Tuesday, 2014-12-02

00:01 *** chrisshattuck has quit IRC
00:02 <openstackgerrit> Merged openstack/python-keystoneclient: Replace magic numbers with named symbols  https://review.openstack.org/135127
00:02 <openstackgerrit> Merged openstack/python-keystoneclient: Remove middleware architecture doc  https://review.openstack.org/127081
00:02 <openstackgerrit> Merged openstack/python-keystoneclient: Cleanup exception logging  https://review.openstack.org/131295
00:02 <openstackgerrit> Merged openstack/python-keystoneclient: Warn that keystone CLI is pending deprecation  https://review.openstack.org/127684
00:02 <openstackgerrit> Merged openstack/python-keystoneclient: Rename the client API docs  https://review.openstack.org/127689
00:04 *** russellb has joined #openstack-keystone
00:04 *** wpf1 has quit IRC
00:06 *** dims has quit IRC
00:06 <jamielennox> arghhh, sahara is relying on the auth_token options in config :(
00:09 *** henrynash has quit IRC
00:10 *** henrynash has joined #openstack-keystone
00:10 *** ChanServ sets mode: +v henrynash
00:11 *** henrynash has quit IRC
00:15 *** wpf1 has joined #openstack-keystone
00:16 <openstackgerrit> Will Foster proposed openstack/keystone: skip assignment rows migrate if duplicate entry exists.  https://review.openstack.org/136946
00:17 *** diegows has quit IRC
00:18 <morganfainberg> jamielennox, :(
00:31 *** oomichi has joined #openstack-keystone
00:33 *** raildo_ has joined #openstack-keystone
00:37 *** raildo_ has quit IRC
00:40 *** henrynash has joined #openstack-keystone
00:40 *** ChanServ sets mode: +v henrynash
00:47 *** tellesnobrega__ has quit IRC
00:48 *** dims has joined #openstack-keystone
00:48 *** raildo_ has joined #openstack-keystone
00:50 *** dims_ has joined #openstack-keystone
00:50 *** nellysmitt has joined #openstack-keystone
00:52 *** zzzeek has quit IRC
00:53 *** topol has joined #openstack-keystone
00:53 *** ChanServ sets mode: +v topol
00:54 *** dims has quit IRC
00:54 *** tellesnobrega__ has joined #openstack-keystone
00:55 *** nellysmitt has quit IRC
00:57 *** amcrn_ has quit IRC
01:03 *** david-lyle is now known as david-lyle_afk
01:03 *** jimhoagland has quit IRC
01:10 *** htruta_ has joined #openstack-keystone
01:12 *** _cjones_ has quit IRC
01:14 *** dims_ has quit IRC
01:29 <openstackgerrit> Dolph Mathews proposed openstack/keystone: improve error message when tenant ID does not exist  https://review.openstack.org/131255
01:29 <openstackgerrit> ayoung proposed openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/81166
01:34 *** kobtea has joined #openstack-keystone
01:34 *** ncoghlan has joined #openstack-keystone
01:37 <ayoung> dstanek, so yeah, the ML message is roughly connected to what I was going to talk to morganfainberg about on Thursday.  Basically, I want to break apart service_v3 from our past pipeline.  It really only makes sense to do that, though, if we are going to keep the paste api.  I'm starting to wonder if it is time to resurrect  jamielennox 's pecan/wsme  effort
01:37 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove custom string truth handling  https://review.openstack.org/138220
01:37 <jamielennox> ayoung: :)
01:37 <jamielennox> i would love to see that get in
01:37 <jamielennox> it's harder than you think though
01:38 <ayoung> jamielennox, does it remove the need for paste.ini?
01:38 <openstackgerrit> Will Foster proposed openstack/keystone: skip assignment rows migrate if duplicate entry exists.  https://review.openstack.org/136946
01:38 <jamielennox> ayoung: it specifically doesn't touch paste - it was supposed to be as unobtrusive as possible
01:38 *** kobtea has quit IRC
01:40 <ayoung> jamielennox, dagnabit
01:40 <ayoung> pretty sure we had this exact exchange like a year ago
01:40 <jamielennox> ayoung: so paste is a wsgi layer for middleware
01:40 <ayoung> it's broken
01:40 <jamielennox> you can put it in or pull it out transparently to the underlying app
01:40 <ayoung> well, our use of paste
01:40 <jamielennox> ayoung: i agree
01:41 <ayoung> jamielennox, I was thinking to split out just the /auth pipeline, and...well we have all sorts of things that make that tricky
01:41 <ayoung> things like json_home and the OS-FEDERATION extension adding stuff into the /auth suburl
01:41 <jamielennox> ayoung: i'd like that - i'd love to see if we can put auth_token middleware in front of everything that is not /auth
01:42 *** tellesnobrega__ has quit IRC
01:42 <ayoung> ++
01:43 <ayoung> jamielennox, so one thing that is messed up is that token validation needs a token
01:44 <jamielennox> that would make auth_token so much easier
01:44 <ayoung> so POST and GET /auth/tokens
01:44 *** tellesnobrega__ has joined #openstack-keystone
01:44 <ayoung> the post to get a new token should not require a token...but should be able to handle it if one is passed in
01:45 <ayoung> now, if we do tokenless operations for validate....
01:45 <ayoung> which we should probably support, then it works out
01:45 <jamielennox> handle if one is passed to POST?
01:45 <ayoung> jamielennox, token for token exchanges still go to /auth
01:46 <jamielennox> token to token auth doesn't look like x-auth-token requests
01:46 <ayoung> ah, right, it is in the body
01:46 <openstackgerrit> Merged openstack/python-keystoneclient: Docstring cleanup for return type  https://review.openstack.org/127857
01:46 <ayoung> so really it is just the validate call.
01:47 <ayoung> which we could really replace with basic-auth
01:50 *** dims has joined #openstack-keystone
01:50 *** r-daneel has quit IRC
01:51 <openstackgerrit> Dolph Mathews proposed openstack/keystone: remove deprecated access log middleware  https://review.openstack.org/125703
01:52 *** andreaf has quit IRC
01:52 *** andreaf has joined #openstack-keystone
01:52 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Remove deprecated external authentication plugins  https://review.openstack.org/125701
01:52 <openstackgerrit> Merged openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/97681
01:59 <openstackgerrit> Dolph Mathews proposed openstack/keystone: remove XML middleware from default paste config  https://review.openstack.org/130371
02:03 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and session  https://review.openstack.org/117089
02:03 *** marcoemorais has quit IRC
02:04 *** gyee_ has quit IRC
02:07 <openstackgerrit> Dolph Mathews proposed openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/113905
02:09 *** tellesnobrega__ has quit IRC
02:10 <dolphm> ayoung: the other external authentication method still exist in https://review.openstack.org/#/c/125701/3/keystone/auth/plugins/external.py
02:10 <dolphm> methods*
02:10 *** henrynash has quit IRC
02:10 <ayoung> dolphm, line 151...the word "unintentionally" should not be there...that is what we need
02:11 <ayoung> dolphm, couldn'
02:11 <ayoung> dolphm, couldn't get it to work with the other plugins
02:11 <ayoung> there is supposed to be a setting for mod_auth_kerb that does a local user mapping, but it doesn't actually work right
02:12 <ayoung> with the mapping stuff, we can drop this, but not quite yet
02:12 <dolphm> ayoung: oh, i read your comment as if i had removed *all* the external auth methods
02:12 <ayoung> leave the review up there, though
02:12 <ayoung> I'll push it on through once the mapping works or I find some other workaround
02:13 *** jdennis1 has quit IRC
02:15 *** NM has joined #openstack-keystone
02:16 *** tellesnobrega__ has joined #openstack-keystone
02:16 *** Dafna has quit IRC
02:25 *** erkules_ has joined #openstack-keystone
02:25 *** richm has quit IRC
02:28 *** erkules has quit IRC
02:29 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Pass all adapter parameters through to adapter  https://review.openstack.org/138228
02:29 *** jdennis has joined #openstack-keystone
02:41 <openstackgerrit> ayoung proposed openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/81166
02:42 *** dims has quit IRC
02:48 *** nitish has joined #openstack-keystone
02:50 *** htruta_ has quit IRC
02:51 *** xxj has joined #openstack-keystone
02:51 *** nellysmitt has joined #openstack-keystone
02:51 *** dims has joined #openstack-keystone
02:51 *** dims has quit IRC
02:54 <openstackgerrit> ayoung proposed openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/81166
02:55 <openstackgerrit> ayoung proposed openstack/python-keystoneclient: Example Initialization scripts  https://review.openstack.org/82687
02:56 *** nellysmitt has quit IRC
02:56 *** nitish has quit IRC
02:56 <ayoung> jamielennox, do we have an auth plugin for the service_token yet?
02:57 <jamielennox> X-Service-Token?
02:57 <ayoung> jamielennox, er not
02:57 <ayoung> the ADMIN_TOKEN
02:57 <jamielennox> oh endpoint/url?
02:57 <ayoung> yeah
02:57 <jamielennox> ksc.auth.token_endpoint:Token
02:57 *** jdennis has quit IRC
02:58 <ayoung> jamielennox, for a python script, should I use the entry points, or just the python path?
02:59 <ayoung> cleaning up https://review.openstack.org/#/c/82687/16/examples/scripts/initialize_keystone.py,cm
02:59 <jamielennox> ayoung: just use the python
03:00 <ayoung> jamielennox, so     endpoint_plugin = keystoneclient.auth.token_endpoint.Token(
03:00 <ayoung>         endpoint=OS_SERVICE_ENDPOINT,
03:00 <ayoung>         token=OS_SERVICE_TOKEN)
03:00 <ayoung> session =  ksc.session.Session()
03:01 <ayoung> and client = (session=session, auth=endpoint+plugin)
03:01 <ayoung> er
03:01 <ayoung> and client = (session=session, auth=endpoint_plugin)
03:01 <jamielennox> yea, that won't work with ksc :(
03:02 <ayoung> ?
03:02 <jamielennox> https://review.openstack.org/#/c/138228/
03:02 <jamielennox> need ^ for passing auth= to ksc
03:02 <jamielennox> in many ways ksc is the hardest to fix
03:03 <jamielennox> it's debatable if it's backwards compatible
03:03 <ayoung> ssshhhh
03:03 <jamielennox> because it will error out if you pass kwargs that weren't there originally
03:03 <ayoung> jamielennox, "for now?"
03:03 <jamielennox> i think that's an error anyway
03:04 <jamielennox> just attach it to the session
03:04 <jamielennox> Session(auth=endpoint_plugin)
03:05 <ayoung> jamielennox, I want it to be a teaching tool, so show session reuse
03:05 <jamielennox> this is a problem for DOA as well
03:05 <jamielennox> ayoung: so you need to change the auth plugin midway through?
03:06 <ayoung> I can rebase on yours
03:06 <ayoung> jamielennox, sort of
03:06 <jamielennox> if you are always using the same plugin then attaching doesn't matter
03:06 <ayoung> jamielennox, I want to test that the newly created user works
03:06 <ayoung> so use the ADMIN_TOKEN to create a user, and then assign a role etc....
03:06 <ayoung> switch to the auth plugin for the new user and check that they can log in
03:07 <jamielennox> ok, put a +2 on that review if it works for you
03:07 *** NM has quit IRC
03:07 <jamielennox> i want to have that review in for the next release because i need it for DOA
03:08 <jamielennox> well, i want it
03:09 *** nitish has joined #openstack-keystone
03:11 <ayoung> jamielennox, we need it for the proper scoping of plug in and session, right?
03:12 <ayoung> dolphm, morganfainberg can one of you (or both) look at https://review.openstack.org/#/c/138228/
03:12 <jamielennox> ayoung: it works as advertised, just missing newer features
03:12 <jamielennox> ayoung: the dependent review to make ksc use adapter only got in a few hours ago
03:12 <ayoung> jamielennox, but auth= is required to create a client without auth being in the session, no?
03:12 <jamielennox> ayoung: correct
03:13 <ayoung> jamielennox, why does the comment say "for now?"
03:14 <jamielennox> i think i had this chat with dolphm as to whether we should allow the client __init__ to set service_type
03:14 <jamielennox> he was pretty adamant against it
03:14 <ayoung> so that probably will be the long term setting...but maybe not.  Got it
03:15 <jamielennox> I've been of the opinion it is something we should default correctly and let user set if required
03:15 <jamielennox> and that's how most of the other clients work
03:15 <jamielennox> some of them actually require setting service_type from config
03:15 <ayoung> I do see an argument that 'admin' should go away.
03:15 <ayoung> but if we ever get there, we'll deal
03:15 <jamielennox> ayoung: absolutely
03:15 <jamielennox> i'd really like to set interface to public by default
03:16 <jamielennox> at least for v3
03:16 <jamielennox> but that's a compatibility change
03:16 <ayoung> yep
03:16 <jamielennox> actually i reckon we can leave that one as a default value, people should be able to override that
03:16 <ayoung> nother patch
03:16 *** erkules_ is now known as erkules
03:17 <ayoung> would it be a problem for someone that needed to talk to keystone but only had access to the public interface?
