Wednesday, 2015-04-29

02:08 <openstackgerrit> Merged openstack/keystone: Allow wsgiref to reconstruct URIs per the WSGI spec  https://review.openstack.org/177427
03:42 <openstackgerrit> Kun Huang proposed openstack/python-keystoneclient: Use "RegionOne" as default region  https://review.openstack.org/173165
05:08 <breton> wow, no one chatted since meeting
05:08 <breton> good morning.
06:16 <openstackgerrit> Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together  https://review.openstack.org/133135
06:20 <openstackgerrit> Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together  https://review.openstack.org/133135
06:24 <openstackgerrit> Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together  https://review.openstack.org/133135
09:03 <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/167675
09:03 <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog  https://review.openstack.org/176383
09:04 <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog  https://review.openstack.org/176383
09:35 <rlt_> hello. If I deploy two OpenStack clouds in Kilo (two Keystones) in multi-region with one common LDAP, and I want a user to be able to switch region without re-authentication, is the only solution Keystone federation (K2K)?
09:35 <marekd> rlt_: hi. K2K is rather for two separate clouds.
09:36 <marekd> rlt_: I think you should be able to use your token for every region in your cloud. You may need to rescope it, but not likely re-auth.
09:39 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Deprecate auth.identity.v3.federated module  https://review.openstack.org/177704
09:41 <rlt_> marekd, OK so it is possible to use a token provided by one Keystone for another region than its own Keystone? (without a shared database)
09:42 <marekd> rlt_: what is "own Keystone"?
09:45 <rlt_> marekd: I rephrase: if a Keystone A in region A provided a token X, how could this token X work in a region B (with Keystone B)?
09:46 <marekd> rlt_: they share the DB, right?
09:46 <rlt_> No, without a shared DB
09:46 <marekd> rlt_: I haven't checked myself, but I'd say it should work as is.
09:46 <rlt_> marekd: No, without a shared DB
09:47 <marekd> rlt_: ah, you said they shared the DB. OK, so you need re-auth. But keep in mind that regions were used in the K2K solution, but they no longer do that.
09:49 <rlt_> marekd: OK, so if I want the user to not need re-auth, I must implement the K2K solution. Is that right?
09:49 <marekd> if you have completely separate clouds you will likely want to use federation, K2K in particular.
09:50 <marekd> but also mind that right now (in Kilo for instance) you will not configure regions for that,
09:50 <marekd> rather objects called service providers.
09:51 <marekd> https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#service-providers
10:02 <rlt_> marekd: Currently I have an OpenStack platform in a country in eastern Europe, and I want to create a second OpenStack platform in a new datacenter in France. I would like users on the primary platform to be able to use the second platform in France without re-authentication.
10:03 <rlt_> marekd: So for me, it's completely separate clouds, no?
10:05 <rlt_> marekd: And I need to configure a region for that. But maybe I'm wrong.
10:14 <ajayaa> marekd, hi, I see a few new tables which were recently added in Keystone, e.g. consumer, access_token, request_token. Which spec do they correspond to?
10:14 <ajayaa> Were they added in Kilo?
10:17 <marekd> rlt_: So if you want to have multiple DCs as one cloud you can install OpenStack in France now, but replicate/use a single Keystone DB
10:18 <marekd> and only add one region pointing to France
10:18 <openstackgerrit> liusheng proposed openstack/python-keystoneclient: Use openstack common util method to find name-or-id resource  https://review.openstack.org/178594
10:19 <marekd> then you will not need to re-auth once you change the region, however you will be obliged to specify in what region you want to spin a VM or sth.
10:19 <marekd> rlt_: for the Keystone DB you can either point to one DB or replicate them somehow.
10:20 <marekd> once you have it you may try different token types, like PKI or Fernet, that would allow you to skip those long RTTs
10:20 <marekd> Federation is rather for setups between clouds under different jurisdiction, say, my private cloud and some public cloud where I am bursting into.
10:21 <marekd> ajayaa: which versions are you comparing?
10:22 <rlt_> marekd: Yes, but I can't use a single or replicated Keystone DB because of the response time between the two different datacenters
10:22 <ajayaa> marekd, I am talking about master.
10:23 <ajayaa> I am just trying to figure out which table came in which release.
10:23 <marekd> rlt_: because of the RTT, right?
10:23 <rlt_> yes
10:25 <marekd> ajayaa: I don't have all the impl details in my mind; if you really need to do so (may I ask why?) I suggest going through the Keystone code where the corresponding models are added and looking for the commits that added them. Commit messages should also have the BPs that implement this.
10:26 <marekd> rlt_: that's what we do at CERN in fact....
10:26 <marekd> rlt_: but we have a dedicated link between DCs
10:26 <marekd> rlt_: anyway, your problem is probably replication of tokens/authentications, then you may want to use some tokens like PKI/Fernet
10:27 <marekd> where you don't necessarily have to always ask Keystone on token validity
10:33 <rlt_> marekd: OK, so if I understood, I need to use tokens like PKI/Fernet in an environment with replication or a shared Keystone DB inevitably?
10:34 <marekd> rlt_: I think so. And you can also ask some operators how they deal with such problems.
10:36 <samueldmq> morning
10:36 <marekd> hey
10:36 <samueldmq> marekd, hey what's up :)
10:36 <samueldmq> henrynash, hi, you also around?
10:36 <marekd> samueldmq: not bad.
10:37 <samueldmq> )
10:37 <samueldmq> marekd, btw, I have a question for you
10:37 <marekd> fire away (as ayoung always says)
10:37 <samueldmq> marekd, one of the BPs in kilo-1 was https://blueprints.launchpad.net/keystone/+spec/openid-connect
10:38 <marekd> yep
10:38 <samueldmq> marekd, I need to put this in the release notes, how do you describe this?
10:38 <samueldmq> marekd, "Keystone now supports OpenID protocol for the Federation extension ..."
10:38 <samueldmq> something like that?
10:39 <marekd> samueldmq: yes.
10:39 <marekd> samueldmq: in fact this was more a matter of configuration/testing rather than some coding, but yes, this work was needed either way, so we should announce that.
10:40 <samueldmq> marekd, you have a link to a relevant doc?
10:40 <samueldmq> marekd, I am bugging you on this to make it faster :p
10:40 <marekd> samueldmq: you can bug me on everything.
10:40 <marekd> samueldmq: but what link are you expecting?
10:41 <marekd> https://review.openstack.org/#/c/132706/ maybe this?
