Tuesday, 2018-06-26

kmalloc	nvm, figured it out	00:00
*** josecastroleon has quit IRC		00:22
*** josecastroleon has joined #openstack-keystone		00:36
*** edmondsw has quit IRC		00:37
*** namnh has joined #openstack-keystone		00:58
kmalloc	lbragstad, knikolla, hrybacki, wxy: ^ ready for review. Tests are fully implemented	01:30
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer https://review.openstack.org/576639	01:30
kmalloc	lbragstad: knikolla wxy hrybacki: ^ erm.. THAT one.	01:30
kmalloc	lbragstad: i also think we need to add a couple more check types to oslo.policy we can discuss tomorrow.	01:35
*** gongysh has joined #openstack-keystone		01:43
*** harlowja has quit IRC		01:46
*** gongysh has quit IRC		01:47
*** mordred has quit IRC		01:49
*** itlinux has joined #openstack-keystone		02:05
*** mordred has joined #openstack-keystone		02:07
*** Dinesh_Bhor has joined #openstack-keystone		03:01
lbragstad	kmalloc: sorry - just got back in	03:08
kmalloc	lbragstad: looks like i have a bug -- part of it doesn't work on py27 (commented in the review)	03:11
kmalloc	lbragstad: i need to figure out how it even works (i think it just is an instantiation behind the scenes)	03:13
kmalloc	lbragstad: ok pushing a change that fixes the py27 failure(s)	03:33
kmalloc	turns out py3 is a lot less picky about what the "self" attribute is :P	03:34
kmalloc	i wonder if that is a bug...	03:34
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer https://review.openstack.org/576639	03:36
lbragstad	nice	03:36
*** annp has joined #openstack-keystone		03:39
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Don't treat sphinx warnings as errors https://review.openstack.org/577974	03:45
lbragstad	^ that should unblock our documentation gate	03:45
lbragstad	reaching out to the oauth maintainers to see if they would accept a change to fix those in oauthlib, at which point we could consider re-enabling that flag	03:46
*** AlexeyAbashkin has joined #openstack-keystone		03:47
kmalloc	lbragstad: ++ yay	03:49
kmalloc	lbragstad: +2	03:49
kmalloc	lbragstad: anyway, so i have another change coming in the series to update the scaffolding for flask_restful [should be small-ish]	03:50
kmalloc	and then i get another review to convert an API over. i'm guessing /limits might be the easiest.	03:50
lbragstad	ack	03:52
kmalloc	lbragstad: sorry for the 1000 line review in the rbac_enforcer... it's hard to implement something like that in bits.	03:53
lbragstad	yeah	03:53
lbragstad	i'm going to review that tomorrow	03:53
kmalloc	but more than half of those lines is tests. :)	03:53
lbragstad	i was just about to wrap up the token provider refactor today and hit the rabbit hole with sphinx	03:53
lbragstad	tomorrow morning i'll finish cleaning up the patches for that refactor and i should be able to do some reviews for office hours	03:54
kmalloc	so, before we land the tokenmodel, i want you to look at https://review.openstack.org/#/c/577655/n	03:54
kmalloc	so, before we land the tokenmodel, i want you to look at https://review.openstack.org/#/c/577655/ *	03:54
*** AlexeyAbashkin has quit IRC		03:54
*** AlexeyAbashkin has joined #openstack-keystone		03:54
kmalloc	only because it conflicts with your patch and i think i found a legit bug in the subject-token target population	03:55
lbragstad	whats the bug?	03:56
lbragstad	ahh	03:57
lbragstad	i read the comment	03:57
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer https://review.openstack.org/576639	04:02
