Tuesday, 2018-06-26

kmallocnvm, figured it out00:00
*** josecastroleon has quit IRC00:22
*** josecastroleon has joined #openstack-keystone00:36
*** edmondsw has quit IRC00:37
*** namnh has joined #openstack-keystone00:58
kmalloclbragstad, knikolla, hrybacki, wxy: ^ ready for review. Tests are fully implemented01:30
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/57663901:30
kmalloclbragstad: knikolla wxy hrybacki: ^ erm.. THAT one.01:30
kmalloclbragstad: i also think we need to add a couple more check types to oslo.policy we can discuss tomorrow.01:35
*** gongysh has joined #openstack-keystone01:43
*** harlowja has quit IRC01:46
*** gongysh has quit IRC01:47
*** mordred has quit IRC01:49
*** itlinux has joined #openstack-keystone02:05
*** mordred has joined #openstack-keystone02:07
*** Dinesh_Bhor has joined #openstack-keystone03:01
lbragstadkmalloc: sorry - just got back in03:08
kmalloclbragstad: looks like i have a bug -- part of it doesn't work on py27 (commented in the review)03:11
kmalloclbragstad: i need to figure out how it even works (i think it just is an instantiation behind the scenes)03:13
kmalloclbragstad: ok pushing a change that fixes the py27 failure(s)03:33
kmallocturns out py3 is a lot less picky about what the "self" attribute is :P03:34
kmalloci wonder if that is a bug...03:34
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/57663903:36
*** annp has joined #openstack-keystone03:39
openstackgerritLance Bragstad proposed openstack/keystone master: Don't treat sphinx warnings as errors  https://review.openstack.org/57797403:45
lbragstad^ that should unblock our documentation gate03:45
lbragstadreaching out to the oauth maintainers to see if they would accept a change to fix those in oauthlib, at which point we could consider re-enabling that flag03:46
*** AlexeyAbashkin has joined #openstack-keystone03:47
kmalloclbragstad: ++ yay03:49
kmalloclbragstad: +203:49
kmalloclbragstad: anyway, so i have another change coming in the series to update the scaffolding for flask_restful [should be small-ish]03:50
kmallocand then i get another review to convert an API over. i'm guessing /limits might be the easiest.03:50
kmalloclbragstad: sorry for the 1000 line review in the rbac_enforcer... it's hard to implement something like that in bits.03:53
lbragstadi'm going to review that tomorrow03:53
kmallocbut more than half of those lines is tests. :)03:53
lbragstadi was just about to wrap up the token provider refactor today and hit the rabbit hole with sphinx03:53
lbragstadtomorrow morning i'll finish cleaning up the patches for that refactor and i should be able to do some reviews for office hours03:54
kmallocso, before we land the tokenmodel, i want you to look at https://review.openstack.org/#/c/577655/n03:54
kmallocso, before we land the tokenmodel, i want you to look at https://review.openstack.org/#/c/577655/ *03:54
*** AlexeyAbashkin has quit IRC03:54
*** AlexeyAbashkin has joined #openstack-keystone03:54
kmalloconly because it conflicts with your patch and i think i found a legit bug in the subject-token target population03:55
lbragstadwhats the bug?03:56
lbragstadi read the comment03:57
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/57663904:02
*** AlexeyAbashkin has quit IRC04:04
*** spilla has joined #openstack-keystone04:23
*** dims has quit IRC04:30
*** dims has joined #openstack-keystone04:35
*** pcichy has quit IRC04:45
*** lifeless has joined #openstack-keystone05:16
*** josecastroleon has quit IRC05:32
*** josecastroleon1 has joined #openstack-keystone05:32
*** ispp has joined #openstack-keystone05:33
*** isssp has quit IRC05:36
*** spilla has quit IRC05:41
*** Dinesh_Bhor has quit IRC05:44
*** isssp has joined #openstack-keystone05:53
*** josecastroleon1 has quit IRC05:54
*** ispp has quit IRC05:54
*** ispp has joined #openstack-keystone05:55
*** josecastroleon has joined #openstack-keystone05:55
*** isssp has quit IRC05:58
*** openstackgerrit has quit IRC06:04
*** pcichy has joined #openstack-keystone06:10
*** AlexeyAbashkin has joined #openstack-keystone06:13
*** issp has joined #openstack-keystone06:14
*** Alexey_Abashkin has joined #openstack-keystone06:15
*** Alexey_Abashkin1 has joined #openstack-keystone06:16
