (14:57)
*** asettle has quit IRC  (14:58)
<stevemar> lbragstad: these two new ones:
*** chris_hultin|AWA is now known as chris_hultin  (15:06)
<lbragstad> stevemar i'll leave some comments on the uuid id one...  (15:08)
*** edtubill has joined #openstack-keystone  (15:11)
*** ravelar has joined #openstack-keystone  (15:26)
*** adrian_otto has quit IRC  (15:27)
*** chrisplo has joined #openstack-keystone  (15:28)
*** chrisplo_ has quit IRC  (15:31)
<openstackgerrit> Jose Castro Leon proposed openstack/keystone: Adds support for array in the values of the endpoint group definition
*** diazjf has joined #openstack-keystone  (15:33)
*** josecastroleon has joined #openstack-keystone  (15:35)
<stevemar> yayyy jury duty is over  (15:36)
<stevemar> i can go home  (15:36)
<lbragstad> stevemar nice  (15:36)
<lbragstad> stevemar that took a while  (15:36)
<josecastroleon> stevemar: what do you think about the bugs I sent?  (15:36)
<stevemar> josecastroleon: you didn't need to abandon the patches, just file bugs instead of blueprints  (15:38)
<stevemar> josecastroleon: i can't believe someone is using endpoint grouping  (15:38)
<josecastroleon> i filed them  (15:38)
<stevemar> josecastroleon: and the uuid one, i suppose that one is fine  (15:38)
*** diazjf has quit IRC  (15:38)
<lbragstad> josecastroleon do you have links to the bugs?  (15:38)
<stevemar> josecastroleon: just add a few tests to the patch and they should be OK to merge  (15:38)
<josecastroleon> they are just WIP  (15:39)
<josecastroleon> we use them here but it could make sense for everyone  (15:39)
*** asettle has joined #openstack-keystone  (15:41)
<openstackgerrit> Merged openstack/keystone: Add developer docs for keystone-manage doctor
<stevemar> josecastroleon: will you ensure the patches get merged? or are you just leaving them here and are going to maintain your own fork?  (15:43)
*** GB21 has quit IRC  (15:44)
<stevemar> back in 20 minutes, walking home  (15:44)
<josecastroleon> stevemar: I'd prefer to have them merged  (15:45)
<stevemar> ravelar: i appreciate the gusto, but don't go assigning yourself 10 different bugs :)  (15:46)
*** jdennis1 has joined #openstack-keystone  (15:46)
<stevemar> ravelar: you're only human! let's all share the pain and break things together  (15:47)
<ravelar> stevemar, just 4 to keep me busy :) but i can unassign a couple lol  (15:47)
*** spzala has joined #openstack-keystone  (15:47)
*** edtubill has quit IRC  (15:48)
*** jdennis has quit IRC  (15:48)
<openstackgerrit> Jose Castro Leon proposed openstack/keystone: Avoid encoding of project id in fernet tokens
<josecastroleon> that's the second one  (15:49)
*** pcaruana has quit IRC  (15:50)
*** ruan_04 has quit IRC  (15:50)
*** HenryG has quit IRC  (15:50)
*** HenryG has joined #openstack-keystone  (15:51)
*** adrian_otto has joined #openstack-keystone  (15:55)
*** tqtran has quit IRC  (15:55)
<dtroyer> ayoung: (since I don't see you in -sdks this morning) quick revisit on (the project_domain_id bug): we've already done the wrong thing for user_domain_id, plus the plugin has not been instantiated yet so we can't query it here. I agree this is wrong, but two wrongs of the same next to each other are not much worse than one…  (15:56)
<ayoung> dtroyer, so long as you don't mind breaking people and locking us into long term mistakes  (15:57)
<dtroyer> we already have done that  (15:57)
<ayoung> I know. It's called Keystone  (15:57)
* dtroyer checks which room this is  (15:57)
*** belmoreira has quit IRC  (15:57)
<dtroyer> This should get removed in the upcoming merge of this sort of logic into os-client-config. there are many bad hacks yet that will be taken care of  (15:58)
<dtroyer> I can live with this new one for now  (15:58)
