Monday, 2014-12-15

00:00 <morganfainberg> dstanek, and i'm seeing changes in the API doc.
00:00 <morganfainberg> lbragstad, ping, cc ^
00:01 <morganfainberg> https://review.openstack.org/#/c/138552/14 still has API Doc open: https://review.openstack.org/#/c/130277/
00:01 <morganfainberg> totally my mistake here.
00:05 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Revert "Inherited role assignments to projects"  https://review.openstack.org/141674
00:08 <morganfainberg> dstanek, lbragstad, rodrigods, ^ see my comment on the review.
00:08 <morganfainberg> jamielennox, did michael still get ahold of you?
00:08 <jamielennox> morganfainberg: yea, he reached out - had to turn him down though
00:09 <morganfainberg> jamielennox, boo.
00:09 <jamielennox> shame - could have been fun
00:09 <morganfainberg> yeah
00:16 <rodrigods> morganfainberg, ok... so I'll work to make it ready to ship ASAP. Tomorrow morning will address the current comments and ping you later. But until now, we haven't any suggestions to change the "format" of the API
00:17 <morganfainberg> rodrigods, yeah just a heads up that if it can't get in by say tuesday i'm going to want to do the revert for k1
00:17 <morganfainberg> rodrigods, sorry that was totally my fault.
00:17 <morganfainberg> i should have seen the API doc.
00:18 <rodrigods> morganfainberg, no problem, we absolutely want it to ship until k-1, so it will be my number 1 priority
00:18 <morganfainberg> rodrigods, great. thanks - i know i want it in K1 as well
00:19 <morganfainberg> but w/o the API-Doc i'm worried we ship something that doesn't match the specification
00:19 <morganfainberg> if the API doc changes between k1 and such
00:20 <rodrigods> morganfainberg, yes, you are right
00:21 <rodrigods> morganfainberg, btw (my other priority), any news about the policy lib graduation?
00:22 <morganfainberg> rodrigods, i'm actually on an airplane as we speak, but it is on my list for this week.
00:22 <rodrigods> morganfainberg, ah, ok... thanks
00:22 <rodrigods> morganfainberg, have a good flight
00:22 <morganfainberg> trying to :)
00:22 <morganfainberg> somewhere over ohio at the moment i think.
00:23 <rodrigods> heh :)
00:23 *** zz_avozza is now known as avozza
00:33 *** avozza is now known as zz_avozza
00:35 <jamielennox> morganfainberg: was anyone stepping up to handle that?
00:35 <morganfainberg> jamielennox, the talk?
00:35 <morganfainberg> not sure
00:35 <jamielennox> the talk sure - but i meant the policy lib
00:37 <jamielennox> last i heard it needed to be done but no one had been tasked
00:37 <jamielennox> morganfainberg: or did oslo agree to take it?
00:38 <morganfainberg> oh policy?
00:38 <morganfainberg> we're leaving it in oslo
00:38 <morganfainberg> but i'm still going to take on the lead for the library core team
00:38 <morganfainberg> and mostly keystone folks will (likely) join in.
00:39 <jamielennox> morganfainberg: cool - that makes sense, will review when it's available
00:46 *** dimsum__ has joined #openstack-keystone
00:46 *** oomichi_ has joined #openstack-keystone
00:51 <morganfainberg> jamielennox, i think it's all ready just needs some blessings of "this is actually good"
00:51 <jamielennox> morganfainberg: i want it to work directly with a new interface i've done
00:51 <jamielennox> which is really not hard
00:52 <jamielennox> and can just be a new function
00:52 <morganfainberg> well policy is graduating *as is* to start.
00:52 <morganfainberg> then we can add what is needed
00:52 <morganfainberg> hm.
00:52 <morganfainberg> what time is it in the UK /me checks
00:52 <jamielennox> morganfainberg: it's just the engine so that's fine
00:52 <jamielennox> morganfainberg: late
00:53 <morganfainberg> way late
00:53 <morganfainberg> like... midnight +
00:53 <morganfainberg> i need to bug henrynash about https://bugs.launchpad.net/keystone/+bug/1398347
00:53 <uvirtbot> Launchpad bug 1398347 in keystone "LDAP backend should do filtered query instead of getting all data and then filtering" [Undecided,New]
00:53 <morganfainberg> jamielennox, oh i could use your eyes on a tripleo change
00:53 <jamielennox> morganfainberg: shoot
00:53 <morganfainberg> jamielennox, i keep feeling like this change is wrong somehow...but plane + stuff is making it hard to say where
00:54 <morganfainberg> jamielennox, https://review.openstack.org/#/c/138246/
00:54 *** tylerdurden has quit IRC
00:55 <morganfainberg> i feel like this type of "work around" shouldn't be needed.
00:55 *** shakamunyi has joined #openstack-keystone
00:57 <jamielennox> morganfainberg: ugh, i hate this issue
00:57 <morganfainberg> yeah
00:57 <jamielennox> so it's largely solved
00:57 <jamielennox> and actually there it shouldn't matter
00:57 <morganfainberg> it is clearly mattering some, else they wouldn't have aimed to "fix" it
00:57 <jamielennox> Discover() will just give you back the urls that you get from GET :5000 /
00:58 <jamielennox> discover doesn't handle any hacking around v2/v3 it's not the right place
00:59 <jamielennox> morganfainberg: it looks like what is happening is they are passing an auth_url with a /v2.0 suffix, discovery is failing to find a /v3 endpoint (because it's at /v2.0) so they just arbitrarily replace /v2.0 with /v3
00:59 <morganfainberg> right.
01:00 <jamielennox> morganfainberg: would be solved by using plugins/session
01:00 <morganfainberg> sure, so - need to get them there.
01:00 <morganfainberg> unfortunately, i think this is the stopgap :(
01:01 <jamielennox> morganfainberg: ah - so they're caching the auth_ref, this is the problem that plugins don't handle well yet
01:01 <morganfainberg> yeah
01:01 <jamielennox> it's easy to fix from that client perspective
01:01 <jamielennox> but i don't know how to handle it well from client
01:03 <jamielennox> morganfainberg: is this monty's configuration library?
01:03 <morganfainberg> this is triple-o related i think
01:03 <jamielennox> unifying CLI options by file
01:03 <morganfainberg> but it might be that
01:04 <morganfainberg> jamielennox, https://github.com/openstack/os-collect-config
01:05 <morganfainberg> ahhh
01:05 <morganfainberg> it's meant to run for heat: https://wiki.openstack.org/wiki/OsCollectConfig
01:06 <jamielennox> morganfainberg: commented
01:07 <morganfainberg> thanks
01:07 <jamielennox> I need a "it works with sessions" hotkey
01:09 *** rushiagr_away is now known as rushiagr
01:09 *** Shohei has joined #openstack-keystone
01:10 *** Shohei has quit IRC
01:10 *** Shohei has joined #openstack-keystone
01:13 *** boris-42 has quit IRC
01:15 *** samuelms_ has joined #openstack-keystone
01:20 *** jacer_huawei has quit IRC
01:20 *** stevemar has joined #openstack-keystone
01:20 *** ChanServ sets mode: +v stevemar
01:27 *** zz_avozza is now known as avozza
01:27 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add generic auth plugin documentation  https://review.openstack.org/141680
01:29 *** ncoghlan has joined #openstack-keystone
01:30 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add auth plugin params to doc  https://review.openstack.org/141681
01:32 *** jacer_huawei has joined #openstack-keystone
01:32 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Document the auth plugins that are loadable by name  https://review.openstack.org/141683
01:47 *** samuelms_ has quit IRC
01:48 *** samuelms_ has joined #openstack-keystone
02:05 *** samuelms_ has quit IRC
02:07 *** erkules_ has joined #openstack-keystone
02:09 *** erkules has quit IRC
02:18 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Fix up types within API documentation  https://review.openstack.org/141693
02:34 *** diegows has quit IRC
02:35 <openstackgerrit> wanghong proposed openstack/keystonemiddleware: _get_token_expiration should return isotime  https://review.openstack.org/140984
02:48 *** chrisshattuck has joined #openstack-keystone
02:49 *** KanagarajM has joined #openstack-keystone
03:34 *** nellysmitt has joined #openstack-keystone
03:39 <openstackgerrit> Merged openstack/keystone: Remove database setup duplication  https://review.openstack.org/126734
03:39 *** nellysmitt has quit IRC
03:50 *** oomichi_ has quit IRC
03:51 *** rushiagr is now known as rushiagr_away
03:52 *** ayoung has quit IRC
03:58 <openstackgerrit> David Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3  https://review.openstack.org/125410
03:58 <openstackgerrit> David Stanek proposed openstack/keystone: Updates Python3 requirements  https://review.openstack.org/130579
03:58 <openstackgerrit> David Stanek proposed openstack/keystone: Mocks out the memcache library for tests  https://review.openstack.org/125409
03:58 <openstackgerrit> David Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/95827
04:00 *** Shohei has joined #openstack-keystone
04:02 *** lhcheng has joined #openstack-keystone
04:05 *** chrisshattuck has quit IRC
04:23 *** rushiagr_away is now known as rushiagr
04:24 *** lhcheng has quit IRC
04:24 *** lhcheng has joined #openstack-keystone
04:25 *** dimsum__ has quit IRC
04:29 *** lhcheng has quit IRC
04:43 <openstackgerrit> David Stanek proposed openstack/keystone: WiP: Script to sync oslo  https://review.openstack.org/114305
04:54 *** rm_work is now known as rm_work|away
05:01 *** boris-42 has joined #openstack-keystone
05:03 *** avozza is now known as zz_avozza
05:16 *** stevemar has quit IRC
05:25 *** lhcheng has joined #openstack-keystone
05:30 *** lhcheng has quit IRC
05:36 *** nellysmitt has joined #openstack-keystone
05:40 *** nellysmitt has quit IRC
05:54 *** jasondotstar has quit IRC
06:02 *** KanagarajM has quit IRC
06:05 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/136243
06:06 *** jacer_huawei is now known as wanghong
06:08 *** ajayaa has joined #openstack-keystone
06:26 *** jraim has quit IRC
06:26 *** jraim_ has joined #openstack-keystone
06:36 *** lhcheng has joined #openstack-keystone
06:48 *** ncoghlan has quit IRC
07:04 <morganfainberg> jamielennox, have something to talk to you about for KSC tomorrow.