10:41 <samueldmq> marekd, official doc?
10:41 <marekd> https://review.openstack.org/#/c/132706/6/doc/source/extensions/openidc.rst
10:42 <samueldmq> marekd, in this case http://docs.openstack.org/developer/keystone/extensions/openidc.html
10:42 <samueldmq> ; )
10:42 <rlt_> marekd: But why could K2K federation not answer my problem? Because I could consider that I have two clouds (two datacenters in different countries). So with K2K a token provided by one Keystone in one cloud could be used on the other cloud, no?
10:43 <marekd> samueldmq: whatever works for you :-)
10:43 <ajayaa> marekd, I was looking for a shortcut. I think I will have to do it the hard way. Thanks anyway.
10:44 <ajayaa> shortcut to know about these new tables and their roles.
10:44 <marekd> rlt_: no. There is a rule "one token per cloud".
10:44 <marekd> rlt_: so you'd need to re-auth, and treat them as separate clouds
10:44 <samueldmq> marekd, you look to be the single core always up early in the morning
10:44 <marekd> samueldmq: henry is also here very often.
10:44 <samueldmq> marekd, so you are the bugging entrypoint :p
10:45 <marekd> samueldmq: I feel very lonely here
10:45 <marekd> samueldmq: it's because I live in Europe, so it's my lunch time now.
10:45 <marekd> samueldmq: and TBH I don't like that most of the stuff misses me because it's evening.
10:45 <marekd> or middle of the night.
10:45 <samueldmq> marekd, yes he is, but I think he must be doing some extraordinary coding :p
10:45 <samueldmq> henrynash, ^ :p
10:46 <samueldmq> marekd, ahah it's 7:46 am here
10:46 <marekd> I know that.
10:47 <marekd> usually ppl ping me when I am just about to hibernate my computer
10:48 <rlt_> marekd: ok thanks, I'll maybe annoy you with more questions this afternoon still :-)
10:48 <marekd> rlt_: sure.
10:48 <marekd> :-)
10:49 <samueldmq> marekd, we support OpenID 2.0? http://openid.net/specs/openid-authentication-2_0.html
10:49 <samueldmq> marekd, is it this one?
10:49 <samueldmq> marekd, found this link in the BP, just want to make sure
10:50 <marekd> samueldmq: we support whatever the Apache module supports
10:50 <marekd> samueldmq: I think you can leave 'OpenID' protocol
10:50 <samueldmq> marekd, ++
10:50 <marekd> without detailed versions.
10:50 <samueldmq> marekd, btw, it's here https://etherpad.openstack.org/p/keystone-kilo-release-notes
10:50 <samueldmq> marekd, feel free to validate/add something if you want
10:51 <marekd> samueldmq: ok, after the lunch :-)
10:51 <marekd> bbl
10:52 <samueldmq> marekd, bon appétit
11:07 <samueldmq> where are the docs at keystone-specs api/v3/ published?
11:51 <ajayaa> Hi guys. I am trying out the HMT feature in Keystone and I created projects in a tree structure. But when I call /projects/<id>?subtree_as_list on the root project, I see nothing except the root project.
11:52 <ajayaa> I am using latest master using devstack.
11:53 <ajayaa> Any idea on what I am doing wrong?
11:56 <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/167675
11:58 <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog  https://review.openstack.org/176383
12:13 <morganfainberg> jamielennox: Keystoneauth is in gerrit
12:13 <morganfainberg> samueldmq: specs.openstack.org
12:13 <samueldmq> ayoung, hi, need to talk about how we solve the admin global bug with the new dynamic policy approach
12:14 <samueldmq> ayoung, need to clarify on the specs
12:14 <samueldmq> morganfainberg, great, I thought there was a link on docs.openstack.org
12:14 <amakarov> morganfainberg, hi! We have a problen in requirements for stable/kilo: stevedore>=1.1.0 in KSC and stevedore>=1.3.0,<1.4.0 in global requirements
12:14 <samueldmq> morganfainberg, https://etherpad.openstack.org/p/keystone-kilo-release-notes
12:14 <amakarov> s/problen/problem/
12:15 <samueldmq> morganfainberg, the etherpad for release notes me and dolphm are working on
12:15 <amakarov> Should I file a patch for kilo?
12:16 <morganfainberg> amakarov: please speak with the release mgmt team about that. The g-r update was held up intentionally. dhellmann might bring insight to it. There will be a subsequent release of ksc and ksm, but I don't know the details on requirements for it
12:16 <amakarov> morganfainberg, thanks!
12:16 <morganfainberg> samueldmq: I'm about to go offline for the day. Thanks for working on the release notes with Dolph.
12:17 <morganfainberg> I will look over the release notes when I hit LA tonight.
12:18 <samueldmq> morganfainberg, np, have a nice trip
12:23 <ajayaa> Hi guys. I am trying out the HMT feature in Keystone and I created projects in a tree structure. But when I call /projects/<id>?subtree_as_list on the root project, I see nothing except the root project.
12:23 <ajayaa> Is there something which I am missing?
12:23 <rodrigods> ajayaa, the user performing the call needs to have access to the bottom project as well
12:24 <rodrigods> i.e., have a role assignment in this project
12:24 <ajayaa> rodrigods, on all the children nodes?
12:24 <rodrigods> ajayaa, for every project in the subtree, Keystone will only return the ones the user performing the call has access to
12:25 <rodrigods> ajayaa, if you want a complete list, despite access privileges but only with "ids",
12:25 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Add docstrings for ``protocol`` parameter  https://review.openstack.org/177303
12:25 <rodrigods> you may call ?subtree_as_ids
12:25 <marekd> rodrigods: look at my comment here and see if I am right: https://review.openstack.org/#/c/172647/6/keystone/contrib/federation/idp.py
12:26 <rodrigods> marekd, yes you are
12:26 <ajayaa> rodrigods, I thought if I have a role x on a project y then I should get role x on all children of project y.
12:26 <rodrigods> marekd, already working to address your review, thanks for that btw
12:26 <marekd> rodrigods: no problem.
12:26 <raildo> ajayaa, for this, you can use inherited role assignments.
12:27 <rodrigods> ajayaa, we have two different types of roles: a role that is inherited to the subtree or not
12:27 <rodrigods> raildo, ++
12:27 <ajayaa> ohh... Do I have to create an inherited role?
