Wednesday, 2015-06-17

« Tuesday, 2015-06-16 Index Thursday, 2015-06-18 »
*** htruta_ has joined #openstack-keystone00:02
kfox1111morganfainberg: I'm hoping to get the nova folks to accept the instance blueprint for the next nova meeting on the 18th. their feature window is getting very close to closing I think. Will you have a few minutes to review and weigh in on the spec before then?00:11
*** _cjones_ has quit IRC00:23
*** _cjones_ has joined #openstack-keystone00:23
*** _cjones_ has quit IRC00:28
*** jasondotstar has quit IRC00:42
*** chlong has joined #openstack-keystone00:42
*** btully has quit IRC00:46
*** btully has joined #openstack-keystone00:48
*** lhcheng has quit IRC00:49
stevemarjamielennox, np ;)00:52
stevemari felt bad since i broke you :(00:52
*** dsirrine has quit IRC00:54
jamielennoxwe might need some unit tests for OSC00:54
jamielennoxbut np - it happens00:54
*** kfox1111 has quit IRC00:56
*** samleon has joined #openstack-keystone00:57
*** samleon has quit IRC00:57
*** tobe has joined #openstack-keystone01:05
*** dsirrine has joined #openstack-keystone01:09
*** _liusheng has joined #openstack-keystone01:10
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove _get_service_endpoints function  https://review.openstack.org/19165901:10
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make normalize_endpoint_type public  https://review.openstack.org/19167201:10
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make _is_endpoint_type_match function public  https://review.openstack.org/19167001:10
*** bknudson has joined #openstack-keystone01:11
*** ChanServ sets mode: +v bknudson01:11
*** ayoung has joined #openstack-keystone01:11
*** ChanServ sets mode: +v ayoung01:11
*** _liusheng has quit IRC01:11
*** liusheng_ has joined #openstack-keystone01:12
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add get_communication_params interface to plugins  https://review.openstack.org/19164601:14
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove unused fixtures  https://review.openstack.org/19163501:16
openstackgerritJamie Lennox proposed openstack/keystoneauth: Prompt for password on CLI if not provided  https://review.openstack.org/19163901:19
*** bradjones has quit IRC01:21
*** tqtran is now known as tqtran_afk_gowar01:27
*** bradjones has joined #openstack-keystone01:29
*** bradjones has quit IRC01:29
*** bradjones has joined #openstack-keystone01:29
*** Guest68549 is now known as dan01:30
*** tqtran_afk_gowar has quit IRC01:32
*** mtecer has quit IRC01:34
*** fangzhou has quit IRC01:34
*** spandhe has quit IRC01:35
*** kiran-r has joined #openstack-keystone01:37
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint  https://review.openstack.org/17766101:44
*** gyee is now known as operator9901:49
openstackgerritHenrique Truta proposed openstack/keystone-specs: New way to get a project scoped token by name after Reseller  https://review.openstack.org/19249501:55
*** iamjarvo has joined #openstack-keystone01:57
*** dims has quit IRC02:04
*** htruta_ has quit IRC02:05
*** dims has joined #openstack-keystone02:08
*** jasondotstar has joined #openstack-keystone02:09
*** jasondotstar has quit IRC02:09
*** jasondotstar has joined #openstack-keystone02:10
*** woodster_ has quit IRC02:11
*** kiran-r has quit IRC02:11
*** davechen is now known as davechen_afk02:13
*** dims has quit IRC02:19
*** jasondotstar has quit IRC02:24
*** davechen has joined #openstack-keystone02:25
*** csoukup has joined #openstack-keystone02:31
openstackgerritMerged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/19231002:36
*** lhcheng has joined #openstack-keystone02:42
*** ChanServ sets mode: +v lhcheng02:42
*** spandhe has joined #openstack-keystone02:43
*** spandhe_ has joined #openstack-keystone02:44
*** lhcheng has quit IRC02:45
*** liusheng_ has quit IRC02:48
*** spandhe has quit IRC02:48
*** spandhe_ is now known as spandhe02:48
*** liusheng has joined #openstack-keystone02:48
*** lhcheng has joined #openstack-keystone02:52
*** ChanServ sets mode: +v lhcheng02:52
openstackgerritHenrique Truta proposed openstack/keystone-specs: New way to get a project scoped token by name after Reseller  https://review.openstack.org/19249503:00
*** kiran-r has joined #openstack-keystone03:05
*** marzif has joined #openstack-keystone03:09
*** liusheng has quit IRC03:09
*** liusheng has joined #openstack-keystone03:10
*** lhcheng has quit IRC03:21
*** raildo has quit IRC03:21
*** samueldmq has quit IRC03:21
*** htruta has quit IRC03:22
*** pauloewerton has quit IRC03:22
*** afaranha has quit IRC03:22
*** ericksonsantos has quit IRC03:22
*** iurygregory has quit IRC03:22
*** tellesnobrega has quit IRC03:22
*** iamjarvo has quit IRC03:26
*** c_soukup has joined #openstack-keystone03:27
*** iamjarvo has joined #openstack-keystone03:29
*** csoukup has quit IRC03:30
*** markvoelker has quit IRC03:31
*** stevemar has quit IRC03:47
*** stevemar has joined #openstack-keystone03:48
*** ChanServ sets mode: +v stevemar03:48
*** RichardRaseley has quit IRC03:50
*** richm has quit IRC03:52
*** c_soukup has quit IRC03:59
*** iamjarvo has quit IRC04:00
*** kiran-r has quit IRC04:06
*** rushiagr_away is now known as rushiagr04:10
*** marzif has quit IRC04:13
*** spandhe has quit IRC04:27
*** josecastroleon has quit IRC04:31
*** neelabh has joined #openstack-keystone04:32
*** markvoelker has joined #openstack-keystone04:32
*** josecastroleon has joined #openstack-keystone04:32
*** markvoelker has quit IRC04:37
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching  https://review.openstack.org/19067304:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967604:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081804:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094004:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081704:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094104:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081604:56
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching  https://review.openstack.org/19067304:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967604:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081804:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094004:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081704:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094104:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081604:59
stevemarjamielennox is going crazy with patches again05:00
jamielennoxstevemar: same patches, rebase error at the bottom of the chain05:01
*** fifieldt has joined #openstack-keystone05:10
*** stevemar has quit IRC05:14
*** Kennan has quit IRC05:14
*** browne has quit IRC05:16
*** Kennan has joined #openstack-keystone05:20
*** tobe has quit IRC05:39
*** belmoreira has joined #openstack-keystone05:44
*** neelabh has left #openstack-keystone05:46
*** lhcheng has joined #openstack-keystone05:53
*** ChanServ sets mode: +v lhcheng05:53
*** mabrams has joined #openstack-keystone05:54
*** markvoelker has joined #openstack-keystone05:55
*** markvoelker has quit IRC06:00
*** kiran-r has joined #openstack-keystone06:02
*** browne has joined #openstack-keystone06:03
*** browne has quit IRC06:14
*** jith_ has joined #openstack-keystone06:15
jith_hi all, i exported service token and endpoint. i couldnt able to delete an end point i got an error like "Unable to delete endpoint."06:16
*** tobe has joined #openstack-keystone06:20
*** afazekas has joined #openstack-keystone06:23
*** browne has joined #openstack-keystone06:32
*** boris-42 has quit IRC06:42
*** browne has quit IRC06:49
*** henrynash has joined #openstack-keystone06:50
*** ChanServ sets mode: +v henrynash06:50
*** dsirrine has quit IRC06:56
*** lhcheng has quit IRC06:58
*** btully has quit IRC07:01
*** btully has joined #openstack-keystone07:03
*** pnavarro has joined #openstack-keystone07:29
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make AccessInfo a dictionary  https://review.openstack.org/19253907:34
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Use AccessInfo from keystoneauth  https://review.openstack.org/19254007:36
*** markvoelker has joined #openstack-keystone07:44
*** markvoelker has quit IRC07:49
*** jaosorior has joined #openstack-keystone07:58
*** SaintAardvark has left #openstack-keystone08:00
*** chlong has quit IRC08:18
*** MaxV has joined #openstack-keystone08:32
*** belmoreira has quit IRC08:33
*** belmoreira has joined #openstack-keystone08:33
MaxVHello all, I am currently writing some documentation and I am wondering which are the different mimetypes for the policies available (basically I only see the json but maybe there is support for yaml)08:34
MaxVhttps://plus.google.com/hangouts/_/gxibiwe6spssxkbpqytq65utaua?hl=fr08:35
MaxVsorry wrong link :x08:35
MaxVhttp://developer.openstack.org/api-ref-identity-v3.html#policies-v308:35
*** tobe has quit IRC08:58
*** Xurong has joined #openstack-keystone08:58
*** tobe has joined #openstack-keystone08:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching  https://review.openstack.org/19067308:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967608:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081808:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094008:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094108:59
*** tobe_ has joined #openstack-keystone09:01
*** tobe_ has quit IRC09:01
*** tobe has quit IRC09:03
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching  https://review.openstack.org/19067309:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094109:04
*** tobe has joined #openstack-keystone09:23
*** dguerri` is now known as dguerri09:31
*** markvoelker has joined #openstack-keystone09:33
*** e0ne has joined #openstack-keystone09:36
*** markvoelker has quit IRC09:37
marekdrodrigods: ping.09:38
marekdrodrigods: let me know when you are online09:38
*** e0ne is now known as e0ne_09:43
*** MaxV has quit IRC09:44
*** fhubik has joined #openstack-keystone09:44
*** fhubik is now known as fhubik_afk09:44
*** e0ne_ is now known as e0ne09:47
*** fhubik_afk is now known as fhubik09:48
*** davechen has left #openstack-keystone09:54
*** MaxV has joined #openstack-keystone10:02
*** dims has joined #openstack-keystone10:17
*** tobe has quit IRC10:17
*** dims has quit IRC10:17
*** dims has joined #openstack-keystone10:18
*** kiran-r has quit IRC10:39
*** jasondotstar has joined #openstack-keystone10:41
*** fhubik has quit IRC10:44
*** e0ne is now known as e0ne_10:49
*** aix has joined #openstack-keystone10:49
*** e0ne_ has quit IRC10:54
*** e0ne has joined #openstack-keystone10:56
*** jasondotstar has quit IRC11:06
*** markvoelker has joined #openstack-keystone11:22
*** rushiagr is now known as rushiagr_away11:24
*** markvoelker has quit IRC11:27
*** e0ne is now known as e0ne_11:29
*** tellesnobrega has joined #openstack-keystone11:33
*** samueldmq has joined #openstack-keystone11:34
*** e0ne_ has quit IRC11:34
*** ericksonsantos has joined #openstack-keystone11:36
*** kiran-r has joined #openstack-keystone11:38
*** tellesnobrega has quit IRC11:40
*** ericksonsantos has quit IRC11:41
*** samueldmq has quit IRC11:41
*** tellesnobrega has joined #openstack-keystone11:43
*** MaxV has quit IRC11:43
*** samueldmq has joined #openstack-keystone11:58
samueldmqjamielennox, you around ? http://logs.openstack.org/84/186684/4/experimental/check-tempest-dsvm-neutron-identity-v3-only-full/ca5f300/logs/devstacklog.txt.gz#_2015-06-17_00_11_13_16511:59
