Wednesday, 2015-04-22

[00:00] <morganfainberg> and v3 is so wildly different you can't even use similar cli args
[00:00] <bknudson> OS_VOLUME_API_VERSION=1 openstack server create --image cirros-0.3.2-x86_64-uec --flavor 1 blktest1
[00:00] <morganfainberg> not the warning
[00:00] <morganfainberg> the endpoint create error
[00:00] <bknudson> oh.
[00:00] <morganfainberg> interface *must* be "internal" "public" or "admin"
[00:01] *** amerine has quit IRC
[00:01] <morganfainberg> and we accept some wacky different params for v2.
[00:01] <morganfainberg> --region RegionOne --publicurl http://172.16.30.15:9292 --adminurl http://172.16.30.15:9292 --internalurl
[00:02] *** markvoelker has joined #openstack-keystone
[00:02] <bknudson> morganfainberg: http://developer.openstack.org/api-ref-identity-v2-ext.html
[00:02] <bknudson> see /v2.0/tenants/{tenantId}/OS-KSCATALOG/endpoints
[00:03] <morganfainberg> i..
[00:03] <bknudson> I wonder what /v2.0/OS-KSCATALOG/endpointTemplates is?
[00:03] <morganfainberg> wtf?
[00:03] <morganfainberg> i mean..
[00:03] <bknudson> endpoint for v3 is different -- http://developer.openstack.org/api-ref-identity-v3.html
[00:03] <morganfainberg> really?!
[00:04] <morganfainberg> yeah
[00:04] <morganfainberg> the OS-KSCATALOG thing
[00:04] <morganfainberg> wow.
[00:04] <morganfainberg> i don't think i've ever looked at that.
[00:04] <bknudson> quit looking into the abyss.
[00:05] <morganfainberg> i'm trying to fix devstack so it'll stand up a devstack based on v3 keystone api
[00:05] <morganfainberg> well *only* v3 keystone api
[00:05] <bknudson> nice!
[00:05] <bknudson> is there a switch for one or the other?
[00:05] <bknudson> I thought there was a version option
[00:06] <morganfainberg> it'll be changing IDENTITY_API_VERSION to v3
[00:06] <morganfainberg> or = 3 that is
[00:06] <morganfainberg> vs 2.0
[00:06] <bknudson> I've got a TODO on my list to change devstack so it won't try to make a /v3 identity endpoint
[00:06] <morganfainberg> so i'm chasing down all the hard-coded stuff
[00:07] <bknudson> there's an option for which to make and since we never run with /v3 it makes no sense to allow it
[00:07] <morganfainberg> i figure if we can standup a v3 devstack then i can put an experimental dsgate job in that we can execute that is v3 disabled
[00:07] <bknudson> and we've got jerks here who keep saying they should be able to put /v3 in their catalog.
[00:07] <morganfainberg> and we can chase down what is actually broken
[00:07] <morganfainberg> i think there is 1 thing left in openstack that breaks v3-only [with v2 disabled]
[00:07] <morganfainberg> and that is heat.
[00:07] <morganfainberg> i *think*
[00:07] <bknudson> neutron works?
[00:08] <morganfainberg> jamielennox did a fix for that
[00:08] <morganfainberg> haven't gotten far enough to try running tempest
[00:08] <bknudson> it didn't work for us to set /v3 for the endpoint.
[00:08] <morganfainberg> step 1: make v3 standup cleanly
[00:08] <bknudson> but then our python-keystoneclient was really backlevel.
[00:08] <morganfainberg> step 2: provide function to disable v2
[00:08] <morganfainberg> step 3: ???
[00:08] <morganfainberg> step 4: profit
[00:08] <bknudson> steal underpants
[00:08] <morganfainberg> yes!
[00:08] *** markvoelker has quit IRC
[00:09] <morganfainberg> bknudson, so OS-KSCATALOG doesn't exist in our codebase
[00:09] <morganfainberg> fwiw
[00:09] <bknudson> what's the API then?
[00:09] <morganfainberg> dead :P
[00:09] <bknudson> how is devstack creating endpoints?
[00:10] <jamielennox> i did a bunch of fixes for tempest - i was doing them in conjunction with v3 policy and allowing tempest to get a domain scoped token
[00:10] <morganfainberg> i think openstackclient is doing something wrong
[00:10] <jamielennox> that's not finished yet - i haven't tried with the standard policy for ages
[00:10] <morganfainberg> where v2 = different CLI arguments when it shouldn't be.
[00:10] <morganfainberg> jamielennox, yeah i figure we should be able to run openstack w/ stupid policy but v3
[00:11] <morganfainberg> jamielennox, everything can live in default domain. just able to turn v2.0 off
[00:11] <morganfainberg> jamielennox, then we can deprecate v2.0 and work on solving issues like tempest v3 and better default policy
[00:11] <jamielennox> right
[00:13] <morganfainberg> dtroyer, halp. why does osc change behavior on arguments for endpoint create between v2 and v3?
[00:13] <morganfainberg> dtroyer, this looks like a bug/incorrect behavior. it's the same API extension in keystone
[00:14] <morganfainberg> http://paste.openstack.org/show/205039/
[00:14] *** samueldmq has quit IRC
[00:14] <morganfainberg> i wonder how many other commands are going to get horked up
[00:15] <jamielennox> morganfainberg: the way endpoints are defined changes between v2 and v3
[00:15] <morganfainberg> jamielennox, really?
[00:15] <jamielennox> service becomes a more important thing in v3, then an endpoint has an interface, whereas in v2 endpoint has public, internal and admin urls
[00:16] <morganfainberg> jamielennox, because afaict we don't have a V2 CRUD for creating a catalog.
[00:16] <jamielennox> you don't create a catalog
[00:16] <jamielennox> you create services and endpoints
[00:16] <morganfainberg> for creating endpoints and the like
[00:17] <bknudson> http://www.amazon.com/Port-Authority-J790-Glacier-X-Large/dp/B0036XH14Q/ref=sr_1_10_mc?s=apparel&ie=UTF8&qid=1429654781&sr=1-10
[00:17] <bknudson> oops
[00:17] <bknudson> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/controllers.py#n93
[00:17] <morganfainberg> i'm just not seeing it wired up.
[00:17] <jamielennox> bknudson: looks good
[00:17] <bknudson> that's the create_endpoint in controller
[00:17] <bknudson> I will look good.
[00:17] <morganfainberg> bknudson, right. i'm not seeing routes.
[00:18] <bknudson> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/admin_crud/core.py#n204
[00:18] <morganfainberg> ah we do it in that annoying thing
[00:18] <morganfainberg> ok
[00:18] <jamielennox> ooo, admin_crud - i always forget to look there
[00:18] <morganfainberg> crap.
[00:19] <morganfainberg> rm -rf contrib/admin_crud
[00:19] <morganfainberg> oops
[00:19] <bknudson> over the weekend I ordered a screen protector from amazon and it was $0.01
[00:19] <bknudson> I didn't think you could get anything for 1c
[00:20] <morganfainberg> ok looks like i need to special case this whole creation bit.
[00:20] <bknudson> you could change the openstack CLI to take the same params for v3
[00:21] <morganfainberg> it probably should be able to
[00:21] *** alexsyip has quit IRC
[00:21] <bknudson> that would make it easier
[00:22] <morganfainberg> unfortunately
[00:23] <morganfainberg> this is not something i can assume is fixed, so need to special case it in devstack
[00:23] <morganfainberg> if it gets better we can fix it down the line in devstack too
[00:23] <bknudson> If you can't assume support of openstack commands then can you assume the openstack command is even there?
[00:23] <morganfainberg> well i don't want to assume something magical from the future
[00:23] *** _cjones_ has quit IRC
[00:24] *** david-lyle has quit IRC
[00:24] *** tqtran has quit IRC
[00:27] *** david-lyle has joined #openstack-keystone
[00:33] <bknudson> looks like even auth_token middleware uses persistent connections to keystone
[00:35] <jamielennox> bknudson: if you are maintaining your session object then you should get connection pooling
[00:49] *** alexsyip has joined #openstack-keystone
[01:00] *** browne has quit IRC
[01:02] *** ayoung has joined #openstack-keystone
[01:02] *** ChanServ sets mode: +v ayoung
[01:10] *** iamjarvo has joined #openstack-keystone
[01:10] *** iamjarvo has quit IRC
[01:10] *** iamjarvo has joined #openstack-keystone
[01:11] *** alexsyip has quit IRC
[01:12] *** gyee has quit IRC
[01:22] *** lhcheng has quit IRC
[01:24] *** _cjones_ has joined #openstack-keystone
[01:32] *** rushil has quit IRC
[01:35] *** spandhe has quit IRC
[01:38] *** erkules_ has joined #openstack-keystone
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/174202
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/174201
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Base use webob  https://review.openstack.org/174200
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building  https://review.openstack.org/174199
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation  https://review.openstack.org/174198
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking  https://review.openstack.org/174197
[01:39] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache  https://review.openstack.org/174196
[01:40] *** erkules has quit IRC
[01:41] <ayoung> leonchio_, you around?
[01:41] <ayoung> lets talk tokenless
[01:42] *** iamjarvo has quit IRC
[01:42] *** deep has joined #openstack-keystone
[01:43] *** davechen has joined #openstack-keystone
[01:48] <deep> morganfainberg: hey
[01:48] *** zzzeek has quit IRC
[01:48] <morganfainberg> deep: hi. About to drop off for about an hour or two.
[01:49] <ayoung> morganfainberg, am I being hard headed in insisting that the tokenless auth and the X509 aspect be split?
[01:49] <deep> morganfainberg: Hi Morgan, had a very quick question. Can catch you later too.
[01:49] <ayoung> I mean, I agree that his use case will be the most common.
[01:50] <morganfainberg> deep: if you ask I can respond when I am done.
[01:50] <morganfainberg> ayoung: not impossible. Will think while at the gym on that.
[01:50] <ayoung> morganfainberg, thanks
[01:53] *** jamesllondon has quit IRC
[01:54] *** zzzeek has joined #openstack-keystone
[01:54] *** zzzeek has quit IRC
[01:54] *** jamesllondon has joined #openstack-keystone
[01:55] <deep> can a domain admin not get a list of projects for a given user? I keep on getting a 403 error even though I have an updated policy.json file with the right authorization. I am using the following API: /keystone/v3/users/<userid>/projects.
[01:56] *** stevemar has joined #openstack-keystone
[01:56] *** ChanServ sets mode: +v stevemar
[01:58] *** davechen1 has joined #openstack-keystone
[02:00] *** davechen has quit IRC
[02:01] *** browne has joined #openstack-keystone
[02:01] *** markvoelker has joined #openstack-keystone
[02:02] *** darrenc is now known as darrenc_afk
[02:03] *** harlowja is now known as harlowja_away
[02:04] *** deep has quit IRC
[02:08] *** _cjones_ has quit IRC
[02:16] <ayoung> deep hmmm
[02:16] *** darrenc_afk is now known as darrenc
[02:33] *** iamjarvo has joined #openstack-keystone
[02:33] *** iamjarvo has quit IRC
[02:34] *** iamjarvo has joined #openstack-keystone
[02:39] *** jamielennox is now known as jamielennox|away
[02:54] *** spandhe has joined #openstack-keystone
[03:01] *** lhcheng has joined #openstack-keystone
[03:01] *** ChanServ sets mode: +v lhcheng
[03:07] <morganfainberg> ayoung: I think this is a known issue with the policy file (cc deep)
[03:07] <morganfainberg> Ah deep left.
[03:07] <ayoung> yeah
[03:09] <morganfainberg> So. Re tokenless auth separate from x509
[03:09] <morganfainberg> I think it's fine to couple them as long as it is designed in a way that x509 is not the only way to do it. X509 is the first method that is supported.
[03:10] <morganfainberg> Without the x509 use case it's hard to justify the work. But it shouldn't be the only usable method with tokenless.
