Monday, 2014-12-22

00:08 *** Lexis has quit IRC
00:14 *** jimbaker has quit IRC
00:18 *** jimbaker has joined #openstack-keystone
00:19 *** jimbaker has quit IRC
00:19 *** jimbaker has joined #openstack-keystone
00:22 *** hdd has joined #openstack-keystone
00:32 *** hichtakk has joined #openstack-keystone
00:34 *** rm_work is now known as rm_work|away
00:36 *** hdd has quit IRC
00:38 *** diegows has joined #openstack-keystone
00:41 *** hichtakk has quit IRC
00:46 *** wanghong has quit IRC
00:47 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Basic AccessInfo plugin  https://review.openstack.org/143338
00:47 *** avozza is now known as zz_avozza
01:06 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Reference identity plugins from __init__.py  https://review.openstack.org/143339
01:10 *** jacer_huawei has joined #openstack-keystone
01:16 *** diegows has quit IRC
01:39 *** stevemar has joined #openstack-keystone
01:39 *** ChanServ sets mode: +v stevemar
01:50 <jamielennox> morganfainberg: here?
02:04 *** chrisshattuck has joined #openstack-keystone
02:09 *** chrisshattuck has quit IRC
02:14 *** diegows has joined #openstack-keystone
02:15 *** jacer_huawei has quit IRC
02:19 *** jacer_huawei has joined #openstack-keystone
02:23 *** oomichi has joined #openstack-keystone
02:26 *** diegows has quit IRC
02:36 *** hdd has joined #openstack-keystone
02:42 *** hichtakk has joined #openstack-keystone
02:49 *** erkules_ has joined #openstack-keystone
02:49 *** erkules has quit IRC
02:50 *** rm_work|away is now known as rm_work
02:53 *** hichtakk has quit IRC
02:59 *** hdd has quit IRC
03:10 *** dims has quit IRC
03:13 *** dims has joined #openstack-keystone
03:22 *** raildo_ has joined #openstack-keystone
03:41 *** dims has quit IRC
03:43 *** rushiagr_away is now known as rushiagr
03:54 *** hichtakk has joined #openstack-keystone
03:59 *** hichtakk has quit IRC
04:01 *** stevemar has quit IRC
04:02 *** stevemar has joined #openstack-keystone
04:02 *** ChanServ sets mode: +v stevemar
04:07 *** hichtakk has joined #openstack-keystone
04:11 *** eglynn-regus has quit IRC
04:12 *** eglynn-regus has joined #openstack-keystone
04:16 *** serverascode____ has quit IRC
04:16 *** mitz has quit IRC
04:18 *** mitz has joined #openstack-keystone
04:18 *** jamiec has quit IRC
04:18 *** serverascode____ has joined #openstack-keystone
04:20 *** jamiec has joined #openstack-keystone
04:21 *** stevemar has quit IRC
04:21 *** stevemar has joined #openstack-keystone
04:21 *** ChanServ sets mode: +v stevemar
04:30 *** hichtakk has quit IRC
04:30 *** hichtakk has joined #openstack-keystone
04:35 *** hichtakk has quit IRC
04:41 *** dims has joined #openstack-keystone
04:44 *** rushiagr is now known as rushiagr_away
04:47 *** dims has quit IRC
05:05 *** crinkle has quit IRC
05:05 *** henrynash has quit IRC
05:05 *** dobson has quit IRC
05:05 *** crinkle has joined #openstack-keystone
05:06 *** xianghui has quit IRC
05:06 *** xianghui has joined #openstack-keystone
05:09 *** vhoward has quit IRC
05:09 *** vhoward has joined #openstack-keystone
05:09 *** redrobot has quit IRC
05:10 *** notmyname_ has joined #openstack-keystone
05:10 *** therve` has joined #openstack-keystone
05:11 *** dobson has joined #openstack-keystone
05:11 *** notmyname has quit IRC
05:11 *** nonameentername has quit IRC
05:11 *** therve has quit IRC
05:11 *** nonameentername has joined #openstack-keystone
05:11 *** notmyname_ is now known as notmyname
05:12 *** redrobot has joined #openstack-keystone
05:12 *** redrobot is now known as Guest87463
05:39 *** hichtakk has joined #openstack-keystone
05:45 *** hdd has joined #openstack-keystone
05:45 *** jamiec has quit IRC
05:45 *** jamiec has joined #openstack-keystone
05:46 *** rushiagr_away is now known as rushiagr
05:46 *** linstatsdr_ has joined #openstack-keystone
05:47 *** linstatsdr__ has joined #openstack-keystone
05:48 *** linstatsdr__ has quit IRC
05:49 *** LinstatSDR has quit IRC
05:50 *** linstatsdr_ has quit IRC
05:51 *** LinstatSDR has joined #openstack-keystone
05:59 *** oomichi has quit IRC
06:02 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/136243
06:06 *** stevemar has quit IRC
06:20 *** eglynn-regus has quit IRC
06:22 *** topol has joined #openstack-keystone
06:22 *** ChanServ sets mode: +v topol
06:52 *** eglynn-regus has joined #openstack-keystone
06:59 *** hdd has quit IRC
07:04 *** raildo_ has quit IRC
07:30 *** k4n0 has joined #openstack-keystone
07:42 *** hichtakk has quit IRC
07:48 *** zz_avozza is now known as avozza
07:58 *** LinstatSDR has quit IRC
