Thursday, 2017-01-26

00:02 *** lamt has quit IRC
00:03 *** catintheroof has quit IRC
00:07 *** browne has quit IRC
00:09 <morgan> dstanek, rderose, stevemar, breton, samueldmq, lbragstad, knikolla: oops 2 more tests to fix. fixed in a moment
00:16 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options  https://review.openstack.org/424334
00:19 *** browne has joined #openstack-keystone
00:23 *** Adobeman has joined #openstack-keystone
00:24 <Adobeman> hi, does anyone use keystone with openldap directory service here?  I have issues with newton (RDO), I keep getting rejected when attempting to authenticate
00:25 <Adobeman> if I were to just use a standard ldapsearch from the openstack system, it works perfectly fine.  But keystone refuses to authenticate ..
00:40 *** portdirect is now known as portdirect_travl
00:49 *** tovin07_ has joined #openstack-keystone
00:50 *** dave-mcc_ has joined #openstack-keystone
00:51 *** browne has quit IRC
00:53 *** dave-mccowan has quit IRC
00:58 <openstackgerrit> Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object  https://review.openstack.org/418624
01:06 *** bjolo_ has joined #openstack-keystone
01:11 *** martinus__ has quit IRC
01:11 *** martinus__ has joined #openstack-keystone
01:12 *** edmondsw has joined #openstack-keystone
01:17 *** edmondsw has quit IRC
01:20 *** dave-mccowan has joined #openstack-keystone
01:22 *** dave-mcc_ has quit IRC
01:22 *** phalmos_ has quit IRC
01:23 <knikolla> morgan: looking now :)
01:26 *** tqtran has quit IRC
01:30 <dstanek> Adobeman: using the same credentials for keystone and on the command line?
01:42 <Adobeman> dstanek: yes
01:43 <Adobeman> manager
01:44 *** catintheroof has joined #openstack-keystone
01:45 <dstanek> Adobeman: if you have debugging on you should be able to get the exact command being run so that you can double check it
01:46 <Adobeman> I did.. they look the same to me :x
01:47 <Adobeman> debug was set at ... 4
01:47 <Adobeman> if I remember correctly
01:47 <Adobeman> one sec
01:47 <dstanek> hmmm...that's not good
01:47 <dstanek> i don't really use ldap :-(
01:48 <dstanek> my next step would be to run that command on the same box that runs keystone under that same user that is running the service
01:49 *** catintheroof has quit IRC
01:49 <Adobeman> http://pastebin.com/pdDNXdqP
01:50 <Adobeman> oh...
01:50 *** erlon has quit IRC
01:53 <dstanek> Adobeman: got something?
01:53 <Adobeman> that's just output of...
01:53 <Adobeman> ldapsearch, logs, keystone.conf..
01:54 <Adobeman> I'm a little surprised not many people out there have actually done openldap + openstack :-(
01:54 <Adobeman> more people seem to be doing it with Active Directory
01:55 <stevemar> dstanek: soccer? i hope it's indoor
01:57 *** dave-mcc_ has joined #openstack-keystone
01:59 *** dave-mccowan has quit IRC
02:01 *** thorst_ has joined #openstack-keystone
02:03 <knikolla> Adobeman: you're getting user is disabled, so my guess is that something is wrong with your user_enabled_emulation_dn
02:03 <stevemar> going to rebase breton's patch on top of rderose's
02:03 <dstanek> stevemar: yes, indoor :-)
02:04 <Adobeman> knikolla: I don't fully understand how to 'fix that'...
02:06 *** thorst_ has quit IRC
02:07 <knikolla> Adobeman: i don't have much experience with setting up ldap. enabled_emulation is used to set users as enabled if they are part of the group in enabled_emulation_dn
02:08 <Adobeman> ok, I will look into that...
02:08 <Adobeman> thanks
02:09 <knikolla> Adobeman: in this case, your dn doesn't really point to a group. try making a group and adding testuser to it.
02:10 <Adobeman> ok
02:17 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Enable trusts for federated users  https://review.openstack.org/415545
02:44 *** jose-phillips has quit IRC
02:50 *** thorst_ has joined #openstack-keystone
02:50 *** thorst_ has quit IRC
02:57 *** diazjf has joined #openstack-keystone
03:00 *** d0ugal has quit IRC
03:07 *** markvoelker has joined #openstack-keystone
03:08 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Force users to change password upon first use  https://review.openstack.org/425507
03:17 *** thorst_ has joined #openstack-keystone
03:17 *** d0ugal has joined #openstack-keystone
03:17 *** lamt has joined #openstack-keystone
03:18 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add support for endpoint group filtering  https://review.openstack.org/182658
03:23 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Force users to change password upon first use  https://review.openstack.org/425507
03:23 *** markvoelker has quit IRC
03:24 <openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/425507
03:28 *** xiongjh1 has joined #openstack-keystone
03:29 <samueldmq> stevemar: where is the list of things that need to be reviewed by the end of this week?
03:29 <samueldmq> stevemar: I remember us talking about it in the meeting but can't see it in the meeting agenda
03:31 *** bjolo_ has quit IRC
03:33 *** markvoelker has joined #openstack-keystone
03:36 <gagehugo> https://etherpad.openstack.org/p/keystone-sprint-to-ocata
03:37 <gagehugo> samueldmq: couldn't find a link in the meeting, but that was in my history recently
03:37 <gagehugo> so it was linked sometime recently
03:39 *** nicolasbock has quit IRC
03:45 <stevemar> gagehugo: thanks
03:46 <stevemar> samueldmq: yep, what gagehugo said
04:14 <stevemar> morgan: around-ish?
04:17 <openstackgerrit> Tin Lam proposed openstack/keystoneauth: Fix ClientException message property not set properly  https://review.openstack.org/285757
04:22 *** spotz is now known as spotz_zzz
04:31 *** nkinder has quit IRC
04:32 *** dave-mcc_ has quit IRC
04:34 *** ianw is now known as ianw_pto
04:35 *** nkinder has joined #openstack-keystone
04:47 <morgan> stevemar: o/
04:47 <morgan> stevemar: back from food
04:50 *** spotz_zzz is now known as spotz
04:58 <morgan> rderose: comments on your patch.
05:00 *** spotz is now known as spotz_zzz
05:00 <openstackgerrit> Richard Avelar proposed openstack/keystone: WIP get user  https://review.openstack.org/425534
05:01 *** cburgess has quit IRC
05:04 *** Guest58531 has quit IRC
05:04 *** spotz_zzz has quit IRC
05:06 *** chris_hultin|AWA has quit IRC
05:06 *** woodburn has quit IRC
05:06 *** ayoung has quit IRC
05:07 *** ayoung has joined #openstack-keystone
05:07 *** ChanServ sets mode: +v ayoung
05:07 *** woodburn has joined #openstack-keystone
05:07 *** comstud has quit IRC
05:07 *** dtroyer has quit IRC
05:07 *** cburgess has joined #openstack-keystone
05:07 *** chris_hultin|AWA has joined #openstack-keystone
05:07 *** spotz_zzz has joined #openstack-keystone
05:07 *** mgagne has joined #openstack-keystone
05:07 *** mgagne is now known as Guest33539
05:07 *** chris_hultin|AWA is now known as chris_hultin
05:08 *** comstud has joined #openstack-keystone
05:08 *** dtroyer has joined #openstack-keystone
05:08 *** antwash has joined #openstack-keystone
05:08 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Add 'options' as an explicit user schema validation  https://review.openstack.org/425536
05:17 *** adriant has quit IRC
05:18 *** thorst_ has joined #openstack-keystone
05:23 *** thorst_ has quit IRC
05:23 *** browne has joined #openstack-keystone
05:25 <stevemar> breton: morgan since you guys are the evening crew... if any of https://review.openstack.org/#/c/294535/ https://review.openstack.org/#/c/423561/ https://review.openstack.org/#/c/423753/  https://review.openstack.org/#/c/409874/ or https://review.openstack.org/#/c/423708/ come back as -2 from jenkins, just recheck or rebase or reapprove
05:34 *** browne has quit IRC
05:37 <stevemar> morgan: o/
05:37 <stevemar> so it looks like get'ting a user will now add 'options' if https://review.openstack.org/#/c/424334/ merges
05:40 *** antwash_ has joined #openstack-keystone
05:40 *** xiongjh1 has quit IRC
05:43 <stevemar> hmm, doesn't seem to
05:44 *** spotz_zzz is now known as spotz
05:45 *** antwash_ has quit IRC
05:46 <stevemar> hmm interesting, it doesn't affect existing users until an update is called
05:46 <stevemar> i suppose that is fine
05:54 *** spotz is now known as spotz_zzz
06:22 <openstackgerrit> Merged openstack/keystone: Add DB operations tracing  https://review.openstack.org/294535
06:22 <openstackgerrit> Merged openstack/keystone: Add warning about using `external` with federation  https://review.openstack.org/423561
06:26 *** diazjf has quit IRC
06:26 <morgan> stevemar: all is going well. about to clock out
06:26 <morgan> for the night
