Friday, 2014-12-12

*** henrynash has quit IRC		00:07
*** henrynash has joined #openstack-keystone		00:08
*** ChanServ sets mode: +v henrynash		00:08
*** henrynash has quit IRC		00:09
*** _cjones_ has quit IRC		00:12
*** dims__ has quit IRC		00:15
*** dims__ has joined #openstack-keystone		00:15
*** dims__ has quit IRC		00:18
*** dims__ has joined #openstack-keystone		00:18
*** david-lyle is now known as david-lyle_afk		00:23
*** nellysmitt has joined #openstack-keystone		00:25
*** nellysmitt has quit IRC		00:30
openstackgerrit	Jorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers https://review.openstack.org/140175	00:35
*** nkinder_away has quit IRC		00:40
*** marcoemorais1 has quit IRC		00:41
*** dims__ has quit IRC		00:45
*** dims__ has joined #openstack-keystone		00:46
*** dims__ has quit IRC		00:50
bknudson	can we deprecate writing to LDAP?	00:59
bknudson	Document what the entries are that keystone server is looking for and then remove support next release.	00:59
bknudson	somebody using ldap can write their own tools.	00:59
*** _cjones_ has joined #openstack-keystone		01:13
*** afaranha_ has joined #openstack-keystone		01:18
*** afaranha_ has quit IRC		01:20
*** gyee has joined #openstack-keystone		01:21
*** ChanServ sets mode: +v gyee		01:21
jamielennox	is it reasonable for the headers from an auth plugin to clobber those provided with a request? or should the auth_plugin headers be added with a .setdefault()	01:22
jamielennox	I can't think of many reasons why anyone would send headers={'X-Auth-Token': 'some_value'} with a request - but if they do i assume it's a good one	01:23
openstackgerrit	Brant Knudson proposed openstack/keystone: Add a test for modifying a role to set the name the same https://review.openstack.org/141234	01:23
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix modifying a role with same name using LDAP https://review.openstack.org/141235	01:23
*** dims__ has joined #openstack-keystone		01:27
*** _cjones_ has quit IRC		01:29
*** _cjones_ has joined #openstack-keystone		01:29
*** diegows has quit IRC		01:34
*** sudorandom has quit IRC		01:35
*** sudorandom has joined #openstack-keystone		01:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix disabling entities when enabled is ignored https://review.openstack.org/141101	01:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Add a test for modifying a role to set the name the same https://review.openstack.org/141234	01:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix modifying a role with same name using LDAP https://review.openstack.org/141235	01:38
*** shakamunyi has joined #openstack-keystone		01:38
openstackgerrit	guang-yee proposed openstack/keystone-specs: X.509 SSL certificate authentication https://review.openstack.org/105913	01:40
*** sudorandom has quit IRC		01:44
*** sudorandom has joined #openstack-keystone		01:46
*** wanghong has quit IRC		01:46
*** gyee has quit IRC		01:47
*** _cjones_ has quit IRC		02:00
*** boris-42 has quit IRC		02:03
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	02:04
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	02:04
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor identity version handling to strategy pattern https://review.openstack.org/140765	02:04
bknudson	jamielennox: with https://review.openstack.org/140765 , it changes where the failure to load plugin occurs...	02:05
bknudson	since the IdentityServer object is created on AuthProcotol() it fails on startup	02:05
bknudson	rather than on the first request	02:05
*** zzzeek has quit IRC		02:08
jamielennox	bknudson: so it gives 401 rather than 504	02:10
jamielennox	?	02:10
openstackgerrit	Merged openstack/keystonemiddleware: Use new ksc features in User Token Plugin https://review.openstack.org/131048	02:11
bknudson	jamielennox: I think that change is because auth token eats the exception and turns it into a 401 whenever something goes wrong.	02:11
*** chrisshattuck has quit IRC		02:11
bknudson	during token validation	02:11
*** erkules_ has joined #openstack-keystone		02:12
jamielennox	id love to better target that except exception	02:13
*** wanghong has joined #openstack-keystone		02:13
*** erkules has quit IRC		02:14
jamielennox	bknudson: thinking about that i'm willing to bet one of those patches that went in in this version must have moved that as well	02:15
bknudson	there should be a place to catch ServiceError.	02:15
jamielennox	i tend to think where it is now, raising a 503 rahter than a 401 is better	02:15
jamielennox	so where the except Exception is you could just ad d an except ServiceError: raise	02:16
jamielennox	but that except Exception is a pain, every time i need to do any real debugging i have to comment that out	02:16
bknudson	I agree 503 is better than 401 if can't get the version.	02:16
