Monday, 2017-06-12

*** piliman974 has quit IRC		00:10
*** thorst_afk has joined #openstack-keystone		00:19
*** thorst_afk has quit IRC		00:23
*** piliman974 has joined #openstack-keystone		00:32
*** gagehugo has quit IRC		01:00
*** chlong has quit IRC		01:04
*** edmondsw has joined #openstack-keystone		01:10
*** edmondsw has quit IRC		01:15
*** chlong has joined #openstack-keystone		01:19
*** thorst_afk has joined #openstack-keystone		01:20
*** thorst_afk has quit IRC		01:24
*** pnavarro has joined #openstack-keystone		01:24
*** dikonoo has joined #openstack-keystone		01:42
*** ducttape_ has quit IRC		01:50
*** ducttape_ has joined #openstack-keystone		01:51
*** ducttap__ has joined #openstack-keystone		01:52
*** ducttape_ has quit IRC		01:55
*** zhurong has joined #openstack-keystone		01:56
*** thorst_afk has joined #openstack-keystone		02:00
*** thorst_afk has quit IRC		02:00
*** Shunli has joined #openstack-keystone		02:01
*** piliman974 has quit IRC		02:05
*** ducttap__ has quit IRC		02:08
*** ducttape_ has joined #openstack-keystone		02:09
*** ducttape_ has quit IRC		02:13
*** piliman974 has joined #openstack-keystone		02:18
*** ducttape_ has joined #openstack-keystone		02:26
*** thorst_afk has joined #openstack-keystone		02:36
*** thorst_afk has quit IRC		02:36
*** ducttape_ has quit IRC		02:37
*** ducttape_ has joined #openstack-keystone		02:38
*** ducttape_ has quit IRC		02:42
*** edmondsw has joined #openstack-keystone		02:58
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Expose getting EndpointData on adapter and session https://review.openstack.org/469091	03:01
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add support for version ranges https://review.openstack.org/469090	03:01
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Support explicitly requesting the 'latest' version https://review.openstack.org/469089	03:01
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add flags to turn discovery on and off https://review.openstack.org/469088	03:01
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Plumb endpoint_override through get_endpoint_data https://review.openstack.org/469092	03:01
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Rename discover_versions to fetch_version_info https://review.openstack.org/470275	03:01
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Optimize matching version no microversion needed https://review.openstack.org/470274	03:02
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Rework EndpointData construction to normalize catalog first https://review.openstack.org/469085	03:02
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Move version discovery logic to keystoneauth1.discover https://review.openstack.org/469086	03:02
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add url manipulation and microversion collection https://review.openstack.org/469087	03:02
*** edmondsw has quit IRC		03:02
openstackgerrit	Merged openstack/oslo.policy master: Updated from global requirements https://review.openstack.org/473031	03:17
*** dikonoo has quit IRC		03:31
*** dikonoor has joined #openstack-keystone		03:31
*** piliman974 has quit IRC		03:32
*** thorst_afk has joined #openstack-keystone		03:37
*** gagehugo has joined #openstack-keystone		03:46
*** dave-mccowan has quit IRC		03:56
*** thorst_afk has quit IRC		03:56
*** Dinesh_Bhor has joined #openstack-keystone		04:10
*** namnh has joined #openstack-keystone		04:13
*** Dinesh_Bhor has quit IRC		04:24
*** Dinesh_Bhor has joined #openstack-keystone		04:25
*** zhurong has quit IRC		04:26
*** zhurong has joined #openstack-keystone		04:35
*** catintheroof has joined #openstack-keystone		04:36
*** pnavarro has quit IRC		04:39
*** catintheroof has quit IRC		04:42
*** zhurong has quit IRC		05:06
*** zhurong has joined #openstack-keystone		05:07
andreykurilin	morgan: I'm ok about complexity of password auth, but any way 5 seconds sounds very long for this operation	05:35
andreykurilin	morgan: `rally is not a great indicator in this regard and never has been`. any facts? or it is just words?	05:47
*** zsli_ has joined #openstack-keystone		05:49
*** Shunli has quit IRC		05:51
*** thorst_afk has joined #openstack-keystone		05:54
morgan	look at the delay in devstack and elsewhere, this is clearly not causing a 5-second delay on every single auth	05:56
morgan	rally has never been a good indicator on much of anything real world	05:56
morgan	the scenarios have been poor for keystone	05:56
morgan	and show contrived/limited data sets that do not mirror real world applications	05:57
