Thursday, 2015-03-12

openstackgerrit	henry-nash proposed openstack/keystone: Support upload domain config files to database https://review.openstack.org/160364	00:02
openstackgerrit	henry-nash proposed openstack/keystone: Mark the domain config API as experimental https://review.openstack.org/160032	00:06
openstackgerrit	henry-nash proposed openstack/keystone: Support upload domain config files to database https://review.openstack.org/160364	00:07
*** joesavak has quit IRC		00:07
*** boris-42 has joined #openstack-keystone		00:15
openstackgerrit	henry-nash proposed openstack/keystone: Reload drivers when their domain config is updated https://review.openstack.org/163322	00:15
openstackgerrit	Brant Knudson proposed openstack/keystone: Sync oslo-incubator to f2cfbba https://review.openstack.org/163653	00:19
openstackgerrit	Merged openstack/keystone: Fix typo in name of variable in resource router https://review.openstack.org/162808	00:20
samueldmq	henrynash, hi - I am available to talk about 'Enable sensitive substitutions into whitelisted domain configs' if you have some time	00:21
*** arunkant has quit IRC		00:21
samueldmq	henrynash, or maybe tomorrow :)	00:23
henrynash	hi…sorry…about to hit the sack….I added a comment to the review	00:23
openstackgerrit	Brant Knudson proposed openstack/keystone: Update sample config file. https://review.openstack.org/163654	00:24
*** henrynash has quit IRC		00:29
*** gyee has quit IRC		00:31
*** spandhe has joined #openstack-keystone		00:31
*** spandhe_ has joined #openstack-keystone		00:34
*** spandhe has quit IRC		00:35
*** spandhe_ is now known as spandhe		00:35
*** vishy has quit IRC		00:41
*** vishy has joined #openstack-keystone		00:42
*** zzzeek has quit IRC		00:44
*** csoukup has quit IRC		00:47
stevemar	lhcheng, thanks so much for the chat :)	00:50
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix deprecated group for eventlet_server options https://review.openstack.org/163658	00:51
jamielennox	stevemar: does https://review.openstack.org/#/c/153910/ solve a need for the horizon websso thing?	00:51
lhcheng	stevemar: np, thanks for all the help in setting it up!	00:51
jamielennox	i feel like it did, but i'm not sure how to answer that last comment	00:51
stevemar	jamielennox, it all depends on if you provide a tokenAuth piece	00:54
*** chlong has quit IRC		00:55
stevemar	jamielennox, yeah, i think we depend on token auth	00:55
*** chlong has joined #openstack-keystone		00:55
stevemar	so it doesn't help just yet	00:55
stevemar	this is what we're doing for the sso bits https://review.openstack.org/#/c/136178/16/openstack_auth/backend.py	00:55
jamielennox	right, so i was thinking in the pluggable method you would just need to add a handler that did the backend bit	00:56
jamielennox	so the block at line 80 is easy to replace with a plugin	00:56
jamielennox	the block at line 118 is a problem	00:56
jamielennox	didn't we fix that?	00:56
*** _cjones_ has quit IRC		01:02
*** rwsu is now known as rwsu-afk		01:04
*** gokrokve has quit IRC		01:15
*** sigmavirus24 is now known as sigmavirus24_awa		01:19
dstanek	going to start doing some more reviews again tonight...any special requests?	01:23
dstanek	otherwise i'm going down the list of blockers	01:23
*** topol has joined #openstack-keystone		01:24
*** ChanServ sets mode: +v topol		01:25
*** markvoelker has quit IRC		01:27
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/162350	01:27
rodrigods	dstanek, https://review.openstack.org/#/c/159944/ o/	01:27
rodrigods	:)	01:27
*** markvoelker has joined #openstack-keystone		01:27
dstanek	rodrigods: k	01:30
rodrigods	dstanek, thanks	01:30
*** markvoelker has quit IRC		01:32
*** ayoung has joined #openstack-keystone		01:35
*** ChanServ sets mode: +v ayoung		01:35
*** wwriverrat has left #openstack-keystone		01:44
openstackgerrit	Eric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support https://review.openstack.org/160031	01:48
openstackgerrit	Eric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support https://review.openstack.org/160031	01:49
*** dims_ has quit IRC		01:53
*** tqtran_ has quit IRC		02:06
*** lhcheng has quit IRC		02:12
morganfainberg	stevemar, was https://bugs.launchpad.net/keystone/+bug/1428946 addressed by the cadf fixes?	02:20
openstack	Launchpad bug 1428946 in Keystone "add keystone service id to observer audit" [Undecided,New]	02:20
stevemar	morganfainberg, right - i was going to ask you about that just now	02:20
stevemar	we can tell say that if they want info about user_id and project_id, then use cadf	02:21
stevemar	however, it's in the payload, not the context	02:21
morganfainberg	surrre	02:21
morganfainberg	that one isn't the context one	02:21
morganfainberg	i closed the context one	02:22
morganfainberg	that one is the observer audit?	02:22
morganfainberg	service_id that is	02:22
morganfainberg	?	02:22
stevemar	user id == initiator id	02:22
stevemar	project_id == initiator.project_id	02:22
morganfainberg	"observer": {	02:22
morganfainberg	"typeURI": "service/security",	02:22
morganfainberg	"id": "openstack:3d4a50a9-2b59-438b-bf19-c231f9c7625a"	02:22
morganfainberg	},	02:22
stevemar	the 'observer' is keystone	02:22
morganfainberg	from the bug: The ID field should be the ID of the keystone/identity service.	02:22
morganfainberg	oh you filed it	02:23
morganfainberg	haha	02:23
morganfainberg	god.	02:23
stevemar	yes i did :)	02:23
morganfainberg	braindead	02:23
* morganfainberg needs food.		02:23
stevemar	i wasn't sure about how to get the keystone service Id	02:23
morganfainberg	oh	02:23
morganfainberg	uh	02:23
morganfainberg	uhhhhhh	02:23
stevemar	it's in the backends, but then i'd need access to the manager	02:23
stevemar	and thats uh... not as pretty if not accessing from a class	02:23
morganfainberg	well i think it	02:23
*** samueldmq has quit IRC		02:24
morganfainberg	s fair that keystone knows itself somehow	02:24
morganfainberg	it doesn't need to be found in the notification code, it could be found somewhere else	02:24
*** richm has quit IRC		02:24
*** _cjones_ has joined #openstack-keystone		02:24
morganfainberg	and notification code could just reference it	02:24
stevemar	true	02:24
morganfainberg	thats the route i'd take	02:24
morganfainberg	somewhere where we can access it and propagate it to something usable by notifications	02:25
morganfainberg	ok i need to get food before it's too late here	02:26
stevemar	go go	02:26
morganfainberg	and i need to check out... i'm a bit fried.	02:26
stevemar	check out away sir	02:26
stevemar	git checkout -b morgan	02:26
*** erkules_ has joined #openstack-keystone		02:28
*** erkules has quit IRC		02:31
openstackgerrit	Dolph Mathews proposed openstack/keystone: Replace the expiration timestamp in Fernet tokens with a ttl https://review.openstack.org/163683	02:40
*** david-lyle is now known as david-lyle_afk		02:45
*** rushiagr_away is now known as rushiagr		02:52
*** dims_ has joined #openstack-keystone		02:54
*** gokrokve has joined #openstack-keystone		02:54
*** rushiagr is now known as rushiagr_away		02:54
*** rushiagr_away is now known as rushiagr		02:55
*** samueldmq has joined #openstack-keystone		02:55
*** dims_ has quit IRC		02:59
*** lhcheng has joined #openstack-keystone		03:11
*** rushiagr is now known as rushiagr_away		03:12
*** drjones has joined #openstack-keystone		03:13
openstackgerrit	Merged openstack/keystone: Fix deprecated group for eventlet_server options https://review.openstack.org/163658	03:14
*** _cjones_ has quit IRC		03:16
*** radez_g0n3 is now known as radez		03:22
openstackgerrit	Steve Martinelli proposed openstack/pycadf: Add a section for audit maps https://review.openstack.org/162429	03:36
*** samueldmq has quit IRC		03:37
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	03:44
*** lhcheng has quit IRC		03:47
stevemar	ayoung, up for a few reviews :)	03:48
*** rushiagr_away is now known as rushiagr		03:53
openstackgerrit	Lance Bragstad proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	03:54
openstackgerrit	Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	03:55
*** drjones has quit IRC		03:59
*** gokrokve_ has joined #openstack-keystone		04:18
*** gokrokve has quit IRC		04:21
*** radez is now known as radez_g0n3		04:21
*** gokrokve_ has quit IRC		04:22
*** devlaps has quit IRC		04:25
nkinder	jamielennox: you around?	04:36
jamielennox	nkinder: yep	04:37
nkinder	jamielennox: This looks like a bug - http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/_discover.py#n84	04:37
nkinder	notice how num is never used unless we hit an exception?	04:37
nkinder	jamielennox: I think this is causing auth_version = v3 to not work	04:37
nkinder	jamielennox: that nova auth thing we worked on last week would work if you set 'auth_version = v3.0', but not plain 'v3'	04:38
jamielennox	nkinder: off the top of my head i think that works fine	04:38
jamielennox	because the output of that try/except should have version as a str	04:38
jamielennox	although i guess it's wrong because float("1.2") would work	04:39
nkinder	jamielennox: but it ends up returning at http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/_discover.py#n93	04:39
nkinder	and it returns (3,)	04:40
nkinder	I think we want it to return (3,0)	04:40
jamielennox	i think we want (3, 0) as well	04:40
nkinder	jamielennox: I think if 'num = float(version)' succeeds, we want to 'version = num'	04:41
nkinder	of just 'version = float(version)' in the try block	04:41
jamielennox	nkinder: but we want to version.split('.') in the next part	04:42
nkinder	yeah, we need to convert it to a string	04:42
jamielennox	i get str(float("3")) == "3.0"	04:42
nkinder	yeah, version = str(float(version))	04:43
nkinder	then the split line will end up making it (3, 0)	04:44
nkinder	right now, we do nothing with the result of float()	04:45
jamielennox	?	04:45
jamielennox	if the float call works the else will run	04:46
jamielennox	so it'll convert it back to a string	04:46
jamielennox	was a cheap way of making "3" -> "3.0"	04:46
jamielennox	so in my checkout	04:46
jamielennox	In [3]: d.normalize_version_number('v3')	04:46
jamielennox	Out[3]: (3, 0)	04:46
*** lhcheng has joined #openstack-keystone		04:48
nkinder	jamielennox: ah, right. I was looking at it wrong.	04:49
nkinder	jamielennox: I'm not sure why "v3" doesn't work for that nova issue though.	04:49
nkinder	jamielennox: but "v3.0" does	04:49
jamielennox	there did used to be a hardcoded check in auth_token	04:50
jamielennox	https://github.com/openstack/keystonemiddleware/blob/1.0.0/keystonemiddleware/auth_token.py#L1097	04:50
nkinder	jamielennox: ah, yeah. That looks like the culprit.	04:51
nkinder	jamielennox: I don't have my environment up right now, but I bet that's it.	04:51
jamielennox	yea, its a proper string compare so you have to have it right	04:52
jamielennox	it's gone now, but not that long ago	04:52
*** lhcheng has quit IRC		04:52
nkinder	jamielennox: yeah, I think it's still in RDO Juno	04:52
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	04:54
nkinder	jamielennox: https://bugs.launchpad.net/keystonemiddleware/+bug/1383853	04:55
openstack	Launchpad bug 1383853 in keystonemiddleware "auth_token middleware hard coded to check for version 3.0" [Medium,Fix released] - Assigned to wanghong (w-wanghong)	04:55
jamielennox	wow - more recent than i though	04:56
*** gokrokve has joined #openstack-keystone		04:58
nkinder	jamielennox: thanks for setting me straight on that	04:58
nkinder	jamielennox: I'm off to bed. Talk to you tomorrow.	04:58
jamielennox	nkinder: inght	04:58
openstackgerrit	Dolph Mathews proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	05:01
*** gokrokve_ has joined #openstack-keystone		05:04
*** david-ly_ has joined #openstack-keystone		05:04
*** telemons1er has joined #openstack-keystone		05:07
*** mestery_ has joined #openstack-keystone		05:07
*** mestery has quit IRC		05:08
morganfainberg	dolphm, https://review.openstack.org/#/c/161897/ i think this still has a hold-over on TTL/expires_at not being in the token. and there is an import issue with the test file (datetime was still used). otherwise this looks pretty good.	05:09
*** david-lyle_afk has quit IRC		05:09
*** telemonster has quit IRC		05:09
*** gokrokve has quit IRC		05:09
*** BAKfr has quit IRC		05:09
dolphm	morganfainberg: bah, alright	05:09
morganfainberg	dolphm, seriously lgtm except the minor issues.	05:10
dolphm	morganfainberg: i'm almost out of rebase hell - i'll finish the sequence and go back for that :)	05:10
morganfainberg	dolphm, ++ sounds good.	05:10
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic https://review.openstack.org/162338	05:12
*** BAKfr has joined #openstack-keystone		05:13
dolphm	morganfainberg: i was using deprecated config for vim-flake8 earlier today, and only recently it was giving me a deprecation warning about my config INSTEAD of reporting on any violations. hence the pep8 violation slipping in...	05:13
morganfainberg	the pep8 violation is the same as the test violation though :P	05:14
