Wednesday, 2017-04-12

*** aojea has joined #openstack-keystone00:00
*** aojea has quit IRC00:05
*** lamt has quit IRC00:06
*** lamt has joined #openstack-keystone00:08
*** thorst has quit IRC00:09
*** lamt has quit IRC00:10
*** lamt has joined #openstack-keystone00:11
*** lamt has quit IRC00:11
*** shuyingya has joined #openstack-keystone00:29
*** shuyingya has quit IRC00:33
*** rajpatel is now known as rajpatel_away00:33
*** shuyingya has joined #openstack-keystone00:33
*** rajpatel_away has quit IRC00:34
*** thorst has joined #openstack-keystone00:35
*** shuyingya has quit IRC00:38
*** zhurong has joined #openstack-keystone00:40
*** thorst has quit IRC00:46
*** adriant has joined #openstack-keystone00:52
*** shuyingya has joined #openstack-keystone01:02
*** aojea has joined #openstack-keystone01:02
*** shuyingya has quit IRC01:03
*** shuyingya has joined #openstack-keystone01:03
*** aojea has quit IRC01:06
*** stradling has joined #openstack-keystone01:14
*** thorst has joined #openstack-keystone01:17
*** liujiong has joined #openstack-keystone01:18
*** lucasxu has joined #openstack-keystone01:24
*** thorst has quit IRC01:24
*** MasterOfBugs has quit IRC01:25
*** pramodrj07 has quit IRC01:25
openstackgerritD G Lee proposed openstack/keystonemiddleware master: Remove log translations
*** lucasxu has quit IRC01:38
*** lucasxu has joined #openstack-keystone01:39
*** rderose_ has quit IRC01:42
*** lucasxu has quit IRC01:46
*** lucasxu has joined #openstack-keystone01:46
*** aojea has joined #openstack-keystone02:03
*** stradling has quit IRC02:04
*** jamielennox is now known as jamielennox|away02:07
*** aojea has quit IRC02:07
*** thorst has joined #openstack-keystone02:21
*** lucasxu has quit IRC02:22
*** thorst has quit IRC02:41
*** chason has joined #openstack-keystone02:51
chasonHi, is there anybody knows the IRC channel of  "keystone-specs" ?02:51
*** chlong has joined #openstack-keystone03:03
*** chlong_ has joined #openstack-keystone03:03
*** nicolasbock has quit IRC03:03
*** aojea has joined #openstack-keystone03:03
*** aojea has quit IRC03:08
*** lamt has joined #openstack-keystone03:14
*** jamielennox|away is now known as jamielennox03:23
*** lamt has quit IRC03:43
*** lamt has joined #openstack-keystone03:56
*** dave-mccowan has joined #openstack-keystone03:57
*** rcernin has joined #openstack-keystone03:59
*** rcernin is now known as rcernin|wfh|mtg03:59
*** links has joined #openstack-keystone04:03
*** aojea has joined #openstack-keystone04:04
*** zhurong has quit IRC04:06
*** lamt has quit IRC04:08
*** aojea has quit IRC04:08
*** lamt has joined #openstack-keystone04:09
*** dave-mccowan has quit IRC04:16
*** dave-mccowan has joined #openstack-keystone04:17
*** lamt has quit IRC04:19
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements
*** zhurong has joined #openstack-keystone04:34
*** lucasxu has joined #openstack-keystone04:36
*** thorst has joined #openstack-keystone04:37
*** thorst has quit IRC04:42
*** lamt has joined #openstack-keystone04:43
chasonHi team,  I am fixing this bug :
openstackLaunchpad bug 1681950 in openstack-manuals "Broken links in federated identity docs" [Medium,Triaged] - Assigned to Chason (chen-xing)04:44
chasonThis link is dead now.04:45
chasonI find the content of this link here:
chasonBut there is no html page which is generated by this rst file..04:47
chasonI google the key words in this page and it just show me a txt file:
*** dave-mccowan has quit IRC04:50
chasonPlease tell me whether I miss something, thanks!04:51
*** lamt has quit IRC04:52
*** ravelar has quit IRC04:52
*** lamt has joined #openstack-keystone04:54
*** chlong_ has quit IRC05:03
*** chlong has quit IRC05:03
*** lamt has quit IRC05:08
*** rcernin|wfh|mtg has quit IRC05:11
*** jaosorior_away is now known as jaosorior05:13
*** rcernin has joined #openstack-keystone05:20
*** MasterOfBugs has joined #openstack-keystone05:32
*** pramodrj07 has joined #openstack-keystone05:32
*** thorst has joined #openstack-keystone05:39
*** lucasxu has quit IRC05:40
*** richm has quit IRC05:42
*** thorst has quit IRC05:43
*** lamt has joined #openstack-keystone05:49
*** lamt has quit IRC05:58
*** Aqsa has joined #openstack-keystone06:00
*** Dinesh_Bhor has quit IRC06:04
*** gyee has quit IRC06:08
*** browne has quit IRC06:11
*** voelzmo has joined #openstack-keystone06:23
*** voelzmo has quit IRC06:26
*** voelzmo has joined #openstack-keystone06:26
*** pcaruana has joined #openstack-keystone06:30
*** pramodrj07 has quit IRC06:32
*** MasterOfBugs has quit IRC06:32
*** Dinesh_Bhor has joined #openstack-keystone06:38
*** belmoreira has joined #openstack-keystone06:49
*** tesseract has joined #openstack-keystone06:49
*** jistr has quit IRC06:54
*** SamYaple has quit IRC06:55
*** SamYaple has joined #openstack-keystone06:55
*** jistr has joined #openstack-keystone06:56
*** rcernin has quit IRC06:59
*** aojea has joined #openstack-keystone07:02
*** d0ugal has joined #openstack-keystone07:03
*** d0ugal has quit IRC07:03
*** d0ugal has joined #openstack-keystone07:03
*** Aurelgad1o has quit IRC07:09
*** Aurelgadjo has joined #openstack-keystone07:14
*** adriant has quit IRC07:15
*** rcernin has joined #openstack-keystone07:16
*** aojea has quit IRC07:16
*** aojea has joined #openstack-keystone07:17
*** Aurelgadjo has quit IRC07:19
*** brad[] has joined #openstack-keystone07:24
*** aojea has quit IRC07:25
*** rcernin has quit IRC07:37
*** rcernin_ has joined #openstack-keystone07:37
*** rcernin_ has quit IRC07:38
*** rcernin_ has joined #openstack-keystone07:38
*** thorst has joined #openstack-keystone07:40
*** Aurelgadjo has joined #openstack-keystone07:42
*** thorst has quit IRC07:45
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** xuhaigang has quit IRC08:04
*** xuhaigang has joined #openstack-keystone08:18
*** links has quit IRC08:35
*** thorst has joined #openstack-keystone08:41
*** links has joined #openstack-keystone08:52
*** thorst has quit IRC09:00
*** links has quit IRC09:20
*** liujiong_lj has joined #openstack-keystone09:30
*** liujiong has quit IRC09:31
*** links has joined #openstack-keystone09:33
*** liujiong_lj is now known as liujiong09:34
*** thorst has joined #openstack-keystone09:57
*** thorst has quit IRC10:01
*** richm has joined #openstack-keystone10:12
*** shuyingya has quit IRC10:32
*** shuyingya has joined #openstack-keystone10:32
*** nicolasbock has joined #openstack-keystone10:33
*** xuhaigang has quit IRC10:38
*** xuhaigang has joined #openstack-keystone10:38
*** shuyingy_ has joined #openstack-keystone10:40
*** shuyingya has quit IRC10:44
*** liujiong has quit IRC10:56
*** davechen has quit IRC11:09
*** raildo has joined #openstack-keystone11:11
*** zhurong has quit IRC11:26
*** mvk has quit IRC11:31
*** thorst has joined #openstack-keystone11:41
*** chlong_ has joined #openstack-keystone11:52
*** chlong has joined #openstack-keystone11:52
*** chlong_ has quit IRC11:54
*** mvk has joined #openstack-keystone12:03
dstanekchason: this is the right place for that question12:03
*** Aqsa has quit IRC12:07
dstanekchason: i commented on the bug12:11
*** edmondsw has joined #openstack-keystone12:13
*** Aqsa has joined #openstack-keystone12:21
*** xuhaigang has quit IRC12:25
*** shuyingy_ has quit IRC12:26
*** shuyingya has joined #openstack-keystone12:27
*** shuyingy_ has joined #openstack-keystone12:30
*** shuyingya has quit IRC12:33
rodrigodsdstanek, hey, any new thoughts about ?12:35
*** markvoelker has joined #openstack-keystone12:37
dstanekrodrigods: just that we shouldn't be dropping foreign keys12:38
rodrigodsdstanek, heh did you send the email about this already?12:39
rodrigodscould not find it in my filters12:39
*** Tahvok has quit IRC12:39
*** shuyingy_ has quit IRC12:41
*** stradling has joined #openstack-keystone12:45
*** lamt has joined #openstack-keystone12:47
*** lamt has quit IRC12:48
*** dougshelley66 has left #openstack-keystone12:50
dstanekrodrigods: i started drafting one, but got busy. since my meeting this morning was cancelled i'll go ahead an finish now12:51
rodrigodsdstanek, i know the feeling12:51
rodrigodsdstanek, i only bother because we have a backport for it:
rodrigods(the version which doesn't drop the fks)12:52
rodrigodslbragstad, hey, i'm going to finally write some docs about our functional tests12:54
rodrigodslbragstad, is the correct place, right?12:55
*** rmascena has joined #openstack-keystone12:57
*** lamt has joined #openstack-keystone12:57
*** rmascena has quit IRC12:57
*** rmascena has joined #openstack-keystone12:58
dstanekrodrigods: that's probably a good place to start. we can always move them out later if it gets big enough\12:58
*** raildo has quit IRC12:59
rodrigodsdstanek, ++12:59
*** Tahvok has joined #openstack-keystone13:02
*** lamt has quit IRC13:07
*** aojea has joined #openstack-keystone13:12
*** Tahvok has quit IRC13:13
*** Tahvok has joined #openstack-keystone13:15
*** lamt has joined #openstack-keystone13:16
*** rocky_ has joined #openstack-keystone13:16
*** links has quit IRC13:17
*** erlon has joined #openstack-keystone13:22
dstanekrodrigods: samueldmq: commented on that review about .idea13:23
*** catintheroof has joined #openstack-keystone13:27
lbragstadrodrigods yeah - that'd be a good place for them, thanks :)13:28
