Wednesday, 2014-05-21

<dstanek> bknudson: can we do that now or is there work to be done? [00:04]
<bknudson> dstanek: We could do it today... run keystone in apache [00:05]
<bknudson> or it could be handled by any wsgi container [00:06]
<dstanek> bknudson: don't we need two different server ports? one for each pipeline? [00:07]
<bknudson> they could be on different paths... e.g., https://localhost/identity/admin/v2.0 https://localhost/identity/public/v2.0 https://localhost/identity/v3 [00:08]
<bknudson> a deployer might want to have an internal pipeline for v3 and a public one I suppose... if they wanted to provide different extensions? [00:09]
<bknudson> also, I wouldn't expect different ports for internal vs public. Would expect to be listening on different interfaces [00:11]
<dstanek> i think i just need to hack up my devstack...trying to get a load test running [00:12]
<gyee> dstanek, after we split out identity into a separate service, you'll have 4 ports to deal with :D [00:28]
<ayoung> gyee, no, just 443 [00:34]
<ayoung> everything will run in Apache using standard policy [00:34]
*** dstanek is now known as dstanek_zzz [00:37]
<gyee> ayoung, when can we get apache into the gates [00:48]
*** dstanek_zzz is now known as dstanek [01:23]
<nkinder> gyee: morganfainberg is working on httpd in the gates [01:32]
*** dstanek is now known as dstanek_zzz [01:33]
<stevemar> is keystone-specs available yet? [01:38]
<morganfainberg> stevemar, https://review.openstack.org/#/c/94119/ [01:39]
<stevemar> i see [01:39]
<stevemar> morganfainberg, cool [01:39]
*** dstanek_zzz is now known as dstanek [01:47]
*** dstanek is now known as dstanek_zzz [01:57]
<openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Adds function to compare DNs  https://review.openstack.org/94513 [02:08]
<openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Adds function to compare DNs  https://review.openstack.org/94513 [02:18]
*** dstanek_zzz is now known as dstanek [02:38]
*** radez is now known as radez_g0n3 [02:56]
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Mapping engine does not handle regex properly  https://review.openstack.org/94518 [03:00]
*** harlowja is now known as harlowja_away [03:05]
<rodrigods> anyone have time for a code review? =) https://review.openstack.org/#/c/91578/ [03:17]
<ayoung> morganfainberg, requests-kerberos v0.5 is on PyPI [03:33]
<ayoung> nkinder, ^^ [03:33]
<ayoung> rodrigods, always time for a -2...hehehe [03:34]
<ayoung> rodrigods, it's on my radar, but I want to actually try running it...so tomorrow. [03:34]
<rodrigods> ayoung, great! [03:35]
<rodrigods> ayoung, but there is always hope for a +2 [03:36]
<rodrigods> =) [03:36]
<ayoung> rodrigods, it looks pretty straightforward. [03:36]
<ayoung> rodrigods, I've got a bunch of client scripts that will be in keystoneclient/examples/scripts.  I'll write one using your code as a way to learn it. [03:37]
<rodrigods> ayoung, yeah! and it's interesting how i ended up submitting this patch. it all began with a horizon performance issue [03:37]
<ayoung> rodrigods, for example https://review.openstack.org/#/c/82687/ [03:37]
<rodrigods> ayoung, really useful! right now i'm writing policy tests using keystone client [03:38]
<ayoung> rodrigods, submit them! [03:38]
<rodrigods> they're more to find bugs caused by hard-coded policy checks inside the code [03:40]
<rodrigods> like: what if my 'admin' role were called 'master'? [03:40]
<rodrigods> and, is it possible to define a new role that would be like a project admin? [03:40]
<rodrigods> domain admin, etc [03:41]
<ayoung> rodrigods, you are a Horizon person?  Got an idea to float by you: [03:45]
<ayoung> Run Keystone as part of Horizon.  Just the "main" or AUTH_URL part, and stick the token sha in a session cookie, and pass the token to Horizon via memcached. [03:45]
<rodrigods> ayoung, i just started working with openstack, and this Horizon bug was assigned to me hehehe [03:47]
<rodrigods> ayoung, i think you met some of my colleagues at the summit? telles and raildo [03:48]
<ayoung> Heh.  I am working on Kerberos for Horizon, and it's kind of making me wonder if we can simplify [03:48]
<ayoung> yeah, good guys [03:48]
<rodrigods> i'm new on the team here, just finished my first month [03:49]
<ayoung> Keep up the good work [03:49]
<rodrigods> thanks [03:49]
<rodrigods> ayoung, does your Kerberos work on Horizon have a patch already? [03:51]
<ayoung> No [03:51]
<rodrigods> ah, ok [03:51]
<ayoung> rodrigods, the problem is that Kerberos to Horizon doesn't give us a way to request a token from Keystone without another step [03:52]
<ayoung> it's called Service for User to Rpoxy, or S4U2Proxy for short [03:52]
<ayoung> and I'm trying to find a way to avoid it [03:52]
<ayoung> Rpoxy -> Proxy [03:53]
<ayoung> If I had a Keystone that issued tokens in Session cookies instead of special headers I'd be all set [03:53]
<ayoung> I think [03:54]
<ayoung> anyway, I'm headed to bed...I want to think this through some more.  I'll look at your patch in the morning [03:55]
<rodrigods> you mean, store the token in localStorage, for example? [03:55]
*** ayoung is now known as ayoung_zzzz [03:55]
<morganfainberg> ayoung, are we blocked on the token compression on a new release of ksc? [03:55]
<ayoung_zzzz> morganfainberg, that merged [03:55]
<ayoung_zzzz> ah...yes [03:55]
*** ayoung_zzzz is now known as ayoung [03:55]
<ayoung> morganfainberg, we need a new release of the client [03:55]
<morganfainberg> ayoung_zzzz, hm. ok let's coordinate w/ dolph on that and see what the timeline of the next release will be. [03:56]
<morganfainberg> ayoung, catch ya tomorrow [03:56]
<morganfainberg> ayoung, (i'll be around late at best, have an appt in the morning here) [03:56]
<ayoung> morganfainberg, although, getting Kerberos in there would be killer [03:56]
<ayoung> did you see my note before? [03:56]
<morganfainberg> ayoung, which note? [03:56]
<ayoung> morganfainberg, they released a new version of requests-kerberos [03:56]
<morganfainberg> ayoung, i've been doing cleanup code port for internal stuff before the end of the week [03:56]
<ayoung> morganfainberg, https://github.com/requests/requests-kerberos/issues/30#issuecomment-43703724 [03:57]
<morganfainberg> ayoung, next week should start opening up time for me to be back to full focus on code/reviews/etc [03:57]
<morganfainberg> ah [03:57]
<morganfainberg> cool. [03:57]
<morganfainberg> anyway, catch ya tomorrow [03:57]
<morganfainberg> gotta get going myself here shortly. [03:57]
<ayoung> gnight [03:57]
*** ayoung is now known as ayoung-zzzzz [03:57]
<morganfainberg> rodrigods, if i can, i'll poke at that tomorrow afternoon pacific (if no one else catches it) [03:58]
<rodrigods> morganfainberg, great! [03:58]
<ayoung-zzzzz> morganfainberg, I want Horizon to issue unscoped tokens. [04:15]
*** ayoung-zzzzz is now known as ayoung [04:15]
<morganfainberg> ayoung, so, TGT style for solving the session issues? [04:16]
<ayoung> If Horizon is Kerberized, or has access to the Federation data, it can do a lot of things [04:16]
<morganfainberg> ayoung, aye. [04:16]
<ayoung> Its unscoped tokens can only be handed to the real Keystone endpoint for scoped tokens [04:17]
<ayoung> Only Keystone would have a signing cert for Horizon, and so only Keystone would ever accept its tokens [04:17]
<morganfainberg> so the unscoped is effectively the krb TGT equiv? [perhaps reduced feature set] [04:18]
<ayoung> It would work for the Federated cases too [04:18]
<ayoung> horizon/auth does the redirects etc, and uses the mapping data to create an unscoped token [04:18]
<morganfainberg> ayoung, if we allow those tokens to live longer than the standard token lifespan, it makes the horizon sessioning problem go away. [04:18]
<ayoung> yeah, unscoped is TGT [04:18]
<ayoung> nah, Horizon issues them when it needs them [04:18]
<ayoung> E-PHEM-ER-AL [04:19]