08:15 *** jamielennox is now known as jamielennox|away
08:23 *** dorry has quit IRC
08:25 *** topol has quit IRC
08:50 *** dims has joined #openstack-keystone
08:53 *** rm_work is now known as rm_work|away
08:54 *** dims has quit IRC
09:00 *** rm_work|away is now known as rm_work
09:10 <openstackgerrit> wanghong proposed openstack/keystone: fix wrong self link in the response of endpoint_groups API  https://review.openstack.org/143403
09:18 *** ChanServ sets mode: +o dolphm
09:41 <openstackgerrit> wanghong proposed openstack/keystonemiddleware: support micro version if sent  https://review.openstack.org/130916
09:44 *** rm_work is now known as rm_work|away
10:10 *** aix has joined #openstack-keystone
10:12 *** nellysmitt has joined #openstack-keystone
10:34 *** Lexis has joined #openstack-keystone
10:57 *** toddnni has quit IRC
11:01 *** tristanC has quit IRC
11:02 *** tristanC has joined #openstack-keystone
11:03 *** toddnni has joined #openstack-keystone
11:06 *** tristanC has quit IRC
11:07 *** diegows has joined #openstack-keystone
11:07 *** tristanC has joined #openstack-keystone
11:45 *** dims has joined #openstack-keystone
11:47 *** Lexis has quit IRC
11:52 *** Lexis has joined #openstack-keystone
11:52 *** Lexis has quit IRC
11:58 *** dims has quit IRC
12:02 *** avozza is now known as zz_avozza
12:02 *** zz_avozza is now known as avozza
12:02 *** fifieldt__ has quit IRC
12:07 *** fifieldt has joined #openstack-keystone
12:18 *** dims has joined #openstack-keystone
12:33 *** Lexis has joined #openstack-keystone
12:39 *** dims_ has joined #openstack-keystone
12:42 *** dims has quit IRC
13:13 *** dims_ has quit IRC
13:13 <breton> are we going to have a meeting this Tuesday?
13:17 *** dims has joined #openstack-keystone
13:17 *** Lexis has quit IRC
13:18 *** avozza is now known as zz_avozza
13:24 *** henrynash has joined #openstack-keystone
13:24 *** ChanServ sets mode: +v henrynash
13:42 *** ayoung has joined #openstack-keystone
13:42 *** ChanServ sets mode: +v ayoung
13:50 *** LinstatSDR has joined #openstack-keystone
14:01 *** topol has joined #openstack-keystone
14:01 *** rushiagr is now known as rushiagr_away
14:01 *** topol is now known as Guest96600
14:01 *** Guest96600 has quit IRC
14:04 <lbragstad> breton: It doesn't look like there is much on the schedule https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
14:04 <lbragstad> breton: but morganfainberg will have to make the call on that
14:18 <breton> I have a number of topics I want to discuss about my alembic stuff
14:18 <breton> and I'm not sure that I can do it here, out of the meeting
14:18 *** larsks|alt is now known as larsks
14:18 <breton> (and I have a bp that I think can be no-spec)
14:26 *** dims has quit IRC
14:26 *** amakarov_away is now known as amakarov
14:30 *** jungleboyj has quit IRC
14:31 *** dims has joined #openstack-keystone
14:39 *** zz_avozza is now known as avozza
14:43 *** raildo_ has joined #openstack-keystone
14:45 *** raildo has joined #openstack-keystone
14:48 *** gordc has joined #openstack-keystone
14:49 *** avozza is now known as zz_avozza
14:57 *** jaosorior has joined #openstack-keystone
15:01 *** topol has joined #openstack-keystone
15:01 *** ChanServ sets mode: +v topol
15:14 *** rushiagr_away is now known as rushiagr
15:21 *** jungleboyj has joined #openstack-keystone
15:23 *** stevemar has joined #openstack-keystone
15:23 *** ChanServ sets mode: +v stevemar
15:27 <dstanek> morning
15:28 *** ayoung has quit IRC
15:36 <raildo> morning
15:38 *** jorge_munoz has joined #openstack-keystone
15:38 *** henrynash has quit IRC
15:38 *** henrynash_ has joined #openstack-keystone
15:38 *** ChanServ sets mode: +v henrynash_
15:40 *** zz_avozza is now known as avozza
15:47 *** EmilienM is now known as EmilienM|afk
15:55 *** topol has quit IRC
15:57 *** hdd has joined #openstack-keystone
15:58 <lbragstad> marekd: not sure if you've seen the response here or not? https://review.openstack.org/#/c/130376/19
16:00 <lbragstad> marekd: wondering if you have input
16:04 *** ayoung has joined #openstack-keystone
16:05 *** ChanServ sets mode: +v ayoung
16:07 <openstackgerrit> Merged openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/131541
16:08 <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/139824
16:09 <marekd> lbragstad: i am looking at it.
16:09 <lbragstad> ok
16:11 <marekd> lbragstad: he still didn't say anything about how to handle information between two authN calls
16:12 <marekd> lbragstad: i am curious if it's already in the library or somewhere in Keystone.
