Friday, 2015-05-08

*** ankita_wagh has quit IRC00:02
*** ankita_wagh has joined #openstack-keystone00:05
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076900:07
*** amerine has quit IRC00:09
*** jaosorior has quit IRC00:12
*** jamielennox|away is now known as jamielennox00:29
*** ankita_wagh has quit IRC00:35
jamielennoxmorganfainberg: so can i create a feature branch for keystoneclient for depending on ksa?00:35
*** ankita_wagh has joined #openstack-keystone00:35
morganfainbergYou'll need to ask infra to make the branch. But yes.00:36
morganfainbergjamielennox: are we ready for a pre-release of ksa?00:36
jamielennoxmorganfainberg: i thought we could just push it?00:36
morganfainbergI don't think we can make branches in Gerrit n00:36
jamielennoxmorganfainberg: i know of a few small issues, i started yesterday trying to depend ksc on ksa00:36
morganfainbergAt least I wasn't able to on other projects.00:37
jamielennoxyou can depend on a git master in a pip requirements, but unless we add ksa support to devstack i'm not sure how we can test the whole thing00:38
ayoungsamueldmq, I'm kindof in and out still, but where are we WRT V3 only?00:38
samueldmqayoung, what is WRT ?00:39
*** ankita_wagh has quit IRC00:40
morganfainbergjamielennox: we just need to put it in requires. The test jobs should be all setup.00:40
morganfainbergsamueldmq: with regard to00:40
morganfainbergjamielennox: it is setup the same way ksc and ksm are.00:41
*** Raildo_ has quit IRC00:41
jamielennoxmorganfainberg: so we need to ask dhellmann to set it up00:44
morganfainbergOr ttx00:44
morganfainbergSo if we want to do the 0.x release of ksa we can now or wait until next couple fixes.00:45
morganfainbergI'd like to make the first real release 1.0.000:45
morganfainbergAnd g-r will be set to < 2.0.000:45
samueldmqmorganfainberg, thx00:46
morganfainbergWhen we start using it. Or <= 1.0.0, <2.0.000:46
samueldmqayoung, so ... I created the jobs to use v3 only (v2 disabled), let me find the link00:46
*** blewis` has quit IRC00:46
samueldmqayoung, https://review.openstack.org/#/q/status:open+topic:identity-v3-only-jobs,n,z00:47
*** ankita_wagh has joined #openstack-keystone00:59
*** ankita_wagh has quit IRC01:00
*** ankita_wagh has joined #openstack-keystone01:00
dstanekjamielennox: my explanation on https://review.openstack.org/#/c/121667/5 is kind of weak, but does it make sense?01:02
jamielennoxdstanek: i have no idea what the policy is on this - i know for anything that is a requirement we need to bump the minimum but considering it's just doc generation on build i don't know if it applies01:03
jamielennoxi put -1 on it just for a response - i always miss comments on my reviews unless it's actually -1ed01:03
*** blewis has joined #openstack-keystone01:04
jamielennoxdstanek: what happens if they are using an older version - the doc generation just gets weird?01:05
*** mkoderer has quit IRC01:05
ayoungsamueldmq, I saw the review, I was wondering if you had tested v3 only by hand first?  Does it work?01:08
samueldmqayoung, yes I did01:08
samueldmqayoung, there is some work to be done in tempest (since it uses v2 in some cases, even if we set it to use v3)01:09
ayoungsamueldmq, so if I follow the steps in the patch, I should be good.  Cool.  I think that my policy presentation is going to be based on that then01:09
*** alexsyip has quit IRC01:09
ayoungthat is ok,  this if for operators in live deployments01:09
samueldmqayoung, also, devstack needs to use v3 to setup its resources ( morganfainberg  is taking this one )01:09
samueldmqayoung, after this, we will see failing tempest tests and submit bugs to services, until we get 100%01:09
ayoungsamueldmq, again, not an issue for me.  I'm assuming a set up cloud, and converting it over to V3 only01:09
samueldmqayoung, k, services may still contain minor hard-coded issues01:10
samueldmqayoung, let me know if you need anything01:11
bknudsondstanek: jamielennox: the change requires a newer version, so it should be in g-r first.01:11
ayoungsamueldmq, what kind of hard coding do we anticipate?  auth token is good to go, right?01:11
ayoungand we can do v3 only from Horizon, I've tested that01:11
samueldmqayoung, yeah but tempest is more exhaustive01:11
ayoungHeat is V3  clean, I'm fairly certain.  What else calls in to Keystone that will trip us?01:11
samueldmqayoung, heat is now working with v3?01:12
ayoungsamueldmq, assumption...I'll confirm01:12
samueldmqayoung, I don't expect lots of failures, I didnt get a lot when I ran that01:12
ayoungbut they need domains, so I think they must01:12
dstanekjamielennox: i can give it a try, but i think they get an error on the stderr, but the docs get generated01:12
samueldmqayoung, we just need that job to make sure, and get what else we need working01:12
ayoungsamueldmq, so the thing I want to do is avoid checking policy for V2 tokens01:13
jamielennoxdstanek: is there likely to be a pbr bump in g-r any time soon01:13
ayoungcuz that only has the tenant_id in it...01:13
samueldmqayoung, for example https://bugs.launchpad.net/tempest/+bug/145198701:13
openstackLaunchpad bug 1451987 in tempest "Tempest against openstack deployed with keystone v3 only, fails to initialize" [Undecided,Confirmed]01:13
ayoungsamueldmq, yeah, no surprise there01:13
dstanekjamielennox: good question. right now they release .11, but say .6 would work01:14
ayoungwe might need to segregate all the V2 isms out.  Tempest probably needs to keep regression testing those01:14
*** mkoderer has joined #openstack-keystone01:14
samueldmqayoung, in your deployment ? I imagine we only do this in master when we officially deprecate v201:14
samueldmqayoung, yeah tempest has v2-specific tests, but I disabled them for now in my deploy :p01:14
ayoungsamueldmq, I mean in Tempest....thanks, I think I have enough to go on.  I might call you on the carpet during the policy presentation.  Be prepared.01:15
samueldmqayoung, oh01:15
ayoung:D01:15
samueldmqayoung, share your presentation with me :) and let me know what you need me to talk , so then I can get prepared01:16
samueldmq:D01:16
ayoungsamueldmq, I'm still writing it01:16
ayoungNah I just might mention that policy is better off with V2 tokens only, and that you are working on making that a tested deployment option...01:17
ayoungwell,  I guess you are doing other policy stuff, are you not...01:17
samueldmqayoung, yeah if you mean dynamic policy stuff yes, it's one of my goals in L01:19
samueldmqayoung, for now just working in the specs, and getting prepared to discussions at the summit :)01:19
ayoung++01:19
samueldmqayoung, ' policy is better off with V2 tokens only,'01:19
samueldmqayoung, v2 ?01:19
ayoungv301:19
ayoungmeant to say  that policy is better off with V3 tokens only, and that you are working on making that a tested deployment option...01:20
samueldmqphew01:20
samueldmqyeah v3 :)01:20
samueldmqayoung, cool, remember the work for getting v3 in services was coordinated by jamielennox01:21
samueldmqayoung, I am just on the final-lap testing with gate jobs :p01:21
*** ncoghlan has joined #openstack-keystone01:23
*** rm_work|away is now known as rm_work01:23
jamielennoxmorganfainberg: so this ksa is going to be harder than expected :(01:24
morganfainbergjamielennox: you kind of knew that right?01:25
jamielennoxsure01:25
morganfainbergKSC will need to do the silly translation stuff to the old interfaces01:25
jamielennoxcompatibility sucks01:25
morganfainbergand honestly, I see a v2.0.0 of KSC dropping that compat01:25
morganfainbergamong other things01:26
jamielennoxreturning AccessInfo from the plugins means we will need to translate from old to new object01:26