jamielennox	also it means you ahve to be really careful with negative testing because a KeyError or AttributeError coming from a test will get a 401 where it shouldn't	02:17
openstackgerrit	wanghong proposed openstack/keystonemiddleware: support micro version if sent https://review.openstack.org/130916	02:18
bknudson	jamielennox: it was an easy fix.	02:19
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	02:20
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor identity version handling to strategy pattern https://review.openstack.org/140765	02:20
bknudson	just added `except ServiceError:` before except Exception.	02:21
*** chrisshattuck has joined #openstack-keystone		02:25
*** nellysmitt has joined #openstack-keystone		02:26
*** nellysmitt has quit IRC		02:31
openstackgerrit	werner mendizabal proposed openstack/keystone-specs: Multifactor Authentication https://review.openstack.org/130376	02:40
openstackgerrit	werner mendizabal proposed openstack/keystone-specs: Multifactor Authentication https://review.openstack.org/130376	02:43
*** oomichi has joined #openstack-keystone		02:46
*** erkules_ has quit IRC		02:49
*** dims__ has quit IRC		02:49
*** dims__ has joined #openstack-keystone		02:50
*** erkules_ has joined #openstack-keystone		02:50
*** KanagarajM has joined #openstack-keystone		02:52
*** dims__ has quit IRC		02:54
*** shakamunyi has quit IRC		02:57
*** tylerdurden has joined #openstack-keystone		02:57
jamielennox	morganfainberg: did non-persistent tokens get in for Juno?	03:15
jamielennox	or bknudson ^	03:15
jamielennox	i don't think so but it's in the juno specs repo	03:15
*** lhcheng has quit IRC		03:18
*** lhcheng has joined #openstack-keystone		03:18
*** chrisshattuck has quit IRC		03:19
*** lhcheng has quit IRC		03:20
*** lhcheng has joined #openstack-keystone		03:20
*** lhcheng has quit IRC		03:28
*** richm has joined #openstack-keystone		03:30
*** harlowja is now known as harlowja_away		03:36
*** nkinder_away has joined #openstack-keystone		03:38
*** rushiagr_away is now known as rushiagr		03:42
dstanek	jamielennox: i don't think that was completed	03:52
*** wanghong has quit IRC		03:52
morganfainberg	It wasn't completed.	03:52
*** rushiagr is now known as rushiagr_away		03:52
morganfainberg	There is a kilo spec (k2) target for it.	03:52
morganfainberg	Kilo spec has not yet been approved has some fixed I need to do	03:53
*** lhcheng has joined #openstack-keystone		04:00
*** chrisshattuck has joined #openstack-keystone		04:01
*** wanghong has joined #openstack-keystone		04:05
*** oomichi has quit IRC		04:12
*** r-daneel has quit IRC		04:19
*** nellysmitt has joined #openstack-keystone		04:27
*** stevemar has joined #openstack-keystone		04:30
*** ChanServ sets mode: +v stevemar		04:30
*** lbragstad has quit IRC		04:32
*** nellysmitt has quit IRC		04:32
*** cyeoh has quit IRC		04:33
*** lbragstad has joined #openstack-keystone		04:33
*** zzzeek has joined #openstack-keystone		04:33
*** zzzeek has quit IRC		04:33
*** cyeoh has joined #openstack-keystone		04:34
openstackgerrit	Merged openstack/identity-api: Indicate repo is frozen in README https://review.openstack.org/141208	04:39
*** rushiagr_away is now known as rushiagr		04:41
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add get_headers interface to authentication plugins https://review.openstack.org/140894	04:44
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins https://review.openstack.org/141267	04:44
*** chrisshattuck has quit IRC		05:10
*** marcoemorais has joined #openstack-keystone		05:15
*** marcoemorais1 has joined #openstack-keystone		05:16
*** marcoemorais has quit IRC		05:19
*** _cjones_ has joined #openstack-keystone		05:23
*** richm has quit IRC		05:38
*** stevemar has quit IRC		05:43
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/136243	06:05
*** KanagarajM2 has joined #openstack-keystone		06:10
*** KanagarajM has quit IRC		06:11
*** KanagarajM2 has quit IRC		06:13
*** wanghong has quit IRC		06:14
*** nellysmitt has joined #openstack-keystone		06:28
*** wanghong has joined #openstack-keystone		06:31
*** nellysmitt has quit IRC		06:33
*** lhcheng has quit IRC		06:34
*** lhcheng has joined #openstack-keystone		06:34
*** erkules_ is now known as erkules		06:38
*** jamielennox is now known as jamielennox\|away		06:39
*** wanghong has quit IRC		06:52
*** ncoghlan has joined #openstack-keystone		06:58
*** oomichi has joined #openstack-keystone		07:11
*** oomichi has quit IRC		07:21
*** ncoghlan has quit IRC		07:31
*** ajayaa has joined #openstack-keystone		07:33
*** ajayaa has quit IRC		07:43
*** nellysmitt has joined #openstack-keystone		07:58
*** drjones has joined #openstack-keystone		08:04
*** _cjones_ has quit IRC		08:08
*** drjones has quit IRC		08:09
*** ajayaa has joined #openstack-keystone		