Monday, 2014-08-25

openstackgerrit	Jamie Lennox proposed a change to openstack/identity-api: API for auth-specific-data routes https://review.openstack.org/115423	00:01
jamielennox	stevemar: think i figured it out ^	00:03
jamielennox	no rush	00:03
stevemar	jamielennox, ah i see what you mean	00:04
stevemar	i think endpoint policy is going to do the same thing	00:04
jamielennox	stevemar: i think that's clear enough though	00:05
stevemar	errr.... re: the versioning	00:06
stevemar	jamielennox, would you hate me if i had a minor wording issue :)	00:09
stevemar	jamielennox, can you change:	00:10
stevemar	Deprecate list projects and domains in favour of core functionality available in v3.3	00:10
stevemar	to:	00:10
stevemar	Deprecate list projects and domains in favour of core functionality available in Identity API v3.3	00:10
bknudson	should be favor	00:12
openstackgerrit	Jamie Lennox proposed a change to openstack/identity-api: API for auth-specific-data routes https://review.openstack.org/115423	00:12
jamielennox	stevemar: done	00:12
stevemar	bknudson, jamielennox and i live by the queens english!	00:13
jamielennox	bknudson: ah, that's one of those american things that my spell checker won't tell me	00:13
jamielennox	stevemar: find and replace everything throughout identity-api with proper english spelling	00:14
*** topol has joined #openstack-keystone		00:17
jamielennox	bknudson: did you have any luck with the nova/neutronclient thing?	00:17
jamielennox	or i should just ask you tomorrow and let you finish the weekend	00:17
bknudson	jamielennox: no. I told nova I wasn't going to get it done so have abandoned it.	00:18
jamielennox	bknudson: do you have any specific blockers i need to fix in keystoneclient?	00:18
*** alex_xu has joined #openstack-keystone		00:18
jamielennox	i was going to have another look at the nova/cinderclient bit	00:18
bknudson	jamielennox: this is where I got to: https://review.openstack.org/#/c/113735/	00:19
jamielennox	the bypass url bit i know already	00:19
bknudson	so the first change I was trying to make was to have sessions support for what nova is currently doing...	00:19
bknudson	which is token or userid/username + password	00:19
bknudson	first oddity is that neutronclient supports different auth_strategies.	00:20
jamielennox	yea, novaclient does that - as far as i'm aware no-one ever wrote any other auth_strategies	00:20
bknudson	sessions only works with keystone auth strategy, so I kept the old code for non-keystone auth strategy	00:20
bknudson	neutronclient does have another auth strategy... I think it's noauth	00:20
bknudson	I'm not sure if there's been a release of neutronclient with session support yet.	00:21
bknudson	then I ran into the issue with the v2 auth plugin didn't support userId, which I think is fixed now.	00:21
jamielennox	i'm scared to look	00:21
bknudson	and released	00:21
jamielennox	released?	00:21
bknudson	maybe it was keystonemiddlewaret that was released...	00:22
jamielennox	oh? cool didn't realize that	00:22
jamielennox	yea, i don't see any new release for ksc	00:22
bknudson	I think the token_endpoint plugin was the right one to use for when a token is given...	00:24
bknudson	I was hoping that I'd be able to get rid of the CONF.neutron.url	00:24
bknudson	but if nova has to support token auth then it's going to need the neutron URL	00:24
bknudson	maybe the catalog from auth should be used instead.	00:24
bknudson	or the new token auth plugin from auth_token middleware	00:25
jamielennox	bknudson: yea, it should be doing catalog but we can only move it so fast	00:25
bknudson	so that's the v2 auth	00:25
bknudson	then next step is to support v3 auth, which involves adding a bunch of config options	00:25
bknudson	then the step after that is to support version discovery.	00:25
jamielennox	i was hoping that nova would be a huge beneficiary of the auth plugin from middleware. However i don't know if they'll accept it going across as part of the context	00:25
jamielennox	so it's not the nova-api that's doing the work so it serializes everything and puts it in context	00:26
jamielennox	i wrote https://review.openstack.org/#/c/113163/ specifically for this	00:26
bknudson	jamielennox: the use case is nova connecting to neutron.	00:27
jamielennox	but i think there are stability requirements on that context object and i don't think they'll be happy adding a whole lot of redundant information to it	00:27
bknudson	for neutron comm we need the token and the catalog... isn't that what's in the plugin?	00:28
jamielennox	yes	00:28
bknudson	deprecate the other fields so we can get rid of them instead.	00:28
bknudson	make it so you can get the token and catalog from the plugin	00:28
jamielennox	https://github.com/openstack/nova/blob/master/nova/context.py#L47	00:28
jamielennox	https://github.com/openstack/nova/blob/master/nova/context.py#L122	00:29
jamielennox	this is the information that nova packages and sends as part of every RPC	00:29
jamielennox	because of that i think it needs to be stable because workers may be on different nova versions	00:29
bknudson	how could the auth_token be useful going across rpc?	00:29
*** richm has quit IRC		00:30
jamielennox	user_id, service_catalog all that stuff is from the user's token	00:30
bknudson	oh, it's got the service catalog too	00:30
jamielennox	not just that: https://github.com/openstack/nova/blob/master/nova/context.py#L82-L88	00:31
bknudson	I think they might strip the service catalog down.	00:31
jamielennox	it's got a modified service catalog	00:31
jamielennox	and i bet this is why neutron has it's own config URL because it's not actually part of the service catalog	00:31
jamielennox	they did that instead of adding it	00:31
bknudson	still I don't see the point of the auth_token... unless it's a trust token it could be revoked.	00:31
jamielennox	so the place i know it's used is in cinder, nova will need to mount volumes as part of the VM boot process	00:32
jamielennox	that's something that needs to be done by a worker, not the API process so it has to send all that info	00:32
jamielennox	i don't know about the interaction with neutron if there is anything that happens after boot	00:33
bknudson	right... neutron isn't done by the worker?	00:33
bknudson	I didn't look into it.	00:33
jamielennox	i honestly have no idea	00:33
*** hrybacki has quit IRC		00:33
bknudson	so anyways that's where the nova / neutron work went.	00:34
jamielennox	hmm, maybe this is why nova uses it's own auth to talk to neutron because it can't assume the user's token is valid	00:34
bknudson	since it didn't look like I'd be able to get it proposed by their cutoff I told them not to worry about it.	00:34
bknudson	I can imagine nova might just want to get neutron to do something when it's not on the user's behalf	00:35
jamielennox	ok, so particularly need a bypass url and to look more into the existing auth_strategy	00:35
bknudson	wouldn't nova have to talk to cinder to unmount the volume?	00:36
jamielennox	i guess this is a X-Service-Token situation	00:36
bknudson	or does it use the user's token for that too?	00:36
jamielennox	is that an explicit call? can it just drop the connection?	00:36
bknudson	good question	00:36
jamielennox	https://github.com/openstack/nova/blob/master/nova/volume/cinder.py	00:36
