Tuesday, 2017-03-14

*** agrebennikov has quit IRC00:03
*** henrynash has quit IRC00:34
*** henrynash has joined #openstack-keystone00:35
*** browne has quit IRC00:37
adriantFrom memory, Keystone supports some sort of filtering on the API beyond the basic stuff. Is all of this documented somewhere?00:42
adriantWhat I'm hoping to do is call keystone project list with a filter like: "project_id in [...]"00:43
adriantbecause otherwise I have to do one API call be item in that list to project GET which is silly00:43
adriantcall per* item00:44
adriantI have a feeling this isn't supported, but I remember some spec somewhere for filters on some APIs so I thought I'd ask.00:44
*** henrynash has quit IRC00:45
*** Shunli has joined #openstack-keystone00:45
*** henrynash has joined #openstack-keystone00:46
*** rderose has quit IRC00:46
*** rdo_ has quit IRC00:49
*** henrynash has quit IRC00:56
*** edmondsw has joined #openstack-keystone00:56
*** rdo has joined #openstack-keystone00:57
*** jamielennox is now known as jamielennox|away00:58
notmorganadriant: the filtering is weird and only sortof really supported01:11
notmorganadriant: also note all the project data is available in the list call, so you could list and consume the data directly01:12
notmorganthe keystoneclient list, then get, is silly01:12
adriantyeah... but I'd prefer not to list ALL projects :P01:12
*** jamielennox|away is now known as jamielennox01:12
adriantI want to list, but filter for only the projects I care about01:13
notmorganproject_id in [...], asfaik wouldn't work even if filtering was well supported01:13
adriantwhy? That seems like a very normal list filter01:13
notmorganbecause we never implemented a filter like that01:13
notmorganthe filter is very very limited.01:14
adriantyeah, I can do list where name="..."01:14
adriantand such01:14
notmorganalso, it would have to be done in a URL-safe manner, which is wonky to represent short of01:14
notmorganit is a VERY limited filter.01:14
adriantyeah :(01:14
notmorganbut you can't do regexes really01:15
notmorgannor can you do a list of names01:15
adriantalthough I could avoid the need for this if I can get subtree_as_list to work01:15
adriantwhich for some reason it doesn't for me01:15
adriantam rebuilding my devstack to try again01:15
notmorgani have no idea if that ever worked. fwiw, i've never tested it01:15
notmorganand i don't know if we actually fully test it01:16
adriantsubtree_as_ids works01:16
notmorgansame comment ^01:16
adriantbut then.. I just have ids01:16
adriantugh, all these half baked features :P01:16
adriantI feel like I'm going to be throwing in a lot of bug reports at this rate01:16
*** browne has joined #openstack-keystone01:18
*** browne has quit IRC01:18
*** Shunli has quit IRC01:19
*** Shunli has joined #openstack-keystone01:20
adriantnotmorgan, although on url safe way to do filters is actually: ?'project_id__in=e9a2ff8c49824bee9406c2e31321cb86&project_id__in=556d8f4a9b654982b1d33068fe3653ea'01:22
adriantwait... no01:22
adriantugh that didn't format right01:22
openstackgerritAnthony Washington proposed openstack/oslo.policy master: Add additional param to policy.RuleDefault  https://review.openstack.org/43907001:23
adriantactually that would work in a way01:23
*** guoshan has joined #openstack-keystone01:28
adriantnotmorgan, ugh that's right.01:29
adriantyou can kind of do it if dump the filter in as a json string01:29
adriantwhich is a touch ugly01:29
adriantthat's how I got around the problem for something I was doing01:30
*** zhurong has joined #openstack-keystone01:32
*** namnh has joined #openstack-keystone01:37
*** tovin07 has joined #openstack-keystone01:42
notmorgani would say don't do that... at all.01:43
notmorganbut but then again i think our filtering is particularly bad01:44
notmorgansince it's very partially implemented01:44