12:27 <rodrigods> ajayaa, yes
12:28 <rodrigods> ajayaa, but we have a bug where you can't have the same role assignment being inherited or not in the same target
12:28 <rodrigods> samueldmq is working on a fix for it
12:29 <ajayaa> rodrigods, I am following https://github.com/openstack-attic/identity-api/blob/master/v3/src/markdown/identity-api-v3.md
12:29 <samueldmq> rodrigods, ++
12:29 <samueldmq> ajayaa, https://review.openstack.org/#/c/142472/
12:29 <samueldmq> btw, we need reviews on this
12:29 <samueldmq> henrynash, marekd ^
12:29 <ajayaa> rodrigods, How do I create an inherited role?
12:30 <raildo> ajayaa, you can do this: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-inherit-ext.rst#assign-role-to-user-on-projects-in-a-subtree
12:30 <marekd> samueldmq: ok, I will once I am done with stuff here.
12:30 <rodrigods> ajayaa, you need to activate the extension as well
12:30 <ajayaa> okay.
12:31 <raildo> ajayaa, it's a normal role... you just inherit the assignment.
12:31 <ajayaa> Is the extension going to be merged into the main API in future?
12:31 <raildo> ajayaa, probably... this is what we want to do. :)
12:31 <ajayaa> I was under the impression that Keystone was doing away with extensions.
12:32 <ajayaa> raildo, That would be nice.
12:32 <ajayaa> Thanks for all the help. :)
12:32 <raildo> ajayaa, any other question about HMT or inherited role assignments, you can ask us :)
12:33 <ajayaa> raildo, Thanks, will do
12:33 <ajayaa> !
12:41 <ayoung> mabrams, actually, better to discuss the hierarchical thing here.
12:45 <ayoung> mabrams, was that auth required error only on the hierarchical one? Was it right after creating the parent project?
12:46 <ayoung> Let me try the same commands...
12:46 <mabrams> ayoung: yes
12:47 <ayoung> mabrams, let me see if there is some pre-req we need to set up before the hierarchical stuff works. It should be in the docs dir...
12:48 <ayoung> mabrams, http://git.openstack.org/cgit/openstack/keystone/tree/doc/source/extensions.rst#n111
12:49 <ayoung> mabrams, usually an extension needs to be enabled. Let's see
12:49 <ayoung> http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html
12:49 <ayoung> ah, disregard... wrong inherit
12:50 <ayoung> raildo, does HMT need to be specifically enabled?
12:54 <ayoung> mabrams, I'm guessing that the problem is inheritance of roles. You have permission from the domain to create the parent project, but because you create the child within that project, you need a token scoped to that project to create the child? Something like that. I'm going to try it myself
12:55 <ayoung> samueldmq, we don't have support for HMT in the common client yet, right?
12:59 <rodrigods> ayoung, https://review.openstack.org/#/c/166373/
12:59 <rodrigods> and
13:00 <rodrigods> https://review.openstack.org/#/c/123539/
13:00 <ayoung> rodrigods, so you are saying I should review that...
13:00 <ayoung> heh thanks
13:01 <rodrigods> ayoung, and HMT is not an extension, it is supported by default
13:01 <ayoung> rodrigods, right, I got confused with the role inheritance
13:02 <ayoung> which is an extension, but probably needs to be core. I think that it is the solution to the global admin issue
13:02 <rodrigods> ayoung, ++
13:04 <rodrigods> ayoung, related to HMT and inherited roles: https://review.openstack.org/#/c/142472/
13:04 <ayoung> rodrigods, I remember that one... I had some questions about the impl... let's hold off on that for a moment
13:04 <rodrigods> ok...
13:05 <samueldmq> ayoung, yeah, role inheritance will probably be core when we start dropping extensions in favor of in-tree, etc...
13:06 <samueldmq> ayoung, I need to understand how the dynamic policy thing will solve/help to solve the long-standing bug in the admin-ness scope
13:06 <ayoung> samueldmq, I want people to get tokens scoped to the project for which they are operating
13:07 <ayoung> so if you are a global admin, you need a way to get a role for all subordinate projects
13:07 <ayoung> and then when you perform an action there, instead of using your global token, you use one you get via inheritance
13:12 <samueldmq> ayoung, subordinate projects are projects in the subtree (hierarchical projects)?
13:13 <ayoung> samueldmq, yes
13:14 <samueldmq> ayoung, wait... but the bug today occurs even if there is no relationship between projects
13:14 <samueldmq> ayoung, they may be in different subtrees
13:14 <ayoung> samueldmq, projects are always under a domain
13:15 <ayoung> mabrams, still working to reproduce.
13:15 <samueldmq> ayoung, yes, but projects with different domains can also be affected by that bug
13:15 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/176746
13:16 <ayoung> samueldmq, we need one big hierarchy. Then there is a root domain, and admin on the root domain is admin all the way down... until reseller hits.
13:16 <mabrams> ayoung: thx a lot; I gotta hop in a few; I'll have the history.
13:16 <ayoung> mabrams, I'll have it as a bash script, which is why it is taking slightly longer
13:16 <samueldmq> ayoung, yes, so you want a way to easily allow the global admin if people want it
13:16 <mabrams> ayoung: gotcha; just lemme know where I can pick it up
13:16 <ayoung> samueldmq, ++
13:17 <samueldmq> ayoung, but this doesn't solve the bug
13:17 <samueldmq> ayoung, I like the idea, it would be clearer, but the bug...
13:17 <ayoung> samueldmq, we won't be closing out this bug in Kilo, but maybe in Liberty
13:18 <samueldmq> ayoung, this approach we discussed above doesn't solve the bug
13:18 <samueldmq> ayoung, what solves it is to check scope in each API endpoint
13:19 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping  https://review.openstack.org/177227
13:19 <samueldmq> ayoung, this way you block the global admin
13:19 <samueldmq> ayoung, the approach you described allows the global admin in a fashion, I like that
13:19 <samueldmq> ayoung, but it's a separate thing
13:20 <ayoung> nope
13:20 <ayoung> we need dynamic policy as well
13:20 <ayoung> because we can't break people, but we can provide them a way to unbreak themselves
13:20 <ayoung> if we dismiss the admin, they will have no way to perform an essential use case. We need the inherited roles to give them back that way
13:22 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping  https://review.openstack.org/177227
13:24 <samueldmq> ayoung, so how would people using the global admin now be able to migrate to local admins
13:24 <samueldmq> ?
13:24 <samueldmq> ayoung, one way to do so is by adding scope checks on their policies themselves, right?
