Wednesday, 2015-07-08

richm	question about `openstack project set $proj --domain $domain`	00:02
richm	does this allow you to change the domain to which the project belongs, or does it allow you to specify the domain to which $proj belongs and change some other field like --description?	00:02
richm	If I specify project set $project_id --domain newdomain, can I move $project_id to domain 'newdomain'?	00:03
*** Guest7393 has quit IRC		00:04
morganfainberg	richm: projects cannot be moved between domains	00:06
morganfainberg	richm: for security reasons. it used to be allowed (and we have an option to turn that on)	00:07
morganfainberg	but it is really insecure	00:07
morganfainberg	don't do it	00:07
richm	morganfainberg: ok - thanks - that makes my life a lot easier	00:08
morganfainberg	yay	00:08
morganfainberg	happy to make your life easier	00:08
*** gyee has joined #openstack-keystone		00:09
*** ChanServ sets mode: +v gyee		00:09
jasonsb	appreciate advice from anybody who would like to field a kilo keystone + openidc question	00:11
jasonsb	its close	00:11
jasonsb	but keystone.contrib.federation.utils [-] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral'}, 'group_names': []} process /usr/local/keystone/keystonenv/local/lib/python2.7/site-packages/keystone/contrib/federation/utils.py:476	00:11
jasonsb	Authorization failed. Unable to find valid groups while using mapping idp1_map (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from ::1	00:11
*** anhhuynx has quit IRC		00:11
*** mgarza has quit IRC		00:11
jasonsb	im missing something still	00:11
*** chlong has joined #openstack-keystone		00:11
gyee	jasonsb, are you sure the group in the mapping is valid?	00:14
jasonsb	openstack group list	00:15
jasonsb	+----------------------------------+------------+	00:15
jasonsb	\| ID \| Name \|	00:15
jasonsb	+----------------------------------+------------+	00:15
jasonsb	\| dcca514a7d754f059a1a8d5e2d1fe04a \| developers \|	00:15
jasonsb	+----------------------------------+------------+	00:15
jasonsb	openstack mapping show idp1_map	00:15
jasonsb	+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+	00:15
jasonsb	\| Field \| Value \|	00:15
jasonsb	+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+	00:15
jasonsb	\| id \| idp1_map \|	00:15
jasonsb	\| rules \| [{u'remote': [{u'type': u'HTTP_OIDC_ISS', u'any_one_of': [u'http://localhost:8080']}], u'local': [{u'group': {u'id': u'dcca514a7d754f059a1a8d5e2d1fe04a'}}]}] \|	00:15
jasonsb	+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+	00:15
jasonsb	gyee: think so	00:15
jasonsb	gyee: but i have no idea what i'm doing :)	00:15
gyee	I am guessing you don't have HTTP_OIDC_ISS in the request env	00:19
gyee	or it does not contain the value 'http://localhost:8080'	00:19
jasonsb	gyee: i think your right	00:20
jasonsb	gyee: i hadn't mentally got that far. let me try	00:21
jasonsb	gyee: opps, no its there	00:22
jasonsb	'HTTP_OIDC_ISS': 'http://localhost:8080/openid-connect-server-webapp/'	00:22
jasonsb	gyee: but its not exact mathc. i should fix that probably	00:22
gyee	yep	00:22
jasonsb	gyee: yay you were right	00:23
*** dims has joined #openstack-keystone		00:23
jasonsb	String length exceeded.The length of string '01921.FLANRJQW%40http%3A//localhost%3A8080/openid-connect-server-webapp/' exceeded the limit of column user_id(CHAR(64)).	00:23
gyee	yay!	00:23
jasonsb	:)	00:23
jasonsb	next problem	00:23
*** jamielennox is now known as jamielennox\|away		00:24
*** sigmavirus24 is now known as sigmavirus24_awa		00:27
gyee	add { "type": "openstack_user"}, to "remote"	00:28
gyee	and add {"user": {"name": "{0}"}}, to "local"	00:30
*** iurygregory has joined #openstack-keystone		00:31
*** spandhe has quit IRC		00:31
*** jamielennox\|away is now known as jamielennox		00:35
*** zzzeek has quit IRC		00:39
*** spandhe has joined #openstack-keystone		00:42
*** piyanai has joined #openstack-keystone		00:42
openstackgerrit	Merged openstack/keystone: Do not specify 'objectClass' twice in LDAP filter string. https://review.openstack.org/198270	00:52
jasonsb	gyee: i think we are close	01:02
jasonsb	gyee: http://localhost:5000/v3/OS-FEDERATION/identity_providers/idp1/protocols/oidc/auth/	01:02
jasonsb	gyee: gives	01:02
jasonsb	gyee: "token": {"methods": ["oidc"], "expires_at": "2015-07-08T02:01:58.973753Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "idp1"}, "protocol": {"id": "oidc"}, "groups": [{"id": "dcca514a7d754f059a1a8d5e2d1fe04a"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "01921.FLANRJQW", "name": "01921.FLANRJQW"}, "audit_ids": ["iPDB4PyxSPO4g73TUAZrpw"], "issued_at": "2015-07-08T01:01:58.9737	01:03
jasonsb	92Z"}}	01:03
jasonsb	gyee: i just need to get a keystone uuid token now i think	01:03
gyee	right, you can rescope it to a scoped token and ready to do some damage :)	01:04
jasonsb	gyee: how to rescope?	01:04
jasonsb	gyee: i was just trying that	01:04
jasonsb	gyee: my v3 is weak	01:04
gyee	your unscoped token is in the X-Subject-Token header	01:05
gyee	use it to get a list of projects you have access to	01:05
gyee	curl -H 'X-Auth-Token: <unscoped token>' http://localhost:5000/v3/OS-FEDERATION/projects	01:07
gyee	and rescope to one of the projects you want to access	01:07
gyee	https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#the-token-authentication-method	01:09
*** btully has quit IRC		01:09
ayoung	jamielennox, so, once I do an automated install of ipa, I need to run some IPA commands. The only account I have is admin, and I don't think I can kinit in an automated manner. If I fetch a keytab, I lock out the admin user (keytab removes the ability to do password auth)	01:16
ayoung	I can't do the old hack of echo $PASSWORD \| kinit admin	01:17
ayoung	I know this is a feature, but...I need to come up with a workaround for setting up the Federation stuff via ansible	01:17
*** shaleh_ has joined #openstack-keystone		01:17
ayoung	I can do something locally like generate a krb5.conf file and use that to kinit with a custom ccache even.	01:18
ayoung	but not from ansible...I think	01:18
*** davechen1 has joined #openstack-keystone		01:19
*** shaleh has quit IRC		01:20
*** davechen has joined #openstack-keystone		01:23
ayoung	ah...shelll command allows redirection	01:23
*** dims_ has joined #openstack-keystone		01:24
*** dims_ has quit IRC		01:24
*** davechen1 has quit IRC		01:25
*** dims has quit IRC		01:27
*** hogepodge has quit IRC		01:29
*** stevemar has joined #openstack-keystone		01:29
*** stevemar has quit IRC		01:30
jamielennox	ayoung: can't you like ssh -A or whatever the command is for kerb	01:31
ayoung	jamielennox, yeah, I did	01:31
jamielennox	i guess that would require you had a kinit on the local machine which you don't necesarily want	01:31
ayoung	- shell: echo FreeIPA4All \| kinit admin	01:31
*** woodster_ has quit IRC		01:31
ayoung	I'll replace the password with {{ ipa_admin_password }}	01:31
*** spandhe has quit IRC		01:32
ayoung	jamielennox, I have a feeling the ipa team is going to need to write some ansible modules in the not-too-distant-future. Would be nice if the ipa-client could "be" that module	01:34
openstackgerrit	janonymous proposed openstack/keystone: Python 3: Replace assertRaisesRegexp to its six implementation https://review.openstack.org/193866	01:34
jamielennox	ayoung: https://github.com/purpleidea/puppet-ipa	01:35
jamielennox	no idea how good they are	01:35
jamielennox	but if it can do a server that would be cool	01:36
ayoung	jamielennox, so, I mean more like "add a user" in an idempotent way	01:36
*** shaleh_ has quit IRC		01:36
ayoung	maybe just a "don't report the error if the user already exists" param for the cli	01:36
jamielennox	https://github.com/purpleidea/puppet-ipa/blob/master/examples/simple-usage3.pp#L13	01:37
jamielennox	still i expect there will need to be something official	01:37
*** hogepodge has joined #openstack-keystone		01:41
jamielennox	morganfainberg: can you take a look at https://review.openstack.org/#/c/192499/2 - just a py3 issue on the keystoneclient/keystoneauth branch	01:42
*** fangzhou has quit IRC		01:55
jasonsb	gyee: thank you	01:57
jasonsb	gyee: its working	01:57
jasonsb	gyee: i got unscoped token and passed it into projects and got the list	01:58
jasonsb	gyee: i dind't rescope it yet, but i'm sure its going to work	01:58
jasonsb	gyee: very very cool. thanks a bunch	01:58
*** Ctina has joined #openstack-keystone		01:58
*** Ctina has quit IRC		01:58
gyee	jasonsb, you're welcome, have fun :)	01:59
jasonsb	gyee: will do. this is fun	01:59
*** jasonsb has quit IRC		02:00
*** lhcheng has quit IRC		02:02
*** chenhong has joined #openstack-keystone		02:03
*** gyee has quit IRC		02:04
*** btully has joined #openstack-keystone		02:07
*** darrenc is now known as darrenc_afk		02:12
*** piyanai has quit IRC		02:21
*** piyanai has joined #openstack-keystone		02:22
*** stevemar has joined #openstack-keystone		02:30
*** piyanai has quit IRC		02:30
*** piyanai has joined #openstack-keystone		02:30
*** stevemar has quit IRC		02:34
openstackgerrit	Merged openstack/keystone: Delete extra parentheses in assertEqual message https://review.openstack.org/198990	02:35
openstackgerrit	Merged openstack/keystone: Modified command used to run keystone-all. https://review.openstack.org/198924	02:41
*** piyanai has quit IRC		02:45
*** piyanai has joined #openstack-keystone		02:46
openstackgerrit	Merged openstack/keystone: Remove fileutils from oslo-incubator https://review.openstack.org/199266	02:51
*** hakimo_ has joined #openstack-keystone		02:52
*** Kennan2 is now known as Kennan		02:53
*** hakimo has quit IRC		02:54
*** stevemar has joined #openstack-keystone		02:56
chenhong	hi, all. May I ask for review for these two changes: https://review.openstack.org/#/c/197184/ and https://review.openstack.org/#/c/187899/	02:59
*** fangzhou has joined #openstack-keystone		03:02
*** csoukup has joined #openstack-keystone		03:10
*** Lactem has joined #openstack-keystone		03:23
*** spandhe has joined #openstack-keystone		03:25
*** dikonoor has joined #openstack-keystone		03:25
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove convert_to_sqlite.sh https://review.openstack.org/199388	03:27
stevemar	morganfainberg: i have on idea why that file exists ^	03:28
stevemar	no*	03:28
morganfainberg	lol	03:29
morganfainberg	+2	03:29
*** darrenc_afk is now known as darrenc		03:29
*** spandhe_ has joined #openstack-keystone		03:30
dstanek	stevemar: nice; i proposed a patch to rip out all of the other incubator stuff	03:30