*** AlexeyAbashkin has quit IRC		04:04
*** spilla has joined #openstack-keystone		04:23
*** dims has quit IRC		04:30
*** dims has joined #openstack-keystone		04:35
*** pcichy has quit IRC		04:45
*** lifeless has joined #openstack-keystone		05:16
*** josecastroleon has quit IRC		05:32
*** josecastroleon1 has joined #openstack-keystone		05:32
*** ispp has joined #openstack-keystone		05:33
*** isssp has quit IRC		05:36
*** spilla has quit IRC		05:41
*** Dinesh_Bhor has quit IRC		05:44
*** isssp has joined #openstack-keystone		05:53
*** josecastroleon1 has quit IRC		05:54
*** ispp has quit IRC		05:54
*** ispp has joined #openstack-keystone		05:55
*** josecastroleon has joined #openstack-keystone		05:55
*** isssp has quit IRC		05:58
*** openstackgerrit has quit IRC		06:04
*** pcichy has joined #openstack-keystone		06:10
*** AlexeyAbashkin has joined #openstack-keystone		06:13
*** issp has joined #openstack-keystone		06:14
*** Alexey_Abashkin has joined #openstack-keystone		06:15
*** Alexey_Abashkin1 has joined #openstack-keystone		06:16
*** martinus__ has joined #openstack-keystone		06:17
*** AlexeyAbashkin has quit IRC		06:18
*** Alexey_Abashkin1 is now known as AlexeyAbashkin		06:18
*** Alexey_Abashkin has quit IRC		06:19
*** nicolasbock has joined #openstack-keystone		06:40
*** peereb has joined #openstack-keystone		06:48
*** peereb has quit IRC		06:49
*** peereb has joined #openstack-keystone		06:49
*** peereb has quit IRC		06:50
*** AlexeyAbashkin has quit IRC		07:05
*** namnh has quit IRC		07:06
*** AlexeyAbashkin has joined #openstack-keystone		07:07
*** rcernin has quit IRC		07:08
*** gongysh has joined #openstack-keystone		07:10
*** tesseract has joined #openstack-keystone		07:14
*** aojea_ has joined #openstack-keystone		07:18
*** pcaruana has joined #openstack-keystone		07:20
*** aojea_ has quit IRC		07:20
*** issp has quit IRC		07:21
*** openstackgerrit has joined #openstack-keystone		07:22
openstackgerrit	Neha Alhat proposed openstack/keystonemiddleware master: Register session conf options from keystoneauth https://review.openstack.org/578008	07:22
*** issp has joined #openstack-keystone		07:27
*** amoralej\|off is now known as amoralej		07:28
*** tosky has joined #openstack-keystone		07:41
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	08:26
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	08:30
*** jaosorior has quit IRC		08:39
*** Dinesh_Bhor has joined #openstack-keystone		08:42
*** mvk has quit IRC		08:57
*** lifeless has quit IRC		09:16
*** aloga has joined #openstack-keystone		09:19
*** mvk has joined #openstack-keystone		09:24
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit https://review.openstack.org/576025	09:25
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add registered_limit_id column for limit https://review.openstack.org/577751	09:25
*** Dinesh_Bhor has quit IRC		09:27
*** qwebirc77170 has joined #openstack-keystone		09:53
qwebirc77170	hello all. This is Parthiban here.	09:54
qwebirc77170	Recently I went through OpenStack Security guidelines and I'm trying to implement few of them.	09:54
qwebirc77170	#auth_timing_attack - I have verified the response time of OpenStack with successful & failed attempts, but I cannot figure out difference in response time to a valid vs a failed authentication attempt.	09:54
qwebirc77170	Has this feature already implemented in Openstack? I'm using OpenStack Queens. Can some one help on this?	09:54
qwebirc77170	Hope this is the right forum to post this query. if not, please guide me with this regard.	09:54
*** mvk has quit IRC		10:05
*** mvk has joined #openstack-keystone		10:21
*** jaosorior has joined #openstack-keystone		10:29
*** vishakha has joined #openstack-keystone		10:50
vishakha	pl review https://review.openstack.org/#/c/576433/	10:50
*** annp has quit IRC		10:58
vishakha	lbragstad, Pl review https://review.openstack.org/#/c/576433/	11:18
*** issp has quit IRC		11:22
qwebirc77170	Hello all, Can someone help me out on key revocation system to quickly deactivate potentially compromised keys in OpenStack - https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation	11:42
*** issp has joined #openstack-keystone		11:51
*** amoralej is now known as amoralej\|lunch		11:59
*** raildo has joined #openstack-keystone		12:12
*** issp has quit IRC		12:25
*** issp has joined #openstack-keystone		12:33
*** mchlumsky has quit IRC		12:33
*** mchlumsky has joined #openstack-keystone		12:35
*** edmondsw has joined #openstack-keystone		12:58
*** aloga has quit IRC		13:02
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	13:03