*** rushiagr is now known as rushiagr_away		05:14
morganfainberg	missing import	05:14
morganfainberg	i mean sure...	05:14
morganfainberg	same net effect though :)	05:14
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	05:15
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	05:17
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic https://review.openstack.org/162338	05:18
openstackgerrit	Dolph Mathews proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	05:18
stevemar	morganfainberg, let me know if you/gyee/hp find this patch useful: https://review.openstack.org/#/c/162866/	05:19
stevemar	i don't want to spend any more time on it if it's not going to be used :P	05:20
morganfainberg	stevemar, my only question is would it break anyone today	05:20
morganfainberg	if it would break someone, we can't do that.	05:20
stevemar	morganfainberg, no, and its k2k specific which was experimental	05:20
morganfainberg	is there any case making this assumption would be terminally bad	05:21
morganfainberg	?	05:21
morganfainberg	e.g. WebSSO [with browsers involved] future looking	05:21
morganfainberg	if the answer is no there too, we could potentially add it. (though i'd like to see jamielennox and marekd's opinion on it)	05:22
stevemar	sure	05:22
jamielennox	hmm?	05:22
morganfainberg	stevemar, but if the answer is "wont break anyone, isn't a bad idea, and jamielennox and marekd say 'cool'" i think it's worth it.	05:22
morganfainberg	i can see a benefit to making the response a client needs to consume less onerous	05:23
stevemar	morganfainberg, it's basically, instead of 'give me a saml assertion' we the ability to say 'give me a saml assertion that wrapped in SOAP, so i can hand it off to my ecp client'	05:24
stevemar	morganfainberg, but i get what you're saying!	05:24
openstackgerrit	Dolph Mathews proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	05:24
stevemar	if marek thinks it's useful then he's my prime concern	05:24
*** markvoelker has joined #openstack-keystone		05:25
stevemar	i'm just referring to rodrigods blog: http://blog.rodrigods.com/playing-with-keystone-to-keystone-federation/ he had to make a 'transform_assertion_into_ecp' function	05:25
*** markvoelker has quit IRC		05:30
*** topol has quit IRC		05:30
stevemar	morganfainberg, oh... can you do a quick once over on: https://review.openstack.org/#/c/152018/	05:33
morganfainberg	stevemar mayyyybew	05:33
stevemar	you +2'ed the previous ps	05:34
stevemar	and it's got the brant blessing	05:34
stevemar	if thats not the ingredients for +3, then i dunno what is?!	05:34
morganfainberg	stevemar, so https://review.openstack.org/#/c/161897/ should be a relatively easy review.	05:35
morganfainberg	stevemar, way simpler than the previous (ones) for fernet	05:35
*** DaveChen has quit IRC		05:35
*** davechen has joined #openstack-keystone		05:35
stevemar	alright, i'll trade you for https://review.openstack.org/#/c/159045/	05:36
morganfainberg	eiuuuuww cadf	05:36
* morganfainberg will get the context manager notifier working one of these days...		05:37
stevemar	morganfainberg, i dunno what you're smokin but that one isn't easy so far	05:37
stevemar	!	05:37
morganfainberg	stevemar, the fernet one? yeah it is:P	05:37
morganfainberg	stevemar, it's doing some date manipulation and removing created_at from the payload	05:38
stevemar	what's struct.unpack(">Q", timestamp_bytes)[0]	05:38
morganfainberg	Q unsigned long, < little endian	05:39
morganfainberg	erm > big endian	05:39
morganfainberg	so >Q is big endian unsigned long	05:39
morganfainberg	sorry unsigned long long	05:39
morganfainberg	https://docs.python.org/2/library/struct.html	05:39
stevemar	i see examples in lots of bitcoin code https://github.com/jgarzik/python-bitcoinlib/blob/master/bitcoin/messages.py	05:40
stevemar	dolphm, is trying to steal all my bitcoins	05:40
*** harlowja_ is now known as harlowja_away		05:41
morganfainberg	stevemar, hah	05:41
openstackgerrit	Dolph Mathews proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	05:43
stevemar	morganfainberg, it wasn't so bad :)	05:44
morganfainberg	nah	05:44
stevemar	morganfainberg, is getting fernet tokens to work for v2 a hard requirement?	05:46
morganfainberg	stevemar, yes.	05:46
morganfainberg	stevemar, fernet token SPFE was granted on the condition that the tokens matched all current use-cases of tokens (uuid/pki[z])	05:47
stevemar	gotcha	05:47
stevemar	good luck dolphm lbragstad	05:47
morganfainberg	they really aren't far off	05:48
morganfainberg	all the patches up until the v2 one should be near ready to gate	05:48
morganfainberg	the v2 one should be able to go in tomorrow / friday [i hope]	05:48
morganfainberg	that and henry's last ~2 for domain sql are the priorities	05:48
morganfainberg	i'm going to break apart the utf8 thing tomorrow so we can land whitelist/blacklist [that can easily FFE]	05:49
morganfainberg	s/whitelist\/blacklist/idp registration	05:49
morganfainberg	and whitelist/blacklist will be easier to land now that dstanek did a pass on it	05:49
stevemar	yeah, that was some slick work	05:50
morganfainberg	this one could go, lance's -1 was just because it needed a rebase	05:50
*** browne1 has quit IRC		05:56
*** rushiagr_away is now known as rushiagr		05:58
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/163705	06:02
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	06:08
*** bknudson has quit IRC		06:10
openstackgerrit	Dolph Mathews proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	06:11
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic https://review.openstack.org/162338	06:11
openstackgerrit	Dolph Mathews proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	06:11
openstackgerrit	Dolph Mathews proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	06:13
*** spandhe has quit IRC		06:18
*** gokrokve has joined #openstack-keystone		06:20
openstackgerrit	Merged openstack/keystone: Add documentation for key terms and basic authenticating https://review.openstack.org/152018	06:22
*** gokrokve_ has quit IRC		06:23
*** lhcheng has joined #openstack-keystone		06:25
*** afazekas is now known as __afazekas		06:25
*** markvoelker has joined #openstack-keystone		06:26
*** markvoelker has quit IRC		06:32
*** dims_ has joined #openstack-keystone		06:32
*** dims_ has quit IRC		06:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion https://review.openstack.org/162866	06:53
stevemar	marekd, awake?	06:55
marekd	stevemar: yes, reading the logs from the night	06:56
marekd	(IRC logs)	06:56
marekd	stevemar: https://review.openstack.org/#/c/162866/ i don't have any objections against this. If we need a pure saml assertion we can always add ?noecp flag	06:57
marekd	morganfainberg: ^^	06:57
stevemar	marekd, i was leaving it open-ended	06:57
stevemar	if you think it'll help adoption then i am not against it either	06:58
stevemar	i can't seem to figure out the <generatedkey> tag though	06:58
marekd	stevemar: where?	06:58
marekd	stevemar: hehe, OpenStack will make ECP a real standard on top of SAML, not a super unpopular extension :P	06:59
stevemar	marekd, the bug has it: <samlec:GeneratedKey> https://bugs.launchpad.net/keystone/+bug/1426128	06:59
openstack	Launchpad bug 1426128 in Keystone "Add ECP related bits to saml generation code" [Undecided,In progress] - Assigned to Steve Martinelli (stevemar)	06:59
marekd	stevemar: ah, you are asking where this key value comes from?	07:00
stevemar	yeah, and i don't think pysaml2 has support for it either :)	07:00
stevemar	so i don't have those bits in the patch yet: https://review.openstack.org/#/c/162866/3/keystone/contrib/federation/idp.py	07:00
marekd	stevemar: i don't know now.	07:00
stevemar	i'm wondering how it ever worked for other people who i sent rodrigods example for? i would think they copy/pasted	07:01
marekd	very likely	07:01
marekd	noone wants to read and understand xml headers	07:01
stevemar	marekd, i wanted to ask about https://review.openstack.org/#/c/162547/	07:02
stevemar	as it's my last bug to fix :)	07:02
stevemar	and there is a +A'ed change that depends on it, ehehe	07:03
marekd	stevemar: yeah, so my question was whether you really want to somewhere later check if you have project_id attribute	07:03
marekd	not assign it always and sometimes put None value	07:04
marekd	but as long you say this is fine i am fine too :-)	07:04
stevemar	marekd, how would i sometimes add it if it has None value?	07:05
stevemar	ohhh	07:05
marekd	project_id can be None because of line 407 for instance,	07:05
stevemar	right rihgt	07:05
marekd	if you always call initialtor.project_id = project_id	07:05
marekd	then you will always add an attribute project_id	07:06
stevemar	you're asking why i only sometimes do it	07:06
marekd	you are doin it when project_id is not None	07:06
stevemar	right	07:06
stevemar	which is what i want	07:06
stevemar	if it's None then I don't want to report it	07:06
stevemar	keep it as it was before	07:07
marekd	aaaah, cause it would be used for reports.	07:07
marekd	ok, so i get it now.	07:07
stevemar	yep	07:07
marekd	voted :-)	07:07
stevemar	\o/	07:07
marekd	now you can rest	07:07
openstackgerrit	Merged openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	07:07
stevemar	oh my	07:08
stevemar	it is 3am	07:08
stevemar	i should sleep	07:08
marekd	stevemar: i am grepping this: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py and GeneratedKey doesn't seem to occur.	07:08
marekd	3 or 2 am?	07:08
stevemar	3 now, we did our silly daylight savings time thing last week	07:09
marekd	oooh	07:09
stevemar	which is why the last keystone meeting was funny	07:10
marekd	sadly, i had to skip it	07:10
stevemar	topol and i showed up early	07:10
marekd	and the rest?	07:12
stevemar	the rest showed up on time and laughed at us	07:15
stevemar	marekd, alright tomorrow i'm reviewing fernet patches and revisiting my ksc patches!	07:17
stevemar	oh and maybe sso docs	07:17
stevemar	lhcheng and i had some fun redoing the sso setup :)	07:17
stevemar	marekd, see you in < 8 hrs!	07:17
marekd	Fernet was a long chain last week, at some point i got lost what was where :-)	07:17
marekd	stevemar: redoing setup?	07:17
*** _cjones_ has joined #openstack-keystone		07:19
*** _cjones_ has quit IRC		07:21
*** stevemar has quit IRC		07:22
*** markvoelker has joined #openstack-keystone		07:28
*** markvoelker has quit IRC		07:33
*** leonchio_ has quit IRC		07:38
*** david8hu has quit IRC		07:39
*** david8hu has joined #openstack-keystone		07:39
*** leonchio__ has joined #openstack-keystone		07:39
*** sluo_wfh has joined #openstack-keystone		07:42
openstackgerrit	Marek Denis proposed openstack/keystone: Abstract the direct map concept into an object https://review.openstack.org/163569	07:51
openstackgerrit	Marek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules https://review.openstack.org/163570	07:52
*** sluo_wfh has quit IRC		07:53
*** david8hu has quit IRC		08:00
*** leonchio__ has quit IRC		08:00
*** leonchio__ has joined #openstack-keystone		08:00
*** david8hu has joined #openstack-keystone		08:00
*** jistr has joined #openstack-keystone		08:03
*** afazekas_ has joined #openstack-keystone		08:06
openstackgerrit	Merged openstack/keystone: Add scope info to initiator data for CADF notifications https://review.openstack.org/162547	08:07
openstackgerrit	Merged openstack/keystone: add cadf notifications for oauth https://review.openstack.org/159045	08:07
*** rushiagr is now known as rushiagr_away		08:11
*** gokrokve has quit IRC		08:14
*** gokrokve has joined #openstack-keystone		08:14
*** sluo_wfh has joined #openstack-keystone		08:18
*** gokrokve has quit IRC		08:19
*** henrynash has joined #openstack-keystone		08:28
*** ChanServ sets mode: +v henrynash		08:28
*** markvoelker has joined #openstack-keystone		08:29
openstackgerrit	Marek Denis proposed openstack/python-keystoneclient: Federation Service Providers CRUD operations https://review.openstack.org/159018	08:31
*** markvoelker has quit IRC		08:34
*** erkules_ is now known as erkules		08:40
*** erkules has quit IRC		08:40
*** erkules has joined #openstack-keystone		08:40
*** amakarov_away is now known as amakarov		08:40
*** gokrokve has joined #openstack-keystone		08:45
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	08:49
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	08:50
*** gokrokve has quit IRC		08:50
*** pnavarro has joined #openstack-keystone		08:51
*** henrynash has quit IRC		08:58
*** nellysmitt has joined #openstack-keystone		09:02
*** pnavarro is now known as pnavarro\|off		09:07
*** gokrokve has joined #openstack-keystone		09:14
*** gokrokve has quit IRC		09:15
*** gokrokve has joined #openstack-keystone		09:16
*** gokrokve has quit IRC		09:20
*** markvoelker has joined #openstack-keystone		09:30
*** markvoelker has quit IRC		09:35
*** leonchio__ has quit IRC		09:37
*** david8hu has quit IRC		09:37
*** leonchio_ has joined #openstack-keystone		09:38
*** david8hu has joined #openstack-keystone		09:38
*** bdossant has joined #openstack-keystone		09:39
*** dims__ has joined #openstack-keystone		09:54
openstackgerrit	Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool https://review.openstack.org/130824	09:59