jamielennoxlike completely01:26
bknudsonv3.0.0 of KSC01:26
bknudsonv2 KSC drops middleware01:26
jamielennoxbknudson: someone merged that already :)01:26
morganfainbergbknudson: fair enough need to rev to 2.0.0 for the next release then01:26
*** sigmavirus24 is now known as sigmavirus24_awa01:26
morganfainbergbknudson: since we haven't released since that merge01:26
morganfainbergiirc01:26
jamielennoxi was massively surprised given how much we try and maintain compat01:26
morganfainbergnah01:27
bknudsonif we did release we'd already have a v201:27
morganfainbergmiddleware could die01:27
morganfainbergyou can't use that version of ksc w/ most of the servers that would expect it01:27
morganfainbergdependencies would be impossible to resolve01:27
bknudsonwe're capping in the stable branches now01:27
morganfainbergbknudson: that too.01:27
bknudsonotherwise we could never drop anything01:27
morganfainbergbknudson: we could drop the middleware01:27
morganfainbergbknudson: in either case01:27
jamielennoxhttps://review.openstack.org/#/c/177694/01:28
bknudsony, at some point the branches that needed it aren't supported anymore.01:28
morganfainbergbknudson: because it is highly unlikely the middleware from ksc would work with anything that needed it in ksc..and it might not even work in modern servers01:28
morganfainbergi'd say ksc.middleware was going to be dropped this cycle regardless of the stable caps01:28
bknudsonmiddleware hasn't changed that much functionally01:28
bknudson+0, -4409 !01:29
morganfainbergbknudson: but we haven't been testing it. bitrot does weird things sometimes01:29
morganfainberg:)01:29
bknudsondoesn't get much better01:29
morganfainbergbknudson: i'm not complaining in the slightest01:29
bknudsonI thought we'd drop more requirements?01:29
morganfainbergbknudson: memcache was the big one to drop01:29
bknudson(wasn't that kind of the point of splitting it out?)01:30
morganfainbergbknudson: yeah01:30
bknudsonwe already didn't have memcache01:30
morganfainbergin test-requires01:30
morganfainbergbecause people still ran tests at package time.01:30
morganfainbergand it was causing issues01:30
bknudsonhttps://review.openstack.org/#/c/177694/2/test-requirements.txt01:30
morganfainbergoh01:31
*** aix has quit IRC01:31
morganfainbergwe did that before didn't we01:31
bknudsonweird01:31
morganfainberghm01:31
morganfainbergyeah01:31
morganfainbergwe'd already dropped some requires then01:31
morganfainbergjamielennox: we really should move cms somewhere besides ksc.01:32
bknudsonkeystone-cms01:32
morganfainbergjamielennox: or just own up that we should maintain it in both server and ksm distinctly01:32
morganfainbergbknudson: it's a silly wrapper thing01:32
morganfainbergit doesn't really need its own shared function.01:32
jamielennoxmorganfainberg: we might be able to keep it in kscm01:32
jamielennoxksm01:32
bknudsonif we drop support for non-fernet then we can get rid of it.01:32
morganfainbergjamielennox: i think we can drop ksm from keystone.01:32
morganfainbergbknudson: or just drop support for pki(z) :P [we can't do that]01:33
bknudsonwhy not?01:33
morganfainbergbknudson: we can keep uuid :)01:33
morganfainbergbknudson: there are people who legitimately like the offload of PKI(z)01:33
morganfainbergand want to keep that going01:33
bknudsonthey can maintain it in stackforge01:33
morganfainbergwe don't have to drop pki tokens.01:33
morganfainbergbknudson: well once we get stable driver interfaces - yes01:33
morganfainbergbknudson: until then... i'd say no.01:34
morganfainberglbragstad: can i get you to make the right changes to devstack to support fernet tokens01:34
jamielennoxmorganfainberg: drop ksm from keystone? i'm trying to make it used01:35
morganfainbergjamielennox: the only reason ksm was a dep of keystone was for compat01:35
morganfainbergkeystone.middleware.s301:35
*** amerine has joined #openstack-keystone01:35
morganfainbergthat can probably go away now01:35
jamielennoxmorganfainberg: https://review.openstack.org/#/c/180818/01:35
morganfainbergoh01:36
morganfainbergsure01:36
morganfainbergand we lose authcontext being separate logic01:36
morganfainbergsure01:36
jamielennoxmorganfainberg, bknudson: so part of what i was trying out with that branch is refactor auth_token so that we can have an abstract fetch_token method01:36
jamielennoxand share the rest of the logic between keystone and auth_token01:36
*** samleon has quit IRC01:36
bknudsonkeystone is going to call ksm?01:37
jamielennoxbknudson: i want to remove the keystone auth_context middleware in favour of something that subclasses AuthProtocol01:38
jamielennoxwell - not exactly that but conceptually the same01:38
bknudsonI think the shared parts should go in a different library that they both use01:39
bknudsone.g., keystoneclient01:39
morganfainbergbknudson: *cough* ksa01:39
morganfainbergbknudson: :P01:39
*** amerine has quit IRC01:40
jamielennoxso this is pretty much what i want from a session at summit01:40
jamielennoxhow auth flows through other projects, how it flows through keystone01:40
morganfainbergjamielennox: we have a spare fishbowl01:41
morganfainbergif you want to make it more than just a working session01:41
jamielennoxwhether we want a token model in client01:41
bknudsonI think there's enough interest in a shared context for a fishbowl01:41
bknudsonand we need to get in sync with oslo01:41
morganfainbergbknudson: sure. happy to publish this into the last fishbowl01:41
jamielennoxthere is still token validation stuff which i *think* means we should use ksm from keystone, but it might be just easier to move it all to ksa or ksc01:41
jamielennoxmorganfainberg: i'm not sure what a "working session" for client would involve01:42
morganfainbergjamielennox: approving code? assigning bugs to people? getting reviews done01:42
bknudsonworking session is you typing at the keyboard and we're all complaining01:42
jamielennoxooo01:42
morganfainbergjamielennox: working sessions are open.01:42
bknudsonor cheering!01:42
jamielennoxmy open review list has got crazy long01:42
morganfainbergfishbowl is what the design sessions from previous summits are01:42
dstanekbknudson: best session ever01:43
jamielennoxi don't need a hundred people there,01:43
jamielennoxcores and actually interested people is good01:43
bknudsonwe need oslo folks too, so let's advertise it01:43
jamielennoxthough that's pretty much who we talked to in the other sessions so it really doesn't matter01:44
bknudsonwhat you're proposing is a fundamental change that requires coordination01:44
bknudsonotherwise everyone goes off in the weeds and we have to drag them back01:44
*** zzzeek has quit IRC01:44
jamielennoxbknudson, morganfainberg: ok advertise the crap out of it01:46
jamielennoxcoordinating auth across services01:46
dstanekso i'm trying to follow the conversation here, but it's a little difficult - has any of this been written up as a spec?01:49
jamielennoxdstanek: some01:51
jamielennoxbut there's more of a big picture how things tie together which still isn't fully developed and would be nice to hash out01:52
dstanekjamielennox: fair enough - i'm just looking to get as much background reading as i can find for the summit01:57
jamielennoxdstanek: so there's nothing about using auth_token in keystone - that's something we've been slowly working towards for a couple of cycles now01:58
*** dims_ has quit IRC02:00
*** dims has joined #openstack-keystone02:00
*** dims has quit IRC02:01
morganfainbergI'll push that fishbowl update tonight.02:02
morganfainbergdstanek: the qa work session we might need to go camp in mtreinish's work session too :P02:02
morganfainbergdstanek: but we got it cross listed.02:03