*** frickler has quit IRC		13:26
*** frickler has joined #openstack-keystone		13:26
*** evrardjp has joined #openstack-keystone		13:28
*** evrardjp_ has quit IRC		13:30
kmalloc	qwebirc77170: what can I do to help? :)	13:52
kmalloc	jaosorior: that policy driver bit is looking good.	13:53
jaosorior	kmalloc: thanks	13:54
jaosorior	kmalloc: still doesn't work properly with inheritance (glance has it's own enforcer object which inherits from oslo_policy's enforcer)	13:56
jaosorior	gotta see why	13:56
kmalloc	Yah.	13:57
*** amoralej\|lunch is now known as amoralej		13:58
jaosorior	I thought that the proxy retrieved by "super" would also call __getattribute__... seems it doesn't	13:58
jaosorior	brb	13:59
*** jaosorior has quit IRC		13:59
knikolla	o/	14:04
lbragstad	knikolla: are you going to be at the edge meeting tomorrow?	14:16
*** wxy\| has joined #openstack-keystone		14:16
knikolla	lbragstad: yes.	14:16
lbragstad	ok - cool	14:16
lbragstad	the one they are talking about right now	14:17
knikolla	yeah, that's the opnfv one	14:17
knikolla	i also have an item on the keystone meeting agenda for today about fed testing	14:17
lbragstad	good deal	14:18
*** felipemonteiro has joined #openstack-keystone		14:26
*** itlinux has quit IRC		14:29
*** felipemonteiro_ has joined #openstack-keystone		14:29
*** felipemonteiro has quit IRC		14:33
*** josecastroleon has quit IRC		14:34
*** josecastroleon has joined #openstack-keystone		14:34
*** josecastroleon has quit IRC		14:38
*** josecastroleon has joined #openstack-keystone		14:42
gagehugo	lbragstad may be late to the meeting today	14:44
kmalloc	lbragstad: zoom.us thing right now? Or am I missing a different meeting?	14:45
lbragstad	no - the edge group meeting just ended - it's apparently duplicated in IRC, but i couldn't find the room?	14:46
lbragstad	there is an OPNFV meeting tomorrow though	14:46
kmalloc	lbragstad: we holding on the Sphinx change?	14:48
kmalloc	Or are we unblocking by removing -W	14:48
lbragstad	i'm spinning up an alternate now	14:48
kmalloc	Ok	14:48
lbragstad	i'd like to keep treating warnings as error if we can help it	14:48
kmalloc	Let me in +A that one then.	14:48
kmalloc	Un*	14:49
kmalloc	Leaving the +2s in case we still need it.	14:49
*** gongysh has quit IRC		14:53
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Override oauthlib docstrings that fail with Sphinx 1.7.5 https://review.openstack.org/578121	14:54
lbragstad	kmalloc: ^	14:54
*** josecastroleon has quit IRC		14:59
*** josecastroleon has joined #openstack-keystone		14:59
*** AlexeyAbashkin has quit IRC		15:01
*** spilla has joined #openstack-keystone		15:01
kmalloc	lbragstad: +2+A	15:16
*** itlinux has joined #openstack-keystone		15:16
*** felipemonteiro_ has quit IRC		15:19
*** felipemonteiro_ has joined #openstack-keystone		15:19
*** felipemonteiro has joined #openstack-keystone		15:22
*** qwebirc77170 has quit IRC		15:22
*** felipemonteiro_ has quit IRC		15:24
*** cwright has quit IRC		15:31
*** felipemonteiro has quit IRC		15:32
*** felipemonteiro has joined #openstack-keystone		15:32
*** felipemonteiro_ has joined #openstack-keystone		15:33
*** felipemonteiro has quit IRC		15:37
*** fiddletwix has quit IRC		15:37
*** pcaruana has quit IRC		15:42
*** aning_ has joined #openstack-keystone		15:47
*** cwright has joined #openstack-keystone		15:48
*** gyee has joined #openstack-keystone		15:50
aning_	Hi, a question regarding to fernet token ... I have two openstackt deployments, bothing using fernet token. The keys for the token are sync-ed. Will tokens issued on one cloud be valid on the other one?	15:50
*** dklyle has quit IRC		15:50
kmalloc	lbragstad: failed pep8 because "first line should be imperitive"	15:51