08:10
*** zz_avozza is now known as avozza		08:13
*** tellesnobrega has quit IRC		08:14
*** jimbaker has quit IRC		08:14
*** davechen has quit IRC		08:14
*** bdossant has joined #openstack-keystone		08:15
*** DaveChen has joined #openstack-keystone		08:15
*** avozza is now known as zz_avozza		08:15
*** bdossant has quit IRC		08:17
*** jimbaker has joined #openstack-keystone		08:17
*** jimbaker has quit IRC		08:17
*** jimbaker has joined #openstack-keystone		08:17
*** tellesnobrega has joined #openstack-keystone		08:21
*** marcoemorais1 has quit IRC		08:28
*** andreaf has joined #openstack-keystone		08:41
*** Dafna has quit IRC		08:48
*** bdossant_ has joined #openstack-keystone		09:03
*** jacer_huawei has joined #openstack-keystone		09:07
*** raildo_ has joined #openstack-keystone		09:14
*** ajayaa has quit IRC		09:16
*** eglynn-regus has quit IRC		09:16
*** lhcheng has quit IRC		09:17
*** lhcheng has joined #openstack-keystone		09:18
*** jistr has joined #openstack-keystone		09:19
*** eglynn-regus has joined #openstack-keystone		09:22
*** lhcheng has quit IRC		09:22
*** raildo_ has quit IRC		09:32
openstackgerrit	henry-nash proposed openstack/keystone: Fix the way migration helpers check FK names. https://review.openstack.org/138468	09:34
*** eglynn-regus has quit IRC		09:34
*** eglynn has joined #openstack-keystone		09:34
*** bdossant_ has quit IRC		09:36
*** ajayaa has joined #openstack-keystone		09:41
*** DWang has quit IRC		09:57
*** bdossant_ has joined #openstack-keystone		10:02
*** bdossant_ has quit IRC		10:04
*** Shohei_ has quit IRC		10:05
*** Shohei has joined #openstack-keystone		10:05
*** bdossant has joined #openstack-keystone		10:08
*** sluo_laptop has quit IRC		10:09
*** Shohei has quit IRC		10:10
*** bdossant_ has joined #openstack-keystone		10:15
*** nellysmitt has left #openstack-keystone		10:16
*** bdossant has quit IRC		10:19
*** yasu_ has joined #openstack-keystone		10:27
*** bdossant_ has quit IRC		10:30
*** yasu_ has quit IRC		10:31
*** samuelms_ has joined #openstack-keystone		10:32
*** yasu_ has joined #openstack-keystone		10:34
*** aix has joined #openstack-keystone		10:37
*** bdossant has joined #openstack-keystone		10:44
*** yasu_ has quit IRC		10:48
*** dims__ has joined #openstack-keystone		10:56
*** tellesnobrega_ has quit IRC		10:57
*** dims__ has quit IRC		11:00
*** topol has joined #openstack-keystone		11:03
*** ChanServ sets mode: +v topol		11:03
*** diegows has joined #openstack-keystone		11:10
*** bdossant has quit IRC		11:14
*** topol has quit IRC		11:17
*** jasondotstar has joined #openstack-keystone		11:31
*** dims__ has joined #openstack-keystone		11:45
*** marekd\|away is now known as marekd		11:48
*** dims__ has quit IRC		11:49
*** dims__ has joined #openstack-keystone		11:49
*** dims__ has quit IRC		11:54
*** boris-42 has joined #openstack-keystone		11:55
*** aix has quit IRC		11:55
*** dims__ has joined #openstack-keystone		11:56
*** bdossant has joined #openstack-keystone		12:04
*** bdossant has quit IRC		12:14
*** bdossant has joined #openstack-keystone		12:29
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring https://review.openstack.org/141352	12:44
*** dims__ has quit IRC		12:48
*** jasondotstar has quit IRC		12:48
*** dims__ has joined #openstack-keystone		12:48
*** dims__ has quit IRC		12:52
*** henrynash has joined #openstack-keystone		12:53
*** ChanServ sets mode: +v henrynash		12:53
*** aix has joined #openstack-keystone		12:59
*** ajayaa has quit IRC		13:00
*** dims__ has joined #openstack-keystone		13:01
*** bdossant has quit IRC		13:05
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring https://review.openstack.org/141352	13:06
*** afaranha has quit IRC		13:07
*** amakarov_away is now known as amakarov		13:14
*** bdossant has joined #openstack-keystone		13:16
*** bdossant has quit IRC		13:21
*** dims__ has quit IRC		13:26
*** dims__ has joined #openstack-keystone		13:27
*** bdossant has joined #openstack-keystone		13:27
*** bdossant has quit IRC		13:31
*** dims__ has quit IRC		13:31
*** bdossant has joined #openstack-keystone		13:32
*** henrynash has quit IRC		13:36
*** jasondotstar has joined #openstack-keystone		13:37
samuelms_	amakarov, hi, just left a couple of comments on you patch regarding create_grant refactoring	13:41
*** Adam_ has joined #openstack-keystone		13:43
*** Adam_ is now known as ayoung_		13:44
*** ayoung has joined #openstack-keystone		13:49
*** ChanServ sets mode: +v ayoung		13:49
*** ayoung has quit IRC		13:49
*** bjornar has quit IRC		13:57
*** zz_avozza is now known as avozza		13:57
*** ayoung_ has quit IRC		13:59
*** dims__ has joined #openstack-keystone		14:02
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	14:12
marekd	gabriel-bezerra: did you manage to setup mod_Shib + pysaml2 ?	14:14
