Monday, 2015-06-15

« Sunday, 2015-06-14 Index Tuesday, 2015-06-16 »
*** bjornar has quit IRC00:38
*** bjornar has joined #openstack-keystone00:42
*** nkinder__ has joined #openstack-keystone00:44
jamielennoxdo we revoke uuid tokens (or fernet tokens) by id?00:51
*** btully has quit IRC00:55
*** btully has joined #openstack-keystone00:57
*** btully has quit IRC01:01
*** liusheng has quit IRC01:09
*** btully has joined #openstack-keystone01:09
openstackgerritYuiko Takada proposed openstack/keystone: Pass environment variables of proxy to tox  https://review.openstack.org/19160201:12
*** btully has quit IRC01:13
*** nkinder__ has quit IRC01:15
*** btully has joined #openstack-keystone01:20
*** btully has quit IRC01:25
*** woodster_ has joined #openstack-keystone01:27
*** btully has joined #openstack-keystone01:33
*** btully has quit IRC01:38
*** btully has joined #openstack-keystone01:44
*** btully has quit IRC01:48
*** lhcheng has joined #openstack-keystone01:56
*** ChanServ sets mode: +v lhcheng01:56
*** btully has joined #openstack-keystone01:58
*** btully has quit IRC02:03
*** lhcheng has quit IRC02:12
*** btully has joined #openstack-keystone02:14
*** btully has quit IRC02:18
*** dimsum__ has quit IRC02:22
*** btully has joined #openstack-keystone02:27
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and session  https://review.openstack.org/11708902:28
*** nkinder__ has joined #openstack-keystone02:29
*** btully has quit IRC02:32
openstackgerritDave Chen proposed openstack/keystone: Needn't load fernet keys twice  https://review.openstack.org/19160802:32
*** dimsum__ has joined #openstack-keystone02:36
*** btully has joined #openstack-keystone02:39
*** btully has quit IRC02:43
*** btully has joined #openstack-keystone02:50
*** kiran-r has joined #openstack-keystone02:51
*** btully has quit IRC02:54
*** dimsum__ has quit IRC02:58
*** btully has joined #openstack-keystone03:02
*** btully has quit IRC03:07
*** btully has joined #openstack-keystone03:15
*** tobe has joined #openstack-keystone03:20
*** btully has quit IRC03:20
*** btully has joined #openstack-keystone03:27
*** btully has quit IRC03:31
*** btully has joined #openstack-keystone03:38
*** btully has quit IRC03:42
*** kiran-r has quit IRC03:44
*** kiran-r has joined #openstack-keystone03:44
*** lhcheng has joined #openstack-keystone03:45
*** ChanServ sets mode: +v lhcheng03:45
*** btully has joined #openstack-keystone03:49
*** lhcheng has quit IRC03:53
*** btully has quit IRC03:54
*** dimsum__ has joined #openstack-keystone03:58
*** btully has joined #openstack-keystone04:01
*** dimsum__ has quit IRC04:03
*** btully has quit IRC04:06
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Convert adapter to keystoneauth  https://review.openstack.org/19162704:13
*** btully has joined #openstack-keystone04:13
*** btully has quit IRC04:18
*** kiran-r has quit IRC04:25
*** lhcheng has joined #openstack-keystone04:26
*** ChanServ sets mode: +v lhcheng04:26
openstackgerritJamie Lennox proposed openstack/keystoneauth: Removes temporary fix for doc generation  https://review.openstack.org/19163304:28
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove functional tests from tox  https://review.openstack.org/19163404:30
*** btully has joined #openstack-keystone04:30
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove unused fixtures  https://review.openstack.org/19163504:32
*** kiran-r has joined #openstack-keystone04:32
openstackgerritJamie Lennox proposed openstack/keystoneauth: Drop use of 'oslo' namespace package  https://review.openstack.org/19163604:33
*** kiranr has joined #openstack-keystone04:33
*** btully has quit IRC04:34
openstackgerritJamie Lennox proposed openstack/keystoneauth: Typo in openstack client help  https://review.openstack.org/19163704:35
openstackgerritJamie Lennox proposed openstack/keystoneauth: Ensure that failing responses are logged  https://review.openstack.org/19163804:35
*** kiran-r has quit IRC04:37
*** kiranr is now known as kiran-r04:37
openstackgerritJamie Lennox proposed openstack/keystoneauth: Prompt for password on CLI if not provided  https://review.openstack.org/19163904:41
openstackgerritJamie Lennox proposed openstack/keystoneauth: Support discovery on the AUTH_INTERFACE  https://review.openstack.org/19164104:44
openstackgerritJamie Lennox proposed openstack/keystoneauth: Provide a means to get all installed plugins  https://review.openstack.org/19164204:45
*** btully has joined #openstack-keystone04:47
openstackgerritJamie Lennox proposed openstack/keystoneauth: Cleanup fixture imports  https://review.openstack.org/19164304:54
openstackgerritJamie Lennox proposed openstack/keystoneauth: Stop using function deprecated in Python 3  https://review.openstack.org/19164404:57
openstackgerritJamie Lennox proposed openstack/keystoneauth: Use random strings for test fixtures  https://review.openstack.org/19164504:58
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add get_communication_params interface to plugins  https://review.openstack.org/19164605:02
*** davechen_afk is now known as davechen05:32
*** kiran-r has quit IRC05:39
*** bradjones has quit IRC05:46
*** belmoreira has joined #openstack-keystone05:47
*** bradjones has joined #openstack-keystone05:49
*** bradjones has quit IRC05:49
*** bradjones has joined #openstack-keystone05:49
*** henrynash has joined #openstack-keystone06:02
*** ChanServ sets mode: +v henrynash06:02
*** Kennan2 has joined #openstack-keystone06:03
*** Kennan has quit IRC06:04
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove _get_service_endpoints function  https://review.openstack.org/19165906:07
openstackgerritMerged openstack/keystoneauth: Fetch Service Providers urls from auth plugins  https://review.openstack.org/18962506:09
openstackgerritMerged openstack/keystoneauth: Properly handle Service Provider in token fixtures  https://review.openstack.org/18980306:09
*** liusheng has joined #openstack-keystone06:09
*** mabrams has joined #openstack-keystone06:12
*** Kennan2 is now known as Kennan06:14
openstackgerritMarek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858106:28
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove double call to normalize function  https://review.openstack.org/19166906:41
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make _is_endpoint_type_match function public  https://review.openstack.org/19167006:41
*** tobe has quit IRC06:44
*** kiran-r has joined #openstack-keystone06:54
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make _is_endpoint_type_match function public  https://review.openstack.org/19167007:00
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make normalize_endpoint_type public  https://review.openstack.org/19167207:00
marekdjamielennox: Hello, still on AUS west coast?07:07
*** tobe has joined #openstack-keystone07:07
jamielennoxmarekd: still there07:08
*** liusheng has quit IRC07:08
*** liusheng has joined #openstack-keystone07:09
jamielennoxmarekd: with https://review.openstack.org/#/c/187516/07:16
jamielennoxhow come we ported that to keystoneauth and not keysotneclient?07:16
*** woodster_ has quit IRC07:21
*** chlong has quit IRC07:34
openstackgerritJamie Lennox proposed openstack/keystoneauth: Split plugin loading  https://review.openstack.org/19059407:43
marekdjamielennox: eventaully ksc will not depend on ksa also in that matter?07:46
jamielennoxmarekd: ksc will depend on it - it's ok i just found somewhere where making that change wasn't compatible with keystoneclient unit tests07:46
jamielennoxi just cherry-picked it over to my ksc branch as well07:47
jamielennoxno big deal, i was just wondering if there was a reason07:47
marekdjamielennox: eh, we really need to double the efforts by proposing everything to ksa and ksc?07:48
marekdjamielennox: i am looking at https://review.openstack.org/#/c/190594/ is it going to help with k2k being more user friendly and solving all the problems we spend discussing last week regarding k2k ?07:48
jamielennoxmarekd: it depends, if you can live with it being ksa only then it shouldn't have to07:48
jamielennoxbut it was just that in this case it was a change of behaviour that i either needed to port to ksc, or provide a compatibility layer between the 207:49
marekdjamielennox: looking at the pace were features are being landed and that sometimes it takes weeks to land a relatively simple patch i think we all should be good to wait another few weeks and wait for ksa....07:49
jamielennoxmarekd: i think it will help people conceptually more than fix the problem07:49
jamielennoxso we are still going to have problems with loading mutliple sets of plugins07:50
marekdjamielennox: ok.07:50
jamielennoxbut it means we break the link that there is only one way to load each type of plugin07:50
*** browne has quit IRC07:50
marekdwhat is type of plugin - password vs token plugin ?07:50
jamielennoxso if we do a 'simplek2k' and a 'complexk2k' then they can have completely different mechanisms for how they present their options to users, but underneath they can rely on the same K2K plugin that will actually do the work07:51
jamielennoxeach class07:51
marekdjamielennox: ack.07:51
jamielennoxmarekd: it's also something that OSC and OCC wanted to split so they could have control over the loading without modifying the plugins07:52
marekdok07:52
*** rlt has joined #openstack-keystone07:59
marekdjamielennox: remind me, please. It will be OSC to provide options like --os-cloud-project-id and simply pass them as os_project_idargument to K2K.__init__(), right?07:59
jamielennoxmarekd: more or less, the plugins will tell OSC what they want and OSC will do its best to get them in the parameter names they expect08:00
marekdjamielennox: do we need to wait for some work you are doing now?08:00
marekdcause i don't see "do its best to get them [...]" step08:01
jamielennoxmarekd: that will work today, if in ksa we move it i'll make sure everything still works08:01
*** lhcheng has quit IRC08:02
jamielennoxmarekd: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/base.py#L288 is what i mean by getting options08:02
jamielennoxbut OSC/OCC did something simimlar but not exactly the same :(08:02
*** lhcheng has joined #openstack-keystone08:03
*** ChanServ sets mode: +v lhcheng08:03
marekdjamielennox: what is a namespace here?08:04
jamielennoxmarekd: that's what's returned from argparse.ArgumentParser.parse_arguments()08:04
*** lhcheng has quit IRC08:08
*** pnavarro has joined #openstack-keystone08:09
marekdok, i am going to finish k2k plugin as another auth plugin, and wait for some of your patches merge to we can somehow combine it with other plugins for local auth.08:11
*** fhubik has joined #openstack-keystone08:17
openstackgerritDave Chen proposed openstack/keystone-specs: Use oslo-versioned-objects to deal with upgrades  https://review.openstack.org/16719508:21
*** belmoreira has quit IRC08:22
*** jorge_munoz has quit IRC08:26
*** jorge_munoz has joined #openstack-keystone08:28
*** fhubik is now known as fhubik_afk08:37
*** dguerri` is now known as dguerri08:37
*** dguerri has quit IRC08:43
*** dguerri has joined #openstack-keystone08:43
openstackgerritMarek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities  https://review.openstack.org/18888108:47
marekdjamielennox: remember my use-case about image sharing between clouds?09:04
marekdjamielennox: a client would create a glance task (a job running in the background ) for pushing images into trusted clouds (glances).09:05
*** krykowski has joined #openstack-keystone09:07
*** gabriel-bezerra has quit IRC09:23
*** ericksonsantos has quit IRC09:23
*** afaranha has quit IRC09:24
*** tellesnobrega has quit IRC09:24
*** samueldmq has quit IRC09:24
*** fhubik_afk is now known as fhubik09:24
marekdjamielennox: then you stated that you'd prefer to k2k plugin at the client console would resolve all identity steps, and simply handle remote scoped token to a local glance, probably somewhere in new http header, and glance would create this task with use of the token.09:30
