Friday, 2018-10-05

[00:12] openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Avoid using dict.get() in assertions https://review.openstack.org/607463
[00:17] *** pooja_jadhav has quit IRC
[00:23] vishakha: kmalloc: Ok. I think I should wait for the controller to be removed then. Thanks.
[00:27] *** rcernin has quit IRC
[00:29] *** rcernin has joined #openstack-keystone
[00:29] *** pooja_jadhav has joined #openstack-keystone
[00:35] kmalloc: vishakha: might be easier
[00:52] *** devx has quit IRC
[01:03] *** tbharath has joined #openstack-keystone
[01:03] tbharath: kmalloc, Hi
[01:05] kmalloc: tbharath: hello
[01:05] tbharath: am novice in ssl area. If I want to make openstack SSL based, is it enough to make keystone alone https or we have to make all services https based?
[01:05] kmalloc: i recommend TLS for all services
[01:06] kmalloc: the use of bearer tokens means that if someone can sniff the traffic, they could collect and use your token to perform actions on your behalf
[01:06] kmalloc: SSL/TLS for everything is the best bet.
[01:07] tbharath: okay ... is there a documentation to make Queens setup TLS based?
[01:16] *** dave-mccowan has quit IRC
[01:17] *** tbharath has quit IRC
[01:20] *** felipemonteiro has joined #openstack-keystone
[01:23] *** Dinesh_Bhor has joined #openstack-keystone
[01:36] *** felipemonteiro has quit IRC
[01:36] *** felipemonteiro has joined #openstack-keystone
[01:41] *** Dinesh_Bhor has quit IRC
[01:45] *** edmondsw has joined #openstack-keystone
[01:49] *** Dinesh_Bhor has joined #openstack-keystone
[02:01] *** gyee has quit IRC
[02:05] *** itlinux has joined #openstack-keystone
[02:17] *** felipemonteiro has quit IRC
[02:22] *** devx has joined #openstack-keystone
[03:01] *** annp has joined #openstack-keystone
[03:10] *** sapd1 has quit IRC
[03:10] *** sapd1 has joined #openstack-keystone
[03:12] *** felipemonteiro has joined #openstack-keystone
[03:15] vishakha: kmalloc, cmurphy: According to the follow up comment for adding 'date' for purging flush, I have uploaded a new patch set https://review.openstack.org/#/c/607897/.
[03:57] *** Dinesh_Bhor has quit IRC
[04:42] *** rcernin has quit IRC
[04:46] *** rcernin has joined #openstack-keystone
[04:52] *** kukacz has quit IRC
[04:52] *** jdennis has quit IRC
[04:52] *** openstackgerrit has quit IRC
[04:52] *** d0ugal has quit IRC
[04:54] *** shyamb has joined #openstack-keystone
[04:57] *** kukacz has joined #openstack-keystone
[04:57] *** jdennis has joined #openstack-keystone
[04:57] *** openstackgerrit has joined #openstack-keystone
[04:57] *** d0ugal has joined #openstack-keystone
[05:01] *** shyamb has quit IRC
[05:03] *** felipemonteiro has quit IRC
[05:07] *** shyamb has joined #openstack-keystone
[05:22] *** shyamb has quit IRC
[05:34] *** aojea has joined #openstack-keystone
[05:35] *** shyamb has joined #openstack-keystone
[05:47] *** shyamb has quit IRC
[05:51] *** aojea has quit IRC
[05:56] *** Emine has quit IRC
[06:01] *** shyamb has joined #openstack-keystone
[06:15] *** shyamb has quit IRC
[06:15] *** shyamb has joined #openstack-keystone
[06:40] *** markvoelker has joined #openstack-keystone
[06:43] *** aojea has joined #openstack-keystone
[06:45] *** markvoelker has quit IRC
[06:57] *** pcaruana has joined #openstack-keystone
[07:04] *** rcernin has quit IRC
[07:16] *** shyamb has quit IRC
[07:28] *** shyamb has joined #openstack-keystone
[08:01] *** shyamb has quit IRC
[08:21] *** cfriesen has quit IRC
[08:41] *** markvoelker has joined #openstack-keystone
[08:44] *** aojea has quit IRC
[08:50] *** aojea has joined #openstack-keystone
[08:58] *** shyamb has joined #openstack-keystone
[09:04] *** pjrusak has quit IRC
[09:04] *** pjrusak has joined #openstack-keystone
[09:15] *** markvoelker has quit IRC
[09:28] openstackgerrit: Merged openstack/keystone-specs master: fix tox python3 overrides https://review.openstack.org/606643
[09:31] openstackgerrit: Merged openstack/oslo.limit master: Use openstackdocstheme for documentation https://review.openstack.org/600866
[09:32] *** Emine has joined #openstack-keystone
[09:44] *** shyamb has quit IRC
[09:45] *** paiboinaritesh has joined #openstack-keystone
[09:45] paiboinaritesh: hello
[09:45] paiboinaritesh: I was checking this document https://developer.openstack.org/api-ref/identity/v3/
[09:46] paiboinaritesh: There are several sections in this page with heading "What’s New ....."
