Tuesday, 2015-09-15

*** btully has quit IRC		00:01
*** mylu has quit IRC		00:07
*** mylu has joined #openstack-keystone		00:08
*** dsirrine has joined #openstack-keystone		00:10
openstackgerrit	Jamie Lennox proposed openstack/keystone: Reject rule if assertion type unset https://review.openstack.org/216088	00:26
*** roxanagh_ has joined #openstack-keystone		00:26
jamielennox	morgan, mordred: any concerns about: https://review.openstack.org/#/c/221738/	00:26
openstackgerrit	Hidekazu Nakamura proposed openstack/keystone: Update development environment set up doc https://review.openstack.org/223020	00:26
jamielennox	it'd be the same patch for keystoneauht	00:27
mordred	jamielennox: lgtm - let me check with jeblair	00:31
*** roxanag__ has joined #openstack-keystone		00:35
*** roxanagh_ has quit IRC		00:35
morgan	jamielennox: no issues but will defer to mordred and jeblair	00:41
morgan	jamielennox: I have another idea that can come later on	00:41
jamielennox	i can't see any reason it'd be an issue, it just prevents multiple threads authenticating at the same time	00:41
morgan	But this is a good starting place	00:41
jamielennox	so we can have auths from config shared across threads	00:41
jamielennox	morgan: oh?	00:42
jamielennox	morgan: also when you have a moment can you look at https://review.openstack.org/#/c/212341/ again - i want to get those auth_token reviews moving again	00:42
morgan	Yeah. A way to do an async "reauth" if it is still valid	00:42
*** dsirrine has quit IRC		00:42
morgan	So a runner reauths but we don't block waiting on a reauth (optional)	00:43
jamielennox	hmm, i had wondered about that because it will attempt to get a new token ~30 seconds before the old one expires	00:43
morgan	The lock is still needed	00:43
jamielennox	or if invalidated immediately	00:43
morgan	So this is where to start	00:43
jamielennox	yep, this would be required either way	00:43
morgan	Yep. So LGTM as long as no issues are flagged by jeblair or mordred	00:44
*** samueldmq1 has joined #openstack-keystone		00:44
*** samueldmq1 has quit IRC		00:44
*** samueldmq has quit IRC		00:44
*** samueldmq has joined #openstack-keystone		00:45
*** tqtran has quit IRC		00:46
openstackgerrit	Lance Bragstad proposed openstack/keystone: Update federation router with missing call https://review.openstack.org/223361	00:47
mordred	jamielennox: I don't think serializing those auths will be a problem for nodepool- we should not e auth-ing frequently and we certainly want to serialize if need be	00:47
*** roxanag__ has quit IRC		00:47
jamielennox	mordred: so the use case is like nova that using nova user to do certain calls	00:48
jamielennox	at the moment it's a bit dodgy how that works	00:48
*** dims_ has joined #openstack-keystone		00:48
jamielennox	but i want all greenlet threads to share the same token	00:48
jamielennox	this is the only way i can see to share that object and not have them trample each other	00:48
mordred	yeah - I think it's a great idea	00:49
mordred	for those following along- jeblair thinks it looks fine and will not break nodepool	00:52
*** btully has joined #openstack-keystone		01:01
*** arahal_ has joined #openstack-keystone		01:02
*** btully has quit IRC		01:06
*** r-daneel has quit IRC		01:06
*** _cjones_ has quit IRC		01:06
*** arahal_ has quit IRC		01:06
*** ankita_wagh has quit IRC		01:07
*** roxanagh_ has joined #openstack-keystone		01:12
*** roxanag__ has joined #openstack-keystone		01:18
*** roxanagh_ has quit IRC		01:18
*** roxanag__ has quit IRC		01:19
*** ebalduf_ has quit IRC		01:19
*** roxanagh_ has joined #openstack-keystone		01:20
mfisch	stevemar: you here?	01:20
stevemar	mfisch: ahoy	01:20
mfisch	stevemar: trying to figure out of the pycadf module will let me take the event back into an easier to deal with format	01:21
mfisch	I was writing my own class to encapsulate the useful into	01:21
*** roxanagh_ has quit IRC		01:21
mfisch	I dont see a constructor that takes json inbound in the online docs tho	01:22
*** roxanagh_ has joined #openstack-keystone		01:22
*** jsavak has joined #openstack-keystone		01:23
stevemar	mfisch: hmm, its all json-y	01:23
mfisch	?	01:24
stevemar	mfisch: i guess we never really thought of folks trying to extend it	01:24
stevemar	all pycadf has is the .to_dict() function for events	01:24
stevemar	IIRC	01:24
stevemar	mfisch: https://github.com/openstack/pycadf/blob/9c02245f42d544147e290d97b3cb1cac2d9028b0/pycadf/cadftype.py#L81-L83	01:26
mfisch	Im missing something... ok let me look	01:27
stevemar	you can output the event as a dictionary	01:27
stevemar	but you can't create the event from a dictionary, if that's what you're asking	01:27
stevemar	i'm assuming you want to take the existing event, make it a dictionary, modify it, and create an event again?	01:27
mfisch	I just want to have it in a nice to use format	01:28
mfisch	like a python object	01:28
mfisch	which I can do stuff with like	01:28
mfisch	"show me the name of the object on which the action was taken", if it's project.delete, the lookup is different than user.delete for example	01:28
*** roxanagh_ has quit IRC		01:29
mfisch	a class can encapsulate that logic	01:29
*** roxanagh_ has joined #openstack-keystone		01:29
mfisch	otherwise I have stuff like this	01:29
mfisch	host_agent = json_data['payload']['initiator']['host']['agent']	01:29
mfisch	sounds like I'll just parse it myself	01:29
*** urulama has quit IRC		01:30
mfisch	the format is pretty solid between event types right?	01:30
mfisch	s/solid/static	01:30
stevemar	ohh, i see what you mean	01:30
*** urulama has joined #openstack-keystone		01:30
stevemar	mfisch: yes, its very static	01:30
mfisch	I'll paste this code after I work on it more	01:31
stevemar	mfisch: so all of that is a result of how the msg is put onto the mq	01:31
*** sigmavirus24 is now known as sigmavirus24_awa		01:31
stevemar	mfisch: https://github.com/openstack/keystone/blob/da1d4936465a63c99df08bf0b3a6ad9c950b8bef/keystone/notifications.py#L722-L735	01:31
mfisch	one thing my class can do is "tell me the name of the guy who did the thing"	01:31
mfisch	no need to have that logic in 5 places	01:31
stevemar	we create a pycadf object (event), and give it a whole bunch of properties; but to put it on the mq, its gotta be in a dict, so we have to call event.as_dict() and then add that to the event payload	01:32
mfisch	well if you ever add e = Event(message) let me know	01:32
mfisch	this kind of thing for example is useful to me too stevemar	01:34
mfisch	target_type = target_type_uri.split('/')[-1:][0]	01:34
mfisch	preceeded by: target_type_uri = json_data['payload']['initiator']['target']['typeURI']	01:34
*** roxanagh_ has quit IRC		01:34
*** ankita_wagh has joined #openstack-keystone		01:35
*** roxanagh_ has joined #openstack-keystone		01:35
*** davechen has joined #openstack-keystone		01:36
stevemar	mfisch: once i see your code i'll understand whats going on, i'm not opposed to changing up pycadf to construct events based on other input	01:38