samueldmqmorning guys !11:59
*** Xurong has quit IRC12:01
*** Xurong has joined #openstack-keystone12:01
samueldmqayoung, hey, I just saw your diagram12:03
samueldmqayoung, it looks great12:03
samueldmqayoung, when you say 'upload default policy' there, you're saying the default for that nova endpoint URL as well, right ?12:04
samueldmqayoung, not the unified default one, since we decided to wait a bit more on that for now :)12:04
*** markvoelker has joined #openstack-keystone12:05
*** htruta has joined #openstack-keystone12:06
*** rushiagr_away is now known as rushiagr12:11
*** iurygregory has joined #openstack-keystone12:16
*** e0ne has joined #openstack-keystone12:19
*** raildo has joined #openstack-keystone12:26
jamielennoxsamueldmq: yes, i've seen that. it's because of glance in single tenant mode storing images to swift12:33
jamielennoxi don't have a solution for that one yet12:33
rodrigodsjamielennox, ping... didn't get your comment here: https://review.openstack.org/#/c/188581/23/keystoneauth/auth/identity/v3/k2k.py12:33
samueldmqjamielennox, I don't see how it works differently with v2/v312:33
samueldmqjamielennox, single tenant/project mode should operate the same12:34
jamielennoxrodrigods: looking12:34
jamielennoxsamueldmq: so glance has two modes when talking to swift12:34
jamielennoxone where glance has its own credentials and it stores everything in swift as the glance user12:34
jamielennoxand one where it stores everything in swift as the actual user12:34
jamielennoxthe first one (the default) currently only lets you provide credentials in v2 format12:35
jamielennoxand it's related to the fact that the swift client is crap12:35
jamielennoxoff the top of my head i'm not sure what swiftclient's v3 capabilities are anyway12:36
*** dims has quit IRC12:36
samueldmqjamielennox, in few words, that *should* be fixed making swift client use v3 token format12:36
*** dims has joined #openstack-keystone12:36
jamielennoxrodrigods: oh, for that one i think it adds additional headers like the X-Auth-Token so the dictionary that you are saving at the top level may end up with additional stuff in it you didn't expect12:37
jamielennoxsamueldmq: more or less12:37
marekdrodrigods: i assume you are online but you don't really read old messages?12:37
jamielennoxsamueldmq: i *think* swiftclient can do v3, but there are no options available for the additional v3 parameters12:37
jamielennoxlike to give the corrrect credentials to swiftclient12:37
rodrigodsmarekd, yeah... my proxy only delivers the last 20 messages, let me see the log12:38
marekdrodrigods: no need12:38
samueldmqjamielennox, swift client accepts sessions as well, right ?12:39
jamielennoxsamueldmq: no :(12:39
samueldmqjamielennox, so we pass the ksclient session with v3 to it, ..12:39
jamielennoxit's the only major one left i know of that doesn't12:39
samueldmqjamielennox, oh .. shouldn't we be setting this then ? https://github.com/openstack/python-swiftclient/blob/c15e81af9bba231b7bfc3d7473d47e2e9694cd0e/tests/sample.conf#L812:39
jamielennoxbut it's so different to the others it's really different12:39
* jamielennox is repeating himself12:39
jamielennoxreally difficult12:40
rodrigodsmarekd, sorry, didn't get your ping (now I see it in the log)12:40
marekdrodrigods: no worries.12:40
marekdwhen you were setting up the fed-keystones, you were using auth method  in keystone.conf [auth] secionts saml2 = [...].Mapped or Saml2 class ?12:40
samueldmqjamielennox, so that option on swiftclient config ^should enable v3 .. maybe we need that when honoring our flag, or should osclient set that since it is supposed to be configured to work with v3?12:41
rodrigodsmarekd, for Kilo I believe it was Mapped12:41
marekdgreat12:41
*** bknudson has quit IRC12:41
jamielennoxsamueldmq: so https://github.com/openstack/python-swiftclient/blob/c15e81af9bba231b7bfc3d7473d47e2e9694cd0e/swiftclient/client.py#L319 seems to be the extend of the v3 support12:42
jamielennoxhowever os_options implies to me that these options are coming from the command line12:42
jamielennoxso i've really got no idea how you are supposed to operate swiftclient with v3 from python directly12:43
jamielennoxswiftclient has needed a rewrite for a long time, but they were going to wait for the SDK and drop the client instead12:45
jamielennoxi managed to get session adoption in glance, but i just don't see how it would integrate into swiftclient12:45
*** woodster_ has joined #openstack-keystone12:45
rodrigodsjamielennox, hmm so I pass {'Content-Type': 'application/vnd.paos+xml'} directly?12:46
ayoungsamueldmq, I was talking unified.  I have not given up on that12:46
jamielennoxrodrigods: i would12:46
jamielennoxrodrigods: just pass a new dictionary every time12:46
rodrigodsjamielennox, cool, thx12:46
ayoungI think unified is going to be essential12:46
jamielennoxrodrigods: that's not why i didn't +2 it, i don't have a setup where i can really test it and with keystoneauth happening i just want to make sure it works12:47
samueldmqayoung, not doing unified now doesn't mean to give up on it12:47
samueldmqayoung, why is it essential ? what does it bring that we haven't without unifiying ?12:47
ayoungsamueldmq, we don't get all the projects using a common set of roles12:48
rodrigodsjamielennox, sure... doug-fish is kindly testing everything to help me. It seems to work for him (using a fix in keystoneclient)12:48
samueldmqjamielennox, yes.. so that will be a challenge on swift side ..12:48
samueldmqjamielennox, let me know how I can help (as I find some time between dynamic policy stuff)12:49
*** henrynash has quit IRC12:49
jamielennoxrodrigods: yep - it's not that i don't trust you12:49
jamielennoxsamueldmq: yea, i don't know what to do with it12:49
samueldmqdo we advise people to disable a user before deleting it ?12:50
samueldmqjamielennox, ayoung  ^12:50
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858112:51
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities  https://review.openstack.org/18888112:51
samueldmqI know we need to disable before delete with domain ..12:51
*** mabrams has quit IRC12:51
jamielennoxsamueldmq: i don't think so12:51
samueldmqjamielennox, same from me :)12:52
samueldmqjamielennox, thanks12:52
*** Ctina_ has joined #openstack-keystone12:52
*** e0ne is now known as e0ne_12:55
*** e0ne_ is now known as e0ne12:57
*** edmondsw has joined #openstack-keystone12:57
ayoungwe should probably not delete users13:00
ayoungreplace CRUD with CARE. create, append, read (the summation), expire (without deleting).13:01
ayoungHeh Query Unindex Index Crawl and Kill,13:02
samueldmqayoung, we need to synchorize on the unified policy thing, let me know when ytou have some time13:05
samueldmqayoung, I want to be in full agreement with you before talking to other people (sdague and other folks)13:05
*** richm has joined #openstack-keystone13:07
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858113:08
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities  https://review.openstack.org/18888113:08
*** bknudson has joined #openstack-keystone13:08
*** ChanServ sets mode: +v bknudson13:08
*** jamielennox is now known as jamielennox|away13:13
ayoungsamueldmq, we write it ourselves and post it for review13:13
ayoungsamueldmq, I think I have a copy somewhere public13:14
*** bknudson has quit IRC13:14
ayoungsamueldmq, https://github.com/admiyo/openstack-core-policy13:14
samueldmqayoung, that requires that the unified policy be released once any related project had a new version, right ?13:17
samueldmqayoung, I suppose you're aware of the issue sdague pointed out13:17
ayoungsamueldmq, or more often than that13:17
ayoungsamueldmq, quite13:17
samueldmqayoung, if we have people running in master13:17
ayoungsamueldmq, I just don't think it will be a problem in practice13:17
samueldmqayoung, why ?13:17
ayoungsamueldmq, let's keep the effort going, and push on to see if we can solve the speed bumps13:17
samueldmqayoung, I want to see what's the big advantage on unifying13:18
samueldmqayoung, that we can't solve keeping them in separate13:18
ayoungsamueldmq, otherwise, each project comes up with its own definitions of things, and this is one place we need to align13:18
samueldmqayoung, the common definitions13:18
samueldmqayoung, this is what you want to solve13:18
ayoungsamueldmq, there are implicit meanings there, like "admin needs to be scoped" that a re not currently understood13:19
samueldmqayoung, we could base better policies on different roles for cloud_admin, domain_admin and project_admin13:19
ayoungeven if no one runs with the common policy file, the effort is worth it13:19
ayoungsamueldmq, talk to dolphm , as this idea was his origianlly13:20
ayounghe can explain it better than I can13:20
samueldmqayoung, ok .. but again, I am not against it at all, I just want to see the reasons we need that13:20
*** jamielennox|away is now known as jamielennox13:21
samueldmqayoung, I would put a story in that wiki to have the default policies .. if we start with that (without unified)13:21
samueldmqayoung, we could adopt unified later13:21
samueldmqayoung, nothing is saying if we keep our individual policies direction, we wouldn't be able to adopt unified later13:21
samueldmqdolphm, hi - let me know when you're available to talk a little bit about the unified policies thing13:22
samueldmqwhat I want is to have a 100% clear scope for L, and this must be done first here in keystone13:22
samueldmqthen synchronize with other folks (nova and so on)13:23
samueldmqso we will have specs approved and implement that in L (according to that workflow in the wiki)13:23
samueldmqayoung,  ^13:23
samueldmqayoung, btw, I am updating that to include the stories we were discussing yesterday ...13:24
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858113:25
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities  https://review.openstack.org/18888113:25
*** bknudson has joined #openstack-keystone13:27
*** ChanServ sets mode: +v bknudson13:27
*** Xurong has quit IRC13:27
samueldmqayoung, what if .....13:28
*** Xurong has joined #openstack-keystone13:28
samueldmqayoung, the unifeid policy was something that would only contain the common definitions ?13:28
samueldmqayoung, that would be used by other policies ? in the dynamic policy world13:28
ayoungsamueldmq, and then the projects imported them?  I've thought of that, but it is a far harder solution to implement13:29
ayoungnow we need to change the build process for every project13:29
ayoungit also really doesn't make people talk to each other and get a rational approach for policy13:29
ayoungand the conversation is at least as valuable as the solution13:30