marekd	dstanek: same question for you	14:14
*** k4n0 has quit IRC		14:17
*** ayoung_ has joined #openstack-keystone		14:20
*** jasondotstar has quit IRC		14:23
marekd	Dec 18 is K-1 i think. Is it the latest day for the specs to be accepted so the implementation is later in Kilo release?	14:23
openstackgerrit	Victor Silva proposed openstack/keystone: Fixes indentation in contrib/federation/utils.py https://review.openstack.org/141383	14:24
*** timcline has joined #openstack-keystone		14:25
openstackgerrit	Brant Knudson proposed openstack/keystone: Cleanup eventlet use in tests https://review.openstack.org/140835	14:27
*** timcline has quit IRC		14:29
gabriel-bezerra	marekd: I could set it up, but it is not working well	14:30
marekd	gabriel-bezerra: same here	14:30
marekd	well, validation also doesn't work here.	14:30
marekd	gabriel-bezerra: i am going to compare assertion issued by a pysaml2 and other idps that worked for me.	14:30
gabriel-bezerra	marekd: it claims about "Unable to establish security of incoming assertion"	14:30
marekd	yes	14:30
marekd	gabriel-bezerra: if i don't find anything i will ask the autor or other users.	14:31
gabriel-bezerra	marekd: I put an assertion of mine in here: http://www.lsd.ufcg.edu.br/~gabrielb/assertion.xml	14:31
*** ayoung_ has quit IRC		14:36
*** nkinder_away has quit IRC		14:49
*** ayoung has joined #openstack-keystone		14:50
*** ChanServ sets mode: +v ayoung		14:50
*** samuelms_ has quit IRC		14:52
*** rushiagr is now known as rushiagr_away		14:57
*** r-daneel has joined #openstack-keystone		15:00
*** richm has joined #openstack-keystone		15:06
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix disabling entities when enabled is ignored https://review.openstack.org/141101	15:08
openstackgerrit	Brant Knudson proposed openstack/keystone: Add a test for modifying a role to set the name the same https://review.openstack.org/141234	15:08
openstackgerrit	Brant Knudson proposed openstack/keystone: Add tests for enabled attribute ignored https://review.openstack.org/140895	15:08
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix modifying a role with same name using LDAP https://review.openstack.org/141235	15:08
openstackgerrit	Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens https://review.openstack.org/141397	15:09
openstackgerrit	Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens https://review.openstack.org/141397	15:10
*** topol has joined #openstack-keystone		15:13
*** ChanServ sets mode: +v topol		15:13
amakarov	Hi all! I think we have a problem with our revoke extension: when I revoke role assingment to one project, created revocation event matches all my tokens to other projects too - is it normal?	15:17
*** timcline has joined #openstack-keystone		15:19
*** timcline has quit IRC		15:22
*** timcline has joined #openstack-keystone		15:23
*** andreaf has quit IRC		15:27
*** andreaf has joined #openstack-keystone		15:28
*** avozza is now known as zz_avozza		15:32
*** nkinder_away has joined #openstack-keystone		15:33
*** tellesnobrega_ has joined #openstack-keystone		15:34
*** timcline has quit IRC		15:41
*** timcline has joined #openstack-keystone		15:41
*** tellesnobrega_ has quit IRC		15:47
*** gordc has joined #openstack-keystone		15:57
*** mflobo has quit IRC		15:59
*** marcoemorais has joined #openstack-keystone		16:01
*** marcoemorais1 has joined #openstack-keystone		16:02
dstanek	marekd: gabriel-bezerra: yes i think i had it working last night	16:04
dstanek	gabriel-bezerra: your issue is probably the certs	16:04
*** marcoemorais has quit IRC		16:05
*** tylerdurden has quit IRC		16:06
*** tellesnobrega_ has joined #openstack-keystone		16:07
*** bdossant has quit IRC		16:08
*** richm has quit IRC		16:11
openstackgerrit	Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens https://review.openstack.org/141397	16:12
*** wwriverrat has joined #openstack-keystone		16:15
gabriel-bezerra	dstanek: did you have the same problem? how did you fix it?	16:17
wwriverrat	Need some quick advice I’m not finding via Google: Is it a good or bad idea to use keystone’s “extras” project metadata for our own purposes? (for instance “env”: “prod”). Support teams want a way to know which projects are dev/test/prod.	16:20
*** chrisshattuck has joined #openstack-keystone		16:23
*** thedodd has joined #openstack-keystone		16:23
*** bdossant has joined #openstack-keystone		16:28
*** chrisshattuck has quit IRC		16:32
*** zz_avozza is now known as avozza		16:32
*** marcoemorais1 has quit IRC		16:32
*** boris-42 has quit IRC		16:32
*** dims__ has quit IRC		16:33
*** dims__ has joined #openstack-keystone		16:34
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring https://review.openstack.org/141352	16:37