[03:10] <morganfainberg> The design needs to be modular out the door
[03:11] <morganfainberg> ayoung: that in line with your thoughts?
[03:11] <ayoung> morganfainberg, sort of
[03:11] <ayoung> I'd say x509 and Kerberos are about equal in demand
[03:12] <ayoung> you can use a Keytab with Kerberos and get the same type of behavior
[03:12] <ayoung> and...for UserID password, I'd like to see Basic-Auth
[03:12] <ayoung> I'm not 100% certain how that would work, but I suspect mod_auth_mysql or sumtin
[03:14] <ayoung> and then we would have a story regardless of the auth mechanism, for treating all service users the same way
[03:20] *** richm has quit IRC
[03:27] *** iamjarvo has quit IRC
[03:28] <ayoung> http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
[03:31] <morganfainberg> Anyway. Modular to begin with so x509 is the first supported but easy to add others.
[03:32] <morganfainberg> Again, I see this as a variation on a theme we call federation.
[03:32] <morganfainberg> Same basic tool chains. Apache passes some data down to us, we consume it and map to a user
[03:46] <ayoung> morganfainberg, the issue is, I think, that the mapping code should probably be reused to do the X509 to Keystone translation. The code I looked at was not doing that.
[03:46] <morganfainberg> That was the direction we had originally agreed on afaicr
[03:47] <morganfainberg> Sooooo... Let's revisit. Was the spec moved forward to Liberty yet?
[03:47] * morganfainberg thought it ended in the backlog.
[03:51] <ayoung> http://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/backlog/keystone-tokenless-authz-with-x509-ssl-client-cert.rst  morganfainberg
[03:51] <morganfainberg> yep
[03:51] <morganfainberg> so that needs to move from backlog to liberty
[03:51] <morganfainberg> and we should revisit to ensure it's doing the right thing
[03:52] <ayoung> morganfainberg, I think we need to make a clean distinction between X509 and tokenless. We want to be able to use X509 for regular token ops too
[03:52] <ayoung> the X509 for token *should* work but I don't know if anyone has tested it
[03:53] <ayoung> if it works to get a Federated unscoped token, it should work against Keystone in general. Right?
[03:56] <morganfainberg> ayoung, should
[03:56] <ayoung> OK, I was wrong
[03:56] <ayoung> https://review.openstack.org/#/c/156870/24/keystone/common/tokenless_auth.py,cm
[03:57] <ayoung> I missed this file completely, they are using federation and mapping
[03:57] <morganfainberg> looks like it's doing exactly what we asked.
[03:57] <morganfainberg> cool
[03:57] <ayoung> GAH...they suck at naming
[03:57] <ayoung> tokenless_auth_helper?
[03:58] <morganfainberg> hah
[03:58] * stevemar admits that he suggested that name
[03:58] <morganfainberg> oh LOOK i disabled the craptacular wifi on the ATT router
[03:58] <ayoung> it's another place that should be using the access info
[03:58] <morganfainberg> and my latency goes from 1000-1500ms to 200
[03:58] <ayoung> schweet
[03:58] <morganfainberg> they keep remotely re-enabling it
[03:59] <ayoung> I have the same issues with wifi, tend to use the cat5 wherever available
[03:59] <morganfainberg> because they keep trying to fix my broken phone line
[03:59] * morganfainberg has to run wifi
[03:59] <ayoung> stevemar, Helper is not a good class name
[03:59] <morganfainberg> but i use a router that isn't a POS
[03:59] <ayoung> stevemar, It should be MappedAuthBuilder or something like that
[04:00] <morganfainberg> ayoung, MappedAuthBuildingHelperSpecialClassyLikeThingAMerjigger
[04:00] <ayoung> morganfainberg, needs more cowbell
[04:01] <ayoung> MappedAuthBuildingHelperSpecialClassyLikeThingWITHCOWBELLAMerjigger
[04:01] <stevemar> ayoung, it was just something i thought of, the original code was not the prettiest
[04:01] <ayoung> OK, have to admit I am not going to get ECP working tonight
[04:01] <morganfainberg> https://youtu.be/8Ix7jqxXQ2I?t=17 ?
[04:02] <ayoung> stevemar, have you looked at the unified access info builder? It is designed for this kind of use case
[04:02] <ayoung> It would be a Director, actually
[04:02] <ayoung> MappedAccessDirectory?
[04:03] <ayoung> https://review.openstack.org/#/c/138519/19/keystoneclient/models/builder.py,cm
[04:03] <ayoung> heh Directory....muscle memory
[04:03] <stevemar> it also needs docstrings for the class
[04:05] <stevemar> ayoung, oh, i *didn't* suggest that name
[04:05] <stevemar> huzzah
[04:05] <ayoung> Heh
[04:05] <ayoung> I like where they are headed, though
[04:05] <stevemar> i just suggested to put it in its own class
[04:05] <stevemar> err... own file
[04:06] <stevemar> module, whatever the heck python calls it
[04:06] <ayoung> we need to get access info merged
[04:06] <ayoung> I'll loop back around on that here shortly.
[04:06] <stevemar> alrighty
[04:07] *** lhcheng has quit IRC
[04:09] <ayoung> stevemar, http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/unit/v3/test_auth_saml2.py#n101  what is the identity provider URL supposed to be here?
[04:09] <ayoung> the test code doesn't make it clear
[04:09] <ayoung> self.IDENTITY_PROVIDER_URL = 'http://local.url'
[04:10] <marekd> ayoung: you can try using ksc and possibly plugin https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L88
[04:10] <ayoung> marekd, I have an IdP all set up. Works with websso, just got ecp support enabled, and what are you doing up?
[04:11] <ayoung> marekd, so I was trying to follow the code that the test does
[04:11] <stevemar> marekd !!
[04:12] <stevemar> we haven't had a late night chat in so long
[04:12] <marekd> stevemar: now it's my turn to stay late.
[04:14] <ayoung> marekd, is there some special suburl for the IdP?
[04:15] <marekd> ayoung: sec.
[04:16] *** joesavak has joined #openstack-keystone
[04:17] *** iamjarvo has joined #openstack-keystone
[04:19] <ayoung> OK..in the webSSO it should not be anything on the idp, as Keystone is supposed to do the redirect...in the ECP case, do we go to the IdP first and make a response? Is this the URL we need here, something on the IdP ECP? Can we get this out of the metadata?
[04:20] <ayoung> http://ecp.cloudlab.freeipa.org:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth/mellon/metadata
[04:21] <marekd> ayoung: so it's something like: https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP for the shibboleth
[04:21] <ayoung> marekd, ok...that looks familiar
[04:21] <ayoung> in the sp metadata I have
[04:22] <ayoung> http://ecp.cloudlab.freeipa.org:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth/mellon/ECP
[04:22] <ayoung> would it make sense to go there? and then get redirected?
[04:22] <ayoung> nah..needs a post.
[04:23] <marekd> wait wait.
[04:24] <marekd> ayoung: looks like we are talking different things now.
[04:24] <ayoung> I think my IdP might be misconfigured. We were battling this
[04:24] <ayoung> no, I am just behind
[04:24] <marekd> first of all ecp.cloudlab.freeipa.org is your keystone-sp, right?
[04:24] <marekd> with mod_mellon and so on.
[04:24] <ayoung> this is internal, but yes
[04:25] <ayoung> ecp is keystone, ipa.... is IdP
[04:25] <ayoung> I think the Ipa is misconfigured. I hit a different Ipsilon server and it responded on
[04:25] <ayoung> https://hostname/idp/saml2/SOAP/ECP
[04:25] <ayoung> I think we were hardcoding something...I think I know how to fix...1 sec
[04:29] *** sdake has joined #openstack-keystone
[04:29] *** joesavak has quit IRC
[04:32] *** sdake_ has joined #openstack-keystone
[04:32] <marekd> ayoung: auth url for keystone-sp would be /OS-FEDERATION/identity_providers/{identity_provider}/protocols/{protocol}/auth
[04:33] <marekd> so skip /mellon/ECP part from your auth url.
[04:33] <ayoung> marekd, but that gets built by the saml plugin from just the auth url
[04:33] <ayoung> marekd, let me paste
[04:33] *** sdake has quit IRC
[04:33] <ayoung> http://paste.openstack.org/show/205047/
[04:36] <marekd> ayoung: let me get back in an hour or so, need to get to work now (email if you are not here then).
[04:36] <ayoung> marekd, I need to go to bed
[04:37] <ayoung> I won't be up in an hour or so...but tomorrow I will have people I can ask
[04:45] *** pnavarro has joined #openstack-keystone
[04:50] *** kiran-r has joined #openstack-keystone
[05:03] *** iamjarvo has quit IRC
[05:04] *** iamjarvo has joined #openstack-keystone
[05:08] *** iamjarvo has quit IRC
[05:21] *** _cjones_ has joined #openstack-keystone
[05:26] *** _cjones_ has quit IRC
[05:42] *** sdake_ has quit IRC
[05:52] *** ajayaa has joined #openstack-keystone
[06:10] *** markvoelker has quit IRC
[06:10] *** jamesllondon has quit IRC
[06:22] *** _cjones_ has joined #openstack-keystone
[06:26] *** pnavarro has quit IRC
[06:27] *** _cjones_ has quit IRC
[06:31] *** stevemar has quit IRC
[06:35] *** sdake has joined #openstack-keystone
[06:36] *** spandhe has quit IRC
[06:40] *** markvoelker has joined #openstack-keystone
[06:45] *** markvoelker has quit IRC
[06:51] *** spandhe has joined #openstack-keystone
[06:52] *** blogan has quit IRC
[06:53] *** ptoohill has quit IRC
[06:54] *** jaosorior has joined #openstack-keystone
[06:56] *** blogan has joined #openstack-keystone
[06:57] *** ptoohill has joined #openstack-keystone
[06:58] *** browne has quit IRC
[07:03] *** bdossant has joined #openstack-keystone
[07:17] *** henrynash has joined #openstack-keystone
[07:17] *** ChanServ sets mode: +v henrynash
[07:35] *** sdake has quit IRC
[07:41] *** markvoelker has joined #openstack-keystone
[07:46] *** markvoelker has quit IRC
[07:48] *** sdake has joined #openstack-keystone
[07:50] *** jistr has joined #openstack-keystone
[07:52] *** josecastroleon has joined #openstack-keystone
[07:54] *** spandhe has quit IRC
[07:55] *** lhcheng has joined #openstack-keystone
[07:55] *** ChanServ sets mode: +v lhcheng
[08:00] *** sdake has quit IRC
[08:01] *** josecastroleon has quit IRC
[08:07] *** josecastroleon_ has joined #openstack-keystone
[08:09] *** henrynash has quit IRC
[08:10] *** josecastroleon_ has quit IRC
[08:12] *** henrynash has joined #openstack-keystone
[08:12] *** ChanServ sets mode: +v henrynash
[08:13] *** rushiagr_away is now known as rushiagr
[08:13] <openstackgerrit> Deepti Ramakrishna proposed openstack/python-keystoneclient: Document non-standard encoding of the PKI token.  https://review.openstack.org/176230
[08:18] <marekd> Hm, I am having trouble finding logs from yesterday's Keystone meeting. Anybody have such a link?