samueldmqayoung, I understand your point, but I'd like to at least understand how sdague's concerns would be solved13:30
*** stevemar has joined #openstack-keystone13:30
*** ChanServ sets mode: +v stevemar13:30
samueldmqayoung, I will be talking to people from other projects as well .. and I won't be able to have an answer for those questions13:31
ayoungsamueldmq, if we were to do this completely in the realm of the current code review process, I would say the unified policy file is a starting pouint.  they keep updating when they have microversions...it will be faster to get code through common policy than to get code into the main projects13:32
ayoungbut also have good defaults13:32
ayoungso, it you add a new microversion api, and the code is not supported yet,  you get admin13:32
ayoungsamueldmq, also, if we split the policy file as I've been suggesting, then it is just a roles check13:32
ayoungand I think that is the real solution13:32
samueldmqayoung, so each time there is a change in a project that affects external API signatures, there is a change in the unified policy13:32
ayoungsamueldmq, that is how SELinux works13:33
samueldmqayoung, I am not sure it's good to add such dependency between projects, and we want that13:33
*** jamielennox is now known as jamielennox|away13:33
ayoungsamueldmq, it is a starting point until some comes up with something better.13:33
samueldmqayoung, so it would be something from oslo-incubator ?13:33
samueldmqayoung, each project would have its copy of the unified policy ? remember we need to be backwards compatible13:34
ayoungsamueldmq, there is no need13:34
ayoungsamueldmq, stop.13:35
openstackgerritMarek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267113:35
ayoungthink it through.  We need role inheritance.  You start with that, and come up with a different solution that does not involve sticking all the roles in the token, let me know13:35
samueldmqayoung, and solve the issue with common definitions13:36
ayoungthat too13:36
samueldmqayoung, k I will mull it a bit more, and come with something later13:36
*** lastops has joined #openstack-keystone13:37
samueldmqayoung, although we could shift this a little bit .. and work with policy definitions we have today13:37
samueldmqayoung, talk to you later today13:37
samueldmqayoung, you want to define role hierarchies in the policy itself ?13:39
ayoungsamueldmq, I want to get dynamic p[olicy implemented.  Defining roles in the policy is the only way I can see to make that happen, willing to hear alternatives13:40
samueldmqayoung, k got it13:40
ayoungsamueldmq, we could ship the roles in separate policy file and merge,  we could do so many different things.  WHich is the least surprise?  Which will be the easiest to work with?  Which can we get to from where we are not?13:41
*** jamielennox|away is now known as jamielennox13:42
samueldmqayoung, what if middleware know about the role hierarchy at fetch time ? and expand them in the policy file before saving it (in /etc/nova/policy.json, for example)13:43
samueldmqayoung, we would be able to use any role in the hierarchy in the policy rules directly, middleware will take care of arranging them when it fetches, before storing in the specified dir13:44
ayoungsamueldmq all possibilities13:45
ayoungsamueldmq, you need dolphm 's input before you can move ahead.  The unified was his idea, and I don;t tthink he wrote down his rationale anywhere13:46
samueldmqayoung, ok, I will talk to him when he shows up :)13:47
samueldmqayoung, I am glad to see you're open13:47
samueldmqayoung, and hope you see I am just trying to do the best we can (for all openstack)13:47
samueldmqayoung, in the circumstances we are right now, timing, etc13:47
openstackgerritMarek Denis proposed openstack/keystone: Update docs: xmlsec1 requred for K2K  https://review.openstack.org/19267413:51
openstackgerritMarek Denis proposed openstack/keystone: Update docs: xmlsec1 required for K2K  https://review.openstack.org/19267413:52
openstackgerritMarek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267113:54
marekdstevemar: you are fast13:54
stevemarmarekd, that i am13:55
stevemarmarekd, mind if i overwrite the patch?13:55
marekdstevemar: go ahead!13:55
stevemarty!13:55
marekdtY!13:55
rodrigodsmarekd, I think some of these fixes closes this bug: https://bugs.launchpad.net/keystone/+bug/145925513:56
openstackLaunchpad bug 1459255 in Keystone "Fix the docs since Federation is no longer an extension" [Medium,Triaged]13:56
stevemarlooks like https://bugs.launchpad.net/keystone/+bug/1466092 is a dupe of 145925513:57
openstackLaunchpad bug 1466092 in Keystone "Docs say OS-FEDERATION is an extension" [Low,In progress] - Assigned to Marek Denis (marek-denis)13:57
ayoungsamueldmq, you are doing great.13:57
marekdstevemar: yep13:57
ayoungsamueldmq, this is why we need the overview.  Maybe it should be in an etherpad13:58
ayoungjust afreai we will lose track of all the details, but maybe that has happened already13:58
*** sigmavirus24_awa is now known as sigmavirus2413:58
stevemarrodrigods, i marked yours as a dupe14:00
*** nkinder has joined #openstack-keystone14:02
*** csoukup has joined #openstack-keystone14:03
stevemarmarekd, just one spot :)14:06
openstackgerritSteve Martinelli proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267114:06
*** fangzhou has joined #openstack-keystone14:08
*** jasondotstar has joined #openstack-keystone14:09
*** eandersson has quit IRC14:13
*** csoukup has quit IRC14:15
*** zzzeek has joined #openstack-keystone14:15
*** iamjarvo has joined #openstack-keystone14:22
*** dsirrine has joined #openstack-keystone14:22
*** eandersson has joined #openstack-keystone14:23
marekdstevemar: bknudson: discussion on whether federation should be inlined in the pipeline by default. what are your opinions on that? https://review.openstack.org/#/c/192671/3/doc/source/federation/federation.rst14:26
stevemarmarekd, it's already in the pipeline by default14:28
stevemaroh wait...14:28
bknudsonsizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v314:28
marekdit is....14:28
marekdi was Ctrl-F'in in the browser, but it was hidden...14:28
marekdmy bad14:29
marekdsorry14:29
bknudsonthere's all sorts of extensions in the pipeline14:29
*** ninag has joined #openstack-keystone14:30
marekdok, i am fixing that14:30
marekdwe don't have 'external' method anymore, do we?14:33
bknudsonexternal is used to support REMOTE_USER14:34
bknudsonwhere apache has already authenticated14:34
bknudsonfederation-lite14:34
marekdbknudson: a,ok, some other external like code was being droppeed not so long ago14:34
bknudsonsome of the external methods were deprecated14:34
bknudsonbut there are still a couple left14:35
*** obedmr has joined #openstack-keystone14:40
*** obedmr has joined #openstack-keystone14:40
*** kiran-r has quit IRC14:41
openstackgerritMarek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267114:41
openstackgerritHenrique Truta proposed openstack/keystone-specs: New way to get a project scoped token by name after Reseller  https://review.openstack.org/19249514:43
openstackgerritMarek Denis proposed openstack/keystone: Update federation driver name in documentation  https://review.openstack.org/19270614:43
*** belmoreira has quit IRC14:45
*** dsirrine_ has joined #openstack-keystone14:48
*** dsirrine has quit IRC14:48
*** henrynash has joined #openstack-keystone14:50
*** ChanServ sets mode: +v henrynash14:50
henrynashrodrigods: so what was the results of the discussion of the type of token generated if you scope to a project that is acting as a domain?14:53
rodrigodshenrynash, we had a tie14:53
henrynashrodigiods: you mean on the call yesterday?14:53
rodrigodsthe specs provides both alternatives (the another one in the Alternative section)14:53
rodrigodsyes14:54
henrynashrodigods: ahh, but that just says how you specifiy the request….not whether there is a domain and project ID in the resuling token14:54
*** dsirrine_ is now known as dsirrine14:55
rodrigodshenrynash, ahh... true. We won't have dual scoped tokens14:55
rodrigodswe discussed this in the Summit14:56
henrynashrodigods: ah, and what was the rationale….I thought that was a major issue for Horizon etc.14:56
rodrigodshenrynash, exactly, but we thought that would be a bad UX14:57
*** jasondotstar has quit IRC14:58
henrynashrodigods: so for now, they have to explicitly get a domain scoped token if they want to do domin operations?14:58
rodrigodshenrynash, yes14:58
henrynashrodigods: ok….:-(14:59
samueldmqayoung, glad to hear15:00
samueldmqayoung, I am taking care of updating the wiki, but we will certainly need an etherpad soon15:00
samueldmqayoung, thanks :)15:00
* rodrigods is sad too :(15:00
*** browne has joined #openstack-keystone15:01
ayoungrodrigods, I'd like to point out that I was called away for that vote and did not participate15:01
ayoungrodrigods, the only thing that can accept a domain scoped token today is Keystone15:02
ayoungso...why even bother15:02
*** david8hu has quit IRC15:02
ayoungkeystone operations should not even require a token15:02
bknudsoneveryone thinks that domain scoped tokens are going to allow doing ops on lots of projects15:02
bknudsonlike checking the status of every project in nova15:02
ayoungso...let's kill them now15:02
bknudsonI don't know where they get this idea15:03
samueldmqbknudson, that could be true, it depends on policy15:03
bknudsonother than wishful thinking15:03
*** david8hu has joined #openstack-keystone15:03
ayoungand, ion fact, onl;y henrynash 's version of the policy file allows for domain scoped tokens, which most people don't even know how to run15:03
henrynashayoung: :-)15:03
ayoungso...let's only return project scoped tokens evar!15:03
rodrigodsayoung, why? you'd the decisive vote15:03
ayoungrodrigods, I was called away, and voting had closed by the time I got back15:03
ayoungand nothing had been decided and we moved on15:04
ayoungrodrigods, I don't scale15:04
rodrigodsayoung, yes... we are now deciding in the spec15:04
samueldmqayoung, you can, by delegation15:04
samueldmq:)15:04
rodrigodsayoung, we are between the 3 and 5 options: https://etherpad.openstack.org/p/reseller-project-token15:04
*** openstackgerrit has quit IRC15:05
henrynashrodigods: that’s a differnet questions, surely?15:05
rodrigodsayoung, we chose 3 as being the main option in the spec: https://review.openstack.org/#/c/192495/15:05
rodrigodshenrynash, just updating ayoung about the vote15:05
*** openstackgerrit has joined #openstack-keystone15:05
henrynashrodigods: the issue of what’s in the token is different from the whay you request it15:05
*** Kr4zy has joined #openstack-keystone15:06
bknudsonI voted for 1 but nobody else liked it for some reason15:06
bknudsonI'm not sure that there was enough info for me to make a choice anyways.15:06
bknudsonsince I'd only seen the options when asked to vote15:06
Kr4zyAuthorization Failed: An unexpected error prevented the server from fulfilling your request: {'info': 'Referral:\nldap://xxxx.com/ou=UserGroups,DC=xxxx,DC=com', 'desc': 'Referral'} (Disable debug mode to suppress these details.) (HTTP 500)15:06
