Tuesday, 2016-11-22

*** guoshan has joined #openstack-keystone00:05
*** richm has quit IRC00:08
*** guoshan has quit IRC00:09
*** agrebennikov has quit IRC00:12
*** antwash has quit IRC00:31
*** jlwhite has quit IRC00:32
*** Dave has quit IRC00:37
*** jlwhite has joined #openstack-keystone00:38
*** antwash has joined #openstack-keystone00:39
*** Dave_____ has joined #openstack-keystone01:00
*** Dave_____ is now known as Dave01:05
*** guoshan has joined #openstack-keystone01:06
*** guoshan has quit IRC01:10
*** zhangjl has joined #openstack-keystone01:26
lbragstadadriant that's a good question - i'm not entirely sure what uses cert...01:30
lbragstadthat might be a good usage question for the mailing list though01:30
*** dave-mccowan has joined #openstack-keystone01:31
*** guoshan has joined #openstack-keystone01:31
*** jperry has joined #openstack-keystone02:01
*** guoshan has quit IRC02:07
*** dave-mccowan has quit IRC02:07
*** chrisplo has quit IRC02:07
*** zhangjl has quit IRC02:08
*** guoshan has joined #openstack-keystone02:08
*** namnh has joined #openstack-keystone02:09
*** zhangjl has joined #openstack-keystone02:09
*** guoshan has quit IRC02:33
openstackgerritayoung proposed openstack/keystone: Refactor Authorization:  https://review.openstack.org/38716102:34
openstackgerritayoung proposed openstack/keystone: Refactor is_admin  https://review.openstack.org/38771002:35
*** tqtran has quit IRC02:36
*** guoshan has joined #openstack-keystone02:38
*** Alagar has joined #openstack-keystone02:38
adriantlbragstad: I thought it was something to do with tokenless auth via certs, but I just couldn't find any code that actually used the credential api :(02:41
adriantWill email the list.02:42
ayoungadriant, I did not.  That was gyee02:54
adriantayoung: ah, thanks. I found the spec. Steve merged it, and gyee was the one who worked on it from what was there.02:56
*** richm has joined #openstack-keystone02:56
*** dikonoor has joined #openstack-keystone03:10
stevemaradriant: tokenless auth didn't actually use the certs from the credentials API03:11
stevemaradriant: the credentials API was largely unused for a long time03:11
adriantstevemar: hmmm ok. That makes more sense.03:12
stevemaradriant: when originally designed, it was deliberately made generic enough to support many types of credentials, by simply stating the 'type' and the 'blob'03:12
stevemaradriant: whats the original question about certs anyway?03:12
adriantYou've answered it. :)03:13
adriantI was trying to work out if it used the credentials api or not03:13
stevemaradriant: we eventually reworked the ec2 bits to actually store stuff in credentials, but even there... i'm not sure anyone uses the ec2 stuff03:13
adriantwe do03:13
adriantthe interoperability with openstack and AWS is useful.03:14
AlagarI have installed OpenStack using the devstack script on top of the Xen hypervisor; in this setup OpenStack runs as a virtual machine.03:14
AlagarWhen I create an instance in OpenStack, the instance should be created on the Xen hypervisor, but it's not happening.03:14
AlagarCould someone please guide me?03:14
AlagarI am trying to integrate OpenStack with Xen.03:14
stevemaradriant: cool. that's good to know03:14
adriantAlagar: wrong channel perhaps?03:15
stevemaradriant: unfortunately, I don't think many people use it to store certs03:15
stevemarAlagar: you'll have better luck in #openstack-dev or #openstack-nova03:15
stevemaradriant: so what are you thinking about for certs and the credentials api?03:16
adriantOh nothing, just the OSClient lists the types for credentials as cert and ec203:16
adriantand i just couldn't actually find the code that used the cert type so was confused03:16
adriantstevemar: was mainly in relation to this spec https://review.openstack.org/#/c/34570503:17
adriantstevemar: and trying to figure out exactly what the credentials api is used for03:17
adriantstevemar: the main gist being that I'm not sure using the credentials API directly is a good idea, but as it stands I'm not sure how useful refactoring it is either. So I'm leaning towards new APIs for TOTP creds.03:20
stevemarit is AFAIK rarely used, only for ec2 stuff03:24
adriantstevemar: yeah, that seems to be the case. Well that answers my questions. :)03:31
adriantoh stevemar: did you get a chance to look over the silly CIDR authentication I was playing with? http://paste.openstack.org/show/589067/03:32
stevemaradriant: its been on my to-read for days03:40
adriantstevemar: hah, np. :) It was a silly idea I had, and thought I'd test it with a quick and dirty prototype.03:41
stevemaradriant: the thing that came up in my mind was - load balancers, gotta make sure we're getting the right ip address03:41
