Tuesday, 2014-05-06

gyee	locked?	00:01
jamielennox	anyway, every time i've tried to convert a client i've ended up needing something like that, but you can always just implement what you need of it within barbican for now	00:01
jamielennox	the -SDK project is doing a 'presentation' layer so that you can abstract things like JSON vs XML	00:01
openstackgerrit	guang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes. https://review.openstack.org/84945	00:02
jamielennox	i don't consider service_type etc to be part of the 'presentation', but it's similar	00:02
jamielennox	gyee: also IMO, barbican shouldn't make it's own shell - it should just use OSC	00:03
jamielennox	i wrote a plugin for OSC the other day, it's not well explained but it's not that hard to figure out	00:03
gyee	jamielennox, does OCS allow all the keystone v3 args now?	00:04
jamielennox	gyee: it has the v3 CRUD operaions	00:04
jamielennox	i'm not sure about v3 auth	00:04
gyee	jamielennox, looks like it has the v3 auth args	00:13
gyee	https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L138	00:14
jamielennox	gyee: https://github.com/jamielennox/python-kiteclient/blob/testing/kiteclient/cli/v1.py is what i needed to create an external plugin to OSC	00:15
jamielennox	also the setup.cfg file	00:15
*** marcoemorais has quit IRC		00:16
gyee	jamielennox, I'll probably need to break it up into two patches	00:17
gyee	one for keystoneclient integration, and the other for OSC integration	00:17
*** marcoemorais has joined #openstack-keystone		00:18
jamielennox	gyee: yea, two very different issues, i was just looking through the comments on that review	00:18
bknudson	dstanek: ever get this running tox -e py33 -- db type could not be determined	00:18
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions https://review.openstack.org/81146	00:22
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog https://review.openstack.org/74599	00:22
*** dims has joined #openstack-keystone		00:24
*** nkinder has joined #openstack-keystone		00:25
dstanek	bknudson: in server or client?	00:27
bknudson	dstanek: client	00:27
dstanek	bknudson: i have not, but i'll try it a few times now	00:28
dstanek	do you get a stacktrace?	00:28
bknudson	ah, I removed .testrepository	00:28
*** gokrokve has joined #openstack-keystone		00:28
bknudson	now it seems to be working.	00:28
bknudson	prints out a bunch of stuff that py27 doesn't	00:29
bknudson	signing_dir mode is 0o775 instead of 0o700	00:29
bknudson	and was able to recreate the error	00:29
bknudson	for some reason I can't run a test by itself.	00:32
jamielennox	gyee: commented: https://review.openstack.org/#/c/84945/	00:37
dstanek	bknudson: you can't run any of them?	00:40
bknudson	dstanek: they're running now that I deleted .testrepository	00:40
bknudson	dstanek: I can run all the tests but can't run a test by itself.	00:40
dstanek	bknudson: i'm recreating venv now to play around a little bit	00:41
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator 2640847 https://review.openstack.org/92228	00:41
bknudson	dstanek: this worked on my system ^	00:41
bknudson	added a decode()	00:41
*** serverascode has quit IRC		00:42
*** serverascode has joined #openstack-keystone		00:43
dstanek	just got the same 'db type could not be determined' error	00:45
bknudson	dstanek: rm -r .testrepository	00:45
*** shakamunyi has joined #openstack-keystone		01:05
*** amcrn has quit IRC		01:09
gyee	jamielennox, thanks, another patch coming :)	01:13
gyee	jamielennox, you want a separate patch just for this? https://review.openstack.org/#/c/84945/8/keystone/auth/core.py	01:14
jamielennox	gyee: i assumed it was a mistake	01:14
jamielennox	you probably should it's not related to what you're doing	01:14
gyee	I just corrected a typo	01:14
*** zhiyan_ is now known as zhiyan		01:15
gyee	don't feel like creating a bug and everything	01:15
*** rodrigods has joined #openstack-keystone		01:15
*** shakayumi has joined #openstack-keystone		01:15
*** shakamunyi has quit IRC		01:18
openstackgerrit	guang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes. https://review.openstack.org/84945	01:19
*** dims has quit IRC		01:26
*** marcoemorais has quit IRC		01:30
jamielennox	i don't think you need bugs for that sort of thing	01:39
*** sbfox has joined #openstack-keystone		01:41
openstackgerrit	Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325	01:49
*** jimbaker has quit IRC		01:56
ayoung	bknudson, so...the revocation list for compressed is going to be a pain in the tuchus to implement	01:57
ayoung	I didn't plan on compressing the revocation list, but in order to generate it, I'll need to generate the tokens first, and then sign them, and then generate the revocation list	01:57
*** diegows has quit IRC		01:58
ayoung	question is whether I should bother compressing the revocation list, too	01:58
jamielennox	ayoung: isn't the 'id' based on the token that was issued?	01:59
ayoung	jamielennox, its a hash of it, yes	01:59
jamielennox	so if that's compressed then it should work the same way	01:59
ayoung	jamielennox, but not of the raw data	01:59
ayoung	oh, yeah, it will work the same way	01:59
jamielennox	as in if you take the hash of the compressed token	01:59
ayoung	its just the order of generating things in the example code.	02:00
ayoung	All of the old code was in shell script	02:00
ayoung	I am not even sure where the revocation list came from, but it looks hand jammed	02:00
jamielennox	for testing you mean?	02:00
ayoung	jamielennox, what the order needs to be is : sign the tokens, generate the revocation list, sign the revocation list	02:00
ayoung	jamielennox, yeah	02:00
ayoung	I can't just add the revocation list to the things to sign, because the signed data is different every time	02:01
*** sbfox has quit IRC		02:03
ayoung	jamielennox, so it would make more sense to generate the complete revocation list for the compressed token, and then to used the compressed list for compressed tokens and then uncompressed list for uncompressed tokens, but then reqaaly we should test the reverse too...and it is a big pain in the tuchas	02:06
jamielennox	ayoung: why don't you just do some compressed and some not	02:07
ayoung	jamielennox, "just?"	02:08
jamielennox	i'm going to put a filter on IRC for that sort of word	02:08
jamielennox	not sure what i do in person yet	02:08
ayoung	jamielennox, because I am in a state where I need to mix shell with python, or rewrite my shell in python	02:08
ayoung	and I don't want to do that	02:09
ayoung	I want to get this patch in, not cause more churn	02:09
jamielennox	so it's the generating of the list which is the issue?	02:11
ayoung	so, to do that, I guess I inject the pkiz signature (md5) into the revocation list and sign with cms....but I swear someone is going to complain about that hack when the review the code in examples	02:11
jamielennox	you might need to store everything in the shell variables	02:11
