Thursday, 2015-06-04

00:00 *** Nikkau has quit IRC
00:09 *** hemna is now known as hemnafkj
00:19 *** geoffarnold has quit IRC
00:19 *** samleon has quit IRC
00:23 *** gyee has quit IRC
00:27 *** jaypipes has quit IRC
00:28 *** iamjarvo has joined #openstack-keystone
00:28 *** iamjarvo has quit IRC
00:29 *** iamjarvo has joined #openstack-keystone
00:29 *** iamjarvo has quit IRC
00:29 *** iamjarvo has joined #openstack-keystone
00:30 *** iamjarvo has quit IRC
00:31 *** iamjarvo has joined #openstack-keystone
00:31 *** iamjarvo has quit IRC
00:32 *** iamjarvo has joined #openstack-keystone
00:36 *** roxanaghe has quit IRC
00:43 *** gordc has joined #openstack-keystone
00:43 *** bknudson has joined #openstack-keystone
00:43 *** ChanServ sets mode: +v bknudson
00:48 *** dsirrine has quit IRC
00:49 *** SaintAardvark has quit IRC
00:55 *** blewis has quit IRC
01:03 *** dsirrine has joined #openstack-keystone
01:04 *** zzzeek has quit IRC
01:05 <openstackgerrit> Brant Knudson proposed openstack/keystone: Remove setUp for RevokeTests  https://review.openstack.org/179259
01:13 <samueldmq> jamielennox, hi, you around ?
01:13 <samueldmq> jamielennox, I saw a message from you telling you got devstack + v3 working
01:15 <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Common base class for unit tests  https://review.openstack.org/187770
01:15 <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Unit tests catch deprecated function usage  https://review.openstack.org/187775
01:21 *** openstack has joined #openstack-keystone
01:22 *** roxanaghe has joined #openstack-keystone
01:22 *** dan_ has joined #openstack-keystone
01:22 *** henriquetruta has joined #openstack-keystone
01:22 *** roxanaghe has quit IRC
01:22 *** roxanaghe has joined #openstack-keystone
01:22 *** dan_ is now known as Guest32428
01:22 *** Kennan has joined #openstack-keystone
01:26 *** diabloneo has joined #openstack-keystone
01:36 *** openstack has joined #openstack-keystone
01:36 *** dan| has joined #openstack-keystone
01:40 *** _cjones_ has quit IRC
01:41 <openstackgerrit> Dave Chen proposed openstack/keystone: Let `region` field be effective both in the testcase and API  https://review.openstack.org/167534
01:42 *** iamjarvo has quit IRC
01:44 <jamielennox> samueldmq: i am here
01:45 <jamielennox> samueldmq: i found a way to get the devstack run to complete with v3 only
01:45 <jamielennox> that's not the same as having tempest and everything done
01:45 <samueldmq> jamielennox, oh really ? great !!
01:45 <jamielennox> but it means we can at least start testing
01:45 <samueldmq> jamielennox, how is that ?
01:45 <jamielennox> umm, it needs a new version of OSC which they are just waiting for a g-r bump before releasing
01:46 <jamielennox> after that you do: https://review.openstack.org/#/q/status:open+project:openstack-dev/devstack+branch:master+topic:keystonev3,n,z
01:46 <jamielennox> and one or two other little fixes i haven't worked into patches yet
01:47 <samueldmq> jamielennox, great, I will be looking at those ^ on devstack tomorrow
01:47 <samueldmq> jamielennox, I am happy you're making good progress, good job :)
01:47 <jamielennox> samueldmq: cheers, thanks for the help
01:48 *** boris-42 has quit IRC
01:48 <samueldmq> jamielennox, np; glad to have helped
01:49 <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Move bandit requirement to test-requirements.txt  https://review.openstack.org/188227
01:49 <samueldmq> jamielennox, hopefully I will have some time to help on the project specific fixes .. but I have been very busy on the policy stuff
01:49 *** fangzhou has quit IRC
01:52 *** openstack has quit IRC
01:53 *** openstack has joined #openstack-keystone
01:54 <jamielennox> samueldmq: np, once we get to the project specific stuff we can split it up more easily
01:54 <samueldmq> jamielennox, ++ sure
01:54 *** davidchep has quit IRC
01:54 *** spandhe has quit IRC
01:56 <samueldmq> ayoung, jamielennox https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L1132-L1135
01:56 <samueldmq> ayoung, jamielennox is this the entry point in the ksmiddleware, right ?
01:57 <jamielennox> samueldmq: no, filter_factory above it
01:57 <jamielennox> app_factory is terminal so it acts like an application, filter_factory makes it middleware
01:57 <samueldmq> jamielennox, nice .. I wonder if for the policy fetch thing
01:57 <openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: tox env for Bandit  https://review.openstack.org/182912
01:58 <samueldmq> jamielennox, it shouldn't be something similar
01:58 <samueldmq> jamielennox, and then it should return auth_filter, policy_filter (or something that represents both)
01:58 <jamielennox> samueldmq: that is where ayoung is thinking, i don't know
02:00 *** iamjarvo has joined #openstack-keystone
02:00 <samueldmq> jamielennox, for each request, if the policy cache has reached the timeout, invalidate and fetch it again
02:00 *** iamjarvo has quit IRC
02:00 <samueldmq> jamielennox, or is there a mechanism to get notified from the os when a given timeout is reached ?
02:00 *** iamjarvo has joined #openstack-keystone
02:00 *** iamjarvo has quit IRC
02:00 <ayoung> ideally it would be based on the HTTP headers timeout
02:01 <samueldmq> ayoung, yes, it keeps the last time it has updated it
02:01 <openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: tox env for Bandit  https://review.openstack.org/182912
02:01 *** packet has quit IRC
02:01 *** iamjarvo has joined #openstack-keystone
02:01 <samueldmq> ayoung, and based on the timeout the http header is telling it
02:01 <ayoung> we do stuff like this with the revocation list
02:01 <samueldmq> ayoung, it should decide if fetch or wait
02:02 <ayoung> samueldmq, jamielennox so gyee had the suggestion that we put a hash of the policy file into the token data.  I kindof like that idea
02:02 <samueldmq> ayoung, makes sense ? ^ (I think it's what you said)
02:02 <samueldmq> ayoung, do you have an entry point to that code?
02:02 <jamielennox> samueldmq: there are some issues there, like if you have a bunch of different worker processes the timeout will be different for each
02:02 <ayoung> jamielennox, stampeding herd?
02:03 <jamielennox> ayoung: yea, we've discussed that one before, we had the same discussion around revocation events
02:03 <samueldmq> jamielennox, from getting from the os ?
02:03 <ayoung> or not worried about that?
02:03 <ayoung> yeah
02:03 <ayoung> jamielennox, can you think of any reason not to put the hash of the policy file in the token?
02:04 *** radez is now known as radez_g0n3
02:04 <samueldmq> ayoung, it depends whether the policies will be stored on keystone or not
02:05 <samueldmq> ayoung, keystone needing to query other service each time it needs to issue a token shouldn't be desired
02:05 <ayoung> samueldmq, if we put the (id) hash of the policy in the token, it will be stored in Keystone
02:05 <ayoung> keystone will still be the service of record for policy, or we will have some way of finding it
02:05 *** packet has joined #openstack-keystone
02:05 <openstackgerrit> Brant Knudson proposed openstack/keystone: Don't query db if criteria longer than col length  https://review.openstack.org/163949
02:06 <samueldmq> ayoung, makes sense, but this shouldn't be the decision criteria on keeping/splitting policy management/storage in keystone
02:06 <samueldmq> ayoung, but I support this is a great idea to be considered
02:06 <samueldmq> ayoung, I liked it
02:06 <ayoung> samueldmq, it gives us a really powerful tool to provide more fine grained policies in the future
02:07 <jamielennox> ayoung: assuming that you won't update policy much the only thing i can see is you have to be careful about caching
02:07 <ayoung> people were requesting project specific policies etc.
02:07 <diabloneo> Hi, everyone, I notice that Jenkins gate-keystone-python27 failed in my changes, failed on many unit testcases. Anyone know why?
02:07 <ayoung> jamielennox, the reason I want it as a hash is so we know if it has changed...a given policy should be immutable
02:07 *** diabloneo is now known as Chenhong
02:07 <ayoung> Chenhong, look in the logs
02:07 <samueldmq> ayoung, so that bings the policy with any resource you want to ?
02:08 <ayoung> Chenhong, if you provide a link, I can show you where to look
02:08 <ayoung> bings?
02:08 <ayoung> binds or brings?
02:08 <samueldmq> ayoung, if a new policy hash arrives and I don't have it, fetch that
02:08 <samueldmq> ayoung, bind
02:08 <ayoung> samueldmq, exactly
02:08 <jamielennox> ayoung: right - but you don't get an ordering from a hash, i just mean you wouldn't know about policy changes for tokens you fetch from cache
02:08 <samueldmq> sorry
02:08 <Chenhong> https://review.openstack.org/#/c/187511/
02:08 <samueldmq> ayoung, oh
02:08 <ayoung> jamielennox, right
02:08 <Chenhong> Thanks, I am reading the log
02:09 <jamielennox> and you have a bit of an issue for PKI because if we embed it in the token there's no way to know which one is newer
02:09 <samueldmq> ayoung, that definitely makes a lot of sense
02:09 <ayoung> jamielennox, but...if new tokens come in with new policies hashes, we could use that as an excuse to invalidate the cache and revalidate the tokens....or we accept that there will always be the potential for delay when making policy changes
02:09 <ayoung> jamielennox, true
02:10 <samueldmq> ayoung, after we will need to think about policies subsets .. to expose only what makes sense to domain admins (per domain policy) or project admins, for example
02:10 <samueldmq> ayoung, they don't need to see POST /endpoint, for example
02:11 <ayoung> samueldmq, you mean domain admins don't need to be able to create new endpoints...depends on who you talk to, but by default, sure.
02:11 <openstackgerrit> Merged openstack/keystone: Rename driver to backend and fix the inaccurate docstring  https://review.openstack.org/172329
02:12 <samueldmq> ayoung, cloud admin should define what domain admins can see
02:12 <samueldmq> ayoung, and domain admins what project admins see
02:12 <samueldmq> ayoung, something like that
02:12 <ayoung> samueldmq, yep  something like that
02:12 <samueldmq> :)
02:13 <samueldmq> ayoung, I will start looking at filter thing in the middleware
02:13 <ayoung> samueldmq, I'll write up the "policy id in the token" spec
02:13 <samueldmq> ayoung, to create a policy_filter, is that the correct approach, right ?