stevemar	pycadf has been static for a while now	01:39
*** davechen1 has joined #openstack-keystone		01:40
*** jecarey has joined #openstack-keystone		01:40
*** dave-mccowan has quit IRC		01:40
*** davechen has quit IRC		01:42
*** roxanag__ has joined #openstack-keystone		01:44
*** roxanagh_ has quit IRC		01:44
*** lhcheng_ has joined #openstack-keystone		01:45
*** lhcheng has quit IRC		01:45
*** EinstCrazy has joined #openstack-keystone		01:47
*** mylu_ has joined #openstack-keystone		01:48
*** mylu has quit IRC		01:51
*** roxanag__ has quit IRC		01:55
*** roxanagh_ has joined #openstack-keystone		01:55
*** roxanagh_ has quit IRC		01:57
*** roxanagh_ has joined #openstack-keystone		01:57
*** roxanagh_ has quit IRC		02:01
*** roxanagh_ has joined #openstack-keystone		02:01
*** jsavak has quit IRC		02:04
*** ebalduf_ has joined #openstack-keystone		02:08
*** ankita_wagh has quit IRC		02:08
*** dims_ has quit IRC		02:11
*** roxanagh_ has quit IRC		02:12
*** roxanag__ has joined #openstack-keystone		02:12
*** dave-mccowan has joined #openstack-keystone		02:13
*** urulama has quit IRC		02:16
*** urulama has joined #openstack-keystone		02:16
mfisch	stevemar: thanks I'll post some code later	02:17
*** dave-mccowan has quit IRC		02:17
*** roxanag__ has quit IRC		02:22
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/222000	02:23
*** SheenaG has joined #openstack-keystone		02:32
*** geoffarnoldX is now known as geoffarnold		02:35
*** davechen has joined #openstack-keystone		02:39
*** davechen1 has quit IRC		02:41
*** jasonsb has joined #openstack-keystone		02:43
*** jasonsb has quit IRC		02:46
*** btully has joined #openstack-keystone		02:49
*** btully has quit IRC		02:54
*** Nirupama has joined #openstack-keystone		02:56
*** gyee has quit IRC		03:01
*** dims_ has joined #openstack-keystone		03:12
*** SheenaG has quit IRC		03:12
*** dave-mccowan has joined #openstack-keystone		03:14
*** markvoelker has quit IRC		03:15
*** dave-mccowan has quit IRC		03:18
*** dims_ has quit IRC		03:19
*** erhudy1 has quit IRC		03:25
*** sigmavirus24_awa has quit IRC		03:27
*** dtroyer has quit IRC		03:27
*** eglute has quit IRC		03:27
*** lbragstad has quit IRC		03:27
*** mgagne has quit IRC		03:28
*** dolphm has quit IRC		03:28
*** hockeynut has quit IRC		03:28
*** Guest60363 has quit IRC		03:28
*** jacorob has quit IRC		03:28
*** sudorandom has quit IRC		03:28
*** rm_work has quit IRC		03:28
*** comstud has quit IRC		03:28
*** darrenc_ has joined #openstack-keystone		03:29
*** gus has quit IRC		03:29
*** darrenc has quit IRC		03:29
*** doug-fish has joined #openstack-keystone		03:29
*** sudorandom has joined #openstack-keystone		03:30
*** dtroyer has joined #openstack-keystone		03:30
*** jacorob has joined #openstack-keystone		03:30
*** hockeynut has joined #openstack-keystone		03:30
*** eglute has joined #openstack-keystone		03:30
*** dolphm has joined #openstack-keystone		03:30
*** lbragstad has joined #openstack-keystone		03:30
*** comstud has joined #openstack-keystone		03:30
*** rm_work has joined #openstack-keystone		03:31
*** blewis has joined #openstack-keystone		03:31
*** blewis is now known as Guest82354		03:31
*** gus has joined #openstack-keystone		03:31
*** mgagne has joined #openstack-keystone		03:31
*** sigmavirus24_awa has joined #openstack-keystone		03:32
*** doug-fish has quit IRC		03:34
*** geoffarnold is now known as geoffarnoldX		03:36
*** hockeynut has quit IRC		03:39
*** sudorandom has quit IRC		03:39
*** Guest82354 has quit IRC		03:39
*** eglute has quit IRC		03:39
*** lbragstad has quit IRC		03:39
*** mgagne has quit IRC		03:41
*** gus has quit IRC		03:41
*** sigmavirus24_awa has quit IRC		03:41
*** comstud has quit IRC		03:41
*** rm_work has quit IRC		03:41
*** dolphm has quit IRC		03:41
*** dtroyer has quit IRC		03:41
*** jacorob has quit IRC		03:41
*** d34dh0r53 has quit IRC		03:42
*** ankita_wagh has joined #openstack-keystone		03:43
*** gus has joined #openstack-keystone		03:44
*** doug-fish has joined #openstack-keystone		03:44
*** roxanagh_ has joined #openstack-keystone		03:48
*** doug-fish has quit IRC		03:49
*** lhcheng_ has quit IRC		03:49
*** lhcheng has joined #openstack-keystone		03:49
*** ChanServ sets mode: +v lhcheng		03:49
*** david-lyle has joined #openstack-keystone		03:50
*** blewis_ has joined #openstack-keystone		04:03
*** eglute has joined #openstack-keystone		04:03
*** sudorandom has joined #openstack-keystone		04:03
*** comstud has joined #openstack-keystone		04:03
*** dolphm has joined #openstack-keystone		04:03
*** jacorob has joined #openstack-keystone		04:03
*** mgagne has joined #openstack-keystone		04:03
*** hockeynut has joined #openstack-keystone		04:03
*** rm_work has joined #openstack-keystone		04:04
*** dtroyer has joined #openstack-keystone		04:04
*** d34dh0r53 has joined #openstack-keystone		04:04
*** lbragstad has joined #openstack-keystone		04:04
*** sigmavirus24_awa has joined #openstack-keystone		04:04
*** mylu_ has quit IRC		04:05
*** mylu has joined #openstack-keystone		04:05
*** dave-mccowan has joined #openstack-keystone		04:15
*** markvoelker has joined #openstack-keystone		04:15
*** dims_ has joined #openstack-keystone		04:16
*** mylu has quit IRC		04:17
*** dave-mccowan has quit IRC		04:19
*** markvoelker has quit IRC		04:21
*** darrenc_ is now known as darrenc		04:21
*** dims_ has quit IRC		04:22
*** btully has joined #openstack-keystone		04:24
*** lhcheng has quit IRC		04:30
*** stevemar has quit IRC		04:34
*** stevemar has joined #openstack-keystone		04:35
*** ChanServ sets mode: +v stevemar		04:35
*** ankita_wagh has quit IRC		04:40
*** ankita_wagh has joined #openstack-keystone		04:40
*** ankita_wagh has quit IRC		04:42
*** jecarey has quit IRC		04:42
*** ankita_wagh has joined #openstack-keystone		04:43
*** shoutm has quit IRC		04:45
*** ebalduf_ has quit IRC		04:45
*** shoutm has joined #openstack-keystone		04:55
*** roxanagh_ has quit IRC		05:12
*** dave-mccowan has joined #openstack-keystone		05:16
*** doug-fish has joined #openstack-keystone		05:17
*** dave-mccowan has quit IRC		05:20
*** doug-fish has quit IRC		05:21
*** ninag has joined #openstack-keystone		05:24
*** ninag has quit IRC		05:28
*** ankita_wagh has quit IRC		05:31
*** richm has quit IRC		05:37
*** shoutm has quit IRC		05:45
*** shoutm has joined #openstack-keystone		05:48
*** hrou has quit IRC		05:50
*** henrynash has joined #openstack-keystone		06:00
*** ChanServ sets mode: +v henrynash		06:00
*** henrynash has quit IRC		06:00
*** markvoelker has joined #openstack-keystone		06:18
*** lhcheng has joined #openstack-keystone		06:18
*** ChanServ sets mode: +v lhcheng		06:18
*** woodster_ has quit IRC		06:19
*** stevemar has quit IRC		06:19
*** stevemar has joined #openstack-keystone		06:21
*** ChanServ sets mode: +v stevemar		06:21
*** markvoelker has quit IRC		06:22
*** lhcheng has quit IRC		06:23
*** ParsectiX has joined #openstack-keystone		06:24
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins https://review.openstack.org/223429	06:25