*** GB21 has joined #openstack-keystone  (15:58)
<ayoung> dtroyer, I'd prefer to have jamielennox chime in first  (15:58)
<ayoung> if he can be convinced, I'd accept it  (15:58)
<breton> i have one more question  (15:58)
<breton> what do we do with older clients?  (15:58)
*** nkinder has joined #openstack-keystone  (15:58)
<dtroyer> ok. I +2 it, but not +A  (15:58)
<ayoung> my concern is that we are going to force people to use password. Then again, we elected Trump, so maybe bad is the new good.  (15:59)
*** anush has joined #openstack-keystone  (15:59)
*** phalmos has joined #openstack-keystone  (15:59)
<ayoung> dtroyer, but I'd rather blacklist the plugins we know it breaks than whitelist a subset  (16:00)
<dtroyer> of course, the plugins might choose to just ignore things they do not expect… we only look at them here to do educated guesses at what the users intend  (16:02)
<lbragstad> josecastroleon what's the rationale behind ?  (16:03)
<openstack> Launchpad bug 1642988 in OpenStack Identity (keystone) "Avoid encoding of project id in fernet tokens" [Undecided,In progress] - Assigned to Jose Castro Leon (jose-castro-leon)  (16:03)
<lbragstad> josecastroleon we opted to encode the uuid, if possible, because it saves space in the overall payload  (16:03)
<lbragstad> making the entire token smaller  (16:03)
<lbragstad> josecastroleon are you guys unpacking the tokens somewhere and inspecting the payload?  (16:04)
*** phalmos has quit IRC  (16:04)
*** daemontool has quit IRC  (16:05)
*** Guest90313 has quit IRC  (16:09)
*** anush has quit IRC  (16:10)
*** anush has joined #openstack-keystone  (16:12)
<ayoung> blast from the past....have not heard from josecastroleon for a while  (16:12)
*** anush has quit IRC  (16:12)
*** anush has joined #openstack-keystone  (16:13)
*** anush has quit IRC  (16:13)
*** anush has joined #openstack-keystone  (16:14)
*** anush has quit IRC  (16:14)
*** anush has joined #openstack-keystone  (16:16)
*** anush has quit IRC  (16:21)
<stevemar> dtroyer: o/  (16:24)
<stevemar> breton: cap o-c-c for older versions?  (16:24)
<breton> тфрб ш дшув  (16:24)
<breton> nah, i lied  (16:24)
<stevemar> dtroyer: i +A'ed  (16:24)
<breton> old clients are not broken  (16:24)
<stevemar> breton: i'm very confused :)  (16:25)
<breton> there is some other error. That looks similar. But not the same.  (16:25)
<breton> stevemar: that was russian crypto, you were supposed to get confused  (16:25)
*** diazjf has joined #openstack-keystone  (16:26)
*** adrian_otto has quit IRC  (16:26)
<breton> 'Execution of '/usr/bin/openstack role list --quiet --format csv' returned 1: __init__() got an unexpected keyword argument 'read_timeout' (HTTP 400) (Request-ID: req-5692b819-eb8c-446c-b09b-4d7d44e19b2d)'. Retrying for 165 more seconds  (16:26)
* breton sighs  (16:26)
<stevemar> dtroyer: did you want to propose a point release?  (16:29)
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers
*** dikonoor has joined #openstack-keystone  (16:49)
<openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers
*** tqtran has joined #openstack-keystone  (16:52)
*** agrebennikov has joined #openstack-keystone  (16:54)
*** tqtran has quit IRC  (16:56)
<stevemar> rderose: so how do you plan on solving the issue if an existing idp and domain name match?  (16:59)
<stevemar> rderose: i imagine you are going through the idp list and creating domain entries for all of those? as part of a migration?  (16:59)
<rderose> for existing IdPs, I'll pull the domain from the mapping; if it doesn't exist, I'll create a new domain  (17:00)
<rderose> yes, as part of the migration  (17:00)
<stevemar> rderose: and if it conflicts with an existing domain?  (17:00)
<rderose> conflicts? the new domain that I create?  (17:00)