*** martinus__ has joined #openstack-keystone06:17
*** AlexeyAbashkin has quit IRC06:18
*** Alexey_Abashkin1 is now known as AlexeyAbashkin06:18
*** Alexey_Abashkin has quit IRC06:19
*** nicolasbock has joined #openstack-keystone06:40
*** peereb has joined #openstack-keystone06:48
*** peereb has quit IRC06:49
*** peereb has joined #openstack-keystone06:49
*** peereb has quit IRC06:50
*** AlexeyAbashkin has quit IRC07:05
*** namnh has quit IRC07:06
*** AlexeyAbashkin has joined #openstack-keystone07:07
*** rcernin has quit IRC07:08
*** gongysh has joined #openstack-keystone07:10
*** tesseract has joined #openstack-keystone07:14
*** aojea_ has joined #openstack-keystone07:18
*** pcaruana has joined #openstack-keystone07:20
*** aojea_ has quit IRC07:20
*** issp has quit IRC07:21
*** openstackgerrit has joined #openstack-keystone07:22
openstackgerritNeha Alhat proposed openstack/keystonemiddleware master: Register session conf options from keystoneauth  https://review.openstack.org/57800807:22
*** issp has joined #openstack-keystone07:27
*** amoralej|off is now known as amoralej07:28
*** tosky has joined #openstack-keystone07:41
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/57780708:26
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/57780708:30
*** jaosorior has quit IRC08:39
*** Dinesh_Bhor has joined #openstack-keystone08:42
*** mvk has quit IRC08:57
*** lifeless has quit IRC09:16
*** aloga has joined #openstack-keystone09:19
*** mvk has joined #openstack-keystone09:24
openstackgerritwangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit  https://review.openstack.org/57602509:25
openstackgerritwangxiyuan proposed openstack/keystone master: Add registered_limit_id column for limit  https://review.openstack.org/57775109:25
*** Dinesh_Bhor has quit IRC09:27
*** qwebirc77170 has joined #openstack-keystone09:53
qwebirc77170hello all. This is Parthiban here.09:54
qwebirc77170Recently I went through OpenStack Security guidelines and I'm trying to implement few of them.09:54
qwebirc77170#auth_timing_attack - I have verified the response time of OpenStack with successful & failed attempts, but I cannot figure out difference in response time to a valid vs a failed authentication attempt.09:54
qwebirc77170Has this feature already implemented in Openstack? I'm using OpenStack Queens. Can some one help on this?09:54
qwebirc77170Hope this is the right forum to post this query. if not, please guide me with this regard.09:54
*** mvk has quit IRC10:05
*** mvk has joined #openstack-keystone10:21
*** jaosorior has joined #openstack-keystone10:29
*** vishakha has joined #openstack-keystone10:50
vishakhapl review https://review.openstack.org/#/c/576433/10:50
*** annp has quit IRC10:58
vishakhalbragstad, Pl review https://review.openstack.org/#/c/576433/11:18
*** issp has quit IRC11:22
qwebirc77170Hello all, Can someone help me out on key revocation system to quickly deactivate potentially compromised keys in OpenStack - https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation11:42
*** issp has joined #openstack-keystone11:51
*** amoralej is now known as amoralej|lunch11:59
*** raildo has joined #openstack-keystone12:12
*** issp has quit IRC12:25
*** issp has joined #openstack-keystone12:33
*** mchlumsky has quit IRC12:33
*** mchlumsky has joined #openstack-keystone12:35
*** edmondsw has joined #openstack-keystone12:58
*** aloga has quit IRC13:02
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/57780713:03
*** frickler has quit IRC13:26
*** frickler has joined #openstack-keystone13:26
*** evrardjp has joined #openstack-keystone13:28
*** evrardjp_ has quit IRC13:30
kmallocqwebirc77170: what can I do to help? :)13:52
kmallocjaosorior: that policy driver bit is looking good.13:53
jaosoriorkmalloc: thanks13:54
jaosoriorkmalloc: still doesn't work properly with inheritance (glance has it's own enforcer object which inherits from oslo_policy's enforcer)13:56
jaosoriorgotta see why13:56
*** amoralej|lunch is now known as amoralej13:58
jaosoriorI thought that the proxy retrieved by "super" would also call __getattribute__... seems it doesn't13:58
*** jaosorior has quit IRC13:59
lbragstadknikolla: are you going to be at the edge meeting tomorrow?14:16
