Wednesday, 2017-01-11

00:00 *** ravelar has quit IRC
00:01 <morgan_> no we don't need to change those
00:01 <morgan_> any more than with your plugin
00:01 <morgan_> you can still make an out-of-tree plugin to work with the new system
00:02 <morgan_> i am simply against making a "duplicate" password plugin that could cause massive failures if improperly setup for all users
00:02 <morgan_> you still need to ensure the new auth plugin is used in ksa, (osc leans on ksa) and horizon may end up with the same workflow in either case. that is a UX discussion
00:03 <morgan_> so i take it back, might be less work on the horizon side, but the rest of the bits is still going to require a chunk of the same work
00:04 <adriant> KSA pretty much covers most of it, but to be able to do MFA with a rule ['password', 'totp'] would still require changes to actually make it usable for a standard user.
00:04 <adriant> Although I guess in KSA and openstackclient we can stick a prompt in
00:05 *** chris_hultin|AWA is now known as chris_hultin
00:05 <adriant> horizon is the place that's more annoying as django openstack auth would need to somehow interact with it and pass along the right data for the given auth methods. :/
00:05 <morgan_> well KSA can't (and wont) prompt
00:06 <morgan_> that is an OSC/other-client thing
00:06 <adriant> Then what am I thinking of... I thought I remembered seeing a prompt in the KSA code.
00:07 <morgan_> nope, i squashed that review
00:07 <morgan_> with a -2
00:07 <morgan_> if it's there someone went around my -2
00:07 *** dave-mccowan has quit IRC
00:07 *** jamielennox is now known as jamielennox|away
00:07 <morgan_> and i'm going to make a stink (I am pretty sure it's not in there)
00:07 <adriant> but that's probably not what I'm thinking of
00:08 <morgan_> that is saying the plugin is expecting input and may require the consuming client to prompt
00:08 <adriant> so yes, that's what I'm thinking for the totp then.
00:08 <adriant> something to tell OSC to prompt for the totp passcode
00:08 <adriant> and OSC to know to expect it
00:09 <adriant> and prompt (although it may do that automatically based on what KSA tells it?)
00:09 *** harlowja has quit IRC
00:09 <adriant> Horizon is the hardest one.
00:10 <adriant> although even in OSC I don't think there is a way to auth with multiple auth methods.
00:10 <adriant> it assumes only one
00:11 *** gagehugo has quit IRC
00:11 *** jamielennox|away is now known as jamielennox
00:11 *** evrardjp has quit IRC
00:11 *** ctracey has quit IRC
00:11 *** andrewbogott has quit IRC
00:12 *** markvoelker has quit IRC
00:12 *** NikitaKonovalov has quit IRC
00:12 <morgan_> i think OSC simply takes its cues from
00:12 <morgan_> so we just need updates to KSA.
00:12 *** med_ has quit IRC
00:12 *** afazekas has quit IRC
00:12 <adriant> OSC has a param "auth type"
00:12 *** markvoelker has joined #openstack-keystone
00:13 <adriant> which i don't think can be a list, although might need to be changed to a comma separated value.
00:13 <morgan_> oslo.cfg is easy to work with on those lines
00:14 *** NikitaKonovalov has joined #openstack-keystone
00:14 <adriant> I'll need to check. the OSC + osc_lib code (+ cliff, + KSA) is hard to dig through sometimes.
00:14 <adriant> But I have a feeling that the auth type param tells OSC what it will use in KSA.
00:14 *** Dave_____ has joined #openstack-keystone
00:15 *** g2 has quit IRC
00:15 *** andrewbogott has joined #openstack-keystone
00:15 <adriant> So if it isn't already, will need to be able to be multiple auth methods, and then get the right prompts from KSA.
00:16 <jamielennox> there is a parameter of ksa Opts that it can specify this option can/should be prompted if unavailable
00:16 <jamielennox> if that parameter is present then OSC should ask for it
00:16 <jamielennox> i don't remember how far we actually got with that because OSC's auth validation logic is kinda messy
00:16 *** med_ has joined #openstack-keystone
00:17 <jamielennox> and by kinda messy, i mean eeek
00:17 <adriant> jamielennox: yep, but I was more meaning OSC needs to tell KSA "I need to auth with 'password' AND 'totp'"
00:17 *** med_ is now known as Guest47520
00:17 <adriant> and I don't think it can. I think it's only auth method at a time right now
00:17 *** ctracey has joined #openstack-keystone
00:17 *** evrardjp has joined #openstack-keystone
00:17 *** afazekas has joined #openstack-keystone
00:18 *** BrAsS_mOnKeY has joined #openstack-keystone
00:18 *** gagehugo has joined #openstack-keystone
00:18 <jamielennox> i'm not sure i follow that, it's not really OSC's job to tell KSA anything it just loads the appropriate plugin
00:19 *** Guest47520 is now known as medberry
00:19 *** medberry has quit IRC
00:19 *** medberry has joined #openstack-keystone
00:19 <jamielennox> and all keystone and ksa will tell you is success or failure on auth
00:19 <adriant> How does KSA know which plugin to load?
00:19 *** Dave has quit IRC
00:19 <adriant> OSC has an "auth type" param, which can be token, password, etc
00:20 <adriant> so I assume that's how KSA knows which plugin is being used.
00:21 <adriant> so if I want to auth with both password AND totp, I'd need that param to allow multiple values.
00:22 <adriant> jamielennox: does that make sense?
00:23 <adriant> I could be way off the mark. I tried reading through all this code and it's a complicated mess that is hard to follow.