[08:32] *** lhcheng has quit IRC
[08:37] *** lhcheng has joined #openstack-keystone
[08:37] *** ChanServ sets mode: +v lhcheng
[08:39] *** lhcheng has quit IRC
[08:42] *** markvoelker has joined #openstack-keystone
[08:47] *** markvoelker has quit IRC
[08:54] *** g2` has quit IRC
[08:58] *** g2` has joined #openstack-keystone
[09:04] <openstackgerrit> David Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/153296
[09:15] *** lhcheng has joined #openstack-keystone
[09:15] *** ChanServ sets mode: +v lhcheng
[09:17] *** rushiagr is now known as rushiagr_away
[09:19] *** Ephur has quit IRC
[09:21] *** afazekas_ has joined #openstack-keystone
[09:30] *** lhcheng has quit IRC
[09:30] *** e0ne has joined #openstack-keystone
[09:31] <openstackgerrit> David Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/153296
[09:36] <openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/173424
[09:37] *** rushiagr_away is now known as rushiagr
[09:43] *** markvoelker has joined #openstack-keystone
[09:44] *** erkules_ is now known as erkules
[09:44] *** erkules has joined #openstack-keystone
[09:47] *** markvoelker has quit IRC
[09:48] <openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/173424
[09:57] *** davechen1 has quit IRC
[09:58] *** g2` has quit IRC
[09:59] *** henrynash has quit IRC
[10:00] *** _cjones_ has joined #openstack-keystone
[10:00] *** aix has joined #openstack-keystone
[10:01] <openstackgerrit> David Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/153296
[10:01] *** g2` has joined #openstack-keystone
[10:05] *** _cjones_ has quit IRC
[10:27] *** samueldmq has joined #openstack-keystone
[10:28] <samueldmq> morning
[10:34] <breton> morning!
[10:39] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: New attributes for SAML assertion  https://review.openstack.org/174462
[10:43] *** markvoelker has joined #openstack-keystone
[10:48] <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/167675
[10:48] *** rushiagr is now known as rushiagr_away
[10:48] *** markvoelker has quit IRC
[10:51] *** e0ne is now known as e0ne_
[10:55] *** e0ne_ is now known as e0ne
[11:07] *** aix has quit IRC
[11:13] *** davidckennedy has joined #openstack-keystone
[11:18] *** afazekas_ has quit IRC
[11:27] *** e0ne is now known as e0ne_
[11:33] *** afazekas_ has joined #openstack-keystone
[11:38] *** e0ne_ has quit IRC
[11:40] *** bknudson has quit IRC
[11:44] *** markvoelker has joined #openstack-keystone
[11:45] *** markvoelker has quit IRC
[11:45] *** markvoelker has joined #openstack-keystone
[11:45] <samueldmq> breton, ayoung could you please revisit 'Adds inherited column to RoleAssignment PK'?
[11:46] <samueldmq> breton, ayoung https://review.openstack.org/#/c/142472/
[11:49] *** _cjones_ has joined #openstack-keystone
[11:53] *** _cjones_ has quit IRC
[11:58] *** e0ne has joined #openstack-keystone
[11:58] *** aix has joined #openstack-keystone
[12:03] *** ayoung has quit IRC
[12:07] *** ajayaa has quit IRC
[12:09] *** raildo has joined #openstack-keystone
[12:30] *** lhcheng has joined #openstack-keystone
[12:30] *** ChanServ sets mode: +v lhcheng
[12:32] *** iamjarvo has joined #openstack-keystone
[12:33] *** iamjarvo has quit IRC
[12:33] *** iamjarvo has joined #openstack-keystone
[12:34] *** lhcheng has quit IRC
[12:36] <breton> samueldmq: will do later today
[12:39] *** rushiagr_away is now known as rushiagr
[12:41] *** e0ne is now known as e0ne_
[12:41] *** gordc has joined #openstack-keystone
[12:43] *** bknudson has joined #openstack-keystone
[12:43] *** ChanServ sets mode: +v bknudson
[12:46] *** e0ne_ is now known as e0ne
[13:07] *** mattfarina has joined #openstack-keystone
[13:09] *** zzzeek has joined #openstack-keystone
[13:12] *** rushiagr is now known as rushiagr_away
[13:13] *** henrynash has joined #openstack-keystone
[13:13] *** ChanServ sets mode: +v henrynash
[13:13] *** afazekas_ has quit IRC
[13:14] <samueldmq> breton, nice thanks
[13:14] <samueldmq> henrynash, hi - you around?
[13:14] <henrynash> samueldmq: hi
[13:14] *** richm has joined #openstack-keystone
[13:15] <samueldmq> henrynash, just to let you know I have a blog post on domain-specific configs on sql
[13:15] <samueldmq> henrynash, http://www.samueldmq.com/domain-specific-configuration-on-sql/
[13:15] <samueldmq> :-)
[13:15] <henrynash> samueldmq: nice!!!!!!
[13:17] <samueldmq> henrynash, 'A kilo of domain-specific configs on SQL' : )
[13:18] <henrynash> samueldmq: cute, indeed!
[13:18] <samueldmq> hehe
[13:22] <dstanek> henrynash: samueldmq: is there any reason why we don't throw an exception when listing a subtree that contains a reference cycle? right now it just returns None
[13:22] *** ajayaa has joined #openstack-keystone
[13:22] <openstackgerrit> David Stanek proposed openstack/keystone: Fixes cyclic ref detection in project subtree  https://review.openstack.org/176304
[13:23] <henrynash> dstanek: I'd have expected it to throw an error...
[13:24] <dstanek> henrynash: see my patch above ^
[13:24] <henrynash> dstanek: looking
[13:26] <henrynash> dstanek: so agree it should error....if we ever hit the condition, we've no way to know whether returning partial data is a good thing or a bad thing
[13:26] <samueldmq> dstanek, hi - looking
[13:27] <henrynash> dstanek: I assume you found the actual bug referenced by inspection, rather than actually hitting it?
[13:27] <dstanek> henrynash: yes, i was reading through a code review and spotted it
[13:28] <henrynash> dstanek: yet again the stanel knowledge shines through!
[13:28] <dstanek> henrynash: from what i can tell you can't create a cycle through the manager so i wouldn't expect this bug to be possible in a real environment
[13:28] <henrynash> s/stanel/stanek/
[13:28] <henrynash> dstanek: no, you can't...so it's really a check to ensure we don't have infinite loops in our code
[13:29] <samueldmq> dstanek, ++, yeah since you modified directly in the sql
[13:29] <henrynash> dstanek: something really bad has happened if we hit it
[13:29] <dstanek> henrynash: should i create a patch to fix the None and make it raise an exception?
[13:29] *** stevemar has joined #openstack-keystone
[13:29] *** ChanServ sets mode: +v stevemar
[13:30] <dstanek> my worry is that if we don't and this does happen that there will be no way to detect and know what's happening
[13:30] <henrynash> dstanek: i think we should...I'm OK to do it if you like, or feel free to do it if you like
[13:30] <henrynash> dstanek: other than the logs....and that could be ages until anyone spots that
[13:31] <samueldmq> dstanek, henrynash actually we can hit this in real-envs, since we can use an ldap managed outside, right?
[13:31] <samueldmq> but I dunno if ldap is really used by anyone for resource
[13:31] <samueldmq> and yes, I agree an error should be better, and logging it should be a plus
[13:32] <henrynash> samueldmq: (I doubt it): I think the ldap case is just the same as someone updating sql directly
[13:32] <henrynash> samueldmq: ...and I think we log it already...just don't raise an error...which we should
[13:33] <samueldmq> henrynash, right, I agree
[13:33] *** ayoung has joined #openstack-keystone
[13:33] *** ChanServ sets mode: +v ayoung
[13:33] <samueldmq> henrynash, dstanek I am wondering if we could have an automated approach to find bugs like this
[13:34] <dstanek> i thought ldap didn't allow hierarchical projects
[13:34] <samueldmq> I dunno, I knew software like findbugs in the past, dunno for python
[13:34] <samueldmq> dstanek, actually no, not yet
[13:34] <dstanek> samueldmq: for this one no, not really
[13:34] <samueldmq> henrynash, ^ should we support it?
[13:35] <samueldmq> dstanek, this one is interesting since you couldn't even use your @wip, since it will never fail
[13:35] <samueldmq> dstanek, @infinite_loop
[13:35] <samueldmq> hah
[13:36] *** rushil has joined #openstack-keystone
[13:36] <dstanek> the way this could have been caught is to start making sure all cases are tested and looking at the coverage report - the coverage report showed that this code was never hit
[13:37] <samueldmq> dstanek, oh! a gate job warning coverage was reduced for any specific job would be good :p
[13:37] <samueldmq> dstanek, but would carry ppl to put their focus on passing it
[13:37] <dstanek> samueldmq: that becomes dangerous - we as developers should really be looking into this
[13:37] <samueldmq> dstanek, as we discussed a few days ago
[13:37] <henrynash> dstanek: yep, I think that's my bad....not testing it....
[13:37] *** stevemar has quit IRC
[13:38] <rodrigods> marekd, around?
[13:38] <marekd> rodrigods: Hi.
[13:38] <samueldmq> dstanek, how do you check test coverage for keystone?
[13:38] <marekd> samueldmq: tox -ecover
[13:38] <samueldmq> marekd, thx
[13:39] <dstanek> henrynash: not your fault - we have a half dozen people listed as authors on the patch and at least 2 cores gave it a +2 - i think we just need to be a little more formal with reviewing coverage
[13:39] <samueldmq> dstanek, ++
[13:39] <henrynash> dstanek: agreed
[13:39] <samueldmq> dstanek, I agree, the ones I know do it often are you and bknudson
[13:39] <samueldmq> I will start doing it more often
[13:40] <rodrigods> marekd, keystone is throwing an error when I try to scope a federated token
[13:40] <rodrigods> marekd, http://paste.openstack.org/show/205092/
[13:40] <rodrigods> marekd, did you see this before?
[13:40] <bknudson> there's a thread on the mailing list about having a job that automatically checks coverage
[13:40] <marekd> rodrigods: let me see.
[13:40] <rodrigods> marekd, Juno version, btw
[13:41] <samueldmq> bknudson, I will look for it
[13:41] <samueldmq> bknudson, then it would fail if test coverage was reduced?
[13:41] <dstanek> ugg...i hope not. i hate that idea. always leads to gaming the system.
[13:42] <samueldmq> bknudson, I've been discussing this with dstanek
[13:42] <samueldmq> ^
[13:42] <marekd> rodrigods: hm, is it master?