jamielennox	why, it's just another id in the list?	02:12
ayoung	I think I am just going to generate the whole list on the fly, both pkiz and pki format.	02:12
jamielennox	right, you'll need to construct JSON in bash but it's not too bad	02:12
ayoung	nah, I'll do it in python	02:12
jamielennox	it doesn't have to be pretty json	02:13
*** mberlin has joined #openstack-keystone		02:13
jamielennox	the downside of doing it in python is the code is going to be almost exactly the same as the code you're testing	02:14
*** mberlin1 has quit IRC		02:14
jamielennox	but given that we shell out to openssl that could be said of the current stuff	02:14
*** richm has quit IRC		02:15
*** bach has quit IRC		02:23
*** rodrigods has quit IRC		02:25
*** dims has joined #openstack-keystone		02:28
*** zhiyan is now known as zhiyan_		02:37
openstackgerrit	Richard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values https://review.openstack.org/76002	02:46
*** morganfainberg is now known as morganfainberg_Z		02:46
*** praneshp_ has joined #openstack-keystone		02:49
*** praneshp has quit IRC		02:50
*** praneshp_ is now known as praneshp		02:50
*** daneyon has quit IRC		02:53
*** sbfox has joined #openstack-keystone		02:53
*** daneyon has joined #openstack-keystone		02:53
*** shakayumi has quit IRC		02:58
ayoung	git rebase origin/hamster	02:59
*** bach has joined #openstack-keystone		03:05
*** praneshp has quit IRC		03:13
*** sbfox has quit IRC		03:14
*** xianghui has joined #openstack-keystone		03:14
*** dims has quit IRC		03:17
*** sbfox has joined #openstack-keystone		03:18
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation https://review.openstack.org/71181	03:34
*** daneyon has quit IRC		03:39
*** harlowja is now known as harlowja_away		03:39
*** daneyon has joined #openstack-keystone		03:39
*** harlowja_away is now known as harlowja		03:45
*** ayoung has quit IRC		03:48
*** xianghui has quit IRC		03:51
*** xianghui has joined #openstack-keystone		03:58
*** marcoemorais has joined #openstack-keystone		04:05
*** sbfox has quit IRC		04:05
*** dstanek is now known as dstanek_zzz		04:08
*** dstanek_zzz is now known as dstanek		04:14
*** chandan_kumar has joined #openstack-keystone		04:20
*** chandan_kumar is now known as chandankumar		04:26
*** kfox1111 has quit IRC		04:33
*** daneyon has quit IRC		04:45
*** sbfox has joined #openstack-keystone		04:49
*** gabriel-bezerra is now known as gabriel-bezerra_		04:53
*** gyee has quit IRC		05:05
*** praneshp has joined #openstack-keystone		05:20
*** harlowja is now known as harlowja_away		05:22
*** toddnni has joined #openstack-keystone		05:24
*** praneshp_ has joined #openstack-keystone		05:26
*** praneshp has quit IRC		05:27
*** praneshp_ is now known as praneshp		05:27
*** dstanek is now known as dstanek_zzz		05:30
*** gokrokve has quit IRC		05:41
*** tomoiaga has joined #openstack-keystone		05:45
*** dstanek_zzz has quit IRC		05:53
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:01
*** gokrokve has joined #openstack-keystone		06:12
*** gokrokve has quit IRC		06:16
*** tomoiaga has quit IRC		06:20
*** sbfox has quit IRC		06:26
*** praneshp has quit IRC		06:28
*** bach has quit IRC		06:28
*** tomoiaga has joined #openstack-keystone		06:31
*** tomoiaga has quit IRC		06:32
*** sbfox has joined #openstack-keystone		06:33
*** sbfox has quit IRC		06:38
*** Abhijeet has joined #openstack-keystone		06:44
*** tomoiaga has joined #openstack-keystone		06:44
*** leseb has joined #openstack-keystone		06:47
*** stevemar has quit IRC		06:49
*** Manishanker has joined #openstack-keystone		07:11
*** gokrokve has joined #openstack-keystone		07:12
*** leseb has quit IRC		07:15
*** gokrokve has quit IRC		07:17
*** marcoemorais has quit IRC		07:19
*** jamielennox is now known as jamielennox\|away		07:29
*** jaosorior has joined #openstack-keystone		07:42
*** andreaf has joined #openstack-keystone		07:59
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter https://review.openstack.org/90656	07:59
*** andreaf has quit IRC		08:00
*** marekd\|away is now known as marekd		08:00
*** andreaf has joined #openstack-keystone		08:01
*** andreaf_ has joined #openstack-keystone		08:02
*** andreaf_ has quit IRC		08:03
*** andreaf has quit IRC		08:05
*** leseb has joined #openstack-keystone		08:06
*** gokrokve has joined #openstack-keystone		08:13
*** gokrokve has quit IRC		08:17
*** ekarlso has quit IRC		08:29
*** ekarlso has joined #openstack-keystone		08:29
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method https://review.openstack.org/88517	08:31
*** gokrokve has joined #openstack-keystone		09:14
*** gokrokve has quit IRC		09:18
*** xianghui has quit IRC		09:31
*** xianghui has joined #openstack-keystone		09:37
*** morganfainberg_Z has quit IRC		09:50
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor create_trust for readability https://review.openstack.org/90943	09:57
*** morganfainberg_Z has joined #openstack-keystone		09:59
openstackgerrit	A change was merged to openstack/python-keystoneclient: Synced jsonutils from oslo-incubator https://review.openstack.org/91080	10:03
*** gokrokve has joined #openstack-keystone		10:14
*** gokrokve has quit IRC		10:19
*** andreaf has joined #openstack-keystone		10:19
*** leseb has quit IRC		10:20
*** leseb has joined #openstack-keystone		10:21
*** jimbaker has joined #openstack-keystone		10:23
*** jimbaker has quit IRC		10:23
*** jimbaker has joined #openstack-keystone		10:23
*** leseb has quit IRC		10:25
*** bvandenh has joined #openstack-keystone		10:46
*** bvandenh has quit IRC		10:52
*** bvandenh has joined #openstack-keystone		10:52
*** xianghui has quit IRC		10:53
*** bvandenh has quit IRC		10:53
*** bvandenh has joined #openstack-keystone		10:54
*** bvandenh has quit IRC		10:54
*** bvandenh has joined #openstack-keystone		10:55
*** bvandenh has quit IRC		10:57
*** bvandenh has joined #openstack-keystone		10:57
*** bvandenh has quit IRC		11:05
*** leseb has joined #openstack-keystone		11:07
*** diegows has joined #openstack-keystone		11:12
*** leseb has quit IRC		11:12
*** dims_ has joined #openstack-keystone		11:12
*** gokrokve has joined #openstack-keystone		11:15
*** bvandenh has joined #openstack-keystone		11:18
*** gokrokve has quit IRC		11:20
*** leseb has joined #openstack-keystone		11:29
*** leseb has quit IRC		11:31
*** leseb has joined #openstack-keystone		11:31
*** leseb has quit IRC		11:35
*** Abhijeet has quit IRC		11:38
*** leseb has joined #openstack-keystone		11:43
*** leseb has quit IRC		11:44
*** leseb has joined #openstack-keystone		11:44
*** andreaf_ has joined #openstack-keystone		11:47
*** andreaf has quit IRC		11:49
*** lbragstad has quit IRC		11:52
*** lbragstad has joined #openstack-keystone		11:53
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166	11:58