*** topol has joined #openstack-keystone		10:15
*** ChanServ sets mode: +v topol		10:15
*** gokrokve has joined #openstack-keystone		10:16
*** gokrokve has quit IRC		10:21
*** _cjones_ has joined #openstack-keystone		10:22
*** _cjones_ has quit IRC		10:26
*** markvoelker has joined #openstack-keystone		10:31
*** BAKfr has quit IRC		10:35
*** BAKfr has joined #openstack-keystone		10:35
*** samueldmq has joined #openstack-keystone		10:35
*** markvoelker has quit IRC		10:36
*** jistr has quit IRC		10:36
openstackgerrit	Marco Fargetta proposed openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156	10:42
openstackgerrit	Marco Fargetta proposed openstack/keystone: Correct utf8/innodb issues with tables https://review.openstack.org/159803	10:42
*** BAKfr has quit IRC		10:44
*** BAKfr has joined #openstack-keystone		10:44
*** topol has quit IRC		10:52
*** jistr has joined #openstack-keystone		10:53
marekd	I am grepping glance source code and cannot really find any spot where keystonemiddleware/keystoneclient is called for user authentication/authorization.	10:57
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy: Switch to non-namespaced module imports https://review.openstack.org/163768	11:11
*** gokrokve has joined #openstack-keystone		11:14
rodrigods	marekd,isn't here https://github.com/openstack/glance/blob/master/etc/glance-api-paste.ini#L67-L69 ?	11:14
marekd	rodrigods: yeah	11:17
marekd	and how is that later used....	11:17
marekd	?	11:17
*** aix has joined #openstack-keystone		11:19
*** gokrokve has quit IRC		11:19
*** nellysmi_ has joined #openstack-keystone		11:24
*** fmarco76 has joined #openstack-keystone		11:24
*** nellysmitt has quit IRC		11:26
rodrigods	marekd, when you receive the request, the wsgi pipeline is executed. When its time for the authtoken, it authenticates the request: https://github.com/openstack/glance/blob/master/etc/glance-api-paste.ini#L15	11:28
marekd	rodrigods: i figured how the pipe is being actually choosen (flavor option in glance-*.)	11:30
marekd	rodrigods: next step	11:31
marekd	what is the first call executed in kmw ?	11:31
marekd	__init__.filter_factory()	11:32
*** markvoelker has joined #openstack-keystone		11:33
marekd	I think we might want to add some federation bits in keystonemiddleware.	11:36
*** markvoelker has quit IRC		11:37
rodrigods	marekd, hmm	11:38
rodrigods	yeah...	11:38
marekd	i may want to acutally issue my assertion and go directly to...say glance	11:39
marekd	kmw would then validate the assertion with keystone	11:39
rodrigods	++	11:42
marekd	I am wondering what morganfainberg and jamielennox think about it.	11:43
rodrigods	yep, let's discuss this when they appear online :)	11:46
openstackgerrit	Telles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398	11:49
openstackgerrit	Telles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id https://review.openstack.org/161378	11:49
breton	I'm researching https://bugs.launchpad.net/keystone/+bug/1430433 now. I hope no one minds that it's slow, because I use it as a possibility to understand Fernet tokens and the whole auth flow better	11:57
openstack	Launchpad bug 1430433 in Keystone "Fernet token validation doesn't return catalog and role information for domain scoped tokens" [Undecided,New] - Assigned to Boris Bobrov (bbobrov)	11:57
*** lhcheng has quit IRC		11:58
*** aix has quit IRC		11:59
*** ljfisher has joined #openstack-keystone		12:04
*** gokrokve has joined #openstack-keystone		12:14
*** markvoelker has joined #openstack-keystone		12:15
*** gokrokve has quit IRC		12:16
*** gokrokve has joined #openstack-keystone		12:16
*** gokrokve has quit IRC		12:21
*** rushiagr_away is now known as rushiagr		12:28
*** dims__ has quit IRC		12:35
*** dims_ has joined #openstack-keystone		12:36
*** ljfisher has quit IRC		12:42
*** bdossant has quit IRC		12:43
*** radez_g0n3 is now known as radez		12:48
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project https://review.openstack.org/159944	12:48
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	12:54
*** aix has joined #openstack-keystone		12:58
*** lhcheng has joined #openstack-keystone		12:58
*** ljfisher has joined #openstack-keystone		13:00
*** lhcheng has quit IRC		13:02
*** raildo has joined #openstack-keystone		13:06
*** mestery_ has quit IRC		13:08
*** gokrokve has joined #openstack-keystone		13:14
*** gokrokve has quit IRC		13:18
*** stevemar has joined #openstack-keystone		13:18
*** ChanServ sets mode: +v stevemar		13:18
*** mestery has joined #openstack-keystone		13:20
*** bknudson has joined #openstack-keystone		13:26
*** ChanServ sets mode: +v bknudson		13:26
*** richm has joined #openstack-keystone		13:28
rodrigods	marekd, looking at SP code... I think there is some attributes that mandatory, right?	13:42
*** gordc has joined #openstack-keystone		13:43
*** joesavak has joined #openstack-keystone		13:48
*** sigmavirus24_awa is now known as sigmavirus24		13:51
stevemar	gdi bknudson !	13:53
bknudson	stevemar: what's up?	13:54
stevemar	how were you not picky about the commit message on https://review.openstack.org/#/c/163768/	13:54
stevemar	it's an oslo sync	13:54
stevemar	and i mean this in a very fun and loving way	13:54
bknudson	stevemar: I didn't look at the filename...	13:54
bknudson	-2 it.	13:54
stevemar	i spent several minutes looking up commit numbers only to come back to the patch and realize it's +A'ed :P	13:55
stevemar	meh, i don't mind, it's 1 character change	13:55
stevemar	and that is the only difference	13:55
marekd	rodrigods: ksc?	13:55
bknudson	surprised that we have oslo-incubator in a library as small as oslo.policy	13:55
stevemar	bknudson, it's that silly fileutils guy	13:56
bknudson	read_cached_file seems like something that only oslo.policy would use.	13:57
stevemar	bknudson, i plan on graduating him in L	13:57
rodrigods	marekd, keystone, actually	13:57
marekd	rodrigods: name the line :D	13:58
stevemar	probably	13:58
marekd	rodrigods: what's that you dont like?	13:58
rodrigods	marekd, I was reviewing the ksc code and was about to suggest a test to avoid creation of SPs without mandatory fields	13:58
amakarov	ayoung, Hi! Are you here?	13:58
stevemar	bknudson, the plan was to call that library oslo.io but no one has picked up the work yet	13:58
rodrigods	when I look keystone code	13:58
rodrigods	marekd, we can create SPs without auth_url and sp_url	13:58
ayoung	amakarov, no, I'm way over here	13:59
rodrigods	marekd, which doesn't make sense to me	13:59
rodrigods	should have noticed during the review process :(	13:59
marekd	rodrigods: now i am trying to recall if i had done it on purpose.	13:59
amakarov	ayoung, cool! When you get back, can you please suggest what to do with group role revocation? And is there any bp/spec about revocation optimization?	14:00
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: WIP - add support to samlize a token https://review.openstack.org/159022	14:00
ayoung	amakarov, nuke it from orbit	14:01
ayoung	The reason I was so draconian in the first place was due to limitations in the token enumeration	14:01
bknudson	./neutron/neutron/openstack/common/policy.py: reloaded, data = fileutils.read_cached_file(	14:01
bknudson	neutron still hasn't switched to oslo.policy	14:01
ayoung	amakarov, if groups were in the token, we'd have an obvious approach	14:01
amakarov	ayoung, ++	14:01
bknudson	and ceilometer	14:01
ayoung	but we don't know at the token level that the role assignment cam via group membership	14:01
amakarov	ayoung, alas they are not )	14:01
bknudson	and cinder... I guess nobody has switched to oslo.policy.	14:02
rodrigods	marekd, https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L323-L324 seems like this would fail	14:02
bknudson	maybe I should be bringing this up with the other oslo liaisons.	14:02
bknudson	./nova/nova/utils.py:def read_cached_file(filename, cache_info, reload_func=None):	14:03
marekd	rodrigods: it wouldn't fail	14:03
amakarov	ayoung, so postpone it and double-check against Fernet?	14:03
*** r-daneel has joined #openstack-keystone		14:03
marekd	it would return None	14:03
bknudson	several projects have their own implementation of read_cached_file outside of oslo-incubator even.	14:03
ayoung	amakarov, yeah	14:03
rodrigods	marekd, not the get(), but if None, the next steps would fail	14:03
stevemar	bknudson, ceilometer should have switched over yesterday to oslo.policy	14:03
ayoung	amakarov, maybe make it something that can be disabled? I don't now	14:04
ayoung	know	14:04
*** krykowski has joined #openstack-keystone		14:04
bknudson	I don't think ceilometer even uses policy.json.	14:04
rodrigods	marekd, likes 339 and 348	14:04
bknudson	http://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json -- actually, they've got one now!	14:04
stevemar	rodrigods, marekd make a schema for for the request	14:04
stevemar	bknudson, thats rough	14:05
marekd	stevemar: jsonschema?	14:05
amakarov	ayoung, will Fernet tokens have group_id?	14:05
stevemar	marekd, yeah, we do that for a few others	14:05
marekd	yeah	14:05
stevemar	amakarov, dolphm and lbragstad are working on that	14:05
stevemar	marekd, we probably just overlooked it	14:05
stevemar	file a bug and fix it	14:06
marekd	++	14:06
ayoung	amakarov, for Federation tokens, yes	14:06
ayoung	and maybe that is the answer...for all fedeartion tokens, PKI included, we add in the groups	14:06
ayoung	actually, we may still be stuck	14:06
rodrigods	stevemar, marekd, I'm on this right now... will be full time k2k for the next week or so	14:07
ayoung	I think federation tokens only have groups in the unscoped tokebns. marekd is that right ?	14:07
rodrigods	will file a bug	14:07
amakarov	ayoung, stevemar, the 2nd question: is current revocation engine performance enough?	14:07
marekd	ayoung: negative. The OS-FEDERATION obj is part of the user.	14:08
amakarov	I'm surprized that sql backend doesn't used for tree storage/search	14:08
*** mattfarina has joined #openstack-keystone		14:08
amakarov	s/doesn't/isn't/	14:08
marekd	ayoung: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-a-scoped-os-federation-token	14:08
ayoung	marekd, so every federated token can and will have the groups in it?	14:08
marekd	ayoung: yes, that's the only information that defines what you can do in the system	14:09
ayoung	marekd, so, I'm thinking that we make everything behave the same in the future.	14:10
ayoung	Let's make the Federation path the normal path in Liberty	14:10
stevemar	ayoung, i want that more than anyone and i don't see it happening in L	14:11
ayoung	stevemar, good topic for Vancouver	14:11
marekd	let's make SAML assertion a standard token.	14:11
ayoung	marekd, different issue	14:11
marekd	ayoung: a topic for vancouver is how to actually make inter clouds.	14:12
amakarov	marekd, and use XML ))	14:12
stevemar	for sure, it'll be a great topic	14:12
marekd	amakarov: let it be oidc as long as it's as powerful as saml	14:14
ayoung	marekd, I mean that instead of going to /auth/token to get an unscoped, we use the Federation approach, to include the idp and protocol data	14:14
rodrigods	stevemar, marekd https://bugs.launchpad.net/keystone/+bug/1431377	14:14
openstack	Launchpad bug 1431377 in Keystone "service provider object accepts null values for mandatory fields" [Low,Confirmed]	14:14
marekd	rodrigods: thanks	14:14
marekd	what do you think about buildin some federation bits in keystonemiddleware ?	14:14
*** gokrokve has joined #openstack-keystone		14:14
dstanek	marekd: do you have thoughts on what would need to go in there?	14:14
*** rushiagr is now known as rushiagr_away		14:14
marekd	dstanek: a use case you mean or a way how to do this?	14:15
*** iamjarvo has joined #openstack-keystone		14:18
marekd	a use case...i think i do. Let's say image sharing between the clouds. I want my local glance to fetch an image available at other federated cloud. I would issue an assertion with my local keystone, pass it to the glance and request for fetching an image X from glance X-g. The glance (or client in general) would pass the assertion to glance. Keystonemiddleware would have to pass it to the Keystone, because it's keystone that knows (along wi	14:18
*** gokrokve has quit IRC		14:19
marekd	now, for 'transport layer' i would try to use bittorrent protocol but it's a kind of different story and also there might be a problem with keeping the infrastructure under control.	14:21
amakarov	ayoung, maybe I missed something, wasn't there an idea to merge assignments and trusts? As for me, they have much in common. And having assignment id attached as we have trust id now can be useful for revocation purposes	14:22
marekd	dstanek: as how to do this: I think it's more like passing the assertion and checking whether the assertion is validated or not.	14:23