13:24 <ayoung> samueldmq, yes
13:24 <samueldmq> ayoung, another would be using your approach, how should that work?
13:24 <ayoung> samueldmq, that is baseline
13:25 <ayoung> samueldmq, my approach is based on all policy being scoped
13:25 <samueldmq> ayoung, I want to migrate to it, so I activate an extension/switch whatever to make everything scoped?
13:26 <samueldmq> ayoung, and then create new inherited role assignments to make global admins?
13:27 <ayoung> samueldmq, I think the process to migrate will need to be laid out. I think step by step, it would be: get everything under one root domain, enable inherited roles, assign admin to someone on root, then update the policy roles to have scope on each.
13:27 <ayoung> make sense?
13:27 <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Dual Scoped Token  https://review.openstack.org/176054
13:27 <ayoung> samueldmq, you could avoid the global admin role by explicitly giving one (or a set) of users admin on each domain
13:28 <ayoung> but then you have to make sure you always add a new role assignment when you create a new domain
13:28 <samueldmq> ayoung, yes, we can create a group of global_admins and then make admin inherited on every domain
13:28 <ayoung> ++
13:28 <ayoung> samueldmq, we can give people a range of options, without forcing them to break things
13:28 <samueldmq> ayoung, and add the scope checks on every API entry in the policies
13:29 <ayoung> yep
13:29 <samueldmq> ayoung, so actually it can be solved today, right?
13:29 <ayoung> and having the policy served out of Keystone, and having a tool that checks the result of policy changes both make this a safer process
13:30 <ayoung> samueldmq, I think the rewriting of the policy rules needs to be more controlled than it is today. So, in theory, yes.... in practice, not so much
13:30 <samueldmq> ayoung, what's that tool? you already said that in the specs?
13:30 * samueldmq is interviewing ayoung to get info to detail as much as we can the specs :-)
13:31 <ayoung> samueldmq, I posted a review for the start of the tool
13:31 <samueldmq> ayoung, k, will take a look
13:31 <samueldmq> ayoung, I understood the process above, and I agree with you
13:31 <ayoung> https://review.openstack.org/#/c/170978/
13:31 <samueldmq> ayoung, but I don't see the clue in inherited roles (I see inherited assignment)
13:32 <ayoung> samueldmq, raildo, rodrigods please make sure you add me to any reviews you actually want me to see... I'm so far behind that I am going to prioritize those I am already a reviewer on, and doubt I will get through that list
13:33 <raildo> ayoung, sure. thanks!
13:33 <samueldmq> ayoung, ack
13:34 <ayoung> samueldmq, so... if you were using that tool, what you would see is that a global token (admin on the default domain, say) would stop working, but a token scoped to the project would then start working, and the user could confirm that they could get a token for that project
13:34 <samueldmq> ayoung, yes, and this is inherited role assignments
13:34 <samueldmq> ayoung, not inherited roles
13:35 <ayoung> inherited roles will show up in the policy file
13:35 <ayoung> ...let's choose a better name
13:35 <ayoung> so there is no conflict. I liked implied roles...
13:35 <ayoung> but you get the general flow?
13:35 <samueldmq> ayoung, yeah they will give more power, but are not essential to solve the issue with the approach we are discussing so far
13:35 <samueldmq> ayoung, you agree?
13:36 <ayoung> implied? Not essential, but the rules will quickly become unmanageable without. I think they are required
13:36 <ayoung> I'd not want to try to fix it without implied roles, at least hard coded into the policy file
13:36 <samueldmq> ayoung, yes they are essential, I am not against this....
13:37 <ayoung> ++
13:37 <samueldmq> ayoung, I am just trying to separate the essential vs the core
13:37 <ayoung> ok... let me try to create a hierarchical project now
13:37 <samueldmq> oops, the core vs wishlist
13:37 <samueldmq> ayoung, the essential flow is around inherited role assignments, dynamically modifying the policy and having a tool to check the changes
13:37 <samueldmq> ayoung, nice, I will be checking everything we discussed against the specs
13:38 <samueldmq> ayoung, thanks
13:52 <dstanek> we have all of these policy ideas written up as specs, right?
13:54 <samueldmq> dstanek, I am not sure :p
13:54 <samueldmq> dstanek, that's what I am doing now
13:55 <samueldmq> dstanek, ensuring things are clearly described in the specs
13:55 <samueldmq> dstanek, what are the problems we are trying to solve with each step, etc
13:57 <samueldmq> dstanek, sorry, need to go afk for a bit, get the kid at school :)
13:58 <dstanek> samueldmq: np, forward me any specs you find interesting - I'm starting my pre-summit reading
13:58 <samueldmq> dstanek, great, will do
14:05 <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/158372
14:05 -openstackstatus- NOTICE: gerrit has been restarted to clear a stuck events queue. any change events between 13:29-14:05 UTC should be rechecked or have their approval votes reapplied to trigger jobs
14:06 <openstackgerrit> Henrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/143763
14:08 <openstackgerrit> Henrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/143763
14:25 <marekd> is it okay to reference Keystone patches to BPs from a different project (Congress in this particular case)?
14:25 <marekd> https://blueprints.launchpad.net/openstack/?searchtext=api-validation
14:25 <marekd> lbragstad: ^^
14:37 <lbragstad> marekd: responded
14:39 <bknudson> maybe we need a new blueprint for the work that continues in L.
14:56 <marekd> lbragstad: thanks.