morgan	my guess is your rally setup is binding up on other things.	05:57
morgan	you can tune the bcrypt and scrypt settings	05:58
morgan	i'm saying we are not reverting this without a look at rally and it's setup and/or may consider different default options	05:58
morgan	if it took 5 seconds to auth everyt time with that patch landed, no gate could pass	05:59
*** thorst_afk has quit IRC		05:59
*** tobberydberg has joined #openstack-keystone		06:10
*** mdnadeem has joined #openstack-keystone		06:18
*** rcernin has joined #openstack-keystone		06:19
*** liujiong has joined #openstack-keystone		06:21
*** edmondsw has joined #openstack-keystone		06:34
*** rcernin has quit IRC		06:36
*** edmondsw has quit IRC		06:39
*** rcernin has joined #openstack-keystone		06:40
openstackgerrit	Hemanth Nakkina proposed openstack/keystone master: Add functional test cases for v3-ext/OS-OAUTH1 https://review.openstack.org/473231	06:51
*** pcaruana has joined #openstack-keystone		06:52
*** thorst_afk has joined #openstack-keystone		06:55
*** thorst_afk has quit IRC		06:59
*** tesseract has joined #openstack-keystone		07:19
openstackgerrit	Hemanth Nakkina proposed openstack/keystone-tempest-plugin master: Add functional test cases for v3-ext/OS-OAUTH1 https://review.openstack.org/473245	07:27
andreykurilin	morgan: it is a poor devstack without custom settings. if default configs of keystone for devstack is not really good, it is not problem of rally. as for that scenario, it is quite simple, keystoneauth and keystonclient are used there. If it is possible to use them in the way that auth become so slow, again it is problem of user-interface of those libraries.	07:27
andreykurilin	let's do not discuss who is worse and try to find a solution to speed up password auth method	07:28
andreykurilin	morgan: `if it took 5 seconds to auth everyt time with that patch landed, no gate could pass`. Ok, please next time start your statement from asking more details about our scenarios. As I mentioned in the bug report, such bad timings we obtained while authenticating 20 concurrent users. It is not what your regular gates do. The min time is not so big - it is less that 1s (as it should be), the median 3.5-4s and the maximum 5.1s	07:32
openstackgerrit	Hemanth Nakkina proposed openstack/keystone-tempest-plugin master: Add functional test cases for v3-ext/OS-OAUTH1 https://review.openstack.org/473245	07:32
*** f13o has quit IRC		07:32
*** jpena\|off is now known as jpena		07:35
*** jpena has left #openstack-keystone		07:35
*** ducttape_ has joined #openstack-keystone		07:38
*** ducttape_ has quit IRC		07:43
openstackgerrit	zhengliuyang proposed openstack/keystonemiddleware master: Clean up code about hash algorithms https://review.openstack.org/473259	07:52
*** f13o has joined #openstack-keystone		07:54
*** thorst_afk has joined #openstack-keystone		07:56
*** tobberyd_ has joined #openstack-keystone		07:59
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** thorst_afk has quit IRC		08:00
*** tobberydberg has quit IRC		08:03
*** jaosorior has joined #openstack-keystone		08:16
*** edmondsw has joined #openstack-keystone		08:22
*** edmondsw has quit IRC		08:27
*** thorst_afk has joined #openstack-keystone		08:56
openstackgerrit	zhengliuyang proposed openstack/keystonemiddleware master: Clean up code about hash algorithms https://review.openstack.org/473259	09:03
*** thorst_afk has quit IRC		09:16
*** piliman974 has joined #openstack-keystone		09:18
*** nicolasbock has joined #openstack-keystone		09:24
*** tobberyd_ has quit IRC		09:24
*** tobberydberg has joined #openstack-keystone		09:24
*** tobberydberg has quit IRC		09:25
*** tobberydberg has joined #openstack-keystone		09:26
*** nicolasbock has quit IRC		09:28
*** zsli_ has quit IRC		09:36
*** mdnadeem has quit IRC		09:36
*** nicolasbock has joined #openstack-keystone		09:54
*** f13o has quit IRC		09:56
*** david-lyle has quit IRC		10:02
*** liujiong has quit IRC		10:03
*** edmondsw has joined #openstack-keystone		10:11
*** mvk has quit IRC		10:11
*** tobberydberg has quit IRC		10:11
*** tobberydberg has joined #openstack-keystone		10:11
*** zhurong has quit IRC		10:12
*** thorst_afk has joined #openstack-keystone		10:13
*** edmondsw has quit IRC		10:15
*** mariusv has quit IRC		10:16
*** piliman974 has quit IRC		10:16
*** thorst_afk has quit IRC		10:17
*** david-lyle has joined #openstack-keystone		10:24
*** piliman974 has joined #openstack-keystone		10:36
*** zhurong has joined #openstack-keystone		10:38
*** mvk has joined #openstack-keystone		10:39
*** Shunli has joined #openstack-keystone		10:43
*** Shunli has quit IRC		10:44
*** raildo has joined #openstack-keystone		11:02
*** nicolasbock_ has joined #openstack-keystone		11:06
*** nicolasbock_ has quit IRC		11:06
*** namnh has quit IRC		11:19
*** piliman974 has quit IRC		11:25
andreykurilin	morgan: btw, I think that it is not a good idea to put any mark at revert of your own patch ;)	11:32