*** liujiong has joined #openstack-keystone01:48
*** knangia has quit IRC01:51
*** davechen has quit IRC01:51
*** davechen has joined #openstack-keystone01:52
*** wangqun has joined #openstack-keystone02:09
adriantnotmorgan, yeah... I know. It's ugly, but in my case I wanted filtering which I could convert to django orm filters, and since no one in their right mind would touch the API url directly, encoding the json string was easy.02:27
adriantalthough i do believe django-rest-framework implemented some sort of filtering...02:28
adriantnotmorgan, that's not a terrible approach ^02:30
adriantI should really switch my service to use that filtering style02:30
*** zzzeek has quit IRC02:30
*** zzzeek has joined #openstack-keystone02:31
adriantor "example.com/users/?email__contains!=gmail"02:32
adriantugh, used the wrong channel02:44
adriantnotmorgan, yeah, subtree_as_list does not appear to actually work... :(02:44
*** prashkre has joined #openstack-keystone02:48
*** masber has quit IRC02:51
adriantnotmorgan, no... it's a feature: https://review.openstack.org/#/c/167231/02:51
*** masber has joined #openstack-keystone02:51
*** MasterOfBugs has quit IRC02:54
*** dnalezyty has quit IRC02:59
*** namnh_ has joined #openstack-keystone02:59
*** namnh has quit IRC03:03
*** namnh_ has quit IRC03:07
*** nicolasbock has quit IRC03:13
*** aojea has joined #openstack-keystone03:31
*** aojea has quit IRC03:35
*** wxy has quit IRC03:38
*** namnh has joined #openstack-keystone03:40
*** Dinesh_Bhor has joined #openstack-keystone03:55
*** zsli_ has joined #openstack-keystone03:56
*** edmondsw has quit IRC03:58
*** Shunli has quit IRC03:59
*** prashkre has quit IRC03:59
*** guoshan has quit IRC04:05
*** prashkre has joined #openstack-keystone04:08
*** zsli__ has joined #openstack-keystone04:15
*** zsli__ has quit IRC04:18
*** zsli_ has quit IRC04:18
*** zsli__ has joined #openstack-keystone04:18
*** prashkre has quit IRC04:29
*** zsli_ has joined #openstack-keystone04:34
*** links has joined #openstack-keystone04:35
*** zsli__ has quit IRC04:36
*** MasterOfBugs has joined #openstack-keystone04:47
*** edmondsw has joined #openstack-keystone04:53
*** zsli_ has quit IRC04:55
*** edmondsw has quit IRC04:57
*** knangia has joined #openstack-keystone04:59
*** zsli_ has joined #openstack-keystone05:00
*** zsli_ has quit IRC05:00
*** richm has quit IRC05:43
*** dikonoor has joined #openstack-keystone05:57
*** h5t4_ has quit IRC06:11
*** adriant has quit IRC06:11
*** david-lyle has quit IRC06:27
*** belmoreira has joined #openstack-keystone06:29
*** Shunli has joined #openstack-keystone06:34
*** aojea has joined #openstack-keystone06:38
*** edmondsw has joined #openstack-keystone06:41
*** gyee has joined #openstack-keystone06:45
*** edmondsw has quit IRC06:46
*** gyee has quit IRC06:46
*** zsli_ has joined #openstack-keystone06:49
*** gyee has joined #openstack-keystone06:49
*** gyee has quit IRC06:50
*** Shunli has quit IRC06:51
*** zsli_ has quit IRC06:59
*** zsli_ has joined #openstack-keystone06:59
*** zsli__ has joined #openstack-keystone07:01
*** zsli_ has quit IRC07:04
*** h5t4 has joined #openstack-keystone07:08
*** tesseract has joined #openstack-keystone07:20
*** knangia has quit IRC07:21
*** zsli__ has quit IRC07:33
*** MasterOfBugs has quit IRC07:48
*** pcaruana has joined #openstack-keystone07:50
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** h5t4 has quit IRC08:10
*** jaosorior has joined #openstack-keystone08:24
*** edmondsw has joined #openstack-keystone08:29
*** edmondsw has quit IRC08:34
*** guoshan has joined #openstack-keystone08:40
*** guoshan has quit IRC08:52
*** henrynash has joined #openstack-keystone09:04
*** Shunli has joined #openstack-keystone09:08
*** Shunli has quit IRC09:09
*** Shunli has joined #openstack-keystone09:09
*** guoshan has joined #openstack-keystone09:18
openstackgerritJose Castro Leon proposed openstack/keystone master: Skip multifactor when using LDAP identity backend  https://review.openstack.org/44494909:23
*** Shunli has quit IRC09:37
*** wangqun has quit IRC09:49
*** zhurong has quit IRC09:54
*** aojea has quit IRC10:00
*** nicolasbock has joined #openstack-keystone10:04
*** namnh has quit IRC10:09
*** richm has joined #openstack-keystone10:13
*** edmondsw has joined #openstack-keystone10:17
*** aojea has joined #openstack-keystone10:21
*** liujiong has quit IRC10:21
*** edmondsw has quit IRC10:22
*** aojea has quit IRC10:26
dr_gogeta86hi guys10:29