Kr4zyanyone got this error before that can assist?15:06
ayoungrodrigods, name: ""  could be dropped.  You are requesting a project scoped token15:07
ayoungso15:07
bknudsonKr4zy: I think there's an option for referral chasing...15:07
rodrigodsbknudson, 1 was my preferred option as well - but we decided to go with 3 (since the current code is ready for it)15:07
ayoung"project": {15:07
ayoung                "domain": {15:07
ayoung                    "name": "A"15:07
ayoung                },15:07
ayoung}15:07
Kr4zybknudson: I have tried it both enabled and disabled, but it didn't work15:07
bknudsonKr4zy: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n92115:07
rodrigodsayoung, yes... we put this option in the etherpad but didn't receive votes15:07
morganfainbergSo.. I have no idea what option 1, 2, 3 etc are.15:07
*** fangzhou has quit IRC15:08
bknudsonif the referral option doesn't help then I have no idea15:08
morganfainbergBut I'm going to say I am still a big -1 on "is_domain": True15:08
*** HT_sergio has joined #openstack-keystone15:08
morganfainbergIn the request for a token if that is what is being proposed still.15:08
rodrigodsmorganfainberg, check https://etherpad.openstack.org/p/reseller-project-token whenever you have a moment :)15:08
ayoungrodrigods, I don't see it on there15:08
bknudsonmorganfainberg: you and I lost that vote.15:09
rodrigodsayoung, it's same as option 2, but just removing "name"15:09
*** iamjarvo has quit IRC15:09
morganfainbergIn fact I'm close to a -2 on the is--domain15:09
ayoungdomain has a domain name, but not explicit project name15:09
ayoungrodrigods, that is not "the same" though15:09
morganfainbergI'm close to pulling the ptl card here15:09
henrynashrodigods: I personally don’t like taht since it seems different to the regular way you ask for a project by name….with a name (and the domain part is just saying which domain it’s in)15:09
ayoungit *is* what we mean15:09
morganfainbergbknudson: ^15:09
rodrigodshenrynash, ++15:09
bknudsonit was a tie for a while.15:10
henrynashmorganfainberg: and, for the record, you don’t like the is_domain part because?15:10
*** afazekas has quit IRC15:10
morganfainberghenrynash: is is a really awful ux.15:10
bknudsonI think 5 was the runner-up15:10
rodrigodsyes15:10
morganfainbergWhy aren't we doing a scope that specifies domain explicitly as the type rather than guessing or needing extra params.15:11
bknudsonmy favorite was 1 with a list instead of a string but that was not liked by others.15:11
morganfainbergbknudson: looking at it, #1 is my choice.15:11
rodrigodsfor me #1 is better too, with delimiter15:11
ayoungbknudson,  I suggested that one origianlly15:11
morganfainbergbknudson: sure a list is fine vs a string.15:11
rodrigodsayoung, ++15:12
henrynashmorganfainberg: specifiy a valid attribute of an entity you want in a request is bad ux?15:12
ayoungand, if you leave off the list altogether, you get the same thing : scoped to the domain15:12
morganfainberghenrynash: why are we conflating domain scoped requests with project scoped requests?15:12
*** iamjarvo has joined #openstack-keystone15:12
morganfainbergThat is my problem. We should stop trying to make them all 100% the same.15:12
*** iamjarvo has quit IRC15:12
morganfainbergIf you want a domain scoped request, ask for a domain scope, don't wedge it into how you ask for a project scope.15:13
ayoungtreat these as the same15:13
ayoung"project": {"domain": {"name": "A"},"name": []}15:13
ayoung"proje15:13
ayoung"project": {"domain": {"name": "A"}}15:13
*** iamjarvo has joined #openstack-keystone15:13
morganfainbergIf domain scope remains a "thing"15:13
ayoungmorganfainberg, yep15:13
ayoungdomain scope is kindof useless anyway.15:13
rodrigodsmorganfainberg, this is to solve the name conflict issue15:14
ayoungrodrigods, there is no conflict15:14
rodrigodsif we don't allow to get project scoped token for a domain15:14
ayoungthe domain name is not the same as the project name15:14
ayoungthe root project of a domain has no name15:14
morganfainbergrodrigods: we probably need to step back if we are backed into that corner. Why do we have a name conflict.15:14
bknudsonapropos -- https://bugs.launchpad.net/keystone/+bug/1437407 -- new bug for domain admin15:14
openstackLaunchpad bug 1437407 in Keystone "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,In progress] - Assigned to Guang Yee (guang-yee)15:14
e0nemorganfainberg: hi. i posted review for cinder spec about wsgi https://review.openstack.org/#/c/192683/. i will be glad if you'll get a time to treview it15:15
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support  https://review.openstack.org/13470015:15
rodrigodsmorganfainberg, we are migrating the domain table to the project table, it is possible to have deployments where we are going to have a name conflict in this step15:15
e0nemorganfainberg: also, i want to start cross-project initiative for it15:15
morganfainbergBut the is_domain in the request to get a scoped token is the wrong approach.15:15
morganfainberge0ne: cool.15:15
rodrigodsmorganfainberg, we have several options, 3 was the most voted alongside 5 in yesterday's meeting15:16
morganfainbergSo, either we do something like (straw man): {scope: domain: <thing> }15:16
morganfainbergAnd the. We do the request with project instead.15:16
morganfainbergOr we use the hierarchy like option 115:16
ayoungso..that is a sure sign that people don15:16
ayoung't understand15:16
ayoungthe others all say the same thing:15:16
ayoungif name is missing or is falsy, give the  root project for the domain15:17
morganfainbergThe "is_domain": True is mixing how you request the scopes and really is not clear.15:17
ayoungNone,  [] , "" or just plain missing15:17
morganfainbergAnd people will do it wrong. It's wedging in a new resulting token in the wrong place.15:17
morganfainbergThat is why I view it as bad up15:17
morganfainbergUx*15:17
ayoungallow any of them, allow all of them, and so long as you do not explicitly request a project by name, you get the root project15:17
rodrigodsayoung, I don't like "hiding" the name option15:18
rodrigodsit *will* have a name15:18
morganfainbergSo in short I am a strong -1 on "is_domain": True, bordering on -215:18
ayoungrodrigods, you are not hiding the name option,15:18
ayoungyou are saying that you want the root project in the domain.  Say it however you want15:18
rodrigodspassing "" won't result in a correct result15:18
ayoung""  None  []  Bupkis15:19
morganfainberge0ne: I'm excited to see that become more of a general pattern in OpenStack :)15:19
ayoungrodrigods, I don15:19
ayoungrodrigods, I don't like domains.15:19
ayoungWe should never have had them, should have made projects hierarchical15:20
ayoungbut, we did what we did qand now we do what we have to do to deal15:20
rodrigodsayoung, I mean - if we request something passing "name" with "", [] or None, it is "wrong" as an API perspective since we are going to return a name in the request response (the scope will have a name different from "", [] or None)15:20
e0nemorganfainberg: agree. it should be done in the same way across all projects15:20
morganfainbergI'm not sure what the issue with just issuing a project scoped token always is. But I'm sure there is one...15:20
ayoungrodrigods, so long as the name is consistently defined in the response, what does it matter?15:21
ayoungmorganfainberg, there is none.  the problem is how is Horizon going to request it15:21
morganfainberge0ne: as a heads up we need to fix grenade to be smarter about upgrades. It has some issues ATM for the wsgi py files.15:21
morganfainberge0ne: but it really isn't the end of the world ;)15:21
rodrigodsayoung, it is wrong to return something different from what was requested15:21
ayoungif we need to scope to the project at the root of the hierarchy for a domain, how does Horizon generate the request15:21
ayoungrodrigods, no it is not15:21
e0nemorganfainberg: could you please provide me a link with bug?15:22
rodrigodsayoung, of course it is15:22
ayoungrodrigods, it is not diffferent in meaning, just in form15:22
morganfainberge0ne: i need to dig it up. It is an issue keystone is going to solve soon because we need to.15:22
samueldmqmorganfainberg, need your view on something, will summarize in a sentence ...15:22
e0nemorganfainberg: as i described in spec, i'm going to leave eventlet as default (we could depreacte it) and setup CI to run with apache15:22
morganfainberge0ne: we ran into it last week and I was traveling so I need to dredge through my IRC logs.15:23
rodrigodsayoung, if I do something in a Python API: get_entity(name="") and return is something with {name="xpto"} is wrong IMHO15:23
*** afazekas has joined #openstack-keystone15:23
samueldmqmorganfainberg, what if, with hierarchical roles, one can use any role in the hierarchy in the policy, and middleware knows the hierarchy and replace roles as needed at fetching time15:23
rodrigodsayoung, the difference is that we are talking about a HTTP API15:23
e0nemorganfainberg: ok. if you or someone from keystone folks will fix it, i'm not worry on it:)15:23
morganfainberge0ne: I hope eventually we can make it he default. But there is one major concern, that is event listening on Oslo. But not sure how much the cinder api has to listen.15:23
samueldmqmorganfainberg, I will be discussing this and some unified things with dolphm once he shows up, unified vs not unified (as today) is the only point I need to agree with ayoung before talking to other projects15:24
morganfainbergsamueldmq: hold up. Can only do two conversations at once on IRC via a cell phone :P15:24
ayoungsamueldmq, I'll post an updated unified to the github repo in a moment15:24
e0nemorganfainberg: we need to move from thread-based to process-based first15:25
samueldmqayoung, nice15:25
morganfainbergsamueldmq: didn't we decide the unified was going to cause deployer issues?15:25
morganfainbergIn the short term.15:25
morganfainberge0ne: yes.15:25
samueldmqmorganfainberg, yes, I think we had decided ... but ayoung wants to discuss it a bit more to see fi we find a solution15:26
samueldmqmorganfainberg, I got from him what he solves with the unified, and would possibly solving with that suggestion above for hierarchcial roles ^15:26
samueldmqI am trying to satisfy ayoung's requirements in a different approach15:27
*** jasondotstar has joined #openstack-keystone15:27
morganfainbergSo middleware wouldn't replace the roles. Keystone would need to do it at validate.15:27
ayoungmorganfainberg, no, people complained about policy being unified, but provided no viable alternative15:27
ayoungso we are continuing the conversation until we have an alternative15:27
morganfainbergHaving the extra round trip is not worth it.15:27
* rodrigods goes to lunch, will be back in +/- 1 hour15:27
*** afazekas has quit IRC15:28
morganfainbergrodrigods: if you are back in -1 hour I'll be impressed :P15:28
samueldmqmorganfainberg, middleware would do it when it fetch the policy, at the same time15:28
morganfainberg;)15:28