dstanekmorganfainberg: i have my eye on some of the QA things already02:04
morganfainbergCool.02:05
morganfainbergjamielennox: give me a title for the new fishbowl.02:05
jamielennoxumm02:06
*** david-lyle has joined #openstack-keystone02:10
jamielennoxconsuming auth across services - it's horrible but i don't know what else02:10
jamielennoxi want to figure out how we coordinate driving all this new policy stuff, and essentially hooking into oslo.context etc02:11
jamielennoxi have ideas02:11
*** browne has quit IRC02:23
*** stevemar has joined #openstack-keystone02:23
*** ChanServ sets mode: +v stevemar02:23
*** r-daneel has quit IRC02:40
ayoungmorganfainberg, one thing that ties in with that:  when enforcing policy, we sometimes need an object out of the database to be passed in to the policy engine.  It would be wonderful if we found a way to standardize that such that we could do a policy middleware.02:42
jamielennoxayoung: yep - i've got that, though not the db, from the token02:43
jamielennoxbecause i'm thinking of the other services first02:43
ayoungjamielennox, the issue we have is worst in Keystone, as we put the thing we want to scope on all over the place.  project/tenant depending on v2 or v3, but also domain on user, group, project for role assignments...but for the other services, the same issue02:45
ayoungwhen an API call only specifies the id of the object, they need to fetch the object first, then figure out where the project_id is on it.  Its all over nova for example02:46
ayoungand then, there is the question of whether any of the other services try to extend the auth info02:46
jamielennoxayoung: i'm trying to reverse my thinking on the 'keystone is special' front. I know keystone is going to be different for all these policy problems, but keystone is also the place where we can most easily maintain those differences ourselves.02:46
ayoungjamielennox, agreed02:47
jamielennoxI want any solution we come up with to be targeted first at making things easier for all the other services and then keystone can extend that where required02:47
ayoungjamielennox, it's not that keystone is special in that it needs special treatment, more like it is special in a "it is all over the place and needs to behave better" sort of way02:47
jamielennoxright - we will need a way to enforce policy on a loaded object and that's fine02:48
ayoungjust that Keystone shows the problem clearest with the v3 cloudsample02:48
jamielennoxi just want to standardize the process02:48
*** stevemar has quit IRC02:49
jamielennoxright - it's mostly just that the other services have not yet tried to tackle the problem02:50
*** browne has joined #openstack-keystone02:55
*** Ephur has quit IRC02:56
*** richm has quit IRC02:57
*** smallbig has joined #openstack-keystone03:00
*** eglute has joined #openstack-keystone03:01
*** dims has joined #openstack-keystone03:01
*** dims has quit IRC03:06
bigjoolsayoung: thanks for the tweet :)03:08
ayoungbigjools, thank you for the effort03:11
ayoungbigjools, see you in Vancouver?03:11
bigjoolsayoung: sadly no, I could have gone if it wasn't for a prior engagement that could not be moved03:11
bigjoolssee you in Tokyo? :)03:11
ayoungbigjools, getting married?03:11
bigjoolshah03:11
bigjoolsno, medical03:11
ayoungYeah,  I think I'll be in Tokyo03:12
bigjoolsI owe beers to two people there now03:12
ayoungjamielennox, 10.10.10.40 - - [08/May/2015:03:10:23 +0000] "GET /v2.0 HTTP/1.1" 404 93 "-" "python-keystoneclient"  <<  in the Nova logs03:12
ayoungit's trying to use v2 to validate tokens.03:12
ayoungjamielennox, but there is no explicit V2 or v2.0 in the conf03:13
ayoungjamielennox, and I hacked the service catalog to only have /v3 in there03:13
ayounghow is it getting V2?03:14
ayoungsamueldmq, ^^ same question...how is it getting v2?03:15
*** Qiming has joined #openstack-keystone03:18
*** lhcheng has joined #openstack-keystone03:20
*** ChanServ sets mode: +v lhcheng03:20
*** r-daneel has joined #openstack-keystone03:26
*** r-daneel has quit IRC03:31
*** yasu_ has joined #openstack-keystone03:36
*** ankita_w_ has joined #openstack-keystone03:45
*** r-daneel has joined #openstack-keystone03:46
*** ankita_wagh has quit IRC03:49
jamielennoxayoung: i don't know - what's the config look like?03:50
jamielennoxyou using the generic password plugin?03:50
ayoungjamielennox, It looks all commented out.03:50
samueldmqayoung, jamielennox hard-coded I guess03:50
ayounghmmm...03:50
ayoungauth_uri=http://10.10.10.40:5000/03:51
ayoungI even set auth_version=v303:51
ayoungalthough I should not have to03:51
jamielennoxayoung: the weird part is that it's GET /v2.0 because that means it's looking up the version list from /v2 and i don't know why03:52
jamielennoxactually it shouldn't return a 404 from /v2.0 either03:52
jamielennoxis this auth_token?03:52
ayoungjamielennox, that is my doing03:52
ayoungI disabled v2.003:52
ayoungjamielennox, yes, this is the authtoken section of nova.conf03:53
ayoungalthough, to be fair, I looked in the keystone log and it does not say which component called it, just that it was keystoneclient03:53
samueldmqayoung, and does ksclient know the service is using it ?03:54
jamielennoxayoung: auth_uri is not the one, it's auth_url03:55
ayoungsamueldmq, what I pasted above was out of the log...let me see which log03:55
jamielennoxthese names are a problem03:55
ayoungjamielennox, that is commented out.  Let me uncomment and try again03:55
ayoung#admin_auth_url=http://localhost:5000/v2.003:55
jamielennoxjust auth_url03:56
jamielennoxhttp://www.jamielennox.net/blog/2015/02/23/v3-authentication-with-auth-token-middleware/03:56
ayoungjamielennox, nope03:58
jamielennoxayoung: is it on a machine i can look at?03:59
ayoungsure03:59
ayoungkinit jlennox@YOUNGLOGIC.COM and then ssh to http://rdo.younglogic.net/03:59
ayoungnothing quite like coding in production03:59
ayounghad it in the wrong section...trying again04:02
jamielennoxayoung: ok in04:02
jamielennoxwhat am i looking at?04:02
jamielennoxis it packstack?04:03
ayoungsudo vi  /etc/nova/nova.conf04:03
ayoungyeah, packstack04:03
ayoungauth_url=http://10.10.10.40:5000/04:03
ayoung sudo less /var/log/httpd/keystone_wsgi_admin_access.log04:03
jamielennoxi don't have sudo04:03
ayoungno?04:03
ayoungah,  one sec04:03
ayoungjamielennox, I just added you to wheel, log out and back in and you should see it04:04
ayoungwhat I am doing is checking the dashboard, but using the cli works too.  keystonerc info is in root04:05
jamielennoxayoung: auth_host etc? yea that's not going to work04:06
ayoungthat was what was set up by default..should I comment those out?04:06
ayoungjamielennox, if you make changes,  you can run the following to force a restart of all nova services04:06
ayoung for SVC in $( sudo systemctl | awk '/openstack-nova/ {print $1}' ) ; do echo $SVC ; sudo systemctl restart $SVC ; done04:06
ayoungruns fast enough04:06
jamielennoxi'll change now04:07
ayoungjamielennox, I should have made a copy of the original file to see the diff...04:09
samueldmqayoung, jamielennox a new version of the patch which defines the flag for v3 only in devstack04:09
samueldmqayoung, jamielennox https://review.openstack.org/#/c/179663/04:09
samueldmqI have to hit the sack ... talk to you tomorrow04:09
jamielennoxayou domain name = Default?04:09
jamielennoxayoung: ^04:10
ayoungjamielennox, uh  I think so...04:10
ayoungyes04:10
*** samueldmq has quit IRC04:11
jamielennoxayoung: ok, updated try again04:12
jamielennoxalso only the api servers use auth_token so you only need to restart nova-api (unless nova's doing something naughty with auth options)04:12
ayoungjamielennox, that seems to work04:13