03:20 *** ncoghlan is now known as ncoghlan_afk
03:25 <ayoung> jamielennox, http://paste.openstack.org/show/143142/
03:26 <jamielennox> ayoung: problem? at the moment i just don't think it would work with client
03:26 <ayoung> that is rebased on your commit
03:26 <jamielennox> ayoung: crap - yea that will be new
03:27 <ayoung> jamielennox, I'm going to post my review so I can keep it in sync with yours
03:27 <jamielennox> ayoung: where's that coming from?
03:29 <openstackgerrit> ayoung proposed openstack/python-keystoneclient: Example Initialization scripts  https://review.openstack.org/82687
03:29 <ayoung> jamielennox ^^
03:29 <jamielennox> ayoung: looks like you're passing management_url=something - ksc never accepted that argument
03:30 <ayoung> jamielennox, that was working before
03:31 <jamielennox> ayoung: right because **kwargs just ignored everything that wasn't known
03:31 <jamielennox> it didn't do anything it just wasn't an error
03:31 *** raildo_ has quit IRC
03:31 <ayoung> well, let me write it correctly, but..is this a non-backwards compat change we need to be concerned with
03:31 <jamielennox> this is what i meant by 'technically compatible'
03:31 <ayoung> ?
03:32 <jamielennox> <jamielennox> it's debatable if it's backwards compatible
03:32 <jamielennox> <ayoung> ssshhhh
03:33 *** nitish has quit IRC
03:39 <jamielennox> ayoung: it's a lot of rearchitecting to make it work when it's a situation we should never have supported
03:39 <ayoung> deal
03:39 <jamielennox> why the hell would we ever have allowed unknown kwargs
03:45 *** nitish has joined #openstack-keystone
03:48 <ayoung> jamielennox, OK,  got it working.  Need to populate the user identity.  Seems like there is not  user_client.user_id or  user_client.username set, even after list of projects
03:49 <jamielennox> ayoung: it's not set on client.
03:49 <jamielennox> that's correct
03:49 <jamielennox> it should never have been
03:49 <jamielennox> *grumble
03:49 <ayoung> jamielennox, is there any way to populate it or a comparable value on some other object?
03:49 <jamielennox> ayoung: what are you looking for ?
03:50 <ayoung> current user id, if set by name
03:50 <ayoung> username if set by id
03:50 <jamielennox> from what plugin?
03:50 *** ncoghlan_afk is now known as ncoghlan
03:50 <ayoung> password
03:50 <jamielennox> generic.password or v3.Password?
03:50 <ayoung> generic
03:51 <ayoung> trying to make this a shining example to the world
03:52 <jamielennox> ayoung: so best would be auth_plugin.get_access(session).user_id
03:52 <ayoung> jamielennox, and from the client?
03:52 <ayoung> would that be
03:52 <ayoung> user_client.auth_plugin.get_access(session).user_id
03:53 <jamielennox> you can do auth_plugin.auth_ref.user_id however that would assume you know that auth_ref is present and valid
03:53 <jamielennox> ayoung: i'd have just held on to the plugin if you need to use the plugin
03:53 <ayoung> I don't have the auth plugin available directly at this point
03:54 <ayoung> there is no way to query the current user data from the client itself?
03:55 <jamielennox> does make it more complicated, i'm trying to keep things of the opinion that the client shouldn't know
03:55 <jamielennox> no, you can't access it via client, you need to have the plugin
03:55 <ayoung> so if I have only, say the user id, what should a client consumer do
03:55 <ayoung> do another get?
03:56 <jamielennox> what do you mean - if you have user_id you will still need a token right?
03:56 <ayoung> say I have user_id, but  want the username
03:56 <ayoung> or the other way around
03:56 <jamielennox> there's nothing you can do, have to auth
03:56 <jamielennox> well you can do user_id -> user with GET /user/{id} i think
03:56 <jamielennox> i don't know if there is a username search
03:57 <ayoung>  user = user_client.users.list(name=OS_USERNAME,
03:57 <ayoung>                                   domain='default')[0]
03:57 <ayoung> ^^ jamielennox that worked
03:58 <jamielennox> cool
04:01 *** samuelms has quit IRC
04:05 <openstackgerrit> ayoung proposed openstack/python-keystoneclient: Example Initialization scripts  https://review.openstack.org/82687
04:06 <ayoung> jamielennox, checkout those scripts.  Do those fit your vision of how the plugins and session should be used?  If not, well, please comment.
04:06 * ayoung gonna get ready for bed
04:10 <stevemar> are we enforcing API changes in the same patch set as the spec?
04:11 <stevemar> cause there are none that have them
04:13 *** _cjones_ has joined #openstack-keystone
04:13 *** _cjones_ has quit IRC
04:14 *** _cjones_ has joined #openstack-keystone
04:19 *** _cjones_ has quit IRC
04:29 *** tellesnobrega__ has quit IRC
04:32 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Use new oslo.config generator  https://review.openstack.org/128440
04:35 *** ayoung has quit IRC
04:41 <openstackgerrit> Steve Martinelli proposed openstack/keystone: sync oslo  https://review.openstack.org/138253
04:51 *** nitish has quit IRC
04:52 *** nellysmitt has joined #openstack-keystone
04:57 *** chrisshattuck has joined #openstack-keystone
04:57 *** nellysmitt has quit IRC
05:01 *** sluo_laptop has quit IRC
05:11 *** kobtea has joined #openstack-keystone
05:13 *** lhcheng has quit IRC
05:13 *** lhcheng has joined #openstack-keystone
05:16 *** kobtea has quit IRC
05:18 *** lhcheng has quit IRC
05:25 *** ajayaa has joined #openstack-keystone
05:28 <openstackgerrit> Steve Martinelli proposed openstack/keystone: sync to oslo commit b19af08  https://review.openstack.org/138253
05:35 *** ajayaa has quit IRC
05:36 *** chrisshattuck has quit IRC
06:05 *** ajayaa has joined #openstack-keystone
06:07 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/136243
06:09 *** topol has quit IRC
06:11 <openstackgerrit> Dave Chen proposed openstack/keystone: Refactor the code to simplify the function invocation  https://review.openstack.org/133135
06:14 <openstackgerrit> Dave Chen proposed openstack/keystone: Refactor the code to join multiple criteria together  https://review.openstack.org/133135
06:26 *** lhcheng has joined #openstack-keystone
06:36 *** ukalifon1 has joined #openstack-keystone
06:43 <openstackgerrit> Steve Martinelli proposed openstack/keystone: sync to oslo commit b19af08  https://review.openstack.org/138253
06:45 *** harlowja_ is now known as harlowja_away
06:50 *** afazekas has joined #openstack-keystone
06:51 *** lhcheng has quit IRC
06:52 *** lhcheng has joined #openstack-keystone
06:53 *** nellysmitt has joined #openstack-keystone
06:58 *** nellysmitt has quit IRC
07:03 *** jimhoagland has joined #openstack-keystone
07:07 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Use new oslo.config generator  https://review.openstack.org/128440
07:14 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Use new oslo.config generator  https://review.openstack.org/128440
07:16 *** lhcheng has quit IRC
07:16 *** lhcheng has joined #openstack-keystone
07:21 *** lhcheng has quit IRC
07:21 *** k4n0 has joined #openstack-keystone
07:29 *** DaveChen has joined #openstack-keystone
07:33 <openstackgerrit> Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool  https://review.openstack.org/130824
07:36 <DaveChen> test...
07:40 <breton> passed
07:43 <DaveChen> the first time join in, thx. :)
07:47 *** mflobo has joined #openstack-keystone
08:02 <openstackgerrit> Steve Martinelli proposed openstack/keystone: User ids that begin with 0 cannot authenticate through ldap  https://review.openstack.org/137449
08:04 <openstackgerrit> Steve Martinelli proposed openstack/keystone: User ids that begin with 0 cannot authenticate through ldap  https://review.openstack.org/137449
08:04 *** ukalifon1 has quit IRC
08:05 *** ncoghlan has quit IRC
08:06 *** ncoghlan has joined #openstack-keystone
08:12 *** jimhoagland has quit IRC
08:23 *** stevemar has quit IRC
08:30 *** ncoghlan has quit IRC
08:31 *** yasu_ has quit IRC
08:35 *** henrynash has joined #openstack-keystone
08:35 *** ChanServ sets mode: +v henrynash
08:39 *** henrynash has quit IRC
08:42 *** ukalifon has joined #openstack-keystone
08:45 *** nellysmitt has joined #openstack-keystone
08:45 *** aix has quit IRC
08:48 *** kobtea has joined #openstack-keystone
08:53 *** kobtea has quit IRC
08:58 *** aix has joined #openstack-keystone
08:59 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove custom string truth handling  https://review.openstack.org/138220
09:15 *** RockKuo_Office has joined #openstack-keystone
09:18 *** jistr has joined #openstack-keystone
09:21 <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/138035
09:27 *** aix has quit IRC
09:40 *** svasheka_ has quit IRC
09:40 *** aix has joined #openstack-keystone
09:43 *** lsmola has quit IRC
09:48 *** yasu_ has joined #openstack-keystone
09:57 *** Dafna has joined #openstack-keystone
09:58 *** lsmola has joined #openstack-keystone
10:01 *** svasheka has joined #openstack-keystone
10:13 *** yasu_ has quit IRC
10:14 *** RockKuo_Office has quit IRC
10:20 *** samuelms has joined #openstack-keystone
10:27 *** samuelms has quit IRC
10:31 *** yasu_ has joined #openstack-keystone
10:34 *** lsmola has quit IRC
10:37 *** tellesnobrega has joined #openstack-keystone
10:40 *** jamielennox is now known as jamielennox|away
10:46 *** tellesnobrega has quit IRC
10:50 *** lsmola has joined #openstack-keystone
10:53 *** tellesnobrega has joined #openstack-keystone
10:55 *** yasu_ has quit IRC
11:02 *** Qlawy has joined #openstack-keystone
11:03 *** tellesnobrega has quit IRC
11:08 *** NM has joined #openstack-keystone
11:14 *** henrynash has joined #openstack-keystone
11:14 *** ChanServ sets mode: +v henrynash
11:17 *** NM has quit IRC
11:30 *** NM has joined #openstack-keystone
11:36 *** raildo_ has joined #openstack-keystone
11:37 *** yasu_ has joined #openstack-keystone
11:42 *** jistr is now known as jistr|training
11:43 *** raildo_ has quit IRC
11:47 *** tellesnobrega_ is now known as tellesnobrega
11:48 *** diegows has joined #openstack-keystone
11:49 <openstackgerrit> Bogun Dmitriy proposed openstack/keystone: FIX multiple SQL backend usage validation  https://review.openstack.org/138113
11:53 *** kobtea has joined #openstack-keystone
11:54 *** samuelms has joined #openstack-keystone
11:56 *** afaranha has quit IRC
11:57 *** kobtea has quit IRC
11:59 <samuelms> henrynash, morning
11:59 <henrynash> samuelms: good morning
11:59 <samuelms> henrynash, regarding the domain-roles changes ..
11:59 <henrynash> samuelms: yes
11:59 <samuelms> henrynash, how do you plan to split tasks ?
12:00 <samuelms> henrynash, can we start that or do you plan to have that after assignment split?
12:00 <henrynash> samuelms: so I’m open to suggestions….haven’t really planned it out yet….
12:01 <henrynash> samuelms: we can start now, I don’t see why not…pretty sure we are close to agreement on the spec
12:01 <samuelms> henrynash, ok .. I'd like to start the first points  :) I  think you're busy enough with the assignment split
12:01 <samuelms> henrynash, perfect
12:01 <henrynash> samuelms:  i guess one question is where does the code for domain-roles go?
12:02 <samuelms> henrynash, that's why you said ' Agree API changes for domain-role CRUD', right?
12:02 <henrynash> samuelms: I think I know where I think it goes, but interested in your view
12:02 <samuelms> henrynash, the first bullet point
12:02 <henrynash> samuelms: yes, first thing is to propose the new API spec
12:03 <henrynash> samuelms: which I think is pretty easy (famous last words)…..it’s just a mirror of the existing grant APIs
12:04 <samuelms> henrynash, so we should have inside the same grant api, right?
12:04 <henrynash> samuelms: I think so, yes
12:04 <samuelms> henrynash, that should now accept both role and role-groups when granting a role
12:04 <henrynash> samuelms: exactly
12:04 <samuelms> s/role-groups/domain-roles
12:04 <samuelms> :p
12:04 <henrynash> :-)
12:05 <samuelms> henrynash, great  .. can I start that spec?
12:05 <henrynash> samuelms: that would be great
12:05 <samuelms> henrynash, and then we can move fast to domain-roles
12:05 <samuelms> henrynash, cool .. thanks
12:05 <henrynash> samuelms: no, thanks to you!