06:27 *** lamt has quit IRC
06:38 *** spotz_zzz is now known as spotz
06:40 <openstackgerrit> Merged openstack/keystone: update entry points related to paste middleware  https://review.openstack.org/423753
06:40 <openstackgerrit> Merged openstack/keystone: Add domain_id to the user table  https://review.openstack.org/409874
06:40 <openstackgerrit> Merged openstack/keystone: Refactor shadow users tests  https://review.openstack.org/423705
06:42 *** ravelar has quit IRC
06:42 *** Jack_V has joined #openstack-keystone
06:48 *** spotz is now known as spotz_zzz
06:55 *** stingaci has joined #openstack-keystone
06:57 *** jperry has quit IRC
07:00 *** stingaci has quit IRC
07:11 *** tesseract has joined #openstack-keystone
07:12 *** edmondsw has joined #openstack-keystone
07:14 *** spotz_zzz is now known as spotz
07:16 *** edmondsw has quit IRC
07:17 *** rha has quit IRC
07:18 *** frickler has quit IRC
07:19 *** thorst_ has joined #openstack-keystone
07:19 *** jperry has joined #openstack-keystone
07:20 *** stingaci has joined #openstack-keystone
07:22 *** AlexeyAbashkin has joined #openstack-keystone
07:23 *** thorst_ has quit IRC
07:24 *** jperry has quit IRC
07:24 *** spotz is now known as spotz_zzz
07:24 *** jperry has joined #openstack-keystone
07:25 *** stingaci has quit IRC
07:30 *** jperry has quit IRC
07:32 *** jperry has joined #openstack-keystone
07:34 *** thorst_ has joined #openstack-keystone
07:36 *** rha has joined #openstack-keystone
07:37 *** rha has quit IRC
07:37 *** rha has joined #openstack-keystone
07:37 *** frickler has joined #openstack-keystone
07:39 *** thorst_ has quit IRC
07:46 *** stingaci has joined #openstack-keystone
07:47 <openstackgerrit> Merged openstack/keystone: Set the domain for federated users  https://review.openstack.org/423708
07:51 *** stingaci has quit IRC
07:52 *** stingaci has joined #openstack-keystone
08:05 *** tovin07_ has quit IRC
08:08 *** spotz_zzz is now known as spotz
08:12 *** markvoelker has quit IRC
08:15 *** markvoelker has joined #openstack-keystone
08:18 *** spotz is now known as spotz_zzz
08:23 *** frickler has quit IRC
08:23 *** rha has quit IRC
08:24 *** frickler has joined #openstack-keystone
08:24 *** antwash_ has joined #openstack-keystone
08:25 *** rha has joined #openstack-keystone
08:25 *** rha has quit IRC
08:25 *** rha has joined #openstack-keystone
08:29 *** antwash_ has quit IRC
09:00 *** zzzeek has quit IRC
09:00 *** zzzeek has joined #openstack-keystone
09:02 *** spotz_zzz is now known as spotz
09:10 *** AlexeyAbashkin has quit IRC
09:12 *** spotz is now known as spotz_zzz
09:21 <openstackgerrit> Merged openstack/keystone: Catch potential SyntaxError in federation mapping  https://review.openstack.org/421616
09:23 *** jperry has quit IRC
09:25 *** pnavarro has joined #openstack-keystone
09:35 *** thorst_ has joined #openstack-keystone
09:40 *** thorst_ has quit IRC
09:47 *** mvk has quit IRC
09:50 *** jose-phillips has joined #openstack-keystone
09:51 *** thorst_ has joined #openstack-keystone
09:53 *** spotz_zzz is now known as spotz
09:54 *** jose-phillips has quit IRC
09:56 *** thorst_ has quit IRC
10:03 *** spotz is now known as spotz_zzz
10:07 <robcresswell> stevemar: So, I know the keystone/horizon meetings tailed off a little towards the end of the cycle. Is there any intention on the keystone side to keep them up next cycle? I'd like us to, because I feel it's been very productive.
10:07 <robcresswell> lbragstad, samueldmq ^^ Might be relevant since I see you're both running for PTL for Pike
10:21 *** gema has quit IRC
10:40 *** antwash_ has joined #openstack-keystone
10:45 *** antwash_ has quit IRC
10:48 *** spotz_zzz is now known as spotz
10:48 *** edmondsw has joined #openstack-keystone
10:52 *** edmondsw has quit IRC
10:57 *** spotz is now known as spotz_zzz
11:17 *** openstackgerrit has quit IRC
11:22 *** masterjcool has quit IRC
11:34 *** masterjcool has joined #openstack-keystone
11:37 *** gitudaniel has joined #openstack-keystone
11:42 *** spotz_zzz is now known as spotz
11:43 *** nicolasbock has joined #openstack-keystone
11:51 *** spotz is now known as spotz_zzz
11:52 *** thorst_ has joined #openstack-keystone
11:57 *** thorst_ has quit IRC
12:00 <dstanek> good morning all
12:00 <dstanek> robcresswell: ++ i think it's a good idea to keep that going
12:00 *** stingaci has quit IRC
12:09 *** raildo has joined #openstack-keystone
12:16 *** mvk has joined #openstack-keystone
12:18 *** spotz_zzz is now known as spotz
12:20 <robcresswell> dstanek: Agreed. I was going to put in my PTL email to do so, but thought I better confirm with you guys first :p
12:21 <dstanek> robcresswell: i think it's a benefit to the community to have both teams working more closely
12:22 <robcresswell> dstanek: ++
12:27 *** erlon has joined #openstack-keystone
12:27 *** catintheroof has joined #openstack-keystone
12:27 *** spotz is now known as spotz_zzz
12:28 *** openstackgerrit has joined #openstack-keystone
12:28 <openstackgerrit> David Stanek proposed openstack/keystoneauth: Fix ClientException message property not set properly  https://review.openstack.org/285757
12:36 <dstanek> stevemar: lbragstad: rderose:  ^ the 3 line change that is taking forever to get through...
12:38 *** catintheroof has quit IRC
12:38 *** catintheroof has joined #openstack-keystone
12:39 *** spotz_zzz is now known as spotz
12:41 *** stingaci has joined #openstack-keystone
12:45 *** stingaci has quit IRC
12:47 *** thorst_ has joined #openstack-keystone
12:49 *** lamt has joined #openstack-keystone
12:49 *** spotz is now known as spotz_zzz
12:53 *** lamt has quit IRC
12:57 *** catinthe_ has joined #openstack-keystone
12:59 *** catintheroof has quit IRC
13:02 *** d-bark has joined #openstack-keystone
13:14 *** edmondsw has joined #openstack-keystone
13:14 *** markvoelker has quit IRC
13:14 <samueldmq> morning
13:14 <samueldmq> robcresswell: agree with what dstanek said
13:18 <robcresswell> samueldmq: Awesome
13:18 *** richm has joined #openstack-keystone
13:29 <samueldmq> morgan: rderose I might need some help understanding the in-code options purpose
13:30 <samueldmq> morgan: rderose and how it relates to removing lockout_ignored_user_ids and ignore_password_expires_user_ids
13:30 <dstanek> samueldmq: one benefit is that certain types of things like an "ignore list" that we currently put into the config can be stored in the database
13:31 <dstanek> so no restart is required to add a service user for instance
13:32 *** nishaYadav has joined #openstack-keystone
13:33 *** spotz_zzz is now known as spotz
13:34 <samueldmq> dstanek: gotcha, but I see that user_option table associates user_id with option_id
13:34 <samueldmq> dstanek: so it's per user, rather than to "all users"
13:34 <dstanek> samueldmq: it always is. take a list of user ids in the config file. that is per user
13:39 <stevemar> robcresswell: i think we ticked off most items on our initial list
13:39 <stevemar> robcresswell: but yeah, we can keep them up
13:51 *** spotz is now known as spotz_zzz
13:53 <robcresswell> stevemar: :D
13:56 <samueldmq> dstanek: makehmm makes sense
13:56 <samueldmq> makehmm/hmm
13:58 <samueldmq> dstanek: however, users who currently have access to update their own info (name, description)
13:59 <samueldmq> will then be able to set the config options to themselves
13:59 <dstanek> samueldmq: the plan is to put policy around individual options
14:00 <dstanek> something like that should be done before rderose's patches merge
14:00 <samueldmq> dstanek: kk or just update_user_options, if we do per option the policy file will explode in size
14:00 <samueldmq> identity:update_user_options
14:04 <dstanek> samueldmq: can't do that since some of the options should be admin only and others controlled by the user
14:05 *** nishaYadav has quit IRC
14:05 <samueldmq> dstanek: do you have an example of one that is controlled by the user?
14:05 <samueldmq> dstanek: today none of them are, because it is in the config file
14:06 *** spotz_zzz is now known as spotz
14:07 <dstanek> samueldmq: mfa
14:08 <samueldmq> 1 policy entry per option is going to be crazy :(
14:09 *** richm has quit IRC
14:11 <stevemar> robcresswell: well, negotiate with whomever is ptl in 10 days :P
14:13 <dstanek> samueldmq: depends on the number of options. also we can have sane defaults and not have to put anything on our policy file if we don't want to
14:13 <stevemar> rderose: morgan dstanek so how would the flow go for marking users as special with 'options' like ignore this user on password expiry?