bknudson	I actually didn't look into whether neutron ever uses the username/password auth.	00:36
jamielennox	neutron did some nasty things to get itself going	00:37
*** mitz has joined #openstack-keystone		00:37
jamielennox	so there are explicit calls in there to detach from cinder - maybe this is ok because you need to make an explicit call to nova to drop the VM?	00:38
bknudson	there must be times when nova drops a vm on its own.	00:38
bknudson	maybe not	00:38
jamielennox	or on behalf of heat or someone	00:39
bknudson	I would think if the vm was misbehaving	00:39
bknudson	or if the vm went away on its own... like a local shutdown or something.	00:39
jamielennox	i think it just goes into an error state	00:39
jamielennox	but if that's true i would expect the same things of neutron	00:40
*** richm has joined #openstack-keystone		00:43
*** ncoghlan has joined #openstack-keystone		00:57
*** mitz has quit IRC		01:01
*** mitz has joined #openstack-keystone		01:04
*** mitz has quit IRC		01:13
*** mitz has joined #openstack-keystone		01:16
*** alex_xu has quit IRC		01:27
*** wwriverrat has quit IRC		01:43
*** oomichi has joined #openstack-keystone		01:52
*** alex_xu has joined #openstack-keystone		02:03
*** hrybacki has joined #openstack-keystone		02:08
*** richm has quit IRC		02:16
*** ukalifon1 has joined #openstack-keystone		02:29
*** diegows has quit IRC		02:41
*** dims has quit IRC		02:44
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow overriding endpoint URLs in session https://review.openstack.org/116543	02:45
jamielennox	bknudson: I assume you're not here but this should work for overriding the URL ^	02:46
*** dims has joined #openstack-keystone		02:47
*** dims has quit IRC		02:47
*** KanagarajM has joined #openstack-keystone		02:51
*** KanagarajM has quit IRC		02:54
*** hrybacki has quit IRC		02:55
*** jasondotstar has quit IRC		03:26
stevemar	bknudson, sometimes you have the best comments	03:36
stevemar	"Limitations: all of them."	03:36
*** ukalifon1 has quit IRC		03:46
*** dims has joined #openstack-keystone		03:48
*** gokrokve has joined #openstack-keystone		03:53
*** dims has quit IRC		03:53
*** amirosh has joined #openstack-keystone		03:58
*** stevemar has quit IRC		04:02
*** gokrokve has quit IRC		04:10
*** gokrokve has joined #openstack-keystone		04:15
*** ncoghlan is now known as ncoghlan_afk		04:25
*** gokrokve has quit IRC		04:27
*** gokrokve has joined #openstack-keystone		04:28
*** gokrokve has quit IRC		04:32
*** dims has joined #openstack-keystone		04:53
*** dims has quit IRC		04:59
*** ncoghlan_afk is now known as ncoghlan		05:00
*** topol has quit IRC		05:26
*** rushiagr_away is now known as rushiagr		05:32
*** ukalifon has joined #openstack-keystone		05:41
*** ajayaa has joined #openstack-keystone		05:45
*** miqui has quit IRC		06:00
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/111920	06:05
*** k4n0 has joined #openstack-keystone		06:05
*** afazekas has joined #openstack-keystone		06:11
openstackgerrit	A change was merged to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/116165	06:15
*** ajayaa has quit IRC		06:18
*** alex_xu has quit IRC		06:29
*** ajayaa has joined #openstack-keystone		06:38
*** alex_xu has joined #openstack-keystone		06:41
*** dims has joined #openstack-keystone		06:42
*** dims has quit IRC		06:47
*** nkinder has quit IRC		06:50
*** nkinder has joined #openstack-keystone		06:51
*** rushiagr is now known as rushiagr_away		07:00
*** rushiagr_away is now known as rushiagr		07:02
*** wanghong has quit IRC		07:10
*** jamielennox is now known as jamielennox\|away		07:33
*** praneshp has quit IRC		07:34
*** bvandenh has joined #openstack-keystone		07:35
*** ncoghlan has quit IRC		08:03
*** fmarco76 has joined #openstack-keystone		08:15
*** fmarco76 has left #openstack-keystone		08:15
*** mflobo has joined #openstack-keystone		08:20
*** dims has joined #openstack-keystone		08:31
*** dims has quit IRC		08:36
*** bdossant_ has joined #openstack-keystone		08:38
*** k4n0 has quit IRC		08:39
openstackgerrit	henry-nash proposed a change to openstack/keystone: controller for the endpoint policy extension https://review.openstack.org/115746	08:52
*** k4n0 has joined #openstack-keystone		08:53
*** KanagarajM has joined #openstack-keystone		08:55
*** rushiagr is now known as rushiagr_away		09:03
*** wanghong has joined #openstack-keystone		09:07
openstackgerrit	henry-nash proposed a change to openstack/keystone: backend for policy endpoint extension https://review.openstack.org/115362	09:09
openstackgerrit	henry-nash proposed a change to openstack/keystone: Make SQL the default backend for Identity & Assignment unit tests. https://review.openstack.org/116528	09:17
openstackgerrit	henry-nash proposed a change to openstack/keystone: Make SQL the default backend for Identity & Assignment unit tests. https://review.openstack.org/116528	09:18
*** ajayaa has quit IRC		09:31
*** ajayaa has joined #openstack-keystone		09:32
*** swartulv has quit IRC		09:42
openstackgerrit	henry-nash proposed a change to openstack/keystone: controller for the endpoint policy extension https://review.openstack.org/115746	09:44
*** swartulv has joined #openstack-keystone		09:45
ekarlso	is there a smart way to improve keystone performance ?	10:28
*** ChrisWentz has joined #openstack-keystone		10:42
ChrisWentz	Hi, does anyone know how to add a keystone tenant and user, i have tried to add it using the guides but it fails	10:43
*** ChrisWentz has quit IRC		10:46
*** k4n0 has quit IRC		10:47
*** k4n0 has joined #openstack-keystone		10:59
*** dims has joined #openstack-keystone		11:29
*** nkinder has quit IRC		11:36
openstackgerrit	Kanagaraj Manickam proposed a change to openstack/keystone: Endpoint table is missing reference to region table https://review.openstack.org/113183	11:37
*** KanagarajM has quit IRC		11:49
*** ukalifon2 has joined #openstack-keystone		11:54
*** ukalifon has quit IRC		11:55
*** f13o has joined #openstack-keystone		12:00
*** nkinder has joined #openstack-keystone		12:01
*** bvandenh has quit IRC		12:18
*** bvandenh has joined #openstack-keystone		12:19
*** hrybacki has joined #openstack-keystone		12:28
*** hrybacki has quit IRC		12:33
*** jasondotstar has joined #openstack-keystone		12:34
*** gordc has joined #openstack-keystone		12:39
openstackgerrit	A change was merged to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204	12:49
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620	12:52
*** dims has quit IRC		13:06
*** Kui has quit IRC		13:06
*** dims has joined #openstack-keystone		13:06
*** saipandi has joined #openstack-keystone		13:13
*** richm has joined #openstack-keystone		13:14
*** bknudson has quit IRC		13:18
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	13:18
*** chandankumar has joined #openstack-keystone		13:20
*** stevemar has joined #openstack-keystone		13:31
*** bdossan__ has joined #openstack-keystone		13:32
*** bdossan__ has quit IRC		13:32
*** nkinder has quit IRC		13:33
*** bdossant_ has quit IRC		13:33
*** k4n0 has quit IRC		13:35
*** ukalifon2 has quit IRC		13:36
openstackgerrit	Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite authentication support https://review.openstack.org/108384	13:37
*** bknudson has joined #openstack-keystone		13:37
openstackgerrit	A change was merged to openstack/identity-api: JSON Home support https://review.openstack.org/109881	13:38