stevemar	jamielennox: hmmm? ^	06:27
jamielennox	stevemar: you like?	06:27
*** urulama has quit IRC		06:28
stevemar	jamielennox: its interesting	06:28
*** lhcheng has joined #openstack-keystone		06:29
*** ChanServ sets mode: +v lhcheng		06:29
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins https://review.openstack.org/223429	06:30
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Move generic loading tests into loading folder https://review.openstack.org/223431	06:30
jamielennox	stevemar: there's been talk about something like it for a long time, it was just a bit harder with keystoneclient	06:31
openstackgerrit	javeme proposed openstack/python-keystoneclient: pass correct max_positional_arg 4 utils.positional https://review.openstack.org/207857	06:32
jamielennox	stevemar: it came up again so i just wanted to see what was required and see what people thought	06:32
*** urulama has joined #openstack-keystone		06:40
*** e0ne has joined #openstack-keystone		06:40
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins https://review.openstack.org/223429	06:41
*** htruta has quit IRC		06:44
*** e0ne has quit IRC		06:44
*** mordred has quit IRC		06:46
*** shadower has joined #openstack-keystone		06:46
*** e0ne has joined #openstack-keystone		06:48
*** htruta has joined #openstack-keystone		06:48
*** mordred has joined #openstack-keystone		06:49
*** btully has quit IRC		06:57
*** henrynash has joined #openstack-keystone		06:59
*** ChanServ sets mode: +v henrynash		06:59
*** exploreshaifali has joined #openstack-keystone		07:05
*** boris-42 has quit IRC		07:10
*** e0ne has quit IRC		07:10
*** pnavarro has joined #openstack-keystone		07:17
mordred	jamielennox: so, for DNS - that looks like it's going to look for an _openstack_keystone TXT record ... any chance we could also hav ean AUTH_HOST config value and have the DNS look for _openstack_keystone.AUTH_HOST?	07:25
mordred	jamielennox: I actually had a cloud change their base keystone auth url on me yesterday - so one could imagine a world where public clouds could just set the txt record and update it if/when they need to move the base URL	07:27
*** martinus__ has joined #openstack-keystone		07:27
*** e0ne has joined #openstack-keystone		07:31
*** shoutm_ has joined #openstack-keystone		07:35
*** shoutm has quit IRC		07:35
*** e0ne has quit IRC		07:42
*** lhcheng has quit IRC		07:44
*** e0ne has joined #openstack-keystone		07:46
*** e0ne has quit IRC		07:51
*** fhubik has joined #openstack-keystone		07:54
*** sdake has quit IRC		08:07
*** humble__ has joined #openstack-keystone		08:10
humble__	jamielennox: ping	08:11
*** jistr has joined #openstack-keystone		08:18
*** markvoelker has joined #openstack-keystone		08:19
*** dims_ has joined #openstack-keystone		08:20
*** markvoelker has quit IRC		08:23
*** humble_ has joined #openstack-keystone		08:24
*** henrynash has quit IRC		08:24
*** humble__ has quit IRC		08:28
openstackgerrit	Dave Chen proposed openstack/keystonemiddleware: Unregister some configuration options after test https://review.openstack.org/222919	08:31
openstackgerrit	Merged openstack/keystoneauth: Identity plugin thread safety https://review.openstack.org/221551	08:37
*** humble__ has joined #openstack-keystone		08:42
jamielennox	humble_: pong	08:45
jamielennox	mordred: what's the use case? i was thinking that not adding extra flags to an auth plugin was good	08:45
mordred	jamielennox: 2 use cases	08:45
jamielennox	a while ago i had a proposal for default_domain as well - a domain used in v3 but dropped in v2 and i was thinking that was a candidate for DNS as well	08:46
*** acc has joined #openstack-keystone		08:46
*** humble_ has quit IRC		08:46
mordred	jamielennox: a) I have 9 cloud accounts, _openstack_keystone without a domain attached is likely never going to be set for me BUT	08:46
humble__	jamielennox: I want to put keystone.token_auth in context, but it can not be serialized by oslo.messaging.	08:47
jamielennox	right - but this is DNS so likely propogating within a corporate environment where i really only want one entry	08:47
jamielennox	humble__: yea :(	08:47
mordred	jamielennox: b) I know the domain of eachof the cloud providers - so I'd love to just be able to say "cloud=hpcloud.com" "cloud=citycloud.net" "cloud=auro.net"	08:47
*** e0ne has joined #openstack-keystone		08:48
mordred	which is well known, easy to guess and not likely to change	08:48
jamielennox	humble__: that is the major problem with it at the moment. I was hoping to get some auth_token fixes made and then test it in keystone but that's taken a really long time to pass	08:48
jamielennox	humble__: also oslo.context has changed since last i looked at it and i need to rewrite the integration there - i was hoping the context would be based on the plugin but it might have to be the other way around	08:48
mordred	instead, I have to say "auth_url=https://region-b.geo-1.identity.hpcloudsvc.com:35357/v2.0" "cloud=https://identity1.citycloud.com:5000/v3/" "cloud=https://api.van1.auro.io:5000/v2.0"	08:48
mordred	whic his just all insane	08:49
mordred	jamielennox: totally. your thing is awesome for corporate environments	08:49
humble__	jamielennox: Is there a way I can use now?	08:49
mordred	also - auro really did change their keystone aurl_url recently	08:49
*** fhubik has quit IRC		08:49
mordred	and the hard part about that is that you can only learn what's up by logging in to the provider web dashboard, which you likely never use otherwise	08:50
jamielennox	humble__: not really, there is some stuff i did in nova, and somewhere else that i've forgotten, that built a custom plugin from the context just for that service	08:50
jamielennox	humble__: so you can replicate that, but there is nothing that provides a helper for using that actual plugin	08:51
openstackgerrit	Dave Chen proposed openstack/keystonemiddleware: Unregister some configuration options after test https://review.openstack.org/222919	08:51
jamielennox	mordred: so my DNS knowledge is fairly average - but why would my DNS server want to register half a dozen cloud entry points rather than use something like OCC?	08:52
jamielennox	AFAIK txt is not something that propogates around the internet like that	08:52
*** dims_ has quit IRC		08:53
*** stevemar has quit IRC		09:04
*** exploreshaifali has quit IRC		09:04
*** acc has quit IRC		09:08
*** aix has quit IRC		09:09
mordred	jamielennox: it totally is	09:11
mordred	jamielennox: this is actually how jabber works	09:11
mordred	jamielennox: you say "I want to connect in an XMPP session to mordred@inaugust.com" and the jabber client looks up a set of known DNS entries on top of the inaugust.com domain	09:12