02:14 <samueldmq> ayoung, policy id ? isn't that hash ?
02:14 <ayoung> jamielennox, cache issues with pki aside, do you think it is a good approach?
02:14 <samueldmq> ayoung,  https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L1122-L1129
02:14 <jamielennox> ayoung: i certainly think it's the easiest way to signal middleware
02:14 <jamielennox> as you say we may have like thundering herd issues
02:15 <ayoung> jamielennox, it does mean that one policy file will have to be able to handle two or more endpoints at once.  With Chadwick's code, that should be easy.
02:15 <jamielennox> multiple endpoints?
02:15 <ayoung> And, just because we don't put a specific endpoint in the service catalog doesn't mean its policy rules can't be in the policy file...
02:16 <jamielennox> oh - it means we will have trouble with domain specific policies
02:16 <jamielennox> but i'm not convinced we want to do that anyway
02:16 <ayoung> jamielennox, I was thinking of the case where we create a token with only, say one of the endpoints specified, but the policy file would cover all of the endpoints in the service catalog.  With the "fetch by endpoint URL" approach, we know what service we are serving for
02:16 <jamielennox> (ditto domain specific roles)
02:16 <ayoung> I mean more that we need to resolve the issues with sdague on unified policy file
02:17 <ayoung> domain and project specific can come later.  They can use the same mechanism, if we go with policy id in the token, but not if we cache by time
02:17 <ayoung> Chenhong, there is nothing wrong with asking here, as opposed to a Private message
02:17 <ayoung> Chenhong, looking at http://logs.openstack.org/11/187511/2/check/gate-keystone-python27/ed282ef/console.html
02:19 <ayoung> Chenhong, you can't compare the numeric code that comes back from a web request with an exception
02:19 <ayoung> ah...but you are not...
02:20 <ayoung> doesn't look like it was your change at fault...hmmmm
02:22 <ayoung> Chenhong, I assume tox passed when you ran it on your system?
02:22 <Chenhong> Yes, tox passed
02:22 <ayoung> Chenhong, The change looks like something is treating a Deprecation warning as an error, I wonder if that is spurious...almost tempted to do a recheck just to be sure
02:22 <ayoung> but before we do...
02:23 <ayoung> seems to be failing consistently.
02:25 <Chenhong> ayoung, It was rechecked, but still failed as you can see it in the comment. That's what confuses me.
02:25 <ayoung> Chenhong, yeah.  and the thing that is breaking is not AFAICT due to your code
02:27 *** nkinder_ has quit IRC
02:30 <Chenhong> I noticed some other changes encounter the same problem, like this one http://logs.openstack.org/31/188131/1/check/gate-keystone-python27/c0f6593/console.html
02:30 *** geoffarnold has joined #openstack-keystone
02:31 <openstackgerrit> Merged openstack/keystonemiddleware: Drop py2.6 support for keystone middleware  https://review.openstack.org/187015
02:32 <openstackgerrit> Merged openstack/keystonemiddleware: Removes discover from test-reqs  https://review.openstack.org/171516
02:32 *** geoffarnold_ has joined #openstack-keystone
02:32 <openstackgerrit> Merged openstack/keystone: Run WSGI with group=keystone  https://review.openstack.org/187800
02:37 *** iamjarvo_ has joined #openstack-keystone
02:37 *** iamjarvo_ has quit IRC
02:37 *** iamjarvo_ has joined #openstack-keystone
02:39 *** nkinder_ has joined #openstack-keystone
02:39 *** tqtran has quit IRC
02:39 *** bknudson has quit IRC
02:40 *** iamjarvo has quit IRC
02:40 <ayoung> Chenhong, I don't get it either.  Something else must have changed
02:42 <ayoung> Chenhong, that being said, I don't think I agree with your reason for the patch.  The error codes are the HTTP standards, and I think we want to check for those values exactly, not the constants we define.  Usually, I would agree with you that we should favor a symbolic constant over a magic number, but these numbers actually mean something
02:43 *** richm has quit IRC
02:46 *** iamjarvo_ has quit IRC
02:47 <Chenhong> ayoung, I know what you mean. 403 or Forbidden.code can both work, I just pick a more readable way. I also noticed that there is so much code that writes '200 OK' directly. Is it good to use a symbolic constant instead?
02:48 <ayoung> Chenhong, yes 200 OK should be generated from a symbolic constant
02:48 <ayoung> Chenhong, I think there is something different about generating them than checking the values in tests
02:49 *** lihkin has joined #openstack-keystone
02:55 <Chenhong> ayoung, Does that mean keystone prefers to use the explicit status code 403 in tests rather than a symbolic constant, and prefers to use a symbolic constant for status codes in non-test code?
02:55 <ayoung> Chenhong, that sounds right
02:56 *** henriquetruta has quit IRC
02:56 <Chenhong> ayoung, thanks, I understood.
02:56 <samueldmq> ayoung, does it sound correct to you that I start on the filter thing in the ksmiddleware?
02:56 <ayoung> samueldmq, yes
02:56 <samueldmq> ayoung, https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L1122-L1129
02:56 <ayoung> Chenhong, you're welcome, and thanks for contributing.  Hope this was not too big a demotivator
02:57 <samueldmq> ayoung, great I will start a patch tomorrow, I need to sleep now
02:57 <samueldmq> good night to you all :)
02:57 <ayoung> samueldmq, does not *need* to be in there, but something like that...it might make sense to have it there, just make it a one liner we can move around as we get better understanding
02:58 <Chenhong> ayoung, it's fine, I'm just new to openstack and keystone, and I'm still trying to find out some conventions. Thanks for your help.
02:58 <samueldmq> ayoung, ok .. as per my current understanding, that should be another filter (policy_filter)
02:58 <Chenhong> fine
02:58 *** stevemar has joined #openstack-keystone
02:58 *** ChanServ sets mode: +v stevemar
02:58 <samueldmq> ayoung, then that method registers both, or something that includes both
02:59 <ayoung> samueldmq, no, not a filter for Policy.  it is a registration of a stevedore component that will be used later inside the oslo.policy library
02:59 <ayoung> and the registration can happen from ATM, I think
03:01 <samueldmq> ayoung, ok I will take a look tomorrow, since we are good with the /policies?endpoint_url thing
03:01 <samueldmq> ayoung, we can discuss tomorrow then
03:03 <samueldmq> ayoung, but wait ... oslo policy is doing enforcement ... so what you want is to, before enforcing a given rule, check for policy and update if necessary
03:04 <ayoung> samueldmq, lets talk tomorrow
03:04 <samueldmq> ayoung, yes, I need to sleep
03:04 <samueldmq> see you
03:04 *** alanf-mc has quit IRC
03:04 *** samueldmq has quit IRC
03:04 *** spandhe has joined #openstack-keystone
03:07 *** spandhe has quit IRC
03:07 *** dims_ has quit IRC
03:07 *** geoffarn_ has joined #openstack-keystone
03:08 *** lhcheng has quit IRC
03:08 *** geoffarn_ has quit IRC
03:10 <openstackgerrit> ayoung proposed openstack/keystone: IAM Models  https://review.openstack.org/184651
03:23 *** markvoelker has quit IRC
03:24 <openstackgerrit> Dave Chen proposed openstack/keystone: Remove deprecated external authentication plugins  https://review.openstack.org/125701
03:25 *** spandhe has joined #openstack-keystone
03:28 *** _cjones_ has joined #openstack-keystone
03:29 *** dsirrine has quit IRC
03:29 *** _cjones_ has quit IRC
03:30 *** _cjones_ has joined #openstack-keystone
03:32 <openstackgerrit> Merged openstack/keystone: Remove the deprecated ec2 token middleware  https://review.openstack.org/185509
03:32 *** lhcheng has joined #openstack-keystone
03:32 *** ChanServ sets mode: +v lhcheng
03:32 <openstackgerrit> Merged openstack/keystone: Fix the wrong order of parameters when using assertEqual  https://review.openstack.org/187869
03:34 *** alanf-mc has joined #openstack-keystone
03:44 *** davechen_afk is now known as davechen
03:51 *** tobe has joined #openstack-keystone
03:55 *** EmilienM|off has quit IRC
04:00 *** EmilienM has joined #openstack-keystone
04:03 *** gordc has quit IRC
04:07 *** dims_ has joined #openstack-keystone
04:09 <openstackgerrit> Chenhong Liu proposed openstack/keystone: Add testcases of list_role_assignments of v3 domains  https://review.openstack.org/187899
04:13 *** dims_ has quit IRC
04:19 *** krotscheck has quit IRC
04:21 *** mordred has quit IRC
04:23 *** markvoelker has joined #openstack-keystone
04:25 *** mordred has joined #openstack-keystone
04:25 *** krotscheck has joined #openstack-keystone
04:28 *** markvoelker has quit IRC
04:40 *** Chenhong has quit IRC
04:42 *** rushiagr_away is now known as rushiagr
04:48 *** csoukup has joined #openstack-keystone
04:56 *** Chenhong has joined #openstack-keystone
04:58 *** csoukup has quit IRC
04:59 *** roxanaghe has quit IRC
05:00 *** kiran-r has joined #openstack-keystone
05:04 *** stevemar has quit IRC
05:14 *** csoukup has joined #openstack-keystone
05:19 *** csoukup has quit IRC
05:19 *** alanf-mc has quit IRC
05:20 *** alanf-mc has joined #openstack-keystone
05:22 *** tobe has quit IRC
05:22 *** fangzhou has joined #openstack-keystone
05:40 *** tobe has joined #openstack-keystone
05:40 *** henrynash has joined #openstack-keystone
05:40 *** ChanServ sets mode: +v henrynash
05:47 *** ajayaa has joined #openstack-keystone
05:47 <ajayaa> Hi guys. Is there an api in v3 using which I can verify s3 credential?
05:47 <ajayaa> marekd, jamielennox ^^
05:48 <jamielennox> ajayaa: not afaik
05:49 <jamielennox> well there is the s3 middleware but i think it's only v2 api
05:49 <ajayaa> So the alternative is to use v2.0/s3tokens, right?