*** joesavak has joined #openstack-keystone		13:39
*** chandankumar has quit IRC		13:46
*** nkinder has joined #openstack-keystone		13:48
*** ajayaa has quit IRC		13:52
*** topol has joined #openstack-keystone		13:55
*** ukalifon1 has joined #openstack-keystone		13:57
*** radez_g0n3 is now known as radez		14:02
*** oomichi has quit IRC		14:12
*** david-lyle has joined #openstack-keystone		14:17
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Create additional docs for role assignment events https://review.openstack.org/114813	14:18
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: Update region entries to include URLs https://review.openstack.org/114118	14:22
*** david-lyle has quit IRC		14:23
*** david-lyle has joined #openstack-keystone		14:23
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355	14:24
*** radez is now known as radez_g0n3		14:25
*** jraim__ has joined #openstack-keystone		14:29
*** cjellick has joined #openstack-keystone		14:30
*** electrichead has joined #openstack-keystone		14:31
*** mgagne_ has joined #openstack-keystone		14:32
*** Clabbe has quit IRC		14:32
*** mgagne has quit IRC		14:32
*** dolphm has quit IRC		14:32
*** jdennis has quit IRC		14:32
*** Ephur has quit IRC		14:32
*** jimbaker has quit IRC		14:32
*** dtroyer has quit IRC		14:32
*** lbragstad has quit IRC		14:32
*** jraim has quit IRC		14:32
*** Jean-Daniel has quit IRC		14:32
*** arunkant has quit IRC		14:32
*** russellb has quit IRC		14:32
*** therve has quit IRC		14:32
*** redrobot has quit IRC		14:32
*** Clabbe has joined #openstack-keystone		14:32
*** lbragstad has joined #openstack-keystone		14:32
*** dolphm has joined #openstack-keystone		14:32
*** Jean-Daniel1 has joined #openstack-keystone		14:32
*** jimbaker` has joined #openstack-keystone		14:32
*** dtroyer has joined #openstack-keystone		14:32
*** therve has joined #openstack-keystone		14:33
*** arunkant has joined #openstack-keystone		14:33
*** Ephur has joined #openstack-keystone		14:33
*** jdennis has joined #openstack-keystone		14:33
openstackgerrit	David Stanek proposed a change to openstack/keystone: Implement validation on Assignment V3 API https://review.openstack.org/86484	14:33
*** russellb has joined #openstack-keystone		14:33
openstackgerrit	David Stanek proposed a change to openstack/keystone: Implement validation on Assignment V3 API https://review.openstack.org/86484	14:34
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Create additional docs for role assignment events https://review.openstack.org/114813	14:38
*** cjellick has quit IRC		14:48
*** cjellick has joined #openstack-keystone		14:49
*** rharwood_ has joined #openstack-keystone		14:49
*** Ephur has quit IRC		14:50
*** Clabbe has quit IRC		14:50
*** rharwood has quit IRC		14:50
*** lbragstad has quit IRC		14:50
*** rharwood_ is now known as rharwood		14:50
*** dtroyer has quit IRC		14:50
*** dolphm has quit IRC		14:50
*** Clabbe has joined #openstack-keystone		14:50
*** lbragstad has joined #openstack-keystone		14:50
*** dtroyer has joined #openstack-keystone		14:50
*** dolphm has joined #openstack-keystone		14:50
*** Ephur has joined #openstack-keystone		14:50
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Move endpoint group filter to Kilo https://review.openstack.org/116633	14:50
openstackgerrit	A change was merged to openstack/keystone: Enhance V3 routers to store basic resource description https://review.openstack.org/111573	14:50
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Update blueprint text value for filter credentials https://review.openstack.org/116635	14:55
stevemar	where is our PTL?	14:56
dstanek	stevemar: in front of a Mac?	14:56
stevemar	dstanek, very very very likely	14:57
*** gokrokve has joined #openstack-keystone		14:59
*** electrichead is now known as redrobot		15:04
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Move trust redelegation to Kilo https://review.openstack.org/116639	15:04
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Move explicit unscoped token to Kilo https://review.openstack.org/116641	15:06
*** mikedillion has joined #openstack-keystone		15:09
*** radez_g0n3 is now known as radez		15:13
openstackgerrit	Matthew Edmonds proposed a change to openstack/keystone: assignment controller error path was not updated when dictionary format changed https://review.openstack.org/116647	15:15
openstackgerrit	Matthew Edmonds proposed a change to openstack/keystone: assignment controller error path fix https://review.openstack.org/116647	15:19
*** amirosh has quit IRC		15:22
*** amirosh has joined #openstack-keystone		15:23
*** ukalifon1 has quit IRC		15:25
*** amirosh has quit IRC		15:27
stevemar	dstanek, can i get a review of https://review.openstack.org/#/c/114813/9/doc/source/event_notifications.rst when you have a minute	15:31
stevemar	it should be painless :)	15:32
dstanek	stevemar: sure thing - in the middle of rebase/fixing things - as soon as i'm done i'll take a look	15:33
stevemar	dstanek, yeah, no rush, only asking you since you're the only person who wrote anything in the channel all morning :)	15:34
dstanek	:-)	15:34
dstanek	lesson learned	15:34
stevemar	d'oh!	15:34
*** gokrokve has quit IRC		15:35
openstackgerrit	Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite authentication support https://review.openstack.org/108384	15:41
*** gokrokve has joined #openstack-keystone		16:01
*** wwriverrat has joined #openstack-keystone		16:01
*** zzzeek has joined #openstack-keystone		16:03
*** bvandenh has quit IRC		16:04
*** henrynash has joined #openstack-keystone		16:07
*** ukalifon has joined #openstack-keystone		16:13
*** wwriverrat has left #openstack-keystone		16:14
openstackgerrit	Kanagaraj Manickam proposed a change to openstack/keystone: Endpoint table is missing reference to region table https://review.openstack.org/113183	16:16
*** praneshp has joined #openstack-keystone		16:19
*** amirosh has joined #openstack-keystone		16:23
*** dims_ has joined #openstack-keystone		16:23
*** wwriverrat has joined #openstack-keystone		16:24
*** dims has quit IRC		16:24
*** wwriverrat has left #openstack-keystone		16:25
*** ukalifon has quit IRC		16:26
*** radez is now known as radez_g0n3		16:26
*** amirosh_ has joined #openstack-keystone		16:27
*** amirosh has quit IRC		16:28
*** wwriverrat has joined #openstack-keystone		16:32
*** amirosh_ has quit IRC		16:33
*** amirosh has joined #openstack-keystone		16:33
*** wwriverrat has left #openstack-keystone		16:33
*** dims has joined #openstack-keystone		16:35
*** dims_ has quit IRC		16:35
samuelmz	lbragstad, ping	16:36
*** amirosh has quit IRC		16:38
dstanek	this would be so much faster if our test ran in under 30 seconds	16:46
*** radez_g0n3 is now known as radez		16:47
lbragstad	samuelmz: hi	16:48
*** wwriverrat has joined #openstack-keystone		16:49
samuelmz	lbragstad, could you take a look at https://bugs.launchpad.net/keystone/+bug/1360406 ? I replied your comment	16:49
uvirtbot	Launchpad bug 1360406 in keystone "Wrong return from list role assignments on KVS" [Undecided,New]	16:49
*** wwriverrat has left #openstack-keystone		16:49
lbragstad	samuelmz: cool, thanks! I've added it to my queue	16:51