stevemar	dstanek: saw it and commented :)	03:32
*** spandhe has quit IRC		03:32
*** spandhe_ is now known as spandhe		03:32
dstanek	stevemar: if people are interested i'll have to write a real commit message	03:33
dstanek	i really just wanted to see what it would look like	03:33
stevemar	yeah, i had the same opinion with my patch	03:33
dstanek	stevemar: to answer your question you can just run the testr commands	03:34
dstanek	tox just automates running commands in a given venv; you can always run them yourself	03:34
stevemar	dstanek: yep, it runs nose or whatever underneth the covers	03:35
stevemar	but it wasn't as easy as just running run_tests	03:36
stevemar	dstanek: looks like morganfainberg wants that sql script out :)	03:38
morganfainberg	lol	03:38
morganfainberg	i'm fine with it being removed.	03:38
*** kiran-r has joined #openstack-keystone		03:38
morganfainberg	or to be caught in the incubator removal	03:38
morganfainberg	or whatever.	03:39
stevemar	morganfainberg i have no idea why it's there	03:39
dstanek	it looks like termie added it when he was converting some mysql tests in 700a397a64bf984ef4c56aec8cc597f212e1f459	03:40
davechen	dstanek: hi David,	03:41
davechen	dstanek: there is patch which has a long history, https://review.openstack.org/#/c/134124/.	03:41
Lactem	davechen: Hey Dave!	03:41
davechen	dstanek: you should know the context and backgroud.	03:42
davechen	Lactem: hi,	03:42
davechen	dstanek: Can we clean that up?	03:42
Lactem	IRC after hours... I'm not sure if you remember me (one of the new interns).. You commented on my first bug. (It got merged by the way. Thanks.)	03:42
davechen	Lactem: yes, I know you.	03:43
davechen	davechen: my pleasure. congrats.	03:43
Lactem	:D	03:43
davechen	Lactem: type the wrong name, sorry. :)	03:44
*** davechen is now known as davechen_away		03:45
stevemar	dstanek: i am totally cool with removing it now - just looked at 700a397a64bf984ef4c56aec8cc597f212e1f459	03:45
stevemar	also yay it seems like https://review.openstack.org/#/c/195873/ is passing jenkins now	03:45
stevemar	+41, -2527	03:46
*** piyanai has quit IRC		03:46
*** zzzeek has joined #openstack-keystone		03:46
*** zzzeek has quit IRC		03:46
*** boris-42 has quit IRC		03:52
openstackgerrit	David Stanek proposed openstack/keystone: Remove all traces of olso incubator https://review.openstack.org/199343	03:53
dstanek	davechen_away: do we not want to support third-party middleware?	03:56
*** ayoung has quit IRC		03:56
Lactem	That's a nice leave message.	03:56
dstanek	stevemar: for some definition of passing :-)	03:57
*** _cjones_ has quit IRC		03:57
dstanek	that's about how i passed 9th grade English	03:57
stevemar	dstanek: oh i meant it's passing in zuul :)	03:58
stevemar	looking at the results after i rechecked	03:58
stevemar	the dsvm jobs didn't crap out after 10 minutes, so i consider them passing :P	03:59
stevemar	+ tempest and py27 are successful too	03:59
*** fangzhou has quit IRC		04:02
*** stevemar has quit IRC		04:05
*** stevemar has joined #openstack-keystone		04:06
*** mtreinish has quit IRC		04:07
*** r-daneel has joined #openstack-keystone		04:13
*** c_soukup has joined #openstack-keystone		04:14
*** kiran-r has quit IRC		04:15
*** mtreinish has joined #openstack-keystone		04:16
*** csoukup has quit IRC		04:16
*** btully has quit IRC		04:19
*** david-ly_ has joined #openstack-keystone		04:19
*** david-lyle has quit IRC		04:22
*** chenhong has quit IRC		04:30
stevemar	dstanek: there we go! https://review.openstack.org/#/c/195873/	04:33
*** stevemar has quit IRC		04:35
*** chlong has quit IRC		04:35
*** stevemar has joined #openstack-keystone		04:35
*** Lactem has quit IRC		04:40
*** chlong has joined #openstack-keystone		04:44
*** chlong has quit IRC		04:51
*** btully has joined #openstack-keystone		04:51
*** davechen_away is now known as davechen		04:57
davechen	dstanek: I think we should support third-party middleware.	04:58
davechen	dstanek: so, you suggest not to deprectate it when it's third party middleware.	04:59
davechen	dstanek: not sure whether I understand it correctly. :)	05:00
davechen	Lactem: how long is your internship?	05:01
openstackgerrit	Merged openstack/keystone: Adds some debugging statements https://review.openstack.org/193619	05:04
*** richm has quit IRC		05:08
*** mabrams has joined #openstack-keystone		05:10
*** fangzhou has joined #openstack-keystone		05:10
*** dims has joined #openstack-keystone		05:11
*** chlong has joined #openstack-keystone		05:20
*** boris-42 has joined #openstack-keystone		05:21
*** ajayaa has quit IRC		05:22
openstackgerrit	Merged openstack/keystone: Remove convert_to_sqlite.sh https://review.openstack.org/199388	05:31
*** c_soukup has quit IRC		05:34
*** davechen_afk is now known as jungler		05:37
*** dims has quit IRC		05:40
*** ajayaa has joined #openstack-keystone		05:45
*** krykowski has joined #openstack-keystone		05:50
*** hrou has quit IRC		05:50
*** ig0r__ has joined #openstack-keystone		05:51
*** ig0r_ has quit IRC		05:52
*** browne has quit IRC		05:56
*** andrey-mp has joined #openstack-keystone		05:58
*** chenhong has joined #openstack-keystone		06:03
jamielennox	stevemar: still around? can you approve https://review.openstack.org/#/c/192499/	06:04
jamielennox	or look at it	06:04
stevemar	i was just about to close my laptop	06:05
jamielennox	stevemar: small python 3 fix only on the keystoneauth branch	06:05
stevemar	this looks small	06:05
jamielennox	stevemar: i have big ones if that's what you want....	06:05
stevemar	naw	06:06
stevemar	i hate that i know keystone requests	06:07
*** dguerri` is now known as dguerri		06:07
jamielennox	you and me both	06:07
jamielennox	thanks mate	06:07
*** kiran-r has joined #openstack-keystone		06:12
stevemar	jamielennox: np	06:12
stevemar	looks like it the next release won't be meiji	06:12
*** dguerri is now known as dguerri`		06:14
*** stevemar has quit IRC		06:14
*** tobe has joined #openstack-keystone		06:19
lifeless	if we get a resolution by tokyo	06:28
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Fix missing "raise" when throwing exception. https://review.openstack.org/199414	06:39
*** fhubik has joined #openstack-keystone		06:44
*** fhubik is now known as fhubik_afk		06:45
*** spandhe has quit IRC		06:49
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Fix log message. https://review.openstack.org/199420	07:00
*** fhubik_afk is now known as fhubik		07:01
*** fhubik is now known as fhubik_afk		07:08
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain. https://review.openstack.org/196942	07:10
*** fhubik_afk is now known as fhubik		07:11
*** dtantsur\|afk is now known as dtantsur		07:14
*** stevemar has joined #openstack-keystone		07:15
*** dtantsur has left #openstack-keystone		07:15
*** stevemar has quit IRC		07:18
*** lhcheng has joined #openstack-keystone		07:18
*** ChanServ sets mode: +v lhcheng		07:18
*** fhubik is now known as fhubik_afk		07:23
*** e0ne has joined #openstack-keystone		07:25
*** fhubik_afk is now known as fhubik		07:26
*** fhubik has quit IRC		07:32
*** fhubik has joined #openstack-keystone		07:33
*** afazekas has joined #openstack-keystone		07:34
*** fhubik is now known as fhubik_afk		07:39
*** dims has joined #openstack-keystone		07:41
*** dims_ has joined #openstack-keystone		07:42
*** fhubik_afk is now known as fhubik		07:43
*** jistr has joined #openstack-keystone		07:43
*** dims has quit IRC		07:45
*** btully has quit IRC		07:46
*** dims_ has quit IRC		07:46
*** tobe has quit IRC		07:46
*** markvoelker has quit IRC		07:47
*** e0ne is now known as e0ne_		07:49
*** andrey-mp has quit IRC		07:49
*** e0ne_ is now known as e0ne		07:51
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Fix missing "raise" when throwing exception. https://review.openstack.org/199414	07:52
*** afazekas has quit IRC		07:56
*** e0ne is now known as e0ne_		07:57
*** e0ne_ is now known as e0ne		07:59
*** e0ne has quit IRC		08:00
*** afazekas has joined #openstack-keystone		08:09
*** tobe has joined #openstack-keystone		08:16
*** chlong has quit IRC		08:21
*** tobe has quit IRC		08:25
*** tobe has joined #openstack-keystone		08:25
*** chenhong has quit IRC		08:29
*** boris-42 has quit IRC		08:32
*** belmoreira has joined #openstack-keystone		08:38
*** tobe has quit IRC		08:40
*** dims has joined #openstack-keystone		08:43
*** dims_ has joined #openstack-keystone		08:44
*** dims__ has joined #openstack-keystone		08:45
*** dims___ has joined #openstack-keystone		08:46
*** christx2 has joined #openstack-keystone		08:46
*** dims has quit IRC		08:47
*** markvoelker has joined #openstack-keystone		08:48
*** dims_ has quit IRC		08:49
*** dims__ has quit IRC		08:49
*** dims___ has quit IRC		08:50
*** markvoelker has quit IRC		08:53
*** christx2 has quit IRC		08:58
*** christx2 has joined #openstack-keystone		08:59
*** e0ne has joined #openstack-keystone		09:03
*** r-daneel has quit IRC		09:08
*** afazekas has quit IRC		09:12
*** belmoreira has quit IRC		09:12
*** tobe has joined #openstack-keystone		09:20
*** e0ne is now known as e0ne_		09:21
*** afazekas has joined #openstack-keystone		09:21
*** belmoreira has joined #openstack-keystone		09:24
*** fhubik is now known as fhubik_afk		09:24
*** e0ne_ is now known as e0ne		09:26
*** fhubik_afk is now known as fhubik		09:31
*** piyanai has joined #openstack-keystone		09:33
*** bdossant has joined #openstack-keystone		09:36
*** e0ne is now known as e0ne_		09:37
*** davechen has left #openstack-keystone		09:53
*** aix has joined #openstack-keystone		09:54
*** fhubik is now known as fhubik_afk		09:59
*** e0ne_ is now known as e0ne		10:00
*** fhubik_afk is now known as fhubik		10:02
*** stevemar has joined #openstack-keystone		10:04
*** stevemar has quit IRC		10:06
*** e0ne is now known as e0ne_		10:11
*** bradjones has quit IRC		10:13
*** e0ne_ is now known as e0ne		10:13
*** bradjones has joined #openstack-keystone		10:15
*** bradjones has quit IRC		10:15
*** bradjones has joined #openstack-keystone		10:15
*** tobe has quit IRC		10:29
*** afazekas has quit IRC		10:29
*** afazekas has joined #openstack-keystone		10:40
*** e0ne is now known as e0ne_		10:40
*** e0ne_ is now known as e0ne		10:42
*** markvoelker has joined #openstack-keystone		10:49
*** markvoelker has quit IRC		10:54
*** rdo has quit IRC		10:59
*** afazekas has quit IRC		11:13
*** fhubik_afk has joined #openstack-keystone		11:17
*** fhubik_afk is now known as fhubik_		11:17
*** _kiran_ has joined #openstack-keystone		11:17
*** kiran-r has quit IRC		11:17
*** fhubik has quit IRC		11:18
*** lhcheng has quit IRC		11:27
*** _kiran_ has quit IRC		11:27
*** fhubik_ is now known as fhubik_afk		11:27
*** krykowski_ has joined #openstack-keystone		11:32
*** krykowski has quit IRC		11:34
*** e0ne is now known as e0ne_		11:34
*** e0ne_ is now known as e0ne		11:35
*** jaosorior has joined #openstack-keystone		11:37
*** e0ne has quit IRC		11:38
*** amaretskiy has quit IRC		11:39
*** amakarov_away is now known as amakarov		11:39
samueldmq	morning	11:40