[09:47] paiboinaritesh: how to know which version belongs to which openstack release, for example what is the version for keystone in Ocata release in that page
[09:47] paiboinaritesh: can any please share information on this topic
[09:47] paiboinaritesh: *anyone
[09:47] *** shyamb has joined #openstack-keystone
[09:55] *** shyamb has quit IRC
[09:59] kmalloc: vishakha: ++ nice!
[10:03] *** shyamb has joined #openstack-keystone
[10:04] cmurphy: paiboinaritesh: I don't have a great answer but those numbers correspond to the version number that will be returned when you query the version API, e.g. GET http://keystone/v3 so if you know you have ocata then you can see what API version it reports
[10:04] cmurphy: kmalloc: good morning
[10:05] *** sheel has joined #openstack-keystone
[10:10] paiboinaritesh: @cmurphy I am comparing API changes between openstack releases. Like what has changed b/w mitaka and newton ...b/w newton and ocata . So I was wondering what could be the best way to know that
[10:12] *** markvoelker has joined #openstack-keystone
[10:17] *** Emine has quit IRC
[10:18] *** shyamb has quit IRC
[10:24] *** itlinux has quit IRC
[10:25] kmalloc: cmurphy: Allo. 3am... And I am toooooo awake.
[10:25] kmalloc: cmurphy: :)
[10:36] openstackgerrit: Colleen Murphy proposed openstack/keystone master: Add release names to api-ref https://review.openstack.org/608212
[10:37] paiboinaritesh: cmurphy: Thank you
[10:38] cmurphy: paiboinaritesh: yw
[10:42] openstackgerrit: Colleen Murphy proposed openstack/keystone master: Add 3.11 summary to api-ref https://review.openstack.org/608216
[10:44] *** markvoelker has quit IRC
[10:51] *** shyamb has joined #openstack-keystone
[10:53] *** annp has quit IRC
[11:36] openstackgerrit: Merged openstack/keystonemiddleware master: Respect delay_auth_decision when Keystone is unavailable https://review.openstack.org/600862
[11:41] *** markvoelker has joined #openstack-keystone
[12:07] *** felipemonteiro has joined #openstack-keystone
[12:12] openstackgerrit: Merged openstack/python-keystoneclient master: Use templates for cover and lower-constraints https://review.openstack.org/600692
[12:12] openstackgerrit: Merged openstack/python-keystoneclient master: Import legacy keystoneclient-dsvm-functional https://review.openstack.org/604868
[12:15] *** markvoelker has quit IRC
[12:32] *** aojea has quit IRC
[12:34] *** sheel has quit IRC
[12:36] *** aojea has joined #openstack-keystone
[12:37] *** paiboinaritesh has quit IRC
[12:41] *** aojea has quit IRC
[12:55] *** shyamb has quit IRC
[12:58] *** dims_ has quit IRC
[13:03] *** mchlumsky has joined #openstack-keystone
[13:15] *** dave-mccowan has joined #openstack-keystone
[13:21] *** dave-mccowan has quit IRC
[13:30] *** pjrusak has quit IRC
[13:57] *** felipemonteiro has quit IRC
[14:20] *** dansmith is now known as SteelyDan
[14:55] gagehugo: o/
[15:23] *** Emine has joined #openstack-keystone
[15:24] *** gyee has joined #openstack-keystone
[15:27] *** bnemec is now known as beekneemech
[15:39] *** pcaruana has quit IRC
[15:50] *** cwright has joined #openstack-keystone
[15:52] *** ayoung has joined #openstack-keystone
[15:57] *** mchlumsky has quit IRC
[15:58] ayoung: cmurphy, so, I realize I was using the Hardcore definition of capabilities, as opposed to POSIX/Linux definition of Capabilities. https://en.wikipedia.org/wiki/Capability-based_security
[15:59] ayoung: What we are proposing is a lot like the Posix one, so I propose we call the URLs capability and capabilities and drop the templates.
[15:59] ayoung: https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/capabilities-app-creds.html
[15:59] ayoung: so instead of "capability_template": { we would have "capability": {
[16:00] ayoung: and so on. We can update the spec, and simplify the impl. Work for you?