ayounglet me see what you did, and I can reproduce for cinder glance and neutron04:13
ayoungjamielennox, auth_url is set twice04:14
jamielennoxone is auth_uri04:14
ayoungauth_url = http://10.10.10.40:3535704:14
ayoung  and04:14
jamielennoxbad naming04:14
ayoungauth_url=http://10.10.10.40:5000/04:14
jamielennoxit's unfortunate04:14
ayoungnah, this was me04:14
jamielennoxoh - ok, yea well with v3 it doesn't matter04:14
ayoungjamielennox, should I comment out all but the block you did at the top?04:15
ayoungjust to be clear what is actually working?04:15
ayoungOK, I broke it again04:16
jamielennoxi just changed that block, i thought i commented out the rest of it but if i didn't the auth plugin options should be read in priority04:17
ayoungjamielennox, I think it needs a couple of the other values to work.04:19
ayoungI'm going to move them all together... one sec04:19
*** rm_work is now known as rm_work|away04:19
ayoungok it works now.  commenting out the second auth_url (with 5000)04:21
ayoungOK...that is not needed04:21
ayoungit needs the version string04:22
ayoung#auth_version=v3  breaks it04:22
ayoungand it needs the port for some reason04:23
ayoungtrying commenting out auth_host as well04:23
ayoungok,  if you set one, you need to set the other.  removing both of those works again04:24
jamielennoxauth_version=v3 shouldn't be required04:24
jamielennoxthere was that bug remember where auth_version was being set in the nova-dist.conf files04:24
jamielennoxso maybe that's still set04:24
ayoungah...I et04:25
ayoungbet04:25
ayoung# Workaround for https://bugs.launchpad.net/nova/+bug/115480904:25
ayoungauth_version = v2.004:25
openstackLaunchpad bug 1154809 in python-keystoneclient "Volume detach fails via OSAPI: AmbiguousEndpoints" [Wishlist,Confirmed]04:25
jamielennoxyea, it's been dead for ages, we had a RHOS bug for it and i think it was fixed04:26
ayoungbut even if I comment that out it still fails04:26
ayounggonna comment out all that section04:26
ayoungthose dist files are just confusing as all get out.  They need to die04:27
*** rushiagr_away is now known as rushiagr04:27
ayoungyep...once I kill all those values, the block you set works.04:27
ayoungok, let me fix the other services04:28
ayoungjamielennox, glance was easy,  but cinder does not have an authtoken section04:39
ayoungthere is one in the /usr/share/cinder/*dist file04:40
ayoungbut I don't know where to find the service password04:41
jamielennoxoh god04:41
jamielennoxthere is an authtoken section in the cinder dist file?04:41
jamielennoxfile that as a bug04:42
*** rm_work|away is now known as rm_work04:44
ayoungyeah, but I killed that.  the actual thing I was looking for was in paste04:44
ayoung[filter:authtoken]04:44
jamielennoxoh yea, that's pretty normal, would like to kill that too04:44
ayoungjamielennox, got it04:46
ayoungOK,  all services reporting in normal04:46
ayoungI don't think I have neutron on this04:46
ayoungjamielennox, now that we have that, we can enforce policy on all the fields of the v3 token, and only those fields...04:48
ayoungbut tommorrowwwww04:48
jamielennoxayoung: i'm super surprised that it works this effectively04:48
ayoungjamielennox, I'm not.  You built a good mechanism, we just need to clear out the old cruft04:49
jamielennoxthere are plenty of places that still require v2 auth04:49
ayoungyeah.  I think I'll just lie and say they don't exist04:49
ayoungdo you know where?04:49
jamielennoxumm, a lot of glance04:50
jamielennoxanything that talks to swift04:50
jamielennoxit's all the services that have their own admin auth credentials04:50
jamielennoxthere was a bunch of ironic that i don't know if it ever got fixed04:51
jamielennoxyou find them when you try and put service users in the non-default domain - though i would expect disabling v2 would have done the same thing04:51
ayoungjamielennox, I have not done a slew of glance stuff here04:52
ayoungit might be that glance does v2 if it needs to talk to swift?04:52
jamielennoxum, i think when it talks to cinder it is v2 only04:53
ayoungjoy04:53
jamielennoxbut then a lot of these things are old options that may not be required any more04:53
ayoungjamielennox, I have a unified policy file for glance, cinder and nova04:54
ayoungI wanted to push keystone in there too, but I think it would only work v3 pure04:54
ayoungmeaning that any v2 tokens would be not-allowed...but that might be ok04:54
ayoungquestion is if Horizon does V3, will that work for the Glance V2 isms...04:55
ayoungI'm guessing yes04:55
jamielennoxi don't follow04:55
jamielennoxit will work for glance it just doesn't necessarily yet04:57
*** gokrokve has joined #openstack-keystone04:58
*** emagana has joined #openstack-keystone05:07
*** gokrokve has quit IRC05:09
*** gokrokve has joined #openstack-keystone05:10
*** gokrokve has quit IRC05:13
*** gokrokve has joined #openstack-keystone05:13
*** gokrokve has quit IRC05:18
*** Qiming has quit IRC05:21
*** Qiming has joined #openstack-keystone05:22
*** lhcheng has quit IRC05:31
*** gokrokve has joined #openstack-keystone05:40
*** gokrokve has quit IRC05:42
*** gokrokve has joined #openstack-keystone05:42
*** emagana has quit IRC05:44
*** emagana has joined #openstack-keystone05:45
openstackgerritQiming Teng proposed openstack/keystone: Enable service role to list/get users  https://review.openstack.org/18129805:49
*** emagana has quit IRC05:49
*** kiran-r has joined #openstack-keystone05:51
*** belmoreira has joined #openstack-keystone06:04
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/17933106:07
*** r-daneel has quit IRC06:15
*** lhcheng has joined #openstack-keystone06:21
*** ChanServ sets mode: +v lhcheng06:21
*** pnavarro has joined #openstack-keystone06:28
*** markvoelker has quit IRC06:33
*** ajayaa has joined #openstack-keystone06:34
*** kiran-r has quit IRC06:37
*** ccard has quit IRC06:46
*** Qiming_ has joined #openstack-keystone06:48
*** Qiming has quit IRC06:48
*** rushiagr is now known as rushiagr_away07:04
*** ankita_w_ has quit IRC07:04
*** ankita_wagh has joined #openstack-keystone07:05
*** e0ne has joined #openstack-keystone07:09
*** ankita_wagh has quit IRC07:10
*** krykowski has joined #openstack-keystone07:17
*** junhongl has quit IRC07:21
*** junhongl has joined #openstack-keystone07:21
*** e0ne has quit IRC07:29
*** e0ne has joined #openstack-keystone07:33
*** jamielennox is now known as jamielennox|away07:36
*** lhcheng has quit IRC07:37
*** ajayaa has quit IRC07:40
*** rushiagr_away is now known as rushiagr07:40
*** kiran-r has joined #openstack-keystone07:41
*** ccard has joined #openstack-keystone07:54
*** browne has quit IRC08:02
*** ajayaa has joined #openstack-keystone08:03
*** markvoelker has joined #openstack-keystone08:07
*** Qiming_ is now known as Qiming08:09
*** kiranr has joined #openstack-keystone08:10
*** kiran-r has quit IRC08:10
*** ncoghlan has quit IRC08:18
*** jaosorior has joined #openstack-keystone08:19
*** chlong has quit IRC08:20
*** e0ne has quit IRC08:23
kiranrHi! Can anybody explain to me, if we can have 2 endpoints say IP1:5000 for get token and IP2:35357 for other keystone APIs?08:25
*** lhcheng has joined #openstack-keystone08:38
*** ChanServ sets mode: +v lhcheng08:38
*** markvoelker has quit IRC08:38
*** lhcheng has quit IRC08:42
*** e0ne has joined #openstack-keystone08:58
*** e0ne is now known as e0ne_08:58
*** e0ne_ is now known as e0ne09:07
*** e0ne is now known as e0ne_09:21
*** kiranr is now known as kiran-r09:26
*** krykowski has quit IRC09:29
*** krykowski has joined #openstack-keystone09:29
*** e0ne_ is now known as e0ne09:55
*** krykowski has quit IRC09:59
*** krykowski has joined #openstack-keystone10:24
*** lhcheng has joined #openstack-keystone10:27
*** ChanServ sets mode: +v lhcheng10:27
*** lhcheng has quit IRC10:31
*** gsagie_ has joined #openstack-keystone10:33
gsagie_Hello, i am running a 2-node setup with devstack, when the controller is up everything works fine, when i start the compute node ./stack.sh after it goes up i suddenly can't access the API in the controller, for example when i try to do "neutron port-list" i get a message like this "Couldn't find Networking in Region One..." (something like that)10:35