*** markvoelker has quit IRC13:37
*** markvoelker has joined #openstack-keystone13:40
*** zhurong has joined #openstack-keystone13:47
*** lamt has quit IRC13:49
*** rajpatel has joined #openstack-keystone13:52
*** lamt has joined #openstack-keystone13:53
*** Tahvok has quit IRC13:54
*** Tahvok has joined #openstack-keystone13:56
*** shuyingya has joined #openstack-keystone13:56
*** Tahvok has quit IRC13:56
*** Tahvok has joined #openstack-keystone13:57
*** aojea has quit IRC13:58
*** zhurong_ has joined #openstack-keystone14:00
*** zhurong has quit IRC14:01
*** aojea has joined #openstack-keystone14:01
*** aojea has quit IRC14:01
*** rajpatel has quit IRC14:06
*** browne has joined #openstack-keystone14:08
*** browne has quit IRC14:08
*** lucasxu has joined #openstack-keystone14:10
*** richm has quit IRC14:11
*** rocky_ has quit IRC14:11
*** david-lyle has quit IRC14:15
*** aojea has joined #openstack-keystone14:16
*** aojea has quit IRC14:16
*** aojea has joined #openstack-keystone14:20
*** lamt has quit IRC14:21
*** aojea has quit IRC14:23
*** aojea has joined #openstack-keystone14:27
*** links has joined #openstack-keystone14:33
*** chris_hultin|AWA is now known as chris_hultin14:34
*** shuyingya has quit IRC14:34
*** shuyingya has joined #openstack-keystone14:34
*** links has quit IRC14:36
*** lamt has joined #openstack-keystone14:42
samueldmqgood morning keystone!14:43
samueldmqgagehugo: o/14:43
samueldmqdstanek: thanks sir!14:43
dstaneksamueldmq: np.... i'm glad you mentioned me on that review. i really dislike personal things in the ignore file14:45
*** rajpatel has joined #openstack-keystone14:46
*** chris_hultin is now known as chris_hultin|AWA14:47
samueldmqdstanek: nice, I was sure you would have a good view on that one! :)14:47
*** AmazT has joined #openstack-keystone14:49
*** rajpatel_ has joined #openstack-keystone14:49
*** rajpatel_ has quit IRC14:50
*** rajpatel_ has joined #openstack-keystone14:51
*** rajpatel has quit IRC14:52
*** rajpatel_ has quit IRC14:53
*** rajpatel has joined #openstack-keystone14:54
*** zhurong_ has quit IRC14:57
*** lucasxu has quit IRC14:57
*** dougshelley66 has joined #openstack-keystone14:58
* lbragstad was this -> <- close to sending out the pre-meeting ping for the policy meeting14:59
*** jaosorior is now known as jaosorior_away15:02
*** AmazT has quit IRC15:03
*** rcernin_ has quit IRC15:04
*** voelzmo has quit IRC15:05
*** agrebennikov has joined #openstack-keystone15:05
*** lucasxu has joined #openstack-keystone15:18
*** lamt has quit IRC15:20
*** shuyingya has quit IRC15:21
*** richm has joined #openstack-keystone15:23
*** lamt has joined #openstack-keystone15:27
dstanekrodrigods: email sent15:27
openstackgerritMerged openstack/keystone master: Updated from global requirements
*** d0ugal has quit IRC15:30
*** d0ugal has joined #openstack-keystone15:30
*** d0ugal has quit IRC15:30
*** d0ugal has joined #openstack-keystone15:30
*** d0ugal has quit IRC15:31
*** d0ugal has joined #openstack-keystone15:31
*** d0ugal has quit IRC15:31
*** d0ugal has joined #openstack-keystone15:31
*** belmoreira has quit IRC15:32
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Shift additional_user_agent in the stack
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Allow setting client name on the Session
mordredjamielennox, morgan, samueldmq: ^^15:33
samueldmqmordred: interesting.. shade uses the clients (python-*clients), so it should sit in between the app and client, which is the current behavior15:36
samueldmqmordred: am I missing anything ?15:37
mordredsamueldmq: shade is moving to using keystoneauth adapter directly15:37
mordredsamueldmq: so this is really in support of setting user agents properly for the places where we'r enot using python-*client15:37
mordredor, rather, I found the issue while adding support for that:)15:38
*** richm has quit IRC15:38
samueldmqmordred: hmm, isn't there another app that should be sitting in between app and client right now ?15:38
samueldmqmordred: I mean, couldn't this break anything ? if not I am happy to just change it so that it works properly for shade15:40
samueldmqmordred: I got it, thigns go to the app->additional_user_agent to then reach keystoneauth15:43
samueldmqI see your examples15:43
mordredsamueldmq: here's a patch: (that won't work yet, needs an OCC patch first) to plumb it through to shade15:48
samueldmqmordred: in it should be "shade/1.19.1 os-client-config/1.26.1 keystoneauth1/2.18.0"15:49
samueldmqrather than "os-client-config/1.26.1 shade/1.19.1 keystoneauth1/2.18.0" (with current code)15:49
*** rocky has joined #openstack-keystone15:50
mordredsamueldmq: yes- that's what I believe / how I understand the parameters15:51
samueldmqmordred: nice15:52
*** lamt has quit IRC15:53
*** rajpatel is now known as rajpatel_away15:55
*** tesseract has quit IRC15:58
*** rajpatel_away has quit IRC15:58
*** shuyingya has joined #openstack-keystone15:58
*** shuyingya has quit IRC16:03
*** rocky has quit IRC16:16
*** mvk has quit IRC16:18
*** lamt has joined #openstack-keystone16:27
*** rocky has joined #openstack-keystone16:31
*** richm has joined #openstack-keystone16:40
openstackgerritTin Lam proposed openstack/keystonemiddleware master: Replace pycrypto with cryptography