*** e0ne has joined #openstack-keystone09:30
marekdjamielennox: as image sharing is going to support push model with 1:N ration (one source pushing to multiple clients) i see some problem with sending scoping information in the headers/reqiests to kmw+k2k does all the job. I am wondering if you see any potential way on how to do this in the future....I'd rather prefer to avoid client to always do the scoping steps and managing all the requests all the time.09:33
*** rushiagr_away is now known as rushiagr09:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040509:38
*** afazekas has joined #openstack-keystone09:39
*** e0ne has quit IRC09:40
*** e0ne has joined #openstack-keystone09:47
*** lhcheng has joined #openstack-keystone09:52
*** ChanServ sets mode: +v lhcheng09:52
*** f13o has joined #openstack-keystone09:56
*** lhcheng has quit IRC09:57
*** Kennan2 has joined #openstack-keystone10:03
*** Kennan has quit IRC10:05
*** dimsum__ has joined #openstack-keystone10:09
*** aix has joined #openstack-keystone10:10
openstackgerritMerged openstack/keystone-specs: v3 credentials project_id is not optional for type=ec2  https://review.openstack.org/19066010:14
*** marzif_ has joined #openstack-keystone10:18
*** ncoghlan has quit IRC10:26
*** fhubik is now known as fhubik_afk10:29
*** e0ne is now known as e0ne_10:32
*** fhubik_afk is now known as fhubik10:32
*** e0ne_ has quit IRC10:39
*** marzif_ has quit IRC10:41
*** marzif_ has joined #openstack-keystone10:41
*** e0ne has joined #openstack-keystone10:41
*** kiranr has joined #openstack-keystone10:43
*** kiran-r has quit IRC10:43
*** krykowski has quit IRC10:48
*** amakarov_away is now known as amakarov10:55
*** kiran-r has joined #openstack-keystone10:55
*** kiranr has quit IRC10:55
*** samueldmq has joined #openstack-keystone10:57
*** tellesnobrega has joined #openstack-keystone10:57
*** ericksonsantos has joined #openstack-keystone10:58
*** afaranha has joined #openstack-keystone10:58
*** krykowski has joined #openstack-keystone11:01
*** fhubik is now known as fhubik_afk11:08
*** fhubik_afk is now known as fhubik11:12
*** rushiagr is now known as rushiagr_away11:15
*** marzif_ has quit IRC11:24
*** tobe has quit IRC11:25
*** rushiagr_away is now known as rushiagr11:27
*** marzif_ has joined #openstack-keystone11:27
*** gabriel-bezerra has joined #openstack-keystone11:27
*** aix has quit IRC11:28
*** e0ne is now known as e0ne_11:36
*** iurygregory has joined #openstack-keystone11:37
*** e0ne_ is now known as e0ne11:39
*** lhcheng has joined #openstack-keystone11:41
*** ChanServ sets mode: +v lhcheng11:41
*** jdennis has joined #openstack-keystone11:45
*** lhcheng has quit IRC11:45
*** fhubik is now known as fhubik_afk11:48
*** henrynash has quit IRC11:57
*** fhubik_afk is now known as fhubik11:58
*** lhcheng has joined #openstack-keystone12:05
*** ChanServ sets mode: +v lhcheng12:05
*** lhcheng has quit IRC12:09
*** bradjones has quit IRC12:13
*** bradjones has joined #openstack-keystone12:15
*** bradjones has quit IRC12:15
*** bradjones has joined #openstack-keystone12:15
*** aix has joined #openstack-keystone12:15
*** chlong has joined #openstack-keystone12:20
*** belmoreira has joined #openstack-keystone12:21
*** e0ne is now known as e0ne_12:28
*** e0ne_ is now known as e0ne12:28
*** edmondsw has joined #openstack-keystone12:29
*** marzif_ has quit IRC12:33
*** raildo has joined #openstack-keystone12:34
*** HT_sergio has quit IRC12:35
*** woodster_ has joined #openstack-keystone12:45
*** bknudson has joined #openstack-keystone12:48
*** ChanServ sets mode: +v bknudson12:48
*** dimsum__ has quit IRC12:52
*** MaxV has joined #openstack-keystone12:52
MaxVhello all, I have an issue when I want to setup keystone with the v312:52
MaxVI get a 401 when I use the token_endpoint12:53
MaxVand when I use the following curl http://docs.openstack.org/developer/keystone/api_curl_examples.html#getting-a-token-from-a-token12:53
MaxVI get a 40412:53
MaxVWith the same config I can successfuly auth on the v2 endpoint12:54
*** f13o has quit IRC12:54
*** dimsum__ has joined #openstack-keystone12:54
*** dimsum__ is now known as dims12:55
*** dims has quit IRC12:55
*** dims has joined #openstack-keystone12:56
*** dtroyer has quit IRC13:04
*** kodoku has joined #openstack-keystone13:05
*** dsirrine has joined #openstack-keystone13:07
kodokuHi, Anyone know this issue ==> ERROR keystone.common.wsgi [-] (OperationalError) (2005, "Unknown MySQL server host 'vdc0009' (0)") None None      But nslookup and ping for vdc0009 works :/13:07
kodokuAnd If I restart keystone service, works13:07
marekdkodoku: maybe try with FQDN ?13:08
kodokumarekd It's with FQDN but I cut it for discretion on IRC :)13:09
*** jaosorior has joined #openstack-keystone13:10
edmondswMaxV: can you get a token ok from scratch? and what identity backend are you using?13:10
MaxVedmondsw: I use mysql13:11
MaxVedmondsw: If I setup users with V2 I can retrieve tokens13:11
kodokumarekd I have this trace too ==>  ERROR sqlalchemy.pool.QueuePool [-] Exception closing connection <_mysql.connection closed at 4c45c50>13:12
edmondswMaxV: this working? http://docs.openstack.org/developer/keystone/api_curl_examples.html#project-scoped13:12
MaxVedmondsw: but in the case I want to setup keystone only with the v3 endpoints (using the admin token)13:12
MaxVedmondsw: I do not even have any project13:12
marekdkodoku: hm, some problem with OS, network?13:12
*** radez_g0n3 is now known as radez13:12
edmondswMaxV: no projects? You'll need a project13:12
MaxVedmondsw: this is a setup from scratch13:12
marekdor sqlalchemy connections pool is overflowing13:13
marekd(if there is such possiblity, not sure)13:13
MaxVedmondsw: I start with nothing, only a token_admin13:13
kodokumarekd I use Rhel 7.1, Juno 2014.2.2 With Rdo package. Mariadb for backend13:13
*** kiran-r has quit IRC13:13
MaxVedmondsw: which works well with v213:13
marekdkodoku: some big loads or just test env ?13:13
marekdkodoku: how often does it starts dropping connections ?13:14
kodokumarekd hum ~200VMs with 30 users13:14
*** rushiagr is now known as rushiagr_away13:14
kodokuI have this error 10 times a day13:14
kodokuper day*13:15
kodokuwithout restart keystone13:15
edmondswMaxV: create a project... E.g.: /usr/bin/openstack --insecure project create Default --description "My Default Tenant" --domain Default13:15
edmondswMaxV: set the SERVICE_TOKEN and SERVICE_ENDPOINT env vars before running that13:16
marekdkodoku: "Exception closing connection" -> i'd google for this. This might look like sqlalchemy tries to close connection, something goes wrong (the questins is why) so it may not really close connection and there might somthing stay dangling in the memory/OS13:16
kodokumarekd full trace http://paste.openstack.org/show/294129/13:17
kodokuControlleur have 6 GB for RAM, 4GB use now. BDD have 4GB For RAM and 2 used13:18
*** fhubik is now known as fhubik_afk13:22
dstanekkodoku: are you using the correct port too? i wonder if that's just a general connectivity message13:22
marekddstanek: he says after restart it works. i am wondering whether there is some race condition or something, or there is a network problem and sqlalch gets crazy....13:23
dstaneknetwork problem seems likely13:24
kodokudstanek marekd yes I use default port, keystone works but I have this trace 10 time per days. And after this trace, keystone works13:24
dstanekmaybe running a command line mysql client from the keystone server would see the same issue?13:24
kodokuI guess keystone restart sql connection13:24
marekdkodoku: or set of descriptors is being cleaner.13:25
marekdcleaned13:25
marekdkodoku: run mysql client from keystone server and try to add some load to it....13:26
marekdkodoku: just like dstanek suggested.13:26
marekdkodoku: i'd suggest running some wireshark and sniff a little bit13:26
marekdmaybe on both sides - keystone and db server.13:26
MaxVedmondsw: It only works with the v2 endpoint13:26
marekddstanek: interesting is that is eventually says the mysql server cannot be found.13:27
edmondswdid you give the user you're trying to use a role grant on the project you created?13:27
marekdhttp://paste.openstack.org/show/294129/13:27
kodokumarekd Ok I need to install mysql client on controler13:27
dstanekmarekd: that's why i think it's a networking thin13:27
dstanekg13:27
MaxVedmondsw: there is no user at this point13:28
marekddstanek: yep, i thought the same.13:28
edmondswMaxV: you may need someone else to help you... no project, no users... if that's possible (even with v2) it's news to me13:28
MaxVa from scratch setup only use an admin_token, and it seems that this behavior is broken for the v3 endpoint13:29
kodokudstanek but nodes is VM, on same ESX with HA in strong datacenter13:30
kodokuand sql is TCP connection13:30
kodokuI guess is not a network pb13:30
dstanekkodoku: that doesn't mean you can't have any networking issues13:30
kodokudstanek With icehouse, I have not this issue13:31
*** fhubik_afk is now known as fhubik13:31
kodokujust after juno update13:31
dstanekkodoku: i still think you need to debug it the same way13:32
*** edmondsw has quit IRC13:34
*** edmondsw has joined #openstack-keystone13:38
*** jdennis has quit IRC13:42
*** krykowski has quit IRC13:50
*** jdennis has joined #openstack-keystone13:54
lbragstadmorganfainberg: you've never ran into https://github.com/dolph/next-review/issues/21 with next-review have you?13:56
marekdmorganfainberg: would you care +1 this? https://review.openstack.org/#/c/190619/13:57
lbragstadcc: dolphm ^13:58
marekdlbragstad: would you like to +A this patch: https://review.openstack.org/#/c/188302/ ?13:58
lbragstadmarekd: sure, let me give it a review13:58
marekdlbragstad: no rush!13:58
*** MaxV has quit IRC13:59
*** henrynash has joined #openstack-keystone14:04
*** ChanServ sets mode: +v henrynash14:04
*** stevemar has joined #openstack-keystone14:12
*** ChanServ sets mode: +v stevemar14:12
*** dsirrine has quit IRC14:13
*** dsirrine has joined #openstack-keystone14:16
*** mabrams has quit IRC14:21
*** openstackgerrit has quit IRC14:24
*** obedmr has joined #openstack-keystone14:24
*** openstackgerrit has joined #openstack-keystone14:24
*** csoukup has joined #openstack-keystone14:26
*** sigmavirus24_awa is now known as sigmavirus2414:28
*** kodoku has quit IRC14:31
*** htruta has joined #openstack-keystone14:34
*** kiran-r has joined #openstack-keystone14:39
*** browne has joined #openstack-keystone14:52
*** diazjf has joined #openstack-keystone14:57
*** zzzeek has joined #openstack-keystone14:58
*** ayoung has joined #openstack-keystone15:00
*** ChanServ sets mode: +v ayoung15:00
*** dguerri is now known as dguerri`15:01
*** pnavarro has quit IRC15:04
*** dguerri` is now known as dguerri15:05
*** kiranr has joined #openstack-keystone15:09
*** kiran-r has quit IRC15:09
*** bdossant has joined #openstack-keystone15:12
*** kfox1111_ has quit IRC15:13
dolphmlbragstad: specify the entire project, like openstack/keystone15:14
*** belmoreira has quit IRC15:18
*** e0ne is now known as e0ne_15:22
*** browne has quit IRC15:23
*** HT_sergio has joined #openstack-keystone15:26
*** e0ne_ has quit IRC15:32
*** e0ne has joined #openstack-keystone15:35
*** dsirrine has quit IRC15:38
*** spandhe has joined #openstack-keystone15:38
*** dsirrine has joined #openstack-keystone15:39
*** fhubik has quit IRC15:44
*** jaosorior has quit IRC15:45
*** kiranr has quit IRC15:46
*** kiranr has joined #openstack-keystone15:47
*** kfox1111 has joined #openstack-keystone15:49
*** nkinder__ has quit IRC15:50
*** kiranr is now known as kiran-r15:50
*** afazekas has quit IRC15:50
kfox1111Any further thoughts on https://review.openstack.org/#/c/186617 ?15:51
kfox1111I'd really like to get into implementing it if the general theory is ok.15:51
*** kiran-r has quit IRC15:51
*** kiran-r has joined #openstack-keystone15:52
bknudsonkfox1111: if this is changing the API then it needs to update the API spec: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html15:53
*** MaxV has joined #openstack-keystone15:55
kfox1111its completely in the nova space.15:57
kfox1111it just uses keystone as it exists today, similary to how heat uses it.15:57
*** dsirrine has quit IRC15:57
kfox1111but the reviewers would like keystone to weigh in since it uses keystone.15:57