07:05 <morganfainberg> from the ux perspective
07:05 <morganfainberg> will ping ya tomorrow on it
07:36 *** nellysmitt has joined #openstack-keystone
07:41 *** nellysmitt has quit IRC
07:55 *** erkules_ is now known as erkules
08:25 *** k4n0 has joined #openstack-keystone
08:37 *** nellysmitt has joined #openstack-keystone
08:44 *** zz_avozza is now known as avozza
08:51 <openstackgerrit> wanghong proposed openstack/keystone: don't allow user to operate role on disabled proj or domain  https://review.openstack.org/141746
09:19 *** i159 has joined #openstack-keystone
09:22 <openstackgerrit> henry-nash proposed openstack/keystone: Fix the way migration helpers check FK names.  https://review.openstack.org/138468
09:29 *** dimsum__ has joined #openstack-keystone
09:31 *** bjornar has joined #openstack-keystone
09:34 *** dimsum__ has quit IRC
09:44 <openstackgerrit> Merged openstack/pycadf: sync oslo  https://review.openstack.org/138381
09:50 *** lhcheng has quit IRC
09:51 *** lhcheng has joined #openstack-keystone
09:51 *** bdossant has joined #openstack-keystone
09:52 *** aix has joined #openstack-keystone
09:55 *** bdossant has quit IRC
09:55 *** bdossant has joined #openstack-keystone
10:00 *** samuelms_ has joined #openstack-keystone
10:07 *** andreaf has joined #openstack-keystone
10:14 <marekd> samuelms_: hey
10:15 *** avozza is now known as zz_avozza
10:16 *** zz_avozza is now known as avozza
10:17 *** avozza is now known as zz_avozza
10:19 <openstackgerrit> Marek Denis proposed openstack/keystone-specs: unified policy file  https://review.openstack.org/134656
10:20 <samuelms_> marekd, morning
10:20 <marekd> samuelms_: hey
10:21 <marekd> i have a couple of questions about https://review.openstack.org/#/c/133855/9/specs/kilo/domain-roles.rst
10:21 <samuelms_> marekd, sure
10:21 <marekd> and you are one of the contributors, according to the spec, right?
10:21 <samuelms_> marekd, yep
10:22 <marekd> samuelms_: great. so long story short the purpose of the spec is to make domain roles that can act as 'bags' (being a superset) of other classic roles we have today, right?
10:23 <samuelms_> marekd, they'll be a group of the global roles (classic as you said) and will be able to contain other domain roles as well
10:23 <samuelms_> marekd, further, they are owned by domains
10:23 <samuelms_> marekd, meaning domain-admins can define their own set of roles
10:23 <samuelms_> marekd, that are meaningful to them
10:23 <marekd> samuelms_: ok, so.
10:24 <marekd> so, today, roles can be created only by global, cloud admins
10:24 <marekd> and they are globally scoped
10:24 <marekd> right?
10:24 <samuelms_> yep
10:24 <marekd> samuelms_: what about role assignments?
10:25 <samuelms_> marekd, we'll be able to assign domain-roles as well
10:25 <marekd> samuelms_: no, i am asking about current capabilities.
10:25 <samuelms_> marekd, but when issuing a token, we convert those domain-roles into global roles
10:26 <samuelms_> marekd, about current capabilities? about what we can do with role assignments?
10:26 <samuelms_> marekd, not sure I understood your question
10:27 <marekd> let's forget about the spec for now
10:28 <samuelms_> ok
10:28 <samuelms_> marekd, so that the current role assignments are for global roles
10:28 <marekd> samuelms_: so, roles can be added by modifying the policy.json file and only by a cloud admin, not domain admins. What about role assignments - can *domain* admins add some role assignments to any users within their domains?
10:29 <samuelms_> marekd, in fact we don't add roles into the policy, we add them via api
10:29 <marekd> sorry, rules
10:29 <samuelms_> marekd, but they'll be just names so far right?
10:29 <samuelms_> marekd, in the policy we define *what* a role can do
10:29 <samuelms_> marekd, I think that's what you mean
10:29 <marekd> samuelms_: yes, my mistake.
10:30 <samuelms_> marekd, but how does the domain admin set what his own role can do? (his domain-role)
10:30 <samuelms_> marekd, it depends on the other roles it contains
10:30 <marekd> samuelms_: what can i do with my domain-scoped role at the moment?
10:31 <marekd> can i create a project within this domain?
10:31 <marekd> remove it?
10:31 <samuelms_> marekd, well, I think so.. you can do whatever you want with a role by configuring your own policy file
10:31 <marekd> no, but let's say i am domain-admin only
10:32 <marekd> and i cannot edit policy.json
10:32 <marekd> cause i am not cloud-admin
10:33 <samuelms_> marekd, yep
10:33 <marekd> so, what can i do with my domain-admin role
10:33 <samuelms_> marekd, but if cloud admin had created one global role per api operation,
10:33 <samuelms_> ?
10:33 <samuelms_> marekd, so that cloud admins could define their own set of domain-roles with whatever they want
10:34 <samuelms_> marekd, so a domain admin would be able to do: 'my-own-role':['identity:create_domain','nova:boot_instance',etc]
10:34 <samuelms_> marekd, those global roles I'd call capabilities
10:35 <marekd> but he would need to ask the cloud admin to add it to policy.json, right?
10:35 <samuelms_> marekd, no
10:35 <samuelms_> marekd, in policy, we would have:
10:35 <samuelms_> marekd, 'identity:create_domain': 'role:create_domain'
10:36 <samuelms_> marekd, we could have one role per api
10:36 <samuelms_> marekd, well, I'm writing an etherpad with all those ideas
10:37 <samuelms_> marekd, I'll finish it today and then I'll ping you :)
10:37 <samuelms_> marekd, the idea is simple but amazing
10:37 <samuelms_> marekd, need to go to lab now
10:37 <samuelms_> marekd, back in a few minutes
10:37 <marekd> samuelms_: ok
10:42 *** samuelms_ has quit IRC
10:42 <samuelms> marekd, well, I'm back :)
10:42 <marekd> samuelms: i wish i could go that quick to work ;/
10:42 <marekd> samuelms:
10:42 <marekd> anyway
10:43 <marekd> as i said, roles are global today.
10:43 <marekd> now, you can add roles to domains
10:43 <marekd> user marekd has a domain_admin role on domain CERN
10:44 <marekd> now i login with Keystone, ask for a token scoped for domain CERN, i will get it
10:44 <marekd> and what next?
10:44 <marekd> what can i do by default (and without domain-roles spec implemented) with it?
10:45 <samuelms> marekd, :)
10:46 <marekd> :(
10:47 <samuelms> marekd, well, you can do everything where there is an entry in the policy like : 'identity:do_something': '<other_rules> or role:domain_admin'
10:47 <marekd> samuelms: that's a helpful answer.
10:48 <samuelms> marekd, glad to see that
10:48 <marekd> and role:domain_admin will constrain my actions to my domain, of course
10:48 <samuelms> marekd, not by itself
10:48 <samuelms> marekd, you need to check that the domain you're trying to do something on is the same as the one you have a token for
10:48 <marekd> samuelms: ah, yes, of course
10:49 <samuelms> marekd, by doing something like : 'domain_id:%(scope.domain_id)s'
10:49 <marekd> i need to have a token scoped to a domain.
10:49 <samuelms> marekd, :)
10:49 <marekd> i thought there was something more magical.
10:49 <samuelms> marekd, no magics :p
10:50 <marekd> ok, and now, your spec (domain-roles) is all about being able to say: so, let's create a role vm-manager and whoever has this role on a domain CERN will automatically get roles 'vm-create', 'vm-delete', 'vm-update', right? And nothing more.
10:53 <marekd> that was question no.1
10:54 <marekd> samuelms: i also have a question no.2: How would the policy.json file need to look if i had a vm-create domain scoped role, and actually wanted to be able to boot a vm within one of the projects from that role? it looks like OS-INHERIT is also needed here, right?
10:56 <samuelms> marekd, yep for your question n1
10:56 <samuelms> marekd, notice that roles 'vm-create', 'vm-delete', 'vm-update' would be global and defined by the cloud admin
10:56 <samuelms> marekd, they define capabilities
10:58 <marekd> yes, but you still need role assignments
10:58 <marekd> to be able to use this role/capability on a resource (like project)
10:58 <samuelms> marekd, yep
10:59 <samuelms> marekd, os-inherit is related to how far role assignments are applied
10:59 <samuelms> marekd, if you want to have a role assignment on all projects of a domain, put an inherited role on that domain
11:00 <samuelms> marekd, now with hierarchical projects, if you want to put a role on every project inside a subtree, instead of adding a role assignment to each one of them
11:00 <samuelms> marekd, add an inherited role assignment to the root of that subtree
11:01 <samuelms> marekd, that's what role assignment inheritance stands for
11:01 <marekd> samuelms: but that's not the domain-roles spec
11:01 <marekd> or is it?
11:02 <samuelms> marekd, no
11:02 <samuelms> marekd, domain-roles are just groups of roles
11:03 <samuelms> marekd, and they belong to a domain, so that the domain-admin puts names on them
11:03 <samuelms> marekd, but what you can do with a role is exactly the same as what you can do with domain-roles
11:03 <samuelms> marekd, i.e., grating assignments, etc
11:03 <samuelms> s/grating/granting
11:04 <marekd> hm, vm-create makes me think that admin will be able to boot a VM in every project within a domain
11:05 <marekd> which turns out to not be true, as this is an operation per project
11:05 <marekd> not per domain
11:06 <marekd> samuelms: you know what i mean?
11:07 <samuelms> marekd, yes
11:07 <marekd> samuelms: and am i right? :P
11:07 <samuelms> marekd, you need a project scoped token to create a vm on it
11:07 <samuelms> marekd, yes you are
11:14 <marekd> hm
11:14 <marekd> samuelms: so let's talk through the example
11:14 <marekd> domain cern
11:14 <marekd> projects cms and atlas
11:14 <marekd> there is a vm-create, vm-delete role
11:15 <marekd> and user has role vm-create on project atlas
11:15 <marekd> let's say it's user A
11:15 <marekd> makes sense so far?
11:15 <marekd> i think it does.
11:16 <marekd> now, we create role vm-manager and make it consist of roles [vm-create, vm-delete]
11:16 <samuelms> oops, sorry I was doing a review
11:16 <samuelms> yep, makes sense
11:16 <samuelms> marekd, great, go on
11:16 <marekd> now, if user B can scope to a domain cern, and has a role vm-manager
11:17 <samuelms> marekd, wait
11:17 <marekd> this means.....actually what? he still needs to scope later to project atlas to be able to boot a machine
11:17 *** zz_avozza is now known as avozza
11:17 <marekd> and he has no affiliation, no role assignment with that so far.
11:17 <samuelms> marekd, first, domain-admin puts vm-manager domain-role to user B on project atlas, right?
11:18 <samuelms> marekd, you cannot get a token if you have no assignment on that project/domain
11:18 <marekd> ah, this is what i was missing : i thought domain-role means you can bind it with domain only.
11:19 <samuelms> marekd, no! they belong to domains, as users do :)
11:19 <samuelms> marekd, but they can be used everywhere inside that domain
11:20 <marekd> ok, so role assignment ties domain-role vm-manager with that particular project.
11:20 <marekd> right?
