Tuesday, 2015-07-07

00:01 *** annasort has quit IRC
00:01 *** dims has joined #openstack-keystone
00:07 <openstackgerrit> Merged openstack/keystone: Add unit test for fernet provider  https://review.openstack.org/197649
00:08 *** chlong has quit IRC
00:09 *** piyanai has quit IRC
00:09 <openstackgerrit> Merged openstack/keystone: Update federation docstring  https://review.openstack.org/198872
00:11 *** _cjones_ has quit IRC
00:11 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/196485
00:12 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/196485
00:12 *** TheIntern has quit IRC
00:12 *** dramakri has quit IRC
00:13 *** r-daneel has quit IRC
00:15 *** annasort has joined #openstack-keystone
00:20 *** dramakri has joined #openstack-keystone
00:21 *** dramakri has left #openstack-keystone
00:21 *** dramakri has quit IRC
00:32 *** btully has joined #openstack-keystone
00:35 *** zzzeek has quit IRC
00:39 *** tqtran has quit IRC
00:43 *** ankita_wagh has quit IRC
00:50 *** dims has quit IRC
00:52 *** lhcheng has quit IRC
00:55 <openstackgerrit> Brant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/198931
00:58 *** dims has joined #openstack-keystone
01:01 *** woodster_ has quit IRC
01:06 *** fangzhou_ has joined #openstack-keystone
01:07 <openstackgerrit> Merged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/197277
01:07 *** fangzhou has quit IRC
01:07 *** fangzhou_ is now known as fangzhou
01:12 *** ankita_wagh has joined #openstack-keystone
01:13 *** gyee has quit IRC
01:16 *** piyanai has joined #openstack-keystone
01:30 *** chlong has joined #openstack-keystone
01:33 *** shaleh_ has joined #openstack-keystone
01:34 *** davechen1 has joined #openstack-keystone
01:36 *** shaleh has quit IRC
01:40 <openstackgerrit> Dave Chen proposed openstack/keystone: Fix the invalid testcase  https://review.openstack.org/198629
01:41 *** stevemar has joined #openstack-keystone
01:43 <openstackgerrit> Dave Chen proposed openstack/keystone: Fix the invalid testcase  https://review.openstack.org/198629
01:44 *** davechen has joined #openstack-keystone
01:45 *** davechen2 has joined #openstack-keystone
01:46 *** davechen1 has quit IRC
01:48 *** davechen has quit IRC
01:53 *** btully has quit IRC
01:53 *** ankita_wagh has quit IRC
01:54 *** ankita_wagh has joined #openstack-keystone
01:56 *** davechen has joined #openstack-keystone
01:57 *** davechen2 has quit IRC
01:58 *** ajayaa has joined #openstack-keystone
02:04 *** fangzhou has quit IRC
02:11 *** lhcheng has joined #openstack-keystone
02:11 *** ChanServ sets mode: +v lhcheng
02:13 *** shaleh_ has quit IRC
02:28 *** hrou has joined #openstack-keystone
02:33 *** richm has quit IRC
02:35 *** chenhong has joined #openstack-keystone
02:40 *** lhcheng has quit IRC
02:51 *** iamjarvo has joined #openstack-keystone
02:54 *** stevemar has quit IRC
02:54 *** hakimo has quit IRC
02:54 *** stevemar has joined #openstack-keystone
02:55 *** hakimo has joined #openstack-keystone
02:58 *** ankita_wagh has quit IRC
03:01 *** iamjarvo has quit IRC
03:08 *** dikonoor has joined #openstack-keystone
03:38 *** jkomg has joined #openstack-keystone
03:39 *** dims has quit IRC
03:42 *** piyanai has quit IRC
03:43 *** piyanai has joined #openstack-keystone
03:43 *** piyanai has quit IRC
03:44 *** piyanai has joined #openstack-keystone
03:48 *** ankita_wagh has joined #openstack-keystone
03:48 *** piyanai has quit IRC
03:50 *** ankita_wagh has joined #openstack-keystone
04:00 *** ankita_w_ has joined #openstack-keystone
04:04 *** ankita_wagh has quit IRC
04:07 *** davechen has quit IRC
04:07 *** davechen has joined #openstack-keystone
04:11 *** davechen1 has joined #openstack-keystone
04:12 *** btully has joined #openstack-keystone
04:13 *** davechen has quit IRC
04:16 *** chenhong has quit IRC
04:17 *** davechen1 is now known as davechen
04:22 *** davechen2 has joined #openstack-keystone
04:23 *** davechen has quit IRC
04:24 *** ankita_w_ has quit IRC
04:33 *** jkomg has quit IRC
04:34 *** ankita_wagh has joined #openstack-keystone
04:40 *** dims has joined #openstack-keystone
04:41 *** lhcheng has joined #openstack-keystone
04:41 *** ChanServ sets mode: +v lhcheng
04:41 *** dims_ has joined #openstack-keystone
04:43 *** _cjones_ has joined #openstack-keystone
04:45 *** dims has quit IRC
04:46 *** dims_ has quit IRC
04:47 *** ajayaa has quit IRC
04:56 *** _cjones_ has quit IRC
04:57 *** _cjones_ has joined #openstack-keystone
05:17 <openstackgerrit> Merged openstack/keystone: Updating sample configuration file  https://review.openstack.org/196485
05:22 *** e0ne has joined #openstack-keystone
05:24 <openstackgerrit> Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain.  https://review.openstack.org/196942
05:28 *** ajayaa has joined #openstack-keystone
05:32 *** ankita_wagh has quit IRC
05:33 *** ankita_wagh has joined #openstack-keystone
05:36 *** iamjarvo has joined #openstack-keystone
05:37 *** iamjarvo has quit IRC
05:37 *** iamjarvo has joined #openstack-keystone
05:41 *** ankita_wagh has quit IRC
05:42 *** henrynash has joined #openstack-keystone
05:42 *** ChanServ sets mode: +v henrynash
05:44 *** e0ne has quit IRC
05:45 *** Trozz_ has left #openstack-keystone
05:47 *** henrynash has quit IRC
05:51 *** ig0r_ has joined #openstack-keystone
05:53 *** mabrams has joined #openstack-keystone
05:54 *** _hrou_ has joined #openstack-keystone
05:55 *** lhcheng has quit IRC
05:55 *** ig0r__ has quit IRC
05:57 *** hrou has quit IRC
05:59 <marekd> lbragstad: sorry, i was already at home (and not monitoring this time). What's up?
06:02 *** kiran-r has joined #openstack-keystone
06:02 <marekd> jamielennox: hey
06:03 <jamielennox> marekd: hey
06:04 <marekd> jamielennox: do you happen to understand syntax like in the branch line in https://review.openstack.org/#/c/190631/3/zuul/layout.yaml ?
06:04 <marekd> i must confess i was blindly following your patches without understanding it more deeply.
06:05 <marekd> and apparently some 'problems' arose.
06:06 <jamielennox> marekd: i think you just want voting: false there
06:06 <marekd> jamielennox: hm?
06:06 <jamielennox> so the branch syntax is saying ignore this for a specific branch
06:07 <jamielennox> so in mine, i want to run it so long as it's not the keystoneauth_integration branch
06:07 <jamielennox> it's a regexp, there is a reason it's written in such a complicated way but i can't remember what it is
06:07 <marekd> it looks kind of regexpy but definitely not a regexp i know and understand :-)
06:08 <marekd> so it says don't run the gate-keystoneauth-saml2-requirements job against the master branch?
06:08 <jamielennox> in this case, because you want to disable it for a while, if you just say voting: false (there are examples of this elsewhere in the file) then it will make it a check-only job for all branches
06:08 <jamielennox> i think it's a lookahead in regexp
06:09 <jamielennox> ^$ are anchors, start line, end line
06:09 <jamielennox> (?  ) is an optional group i think
06:09 <jamielennox> then !master is anything but master
06:09 <marekd> yep
06:10 <jamielennox> so i'm thinking your syntax is right, just unnecessary in this case because you want to disable it for all branches
06:10 *** _hrou_ has quit IRC
06:10 <marekd> i think you made it disabled due to ksa not being released yet for a feature keystoneauth_integration - where did you mark certain patches as being under that 'feature' tag?
06:11 <jamielennox> tag? it's a branch
06:11 <marekd> aha
06:13 <jamielennox> marekd: i filed bug 1472060 which is me ranting about websso
06:13 <openstack> bug 1472060 in Keystone "websso callback is in the wrong place" [Undecided,New] https://launchpad.net/bugs/1472060
06:13 <jamielennox> i don't understand why it's not related to an IDP
06:15 *** henrynash has joined #openstack-keystone
06:15 *** ChanServ sets mode: +v henrynash
06:18 <marekd> jamielennox: let me check
06:23 <marekd> jamielennox: let me respond in the bug comment.
06:25 *** _cjones_ has quit IRC
06:29 *** henrynash has quit IRC
06:37 *** joe1_ has quit IRC
06:43 *** belmoreira has joined #openstack-keystone
06:43 *** fifieldt has joined #openstack-keystone
06:50 *** afazekas has joined #openstack-keystone
06:54 *** btully has quit IRC
06:56 *** annasort has quit IRC
06:56 *** lufix has joined #openstack-keystone
06:57 *** e0ne has joined #openstack-keystone
06:57 *** fhubik has joined #openstack-keystone
06:59 *** stevemar has quit IRC
07:00 *** stevemar has joined #openstack-keystone
07:04 *** e0ne has quit IRC
07:10 <jamielennox> marekd: will two saml providers with websso work with our current setup?
07:11 <marekd> yes, why wouldn't they?
07:11 *** stevemar has quit IRC
07:12 *** iamjarvo has quit IRC
07:15 <openstackgerrit> Chenhong Liu proposed openstack/keystone: Delete extra parentheses in assertEqual message  https://review.openstack.org/198990
07:15 <jamielennox> marekd: i put a reply on that bug
07:16 <jamielennox> marekd: so in setups i've seen you need to specify that the /websso path is protected by mellon/shib. This triggers the browser to be sent off to the idp found in the metadata
07:17 <jamielennox> if you had two saml providers then how does httpd know which idp this should be redirected to
07:18 <jamielennox> marekd: for example this is a template i'm working off: https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-federation-setup/vm-post-cloud-init-rdo.sh#L82
07:19 <jamielennox> that /v3/auth/OS-FEDERATION/websso/saml2 is protected by one idp defined by all those metadata and certs above. How would you have it protected by a different one?
07:26 *** belmoreira has quit IRC
07:28 <marekd> jamielennox: sorry, i am running between meetings and so on.
07:28 <jamielennox> marekd: that's ok, i'm about to finish as well
07:28 <jamielennox> i've just been banging my head against federation all day and i'm just not sure why websso is different in this sense
07:29 <marekd> jamielennox: so in the normal WebSSO use case, when a browser hits a protected url and there is more than 1 IdP defined, a user is usually redirected to a Discovery Service where he chooses an IdP of his choice
07:30 <marekd> jamielennox: if you want an example go to openstack.cern.ch . you will be redirected to OUR IdP website, but you will also be able to choose from a dropdown box a list of other federated IdPs you can use.
07:33 <marekd> jamielennox: i can risk that we could possibly use a link without an idp specified in the url but it's likely that clients would still need to know the IdP's address
07:33 <marekd> IdP URL
07:33 *** browne has quit IRC
07:34 <jamielennox> marekd: are all those idps set up as individual IDPs in keystone
07:34 <jamielennox> like each with a unique idp_id?
07:35 *** fhubik is now known as fhubik_afk
07:35 <marekd> idp_id is a user defined name, that's one.
07:35 <jamielennox> like /OS-FEDERATION/identity_provider/{idp_id}/...
07:36 <marekd> you can create one IdP and put multiple remote_ids in there and this object can serve for multiple real IdPs if you wish to, for instance, share a mapping between them (because you are in one federation).
07:36 <jamielennox> ok, so you are proxying that a whole bunch of actual IDPs are going through the same keystone IDP
07:36 *** e0ne has joined #openstack-keystone
07:37 <marekd> jamielennox: what really matters is a mapping - note the keystone idp is just an instance with almost no data in there.
07:37 *** jistr has joined #openstack-keystone
07:37 <jamielennox> in which case i think i am still right because this should still be going through /identity_provider/{idp_id}/protocol/saml/websso
07:38 <jamielennox> it's just that you use one idp_id as a proxy to a bunch of real idps
07:38 <jamielennox> marekd: my problem with this is that there are now two ways to define the relationship
07:38 <marekd> jamielennox: how come?
07:39 <jamielennox> you need to define identity_provider/{id}/protocol/{id} and then you need to define protocol + remote_id -> idp_id
07:39 <jamielennox> i have no objection to remote_ids on identity_provider so that in your case you can check that the response is from a known place
07:40 <jamielennox> but i think in general that the websso response should be tied to a keystone idp_id
07:40 <jamielennox> because remote_ids is not just a security feature at the moment, if you don't set up remote_ids then you can't use websso
07:41 <marekd> jamielennox: that's true, but not setting remote_id will expose you to a serious security risk.
07:41 <jamielennox> marekd: how?
07:42 *** lhcheng has joined #openstack-keystone
07:42 *** ChanServ sets mode: +v lhcheng
07:42 <jamielennox> assertions should be validated against the signatures in the metadata files
07:42 <jamielennox> if you use an invalid assertion it should never make it past the first step
07:43 *** dims has joined #openstack-keystone
07:43 *** btully has joined #openstack-keystone
07:44 <marekd> Ok, I work for Pepsi, you for Cola, our companies have federated access to HP public cloud. Imagine there is no remote_id configured. Now, we are both softengs in our companies, and somehow the mapping for Pepsi and Cola says "if the guy is softeng give him access to group ENGINEERING" <- this is of course per company. Now, I want to steal your code, so I, working for Cola say: /v3/OS-FEDERATION/identity_providers/PEPSI/protocols/saml2/auth -> however i
07:45 <marekd> oops, i flipped companies - let's say I work for Cola, you for Pepsi.
07:45 <jamielennox> i get it
07:45 <jamielennox> why wouldn't mellon or shib say this assertion is not signed by the idp registered in this location - reject
07:46 <marekd> the problem is that keystone must be aware of who issues the assertion, and can validate it only via remote_id which is a part of an assertion.
07:46 <jamielennox> why? i don't think this should ever get to keystone, shib/mellon should reject assertions not signed by the expected idp
07:46 <marekd> jamielennox: you could also do this, and nkinder stated this when we discussed this, but afair the problem is every change needs a mellon configuration reload and this is somewhat inconvenient as opposed to an api call.
07:47 *** abhishekk has joined #openstack-keystone
07:47 <jamielennox> i think that's a separate issue as you are still going to need to configure metadata files etc in httpd settings
07:48 *** AYs has joined #openstack-keystone
07:48 <marekd> also, can you configure multiple IdPs per <Location> ?
07:48 <marekd> this is also a use-case.
07:48 *** btully has quit IRC
07:48 *** dims has quit IRC
07:48 <jamielennox> marekd: no - i don't think you can
07:48 <jamielennox> which is why i'm not sure if i can have multiple saml providers now
07:49 <jamielennox> but i think this is a side effect of the websso problem
07:49 <marekd> jamielennox: so, that's also a kind of problem - i had a request from some users saying: i have federations with 100s of users, and you want me to make up names for those 100s of IdPs in keystone?
07:49 <jamielennox> if the route was /identity_providers/{id}/protocol/saml/websso then you wouldn't have overlapping Locations
07:49 <marekd> ah, and they all shared the same mapping.
07:50 <jamielennox> marekd: that's fine, you are already doing that by having your proxy idp that handles everything
07:50 <jamielennox> because that's what your mapping is associated with
07:50 <jamielennox> that should still exist per idp_id
07:50 <marekd> jamielennox: and i want to be able to handle 100 IdPs (explicitly specified) not all of them.
07:51 *** amirosh has joined #openstack-keystone
07:51 <jamielennox> again, i don't have a problem with the remote_ids as a security feature for that proxying case. I just don't think i should need it for the simple websso case
07:51 <marekd> jamielennox: i honestly don't think {idp_id} should be specified in the websso url - look how other websso are being done - you enter a website, say jamielennox.net and then a popup shows: login with google, login with facebook, login with redhat
07:52 <jamielennox> and also i think that could be handled by "here are all the certificates that are allowed to sign assertions for this url"
07:52 <marekd> it's a single entry point
07:52 <jamielennox> marekd: no it's not
07:52 <jamielennox> you just listed 3
07:52 <jamielennox> google, facebook, redhat
07:53 <marekd> yes, but i didn't have to go to jamielennox.net/google/auth to authenticate via Google IdP.
07:53 <jamielennox> well you did, it was just hidden by the button you pressed
07:53 <jamielennox> in the same way that you have a drop down on horizon
07:53 <jamielennox> you could have them all there as separate options
07:53 <jamielennox> at some point the user has to pick an idp and the URLs will be different
07:54 <jamielennox> the mappings will be different
07:55 *** jaosorior has joined #openstack-keystone
07:55 <jamielennox> i think that's proving my point - having those three idps that contain different mappings all coming back to the same /websso endpoint is crazy - you want to return to the websso point for that idp
07:58 <breton> morning
07:58 <marekd> jamielennox: hm.
07:58 <marekd> jamielennox: is it somehow complicating any work you are doing or does it just feel wrong?
07:59 <marekd> jamielennox: in fact i liked the idea of a 'single entrypoint' and would probably prefer to have it for CLI as well.
07:59 <jamielennox> marekd: right, from memory you were anti having idp_id in the url at all
08:00 <jamielennox> marekd: it feels wrong because we are establishing two relationships between the same concepts. It also means i don't know how i would run two saml protected endpoints on the same websso machine
08:00 <jamielennox> because if you look at https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-federation-setup/vm-post-cloud-init-rdo.sh#L109
08:00 <marekd> jamielennox: we could probably satisfy websso with idp/protocol in the url - it's a matter of a patch recognizing http headers
08:01 <jamielennox> that whole /v3 route is protected by one mellon instance
08:01 *** e0ne is now known as e0ne_
08:01 <marekd> which is probably wrong
08:01 <jamielennox> and it's purely because it's shared between the ipsilon provider and websso, if it was /identity_provider/{id}/protocol/{id}/websso then it would be a single entry and i could easily have different providers side by side
08:02 *** amirosh has quit IRC
08:02 *** fhubik_afk is now known as fhubik
08:02 <marekd> so why not protect /OS-FEDERATION/websso/saml2 only ?
08:02 <jamielennox> marekd: i'm doing this because i'm presenting on it at the end of the month and the story is off
08:03 <marekd> and install a DS like https://wiki.shibboleth.net/confluence/display/EDS10/2.+Installation
08:03 *** e0ne_ is now known as e0ne
08:03 <jamielennox> marekd: say i had two idps, idp_A and idp_B which were both saml
08:03 <jamielennox> which would i use to protect /websso/saml2?