*** dsirrine has joined #openstack-keystone15:58
*** thedodd has joined #openstack-keystone15:58
kfox1111it gives each vm that needs it, its own keystone user, which is kind of a new thing, though could be done maually all along.15:59
stevemarkfox1111, what's the benefit of that?15:59
bknudsonthat sounds like what heat is doing15:59
bknudsonI'd like to see these things implemented with federation.16:00
kfox1111stevemar: see the spec.16:00
kfox1111couple of reasons.16:00
kfox1111vm's need to interact with openstack services the same way users do.16:00
*** kiran-r has quit IRC16:00
kfox1111for example, to download a secret from the barbican secret store, or to post a message to a zaqar queue.16:01
kfox1111openstack services require keystone authentication, so having vm's be able to have an account means each service doesn't have to come up with a totally different authentication mechanism.16:01
kfox1111bknudson: how does federation help?16:02
*** kiran-r has joined #openstack-keystone16:02
kfox1111bknudson: heat would have its own keystone?16:02
*** kiran-r has quit IRC16:02
*** kiranr has joined #openstack-keystone16:02
*** Guest67074 is now known as redrobot16:02
bknudsonheat knows what its users are and keeps track of them rather than trying to keep keystone in sync16:03
*** kiranr is now known as kiran16:03
*** kiran is now known as kiran-r16:03
kfox1111bknudson: They create keystone users in a heat domain these days.16:04
bknudsonand they destroy the users?16:04
bknudsonhow do they keep the users in sync?16:05
kfox1111besides, this isn't about one service managing users for itself.16:05
*** kiran-r has quit IRC16:05
kfox1111assume something like heat template -> nova -> instance -> barbican16:05
*** kiran-r has joined #openstack-keystone16:05
kfox1111heat sets up the barbican acl, the instance downloads the secret.16:05
*** kiran-r has quit IRC16:05
kfox1111they keep things in sync as part of the stack.16:05
*** kiran-r has joined #openstack-keystone16:05
kfox1111the engine does it.16:05
kfox1111each stack tends to have a minimum of one keystone user.16:06
kfox1111thats kind of a digression though. Just mentioning it since there is precident for over a year of a project doing something very similar.16:07
*** roxanaghe has joined #openstack-keystone16:08
bknudsonthe problem is the keystone sql backend has weak security16:09
bknudsonso I wouldn't choose to use it16:09
kfox1111implementation detail. shouldn't matter to the nova spec. the deployer can choose whatever keystone backend they want.16:10
bknudsonand while the LDAP backend can be secure, you shouldn't allow keystone to create users in it.16:10
kfox1111What I'm really trying to acomplish is folks putting secrets in heat templates / nova user data.16:11
kfox1111thats WAY less secure then having a keystone user/password in a database. :/16:11
kfox1111the secret gets into both the heat/nova database and even persists after the instance is deleted since its a soft delete.16:11
bknudsonthat is worse16:11
kfox1111I'd like secrets to only live in barbican.16:12
bknudsonmaybe use x509 certificates instead16:12
kfox1111then let the instance somehow get a credential to talk to barbican to get the secrets.16:12
bknudsonclient certs16:12
kfox1111arg...16:12
kfox1111how do you get a cert to the instance so it can get secrets?16:12
kfox1111chicken and the egg.16:12
kfox1111secret to vm so it can get a secret. :/16:12
bknudsonsome kind of injection, through cloud-init16:12
bknudsoncan't you set up a ssh key?16:13
kfox1111then it still hits the nova db in userdata, that outlasts16:13
kfox1111deletes.16:13
*** hogepodge has quit IRC16:13
kfox1111then you cant autoscale.16:13
kfox1111the spec allows nova to maintain a keystone username/password and only hand out keystone tokens to the vm.16:13
kfox1111no one ever knows the instance user's username/password but nova.16:13
kfox1111and the vm has a way to get fresh tokens.16:14
bknudsonhow long do you need that token to be valid?16:14
kfox1111a short time. the vm can always get a new one.16:14
bknudsonbecause tokens expire and get invalidated on password change and such16:14
bknudsonif the vm can get a token itself then why send a token?16:15
kfox1111yup. thats ok. the usual case will be "get token, grab secrets from container"16:15
kfox1111or "grab token, connect to zaqar queue"16:15
*** kiran-r has quit IRC16:15
*** kiran-r has joined #openstack-keystone16:15
kfox1111because it needs to talk to barbican or zaqar.16:15
kfox1111which are on different machines, provided by the cloud.16:16
kfox1111how does an instance provide authentication to openstack services without a keystone token?16:16
bknudsonyou mean from inside the vm itself?16:17
kfox1111yes.16:17
bknudsonthat's a good question... we haven't had to do that before? maybe not.16:18
kfox1111thats what the instance user spec is all about.16:18
kfox1111instances need users to be able to talk to other openstack services.16:18
kfox1111This provides a mechanism to do so.16:18
kfox1111amazon does something similar.16:18
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: move PKI-specific tests into the appropriate class  https://review.openstack.org/19187316:19
openstackgerritDavid Stanek proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076916:19
bknudsonkfox1111: if we make it the same interface as amazon then we can run amazon instances in openstack16:19
*** henrynash has quit IRC16:19
bknudsonany way to adapt?16:19
dstanekbknudson: ^ oslo_config is stupid16:20
kfox1111I think they rely too much on the advanced features of the IAM they have to make them totally compatable at this point.16:20
*** hogepodge has joined #openstack-keystone16:20
bknudsonmaybe something for future... no problem having openstack-specific for now.16:20
kfox1111I'm sure once keystone gains those features, the ec2 compatability project will pick them up.16:21
kfox1111yup.16:21
*** kiran-r has quit IRC16:21
kfox1111can you please have a look at the spec when you get a few mintues and weigh in? The nova folks would really like to know if the keystone folks think the world would break if it was accepted.16:23
kfox1111I'd really appreciate it.16:23
dimsjamielennox: were you the one telling me about a jsonhome impl?16:25
bknudsondims: https://github.com/jamielennox/jsonhome/tree/master/jsonhome16:26
dimsbknudson: ah thanks16:27
*** diazjf1 has joined #openstack-keystone16:29
*** diazjf has quit IRC16:29
*** gyee_ has joined #openstack-keystone16:30
*** diazjf1 has quit IRC16:31
*** kiran-r has joined #openstack-keystone16:32
*** henrynash has joined #openstack-keystone16:34
*** ChanServ sets mode: +v henrynash16:34
*** spandhe_ has joined #openstack-keystone16:35
*** spandhe has quit IRC16:37
*** spandhe_ is now known as spandhe16:37
lbragstaddolphm: thanks! that seems to have been the issue16:37
*** dsirrine has joined #openstack-keystone16:41
*** bdossant has quit IRC16:43
*** _cjones_ has joined #openstack-keystone16:44
*** henrynash has quit IRC16:50
*** browne has joined #openstack-keystone16:51
*** dguerri is now known as dguerri`16:53
openstackgerritMichael Tupitsyn proposed openstack/keystone: Fix debug message in flush_expired_tokens job  https://review.openstack.org/19115716:53
*** richm has joined #openstack-keystone16:57
*** MaxV has quit IRC17:00
*** e0ne has quit IRC17:02
*** tqtran has joined #openstack-keystone17:08
*** kiran-r has quit IRC17:11
*** lhcheng has joined #openstack-keystone17:26
*** ChanServ sets mode: +v lhcheng17:26
*** dims has quit IRC17:27
*** lhcheng_ has joined #openstack-keystone17:27
*** dims has joined #openstack-keystone17:28
*** Ephur has joined #openstack-keystone17:29
*** lhcheng has quit IRC17:31
*** henrynash has joined #openstack-keystone17:31
*** ChanServ sets mode: +v henrynash17:31
*** henrynash has quit IRC17:37
*** RichardRaseley has joined #openstack-keystone17:39
notmynamedoes keystone allow for setting multiple URLs for a given catalog entry?18:00
notmynamesetting/returning18:00
*** dsirrine has quit IRC18:04
*** dsirrine has joined #openstack-keystone18:05
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: DO NOT MERGE: Add K2K federation auth plugin  https://review.openstack.org/19192218:06
*** aix has quit IRC18:09
*** stevemar2 has joined #openstack-keystone18:09
*** ChanServ sets mode: +v stevemar218:09
*** stevemar has quit IRC18:09
*** spandhe_ has joined #openstack-keystone18:12
*** spandhe has quit IRC18:12
*** spandhe_ is now known as spandhe18:12
gyee_notmyname, you mean multiple URLs per "interface"? like multiple "public" URLs?18:13
notmynameyeah18:14
gyee_can't18:14
notmynameeg if I have 10 servers but no load balancer can I expose all 10 URLs for a given service catalog entry18:14
notmynameok18:14
notmynamegood to know. thanks18:14
openstackgerritMerged openstack/keystone: Mapping Engine CLI  https://review.openstack.org/18830218:15
*** dguerri` is now known as dguerri18:15
kfox1111notmyname: you could use dns for that?18:17
kfox1111put all the ip addresses on the one dns name, then put the dns name in keystone.18:17
notmynameof course :-)18:18
notmynamethis comes up based on some conversations around the office. just curious what's possible today18:18
kfox1111ah. :)18:19
*** dguerri is now known as dguerri`18:21
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: DO NOT MERGE: Add K2K federation auth plugin  https://review.openstack.org/19192218:23
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: move PKI-specific tests into the appropriate class  https://review.openstack.org/19187318:24
dolphmstevemar2: managed to have a pep8 violation on https://review.openstack.org/#/c/191873/18:25
stevemar2dolphm, dolphm2 d'oh!18:25
stevemar2re +2'ed18:25
dolphmstevemar2: danke!18:26
stevemar2dolphm, while you're here - thoughts on this18:27
stevemar2https://bugs.launchpad.net/python-openstackclient/+bug/145725718:27
openstackLaunchpad bug 1457257 in python-openstackclient "If user's password ends with "{" and OS_TOKEN is set, client crashes" [Low,Incomplete]18:27
ayoungmorganfainberg, so, I have a presentation on Keystone tomorrow.  I'm hacking apart a bunch of my old presentations...was wondering if I could steal some of yours?18:27
kfox1111ayoung: Good morning.18:28
dolphmstevemar2: what's the backtrace?18:28
ayoungkfox1111, OK...so you have to decide what you are optimizing for18:28
stevemar2ayoung, morganfainberg is afk this week (or spotty attendance at best), i can hook you up with what I used for CIS?18:28
ayoungstevemar2, yes please18:28
stevemar2dolphm, pfft, as if i wrote that bug18:28
morganfainbergstevemar2: feel free to share my modified version w/ ayoung as well.18:29
stevemar2morganfainberg, rgr18:29
kfox1111ayoung: with reguard to the instance user thing?18:29
ayoungkfox1111, ok...lets take it from the top:  you want it so a VM can get a secret.  You don't want to store the secret in the VM18:29
ayoungright18:29
kfox1111I'm ok with the vm having the secret, since it needs it. its a matter of how to get it there.18:30
ayoungkfox1111, so you are talking about puitting the secret into Barbican.  But you want one user to have multiple secrets, and VMs sghould be insulated from each other18:30
morganfainbergkfox1111: I'll comment on the spec, but fwiw identity user management Apis are not and will not be designated via Defcore. This means that feature is likely never going to be interoperable between clouds.18:30
morganfainbergkfox1111: expect my comments later today. /me goes back to being more AFK for a bit.18:30
ayoungkfox1111, not talking about the password yet, but, right18:30
kfox1111morganfainberg: yeah. I understand. thanks. :)18:31
ayoungkfox1111, so  last we talked, I told you that putting the password in Nova was a bad idea.18:31
kfox1111ayoung: with you so far.18:31
ayoungI stand by that;18:31
ayoungwhat I would say is the "right" way to do it is this:18:31
kfox1111I don't disagree, but that is an implementation detail that can be changed without changing the workflow once a better mechanism is implemented.18:31
ayoungif  a secret resource is owned by a user, and that user wants to have different VMs have access to different secret resources, then we need two things:18:32