*** dims has joined #openstack-keystone		11:47
*** dims_ has joined #openstack-keystone		11:48
*** dims__ has joined #openstack-keystone		11:49
*** markvoelker has joined #openstack-keystone		11:50
*** dims has quit IRC		11:52
*** dims_ has quit IRC		11:53
samueldmq	dstanek: ping - I was looking at #137202, 'Improve List Role Assignments Filters Performance'	11:53
*** stevemar has joined #openstack-keystone		11:54
*** markvoelker has quit IRC		11:54
*** dims__ has quit IRC		11:54
samueldmq	dstanek: you asked me to split that patch into 2: i) pass the filters to the driver and ii) move the role assignment expansion logic to the manager	11:54
samueldmq	dstanek: I agree that would be much clearer if it was split that way, however that would take a considerable effort, since the code has changed a lot ..	11:55
samueldmq	dstanek: I'd like to know if you see your comment there as something 'essential' or if that could be reviewed/approved that way	11:55
*** stevemar has quit IRC		11:56
samueldmq	dstanek: dstanek the right behavior can be ensured by a ton of data-driven tests henrynash is adding in the next patch sets	11:56
*** fhubik_afk is now known as fhubik_		11:58
*** krykowski has joined #openstack-keystone		12:04
*** fhubik_ has quit IRC		12:04
*** fhubik_ has joined #openstack-keystone		12:05
*** ajayaa has quit IRC		12:06
*** gordc has joined #openstack-keystone		12:06
*** krykowski_ has quit IRC		12:07
*** afazekas has joined #openstack-keystone		12:11
*** markvoelker has joined #openstack-keystone		12:13
*** arunkant has joined #openstack-keystone		12:14
*** kiran-r has joined #openstack-keystone		12:14
*** arunkant_ has joined #openstack-keystone		12:16
*** piyanai has quit IRC		12:17
*** belmoreira has quit IRC		12:17
*** arunkant__ has joined #openstack-keystone		12:18
*** krykowski has quit IRC		12:19
*** browne has joined #openstack-keystone		12:19
dstanek	samueldmq: what did i ask to be split?	12:20
*** arunkant has quit IRC		12:20
samueldmq	dstanek: see your comment on the controller	12:21
samueldmq	dstanek: since I've put the expansion logic (previously on the controller) in the manager	12:22
samueldmq	dstanek: we have a new representation for expanded role assignments	12:22
dstanek	samueldmq: the one where i asked about formatting changes?	12:22
*** arunkant_ has quit IRC		12:22
samueldmq	dstanek: yes, we had a conversation on irc after that I think ..	12:23
*** belmoreira has joined #openstack-keystone		12:23
samueldmq	dstanek: we need that formatting changes, since that's how the manager tells the controller that the assignment is an expanded one (i.e came from group, or inherited)	12:23
dstanek	samueldmq: no, you are misunderstanding. i am referring to the changes in the comment. it was hard to see what you changed since you renamed somethings and at the same time restructured	12:25
dstanek	samueldmq: on another note i think the reason you are having a hard time getting people to review this patch is that there is a lot mixed into one patch	12:27
samueldmq	dstanek: yes I did misunderstood :(	12:27
samueldmq	dstanek: yes this patch has been there for almost an year now .. (it was in another change before .. )	12:28
samueldmq	dstanek: I'll fix your concerns and let's see what happens	12:28
samueldmq	dstanek: another point is that .. that code is just .. hard/complex, it includes too many cases of role assignment expansion, at the same time it tries to be clear enough	12:29
dstanek	samueldmq: also, what are the helpers in the sql driver used for?	12:29
samueldmq	dstanek: let me see ..	12:30
*** chlong has joined #openstack-keystone		12:30
*** afazekas has quit IRC		12:31
samueldmq	dstanek: that would allow us to get, for example, role assignments for a user on both a project + a domain	12:32
*** tellesnobrega_ has joined #openstack-keystone		12:32
samueldmq	dstanek: but I am not sure I am using that benefit at the manager at all, I'll remove it and see what happens	12:32
dstanek	samueldmq: there a 5 helper methods that i don't see being used	12:33
samueldmq	dstanek: they're used in list_role_assignments() main method	12:33
samueldmq	dstanek: _get_assignment_types is used there .. which in turn uses the other 4	12:34
samueldmq	dstanek: however I'll check whether I really need that	12:34
samueldmq	or not	12:34
*** tellesnobrega__ has joined #openstack-keystone		12:39
*** afazekas has joined #openstack-keystone		12:42
*** tellesnobrega_ has quit IRC		12:42
*** tellesnobrega_ has joined #openstack-keystone		12:42
*** piyanai has joined #openstack-keystone		12:43
*** piyanai has quit IRC		12:44
*** stevemar has joined #openstack-keystone		12:44
*** tellesnobrega__ has quit IRC		12:46
*** ninag has joined #openstack-keystone		12:49
*** dims has joined #openstack-keystone		12:50
*** piyanai has joined #openstack-keystone		12:50
*** dims has quit IRC		12:54
*** afazekas has quit IRC		12:55
*** piyanai has quit IRC		12:56
*** fhubik_ is now known as fhubik_afk		12:58
*** j_king has quit IRC		12:59
samueldmq	dstanek: those helper methods in sql are needed because we now need to check for the assignmenttype as well	12:59
*** bradjones has quit IRC		13:00
*** hrou has joined #openstack-keystone		13:00
*** ninag has quit IRC		13:00
*** nkinder has quit IRC		13:00
samueldmq	dstanek: i.e besides querying the actor/target, we query the expected assignment type	13:00
*** mfisch has quit IRC		13:00
*** jsavak has joined #openstack-keystone		13:00
*** ninag has joined #openstack-keystone		13:00
*** bradjones has joined #openstack-keystone		13:00
*** bradjones has quit IRC		13:00
*** bradjones has joined #openstack-keystone		13:00
*** j_king has joined #openstack-keystone		13:00
*** tellesnobrega__ has joined #openstack-keystone		13:01
*** nkinder has joined #openstack-keystone		13:01
*** tellesnobrega_ has quit IRC		13:03
*** tellesnobrega_ has joined #openstack-keystone		13:04
*** tellesnobrega__ has quit IRC		13:06
*** mestery_ has joined #openstack-keystone		13:06
*** tellesnobrega_ has quit IRC		13:09
*** mestery has quit IRC		13:09
*** tellesnobrega_ has joined #openstack-keystone		13:09
samueldmq	dstanek: I've added some documentation on the helper methods, thanks	13:11
*** doug-fish has joined #openstack-keystone		13:12
*** afazekas has joined #openstack-keystone		13:15
*** lhcheng has joined #openstack-keystone		13:15
*** ChanServ sets mode: +v lhcheng		13:15
*** tellesnobrega__ has joined #openstack-keystone		13:16
*** Ephur has joined #openstack-keystone		13:16
*** tellesnobrega_ has quit IRC		13:18
*** bknudson has joined #openstack-keystone		13:19
*** ChanServ sets mode: +v bknudson		13:19
*** lhcheng has quit IRC		13:20
*** ayoung has joined #openstack-keystone		13:20
*** ChanServ sets mode: +v ayoung		13:20
ayoung	samueldmq, do you think there is some way we could "deduce" the URL from inside the call to middleware, so we don't need to explicitly set the URL used for policy in the config file?	13:21
*** tellesnobrega_ has joined #openstack-keystone		13:21
*** dims has joined #openstack-keystone		13:22
*** tellesnobrega__ has quit IRC		13:24
*** richm has joined #openstack-keystone		13:25
samueldmq	ayoung: hello, I was waiting for you :)	13:27
ayoung	samueldmq, I want to try and avoid making the installers updateall the conifg files	13:27
*** tellesnobrega__ has joined #openstack-keystone		13:27
samueldmq	ayoung: the url is in the service catalog, right ?	13:27
ayoung	seems unnecessary	13:28
ayoung	yes, the URL is in the endpoint entry	13:28
ayoung	I was thinking we could use the service user, but that is not mapped un-ambiguously to the endpoint	13:28
samueldmq	ayoung: however for the endpoint contraint gyee is looking at, we'll possibly need ot specify the endpoint_id ?	13:28
ayoung	the same service user could be used for multiple endpoints. Too bad, that would be the right thing to do, I think	13:28
*** woodster_ has joined #openstack-keystone		13:29
samueldmq	ayoung: we'd need to solve that automatically as well, otherwise we'd still need that configured by the deployer	13:29
ayoung	once we know one value we cal look up the others	13:29
samueldmq	ayoung: exactly	13:29
samueldmq	ayoung: however if we get to the url, that can map to multiple ids	13:29
ayoung	I think that is a non-issue. There can only be one policy file executed for any given path through the web server	13:30
samueldmq	ayoung: could endpoint constraint be enforced on the url as well ?	13:30
ayoung	the is no way to distinguish upon the call that this is an "public" endpoint call vs, an "admin" endpoint if the url is identitcal	13:30
ayoung	samueldmq, yes, it could	13:31
*** tellesnobrega_ has quit IRC		13:31
samueldmq	ayoung: ok, so if we know the url, we could solve both (assuming other agree on that approach)	13:32
ayoung	samueldmq, I was thinking we could deduce the URL out of the request values upon first request, but we might be behind a load balancer or proxy, and thus it might not match the hostname of the endpoint URL	13:32
ayoung	need to look at what comes through the request, there may be something in there we can use	13:32
samueldmq	ayoung: yes, we can't use the hostname ..	13:32
samueldmq	ayoung: also, looking at the existing middleware configs may help	13:33
samueldmq	ayoung: why don't service endpoints register themselves against keystone automatically ? using the service token ..	13:35
ayoung	samueldmq, not much we can count on there.	13:35
ayoung	samueldmq, only the[auth_token] section	13:35
ayoung	samueldmq, so, they do. But they don't record their own ID	13:35
ayoung	techincally, they don't register themselves	13:35
samueldmq	ayoung: do they ? really ?	13:35
ayoung	its done by the setup process	13:36
ayoung	which is outside the service, and has to be for security reasons	13:36
samueldmq	ayoung: so that is done by the deployer .. at bootstrap time	13:36