12:05 <samuelms> henrynash, have some meetings today but I'll try to submit a first version of that
12:06 <samuelms> henrynash, :-)
12:07 <rodrigods> henrynash, https://review.openstack.org/#/c/138186/ :)
12:08 <rodrigods> henrynash, guess the assignment split should be rebased based on it
12:08 <henrynash> rodrigods: excellent!!  I think HM is a worthy winner of the race!
12:08 <rodrigods> henrynash, \o/
12:08 <rodrigods> but there are some more patches
12:09 <henrynash> rodrigods: a little task for me later today - just adding an sql upgrade to my split
12:09 <henrynash> rodrigods: should I hold off on a rebase then?
12:10 <rodrigods> henrynash, in this merge we have a dependency to patch that does a sql upgrade (parent_id)
12:11 <rodrigods> my only doubt is... what is the best rebase strategy
12:11 <rodrigods> rebase assignment split with https://review.openstack.org/#/c/117787/
12:11 <rodrigods> or rebase https://review.openstack.org/#/c/117786/ against the last change of the split series
12:18 *** henrynash has quit IRC
12:20 *** tellesnobrega_ has joined #openstack-keystone
12:28 *** k4n0 has quit IRC
12:47 <openstackgerrit> Sergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/118383
12:49 *** jdennis has joined #openstack-keystone
12:52 *** radez_afk is now known as radez
12:54 *** pc-m has joined #openstack-keystone
13:05 *** yasu_ has quit IRC
13:09 <openstackgerrit> Bogun Dmitriy proposed openstack/keystone: Remove irrelative comment  https://review.openstack.org/138355
13:17 *** henrynash has joined #openstack-keystone
13:17 *** ChanServ sets mode: +v henrynash
13:17 *** henrynash has quit IRC
13:20 *** henrynash has joined #openstack-keystone
13:20 *** ChanServ sets mode: +v henrynash
13:24 <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/138035
13:26 *** tellesnobrega_ has quit IRC
13:30 <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/138035
13:32 *** dims has joined #openstack-keystone
13:38 *** palendae has quit IRC
13:40 *** bknudson has joined #openstack-keystone
13:40 *** ChanServ sets mode: +v bknudson
13:40 *** tellesnobrega_ has joined #openstack-keystone
13:42 *** bknudson1 has joined #openstack-keystone
13:44 *** bknudson has quit IRC
13:46 *** palendae has joined #openstack-keystone
13:53 *** dims has quit IRC
13:54 *** dims has joined #openstack-keystone
13:54 *** aix has quit IRC
13:56 <samuelms> dstanek, ping .. you're working with the needed 'infra' to run functional tests on top of it, right?
13:56 <dstanek> samuelms: yes
13:56 <samuelms> dstanek, how close is that to be merged? do you have any code review?
13:57 <dstanek> samuelms: i have code that i can push today that runs the tests
13:57 <samuelms> dstanek, in fact we'd like to help .. and I'd like to find some place
13:57 <samuelms> dstanek, great!
13:57 <samuelms> dstanek, so with that code we can start writing functional tests for federation, right?
13:59 <dstanek> samuelms: almost - there is still a little federation stuff that i didn't work out yesterday
14:00 <dstanek> samuelms: and once i push the federation stuff i have to get some opinions on if i'm doing it how infra would
14:00 <dstanek> samuelms: for example i am running a Python process in the background to act as an IdP, but they may prefer it controlled by the init process
14:00 *** gordc has joined #openstack-keystone
14:07 <dstanek> samuelms: actually we can work in parallel on the tests
14:07 <dstanek> samuelms: you should be able to write federation tests against keystone right now and once i get my stuff in tree yours can be put on top of it
14:08 <vsilva> hi dstanek
14:09 <openstackgerrit> gordon chung proposed openstack/keystonemiddleware: documentation for audit middleware  https://review.openstack.org/130344
14:09 <vsilva> that sounds about right. we can start drafting out what we want to test and once your stuff is in we'll adapt it
14:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Remove XML support  https://review.openstack.org/125738
14:11 <samuelms> vsilva, :-)
14:14 <samuelms> vsilva, looks good
14:14 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Add positive test case for content types  https://review.openstack.org/130591
14:15 *** richm has joined #openstack-keystone
14:22 *** jimhoagland has joined #openstack-keystone
14:24 <dstanek> vsilva: hi
14:28 *** stevemar has joined #openstack-keystone
14:28 *** ChanServ sets mode: +v stevemar
14:30 *** ayoung has joined #openstack-keystone
14:30 *** ChanServ sets mode: +v ayoung
14:31 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Update docs to no longer show XML support  https://review.openstack.org/125753
14:32 *** ayoung has quit IRC
14:38 *** ayoung has joined #openstack-keystone
14:38 *** ChanServ sets mode: +v ayoung
14:39 <openstackgerrit> gordon chung proposed openstack/pycadf: sync oslo and bring in versionutils  https://review.openstack.org/138381
14:43 <dstanek> stacking and unstacking takes forever
14:48 *** lhcheng has joined #openstack-keystone
14:49 *** nellysmitt has quit IRC
14:50 *** richm has quit IRC
14:51 *** NM1 has joined #openstack-keystone
14:52 *** joesavak has joined #openstack-keystone
14:52 *** NM has quit IRC
14:54 <ayoung> dstanek, cut out all of the services but the ones you need.  What are you stacking/unstacking for?
14:55 <bknudson1> I usually just run with keystone
14:55 <bknudson1> and glance is easy to start, too
14:56 <ayoung> bknudson1, yep, that is the path I tend towards too, unless I need Horizon
14:57 <bknudson1> ENABLED_SERVICES=key,mysql,rabbit
14:57 <dstanek> ayoung: right now i am only enabling keystone+dbs, but it still takes a few mins
14:57 <bknudson1> enable_service g-api,g-reg
14:57 *** samuelms has quit IRC
14:58 <ayoung> dstanek, why are you unstacking?  Just restart keystone
14:58 <ayoung> systemctl restart httpd.service
14:58 <dstanek> ayoung: i'm building the scripts to setup functional testing environments
14:58 <ayoung> or whatever the Debian fork you are running uses
14:58 <ayoung> ah...yeah, then it is going to take some time
14:58 *** topol has joined #openstack-keystone
14:59 *** topol is now known as Guest62847
14:59 <ayoung> Guest62847, you are not fooling anyone topol!
15:00 *** r-daneel has joined #openstack-keystone
15:00 <openstackgerrit> gordon chung proposed openstack/pycadf: deprecate audit middleware  https://review.openstack.org/138386
15:01 <marekd> ayoung: nkdinder should be around reasonably soon or he is on some sort of holiday still?
15:01 <marekd> nkinder*, sorry
15:01 <ayoung> marekd, he was out sick yesterday
15:01 <marekd> :(
15:01 <ayoung> marekd, he's usually in by now...7AM west coast time
15:01 *** stevemar has quit IRC
15:02 <marekd> ayoung: allrighty, thanks.
15:02 <ayoung> marekd, no email from him saying one way or the other, though
15:02 *** stevemar has joined #openstack-keystone
15:02 *** ChanServ sets mode: +v stevemar
15:02 <marekd> ayoung: uhm. just wanted him to take a look at a spec. may shoot him an e-mail and he will respond whenever he can.
15:02 *** zzzeek has joined #openstack-keystone
15:03 *** Guest62847 has quit IRC
15:04 <marekd> henrynash: so for now i simply changed that groups must pre-exist in keystone, so we can use current roles assignments API. Could you take a look then? https://review.openstack.org/#/c/138035/
15:04 *** nellysmitt has joined #openstack-keystone
15:04 <henrynash> marekd: sure
15:04 <marekd> henrynash: (the first proposal, more kickass is put into alternatives with indication that there is a huuge dependency)
15:04 <marekd> henrynash: thanks.
15:05 *** richm has joined #openstack-keystone
15:06 *** NM1 has left #openstack-keystone
15:16 <henrynash> marekd: added comments
15:17 <openstackgerrit> ayoung proposed openstack/keystone-specs: Access Info  https://review.openstack.org/135774
15:17 *** jimhoagland has quit IRC
15:22 *** aix has joined #openstack-keystone
15:23 *** david-lyle has joined #openstack-keystone
15:27 <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/122281
15:27 <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Auth token tests create temp cert directory  https://review.openstack.org/122280
15:27 <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/102403
15:28 *** aix has quit IRC
15:28 *** aix has joined #openstack-keystone
15:30 <openstackgerrit> Marcos Fermín Lobo proposed openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/102244
15:30 <openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/131541
15:30 *** amakarov_away is now known as amakarov
15:32 *** chrisshattuck has joined #openstack-keystone
15:34 *** ukalifon has left #openstack-keystone
15:34 *** radez is now known as radez_g0n3
15:34 <ayoung> morganfainberg, can you add me and stevemar to the approver group for pycadf?
15:35 <ayoung> https://review.openstack.org/#/c/138381/1  has 2 +1s, and it will sit there until someone can approve it.
15:35 *** lhcheng has quit IRC
15:35 *** topol has joined #openstack-keystone
15:35 *** ChanServ sets mode: +v topol
15:36 <ayoung> marekd, actually, I see you are core
15:36 *** lhcheng has joined #openstack-keystone
15:37 <amakarov> stevemar, hi! What project does the file you asked me to edit belong to? https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-trust-ext.rst
15:37 <amakarov> stevemar, I doubt forking it on github is a correct way )
15:37 <ayoung> amakarov, nah, but if you clone it, and then do a git review, it will show up on gerrit
amakarovayoung, magic!15:38
ayoungNecromancy15:38
amakarovsourcery ))15:38
openstackgerritMarek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/13803515:40
*** chrisshattuck has quit IRC15:40
*** lhcheng has quit IRC15:40
marekdayoung: ?15:40
ayoungmarekd, pycadf core15:40
*** radez_g0n3 is now known as radez15:41
ayoungmarekd, which I realize was not something from this chat room....15:41
marekdayoung: i am not aware of core anywhere.15:41
marekdof being core anywhere *15:42
ayoungmarekd, I might have messed that up...let me see15:42
marekdayoung: stackalytics doesn't list me as pycadf core either15:44
ayoungah...15:44
stevemaramakarov, i assume you are good :)15:45
ayoungstevemar, sorry to rain on your YAWebsso parade.15:46
ayoungI was pretty hopeful when I first read it, but I think it is fundamentally flawed15:46
marekdayoung: you are going to work on your websso proposal?15:46
marekdayoung: it looks like untouched for a while :(15:47
ayoungmarekd, its one thing I need to talk to nkinder about today.  I'm trying to get a sense of our priorities.  We had a diversion based on some other, Rails based project, but I think that is a dead end15:47
marekdayoung: understand.15:47
ayoungmarekd, but the code is already written, right?  I can just steal what you and Jose have done....15:48
stevemarmarekd, ayoung yeah, if we could figure it out soon that would be great :)15:48
stevemarayoung, thats essentially what my spec is :)15:48
ayoungstevemar, OK...so if we wanted to leave the webui in Horizon, we'd need to do something like this:15:48
stevemari am the best of the thieves!15:48
ayoungstevemar, your spec is the Cern implemention?15:49
* ayoung missing a vowel or two15:49
ayoung implementation?15:49
marekdayoung: the code is written and available at github.com/cernops (branch cern-patches)15:49
stevemarayoung, basically, i did a GET request instead of a POST request back to horizon, but i listed a POST request as an alternative15:49
marekdayoung: yet i think for the upstream we would need to add one or two features. but all in all it should be good.15:49
*** david-lyle has quit IRC15:50
ayoungstevemar, what about the dynamic url thing?15:50
stevemarayoung, but yeah, its basically the cern code, what dynamic url thing?15:50
ayoungstevemar, one sec, I'll quote15:50
marekdayoung: https://github.com/cernops/keystone/commit/66dabd94b4ad32abca171cef9192210fec28923515:51
stevemaryeah, too many specs going around15:51
ayoungstevemar,  `django_openstack_auth` will dynamically create a URL based on the15:51
ayoung   predictable URL format of the protected federation URLs, and perform a GET,15:51
marekdayoung: https://github.com/cernops/django_openstack_auth/commit/b7e5b28a83a88b259bfaddbd754c70e1bb42044715:51
stevemaroh that15:51
ayoungstevemar, we can't be leaving state on Horizon15:52
marekdayoung: what do you mean by that?15:52
stevemarayoung, so basically i want 1 new function from keystone, list public idps, so it'll return {idp: google, protocol: oidc, idp: ipa, protocol: saml} - and horizon will craft the URL based on the idp and protocol values15:52
ayoungmarekd, read https://review.openstack.org/#/c/136610/3/specs/kilo/websso.rst,cm15:52
stevemarthats what i mean by dynamically15:53
ayoungstevemar, let's get yours and mine into a single spec15:53
ayoungI think we are saying almost the same thing15:53
*** joesavak has quit IRC15:53
stevemarkeystone-host+'os-federation'+selected_idp+protocol+id+'auth'15:53
stevemari figured there was overlap15:53
stevemari just really don't want to mess around with the pipeline :(15:54
ayoungpipeline?15:54
stevemarallow me to quote15:54
stevemar* Refactor paste file to reduce duplication of common filters.20715:55
stevemar* Splite the v3 service APIs into separate pipelines.20815:55