*** aojea has joined #openstack-keystone		11:33
*** nicolasbock has quit IRC		11:35
*** nicolasbock has joined #openstack-keystone		11:36
*** ducttape_ has joined #openstack-keystone		11:39
*** thorst_afk has joined #openstack-keystone		11:43
*** ducttape_ has quit IRC		11:43
*** ducttape_ has joined #openstack-keystone		11:59
*** tobberydberg has quit IRC		12:04
*** tobberydberg has joined #openstack-keystone		12:05
openstackgerrit	zhengliuyang proposed openstack/keystonemiddleware master: Clean up code about hash algorithms https://review.openstack.org/473259	12:10
*** ducttape_ has quit IRC		12:11
*** ducttape_ has joined #openstack-keystone		12:11
*** ducttape_ has quit IRC		12:16
*** zhurong has quit IRC		12:16
*** catintheroof has joined #openstack-keystone		12:27
*** catintheroof has quit IRC		12:28
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Expose getting EndpointData on adapter and session https://review.openstack.org/469091	12:30
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add support for version ranges https://review.openstack.org/469090	12:30
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Support explicitly requesting the 'latest' version https://review.openstack.org/469089	12:31
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add flags to turn discovery on and off https://review.openstack.org/469088	12:31
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Plumb endpoint_override through get_endpoint_data https://review.openstack.org/469092	12:31
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Rename discover_versions to fetch_version_info https://review.openstack.org/470275	12:31
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Optimize matching version no microversion needed https://review.openstack.org/470274	12:31
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Move version discovery logic to keystoneauth1.discover https://review.openstack.org/469086	12:31
openstackgerrit	Monty Taylor proposed openstack/keystoneauth master: Add url manipulation and microversion collection https://review.openstack.org/469087	12:31
*** edmondsw has joined #openstack-keystone		12:38
*** dave-mccowan has joined #openstack-keystone		12:39
*** ducttape_ has joined #openstack-keystone		12:52
*** ducttape_ has quit IRC		12:57
*** dikonoo has joined #openstack-keystone		13:01
*** dikonoor has quit IRC		13:01
*** pnavarro has joined #openstack-keystone		13:07
*** ducttape_ has joined #openstack-keystone		13:08
*** ducttap__ has joined #openstack-keystone		13:10
*** ducttape_ has quit IRC		13:12
*** ducttap__ has quit IRC		13:16
*** aojea has quit IRC		13:22
*** ducttape_ has joined #openstack-keystone		13:25
*** lucasxu has joined #openstack-keystone		13:29
*** ducttape_ has quit IRC		13:31
*** ducttape_ has joined #openstack-keystone		13:33
*** ducttape_ has quit IRC		13:49
*** catintheroof has joined #openstack-keystone		13:52
*** ducttape_ has joined #openstack-keystone		13:57
*** ducttape_ has quit IRC		13:58
*** ducttape_ has joined #openstack-keystone		13:59
*** spzala has joined #openstack-keystone		13:59
*** ducttape_ has quit IRC		14:05
*** ma9_ has joined #openstack-keystone		14:18
ma9_	When trying to map users coming from SAML federation to Keystone, I would like to have a mapping which can map multiple groups (e.g. coming from the variable: MELLON_groups: 'firstgroup;secondgroup;thirdgroup') to multiple Keystone projects…. is there a way to do this?	14:21
*** ducttape_ has joined #openstack-keystone		14:21
ma9_	is it possible to split them on the ';' separator with a mapping rule?	14:21
*** dikonoo has quit IRC		14:23
lbragstad	ma9_: that's a good question, i think that specific mapping would be handled by mod_shib or mod_mellon	14:25
ma9_	I found this page, maybe it's documented here.. https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html I'll check it out	14:25
lbragstad	ma9_: I was just about to suggest that page	14:26
lbragstad	ma9_: i'm not sure there is a way to parse an attribute like that in keystone directly	14:26
lbragstad	ma9_: but the parsing and mapping of attributes from the actual SAML is done by either mod_shib or mod_mellon	14:26