*** topol has joined #openstack-keystone		12:04
*** sbfox has joined #openstack-keystone		12:08
*** lbragstad has quit IRC		12:10
*** leseb has quit IRC		12:15
*** leseb has joined #openstack-keystone		12:16
*** dims_ has quit IRC		12:27
*** jimbaker has quit IRC		12:30
*** dims has joined #openstack-keystone		12:33
*** leseb_ has joined #openstack-keystone		12:38
*** dims has quit IRC		12:38
*** leseb has quit IRC		12:41
*** dims has joined #openstack-keystone		12:45
*** dstanek has joined #openstack-keystone		13:01
*** kun_huang has joined #openstack-keystone		13:02
*** jsavak has joined #openstack-keystone		13:04
*** lbragstad has joined #openstack-keystone		13:06
*** gokrokve has joined #openstack-keystone		13:17
*** dstanek has quit IRC		13:17
*** erecio has quit IRC		13:21
*** gokrokve has quit IRC		13:21
*** ayoung has joined #openstack-keystone		13:22
*** erecio has joined #openstack-keystone		13:22
*** bknudson has quit IRC		13:23
*** rodrigods has joined #openstack-keystone		13:23
*** rodrigods has joined #openstack-keystone		13:23
*** topol has quit IRC		13:29
*** david-lyle has joined #openstack-keystone		13:35
*** chandankumar is now known as chandankumar\|afk		13:37
*** david-lyle has quit IRC		13:37
*** vhoward has joined #openstack-keystone		13:38
*** david-lyle has joined #openstack-keystone		13:38
*** david-lyle has quit IRC		13:43
*** thiagop has quit IRC		13:46
*** bknudson has joined #openstack-keystone		13:46
*** nkinder has quit IRC		13:54
*** gokrokve has joined #openstack-keystone		14:10
rodrigods	dolphm, ping	14:15
dolphm	rodrigods: o/	14:16
rodrigods	dolphm, just to ask you to review https://review.openstack.org/#/c/91578/ (whenever possible) =)	14:16
dolphm	rodrigods: it's already in my queue!	14:17
rodrigods	dolphm, great! thanks!	14:17
*** dstanek has joined #openstack-keystone		14:18
*** dstanek has quit IRC		14:32
*** dstanek has joined #openstack-keystone		14:32
*** topol has joined #openstack-keystone		14:35
*** stevemar has joined #openstack-keystone		14:35
*** david-lyle has joined #openstack-keystone		14:35
*** david-lyle has quit IRC		14:35
*** bach has joined #openstack-keystone		14:35
*** david-lyle has joined #openstack-keystone		14:36
*** nkinder has joined #openstack-keystone		14:41
*** daneyon has joined #openstack-keystone		14:41
*** daneyon has quit IRC		14:46
*** daneyon has joined #openstack-keystone		14:47
*** shakayumi has joined #openstack-keystone		14:51
*** zhiyan_ is now known as zhiyan		15:01
*** thedodd has joined #openstack-keystone		15:19
*** andreaf_ has quit IRC		15:21
*** andreaf has joined #openstack-keystone		15:21
*** bvandenh has quit IRC		15:24
openstackgerrit	A change was merged to openstack/identity-api: Remove email as optional query parameter https://review.openstack.org/90656	15:27
*** sbfox has quit IRC		15:27
*** daneyon has quit IRC		15:28
*** daneyon has joined #openstack-keystone		15:28
*** shakayumi has quit IRC		15:31
*** bach has quit IRC		15:31
*** shakamunyi has joined #openstack-keystone		15:32
*** sbfox has joined #openstack-keystone		15:40
*** sbfox has quit IRC		15:43
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs https://review.openstack.org/89220	15:44
*** dims has quit IRC		15:46
*** zhiyan is now known as zhiyan_		15:47
*** bach has joined #openstack-keystone		15:50
*** richm has joined #openstack-keystone		15:51
stevemar	^^^	15:52
*** bach has quit IRC		15:53
*** bach has joined #openstack-keystone		15:53
*** dims has joined #openstack-keystone		15:57
*** praneshp has joined #openstack-keystone		15:59
*** daneyon has quit IRC		16:04
*** Manishanker has quit IRC		16:13
*** tomoiaga has quit IRC		16:14
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs https://review.openstack.org/89220	16:15
*** stevemar has quit IRC		16:20
*** stevemar has joined #openstack-keystone		16:20
*** dstanek has quit IRC		16:21
*** dstanek has joined #openstack-keystone		16:21
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166	16:21
*** jaosorior has quit IRC		16:21
*** sbfox has joined #openstack-keystone		16:24
*** gyee has joined #openstack-keystone		16:30
*** marcoemorais has joined #openstack-keystone		16:30
*** leseb_ has quit IRC		16:32
*** leseb has joined #openstack-keystone		16:33
*** amerine_ has joined #openstack-keystone		16:35
*** amerine has quit IRC		16:38
*** zhiyan_ is now known as zhiyan		16:42
*** amerine_ has quit IRC		16:42
*** shakamunyi has quit IRC		16:42
*** vhoward has left #openstack-keystone		16:42
*** leseb has quit IRC		16:43
*** daneyon has joined #openstack-keystone		16:45
*** amerine has joined #openstack-keystone		16:46
*** jimbaker has joined #openstack-keystone		16:47
openstackgerrit	Florent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API https://review.openstack.org/88620	16:53
*** zhiyan is now known as zhiyan_		16:53
*** gyee has quit IRC		16:58
*** amcrn has joined #openstack-keystone		17:04
*** harlowja_away is now known as harlowja		17:07
*** bach has quit IRC		17:08
*** kun_huang has quit IRC		17:11
*** andreaf has quit IRC		17:17
*** chandankumar\|afk has quit IRC		17:24
*** leseb has joined #openstack-keystone		17:31
*** dims has quit IRC		17:37
*** henrynash has joined #openstack-keystone		17:38
*** leseb has quit IRC		17:41
*** morganfainberg_Z is now known as morganfainberg		17:45
*** sbfox has quit IRC		17:47
*** sbfox has joined #openstack-keystone		17:51
morganfainberg	ayoung, for the compressed token / validation does it make sense to use the new fixture-type-thing that jamielennox\|away built rather than having a .json file on disk?	17:52
morganfainberg	ayoung, oh strike that, i see you need the matching revocation list.	17:52
morganfainberg	ayoung in the future we should work on using a consistent token generator even for this.	17:53
ayoung	morganfainberg, so..that whole chunk of code in example is actually unnecessary	17:54
ayoung	the revocation list is created in code, not read from disk	17:54
morganfainberg	ayoung, ah.	17:54
ayoung	Iti s a different test that uses the revocation list, and it still passes	17:54
ayoung	so, its not bad, just unnecessary. But I wrote it before I realized that	17:54
ayoung	didn't realize until I had to figure out why my test was still failing	17:54
morganfainberg	ayoung, ok so we should move to a single source of raw token data (jamie's fixture)	17:55
ayoung	I don't know	17:55
morganfainberg	ayoung, but i think that can wait at this point (follow on patch)	17:55
ayoung	I need to understand it better, but I don't want to use the same code to test itself. I like having the tokens read from disk	17:55
ayoung	In this case, that is not possible, of course, but in the future, any changes to the signing mechanism need to be backwards compat with these tokens	17:56
morganfainberg	ayoung, we should have a single fixture source for token examples across the board rather than having to maintain a .json file etc	17:56
morganfainberg	ayoung, i think i'll want to see that change once we have clear mechanism for validating token format	17:57