[13:43] <rodrigods> marekd, stable/juno
ayounghttps://review.openstack.org/#/c/135774/  please approve.  Unified Access info is holding up a slew of other features13:45
ayoungI'm working on the client code now13:45
rodrigodsmarekd, aaaand the code http://paste.openstack.org/show/205094/13:45
*** iamjarvo has quit IRC13:46
*** e0ne is now known as e0ne_13:46
dstaneki think in a couple of cases my patches may have decreased coverage because we were testing useless things13:47
marekdrodrigods: let me check few spots.13:47
marekdrodrigods: try with auth method set to 'saml2' instead of 'token'13:49
rodrigodsmarekd, tried already...13:50
rodrigods"message": "Expecting to find saml2 in identity - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"13:50
marekdrodrigods: i bet you removed 'saml2' from your auth methods from keystone.conf.13:51
samueldmqayoung, so each service would instantiate an access info object from the HTTP headers set by keystonemiddleware ?13:51
ayoungsamueldmq, yes13:51
ayoungsamueldmq, they already do13:51
ayoungit is just a dictionary13:51
ayoungthis is a strict python class model, but can act as a dictionary13:51
samueldmqayoung, where this code will be placed ? oslo ?13:51
ayoungno  KC13:51
ayoungit is common code, but the primary consumer is KC....13:52
ayoungthere is a follow on patch to make KC use it13:52
marekdrodrigods: i am also curious what's in self.fed_token_id (or how the token actually looks like).13:52
ayounghttps://review.openstack.org/#/c/160134/7  samueldmq13:52
*** iamjarvo has joined #openstack-keystone13:52
*** iamjarvo has quit IRC13:53
rodrigodsmarekd, http://paste.openstack.org/show/205097/13:53
*** iamjarvo has joined #openstack-keystone13:53
rodrigodsmarekd, fed_token_id is the Unscoped token id13:53
samueldmqayoung, ok but .. I can't see why kc there ... middleware is in front of the services, and sets the headers13:53
*** iamjarvo has quit IRC13:54
samueldmqayoung, the service read the headers themselves and create the dict ( today )13:54
ayoungsamueldmq, and how does middleware validate the token?13:54
rodrigodsmarekd, and here the auth_context http://paste.openstack.org/show/205098/13:54
samueldmqayoung, k middleware uses the kc13:54
*** jdennis has quit IRC13:54
*** iamjarvo has joined #openstack-keystone13:54
ayoungand it will get the access info from that13:54
samueldmqayoung, and sets the HTTP headers in the request, before passing it to the service right?13:54
ayoungsamueldmq, none of that will change13:55
ayoungits just the implementation of the access info that I'm changing here.13:55
samueldmqayoung, dont the services also need to build accessinfo ?13:55
*** bandwidth has joined #openstack-keystone13:55
ayoungsamueldmq, yes.   the goal here is that they all have a common definition.  If they need to recreate it, they can use the builder13:56
*** e0ne_ has quit IRC13:56
*** henrynash has quit IRC13:56
*** henrynash has joined #openstack-keystone13:57
*** ChanServ sets mode: +v henrynash13:57
samueldmqayoung, right, but as it ( the builders and accessinfo object ) will be used by services + client, I was thinking about the place to put it, that's why I asked if it was on oslo13:58
*** iamjarvo has quit IRC13:58
samueldmqayoung, but it makes sense to have it on kc as well, since kc itself uses it13:59
samueldmqayoung, and the services already import kc13:59
ayoungsamueldmq, maybe eventually, but for now it stays in KC13:59
ayoungyep13:59
samueldmqayoung, yes great13:59
*** e0ne has joined #openstack-keystone13:59
bandwidthquestion: do Juno services (nova, cinder, heat...) support the keystone v3 API? I mean, can they talk v3?13:59
henrynashanyone have any experience in using TLS with AD and multiple domain controllers?13:59
samueldmqayoung, I will take a deeper look at it later today, need to get my kid to school13:59
ayoungthanks13:59
*** tqtran has joined #openstack-keystone14:02
*** sigmavirus24_awa is now known as sigmavirus2414:05
*** stevemar has joined #openstack-keystone14:07
*** ChanServ sets mode: +v stevemar14:07
*** Ephur has joined #openstack-keystone14:09
rodrigodsmarekd, what I know so far... it isn't the mapped plugin that is taking care of the request14:10
*** henrynash has quit IRC14:12
marekdrodrigods:  what makes you think so?14:12
rodrigodsmarekd, added lots of prints in its authenticate() method14:13
marekdrodrigods: how does keystone.conf [auth] look like ?14:14
marekdi'd rather suspect some misconfiguration rather than a bug..but who knows :-)14:14
rodrigodsmarekd, yeah, me too14:15
rodrigodslooking14:15
rodrigodsmethods = external, password, token, saml2, oidc14:15
rodrigodssaml2 = keystone.auth.plugins.mapped.Mapped14:15
rodrigodsoidc = keystone.auth.plugins.mapped.Mapped14:15
rodrigodsmarekd, ^14:15
marekdrodrigods: change to saml2 = keystone.auth.plugins.saml2.Saml214:17
marekdand try again.14:17
rodrigodsthe same =(14:18
*** samueldmq_ has joined #openstack-keystone14:22
*** edmondsw has joined #openstack-keystone14:23
marekdrodrigods: maybe remove external ?14:23
marekdjust to be sure nothing is messing around.14:23
marekdrodrigods: i can try to dig a little bit directly on your keystone-sp, otherwise i can guess with you :-)14:24
marekdfor sure unscoped token looks correct.14:24
*** stevemar has quit IRC14:26
rodrigodsmarekd, thanks for the help14:28
marekdrodrigods: try to figure out what auth plugin is being used/loaded.14:28
marekdunless you did it.14:28
rodrigodsmarekd, I know that "token" is being used14:28
*** iamjarvo has joined #openstack-keystone14:29
marekdrodrigods: so you are using auth method 'saml2' and token.Token is loaded?14:29
*** iamjarvo has quit IRC14:29
rodrigodsmarekd, neither work, with saml2 it returns "Expecting to find saml2 in identity - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"14:30
marekdrodrigods: http://paste.openstack.org/show/205094/ -> iirc you should change 2 lines here.14:31
marekdrodrigods: so it's methods: ['saml2'] and later 'saml2': { 'id': self.fed_token_id }14:32
marekd(sorry for saying this, i don't know whether you changed it or not :-)14:32
rodrigodsmarekd, yay!14:32
rodrigodsit worked!14:32
rodrigodsmarekd, many many thanks14:33
marekdrodrigods: no problem :-)14:33
rodrigodsmarekd, luckily you remembered how the request was made in Juno :)14:33
marekdi know i was playing with that and since Kilo (or master) your 'token' method should also work.14:34
*** sdake has joined #openstack-keystone14:43
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Remove saml2 comment in scoping federated token  https://review.openstack.org/17633914:43
rodrigodsmarekd, ^14:43
*** iamjarvo has joined #openstack-keystone14:44
*** samueldmq_ has quit IRC14:44
*** sdake_ has joined #openstack-keystone14:44
marekdrodrigods: i am not sure whether rescoping a fed-token would work.14:45
marekdthen we could probably leave --federated-token-id-- ....14:45
*** tqtran has quit IRC14:45
marekdayoung: did you solve your problems with ipsilon + ecp ?14:46
ayoungmarekd, not yet, but got some advice...trying to update access info first, will return to it later today14:46
rodrigodsmarekd, true14:47
marekdayoung: https://gist.github.com/zaccone/509136cfa1c4efca6926 for the record, this is the snippet that i used (successfully) when I was playing with it.14:47
marekdayoung: looks pretty much like yours.14:47
ayoungmarekd, still helps.  THanks14:47
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Remove saml2 comment in scoping federated token  https://review.openstack.org/17633914:47
marekdayoung: can you remind me what was failing actually?14:47
*** sdake has quit IRC14:48
*** iamjarvo has quit IRC14:49
*** browne has joined #openstack-keystone14:50
marekdrodrigods: ok, voted on the patch.14:54
marekdrodrigods: thanks.14:54
*** bandwidth has quit IRC14:54
openstackgerritDave Chen proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767514:55
*** ajayaa has quit IRC14:55
*** bandwidth has joined #openstack-keystone14:56
*** ajayaa has joined #openstack-keystone14:58
*** iamjarvo has joined #openstack-keystone15:08
*** bdossant has quit IRC15:12
*** bdossant has joined #openstack-keystone15:13
*** iamjarvo has quit IRC15:18
*** tqtran has joined #openstack-keystone15:22
*** _cjones_ has joined #openstack-keystone15:23
openstackgerritMerged openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994415:24
*** tqtran has quit IRC15:26
*** _cjones_ has quit IRC15:28
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851915:32
*** joesavak has joined #openstack-keystone15:33
*** kiran-r has quit IRC15:34
*** rwsu has joined #openstack-keystone15:34
*** csoukup has joined #openstack-keystone15:35
*** c_soukup has joined #openstack-keystone15:36
*** e0ne has quit IRC15:36
*** csoukup has quit IRC15:36
*** c_soukup has quit IRC15:36
*** csoukup has joined #openstack-keystone15:37
*** e0ne has joined #openstack-keystone15:37
*** iamjarvo has joined #openstack-keystone15:43
*** iamjarvo has quit IRC15:44
*** gyee has joined #openstack-keystone15:44
*** ChanServ sets mode: +v gyee15:44
*** iamjarvo has joined #openstack-keystone15:44
*** iamjarvo has quit IRC15:45
marekdHm, typically when a user wants to use any OpenStack service he would authenticate with Keystone, get a token, later put this token in the X-Auth-Token header and issue a HTTP request to a service like glance or nova. Now, it will be keystonemiddleware that will take care of validating the X-Auth-Token (and the detailed steps would be: ksm authenticates with some service account, gets a token, and then validates the user's token stored in15:46
*** sdake_ has quit IRC15:48
ayoungmarekd, is this a problem?15:54
marekdayoung: not at all. I am asking if my understanding of the workflow is correct.15:54
ayoungmarekd, ah, just saw your question.  My problem with ECP was still getting Ipsilon setup.  We are just getting ECP support into the server15:54
marekdayoung: yeah, i know.15:55
ayoungThere is something wrong with my metadata setup, and I don't know what15:55
*** jsavak has joined #openstack-keystone15:55
ayoungbut the server metadata doesn't have the ECP URL in it15:55
marekdayoung: if you need to test ECP itself you don't need any single bit of Keystone or OpenStack.15:55
ayoungI've compared it with a working one, and that does have the meta data in it15:56
marekdserver - idp or sever sp ?15:56
ayoungmarekd, my goal is to make sure that the ECP support in Ipsilon will work with the ECP support in Keystone client15:56
ayoungIDP15:56
ayoungSP looks OK15:56
*** joesavak has quit IRC15:58
ayoungmarekd, one sec...let me repost the access info patch with the audit_ids in it, and then I'll switch back to ECP mode15:58
marekdayoung: i will be here ~20 minutes more :/15:59
ayoungmarekd, its OK, I think I'm tracking15:59
ayoungI have a script that shows what is supposed to happen with ECP for a generic resource.  I'll use that to troubleshoot my setup, and then should be able to use the code you gisted to test the client auth plugin16:00
*** browne has quit IRC16:08
morganfainbergHmm.16:08
gyeemorganfainberg, need your opinion on the endpoint filtering enforcement middleware16:10
gyeecurrently it allows enforcement on both service_id and endpoint_id16:11
morganfainbergRight.16:11
gyeeI am debating whether we should also allow service_type and region_id16:11
gyeebecause for V2 catalog, only service_type is there16:11
morganfainbergThe initial scope is service_id and endpoint_id.16:12
gyeeI can't think of a case where a service_type corresponding to multiple service_ids16:12
gyeeour schema allows it however16:12
morganfainbergRackspace does it.16:12
gyeeoh16:12
*** jistr has quit IRC16:12
morganfainbergLegacy compute and non-legacy compute16:12
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog  https://review.openstack.org/17638316:12
gyeeah16:12
gyeeyes16:12