*** wxy| has joined #openstack-keystone14:16
knikollalbragstad: yes.14:16
lbragstadok - cool14:16
lbragstadthe one they are talking about right now14:17
knikollayeah, that's the opnfv one14:17
knikollai also have an item on the keystone meeting agenda for today about fed testing14:17
lbragstadgood deal14:18
*** felipemonteiro has joined #openstack-keystone14:26
*** itlinux has quit IRC14:29
*** felipemonteiro_ has joined #openstack-keystone14:29
*** felipemonteiro has quit IRC14:33
*** josecastroleon has quit IRC14:34
*** josecastroleon has joined #openstack-keystone14:34
*** josecastroleon has quit IRC14:38
*** josecastroleon has joined #openstack-keystone14:42
gagehugolbragstad may be late to the meeting today14:44
kmalloclbragstad: zoom.us thing right now? Or am I missing a different meeting?14:45
lbragstadno - the edge group meeting just ended - it's apparently duplicated in IRC, but i couldn't find the room?14:46
lbragstadthere is an OPNFV meeting tomorrow though14:46
kmalloclbragstad: we holding on the Sphinx change?14:48
kmallocOr are we unblocking by removing -W14:48
lbragstadi'm spinning up an alternate now14:48
lbragstadi'd like to keep treating warnings as error if we can help it14:48
kmallocLet me in +A that one then.14:48
kmallocLeaving the +2s in case we still need it.14:49
*** gongysh has quit IRC14:53
openstackgerritLance Bragstad proposed openstack/keystone master: Override oauthlib docstrings that fail with Sphinx 1.7.5  https://review.openstack.org/57812114:54
lbragstadkmalloc: ^14:54
*** josecastroleon has quit IRC14:59
*** josecastroleon has joined #openstack-keystone14:59
*** AlexeyAbashkin has quit IRC15:01
*** spilla has joined #openstack-keystone15:01
kmalloclbragstad: +2+A15:16
*** itlinux has joined #openstack-keystone15:16
*** felipemonteiro_ has quit IRC15:19
*** felipemonteiro_ has joined #openstack-keystone15:19
*** felipemonteiro has joined #openstack-keystone15:22
*** qwebirc77170 has quit IRC15:22
*** felipemonteiro_ has quit IRC15:24
*** cwright has quit IRC15:31
*** felipemonteiro has quit IRC15:32
*** felipemonteiro has joined #openstack-keystone15:32
*** felipemonteiro_ has joined #openstack-keystone15:33
*** felipemonteiro has quit IRC15:37
*** fiddletwix has quit IRC15:37
*** pcaruana has quit IRC15:42
*** aning_ has joined #openstack-keystone15:47
*** cwright has joined #openstack-keystone15:48
*** gyee has joined #openstack-keystone15:50
aning_Hi, a question regarding to fernet token ... I have two openstackt deployments, bothing using fernet token. The keys for the token are sync-ed. Will tokens issued on one cloud be valid on the other one?15:50
*** dklyle has quit IRC15:50
kmalloclbragstad: failed pep8 because "first line should be imperitive"15:51
kmalloclbragstad: i kindof want to just make the D401 check go away15:51
openstackgerritMorgan Fainberg proposed openstack/keystone master: Override oauthlib docstrings that fail with Sphinx 1.7.5  https://review.openstack.org/57812115:52
*** dklyle has joined #openstack-keystone15:53
lbragstadthanks kmalloc15:54
kmallocits about that time.15:59
*** issp has quit IRC16:01
lbragstadping ayoung, breton, cmurphy, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk16:01
*** gyee has quit IRC16:03
*** jmlowe has quit IRC16:11
*** harlowja has joined #openstack-keystone16:12
aning_Any body any idea about my fernet token question?16:12
lbragstadaning_: if you're replicating the keystone databse between the two, the tokens should work across deployments16:13
aning_and in my deployment, the keystones are NOT active/standby, they are totally different deployment, the user name are the same, but id are different.16:14
aning_yes, that's what I thought and observed ...16:14
lbragstadthen fernet tokens are not going to work across deployments16:14
aning_when keystone verify the token, it actually take the user id out of the token, and check if that's a valid user in its DB16:15
lbragstadeach keystone will be able to unpack the encrypted token payloads, but they won't be able to resolve what's inside (e.g. 404 when looking up the user)16:15
lbragstadaning_: yep - you're correct16:15
aning_for project scoped token, keystone will verify project and the user's role in that project16:16