ayoung	morganfainberg link ?	17:57
morganfainberg	ayoung, after meeting :)	17:57
*** chandan_kumar has joined #openstack-keystone		17:58
ayoung	jamielennox\|away, MEETING TIME!	18:00
*** jamielennox\|away is now known as jamielennox		18:05
openstackgerrit	A change was merged to openstack/keystone: Refactor create_trust for readability https://review.openstack.org/90943	18:07
*** bach has joined #openstack-keystone		18:16
*** bach has quit IRC		18:19
*** bach has joined #openstack-keystone		18:20
*** htruta has joined #openstack-keystone		18:21
*** chandan_kumar has quit IRC		18:22
*** sbfox has quit IRC		18:22
htruta	hello, guys. i'm trying to run a keystone v3 command through openstack client. even when I pass the "--os-identity-api-version 3" param, it still gets a v2.0 token. I think it's some configuration on keystone client. Can anyone help me?	18:23
*** bach_ has joined #openstack-keystone		18:23
morganfainberg	htruta, the keystone irc meeting is happening right now (will be over in ~35minutes)	18:23
*** bach has quit IRC		18:23
morganfainberg	htruta, if you don't mind waiting i'm sure we can help you some at that point	18:23
htruta	morganfainberg: no problem. I can wait. thanks	18:24
morganfainberg	htruta, or at least give you an idea of the state of affairs (i don't want to give a bad answer and there are folks who just worked on that kind of stuff recently)	18:25
*** nkinder has quit IRC		18:30
*** sbfox has joined #openstack-keystone		18:31
jamielennox	htruta: most likely the identity endpoint in your service catalog has a /v2.0 url	18:32
*** tstevenson has quit IRC		18:34
*** leseb has joined #openstack-keystone		18:45
openstackgerrit	Florent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API https://review.openstack.org/88620	18:49
htruta	jamielennox: how can I change this idendity endpoint?	18:49
jamielennox	htruta: using the keystone CLI it's when you do keystone endpoint-create you use keystone_url:5000/v3 instead of /v2.0	18:51
jamielennox	however that has a lot of ramifications as the other services don't necessarily support v3 yet	18:51
jamielennox	htruta: ideally OSC would be doing a hack around that for you, stevemar do you know if OSC does the v2/v3 endpoint hack?	18:53
stevemar	jamielennox, we don't,	18:54
stevemar	jamielennox, htruta it depends on what was specified in the endpoint	18:54
jamielennox	stevemar: do you know if that's something that would be automatically fixed by the hack being available in keystoneclient or is it to do with how you setup auth?	18:55
*** leseb has quit IRC		18:56
jamielennox	because without checking i would expect that setting --os-identity-api-version 3 would mean using the v3 client which does have the hack	18:56
stevemar	jamielennox, i feel like it would be fixed... OSC is pretty 'dumb', it's just a wrapping the clients	18:57
morganfainberg	ayoung, part of ephemeral tokens we need to use a unified internal token structure, (working on that). and the fixture https://github.com/openstack/python-keystoneclient/tree/master/keystoneclient/fixture should be used for any "example" tokens (might need some massaging)	18:59
htruta	thanks, guys. I solved the problem with "--os-identity-api-version 3 --os-auth-url http://10.1.0.23:5000/v3"	18:59
morganfainberg	ayoung, eventually, we should have a single source of exampl tokens (each version) vs. a bunch of different locations on disk to maintain	18:59
morganfainberg	ayoung, i don't think it's needed right now, however.	19:00
ayoung	morganfainberg, Agreed. I want to make the gen_pkiz.py script the start of how we generate, and then have the tokens themselves in the subdir. All other sources should point to that.	19:01
*** gokrokve has quit IRC		19:01
*** leseb has joined #openstack-keystone		19:02
*** praneshp has quit IRC		19:06
*** praneshp has joined #openstack-keystone		19:06
stevemar	ayoung, if you clean this up https://review.openstack.org/#/c/79096/9/keystoneclient/v3/regions.py you get a +2 :D	19:06
stevemar	that or beer, i'm open to bribes	19:07
ayoung	Both	19:07
ayoung	Tuesday night is Guiness Stout Float Night for those that chose to Eschew the pre-cannedfun	19:08
ayoung	stevemar, we don't have atox docs job for clilent, do we?	19:08
*** praneshp has quit IRC		19:10
stevemar	yes, there is	19:10
stevemar	ayoung, ^	19:10
ayoung	stevemar, how to kick it off then?	19:11
ayoung	[testenv:docs] ?	19:11
stevemar	tox -e docs	19:11
ayoung	OK, lets see if it fails.	19:12
stevemar	where my second comment is, that one has crazy spacing :P	19:12
ayoung	stevemar, Oh, I agree with the comment. I just want to have a way to confirm I have the formatting correct	19:13
ayoung	stevemar, it must be rebuilding the venv. Taking a long while	19:18
stevemar	ayoung, :(	19:19
ayoung	stevemar, it should reuse the venv for py27 instead of creating its own, but, oh well	19:19
stevemar	ayoung, but tox is special like that	19:20
*** gokrokve has joined #openstack-keystone		19:21
marekd	jamielennox: o/	19:22
jamielennox	marekd: hey	19:23
dstanek	morganfainberg: i've been doing some password hacking, but i'm not sure i can easily remove password from the identity filter	19:23
*** gokrokve_ has joined #openstack-keystone		19:24
*** gokrokve has quit IRC		19:26
marekd	jamielennox: In the SAML2 auth workflow i think i need to reimplement Auth class, as some methods will be certainly different (token_url for sure, but also get_auth_ref()) Now, since the Auth classes are instantiated here https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/client.py#L158 i think we will have to somehow change this workflow, either by extendind Auth._factory() method, or add kind of 'if' conditio	19:26
marekd	jamielennox: i am guessing some 'dynamic' modules mechanism could be used here.	19:27
jamielennox	marekd: so i don't want to edit /v3/client.py	19:30
jamielennox	the new workflow should be session.Session(auth=SamlPlugin())	19:30
jamielennox	then client = Client(session)	19:30
marekd	it's still v3.Client(httpclient.HTTPClient), right?	19:32
jamielennox	yes	19:32
jamielennox	marekd: sorry flicking between here and the -sdk meeting	19:33
jamielennox	if you load the SAML auth plugin that way do we still need to change the workflow?	19:34
marekd	ok, so where this session should be actualy created? The v3.Client docstring example says something like: keystone = client.Client(username=USER, password=PASS) .Apparently i couldn't find it in the basecode :(	19:34
marekd	jamielennox: i don't think so.	19:34
jamielennox	so the docs are somewhat in conflict	19:35
marekd	jamielennox: what i basically need is to control where (to what url) certain requests will be sent and what will be the body.	19:35
jamielennox	i've been pushing everyone to creating the session first, but i need to keep compatibility with the existing stuff	19:35
marekd	jamielennox: i don't want to send any body, and want to start my federated authn by hitting url different than /v3/auth/tokens	19:36