kmalloc	lbragstad: i kindof want to just make the D401 check go away	15:51
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Override oauthlib docstrings that fail with Sphinx 1.7.5 https://review.openstack.org/578121	15:52
*** dklyle has joined #openstack-keystone		15:53
lbragstad	thanks kmalloc	15:54
kmalloc	its about that time.	15:59
*** issp has quit IRC		16:01
lbragstad	ping ayoung, breton, cmurphy, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk	16:01
*** gyee has quit IRC		16:03
*** jmlowe has quit IRC		16:11
*** harlowja has joined #openstack-keystone		16:12
aning_	Any body any idea about my fernet token question?	16:12
lbragstad	aning_: if you're replicating the keystone databse between the two, the tokens should work across deployments	16:13
aning_	and in my deployment, the keystones are NOT active/standby, they are totally different deployment, the user name are the same, but id are different.	16:14
aning_	yes, that's what I thought and observed ...	16:14
lbragstad	then fernet tokens are not going to work across deployments	16:14
aning_	when keystone verify the token, it actually take the user id out of the token, and check if that's a valid user in its DB	16:15
lbragstad	each keystone will be able to unpack the encrypted token payloads, but they won't be able to resolve what's inside (e.g. 404 when looking up the user)	16:15
lbragstad	aning_: yep - you're correct	16:15
aning_	for project scoped token, keystone will verify project and the user's role in that project	16:16
lbragstad	correct	16:17
aning_	it's all using id instead of name, so the keystone DBs has to be sync-ed as well.	16:17
lbragstad	keystone will pull out the user id and project id from the token and rebuild the user's roles from that information	16:17
aning_	right	16:17
lbragstad	aning_: correct - since ID are guaranteed to be unique	16:17
aning_	thanks for the confirmation.	16:18
lbragstad	names for projects and users are only unique within a specific domain - so there is some namespacing involved there	16:18
aning_	BTW, any tools or ways to decode a fernet token?	16:18
lbragstad	you just want to know what's inside it?	16:19
aning_	eg, to see the user, project etc in it?	16:19
aning_	yes	16:19
lbragstad	i built https://github.com/lbragstad/fernet-inspector a long time ago	16:19
lbragstad	it's just a hacky script though	16:19
lbragstad	and it has to be run from a node that has access to the key repository used to create the token	16:20
aning_	Oh, that's cool. Will check it out.	16:20
aning_	thanks again	16:20
lbragstad	no problem	16:21
kmalloc	want to know something weird... i found out you can pass anything as "self" to a unbound python method in py3	16:27
kmalloc	but in py2 it must be an instance of the method's class (or instance of a subclass)	16:27
*** tesseract has quit IRC		16:40
*** blake has joined #openstack-keystone		16:47
lbragstad	#startmeeting keystone-office-hours	17:01
openstack	Meeting started Tue Jun 26 17:01:30 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:01
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		17:01
*** ChanServ changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"		17:01
openstack	The meeting name has been set to 'keystone_office_hours'	17:01
kmalloc	if anyone has questions on the RBACEnforcer, i know it's super dense.	17:01
kmalloc	I can speak to it and a lot of the quirks in our policy code.	17:02
lbragstad	awesome	17:03
lbragstad	i'm going to grab lunch quick and i'll be right back	17:03
lbragstad	knikolla: and i were going to try and tag team a few bugs today	17:03
lbragstad	#link https://bugs.launchpad.net/keystone/+bug/1658641	17:04
openstack	Launchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)	17:04
lbragstad	#link https://bugs.launchpad.net/keystone/+bug/1757022	17:04
openstack	Launchpad bug 1757022 in OpenStack Identity (keystone) ""keystone-manage mapping_purge" ignores --type option" [Undecided,In progress] - Assigned to Dai Hanada (dai-hanada)	17:04