16:13 <lbragstad> marekd: so the session question?
16:13 <marekd> lbragstad: yes
16:14 <lbragstad> hmmm
16:14 <lbragstad> marekd: I think that could be done a couple ways
16:15 <lbragstad> if a user who has MFA enabled tried to authenticate for a token, keystone could return a "partial" token that the user would have to provide back to Keystone with the otp-password
16:16 <lbragstad> or, it could all be made in the same request.
16:16 <marekd> lbragstad: yes, but I think it's important enough to mention it in the spec :-)
16:17 *** chrisshattuck has joined #openstack-keystone
16:17 <lbragstad> marekd: would you think there is anything wrong with those two solutions?
16:18 <marekd> lbragstad: not at all.
16:18 <marekd> lbragstad: werner is not you, right? :p
16:18 <lbragstad> lol
16:18 <lbragstad> nope
16:18 <marekd> :-)
16:19 <lbragstad> but he is out for the holidays
16:19 <marekd> lbragstad: i think your ideas are fine, but I don't know how werner wants to accomplish it. And he wants to use some 3rd party library
16:19 <marekd> and i don't know the lib's interface so i don't know if it's doable in an easy way.
16:20 <marekd> that's why i asked him to explain what his plan is.
16:20 <lbragstad> by library you mean something to manage the sessions
16:20 <lbragstad> ?
16:20 <lbragstad> correct?
16:20 <marekd> lbragstad: i mean anything that will handle MFA
16:20 <marekd> including TOTP etc.
16:22 *** avozza is now known as zz_avozza
16:22 <marekd> lbragstad: hmm, i thought i had seen something mentioning use of external libraries.
16:23 <lbragstad> marekd: I think the idea nonameentername (werner) had initially was to write a new auth plugin that would implement the TOTP implementation
16:23 <marekd> lbragstad: uuu :(
16:23 <marekd> lbragstad: do you think it is safe? I don't know TOTP
16:23 <marekd> lbragstad: but it looks like another algorithm heavily dealing with security, randomness and crypto
16:24 <lbragstad> https://tools.ietf.org/html/rfc6238
16:25 <lbragstad> I know I've seen examples of it written in python,
16:25 <lbragstad> trying to dig those up
16:25 *** thedodd has joined #openstack-keystone
16:28 <marekd> lbragstad: ok, so he wants to have 2 authn plugins: 'password' and 'otp-password'. 'password' would have to handle both standard authn (so, user/password only) as well as the first half of MFA, whereas otp-password would handle this 'possession' code, right?
16:28 <lbragstad> "password" would be the existing password auth plugin
16:29 <marekd> lbragstad: did you see his comment from line 205 ?
16:29 <marekd> lbragstad: looks like he wants to inherit from auth.plugins.Password
16:30 <lbragstad> the plugin for otp-password could inherit from password if they share similar logic
16:30 <marekd> lbragstad: ok, let me try to clarify.
16:31 *** dims has quit IRC
16:31 <marekd> lbragstad: so, he wants to keep the classic user/password authN workflow, right?
16:31 <lbragstad> marekd: correct, this would be an opt-in type of feature
16:31 *** dims has joined #openstack-keystone
16:31 <lbragstad> MFA wouldn't be something that is on by default
16:31 <marekd> and have MFA only for certain domains/projects.
16:32 <marekd> lbragstad: correct.
16:32 <marekd> lbragstad: so, in MFA we have 2 stages: the user provides user/password, and in another request provides some TOTP code.
16:32 <marekd> it's possible we have two separate HTTP calls (it's not mentioned in the spec so I assume this is a valid use-case)
16:33 *** chrisshattuck has quit IRC
16:34 <marekd> so, what i am saying is that it may be easier to have one plugin for the 1st MFA authN stage, and call the driver otp-password (and specify this method in the token), and a second one, e.g. otp-code
16:34 <marekd> instead of using one authn method 'password' and trying to combine both MFA stage 1 and classic user/pass authentication.
16:34 <marekd> because it will complicate the plugin's logic.
16:35 *** chrisshattuck has joined #openstack-keystone
16:36 <lbragstad> marekd: so you'd suggest using one auth plugin for all otp related calls?
16:37 <lbragstad> marekd: and leave the current password auth plugin untouched?
16:37 <marekd> i'd suggest leaving auth method 'password' alone, because my understanding is that Werner wants to use this auth method to handle both user/pass authN AND stage 1 of MFA.
16:37 <marekd> lbragstad: exactly.
16:38 <lbragstad> makes sense,
16:38 <lbragstad> I understand that.
16:39 <marekd> lbragstad: unless i misunderstood something, i don't see any clear way to distinguish between classic authN and MFA. How is the plugin going to know that? checking if the project/domain the user is scoping to has some flag "MFA" set to True?
16:39 <openstackgerrit> Julien Danjou proposed openstack/keystonemiddleware: Use oslo.utils to validate boolean string  https://review.openstack.org/143488
16:39 *** chrisshattuck has quit IRC
16:39 <marekd> IMHO this should be an alternative authN workflow, so let's not mix it with other authN methods.