marekd	dstanek: and probably more work would be on keystone side, where one can list accessible projects in one step, with the assertion as an input, not assertion -> unscoped token -> /auth/projects / /auth/domains	14:24
dstanek	marekd: if the client passes he assertion to keystone why would the middleware need to check the assertion?	14:25
marekd	dstanek: the point is not to pass the assertion to the keystone	14:25
dstanek	"Keystonemiddleware would have to pass it to the Keystone"	14:26
dstanek	marekd: a picture or flow diagram may be the easiest way to talk through the flow of data	14:26
marekd	dstanek: local glance ----- (SAML assertion) ---> remote glance (with help of kmw) --(SAML ASSERTION)--> Keystone	14:28
marekd	dstanek: see, here, we never have an openstack token	14:28
*** timcline has joined #openstack-keystone		14:28
marekd	SAML assertion is a 'token' here	14:28
*** jorge_munoz has joined #openstack-keystone		14:29
marekd	and myself, or a service acting on my behalf contacts directly a remote service	14:29
openstackgerrit	Merged openstack/oslo.policy: Switch to non-namespaced module imports https://review.openstack.org/163768	14:29
marekd	dstanek: picture it as fetching a image from local glance where you put your uuid token in the request. Glance will validate it with the keystone.	14:30
*** csoukup has joined #openstack-keystone		14:31
marekd	is the overall idea of using mapping engine ALWAYS with every token auth a good idea?	14:31
marekd	just asking for a future reference.	14:31
*** mattfarina has quit IRC		14:31
rodrigods	stevemar, for the db migration (not allowing auth_url and sp_url to be null), we'd need to add a default value if we already have stored SPs with such fields null	14:32
rodrigods	stevemar, any suggestions?	14:32
rodrigods	marekd, ^	14:32
*** gokrokve has joined #openstack-keystone		14:33
*** samueldmq_ has joined #openstack-keystone		14:33
marekd	rodrigods: localhosts	14:35
marekd	or make sure controllers wil not blow up when the null is there and deal with that.	14:35
rodrigods	marekd, think the second is more informative, we can raise an exception telling the user to update such fields	14:36
stevemar	rodrigods, what db migration is needed? and it should be fine to add a new one, we just introduced them a few weeks ago	14:36
marekd	stevemar: he wants to make sp_url and auth_url not nullable in db	14:37
stevemar	rodrigods, okay, add a new migration then, should be fine to add, don't need to worry about existing setups, it was either introduced in K or experimental in J	14:39
rodrigods	stevemar, great, thanks	14:39
stevemar	if we have a schema though, it'll ensure that auth_url and sp_url are never null. but i guess for good practice we should make the column nullable=False also	14:40
stevemar	rodrigods, can you split that into 2 patches?	14:40
openstackgerrit	Lance Bragstad proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	14:40
rodrigods	stevemar, absolutely :)	14:41
*** r-daneel has quit IRC		14:42
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	14:44
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	14:44
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	14:44
*** r-daneel has joined #openstack-keystone		14:45
*** lhcheng has joined #openstack-keystone		14:47
samueldmq_	have we converged on the way to represent experimental APIs?	14:48
samueldmq_	'hints': 'experimental' inside a resource ?	14:48
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis token backend https://review.openstack.org/150844	14:52
*** lhcheng has quit IRC		14:52
*** thedodd has joined #openstack-keystone		14:53
*** obutenko has joined #openstack-keystone		14:54
openstackgerrit	Lance Bragstad proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	14:58
*** mattfarina has joined #openstack-keystone		15:00
openstackgerrit	Lance Bragstad proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	15:04
breton	I'm getting TypeError: 'NoneType' object has no attribute '__getitem__' if I don't send "X-Subject-Token". It's not normal, yes?	15:04
breton	(please don't fix it if it's not normal, I want to try myself)	15:04
*** gokrokve_ has joined #openstack-keystone		15:07
*** chrisshattuck has joined #openstack-keystone		15:09
*** gokrokve has quit IRC		15:11
openstackgerrit	Merged openstack/pycadf: Add a section for audit maps https://review.openstack.org/162429	15:21
*** david-ly_ is now known as david-lyle		15:23
*** joesavak has quit IRC		15:23
stevemar	dstanek, poke - https://review.openstack.org/#/c/162428/	15:24
*** nellysmi_ has quit IRC		15:24
*** joesavak has joined #openstack-keystone		15:26
dstanek	stevemar: were the docs themed at some point?	15:26
stevemar	if they ever were, they aren't now	15:27
lbragstad	dolphm: I reviewed the api agnostic patch. There was some commented out code in the tests, should that be removed?	15:27
stevemar	dstanek, it was never used https://github.com/openstack/pycadf/commit/1d5428afa7c4442762737fdca8bad3d533f5e275	15:29
stevemar	just copy pasta	15:29
*** rushiagr_away is now known as rushiagr		15:30
dstanek	stevemar: should we also remove the dir from the conf file?	15:30
stevemar	i suppose!	15:31
*** arunkant_ has joined #openstack-keystone		15:31
*** chrisshattuck has quit IRC		15:32
*** rwsu-afk is now known as rwsu		15:33
lbragstad	dolphm: s/api agnostic/domain-scoped fernet tokens/	15:35
*** _cjones_ has joined #openstack-keystone		15:40
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone. https://review.openstack.org/163878	15:43
dolphm	lbragstad: hmm, those _validate_tokens don't work (i think) because we're using the same user as both the admin in those tests and the subject of the test	15:44
dolphm	lbragstad: so i think they should be there, but it would take a refactor to get them working	15:45
lbragstad	dolphm: ok, makes sense	15:46
iamjarvo	is the service that runs on port 35357 the adimin interface?	15:46
dolphm	iamjarvo: for v2, yes	15:47
openstackgerrit	Steve Martinelli proposed openstack/pycadf: Remove empty _templates folder https://review.openstack.org/162428	15:47
stevemar	dstanek, ^	15:47
dolphm	iamjarvo: /v3/ is the same on both :5000 and :35357	15:47
stevemar	35357 is only useful for admin actions with the v2 api	15:47
breton	it also seems that admin_token is not fully supported with fernet tokens, right?	15:47
stevemar	breton, why would that be? admin_token creates no auth_context	15:48
breton	at least yet	15:48
dolphm	breton: admin_token?	15:48
breton	I'm trying to create user with "X-Auth-Token:ADMIN" and getting "This is not a recognized Fernet formatted token: ADM"	15:49
breton	something happens in _get_domain_id_from_token	15:49
breton	dolphm: [DEFAULT]admin_token of keystone.conf	15:50
stevemar	breton, sounds like a bug, but i expect it to work	15:51
dolphm	breton: and ADMIN is the value you have configured?	15:51
breton	dolphm: yep	15:51
breton	ok, bugreport then	15:52
dolphm	breton: include a backtrace!	15:52
breton	there is none for this concrete issue	15:52
dolphm	breton: (assuming you're getting one)	15:52
openstackgerrit	ayoung proposed openstack/keystone-specs: Template for testijng document https://review.openstack.org/163882	15:53
richm	breton: are you using the v3 api?	15:53
richm	breton: and are you using the v3 policy file?	15:53
breton	richm: yes, v3 api. I have no idea about policy file. How do I check?	15:54
richm	breton: as root - ls -al /etc/keystone	15:55
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone. https://review.openstack.org/163883	15:56
breton	richm: there is no policy.json. Still need full output?	15:56
richm	breton: grep policy_file /etc/keystone/keystone.conf	15:56
breton	#policy_file=policy.json	15:57
*** browne has joined #openstack-keystone		15:57
richm	hmm - so no policy - so what policy does it use if there is no policy specified in the keystone.conf?	15:58
richm	The reason I'm asking is that I ran into a similar problem - the admin_token would not work in many cases when using the v3 api and v3 policy	15:58
richm	I had to add "is_admin:1" to many of the rules in the v3 policy - the problem is that the admin_token has no domain, so many of the rules fail because they require a domain in the token	15:59
richm	but in your case - what policy is it using?	15:59
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone. https://review.openstack.org/163878	15:59
*** thedodd has quit IRC		16:00
*** carlosmarin has quit IRC		16:02
*** samueldmq_ has quit IRC		16:02
marekd	rodrigods: did you manage to hack something ?	16:02
*** tqtran has joined #openstack-keystone		16:04
marekd	dstanek: https://review.openstack.org/#/c/163569/3 are you planning on adding anything else here?	16:04
dstanek	marekd: no	16:05
dstanek	marekd: thanks for the update	16:05
marekd	it's nothing.	16:05
breton	dolphm: https://bugs.launchpad.net/keystone/+bug/1431434	16:06
openstack	Launchpad bug 1431434 in Keystone "user creation with fernet tokens results in 401" [Undecided,New]	16:06
dolphm	breton: thank you, sir! would you be willing to test a patch that's still in review?	16:09
openstackgerrit	ayoung proposed openstack/keystone-specs: Template for testing document https://review.openstack.org/163882	16:10
breton	dolphm: yep	16:10
dolphm	breton: this one will certainly impact the check you're running into https://review.openstack.org/#/c/162031/	16:10
marekd	Do we have functional tests for osc working?	16:13
*** amakarov is now known as amakarov_away		16:13
breton	dolphm: 401: The request you have made requires authentication.	16:13
*** iamjarvo has quit IRC		16:14
dolphm	breton: slightly different error?	16:14
breton	dolphm: yes	16:14
dolphm	marekd: i'd consider devstack's use of osc to be in that camp	16:14
dolphm	marekd: although they probably lean more towards integration tests	16:15
marekd	dolphm: ack	16:15
morganfainberg	marekd, you're going to run into some issues with folks running reverse proxies for keystone.	16:18
morganfainberg	marekd, and i need to mull over the federation bits in middleware	16:19
*** iamjarvo has joined #openstack-keystone		16:19
ayoung	marekd, stevemar please kick this one ahead. It is a pre-req to the group mapping stuff we want to land	16:19
*** iamjarvo has quit IRC		16:19
ayoung	and should be pretty non-contentious	16:19
marekd	morganfainberg: you are talking now about fed + keystonemiddleware?	16:19
morganfainberg	marekd, yeah	16:19
*** iamjarvo has joined #openstack-keystone		16:20
marekd	:(	16:20
ayoung	dstanek, is https://review.openstack.org/#/c/142573/17 ready for primt time? IF so, add a +1 to it. I realize you wrote it, so +2 is a bit much, but a lot of cores are touching that, and I'd expect a bunch of +1s from the different authors	16:20
marekd	morganfainberg: so, looks like there is really any other way than making a client that will be fully stateful and juggle with tokens.	16:22
marekd	isn't	16:22
dstanek	ayoung: just added a +1	16:25
ayoung	dstanek, very cool. So you solved the `extends` issue?	16:25
dstanek	ayoung: the issues isn't solved, but it is abstracted away	16:26
ayoung	dstanek, Since this is only admin right now, I assume the risk of breakage is small?	16:26
*** afazekas_ has quit IRC		16:27
*** amerine has quit IRC		16:27
dstanek	ayoung: we could be breaking the mapping code	16:28
ayoung	dstanek, explain please?	16:29
dstanek	ayoung: all of these changes are about federation mappig	16:29
*** jsavak has joined #openstack-keystone		16:29
*** iamjarvo has quit IRC		16:29
*** joesavak has quit IRC		16:32
*** joesavak has joined #openstack-keystone		16:34
morganfainberg	ayoung, for https://review.openstack.org/#/c/159803/ i think we need to go back to the original code that fixes utf8, where federation is in the migration_helpers, then backport, then we move forward with a better fix	16:37
*** jsavak has quit IRC		16:37
morganfainberg	ayoung, the better fix will not land/be viable until after k3, and this blocks up something that is otherwise ready for review/landing in k3	16:37
ayoung	morganfainberg, right. So one :disable sanity check, 2 go to the origianl fix	16:38
morganfainberg	no	16:38
ayoung	3 something generic like this	16:38
morganfainberg	fix where it does the change in-line	16:38
morganfainberg	as it was before	16:39
morganfainberg	backport,	16:39
ayoung	you mean in the core code?	16:39
morganfainberg	then disable sanity check	16:39
morganfainberg	then move forward	16:39
morganfainberg	yes	16:39
ayoung	why?	16:39
morganfainberg	it needs to be backported	16:39
ayoung	just due to time?	16:39
morganfainberg	i dont want to backport devstack crazy	16:39
ayoung	I don't understand	16:39
*** zzzeek has joined #openstack-keystone		16:40
morganfainberg	i just don't want to try and implement fixes for the sanity check in devstack for gate.	16:40
ayoung	I'm supportive, and willing to be pragmatic	16:40
morganfainberg	etc	16:40
ayoung	just make it clear	16:40
morganfainberg	sorry let me rephrase	16:40
ayoung	ah	16:40
ayoung	is sanity check run outside of keystone code?	16:40
morganfainberg	i don't want to try and backport stuff for devstack to fix this	16:40