lbragstad	#link https://bugs.launchpad.net/keystone/+bug/1775207	17:04
openstack	Launchpad bug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] - Assigned to Pavlo Shchelokovskyy (pshchelo)	17:04
*** wxy\| has quit IRC		17:04
* knikolla going for lunch		17:05
kmalloc	lbragstad: i'm going to try and get the "move an API" patch up today.	17:05
kmalloc	so its easier to see how the flask stuff actually shakes out.	17:05
gagehugo	o/	17:05
lbragstad	that'd help	17:06
*** harlowja has quit IRC		17:10
*** felipemonteiro_ has quit IRC		17:14
*** felipemonteiro_ has joined #openstack-keystone		17:14
*** mvk has quit IRC		17:17
*** gyee has joined #openstack-keystone		17:20
*** blake has quit IRC		17:22
*** blake has joined #openstack-keystone		17:22
kmalloc	lbragstad: yeah, so working on the scaffolding update patches now and then api move will be soon	17:23
*** blake has quit IRC		17:27
*** blake has joined #openstack-keystone		17:33
*** felipemonteiro__ has joined #openstack-keystone		17:44
*** felipemonteiro_ has quit IRC		17:48
*** felipemonteiro__ has quit IRC		17:49
*** felipemonteiro__ has joined #openstack-keystone		17:49
*** felipemonteiro has joined #openstack-keystone		17:53
*** felipemonteiro__ has quit IRC		17:54
*** amoralej is now known as amoralej\|off		17:56
pas-ha	lbragstad: hi, re bug 1775207, I noticed you've put an 'office-hours' tag on it - wdym and is my attention required/expected?	18:01
openstack	bug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] https://launchpad.net/bugs/1775207 - Assigned to Pavlo Shchelokovskyy (pshchelo)	18:01
*** felipemonteiro has quit IRC		18:01
*** felipemonteiro has joined #openstack-keystone		18:01
lbragstad	pas-ha: we use the office-hours tag as a way to focus on a specific set of bugs or reviews	18:01
pas-ha	oh, ok, just saw it mentioned in the scrollback :)	18:02
lbragstad	we had a user come through the channel yesterday and we noticed a few reviews related to keystone-manage that could use some attention	18:02
lbragstad	i added the tag to it so that we could hopefully get some eyes on it	18:02
*** blake has quit IRC		18:05
*** blake has joined #openstack-keystone		18:06
*** felipemonteiro_ has joined #openstack-keystone		18:08
knikolla	lbragstad: i have a meeting now, but will join you in 1 hr or so for the ldap stuff	18:09
lbragstad	sounds good - cleaning up one of the patches now, should be ready for review by then	18:09
*** blake has quit IRC		18:10
*** felipemonteiro has quit IRC		18:11
*** jaosorior has joined #openstack-keystone		18:13
*** blake has joined #openstack-keystone		18:21
*** AlexeyAbashkin has joined #openstack-keystone		18:25
*** andy_wrs has joined #openstack-keystone		18:26
*** jmlowe has joined #openstack-keystone		18:31
*** dmellado has quit IRC		18:32
*** blake has quit IRC		18:35
*** andy_wrs has quit IRC		18:52
*** AlexeyAbashkin has quit IRC		19:13
*** AlexeyAbashkin has joined #openstack-keystone		19:13
*** AlexeyAbashkin has quit IRC		19:14
*** felipemonteiro_ has quit IRC		19:15
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option https://review.openstack.org/554397	19:15
lbragstad	knikolla: ^ those could be a bit more dry - but they're functional	19:16
*** felipemonteiro has joined #openstack-keystone		19:19
*** blake has joined #openstack-keystone		19:23
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g https://review.openstack.org/578189	20:03
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents https://review.openstack.org/578190	20:03
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents https://review.openstack.org/578190	20:04
knikolla	lbragstad: looking	20:10
*** vishakha has quit IRC		20:17
*** spilla has quit IRC		20:20
*** raildo has quit IRC		20:20
knikolla	lbragstad: looks good to me. +2	20:28
lbragstad	knikolla: cool - thanks	20:29
lbragstad	i'm a little worried about the duplication	20:29