16:39 <lbragstad> marekd: I think the idea was that the user would have the flag
16:40 <marekd> flag where..in the request?
16:41 <lbragstad> marekd: no, on the resource
16:41 <lbragstad> marekd: so an admin could enable MFA on a user, project, or domain
16:41 <lbragstad> that part is in the first couple paragraphs of 'Proposed Change'
16:41 <marekd> lbragstad: yes, i know that.
16:41 <lbragstad> as well as the 'Work Items'
16:42 <marekd> lbragstad: the question is if we want the Password plugin to query for the project and only then see if it's MFA or not?
16:44 *** zz_avozza is now known as avozza
16:44 <lbragstad> marekd: we do some calls like that in the current password plugin
16:45 <lbragstad> marekd: I guess it would be similar to asserting the domain is enabled before authenticating: https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/password.py#L45
16:48 <openstackgerrit> ayoung proposed openstack/keystone-specs: Fetch policy.json from server  https://review.openstack.org/134655
16:48 <openstackgerrit> ayoung proposed openstack/keystone-specs: Policy rules managed from a database  https://review.openstack.org/133814
16:48 <openstackgerrit> ayoung proposed openstack/keystone-specs: unified policy file  https://review.openstack.org/134656
16:48 <openstackgerrit> ayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient  https://review.openstack.org/133480
16:48 <openstackgerrit> ayoung proposed openstack/keystone-specs: Default Policy  https://review.openstack.org/134657
16:49 <marekd> lbragstad: ok, so let's say for the 1st stage we use the 'password' method. some inherited plugin is fired, user/pass is checked and it looks like MFA is required for project 'X'. What next?
16:49 <marekd> Another branch in the flow?
16:49 *** jell has joined #openstack-keystone
16:49 <marekd> if mfa_required: return self._mfa_1st_stage_response()
16:50 <openstackgerrit> Julien Danjou proposed openstack/keystonemiddleware: Use oslo.utils to validate boolean string  https://review.openstack.org/143488
16:51 <lbragstad> marekd: so that would give the user trying to authenticate a "session id"
16:52 <lbragstad> marekd: something they can use to combine with their otp (hmac or time based) to finish the authentication process.
16:53 <marekd> lbragstad: okay. and this session id would be stored in keystone's SQL/LDAP with expiration set to ...say 5 minutes?
16:53 <ayoung> marekd, my thought is that MFA should be enforced on the endpoint, and not be based on the token
16:53 <ayoung> who cares how many forms of authentication I show when I get the token if the token then gets stolen?
16:53 <lbragstad> marekd: sure
16:53 <marekd> ayoung: endpoint like nova?
16:53 <ayoung> yes
16:53 <lbragstad> marekd: I think that could be more of an implementation detail
16:54 <ayoung> marekd, use the token-binding feature
16:54 <ayoung> so use kerberos to get the token, then enforce endpoint binding to that same principal
16:54 <marekd> ayoung: it's not my bp. but feel free to state your opinions here https://review.openstack.org/#/c/142591/
16:54 <ayoung> add in a second form of auth
16:54 <marekd> ayoung: ++
16:54 <ayoung> marekd, I've been saying this all along.
16:55 <marekd> ayoung: i know
16:55 <ayoung> Not going to derail, as I just don't care that much
16:55 <ayoung> :)
16:55 <marekd> ayoung: sure :-)
16:55 <marekd> ayoung: i remember our discussions from Paris - well, IMHO what you suggest is simply plans for OpenStack2 with the authN/authZ model completely changed.
16:55 <ayoung> marekd, but the endpoint needs to specify the factors required, and if they are not present in the token or context, the operation is denied.  Go back to Keystone and get a new token
16:56 *** gyee has joined #openstack-keystone
16:56 *** ChanServ sets mode: +v gyee
16:57 <marekd> lbragstad: i assume keystone would return some JSON with session-id and auth method set to 'password'. ksc now needs some logic again to distinguish that this is a part of MFA, so it's not a token itself.
16:58 <lbragstad> right
16:58 <ayoung> lbragstad, I would say that, assuming the heavy lifting with crypto is done in Apache HTTPD, the user would request a token with one form of auth, and then request a second token with the first + the new form of auth
16:58 *** avozza is now known as zz_avozza
16:58 <ayoung> I don't know if Keystone should direct the user through this process.
16:58 <marekd> lbragstad: as much as i understand that we may want to standardize the process, i foresee some branches just because we combine a few somewhat similar workflows, that are not that similar :/
16:59 <ayoung> How would a user know that they need MFA?  I would assume that would be an endpoint specific policy requirement
16:59 <marekd> lbragstad: that's why i asked Werner to be more specific here and there.
17:00 <lbragstad> from what i understand, mfa is something that is enabled on an account
17:00 *** openstack has joined #openstack-keystone
17:01 <lbragstad> marekd: I think that is the case where having the otp password plugin inherit from password would be more helpful
17:02 <marekd> lbragstad: there, yes.
17:02 <lbragstad> since it has everything in the request to do both
17:02 <lbragstad> carrying the logic specific to otp in the otp-password auth plugin
17:02 <marekd> i don't mind if he inherits classes or not. I do mind if he wants to mix authentication flows :-)
17:02 <marekd> lbragstad: does werner work with you ?