14:56 <marekd> lbragstad: me too
*** samueldmq_ has joined #openstack-keystone14:56
*** samueldmq_ has quit IRC14:56
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Ignore cover directory  https://review.openstack.org/17870714:57
*** sirushti has left #openstack-keystone14:58
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742715:00
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:00
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418015:00
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837215:00
*** packet has joined #openstack-keystone15:02
*** browne has joined #openstack-keystone15:02
*** ajayaa has joined #openstack-keystone15:05
*** erkules_ is now known as erkules15:08
*** erkules has joined #openstack-keystone15:08
*** erkules has left #openstack-keystone15:13
*** itlinux has quit IRC15:15
bknudsonis https://review.openstack.org/#/c/153803/ re-proposing fernet tokens?15:16
*** itlinux has joined #openstack-keystone15:28
openstackgerritMerged openstack/keystonemiddleware: Drop use of 'oslo' namespace package  https://review.openstack.org/17836015:35
openstackgerritMerged openstack/keystonemiddleware: Remove superfluous / spammy log line  https://review.openstack.org/17829215:35
*** iamjarvo has quit IRC15:36
*** kiran-r has joined #openstack-keystone15:39
*** stevemar has joined #openstack-keystone15:42
*** ChanServ sets mode: +v stevemar15:42
*** rushiagr_away is now known as rushiagr15:46
*** browne has quit IRC15:46
stevemarwhich channel do requirements folks hang out?15:47
openstackgerritMerged openstack/keystone: Update sample config  https://review.openstack.org/17754415:48
*** samleon has quit IRC15:50
*** samleon has joined #openstack-keystone15:52
*** _cjones_ has joined #openstack-keystone15:52
*** rm_work is now known as rm_work|away15:53
*** jsavak has quit IRC16:03
openstackgerritMerged openstack/python-keystoneclient: Document non-standard encoding of the PKI token.  https://review.openstack.org/17623016:04
ayoungbknudson, morganfainberg https://github.com/simo5/jwcrypto16:05
ayoungmabrams, http://adam.younglogic.com/2015/04/creating-hierarchical-projects-in-keystone/16:06
bknudsonforget SAML!16:07
bknudsonand the PKI tokens!16:08
openstackgerritMerged openstack/keystonemiddleware: Remove unused iso8601 dependency  https://review.openstack.org/17783116:08
bknudsonlooks like JWT is the new SAML16:09
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376316:10
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837216:10
stevemarbknudson, jwt is pretty nice16:10
bknudsonstevemar: does anything support it?16:10
*** jistr has quit IRC16:11
*** alexsyip has joined #openstack-keystone16:12
bknudsonthis is neat: http://jwt.io/16:12
bknudsonit says there's already a pyjwt16:13
bknudsonhttps://pypi.python.org/pypi/PyJWT/1.1.016:15
ayoungbknudson, yeah, but simo uses Python-cryptography16:15
bknudsonhttps://github.com/jpadilla/pyjwt use python-cryptography as far as I can tell16:15
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742716:15
stevemarbknudson, jwt is nice cause it's all json16:15
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837216:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376316:16
bknudsonJSON with XML in it?16:16
bknudson{ "xml": "<XML> </XML>"}16:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418016:16
stevemarbknudson, you just made me cringe16:17
*** josecastroleon has quit IRC16:17
bknudsonit meets all the requirements.16:18
*** chlong has quit IRC16:19
stevemarbknudson, identity v4 - jwt16:19
stevemarbit of trivia, it's pronounced "jot"16:20
*** pcaruana has quit IRC16:22
*** gyee has joined #openstack-keystone16:25
*** ChanServ sets mode: +v gyee16:25
ayoungbknudson, why'd you think he was using python-cryptography?  I don't see a requirements.txt, and none of his python files seem to import from it.  He only uses hmac and hashlib AFAICT16:26
bknudsonayoung: RSA and ECDSA signatures depend on the recommended cryptography package (0.8+).16:27
bknudsonhttps://github.com/jpadilla/pyjwt16:27
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Update README.rst and remove ancient reference  https://review.openstack.org/17875916:29
*** mattfarina has joined #openstack-keystone16:34
*** mattfarina has quit IRC16:34
*** zzzeek has joined #openstack-keystone16:44
marekdayoung: wasn't jwt described on rh security blog some time ago?16:47
*** itlinux has quit IRC16:48
ayoungbknudson, marekd yeah16:48
marekdi am wondering if jwt as a transport layer only can fully replace saml16:48
ayoungmarekd, on ECP, why do we assume we should do  IdP instigated ?16:48
marekdhmm?16:49
ayoungshouldn't we only take that shortcut if necessary16:49
marekda shortcut instead of what? sp->idp->sp ?16:49
ayoungmarekd, from jdennis " it doesn't look like they are doing full ECP, rather it appears they are doing  IdP initiated responses and only doing 1 step of the ECP process, returning a PAOS response."16:50
ayoungyeah, it needs to be sp initiated (with a nonce) in order to not be a bearer token.  I can't see why we would want to even make that optional, but it should certainly be the norm16:51
marekdayoung: i emailed him on Monday, i don't know what he meant exactly. In fact ECP code in KSC hits SP first16:56
ayoungmarekd, he's still out, unfortunately16:57
rodrigodsayoung, marekd, there are some steps in ECP that K2K doesn't perform (is that what you are talking about?)16:58
ayoungrodrigods, not K2K16:59
ayoungrodrigods, the federation auth plugin16:59
marekdi need to step away for a while17:00
*** joesavak has joined #openstack-keystone17:08
samueldmqjust to make sure, we can use v2 api with v3 tokens, can't we ?17:08
marekdrodrigods: ubuntu@devstack:~/devstack/accrc/demo$ OS_IDENTITY_API_VERSION=3 OS_AUTH_URL=http://128.142.132.173:5000/v2.0 openstack server list17:09
marekdWARNING: openstackclient.shell Possible error authenticating: Could not determine a suitable URL for the plugin17:09
marekdERROR: openstack Could not determine a suitable URL for the plugin17:10
marekdsamueldmq: ^^17:10
stevemarnope17:10
*** aix has quit IRC17:10
stevemarsamueldmq, the v2 API wouldn't know how to handle v3 tokens17:10
stevemarthe v3 API can handle v2 tokens (i think...)17:11
marekdstevemar: i think not....17:11
marekdit expects domains for instance.17:11
*** browne has joined #openstack-keystone17:12
*** tellesnobrega_ has joined #openstack-keystone17:16
gyeestevemar, how far are you from Ottawa?17:17
*** dguerri is now known as _dguerri17:18
*** _dguerri is now known as dguerri17:18
samueldmqstevemar, marekd nice, I thought we could, since v3 auth != v3 api17:18