lbragstad	ma9_: the mapping in keystone takes the things that were pulled out of the SAML assertion by mod_shib or mod_mellon and maps them to keystone (so there are two kinds of mappings really)	14:27
*** ducttape_ has quit IRC		14:28
ma9_	mm ok, what would be the ideal way to get a user mapped to multiple projects then (variable number)?	14:31
ma9_	do I need to create a variable for project or something like that?	14:31
*** pnavarro has quit IRC		14:31
lbragstad	ma9_: so you want a user to get a role assignment on a project if they have specific variables?	14:35
*** tobberyd_ has joined #openstack-keystone		14:35
lbragstad	it looks like all the projects you want to map to are in a single attribute	14:36
lbragstad	ma9_: we do support auto-provisioning, which sounds like that might help? https://docs.openstack.org/developer/keystone/federation/federated_identity.html#auto-provisioning	14:36
*** tobberydberg has quit IRC		14:38
*** tobberyd_ has quit IRC		14:40
*** jlvacation is now known as jlvillal		14:41
ma9_	the thing is that I want to map a user to more than one project…. I receive all the projects from SAML, at the moment they are listed in a single variable, separated by a semicolumn	14:44
ma9_	in that auto-provisioning section it seems like it-s possible to map users to more than one project, but only one project is derived from a SAML variable	14:44
ma9_	I would like to be able to get more than one from SAML	14:45
lbragstad	ma9_: right the federated auto provisioning stuff is new as of ocata	14:45
*** ducttape_ has joined #openstack-keystone		14:45
ma9_	yes.. I'm fine to do this on Ocata	14:45
lbragstad	ma9_: if there is a way to get mod_shib or mod_mellon to separate that specific attribute into multiple variables, then the auto-provisioning stuff might help	14:46
lbragstad	ma9_: otherwise, i don't think there is a way to support that in keystone directly	14:46
ma9_	ok.. but then again it would be a dynamic list of variables	14:46
ma9_	0 to many	14:46
lbragstad	ma9_: right	14:46
lbragstad	ma9_: that makes sense	14:47
*** phalmos has joined #openstack-keystone		14:47
lbragstad	ma9_: we do have some work proposed for keystone that hasn't landed yet, but it pulls more of the SAML logic into keystone	14:47
lbragstad	ma9_: so instead of having to setup a mapping for shibboleth or mellon and keystone, you'd specify a single mapping and keystone would handle the saml directly	14:48
lbragstad	and map it to projects/groups/etc...	14:48
ma9_	I see.. so I guess it's still a bit early for this	14:48
lbragstad	it's not supported today, but your use case sounds like it would be important for that feature	14:48
ma9_	in our setup we use Keycloak (RH-SSO) and we use it to fetch Users and Groups from LDAP+KRB (as Keystone does not work with passwords stored in KRB)	14:49
ma9_	so we would have liked to get full user + group mapping from LDAP to Keycloak to Keystone	14:49
lbragstad	since keystone would be the only thing dealing with the SAML, we could explore adding something that makes it handle a list of attributes with a delimiter	14:49
lbragstad	ma9_: oh - interesting	14:50
lbragstad	ma9_: we do have a few folks here who are familiar with keycloak	14:50
lbragstad	cc jdennis and hrybacki ^	14:50
ma9_	we managed to get the full list of users and groups into Keycloak… we got all users and 'primary groups' into keystone, but we are missing all the other groups	14:51
ma9_	which would need to come from that list inside of a variable ;)	14:51
lbragstad	ma9_: i see	14:51
lbragstad	ma9_: i'm not sure if they've attempted that specific use case, but it might be worth checking	14:52
ma9_	I'll check with them thanks!	14:53
lbragstad	ma9_: absolutely, if you end up coming up with a solution, we should document it	14:54
*** ducttape_ has quit IRC		15:03
*** ducttape_ has joined #openstack-keystone		15:04
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth master: Pass kwargs to the plugin getter https://review.openstack.org/473494	15:06
*** dklyle has joined #openstack-keystone		15:07
*** david-lyle has quit IRC		15:10
*** aselius has joined #openstack-keystone		15:11
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Cleanup colon usage in domain config docs https://review.openstack.org/473496	15:11
lbragstad	lamt: fixed ^	15:12
lamt	lbragstad :)	15:12
lbragstad	lamt: thanks for the review	15:13
lamt	lbragstad not a problem	15:13
*** aojea has joined #openstack-keystone		15:21
andreykurilin	stevemar: hi!	15:25
jdennis	lbragstad: helping ma9 now ...	15:25
ma9_	if others are interested, this should work for me: https://docs.openstack.org/developer/keystone/federation/federated_identity.html#mappings-examples	15:26