aning_it's all using id instead of name, so the keystone DBs has to be sync-ed as well.16:17
lbragstadkeystone will pull out the user id and project id from the token and rebuild the user's roles from that information16:17
lbragstadaning_: correct - since ID are guaranteed to be unique16:17
aning_thanks for the confirmation.16:18
lbragstadnames for projects and users are only unique within a specific domain - so there is some namespacing involved there16:18
aning_BTW, any tools or ways to decode a fernet token?16:18
lbragstadyou just want to know what's inside it?16:19
aning_eg, to see the user, project etc in it?16:19
lbragstadi built https://github.com/lbragstad/fernet-inspector a long time ago16:19
lbragstadit's just a hacky script though16:19
lbragstadand it has to be run from a node that has access to the key repository used to create the token16:20
aning_Oh, that's cool. Will check it out.16:20
aning_thanks again16:20
lbragstadno problem16:21
kmallocwant to know something weird... i found out you can pass anything as "self" to a unbound python method in py316:27
kmallocbut in py2 it must be an instance of the method's class (or instance of a subclass)16:27
*** tesseract has quit IRC16:40
*** blake has joined #openstack-keystone16:47
lbragstad#startmeeting keystone-office-hours17:01
openstackMeeting started Tue Jun 26 17:01:30 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.17:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"17:01
*** ChanServ changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"17:01
openstackThe meeting name has been set to 'keystone_office_hours'17:01
kmallocif anyone has questions on the RBACEnforcer, i know it's super dense.17:01
kmallocI can speak to it and a lot of the quirks in our policy code.17:02
lbragstadi'm going to grab lunch quick and i'll be right back17:03
lbragstadknikolla: and i were going to try and tag team a few bugs today17:03
lbragstad#link https://bugs.launchpad.net/keystone/+bug/165864117:04
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)17:04
lbragstad#link https://bugs.launchpad.net/keystone/+bug/175702217:04
openstackLaunchpad bug 1757022 in OpenStack Identity (keystone) ""keystone-manage mapping_purge" ignores --type option" [Undecided,In progress] - Assigned to Dai Hanada (dai-hanada)17:04
lbragstad#link https://bugs.launchpad.net/keystone/+bug/177520717:04
openstackLaunchpad bug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] - Assigned to Pavlo Shchelokovskyy (pshchelo)17:04
*** wxy| has quit IRC17:04
* knikolla going for lunch17:05
kmalloclbragstad: i'm going to try and get the "move an API" patch up today.17:05
kmallocso its easier to see how the flask stuff actually shakes out.17:05
lbragstadthat'd help17:06
*** harlowja has quit IRC17:10
*** felipemonteiro_ has quit IRC17:14
*** felipemonteiro_ has joined #openstack-keystone17:14
*** mvk has quit IRC17:17
*** gyee has joined #openstack-keystone17:20
*** blake has quit IRC17:22
*** blake has joined #openstack-keystone17:22
kmalloclbragstad: yeah, so working on the scaffolding update patches now and then api move will be soon17:23
*** blake has quit IRC17:27
*** blake has joined #openstack-keystone17:33
*** felipemonteiro__ has joined #openstack-keystone17:44
*** felipemonteiro_ has quit IRC17:48
*** felipemonteiro__ has quit IRC17:49
*** felipemonteiro__ has joined #openstack-keystone17:49
*** felipemonteiro has joined #openstack-keystone17:53
*** felipemonteiro__ has quit IRC17:54
*** amoralej is now known as amoralej|off17:56
pas-halbragstad: hi, re bug 1775207, I noticed you've put an 'office-hours' tag on it - wdym and is my attention required/expected?18:01
openstackbug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] https://launchpad.net/bugs/1775207 - Assigned to Pavlo Shchelokovskyy (pshchelo)18:01
*** felipemonteiro has quit IRC18:01
*** felipemonteiro has joined #openstack-keystone18:01
lbragstadpas-ha: we use the office-hours tag as a way to focus on a specific set of bugs or reviews18:01
pas-haoh, ok, just saw it mentioned in the scrollback :)18:02
lbragstadwe had a user come through the channel yesterday and we noticed a few reviews related to keystone-manage that could use some attention18:02