mordred	jamielennox: I mean, you should use OCC - but also, if you just want to connect to citycloud, you shouldn't really need to go digging through their dashboard to learn that the url is https://identity1.citycloud.com:5000/v3/	09:13
mordred	IMO	09:13
jamielennox	I guess it really is no different to MX or any of the others	09:13
mordred	(in fact..):	09:14
mordred	_xmpp-server._tcp IN SRV 5 0 5269 scylla.inaugust.com.	09:14
mordred	_xmpp-client._tcp IN SRV 5 0 5222 scylla.inaugust.com.	09:14
mordred	_jabber._tcp IN SRV 5 0 5269 scylla.inaugust.com.	09:14
mordred	there are the XMPP records to make inaugust.com behave like a well-behaved XMPP server	09:14
*** davechen has left #openstack-keystone		09:16
mordred	jamielennox: to be clear, I think the dns patch is great and should not block on this - just talking about next steps - don't want perfect to get in the way of good	09:16
jamielennox	so i only see A and RRSIG which looks like some sort of key/sig	09:17
*** urulama has quit IRC		09:17
*** urulama has joined #openstack-keystone		09:17
*** fhubik has joined #openstack-keystone		09:19
jamielennox	mordred: right - and i honestly think the corp is an easier/more important solve at the moment, but i just want to make sure one doesn't get in the way of another	09:19
mordred	++	09:19
*** markvoelker has joined #openstack-keystone		09:19
*** katkapilatova has joined #openstack-keystone		09:24
*** markvoelker has quit IRC		09:24
*** katkapilatova has left #openstack-keystone		09:24
*** katkapilatova has joined #openstack-keystone		09:27
*** ParsectiX has quit IRC		09:35
*** ParsectiX has joined #openstack-keystone		09:36
*** bradjones\|away has quit IRC		09:47
*** bradjones has joined #openstack-keystone		09:49
*** bradjones has quit IRC		09:49
*** bradjones has joined #openstack-keystone		09:49
*** dims_ has joined #openstack-keystone		09:52
*** dims_ has quit IRC		09:57
*** aix has joined #openstack-keystone		09:57
*** stevemar has joined #openstack-keystone		10:04
*** ChanServ sets mode: +v stevemar		10:04
*** richm has joined #openstack-keystone		10:06
*** stevemar has quit IRC		10:08
*** chlong has quit IRC		10:09
*** chlong has joined #openstack-keystone		10:11
openstackgerrit	Merged openstack/keystone: Update federation router with missing call https://review.openstack.org/223361	10:22
*** flwang has quit IRC		10:31
*** flwang has joined #openstack-keystone		10:32
*** humble_ has joined #openstack-keystone		10:37
*** shoutm_ has quit IRC		10:40
*** humble__ has quit IRC		10:41
*** shoutm has joined #openstack-keystone		10:41
*** dims_ has joined #openstack-keystone		10:44
openstackgerrit	Alexander Makarov proposed openstack/keystone: Check datetime string to validate is a string https://review.openstack.org/223228	10:49
samueldmq	morning	10:55
openstackgerrit	Merged openstack/keystoneauth: Move generic loading tests into loading folder https://review.openstack.org/223431	10:56
*** shoutm has quit IRC		11:05
*** pnavarro is now known as pnavarro\|lunch		11:13
*** shoutm has joined #openstack-keystone		11:14
*** EinstCrazy has quit IRC		11:15
*** markvoelker has joined #openstack-keystone		11:20
*** e0ne has quit IRC		11:22
*** markvoelker has quit IRC		11:25
*** sdake has joined #openstack-keystone		11:25
*** dsirrine has joined #openstack-keystone		11:27
*** sdake_ has joined #openstack-keystone		11:31
*** sdake has quit IRC		11:31
*** pnavarro\|lunch has quit IRC		11:32
*** gordc has joined #openstack-keystone		11:34
*** Nirupama has quit IRC		11:35
*** EinstCrazy has joined #openstack-keystone		11:39
*** dsirrine has quit IRC		11:40
*** pnavarro\|lunch has joined #openstack-keystone		11:51
*** stevemar has joined #openstack-keystone		12:06
*** ChanServ sets mode: +v stevemar		12:06
*** nicodemos has joined #openstack-keystone		12:07
*** henrynash has joined #openstack-keystone		12:08
*** ChanServ sets mode: +v henrynash		12:08
*** stevemar has quit IRC		12:09
*** EinstCrazy has quit IRC		12:13
*** markvoelker has joined #openstack-keystone		12:19
*** nicodemos has quit IRC		12:24
*** shoutm has quit IRC		12:24
*** raildo-afk is now known as raildo		12:25
*** sdake_ has quit IRC		12:30
*** SheenaG has joined #openstack-keystone		12:31
*** pnavarro\|lunch is now known as pnavarro		12:36
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token() https://review.openstack.org/197647	12:36
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	12:36
openstackgerrit	Lance Bragstad proposed openstack/keystone: Additional documentation for services https://review.openstack.org/211184	12:41
*** richm has quit IRC		12:43
*** humble_ has quit IRC		12:44
*** doug-fish has joined #openstack-keystone		12:47
*** edmondsw has joined #openstack-keystone		12:47
*** thiagop has quit IRC		12:47
*** flaper87 has joined #openstack-keystone		12:56
*** richm has joined #openstack-keystone		12:57
*** flaper87 has left #openstack-keystone		12:57
*** amakarov_away is now known as amakarov		12:59
*** fhubik is now known as fhubik_brb		12:59
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add caching to get_catalog https://review.openstack.org/215212	12:59
amakarov	lbragstad, hi! Help me please: how to issue a Fernet token using curl? I'm getting it truncated in X-Subject-Token	13:00
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add documentation for configuring IdP WebSSO https://review.openstack.org/218353	13:04
openstackgerrit	Lance Bragstad proposed openstack/keystone: Ensure token validation works irrespective of padding https://review.openstack.org/221786	13:05
lbragstad	amakarov: you should be able to get a token using curl, but inspecting the headers	13:06
*** ninag has joined #openstack-keystone		13:06
lbragstad	amakarov: what's the curl call you're making?	13:06
*** ninag has quit IRC		13:06
amakarov	curl -i -H "Content-Type: application/json" -d '	13:06
amakarov	{ "auth": {	13:06
amakarov	"identity": {	13:06
amakarov	"methods": ["password"],	13:06
amakarov	"password": {	13:06
amakarov	"user": {	13:06
amakarov	"name": "admin",	13:06
amakarov	"domain": { "id": "default" },	13:06
amakarov	"password": "admin"	13:06
amakarov	}	13:06
amakarov	}	13:06
amakarov	}	13:06
amakarov	}	13:06
amakarov	}' http://192.168.0.7:5000/v3/auth/tokens	13:06
*** ayoung has joined #openstack-keystone		13:07
*** ChanServ sets mode: +v ayoung		13:07
amakarov	lbragstad, ^	13:07
lbragstad	amakarov: what's the response you're getting (try using http://pasteraw.com/ )	13:07
lbragstad	amakarov: and then just post the link	13:07
amakarov	http://cdn.pasteraw.com/dlhqxse7iyszfncr8jwn5wgs5pmz04o	13:08
lbragstad	amakarov: looks like it's working...	13:08
*** tdurakov_ has quit IRC		13:09
lbragstad	looks like it's an unscoped token response..	13:09
amakarov	lbragstad, yes, but token is shorter than it should be )	13:09
lbragstad	which is consistent with the request	13:09
lbragstad	amakarov: how so?	13:09
lbragstad	amakarov: see if you can decrypt it and inspect the contents...	13:10
amakarov	lbragstad, doing that	13:10
