Thursday, 2018-02-15

*** oikiki has quit IRC00:03
*** oikiki has joined #openstack-keystone00:03
*** spilla has quit IRC00:05
*** oikiki has quit IRC00:17
*** rmcall has joined #openstack-keystone00:20
*** rmcall has quit IRC00:20
*** dave-mccowan has joined #openstack-keystone00:54
*** r-daneel has quit IRC00:56
*** lbragstad has quit IRC01:45
*** itlinux has joined #openstack-keystone01:47
*** harlowja has quit IRC03:08
*** itlinux has quit IRC03:37
openstackgerritmelissaml proposed openstack/keystone-specs master: Replace Chinese quotes to English quotes
*** itlinux has joined #openstack-keystone04:00
*** agrebennikov has quit IRC04:13
*** gyee has quit IRC04:14
*** itlinux has quit IRC04:17
*** dave-mccowan has quit IRC04:25
*** masber has joined #openstack-keystone04:33
*** links has joined #openstack-keystone04:34
*** links has quit IRC04:42
*** links has joined #openstack-keystone04:45
*** r-daneel has joined #openstack-keystone04:57
*** threestrands_ has joined #openstack-keystone05:09
*** threestrands_ has quit IRC05:09
*** threestrands_ has joined #openstack-keystone05:09
*** threestrands has quit IRC05:09
*** threestrands_ has quit IRC05:10
*** threestrands_ has joined #openstack-keystone05:11
*** harlowja has joined #openstack-keystone05:15
*** threestrands has joined #openstack-keystone05:15
*** threestrands has quit IRC05:15
*** threestrands has joined #openstack-keystone05:15
*** threestrands_ has quit IRC05:18
*** threestrands has quit IRC05:28
*** jaosorior has quit IRC05:37
*** jaosorior has joined #openstack-keystone05:44
*** harlowja has quit IRC06:14
*** rcernin has quit IRC06:44
openstackgerritMerged openstack/keystone master: Add docs for application credentials
*** martinus__ has joined #openstack-keystone06:52
*** hoonetorg has quit IRC06:56
*** hoonetorg has joined #openstack-keystone06:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata
*** threestrands has joined #openstack-keystone07:09
*** threestrands has quit IRC07:09
*** threestrands has joined #openstack-keystone07:09
*** rcernin has joined #openstack-keystone07:28
*** pcaruana has joined #openstack-keystone07:40
*** edmondsw has joined #openstack-keystone07:41
*** edmondsw has quit IRC07:45
*** belmoreira has joined #openstack-keystone07:55
*** AlexeyAbashkin has joined #openstack-keystone08:08
*** tesseract has joined #openstack-keystone08:17
*** links has quit IRC08:35
*** links has joined #openstack-keystone08:52
*** sambetts|afk has quit IRC09:03
*** sambetts_ has joined #openstack-keystone09:07
*** threestrands_ has joined #openstack-keystone09:21
*** threestrands has quit IRC09:21
*** edmondsw has joined #openstack-keystone09:29
*** edmondsw has quit IRC09:34
*** sambetts_ is now known as sambetts10:21
*** d0ugal has quit IRC10:30
*** d0ugal has joined #openstack-keystone10:33
*** jistr is now known as jistr|mtg11:00
*** d0ugal has quit IRC11:20
*** d0ugal has joined #openstack-keystone11:39
*** dave-mccowan has joined #openstack-keystone12:10
*** raildo has joined #openstack-keystone12:14
*** jistr|mtg is now known as jistr12:23
*** edmondsw has joined #openstack-keystone13:06
*** edmondsw has quit IRC13:10
*** edmondsw has joined #openstack-keystone13:24
*** panbalag has joined #openstack-keystone13:47
*** McClymontS has joined #openstack-keystone13:56
*** jmlowe has quit IRC14:09
*** jmlowe has joined #openstack-keystone14:20
*** ayoung has quit IRC14:20
*** rmcall has joined #openstack-keystone14:21
*** dave-mccowan has quit IRC14:23
*** jaosorior has quit IRC14:23
*** lbragstad has joined #openstack-keystone14:29
*** ChanServ sets mode: +o lbragstad14:29
*** threestrands_ has quit IRC14:39
*** dtruong has quit IRC14:40
*** dtruong has joined #openstack-keystone14:41
*** ayoung has joined #openstack-keystone14:41
*** McClymontS has quit IRC14:53
*** rcernin has quit IRC15:01
*** r-daneel has quit IRC15:09
lbragstadkmalloc now that things settled down a bit should be the last of the stable reviews for RC215:12
lbragstadincluded the app creds documentation patch since we should be able to include that, too15:13
*** dave-mccowan has joined #openstack-keystone15:13
cmurphylbragstad: were you waiting for this translations patch too?