gsagie_anyone familiar with that problem?10:35
*** markvoelker has joined #openstack-keystone10:35
openstackgerritDavid Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec  https://review.openstack.org/17479910:39
*** markvoelker has quit IRC10:40
lbragstadmorganfainberg: sure thing, I'll look into it10:44
*** krykowski has quit IRC10:47
*** samueldmq has joined #openstack-keystone10:49
*** Qiming has quit IRC10:49
samueldmqmorning10:49
*** krykowski has joined #openstack-keystone10:53
*** e0ne is now known as e0ne_10:56
openstackgerritDavid Stanek proposed openstack/keystone: Handles Python3 builtin changes  https://review.openstack.org/17741111:01
openstackgerritDavid Stanek proposed openstack/keystone: Fixes use of dict methods for Python3  https://review.openstack.org/17741011:01
openstackgerritDavid Stanek proposed openstack/keystone: Fixes deprecations test for Python3  https://review.openstack.org/17741511:01
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for ldappool for Python3 tests  https://review.openstack.org/17741411:01
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a whitespace issue  https://review.openstack.org/17741311:01
openstackgerritDavid Stanek proposed openstack/keystone: Handles modules that moved in Python3  https://review.openstack.org/17741211:01
openstackgerritDavid Stanek proposed openstack/keystone: basestring no longer exists in Python3  https://review.openstack.org/17741811:01
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for memcache for Python3 tests  https://review.openstack.org/17741711:01
openstackgerritDavid Stanek proposed openstack/keystone: Refactor deprecations tests  https://review.openstack.org/17741611:01
openstackgerritDavid Stanek proposed openstack/keystone: Fixes broken federation test  https://review.openstack.org/18136011:01
samueldmqdstanek, oh that patch chain :)11:05
*** ajayaa has quit IRC11:05
samueldmqdstanek, although you updated patches, gerrit still is showing 'patch in merge conflict' and the previous votes :/11:06
samueldmqmaybe that's broken11:06
*** davidckennedy has joined #openstack-keystone11:06
samueldmq(gerrit)11:06
*** gsagie_ has quit IRC11:10
dstanekwow, that's weird11:11
openstackgerritDavid Stanek proposed openstack/keystone: Handles Python3 builtin changes  https://review.openstack.org/17741111:11
openstackgerritDavid Stanek proposed openstack/keystone: Fixes use of dict methods for Python3  https://review.openstack.org/17741011:11
openstackgerritDavid Stanek proposed openstack/keystone: Fixes deprecations test for Python3  https://review.openstack.org/17741511:11
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for ldappool for Python3 tests  https://review.openstack.org/17741411:11
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a whitespace issue  https://review.openstack.org/17741311:11
openstackgerritDavid Stanek proposed openstack/keystone: Handles modules that moved in Python3  https://review.openstack.org/17741211:11
openstackgerritDavid Stanek proposed openstack/keystone: basestring no longer exists in Python3  https://review.openstack.org/17741811:11
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for memcache for Python3 tests  https://review.openstack.org/17741711:11
openstackgerritDavid Stanek proposed openstack/keystone: Refactor deprecations tests  https://review.openstack.org/17741611:11
dstanekno, conflict. so i don't know what happened11:11
*** dims has joined #openstack-keystone11:13
*** e0ne_ is now known as e0ne11:14
*** ajayaa has joined #openstack-keystone11:22
*** dims has quit IRC11:28
*** e0ne is now known as e0ne_11:28
*** dims has joined #openstack-keystone11:29
*** e0ne_ is now known as e0ne11:30
*** jsheeren has joined #openstack-keystone11:30
*** markvoelker has joined #openstack-keystone11:36
*** yasu_ has quit IRC11:49
*** r-daneel has joined #openstack-keystone11:50
*** Qiming has joined #openstack-keystone11:54
*** r-daneel has quit IRC11:56
*** kiranr has joined #openstack-keystone12:02
*** kiran-r has quit IRC12:02
baffleI have a domain-level role called "domain_admin". I want this role to be able to grant roles, but not the magic "admin" role. How can I stop that from happening in policy.json?12:05
baffleAlso, isn't identity:create_credential basically the same as identity:ec2_create_credential? Shouldn't the policy be the same?12:06
*** markvoelker has quit IRC12:07
*** markvoelker has joined #openstack-keystone12:07
*** e0ne is now known as e0ne_12:10
*** amakarov_away is now known as amakarov12:10
*** e0ne_ is now known as e0ne12:13
*** kiranr is now known as kiran-r12:16
*** lmtaylor has joined #openstack-keystone12:27
*** gordc has joined #openstack-keystone12:29
*** topol has joined #openstack-keystone12:35
*** ChanServ sets mode: +v topol12:35
*** rushiagr is now known as rushiagr_away12:37
*** Qiming_ has joined #openstack-keystone12:42
*** bknudson has quit IRC12:43
*** raildo has quit IRC12:43
ekarlsoHi guys, what ports does authtoken use to communicate towards ks with ?12:44
ekarlso5000, 35357 or both ?12:45
*** Qiming has quit IRC12:46
*** chlong has joined #openstack-keystone12:46
*** joesavak has joined #openstack-keystone12:49
*** raildo has joined #openstack-keystone12:51
lbragstadraildo: samueldmq ping12:53
raildolbragstad, hi12:56
*** e0ne is now known as e0ne_12:56
lbragstadthe 'is_domain' functionality is accessible to the end-user, right? So does that mean we should add it to the current jsonschema checking for domains? http://cdn.pasteraw.com/5z1vhufy7vw8skpc678gm1xtb7bubzy for example?12:56
lbragstadthis is the patch I'm referencing https://review.openstack.org/#/c/158372/5112:56
ekarlsonoone knows ? :p12:56
lbragstadekarlso: are you using v3?12:56
lbragstadekarlso: I don't think it matters if you're using v3?12:57
*** e0ne_ is now known as e0ne12:57
ekarlsolbragstad: THANK you so much !12:57
raildolbragstad, yes... is_domain functionality is accessible to the end-user, as a project property.12:59
lbragstadekarlso: you set the URI for auth_token to talk to keystone https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L24112:59
raildolbragstad, as we have added here: https://review.openstack.org/#/c/157427/56/keystone/resource/schema.py12:59
lbragstadhttp://cdn.pasteraw.com/nm0s0jbijwqknyslwtd8zm1fchbanbh12:59
lbragstadah.. gotcha13:00
lbragstadraildo: ok13:00
raildolbragstad, :)13:00
*** blewis has quit IRC13:08
*** rushiagr_away is now known as rushiagr13:09
*** jsheeren has quit IRC13:11
*** bknudson has joined #openstack-keystone13:11
*** ChanServ sets mode: +v bknudson13:11
samueldmqlbragstad, hi , sorry I was afk, reading up13:12
*** richm has joined #openstack-keystone13:13
samueldmqlbragstad, yeah, I do agree it should be included in the json schema, as it affects the representation given to the end-user13:13
lbragstadsamueldmq: cool, I was just curious if it was going to be in that patch but it looks like you guys addressed it in a different one, so that's good.13:14
samueldmqlbragstad, ++13:14
samueldmqraildo, we addressed this json schema change for the is_domain attribute ? ^13:14
raildosamueldmq, yes... in the project schema, but we don't have to add this in the domain schema.13:15