00:23 *** tqtran has quit IRC
00:23 <jamielennox> adriant: yep, i get it, this is something i've considered before but don't have a solution to
00:23 <jamielennox> basically there's two ways you could do it
00:24 <jamielennox> 1) create a new plugin --os-auth-type passwordotp
00:24 <jamielennox> there is something like this already - i don't know what it does
00:25 <jamielennox> or i thought there was... where did it go
00:25 *** BrAsS_mOnKeY has quit IRC
00:25 <adriant> we've mostly sidelined that plugin in favor of rules
00:25 *** BrAsS_mO- has joined #openstack-keystone
00:25 <adriant> the spec is sitting in superseded
00:25 <jamielennox> 2) i've wondered how you could do a generic multi-plugin plugin
00:25 *** thorst has joined #openstack-keystone
00:25 *** harlowja has joined #openstack-keystone
00:26 <jamielennox> and then do like --os-auth-type-1 password --os-auth-type-2 otp
00:26 <jamielennox> but then you have variable collisions and all sorts of problems
00:26 <jamielennox> and you have to distinguish between scope variables and auth variables (AuthN vs AuthZ)
00:26 <adriant> why not "--auth-type password,totp" or "--auth-type password --auth-type totp"
00:26 <adriant> can't we make it a list internally?
00:27 <adriant> the users would never know or need to so no backwards compat issues
00:27 <jamielennox> it's a matter of how you combine them
00:27 <adriant> order doesn't matter
00:27 <adriant> at least it shouldn't really
00:27 <jamielennox> right, but there's not really a way to do two plugins on one request, you need to find a way to combine them
00:27 <jamielennox> v3 has this ability
00:28 <adriant> oh I see, KSA doesn't use multiple plugins
00:28 <adriant> just one at a time, and one of the KSA plugins can talk to multiple auth methods
00:28 <jamielennox> if you're doing it programmatically it's kind of easy
00:28 <adriant> that's right, i played with a multiple method plugin in KSA ages ago...
00:28 <jamielennox> but it's how you load multiple methods into one plugin
00:29 *** BrAsS_mO- is now known as g2
00:30 <adriant> Yeah and changing KSA now to allow auth with multiple KSA plugins would be hard
00:30 <jamielennox> programmatically you need to do v3.Auth('https://keystone', [v3.PasswordMethod(...), v3.TotpMethod(...)], project_id='id')
00:30 <jamielennox> and I'd be on board with doing a v3multi plugin
00:30 <adriant> well for MFA we need it
00:31 <adriant> but we'd need a good way to pass the auth type(method) data from OSC to KSA
00:31 <jamielennox> but we'd need to refactor a whole bunch of stuff in ksa loading to separate the AuthN information from like v3password (user,password) from authz (project, scope)
00:31 <adriant> but that last part is mostly a UX thing I guess
00:31 <adriant> morgan_: see above ^
00:31 <adriant> morgan_: that's what I was worried about
00:31 <jamielennox> not sure if you can call it authn/authz in a request...
00:35 *** woodster_ has quit IRC
00:35 <adriant> jamielennox: should we put together a spec for this then?
00:36 *** chris_hultin is now known as chris_hultin|AWA
00:36 <jamielennox> adriant: you can, but if you have a working multi plugin for ksa we'd probably just take it
00:37 <jamielennox> adding another plugin is generally easy, and in a really common case like this with password+totp the easiest thing to do would be to just create a new launcher
00:37 <adriant> I don't, but the problem is we'd want a good long term solution that works with arbitrary plugins.
00:38 <adriant> I do have a password+totp plugin somewhere, but it was a quick thing when testing something
00:39 <adriant> but with the way we want multi method rules to work in Keystone I'd assume we'd want a way in KSA to programmatically do "auth me with these auth methods"
<adriant> jamielennox: see this spec:
00:41 <adriant> if we don't do it programmatically in KSA then we need a new plugin for each possible combination...
00:41 <jamielennox> i argued against those MFA specs :p
00:42 *** thorst has quit IRC
00:42 <adriant> jamielennox: I know! :P
00:42 <adriant> but we do need some sort of MFA, and this actually is a good solution
00:42 *** thorst has joined #openstack-keystone
00:43 <jamielennox> so we would basically need a new stevedore entry point that would let you pick up auth method instead of auth plugin
00:44 *** adrian_otto has joined #openstack-keystone
00:44 <jamielennox> like password etc in there
00:44 <adriant> because we don't care about 'plugins' but methods
00:44 <jamielennox> and let them specify options etc
00:44 <jamielennox> i'm ok with that
00:44 <jamielennox> the interesting bit is going to be whether it is ok to mash the options of multiple plugins together
00:44 <adriant> so the plugins are more like the KSA copy of the Keystone methods they'd link up with
00:45 <jamielennox> right - and that's available already in KSA, just not the loading bit
00:46 *** thorst has quit IRC
00:47 <jamielennox> for example, PasswordMethod and TotpMethod both require user_id, username options
00:47 * jamielennox bangs head on desk
00:48 <adriant> Yeah... I have a feeling this change may be a lot of work to make things nice :(
00:48 <jamielennox> in this case it's probably sufficient to have overlapping parameters sent to both parameters
00:48 <jamielennox> in this case it's probably sufficient to have overlapping parameters sent to both plugins
00:48 <adriant> i guess, but... we need them all to group under the same request
00:49 <adriant> and the request does require user_id for each method :/
<adriant> see the request json in this section:
00:50 <jamielennox> so one of the good things we did in ksa vs ksc is split the plugin loading away from the plugin creation
00:50 <jamielennox> so if you can do it from python it's just a matter of figuring out how you genericise it to a loader
00:50 <adriant> that's the output multiple plugins/methods would need to merge into one request, then fire that off to keystone.
00:51 <morgan_> jamielennox: we're not adding the multi plugin into keystone though
00:51 <jamielennox> morgan_: ksa
00:51 <morgan_> jamielennox: we have a spec for the per-user mfa rules
00:51 <adriant> If I remember right, the KSA plugins currently each setup their own request json
00:51 <jamielennox> adriant: we can construct that request pretty easily
00:51 <morgan_> however it works outside keystone i was saying was about the same.
00:51 <jamielennox> adriant: from python that's easy
00:51 <morgan_> regardless of the work in keystone
00:52 <jamielennox> the multiple methods still become part of the same plugin
00:53 <adriant> jamielennox: so we'd do "--auth-type multi" and "--auth-method password --auth-method totp" ?
00:54 <adriant> or make --auth-type and method mutually exclusive and if --auth-method is used ONLY use the multi plugin
00:55 <adriant> and the v3 multi plugin is special with stevedore loaded methods?