*** dims__ has quit IRC		16:38
*** dims__ has joined #openstack-keystone		16:44
*** david-lyle_afk is now known as david-lyle		16:49
*** jaosorior has joined #openstack-keystone		16:53
lbragstad	wwriverrat: there is a lot of talk about making the 'extras' stuff go away	16:53
lbragstad	wwriverrat: so we don't encourage it	16:53
wwriverrat	doh! OK. Guess I liked the idea of being able to attach deployment-specific info. Thanks for the heads up	16:54
lbragstad	wwriverrat: no problem	16:55
*** marcoemorais has joined #openstack-keystone		17:02
wwriverrat	lbragstad, discussed with co-workers. We’re hoping ‘extras’ stick around. Our initial plan was to attach {“env”: “dev”} into the extras dictionary. When vm is spun up, we’d also attach to vm. this would give our support personnel a means of ignoring dev/test VMs and focus on prod. Our vote: keep em’ around.	17:05
lbragstad	wwriverrat: so you want to separate projects into dev/test/prod?	17:06
wwriverrat	yes. differing SG rules for each	17:08
wwriverrat	different quotas	17:08
lbragstad	wwriverrat: ok, so why do you need to have extra stuff in the project reference when the project is 'prod', 'test', or 'dev'?	17:09
lbragstad	wwriverrat: just trying to understand the whole flow	17:09
gabriel-bezerra	wwriverrat: what lbragstad means by projects is what used to be called tenants	17:09
wwriverrat	dev/test is where they prove out their deployments/apps exosed internally. prod exposed externally. dev/test doesnt allow prod IPs, prod doesnt allow dev/test IPs	17:10
wwriverrat	yep tenants	17:10
*** avozza is now known as zz_avozza		17:10
gabriel-bezerra	wwriverrat: you can use projects (formerly "tenants") to do that	17:11
*** richm has joined #openstack-keystone		17:11
gabriel-bezerra	wwriverrat: along with security groups	17:11
gabriel-bezerra	wwriverrat: just create a project for each of {dev,test,prod}	17:12
wwriverrat	sure. we are using puppet to deploy. Each environment gets different settings. test proves out the config before its blessed to go prod	17:12
wwriverrat	prod would allow public ips to perform work via security group rules. dev and test non-externally reachable	17:13
wwriverrat	we have 80 or so different applications that could cross talk that want our internal cloud space. They want a free and easy playground (dev), semi-stable integration env (test), and naturally externally exposed apps	17:14
gabriel-bezerra	wwriverrat: sure. In openstack concepts, how are you dividing those "environments"?	17:16
wwriverrat	back to topic: If we put the “env” data somewhere, we’d like to keep it at the project level (where quotas, SG rules, etc) live.	17:16
wwriverrat	currently each app can allocate 3 environments by creating 3 projects(tenants): groovyapp-dev, groovyapp-test, groovyapp-prod	17:17
wwriverrat	we dont want to use a naming convention to determine which is which. We’d rather push it into the “extras” metadata :)	17:19
*** tellesnobrega_ has quit IRC		17:20
*** gyee has joined #openstack-keystone		17:22
*** ChanServ sets mode: +v gyee		17:22
dstanek	wwriverrat: what about using the project name so that you won't be sad when extras is removed	17:24
dstanek	like dev-projectname	17:24
gabriel-bezerra	dstanek: that's what s/he said: "we dont want to use a naming convention to determine which is which"	17:25
wwriverrat	we have around 1300 projects currently allocate we have no idea which env they belong to. and i feel squeemish using naming conventions. Would need to modify horizon/keystone to enforce a naming convention specific to our deployment	17:25
dstanek	wwriverrat: what are you changing to add the extra data now?	17:27
openstackgerrit	Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens https://review.openstack.org/141397	17:27
wwriverrat	no. But next project I work on is to figure out what vm belongs to what env and how it is stable going forward	17:27
gabriel-bezerra	I see this is likely a case for hierarchical projects: it would be 3 huge dev/test/prod projects	17:28
gabriel-bezerra	and a subproject in each of them for each app	17:28
wwriverrat	Our support personnel freaking out not knowing “which of these alerts is REAL!”	17:28
openstackgerrit	Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens https://review.openstack.org/141397	17:28
wwriverrat	They only want to focus on prod	17:28
*** tylerdurden has joined #openstack-keystone		17:29
*** topol has quit IRC		17:30
gabriel-bezerra	wwriverrat: how those alerts come to them?	17:30
gabriel-bezerra	wwriverrat: is it based on the ip address?	17:30
gabriel-bezerra	wwriverrat: if so, you could have different networks in Neutron for each environment, and they would just monitor one of the networks	17:31
wwriverrat	When vm is spun up, we register the vm with our master system SMDB. It wants to know dev/test/prod. If prod, auto-magically hook up monitoring. Without the environment, they hook them all up.	17:33