11:20 <samuelms> marekd, role assignment is composed of: *role/domain-role* for a *user/group* on a *project/domain*
11:22 *** lhcheng has quit IRC
11:22 <samuelms> marekd, role assignments are the link between identity (users/groups) and resources (projects/domain)
11:22 <samuelms> marekd, using roles :)
11:22 <marekd> samuelms: yeah, i get it
11:22 *** lhcheng has joined #openstack-keystone
11:23 <marekd> so, when you assign a domain-role for a user B on a project ATLAS
11:23 <marekd> this will mean that user automatically has roles vm-create vm-delete without making explicit assignments of those roles to this user on this project?
11:25 <marekd> samuelms: if you are going to put something more in the etherpad, go ahead and i will read it and digest it again
11:26 <marekd> i can understand the concept of domains, domain admins and the fact that they now have some flexibility within their domains (create/delete users, add/remove role assignments), but have problems with understanding domain-roles. Maybe the name is somewhat misleading.
11:26 <samuelms> marekd, yes, exactly
11:26 <samuelms> marekd, yes maybe.. we can talk a little bit more later :)
11:27 <samuelms> marekd, need to do something now
11:27 <marekd> OK
11:27 *** lhcheng has quit IRC
11:27 *** avozza is now known as zz_avozza
11:28 *** aix has quit IRC
11:34 <samuelms> marekd, thanks for your review on 'Add support for domain specific roles.'
11:34 <marekd> samuelms: api is required i think now...
11:35 <rodrigods> marekd, samuelms, yes. the API is the strongest point of discussion
11:36 <samuelms> marekd, rodrigods we have a patch that proposes the api changes
11:36 <rodrigods> samuelms, for both specs?
11:37 <samuelms> https://review.openstack.org/#/c/139531/
11:37 <samuelms> rodrigods, I don't see two specs
11:37 <samuelms> rodrigods, we were talking about domain roles
11:37 <rodrigods> samuelms, just remembered your working point wasn't a spec
11:38 <rodrigods> just an API spec
11:38 <samuelms> rodrigods, yes. domain-role API changes for domain-roles spec
11:38 <rodrigods> samuelms, it should have at least a dependency
11:39 <samuelms> rodrigods, agreed, I think we need to reference that in the spec
11:39 <rodrigods> the commit message is wrong as well, since it does not point to the bp
11:39 <samuelms> rodrigods, will do now, thanks
11:39 <samuelms> rodrigods, will ask henrynash to put a reference soon
11:40 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Add domain roles APIs  https://review.openstack.org/139531
11:40 <samuelms> rodrigods, ^
11:48 *** zz_avozza is now known as avozza
11:56 *** aix has joined #openstack-keystone
11:59 *** raildo has joined #openstack-keystone
12:00 *** avozza is now known as zz_avozza
12:02 *** nellysmitt has quit IRC
12:07 *** diegows has joined #openstack-keystone
12:07 *** nellysmitt has joined #openstack-keystone
12:09 *** afaranha has quit IRC
12:19 *** diegows has quit IRC
12:19 *** bjornar is now known as tziom
12:23 *** amakarov_away is now known as amakarov
12:29 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/130277
12:32 *** dimsum__ has joined #openstack-keystone
12:35 *** diegows has joined #openstack-keystone
12:36 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring  https://review.openstack.org/141352
12:36 *** nellysmitt has quit IRC
12:37 *** dimsum__ has quit IRC
12:37 *** EmilienM is now known as EmilienM|afk
12:40 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring  https://review.openstack.org/141352
12:42 <marekd> rodrigods: samuelms so i think this https://review.openstack.org/#/c/139531/ should be merged with the bp spec.
12:47 *** zz_avozza is now known as avozza
12:52 *** dimsum__ has joined #openstack-keystone
12:53 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens  https://review.openstack.org/141397
12:59 *** afaranha has joined #openstack-keystone
13:02 *** andreaf has quit IRC
13:10 *** nellysmitt has joined #openstack-keystone
13:12 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens  https://review.openstack.org/141397
13:17 *** EmilienM|afk is now known as EmilienM
13:28 *** jistr has joined #openstack-keystone
13:30 <openstackgerrit> David Stanek proposed openstack/keystone: Fixes HTTP status code when creating/updating endpoints  https://review.openstack.org/117341
13:31 <samuelms> dstanek, morning
13:31 <samuelms> dstanek, could you please take a look at bu #1402339
13:32 <samuelms> dstanek, bug #1402339
13:32 <uvirtbot> Launchpad bug 1402339 in keystone "Status code from HEAD requests must be consistent" [Undecided,New] https://launchpad.net/bugs/1402339
13:32 <samuelms> dstanek, :)
13:34 <morganfainberg> morning
13:35 *** nellysmitt has quit IRC
13:36 *** jistr has quit IRC
13:36 <samuelms> morning
13:40 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/130277
13:40 <rodrigods> morganfainberg, ^
13:41 <rodrigods> morganfainberg, addressed previous comments, can you review it whenever you have a moment? (will have my full attention for immediate fixes)
13:41 *** avozza is now known as zz_avozza
13:42 *** andreaf has joined #openstack-keystone
13:44 <dstanek> samuelms: sure
13:44 <dstanek> morganfainberg: morganfainberg
13:45 <dstanek> morganfainberg: did you get your revert commit through?
13:45 <morganfainberg> dstanek, it's holding
13:45 <morganfainberg> https://review.openstack.org/#/c/141674/
13:46 <morganfainberg> so if the API changes go through and the functionality doesn't change i'll abandon the revert
13:46 <dstanek> ayoung_: thoughts on https://review.openstack.org/#/c/111312/1 ? /cc anyone else that uses Fedora
13:47 <dstanek> morganfainberg: i'll start at the API change then
13:47 <morganfainberg> ++
13:47 <dstanek> morganfainberg: i took care of most of my older reviews last night, but went to sleep before finishing the last 1 (maybe 2)
13:47 <morganfainberg> cool
13:47 <morganfainberg> thanks
13:48 * morganfainberg has to get moving today and get some coffee.
13:48 *** gordc has joined #openstack-keystone
13:49 <dstanek> morganfainberg: that API makes me want a real REST API badly
13:55 <rodrigods> dstanek, available to immediately address your comments in the API :)
13:58 <dstanek> rodrigods: was this also added to identity-api yet?
13:58 <rodrigods> dstanek, the hierarchical projects bits, yes
13:59 <rodrigods> dstanek, already merged
13:59 <dstanek> morganfainberg: rodrigods: if that's the case then we can just approve the spec right? no need to go over the API too much since it should have been done in that review
14:00 <rodrigods> dstanek, I think in the identity-api we do not point changes from extensions
morganfainbergdstanek, i think we didn't have much of the api to review previously in this case on the OS-INHERIT side14:01
morganfainbergdstanek, so we do need to review the API being added, but it should be less work because os-inherit already exists14:01
rodrigodsmorganfainberg, ++ it is following the same pattern as the domains part14:02
*** dimsum__ is now known as dims14:02
dstanekrodrigods: sure we do http://git.openstack.org/cgit/openstack/identity-api/tree/v3/src/markdown/identity-api-v3-os-inherit-ext.md14:04
rodrigodsdstanek, sorry, didn't know about it14:04
rodrigodsdstanek, ah no...14:05
rodrigodsdstanek, thought you were talking about this one http://git.openstack.org/cgit/openstack/identity-api/tree/v3/src/markdown/identity-api-v3.md14:05
dstanekmorganfainberg: seems like we need to wait for the API change too then14:06
rodrigodsdstanek, the API spec change is up here ^14:06
rodrigodshttps://review.openstack.org/13027714:06
*** wanghong has quit IRC14:07
*** rushiagr is now known as rushiagr_away14:08
dstanekrodrigods: is there an API change for this already?14:09
rodrigodsdstanek, are you reviewing it? already addressed henrynash's comment14:09
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/13027714:09
rodrigodsdstanek, ^14:09
dstanekrodrigods: that's the spec, not the API14:10
rodrigodsdstanek, all the API weren't moved to the keystone-specs repo?14:10
*** richm1 has joined #openstack-keystone14:10
dstanekrodrigods: oh, wait...nm14:11
dstaneki have to update my tooling14:11
*** lhcheng has joined #openstack-keystone14:12
dstaneki still have markdown format checks and other things :-(14:12
rodrigodsdstanek, heh :(14:12
*** lhcheng has quit IRC14:16
dstanekrodrigods: but yes once i'm done with what i'm working on i'll review the API14:22
*** wanghong has joined #openstack-keystone14:23
rodrigodsdstanek, thank you, in a sprint here to make it land before we need to revert the code change :)14:23
dstaneki don't see why we wouldn't be able to approve the API today14:24
rodrigods++14:24
*** zz_avozza is now known as avozza14:25
samuelmsmorganfainberg, remember the 'capabilities' thing we were discussing about last Tuesday?14:26
raildomarekd, samuelms I answers your comments in the Reseller spec: https://review.openstack.org/#/c/139824/ I'll send a new patch :)14:33
*** bdossant_ has joined #openstack-keystone14:33
marekdraildo: thanks.14:34
*** bdossant has quit IRC14:34
raildomarekd, If you can look at the comment about the dual token, I think we can discuss better about it :)14:35
marekdraildo: probably some more explanation about dual scoped tokens could be useful, as it may have a huge impact on everything?14:41
marekdunless, there is already something like that...but i doubt14:41
*** nellysmitt has joined #openstack-keystone14:42
raildomarekd, I think that is not a huge impact, since the domains will be a project with some more functionalities. So the idea is when a request a token with the domain scope, the keystone will send a token with the domain and project scope, so you can use the same token in Keystone (as a domain or project scoped) and in other services (as a project scoped token)14:45
marekdraildo: but you want to have two "scope" entries in a token?14:46
raildomarekd, IMO yes14:47
marekdraildo: maybe some example of a token or reference read ?14:47
raildomarekd, Ok, I will put a example about that14:47
raildomarekd, thanks :)14:48
marekdraildo: cause i think this may ring some bells to some reviewers...14:48
marekdraildo: no problem :-)14:48
*** bdossant has joined #openstack-keystone14:49
raildomarekd, and I'm really waiting for this reviewers hahahaha14:50
marekd.....14:51
dstanekrodrigods: completed a first pass14:51
lbragstadmorganfainberg: thanks for the heads up on the XML patch Jenkins failures. I was struggling with that one14:52
rodrigodsdstanek, thanks, will address them14:52
marekdraildo: you are concerned about lack of reviewers of the fact that they will for sure be okay with that multi scoped tokens ?14:53
dstanekmarekd: hi14:53
*** bdossant_ has quit IRC14:53
dstanekrodrigods: let me know if you have question. some of my comments were just questions14:53
marekddstanek: hi14:54
raildomarekd, this idea about the dual tokens was discuss in the summit, (I just don't remember now who suggested this idea)14:54