*** aloga has quit IRC		15:28
*** aloga has joined #openstack-keystone		15:29
*** aojea has quit IRC		15:30
*** pcaruana has quit IRC		15:31
lbragstad	jdennis: awesome - thank you!	15:39
lbragstad	ma9_: did you get it figured out?	15:39
*** tobberydberg has joined #openstack-keystone		15:43
ma9_	It seems the link has the necessary information, I need to read it with calm a little later	15:44
ma9_	I'll let you know if it works	15:45
*** rcernin has quit IRC		15:45
*** tobberydberg has quit IRC		15:47
*** dklyle has quit IRC		15:49
*** david-lyle has joined #openstack-keystone		15:49
knikolla	o/	15:51
*** raildo has quit IRC		15:52
*** aojea has joined #openstack-keystone		15:54
*** raildo has joined #openstack-keystone		15:54
lbragstad	ma9_: sounds good	15:59
ma9_	thanks to you all ;)	16:01
*** rderose has joined #openstack-keystone		16:04
*** gyee has joined #openstack-keystone		16:04
*** ma9_ has left #openstack-keystone		16:07
knikolla	lbragstad: regarding your changes adding HEAD support. I think updating api-ref in most of them is unnecessary.	16:10
knikolla	when they are checking the existence of a resource or relationship, like HEAD identity_providers/idp1 or /role/role1/implies/role2 they make sense. but doing head on identity_providers or default config isn't really checking anything and therefore of limited use	16:13
*** spzala has quit IRC		16:16
lbragstad	knikolla: what do you mean by checking?	16:23
*** sjain has joined #openstack-keystone		16:23
cmurphy	HEAD has specific meaning for checking the existence of certain objects or for checking relationships like HEAD /projects/{}/users/{}/roles/{}, but for list operations it's not "checking" anything, it'll return 200 whether there are 0 or 100 items in the list	16:27
lbragstad	it's specifically important for cache management	16:27
lbragstad	https://www.pragmaticapi.com/blog/2013/02/14/restful-patterns-for-the-head-verb/	16:27
*** sjain has quit IRC		16:27
cmurphy	++ for making HEAD work for that reason, it just doesn't need to be explicitly documented	16:28
*** sjain has joined #openstack-keystone		16:30
morgan	cmurphy: ++ yay	16:33
morgan	HEAD shouldn't need to ever be explicitly documented.	16:33
morgan	it should just work, identically to any GET op	16:33
morgan	though for lists... unless we support etag data, could be short circuted	16:34
*** charz has quit IRC		16:34
lbragstad	ok - we should go through the existing documentation then and make sure we're consistent with HEAD across the board	16:35
lbragstad	some APIs reference it and some don't	16:35
morgan	lbragstad: yeah, we could support etags which case HEAD on a list is interesting	16:35
lbragstad	s/reference/document/	16:35
morgan	but otherwise, shrug	16:35
cmurphy	lbragstad: the APIs that reference it are the ones that give special meaning to it, like role checking	16:35
cmurphy	i think it's otherwise consistent	16:36
*** charz has joined #openstack-keystone		16:36
morgan	cmurphy: fair, we could just revamp that to make GETs the canonical operation and HEAD being notated in all GETs as "working as expected with HTTP"	16:36
morgan	provided we have GETs for everything	16:37
lbragstad	so - we have HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	16:38
lbragstad	but GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} isn't documented	16:38
lbragstad	?	16:38
cmurphy	i guess that always made sense to me because the only value that's important is the 200 or 404, there's no reasonable body to return	16:40
lbragstad	sure	16:40
lbragstad	https://github.com/openstack/keystone/blob/c528539879e824b8e6d5654292a85ccbee6dcf89/keystone/assignment/routers.py#L112	16:40
lbragstad	i guess the part i'm stumbling over is the consistency in the docs then?	16:40
lbragstad	get support GET and HEAD for /v3/projects/{project_id}/users/{user_id}/roles/{role_id}	16:41
lbragstad	but we don't document HEAD	16:41
lbragstad	in other APIs we support GET and HEAD but only document GET	16:41
lbragstad	and assume HEAD to be implied?	16:41
lbragstad	just want to make sure I'm on the same page as everyone	16:42
cmurphy	HEAD looks documented here https://developer.openstack.org/api-ref/identity/v3/index.html#check-whether-user-has-role-assignment-on-project	16:42
lbragstad	cmurphy: yep - do we document GET for that API?	16:43
lbragstad	GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} that is?	16:43
cmurphy	no we don't	16:43
lbragstad	ok	16:43
lbragstad	should we be?	16:43
morgan	yes	16:44
morgan	we should	16:44