ayoung	there is no easy way to ask Keystone "what endpoint do you think I am?"	13:36
ayoung	yeah, at boot	13:36
*** radez_g0n3 is now known as radez		13:37
samueldmq	ayoung: yep, there isn't, because the deployer registered the endpoint in keystone, and there could be too much network abstraction being used, such as haproxy etc	13:37
ayoung	samueldmq, so each of the nova servers have a serviceuser added to them, and that is who they use to authenticate when validating tokens	13:37
samueldmq	ayoung: that the endpoint itself can't tell keystone about	13:37
samueldmq	if that makes sense	13:37
ayoung	yes, makes sense to me...	13:38
dstanek	the services don't actually register themselves do they? i thought the bootstrap process was handled by ansible, puppet, etc.	13:38
ayoung	if there was no load balancer, the endpoint could look at a request and send that in the "get policy" call. Keystone could do a parital match of the URL	13:38
ayoung	dstanek, you are correct	13:39
samueldmq	ayoung: so .. the deployer has to tell to the endpoint who it is .. :(	13:39
ayoung	dstanek, behind a load balancer, the WSGI app does not get the real hostname in the request URL, doees it?	13:39
samueldmq	ayoung: setting any of its id/url	13:39
dstanek	ayoung: yes, it should; because virtual hosting works behind a load balancer too	13:39
dstanek	unless your LB isn't configured correctly	13:40
ayoung	dstanek, so, we could deduce the URL from the request?	13:40
dstanek	ayoung: yes	13:40
*** mylu has joined #openstack-keystone		13:40
samueldmq	hmm...	13:40
ayoung	dstanek, then the only thing we need to be aware of is that the URL might not match; request by IP address is different than Hostname	13:40
dstanek	ayoung: which is why i don't like URL - there could be two different URLs pointing to the same VIP	13:40
dstanek	ayoung: yeah, that too	13:41
ayoung	dstanek, its not just the hostname, it is the whole URL, down to the version	13:41
*** LukeHinds has joined #openstack-keystone		13:42
ayoung	dstanek, say you have an all-in-one deployment, with nova and glance behind the same load balancer. Then,	13:42
ayoung	the URL would be something like	13:42
ayoung	http://hostname/nova/ vs	13:42
ayoung	http://hostname/glance/ vs	13:42
ayoung	http://hostname/cinder/	13:42
ayoung	with finer distinctions for keystone main vs admin, for example	13:42
ayoung	http://hostname/keystone/admin	13:43
ayoung	heh, those should all be https of course	13:43
ayoung	dstanek, is that clear?	13:44
*** mabrams has quit IRC		13:45
dstanek	ayoung: sure	13:46
*** mylu has quit IRC		13:46
ayoung	dstanek, so, lets say we make the query for policy such that you pass an URL to Keystone and it gives you back the endpoint id. Then you use the endpoint id to fetch the policy itself.	13:47
openstackgerrit	Steve Martinelli proposed openstack/keystone: switch to oslo.cache https://review.openstack.org/195873	13:47
ayoung	that is chatty, but so what. It means that we have a little clearer view of how the decision is made, which might just help debugging.	13:47
*** mylu has joined #openstack-keystone		13:48
ayoung	So, we drop the assign/fetch by URL, just provide an URL to endpoint mapping function	13:48
ayoung	samueldmq, ^^ does that seem cleaner to you?	13:48
*** jacorob_ has joined #openstack-keystone		13:48
*** mestery_ has quit IRC		13:48
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	13:48
dstanek	ayoung: are you saying that the URL you would use is the one from the request or one hard coded into the config?	13:49
samueldmq	ayoung: I am concerned about how that function 'f(url) -> id' looks like, since url doesn't map uniquely to the id, and it could not match at all	13:49
samueldmq	ayoung: that looks interesting though	13:49
*** mylu has quit IRC		13:49
*** mylu has joined #openstack-keystone		13:50
*** TheIntern has joined #openstack-keystone		13:52
*** jecarey has joined #openstack-keystone		13:55
samueldmq	ayoung: another point is, if the policy is still by enpoint id, the deployer will need to get the endpoint_id anyway .. whcih was the motivation to use URL (and what morgan was trying to avoid)	13:56
*** arunkant_ has joined #openstack-keystone		13:56
samueldmq	ayoung: notice that I am not against this solution at all .. I find it very very interesting since it would reduce the deployer bootstrap configuration, I am just pointing out the potential issues I am seeing :)	13:57
ayoung	dstanek, the URL you would use is the one from the request	13:57
ayoung	samueldmq, yeah, it might not be unique. Then ATM would pick one at random	13:58
*** csoukup has joined #openstack-keystone		13:58
samueldmq	ayoung: i.e you might pick the one which has not the policy associated with :/	13:59
*** arunkant has joined #openstack-keystone		13:59
*** arunkant__ has quit IRC		14:00
ayoung	samueldmq, if you have two different endpoints with exactly the same URL, we should force them all to have the same policy file. There is no way to distinguish between them	14:00
samueldmq	ayoung: if I understand correctly, we need a policy per service process, correct?	14:01
samueldmq	ayoung: yes I agree, but today we don't enforce that at all	14:01
ayoung	samueldmq, well, sort of. It really is per-service-process-that-reads-the-same-config-file	14:01
samueldmq	ayoung: what identifies a service process uniquely ? what are the possibilities ?	14:02
*** tellesnobrega_ has joined #openstack-keystone		14:02
*** arunkant_ has quit IRC		14:02
samueldmq	ayoung: so a per-service-process-that-reads-the-same-config-file may group multiple endpoint ids (as represented in keystone)	14:02
samueldmq	althoguh we don't enforce that today	14:02
ayoung	samueldmq, none of this is used yet. Not siginifcantly	14:02
ayoung	the endpoint-policy stuff was prep for this	14:02
dstanek	ayoung: so you will need to define a policy for each URL that a service serves? i'm assuming this is really each base URL (auth.example.com, auth-internal.example.com, etc)	14:03
samueldmq	ayoung: so we can just deprecate and create anything else if needed	14:03
*** btully has joined #openstack-keystone		14:03
ayoung	dstanek, so, lets drop the policy-url mapping for a moment. Instead, lets say that for each requested URL, we use the URL value in the endpoint to try to match it	14:04
ayoung	is would be a partial match (base url as you say)	14:04
*** edmondsw has joined #openstack-keystone		14:05
ayoung	so it would be requestedurl -> endpoint.url -> endpoint.id -> policy file	14:05
*** tellesnobrega__ has quit IRC		14:05
samueldmq	if we'd have a single endpoint entity (single id) that contains multiple interfaces (and URLs), that'd be solved I think .. however we have different ids for different interfaces	14:06
samueldmq	I think the current design of endpoints doesn't help :(	14:06
*** tellesnobrega__ has joined #openstack-keystone		14:06
*** tellesnobrega_ has quit IRC		14:06
*** jsavak has quit IRC		14:07
dstanek	ayoung: what if the requestedurl doesn't match any endpoints? or if that endpoint has no policy associated with it?	14:07
ayoung	dstanek, let me take those separately	14:07
ayoung	if the requested URL doesn't match any endpoints, we have an error, and we deny the request (maybe a 500 error would even be appropriate here)	14:08
ayoung	if the endpoint has no policy, we have a couple choices	14:08
*** kiran-r has quit IRC		14:08
ayoung	first, there is the stock policy shipped with the server. We default to that.	14:08
samueldmq	++ to this first option	14:09
ayoung	But, the most common case would be to use the rest of the endpoint-policy rules to get a more general policy file	14:09
ayoung	that happens automatically	14:09
ayoung	so, that is why I want the unified policy file	14:09
ayoung	that should be the default. When a request comes in, the check should start with most specific to most general:	14:09
ayoung	endpoint->service->region->default	14:10
ayoung	actually there is one in the middle	14:11
ayoung	- A policy associated to any endpoint of a given service type in a given region	14:11
ayoung	http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst#n11	14:11
*** fhubik_afk is now known as fhubik_		14:12
*** jsavak has joined #openstack-keystone		14:12
ayoung	samueldmq, I actually do not like the "stock policy" fallback, as I think it is a security weakness, but it can be a transition strategy until we get dynamic policy as the default	14:13
brad[]	Do the keystone command line tools support API v3 oriented commands at this time?	14:13
*** mylu has quit IRC		14:13
samueldmq	ayoung: ++	14:13
stevemar	brad[]: use openstackclient	14:13
*** fhubik_ is now known as fhubik		14:13
*** fhubik has quit IRC		14:14
stevemar	brad[]: docs.openstack.org/developer/python-openstackclient/	14:14
stevemar	err rather http://docs.openstack.org/developer/python-openstackclient/	14:14
stevemar	the keystone CLI is being removed (soon)	14:14
samueldmq	bradsquarebrackets	14:14
ayoung	stevemar, I thought that was your boss, but I realize that, in python, he'd be brad(,)	14:14
stevemar	ayoung: he's normally topol, but i'd be lying if that thought didn't cross my mind	14:15
stevemar	maybe he's testing me	14:15
*** mylu has joined #openstack-keystone		14:15
*** fhubik has joined #openstack-keystone		14:15
ayoung	you say topol, I say tuple	14:15
stevemar	samueldmq: don't trust folks with brackets in their name, any brackets	14:15
brad[]	Is openstackclient able to be used with Juno? We haven't yet upgraded	14:15
dstanek	ayoung: how do real deployments deal with internal URLs to services? like having nova use a different URL to bypass the load balancer. endpoint filtering?	14:15
ayoung	brad[], it should work	14:15
samueldmq	stevemar: hehe :)	14:15
ayoung	dstanek, I think it varies.	14:16
ayoung	dstanek, I'd really need to go beat up our support guys to get real answers	14:16
stevemar	brad[]: should be, you might run into requirements issues, but shrugs - it's meant for client machines, don't need to install it on the same machine as the server	14:16
brad[]	stevemar: nod	14:16
stevemar	brad[]: it's intallable via pypi	14:16
ayoung	or Yum	14:17
stevemar	you'll get the latest and greatest that way, the ones that come bundled with RHEL/Ubuntu are a bit older	14:17
ayoung	or APT	14:17
stevemar	ayoung: i think if you install it on ubuntu 12.04lts you get v0.4.2 :(	14:17
stevemar	and even 14.04, you get 1.0.3	14:17
stevemar	and they don't change, which upsets me	14:18