ayoung1.  the trust should be (somehow) limited in scope to the resource and18:32
ayoung2.  A VM gets an identity, and uses the trust to get the secret resource18:33
*** rlt has quit IRC18:33
*** spandhe_ has joined #openstack-keystone18:33
kfox1111ok. lets go through it.18:33
ayoungnow...that is probably the most invasive solution, as it requires changs in a couple places...lets lay out what we have to work with today18:33
ayoungwe have trusts, which are expected to be scoped to a trustee, and use the project abstraction to keep resources separate18:34
ayoungthe VMs do not have a service user yet18:34
ayoungVMs get their config options from Meta data fetched via cloud init.18:34
ayoungI would say that, today, the best option is to have separate of secrest via proejcts,  and then create a trust with the service user  as trustee18:35
*** spandhe has quit IRC18:36
*** spandhe_ is now known as spandhe18:36
ayoungand then the VM would have its own authentication and trust execution to get access to the resource stored in Barbican18:36
ayoungkfox1111, now...could you please attack that approach, and show where that does not support your use case?18:36
kfox1111ok.18:37
stevemar2ayoung, i PMed you a few links18:37
ayoungI really want to get to a good solution here18:37
kfox1111sure.18:38
kfox1111so... lets go back up a step farther because I think its important.18:38
kfox1111we have non admin's that are going to be running this workflow.18:38
kfox1111they themselves are not going to be allowed to create Keystone accounts in any domain.18:39
kfox1111So, firstly, how do we create the instance keystone accounts? and second, how do we safely get the creds to the vm?18:39
kfox1111Another issue, how does the user create the projects that you then associate the secrets to?18:40
bknudsonshould be using federation, where nova is the IdP. Need to generate SAML assertions.18:40
kfox1111...18:40
kfox1111wow... um, ok. let me thing through that one for a sec...18:41
kfox1111so, I guess that's just a different way for nova -> keystone authentication. It replaces storing the password in the db of the spec. Nothing else changes I think though.18:42
ayoungkfox1111, "they themselves are not going to be allowed to create Keystone accounts in any domain."  I can't accept this as a limitation18:42
ayoungIt is artificial, and not somethign we can design around18:42
kfox1111ayoung: Sorry, but that's a policy problem your going to run into at a lot of production sites.18:42
kfox1111the extra user is needless too.18:42
ayoungkfox1111, then the solution is intractable.  Its like sayiong "we can't create any more virtual machines"18:43
kfox1111I mean, that's using a sledge hammer when a regular one's sufficient.18:43
ayoungkfox1111, Heat already creates service users.  OAUTH calls things Consumers instead of users, but they are the same thing18:43
kfox1111kfox1111: exactly. I'm trying to implement service users in nova rather then heat. Why is that different?18:44
dolphmstevemar2: did you see my comment on https://bugs.launchpad.net/python-openstackclient/+bug/1457257 ?18:44
openstackLaunchpad bug 1457257 in python-openstackclient "If user's password ends with "{" and OS_TOKEN is set, client crashes" [Low,Incomplete]18:44
ayoungkfox1111, kfox1111 a User record is not more of a slegehammer than any other record in any other database table.  A user is simply a long term statement of identity18:45
kfox1111ayoung: one of the problems I'm trying to deal with is allowing instance's lifespan to match the project, not match the user that launched them's employment.18:45
kfox1111the project is the unit of ownership. if the user leaves the project, the vm should still work.18:46
ayoungIf a virtual machine, or any other element of openstack needs to operate in the absence of a direct user's interaction, it needs an identity18:46
kfox1111if the user creates an instance user manually, then uploads it to the vm via cloud init, the account needs to be eliminated when the user leaves.18:46
kfox1111becauase they could take that username/password with them.18:47
*** arunkant has joined #openstack-keystone18:47
kfox1111ayoung: ok. we're in full agreement there.18:47
ayoungkfox1111, ok,  that is a general problem with delegation in Keystone today;  either we do a role assignment, or we do trusts.  Trusts have all the features we want, but has the limitation it is bound to a user.  We could do role assignemtns, but they are pretty huge...18:47
*** amakarov is now known as amakarov_away18:47
kfox1111with nova mantaining the user and only handing out tokens, then that issue is resolved.18:47
kfox1111the user can only take a short term token with them, and it will expire before it will be of much use.18:47
stevemar2dolphm, yes, i noticed that after i tested it and wrote in the defect :)18:47
dolphmstevemar2: how did you set OS_PASSWORD exactly?18:47
dolphmstevemar2: i see it now18:48
ayoungkfox1111, don't try to make Nova do Keystone's job18:48
ayoungif we need better delegation in Keystone, build it there, not in Nova18:48
stevemar2dolphm, i made 2 further updates to the bug18:48
kfox1111I'm not... keystone assumes a user proves their identity before giving them a token.18:48
ayoungbecause if Nova has this problem, so will Sahara, Heat, etc...18:48
stevemar2dolphm, i can't get it to fail18:48
kfox1111either the instance needs credentials to prove that identity to get a token from keystone,18:48
*** obedmr has quit IRC18:48
kfox1111or the instance has to ask nova do do it on their behalf.18:48
dolphmstevemar2: how did you set OS_PASSWORD?18:49
kfox1111instance -> nova already has an authenticated channel via the metadata server.18:49
kfox1111keystone does not.18:49
stevemar2dolphm, `export OS_PASSWORD=testA{`18:49
ayoung"either the instance needs credentials to prove that identity to get a token from keystone"  is the right approach18:49
dolphmstevemar2: try doing it like the report says -- use quotes?18:49
stevemar2dolphm, tried that just now, still works18:49
dolphmthen mark as incomplete?18:49
stevemar2export OS_PASSWORD="testA{"18:50
stevemar2dolphm, already did!18:50
dolphmstevemar2: i don't know why anything would be doing string formatting on the password anyway :-/18:50
ayoung"the instance has to ask nova do do it on their behalf."  puts Nova into the midst of workflows where it has no interest nor reason to interfere18:50
kfox1111your speaking for the nova team, and they are actually ok with it.18:50
stevemar2dolphm, just wanted your thoughts on it :P it's low priority18:50
bknudsonjust wanted to mention, since people are around -- DB2 CI discussion today at 8 PM central time.18:50
ayoungkfox1111, so...lets assume that we go with trusts...and then the user that set all this up gets kicked off the project.18:50
*** jdennis has quit IRC18:50
ayoungAt that point, here is what would need to be updated:18:50
kfox1111Won't fly, but ok lets keep going.18:50
stevemar2bknudson, give me a poke on ST/IRC if i'm not replying18:50
bknudsonhttp://lists.openstack.org/pipermail/openstack-dev/2015-June/066901.html18:51
ayounga new user would have to create another trust, mirroring the first18:51
*** stevemar2 is now known as stevemar18:51
*** obedmr has joined #openstack-keystone18:51
ayoungthat user would have to provide the trust ID to the VM18:51
*** obedmr has quit IRC18:51
ayoungand then the VM would use that new trust ID when getting tokens18:51
bknudsonstevemar: ST? is that like slack?18:51
*** e0ne has joined #openstack-keystone18:51
stevemarbknudson, sort of, but crappier18:51
ayoungkfox1111, so..what you want is to automate that process...so long as someone in the project says "this should go on...then this should go on."18:51
kfox1111the trust is broken as soon as the user leaves the project, no?18:52
ayoungkfox1111, "broken" is not the right word, but yes18:52
ayoungthe trust is no longer executable18:52
kfox1111so that breaks the vm's ability to talk to barbican and refresh its keys.18:53
ayoungkfox1111, so, what you want is a form of delegation not tied to a single user.  And to answer that, we need to look at how we do role assignments18:53
kfox1111ok. I don't disagree on that part.18:53
*** obedmr has joined #openstack-keystone18:53
ayoungwe could always grant the Service user a full role on the project.  The only problem with that is that most users do not have that power18:53
bknudsonyou can pass the SAML to the VM, then the VM can use that SAML to get a keystone token.18:53
bknudsonas long as you set up your mapping in keystone properly you'll get a token with the roles you need18:54
ayoungrole assignment is, by definition, a limited power, as right now a user that can assign something  anything anything18:54
kfox1111bknudson: How do you know what to delegate in the first place in the workflow?18:54
ayoungI wopuld argue that role assignments are, as implemented today, broken18:54
kfox1111ayoung: I would totally agree with that. :)18:54
ayoungbknudson, the mechanism is irrelevant18:55
ayoungSAML is not a solution18:55
ayoungSAML needs someone to request the assertion, and assertions are not good forever18:55
*** jdennis has joined #openstack-keystone18:55
kfox1111bknudson: I agree SAML might be able to replace putting a passowrd in a db in the spec I proposed. No pw needed in that case.18:55
bknudsonan IdP can't just generate assertions?18:56
ayoungkfox1111, wrong.  You still need a password to get the SAML assertion.  Let's focus, please.18:56
kfox1111I think the permissions that are delegated to the user stil has to go through keystone though.18:56
kfox1111ok.18:56
bknudsonseems like an IdP needs to be able to generate any assertion it feels like.18:56
*** jdennis has joined #openstack-keystone18:56
ayoungkfox1111, so, until we fix delegation, the trust approach is your best and only secure bet18:56
kfox1111ayoung: I htink your forgetting about project acl's.18:57
ayoungkfox1111, and to fix delegation requires the whole damn thing I am trying to get done with dynamic policy18:57
kfox1111such as https://review.openstack.org/#/c/190404/18:57
kfox1111ayoung: Which, I am totally for as well. :)18:57
ayoungkfox1111, ACLs are per suer, no?18:57
ayounguser18:57
kfox1111yes sort of.18:57
kfox1111the instance user gets the acl put on them.18:57
ayoungkfox1111, then they are even worse18:58
kfox1111so it works out ok.18:58
*** geoffarnold has joined #openstack-keystone18:58
ayoungkfox1111, so if the user gets kicked out of the project, no one can get the secret...18:58
ayoungor...18:58
ayoungyou add to the ACLs the service users18:58
ayoungand it works without a trust18:58
kfox1111so you just tag on the instance user's access on to the secrets you want to allow. easy to do in heat.18:58
kfox1111yeah.18:58
ayoungeither way...there is no reason to put the password in to Nova18:58
*** Rockyg has joined #openstack-keystone18:59
kfox1111ayoung: we differ on that part, but we've decided to put that aside for now.18:59
ayoung" add to the ACLs the service users"  really should read "add the service users to the ACLs"18:59
kfox1111so for the barbican acl case, you don't need a trust.18:59
ayoungnope...you just need to be able to get a token.18:59
kfox1111ok. my english isnot always the best. :)18:59
*** jdennis has quit IRC18:59
ayoungAnd be in the ACL18:59
kfox1111yes.18:59
kfox1111and discover the barbican endpoint. :)18:59
kfox1111which is the unscoped token spec thing. :)19:00
ayoungI don't know if Barbican even requires a scoped token.  If it does, then, you probably do need a trust, or you need to let the Nova user do a role assignment19:00
ayoungwhich is...bad19:00
kfox1111it doesn't require a scoped token.19:00
ayoungGreat...now we have people using unscoped tokens outside of Keystone.19:00
* ayoung mutters in his beard19:00
kfox1111yeah. cause you want the vm to be able to become whichever project/role/trust it wants after getting the unscoped token.19:01
kfox1111ayoung: yeah. :/19:01
kfox1111I'd really like to see a whole nother scoping of tokens long term.19:01
kfox1111kerberos has service tickets.19:01
kfox1111totally different from project scoping.19:01
ayoungkfox1111, that is different.  There you are talking endpoint binding of tokens19:01
ayoungand that is enroute19:01