adriantyeah, as long as they correctly pass along the request and don't pollute the IP. I'll need to check how that's handled in our deployment to see if it is viable.03:42
adriantstevemar: hmmm, yeah in our case we're using HAproxy and 'forwardfor' so it is being passed along, but likely as a header.03:47
adriantNeed to dig into that some more.03:47
*** dikonoor has quit IRC03:47
adriantstevemar: ah, found it: "HTTP_X_FORWARDED_FOR" is the ip as passed along by our load balancers. So the question is how can I access that data easily in keystone.03:49
stevemaradriant: i think someone had a patch for that so the IP is properly recorded in a notification03:51
* stevemar goes digging03:51
adriantstevemar: at any rate, provided your load balancer passes along the IP somehow, and the header/ip_location is configurable, we could totally do something like IP based authentication in keystone.03:53
stevemaradriant: https://review.openstack.org/#/c/367031/03:53
adriantstevemar: oh, fantastic.03:54
stevemaradriant: yeah, i haven't thought about the revoking bits yet03:54
*** guoshan has quit IRC03:55
*** jperry has quit IRC04:06
*** links has joined #openstack-keystone04:08
*** dikonoor has joined #openstack-keystone04:08
*** udesale has joined #openstack-keystone04:10
*** guoshan has joined #openstack-keystone04:18
*** adriant has quit IRC04:24
*** GB21 has joined #openstack-keystone04:33
*** Alagar has quit IRC04:33
*** Alagar has joined #openstack-keystone04:33
*** tqtran has joined #openstack-keystone04:34
*** edtubill has joined #openstack-keystone04:40
*** edtubill has quit IRC04:42
*** dikonoor has quit IRC04:52
*** Alagar has quit IRC05:04
*** Alagar has joined #openstack-keystone05:06
openstackgerritMerged openstack/keystone: Update configuration.rst documentation  https://review.openstack.org/39973005:26
*** GB21 has quit IRC05:28
*** chrisplo has joined #openstack-keystone05:30
*** chrisplo has quit IRC05:34
*** guoshan has quit IRC05:35
*** GB21 has joined #openstack-keystone05:46
*** guoshan has joined #openstack-keystone06:10
*** GB21 has quit IRC06:10
*** jaosorior has joined #openstack-keystone06:17
*** GB21 has joined #openstack-keystone06:22
*** richm has quit IRC06:41
*** jaosorior has quit IRC06:49
*** jaosorior has joined #openstack-keystone06:49
*** josecastroleon has joined #openstack-keystone06:56
*** belmoreira has joined #openstack-keystone07:23
*** belmoreira has quit IRC07:24
openstackgerritJuan Antonio Osorio Robles proposed openstack/keystoneauth: Add reauthenticate to generic plugins  https://review.openstack.org/40055007:29
*** daemontool has joined #openstack-keystone07:48
jaosoriorjamielennox: hey, actually, I don't really know where to put the tests for that07:50
jaosoriorwas browsing around the repo and there doesn't seem to be an appropriate place for them, any hints?07:51
*** belmoreira has joined #openstack-keystone07:53
*** pcaruana has joined #openstack-keystone07:56
jaosoriorjamielennox: nevermind, found a place07:58
openstackgerritJuan Antonio Osorio Robles proposed openstack/keystoneauth: Add reauthenticate to generic plugins  https://review.openstack.org/40055007:59
*** rcernin_ has joined #openstack-keystone08:14
*** daemontool has quit IRC08:37
*** tqtran has quit IRC08:38
openstackgerritMerged openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243308:38
*** amoralej|off is now known as amoralej08:40
*** hogepodge has quit IRC08:45
*** jpich has joined #openstack-keystone08:57
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:01
*** GB21 has quit IRC09:26
*** tqtran has joined #openstack-keystone09:35
*** tqtran has quit IRC09:40
*** GB21 has joined #openstack-keystone09:40
*** asettle has joined #openstack-keystone09:40
*** asettle has quit IRC09:41
*** asettle__ has joined #openstack-keystone09:41
*** chrisplo has joined #openstack-keystone09:42
*** asettle__ is now known as asettle09:42
*** chrisplo has quit IRC09:47
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947209:52
*** namnh has quit IRC09:59
*** GB21 has quit IRC10:13
openstackgerritMerged openstack/keystone: Lockout ignore user list  https://review.openstack.org/39857110:18
*** thiagolib has joined #openstack-keystone10:22
*** zhangjl has left #openstack-keystone10:31
*** GB21 has joined #openstack-keystone10:35
*** guoshan has quit IRC10:41
*** udesale has quit IRC10:43
*** GB21 has quit IRC10:52
*** hoonetorg has quit IRC10:53
openstackgerritJohannes Grassler proposed openstack/keystone-specs: Added spec on standalone trusts  https://review.openstack.org/39663410:56
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947210:58