lbragstadcmurphy to back port it?15:14
lbragstadi've been trying to get in touch with the backports team about backports -
lbragstadbased on what ian said, it sounds like don't have to backport translations? i asked for clarification ^15:16
cmurphylbragstad: okay got it15:17
lbragstadstill waiting on a response though15:17
*** jaosorior has joined #openstack-keystone15:27
openstackgerritLance Bragstad proposed openstack/keystone master: Address FIXMEs for listing revoked tokens
*** dave-mccowan has quit IRC15:43
*** spilla has joined #openstack-keystone15:45
*** agrebennikov has joined #openstack-keystone15:56
openstackgerritMerged openstack/keystone master: Imported Translations from Zanata
lbragstadkmalloc are you around yet? i'm in the middle of refactoring the token provider and i have a couple ideas (probably bad ideas) about the token model15:57
*** r-daneel has joined #openstack-keystone15:58
lbragstadi think it would be beneficial to try and apply an MVC pattern15:58
lbragstadso - instead of generating version specific token data to generate the token model, it would work the other way around15:59
lbragstadyou pass a bunch of things to the token model and it gives you an object you and use to reason about the token response15:59
lbragstadthen the v3 token controller would build the token response based on the information provided in the model object16:00
lbragstaddoes that seem sane/16:00
lbragstadso - that would mean the whole V3TokenDataHelper object would get moved up to the controller layer16:02
lbragstador if anyone else has thought, comments, concerns?16:03
*** pcaruana has quit IRC16:09
knikollalbragstad: how is it handled currently?16:16
lbragstadwell - right now, we have an auth controller, a token provider (manager), a token driver (provider), and a token formatter16:16
lbragstadfrom top down, in that order16:17
lbragstadthe token controller pull information from the request and asks the token provider Manager for a token and a token response16:17
lbragstad(e.g. the project id, user id, trust information, domain info, etc...)_16:18
lbragstadso - that part would stay the same16:18
lbragstadsince the controller would be responsible for pulling that information from the actual authentication request16:18
lbragstadbut instead of *expecting*  a versioned response back from the token provider Manager, it would get a token_obj16:18
lbragstadso - it wouldn't just pass it back through to the user... instead, the controller would get more responsibility16:19
lbragstadand that would be to translate the token_obj to a v3 token response16:20
lbragstadso - essentially all this stuff
* lbragstad hopes he is making sense 16:21
*** links has quit IRC16:22
knikollalbragstad: makes sense.16:22
lbragstadthe token provider would only really care about taking some values from the controller, generating an object, getting a token id from a provider, and passing all that back to the controller16:23
knikollaand than the controller would call a view to render the token16:23
lbragstadso all version specific opinions about how a token should look in a response is isolated to the controller16:23
knikollafrom the model object16:23
lbragstadyes - exactly16:23
lbragstadso when we go to add a new version or a different token provider16:23
lbragstadit's kept separate from each other16:23
knikollamakes sense16:25
lbragstadok - cool16:25
lbragstadi feel better knowing if i've gone off the deep end, at least i'm not alone :)16:26
knikollalbragstad: that's me usually during refactoring16:28
*** jaosorior has quit IRC16:29
knikollalbragstad: would it make any sense at all to associate policy strings like identity:list_users to roles in keystone instead of having them in the policy.json files of projects?16:32