14:14 <stevemar> rderose: morgan dstanek just a simple update but include options.ignore_user_password = True
14:14 <stevemar> i guess the existing logic would have to look into the resource option (and the config option if it's marked)
14:15 <samueldmq> dstanek: yeah, I'd say we should have identity:update_user_options that applies to all options but the ones the user must update
14:15 <samueldmq> identity:update_user_options + identity:update_user_mfa (or whatever)
14:15 *** jperry has joined #openstack-keystone
14:15 *** haplo37_ has quit IRC
14:17 <dstanek> samueldmq: each one could have its own policy in code
14:18 <dstanek> you could also implement groups so identity:pci_options policy would be consulted if there was not an explicit identity:pci_options:expired_exempt
14:18 <dstanek> morgan: ^ thoughts?
14:18 <samueldmq> also this is bad for per-url policy, which is what we agreed to do in middleware
14:18 *** haplo37_ has joined #openstack-keystone
14:19 <dstanek> samueldmq: i never agreed to it because i think it's wrong
14:19 <samueldmq> since all of them have the same url
14:20 <samueldmq> okay, just would like to let the team know the decisions we're making now are not really going in the same direction as that
14:20 <samueldmq> dstanek: ^
14:20 <openstackgerrit> Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc  https://review.openstack.org/422375
14:21 <dstanek> if we do want options controlled by policy and policy middleware then we'd have to only allow changes using {PUT,DELETE} /user/{user_id}/options/{option_name}
14:22 <samueldmq> dstanek: that's a good solution addressing both directions
14:30 <samueldmq> dstanek: for me, the direction the role check is driving us is: get all the role checks in middleware, put the scope and other checks in the code.
14:37 <stevemar> samueldmq dstanek: well, we should only give the user the right to change specific options
14:38 <stevemar> samueldmq dstanek: they shouldn't have the authorization to change ignore_password_expires or PCI stuff
14:38 <stevemar> just their MFA bits
14:38 <samueldmq> in that case we could have: identity:update_user_options and identity:update_user_mfa_options
14:39 <samueldmq> stevemar: ^
14:39 <stevemar> samueldmq: sure, just treat it the same way we did /user/user_id/passwd
14:39 <samueldmq> I am not sure there will be other options the users will be able to change by themselves
14:39 <samueldmq> mfa looks pretty specific
14:39 <stevemar> "identity:change_password": "rule:admin_or_owner",
14:40 <stevemar> "identity:change_mfa": "rule:admin_or_owner",
14:40 <stevemar> doneee
14:40 *** egonzalez has joined #openstack-keystone
14:40 <stevemar> the other options, it's unlikely that we'll allow a user to change them
14:41 <stevemar> anyway
14:41 <samueldmq> stevemar: if users can update themselves today (name, whatever)
14:41 <stevemar> samueldmq: they can't do that
14:41 <samueldmq> stevemar: they will become able to update their options, all of a sudden after upgrade
14:42 <egonzalez> Hi guys, i'm testing zero downtime upgrade from newton to master and facing the following error while creating users, other commands work fine http://paste.openstack.org/show/596598/
14:42 <samueldmq> stevemar: we just need to advertise that well in docs
14:42 *** spotz is now known as spotz_zzz
14:42 <stevemar> samueldmq: the only thing a user can update is their password
14:42 <stevemar> unless they are admin*
14:42 <samueldmq> stevemar: not in default policy, but we need to advertise it to deployers in case their custom policy allows it
14:43 <stevemar> update user is admin required -> "identity:update_user": "rule:admin_required",
14:43 <samueldmq> stevemar: exactly, in default policy
14:43 <stevemar> yesh
14:44 <samueldmq> if deployers have customized it, there needs to be a way to let them know the effects of that after this upgrade
14:44 <stevemar> why would it affect them?
14:44 <breton> how are roles evaluated for a federated user with fernet token?
14:45 <stevemar> (are you assuming mfa will be landed or something? i'm missing something here...)
14:45 <stevemar> breton: hmm
14:45 <lbragstad> breton we use the group assignments or the direct assignments the federated user has
14:46 <breton> lbragstad: ok. Suppose i am a federated user. I authenticate in adfs and keystone says that i am in group G. After that i get a fernet token.
14:46 <lbragstad> well - and/or the direct assignments
14:46 <breton> lbragstad: after that i come to keystone with this fernet token again
14:46 <lbragstad> yep
14:46 <breton> lbragstad: how does keystone know that i am in group G?
14:46 <lbragstad> breton this part threw me for a loop - but hopefully I can help
14:46 * lbragstad grabbing a link
14:47 *** agrebennikov__ has joined #openstack-keystone
14:47 <stevemar> breton: lbragstad dstanek samueldmq rderose morgan -- i'll be proposing the tip of master right now (169e66ab8800148c4052a46d2cb321af33e44f77) to be ocata-3. I will mark it as WIP as long as I can until the release team shouts at me :)
14:48 <lbragstad> breton https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/mapped.py#L188-L189
14:48 <stevemar> breton: lbragstad dstanek samueldmq rderose morgan if we want to squeeze anything else in (breton's fix, or morgan's options) we should get it approved in the morning
14:48 <lbragstad> stevemar ack
14:49 <lbragstad> breton these are the tricky bits (that I thought I understood but didn't)
14:49 <lbragstad> https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/auth/plugins/mapped.py#L188-L189
14:49 <samueldmq> stevemar: ack thanks
14:49 <breton> lbragstad: aha. Where does `mapped_properties['group_ids']` get populated when a user comes back with a fernet token?
14:49 <stevemar> breton: lbragstad d-bark samueldmq rderose morgan we can still merge some patches next week, they'll go into the release candidate driver, we don't want too much here...
14:49 <breton> lbragstad: (both links you sent are the same)
14:50 <lbragstad> breton yep - i realized after I sent the first one I wasn't using a SHA
14:50 <breton> ok
14:50 <breton> so
14:50 <lbragstad> (i try to use SHA in those so that when I go back later it doesn't change)
14:50 <breton> i think that roles are not getting populated at all when a user comes back with a token.
14:50 *** d-bark has quit IRC
14:51 <breton> (if direct role assignments are not used)
14:51 <lbragstad> breton let's say you go to keystone to ask for a list of projects with an unscoped token you just got as a federated user - https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/auth/controllers.py#L647-L648
14:51 <stevemar> release link https://review.openstack.org/#/c/425735/1
14:52 <breton> lbragstad: stop
14:52 <breton> lbragstad: `
14:52 <breton> group_ids = request.auth_context.get('group_ids')`
14:52 <breton> lbragstad: where do group_ids come from?
14:52 <stevemar> breton: those are from federated tokens i believe
14:53 <breton> stevemar: federated token has group ids?
14:53 <lbragstad> breton yeah - we get them from the mapping https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/auth/plugins/mapped.py#L216
14:53 <lbragstad> (if the mapping applies and puts that user in a group based on the rules)
14:53 <stevemar> breton: https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L109-L110
14:53 <stevemar> yes
14:54 <dstanek> stevemar: i think samueldmq is saying if a cloud allows a user to update their information
14:54 <breton> oooh
14:54 <stevemar> https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L262-L269
14:54 <stevemar> breton: ^
14:54 <breton> federated_info
14:54 <breton> that's what i missed
14:54 <breton> thank you
14:56 <lbragstad> breton yeah - it's a little strange
14:56 *** jrist has quit IRC
14:57 <lbragstad> breton and we have this https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/auth/controllers.py#L651-L660 which allows for group and direct role assignments to work for federated users
14:57 *** markvoelker has joined #openstack-keystone
14:59 <breton> lbragstad: cool, thank you
15:00 <lbragstad> breton no problem
15:04 *** spotz_zzz is now known as spotz
15:04 *** antwash_ has joined #openstack-keystone
15:04 *** antwash_ has quit IRC
15:05 *** antwash_ has joined #openstack-keystone
15:05 *** antwash_ has quit IRC
15:08 *** phalmos has joined #openstack-keystone
15:09 *** jrist has joined #openstack-keystone
15:11 *** spzala has joined #openstack-keystone
15:11 *** lamt has joined #openstack-keystone
15:15 <knikolla> o/ morning
15:15 *** jaugustine has joined #openstack-keystone
15:21 *** lamt has quit IRC
15:24 <rderose> morgan stevemar dstanek: we'll need to update the documentation for the new options attribute as it will now be returned in the user response object
15:28 <lbragstad> rderose wasn't extras returned in the user response?
15:29 <rderose> lbragstad: I don't think so: http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-user-details-detail
15:30 <rderose> lbragstad: I'm not sure we're trying to deprecate extras
15:30 <rderose> *if
15:31 *** jaosorior has joined #openstack-keystone
15:34 <lbragstad> rderose testing it
15:34 <dstanek> lbragstad: rderose: extras should appear in the entities returned
15:34 *** phalmos has quit IRC
15:35 <dstanek> lbragstad: rderose: you don't see an 'extras' object though
15:36 <lbragstad> dstanek right - the properties are just mapped to attributes of the user
15:36 <dstanek> lbragstad: yep - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/core.py#n138
15:36 *** stevemar has quit IRC
15:37 *** stevemar has joined #openstack-keystone
15:38 <lbragstad> dstanek rderose http://cdn.pasteraw.com/bvd09d03hljr33xornvm8376jhrhxya
15:38 <lbragstad> so morgan's work should be transparent from an API perspective
15:38 <lbragstad> (I didn't test morgan's change locally - that's just the behavior of extras on master)
15:39 <dstanek> lbragstad: what work are you talking about?