<stevemar> i had domainA name "test" and an idp named "test"  (17:01)
<rderose> oh, I will give a unique name based on the IdP id (I think)  (17:01)
<rderose> idp doesn't have a name  (17:02)
<stevemar> hmm, ok, the idp_id won't be used as the domain name?  (17:02)
<rderose> only id and description  (17:02)
<rderose> stevemar: was thinking like idp_id_123456789 as the domain name  (17:02)
<rderose> but hopefully, most idps will have a domain in the mapping  (17:02)
<stevemar> rderose: i wouldn't bank on that :(  (17:03)
*** adrian_otto has joined #openstack-keystone  (17:04)
<rderose> stevemar: still playing with this idea. I know it's a better design to have the domain_id as part of the IdP  (17:04)
<rderose> but implementation could be complicated (working thru it now)  (17:04)
*** Zer0Byte__ has joined #openstack-keystone17:25
*** Guest52285 is now known as mgagne17:33
*** mgagne has quit IRC17:33
*** mgagne has joined #openstack-keystone17:33
*** ravelar has quit IRC17:48
*** jpich has quit IRC17:53
*** tqtran has joined #openstack-keystone17:53
*** diazjf has quit IRC17:54
*** jperry has quit IRC17:57
*** tqtran has quit IRC17:58
*** adrian_otto has quit IRC17:58
openstackgerritRon De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers
openstackgerritRon De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers
*** asettle has quit IRC18:06
*** ravelar has joined #openstack-keystone18:09
*** adrian_otto has joined #openstack-keystone18:12
*** ravelar has quit IRC18:13
*** ravelar has joined #openstack-keystone18:14
stevemarlbragstad: about to propose a patch that touches a lot of configuring.rst18:27
stevemardon't bike shed lol18:27
lbragstadstevemar sounds good18:28
*** Zer0Byte__ has quit IRC18:28
openstackgerritRichard Avelar proposed openstack/keystone: Don't invalidate all user tokens of roleless group
*** GB21 has quit IRC18:35
lbragstadmfisch are you around?18:40
lbragstadmfisch have you had a chance to dig into ?18:41
lbragstadI might have a diff for you if you haven't18:41
mfischno, breton is18:41
mfischbut I did some perf measurements18:42
lbragstadmfisch what were the results?18:42
mfischits a small improvement and possibly in the range of error/std deviation18:42
mfischand I've had no issues with it18:42
mfischso it might be a test problem18:42
mfischbut I'm not going to enable it until I see this pass ;)18:42
mfischgonna push newton to staging after the thanksgiving break18:42
mfischlbragstad: I will be in Texas actually18:43
lbragstadmfisch cool - newton went fine I heard?18:43
mfischyeah actually no blip even18:43
mfischnot so many breaking db changes18:43
lbragstadwell - that's good !18:44
*** chris_hultin is now known as chris_hultin|AWA18:45
lbragstadmfisch it seems that on your patch fixes the failing tests...18:45
lbragstadcc breton ^18:45
lbragstadstill running tests locally though18:45
mfischwhat does if self._needs_persistence: do18:46
lbragstadmfisch it check if the configured token provider requires a persistent backend for the tokens18:46
openstackgerritSteve Martinelli proposed openstack/keystone: Update configuration.rst documentation
lbragstadmfisch for example -
lbragstadmfisch or
*** chris_hultin|AWA is now known as chris_hultin18:47
stevemarmfisch: oh i assumed it was a test problem18:48
*** arunkant has joined #openstack-keystone18:51
mfischlbragstad: so that's why I don't see it then18:51
mfischthis affects uuid18:51
*** dikonoor has quit IRC18:51
lbragstadmfisch yeah - it looks like it fails a lot of uuid tests.18:52
mfischso it's a legit bug18:52
lbragstadit looks like the uuid format of a newly issued token is missing some sort of information18:52
lbragstadbecause it fails on a KeyError18:53
mfischthis is a great way to force people to stop using UUID!18:53