08:03 <marekd> configure /websso/saml2 to redirect to a Discovery Service
08:04 <marekd> the user is redirected to this kind of popup "login with {Google, Facebook, RedHat}"
08:04 <jamielennox> that is very much relying on a feature of shibboleth
08:05 <jamielennox> why isn't horizon my discovery service?
08:05 <marekd> this is an example, http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
08:05 <marekd> DS is more like a concept around the protocol.
08:06 <marekd> maybe mellon is missing that, but i think mellon is still missing some other features
08:06 <jamielennox> ok, so this is the first time i'm seeing a discovery service as a separate concept
08:06 <jamielennox> like something you would do in addition to what horizon is already doing by offering you multiple idp choices
08:07 <marekd> jamielennox: i see your point, the battle over whether horizon should have it or not has been live for a longer time.
08:08 <jamielennox> marekd: so i guess my point is that in your proxy example the /identity_providers/{id}/protocol/saml2/websso should be the discovery path, not /websso
08:08 <marekd> so, users start with typing /identity_providers/{id}/protocol/saml2/websso ?
08:09 <jamielennox> if your single keystone IDP id represents many real idps then that should be an idp specific thing
08:09 <jamielennox> users never type that, they never type the /websso url either - that's all horizon config
08:11 <jamielennox> as it sits now i can't run two saml providers on the same system without this discovery service
08:11 <jamielennox> and in my fairly simple case i just want to hardcode some options into horizon and i can't
08:12 *** stevemar has joined #openstack-keystone
08:12 <marekd> jamielennox: I'd say DS is a standard way for more than one IdP and probably more popular than url per IdP.
08:13 *** chlong has quit IRC
08:14 <jamielennox> i'll play with the mellon discovery service, it will at least mean i don't need to protect the entire /v3 location with mellon
08:14 <marekd> jamielennox: if you really want this - let's propose a change, where depending on http headers keystone will respond with either the standard websso workflow or with the ecp one.
08:15 <jamielennox> marekd: i don't think it's a headers thing, ECP uses /auth and websso would be /websso
08:15 <jamielennox> they should live side by side
08:15 <marekd> maybe.
08:16 *** stevemar has quit IRC
08:16 <marekd> part of the problem here is that we are mixing some functionalities here - we would like keystone to be protocol agnostic (apache handles all the protocol details) but keystone will handle DS.
08:17 <jamielennox> marekd: i don't think keystone should handle discovery
08:17 <jamielennox> not websso style discovery
08:17 <jamielennox> but anyway
08:17 <marekd> jamielennox: if horizon will be able to query keystone for available idps and build dynamic links idp/{idp}/protocol/saml2/websso, to me it's kind of handling discovery
08:18 <jamielennox> marekd: i thought we decided against that? being able to query keystone for idps
08:18 <jamielennox> this was why i was saying that the choices would be hard coded into horizon config
08:18 <jamielennox> ideally later you could configure the horizon config via horizon
08:19 <marekd> jamielennox: uh, oh, so, imagine you have multiple horizons and suddenly you remove one IdP and then what - an email "hey, please remove this IdP from your choices" ?
08:20 <jamielennox> marekd: how is this different to doing it in keystone?
08:20 <jamielennox> you still need to remove the idp from the discovery somehow
08:20 <marekd> jamielennox: not if you control that DS
08:20 <marekd> sorry,
08:21 <marekd> yes, you still do, but you do this once, in your service
08:21 <jamielennox> what does controlling a DS involve? how is it different to querying keystone for IDPs
08:22 *** amaretskiy has joined #openstack-keystone
08:22 <marekd> querying keystone for IDPs would be automated here, because you remove the IdP from Keystone and next time all horizons don't see that IdP. I was referring to having hardcoded choices in clients' horizons
08:22 <marekd> keystone is yours, horizons are not.
08:22 *** _cjones_ has joined #openstack-keystone
08:23 <marekd> if, on the other hand, you control the DS, you can remove it from the DS as well as Keystone without these out of band "please remove" e-mails or tickets.
08:23 *** fhubik is now known as fhubik_afk
08:23 <marekd> i still hope we will one day mature enough to say let's make Keystone a 1st class SP and we will handle all that stuff in Keystone
08:23 <marekd> i really hate configuring SAML w/ Apache
08:24 <marekd> no matter whether it is mellon or shibboleth.
08:25 <jamielennox> marekd: so i think the discovery service only makes sense when you have a proxying idp
08:25 <jamielennox> if you are adding/removing lots then that makes sense
08:25 <jamielennox> i don't think adding/removing keystone IDPs is common enough there
08:25 *** fhubik_afk is now known as fhubik
08:25 <marekd> btw, are you attending the meetup next week ?
08:26 <jamielennox> marekd: mellon does have discovery https://github.com/UNINETT/mod_auth_mellon/blob/master/README#L444 i haven't seen how to use it yet
08:26 <jamielennox> marekd: no
08:26 <marekd> jamielennox: too bad.
08:26 <jamielennox> yea
08:26 <jamielennox> would be good
08:27 <marekd> :(
08:27 <marekd> we would drag others' attention
08:27 <marekd> and maybe have some bigger decisions
08:27 <jamielennox> hopefully they'll do some VOIP or video links
08:27 <marekd> however, i doubt keystone will ever become a 1st class SP given the nature of the project.
08:28 <jamielennox> anyway - it's in the kilo release so it's not getting changed any time soon
08:28 <jamielennox> i'll have a look and see if i can fix my issue with discovery
08:29 <jamielennox> i'm done for the day though
08:29 <marekd> btw, i will be on holiday until next monday, so i may not respond here, e-mails would be a much better way of communication.
08:29 <jamielennox> marekd: thanks for arguing :)
08:29 <jamielennox> marekd: no worries
08:29 <marekd> jamielennox: always a pleasure, especially given that you always have lots of valid points :-)
08:30 <jamielennox> marekd: i always discover these things when i have to do my once a year federation presentation
08:30 <jamielennox> never early enough to catch them in spec time
08:31 <marekd> we made some mistakes with saml, but i am not convinced websso is not one of them :-)
08:31 <marekd> anyway, need to run too!
08:31 <marekd> cheers!
08:31 <jamielennox> cya
08:36 *** henrynash has joined #openstack-keystone
08:36 *** ChanServ sets mode: +v henrynash
08:42 *** lhcheng has quit IRC
08:57 *** _cjones_ has quit IRC
08:59 *** fhubik has quit IRC
09:05 *** krykowski has joined #openstack-keystone
09:11 *** e0ne is now known as e0ne_
09:22 *** boris-42 has quit IRC
09:24 *** e0ne_ is now known as e0ne
09:32 *** btully has joined #openstack-keystone
09:32 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/197254
09:32 *** henrynash has quit IRC
09:36 *** btully has quit IRC
09:38 *** fhubik has joined #openstack-keystone
09:44 *** dims has joined #openstack-keystone
09:45 *** dims_ has joined #openstack-keystone
09:46 *** dims__ has joined #openstack-keystone
09:47 <odyssey4me> marekd jamielennox Shibboleth has an Embedded Discovery Service which is really just a set of css/js files: https://wiki.shibboleth.net/confluence/display/EDS10/2.+Installation
09:47 <odyssey4me> Ideally that should actually be used as a base to have an embedded DS in Horizon/Keystone for Federation SPs
09:48 *** dims has quit IRC
09:48 <jamielennox> odyssey4me: when you are using one keystone idp to represent a bunch of real idps with the same mapping i agree
09:48 <jamielennox> that seems to be the cern case
09:49 <odyssey4me> jamielennox erm, no - that would be a case for an enterprise discovery service
09:49 <odyssey4me> each SP may have multiple IDPs
09:49 <odyssey4me> that's the use case for an embedded DS
09:50 *** dims_ has quit IRC
09:50 <odyssey4me> so in the case you're describing where you have two saml IDPs for an SP, if you had an embedded DS then you wouldn't have any issues - you could present the choice to the end-user through horizon
09:50 *** dims__ has quit IRC
09:51 *** fhubik is now known as fhubik_afk
09:51 <odyssey4me> I unfortunately haven't had the time to get that working in some sort of prototype, but it is something I'd like to see happen and will possibly give that a go some time
09:52 <jamielennox> yep, i understand that, but horizon already has a drop down of WEBSSO sources for identity
09:52 <jamielennox> and at the moment i can't link to individual idps
09:53 <odyssey4me> jamielennox yep, for the moment it appears that the use-case was built largely around one IDP per SSO type
09:53 <jamielennox> i also need to check the mod_auth_mellon support for discovery
09:53 <odyssey4me> jamielennox discovery just parses the metadata for the appropriate endpoints and names as I recall (it's been a while since I looked in detail)
09:54 <odyssey4me> all it needs to determine is the entityID
09:54 <jamielennox> odyssey4me: so actually my problem with the whole thing is that there are multiple ways you have to configure things, you need to associate idp -> protocol, then in the websso route you need to configure based on idp url
09:54 *** fhubik_afk is now known as fhubik
09:55 <jamielennox> so here's a scenario
09:55 <jamielennox> i deploy a horizon that is limited to one domain on top of a shared openstack
09:55 *** davechen2 has left #openstack-keystone
09:56 <jamielennox> this would be how you set up something like a coke front end on a multi-tenant cloud
09:56 <odyssey4me> it might be nice if Horizon's WEBSSO_CHOICES could include the protocol, a friendly name, and optionally the IDP name? that might be a simple way of providing the option of multiple IDPs to end-users?
09:56 <jamielennox> i want to limit the horizon login to just the coke idp
09:56 <jamielennox> i don't have that choice at the moment, i have to send users to the shared /websso route
09:57 <jamielennox> odyssey4me: it already contains the protocol
09:57 <jamielennox> so ideally i'd like to add a /websso route to the identity_providers/{id}/protocol/saml/ location
09:58 <jamielennox> if you provide an idp_id to django_openstack_auth then it uses that route, if you don't it uses the shared /websso/saml route
09:58 <odyssey4me> jamielennox yep, that sounds sensible - it won't be dynamic, but it will provide more options
09:58 <jamielennox> there's no reason that identity_providers/{id}/protocol/saml/websso can't be a discovery service
09:58 <jamielennox> that's what marekd's case is
09:59 <jamielennox> where he has 100s of idps that all use the exact same mapping so he wants to accept assertions from any of those as valid for that keystone idp
10:00 <jamielennox> anyway - i think those two things can exist side by side
10:00 <odyssey4me> jamielennox I agree
10:04 *** fhubik is now known as fhubik_afk
10:06 *** fhubik_afk is now known as fhubik
10:06 *** fhubik is now known as fhubik_afk
10:07 *** piyanai has joined #openstack-keystone
10:07 *** e0ne is now known as e0ne_
10:21 *** e0ne_ is now known as e0ne
10:30 *** viktors|afk is now known as viktors
10:40 *** ericksonsantos has joined #openstack-keystone
10:43 *** AYs has quit IRC
10:45 *** radez is now known as radez_g0n3
10:46 *** dims has joined #openstack-keystone
10:47 *** iamjarvo has joined #openstack-keystone
10:51 *** dims has quit IRC
10:52 *** iamjarvo has quit IRC
11:25 *** e0ne is now known as e0ne_
11:30 <samueldmq> morning
11:45 *** e0ne_ is now known as e0ne
11:47 *** fhubik_afk is now known as fhubik
11:50 *** stevemar has joined #openstack-keystone
11:50 <samueldmq> ayoung: morning
11:51 <samueldmq> ayoung: I had a thought on 'how to identify the endpoint' at middleware, get the policy, etc
11:53 <samueldmq> do we really need different endpoint entities to represent different URLs/interfaces of the same endpoint ?
11:53 <samueldmq> maybe the answer is in the question above ...
11:54 *** stevemar has quit IRC
11:55 <ayoung> samueldmq, I'm not really in work mode, still have to drop off a kid, but..fire away
11:55 <samueldmq> ayoung: there we go .. :)
11:55 <samueldmq> ayoung: what if we had a single endpoint entity (owning multiple interfaces/URLs)
11:55 <samueldmq> ayoung: that implies a single endpoint_id
11:56 <samueldmq> ayoung: if we have a custom id/label for that endpoint entity, we use that in middleware to say 'this is what I am'
11:56 <samueldmq> ayoung: that's all the thing I was thinking .. :)
11:57 <ayoung> samueldmq, so, I think we are overdoing this.  The URL is a label of sorts.  We have sufficient granularity with that for practical purposes
11:57 <ayoung> we can say that multiple URLs that have the same endpoint_id will all get the same policy
11:57 <ayoung> good enough
11:57 <ayoung> samueldmq, I'm putting together a presentation on the rest of Dyn Pol.  Rough draft is already 30+ dense pages
11:57 <samueldmq> ayoung: I think that's the opposite .. in your sentence above :)
11:58 <samueldmq> ayoung: oh lol
11:58 <ayoung> right now, I'm not even sure if the rest of the world accepts that we should fetch policy at all, vs Puppet
11:58 <samueldmq> ayoung: is that for the midcycle ?
11:58 <ayoung> yeah
11:58 <ayoung> samueldmq, I'll send you a copy when it is ~90% finished
11:58 <samueldmq> ayoung: so that will cover the whole midcycle :-)
11:58 <ayoung> heh
11:58 <samueldmq> ayoung: sure, please do :)
11:59 <samueldmq> ayoung: popcorn and soda ... watch adam's midcycle dude
11:59 <ayoung> should be no surprises in it, but trying to lay it out clearly, rationale, and sequence
11:59 <samueldmq> ayoung: ++
11:59 *** markvoelker has quit IRC
11:59 <ayoung> samueldmq, OK...I'll be back in about an hour
11:59 *** markvoelker has joined #openstack-keystone
11:59 <samueldmq> ayoung: go :) o/
12:02 *** dims has joined #openstack-keystone
12:02 *** dtantsur has joined #openstack-keystone
12:02 *** gordc has joined #openstack-keystone
12:03 *** bknudson has quit IRC
12:03 <dtantsur> hey folks! could you please make a release of keystonemiddleware?
12:03 <dtantsur> released requirements contain an old cap on pbr, which makes devstack downgrade pbr to 0.11 and fail
*** chlong has joined #openstack-keystone12:05
*** kiran-r has quit IRC12:06
*** dims has quit IRC12:07
*** ajayaa has quit IRC12:15
*** browne has joined #openstack-keystone12:18
*** piyanai has quit IRC12:20
*** fhubik is now known as fhubik_afk12:25
*** bknudson has joined #openstack-keystone12:27
*** ChanServ sets mode: +v bknudson12:27
*** ajayaa has joined #openstack-keystone12:31
*** markvoelker has quit IRC12:31
*** fhubik_afk is now known as fhubik12:33
*** edmondsw has joined #openstack-keystone12:38
*** tjcocozz has joined #openstack-keystone12:39
*** dguerri` is now known as dguerri12:39
*** markvoelker has joined #openstack-keystone12:40
*** fhubik is now known as fhubik_afk12:43
*** krykowski has quit IRC12:59
*** krykowski_ has joined #openstack-keystone12:59
*** browne has quit IRC13:10
*** jsavak has joined #openstack-keystone13:11
*** hrou has joined #openstack-keystone13:12
*** fhubik_afk is now known as fhubik13:12
*** _hrou_ has joined #openstack-keystone13:12
*** mylu has joined #openstack-keystone13:13
*** annasort has joined #openstack-keystone13:13
*** hrou has quit IRC13:16
*** _hrou_ has quit IRC13:17
*** hrou has joined #openstack-keystone13:18
*** kiran-r has joined #openstack-keystone13:18
ayoungdtantsur, need to bug morganfainberg about that13:19
*** dims has joined #openstack-keystone13:19
dtantsurmorganfainberg, hi! may I bug you about making a release of keystonemiddleware? (see above)13:20
*** bdossant has joined #openstack-keystone13:21
samueldmqayoung: I suppose you're back :-)13:21
samueldmqayoung: I've put a point on the meeting to talk about that endpoint URL vs ID vs policy custom id thing in the meeting13:22
EmilienMhello Keystone folks! I have a question for you guys: do we need to restart keystone service after creating the default domain?13:22
samueldmqayoung: and another topic for voting on making Dynamic Policy in its own middleware ... makes sense?13:23
bknudsonEmilienM: my experience is that you do have to restart keystone to get it to read the domain-specific config files13:23
ayoungEmilienM, default domain is created by migration.  DO you mean changing default domain?13:23
13:24 *** jdennis has quit IRC
13:24 <ayoung> samueldmq, so...on that second thing
13:24 <ayoung> yes and no
13:24 <ayoung> we make auth token into a facade that calls other middlewares
13:24 <ayoung> then we can deploy policy either under the AUTH token facade or on its own
13:26 <lbragstad> marekd: no worries, I think I figured it out :)
13:26 <ayoung> samueldmq, for the fetch question:  the label used to fetch the policy needs to be a) calculated ahead of time and b) resolvable to an endpoint
13:26 *** csoukup has joined #openstack-keystone
13:26 <ayoung> URL is the obvious candidate.  Any other values need to be just as obvious
13:29 *** piyanai has joined #openstack-keystone
13:29 <EmilienM> ayoung: richm and I are working on puppet-keystone/v3 implementation and he told me we need to restart keystone to take into account a change to default_domain_id
13:29 <ayoung> EmilienM, that is correct
13:29 <dstanek> EmilienM: if you are changing the config you will need to restart to read in the new values
13:29 <EmilienM> ayoung: so during the deployment,  he wants to: configure keystone, start keystone, manage domains, etc, and then restart keystone to take default_domain_id into account
13:29 <EmilienM> is that correct ^ ?
13:29 <ayoung> EmilienM, config changes are only read with a server restart
13:30 <samueldmq> ayoung: k, let's make that clear in the meeting and have an agreement
13:30 *** browne has joined #openstack-keystone
13:30 <samueldmq> ayoung: so we can implement it
13:31 <samueldmq> ayoung: we need to get eyes on those things
13:31 <EmilienM> ayoung: I know what. What I wanted to be sure is, if this is just about restarting keystone *after* a config change or do we also need to restart it after the creation of the domain
13:31 <EmilienM> ayoung: it's a dumb question I know but I want to be sure
13:32 <amakarov> dolphm, hi! I have a change you asked for: https://review.openstack.org/#/c/189810/ (it was some time ago :) )
13:32 <dstanek> EmilienM: it should only be about reading configs. if you add/edit/delete domains the server should be able to use those
13:32 <EmilienM> dstanek: cool
13:32 <EmilienM> thanks guys o/
13:33 *** boris-42 has joined #openstack-keystone
13:35 <raildo> ayoung, do you have some minutes to take a look at this https://review.openstack.org/#/c/153007/ ? :)
13:36 *** csoukup has quit IRC
13:37 *** e0ne is now known as e0ne_
13:37 <ayoung> raildo, I could, but both Henrynash and topol have +2ed it. One of them should have the courage of their convictions and +a it.