<morganfainberg> ayoung, oh oh, horizon issues the token directly [04:19]
<ayoung> only the unscoped [04:19]
<morganfainberg> ayoung, hmmm. not opposed to that, want to mull it over before i 100% agree [04:19]
<ayoung> morganfainberg, an unscoped token means "User has authenticate to Horizon" [04:19]
<ayoung> and only that [04:19]
<ayoung> authenticated [04:20]
<morganfainberg> ayoung, but it seems reasonable [04:20]
<ayoung> morganfainberg, it gives real weight to the identity/assignment split [04:20]
<morganfainberg> that makes sense, a specific role that allows use of horizon as well. [04:20]
<morganfainberg> means you could make it so an API-only service user could exist (no web interface) [04:21]
<morganfainberg> well, something to gate on the horizon service at least. [04:21]
<ayoung> In theory, you could authenticate to Nova with Kerberos, and then Nova could make a call to Keystone GET /role_assignments/user/project [04:22]
<ayoung> OK, I think I can sleep now. [04:24]
<morganfainberg> night [04:24]
*** ayoung is now known as ayoung_ZZZzzz [04:24]
*** morganfainberg is now known as morganfainberg_Z [04:42]
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert auth_token to use session  https://review.openstack.org/74908 [04:45]
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Auth Plugin invalidation  https://review.openstack.org/94529 [04:45]
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Add openID Connect auth plugin for federation  https://review.openstack.org/61662 [05:01]
*** dstanek is now known as dstanek_zzz [05:23]
*** dstanek_zzz is now known as dstanek [05:44]
*** dstanek is now known as dstanek_zzz [05:54]
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/90288 [06:01]
*** dstanek_zzz is now known as dstanek [06:45]
<openstackgerrit> Andreas Jaeger proposed a change to openstack/keystone: Remove all mostly untranslated PO files  https://review.openstack.org/94541 [06:54]
*** dstanek is now known as dstanek_zzz [06:55]
*** dstanek_zzz is now known as dstanek [07:46]
<BAKfr> Hi, I'm trying to write a Keystone extension but I can't find out how to set config parameters. [08:15]
<BAKfr> I have a separate repository with my 3rd-party extension, and I would like to add my own config options. [08:16]
<BAKfr> But it seems to me that all config options must be set in keystone/config.py [08:16]
<BAKfr> Anyone know how to set them in my 3rd-party extension? [08:18]
*** dstanek is now known as dstanek_zzz [08:38]
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method  https://review.openstack.org/86578 [08:57]
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Fixed wrong behavior when updating tenant with LDAP backends  https://review.openstack.org/93386 [09:50]
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Cleanup of ldap assignment backend  https://review.openstack.org/94569 [10:10]
<openstackgerrit> Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor driver_hints  https://review.openstack.org/93992 [11:55]
*** radez_g0n3 is now known as radez [12:01]
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/94600 [12:13]
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/88517 [12:16]
*** dhellmann_ is now known as dhellmann [13:35]
<AJaeger> could I get a review of this patch, please? https://review.openstack.org/#/c/94541/ - since translations come in every day, this patch will reduce what gets submitted significantly... [14:09]
<BAKfr> Hi, I'm trying to write a 3rd-party keystone extension, but I can't find out the proper way to add custom config options [14:25]
<BAKfr> It seems that options must be defined in keystone/config.py, otherwise they are not available [14:27]
<BAKfr> So, is it possible to define config options in my 3rd-party extension? [14:28]
<mattinator> I'm trying to configure a middleware proxy (repose) to authenticate against keystone.  It seems the default behavior of repose is to authenticate without defining a tenant.  It seems I need to define a role to a user, but I don't see how to do that in a "global" way (i.e. regardless of tenant).  Does anyone know how I might accomplish this? [14:30]
<openstackgerrit> Florent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API  https://review.openstack.org/88620 [15:15]
<tristanC> Hello folks, what is the status of #1309228? Are https://review.openstack.org/#/c/94470/ and 94396 good to be approved? [15:15]
*** dstanek_zzz is now known as dstanek [15:16]
<nkinder> tristanC: I believe that the LDAP one needs some rework [15:55]
<tristanC> nkinder: I see, is it still about the "if assignment_dn_norm.endswith(user_tree_dn_norm)" check that does not cover every case? [16:00]
<dolphm> tristanC: just +A'd the SQL patch on master [16:03]
<dolphm> nkinder: what needs to be done to the LDAP patch on master? [16:04]
*** ayoung_ZZZzzz is now known as ayoung [16:04]
<tristanC> dolphm: thanks! [16:05]
<ayoung> dolphm, the LDAP patch tests the subtrees [16:05]
<ayoung> but it needs to really test the objectclasses [16:05]
<ayoung> and that is a non-trivial operation [16:05]
<nkinder> yes, users and groups might be in the same subtree [16:05]
<ayoung> dolphm, we discussed a handful of potential approaches last night, but they were all leaning toward Directory Server specific implementations [16:06]
<dolphm> ayoung: nkinder: is someone working on a new patchset that can be backported to icehouse? [16:07]
<nkinder> dolphm: give me a few minutes to wrap up a meeting, then we can hash out the way forward on this one [16:08]
<bknudson> I don't see how testing the objectclass is going to do it either. an entry could have both user and group objectclasses [16:09]
<ayoung> bknudson, then that is fine [16:09]
<ayoung> you assign the role to the user, and the user is the group, you assign the role to all members of the group [16:09]
<ayoung> that is likely only the case for user-private groups anyway [16:10]
<ayoung> bknudson, conversely, if you assign it to the group, you probably mean to assign it to the user that links to the user-private group. [16:10]
<bknudson> both the group and the user would get the role [16:11]
<bknudson> since keystone doesn't know if it's a group or user assignment [16:12]
<ayoung> bknudson, so it looks like jdennis is not going to have his DN patch ready any time soon.  I'm going to have him send you a link to it, and we can discuss whether you want to port it, or pursue your existing approach for comparing DNs.  I suspect you will like his code better. [16:12]
<ayoung> bknudson, I think that is fine. [16:12]
<bknudson> what's the license on the code? [16:12]
<ayoung> bknudson, it's FreeIPA, so GPL I think [16:13]
<bknudson> ok... can we use that in openstack code? [16:13]
<ayoung> https://git.fedorahosted.org/cgit/freeipa.git/tree/COPYING [16:13]
<lbragstad> http://www.apache.org/licenses/GPL-compatibility.html [16:14]
<ayoung> yes.  If there is any issue, Red Hat owns copyright and can re-issue [16:14]
<bknudson> "GPLv3 software cannot be included in Apache projects." [16:14]
<lbragstad> We avoid GPLv3 software because merely linking to it is considered by the GPLv3 authors to create a derivative work. [16:15]
<ayoung> hmmm.  I suspect that is not really an issue, as it would be a rewrite for OpenStack, and John wrote the original [16:16]
<ayoung> But I can have him submit it as WIP so it is not copied from FreeIPA if that helps [16:16]
<nkinder> ayoung, bknudson: let's not gate this on the DN compare stuff [16:17]
<ayoung> nkinder, nah, separate patch [16:18]
<ayoung> nkinder, brant submitted a general DN compare patch, but I thought John was reworking his DN approach here. [16:18]
<bknudson> the LDAP fix using braindead DN compare is https://review.openstack.org/#/c/94470/ [16:19]
<ayoung> nkinder, so, is the LDAP problem even really a problem?  I mean, if I have a user named ayoung and a group named ayoung, it means that anyone in the ayoung group gets my roles, but in practice, is that wrong? [16:20]