05:49 <jamielennox> but i don't really know how s3 works in that anyway
05:50 <ajayaa> The middleware just takes the access and secret to Keystone and Keystone replies with the usual info, afaik.
05:50 *** Chenhong has quit IRC
05:51 <ajayaa> Can it be added to Keystone, so that dependency on v2.0 is completely removed?
05:51 <ajayaa> If I propose a spec or bug and work on it!
05:51 <jamielennox> ajayaa: i assume it's doable. personally i would like to hear from the swift team that they want it
05:51 *** alanf-mc has quit IRC
05:51 <jamielennox> afaik no-one was using it
05:52 <ajayaa> jamielennox, I am working on integrating ceph with Keystone.
05:52 *** spandhe_ has joined #openstack-keystone
05:52 <ajayaa> So, we need an api in v3 which can verify s3 tokens.
05:52 *** spandhe has quit IRC
05:52 *** spandhe_ is now known as spandhe
05:52 <jamielennox> ajayaa: why s3 tokens? why wouldn't you use keystone tokens?
05:53 <ajayaa> ceph provides both s3 apis and swift apis.
05:53 <ajayaa> s3 apis work with amazon credentials.
05:53 <ajayaa> jamielennox ^^
05:53 <ajayaa> Swift apis work with Keystone tokens, so that's not a problem anyway.
05:53 <jamielennox> ajayaa: but you want to be able to mix and match those things?
05:53 *** fangzhou has quit IRC
05:54 <ajayaa> jamielennox, sort of. We need both swift and s3 apis in our cloud.
05:54 <jamielennox> are you trying to use keystone as a s3 credential store or are you trying to sign swift requests with s3 tokens
05:55 <jamielennox> (or both)
05:56 <ajayaa> the first one for sure. Not sure if I understand the second point.
05:56 *** belmoreira has joined #openstack-keystone
05:56 *** lhcheng has quit IRC
05:57 <jamielennox> the second part is being able to use s3 credentials for swift calls
05:57 *** _cjones_ has quit IRC
05:57 <jamielennox> anyway, i think i might be getting confused
05:57 <ajayaa> jamielennox, nope.
05:57 *** josecastroleon has joined #openstack-keystone
05:58 <ajayaa> There are two kinds of apis in ceph. The first is s3 api calls and second is swift api calls.
05:58 <jamielennox> ok
05:58 <ajayaa> s3 apis use amazon credentials and swift apis use vanilla Keystone tokens.
05:59 <ajayaa> So swift apis are not a problem with Keystone v3 because v3 provides a way to validate a vanilla token.
05:59 <ajayaa> But Keystone v3 does not provide a way to validate amazon credentials.
06:00 <ajayaa> So for this single thing, we are still persisting with v2.0 api in Keystone.
06:00 <ajayaa> What I want is to completely remove v2.0 api from our Keystone deployment.
06:00 <jamielennox> so it provides a v3 way of authenticating ec2 tokens (which i'm not sure how they differ)
06:00 <ajayaa> jamielennox ^^
06:00 <ajayaa> Who provides?
06:01 <ajayaa> Keystone? afaik, it does not and there is no documentation regarding it.
06:01 <ajayaa> https://github.com/openstack-attic/identity-api/blob/master/v3/src/markdown/identity-api-v3.md
06:01 <jamielennox> ajayaa: well i don't like the fact that it provides it at all and it's poorly done
06:01 *** _cjones_ has joined #openstack-keystone
06:02 <jamielennox> but https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/routers.py#L64 is in v3 by default
06:02 <ajayaa> Let me check
06:02 <jamielennox> oh joy https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L82
06:02 *** Chenhong has joined #openstack-keystone
06:02 <jamielennox> s3 is in there as well
06:02 <jamielennox> ajayaa: that's good for you and makes me a little sad
06:03 <jamielennox> https://github.com/openstack/keystone/blob/master/keystone/contrib/s3/core.py#L54
06:03 <ajayaa> jamielennox, maybe you can give me some idea on why you think it's poorly done.
06:04 <ajayaa> I will fix it and make it right. :)
06:04 <jamielennox> so it looks like /v3/s3tokens will exist in a default keystone install
06:04 <jamielennox> ajayaa: i went through this with ec2 recently
06:04 <jamielennox> there is no attempt to make it better or really test it from v2
06:04 <jamielennox> for example the parameters are all called tenant_id in v3
06:04 <jamielennox> something we otherwise absolutely banished
06:05 <ajayaa> we need that to be project_id or something like that.
06:05 <jamielennox> at least
06:05 <jamielennox> otherwise i guess i just don't like that keystone is trying to emulate those other formats
06:07 <jamielennox> ajayaa: so it looks like you've got the server side already, you just need to update https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/s3_token.py to make it work with v3
06:07 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/186279
06:07 <ajayaa> jamielennox, But if Openstack needs compatibility with amazon then we would need to map other formats to Keystone token format.
06:07 <openstackgerrit> Deepti Ramakrishna proposed openstack/keystone: Fix SCRIPT_NAME computation.  https://review.openstack.org/188269
06:08 <jamielennox> ajayaa: that is a philosophical question - i would argue why does openstack want to be compatible with amazon
06:08 *** Nikkau has joined #openstack-keystone
06:08 <jamielennox> there was a phase there where nova tried to be, and swift did for a bit, but as far as i'm aware that idea has died
06:10 <ajayaa> jamielennox, The nova thing got forked into a different project altogether and they are using Keystone for auth.
06:10 <ajayaa> So it needs to be there.
06:11 <ajayaa> Again there are other projects in the wild such as ceph which are integrated with Openstack.
06:11 <ajayaa> For the sake of these projects I would argue the s3 token stuff needs to be there.
06:11 *** merlin_ has joined #openstack-keystone
06:11 <jamielennox> ok - well so the server side is already available, you would just have to update the middleware because it looks like it hasn't been updated in a long time
06:12 <ajayaa> jamielennox, cool! Thanks for the pointer.
06:12 <jamielennox> ajayaa: no
06:12 <jamielennox> np
06:13 *** markvoelker has joined #openstack-keystone
06:13 *** mabrams has joined #openstack-keystone
06:13 <jamielennox> let me know how you go with that because you will need to update all the auth credentials to match what we've done in auth_token middleware, and that can be a little confusing
06:13 *** kwills has quit IRC
06:14 <ajayaa> sure. First I will try the server side thing and make sure it works and then dive into the middleware.
06:14 <ajayaa> I will let you know if I come across confusing things.
06:14 <ajayaa> :)
06:16 <yogeshwars1> Hi Guys, I am confused about what the Keystone v3 policy API is intended for.
06:17 <yogeshwars1> Are these APIs related to the policy.json files we use in all components? Or am I way off the mark?
06:18 *** markvoelker has quit IRC
06:18 *** tobe has quit IRC
06:26 <yogeshwars1> jamielennox: ^^
06:26 <jamielennox> yogeshwars1: sorry, missed that
06:26 <jamielennox> umm
06:26 <jamielennox> the CRUD policy API?
06:27 <jamielennox> at the moment we really don't use it for anything
06:27 <jamielennox> we are in the process of trying to make it more dynamic but really it's not currently used
06:27 <yogeshwars1> jamielennox: yes, the CRUD policy API.
06:28 *** ajayaa has quit IRC
06:29 <yogeshwars1> jamielennox: ok got it. Is the intent for these API calls to replace policy.json files?
06:29 <jamielennox> yogeshwars1: eventually, yes
06:32 <yogeshwars1> jamielennox: thanks. could you please point me to a spec or something that talks about making it more dynamic?
06:33 <jamielennox> yogeshwars1: it's very current and we are calling it dynamic policy, there is a whole subgroup meeting and such, i think they are still working out the details for how it will work
06:33 <jamielennox> yogeshwars1: ask ayoung or samueldmq during US time, they would know most i think
06:34 *** ajayaa has joined #openstack-keystone
06:34 <yogeshwars1> jamielennox: ok, thank you.