13:38 *** richm has joined #openstack-keystone
13:38 <ayoung> raildo, +2a.
13:38 <samueldmq> ayoung: it should have at least 2 +2 from different organizations, shouldn't it ?
13:38 <raildo> ayoung, but both are from IBM , henrynash told me that it's not good practice for us to push it
13:38 *** jecarey has joined #openstack-keystone
13:38 <ayoung> samueldmq, nope.  Since the writer was not an IBMer
13:38 <raildo> ayoung, thanks :)
13:38 *** csoukup has joined #openstack-keystone
13:39 *** stevemar has joined #openstack-keystone
13:39 *** Ctina has joined #openstack-keystone
13:39 *** e0ne_ is now known as e0ne
13:41 <openstackgerrit> Merged openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/153007
13:42 *** stevemar has quit IRC
13:45 *** ajayaa has quit IRC
13:47 *** blewis has joined #openstack-keystone
13:47 <amakarov> ayoung, hi! I need your support. Again :) https://review.openstack.org/#/c/141854/
13:49 *** piyanai_ has joined #openstack-keystone
13:49 *** piyanai has quit IRC
13:49 *** piyanai_ is now known as piyanai
13:49 <ayoung> amakarov, done
13:50 *** TheIntern has joined #openstack-keystone
13:51 <amakarov> ayoung, cool, thanks!
13:51 <amakarov> morganfainberg, greetings!
13:52 <amakarov> morganfainberg, can you please review my revocation fix again? https://review.openstack.org/#/c/141854/
13:53 *** blewis has quit IRC
13:54 *** msno has joined #openstack-keystone
13:55 <msno> i have a Juno installation on tripleo method and my keystone command fails in under cloud
13:55 <msno> Traceback (most recent call last):
13:55 <msno>   File "/opt/stack/venvs/openstack/bin/keystone", line 6, in <module>
13:55 <msno>     from keystoneclient.shell import main
13:55 <msno>   File "/opt/stack/venvs/openstack/local/lib/python2.7/site-packages/keystoneclient/__init__.py", line 28, in <module>
13:55 <msno>     from keystoneclient import client
13:55 <msno>   File "/opt/stack/venvs/openstack/local/lib/python2.7/site-packages/keystoneclient/client.py", line 13, in <module>
13:55 <msno>     from keystoneclient import discover
13:55 <msno>   File "/opt/stack/venvs/openstack/local/lib/python2.7/site-packages/keystoneclient/discover.py", line 19, in <module>
13:55 <msno>     from keystoneclient import session as client_session
13:55 <msno>   File "/opt/stack/venvs/openstack/local/lib/python2.7/site-packages/keystoneclient/session.py", line 21, in <module>
13:55 <msno>     from oslo.serialization import jsonutils
13:55 <msno> ImportError: No module named serialization
13:56 <msno> can anyone give me a pointer
13:56 <dstanek> msno: use paste.openstack.org next time
13:56 <msno> this is the output of keystone user-list command
13:56 <msno> dstanek, sure .. will do
13:56 *** r-daneel has joined #openstack-keystone
13:56 <dstanek> msno: it looks like not all of the dependencies were properly installed
13:57 *** sigmavirus24_awa is now known as sigmavirus24
13:58 <msno> dstanek, oslo.serialization package is installed actually
13:58 <msno> # pip freeze | grep oslo.serialization
13:58 <msno> oslo.serialization==1.7.0
13:59 <dstanek> msno: what happens when you try to import it directly from within Python?
14:00 <msno> dstanek, let me check
14:00 *** Ctina has quit IRC
14:00 *** Ctina has joined #openstack-keystone
14:01 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: Project tree deletion  https://review.openstack.org/148730
14:02 *** jsavak has quit IRC
14:03 *** jsavak has joined #openstack-keystone
14:03 *** Kennan2 has joined #openstack-keystone
14:03 *** Kennan has quit IRC
14:06 <ayoung> samueldmq, http://interactive.blockdiag.com/?compression=deflate&src=eJxtjsFuwjAQRO_5itFeOPEF9FIVpUItl1I-YJ1sgtW1F9nmEFX9d5wgpLbi-ubNaJxa99V7HvHd0DH6wUuP1qsQ8LQGvao5Vmxl4IsW2qChd-8Sp4mW_MVCsIjOeqHNv6yV0p3QJgt4kykXi3W1eYxnf8-RR4GP2HJhx3nhtAtnnV99mEq-mYdKClZ7CU7Siqp0PPdcBJ-cRil5vvK3VpXnnP0Y8ZtTc6cWdUKaVfBCqlEMWXRYTjws_1wBda1l-A
14:06 <ayoung> samueldmq, the arrow means "depends on"
14:07 <ayoung> msno, my guess is that serialization depends on something it can't load
14:08 <msno> ayoung, may be jsonutils
14:08 <msno> which package provides this module
14:09 *** iamjarvo has joined #openstack-keystone
14:09 *** iamjarvo has quit IRC
14:10 *** iamjarvo has joined #openstack-keystone
14:10 <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Enable retrieval of default values of domain config options  https://review.openstack.org/185650
14:12 <ayoung> msno, I thought that was an oslo library
14:12 <dstanek> msno: what happened when you imported it? if it has a dep missing you'll see an error
14:13 <msno> dstanek, i am not a python dev.. to import it in a python program and test .. let me check how to do it
14:13 *** tjcocozz has quit IRC
14:13 <dstanek> just type python in the shell
14:13 <dstanek> and in the python shell type 'from oslo.serialization import jsonutils'
14:14 <msno> >>> from oslo.serialization import jsonutils
14:14 <msno> Traceback (most recent call last):
14:14 <msno>   File "<stdin>", line 1, in <module>
14:14 <msno> ImportError: No module named oslo.serialization
14:14 <msno> >>>
14:14 <msno> btw: it's python 2.7.9
14:14 *** krykowski_ has quit IRC
14:14 *** amrith has joined #openstack-keystone
14:15 *** amrith has left #openstack-keystone
14:15 *** fangzhou has joined #openstack-keystone
14:16 <lbragstad> msno: did you try installing oslo.serialization?
14:16 <msno> lbragstad, it's already installed .. when i check pip freeze
14:20 <lbragstad> msno: what version are you using?
14:21 <msno> pip freeze | grep oslo.serialization
14:21 <msno> oslo.serialization==1.7.0
14:21 <lbragstad> msno: what if you do from oslo_serialization import jsonutils
14:21 <lbragstad> does that work?
14:22 <msno> ok.. now i checked it in my venv ..
14:22 <msno> it works
14:22 <lbragstad> msno: you might have a version of oslo.serialization that is too new
14:22 <msno> with Python 2.7.8
14:22 <msno> ok.. let me try to install 1.6.0
14:22 <lbragstad> I am able to do 'from oslo.serialization import jsonutils' and 'from oslo_serialization import jsonutils' with 1.6.0
14:23 <lbragstad> s/1.6.0/oslo.serialization 1.6.0/
14:24 *** btully has joined #openstack-keystone
14:25 *** chlong has quit IRC
14:25 <msno> lbragstad, with 1.6.0 .. the error is now gone with keystone user-list
14:26 <lbragstad> msno: cool
14:26 <msno> but my tempest is still failing .. let me work on it :)
14:26 <msno> thanks a lot..!!!
14:26 <lbragstad> msno: no problem!
14:26 <dstanek> msno: we've had tons of issues with conflicting dependency versions between projects
14:27 <msno> dstanek, yes.. the version mismatch issues between diff modules is a nightmare to troubleshoot :)
14:27 *** krykowski has joined #openstack-keystone
14:29 *** toddnni_ has joined #openstack-keystone
14:29 *** toddnni has quit IRC
14:29 *** toddnni_ is now known as toddnni
14:30 *** annasort has quit IRC
14:31 <mordred> hey everybody! (especially ayoung)
14:32 <mordred> I would like to argue about my need to supply OS_USER_DOMAIN_NAME=default on clouds that have one and only one domain and it's called "default"
14:32 <mordred> (I say especially ayoung, because I assume that if he agrees with me I'm golden)
14:33 <ayoung> mordred, nope.  I have no such power
14:33 <mordred> ayoung: it has been suggested to me that things don't actually fallback to default as a value for "security"
14:33 <ayoung> my agreement usually delays things, not expedites.  Sorry
14:33 <mordred> ayoung: blast
14:34 <dstanek> mordred: i don'
14:34 <ayoung> mordred  longer conversation than I can have now.  Short is "Agree but irrelevant?"
14:34 <dstanek> t know about security for that
14:34 <dstanek> i would have assumed that it's so a user can't mess up and get things in the wrong domain
14:35 <mordred> I would assume that most users are only scoped to have access to one domain anyway
14:35 <bknudson> the default domain is actually named "Default" not "default"
14:35 <bknudson> the ID is "default"
14:35 <dstanek> it would make scripts moving from one cloud to another broken in some cases
14:35 <mordred> bknudson: ok. so that's two things I'd like to complain about
14:36 <bknudson> The default domain ID is configurable.
14:36 <mordred> well, not to bikeshed, but I'd suggest that a name of 'Default' and an id of $(uuidgen) would be more appropriate
14:36 <bknudson> whereas the default domain name is not.
14:36 <mordred> but I don't _really_ care
14:37 <mordred> other than that of all the things you can kind of pass either to either parameter name, so learning how to do it 'right' is not well served by having Default vs. default - except you can use them seemingly interchangeably
14:37 <bknudson> you can go ahead and delete the default domain. Things should work fine but you wouldn't be able to use v2.
14:38 <mordred> I just want keystone v3 to work on devstack, actually
14:38 <bknudson> jamielennox is working on it and looks like he's got it working.
14:38 <mordred> and the devstack currently has a default domain set which does not behave like a default domain in v3 because I have to set it - but it does not add the parameter to openrc anywhere
14:38 <bknudson> mordred: jamielennox has a change for openrc
14:38 <mordred> awesome
14:38 <mordred> that excites me
14:39 <mordred> I still don't think I should have to specify the domain AT ALL if there is one and only one domain
14:39 *** woodster_ has joined #openstack-keystone
14:39 <mordred> regions work 'correctly' here
14:39 *** jsavak has quit IRC
14:39 <bknudson> it would get confusing when the admin adds a domain... things that worked would now fail.
14:40 *** jsavak has joined #openstack-keystone
14:40 <bknudson> once we get rid of v2 we won't need a default domain anymore.
14:40 <mordred> v2 isn't going anywhere for like 3 years at least
14:40 <mordred> in the mean time, both need to be supported in parallel
14:41 <mordred> in any case- my config is updated now - so I'm really just reporting "I'm an end user and have found this experience painful"
14:45 <bknudson> devstack should also be updating your clouds.yaml so you can use that
14:46 *** fangzhou has quit IRC
14:47 *** krykowski has quit IRC
14:48 <openstackgerrit> janonymous proposed openstack/keystone: Python 3: Replace assertRaisesRegexp to six implementation for py3 compatibility  https://review.openstack.org/193866
14:49 *** ajayaa has joined #openstack-keystone
14:49 *** krykowski has joined #openstack-keystone
14:50 *** radez_g0n3 is now known as radez
14:52 *** jsavak has quit IRC
14:52 *** jsavak has joined #openstack-keystone
14:56 *** bradjones|away is now known as bradjones
14:57 *** abhishekk has quit IRC
14:57 *** jkomg has joined #openstack-keystone
14:57 <ayoung> mordred, we all want Keystone V3 to work on Devstack
14:57 <ayoung> ?me back now
14:57 *** slberger has joined #openstack-keystone
14:58 <mordred> bknudson: yah - also missing domain - but if jamie is already on it - awesome!
14:58 <ayoung> mordred, so....one idea I've had shot down a couple times is the ability to read the Keystone config (minus secure values) from an un-authenticated API
14:58 <mordred> ayoung: YES!!!!!!!!!
14:58 <ayoung> and that would, at least, let the client fill in the default domain if one is not specified
14:58 <mordred> ayoung: literally everyone in the world wants this
14:59 <ayoung> mordred, sadly, only figuratively
14:59 <ayoung> at least one person does not want it
14:59 <mordred> that's sad for them
14:59 <mordred> ayoung: what do they want me to purchase them?
14:59 <ayoung> I think he might work for you, though, so you could apply undue pressure on him
14:59 <mordred> ayoung: darn. I'm much more comfortable applying undue pressure on people who do not work for me
14:59 <ayoung> mordred, heh
15:00 <mordred> ayoung: I actually want such a thing from more things than keystone
15:00 <ayoung> mordred, the other place I want that to work is for policy enforcement
15:00 <ayoung> I want to know the name of the admin domain
15:00 <mordred> ayoung: I would like an unauthenticated list of the information I currently keep in vendor data in os-client-config
15:01 *** jsavak has quit IRC
15:01 <ayoung> we could either read it from config, or do statement replacement upon upload/download of the policy file...I know which I would prefer
15:01 *** jsavak has joined #openstack-keystone
15:01 <ayoung> hint, it is the one that doesn't change the content of the policy file
15:01 <mordred> ayoung: I'm fine with either - as long as as a user I have a way to get the information
15:01 *** fhubik has quit IRC
15:01 <mordred> ayoung: btw - folks in defcore would like something similar to this capability as well
15:01 <ayoung> mordred, https://review.openstack.org/#/c/186926/
15:02 *** zzzeek has joined #openstack-keystone
15:02 <mordred> because, you know what - if your cloud DECLARES that it has a particular thing, then testing to see if it has that thing is less crazy than just testing all the things your cloud might have
15:02 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/196877
15:03 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/197647
15:03 <mordred> ayoung: I am not opposed to that spec
15:04 <ayoung> mordred, I'll get it on the agenda for the meeting today
15:05 <morganfainberg> ayoung: make the config readable from an api. Sure. Go for it.
15:05 <ayoung> morganfainberg, so the discussion was whether to do that for policy.  Maybe I should have emphasized that it had enough value on its own
15:05 *** _kiran_ has joined #openstack-keystone
15:05 *** thedodd has joined #openstack-keystone
15:06 <ayoung> morganfainberg, I was thinking in terms of "admin_domain" when we discussed it
15:06 *** _kiran_ has quit IRC
15:06 <morganfainberg> Sure.
15:06 <ayoung> I think you favored the text replacement approach
15:06 <morganfainberg> I'm not being sarcastic here, I'm fine with it
15:08 <ayoung> morganfainberg, so, if we do that, then we can also use that data in enforcing policy.  Cache values done the same way. You are OK with that?  I don't think it makes sense to do both the API and text replacement in the policy file
15:08 <morganfainberg> ayoung: yep.
15:08 *** slberger has left #openstack-keystone
15:09 <ayoung> morganfainberg, ++.  I'm putting together a presentation for the midcycle on the policy stuff, to make sure we have a common understanding. I'll add that
15:09 <morganfainberg> If you argue strictly policy, I'll say text replacement. But you have a general use case beyond it
15:09 <morganfainberg> So let's cater to the general use.
15:09 <dstanek> ayoung: ++ on the presentation
15:10 * morganfainberg isn't unreasonable about this stuff.
15:10 <ayoung> dstanek, I think I owe you an apology.  I was wayyyyy too aggro last time we talked about this.
15:10 <ayoung> dstanek, the more I work on the presentation, the more I realize we have to communicate
15:10 * mordred likes communication!
15:10 <dstanek> ayoung: i don't think so
15:11 <ayoung> and I have had all this stuff in my head, trying to make it clear is frustrating,....so face to face should help
15:11 <morganfainberg> mordred: only if we communicate after coffee.
15:11 <dstanek> ayoung: about aggro, not communication
15:11 <morganfainberg> dstanek: lol
15:11 <morganfainberg> ^_^
15:11 <mordred> mmm. coffee
15:11 <mordred> so ...
15:11 <mordred> keystoneclient.openstack.common.apiclient.exceptions.NotFound: Could not find token: secretsecret (HTTP 404) (Request-ID: req-19599388-650a-4203-a996-39723924ac52)
15:11 <dstanek> ayoung: it's good that you are passionate about your ideas...just remember that very few of us can see what's in your head
15:11 <mordred> I'm trying to use this token auth plugin
15:12 <mordred> and I feel like I might be doing something wrong
15:12 <ayoung> mordred, that looks wrong on a couple accounts....
15:12 <ayoung> mordred, I am going to make a guess
15:13 <ayoung> you are trying to get shade to use a single token for multiple calls, and want to pass the token from request to request, because each happens in its own process.  Right?
15:13 <mordred> nope
15:13 <ayoung> darn
15:13 <mordred> I'm trying to debug use of the admin token for service registration bootstrapping
15:13 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/197647
15:13 <morganfainberg> This is bootstrap stu.. Yeah
15:13 <ayoung> mordred, AH
15:13 <mordred> however - I'm not ACTUALLY bootstrapping anything right now
15:14 <mordred> right now I'm just trying to use that auth and print the catalog it gets
15:14 *** mabrams has quit IRC
15:14 <morganfainberg> ayoung: we need the plugin that doesn't do catalog mangling / lookup
15:14 <openstackgerrit> Theodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/198071
15:14 <mordred> it's possible that's a wrong choice
15:14 <morganfainberg> That's the token endpoint option set, right?
15:14 <ayoung> jamielennox, wrote that, as I recall...let me see....
15:14 *** jkomg has quit IRC
15:14 <mordred> morganfainberg: is there a good way for me to verify that I'm passing the right creds and being authed?
15:15 <mordred> (I just tried v3token instead of token fwiw)
15:15 <ayoung> mordred, that is a client side error, I think.  Maybe it is the wrong auth plugin ...one sec
15:15 <mordred> ayoung: /home/mordred/src/openstack/python-keystoneclient/keystoneclient/auth/identity/v3/base.py
15:16 *** e0ne is now known as e0ne_
15:16 <morganfainberg> mordred: you can always use curl to 100% check, but let ayoung look at this for a sec, he'll have a better answer than i will pre-coffee
15:16 <mordred> cool
15:16 *** dims has quit IRC
15:18 <openstackgerrit> Theodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/198071
15:20 <ayoung> mordred, OK,  first things first.  I can do `openstack user list `  with only the OS_SERVICE*  env vars set
15:20 <ayoung> I think that uses the plugin
15:20 *** TrevorV has joined #openstack-keystone
15:20 <ayoung> nope I lied
15:21 <ayoung> excellent...ok
15:21 <ayoung> let me now get this onto a debuggable system
15:22 * morganfainberg tries to context switch from bed to keystoneclient to be useful in this convo.