17:02 <marekd> in RAX, TX?
17:03 *** lbragstad has quit IRC
17:03 *** jacorob has quit IRC
17:06 *** jacorob has joined #openstack-keystone
17:07 *** lbragstad has joined #openstack-keystone
17:07 <marekd> lbragstad: if we are going to use only one HTTP call 'password' may be fine.
17:08 <lbragstad> ok
17:08 <marekd> lbragstad: but i think the client will need to specify the other auth plugin either way.
17:08 <marekd> lbragstad: all in all, the client will need to know if it needs to specify a TOTP code for project X or not.
17:09 *** zzzeek has joined #openstack-keystone
17:09 <marekd> I'd also mention that the user will be informed that MFA is required, and not only an HTTP 401 raised with the vague message "Cannot authenticate".
17:10 <lbragstad> marekd: yeah, i'd assume that would be done too
17:10 <marekd> lbragstad: ok.
17:11 <marekd> are you somehow tied to this bp? You want to start implementing it now?
17:12 <openstackgerrit> ayoung proposed openstack/keystone: default policy  https://review.openstack.org/140113
17:13 <marekd> lbragstad: ok, i need to go for now.
17:13 <marekd> in fact i am on holiday too :-)
17:13 *** k4n0 has quit IRC
17:14 <lbragstad> marekd: no, i just told nonameentername that I'd keep an eye on it
17:15 <lbragstad> marekd: figured I'd check in and see if there was any way that I could clear up your questions, not sure if i did though ;)
17:16 <lbragstad> marekd: enjoy your holiday!
17:18 <openstackgerrit> Jorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers  https://review.openstack.org/140175
17:19 *** ayoung has quit IRC
17:19 *** gyee has quit IRC
17:19 *** EmilienM|afk is now known as EmilienM
17:20 *** raildo has quit IRC
17:20 *** raildo_ has quit IRC
17:23 <openstackgerrit> Jorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers  https://review.openstack.org/140175
17:30 <amakarov> stevemar, hi! Can you please look at https://review.openstack.org/#/c/141854/ ? I really have concerns about my solution and your thoughts as an author would be most welcome.
17:36 *** gyee has joined #openstack-keystone
17:36 *** ChanServ sets mode: +v gyee
17:42 *** EmilienM is now known as EmilienM|afk
17:43 *** nellysmitt has quit IRC
17:44 *** jungleboyj has quit IRC
17:53 *** pcaruana has quit IRC
17:55 *** jorge_munoz has left #openstack-keystone
17:58 *** lhcheng has joined #openstack-keystone
18:00 <morganfainberg> unless anyone has any complaints i'm releasing ksc 1.0.1 to include the fix bknudson rolled up late last week
18:00 <morganfainberg> erm
18:00 <morganfainberg> middleware 1.3.1 not ksc
18:01 *** dims has quit IRC
18:02 *** dims has joined #openstack-keystone
18:03 *** abhirc has joined #openstack-keystone
18:06 <morganfainberg> marekd, as a point i disagree with ayoung - making the MFA token only enforced on the endpoint simply makes for an awful UX - and it breaks *how* people use MFA today
18:06 *** dims has quit IRC
18:06 <morganfainberg> marekd, if i'm reading his suggestion, where the token doesn't include the MFA? /me isn't clear on that
18:07 * morganfainberg admits to maybe misreading the suggestion
18:08 *** hichtakk has joined #openstack-keystone
18:11 <amakarov> morganfainberg, greetings! I have a revocation fix we discussed last week: https://review.openstack.org/#/c/141854/, can you please review it? I'm not sure about the notification logic.
18:12 <morganfainberg> amakarov, i am reading it now. yeah not sure about the logic there atm, is where i'm spending time.
18:12 <morganfainberg> i'll def. post what I see/think
18:14 <amakarov> morganfainberg, btw if we want non-persistent AE tokens, do we need revocation rewritten?
18:14 <morganfainberg> amakarov, not totally re-written, minor changes.
18:14 <morganfainberg> amakarov, most of the revocation event work has been done
18:16 <amakarov> morganfainberg, I'd like to see indexing there. For now the revocation engine doesn't look well-done to me. IMHO, of course :)
18:16 <morganfainberg> amakarov, the revocation events are fine - the revocation list is awful
18:17 <morganfainberg> amakarov, revocation events need some cleanup but aren't terrible (it's complex, hence the need to cleanup)
18:17 <amakarov> morganfainberg, ++ I'm talking about the list :)
18:17 <morganfainberg> amakarov, the list for non-persistent tokens will need to be removed.
18:17 <morganfainberg> not re-written
18:17 <morganfainberg> we will only rely on the events in that case
18:18 <amakarov> morganfainberg, I see
18:19 <morganfainberg> since we won't be able to search all tokens for information in them. we don't have them stored anywhere
18:19 <morganfainberg> the whole point of revocation events is to replace the token revocation list
18:19 <morganfainberg> with something waaaaay better
18:21 <morganfainberg> and something that works in the case we don't have a canonical list of tokens to scrub through to revoke things based on "user-id" or "group-id" etc
18:27 <amakarov> morganfainberg, about stored events: if we want events-based token validation, we need a way to find out quickly if there is a corresponding event stored. To do so we need some sort of indexing, and as far as I see, we have none for now.