*** EmilienM|afk is now known as EmilienM13:15
samueldmqraildo, k since we are not changing the domain representation13:16
samueldmqraildo, lbragstad makes sense thanks13:16
raildosamueldmq, yes, the is_domain attribute is only visible in a project, since for domains it is always true, so it doesn't make sense to include it there.13:17
samueldmqraildo, ++ sure :)13:18
*** dims has quit IRC13:19
*** dims has joined #openstack-keystone13:20
*** jsavak has joined #openstack-keystone13:25
kiran-rHi! I have a problem here, I am using keystone v2 auth. Here I have different adminURL and publicURL and the adminURL is not accessible externally. I am able to use other clients but not the keystone CLIs since they are unable to reach the adminURL. http://paste.openstack.org/show/217090/13:25
kiran-rPlease help me understand. =)13:26
kiran-rand solve the problem13:26
*** joesavak has quit IRC13:27
*** lmtaylor has quit IRC13:36
openstackgerritDoug Hellmann proposed openstack/python-keystoneclient: Drop use of 'oslo' namespace package  https://review.openstack.org/18068813:37
*** jsavak has quit IRC13:48
*** openstackgerrit has quit IRC13:51
*** dims is now known as dimsum__13:51
*** openstackgerrit has joined #openstack-keystone13:51
*** samueldmq has quit IRC13:57
*** blewis has joined #openstack-keystone13:58
*** blewis has quit IRC13:59
*** htruta has joined #openstack-keystone14:04
*** lhcheng has joined #openstack-keystone14:04
*** ChanServ sets mode: +v lhcheng14:04
*** lmtaylor has joined #openstack-keystone14:08
*** lhcheng has quit IRC14:09
*** sigmavirus24_awa is now known as sigmavirus2414:13
*** kiran-r has quit IRC14:16
*** kiran-r has joined #openstack-keystone14:17
*** gokrokve_ has joined #openstack-keystone14:21
*** kiran-r has quit IRC14:22
*** gokrokve has quit IRC14:25
bretonfolks14:30
bretonwhat is X-SERVICE-TOKEN?14:30
bretonit is in the "implemented" directory of keystone-specs14:30
bretonbut grep shows that ks knows nothing about it14:31
*** gokrokve_ has quit IRC14:31
*** gokrokve has joined #openstack-keystone14:31
*** emagana has joined #openstack-keystone14:32
morganfainbergbreton: it's all in keystone middleware.14:37
morganfainbergbreton: it allows a service to have separate authorization (eg make it so nova/glance/etc can add an extra layer in) so glance can control data it puts into swift (for example) but still have it "owned" by the user.14:38
morganfainbergThe user couldn't circumvent glance and change the data in swift.14:39
morganfainbergJust as an example.14:39
morganfainbergjamielennox|away: ^^ see the spec from annegentle14:39
morganfainbergmordred: fwiw I'm looking forward to the x-project session on service catalog.14:40
*** browne has joined #openstack-keystone14:44
*** packet has joined #openstack-keystone14:45
mordredmorganfainberg: yes. I am too14:49
*** stevemar has joined #openstack-keystone14:54
*** ChanServ sets mode: +v stevemar14:54
*** e0ne is now known as e0ne_14:55
*** mtecer has joined #openstack-keystone14:58
stevemarnkinder, o/15:00
nkinderstevemar: hey!15:01
*** ajayaa has quit IRC15:02
morganfainbergmordred: lots of concerns and potential API contract issues there. I think we can resolve most of them in the session.15:02
*** e0ne_ is now known as e0ne15:07
*** mflobo has quit IRC15:07
*** josecastroleon has quit IRC15:08
mordredmorganfainberg: I'll be standing by the door with a bat to make sure we do15:15
*** ajayaa has joined #openstack-keystone15:16
morganfainbergHaha. Nice!15:17
morganfainbergI tossed most of my concerns on the spec already.15:17
*** belmoreira has quit IRC15:18
*** henrynash has joined #openstack-keystone15:19
*** ChanServ sets mode: +v henrynash15:19
*** henrynash has quit IRC15:20
amakarovmorganfainberg, hi!15:22
amakarovI have a spec here: https://review.openstack.org/#/c/173424 about HMT optimization15:23
amakarovCan you please look at it?15:24
*** rm_work is now known as rm_work|away15:32
*** mtecer has quit IRC15:35
*** blewis` has joined #openstack-keystone15:37
*** henrynash has joined #openstack-keystone15:38
*** ChanServ sets mode: +v henrynash15:38
*** Qiming_ has quit IRC15:39
*** henrynash has quit IRC15:47
*** zzzeek has joined #openstack-keystone15:48
*** krykowski has quit IRC15:48
*** gyee has joined #openstack-keystone15:52
*** ChanServ sets mode: +v gyee15:52
*** openstackstatus has quit IRC15:56
*** esp has joined #openstack-keystone15:56
*** henrynash has joined #openstack-keystone15:57
*** ChanServ sets mode: +v henrynash15:57
*** openstackstatus has joined #openstack-keystone15:57
*** ChanServ sets mode: +v openstackstatus15:57
*** henrynash has quit IRC16:01
*** e0ne is now known as e0ne_16:04
*** davidckennedy has quit IRC16:07
*** lhcheng has joined #openstack-keystone16:10
*** ChanServ sets mode: +v lhcheng16:10
*** kiran-r has joined #openstack-keystone16:15
*** dan_ has joined #openstack-keystone16:15
*** dan_ is now known as Guest6478716:15
*** gyee has quit IRC16:16
*** browne has quit IRC16:21
*** gyee has joined #openstack-keystone16:22
*** ChanServ sets mode: +v gyee16:22
*** gokrokve has quit IRC16:40
*** harlowja has quit IRC16:44
*** harlowja has joined #openstack-keystone16:44
*** packet has quit IRC16:46
*** rushiagr is now known as rushiagr_away16:53
*** gokrokve has joined #openstack-keystone16:57
*** gokrokve has quit IRC16:58
*** gokrokve has joined #openstack-keystone16:58
*** ankita_wagh has joined #openstack-keystone17:00
*** lhcheng_ has joined #openstack-keystone17:06
*** browne has joined #openstack-keystone17:07
*** lhcheng has quit IRC17:08
*** wasmum has quit IRC17:09
morganfainbergamakarov: just finished an appointment17:23
morganfainbergamakarov: so looking at stuff now.17:23
amakarovmorganfainberg, and I think I've addressed your concern here: https://review.openstack.org/#/c/141854/17:25
morganfainbergyeah i've been swamped with some pre-summit stuff17:25
morganfainbergbut we should start accelerating merging things here soon17:25
morganfainbergi hope17:25
morganfainberg:)17:25
amakarovmorganfainberg, me too :)17:26
amakarova question: what shall we do to TRL? There is no spec or active bp...17:26
amakarovThere is a request to drag it to v3 :)17:27
morganfainbergamakarov: since it doesn't exist for V3... we can probably make it die with the death of V217:27
morganfainbergamakarov: and make v3 revocation events only17:28
morganfainbergamakarov: and that is the direction i'd like to see things go if at all possible17:28
amakarovmorganfainberg, so bp/spec will be necessary?17:28
morganfainbergamakarov: well we have revocation events17:29
morganfainbergwe can turn off the TRL17:29
morganfainbergwe need to make rev. events parsable in keystone middleware17:29
morganfainbergand distributed to ksm (from keystone server)17:29
morganfainbergand i think we can document that rev. events is the preferred way forward17:29
morganfainbergand then when v2 is removed, TRL is also removed.17:29
morganfainbergwe should have some specs for that already17:29
*** lhcheng_ has quit IRC17:30
amakarovmorganfainberg, for ksm: https://blueprints.launchpad.net/keystone/+spec/middleware-revocation-events17:30
amakarovwhile for keystone it's konsidered implemented: https://blueprints.launchpad.net/keystone/+spec/revocation-events17:31
amakarovs/konsidered/considered/17:31
morganfainbergamakarov: correct, rev. events for keystone are implemented17:31
morganfainbergksm needs to grow support for it17:31
amakarov"As a consequence of this blueprint, GET /v3/auth/tokens/OS-PKI/revoked should be deprecated."17:32
morganfainbergamakarov: ayoung is working on some stuff related to that. and i think it's depending on new keystoneauth and accessinfo17:32