knikollasimilar to what we saw on aws16:33
lbragstadlike pulling all policies in to keystone?16:34
knikollalbragstad: yeah.16:34
lbragstadif i remember correctly, that's what the policy api was meant for16:35
knikollalbragstad: not really. as all it did was accept a blob of json.16:35
lbragstadright - i think it was meant for that kind of use case, but it was never really finished16:36
lbragstador completed16:36
knikollalbragstad: this is a one-to-many mapping between role -> action16:36
knikollakeystonemiddleware gets the role of the token, expands the list of actions the user can do16:36
knikollaand passes that to the service16:36
knikollaservice checks if action in list of actions.16:37
*** AlexeyAbashkin has quit IRC16:37
lbragstadits the rbac in middleware appraoch16:39
knikollalbragstad: rbac in middleware had enforcement in the middleware. this doesn't .16:39
lbragstadthe enforcement would be in keystone, then?16:40
knikollalbragstad: the enforcement will be in the service in the form of. keystonemiddleware expands role to list of actions; service checks if action is in list of actions provided by keystonemiddleware.16:41
knikollathe actions that a role can do are in keystone16:42
knikollasimilar to oauth scopes.
lbragstadso - keystone has to maintain the mapping of roles -> actions16:44
lbragstadwhat happens when new operations are added to the service?16:46
lbragstador actions?16:46
lbragstadsomething has to update keystone, right?16:47
knikollalbragstad: yes, this is also a question for the current approach when we introduce some default roles that are openstack-wide.16:48
knikollawe can exploit those default roles to provide sane defaults.16:48
lbragstadkeystone would have to add those during bootstrap16:49
lbragstadi guess we need to work through the upgrade case, in both situations16:50
knikollalbragstad: another approach exploits the current system scoping16:51
knikollanova for example gets access to system:nova:policy16:51
lbragstadi think this would be good to run by other projects at the PTG16:51
lbragstadnova gets that by default?16:52
knikollalbragstad: the admin would grant it on the nova service user16:52
lbragstadyeah - i think moving to something like that would be useful16:54
lbragstadit would be nice to restrict service users to only what they need to do in other services16:54
lbragstadknikolla adding a snippet for this in
knikollalbragstad: i'll sketch out a spec16:56
* knikolla goes for lunch16:57
lbragstadi'll read the auth0 doc16:57
lbragstadsometime today16:57
*** oikiki has joined #openstack-keystone17:04
*** sambetts is now known as sambetts|afk17:19
*** harlowja has joined #openstack-keystone17:19
*** pcaruana has joined #openstack-keystone17:20
*** belmoreira has quit IRC17:27
*** itlinux has joined #openstack-keystone17:47
*** tesseract has quit IRC17:52
*** AlexeyAbashkin has joined #openstack-keystone18:01
*** AlexeyAbashkin has quit IRC18:06
*** kukacz has quit IRC18:15
*** kukacz_ has joined #openstack-keystone18:20
*** oikiki has quit IRC18:28
*** oikiki has joined #openstack-keystone18:29
openstackgerritMerged openstack/keystone-specs master: Fix typos in keystone-specs
*** rmascena has joined #openstack-keystone18:43
*** panbalag has left #openstack-keystone18:43
*** raildo has quit IRC18:46
*** rmcall has quit IRC18:55
*** harlowja has quit IRC19:00
*** gyee has joined #openstack-keystone19:03
openstackgerritColleen Murphy proposed openstack/keystoneauth master: Add pep8 import order validation
mordredcmurphy: ^^ TIL19:12
cmurphymordred: :D19:13