*** david-lyle has joined #openstack-keystone16:45
*** gyee has joined #openstack-keystone16:46
*** chris_hultin|AWA is now known as chris_hultin16:47
*** mpjetta has joined #openstack-keystone16:49
*** edtubill has joined #openstack-keystone16:55
*** edtubill has quit IRC16:56
ayoungjohnthetubaguy, what do you mean by "CLosed by default?"17:02
johnthetubaguyso any role in a project gives you access to something17:02
johnthetubaguylike you have role "foo" and you can boot instances in that project17:03
ayoungjohnthetubaguy, OK, I think we have common ground there17:03
ayoungjohnthetubaguy, I took that to mean something different.  Namely, I want it publicly avaialbe to figure out what role you need to perform an operation.  That is what I would mean by "Open By Default"17:04
ayoungso,  very different meaning17:04
johnthetubaguyoh, yeah, thats different17:04
lbragstadfwiw - we need to document and understand each problem like the one above ^ and then take our best guess as to the priority/severity of each17:04
edmondswI'm definitely on board with fixing "closed by default", but that's lower priority than solving the "admin let's me do things in other projects" problem17:04
ayoungSo one goal is to have and explicit role check for each operation instead of "any role"17:04
lbragstadedmondsw you have a pretty indepth/complicated set of roles17:05
lbragstadedmondsw i'd but very curious to get your opinion on
lbragstadayoung ++ I would think that is the solution to implementing "closed by default"17:06
lbragstador *a* solution17:06
edmondswlbragstad will try to look it over and get back to you... been extremely swamped lately17:06
ayounglbragstad, ok, so a bad solution there will lock us in to a specific role17:06
lbragstadedmondsw no worries - it was an attempt to try and define different roles in a hierarchy17:06
ayoungif we solve only that, we really have not solved anything17:06
johnthetubaguyedmondsw: ++17:07
lbragstadayoung my interpretation of that is having the project compare the role in the token to the role for the permission in policy17:07
ayoungwell,  we will have solved something, but at the expense of making real RBAC syuopport harder17:07
ayounglbragstad, BTW, beyond Trove, I think HA might be a very powerful use case to discuss.17:08
johnthetubaguyso operators are making lots of use of policy today, we stop them cutting their hands off so much17:08
johnthetubaguybut trove, et al, is the important longer term thing here17:09
ayoung"I have limited resources.  I need to make an application highly available. How do I set up an HA monitor process that can do only the minimum to keep my application running"17:09
johnthetubaguyayoung: maybe, thats one good use case to thinking about17:09
ayoungjohnthetubaguy, we you talking with anand about Trove?17:09
edmondswwhat's the trove issue here?17:10
johnthetubaguyso I want tove, heat, etc, to consume my regular user quota17:10
johnthetubaguybut I don't want to user to kill those instances either, ideally17:11
ayoungedmondsw, the Trove team wants to be able to keep a user from messing up the Hosts that Trove manages, but to be able to have quota come from the user17:11
lbragstadjohnthetubaguy so not giving a service all the rights you have to do a minimal job17:11
ayoungits an impossible problem with today's definition17:11
lbragstadjohnthetubaguy ayoung ah - never mind17:11
ayounglbragstad, there is that, too17:12
johnthetubaguyyeah, I think both things are up there17:12
edmondswayoung did you mean instances where you said hosts?17:12
johnthetubaguythere is an added fun on for magnum17:12
lbragstadso how does policy come into the quota bits for trove?17:12
ayoungAs I see it, the best solution, based on how trove wants to do it, is to transfer a portion of quota over to Trove, but that makes Quota into currency17:12
ayoungand, it falls down on network issues17:12
ayoungedmondsw, yes17:13
ayoungedmondsw, I meant VMs to be specific17:13
johnthetubaguyayoung: I currently like the idea of creating a project for trove, that is a child of the user's usual project, but I have gone through several ideas in my head, this is just the current one17:13
edmondswsounds like per-user policy17:13
edmondswand storing ownership info for vms17:14
edmondswtoday there's the userid that created it, but that's not sufficient because you can't pass ownership to someone else, or indicate that 3 people should own the same VM together17:14
edmondswI would love to see that fixed... totally apart from Trove17:14
johnthetubaguyedmondsw: permissions are per project, I feel we should try keep them that way, if we can17:15