*** josecastroleon has quit IRC10:59
*** GB21 has joined #openstack-keystone11:05
*** richm has joined #openstack-keystone11:10
*** mvk has quit IRC11:15
*** guoshan has joined #openstack-keystone11:42
*** mvk has joined #openstack-keystone11:43
*** guoshan has quit IRC11:46
*** nicolasbock has joined #openstack-keystone11:49
*** chrisplo has joined #openstack-keystone12:09
jaosoriorrodrigods: can you revisit https://review.openstack.org/#/c/400550/ ?12:10
rodrigodsjaosorior, done :)12:11
jaosoriorrodrigods: thanks12:13
*** chrisplo has quit IRC12:14
openstackgerritRodrigo Duarte proposed openstack/keystone: Improvements in error messages  https://review.openstack.org/40071512:16
*** aloga has quit IRC12:18
*** aloga has joined #openstack-keystone12:18
openstackgerritMerged openstack/keystone: refactor notification test to work with either format  https://review.openstack.org/39993712:18
*** tesseract has joined #openstack-keystone12:19
*** tesseract is now known as Guest378712:19
*** jvarlamova has quit IRC12:27
*** jperry has joined #openstack-keystone12:31
*** guoshan has joined #openstack-keystone12:43
*** GB21 has quit IRC12:45
*** guoshan has quit IRC12:47
*** dave-mccowan has joined #openstack-keystone13:05
*** amoralej is now known as amoralej|lunch13:06
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947213:07
*** GB21 has joined #openstack-keystone13:10
*** jperry has quit IRC13:10
openstackgerritRodrigo Duarte proposed openstack/keystone: Upload service provider metadata to testshib  https://review.openstack.org/40074713:11
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/32476913:14
*** jvarlamova has joined #openstack-keystone13:15
openstackgerritMerged openstack/keystone: Enable CADF notification format by default  https://review.openstack.org/39733913:16
*** josecastroleon has joined #openstack-keystone13:19
*** GB21 has quit IRC13:22
openstackgerritMerged openstack/keystone: Swap the notification formats in the docs  https://review.openstack.org/39993813:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Federated authentication via ECP functional tests  https://review.openstack.org/32476913:24
rodrigodsstevemar, knikolla https://review.openstack.org/#/c/400747/ https://review.openstack.org/#/c/400750/13:26
*** lamt has joined #openstack-keystone13:28
*** chlong has joined #openstack-keystone13:36
*** tqtran has joined #openstack-keystone13:36
*** tqtran has quit IRC13:41
*** guoshan has joined #openstack-keystone13:43
*** guoshan has quit IRC13:48
*** deep_1 has joined #openstack-keystone14:05
deep_1 Is it possible to use ldap backend for storing s3 credentials ??14:05
*** daemontool has joined #openstack-keystone14:13
*** alex_xu has quit IRC14:14
*** alex_xu has joined #openstack-keystone14:18
*** amoralej|lunch is now known as amoralej14:18
bretondeep_1: no14:20
*** jperry has joined #openstack-keystone14:21
stevemardeep_1: nope14:24
deep_1@breton, @stevemar : So even when keystone is configured with ldap, one will need to create the credential in database14:26
stevemardeep_1: yep, only identity (users and groups) can be pulled from ldap14:28
*** daemontool has quit IRC14:28
openstackgerritSteve Martinelli proposed openstack/keystone: Improvements in error messages  https://review.openstack.org/40071514:33
bknudsondeep_1: keystone provides a plugin interface so you can plug in your own backend for credentials.14:40
*** daemontool has joined #openstack-keystone14:41
*** guoshan has joined #openstack-keystone14:44
*** guoshan has quit IRC14:49
*** jaosorior has quit IRC14:49
*** jaosorior has joined #openstack-keystone14:50
lbragstadjamielennox o/ curious if you've seen this - https://review.openstack.org/#/c/396634/3/specs/keystone/ocata/standalone-trusts.rst14:50
*** jaosorior has quit IRC14:51
*** jaosorior has joined #openstack-keystone14:51
lbragstadayoung too - https://review.openstack.org/#/c/39663414:55
openstackgerritSteve Martinelli proposed openstack/keystone: clean up developer docs  https://review.openstack.org/39978114:59
deep_1breton: thanks15:06
deep_1stevemar: thanks15:06