ayoung	stevemar, so, we don't even install it on RHEL. You need the OSP product to get it. We are working to change that	14:18
ayoung	it will be interesting when OpenStack code gets spread across multiple product lines.	14:19
ayoung	best to stick to Curl	14:19
dstanek	ayoung: i wonder because each one of those base URLs will have to be associated with the policy	14:19
*** mfisch has joined #openstack-keystone		14:19
*** mfisch has quit IRC		14:20
*** mfisch has joined #openstack-keystone		14:20
ayoung	dstanek, the more we talk about this, the more paranoid I start thinking. I wonder if we want to lock down a "secure" endpoint to only work with a specific policy file..but I think if anyone needs that, they would disable dynamic policy.	14:20
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance https://review.openstack.org/137202	14:21
samueldmq	henrynash: dstanek ^ updated ! :)	14:21
ayoung	henrynash, read up our discussion, too, as I think it addresses some of your questions WRT dynamic policy	14:22
dstanek	ayoung: this is the fear i had when discussing with samueldmq last week.	14:22
ayoung	dstanek, I'd ask the folks with the tinfoil hats....	14:22
dstanek	right now it is so simple and has no corner cases. a service deploys a policy file and that is used to enforce policy.	14:22
dstanek	in the new world we have cascading policy lookups from the specific (endpoint id) to the generic (service or whatever)	14:23
dstanek	that means deployers have to make the generic policy very locked down	14:24
ayoung	dstanek, yeah, but there is no continuity in meaning between the policy files deployed by Nova vs Glance. bug 968696	14:24
openstack	bug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)	14:24
henrynash	ayoung; Thx, tied up rght now (not literally)…..will get to themlater	14:24
dstanek	ayoung: sure, but maybe there are other ways to handle that. i'm just thinking of this policy solution	14:24
ayoung	dstanek, so, lets say we cut the fetch and store aspect. We'd depend on Ansible or Puppet to keep things in sync	14:26
ayoung	it would be a different integration, and outside of our hands	14:26
ayoung	but...there is nothing to prevent someone from doing that with the dynamic policy approach, it would just take additional work	14:26
ayoung	they would use the same calls to get the policy out of Keystone, etc.	14:27
ayoung	dstanek, if you triggered the ansible/puppet call automatically, you would basically have the same system	14:28
*** arunkant_ has joined #openstack-keystone		14:28
ayoung	dstanek, which is another argument for doing url-endpointid as a deliberate call.	14:29
samueldmq	dstanek: ayoung I gotta go afk for a bit now, will be back in a bit, sorry	14:30
*** arunkant has quit IRC		14:31
*** tellesnobrega__ has quit IRC		14:32
*** mylu has quit IRC		14:39
*** fangzhou has quit IRC		14:39
*** mylu has joined #openstack-keystone		14:40
*** tellesnobrega_ has joined #openstack-keystone		14:41
*** mylu has quit IRC		14:41
*** mylu has joined #openstack-keystone		14:42
*** ajayaa has joined #openstack-keystone		14:46
*** belmoreira has quit IRC		14:53
openstackgerrit	Theodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin https://review.openstack.org/198071	14:53
*** jdandrea has quit IRC		14:54
*** ninag has quit IRC		15:00
*** Lactem has joined #openstack-keystone		15:00
*** ninag has joined #openstack-keystone		15:01
Lactem	dstanek: That was a fast +2. Thanks!	15:01
*** csoukup has quit IRC		15:01
gordc	stevemar: you know of any examples where policy is enforced pre-query?	15:02
gordc	ie, we query based on policy rules rather than filter results using policy	15:03
*** dims has quit IRC		15:04
*** Akshay04 has joined #openstack-keystone		15:04
*** lhcheng has joined #openstack-keystone		15:05
*** ChanServ sets mode: +v lhcheng		15:05
*** dims has joined #openstack-keystone		15:05
*** tellesnobrega_ has quit IRC		15:06
*** diazjf has joined #openstack-keystone		15:07
*** ninag has quit IRC		15:07
*** jsavak has quit IRC		15:08
ayoung	gordc, what are you asking?	15:09
*** lhcheng has quit IRC		15:09
*** dims has quit IRC		15:10
gordc	ayoung: we have this patch: https://review.openstack.org/#/c/198536/12/ceilometer/api/controllers/v2/events.py	15:10
ayoung	gordc, policy does not work that way, if you are talking RBAC.	15:10
gordc	ayoung: i am talking rbac.	15:10
gordc	i also should add disclaimer i didn't write our implementation nor do i know much about policy	15:11
*** Lactem has quit IRC		15:11
gordc	but currently, the implementation is to run query, and loop through each record and validate if it passes policy rules	15:11
ayoung	gordc, I...I did not know such code existed. The Horror. The Horror.	15:11
gordc	i won't name names...	15:12
ayoung	gordc, so...that is very different from how policy is used elsewhere	15:12
ayoung	gordc, let me take a look at the policy file that goes with that...one sec	15:12
gordc	ayoung: can you point to 'best practice' example for reference.	15:12
ayoung	gordc, hold on. Still wrapping my head around what you are doing here	15:13
ayoung	http://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json is pretty sparse...	15:13
ayoung	http://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json.sample is a little more explicit.	15:13
stevemar	gordc: i was wondering about that, normally is easy for us because the URL or backend defines the owner	15:14
ayoung	gordc, I actually kindof like that code, and kindof hate it...it is making me think. THat hurts my brain	15:14
gordc	stevemar: owner == user id?	15:15
*** Akshay04 has quit IRC		15:15
ayoung	stevemar, wow...so they are trying to check ownership on a per-event basis, and then apply policy to it>	15:16
gordc	the result we're trying to achieve is if user_id/project_id exists in record, use it against defined policy. if not, it's admin only.	15:17
stevemar	ayoung: it's not unreasonable, they only want stuff that affects that	15:17
ayoung	gordc, what policy rule do you match	15:17
gordc	ayoung: yeah, that's the current patch, trying to see if we can build query param from policy to avoid post filtering	15:18
ayoung	telemetry:get_events	15:18
gordc	"user_id:%(user_id)s" "project_id:%(project_id)s" role:admin "role:admin or user_id:%(user_id)s"	15:18
gordc	that's the example that was provided.	15:18
stevemar	gordc: so we have a similar issue with trusts/credential/oauth in keystone, but its easy for us to do things pre-query. since when a trust/oauth/credential is created we set an owner/user id in a db somewhere	15:18
*** browne has quit IRC		15:19
stevemar	when we list or get, we just query against that user_id	15:19
ayoung	gordc, getting a query parameter from policy is not going to work	15:19
stevemar	the trouble is ceilometer events doesn't have a way to query for a user_id / project_id	15:19
ayoung	you need to filter	15:19
gordc	stevemar: we can.	15:19
*** browne has joined #openstack-keystone		15:19
ayoung	try not to do "user" and only do project	15:20
ayoung	user is the wrong abstraction. Just because a userid is somehow part of an audit event does not imply an ownership relationship. It should be pure RBAC for this	15:20
*** boris-42 has joined #openstack-keystone		15:21
ayoung	gordc, so...role:admin is unscoped. We are on a quest to get rid of unscoped policy rules	15:22
*** browne has quit IRC		15:22
ayoung	gordc, so I would simplify your problem to: every audit event needs a project to own it. If an event comes in with out a project ID, put it into the admin project	15:23
*** dims has joined #openstack-keystone		15:23
ayoung	hrm...admin domain...	15:23
gordc	ayoung: can the admin project be an assumed value rather than stored default value?	15:23
*** jsavak has joined #openstack-keystone		15:23
ayoung	gordc, we are trying to make it something queried from Keystone. Link...	15:24
ayoung	https://review.openstack.org/#/c/186926/	15:24
*** wrale has joined #openstack-keystone		15:26
*** browne has joined #openstack-keystone		15:27
dstanek	gordc: my first ceilometer review!	15:28
openstackgerrit	ayoung proposed openstack/keystone-specs: query configuration via web API https://review.openstack.org/186926	15:28
*** lhcheng has joined #openstack-keystone		15:29
*** ChanServ sets mode: +v lhcheng		15:29
gordc	dstanek: should review in a few weeks. i'm hoping for net loss of 5000 lines of code this cycle.	15:30
dstanek	gordc: i can help you out with that one! unless you need the thing to work when i am done...	15:31
gordc	dstanek: nah, we're making no guarantees it'll work either.	15:32
gordc	so we have a get_limited_to method https://github.com/openstack/ceilometer/blob/master/ceilometer/api/rbac.py#L63-L90	15:32
gordc	it seems like we can grab user/project info using that... i'm assuming that's wrong way to use policies?	15:32
*** lhcheng has quit IRC		15:33
*** jdandrea has joined #openstack-keystone		15:33
*** arunkant__ has joined #openstack-keystone		15:34
*** arunkant__ has quit IRC		15:34
*** arunkant has joined #openstack-keystone		15:34
ayoung	gordc, why user_id?	15:35
stevemar	morganfainberg: heads up on https://bugs.launchpad.net/keystone/+bug/1472503	15:35
openstack	Launchpad bug 1472503 in Keystone "python-ldap 2.4.20 causing install issues" [Undecided,New]	15:35
morganfainberg	stevemar: I think we need to just buckle down and replace that. :(	15:36
morganfainberg	Oh that	15:36
morganfainberg	No that is a setup tools/pbr issue	15:37
stevemar	oh phew	15:37
morganfainberg	Someone has an old devstack methinks.	15:37
morganfainberg	People need to stop reusing devstacks and make new vms	15:37
ayoung	gordc, the event is the target of the policy. Is the idea that some users should only be able to see events that they themself generated?	15:38
*** arunkant_ has quit IRC		15:38
morganfainberg	It has been a repeat issue (or do a full update of Python libs too)	15:38
openstackgerrit	henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178	15:39
*** piyanai has joined #openstack-keystone		15:39
gordc	ayoung: we use that method currently for meters. the idea being they can see users can see only their data (if not admin).	15:40
openstackgerrit	henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623	15:40
*** e0ne has joined #openstack-keystone		15:40
openstackgerrit	henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962	15:40
openstackgerrit	henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302	15:40