johnthetubaguygetting a smooth experience there is tricky17:15
johnthetubaguythe simple ways all seem to fall apart :(17:15
ayoungjohnthetubaguy, OK, so, I walked through that with Anand17:15
edmondswjohnthetubaguy I probably mispoke... I don't mean you'd have different policy files per user or anything like that17:15
ayoungin order to do that, I would then need to be able to delegate some subset of my quote explicitly to that project17:16
ayounglets call it MTP for my-trove-project17:16
ayoungI then need to delegate to Trove, somehow, the ability to operator with in that project17:16
edmondswjohnthetubaguy but you might have a rule that checked something like "role:admin or <I am one of this resource's owners>"17:16
ayoungso, say I wave a majik wand:17:16
ayoungend state, trove has roles on the project, but I don't17:17
johnthetubaguyayoung: so hierarchical quotas, there are many ways to cut it, many ways, this just "works"17:17
*** lamt has quit IRC17:17
ayoungthen, I later, I want to reclaim it, but trove has since been decommisioned17:17
johnthetubaguyayoung: some models, its super hard17:17
edmondswI've never really bought the notion that "if you want to keep user A from messing with user B's vms then you have to put them in separate projects"17:17
ayoungI need to remove trove from the role assignements, and add myself back to them17:17
johnthetubaguyayoung: right, so if you allow all sub projects to consume all the parents resource, this kinda works17:17
johnthetubaguyayoung: yeah, that role assignment stuff is messy aftwarwards17:18
johnthetubaguyedmondsw: what about sub projects?17:18
ayoungedmondsw, you need some form of grouping, and explicitly assigning ownership to an individual does not scale well.  At least you need a way to reclaim resources from that individual17:18
edmondswjohnthetubaguy eh... maybe17:19
edmondswayoung totally agree that if you setup ownership you have to be able to change it, as I said above17:19
edmondswI think subprojects could work if we do it right17:19
johnthetubaguyedmondsw: +1, and thats one of those bit "ifs"17:21
johnthetubaguyoops, s/bit/big/17:21
edmondswI'm a couple hours past my normal lunch break... if we've stalled out, I'm gonna go eat :)17:23
lbragstadedmondsw sounds good17:23
lbragstadedmondsw ayoung johnthetubaguy this all sounds like things that we can work into goals on the etherpad, too17:24
johnthetubaguyedmondsw: food is good!17:24
johnthetubaguyyeah, I should get my dinner in a bit actually17:24
ayounglbragstad, TBH, while the trove use case does make things clear, I think actually trying to solve it might be too far.   If the end user maintains full control of the systems, but with an understand that if he messes with them, things get broke, I think that will be as far as we can reasonable get17:25
lbragstadayoung that's fine for now17:26
lbragstadayoung it seems like a problem we can work on eventually17:26
lbragstadbut just documenting the use case and the end goal/user experience might help us keep that in mind as we work on other goals17:26
dstanekayoung: right in line with discoverability it would be great to know all of the things that we must have17:31
ayoungdstanek, you mean a catalog of operations?17:40
lbragstadsamueldmq is there anything left that needs to go into python-keystoneclient for ?17:46
dstanekayoung: i mean just generally.... we have a list of problems and a list of solutions, but not really something that defines where we want to be... i don't even care about implementation yet... we all need to argue about what should be17:46
lbragstadsamueldmq I'd like to do a release of python-keystoneclient for pike17:46
dstaneklike...discovery is good and each solution needs to address it17:46
ayoungdstanek, If we define it in terms of Nova, we get a nova Specific solution.  If we define it in terms of Delegation, we get a general Delegation mechanism that applies to other services17:47
dstanekrodrigods: i just replied to you on the ML, but wanted to follow up here. does that backport review introduce a new bug?17:47
rodrigodsdstanek, not that i'm aware of17:48
ayoung"If I am not for myself, who will be for me? But if I am only for myself, who am I? If not now, when?" Ethics of the Fathers, 1:14. Hillel17:48
dstanekayoung: exactly. that's what i want to see an architecture that is mostly absent of openstacky things17:48
ayoungTotally using that in my presentation17:48
ayoungdstanek, The Army17:48
ayoungDelegation in the extreme17:49
lbragstadsamueldmq looks like is the only thing left for that?17:49
ayoungvoid of all openstack17:49
dstanekayoung: you'll notice that my diagrams used 'service', 'policy store' and other generic terms :-)17:49
rodrigodsdstanek, btw... i've put the reviews there just to illustrate the discussion - the details of the reviews themselves or if there is stuff missing in one of them, is not in the scope of my intents17:49