marekd	ok, so those two lines session = Session(), client = v3.Client(session=session) would be done not inside the python-keystoneclient, but rather openstackclient, for instance?	19:37
marekd	or you'd expect to see such lines in a keystoneclient patch?	19:37
marekd	because how i understand it now it's the v3.Client you can basically import, pass some params and expect it to magically work, correct?	19:38
jamielennox	yes, within openstackclient	19:38
marekd	jamielennox: ok, that's what I wanted to know :-)	19:38
jamielennox	or whatever you have that is actually consuming keystoneclient	19:38
marekd	right.	19:38
marekd	jamielennox: ok, thanks,	19:39
jamielennox	marekd: no problem - i haven't tried to do a federated auth plugin yet so let me know any changes that need to be done to accomodate them	19:40
marekd	i think we will squeeze everything to Auth inheriting class :-)	19:41
marekd	jamielennox: the veeeery early drafter WIP is here: https://review.openstack.org/#/c/92166/	19:41
marekd	jamielennox: the thing we might want to think about is again kinda authentication mechanism inside the saml2 authn plugin :-)	19:43
jamielennox	marekd: so that makes the assumption that the auth_url will be the ferated endpoint?	19:43
jamielennox	marekd: will you be at summit?	19:43
marekd	jamielennox: yes.	19:43
marekd	jamielennox: ^^ i meant: i will	19:43
jamielennox	marekd: excellent, because there's some more about this workflow i'd like to know	19:44
jamielennox	because that assumes i think that you need to pass the federation endpoint as auth_url?	19:44
marekd	jamielennox: hm, how does typically auth_url looks like?	19:44
marekd	is it just https://keystone.openstack.local ?	19:45
jamielennox	marekd: it's the same as --os-auth-url	19:47
*** gabriel-bezerra_ is now known as gabriel-bezerra		19:47
jamielennox	so for now typically it's https://keystone:5000/v2.0	19:48
jamielennox	and for the v2 plugins i've been assuming a suffix of /v2.0 and for v3 a suffix of /v3	19:48
jamielennox	the intention being that there would be a higher level plugin that accepted https://keystone:5000/ and figured out whether it should use v2.0 or v3	19:49
marekd	ok, so i think i was right. so for the federated auth it will be https://keystone:5000/v3/OS-FEDERATION/identity_providers/{idp_name}/protocols/saml2//auth	19:49
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Regions Management https://review.openstack.org/79096	19:49
jamielennox	eg https://review.openstack.org/#/c/81147/	19:49
marekd	and this is handled by my token_url property	19:49
ayoung	lbragstad, you trying to make me cry?	19:50
ayoung	is "Keys" meant to be capitalized? NO. I took German in College, and it taught me that all Nouns should be capitalized	19:50
lbragstad	ayoung: :)	19:51
lbragstad	ayoung: this looks better though, nice catches by stevemar https://review.openstack.org/#/c/79096/10	19:51
ayoung	lbragstad, yeah. There are some errors, but not from my code	19:51
ayoung	I might submit a separate patch for those	19:51
jamielennox	marekd: yea, so i didn't have that use case in mind initially	19:52
jamielennox	marekd: does hitting that endpoint give you a token, or data to pass to /auth/tokens?	19:52
lbragstad	ayoung: for the region management?	19:52
ayoung	lbragstad, nah, the errors are in	19:52
ayoung	/opt/stack/python-keystoneclient/keystoneclient/openstack/common/apiclient/client.py:docstring of keystoneclient.openstack.common.apiclient.client.HTTPClient.request:9: WARNING: Block quote ends without a blank line; unexpected unindent.	19:52
ayoung	/opt/stack/python-keystoneclient/keystoneclient/openstack/common/apiclient/base.py:docstring of keystoneclient.openstack.common.apiclient.base.HookableMixin.run_hooks:5: WARNING: Inline strong start-string without end-string.	19:52
*** dims has joined #openstack-keystone		19:52
lbragstad	ahh, gotcha	19:53
jamielennox	grrr, apicient...	19:53
marekd	jamielennox: neither. the workflow is as follows: HTTP GET to /v3/OS-FEDERATION/[...], get SOAP message, play with it, and send a HTTP POST to an external Identity_provider url (passed as an argument to the plugin). Now...authenticate against IdP, for instance via HttpBasicAuth, maybe one day kerberos or similar, get SOAP message again, again play with that, and send to Keystone (it's url is stored in the SOAP received from either SP or I	19:54
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation https://review.openstack.org/71181	19:56
jamielennox	ok yea, so what is that second URL that you hit on keystone?	19:56
jamielennox	once you've gotten your external auth data	19:57
*** leseb has quit IRC		19:57
lbragstad	jamielennox: I like the SimpleCreate here...	19:57
lbragstad	https://review.openstack.org/#/c/92031/1/keystone/tests/test_validation.py	19:57
marekd	jamielennox: hmm,would have to check that second url, but it's to send the SAML2 assertion issued by a IdP to the ServiceProvider (keystone).	19:57
jamielennox	lbragstad: yea, i much prefer that as an object	19:58
lbragstad	easier to read	19:58
jamielennox	lbragstad: it means that we can put properties on the objects that are passed as well which i'm quite excited for	19:58
marekd	jamielennox: i know it will work, because I could get the token using external Python piece of code. I now just need to marry it with keystoneclient.	19:58
lbragstad	thats for sure	19:58
jamielennox	lbragstad: as in we can encode the information and helpers onto the object and then our controller code needs to know less of the format of the messages	19:59
jamielennox	marekd: yea - what i'm hoping though is that the second URL is /auth/tokens	19:59
lbragstad	jamielennox: right, that makes sense, I like it... still working through the review but I like it	19:59
marekd	jamielennox: ah, no no	19:59
jamielennox	i'm sure i argued for that a while ago	19:59
marekd	jamielennox: this is completely SAML2 internal url	20:00
lbragstad	jamielennox: the models.py is just for building the validator right? https://review.openstack.org/#/c/92031/1/keystone/validation/models.py	20:00
marekd	jamielennox: more than sure it's not /auth/tokens - i'd say it's either /v3/OS-FEDERATION/identity_providers and stuff, or something like /Shibboleth.sso/SAML2/ECP	20:00
marekd	jamielennox: why would you hope for /auth/tokens?	20:01
*** harlowja has quit IRC		20:01
marekd	jamielennox: SAML2 session, cookies are handled by mod_shib and standalone shibd daemon, not keystone.	20:01
*** marcoemorais has quit IRC		20:02
jamielennox	lbragstad: yes and no, i expect that certain requests have validation requirements that are not expressable as jsonschema so i would like them to be able to override the validate() comand	20:02
marekd	jamielennox: do you expect any problems with that? all in all i understand Auth.get_auth_ref() is supposed to return a token, right?	20:02