<nkinder> ayoung: yes, if the user is not in the group, they shouldn't get the group roles [16:21]
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/91225 [16:22]
<nkinder> it's the other way around, not how you described it [16:22]
<dolphm> do we have a bug documenting the fact that the sql driver dumps queries into JSON error messages somewhere? [16:22]
<ayoung> nkinder, so we need to test the objectclass [16:22]
<ayoung> and since DN is not a real attribute, we have to query them one at a time [16:23]
<ayoung> dolphm, nkinder BTW some good news https://review.openstack.org/#/c/84740/  Kerberos requests is on its way [16:23]
<dolphm> ayoung: no bp link? [16:24]
<nkinder> dolphm, ayoung: I'm curious to get your input on this - https://blog-nkinder.rhcloud.com/?p=101 [16:24]
<nkinder> dolphm, ayoung: if it seems like a correct approach, I'll work up a spec [16:24]
<ayoung> nkinder, is that "request a token with fewer roles?" [16:25]
<nkinder> ayoung: that's part of it [16:25]
<ayoung> nkinder, we need a change to how Horizon uses tokens [16:25]
<nkinder> but also adding restrictions to using a token to get a new token [16:25]
<nkinder> ayoung: yes, I cover that [16:25]
<ayoung> nkinder, more than that [16:26]
<ayoung> we need, basically, a session [16:26]
<nkinder> ayoung: yes, with an unscoped token tied to the session [16:26]
<nkinder> ayoung: I cover that in my write-up [16:26]
<ayoung> the one-hour timeout means we are going to kick people out randomly in the middle of work, but a session-scoped token should be refreshable.  What if Horizon itself could issue this token? [16:26]
<ayoung> If Horizon had a signing cert, we would know that the token came from Horizon.  If only Keystone honored the cert, the token would only be usable on Keystone [16:27]
<nkinder> why automatically refresh?  Isn't a timeout a good thing? [16:27]
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/91240 [16:28]
<ayoung> nkinder, the general web approach is extend the session if the user is active [16:28]
<ayoung> so if a user leaves for 10 minutes, they need to log back in [16:28]
<ayoung> but if they keep actively doing work, keep refreshing [16:29]
<ayoung> If we split the Identity and assignment sides of Keystone, Horizon would be confined to only working with the Identity side until it needed to do work somewhere else [16:29]
<nkinder> ayoung: I think that's a second step. [16:30]
<ayoung> jdennis, can you submit your DN patch as a WIP to Gerrit? There is some concern from bknudson (IBM) that we should not be copying GPL code into an Apache license project, but since you/we are the copyright holder, we can just submit it directly [16:30]
<ayoung> nkinder, I was thinking about this last night in the context of Kerberos.  We could skip the S4U2Proxy if instead Horizon could sign a token and deliver it to keystone [16:31]
<ayoung> it would make SAML etc work with a visual web tool without a need for the CLI extensions [16:32]
<nkinder> ayoung: let's defer that discussion.  I want to get the LDAP assignment thing hammered out [16:32]
<nkinder> ayoung: I'm not sure that the extra suffix/objectclass check is needed [16:33]
<ayoung> nkinder, OK...back to LDAP....why not? [16:33]
<jdennis> ayoung: yes I can submit it, but not until it's fixed and I have to get ready for a design discussion tomorrow [16:33]
<nkinder> ayoung: at line 98, the patch does this... [16:33]
<nkinder> assignment_id = self.user._dn_to_id(assignment.user_dn) [16:34]
<ayoung> No, submit it as a draft or WIP, broken, so you can hand off to Brant [16:34]
<nkinder> so we know that the assignment is referring to a user and not a group since it's using 'assignment.user_dn' [16:34]
<nkinder> ayoung: this means assignment_id will only be the id of a user [16:35]
<ayoung> nkinder, and the gordian knot is cut [16:35]
<nkinder> ayoung: we then compare that with the passed in user_id like so... [16:35]
<nkinder> if assignment_id != user_id [16:35]
<openstackgerrit> Richard Megginson proposed a change to openstack/keystone: test_user_mixed_case_attribute fails - mail, not email  https://review.openstack.org/94668 [16:36]
<ayoung> nkinder, I'm kind of mad.  I was so close to that last night....dagnabit for stealing my save [16:36]
<nkinder> ayoung: so I don't think there is a chance that it's a group [16:36]
<nkinder> ayoung: ...but it would be nice to prove this with a test give that this is an OSSA issue [16:37]
<nkinder> s/give/given/ [16:37]
<nkinder> I don't want to make assumptions just based off of reading the code [16:37]
<ayoung> nkinder, I'm not 100% certain [16:38]
<ayoung> nkinder, so the internal object calls it that, but I am not certain if just setting the member_of field is sufficient for the association to distinguish when doing a query [16:39]
<ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/ldap.py#n543 [16:40]
<ayoung> dolphm, how should I link a Keystone blueprint on a global requirements fix?  By the whole URL? [16:43]
<ayoung> https://blueprints.launchpad.net/keystone/+spec/kerberos-authentication [16:43]
<nkinder> ayoung: I'm setting up devstack with LDAP to see if this is even a problem [16:44]
*** jamielennox is now known as jamielennox|away [17:00]
*** dstanek is now known as dstanek_zzz [17:01]
*** dstanek_zzz is now known as dstanek [17:05]
<radez> ayoung: until so I threw together a temp fix for TryStack to get rid of the side database with the extra passwords in it. [17:18]
<radez> ayoung: I installed this custom middleware into keystone in the admin_api pipeline https://github.com/trystack/python-django-horizon-facebook/blob/master/horizon/facebook/middleware.py [17:18]
<radez> ayoung: then make a call using httplib directly to the api to get a token on behalf of the user as the administrator [17:19]
<radez> https://github.com/trystack/python-django-horizon-facebook/blob/master/horizon/facebook/backend.py#L154 [17:19]
<ayoung> radez, we have that with the external auth plugin [17:20]
<radez> this requires the admin_token from keystone to be passed and for the call to be made on the admin port [17:20]
<openstackgerrit> Ryan Bak proposed a change to openstack/keystone: LDAP: Added documentation for debug_level option  https://review.openstack.org/94679 [17:20]
<radez> ayoung: I had to make the call from inside django so I couldn't use the remote_user stuff directly [17:20]
<ayoung> ah [17:20]
<radez> but the external handler and the service token code are basically mashed together to make it work [17:21]
<ayoung> radez, can't that be hacked? [17:21]
<ayoung> body = json.loads(request.body) [17:21]
<ayoung> username = body['auth']['passwordCredentials']['username'] [17:21]
<ayoung> or do you have a check that makes sure... [17:22]
<ayoung> wha> [17:22]
<radez> you would have to have the service token [17:22]
* radez looks at it again to make sure I'm not missing something [17:23]
<ayoung> radez, what is to keep someone from crafting their own message body and bypassing security? [17:23]
<radez> ayoung: ha, I get the token and took out the line that checks that it's the right token... crap. [17:24]
<radez> good catch [17:24]
* radez fixes [17:24]
<ayoung> minor point, hardly worth mentioning [17:25]
<radez> ayoung: yea maybe I'll just skip it... I'll be fine [17:27]
<radez> ayoung: refresh that middleware.py [17:27]
<radez> glad I circled back for a peer review :) [17:27]
<ayoung> radez, went from 10 lines to about 160 [17:28]
<ayoung> 184 [17:28]
<radez> huh? [17:28]
<ayoung> wrong link [17:28]
<ayoung> 35 [17:29]
<radez> lol [17:29]
<radez> that's it [17:29]
<ayoung> um, don't do that [17:29]
<radez> no? [17:29]
<ayoung> admin token is for setting up the system and should be disabled after that [17:29]
<ayoung> but... nkinder and I were just discussing an offshoot of your problem radez [17:30]
<radez> ayoung: should I just establish a new shared secret for keystone and horizon for this purpose? [17:30]