06:35 *** spandhe has quit IRC
06:42 *** Nikkau has quit IRC
06:44 *** _cjones_ has quit IRC
06:50 *** fhubik has joined #openstack-keystone
06:50 *** fhubik is now known as fhubik_afk
06:56 *** _cjones_ has joined #openstack-keystone
06:57 *** tobe has joined #openstack-keystone
07:00 *** lufix has joined #openstack-keystone
07:00 *** woodster_ has quit IRC
07:01 *** _cjones_ has quit IRC
07:08 *** geoffarnold_ has quit IRC
07:13 *** markvoelker has joined #openstack-keystone
07:18 *** markvoelker has quit IRC
07:32 *** Nikkau has joined #openstack-keystone
07:33 <evrardjp> good morning everyone
07:41 *** Nikkau has quit IRC
07:43 <openstackgerrit> Deepti Ramakrishna proposed openstack/keystone: Fix req.environ[SCRIPT_NAME] value.  https://review.openstack.org/188269
07:44 *** dims_ has joined #openstack-keystone
07:44 *** chlong has quit IRC
07:49 *** dims_ has quit IRC
07:49 *** dguerri`away is now known as dguerri
07:49 *** henrynash has quit IRC
07:49 <openstackgerrit> Deepti Ramakrishna proposed openstack/keystone: Fix req.environ[SCRIPT_NAME] value.  https://review.openstack.org/188269
07:50 <openstackgerrit> Deepti Ramakrishna proposed openstack/keystone: Fix req.environ[SCRIPT_NAME] value.  https://review.openstack.org/188269
07:50 *** jistr has joined #openstack-keystone
07:50 *** Nikkau has joined #openstack-keystone
07:54 *** jistr is now known as jistr|mt
07:54 *** jistr|mt is now known as jistr|mtg
07:56 *** Nikkau has quit IRC
07:57 *** _cjones_ has joined #openstack-keystone
08:01 *** afazekas has joined #openstack-keystone
08:01 *** henrynash has joined #openstack-keystone
08:01 *** ChanServ sets mode: +v henrynash
08:02 *** henrynash has quit IRC
08:02 *** _cjones_ has quit IRC
08:03 *** aix has joined #openstack-keystone
08:09 <openstackgerrit> Merged openstack/keystone: Don't query db if criteria longer than col length  https://review.openstack.org/163949
08:31 *** lhcheng has joined #openstack-keystone
08:31 *** ChanServ sets mode: +v lhcheng
08:32 *** pnavarro has joined #openstack-keystone
08:35 <openstackgerrit> Marek Denis proposed openstack/keystone: MappingEngineTester  https://review.openstack.org/188302
08:39 *** tobe has quit IRC
08:39 *** tobe has joined #openstack-keystone
09:02 *** markvoelker has joined #openstack-keystone
09:07 *** markvoelker has quit IRC
09:07 *** bdossant has joined #openstack-keystone
09:15 <openstackgerrit> liusheng proposed openstack/keystone: Add Validity check of 'expires_at' in trust creation  https://review.openstack.org/188315
09:17 <openstackgerrit> liusheng proposed openstack/keystone: Add validity check of 'expires_at' in trust creation  https://review.openstack.org/188315
09:19 *** jistr|mtg is now known as jistr
09:33 *** davechen is now known as davechen_afk
09:33 *** tobe has quit IRC
09:40 *** ajayaa has quit IRC
09:44 *** e0ne has joined #openstack-keystone
09:44 *** afazekas is now known as afazekas_mtg
09:45 *** jaosorior has joined #openstack-keystone
09:45 *** lhcheng has quit IRC
09:45 *** dims_ has joined #openstack-keystone
09:51 *** dims_ has quit IRC
09:51 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient-kerberos: Disable optional authentication for plugin  https://review.openstack.org/188329
09:53 *** tobe has joined #openstack-keystone
09:57 *** ajayaa has joined #openstack-keystone
10:00 *** _cjones_ has joined #openstack-keystone
10:03 *** dims_ has joined #openstack-keystone
10:04 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient-kerberos: Federated Kerberos plugin  https://review.openstack.org/173558
10:05 *** _cjones_ has quit IRC
10:18 *** markvoelker has joined #openstack-keystone
10:20 *** Kennan2 has joined #openstack-keystone
10:20 *** Kennan has quit IRC
10:21 *** Kennan2 is now known as Kennan
10:22 *** markvoelker has quit IRC
10:33 *** boris-42 has joined #openstack-keystone
10:46 *** markvoelker has joined #openstack-keystone
10:47 *** marzif_ has joined #openstack-keystone
10:50 *** marzif_ has quit IRC
10:50 *** marzif_ has joined #openstack-keystone
10:52 *** Chenhong has quit IRC
10:57 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Allow searching a catalog on service or endpoint id  https://review.openstack.org/174669
10:57 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Remove service_type requirement from catalog searching  https://review.openstack.org/174670
11:00 *** woodster_ has joined #openstack-keystone
11:01 *** _cjones_ has joined #openstack-keystone
11:06 *** _cjones_ has quit IRC
11:11 *** Chenhong has joined #openstack-keystone
11:17 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add flag to append project_id to catalog URL  https://review.openstack.org/148166
11:21 *** pnavarro_ has joined #openstack-keystone
11:22 *** pnavarro has quit IRC
11:26 <openstackgerrit> Merged openstack/keystoneauth: Cleanup needless variable binding  https://review.openstack.org/187080
11:27 <openstackgerrit> Merged openstack/python-keystoneclient: Cleanup fixture imports  https://review.openstack.org/187060
11:27 *** pnavarro_ has quit IRC
11:28 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Allow saving and caching the plugin auth state  https://review.openstack.org/149175
11:30 *** aix has quit IRC
11:37 <openstackgerrit> Alexander Maretskiy proposed openstack/keystone: Improvements for rally jobs.  https://review.openstack.org/188352
11:39 *** e0ne is now known as e0ne_
11:39 *** pnavarro_ has joined #openstack-keystone
11:41 *** samueldmq has joined #openstack-keystone
11:42 *** merlin_ has quit IRC
11:47 *** tellesnobrega has joined #openstack-keystone
11:49 *** e0ne_ has quit IRC
11:49 *** kiran-r has quit IRC
11:51 <samueldmq> morning
11:51 <marekd> hi
11:52 <openstackgerrit> liusheng proposed openstack/keystone: Add validity check of 'expires_at' in trust creation  https://review.openstack.org/188315
11:53 *** afazekas_mtg has quit IRC
11:53 <openstackgerrit> Alexander Maretskiy proposed openstack/keystone: Improvements for rally jobs.  https://review.openstack.org/188352
11:57 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Revocation engine refactoring  https://review.openstack.org/188131
12:02 *** _cjones_ has joined #openstack-keystone
12:03 *** amaretskiy has joined #openstack-keystone
12:04 <amaretskiy> morganfainberg hi
12:05 <amaretskiy> morganfainberg I've just submitted https://review.openstack.org/#/c/188352/
12:05 <amaretskiy> morganfainberg this patch improves rally jobs - there are a lot of scenarios added, should be much more interesting
12:06 *** pnavarro_ has quit IRC
12:06 *** tobe has quit IRC
12:07 *** _cjones_ has quit IRC
12:07 *** bdossant_ has joined #openstack-keystone
12:10 *** bdossant has quit IRC
12:13 *** e0ne has joined #openstack-keystone
12:15 *** fhubik_afk is now known as fhubik
12:20 *** chlong has joined #openstack-keystone
12:23 *** lihkin has quit IRC
12:23 *** lihkin has joined #openstack-keystone
12:23 *** lihkin has quit IRC
*** liusheng has quit IRC12:26
*** ajayaa has quit IRC12:29
*** aix has joined #openstack-keystone12:30
*** gordc has joined #openstack-keystone12:32
*** mabrams has quit IRC12:32
*** mabrams has joined #openstack-keystone12:33
*** jsavak has joined #openstack-keystone12:33
*** henrynash has joined #openstack-keystone12:33
*** ChanServ sets mode: +v henrynash12:33
*** rushiagr is now known as rushiagr_away12:36
*** rwsu has joined #openstack-keystone12:36
*** stevemar has joined #openstack-keystone12:41
*** ChanServ sets mode: +v stevemar12:41
*** zzzeek has joined #openstack-keystone12:42
*** bknudson has joined #openstack-keystone12:43
*** ChanServ sets mode: +v bknudson12:43
*** marzif_ has quit IRC12:44
*** afazekas_mtg has joined #openstack-keystone12:45
*** henrynash has quit IRC12:46
*** henrynash has joined #openstack-keystone12:52
*** ChanServ sets mode: +v henrynash12:52
*** kiran-r has joined #openstack-keystone12:58
*** amakarov_away is now known as amakarov13:00
*** Chenhong has quit IRC13:01
*** e0ne is now known as e0ne_13:01
*** pnavarro_ has joined #openstack-keystone13:03
*** afazekas_mtg has quit IRC13:04
*** e0ne_ is now known as e0ne13:04
*** topol has joined #openstack-keystone13:05
*** ChanServ sets mode: +v topol13:05
*** iamjarvo has joined #openstack-keystone13:08
*** Chenhong has joined #openstack-keystone13:12
*** sbasam has joined #openstack-keystone13:15
*** henrynash has quit IRC13:21
*** timcline has joined #openstack-keystone13:24
*** bdossant_ has quit IRC13:26
*** iamjarvo has quit IRC13:27
*** timcline has quit IRC13:27
*** richm has joined #openstack-keystone13:28
*** rushiagr_away is now known as rushiagr13:28
*** iamjarvo has joined #openstack-keystone13:32
*** ajayaa has joined #openstack-keystone13:38
*** fhubik is now known as fhubik_afk13:38
*** henrynash has joined #openstack-keystone13:40
*** ChanServ sets mode: +v henrynash13:40
*** kiran-r has quit IRC13:41
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742713:48
samueldmqayoung, hi, I have some dynamic policies thoughts in mind that I want to share with you13:48
*** dsirrine has joined #openstack-keystone13:49
*** lihkin has joined #openstack-keystone13:49
*** lihkin has quit IRC13:49
*** csoukup has joined #openstack-keystone13:49
*** lihkin has joined #openstack-keystone13:51
*** timcline has joined #openstack-keystone13:52
*** mabrams has quit IRC13:55
*** sigmavirus24_awa is now known as sigmavirus2413:55
*** henrynash has quit IRC13:56
*** fhubik_afk is now known as fhubik13:57
*** e0ne is now known as e0ne_13:59
*** _cjones_ has joined #openstack-keystone14:04
*** e0ne_ has quit IRC14:04
*** e0ne has joined #openstack-keystone14:06
*** henrynash has joined #openstack-keystone14:06
*** ChanServ sets mode: +v henrynash14:06
*** HT_sergio has joined #openstack-keystone14:07
*** fangzhou has joined #openstack-keystone14:07
*** dsirrine has quit IRC14:08
*** iamjarvo has quit IRC14:08
*** _cjones_ has quit IRC14:08
*** radez_g0n3 is now known as radez14:09
*** iamjarvo has joined #openstack-keystone14:13
*** merlin_ has joined #openstack-keystone14:14
samueldmqayoung, see http://paste.openstack.org/show/262978/14:14
samueldmqayoung, I think what is in that diagram fits what we discussed yesterday + nova needs and is still aligned with the goals of dynamic policy14:15
ayoungUnauthorized and "Not enough privileges" are the same thing samueldmq14:15
ayoungI don't want /policy14:16
samueldmqayoung, yes, I meant authentication failure14:16
ayoungright14:16
samueldmqayoung, ok that's part of the unified policy discussion14:16