morganfainbergUhhhh15:28
rodrigodsmorganfainberg, heh :)15:28
ayoungmorganfainberg, if I could come uip with a way to actually have the necessary conversation on this, I would./15:29
morganfainbergsamueldmq: why would this be a policy fetch thing and not a validate time?15:29
ayoungI presented at the summit on the main side, and put together a cross project talk as well15:29
henrynashmorganfainberg: although teh current proposla is that you do just get a projrect scoped token…all we rae talkng about is how the request it15:29
samueldmqmorganfainberg, validate policy/ token ?15:29
ayoungand I only found out that Nova was going off in a different direction at a party one evening15:29
morganfainberghenrynash: and merging how you make this request is where I have the problem.15:29
samueldmqmorganfainberg, it would allow one to use any role in the hierarchy transparently15:30
ayoungthe short of it is, RBAC is a cross project approach, not any one project, and we need input from the main players15:30
morganfainberghenrynash: we should make requesting a domain scoped token not look like a project scope request. Don't wedge it into the same thing.15:30
ayoungI don;'t know how to make that conversation happen short of a unified policy file starting point15:30
samueldmqmorganfainberg, we need to translate the hierarchy somewhen, if we do that at token generation, we can have token bloat issue, and one couln't use any role in the hierarchy in the polucy15:30
morganfainbergayoung: fwiw I agree with nova's general proposal.15:30
samueldmqmorganfainberg, https://wiki.openstack.org/wiki/DynamicPolicies#Overview_Solution_-_Liberty_Scope15:31
morganfainbergBut I'm not saying it is the right one.15:31
ayoungmorganfainberg, I think I do to, but I think they don't even understand it15:31
ayoungmorganfainberg, here is what I think it means15:31
morganfainbergI think you aren't giving them enough credit.15:31
samueldmqmorganfainberg, this is my first try, ayoung kind of agree with that15:31
ayoung1.  We let the individual project defined the basis of policy.15:31
henrynashmorganfainberg: we do! all is_domain=True is doing is provding exactness in scope…..it is not implying a domain token….that’s why it is project {} as a scope15:31
ayoungand that means a coupld different things15:31
ayoungrealisitically, it means that they have to define "here is how you match scope"  and "we expect this api to be used by admins vs end users"15:32
morganfainberghenrynash: it is mixing how you are asking for the tokens. It is not a clear "domain scope". Don't make someone guess if a project is a domain this way. Ask for a domain scope a separate way.15:32
ayoungmorganfainberg, anyway, when you can pay attention, I am more than happy to talk throuigh it with you.15:33
ayoungor with anyone else15:33
morganfainbergayoung: I can't hold 4 convos in IRC. On a phone. :( I'm trying.15:33
*** csoukup has joined #openstack-keystone15:33
samueldmqayoung, I am aware of what you want :)15:33
ayoungmorganfainberg, I understand,  and I am excusing you from this one15:33
henrynashmorganfainberg: but we aren’t asking for domain scope15:33
samueldmqayoung, we basically have now to agree on whether default will be unified or not15:33
samueldmqayoung, at least for you and I have a 100% agreement :)15:34
morganfainberghenrynash: so I've given my justification here and I am against mixing up how we are asking for this scope like that. I've been against is_domain for a while. At this point I'm going to say don't do that.15:34
ayoungsamueldmq, if I were to start from scratch here, I would say that policy would only have RBAC checks in it.  Scopeing the token to the resource would not be a policy check15:34
ayoungit would be in code;15:34
ayoungbut...that implies a few things we can't do today15:35
ayoung1.  There are two different token formats15:35
samueldmqayoung, that's story 615:35
ayoungwe need to reduce that to ione15:35
samueldmqayoung, we will get there, but incrementally :)15:35
morganfainbergThe is_domain is mixing how we are asking for the scopes. It is not a clear definition it is wedging in a poor design because we feel backed into a corner on name conflicts.15:35
ayoung23.  We need to provide a meeting place for code from, say, Nova with the token format15:35
ayounghmmmm15:36
ayoungwhat do we do with the headers for roles and proejcts right now...15:36
henrynashmorganfainberg: Ok, this will be an agree to disagree…but that’s OK :-)15:37
morganfainberghenrynash: and in this case (and you known rarely do this) I'm going to play the PTL card. Let's not do it that way.15:37
morganfainbergS/known rarely/ know I rarely15:38
henrynashmorganfainberg: agreed, it’s rare, and if you feel that strongly, time to play :-)15:38
morganfainberghenrynash: cool.15:38
*** jamielennox is now known as jamielennox|away15:38
ayoungOK, so the contract we have is the headers:      'X%s-Project-Name': 'project_name',  and the roles template15:38
ayoungGAH!15:39
morganfainberghenrynash: I like the option 1, but I know there were concerns.15:39
morganfainberghenrynash: even with a list. But I'm not opposed to other proposals.15:39
henrynashmorganfainbergL have to go re-read the options now!!!!15:39
morganfainberghenrynash: sorry!15:39
ayoungsamueldmq, so...we probably should not even be enforcing based on the token, but based on the headers....15:40
ayounghttp://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_request.py#n5815:40
morganfainbergayoung: I'll be back soonish. And will be able to do the backscroll read.15:40
* morganfainberg looks at it being Wednesday. So much for the week off.15:40
*** esp has joined #openstack-keystone15:41
samueldmqayoung, but the headers must be validated against the token, since you can be lying to the service15:45
ayoungsamueldmq, the headers are set by AUTH_TOKEN middleware15:45
morganfainbergsamueldmq: any headers we rely on auth token strips and sets directly15:45
*** viktors is now known as viktors|afk15:45
morganfainbergWe have to trust them.15:45
samueldmqayoung, and at the service we trust in the headers validated by middleare15:45
samueldmqmorganfainberg, ^15:45
samueldmqdon't we already do it like this ?15:46
ayoungsamueldmq, stop asking morgan15:46
ayoungsamueldmq, look at the code15:46
*** ericksonsantos has joined #openstack-keystone15:46
ayoungso, if there is no auth token, then, yeah, the end user could lie.15:46
ayoungbut we don't really care15:46
*** jamielennox|away is now known as jamielennox15:47
samueldmqayoung, isn't there a way to let people know who set the vars ?15:47
ayoungwith auth_token, we endure the headers are valid, and that is the case we care about15:47
samueldmqayoung, I mean a way to let the service trust the middleware15:47
ayoungsamueldmq, THE USER COULD LIE ABOPUIT THAT, TOO15:47
ayounggah caps lock15:47
morganfainbergayoung: remember some services don't use auth_token in all cases. But I don't think that is a huge concern in this context.15:47
*** hemnafk is now known as hemna15:47
ayoungmorganfainberg, In those cases, policy would be invalid, too15:47
samueldmqso .. why do auth_token set those env vars ? if the service is not looking at them15:48
morganfainbergLike I said. Probably not a huge concern.15:48
samueldmq:(15:48
morganfainbergsamueldmq: it is how we pass the data down to the app under auth token.15:48
samueldmqmorganfainberg, but is doesn't trust the token info we pass down15:48
morganfainbergThe service does end up looking at it via huge auth context.15:48
samueldmqit*15:48
morganfainbergIt has to trust the data we pass down.15:49
morganfainbergAuth token is a trusted data source for the apps behind it.15:49
samueldmqif it does, they wouldn't need the token, but only the vars passed down by middleware instead15:49
samueldmqI think this is what we're talking about, right ayoung15:49
morganfainbergThe token is often used for other things too.15:49
morganfainbergLike nova -> glance.15:50
morganfainbergThere are multiple things happening here n15:50
samueldmqmorganfainberg, k it need to be passed through, but in this case, couldn't glance trust nova /?15:50
*** stevemar has quit IRC15:50
morganfainbergNo. Because it needs the user's authz to access the image.15:50
morganfainbergI have a plan to fix it and it revolves around jamielennox 's work with the service tokens. But that is t today.15:51
morganfainbergMight not even be this cycle.15:51
samueldmqmorganfainberg, sure, but nova passes the token and say, 'trust me, it's valid', and glance wouldn't need to vbalidate that again15:51
openstackgerritDolph Mathews proposed openstack/keystone: addtional Fernet test coverage  https://review.openstack.org/19273915:51
morganfainbergsamueldmq: except they glance can't know it's valid. Since who sent it? It isn't internal communication, it is via glance's rest api15:52
morganfainbergSo... You must re validate in this case at glance.15:52
ayoungsamueldmq, , so, one thing I think we need to add to the policy enforcement is namespaced defaults.  Instead of a global default, we need to be able to say "compuet:default"  or "image:default"15:52
*** kiran-r has joined #openstack-keystone15:52
bknudsonif x.509 was used you could trust it15:52
*** stevemar has joined #openstack-keystone15:52
*** ChanServ sets mode: +v stevemar15:52
ayoungbknudson, ++15:52
samueldmqbknudson, yes15:52
samueldmqayoung, if we go to the unified yes15:52
samueldmqayoung, remember what I said earlier today about middleware knowing the roe hierarchy ?15:53
morganfainbergbknudson: sort of. Still some concerns re the model we have today. But that is off in the weeds.15:53
ayoungbknudson, if X509 was used we would not need tokens.  We'd just map in process, and fetch roles for the user15:53
samueldmqmorganfainberg, cc ^15:53
samueldmqayoung, morganfainberg we could have GET /policy?endoint_url=<> ... which would convert15:54
samueldmq'compute:create_server': 'role:admin1' to -> 'compute:create_server': 'role:admin1 or role:admin2'15:54
samueldmqin the case admin2 inherits from admin 115:54
samueldmqso no need to tell middleware about role hierarchies15:55
samueldmqit already comes expanded from keystone, who owns them15:55
*** pballand has joined #openstack-keystone15:55
samueldmqmorganfainberg, ayoung sorry I need to go afk for a bit, have an English class right now .. will be back with a better English in 2 hours :)15:56
morganfainbergHah! Have fun in class ;)15:56
*** kiran-r has quit IRC15:56
samueldmqmorganfainberg, ayoung and I meant :  GET /policy?endoint_url=<>?effective   < - ***EFFECTIVE***15:56
morganfainbergYour English is probably better than mine. I speak two languages English and bad English. :P15:56
samueldmqmorganfainberg, thanks15:56
*** kiran-r has joined #openstack-keystone15:57
samueldmqmorganfainberg, haha that's a nice joke :)15:57
morganfainbergI don't get to take credit. It's from the 5th element.15:57
bknudsonsamueldmq: you could teach an english class.15:57
stevemarbknudson, ++15:57
*** jamielennox is now known as jamielennox|away15:58
samueldmqbknudson, yes, but you misspelled that, run: s/english/portuguese15:58