ayoungbut an unscoped token has no catalog19:01
kfox1111unscoped is similart to the kerberos ticket granting ticket.19:01
ayoungyep19:02
kfox1111there is no equiv of "give me a token that I can use only to talk to barbican and no other openstack services"19:02
kfox1111aka, service ticket.19:02
ayoungkfox1111, but Kerberos does not have local authorization, per application.  Kerberos is for authentication, and keystone is for authorization...there is a difference.19:02
kfox1111if one service is comprimized, the tokens can be sniffed and used on any other service.19:02
ayoungWe just abuse Keystone tokens...and now I am all depressed again19:03
ayoungkfox1111, and I am trying to solve that19:03
ayoungbut first we need to educate people..and that is the pain19:03
kfox1111yeah. I know. I'm all for the work your doing. :)19:03
kfox1111know you know where I'm coming from though. :)19:03
*** jdennis has joined #openstack-keystone19:03
ayoungkfox1111, http://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/19:03
kfox1111I'm trying to make this as secure/safe as possible, and I'm talking to a bunch of people that don't quite understan the use case. :/19:04
kfox1111Each are saying its the other projects responsability to solve. :/19:04
ayoungkfox1111, I am saying it is Keystone's responsibility to solve.  In doing so, I've been accused of a power grab19:04
kfox1111Yup. I've read that blog post a few times. :)19:04
ayoungkfox1111, OK, so  user trusts until you can't19:05
ayoungthere really is no better option19:05
ayoungand, if you want to extend the trust mechanism,  submit a blueprint for that19:05
ayoungI'd be all for it19:05
kfox1111I thought we just decided we didn't need a trust when acl's are in play?19:05
ayoungsomething like : group trusts.19:05
ayoungkfox1111, you decided that...I was just walking through it.19:05
kfox1111ok.19:05
kfox1111think it over for a minute and let me know what you think of it.19:06
ayoungkfox1111, to be hones, for what you wnat with ACLs, you don't need or want tokens, you want something like19:06
ayounguse X509 to talk to Barbican,. barbican maps that to the Keystone user, and performs its own ACL check19:06
ayoungalong the idea of http://adam.younglogic.com/2014/10/who-can-sign-for-what/  but replace the PKI tokens with straight X509...or kerberos19:07
kfox1111feels like I've been around and around this one for a while. :/19:08
kfox1111now you need to implement an x509 fetching mechanism into all openstack projects that will support acl's. :?19:08
kfox1111shouldn't that just be solved with keystone service tokens?19:09
kfox1111btw, I tried suggesting something similar here:19:09
ayoungkfox1111, as I said at first, use Trusts19:09
kfox1111https://review.openstack.org/#/c/159571/19:10
*** lhcheng_ is now known as lhcheng19:10
*** ChanServ sets mode: +v lhcheng19:10
ayoungif you are going to go off into the weeds, I assure you I can always find deeper weeds19:10
ayoungkfox1111, so,  gyee_ is working on X509 tokenless auth for Keystione...that is a future thing.  Don't build on it yet19:10
kfox1111a signed message between nova -> barbican to pass securitygroup/metadata. The barbican folks much prefered the nova instance user concept since it would work for other services besides just barbican.19:11
ayoungFor you use, the trusts provide a way a user can provide a role assignemnt for a workflow.  There is no other limited way to do that19:11
stevemarjamielennox, btw - new OSC release19:11
stevemarmight want to try your v3 only devstack19:11
kfox1111I'm ok with the user using user trusts, or project trusts (if that becomes a thing) or just plain acl's.19:12
kfox1111I think we're in agreement that the instances need keystone users, just in disagreement at this point how they obtain them.19:12
kfox1111either way they get them from the nova metadata server.19:12
kfox1111the main difference is with my proposal, the user is managed by nova, the instance user is not put into heat's db or the nove instance's perminant log, and the user never gains direct access to the ability to fetch fresh tokens for it.19:14
ayoungkfox1111, from a security perspective, I can see how to do user creation without role assignments in a secure way.  Trusts allow for delegation.  I don't yet have a mechnism in Keystone for secure role assignments.  THus, I can't recommend that.  You suggest using unscoped tokens, but those are like TGS, and, as they are also bearer tokejns, with complete access to all that the user can do, very insecure to pass around19:14
kfox1111those seem like a security enhancement to me without requiring much of nova.19:14
ayoungcorrect,  all this work is Keystone work19:14
ayoungkfox1111, why is it any better to put a "user" in Nova than to put it in Keystone?19:15
kfox1111agreed. I'm thinkging, for now, we pass the unscoped token to barbican. its not any less secure then it works today. in the future, once a more secure mechanism is put in place, we can switch to that.19:15
ayoungNo...Use a trust.  PLease please please hear what I am saying19:15
ayoungunscoped is not for you to use19:15
kfox1111because, like I said before, nova and the instance have a trust relationship.19:16
kfox1111when the instance talks to nova, nova knows for sure it is the instance talking to it.19:16
ayoungNo t really.  That is just a lie that we don't want to look too closely at.19:16
kfox1111how do you extend that trust relationship with keystone such that keystone knows the instance that is talking to it so it can hand back a token?19:16
ayoungMeta data is scary19:16
*** samuel-dmq has joined #openstack-keystone19:16
ayoungkfox1111, ok...let me seee if I can  give you what you want...19:17
kfox1111ayoung: cant have it both ways. you said you should put the instance user pw in the metadata.19:17
kfox1111so it has to be safe enough for your workflow too.19:17
ayoungyou are saying that if I create a VM, I should have an implicit trust, as the VM should be able to get a token to work on the users behalf at any time.19:17
kfox1111a little less then that.19:18
kfox1111the instance needs a way to get a token.19:18
ayoungYou can pass the password that way, but I would also have the VM autogenerate a new one and change the apssword right away19:18
kfox1111the launching user needs some handle to associate trusts with it, or acls, or whatever else they want to do.19:18
kfox1111but all they need for that is the instance user's uuid.19:18
*** dguerri` is now known as dguerri19:19
kfox1111ayoung: even more secure woudl be to only pass keystone tokens through. that way they expire automatically. :)19:19
*** nkinder__ has joined #openstack-keystone19:20
kfox1111which was why I was thinking we extend the metadata server to hand them back. the vm can't ever get a token that can't expire then.19:21
kfox1111nor can a user that can login to the vm.19:21
kfox1111that does require nova to know how to fetch a token, but that's a relatively minor thing.19:21
raildohey guys, in case you haven't seen in the ML, I sent an email with the etherpad describing the options of getting a project scoped token after reseller: https://etherpad.openstack.org/p/reseller-project-token In case you have any questions, we have until keystone meeting tomorrow to discuss, improve and maybe add alternatives :)19:22
ayoungkfox1111, leave meta data out of it after the initial launch.  it can't make things more secure, only less so.19:22
kfox1111how do? I just layed out exactly how it could make it more secure. How can it make it less so?19:23
*** samuel-dmq has quit IRC19:23
ayoungkfox1111, I need to move on.  the only secure way to do this today is with trusts.  If those don't meet your needs, then propose a way to make them meet your needs19:23
kfox1111truely curious here. I totally could have missed something.19:23
ayoungkfox1111, there are multiple Nova servers.  You can't treat one as more trusted than the others.19:24
dstanekraildo: can you explain what benefit we lose with #5?19:24
kfox1111no, they are treated equally by this.19:24
ayoungIf Nova can request tokens for all vms they are managing, they become another place where a compromise is catastrophic19:25
ayoungNova is not a password vault19:25
kfox1111true. but putting a keystone secret in the nova db as done today is not any more safe.19:25
ayoungThe nova user should not be ab le to get tokens for another use19:25
ayoungkfox1111, heh, agreed19:25
kfox1111at the end of the day, if you are going to be supporting autoscaling,19:26
kfox1111nova's going to be able to get at the keys.19:26
kfox1111I see no other way. :/19:26
kfox1111I'm trying to come up with the most secure system that will still work under autoscaling.19:26
kfox1111its up to the user to deside if that's good enough, or to support manual scaling and be safer yet.19:26
ayoungkfox1111, it is a delegation problem.  Please think of it in those terms, do not build a nova specific solution, and think instead what additional support you need from Keystone.19:27
ayoungAnd with that..I have to sign off..I have a presentation tomorrow, and can;t postpone working on it any longer19:27
*** ayoung is now known as ayoung-nopthere19:27
kfox1111chicken and the egg, your still avoiding.19:27
*** ayoung-nopthere is now known as ayoung-nowhere19:27
kfox1111how do yo uget the initial secret into the vm so it can get secrets?19:27
*** ayoung-nowhere is now known as ayoung19:27
kfox1111how do you get a keystone secret to keystone so that you can talk to keystone?19:27
kfox1111same problem. :/19:27
*** ayoung has quit IRC19:28
raildodstanek, sure. imo, The other services doesn't know about domain, if we provide a project scoped token to a project with is_domain, will be easier to the other services handle with it. For example, Horizon works with domains without need about domain scoped token.19:28
kfox1111how do you get a keystone secret to a vm so that you can talk to keystone?19:28
* kfox1111 sighs19:28
kfox1111no one wants to answer that one. :/19:28
*** jaosorior has joined #openstack-keystone19:29
dstanekraildo: to use v3 won't things have to know about domains to some extent?19:29
raildodstanek, another benefit is that, if we are going to work with domain as a feature of projects, I think that make sense to provide a project, that is is_domain=True/False.19:30
raildodstanek, yes, there is, but not about domain scoped token.19:30
*** samuel-dmq has joined #openstack-keystone19:30
kfox1111bknudson: I think your right btw.19:31
kfox1111with your suggestion, rather then putting the instance user/pw in the db, it should just be able to issue a assertion on behalf of the instance user, get a token,19:32
kfox1111and hand it back to the instance.19:32
*** ayoung has joined #openstack-keystone19:32
*** ChanServ sets mode: +v ayoung19:32
dstanekraildo: i think since we made the decision that v3 clients should have some knowledge about domains we don't need to back peddle19:32
ayoungkfox1111, OK...one last answer, and then I really am done:19:32
* morganfainberg wakes up for a few minutes19:32
bknudsonkfox1111: hey! right for once!19:32
kfox1111I'm going to put that as an alternate in the spec.19:32
ayoung1.  Nova workflow kicks off the new user create19:32
dstanekraildo: i think domain scoped tokens are Project<is_domain=True> and project scoped tokens are Project<is_domain=False>19:32
morganfainbergkfox1111: yes. issuing an assertion is the right direction imo19:32
ayoung2.  Nova generate  password for the new VM, and passes it via Meta\data to the new VM19:32
ayoungNew VM immediately changes the password19:33
bknudsonI wonder if heat can use the same technique19:33
kfox1111bknudson: I bet it could. :)19:33
morganfainbergkfox1111: don't try and create a keystone user directly, this is not going to be interoperable and imo means a -1 always.19:33
kfox1111morganfainberg: so being a identity provider is a hard requirement?19:33
morganfainbergkfox1111: pretty much we need to have a way to construct an assertion of some sort.19:34
kfox1111I'm ok with that if it is. I'll ammend the spec.19:34
morganfainbergdoesn't need to be a full IdP19:34
morganfainbergjust don't assume you can manage users19:34