rodrigodsdstanek, thanks14:54
dstanekmarekd: just wanted to let you know that i got to the point in my identity federation that the SP was trying to verify something signed my the idp - i just have metadata incorrect or something14:55
raildomarekd, I just think that this spec will  be much discussed14:55
marekdraildo: ++14:55
marekddstanek: what are the symptomps?14:56
marekderrors etc.14:56
*** stevemar has joined #openstack-keystone14:56
*** ChanServ sets mode: +v stevemar14:56
dstanekmarekd: jas - i'll log into that vm14:56
raildomarekd, I know that the reseller will be a huge impact in keystone, so we need to discuss a lot about this :)14:56
dstanekmarekd: it just says that it can't verify the message14:57
samuelmsraildo, ok thanks, waiting the new patch :)14:58
marekddstanek: yeah, gabriel-bezerra and myself got into same issue last week14:59
marekdi am thinking there might be something wrong with pysaml2 ;/14:59
marekdi will ping author14:59
marekdfor that14:59
dstanekmarekd: cool, i'm going to start debugging the pysaml2 idp code to see what is happening14:59
marekddstanek: i had another idea15:00
marekdmaybe i will start working on that before i leave today.15:00
marekdi know testshib or other idps worked15:00
marekdso it would be better to compare what assertions from an idp that works and from pysaml look like.15:00
*** avozza is now known as zz_avozza15:02
rodrigodsdstanek, regarding the PUT operation (create a role_assignment), do you think we need to make clear it doesn't have a body?15:04
*** rushiagr_away is now known as rushiagr15:05
*** nellysmitt has quit IRC15:05
bknudsonrodrigods: say that the body is ignored15:09
bknudsonif that's what happens.15:09
rodrigodsbknudson, ++15:10
dstanekbknudson: ++15:11
*** bknudson has quit IRC15:11
dstanekrodrigods: what is the usecase for getting the inherited roles15:12
dstanek?15:12
rodrigodsdstanek, the effective, or direct ones?15:14
*** bknudson has joined #openstack-keystone15:18
*** ChanServ sets mode: +v bknudson15:18
*** samuelms_ has joined #openstack-keystone15:20
*** samuelms_ has quit IRC15:26
*** jaosorior has joined #openstack-keystone15:28
*** timcline has joined #openstack-keystone15:30
*** timcline has quit IRC15:31
morganfainberglbragstad, it should be working now w/ a recheck15:31
*** timcline has joined #openstack-keystone15:31
lbragstadmorganfainberg: yep, stevemar issued a recheck on it and it passed15:32
morganfainbergdstanek, checking in with you on the SQL test bp.15:32
stevemarah the xml stuff15:33
dstanekmorganfainberg: howdy15:33
morganfainbergdstanek, this whole east coast time thing is throwing me for a bit of a loop :P15:34
morganfainbergbut the bagels here are awesome.15:34
*** nkinder_away has joined #openstack-keystone15:36
*** topol has joined #openstack-keystone15:39
*** ChanServ sets mode: +v topol15:39
*** samuelms_ has joined #openstack-keystone15:40
*** bdossant has quit IRC15:41
openstackgerritAlexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring  https://review.openstack.org/14135215:43
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/13027715:44
dstanekmorganfainberg: you're here on the east coast?15:46
rodrigodsdstanek, sent another patchset, but if you think the replies to some of your comments weren't enough please let me know15:46
morganfainbergdstanek, in manhattan until thursday15:46
morganfainbergdstanek, and will probably come back in january.15:47
dstanekmorganfainberg: nice15:47
dstanekrodrigods: thx, i'll take a look15:47
bknudsonmaybe we'll have a summit there someday15:48
morganfainbergbknudson, hehe i'd dig having the summit in NYC15:48
bknudsonbloomberg would be all over it.15:49
*** nellysmitt has joined #openstack-keystone15:50
*** richm1 has quit IRC15:50
*** radez_g0n3 is now known as radez15:51
rodrigodsmorganfainberg, ^ API spec with a +2 from henrynash \o/15:55
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095415:55
morganfainbergrodrigods, nice.15:55
*** nkinder_away is now known as nkinder15:55
morganfainbergdstanek, is https://review.openstack.org/#/c/126030/ a realistic target for k1? should i bump the BP to k2?15:58
dstanekmorganfainberg: k2 - the patch that i was waiting on just merged yesterday and there is still a bit more work to be done15:59
openstackgerritMarek Denis proposed openstack/keystone-specs: Service Provider for K2K  https://review.openstack.org/13560415:59
morganfainbergdstanek, done.15:59
morganfainbergstevemar, https://review.openstack.org/#/c/125753/9/doc/source/setup.rst are we getting an update for K1 on this? (cc lbragstad )15:59
*** bdossant has joined #openstack-keystone16:00
lbragstadmorganfainberg: stevemar I can rebase that if you want16:00
marekdgabriel-bezerra: did you make mod_Shib w/ pysaml2 work?16:00
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095416:00
stevemarmorganfainberg, lbragstad yeah i'll do it now16:01
lbragstadstevemar: or if you just hit the 'rebase' button it should work, now that the XML removal patch is passing16:01
*** nellysmitt has quit IRC16:01
morganfainberglbragstad, yeah we just need to fix the outstanding comment[s] as needed - though lxml might still be needed? for federation16:01
bknudsonhasta la vista xml.16:01
marekdmorganfainberg: for k2k16:01
morganfainbergmarekd, right.16:01
marekdotherwise it's heavily used in keystoneclient, but i think you are not talking about it.16:02
morganfainbergmarekd, less worried on the keystoneclient front16:02
morganfainbergmarekd, this is just keystone server16:02
*** ajayaa has quit IRC16:02
stevemarmorganfainberg, lbragstad i'll wait til the patch is actually merged, i don't want to mess anything up16:02
marekdmorganfainberg: that's what i was thinking.16:02
lbragstadcool16:02
morganfainbergstevemar, rebase button wont mess anything up16:02
* lbragstad salutes the Keystone XML codebase 16:02
stevemarmorganfainberg, it is rebased? AFAICT16:02
morganfainbergstevemar, rebase locally and push to gerrit is a bit more dicey at times.16:03
morganfainbergstevemar, so if we do need lxml for k2k we might want to leave that in there16:03
bknudsonwhy rebase? if it's not in merge conflict?16:03
morganfainbergi think thats the only comment atm16:03
morganfainbergbknudson, steve said rebase in his comment reply16:03
morganfainbergbknudson, thats all16:03
stevemarmorganfainberg, oh that was cause of the suse steps16:03
morganfainbergcould use some eyes on these bugs: https://bugs.launchpad.net/keystone/+bug/140036216:05
uvirtbotLaunchpad bug 1400362 in keystone "check and delete  policy_association_for_region_and_service  performs create" [High,In progress]16:05
morganfainberghttps://bugs.launchpad.net/keystone/+bug/139847016:05
uvirtbotLaunchpad bug 1398470 in keystone "sql migration helpers incorrectly inspect for FKs" [High,In progress]16:05
morganfainberghttps://bugs.launchpad.net/keystone/+bug/138367616:05
uvirtbotLaunchpad bug 1383676 in keystone "endless loop when deleting region" [High,In progress]16:05
morganfainbergand associated reviews16:05
*** ayoung has joined #openstack-keystone16:05
*** ChanServ sets mode: +v ayoung16:05
*** bdossant has quit IRC16:10
*** bdossant has joined #openstack-keystone16:11
*** wanghong has quit IRC16:13
*** chrisshattuck has joined #openstack-keystone16:14
*** wanghong has joined #openstack-keystone16:14
*** richm1 has joined #openstack-keystone16:15
bknudsonwe need more of https://blueprints.launchpad.net/keystone/+spec/removed-as-of-kilo .16:17
amakarovmorganfainberg, good day! I have a question about group role revocation: is it by design that if a user is in a group whose role is being revoked on some project, then this user's tokens are ALL invalid ?16:17
morganfainbergamakarov, there is something along those lines that was a limitation of how we store the data16:20
morganfainbergbknudson, hehe16:20
morganfainbergbknudson, i retargeted it to k2 since some stuff is outstanding still...so we can get more in there.16:20
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982416:21
morganfainbergdstanek, last question: https://review.openstack.org/#/c/131516/ is that still k1? or should i bump that as well to k216:22
raildomarekd, ^16:22
morganfainbergdstanek, i'm thinking k2 just so there isn't any craziness at the last minute to get it in for k116:22
dstanekmorganfainberg: i'm planning on addressing the comments today, but k2 would be fine16:22
morganfainbergdstanek, great16:22
dstanekmorganfainberg: the hardest part is getting all of these reviews through16:22
morganfainbergdstanek, right. we're pretty close on a lot of them16:23
morganfainbergdstanek, but getting them done *today* is unlikely16:23
marekdraildo: thanks.16:23
dstanekmorganfainberg: ++ and ++16:23
amakarovmorganfainberg, I've run into issue https://bugs.launchpad.net/keystone/+bug/1401926 and don't know whether it's a bug or a feature :)16:24
uvirtbotLaunchpad bug 1401926 in keystone "Role revocation invalidates tokens on all user projects" [Undecided,In progress]16:24
morganfainbergok so we're down to the three bugs i linked above ^^ and the HMT API change16:24
marekdraildo: how can i distinguish if roles from the token are for project or domain?16:24
bknudsonmorganfainberg: are they in https://gist.github.com/dolph/651c6a1748f69637abd0 ?16:24
morganfainbergbknudson, yeah, i'm making sure they are16:25
rodrigodsmarekd, good point, guess they will be able to perform both types of operations?16:25
dstanekrodrigods: i was referring to the list APIs in that document - was the existing list roles changed to get inherited roles?16:26
marekdrodrigods: raildo: is it by definition of the spec? Otherwise what if such user should have roleA on a project this token is scoped to and roleB on domain only.16:26
morganfainbergbknudson, they should be now16:27
bknudsonthanks16:28
rodrigodsdstanek, ahh ok, yes16:28
rodrigodsdstanek, it gets the effective roles depending on the query16:29
morganfainbergamakarov, that looks like actually 2 bugs - 1 a bug in revocation events (i need to dig further on it) and that we are somewhat limited on groups or at least we used to be16:29
raildomarekd, that a good question :P16:29
marekdraildo: do you have an answer? :-)16:29
raildoI think that we need to change the role in the token, to explain the target (domain/project)16:30
amakarovmorganfainberg, what can I do?16:30
morganfainbergamakarov, well revocation events is harder to debug16:30
raildomarekd, like... admin (in project)... member ( in domain)16:31
raildomarekd, what do you think?16:31
marekdraildo: that's why i asked for some example, as I was hoping such things would be resolved (and the description would be omitted). And that's why I said that this may have some impact on other services for instance.16:31
amakarovmorganfainberg, may I propose changes here, or does it need your investigation first?16:31
*** packet has joined #openstack-keystone16:31
morganfainbergamakarov, feel free to propose changes16:31