*** afazekas has quit IRC		16:53
openstackgerrit	David Stanek proposed a change to openstack/keystone: Implement validation on Assignment V3 API https://review.openstack.org/86484	16:53
*** jimbaker` is now known as jimbaker		16:53
afaranha	Hello, did someone work with Policies API in Keystone? How does it works and whats the meaning of these policies, since as I read these policies are for projects not for endpoints?	16:55
*** marcoemorais has joined #openstack-keystone		16:56
openstackgerrit	Raildo Mascena de Sousa Filho proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355	16:56
samuelmz	lbragstad, ok thanks	16:56
*** wwriverrat has joined #openstack-keystone		16:57
*** openstackgerrit has quit IRC		17:00
*** harlowja has joined #openstack-keystone		17:01
*** wwriverrat has left #openstack-keystone		17:01
*** wwriverrat has joined #openstack-keystone		17:05
*** nkinder has quit IRC		17:05
*** wwriverrat has left #openstack-keystone		17:06
*** wwriverrat has joined #openstack-keystone		17:08
morganfainberg	dolphm, i'm looking at that expires mismatch bug	17:10
*** wwriverrat has left #openstack-keystone		17:10
morganfainberg	dolphm, not sure how that is occuring.	17:10
*** mgagne_ has quit IRC		17:11
*** mgagne_ has joined #openstack-keystone		17:11
*** openstackgerrit has joined #openstack-keystone		17:12
openstackgerrit	Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance https://review.openstack.org/116682	17:14
*** mikedill_ has joined #openstack-keystone		17:15
*** wwriverrat has joined #openstack-keystone		17:17
*** mikedillion has quit IRC		17:19
*** wwriverrat has left #openstack-keystone		17:19
*** nkinder has joined #openstack-keystone		17:24
*** esmute has quit IRC		17:24
*** aix has quit IRC		17:24
*** amerine has joined #openstack-keystone		17:27
*** rushiagr_away is now known as rushiagr		17:30
*** esmute has joined #openstack-keystone		17:37
*** radez is now known as radez_g0n3		17:39
*** mgagne_ is now known as mgagne		17:39
*** gyee has joined #openstack-keystone		17:48
*** david-ly_ has joined #openstack-keystone		17:49
*** zzzeek has quit IRC		17:51
*** zzzeek has joined #openstack-keystone		17:51
*** david-lyle has quit IRC		17:53
*** gokrokve_ has joined #openstack-keystone		17:54
dstanek	stevemar: topol: either of you guys get the link to the OpenStack CADF spec?	17:56
stevemar	dstanek, the so called openstack profile for cadf?	17:56
stevemar	dstanek, i think it's in the works, not delivered yet, according to the cadf website	17:57
stevemar	dstanek, http://www.dmtf.org/standards/cadf -> ctrl+f -> "CADF Profile For OpenStack"	17:57
dstanek	stevemar: i thought there was a work in progresss somewhere	17:58
stevemar	mmmm	17:58
*** gokrokve has quit IRC		17:58
*** gokrokve_ has quit IRC		17:58
stevemar	dstanek, not that i know of... topol ?	17:59
dstanek	stevemar: during our conference call Matt said he would email it out	18:00
*** esmute has quit IRC		18:00
stevemar	dstanek, let me go beat up matt and topol	18:00
*** esmute has joined #openstack-keystone		18:00
dstanek	stevemar: sounds good	18:01
dstanek	stevemar: that was quick...thanks!	18:09
stevemar	dstanek, np	18:10
stevemar	dstanek, oh he replied	18:10
stevemar	dstanek, even better	18:10
*** gokrokve has joined #openstack-keystone		18:13
topol	dstanek, wow I feel torches and pitchforks in my back :-)	18:15
dstanek	topol: haha, is stevemar on the war path?	18:17
stevemar	dstanek, i've been on a war path since FPF	18:18
*** david-ly_ is now known as david-lyle		18:18
topol	dstanek, stevemar is on my ass to get my rebase done too :-)	18:19
morganfainberg	dolphm, aha found it, bug in the test.	18:20
morganfainberg	should have been extracting events[1] not events[0]	18:20
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	18:21
*** rushiagr is now known as rushiagr_away		18:21
stevemar	morganfainberg, damn, good on you for finding that bug	18:23
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429	18:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model https://review.openstack.org/113430	18:27
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462	18:27
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012	18:27
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045	18:27
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove wsgi and base controller dependency on token_api https://review.openstack.org/115205	18:27
*** cjellick has quit IRC		18:29
*** jasondotstar has quit IRC		18:30
*** cjellick has joined #openstack-keystone		18:30
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Notification Constant Cleanup and internal notify type https://review.openstack.org/115337	18:30
*** jasondotstar has joined #openstack-keystone		18:31
* morganfainberg sighs		18:32
morganfainberg	more rebase issues.	18:32
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	18:32
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429	18:32
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model https://review.openstack.org/113430	18:32
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462	18:33
*** cjellick_ has joined #openstack-keystone		18:33
*** cjellick_ has quit IRC		18:33
*** cjellick_ has joined #openstack-keystone		18:34
*** cjellick_ has quit IRC		18:34
*** cjellick has quit IRC		18:35
*** cjellick has joined #openstack-keystone		18:35
*** jasondotstar has quit IRC		18:38
morganfainberg	stevemar, yeah that was subtle.	18:38
*** amirosh has joined #openstack-keystone		18:38
stevemar	morganfainberg, now to review all your code again :D	18:39
morganfainberg	lol	18:39
morganfainberg	hold up, doing rebase	18:39
morganfainberg	will take a nother couple minutes	18:39
stevemar	of course	18:39
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Notification Constant Cleanup and internal notify type https://review.openstack.org/115337	18:46
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove assignment_api dependency on token_api https://review.openstack.org/115338	18:46
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove wsgi and base controller dependency on token_api https://review.openstack.org/115205	18:46
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045	18:46
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove oauth controller dependency on token_api https://review.openstack.org/115343	18:46
morganfainberg	stevemar, sigh	18:54
morganfainberg	stevemar, well i really broke something.	18:54
stevemar	morganfainberg, MOAR rebase	18:54
morganfainberg	stevemar, i think the assignment rebase failed.	18:54
morganfainberg	stevemar, some conflict with the grant method changes	18:55
afaranha	dstanek: Hi, I was reading the patch https://review.openstack.org/#/c/74538/ , and I wonder why is it abandoned? Was this refactoring merged in another patch? Thanks	18:55
stevemar	morganfainberg, uh oh, hope that wasn't me	18:58
morganfainberg	stevemar, i probably was, but thats the risk of a long patch chain. something will merge and break you	18:58
morganfainberg	stevemar, :P	18:58
dstanek	stevemar: it's just the value of target that's a little fuzzy for me	18:59
stevemar	morganfainberg, just added a decorator :) easy rebase	18:59
*** jasondotstar has joined #openstack-keystone		19:03
*** Ugallu has joined #openstack-keystone		19:10
*** Ugallu has quit IRC		19:10
amirosh	dstanek: hi, have a question - I was trying to run ldap test cases with pg (or mysql) by changing [database] connection setting, found that it doesn't work because of # NOTE(dstanek): The database must be setup prior to calling the parent's setUp.	19:10