*** praneshp has joined #openstack-keystone		20:03
jamielennox	marekd: it can be made to work i'm sure but i'll admit i was hoping that it would go through the standard mechanism at some point	20:03
*** marcoemorais has joined #openstack-keystone		20:03
*** harlowja has joined #openstack-keystone		20:04
marekd	it's been already argued - no chances at this posint, as this workflow is governed by SAML2 authn workflow so mod_shib and stuff.	20:04
jamielennox	marekd: given that auth is pluggable, once you've done all you need to regarding interaction with your own idp i see no reason that the final submission of data isn't the same as passing a password or other secret to keystone	20:04
jamielennox	because you still need to exchange it for a token as the last step	20:04
*** leseb has joined #openstack-keystone		20:05
marekd	jamielennox: but this would need implementing SAML2 assertion parser in the Keystone.	20:05
marekd	jamielennox: now it's mod_shib that does the dirty work for us.	20:05
marekd	jamielennox: secondly, you would somewhat break the protocol workflow...is it worth doing that?	20:05
jamielennox	marekd: oh, so you have a seperate route setup with apache guarding it	20:05
marekd	jamielennox: i have to.	20:06
marekd	jamielennox: https://review.openstack.org/#/c/89220/15/doc/source/configure_federation.rst line 64	20:06
jamielennox	marekd: no i don't want to break the correct workflow, i just assumed that given we are going to return a keystone token anyway that we are already doing something non-standard	20:06
marekd	jamielennox: understand your concerns, but as long as we use apache for SAML2 federation dance we have to deal with 'non standard' auth workflow in the OpenStack.	20:07
jamielennox	marekd: yep, and honestly i'd like to keep the standards as much as possible	20:09
jamielennox	ok	20:09
jamielennox	so i take it that we can't do keystone multi factor auth this way	20:10
marekd	jamielennox: me too :-) Just wanted to clarify couple of things and thanks to you i did.	20:10
jamielennox	marekd: so is <Location /Shibboleth.sso> prescribed by the standard or something we set?	20:16
marekd	jamielennox: it's just to ensure that urls starting with /Shibboleth.sso will not be swallowed by Keystone wsgi.	20:16
*** marcoemorais has quit IRC		20:17
marekd	jamielennox: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-MakingURLsUsedbymod_shibGetProperlyRouted	20:17
jamielennox	marekd: ok, but that route itself is a standard one	20:18
marekd	jamielennox: what do you mean?	20:19
marekd	jamielennox: it's standard for shibboleth, yes. Is that what you meant?	20:19
*** lbragstad has quit IRC		20:20
jamielennox	marekd: as in defined by the protocol that it should do interaction with the server at that URL, it's not a URL returned from the initial call to gET /v3/OS-FEDERATION/[...]	20:20
ayoung	marekd, can we rename configure_federation.rst to configure_shibolleth.rst ?	20:21
ayoung	It won't be the only Federation approach, just the first one.	20:21
jamielennox	ayoung: right, <LocationMatch /v3/OS-FEDERATION/identity_providers/.?/protocols/.?/auth> looks too generic to me	20:22
marekd	ayoung: so i vote for somehow splitting it into multiple files - general configuration, like enablig plugin, adding idps, mappings, protocol will stay.	20:23
ayoung	marekd, ++	20:23
ayoung	jamielennox, Did you see how I did it with Kerberos?	20:23
jamielennox	so how is /v3/OS-FEDERATION/identity_providers/XXX/protocols/XXX/auth determined, or is it just known?	20:23
ayoung	I did:	20:23
*** gyee has joined #openstack-keystone		20:24
ayoung	https://hostname/keystone/krb/	20:24
ayoung	you use that as the AUTH_URL, and then leave the endpoint at	20:24
ayoung	https://hostname/keystone/main/ and /admin	20:24
marekd	jamielennox: well for now the second xxx will be only saml2, but the first is a IdP name you, as a user should know apriori.	20:25
marekd	and it's equal to the object id of the identity_provider stored in the Keystone backend.	20:25
jamielennox	so what i think we need here is some way to discover all this	20:25
jamielennox	marekd: but as a configurer you should know that ahead of time	20:25
ayoung	marekd, never liked the fact that the token is coming from an extension instead of a Auth plugin.	20:25
jamielennox	ayoung: ++++	20:25
jamielennox	ayoung: i was just saying that, but apparently it can't be helped	20:26
jamielennox	so auth_plugins are very much defined around the standard entry point /auth/tokens and what you send to it	20:26
ayoung	jamielennox, I suspect the location should be	20:26
marekd	guys, it's done at a different layer - apache, that cannot understand the request body, and it doesn't realy care. what it cares is the url	20:26
marekd	and it's binary - either you have an access or you don't.	20:27
ayoung	marekd, put all of SAML under its own location, I think	20:27
ayoung	https://hostname/keystone/saml/	20:27
ayoung	marekd, so if You want to use SAML, you do OS_AUTH_URL=https://hostname/keystone/saml/	20:28
marekd	and if you want to auth what is the url: https://hostname/keystone/saml/v3/auth/tokens ?	20:30
jamielennox	marekd: so the data sent is in a header then? in which case it's a similar workflow to the external plugin we have now	20:30
marekd	soaps transmited between peers (SP and IdP) are in the request body.	20:31
marekd	for the normal websso similar i would say.	20:31
jamielennox	marekd: ok, so because we never construct the standard v3 auth body, you can't use multiple auths with SAML right	20:34
jamielennox	multiple auths within keystone where there are multiple 'methods'	20:34
marekd	no.	20:34
jamielennox	ok, so you should never need to make a v3.AuthMethod	20:35
jamielennox	because that maps to a 'method' in a normal auth structure	20:35
marekd	jamielennox: yep. just created it to follow the pattern (in fact it would raise an exception if somebody called get_auth_data() on it)	20:36
jamielennox	you can do v3.Auth(auth_url, methods=[v3.PasswordMethod(), v3.TokenMethod()]) to do multi factor auth	20:36
marekd	v3.PasswordMethod(), v3.TokenMethod() are not correlated in any way, are they?	20:37
jamielennox	no	20:37
marekd	i can choose only v3.PasswordMethod(), e.g. and will get a legitimate token.	20:38
marekd	ok.	20:38
jamielennox	yep, that's what AuthConstructor is doing, just mapping the method into the base auth class	20:38
jamielennox	marekd: so how do you specify things like domain_id, project_id etc to SAML?	20:39
marekd	you are asking about the server side?	20:39
*** dims_ has joined #openstack-keystone		20:39
jamielennox	marekd: so i'm looking at the base v3.Auth object that you inherit from	20:40
marekd	i don't know yet.	20:41
jamielennox	def __init__(self, auth_url, auth_methods, trust_id=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None):	20:41
jamielennox	which are the same as the --os-trust-id etc flags	20:41
*** dims has quit IRC		20:41
jamielennox	i'm wondering how you scope a token with SAML	20:41