morganfainbergBut they use repose to do enforcement16:13
morganfainbergI think service type would be very logical16:13
gyeeso should we allow service_type and region_id? I think its worth supporting all16:13
gyeek, thanks16:14
morganfainbergI don't see a huge demand for region_id, but it's trivial to add16:14
gyeedavidckennedy, ^^^16:14
morganfainbergYou'll need to update the spec to cover those added extra bits though.16:14
gyeedavidckennedy, can you please update the spec?16:14
gyeeor I can update it if davidckennedy is occupied16:14
morganfainbergDo we want this as a logical or, logical and, or???16:15
gyeelogical and16:15
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog  https://review.openstack.org/17638316:15
gyeethat's how endpoint group is setup16:15
morganfainbergWhat is the effect of service_id and service_type are set, or service_id and endpoint_id or service_type and region_id16:16
gyeewait, sorry16:16
gyeeI mean logical or16:16
morganfainbergOk16:16
gyeeunion of all16:16
gyeemy bad16:16
morganfainbergMake sure that is very clearly documented16:16
gyeewill do16:16
davidckennedygyee morganfeinberg if we're using service_type then we should drop service_id right?16:17
*** _cjones_ has joined #openstack-keystone16:18
gyeedon't drop it16:18
gyeejust do the union of all the results16:18
davidckennedybut it doesn't work for v2 anyway and surely service_type would do as well?16:19
gyeeif service_type is there, use it16:19
gyeeif absence, skip it16:19
gyeeabsent16:19
gyeeresult = (service_type matches) || (service_id matches) || (endpoint_id matches) || (region_id matches)16:20
davidckennedyORs?16:20
*** henrynash has joined #openstack-keystone16:20
*** ChanServ sets mode: +v henrynash16:20
gyeethat's how we process the endpoint group filters at the server side16:20
gyeeright16:21
davidckennedyI think this is a bit odd.  That means that if a region is specified then all endpoints will be valid - given an association16:22
*** jsavak has quit IRC16:22
davidckennedySo whoever configures it has to be pretty careful that they are not giving away more than they want?16:23
davidckennedygyee I'll make those changes to the spec tomorrow and see how it looks.16:24
*** bdossant has quit IRC16:25
*** davidckennedy has quit IRC16:26
morganfainbergI wonder if we could use Oslo.policy DSL for this.16:26
gyeeoh?16:27
morganfainberggyee: ^ davidckennedy16:27
gyeeDSL16:27
gyeepolicy match is a logical and16:27
gyeenevermind, it can be both16:28
morganfainbergIs a logical <whatever>16:28
morganfainbergyes16:28
gyeeyeah16:28
gyeeI like the idea16:28
morganfainbergWell it doesn't do bitwise operations and isn't Turing complete. :P16:28
gyeebecause we will be introducing policy enforcement middleware as part of the policy revamp anyway16:29
gyeelets do this!16:29
morganfainbergBut we already have a tool for this. The issue is we are giving people a ton of rope to shoot themselves in the foot (yay mixed up metaphors).16:29
gyeeI call it "flexibility"16:29
openstackgerritBrant Knudson proposed openstack/keystone: service child process normal SIGTERM exit  https://review.openstack.org/17639116:30
morganfainbergWe could craft a basic rule set that is better than straight logical or/ands and put it in the config.16:30
morganfainbergJust with a warning "OMG DO NOT CHANGE THIS unless you know wtf you are doing"16:30
gyeelemme tinker around with the code16:30
gyeetinker with16:30
gyeethere should be only one rule I think16:31
gyee(service_id%(service_id)s or ...)16:31
morganfainbergIt may be worth hard-coding a nice rule set first pass: (region_id? &(service_id || service_type || endpoint_id)16:31
gyeeyes I agree16:32
morganfainbergOr just make that the logical policy w/o the DSL ^16:32
morganfainbergThat is a weird mix of regex and ldap notation ^16:33
*** _cjones_ has quit IRC16:33
gyeepolicy is pretty straightforward, only issue is to turn the catalog into a flattened dict16:33
gyeewhich is not a big deal16:33
morganfainbergBut if region id, it is an and with, service id, endpoint id, or service type16:34
*** alexsyip has joined #openstack-keystone16:34
gyeecan oslo policy handle wildcard matches?16:34
gyeeit would be awesome if it can do that16:34
morganfainbergOr would it be: region id & (service_id || service_type) & endpoint id16:34
openstackgerritBrant Knudson proposed openstack/keystone: Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab  https://review.openstack.org/17639116:34
morganfainberggyee: not sure if it can.16:34
gyeewe should16:35
morganfainbergOk so I think we need to make the enforcement configurable. Think about the default rule.16:36
gyeeyes definitely16:36
gyeelet me work on the patch16:36
morganfainbergBecause I think it needs to be the best general use-case option.16:36
gyeemorganfainberg, should I also submit a spec to make oslo policy handle wildcard matches?16:37
morganfainbergLet's evaluate that separately.16:37
gyeek16:37
gyeefor the hierarchical/tree stuff, wildcard matches definitely help16:38
*** bandwidth has quit IRC16:40
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/17342416:41
amakarovrodrigods, gyee hi! Can you please take a look again? ^^16:45
rodrigodsamakarov, will do, thx16:46
*** _cjones_ has joined #openstack-keystone16:46
*** Ctina has joined #openstack-keystone16:49
amakarovrodrigods, wait, fixing something...16:49
*** browne has joined #openstack-keystone16:50
amakarovdone16:50
*** e0ne has quit IRC16:50
*** joesavak has joined #openstack-keystone16:53
morganfainbergayoung: going to have stickers with the KSL logo made for the summit. Light background or dark?16:55
morganfainbergAs in made to standout on a light background or a dark one.16:55
gyeeneon, glow in the dark :)16:57
gyeeamakarov, looking16:57
amakarovgyee, adding an example now, just a moment please :)16:59
gyeek16:59
*** harlowja_away is now known as harlowja16:59
amakarovgyee, rodrigods, raildo welcome! https://review.openstack.org/#/c/17342417:01
raildo:)17:01
*** jaosorior has quit IRC17:02
*** tqtran has joined #openstack-keystone17:05
*** _cjones_ has quit IRC17:08
ayoungmorganfainberg, link?17:08
*** lhcheng has joined #openstack-keystone17:08
*** ChanServ sets mode: +v lhcheng17:08
ayoungI want to say dark, but I need to see the colors17:08
morganfainberghttps://github.com/morganfainberg/keystone_stuff/blob/master/KeystoneLogo.svg17:09
morganfainbergbasically.17:09
morganfainbergi have a version that works on a dark background too17:09
morganfainbergit inverts some colors.17:09
ayoungmorganfainberg, should we drop the word.  Make it so you just have to know?17:11
*** lhcheng_ has joined #openstack-keystone17:11
morganfainbergayoung, perhaps.17:12
morganfainbergayoung, I'm going to do a few variations on it. one variation might be no word17:12
ayoungmorganfainberg, I kindof want this: http://upload.wikimedia.org/wikipedia/commons/5/5c/8500_-_Milano_-_Palazzo_Borgazzi_%281829%29_-_Dettaglio_-_Foto_Giovanni_Dall%27Orto,_31-Aug-2007.jpg17:13
morganfainbergline art it?17:13
ayoungalthough this is probably more accurate http://sugarmtnfarm.com/blog/uploaded_images/ArcKeyStoneDSCF5630-706588.jpg17:13
ayoungWill do!17:13
morganfainberghah17:13
*** lhcheng has quit IRC17:14
ayoungmorganfainberg, https://www.google.com/search?q=keystone+images&tbm=isch&tbo=u&source=univ&sa=X&ei=YtY3VeK7B4vBggTd5oGgBA&ved=0CCoQsAQ&biw=1680&bih=851#imgrc=ZhxAyiQU1rPVcM%253A%3BygR5X1ywZEuKoM%3Bhttp%253A%252F%252Fwww.buffaloah.com%252Fa%252FDCTNRY%252Fk%252Fkeystone_fairfax.JPG%3Bhttp%253A%252F%252Fwww.buffaloah.com%252Fa%252FDCTNRY%252Fk%252Fkey.html%3B648%3B387  but modify the face to look like a certain bearded someone?17:14
morganfainberghaha no17:14
ayoungHeh17:14
morganfainbergfwiw, i like the KSL logo because it's simple.17:14
*** _cjones_ has joined #openstack-keystone17:15
amakarovmorganfainberg, what about this one? :) https://www.google.com/search?q=keystone+images&tbm=isch&tbo=u&source=univ&sa=X&ei=YtY3VeK7B4vBggTd5oGgBA&ved=0CCoQsAQ&biw=1680&bih=851#imgrc=jE0qObx8RqtdoM%253A%3B_qI-J_NXX7NtYM%3Bhttp%253A%252F%252Fupload.wikimedia.org%252Fwikipedia%252Fcommons%252F5%252F5c%252F8500_-_Milano_-_Palazzo_Borgazzi_(1829)_-_Dettaglio_-_Foto_Giovanni_Dall'Orto%252C_31-Aug-2007.jpg%3Bhttp%253A%252F%252Fen.wikipedia.org%2517:15
amakarov2Fwiki%252FKeystone_(architecture)%3B2592%3B194417:15
morganfainbergamakarov, direct link please?17:15
morganfainbergamakarov, the google search = line-wrap and icky17:15
gyeetinyurl17:15
morganfainberggyee, bit.ly17:16
gyeeah nice17:16
lhcheng_ayoung: haha that reminds me of someone17:17
ayoungamakarov, that is the same one I posted.  I like17:17
morganfainbergayoung, this one is... just disturbing http://www.stonecarver.com/architecture/key-lion-keystone.jpg17:17
morganfainbergand i don't know why...17:17
gyeedamn that one scary!17:17
amakarovhttp://dic.academic.ru/pictures/wiki/files/68/Dresden_Residenzschloss_06.jpg17:18
morganfainbergso, these are all great... but bad for stickers/logos17:19
amakarovAnd I like this one with a lion: http://www.idealstone.ru/upload/resize_cache/iblock/a43/300_1000_1/a434576338173676f72aaf3315c66718.jpg17:19
ayoungamakarov, the Dresden one is great17:20
amakarovmorganfainberg, then maybe something like this: http://krov-m.ru/d/269827/d/2_48.jpg17:20
gyeeyeah for a sticker, make it cartoonish17:20
morganfainbergthis is why the KSL logo is good17:20
morganfainbergit's already cartoonish... it's already associated with us17:20
amakarovmorganfainberg, system of baloons :D17:21
morganfainbergamakarov, goes into the cloud.17:21
gyeeeven better!17:21
morganfainberghere is the original fwiw17:21
morganfainberghttps://camo.githubusercontent.com/160d8ec179f975175efe17a3225dfd557772c1b2/687474703a2f2f7465726d2e69652f646174612f6d656469756d5f6b736c2e706e6717:21
morganfainbergthe svg i linked earlier was just a vectorization17:22
ayoungthe keystone is floating away...the whole bridge is gonna collapse.  Plus,  not sure the "light" aspect is something I'd emphasize.17:22
morganfainbergit doesn't say "light"17:23
morganfainbergand you don't know if it's floating away or floating down into place ;)17:23
*** sdake has joined #openstack-keystone17:24
ayoungquick sketch http://www.younglogic.com/images/Keystone-Lion.jpg17:25
amakarovmorganfainberg, then it's better a helicopter instead of baloons :)17:25
morganfainbergok i'm now sorry i asked.17:25
ayoungmorganfainberg, nah, that is not it.  ...we want cartoony...let me see17:25
morganfainbergnever mind wont bother with this.17:26
harlowjaor u guys can actually use a keystone stone :-P17:26
harlowjahttp://upload.wikimedia.org/wikipedia/commons/thumb/2/24/Arch_voussoirs.svg/2000px-Arch_voussoirs.svg.png17:26
harlowjabest logo ever, lol17:26
*** spandhe has joined #openstack-keystone17:26
morganfainbergbetter to have people bikeshed over other things than a stupid sticker17:26
ayoungI'd like to do something that plays on the openstack logo17:26
morganfainbergso yeah nevermind.17:26
morganfainbergayoung, lets just say Trademark makes that very hard.17:27
ayoungplays on....17:27
morganfainbergayoung, there is a reason we don't have logos for the projects that really do that.17:27
morganfainbergayoung, stay out of waters that muddy/get close to the official OS logo(s)17:28
morganfainbergayoung, its a headache.17:28
Ctinathis looks nice yet simple if it was changed a little obviously https://stocklogos.com/logo/keystone-construction-017:29
*** sdake has quit IRC17:29
*** sdake has joined #openstack-keystone17:30
*** bandwidth has joined #openstack-keystone17:30
ayoungleonchio_, let's talk!17:31
ayoungleonchio_, I think the code I saw is pretty close17:31
leonchio_hey ayoung17:31
leonchio_that's the good sign;-)17:32
gyeedid review.openstack.org just died on me?17:32
amakarovmorganfainberg, maybe get the top half of the openstack logo and put a key stone atop?17:32