lbragstadi added the tag to it so that we could hopefully get some eyes on it18:02
*** blake has quit IRC18:05
*** blake has joined #openstack-keystone18:06
*** felipemonteiro_ has joined #openstack-keystone18:08
knikollalbragstad: i have a meeting now, but will join you in 1 hr or so for the ldap stuff18:09
lbragstadsounds good - cleaning up one of the patches now, should be ready for review by then18:09
*** blake has quit IRC18:10
*** felipemonteiro has quit IRC18:11
*** jaosorior has joined #openstack-keystone18:13
*** blake has joined #openstack-keystone18:21
*** AlexeyAbashkin has joined #openstack-keystone18:25
*** andy_wrs has joined #openstack-keystone18:26
*** jmlowe has joined #openstack-keystone18:31
*** dmellado has quit IRC18:32
*** blake has quit IRC18:35
*** andy_wrs has quit IRC18:52
*** AlexeyAbashkin has quit IRC19:13
*** AlexeyAbashkin has joined #openstack-keystone19:13
*** AlexeyAbashkin has quit IRC19:14
*** felipemonteiro_ has quit IRC19:15
openstackgerritLance Bragstad proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option  https://review.openstack.org/55439719:15
lbragstadknikolla:  ^ those could be a bit more dry - but they're functional19:16
*** felipemonteiro has joined #openstack-keystone19:19
*** blake has joined #openstack-keystone19:23
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g  https://review.openstack.org/57818920:03
openstackgerritMorgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/57819020:03
openstackgerritMorgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/57819020:04
knikollalbragstad: looking20:10
*** vishakha has quit IRC20:17
*** spilla has quit IRC20:20
*** raildo has quit IRC20:20
knikollalbragstad: looks good to me. +220:28
lbragstadknikolla: cool - thanks20:29
lbragstadi'm a little worried about the duplication20:29
*** vishakha has joined #openstack-keystone20:29
lbragstadbut i'm open to refactoring it if we can find a better way20:30
knikollai generally like tests to be verbose.20:30
knikolladuplication in that case should be fine as it makes it pretty clear what the test is doing.20:31
lbragstadthat's fair20:31
knikollabut that's just my opinion :)20:31
aning_Hi lbragstad, I use your fernet-inspector to inspect a fernent-token, the result is this:20:36
aning_fernet-inspector -k /opt/cgcs/keystone/fernet-keys gAAAAABbMpejHDDFLNkopYu5_PrFMKo16qidKmOXe5NvctVmja1FxqNBglzJcpma5CqiWG9L7YIVHuXlL29KotzdeHdA50IThiPhzKGREGhpVtKHFoRkGHRRHNK9VRpKSQpj7eTaKBDrRDc61NJ46H1Hh2VARmj1kv3andlwZ9ztHUYvipv86Ng20:36
aning_[2, [True, '\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`'], 2, [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X'], 1530045875.0, ['NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;']]20:36
aning_the Audit id from base64.urlsafe_b64encode('NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;') is20:37
aning_And the UUID from  uuid.UUID(bytes='\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`').hex is20:37
aning_ [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X'] in the middel after the second number 2, what is it?20:38
aning_and what's Audit id?20:39
aning_where are user id and project id hidden in the decoded data?20:40
lbragstadthis is going to go into the implementation details a bit20:40
lbragstadbut keystone users different payload classes to pack up the payload before encrypting it20:41
*** blake has quit IRC20:41
lbragstadwhich keeps the two things separate20:41
lbragstad(building of the payload from the thing that actually does the encryption) ]20:41
lbragstadeach payload has a version20:41
*** blake has joined #openstack-keystone20:41
lbragstadwhich is the first thing in the list when you decrypt a token20:42
lbragstadso - in your example, you're dealing with a ProjectScopedPayload because the first element of the list is an integer of 220:42
*** spilla has joined #openstack-keystone20:43
lbragstadthe ProjectScopedPayload returns a tuple which gets used here - https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n15820:43
lbragstadnotice that the version is coming from the payload classes that was used to build the payload20:44
lbragstadthe second integer is a compressed representation of the authentication methods associated with that token20:45