gabriel-bezerra	wwriverrat: you could also have some configuration management that would allow you to set the place where the alerts should go. Then the configuration for production would be different from the other environments, and you would not depend on the kind of cloud iaas you are deploying to.	17:33
*** openstackgerrit has quit IRC		17:34
*** openstackgerrit has joined #openstack-keystone		17:34
wwriverrat	we could, we’re just trying to automate the process by providing them the environment when vm is spun up.	17:34
gabriel-bezerra	you can put that in the metadata of the instances too	17:35
wwriverrat	yes! exactly. but when vm is spun up, it needs to get it from somewhere. We’d ike to tag it to project (tenant)	17:35
gabriel-bezerra	wwriverrat: what version of openstack are you using? if you don't mind changing it when the extras field be removed, why not?	17:38
wwriverrat	icehouse. planning on juno soon	17:38
gabriel-bezerra	juno still have the field	17:38
gabriel-bezerra	so... if you don't mind changing your deployment scripts when you upgrade to a version where "extras" is removed, why not use it?	17:39
gabriel-bezerra	just be aware that it is likely to happen in future	17:39
gabriel-bezerra	some time in future	17:40
wwriverrat	we’re likely going to use it. If it goes away, we’ll likely steal the description field :( . I didnt mean to start a large discussion. I just wanted you all to know, we have a usecase that may help others for keeping extras.	17:40
*** zzzeek has joined #openstack-keystone		17:41
gabriel-bezerra	lbragstad may have a better feeling of when. I have no idea.	17:41
lbragstad	wwriverrat: I don't have a good meter of when, but I know there has been a lot of discussion about it	17:42
lbragstad	morganfainberg: would probably have a better timeline	17:42
gabriel-bezerra	wwriverrat: no problem. Thank you for pointing that.	17:43
wwriverrat	thanks for your time. I appreciate your insights :-)	17:43
gabriel-bezerra	dstanek: did you have the same problem I and marekd have had?	17:47
gabriel-bezerra	dstanek: how did you fix it?	17:47
gabriel-bezerra	dstanek: I'm talking about the pysaml2 example idp issue	17:48
dstanek	gabriel-bezerra: which issue are you still having?	17:48
*** openstackgerrit has quit IRC		17:49
*** openstackgerrit has joined #openstack-keystone		17:49
gabriel-bezerra	dstanek: the same about "Unable do establish security of incoming assertion"	17:49
gabriel-bezerra	dstanek: you said it could be something with certificates	17:50
gabriel-bezerra	dstanek: did you change the certificate of you deployment?	17:50
*** marcoemorais has quit IRC		17:50
dstanek	gabriel-bezerra: in your idp_conf.py you should change the key_file and cert_file to point to what is in /etc/shibboleth	17:50
*** tellesnobrega_ has joined #openstack-keystone		17:50
*** marcoemorais has joined #openstack-keystone		17:50
*** lhcheng has joined #openstack-keystone		17:55
*** dims__ is now known as dimsum__		17:57
*** thedodd has quit IRC		18:03
*** topol has joined #openstack-keystone		18:04
*** ChanServ sets mode: +v topol		18:04
*** bdossant has quit IRC		18:10
*** bdossant has joined #openstack-keystone		18:11
*** jistr has quit IRC		18:14
morganfainberg	If we remove extra there will be an alternative and/or it'll be optional because a lot of people use it.	18:14
breton	hey	18:16
breton	I finally started working on https://blueprints.launchpad.net/keystone/+spec/alembic, sorry for being silent about it for so long	18:17
*** harlowja_away is now known as harlowja		18:17
*** chrisshattuck has joined #openstack-keystone		18:19
*** kobtea has joined #openstack-keystone		18:20
breton	there is this module in oslo.db -- https://github.com/openstack/oslo.db/tree/master/oslo/db/sqlalchemy/migration_cli . It seems to be not documented though -- http://docs.openstack.org/developer/oslo.db/	18:21
breton	so, 1. Can it be used?	18:22
*** amakarov is now known as amakarov_away		18:24
*** kobtea has quit IRC		18:24
*** russellb is now known as rustlebee		18:29
gabriel-bezerra	dstanek: thanks. I'll try that.	18:32
breton	2. are we okay with changing command line options? I'd like to drop that "db_version" and "db_sync" and change it to "db version/upgrade/downgrade/etc"	18:32
dstanek	gabriel-bezerra: let me know how it goes	18:33
gabriel-bezerra	dstanek: you mean sp-{cert,key}.pem ?	18:36
gabriel-bezerra	dstanek: that belong to _shibd:_shibd ?	18:37
morganfainberg	breton: don't worry about being quiet on that front. We know people are busy and / or working on things. The cli options will need to have at least a deprecation cycle before they're fully changed n	18:37
morganfainberg	breton: so you can change them, but you're going to need to support and/or at least clearly communicate how the old options translate to the new ones.	18:38