morganfainbergwe have technology that lets us map bundles of attributes to ephemeral users in a grou19:34
morganfainberggroup*19:34
kfox1111ayoung: I don't see much advantage in that over just having heat manage the user creation.19:34
raildodstanek, I see your point, but I'm little concern if this will be odd to the users... How we can explain that the user can get a project scoped token to a project, and can't for another?19:35
morganfainbergif we can use this technology - it means you wont need to worry if user creation is supported/allowed19:35
raildodstanek, if I have project that I can handle with it as a domain in Keystone and as a "normal" project in the other service. I think that is most useful that create a domain just because I'm obligated to be  the container of users, and create a project inside this domain to use in other services. Make sense?19:35
morganfainbergthen if heat did the same thing, -- woot, this makes life better because we can move away from needing to be an idp.19:35
dstanekraildo: because the other is a domain, it's not a project19:35
ayoungmorganfainberg, so, in that case, who would be the SAML provider?19:35
kfox1111morganfainberg: Ok. I'll revise the spec and modify.19:35
kfox1111morganfainberg: It would be nice if you commented on the spec so we don't loose this conversation, but I'll ammend the spec anyway if you don't have time.19:36
morganfainbergayoung: this might be a case where we do the same thing we do for k2k - or make an API that the nova service user is allowed to request an ephemeral user assertion with specific params19:36
kfox1111ayoung: Nova I think.19:36
dstanekraildo: in my mind this is really just like a filesystem where directories(domains) hold files(projects)19:36
ayoungmorganfainberg, K2k is based on auser in Keystone...or coming from outside.  We always need some baseis for authentication19:36
ayoungNova as a SAML provider...19:36
morganfainbergayoung: this is a case where we are allowing the nova service user to create a very specific-cased user19:36
ayounginteresting19:36
kfox1111nova has a keystone user already. :)19:37
*** dguerri is now known as dguerri`19:37
kfox1111I do like the idea.19:37
morganfainbergayoung: how that assertion is created is less of a concern to me at the moment - we can dig into that implementation detail once we decide we don't need a user-per-vm in keystone's identity store19:37
ayoungIf Keystone could do a Nova server list.....it could provide the assertion19:37
ayounghmmmm19:37
morganfainbergayoung: yes, you're seeing the general thought i have.19:37
*** dguerri` is now known as dguerri19:38
kfox1111... I am starting to not understand again.19:38
ayoungmorganfainberg, so...do we make this nova sepcific or more general purpose " here is the callback  hooK"  type thing19:38
kfox1111why would keystone need to do a nova server list?19:38
morganfainbergkfox1111: implementation detail19:38
raildodstanek, I see like you but to me is something like: directories(project) hold files(vms, images...) and we do a upgrade on this directory to to hold users(is_domain=True)19:38
morganfainbergayoung: callback hook19:38
kfox1111shouldn't it trust the assertion coming from nova? Nova's the one asserting?19:38
ayoungmorganfainberg, OK,  I'm sold19:38
morganfainbergkfox1111: we're saying nova can request an ephemeral user assertion from keystone19:39
morganfainbergkfox1111: not nova directly issuing an assertion19:39
morganfainbergi dont trust nova to be a source of identity, i trust keystone to be.19:39
morganfainbergi don't want nova to need to understand semantics of revocations etc.19:39
kfox1111so... nova -> keystone "Give me a token for ephemeral user 12345" and it gets one back.19:39
ayoungmorganfainberg, so thie really means we should be able to hang an assertion off any resource in OpenStack....so long as the trusted service user says "uyes, I amamanaging that."19:39
dstanekraildo: that changes to current concept though. imo makes it more complicated19:40
morganfainbergayoung: service and service is allowed to do so19:40
ayoungmorganfainberg, scoping sucks today19:40
morganfainbergkfox1111: basically instead of a user create: we have keystone issue a special-case assertion (not nessicarily saml, but an assertion)19:40
morganfainbergkfox1111: then the VM can use that assertion for <lifespan> to get the special-case token. since we still talk tokens everywhere else (can't be helped yet)19:41
dstanekraildo: i think it is clearer to keep the domain -> project concept and layer in the nesting of domains19:41
morganfainbergbut if we fix the bearer token thing, that assertion can be more directly used.19:41
kfox1111so, something a little more concrete to help my brain....19:41
morganfainbergkfox1111: nova create vm, needs access to <barbican>19:41
morganfainbergfrom vm19:41
kfox1111nova -> keystone "give me a x509 for instance user 12345"19:41
morganfainbergbasically.19:42
kfox1111nova hands the cert to the instance.19:42
kfox1111the instance can present the cert and get new tokens?19:42
morganfainbergor whatever the form is for the "assertion"19:42
kfox1111right.19:42
morganfainbergvery limited scope of what those tokens can do19:42
morganfainberguses the ephemeral user mapping engine19:42
morganfainbergso we don't need to create a heavy-weight user for each vm19:42
ayoungmorganfainberg, there is something not right there19:42
kfox1111I like the idea, but still prefer that the cert stay in nova's db rather then all the way to the vm.19:42
*** Rockyg has quit IRC19:42
morganfainbergkfox1111: the cert can go in the DB.19:43
kfox1111that way it can be revoked and updated and the vm wouldn't know.19:43
morganfainbergkfox1111: doesn't matter how you do that.19:43
kfox1111ok.19:43
*** Rockyg has joined #openstack-keystone19:43
morganfainbergkfox1111: that is nova's domain to manage.19:43
kfox1111ok. cool.19:43
ayoungmorganfainberg, once the token is used somewhere else, there is no tying it back to the origianl users.  The fact that the resource is associated with the user....well, it isn;'t19:43
morganfainbergayoung: i am sure there is more to consider19:43
kfox1111I think I can see how it all comes together.19:43
*** HT_sergio has quit IRC19:43
raildodstanek, I agree that your suggestion may be simpler, but I think that will be more complicated change this in a future, than now.19:43
ayoungit is associate with the project, but...that is OK19:43
ayounghmmm19:43
ayoungmorganfainberg, it still need dynamic policy19:44
morganfainbergayoung: and these tokens would need to be explicit no-rescope.19:44
ayoungheh that goes without saying19:44
kfox1111wait a second...19:44
kfox1111one case I was considering...19:44
raildodstanek, It's complicated, that why we have a lot of options :P19:44
morganfainbergayoung: ok anyway, that is a better direction (imo) if we need services to manage users than "create a real user"19:44
kfox1111heat creates instance. heat gets instance user uiid from instance,19:44
ayoungkfox1111, I'm not agreeing to this yet.  I was seduced for a moment only19:44
kfox1111heat associates whatever acl's it wonats th user uuid,19:45
ayoungmorganfainberg, we treat the services as idenitty sources19:45
kfox1111heat runs shell script on vm to do something.19:45
*** afazekas has joined #openstack-keystone19:45
morganfainbergayoung, kfox1111: I'm also not 100% sold on this. but I'm looking at how we can get out of managing users.19:45
morganfainbergcompletly19:45
kfox1111the nice thing about that work flow, is the user can at any time associate further trusts or projects or whatever with the instance user at any time.19:45
morganfainbergwith x509/tokenless auth and something like this, we can be better about it - it drives towards no "directly managed identity store"19:45
kfox1111so long as the cert handed back allows that, I'm good.19:46
ayoungmorganfainberg  if we let Nova sign tokens, and then the VM could reqeust tokens from Nova...19:46
morganfainbergayoung: i would never let nova directly sign.19:46
morganfainbergayoungat this point19:46
ayoungwhy not19:46
kfox1111morganfainberg: I'm with you. I'd rather handle as little as possible myself. :)19:46
morganfainberganyway i need to go19:46
ayoungiff and only iff we knoew who signed a token....19:46
ayoungdifferent keys...all that...19:46
ayoungkfox1111, none of this is going to happen soon19:47
morganfainbergayoung: so just tossing a view onto the pile of "how to handle this", but i think it's better if we don't do direct user management here19:47
ayoungthis is just the glimmer of an idea19:47
morganfainbergsome of it can happen sooner with some scaffolding19:47
morganfainbergbut it's going to take a chunk of work19:47
kfox1111ayoung: whats soon?19:47
kfox1111We need instance users of some kind for Liberty.19:47
ayoungmorganfainberg, so if we had a CA, then the VM could request a cert.  We could use federation19:47
kfox1111It can be imperfect if it can be grown into the more secure meachanism over time.19:48
ayoungit would be gyee 's tokenless auth19:48
ayoung+ federation19:48
morganfainbergayoung: that at the least could happen 100% outside of keystone19:48
morganfainbergno new APIs needed.19:48
ayoungmorganfainberg, right19:48
morganfainbergso that is a good starting place19:48
kfox1111so nova gains a CA?19:48
ayoungmorganfainberg, but we still need delagation19:48
ayoungkfox1111, Barbican is the CA, I think19:48
morganfainbergkfox1111: nova gains a way to say "hey CA give me a cert"19:48
kfox1111hah. ok, so,19:49
morganfainbergayoung: this could all be rough with config.19:49
morganfainbergkfox1111: nova's service user would do that specifically19:49
kfox1111nova -> barbican get an instance user cert -> novadb -> launches vm19:49
morganfainbergkfox1111: not the VM-specific auth construct19:49
morganfainbergyep19:49
morganfainbergand that cert can be used to talk to keystone for the vm19:49
kfox1111vm boots -> nova metadata server, cert -> keystone get token.19:49
kfox1111vm -> barbican. :)19:49
morganfainbergthat is the immediate solution with the token-less auth19:49
*** afazekas has quit IRC19:49
morganfainbergin keystone slated for liberty19:50
kfox1111plus making nova an identity provider still required?19:50
morganfainbergkfox1111: nope19:50
morganfainbergbarbican's CA is technically the identity provider then19:50
morganfainbergand keystone explicitly trusts it.19:50
kfox1111or does it just "keystone create user +  here's the pubkey"19:50
morganfainbergkfox1111: it uses the x509 cert as auth, and keystone does the federated user mapping19:51
morganfainbergkfox1111: no user-create needed (again)19:51
kfox1111oh. using attributes in the cert?19:51
morganfainbergyep19:51
kfox1111ok... so the nwe need to make sure barbican can allow a user to set those attributes.19:51
* morganfainberg really needs to jump off IRC again.19:51
kfox1111ok. thanks. I really appreciate it. :)19:51
morganfainbergkfox1111: should be normal attributes from the cert nothing magical19:51
morganfainbergbut yes.19:51
morganfainbergit uses the mapping engine in keystone to map the standard attrs over19:52
*** boris-42 has quit IRC19:52
* morganfainberg lets ayoung talk more about this.19:52
morganfainbergif needed19:52
dstanekraildo: is there any documentation that tells users how to think about the projects->domains transition?19:52
kfox1111I'll update the spec and run it by you guys again. :)19:52
raildodstanek, hum.. not now, but it's something that we need to do in liberty19:53
raildodstanek, btw I had updated the keystone documentation with the parent_id information: https://review.openstack.org/#/c/191184/19:54
*** HT_sergio has joined #openstack-keystone19:55
raildodstanek, so, we need to keep doing this in every official documentation (admin guide, installation, glossary...)19:55
dstanekraildo: ok, i was curious because i understand domains/projects, but i don't understand how to tell the user that some domains may act as projects and when they would do that19:57
*** afazekas has joined #openstack-keystone19:57
dstanekraildo: to we have use cases for that? when a domain should be used like a project and when a project should be used as a domain?19:57