18:28 <morganfainberg> amakarov, we have that in the revocation events backend.
18:28 <morganfainberg> amakarov, trust me, it's there - it is complex, is what it's doing.
18:28 <morganfainberg> amakarov, there are some re-writes we need to do
18:30 <amakarov> morganfainberg, well, there'll always be a place for wonders in this world! I'll consider it magic :)
18:30 *** jorge_munoz has joined #openstack-keystone
18:32 *** hichtakk has quit IRC
18:33 <morganfainberg> amakarov, it builds a tree of the events then does an iteration through the tree to find matches, if it matches - we are revoked
18:33 <morganfainberg> https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/model.py#L117
18:33 <morganfainberg> amakarov, it's way too complex.
18:33 <morganfainberg> amakarov, but it does handle things fairly well
18:34 <amakarov> morganfainberg, np, I have some computer science background :)
18:34 <morganfainberg> amakarov, it's not the CS background that bothers me - it's that it's *very* hard to read the code and get a good understanding
18:34 <morganfainberg> amakarov, the CS side helps, but it isn't very maintainable in python as is
18:35 *** jorge_munoz has quit IRC
18:35 <amakarov> morganfainberg, so the task is to simplify the code?
18:35 <morganfainberg> amakarov, that's part of it. there are some edge cases it doesn't catch yet
18:35 *** thedodd has quit IRC
18:35 <morganfainberg> amakarov, we have a simplified version, we just need to dredge it up - it *might* actually cover the edge cases we fall over with now.
18:36 <amakarov> morganfainberg, is it in code-review state? Where can I look for it?
18:37 <morganfainberg> amakarov, ayoung has it. he has an alternative version, and i'm sure would be happy for help to make it "ready for use" - we've discussed the simplification a lot
18:38 <morganfainberg> the other issue is that with the tree we're hitting slowdown due to hashtable key lookups in the dicts
18:38 <morganfainberg> so his other version should help there (some) at least
18:39 <morganfainberg> amakarov, i'd be happy for you to take on the simplification work if you want.
18:39 <amakarov> morganfainberg, thanks, I'll ask him about it. 1 more thing: https://review.openstack.org/#/c/140681/ - it's an HA quick fix with +2 from Dolph :)
18:40 *** dims has joined #openstack-keystone
18:40 <morganfainberg> amakarov, i'm sure ayoung would be too. I just don't want to have you duplicate work if you don't need to :) [though it might be just asking ayoung and being told "oh yeah the old one isn't really usable anymore"]
18:41 <amakarov> morganfainberg, ++ competition will not work here
18:41 *** stevemar has quit IRC
18:42 <morganfainberg> amakarov, :) glad you see where i'm coming from here
18:45 <amakarov> morganfainberg, I saw the trust redelegation spec merged - the implementation is ready and waiting :)
18:45 <morganfainberg> yay!
18:46 <morganfainberg> yeah i wanted to make sure the spec changes landed first
18:46 <morganfainberg> before blessing/reviewing the code too much in depth.
18:46 <morganfainberg> you know in case things changed
18:47 <amakarov> morganfainberg, me too, but I couldn't wait and implemented it :)
18:47 <morganfainberg> amakarov, and i don't blame you. it wasn't likely to change much
18:48 <morganfainberg> amakarov, thanks for working on this.
18:50 *** harlowja has joined #openstack-keystone
18:50 <amakarov> morganfainberg, np - Heat guys will owe me a cake for it :)
18:50 <morganfainberg> amakarov, hah nice!
18:50 <morganfainberg> amakarov, enjoy an extra big slice for me while you're at it
18:52 <amakarov> morganfainberg, of course I shall :)
18:52 *** thedodd has joined #openstack-keystone
18:57 <lbragstad> dstanek: around?