dr_gogeta86any saml master here ... again :-D10:29
*** Raildo has joined #openstack-keystone10:31
*** nicolasbock has quit IRC10:46
*** nicolasbock has joined #openstack-keystone10:48
*** henrynash has quit IRC11:07
*** Raildo is now known as raildo11:13
*** guoshan has quit IRC11:21
*** aasthad has quit IRC11:32
*** links has quit IRC11:36
*** namnh has joined #openstack-keystone11:38
*** namnh has quit IRC11:43
*** namnh has joined #openstack-keystone11:43
*** links has joined #openstack-keystone11:48
*** namnh has quit IRC11:52
*** dave-mccowan has joined #openstack-keystone12:00
*** yuval has joined #openstack-keystone12:04
*** yuval has quit IRC12:06
*** yuval has joined #openstack-keystone12:07
*** rvba` has quit IRC12:11
*** rvba has joined #openstack-keystone12:16
*** rvba has quit IRC12:17
*** rvba has joined #openstack-keystone12:17
*** edmondsw has joined #openstack-keystone12:22
*** edmondsw_ has joined #openstack-keystone12:26
*** edmondsw has quit IRC12:27
*** yuval has quit IRC12:31
*** yuval has joined #openstack-keystone12:31
*** aojea has joined #openstack-keystone12:45
*** links has quit IRC12:52
*** links has joined #openstack-keystone12:53
*** spilla has joined #openstack-keystone12:57
*** catintheroof has joined #openstack-keystone12:58
*** catintheroof has quit IRC12:59
*** catintheroof has joined #openstack-keystone12:59
rodrigodslbragstad, notmorgan, what we discussed yesterday: https://bugs.launchpad.net/keystone/+bug/167271313:02
openstackLaunchpad bug 1672713 in OpenStack Identity (keystone) "Dependency between subsystems at the DB layer" [Undecided,New]13:02
*** lamt has joined #openstack-keystone13:03
*** chlong has joined #openstack-keystone13:05
*** markvoelker has quit IRC13:11
*** lamt has quit IRC13:12
*** aojea has quit IRC13:15
*** markvoelker has joined #openstack-keystone13:16
*** josecastroleon has joined #openstack-keystone13:21
EmilienMis it required to restart keystone when doing fernet keys rotation?13:32
lbragstadEmilienM nope - keystone will read the keys from disk without needing a restart13:32
EmilienMthat's an excellent news13:32
*** henrynash has joined #openstack-keystone13:35
josecastroleonwe are getting a very nice exception while authenticating in keystone with LDAP backend13:36
openstackLaunchpad bug 1672425 in OpenStack Identity (keystone) "No 'options' attribute in user_ref when using LDAP identity backend" [Undecided,In progress] - Assigned to Jose Castro Leon (jose-castro-leon)13:37
lbragstadEmilienM this is the bit of code the keystone uses to decrypt and encrypt tokens - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L45-L6913:38
-openstackstatus- NOTICE: Gerrit is going to be restarted due to performance problems13:39
*** ChanServ changes topic to "Gerrit is going to be restarted due to performance problems"13:39
lbragstadEmilienM this is the line that makes sure we read new keys from the repository on every request https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L6313:39
EmilienMlbragstad: excellent13:39
EmilienMlbragstad: i'm currently writting a spec for TripleO, where we discuss about fernet key rotations, I'll let you know the link when it's pushed13:40
lbragstadEmilienM awesome - i'd be happy to review13:40
EmilienMlbragstad: thanks. And maybe move some workflow somewhere else, so others can re-use it13:40
*** catinthe_ has joined #openstack-keystone13:41
lbragstadEmilienM ++13:41
*** catintheroof has quit IRC13:41
lbragstadEmilienM that sounds like something the openstack-ansible folks might be interested in13:42
EmilienMlbragstad: yes13:42
*** knangia has joined #openstack-keystone13:44
*** catintheroof has joined #openstack-keystone13:45
-openstackstatus- NOTICE: Gerrit has been successfully restarted13:45