15:39 <lbragstad> dstanek the options work
15:39 <dstanek> options:
15:39 <lbragstad> yeah
15:39 *** catintheroof has joined #openstack-keystone
15:39 <dstanek> that will change the entities returned to have an options object embedded
15:39 <lbragstad> ah - really?
15:42 <dstanek> yep
15:42 *** catinthe_ has quit IRC
15:44 <lbragstad> dstanek testing locally
15:44 <samueldmq> lbragstad: dstanek: I thought options would go in {user:{options:[passwd_expires_at:null]}}
15:44 <samueldmq> rather than {user:{passwd_expires_at:null}}
15:44 <samueldmq> lbragstad: as per your paste above
15:45 <dstanek> samueldmq: yes, that's where they go
15:45 <lbragstad> dstanek http://cdn.pasteraw.com/f2p02sqn6x6btu3bwn8t384v7bwdsql
15:45 <stevemar> breton: so, you think there's no need for the patch? except to add the test?
lbragstadweird - stuff didn't migrated to options15:45
lbragstader... `stuff` didn't get migrated to `extras`15:45
dstaneklbragstad: what are you expecting to be migrated?15:46
lbragstadi created a user with `stuff` as an extra property15:46
lbragstadbut when I list that user - it doesn't go into `options`15:47
samueldmqit shouldn't, that's not an option15:47
samueldmqthat's just extra stuff, correct ?15:47
*** openstackgerrit has quit IRC15:48
dstanekoptions are new. they are predefined and validated like any part of the normal entities. extras an unstructured and unvalidated data15:48
dstanekyou can't use an option that isn't defined15:48
stevemardstanek: yep15:52
lbragstaddstanek ah - so we will need to document that15:52
lbragstadi misunderstood that15:53
lbragstadand options are things that we can define in cod e15:53
dstaneklbragstad: i think morgan was going to add docs, but i'd be happy to if he is busy.15:53
lbragstadin order to make them validated15:53
lbragstad(instead of through configuration or something like that)15:53
lbragstadi'd be up for reviewing it since I've played with it locally now15:53
dstaneki sorta started with a blog post, but i could just finish that as keystone docs instead of a post15:53
lbragstaddstanek a blog post on detailing the reason why we want to move towards options would be useful :)15:54
*** spilla has joined #openstack-keystone15:55
dstaneklbragstad: it would be better in the docs. detailing design decisions on third party sites isn't great15:55
lbragstadas an operator I see options and think "cool, yet another key value store!"15:55
*** mvk has quit IRC15:55
dstaneklbragstad: you wouldn't see that as an operator. you'd see the docs that say use xyz key to do abc operation15:56
lbragstaddstanek true15:56
dstanekno different than defining user.username as a char(64)15:56
stevemardstanek: the dev guide would be a great place for them15:56
dstanekstevemar: yep, exactly15:57
*** ravelar has joined #openstack-keystone15:57
*** ravelar has quit IRC15:58
bretonstevemar: there is a need to the patch, i am just trying to rewrite it16:00
*** egonzalez has quit IRC16:00
bretonstevemar: rderose raised a good question about change of policy16:00
stevemarbreton: yeah, excellent point there16:03
*** ravelar has joined #openstack-keystone16:03
*** openstackgerrit has joined #openstack-keystone16:03
openstackgerritTravis Truman (automagically) proposed openstack/keystone: Deprecate the AdminTokenAuthMiddleware  https://review.openstack.org/30528716:03
*** ChanServ sets mode: +o stevemar16:03
bretoni mean, maybe we can still live with that16:04
bretonbut if it can be fixed, i should probably do it16:04
bretonok, another question16:07
bretoncan i create a trust for project p1 with a token scoped to p2?16:08
*** jrist has quit IRC16:10
bretonlooks like i can.16:11
morganbreton: that is a big16:14
morganbug*16:14
morganI think. let me check. it might let you create trusts for any project you can scope to.16:14
*** richm has joined #openstack-keystone16:15
morganlbragstad: options on are used if defined. extra data stays in extra. also you have to specify the options in user[options] based on rderose and dstanek feedback on the first patch.16:15
morganimpl16:15
*** egonzalez has joined #openstack-keystone16:17
knikollabreton, morgan: https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L16716:17
knikollayou can create a trust if you have a role16:18
knikolladon't have to be scoped to that project16:18
bretonyep16:19
bretonand i don't think we can fix it.16:19
*** jrist has joined #openstack-keystone16:21
lbragstadmorgan ah16:24
lbragstadmorgan you mentioned earlier (within the last couple days) something about default_project_id16:25
lbragstadmorgan and there was something we could do with it based on options16:25
lbragstadmorgan what was that?16:25
lbragstadcc dstanek ^16:26
knikollathere's a db upgrade question on the mailing list16:26
knikollalbragstad, rderose ^^16:27
lbragstadknikolla I just saw that16:27
dstanekstevemar: breton: has https://review.openstack.org/#/c/415545/3 been discussed already?16:33
Adobemanumm so I try to create a group in ldap call "enabled_emulation_dn", its still rejecting my login into horizon..16:35
Adobemankeystone log still says my user is disabled16:35
*** gitudaniel has quit IRC16:36
Adobemananyone here done keystone/horizon with openldap ?16:36
Adobeman<- pulling hair here :x16:36
*** phalmos has joined #openstack-keystone16:38
dstanekAdobeman: can you turn off user emulation to test that is works without it?16:39
Adobemanok, let me try16:40
dstanekAdobeman: you may have to debug that code and see what data it gets right before it raises that error16:41
Adobemanso its now set to false16:41
Adobemandebug.. set to 4..16:41
Adobemanwait umm16:42
Adobemandebug under identity?16:42
Adobemanor ldap16:42
dstanekdebug keystone16:43
Adobemanok, under [DEFAULT].. I'm setting debug = true16:45
openstackgerritBoris Bobrov proposed openstack/keystone: Enable trusts for federated users  https://review.openstack.org/41554516:45
dstanekAdobeman: no i mean go into the code with a debugger to see what is happening exactly16:46
bretondstanek: i agree with your -2. Please raise it for the new patchset.16:46
knikollabreton: -2 stick with newer patchsets16:46
bretonknikolla: yep. And that is why i am asking to remove it :)16:46
Adobemandstanek: turning emulation off gives me this error  "You are not authorized for any projects or domains"16:46
dstanekAdobeman: or dramatically add more logging to get anything missing16:46
Adobemanactually I debug = true spit out a lot more crap..16:47
dstanekbreton: looking16:47
Adobemanwell, not crap. but data.. I'm seeing that error all over the places16:47
knikollabreton: right. python has made me associate the word 'raise' with bad things.16:47
dstanekbreton: it appears that group membership is ephemeral again in that patch. am i correct?16:49
bretondstanek: yes16:50
dstanekbreton: nice. lifting the -216:50
bretonhm, i think i broke it right before uploading.16:51
*** adrian_otto has joined #openstack-keystone16:52
dstanekbreton: k, then i'll wait before reviewing16:52
dstanekbreton: did you already have that change in the works or did you whip it up after my -2?16:53
*** lamt has joined #openstack-keystone16:53
*** jperry has quit IRC16:55
*** tesseract has quit IRC16:55
bretondstanek: already had in the works16:56
morganlbragstad: i was looking at default_project_id moving into options in the initial iteration16:56
morganlbragstad: but with things in 'options' key, not as easy16:56
dstanekmorgan: any reason to do that? seem like more trouble than it's worth16:57
morganlbragstad: we'd need to include a little magic for it. the big next steps are: filtering/indexing on options, and options settable by users (policy check on individual options)16:57
lbragstadmorgan was there an issue with default_project_id before?16:57
morgandstanek: if it wasn't in [options] it made sense16:57
*** spzala has quit IRC16:57
dstanekhttps://review.openstack.org/#/c/422234/3 could use a little review love :-)16:58
morgandstanek: because default_project_id really is a special user-option thing that never should have been in keystone. it was a short-cut that was leaned on and then we were stuck with it because people relied on the behavior16:58
morgandstanek: but as options are not top-level now... no reason16:58
morganto move default_project16:58
morganlbragstad: what did you mean by the question: "where is the option key handled"?16:59
dstanekmorgan: he was wondering if you were going to move it from extras to options17:00
morganah no.17:00
dstanekmorgan: then we're on the same page!17:00
*** spzala has joined #openstack-keystone17:01
*** MasterOfBugs has quit IRC17:01
*** pramodrj07 has quit IRC17:01
*** PramodJ has joined #openstack-keystone17:01
*** MasterOfBugs has joined #openstack-keystone17:01
lbragstadso default_project_id will not move17:01
*** tqtran has joined #openstack-keystone17:04
*** spzala has quit IRC17:05
morganlbragstad: at this point no.17:11
morganlbragstad: it doesn't make sense to (also default_project is a top-level column, which is why i considered moving it)17:11
lbragstadmorgan ok - i remember you saying something about default_project_id but I was having trouble making the connection this morning17:12
lbragstadmorgan but moving forward - all user meta things "like" default_project_id will be considered and implemented as options, right?17:12