*** agrebennikov has joined #openstack-keystone15:14
*** chris_hultin|AWA is now known as chris_hultin15:26
*** hoonetorg has joined #openstack-keystone15:37
*** chris_hultin is now known as chris_hultin|AWA15:42
*** chris_hultin|AWA is now known as chris_hultin15:44
*** Alagar has quit IRC15:44
*** Alagar has joined #openstack-keystone15:45
*** ayoung has quit IRC15:45
*** guoshan has joined #openstack-keystone15:45
*** daemontool has quit IRC15:46
*** jaugustine has joined #openstack-keystone15:48
*** guoshan has quit IRC15:49
*** edtubill has joined #openstack-keystone15:51
*** udesale has joined #openstack-keystone15:53
*** jaosorior has quit IRC15:55
*** dave-mccowan has quit IRC15:55
*** anush has joined #openstack-keystone16:01
*** links has quit IRC16:04
*** rcernin_ has quit IRC16:06
*** deep_1 has quit IRC16:10
*** dave-mccowan has joined #openstack-keystone16:11
*** ravelar has joined #openstack-keystone16:12
*** Guest3787 has quit IRC16:16
*** belmoreira has quit IRC16:18
*** chrisplo has joined #openstack-keystone16:24
*** nk2527 has joined #openstack-keystone16:26
*** udesale has quit IRC16:26
*** ayoung has joined #openstack-keystone16:27
*** ChanServ sets mode: +v ayoung16:27
*** Alagar has quit IRC16:30
*** Alagar has joined #openstack-keystone16:31
knikollastevemar: o/16:43
*** guoshan has joined #openstack-keystone16:46
*** diazjf has joined #openstack-keystone16:46
*** mvk has quit IRC16:48
*** diazjf has quit IRC16:48
knikollawe'll be offering a cloud computing course at BU next semester, and we're looking for class projects. maybe a feature/spec in keystone that is easy to tackle but still has enough work to keep a team busy for the entire student semester would be a great way to introduce some students to the open source community. thoughts?16:48
knikollathe end of the class in the beginning of May aligns pretty well with the boston summit.16:49
lbragstadknikolla interesting - we tried that a couple times with various capstone groups at NDSU16:50
*** guoshan has quit IRC16:50
knikollalbragstad: how did that go?16:51
lbragstadknikolla well - we did several different approaches... my first experience with it was 2012 and I was in the group16:52
lbragstadit was myself and 3 other students and we had to deploy openstack cactus and diablo for the computer science department at NDSU16:53
lbragstadthat was an interesting experience and it was very operator centric16:53
lbragstadwe did hardly any development, except hacking small bits together to get authentication to tie into keystone somehow16:54
morgan_lbragstad: sounds like most development around cactus timeframe16:54
lbragstadthe next year - i was one of the mentors for the group that took over the deployment we had laid down the year prior16:54
lbragstadmorgan_ right?16:54
morgan_lbragstad: well... even until grizzly :P16:54
lbragstadknikolla we had the group after us build on the usecases we originally established, perform an upgrade, and add a couple new services to the deployment16:55
lbragstadknikolla so still very operator centric16:55
knikollalbragstad: i see. i was thinking something development related.16:56
lbragstadknikolla the year after that we wanted to try out development, so we had a different group start writing a tool for organizing the meeting structure for openstack16:56
knikollait's the first time we offer the course, and we always had projects be about developing things16:56
lbragstadknikolla which ultimately turned into https://github.com/openstack-infra/irc-meetings16:56
lbragstadand https://github.com/openstack-infra/yaml2ical16:57
lbragstadwe wanted to have them do some development... but of the three groups, the operator-oriented projects seemed to go a little smoother for both the mentors and the mentees16:58
lbragstadknikolla i think the reason for that was because we expected under-graduates to be familiar with all the openstack concepts and ready to contribute code by the first two weeks of the semester in order to stay on track with the release16:59
lbragstadthe operator-focused projects allowed them to see how the different projects interact with each other, understand how to fix things, and experience first hand what needs improvement, etc...17:00
lbragstadwhich was useful because they started to get a pretty good understanding of openstack as they went, versus having them develop something they'd never used before17:01
*** browne has joined #openstack-keystone17:01
knikollalbragstad: true.17:01
lbragstadknikolla if we had the opportunity to work with the group for two semesters, it would have been easier to get into development17:02
*** Alagar has quit IRC17:02
lbragstadbut at the time, the spring semester fell halfway through the release, and for students unfamiliar with some of the concepts - we didn't want to set them up to fail by giving them a feature to implement by milestone 317:03
*** anush has quit IRC17:04
knikollalbragstad: the timing would be that pike would open up for development around 1 month after the class starts17:04
lbragstadknikolla that would be much better timing than when we tried this17:04
lbragstadsince the semester would flow naturally in the release instead of awkwardly in the middle of it17:05
lbragstadknikolla i'm all *completely* for the idea, just wanted to share the experiences we've had17:05