stevemar* Remove POST /v3/auth/tokens from the remainder of the auth pipeline15:55
stevemarhttps://review.openstack.org/#/c/133529/1/specs/kilo/websso-portal.rst15:55
ayoungstevemar, ah...that is optional I realize15:55
ayoungit could easily be postponed15:55
ayoungstevemar, I was messing with that yesterday.   The issues are actually different than I list there.15:55
stevemarin that case they are the same spec :)15:56
stevemarfor the most part15:56
marekdstevemar: did we discuss DS ?15:56
marekd(Discover service)15:56
stevemarno :(15:56
marekdi think we don't need dynamic url building, and we dont need public idps15:57
ayoungstevemar, I think that we need to be able to consume multiple routes from Apache.15:57
ayoungmarekd, ?15:57
stevemarmarekd, please go on15:57
marekdok, normally, when you configure classic web sso you have one url, say host.com/secure. You point your browser there and you must somehow choose an idp of your choice. and this is called Discover Service, AFAIR it's another piece of software e.g. from shibboleth.15:59
marekdat cern, actually we don't build dynamic url15:59
marekdi made an extra route /OS-FEDERATION/websso15:59
dstanekuggg...new problem - has anyone seen the ArgsAlreadyParsedError error when running in Apache?16:00
ayoungdstanek, nope16:00
marekdand extended identity_providers with one parameter - entityId (unique id of the idp squeezed into every assertion)16:00
ayoungdstanek, make that yep16:00
dstanekayoung: is it because of multi threading?16:01
ayoungdstanek, yes16:01
marekdayoung: stevemar https://github.com/cernops/keystone/blob/cern-patches/keystone/contrib/federation/controllers.py#L270-L28116:01
dstanekgood times16:01
ayoungdstanek, it was a while ago...forgot how I triggered or got around it.16:01
marekdShib-Identity-Provider is a param coming from the SAML assertion.16:01
ayoungdstanek, it might be that it is a difference in defaults between Fedora and Debian...prefork versus threading16:02
ayoungbut it shouldn't be.16:02
marekdstevemar: ayoung i think it should be enough for horizon to simply always go to keystone/v3/OS-FEDERATION/websso and this url should be protected AND enriched with service discovery.16:03
ayoungmarekd, would that be a visual page?16:03
ayoung"go to" meaning "redirect to"16:04
marekdayoung: yes.16:04
ayoungmarekd, and the set of IdPs in a drop down?16:04
marekdayoung: go to openstack.cern.ch16:04
marekdhttps://openstack.cern.ch16:04
marekdyou will be redirected to a DS page16:04
marekdyou must put your cred, use a certificate but you can also use your home idp.16:04
ayounghttps://login.cern.ch/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fkeystone.cern.ch%2FShibboleth.sso%2FADFS&wct=2014-12-02T16%3A04%3A46Z&wtrealm=https%3A%2F%2Fkeystone.cern.ch%2FShibboleth.sso%2FADFS&wctx=cookie%16:05
* ayoung chopped off the cookie16:05
marekdonce authenticated, trust me...you will see horizon and your vms.16:05
ayoungmarekd, what about for companies that don't want to be publicly listed?16:06
ayoungI was thinking this:16:06
stevemarhmm, i just don't know enough about DS16:06
marekdayoung: it's a matter of configuration of the DS16:06
stevemarmarekd, what are the changes needed to the apache conf file for DS?16:06
stevemarrather, for all of this16:07
marekdstevemar: for shibboleth...personally i have never configured it but had a guy who did some tests with that.16:07
*** saipandi has joined #openstack-keystone16:07
ayoungstevemar, so this is like you are pointing right at Keystone.  Each of the methods has its own suburl16:07
marekdstevemar: i just think we should try going this way first.16:08
ayoungstevemar, if you mouse over, you'll see how different they each are16:08
stevemarmarekd, i mean the vhost file for keystone, did you do anything else to it?16:08
marekdit's rather a matter oh shibboleth configuration.16:08
marekdof*16:08
*** chrisshattuck has joined #openstack-keystone16:09
*** chrisshattuck has quit IRC16:09
ayoungmarekd, so this page....is it running "in" keystone?16:09
*** _cjones_ has joined #openstack-keystone16:09
marekdayoung: not at all.16:09
*** chrisshattuck has joined #openstack-keystone16:09
marekdthis is IdP already16:09
marekdlogin.cern.ch16:09
ayoungmarekd, so what is the process to get a token to Horizon from here?16:09
ayoungsay I enter userid and password16:10
marekdby going to openstack.cern.ch you were redirected to protected keystone.cern.ch.v3.OS-FEDERATION/websso that redirected you to our ADFS instance which returns you said page16:10
ayoungit is passed through to keystone, just like Horizon would, and then this app generates javascript to post the token to DOA?16:10
ayoungBut for Federation...is this site "trusted" by Keystone?16:11
marekdyou login, get back to /websso keystone's url, the assertion is mapped, token generated and keystone returns with HTML page with JS that does a POST to openstack.cern.ch horizon webpage. this time also with an unscoped fed. token.16:11
ayoungis the SAML assertion parsed by this app, and then it could impersonate anyone?16:11
marekdayoung: no impersonation. it's pure saml16:12
ayoungsay I click one of the eduGAIN links.  The first thing is that I'm redirected to Keystone?16:12
marekdayoung: no, you will be redirected to IdP you chose.16:13
ayoungthen who processes the SAML assertion?  it is login.cern.ch...which is not Keystone16:14
marekdlogin.cern.ch is in fact ADFS instance, an IDP16:14
marekdit issues the assertion16:14
marekdit's keystone who processes the assertion.16:14
marekdayoung: let me walk you from step 116:14
marekdopenstack.cern.ch is horizon. It doesn't recognize any openstack token and redirects to shibboleth protected keystone url: keystone.cern.ch/v3/OS-FEDERATION/websso16:15
marekdwebsso is shib protected and has login.cern.ch configured as a IdP16:16
marekdso your browser is redirected to websso, and hence, having no active session, it will redirect you to login.cern.ch (our IdP)16:16
marekdin fact ADFS does also some Discovery service, so you can now login, either with CERN creds or choose other IdPs which are federated with CERN.16:17
marekdok, you are authenticated, you have your SAML assertion and get back to keystone.cern.ch/v3/OS-FEDERATION/websso16:17
marekdnow its pretty standard, mapping, unscoped token and so on.16:18
*** jimhoagland has joined #openstack-keystone16:18
marekdbut instead of returning pure unscoped token, keystone returns an HTML with JS with auto post <form> so the browser is redirected to openstack.cern.ch again, this time with unscoped token.16:18
marekdSince horizon recognizes a request with token it will let you through.16:19
marekdvoilà, you are done16:19
marekdSAML communication is only between keystone.cern.ch and login.cern.ch16:19
marekdthere is no impersonation and no similar threats.16:20
stevemarmarekd, what about logging in to horizon as a service user?16:21
ayoungmarekd, OK, that is how I understood it to work.  The difference is just in how we were specifying to do the webUI portion.  I was saying put it in Keystone...you have it in ADFS?16:21
marekdayoung: yes, otherwise each of our 12k SPs would need to have webUI, right?16:22
ayoungSo how does Kerberos login work?16:22
ayoungS4U2?16:22
marekdwhat's S4U2?16:22
marekdstevemar: what service user?16:23
ayoungNevermind...it is a Kerberos thing, but we don't need it here16:23
marekdayoung: ok16:23
marekdayoung: with the arch i just described horizon would not need to query keystone for public idps.16:24
marekdit would be handled by a DS, something that simply needs to be configured.16:24
marekdwe don't need to maintain it ourselves and so on.16:24
ayoungno. but your login bridge (ADFS here) does need to know the public IdPs16:24
marekdbut it's configured in ADFS not in Keystone.16:25
stevemarmarekd, like the admin user16:25
stevemarmarekd, any sql users16:25
marekdstevemar: you are asking for combining 'classic' and federated login ?16:26
marekdi don't see any problem with that.16:26
marekdit's a matter of using what we have today or redirecting to keystone.cern.ch/v3/OS-FEDERATION/websso16:26
marekdit's one extra 'if' somewhere in the code.16:27
ayoungmarekd, do you have some code that says "and at the end, redirect back only to openstack.cern.ch, and no other sites?16:28
marekdunfortunately yes. it fits our use case, we have that static url well load balanced etc. it unfortunately doesn't fit general upstream use-case.16:29
marekdayoung: this is what i was trying to tell stevemar.16:29
marekdwe would need to figure out a 'original url' and keep it for a session.16:29
marekdso we know where to redirect back the request.16:30
ayoungmarekd, no, that is OK for WebUI.  We could put Horizon in the service catalog, and limit it to Service catalog entries for CLI base Federation16:30
marekdayoung: doesn't it break todays architecture?16:30
marekdayoung: today "ANY" horizon can point to a single keystone16:30
marekdno need to register such horizon in Keystone, right?16:31
ayoungmarekd, we have a use case for a separate (rails based app) web ui to do the same thing...16:32
ayoungso we would need both horizon and cloudforms to be acceptable targets of that final post16:32
ayoungbut no other services...16:32
ayoungyes, today, multiple webuis can point to a single keystone16:32
marekdayoung: are we good to limit this?16:33
ayoungmarekd, I need to think it through, but probably16:34
marekdstevemar: ayoung i am super happy to help with that i simply want to work on something that has general approval :-)16:36
stevemarmarekd, understandable, i think ayoung and myself are just trying to get up to speed at this point :)16:36
marekdcool16:36
stevemarwe all want the same thing16:36
*** tellesnobrega_ has quit IRC16:36
stevemarmarekd, can you point to where in the code you would put that conditional (for the service / sql users)16:37
*** htruta has quit IRC16:38
stevemarcause i definitely don't want to break the current flow16:38
*** samuelms has joined #openstack-keystone16:38
*** tellesnobrega_ has joined #openstack-keystone16:38
marekdstevemar: how about adding a button to a login screen that would simply do a 302 redirect to keystone ?16:39
marekdlike, you type: horizon.example.com16:39
marekdand have old login page16:39
marekdwith a button "Federated login" or something like that.16:39
*** htruta has joined #openstack-keystone16:39
marekdmakes sense?16:40
stevemarand that `federated login` button goes to the protected/discovery page?16:40
openstackgerritAlexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859016:41
marekdit goes to keystone protected url, which will automatically redirect you to the discovery page :-)16:41
stevemarmarekd, whats in the vhost file for the /websso location?16:42
marekdstevemar: exactly the same configuration as for our identity_providers/*/protocols/*/auth16:43
marekd /websso simply lets you configure horizon to always redirect there, instead of building the dynamic url.16:43
marekdwithout that horizon would need to be able to list idps and so on.16:44
marekdwhich would be pointless and completely redundant, as login.cern.ch already does the DS16:44
marekdstevemar: ayoung https://wiki.shibboleth.net/confluence/display/SHIB2/DiscoveryService16:45
ayoungcool16:45
marekdayoung: stevemar does all what i said past 30 minutes make sense to you?16:47
dolphmmorganfainberg: fun news- January 19-24 is restaurant week in san antonio. getting hotel rooms might be hard16:47
marekd(it does to me)16:47
*** tellesnobrega_ has quit IRC16:47
dolphmmorganfainberg: http://culinariasa.org/san-antonio/restaurant-week/16:48
*** david-lyle has joined #openstack-keystone16:49
*** david-lyle has quit IRC16:49
morganfainbergdolphm: cool16:49
stevemarmarekd, only a bit :) i need to do it myself16:50
marekdit really takes little code changes in Keystone and django_openstack_auth.16:50
marekdyou actually did it, didn't you?16:50
* marekd BRB16:51
*** david-lyle_afk is now known as david-lyle16:52
rodrigodsmorganfainberg, ping will rebase https://review.openstack.org/#/c/117786/ (and the other 3 follow up patches) against https://review.openstack.org/#/c/138186/ . Considering the changes from the split assignment patch, I *think* it will be easier to rebase the split against our patches, instead of the contrary. Just checking if you are OK with this16:53
morganfainbergYep16:54
morganfainbergWorks for me16:54
morganfainbergTalk with henrynash and work out the details please16:54
rodrigodsmorganfainberg, thanks! will do16:55
henrynashrodigods: hi16:55
rodrigodshenrynash, ^16:55
morganfainbergayoung: is nkinder around? Or is he out / busy?16:55
ayoungmorganfainberg, maybe still sick16:55
morganfainbergCrud.16:55
rodrigodshenrynash, if you are ok with this, we can help with the split assignment rebase against our stuff16:56
henrynashso just want to make sure I understand…you are proposing to put in all your patches, and then I should rebase mine on your last one?16:56
bknudson1there was some kind of conference going on last time we were in SA16:56
morganfainbergOk have backup plan will execute on it.16:56
rodrigodshenrynash, yes, if it works for you16:56
henrynashrodigods: Ok, yes, I’m fine with that - HM is a more important feature than the assignment split, let’s get it in asap16:57