*** ChanServ changes topic to "Gerrit has been successfully restarted"13:45
*** catinthe_ has quit IRC13:45
*** ChanServ changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h"13:52
-openstackstatus- NOTICE: Gerrit has been successfully restarted13:52
openstackgerritRodrigo Duarte proposed openstack/keystone master: Drop federated_user table foreign keys  https://review.openstack.org/44550513:56
*** links has quit IRC13:57
*** jaugustine has joined #openstack-keystone14:01
*** agrebennikov has joined #openstack-keystone14:09
*** lucasxu has joined #openstack-keystone14:11
*** chris_hultin|AWA is now known as chris_hultin14:16
*** dave-mccowan has quit IRC14:36
*** lamt has joined #openstack-keystone14:37
*** edmondsw has joined #openstack-keystone14:40
*** dikonoor has quit IRC14:45
*** dave-mccowan has joined #openstack-keystone14:51
*** edmondsw has quit IRC14:53
jaosoriorhey folks, we're trying to deploy OpenStack with versionless endpoints, and this required some changes to how some services instantiate keystoneclient/keystoneauth. It turns out, some folks are having issues with discovery due to the way they set up keystone behind a loadbalancer that terminates SSL connections in their deployments. So, it comes back to the issue where getting the hrefs from14:57
jaosoriorkeystone's json home returns some URLs with http instead of https. Now, I know the recommended approach is to use the public_endpoint configuration option for older deployments, and to use oslo.middleware's http_proxy_to_wsgi in newer ones. However, I was wondering if it would be acceptable to work around this in keystoneclient.  It could remember the initial protocol specified in the auth_url,14:57
jaosoriorand try if the protocol given by the resulting href from the json-home fails. What do you think?14:57
jaosoriorrodrigods, lbragstad ^^14:57
*** henrynash has quit IRC15:00
*** henrynash has joined #openstack-keystone15:00
lbragstadnotmorgan didn't we have a bug similar to this opened after the resource options work? https://bugs.launchpad.net/keystone/+bug/167242515:01
openstackLaunchpad bug 1672425 in OpenStack Identity (keystone) "No 'options' attribute in user_ref when using LDAP identity backend" [Undecided,In progress] - Assigned to Jose Castro Leon (jose-castro-leon)15:01
rodrigodsjaosorior, good question :)15:03
* rodrigods doesn't have good knowledge about this15:03
*** lucasxu has quit IRC15:04
*** aasthad has joined #openstack-keystone15:06
*** brad[] has quit IRC15:07
*** jaugustine has quit IRC15:13
*** adrian_otto has joined #openstack-keystone15:15
*** jaugustine has joined #openstack-keystone15:15
*** lucasxu has joined #openstack-keystone15:17
*** brad[] has joined #openstack-keystone15:19
*** nishaYadav has joined #openstack-keystone15:21
*** nishaYadav is now known as Guest5836315:22
*** Guest58363 has quit IRC15:22
*** nishaYadav_ has joined #openstack-keystone15:22
nishaYadav_hey all o/15:23
openstackgerritLance Bragstad proposed openstack/keystone master: Add reno conventions to developer documentation  https://review.openstack.org/44495515:23
gagehugonishaYadav_ o/15:23
nishaYadav_gagehugo, hey!15:24
*** rderose has joined #openstack-keystone15:40
dr_gogeta86anyone configured saml with mod_auth_mellon ?15:49
cmurphydr_gogeta86: I have, I don't know if I'd be able to help but it's a good idea to ask your question and someone can probably help15:50
dr_gogeta86cmurphy, did you configured keystone as mapped or saml2  ?15:50
cmurphydr_gogeta86: use 'mapped'15:51
dr_gogeta86with wich idp ?15:52
cmurphyas long as you only have one idp, mapped should work for shibboleth or mellon or oidc15:53
*** markvoelker has quit IRC15:56
*** markvoelker has joined #openstack-keystone15:58
dr_gogeta86in future can I have many16:03
*** jaugustine has quit IRC16:03
cmurphythere is some weirdness with setting remote_id_attribute in keystone.conf if you have different types of idps https://docs.openstack.org/developer/keystone/federation/websso.html#keystone-changes16:11
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-keystoneclient master: Workaround for unmatching scheme in discovery  https://review.openstack.org/44555916:12