knikollalbragstad: i know, i understand. i'm carefully optimistic about the scope of asking students to contribute code.17:06
knikollalbragstad: and i love that the summit will be here in boston just as the semester ends.17:07
knikollalbragstad: so that would grant students a ticket to it without requiring travel.17:07
lbragstadand obviously - being able to give a group of student a feature or spec depends on their programming experience, etc...17:07
lbragstadknikolla right - that's a really nice situation17:07
stevemarit also usually means someone handholding for a while17:08
stevemarthat can eat up day(s)17:08
knikollastevemar: i'd be the on-site mentor17:08
knikollaalong with whoever wants to help through hangouts/irc17:09
knikollawe can limit the project to students who say they have prior python experience17:09
knikollaand most students here do have python experience as that's what we teach some classes with17:09
lbragstadknikolla for a development specific course?17:10
lbragstadknikolla nice17:10
stevemarthats handy17:10
knikollathis is last year's course page with project list17:11
lbragstadknikolla so - if you realistically wanted to have them target something for Pike, you'd have to condense all the "how to contribute" information and patterns into 1 month?17:11
knikollalbragstad: correct17:11
*** tqtran has joined #openstack-keystone17:11
lbragstadas well as have a few specs (or even refactors for that matter) loaded and in the pipe when the semester starts17:11
openstackgerritGage Hugo proposed openstack/keystone: Add reason to CADF notifications in docs  https://review.openstack.org/40088217:12
knikollalbragstad: one spec for 1 group would be enough.17:12
lbragstadknikolla how big would the group be?17:12
knikollalbragstad: 3-517:13
knikollalbragstad: with 5-8 hours of work expected per student, during 13 weeks17:13
lbragstadknikolla cool - so a pretty small group17:13
knikollaaround 90 hours per person of dev time17:13
lbragstad5 - 8 hours of work expected per student per week?17:13
knikollalbragstad: yes17:13
knikolla5-8 per week. 90 total per student.17:13
lbragstadthat's always an interesting metric since it varies widely with experience17:14
lbragstadbut that's a lot of time!17:14
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675217:14
lbragstadknikolla it sounds do-able... depending on the specification or work you're planning on giving them17:15
lbragstadthe big thing is that you'd have a pretty small group, and the prerequisite language knowledge would be there17:15
knikollalbragstad: there will be no midterms/finals. so the project and reading a few papers is the only thing they'll be doing.17:15
lbragstadknikolla and reviews?17:15
*** tqtran has quit IRC17:16
knikollalbragstad: they'll be presenting the ongoing work to the class every 2 weeks. so we can also give them review from the keystone side every 2 weeks as they work on it.17:16
knikollathis won't be a hide in a corner and work a month project.17:16
lbragstadknikolla oh - i specifically meant code reviews17:17
lbragstadknikolla do you plan on having them review code weekly, or at all, etc?17:17
knikollalbragstad: them reviewing other code, or us reviewing their code?17:17
*** asettle has quit IRC17:18
lbragstadwell - we're obligated to reviewing their code.. i specifically meant them reviewing other code...17:18
lbragstadthe whole "in order to have your code reviewed you need to review other's code"17:18
knikollalbragstad: hmm… maybe we can set 1-2 hours a week for them to review code.17:19
knikollathat makes sense as part of the open source community17:19
lbragstadknikolla just thinking about the visibility it provides17:19
lbragstadand teaching the review process can be as intense or detailed as you want it to be17:20
lbragstadbut solid reviews from new contributors are a great way to ensure they get noticed17:20
lbragstadknikolla i also think about what things would be like for me today if i started contributing to open-source soon in my academic career ;)17:21
lbragstadknikolla http://lbragstad.com/why-you-should-contribute-to-open-source-in-college/17:21
knikollalbragstad: i was actually one of the students in the course last year. that's why i'm here now.17:22
lbragstadknikolla nice! we share quite a bit in common then17:23
knikollalbragstad: nice :)17:25
*** josecastroleon has quit IRC17:28
lbragstadknikolla so - since you were in those shoes a year ago and given your python experience at the time, what would have been a *reasonable* task for you and your group?17:29
lbragstadwithin keystone or openstack?17:30