lbragstadwhich is kind of mind blowing18:53
lbragstad"we broke this, on purpose, you're welcome"18:53
* mfisch for PTL18:53
openstackgerritSteve Martinelli proposed openstack/keystone: Update configuration.rst documentation
*** chris_hultin is now known as chris_hultin|AWA18:57
*** lamt has quit IRC18:58
lbragstadbreaking to get lunch19:02
*** asettle has joined #openstack-keystone19:08
mfischlbragstad: let me know what else you find out, I'm done for the week in a few hours19:08
nicolasbockHi! Is it possible to change the keystone {admin,public,internal} urls _after_ I have run bootstrap already?19:08
nicolasbockSay I want to switch from http to https19:08
mfischyou can delete and recreate them pretty easily19:09
nicolasbockmfisch, do I need to do that directly in the database?19:09
mfischopenstack endpoint delete openstack endpoint create19:10
nicolasbockso I would do that first, reconfigure keystone's wsgi mod and then restart apache?19:10
nicolasbockin that order?19:10
mfischyou don't need to restart apache to change an endpoint19:11
mfischwait you mean in the catalog?19:11
nicolasbockWhat's that exactly?19:11
mfischthe keystone catalog19:11
mfischwhere all the endpoints are?19:11
*** josecastroleon1 has joined #openstack-keystone19:12
mfischbottom line is I'm not exactly sure what you are asking but you can change endpoints after bootstrap yes19:12
nicolasbockI don't know. Let's say I install keystone and run keystone-manage bootstrap --bootstrap-admin-url http://....19:12
nicolasbockEverything is running, then I decide to switch keystone to use https19:12
josecastroleon1ayoung: hi19:13
mfischopenstack endpoint delete .... openstack endpoint create19:13
mfischplay with it locally19:13
mfischhttps would also require more config or ssl offload19:13
stevemarbreton: we'll release osc 3.4.1 on monday morning19:13
nicolasbockmfisch, ok, I will19:13
nicolasbockmfisch, thanks!19:13
mfischstevemar: can you get rid of that horrible warning19:13
mfischit's so annoying19:13
mfischand not useful for end users19:13
stevemarmfisch: what warning?19:13
*** ravelar has quit IRC19:14
*** josecastroleon1 is now known as josecastroleon_19:14
mfischWARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils. This warning is caused by an out-of-date import in /usr/local/lib/python2.7/site-packages/designateclient/osc/plugin.py19:14
mfischevery time I run a ^&%^& command19:14
mfischoh hmm19:14
mfischmaybe that's my fault19:14
stevemarmfisch: "/usr/local/lib/python2.7/site-packages/designateclient/osc/"19:14
mfischyeah dang it19:14
stevemarupdate your designateclient homie19:14
mfischour designate is like from 199619:14
stevemari bet it's seen space jam19:15
mfischI think I installed a special version at one point I will go clean up19:15
*** josecastroleon_ has left #openstack-keystone19:15
stevemarlooks like the fix is in the latest:
lbragstadmfisch I'll keep poking at it19:17
* mfisch heads to lunch19:17
stevemarlbragstad: take a look at my doc patch :D19:17
stevemari think you'll like it19:17
lbragstadstevemar you changed 500 lines in configuration.rst19:18
stevemarlbragstad: yeah... most of it is moving things or removing things19:18
*** chris_hultin|AWA is now known as chris_hultin19:19
stevemarlbragstad: if i undo the moves, it'll be <20019:19
stevemarwant that?19:19
lbragstadstevemar naw - i'll get through it19:20
stevemarlbragstad: i'll add comments in the review19:20
*** Zer0Byte__ has joined #openstack-keystone19:20
lbragstadstevemar cool - that will help19:20
morgan_stevemar: omg reviews!19:28
*** edtubill has joined #openstack-keystone19:29
stevemarlbragstad: added notes19:29
*** tqtran has joined #openstack-keystone19:29
lbragstadstevemar sweet19:30
lbragstadstevemar thoughts on this?