15:22 *** stevemar has joined #openstack-keystone
15:23 *** _cjones_ has joined #openstack-keystone
15:23 <openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Fix diagram representation in rst  https://review.openstack.org/199148
15:25 <mordred> https://gist.github.com/emonty/81612fc0ee759b56eaec
15:25 <mordred> there is my clouds.yaml and a small test program that fails
15:26 <mordred> the URL there is to a thing that just ran a default devstack
15:26 *** e0ne_ is now known as e0ne
15:26 * mordred still digging - just wanted other people to be able to follow along if they want
15:27 <morganfainberg> amakarov: +2/+A on group revocation fixes.
15:27 <amakarov> morganfainberg, thanks!
15:28 *** _cjones_ has quit IRC
15:28 *** _cjones_ has joined #openstack-keystone
15:30 <amakarov> morganfainberg, I have a question about Tokyo: I'd like to conduct a talk about trusts/delegations or whatever it will be called at that time. The deadline to submit a talk is Jul 15. Do these talks have to be discussed in the team or may anybody say anything?
15:31 <morganfainberg> amakarov: you want to do a design summit session or a conference presentation?
15:31 <morganfainberg> amakarov: if it's the user conference part, submit a talk ;). You should do it. We don't discuss those internal to the dev team here.
15:32 <morganfainberg> If it's a design summit session thing, that will be later on / closer to the summit.
15:33 *** diazjf has joined #openstack-keystone
15:33 *** annasort has joined #openstack-keystone
15:33 <mordred> morganfainberg: while I'm bugging you ... what's the 'right' way for me to enable http request tracing when using keystoneclient as a library
15:33 *** kiran-r has quit IRC
15:33 <amakarov> morganfainberg, I've discovered that despite the presence of the trust feature other components still prefer using tokens to perform long operations in the hope that tokens survive long enough for the operation to end :)
15:33 *** jkomg has joined #openstack-keystone
15:34 <amakarov> morganfainberg, so it's more technical than customer-oriented.
15:35 *** slberger has joined #openstack-keystone
15:36 <amakarov> morganfainberg, I feel it'll be better done at the design summit...
15:38 <mordred> ayoung: this is what it's doing:
15:38 <mordred> REQ: curl -g -i -X POST http://192.168.1.231:5000/v3/auth/tokens -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e579c4fea528a36862a0a5352587a30d58da532f" -d '{"auth": {"scope": {"project": {"domain": {"id": "default"}, "name": "admin"}}, "identity": {"token": {"id": "secretsecret"}, "methods": ["token"]}}}'
15:39 <ayoung> mordred, try this:
15:39 <ayoung> http://fpaste.org/240934/83560143/
15:39 <ayoung> OK..lets get some debugging in there....
15:39 <morganfainberg> mordred: if you enable debug logging for the keystoneclient https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L166 you'll get debug output
15:40 <morganfainberg> mordred: for http tracing.
15:40 *** solomondg has joined #openstack-keystone
15:40 <morganfainberg> amakarov: that is user-conference side and part of the july 15th deadline
15:40 <morganfainberg> amakarov: my recommendation: submit your talk :)
15:41 <morganfainberg> mordred: that debug output should likely be just the logger defaults
15:41 <ayoung> morganfainberg, so...don't use the ADMIN_TOKEN to request a token
15:41 <morganfainberg> ayoung: oh yeah don't do that
15:41 <morganfainberg> it *can't* work
15:41 <morganfainberg> we don't have any of that wired up in keystone
15:41 <ayoung> that does not work.  What are you trying to do?  Register an endpoint or some other setup call?
15:42 <mordred> ayoung: ok - your script works
15:42 <mordred> and yes - I was just trying to print the catalog to verify I was logged in
15:42 <mordred> so, it's possible I picked a bad thing to verify
15:42 <amakarov> morganfainberg, thanks :)
15:43 *** dims has joined #openstack-keystone
15:43 <mordred> morganfainberg: just setting debug logging does not get the curl calls - I had to edit session.py to get that, fwiw
15:43 <morganfainberg> mordred: admin token doesn't get a catalog either
15:43 <mordred> nod
15:43 <mordred> I will try a new synthetic test armed with this information!
15:43 <morganfainberg> mordred: hm. the session logging should work as long as the logger is enabled for debug
15:44 *** bdossant has quit IRC
15:45 *** lufix has quit IRC
15:45 <morganfainberg> mordred: the logger *may* be overridden and passed through on the <session>.request() method as well
15:45 <morganfainberg> mordred: but as long as that logger is enabled for debug you should get curl output. the default is to use logging.getLogger(__name__)
15:45 *** TrevorV has left #openstack-keystone
15:45 <mordred> aha!
15:46 <mordred> morganfainberg: nope. that definitely does not work
15:46 <morganfainberg> s/curl output/curl log lines
15:46 <mordred> ayoung, morganfainberg: so - for the other thing - I'm in a slight bit of a pickle ...
15:46 <mordred> in order for me to get a keystone_client object
15:46 <mordred> I do this:                     auth_url=self.get_session_endpoint('identity'),
15:46 <mordred> because of how auth plugins work - I can't assume I have an endpoint without asking the session infrastructure for it
15:47 <mordred> however, that does catalog lookups
15:47 <ayoung> mordred,
15:47 <ayoung> for endpoint in keystone_client.endpoints.list():
15:47 <ayoung>     print(endpoint)
15:47 <mordred> ayoung: I have to construct a keystone_client first
15:47 <morganfainberg> mordred: this is chicken egg? where you're trying to bootstrap [long term goal] so you can do things?
15:47 <mordred> oh! when did it start working that I can just pass in a session?
15:47 <mordred> lemme try something ...
15:48 <ayoung> mordred, the short of it is that the ADMIN_TOKEN really should be used for setting up the first admin user and then use the admin user to do everything else
15:48 <morganfainberg> mordred: since the very beginning of session land.
15:48 <morganfainberg> mordred: we should have always supported that afaik
15:48 <mordred> I have an auth_url param in my keystone_client constructor call, I believe because ksc was unhappy not getting one
15:48 <ayoung> morganfainberg, nope...jamie added a new auth plugin for Admin token .... mumble ago
15:48 <mordred> BECAUSE it assumes admin access
15:48 <morganfainberg> ayoung: ah
15:48 *** slberger has quit IRC
15:48 <ayoung> morganfainberg, jamielennox is kind of sneaky in a cool sort of way
15:48 <ayoung> or
15:49 <ayoung> morganfainberg, jamielennox is kind of cool in a sneaky sort of way
15:49 <mordred> Error constructing keystone client: Not enough information to determine URL. Provide either auth_url or endpoint
15:49 *** Akshay00 has joined #openstack-keystone
15:49 <morganfainberg> mordred: yeah so you need to pass the endpoint in for this case, making discovery not happen
15:49 <mordred> but ayoung did not do that in his code
15:49 <morganfainberg> *or* need a real token so discovery can happen
15:49 <ayoung> mordred, give me the larger use case, and maybe I can help out.
15:50 *** anhhuynx has joined #openstack-keystone
15:50 <mordred> ayoung: so - I'm trying to write code that gets a keystone client object from input parameters
15:50 <morganfainberg> stevemar: you're on the hook for things today [see the email i reply to for henry]
15:50 <morganfainberg> stevemar: :)
15:50 <ayoung> import logging
15:50 <ayoung> logging.basicConfig(level=logging.DEBUG)
15:50 <ayoung> ^^ should get you logging
15:50 <mordred> it gets me logging
15:51 <morganfainberg> ayoung: ++
15:51 <mordred> it does not get me curl output
15:51 <morganfainberg> mordred: you can pass a logger with debug to .request() (logger=)
15:51 <mordred> http://paste.openstack.org/show/352289
15:51 <ayoung> mordred, weeeeeeieeeird
15:51 <mordred> I had to do that to get curl output
15:51 <morganfainberg> or .. hm
15:51 <mordred> I got other debug output
15:52 <ayoung> DEBUG:keystoneclient.session:REQ: curl -g -i -X GET http://10.16.18.219:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}7c0eb3ba0dba3fadaf5c8810303ad8d74286682d"
15:52 <mordred> yup. I did not get that without that patch
15:52 <mordred> but - I'll circle back and debug that next
mordredif that's the intended operation - I'm sure I'm doing something wrong15:52
morganfainbergoh something is setting log=False maybe on .request()15:52
mordredand it's good to know that's how it's supposed to work15:52
ayoungmordred, I have it as the first line of the script15:52
morganfainbergmordred: yeah if you're commenting out if log, that means something is doing .request(..., log=False, ...)15:53
ayoungmordred, OK.  So back to the larger question:  is this for Shade and ansible consumption?15:53
mordredyes15:54
mordredayoung: back to the hard problem ... I was hoping that I could use Client() and a plugin name to construct a Client object in a general way15:54
ayoungand you want to have a way to build the auth plugin based on parameters.15:54
mordredbut - it's seeming liek I'm going to have to have "if plugin_name: 'endpoint' then: construct the Client differently"15:54
mordredyes15:54
ayoungyou should be able to do that, we use stevedore to load them....shade should be OK with that15:55
anhhuynxWill someone please take a look at my short patch to the v3 API documentation? https://review.openstack.org/#/c/198921/15:55
ayoungI had it in an eraly copy of some Dajngo openstack auth code15:55
mordredayoung: nono- shade does a fine job with that15:55
mordredayoung: it's that the sequence for constructing things and the arguments are different depending on executional context15:55
mordredwhich is potentially fair in this case15:55
ayoungmordred, so...  https://github.com/admiyo/ossipee/blob/master/ossipee.py#L62515:56
mordredso I think what I need to do is override my keystone_client method in the OperatorCloud class so that it has a different behavior if the user has specified a token auth plugin15:56
mordredayoung: right. that is not nearly general enough15:56
mordredayoung: because you're tying to v3.auth15:56
ayoungmordred, heh...V2 MUST DIE!15:56
mordredright. good luck with that.15:57
mordredseriously15:57
mordredI get it15:57
mordredv3 is better15:57
mordredHOWEVER15:57
ayoungwe'll ignore the fact that the public cloud I have access to blows up with V3 auth15:57
mordredreality also exists where there are no usable public clouds running v315:57
mordred(unitedstack is, but I can't figure out how to pay them for my account, so it is not on)15:57
mordredayoung: I think I have a path forward - i'll paste in the patch here in just a sec so you can check me15:58
mordredayoung: thanks! this has been _super_ helpful15:58
ayoungmordred, we have logic along these lines in the openstack common CLI15:58
ayounglet's see....15:58
mordredayoung: yah. although it sadly uses its own magical auth plugins15:58
mordredI would love a world where this logic was in either ksc or ksa15:58
mordredhrm15:58
mordredmaybe I should make a patch to ksa once I get this sorted15:59
ayoungksa.auth.factory()15:59
ayoungreturns an auth plugin based on the env vars.15:59
ayoungsomething like that?15:59
*** jistr has quit IRC16:00
*** mgarza_ has joined #openstack-keystone16:00
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769916:00
ayoungmordred, how does shade do this today?16:00
*** slberger has joined #openstack-keystone16:01
mordredayoung: possibly - except I don't want something else processing env vars right now16:01
*** slberger has left #openstack-keystone16:02
mordredayoung: we do this: https://github.com/openstack-infra/shade/blob/master/shade/__init__.py#L39916:02
mordredto get a session16:02
mordredayoung: and this; https://github.com/openstack-infra/shade/blob/master/shade/__init__.py#L429 to get a Client16:03
mordredayoung: it's the second thing I need to make smarter16:03
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769916:03
mordredayoung: since it's not accounting for admin tokens not being able to look into the catalog16:03
*** solomondg has quit IRC16:03
ayoungmordred, so I don't think you need to pass auth_url to the session16:04
morganfainbergit's another sign we need to kill the whole "admin token" concept16:04
ayoungand, in fact, I don't think you are supposed to16:04
*** solomondg has joined #openstack-keystone16:04
mordredayoung: I don't16:04
mordredI pass it to the Client16:04
*** dtantsur is now known as dtantsur|afk16:04
mordredI pass an auth plugin to the session16:04
ayoungmordred, https://github.com/openstack-infra/shade/blob/master/shade/__init__.py#L43416:04
mordredhttps://github.com/openstack-infra/shade/blob/master/shade/__init__.py#L41916:04
mordredright. that's the Client constructor16:05
mordredit is required to pass an auth_url to that16:05
ayoungnope16:05
ayoungI think that might again be an ADMIN_TOKEN workaround16:05
ayoung self.keystone = keystone_v3.Client(session=session)16:05
mordredayoung: I promise: Error constructing keystone client: Not enough information to determine URL. Provide either auth_url or endpoint16:06
mordredayoung: I'm not constructing a keystone_v3.Client16:06
solomondgQuestion: Is it acceptable to modify a "base" function, such as the keystone-manage script, for a patch? Or should I try to have as little impact as possible? I'm pretty much writing a script that checks for the keystone.conf file when you run keystone-manage, and I'm not sure if I should have it run when keystone-manage is called, or only when the16:06
solomondg subject of the bug (db_sync) is called.16:06
ayoungmordred, let me try a V2....16:06
mordredI'm constructing a ke keystoneclient.client.Client16:06
openstackgerritNathan Jewell proposed openstack/keystone: Saves output of run_tests.sh to .log file  https://review.openstack.org/19628516:06
dstaneksolomondg: what are you checking?16:07
*** jistr has joined #openstack-keystone16:07
*** Akshay00 has quit IRC16:07
*** dikonoor has quit IRC16:07
openstackgerritTheodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/19807116:08
ayoungmordred, http://paste.openstack.org/show/352401/16:08
ayounglet me try with password16:08
*** Akshay00 has joined #openstack-keystone16:08
solomondgIt has to do with a wishlist item where db_sync doesn't have any effect when run without access to keystone.conf (whether file not found or not enough user permissions), but does not report any errors.16:09
mordredayoung: but can you do it with keystoneclient.client.Client ?16:09
ayoungmordred, I'll check16:10
dstaneksolomondg: link?16:10
solomondghttps://bugs.launchpad.net/keystone/+bug/127327316:11
openstackLaunchpad bug 1273273 in Keystone "keystone-manage should produce a friendlier error when it cannot read the config files" [Wishlist,In progress] - Assigned to Solomon (solomongreenberg)16:11
ayoungmordred, http://paste.openstack.org/show/352402/16:12
stevemarmorganfainberg: ayoung want to review this ldap patch? https://review.openstack.org/#/c/198270/16:13
stevemarhenry and i have +2ed, but it's coming from an ibmer, so we're on hold16:13
mordredayoung: that's still v2_0.client16:13
ayoungmordred, hmmm.16:14
ayoungyep, that does complain.16:15
ayounglet's see...16:15
mordredayoung: I'd be more than happy to make a ksc patch if this is behavior you expect to work16:15
ayoungmordred, OK, so I'm passing in session....16:15
ayoungwhich kicks us in to discover16:16
mordredayoung: (btw, if you solve this, you will be my new favorite pony)16:16
openstackgerritMerged openstack/keystone-specs: Fix diagram representation in rst  https://review.openstack.org/19914816:16
stevemaramakarov: did someone on the keystone team ask you to open https://bugs.launchpad.net/keystone/+bug/1472306 ?16:16
openstackLaunchpad bug 1472306 in Keystone "Broken ascii diagram in materialized path spec" [Undecided,Fix committed] - Assigned to Alexander Makarov (amakarov)16:16
*** fangzhou has joined #openstack-keystone16:17
ayoungmordred, OK, so I agree, it is not working.  It looks to me like he (jamie) has intentionally bypassed the session in the discovery stage.16:20
*** ajayaa has quit IRC16:20
*** hogepodge has quit IRC16:21
mordredayoung: ok. cool16:21
ayoungand...since you already have a session...that seems weird.  http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/discover.py#n28616:21
ayoungI wonder if he is expecting people to do something like16:21
ayoungkeystoneclient.discover.create_client()16:21
mordredjamielennox: ^^ when you awaken ...16:22
*** slberger has joined #openstack-keystone16:22
dstaneksolomondg: do you need to do more than revive the existing change?16:23
*** krykowski has quit IRC16:23
ayoungmordred, https://review.openstack.org/#/c/182118/16:23
ayoungmordred, so jamielennox is battling that himself.16:25
amakarovstevemar, good day! Nobody asked for it16:25
*** solomondg has quit IRC16:27
ayoungamakarov, https://review.openstack.org/#/c/186926/3  please remove -1.  New rule, don't -1 specs just for questions.16:30
ayoungbother me directly instead, please!16:30
*** solomondg has joined #openstack-keystone16:30
solomondgSorry about that, had internet problems16:31
dstaneksolomondg: do you need to do more than revive the existing change?16:31
amakarovayoung, done16:31
ayoungamakarov, thanks.  Did my answer make sense?  Did I post my answer?16:31
ayoungI didn't16:32
ayoungok...now posted16:32
*** slberger has quit IRC16:32
*** e0ne has quit IRC16:33
amakarovayoung, I see. The question is: can exposed whitelist be changed from the outside to expose something secret?16:33
ayoungamakarov, this is a read only API16:33
ayoung"query configuration via web API "16:34
mordredayoung: \o/16:34
ayoungnot "set configuration via web API"16:34
amakarovayoung, oh, well... Missed my attention :)16:34
*** jistr has quit IRC16:35
*** msno has quit IRC16:35
ayoungamakarov, No problem...always feel free to question me directly, and you can put questions in the code.  Just remember that a -1 stops the bus.16:35
ayoungso only -1 if there is risk you can see, please16:35
ayoungand ,since spec is not code, we can amend a spec after acceptance16:35
solomondgdstanek: I believe so... It seems that much of the functionality of the old keystone-manage (from that patch) has been moved to other files, most notably cli.py, from my understanding. I'd also like to have a slightly more eloquent response than simply reporting the absence of the config file and/or permissions needed to read it.16:35
amakarovayoung, that's good: I had a feeling that -1 is just a heads-up for almost everything :)16:36
dstaneksolomondg: what else would be in the response?16:36
ayoungamakarov, not your fault.  It is a norm we've created in the team culture, and something I'd like to change.16:37
amakarovayoung, is our new culture described? It'd be nice to have basic values written down somewhere :)16:38
ayoungculture makes me think " fungal rot, bacterial formation/Microbes, enzymes, mould and oxidation"16:38
ayoungamakarov, I think that there is a doc that describes the spec process.  It might be Nova specific.16:39