*** tqtran has joined #openstack-keystone17:30
knikollalbragstad: i'm not sure. my project was mostly from an openstack api user perspective. basically make an hpc application use openstack for scheduling. so the code changes were mostly done to the application hosted on top of openstack.17:31
lbragstadknikolla aha - sure17:31
lbragstadthat makes sense17:31
knikollalbragstad: though from my experience as an openstack newbie contributor, keystone isn't too hard to get up to speed with, compared to nova/etc.17:32
lbragstadknikolla yeah - this is true17:32
lbragstadknikolla when i was a student and we deployed openstack, that was where we all really started to understand the scale of each project17:33
*** spilla has joined #openstack-keystone17:33
*** sirushti has joined #openstack-keystone17:35
knikollalbragstad: same. that was my first job as an intern though.17:38
*** Alagar has joined #openstack-keystone17:39
knikollawent from user to deployer when the class ended.17:39
lbragstadknikolla interesting - sounds like fun (and familiar!)17:40
*** mvk has joined #openstack-keystone17:41
*** guoshan has joined #openstack-keystone17:46
*** anush has joined #openstack-keystone17:49
*** guoshan has quit IRC17:51
stevemardo i go for lunch during the keystone meeting? :)17:54
*** raildo has quit IRC17:57
stevemarhoping someone else runs the show!17:58
SamYaplestevemar: ill take care of it17:58
stevemarSamYaple: :)17:58
* stevemar pokes lbragstad17:59
*** raildo has joined #openstack-keystone17:59
*** chrisplo has quit IRC18:00
*** chrisplo has joined #openstack-keystone18:00
SamYaplenah it's cool stevemar. I've got this. we might end up reverting all this domain/project nonsense though. also PKI tokens 4 life.18:03
SamYaplesmall price to pay for lunch IMO18:03
*** henry_ has joined #openstack-keystone18:05
*** hyakuhei has quit IRC18:08
*** henry_ has quit IRC18:09
*** Alagar has quit IRC18:11
*** Alagar has joined #openstack-keystone18:14
*** hyakuhei has joined #openstack-keystone18:15
*** henrynash has joined #openstack-keystone18:17
*** ChanServ sets mode: +v henrynash18:17
*** anush has quit IRC18:27
*** hyakuhei has quit IRC18:28
*** hyakuhei has joined #openstack-keystone18:28
*** hyakuhei has quit IRC18:28
*** hyakuhei has joined #openstack-keystone18:28
*** henrynash has quit IRC18:31
*** asettle has joined #openstack-keystone18:32
*** henrynash has joined #openstack-keystone18:34
*** ChanServ sets mode: +v henrynash18:35
*** Alagar has quit IRC18:46
*** guoshan has joined #openstack-keystone18:47
*** Alagar has joined #openstack-keystone18:49
*** anush has joined #openstack-keystone18:49
*** guoshan has quit IRC18:52
*** henrynash has quit IRC18:55
*** asettle has quit IRC18:57
*** asettle has joined #openstack-keystone18:58
*** henrynash has joined #openstack-keystone19:00
*** ChanServ sets mode: +v henrynash19:00
*** asettle has quit IRC19:02
*** henrynash has quit IRC19:06
ayoungdstanek, GAH, you know that thing in Python where if you add a comma on the end of a dictionary definition you get a tuple?  Man I can't stand that19:08
*** Alagar has quit IRC19:22
lbragstadayoung still around?19:35
ayounglbragstad, yep19:35
lbragstadayoung so step 1 from the meeting discussion was to break the URL pattern into its own spec19:36
ayounglbragstad, yes19:36
ayoungthe management API and the middleware enforcement19:36
ayoungthose can be one or two specs19:37
ayoungand then the enforcement via token validation is a separate spec as well19:37
lbragstadmiddleware enforcement was the second step - right?19:37
lbragstadayoung i'm probably going to mix implementation and design/spec questions together here19:37
ayoungfire away19:38
lbragstadbut keystone would consider a URL pattern an entity that it owns, just like a user or a project, right?19:38
ayounglbragstad, yes19:38
ayounglbragstad, I'm adding it to the role backend19:38
lbragstadayoung would that just live here - https://github.com/openstack/keystone/tree/613c048b6f4bda91de1c0e9618abd0bda78ccc50/keystone/policy ?19:38
ayoungleaving the policy backend alone19:38
lbragstadso where and how do URL patterns fit into the role backend?19:39
ayoungthey have a one to many relationship with (non-domain-specific) roles19:39
ayoungmaybe I have that backwards19:40
ayoungeach URL pattern has exactly one role19:40
ayoungone role has multple url patterns19:40
lbragstadayoung well19:40
lbragstadis it not many-to-many?19:40
lbragstadGET /servers/ for example can be done as member and admin for example19:41
ayounglbragstad, https://paste.fedoraproject.org/488619/98436681/19:41
dstanekayoung: not a dict - x = 3, is equal to x = (3, )19:41
ayounglbragstad, we will use implied roles for that19:41
ayoungyou only ever specify the lowest role for an url pattern19:41