marekd	in the federation you get an unscoped token, and can now scope it (at /auth/tokens actually). I am not sure it should be done within Auth object..	20:42
marekd	just wanted to make a more or less good shape of the code retrieving unscoped tokens.	20:42
jamielennox	yea, i'm just trying to think how it's supposed to be abstracted	20:43
jamielennox	for example given the CLI use case	20:44
jamielennox	and if i define that an auth_plugin should get all those arguments then i expect the plugin to have the scoped data	20:44
marekd	and do all the calls behind the scenes...	20:45
ayoung	jamielennox, self._client.get(base_url, **kwargs) How do I tell that about a param that I am sending to the server?	20:45
jamielennox	which means the plugin should be responsible for getting an unscoped token and rescoping it - which is a bit nasty	20:45
jamielennox	but at least then the auth_url makes sense :)	20:46
ayoung	https://review.openstack.org/#/c/81166/11/keystoneclient/v3/contrib/revoke.py,cm line 29ish	20:46
morganfainberg	dstanek, really?	20:46
ayoung	32 is the call	20:46
morganfainberg	dstanek, (sorry lunch just got back)	20:46
dstanek	morganfainberg: np, i think i'll have to fix kvs and maybe other things too	20:47
morganfainberg	dstanek, ah, yeah kvs probably needs fixing as well doh	20:48
*** bknudson has quit IRC		20:48
dstanek	morganfainberg: there are lots of other little things that bother me, but i have something that seems to work and passes existing tests	20:48
ayoung	jamielennox, so GET /OS-REVOKE/events?since=<timestampt> works, but I realize I was not enabling that in the Client call.	20:48
morganfainberg	dstanek, ok well thats a start	20:48
dstanek	i'm working on new tests now to verify the behavior	20:49
*** bknudson has joined #openstack-keystone		20:49
dstanek	ah, and i still need to migrate the passwords	20:49
morganfainberg	dstanek, ++	20:49
jamielennox	ayoung: why aren't you inheriting from manager?	20:50
jamielennox	i hate managers as well, but they are there for this purpose	20:50
morganfainberg	dstanek, what are we filtering these days? just password?	20:51
morganfainberg	dstanek, if we have limited overlap in what we filter out maybe we make the filter emthod part of the driver	20:51
ayoung	jamielennox, becasue the CRUD is one function, and so I had more code shutting things on than I needed to write enabling things	20:51
morganfainberg	dstanek, so if the driver needs to filter passwd, we filter it.	20:51
jamielennox	ayoung: yea, the managers suck like that	20:51
ayoung	jamielennox, but I forgot uintil just now looking at some other code that I was doing that	20:51
marekd	jamielennox: ++ ;/	20:52
jamielennox	marekd: unfortunately they are now 'standardized' in apiclient so i can't just rip it out	20:52
dstanek	morganfainberg: lots - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n53	20:52
jamielennox	ayoung: so if you don't use the Manager base class you'll have to construct the path yourself	20:52
morganfainberg	dstanek, huh.	20:52
ayoung	jamielennox, uh huh...looking now	20:53
jamielennox	ayoung: make it part of base_url	20:53
morganfainberg	dstanek, oh there is a lot of KVS-isms there	20:53
morganfainberg	dstanek, bleh	20:53
jamielennox	ayoung: there is a constructor thing that helps you build query params in one of the std libs	20:53
ayoung	Oh dear god my eyes. I can't unsee that code	20:53
ayoung	def find(self, **kwargs):	20:54
morganfainberg	dstanek, ok so we can probably just get the password stuff for SQL in the new place, we can "fix" kvs to not make silly assumptions (and be dogpile based)	20:54
ayoung	loads the entire list then filters on the Python side.	20:54
jamielennox	in manager?	20:54
morganfainberg	ayoung, wow.	20:54
morganfainberg	dstanek, if we "fix" kvs, we can probably simplify that a bunch	20:55
ayoung	morganfainberg, please don't think that Jamie is at fault here. That approach predates him	20:55
morganfainberg	ayoung, nope	20:55
jamielennox	god i want that whole thing to die	20:55
ayoung	jamielennox, ManagerWithFind	20:55
morganfainberg	ayoung, i wouldn't blame anyone here for it	20:55
morganfainberg	ayoung, i'd just assume it was inherieted and we should fix it when we get a chance	20:56
jamielennox	but then if i kill managers, and i kill the base client, then i'm not sure what's left from the basic stuff	20:56
dstanek	morganfainberg: lots to do, lots to do	20:56
morganfainberg	dstanek, yep	20:56
jamielennox	i recently won the debate in -sdk to completely kill off the manager approach so you would do User.find(), i want to see if that approach works out before trying to bring it to other clients	20:58
ayoung	KILL IT ALL!	20:58
ayoung	Ahem. Sorry	20:58
jamielennox	i guess they did client side filtering because there isn't a standard filter operation for resources on the server	20:59
*** bach_ has quit IRC		21:00
jamielennox	morganfainberg: can you re-affirm discovery: https://review.openstack.org/#/c/81146/8 it needed a rebase	21:01
morganfainberg	jamielennox, looking now	21:02
*** bach has joined #openstack-keystone		21:03
*** bach has quit IRC		21:04
*** topol has quit IRC		21:04
*** marcoemorais has joined #openstack-keystone		21:04
*** harlowja has quit IRC		21:05
*** dstanek has quit IRC		21:10
stevemar	jamielennox, how are you even up?	21:12
stevemar	do you stay up? or wake up early?	21:12
*** harlowja has joined #openstack-keystone		21:12
jamielennox	stevemar: always for keystone meeting	21:12
stevemar	jamielennox, yeah, i know, but that ended > 2 hrs ago	21:13
jamielennox	though our actual team meeting was cancelled this morning - and i was tempted to skip it as i'll see everyone next week	21:13
jamielennox	stevemar: yea, but it's 7am now - that's too late to go back to bed	21:13
stevemar	dedication	21:13
jamielennox	also i made them change the -sdk meeting to directly after the keystone meeting, so i feel like i have to attend that one now	21:15
stevemar	jamielennox, makes sense	21:15
stevemar	jamielennox, bknudson if you all want to have another look at oauth1 client stuff ... that https://review.openstack.org/#/c/81980/ hoping to squeeze this in before summit. I think the mess with the import of oauthlib is finally sorted out	21:17
*** marcoemorais has quit IRC		21:17
jamielennox	stevemar: ok, wil have a look but i assume it's much the same?	21:18
*** ayoung has quit IRC		21:18
stevemar	jamielennox, pretty much, new handling for how oauthlib was being imported. there was push back to adding it to stable/havana requirements, so it should fail gracefully	21:19
stevemar	jamielennox, anyway, wrapping up early today, i'll likely see you online later, see ya	21:21
jamielennox	stevemar: later	21:21
*** marcoemorais has joined #openstack-keystone		21:24
*** stevemar has quit IRC		21:25
*** nkinder has joined #openstack-keystone		21:27
*** leseb has quit IRC		21:37
morganfainberg	jamielennox, sorry got dragged into a meeting	21:37