<ayoung> I want to make Horizon sign tokens [17:30]
<radez> oh that's an idea [17:31]
<ayoung> so, yeah, should be a shared secret between Horizon and Keystone, probably an X509 for a real deployment.  Or kerberos. [17:32]
<ayoung> If Horizon is trusted, it can throw away the password [17:32]
<ayoung> radez, does trystack allow direct access to nova and keystone, or is it all through horizon? [17:33]
<radez> ayoung: direct [17:33]
ayoungradez, how does the end user talk direct to Keystone?  Do you hand them back a password?17:35
radezayoung: yea, they first login with facebook, then there's a horizon plugin I built that generates a password displays it once and sets it in keystone for them17:37
ayoungradez, good for how long?17:39
radezayoung: until they reset it, but they can only see it once so if they forget it they have to generate a new one17:40
radezcan keystone enforce an EOL on a password?17:40
ayoungradez, as good a solution as any.17:40
ayoungradez, nope17:40
ayoungbut you can always disable a user17:41
radezyea so if I get rid of my side db then I have no way to know how long they've had the pw17:41
radezyes, I also clear out the users when I upgrade so about every 6 months the use db gets cleaned17:41
ayoungtrue.  but it doesn't know if they've been active or not anyway17:41
radezsooner if I have troubleshooting problem and ecide to rebuild the db17:41
radezright17:42
ayoungthey keep using it against keystone without going through the web portal17:42
*** gokrokve has joined #openstack-keystone17:43
bknudsonnkinder: replied to your comment on https://review.openstack.org/#/c/94470/ -- hopefully it's clear17:43
ayoungradez, how's the  Facebook group approval proces work?  Do you do it by hand?17:44
*** bobt has joined #openstack-keystone17:46
*** gokrokve has quit IRC17:47
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation.  https://review.openstack.org/7497417:48
openstackgerritA change was merged to openstack/keystone: SQL fix for get_roles_for_user_and_project user=group ID  https://review.openstack.org/9439617:48
openstackgerritA change was merged to openstack/keystone: Remove all mostly untranslated PO files  https://review.openstack.org/9454117:48
radezayoung: yup, I see you want in17:50
* radez thinks long and hard about this17:50
radezayoung: btw the api password function has to be updated, I probably broke it putting in the updates to the authentication17:50
nkinderbknudson: yeah, I just reproduced it and was seeing the same thing in pdb17:52
bknudsonnkinder: the field is incorrectly named.17:54
bknudsonin the original code http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/ldap.py#n10917:54
bknudsonit does a.user_dn.upper() == group_dn.upper()] ?!17:54
bknudsonin _get_roles_for_group_and_project17:54
radezayoung: huh, we I just was able to get an api password. see if you can get one17:55
bknudsonI think it makes sense to try to move the determining of user or group down to role.get_role_assignments ... would be willing to try it.17:55
ayoungradez, well, I'm in on Horizon, but where is the password?17:56
*** arborism is now known as amcrn17:57
nkinderbknudson: ok, so I see one gap in the patch18:01
nkinderbknudson: that would be the case where users and groups are in the same subtree18:01
nkinderbknudson: this is a corner case, but it still has a security problem18:01
*** browne1 has joined #openstack-keystone18:02
bknudsonnkinder: right... this is where the only way to be "more sure" is to check the objectclass18:02
bknudsonalthough even then the code could be confused by an entry that was both person and group18:02
nkinderbknudson: but in that case, the assignment is ambiguous18:03
bknudsonright, we just don't have enough info in that case18:03
nkinderbknudson: the assignment is to a DN, and if it's a user and a group you are assigning to both in effect18:03
*** browne has quit IRC18:04
ayoungnkinder, yeah, that is my view, too18:07
ayoungnkinder, but it seems like this should be a manageable issue.  Like, maybe we overreport on roles, but before we enumerate users for a group, make sure that it really is a group we are looking at.18:08
ayoungwe should only have to check for a single user, never for the whole group18:09
ayoungOK...we are being dumb here.  We have the whole DN from the assignments collection18:11
ayoungwe need to compare the actual DN from self.role.get_role_assignments  with the users actual DN18:12
ayoungand not be doing id to dn and back again18:12
nkinderayoung: we need to go from id->dn then18:13
nkinderayoung: not a big deal18:14
ayoungyep18:15
ayoungI'm on it18:15
ayoungbknudson, http://paste.fedoraproject.org/103899/06962281 nkinder18:17
ayoungthe group one is already OK18:17
*** browne1 has quit IRC18:18
nkinderayoung: I just tested a patch with that approach, and it works18:20
ayoungnkinder, I'm about to resubmit18:20
*** joesavak has joined #openstack-keystone18:20
nkinderayoung: I would combine the upper() calls on the same line18:20
nkinder...as we will want to replace that with a call to the DN compare function when it lands18:20
nkinderayoung: I like bknudson's code cleanup as well though.  Much more readable IMHO18:22
ayoungnkinder, so call upper every time?  gross, but I see how it is clearer18:22
nkinderayoung: eh, I see the point about calling upper() once18:22
ayoungnkinder, I'll keep it the same as the group one for now18:22
nkinderayoung: let me submit the patch, as I'm testing it with a real setup18:23
dolphmanyone understand what's being fixed here? :-/ (refactors db setup for sql testing...) https://review.openstack.org/#/c/93556/18:23
ayoungnkinder, but I came up with the solution....18:23
ayoungbut whatever...18:23
ayoungcoauthors all18:24
*** bobt_ has joined #openstack-keystone18:24
bknudsondolphm: I'd taken a quick look and am not sure what it fixes... also there's a follow on patch that removes it all anyways.18:24
nkinderayoung: ok, go ahead and submit then if you like18:24
ayoungnkinder, and...here is where I pay for working on stable branch...recreating tox.  I need git stash for my tox envs18:27
*** browne has joined #openstack-keystone18:29
*** matsuhas_ has joined #openstack-keystone18:29
dstanekdolphm: i have no idea what they are doing there18:31
dstanekdolphm: maybe the result of the migrations is different from the declared models...18:33
ayoungdstanek, I'm going to take that commit message and run it through google translate back to the original Romanian and then back.18:34
stevemarall - could i get eyes on https://review.openstack.org/#/c/93496/2 and the patch it's needed by?18:35
ayoungstevemar, looks good on 96/218:36
ayoungand on...18:36
ayoungstevemar, what is the other review? https://review.openstack.org/#/c/81981/12  ?18:37
stevemarayoung, yes, 8198118:37
dolphmbknudson: dstanek: functional tests would be way faster this way... mirantis put up another patch to ensure models matched the schema- did that merge?18:38
dolphmmodels matched migrations*18:38
ayoungstevemar, what did 81981 change beside moving to contrib?18:39
bknudsondolphm: btw - I tried running the follow on patch tests and there was no result on performance.18:39
openstackgerritayoung proposed a change to openstack/keystone: LDAP fix for get_roles_for_user_and_project user=group ID  https://review.openstack.org/9447018:40
stevemarayoung, i'm confused 81981 isn't in yet, it's the auth plugin for oauth18:40
ayoungstevemar, I know, and I am reviewing it18:41
ayoungbut I see jamielennox|away asked you to move the code to the contrib/oauth subdir, which I agree with18:41
ayoungwhat else is different?  It looks the same to my eye18:41
stevemarayoung, oh, i made it fail gracefully if oauthlib isn't installed18:41
stevemarayoung, so as to not break the upgrades/gate jobs18:42
ayoungstevemar, ++18:42
dstanekso if we only have the ids in the token the client will need to call back to keystone to get the actual catalog info?18:43