00:56 <jamielennox> you would need to specify both type and method
00:56 <jamielennox> type to load the multi loader, and then the multi loader could look at the methods
00:57 <adriant> yeah, that would work.
00:58 <adriant> it's still not the greatest UX, but without knowing what auth rules a user has before login, or a challenge response system it's the best we can do without too much pain...
00:58 *** oomichi has quit IRC
00:58 <jamielennox> yea, it's not great UX however most people don't see this stuff
00:58 *** diazjf has joined #openstack-keystone
00:59 <adriant> yeah, getting the UX right in django openstack auth is where it will be very important
00:59 <jamielennox> again for password + totp which is going to be a really common combo i would suggest just doing a standalone plugin
00:59 *** agrebennikov has quit IRC
00:59 <jamielennox> for weird combos like this it all gets generated by the provider and dropped in a clouds.yaml file
01:00 <jamielennox> that's been my justification with all the OS_ auth params up till now, there are very few people who remember them all anyway
01:00 <adriant> jamielennox: fair enough. Just would hope to avoid too many custom plugins for odd combinations as it limits the flexibility you can have with rules.
01:00 *** oomichi has joined #openstack-keystone
01:00 <jamielennox> adriant: yep, not saying we don't need the generic multi - just that for really common things we shouldn't have to jump through that many hoops
01:02 <adriant> and yeah, you can easily set your OS_AUTH_TYPE in your clouds.yaml or your openstack.rc file
01:02 <adriant> so you don't ever really need to deal with it once the params are set
01:03 *** diazjf has quit IRC
01:03 <adriant> morgan_: that make sense to you?
01:03 <morgan_> reading up.
01:04 <adriant> brb, getting tea
01:04 <morgan_> sure. makes sense re ksa/osc/horizon
01:05 *** stewie925 has quit IRC
01:09 <jamielennox> also for horizon i'd skip all this and do it in python
01:09 *** adrian_otto has quit IRC
01:09 <jamielennox> the multi stuff is relevant for OSC and anything CLI
01:11 *** agrebennikov has joined #openstack-keystone
01:11 *** thorst has joined #openstack-keystone
01:11 *** dave-mccowan has joined #openstack-keystone
01:13 *** liujiong has joined #openstack-keystone
01:15 <adriant> dammit, out of tea leaves.
01:15 <adriant> jamielennox: what exactly do you mean in Horizon by doing it in python?
01:16 *** thorst has quit IRC
01:16 <adriant> I don't think the user should need to specify a set of auth methods when logging in
01:16 <jamielennox> so the loaders are just a way of exposing to CLI and CONF files how to create a valid auth_plugin
01:17 <jamielennox> but what you end up from the loader is just an auth plugin
01:17 <adriant> in horizon we'd need some dynamic way to get the passcode from the user in a more standard challenge response style.
01:17 <adriant> at least for TOTP
01:18 <adriant> I don't think weird MFA rules and Horizon really make sense
01:18 <jamielennox> horizon currently doesn't expose every option of the "password" plugin to the user on login page, it has its own version of a loader
01:18 <adriant> yeah, openstack django auth or some such
01:18 <jamielennox> something that loads a generic.Password plugin from a web page
01:18 <adriant> It's not too complicated
01:18 <adriant> I've extended in the past to allow an optional MFA field though
01:19 <jamielennox> right, so you can pick the things in horizon that you want to expose, and TOTP would be one of them
01:19 <adriant> but it's not the nicest way of doing it
01:19 <jamielennox> and then you just create an auth plugin directly, i mentioned it earlier but if you do
01:19 <jamielennox> v3.Auth('https://keystone', [v3.PasswordMethod(...), v3.TotpMethod(...)], project_id='id')
01:20 <jamielennox> you get the auth plugin you want
01:20 <jamielennox> so you have horizon do its own challenge that if it sees TOTP is required then add a field and construct a plugin with the TotpMethod
01:22 <adriant> jamielennox: me and morgan_ talked about an option to mimic challenge response as well. One was to just do a standard password auth, and based on the errors to rebuild with a totp field. or... do a new token type that is 'partially authed' or some such and needs the other MFA rules before turning into a full token.
01:22 <adriant> in the token case, you'd password auth, get a mostly useless token that still requires TOTP. With that token and TOTP, and bam, full token.
01:23 <adriant> but not sure how to do that one well, and dynamic/challenge response based on errors also kind of doesn't sound good.
01:24 <jamielennox> it's information leakage but i think i would have keystone tell you that auth failed because you missed a method
01:24 <morgan_> you can't do token totp really
01:24 <morgan_> it'll break most of openstack
01:24 <jamielennox> so still a 401, but just a message (which you only see if password is correct)
01:24 <adriant> jamielennox: yeah, that's what we were thinking. "auth failed because missing methods"
01:24 <morgan_> jamielennox: yeah the plan is to be explicit and say not enough auth forms supplied
01:24 <morgan_> jamielennox: i am ok with this information leakage
01:25 <morgan_> it is no different than say google auth
01:25 <adriant> it's yep, it's reasonably safe data
01:25 <morgan_> "you authed... oh time to give me your totp thing now"
01:25 <jamielennox> horizon can look at the 401, see that not everything failed and reuse the user password from the first login screen to do another attempt
01:25 <adriant> "this user has MFA enabled"
01:25 <jamielennox> + MFA this time
01:25 <adriant> jamielennox: yep, exactly that
01:25 <morgan_> jamielennox: yep.
01:25 <morgan_> jamielennox: that was one option
01:25 <adriant> reuse password feels a little ugly though
01:25 <jamielennox> so i don't think it's real leakage because you'd only see it if password auth succeeded
01:25 <adriant> as it then needs to store it for the second attempt
01:26 <jamielennox> adriant: agreed, but otherwise the user would need to re-enter password for the second attempt
01:26 <adriant> yes, and reentering password would be bad UX
01:26 <adriant> cookie maybe?
01:26 <adriant> store password in cookie if failed attempt with missing auth and reuse for totp?
01:28 <adriant> that's why I theoretically prefer the unfinished token approach as it's closer to true challenge response, and password doesn't need to be sent twice.