henrynashthen I’ll line up some coffees and go into rebase mode :-)16:57
samuelmshenrynash, rodrigods ++16:57
samuelms(-:16:57
henrynashrodigods: just point me at the last one I should be rebase to16:57
samuelmshenrynash, ok we'll rebase them today and will ping you once we've it done16:58
rodrigodshenrynash, samuelms ++16:58
*** packet has joined #openstack-keystone16:58
henrynashsamuelms: okeeedokkkeee16:58
henrynash(said in strange british accent)16:59
samuelmshenrynash, haha :p16:59
*** kobtea has joined #openstack-keystone17:00
*** packet has quit IRC17:00
marekdreview17:01
marekdsorry :(17:01
dolphmmorganfainberg: i'll be completely offline monday & tuesday next week17:01
dolphmmorganfainberg: internal workshoppy thing17:01
*** gyee_ has joined #openstack-keystone17:03
*** packet has joined #openstack-keystone17:04
*** kobtea has quit IRC17:05
marekdstevemar: speaking about mapping enhancements. In fact it could be a good idea to have two keywords: "group", and "groups".  group would be single group with id and groups a list of name-identified groups.17:06
*** packet has quit IRC17:07
*** nkinder has joined #openstack-keystone17:09
ayoungstevemar, OK, you have my permission to hack the pipeline stuff out of the webSSO spec.  marekd please feel free to update it as well17:11
ayounglets make this a unified effort17:11
ayounghttps://review.openstack.org/#/c/133529/1/specs/kilo/websso-portal.rst,cm17:12
stevemarayoung, agreed17:12
*** joesavak has joined #openstack-keystone17:12
marekdayoung: ++17:12
ayoungstevemar, so the two changes to DOA are:17:12
ayoung1.  give it a conf url to redirect17:13
ayoung2.  accept a token for login17:13
ayoungthe rest is done in the SSO portal17:13
*** packet has joined #openstack-keystone17:13
ayoungI was planning on hosting the portal inside of Keystone, but it sounds like it does not have to be17:13
ayoungIt sounds like it should be a stand alone app17:14
morganfainbergdolphm: no big deal. Can skip the release thingie.17:14
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095417:15
*** marcoemorais has joined #openstack-keystone17:17
openstackgerritMarek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping.  https://review.openstack.org/13803517:19
morganfainbergayoung: I'm moving token provider cleanup to k2. Fyi.17:19
ayoungmorganfainberg, sounds good17:19
*** lhcheng has joined #openstack-keystone17:21
ayoungstevemar, lets just make sure you and marekd communicate so you are not overwriting each others changes.  Or do you guys want to work through me for this?17:22
stevemarayoung, marekd i was thinking we could put it on an etherpad first17:23
ayoungstevemar, wouldn'17:24
ayoungt it be nice if we could back etherpad to gerrit17:24
ayoung?17:24
stevemarone day17:24
ayoungOK...lets do that17:24
ayoungstevemar, I'll create it17:24
marekdayoung: stevemar ok.17:26
ayoungmarekd, stevemar https://etherpad.openstack.org/p/websso-spec17:26
marekdayoung: thank you.17:27
*** chrissha_ has joined #openstack-keystone17:27
ayoungstevemar, BTW, I started on the step Remove POST /v3/auth/tokens from the remainder of the auth pipeline17:28
*** chrisshattuck has quit IRC17:28
ayoungit turns out that it is not so bad, but I need to make some changes to the federation code since that mounts suburls under /auth17:28
ayoungI'll post what I have WIP17:28
ayoungit also means working with the JSON home code to make sure we still generate the same home data.17:29
openstackgerritayoung proposed openstack/keystone: split auth from other services in paste  https://review.openstack.org/13845217:30
*** chrisshattuck has joined #openstack-keystone17:30
stevemarthanks for the etherpad link, will start playing when i'm done lunching17:30
ayoung++17:31
ayoungstevemar, see that review I just posted for the pipeline split changes, too17:31
*** chrisshattuck has quit IRC17:31
*** chrisshattuck has joined #openstack-keystone17:32
*** chrissha_ has quit IRC17:33
lhchenghi folks, quick question.  Can I use the project scoped token to get a domain scoped token?17:35
david-lylefollow on question, if a domain is just a project now, why do I need a special token for a domain? why not just a project scoped token?17:36
david-lyleexcuse me, "special project"17:36
samuelmslhcheng, you don't need a token to get another token :p17:36
david-lylesamuelms: not about need, it's about working with what you have17:36
samuelmslhcheng, you just have to get the domain token as you have nothing :)17:36
david-lylewithout storing a password17:37
gyee_there's no restriction on token rescope afaik17:37
samuelmslhcheng, david-lyle yes .. you can call POST /v3/auth/tokens to change authorization scope17:38
samuelmsin that case, you pass your previous token17:38
samuelmsjust read that from the api http://developer.openstack.org/api-ref-identity-v3.html17:38
samuelmsgyee_ ++17:38
openstackgerritAlexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description  https://review.openstack.org/11859017:38
gyee_we haven't implemented the spatial project yet17:38
gyee_david-lyle ^^17:39
david-lylegyee, when you do, what happens to domain scoped tokens?17:39
gyee_interchangeable17:39
*** ajayaa has quit IRC17:39
gyee_I hope :)17:39
*** _cjones_ has quit IRC17:40
*** _cjones_ has joined #openstack-keystone17:40
david-lyleI ask because I'm about to add a ton of convoluted logic to DOA and Horizon to support this second token type, if it's going away, I sure don't want to go that way17:40
lhcheng#itjustworks :)17:40
gyee_its NOT going away17:40
samuelmslhcheng, ++17:40
gyee_otherwise, we'll be in the world of shit17:41
david-lylelhcheng: ™17:41
lhchenggyee_ is there already a draft specs out for the spatial project?17:41
david-lylebut if they are interchangeable, why not wait for that and save on logic?17:41
david-lyleand wasted effort and complexity17:41
david-lyleI want the flavor of the month, not the flavor of the week17:42
samuelmslhcheng, s/spatial/special17:42
gyee_lhcheng, not sure, morganfainberg may know17:42
ayoungdavid-lyle, working on it17:42
*** aix has quit IRC17:42
david-lyleayoung: on which?17:43
ayoungit is only an agreement that we are going to make domains into projects...not a done deed17:43
gyee_ayoung, in the implementation sense17:43
ayoungdavid-lyle, I would think it would work like this:17:43
gyee_on the public facing side, it's still the same17:43
ayoungcertain projects are also domains17:43
david-lyleayoung: so should I wait and get identity operations on domains for free in kilo?17:43
samuelmsayoung, ++17:44
ayoungif you get a token scoped to that domain, it should have all the roles17:44
samuelmsdavid-lyle, yes so I think we'll still define the flavor of the month :p17:44
ayoungand you don't need to specify "domain scoped" or "project scoped"17:44
ayoungbut certain roles would not make sense to have assigned to projects that were not in themselves domains17:44
david-lyleayoung: that makes sense, but role assignments would be the only difference17:45
ayoungyeah.17:45
david-lylethat's much cleaner17:45
gyee_its all about the scope :)17:45
*** jistr|training has quit IRC17:45
ayoungdavid-lyle, I don't think Horizon should have to deal with the distinction...it should be on the object you are requesting, not having to request a special type17:45
david-lyleayoung: that would be a vast improvement17:46
david-lylewhat type of timeframe are we looking at realistically though?17:46
david-lyleK, L, M?17:46
ayounggood question...matter of priorities.17:46
david-lyleI'm trying to figure out mine as well17:47
ayoungdavid-lyle, I think it needs to work in after the hierarchical multitenancy changes17:47
david-lyleso with HM, in the first pass I would still need two types of tokens?17:48
ayoungyeah17:48
morganfainbergdavid-lyle, ayoung ++17:48
morganfainbergdavid-lyle, the reseller-case-support in HM will be where that change would come in.17:48
ayoungmorganfainberg, what if we changed the enforcement in policy.  something like  role:admin  and project:is_a(domain)17:49
morganfainbergayoung, we'll need to extend the policy language, but sure?17:50
ayoungmorganfainberg, or project_id == domain_id17:51
morganfainbergayoung, that is probably easier.17:51
morganfainbergbut... i am going to guess we still need to extend the policy lang17:51
morganfainbergiirc it only knows how to match <resource> to <info in context>17:51
morganfainbergnot <info in context> == <other info in context>17:52
gyee_if we are returning both project_id and domain_id, we don't have to change policy lang17:52
morganfainbergor info in context == <some other thing on resource without custom code>17:52
gyee_iirc17:52
*** boris-42 has joined #openstack-keystone17:52
ayoungmorganfainberg, I think it is  context(project_id)  =  fetch_object(domain_id)17:53
ayoungI think we can do that in the current language17:53
david-lyleyou can build up the credentials dict however you want17:53
morganfainbergayoung, ok.17:53
ayoungdavid-lyle, it is not the credentials dict in this case...it is...17:53
ayoungwell let me show you17:53
ayoungthere is code that fetches an object from the backend before policy is run17:53
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n11817:54
ayoungget_member_from_driver17:54
ayoungref = self.get_member_from_driver(kwargs[key])  and then policy_dict['target'] = {self.member_name: ref}17:54
ayoungso something like17:55
boris-42ayoung: hey there17:55
boris-42ayoung: do you have a minute to discuss functional testing in keystone17:55
boris-42ayoung: I didn't understand your email, what is the purpose of having a separate framework for that?)17:55
ayoung"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",17:56
ayoungwould become17:56
ayoung"admin_and_matching_target_project_domain_id": "rule:admin_required and project_id:%(target.project.domain_id)s",17:56
boris-42ayoung:  why not using tempest-lib or rally or something already existing?)17:56
ayoungboris-42, no different framework,  just a way to test our code17:56
ayoungboris-42, I was talking about using keystone as both the client and server17:56
gyee_ayoung, that code is for fetching objects only17:57
ayoungso the client part of keystone would run auth_token middleware etc, and talk to the server version17:57
boris-42ayoung: so maybe I can try to sell you rally lol for that purpose?17:57
ayounggyee_, right,  but those are the rules david-lyle needs to access17:57
ayoungboris-42, I think you misunderstand17:57
gyee_ayoung, not for authorization for user management17:57
boris-42ayoung: I mean I can make a proposal (as a spec)17:57
ayoungrally would still be part of it17:57
gyee_for domain/project update, yes17:57
boris-42ayoung: I mean there will be soon one more feature17:57
boris-42ayoung:  that will allow to use 1 devstack installation to test v2/v3 and so on17:58
boris-42ayoung: with ssl without ssl17:58
ayounggyee_, so anything that is a domain specific rule would instead match the project_id to the domain id17:58
boris-42ayoung: or it's different from what you are proposing?)17:58
*** krish has joined #openstack-keystone17:58
ayoungboris-42, different.  I'll walk you through it in a moment17:58
boris-42ayoung: sure17:58
*** krish is now known as Guest351617:59
gyee_ayoung, right, if both domain_id and project_id are in the cred dict, we don't have to change anything17:59
*** Guest3516 has quit IRC17:59
boris-42ayoung: I am just thinking from side of operators that would like to check their clouds with one red button* =)17:59
ayoungrodrigods, gyee_, I think the big thing we need is to ensure that for HMT the root project that is a domain needs to have an ID that matches the domain id17:59
*** krish1979 has joined #openstack-keystone17:59
ayoungis that in our current implementation?  morganfainberg do you know?17:59
gyee_ayoung, right, the IDs have to be the same17:59
gyee_or we have ourselves a security problem18:00
ayoungboris-42, we have the Keystone weekly meeting right now18:00
ayoungin #openstack-meeting18:00
rodrigodsayoung, nope18:00
rodrigodsonly in the reseller one18:00
ayoungrodrigods, lets make that work...18:00
*** jamielennox|away is now known as jamielennox18:01
rodrigodsright now we do not mix up the project/domain concepts18:01
ayoungdomainid must match projectid, or we are kinda screwed18:01
rodrigodsayoung, we left domain <-> project questions out of the table18:01
rodrigodswe are just adding the projects hierarchy / inherited roles to projects18:02
ayoungrodrigods, when we do a create domain, are we creating a project for it, too?18:02
*** kobtea has joined #openstack-keystone18:02
rodrigodsayoung, no18:02
rodrigodsAFAIK18:02
ayoungrodrigods, ok, lets figure this out after the weekly meeting18:03
rodrigodsayoung, ++18:03
*** kobtea has quit IRC18:06
*** rwsu has joined #openstack-keystone18:07
openstackgerrithenry-nash proposed openstack/keystone: Fix the way migration helpers check FK names.  https://review.openstack.org/13846818:14
*** saipandi has quit IRC18:14
*** radez is now known as radez_g0n318:15
*** marg7175 has joined #openstack-keystone18:20
*** marg7175 has quit IRC18:23
*** marg7175 has joined #openstack-keystone18:24
*** sriram has joined #openstack-keystone18:26
*** tellesnobrega_ has joined #openstack-keystone18:26
*** saipandi has joined #openstack-keystone18:27
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095418:27