samueldmqsee you guys in a bit ;)15:58
*** iamjarvo has quit IRC16:00
*** kfox1111 has joined #openstack-keystone16:02
*** kiran-r has quit IRC16:03
*** kiran-r has joined #openstack-keystone16:03
*** Kr4zy has quit IRC16:05
*** jamielennox|away is now known as jamielennox16:06
*** kiran-r has quit IRC16:10
*** dims_ has joined #openstack-keystone16:11
*** dims has quit IRC16:13
openstackgerritVictor Stinner proposed openstack/python-keystoneclient: Remove keystoneclient.middleware  https://review.openstack.org/19275216:15
*** dguerri is now known as dguerri`16:15
*** dguerri` is now known as dguerri16:25
*** afazekas has joined #openstack-keystone16:28
*** tqtran_afk_gowar has joined #openstack-keystone16:30
*** tqtran_afk_gowar is now known as tqtran16:30
*** dguerri is now known as dguerri`16:32
*** openstackgerrit has quit IRC16:33
*** openstackgerrit has joined #openstack-keystone16:34
*** jamielennox is now known as jamielennox|away16:35
*** fangzhou has joined #openstack-keystone16:35
*** RichardRaseley has joined #openstack-keystone16:36
*** dsirrine has quit IRC16:36
stevemarlhcheng has been afk lately16:39
*** jasondotstar has quit IRC16:43
*** gyee_ has joined #openstack-keystone16:43
*** fifieldt_ has joined #openstack-keystone16:43
*** jasondotstar has joined #openstack-keystone16:44
*** fifieldt has quit IRC16:45
*** josecastroleon has quit IRC16:45
*** operator99 has quit IRC16:45
*** josecastroleon1 has joined #openstack-keystone16:45
*** jasondotstar has quit IRC16:45
*** roxanaghe has joined #openstack-keystone16:45
*** jasondotstar has joined #openstack-keystone16:46
*** RichardRaseley has quit IRC16:47
*** mfisch has quit IRC16:47
*** jamielennox|away is now known as jamielennox16:49
*** mfisch has joined #openstack-keystone16:49
*** mfisch has quit IRC16:50
*** mfisch has joined #openstack-keystone16:50
*** kiran-r has joined #openstack-keystone16:50
*** timsim has left #openstack-keystone16:50
*** gyee has joined #openstack-keystone16:52
*** ChanServ sets mode: +v gyee16:52
*** jasondotstar has quit IRC16:52
*** jasondotstar has joined #openstack-keystone16:54
*** belmoreira has joined #openstack-keystone16:57
*** kiran-r has quit IRC16:59
*** jasondotstar has quit IRC16:59
*** kiran-r has joined #openstack-keystone16:59
*** _cjones_ has joined #openstack-keystone16:59
*** e0ne has quit IRC17:00
*** jasondotstar has joined #openstack-keystone17:02
*** rushiagr is now known as rushiagr_away17:04
kfox1111morganfainberg: have a spec for the x509 federated thing handy?17:06
morganfainbergkfox1111: http://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html17:07
kfox1111thx. :)17:08
david8huayoung, samueldmq, Sorry, I missed your earlier discussion on the topic of unified policy.  I like the role check idea, but keystone should not be the gate keeper for all rules going into unified policy.  For example, nova adds a new compute rule to unified policy.  Nova should have its core reviewers approve the change, and not keystone core reviewers.17:09
ayoungdavid8hu, agreed, but make it a separate repo17:10
ayoungshould not be Keysteon, should be policy reviewers17:10
ayoungdavid8hu, however, before we get there, let's just look at twhat it would look like17:10
ayoungwe can stick in oslo to start and clone, for all I care17:10
ayoungits the rules themselves that matter, not the workflow at this point17:10
openstackgerritLance Bragstad proposed openstack/keystone: Fix Fernet key rotation  https://review.openstack.org/19278217:11
lbragstaddolphm: ^17:12
*** jamielennox is now known as jamielennox|away17:13
david8huayoung, I see 2 approaches, might be more.  Approach 1, move policy to role check (get rid of is_admin), then unified.  Approach2, Unified, then move to role check.  Either way, it is going to be an up hill battle out side of keystone.  But we need to start somewhere.17:16
*** dims_ has quit IRC17:16
ayoungdavid8hu, I think you are right, but could you clarify17:16
ayoung"policy to role check" means what?17:16
*** dims has joined #openstack-keystone17:17
openstackgerritDolph Mathews proposed openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279217:17
dolphmbknudson: the unit tests you just requested https://review.openstack.org/#/c/192792/17:17
bknudsonthat was fast.17:17
david8huayoung, simply get rid context_is_admin, instead "api":"role"17:18
lbragstadbknudson: like Jimmy Johns.. but with code..17:19
david8huayoung, we need to go around and educate other services on the topic of getting rid of context_is_admin.  It would make our story even better, if we can get oslo.policy to deprecate is_admin arguments.17:20
morganfainberglbragstad: uhh.17:23
openstackgerritDolph Mathews proposed openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279217:24
*** henrynash has quit IRC17:24
dolphmbknudson: if you're reviewing ^ just factored out "2" as a constant and added an inline comment to explain the constant17:24
*** belmoreira has quit IRC17:38
*** afazekas has quit IRC17:41
*** aix has quit IRC17:42
kfox1111morganfainberg: looking through that spec. it seems like there is no way to get an unscoped token with it.17:44
kfox1111correct?17:44
morganfainberggyee: ^ cc17:44
morganfainbergGoing to defer you over to Guang on that one kfox111117:45
morganfainbergHe's been working on the implementation.17:45
kfox1111oh.... I see.. it does mention "absence of the scope headers is equivalent to an unscoped token"17:45
kfox1111later on.17:45
morganfainbergYeah.17:45
kfox1111so this also depends on keystone in apache. ok.17:46
morganfainbergSome extra work will likely be needed as well for this all to work. You should take with Guang on your specific needs as well since most of that code has been written and is pending debase/review.17:46
kfox1111the install howto to make instance users work is going to be long....17:46
morganfainbergkfox1111: yes. But eventlet keystone is deprecated.17:46
kfox1111oh really? ok.17:47
morganfainbergSo that isn't an unreasonable ask.17:47
kfox1111when was it deprecated?17:47
morganfainbergYep as of kilo. Removed in m17:47
kfox1111hmm... so the rdo folks have got to be planning on dealing with this soon.17:47
morganfainbergEventlet keystone is a thing of the past :)17:47
*** HT_sergio has quit IRC17:47
kfox1111rdo kilo's still eventlet out of the box.17:48
morganfainbergThat is unfortunate.17:48
gyeekfox1111, you want to get a token with an x.509client cert?17:48
*** kiall has joined #openstack-keystone17:48
*** eandersson has quit IRC17:48
*** rlt has quit IRC17:48
morganfainberggyee: ephemeral user (federated) from a cert17:48
kfox1111gyee: if you haven't seen this spec yet, could you please have a look: https://review.openstack.org/#/c/18661717:49
morganfainbergI think it is a minor scope increase from that spec. But should be pretty easy to accommodate.17:49
gyeeoh ok17:49
kfox1111its going to depend on the x.509client cert stuff.17:49
kiallHey - Is it expected for keystonemiddleware to pull the latest+greatest keystoneclient and pycadf? It seems to be causing us issues on stable/kilo, where.. for e.g.  error: oslo.config 1.9.3 is installed but oslo.config>=1.11.0 is required by set(['pycadf'])17:49
gyeelet me take a look17:49
kfox1111thx. :)17:49
morganfainbergkfox1111: all the federation work and lots of other things relies on Apache. It is silly to try and support eventlet as a second class citeZen.17:50
morganfainbergkiall: you should be using the stable/kilo middleware for kilo.17:50
morganfainbergkiall: there is a branch specifically for it (I need to look atwha that tag # is. But I need food first)17:51
kfox1111morganfainberg: I agree. I've needed to rely on apache modules before to handle kerberos and other things. Never want to ever try and implement those directly. they are scary. :)17:51
kiallmorganfainberg: So, this is pulling from pip using the stable/kilo global-req's pin of keystonemiddleware>=1.5.0,<1.6.017:51
*** pnavarro has quit IRC17:51
*** kiranr has joined #openstack-keystone17:51
morganfainbergkiall: possibly a global requirement issue then.17:51
*** e0ne has joined #openstack-keystone17:51
morganfainbergMiddleware relies on the g-r data.17:51
bknudsonkiall: here's the requirements.txt for keystonemiddleware in stable/kilo: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/requirements.txt?h=stable%2Fkilo17:51
kiallBut, it seems the released keytonemiddleware package is pulling in a post-kilo KS client and pycadf - it seems theres no cap there17:51
morganfainbergI think someone blocked capping in kilo a while back.17:52
bknudsonanf ro 1.6.1 -- http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/requirements.txt?h=stable/kilo&id=1.6.117:52
bknudson*and for*17:52
kiallYea, KS middlewar's KS client and pycady requirements are open, while the global-requirements repo has a cap that works :)17:52
morganfainbergYep we have a -2'd patch from I think dhellman for the pin/cap in kilo17:53
bknudsonhttps://review.openstack.org/#/c/173972/17:53
openstackgerritLance Bragstad proposed openstack/keystone: Fix Fernet key rotation  https://review.openstack.org/19278217:54
openstackgerritLance Bragstad proposed openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279217:54
kiallAh, Okay.. I think that needs to land.. as is it, anyone up to date with Kilo global requirements, who don't have explict dependancies on  KS client and pycadf will likely be failing to `pip install -r requirements.txt` -17:54
*** kiran-r has quit IRC17:55
kiallI wonder if Doug forgot to remove the -2 on that17:55
*** ninag has quit IRC17:55
*** kiranr has quit IRC17:58
*** browne has quit IRC18:01
dstaneklbragstad: at a quick glance the logic here looks incorrect https://review.openstack.org/#/c/192782/2/keystone/token/providers/fernet/utils.py18:03
*** browne has joined #openstack-keystone18:03
lbragstaddstanek: do you think it needs a better comment?18:04
lbragstador it *is* in correct?18:04
dstaneklbragstad: hmm....no i think it is correct, but would 'active_keys = len(key_files) - 1; number_of_keys_to_purge = max(0, active - CONF.fernet_tokens.max_active_keys)' make it more obvious?18:07
openstackgerritDolph Mathews proposed openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279218:07
dstaneki found the +1 misleading, but after thinking about it it's because there is one extra file (the next key) that you are not counting, right?18:07
lbragstaddstanek: I think I like the logic ^ with the active keys set better?18:09
dolphmdstanek: then you'd be slicing from [1:first_good_key] , right?18:09
lbragstadbut active keys should include the staged key becuase that key is also, technically active18:09
lbragstads/,//18:09
dolphmlbragstad: but we're slicing into the list of excess keys18:09
lbragstadright18:10
dolphmwhich is a subset of like, [0,4,5,6] where max_active_keys=3, you should be selecting [0,4,5,6][1:1]18:10
dolphmexcess_keys == [4]18:10
dstanekdolphm: i think think my logic is any different; i moved the +1 to the other side as a -1 and gave it a name18:10
*** spandhe has joined #openstack-keystone18:11
dstanek1:1 shouldn't give you anything18:11