*** gokrokve has joined #openstack-keystone18:43
ayoungdstanek, yes.  Once and cache18:43
dstanekdolphm: i'm not sure - they proposed a big chain of patches18:44
dstanekayoung: they why have any catalog info in the token?18:44
ayoungdstanek, token binding to endpoint, of course18:44
* ayoung ducks18:44
stevemardstanek, question about https://review.openstack.org/#/c/81981/12/keystoneclient/tests/v3/test_oauth1.py18:45
ayoungdstanek, I think compressed tokens deals well enough with it.18:45
stevemarif I extend TestCase, won't I lose the functionality to unload the library?18:45
*** gokrokve has quit IRC18:47
dstanekstevemar: ?18:48
dstanekstevemar: is that actually running as a test?18:48
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/9122518:48
tristanCbknudson: ayoung: dolphm: Looks like you found middle ground to fix our OSSA bug! Stable/icehouse grenade test will still fail because of https://bugs.launchpad.net/keystone/+bug/1320670, though we are ok to reference stable/icehouse reviews and send the OSSA even if jenkins put -1 because of this18:51
uvirtbotLaunchpad bug 1320670 in grenade "404 on GET /v3/OS-SIMPLE-CERT/ca at grenade" [Undecided,In progress]18:51
bknudsontristanC: I can re-do the stable/icehouse change.18:52
tristanCso if you can submit backport fix I'll proceed to OSSA. Thanks in advance :)18:52
tristanCbknudson: that would be perfect, thanks!18:52
ayounggrenade fix went in, I thought18:53
tristanCayoung: sadly the fixing review is still in progress: https://review.openstack.org/#/c/94627/18:53
*** matsuhas_ has quit IRC18:54
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.  https://review.openstack.org/8494518:55
*** shakamunyi has quit IRC18:57
*** jamielenz has joined #openstack-keystone18:57
stevemardstanek, gorram reavers18:57
*** jamielennox|away has quit IRC19:00
*** cds has quit IRC19:00
dstanekstevemar: wha?19:00
*** jamielennox|away has joined #openstack-keystone19:00
stevemardstanek, you were right - it wasn't being run19:00
*** jamielenz has quit IRC19:02
nkinderdolphm: the LDAP assignment issue has been ironed out.  Want to give it a review so we can wrap it up?19:02
nkinderdolphm: https://review.openstack.org/#/c/94470/19:02
stevemardstanek, during the test, the library is successfully disabled, but when I try to create the oauth plugin object - it actually works19:04
*** harlowja is now known as harlowja_away19:04
dolphmnkinder: thanks!19:04
dolphmbknudson: +A when jenkins +1's19:06
dolphmtristanC: second part of that patch is getting ready to enter the gate ^19:07
stevemardstanek, i think i can use reload?19:07
bknudsontristanC: dolphm: ayoung: here's the icehouse fix: https://review.openstack.org/#/c/94397/19:08
bknudsonI can fix up the commit message online19:08
bknudsonfixed, added the coauthors!19:09
tristanCdolphm: bknudson: wonderful, thanks! I'll prepare the OSSA announce, could you check the backport is in good shape ?19:09
*** dims has joined #openstack-keystone19:09
dolphmbknudson: clean backport still?19:10
bknudsondolphm: yep19:10
*** browne has quit IRC19:10
dolphmbknudson: the tests are different, and there's a comment the docstr of https://review.openstack.org/#/c/94396/2/keystone/tests/test_backend_ldap.py that can be removed19:12
dolphmbknudson: oh i'm comparing the wrong file19:13
bknudsondolphm: the icehouse backport doesn't have the test_backend_ldap test. It was added because it didn't include the LDAP fix19:13
dolphmbknudson: yeah, i clicked the wrong thing :P19:14
dolphmbknudson: +2 on backport19:14
ayoungnkinder, now that we've dealt with LDAP...back to Horizon?19:15
nkinderayoung: jumping into a meeting in 15, but sure...19:16
ayoungnkinder, OK,  so the question is, do we trust Horizon?19:16
ayoungright now, a user is willing to give it his password19:16
nkinderyes, which is a lot of trust...19:17
*** marcoemorais has quit IRC19:17
ayoungSo if a user authenticates to Horizon,  whatever the means...how far do we trust it in the future?19:18
ayoungnkinder, in a kerberized world, with S4U2, the Horizon admin that hits the Credentials cache can do pretty much anything that Keystone gives access too19:19
ayoungto19:19
dolphmayoung: nkinder: bknudson: thanks again for the ldap effort :)19:20
ayoungSo, why not let Horizon sign unscoped tokens?   The difference would be service ticket signout versus...whenever we identified a Horizon server was compromised19:20
bknudsondolphm: someday all this code will be gone!19:21
nkinderbknudson: ++!19:21
ayoungbknudson, you are such an optimist19:22
nkinderayoung: ok, so you are saying that horizon will issue an unscoped token and sign it (acting like Keystone itself minus roles/projects/domains)19:23
ayoungnkinder, yes, but.  that token would only be valid to Keystone19:23
nkinderayoung: and I assume that Keystone will trust this token19:23
ayoungand only Keystone19:23
nkinderayoung: so this token contains the user and basically says "trust me, the user authenticated to horizon"19:24
ayoungIt would be valid for 10 minutes.  It could be used to trade up to a scoped token with a default duration19:24
nkinderayoung: how does this get away from trusting horizon?19:25
nkinderayoung: it seems to me like horizon would be able to spoof any user19:25
ayoungnkinder, it doesn't19:25
ayoungcorrect.  but that is the case now, too19:25
nkinderayoung: how?19:25
ayoungS4U2 would then be a hardening beyond that19:25
nkinderayoung: can it spoof a user who never authenticated?19:25
ayoungnkinder, because the user submits their password19:26
ayoungah, true19:26
ayoungit can only spoof users that have submitted passwords19:26
nkinderayoung: we're making horizon as powerful as keystone itself19:26
ayoungisn't it already, though?19:26
ayoungso, how do we limit it19:26
ayoungS4U2 is a Kerberos specific method, won't work for, say, SAML19:27
*** harlowja_away is now known as harlowja19:27
*** saju_m has quit IRC19:27
nkinderright now, horizon can't authenticate as a user who never gave horizon its password.  It's powerful, but not all powerful.19:27
ayoungThe only alternative for SAML/OpenID connect is to go direct to Keystone, get a token, and hand that to Horizon via a header19:27
nkinderayoung: or the kerberos approach, where horizon only has power until the kerberos ticket expires19:28
nkinderayoung: for password, there's not much that can be done if horizon keeps the password19:29
nkinderayoung: gotta jump into a meeting now... last one of the day if things go as planned19:29
*** schofield has joined #openstack-keystone19:30
ayoungstevemar, what is your plan for oauth?  Anything regarding Horizon?19:35
*** browne has joined #openstack-keystone19:35
stevemarayoung, no plans on the horizon (pun intended)19:35
ayoungstevemar, I'm trying to figure out how Federation and Horizon are going to interoperate19:36
ayoungFor Kerberos, I can use a delegation mechanism specific to Kerberos19:36
stevemarayoung, yeah. thats a huge hurdle19:36
ayoungstevemar, the best I can think is that we put a web UI on a subset of Keystone functionality19:37
ayoungstevemar, for example, if we allowed a user to go via any auth mechanism to a webUI and get an unscoped token, it could pass that token to Horizon.  Either via CORS or something with OAuth, or via memcached and a session cookie19:38
stevemarayoung, also, the matter of where would the code live19:39
ayoungstevemar, you mean in Horizon or in Keystone?19:39
stevemarayoung, yep19:39
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Move DisableModuleFixture to utils  https://review.openstack.org/9349619:40
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth  https://review.openstack.org/8198119:40
*** henrynash has joined #openstack-keystone19:42
*** marcoemorais has joined #openstack-keystone19:43
*** gokrokve has joined #openstack-keystone19:43
ayoungdolphm, have you given any thought to Federation and Horizon?  Short of the user going direct to Keystone, I'm stumped.  Only Kerberos provides a delegation mechanism.19:45