[16:03] cmurphy: ayoung: the template part is because there are substitutions in the strings
[16:03] cmurphy: ayoung: joining a meeting right now, might be in and out
[16:04] ayoung: cmurphy, yeah. I was thinking about that, though, and I think I've come to the conclusion that the templated form is what matches the posix definition
[16:04] ayoung: like, that is what you assign...so we can drop the template from it, as that is just an implementation detail. Make sense?
[16:05] ayoung: I think I originally stuck the term template in there when we were talking routes, and that was a template object
[16:05] ayoung: whereas here...I think we can go simpler.
[16:07] cmurphy: ayoung: my other worry is the name "capability" is a pretty overloaded word, if we change the endpoint name to /v3/capabilities then we conflict with this idea https://review.openstack.org/547162
[16:13] *** itlinux has joined #openstack-keystone
[16:16] ayoung: cmurphy, I think that is the same idea
[16:17] ayoung: cmurphy, these capabilities would be from other services. Those would explicitly be the ones from keystone
[16:17] ayoung: but...I see your concern. We use the good url there
[16:18] ayoung: cmurphy, somehow I don't think lbrags is going to be in any state to discuss it any time soon
[16:18] cmurphy: ayoung: i guess you're right it's sort of the same thing
[16:19] cmurphy: ayoung: agreed on that, but would be good to be forward-thinking
[16:19] cmurphy: ayoung: there's also the other type of capabilities as in what features are enabled for a service
[16:22] ayoung: cmurphy, yeah. I'm not sure that we should use the terms interchangeably, but if we are going to use it in the "enabled" sense, we should change it for the "permissions" sense
[16:22] ayoung: security is "what am I capable of accessing" whereas the other is "what is this service endpoint capable of performing"
[16:23] ayoung: we could call ours mini-roles. Rolettes, if you will.
[16:24] cmurphy: lol
[16:25] cmurphy: ayoung: i don't have any major objection to omitting the template part, just poking holes
[16:31] ayoung: cmurphy, I think that the -template part won't mitigate the confusion with the capabilities API. And, I think the term capabilities in the non-security meaning is going to be hard to change, so we should accept that and modify our term.
[16:31] ayoung: I'll stick with routes for now
[16:31] cmurphy: ok
[16:31] kmalloc: cmurphy: (see pic)
[16:32] kmalloc: https://usercontent.irccloud-cdn.com/file/L7yDVvBE/sad+pupper.jpg
[16:32] ayoung: kmalloc, neutering time?
[16:33] cmurphy: kmalloc: sad pup :'(
[16:33] kmalloc: Spay
[16:33] kmalloc: But yes.
[16:33] * cmurphy -> friday things
[16:42] *** pcaruana has joined #openstack-keystone
[16:43] *** ayoung has quit IRC
[16:46] *** dims has joined #openstack-keystone
[16:50] *** pcaruana has quit IRC
[17:41] *** felipemonteiro has joined #openstack-keystone
[17:49] *** felipemonteiro has quit IRC
[17:53] openstackgerrit: Doug Hellmann proposed openstack/keystone master: change the dist name to 'openstack-keystone' https://review.openstack.org/608331
[18:06] *** felipemonteiro has joined #openstack-keystone
[18:10] *** ayoung has joined #openstack-keystone
[18:10] ayoung: cmurphy, I was going to propose that we call them URNs (Names) but that includes the hostname, just not the protocol
[18:11] ayoung: so, maybe SubURNs, but, again, that does not include the Templatization
[18:11] ayoung: routes was taken from the python API.
[18:21] ayoung: kmalloc, I +2ed the auth patch. I think all of the errors we've seen thus far have been transitory. A lot of work is stacked up behind that one.
[18:22] *** imacdonn has quit IRC
[18:22] *** imacdonn has joined #openstack-keystone
[18:30] kmalloc: ayoung: thanks
[18:30] kmalloc: ayoung: also ++ on URN
[18:30] kmalloc: ayoung: hopefully i'll get users and projects rebased, then can finish up / close the cycle on the flask stuff
[18:31] ayoung: kmalloc, is it OK to abuse the term URN that way?
[18:31] kmalloc: i don't see a problem with it
[18:31] kmalloc: :)
[18:31] ayoung: Maybe RRN for Relative Resource Name?
[18:31] kmalloc: RRN is probably better
[18:31] kmalloc: and i can't think of someone using RRN before, so it is def. not overloaded
[18:32] ayoung: RRNT
[18:32] kmalloc: or at least it is minimally used.
[18:32] ayoung: Relative Resource Name Template. Pronounced like RUNT
[18:32] kmalloc: wfm.