01:28 <adriant> but would mean more work
01:28 <morgan_> unfinished token is a lot weirder code wise and not great
01:28 <morgan_> we're adding another token type
01:28 <adriant> and no info leakage
01:29 <morgan_> doesn't really make sense
01:29 <jamielennox> yea, it's a lot to support on the keystone side for this case
01:29 <jamielennox> because you do have a token, you just can't use it
01:29 <jamielennox> i guess it's kind of like unscoped, but i think it'd expose a lot of bugs
01:30 <adriant> but with that you can then possibly do the same in the CLI and when using the "multi" plugin it would respond and ask for the missing pieces if you only supplied password
01:30 <adriant> but again, not simple
01:31 <adriant> no need to actually specify methods
01:31 <morgan_> cli asking for more items is terrible
01:31 <morgan_> prompting that is
01:31 <morgan_> just send the request again with the full set of info
01:31 <morgan_> for horizon/web it's better to prompt like google auth workflow is: auth, totp
01:32 <morgan_> vs auth, fail, auth+totp (cli)
01:34 <adriant> alright, I think for CLI/KSA we're mostly on the same page, and then Horizon we'll need to work out with their team.
01:35 *** briancurtin has joined #openstack-keystone
01:36 <adriant> morgan_: so what's next in Keystone? You did the patch for the db table, next is the controller/routers for that
01:36 <adriant> then adding the code to the auth layer to actually use the rules?
01:37 <morgan_> next is the code that will use that table when logging in
01:37 <morgan_> then the controller/routes to setup the rules
01:39 <adriant> If you want I can probably start putting together the controllers/routers while you do the auth.
01:39 *** namnh has joined #openstack-keystone
01:39 *** jperry has joined #openstack-keystone
01:41 <adriant> based on the db model those should be reasonably simple unless we want some sort of special validation for incoming rules (are these valid methods?).
01:43 *** ravelar has joined #openstack-keystone
01:43 *** markvoelker has quit IRC
01:44 *** markvoelker has joined #openstack-keystone
01:49 *** markvoelker has quit IRC
02:00 *** gyee has quit IRC
02:02 *** thorst has joined #openstack-keystone
02:02 *** thorst has quit IRC
02:08 *** browne has quit IRC
02:12 *** jose-phillips has quit IRC
02:16 *** asettle has joined #openstack-keystone
02:23 *** asettle has quit IRC
02:32 *** voelzmo has joined #openstack-keystone
02:32 *** chlong has quit IRC
02:37 *** voelzmo has quit IRC
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Implement shadow mapping
02:52 *** spzala has quit IRC
02:54 *** rreimberg has quit IRC
<openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Only log application/json in session to start
03:06 <stevemar> lbragstad: morgan_ do you guys have an opinion on and the follow-on?
03:06 <stevemar> want it done in one patch or two?
03:07 <stevemar> jamielennox: i proposed your patch to ksa ^ please review
03:09 <jamielennox> stevemar: i think it's fine to merge them
03:10 <stevemar> jamielennox: you stink :P
03:10 <stevemar> that's more work for me!
03:10 <jamielennox> yea, but it'll clear dolph's -1
03:10 <jamielennox> and i can't +A it anyway
03:12 <stevemar> jamielennox: just asking for opinions, i think dolphm is being pedantic here :P (yeah you better read this in the morning!)
03:17 *** dave-mccowan has quit IRC
03:20 *** thorst has joined #openstack-keystone
03:20 <stevemar> dolphm: jamielennox: there, done, you guys made me do extra work :P
03:21 *** tqtran has joined #openstack-keystone
03:23 *** tqtran has quit IRC
03:31 *** nicolasbock has quit IRC
03:32 *** jperry has quit IRC
<openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Only log application/json content type
<openstackgerrit> Steve Martinelli proposed openstack/python-keystoneclient: Only log application/json in session to start
03:36 *** markvoelker has joined #openstack-keystone
03:40 *** agrebennikov has quit IRC
03:47 *** spzala has joined #openstack-keystone
03:47 *** links has joined #openstack-keystone
03:53 *** ayoung has quit IRC
04:19 *** spzala has quit IRC
04:27 *** jose-phillips has joined #openstack-keystone
04:30 *** jose-phillips has quit IRC
04:33 *** voelzmo has joined #openstack-keystone
04:34 *** sheel has joined #openstack-keystone
04:40 *** tqtran has joined #openstack-keystone
04:42 *** tqtran has quit IRC
04:46 *** voelzmo has quit IRC
04:47 *** adriant has quit IRC
05:07 *** dikonoor has joined #openstack-keystone
05:09 *** thorst has joined #openstack-keystone
<stevemar> dolphm: organized it all up:
05:10 <stevemar> morgan_: if you're interested, too ^
05:14 *** thorst has quit IRC
05:40 *** dikonoor has quit IRC
05:42 *** adrian_otto has joined #openstack-keystone
05:44 *** diazjf has joined #openstack-keystone
05:46 *** adrian_otto has quit IRC
05:47 *** adrian_otto has joined #openstack-keystone
05:47 *** diazjf has quit IRC
05:58 *** adrian_otto has quit IRC
06:12 *** itisha has quit IRC
06:13 *** dims has quit IRC
06:25 *** pcaruana has joined #openstack-keystone
06:31 <morgan_> thnx will look
06:37 *** sheel has quit IRC
06:43 *** richm has quit IRC
07:08 *** tesseract has joined #openstack-keystone
07:18 *** gsilvis has quit IRC
07:18 *** gsilvis has joined #openstack-keystone
07:42 *** AlexeyAbashkin has joined #openstack-keystone
07:56 *** hogepodge has quit IRC
08:01 *** chrome0 has joined #openstack-keystone
08:02 *** chrome0 has quit IRC
08:05 *** chrome0 has joined #openstack-keystone
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Do not merge: TEST PATCH
08:13 *** edtubill has quit IRC
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Do not merge: TEST PATCH
08:25 *** voelzmo has joined #openstack-keystone
08:28 *** voelzmo has quit IRC
08:54 *** haplo37_ has quit IRC