openstackgerritKen Johnston proposed openstack/keystone: Readability enhancements to architecture doc  https://review.openstack.org/42237517:14
lbragstadegonzalez o/17:16
lbragstadegonzalez about http://lists.openstack.org/pipermail/openstack-dev/2017-January/111052.html - what was the process you followed again?17:17
egonzalezHi guys, i'm preparing zero-downtime upgrade method for kolla, at this moment i'm stuck with the following error "Field 'domain_id' doesn't have a default value"17:17
lbragstadcc knikolla rderose ^17:17
*** diazjf has joined #openstack-keystone17:17
egonzalezupgrade from Newton to master17:17
lbragstadegonzalez and you can confirm that each of the migration repositories are at the right version17:17
lbragstad(expand, migrate, contract)17:18
egonzalezprocess: stop first keystone service, -> then expand, migrate, contract -> restart service17:18
lbragstadegonzalez aha17:19
egonzalezlbragstad: how can I check migration repositories?17:19
lbragstadegonzalez http://cdn.pasteraw.com/tjcg94fuyoous7zrezcrvkqazxds86s17:19
dstanekegonzalez: you get that error during the migration step right?17:20
lbragstadegonzalez I want to document your process here - https://etherpad.openstack.org/p/keystone-newton-master-upgrade-issue17:20
dstanekor maybe during the contract?17:20
egonzalezhttp://paste.openstack.org/show/596620/17:20
egonzalezno error during upgrade, after upgrade cannot create users, but other commands work17:21
dstanekegonzalez: so that means that the new code isn't adding the domain_id. after contract are you still running old instances?17:22
lbragstadegonzalez so after you run the contract - do you have newton and master code running at the same time/17:22
lbragstadegonzalez before you run the contract - all code should be at master17:22
dstaneklbragstad: i hope not. after migration all the code much be updated before running contract17:22
openstackgerritRichard Avelar proposed openstack/keystone: WIP create_user  https://review.openstack.org/42579717:23
morganstevemar, lbragstad: we'll be gating (blocking) on v3-only in Pike right?17:24
morganvs. non-vote17:24
*** lamt has quit IRC17:27
egonzalezlbragstad: found the issue, sorry for making you lose your time. When replacing containers, by an error in my code the old container was restarted instead of replaced with the new17:27
lbragstadegonzalez ahh - that would do it17:27
lbragstadegonzalez no worries - does that make sense?17:27
dstanekegonzalez: glad it was something easy17:27
lbragstad(the switch update between --migrate and --contract?)17:28
*** lamt has joined #openstack-keystone17:28
egonzalezyep, makes sense, thanks17:28
lbragstadegonzalez awesome - let us know if you run into anything else.17:29
egonzalezi'll rework what I made, thanks a lot17:29
morganlbragstad: btw, we have 81,450,625 possible option_ids with only printable ascii characters per resource type, as each resource type will have its own options/registry17:29
morganlbragstad: i think that is enough variation17:29
morganlbragstad: a two-character string would have been 9025 options17:30
lbragstadmorgan was there a reason for only having it at 4 chars though?17:30
dstanekfamous last words17:30
morganlbragstad: about the same size as a stored int17:30
lbragstadmorgan database simplicity?17:30
lbragstadmorgan versus having a varchar64 column defined?17:30
morganlbragstad: usability for devs and db simplicity17:31
morgancould have gone int(32) but i like strings being more human readable17:31
*** kencjohnston has joined #openstack-keystone17:32
kencjohnstonI feel like I've asked this here before, but does Keystone natively support or plan to support 2FA/MFA authentication or is that functionality provided only by backends (AD/LDAP)?17:33
knikollamorgan ^^17:36
lbragstadkencjohnston yeah - morgan and andriant were working on implementing that in keystone17:39
lbragstadkencjohnston we were going to target it for ocata, but it was pushed to pike17:39
kencjohnstonlbragstad: Natively, but it works today when AD or LDAP enable it?17:39
lbragstadkencjohnston yeah - if you hook something up to keystone that does MFA you can get it today17:40
lbragstadkencjohnston what morgan was working on was specifically native support17:40
kencjohnstonlbragstad: Thanks!17:41
dstanekyou could also do a custom auth plugin if you wanted to17:41
lbragstadkencjohnston another option is using federation (in which case the identity provider you use could enforce MFA)17:41
*** egonzalez has left #openstack-keystone17:49
morganlbragstad: it will be rebased on the new options stuff very soon17:49
*** jose-phillips has joined #openstack-keystone17:49
morganlbragstad: and get the api support needed17:49
dstanekmorgan: what are we going to do about policy for editing those attributes? for now just let the {create,update}_entity policy handle it?17:54
morgandstanek: the MFA stuff is going to get its own API because validation requirements are higher17:55
morgandstanek: but most options (in Pike) will get a policy checker that we can handle via policy.json17:55
morganand i am thinking we open up .update_user to be more attribute aware17:55
morganvs strictly admin-only17:55
morgansimilar with most resource-types managed by keystone17:55
morgansmarter policy vs simple api level RBAC17:56
morgandstanek: it's why this was built with code-specific objects17:56
morganso the option object can have smarts on it17:57
morganalso in Pike options will provide (via a schema bit) smarts to dynamically build json schema validation in the options dict17:57
morganso i see each option adopting a .schema, that then is compiled into a .property that is pulled into schema.py and built for the resources under options17:58
dstanekmorgan: and for stuff getting in for this cycle the create/update policy will just apply right?17:58
morganyep17:58
morganexcept MFA if it lands, which will get its own api since it's auth-related17:59
morganyou can set it via update/create17:59
*** david-lyle has quit IRC17:59
morganbut it will get an end-user api like change_password17:59
* morgan is debating requiring when setting new rules each of the methods' "secret" value, so if setting a totp rule and you don't have one, you must specify the secret for the TOTP rule18:00
morganor ... an auth-secret (not the key)18:00
*** lamt has quit IRC18:02
*** diazjf has quit IRC18:08
*** spzala has joined #openstack-keystone18:15
*** spzala has quit IRC18:19
*** xek_ has joined #openstack-keystone18:22
*** xek has quit IRC18:22
*** stingaci has joined #openstack-keystone18:32
*** rcernin has joined #openstack-keystone18:32
stevemaro/18:35
*** v1k0d3n has quit IRC18:35
*** lamt has joined #openstack-keystone18:37
*** lamt has quit IRC18:37
*** mvk has joined #openstack-keystone18:42
*** lamt has joined #openstack-keystone18:43
*** v1k0d3n has joined #openstack-keystone18:43
ayoungSamYaple, OK, I think I am ready to try out your containers18:45
SamYapleayoung: ohboi ohboi ohboi18:46
ayoungSamYaple, which is the right repo again?18:46
SamYapleayoung: https://github.com/yaodu/docker-keystone/18:46
ayoungIts not yaodu18:47
ayoungah that is the top level name18:47
ayounggot it18:47
SamYaplereadme.md18:47
ayoungI was looking at https://github.com/SamYaple/yaodu18:47
SamYapleyea samyaple/yaodu is an old thing i have decommed not removed18:47
SamYapleayoung: and as an added fyi, you can apparently docker build pointed at a git repo. so that's what we recommend18:48
ayoung?18:48
SamYapleayoung: if you have plans to build these images with a patch or similar, you don't have to git clone github.com/yaodu/docker-keystone18:49
ayoungdocker build https://github.com/yaodu/docker-keystone.git   --file dockerfiles/Dockerfile-centos   --tag yaodu/keystone:latest18:49
SamYapleyea18:49
SamYaplei wasnt aware of that. but portdirect wrote the docs and showed me that18:50
SamYaplethought it was cool18:50
*** spzala has joined #openstack-keystone18:50
ayoungSamYaple, running now.  I need to kuberfy it after and get it to run with a MySQL server.  Any notes?18:51
SamYapleayoung: thats where my time has been recently. kubernetes and helm18:52
SamYaplethe container itself is fine (we have it working in openstack-helm), but the other logic... well we are working through it too18:52
*** spzala has quit IRC18:55
ayoungSamYaple, short of that, how do you suggest I run it?18:57
*** harlowja has quit IRC19:02
SamYapleayoung: bind in the appropriate apache.conf and /etc/keystone stuff. then launch with entrypoint+command "apache2 -DFOREGROUND"19:04
ayoungSamYaple, you don't have an example of that do you?19:04
SamYapleif you are using uwsgi, then uwsgi.conf and the uwsgi start command19:04
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/42550719:04
SamYapleayoung: in openstack-helm, yea. but it's not a docker run command there. no19:04
ayounglink?19:05
SamYaplehttps://github.com/att-comdev/openstack-helm/tree/master/keystone19:05
ayoungTY19:05
SamYapledocker run -d -t -v <host>:/etc/keystone/ -v <host>:/etc/apache2/sites-enabled/000-default.conf yaodu/keystone apache2 -DFOREGROUND19:06
*** spzala has joined #openstack-keystone19:06
SamYaplethat's how I've run it before (from memory)19:06
openstackgerritDavid Stanek proposed openstack/keystone: Adds tests showing how mapping locals are handled  https://review.openstack.org/41846019:06