solomondgdstanek: At least in its current state, the user can re-define the keystone.conf path, abort the operation or ignore the absence of files/permissions and force the operation. It can also copy the keystone.conf.sample file into the keystone.conf file, with the paths to the two files being definable by the user (with default values given, of course).16:40
amakarovayoung, hm, I assusiate culture with arts :)16:40
amakarovs/assusiate/associate/16:40
ayoungЯ некультурным (Russian: "I [am] uncultured")16:41
diazjfuncultured?16:42
amakarovayoung, google translate makes funny attempts sometimes :)16:42
ayoungamakarov, not sure about the Я  but pretty sure I meant "NEEECULTOOOORNIE!"16:43
*** lufix has joined #openstack-keystone16:44
ayoungНекултурний versus  некультурны (two spellings of "uncultured")16:44
*** htruta_ has joined #openstack-keystone16:46
amakarovayoung: "Ovvvercoming langage beariers!"16:46
ayoungI support the right to carry and arm bears16:47
*** kiran-r has joined #openstack-keystone16:47
amakarovayoung, bears will surely appreciate :)16:48
*** dikonoor has joined #openstack-keystone16:50
bretonamakarov: there was a big discussion on the ml about it16:51
*** slberger has joined #openstack-keystone16:52
amakarovbreton, about what exactly?16:53
stevemarmorganfainberg: gonna push that ldap patch16:53
bretonamakarov: about asking questions and putting -116:53
bretonamakarov: http://lists.openstack.org/pipermail/openstack-dev/2015-April/thread.html#6249216:53
morganfainbergstevemar ok16:53
stevemaramakarov: sry, i was afk. i was going to say you don't need to open a bug to fix typos in keystone-specs :P16:54
stevemaramakarov: cause i plan on using the resolved bugs at the end of the release for creating release notes about keystone :)16:54
*** lufix has quit IRC16:55
*** Lactem has joined #openstack-keystone16:55
stevemarits closed now with fix commited, but next time, just make the change to keystone-specs :)16:55
*** mylu has quit IRC16:56
amakarovstevemar, ok, I understand16:56
amakarovstevemar, so specs cannot have bugs, or is there some policy about it?16:58
dstaneksolomondg: so you don't want to just give them a better error message? you want to allow them to ignore the error?16:58
*** jsavak has quit IRC16:59
*** afazekas has quit IRC17:01
stevemaramakarov: no policy about it - just the17:02
solomondgdstanek: I don't think it would be that bad of an idea. At least from my (limited) experience, I've found that it's usually good to at least have the option of ignoring an error message that won't result in a crash/exception. I'm probably wrong though, haha.17:02
amakarovstevemar, common sense? )17:02
stevemarthe keystone project should try to be about keystone server bugs17:02
amakarovstevemar, ok17:02
dstaneksolomondg: i think in this case if you can't read the config file then we shouldn't go any further17:03
solomondgdstanek: Okay, then. I'll remove the part that allows you to ignore the error.17:03
*** aix has quit IRC17:08
*** piyanai has quit IRC17:08
solomondgdstanek: So, a change directly to keystone-manage is acceptable?17:09
*** amaretskiy has quit IRC17:09
dstaneksolomondg: sure, i don't see why not17:09
*** amaretskiy has joined #openstack-keystone17:09
*** e0ne has joined #openstack-keystone17:09
solomondgGreat. Thanks for the help!17:09
*** jsavak has joined #openstack-keystone17:09
*** ajayaa has joined #openstack-keystone17:10
*** lhcheng has joined #openstack-keystone17:10
*** ChanServ sets mode: +v lhcheng17:10
*** gyee has joined #openstack-keystone17:12
*** ChanServ sets mode: +v gyee17:12
*** piyanai has joined #openstack-keystone17:15
*** zzzeek has quit IRC17:16
anhhuynxWill someone please take a look at my short patch to the v3 API documentation? https://review.openstack.org/#/c/198921/17:17
*** e0ne is now known as e0ne_17:18
*** david-lyle has quit IRC17:19
ayounganhhuynx, looking17:20
ayounganhhuynx, so, why?17:21
*** e0ne_ is now known as e0ne17:21
anhhuynxBecause there is a functionality that was missing documentation17:21
anhhuynxSo I added it17:21
ayounganhhuynx, hmmm, not sure where that doc comes from.17:21
dstanekis that what the #openstack-docs folks maintain?17:22
anhhuynxayoung: It is the Identity API v3 http://developer.openstack.org/api-ref-identity-v3.html#listCredentials17:22
*** browne has quit IRC17:22
anhhuynxdstanek: It seems so, but they seem to always be inactive17:23
*** kiran-r has quit IRC17:23
ayounganhhuynx, http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n773  is the doc that we've produced from this team.  Not sure who translated it to docbook17:23
openstackgerritAkshay Aggarwal proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/19807117:24
dstanekanhhuynx: i don't know anything about WADL so i can't help you there - if you need +2s you should talk with the docs folks, but i thought that site was driven from Keystone's documentation17:24
ayounganhhuynx, it certainly looks like it was missing17:25
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n452117:25
*** TheIntern has quit IRC17:25
anhhuynxbut not /v3/credentials?user_id=<user_id>17:26
*** e0ne is now known as e0ne_17:26
anhhuynxnot sure why that didn't send17:26
anhhuynxthe /v3/credentials/<user_id> was documented*17:27
*** e0ne_ is now known as e0ne17:27
anhhuynxayoung: Thank you for the +117:29
ayounganhhuynx, keep up the good work17:30
openstackgerritTheodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/19807117:31
Lactem: D17:31
Akshay00can someone please review my patch: https://review.openstack.org/#/c/198924/1 ?17:31
dstanekAkshay00: patience :-) too many patches and not enough time17:32
*** e0ne is now known as e0ne_17:33
*** njnjnj has joined #openstack-keystone17:34
*** zzzeek has joined #openstack-keystone17:35
dstanekuggg...i still have 159 patches in my next-review queue17:35
LactemSorry to hear dstanek. Hard life17:35
raildoor core life? :P17:36
*** piyanai has quit IRC17:36
LactemYeah core life.17:36
*** blewis has joined #openstack-keystone17:36
*** mylu has joined #openstack-keystone17:37
*** blewis` has joined #openstack-keystone17:37
*** Akshay00 has quit IRC17:38
*** Lactem has quit IRC17:39
*** piyanai has joined #openstack-keystone17:39
*** e0ne_ is now known as e0ne17:39
*** piyanai has quit IRC17:39
*** piyanai has joined #openstack-keystone17:40
openstackgerritjanonymous proposed openstack/keystone: Python 3: Replace assertRaisesRegexp to six implementation for py3 compatibility  https://review.openstack.org/19386617:40
*** blewis has quit IRC17:41
*** njnjnj has quit IRC17:41
*** diazjf has quit IRC17:45
openstackgerritDavid Stanek proposed openstack/keystone: Modified command used to run keystone-all.  https://review.openstack.org/19892417:46
*** Akshay00 has joined #openstack-keystone17:46
*** dguerri is now known as dguerri`17:47
ayoungmordred, do services other than keystone expose APIs to manage resources not in projects or owned by users?  THe only example I've come across thus far is Hypervisors by Nova17:51
morganfainbergI solved the core life issue dstanek has. I use a coin. Heads is a -1 tails is a -1, if it lands on its edge its a +2 (/sarcasm)17:51
dstanekmorganfainberg: i could just write a bot that gives every review a '-1' with a 'needs a little work' comment - that would probably be pretty accurate17:52
*** diazjf has joined #openstack-keystone17:53
morganfainbergdstanek: lol17:53
lbragstaddstanek: nice17:53
lbragstaddstanek: make it pick from a list of responses = ['almost there', 'needs just a little more work', 'I'd like to see another test']17:54
mordredayoung: I have no idea - I have not gone far enough down the rabbit hole to know that17:54
dstanek"I'd liek to see another test" is a good one17:55
morganfainberglbragstad: and every 117:55
mordredayoung: btw - there does not seem to be a way for me to construct the same auth plugin you constructed in your sample code via get_plugin_class17:55
ayoungmordred, fair enough.  I'm thinking, though, that everything should be scoped17:55
morganfainbergIn 1000 -2 "oh hell no"17:55
lbragstadlol17:55
mordredayoung: if I try "token_endpoint" - I get <class 'openstackclient.api.auth_plugin.TokenEndpoint'>17:55
mordred:)17:55
ayoungmorganfainberg, I already have a bot that looks for all +1/+2 and adds a +A17:55
ayoungmordred, hemmm17:56
*** topol has joined #openstack-keystone17:56
*** ChanServ sets mode: +v topol17:56
morganfainbergayoung: its ok the bot im working on looks for +2/+A and slaps it with a -1 workflow *shiftyeyes*17:56
*** Akshay00 has quit IRC17:57
morganfainbergtopol: after meeting today need to bug you.17:57
topolmorganfainberg sure17:57
mordredayoung: WOOT!17:57
mordredayoung: with two ugly hacks, I have working code17:57
ayoungmordred, looks like the entrypoint is missing, too...17:58
mordredayoung, morganfainberg: http://paste.openstack.org/show/35261317:58
dstanekmordred: ugly hacks means that we gave you a learning opportunity17:58
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/setup.cfg#n30  should be inthere, I think17:58
mordreddstanek: and I'm eversothankful17:58
mordredayoung: I agree17:58
*** anhhuynx has quit IRC17:58
dstanekmordred: then you are welcome!17:59
morganfainbergmordred: ive seen worse. >.>17:59
morganfainbergin keystone /hushed whisper17:59
* mordred hands dstanek a mostly unmuddy donkey that hasn't taken many amphetamines in gratitude17:59
*** browne has joined #openstack-keystone17:59
ayoungmorganfainberg, I'm not certain how the auth plugin would be built from stevedore, but it has to be smart enough to pull the right variables out of the envvars/CLI params17:59
*** dikonoor has quit IRC18:00
stevemarmordred gives the strangest gifts18:00
* mordred eyes stevemar for a gift next!18:00
*** mgarza_ has quit IRC18:00
morganfainbergmordred: you hand people the weirdest gifts from .. Some kind of really strange zoo -- or you have access to some odd purchasing system i havent found yet....18:00
mordredmorganfainberg: HP has at least one of _everything_18:01
morganfainbergI didnt know we could expense a mostly unmuddy donkey... That is only slightly strung out on amphetamines.18:01
*** TheIntern has joined #openstack-keystone18:01
morganfainbergayoung: the auth plugin for admin token is hard18:02
morganfainbergayoung: but the rest are fairly straight forward.18:02
*** solomondg has quit IRC18:02
*** jsavak has quit IRC18:02
*** jsavak has joined #openstack-keystone18:03
*** solomondg has joined #openstack-keystone18:03
*** marzif_ has joined #openstack-keystone18:03
*** njnjnj has joined #openstack-keystone18:04
*** ajayaa has quit IRC18:04
*** anhhuynx has joined #openstack-keystone18:05
*** mgarza_ has joined #openstack-keystone18:06
openstackgerritLance Bragstad proposed openstack/keystone: Fix code-block in federation documentation  https://review.openstack.org/19920818:08
*** hogepodge has joined #openstack-keystone18:11
*** dikonoor has joined #openstack-keystone18:13
*** jsavak has quit IRC18:15
*** jsavak has joined #openstack-keystone18:16
*** e0ne is now known as e0ne_18:17
*** anhhuynhx has joined #openstack-keystone18:19
*** anhhuynx_ has joined #openstack-keystone18:20
*** hogepodge has quit IRC18:20
*** anhhuynx has quit IRC18:20
*** marzif_ has quit IRC18:21
*** anhhuynhx is now known as anhhuynx18:21
*** njnjnj has quit IRC18:21
*** anhhuynx_ has quit IRC18:24
*** piyanai has quit IRC18:25
*** dikonoor has quit IRC18:25
*** evb1007 has joined #openstack-keystone18:26
*** njnjnj has joined #openstack-keystone18:33
*** piyanai has joined #openstack-keystone18:33
*** blewis` has quit IRC18:38
*** mgarza_ has quit IRC18:38
*** e0ne_ is now known as e0ne18:39
*** mylu has quit IRC18:41
*** shaleh has joined #openstack-keystone18:41
*** mylu has joined #openstack-keystone18:41
*** mgarza_ has joined #openstack-keystone18:45
*** njnjnj has quit IRC18:46
mordredmorganfainberg, ayoung: should I expect that in a devstack install with only the default domain named "Domain" with id of "domain" that running GET http://192.168.1.231:5000/v3/auth/domains should return me an empty list?18:46
morganfainbergThat... Seems odd? Oh wait you dont have roles on the domain itself18:46
morganfainbergThat url should show what domains you have direct access to afaik18:47
mordredbut I have to specify it to log in18:47
morganfainbergYes. But the role is on the project18:47
mordred*headdesk*18:47
ayoungmordred, Keystone Meeting right now...answer in 13 minutes18:47
mordredayoung: k. thanks!18:47
morganfainbergNot on the domain. If you are specifying project name18:47
morganfainbergYou need domain to resolve which project18:47
morganfainbergIf you are using project id, you dont need domain18:48
morganfainbergTo auth18:48
*** iamjarvo has quit IRC18:48
morganfainbergThis is because you can have projects with the same name in different domains.18:48
morganfainbergIts a namespace thing.18:48
mordredmorganfainberg: all of those words make sense18:48
mordredmorganfainberg: HOWEVER18:49
*** njnjnj has joined #openstack-keystone18:49
mordredmorganfainberg: I'd like to register a niggle that at some point, as a user, being able to ask the question "what domains can I see/am I a part of" might be a nice thing to get an answer to18:49
mordredbut I'll let you finish the meeting before I niggle more18:50
morganfainbergSure. Though i think you can mostly derive that from what projects you have access to atm (until we get the rfe youre advocating added)18:50
morganfainbergV3/auth/projects18:50
*** e0ne has quit IRC18:50
morganfainbergAs a workaround today18:50
*** njnjnj has quit IRC18:51
* morganfainberg made18:51
*** dims has quit IRC18:53
mordredmorganfainberg: ok18:54
jamielennoxmordred: did you make everything work?18:55
morganfainbergmordred: i can see benefit to knowing what domains you can see into. But the api you referenced above really is what domains you have roles directly on to scope to18:55
jamielennoxi've got a lot of highlights in scrollback and no idea which are still relevant18:55
jamielennoxsessions don't work with keystoneclient.client.Client, they should there's a bug, there is something about that code that makes it difficult to work with a session and i can't remember what18:57
*** dims has joined #openstack-keystone18:58
jamielennoxi'm not a great fan of keystoneclient.client.Client (i wrote it pre-session stuff) because the v2 and v3 clients have very different APIs and i think it's confusing to have them returned from the same function depending on whats happening on the server18:58
*** solomondg has quit IRC18:59
mordredjamielennox: well, I wrote this: https://review.openstack.org/#/c/199209/18:59
mordredjamielennox: which I think will do what I need it to18:59
mordredjamielennox: so the session-in-client.Client is less pressing18:59
mordredmorganfainberg: nod. the projects list does seem to work18:59
mordredmorganfainberg: although I'll say that against my devstack, I get this:19:00
mordredhttp://paste.openstack.org/show/35278419:00
morganfainbergjamielennox: so, let me look at ksa today again. What is left? So we can get that rolled up for ksc 2.019:00
*** hogepodge has joined #openstack-keystone19:00
ayounggyee, I think you misunderstand19:00
ayoungthe URL is not the Hostname19:00
ayoungthe URL is the full URL to the endpoint19:00
mordredplease note that's running as the demo user19:00
lbragstadquick note on weekly bugs, we had a good amount of them opened this week (19 in keystone alone). still in the process of triaging, but feel free to hop in (http://keystone-weekly-bug-report.tempusfrangit.org/weekly-bug-reports/keystone-weekly-bug-report.html)19:00
ayoungso even if both /keystone and /nova are on the same machine, they have different URLS19:00
mordredso apparently either a) the call is broken or b) the devstack install gives the demo user roles into the admin project19:01
morganfainbergmordred: yeah. I think it does.19:01
jamielennoxmorganfainberg: i'm waiting to get it tested again19:01
mordredmorganfainberg: ok. so, I'll just file that as "wow, that's not expected"19:01
morganfainbergjamielennox: ok. Let me get a release cut with the new namespace19:01
ayounggyee so, the real issue is that you can't set a different policy for https://hostname:5000  vs https://hostname:35357  if they both map to the same endpoint_id19:01
gyeeayoung, oh, you mean like https://host:port/v3/instance?19:01
jamielennoxmorganfainberg: the -e requirements.txt doesn't work so all my ksc on ksa19:01
ayounggyee, YES!19:01
jamielennoxmorganfainberg: that would fix it temporarily yes19:01
mordredayoung: are you advocating for getting rid of teh port numbers and moving to sane URLs?????19:02
* mordred hands ayoung a fluffy marmot19:02
morganfainbergjamielennox: and ill get the base project to install the ksa1 version too today19:02
ayoungmordred, orthogonal19:02
gyeeayoung, wow, that would be policy per API19:02
ayoungmorganfainberg, I mean, yes, I've been for that for 3+ years now19:02
* mordred rescinds the marmot19:02
ayounggyee, no.19:02
ayounggyee, I mean the URL for the endpoint entry19:02
*** harlowja_ has joined #openstack-keystone19:02
*** harlowja has quit IRC19:03
morganfainbergmordred: yes we should be doing that too. Yes yes yes. And it has been a slow march. Now that horizon can play nice. we can do it19:03
gyeeayoung, I don't get it19:03
mordredmorganfainberg: yay!19:03
* mordred gives the marmot to morganfainberg19:03
ayounggyee, http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n2899  this value19:03
gyeeayoung, https://host:port/v3, that keystone or nova?19:03
ayoungmordred, I wrote https://wiki.openstack.org/wiki/URLs19:03
jamielennoxmordred: oh yea, OSC stole the token_endpoint entrypoint, it's a PITA19:03
jamielennoxmordred: where is self.api_versions coming from there?19:03
morganfainbergjamielennox: ill respin my two ksc 2.0 patches19:03
morganfainbergjamielennox: so we can land them too19:04
gyeeayoung, unless we go with namespaceing, like https://host:port/nova/v3, https://host:port/identity/v3, etc19:04
morganfainbergjamielennox: but honestly i think we are close.19:04
ayoungmordred, Date of page creation 21:07, 1 May 201219:04
morganfainberggyee: that would be needed in devstack19:04
morganfainberggyee: but not everywhere.19:04
gyeemorganfainberg, exactly19:04
samueldmqayoung: gyee what if we add a new field to endpoints called 'label', that'd unique and equals to the id in a migration, then you specify that label  in the middleware config19:04
ayoungsamueldmq, stop19:05
ayoungno new labels19:05
morganfainberggyee: json home can also discover that for us.19:05
mordredjamielennox: I have dictionary of them19:05
morganfainberggyee: from /19:05
morganfainberggyee: if we wanted.19:05
ayoungsamueldmq, until people understand why this is sufficient, do not offer any alternatives.  It just muddies the water19:05
mordredjamielennox: from vendor cloud configs for the most part19:05
gyeemorgainfainberg, ayoung, soure service.example.com would work19:05