*** gokrokve_ has joined #openstack-keystone19:45
openstackgerritBrant Knudson proposed a change to openstack/keystone: Adds function to compare DNs  https://review.openstack.org/9451319:45
*** gokrokve has quit IRC19:48
*** gokrokve_ has quit IRC19:50
ayoungbknudson, just read the commit message https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-1-2&id=94d457e83c172320707fbf13f7a1587dad128ece19:51
bknudsonayoung: that would be nice to have in keystone19:52
bknudsonwould be a change from what we're doing now19:52
bknudsonsome people seem to like working with strings for some reason19:52
ayoungbknudson, jdennis is working on it, but he just got pulled into some OpenDaylight work.  And he's like a coding Orson Welles:  he will post no code...before its time.19:53
*** marcoemorais has quit IRC19:54
bknudsonI've found that posting code early gets you good feedback.19:54
*** marcoemorais has joined #openstack-keystone19:54
bknudsonwe could learn from http://www.neary-consulting.com/index.php/2010/12/08/curing-shy-developer-syndrome/19:54
ayoungit also increases the likelihood it will make it in before deadlines19:54
ayoungyeah...that ain't me19:55
ayoungbknudson, so...lets make a pact to just keep his IRC client jumping until he posts it.19:56
* ayoung actually has his home number, but he also has mine19:56
tristanCThank you all for your time on that LDAP issue.19:59
*** marcoemorais has quit IRC20:01
*** marcoemorais has joined #openstack-keystone20:01
*** marcoemorais has quit IRC20:01
*** marcoemorais has joined #openstack-keystone20:02
openstackgerritBrant Knudson proposed a change to openstack/keystone: LDAP fix for get_roles_for_user_and_project user=group ID  https://review.openstack.org/9447020:02
openstackgerritBrant Knudson proposed a change to openstack/keystone: Adds function to compare DNs  https://review.openstack.org/9451320:02
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use DN comparison function  https://review.openstack.org/9471420:02
ayoungradez, what is the OS_AUTH_URL for Trystack?20:03
ayounggot it20:05
ayoungOS_AUTH_URL=http://x86.trystack.org:5000/v2.020:05
*** marcoemorais has quit IRC20:07
*** marcoemorais has joined #openstack-keystone20:08
dolphmbknudson: just ran the test suite in < 10 minutes with the patch to rip migrations out of test setup20:14
radezayoung: I think it's a duplicate config value that points to the keystone endpoint20:14
radezayoung: oh... ha you found it...20:14
bknudsondolphm: it takes 10 mins to run the tests??20:14
ayoungradez, yeah...just launching an instance...20:14
bknudsonnot running in parallel?20:14
radezayoung: ayoung lol, not to mention I totally misinterpreted what you were asking me20:15
ayoungradez, still working out a kink with the networking...I assume I need to set up a network, and route internal to external?20:15
radezayoung: did you get an api password ok?20:15
ayoungradez, yep20:16
ayoungradez, I thought Horizon had an option to let you download an RC file20:16
radezayoung: yup external is provided, setup an internal and a router and string them all together20:16
radezayoung: not that I know of, I've always gotten mine from trystack20:16
ayoungradez, this is very well done...20:16
radezer, packstack20:16
radezayoung: thx man, it's what I've been working on for the past year :)20:17
ayoungradez, need a way to make it possible for people to share, add them to their own projects etc20:18
ayoungGeneral Keystone problem20:18
ayoungradez, this is Icehouse, or still Havana?20:19
ayoungI know the announcement on FB said Ice, but the trystack page says Havana20:19
radezayoung: icehouse, since U320:19
ayounghttp://trystack.org/  next to the button...20:20
radezayoung: oh I should get them to update that. I don't maintain that page20:20
* radez sends email20:20
dolphmbknudson: umm, is that fast or slow?20:20
ayounganyway, the reason I ask is on the security page it should give the option for the admin password.  See our internal Horizon...20:20
ayoungLaunch Instance->access and security20:21
*** marcoemorais has quit IRC20:21
*** marcoemorais has joined #openstack-keystone20:22
nkinderayoung: so back to tokens, horizon, etc...20:23
nkinderayoung: the horizon case seems really tough outside of kerberos20:24
dolphmbknudson: so it turns out the db patch actually slows my test run down... and it's been awhile since i've run the whole suite locally20:24
radezayoung: It was in havana but didn't ever seem to work. It disappeared when I upgraded to icehouse20:24
ayoungnkinder, yep20:24
nkinderayoung: horizon is simply going to have a lot of power20:24
*** marcoemorais has quit IRC20:24
ayoungradez, I was having DHCP issues with a Centos Image.  Just trying a Fedora one....20:24
*** marcoemorais has joined #openstack-keystone20:24
nkinderayoung: did my writeup make sense with regards to how I think tokens should work?20:24
ayoungnkinder, I should have written that long ago20:24
ayoungyes, it makes sense20:25
dolphmayoung: regarding horizon & federation, i assume a JS client would talk directly to keystone20:25
radezayoung: story of my life... dhcp issues on trystack20:25
*** daneyon has joined #openstack-keystone20:25
nkinderayoung: will breaking the ability to change projects be a problem for anything other than horizon?20:25
ayoungnkinder, one thing is, right now, with a trust, you can create a token with a subset of roles, but not via direct token request20:25
dolphmayoung: and no, i haven't thought about it too much. there's someone around here that is going to work on that in juno though20:25
nkinderayoung: but a trust token can't be used to auth and get a different token20:25
nkinderayoung: the code already prevents that20:25
ayoungand...should we make people define a separate role for each API function, or just let them delegate access to a specific set of APIs?20:25
dolphmbknudson: so, you were right about performance.20:26
ayoungnkinder, If I wanted to create a token that only had one role on it, the only way I could do it is create a trust where I was both trustor and trustee20:26
nkinderayoung: yes, that's sort of the next step... figuring out how to set up roles and policy so you know what roles are needed ahead of time20:26
ayoungthen execute that trust20:26
*** amerine_ has joined #openstack-keystone20:27
ayoungI kind of think I'd rather delegate the rule name in the policy file.20:27
ayoungHeh20:27
ayoungSo I need to create a token with the role, plus I add an additional restriction:  can only be used against rules identity:create_user20:27
*** amerine has quit IRC20:28
ayoungbut...that is not what we really need.20:28
ayoungI mean, we do, but we also need:20:28
ayoungI want radez to create a project for me, and then give you access to it20:28
ayoungthat should be "I" give you access to it20:28
bknudsondolphm: yea, I didn't see any diff...20:29
ayoungI should be able to create a role:  project_admin, and then if a user has that role, they should be able to assign users the _member_ rule on a project in which they have that role assigned20:29
bknudsondolphm: although the patch says we won't be able to test with sqlite anymore when we move to alembic20:29
bknudsonso maybe it's a lot faster when we run our tests with mysql (or db2?)20:30
bknudsonthat might take more than 10 mins20:30
*** stevemar has quit IRC20:32
ayoungnkinder, but back to Keystone,  So if we don't trust Horizon, the next best thing we can do is trust a Keystone proxy20:32
ayoungI mean, right now, a user can't go to Keystone, get a token, and hand that to Horizon.  But they really should be able to20:33
ayoungand, if it could be done manually, it could be automated20:33
ayoungnkinder, If I were really paranoid, I would insist on creating the whole workflow from my machine, and sign it with a private key.20:35
ayoungSo we've already made a leap of faith in trusting Nova to talk to the other services on our behalf20:35