openstackLaunchpad bug 1642988 in OpenStack Identity (keystone) "Avoid encoding of project id in fernet tokens" [Undecided,In progress] - Assigned to Jose Castro Leon (jose-castro-leon)19:30
lbragstadspecifically the 4th comment19:30
stevemarlbragstad: if their patch works for them, they can carry it19:33
stevemarid rather not have a weird option for a project id format we don't support19:33
lbragstadstevemar random question - does OS_AUTH_TYPE need to be set in order to do federated authentication?19:39
stevemarlbragstad: it's been so long i couldn't answer you confidently,19:39
stevemarlbragstad: but it definitely would help, it'll look for that plugin specifically19:39
stevemarinstead of trying to guess19:39
ayoungjosecastroleon, did my suggestion make sense?19:39
lbragstadjosecastroleon you could essentially get that behavior by making your own token formatting and all you'd have to change is this -
lbragstadnot all formats would need to change - the only one that would need to change would be the base formatter since that is what is supplying the conversion methods for all the other formatters to use19:43
lbragstadthen you don't need a configuration option either19:44
lbragstadif you always know that your IDs will be using the dashed representation19:44
*** chris_hultin is now known as chris_hultin|AWA19:47
*** chris_hultin|AWA is now known as chris_hultin19:49
*** amoralej is now known as amoralej|off19:51
*** diazjf has joined #openstack-keystone19:52
*** edtubill has quit IRC20:01
bretonstevemar: yey! But also let's discuss ksc on Tuesday20:03
stevemarbreton: yep20:05
lbragstadbreton o/20:06
lbragstaddo you know if or what you have to set OS_AUTH_TYPE to when using federation?20:06
lbragstad(SAML specifically)?20:06
openstackgerritayoung proposed openstack/keystone-specs: Token Verify Role Check
ayounglbragstad, I'm going for a new record.  Longest Spec.20:09
lbragstadayoung that's probably going to be a tough one to beat20:09
ayounglbragstad, keep up the good questions.  I'm working on an implementation in parallel, and it is raising lots of questions.20:10
ayoungHere is the big one right now:  I kindof want to make it one role per URL-Pattern20:10
lbragstadayoung but what about the action being taken on the url?20:11
ayounglink, if you need to have 2 roles for the same operation, use implied roles to link them somehow20:11
lbragstadi would think that needs to be taken into consideration20:11
ayounglbragstad, the URL pattern entity is :  id, Service, Verb, pattern20:11
ayoungI have a second table right now which is role_to_url_pattern that I think I want to remove20:11
ayoungand instead make url pattern:20:12
ayoung id, Service, Verb, pattern, role_id20:12
ayoungperhaps url_pattern is not a good name, either20:12
ayoungbut I don't have a better one, so I used it so I could make progress20:12
ayounglbragstad, if you wanted, say, 5 different roles that all implied one operation, you could either have one role that the other 4 imply, or create an operation specific role and have all 5 imply that one.20:15
ayoungI think it makes it easier for deployers if there is only ever one role specified per operation20:15
lbragstadi'm going to ask you for an example...20:16
lbragstadlike - make it more dumber so i can understand it :)20:16
ayounglbragstad, just phrasing it that way makes me think that I am right to go for the simpler solution...OK, let me see if I can come up with one20:17
lbragstadwhy would a single operation need five roles?20:17
ayounglbragstad, that is an extreme example, but  let me see if I can come up with something more realistic20:17
lbragstadayoung are you saying that in order to boot an instance a user needs to have the 'observer' role, the 'creator' role, etc... ?20:17
ayounglbragstad, not "and"20:18
ayoungin order to boot an instance they can have either 'booter' or 'rebooter'  or 'creator' or 'admin' or 'member'20:18
ayounglbragstad, so, let's say that it starts off with the following set up:20:19
ayoungwe have a system where admin implies member20:19
ayoungshorthand is admin->member20:19
ayoungso we say that the operation POST /compute/boot requires the member role20:20
ayoungnow someone comes up with a new role, say a process that is just supposed to create VMs automatically, but nothing else20:20
ayoungcall this the booter role20:20
ayoungwe could do two things:20:20
ayoung1. say that member->booter and then   POST  /compute/boot requires the booter role20:21