lbragstadayoung so this is built entirely on implied roles19:41
ayoungso admin implies member, you say an url pattern matches member19:42
ayounglbragstad, yes19:42
ayoungthat was why I needed implied roles first19:42
ayoungto be able to do stuff like this19:42
ayoungyou could do it without implied roles, but then you lose the delegatability19:42
ayoungwell, the ability to delegate only the operation, and not all operations that a role allows19:42
lbragstadayoung how so?19:43
ayoungso lets say you want to be able to delegate just ... image fetch19:43
ayoungif you said that member or admin were allowed roles for that URL, then you have to give someone a token (via trust or oauth say) that has either one of those roles19:44
ayoungbut say you do admin implies member, and member implies 'image-get'19:44
ayoungyou now specify that the image-get operation requires the image-get role.  And anyone with the member role has that by implication19:45
lbragstadbut - member isn't solely used for image-get, right?19:45
lbragstadmember can also GET /servers/19:45
ayoungand, if a user then wants to delegate only image-get, they can create a trust with only the image-get role, and since they have that via implication, it works19:45
ayounglbragstad, right.  So if you need to delegate all of the member operations, you can do so19:45
ayoungor any subset of them19:45
ayoungnow, lets say you tried to do this without implied roles19:46
ayoungyou create a new role called image-get19:46
*** amoralej is now known as amoralej|off19:46
ayoungbut none of your members have that role, so you have to explicitly assign it to them19:46
ayoungOr they can't delegate just that operation19:46
lbragstadok - so to achieve the same outcome you'd need a bunch more role assignments19:47
*** guoshan has joined #openstack-keystone19:48
ayounglbragstad, and then they would have to be done manually19:50
lbragstadso - the relationship between url patterns and roles is one to many? One url pattern to many roles (through implied roles)19:50
ayounglbragstad, this gives the deployer a lot more ability to tweak.  It also allows Horizon to answer the question:  based on this role, what operations can I perform19:50
ayounglbragstad, yes,  through the chaining, it will be multiple effective roles, only one that is explicitly linked to the url Pattern19:51
ayoungand, the thing that is somewhat counterintuitive is that the chaining is backwards from the current Role API.19:52
ayoungrole API links from admin->member->getimage19:52
ayoungthis works from getimage which is implied by member which is implied by admin19:52
*** guoshan has quit IRC19:52
lbragstada url pattern can only imply a single role, but a role can be implied by multiple url patterns19:54
*** chlong has quit IRC19:55
*** odyssey4me has quit IRC19:56
ayoungUgh... the word implied is a little backwards there...20:01
*** chlong has joined #openstack-keystone20:01
lbragstada better statement would be, a url pattern can only have *one* role, a role can be used by multiple url patterns20:01
ayoungaccess to an url can only be directly assigned by a single role but a role may imply multiple URL patterns20:01
ayoungso, what is implied is the role-assignment20:01
ayoungone role can imply another, and one role can imply access to multiple URL patterns20:02
*** odyssey4me has joined #openstack-keystone20:02
ayoungI was originally going to subclass Role for the URL patterns, but the naming is horrible20:02
ayoungI also might consider renaming url_pattern to operation20:02
ayoungan operation is an url-pattern + Verb20:03
ayoungGET /v3/users  for Keystone20:03
lbragstadsure - that makes sense20:03
ayounglbragstad, this is not a 100% solution for many things.  URL parameters are one thing I am punting on for now20:07
ayoungas is anything inside the request body20:07
ayounglet's see if this makes an impact before driving on with anything more invasive20:07
lbragstadayoung ok - so how would keystonemiddleware use this resource in comparison to they it does already?20:09
*** dave-mccowan has quit IRC20:10
lbragstadcomparison to what it does already?*20:10
openstackgerritMerged openstack/keystone: Remove trailing "d" from -days param of OpenSSL command  https://review.openstack.org/40043320:10
openstackgerritMerged openstack/keystone: Normalizes use of ForbiddenAction in trusts  https://review.openstack.org/40038720:11
*** catinthe_ has joined #openstack-keystone20:11
*** catintheroof has quit IRC20:13
*** catintheroof has joined #openstack-keystone20:16
*** catinthe_ has quit IRC20:20
*** akrzos has quit IRC20:20
*** agrebennikov has quit IRC20:24
*** adriant has joined #openstack-keystone20:26
*** raildo has left #openstack-keystone20:39
*** raildo has quit IRC20:39
openstackgerritMerged openstack/keystone: Fix doc example  https://review.openstack.org/40033320:48