jaosoriorlbragstad, rodrigods: Here's a WIP patch regarding what I mentioned before: https://review.openstack.org/44555916:12
lbragstadjaosorior nice16:13
lbragstadcc jamielennox ^16:13
dr_gogeta86cmurphy, is possible to don't find mapped onto mitaka16:14
openstackgerritRon De Rose proposed openstack/keystone master: Policy in code (part 4)  https://review.openstack.org/43575516:15
bknudson_jaosorior: keystoneclient isn't using json-home as far as I know16:15
jaosoriorbknudson_: thought the root was json-home (not entirely compliant but yeah). And that's used by discovery. Unless I'm confusing concepts.16:16
jaosoriorbknudson_: either way, that doesn't change the fact that the hrefs returned have the wrong scheme16:16
jaosoriorbknudson_: in the case described in the commit message.... and in the long text I posted above.16:16
bknudson_you can override the URLs in the version responses using public_endpoint and admin_endpoint: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n1916:17
bknudson_also, there's this setting http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n93 (which is deprecated)16:18
jaosoriorbknudson_: so, we have that issue solved in our deployments. However, when someone uses somebody else's cloud, they can't really control how their provider configures keystone16:20
cmurphydr_gogeta86: I don't see mapped as an entrypoint for mitaka in http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg?h=stable/mitaka so it probably won't work16:20
dr_gogeta86so ?16:20
cmurphydr_gogeta86: so use 'saml2' as the name of the federation protocol16:21
jaosoriorbknudson_: this is what motivates that patch. To try to make user's life easier16:21
jaosoriorbknudson_: even though, yes, the deployer could address that as well.16:21
jaosoriorbknudson_: but basically this is a blocker for more folks to use discovery: "the version of the client without discovery worked... and starting to use discovery broke me"16:22
cmurphydr_gogeta86: I've got to go but there are lots of knowledeable people here so keep asking questions16:22
bknudson_jaosorior: the problem is we've put workarounds into the client libraries before and we get complaints because it's masking deployment problems.16:26
bknudson_see http://lists.openstack.org/pipermail/openstack-dev/2017-March/113210.html16:27
bknudson_actually, it was feb: http://lists.openstack.org/pipermail/openstack-dev/2017-February/112943.html16:27
jaosoriorI see16:28
jaosoriorbknudson_: so, this is currently blocking me from getting glance deployed over swift to use versionless endpoints... So, is this that nasty of a workaround that it should be blocked?16:29
bknudson_jaosorior: looks like what's blocking you is that keystone isn't configured correctly to work with the proxy.16:31
jaosoriorbknudson_: it's not just one case16:31
*** Dinesh_Bhor has quit IRC16:37
*** lucasxu has quit IRC16:38
lbragstadjust a reminder that due to DST the keystone meeting will be one hour later today16:39
*** belmoreira has quit IRC16:39
*** david-lyle has joined #openstack-keystone16:42
*** Dinesh_Bhor has joined #openstack-keystone16:48
*** henrynash has quit IRC16:50
*** adrian_otto has quit IRC16:52
*** d0ugal has quit IRC16:55
*** nishaYadav has joined #openstack-keystone17:00
*** nishaYadav_ has quit IRC17:02
*** david-lyle_ has joined #openstack-keystone17:13
*** david-lyle has quit IRC17:13
*** henrynash has joined #openstack-keystone17:14
*** henrynash has quit IRC17:20
notmorganlbragstad: QUICK CHANGE THE MEETING TO BE EARLIER! ;)17:27
EmilienMlbragstad: https://review.openstack.org/#/c/445592/117:29
*** nishaYadav has quit IRC17:33
jaosoriorstevemar: what do you think of https://review.openstack.org/#/c/445559/ ?17:33
EmilienMstevemar: hey sir, can you look ^ when you got time? :)17:34
*** agrebennikov has quit IRC17:35
*** luzC has joined #openstack-keystone17:37
*** jaosorior has quit IRC17:45
*** agrebennikov has joined #openstack-keystone17:47
*** tesseract has quit IRC17:49
lbragstadEmilienM awesome - i just saw your note17:52