amakarovmorganfainberg, is it a part of the blueprint or just a wish? ))17:32
*** e0ne_ is now known as e0ne17:32
ayoungmorganfainberg, and for that we need to take Jamie to the interrogation room and make him see the light17:32
morganfainbergayoung: we have summit for that.17:33
morganfainbergayoung: now... i need to figure out what to title this last fishbowl17:33
morganfainbergayoung: it's going to be related to KSA, new access info, etc17:33
morganfainbergayoung: iirc, i need to reread the scrollback17:33
ayoungmorganfainberg, consuming Keystone Artefacts17:33
*** e0ne has quit IRC17:34
ayoungmorganfainberg, call it "improving Keystone AuthN"17:37
*** vhoward has left #openstack-keystone17:37
morganfainberghah17:37
ayoungKSA is the core of that17:37
ayoungdynamic policy drives towards that17:37
ayoungand this is the mechanisms that will allow us to do both17:37
ayoungmorganfainberg, so, I have V3 only on rdo.younglogic.net17:39
ayoungseems to be working17:39
morganfainbergcool17:39
ayoungif we go V3 only...policy gets much easier to enforce17:39
ayoungwe can do something like:17:39
morganfainbergayoung: The Alchemy of AuthN in Keystone and turning it to Gold17:39
morganfainbergayoung: :P17:40
ayoung   token.project.domainid == target.project.domain id type mathces17:40
ayoungmatches17:40
morganfainbergayoung: i seriously think we will be able to deprecate v2 this cycle.17:40
morganfainbergayoung: which case we can start making moves like that17:40
ayoungmorganfainberg, I think the mission of keystone is "To Enable secure delegation of workloads in a cloud environment"17:41
ayoungwe need to deprecate it.  We want to stop people from coding against it17:41
morganfainbergayoung: To provide a robust solution for IAM across cloud environments.17:41
ayoungIAM?17:41
ayoungisn't that a dog food?17:41
morganfainbergIdentity and Access Management17:41
morganfainbergit's the technical industry term for what we do.17:42
morganfainbergwe're more on the AM side17:42
morganfainbergthan the I side17:42
ayoungyes17:42
morganfainbergbut we still are closely related to the identity side17:43
ayoungwe consume it, but it should not be our core mission17:43
ayoungour mission is the AuthZ piece17:43
ayoungwhich is what I meant to type above, not AuthN17:43
morganfainbergwe still help manage where identity comes from for what OpenStack services consume17:43
ayoung(AuthN should be AuthC dagnabit)17:43
morganfainbergso, i'd say we're firmly IAM across the board.17:43
morganfainbergjust more focused on access management17:43
ayoungyep.  I is the primary input to AuthZ17:44
morganfainbergyep yep17:44
* morganfainberg is debating tossing a governance change to get "IAM" in the keystone description17:44
morganfainbergwell "Identity and Access Management"17:44
ayoungmorganfainberg, I think that would be prudent17:44
morganfainbergyeah17:44
morganfainbergi'll probably do that next week or @ summit17:44
*** browne has quit IRC17:45
ayoung"Keystone is a service which allows the operator to consume multiple forms of Identity Management in order to perform secure authorization in OpenStack"17:45
ayoungmake that17:45
ayoung"Keystone is a service which allows the operator to consume multiple forms of Identity Management in order to manage access in OpenStack services"17:46
ayoungideally, we will replace OpenStack with Cloud17:46
morganfainbergayoung: also at the summit going to open the door for us to adopt a real mascot - an animal that we can do cool things w/ vs needing to be an "arch" logo17:46
morganfainbergayoung: the requirement is it must be classified as a "keystone species"17:46
morganfainberg;)17:46
ayoungmorganfainberg, I can work with that17:46
morganfainbergayoung: yeah. examples i've seen: sea otters, grey wolf, jaguar, etc17:47
ayoungJaguars are cool17:47
morganfainbergyeah17:47
ayounggrey wolves are even cooler17:47
bretoncorgi17:47
bretonlet's have a corgi17:47
morganfainbergbreton: not a keystone species, sorry :P17:47
morganfainbergbreton: also... no corgis17:47
ayounghttp://www.google.com/imgres?imgurl=http://kids.nationalgeographic.com/content/dam/kids/photos/animals/Mammals/A-G/gray-wolf-closeup.jpg&imgrefurl=http://kids.nationalgeographic.com/animals/gray-wolf&h=900&w=1600&tbnid=tUhfZrd2jwDTWM:&zoom=1&tbnh=112&tbnw=199&usg=__70cRDCIhL3adkrO_zzFIQRzWFow=&docid=2chx2HGzA2nbyM&itg=117:48
morganfainbergayoung: we will need an awesome line-art17:48
blewis`prairie dogs are keystone species17:48
blewis`so are sea stars17:48
morganfainbergblewis`: yes they are17:48
bretonoh.17:48
ayoung#action ayoung to get awesome line art of a gray wolf17:48
morganfainbergayoung: before you do that, lets open up for suggestions then we will do a open call for art for the suggestions17:49
bretongray wolves are boring and for 12 year old girls17:49
morganfainbergayoung: you may see another suggestion you like better :)17:49
blewis`Sugar maple: This tree is a keystone species of the hardwood forest. It brings water from lower levels in the ground that helps other plants. It is also home to many insects, birds, and small animals.17:49
ayoungmorganfainberg, I had a Husky when I was a kid.  She still shows up in my dreams.  I am not going to see something I like better17:49
morganfainbergblewis`: there are many many options.17:49
morganfainbergayoung: as soon as I move to a place i can have a dog, i'm getting either a husky or a malamute17:50
morganfainbergboth are such awesome dog breeds17:50
morganfainbergayoung: actually, i just like all of the spitz breeds17:50
ayoungmorganfainberg, yes they are.17:50
blewis`how about a miniature husky17:50
morganfainbergayoung: even the silly shiba inus17:50
morganfainbergblewis`: on the officially banned list at my current apt.17:50
morganfainbergblewis`: or i'd consider it17:50
blewis`mini ones are?!17:50
blewis`they're like the size of chihuahuas~17:50
morganfainbergblewis`: all things named husky or husky like17:51
blewis`mutiny!17:51
morganfainbergthey had stupid rules17:51
morganfainbergblewis`: i even looked at the klee kai17:51
morganfainbergblewis`: banned17:51
morganfainbergblewis`: stupid.17:51
blewis`sounds like its time to move :P17:51
morganfainbergblewis`: yep17:52
morganfainbergi've had 2 malamutes.17:52
morganfainberglove those dogs.17:52
morganfainbergthey're just so awesome...17:52
*** amakarov is now known as amakarov_away17:52
blewis`see, i just don't form attachments to animals at all. like i like dogs and think they're awesome, but i never want to take care of one.17:53
morganfainbergblewis`: but funny they don't ban shiba inus17:53
morganfainbergblewis`: it's a weird company that runs the complex17:53
blewis`im licensed for foster care and i have a foster kiddo in my house... anyway, the agency i am licensed through has a breed restriction list. no pitbulls, huskies, etc17:53
blewis`great danes are not on the list tho17:54
morganfainbergblewis`: i bet malamutes are on the list of banned too17:56
morganfainbergblewis`: as awesome as they are... people consider them a "risk" above other dogs.17:57
blewis`probably17:57
stevemarwell this channel went on a heck of a tangent :)17:57
blewis`malamutes look like spirit animals17:58
blewis`like if that were a real thing and you had to have one, you'd probably want to have a malamute as your spirit animal vs some other lame animal17:58
blewis`like a goat.17:58
*** gokrokve has quit IRC17:58
*** browne has joined #openstack-keystone17:59
*** lhcheng has joined #openstack-keystone18:03
*** ChanServ sets mode: +v lhcheng18:03
*** samleon has joined #openstack-keystone18:04
*** ajayaa has quit IRC18:09
*** wasmum has joined #openstack-keystone18:11
morganfainbergblewis`: hahah18:11