ayoungkfox1111, so...separate Identiyt from authorization.  In this case, the X509 idenitifies the VM as them.  It is still up to Keystone to map that to something20:00
ayoungand the mapping API for Federation is even more "must be done by admin" than role assignments20:00
ayoungso..this is just another way of identifing a resources.  It means, yeah, no explicit entry in the user table, but that is it20:01
morganfainbergand the mapping should be generic enough that it's a one-off in this case (once for each service doing this, so not needed per vm, but just before nova can use this mechanism)20:01
ayounghow we would then say "Vmthx1138 is authorize to fetch this secret"  is still not nailed down20:01
raildodstanek, I can see some use cases, like I'm a domain_admin, I want a VM but I don't want to influence the projects in my domain, so I can handle with my domain as a project and create my instance20:02
ayoungmorganfainberg, so it should have something like an association with the project that spun it up, and no more permissions than the user that spun it up...but a different lifespan"20:02
dstanekraildo: what is the benefit of them doing that over creating their own project20:02
morganfainbergayoung: i ... think so?20:02
* morganfainberg ducks out before exceeding the IRC limit for the day.20:03
ayoungmorganfainberg, I think I'm going to cop out and just use your slides.20:03
morganfainbergayoung: steve shared mine?20:03
ayoungmorganfainberg, yep20:03
morganfainbergcool. if you make changes / clean them up some please pass those back20:03
morganfainbergi want to conver it to reveal.js and publish it as a publication20:04
*** afazekas has quit IRC20:04
morganfainbergit needs a little more cleanup (Some slides are too verbose)20:04
morganfainbergconvert*20:04
ayoungmorganfainberg, I want to convert it to Latex, but that isnot happening tonight20:04
morganfainbergdon't do latex :P20:04
morganfainberguse reveal20:04
morganfainberghtml slides20:04
*** Rockyg has quit IRC20:04
morganfainbergRST driven20:04
raildoone of benefits that I see is that I don't need to create a project, and a new role assignment for this user in this project, set quotas for this new project.20:04
morganfainbergiirc20:04
ayoungmorganfainberg, latex can generate all that and more. it is what I used for the summit.  PDF too20:05
raildodstanek, ^20:05
kfox1111ayoung: vm x is authorized to get this secret's up to barbican's acl api I think.20:05
kfox1111I think it should work. :)20:05
*** Rockyg has joined #openstack-keystone20:05
ayoungkfox1111, so...let's say we do this X509 thing, which we can totally do.  Then  Barbican needs a mapping file, which, while it should get from Keystone, could be hand waved away....20:05
morganfainbergayoung: well the official publications i want to do should all be strict html20:05
morganfainbergand that is what i want to publish, anyway i'll be doing reveal20:06
ayoungmorganfainberg, Ah...very good20:06
morganfainbergbut like i said, more important - just let me know what/if you change things so we can roll it up20:06
ayoungmorganfainberg, no problem with that, but have not yet learned reveal.20:06
ayoungmorganfainberg, the only things I 've seen have been RH specific issues, like not supporting mod_shib20:06
morganfainbergit's basically all RST and some jscript stuff20:06
morganfainbergit's nice.20:06
ayoungand I wanted to dig deeper into the KErberos and HTTPD stuff20:07
morganfainbergall the slides from mordred and devananda are reveal20:07
morganfainbergthey're cool stuff and look good.20:07
raildodstanek, I think that can exists more use cases for, but I need to think more about that.20:07
ayoungI'd bump SSSD into the Federation section, as we can use that today20:07
morganfainbergayoung: email / share a changed slide deck :)20:07
samuel-dmqmorganfainberg: could I have access to those slide presentations ?20:08
ayoungmorganfainberg, I'm not sure I will change it.   I might just mention those things inthe preso...still reading through and considering, but I will def contribute back20:08
morganfainbergsamuel-dmq: i think i gave you a link. i justhaven't converted to the new format20:08
morganfainbergi'm avoiding sharing the google deck to far until we have a better format20:08
* morganfainberg isn't a fan of the google slide format20:08
morganfainbergit's too PPT-ish20:08
samuel-dmqmorganfainberg: that's the one about keystone in general, ec20:09
morganfainbergyes20:09
*** radez is now known as radez_g0n320:09
ayoungagreed20:09
samuel-dmqmorganfainberg: nice thanks20:09
ayoungmorganfainberg, also, this is an internal presentation. I don't know what will happen with the slides.  If we don't want them in wide distribution, I might have to make my own preso.  I stared that alreadym but in Latex, and I cover a lot of the same material....anyway, I'll let you know.20:10
morganfainbergyeah np20:11
morganfainbergjust want the contribution of changes that should go back into the main deck20:11
morganfainbergnot any $internal_things20:11
dstanekraildo: this brings it back toward my original thought of hierarchal domains20:11
kfox1111ayoung: Wouldn't it just pull the username from the cert attribute where the username is basically just the instance uuid passed from nova?20:12
kfox1111the mapping in keystone would basically just that?20:12
ayoungkfox1111, essentially.  The tricky part is mapping the attributes from the cert to the groups and role assignemtns necessary20:12
kfox1111I think thats where trusts come in. If the user wants that, then they associate the instance user with their own stuff via a trust?20:13
kfox1111or they acl the resources individually in the services that support that.20:13
ayoungkfox1111, too many directions at once....AH!20:14
kfox1111though  Ireally think it would be awesome if Keystone supported a restricted resource token.20:14
gyee_ayoung, nkinder__, having trouble with SSSD here, I am trying to setup SSSD on Ubuntu20:14
kfox1111(yeah. I'm in 2 other meetings. :/ )20:14
ayoungkfox1111, OK,  so I think that trusts are one thing...that is today....the X509 thing is different, that is tomorrow20:14
ayounggyee_, nkinder__ is moving houses20:14
ayounggyee_, I'll see if I can field it, though20:14
gyee_ayoung, nkinder__, its keep telling me I have an older version of sssd.conf20:14
kfox1111so a user could create a trust that says "only allow access to this one resource uuid on this service"20:14
gyee_and asking me to run the configuration upgrade script20:15
kfox1111ayoung: yeah. agreed.20:15
gyee_so where's this magic configuration upgrade script20:15
ayounggyee_, let me see what I have on my machine20:15
*** ccrouch has joined #openstack-keystone20:16
kfox1111the token returned by that restricted trust would contain the restriction and the openstack services would allow access only if the resource was mentioned in the token.20:16
gyee_ayoung, in my [sssd] section, I set config-file-version to 2, 3, 4, 5, and none of them seem to work20:16
raildodstanek, and what was that thought?20:16
*** zzzeek has quit IRC20:16
gyee_so I have no clue what exact version it is looking for20:16
ayounggyee_, I know this from nothing...but I can find out...hold on20:16
*** belmoreira has joined #openstack-keystone20:16
ayounggyee_, and I am not certain I have it set up correctly on this machine.20:17
*** Rockyg has quit IRC20:17
*** pnavarro has joined #openstack-keystone20:18
ayounggyee_, what is the exact error message you are getting?20:18
ayounggyee_, it might be authconfig20:19
*** samuel-dmq has quit IRC20:19
dstanekraildo: when we were discussing this (at Paris?) I mentioned hierarchical domains instead of projects because that's what all of the use cases were indicating20:19
gyee_ayoung, is there a cache I need to cleanup20:19
gyee_changing config-file-version seem to have no effect20:19
ayounggyee_, there might be.  But Give me the steps you are going through and I might be able to answer better20:20
*** henrynash has joined #openstack-keystone20:21
*** ChanServ sets mode: +v henrynash20:21
gyee_ayoung, I basically installed the sssd packages on my ubuntu 14.04 vm, manually created sssd.conf in /etc/sssd/, and restart20:21
ayounggyee_, and by restart, you mean running by hand as root?  init.d script, what?20:22
gyee_sssd.conf is owned by root and have 0600 file perm as instructed20:22
gyee_ayoung, service sssd restart20:22
ayounggyee_,  best bet is /join #sssd20:22
ayoungI'll answer there, and there will be someone smarter than me who will join in and say where I am wrong20:23
*** jaypipes has joined #openstack-keystone20:23
jaypipesmorgan: hey, what's your email now? I only have the metacloud one.../20:23
*** zzzeek has joined #openstack-keystone20:24
morganfainbergjaypipes: morgan.fainberg@gmail.com20:24
jaypipesdanke20:24
morganfainbergjaypipes: (i know.. hard huh?)20:24
morganfainbergnp20:24
jaypipes:)20:24
* morganfainberg suddenly looks for email from jaypipes20:24
*** afazekas has joined #openstack-keystone20:26
raildodstanek, We are trying to do both with reseller, so we can handle with the hierarchical domains as is-domain=True, and with the hierarchical projects use cases as is_domain=False, in a single hierarchy...20:26
jaypipesmorganfainberg: look for the "Microversion API HTTP header" subject one.20:26
morganfainbergyeah20:26
morganfainbergwas actually responding to that one now20:26
dstanekraildo: can a Project<is_domain=False> own another project?20:27
raildodstanek, yes. another Project<is_domain=False>20:29
dstanekraildo: what was the use case for that?20:29
dstanekraildo: i'm just trying to get a handle on this (not say what's wrong or right) - i find it very confusing20:30
*** afazekas has quit IRC20:31
raildodstanek, no problem :) and I'm trying to do my best to explain this, sorry if I'm not clear enough20:31
ccrouchI'm looking for SAML IdPs: e.g. simplesamlphp or shibboleth, that could be infront of an LDAP server and that keystone could then use for SSO. Any suggestions besides the two I mentioned?20:32
raildodstanek, so, the use cases for this, is the same for hmt, departmental division in a company and provide hierarchical quotas20:32
raildodstanek, moreover, improve the assignment management with inherited role assignments.20:33
dstanekraildo: is that use case satisfied with a hierarchy of domains and no project->project ownership?20:34
dstanekraildo: when i say domains i mean is_domain=True and when i say project i mean is_domain=False20:35
kfox1111fixing up the spec... here's a question....20:35
raildodstanek, hum... i don't think so... first of all, we don't have domain quotas, so I can't control this only with domains hierarchy20:35
kfox1111nova -> barbican , gets a cert.20:35
kfox1111nova hands back X piece of metadata to the user. User associates the barbican acl with user X20:36
raildodstanek, besides that, I saw hierarchical projects useful to distribute resources in the hierarchy and I can't create a instance or image in a domain20:36
kfox1111Do you still have to do a keystone create call to make sure a uuid gets assigned to it?20:36
dstanekraildo: domains would be irrelevant; if you have a 100 project quota minimum you could create more than 100 in the hierarchy20:36
morganfainbergjaypipes: responded, sorry for the little hectic formatting, mobile plus... i'm trying to duck out of IRC for the day20:37
raildodstanek, that's why that we are working to provide hierarchical quotas: https://blueprints.launchpad.net/nova/+spec/nested-quota-driver-api20:38
morganfainbergjaypipes: included spec and etherpad link.20:38
kfox1111If a create is needed, I assume a delete is needed as well?20:38
*** afazekas has joined #openstack-keystone20:38
raildodstanek, https://review.openstack.org/#/c/160605/3/specs/liberty/approved/nested-quota-driver-api.rst20:38
*** zzzeek has quit IRC20:38
jaypipesmorganfainberg: no worries, thanks man!20:39
kfox1111morganfainberg: might have a hole in the process. :/20:39
morganfainbergccrouch: redhat has ipsilon, not sure about it's state.20:39
ccrouchah ha, thanks20:41
ccrouchhttps://fedorahosted.org/ipsilon/20:41
raildodstanek, the important thing in this links is that we will be able to control the quota for subprojects as a subquota for the parent project20:41