08:55 *** Dave_____ is now known as Dave
08:57 *** haplo37_ has joined #openstack-keystone
09:00 *** zzzeek has quit IRC
09:00 *** zzzeek has joined #openstack-keystone
09:05 *** chrome0_ has joined #openstack-keystone
09:05 *** chrome0_ has quit IRC
09:09 *** asettle has joined #openstack-keystone
09:20 *** namnh has quit IRC
09:32 *** mvk has quit IRC
09:44 *** tqtran has joined #openstack-keystone
09:45 *** tqtran has quit IRC
10:10 *** mvk has joined #openstack-keystone
10:11 *** liujiong has quit IRC
10:18 *** Alexey_Abashkin has joined #openstack-keystone
10:19 *** AlexeyAbashkin has quit IRC
10:31 *** Alexey_Abashkin has quit IRC
10:39 *** thiagolib has joined #openstack-keystone
11:02 *** AlexeyAbashkin has joined #openstack-keystone
11:06 *** Alexey_Abashkin has joined #openstack-keystone
11:07 *** AlexeyAbashkin has quit IRC
11:09 *** Alexey_Abashkin_ has joined #openstack-keystone
11:11 *** Alexey_Abashkin has quit IRC
11:13 <samueldmq> morning keystone
11:13 *** richm has joined #openstack-keystone
11:35 *** nicolasbock has joined #openstack-keystone
11:39 *** dims has joined #openstack-keystone
11:40 *** haplo37_ has quit IRC
11:43 *** haplo37_ has joined #openstack-keystone
11:58 *** AlexeyAbashkin has joined #openstack-keystone
11:59 *** Alexey_Abashkin_ has quit IRC
12:03 *** mvk has quit IRC
12:14 *** ayoung has joined #openstack-keystone
12:14 *** ChanServ sets mode: +v ayoung
12:15 *** mvk has joined #openstack-keystone
12:20 *** AlexeyAbashkin has quit IRC
12:35 *** raildo has joined #openstack-keystone
12:41 *** thorst has joined #openstack-keystone
12:42 *** jperry has joined #openstack-keystone
12:43 *** edmondsw has joined #openstack-keystone
13:08 *** chlong has joined #openstack-keystone
13:17 *** jperry has quit IRC
13:21 *** mvk has quit IRC
13:33 *** mvk has joined #openstack-keystone
13:35 *** AlexeyAbashkin has joined #openstack-keystone
13:36 <dstanek> good morning samueldmq
13:39 *** aloga has quit IRC
<openstackgerrit> Merged openstack/python-keystoneclient: Only log application/json in session to start
13:52 *** masterjcool has quit IRC
13:54 *** aloga has joined #openstack-keystone
13:56 *** david-lyle has quit IRC
13:57 *** AlexeyAbashkin has quit IRC
13:59 *** crinkle_ has quit IRC
13:59 *** crinkle_ has joined #openstack-keystone
13:59 *** david-lyle has joined #openstack-keystone
13:59 *** AlexeyAbashkin has joined #openstack-keystone
14:01 *** lamt has joined #openstack-keystone
14:02 *** links has quit IRC
14:03 *** ayoung has quit IRC
14:05 *** masterjcool has joined #openstack-keystone
14:11 *** itisha has joined #openstack-keystone
14:14 *** jperry has joined #openstack-keystone
14:14 *** jamielennox is now known as jamielennox|away
14:16 *** david-lyle has quit IRC
14:24 *** jvarlamova____ has joined #openstack-keystone
14:27 *** jvarlamova has quit IRC
14:31 *** dave-mccowan has joined #openstack-keystone
14:32 *** jgrassler has joined #openstack-keystone
14:37 *** chlong has quit IRC
14:39 <stevemar> samueldmq: morning
14:40 *** lamt has quit IRC
14:51 *** cloudm2 has joined #openstack-keystone
14:53 *** stewie925 has joined #openstack-keystone
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table
15:06 *** spzala has joined #openstack-keystone
15:06 *** spzala has quit IRC
15:06 *** spzala has joined #openstack-keystone
15:13 *** jaosorior has joined #openstack-keystone
15:14 *** edtubill has joined #openstack-keystone
15:16 <knikolla> o/ morning
15:17 *** david-lyle has joined #openstack-keystone
15:21 *** david-lyle has quit IRC
15:22 *** lucas__ has joined #openstack-keystone
15:24 *** adu has joined #openstack-keystone
15:25 *** nklenke has joined #openstack-keystone
15:28 *** markvoelker has quit IRC
15:29 *** jaugustine has joined #openstack-keystone
15:29 *** markvoelker has joined #openstack-keystone
15:29 *** chris_hultin|AWA is now known as chris_hultin
15:30 *** chris_hultin is now known as chris_hultin|AWA
15:31 * breton yawns
15:32 <breton> what to review?
15:32 *** ayoung has joined #openstack-keystone
15:32 *** ChanServ sets mode: +v ayoung
15:33 *** nklenke_ has joined #openstack-keystone
15:35 *** markvoelker has quit IRC
15:35 *** spilla has joined #openstack-keystone
15:38 *** ayoung has quit IRC
15:42 *** lucas__ has quit IRC
15:44 *** spzala has quit IRC
15:44 *** spzala has joined #openstack-keystone
15:45 *** spzala has quit IRC
15:45 *** spzala has joined #openstack-keystone
15:46 <stewie925> dstanek: hello
15:48 *** mvk has quit IRC
15:49 *** ravelar has joined #openstack-keystone
15:49 *** chris_hultin|AWA is now known as chris_hultin
15:50 *** ayoung has joined #openstack-keystone
15:50 *** ChanServ sets mode: +v ayoung
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Implement shadow mapping
15:57 *** markvoelker has joined #openstack-keystone
15:57 <lbragstad> dstanek ^ done
16:00 <lbragstad> ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar
16:00 *** adrian_otto has joined #openstack-keystone
16:00 <lbragstad> policy meeting in #openstack-meeting-cp
16:02 *** lucas__ has joined #openstack-keystone
16:03 *** lamt has joined #openstack-keystone
16:08 *** phalmos has joined #openstack-keystone
16:10 *** phalmos has quit IRC
16:11 *** chlong has joined #openstack-keystone
16:22 <dstanek> lbragstad: gracias
<openstackgerrit> Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS
16:32 *** AlexeyAbashkin has quit IRC
16:33 *** lucas__ has quit IRC
16:44 *** lucas__ has joined #openstack-keystone
16:45 *** lucas__ has quit IRC
16:49 <stewie925> dstanek: hi, I think I may have found the 'keystone service create' issue - but would like to request your input
16:51 <dstanek> stewie925: go ahead and ask away. if i'm not in a position to help someone else here might be
16:54 <stewie925> dstanek: will do, thank you!