knikollalbragstad: my brain is fried for now. i'll head home and then work on https://review.openstack.org/#/c/487579/ later tonight20:45
lbragstadwe do this instead of passing method: ['password', 'token']20:45
lbragstadknikolla: sounds good20:45
*** blake has quit IRC20:46
lbragstadaning_: because using methods: ['password', 'token'] in a token payload bloats it significantly, so we convert the configured authentication methods to a unique integer that can be reinflated at validation time20:46
lbragstadsee https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/core.py#n4620:47
lbragstadand https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/core.py#n6320:47
*** mvk has joined #openstack-keystone20:47
*** blake has joined #openstack-keystone20:49
*** jmlowe has quit IRC20:51
*** blake has quit IRC20:53
*** martinus__ has quit IRC21:00
*** felipemonteiro has quit IRC21:10
aning_Sorry I was pulled away for while ... these are very valuable information.21:12
aning_but jus from a high level, I saw three hex strings21:12
aning_The first one is UUID, the last one is Audit ID, what's the middle one?21:12
aning_If I guess, it should be password21:15
lbragstadthis is the payload21:16
lbragstador the format of the payload21:16
aning_or token depends on the integer before it, since that integer is the auth method.21:16
lbragstadso version = 221:17
*** jmlowe has joined #openstack-keystone21:17
lbragstadb_user_id is [True, '\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`']21:17
lbragstad2 is the methods21:17
aning_right, version = 2 in my example.21:17
lbragstadb_project_id is [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X']21:17
lbragstadexpires_at_int is 1530045875.021:17
lbragstadand b_audit_ids is ['NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;']21:18
aning_so audit id contains credentials?21:18
lbragstadnope - audit ids are a specific property of a token21:19
aning_probably not, since there is no need for credentials in token ...21:19
aning_Ok got it21:19
lbragstadan audit id is generated whenever you create a token21:19
lbragstadwe call them audit ids because they help us track which tokens are related21:20
lbragstadso - for example21:20
lbragstadif you authenticate for a token using your username and password you'll get back a token21:20
lbragstadwhich will have an audit id21:20
lbragstadif you use that token to reauthenticate for a new token21:20
lbragstadyour new token will contain a list of audit ids, one of which will be the audit id of the first token you authenticated for with your password21:21
lbragstadsince tokens are non-persistent, audit ids help us when a user wants to "delete" a specific token21:22
*** cmurphy_vacation is now known as cmurphy21:22
lbragstadwe can persist the audit id of the deleted token, and flag it as invalid if we ever attempt to validate a token with that audit (decrypted from the token payload)21:22
lbragstadthat's a lot of details about the internal guts of keystone token system... hopefully it makes sense21:25
aning_Yes, it all makes sense ... wouldn't get them anywhere else. Fantastic!21:26
aning_Rather complicated, need time to dig and digest.21:28
kmalloclbragstad: i'm trying to avoid a massive rebase/reset the stack https://review.openstack.org/#/c/577586/21:28
kmallocthats all21:28
aning_Thanks a lot21:28
openstackgerritMorgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/57819021:28
*** jmlowe has quit IRC21:29
kmallocthis stack is a bit unweildy as is.21:29
kmallocjust because it is a LOT of moving parts.21:29
lbragstadaning_: no problem21:29
kmallocand keeping my brain in one place at a given time has been hard, touches a lot of really overly complex parts.21:29
lbragstadkmalloc: do we need this bit though? https://review.openstack.org/#/c/577586/1/requirements.txt21:30
lbragstadshouldn't we be able to get away with just Flask>=1.0.221:31
kmallocwell, we need to adhere to what is in reqirements21:32
kmalloci suck and forgot to remove that part :P21:32
kmalloci dunno if the checker will get cranky or not with removing that21:33
kmalloci know this stack is getting deep =/21:33
kmallocand it's not super easy to follow because of what it touches to begin with21:34