morganfainberg	sanity check is run out of oslo.db code	16:40
morganfainberg	it's inline via the keystone-manage cli,	16:40
morganfainberg	so my thought is we backport the simplest fix, where everything was in migration_helpers	16:41
ayoung	so if some other project ran it, it might break	16:41
morganfainberg	then we fix it better post k3	16:41
morganfainberg	well not in how we're trying to fix it	16:41
morganfainberg	it wont affect anyone else, but i really am hesitant to backport changing the sanity check	16:41
ayoung	morganfainberg, ok, tell you what, repost it to the state that you think it needs to be in, and I'll review that	16:41
morganfainberg	sounds good.	16:42
morganfainberg	ayoung, was just a heads up that because we need a backport here, we should fix it in-line, then do the disable sanity check + fixes in devstack for forward looking	16:42
ayoung	++	16:42
*** jistr has quit IRC		16:45
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Adding utf8 to federation tables https://review.openstack.org/159803	16:46
morganfainberg	ayoung, ^	16:47
morganfainberg	ayoung, back to the simplest version of the change.	16:47
morganfainberg	ayoung, and updated commit to reflect the plan	16:47
openstackgerrit	Morgan Fainberg proposed openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156	16:48
ayoung	morganfainberg, OK if I just +2a that now?	16:49
morganfainberg	ayoung, if you like the code.	16:49
ayoung	yeah, it is fine	16:49
openstackgerrit	Steve Martinelli proposed openstack/keystone: Implements whitelist and blacklist mapping rules https://review.openstack.org/142573	16:49
morganfainberg	ayoung, since it is no longer my code i also +2'd	16:49
ayoung	I mean, I don't want the core stuff staying long term	16:49
ayoung	but I'm pragmatic here	16:49
morganfainberg	ayoung, neither do i. i think we can fix that post k3 in some cleanup	16:50
*** amerine has joined #openstack-keystone		16:50
ayoung	works for me	16:50
morganfainberg	ayoung, but the key was i was looking at backportability, and it started making my skin crawl. this is backportable	16:50
stevemar	ayoung, oh btw did you end up using an empty blacklist in your mapping?	16:50
ayoung	stevemar, I put a junk value in there	16:50
ayoung	['nevermore']	16:50
ayoung	['closeenoughforadamswork']	16:51
stevemar	ayoung, okay, i think we will want to change the conditional for the black/white list to check `if blacklist is not None`	16:51
morganfainberg	ayoung, ['TheEnd']	16:51
ayoung	sure	16:51
breton	"and \"	16:51
breton	https://review.openstack.org/#/c/159803/17/keystone/common/sql/migration_helpers.py	16:51
stevemar	cause the empty list caused it to not enter the direct mapping logic	16:51
breton	seriously?	16:51
marekd	stevemar: i think we will have to redefine mapping language :P	16:51
stevemar	marekd, hehe	16:52
marekd	stevemar: dstanek changes are good but...are they perfect?	16:52
marekd	stevemar: or at least constraint a 'grammar' there a little bit.	16:52
morganfainberg	breton, bike shed?	16:52
stevemar	marekd, it's a logical step forward for now	16:52
marekd	personally i would go away from using {0} and format()	16:52
marekd	let's trat everything as objects and serialize at the very end.	16:52
marekd	s/trat/treat/	16:53
morganfainberg	breton, 'and \' is less friendly, but ultimately a minor issue and we're re-writing the whole way this works soon.	16:53
stevemar	marekd, yep, we can definitely improve on things	16:53
morganfainberg	breton, this code was (at this patch level) ready except the forward looking stuff was sub-optimal.	16:53
dstanek	marekd: you also need a way to represent lists	16:53
marekd	dstanek: hm?	16:53
marekd	in the rules?	16:54
dstanek	marekd: yes, in the local	16:54
marekd	dstanek: i am starting to regret we didn't provider versions from the very beginning	16:54
marekd	we would simply go with the next(version) and have two separate paths.	16:55
dstanek	marekd: versioning is easy; add a 2.0 to new mappings and assume that if you don't have a version it is the original value	16:55
marekd	dstanek: ++	16:55
breton	morganfainberg: I think I missed the discussion about how and when it's going to be rewrited. Got any link to it?	16:55
morganfainberg	breton, in the irc channel backscroll, but in short, we need to backport this.	16:55
morganfainberg	breton, the new stuff wont be backportable.	16:56
morganfainberg	breton, so the ultimate fix will be to change when/how we sanity check so we can't wedge developers, it'll involve how devstack runs. we migrate, then we sanity check	16:56
morganfainberg	breton, catches errors where utf8 doesn't exist, but wont wedge deployers in bad ways in real deployments. basically kesytone-manage db_sanity_check	16:57
stevemar	dstanek, marekd mappingv2 for the win!	16:57
morganfainberg	breton, but backporting a fix for the tables and working to make devstack happy for juno et al becomes more dicy. so we fix it the simplest way in-tree for backport, then work on the forward looking cleanup	16:58
marekd	stevemar: i guess it's standard developers work to cycle around the same things all the time...	16:58
stevemar	marekd, happens to the best of intentions	16:58
morganfainberg	breton, solving the immidiate problem and letting us address the bigger re-write post FF since it's not a feature change, it's a tech-debt paydown that is easy to sell	16:58
stevemar	we needed something immediately and didn't know all the combinations	16:58
stevemar	it happens	16:58
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add JSON schema validation for service providers https://review.openstack.org/163903	16:59
morganfainberg	stevemar, we are allowed to fix bugs and iterate on design ;)	16:59
marekd	stevemar: oh, i am not complainint - the engine was complete at that time!	16:59
morganfainberg	marekd, ^ cc	16:59
*** afazekas has joined #openstack-keystone		16:59
marekd	morganfainberg: but it makes us so error prone and so imperfect :-)	16:59
morganfainberg	marekd, OMG really?! :P	16:59
morganfainberg	marekd, ^_^	16:59
rodrigods	stevemar, marekd ^json schema patch	16:59
stevemar	:D	16:59
stevemar	thanks rodrigods	17:00
* morganfainberg goes to meeting.		17:00
marekd	morganfainberg: and makes me feel this is not professional - how could I not predict it ? :P	17:00
marekd	morganfainberg: does it also happen in closed-source software? :P	17:00
rodrigods	stevemar, missing the DB part, kind unsure how to handle it	17:00
stevemar	marekd, haha, everything comes out perfect with closed-source	17:01
stevemar	it's all as-designed	17:01
breton	morganfainberg: thank you. So, when you're talking about backporting in the backscroll, you meant backporting to juno?	17:01
morganfainberg	yes	17:01
marekd	stevemar: this is called 'visibility', because this is how i see it :D	17:02
marekd	(due to closed ticketing system)	17:02
marekd	stevemar: heard that oracle db has ~10 000 open bugs	17:03
dstanek	marekd: one of them is mine!	17:03
*** krykowski has quit IRC		17:03
stevemar	dstanek, you are just always helping	17:04
marekd	stevemar: heard oracle has ~9999 open bugs and one from dstanek	17:04
stevemar	hehe	17:05
dstanek	stevemar: i'm glad i don't have to deal wit that anymore	17:05
marekd	seriously?	17:05
marekd	mysql is better?	17:05
marekd	postgres is better?	17:05
marekd	hadoop is better?	17:05
*** harlowja_away is now known as harlowja_		17:06
dstanek	much	17:06
dstanek	well, not hadoop	17:06
samueldmq	morganfainberg, have we decided the way we'll mark a resource as experimental?	17:06
dstanek	i hating dealing with Oracle and all the strange issues	17:07
samueldmq	morganfainberg, I want this info to be able to review this ( https://review.openstack.org/#/c/160032/ )	17:07
* samueldmq wonders if it will be 'hints': 'experimental', doing something similar to what is proposed in the json home spec		17:09
*** lhcheng has joined #openstack-keystone		17:11
stevemar	morganfainberg, when is the next juno release happening?	17:17
morganfainberg	no idea	17:17
stevemar	ah	17:17
morganfainberg	samueldmq, the hints bit is how we show it in code.	17:17
stevemar	i've been trying to get this one https://review.openstack.org/#/c/151411/ un -2'ed for ages now	17:18
morganfainberg	samueldmq, api spec will show in our docs.	17:18
morganfainberg	samueldmq, etc	17:18
morganfainberg	stevemar, i think we are close, i saw some FFE.	17:18
stevemar	marekd, we found the same issue, yay!	17:19
marekd	:D	17:19
samueldmq	morganfainberg, but here (https://review.openstack.org/#/c/160032/21/keystone/common/wsgi.py) we are specifically adding it to the wsgi resource	17:19
samueldmq	morganfainberg, exactly how it will be exposed via json home, right?	17:20
morganfainberg	samueldmq, yes.	17:20
samueldmq	morganfainberg, ok, that was my original question, maybe I wasnt clear	17:20
marekd	stevemar: jsonschema validates request body	17:20
marekd	not the response, right?	17:20
marekd	i mean..it does not validate the response	17:20
marekd	???	17:20
marekd	lbragstad: bknudson ^^ ?	17:21
samueldmq	morganfainberg, in addtion, will we have 'status': 'stable' for stable apis? or just nothing means stable	17:21
samueldmq	?	17:21
lbragstad	marekd: correct	17:22
bknudson	marekd: yes, it's the request body	17:22
bknudson	it could be used to validate the response in tests I guess.	17:22
bknudson	not sure what the point would be for the server responses.	17:22
lbragstad	there are some places where that is used. I believe tempest does that	17:22
bknudson	we should plan do to that in our functional tests.	17:23
lbragstad	bknudson: ++	17:23
rodrigods	stevemar, marekd, can I update a sp id?	17:24
stevemar	rodrigods, nope	17:24
rodrigods	thanks	17:24
* morganfainberg needs food and disappears for this magical thing and coffee... did i mention coffee?		17:24
*** aix has quit IRC		17:25
*** devlaps has joined #openstack-keystone		17:26
dstanek	bknudson: use jsonschema to validate responses in tests?	17:29
bknudson	dstanek: yes.	17:29
bknudson	makes sure the response doesn't change on us.	17:29
bknudson	especially tokens for example.	17:30
dstanek	bknudson: why would we not just assert what we expect the response to be?	17:30
bknudson	dstanek: that's what jsonschema does.	17:30
dstanek	bknudson: not really; it says i expect this thing and i'll be this data type. in tests i would rather be much stronger in our assertions	17:31
*** joesavak has quit IRC		17:32
bknudson	dstanek: some things might take a lot of work in assertions in python... like saying this field is an int or bool or string.... if you could put that in the JSON Schema it would be a quick check before getting to the interesting aspects of the response.	17:33
bknudson	it's easy to check for falsy, but checking if it's actually an empty string or actually the bool false, requires some work that could be handled by the json schema.	17:34
dstanek	bknudson: but i want to say this field should be equal to True, not that it's supposed to be a boolean	17:34
dstanek	or that i get a specific string back and not just any string	17:35
bknudson	y, you have to do that too.	17:35
bknudson	if you just check if a field is True then that might mean it's a non-zero number or a non-empty string.	17:36
*** fmarco76 has quit IRC		17:37
dstanek	i think you can get by without needing to do jsonschema; i couldn't even imagine the size of the schemas in the testing code	17:37
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add JSON schema validation for service providers https://review.openstack.org/163903	17:38
ayoung	morganfainberg, I just +2Aed https://review.openstack.org/#/c/142573/18 since it has 2 +1s from cores beyond me (they both touched the code) but if you want me to kaibosch it, tell me now and I will	17:38
openstackgerrit	ayoung proposed openstack/keystone: ignore unknown groups https://review.openstack.org/162788	17:38
*** iamjarvo has joined #openstack-keystone		18:00
*** dims__ has joined #openstack-keystone		18:03
*** dims__ has quit IRC		18:03
*** dims__ has joined #openstack-keystone		18:04
dstanek	dolphm, lbragstad: you guys are all about the classmethods	18:06
dolphm	dstanek: that's mostly me	18:06
*** dims_ has quit IRC		18:07
lbragstad	dstanek: I'm all about the class methods by way of building on dolphm's stuff	18:09
*** dims__ has quit IRC		18:09
*** edmondsw has joined #openstack-keystone		18:13
openstackgerrit	Merged openstack/keystone: Abstract the direct map concept into an object https://review.openstack.org/163569	18:17
samueldmq	dolphm, err.. 404 on your gist :/	18:26
dolphm	samueldmq: ?	18:26
*** samueldmq has left #openstack-keystone		18:26
*** afazekas has quit IRC		18:26
*** samueldmq has joined #openstack-keystone		18:26
dolphm	samueldmq: the link in the /topic works for me, if that's what you mean? updated 9 minutes ago	18:27
samueldmq	dolphm, ah, forget .. I think I edited the channel topic by myself in my irc client	18:27
samueldmq	dolphm, facepalm :/	18:27
dolphm	samueldmq: lol no worries. i moved the bot to it's own server so i won't mess with it unnecessarily	18:28