morganfainberg	jamielennox, +A now.	21:38
jamielennox	morganfainberg: finally... :) thanks	21:38
*** jsavak has quit IRC		21:41
*** dims_ has quit IRC		21:41
*** marcoemorais has quit IRC		21:42
bknudson	what do you think about a backport of https://review.openstack.org/#/c/88109/ ?	21:43
bknudson	it's kind of a feature but it's also kind of a security fix	21:43
dolphm	potential mid-cycle hackathon dates: July 9, 10, 11	21:46
*** dstanek has joined #openstack-keystone		21:47
*** bach has joined #openstack-keystone		21:47
dolphm	that's 1 week before earliest proposed juno-m2 deadline; 2 weeks before oscon; 3 weeks before last potential juno-m2 deadline	21:48
*** david-lyle has quit IRC		21:48
morganfainberg	dolphm, looking at my schedule	21:48
morganfainberg	dolphm, i'm for 9,10,11 personally	21:49
*** dolphm changes topic to "Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)"		21:51
*** nkinder has quit IRC		21:53
*** dims has joined #openstack-keystone		21:55
morganfainberg	bknudson, i think a backport to I is (possible)	22:03
morganfainberg	bknudson, but i would be concerned about moving it any further back	22:03
morganfainberg	bknudson, i know a bunch changed between H and I	22:04
dolphm	bknudson: the bug report doesn't illustrate any actual affect on end users; i'd want to see that before discussing the possibility of a backport	22:06
*** ayoung has joined #openstack-keystone		22:06
morganfainberg	bknudson, i do see the benefit of getting that backwards into I. I'd claim it is less feature and more security fix.	22:06
morganfainberg	dolphm, fair enough.	22:06
*** bach has quit IRC		22:06
morganfainberg	dolphm, the only real change to users is that if keystone manages passwords, they can use {ssha} or whatever hashing on the backend vs. having to accept the {md5}? we previously used	22:07
morganfainberg	dolphm, s/users/deployers	22:07
dolphm	morganfainberg: except we previously used "ldap_salted_sha1"	22:08
bknudson	the only thing that deployers should see is that their LDAP configuration for password hashing will now be used	22:08
morganfainberg	dolphm, oh we used ssha?	22:09
dolphm	passlib.hash.ldap_salted_sha1.encrypt(password_utf8)	22:09
morganfainberg	dolphm, so we did	22:09
morganfainberg	ok so, what bknudson just said, whatever is configured will be used vs hard-set ssha	22:09
bknudson	for example, some methods require the passwords in plain text in the directory	22:10
bknudson	so then you'd change your LDAP config for plaintext passwords	22:10
bknudson	before this you couldn't even do that.	22:10
bknudson	deployments might also want a stronger password hash	22:10
morganfainberg	and some deployments explicitly disallow hashed passwords so they can control it (password history, etc)	22:11
morganfainberg	depending on the implementation (of course)	22:11
bknudson	I guess it's only used in r/w mode and not to check passwords	22:13
dolphm	morganfainberg: that doesn't seem like a good compromise	22:13
morganfainberg	dolphm, to let the admins of the LDAP server configure the hashing to be used?	22:13
morganfainberg	dolphm, vs. forcing {ssha}?	22:14
dolphm	i've never thought about implementing "unique password history" with salted hashed passwords before...	22:14
morganfainberg	dolphm, it's not hard to do, but some implementations are bad.	22:14
*** marcoemorais has joined #openstack-keystone		22:14
dolphm	morganfainberg: oh you mean disallowing hashed passwords so deployers can control the hashing?	22:15
morganfainberg	dolphm, correct.	22:15
dolphm	morganfainberg: how do you check that a new password isn't in your last 10 passwords, if your last 10 passwords are all salted hashes?	22:15
*** dims has quit IRC		22:15
morganfainberg	dolphm, you know the salt, you can hash the password against with each salt and see if it matches	22:15
*** dstanek has quit IRC		22:15
dolphm	morganfainberg: ahh, there you go	22:16
morganfainberg	dolphm, otherwise how could you compare the password w/o it being plain text :P	22:16
dolphm	simple solution ftw	22:16
morganfainberg	dolphm, doesn't mean someone doesn't have some reason to track plain-text (i really don't want to know why). it should be LDAP admin's choice on the hashing algo if at all possible	22:17
morganfainberg	some tools even require passwords to be {md5}	22:17
morganfainberg	like the google apps sync. (that would be a strange mix, keystone to manage users, then syncing to google apps)	22:17
*** bknudson has quit IRC		22:25
*** marekd is now known as marekd\|away		22:25
*** bach has joined #openstack-keystone		22:30
*** dims_ has joined #openstack-keystone		22:34
*** rodrigods_ has joined #openstack-keystone		22:38
*** dims_ has quit IRC		22:39
*** dims_ has joined #openstack-keystone		22:39
*** thedodd has quit IRC		22:43
openstackgerrit	A change was merged to openstack/python-keystoneclient: Discovery URL querying functions https://review.openstack.org/81146	22:45
*** gabriel-bezerra is now known as gabriel-bezerraa		22:46
morganfainberg	jamielennox, ^ yay!	22:47
jamielennox	morganfainberg: :) now have to try and resurrct the dependencies	22:48
morganfainberg	jamielennox, hehe yeah	22:48
morganfainberg	jamielennox, hey slowly marching forward!	22:48
jamielennox	slowly slowly	22:48
jamielennox	the problem is getting it syned to requirements so i can make use of it elsewhere	22:49
jamielennox	i just put an email to -dev list because it was wanted by novaclient first	22:49
morganfainberg	jamielennox, yeah	22:49
jamielennox	on the other hand though, the keystoneclient hacks are horrible because it was incremental. The novaclient conversion is actually really nice	22:50
jamielennox	everything deprecated/changed in one review	22:51
morganfainberg	jamielennox, as much as it sucks, they benefit from our pain.	22:53
morganfainberg	jamielennox, probably the better way to do things than force the pain on them	22:53
jamielennox	morganfainberg: yep, and at least i know the crap that goes on in ours rather than having to maintain it for someone else	22:53
morganfainberg	jamielennox, ++	22:53
*** bach has quit IRC		22:56
*** dims_ has quit IRC		22:56
*** dims_ has joined #openstack-keystone		22:57
*** bach has joined #openstack-keystone		22:59
*** dims_ has quit IRC		22:59
*** bach has quit IRC		23:00
*** dims_ has joined #openstack-keystone		23:00
*** dims_ has quit IRC		23:08
*** dims has joined #openstack-keystone		23:08
*** nkinder has joined #openstack-keystone		23:13
*** rodrigods_ has quit IRC		23:25
*** bach has joined #openstack-keystone		23:27
*** sbfox has quit IRC		23:35
*** sbfox has joined #openstack-keystone		23:36
*** bach has quit IRC		23:36
*** bknudson has joined #openstack-keystone		23:40
*** bknudson has left #openstack-keystone		23:42
*** daneyon has quit IRC		23:42
*** rodrigods_ has joined #openstack-keystone		23:48
*** sbfox has quit IRC		23:52

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!