marekdraildo: splitting and moving roles would be fine16:31
morganfainbergamakarov, you *never* need to wait for my investigation16:31
morganfainbergto propose a change/fix/etc16:32
marekdraildo: but i cannot say if it will be backwards compatible.16:32
marekdraildo: rodrigods let's ask the boss here16:32
marekdmorganfainberg: o/16:32
rodrigodsmarekd, ++16:32
dstanekrodrigods: ok, if inherited roles are included when something asks 'what roles does this user have on this project' i'm less concerned16:32
raildomarekd, I'll put this point in the Keystone meeting, tomorrow, so we can discuss this with the keystone core16:32
morganfainbergmarekd, oh hai16:32
marekdraildo: ++16:32
marekdhttps://review.openstack.org/#/c/139824/6/specs/kilo/reseller.rst look at line 17716:33
*** samuelms_ has quit IRC16:33
marekdso raildo , rodrigods and the rest want to have tokens scoped to two entities, say project and domain at the same time. However it's hard to see what roles apply to what resource16:33
morganfainbergwell, i think we talked about this from a concept of merging projects and domains16:34
*** david-lyle_afk is now known as david-lyle16:34
amakarovbknudson, can you please review my change (I hope I satisfied your concern there)? https://review.openstack.org/#/c/118590/16:34
morganfainbergwhich case, you'd *only* have that for the domain itself16:34
morganfainbergeverything else would be just project16:34
morganfainbergand it wouldn't matter which role is scoped to where.16:34
morganfainbergsince it's the same entity16:34
dstanekrodrigods: so basically in my mind those APIs are just crud and not really application APIs16:35
marekdmorganfainberg: hm, if i have a token scoped to two resources16:35
marekdi may have different roles on resourceA and different on resourceB16:35
dstanekrodrigods: should we have a note in the list user roles call that says it doesn't include all inherited roles the user has?16:35
rodrigodsdstanek, they are16:35
morganfainbergmarekd, the only time that should occur is when that resource is just known as project or domain16:35
morganfainbergmarekd, you should never have a token scoped to two different resources16:36
dstanekrodrigods: they are?16:36
rodrigodsdstanek, wait16:36
morganfainbergmarekd, domain roles are not ever used on a project16:36
rodrigodsdstanek, can you paste here the HTTP call?16:36
dstanekrodrigods: the list one i'm talking about?16:36
rodrigodsdstanek, yes16:36
marekdmorganfainberg: so, this double scoping would be in just one particular, well known case16:36
morganfainbergmarekd, thats the way i see it16:37
marekdmorganfainberg: ok16:37
marekdraildo: maybe such explanation could be added?16:37
morganfainbergmarekd, it's to get around the case where domain == project and prevents us from breaking things.16:37
dstanekrodrigods: /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/inherited_to_projects16:37
marekdmorganfainberg: ok16:37
marekdmorganfainberg: thanks.16:37
morganfainbergmarekd, now... if that *isn't* what they're proposing here, i don't like it ;)16:37
raildomarekd, sure. I'll add the morganfainberg comment in the spec :)16:37
morganfainbergmarekd, i'm reading the change and i *think* thats what is being proposed here16:38
marekdraildo: is it what you are proposing ? :-)16:38
marekdmorganfainberg: ok16:38
morganfainbergraildo, but if i'm wrong please correct me ;)16:38
marekdso you can -2 it :P16:38
raildomorganfainberg, no, you're right :)16:38
rodrigodsdstanek, ok, now I understand... The semantics of this call is to retrieve the roles in a role assignment with such <project_id>, <user_id> and with the inherited_to_projects flag active16:38
raildohahahah16:38
morganfainbergmarekd, eh probably -1 in that case :P16:38
rodrigodsdstanek, without the group ones16:38
morganfainbergmarekd, we're not at "OMG WHAT THE HECK IS THAT"16:39
morganfainberg;)16:39
bknudsoncan we deprecate r/w ldap? Probably requires making sure docs describe how Keystone uses LDAP.16:39
marekdmorganfainberg: ok :)16:39
rodrigodsdstanek, this role assignment isn't even effective16:39
bknudsondeprecate writing to ldap16:39
morganfainbergbknudson, so no.16:39
morganfainbergbknudson, people *actually* use it :(16:39
bknudsonpeople use XML16:39
morganfainbergthat being said... RAX is proposing a proper R/W ldap w/ schema16:39
dstanekrodrigods: right just the direct crud stuff - seeing the URL and reading the doc doesn't seem to say that16:39
morganfainbergbknudson, no people don't really use XML :P16:39
morganfainbergbknudson, they use java and turn XML into tracebacks16:40
morganfainberggreat api for that16:40
rodrigodsdstanek, ok... do you have any suggestions to improve the description?16:40
marekdmorganfainberg: i have also a question. why in policy.json there is only one rule concerning role_assignments?16:40
morganfainbergbknudson, if RAX is willing to build the read/write LDAP and schema - and migration scripts (yep, they said they want this), i'd be willing to deprecate the current r/w ldap for that. but there are real deployments that make use of r/w/ ldap16:41
morganfainbergbknudson, as it is today16:41
samuelmsmarekd, because we only have listing there16:41
marekdsamuelms: how do you add RAs then ?16:41
samuelmsmarekd, using the grant api16:41
bknudsonI'd think they'd be happier having their own scripts to update the LDAP directory.16:41
samuelmsmarekd, granting roles to someone16:42
marekdsamuelms: which is a role assignment to me...16:42
rodrigodsdstanek, maybe "Lists all roles assigned to a user on a given project with the inherited_to_projects flag active."16:42
samuelmsmarekd, that's the same16:42
marekdsamuelms: ah, naming16:42
marekdthat's all16:42
dstanekrodrigods: i would call out that it doesn't get all of the effective roles - is the difference between effective roles and <direct DB records?> called out anywhere?16:42
bknudsona migration script from LDAP to LDAP seems pretty crazy16:42
marekdsamuelms: makes sense, thanks.16:42
samuelmsmarekd, I don't know the reason why role assignments are separated from grants (some historical discussion there) maybe morganfainberg may remember16:42
samuelmsmarekd, np16:42
rodrigodsdstanek, list role assignments with effective flag and list_projects_for_user16:43
dstanekrodrigods: that's a false statement because it doesn't actually return all of the roles right?16:43
rodrigodsdstanek, all the roles where these conditions are true?16:43
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests  https://review.openstack.org/13702116:43
*** KanagarajM has joined #openstack-keystone16:44
dstanekrodrigods: this is a hard one because that reads like i can use it to get a list of all inherited roles for a user and roles that they inherit via a group will not be included16:44
rodrigodsdstanek, ahh ok... so I think the note suggestion can be used16:45
amakarovmorganfainberg, 1 more thing: there is trust redelegation still waiting :) https://review.openstack.org/#/c/131541/ and https://review.openstack.org/#/c/126897/ I've turned allow_redelegation to parameter as we discussed - it's stored no more.16:45
morganfainbergamakarov, i know.16:46
morganfainbergamakarov, thanks16:46
rodrigodsdstanek, copying from the domains part "The list only contains those role assignments to the project that were specified as being inherited to projects within that project."16:48
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095416:51
dstanekrodrigods: that's probably good16:53
rodrigodsdstanek, great, will update with that description16:54
dstanekrodrigods: thanks16:55
openstackgerritgordon chung proposed openstack/pycadf: deprecate audit middleware  https://review.openstack.org/13838616:55
*** KanagarajM has quit IRC16:56
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/13027716:56
dstanekmarekd: gabriel-bezerra: fyi...this is what i was using to test http://paste.openstack.org/show/151299/16:57
rodrigodsdstanek, ^16:57
dstanekmarekd: gabriel-bezerra: it requires lxml since i am parsing the form and i didn't want to keep using the browser for testing16:57
*** k4n0 has quit IRC16:59
*** rm_work|away is now known as rm_work16:59
*** nellysmitt has joined #openstack-keystone17:00
*** shakamunyi has quit IRC17:03
openstackgerritHaneef Ali proposed openstack/keystone: Fix wrong log message in token flush  https://review.openstack.org/14079017:06
*** gyee has joined #openstack-keystone17:06
*** ChanServ sets mode: +v gyee17:06
*** bdossant has quit IRC17:07
*** zz_avozza is now known as avozza17:09
openstackgerritAlexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens  https://review.openstack.org/14139717:10
morganfainbergamakarov, I think that is not going to revoke pki tokens properly17:15
morganfainbergamakarov, the token wont end up in the revocation list17:16
amakarovmorganfainberg, hmm, I see your point... I filed a bug for group revocation problem, so I think I just mark it WIP17:18
amakarovmorganfainberg, maybe even abandon it later17:18
morganfainbergThis is a hard one.17:19
morganfainbergNot an invalid bug.17:19
morganfainbergBut def a bit weird.17:19
afaranhaayoung, hey, are you there?17:19
amakarovI want to add "group_id" to revocation tree17:19
amakarovmorganfainberg, I'm digging for revocation architecture now - it looks strange, really :)17:20
amakarovbut makes sense. The task it solves isn't trivial too17:21
*** henrynash has joined #openstack-keystone17:24
*** ChanServ sets mode: +v henrynash17:24
henrynashrodigods: ping17:24
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14139717:24
*** lhcheng has joined #openstack-keystone17:25
rodrigodshenrynash, hey17:25
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185417:26
*** i159 has quit IRC17:26
henrynashrodigods: hi…not sure I understood your last response to my comment17:27
morganfainberghenrynash: I moved the split to k2. Fyi.17:27
henrynashrodigods: I agree it is the same as the GET /role_assignment statement you gave…but isn't that what my text says?  Or do you interpret it differently?17:27
henrynashmorganfainberg: when's the cut off?17:28
ayoungafaranha, yeah17:28
*** avozza is now known as zz_avozza17:28
*** zz_avozza is now known as avozza17:29
rodrigodshenrynash, I interpret it differently... "The list only contains those role assignments anchored to this project that were specified as being inherited to its subtree." is weird because: role assignments (it returns roles) and the last part about the subtree17:29
morganfainberghenrynash: k1 cut off is tomorrow I think. It releases on thurs.17:29
morganfainbergAfaik.17:29
* morganfainberg 2x checks.17:29
henrynashmorganfainberg: ok, makes sense17:29
lbragstadI like how the whisky question on the Hackathon survey is required.17:30
rodrigodshenrynash, do you agree with my last suggestion?17:30
henrynashrodigods: isn't "projects within that project" the subtree?17:30