lbragstad	amakarov: you can use https://github.com/lbragstad/fernet-inspector if it helps	13:10
lbragstad	amakarov: http://cdn.pasteraw.com/fsq4fmye4b6sphj41xjc261dzn9a7e0	13:11
*** thiagop has joined #openstack-keystone		13:12
*** hrou has joined #openstack-keystone		13:12
amakarov	lbragstad, http://cdn.pasteraw.com/hv4acrpdlndhth57byqt4c5ihvqa8bb	13:16
amakarov	lbragstad, I presume, given that it was decoded, the token is valid	13:16
amakarov	?	13:16
lbragstad	amakarov: yep, at least according to the Fernet spec	13:17
lbragstad	amakarov: you can try passing it back to keystone and validate it	13:17
amakarov	lbragstad, ok, thanks	13:17
lbragstad	amakarov: it shouldn't have an issue decrypting it	13:17
lbragstad	amakarov: fernet unscoped tokens have a little less in their payloads so the typically end up being a bit smaller than project or domain scoped fernet tokens.	13:18
amakarov	lbragstad, it looks like I've mistaken it for scoped one	13:18
*** jecarey has joined #openstack-keystone		13:19
*** dims_ has quit IRC		13:21
*** dims_ has joined #openstack-keystone		13:22
amakarov	lbragstad, thank you! Getting a scoped token works as it should - my mistake	13:24
lbragstad	amakarov: no problem! glad it worked!	13:26
*** jsavak has joined #openstack-keystone		13:32
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/192319	13:33
*** btully has joined #openstack-keystone		13:44
*** nicodemos has joined #openstack-keystone		13:49
*** ninag has joined #openstack-keystone		13:57
*** ParsectiX has quit IRC		14:06
*** phalmos has joined #openstack-keystone		14:06
*** lsmola has quit IRC		14:06
*** stevemar has joined #openstack-keystone		14:06
*** ChanServ sets mode: +v stevemar		14:06
*** stevemar has quit IRC		14:10
*** gabriel-bezerra has quit IRC		14:11
openstackgerrit	Dave Chen proposed openstack/keystonemiddleware: update middlewarearchitecture.rst https://review.openstack.org/219162	14:11
*** gabriel-bezerra has joined #openstack-keystone		14:11
*** sigmavirus24_awa is now known as sigmavirus24		14:13
openstackgerrit	Dave Chen proposed openstack/keystonemiddleware: Configuration is outdated https://review.openstack.org/220545	14:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/222000	14:15
*** SheenaG has quit IRC		14:15
*** exploreshaifali has joined #openstack-keystone		14:17
*** slberger has joined #openstack-keystone		14:18
*** david-lyle has quit IRC		14:20
dstanek	lbragstad: do you know if fernet works ok in devstack? i have to assume it does, but i don't want to go down that path right now if there are known issues	14:32
lbragstad	dstanek: the only issues we are hitting are the ones with tempest	14:36
lbragstad	dstanek: which are side-effects of sub-second precision	14:36
lbragstad	dstanek: which are shown here - https://review.openstack.org/#/c/195780/	14:36
dstanek	lbragstad: perfect. i'll update my setup then to start using fernet.	14:36
lbragstad	dstanek: and documented here - https://bugs.launchpad.net/keystone/+bug/1473567	14:38
openstack	Launchpad bug 1473567 in Keystone "Fernet tokens fail tempest runs" [High,Triaged]	14:38
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: auth_token tests use clean config https://review.openstack.org/223338	14:38
*** gabriel-bezerra has quit IRC		14:40
*** dsirrine has joined #openstack-keystone		14:40
*** dsirrine has quit IRC		14:44
morgan	Oh Steve is offline	14:45
morgan	Was going to bug him	14:45
*** katkapilatova has left #openstack-keystone		14:45
morgan	If we want new client, middleware, pycadf, or any other lib releases we need to cut them by tomorrow	14:47
morgan	Please check them over. I will be putting in the requests for this tonight	14:47
morgan	I'll comment on this at the meeting as well	14:47
bknudson	we need new olso.policy.	14:48
bknudson	morgan: 0.11.1	14:48
bknudson	morgan: are we going to need another keystoneclient release after translations get updated?	14:49
bknudson	assuming translations get updated	14:49
bknudson	keystonemiddleware doesn't need a release	14:50
morgan	Dunno on ksc	14:50
morgan	Policy will go out with the Oslo batches	14:50
morgan	KSM has 1-2 new patches that we might as well grab but aren't needed	14:51
morgan	Keystoneauth I need to bug mordred and jamielennox	14:51
mordred	aroo?	14:52
morgan	Releases of libraries	14:52
mordred	libraries are neat	14:52
morgan	Have to go out for tomorrow. So keystoneauth	14:52
*** geoffarnoldX is now known as geoffarnold		14:52
morgan	Do we need a 1.0.1 for the loading fixes etc?	14:52
bknudson	keystoneauth has a bug fix.	14:52
*** fhubik_brb is now known as fhubik		14:53
morgan	bknudson: ok so we do need 1.0.1	14:53
morgan	Cool	14:53
bknudson	personally I'd like to see a freeze on keystoneauth dev until something starts using it as is	14:53
bknudson	e.g., keystonemiddleware	14:53
bknudson	then we can gate on it	14:53
morgan	There are a couple fixes that will come over from ksc. But I'm going to freeze ksc session work too	14:54
morgan	Once those 1 or 2 land	14:54
morgan	ksc session will be frozen after the next release of keystoneclient	14:54
*** shoutm has joined #openstack-keystone		14:54
*** phalmos has quit IRC		14:54
*** pnavarro is now known as pnavarro\|off		14:55
*** stevemar has joined #openstack-keystone		14:56
*** ChanServ sets mode: +v stevemar		14:56
*** zzzeek has joined #openstack-keystone		14:56
*** phalmos has joined #openstack-keystone		14:59
*** gabriel-bezerra has joined #openstack-keystone		15:07
*** csoukup has joined #openstack-keystone		15:07
openstackgerrit	Konstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting https://review.openstack.org/207456	15:09
*** flaper87 has joined #openstack-keystone		15:09
flaper87	Greetings. Does this look ok? https://github.com/openstack/python-glanceclient/blob/master/glanceclient/shell.py#L482-L489	15:10
flaper87	is domain_name or domain_id required when using the project_name ?	15:10
bknudson	flaper87: yes	15:10
flaper87	bknudson: danke :)	15:10
bknudson	flaper87: why doesn't tenant_name require domain?	15:11
bknudson	does it use v2 instead?	15:11
henrynash	flaper87: why doens’t tenant need a domain spec as well?	15:11
henrynash	oops	15:11
*** fhubik is now known as fhubik_brb		15:12
flaper87	well, that's the quesiton I was about to ask to you :)	15:12
flaper87	I guess that line is not really ok	15:12
flaper87	bknudson: henrynash thanks folks	15:12
bknudson	tenant is just another name for project so there should just be a translation	15:12
*** roxanaghe has quit IRC		15:13
flaper87	bknudson: yup, I know that and I would expect the requirements to be the same	15:13
*** david-lyle has joined #openstack-keystone		15:13
flaper87	(hence my questions)	15:14
flaper87	:D	15:14
*** jorge_munoz has quit IRC		15:16
bknudson	also, you should deprecate your CLI and use openstack unified CLI instead.	15:16
*** shoutm has quit IRC		15:17
flaper87	bknudson: one step at a time	15:17
flaper87	but yeah	15:17