*** rajpatel has joined #openstack-keystone17:51
dstanekrodrigods: right. just wondering if there is a bug in that review17:52
openstackgerritayoung proposed openstack/keystone master: Route based RBAC Management Interface
rodrigodsdstanek, the WIP one has a bug, not sure where17:52
rodrigodsthe functional tests are failing17:52
*** AmazT has joined #openstack-keystone17:52
rodrigodsdidn't try to debug it17:52
dstanekrodrigods: what about the potential bug i mentioned?17:53
rodrigodsdstanek, the user_id FK is still there17:58
dstanekrodrigods: aren't you removing it?18:00
* dstanek checking the review again18:00
rodrigodsdstanek, no... only the idp_id and protocol_id + idp_id18:01
dstanekrodrigods: ah, so do we do checks there or is that already done?18:01
rodrigodsdstanek, the review adds the checks / collateral effects18:02
dstaneki was remembering the relationship in reverse18:02
dstanekredrobot: where?18:03
dstanekooops...not redrobot18:03
dstanekrodrigods: where?18:03
*** edtubill has joined #openstack-keystone18:04
rodrigodsdstanek, here: ? not sure if i understood your question18:04
dstanekrodrigods: what prevents an invalid idp_id?18:05
*** MasterOfBugs has joined #openstack-keystone18:06
*** pramodrj07 has joined #openstack-keystone18:06
*** pramodrj07 has quit IRC18:06
*** MasterOfBugs has quit IRC18:06
rodrigodsdstanek, ah, ok... the validation is done before we try to shadow the user18:06
*** MasterOfBugs has joined #openstack-keystone18:06
*** pramodrj07 has joined #openstack-keystone18:06
rodrigodssince we only create the fed_user entry after a successful authentication18:06
dstanekrodrigods: is that true? i though we were working toward creating a specified user through the APi so that an operator can preload.18:07
dstanekrodrigods: either way, that validation is one of the problems i have with not having FKs18:07
rodrigodsdstanek, right... this is not covering that... the code that does that didn't land yet18:08
dstanekrodrigods: keep that in mind if this goes through. we would have to ensure we are manually adding "FK" validation18:09
rodrigodsdstanek, yep... i believe the code itself that will add these APIs will need to have unit tests for invalid idp IDs18:10
*** rderose has joined #openstack-keystone18:11
dstanekrodrigods: only if this change goes through :-)18:13
*** lamt has joined #openstack-keystone18:14
lbragstadlamt for the pycrypto -> cryptography switch, does that involve a bounce of the service which drops the data in the cache?18:29
lamtlbragstad: no, the memcache server does not need to be bounce18:30
lamtlbragstad: going to test that later this week, but the switch should just be using cryptography instead of pycrypto to do the decryption18:31
*** ayoung has quit IRC18:31
lbragstadlamt will cryptography be able to decrypt things encrypted with pycrypto?18:31
lbragstadlamt or is that what you're going to validate?18:32
lamtlbragstad: there is no algorithm change18:32
lbragstadok - i didn't think so but wasn't 100% sure18:32
*** rderose has quit IRC18:32
lamtlbragstad I did that already, I added a pastebin18:32
lbragstadlamt aha - indeed you did18:32
lbragstadlamt lol - i like the example18:33
*** rderose has joined #openstack-keystone18:33
*** Aqsa has quit IRC18:34
*** amac has joined #openstack-keystone18:35
lamtlbragstad it took me a bit, since there was some padding I forgot to account for18:37
*** stradling has quit IRC18:38
lbragstadlamt the values of dec_crypto_with_pycrypto and dec_crypto_with_cryptography come back as empty strings for me?18:40
lamtlbragstad lemme check after this meeting18:41
lbragstadlamt this is what i have locally - which results in
lbragstadlamt ack - ping me whenever18:42
lamtlbragstad will do18:43
*** edtubill has quit IRC18:46
*** ravelar has joined #openstack-keystone18:52
*** rajpatel has quit IRC19:03
*** voelzmo has joined #openstack-keystone19:12
*** lucasxu has quit IRC19:18
*** lucasxu has joined #openstack-keystone19:20
*** lamt has quit IRC19:22
*** amac has quit IRC19:26
*** edmondsw_ has joined #openstack-keystone19:34
*** amac has joined #openstack-keystone19:37
*** edmondsw_ has quit IRC19:40
*** Aqsa has joined #openstack-keystone19:43
*** rderose has quit IRC19:45
*** rderose has joined #openstack-keystone19:46
*** lamt has joined #openstack-keystone19:53
*** lamt has quit IRC19:54
*** ravelar has quit IRC19:55
*** ravelar has joined #openstack-keystone19:56
*** lamt has joined #openstack-keystone20:03
*** ravelar has quit IRC20:07
*** jose-phillips has joined #openstack-keystone20:19
*** ayoung has joined #openstack-keystone20:26
*** AmazT has left #openstack-keystone20:33
*** voelzmo has quit IRC20:34
*** Aqsa has quit IRC20:37
*** rajpatel has joined #openstack-keystone20:56
*** thorst has quit IRC21:01
*** thorst has joined #openstack-keystone21:02
*** amac has quit IRC21:05
*** thorst has quit IRC21:06
*** lucasxu has quit IRC21:09
*** lucasxu has joined #openstack-keystone21:13
lamtlbragstad There are additional bytes in the pycrypto-encrypted ciphertext.  I will look to see why the ciphertext for cryptography is truncated at the end and get back to you.21:14