samueldmqayoung, but point iii) in ksmiddleware14:16
samueldmqayoung, is that what you want/were trying to explain to me yesterday14:17
samueldmq?14:17
ayoungsamueldmq, we can't enforce all policy from middleware14:17
ayoungmany of the calls need to fetch an object from the DB first14:17
ayoungso, we are going to leave the calls from nova into oslo.policy in place, but inject a "fetch" mechanism into oslo.policy14:18
samueldmqayoung, hmm ... so the fetch mechanism is inside oslo.policy14:18
samueldmqayoung, how does oslo.policy know the endpoint url ?14:18
samueldmqayoung, middleware will tell it ? I think it is much more middleware's own job14:18
ayoungsamueldmq, if people wrote sane URLs, where resources were scoped by projects, then, yes, we could do it in middleware14:19
ayoungbut since we need to let them fetch objects from the DB first, we need to just have middleware set up the "fetcher"14:20
samueldmqayoung, at this point we should be able to fetch the policy14:20
samueldmqayoung, https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L54214:20
ayoungand, it does not need to be "middleware" per se, it needs to be registered at app startup time14:20
ayoungwe need to check the cache and refetch14:20
*** iamjarvo has quit IRC14:20
samueldmqayoung, yes, and could be done by ksmiddleware14:21
ayoungsamueldmq, actually...we could do the fetching and caching from middleware, just not the actual policy check14:21
samueldmqayoung, oslo.policy would own the engine, as it does today14:21
ayoungso long as the directory is writable, it really does not make a difference.14:21
samueldmqayoung, yes that's exactly what I am thinking14:21
samueldmqayoung, to make that from middleware, which cache/refresh/fetch/whatever14:21
samueldmqayoung, since it knows the directory + file to write, and the endpoint to ask keystone for the policy14:22
ayoungok, let's start by writing it as a separate middleware.  I know that the answer is going to come back "make it part of ATM and enable it via a config option."14:22
ayoungBut that is a different story14:22
samueldmqayoung, ok so other middleware means another filter, besides auth_filter14:23
ayoungDo we already have the directory available in the config section?  I was a little afraid that each of the services would manage it their own way.14:23
ayoungyeah...let's make it like this:14:23
ayoungcreate a stand alone policy cache management filter14:24
samueldmqayoung, I will check for the availability14:24
samueldmqayoung, ++14:24
ayoungbut...make it trivial to call it from ATM, so that if we end up merging it in, we can do either with just one or two lines of code changed14:24
samueldmqayoung, ATM ? at the moment ?14:25
ayoungAuth token middleware14:25
samueldmqayoung, great I can plug it in the auth_token __call__ as well14:26
samueldmqayoung, yeah this will be easier14:26
ayoungmaybe...we'll see14:26
samueldmqayoung, ok I think we now agreed on this point, I can start coding :)14:26
samueldmqayoung, regarding the directories/policy file14:30
samueldmqayoung, https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L1507-L152914:30
samueldmqayoung, we should be able to get that info if services already use oslo_policy14:31
ayoungcool14:31
samueldmqayoung, nice, I am going afk for a bit now, and the fun starts this afternoon :)14:32
samueldmqayoung, thanks14:32
samueldmqayoung, for taking the time and making things clear14:32
*** fangzhou has quit IRC14:35
*** afazekas_mtg has joined #openstack-keystone14:35
*** iamjarvo has joined #openstack-keystone14:40
*** afazekas_mtg has quit IRC14:43
*** chlong has quit IRC14:47
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Service Providers handling to AccessInfo  https://review.openstack.org/18842614:51
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742714:51
ayoungI just saw a lab keystone token of length 9326514:53
ayoungwith the error ....' exceeded the limit of column id(CHAR(64)). (HTTP 400)14:53
gsilvisayoung: did morganfainberg ever talk to you about his concerns with mix & match federation?15:00
ayounggsilvis, slightly15:00
*** lihkin has quit IRC15:01
*** lihkin has joined #openstack-keystone15:01
*** belmoreira has quit IRC15:05
*** _cjones_ has joined #openstack-keystone15:05
*** hemnafkj is now known as hemna15:06
*** fhubik is now known as fhubik_afk15:08
*** _cjones_ has quit IRC15:10
dstanekbknudson, morganfainberg: any thoughts on this https://review.openstack.org/#/c/183698/2/guidelines/http.rst ?15:14
bknudsonthere's a 405 error for method not allowed.15:18
bknudsonI'd be ok with a 400 error for not implemented15:18
bknudsonwouldn't be backwards compatible15:18
bknudsonwe'd need to at least offer some way for the client to avoid the error, e.g., discovery of what's implemented and what's not15:19
dstanekisn't that what 501 gives you over 400?15:19
bknudsonhttp://tools.ietf.org/html/rfc7231#section-6.6.215:19
dstaneki also think raising 5xx from code is reasonable15:19
bknudsonthe way I interpret the RFC I don't think we're using 501 incorrectly15:20
dstaneki think that they are reading it as "only used when the server doesn't recognize the method"15:20
dstaneki read it as a concrete example and not the only one15:20
bknudsonthat's the only example they give15:20
bknudsonbut I read it as an example not the only time to use it15:21
bknudsonit's the server that doesn't implement it, so a 5xx makes sense to me.15:21
*** arunkant_ has joined #openstack-keystone15:22
dstanekboth of those reviews feel like they are reaching to me15:24
*** timcline has quit IRC15:26
*** timcline has joined #openstack-keystone15:27
openstackgerritDan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call  https://review.openstack.org/18818415:27
*** fhubik_afk is now known as fhubik15:29
*** gyee has joined #openstack-keystone15:33
*** ChanServ sets mode: +v gyee15:33
*** _cjones_ has joined #openstack-keystone15:38
*** fhubik is now known as fhubik_afk15:43
*** dims_ has quit IRC15:43
*** fhubik_afk is now known as fhubik15:44
*** lufix has quit IRC15:47
*** Chenhong has quit IRC15:50
openstackgerritAlexander Maretskiy proposed openstack/keystone: Rename directory with rally jobs files.  https://review.openstack.org/18835215:57
openstackgerritAlexander Maretskiy proposed openstack/keystone: Add more Rally scenarios  https://review.openstack.org/18845715:59
*** jistr has quit IRC16:01
*** mattfarina has joined #openstack-keystone16:04
*** iamjarvo has quit IRC16:05
openstackgerritAlexander Maretskiy proposed openstack/keystone: Rename directory with rally jobs files.  https://review.openstack.org/18835216:07
*** pnavarro__ has joined #openstack-keystone16:14
*** pnavarro_ has quit IRC16:15
openstackgerritAlexander Maretskiy proposed openstack/keystone: Add more Rally scenarios  https://review.openstack.org/18845716:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18847616:18
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/18847716:18
*** pnavarro__ has quit IRC16:20
openstackgerritAlexander Maretskiy proposed openstack/keystone: Improvements for rally jobs files.  https://review.openstack.org/18847916:20
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/18849616:24
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-saml2: Updated from global requirements  https://review.openstack.org/18849716:24
*** iamjarvo has joined #openstack-keystone16:31
gyeeayoung, I am trying to understand your comment here https://review.openstack.org/#/c/177661/16:31
*** iamjarvo has quit IRC16:31
*** pnavarro__ has joined #openstack-keystone16:31
gyeeayoung, default rule is an oslo policy behavior, I am merely making sure it works16:31
ayounggyee, you don't want the  default rule16:32
ayounggyee, so,  the default rule is what will be executed when the api level policy is enforced16:32
ayoungbut, endpoint level  should not use that...it means we enforce the same rule twice16:32
gyeeayoung, right, but we are sharing policy.json16:32
*** lufix has joined #openstack-keystone16:32
ayounggyee, and we might have no choice.  But really, we should not be using the default for endpoint binding16:33
gyeeayoung, two separate tests, one with the global rule defined and one without16:33
*** aix has quit IRC16:33
ayoungif we enable endpoint binding/global policy, we should execute only the explicit rule16:33
ayoungthe default...should be namespaced16:33
ayoungwe should have like compute::default and so on16:33
gyeeayoung, I agree16:34
ayoungand then you would use global::default if there was one...but it would be kind of strange to define that16:34
ayounggyee, so, the short answer is, I guess it really does not matter,16:34
gyeebut that's something that oslo policy will have to implement16:34
ayounggyee, yeah...something like enforce_no_defaults()16:34
gyeeayoung, right, we can enhance oslo.policy to restrict default enforcement16:35
ayoungbut...I guess it really does not matter for your patch,  I can remove the negative comment.16:35
gyeeayoung, cool, thanks16:35
*** pnavarro__ has quit IRC16:36
* gyee is reading up on the dynamic policy thread, it's getting long16:36
ayounggyee, trying to balance practical with incur-technical-debt...16:36
*** marzif_ has joined #openstack-keystone16:37
gyeeayoung, I am not in favor of code decorative (hardcoded) defaults16:38
ayounggyee, I am not sure that sdague thought through the mechanism to implement what he is proposing16:38
gyeeI've heard many times that model sucks (i.e. Spring Acegi)16:39
ayoungif you put it in the code, you need to crawl the code, or you have the potential for things to get out of sync16:39
*** dims_ has joined #openstack-keystone16:39
gyeesecurity model is defined by deployers/customers per their security/compliance requirement16:39
gyeeit has to be flexible16:40
gyeehence "dynamic"16:40
gyeeI hope we don't hardcode "admin" all over the place16:41
*** iamjarvo has joined #openstack-keystone16:41
*** iamjarvo has quit IRC16:41
*** iamjarvo has joined #openstack-keystone16:41
*** lufix has quit IRC16:42
*** lihkin1 has joined #openstack-keystone16:45
*** iamjarvo has quit IRC16:49
*** lihkin has quit IRC16:49
*** amaretskiy has quit IRC16:57
*** fangzhou has joined #openstack-keystone16:57
*** alanf-mc has joined #openstack-keystone16:59
*** marzif_ has quit IRC17:00
openstackgerritBrian Tully proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call  https://review.openstack.org/18818417:01