*** guoshan has joined #openstack-keystone20:49
SamYapleayoung: that comma thing is a thing for lists and strings and other things as well20:52
*** guoshan has quit IRC20:53
openstackgerritMerged openstack/keystone: move content from configuringservices to configuration  https://review.openstack.org/39978720:53
*** ayoung has quit IRC20:55
*** nk2527 has quit IRC20:56
*** ayoung has joined #openstack-keystone20:56
*** ChanServ sets mode: +v ayoung20:56
*** ayoung has quit IRC21:01
-openstackstatus- NOTICE: Gerrit is offline until 21:30 UTC for scheduled maintenance: http://lists.openstack.org/pipermail/openstack-dev/2016-November/107379.html21:09
*** ChanServ changes topic to "Gerrit is offline until 21:30 UTC for scheduled maintenance: http://lists.openstack.org/pipermail/openstack-dev/2016-November/107379.html"21:09
*** phalmos has joined #openstack-keystone21:13
*** phalmos has quit IRC21:17
*** agrebennikov has joined #openstack-keystone21:20
*** jpich has quit IRC21:23
*** phalmos has joined #openstack-keystone21:25
*** diazjf has joined #openstack-keystone21:38
*** ChanServ changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Ocata goals: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing"21:40
*** ayoung has joined #openstack-keystone21:46
*** ChanServ sets mode: +v ayoung21:46
*** guoshan has joined #openstack-keystone21:49
*** chris_hultin is now known as chris_hultin|AWA21:52
*** guoshan has quit IRC21:54
*** edtubill has quit IRC22:02
*** asettle has joined #openstack-keystone22:03
lbragstadjamielennox curious to see what your take on https://bugs.launchpad.net/keystonemiddleware/+bug/1643422 would be22:05
openstackLaunchpad bug 1643422 in keystonemiddleware "auth_token sems to ignore settings for auth_url and use catalog endpoint for keystone" [Undecided,New]22:05
*** masuberu has joined #openstack-keystone22:05
*** edtubill has joined #openstack-keystone22:06
*** asettle has quit IRC22:08
*** masber has quit IRC22:08
*** edtubill has quit IRC22:10
jamielennoxlbragstad: works as expected?22:12
jamielennoxyou auth to a url and then you use the catalog22:12
*** jaugustine has quit IRC22:12
lbragstadbut it is keystoneauth making that decision, and not middleware, right?22:13
jamielennoxi'm really wondering what is going on if they can't access the url in the catalog22:13
lbragstadjamielennox it's almost like the services are all deployed on a single node (or controller services anyway) and therefore are expected to be able to use localhost22:14
lbragstadinstead of the vip in the catalog22:14
jamielennoxyea but Failed to contact the endpoint at https://keystone.example.org:35357/v2.0/ for discovery22:14
jamielennoxand is what they want, so something is screwy22:15
*** nicolasbock has quit IRC22:18
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675222:18
*** lamt has quit IRC22:20
*** anush has quit IRC22:21
*** spilla has quit IRC22:22
*** phalmos has quit IRC22:22
*** diazjf has quit IRC22:26
lbragstadjamielennox is that a typical setup?22:28
lbragstadjamielennox I wouldn't assume so, but...22:28
*** jperry has quit IRC22:34
jamielennoxno, i'm guessing this is something they were doing in a test environment and has changed22:40
*** anush has joined #openstack-keystone22:44
openstackgerritMerged openstack/keystone: Move docs from key_terms to architecture  https://review.openstack.org/39976022:49
openstackgerritMerged openstack/keystone: Remove extension and auth_token middleware docs  https://review.openstack.org/39976722:49
*** guoshan has joined #openstack-keystone22:50
*** chlong has quit IRC22:52
*** guoshan has quit IRC22:55
*** bknudson has left #openstack-keystone22:55
*** diazjf has joined #openstack-keystone23:03
*** akrzos has joined #openstack-keystone23:16
*** jamielennox is now known as jamielennox|away23:24
*** jamielennox|away is now known as jamielennox23:24
*** asettle has joined #openstack-keystone23:27
*** asettle has quit IRC23:30
*** diazjf has quit IRC23:30
*** asettle has joined #openstack-keystone23:31
*** asettle has quit IRC23:35
*** browne has quit IRC23:36
*** asettle has joined #openstack-keystone23:39
morgan_is stevemar out today?23:40
morgan_i need to bug him about a bug.23:40
*** asettle has quit IRC23:42
*** catintheroof has quit IRC23:46
*** jperry has joined #openstack-keystone23:46
*** catintheroof has joined #openstack-keystone23:47
*** guoshan has joined #openstack-keystone23:51
*** catintheroof has quit IRC23:51
*** guoshan has quit IRC23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!