[18:32] kmalloc: i really like that tbh
[18:32] kmalloc: so RRN (Run) and RRNT (Runt)
[18:32] kmalloc: that's good.
[18:33] kmalloc: and pretty unique
[18:33] * ayoung struggling not to make a Run DMC pun
[18:33] kmalloc: DO IT
[18:33] kmalloc: ;)
[18:34] * kmalloc runs off to take care of... a thing.
[18:34] kmalloc: be back in a few.
[18:34] kmalloc: ayoung: also, looks like we can't use keycloak for Infra, it appears keycloak doesn't talk OpenID 2.0, just OIDC
[18:34] kmalloc: and we need OpenID and OIDC =/
[18:34] ayoung: Rapture
[18:35] kmalloc: meaning i'll be looking at writing a small python identity broker until we can see about bringing keystone up to par.
[18:35] kmalloc: (flask based, simple, translate identity source -> identity source for pool of SPs.
[18:36] kmalloc: it all comes down to ubuntu one doesn't talk OIDC.
[18:36] kmalloc: and we need to front it as well as openstackid.
[18:36] kmalloc: (blah)
[18:38] ayoung: so we need an OIDC library for python to do that, right?
[18:38] ayoung: er
[18:39] ayoung: OpenID 2.0
[18:39] kmalloc: there is one
[18:40] ayoung: Oh, I figured there was
[18:40] kmalloc: authlib does it afaict
[18:40] kmalloc: (might be issues with the license)
[18:40] ayoung: kmalloc, what about adding it to Ipsilon
[18:40] kmalloc: but there is also some flask-specific extensions for oidc/oid
[18:41] kmalloc: possible. it might simply be a single IDP broker that does OID->OIDC and then use keycloak
[18:41] kmalloc: for the time being
[18:41] ayoung: I bet we could enlist cheims to help
[18:41] kmalloc: ipsilon was very very very rough around the edges last i looked.
[18:41] kmalloc: like... mostly not usable
[18:41] ayoung: We had it working
[18:41] kmalloc: working and full featured are two different things
[18:41] ayoung: jamielennox, and I did the whole Keystone integration with it via SAML back a couple year
[18:41] ayoung: s
[18:42] kmalloc: full featured enough for production use*
[18:42] ayoung: It's Fedora Account Services
[18:43] kmalloc: it looks like it might suffer from the same issues keycloak does.
[18:43] ayoung: https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/openid
[18:43] ayoung: how could I tell if that was 2.0?
[18:44] ayoung: from openid.server.server import ProtocolError, EncodingError
[18:44] kmalloc: ah it looks ok
[18:44] kmalloc: yeah oid is 2.0 in like 2007
[18:44] kmalloc: so i would be shocked if it supported OID and not OID 2.0
[18:44] kmalloc: i'll poke at ipsilon it might work as a broker
[18:44] kmalloc: thnx
[18:45] ayoung: kmalloc, the rippowam code is old, but I bet we could resurrect, too...
[18:45] ayoung: https://github.com/admiyo/rippowam/tree/master/roles/ipsilonserver
[18:46] ayoung: 2015...boy time does pass doesn't it
[18:46] ayoung: kmalloc, a secondary win would be if we could tie in to FAS for stuff...
[18:49] *** felipemonteiro has quit IRC
[18:54] openstackgerrit: Andreas Jaeger proposed openstack/keystone master: Follow Zuul job rename https://review.openstack.org/608337
[18:59] *** raildo has quit IRC
[18:59] *** raildo has joined #openstack-keystone
[19:14] *** felipemonteiro has joined #openstack-keystone
[19:24] *** dave-mccowan has joined #openstack-keystone
[19:30] *** felipemonteiro has quit IRC
[19:47] *** Emine has quit IRC
[20:22] *** raildo has quit IRC
[20:26] openstackgerrit: Gage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate https://review.openstack.org/531014
[20:36] openstackgerrit: Gage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate https://review.openstack.org/531014
[21:50] *** itlinux has quit IRC
[22:12] *** aojea has joined #openstack-keystone
[22:19] *** itlinux has joined #openstack-keystone
[22:22] *** itlinux has quit IRC
[22:44] *** cfriesen has joined #openstack-keystone
[22:45] *** aojea has quit IRC
[23:00] *** jmlowe has quit IRC
[23:03] *** jmlowe has joined #openstack-keystone
[23:17] *** aojea has joined #openstack-keystone
[23:24] *** felipemonteiro has joined #openstack-keystone
[23:31] *** gyee has quit IRC
[23:51] *** aojea has quit IRC
[23:56] *** felipemonteiro has quit IRC