samueldmqthanks17:18
gyeefor default domain, v2 and v3 token should be interchangeable17:18
samueldmqbknudson, dstanek I thought we had discussed this last week ^17:18
samueldmqbknudson, dstanek I thought we could use v2 api with v3 auth :/17:19
samueldmqhmm, gyee yes, that's what I think17:19
gyeetrust me, it works :)17:20
gyeemoney back guarantee17:20
samueldmqgyee, hehe o/17:21
*** tellesnobrega_ has quit IRC17:21
stevemargyee, about a 4 hr drive17:28
stevemargyee, you visiting?17:28
gyeestevemar, yeah, I'll be in Ottawa next week for a customer visit17:29
gyeeany "must visit" places?17:29
stevemargyee, was there last week, to see a hockey game17:29
gyeeRediau Canel17:29
stevemargyee, go see parliament17:30
*** samleon has quit IRC17:30
gyeeRideau17:30
*** iamjarvo has joined #openstack-keystone17:30
*** samleon has joined #openstack-keystone17:30
*** iamjarvo has quit IRC17:30
*** iamjarvo has joined #openstack-keystone17:31
*** iamjarvo has quit IRC17:31
stevemarhttps://www.google.ca/maps/place/Parliament+Hill/@45.423624,-75.699298,3a,75y,304.25h,87.64t/data=!3m5!1e1!3m3!1sA-1ux82EoMIAAAQWtOCdGg!2e0!3e11!4m2!3m1!1s0x4cce04ff4fe494ef:0x26bb54f60c29f6e17:31
gyeewow nice17:31
*** iamjarvo has joined #openstack-keystone17:31
*** iamjarvo has quit IRC17:32
*** lhcheng has joined #openstack-keystone17:32
*** ChanServ sets mode: +v lhcheng17:32
*** iamjarvo has joined #openstack-keystone17:32
stevemargyee, kind of a small town17:32
stevemarerr small city17:33
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742717:33
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376317:33
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593617:33
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837217:33
gyeestevemar, good, I love walking around17:33
stevemargyee, go hang with your coworker: https://twitter.com/somerville3217:33
gyeeoh I didn't know Cody lives there17:34
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742717:37
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376317:39
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837217:39
*** itlinux has joined #openstack-keystone17:41
*** iamjarvo has quit IRC17:48
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593617:48
*** iamjarvo has joined #openstack-keystone17:55
*** iamjarvo has quit IRC17:55
*** iamjarvo has joined #openstack-keystone17:56
*** e0ne has quit IRC17:57
*** harlowja_away is now known as harlowja18:00
*** krykowski has quit IRC18:04
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185418:05
*** dhellmann has quit IRC18:05
*** mtreinish has joined #openstack-keystone18:06
*** rm_work|away is now known as rm_work18:07
gyeejamielennox, for the keystoneclient.fixture, when we generate the sample service catalog, we don't put the endpoint or service IDs in there18:09
*** topol has joined #openstack-keystone18:11
*** ChanServ sets mode: +v topol18:11
bknudsonif you're using the templated backend there aren't IDs available.18:12
gyeebknudson, oh18:13
gyeeanybody really using the template backend in production?18:14
*** harlowja has quit IRC18:16
*** harlowja has joined #openstack-keystone18:16
*** harlowja has quit IRC18:17
*** harlowja has joined #openstack-keystone18:20
*** henrynash has joined #openstack-keystone18:21
*** ChanServ sets mode: +v henrynash18:21
*** markvoelker has quit IRC18:28
*** harlowja has quit IRC18:29
*** harlowja has joined #openstack-keystone18:29
*** dguerri is now known as _dguerri18:30
*** e0ne has joined #openstack-keystone18:31
*** e0ne is now known as e0ne_18:31
*** e0ne_ is now known as e0ne18:32
*** e0ne is now known as e0ne_18:32
*** e0ne_ is now known as e0ne18:32
*** e0ne has quit IRC18:32
*** _dguerri is now known as dguerri18:34
htrutabknudson: do you have a few minutes to take a look at https://review.openstack.org/#/c/167613/ ?18:37
*** dguerri has quit IRC18:42
*** e0ne has joined #openstack-keystone18:48
*** nkinder has quit IRC18:50
*** dhellmann has joined #openstack-keystone19:06
*** rushiagr is now known as rushiagr_away19:15
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/17841419:17
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/17841519:17
*** henrynash has quit IRC19:19
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/17842619:23
*** ajayaa has quit IRC19:23
*** _cjones_ has quit IRC19:25
*** amakarov is now known as amakarov_away19:27
*** _cjones_ has joined #openstack-keystone19:41
*** david-lyle has quit IRC19:44
samueldmqstevemar, all the keystone notifications are now in cadf format ?19:44
*** david-lyle has joined #openstack-keystone19:44
lhchenggyee, I recall one company used it for global keystone setup, and keystone in each region filters the endpoints using templated backend19:45
*** ajayaa has joined #openstack-keystone19:48
gyeewith endpoint constraint feature, we don't have to do it that way19:48
gyeejust add a constraint for region19:49
stevemarsamueldmq, there's a config option that enables it to be cadf format19:53
*** arif-ali has quit IRC19:56
samueldmqstevemar, ack, the release notes contain a bunch of federation things, I would appreciate any help there :)19:56
samueldmqstevemar, https://etherpad.openstack.org/p/keystone-kilo-release-notes19:56
stevemarsamueldmq, real release notes: https://wiki.openstack.org/wiki/ReleaseNotes/Kilo#OpenStack_Identity_.28Keystone.29 ?19:58
*** itlinux has quit IRC19:58
stevemarbut yeah, i'll be updating the wiki soon19:58
*** Rockyg has joined #openstack-keystone20:08
gyeelhcheng, this dual scope concept scares me20:11
lhchenggyee: me too, and reseller :)20:11
gyeewe are already dealing with service admin bleed over20:11
gyeenow we are going to have to deal with domain admin bleed over20:11
gyeeright now there's a clear distinction between domain admin and project admin20:11
rodrigodsgyee, can you give examples of problems you see?20:12
gyeerodrigods, right now if you have admin role on a project, you are admin for nova, swift, glance, etc20:14
gyeebut if you only have admin role on a domain, you can't do squat with the services20:14
lhchenggyee: about the use of templated catalog, heard it about 2 summits ago. maybe they were still in v2. But yet, the endpoint feature will do the trick.20:14
lhchengyet -> yeah20:14
gyeelhcheng, endpoint will place a significant role going forward, endpoint policies, endpoint constraint, etc20:16
rodrigodsgyee, but if you are a domain admin today, you could create a project and give admin to yourself20:16
gyees/place/play/20:16
gyeerodrigods, only if policies allows it20:17
gyeebut yes, you can do that with the default policies20:17