SamYaplefor debian/ubuntu you need to source /etc/apache2/envvars. for uwsgi, just bind in the appropriate config and run the uwsgi command appropriately19:07
ayoungSamYaple, OK  so you -v in stuff from the local machine.  I'm not running Ubuntu so the apache2 stuff is all different19:07
ayoungOK19:07
SamYapleno virtualenv, we removed that until we can prove issues without it19:08
*** diazjf has joined #openstack-keystone19:15
*** browne has joined #openstack-keystone19:24
ayoungSamYaple, why do so many of the Docker Files put a shell script in place of just calling the executable?19:26
lbragstadmorgan rderose do https://review.openstack.org/#/c/424220/ and https://review.openstack.org/#/c/423909/ still need to get rebased on top of https://review.openstack.org/#/c/424334/ (or are we just waiting until https://review.openstack.org/#/c/424334/ merges)?19:27
rderoselbragstad: I don't believe the deprecation patches have to merge for ocata19:28
rderoselbragstad: but those patches do need to be rebased on top of the new 'options' patch19:29
morganlbragstad: i will be adding those as a rebase shortly19:29
morganbut they can wait to land. (deprecations) i'd like them to land in ocata19:29
lbragstadrderose morgan cool - just double checking19:29
morganbut i don't need them to19:30
lbragstadrderose morgan 2 cycle deprecation process for configuration options?19:30
SamYapleayoung: set up other permissions or otherwise make it more usable19:30
morganthat's the plan here19:30
morganfor sure19:31
lbragstadmorgan ok19:31
morganat least 2 cycles19:31
SamYapleayoung: rather than bake every config and permission and folder imaginable into the image, it's more like a binary where you need to set the configs up later19:31
ayoungSamYaple, OK...think I am going to use yours as a template, but run my own, using RPMs and hard coding in the HTTP setup19:31
ayoungSamYaple, I'll share when I get it working, and we can discuss further19:31
SamYapleok19:31
ayoungI need to figure out the k8s stuff19:31
ayoungSamYaple, I'm less worried about the rest, cuz I kind of think you have it figured out....19:32
SamYaplethe openstack-helm is not _my_ stuff. im working with those guys while i figure out k8s as well19:32
lbragstadmorgan rderose implementation question but when we add the ignore_password_lockout column, are we adding it to the local_user table or the options table?19:32
rderoselbragstad: options19:32
lbragstadok19:32
rderoselbragstad: it won't be a new column though19:33
lbragstadrderose I was reading your comment here https://review.openstack.org/#/c/424220/1/keystone/common/sql/expand_repo/versions/016_expand_lockout_ignore.py19:33
lbragstadrderose ah - right19:33
lbragstadrderose it will be added as a registered option19:33
rderoseright19:33
lbragstadthen the migration will go through and it can pull the existing user ids from config and persist them, right?19:33
rderoseyeah, exactly19:34
lbragstadaha19:34
lbragstadso if a deployment upgrades to ocata (if these deprecation patches land in ocata), and they are using the ignore_password_lockout stuff - they will automatically be using the options work - even if they haven't updated their configs to remove the deprecated configuration option19:35
rderoseyep19:36
rderosewell...19:36
*** adrian_otto has quit IRC19:36
lbragstadok - then we change the PCI implementation to always pull the information from options and it ignores the ignore_password_lockout list of ids?19:36
rderoselbragstad: I'll have to look at the patch again, but I think it will check both19:36
rderoselbragstad: until actually removed from the config19:37
ayoungmorgan, did I ever tell you that you were right about Signed requests and wrong to not push for it?19:37
* lbragstad is wondering what happens when the configuration list gets out of sync with the options 19:37
rderoselbragstad: deprecated in ocata, so they shouldn't be adding to it19:37
morganayoung: heh19:37
morganayoung: i tried.19:37
morganayoung: i got shot down over and over and over and over19:37
ayoungmorgan, I just couldn't see how to make it work for Horizon.  I can now.19:38
morgan:)19:38
morganwe could still do it...19:38
morgani have a backlog thing to split auth up somewhat... and we can control how ksm works....19:38
ayoung++19:38
ayoungBe a good summer internship project19:39
morganyah19:39
morganonce we split auth up19:39
morganthat is not a good internship thing19:39
morganit's gonna be a PITA19:39
morganthe signed requests bit, for sure :)19:39
openstackgerritRichard Avelar proposed openstack/keystone: WIP create_user  https://review.openstack.org/42579719:39
morganhttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/decouple-auth-from-api-version.html19:39
morganif we do that, it opens a lot of doors to make auth better19:40
lbragstadrderose is patch set 4 still waiting on some things here? https://review.openstack.org/#/c/425507/419:40
morganbecause i never want to change how auth works in v3 (fundamentally) due to ... well ick19:40
rderoselbragstad: it's pretty much ready, just working on adding schema validation19:41
morganayoung: anyway ;)19:41
lbragstadrderose cool - i'll pick up that review next19:41
rderoselbragstad: for some reason, I can't get our validation tests to fail :)19:41
morganayoung: i have had a few things i was "right about" long after the fact ;). and some thing we landed I was wrong about19:41
morganugh my coffee is ... cold19:42
lbragstadrderose uh oh19:42
stevemarmorgan: :(19:42
rderoselbragstad: http://paste.openstack.org/show/596642/19:42
morganrderose: heh19:42
rderoselbragstad: and this succeeds: http://paste.openstack.org/show/596643/19:42
morganrderose: hmm.19:43
stevemarrderose: morgan lbragstad we have 1 week left before rc is tagged19:43
morganuh19:43
morganrderose: don't you need to use the string value?19:43
morganor is parameter_type.boolean the same as saying.. "boolean"19:44
morganoh huh19:44
morganoptions type: 'object' ?19:44
morganas well needed?19:44
rderosemorgan: if I pass boolean to the option value, I think it casts correctly19:44
*** david-lyle has joined #openstack-keystone19:45
rderosemorgan: thinking I can enforce boolean at the API request19:45
rderosemorgan: not worry about string values19:45
morganwell you can enforce it on the save in the option atm19:45
morganwith a validator func. but i would rather it all be in schema19:45
rderosemorgan: would like to do both19:45
morgan++19:46
morgani'll work on some dynamic schema reference stuff next... but probably for pike19:46
morganthe options are limited enough for now to do each in schema.py19:46
morganoooh19:46
morgani wonder.19:46
* morgan checks something19:47
morgani wonder if json schema is doing bool('string')19:47
morganto validate.19:47
morgansince 'whatever' is infact "true" in python19:47
morganif you cast to bool19:48
rderosehmm... lbragstad? ^19:48
rderosedo you know19:48
*** MasterOfBugs has quit IRC19:49
*** PramodJ has quit IRC19:49
lbragstadrderose let me check - i know i've worked on those tests before19:52
*** stingaci has quit IRC19:56
stevemarmorgan: rderose are either of you working on the "Deprecate `ignore_password_*` conf option" patches?19:56
stevemarmorgan: i assume you are busy rebasing the MFA stuff?19:56
stevemarand rderose is still busy with PCI stuff?19:56
*** diazjf has quit IRC19:56
rderosestevemar: yeah, trying to finish up PCI19:57
rderosestevemar: I could help with deprecate stuff after19:57
*** markvoelker has quit IRC20:00
*** Guest33539 is now known as mgagne20:01
*** mgagne has quit IRC20:01
*** mgagne has joined #openstack-keystone20:01
morganstevemar: yeah i'm going to hit those shortly20:08
morganstevemar: was doing some other stuff that needed eyes immediately20:08
*** diazjf has joined #openstack-keystone20:09
*** harlowja has joined #openstack-keystone20:09
*** diazjf has quit IRC20:11
*** stingaci has joined #openstack-keystone20:11
lbragstadare we not having a keystone+horizon meeting today?20:11
dstanekmorgan: i hope it's not just booling20:14
rderoselbragstad: looks like I just needed to set the type as object: http://paste.openstack.org/show/596644/20:14
*** diazjf has joined #openstack-keystone20:14
rderosemorgan: 'True' fails: 'options/ignore_password_expiry': 'True' is not one of [True, False]20:14
rderosemorgan: so not casting20:14
ayoungSamYaple, why all the && instead of new RUN lines?20:15
SamYapleayoung: new docker directives (RUN ADD COPY ENV) create new layers20:15
ayoungSamYaple, isn't that a good thing?20:15
SamYaplenew layers don't "squash". so the image size bloats up up and up20:15
SamYapleno20:15
SamYapleit really isnt20:15
*** stingaci has quit IRC20:16
ayoungbut changed versions build faster, because they checksum, right?20:16
SamYaplewithout the && (which is the recommended way to do things by Docker) the image size would be ~700MB, not 80MB20:16
ayoungAh20:16
ayoungminor point...but worth mentioning.20:17
SamYaplethe docker build cache can be used. when it works properly if you dont use &&20:17
SamYaplebut the size and speed of build make it impractical to use RUN instead of &&20:17
SamYapleit's been an ongoing fight for many years in Docker in general20:17
dstanekmorgan: do you need any help rebasing any of that stuff?20:19
morgandstanek: nah, i can hack it, it's pretty easy stuff.20:22