samueldmqayoung: ok then, I am out of solutions/ideas, I will wait for you guys find what works for you both19:05
samueldmqayoung: either work for me19:05
*** Rockyg has joined #openstack-keystone19:06
ayoungsamueldmq, URL is the endpoint value.  It is already unique enough to identify the endpoint by id, and it is generated by the CMS when registering the CMS19:06
ayounger19:06
ayoungwhen registering the endpoint19:06
gyeewait, service.example.com wrong work for public endpoint19:06
mordredthe url, by definition, kind of has to be unique19:06
gyeeAPI proxy I mean19:07
jamielennoxmordred: so what you should be able to do there is just if session.get_endpoint(interface='auth', service_type='compute', version=(3, 0)): to discover that19:07
gyeeshould be like example.com/service/19:07
mordredjamielennox: to discover what?19:07
jamielennoxmordred: unfortunately the success of that will vary on service because we never came up with a standard way of listing available versions19:07
jamielennoxmordred: rather than hard code what clouds have what apis19:07
*** diazjf has quit IRC19:07
mordredah. yeah. I've given up on that for now19:08
*** jsavak has quit IRC19:08
samueldmqayoung: both you and gyee have valid arguments imo, both solution work for me, you guys have more experience with deployments than me, I can't vote what is better since I have not deployed a single keystone endpoint in production19:08
*** slberger has quit IRC19:08
mordredthe existing state of the world is not good enough, so I _must_ declare it for some of them19:08
ayoungsamueldmq, gyee, does not have a valid argument.  He is stumbling towards clarity19:08
mordredwhich means it's easier/less work to declare for all of them19:08
samueldmqayoung: does URL uniquely identify an endpoint ?19:08
mordredI look forward to the future when I can delete that code19:08
*** dramakri has joined #openstack-keystone19:08
ayounggyee, you mean to tell me that you have a service catalog where the nova and the keystone endpoints have the EXACT.SAME.URL configured?19:08
ayoungI know that to be a lie19:09
ayoungthat does not work19:09
ayoungyou know that, too19:09
ayoungso, you are not lying, you are just confusing two things.19:09
dstanekso...19:09
jamielennoxmordred: yep, regarding fixing token_endpoint, when we go to keystoneauth we will need to declare a new name for entrypoints to live in so i will make sure to grab token_endpoint away from OSC19:09
dstanekayoung: if you just take URL out of what you are saying then really you just have a unique ID that keystone looks at and passed out a policy. right?19:10
david8hugyee, service catalog would have the service name for each endpoints19:10
ayoungdstanek, I have a unique Id that is already part of the domain model19:10
dstanekyou just know the unique ID ahead of time (which we don't for endpoint id)19:10
ayoungand part of the workflow19:10
mordredjamielennox: yay!19:10
dstanekayoung: which id?19:10
ayoungthe only other thing I have that falls into that category is the endpoint_id19:10
*** radez is now known as radez_g0n319:10
ayoungurl is unique for endpoint.19:10
mordredjamielennox: when I switch to ksa in shade, I'll remove that silly little workaround19:11
*** slberger has joined #openstack-keystone19:11
*** slberger has left #openstack-keystone19:11
*** jsavak has joined #openstack-keystone19:11
*** spandhe has joined #openstack-keystone19:12
ayoungdstanek, look at it this way:  I really just want one, global policy file that all the services and endpoints use.  I want the endpoint to say "give me the right one" and let Keystone resolve it:19:12
*** htruta_ has quit IRC19:12
ayoungstart with: is there one for this endpoint.  If not, then "is there one for this service" ...19:12
ayoungthat code already exists, by the way19:13
dstanekayoung: i'm on board with what i think you want to do generally. there are two reason why i didn't like URL as the unique id. 1. have to deal with encoding which sucks and 2. some endpoints can have multiple URLs (which one do i use?)19:13
mordredendpoints should not have multiple URLs19:13
ayoungI need to run19:13
mordredif they do - how does an end user use them?19:13
ayoungback in about 1/2 hour19:13
*** ayoung is now known as ayoung-afk19:13
dstanekwhen i say endpoint i am really saying 'service process'19:13
mordredthat is different - there are definitely different service processes19:14
gyeemordred, yeah, I just confirmed it, we have different external endpoints for each service19:14
*** mgarza_ has quit IRC19:14
mordredgyee: I was just about to pastebin my hp service catalog :)19:14
gyeemordred, I just checked it myself19:14
gyeethere's region baked in too19:15
gyeeso we are OK19:15
dstanekso what do you do if the internal and external URLs point to the same daemon?19:15
gyeedstanek, they point to a VIP19:16
gyeewhich is load balanced across multiple instances19:16
mordredit sounds like there are two problems being conjoined here ... one is "what are the URLs that a consumer should use" - the other is "what are the currently existing service processes that provide a service19:17
mordredboth are interesting pieces of information - but to VASTLY different people19:17
gyeeyeah, external versus internal19:18
mordredwhether or not a service URL points to a load balancer vip or directly to a process is not interesting to a consumer - because the web is awesome19:18
gyeeright, but policies admin care about preciseness19:19
dstanekmy question continues to be which URL do you use to specify the policy? can we have different policy if the user hits the daemon via a different URL?19:19
mordredgyee: I don't think it's internal vs. external19:19
samueldmqdstanek: URL does not uniquely identify an endpoint id, that what you're saying, right?19:19
samueldmqdstanek: and this is right, we don't enforce that anywhere19:19
mordredgyee: even internal you want a service to have a URL - unless you are talking about scripts that want to target a single backend process by its rest API19:20
mordredand if that's needed, something else seems rather broken19:20
gyeesorry I gotta run too, be back in 45 mins19:21
*** mgarza has joined #openstack-keystone19:24
*** mylu has quit IRC19:24
dstaneksamueldmq: sorta. url is many-to-one with a service. a single url will only point to one service, but there may be multiple urls that point to it19:25
samueldmqdstanek: hmm, even with endpoint ids we may have some trouble ..19:25
samueldmqdstanek: different interfaces will have different endpoint ids, which one do I configure my middleware with ?19:26
dstaneksamueldmq: i have to go and read ayoung's summary spec; i've only read a few of the specs and that's not enough to understand the full picture19:26
dstanekare we using the correct terms here? is this about endpoint enforcement or server enforcement?19:26
samueldmqdstanek: sure. btw, see the SFE email to see what is targeted to L https://www.mail-archive.com/openstack-dev@lists.openstack.org/msg57416.html19:27
samueldmqdstanek: endpoint enforcement .. a service process will have a single middleware process, but can be represented by multiple endpoint ids inside keystone19:28
samueldmqdstanek: mapping to different interfaces, that's what I meant19:29
dstaneksamueldmq: so if http://keystone/v2 and http://keystone/v3 were in the catalog as separate endpoints they could potentially have different policies?19:30
*** htruta_ has joined #openstack-keystone19:31
samueldmqdstanek: we can't, we don't allow multiple policies per service process, what adam proposes is: pick one and use it19:31
*** mylu has joined #openstack-keystone19:31
samueldmqdstanek: associate the policy to the same URL you will tell middleware to fetch the policy for19:31
dstaneksamueldmq: so it's policy per service process and not endpoint19:33
samueldmqdstanek: we can't do per endpoint (as represented in keystone server)19:33
samueldmqdstanek: a single service process will read from a single policy file19:33
samueldmqdstanek: that's how we've been doing it all the time19:34
dstaneksamueldmq: yep, exactly. that's why URL seems arbitrary to me and we keep getting hung up on it19:34
*** htruta_ has quit IRC19:35
jamielennoxbknudson: have you had a chance to look at https://review.openstack.org/#/c/190940/ ? It changes behaviour slightly in the way we cache which we have discussed before but i want to make sure i get it right19:36
bknudsonjamielennox: I haven't looked at it19:37
jamielennoxbknudson: ok19:37
bknudsonjamielennox: there's a lot of reviews out there to look at.19:37
bknudsonand this one doesn't have a bug or blueprint19:37
*** piyanai has quit IRC19:38
jamielennoxbknudson: yep, i need to find other people to look at them as well, just you were following that chain19:38
*** piyanai has joined #openstack-keystone19:39
jamielennoxgyee, morganfainberg: do you mind having a look at https://review.openstack.org/#/c/190940/ - it changes the caching behaviour of auth_token middleware slightly19:44
*** ajayaa has joined #openstack-keystone19:45
stevemarjamielennox: for ksm, we don't want folks using identity_uri right?19:45
stevemarhttps://github.com/openstack/keystonemiddleware/blob/647f2ab9c437e2bcd6fd9a12a6f52a39553c9a80/keystonemiddleware/auth_token/_auth.py#L34-L3919:45
jamielennoxstevemar: it's better than auth_host, auth_port etc but it won't work with plugins19:46
morganfainbergjamielennox: im sure its fine but will look.19:46
*** jasonsb has joined #openstack-keystone19:47
*** dims has quit IRC19:48
jasonsbhi all.  i'm trying to configure openidc with keystone using steve's gist pages.19:48
jamielennoxmorganfainberg: let me know when you release the next ksa so i can recheck a bunch of these reviews19:48
jasonsbi'm stuck on openstack identity provider create part19:48
jasonsbopenstack identity provider create idp119:49
jasonsbERROR: openstack Could not change immutable attribute(s) 'remote_ids' in target IdentityProvider (HTTP 403)19:49
jasonsbadvice appreciated!19:49
jamielennoxstevemar: ^, i had this problem as well - i ended up putting it in the database directly19:49
jamielennoxmarekd: ^19:49
stevemarjasonsb: did i not include remote-ids in the instructions?19:50
*** david-lyle has joined #openstack-keystone19:50
stevemarjasonsb: `openstack identity provider create bluepages --remote-id bluepages`19:50
jasonsbstevemar: i tried this too19:50
jasonsbopenstack identity provider create idp1 --remote-id http://localhost:808019:50
jasonsbERROR: openstack Could not change immutable attribute(s) 'remote_ids' in target IdentityProvider (HTTP 403)19:50
jamielennoxstevemar: why is it immutable though?19:51
stevemarjamielennox: thats a good question, i didn't think it would be19:51
jamielennoxi thought the point was so you could add new remote idps without restarting apache19:51
stevemarjasonsb: is the idp in the table?19:51
stevemarjasonsb: `openstack identity provider list` ?19:52
*** ayoung-afk is now known as ayoung19:52
*** shaleh has quit IRC19:52
*** slberger has joined #openstack-keystone19:52
ayoungdstanek, to be honest, I don't love the URL approach myself.  I would prefer to use the endpoint ID.  But I think the URL is good enough19:52
*** slberger has left #openstack-keystone19:53
jasonsbstevemar: my provider list is empty19:53
dstanekayoung: you couldn't use the endpoint ID because there may be multiple IDs pointing to that service19:53
*** e0ne has joined #openstack-keystone19:54
jasonsbstevemar: i'm using policy v2 still19:54
dstanekayoung: that's why i said it could be identity-dfw if the cloud provider wanted to do that19:54
jasonsbstevemar: does that cause problem?19:54
stevemarjasonsb: that should be okay19:54
ayoungdstanek,  dfw?19:54
ayoungDallas Fort Worth?19:54
dstanekayoung: yeah, service_type-region or whatever19:54
dstanekthat's why i find endpoint enforcement confusing because it's really service enforcement we are talking about19:55
ayoungdstanek, have you seen the http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst  spec?19:55
jasonsbstevemar: oh, worth mentioning, i'm using juno keystone19:55
ayoungEr...API19:55
jasonsbstevemar: should i use kilo instead?19:55
stevemarjasonsb: oh that might be why19:55
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst#n22019:55
stevemarjasonsb: so try issuing the command without --remote-id, it doesn't work?19:56
*** shaleh has joined #openstack-keystone19:56
dstanekayoung: which is another reason i find this confusing...seems like we are defining another way to do this19:56
*** mylu has quit IRC19:56
jasonsbopenstack identity provider create idp119:56
jasonsbERROR: openstack Could not change immutable attribute(s) 'remote_ids' in target IdentityProvider (HTTP 403)19:56
ayoungdstanek, I planned on just using the API as written19:57
ayoungit was morganfainberg that threw this particular wrench in my plans19:57
ayounghis argument is that to use that approach, we need to register, capture the ID, then stick it in the config file...potentially restarting the service19:57
ayoungnasty, but...meh19:57
dstanekayoung: i thought you couldn't because you didn't know the endpoint ids ahead of time19:57
morganfainbergdstanek: ^^ yep19:58
ayoungdstanek, you can register the endpoint before you create the endpoint, actually.  You just need to remember the ID you get back19:58
*** mylu has joined #openstack-keystone19:58
dstanekor we just need to be able to specify the ID or "some ID" that corresponds with endpoint_id19:59
ayoungdstanek, so, the URL is a compromise;  the Config Mgmt System knows the URL it is telling to Keystone, so it can record that at the same time19:59
ayoungI ... I really don't care.  I think it is going to be a mess no matter what, as it, again, requires touching the most painful part of the system, namely the installation20:00
ayoungI wish there were a way around it.  I'm willing to listen20:00
ayounglisten intently20:00
ayoungto anyone that has a better Idea20:00
*** mgarza has quit IRC20:00
morganfainbergConsul20:01
dstanekyou still have the problem there20:01
morganfainbergAnd we could transmit policy via it's service kvs/registration20:01
dstaneki like the URL approach, but dislike the URL20:01
*** ducttape_ has joined #openstack-keystone20:01
*** diazjf has joined #openstack-keystone20:02
morganfainbergNo rest get needed. And it can be pushed on change by keystone with a lowish cost20:02
morganfainbergAnd picked up quickly on the far end20:02
morganfainbergIn fact... We could even have the endpoints push their policy up to keystone too (the local seed of truth)20:03
*** mgarza_ has joined #openstack-keystone20:03
morganfainbergThis is probably more work/out of scope for liberty20:03
morganfainbergBut it *could* be used.20:03
* morganfainberg is throwing an idea at the wall.20:04
morganfainbergdstanek: you could use an arbitrary id, i would use urls as the example though.20:05
* dstanek rolls dice20:06
*** jaosorior has quit IRC20:06
*** chlong has joined #openstack-keystone20:06
morganfainbergE.g host.tld/nova or whatever20:06
dstanek"you have died of dysentery"20:06
jasonsbstevemar: yessir.  error msg is same20:06
dstanekmorganfainberg: what i didn't like about that was the encoding needed for the spec to work20:06
stevemarjasonsb: err... try kilo :\20:06
morganfainbergdstanek: bandits have stolen your supplies20:06
jasonsbokedokey20:07
jasonsbstevemar: oddly, google doesn't have this error in it20:07
*** marzif_ has joined #openstack-keystone20:07
morganfainbergjamielennox: tagged ksa120:07
morganfainberg0.3.020:07
jasonsbstevemar: thank you for help20:07
jamielennoxmorganfainberg: cheers20:07
jasonsbstevemar: i still owe you runthrough on google oauth2 workflow for google compute engine20:08
jasonsbstevemar: is it still relevant?20:08
morganfainbergjamielennox: and it is published to pypi20:08
openstackgerritMatt Riedemann proposed openstack/keystone: Remove comment for doc building bug 1260495  https://review.openstack.org/19923920:08
openstackbug 1260495 in python-keystoneclient "Setting autodoc_tree_index_modules makes documentation builds fail" [Low,Fix released] https://launchpad.net/bugs/1260495 - Assigned to David Stanek (dstanek)20:08
jamielennoxmorganfainberg: it's still showing me 0.2.0, but i can wait for it20:08
stevemarjasonsb: ohhh that jason20:08
jasonsbstevemar: (sheepish) yes20:09
stevemarjasonsb: i think i figured that stuff out, i might need to create another oidc plugin for keystoneclient, but its all good20:09
jasonsbstevemar: i got sidetracked on google because they introduced a new format which didn't work well with my python script20:09
jasonsbstevemar: and then i never made the video20:09
stevemarah that happens20:10
jasonsbstevemar: would still like to help if there is anything.  but sounds like you're good20:10
morganfainbergjamielennox: look at keystoneauth120:10
jasonsbdo you have bp?20:10
morganfainbergjamielennox: in pypi. Totally new package place20:10
jasonsbstevemar: i would like to read20:10
jamielennoxmorganfainberg: oh - right you changed the entire package20:11
bretonwow, py3.5 has coroutines20:11
morganfainbergjamielennox: keystoneauth will become a virtual package tomorrow (ish) that will just install all keystoneauth* packages20:11
morganfainbergAt least that is my hope.20:11
*** diazjf has quit IRC20:11
stevemarjasonsb: no bp yet, basically i want to enable oidc with just an access token key20:12
stevemari have frantic notes in a notebook somewhere20:12
morganfainbergbreton: meh.20:13
morganfainbergbreton: /me20:13
morganfainbergLikes real threading and/or full processes20:13
jasonsbstevemar: you generate token via http workflow?20:13
jasonsbstevemar: and then renew from client?20:13
morganfainbergbreton: how are we looking for alembic stuff?20:15
morganfainbergbreton: since I see you here.20:15
openstackgerritMerged openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185420:16
*** marzif__ has joined #openstack-keystone20:16
*** marzif_ has quit IRC20:18
*** Ctina has quit IRC20:20
*** piyanai has quit IRC20:23
stevemarjasonsb: pretty much, authenticate with your idp via a browser, get the access pin/code whatever it's called20:24
stevemarthen use that against keystone20:24
*** marzif__ has quit IRC20:26
*** dramakri has quit IRC20:26
*** dramakri has joined #openstack-keystone20:27
morganfainbergayoung: you here?20:28
ayoungmorganfainberg, yes, but in team meeting20:28
morganfainbergayoung: ping me when done. Need to ask a question re: jacket20:29
*** ducttape_ has quit IRC20:30
*** htruta has quit IRC20:31
*** htruta has joined #openstack-keystone20:34
*** mylu has quit IRC20:41
*** jamielennox is now known as jamielennox|away20:41
*** njnjnj has joined #openstack-keystone20:42
*** piyanai has joined #openstack-keystone20:43
*** e0ne has quit IRC20:44
openstackgerritSteve Martinelli proposed openstack/keystone: Remove fileutils from oslo-incubator  https://review.openstack.org/19926620:46
stevemarbknudson: ^20:46
bknudsonstevemar: freedom from oslo-incubator!!!20:47
stevemarbknudson: i may have been too ambitious in removing openstack-common.conf20:48