dolphm	samueldmq: should be pretty stable until we can turn it into a real site	18:28
samueldmq	dolphm, o/	18:28
samueldmq	dolphm, you uploaded the bot's code to git ?	18:29
* samueldmq would like to see how your bot works :)		18:29
*** htruta has joined #openstack-keystone		18:35
*** dims has joined #openstack-keystone		18:35
*** nellysmitt has joined #openstack-keystone		18:35
*** pnavarro\|off has quit IRC		18:45
*** chrisshattuck has joined #openstack-keystone		18:46
dolphm	samueldmq: it's just this configured to query for starred reviews in keystone https://github.com/dolph/launchpad/blob/master/patches_in_review.py and append the output to a markdown file	18:47
samueldmq	dolphm, nice, thanks! I like to see hacking things	18:48
ayoung	dolphm, just got this test failure with fernet http://paste.openstack.org/show/191906/	18:49
ayoung	is that a known issue?	18:50
dolphm	ayoung: that looks like the issue brant fixed a couple days ago - what's your system timezone?	18:50
ayoung	Easter I think	18:51
samueldmq	ayoung, lol daylight saving times	18:51
ayoung	Ha. Prolly	18:51
bknudson	ayoung: https://review.openstack.org/#/c/162489/	18:51
ayoung	Thu Mar 12 14:51:32 EDT 2015	18:51
bknudson	do you have that?	18:51
ayoung	bknudson, nope., was testing a different patch	18:52
ayoung	let me cherry pick	18:52
bknudson	I don't know why that appeared after the time change, but the fix was to work in utc.	18:53
ayoung	dolphm, with fernet tokens...if we disable "revoke on role change" type rules, we'll pick up the updated role assignments when the token is validated, right?	18:53
ayoung	I'm thinking specifically for groups. When a role assignment for a group changes, we have to invalidate a lot of tokens	18:53
ayoung	and we can't really do that for Federation, cuz we don't know group membership	18:54
dolphm	ayoung: test against master!	18:54
ayoung	IN this case, the tokens would still be valid, but they would not have the role assignments.	18:54
dolphm	ayoung: and yes	18:54
ayoung	Do you think that is the right approach? I don;t like the change of roles with the same token	18:55
ayoung	but I can't see a way around it	18:55
dolphm	ayoung: but events occurring when your authorization is reduced should trigger earlier cache invalidation so the new authorization takes effect faster	18:55
dolphm	(because you were forced to get a new token)	18:55
*** thedodd has joined #openstack-keystone		18:55
ayoung	would you be forced to get a new token?	18:56
ayoung	I don't think so, we have no link from group to the token	18:56
marekd	rodrigods: i voted.	18:56
dolphm	ayoung: depends on the enforcement of revocation events in keystonemiddleware	18:57
ayoung	dolphm, yeah, but lets assume that we are not doing that, and instead are doing just online validation, which I think is the norm	18:57
ayoung	we don't have revoke in the client yet	18:57
dolphm	ayoung: then it entirely depends on caching config in keystonemiddleware	18:58
ayoung	dolphm, right, but that is true anyways...I was just talking about initial validation	18:58
ayoung	I know tokens don't tend to get used more than once from the CLI, but from Horizon I could see it happening	18:59
dolphm	ayoung: then it's computed by keystone on that first validation	18:59
ayoung	dolphm, and cached?	18:59
dolphm	ayoung: not in keystone	18:59
ayoung	right...so on second validation, if the roles have updated, the token will show the update role assignments	18:59
dolphm	ayoung: you could - and should - put a cache in front of keystone	18:59
dolphm	ayoung: correct	19:00
dolphm	lbragstad: jorge_munoz: briancurtin: i get this with novaclient too - any timeline update for rackspace identity? https://github.com/rackspace/pyrax/issues/528	19:02
ayoung	I would think that the cache would need to be invalidated upon role assignment change.	19:02
dolphm	ayoung: that's where token revocation events should come into play	19:03
briancurtin	dolphm: last i heard that environment would be updated middle of this month	19:03
ayoung	dolphm, ok, then what is the right behaviour on group role-change: revoke tokens for all users in that group in the known identity sources?	19:04
dolphm	ayoung: role removal?	19:05
ayoung	dolphm, yeah...we have an outstanding bug for dealing with that	19:05
dolphm	ayoung: and token validation responses don't include groups?	19:06
ayoung	right...there is no way to see the groups for the user in the token...and I think we want to continue that patern, otherwise the fernet side of things will explode	19:06
dolphm	ayoung: that seems like the simplest solution	19:07
dolphm	ayoung: (adding an enumeration of groups to the token used to produce the included authorization)	19:07
ayoung	dolphm, on the PKI token side...the situation is worse	19:07
ayoung	there is no way to revoke the tokens for users that don't show up persisted in groups	19:07
ayoung	there, I could see the argument that we should have groups in the token	19:07
ayoung	and then process a revoke by group id	19:08
ayoung	dolphm, and...if we put the group id in the response, it would work for cached fernet tokens as well when we get to middleware side token revocation event checks	19:09
ayoung	but...we wouldn't have any way to add the groups to the Fernet tokens...cuz we don't record the group membership dangit	19:10
morganfainberg	zzzeek: so if I were to convert dogpile to using pymemcache would you want a transition period? Supporting both? Or not relevant.	19:14
morganfainberg	zzzeek: this is important because I need to fix something in keystonemiddleware soon. And I'd like to ditch some baaaaaaaaaad code for dogpile in the process	19:14
morganfainberg	ayoung: maybe we need a new class of revocation event: cache invalidate. It doesn't mean a token is bad, just don't rely on the cache. Then again that is mucking up what revocation events are ... Bah I don't like it as I type it.	19:16
ayoung	morganfainberg, still doesn't solve the problem	19:16
ayoung	morganfainberg, the issue is that a user has a role due to group membership, but that membership is only recorded in the assertion that came in, and the application of the mapping	19:17
morganfainberg	Not for pki. For fernet. And we could just wedge the group data in the. It would work.	19:17
morganfainberg	Then*	19:17
morganfainberg	or we could move to allowing for revocations on roles but that gets wonky to match on.	19:18
ayoung	morganfainberg, none of that works	19:18
morganfainberg	But an event per user in a group per role does.	19:18
ayoung	the onl;y thing that works is recording group membership somehow	19:18
morganfainberg	In federation it works for the group: so issue for group, then for any non federated users in group issue event for role if they don't still have the role (we can calculate that)	19:19
morganfainberg	It's not pretty but it would work.	19:19
ayoung	wha	19:19
ayoung	morganfainberg, a scoped fernet token does not have the groups in it	19:20
ayoung	only unscoped	19:20
ayoung	and more than one group can go in to the scoping of a token	19:20
*** rushiagr is now known as rushiagr_away		19:20
morganfainberg	Federation you mean? I thought marekd said all federation tokens had it.	19:20
ayoung	let me confirm	19:21
*** edmondsw has quit IRC		19:21
morganfainberg	We did this and I'm almost positive all federation tokens had roles.	19:21
morganfainberg	Erm groups	19:21
morganfainberg	Sorry.	19:21
morganfainberg	Groups	19:21
ayoung	morganfainberg, so when I hand in an unscoped token to get a scoped token, and that origianl unscoped token was a federation token, we add groups to it?	19:21
ayoung	THat is waht marekd seemed to say	19:22
morganfainberg	I think we maintain the groups in it. Not just add. So the scoped has the same group info as the unscoped.	19:22
morganfainberg	That was my understanding.	19:22
ayoung	I'd like to move toward a system where there is only "one" of anything...one role in a token, one group, etc...hierarchical	19:23
morganfainberg	That's not today though.	19:23
ayoung	nope	19:23
ayoung	buit would fix the max size of the tokens,	19:24
ayoung	so fdifferent revocation check for federated tokens then unfederated	19:24
morganfainberg	So let's stick with today issues for k3	19:24
ayoung	someone needs to write that	19:24
morganfainberg	We can't fix that this cycle.	19:24
marekd	ayoung: morganfainberg groups are essentially part of the user object in the fed tokens	19:24
ayoung	should be written as a backportable fix if someone decdies it is a security concern	19:25
morganfainberg	marekd: thought so.	19:25
morganfainberg	ayoung: won't be back ported.	19:25
morganfainberg	It's aassive amount of new code.	19:25
morganfainberg	Massive*	19:25
ayoung	morganfainberg, no, I mean revoke by group	19:27
ayoung	that would not be massive	19:27
ayoung	but won't happen for k3	19:27
morganfainberg	Ah right.	19:27
*** sigmavirus24 is now known as sigmavirus24_awa		19:27
morganfainberg	That is likely a bug more than a feature.	19:27
morganfainberg	Fwiw	19:27
*** sigmavirus24_awa is now known as sigmavirus24		19:28
lbragstad	dstanek: answer to your msgpack question http://cdn.pasteraw.com/gp45itmhposwmqljqdi75gysc72rv74	19:28
rodrigods	morganfainberg, so I want to write a migration to change sp_url and auth_url to not be nullable (https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/migrate_repo/versions/005_add_service_provider_table.py#L23-L27)	19:32
morganfainberg	rodrigods, what does the API say? i think it's reaosnable to do so	19:32
morganfainberg	API doc that is	19:32
rodrigods	morganfainberg, I created a bug regarding those fields being null	19:33
rodrigods	would break k2k auth	19:33
rodrigods	morganfainberg, need to update the API as well, right?	19:33
rodrigods	morganfainberg, my doubt regarding the migration is: since it merged in Kilo, do I need to take care of old data in db? and what should be the approach, a new migration script or a method to fix it in the __init__	19:34
openstackgerrit	Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	19:34
dstanek	lbragstad: that's what i thought	19:34
lbragstad	dstanek: we can wrap map with list() and it should work with both 2 and 3	19:34
lbragstad	dstanek: I posted responses here with traces with each https://review.openstack.org/#/c/160993/22/keystone/token/providers/fernet/token_formatters.py	19:35
bknudson	python 3 change map from a function to a constructor?	19:35
bknudson	https://docs.python.org/3.4/library/functions.html#map	19:36
bknudson	it's the same.	19:36
dstanek	bknudson: it's now am object	19:36
lbragstad	bknudson: yeah, map() returns an object	19:36
bknudson	ahh, ok.	19:36
lbragstad	versus always returning a list like it did in 2	19:36
*** iamjarvo has quit IRC		19:37
dstanek	they made it more list imap	19:37
bknudson	there's a six.map()	19:37
rodrigods	morganfainberg, the API doesn't say anything about being null https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#service-providers	19:37
rodrigods	or not null	19:37
lbragstad	bknudson: we just need it to be a list before passing to msgpack	19:38
bknudson	msgpack should take an iterator.	19:38
*** timcline has quit IRC		19:38
bknudson	maybe it needs the len	19:38
*** _cjones_ has quit IRC		19:39
lbragstad	bknudson: dstanek I checked the type returned from map in python 3 and is was of type `map`.	19:39
dstanek	lbragstad: yep, your list(map(...)) is what i do for code i'm converting	19:39
*** openstackgerrit has quit IRC		19:40
*** openstackgerrit has joined #openstack-keystone		19:40
*** iamjarvo has joined #openstack-keystone		19:42
morganfainberg	rodrigods, sounds like we should update the spec with the bug, but i'm in support of this change.	19:42
lbragstad	dstanek: do you want a comment added explaining why we're wrapping list(map()) ?	19:44
lbragstad	dstanek: on every occurrence?	19:44
dstanek	lbragstad: i don't	19:45
openstackgerrit	Merged openstack/pycadf: Remove empty _templates folder https://review.openstack.org/162428	19:45
openstackgerrit	Lance Bragstad proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	19:45
openstackgerrit	Lance Bragstad proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic https://review.openstack.org/162338	19:47
rodrigods	morganfainberg, ok... any suggestions about how to handle the db migration?	19:48
morganfainberg	rodrigods, standard db migrate, should be really easy	19:48
morganfainberg	rodrigods, you just alter the column to not_null, and make the controller/schema/etc enforce	19:48
iamjarvo	hi all, so my user now has access to the default domain. i can get back a token using curl. doesn't seem like i have access to anything else though. http://pastie.org/private/zw1kdbb1jowj9zn2pyvuq	19:49
rodrigods	morganfainberg, great, thanks	19:49
rodrigods	morganfainberg, the schema change is already submitted: https://review.openstack.org/#/c/163903/	19:50
morganfainberg	rodrigods, you'll need to do the API change saying these are not_null first.	19:50
morganfainberg	rodrigods, but that should be non-controversial	19:50