*** r-daneel has joined #openstack-keystone20:38
ayoungradez, do I still need to explicitly open port 22?  The default security zone looks the same as our internal20:41
amerine_"we don't trust horizon"? Who's "we"?20:42
ayoungamerine_, me and you20:43
*** amerine_ is now known as amerine20:43
*** gokrokve has joined #openstack-keystone20:43
ayoungamerine, so, what I was really saying was "how much risk are we willing to accept if Horizon gets hacked in a certain deployment"20:43
ayoungor "exposure" instead of "risk" is probably more correct20:44
radezayoung: yup20:44
ayoungradez, yup as in...I need to add 22?20:44
ayoungradez, I'm still not sure my problems aren't network related.  After that neutron issue you helped me with I'm very suspicious of networking20:45
radezayoung: it probably is networking related... it's not been super solid20:46
ayoungradez, also, should this page list port 80 or 443?  http://docs.openstack.org/grizzly/openstack-compute/admin/content/part-ii-getting-virtual-machines.html20:47
ayoungdown at the openpub security group def?20:47
nkinderayoung: I don't think we should stress over horizon just yet.  Kerberos auth helps there.  We should focus on restricting what services can do with tokens in the other services (nova, etc.)20:47
*** afazekas has joined #openstack-keystone20:47
ayoungnkinder, it ties in with how I tackle the Kerberizing of Horizon20:48
*** gokrokve has quit IRC20:48
ayoungif Kerberos is going to be completely different from any other protocol, so be it. But I'd like to at least consider the alternative20:48
ayoungand I don't want to work at cross purposes with the Federation BP20:48
*** afazekas is now known as afazekas_wfp20:50
nkinderayoung: horizon is going to need an unscoped token to switch between projects (I don't see a way around that)20:51
nkinderayoung: so it's all in how you get that unscoped token.  If you provide a credential that does not expire, horizon can reuse that over and over to get a new unscoped token until it forgets that credential (or it is changed)20:52
nkinderayoung: the only way I see around that is if the user uses a credential that expires to authenticate to horizon20:53
ereciosdf20:55
*** erecio has quit IRC20:59
*** afazekas_wfp has quit IRC20:59
*** clu_ has joined #openstack-keystone21:00
*** rodrigods has quit IRC21:02
*** gokrokve has joined #openstack-keystone21:04
*** jsavak has joined #openstack-keystone21:06
mfischI saw I got a +2 today but am waiting on workflow. Are all the steps of +1, +2, workflow, gate, smoke etc documented? It's not in the Gerrit Workflow wiki page21:08
*** joesavak has quit IRC21:10
*** amcrn_ has joined #openstack-keystone21:10
*** bknudson has quit IRC21:11
*** amcrn has quit IRC21:13
radezayoung: yea that page should probably include a web port21:14
radezayoung: seems that dhcp has bombed again... I'm considering switching over to vxlan21:14
*** marcoemorais has quit IRC21:34
*** marcoemorais has joined #openstack-keystone21:35
*** marcoemorais has quit IRC21:35
*** marcoemorais has joined #openstack-keystone21:35
*** andreaf has joined #openstack-keystone21:41
*** leseb has quit IRC21:47
*** dstanek is now known as dstanek_zzz21:47
*** marcoemorais has quit IRC21:47
*** bknudson has joined #openstack-keystone21:48
nkinderayoung: that LDAP patch doesn't work when we have ',' characters in the user_id attribute :(21:48
bknudsondid that work before?21:49
nkinderayoung: if we have 'cn=last, first', the assignment has a dn with 'cn=last\\2C first' and the user_dn has 'cn=last\, first'21:50
nkinderbknudson: well, we weren't doing a DN comparison there21:50
bknudsonwe need more tests21:50
nkinderbknudson: I suspect it worked, as I can't get a token as a user with a ',' in their user_id (which is something you fixed recently)21:50
nkinderbknudson: You fixed a problem where we got a 500 error, but now we get a 40121:51
nkinderbknudson: this is where a real DN comparison function would help :)21:51
bknudsonnkinder: does it work with https://review.openstack.org/#/c/94714/ ?21:51
nkinderbknudson: let me try it...21:52
bknudsonhopefully str2dn handles the escaping, because I didn't add any code to do it.21:54
*** hipster has quit IRC21:55
*** daneyon has quit IRC21:58
nkinderbknudson: success!21:59
bknudsonthat code works better than I thought it would22:00
bknudsonI should add a testcase for it.22:00
*** browne has quit IRC22:00
nkinderbknudson: you might have covered this with the testcase you added for the other 500 error issue22:00
bknudsonthat only fixed the group query -- https://review.openstack.org/#/c/85402/222:01
nkinderbknudson: ok, I'll add a comment with the test I used22:03
nkinderbknudson: which review do you think it belongs with?  The one that adds the DN comparison methods, or the one that uses it in the assignments driver?22:03
nkinderI'm leaning towards the assignments driver one since that's where it needs the fix22:04
nkinderlet me rephrase. '...since that is the patch that fixes this issue'22:04
bknudsonwell, are we going to reject the current version of "LDAP fix for get_roles_for_user_and_project user=group ID" since it causes a regression?22:05
nkinderbknudson: yes, we should if it hasn't merged yet IMHO22:06
*** joesavak has joined #openstack-keystone22:06
bknudsonnkinder: https://review.openstack.org/#/c/94470/ hasn't merged yet.22:06
nkinderok, I'll reject it and provide my test that highlights the regression22:07
bknudsony, I'd like to write a unit test for it.22:07
*** dstanek_zzz is now known as dstanek22:08
bknudsonwe've got test_user_id_comma in test_backend_ldap but it just does self.identity_api.list_groups_for_user22:08
*** browne has joined #openstack-keystone22:09
*** jsavak has quit IRC22:09
*** henrynash has quit IRC22:10
bknudsonI'm not sure how well our fakeldap will handle it anyways22:10
*** gokrokve has quit IRC22:12
*** gordc has quit IRC22:13
nkinderbknudson: see my comment in https://review.openstack.org/#/c/94470/22:13
nkinderbknudson: you should probably add a -2 to block it22:13
nkinderdolphm, tristanC: ^^^ sorry, one more problem uncovered with the LDAP patch22:14
bknudsonI'll make it wip22:14
tristanCnkinder: do you know if it also impacts stable/icehouse?22:15
openstackgerritRichard Megginson proposed a change to openstack/keystone: test_user_mixed_case_attribute fails - mail, not email  https://review.openstack.org/9466822:15
harlowjaany keystone folks around mind looking/checking/commenting on https://review.openstack.org/#/c/88419/22:17
harlowjajust a question there on domains22:17
nkindertristanC: the previous fix introduces a regression that I'm fairly certain will impact any of the stable releases if we merge it there22:17
bknudsonthis is only backported to icehouse22:18
*** dims has quit IRC22:18
bknudsonalthough I didn't look into the LDAP issue on older releases.22:18
*** dstanek is now known as dstanek_zzz22:18
nkinderbknudson: me either22:18
*** marcoemorais has joined #openstack-keystone22:21
*** dstanek_zzz is now known as dstanek22:27
bknudsonnkinder: wrote a unit test but it didn't fail... probably due to fakeldap not working like real ldap.22:28
bknudsonhttp://paste.openstack.org/show/81106/22:28
nkinderbknudson: yes, I was using real LDAP22:29
nkinderbknudson: I expect that it is returning the DN in a search escaped differently (\2C vs \,)22:29
*** electrichead has joined #openstack-keystone22:29
nkinderbknudson: let me test with ldapadd/ldapsearch...22:29
bknudsonI was also running with master and not the patch. Let me try switching to the patch.22:30
*** electrichead is now known as Guest9247722:30
nkinderbknudson: in the meantime, I added a few minor comments to https://review.openstack.org/#/c/9451322:30
*** Mikalv has quit IRC22:31
*** Mikalv has joined #openstack-keystone22:32
nkinderbknudson: OpenLDAP returns the DN with \2C even if you add an entry with the \, style escaping22:32