morganfainbergkfox1111: so keystone will use an apache module to validate the cert, meaning that nova will just need to do the barbican delete which needs to do CRL stuff20:41
ccrouchLatest release: Version ​1.0.0 Released on 2015-05-1220:41
ccrouchfresh out of the oven :-)20:41
morganfainbergkfox1111: as long as the apache module handles CRLs properly that delete should be sufficient20:42
kfox1111no, how does the real user associate a barbican acl or a keystone trust with it,20:42
kfox1111without having the whole cert?20:42
morganfainbergkfox1111: the active tokens will remain active in keystone unless you do an explicit revoke. but I'm inclined to say that's fine20:42
kfox1111those api's expect keystone uuids.20:42
morganfainbergkfox1111: you get a token from keystone with the cert, the token has all the normal things (Except the user's id is not uuid, it's a sha256)20:43
kfox1111I'd rather not duplicate all of keystone's trust api into nova/barbican. :/20:43
morganfainbergwhen you use the cert to auth with keystone, you get a normal token20:43
kfox1111so then you can use that sha256 in the trust api?20:44
morganfainbergwell a federated token20:44
dstanekraildo: i'm just worried the model is wrong20:44
morganfainbergso you can do waht you normal would do with that token20:44
*** afazekas has quit IRC20:44
morganfainbergjust as if you had authed with a username/password20:44
morganfainbergincluding trust things.20:44
morganfainbergi really don't know what you're trying to solve now20:44
kfox1111Its an issue of who has the cert.20:45
morganfainbergok, so nova creates the cert.20:45
kfox1111regular user contacts nova, "create me an instance + user.20:45
morganfainbergstores the value it needs for the VM20:45
kfox1111nova does that. It now has a cert for instance "12345"20:45
morganfainberginject the data into the metadata service or whatever20:45
morganfainbergso the VM can get it [in nova's db]20:45
kfox1111it now talks to keystone and gets a token.20:46
morganfainbergchange as needed20:46
morganfainbergvm uses cert to talk to keystone, gets token20:46
kfox1111it then returns the sha256 uuid to the creator of the instance20:46
morganfainbergtoken is the same as a normal username/password token20:46
morganfainbergjust has some extra attrs in it to show it's federated20:46
morganfainbergdo normal actions with token20:46
morganfainbergwhen VM is deleted - nova tells barbican delete cert20:46
kfox1111the launching user then contacts the keystone trust api, using that sha256 and associates some of his/her roles with that sha256 user uuid?20:47
morganfainbergCRL is updated20:47
morganfainbergok so lets back up20:47
kfox1111k.20:47
morganfainbergwhat is the VM going to do20:47
morganfainbergwhat does the VM need to be able to do?20:47
kfox1111ok. lets do a concrete workflow.20:47
morganfainbergwhat is the very specific case you're trying to solve (not generic: get a token for keystone)20:47
morganfainbergyes20:47
kfox1111user wants to launch a heat temlpate for a scalable web server.20:47
kfox1111main template contains: autoscaling group. keeps between 1 and 7 servers running. Using templateb.yaml20:48
kfox1111template b: contains:20:48
kfox11111 nova instance.20:48
kfox11111 barbican acl, associates nova_insance.instance_user_uuid to barbican container "secrets_to_make_instance_work"20:49
kfox11111 shell script dependent on barbican acl finishing, that fetches token from nova metadata server,20:50
kfox1111and contacts barbican to get the keys. then starts up the webserver.20:50
kfox1111the system can then automatically create and delete servers to handle load without user interaction.20:51
kfox1111make sense?20:51
raildodstanek, I have to go in a few minutes, if you want to talk more about this, I'll come back 2-3 hours, or we can talk tomorrow.20:51
dstanektomorrow is fine20:52
dstanekraildo: ^20:52
raildodstanek, ok, thank you for your time :)20:52
kfox1111actually, there are two more parts I forgot. One load balancer in the main template, one load ballancer attachment in templateB.20:53
kfox1111the problem is, in the nova code, I have to return some piece of metadata, that allows the barbican container acl api to be called to add the permission.20:54
*** MaxV has joined #openstack-keystone20:54
morganfainbergkfox1111: ok so. reading backscroll n20:55
morganfainbergkfox1111: just needed another coffee20:55
*** raildo has quit IRC20:55
morganfainbergkfox1111: so yeah, nova will need to ask keystone what the ID of the user that cert will generate is20:56
morganfainbergkfox1111: but that should be relatively easy (or the end user does)20:56
morganfainbergkfox1111: and then you need to do the normal trust association work20:56
kfox1111ok. is there an api for that today, or will that be part of the work to be done?20:56
*** dims_ has joined #openstack-keystone20:56
morganfainbergkfox1111: keystone will need to expose an API for that20:56
kfox1111ok. should it have a corisponding delete call for when its no longer needed then, since its a little stateful?20:57
kfox1111Nova knows when the instance is deleted, so I can call a keystone api at that point.20:57
morganfainbergkfox1111: no shouldn't be needed. but i think we need to get some more logic in keystoen20:57
kfox1111ok. then I'll drop the delete part out of the spec.20:58
morganfainbergbecause the state in keystone is maintained as a map20:58
morganfainbergbasically we hold minimal state that canbe flushed [but will be recreated on demand]20:58
morganfainbergsame ids etc20:58
morganfainbergit's programatic20:58
kfox1111and modify the create wording to just say fetch uuid from keystone?20:58
morganfainbergfetch user-id20:58
morganfainbergdon't use UUID20:58
kfox1111ok.20:58
morganfainberguuid assumes a specific format and length20:58
kfox1111ah. ok.20:58
morganfainbergwe so SHA256(Domain_id + user_element_from_federated_source)20:59
morganfainbergin this case federated source is cert DN20:59
morganfainbergand attributes20:59
morganfainbergs/so/do20:59
kfox1111ah. gotcha.20:59
*** samuel-dmq has joined #openstack-keystone20:59
morganfainberguuid assume (uhhh i think) 16bytes of data binary, or 32 hex21:00
morganfainbergetc21:00
kfox1111yeah. sounds about right.21:00
morganfainbergand conforms to uuid.UUID()21:00
morganfainbergwhich sha256 absolutely does not21:00
*** dims has quit IRC21:00
kfox1111though I think in most of openstack, the db fields are just strings.21:00
kfox1111but yeah. being explicit helps.21:00
morganfainbergyes, but len(sha256) > uuid21:00
kfox1111right.21:00
*** dims_ has quit IRC21:00
morganfainbergso that way no one assumes a user_id is 32bytes hex21:00
morganfainbergso we need 2 things for keystone: "what would X assertion's user_id be" [specifically for x509, but probably wider scope], and 2) tokenless auth21:02
morganfainbergthe rest is nova/normal workflow you'd need to do via trusts/etc21:03
morganfainbergand barbican needs to issue certs / manage CA, and when a delete, CRL needs to be updated so the apache module can do it21:03
*** stevemar2 has joined #openstack-keystone21:03
*** ChanServ sets mode: +v stevemar221:03
kfox1111yeah. sounds good. :)21:03
*** stevemar has quit IRC21:04
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config  https://review.openstack.org/19197621:04
morganfainbergs/do it/reference CRL21:04
*** MaxV has quit IRC21:05
*** bknudson has quit IRC21:09
*** gabriel-bezerra has quit IRC21:10
*** iurygregory has quit IRC21:11
*** ericksonsantos has quit IRC21:11
*** htruta has quit IRC21:11
*** samueldmq has quit IRC21:11
*** tellesnobrega has quit IRC21:11
*** afaranha has quit IRC21:11
*** pnavarro has quit IRC21:15
*** henrynash has quit IRC21:18
ayoungmorganfainberg, I think we can export the mapping to solve "what would X assertion's user_id be"21:23
morganfainbergayoung: this will need to be an API call. but yes21:23
morganfainbergayoung: i don't think i want nova to try and determine this on it's own21:23
morganfainbergeasier to just ask keystone (and has the added bonus of building the map in the user/group/domain table thing)21:24
ayoungmorganfainberg, we could do it either way.  An API call for each call to a remote service would be expensive...why not let the remote service calculate it?21:24
morganfainbergayoung because if you're assigning to it you already need to create it. *shrug* it's going to be expensive either way21:24
*** samuel-dmq has quit IRC21:25
ayoungmorganfainberg, I'd like to get Keystone out of the hot path.  My thought was that everything Keystone does could be done by a remote service  with cached data from Keystone21:25
morganfainbergayoung: will discuss this later on.21:25
* morganfainberg is way over budget for IRC today21:26
morganfainbergway way way21:26
*** dsirrine has quit IRC21:26
stevemar2morganfainberg, go rest  :)21:27
*** zzzeek has joined #openstack-keystone21:32
*** dims has joined #openstack-keystone21:35
*** e0ne has quit IRC21:36
*** afaranha has joined #openstack-keystone21:39
*** tellesnobrega has joined #openstack-keystone21:39
*** htruta has joined #openstack-keystone21:39
*** samueldmq has joined #openstack-keystone21:39
*** iurygregory has joined #openstack-keystone21:39
*** ericksonsantos has joined #openstack-keystone21:39
*** gabriel-bezerra has joined #openstack-keystone21:40
*** belmoreira has quit IRC21:42
*** bknudson has joined #openstack-keystone21:43
*** ChanServ sets mode: +v bknudson21:43
*** stevemar2 is now known as stevemar21:43
stevemarayoung, did you get my links?21:43
stevemari never received an ACK from you21:43
*** henrynash has joined #openstack-keystone21:49
*** ChanServ sets mode: +v henrynash21:49
*** henrynash has quit IRC21:56
*** edmondsw has quit IRC21:56
*** chlong has quit IRC21:57
*** boris-42 has joined #openstack-keystone22:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040522:02
*** RichardR_ has joined #openstack-keystone22:03
*** RichardRaseley has quit IRC22:07
*** RichardR_ has quit IRC22:08
*** fangzhou has joined #openstack-keystone22:12
*** csoukup has quit IRC22:14
*** csoukup has joined #openstack-keystone22:19
*** stevemar has quit IRC22:21
*** charlesw has joined #openstack-keystone22:21
charleswHi folks, I have a two-region swift cluster. I wonder how to set up region_name in keystone middleware config in my proxy-server.conf. I looked around to see if auth_region_name is supported but all I could find is https://bugs.launchpad.net/keystonemiddleware/+bug/1405717. Does anybody know if auth_region_name is supported?22:22
openstackLaunchpad bug 1405717 in keystonemiddleware "region_name is not in keystone client auth_token config" [Wishlist,Confirmed]22:22
bknudsoncharlesw: there's no auth_region_name option in auth_token middleware -- http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n23822:25
bknudsonlooks like the bug still needs someone to do the work22:26
charleswThen which region's Keystone server will validate the token?22:29
bknudsonI assume it's the one you put in auth_uri22:30
*** david-lyle has quit IRC22:31
charleswthx bknudson. I'll report back if I can confirm it.22:32
*** dims has quit IRC22:34
*** thedodd has quit IRC22:38
*** kfox1111 has quit IRC22:40
*** kfox1111 has joined #openstack-keystone22:41
*** HT_sergio has quit IRC22:41
openstackgerritDoug Fish proposed openstack/python-keystoneclient: WIP: Allow listing of sp projects  https://review.openstack.org/19199522:42
*** charlesw has quit IRC22:44
*** hogepodge has quit IRC22:52
*** zzzeek has quit IRC22:56
*** dims has joined #openstack-keystone23:03
*** dims has quit IRC23:03
*** dims has joined #openstack-keystone23:04
*** jaosorior has quit IRC23:05
*** zzzeek has joined #openstack-keystone23:08
*** david-lyle has joined #openstack-keystone23:11
*** obedmr has quit IRC23:18
*** hogepodge has joined #openstack-keystone23:19
*** EmilienM|afk is now known as EmilienM23:24
*** zzzeek has quit IRC23:25
*** roxanaghe has quit IRC23:33
*** csoukup has quit IRC23:38
*** chlong has joined #openstack-keystone23:47
*** csoukup has joined #openstack-keystone23:55
*** zzzeek has joined #openstack-keystone23:59
« Sunday, 2015-06-14 Index Tuesday, 2015-06-16 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!