leonchio_so what exactly you can suggest my patch needs to be done?17:32
ayoungsince the spec is already approved, we can leave it as linking x509 and tokenless.  I think there is nothing serious in the code that ties the two together17:32
-openstackstatus- NOTICE: gerrit is restarting to clear hung stream-events tasks. any review events between 16:48 and 17:32 utc will need to be rechecked or have their approval votes reapplied to trigger testing in zuul17:32
amakarovhttp://logo-kid.com/openstack-logo.htm17:32
morganfainbergamakarov, i'm done, i'm sorry i asked.17:32
ayoungleonchio_, I had missed the whole mapping piece of it17:32
morganfainbergamakarov, not bothering.17:32
amakarovmorganfainberg, np17:32
morganfainbergamakarov, and we can't do those things with the OS logo.17:33
gyeeamakarov, that the latest? https://review.openstack.org/#/c/173424/14/specs/backlog/materialize-project-hierarchy.rst17:33
amakarovgyee, yes17:33
leonchio_ayoung, ok as you may tell the mapping basically follows the same mechanism as the federation, but we don't need grouping though17:33
ayoungmorganfainberg, so...to put it to rest:  use the keystone from your logo, but actually show it in an arch.  Balloons are optional17:33
amakarovayoung, ++17:34
morganfainbergayoung, not going to bother17:34
ayoungleonchio_, we need the "map to an existing user" feature...17:34
ayoungnot sure where that is17:34
morganfainbergayoung, i'm already done and over this.17:34
morganfainbergayoung, someone else can do something like this if they care.17:34
ayoungmorganfainberg, you started it.17:34
morganfainbergayoung, i asked a "dark or light background" not "what logo"17:34
leonchio_ayoung, yes, that's exactly what this patch needs, user + domain so that we can make sure the user is in the system in order to authenticate17:34
gyeehahahaha, morgainfainber see what "open" source gets you now?17:35
morganfainbergsomeone else can do this.17:35
ayoungI think that patch is out there leonchio_ take a look, and, if it is, make sure yours depends on it17:35
leonchio_ayoung, group in federation is used to assign scope which this patch does not need17:35
ayoungleonchio_, right...17:35
lhcheng_gyee: how about sticking a keystone on the openstack logo?17:35
*** lhcheng_ is now known as lhcheng17:35
*** ChanServ sets mode: +v lhcheng17:35
amakarovlhcheng_, we can't17:35
morganfainbergleonchio_, trademark issues17:36
lhchengoh17:36
lhchengheh that would have been nice17:36
leonchio_morganfainberg, what's trademark issues?17:36
ayoungIGGY PECK FTW https://www.google.com/search?q=arch+of+pancakes&source=lnms&tbm=isch&sa=X&ei=H9w3VdGDHYGENvOEgJgJ&ved=0CAgQ_AUoAg&biw=1680&bih=851#imgrc=PQWj8pXPQPpKwM%253A%3BRdx5_0ZUOkpBPM%3Bhttp%253A%252F%252F4.bp.blogspot.com%252F-NlvYJ-KLd3M%252FUkuZ94gwxaI%252FAAAAAAAAcI8%252Fb7alzHjqHW4%252Fs1600%252Fcomposition.jpg%3Bhttp%253A%252F%252Fwww.thirdstoryies.com%252F2013%252F10%252F02%252Fstorytime-iggy-peck-architect-and-rosie-r17:36
ayoungevere-engineer%252F%3B1600%3B102017:36
ayoungheh.17:36
morganfainbergleonchio_, the openstack logo is a registered trademark.17:36
ayounglet me shorten that17:36
leonchio_ayoung, so this is the patch you are referring to ? https://review.openstack.org/#/c/109295/17:37
ayounghttp://4.bp.blogspot.com/-NlvYJ-KLd3M/UkuZ94gwxaI/AAAAAAAAcI8/b7alzHjqHW4/s1600/composition.jpg17:37
morganfainbergleonchio_, changing that / incorporating it with other things... it's bad legally17:37
morganfainbergleonchio_, and it *must* be defended or the Trademark is lost. so it just isn't possible.17:37
*** gyee is now known as chinese_gyee17:37
ayoungleonchio_, heh...feel free to use any code out of that patch you want17:37
ayoungI was actually ... let me find it.17:37
chinese_gyeemorganfainberg, what trademark, never heard of it17:37
*** chinese_gyee is now known as gyee17:38
morganfainberggyee, hah.17:38
lhchengmorganfainberg: I actually asked about sticking keystone to logo :P17:38
*** Ctina has quit IRC17:38
leonchio_ayoung, ok, thanks, will review it17:38
lhchengmorganfainberg: but yeah, that makes sense17:38
morganfainberglhcheng, there are tons of rules on how close things can be etc.17:38
morganfainberglhcheng, /me has been wading through the legalese for this recently17:39
lhchengmorganfainberg: eekk17:40
morganfainbergtrademark usage is difficult.17:40
lhchenglikely need the lawyers to get involved17:41
lhchengis the old KSL logo trademarked?17:41
gyeelet me check with my couz in China to see if they can make the O slightly tilted so there's no trademark issue :)17:42
lhchenggyee haha17:42
*** david-lyle has quit IRC17:42
*** amakarov is now known as amakarov_away17:46
morganfainberglhcheng, no it's public domain17:48
morganfainberglhcheng, afaict17:48
* morganfainberg asked around about it.17:48
morganfainbergayoung, we should just pick an animal for our mascot instead http://en.wikipedia.org/wiki/Keystone_species17:51
*** leonchio_ is now known as samleong17:55
*** e0ne has joined #openstack-keystone18:00
ayoungmorganfainberg, OK,  you were the one that browbeat me into writing access info.  We need it.  Please bleed on the review.18:04
ayounghttps://review.openstack.org/#/c/13851918:04
ayoungI'll work on rebasing the dependent reviews, but ^^ is needed by a lot of the server side code18:05
ayoungsamleong, please look at https://review.openstack.org/#/c/138519  as well, as that is what your patch should be building18:06
openstackgerritMerged openstack/keystone-specs: Remove saml2 comment in scoping federated token  https://review.openstack.org/17633918:06
*** david-lyle has joined #openstack-keystone18:07
*** sleong has joined #openstack-keystone18:07
*** richm has quit IRC18:13
*** joesavak has quit IRC18:13
openstackgerritayoung proposed openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/8116618:14
*** richm has joined #openstack-keystone18:18
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013318:19
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013418:19
*** sleong has quit IRC18:20
*** aix has quit IRC18:21
*** sleong has joined #openstack-keystone18:23
*** richm has quit IRC18:24
*** ayoung has quit IRC18:24
*** sleong has quit IRC18:24
*** sleong has joined #openstack-keystone18:26
*** richm has joined #openstack-keystone18:28
*** sleong has quit IRC18:29
*** samleon has joined #openstack-keystone18:30
*** joesavak has joined #openstack-keystone18:30
*** lhcheng_ has joined #openstack-keystone18:35
*** lhcheng has quit IRC18:39
morganfainbergmarekd, reading your email. was a bit late last night to really grok it.18:42
morganfainbergmarekd, will have some answers/responses later today /tomorrow18:42
samleongayoung, great, will review it as well18:47
*** samleong has quit IRC18:47
*** samleon has quit IRC18:47
*** samleon has joined #openstack-keystone18:47
*** thedodd has joined #openstack-keystone18:49
*** stevemar has joined #openstack-keystone18:50
*** ChanServ sets mode: +v stevemar18:50
*** rushil has quit IRC18:51
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844218:52
openstackgerritDavid Stanek proposed openstack/keystone: Adds missing list_endpoints tests  https://review.openstack.org/17643418:52
samueldmqhi, I have a question regarding keystonemiddleware18:53
samueldmqv3 support specifically18:53
samueldmqdoes it need any config to work with v3 ? how does it know the token version (infer from its format ) ?18:54
*** carlosmarin has quit IRC18:59
bknudsonv3 tokens are totally different than v2 tokens19:00
*** carlosmarin has joined #openstack-keystone19:00
bknudsonsamueldmq: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n39619:00
samueldmqbknudson, yeah, I am trying to understand everything because I am working on testing all services with v319:01
samueldmqusing devstack19:01
samueldmqbknudson, and was trying to realize if just changing the keystone url to v3 was enough (no change in middleware)19:01
samueldmqthx for that link ^19:02
dstaneki think that the version of the token doesn't have too much to do with the version of the API19:02
bknudsonsamueldmq: auth_token supports version discovery if you use an unversioned auth URL.19:02
samueldmqdstanek, oh really ? Oo19:02
bknudsonso it will pick v3 if the server says it's available.19:02
morganfainbergit should also work if you use v3 specifically19:02
samueldmqbknudson, hmm nice19:02
morganfainbergbut then it will only use v319:02
*** lsmola__ has joined #openstack-keystone19:03
samueldmqmorganfainberg, so yes, that's what I want, using specifically19:03
bknudsonyes, you can tell it to also use v3 but recommended setting is unversioned.19:03
morganfainbergbknudson, ++19:03
dstaneksamueldmq: one is the version of the token format and the other is the API19:03
samueldmqbknudson, nice, and then middleware choose the right version (newer one, whatever)19:03
samueldmqdstanek, I thought they had raised together19:04
samueldmqftw19:04
samueldmqo/19:04
bknudsonyou can validate a v2 token with v3 or a v3 token with v2.19:05
bknudsonalthough some v3 tokens cannot be validated using v2.19:05
dstaneksamueldmq: the concepts are mostly orthogonal - it's just unfortunate that the version numbers are the same19:05
samueldmqbknudson, yes that's what I was thinking, but I didn't know any v3 could be validated against v219:06
dstaneksomeone was in there the other day asking for a token version upgrade because they have v2 tokens and wanted to use the v3 api19:06
*** lsmola_ has quit IRC19:06
samueldmqdstanek, I have been here for some months, and hadn't realized19:06
bknudsonI doubt that there is anything we could do with versions where people would understand it19:06
* samueldmq facepalm19:06
bknudsonother than if we did actual microversioning19:07
bknudsonI don't know how many times I've been asked if we support v3.19:07
bknudson"keystone v3"19:07
dstanekbknudson: totally agree19:07
samueldmqbknudson, what to do so? microversioning ?19:07
samueldmq3.x.y .. ?19:07
bknudsonand every time it's asked they actually mean something different.19:07
*** lhcheng_ is now known as lhcheng19:08
*** ChanServ sets mode: +v lhcheng19:08
samueldmqhow*19:08
bknudsonsamueldmq: nova is doing microversioning... I think there's a spec.19:08
samueldmqbknudson, https://wiki.openstack.org/wiki/Nova/ProposalForAPIMicroVersions19:08
samueldmqbknudson, will take a look, thanks19:09
*** _cjones_ has quit IRC19:09
*** lsmola__ has quit IRC19:10
morganfainbergbknudson, lol19:10
samueldmqmorganfainberg, so I understand more and more why we should have just /auth instead of /v2/auth and  /v3/auth19:10
morganfainbergsamueldmq, yeah19:10
morganfainbergsamueldmq, CRUD != Auth19:10
bknudsonCREATE token, DELETE token.19:10
samueldmqmorganfainberg, ++ and this just make people confused19:11
bknudsonwe don't have update token (yet!)19:11
samueldmqbknudson, true :p19:11
samueldmqbknudson, rescoping ?19:11
morganfainbergbknudson, sortof. we aren't realllllly doing traditional REST in these cases19:11
bknudsonREST would be to use www-authenticate19:11
morganfainbergok let me clarify: Keystone's management interfaces (identity, assignment) CRUD have little to do with the act of auth.19:12
samueldmqmorganfainberg, please do :)19:12
morganfainbergbknudson, hey webSSO.19:12
morganfainbergbknudson, >.>19:12
samueldmqmorganfainberg, so auth could be taken to a different place than identity,assignment crud  ? :P19:14
morganfainbergsamueldmq, this is really about avoiding mixing interacting with a specific version of keystone and the contract on auth19:15
*** jdennis has joined #openstack-keystone19:15
samueldmqmorganfainberg, ++19:15
*** stevemar has quit IRC19:15
openstackgerritDavid Stanek proposed openstack/keystone: Script to sync oslo  https://review.openstack.org/11430519:16
bknudsonif we want a different contract for auth, then what about identity, assignment, etc.19:17