gabriel-bezerra	dstanek: or you mean something in shibboleth2.xml file?	18:38
morganfainberg	breton: and zzzeek or dhellmann can probably answer about that oslo.db module more easily.	18:39
*** rushiagr_away is now known as rushiagr		18:39
breton	morganfainberg: the problem is that old options might be not usable with alembic. I am not sure that alembic can determine whether it should upgrade/downgrade by version number	18:39
dstanek	gabriel-bezerra: change idp_conf.py to point to the pem files in the /etc	18:40
breton	but yes, I guess I need zzzeek's opinion on that	18:40
zzzeek	otp	18:40
*** aix has quit IRC		18:40
morganfainberg	breton: we have zzzeek who is an awesome resource for this stuff and asking him helps us not do silly things that makes him cry when we find it was based on broken assumptions n	18:41
morganfainberg	zzzeek: hi! ;)	18:41
morganfainberg	S/cry/post on Twitter that $projects$ should read documentation and/or ask questions before wondering why things are horribly not working.	18:42
ekarlso-	is keystone migrating to alembic or ?	18:43
breton	ekarlso-: it is	18:43
morganfainberg	ekarlso-: all of openstack is afaik b	18:43
morganfainberg	But we want to do it this cycle.	18:43
ekarlso-	oh	18:43
ekarlso-	I would too for Designate	18:43
ekarlso-	if there's a ok migration path :/	18:43
morganfainberg	ekarlso-: I think we are doing a "use sqlamigrate until this cycle migrations then alembic. But breton can say more or tell me I am wrong.	18:44
morganfainberg	So all new	18:45
morganfainberg	Migrations end up alembic.	18:45
breton	yep, and old migrations stay sa-m	18:45
breton	and there is that migration_cli in oslo.db	18:46
breton	but I can neither find anything using it nor any docs	18:46
*** bdossant has quit IRC		18:49
*** afaranha has joined #openstack-keystone		18:50
breton	the code is simple though. But i'm not sure about its state	18:51
*** mikedillion has joined #openstack-keystone		18:53
marekd	dstanek: and by chaning it worked?	18:56
marekd	dstanek: strange, as i was doing similar thing and it didn't work	18:57
marekd	dstanek: so i simply copied shibboleth files and then pointed to them in idp_conf.py	18:57
rodrigods	marekd, ping what's the differences between "any_one_of" and "whitelist"? Is that whitelist compares a list against a list, while any_one_of compares a single value against a list?	18:58
*** raildo has quit IRC		19:00
*** marcoemorais has quit IRC		19:01
*** marcoemorais has joined #openstack-keystone		19:01
*** marcoemorais has quit IRC		19:02
*** marcoemorais has joined #openstack-keystone		19:02
*** boris-42 has joined #openstack-keystone		19:03
*** marcoemorais has quit IRC		19:15
*** marcoemorais has joined #openstack-keystone		19:15
marekd	rodrigods: if i was to make an analogy in Python I'd say: any_one_of: [a,b,c] --- if attribute in [a,b,c]: return True else return False. white list will be: whitelist = [a,b,c], input = [a,b,z] ---- return input.intersect(whitelist)	19:17
gabriel-bezerra	marekd, dstanek: I've got the same error. It didn't even change the AuthenticatingAuthority value	19:30
gabriel-bezerra	of the assertion	19:30
gabriel-bezerra	dstanek: are you using a valid certificate?	19:31
*** mikedillion has quit IRC		19:38
*** thedodd has joined #openstack-keystone		19:40
*** andreaf has quit IRC		19:41
ayoung	rodrigods, so, I had a change of mind since yesterday. I think I want to go back to putting the onus on the person specifying where to enforce policy to say what they want checked. Just like the "member" value says check policy on this value from the target, I think we want to say "check policy on this expected part of the create payload"	20:03
ayoung	So we would have somethinkg like:	20:03
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove XML support https://review.openstack.org/125738	20:03
ayoung	the check we have here for get_memeber_from_driver, but based on the request. http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n120	20:04
*** thedodd has quit IRC		20:06
*** marcoemorais has quit IRC		20:08
*** marcoemorais has joined #openstack-keystone		20:08
*** wwriverrat has left #openstack-keystone		20:09
*** tellesnobrega_ has quit IRC		20:15
*** thedodd has joined #openstack-keystone		20:16
*** kobtea has joined #openstack-keystone		20:21
dstanek	marekd: gabriel-bezerra: let me catch up on the conversatoin	20:23
*** jaosorior has quit IRC		20:23
*** kobtea has quit IRC		20:25
gabriel-bezerra	dstanek, marekd: it can be useful: https://pythonhosted.org/pysaml2/howto/config.html#metadata	20:41
*** aix has joined #openstack-keystone		20:43
dstanek	gabriel-bezerra: did you get it working?	20:44
gabriel-bezerra	dstanek: no, I didn' :(	20:46
gabriel-bezerra	dstanek: how about you?	20:46