rodrigods	morganfainberg, of course, submitting now	19:50
stevemar	lhcheng, did you have to configure trusted_dashboards for sso too?	19:52
openstackgerrit	Lance Bragstad proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	19:53
openstackgerrit	Lance Bragstad proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	19:53
*** gokrokve_ has quit IRC		19:53
*** gokrokve has joined #openstack-keystone		19:54
rodrigods	morganfainberg, seems like the pattern in our API is to inform when it can be null, not the other way around. In this way, the API doc is already ok	19:55
iamjarvo	i also get this when trying to add a tenant keystone user-role-add --user cloud_admin --role admin --tenant admin	19:55
iamjarvo	WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).	19:55
iamjarvo	Conflict occurred attempting to store role grant - User 5251a786b4d90da09a5b045341e73ee12e162d3749bfe7e6d16b88710280c64a already has role 8eeaa452086142558ec3edd15d55ac2c in tenant d5b4f61c034b454ebd8db9c34cad8776 (HTTP 409)	19:55
*** gokrokve_ has joined #openstack-keystone		19:55
lbragstad	dstanek: as far as this comment goes, https://review.openstack.org/#/c/163601/6/keystone/token/providers/fernet/token_formatters.py would putting it in keystone/token/provider.py make sense?	19:55
dstanek	lbragstad: i'm really not sure	19:58
*** _cjones_ has joined #openstack-keystone		19:59
lbragstad	dstanek: I agree that it makes sense to put it with "auth" but not sure at the same time since token_formatters.py would be the only thing using it	19:59
*** gokrokve has quit IRC		19:59
dstanek	feels like maybe something keystone.auth.plugins would know - if you add a plugin you have to know about formatters too	19:59
lhcheng	stevemar: yeah. I had to add trusted_dashboards = http://<host>/auth/websso/	20:00
stevemar	lhcheng, cool cool	20:00
*** timcline has joined #openstack-keystone		20:00
stevemar	i wonder how badly that will mess up if using a proxy	20:00
lhcheng	stevemar: I assume horizon should be sending the hostname in front of load balancer. I think it will work.	20:03
ayoung	OK, test reporting is annoying...there is so much log spew I can't find the name of the test that failed, and the summary doesn't list it, and there is no good short circuit mechanism to stop on first failure	20:04
ayoung	this is hostile to me	20:04
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone. https://review.openstack.org/163878	20:06
lbragstad	dstanek: that makes sense, I'll see if I can put it in plugins.core	20:10
*** gordc has quit IRC		20:11
dstanek	lbragstad: i'm also worried that it's a little fragile; the numbers being what they are is significant, but i don't know if that shows in the code	20:11
iamjarvo	needed to add all the service users to the service project	20:12
lbragstad	dstanek: makes sense, the main thing that it needs to accomplish is preserving the info in methods_names into a small format that we can pack in the token.	20:12
lbragstad	dstanek: there's probably a better way to do that	20:12
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone. https://review.openstack.org/163878	20:13
dstanek	lbragstad: if nothing else it is definitely clever	20:14
zzzeek	morganfainberg: easy enough to add a pymemcache backend to dogpile? no need to “convert”	20:16
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix sending invalid query parameters to database https://review.openstack.org/163949	20:18
*** nellysmitt has quit IRC		20:22
rodrigods	marekd, stevemar, where do we test sql migrations related to federation? test_sql_migrate_extensions?	20:26
stevemar	yep	20:26
rodrigods	stevemar, thx	20:27
openstackgerrit	Lance Bragstad proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	20:33
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	20:33
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	20:35
morganfainberg	zzzeek, i was looking at if there is a win to keeping the awful, atrocious, terrible python-memcache at all	20:36
zzzeek	morganfainberg: well if people are using it i dont see the harm in keeping it as one of the options…	20:37
morganfainberg	zzzeek, i think the right answer is to supersede the old one with the pymemcache on eventually	20:38
morganfainberg	zzzeek, but yeah probably run both in paralell for a while at least.	20:38
morganfainberg	because it's going to make the thread.local issues go away.	20:38
morganfainberg	but i'll need to do some work to isolate it for the older python-memcache.	20:38
morganfainberg	zzzeek, i'll submit a new backend using pymemcache as a PR soonish	20:39
zzzeek	dogpile.cache.memcached and dogpile.cache.pymemcached, i dont see why we’d change it more than that, unless python-memcached is totally abandoned in some obivous way	20:39
morganfainberg	zzzeek, its pretty bad. not python3 compat, and has seen very litttle work	20:40
openstackgerrit	Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	20:40
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	20:40
morganfainberg	zzzeek, i'm getting the feeling it's just short of abandoned	20:40
zzzeek	morganfainberg: its still maintained: https://github.com/linsomniac/python-memcached and also that’s sean reifschneider who isn’t exactly a ghost….	20:40
morganfainberg	zzzeek, my experience talking with folks trying to work with them is it is really just short of abandoned	20:41
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix sending invalid query parameters to database https://review.openstack.org/163949	20:41
zzzeek	morganfainberg: OK. I sorta know-ish sean from pycons, would be curious to hear what he says	20:42
morganfainberg	zzzeek, but i haven't spent much time with it beyond it making some really bad assumptions and being hard to debug due to thr way the code is structured	20:42
morganfainberg	zzzeek, i'm relying on some folks who were trying to py3 enable it etc.	20:43
openstackgerrit	Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	20:43
openstackgerrit	Lance Bragstad proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	20:43
*** ljfisher has quit IRC		20:43
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix sending invalid query parameters to database https://review.openstack.org/163949	20:43
zzzeek	morganfainberg: is this because of the “its wrapped in a thread local “ thing?	20:43
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	20:44
morganfainberg	zzzeek, the move to pymemcache is because it is 1) already py3 friendly, 2) no thread.local issues, 3) code is well structured and easy to work with.	20:44
morganfainberg	zzzeek, unfortunately pymemcache guys didn't make it a drop-in replacement interface wise for python-memcache	20:44
morganfainberg	:(	20:44
morganfainberg	that is my biggest complaint	20:44
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	20:45
morganfainberg	delete_many vs delete_multi (for example)	20:45
morganfainberg	it's minor	20:45
morganfainberg	anyway, i'll post up some pymemcache love for dogpile soon™	20:47
morganfainberg	since i really want to move over to dogpile in keystonemiddleware.	20:47
morganfainberg	but solving some of these thread.local things in friendlier ways is important if i'm doing that work	20:48
morganfainberg	and python3.	20:48
*** ljfisher has joined #openstack-keystone		20:48
*** thedodd has quit IRC		20:50
marekd	morganfainberg: dogpile is some lib/wrapper for pymemcache? how do they correspond?	20:52
morganfainberg	marekd, dogpile is a wrapper for a lot of different caching/key-value-store wrappers	20:52
morganfainberg	marekd, memcache is just one of them.	20:52
morganfainberg	marekd, redis, file-based, in-memory dictionary, etc are all possible	20:52
morganfainberg	we even have a mongo driver in keystone's tree.	20:52
*** thedodd has joined #openstack-keystone		20:53
marekd	morganfainberg: thank you, sir!	20:53
*** thedodd has quit IRC		20:54
*** raildo has quit IRC		20:58
*** harlowja_ has quit IRC		21:03
*** samueldmq has quit IRC		21:03
*** harlowja has joined #openstack-keystone		21:04
jamielennox	ayoung: what we were talking about the other day in terms of a base federation plugin that can be used for kerb/x509: https://review.openstack.org/#/c/163271/	21:08
nkinder	jamielennox: cool	21:10
*** thedodd has joined #openstack-keystone		21:14
ayoung	jamielennox, so, do the ABC thing and I think that one is good	21:18
ayoung	personally, I don't care about ABC, but if we are going to use it, use it	21:18
*** samueldmq has joined #openstack-keystone		21:18
jamielennox	ayoung: yea, it'll need some tests as well - considering marekd's comment about another abstraction level	21:18
ayoung	I wonder, though, if we want to be able to overload the protocol paramter	21:18
ayoung	I don't think we need it	21:18
jamielennox	ayoung: i'm not sure, do we consider that standard (defined by the plugin) or a user param?	21:19
jamielennox	i like the idea of whatever we can remove from user control	21:19
ayoung	I think the plugin gives a default, but the user can set an override value for protocol	21:19
*** mattfarina has quit IRC		21:19
ayoung	for examle, there might be two different mappings, and the only way to trigger is to swap either idp or protocol	21:20
ayoung	so there might be kerberos and kerberos_modified	21:20
ayoung	more likely with SAML or X509 that provides more attributes to play with	21:20
ayoung	I could see there being something like that in the case of a cross realm trust	21:20
ayoung	its not pretty, but it would give the end deployer something to work with	21:20
ayoung	just a thought	21:21
ayoung	ok...gotta take my kid to an event. Back on line in a few	21:21
jamielennox	np	21:21
*** ayoung has quit IRC		21:24
marekd	jamielennox: actually param must be provided by a user.	21:30
*** emily__ has joined #openstack-keystone		21:31
jamielennox	marekd: param?	21:32
marekd	jamielennox: sorry, protocol.	21:32
jamielennox	ok - _must_ be?	21:32
jamielennox	as in there no point with the abstractproperty	21:32
*** timcline has quit IRC		21:32
jamielennox	my though was i'd make it accept both, given the class property = None and then override with a user property	21:33
marekd	jamielennox: yes, i just though of it again.	21:33
marekd	jamielennox: it's just...we don't explicitely say "if we use mod_shib the protocol object in keystone will have id 'saml2'"	21:33
marekd	it can have any name	21:33
jamielennox	marekd: we don't - should we?	21:33
jamielennox	this wouldn't be the only time we've defined these things, like service_type	21:34
jamielennox	it would only take us writing it into the docs	21:34
marekd	jamielennox: that's a more philosophical question whether we should hardcode protocol names. For now we allow users choose whatever name they want and it'd be hard to change it just like that.	21:34
jamielennox	marekd: ok - so don't offer the class property at all?	21:35
marekd	jamielennox: yeah, that's a good thing i think.	21:36
*** emily__ is now known as elowing		21:36
jamielennox	ok, i'll respin it	21:36
marekd	jamielennox: thanks.	21:36
jamielennox	marekd: i left a comment on the first one as well	21:36
marekd	jamielennox: link pls?	21:37
jamielennox	https://review.openstack.org/#/c/163259/2	21:37
jamielennox	so many tabs	21:37
jamielennox	marekd: and you think rename this to MappedBase or something	21:40
*** tqtran has quit IRC		21:40
jamielennox	i like the idea of removing the word 'federated' because it's not really true for all these cases	21:40
jamielennox	but it's all going through OS-FEDERATION so i don't know if it matters	21:40
marekd	It depends if for the kerb/x509 we are going to use faked idp/protocols (just to get mappings) or not. If not, then I propose a tree MappedBase, KerbAuth(MappedBase), X509Auth(MappedBase), FederatedBase(MappedBase), Saml2(FederatedBase), ADFS(FederatedBase)	21:44
*** tqtran has joined #openstack-keystone		21:44
jamielennox	what would FederatedBase provide that MappedBase didn't	21:45
marekd	There is an abstraction of IdP and Protocol in real federations, but I think there is none of it in technologies like Kerberos	21:45
stevemar	dstanek, i am not about to try out the entire steps for abfab	21:45
marekd	jamielennox: identity-provider, protocol for instance	21:45
jamielennox	marekd: there's not, however the only way to trigger these mappings and such at the moment is to mount them at /OS-FEDERATION/{idp}/protocol/{protocol}	21:46
dstanek	stevemar: i'm planning on it if i can get an easy to use IdP; i'm curious :-)	21:46
stevemar	dstanek, it might just use mod_shib	21:46
jamielennox	so we still need those values to build the url don't we?	21:46
dstanek	for an IdP?	21:46
stevemar	dstanek, i think ... maybe	21:47
marekd	jamielennox: we do, but if we find another way to actually fetch the mapping then we don't need it.	21:48
marekd	jamielennox: i imagine there will be only one mapping set for x509, right?	21:49
jamielennox	marekd: i don't know - i could imagine multiple x509 providers one per idp	21:49
jamielennox	marekd: let's look to pass this as federated for now, it's fairly easy to extract a subclass and maintain compatibility	21:50