16:57 *** dikonoor has joined #openstack-keystone
17:00 <ayoung> samueldmq, sure
17:00 <samueldmq> ayoung: so I think I've mentioned with you already an idea for policy validation
17:01 <samueldmq> basically, one would define RBAC in a DSL, and that would be checked against openstack
17:01 <edmondsw> dstanek why don't you think we can pick a single value that works for both use cases? I thought ayoung's example did exactly that
17:01 <ayoung> samueldmq, read through my proposal...I think it covers yours.
<samueldmq> ayoung: something like
17:02 <samueldmq> ayoung: I think it should be based on yours actually. I'd be writing a tool
17:02 <dstanek> edmondsw: i think we have to decide how we want the policy to work and do it. if we like the cloud semantics then we should use them.
17:02 <ayoung> samueldmq, yeah...I like that.
17:02 <samueldmq> ayoung: that needs to know what role is needed for a given operation (which is yours)
17:02 <ayoung> samueldmq, it would explicitly be for the RBAC stuff, and assume the scope check is performed deeper in the code?
17:03 *** cloudm2 has quit IRC
17:03 <samueldmq> ayoung: the definitions in the DSL can be even written by someone in another level in the organization, who may not even know how to code
17:03 <samueldmq> ayoung: the operator will implement that, and check with that tool
17:03 <samueldmq> the conformity
17:03 <edmondsw> dstanek I would expect what we codify to more closely resemble v3cloudsample than the other json file, if that's what you're getting at
17:03 <ayoung> So, yeah, should be able to support that with the REST Call from Keystone to support the RBAC Middleware
17:03 <edmondsw> dstanek but it should work just as well for both cases
samueldmqayoung: exactly, I only care for the role stuff, pute rbac17:03
samueldmqayoung: pure17:04
ayoungedmondsw, yeah probably necesassary.  The one thing I don't like is it might lock us in to making things be "admin" for domain operations if it is in the policy file, but tI can't see an easy way to transition around that17:04
dstanekedmondsw: that is exactly it17:04
samueldmqayoung: that'd be: "let me see if I've registered RBAC roles in keystone as defined by my boss"17:05
samueldmqayoung: that will be in an academic context, so I think that conformity checker will make sense17:06
samueldmqto make sure rules are defined as expected17:06
samueldmqayoung: I should write usecases for that, it'll be easier to present to idea to others and get feedback17:06
ayoungsamueldmq, sounds good17:07
samueldmqayoung: how do you see your effort and policy in the code effort in the future?17:07
samueldmqayoung: would you like to see all role checks in middleware and policy in the code for the rest ( scope, etc ) ?17:07
ayoungsamueldmq, you nailed it.17:08
ayoung role checks in middleware and scope check (and service specific policy) in the code17:09
samueldmqayoung: yeah, I am trying to think how we could migrate from things on the code (separate repos) to centralized in keystone17:10
samueldmqayoung: it'd be awesome if we get to that point17:10
*** briancurtin has quit IRC17:11
ayoungsamueldmq, migration is factored in17:12
*** pcaruana has quit IRC17:12
*** jose-phillips has joined #openstack-keystone17:13
*** akrzos is now known as akrzos-mtg17:14
stewie925hello all - I have an issue with creating keystone service using Openstack kilo instructions - I provided the information in   Input appreciated.17:14
ayoungthe default role would be "Member"  .  Admin implies Member.17:15
*** tqtran has joined #openstack-keystone17:16
samueldmqstewie925: iirc kilo is no longer maintained17:17
samueldmqstevemar: there is no branch stable/kilo anymore, that's why the file can't be found, then the HTML returned is stored, rather than the .py file17:18
samueldmqstewie925: ^17:18
stewie925samueldmq: oh...17:18
stewie925samueldmq: thats what I am afraid of - the kilo instructions had been pulled offline recently17:19
samueldmqstewie925: try it with "curl \ | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin"17:19
samueldmqthat *may* work, not sure how much that script has changed between those versions17:19
stewie925samueldmq: I'll give this a shot, thanks so much17:19
samueldmqstewie925: you're welcome17:19
*** tesseract has quit IRC17:20
openstackgerritRichard Avelar proposed openstack/keystone: WIP extend users API to add federated object
dstanekstewie925: your /var/www/cgi-bin/keystone/admin is html instead of the python code17:22
stewie925dstanek: yeah, thats what I figured :(17:23
dstanekoh i see samueldmq already found that17:23
stewie925dstanek: so I will try re-executing using samueldmq17:23
stewie925using samueldmq's link instead (pointing to stable/mitaka) see if it will pull a wsgi script17:23
dstanekstewie925: if you go to the file in github you just have to grab the 'raw' link17:24
stewie925dstanek: thank you17:25
*** asettle has quit IRC17:26
lbragstadstevemar dstanek samueldmq ayoung gagehugo edmondsw rderose
stevemarlbragstad: ++17:29
* dstanek hopes for some useful dialog17:30
lbragstaddstanek me too17:34
lbragstadstevemar i sent a note to henry's ibm address17:34
lbragstadstevemar but I'll rely on the stevemar-over-sametime protocol as a backup communication effort ;)17:35
dstanekstewie925: what made you choose kilo?17:39
stevemarlbragstad: not online :P17:39
stevemarlbragstad: henrynash isn't online, that is17:39
lbragstadstevemar bah!17:39
stevemarlbragstad: it is 5:30 for him now, probably out at a pub17:39
* lbragstad resorts to carrier pigeon 17:39
lbragstadstevemar i don't blame him ;)17:40
stewie925dstanek: hi, I am testing internal project that requires a kilo install17:40
dstanekstewie925: gotcha17:40
stewie925but yeah kilo is ancient17:40