EmilienMlbragstad: it's really a draft17:52
EmilienMbe nice with me17:52
*** lucasxu has joined #openstack-keystone17:52
*** browne has joined #openstack-keystone17:55
lbragstadEmilienM it's nice to at least have it documented somewhere - i think it's a smart effort17:57
*** agrebennikov has quit IRC17:57
*** agrebennikov has joined #openstack-keystone17:58
*** d0ugal has joined #openstack-keystone17:58
EmilienMlbragstad: and again, the idea is to find a solution that would work outside tripleo17:59
EmilienMlbragstad: wdyt about the etcd (or something else, like tooz) backend to store the fernet keys?17:59
EmilienMlbragstad: and keystone would directly find them17:59
EmilienMlbragstad: a bit like therve is doing with https://etherpad.openstack.org/p/oslo.config_etcd_backend18:00
*** henrynash has joined #openstack-keystone18:00
EmilienMkeystone could talk to etcd to get the keys and also have a periodic task that does rotation18:00
EmilienMit would be scalable and natively multi-node18:00
*** aojea has joined #openstack-keystone18:02
lbragstadping agrebennikov, amakarov, annakoppad, antwash, ayoung, bknudson, breton, browne, chrisplo, cmurphy, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nishaYadav, nkinder, notmorgan, portdirect raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, SamYaple, shaleh, spilla, srwilkers,18:02
lbragstad StefanPaetowJisc, stevemar, topol, shardy, ricolin18:02
lbragstadmeeting in keystone for those who are interested18:02
*** pcaruana has quit IRC18:03
*** d0ugal has quit IRC18:04
*** mgagne_ is now known as mgagne18:05
*** henrynash has quit IRC18:05
*** henrynash has joined #openstack-keystone18:07
*** henrynash has quit IRC18:13
*** henrynash has joined #openstack-keystone18:18
openstackgerritAnthony Washington proposed openstack/keystone master: Add policy sample generation  https://review.openstack.org/44334418:26
openstackgerritAnthony Washington proposed openstack/keystone master: Add policy sample generation  https://review.openstack.org/44334418:29
*** spotz is now known as spotz_zzz18:32
*** spotz_zzz is now known as spotz18:33
lbragstadrderose notmorgan o/19:00
notmorganif we are making application-specific-passwords, please don't make it work differently than passwords.19:01
notmorganit becomes a VERY confusing ux then19:01
rderosenotmorgan: okay, what do you mean by work differently?19:02
rderosenotmorgan: http://paste.openstack.org/show/602739/19:02
lbragstadi assume that means if we do api-keys don't make it so users have to exchange them for a token19:03
lbragstadbut i'll let notmorgan elaborate19:03
lbragstadbecause that was my WAG19:03
openstackgerritAnthony Washington proposed openstack/keystone master: Policy in code (part 4)  https://review.openstack.org/43575519:04
rderoseI think part of the use case was that typical users didn't have permissions to create users or trusts19:05
rderosebut had a need for something like access keys19:05
notmorganwhat lbragstad said19:08
notmorganif we create password, and app-password19:08
bknudson_what we need is to have openstack work like every other web application out there and accept access keys.19:08
notmorganas an example19:08
notmorganwhy should it result in different responses.. we already have trusts when you're doing password-like-operations19:09
notmorganbknudson_: ++19:09
*** henrynash has quit IRC19:09
openstackgerritRon De Rose proposed openstack/keystone master: Policy in code (part 2)  https://review.openstack.org/43575119:12
openstackgerritRon De Rose proposed openstack/keystone master: Policy in code  https://review.openstack.org/43560919:12
openstackgerritRon De Rose proposed openstack/keystone master: Policy in code (part 3)  https://review.openstack.org/43575419:12
openstackgerritRon De Rose proposed openstack/keystone master: Policy in code (part 4)  https://review.openstack.org/43575519:12
*** henrynash has joined #openstack-keystone19:13
*** henrynash has quit IRC19:13
*** henrynash has joined #openstack-keystone19:14
*** henrynash has quit IRC19:15
*** henrynash has joined #openstack-keystone19:16
*** henrynash has quit IRC19:20
*** raildo_ has joined #openstack-keystone19:23
lbragstadrderose whoa - nice!19:24