gabriel-bezerra	dstanek: this is what I get in shibd.log when the POST comes from the browser https://gist.github.com/gabriel-bezerra/4885b36b40475bbd8e63	20:59
gabriel-bezerra	marekd: ^	20:59
dstanek	gabriel-bezerra: i thought i got past that, but it looks like i did not	21:04
lbragstad	oh geez https://review.openstack.org/#/c/125738/	21:15
*** topol has quit IRC		21:19
dstanek	lbragstad: passing? nice	21:25
lbragstad	mhmmm!	21:26
dstanek	gabriel-bezerra: marekd: i don't understand how to setup metadata for mod_shib. i just keep getting: No MetadataProvider available.	21:26
dstanek	lbragstad: nice	21:26
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add positive test case for content types https://review.openstack.org/130591	21:28
lbragstad	dstanek: did you get a spec pushed up for the functional testing bit?	21:29
*** jdennis has quit IRC		21:29
*** boris-42 has quit IRC		21:33
*** jdennis has joined #openstack-keystone		21:35
dstanek	lbragstad: almost - i reformatted most of it, but i can't break away from getting the IdP working	21:37
dstanek	lbragstad: today is actually a vacation day so that i can work on the two tutorials i'm giving at a conference next month, but i can't break away :-(	21:37
lbragstad	dstanek: IdP, the federation testing stuff?	21:39
*** jdennis has quit IRC		21:40
*** jdennis has joined #openstack-keystone		21:44
*** timcline_ has joined #openstack-keystone		21:48
*** timcline has quit IRC		21:48
dstanek	lbragstad: yep	21:51
*** boris-42 has joined #openstack-keystone		21:55
*** marekd is now known as marekd\|away		21:55
*** nellysmitt has joined #openstack-keystone		22:16
*** tylerdurden has quit IRC		22:20
*** shakamunyi has joined #openstack-keystone		22:20
*** nellysmitt has quit IRC		22:20
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/134794	22:21
*** kobtea has joined #openstack-keystone		22:22
*** timcline_ has quit IRC		22:23
openstackgerrit	Jorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers https://review.openstack.org/140175	22:24
*** kobtea has quit IRC		22:27
*** r-daneel has quit IRC		22:35
morganfainberg	dolphm, lbragstad, i think i found an issue with RAX cloud server building	22:36
*** stevemar has joined #openstack-keystone		22:36
*** ChanServ sets mode: +v stevemar		22:36
dolphm	morganfainberg: ?	22:36
morganfainberg	dolphm, lbragstad, but i think it errors when i use a 8192 length ssh key	22:36
* morganfainberg is trying again sans ssh key		22:37
morganfainberg	but - i remember something about this when i was at metacloud trying to use rax servers	22:37
morganfainberg	yep	22:37
dolphm	morganfainberg: i don't think i've used a key that long	22:37
morganfainberg	if i use my 8192 public key it fails the server build	22:38
dolphm	morganfainberg: using a seeded key from the web UI?	22:38
morganfainberg	nope, supplying my own	22:38
morganfainberg	oh i mean yeah via the key i input in the web ui	22:38
morganfainberg	yes i know... 8192 is crazypants	22:38
dolphm	morganfainberg: yeah... can you login with the provided password?	22:38
morganfainberg	no the VM fails to build.	22:38
dolphm	morganfainberg: oh ha	22:39
morganfainberg	yeah	22:39
dolphm	that's fun	22:39
morganfainberg	not supplying the key - no issue building	22:39
dolphm	morganfainberg: wonder if that's a known issue... #rackspace might be able to help, or open a ticket	22:39
dolphm	morganfainberg: or setup a weaker key for use with rax in sshconfig ..	22:40
* morganfainberg doesn't really care		22:40
morganfainberg	i can use the password for initial login	22:40
morganfainberg	i mean this is really a 1-off POC / dev box	22:40
morganfainberg	i wont have more than one	22:40
morganfainberg	cause i don't want to pay real $ for it.	22:40
morganfainberg	its just nice to have a stable place to poke at things when on an airplane rather than needing to burn battery on a VM	22:41
dolphm	morganfainberg: i was asking if you could login to check the state of authorized_keys ... thinking maybe it was getting truncated or something. but didn't realize you weren't getting that far	22:43
*** gordc has quit IRC		22:43
morganfainberg	and that is the level of work i'll put into it. toss some messages into #rackspace and go about my day. -	22:45
*** Haneef has quit IRC		22:49
*** dimsum__ has quit IRC		22:51
*** dimsum__ has joined #openstack-keystone		22:52
*** henrynash has joined #openstack-keystone		22:54
*** ChanServ sets mode: +v henrynash		22:54
*** aix has quit IRC		22:56
*** dimsum__ has quit IRC		22:57
openstackgerrit	Merged openstack/keystone: Cleanup eventlet use in tests https://review.openstack.org/140835	23:02
*** nkinder_away has quit IRC		23:13
*** jdennis has quit IRC		23:39
*** jdennis has joined #openstack-keystone		23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!