morgan	GET may not return anything else interesting	16:44
morgan	we might need to impl a get?	16:44
morgan	but GET should be the default (imo)	16:44
lbragstad	morgan: we seem to through get_head_action	16:44
morgan	HEAD should be implemented for all GETs.	16:44
morgan	yeah	16:44
morgan	i think we do	16:44
morgan	but just confirm.	16:44
cmurphy	i'd be fine with documenting get instead of head	16:44
morgan	before we adjust documents ;)	16:45
cmurphy	just rationalizing why it always made sense to me so far	16:45
morgan	cmurphy: i think it's more consistent to always document GET.	16:45
morgan	even if it returns no data besides a 200 OK	16:45
cmurphy	morgan: sure, seems reasonable to me	16:45
morgan	or a 204, or whatever 2XX it returns today w/ the HEAD	16:45
lbragstad	cool	16:46
lbragstad	so what if we go through, document all GET and have a blanket statement that says all GET APIs support HEAD, too?	16:46
morgan	that would be perfect	16:47
morgan	imo	16:47
*** spilla has joined #openstack-keystone		16:47
cmurphy	++	16:47
lbragstad	sweet!	16:47
lbragstad	i will update my patches then	16:47
lbragstad	knikolla: cmurphy morgan thanks for the help :)	16:47
cmurphy	o7	16:48
lbragstad	does it bother anyone else when you have two of the exact same monitors but there is something different between the two that causes font to render ever-so-slightly different?!	16:51
cmurphy	i use linux, i'm just feeling lucky i got it to stop mirroring :P	16:53
lbragstad	lol	16:53
lbragstad	i'm surprised that worked for me out of the box with fedora 25	16:54
*** sjain has quit IRC		17:02
*** morgan is now known as mordgan		17:03
*** mordgan is now known as morgan		17:03
*** piliman974 has joined #openstack-keystone		17:08
*** mvk has quit IRC		17:09
*** jose-phillips has quit IRC		17:12
knikolla	lbragstad: :)	17:12
samueldmq	lbragstad: that question... I am using 2 of the same monitors in the last 2 weeks	17:15
samueldmq	and now I am looking carefully to see if I can find differences :(	17:16
*** jose-phillips has joined #openstack-keystone		17:18
*** lucasxu has quit IRC		17:24
*** aojea has quit IRC		17:33
*** jaosorior is now known as jaosorior_away		17:41
*** tesseract has quit IRC		17:54
*** spzala has joined #openstack-keystone		17:55
*** lucasxu has joined #openstack-keystone		18:08
morgan	lbragstad: i have that problem	18:13
morgan	lbragstad: you know what it is for me... 2 different graphics card	18:13
morgan	lbragstad: a gtx 1080 and the integrated one.	18:13
lbragstad	morgan: really?!	18:13
morgan	the integrated one causes a different brightness	18:13
lbragstad	ah - interesting	18:14
morgan	other issue is not using the same cables	18:14
morgan	if you use HDMI for one and displayport for the other	18:14
morgan	you need to calibrate them individually	18:14
morgan	if it is all 100% the same	18:14
morgan	(1 video card, same port types, etc)	18:14
morgan	then it could be minor differences in the panel	18:14
lbragstad	yeah	18:14
morgan	some monitor companies source panels from different vendors	18:14
lbragstad	I'd believe that	18:15
morgan	it's why i try and buy monitors from folks who make their own panels (aka not Sony, not Apple)	18:15
morgan	breton: it isn't about offending someone in that patchset to revert. I am 100% open to tuning defaults (though lets be careful not to make it insecure). Auth by nature must be relatively slow if your hashes are meant to be secure.	18:16
morgan	breton: we need to help people re-use tokens and maybe tune devstack (it is lower powered) differently. However, the real-world impact here is "we can have insecure password hashes, that are easy to break" or we can have slower auth. For a system that is trying to be more secure, we have to err to the latter	18:17
morgan	we allow people to tune their deployments, and in this case, really it is about tuning the deployments. Devstack does not have a lot of processes, so it will be slower.	18:18
*** spzala has quit IRC		18:18
morgan	this is also why rally is a very poor mechanism for evaluating keystone. Some things we do are, frankly, by design CPU and Ram intensive. it cannot be evaluated against a devstack easily nor in a way that represents a real deployment	18:19
morgan	this is the trade off on security.	18:20
morgan	lbragstad: ^ cc	18:21
lbragstad	reading	18:21
morgan	we should default to more secure password hashes. if speed is really a serious concern, there are ways to speed up (and make hashes less secure).	18:22
lbragstad	looking at the original bug reports - we should support alternative password hash mechanisms	18:23
morgan	we do.	18:23