*** flaper87 has left #openstack-keystone		15:18
*** jorge_munoz has joined #openstack-keystone		15:19
*** e0ne has joined #openstack-keystone		15:20
*** fhubik_brb is now known as fhubik		15:24
ayoung	gah	15:24
*** roxanaghe has joined #openstack-keystone		15:27
morgan	stevemar, ayoung: FYI once the PTL election is over I am delegating the rest of the release stuff to whomever wins. Choose wisely if you would like to continue to run for PTL.	15:28
ayoung	morgan, care to share your notebook on these tasks?	15:29
*** flaper87 has joined #openstack-keystone		15:29
*** shadower has quit IRC		15:30
morgan	ayoung: notebook? It is mostly talking with relmanagement and taking care of the rc bugs and babysitting the gate	15:30
morgan	And managing the rc milestone(s)	15:30
morgan	Finally, it is writing release notes	15:31
ayoung	morgan, might I request that you gather your thoughts on said issues to hand them off....	15:31
ayoung	flaper87, hey...	15:31
morgan	^^ there you have the thoughts ;)	15:31
ayoung	morgan is ROAD.	15:31
ayoung	flaper87, so I think you can get all of the values you need from the AUTH plugin	15:32
henrynash	do we have a sensible way to check from our RESTful unit tests (e.g. test_v3_identity) if the keystone “server” issues a deprecation warning?	15:32
*** exploreshaifali has quit IRC		15:32
flaper87	ayoung: is that keystoneauth1 ?	15:32
ayoung	flaper87, um...it will be, but still in keystoneclient for now	15:33
flaper87	ayoung: gotcha	15:33
bknudson	henrynash: should be able to attach a Mock to whatever is called to indicate deprecation and then verify it was invoked.	15:33
ayoung	flaper87, what are you trying to do?	15:34
flaper87	ayoung: this is how it's currently done: https://github.com/openstack/python-glanceclient/blob/master/glanceclient/shell.py#L406	15:34
flaper87	ayoung: not much really, just found that while fixing a different thing	15:34
flaper87	and thought I'd fix that as well	15:34
ayoung	hmmm	15:35
*** boris-42 has joined #openstack-keystone		15:35
ayoung	so you were mixinfg the user and project domains?	15:35
ayoung	oh...you are detecting that the domain was set for at least one....	15:36
ayoung	so, default domain is a bad name	15:36
ayoung	it really is just supposed to be default for V2	15:36
henrynash	bknudson: …yep that was what I was trying to do…maybe I’not got it quite right..let me experiement further	15:36
flaper87	ayoung: lemme rephrase that. I was looking at something that had nothing to do with auth and then I realized that we require domain_id or domain_name to be set if project_name is used	15:36
ayoung	if you specify V3...it should be V3 for both.	15:36
ayoung	yeah...so that should be explicitly OS_PROJECT_DOMAIN_[ID\|NAME]	15:36
ayoung	flaper87, and...we don't give you a good qay to query the domain ID, so if you've been using V2, but now you need V3 due to an assignment in another domain, you have to work for it	15:37
ayoung	flaper87, I realize it is hard for you to overlap with jamielennox in Australia, but I think you would benefit from a short conversation with him about auth plugins here. You are doing things that tie us to the Password Auth approach, and we are quickly moving beyond that.	15:38
flaper87	ayoung: I think jamielennox was one of the last to touch that keystone code (or similar)	15:40
flaper87	ayoung: but yeah, I pinged him earlier today and he wasn't around	15:40
flaper87	ayoung: I'll keep pinging him and seek for a path forward from this current state	15:40
ayoung	flaper87, you are in Italy now, right? He'll be around for the Keystone meeting at 2 US Easter, in a bout 2 hours.	15:41
ayoung	flaper87, but I'll be happy to proxy your concerns on this. However, what bknudson said about moving to the common CLI is your best bet. I'd just leave it brokn and focus efforts there	15:41
ayoung	I think that glance is pretty well working with common, no?	15:42
flaper87	ayoung: feel free to proxy my concerns if I'm not around	15:43
flaper87	while I'd like to move to the common CLI, I think we need some other prios for now. Lets see what Mitaka brings	15:43
flaper87	ayoung: thanks for the support :)	15:44
flaper87	but yeah, I agree moving to common would be better	15:44
*** pece has joined #openstack-keystone		15:44
*** roxanaghe has quit IRC		15:45
*** ebalduf has joined #openstack-keystone		15:47
*** gyee has joined #openstack-keystone		15:53
*** ChanServ sets mode: +v gyee		15:53
*** geoffarnold is now known as geoffarnoldX		15:53
*** fhubik is now known as fhubik_brb		15:54
*** richm has quit IRC		15:59
*** ankita_wagh has joined #openstack-keystone		16:01
openstackgerrit	Brant Knudson proposed openstack/keystone: Document httpd for accept on /identity, /identity_admin https://review.openstack.org/195766	16:01
*** fhubik_brb is now known as fhubik		16:05
*** diazjf has joined #openstack-keystone		16:10
*** richm has joined #openstack-keystone		16:13
*** geoffarnoldX is now known as geoffarnold		16:14
*** phalmos has quit IRC		16:14
stevemar	bknudson: why :443/identiity and /identity_admin	16:16
stevemar	why do we need /identity_admin at all?	16:17
bknudson	stevemar: for v2.	16:17
stevemar	bah	16:17
stevemar	screw v2!	16:17
stevemar	and whats your reason for :443?	16:18
*** richm has quit IRC		16:18
bknudson	stevemar: 443 is the default port for https	16:18
gyee	nothing on the meeting agenda today? no meeting then?	16:19
*** _cjones_ has joined #openstack-keystone		16:20
*** richm has joined #openstack-keystone		16:20
*** fhubik has quit IRC		16:22
*** jistr has quit IRC		16:24
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: auth_token tests use clean config https://review.openstack.org/223338	16:24
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Remove unused group parameter from tests https://review.openstack.org/223679	16:24
morgan	gyee: there is a meeting	16:24
morgan	Have some relmngment stuff to go over	16:24
gyee	morgan, sounds good	16:26
*** lhcheng has joined #openstack-keystone		16:26
*** ChanServ sets mode: +v lhcheng		16:26
stevemar	bknudson: true true	16:27
*** ninag has quit IRC		16:27
*** sdake has joined #openstack-keystone		16:28
morgan	There agenda updated	16:30
*** sdake_ has joined #openstack-keystone		16:31
gyee	do mo morgan son	16:31
*** sdake has quit IRC		16:35
*** aix has quit IRC		16:39
ayoung	stevemar, he's right	16:40
ayoung	https://wiki.openstack.org/wiki/URLs#Keystone stevemar	16:40
*** GheRivero has joined #openstack-keystone		16:41
stevemar	ayoung: aye, bknudson is rarely wrong, i was just trying to extract all the information out	16:41
ayoung	stevemar, look at the date on that Wiki	16:41
ayoung	I wrote that when Keystone was me, dolphm and Joe Heck.	16:41
ayoung	man this is a long-view project	16:42
stevemar	ayoung: oooof	16:42
stevemar	needs buy-in from all projects	16:42
stevemar	but definitely possible	16:43
dolphm	stevemar: bknudson: both are :443 though, right?	16:44