*** lihkin1 has quit IRC17:01
*** fhubik has quit IRC17:02
*** csoukup has quit IRC17:05
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Encapsulate Service Providers in AccessInfo  https://review.openstack.org/18842617:08
*** alanf-mc has quit IRC17:10
*** marzif_ has joined #openstack-keystone17:11
*** csoukup has joined #openstack-keystone17:11
*** alanf-mc has joined #openstack-keystone17:12
*** dsirrine has joined #openstack-keystone17:15
*** Kennan2 has joined #openstack-keystone17:18
*** bradjones is now known as bradjones_away17:19
*** csoukup has quit IRC17:19
*** Kennan has quit IRC17:20
*** csoukup has joined #openstack-keystone17:20
*** e0ne has quit IRC17:22
*** dan has quit IRC17:23
*** dan| is now known as dan17:23
*** dguerri is now known as dguerri`away17:24
*** dguerri`away is now known as dguerri17:24
*** dguerri is now known as dguerri`away17:24
*** Viswanath has joined #openstack-keystone17:25
*** timcline has quit IRC17:27
*** josecastroleon has quit IRC17:28
*** Viswanath has quit IRC17:30
*** spandhe has joined #openstack-keystone17:31
*** timcline has joined #openstack-keystone17:39
*** dims_ has quit IRC17:40
*** dsirrine has quit IRC17:42
*** dontalton has joined #openstack-keystone17:47
*** gyee has quit IRC17:49
*** lhcheng has joined #openstack-keystone17:50
*** ChanServ sets mode: +v lhcheng17:50
*** lhcheng_ has joined #openstack-keystone17:51
*** lhcheng has quit IRC17:55
*** marzif_ has quit IRC17:55
*** marzif_ has joined #openstack-keystone17:56
*** rushiagr is now known as rushiagr_away17:57
*** Viswanath has joined #openstack-keystone18:01
*** Viswanath has quit IRC18:04
*** tellesnobrega_ has joined #openstack-keystone18:06
*** lhcheng has joined #openstack-keystone18:07
*** ChanServ sets mode: +v lhcheng18:07
*** lhcheng_ has quit IRC18:07
*** dsirrine has joined #openstack-keystone18:07
*** dims_ has joined #openstack-keystone18:08
*** amakarov is now known as amakarov_away18:11
*** packet has quit IRC18:15
samueldmqwhat would be a good default for policy_cache_time in ksmiddleware ?18:15
samueldmqayoung,  ^18:15
*** iamjarvo has joined #openstack-keystone18:15
ayoungsamueldmq, either 1 minute or 5 minutes18:15
ayounglet's go with 518:15
samueldmqayoung, ++18:16
*** dguerri`away is now known as dguerri18:17
*** lhcheng_ has joined #openstack-keystone18:20
*** iamjarvo has quit IRC18:21
ayoungmorganfainberg, so...I wrote it up like I said I would.18:22
ayounghttps://www.mail-archive.com/openstack-dev@lists.openstack.org/msg54645.html18:22
*** lhcheng has quit IRC18:23
*** iamjarvo has joined #openstack-keystone18:25
*** lhcheng_ has quit IRC18:27
*** bradjones_away is now known as bradjones18:29
*** tellesnobrega_ has quit IRC18:29
*** tellesnobrega_ has joined #openstack-keystone18:29
*** tellesnobrega_ has quit IRC18:29
*** tellesnobrega_ has joined #openstack-keystone18:32
*** tellesnobrega_ has quit IRC18:32
*** iamjarvo has quit IRC18:32
*** openstackstatus has joined #openstack-keystone18:39
*** ChanServ sets mode: +v openstackstatus18:39
*** bradjones is now known as bradjones_away18:40
*** tellesnobrega_ has joined #openstack-keystone18:41
-openstackstatus- NOTICE: Gerrit has been restarted to clear an issue with its event stream. Any change events between 17:25 and 18:38 UTC should be rechecked or have their approvals reapplied to initiate testing.18:42
*** tellesnobrega_ has quit IRC18:43
*** ajayaa has quit IRC18:45
*** tellesnobrega_ has joined #openstack-keystone18:45
*** marzif_ has quit IRC18:47
*** packet has joined #openstack-keystone18:50
*** packet has quit IRC18:51
*** dguerri is now known as dguerri`away18:51
*** lhcheng has joined #openstack-keystone19:04
*** ChanServ sets mode: +v lhcheng19:04
*** marzif_ has joined #openstack-keystone19:04
*** timcline has quit IRC19:10
*** timcline has joined #openstack-keystone19:12
*** HT_sergio has quit IRC19:17
*** Viswanath has joined #openstack-keystone19:18
*** Viswanath has quit IRC19:21
*** alanf-mc has quit IRC19:24
*** dsirrine has quit IRC19:30
*** dsirrine has joined #openstack-keystone19:31
*** iamjarvo has joined #openstack-keystone19:37
*** spandhe has quit IRC19:38
*** dsirrine has quit IRC19:40
*** elmiko has joined #openstack-keystone19:44
*** HT_sergio has joined #openstack-keystone19:44
elmikojamielennox: hey, might i bug for a few minutes about Sessions?19:44
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystonemiddleware: WIP - Fetch Policy File by Service Endpoint  https://review.openstack.org/18856119:48
samueldmqayoung, ^19:49
samueldmqayoung, still wip ... I have set up the main code skeleton19:49
ayoungsamueldmq, cool19:50
samueldmqayoung, still some todo's etc, but can give the direction I am taking19:50
samueldmqayoung, I am going afk for a bit, feel free to add preliminary comments there if you have  :)19:50
ayoungsamueldmq, very good.19:51
samueldmqayoung, thanks :)19:51
stevemarmorganfainberg, did you have a keystone release plan btw?19:53
*** samueldmq has quit IRC19:54
*** e0ne has joined #openstack-keystone19:55
*** Viswanath has joined #openstack-keystone19:55
*** iamjarvo has quit IRC19:59
*** Viswanath has quit IRC20:00
*** marzif_ has quit IRC20:00
openstackgerritDolph Mathews proposed openstack/keystone-specs: User groups in token bodies  https://review.openstack.org/18856420:01
*** iamjarvo has joined #openstack-keystone20:04
*** iamjarvo has quit IRC20:04
*** iamjarvo has joined #openstack-keystone20:05
*** iamjarvo has quit IRC20:05
*** iamjarvo has joined #openstack-keystone20:05
*** radez is now known as radez_g0n320:06
*** Viswanath has joined #openstack-keystone20:07
*** radez_g0n3 is now known as radez20:09
*** Viswanath has quit IRC20:10
morganfainbergstevemar: hmm?20:10
morganfainbergLike the nova and ironic threads?20:10
morganfainbergstevemar: if that is the question, right now I think it is better for us to not change.20:11
morganfainbergstevemar: where keystone sits, we don't want to shake things up too much. We can follow and make sure we see how this impacts the projects making the changes.20:11
morganfainbergstevemar: if you meant something else... Please elaborate.20:13
*** timcline_ has joined #openstack-keystone20:15
openstackgerritDolph Mathews proposed openstack/keystone-specs: User groups in token bodies  https://review.openstack.org/18856420:16
*** Viswanath has joined #openstack-keystone20:16
*** alanf-mc has joined #openstack-keystone20:17
*** stevemar has quit IRC20:18
*** timcline has quit IRC20:18
*** Viswanath has quit IRC20:20
*** dguerri`away is now known as dguerri20:26
*** bradjones_away has quit IRC20:26
*** dguerri is now known as dguerri`20:29
*** bradjones has joined #openstack-keystone20:32
bigjoolshey morganfainberg, do you know a shibboleth expert?20:38
*** markvoelker has quit IRC20:41
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add SAML2 fixtures  https://review.openstack.org/18858020:41
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858120:41
rodrigodsdolphm, added you as reviewer in https://review.openstack.org/#/c/188426/  (as you requested to be part of k2k reviews :) )20:44
*** spandhe has joined #openstack-keystone20:44
*** Viswanath has joined #openstack-keystone20:44
dolphmrodrigods: thank you! i'm planning to dedicate my entire day tomorrow to federation things20:45
rodrigodsdolphm, ++ thanks for that20:45
*** Viswanath has quit IRC20:47
bigjoolsrodrigods: I may take a look at that too20:47
dolphmdstanek: this is a nasty regression if the report is accurate - have time to look into it? https://bugs.launchpad.net/keystone/+bug/146109520:49
openstackLaunchpad bug 1461095 in Keystone "Token is not revoked when removing a user from project in Horizon" [High,Triaged]20:49
dstanekdolphm: yes, i can take a look in a little bit20:51
*** timcline_ has quit IRC20:52
*** HT_sergio has quit IRC20:52
*** timcline has joined #openstack-keystone20:52
dstanekdolphm: looks like fun20:58
dolphmdstanek: ++20:58
dolphmdstanek: i'm hoping it's some operation with an unscoped token that's legitimately not being revoked which is succeeding20:59
dolphmdstanek: i'd try to repro in horizon first, and see if you can do something real in that tenant, like create a vm20:59
*** iamjarvo has quit IRC21:01
*** raildo has quit IRC21:01
*** operator99 is now known as gyee21:02
dstanekyeah, i'll verify and experiment in horizon first and then write some broken tests based on what i find21:02
*** e0ne has quit IRC21:05
openstackgerritMerged openstack/keystonemiddleware: Base use webob  https://review.openstack.org/17420021:06
openstackgerritMerged openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/17420121:07
openstackgerritMerged openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/17420221:07
bknudsonit could be caching21:07
*** elmiko has quit IRC21:11
*** Kennan has joined #openstack-keystone21:18
*** Kennan2 has quit IRC21:19
*** tellesnobrega_ has quit IRC21:21
*** timcline has quit IRC21:25
*** ayoung has quit IRC21:26
*** Raildo has joined #openstack-keystone21:27
*** Raildo_ has joined #openstack-keystone21:29
*** Raildo__ has joined #openstack-keystone21:29
*** Raildo__ has quit IRC21:30
*** Raildo has quit IRC21:33
*** Raildo_ has quit IRC21:34
*** mattfarina has quit IRC21:37
*** mattfarina has joined #openstack-keystone21:38
*** henrynash has quit IRC21:41
*** markvoelker has joined #openstack-keystone21:41
*** markvoelker has quit IRC21:46
morganfainbergbknudson: my guess is it's endpoint caching21:54
*** mattfarina has quit IRC21:54
morganfainbergbknudson: validation at the endpoint is holding the valid token longer than expected (~5min+)21:54
morganfainbergat a glance that is21:54
morganfainbergbigjools: marekd and gyee are great shib resources21:54
marekdbigjools: what's up?21:55
morganfainbergdolphm, dstanek, ^^ see what bknudson and I said.21:55
bigjoolshey guys21:55
marekdbigjools: hey.21:56
bigjoolsmarekd: I'm trying to get SPs to accept an existing session from another SP21:56
marekdbigjools: i know i had promised you something ;)21:56
bigjoolsyeah :)21:56
marekdbigjools: i will get there soon, needed to work on some internal stuff most of this week :(21:57
bigjoolsso basically I'm trying to get cross site federation working in a way that doesn't require you to sign in again21:57
bigjoolsmarekd: no worries21:57
*** iamjarvo has joined #openstack-keystone21:58
*** iamjarvo has quit IRC21:58
bigjoolsmarekd: so if you know how to configure that in Shib I'd be extremely grateful21:58