dolphmdstanek: but actually there is no zero in the list of keys, because i created one a few lines before but never added it to that list18:12
htrutaso, morganfainberg... catching up your conversation with rodrigods, ayoung and henry-nash18:12
htrutadoes your PTL card have the number 1 option in our reseller vote?18:13
dolphmdstanek: so [4,5,6][:3 - 3 + 1], where the first 3 is the current length of keys, excluding the newly created staged key, and the second 3 is max_active_keys, would select [4] for purging18:14
stevemarwhere did the bin directory go for keystone?18:14
lbragstadstevemar: keystone/cmd/18:14
dstanekstevemar: gone! using entry points now18:14
dstanek.cmd18:15
lbragstadstevemar: logic is in keystone/cli.py18:15
stevemarohhh18:15
stevemarokayyy18:15
dolphmdstanek: so keys on disk would end up as 0 5 6 (max_active_keys=3)18:15
dolphmstevemar: and entry points are listed in setup.cfg18:15
kiallmorganfainberg / bknudson: Doug removed the -2 from the kilo requirements update :) https://review.openstack.org/#/c/173972/18:15
stevemarsteve:keystone$ keystone-manage18:16
stevemarTraceback (most recent call last):18:16
stevemar  File "/usr/local/bin/keystone-manage", line 6, in <module>18:16
stevemar    from keystone.cmd.manage import main18:16
stevemardolphm, expected?18:16
dstanekdolphm: it's not slicing to remove :-)18:16
dstanekdolphm: gimme a sec so i can actually read through the code18:16
dolphmdstanek: it's slicing to select what to purge18:16
kiallmorganfainberg / bknudson: Discussion with Doug in #openstack-infra too, he's still got a concern it seems :)18:17
dstanekdolphm: hmmm..is key_files a dict?18:17
dstanekyeah, i guess so18:17
lbragstaddstanek: yep18:17
lbragstaddstanek: {3: '/etc/keystone/fernet-keys/3', 4: '/etc/keystone/fernet-keys/4', 5: '/etc/keystone/fernet-keys/5', 6: '/etc/keystone/fernet-keys/6'}18:18
openstackgerritDolph Mathews proposed openstack/keystone: Test to ensure fernet key rotation results in new key sets  https://review.openstack.org/19281718:19
openstackgerritHenrique Truta proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300718:20
*** kr4zy has joined #openstack-keystone18:20
dstanekdolphm: lbragstad: won't there always be a 0 key?18:20
lbragstaddstanek: the newly created 0 key isn't added to the key_files dict per dolphm's comment above18:22
openstackgerritLance Bragstad proposed openstack/keystone: Fix Fernet key rotation  https://review.openstack.org/19278218:22
openstackgerritLance Bragstad proposed openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279218:22
openstackgerritLance Bragstad proposed openstack/keystone: Test to ensure fernet key rotation results in new key sets  https://review.openstack.org/19281718:23
*** HT_sergio has joined #openstack-keystone18:23
*** markvoelker has quit IRC18:25
*** markvoelker has joined #openstack-keystone18:25
dstaneklbragstad: i get the logic. it just feels like the +1 is a magic number and i was trying to give it a name18:29
*** diazjf has joined #openstack-keystone18:30
lbragstaddstanek: what did you want that name to be?18:34
dstaneklbragstad: not sure18:35
dstaneklbragstad: since i can't think of anything better it's probably fine as-is18:36
lbragstaddstanek: if you come up with something better, by all means, ping me and I'll push another patch18:37
samueldmqdolphm, do you have any blog post (or other resource) on the idea of unified policy ?18:38
stevemardiazjf, fernando!!18:39
*** afazekas has joined #openstack-keystone18:41
*** lhcheng has joined #openstack-keystone18:43
*** ChanServ sets mode: +v lhcheng18:43
samueldmqstevemar, fernando ? what does it mean in English ?18:44
stevemarsamueldmq, that is mr diazjf name18:45
samueldmqstevemar, is he Brazilian ? looks like a Brazilian name :)18:45
*** markvoelker_ has joined #openstack-keystone18:47
*** markvoelker has quit IRC18:47
samueldmqayoung, ping - did you see the idea on GET / policies ? endpoint_url=<> & effective18:48
samueldmqayoung, ?18:48
ayoungsamueldmq, we are not rewriting policy on the way out, if that is what you are suggesting18:48
samueldmqayoung, I explained earlier, and that solves role inheritance at keystone server, without even touching the token18:48
ayoungsamueldmq, we'ere headed that way, but in the database driven approach18:49
ayoungnot in keystone itself18:49
samueldmqayoung, only middleware would ask that with ?effective18:49
ayoungsamueldmq, I need to finish something first18:49
samueldmqayoung, k18:49
stevemarsamueldmq, nope :(18:50
stevemarsamueldmq, diazjf is not brazilian, he's from austin TX18:50
*** mtecer has joined #openstack-keystone18:50
samueldmqstevemar, k :)18:50
openstackgerritLance Bragstad proposed openstack/keystone: Add unit test to exercise key rotation  https://review.openstack.org/19279218:50
openstackgerritLance Bragstad proposed openstack/keystone: Test to ensure fernet key rotation results in new key sets  https://review.openstack.org/19281718:50
kr4zyAnyone seeing this error with Keystone before https://gist.github.com/anonymous/239f3a51e695e3398fdd18:51
diazjfhello everyone, not Brazilian. I'm a Miami Cuban lol18:55
ayoungkr4zy, not enough information to debug18:55
samueldmqdiazjf, hi, haha :)18:59
*** mtecer has quit IRC19:02
*** jaosorior has quit IRC19:05
*** fifieldt_ has quit IRC19:12
samueldmqayoung, Call for Speakers is now open .. let's add something once we agree on the scope for L :)19:13
ayoungsamueldmq, heh...sure19:13
ayoungcome up with a title.19:14
samueldmqayoung, let's come up with an agreement on that thing, I am not sleeping at night :(19:15
samueldmqayoung, kidding .. yes I will find a title! :)19:15
*** openstackgerrit has quit IRC19:16
*** openstackgerrit has joined #openstack-keystone19:17
*** afazekas has quit IRC19:21
*** gyee has quit IRC19:25
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285019:25
stevemardiazjf, ^^^19:26
morganfainbergsamueldmq: there are 2 hard things in computer science, cache coherency and naming things.19:26
*** mtecer has joined #openstack-keystone19:27
kr4zyayoung: hope this is enough info: https://gist.github.com/anonymous/0da837d01e4a28fb8c2619:28
samueldmqmorganfainberg, ++ haha19:28
stevemardstanek, just teaching diazjf the workflow!19:28
stevemaryou gave him like 10 seconds :P19:29
samueldmqmorganfainberg, should 'get agreement in a cross-project view in openstack' (dynamic policies) be classified as fun ? :)19:29
dstanekstevemar: haha, i get a popup notification for every review19:29
*** fifieldt_ has joined #openstack-keystone19:29
stevemardstanek, me too :)19:29
ayoungchase_referrals = False19:29
ayoungkr4zy, chase_referrals = False  is that intentional?19:29
ayoungcuz the error message is19:30
ayoungREFERRAL: {'info': 'Referral:\nldap://xxxxx.com/ou=UserGroups,DC=xxxxx,DC=com', 'desc': 'Referral'}19:30
ayoung2015-06-17 14:14:18.798 10945 TRACE keystone.common.wsgi19:30
*** obedmr has quit IRC19:30
samueldmqstevemar, ah great, so diazjf will be working with us from now ? :)19:30
stevemarsamueldmq, FOREVER19:30
samueldmqstevemar, ++ great19:31
stevemarsamueldmq, i mean... uh... we don't employ people for life19:31
samueldmqdiazjf, welcome, feel free to ask any question :)19:31
openstackgerritDolph Mathews proposed openstack/keystone: Test to ensure fernet key rotation results in new key sets  https://review.openstack.org/19281719:31
samueldmqdiazjf, I will (and anyone here) be happy to help you  ...19:31
samueldmqdiazjf, well, at least this has been working for me since I started working here :)19:32
dolphmdstanek: left a stray line of cruft in that last fernet test review: https://review.openstack.org/#/c/192817/3..4/keystone/tests/unit/token/test_fernet_provider.py,unified19:32
samueldmqstevemar, got that , you're excited on having one more from ibm with us :) that's great to have new people coming here19:32
ayoungkr4zy, ah, that seems like it is in there explicitly for AD19:33
ayoungcommit 9c15b73f8361ce8606a531b5765c94b3927d99c419:33
diazjfthanks guys19:34
kr4zyayoung: yeah.. I have also tried true. Didn't help.19:34
ayoungkr4zy, sometjhing is throwing an excpetion talking to AD.  Don't see in there the root cause of that19:35
kr4zyayoung: here is the updated link: https://gist.github.com/anonymous/d978cd3a764dedfc2465. had to removed some sensitive info19:35
ayoungkr4zy, File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 547, in search_s  is the last place it is in Keystone code19:36
ayoungthat does not quite line up with upstream master http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n54719:38
ayoungkr4zy, what version are you running?19:38
*** thedodd has joined #openstack-keystone19:40
kr4zyayoung: I am using openstack juno version 2014.2.2-1.el719:41
ayoungkr4zy, OK let me pull up that code19:41
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py?h=stable/juno#n547  still doesn't seem to match your stack trace19:43
ayoung547 is in search_ext, and yours shows search_s19:44
ayounghmm, I thought we had logging in there, too19:45
ayoungkr4zy, that code sucks19:47
ayoungjust thought I'd mention19:47
ayoungkr4zy, OK,  so the failure is happening on an authenticate call, which is done via a simple bind19:51
ayoungthe user passes in userid and password, and the LDAP code attempts to bind to the AD server19:51
*** diazjf has quit IRC19:51
ayoungI don't know the error being triggered there, but I would try, at a minimum, to make the same call from a command line client, to see what it is complaining a bout19:52
ayoungyou should be able to pull together the actual LDAPQuery command values from elsewhere in that log19:52
ayoungI lied19:53
ayoung _get_project_roles_and_ref19:53
ayoung2015-06-17 14:14:18.798 10945 TRACE keystone.common.wsgi     user_id, tenant_id)19:53
ayoungthat happens after wards19:53
ayoung_get_group_ids_for_user_id19:53
ayoung2015-06-17 14:14:18.798 10945 TRACE keystone.common.wsgi     x in self.identity_api.list_groups_for_user(user_id)]19:53
ayoungits trying to list the groups for the user19:53
ayoungLDAP search: base=ou=UserGroups,DC=xxxxx,DC=com scope=2 filterstr=(&(&(objectClass=groupOfNames)(member=CN=Unknown Name,OU=Users,OU=XXX,OU=Sites,DC=adstg,DC=xxxxx,DC=com))(objectClass=groupOfNames)) attrs=['ou', 'cn', 'description'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:93719:54
ayoung(member=CN=Unknown  looks suspect, but maybe it makes sense to you19:54
ayoungkr4zy, you want to run something in the form of     ldapsearch   -x  -H 'ldaps://$ADSERVER'  -D "cn=$ADMINUSER" -w $PASSWORD -b "$BASE_DN"19:56
kr4zyayoung: does the extra sapce for the cn cause an error19:56
ayoungkr4zy, I'll let you figure that out.  I can't debug LDAP visually19:57
*** Rockyg has joined #openstack-keystone19:57
*** Rockyg has quit IRC19:57
ayoungkr4zy, I do know that I would not be putting spaces in mine.19:58
kr4zyayoung: haha..thanks19:58