*** harlowja_away is now known as harlowja_18:31
*** rwsu has quit IRC18:38
*** jimhoagland has quit IRC18:44
*** amcrn has joined #openstack-keystone18:49
dolphmmorganfainberg: side note, if i can't get the $114/night group rate at valencia (it's $199 otherwise), then i have a recommendation for another nearby hotel that is $107-119 depending on how you book, without a discount18:51
morganfainbergdolphm, ++18:51
morganfainbergsounds good.18:51
*** browne has joined #openstack-keystone18:52
*** saipandi has quit IRC18:56
*** radez_g0n3 is now known as radez18:58
morganfainbergdolphm, i'm officially going to drop OS X as a supported keystone platform...18:58
dolphmmorganfainberg: what's broken this time?18:58
morganfainbergdolphm, i'm not seeing apple play nice going forward and some deep down libs are all ancient/horked/not easy to replace18:58
morganfainbergdolphm, all of LDAP.18:59
dolphmmorganfainberg: i've been mostly using debian recently anyway18:59
morganfainbergdolphm, yeah.18:59
morganfainbergdolphm, ubuntu here.18:59
*** saipandi has joined #openstack-keystone18:59
dolphmmorganfainberg: but because of battery life required to run tox, not because of compat18:59
morganfainbergdolphm, but basically ldap lib in yosemite isn't compatible with python-ldap 2.4, and replacing that is a nightmare19:00
gyee_ouch!19:00
morganfainbergdolphm, because like openssl, apple has their own opendirectory lib19:00
morganfainbergso expect that to wither to be even less usable19:00
morganfainbergi can fix it, but it requires manual changes to setup.cfg each time.19:01
morganfainbergfor python-ldap19:01
morganfainbergnot suitable for tox.19:01
morganfainbergor virtualenv19:01
dstanekmorganfainberg: i have never been able to get all of the Keystone unit tests to pass on my Air19:01
gyee_dstanek, it was working for me before the Yosemite upgrade19:02
dolphmmorganfainberg: fair enough. shall i rip out OS X docs?19:02
dolphmmorganfainberg: p.s. still unconfirmed but i asked for confirmation to use the same space we used last time, in which case, new hotel is just a block from our last hotel https://goo.gl/maps/Y8Tpn19:02
jamielennoxmorganfainberg: what are the midcycle dates19:02
morganfainbergdolphm, either you or i. i was about to do that.19:02
dolphmjamielennox: Jan 19-2119:02
morganfainbergjamielennox, ^^19:02
dstanek gyee_ i could say the same about wireless and a host of other things :-)19:02
dolphmmorganfainberg: i wrote most of them, i'll rip em out :)19:03
morganfainbergdolphm, ok sounds good, i'll plan to +2 it19:03
ayoungmorganfainberg, henrynash samuelms rodrigods :  Do we want to enforce the rule that, for the root project in a domain, projectid == domainid  So to test if a given project is a domain, we do if  project.id == project.domain_id?19:03
ayoungIf so, then we need to add that logic to create_domain19:04
morganfainbergayoung, that is an easy work-around to making projects == domains19:04
openstackgerrithenry-nash proposed openstack/keystone-specs: Add support for domain specific roles.  https://review.openstack.org/13385519:04
morganfainberghenrynash, rodrigods, raildo, let me know if you need any help prioritising the order of HMT vs Split patches. but i assume you guys have a handle on it.19:05
morganfainbergthat is to say post merge commit passing19:05
rodrigodsmorganfainberg, I guess yes, will help henrynash to rebase against https://review.openstack.org/#/c/117787/3819:05
henrynashmorganfainberg: I think we're good….I'll rebase at the end…I know enough about what HM has done to be able to work out what to do19:06
rodrigodsmorganfainberg, question: can I send the same patches to master using the same change-id?19:06
ayoungmorganfainberg, OK...so two patches.  First is for create_domain doing a create project.  Second is a migration to add the project entry for all existing domains19:06
*** mikedillion has joined #openstack-keystone19:07
ayoungmorganfainberg, does it need a spec?19:08
ayoungor is it a detail under HMT?19:08
morganfainbergrodrigods, sure.19:08
morganfainbergayoung, this should be part of the HMT reseller case iirc.19:08
morganfainbergayoung, so that can be part of that spec.19:08
rodrigodsmorganfainberg, ayoung, ++19:08
morganfainbergayoung, (the second HMT spec) not the one we're doing the master merge for now.19:08
rodrigodsraildo is writing that spec, you let him know about this specific detail19:09
rodrigodsor it can be part from the "hm improvements"19:09
rodrigodsspec19:09
openstackgerritMorgan Fainberg proposed openstack/keystone: Ignore H302 - bug 1398472  https://review.openstack.org/13849119:09
uvirtbotLaunchpad bug 1398472 in hacking "H302 isn't handling oslo_concurrency namespace change" [Undecided,Fix released] https://launchpad.net/bugs/139847219:09
ayounghttps://review.openstack.org/#/c/135309/  morganfainberg that one?  "Hierarchical Multitenancy Improvements"19:09
openstackgerritMorgan Fainberg proposed openstack/keystone: Ignore H302 - bug 1398472  https://review.openstack.org/13849119:10
morganfainbergayoung, thats the one19:10
ayoungrodrigods, htruta raildo I'm going to edit that one, ok?19:10
rodrigodsayoung, np :)19:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Ignore H302 - bug 1398472  https://review.openstack.org/13849119:11
uvirtbotLaunchpad bug 1398472 in hacking "H302 isn't handling oslo_concurrency namespace change" [Undecided,Fix released] https://launchpad.net/bugs/139847219:11
rodrigodsayoung, thank you19:11
ayoungrodrigods, falls under my directive to "make domains work"19:11
morganfainberglbragstad, ^ there ya go fixed.19:11
stevemarmorganfainberg, oh shoot, forgot to bring this up in the meeting...19:12
morganfainbergstevemar, ?19:12
stevemarare we enforcing the need to have API changes along with the spec?19:12
dolphmstevemar: please19:12
stevemarcause theres a lot of specs being proposed, and i thought we were enforcing that API changes should be included19:12
morganfainbergstevemar, i think we generally said: if you can provide them this is *much much much* preferred! if not, you can add them after, but API changing code *cannot* merge until they are in the repo.19:13
morganfainbergstevemar, so, it would be better to have the API changes *in* the spec.19:13
morganfainbergbut in some cases it needs to be hashed out independent of the "is this a good idea" phase19:13
stevemarmorganfainberg, ok, send out a broadcast or something to make sure folks get the message :)19:13
stevemarof course19:13
morganfainbergstevemar, i'll add a note in the README for specs19:14
morganfainbergand will send something to the ML today/tomorrow19:14
dolphmmorganfainberg: WHY DOES tox -e sample_config NOT WORK FOR ME ON DEBIAN NOW AGHH19:15
morganfainbergdolphm, ... i uh19:16
morganfainbergdunno?19:16
ayoungrodrigods, OK, walk me through this.  Today,  if I create a domain,  there is no project at the root of the domain.  If I create a project, it shows the domain ID , but it will have no parent_project_id?19:16
rodrigodsayoung, exactly19:16
ayoungrodrigods, OK,  here is how I propose changing things19:16
ayoung1.  create_domain will create a project with a matching id19:17
ayoung2.  migration that will create a project for all domains with a matching id19:17
* dolphm cries19:17
ayoung3.  migration that will set/initialize parent_project_id19:17
*** jsavak has joined #openstack-keystone19:18
ayoungon step 3, if project-id == domain_id, do nothing19:18
stevemardolphm, nuke your .tox/sample_config and try again?19:18
ayoung if  project-id != domain_id, and parent_project_id is none, parent_project_id = domain_id19:18
dolphmstevemar: i just built a new one19:18
stevemardolphm, then it hates you19:18
*** amakarov is now known as amakarov_away19:19
rodrigodsayoung, sounds good19:19
morganfainbergdolphm, i've never had issues with tox -esample_config19:19
morganfainberg:(19:19
morganfainbergwish i could explain why it doesn't work19:20
rodrigodsayoung, we just need to remember to add a constraint somewhere, that if project_id == domain_id, parent_id *must* be none19:20
openstackgerritDolph Mathews proposed openstack/keystone: drop developer support for OS X  https://review.openstack.org/13849619:21
dolphmstevemar: but you don't hate me, right? will you regenerate sample conf here and re-review? ^^19:21
openstackgerritLance Bragstad proposed openstack/keystone: Bump hacking to be atleast 0.9.4  https://review.openstack.org/13849719:21
stevemarlol sure19:21
*** joesavak has quit IRC19:21
morganfainberglbragstad, either my fix or yours, both work for me.19:21
lbragstadmorganfainberg: ok19:21
lbragstadI was able to run with hacking 0.9.4 locally and it doesn't break on o-c19:22
ayoungrodrigods, I'm going to remove the policy stuff from that spec, too.19:22
ayoungInstead, lets get that to reference the policy specs we already have19:23
ayoungfor example, we can't do: The policy.v3cloudsample.json should become the default policy.json for   Keystone:19:23
*** stevemar has quit IRC19:23
henrynashayoung: that’s already proposed19:23
ayoungrodrigods, ++19:23
*** stevemar has joined #openstack-keystone19:24
*** ChanServ sets mode: +v stevemar19:24
ayounghenrynash, the data in that file should be the start of it, but it is a bigger discussion19:24
ayoungwe need more support than just swapping that file19:24
henrynashayoung: there's a series of patches somewhere that first fixes up v2cloudsample, and then 2nd makes it the default19:24
rodrigodshenrynash, ++ https://review.openstack.org/#/c/123509/19:25
rodrigodsayoung, ^19:25
stevemaralmost there dolphm19:25
ayounghenrynash, you've seen my thoughts on policy19:26
ayoungrodrigods, if you have not read https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/  please do so19:28
ayounglets not work at cross purposes, nor make more work for ourselves19:28
ayoungI think we are all thinking along the same lines19:28
rodrigodsayoung, you are right (I've read your blog post)... It's just some two directions in the team19:29
ayoungI'll leave the policy sections alone for now.19:29
ayoungin the HMT spec19:29
ayoungbut we should revise it19:29
rodrigodsok19:29
rodrigodsayoung, but we believe that this improvement is necessary for now (Kilo)... The dynamic policy part, seems a long term effort to us19:30
rodrigodsfor L, or late K19:30
ayoungrodrigods, unified policy at least should replace the cloudsample, though19:31
*** jimhoagland has joined #openstack-keystone19:31
ayoungrodrigods, we don't need the dynamic roles in order to clean up policy for HMT19:31
ayoungrodrigods, its ok,  I think the cloudsample file is the right direction.19:32
rodrigodsayoung, true19:32
ayoungIt makes a better basis for a unified policy file than the base policy.json19:33
ayoungso I don't actually have any problem with the proposal19:33
rodrigodsayoung, great :)19:34
*** tellesnobrega_ has quit IRC19:34
dolphmstevemar: git-review19:37
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Pass all adapter parameters through to adapter  https://review.openstack.org/13822819:37
bknudson1don't you have to fill in the admin_domain_id in the policy.v3cloudsample.json ? so how can it be the default?19:38
*** nellysmitt has quit IRC19:40
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Pass all adapter parameters through to adapter  https://review.openstack.org/13822819:40
dolphmstevemar: tox -e sample_config && git add etc/keystone.conf.sample && GIT_EDITOR=true git commit --amend && git-review19:40
*** afazekas has quit IRC19:41
openstackgerritLance Bragstad proposed openstack/keystone: Bump hacking to be at least 0.9.4  https://review.openstack.org/13849719:42
sriramhey guys, I have some questions with regards to python keystone middleware. Is this the right place to ask?19:43
dolphmstevemar is letting me down19:43
dolphmsriram: yep!19:43
openstackgerritayoung proposed openstack/keystone-specs: Hierarchical Multitenancy Improvements  https://review.openstack.org/13530919:43
stevemardolphm, pypi is letting me down19:43
ayoungrodrigods, ^^19:44
dolphmstevemar: you just had to nuke your .tox19:44
stevemari did19:44
rodrigodsayoung, thanks!19:44
stevemari was playing around with the new oslo.config generator19:44
dolphmsomeone beat stevemar to the punch! $ git-review -d 138496 && tox -e sample_config && git add etc/keystone.conf.sample && GIT_EDITOR=true git commit --amend && git-review19:44
*** amcrn has quit IRC19:45
dolphmstevemar: i was thinking about fixing brant's bug in it soon19:45
dolphmmaybe end of next week19:45
dolphmand then maybe we can have it in keystone19:45
dolphmcause that works, otherwise19:45
bknudson1dolphm: you mean the ordering of parameters?19:45
sriramcool, I'm just wondering if you guys have ever encountered an issue were keystone middleware intermittently flagged valid tokens. The tokens are cached in memcache.19:45
dolphmbknudson1: yes19:46
bknudson1dolphm: I think there's a fix proposed by dhellmann19:46
dolphmbknudson1: ooh!19:46
srirams/were/where19:46
bknudson1dolphm: https://review.openstack.org/#/c/136482/19:46
*** nellysmitt has joined #openstack-keystone19:46
dolphmbknudson1: Ben's comment is something i wanted to address too19:47
bknudson1dolphm: I meant to try it sometime and see what it looks like.19:48