18:57 <lbragstad> dstanek: http://pastebin.ca/2891092
18:58 <lbragstad> dstanek: that is pretty much your WIP branch, but I tried to make it so that we could use the other attributes in _keywords to generate the schema
18:58 <lbragstad> dstanek: kind of? idk, metaprogramming makes my head hurt
18:59 *** rushiagr is now known as rushiagr_away
19:01 *** amakarov is now known as amakarov_away
19:10 *** ayoung has joined #openstack-keystone
19:10 *** ChanServ sets mode: +v ayoung
morganfainberglbragstad, makes a lot of people's heads hurt19:11
lbragstadmorganfainberg: ++19:11
morganfainberglbragstad, you may want to look even more closely at descriptors19:12
lbragstadmorganfainberg: it's taken me about two days to reverse engineer what dstanek did in ~80 LOC19:12
morganfainberglbragstad, they may *actually* be what you're looking for19:12
lbragstadmorganfainberg: yeah, I doubt we're done investigating19:12
morganfainbergok i'm off to get coffee... FYI gate is broken. pip 619:13
morganfainbergi think i'm going to release middleware post coffee. but with gate broken i'm a little hesitent19:13
*** hdd has quit IRC19:14
openstackgerritayoung proposed openstack/keystone-specs: API changes for explicit unscoped  https://review.openstack.org/14351519:19
bretonHello, I'm again with those db migrations.19:21
bretonAs we know, Alembic doesn't have db_sync(version, ...) method, it has separate upgrade/downgrade and also a bunch of other useful stuff19:21
bretonTo change that I have a bp -- https://blueprints.launchpad.net/keystone/+spec/cli-db-commands .19:21
bretonDo I need a spec for that?19:21
ayounglbragstad, when you can context switch, want to chat about https://review.openstack.org/#/c/142847/  registry of token formats?19:21
ayoungbreton, I started one19:22
bretonayoung: you started a spec for alembic19:22
ayoungbreton, https://review.openstack.org/#/c/131531/  please take it over and run with it19:22
ayoungIts all yours.  Really19:22
lbragstadayoung: sure, trying to wrap up some jsd stuff quick19:23
*** stevemar has joined #openstack-keystone19:23
*** ChanServ sets mode: +v stevemar19:23
bretonayoung: and I'm talking about changing/adding cli commands19:23
bretonayoung: also, no spec is required for alembic, so you spec can be safely abandoned, I think19:24
breton*your19:24
ayoungbreton, no spec is required for alembic" according to whom?  I think you will find the Keystone core disagrees with you on that.19:27
bretonayoung: according to morganfainberg -- https://blueprints.launchpad.net/keystone/+spec/alembic19:28
morganfainbergayoung, i think we can put it on the list to consider as an exception19:29
morganfainbergbut we did say it doesn't *really* need a spec based on IRC meetings19:29
morganfainbergor at least IRC conversation(s).19:29
bretonbut I suggest to forget alembic for a second19:30
ayoungIt needs a spec.  Look at all the details in mine about how to make them work together.  There should not be a separate set of CLI operations either19:30
morganfainbergayoung, sure not different cli options.19:32
bretonayoung: I suggest not to use a separate set of cli operations, but a set of new operations, that will comply with migration_cli from oslo.db19:33
ayoungmorganfainberg, actually, I see now what he is proposing.  It should all be one spec19:33
morganfainbergayoung, yes - if anything.19:33
ayoungbreton, add that to my spec.  Alembic is going to need those operations to be usable,  but they don't make sense without alembic19:34
ayoungGerrit and Launchpads decisions to log me out randomly raise my stress level unnecessarily19:34
morganfainbergayoung, you have multiple windows open and crossing sessions19:35
*** hichtakk has joined #openstack-keystone19:35
morganfainbergayoung, might need to close windows/tabs19:35
ayoungmorganfainberg, no, need to change the SSO mechanism for Gerrit19:35
ayoungso it is somethjing that doesn't suck19:35
morganfainbergayoung, it wont change with the new SSO, other SSOs do the same thing.19:35
morganfainbergit's not *just* the SSO system.19:36
ayoungI know one that doesn't....19:36
ayoung:)19:36
morganfainbergayoung, it is likely a gerrit-ism too19:36
morganfainbergand no it wont be IPA19:36
morganfainbergor ipsilon..or whatever :P19:36
morganfainbergat least to start.19:36
ayoungI can dream, can't I?19:36
morganfainbergi dunno, ;)19:36
morganfainbergayoung, i think it has potential to head there eventually19:37
ayoungmorganfainberg, did we  back off on the "submit a stub of the spec first and the full thing later" approach we were shooting for, oh, 4 months ago?19:37
morganfainbergbut they're using the PHP thing for now since it starts.19:37
morganfainbergand it's running19:37
morganfainbergi've been pushing for something else as soon as we can though.19:38
morganfainbergayoung, yes we did, if you're submitting a stub of a spec and it's not in backlog it's getting marked up19:38
morganfainbergayoung, putting it tagged to a release if we're not completing the spec in full.19:39
ayoungAh..backlog, that's it19:39
morganfainbergayoung, :)19:39
ayoungshould I move Alembic there, or is breton going forward with it?19:39
morganfainbergayoung, dunno.19:40
*** afaranha has joined #openstack-keystone19:40
morganfainbergayoung, i'd ask brenton19:41
morganfainbergayoung, breton19:41
morganfainbergayoung, if he's taking on the cli stuff, and everything else, sure. if he's not, then push to backlog.19:41
ayoungbreton, ?  that is for you.  If you are actively working on it, please claim the spec, otherwise I'm going to backlog it19:42