stevemarlbragstad: your [0] reference in the email to henry does not exist17:41
lbragstadstevemar you're right17:42
lbragstadalright - it's about that time to go get lunch17:43
*** jaugustine has quit IRC17:45
stevemarlbragstad: same17:46
*** browne has joined #openstack-keystone17:46
*** AlexeyAbashkin has joined #openstack-keystone17:55
*** AlexeyAbashkin has quit IRC17:58
*** AlexeyAbashkin has joined #openstack-keystone17:58
*** mvk has joined #openstack-keystone17:59
*** tqtran has quit IRC18:03
*** dikonoor has quit IRC18:03
*** stewie925 has quit IRC18:04
*** stewie925 has joined #openstack-keystone18:05
openstackgerritRodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk
*** phalmos has joined #openstack-keystone18:12
*** stewie925 has quit IRC18:13
*** adrian_otto has quit IRC18:13
*** adrian_otto has joined #openstack-keystone18:15
*** david-lyle has joined #openstack-keystone18:15
*** david-lyle has quit IRC18:16
*** david-lyle has joined #openstack-keystone18:16
*** jaugustine has joined #openstack-keystone18:20
*** Alexey_Abashkin has joined #openstack-keystone18:21
*** lucas__ has joined #openstack-keystone18:23
*** AlexeyAbashkin has quit IRC18:24
*** adrian_otto has quit IRC18:25
*** chlong has quit IRC18:46
*** stewie925 has joined #openstack-keystone18:46
*** dave-mccowan has quit IRC18:54
*** dave-mcc_ has joined #openstack-keystone18:54
*** tqtran has joined #openstack-keystone18:57
*** thiagolib has quit IRC18:58
*** chlong has joined #openstack-keystone18:59
ayounglbragstad, looks good19:00
openstackgerritKam Nasim proposed openstack/keystone: Set connection timeout for LDAP configuration
*** spzala has quit IRC19:07
*** spzala has joined #openstack-keystone19:07
*** briancurtin has joined #openstack-keystone19:09
*** spzala has quit IRC19:12
stewie925I was able to point to stable/mitaka and download the wsgi script to /var/www/cgi-bin/keystone/admin, though I encountered another issue :
dstanekstewie925: did you pull down the correct version of the file? there will be a branch for each release19:14
*** dave-mcc_ has quit IRC19:15
stewie925dstanek: yeah I think I'll go ahead and reinstall with a later version of openstack19:16
stewie925some kilo components are no longer available19:17
stevemarmorgan_: hi, can you take a final look at the open patches here:
morgan_stevemar: jenkins doesn't like a bunch of them19:23
morgan_oh abandoned19:23
morgan_lol oh that bug19:27
*** diazjf has joined #openstack-keystone19:27
*** diazjf has quit IRC19:30
stevemarmorgan_: ty19:33
*** jaosorior has quit IRC19:46
*** Alexey_Abashkin has quit IRC19:48
*** voelzmo has joined #openstack-keystone19:51
*** AlexeyAbashkin has joined #openstack-keystone19:51
*** jaosorior has joined #openstack-keystone19:56
*** Alexey_Abashkin has joined #openstack-keystone19:56
*** AlexeyAbashkin has quit IRC19:57
*** morgan_ is now known as morgan19:58
*** ayoung has quit IRC20:06
*** Alexey_Abashkin_ has joined #openstack-keystone20:11
*** Alexey_Abashkin has quit IRC20:13
*** akrzos-mtg is now known as akrzos20:13
*** spzala_ has joined #openstack-keystone20:15
*** Alexey_Abashkin_ has quit IRC20:20
*** spzala_ has quit IRC20:20
*** spzala has joined #openstack-keystone20:21
*** diazjf has joined #openstack-keystone20:22
*** diazjf has quit IRC20:22
*** jaugustine has quit IRC20:23
*** jaugustine has joined #openstack-keystone20:24
*** lucas__ has quit IRC20:25
*** jaugustine_ has joined #openstack-keystone20:26
*** jaugustine has quit IRC20:26
*** lucas__ has joined #openstack-keystone20:28
*** browne has quit IRC20:28
*** Alexey_Abashkin_ has joined #openstack-keystone20:28
*** asettle has joined #openstack-keystone20:29
*** lucas__ has quit IRC20:31
*** voelzmo has quit IRC20:32
*** browne has joined #openstack-keystone20:33
*** asettle has quit IRC20:33
*** voelzmo has joined #openstack-keystone20:33
*** asettle has joined #openstack-keystone20:33
*** nklenke has quit IRC20:35
*** lucas__ has joined #openstack-keystone20:37
*** voelzmo has quit IRC20:37
*** asettle has quit IRC20:38
*** jaosorior has quit IRC20:39
*** adrian_otto has joined #openstack-keystone20:42
*** nklenke_ has quit IRC20:42
*** diazjf has joined #openstack-keystone20:54
*** Alexey_Abashkin_ has quit IRC21:00
*** jamielennox|away is now known as jamielennox21:01
*** raildo has quit IRC21:02
*** diazjf has quit IRC21:02
*** adriant has joined #openstack-keystone21:04
adriantstevemar: out of curiosity, when does security support for Keystone in liberty end (I thought it already had)?21:05
adriantmorgan: you about?21:07
*** adrian_otto has quit IRC21:11
*** adrian_otto has joined #openstack-keystone21:12
stevemaradriant: EOL stuff is here:
adriantstevemar: Saw that, just was confused by the EOL vs non-sec support :(21:16
adriantso it is EOL, but still mostly security supported then?21:17
stevemarohh right21:18
stevemaradriant: you might want to ask fungi about security supported21:18
adriantyeah, the EOL for Liberty has passed, but the status still reads Security-supported :P21:18
adriantI'm partly asking because the stable branches for liberty seem gone in a bunch of the repos.21:19
adriantstevemar: thanks by the way, may ask fungi when he's about. :)21:20
*** diazjf has joined #openstack-keystone21:20
*** asettle has joined #openstack-keystone21:21
*** lucas__ is now known as lucasxu21:24
morganadriant: here21:24
adriantmorgan: Ah! Same question as yesterday, do you want me to start on the router/controller for the rules while you handle the auth layer?21:27
adriantThey should be reasonably independent, although I assume I'd update the controllers as you find problems while doing the auth21:27
adriantmorgan: If not, I've got plenty else I can do. Just thought I'd offer to do something reasonably easy to help get this done faster. :)21:31