*** mylu has joined #openstack-keystone		16:44
*** annasort has joined #openstack-keystone		16:44
stevemar	dolphm: i assume so	16:44
stevemar	why wouldn't v2 be https	16:44
dolphm	just a sanity check	16:44
*** fifieldt_ has quit IRC		16:49
ayoung	stevemar, so the thing to keep in mind is that if you do 443 all on the same hostname, they have to be in the same web server. Mixing eventlet and HTTPD on 443 won't wokr. THe Eventlet story is priamrity some other TLS termination	16:50
*** mylu has quit IRC		16:50
ayoung	So, if you have an all-in-one install, and both Nova and Keystone are on the same machine, one can't run on 443	16:51
dolphm	so you front them both with a real HTTPS terminator	16:51
ayoung	Now, I think we could resurrect the Nova-in-HTTPD approach. I origianlly followed a rackspace article when doing the Keystone stuff that was arouind running nOva in HTTPD	16:51
dolphm	and leave the developer solutions to the dev boxes	16:51
ayoung	dolphm, that is also an option, but the terminator has to support the authentication, too	16:52
ayoung	and most don't do Kerberos or X509. THis is not a devloper-centric solution. It is a different deployment profile than I think you guys are doing, but very common in the internal cloud world	16:52
*** edtubill has joined #openstack-keystone		16:53
morgan	ayoung: I should have docs up for uwsgi soonish (for review) which helps the all-in-one webserver	16:53
morgan	It's been slow due to other things.	16:53
ayoung	morgan, cool.	16:53
gyee	ayoung, you're right, take stunnel for example, it does not pass down the x.509 information	16:54
morgan	Mod_proxy and uwsgi for horizon, keystone, etc all independent is a nice setup	16:54
morgan	Since you can configure Apache once and/or graceful with a fast reload	16:54
gyee	one drawback with apache, though more like a minor annoyance, is that it can dynamically reload the server cert during a switch over	16:55
morgan	Also uwsgi can run isolated like eventlet	16:55
morgan	With even just a single worker	16:55
ayoung	gyee, gyee can or can'	16:55
ayoung	t?	16:55
gyee	it mean it can't	16:55
morgan	So same tool chain for all of it	16:55
morgan	gyee: this is what graceful reloads are for	16:55
ayoung	Thought that is what you meant. Yeah, in general, Apache's pain is that it is so static	16:55
gyee	fock I can't type today!	16:55
ayoung	same issue with adding new authentication methods for Federation	16:56
morgan	Unless cert is compromised	16:56
gyee	yeah, if Apache can dynamically reload stuff it would be awesome	16:56
morgan	ayoung: same answer re: graceful. But we need to get process management for the wsgi apps out of Apache itself for it to work	16:56
morgan	Otherwise the graceful is a loooooooong process	16:57
morgan	Aww rain stopped :(	16:57
ayoung	morgan, So...had a thought you might like. I need to do a proof of concept, but I think I can make Federation work with the existing Keystone User database ana Basic-Auth using mod_auth_dbm	16:57
morgan	ayoung: always has been an option	16:58
ayoung	morgan, well, I know it should work for an unscoped token. THe question is what to do about groups	16:58
morgan	The downside is somethings want a user_get (a habit we need to break)	16:58
ayoung	mod_lookup_identity should, in the future support it	16:58
morgan	Groups we keep in keystone for now	16:58
morgan	Iterate on it	16:59
ayoung	but we could, I think, use federation to get an unscoped token, and then token-token for scoped using a DB lookup	16:59
ayoung	morgan, my thought is it gets toward what you wanted with auth being out of the version code...	16:59
morgan	Also I asked for a question to go on the user survey re: using keystone for user management	16:59
morgan	And what deployers are really doing / why they are doing it	16:59
morgan	So we have real feedback	17:00
gyee	really?	17:00
gyee	they are using keystone for user management?	17:00
morgan	Yes. People are	17:00
gyee	wow	17:00
morgan	So we need to know really why the choice was made	17:00
*** pnavarro\|off has quit IRC		17:01
gyee	yeah, I am curious if they have to deal with any compliance at all	17:01
morgan	Then we can solve those cases. My guess is shipping freeipa as the default in devstack solves 99% of it	17:01
gyee	since we don't even have basic password policy support	17:01
morgan	gyee: people hack things up.	17:01
morgan	Assume they walk the line of compliance	17:02
*** diazjf has quit IRC		17:02
gyee	yeah	17:02
morgan	Because you know that isnt hard to do	17:02
morgan	Its hard to do it right and in a way that makes it easy	17:02
morgan	But it isnt hard to hack something in to cya	17:02
gyee	:)	17:02
morgan	That makes operator life later suck	17:03
*** diazjf has joined #openstack-keystone		17:03
morgan	Anyway ask for that. Asked for real feedback on centralization of policy	17:03
morgan	And one or two other things	17:03
morgan	So we have clear priorities	17:03
gyee	++	17:03
morgan	And views via the foundation	17:03
morgan	ayoung: ^^ figured you'd like that	17:04
*** GheRivero has left #openstack-keystone		17:04
ayoung	morgan, one disconnect between Keystone and FreeIPA (LDAP RFCs really) is that to add a human user you need frist and last name	17:04
morgan	Doesnt mean it isnt important if it doesnt get the level of response expected, just see where deployers/operators are	17:05
ayoung	but...for service users, we are acutally just using a service principal.	17:05
morgan	ayoung: service, nova	17:05
morgan	There	17:05
morgan	:P	17:05
morgan	Lots of users with the surname "service"	17:05
morgan	:P	17:05
ayoung	morgan, we have a demo of this we'll be showing in TOkyo.	17:05
morgan	Cool	17:06
ayoung	We need to figure out a way to map domains to service users for Heat.	17:06
morgan	Also may want to line out how horizon shouldnt/should manage users with freeipa (once you demo it)	17:06
morgan	via a spec	17:06
morgan	Future looking of course :)	17:06
*** mylu has joined #openstack-keystone		17:09
ayoung	I could see a morgan One possibility is that we add an IPA backend for Identity. If we can do "First Last" as optional fields for Keystone it would map a little cleaner	17:09
morgan	Sure	17:10
morgan	Things to consider	17:10
gyee	ayoung, FreeIPA works on ubunut now right?	17:10
*** diazjf has quit IRC		17:10
ayoung	gyee, yes	17:10
* gyee add freeipa poc to his todo list		17:10
ayoung	gyee: give me a shout when you get to it	17:12
gyee	ayoung, sure will do, I'll try to do my homework before Tokyo	17:12
*** ankita_wagh has quit IRC		17:13
*** ayoung has quit IRC		17:17
*** ninag has joined #openstack-keystone		17:21
*** jorge_munoz has quit IRC		17:25
*** ankita_wagh has joined #openstack-keystone		17:25
*** mylu_ has joined #openstack-keystone		17:29
dstanek	so, this is weird. when i ./stack.sh on F22 it seems to uninstall python-tox and then it fails	17:29