morganfainbergayoung, and i removed my comment about non-spec stuff on the bp19:44
ayoung++19:44
bretonok, will clai,19:44
*** nellysmitt has joined #openstack-keystone19:44
breton*will claim19:44
ayoungbreton, thanks a bunch19:45
ayoungmorganfainberg, I'll check with dchadwick about the SQL-Policy stuff.  If that is not going to be submitted in time for this release, I'll backlog that as well19:45
morganfainbergayoung, ++19:46
bretonerr, where is the button for it?19:46
*** nellysmitt has quit IRC19:49
ayoungbreton, HA!19:51
ayoungbreton, it's git now19:51
ayounggo and check out the spec using git review -d19:51
bretonoh, ok19:52
ayoungbreton, SQL-A to Alembic is going to be a tricky transition, and I'm more than willing to help you walk through the process19:52
bretonayoung: that's why I was talking about oslo.db's migration_cli19:53
bretonhelping to migrate from sa-m to Alembic is what it does19:53
ayoungbreton, yeah, but we need to support the intermediate states of SQL-A too19:53
breton(or at least tries to)19:53
ayoungAh19:53
ayoungcoolness....I wonder if it will be sufficient.19:54
ayoungWe have a few things in non-main repos.19:54
ayoungthe extensions have their own19:54
bretonayoung: yep, I already coded stuff for that19:55
bretonthat's why I wanted to have migration_cli first and Alembic after it.19:55
*** jungleboyj has joined #openstack-keystone19:57
*** jorge_munoz has joined #openstack-keystone20:02
ayoungbreton, awesome20:04
ayoungshould simplify that spec significantly20:04
*** hichtakk has quit IRC20:07
*** hichtakk has joined #openstack-keystone20:07
openstackgerritayoung proposed openstack/keystone: Unscoped to Scoped only  https://review.openstack.org/14259120:10
openstackgerritayoung proposed openstack/keystone: Explicit Unscoped  https://review.openstack.org/14252120:10
openstackgerritJorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers  https://review.openstack.org/14017520:12
*** rm_work|away is now known as rm_work20:13
openstackgerritayoung proposed openstack/keystone: policy refactoring  https://review.openstack.org/14196920:14
ayoungdhellmann, care to reverse the -1 on https://review.openstack.org/#/c/142813/  as the spec has been approved?20:14
openstackgerritayoung proposed openstack/keystone: policy exception handling  https://review.openstack.org/14220720:16
openstackgerritayoung proposed openstack/keystone: policy exception handling  https://review.openstack.org/14220720:17
*** hichtakk has quit IRC20:17
*** rm_work is now known as rm_work|away20:20
openstackgerritAndre Aranha proposed openstack/keystone: policy refactoring  https://review.openstack.org/14196920:20
afaranhaayoung, Sorry, I didn't see your commit :P20:22
ayoungafaranha, no problem, it was just a rebase.  I only cleaned up the formatting of the commit message20:22
ayoungafaranha, I'm just trying to clean up all my -1s before taking off for the week.20:23
ayoungafaranha, which is futile right now anyway since it looks like the gate is broken20:24
*** hichtakk has joined #openstack-keystone20:25
afaranhaayoung, I started my holidays friday, I'm just fixing the policies :)20:25
ayoungafaranha, one more day for me20:25
afaranhaayoung, do you know when the gate is gonna be fixed? Today or friday?20:26
ayoungnope20:27
*** EmilienM|afk is now known as EmilienM20:34
openstackgerritSteve Martinelli proposed openstack/identity-api: Include a link to keystone-specs in the README  https://review.openstack.org/14353020:36
*** afaranha has quit IRC20:55
*** harlowja_ has joined #openstack-keystone20:58
*** raildo has joined #openstack-keystone21:00
*** harlowja has quit IRC21:00
*** raildo_ has joined #openstack-keystone21:00
*** LinstatSDR has quit IRC21:04
*** hichtakk has quit IRC21:11
*** hichtakk has joined #openstack-keystone21:11
*** jorge_munoz has quit IRC21:17
*** dims has quit IRC21:20
*** dims has joined #openstack-keystone21:21
*** dims has quit IRC21:23
*** dims has joined #openstack-keystone21:23
rodrigodsayoung, oslo.policy graduation: what's next step?21:24
rodrigodsmorganfainberg, ^21:24
*** nellysmitt has joined #openstack-keystone21:45
*** nellysmitt has quit IRC21:50
*** hichtakk has quit IRC21:53
*** hichtakk has joined #openstack-keystone21:53
*** rm_work|away is now known as rm_work22:01
*** nellysmitt has joined #openstack-keystone22:01
*** LinstatSDR has joined #openstack-keystone22:03
*** rm_work is now known as rm_work|away22:06
*** rm_work|away is now known as rm_work22:07
*** nellysmitt has quit IRC22:08
*** harlowja_ has quit IRC22:21
*** jamielennox|away is now known as jamielennox22:22
*** raildo has quit IRC22:22
*** raildo_ has quit IRC22:23
*** diegows has quit IRC22:28
*** diegows has joined #openstack-keystone22:29
*** hdd has joined #openstack-keystone22:34
*** gordc has quit IRC22:38
*** EmilienM is now known as EmilienM|afk22:38
*** Guest87463 is now known as redrobot_away22:48
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095422:51
openstackgerrithenry-nash proposed openstack/keystone: My First ABAC: An example alternative assignments engine  https://review.openstack.org/14355722:51
*** hichtakk has quit IRC23:19
*** hichtakk has joined #openstack-keystone23:19
openstackgerrithenry-nash proposed openstack/keystone: My First ABAC: An example alternative assignments engine  https://review.openstack.org/14355723:21
*** andreaf has quit IRC23:23
*** andreaf has joined #openstack-keystone23:23
*** henrynash_ has quit IRC23:34
*** dims has quit IRC23:35
*** stevemar has quit IRC23:45

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!