morganfainbergstevemar: samueldmq dolphm do I need to update the release notes wiki when I get home or are one of you going to? (Just checking so I can plan for it)20:18
*** dguerri has joined #openstack-keystone20:18
morganfainberggyee: also we need to not call it "dual scope" please ;)20:18
*** samleon has quit IRC20:18
dolphmmorganfainberg: samueldmq knocked out about half of the to-do list yesterday, and i'm planning on finish the rest today20:19
*** kiran-r has quit IRC20:19
gyeemorganfainberg, project admin is "multi-scope" today :)20:19
morganfainbergdolphm: ok.20:19
stevemarmorganfainberg, i'll actually do some today20:19
morganfainberggyee: "dual scope" has a bad name implication that you're scoped to multiple projects.20:19
gyeeyeah I know20:19
gyeemagic scope20:19
morganfainbergdolphm: sure. Just checking if I'll need to sync from the ether pad to wiki. I'll check in when I land and see where we are.20:20
*** pnavarro has quit IRC20:25
*** e0ne has quit IRC20:26
openstackgerritDavid Stanek proposed openstack/keystone: Handles Python3 builtin changes  https://review.openstack.org/17741120:28
openstackgerritDavid Stanek proposed openstack/keystone: pycadf now supports Python3  https://review.openstack.org/17740720:28
openstackgerritDavid Stanek proposed openstack/keystone: Fixes use of dict methods for Python3  https://review.openstack.org/17741020:28
openstackgerritDavid Stanek proposed openstack/keystone: eventlet now supports Python3  https://review.openstack.org/17740620:28
openstackgerritDavid Stanek proposed openstack/keystone: Updates the *py3 requirements files  https://review.openstack.org/17740920:28
openstackgerritDavid Stanek proposed openstack/keystone: Fixes mocking of oslo messaging for Python3  https://review.openstack.org/17740820:28
openstackgerritDavid Stanek proposed openstack/keystone: Fixes deprecations test for Python3  https://review.openstack.org/17741520:28
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for ldappool for Python3 tests  https://review.openstack.org/17741420:28
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a whitespace issue  https://review.openstack.org/17741320:28
openstackgerritDavid Stanek proposed openstack/keystone: Handles modules that moved in Python3  https://review.openstack.org/17741220:28
openstackgerritDavid Stanek proposed openstack/keystone: basestring no longer exists in Python3  https://review.openstack.org/17741820:28
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for memcache for Python3 tests  https://review.openstack.org/17741720:28
openstackgerritDavid Stanek proposed openstack/keystone: Refactor deprecations tests  https://review.openstack.org/17741620:28
dstaneksorry!20:28
*** pnavarro has joined #openstack-keystone20:29
morganfainbergdstanek: haha20:30
lhchenggyee: we're really not doing dual scope, but merging domain and project role assignment20:31
lhchenggyee: if the user grant a project role on a "domain" project, they really get the domain role too.20:32
gyeelhcheng, that's a problem isn't it20:33
lhchenggyee: it could cause confusion and accidental granting privilege to some user20:33
lhchenggyee: yeah, it is :)20:33
gyeeright now domain admin can't do anything with services like nova20:33
lhchenggyee: that's also my concern abot it20:33
gyeewith this change, domain admin is the same as project20:33
lhcheng*about20:33
lhchenggyee: brb, heading to lunch before cafeteria closes.20:35
raildoI think that we don't have a clear difference between a domain_admin and project_admin in policy.20:36
gyeefor v3 policy we do20:36
raildogyee, ++20:36
*** e0ne has joined #openstack-keystone20:36
raildoand this is way merging these two assignments for the same entity is not a problem (when we use the policy in the correct way, like in v3 policy)20:37
*** itlinux has joined #openstack-keystone20:37
raildos/way/why20:38
gyeeraildo, if we are returning both project_id and domain_id in the scope, it will be problematic20:38
samueldmqdolphm, morganfainberg hi, sorry was afk20:39
samueldmqyes I am starting on that list again now :)20:39
morganfainbergCool20:39
raildobut it's the same id. I can see only one "problem" that we have with this, handle with a previous domain as a project.20:39
samueldmqbut I will need you to check the info I put there20:39
morganfainbergAbout to get in the air.20:39
morganfainbergI'll be back in la at like 10pm pacific20:40
morganfainbergSo I'll go through all the notes when I am home before going to bed.20:40
morganfainbergFeel free to sync them to the wiki page (if you have access)20:40
samueldmqmorganfainberg, k, so about ~11pm or so I guess20:40
morganfainbergElse I'll do it tonight.20:40
morganfainbergYah.20:40
*** rlt_ has quit IRC20:40
morganfainbergOk see ya later.20:40
samueldmqmorganfainberg, Ok will do, I will sync up with dolphm thanks20:40
samueldmqmorganfainberg, see you :)20:41
* morganfainberg goes afk for ~6hrs20:41
samueldmqdolphm, I put N/A for things I think it is not worth it to put in the release notes20:41
gyeeraildo, there's my issue, I get a "dual-scoped" token from keystone and I hit Swift with it20:42
samueldmqdolphm, and a small explanation on why I think so20:42
gyeeSwift sees a project-scoped token and happily provisions the account for me20:42
gyeebut I don't ever intend to do anything with that account as it is meant for identity management20:42
samueldmqstevemar, yeah, release notes on that link, me and dolphm started that etherpad to iterate faster20:42
gyeeright now if I hit Swift with a domain-scoped token, Swift will tell me to f off20:44
raildogyee, I can't do this if my role doesn't enforce these actions, even if I have a token. if a domain_admin can't create instances, for example, even if I have a token for Nova, I can't do this action.20:44
*** e0ne has quit IRC20:44
*** mtreinish_ has joined #openstack-keystone20:45
gyeedomain admin is not supposed to do anything with the services20:45
raildogyee, what I want to say is that it can be a problem with bad use of policies, this is just the consequence.20:46
gyeeraildo, it's not really about policies, it's how services are treating the scope right now20:47
gyeeproject scope = owner or admin20:47
gyeedomain scope = access denied20:47
gyeeraildo, food time, be back in a few20:48
raildogyee, np, we can talk later about this :)20:48
*** mtreinish has quit IRC20:51
*** mtreinish_ is now known as mtreinish20:51
*** joesavak has quit IRC20:53
ayoungbknudson, I talked with Simo.  He's implementing a lot more of the standard than the pyjwt project does so far...key exchange and so forth, not just message signing.  I think there is a real potential for working together.20:54