morgandstanek: i just need to sit down and do it20:22
dstanek:-)20:26
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/42550720:30
stevemarlbragstad: i think both us and horizon are swamped with ocata-320:30
stevemarrderose: so question about the force reset20:31
rderoseyeah20:32
stevemarrderose: how's the workflow gonna look...20:33
*** pnavarro has quit IRC20:33
stevemarrderose: the config option is set to false by default, and all users are opted out of resetting password20:34
stevemari guess you will update users that you want to ignore, and then "flip the switch" (set the config option to true) in a maintenance window?20:34
rderoseyeah, exactly20:34
rderosemaintenance window because of the config change?20:35
dstanekrderose: yep20:35
rderosethen yeah20:35
dstanekrderose: is that still in wip or is it ready for review?20:37
rderoseready20:37
rderosedstanek: I think I want to reword the config option, but I may just do that in the doc patch20:37
rderosego for it20:37
dstanekrderose: perfect, on it20:38
openstackgerritDavid Stanek proposed openstack/keystone: Adds tests showing how mapping locals are handled  https://review.openstack.org/41846020:42
openstackgerritRichard Avelar proposed openstack/keystone: WIP create_user  https://review.openstack.org/42579720:43
*** diazjf has quit IRC20:43
rderosestevemar re: https://bugs.launchpad.net/keystone/+bug/129115720:45
openstackLaunchpad bug 1291157 in OpenStack Identity (keystone) "idp deletion should trigger token revocation" [Medium,Confirmed] - Assigned to Anthony Washington (anthony-washington)20:45
stevemarrderose: i have no idea about that one :D20:45
rderosestevemar: if the idp is deleted, the users would be deleted, so tokens would be invalid, right?20:45
rderose:)20:45
stevemarrderose: oh yeah, i guess rodrigods made that one invalid20:46
rodrigodsgood side effect :)20:46
rderose:)20:47
rodrigodsabout to submit around 10 patches to tempest20:48
rodrigodsi wish we had keystoners cores there :(20:48
stevemarrodrigods: yowza!20:49
rodrigodsstevemar, tests for reseller, implied roles and domain specific roles20:50
morgandstanek: almost done rebasing the change on mine and rderose's patches20:51
morgandstanek: you'll like how much smaller the change is (cc rderose )20:51
morganthe first one (password_expiry)20:51
dstanekmorgan: ++20:52
rderosestevemar rodrigods: it's still a bug (maybe) rodrigods patch cascades based on the protocol deletion; not idp (looking...)20:53
rodrigodsrderose, deletion of either idp or protocol should delete the user20:53
rodrigodsdue to the composite key20:53
rderoserodrigods: ah20:53
rderoserodrigods: just thought protocol could be used for several IdPs20:54
rderoserodrigods: but I see, it's a composite fk20:54
rderosegot it20:54
rodrigodsyeah20:54
morganhmmmmmmmm.20:56
*** gema has joined #openstack-keystone20:56
*** stingaci has joined #openstack-keystone20:58
Adobemansorry...21:00
Adobemanwent away...21:00
Adobemanhttp://pastebin.com/TDqb7qhu  <- logs from keystone..21:00
Adobemanlooks like I do not have a role..?21:00
AdobemanI don't know how I can modify roles when I can't even login to ostack21:01
Adobemanwith ldap turned on21:01
Adobemandisabling ldap (use sql) will allow me to login as admin21:01
*** raildo has quit IRC21:01
*** stingaci has quit IRC21:02
dstanekrderose: is your patch still allowing an authentication and now forcing a reset on first auth?21:02
Adobemanuser testuser has no access to _populate_roles21:03
rderoseyeah, it is21:03
rderoseas opposed to just setting it to expired for update and create21:03
morganooh found a bug in the resource options code.21:03
rderosemorgan: oh no21:03
morganrderose: ^ create isn't assigning the resource options21:03
morganbut update does.21:03
morgan*blink* i'll get it fixed.21:03
rderosemorgan: cool21:04
*** jperry has joined #openstack-keystone21:04
morgannot looking at the schema stuff atm21:04
morganrderose: was that the bug you were running into (the create one?)21:04
rderosemorgan: no21:04
morganthe schema bits21:04
morganthough21:04
*** spzala has quit IRC21:04
morgananything else ?21:04
Adobemananyone have any input?21:05
rderosemorgan: hmm... I'm only setting the value with update21:05
morganright i'm trying to do a test with create21:05
morganand it's failing21:05
dstanekAdobeman: have you found out why the user is disabled?21:06
*** diazjf has joined #openstack-keystone21:07
Adobemanit's not disabled21:07
AdobemanI don't know why keystone thinks it's disabled21:07
AdobemanI can use ldap+linux ssh and it's fine21:08
dstanekAdobeman: i think you need to dig in there and see why keystone thinks that21:08
Adobemanwell, disabled only shows up when I enable emulation...21:09
Adobemandisabling emulation just says I don't have access..21:09
dstanekAdobeman: the key is to figure out why so you'll know what needs to change21:10
morganrderose: oh... because you are bypassing identity_api.create_user *and* the sql driver create_user.21:12
morganand the logic is needed from sql driver to work21:12
morgani shall fix this21:12
rderosemorgan: bypassing? I'm creating the user and then calling identity_api.update_user21:12
rderoseto update the options21:13
rderoseit's using the sql driver21:13
lbragstadrderose you were having issues with these bits? https://review.openstack.org/#/c/425507/5/keystone/identity/schema.py,unified21:13
rderosemorgan: nevermind, i think i understand what you are saying21:14
rderoselbragstad: it's working now21:14
rderosemissed the "type": object21:14
lbragstadrderose patch set 5 is working?21:14
rderoseyeah21:14
lbragstadahhh - sure21:14
* lbragstad goes back to reviewing 21:14
*** stingaci has joined #openstack-keystone21:16
*** ravelar has quit IRC21:18
*** edmondsw_ has joined #openstack-keystone21:18
*** edmondsw_ has quit IRC21:18
morganrderose: hehe :)21:19
morganrderose: i think have this fixed.21:19
rderosemorgan: cool21:19
rderosemorgan: I'll rebase21:19
dstanekrderose: what are the chances of getting that patch to not allow a login with the admin generated password?21:20
morganrderose: my change goes on top of your PCI-DSS thing21:20
rderosemorgan: ah, okay21:20
rderosedstanek: would be an easy change21:20
*** stingaci has quit IRC21:20
rderoseso basically create user with expired password?21:20
morganyeah, i am fixing your test case21:20
morgansec21:21
dstaneki think the current behavior is unexpected21:21
morganhttps://www.irccloud.com/pastebin/4igiqvis/21:21
morganrderose: ^21:21
rderosedstanek: originally, first use should allow first auth21:21
morganinstead of calling the specific user-add logic in _create_user21:21
dstanekrderose: what do you mean?21:22
dstaneki've not seen anything do that before21:22
*** gema has quit IRC21:22
morganrderose: with self-service password change that doesn't require a token21:22
morganit would be possible to not need a real login (token)21:23
morganthe first time21:23
morganit could simply be "nope - change the password"21:23
rderosedstanek: my thought was you should be able to use the password at least once to change it21:23
morganyou already need the password to use self-service pw change21:23
morgansoooo21:23
dstanekrderose: like morgan said that's been fixed already21:23
rderosedstanek: but I see your point, especially now that this has been changed21:23
rderosewhere you don't need a token21:23
morganyep21:24
rderosedstanek: will change this in the next patch21:24
rderoseexpired on create and update21:24
dstanekthen you can do most of the work when setting the password21:24
*** Jack_V has quit IRC21:24
rderosedstanek: right and I'll save on having to do an extra db write21:24
rderosegive me a few21:25
rderoselbragstad: another PCI patch coming :)21:25
dstanekrderose: i had a few other comments in there too21:25
lbragstadrderose i'm still reviewing ps5 :)21:26
rderosedstanek: okay, I'll address it21:26
rderoselbragstad: okay, cool21:26
rderose*address them :)21:27
*** diazjf has quit IRC21:27
*** gema has joined #openstack-keystone21:29
*** adrian_otto has joined #openstack-keystone21:34
*** ravelar has joined #openstack-keystone21:38
*** spzala has joined #openstack-keystone21:40
*** spzala has quit IRC21:40
*** spzala has joined #openstack-keystone21:40
*** spzala has quit IRC21:40
*** spzala has joined #openstack-keystone21:41
morganrderose: going to wait for your next patch, but i think i'm ready to go on this21:43
morgani have a change for the identity.backends.resource_options that eliminates the list21:45
*** spzala has quit IRC21:45
*** spzala has joined #openstack-keystone21:45
morganthat i am adding after rderose's patch for PCI things21:45
morganlbragstad, dstanek: ^21:45
lbragstadmorgan cool21:46
*** catintheroof has quit IRC21:47
morgandstanek, lbragstad: let's let the use of _resource_option_mapper go through here. I'll add a followup that implements a .get_resource_option on the model21:48
morganso we can avoid exposing the resource_option_mapper and we can make the "access private member" issue less of an icky feeling21:49
morganrderose: ^21:49
morgani just don't want people setting the resource_option_mapper directly21:49
morganit could lead to weirdness21:49
morganand overwriting the options not intended21:49
*** richm has quit IRC  21:55
*** spzala has quit IRC  21:55
*** spzala has joined #openstack-keystone  21:56
<lbragstad> morgan ok  21:58