morganfainberg	stevemar: question asked marked as incomplete.	15:40
openstackgerrit	henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897	15:41
gordc	ayoung: we can also limit to just project... i'm just curious if that's even a valid use of policy the (the way we use it in method)	15:41
openstackgerrit	henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485	15:41
ayoung	gordc, and the point is that you want to know ahead of time if a user should see only their own, project scoped, or larger.	15:41
ayoung	So you are querying all, and then removing ones based on policy. Inefficient, but the most conservative	15:41
*** piyanai has quit IRC		15:41
*** david-ly_ is now known as david-lyle		15:42
ayoung	gordc, is that something you really want conifgurable via policy?	15:42
gordc	ayoung: that is the proposal yes. i'm hoping to not have to query all but restrict query to project	15:42
gordc	or whatever the policy is.	15:42
ayoung	gordc, cuz the way you wrote it, you could have different roles for different events, too	15:43
gordc	the get_limited_to method seems to return me a user and/or project... which seems useful to avoid query all	15:43
ayoung	you could have "storage_auditor" that could only see one class of events, and "network_auditor" that could only see neutron type things	15:43
ayoung	you wouldn't know until you got the results back which would apply	15:43
ayoung	policy is designed to be configurable	15:44
*** piyanai has joined #openstack-keystone		15:44
ayoung	so, I would almost think you would want to make the queries pre-canned, from most general, to most specific, and put the RBAC check on the query itself, before executing.	15:45
*** Akshay04 has joined #openstack-keystone		15:45
gordc	" put the RBAC	15:46
gordc	check on the query itself, before executing"	15:46
*** kiran-r has joined #openstack-keystone		15:46
ayoung	gordc, it seems you know the query you are executing, to include the filters, prior to hitting the database.	15:46
ayoung	so lets say you have 3 queries	15:46
gordc	how do you do that? in ceilometer you can filter on whatever attributes you want.	15:46
ayoung	A) select all events	15:46
ayoung	B) select all events for a project	15:47
henrynash	looking for someone to tip https://review.openstack.org/#/c/190996/ over the edge…..	15:47
ayoung	C) select all events for a user in a project	15:47
ayoung	henrynash, 1 sec and I'll look	15:47
henrynash	ayoung: merci, mon capotan	15:47
ayoung	gordc, so, you do do a policy check for A, it fails, do it for B, it fails, do it for C and it succeeds, So execute C	15:47
gordc	how do you get the project and/or user based on policy? using method similar to get_limited_to?https://github.com/openstack/ceilometer/blob/master/ceilometer/api/rbac.py#L63-L90	15:47
henrynash	(Henry just returned from vacation in France…but still can’t spell)	15:48
ayoung	henrynash, ok, that one falls into "no brainer, should not even require a spec" +2A	15:48
ayoung	gordc, only if it is not explicit in the request itself. I don't love the "magic based on the token values" approach, but it works	15:50
ayoung	I'd rather keep the token separate, and make someone explicitly ask for one or the other	15:50
ayoung	different APIs or at least query params	15:51
openstackgerrit	Theodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin https://review.openstack.org/198071	15:52
gordc	ayoung: i see. yeah our access is dependent on what token you're using. there's no explicit way to pass in the user/project info (either in body or in url)(	15:53
ayoung	gordc, so, instead of checking policy on the events themselves, make 3 queries, check policy on the query, and execute the most general one that passes.	15:54
*** jistr has quit IRC		15:56
*** tellesnobrega_ has joined #openstack-keystone		16:00
openstackgerrit	Merged openstack/keystone-specs: Support data driven test plans for role assignment testing https://review.openstack.org/190996	16:01
*** geoffarnold has quit IRC		16:01
gordc	ayoung: cool cool. i'll work around that. i'm not sure we need 3 queries since we can define variable filter parameters on our queries	16:01
ayoung	gordc, so the way you are doing it is the most conservative, just puts more load on the webserver. BUt if you are building the filters dynamically, you can check policy based on the set of filters you are planning on applying...if that makes sense	16:05
*** jsavak has quit IRC		16:06
*** jsavak has joined #openstack-keystone		16:06
henrynash	ayoung: thx	16:07
*** kiran-r has quit IRC		16:08
*** dontalton has joined #openstack-keystone		16:10
*** annasort has joined #openstack-keystone		16:11
*** jsavak has quit IRC		16:12
*** jsavak has joined #openstack-keystone		16:12
*** bdossant has quit IRC		16:13
gordc	ayoung: yeah, i think the goal is apply query filters based on policy.	16:14
ayoung	gordc, that makes more sense than checking policy on results, one-by-one	16:15
*** dims has quit IRC		16:15
*** dims has joined #openstack-keystone		16:16
gordc	ayoung: agreed. especially when it's in tens/hundreds of thousands.	16:17
ayoung	gordc, want me to respond on that code review?	16:19
gordc	ayoung: sure. that'd be good.	16:20
*** dims has quit IRC		16:21
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Fix log message in one of the v3 create call methods. https://review.openstack.org/199420	16:23
*** piyanai has quit IRC		16:25
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Fix log message in one of the v3 create call methods. https://review.openstack.org/199420	16:27
*** _cjones_ has joined #openstack-keystone		16:28
*** fangzhou has joined #openstack-keystone		16:30
*** ajayaa has quit IRC		16:33
*** browne has quit IRC		16:36
*** dims has joined #openstack-keystone		16:40
*** dontalton is now known as bitblt		16:41
*** bitblt has quit IRC		16:41
*** bitblt has joined #openstack-keystone		16:41
*** bitblt has quit IRC		16:42
*** afazekas has quit IRC		16:42
openstackgerrit	henry-nash proposed openstack/keystone-specs: Enable retrieval of default values of domain config options https://review.openstack.org/185650	16:43
*** Akshay04 has quit IRC		16:43
henrynash	bknudson, gyee, btopol: you previously commented on: https://review.openstack.org/#/c/185650/ - any other issues are we OK on this one?	16:45
*** TheIntern has quit IRC		16:49
*** _hrou_ has joined #openstack-keystone		16:51
*** hrou has quit IRC		16:52
*** _hrou_ has quit IRC		16:54
*** _hrou_ has joined #openstack-keystone		16:54
*** geoffarnold has joined #openstack-keystone		16:56
*** ayoung has quit IRC		16:59
*** shaleh has joined #openstack-keystone		17:02
*** piyanai has joined #openstack-keystone		17:06
*** pnavarro has joined #openstack-keystone		17:07
*** spandhe has joined #openstack-keystone		17:09
samueldmq	henrynash: hi, welcome back :) I hope you enjoyed France	17:11
samueldmq	henrynash: have you visited Lyon ? :)	17:11
*** jsavak has quit IRC		17:15
*** piyanai has quit IRC		17:17
*** tellesnobrega_ has quit IRC		17:19
*** crc32 has joined #openstack-keystone		17:19
*** fhubik has quit IRC		17:20
*** jsavak has joined #openstack-keystone		17:20
henrynash	samueldmq: absolutely, have…although this time we were i our favourite family-run hotel in Provence, (in a town called Mouriès)	17:21
samueldmq	henrynash: nice, France is great :)	17:22
samueldmq	henrynash: I lived in Lyon for a year, during my undergraduation	17:22
samueldmq	henrynash: that was a great experience .. that's a great city	17:23
henrynash	samueldmq: I lived in both Antibes and Paris for a year	17:23
*** browne has joined #openstack-keystone		17:23
henrynash	samueldmq: je parle le Franglais un peu	17:24
samueldmq	henrynash: ah great, so on peut avoir des discussions en français :-)	17:24
*** piyanai has joined #openstack-keystone		17:24
samueldmq	henrynash: hehe	17:24
henrynash	samueldmq: bien sûr	17:24
samueldmq	:-)	17:25
samueldmq	henrynash: it's a long time I don't practice my French, get a better English is my priority now, since I need it more :)	17:26
samueldmq	henrynash: but French is a very interesting and beautiful language	17:26
henrynash	samueldmq: indeed	17:26
*** e0ne has quit IRC		17:28
samueldmq	henrynash: I was looking at your changes for data-driven assignment testing	17:30
samueldmq	henrynash: you rebased them .. however they seem to be in merge conflict	17:30
*** crc32 has quit IRC		17:34
*** pnavarro has quit IRC		17:35
*** christx2 has quit IRC		17:35
*** bknudson has quit IRC		17:38
*** dims has quit IRC		17:39
*** dims has joined #openstack-keystone		17:39
*** piyanai has quit IRC		17:47
*** marzif_ has joined #openstack-keystone		17:49
*** TheIntern has joined #openstack-keystone		17:51
*** TheIntern has quit IRC		17:56
samueldmq	dear Keystoners .. I'd appreciate a couple of eyes on the dynamic policies oslo.policy spec	17:57
*** aix has quit IRC		17:57
samueldmq	"Dynamic Policies Overlay" https://review.openstack.org/#/c/196753/	17:57
samueldmq	henrynash: morganfainberg cc ^ the idea is to get that merged and then its code asap, since that essential part won't change :)	17:58
samueldmq	dstanek: cc ^	17:59
samueldmq	I will start the code, as we try to find a good solution for middleware ftching the right policy (url, id, or whatever)	17:59
*** mestery has joined #openstack-keystone		18:01
*** TheIntern has joined #openstack-keystone		18:03
*** bknudson has joined #openstack-keystone		18:03
*** ChanServ sets mode: +v bknudson		18:03
*** jasonsb has joined #openstack-keystone		18:05
dstanek	i'll take a look	18:06
* samueldmq wonders why #keystone is that quiet today :)		18:06
samueldmq	dstanek: ha .. nice thanks	18:06
jasonsb	stevemar: hallo sir. wanted to let you know i built keystone from master and openstack identity provider create idp1 went through fine	18:06
*** _hrou_ has quit IRC		18:07
jasonsb	stevemar: everything is working (thank you goes out to gyee)	18:07
*** hrou has joined #openstack-keystone		18:07
*** tellesnobrega_ has joined #openstack-keystone		18:08
*** ayoung has joined #openstack-keystone		18:11
*** ChanServ sets mode: +v ayoung		18:11
*** jsavak has quit IRC		18:12
*** jsavak has joined #openstack-keystone		18:13
stevemar	jasonsb: oh nice, what did gyee do?	18:14
jasonsb	stevemar: helped me with Authorization failed. Unable to find valid groups while using mapping idp1_map (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from ::1	18:15
jasonsb	stevemar: gyee pointed me to the map to double check in the debug output that	18:16