marekdbigjools: so, when you got logged in while accessing your payments website, you don't want to repeat it when accessing holiday website?21:58
*** iamjarvo has joined #openstack-keystone21:58
bigjoolsexactly21:58
*** iamjarvo has quit IRC21:58
bigjoolswe assume they trust each other21:58
marekdbigjools: sure...21:59
marekdbigjools: we have that at cern, however I think it's IdP configuration21:59
*** iamjarvo has joined #openstack-keystone21:59
marekdwhat idp are you using?21:59
bigjoolsthat's fine.  I'm using simplesamlphp21:59
bigjoolsbut not attached to it21:59
bigjools(it was packaged for Ubuntu whereas shib-idp was not)22:00
marekdshib-idp is much harder to configure, no matter how hard simplesamlphp is :-)22:00
nkinder_bigjools: you should have a session with your IdP, so when you go to the second SP, the IdP won't ask you to login again22:00
bigjoolsheh :)22:00
nkinder_it should just issue an assertion22:00
marekdnkinder_: exactly22:00
nkinder_that's what we do in Ipsilon22:00
bigjoolsnkinder_, marekd: they have different IdPs22:00
bigjoolsI want to make those two IdPs trust each other22:01
nkinder_ok, so you need IdP chaining22:01
marekdbigjools: nkinder_ is right22:01
nkinder_one IdP would need to be an SP of the other (and SAML is an auth method for that other IdP)22:01
bigjoolsis that an IdP config or SP config?22:01
marekdrather idp22:01
nkinder_You'd have an IdP that is an SP of another IdP22:01
nkinder_are your eyes crossed yet? ;)22:01
bigjoolshaha22:02
bigjoolsyeah this is making my brain ache for sure22:02
marekdbigjools: why two idps btw?22:02
marekdbigjools: if you are thinking about getting some production idp i think i'd consider switching to at least idp-shib.22:02
bigjoolsmarekd: separate installations of openstack but all for same users22:03
marekdso why not using one idp :-)22:03
bigjoolsbecause $reasons :)22:03
bigjoolsI have no objection to using idp-shib at all.22:04
bigjoolsThe concept I was missing was to make one IdP an SP for the other IdP22:04
marekdi don't understand how having two (more?) opensource project deployments instead of one can bring $ problems22:04
bigjoolsdifferent availability zones22:04
* morganfainberg glares at LaunchPad22:04
bigjoolspoor Launchpad22:05
morganfainbergtimeout... timeout... timeout22:05
*** stevemar has joined #openstack-keystone22:05
*** ChanServ sets mode: +v stevemar22:05
marekdbigjools: i still don't get it, but you probably know what you are doing22:05
morganfainbergyeah wonderful.22:05
bigjoolsmarekd: it's ok, honest :)  We do22:06
bigjoolsargh22:06
bigjoolswe don't want a single IdP in the same way that multiple organisations don't want only one when they federate22:07
bigjoolsmarekd: so once I make an IdP an SP of another IdP, does the SP need multiple IdP <SSO> blocks in the shib-sp config?22:09
bigjoolsor is that transparent to the SP?22:09
marekdtbh i don't know, nkinder_ may help here.22:09
*** sigmavirus24 is now known as sigmavirus24_awa22:13
nkinder_bigjools: I'm not familiar with shib config on the SP side.22:14
bigjoolssadly I am intimately familiar22:14
gyeebigjools, if you want an SP to trust multiple IdPs, you can try chaining them22:14
nkinder_bigjools: I'm not sure I get the reason for multiple IdPs here either (unless you have different groups of users for different IdPs)22:14
gyeehttps://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider22:14
bigjoolsnkinder_: can you reference a doc that explains the shib IdP config?22:15
bigjoolsnkinder_: the multiple IdPs is a rollout constraint that I have22:15
*** spandhe has quit IRC22:16
bigjoolsgyee: I *think* I did that already - at least when I defined multiple MetadataProvider blocks it auto-chained them22:16
gyeemultiple blocks won't work22:17
gyeewe ended up chaining them22:17
gyeethen in the mapping, make sure you look for the particular idp22:17
*** iamjarvo has quit IRC22:18
bigjoolshow does this work with the browser session, since the new SP won't know about it22:18
gyeeI haven't tried the browser side yet, only K2K22:18
bigjoolsah ok22:19
bigjoolsthe shib session cookie that gets sent to the new SP won't hold a valid session22:19
bigjoolsK2K works differently IIRC22:20
*** ayoung has joined #openstack-keystone22:20
*** ChanServ sets mode: +v ayoung22:20
bigjoolsgyee: so when you talk about chaining, do you mean making use of the ChainingMetadataProvider?22:21
bigjoolsas per https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider#IdPMetadataProvider-ChainingMetadataProvider22:21
gyeebigjools, yes, that's in the situation where you need to trust multiple IdPs22:23
marekdgyee: you sure idp chaining will get what bigjools wants? AFAIK it's usually a matter of an idp-created cookie that makes the IdP issue an assertion again instead of asking for authentication again...22:23
bigjoolsyeah I think marekd is right22:23
marekdhttp cookie to be more specific.22:23
gyeenot sure it will work with cookies22:24
gyeethat only deals with assertions22:24
marekdgyee: a cookie is just a way to hold a session, so it's not an ultimate goal of this excercise :-)22:24
bigjoolsbut that session cookie effectively needs to work with the new SP22:25
bigjoolswithout requiring re-authn22:25
marekdbigjools: there are two cookies - idp cookie and sp cookie22:25
*** spandhe has joined #openstack-keystone22:25
bigjoolsnot according to my browser there isn't :22:25
bigjools:)22:25
marekdok, maybe it's different per implementation.22:26
*** radez has quit IRC22:26
bigjoolsI've got a _shibsession_fooxxxx cookie22:26
bigjoolsand one for Horizon22:27
bigjoolsoh actually you are right, I'm sorry.22:27
*** bknudson has quit IRC22:28
*** sbasam has quit IRC22:28
marekdi think it's nor defined per protocol specs, it's rather a matter of good practices and nicer ux implemented by idp devs.22:28
marekds/nor/not/22:28
*** btully has joined #openstack-keystone22:29
marekdanyways, i don't know how to make easily what you want to make. As long as you have a cookie you are somehow 'tied' with a session to your IdP.22:29
btullyhi there. i’m having a hard time getting devstack master running and wondering if there was a known issue with keystone22:29
bigjoolsmarekd: I will look into making the IdPs SPs of each other22:30
*** radez has joined #openstack-keystone22:30
bigjoolsthanks again for your help everyone22:30
marekdbigjools: ok, i'd look into using one idp instead of two :-)22:30
*** rwsu has quit IRC22:30
marekdseriously, where is the problem?22:31
bigjoolsmarekd: I would like to do that :)  But can't (22:31
btullyi’m seeing the following error in the log whenever i try to authenticate either through the keystone cli or through horizon22:31
btullyhttp://paste.openstack.org/show/264126/22:31
*** c_soukup has joined #openstack-keystone22:31
gyeemarekd, currency exchange :)22:31
marekdgyee: I never know when you are making fun of me :-)22:32
bigjoolsmarekd: the plan is to move to k2k when it can handle websso22:32
bigjoolsand there are effectively multiple IdPs there... :)22:32
marekdbigjools: yeah, but k2k is not a fully fledged IdP22:32
bigjoolsunderstood22:32
marekdand i don't think anybody will be trying to support all those nice features....22:33
bigjoolswhen I chatted with morganfainberg he said that we need to get it doing ECP assertions22:33
bigjoolsIIRC22:33
marekdbigjools: and it does ecp assertions22:33
morganfainbergwasn't ecp22:33
morganfainbergkeystone doesn't do the redirects22:33
bigjoolsoh, my bad memory then22:33
morganfainbergbigjools: no worries :)22:34
morganfainbergwe use ecp now for scripts etc.22:34
bigjoolsstill learning lots of stuff :)22:34
marekdmorganfainberg: keystone-idp you mean.22:34
morganfainbergmarekd: yes22:34
*** csd has quit IRC22:34
*** csoukup has quit IRC22:34
morganfainbergmarekd: since we rely on idp-initated22:34
*** dontalton has quit IRC22:35
morganfainbergif they wanted SP-initiated for K2K the redirect would need to be implemented22:35
morganfainbergbigjools: it's not easy.22:35
*** csd has joined #openstack-keystone22:35
btullymod_wsgi (pid=2850): Target WSGI script '/var/www/keystone/main' cannot be loaded as Python module22:35
marekdmorganfainberg: yeah. redirects is easy, we don't even understand <saml2:Request> messages from SP, we cannot validate such things and lot's of other stuff we *don't* support.22:35
morganfainberglots of things to think about when doing federation, heck i always 2x check before i write up how it works22:35
morganfainbergmarekd: yeah there are other things we need too.22:35
morganfainbergbut i said we were hesitent to make keystone a full IdP. not that is was off the table22:36
jamielennoxA keystone species is a species that has a disproportionately large effect on its environment relative to its abundance.[1] Such species are described as playing a critical role in maintaining the structure of an ecological community, affecting many other organisms in an ecosystem and helping to determine the types and numbers of various other species in the community.22:36
22:36 <morganfainberg> but it was something we hadn't decided if we wanted at this juncture
22:36 <bigjools> morganfainberg: I thought that we talked about doing an ECP assertion internally to get a token from the other IdP before passing control to its dashboard
22:36 <stevemar> oh jamielennox is around
22:36 <morganfainberg> stevemar: so uh
22:36 <jamielennox> that's my morning wisdom
22:36 <morganfainberg> stevemar: did you see my question?
22:36 <stevemar> morganfainberg, about release schedule?
22:36 <morganfainberg> jamielennox: going to be sending an email re that today
22:36 <morganfainberg> stevemar: yes
22:37 <jamielennox> and what happens when you mistype keystone-specs into search and instead get wikipedia
22:37 <stevemar> morganfainberg, i meant do we have a cut off day for specs and code and such?
22:37 <morganfainberg> stevemar: yes. it was announced that spec-proposal-freeze was Liberty-1
22:37 <morganfainberg> api impacting changes liberty-2
22:37 <morganfainberg> with the ability to do exceptions
22:37 *** iamjarvo has joined #openstack-keystone
22:38 *** iamjarvo has quit IRC
22:38 <stevemar> gotcha
22:38 <stevemar> just wanted it all official
22:38 <morganfainberg> stevemar: but let's avoid exceptions if we can :)
22:38 *** iamjarvo has joined #openstack-keystone
22:39 <morganfainberg> bigjools: i think we discussed that you could get an assertion destined for the original deployment (in K2K) if both were k2k targets
22:39 <morganfainberg> for each other
22:39 <bigjools> morganfainberg: right, that's what I mean.