rodrigodshenrynash, yes... you are right, just worried about the first sentence with "role assignments"17:31
rodrigodshenrynash, need to change to something like "roles assigned"17:31
henrynashrodigods: ok…fine on that part, “roles assigned to the project” is better17:32
openstackgerritAlexander Makarov proposed openstack/keystone: Role revocation invalidates too many tokens  https://review.openstack.org/14139717:32
rodrigodshenrynash, "The list only contains those roles assigned to this project that were specified as being inherited to its subtree."17:32
rodrigodsdstanek, "The list only contains those roles assigned to this project that were specified as being inherited to its subtree."17:32
rodrigodsdstanek, your feedback too :)17:32
henrynashrodigods: works for me17:34
rodrigodshenrynash, great!17:34
rodrigodsthanks for the reviews henrynash, since our first HM patch :)17:35
henrynashrodigods: yw17:35
afaranhaayoung, hey, could you send the current implementation of the policies?17:35
ayoungno17:35
afaranhaany news? I will work on that now, I read the discussion that you had with samuelms , I'll continue the work on that17:36
ayoungafaranha, I'm breaking things left and right17:36
ayoungafaranha, right now I am trying to figure out what to do about the get_member_from_driver thing17:36
ayoungI know I kindof want it as a lambda17:36
dstanekrodrigods: henrynash: does that still read as getting effective roles?17:37
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/13027717:37
ayoungafaranha, It is kindof morphing into the cleanup of the keystone policy enforcement code that I have wanted to do for a while17:38
ayoungafaranha, let me try the lambda thing, and then I'll post a new WIP, ok?17:38
afaranhaWhat do you mean by get_member_from_driver?17:39
henrynashdstanek: i don’t think so….but if you interpret it differently then it’s not good enough!17:39
afaranhaayoung, Sure.17:39
ayoungafaranha, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n12017:39
ayoungthat ties us to the Keystone controller class hierarchy, but it is an artificial tie17:40
ayoungif we instead had an optional lambda in the decorator definition we would have the same thing17:40
ayoungsomething like17:40
*** eglynn is now known as eglynn-officeafk17:40
ayounglambda: member: self.identity_api.get_user17:41
ayoungbut that is not quite the right thing, either, because we need to parse the arguments.  I want a single, reusable callback function that can be specified on the function definition17:41
rodrigodshenrynash, dstanek, still missing the "groups" part? Making clear we do not list effective roles inherited from groups?17:42
ayoungmaybe it should be something more like:17:42
afaranhaayoung, this member is for users, domains, projects and groups right?17:42
ayoungmember_accessor=None or member_accessor=self17:42
ayoungyeah17:42
ayoungafaranha, look in the identity/controllers.py file17:42
*** nellysmitt has quit IRC17:43
*** nellysmitt has joined #openstack-keystone17:44
ayoungafaranha, so what we want is a function that is called to get the member from the api.  we want everything prepped so that, once we have the request, we can make a single call17:44
dstanekrodrigods: henrynash: i'm looking at it from an outsider's point of view; what would you expect back from The list only contains those roles assigned to this project that were specified as being inherited to its subtree."?17:44
ayoungif each API object only managed a single type of entity, and took a primary key in the get_member function we would have exactly what we needed by specifying just the API object17:45
henrynash(back on later)17:46
*** henrynash has quit IRC17:46
dstanekrodrigods: henrynash: is that the same as saying "you get back all roles a user has for a project" or "you get back only roles assigned to a user id, but this user may have more roles based on the groups they are in"17:47
rodrigodsdstanek, the second17:47
rodrigodsI mean, should be the second17:47
dstanekrodrigods: what says that the list is limited or that it only include a subset of the overall roles?17:48
afaranhaayoung, just to get me in context, this work is to be able to use a rule like this, right? 'create_user': 'role:domain_admin on scope:domain'17:49
afaranhawe need to get the domain_id from the user, but the user is not an object yet17:50
rodrigodsdstanek,  "only contains those roles assigned to this project" and "specified as being inherited to its subtree"17:50
rodrigodsdstanek, I might be missing something17:50
dstanekrodrigods: so all roles a user has on the project or only those mapped directly to a user id?17:51
rodrigodsdstanek, only those mapped directly to a user id17:52
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982417:52
*** wanghong has quit IRC17:52
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982417:53
dstanekmorganfainberg: you own the oldest Keystone review!17:53
*** wanghong has joined #openstack-keystone17:53
dstanekopen review that is17:53
*** nellysmitt has quit IRC17:56
morganfainbergdstanek, lol nice18:01
morganfainbergdstanek, haven't done the abandon sweep yet18:01
*** ajayaa has joined #openstack-keystone18:01
*** marcoemorais has joined #openstack-keystone18:02
*** marcoemorais has quit IRC18:02
*** marcoemorais has joined #openstack-keystone18:02
*** rustlebee is now known as russellb18:09
bknudsonI usually go with this : http://russellbryant.net/openstack-stats/keystone-openreviews.html18:17
bknudsonto look for old reviews18:17
samuelmsdolphm, thanks for marking bug #1402339 as triaged ... will start working on that18:19
uvirtbotLaunchpad bug 1402339 in keystone "Status code from HEAD requests must be consistent" [Low,Triaged] https://launchpad.net/bugs/140233918:19
samuelmsmorganfainberg, ^ that's related to a patch you submitted regarding HEAD apis18:19
morganfainbergyeah18:19
morganfainbergdang it... forgot to ask henrynash about something again18:19
morganfainberg...18:19
samuelmsgyee, ping .. would be glad to have your review here https://review.openstack.org/#/c/139531/2/api/v3/identity-api-v3.rst18:23
samuelmsgyee, that's regarding domain-role api18:23
topoldstanek, you there18:26
dstanektopol: lunching, but sorta. What's up?18:28
topoldstanek, I had a question on your DI spec but I can wait till you are done with lunch. Just ping me18:28
morganfainbergdstanek, it *is* kindof lunchtime isn't it18:29
* morganfainberg feels like he's been up since 4am... oh wait I have ... based on Pacific time18:30
*** harlowja has joined #openstack-keystone18:33
dstanekmorganfainberg: yep18:33
topolmorganfainberg I had lamb kabobs for lunch. They were quite tasty18:34
morganfainbergtopol, nice18:34
morganfainbergtopol, i had ... haven't had lunch yet18:34
topolmorganfainberg, clock out and eat. you need to keep your strength up18:35
morganfainberglol18:35
morganfainbergtopol, i will, just haven't decided *what* I want to eat yet18:35
morganfainbergthats the problem with being out here... too much good stuff18:35
topolmorganfainberg, everything is in walking distance or you have to take your bike?18:36
morganfainbergtopol, in manhattan... i'd say it's all walking - just depends on how much subway is involved for the further distances18:36
topolmorganfainberg, I always go to the Carnegie Deli when I'm there18:37
gyeesamuelms, k, looking18:41
*** gyee_ has joined #openstack-keystone18:42
gabriel-bezerramarekd, dstanek: I'm trying to get it working with the browser before trying to automate it in a script. Could not move forward yet. Did you make any progress? Are you all stuck in the same place as I am: "Unable to establish security of incoming assertion"?18:42
*** gyee_ has quit IRC18:43
dstanekgabriel-bezerra: just prior to going to lunch I started to debug pysaml18:43
gabriel-bezerradstanek: from the documentation, it seems like they invested much more in the SP side. It makes it less surprising if they didn't work to have the IdP side working properly.18:46
*** rushiagr is now known as rushiagr_away18:46
*** ayoung has quit IRC18:46
*** ayoung_ has quit IRC18:46
openstackgerritBrant Knudson proposed openstack/keystone: Avoid multiple instances for a provider  https://review.openstack.org/12459918:47
*** ayoung has joined #openstack-keystone19:00
*** ChanServ sets mode: +v ayoung19:00
*** marcoemorais has quit IRC19:04
*** aix has quit IRC19:04
bknudsonmorganfainberg: you've got a +2 on https://review.openstack.org/#/c/130474/ but not on the parent review19:04
*** marcoemorais has joined #openstack-keystone19:05
gyeesamuelms, commented on the spec, I don't think it's necessary to create a new resource for domain-owned role definitions19:10
gyeethis is essentially the same argument for merging domains with projects19:10
gyeelet's try to keep the paradigm consistent19:10
gyeeI made the same argument to henrynash's spec awhile back19:11
*** amakarov is now known as amakarov_away19:12
samuelmsgyee, well.. not sure I agree19:13
samuelmsgyee, I will mull it19:13
samuelmsgyee, also, let's see what henry thinks19:13
gyeesamuelms, they are essentially "role definitions"19:15
*** ajayaa has quit IRC19:17
*** dims has quit IRC19:17
*** dims has joined #openstack-keystone19:17
samuelmsgyee, well, they're like users and groups I think19:18
samuelmsgyee, domain-roles are groups of roles, and they're namespaced19:18
samuelmsgyee, the only difference between roles/domain-roles and users/groups is that groups cannot contain other groups, but domain-roles can19:19
gyeewell, domains are project groups :)19:20
stevemarrodrigods, gyee, marekd do we have a bug for the k2k signing bug that rodrigods found?19:21
gyeestevemar, I think marekd filed a bug already19:21
*** dims has quit IRC19:21
samuelmsgyee, but at some point users/groups are different from projects/domains19:22
samuelmsgyee, groups have the concept of membership19:22
samuelmsgyee, we think that approach fits better with roles/domain-roles: member roles ...19:23
gyeesamuelms, how's that different from domain-project relationship?19:23
samuelmsgyee, just the way we treat them when managing users on groups19:23
samuelmsgyee, if they really would be the same, we should then put a flag on user's table ? to say that user is in fact a group?19:24
gyeesamuelms, that's a different argument19:25
samuelmsgyee, well .. we have two approaches: one does like we have domain/projects, and other does like groups/users19:25
samuelmsgyee, just to make clear, we're still talking about CRUD of entities (still not discussing about grant api)19:26
gyeeby creating a new resource, we are adding more complexity to the grant APIs for sure19:28
topoldstanek, you still eating lunch or are you watching a repeat of yesterdays Browns-Bengals game on ESPN Classic?19:29
*** marcoemorais has quit IRC19:29
gyeemy understanding is that domain-owned roles are NOT necessarily role definition groups19:29
* topol topol ducks19:29