amirosh	dstanek: parent's setUp read config, but db session has been created already with the default settings	19:12
dstanek	afaranha: i fixed it to fix the import dependency i caused, but i didn'tlike it enough to resubmit	19:13
dstanek	amirosh: you are trying to run the unit tests against pg?	19:13
morganfainberg	stevemar, then i broke somewhere else up the patch chain. but yeah	19:13
amirosh	dstanek: right	19:14
*** wwriverrat has joined #openstack-keystone		19:15
*** nkinder has quit IRC		19:15
amirosh	dstanek: there is another issue - no psycopg2 in test-requirements, but the first issue is applicable to any db	19:16
*** mriedem has joined #openstack-keystone		19:18
mriedem	you guys aware of this hashseed failure? http://logs.openstack.org/19/111519/4/gate/gate-keystone-python26/7003102/console.html.gz#_2014-08-22_05_00_00_019	19:18
mriedem	tempest had the same problem last week with lxml	19:19
amirosh	dstanek: even mongo lib presents in test-reqs, looks like the conspiracy against pg	19:20
dstanek	amirosh: what config are you trying to change? i'm not sure the unit tests will work on pg	19:21
dstanek	amirosh: mongo is in the requirements because there is some mongo specific functionality that is tested	19:21
mriedem	should be a relatively easy gate fix here for someone https://bugs.launchpad.net/keystone/+bug/1361337	19:23
uvirtbot	Launchpad bug 1361337 in keystone "keystone.tests.test_serializer.XmlSerializerTestCase.test_collection_member random fails; lxml hashseed?" [Undecided,New]	19:23
amirosh	dstanek: backend_ldap.conf, but there are many confs with #To Test PostgreSQL: ..	19:23
dstanek	amirosh: IIRC the problem that we have have with real databases is the need to drop all tables are create the DB for each test	19:23
amirosh	dstanek: I understand and I'm fine with that. There is a bug, probably outdated, specific to 'real' dbs only https://bugs.launchpad.net/keystone/+bug/1262360	19:26
uvirtbot	Launchpad bug 1262360 in keystone "Unable to delete domain if user from other domain was added" [Medium,Triaged]	19:26
amirosh	dstanek: Just want to run this test against pg, forgot my mysql root password:)	19:28
*** jamielennox\|away has quit IRC		19:30
*** jamielennox\|away has joined #openstack-keystone		19:32
dstanek	mriedem: i would have expected this https://review.openstack.org/#/q/I99dc6401e73be4c61bb265c3258b6245f2e7bb34,n,z to have fixed that, but it looks likt it didn't	19:33
mriedem	dstanek: guess not, that merged on the 19th and logstash is showing hits on the 22nd	19:34
dstanek	mriedem: the fix is to add the PYTHONHASHSEED env var to tox right?	19:39
mriedem	dstanek: no	19:39
mriedem	dstanek: that's what clarkb was doing for projects until they got their tests straightened out	19:39
mriedem	dstanek: i think we're basically in whack a mole mode until then	19:39
mriedem	dstanek: so i guess it's up to the project	19:40
dstanek	mriedem: we've already had that in there for quite a while	19:40
mriedem	lxml is the problem i think	19:40
mriedem	but not sure why setting it in keystone's tox.ini wouldn't resolve that, maybe because lxml is native?	19:40
dstanek	i'll have to look at the matcher again and see if there is more to do there	19:41
*** mikedill_ has quit IRC		19:41
mriedem	just remove xml support :)	19:42
lbragstad	++	19:43
*** amirosh has quit IRC		19:45
*** amirosh has joined #openstack-keystone		19:46
openstackgerrit	Brad Topol proposed a change to openstack/keystone: Add audit support to keystone federation https://review.openstack.org/114337	19:46
dstanek	mriedem: yes!	19:47
lbragstad	mriedem: not that it's the immediate fix, but XmlBodyMiddleware is staged for removal	19:47
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L153-L157	19:47
mriedem	so gone in K?	19:48
mriedem	assuming that's what +2 means	19:48
dstanek	mriedem: yes	19:48
lbragstad	mriedem: believe so, dstanek wrote that	19:48
topol	dolphm, did your new credential stuff make its way to pypi?	19:49
topol	dolphm, do I need to do anything special in my local environment for it to find the new pycadf or will it magically pick it up?	19:50
*** amirosh has quit IRC		19:50
stevemar	topol, you can update requirements.txt to point to 0.6.0	19:54
dstanek	topol: you'll have to recreate your venv too	19:54
topol	dstanek, well that always goes well :-)	19:55
stevemar	is there a patch to update requirements?	19:55
stevemar	https://review.openstack.org/#/c/116360/	19:56
stevemar	yes there is	19:56
*** marcoemorais has quit IRC		20:01
*** joesavak has quit IRC		20:01
*** fifieldt_ has joined #openstack-keystone		20:02
*** cjellick_ has joined #openstack-keystone		20:03
*** cjellick has quit IRC		20:05
*** joesavak has joined #openstack-keystone		20:05
*** nkinder has joined #openstack-keystone		20:06
*** fifieldt has quit IRC		20:06
*** jsavak has joined #openstack-keystone		20:06
dstanek	stevemar: it may be a good idea to have Matt review https://review.openstack.org/#/c/114813	20:07
stevemar	dstanek, added him as a reviewer, can't believe i spelled him last name correctly in one shot	20:08
dstanek	impressive	20:08
*** cjellick_ has quit IRC		20:08
*** joesavak has quit IRC		20:10
*** dans_ has joined #openstack-keystone		20:12
dans_	It's easy for a user to check what projects they are in, but I can't find a way for an admin to check what projects a user is in	20:13
dans_	Any ideas?	20:13
*** henrynash has quit IRC		20:16
*** cjellick has joined #openstack-keystone		20:17
*** cjellick has quit IRC		20:18
*** marcoemorais has joined #openstack-keystone		20:18
*** cjellick has joined #openstack-keystone		20:18
*** mikedillion has joined #openstack-keystone		20:23
rodrigods	dans_, you can use GET /role_assignments passing the user id and project id	20:28
rodrigods	dans_, or just the user id	20:28
*** diegows has joined #openstack-keystone		20:29
*** gokrokve has quit IRC		20:29
*** henrynash has joined #openstack-keystone		20:38
dans_	rodrigods, what's the route?	20:38
dans_	rodrigods, curl -i -X GET http://192.168.55.253:35357/v2.0/role-assignments -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: 3f1d8be1cf044b3b8ae613c4a9db56b1" - 404 not found	20:39
dans_	rodrigods, similar to http://192.168.55.253:35357/v2.0/tenants/43c1dcd2fe6e4da2a26212f9a9af9914/users/25a57028b7534dcc8dec6ff28ec8a6e7/roles ?	20:39
*** henrynash has quit IRC		20:39
dstanek	dans_: you are using role-assignments instead of role_assignments	20:42
dans_	ah sorry, still no luck tho with http://192.168.55.253:35357/v2.0/role_assignments	20:43
dans_	hmm	20:43
*** wwriverrat has left #openstack-keystone		20:43
lbragstad	mriedem: were there other bugs opened similar to https://bugs.launchpad.net/keystone/+bug/1361337	20:43
uvirtbot	Launchpad bug 1361337 in keystone "keystone.tests.test_serializer.XmlSerializerTestCase.test_collection_member random fails; lxml hashseed?" [Undecided,New]	20:43
dstanek	lbragstad: a few for different projects	20:44
mriedem	lbragstad: yeah there are others for other projects	20:44
dstanek	dans_: i think this is a v3 thing	20:44
morganfainberg	lbragstad, mriedem keystone does some bad stuff with assuming we can do dict.items -> list and hashseed breaks it badly	20:44