dolphmbknudson1: i'll post a result for you in a minute19:51
stevemardolphm, there we go, that was weird19:52
ayoungsriram, are you using PKI tokens?  Is this happening for every token, or just that randomly tokens are flagged as invalid that should be valid?19:52
openstackgerritSteve Martinelli proposed openstack/keystone: drop developer support for OS X  https://review.openstack.org/13849619:52
dolphmstevemar: there's another random change in there - i assume that's in master?19:53
sriramayoung: its pretty random, 5-8 requests would go through fine. and then requests will fail with 401s19:54
stevemarit's not in master, but probably someone changed config and didn't update19:54
stevemarlet me check with master19:54
ayoungsriram, once a token is invalid, is it ever valid again?19:54
*** jsavak has quit IRC19:55
sriramayoung: nope.19:55
stevemardolphm, yeah it's appearing in master too, it's cool19:55
ayoungsriram, PKI or UUID tokens?19:55
srirampki19:55
stevemardolphm, a left over bit from oslo.db19:56
sriramand usually flushing memcache makes it go away for some period of time.19:56
*** nellysmitt has quit IRC19:56
ayoungsriram, hmmm.19:56
ayoungsriram, once you have a failure, do tokens start working again with no other changes?19:56
sriramyeah, after a few 401s they do start working again.19:57
openstackgerritDolph Mathews proposed openstack/keystone: update sample conf using oslo-config-generator  https://review.openstack.org/13850819:57
sriramit could range from a few minutes to few hours.19:57
dolphmbknudson1: https://review.openstack.org/#/c/138508/1/etc/keystone.conf.sample19:57
sriramits tough to repro, it doesn't always happen.19:57
ayoungstrange19:57
*** joesavak has joined #openstack-keystone19:58
bknudson1dolphm: we need to get rid of this option! #sqlite_db = oslo.sqlite19:58
bknudson1ugh, it was in there before.19:59
sriramayoung: this is usually what we hit: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L95519:59
ayoungsriram, if the auth_token middleware cannot fetch the revocation list from the server it will 40119:59
ayounglooking19:59
sriramI dont think it would be a request timeout, thats the other place where it is logged.19:59
bknudson1maybe we could have a separate entry point for the options so we don't have to pull some in.19:59
ayoungthat is not a connection error20:00
ayoungsriram, self._LOG.debug('Token validation failure.', exc_info=True)20:00
ayoungbut you don't have debug enabled, do you?20:00
sriramnope. :|20:00
bknudson1dolphm: so it looks like now it's just the oslo lib options that have changed order... and the order of the sections made no difference20:01
sriramwe are trying to get this going in a different environment to test, with debug turned on.20:01
ayoungsriram, can you edit the file?  Change self._LOG.debug  to self._LOG.warn20:01
*** packet has quit IRC20:01
sriramayoung: I can do it to test locally, but not in the environment for now.20:02
ayoungsriram, I see at least one problem with that code right now20:03
ayounghttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L924  would get caught by its own try/except20:03
ayoungsriram, need more data.  Could be a handful of different things. I'd instrument that code differently to deduce where in that huge try block things are failing20:04
sriramyeah, we need to get an environment going to test it.20:05
*** radez is now known as radez_g0n320:07
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851920:13
*** r-daneel has quit IRC20:17
*** r-daneel has joined #openstack-keystone20:17
*** joesavak has quit IRC20:18
*** tellesnobrega_ has joined #openstack-keystone20:19
*** samuelms-away has quit IRC20:29
*** gabriel-bezerra has quit IRC20:29
*** tellesnobrega_ has quit IRC20:30
*** htruta has quit IRC20:30
*** samuelms has quit IRC20:30
*** tellesnobrega has quit IRC20:30
*** raildo has quit IRC20:30
*** gabriel-bezerra has joined #openstack-keystone20:42
*** htruta has joined #openstack-keystone20:42
*** samuelms-away has joined #openstack-keystone20:42
*** raildo has joined #openstack-keystone20:42
*** tellesnobrega has joined #openstack-keystone20:42
*** jogo has joined #openstack-keystone20:48
jogomorganfainberg: https://review.openstack.org/#/c/92507/ can use another round of keystone core reviewing20:48
morganfainbergJogo. On my radar post x-project meeting.20:52
jogomorganfainberg: excellent20:55
*** krish1979 has quit IRC20:58
*** jimhoagland has quit IRC20:58
*** joesavak has joined #openstack-keystone20:58
*** marcoemorais has quit IRC21:03
stevemardolphm, ha, i also had a patch for this21:05
stevemarhttps://review.openstack.org/#/c/128440/21:05
*** radez_g0n3 is now known as radez21:12
*** henrynash has quit IRC21:15
*** henrynash has joined #openstack-keystone21:15
*** ChanServ sets mode: +v henrynash21:15
*** topol has quit IRC21:25
*** nellysmitt has joined #openstack-keystone21:29
*** nellysmitt has quit IRC21:30
*** stevemar2 has joined #openstack-keystone21:30
*** ChanServ sets mode: +v stevemar221:30
*** stevemar has quit IRC21:31
*** mikedillion has quit IRC21:32
stevemar2ayoung, can you help me expand on `proposed changes` here: https://etherpad.openstack.org/p/websso-spec21:33
*** openstackgerrit has quit IRC21:34
*** openstackgerrit has joined #openstack-keystone21:34
*** henrynash has quit IRC21:36
*** henrynash has joined #openstack-keystone21:37
*** ChanServ sets mode: +v henrynash21:37
*** andreaf has quit IRC21:37
morganfainbergstevemar2, shady man shady21:37
*** andreaf has joined #openstack-keystone21:38
morganfainbergjogo, i lied, i need to run an errand post meeting [time sensitive] but when i'm back... it's on the radar.. then $HP Things To Do$21:38
*** stevemar2 is now known as stevemar21:38
stevemarmorganfainberg, better? :)21:38
ayoungstevemar, depends on whether the discovery service is inside Keystone or not21:39
*** stevemar2 has joined #openstack-keystone21:39
stevemar2stevemar: yes, cause now....21:39
*** kobtea has joined #openstack-keystone21:39
ayoungstevemar, let's write the spec as if the changes are  inside Keystone, and, if they end up being a separate service, we'll work on splitting them out21:39
ayoungstevemar2, depends on whether the discovery service is inside Keystone or not21:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Add parent_id field to projects  https://review.openstack.org/13854821:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Base methods to handle hierarchical projects  https://review.openstack.org/13854921:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/13855021:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds correct checks in LDAP backend tests  https://review.openstack.org/13855121:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects  https://review.openstack.org/13855221:40
ayoungstevemar2, let's write the spec as if the changes are  inside Keystone, and, if they end up being a separate service, we'll work on splitting them out21:40
stevemar2>.>21:40
stevemar2<.<21:40
rodrigodsmorganfainberg, henrynash ^21:40
*** andreaf has quit IRC21:41
*** andreaf has joined #openstack-keystone21:41
stevemarayoung, that was morganfainberg playing all sorts of tricks21:41
morganfainbergstevemar, lies >.>21:42
morganfainberg<.<21:42
stevemar2and deceit21:42
*** ayoung is now known as moregainfainburp21:42
*** stevemar2 has quit IRC21:42
moregainfainburpno I wasn't21:42
*** moregainfainburp is now known as ayoung21:42
stevemarayoung, i ripped out a bunch from https://etherpad.openstack.org/p/websso-spec hope that's OK21:42
ayoungstevemar, well, I still have it in the review request, so nothing ever disappears21:43
ayoungstevemar, the question is what to do about the websso landing page21:43
ayoungI mean...it does look like we could do all that in Horizon21:43
ayoungexcept for the redirects to Keystone itself21:44
stevemarright, marekd was saying that it should just be a change in the vhost file to direct the user to a discovery service21:44
*** kobtea has quit IRC21:44
ayoungthe discovery service could be in Horizon, Keystone, or a standalone page.  It could probably be static21:44
openstackgerritRodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects  https://review.openstack.org/13855221:45
openstackgerritRodrigo Duarte proposed openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/13855021:45
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds correct checks in LDAP backend tests  https://review.openstack.org/13855121:45
ayoungbut, since Keystone itself needs to be exposed in this case, lets plan on putting it in Keystone for simplicity21:45
ayoung we can split it out when/if we need21:45
stevemarmakes sense21:46
ayoungat least here we'll avoid the overhead of cross project work etc21:46
stevemarright21:46
ayoungok...I'm headed over to etherpadland21:46
stevemarso DOA needs an update to allow a user to select 'log me in via federation' (which goes to a log in page), so that's at least 2 work items for DOA21:46
stevemarayoung, 1) a new setting, and 2) a new button21:47
rodrigodshenrynash, so we need to rebase the assignment split with this patch https://review.openstack.org/#/c/138552/21:47
henrynashrodrigods: Ok, I'll do that tonight21:48
*** marg7175 has quit IRC21:49
rodrigodsmorganfainberg, so I guess we can eliminate the feature branch :)21:50
morganfainbergif that merge commit merged to master, yes21:50
morganfainbergbut not till then.21:50
ayoungstevemar, yep21:50
ayoungstevemar, you missed the big one21:51
ayoungDOA needs to not only accept a token for login, but validate it21:51
ayoungDOA becomes more like auth_token middleware21:51
ayoungand consumes more of Keystone client21:51
stevemarah right21:51
rodrigodsmorganfainberg, hmm right21:51
*** ayoung has left #openstack-keystone21:52
stevemarayoung, so totally agree that DOA needs to authN with a token now, which should be OK21:52
stevemarhe just left :(21:52
stevemarwhat did i do?21:52
*** ayoung has joined #openstack-keystone21:52
*** ChanServ sets mode: +v ayoung21:52
*** joesavak has quit IRC21:52
stevemarayoung, so I was under the impression that the 'discovery page' was created by the IdP?21:53
ayoungstevemar, use IRC for discussions, and etherpad to capture21:53
*** rharwood has joined #openstack-keystone21:53
ayoungstevemar, not really21:53
ayoungstevemar, assume there are multiple IdPs21:53
*** mikedillion has joined #openstack-keystone21:53
*** marg7175 has joined #openstack-keystone21:53
ayoungthe discovery page is an organizational thing21:54
ayoungbut the organization is the service providers org,21:54
ayoungwhere service is provided to users from many IdPs21:54
stevemarhmm OK21:55
stevemarayoung, so keystone would have to create a discovery page?21:56
ayoungstevemar, I think so21:57
ayoungthat can actually live anywhere, but Keystone does need that final response page21:57
ayoungwhich means it is simpler if everything is in Keystone21:57
stevemari didn't think that's what marekd was getting at21:57
ayoungstevemar, so I am thinking we do this in OS-WEBSSO21:57
stevemarso walk me through the flow21:58
ayoungThe WebUI does not *need* to live in Keystone21:58
stevemaroh21:58
stevemarwhere does it live?21:58
ayoung1.  go to horizon.  No token or session, so get redirected to discovery page21:58
morganfainbergi would prefer it doesn't live in keystone... unless we have no alternative.21:58
ayoungmorganfainberg, we put an implementation in Keystone.21:58
ayoungmorganfainberg, live deploy does not need to use it21:58
ayoungmorganfainberg, Keystone needs to be on the public web no matter wyhat21:58
ayoungwhat21:58
ayoungbut we can put both in their own suburl to protect them differently21:59
ayoungOK,  so from discovery page...lets assume saml....redirect to the appropriate saml provider (based on selection of combo box)21:59
ayoungwith the return URL being the Keystone URL that creates a token from SAML and posts that token to Horizon22:00
ayoungmorganfainberg, I think I'm going to propose that we put all of this stuff under /v3/websso22:00
ayoungthat way, it is an apache config whether it gets exposed to the outside world or not22:01
*** andreaf has quit IRC22:01
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037622:02
ayounghttps://github.com/cernops/keystone/commit/66dabd94b4ad32abca171cef9192210fec28923522:02
ayoungcern is using ADFS.  We'll provide a limited equivalent22:03
*** joesavak has joined #openstack-keystone22:04
stevemarayoung, keep dumping as much info as you can into the etherpad, something isn't clicking for me22:05
ayoungstevemar, ok, start with what cern has22:06
*** jimhoagland has joined #openstack-keystone22:07
stevemari'm still hung up on the discovery page, it sounds like we need to generate a whole bunch of HTML now, and create a page that can authN with different mechanisms22:07
ayounglets assume that we are going to provide a baseline implementation of the discovery page22:07
ayoungThat is going to be fairly static22:07
ayoungwhat needs to be dynamic is the list of Idps22:07
bknudson1if they run in apache they can just write up their own html.22:08
ayoungThere is nothing that says a live deployment can't use their own discovery page, or that the discovery part of Keystone that we write can't be separately deployed22:08