cmurphywas looking at another change and wondering why the hell that wasn't being caught19:14
mordredcmurphy: you know what would be neat? a script that would fix those ...19:14
lbragstaddid flake get updated recently?19:16
lbragstadi'm seeing a bunch of that stuff in keystone,t oo19:16
cmurphythe violations i found in ksa had been there a while19:20
lbragstadmust be the version i have locally then19:26
*** r-daneel has quit IRC19:27
mordredcmurphy, lbragstad: feel like +3ing ?19:33
cmurphyyes will look19:34
cmurphysorry, i keep promising to look at it and then drop it on the floor19:34
*** harlowja has joined #openstack-keystone19:35
*** harlowja_ has joined #openstack-keystone19:37
*** harlowja has quit IRC19:39
openstackgerritMerged openstack/keystone master: Remove unused class variables from token provider
openstackgerritMerged openstack/keystoneauth master: Fix a spelling error
*** pcaruana has quit IRC20:03
mordredcmurphy: no worries - I promised to write a feature for keystone last cycle and i'm pretty sure you did 100% of the work, so I don't think I get to complain :)20:09
*** AlexeyAbashkin has joined #openstack-keystone20:15
*** kukacz_ has quit IRC20:17
*** AlexeyAbashkin has quit IRC20:19
cmurphymordred: :)20:19
*** r-daneel has joined #openstack-keystone20:31
*** panbalag has joined #openstack-keystone20:36
openstackgerritLance Bragstad proposed openstack/keystone master: Remove needs_persistence property from token providers
openstackgerritLance Bragstad proposed openstack/keystone master: Refactor token cache invalidation callbacks
openstackgerritLance Bragstad proposed openstack/keystone master: Simplify token persistence callbacks
openstackgerritLance Bragstad proposed openstack/keystone master: Simplify federation and oauth token callbacks
*** panbalag has left #openstack-keystone20:43
ayoungHolleee crap.  I might have just used Hierarchical Multi Tenancy to fix a disconnect between CloudForms and Nova....20:53
*** oikiki has quit IRC21:05
*** oikiki has joined #openstack-keystone21:06
*** oikiki has quit IRC21:10
openstackgerritMerged openstack/keystoneauth master: Split request logging into four different loggers
openstackgerritMerged openstack/keystoneauth master: Add some comments explaining split_loggers flag logic
openstackgerritMerged openstack/keystoneauth master: Remove PYTHONHASHSEED setting
*** oikiki has joined #openstack-keystone21:23
*** pcaruana has joined #openstack-keystone21:31
gagehugokmalloc ah the certs part makes sense21:32
kmallocgagehugo: yeah21:32
*** rmascena has quit IRC21:41
*** openstack has joined #openstack-keystone21:44
*** ChanServ sets mode: +o openstack21:44
*** pcaruana has quit IRC21:48
*** rcernin has joined #openstack-keystone21:50
*** martinus__ has quit IRC22:05
*** neex_io has joined #openstack-keystone22:07
*** belmoreira has joined #openstack-keystone22:11
*** neex_io has quit IRC22:25
openstackgerritMerged openstack/keystoneauth master: Add pep8 import order validation
*** threestrands has joined #openstack-keystone22:43
*** threestrands has quit IRC22:43
*** threestrands has joined #openstack-keystone22:43
lbragstadstepping away for a bit, i'll be back on tonight though23:06
*** itlinux has quit IRC23:09
*** spilla has quit IRC23:15
*** belmoreira has quit IRC23:17
*** r-daneel has quit IRC23:24
SamYapleif i wanted to compare x509 auth to fernet tokens, speed-wise, is there any existing tooling in the project that can help with that?23:41
*** oikiki has quit IRC23:42
SamYapleor, possibly, has this been tested and i can just go view the results?23:42
*** oikiki has joined #openstack-keystone23:42

Generated by 2.15.3 by Marius Gedminas - find it at!