stevemari think we still need it for junk in tools/20:48
bknudsonwhat about tools/colorizer?20:48
stevemary, refer to my previous comment20:48
bknudsonwe want things in color, not black and white.20:48
*** diazjf has joined #openstack-keystone20:49
mtreinishbknudson: that colorizer.py script is straight up copy and paste from nova20:49
mtreinishit's not oslo synced20:49
openstackgerritSteve Martinelli proposed openstack/keystone: Remove fileutils from oslo-incubator  https://review.openstack.org/19926620:49
stevemarbknudson: now with less deleting ^20:50
bknudsonmtreinish: http://git.openstack.org/cgit/openstack/oslo-incubator/tree/tools/colorizer.py ?20:50
*** mylu has joined #openstack-keystone20:50
bknudsonwe also have install_venv_common20:50
bknudsonstevemar: do we actually use colorizer and install_venv_common?20:51
bknudsonmaybe in run_tests20:51
*** annasort has quit IRC20:51
mtreinishbknudson: oh, that didn't use to be something you could sync20:51
*** jamielennox|away is now known as jamielennox20:52
mtreinishstevemar: yeah it's only ever been used in run_tests, or by people manually20:52
*** Akshay00 has joined #openstack-keystone20:52
mtreinishpersonally I've never understood the point of it, the colors are basically meaningless20:53
dstanekbknudson: isn't install_venv_common used to make the venv for tools/with_venv.sh?20:53
*** Lactem has joined #openstack-keystone20:54
mtreinishdstanek: yeah the run_tests.sh script ends up depending on it. tools/install_venv.py calls to install_venv_common.py20:54
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/tools/with_venv.sh20:54
dstaneki just want to get rid of run_tests.sh20:54
bknudsonI haven't used run_tests.sh in years.20:55
mtreinishbknudson: http://git.openstack.org/cgit/openstack/keystone/tree/run_tests.sh#n11220:55
mtreinishall that stuff is there just for run_tests20:55
mtreinishcolorizer: http://git.openstack.org/cgit/openstack/keystone/tree/run_tests.sh#n9120:55
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin  https://review.openstack.org/19841820:55
dstaneki wanted to remove it a while back and there were detractors20:55
*** christx2 has joined #openstack-keystone20:56
mtreinishdstanek: people love those scripts, that's another thing I've never understood20:56
christx2hi keystone20:56
bknudsonI'm guessing we'll never sync oslo-incubator again.20:56
mtreinishespecially considering I did a lot of the clean up on them a long time ago20:57
mtreinishI know how ugly they are20:57
christx2quick quetion: do we have a slideshare deck with what is going into liberty ?20:57
bknudsonwhen you need to run tests, a script called run_tests.sh seems like the logical choice20:57
mtreinishdstanek: the big thing I've heard is that run_tests lets you run without a venv20:57
mtreinishwhile tox doesn't give you that option20:57
dstanekbknudson: that's exactly why it should go! nobody uses it and new devs assume that's what they should use20:57
*** marzif__ has joined #openstack-keystone20:58
mordredyou still have a run_Tests.sh ?20:58
mordred(btw - if you want to run without a venv  ... "testr run")20:59
bknudsonmordred: how do I stop on first failure?21:00
dstanekmtreinish: tox just automates the test commands. you can always run them manually21:00
dstanekbknudson: --fastfail21:00
dstanekbknudson: (i think)21:00
mtreinishmordred, dstanek: yes exactly, but we've tried to kill this several times before and that is one argument that keeps coming back21:00
*** shaleh has quit IRC21:00
bknudsonmaybe change it to print some help instead.21:01
mordredor - just do what I do - and just push unfinished patches to the gate :)21:01
mtreinishmordred: that's my normal operating procedure too :)21:01
mordredmtreinish: sss.h don't let clarkb hear you21:02
bknudsonsetup.py: error: no such option: --fastfail21:02
mordredsorry ...21:02
njnjnjthis patch would make run_tests much more useful https://review.openstack.org/#/c/196285/21:02
mordredbknudson: failfast21:03
stevemarbknudson: thats the hope21:03
dstaneknjnjnj: i'd rather kill it21:04
Lactemlol21:04
bknudsonI think your testrepository contains all the output?21:04
stevemarmtreinish: yeah, thats the only plus side to it21:04
Akshay00destanek: nice one haha21:04
*** rdo has quit IRC21:04
stevemari had to run tests outside of venv,.... once21:04
Akshay00dstanek21:04
mordrednjnjnj: yah. that's right. it's all in testr21:05
*** amakarov is now known as amakarov_away21:05
mtreinishmordred: heh, I just blame rax for taking away my free account. Now I have to get my free cloud through a proxy21:06
LactemAkshay00: I made a new patch set: https://review.openstack.org/#/c/198071/421:06
*** rdo has joined #openstack-keystone21:06
bknudsontox -e py27 -- -- --failfast21:06
bknudsonit's not really stopping, though21:07
bknudsonmaybe one of the child procs exited21:07
dstanekbknudson: how i wish for the simple days of nose21:08
*** shaleh has joined #openstack-keystone21:08
bknudsonif we had proper unit tests that didn't take so long to run we could run in serial21:09
gyeejamielennox, looking, just got back21:09
mtreinishbknudson: it's probably related to: https://bugs.launchpad.net/testrepository/+bug/141180421:09
openstackLaunchpad bug 1411804 in Testrepository "--subunit makes --until-failure not actually work" [Undecided,New]21:09
anhhuynxI'm working on this bug: https://bugs.launchpad.net/keystone/+bug/1460492 that has to do with API calls,21:09
openstackLaunchpad bug 1460492 in Keystone "List credentials by type" [Wishlist,Triaged] - Assigned to Anh Huynh (anhx-huynh)21:09
bknudsonit must take 30 mins to run the tests in serial21:09
anhhuynxhow do you modify driver hints and DB call?21:09
*** pgbridge has quit IRC21:10
*** pgbridge has joined #openstack-keystone21:11
anhhuynxI narrowed it down to this location for API handling: https://github.com/openstack/keystone/blob/master/keystone/credential/controllers.py#L84-L9021:11
anhhuynxBut I'm not sure how to proceed with adding a new query21:11
mtreinishbknudson: it's probably something we can add a dirty hack around for in os-testr21:12
mtreinishif it's really broken with --subunit output21:12
*** dims has joined #openstack-keystone21:13
bknudsonmtreinish: failfast might only make sense when running in serial21:13
bknudsonmaybe there's an option to run in serial.21:13
*** piyanai has quit IRC21:14
bknudson(the help text doesn't mention --failfast)21:14
bretonmorganfainberg: this week, I'll prepare it for the midcycle21:14
*** piyanai has joined #openstack-keystone21:14
morganfainbergbreton: cool21:15
*** jdennis has joined #openstack-keystone21:15
mtreinishbknudson: yeah it probably only makes sense in serial, unless you want to try and sigterm all the other processes with failfast enabled21:15
mtreinishwhich seems like it would be messy21:16
*** dramakri has quit IRC21:16
dstanekbknudson: the only way i know to run in serial is the TEST_RUN_CONCURRENCY env var21:17
*** dramakri has joined #openstack-keystone21:17
*** piyanai has quit IRC21:17
dstanekmaybe test_run_concurrency is also a command line option?21:17
mtreinishdstanek: by default testr runs serially, our wrapper layers (in keystone's case from pbr) defaults the other way21:17
mtreinishdstanek: there is a flag for setup.py test to run serially21:18
mtreinishI think it's --no-parallel but I'm probably wrong21:18
dstanekanhhuynx: can you just add it to the list of filters passed into filterprotected?21:18
bknudsonTEST_RUN_CONCURRENCY doesn't seem to work.21:18
anhhuynxI tried doing @controller.filterprotected('user_id', 'type')21:19
*** Akshay00 has quit IRC21:19
dstanekbknudson: in the past i was able to set it to 1 so that it only ran a single process21:19
anhhuynxand then tried calling /v3/credentials?user_id=xxx&type=ec221:19
anhhuynxit didn't work21:20
anhhuynxit showed every type of credentials21:20
mtreinishbknudson: just call testr manually21:20
bknudsondstanek: y, I wonder if we broke it.21:20
*** iurygregory has left #openstack-keystone21:20
*** Akshay00 has joined #openstack-keystone21:20
*** Akshay00 is now known as Akshay0421:20
mtreinishit'll be serial unless you use --parallel21:20
bknudson`.tox/py27/bin/testr run -- --failfast` seems to work21:21
dstanekanhhuynx: no idea, i think you just need to debug what's happening there21:22
bknudsondstanek: btw - the keystoneclient module index is kind of messed up -- http://docs.openstack.org/developer/python-keystoneclient/py-modindex.html21:22
anhhuynxdstanek: I talked to jamielennox before, and he said I also have to modify the driver hint and DB call21:23
anhhuynxdstanek: but I really don't know how to do that21:23
dstanekanhhuynx: not sure what you have to do. do the hints get into the SQL backend's list_credentials call?21:24
*** mylu has quit IRC21:24
*** evb1007 has quit IRC21:25
dstanekbknudson: what's wrong with it? looks ok21:25
dstanekbknudson: we still have the tree here: http://docs.openstack.org/developer/python-keystoneclient/api/modules.html21:26
*** marzif_ has joined #openstack-keystone21:26
*** marzif__ has quit IRC21:26
bknudsondstanek: http://docs.openstack.org/developer/keystone/py-modindex.html -- keystone has a b c21:26
bknudsonwhereas keystoneclient only has k21:26
bknudsonso somehow keystone's index is down a level21:26
dstanekbknudson: ah, i see. i can fix that21:27
bknudsondstanek: awesome21:27
*** dims has quit IRC21:30
*** christx2 has quit IRC21:30
*** jsavak has quit IRC21:30
*** marzif_ has quit IRC21:32
*** dims has joined #openstack-keystone21:35
*** dims has quit IRC21:35
*** Guest7393 has joined #openstack-keystone21:35
*** christx2 has joined #openstack-keystone21:36
anhhuynxdstanek: I don't understand exactly how the API calls relates to the DB21:36
anhhuynxdstanek: can you explain it to me?21:36
dstanekanhhuynx: the API URLs are translated into controller calls based on the routers. in this case keystone.credentials.routers21:39
dstanekanhhuynx: then you just follow the controller to see what it calls21:39
dstanekanhhuynx: at a high level the controller generally uses a manager and that in turn uses a backend21:39
dstanekanhhuynx: the reason for the indirection is so that the backends can more easily vary (SQL, LDAP, etc)21:40
*** christx2 has quit IRC21:40
anhhuynxdstanek: Thank you. Can you explain how to "follow the controller"?21:43
anhhuynxdstanek: I'm very new to this.21:44
dstanekanhhuynx: read the logic and see what it calls21:44
*** browne has quit IRC21:44
*** topol has quit IRC21:45
dstanekanhhuynx: also you can use pdb to set breakpoints and do investigation that way21:47
*** Lactem has quit IRC21:47
*** shaleh has quit IRC21:49
jamielennoxanhhuynx: sorry - that took longer than expected, people are helping with what you need?21:51
anhhuynxjamielennox: yes, although I'm still having trouble21:51
*** piyanai has joined #openstack-keystone21:52
jamielennoxanhhuynx: anything particular or you just need to work through it?21:54
*** mgarza_ has quit IRC21:57
anhhuynxjamielennox: If I understand what dstanek said correctly, when I call the API URL, the router file translates that into method calls in the controller right?21:57
dstanekanhhuynx: yep, that's correct21:57
anhhuynxso if I do GET /v3/credentials?user_id=xxx I am basically calling the list_credentials method in the controller file21:58
dstanekanhhuynx: the routers are just mappings used by keystone's internals to know what controller method to call21:58
dstanekanhhuynx: that sounds about correct21:58
anhhuynxdstanek: parameters are also passed in the same way?21:59
anhhuynxso the list_credentials method has parameters called context and filter21:59
anhhuynxI'm assuming filter is when I do user_id=xxx21:59
anhhuynxbut what is context?21:59
*** mgarza has joined #openstack-keystone21:59
anhhuynxthe referenced code is here: https://github.com/openstack/keystone/blob/master/keystone/credential/controllers.py#L84-L9022:00
jamielennoxanhhuynx: context is like information about the current request22:00
jamielennoxanhhuynx: it has things like the user information and the token the request is being made with22:00
anhhuynxok22:01
dstanekanhhuynx: right, see https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L198-22422:01
dstanekanhhuynx: wsgi.py is the basic framework that actually calls the controller methods22:01
jamielennoxuntil dstanek gets around to replacing it22:02
dstanekjamielennox: ++22:02
openstackgerritDavid Stanek proposed openstack/python-keystoneclient: Fixes modules index generates by Sphinx  https://review.openstack.org/19932022:05
*** zzzeek has quit IRC22:05
anhhuynxand so context and filter is passed to create driver hints22:06
anhhuynxwhat are driver hints on a high level?22:06
*** zzzeek has joined #openstack-keystone22:07
dstanekanhhuynx: simple filters: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/driver_hints.py22:07
jamielennoxright, they're a generic way of passing filters to drivers22:07
anhhuynxwhat are drivers in this context?22:08
jamielennoxthe context is not passed to drivers so you need to tell things like which users as well as type etc to list credentials for22:08
jamielennoxanhhuynx: the workes22:08
jamielennoxworkers22:08
dstanekanhhuynx: drivers and backends are the same thing; the implementation to actually talk to a datastore22:09
jamielennoxlike there is an SQL driver, there may be an LDAP driver22:09
anhhuynxoh ok22:09
anhhuynxso I can think of it as synonymous to database?22:09
dstanekit's the code that interfaces with it22:09
anhhuynxI see22:09
dstaneki think you just need to spend a little time walking around the code; that will help you get a feel for things22:10
anhhuynxdstanek: I'm still inexperienced with this type of low level python code, but thank you very much for the help.22:11
jamielennoxright, try pdb - or ipdb - and try and follow through what happens when you make a request22:11
bknudsonyou calling keystone low-level ?! hehe22:12
*** g2` has quit IRC22:12
dstanekanhhuynx: yeah, that's why i think just digging in will help; it'll be intimidating at first, but you should just write down your questions and move on. i think that you'll find you'll start answering your own questions22:13
morganfainbergbknudson: low-brow?22:13
anhhuynxdstanek: thank you for the advice22:13
*** jecarey has quit IRC22:13
bknudsonmorganfainberg: y, very low-brow. We need to raise the level of abstraction22:13
dstanekanhhuynx: np, good luck. i'm sure you'll do fine22:13
anhhuynxjamielennox: thank you for your help too.22:13
*** g2` has joined #openstack-keystone22:15
*** njnjnj has quit IRC22:15
*** Raildo_ has joined #openstack-keystone22:20
morganfainbergbknudson: sounds good. lets do eet22:20
*** njnj` has joined #openstack-keystone22:22
*** njnj` has quit IRC22:22
*** diazjf has quit IRC22:23
openstackgerritDavid Stanek proposed openstack/oslo.policy: Fixes up the API docs and module index  https://review.openstack.org/19932822:24
dstanekyou know what they say about abstraction...one more layer to simplify the top and make the bottom that much more complicated22:25
bknudsondstanek: going to pyohio?22:25
dstanekbknudson: of course. you?22:26
bknudsondstanek: no, too far22:26
bknudsondhellmann said he'd be there22:26
bknudsonflask: http://www.pyohio.org/schedule/presentation/184/22:26
dstanekbknudson: cool. i was asking him about submitting something22:27
dstanekthe guy who is doing that talk put together pytennessee22:28
anhhuynxjamielennox: If i want to use pdb for debugging, which file would I call on?22:28
anhhuynxcall it on*22:28
jamielennoxanhhuynx: i would use the import ipdb; ipdb.set_trace() syntax so it will trigger when the command is hit22:29
dstanekif you run it during the unit tests you should use 'tox -e debug'22:29
*** shaleh has joined #openstack-keystone22:31
*** bknudson has quit IRC22:31
*** piyanai has quit IRC22:32
*** edmondsw has quit IRC22:33
dstanekwhoa...this fixes a very, very old bug: https://review.openstack.org/#/c/198071/422:34
lifelessmorganfainberg: what was the project you started using extras on ?22:35
morganfainberglifeless: hmm? none yet afaik22:35
morganfainberglifeless: but we want to22:35
*** henrynash has joined #openstack-keystone22:35
*** ChanServ sets mode: +v henrynash22:35
lifelessah kk22:36
morganfainbergafaik keystone and keystonemiddleware would be the targets22:36
*** gordc has quit IRC22:36
morganfainbergkeystone for the different backends/deps, and ksm for caching22:36
morganfainberglifeless: if i am remembering what extras is (aka pip install keystone[ldap] ?)22:36
*** ASDFJKL has joined #openstack-keystone22:37
*** browne has joined #openstack-keystone22:37
*** ASDFJKL has quit IRC22:37
*** solomon_greenber has joined #openstack-keystone22:38
*** solomon_greenber has quit IRC22:38
*** csoukup has quit IRC22:40
lifelessyeah22:41
lifelesssomeone wanted an example was all22:41
lifelessI've refreshed my oslo.db patch22:42
*** Raildo_ has quit IRC22:43
*** hrou has quit IRC22:44
*** Lactem has joined #openstack-keystone22:44
Lactemdstanek: That's my patch! : D22:44
jasonsbstevemar: you're right sir.  kilo got past where i was stuck22:45
jasonsbstevemar: openstack identity provider create idp1 --remote-id http://localhost:8080 is working22:45
*** jk|osx has joined #openstack-keystone22:45
jasonsbstevemar: i hope i have the syntax right22:46
dstanekjasonsb: i think that every time i push a new commit :)22:46
*** njnjnj has joined #openstack-keystone22:46
*** chlong has quit IRC22:46
jasonsbdstanek: don't worry pep8 will find it.  even if it's not there22:47
Lactem^^^^^^^22:47
dstanekonce i push it's not my problem22:48
*** jkomg has quit IRC22:48
dstanekif a bug is never found does it actually exist22:48
dstanekLactem: yes22:48
dstaneknjnjnj: do you really use run_tests.sh?22:49
lifelessand there is proof that code never des22:49
lifelessdies22:49
Lactemdstanek: Are you yessing that the bug actually exists? If so, why are you just yessing me?22:49
dstanekLactem: your review22:49
LactemOh.22:49
Lactemty22:49
LactemDoes that mean +2?22:49
LactemWait my review or my patch?22:50
njnjnjdstanek: not really i was just trying to add that feature since it seems like some people do use run_tests22:50
dstanekLactem: your patch...i just have to circle back around to it. at this rate i'm about 20 reviews away22:50
LactemAlright. Good to hear!22:50
LactemYou had 170 earlier, so 20 doesn't sound like a lot to me anymore.22:51
dstanekLactem: i use a couple of different things that show me what reviews i have to do and one neat thing is that they are prioritized partially by things i've already reviewed floating to the top. i go nowhere near the 17022:53
LactemOh.22:53
dstanekLactem: depending on what gets submitted between now and when i get to your review it may be bumped a little further down the list22:53
LactemGood luck. Happy reviewing.22:54
dstanekthere's typically nothing happy about it :-)22:54
dstanekalthough on the bright side, I could be stuck writing Java!22:55
Akshay04^^^^^22:55
anhhuynxJava isn't so bad :(22:55