morganadriant: sure. remember 2 things. controller  just handles the request and validates it21:32
morganadriant: and the businesslogic goes in the manager21:32
morganand then driver (backend, thing) only does "store" and "retrieve" (so 3 things)21:32
morganmanager is usually in core.py21:32
adriantmorgan: yeah, I'm basically meaning that whole thing. Just wrong terms.21:32
morgani'm going to need to do some of the work to make the auth bits work21:33
morgani think21:33
morganmaybe not.21:33
adriantShouldn't have to21:33
morgani'll have to poke at it.21:33
morganit depends on how the ORM does loading.21:33
fungiadriant: stevemar: i think it was an oversight in the releases repo, i've just proposed so we'll see what they say about it21:33
adriantother than odd rules and validation you'd want to add so the rules don't break the auth21:33
morganyeah basically need to do lots of parsing and validation in the auth path21:33
morgani know how that has to look already21:34
morganthe controller will need JSON schema as well for request validation21:34
morgani plan to use the exact layout in the spec for the auth path21:34
*** asettle has quit IRC21:34
morganof the json stored that is21:34
morganhopefully it doesn't need much extra work.21:34
adriantI'll leave it to you for now then and review as needed.21:35
adriantmorgan: Oh and, as a side note. We're likely to use that password+totp plugin ourselves until we get this MFA fully supported across the required projects (I doubt we'll get that all done in Ocata), but moving to using the rules should be easy. :)21:36
adriantfungi: thanks, thought that was the case! Good to know.21:40
*** jaosorior has joined #openstack-keystone21:44
morganadriant: right makes sense21:44
adriantmorgan: We have a fairly urgent need for MFA, and that plugin gives us a quick way that doesn't break anything, and with how the rules will work I can migrate to using them later.21:45
adriantAlthough I will need to write a script or do some sql: "for all users with totp creds, create rule password+totp"21:46
morganyeah it wont be terrible21:46
adriantbut that's easy and only a one time thing21:46
morganyou could just use the same totp cred type21:46
morganoh yeah need the rules, but that should be easy21:47
adriantwell, more need the rules and switch to the proper password + totp as two methods rather than the single plugin21:47
adriantbut we'd need to issue a deprecation warning to customers to make sure they upgrade their keystoneauth/clients etc21:48
adriantbecause it never ceases to surprise me how old some of the installed libraries people use are :(21:48
adriant"Why are you still using the keystoneclient for cli?!"21:49
lbragstadstevemar does my response here make sense?
openstackLaunchpad bug 1655013 in OpenStack Identity (keystone) "double assignment of user to group does not give error" [Undecided,Invalid]21:51
bknudsonseems like everybody wants errors from keystone all the time21:51
bknudsonshould just replace it with a server that returns 400.21:51
*** lucasxu has quit IRC21:52
*** dave-mccowan has joined #openstack-keystone21:54
*** lucas__ has joined #openstack-keystone21:54
*** thorst has quit IRC21:54
bknudson402 Payment Required21:55
adriantlbragstad: It's one of those weird things where yes a 409 would make sense, but you asked for an action to be done, and hey, your action was already completed, have a 2** code.21:55
adriantWhy would you need to care if you did it, or someone else did it? Maybe if data was changed, but that doesn't happen here.21:56
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table
lbragstadit feels like it's automation related...21:57
*** thorst has joined #openstack-keystone21:57
*** thorst has quit IRC22:02
*** spzala has quit IRC22:09
stevemarbknudson: lol22:11
*** ayoung has joined #openstack-keystone22:13
*** ChanServ sets mode: +v ayoung22:13
*** diazjf has quit IRC22:15
*** spzala has joined #openstack-keystone22:16
*** lucas__ has quit IRC22:18
*** spzala has quit IRC22:20
*** spzala has joined #openstack-keystone22:28
*** spzala has quit IRC22:28
*** markvoelker has quit IRC22:29
*** markvoelker has joined #openstack-keystone22:32
*** edtubill has quit IRC22:34
*** markvoelker has quit IRC22:34
*** markvoelker has joined #openstack-keystone22:34
*** markvoelker_ has joined #openstack-keystone22:39
*** markvoelker has quit IRC22:39
*** phalmos has quit IRC22:43
openstackgerritRichard Avelar proposed openstack/keystone: WIP extend users API to add federated object
*** spilla has quit IRC22:49
*** catintheroof has quit IRC22:50
*** catintheroof has joined #openstack-keystone22:51
*** ayoung has quit IRC22:51
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS
*** ravelar has quit IRC22:53
*** chlong has quit IRC22:55
*** catintheroof has quit IRC22:55
*** chris_hultin is now known as chris_hultin|AWA22:59
*** spzala has joined #openstack-keystone23:01
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS
*** spzala has quit IRC23:09
*** spzala has joined #openstack-keystone23:09
*** jperry has quit IRC23:10
*** dave-mccowan has quit IRC23:11
*** lamt has quit IRC23:11
*** tqtran has quit IRC23:17
*** spzala has quit IRC23:18
*** adrian_otto has quit IRC23:25
*** tqtran has joined #openstack-keystone23:29
*** markvoelker_ has quit IRC23:32
*** adrian_otto has joined #openstack-keystone23:33
*** edmondsw has quit IRC23:36
*** edtubill has joined #openstack-keystone23:36
*** markvoelker has joined #openstack-keystone23:40
*** edtubill has quit IRC23:40
*** thorst_ has joined #openstack-keystone23:48
*** thorst_ has quit IRC23:53
openstackgerritKam Nasim proposed openstack/keystone: Set connection timeout for LDAP configuration
*** jaosorior has quit IRC23:54