lbragstad	https://bugs.launchpad.net/keystone/+bug/1668503 and https://bugs.launchpad.net/keystone/+bug/1543048	18:23
openstack	Launchpad bug 1668503 in OpenStack Security Advisory "sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing" [Undecided,Incomplete]	18:23
morgan	we support bcrypt, scrypt, AND pbkdf2 now	18:23
openstack	Launchpad bug 1543048 in OpenStack Identity (keystone) "support alternative password hashing in keystone" [High,Fix released] - Assigned to Morgan Fainberg (mdrnstm)	18:23
morgan	we no longer support sha512_Crypt	18:23
lbragstad	i think the importance of doing so is well described there, too	18:23
morgan	as that is considered relatively insecure	18:23
morgan	bcrypt is considered industry standard	18:23
lbragstad	then that's what we should be doing by default - which i think we are	18:24
morgan	but pbkdf2 is "ok". it however is much more breakable with ASIC and FPGAs	18:24
morgan	we are doing bcrypt with standard passlib defaults	18:24
morgan	except in our unit tests.	18:24
morgan	because we aren't testing bcrypt security	18:24
lbragstad	morgan: which we lower in order to get performance benefits	18:24
lbragstad	right	18:24
morgan	correct	18:24
morgan	you can lower the rounds needed for bcrypt	18:24
morgan	which increases speed for the cost of security	18:25
morgan	i would have defaulted to scrypt, but it actually has a significant ram cost	18:25
morgan	and i don't want to move that way by default	18:25
morgan	bcrypt is mostly sufficient	18:25
morgan	annnyway	18:27
morgan	that is my stance on this.	18:27
morgan	and why i -2'd the revert	18:27
morgan	i am 100% ok with saying devstack should tune for it's resources	18:27
morgan	i am also ok with considering changing our default (somewhat)	18:27
lbragstad	morgan: we did that once with the old implementation i believe	18:28
morgan	but i don't want to see us revert a security hardening that is important like this because of the known tradeoff between security and speed	18:28
morgan	lbragstad: we did	18:28
morgan	we tuned down our default	18:29
morgan	in this case i'd be more inclined to tune devstack	18:29
morgan	devstack is not testing if bcrypt is secure, or scrypt, or pbkdf2	18:29
lbragstad	i think that's the right direction as well	18:29
morgan	and rally will continue to be a poor indicator on performance in auth for this exact reason (it can be much more indicative for say token validation)	18:29
morgan	since that is more consistent even in devstack.	18:30
*** catinthe_ has joined #openstack-keystone		18:31
*** catintheroof has quit IRC		18:33
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add HEAD API to domain config https://review.openstack.org/472876	18:35
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Cleanup colon usage in domain config docs https://review.openstack.org/473496	18:35
morgan	lbragstad: anyway, going to be very picky about changing the default rounds in keystone. We should tune devstack first (commented on the patch)	18:38
*** erlon has joined #openstack-keystone		18:38
lbragstad	morgan: yeah - i did too	18:38
lbragstad	sounds like another revision is on the way	18:38
morgan	boris indicated (boris42) he was going to propose changing the default rounds	18:39
morgan	not in devstack	18:39
morgan	so, like i said, be very careful, as that really impacts how secure the hashes are	18:39
morgan	i'd like to see real deployment figures with actual resources with bcrypt defaults	18:39
morgan	not devstack ones, before we actually do something	18:40
lbragstad	sure - i think that's fair	18:40
lbragstad	i wouldn't be opposed to using that information to write a guide if we can't point to an existing one	18:40
morgan	the sha512_crypt round change was based upon a "real-ish" deployment on real hardware used by dolphm at rax	18:41
morgan	++	18:41
lbragstad	yeah - that was mostly virtual machines deployed across rax datacenters	18:41
lbragstad	but we modeled it after production deployments	18:42
lbragstad	we wanted to know how much keystone we needed to handle the volume of requests we see in public cloud deployments	18:42
lbragstad	i think i included the password hashing analysis in the report i wrote on it, but i don't have access to it anymore	18:42
morgan	yeah	18:44
morgan	it was one thing	18:44
*** jose-phillips has quit IRC		18:46
*** spzala has joined #openstack-keystone		18:47
*** jose-phillips has joined #openstack-keystone		18:47
*** spzala has quit IRC		18:47
*** spzala has joined #openstack-keystone		18:47
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add HEAD API to auth https://review.openstack.org/472881	18:50