morganfainberg	lbragstad, dstanek, mriedem, i tried to fix it earlier but it's going to require some rather heavy sorting or changes to how we store data. lxml being c-lib does things differently in some cases than the internal python dict. :( i saw lxml issues in the hashseed tests i was trying to fix	20:45
dans_	dstanek, yea! thank you!	20:46
dstanek	morganfainberg: i'm expecting that i can deal with it in the xmlmatcher - i haven't started looking at it, but that's where all or the comparing happens	20:46
morganfainberg	dstanek, yeah. the bulk of the issue is actually in keystone where we need to stop exploding dict key:value and expecting the list to be in the same order.	20:48
morganfainberg	dstanek, some of it is test-specific but same issue	20:48
morganfainberg	we have to keep xml till K right?	20:49
* morganfainberg would love to see lxml go away.		20:49
lbragstad	I believe so	20:49
dstanek	morganfainberg: yes	20:49
morganfainberg	oh except the saml things	20:49
morganfainberg	lame	20:49
morganfainberg	lxml might not go away even in K	20:49
dstanek	morganfainberg: you think that things beyond the tests care about the order?	20:49
morganfainberg	:(	20:49
morganfainberg	dstanek, well, i think that it's going to be really hard to write tests if we expect keys to come out in the same order	20:50
dstanek	morganfainberg: that's what the matcher does - takes two XML docs and checks to see if they are the same	20:51
dans_	rodrigods, I'm just not sure how to properly give a user id to GET /role_assignments	20:51
morganfainberg	dstanek, but we do care about list order in a lot of places we might need to be really sure we're not expecting an order that isn't maintained because of hashseed. i don't think of anything that stands out but we do a lot of dict -> list stuff	20:52
rodrigods	dans_, /role_assignments?user.id={user_id}	20:54
dans_	thx	20:55
openstackgerrit	Thiago Paiva Brito proposed a change to openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only) https://review.openstack.org/115770	20:55
dans_	found the docs shotly after, sorry	20:55
morganfainberg	stevemar, yeah just checked something in the assignment_api fix went sideways trying to rebase	20:55
morganfainberg	stevemar, oh	20:56
morganfainberg	stevemar, oh... wow	20:56
morganfainberg	stevemar, yeah your decorator change really broke my logic	20:57
stevemar	morganfainberg, ugh	20:57
stevemar	shit	20:57
morganfainberg	stevemar, i can fix it, i'll just not assume @deleted i'll move to using @internal	20:57
morganfainberg	stevemar, it's fine just an extra notification through the callback system	20:58
morganfainberg	oh.. crap can't don't have @internal yet. uhhhh	20:58
stevemar	yeah you do that in a later patch :\	20:58
stevemar	shit shit	20:58
morganfainberg	stevemar, i guess its time to re-order the patches.	20:59
dans_	rodrigods, great success :)	21:01
*** topol has quit IRC		21:01
morganfainberg	stevemar, oh... wait i might already have internal here	21:03
*** joesavak has joined #openstack-keystone		21:04
*** jsavak has quit IRC		21:04
*** david-lyle has quit IRC		21:06
hockeynut	hello keystoners (is that a thing)? I have expired signing_cert.pem on my test system. I think I need to use keystone-manage pki-setup but want to be sure before I hose everything :-)	21:06
morganfainberg	hockeynut, it might be a thing :P ayoung at least refers to us that way.	21:07
hockeynut	I figured I wasn't the first	21:07
morganfainberg	hockeynut, someone recently ran into this	21:07
morganfainberg	hockeynut, but in production let me see if i can find that information	21:07
hockeynut	that would be fantastic, thx!	21:08
morganfainberg	hockeynut, hm. well i don't see the info on it but... i think pki-setup wont overwrite the current cert info. the best bet is to issue a new cert from the CA (/etc/keystone/ssl) and update the config to point to it. that being said old tokens would be invalid immidiately	21:09
morganfainberg	hockeynut, you might need to delete the cache of the signing cert info for the other services and restart them to pick up the new certificate	21:10
hockeynut	morganfainberg cache means /etc/keystone/ssl/certs ?	21:10
morganfainberg	hockeynut, no, the auth_token middleware downloads a copy of the cert into /tmp. i think a restart should be sufficient of those services unless you've set https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L264-L273 those values for the auth_token middleware (in either the pase-ini or config for nova/cinder/glance/etc)	21:12
morganfainberg	hockeynut, /etc/keystone/ssl/certs (if you used pki setup) should be the place the cert/key/ca/etc is housed	21:12
morganfainberg	iirc	21:12
hockeynut	ah, ok. I am working on Barbican so this is on the Barbican machine...I know where they live	21:12
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove assignment_api dependency on token_api https://review.openstack.org/115338	21:13
*** rodrigods has quit IRC		21:13
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove oauth controller dependency on token_api https://review.openstack.org/115343	21:13
hockeynut	morganfainberg I would think this process would be on a wiki somewhere?	21:14
morganfainberg	hockeynut, i dunno if there is, we should document it if it hasn't been documented (check bugs.lauchpad.net/keystone and see if it's there, if not would be good to open a bug saying we need this info) :)	21:14
hockeynut	morganfainberg I shall	21:15
morganfainberg	hockeynut, also look in https://github.com/openstack/keystone/blob/master/doc/source/configuration.rst and see if it's there first	21:15
* morganfainberg hasn't looked there in a few.		21:15
*** gokrokve has joined #openstack-keystone		21:16
morganfainberg	hockeynut it doesn't look like it's there at a glance	21:16
hockeynut	morganfainberg ok - will poke around. thx for the pointers!	21:17
*** mikedillion has quit IRC		21:21
*** dans_ has quit IRC		21:25
openstackgerrit	A change was merged to openstack/keystone-specs: Fix minor RST and spelling errors in hierarchical multitenancy https://review.openstack.org/116423	21:25
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Mark methods on token_api deprecated https://review.openstack.org/115347	21:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add extra guarding to revoke_by_audit_id methods https://review.openstack.org/115147	21:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012	21:26
morganfainberg	stevemar, ok all rebased	21:26
morganfainberg	stevemar, finally :P	21:26
stevemar	morganfainberg, yay!	21:26
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Create additional docs for role assignment events https://review.openstack.org/114813	21:29
openstackgerrit	A change was merged to openstack/identity-api: Change location of OS-ENDPOINT-POLICY name in API urls. https://review.openstack.org/116358	21:39
*** mriedem has quit IRC		21:42
*** radez_g0n3 is now known as radez		21:48
*** dims has quit IRC		21:50
*** dims has joined #openstack-keystone		21:50
*** stevemar has quit IRC		21:53
*** amerine has quit IRC		21:53
*** radez is now known as radez_g0n3		21:54
*** david-lyle has joined #openstack-keystone		21:55
*** dims has quit IRC		21:55
*** dims has joined #openstack-keystone		21:59
*** dims_ has joined #openstack-keystone		21:59
*** cjellick_ has joined #openstack-keystone		22:00
*** serverascode has quit IRC		22:01
*** jamielennox\|away has quit IRC		22:01
*** serverascode has joined #openstack-keystone		22:02
*** jasondotstar is now known as jasondotstar\|afk		22:02
*** dims has quit IRC		22:03
bknudson	what do you think about changing common.router.Router to allow no key?	22:03