*** vishakha has joined #openstack-keystone		20:29
lbragstad	but i'm open to refactoring it if we can find a better way	20:30
knikolla	i generally like tests to be verbose.	20:30
knikolla	duplication in that case should be fine as it makes it pretty clear what the test is doing.	20:31
lbragstad	that's fair	20:31
knikolla	but that's just my opinion :)	20:31
aning_	Hi lbragstad, I use your fernet-inspector to inspect a fernent-token, the result is this:	20:36
aning_	fernet-inspector -k /opt/cgcs/keystone/fernet-keys gAAAAABbMpejHDDFLNkopYu5_PrFMKo16qidKmOXe5NvctVmja1FxqNBglzJcpma5CqiWG9L7YIVHuXlL29KotzdeHdA50IThiPhzKGREGhpVtKHFoRkGHRRHNK9VRpKSQpj7eTaKBDrRDc61NJ46H1Hh2VARmj1kv3andlwZ9ztHUYvipv86Ng	20:36
aning_	[2, [True, '\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`'], 2, [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X'], 1530045875.0, ['NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;']]	20:36
aning_	the Audit id from base64.urlsafe_b64encode('NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;') is	20:37
aning_	'TlAw_ghUQ6SDwsXb5DuIOw=='	20:37
aning_	And the UUID from uuid.UUID(bytes='\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`').hex is	20:37
aning_	'd35db37b1c7b42ed8e9be8c160814d60'	20:38
aning_	[True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X'] in the middel after the second number 2, what is it?	20:38
aning_	and what's Audit id?	20:39
aning_	where are user id and project id hidden in the decoded data?	20:40
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n452	20:40
lbragstad	this is going to go into the implementation details a bit	20:40
lbragstad	but keystone users different payload classes to pack up the payload before encrypting it	20:41
*** blake has quit IRC		20:41
lbragstad	which keeps the two things separate	20:41
lbragstad	(building of the payload from the thing that actually does the encryption) ]	20:41
lbragstad	each payload has a version	20:41
*** blake has joined #openstack-keystone		20:41
lbragstad	which is the first thing in the list when you decrypt a token	20:42
lbragstad	so - in your example, you're dealing with a ProjectScopedPayload because the first element of the list is an integer of 2	20:42
*** spilla has joined #openstack-keystone		20:43
lbragstad	the ProjectScopedPayload returns a tuple which gets used here - https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n158	20:43
lbragstad	notice that the version is coming from the payload classes that was used to build the payload	20:44
lbragstad	the second integer is a compressed representation of the authentication methods associated with that token	20:45
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n464	20:45
knikolla	lbragstad: my brain is fried for now. i'll head home and then work on https://review.openstack.org/#/c/487579/ later tonight	20:45
lbragstad	we do this instead of passing method: ['password', 'token']	20:45
lbragstad	knikolla: sounds good	20:45
*** blake has quit IRC		20:46
lbragstad	aning_: because using methods: ['password', 'token'] in a token payload bloats it significantly, so we convert the configured authentication methods to a unique integer that can be reinflated at validation time	20:46
lbragstad	see https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/core.py#n46	20:47
lbragstad	and https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/core.py#n63	20:47
*** mvk has joined #openstack-keystone		20:47
*** blake has joined #openstack-keystone		20:49
*** jmlowe has quit IRC		20:51
*** blake has quit IRC		20:53
*** martinus__ has quit IRC		21:00
*** felipemonteiro has quit IRC		21:10
aning_	Sorry I was pulled away for while ... these are very valuable information.	21:12
aning_	but jus from a high level, I saw three hex strings	21:12
aning_	The first one is UUID, the last one is Audit ID, what's the middle one?	21:12
aning_	If I guess, it should be password	21:15
lbragstad	this is the payload	21:16