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Move domain config to DocumentedRuleDefault https://review.openstack.org/449337	18:53
lbragstad	alright - stepping away for a bit to get a run in and mow the lawn	18:54
*** aojea has joined #openstack-keystone		19:08
*** ducttape_ has quit IRC		19:21
*** ducttape_ has joined #openstack-keystone		19:21
*** tobberydberg has joined #openstack-keystone		19:21
*** tobberydberg has quit IRC		19:34
*** tobberydberg has joined #openstack-keystone		19:34
*** aojea has quit IRC		19:38
*** tobberydberg has quit IRC		19:39
*** catintheroof has joined #openstack-keystone		19:39
*** aojea has joined #openstack-keystone		19:41
*** catinthe_ has quit IRC		19:42
*** aojea has quit IRC		19:43
*** jose-phillips has quit IRC		19:51
*** jose-phillips has joined #openstack-keystone		19:54
*** jose-phillips has quit IRC		19:57
*** jose-phillips has joined #openstack-keystone		20:10
*** piliman974 has quit IRC		20:12
*** nicolasbock has quit IRC		20:14
*** raildo has quit IRC		20:27
*** piliman974 has joined #openstack-keystone		20:35
*** aojea has joined #openstack-keystone		20:48
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add HEAD API to domain config https://review.openstack.org/472876	20:53
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Move domain config to DocumentedRuleDefault https://review.openstack.org/449337	20:53
*** spzala has quit IRC		20:57
*** harlowja has quit IRC		21:02
*** lucasxu has quit IRC		21:12
*** thorst_afk has quit IRC		21:25
*** thorst_afk has joined #openstack-keystone		21:45
*** aojea has quit IRC		21:45
*** aojea has joined #openstack-keystone		21:48
*** thorst_afk has quit IRC		21:49
*** edmondsw has quit IRC		21:50
*** spilla has quit IRC		21:56
*** edmondsw has joined #openstack-keystone		21:59
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add HEAD APIs to federated API https://review.openstack.org/472858	22:01
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Make federation documentation consistent https://review.openstack.org/472875	22:01
*** edmondsw has quit IRC		22:03
*** edmondsw has joined #openstack-keystone		22:05
*** harlowja has joined #openstack-keystone		22:06
*** dave-mccowan has quit IRC		22:09
*** edmondsw has quit IRC		22:09
*** edmondsw has joined #openstack-keystone		22:11
*** edmondsw_ has joined #openstack-keystone		22:14
*** edmondsw has quit IRC		22:15
*** spzala has joined #openstack-keystone		22:15
*** edmondsw_ has quit IRC		22:18
*** boris-42_ has joined #openstack-keystone		22:20
boris-42_	Hi everybody	22:20
boris-42_	@morgan hi	22:20
boris-42_	@morgan so this patch https://review.openstack.org/#/c/473571/1 sets proper value in devstack and resotres performance https://review.openstack.org/#/c/473571/1 and unblocks rally gates	22:21
morgan	Jenkins is cranky with that oy35 (might just need a recheck)	22:22
morgan	otherwise looks good to me	22:22
breton	boris-42_: we can even stop encrypting passphrases completely and performance will be O(len(password)) ;)	22:28
boris-42_	@morgan ya i did recheck	22:28
boris-42_	@breton 4 rounds is like 2 ** 4 which is 16 Ops	22:29
boris-42_	which is like quite quick=)	22:31
boris-42_	btw bcrypt lib is slow (even if it is designed to be slow)	22:33
boris-42_	it could use all cores	22:34
boris-42_	so it will generate faster stuff for core keeping the same amount of resources required	22:34
boris-42_	for developer*	22:34
*** spzala has quit IRC		22:40
*** edmondsw has joined #openstack-keystone		22:42
*** edmondsw has quit IRC		22:46
*** rderose has quit IRC		22:47
*** sjain_ has joined #openstack-keystone		22:47
*** catintheroof has quit IRC		22:47
*** gagehugo has quit IRC		22:59
morgan	breton: no, we cannot, the code does not allow that.	23:03
morgan	boris-42_: we set the value to the floor in our unit tests	23:04
*** gagehugo has joined #openstack-keystone		23:04
morgan	so, it is as fast as it can be	23:04
morgan	that is acceptable for devstack as well	23:04
*** piliman974 has quit IRC		23:15
openstackgerrit	Merged openstack/keystone master: Updated from global requirements https://review.openstack.org/472807	23:18
*** yushiro has joined #openstack-keystone		23:20
*** ducttape_ has quit IRC		23:31
*** piliman974 has joined #openstack-keystone		23:34
*** adriant has quit IRC		23:35
*** phalmos has quit IRC		23:38
*** liujiong has joined #openstack-keystone		23:43
*** catintheroof has joined #openstack-keystone		23:45
*** aojea has quit IRC		23:51
*** gagehugo has quit IRC		23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!