*** cjellick has quit IRC		22:03
*** jamielennox\|away has joined #openstack-keystone		22:03
bknudson	I guess it would break backwards compatibility. :(	22:03
bknudson	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/router.py#n20	22:04
morganfainberg	bknudson, i was wondering what the use-case was before worrying about compat	22:04
*** cjellick_ has quit IRC		22:04
morganfainberg	because there might be another approach that doesn't break compatibility	22:04
bknudson	morganfainberg: role assignments doesn't support key	22:04
morganfainberg	ah	22:04
bknudson	you can do GET /role_assignments	22:04
bknudson	but there's no GET /role_assignments/{role_assignment_id}	22:04
morganfainberg	bknudson, maybe this is where we need a lower-level router for something like that?	22:05
bknudson	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/controllers.py#n881	22:05
*** dims has joined #openstack-keystone		22:05
bknudson	looks like it's going to return NotImplemented	22:06
morganfainberg	ah.	22:06
bknudson	(where I would have expected a 404 Not Found	22:06
morganfainberg	yeah	22:06
*** dims_ has quit IRC		22:06
*** gordc has quit IRC		22:06
morganfainberg	mmm.	22:06
*** mitz has quit IRC		22:06
morganfainberg	yeah looks like it would break compat :(	22:06
bknudson	there are ways to work around it.	22:07
bknudson	we could have a controller that returns NotImplemented for get(), update(), delete() for the RoleAssignments case	22:07
bknudson	and for other cases if the key is None then don't make the routes	22:08
bknudson	morganfainberg: what do you think of that?	22:08
*** dims has quit IRC		22:08
morganfainberg	bknudson, that seems reasonable.	22:08
bknudson	I'll give it a shot.	22:08
*** dims has joined #openstack-keystone		22:09
*** david-ly_ has joined #openstack-keystone		22:09
*** dims has quit IRC		22:10
*** dims_ has joined #openstack-keystone		22:10
*** david-lyle has quit IRC		22:10
*** HenryG_ has joined #openstack-keystone		22:12
*** toddnni has quit IRC		22:14
*** HenryG has quit IRC		22:15
*** david-ly_ is now known as david-lyle		22:18
*** gokrokve has quit IRC		22:24
*** gokrokve has joined #openstack-keystone		22:31
*** shakamunyi has joined #openstack-keystone		22:32
*** shakamunyi has quit IRC		22:40
*** joesavak has quit IRC		22:48
*** amerine has joined #openstack-keystone		22:54
*** shakamunyi has joined #openstack-keystone		22:54
*** bknudson has quit IRC		23:03
*** wanghong has quit IRC		23:06
openstackgerrit	Yukinori Sagara proposed a change to openstack/python-keystoneclient: fix the AWS Signature Version 4 calculation, in the case of POST https://review.openstack.org/116523	23:09
*** navidp has joined #openstack-keystone		23:13
navidp	hi	23:14
navidp	do you know how to make .pem .pkiz for json in examples in keystone client	23:15
*** oomichi has joined #openstack-keystone		23:16
*** oomichi is now known as oomichi_away		23:17
*** jamielennox\|away is now known as jamielennox		23:17
*** navidp has quit IRC		23:22
*** amerine has quit IRC		23:23
*** alex_xu has quit IRC		23:24
morganfainberg	dolphm, gyee, dstanek, jamielennox, lbragstad, so I'm looking at refactoring the issue_token and validate_token paths now (so we can get to non-persistent-tokens). does it make sense to make the provider manager responsible for a lot of this work - we have the vXX data helper objects that do cross-manager work, it seems like we've pushed code down to the driver that doesn't need to be the driver. basically the driver needs 1	23:28
morganfainberg	thing at this point: get_token_id	23:28
morganfainberg	the rest of it is kindof superfluous to have in the swappable manager unless we expect a driver to change token format?	23:29
morganfainberg	methods that would be lifted to the manager: validate, issue. the v2/v3 versions of that code would get redirected to pass some "smart" arguments to do the "right" thing	23:30
morganfainberg	he driver would really be either "Generate UUID" or "sign" or "sign pkiz"	23:30
morganfainberg	and the persistence backend would then do "save_token"	23:30
jamielennox	morganfainberg: i've never liked that the token driver knows the difference between a v2 and a v3 token, that's a bad abstraction	23:32
morganfainberg	jamielennox, thats kindof my thought	23:32
jamielennox	generate_uuid is wrong as well though	23:33
morganfainberg	jamielennox, is it? for UUID tokens?	23:33
jamielennox	it would be create_id or such from a token model	23:33
*** gokrokve_ has joined #openstack-keystone		23:33
jamielennox	because create_id for UUID is a UUID and for PKI is a CMS hash	23:33
morganfainberg	jamielennox, sure, it would be similar to the get_token_id we have now	23:33
morganfainberg	"Generate UUID", "Sign", or "Sign PKIZ" is the functionality not the name	23:34
jamielennox	oh, i might have misread	23:34
jamielennox	yes they would be the implementations of a create_id	23:34
morganfainberg	yep	23:34
morganfainberg	which would be basically all the provider would do	23:34
jamielennox	+1	23:34
morganfainberg	now i just need to figure out all the permutations of crap that can be passed to issue_v2_token	23:35
jamielennox	heh, i tried this once before - it's tough because that is actually a driver interface so if you change it you need to keep compatibility for a cycle of two	23:35
morganfainberg	jamielennox, the plan is passing info to issue_v2_token would just pass through to the driver's old impl.	23:36
*** gokrokve has quit IRC		23:36
morganfainberg	and the new code would all reference 'issue_token' and 'validate_token'	23:36
morganfainberg	no version specifics	23:36
jamielennox	that's not the issue, you can do what you like on the manager	23:37
jamielennox	but it's a lot of if hasattr(backend, 'issue_token') else if hasattr(backend, 'issue_v2_token')	23:37
morganfainberg	negative	23:37
morganfainberg	manager implements the full stack of issue_token	23:37
morganfainberg	the issue_XX_token methods are really uninteresting and do cross-manager calls	23:38
jamielennox	oh? ok - it's been a while since i've looked	23:38
morganfainberg	i mean that would be the proposal	23:38
morganfainberg	if you call issue_vX_token you'd pass through to the old functionality	23:38
morganfainberg	the manager would have those methods deprecated	23:38
morganfainberg	everything in keystone would reference issue_token / validate_token instead of (issue\|validate)_v(2\|3)_token	23:39
jamielennox	right, but if someone has a custom implementation of a token provider that doesn't have our new methods it should still work	23:39
morganfainberg	the only method the driver would require is create_token_id(token_data)	23:40
morganfainberg	the manager would have all the other logic	23:40
morganfainberg	revoke_token is all by id (anyway) and 100% manager implemented	23:40
morganfainberg	persistence is a sub-manager now	23:40
morganfainberg	instead of token_api	23:41