lbragstadlamt sounds good21:16
lbragstadlamt i guess the interesting part is that when you decrypt the cryptography ciphertext, it comes back as an empty string regardless of decrypting it with pycrypto or cryptography21:17
lamtlbragstad I think the algorithm used to decrypt should be the same regardless of the library used.  Whatever that was chopped at the end is causing it to decrypt to an empty string using either library.  I guess that's good (?) in a sense.21:21
lamtlbragstad it would be worse if they get decrypted to different things :)21:22
lbragstadlamt that's a good question :)21:22
lamtlbragstad the cyphertext for both seem to match at the beginning - I think it might be an error on my end to encrypt using cryptography.  I will poke around more.21:24
lbragstadlamt yeah - i noticed the same thing21:25
lbragstadlamt digging into the docs21:25
-openstackstatus- NOTICE: Restarting Gerrit for our weekly memory leak cleanup.21:25
lbragstadlamt > encryptor.finalize() is returning an empty string21:28
lamtlbragstad hmm lemme look21:28
*** lucasxu has quit IRC21:31
*** edmondsw has quit IRC21:33
*** edmondsw has joined #openstack-keystone21:34
*** edmondsw has quit IRC21:38
*** chris_hultin is now known as chris_hultin|AWA21:42
openstackgerritayoung proposed openstack/keystone master: Route based RBAC Management Interface
dstanek.b 2721:47
*** pcaruana has quit IRC21:51
*** mriedem has joined #openstack-keystone21:54
mriedemno bknudson?21:54
mriedemanyone know where rule:admin_api is defined for policy? nova uses it in the policy sample but i don't see it defined in nova, or keystone
mriedemoh nvm found it21:55
mriedem#"admin_api": "is_admin:True"21:55
mriedemit's a nova-ism21:55
lbragstadmriedem yep21:55
lbragstadmriedem also21:57
lbragstadmriedem policy.v3cloudsample.json isn't really used21:57
lbragstadmriedem that's technically just an example of a more evolved/opinionated policy that happens to take project and domains a little more seriously21:58
mriedemso what is?21:58
lbragstadmriedem we moved everything into code21:58
lbragstadmriedem similar to what nova did21:58
*** lamt has quit IRC21:59
mriedemmight be nice to generate a real sample22:00
mriedemis that in your docs somewhere?22:00
mriedemlike this?
lbragstadmriedem not yet - it literally just landed22:01
* lbragstad makes a reminder note to generate a sample and add it to the docs22:03
*** lamt has joined #openstack-keystone22:04
mriedemwhere is is_admin_project defined?22:04
mriedem ?22:05
mriedemor is that something you define when you create the project?22:05
mriedemso you can have the global admin, that passes any is_admin check, and a project admin, which is the is_admin_project=True flag?22:06
*** MasterOfBugs has quit IRC22:06
*** pramodrj07 has quit IRC22:06
lbragstadif you have the 'admin' role on the super-special is_admin project you get god-mode22:06
lbragstadwhich makes you admin across the deployment22:06
*** pramodrj07 has joined #openstack-keystone22:06
*** MasterOfBugs has joined #openstack-keystone22:06
lbragstadit's essentially a workaround for22:07
mriedemyeah what johnthetubaguy refers to global context in
lbragstadis_admin everywhere22:07
lbragstadmriedem yes - exactly22:07
mriedemso i want global god admin for my hosting admin, and project admin for my hosted tenant people in a hybrid cloud thingy22:07
lbragstadmriedem right22:07
mriedeme.g. the ibm guy at bluebox is god admin and the admin at acme is the project admin22:08
mriedemok cool22:08
mriedemlet's call him jimbob22:08
mriedemat acme co22:08
lbragstadmriedem not all service have adopted this though22:08
mriedemjimbob makes poor life choices22:08
*** edmondsw has joined #openstack-keystone22:10
*** rajpatel has quit IRC22:10
lbragstadyeah - so because jimbob is admin and makes poor life choices doesn't mean it has to result in foobar'ing your entire deployment because jimbob just deleted all projects in a domain he's not suppose to have access to22:10
lbragstador one of the other million dumb things that could happen22:10
lbragstadmriedem ayoung has a bunch of patches up somewhere to get that incorporated into the various projects22:12
*** edmondsw has quit IRC22:14
lbragstadmriedem but there are conversations to try and get better rbac support, which hopefully mean we don't have to keep that bandaid forever22:15