kmallocbut fwiw, the "dummy API" will be stood up in https://review.openstack.org/#/c/578190/ [the full end-to-end test]21:34
kmallocnow that I have json_home scaffolding in place.21:35
kmallocfwiw, my brain is fried as hell working on these now =/ testing the RBACEnforcer took 3 days to write the tests.21:35
lbragstadthe good thing is that most of the stack leading up to that looks good21:36
lbragstadat least IMO21:36
lbragstadgetting those through the gate will give us time to parse the RBACEnforcer change21:37
*** lifeless has joined #openstack-keystone21:38
kmallocthe NITs on the 404/418 one, do you want me to fix and rebase or as a side-addendum patch21:39
lbragstadi'm not sure i have a solution for it...21:39
lbragstadi'm not sure what the fix would be, it was just a concern21:39
kmalloci meant the other nits21:39
kmallocthe 418 bit, i can pick another status_code [any]21:39
kmalloci also added the expressive comment to explain this is a testing-only-thing and what it means21:40
kmallocright below your review-comment (the code-comment is expressive that is)21:40
lbragstadthat one is pretty late in the chain21:40
lbragstadif you rebase it's only going to affect 4 patches, right?21:41
kmallocyeh, the enforcer patch and the newest ones on top of it21:42
kmalloci am hesitant to rebase the enforcer if people are actively reviewing...21:42
lbragstadoh - sure21:42
kmallocbut i also realize that is unlikely with the current preceeding patches not fully reviewed21:42
lbragstadi'm just about to wrap up my review of the RBACEnforcer patch21:43
kmalloci'll add an addendum patch to the 418 one to address the nits and we can swap out the expected_status bit to a different code if we want at anytime21:43
kmallocit's 2 lines to swap to someting else... 4 if you count the comment and the error msg21:44
*** rcernin has joined #openstack-keystone21:47
openstackgerritMorgan Fainberg proposed openstack/keystone master: Address minor comments to 404 error detection  https://review.openstack.org/57821621:48
*** itlinux has quit IRC21:54
*** afazekas has quit IRC21:56
*** afazekas has joined #openstack-keystone21:59
*** openstack changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"22:00
openstackMeeting ended Tue Jun 26 21:59:57 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:00
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-06-26-17.01.html22:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-06-26-17.01.txt22:00
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-06-26-17.01.log.html22:00
kmalloclbragstad: responded to your comments22:02
kmallocon the enforcer patch, looks like it's a couple cleanup items.22:02
*** edmondsw has quit IRC22:04
lbragstadsounds good22:06
lbragstadi think i made my way through most of that series22:06
*** edmondsw has joined #openstack-keystone22:07
lbragstadkmalloc: we should step through https://review.openstack.org/#/q/topic:bug/1777892+(status:open+OR+status:merged) sometime22:07
kmalloclets plan for tomorrow afternoon?22:08
kmalloci have a morning thing22:08
lbragstadeven if it's asynch22:08
kmallocalso, i don't know if i could pivot brain today to limits post enforcer22:08
lbragstadthat's fair lol22:08
lbragstadalright - stepping away for a bit but i'll be back on a little later22:10
kmallocalso, you have to admin with self.test_client() as c:22:10
kmallocis a nice way to test the stack22:10
*** felipemonteiro has joined #openstack-keystone22:10
*** edmondsw has quit IRC22:11
*** felipemonteiro_ has joined #openstack-keystone22:12
*** felipemonteiro has quit IRC22:12
*** felipemonteiro__ has joined #openstack-keystone22:13
*** jmlowe has joined #openstack-keystone22:14
*** felipemonteiro_ has quit IRC22:17
*** mchlumsky has quit IRC22:35
*** threestrands has joined #openstack-keystone22:38
*** threestrands has quit IRC22:38
*** threestrands has joined #openstack-keystone22:38
*** blake has joined #openstack-keystone22:50
*** blake has quit IRC22:55
*** felipemonteiro__ has quit IRC23:01
*** nicolasbock has quit IRC23:06
*** tosky has quit IRC23:08
*** fiddletwix has joined #openstack-keystone23:14
*** spilla has quit IRC23:58

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!