*** henrynash has joined #openstack-keystone19:25
rderoselbragstad: just trying help antwash fix the merge conflicts :)19:25
antwashrderose : conflicts re putting up a fight19:26
*** dave-mccowan has quit IRC19:26
*** raildo has quit IRC19:27
*** raildo_ has quit IRC19:27
*** raildo has joined #openstack-keystone19:28
*** raildo has quit IRC19:29
*** raildo has joined #openstack-keystone19:35
*** henrynash has quit IRC19:38
lbragstadbreton i'd be curious to hear what you think about https://review.openstack.org/#/c/445592/1/specs/pike/keystone_fernet_rotation.rst19:55
lbragstadcc EmilienM ^19:55
lbragstadEmilienM re: using etcd19:55
lbragstadEmilienM you started pinging on the use of etcd and we just started the keystone meeting (sorry for the delayed response)19:56
EmilienMno worries19:56
EmilienMnow we have TC meeting :D19:56
EmilienMin 4 min19:56
lbragstadEmilienM breton was looking into writing something that would allow pluggable backend for fernet keys19:56
lbragstadEmilienM ah - you're right19:56
EmilienMlbragstad: awesome, it would be cool to let keystone talk to etcd or another backend directly instead of file19:57
lbragstadEmilienM yeah - having that kind of flexibility would be nice (several people have asked for it, it just a matter of settling on the implementation )19:59
lbragstadEmilienM we had a spec for it - but we removed it from our backlog until we had a better direction - https://review.openstack.org/#/c/439194/20:00
EmilienMlike usual :D20:00
EmilienMok I'll read it20:00
lbragstadEmilienM there is a link to the meeting topic in the commit message20:00
* lbragstad heads to the TC meeting20:00
*** david-lyle_ is now known as david-lyle20:12
*** r-daneel has joined #openstack-keystone20:18
*** henrynash has joined #openstack-keystone20:29
*** henrynash has quit IRC20:33
openstackgerritAnthony Washington proposed openstack/oslo.policy master: Add additional param to policy.RuleDefault  https://review.openstack.org/43907020:39
bretonEmilienM: lbragstad: some folks told me that etcd is not secure enough for fernet keys20:40
EmilienMbreton: what isn't secure?20:40
EmilienMI mean20:40
EmilienMa file is secure? lol20:40
EmilienMIMHO a key/value store that support TLS & auth is much more secure than a file on a filesystem20:40
bretonEmilienM: they told there is now authentication and anybody can access it. File is protected by ssh :)20:41
EmilienMno auth?20:41
bretoni didn't check20:41
EmilienMthey probably run an old version20:41
bretonmaybe :)20:42
EmilienMetcd sounds secure to me and i've seen a lot of use cases in actual deployments, I would be surprised if it would not be secure20:42
EmilienMit's worth a try anyway20:42
*** MasterOfBugs has joined #openstack-keystone20:43
bretonthere is a chain of patches20:45
bretonbut neither author nor i can work on them any longer20:46
*** lucasxu has quit IRC21:04
openstackgerritGage Hugo proposed openstack/keystone-specs master: Add Project tags  https://review.openstack.org/43178521:04
*** lucasxu has joined #openstack-keystone21:05
*** raildo has quit IRC21:15
*** spilla has quit IRC21:26
*** catintheroof has quit IRC21:46
*** edmondsw_ has quit IRC21:52
*** edmondsw has joined #openstack-keystone21:55
*** edmondsw has quit IRC21:59
*** chris_hultin is now known as chris_hultin|AWA22:13
*** edmondsw has joined #openstack-keystone22:18
*** erhudy has quit IRC22:20
*** edmondsw has quit IRC22:22
*** lamt has quit IRC22:25
*** aojea has quit IRC22:41
*** aojea has joined #openstack-keystone22:42
*** aojea has quit IRC22:46
*** chris_hultin|AWA is now known as chris_hultin23:06
*** chris_hultin is now known as chris_hultin|AWA23:07
*** henrynash has joined #openstack-keystone23:21
*** henrynash has quit IRC23:26
*** henrynash has joined #openstack-keystone23:27
*** henrynash has quit IRC23:32
*** adriant has joined #openstack-keystone23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!