*** marcoemorais has joined #openstack-keystone19:29
gyeeit may have that restriction initially, but that's not all that they are designed to do19:30
samuelmsgyee, yes I agree. we would then be able to handle user/group on domain/project with role/domain-role19:30
openstackgerritSteve Martinelli proposed openstack/keystone: sync to oslo commit b19af08  https://review.openstack.org/13825319:30
samuelmsgyee, hmm. but they are groups of roles .. if they weren't (i.e just domain-scope roles) I'd agree with you19:30
gyeetopol, don't remind me of the Browns19:30
bknudsonjohnny football!19:31
samuelmsgyee, but they contain other roles, they have membership, as users/groups19:31
* gyee fleshes the money sign19:31
bknudsonmaybe it was a different football -- soccer or australian rules.19:31
topolgyee, I can only assume you lost money betting on them...19:32
gyeesamuelms, they don't contain other roles, they contain the "tags" for the policy APIs19:32
samuelmsgyee, they contain global roles (as you call tags for the policy, but they're roles as we call today) and may also contain other domain-roles19:33
gyeetopol, hell no!19:33
openstackgerritSteve Martinelli proposed openstack/keystone: sync to oslo commit 1cf2c6  https://review.openstack.org/13825319:33
topolgyee, you a browns fan?19:34
gyeetopol, since 198719:34
openstackgerritSteve Martinelli proposed openstack/keystone: sync to oslo commit 1cf2c6  https://review.openstack.org/13825319:34
topolgyee, wow. you and dstanek can commiserate19:34
openstackgerritSteve Martinelli proposed openstack/keystone: sync to oslo commit 1cf2c6  https://review.openstack.org/13825319:34
gyeetopol, for the record, I didn't piss on Modell's grave19:34
topolgyee, thanks for the visual.  Im a Steelers fan19:35
gyeeyeah, they won a few since19:36
openstackgerritSteve Martinelli proposed openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390519:36
*** dims has joined #openstack-keystone19:37
openstackgerritSteve Martinelli proposed openstack/keystone: update sample conf using oslo-config-generator  https://review.openstack.org/13850819:39
gyeesamuelms, no, role to API (in policy.json) is not one to one right now19:39
*** david-lyle is now known as david-lyle_lunch19:39
gyeesamuelms, aren't we going to create a distinct role/tag/whatever for each API in policy.json?19:40
*** zzzeek has joined #openstack-keystone19:41
dstanektopol: back19:41
stevemarrequesting folks to look at https://review.openstack.org/#/c/138253 *and the other 'needed by' changes* to start using oslo.config instead of the old sample generator cc dstanek morganfainberg bknudson19:41
dstanekgabriel-bezerra: it was faster to write the script than to go through the browser a few times :-)19:42
gyeedstanek, I bet Bonnie Kosar still QB for the Browns :)19:42
gyees/still/can still/19:42
topoldstanek, did you see my comments on https://review.openstack.org/#/c/135931/5/specs/kilo/object-dependency-lifecycle.rst19:43
dstanekgyee: i've let the browns know on twitter several times that i'm available19:43
topoldstanek, I seem to be the sole "jerk" that -1 you :-).  So maybe I'm missing something in what you described19:44
dstanektopol: ++19:44
rodrigodsstevemar, gyee marekd regarding the credentials part or mappings using {0}?19:45
*** rwsu has joined #openstack-keystone19:45
samuelmsgyee, I'd like to have one role per api, and call that capability19:45
topoldstanek, was everyone so sick of the DI magic that they are willing to give up on auto wiring?  And just enjoy much more readable code (with manual wiring necessary)?19:45
samuelmsgyee, but that's another story19:45
topoldstanek, I thought you were going to bring to the table a best practices DI structure that had readability and auto-wiring.  But it seemed like the nirvana state was a future and it you were just proposing we go back to a Java like approach with no DI autowiring magic19:47
bknudsonjava has frameworks for di19:48
gyeesamuelms, well, UX is going to suck when you have one role per API, imagine what 'GET /roles' is going to return19:48
dstanektopol: commented on the review19:48
dstanektopol: well, yes and no19:49
dstanektopol: it's not that it's the java way, that's the IoC pattern in general19:49
gyeesamuelms, all I'm saying is that it doesn't matter what we call them, but think about consistency and usability19:50
dstanekone of the problems that led me to write the spec is that i couldn't find what dependencies were actually being constructed19:50
topoldstanek, so what part of what you propose makes you happy? That the code becomes more readable without the DI?19:50
dstanekthey happen because of the import19:50
samuelmsgyee, ok19:50
dstanektopol: more readable, more configurable and more predictable19:51
topoldstanek, I agree. and when you need to add a new one you add it in manually and it looks like the others in the init19:51
gyeerodrigods, good question, I thought stevemar was referring to the signature validation bug19:51
stevemargyee, yes that one19:51
*** nellysmitt has joined #openstack-keystone19:51
bknudsondstanek: for extensions the registration happens on import... not for the core drivers.19:52
dstanektopol: yes at least for now19:52
bknudsonbut then we've got a spec to get rid of extensions.19:52
topoldstanek huge +1 on more readable and more configurable.  Any idea why Keystone put the DI magic in to begin with? They must have thought they were improving something beyond making the code brutally hard for newbies to understand19:52
*** david-lyle_lunch is now known as david-lyle19:53
*** david-lyle is now known as david-lyle_t19:53
*** david-lyle_t is now known as david-lyle19:53
bknudsontopol: https://review.openstack.org/#/c/18395/19:53
dstanektopol: not sure, but morganfainberg or dolphm would probably know19:53
topoldstanek, what could the future look like. (when you say at least for now)19:54
dolphmdstanek: topol: ?19:54
dolphmtopol: oh DI backstory ... don't mind me.19:54
rodrigodsgyee, stevemar think the signature validation one still needs to be reported19:54
bknudsonmaybe we can just revert https://review.openstack.org/#/c/18395/19:55
dolphmtopol: i only wrote DI to win an argument19:55
topoldolphm, I'm all ears. DI backstory plz...19:55
bknudsonso we passed all the drivers to the controllers19:55
topoldolphm, so you added the DI magic and obfuscated the code to win a bet?  Are you  living out the plot to the movie Trading Places???19:56
dolphmtopol: it was better than the alternative19:56
dolphmtopol: i didn't want to let the alternative land19:56
topoldolphm who gave you a dollar to ruin our lives ? :-)19:56
* topol topol forgets dolphm too young for the movie reference19:57
*** jorge_munoz has joined #openstack-keystone19:57
topoldolphm, what was the alternative just curiously?19:57
dolphmtopol: yes, the alternative was too young19:57
gyeeso DIY instead of DI :)19:59
topoldstanek, I appreciate the explanation.  You have a +1 from me. I'm really looking fwd to this change and the magic going away20:02
topoldstanek was it you in the crowd that pushed the bengals player down when he tried to jump in the stands?20:02
bknudsondstanek: does the DI spec require henrynash's no extensions spec? https://review.openstack.org/#/c/133809/20:03
*** zzzeek has quit IRC20:08
dstanekgabriel-bezerra: if their IdP really isn't up to the task what is the easiest IdP to install/configure/use for this?20:12
*** nellysmitt has quit IRC20:16
*** avozza is now known as zz_avozza20:27
*** zz_avozza is now known as avozza20:28
*** DavidHu has quit IRC20:30
*** redrobot has quit IRC20:30
*** vhoward has quit IRC20:30
*** crinkle has quit IRC20:30
*** grantbow has quit IRC20:30
*** telemonster has quit IRC20:30
*** avozza is now known as zz_avozza20:30
*** zz_avozza is now known as avozza20:31
*** DavidHu has joined #openstack-keystone20:31
*** vhoward has joined #openstack-keystone20:31
*** redrobot has joined #openstack-keystone20:31
*** telemonster has joined #openstack-keystone20:31
*** crinkle has joined #openstack-keystone20:31
*** grantbow has joined #openstack-keystone20:31
gabriel-bezerradstanek: I have no idea. All I've used is testshib and this example idp.20:32
dstanekgabriel-bezerra: testshib is a remote service right? nothing to install locally?20:32
gabriel-bezerradstanek: I've never installed an IdP before20:32
gabriel-bezerradstanek: right20:32
gabriel-bezerradstanek: I've even written a script to automate using testshib20:33
dstanekautomate in what way?20:33
gabriel-bezerradstanek: it would register the sp in their idp and another part would also do the authentication20:33
gabriel-bezerradstanek: but I'm not sure they would like to have our jenkins registering themselves and running automated tests tens of times a day20:34
dstanekyeah, i would doubt it20:35
*** amcrn has joined #openstack-keystone20:41
*** marcoemorais has quit IRC20:45
openstackgerritDavid Stanek proposed openstack/keystone-specs: Adds a spec for fixing Keystone's DI  https://review.openstack.org/13593120:45
*** marcoemorais has joined #openstack-keystone20:46
*** zzzeek has joined #openstack-keystone20:50
lbragstadstevemar: ++ on the rechecking_into_submission tag20:51
*** henrynash has joined #openstack-keystone20:52
*** ChanServ sets mode: +v henrynash20:52
stevemari try20:53
*** raildo has quit IRC20:56
*** Shohei_ has joined #openstack-keystone21:00
*** zzzeek_ has joined #openstack-keystone21:00
*** david-ly_ has joined #openstack-keystone21:00
*** Shohei has quit IRC21:01
*** zzzeek has quit IRC21:02
*** topol has quit IRC21:02
*** diegows has quit IRC21:02
*** ekarlso- has quit IRC21:02
*** zzzeek_ is now known as zzzeek21:02
*** david-lyle has quit IRC21:02
*** davechen_ has quit IRC21:02
*** lvh has quit IRC21:02
*** lvh has joined #openstack-keystone21:03
*** davechen_ has joined #openstack-keystone21:04
*** amcrn has quit IRC21:13
*** ekarlso- has joined #openstack-keystone21:15
*** diegows has joined #openstack-keystone21:15
*** topol has joined #openstack-keystone21:16
*** ChanServ sets mode: +v topol21:16
*** thiagop has joined #openstack-keystone21:22
*** diegows has quit IRC21:39
rodrigodsmorganfainberg, ayoung, ok... we need a final +2 so we don't need to revert the change from inherited role assignments to projects: https://review.openstack.org/#/c/130277/21:42
morganfainbergrodrigods, as long as we've addressed dstanek's issues [reading it over now] i don't see why that'll be hard to do21:43
*** topol has quit IRC21:43
openstackgerritgordon chung proposed openstack/keystonemiddleware: documentation for audit middleware  https://review.openstack.org/13034421:44
*** lihkin has joined #openstack-keystone21:46
*** marcoemorais has quit IRC21:46
*** marcoemorais has joined #openstack-keystone21:47
morganfainbergrodrigods, it looks like no functional/code changes21:47
morganfainbergrodrigods, will be needed.21:47
rodrigodsmorganfainberg, yes, we kept the same URLs and so on21:47