jasonsb	stevemar: 'HTTP_OIDC_ISS': 'http://localhost:8080/openid-connect-server-webapp/'	18:16
jasonsb	stevemar: matched up with the mapping	18:16
stevemar	ah yeah	18:17
stevemar	that'll differ from deployment to deployment	18:17
jasonsb	stevemar: in my case, HTTP_OIDC_ISS was present, but i only had http://localhost:8080	18:17
jasonsb	stevemar: i changed it to the whole string and it worked	18:17
stevemar	yay	18:17
jasonsb	stevemar: +1 on yay	18:17
jasonsb	stevemar: it was very cool to see it work	18:18
stevemar	jasonsb: agreed, once it's all setup it's pretty spiffy	18:18
jasonsb	stevemar: maybe should write it up?	18:18
stevemar	did the write up help? anything i missed?	18:18
jasonsb	stevemar: its mitreid idp	18:18
jasonsb	stevemar: writeup is good. i had a little bit trouble figuring out what to change for mitre and i'm super weak in v3	18:19
jasonsb	stevemar: so verifying that it is working threw me a little bit	18:19
stevemar	ahh, let me know if theres need for edits	18:20
jasonsb	stevemar: but considering the complexity of the thing, i think keystone has done an amazing job	18:20
stevemar	woot	18:20
*** ajayaa has joined #openstack-keystone		18:20
jasonsb	stevemar: biggest hurdle i think is to assemble all of the pieces (apache config, keystone config, and procedure to config)	18:21
jasonsb	stevemar: since they are sourced from separate places (and hence reflect different points in time)	18:21
jasonsb	stevemar: if i had referred to devstack more it probably would have helped me a bit	18:22
*** boris-42 has quit IRC		18:22
stevemar	jasonsb: which, we're (not i) working on through better ansible and puppet support for federation	18:22
jasonsb	stevemar: how about kolla?	18:23
jasonsb	stevemar: we would like to use kolla so maybe could contribute kolla+configs+ansible	18:24
stevemar	jasonsb: no one has brought it up yet, first i'm hearing of kolla support for federation-y things	18:27
jasonsb	stevemar: oh sorry, this isn't something i've discussed with kolla peeps. but if it interests you something we maybe could help with	18:28
ayoung	morganfainberg, so, a propsal I discussed with samueldmq and dstanek this morning. Instead of fetch by url, we use the URL to look up the id, and fetch by id. And...we deduce the URL 9if possible) from the request.	18:28
*** doug-fish has quit IRC		18:29
morganfainberg	Sure.	18:31
ayoung	morganfainberg, if we do this right, we should be able to make it work without further changes to the install process	18:32
ayoung	something like this:	18:32
ayoung	we get the full URL out of the request. Send it to Keystone in a "get endpoint_id for url" call Keystone goes through the URLs in the ednspoints until it comes up with a partial match:	18:33
ayoung	beginswith (reuqest.url(endpoint.url)) > 0	18:35
ayoung	or some somethjing valid like that	18:35
ayoung	the question I have is, when running behind a load balancer, are we going to have valid URLs that match to begin with, or are they going to get re-written. dstanek seemed to think they would be valid	18:35
*** jaosorior has quit IRC		18:36
dstanek	they have to be valid from the path on otherwise keystone can't serve the request - the domain should be correct is the LB is properly configured (think virtual hosting) - an the protocol will be there maybe in a different header is the LB does the SSL termination	18:37
*** rdo has joined #openstack-keystone		18:39
dstanek	samueldmq: your RST is a bit rusty	18:41
*** piyanai has joined #openstack-keystone		18:43
*** piyanai has quit IRC		18:44
*** doug-fish has joined #openstack-keystone		18:44
*** piyanai has joined #openstack-keystone		18:44
*** dikonoor has quit IRC		18:46
*** jamielennox is now known as jamielennox\|away		18:47
*** g2` has quit IRC		18:48
*** g2` has joined #openstack-keystone		18:53
*** jamielennox\|away is now known as jamielennox		18:54
*** lhcheng has joined #openstack-keystone		18:56
*** ChanServ sets mode: +v lhcheng		18:56
*** sigmavirus24_awa is now known as sigmavirus24		18:56
dstanek	bknudson: hola	18:56
bknudson	dstanek: aloha	18:57
dstanek	re: https://review.openstack.org/#/c/180769/18/keystonemiddleware/auth_token/__init__.py	18:57
dstanek	if swift doesn't use oslo.config how do we properly get their settings?	18:58
bknudson	dstanek: for anything?	18:58
bknudson	dstanek: that's a good question	18:58
bknudson	but it must work since swift has been around for a while	18:58
*** shaleh has quit IRC		18:58
samueldmq	dstanek: :(	18:59
samueldmq	dstanek: please gimme suggestions on how to improve that o/	18:59
dstanek	bknudson: haha, ok	18:59
dstanek	samueldmq: links are more like `text`_	18:59
dstanek	bknudson: so anyway the reason i treated CONF.project in a special way is that it is special!	18:59
*** gordc has quit IRC		18:59
dstanek	when a project does CONF('project name') it will set the CONF.project property on the object	19:00
bknudson	I didn't know that	19:00
*** piyanai has quit IRC		19:00
samueldmq	dstanek: k will fix :-)	19:00
dstanek	if the project (like swift?) doesn't do this the oslo.config's __getattr__ is called since they don't set a reasonable default	19:00
samueldmq	dstanek: I don't know why I defined it like that, maybe to allow one to print the html and still see the link lol	19:01
dstanek	bknudson: i was going to submit a patch to oslo.config that fixes the issue, but breaks the current interface so I'm not sure they'll take it /cc dhellmann	19:02
dstanek	with a bug report first, of course	19:02
bknudson	dstanek: ok, so maybe just add to the comment that CONF.project is a special config property.	19:03
*** piyanai has joined #openstack-keystone		19:03
dstanek	bknudson: in the process of making a quick edit there now to make it a little more clear	19:03
bknudson	so this gets from 1) auth_token middleware config in paste, 2) keystone_authtoken in .conf, or 3) special CONF.project value	19:04
bknudson	might be worth it to put this bit in a method rather than inline	19:04
bknudson	e.g., self._get_project()	19:04
bknudson	or just self._project ?	19:04
dstanek	sure, that would probably make it more readable	19:04
samueldmq	ayoung: while we keep fighting on that url vs id thing, i.e specs, I will be writing the other pieces to get a demo of dynamic policies running	19:05
samueldmq	ayoung: considering what we have defined today in specs	19:05
samueldmq	ayoung: that'd be great if we could have something to show at the midcycle	19:06
ayoung	samueldmq, I'll write the "map url to endpoint_id" spec	19:06
samueldmq	ayoung: this will keep me sane .. thinking about specs 100% of the time is getting me crazy	19:06
samueldmq	ayoung: ok for this first iteration, I am going to set endpoint_id as a config option in middleware	19:07
samueldmq	ayoung: in this patch https://review.openstack.org/#/c/188561/	19:07
ayoung	samueldmq, tell you what, try coding up a proof of concept that pulls the URL out of the request	19:07
ayoung	samueldmq, that is a good first step	19:08
*** e0ne has joined #openstack-keystone		19:09
*** odyssey4me_ has joined #openstack-keystone		19:10
*** odyssey4me has quit IRC		19:10
*** jsavak has quit IRC		19:13
samueldmq	ayoung: I think we can easily get that from the webob request object	19:13
samueldmq	ayoung: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_request.py#L63	19:13
*** bitblt has joined #openstack-keystone		19:13
samueldmq	ayoung: http://webob.readthedocs.org/en/latest/reference.html#id1	19:13
dstanek	bknudson: tests are running now...here is what i ended up with: http://paste.openstack.org/show/356123/	19:13
*** geoffarnold has quit IRC		19:14
samueldmq	ayoung: req.environ['HTTP_HOST']	19:14
*** odyssey4me_ is now known as odyssey4me		19:14
*** jsavak has joined #openstack-keystone		19:14
*** Rockyg has joined #openstack-keystone		19:15
dstanek	samueldmq: the tricky one is getting the correct protocol	19:15
dstanek	samueldmq: also i think there is a request property that does the HTTP_HOST stuff too	19:17
lbragstad	dolphm: here are a couple commits to help get keystone-deploy's master branch passing again https://github.com/dolph/keystone-deploy/pull/19	19:18
samueldmq	dstanek: I don't get it ... 'correct protocol', what would be the protocol you refer to ther E?	19:18
dstanek	http vs. https	19:19
*** jsavak has quit IRC		19:19
dstanek	i'm pretty sure servers take core of the header magic and set the wsgi.url_scheme header, but i'd have to verify	19:19
*** jsavak has joined #openstack-keystone		19:20
*** ajayaa has quit IRC		19:22
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	19:23
*** r-daneel has joined #openstack-keystone		19:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token() https://review.openstack.org/197647	19:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method https://review.openstack.org/197699	19:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token() https://review.openstack.org/197706	19:23
dolphm	lbragstad: looking!	19:27
*** woodster_ has quit IRC		19:31
openstackgerrit	David Stanek proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	19:32
*** csoukup has joined #openstack-keystone		19:32
lbragstad	stevemar: ping, i'm working on a quick ansible script to help setup federated keystone nodes and following the directions here	19:33
lbragstad	https://github.com/openstack/keystone/blob/master/doc/source/federation/shibboleth.rst	19:33
samueldmq	dstanek: makes sense, thanks for pointing that out :)	19:33
lbragstad	stevemar: oh, wait...	19:35
lbragstad	stevemar: the WSGIScriptAliasMatch part is giving me some issues.	19:36
*** arunkant has quit IRC		19:42
*** arunkant has joined #openstack-keystone		19:44
*** e0ne has quit IRC		19:47
*** ajayaa has joined #openstack-keystone		19:47
stevemar	lbragstad: sry, was helping out diazjf :)	19:48
stevemar	que pasa with your federation	19:49
lbragstad	stevemar: wait, it might be my lack of knowledge. trying something out quick	19:49
stevemar	wait and see approach worked!	19:49
*** piyanai has quit IRC		19:50
*** piyanai has joined #openstack-keystone		19:57
openstackgerrit	David Stanek proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	19:57
*** crc32 has joined #openstack-keystone		19:58
*** Ephur has quit IRC		20:01
*** shaleh has joined #openstack-keystone		20:06
dstanek	bknudson: where you saying on https://review.openstack.org/#/c/196942/6 that you want to be able to create a user without specifying the domain?	20:07