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n469	21:16
lbragstad	or the format of the payload	21:16
aning_	or token depends on the integer before it, since that integer is the auth method.	21:16
lbragstad	so version = 2	21:17
*** jmlowe has joined #openstack-keystone		21:17
lbragstad	b_user_id is [True, '\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`']	21:17
lbragstad	2 is the methods	21:17
aning_	right, version = 2 in my example.	21:17
lbragstad	b_project_id is [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X']	21:17
lbragstad	expires_at_int is 1530045875.0	21:17
lbragstad	and b_audit_ids is ['NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;']	21:18
aning_	Great	21:18
aning_	so audit id contains credentials?	21:18
lbragstad	nope - audit ids are a specific property of a token	21:19
aning_	probably not, since there is no need for credentials in token ...	21:19
lbragstad	right	21:19
aning_	Ok got it	21:19
lbragstad	an audit id is generated whenever you create a token	21:19
lbragstad	we call them audit ids because they help us track which tokens are related	21:20
lbragstad	so - for example	21:20
lbragstad	if you authenticate for a token using your username and password you'll get back a token	21:20
lbragstad	which will have an audit id	21:20
lbragstad	if you use that token to reauthenticate for a new token	21:20
lbragstad	your new token will contain a list of audit ids, one of which will be the audit id of the first token you authenticated for with your password	21:21
lbragstad	since tokens are non-persistent, audit ids help us when a user wants to "delete" a specific token	21:22
*** cmurphy_vacation is now known as cmurphy		21:22
lbragstad	we can persist the audit id of the deleted token, and flag it as invalid if we ever attempt to validate a token with that audit (decrypted from the token payload)	21:22
aning_	ok	21:23
lbragstad	that's a lot of details about the internal guts of keystone token system... hopefully it makes sense	21:25
aning_	Yes, it all makes sense ... wouldn't get them anywhere else. Fantastic!	21:26
aning_	Rather complicated, need time to dig and digest.	21:28
kmalloc	lbragstad: i'm trying to avoid a massive rebase/reset the stack https://review.openstack.org/#/c/577586/	21:28
kmalloc	thats all	21:28
aning_	Thanks a lot	21:28
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents https://review.openstack.org/578190	21:28
*** jmlowe has quit IRC		21:29
lbragstad	aha	21:29
kmalloc	this stack is a bit unweildy as is.	21:29
kmalloc	just because it is a LOT of moving parts.	21:29
lbragstad	yeah	21:29
lbragstad	aning_: no problem	21:29
kmalloc	and keeping my brain in one place at a given time has been hard, touches a lot of really overly complex parts.	21:29
lbragstad	kmalloc: do we need this bit though? https://review.openstack.org/#/c/577586/1/requirements.txt	21:30
lbragstad	shouldn't we be able to get away with just Flask>=1.0.2	21:31
kmalloc	well, we need to adhere to what is in reqirements	21:32
kmalloc	i suck and forgot to remove that part :P	21:32
kmalloc	https://github.com/openstack/requirements/blob/master/global-requirements.txt#L62	21:32
kmalloc	oops	21:32
kmalloc	i dunno if the checker will get cranky or not with removing that	21:33
kmalloc	i know this stack is getting deep =/	21:33
kmalloc	and it's not super easy to follow because of what it touches to begin with	21:34
kmalloc	but fwiw, the "dummy API" will be stood up in https://review.openstack.org/#/c/578190/ [the full end-to-end test]	21:34
lbragstad	ok	21:35
kmalloc	now that I have json_home scaffolding in place.	21:35
kmalloc	fwiw, my brain is fried as hell working on these now =/ testing the RBACEnforcer took 3 days to write the tests.	21:35
lbragstad	yeah...	21:35
lbragstad	the good thing is that most of the stack leading up to that looks good	21:36
lbragstad	at least IMO	21:36
lbragstad	getting those through the gate will give us time to parse the RBACEnforcer change	21:37