bknudsonmight as well just go to microversioning19:18
*** david-lyle has quit IRC19:18
morganfainbergbknudson, why is auth API version dependent?19:18
morganfainbergbecause historically it was?19:18
bknudsonall of the apis are version dependent19:18
bknudsonthis seems to just be the way that we did versioning, put it on the URL19:19
bknudsonalthough the docs said you could do versioning in a header for a long time.19:19
morganfainbergi think part of the massive headache we have had with getting adoption of v3 has been because auth *was* version dependent19:19
samueldmqI think if we could make it optionally dependent (and in the header instead of in the url) we were good19:20
morganfainbergso the idea that to support use of keystone v3 meant you had to do all of keystone v3. well who cares. a v2 token could represent everything important for v3 if we had wanted to. the only cases it couldn't would be project "name", and domains.19:21
morganfainbergit also means that if we change/deprecate an API we aren't impacting auth.19:22
morganfainbergif we wanted a v4 management api, we could do it.19:22
*** lsmola__ has joined #openstack-keystone19:23
morganfainbergand not worry about breaking how people auth with keystone19:23
samueldmqmorganfainberg, and should be a good idea, to make people understand crud apis != auth version19:23
samueldmq:p19:23
bknudsonwe can support v2 auth for a long time.19:23
bknudsonif the token format/features change then things will break again.19:23
bknudsonif you pass a v3 token with non-default domain to v2 auth then it's rejected19:24
morganfainbergbknudson, honestly if we didn't have PKI tokens, i'd move v2 auth to a middleware translator19:24
samueldmqif we get services working with v3, let's make it default for devstack gates and deprecate v219:24
morganfainbergsamueldmq, that is the plan in liberty19:24
bknudsonall of the controllers should just be translators19:24
morganfainbergbknudson, it's a lot closer to that today.19:25
samueldmqmorganfainberg, nice, and I am trying to start this by testing the devstack + identity v3 thing-y :p19:25
morganfainbergbknudson, than it was even in juno19:25
*** rushil has joined #openstack-keystone19:26
samueldmqhenrynash, hi, could you revisit 'Adds inherited column to RoleAssignment PK' ?19:27
samueldmqhenrynash, https://review.openstack.org/#/c/142472/19:27
samueldmqmorganfainberg, is there a chance to still get this in rc2 ? ^19:27
morganfainbergsamueldmq, no19:27
samueldmqit's been ready for review, just waiting for people to do so19:28
samueldmqit's been there for some days :/19:28
morganfainbergsamueldmq, it can be evaluated for a backport, but i don't think it's going to happen for RC219:28
samueldmqmorganfainberg, k then, so if we decide we backport19:28
samueldmqmorganfainberg, ack19:28
morganfainbergsamueldmq, rc2 was pretty much complete as of monday19:28
morganfainbergwe have one outstanding issue that is a bit more systemic19:28
morganfainbergand needs love [oslo-incubator related]19:28
morganfainbergwhich is currently through check.19:29
samueldmqmorganfainberg, the thing dstanek is working on ?19:29
dstaneksamueldmq: i'm not working on any rc2 stuff19:29
dstaneki think morganfainberg means the service bug they found in incubator19:30
morganfainbergsamueldmq, bknudson has been working on it19:30
morganfainbergdstanek, yes19:30
samueldmqdstanek, ah sorry, I saw 'Script to sync oslo' https://review.openstack.org/#/c/114305/19:30
samueldmqdstanek, and thought it was related19:30
samueldmqmorganfainberg, you have link ?19:31
dstaneksamueldmq: nope, i'm going through all of my outstanding patches and make sure they all still work19:31
samueldmqdstanek, ++ :-)19:31
morganfainberghttps://review.openstack.org/#/q/I7b43a67a0b67fe0ff5ac3d87708ecc4ab52102f8,n,z19:31
morganfainberghttps://review.openstack.org/#/c/176151/19:31
samueldmqdstanek, I need to do the same, have some patches to be updated/get back to life19:31
samueldmqmorganfainberg, the fix on master and its backport to kilo, right ?19:32
morganfainbergyep19:32
morganfainbergand both depend on oslo-incubator change19:32
samueldmqmorganfainberg, k, so let's check if I understand things correctly :p19:33
samueldmqmorganfainberg, this is non-keystone code inside keystone, and have to be manually updated19:34
*** ayoung has joined #openstack-keystone19:34
*** ChanServ sets mode: +v ayoung19:34
morganfainbergoslo-incubator19:34
morganfainberganyway i need to go get food.19:34
samueldmqmorganfainberg, go19:35
morganfainbergi'm now 4hrs late from when i needed to get breakfast :P19:35
samueldmqmorganfainberg, np, bon appetit19:35
samueldmqbknudson, dstanek only oslo-incubator code need to be synchronized manually, right ?19:36
*** jimbaker has quit IRC19:36
dstanekthat's the only thing we copy-paste everywhere19:36
samueldmqand all the code for keystone is under openstack/common19:36
*** jimbaker has joined #openstack-keystone19:36
*** jimbaker has quit IRC19:37
*** jimbaker has joined #openstack-keystone19:37
samueldmqdstanek, hmm, and then when the code get incubated, we add it as a dependency to the projects that need it19:37
dstaneksamueldmq: yes, but they call it graduation. when the thing grows up into its own lib19:38
*** lhcheng_ has joined #openstack-keystone19:38
dstaneksamueldmq: that commit you mentioned above is what i used to update our incubated code; it's modeled after bknudson's documented process19:38
samueldmqdstanek, great and now you just need to run the script and commit the code19:39
samueldmqdstanek, bknudson great job ! :)19:39
bknudsonrealize that the oslo-incubator code is almost all going away19:39
bknudsonand being moved into real libraries19:40
*** lhcheng_ has quit IRC19:40
*** lhcheng_ has joined #openstack-keystone19:40
bknudsonso where it used to be a lot of work it's been much less work lately19:40
*** lhcheng has quit IRC19:40
*** lhcheng_ is now known as lhcheng19:41
*** ChanServ sets mode: +v lhcheng19:41
*** david-lyle has joined #openstack-keystone19:41
*** _cjones_ has joined #openstack-keystone19:42
morganfainbergdstanek, could use a second +2 on https://review.openstack.org/#/c/176391/19:44
morganfainbergdstanek, if you don't mind.19:44
dstanekmorganfainberg: looking19:44
samueldmqbknudson, ack, thanks for the update19:44
*** stevemar has joined #openstack-keystone19:44
*** ChanServ sets mode: +v stevemar19:44
morganfainbergdstanek, the oslo-change should be gating so should be sane to +2/A that19:44
dstanekmorganfainberg: done19:45
*** ayoung has left #openstack-keystone19:46
*** ayoung has joined #openstack-keystone19:46
*** ChanServ sets mode: +v ayoung19:46
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013419:49
*** openstackgerrit has quit IRC19:54
*** openstackgerrit has joined #openstack-keystone19:54
openstackgerritDavid Stanek proposed openstack/keystone: Removed dependency.provider  https://review.openstack.org/16302919:56
openstackgerritDavid Stanek proposed openstack/keystone: Removed optional dependency support  https://review.openstack.org/16277019:56
openstackgerritDavid Stanek proposed openstack/keystone: Decouple notifications from DI  https://review.openstack.org/16276919:56
openstackgerritDavid Stanek proposed openstack/keystone: Isolate injection tests  https://review.openstack.org/16276819:56
dstaneklbragstad: minor modification to change the commit message on https://review.openstack.org/#/c/162768/19:57
morganfainbergtesting19:57
morganfainbergtesting...19:57
morganfainbergone..19:58
morganfainbergtwo..19:58
dstanekone.19:58
dstanektwo..19:58
dstanekthree...19:58
_cjones_Quick question on keystone/nova v3 migration using _novaclient from within a Neutron extension. Is anyone around to answer?20:00
_cjones_I'll free-beer you if you can help solve my issue (and you're attending the summit in Vancouver).20:02
*** tqtran is now known as tqtran_afk20:04
dstanek_cjones_: go ahead and ask; i'm sure someone will be able to answer it, just maybe not in real time20:04
samueldmq_cjones_, lol just ask your question and someone can have your answer20:04
samueldmqdstanek, ++20:04
_cjones_Okay. :)20:04
_cjones_So previously I'd instantiate like this:20:05
_cjones_nova = nova_client.Client('admin', CONF.nova_admin_password, project_name....)20:05
_cjones_Migrating to keystone v3 this no longer works with the admin user.20:06
_cjones_Is there a nice way to extract the credentials of the current tenant admin to pass along?20:06
_cjones_(I know why it doesn't work... because the policies have changed) I just don't know how to rectify.20:07
_cjones_Current nova policy is:20:08
_cjones_    "context_is_admin":  "role:admin",20:08
_cjones_    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",20:08
_cjones_    "default": "rule:admin_or_owner",20:08
_cjones_So I assume we're hitting the "is_admin:True".20:08
bknudsonuse of identity v3 or v2 shouldn't affect nova's policy enforcement.20:09
dstanek_cjones_: when you say "no longer works", what exactly is happening? exception, failure to auth, etc?20:10
samueldmqmorganfainberg, https://github.com/openstack/glance/blob/master/glance/common/auth.py#L122-L12520:10
samueldmqmorganfainberg, glance: try v2 auth, otherwise v1 auth, oh !20:10
morganfainbergyeah20:10
*** e0ne has quit IRC20:12
_cjones_dstanek Thanks. Perhaps a bit premature for question time.20:18
_cjones_bknudson understood. That's why I'm thinking this is more of a policy issue that must change when using v3.20:19
dstanek_cjones_: what is the new policy?20:19
_cjones_dstanek: Sorry. I'm speaking with my keystone guy here. He says that this works with the keystone v2 policy, but using the v3 policy we get 'not authorized'.20:21
dstanekwhat is the v3 policy? the nova policy is not controlled by keystone20:21
_cjones_We're using the one out of the box essentially... policy.v3cloudsample.json20:22
_cjones_I think we're running into an issue of a  obtaining a domain scoped token from keystone, but only need a project scoped token for nova.20:30
samueldmq_cjones_, what are you changing ?20:31
samueldmq_cjones_, just from the default policy.json to policy.v3cloudsample.json ?20:31
_cjones_Changed nothing.20:31
samueldmq_cjones_, or trying to use v3 auth instead of v2 auth ?20:31
_cjones_samueldmq, correct sir.20:31
samueldmq_cjones_, so you just changed the policy20:32
_cjones_samueldmq, also use v3 auth.20:32
samueldmq_cjones_, k so v3 auth is still being adopted by other services20:33
samueldmq_cjones_, you should be able to use v2 auth and policy.v3cloudsample.json20:33
samueldmqbknudson, dstanek ^ am I right ?20:34
_cjones_samueldmq, we are looking for domain support so we need v3.20:36
samueldmq_cjones_, nova still does nothing with domains, it does not even understand domains20:36
samueldmq_cjones_, are you going to implement some support on nova side ?20:36
_cjones_Does it need to? As long as it has authenticated? Is this just a nova policy issue?20:38
samueldmq_cjones_, we're talking about nova policy or keystone policy ?20:39
samueldmq_cjones_, you said you moved from keystone policy.json to keystone policy.v3cloudsample.json, right ?20:39
_cjones_samueldmq: Correct. This has been done.20:39
_cjones_Also using v3 auth.20:40
samueldmq_cjones_, the error happens when you try to instantiate the client ?20:40
samueldmq_cjones_, or when you try a specific operation?20:40
bknudsonthe policy file has no effect on v220:41
*** stevemar has quit IRC20:41
samueldmqbknudson, ++20:41
bknudsonactually there are a couple of v2 operations that use the policy file20:41
bknudson... and, when v2 checks for is_admin it's using the policy file.20:42
samueldmqbknudson, yeah, maybe that instantiating the nova client as he's doing with admin/CONF.nova_admin_password is using the keystone is_admin thing20:43
samueldmqbknudson, and when going to v3cloudsample, that stops working20:43