bknudsonayoung: nice.20:54
bknudsonthe jwt page showed that the pyjwt didn't implement everything.20:55
stevemardid my part for the release notes20:56
stevemar\o/20:56
dstanekstevemar: !20:57
*** raildo has quit IRC20:58
*** iamjarvo has quit IRC20:58
stevemardstanek, ahoy21:01
dstanekstevemar: looks like you're rocking it again!21:01
stevemari am?21:01
dstanekstevemar: every time i get to a review it looks like you were already there21:02
*** csoukup has quit IRC21:02
stevemarthe trick is to do the easy ones21:02
*** iamjarvo has joined #openstack-keystone21:06
*** iamjarvo has quit IRC21:06
*** iamjarvo has joined #openstack-keystone21:07
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/17841521:11
samueldmqstevemar, is it worth it to put this on the release notes?  (https://bugs.launchpad.net/keystone/+bug/1426128)21:11
openstackLaunchpad bug 1426128 in Keystone "Add ECP related bits to saml generation code" [Wishlist,Fix released] - Assigned to Steve Martinelli (stevemar)21:11
samueldmqstevemar, Add ECP related bits to saml generation code21:11
samueldmqstevemar, does it impact deployers / end users ?21:11
stevemarsamueldmq, probably not worth it21:12
samueldmqstevemar, k got it21:13
*** ajayaa has quit IRC21:13
samueldmqstevemar, it only eases the job for the client21:13
*** iamjarvo has quit IRC21:14
samueldmqstevemar, by creating the ecp wrapped saml assertion21:14
*** itlinux has quit IRC21:14
samueldmqstevemar, right ? otherwise it would be done by the client ..21:14
samueldmqstevemar, which does not impact the user, it looks like a refactoring21:15
samueldmqdolphm, almost done for that list21:17
samueldmqdolphm, only 11 bps remain on kilo-3 and 2 bps in kilo-rc121:17
samueldmqdolphm, wishlist bugs are done21:18
samueldmqdolphm, I need to go afk for a bit21:18
dolphmsamueldmq: holy crap, nicely done21:18
*** arif-ali has joined #openstack-keystone21:19
samueldmqdolphm, thanks, just trying to help things moving :-)21:21
samueldmqwill be back in about 2-3 hours21:21
*** samueldmq has quit IRC21:21
*** pnavarro has quit IRC21:28
*** Rockyg has quit IRC21:30
*** nkinder has joined #openstack-keystone21:33
*** stevemar has quit IRC21:36
*** harlowja is now known as harlowja_away21:36
*** harlowja_away is now known as harlowja21:37
*** mattfarina has joined #openstack-keystone21:40
*** mattfarina has quit IRC21:40
*** csoukup has joined #openstack-keystone21:59
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient  https://review.openstack.org/14424822:05
*** dguerri is now known as _dguerri22:18
*** itlinux has joined #openstack-keystone22:22
*** itlinux has left #openstack-keystone22:24
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Adapter expects a tuple  https://review.openstack.org/17886622:38
*** c_soukup has joined #openstack-keystone22:38
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Adapter version is a tuple  https://review.openstack.org/17886622:38
*** csoukup has quit IRC22:42
*** bknudson has quit IRC22:46
*** gordc has quit IRC22:46
*** josecastroleon has joined #openstack-keystone22:46
*** josecastroleon has quit IRC22:48
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Adapter version is a tuple  https://review.openstack.org/17886622:49
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/17841422:49
openstackgerritMerged openstack/keystone: Refactor assignment driver internal clean-up method names  https://review.openstack.org/16916922:54
*** Raildo has joined #openstack-keystone22:57
*** rm_work is now known as rm_work|away22:58
*** Raildo is now known as raildo23:00
raildodstanek, can you review this patch later? :)  https://review.openstack.org/15872023:04
jamielennoxgyee: https://review.openstack.org/#/c/174668/23:05
jamielennoxi think one of my goals for summit is to force at least 2 cores to sit down while i go through all my client patches23:06
*** tqtran_ has joined #openstack-keystone23:07
*** tqtran_ is now known as tqtran23:07
jamielennoxmorganfainberg: nice! can we have a feature branch for ksc that has a dep on ksa?23:10
openstackgerritMerged openstack/keystone: eventlet now supports Python3  https://review.openstack.org/17740623:11
*** c_soukup has quit IRC23:19
gyeejamielennox, thank you!!!!!!!!!!!!!!!!!!!!!!!!!23:20
jamielennoxgyee: i think that was a week or two ago23:20
*** Rockyg has joined #openstack-keystone23:20
jamielennoxgyee: i did a whole branch there so you can filter the catalog based on endpoint_id or service_id23:20
gyeedamn, I need to keep up with the reviews23:21
jamielennoxi feel kind of bad about picking through david's review so much, as when the global-requirements catch up we can replace all his good auth_token endpoint_id filtering work with23:21
*** Raildo_ has joined #openstack-keystone23:21
jamielennoxif auth_ref.service_catalog.filter(endpoint_id=self._endpoint_id, service_id=self._service_id)23:21
jamielennoxor url_for i think it's called23:22
gyeejamielennox, I am working on a patch to use oslo policy to enforce endpoint constraint, I feel like that functionality should be part of endpoint filter23:22
gyeewhat do ya think?23:22
jamielennoxconstraint like service_id or endpoint_id?23:23
gyeeso we can do endpoint filter based on a rule23:23
gyeeright23:23
jamielennoxhmm, i don't know how you put that in policy23:23
gyeelike, "service_id:12345 or region:abc"23:23
jamielennoxyou'd need to submit the whole service catalog23:23
gyeejamielennox, https://review.openstack.org/#/c/177661/23:24
gyeethis patch basically enforces endpoint constraint based on a given rule23:24
gyeeI am trying to do the unit tests using the keystoneclient fixture23:25
*** raildo has quit IRC23:25
gyeeright now I am adding the endpoint_id and service_id after I created the catalog23:25
gyeeI can remove that code after your patches are landed23:25
*** packet has quit IRC23:25
jamielennoxhow does this relate to the existing review?23:26
gyeebecause I need the 'id' in the fixture so I can test the enforcement23:26
*** Raildo_ has quit IRC23:27
jamielennoxand i guess do you have a need for the more complicated matching23:27
jamielennoxlike region based, because region in the catalog is kind of funny23:27
gyeeyes, with rule, we can match anything in the endpoint23:28
gyeeinterface, url, etc23:29
openstackgerritMerged openstack/keystone: pycadf now supports Python3  https://review.openstack.org/17740723:45
*** dims has quit IRC23:50
*** chlong has joined #openstack-keystone23:50
openstackgerritMerged openstack/keystone: Fixes mocking of oslo messaging for Python3  https://review.openstack.org/17740823:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!