morganfainbergblewis`: http://www.dogwallpapers.net/wallpapers/nice-adult-alaskan-malamute-dog-wallpaper.jpg18:12
morganfainbergstevemar: dude the Keystone "spirit" animal ;)18:15
morganfainbergstevemar: that was the discussion.18:15
*** samleon has quit IRC18:15
*** kiran-r has quit IRC18:17
morganfainbergstevemar: ping - summit slide review things18:23
morganfainbergstevemar: that planned for next week?18:24
*** rwsu_ has quit IRC18:24
*** wasmum has quit IRC18:33
*** jaosorior has quit IRC18:42
stevemarmorganfainberg, you have editor permission on the deck18:43
stevemari did a whole bunch of tweaks today18:43
morganfainbergstevemar: sure. was just curious when/if we were spending time to focus on it18:43
morganfainbergor if it was ad-hoc18:43
stevemarmorganfainberg, next week for suuuuureee18:49
morganfainbergraildo, rodrigods, ping - need to ask you a question re: summit stuff18:52
rodrigodsmorganfainberg, hi18:52
raildomorganfainberg, hi18:52
*** browne has quit IRC19:03
*** browne has joined #openstack-keystone19:04
*** wasmum has joined #openstack-keystone19:07
rodrigodsmorganfainberg, stevemar, topol, marekd ping... "Your Onsite Phone Number in Vancouver: *" in the speaker confirmation form19:07
rodrigodsmy mobile won't work there19:08
rodrigodsshould I put the hotel phone number?19:08
stevemarrodrigods, sure19:08
rodrigodsstevemar, thanks19:09
stevemarwho uses phones anymore (for calling anyway)19:09
topolas long as we can find you that's all that matters :-)19:11
rodrigodstopol, heh19:13
*** esp has left #openstack-keystone19:25
*** ankita_wagh has quit IRC19:26
*** ankita_w_ has joined #openstack-keystone19:28
*** atiwari1 has joined #openstack-keystone19:56
baffleI have a domain-level role called "domain_admin". I want this role to be able to grant roles, but not the "admin" role, as nova & friends still live in V2 and think it means r00t. How can I stop that from happening in policy.json?19:58
baffleAlso, is identity:create_credential basically the same as identity:ec2_create_credential? Shouldn't the policy be the same? So that users using the v3 api can create ec2/s3 tokens?19:58
*** atiwari has quit IRC19:59
bknudsonI don't think the policy code is expressive enough to disallow assigning a single role19:59
*** blewis` has quit IRC19:59
baffleSo, basically, the usecase of having "domain admins" where they can create groups, users, projects and do RBAC is basically broken then? Or, one could of course debate that nova & friends is broken. :)20:02
bknudsony, it makes total sense.20:02
bknudsonI mean it makes sense to need to do that.20:03
bknudsonhaving nova & friends living in v2 is broken... but I thought we'd made better progress on that.20:04
baffleTo be able to restrict that, since other projects policies are broken you mean?20:04
baffleMaybe we have. My nova+neutron is still Icehouse.20:04
baffleKeystone is Kilo, tho'. \o/20:04
bknudsonin icehouse nova and friends were not able to use v3.20:05
baffleMaybe my concerns are unfounded then.20:05
*** packet has joined #openstack-keystone20:06
*** atiwari2 has joined #openstack-keystone20:06
bafflebknudson: I see you had this review which seemingly was abandoned: https://review.openstack.org/#/c/103617/ .. Was the work done elsewhere?20:07
baffleUh. That was a spec. Nevermind.20:08
bknudsonbaffle: it was implemented without the spec.20:08
bknudsonthe spec was only written because nova didn't understand what all needed to change (how big or small the change was)20:09
bknudsonthey kept -1ing changes for v3 support because they weren't comprehensive.20:09
bafflebknudson: Ah, right. But if it has actually been implemented, that's really great.20:10
*** atiwari1 has quit IRC20:10
bknudsony, it's all there in nova as far as I know.20:10
bknudsonsamuelds is working on a test to see if we can run without v2.20:11
baffleNow I just wish all the SDKs and tools using them would actually get V3 support. Finally Gophercloud has it.. But jcloud and lots of other still is missing it. :)20:11
bafflebknudson: Unrelated, but since I stole some attention... Is identity:*_credential the same as identity:ec2_*_credential? Just the v2.0 vs v3 policies? Because right now (according to the policy) it seems as if only an admin can create ec2 credentials if authed with v3. And I assume that a user should be able to do that.20:14
bknudsonbaffle: I've got some docs for policy targets: https://review.openstack.org/#/c/168521/20:15
bknudsonnot merged yet20:15
bknudsonthe ec2_* has the user in the path, whereas *_credentials doesn't have the user... so makes sense for *_credential to require admin20:17
*** samleon has joined #openstack-keystone20:25
bafflebknudson: Hmm, in OSC "ec2 credentials create" magically disappears if OS_IDENTITY_API_VERSION="3" it seems. So that was why I thought identity:credential was the new thing. Where is the API docs for OS-EC2 for v3 anyway? It's not in "Identity API v3 extensions (CURRENT)" or "Identity API v3 (CURRENT)" it seems.20:25
bknudsonbaffle: I don't know if any docs exist for it... I think it's the same as the v2 version of the API.20:26
bafflebknudson: I assumed that one would use something like target.user_id in the policy to limit a user to only create credentials using /v3/credentials/20:27
bknudsonbaffle: that's a great question ... should have docs for this stuff but nobody wants to write them.20:28
baffleHmm, I'm even more confused right now. 1 sec, I'll just look at --debug output of something.. That's the best doc I've found till now. :)20:31
*** e0ne has joined #openstack-keystone20:33
*** ankita_w_ has quit IRC20:34
*** ankita_wagh has joined #openstack-keystone20:36
baffleI'm more confused now. Better go read the code some more.20:39
openstackgerritMerged openstack/keystone: Fixes use of dict methods for Python3  https://review.openstack.org/17741020:40
*** htruta has quit IRC20:51
ankita_waghHi , Can someone please do a +2 for this https://review.openstack.org/#/c/179624/ ?20:57
*** rm_work|away is now known as rm_work21:00
*** raildo has quit IRC21:00
*** e0ne has quit IRC21:02
*** emagana has quit IRC21:14
*** rwsu has joined #openstack-keystone21:30
*** rwsu has quit IRC21:30
*** rwsu has joined #openstack-keystone21:31
*** pnavarro has quit IRC21:34
*** gordc has quit IRC21:36
*** rwsu has quit IRC21:39
*** lmtaylor has left #openstack-keystone21:43
*** doug-fish has left #openstack-keystone21:49
*** rwsu has joined #openstack-keystone21:58
*** stevemar has quit IRC22:05
*** browne1 has joined #openstack-keystone22:06
*** browne has quit IRC22:07
*** EmilienM is now known as EmilienM|afk22:08
*** ankita_w_ has joined #openstack-keystone22:08
*** ankita_wagh has quit IRC22:09
*** dimsum__ has quit IRC22:21
*** bknudson has quit IRC22:21
*** Ephur has joined #openstack-keystone22:27
*** ankita_w_ has quit IRC22:31
*** ankita_wagh has joined #openstack-keystone22:44
*** rwsu has quit IRC22:56
*** amerine has joined #openstack-keystone22:59
morganfainbergankita_wagh: on my list to look at but won't happen until later tonight.23:04
*** ankita_wagh has quit IRC23:04
*** atiwari1 has joined #openstack-keystone23:04
*** ankita_wagh has joined #openstack-keystone23:05
*** atiwari2 has quit IRC23:07
*** topol has quit IRC23:08
*** packet has quit IRC23:15
*** rwsu has joined #openstack-keystone23:22
*** mestery has quit IRC23:34
*** samueldmq has joined #openstack-keystone23:51
*** drjones has quit IRC23:52
*** _cjones_ has joined #openstack-keystone23:53
*** atiwari2 has joined #openstack-keystone23:55
*** rwsu has quit IRC23:56
*** _cjones_ has quit IRC23:58
*** atiwari1 has quit IRC23:58