morganfainberg	dstanek: it makes me all sorts of sad we need to accept config from paste-ini in ksm	20:07
*** gyee has joined #openstack-keystone		20:07
*** ChanServ sets mode: +v gyee		20:07
dstanek	morganfainberg: fire swift	20:07
morganfainberg	notmyname, ^ there has to be a better way	20:08
*** vilobhmm has joined #openstack-keystone		20:08
dstanek	i'm assuming that they are the ones doing it since they are not use oslo.config	20:08
dstanek	morganfainberg: if everyone used oslo.config we could potentially remove lots of cruft	20:09
*** openstackgerrit has quit IRC		20:10
* morganfainberg throws oslo.config at swift to see if it sticks...		20:10
*** openstackgerrit has joined #openstack-keystone		20:10
bknudson	dstanek: you can create a user without specifying the domain	20:11
bknudson	that's what the code allows now	20:11
*** piyanai has quit IRC		20:11
*** e0ne has joined #openstack-keystone		20:11
*** e0ne has quit IRC		20:12
openstackgerrit	David Stanek proposed openstack/keystonemiddleware: Fixes modules index generated by Sphinx https://review.openstack.org/199724	20:13
openstackgerrit	David Stanek proposed openstack/python-keystoneclient: Fixes modules index generated by Sphinx https://review.openstack.org/199320	20:13
dstanek	stevemar: any reason not to +A https://review.openstack.org/#/c/199328/ ?	20:14
morganfainberg	lbragstad: poke you here?	20:17
*** piyanai has joined #openstack-keystone		20:17
morganfainberg	need to ask you a question	20:17
lbragstad	morganfainberg: o/	20:17
*** belmoreira has joined #openstack-keystone		20:18
dstanek	what is keystoneauth1?	20:18
*** stevemar has quit IRC		20:19
morganfainberg	dstanek: the propernamespace for keystoneauth	20:21
morganfainberg	to make sure if can be installed side-by-side if we need a major version rev in the future	20:21
dstanek	morganfainberg: really?	20:21
dstanek	looks like i am behind the times	20:22
morganfainberg	dstanek: it's a future proof	20:22
morganfainberg	dstanek: i hope we don;t need a major version change	20:22
morganfainberg	but if we do...	20:22
*** woodster_ has joined #openstack-keystone		20:23
dstanek	interesting approach	20:26
*** geoffarnold has joined #openstack-keystone		20:26
morganfainberg	dstanek: yeah taking a page from glibc :P	20:27
morganfainberg	and other similar libraries	20:28
morganfainberg	this is becasue it will be used by services, sdk, and things like shade	20:28
morganfainberg	it just needs to not break things because something demands a newer version of it	20:28
*** crc32 has quit IRC		20:29
openstackgerrit	David Stanek proposed openstack/keystone: Adds proper isolation to templated catalog tests https://review.openstack.org/174556	20:30
*** christx2 has joined #openstack-keystone		20:34
*** marzif_ has quit IRC		20:34
*** crc32 has joined #openstack-keystone		20:38
*** annasort has quit IRC		20:38
*** shaleh has quit IRC		20:40
*** arunkant_ has joined #openstack-keystone		20:48
*** shaleh has joined #openstack-keystone		20:50
*** piyanai has quit IRC		20:51
*** arunkant has quit IRC		20:52
*** jinsong has joined #openstack-keystone		20:55
*** radez is now known as radez_g0n3		20:55
*** piyanai has joined #openstack-keystone		20:57
jinsong	Hi: I'm looking at the Keystone v3 credential management and was wondering how it may be used. For example, if created an ec2 credential, how would it be used later? Thanks.	20:57
jinsong	I'm talking about the /v3/credentials API	20:59
*** shaleh has quit IRC		21:02
*** shaleh has joined #openstack-keystone		21:02
*** jsavak has quit IRC		21:04
*** iurygregory has quit IRC		21:05
*** tellesnobrega_ has quit IRC		21:07
*** ankita_wagh has joined #openstack-keystone		21:10
*** annasort has joined #openstack-keystone		21:13
*** stevemar has joined #openstack-keystone		21:19
*** amakarov is now known as amakarov_away		21:23
*** stevemar has quit IRC		21:23
*** tellesnobrega_ has joined #openstack-keystone		21:23
ayoung	who's jenious Idea was it to embed K2K into the middle of Federation? Most federation does not need saml2, or any saml....or any other protocol specific code. Packaging PITA....	21:24
ayoung	seriously considering patching it out and disabling it ....	21:24
*** jsavak has joined #openstack-keystone		21:25
*** henrynash has quit IRC		21:25
gyee	ayoung, uh cause SAML2 sound sexy?	21:26
*** tellesnobrega_ has quit IRC		21:26
*** e0ne has joined #openstack-keystone		21:29
dstanek	no, SAML2 is sexy	21:29
*** christx2 has quit IRC		21:30
*** fifieldt has quit IRC		21:30
lbragstad	I think ayoung is ready for some happy hour :)	21:33
*** belmoreira has quit IRC		21:34
ayoung	lbragstad, quite	21:34
ayoung	dstanek, SAML2 is quite possible the least sexy part of distributed programming I've seen	21:34
ayoung	But...seriously, K2K is really not Federation like the rest of federation. It builds on it, but it is not core	21:35
ayoung	I realize we want to do away with Extensions, but if anything should be an extension, it should be K2K	21:36
*** pnavarro has joined #openstack-keystone		21:36
*** ajayaa has quit IRC		21:36
lbragstad	dolphm: I'm poking at adding a branch to keystone-deploy that will setup k2k federation. I have most everything built into a role for federation but I'm thinking that I should break it into two (one for the sp and one for the ipd), any recommendations?	21:36
ayoung	I'm just annoyed because I've avoided becoming a package maintainer this long, and it looks like I am going to be stuck with it, and it really is not something I even want us to support.	21:36
bigjools	I always thought it was a little odd too, since it was just adding a SAML IdP	21:37
*** e0ne has quit IRC		21:37
*** ankita_w_ has joined #openstack-keystone		21:37
ayoung	bigjools, I think I'd be OK if we said we were going to do SAML inside of a single cloud, instead of tokens. But we are not	21:37
*** jsavak has quit IRC		21:38
*** ankita_wagh has quit IRC		21:40
*** Rockyg has quit IRC		21:42
*** jsavak has joined #openstack-keystone		21:43
*** fifieldt has joined #openstack-keystone		21:43
*** navid__ has joined #openstack-keystone		21:43
ayoung	Hey bigjools wanna be a co-presenter in Tokyo?	21:44
bigjools	what for? :)	21:44
ayoung	I've got a presentation proposal for Kerberos with Openstack	21:44
dstanek	bigjools: do it! do it!	21:45
*** bknudson has quit IRC		21:45
bigjools	heh	21:45
bigjools	I have no experience at presenting, and I've never been to ODS before.	21:45
ayoung	https://www.openstack.org/summit/tokyo-2015/call-for-speakers/manage/4007/summary	21:45
bigjools	so it could be a disaster :)	21:45
bigjools	also I'm not using Kerberos any more	21:46
ayoung	bigjools, if there were no potential for disaster, what fun could it really be?	21:46
dstanek	the edge of disaster is where the fun it at	21:46
ayoung	Ah well	21:46
bigjools	one sec, I am in a meeting	21:46
dstanek	ayoung: i think bigjools is running away :-)	21:47
*** jorge_munoz has quit IRC		21:47
bigjools	:)	21:47
*** diazjf has left #openstack-keystone		21:48
ayoung	I asked marekd or josecastroleon too, but I suspect that all their Kerberos is hidden behind SAML now	21:50
openstackgerrit	David Stanek proposed openstack/keystone: Removed dependency.provider https://review.openstack.org/163029	21:50
openstackgerrit	David Stanek proposed openstack/keystone: Removed optional dependency support https://review.openstack.org/162770	21:51
openstackgerrit	David Stanek proposed openstack/keystone: Decouple notifications from DI https://review.openstack.org/162769	21:51
*** jkomg has joined #openstack-keystone		21:52
*** jsavak has quit IRC		21:55
*** jsavak has joined #openstack-keystone		21:56
*** TheIntern has quit IRC		21:57
*** boris-42 has joined #openstack-keystone		22:04
*** anhhuynx has joined #openstack-keystone		22:04
*** annasort has quit IRC		22:04
*** jsavak has quit IRC		22:09
*** ankita_wagh has joined #openstack-keystone		22:10
*** ankita_w_ has quit IRC		22:10
*** pnavarro has quit IRC		22:11
*** piyanai has quit IRC		22:18
*** mylu has quit IRC		22:22
openstackgerrit	Solomon proposed openstack/keystone: Updated ~/keystone/keystone/cmd/manage.py https://review.openstack.org/199758	22:26
*** piyanai has joined #openstack-keystone		22:30
*** piyanai has quit IRC		22:35
*** doug-fish has quit IRC		22:35
*** sigmavirus24 is now known as sigmavirus24_awa		22:35
*** browne has quit IRC		22:42
*** piyanai has joined #openstack-keystone		22:44
*** bknudson has joined #openstack-keystone		22:47
*** ChanServ sets mode: +v bknudson		22:47
*** piyanai has quit IRC		22:47
*** edmondsw has quit IRC		22:50
*** boris-42 has quit IRC		22:56
*** crc32 has quit IRC		22:56
*** csoukup has quit IRC		22:57
*** boris-42 has joined #openstack-keystone		22:57
*** stevemar has joined #openstack-keystone		23:09
*** piyanai has joined #openstack-keystone		23:11
*** ankita_w_ has joined #openstack-keystone		23:12
openstackgerrit	Solomon proposed openstack/keystone: Updated ~/keystone/keystone/cmd/manage.py https://review.openstack.org/199758	23:12
*** ankita_w_ has quit IRC		23:13
*** ankita_wagh has quit IRC		23:13
*** ankita_wagh has joined #openstack-keystone		23:13
*** stevemar has quit IRC		23:13
*** piyanai has quit IRC		23:13
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	23:14
openstackgerrit	Brant Knudson proposed openstack/keystone: Fixes docstring to make it more precise https://review.openstack.org/199338	23:14
*** hrou has quit IRC		23:17
*** tortle has joined #openstack-keystone		23:28
*** anhhuynx has quit IRC		23:28
*** tortle has quit IRC		23:28
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others https://review.openstack.org/196932	23:36
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Move enforcement and time validation to base class https://review.openstack.org/196951	23:36
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Move common request processing to base class https://review.openstack.org/180818	23:36
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate parts of auth_token https://review.openstack.org/190940	23:36
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens https://review.openstack.org/190941	23:36
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	23:40
openstackgerrit	Merged openstack/oslo.policy: Fixes up the API docs and module index https://review.openstack.org/199328	23:41
*** hrou has joined #openstack-keystone		23:49
*** jkomg has quit IRC		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!