morganfainberg	all this is doing is lifting the vXX token formatting stuff up to the manager (if someone has their own implementation of formatting the tokens, likely, it wont work anyway with auth_token)	23:41
openstackgerrit	Jamie Lennox proposed a change to openstack/identity-api: API for auth-specific-data routes https://review.openstack.org/115423	23:42
jamielennox	morganfainberg: ok	23:42
jamielennox	hey, completely change topic, do you know anything about the congress service?	23:42
morganfainberg	jamielennox, in my opinion, it's a bad idea	23:43
morganfainberg	jamielennox, yay lets ask a service about enforcing policy everytime we want to do something. it's a lot of what we've been fighting to solve from keystone's original design	23:43
jamielennox	i'm thinking about next steps and i was looking at ways we could do user defined and per project policy in keystone	23:43
morganfainberg	jamielennox, you're going to have scale issues.	23:43
jamielennox	this is a large part of what i'm hitting	23:43
morganfainberg	jamielennox, congress is going to have all the same issues and then some.	23:44
*** diegows has quit IRC		23:44
jamielennox	right, well i was just at the point of trying to figure out if it's doable and i honestly can't tell if this is a goal of congress or not	23:44
morganfainberg	jamielennox, it was afaict originally and when pressed for "how do you solve that issue" the answer was "well we do non-enforcing only to start"	23:45
morganfainberg	jamielennox, which in my mind says "we have no clue"	23:45
morganfainberg	so i've stayed very far away from that project	23:45
morganfainberg	i think per-endpoint policy is solid, per service policy same.	23:46
morganfainberg	i also think that enforcing which endpoints a token can interact with is good (whats in the catalog id list or some such)	23:46
morganfainberg	per domain might be doable, but i'm starting to worry about how we stack the policy enforcemnet rules	23:47
jamielennox	i'm still not sure on per-endpoint	23:47
morganfainberg	and per project/per user is likely silly. - we should focus on better RBAC or ABAC enforcement not make it so you can enforce differently based on the user's id	23:47
* morganfainberg would love to see ABAC		23:47
jamielennox	i see why but i've always considered that endpoints are essentially the same service	23:48
*** dims_ has quit IRC		23:48
jamielennox	what i want to do is allow admins to create there own roles	23:48
jamielennox	kind of reverse what we have now	23:48
*** dims has joined #openstack-keystone		23:48
jamielennox	so create a role that lets you do identity-api:create_user, identity-api:XXXX and a bunch of others	23:48
morganfainberg	jamielennox, i think per-endpoint is solved in the same way as what-endpoint-can-i-interact-with	23:49
jamielennox	let us do policy and role enforcement from horizon would be the goal	23:49
morganfainberg	jamielennox, erm, use-case is solved by	23:49
gyee	morganfainberg, about the token refactorying, I remember the reason we have this issue_v2_token stuff was because of PKI tokens	23:50
jamielennox	the only way i can see this working is that as part of your token request your roles are expanded into (let's call them) capabilities	23:50
gyee	originally I explored the idea of formatting token at middleware	23:50
gyee	just like the way we handle xml/json translation	23:50
morganfainberg	gyee, and if we have a formatter that says "format data as XXX" before signing it solves the same issue	23:50
gyee	but signing has to be done at issue time	23:51
morganfainberg	gyee, the flow would be: (for now) get_token_data, format_token_data, sign/generate_id, return data_Struct	23:51
gyee	as we can break the cryptographic signature	23:51
gyee	s/can/can't/	23:51
jamielennox	so your token comes with a list of identity:get_credential, identity:get_credential, identity:create_consumer or whatever	23:51
gyee	morganfainberg, absolutely, we did bounce the idea of having all that in a wsgi pipeline style	23:51
jamielennox	but that is only practical with UUID	23:51
*** dims has quit IRC		23:52
morganfainberg	gyee, i think this moves us closer to that if i can get this bit done	23:52
*** dims has joined #openstack-keystone		23:52
gyee	morganfainberg, sure, I am all for incremental improvement	23:52
morganfainberg	jamielennox, yeah i don't have a good answer. but per-user/per-project policy makes my skin crawl	23:52
gyee	eventually, I like the idea of pipeline	23:52
morganfainberg	gyee, the main thought is all the code that makes the token except the id generator (sign/uuid/pkiz) comes from the manager itself	23:53
morganfainberg	there is no real reason the code needs to stay in the provider driver	23:53
jamielennox	morganfainberg: i see nothing wrong with the idea from a security perspective, i just see it being really difficult to distribute	23:53
morganfainberg	jamielennox, i am looking from a scaleability perspective	23:53
morganfainberg	jamielennox, and there are security considerations, but not insurmountable	23:54
morganfainberg	jamielennox, i don't see how we can make it scale	23:54
jamielennox	well as i said i think it could be done with UUID, really got no idea for PKI	23:54
morganfainberg	jamielennox, though if keystone jammed signed (HMAC) token data into a "Fast" data store that auth_token could directly access instead of needing to decode the PKI data, we could do it	23:54
morganfainberg	it doesn't make tokens non-persistent, but it solves a lot of the issues with UUID tokens.	23:55
jamielennox	so we briefly talked about this at summit last time, and i was considering it again here	23:55
gyee	morganfainberg, we customized the token to add additional info	23:55
gyee	i.e. multi-region support	23:55
jamielennox	if auth_token was a middleware component that talked to a local service backed by memcache we get some wins, but not enough for this i think	23:56
morganfainberg	gyee, oh HP is jamming more data into the token	23:56
morganfainberg	gyee, well crap.	23:56
gyee	:)	23:56
morganfainberg	gyee, i really dislike that we don't have a defined token format and random crap is shoved into it	23:56
*** saipandi has quit IRC		23:56
jamielennox	gyee: are you guys doing PKI or UUID for that	23:56
gyee	for example, by looking at token ID, I can tell where's being issued	23:56
morganfainberg	that sounds kindof awful and awesome all at the same time	23:57
gyee	jamielennox, still using UUID in production	23:57
morganfainberg	more awful than awesome, but still a little awesome in it	23:57
jamielennox	i'm really interested in the results of morganfainberg's survey, i really think we need to look at UUID as the primary again	23:57
morganfainberg	jamielennox, oh i forgot to send that out	23:58
gyee	morganfainberg, I think its call "necessary evil" :D	23:58
morganfainberg	but it closed already	23:58
jamielennox	if anything we are getting more information that needs to go into the token and it's just not doable with PKI	23:58
morganfainberg	gyee, i think it's a "keystone sucked at defining token format so people abuse that"	23:58
morganfainberg	gyee, not a nessicary evil	23:58
gyee	morganfainberg, enterprise software, by definition, is custom software anyway	23:59
gyee	least from my past experience	23:59
jamielennox	morganfainberg: got a link to the raw results?	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!