22:39 <jamielennox> what's the API to list users in a project? do you have to do it via role assignments or something?
22:39 <morganfainberg> bigjools: and you can use the direct mapping (map to an existing user) to ensure it lands on the correct user on both sides
22:39 *** c_soukup has quit IRC
22:40 <morganfainberg> since you have direct LDAP access to supply the base identity information (ldap identity driver)
22:40 <morganfainberg> marekd: cc ^^ for what they are doing
22:41 <bigjools> morganfainberg: we're also looking at not using K2K and federating IdPs in each zone
22:41 <jamielennox> whatever it is horizon is doing it wrong
22:41 <david-lyle> wow
22:41 *** sbasam has joined #openstack-keystone
22:42 <david-lyle> that's probably true, but what are we doing wrong
22:42 <marekd> bigjools: but even if you do 'federation' you will not get what you are looking at today.
22:42 <jamielennox> david-lyle: i'm still looking at that, trying to track a bug report
22:42 <bigjools> marekd: in what way?
22:42 *** markvoelker has joined #openstack-keystone
22:42 <david-lyle> jamielennox: ok
22:42 <marekd> bigjools: this session replication.
22:43 <morganfainberg> marekd: uhm.
22:43 <morganfainberg> marekd: is that what they are asking for?
22:43 <gyee> jamielennox, GET /v3/role_assignments?scope.project.id=id&effective
22:44 <jamielennox> gyee: yuk
22:44 <morganfainberg> marekd: i might be missing the new data, but the architecture i talked to them about was
22:44 <marekd> morganfainberg: what 'them'?
22:44 <morganfainberg> marekd: AD LDAP in each side, and k2k between each side. use direct mapping rules to allow crossing the clouds w/o re-auth (username/password)
22:44 <gyee> btully, that's the latest devstack?
22:44 <btully> yes, origin/master
22:45 <morganfainberg> marekd: so you could do normal K2K workflow to move between each site w/o re-auth, but not a session replication
22:45 <gyee> looks like it's having trouble loading a driver
22:45 <gyee> not sure if the keystone.conf you have is correct
22:46 <morganfainberg> btully: hm. what permissions are on /var/www/keystone/main
22:46 <marekd> morganfainberg: yeah,
22:46 <morganfainberg> marekd: so that should be fine. if there are things outside of that i don't know if the discussion has moved.
22:47 *** iamjarvo has quit IRC
22:47 <morganfainberg> bigjools: ^ are we adding extra layering in?
22:47 <jamielennox> david-lyle: ok so https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L302 calls https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L78 which makes a mistake and translates the project= param to default_project_id
22:47 <btully> i wiped it and am rebuilding devstack, but will check once it boots up
22:47 <marekd> morganfainberg: bigjools started asking about some setup with his idp being phpsimplesaml
22:47 *** markvoelker has quit IRC
22:47 *** iamjarvo has joined #openstack-keystone
22:47 <morganfainberg> marekd: ah
22:47 <bigjools> morganfainberg: Chet talked about looking at using multiple IdPs instead of k2k using keystone as idp
22:47 <jamielennox> david-lyle: but that doesn't matter because neither project= nor default_project_id= is in the list_users controller or spec, https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#list-users or https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L219
22:47 <bigjools> my simplesamlphp is just in my test rig
22:48 <morganfainberg> bigjools: ah. oh so [site1, [keystone], [idp]] <-------> [Site2, [keystone][idp]]
22:48 <bigjools> morganfainberg: so anyway I'm just looking at this as a solution as well, but k2k is the ultimate goal.
22:48 <morganfainberg> and just jumping across w/ just the normal federation
22:48 <bigjools> morganfainberg: exactly.
22:48 <bigjools> just using separate idp instead of keystone's
22:48 <morganfainberg> e.g. i can login with the non-keystone IDP from each side.
22:48 <morganfainberg> ahhhhhhh
22:48 <morganfainberg> uhm
22:49 <morganfainberg> probably won't be as smooth, you likely want the IDP to not be tied to the site then.
22:49 <morganfainberg> and have both sides just use the same IDP [external]
22:49 <bigjools> Chet was adamant it would work :)
22:49 <jamielennox> david-lyle: so i'm trying to find anywhere in horizon where you do a user_list based on project
22:49 <morganfainberg> it would work.. but it would require an explicit re-auth in a number of cases
22:49 <marekd> morganfainberg: and this is what he wanted to avoid...
22:50 <bigjools> oh really? do you know which cases offhand?
22:50 <morganfainberg> bigjools: when you jump between sites
22:50 <morganfainberg> since each IDP is considered to own the session
22:50 <morganfainberg> marekd: yeah
22:50 <marekd> morganfainberg: exactly
22:50 <david-lyle> jamielennox: is this domain admin related?
22:50 <gyee> jamielennox, david-lyle, watch out for assignment inheritance and hierarchical stuff :)
22:50 <david-lyle> not sure where the bug came from
22:50 <bigjools> right - but apparently you can make each IdP an SP of the other IdPs to avoid the re-authn
22:50 <morganfainberg> marekd: i see what is being asked for now
22:50 *** zzzeek has quit IRC
22:50 <marekd> :-)
22:50 <morganfainberg> bigjools: oh god. uh...........
22:51 <morganfainberg> i'm going to duck out of that
22:51 <jamielennox> david-lyle: hmm, my repo is out of date and the reference i had seems to be gone
22:51 <bigjools> which, thinking about it, is kinda what you're doing with k2k
22:51 *** gordc has quit IRC
22:51 <gyee> jamielennox, which bug?
22:51 <jamielennox> gyee: not sure yet
22:51 <morganfainberg> bigjools: i don't know of people doing that as much
22:51 <bigjools> morganfainberg: me neither :)
22:51 <morganfainberg> so, it might be "supported" in some cases or cause weird effects in others
22:52 <bigjools> if it's going to be a nightmare then that's fine, I'm just looking at the option
22:52 <morganfainberg> i'd say it might be a nightmare
22:52 <david-lyle> jamielennox: without knowing what you're trying to solve, horizon direction is difficult
22:52 <morganfainberg> it may also be a misunderstanding of how the protocol handles sub-idps
22:52 <morganfainberg> i haven't looked at that type of config tbh
22:52 <marekd> me neither
22:52 <morganfainberg> i've tried to keep it simple-ish
22:52 <bigjools> I'll see if I can find out more and let you know
22:52 <morganfainberg> because simple tends to have fewer ways for things to get bound up and fewer edge cases
22:52 <bigjools> +1
22:53 <morganfainberg> bigjools: it is likely you can do things like that.
22:53 <morganfainberg> but it is going to get complex fast
22:53 <morganfainberg> very complex
22:53 <morganfainberg> and federated identity is already complex
22:53 <bigjools> tbh that's what I was thinking when I saw the k2k :)
22:53 <morganfainberg> this is like sq(complex)
22:53 <gyee> morganfainberg's inventing a new acronym KISI
22:53 <bigjools> heh
22:53 <morganfainberg> gyee: shus
22:53 <morganfainberg> h
22:53 <morganfainberg> :P
22:53 <marekd> KISI?
22:53 <jamielennox> david-lyle, gyee: so at least part of what i was seeing was fixed with: bug 1278920
22:53 <openstack> bug 1278920 in OpenStack Dashboard (Horizon) "Bad performance when editing project members" [Medium,Fix released] https://launchpad.net/bugs/1278920 - Assigned to Rodrigo Duarte (rodrigodsousa)
22:54 <morganfainberg> marekd: i think he means KSDO
22:54 <morganfainberg> KSDI*
22:54 *** ayoung has quit IRC
22:54 <gyee> KISI - Keep It Simple-Ish
22:54 <marekd> ok, need to go to bed. good night.
22:55 <morganfainberg> marekd: g'night dude
22:55 <morganfainberg> gyee: uh no.
22:55 <bigjools> nn marekd and thanks
22:55 <morganfainberg> gyee: no just no :P
22:55 <morganfainberg> we already have too many acronyms and initialisms
22:55 <gyee> heh
22:55 <bigjools> TMA
22:55 <morganfainberg> notice i am trying to type out keystonemiddleware and keystoneclient every time now
22:55 <morganfainberg> bigjools: that is a TLA
22:55 <bigjools> a specific kind of A
22:56 *** csoukup has joined #openstack-keystone
22:56 <gyee> jamielennox, yes, I can believe it
22:56 <gyee> jamielennox, we need better filtering on GET /role_assignments
22:57 <jamielennox> gyee, david-lyle: as part of that fix they moved to testing for role assignments on projects and not looking for users in a project
22:57 <jamielennox> cause that doesn't make sense in v3
22:57 <jamielennox> but that was marked juno..
22:57 <gyee> jamielennox, I am fine with GET /v3/projects/id/users
22:58 <gyee> new API
22:58 <gyee> but with assignment inheritance and hierarchical projects, I am afraid we may have to make schema changes
22:58 <gyee> otherwise, perf may suck at the service side
23:01 <dstanek> morganfainberg: caching is a good call - i'll check for that
23:01 *** csoukup has quit IRC
23:01 <morganfainberg> dstanek: yeah. this *sounds* like the endpoint is caching the token
23:02 <morganfainberg> dstanek: it is a similar thing to bug 1434034
23:02 *** packet has joined #openstack-keystone
23:02 <jamielennox> david-lyle: ok, it appears it is at least fixed upstream and the person who reported it told me the wrong info
23:03 <jamielennox> david-lyle: sorry to bug you
23:15 *** gordc has joined #openstack-keystone
23:17 *** arunkant_ has quit IRC
23:19 *** packet has quit IRC
23:27 *** chlong has joined #openstack-keystone
23:32 *** lhcheng has quit IRC
23:36 *** lhcheng has joined #openstack-keystone
23:36 *** ChanServ sets mode: +v lhcheng
23:36 *** bradjones has quit IRC
23:39 *** bradjones has joined #openstack-keystone
23:39 *** davechen_afk has quit IRC
23:43 *** hemna is now known as hemnafk
23:48 *** ayoung has joined #openstack-keystone
23:48 *** ChanServ sets mode: +v ayoung
23:54 *** fangzhou has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!