*** lifeless has joined #openstack-keystone		21:38
kmalloc	the NITs on the 404/418 one, do you want me to fix and rebase or as a side-addendum patch	21:39
lbragstad	i'm not sure i have a solution for it...	21:39
lbragstad	i'm not sure what the fix would be, it was just a concern	21:39
kmalloc	i meant the other nits	21:39
kmalloc	the 418 bit, i can pick another status_code [any]	21:39
kmalloc	i also added the expressive comment to explain this is a testing-only-thing and what it means	21:40
kmalloc	right below your review-comment (the code-comment is expressive that is)	21:40
lbragstad	ahh	21:40
lbragstad	that one is pretty late in the chain	21:40
lbragstad	if you rebase it's only going to affect 4 patches, right?	21:41
kmalloc	yeh, the enforcer patch and the newest ones on top of it	21:42
kmalloc	i am hesitant to rebase the enforcer if people are actively reviewing...	21:42
lbragstad	oh - sure	21:42
kmalloc	but i also realize that is unlikely with the current preceeding patches not fully reviewed	21:42
lbragstad	i'm just about to wrap up my review of the RBACEnforcer patch	21:43
kmalloc	cool.	21:43
kmalloc	i'll add an addendum patch to the 418 one to address the nits and we can swap out the expected_status bit to a different code if we want at anytime	21:43
kmalloc	it's 2 lines to swap to someting else... 4 if you count the comment and the error msg	21:44
*** rcernin has joined #openstack-keystone		21:47
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Address minor comments to 404 error detection https://review.openstack.org/578216	21:48
*** itlinux has quit IRC		21:54
*** afazekas has quit IRC		21:56
*** afazekas has joined #openstack-keystone		21:59
lbragstad	#endmeeting	21:59
*** openstack changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"		22:00
openstack	Meeting ended Tue Jun 26 21:59:57 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	22:00
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-06-26-17.01.html	22:00
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-06-26-17.01.txt	22:00
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-06-26-17.01.log.html	22:00
kmalloc	lbragstad: responded to your comments	22:02
kmalloc	on the enforcer patch, looks like it's a couple cleanup items.	22:02
*** edmondsw has quit IRC		22:04
lbragstad	sounds good	22:06
lbragstad	i think i made my way through most of that series	22:06
*** edmondsw has joined #openstack-keystone		22:07
lbragstad	kmalloc: we should step through https://review.openstack.org/#/q/topic:bug/1777892+(status:open+OR+status:merged) sometime	22:07
kmalloc	sure.	22:07
kmalloc	lets plan for tomorrow afternoon?	22:08
kmalloc	i have a morning thing	22:08
lbragstad	wfm	22:08
lbragstad	even if it's asynch	22:08
kmalloc	also, i don't know if i could pivot brain today to limits post enforcer	22:08
kmalloc	:P	22:08
lbragstad	that's fair lol	22:08
lbragstad	alright - stepping away for a bit but i'll be back on a little later	22:10
kmalloc	also, you have to admin with self.test_client() as c:	22:10
kmalloc	is a nice way to test the stack	22:10
*** felipemonteiro has joined #openstack-keystone		22:10
*** edmondsw has quit IRC		22:11
*** felipemonteiro_ has joined #openstack-keystone		22:12
*** felipemonteiro has quit IRC		22:12
*** felipemonteiro__ has joined #openstack-keystone		22:13
*** jmlowe has joined #openstack-keystone		22:14
*** felipemonteiro_ has quit IRC		22:17
*** mchlumsky has quit IRC		22:35
*** threestrands has joined #openstack-keystone		22:38
*** threestrands has quit IRC		22:38
*** threestrands has joined #openstack-keystone		22:38
*** blake has joined #openstack-keystone		22:50
*** blake has quit IRC		22:55
*** felipemonteiro__ has quit IRC		23:01
*** nicolasbock has quit IRC		23:06
*** tosky has quit IRC		23:08
*** fiddletwix has joined #openstack-keystone		23:14
*** spilla has quit IRC		23:58

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!