marekd	jamielennox: yes.	21:50
jamielennox	marekd: we can discuss at summit or somewhere how we can make the mapping engine more central, so it doesn't need {idp} and {protocol} params	21:50
marekd	so I'd rename to MappedBase and inherit everything from it.	21:51
jamielennox	it's going to take some time to get to the point where kerberos and x509 are there	21:51
marekd	jamielennox: why?	21:51
jamielennox	i guess it's just testing	21:51
jamielennox	we were talking about this because i don't really like kerberos being mounted at /krb	21:52
jamielennox	i'd prefer it work just like any other apache based plugin	21:52
marekd	aha	21:52
jamielennox	and that blog that ayoung did the other day, he had it hacked up so that he was using kerberos, but triggering the mapping plugin via the 'method'	21:52
marekd	understand.	21:53
marekd	jamielennox: ok, i am going to bed now. I will take a look at it tomorrow.	21:53
marekd	bye	21:53
*** marekd is now known as marekd\|away		21:53
jamielennox	marekd: cya	21:53
*** bknudson has quit IRC		21:55
morganfainberg	nkinder, ping: re https://bugs.launchpad.net/keystone/+bug/1408845	21:59
openstack	Launchpad bug 1408845 in Keystone "Disabling user in ldap breaks user-list for project" [Undecided,New]	21:59
morganfainberg	nkinder, can we confirm / see what is going on there?	22:00
nkinder	morganfainberg: let me check it out...	22:00
morganfainberg	nkinder, thanks	22:00
nkinder	morganfainberg: my guess is that 'keystone user-list' actually does multiple operations	22:01
morganfainberg	nkinder, i'm sure it does	22:01
morganfainberg	in really scary ways	22:01
nkinder	it does a user list call, but they likely makes another call per user (and one doesn't like disabled users it seems)	22:01
*** sigmavirus24 is now known as sigmavirus24_awa		22:02
nkinder	perhaps a call to show roles assigned to the user or something similar	22:02
morganfainberg	nkinder, i'm in bug triage mode, so hitting the people who know more about bugs than I.	22:02
morganfainberg	s/bugs/systems in question/	22:02
*** harlowja has quit IRC		22:02
*** harlowja has joined #openstack-keystone		22:04
nkinder	morganfainberg: my testbed is torn down right now, but I can try this out a bit later	22:05
morganfainberg	nkinder, sounds good	22:05
morganfainberg	oh marvelous... LP is timing out all requests now	22:10
* morganfainberg sighs.		22:10
*** chrisshattuck has quit IRC		22:10
morganfainberg	this is why we can't have nice things .	22:11
*** chrisshattuck has joined #openstack-keystone		22:11
*** elowing has quit IRC		22:24
samueldmq	morganfainberg, the bug reporter said a workaround would be remove the use rrole assignment from user_project_metadata	22:24
samueldmq	morganfainberg, it was the old assignment tables ... we had a script to add assignment table (as it is today) in juno	22:25
morganfainberg	sure.	22:25
samueldmq	morganfainberg, 038 and 039	22:25
morganfainberg	except disabling a user shouldn't break anything and removing assignments would be very bad on a disable	22:26
samueldmq	morganfainberg, so he is using a version older than juno ...	22:26
morganfainberg	and wer need to be sure it doesn't still remain broken	22:26
morganfainberg	if it's still broken, then we need to address it	22:26
samueldmq	morganfainberg, need me to dig a bit on this?	22:27
morganfainberg	or nkinder can.	22:27
morganfainberg	someone just needs to confirm if it's still an issue	22:27
morganfainberg	unfortunately i don't have a test bed for that type of testing handy atm.	22:27
nkinder	yeah, I'm building one right now	22:27
morganfainberg	samueldmq, don't worry about it then. nkinder will have it :)	22:27
samueldmq	morganfainberg, nkinder ok then :)	22:28
samueldmq	morganfainberg, nkinder let me know any news, I can work on the fix (if needed, and nkinder is not going to grab it)	22:28
* samueldmq is curious to understand what's happening there .. :/		22:29
openstackgerrit	Merged openstack/keystone: Adding utf8 to federation tables https://review.openstack.org/159803	22:30
morganfainberg	jamielennox, is https://bugs.launchpad.net/python-keystoneclient/+bug/1420118 still a thing or are we keeping that stuff in ksc's tree?	22:31
openstack	Launchpad bug 1420118 in python-keystoneclient-kerberos "Break out the federation plugin" [Undecided,New]	22:32
jamielennox	morganfainberg: it can be repurposed	22:32
morganfainberg	so, i can close that bug	22:32
jamielennox	morganfainberg: i'm going to bring the base plugin into ksc, then do a ksc-saml or whatever marekd\|away wants to call it	22:32
morganfainberg	and i should kill off the keystoneclient-federation project?	22:32
jamielennox	probably, yea	22:32
morganfainberg	ok	22:32
jamielennox	we are going to need a saml one anyway so you could rename it all if that's easier	22:33
jamielennox	but ask marek what he wants it called	22:33
morganfainberg	stevemar, ping https://bugs.launchpad.net/python-keystoneclient/+bug/1379872 is that... still a thing or is this something else [we don't have extensions]	22:35
openstack	Launchpad bug 1379872 in python-openstackclient "can't list extensions for v3 keystone client" [Low,Confirmed]	22:35
openstackgerrit	Merged openstack/keystone: Implements whitelist and blacklist mapping rules https://review.openstack.org/142573	22:35
*** csoukup has quit IRC		22:35
*** ljfisher has quit IRC		22:37
morganfainberg	jamielennox, is this as easy a fix as it looks: https://bugs.launchpad.net/python-keystoneclient/+bug/1420791 ?	22:37
openstack	Launchpad bug 1420791 in python-keystoneclient "python keystoneclient misreports connection error reason" [Undecided,New]	22:37
jamielennox	ugh, i hate that one - that's a mistake from the guys who did all that apiclient stuff	22:38
jamielennox	when they renamed all the exceptions - there's another one like it	22:38
jamielennox	i had it fixed as part of another review which i had to drop	22:38
jamielennox	but yes - pretty much	22:38
stevemar	morganfainberg, i'll kill the bug	22:39
stevemar	lhcheng, o/	22:39
*** thedodd has quit IRC		22:39
stevemar	lhcheng, do you remember what we set 'remote_id' to yesterday?	22:39
stevemar	for the idp?	22:39
*** dims_ has joined #openstack-keystone		22:46
*** dims has quit IRC		22:46
*** r-daneel has quit IRC		22:48
lhcheng	stevemar: accounts.google.com	22:50
*** ayoung has joined #openstack-keystone		22:50
*** ChanServ sets mode: +v ayoung		22:50
stevemar	same as the idp id eh	22:50
stevemar	lhcheng, get ready to review some docs!	22:52
lhcheng	stevemar: yeah, that makes sense, since that's the same value we used to lookup the IdP	22:52
lhcheng	stevemar: sure, I'll be happy to	22:53
*** arunkant_ has quit IRC		22:56
ayoung	Hey guys, send the reviews my way. If you don't add me to a review, I don't know that it is pressing.	22:56
stevemar	ayoung, this one is sso specific, does that tickle your fancy?	22:57
ayoung	fire way	22:57
stevemar	i was going to only add lhcheng since we were playing around with it last night	22:57
ayoung	stevemar, you trying to make K3?	22:57
ayoung	stevemar, just logged back in...what is the review?	22:58
ayoung	don't make me go to evesdrop	22:58
stevemar	ayoung, the code for keystone is actually merged	22:59
stevemar	the horizon code is almost there, a few more ui tweaks	22:59
*** ljfisher has joined #openstack-keystone		22:59
ayoung	stevemar, you talking a bout https://review.openstack.org/#/c/151842/	22:59
ayoung	I'm on that one alreay, was just looking at it	22:59
stevemar	ayoung, i haven't pushed it upstream yet :)	22:59
stevemar	this is purely docs	23:00
ayoung	stevemar, my shout out was a generic shout for review requests, not specific to you	23:00
*** dims_ has quit IRC		23:00
stevemar	ayoung, yep!	23:00
stevemar	i knows, just making convo :)	23:00
*** dims has joined #openstack-keystone		23:00
openstackgerrit	Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	23:01
openstackgerrit	Steve Martinelli proposed openstack/keystone: Document websso setup https://review.openstack.org/164012	23:02
stevemar	lhcheng, ayoung ^	23:02
openstackgerrit	Steve Martinelli proposed openstack/keystone: Document websso setup https://review.openstack.org/164012	23:02
lhcheng	stevemar: thanks!	23:03
stevemar	gah! whitespace error -_-	23:03
ayoung	stevemar, make sure you add the people you want as reviewers.	23:03
*** dims has quit IRC		23:05
*** ayoung has quit IRC		23:07
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add a FederatedBase v3 plugin https://review.openstack.org/163271	23:17
openstackgerrit	Bob Thyne proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware https://review.openstack.org/153296	23:17
*** chrisshattuck has quit IRC		23:31
morganfainberg	dstanek, lbragstad, for https://review.openstack.org/#/c/162031/16/keystone/token/providers/fernet/token_formatters.py what are the real blockers before we can +2 it?	23:32
morganfainberg	because we are at the wire. lets either propose fixes on the end of the chain or be clear what we're ok with vs what we're not.	23:33
morganfainberg	sorry the whole patchset no just that file	23:33
dstanek	morganfainberg: i think the issues can be fixed in follow up patches	23:34
dstanek	morganfainberg: the only thing that bothers me is the commented out lines on https://review.openstack.org/#/c/162031/16/keystone/tests/unit/test_v3_auth.py	23:34
morganfainberg	dstanek, ok that is my opinion as well, we can strip those in a followup though [and we should remove them]	23:35
morganfainberg	let me propose that	23:35
dstanek	morganfainberg: dolphm's comment seemed to indicate that they should be there, but just aren't working	23:36
morganfainberg	then they should be re-added afterwards.	23:36
morganfainberg	or they need to be fixed	23:36
morganfainberg	commented out = wrong	23:36
morganfainberg	#TODO for each one is also not correct	23:37
dstanek	morganfainberg: if they should be fixed then i vote we do it asap - i haven't run the code yet to see why it's broken	23:37
morganfainberg	dstanek, yeah	23:37
morganfainberg	dstanek, my opinion is we weren't doing those before	23:37
morganfainberg	they shouldn't be a hard requirement now	23:37
morganfainberg	so lets strip them out and propose that they are re-added as a followup and we can work on fixing it	23:38
dstanek	morganfainberg: i can propose a fix if you aren't already doing it	23:40
morganfainberg	dstanek i was going to do it as a 2-fer, 1 remove those frm that patch, and 2 new patch re-adding them not commented out	23:40
morganfainberg	dstanek, already working on it.	23:40
*** david-lyle is now known as david-lyle_afk		23:41
dstanek	morganfainberg: ok, ping me when you push; i'll be around, but probably not watching chat	23:41
morganfainberg	dstanek, anything else we need to fix? or otherwise we're good?	23:42
dstanek	morganfainberg: i think everything else can be fixed later	23:42
dstanek	morganfainberg: it was really a bad comment and i didn't like the classmethod design	23:43
morganfainberg	no worries	23:43
*** iamjarvo has quit IRC		23:50
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	23:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add in further token validation in v3_auth tests https://review.openstack.org/164026	23:52
morganfainberg	dstanek, ^	23:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	23:54
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic https://review.openstack.org/162338	23:54
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	23:54
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	23:54
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Allow methods to be carried in Fernet tokens. https://review.openstack.org/163601	23:54
dstanek	morganfainberg: did you see https://bugs.launchpad.net/keystone/+bug/1431434 ?	23:54
openstack	Launchpad bug 1431434 in Keystone "user creation with fernet tokens results in 401" [High,New]	23:54
morganfainberg	dstanek, yes and dolph indicated it would be affected by these changes	23:55
morganfainberg	considering fernet wasn't fully finished when that bug was filed, i'd like to revisit as we get into the chain	23:55
dstanek	morganfainberg: does affected mean fixes or broken?	23:55
morganfainberg	dstanek, might be fixed, might be different broken	23:55
dstanek	morganfainberg: ah, ok. it would be awesome if boris could have provided a test!	23:56
morganfainberg	dstanek, yeah, thats why i think i don't want to dig too far until we have more code landed	23:56
*** gyee has joined #openstack-keystone		23:56
*** ChanServ sets mode: +v gyee		23:56
morganfainberg	dstanek, with a test it would be easy to do, but lets circle back on it	23:56
dstanek	morganfainberg: i'm fine with https://review.openstack.org/#/c/162031/17 as is. do you want me to hold a +2 until you do another pass?	23:58
morganfainberg	nah	23:58
morganfainberg	you can +2, i'm just doing a quick check to make sure i didn't miss anything before i +2A it	23:58
morganfainberg	if there is another +2 on it	23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!