*** Ctina_ has quit IRC19:59
*** Rockyg has joined #openstack-keystone19:59
*** stevemar has quit IRC20:00
*** jasondotstar has quit IRC20:05
*** diazjf has joined #openstack-keystone20:06
*** lastops has quit IRC20:09
*** obedmr has joined #openstack-keystone20:09
*** toddnni has quit IRC20:11
*** toddnni has joined #openstack-keystone20:13
*** RichardR_ has joined #openstack-keystone20:19
*** toddnni_ has joined #openstack-keystone20:23
*** RichardR_ is now known as RichardRaseley20:23
*** HT_sergio has quit IRC20:24
*** toddnni has quit IRC20:26
*** toddnni_ is now known as toddnni20:26
*** ErickCharles has joined #openstack-keystone20:30
*** e0ne has quit IRC20:32
*** e0ne has joined #openstack-keystone20:33
*** mtecer has quit IRC20:33
*** comstud has joined #openstack-keystone20:37
*** e0ne has quit IRC20:41
*** gyee has joined #openstack-keystone20:46
*** ChanServ sets mode: +v gyee20:46
*** cinerama has joined #openstack-keystone20:51
*** josecastroleon1 has quit IRC20:53
*** josecastroleon has joined #openstack-keystone20:54
*** dguerri` is now known as dguerri20:55
*** spandhe has quit IRC21:00
*** gyee has quit IRC21:03
*** pnavarro has joined #openstack-keystone21:03
ErickCharlesHello everybody.  I'm new to Keystone, so I apologize if this is a dumb question.  I want to use Keystone as a more generalized service endpoint catalog for doing managed services.  For this, I'd like to be able to create custom types (this is the "interface" field in the database).  Is this advisable or worth pursuing?  Right now with the Keystone client, it looks like all I can do is specify an admin endpoint, an internal, and admin21:04
ErickCharles URL for a very specific service.  I'd like to map customers to services, and then have keystone keep track of their different endpoints that I need to create for them (like a vpn endpoint, a puppet master endpoint, etc...).21:04
*** diazjf has quit IRC21:05
ErickCharlesI get that it's not quite the model or intended use, but I might just also not be understanding how to do this with the software.  So, if it can't be done or shouldn't be done, I'm okay with that.21:05
morganfainbergErickCharles: so endpoints typically are subordinate to the Service construct21:06
*** edmondsw has quit IRC21:06
morganfainbergErickCharles: if you look we define a Service (aka in OpenStack land, "Compute"), then we define an endpoint for that service21:07
morganfainbergthe URL in the endpoint is specific to that endpoint21:07
morganfainbergwhereas the type is part of the service object21:07
morganfainbergthis is of course assuming the V3 API21:07
*** fangzhou has quit IRC21:07
morganfainbergErickCharles: and a service "type" is just a string21:09
morganfainbergbut (for example) the AdminURL or InternalURL etc are assumed to be part of the structure of an endpoint that is associated to the service object (think of a one service with many endpoints relationship)_21:09
morganfainbergand you can have as many services, each with as many endpoints as you'd like21:10
cineramahi folks21:10
cineramai was wondering if we could get a keystonemiddleware release that includes the recent requirements bump21:11
dstanekmorganfainberg: i think what's missing is a way to do catalogs based on the user and21:11
morganfainbergcinerama, I cannot release keystonemiddleware anymore.21:11
morganfainbergcinerama: we need to get dhellmann to do it.21:11
cineramamorganfainberg: well, i figured this would be the best place to ask :)21:12
morganfainbergcinerama: #openstack-relmgr-office21:12
morganfainberglets go there really quickly21:12
*** csoukup has quit IRC21:13
ErickCharlesdstanek:  I think that's what I'm actually trying to ask for now that you phrase it that way.  I need to map an endpoint catalog to a user or tenant, but it's not necessarily one service.  I can create a lot of services and do it, but then I'm duplicating a lot of work so that each customer has their own service for the same things as other tenants or users.21:15
dstanekErickCharles: right now users and services are orthogonal concepts21:16
ErickCharlesOkay, cool21:16
morganfainbergdstanek: but you could scope a user to a project... and filter the endpoints per project21:17
morganfainbergkeystonemiddleware 2.0 just went out21:20
morganfainbergFYI.21:20
dstanekmorganfainberg: that's an interesting thought21:20
bknudsoncongrats on 2.0!21:20
*** diazjf has joined #openstack-keystone21:21
*** ChanServ changes topic to "Review Specs and Code | Milestone 1 for Liberty is ~June 23 | MidCycle July 15, 16, 17 in Boston"21:21
dstanekwhen do we get a ksc 2.0?21:21
morganfainbergdstanek: when we move to Keystonauth21:21
morganfainbergdstanek: jamie is working on this.21:21
morganfainbergdstanek: we are also looking at dropping CLI in 2.021:22
bknudsonI'd like to get https://review.openstack.org/#/c/191511/ in place before a 2.021:22
dstanekk, i ask because there is a review to remove the middleware21:22
bknudsonif I can get time to work on it21:22
morganfainbergdstanek: yes middleare as well21:22
morganfainbergwe could branch for 2.0 work now21:22
morganfainbergor use jamie's feature branch21:22
morganfainbergthat he's using for KSA integration21:22
ErickCharlesThank you both :)21:22
*** pnavarro has quit IRC21:22
dstaneksamueldmq: does https://review.openstack.org/#/c/186765 rely on ayoung's work?21:23
*** openstackgerrit has quit IRC21:24
morganfainbergbknudson: likely we will also have a KSM 3.0 this cycle for when we move to keystoneauth21:24
*** openstackgerrit has joined #openstack-keystone21:24
*** spandhe has joined #openstack-keystone21:25
morganfainbergjamielennox|away: re https://review.openstack.org/#/c/192539 what parts are hard to use from KSC?21:33
morganfainbergjamielennox|away: also how are we going to break the dependency on oslo_config?21:34
*** fangzhou has joined #openstack-keystone21:36
*** bknudson has quit IRC21:37
*** Rockyg has quit IRC21:38
*** toddnni has quit IRC21:38
*** roxanaghe has quit IRC21:41
*** HT_sergio has joined #openstack-keystone21:41
*** toddnni has joined #openstack-keystone21:41
*** HT_sergio has quit IRC21:56
ayoungdstanek, I think we are going to do something slightly different21:59
dstanekayoung: related to that spec?21:59
ayounghttps://review.openstack.org/#/c/192422/21:59
ayoungso get and fetch a single policy by URL21:59
ayoungGET /OS-ENDPOINT-POLICY/endpoint?endpoint_url=<encodedURL>  won't be a list22:00
ayoungit will be the blob required instead22:00
openstackgerritMerged openstack/keystoneauth: Remove unused fixtures  https://review.openstack.org/19163522:00
openstackgerritMerged openstack/keystoneauth: Drop use of 'oslo' namespace package  https://review.openstack.org/19163622:01
openstackgerritMerged openstack/keystoneauth: Typo in openstack client help  https://review.openstack.org/19163722:01
openstackgerritMerged openstack/keystoneauth: Use random strings for test fixtures  https://review.openstack.org/19164522:01
*** thedodd has quit IRC22:01
openstackgerritMerged openstack/keystoneauth: Stop using function deprecated in Python 3  https://review.openstack.org/19164422:02
openstackgerritMerged openstack/keystoneauth: Cleanup fixture imports  https://review.openstack.org/19164322:02
openstackgerritMerged openstack/keystoneauth: Ensure that failing responses are logged  https://review.openstack.org/19163822:02
openstackgerritMerged openstack/keystoneauth: Removes temporary fix for doc generation  https://review.openstack.org/19163322:02
*** kr4zy has quit IRC22:07
openstackgerritMerged openstack/keystoneauth: Remove functional tests from tox  https://review.openstack.org/19163422:08
*** sigmavirus24 is now known as sigmavirus24_awa22:08
*** diazjf has quit IRC22:08
*** spandhe has quit IRC22:11
*** spandhe has joined #openstack-keystone22:14
openstackgerritMerged openstack/keystoneauth: Remove _get_service_endpoints function  https://review.openstack.org/19165922:23
openstackgerritMerged openstack/keystoneauth: Make _is_endpoint_type_match function public  https://review.openstack.org/19167022:23
openstackgerritMerged openstack/keystoneauth: Make normalize_endpoint_type public  https://review.openstack.org/19167222:24
*** dims has quit IRC22:26
openstackgerritMerged openstack/keystoneauth: Provide a means to get all installed plugins  https://review.openstack.org/19164222:30
*** HT_sergio has joined #openstack-keystone22:34
*** dguerri is now known as dguerri`22:34
*** obedmr has quit IRC22:40
*** zzzeek has quit IRC22:44
*** jasondotstar has joined #openstack-keystone22:45
*** josecastroleon has quit IRC22:47
*** josecastroleon has joined #openstack-keystone22:48
*** Ephur has quit IRC22:53
*** sigmavirus24_awa is now known as sigmavirus2422:55
*** sigmavirus24 is now known as sigmavirus24_awa22:56
*** lhcheng has quit IRC22:59
openstackgerritMerged openstack/keystonemiddleware: Common base class for unit tests  https://review.openstack.org/18777023:00
openstackgerritMerged openstack/keystonemiddleware: Unit tests catch deprecated function usage  https://review.openstack.org/18777523:01
openstackgerritMerged openstack/keystonemiddleware: Move bandit requirement to test-requirements.txt  https://review.openstack.org/18822723:01
*** gyee has joined #openstack-keystone23:01
*** ChanServ sets mode: +v gyee23:01
*** lhcheng has joined #openstack-keystone23:01
*** ChanServ sets mode: +v lhcheng23:01
*** lhcheng has quit IRC23:02
*** lhcheng has joined #openstack-keystone23:02
*** ChanServ sets mode: +v lhcheng23:02
*** ErickCharles has quit IRC23:12
*** ErickCharles has joined #openstack-keystone23:13
kfox1111ok... so... if the unscoped catalog is a no go....23:18
kfox1111how do I give a vm an unscoped token, and enough information so it can contact keystone, get a scoped one (maybe nova gives it a dummy project), and then use that to contact barbican?23:19
kfox1111or do I start adding scopeing stuff to the nova metadata api so that nova can contact keystone and get the right token with only one call to keystone?23:19
kfox1111will using a project scoped token to fetch a new one through a trust ever be disallowed?23:21
*** HT_sergio has quit IRC23:24
*** dims has joined #openstack-keystone23:24
*** ErickCharles has quit IRC23:24
*** zzzeek has joined #openstack-keystone23:25
kfox1111if it will always be allowed, we could just have nova hand back nova project scoped tokens and then the vm can get trusts back for talking to things that don't support acl's.23:26
*** dims has quit IRC23:28
*** dims has joined #openstack-keystone23:28
*** dims has quit IRC23:33
notmynameis cyril roelandt around in here? I don't know his IRC nick (if any)23:35
*** chlong has joined #openstack-keystone23:38
dstaneknotmyname: there doesn't seem to be an irc nick list on cyril's launchpad profile. maybe not an irc user?23:46
*** roxanaghe has joined #openstack-keystone23:49
*** vilobhmm has joined #openstack-keystone23:51
*** RichardRaseley has quit IRC23:52
notmynamedstanek: ok. he's got an enovance email, so I assume he's asleep23:56
notmynameI'm looking for progress on https://review.openstack.org/#/c/179777/23:56
notmynamefirst step will be to resolve the merge conflict23:56
notmyname(I've got a customer who is hit by that bug)23:56
« Tuesday, 2015-06-16 Index Thursday, 2015-06-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!