samueldmqnot sure20:43
bknudsoninteresting... definitely possible.20:43
bknudsonalthough I thought other deployers were using the cloud policy file without problems.20:43
dstanekso reading back...it looks like he is failing to get a project scoped token20:44
samueldmqdstanek, yeah20:44
samueldmqhe's trying to do 2 things here: i) v3cloudsample policy ii) nova use v3 auth20:44
*** ajayaa has quit IRC20:44
*** stevemar has joined #openstack-keystone20:45
*** ChanServ sets mode: +v stevemar20:45
_cjones_samueldmq: Correct. Okay guys. We're going to do a bit more experimenting.20:45
samueldmq_cjones_, could you try to use v2 auth on nova + keystone v3cloudsample20:45
samueldmq_cjones_, change one thing by time, and see what happens :)20:45
_cjones_samueldmq: We can try. I'll let you know when we get a result.20:46
samueldmq_cjones_, great, I am going afk for a bit, but interested on what's happening20:46
dstanek_cjones_: are you able to auth and get the correct token?20:47
_cjones_dstanek: Yes. That's correct.20:47
dstanek_cjones_: then what operation are you trying to perform when you get the unauthorized access error?20:48
openstackgerritBaldemar Silva proposed openstack/pycadf: Add test to cover mask value for utils.mask_value  https://review.openstack.org/17647920:50
_cjones_dstanek: Sorry. It looks like it may be our driver. Give us some more time, I'll be back. Thanks.20:52
*** carlosmarin has left #openstack-keystone20:54
*** csoukup has quit IRC20:56
*** david-lyle_ has joined #openstack-keystone20:58
*** david-lyle has quit IRC20:59
*** raildo has quit IRC20:59
*** mattfarina has quit IRC21:01
dstanekbknudson: if we stop modifying the config global in our tests can't we get rid of this reset? https://review.openstack.org/#/c/162765/2/keystone/tests/unit/core.py21:02
bknudsondstanek: yes!21:03
bknudsonhow do we stop people from modifying the config global in the tests?21:03
morganfainbergdstanek, didn't we mostly move everything to the fixture?21:03
dstanekbknudson: ok, that's what i thought; good question - i can probably rid something for the tests21:03
dstanekmorganfainberg: almost - that's what that patch is trying to do21:03
morganfainbergbknudson, wrap the config global in magic sauce that says DONT DO THAT.21:04
bknudsonnice.21:04
bknudsonmagic sauce21:04
dstanekmorganfainberg: exactly - but in a way that doesn't break the config_fixture - not sure what that actually does yet21:04
dstaneki'll fix up this patch and report back21:04
morganfainbergdstanek, the config fixture works in a specific manner21:04
morganfainbergit sets an override value and clears overrides21:05
bknudsonif there's no magic sauce then that's fine... hopefully reviewers will catch it.21:05
morganfainbergprevent setting non-override values21:05
bknudsony, that should be good enough.21:05
*** tqtran has joined #openstack-keystone21:05
morganfainbergthe conf object does: option( override set? return override, else return real value)21:05
bknudsonif you set an override then the config fixture should take care of it anyways.21:05
morganfainbergexactly21:05
dstanekbknudson: you mean with CONF.set_override?21:06
morganfainbergdstanek, yeah the fixture does that and auto-cleans up after in the tearDown21:06
morganfainbergso preventing direct setting of values but not breaking set_override should be sufficient21:07
dstanekok, on it :-)21:08
morganfainbergdstanek, wow we were really close weren't we21:08
* morganfainberg was looking at that patch21:09
dstanekhaha, it actually handles the case where we would call CONF.set_override ourselves.21:09
*** tqtran has quit IRC21:09
dstanekshould i convert those to use the config fixture too21:09
dstanekmorganfainberg: yes, almost there21:09
morganfainbergyeah i was sure that was almost all cleaned up juno-ish21:10
*** stevemar has quit IRC21:13
*** david-lyle_ has quit IRC21:15
*** david-lyle has joined #openstack-keystone21:15
*** alexsyip has quit IRC21:16
*** rdo has quit IRC21:19
*** gyee has quit IRC21:20
*** david-lyle has quit IRC21:21
*** rdo has joined #openstack-keystone21:21
dolphmso for stable/juno, since the ldap identity driver wasn't multi-domain aware, there's basically no way to use heat? (which depends on domains & trusts)21:24
morganfainbergdolphm, LDAP identity driver is still not multi domain aware.21:24
dolphmhenrynash: morganfainberg: ^ ?21:24
EmilienMayoung: your reply on puppet-keystone is much appreciated, thanks. I'll poke you when needed :-)21:24
morganfainbergdolphm, juno has henrynash's mapping thing right?21:24
dolphmmorganfainberg: right, but at least in kilo, heat can create additional domains and stick users in them (sql-backed)21:25
morganfainbergdolphm, you'd need to make the LDAP domain a per-domain identity configuration21:25
ayoungdolphm, heat can't do temporary users in their own domain if LDAP is not writable21:25
morganfainbergdolphm, if you make the default driver ldap you can't make extra domains21:25
dolphmmorganfainberg: in juno, does heat require just one domain, or the ability to create new domains?21:25
ayoungyou have it right dolphm21:25
morganfainbergdolphm, not sure.21:25
morganfainbergdolphm, i think they always try to do more than 1 domain21:25
ayoungthey were copying creds around back then I think21:25
ayoungmorganfainberg, I'd have to look at the time frame when they switched to that21:26
ayoungdolphm, Juno I think you could do this:21:26
*** gyee has joined #openstack-keystone21:26
*** ChanServ sets mode: +v gyee21:26
morganfainbergdstanek, holy crap.21:28
morganfainbergdstanek, looks like we have 3 libs in all our requirements for keystone not py3 compat.21:28
morganfainbergdstanek, ldap, ldappool, and pysqlite21:29
morganfainbergwe... might be able to hit py3 compat this cycle .21:29
dolphmmorganfainberg: so for a mysql-only deployment, all our deps work on py3?21:29
*** openstackgerrit has quit IRC21:29
morganfainbergdstanek, yep.21:29
morganfainbergdolphm, ^ yep21:29
dolphm:)21:29
*** openstackgerrit has joined #openstack-keystone21:30
morganfainbergdolphm, i haven't tested this. nor have I tested this with mod_wsgi21:30
morganfainbergdolphm, but purely python install wise. it works21:30
morganfainbergdolphm, i think we can aim for py34 this cycle too.21:30
morganfainbergwoo21:30
dolphmthen it'll work in httpd21:30
dstanekmorganfainberg: yes, we are really close21:31
morganfainbergdstanek, how broken / awesome is: https://pypi.python.org/pypi/ldap3 ?21:34
morganfainbergdstanek, because i think that is our major blocker21:34
morganfainbergldappool we could re-implement py3 friendly if needed.21:35
dstanekmorganfainberg: my understanding is that it has a different API than python-ldap21:36
morganfainbergso not drop-in21:36
dstanekand python-ldap's impl needs love from what i understand21:36
morganfainbergbut the question is, if we moved to ldap3 (whole-sale)21:36
morganfainbergwould we win?21:36
morganfainbergbtw: python-memcached looks to be py3 compat.21:37
dstaneknot sure, i don't know much about the state of ldap in python21:37
*** david-lyle has joined #openstack-keystone21:37
dstanekno there is still some issues there21:37
morganfainbergdstanek, i might take a crack at converting us to ldap321:38
morganfainbergif it looks good go through the g-r dance21:38
dstaneki say go for it21:39
morganfainbergthough it might be a good deal slower since python-ldap has c-bindings21:39
morganfainbergand we likely will need to implement our own ldappool21:40
morganfainbergbut thats not the end of the world.21:40
dstanekdo we need a pool if we get rid of eventlet21:40
dstanek?21:40
morganfainbergit helps not tearing down and restarting the connection21:40
morganfainberghowever we accomplish that21:40
dstanekyou just need a single connection to sit around21:41
morganfainbergoh ldap3 already has pooling21:44
morganfainbergnead21:44
morganfainbergneat*21:44
*** sdake has quit IRC21:44
*** bknudson has quit IRC21:46
*** edmondsw has quit IRC21:47
*** dramakri has joined #openstack-keystone21:48
dstanek"that was easy"21:55
*** tqtran_afk is now known as tqtran22:01
*** bknudson has joined #openstack-keystone22:05
*** ChanServ sets mode: +v bknudson22:05
*** openstackgerrit has quit IRC22:11
*** openstackgerrit has joined #openstack-keystone22:11
*** david-lyle_ has joined #openstack-keystone22:20
*** david-lyle has quit IRC22:20
*** _cjones_ has quit IRC22:25
*** _cjones_ has joined #openstack-keystone22:25
*** hogepodge has quit IRC22:27
*** sdake has joined #openstack-keystone22:32
*** hogepodge has joined #openstack-keystone22:32
samleonayoung, just looked at your basic auth path, it is a good  idea to support the standard http authentication in ks, but what i am not sure if you wanted my x509 patch to support the basic auth as well?22:33
*** gordc has quit IRC22:47
*** joesavak has quit IRC22:55
*** david-lyle_ has quit IRC22:57
*** stevemar has joined #openstack-keystone23:01
*** ChanServ sets mode: +v stevemar23:01
morganfainbergayoung, will be looking at accessinfo tonight23:06
morganfainbergayoung, finally done with meetings.23:06
*** thedodd has quit IRC23:13
*** bandwidth has quit IRC23:14
morganfainbergdstanek, ok so ldap3 is pretty freaking cool23:22
morganfainbergdstanek, has an abstraction layer23:22
dstanekabstraction over what?23:23
dstanekturns out making the CONF read-only isn't as easy as i hoped23:23
morganfainberghttps://ldap3.readthedocs.org/en/latest/abstraction.html23:23
dstanekduring the runtime of the test CONF.clear() is called and that actually does some setattr stuff23:23
*** david-lyle has joined #openstack-keystone23:24
dstanekoh, neat. kinda like an orm23:24
morganfainbergyeah23:25
openstackgerritDavid Stanek proposed openstack/keystone: Fixes tests to use the config fixture  https://review.openstack.org/16276523:25
dstanekmorganfainberg: what do you think of https://review.openstack.org/#/c/126030/ for the short term?23:26
morganfainbergsec23:26
*** markvoelker has quit IRC23:26
*** sigmavirus24 is now known as sigmavirus24_awa23:27
*** rushil has quit IRC23:30
*** sdake has quit IRC23:39
morganfainbergdstanek, ok off the phone23:52
morganfainberglooking23:52
morganfainbergdstanek, honestly23:52
morganfainbergdstanek, i'd rather spend time on functional testing.... butttttttt...23:52
morganfainbergas a quick interim fi23:52
morganfainbergfix23:52
morganfainbergthat looks reasonable23:52
dstanekthere's actually nothing more to do on that patch. just a small amount of docs. after that goes in there would be some added checking on the FKs for us23:55
morganfainbergdstanek, like i said23:55
morganfainbergfor a quick interim fix23:55
morganfainbergwfm23:55
morganfainbergi just want to kill sqlite in keystone23:55
morganfainberg"they'll be none of that"23:56
stevemardo it do it23:56
morganfainbergs/they'll/there'll/23:56
morganfainbergstevemar, need functional testing up and running23:56
morganfainbergstevemar, so we can validate everything works as expected23:56
stevemarmorganfainberg, i have nothing to deliver this release it seems23:56
stevemartopes hasn't told me anything insane23:56
morganfainbergstevemar: /me hands stands you on quicksand, hands you the bus labeled "Stable ABIs"23:57
* morganfainberg runs23:57
stevemari was thinking functional tests with stanek, or the sqlite stuff23:57
stevemaror moving extensions to core23:58
stevemaror more notifications23:58
stevemarbut i'm not committed to anything23:58
stevemarwee23:58
stevemari'll make keystone-identity-provider and split the code base23:58
dstanekmorganfainberg: what will we use on our unit tests? just mocks?23:58
morganfainbergdstanek, restful test cases are functional right?23:59
morganfainbergdstanek, what outside of the restful cases are using a DB?23:59
dstanekyes, but the backend tests are not23:59
morganfainbergdstanek, drizzle? :P23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!