ayoungbknudson1, exactly22:08
ayoungwhat keystone needs to provide is something that lets you login via each of those mechanisms, creates a token, and then generates the appropriate javascript to post that token back to Horizon22:09
ayoungstevemar,   look for  render_html_response  in  https://github.com/cernops/keystone/commit/66dabd94b4ad32abca171cef9192210fec28923522:10
stevemarayoung, yep, i'm familiar with that22:11
ayoungstevemar, I think they have different patches for dealing with basic auth and kerberos22:11
ayounghttps://github.com/cernops/keystone/commit/8ea8b8d9ca2b30385d52505018cb33a284839827  maybe22:12
ayoungnah22:12
ayoungstevemar, I think that all of their options on https://login.cern.ch/  go to adfs, and are then treated like SAML22:13
stevemarayoung, naw, they have google+ and facebook log ins22:15
ayoungstevemar, OK...I think we can split the work like this22:15
ayoungstevemar I think we basically need that patch22:16
ayoungthat won't give us the discovery service, but it will make Keystone able to handle the discovery service22:16
ayoungthen, we could possibly use K2K  and treat keystone Identity just like any other SAML provider22:16
joesavak(yay)22:17
ayoungjoesavak, have you seen the cern discovery page?22:17
joesavakyups22:18
ayoungjoesavak, it would be something more like:  go to keystone with userid/password via a webUI, and get a SAML assertion, which goes over to another Keystone server to get a token....everything goes via federation on the second keystone server22:19
joesavaksaw it in paris - adfs federate to keystone demo22:19
joesavak(yay)22:19
ayoungright...so we turn the identity portion of Keystone into an ADFS clone22:19
ayoungand by We I mean someone22:19
ayoungI'm more concerned with the other side...the side that issues tokens22:19
ayoungthat is only going to accept SAML (or other federated Identity)  as it is on the public web....I think?22:20
joesavakyes - it could be on public web, or a shared network with the issuer22:22
joesavakor client rather22:22
ayoungjoesavak, so I'm inclined to put all of the visible web stuff under one suburl, like /v3/websso22:23
*** mikedillion has quit IRC22:23
joesavakok22:24
stevemari think any web page we make is going to look like crud compared to anything else22:25
ayoungjoesavak actually, two suburls...one for the discovery service, one for the redirect.22:25
ayoungstevemar, we put in a configurable field which is the CSS22:25
ayounglet people upload their own and keep the HTML dead simple22:25
ayoungit is not up to us to determine how it looks.  But this is also just the default discovery service for people that have Identity in Keystone already22:26
stevemarayoung, i'm pretty sure morganfainberg is going to have our heads on a pike if we do any html/css22:26
ayoungstevemar, we can't avoid it, but we can minimize it22:27
ayoungits pretty minimal22:27
stevemarso the username/password flow (that's for service users) ?22:27
morganfainbergI'll need to read the backlog later.22:27
stevemarnot sure why i used brackets22:28
ayoungstevemar, we'll keep it in a separate commit, and if we decide that we need to put it in a separate service, we can always pay the price to do that later22:28
ayoungstevemar, not just service users.22:28
ayoungstevemar, userid/password is for people in sql identity22:28
stevemarright, like horizon has today22:28
ayoungyes22:28
stevemari don't think that should be in the discovery service22:28
ayoungstevemar, it starts off in Keystone.  We move it if we need to22:29
ayoungits in its own suburl and is completely isolatable22:29
ayounglets say we do it in /v3/discovery22:29
ayoungand then the javascript piece goes in /v3/websso22:30
ayoungstevemar, don't focus too much on where the discovery service lives.  Its a default.  For people with ADFS, or something comparable, they won't use it anyway.22:31
ayoungIt could easily live inside Horizon, too.22:32
stevemaralright, this will take a few more iterations to get right22:34
stevemarlets let marek weigh in22:34
ayoungstevemar, its not really in the discovery service.  A webUI that converts userid/password to SAML based on K2K would actually live in Keystone.  There would be no visible web there, but the web server would process the request and handle redirects22:34
*** marg7175 has quit IRC22:34
*** marg7175 has joined #openstack-keystone22:34
ayoungthis is what cern is doing already22:34
ayoungtheir discovery service is in adfs22:34
stevemari'm all for getting this done, i need this done or topol will crush me, but i don't want to let my need for it cloud my judgement22:34
stevemarthats true22:35
stevemari was wondering about that flow22:35
ayoungstevemar, so focus on getting their patch integrated22:35
stevemarand keystone doesn't have a login page for k2k22:35
ayoungstevemar, take this patch but make it work in its own suburl:   https://github.com/cernops/keystone/commit/66dabd94b4ad32abca171cef9192210fec28923522:35
ayoungmake a websso module under contrib or next to identity.22:36
ayoungIt could even live in the federated module, but I suspect it belongs in its own22:36
* stevemar shrugs22:36
stevemari'm gonna get to cookin dinner22:36
stevemarthat doesn't confuse me as much as discovery services22:37
ayoungstevemar, I'm gonna head home myself.22:37
stevemarhave fun22:37
ayoungstevemar, I'll try hacking on the discovery service22:37
*** boris-42 has quit IRC22:37
ayoungI'll do it as an extension, and we can treat it as "for testing only"22:38
*** ayoung is now known as buhbye22:39
*** buhbye has quit IRC22:39
*** sriram has quit IRC22:40
*** marg7175 has quit IRC22:46
*** marg7175 has joined #openstack-keystone22:47
*** tellesnobrega_ has joined #openstack-keystone22:47
*** raildo_ has joined #openstack-keystone22:50
*** marcoemorais has joined #openstack-keystone22:55
*** tellesnobrega_ has quit IRC22:57
*** jorge_munoz has quit IRC22:57
openstackgerrithenry-nash proposed openstack/keystone-specs: Add support for domain specific roles.  https://review.openstack.org/13385522:57
*** Dafna has quit IRC22:58
*** marcoemorais1 has joined #openstack-keystone22:58
*** diegows has quit IRC22:58
*** Dafna has joined #openstack-keystone22:59
rodrigodshenrynash, ping re: your comments here https://review.openstack.org/#/c/138550/2/keystone/assignment/core.py22:59
henrynashrodigdods: hu22:59
henrynashhi, even22:59
rodrigodshenrynash, remember the subtree visibility discussion?22:59
henrynashrodrigods: sure…so where is the code that actually does this check?23:00
*** marcoemorais has quit IRC23:00
*** htruta has quit IRC23:00
*** tellesnobrega_ has joined #openstack-keystone23:01
rodrigodshenrynash, same file, in the list_projects_in_subtree() implementations23:01
henrynashrodrigods: no, I mean, this change is passing something new to the driver…where’s the driver code that uses it?23:03
*** marcoemorais1 has quit IRC23:03
rodrigodshenrynash, hmm... so if the driver doesn't use it, we don't need the user_id parameter, right?23:03
rodrigodsjust in the manager layer?23:04
henrynashdoes the driver have that method at all?23:04
rodrigodshenrynash, it does23:04
rodrigodshenrynash, previous patch23:04
rodrigodshenrynash, https://review.openstack.org/#/c/117785/30/keystone/assignment/backends/sql.py23:05
henrynashrodrigods: ah, right - so yes, you don't need to add the parameter to the abstract method..since we are not passing the user_id to the driver23:05
rodrigodshenrynash, great!23:05
rodrigodsthanks for the reviews, will address your comments asap23:06
*** marcoemorais has joined #openstack-keystone23:06
henrynashrodrigods: np23:06
*** harlowja_ is now known as harlowja_away23:07
*** browne has quit IRC23:10
*** zzzeek has quit IRC23:10
*** htruta has joined #openstack-keystone23:12
*** harlowja_away is now known as harlowja_23:12
openstackgerrithenry-nash proposed openstack/keystone: Fix the way migration helpers check FK names.  https://review.openstack.org/13846823:13
*** joesavak has quit IRC23:15
raildo_henrynash, can you answer me, two questions about domain role and HMT?23:15
henrynashraildo_: maybe :-)23:15
raildo_if I create a role in a sub-domain, can I grant this role to a user created in a parent domain?23:16
henrynashraildo_: no23:16
raildo_ok23:16
henrynashraildo_: ah sorry…grant it on which domain?23:16
raildo_if I create a user in a sub-domain, can i grant a role to a parent domain, or a other domain in other hierarchy?23:16
raildo_imagine that i have a parent domain A - and a subdomain B... and I create a domain role "role_in_subdomain_b" in subdomain B. If i created a user in the domain A, can I grant a role assignment using this  role_in_subdomain_b?23:19
henrynashraildo_: so assuming that HM allows users to be inherited down the tree, then yes23:20
henrynashraildo_: you can grant it do something in subdomain B23:21
henrynashraildo_: but you could not grant it to domain A23:22
raildo_henrynash, Ok, that's what I thought.23:22
morganfainbergbah missed ayoung23:23
*** gordc has quit IRC23:23
raildo_henrynash, and the second question? :P23:23
*** zzzeek has joined #openstack-keystone23:23
henrynashdrum role23:24
henrynashcan a user be granted a role on a parent domain…I don’t think so23:25
*** kobtea has joined #openstack-keystone23:28
*** henrynash has quit IRC23:29
raildo_henrynash, ok. thanks!23:29
*** nellysmitt has joined #openstack-keystone23:31
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin  https://review.openstack.org/13857523:32
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make session use the Loadable interface  https://review.openstack.org/13857623:32
*** kobtea has quit IRC23:33
morganfainberglbragstad, i'm pushing the ignore patch through since yours is still checking23:34
morganfainberglbragstad, for hacking check23:34
morganfainberglbragstad, once we get new hacking we can revert the tox.ini change23:34
*** radez is now known as radez_g0n323:35
*** nellysmitt has quit IRC23:36
marekdstevemar: looking at your and ayoung's convo about discovery service. Please reflect the proposals in the etherpad, and I will try to write down all the available possibilities i can see, but by having DS I am fearing we kind of implement another part into Keystone, hence, trying to make it legitimate Service Provider, Identity Provider and so on.23:38
marekdstevemar: that would be great, but it's extremely easy to completely screw it up.23:39
morganfainbergmarekd, tomorrow/thursday i want to chat w/ you about the ECP wrap crypto stuff, make sure i understand what is going on there.23:39
marekdmorganfainberg: sure.23:39
morganfainbergmarekd, if you have time.23:39
morganfainbergmarekd, cool will ping you then.23:39
stevemarmarekd, yeah, thats what i'm worried about, i don't want to do that either23:39
marekdmorganfainberg: of course i do.23:40
* morganfainberg is *very* concerned about any HTML/css in keystone23:40
stevemarmarekd, i don't know enough about discovery service to make any helpful comments23:40
morganfainbergi understand it might be needed, but... *very* concerned.23:40
marekdmorganfainberg: ecp does not have anything to do with html/css23:40
morganfainbergmarekd, no was re other convo with stevemar and ayoung23:40
morganfainbergmarekd, sorry crossed the streams.23:40
marekdstevemar: i confess i know it exists, but it's pretty standard thing in a classic websso.23:42
marekdstevemar: anyway, if you want to have it checked, just try to configure your POC and make it work with more than one IdP.23:42
stevemarmarekd, yeah, i don't think it will unless I have the list of idps become public23:43
marekdif you really want to make it that way, you will then need to configure separate Locations for every IdP (in your vhost config)23:45
marekdand build dynamic urls23:45
marekdthis is also possible, i admit, but for instance for our use-case that would be completely useless :-)23:46
stevemaryep23:46
stevemarbecause you have 100s23:46
marekdyes, and we have ADFS that does this job for us  for free.23:46
marekdhttps://review.openstack.org/#/c/138035/ <--- can anybody please take a look at it? It already has one +2.23:48
stevemarlooking23:49
stevemari already +2'ed it!23:49
*** chrisshattuck has quit IRC23:49
stevemarmarekd, so i think something like tivoli FIM has a discovery service23:49
stevemarbut i'm wondering about connect to something like google?23:50
marekdstevemar: google only?23:50
stevemaryeah23:50
stevemarthats the only idp23:50
marekdstevemar: so you don't need DS - it's only one default idp available23:51
marekdthere is no choice23:51
marekdGoogle or nothing.23:51
stevemarso how does websso work?23:51
marekdlook, DS is basically a bridge, that allows you to choose from list of IdPs you somehow trust.23:52
marekdif there is no such choice, perhaps because you only have one default IdP you simply don't configure DS.23:52
marekdok, i think we can even implement two ways.23:53
marekdit's really not that big a deal.23:54
marekdok, need to go to bed. see you soon.23:57
marekdjamielennox: dstanek: stevemar: https://review.openstack.org/#/c/130593/ - this one should be interesting as well (sadly, no +2s yet)23:58
*** marekd is now known as marekd|away23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!