rodrigodsthanks morganfainberg and sorry we forgot about the API spec being a requirement of the code itself21:49
openstackgerritMerged openstack/keystone-specs: API doc for Inherited Role Assignments to Projects  https://review.openstack.org/13027721:49
*** openstackgerrit has quit IRC21:50
*** openstackgerrit has joined #openstack-keystone21:50
samuelmshenrynash, ping21:59
*** diegows has joined #openstack-keystone22:02
samuelmshenrynash, I wrote an etherpad describing some ideas on policy/rbac/domain-roles/capabilities22:02
samuelmshenrynash, please take a look and give me your review22:03
samuelmshenrynash, https://etherpad.openstack.org/p/keystone-policy-rbac22:03
stevemarrodrigods, ping22:06
rodrigodsstevemar, hey22:07
stevemarrodrigods, did you ever run into a '"WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Message was signed, but signature could not be verified."' error when doing k2k?22:08
rodrigodsstevemar, yes22:08
rodrigodsstevemar, are you in the mail thread with gyee and marekd ?22:09
rodrigodsI think I described how further I got in that issue22:09
stevemarrodrigods, yep, but this is different from that nullsecurity issue isn't it?22:09
rodrigodsstevemar, I think it's the same issue22:10
rodrigodsstevemar, the NullSecurity policy was how I got through it22:10
*** david-ly_ is now known as david-lyle22:11
rodrigodsstevemar, also... I think the issue dstanek, marekd and gabriel-bezerra are having to set up pysaml2 as IdP is the same22:11
*** DavidHu has quit IRC22:13
*** DavidHu has joined #openstack-keystone22:13
*** marcoemorais has quit IRC22:14
gyeerodrigods, I have had a chance to debug it further yet, I'll dive back into it later today22:15
*** marcoemorais has joined #openstack-keystone22:15
gyees/have/have not/22:15
rodrigodsgyee, great! did you plan any next steps?22:16
gyeeyeah, I'll generate a cert chain, and run it with strace to see where they are loading22:16
rodrigodsgyee, hmm22:19
rodrigodscool, please let us know the outcome :)22:19
gyeesure22:20
dstanekrodrigods: stevemar: the error i get in HTML is 'Unable to establish security of incoming assertion'22:20
rodrigodsdstanek, have you tried to use the NullSecurityPolicy?22:21
rodrigodsdstanek, last note here http://rodrigods.com/playing-with-keystone-to-keystone-federation/22:21
stevemardstanek, rodrigods, is there a separate mail thread for this stuff or just the one we're currently on22:24
rodrigodsstevemar, dstanek I'm in just one thread22:24
dstanekrodrigods: replace this (http://paste.openstack.org/show/151435/) with that?22:24
dstanekstevemar: is there an email thread?22:24
stevemardstanek, yes, i'll add you in!22:25
rodrigodsdstanek, no... the file itself22:25
dstanekrodrigods: ah ok, let me try22:26
rodrigodsdstanek, /etc/shibboleth/security-policy.xml22:26
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct incorrect rst in docstrings  https://review.openstack.org/14192422:28
dstanekrodrigods: that looks very not secure, but seems to work for me22:29
rodrigodsdstanek, yes, it helps to not be blocked in a step for too much time22:30
rodrigodsstevemar, it's confirmed, it's the same issue22:30
dstanekrodrigods: i'm getting a 401 now, but probably means that keystone is not configured properly22:30
rodrigodsdstanek, ++22:30
*** hdd has joined #openstack-keystone22:31
dstanekrodrigods: so after i POST to http://localhost:5000/Shibboleth.sso/SAML2/POST i get redirected back to http://localhost:5000/v3/OS-FEDERATION/identity_providers/pysaml2-idp/protocols/saml2/auth where i get a 40122:33
rodrigodsdstanek, looks like a problem with the mapping/assertion attributes22:33
dstanekrodrigods: looks like i may be getting an AuthMethodNotSupported so maybe federation isn't wired in22:34
rodrigodsdstanek, hmm yeah22:35
*** ncoghlan has joined #openstack-keystone22:35
stevemarrodrigods, if I do: curl -i -X POST -d <saml_assertion> "http://keystone.sp/Shibboleth.sso/SAML2/ECP" -H "Content-Type: application/vnd.paos+xml" it should work right - i shouldn't need to wrap it in all the ECP stuff?22:37
rodrigodsstevemar, it should refuse anything that isn't SOAP in that step22:38
*** htruta_ has joined #openstack-keystone22:39
*** topol has joined #openstack-keystone22:44
*** ChanServ sets mode: +v topol22:44
*** cretz has joined #openstack-keystone22:49
*** henrynash has quit IRC22:50
cretzusing the identity v3 API, what's the recommended way to get all users for a project? I can limit it by role if necessary22:50
rodrigodscretz, one way is GET v3/role_assignments/project_id=X22:51
rodrigodsbut it will return groups as well22:51
cretzah, I should have clarified, I was wanting usernames, not just the user ID's22:51
rodrigodscretz, one way is GET v3/role_assignments?project_id=X22:51
samuelms?22:51
samuelmsrodrigods, yep.. with ? for query_params :)22:51
cretzI can make many calls to /users/ID to get the usernames for each ID22:51
cretzI don't see a way, like with the neutron API, where I can provide column selection or ask for /users w/ the filter by a collection of user ID's22:52
cretzI was wanting to avoid N calls, one per user22:53
*** jaosorior has quit IRC22:53
*** gordc has quit IRC22:53
samuelmscretz, I think there won't be a better way. In Keystone users don't belong to projects22:53
samuelmscretz, so you can't list users of a project22:54
cretzI suppose the question is more of a general "how can I get a collection of users if I have a collection of user ID's from another call, be it group, role, project, etc"22:54
samuelmscretz, you can list users that have any ROLE on a project, i.e a role assignment22:54
cretzright, I have done that successfully...I am afraid I phrased my question wrong...it's more about obtaining collections of user details22:55
*** lihkin has quit IRC22:55
samuelmscretz, if you have a collection of ids, and you want to get a collection of refs (dicts with name, etc) you need to query each one separately22:55
cretzk, thanks22:55
samuelmscretz, np22:55
samuelmsmorganfainberg, could that be useful ? ^22:56
samuelmsmorganfainberg, besides retrieving an entity from its id22:57
samuelmsmorganfainberg, to retrieve a set of entities from a set of ids22:57
samuelms?22:57
openstackgerritDolph Mathews proposed openstack/keystone-specs: Fix RST formatting issues  https://review.openstack.org/14193022:57
*** dims has quit IRC22:58
cretzsamuelms, I believe it could be, an IN clause to the database is better than O(n) HTTP roundtrips IMO22:58
*** packet has quit IRC22:59
samuelmscretz, yes .. that is. but we need to have a concrete use case to implement that23:01
dstanekah, no i have to figure out what my federation prefix should be23:03
*** andreaf has quit IRC23:03
samuelmsdolphm, what about adding automated spell and rst format checks to our keystone-specs ?23:03
*** dims has joined #openstack-keystone23:03
dstaneksamuelms: the format should be checked during rendering23:04
dstaneksamuelms: spelling would be great to add23:04
samuelmsdstanek, yep :) I see a lot of comments on reviews regarding typo23:05
samuelmsdstanek, I always comment like : s/wrong/corrent :p23:05
morganfainbergdolphm, wow that is a big changeset.23:05
samuelmss/corrent/correct23:05
*** charz has quit IRC23:06
richm1dtroyer: stevemar: ping - can you guys throw some weight behind https://bugs.launchpad.net/ubuntu/+source/python-openstackclient/+bug/1393873 ?23:07
uvirtbotLaunchpad bug 1393873 in python-openstackclient "MUCH MUCH NEWER NEEDED" [Undecided,New]23:07
richm1This is one of the main blockers for getting python-openstackclient support (and Keystone v3 support) into puppet-openstacklib et al.23:08
*** charz has joined #openstack-keystone23:09
*** topol has quit IRC23:11
*** henrynash has joined #openstack-keystone23:12
*** ChanServ sets mode: +v henrynash23:12
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add fetch revocations for v2.0  https://review.openstack.org/14193523:19
jamielennoxmorning all23:19
samuelmsmorning lol23:19
*** timcline_ has joined #openstack-keystone23:19
samuelmsjamielennox, just remembered you're based in Australia :-) 10:20 am23:20
jamielennoxsamuelms: brisbane time, so 9:2023:21
*** timcline has quit IRC23:23
*** timcline_ has quit IRC23:24
morganfainbergmorning jamielennox23:24
jamielennoxmorganfainberg: i'm just seeing the abandoning rampage23:25
openstackgerrithenry-nash proposed openstack/keystone-specs: Add support for domain specific roles.  https://review.openstack.org/13385523:25
*** dims has quit IRC23:25
samuelmsjamielennox, cool :-)23:29
dstanekmarekd: gabriel-bezerra: i'm super close now - i just don't see anything coming back to map against23:31
samuelmsdstanek, o/23:32
samuelmsdstanek, don't know exactly where you are .. but I like the super clode :-)23:33
samuelmsclose23:33
dstaneksamuelms: hi23:33
jamielennoxmorganfainberg: i had a pop up saying you wanted to talk about something ksc, but i can't find it in scrollback. what's up?23:35
morganfainbergjamielennox, i need to remember23:38
morganfainbergjamielennox, doh!23:38
morganfainbergjamielennox, i didn't abandon in -specs23:39
morganfainbergbut hit the other repos23:39
morganfainbergjamielennox, you had a bunch, but feel free to re-instate them23:39
samuelmsdstanek, hi .. so finally you're getting pysaml2 to talk to keystone sp properly?23:40
jamielennoxmorganfainberg: yea - that's fine, a lot i feel like we'll need eventually but just aren't pressing enough to push through atm23:40
dstaneksamuelms: mostly, what i don't know is how to tell it to include some attributes in the assertion23:43
samuelmsdstanek, nice! I pinged Gabriel, will ask him to take this point with you :) think he can help23:45
samuelmsdstanek, gotta go home now, will be back in few hours23:45
dstaneksamuelms: sounds good23:45
*** samuelms is now known as samuelms-away23:45
dstanekmaybe this is a mod_shib problem - what do i have to do with attribute-map.xml?23:48
dstanekstevemar: marekd: ^23:48
*** henrynash has quit IRC23:50
gyeedstanek, just add these23:52
gyee<Attribute name="openstack_user" id="openstack_user"/>23:52
gyee    <Attribute name="openstack_roles" id="openstack_roles"/>23:52
gyee    <Attribute name="openstack_project" id="openstack_project"/>23:52
dstanekgyee: won't i need something in the data called openstack_* for those to match against?23:53
*** marcoemorais1 has joined #openstack-keystone23:53
gyeeno23:54
*** marcoemorais has quit IRC23:54
gyeeidp.py look for them23:54
gyeesee keystone/contrib/federation/idp.py23:54
dstanekgyee: where does shib get the data to fill in?23:56
gyeefrom the assertion23:57
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add validate token for v2.0  https://review.openstack.org/14194423:58
gyeedstanek, IdP Keystone stuffs the token data into those attributes23:58
*** avozza is now known as zz_avozza23:59
dstanekgyee: ah, i'm not doing k2k federation - i have a pysaml2 idp setup23:59
gyeeoh23:59
gyeeyou are testing with ADFS?23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!