nkinderbknudson: that explains why your test with fakeldap didn't see the problem22:32
bknudsonI can change fakeldap to do that22:32
nkinderbknudson: you could mock the search result in a test to force it22:32
nkinder...or tweak fakeldap to mimic OL22:33
*** toddnni_ has joined #openstack-keystone22:34
*** gabrielbezerra has joined #openstack-keystone22:36
*** amcrn_ has quit IRC22:36
*** redrobot has quit IRC22:38
*** anteaya has quit IRC22:38
*** toddnni has quit IRC22:38
*** gabriel-bezerra has quit IRC22:38
*** r-daneel has quit IRC22:41
*** gokrokve has joined #openstack-keystone22:43
*** jamielennox|away is now known as jamielennox22:43
*** gokrokve has quit IRC22:47
*** bobt has quit IRC22:49
*** richm has quit IRC22:49
*** rwsu has quit IRC22:49
*** joesavak has quit IRC22:51
bknudsonSo I'm getting [u'CN=Doe\\, John,OU=Users,CN=example,CN=com', u'CN=two,OU=Users,CN=example,CN=com', u'CN=badguy,OU=Users,CN=example,CN=com']22:55
bknudsonbut for openldap it turns to CN=Doe\\2C John,OU=Users,CN=example,CN=com22:55
bknudsonldapadd with "member: cn=Doe\, John,ou=Users,dc=openstack,dc=org", then do ldapsearch and you get back "cn=Doe\2C John,ou=Users,dc=openstack,dc=org" instead!22:55
bknudsonldap is one crazy bitch of a protocol22:55
lbragstadlol22:56
*** anteaya has joined #openstack-keystone22:57
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add a test for getting grant for a user with a , in ID  https://review.openstack.org/9474023:01
dstanekanyone know off-hand what the most common operation is in keystone? getting tokens?23:01
lbragstadthat would be my guess23:01
bknudsonnkinder: https://review.openstack.org/94740 is the test23:02
bknudsonworks without https://review.openstack.org/#/c/94470/ but fails with it.23:02
bknudsonand using the new DN compare function it passes again.23:06
bknudsonso let me fix up the DN compare functions based on nkinder comments.23:06
nkinderbknudson: the test looks good.  Just +1'd it.23:07
nkinderfun times with LDAP... :)23:08
nkinderdstanek: I would think that is correct, but I don't have any real data to back it up with23:09
bknudsondstanek: probably depends on the setting for cache times... auth_token used to fetch the revocation list every second.23:09
nkinderdstanek: with UUID tokens, it was probably validating tokens23:09
bknudsonif you set the token cache time really short it would be validating tokens23:09
nkinderbknudson: yeah, that might have hammered keystone...23:10
*** richm has joined #openstack-keystone23:11
*** rwsu has joined #openstack-keystone23:12
*** bobt has joined #openstack-keystone23:13
*** thedodd has quit IRC23:16
ayoungnkinder, in Dad mode at the moment.  You have things covered?23:17
nkinderayoung: yup23:17
ayoungbknudson, what are we defaulting to in the new client for token hashing?  sha256 or sha1?23:21
nkinderayoung: md5 IIRC23:22
ayoungnkinder, nah, in the replacement23:22
ayoungit's md5 now23:22
bknudsoncurrent client only has md523:22
*** andreaf has quit IRC23:22
nkinderayoung: I thought it couldn't be changed without affecting backwards compatibility23:22
bknudsonmd5 isn't going to change23:22
ayoungI know, new client will have support for configurable23:22
bknudsonthe default isn't going to change23:22
nkinderayoung: it's 'hardcoded md5' now23:22
nkindernew == configurable with md5 as the default23:22
bknudsonhopefully we'll be able to deprecate md523:23
ayoungbknudson, and move to sha256?23:23
bknudsonright, the default would be sha25623:23
bknudsonI think people still like "crypto" protocols to be configurable23:23
nkinderbknudson: +123:23
bknudsonin case someone finds a way to break sha25623:23
dstaneklbragstad, nkinder, bknudson: thanks - i made a bunch of experimental changes that make authing about 25% faster in my test env23:24
lbragstad++23:24
lbragstadnice!23:24
dstanekdoes anyone have access to anonymized Keystone Apache logs?23:25
bknudsondstanek: we've got the rally job so we should be able to see the results23:25
dstaneki'd love to see in a real deployment what the most frequent method/urls are23:25
*** jogo has joined #openstack-keystone23:25
jdennisnkinder, bknudson: sorry for jumping in late, but OpenLDAP and 389DS escape differently, both legit, that's why you have to compare in a normalized canonical form, even in tests23:25
jogoit looks like https://bugs.launchpad.net/cinder/+bug/1285833 is back23:26
uvirtbotLaunchpad bug 1285833 in cinder "Keystone client racing on certificate lookups causing 401 Unauthorized on API calls" [High,Confirmed]23:26
*** rodrigods has joined #openstack-keystone23:26
dstanekbknudson: i'll start breaking this stuff up into logical commits23:26
*** david-lyle has quit IRC23:26
dstanekeverything right now is in my working dir - gevent conversion/uwsgi/speed enhancements/much, much more!23:26
nkinderjdennis: yep, there's no one 'right way' to express a DN23:27
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use DN comparison function  https://review.openstack.org/9471423:27
openstackgerritBrant Knudson proposed a change to openstack/keystone: Adds function to compare DNs  https://review.openstack.org/9451323:27
nkinderbknudson: I'm on it...23:27
bknudsonnkinder: ^ fixed it up based on your comments23:27
ayoungnkinder, I was responding to the Swift question about the size of PKI tokens, and wanted to give precise info.  I rewrote that email at least three times.23:28
jdennisnkinder, bknudson: I'll post my DN module (actually it's a DN class), I had been holding off because I know one significant behavior is specific to Python2 and won't work in a Python3 environment23:29
bknudsonso I think what I'd do is, put 94740 (grant test with ,) first, then 94513 (DN compare functions), then 94470 squashed with 94714 (LDAP fix + use DN compare in LDAP fix)23:29
nkinderbknudson: ok, I think I reviewed them all23:30
bknudsonfor the backport to stable/icehouse it would be SQL + LDAP fix + 94740 + 94513 + 94714 all squashed.23:31
*** xianghui has joined #openstack-keystone23:33
*** harlowja has quit IRC23:33
*** harlowja_ has joined #openstack-keystone23:33
nkinderbknudson: that looks like the right order to me too23:34
nkinderbknudson: I've +1'd 94740 and 94513.  When 94470 and 94714 are squashed, I'll review that too.23:35
bknudsonso I just want to make sure that everyone's ok with the DN compare functions as is...23:36
jdennisMy dog was quilled by a porcupine a little bit ago, I have to take him to the vet23:36
bknudsonwe could wait for a more baked solution from jdennis23:36
nkinderjdennis: ouch...  good luck.23:36
bknudsonor switch to the jdennis approach when that's in23:37
nkinderbknudson: we shouldn't.  There's an OSSA tied to this.23:37
lbragstadjdennis: I've had that happen to mine before, good luck23:37
nkinderjdennis: hopefully not his face23:37
bknudsontake the dog or the porcupine to the vet?23:38
nkinderbknudson: I think the DN methods are a good step forward.  We can improve it further in master, but what you have now should only improve the situation.23:39
bknudsonalright, I'm ok with it so I'll get about doing the squashing. I'm going to eat dinner and let jenkins run23:39
nkinderbknudson: sounds good.  I'm off to open house for my kids in a bit, so I'll check back and review them this evening.23:41
nkinderbknudson: good work sorting this out!23:41
*** jogo has left #openstack-keystone23:41
*** browne has quit IRC23:42
*** morganfainberg_Z is now known as morganfainberg23:42
*** gokrokve has joined #openstack-keystone23:44
*** bobt_ has quit IRC23:46
*** bobt has quit IRC23:47
*** gokrokve has quit IRC23:49
*** openstackgerrit has quit IRC23:49
*** openstackgerrit has joined #openstack-keystone23:50
*** dstanek is now known as dstanek_zzz23:52
*** clu__ has joined #openstack-keystone23:53
*** dstanek_zzz is now known as dstanek23:54
*** clu_ has quit IRC23:55
*** clu__ is now known as clu_23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!