LactemUmm Java is so much better than Python, though.22:55
Akshay04^^^^^^^ agreed22:55
LactemI would argue this right now, but I don't want to distract you from getting around to my patch.22:55
dstaneki spent too many years doing Java. i'll never go back22:55
dstanekhaha22:55
LactemAkshay04: You just agreed with both sides of the argument...22:56
anhhuynx^22:56
Lactemdstanek: I like Java because I actually understand it well, unlike Python.22:56
dstanekit's 7PM here, i'm on break doing other things for a little while22:56
dstanekLactem: once you understand Python and the philosophy you'll want to stick with it22:56
anhhuynxpython is easier to understand than java though22:56
*** Rockyg has quit IRC22:57
LactemAh alright. I probably wouldn't get second +2 by tomorrow anyway.22:57
anhhuynxand also it looks nicer22:57
LactemIt kind of looks nice.22:57
LactemBut Java is just so much better for me because I know it.22:57
dstanekLactem: i've been doing python for a little over 15 years now. there's no hope of me turning back now22:58
LactemAnd I much prefer coding in an IDE over Vim. The most annoying thing about Python for me is that you can't look at all the classes to see the methods and what they do. I have to do assertEqual(None, dir(variable)) in order to see the functions.22:58
morganfainbergdstanek: we should rewrite keystone in Rust22:58
Lactemdstanek: I've been doing life for little over 15 years now.22:58
dstanekmorganfainberg: i'm not a rust fan; how about something like erlang or haskell?22:59
morganfainbergdstanek: eeeuuuuwww functional?22:59
dstanekLactem: i use vim and love it. you need ctags22:59
Lactemdstanek: I'll look into it.23:00
morganfainbergdstanek: how about C++23:00
*** topol has joined #openstack-keystone23:00
*** ChanServ sets mode: +v topol23:00
*** r-daneel has quit IRC23:00
dstanekLactem: also with python there are several good IDEs. i think the JetBrains one is free for open source development23:00
* bigjools hopes nobody says Go23:00
morganfainbergdstanek: we could write it as an apache module: mod_keystone23:00
dstanekmorganfainberg: C sure, C++ hurts my brain23:00
morganfainbergbigjools: ^ trust me, apache_module would be worse23:00
bigjools:)23:00
Lactemdstanek: But not from a VM.23:01
morganfainbergdstanek: C++ shouldn't hurt your brain more than python23:01
*** topol has quit IRC23:01
*** Akshay04 has quit IRC23:01
morganfainbergdstanek: now apache bucket brigade code...23:01
morganfainbergthat is a different story23:01
dstanekLactem: usually editors allow you to edit remotely - i use macvim to edit things on cloud nodes23:01
njnjnjI have some c++ experience23:01
LactemInteresting. I only know how to edit on vim with putty on the VM right now.23:02
morganfainbergdstanek: lets use pascal..or cobol23:02
morganfainbergdstanek: wait wait... i know... this is a perfect app to write in ColdFusion23:02
morganfainbergnodejs?23:02
dstanekif you are going that direction then PHP - it's known for its security23:03
dstaneksolid choice23:03
njnjnjhow about assembly the performance gainz23:03
morganfainbergdstanek: lets write the upstart/systemd/etc interfaces in php (the shell scripts) and then we need to use Ruby on Rails for keystone itself23:03
dstanekwe may just need a new "cloud" language; a new paradigm to write the cloud operating system23:03
morganfainbergdstanek: we totally need to make a standard so everyone can standardize on it and talk the same language23:04
LactemGood talk guys. See you tomorrow.23:04
morganfainbergdstanek: /xkcd23:04
morganfainbergLactem: sorry just a little punchy23:04
morganfainbergLactem: didn't mean to scare you off/hijack the convo23:04
LactemHaha no you didn't. It's just about time for me to go.23:05
morganfainberghave a good day then23:05
LactemYou too23:05
*** Lactem has quit IRC23:05
*** njnjnj has quit IRC23:06
openstackgerritDavid Stanek proposed openstack/keystone: Fixes docstring to make it more precise  https://review.openstack.org/19933823:07
openstackgerritJamie Lennox proposed openstack/keystone-specs: IDP specific websso  https://review.openstack.org/19933923:08
gyeemorganfainberg, bknudson, can I get a verdict on this one? https://review.openstack.org/#/c/194733/23:11
gyeemay need to backport to Kilo as well23:11
dstanekgyee: guilty?23:11
gyeehah23:11
*** thedodd has quit IRC23:11
morganfainbergdstanek: special circumstances23:11
morganfainbergdstanek: so.. not just guilty :P23:11
gyeeheh23:12
dstaneksorry..too much people's court23:12
gyeejudge judy23:12
morganfainbergquery = u'(&%s%s)' % (query or '', ''.join(filter_list))23:12
morganfainbergwouldn't that work?23:12
gyeeit would, but I like it easier to read23:13
gyeebasically, query need to be a string23:13
dstanekgyee: is someone passing query=None into the filter_quest method?23:14
gyeedstanek, yes23:14
dstanekerr...filter_query23:14
gyeeit is None by default23:14
dstanekit's '' by default23:14
morganfainbergdstanek, ++23:14
dstanekshouldn't it be caught up there instead of in a loop?23:15
gyeeup where?23:15
morganfainbergdstanek: yes23:15
openstackgerritMerged openstack/keystone: Fix code-block in federation documentation  https://review.openstack.org/19920823:15
morganfainbergdstanek: someone is overriding the arg with None23:15
morganfainberginstead of just not passing it23:15
gyeeit's passing down from identity backend23:15
gyeeone sec23:15
bigjoolsmorganfainberg: so unless I am reading things badly, does the ldap driver really need write access to store group memberships?23:15
morganfainberggyee: at the top if query is None: query = ''23:15
morganfainbergbigjools: the ldap driver only needs that power if run in read/write mode23:16
morganfainbergbigjools: typically it's run in read-only, all writes fail23:16
bigjoolswould that mean that group memberships won't work?23:16
bigjoolsor is there another mechanism?23:16
morganfainbergbigjools: you'd manage group memberships in LDAP directly23:16
morganfainbergnot via keystone23:16
bigjoolsah ok23:17
morganfainbergfor SAML you'd map the users into a group [possibly something in a SQL domain]23:17
morganfainbergbut you could also use a group from LDAP23:17
bigjoolsone of my constraints is that we can't rely on LDAP *at all* for group info23:17
morganfainbergnothing in the identity store is directly changed for federated-ephemeral users23:17
gyeemorganfainberg, dstanek, it's passing down from here https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L39923:17
bigjoolsI'm looking at potentially mapping to local users23:18
morganfainberggyee: so either we should fix it higher up to *not* pass if None, or at the top of the method if query is None: query = '' [actually if not isinstance(string) is probably more correct]23:18
morganfainbergbigjools: then you use groups in an SQL backed domain23:18
dstanekmorganfainberg: gyee: yes, i agree. i commented on the review, but if you can fix it even higher up I think you should23:18
bigjoolsmorganfainberg: right - but that doesn't work with just LDAP, right?23:19
*** shaleh has quit IRC23:19
bigjools(ignoring federation for now)23:19
openstackgerritDavid Stanek proposed openstack/keystone: Can we really get rid of oslo and run_tests.sh?  https://review.openstack.org/19934323:20
gyeedstanek, line 1689?23:20
gyeebuild_filter is nested func23:20
morganfainbergbigjools: you would need the identity driver to either be SQL, with an ldap-specific driver for the domain users are in, or LDAP identity driver, and then override a specific domain for a SQL back23:20
gyeeit does not use query yet23:20
morganfainbergbigjools: in both cases, it's V3 only23:20
morganfainberggyee: before the for loop23:21
morganfainberggyee: just not in the loop itself23:21
*** jk|osx has quit IRC23:21
gyeemorganfainberg, it's not in any loop23:21
morganfainbergprobably before "if hints"23:21
*** shaleh has joined #openstack-keystone23:21
gyeecan't, if hints is None, we need to return None23:21
dstanekgyee: yes, in the outer method23:21
gyeeotherwise, it will break LDAP filter23:21
morganfainbergno23:21
morganfainbergquery != None there23:22
morganfainbergquery should be ''23:22
gyeecan't23:22
morganfainbergthen our whole system is broken23:22
gyeequery needs to be either an LDAP query or None23:22
gyeecan't be an empty string23:22
morganfainbergit shouldn't default to '' in the method signature23:22
morganfainbergotherwise it is also very broken23:22
morganfainbergor we shouldn't do blind substitutions.23:23
gyeeyes, that code needs a whole lot of refactoring23:23
gyeeone thing at a time :)23:23
morganfainberggyee: so if it *needs* to be None not ''23:23
morganfainbergfix the method sig too23:23
bigjoolsmorganfainberg: ok thanks23:23
morganfainbergotherwise we can return '' if hints is None23:23
bigjoolssounds like coding work :)23:24
morganfainbergbigjools: and the hybrid driver i wrote needs to die a horrible death :P23:24
gyeemorganfainberg, k, lemme fix the method sig, don't think the default is being used anywhere23:24
bigjoolsmorganfainberg: that's my plan :)23:24
morganfainberggyee: yeah it's one of those "be consistent in expectations"23:24
gyeeyou got it boss23:24
morganfainberggyee: otherwise we haven't fixed the issue, we end up with other problems.23:24
morganfainbergwe just get different stack traces potentially23:25
gyeeafaict, that default is not being used23:25
morganfainbergthe other option is not to pass query to the LDAP connector code if string is ''23:25
morganfainberggyee: then why is it a default? ;)23:25
morganfainbergmaybe we shouldn't provide a default23:26
dstanekgyee: what breaks if an '' is returned instead of a None?23:26
*** dramakri has left #openstack-keystone23:26
morganfainbergdstanek: python-ldap afaict23:26
gyeedstanek, '' is not a valid LDAP filter23:26
morganfainbergdue to crap coding on their end23:26
dstanekhmmm...odd. i started digging into the callers then they all seem to use boolean logic on the return value23:27
dstaneki'll just write it off as "not my mess" for right now23:28
morganfainbergdstanek: python-ldap should be removed in favour of ldap3 if we are putting any energy into it23:28
gyeedstanek, if you continue to follow the rabbit hole, it will eventually end up in here https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L145823:28
gyeethat's where if ldap_filter is None it will use the default one23:28
dstanekgyee: that's what i was looking at23:29
gyeebut if we pass '', we will end up in a world of shit23:29
dstanekthat logic should work fine with None or ''23:29
morganfainbergdstanek: it's because we already constructed a filter23:29
morganfainberg&(objectclass=*)(group='')23:29
morganfainbergisn't valid23:29
dstanekwhere does that get constructed?23:30
morganfainbergit's just really really bad filter construction23:30
morganfainbergdstanek: don't look too deep, it's a rat's nest of code23:30
lifelessartisanal filters 4 lyfe23:31
gyeedstanek, morganfainberg, sorry, I see what you mean now, I'll move the code up23:31
gyeeand fix the method sig23:32
morganfainberggyee: hehe23:32
morganfainberglifeless: worse.. python-ldap + artisanal filters23:32
gyeemorganfainberg, you agree we also need backport to Kilo?23:32
*** hrou has joined #openstack-keystone23:32
morganfainberggyee: do we have cases of people really hitting this?23:33
gyeemorganfainberg, yes, our QA discovered it with just the default attributes against openldap23:33
bigjoolsmorganfainberg: hypothetically, if I did a change to make the LDAP driver pull group info from SQL backing for a configured list of domains, is that something upstream would take?23:33
morganfainbergbigjools: the thing is you don't need to change code really to do that23:34
dstanekthis is my favorite review title of all time:23:34
dstanekJesse Pretorius proposed stackforge/os-ansible-deployment: Enable all services to use Keystone 'insecurely'  https://review.openstack.org/19930723:34
bigjoolsmorganfainberg: oh! tell me more ...23:34
morganfainbergbigjools: create a group in SQL - add user <from ldap> to group23:34
morganfainbergbigjools: ???; profit23:34
morganfainbergagain, requires V323:35
bigjoolsumm ok maybe I misread the code, I thought it always went to ldap23:35
dstanekgyee: let me know if you need another -1 on something; itchy trigger finger this evening23:35
morganfainbergbigjools: this requires the multi-domain (with specific domains having different identity drivers) configured23:35
gyeedstanek, go for it, I am uploading another patch23:35
morganfainberggyee: -123:36
morganfainberggyee: -(-2)?23:36
gyeethanks, may I have another one?23:36
gyeenooooh23:36
morganfainberg*cough* do the math23:36
anhhuynxdstanek: It seems that I have been modifying the wrong files the whole time which is why my code isn't working23:36
anhhuynxdstanek: how do you find the file that handles API calls in devstack?23:37
bigjoolsmorganfainberg: so there's already a driver that pulls users from ldap and groups from sql? sorry for being thick, still learning things.23:38
morganfainbergbigjools: you can configure a specific domain to use a different backing store23:38
bigjoolsthat makes sense23:39
morganfainbergbigjools: so you'd either configure one of the domains to be LDAP or you'd configure one to be SQL23:39
morganfainbergin a domain that is SQL backed - you create the groups23:39
morganfainbergthen add the users from LDAP to the SQL groups.23:39
openstackgerritguang-yee proposed openstack/keystone: Fix for LDAP filter on group search by name  https://review.openstack.org/19473323:39
morganfainbergit *should* work.23:39
morganfainbergafaicr23:39
bigjoolsah ok - it's the manually adding things I want to avoid23:39
gyeemorganfainberg, dstanek, patch #323:40
dstanekanhhuynx: what do you mean?23:40
openstackgerritMerged openstack/keystone: Remove comment for doc building bug 1260495  https://review.openstack.org/19923923:40
openstackbug 1260495 in python-keystoneclient "Setting autodoc_tree_index_modules makes documentation builds fail" [Low,Fix released] https://launchpad.net/bugs/1260495 - Assigned to David Stanek (dstanek)23:40
morganfainbergbigjools: you're going to have to do some manual things unless you manage groups in LDAP directly23:40
morganfainbergbigjools: which case - it's someone else's problem23:40
* morganfainberg likes SEPs23:40
*** stevemar has quit IRC23:40
bigjoolsheh :)  well that was the point of my suggestion, pulling users from LDAP and their group memberships from SQL (which is fine to manually maintain)23:40
morganfainbergbigjools: the automatic mapping is a federated thing.23:40
gyeebtw, we don't support nested LDAP groups23:41
morganfainberggyee: we don't support referral chasing either really23:41
gyeenor do we support memberOf23:41
anhhuynxdstanek: I'm not sure you are using the same development environment as I am, but it seems that the keystone repository i'm working on isn't the one handling the API call23:41
bigjoolsconsider large enterprises that have an existing LDAP server, and they are not willing to make any changes to it23:41
morganfainbergi don't know how you get automatic group management your way23:42
dstanekanhhuynx: if you are working in a devstack env it uses the code from /opt/stack/keystone23:42
bigjoolsit's not automatic23:42
morganfainbergyou still need users -> groups somehow23:42
morganfainbergi don't want to make drivers that source some things from LDAP and somethings from SQL23:42
dstanekyou'll have to restart keystone though <- anhhuynx23:42
morganfainbergit's what the multi-driver story is for23:42
morganfainbergwe just require it to be a V3 story23:42
bigjoolsthe existing ldap driver puts groups in a particular user attribute, I would just want to switch that to an SQL source23:43
morganfainbergbigjools: a lot of times the groups in LDAP already mirror the applications someone wants to manage23:43
morganfainbergbigjools: or security wants to do so.23:43
anhhuynxdstanek: what do you mean?23:43
morganfainbergbigjools: i'm clearly missing what benefit you're describing by doing a hybrid driver23:44
dstanekanhhuynx: about the location or restart?23:44
morganfainbergvs. what i'm describing23:44
anhhuynxdstanek: about the restart23:44
morganfainbergbigjools: you could configure keystone to never return a group via the config if you're worried someone would assign a role to an LDAP group23:44
dstanekanhhuynx: assuming you ran ./stack.sh you have an instance of keystone running. if you change the code you will have to restart the instance to load the changed code23:45
morganfainberg(objectClass="NotAValidObjectClass")23:45
morganfainbergwill never return match23:45
anhhuynxdstanek: oh ok23:45
dstanekanhhuynx: if it's running under apache you can just restart that. i don't remember what current devstack uses23:45
bigjoolsmorganfainberg: ignoring federation, it's the situation where we have an existing enterprise LDAP that we cannot write to, nor are they willing to make changes to group info23:45
anhhuynxdstanek: thank you very much23:45
dstanekanhhuynx: np23:45
morganfainbergbigjools: so, configure keystone with another domain to be SQL backed23:45
morganfainbergbigjools: assign the LDAP user into a group in that SQL backed domain23:46
morganfainbergassign roles to SQL group23:46
morganfainbergwin23:46
bigjoolsbut that means manually configuring the user in SQL?23:46
morganfainbergoh nvm23:47
morganfainbergyou can't we explicitly deny this23:47
bigjoolsok23:47
morganfainberghttps://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L937-L93823:47
morganfainbergyou can't bridge backends23:48
morganfainbergbigjools: /me doesn't remember that code. but eh lots of code in keystone23:48
bigjools:)23:48
morganfainbergyou could make an RFE to somehow allow that23:48
morganfainbergbut i personally am against having an in-tree driver that straddles these things23:49
bigjoolsit sounds non-trivial23:49
bigjoolswell, invasive I mean23:49
bigjoolsfair enough23:49
morganfainbergbigjools: probably a simple config to allow domain X to have users in groups where the users are in domain Y23:49
*** TheIntern has quit IRC23:49
morganfainbergwould probably be easy code and not too invasive23:49
morganfainbergbut it would be an RFE23:50
bigjoolsyeah23:50
morganfainbergand likely not until M-cycle23:50
bigjoolsI think federation recognises this problem FWIW, with the group mapping stuff.23:50
morganfainbergbigjools: federation was designed in a very different manner23:51
bigjoolssure23:51
* morganfainberg recommends federation where possible for non-service users.23:51
*** gyee has quit IRC23:51
bigjoolsI have an odd situation that I think you're aware of :)23:52
morganfainbergyeah i know your customers23:52
morganfainbergand i know the PITA you're stuck in atm23:52
morganfainbergi regret some of those choices.23:53
bigjoolswebsso with K2K would fix things, but I need a solution that works RSN23:55
openstackgerritDoug Fish proposed openstack/python-keystoneclient: List federated projects from keystoneauth  https://review.openstack.org/19934723:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!