ayoungor, create a role called compute_boot, say member->compute_boot, booter->compute_boot and POST /compute/boot requires compute_boot20:21
ayoungthat example would be clearer if instead of 'booter' I made it 'helper'20:22
ayounglet's say we create a helper role that can do that and, say, one other thing, like upload a snapshot20:22
ayoungeither member->helper,  helper->compute_boot, helper->image_upload  or we do  member->compute_boot, member->image_upload, helper->compute_boot, helper->image_upload20:24
ayoungbut in all cases, the operation itself only requires a single role20:24
openstackgerritSteve Martinelli proposed openstack/keystone: Move docs from key_terms to architecture
ayoungthe alternative is that we make an operation directly allow multiple  roles, but that makes it harder to do specified delegation20:25
ayounglbragstad, I realize this is a little esoteric, but getting it right is important to making the API usable20:25
openstackgerritSteve Martinelli proposed openstack/keystone: Move docs from key_terms to architecture
lbragstadayoung hmmm20:27
lbragstadayoung but an operation can require a member role20:30
lbragstadwhich requires like 3 other things20:30
ayounglbragstad, so the starting point, pre customization, will be that all operations require only the member role20:30
*** raildo has quit IRC20:35
lbragstadalright - actually breaking for lunch this time... for real...20:35
*** asettle has quit IRC20:45
*** edtubill has joined #openstack-keystone20:46
stevemarcrinkle: yay +1 from you20:47
stevemarlbragstad: :)20:47
openstackgerritSteve Martinelli proposed openstack/keystone: Remove extension doc
openstackgerritSteve Martinelli proposed openstack/keystone: Remove extension doc
*** chlong has quit IRC20:53
openstackgerritSteve Martinelli proposed openstack/keystone: Remove extension and auth_token middleware docs
*** clenimar has quit IRC20:56
crinklestevemar: yay docs20:58
stevemarcrinkle: trying to figure out how to get rid of services.html20:58
stevemarcrinkle: it overlaps with
crinklestevemar: does it need to go away? are all the other services okay with v3 now?21:04
stevemari think mostly, but it's nice to have history there21:08
stevemarcrinkle: i guess just the 'glossary' bugs me :)21:08
*** dave-mcc_ has quit IRC21:18
stevemarcrinkle: any doc suggestions we want to pass along? :)21:24
*** adrian_otto has quit IRC21:24
openstackgerritSteve Martinelli proposed openstack/keystone: Move docs from key_terms to architecture
*** anush has joined #openstack-keystone21:28
*** catintheroof has joined #openstack-keystone21:31
*** edtubill has quit IRC21:31
*** edmondsw has quit IRC21:43
*** diazjf has quit IRC21:44
ayoungI want to rip out the json_home tests.  They are horrible21:55
*** dave-mcc_ has joined #openstack-keystone21:56
*** dave-mcc_ has quit IRC21:59
*** asettle has joined #openstack-keystone22:03
*** diazjf has joined #openstack-keystone22:08
bretonlbragstad: v3samlpassword22:13
openstackgerritSteve Martinelli proposed openstack/keystone: clean up developer docs
stevemarlbragstad: crinkle if you want another
stevemarayoung: they are not the worst22:14
ayoungno but they are useless22:15
openstackgerritSteve Martinelli proposed openstack/keystone: Update configuration.rst documentation
*** chris_hultin is now known as chris_hultin|AWA22:26
openstackgerritSteve Martinelli proposed openstack/keystone: move content from configuringservices to configuration
openstackgerritSteve Martinelli proposed openstack/keystone: Update configuration.rst documentation
openstackgerritSteve Martinelli proposed openstack/keystone: move content from configuringservices to configuration
openstackgerritSteve Martinelli proposed openstack/keystone: Move docs from key_terms to architecture
openstackgerritSteve Martinelli proposed openstack/keystone: Remove extension and auth_token middleware docs
*** spzala has quit IRC22:32
*** adrian_otto has joined #openstack-keystone22:33
openstackgerritSteve Martinelli proposed openstack/keystone: clean up developer docs
stevemarokay i am done for today22:35
stevemari am finally happy with our docs22:35
stevemarlook at the last patch if you want to see what it looks like22:35
lbragstadstevemar cool thanks - still reviewing22:36
openstackgerritRon De Rose proposed openstack/keystone: Lockout ignore user list
*** rakhmerov has quit IRC23:04
*** anush has quit IRC23:07
*** rakhmerov has joined #openstack-keystone23:08
*** anush has joined #openstack-keystone23:09
*** anush has quit IRC23:12
*** diazjf has quit IRC23:19