*** rmascena has quit IRC22:15
ayounglbragstad, is_admin_project stuff?22:16
lbragstadayoung yeah22:16
lbragstadayoung mriedem was asking about it22:17
ayounglets see...22:17
mriedemi'm just reading through and trying to understand all of the terms and concepts first22:17
mriedembefore i can possibly understand what johnthetubaguy is proposing to change22:17
ayoungmriedem, the nova patch is here:22:17
ayoungI think that one is actually ready to go22:18
mriedemnot if i dont understand anything about it, i wouldn't +2 it, that's why i'm here22:18
mriedembut i'm trying to get through johnthetubaguy's spec, which is why i'm here22:19
ayoungbut, you know how OpenStack reviews get...and I am not certain I willhave the time to chase it down again in a timely manner.  I don't have free reign on my time dedicated to Openstack anymore, and this is all borrowed time for me22:19
ayoungmriedem, which spec?  He has a few22:19
ayoungOK, so, sure22:20
ayoungbut if we do that, we should just kill policy22:20
mriedemmaybe you and johnthetubaguy should talk at some point then?22:20
ayoungwe talk regularly22:20
mriedemthe same language?22:20
ayounghe's awesome, he's just coming up to speed on stuff I've spent a couple years on22:21
ayoungand...Keystone has to solve RBAC for a far more than Nova22:21
ayoungBut, he is right;  scope check should not be configurable22:21
ayoungjust, that is not screwing things up right now as much as others22:22
ayoungand, everytime someone touches something like that, it makes me worried we are going to get even more committed to the things that are broken,22:22
ayoungmriedem, does that make sense?22:22
mriedemnot to me no, i don't have the background context22:22
ayoungI've done a lot to work around the broken aspects of RBAC as implemented today.22:23
ayoungmriedem, are you coming to the Boston Summit?22:23
mriedemi am22:23
mriedem is approved22:23
ayoungexcellent.  I am presenting on my approach there, and can also dedicate a lot of time to anyone interested in this stuff then22:23
mriedemso i assume some of this might be discussed during that?22:23
mriedemor you have some actual talk to give?22:24
ayoungmriedem, so, yes, we want to split Role check from scope check22:24
ayoungyes, I have an actual talk.22:24
mriedemlink me up22:24
mriedemyeah ok22:25
ayoungmriedem, we are going to do a video call next Wednesday during the Policy meeting.22:26
*** ianw is now known as ianw_pto22:26
ayoungThere are a lot of things to discuss, and a lot of people are looking for level setting22:26
mriedemgeh i wish i could add things to my schedule like the old days22:27
ayoungmriedem, at a minimum, please review  and you should get a sense of what I am pushing for here22:29
ayoungmriedem, haveto switch to dad mode here.22:29
lbragstadlamt it looks like the padding might be causing issues22:32
lbragstadlamt for example - here we're enc(data + pad)
*** ayoung has quit IRC22:34
lamtlbragstad yeah, am trying to see how to do the same with the cryptography enc with the same padding22:34
openstackgerritGage Hugo proposed openstack/keystonemiddleware master: Added "warning-is-error" sphinx check for docs
*** rajpatel has joined #openstack-keystone22:36
lbragstadlamt i ran your example by one of our crypto guys - here is a summary of our conversation
lbragstadlamt it was redrobot that pointed out the padding bits in both the pycrypto encrypt and decrypt functions22:39
lbragstadlamt i'm going to step away for a bit - but i'll probably check back in later22:42
lbragstadlamt we can pick this up tomorrow, too22:42
*** lamt has quit IRC22:47
*** catintheroof has quit IRC22:48
*** lamt has joined #openstack-keystone22:59
lamtlbragstad thanks, I need to step out for a bit too - I will read the paste and poke around later tonight, and I will follow up tomorrow.23:00
*** adriant has joined #openstack-keystone23:02
*** rderose has quit IRC23:04
*** lamt has quit IRC23:08
*** agrebennikov has quit IRC23:11
*** lamt has joined #openstack-keystone23:11
*** lamt has quit IRC23:12
*** lamt has joined #openstack-keystone23:13
*** lamt has quit IRC23:13
*** lamt has joined #openstack-keystone23:15
*** lamt has joined #openstack-keystone23:16
*** lamt has quit IRC23:17
*** raildo has joined #openstack-keystone23:18
*** thorst has joined #openstack-keystone23:20
*** thorst has quit IRC23:21
*** raildo has quit IRC23:27
*** raildo has joined #openstack-keystone23:27
*** erlon has quit IRC23:35
*** rajpatel has quit IRC23:41
*** stradling has joined #openstack-keystone23:43
*** raildo has quit IRC23:43
*** ayoung has joined #openstack-keystone23:43
*** agrebennikov has joined #openstack-keystone23:53
*** raildo has joined #openstack-keystone23:55
*** stradling has quit IRC23:57

Generated by 2.14.0 by Marius Gedminas - find it at!