<rderose> morgan: sounds good  22:00
<rderose> morgan: one question  22:00
*** spzala has quit IRC  22:00
<morgan> sure?  22:01
*** diazjf has joined #openstack-keystone  22:01
<rderose> morgan: why is the resource_options_registry defined in the User model again?  22:01
<rderose> https://review.openstack.org/#/c/424334/8/keystone/identity/backends/sql_model.py  22:01
<rderose> seems strange  22:01
<rderose> morgan: if you have 1000 items in the registry, we'll load all 1000 for every user?  22:01
*** stingaci has joined #openstack-keystone  22:02
<morgan> the registry is a constant, it just has a name in the model so you don't have to import identity.backends.resource_options if you're just inspecting the model (circular dependency issues) with say keystone.common.resource_options  22:03
<rderose> morgan: well, I guess it's a copy of the registry for every user  22:03
<morgan> it isn't a copy  22:03
<morgan> it's a class-level attribute  22:03
<morgan> shared instance across all instances of User()  22:03
<morgan> just like the column definitions are shared (they use magic to load the data)  22:04
<morgan> but that is SQL-Alchemy  22:04
<morgan> but the value is class-level, as it is populated at import time  22:04
<morgan> erm, object  22:04
<morgan> not value.  22:04
<rderose> ah, gotcha  22:04
<rderose> okay, thx  22:04
<morgan> and each model will have its own registry  22:04
<morgan> since each model has its own options table  22:05
<rderose> each model?  22:05
<morgan> Group is going to have GroupOptions  22:05
<rderose> oh right, this could be used for other object types  22:05
<rderose> gotcha  22:05
<morgan> yep  22:05
<morgan> it's a generic template for making Group, Project, etc have resource options  22:06
*** stingaci has quit IRC  22:06
<rderose> okay, I get it now  22:07
<rderose> morgan: thanks  22:07
*** Jack_V has joined #openstack-keystone  22:07
<morgan> lbragstad: i lied, %r doesn't show type  22:07
<morgan> lbragstad: it does show things like strings in "" and Booleans not. etc  22:07
<morgan> and custom classes show as:  22:07
<morgan> '<__main__.Test object at 0x7f1039313190>'  22:08
<morgan> unless say you define __repr__ method  22:08
<morgan> huh. doe authenticate cache?  22:08
<morgan> does*  22:08
*** Jack_V has quit IRC  22:11
<lbragstad> morgan huh - interesting  22:12
*** ravelar has quit IRC  22:12
<lbragstad> I use %r all the time in debugging but i didn't know if it did, or didn't print the type  22:12
*** chris_hultin is now known as chris_hultin|AWA  22:12
*** diazjf has quit IRC  22:14
*** thorst_ has quit IRC  22:15
<morgan> hehe  22:20
<morgan> https://www.irccloud.com/pastebin/UhDJSr60/  22:21
<morgan> lbragstad: ^  22:21
*** diazjf has joined #openstack-keystone  22:22
<lbragstad> morgan huh - interesting  22:22
*** martinlopes has joined #openstack-keystone  22:22
*** MasterOfBugs has joined #openstack-keystone  22:23
*** edmondsw has quit IRC  22:29
<openstackgerrit> Morgan Fainberg proposed openstack/keystone: Cleanup for resource-specific options  https://review.openstack.org/425957  22:30
<morgan> rderose, lbragstad, dstanek: ^  22:30
<rderose> morgan: ack  22:30
<morgan> didn't run pep8 or tox on it  22:30
<morgan> but still.  22:30
<morgan> that is the change(s) I recommend.  22:31
*** pramodrj07 has joined #openstack-keystone  22:31
<morgan> rderose: and i am waiting for your re-spin of the PCI patch with the updates and i'll base my changes for deprecating the option(s) on that  22:32
<rderose> morgan: cool, almost done  22:32
*** adriant has joined #openstack-keystone  22:39
*** spotz is now known as spotz_zzz  22:41
*** spotz_zzz is now known as spotz  22:43
<rderose> dstanek: I just remembered why I didn't want to do it this way (expire password on create/update)  22:43
<rderose> dstanek: what about existing users?  22:44
<rderose> dstanek: this would mean that existing users wouldn't be required to change their passwords  22:44
<morgan> rderose: still check self_service  22:44
<rderose> morgan: during auth?  22:45
<rderose> so do both?  22:45
<morgan> also existing users shouldn't be required to change when the option is flipped, it is only for admin-set passwords  22:45
<morgan> really  22:45
<rderose> morgan: so only going forward  22:45
<morgan> yeah  22:45
<morgan> that would be how i do it  22:45
<rderose> stevemar: you'll really like this :)  22:45
<morgan> same as how like AD does it... you could offer an option in keystone conf "expire all pw before X"  22:45
<rderose> morgan: okay, cool  22:46
<morgan> or a DB value... somewhere  22:46
<morgan> but i'd add that not in this patch  22:46
<stevemar> rderose: oh? i'll like what?  22:46
<morgan> focus on core functionality "require a password change on admin password set"  22:46
<rderose> stevemar: changing PCI... to expire passwords at create/update user  22:46
<rderose> stevemar: so not at auth  22:47
<stevemar> rderose: ahhh  22:47
*** thorst_ has joined #openstack-keystone  22:47
<morgan> :)  22:47
<rderose> stevemar: this means existing users won't be affected  22:47
<rderose> stevemar: only going forward  22:47
<stevemar> rderose: if the admin resets your password, then you can't use APIs, you have to call the change password one  22:47
<rderose> yes  22:47
<stevemar> rderose: will we even need an option for that?  22:47
<stevemar> rderose: just mark the password as expired :)  22:48
<rderose> stevemar: regardless :)  22:48
<stevemar> if the PCI bits are enabled, then we look at the expired flag, otherwise, we don't right?  22:48
<stevemar> rderose: yay for less code  22:48
<rderose> stevemar: that's true, but you may want password to expire every 90 days, but not force users to change password at first user???  22:49
<rderose> hmm...  22:49
<lbragstad> i gotta hit the post office before they close - but i'll be on a bit later  22:49
<rderose> morgan: thoughts?  22:49
*** stingaci has joined #openstack-keystone  22:50
<morgan> rderose: we can add functionality to password setting down the line  22:50
<rderose> stevemar: nah, let's make it a setting, as it is a separate PCI rule  22:50
<morgan> rderose: but in 90% of the environments, it's here is your password, now go change it  22:50
<rderose> morgan: true  22:50
<morgan> focus on one feature at a time  22:50
<rderose> morgan: right  22:50
<rderose> :)  22:50
<morgan> this one is forced change after admin set  22:50
<morgan> if we want to expand options, we can  22:51
*** spzala has joined #openstack-keystone  22:51
<rderose> that's what happens when you let stevemar into the mix  22:51
<morgan> or people can not set this thing when they create users.  22:51
<morgan> then they can set this .... or whatever  22:51
<rderose> yep  22:51
*** thorst_ has quit IRC  22:51
<rderose> okay, back testing...  22:51
<rderose> *back to testing  22:51
*** spotz is now known as spotz_zzz  22:52
<stevemar> rderose: hehe, 3rd redesign is the charm right!?  22:53
<rderose> ha  22:53
<rderose> :)  22:53
<stevemar> rderose: i definitely like this one best  22:53
<rderose> yeah, I knew you'd say that :)  22:53
<stevemar> rderose: this is what i was getting at when i asked earlier about the flow  22:53
<stevemar> cause it still seemed weird to me  22:54
<stevemar> ah well, i'll leave you alone  22:54
<rderose> okay, flow is better now  22:54
<stevemar> i'll rebase the other ignore user id patches tonight  22:54
<rderose> will have the patch up soon  22:54
<rderose> cool  22:54
<stevemar> rderose: this also means we can achieve it without a maintenance window :D  22:54
<rderose> oh yeah!  22:54
*** stingaci has quit IRC  22:55
*** spzala has quit IRC  22:55
*** diazjf has quit IRC  22:56
<openstackgerrit> Gage Hugo proposed openstack/keystone: Address follow-up comments from previous patchset  https://review.openstack.org/425966  22:58
<gagehugo> lbragstad: ^ that is just fixing some of the comments you left from that change_password change. Sorry about the delay, it's been a busy week  23:01
*** phalmos has quit IRC  23:01
* morgan is happy to help contribute to the "make keystone better and require less headaches of maintenance windows".  23:05
<rderose> morgan: ++  23:05
* morgan also avoids endorsing "no downtime upgrades" that involve schema changes to the DB.  23:06
* morgan still feels that is a request nearing absurdity.  23:06
<rderose> :)  23:07
*** jperry has quit IRC  23:07
*** stingaci has joined #openstack-keystone  23:12
*** spilla has quit IRC  23:12
*** jaugustine has quit IRC  23:13
*** stingaci has quit IRC  23:17
*** spotz_zzz is now known as spotz  23:18
*** spzala has joined #openstack-keystone  23:24
*** stingaci has joined #openstack-keystone  23:28
*** spotz is now known as spotz_zzz  23:28
*** stingaci has quit IRC  23:33
*** chris_hultin|AWA is now known as chris_hultin  23:35
*** chris_hultin is now known as chris_hultin|AWA  23:36
*** martinlopes has quit IRC  23:38
*** martinlopes has joined #openstack-keystone  23:41
*** spzala has quit IRC  23:43
*** david-lyle has quit IRC  23:51
*** jaosorior has quit IRC  23:53
*** david-lyle has joined #openstack-keystone  23:54
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/425507  23:56
*** rcernin has quit IRC  23:56
*** rcernin has joined #openstack-keystone  23:57
*** rcernin has quit IRC  23:59