*** mylu has quit IRC		17:32
*** phalmos has joined #openstack-keystone		17:32
*** ayoung has joined #openstack-keystone		17:32
*** ChanServ sets mode: +v ayoung		17:32
*** sdake_ is now known as sdake		17:33
*** ParsectiX has joined #openstack-keystone		17:35
*** mylu_ has quit IRC		17:36
*** sdake_ has joined #openstack-keystone		17:41
*** haneef has joined #openstack-keystone		17:42
*** phalmos has quit IRC		17:43
*** sdake has quit IRC		17:44
*** tsymancz1k is now known as tsymanczyk		17:45
*** jdandrea has joined #openstack-keystone		17:45
bknudson	dolphm: you can configure httpd with the handler for any path on any port you want ... so it's got https://host/identity_admin handled by admin.py and https://host/identity handled by main.py	17:45
bknudson	and you could do the same with /compute and /image or whatever	17:46
jdandrea	Can someone please point me toward info that differentiates between _member_ and user roles (as I'm now seeing user show up in kilo installs)?	17:46
bknudson	jdandrea: keystone doesn't do anything special with "user" roles, or any roles other than _member_	17:49
jdandrea	bknudson: Thanks. I wasn't sure where those came from.	17:49
bknudson	we don't stop admins from creating roles, so could be anyone	17:50
jdandrea	bknudson: Ah, I will check with the admins then. (I don't think they knew either ... yipe.)	17:50
*** phalmos has joined #openstack-keystone		17:53
gyee	jdandrea, we automagically create the _member_ when you use V2 API to add user to tenant/project, https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L223	17:54
*** e0ne has quit IRC		17:54
jdandrea	gyee: Sounds good. I need to find who made that 'user' role on our end. :)	17:55
gyee	yeah time to make CADF work for you :)	17:57
*** jsavak has quit IRC		17:58
*** spandhe has joined #openstack-keystone		17:58
jdandrea	XD	17:59
*** jorge_munoz has joined #openstack-keystone		18:00
*** jsavak has joined #openstack-keystone		18:00
morgan	... stupid client disconnected	18:03
*** pece has quit IRC		18:03
*** ninag has quit IRC		18:05
*** ninag has joined #openstack-keystone		18:06
*** ninag has quit IRC		18:11
*** gordc has quit IRC		18:11
*** gordc has joined #openstack-keystone		18:12
openstackgerrit	venkatamahesh proposed openstack/keystone: Removed the extra http:// from JSON schema link https://review.openstack.org/217319	18:14
*** jsavak has quit IRC		18:17
*** jsavak has joined #openstack-keystone		18:17
*** tonytan4ever has joined #openstack-keystone		18:17
*** ankita_wagh has quit IRC		18:19
*** phalmos has quit IRC		18:20
*** exploreshaifali has joined #openstack-keystone		18:20
*** ankita_wagh has joined #openstack-keystone		18:22
jamielennox	bknudson: https://review.openstack.org/#/c/223338/ is not very nice, but if you think that's best i'm ok	18:27
jamielennox	my only other thought was to mock it or something	18:27
jamielennox	stupid oslo_config	18:27
bknudson	jamielennox: I don't think there's a nice way to do it without a lot of rewriting	18:28
bknudson	and I think we should rewrite it.	18:28
bknudson	but that's going to be more work just to fix the bug.	18:28
*** e0ne has joined #openstack-keystone		18:29
jamielennox	bknudson: yea, I had ideas to rewrite this part after all those outstanding reviews had passed	18:29
jamielennox	try and fix the glance passes CONF issue	18:30
jamielennox	but not today	18:30
*** phalmos has joined #openstack-keystone		18:31
bknudson	we've still got the memcache part in oslo-incubator that uses global conf	18:31
jamielennox	bknudson: you might want to flip the ordering of those two patches rather than risk the other failing in gate	18:31
bknudson	and auth_token registers global conf	18:31
bknudson	so we need to fix thos.	18:31
*** doug-fis_ has joined #openstack-keystone		18:32
bknudson	jamielennox: I was worried I'd have to flip the order... I'll work on that after the meeting	18:32
jamielennox	bknudson: yes, and we can still register options to global conf, but provide a function (like oslo_conf already does) to register options against any CONF and pass a CONF in	18:32
jamielennox	the oslo-incubator part is removed in the memcache patches i've already got up	18:33
bknudson	oslo.cache?	18:33
*** doug-fish has quit IRC		18:33
jamielennox	no, apparently someone else was working on that, i killed the memorycache altogether	18:33
jamielennox	we shouldn't be caching tokens on the process	18:34
*** ayoung has quit IRC		18:34
*** ayoung has joined #openstack-keystone		18:34
*** ChanServ sets mode: +v ayoung		18:34
henrynash	anyone want to do teh honors on: https://review.openstack.org/#/c/154485/ - nice to get the last of these in before RC1	18:34
ayoung	henrynash, looking	18:35
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Remove unused group parameter from tests https://review.openstack.org/223679	18:37
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: auth_token tests use clean config https://review.openstack.org/223338	18:37
*** e0ne has quit IRC		18:38
bknudson	swapped the order of those 2 ^	18:38
ayoung	henrynash, so, I understand creating nested projects and users ,but why is it creating roles? https://review.openstack.org/#/c/154485/	18:39
henrynash	ayoung: a specific test, or the helper?	18:39
ayoung	the helper.... henrynash I think I get it	18:40
ayoung	henrynash, when I see...	18:40
ayoung	'assignments': [{'user': 0, 'role': 0, 'project': 0},	18:40
ayoung	that is assiging newly created user 0 newly created role 0 or newly created projecrt 0 for the test, right?	18:40
henrynash	yep	18:40
henrynash	this patch builds on all the earlier ones that introduced the concepts	18:41
ayoung	henrynash, so...they are not so much test plans as fixtures, right?	18:41
*** ParsectiX has quit IRC		18:41
ayoung	This does not say what passes or fails, just what the db should have at the start of the run	18:41
ayoung	and everything is still created with uuidgen for names and ids.	18:42
*** doug-fis_ has quit IRC		18:42
*** ParsectiX has joined #openstack-keystone		18:42
henrynash	ayoung: well, teh plan is a dict, and when you “execute the plan” it crates the users, roles, projecst you requetsed, followed by the assinments, followed by the tests you defined	18:42
*** doug-fish has joined #openstack-keystone		18:42
ayoung	ahhhh	18:42
ayoung	I was still reading...I see	18:43
gyee	like linear algebra :)	18:44
ayoung	hmmm. henrynash I both love and hate it	18:44
henrynash	yep, me too…but it’s super easy to write tetsts	18:44
ayoung	I love the idea, just .... worried it might not be clear to people that come along after us to maintina	18:44
ayoung	maintain	18:44
ayoung	but...its elegant	18:44
*** doug-fis_ has joined #openstack-keystone		18:44
henrynash	ayoung: yep, agreed….whcih is why if you read teh full test helper, there is a pretty comprehensie doc string to describe it all	18:45
ayoung	it feels like it should be up one level, you know? Like we are doing something in the tests that should be handled by the framework	18:45
*** pnavarro\|off has joined #openstack-keystone		18:45
*** exploreshaifali has quit IRC		18:45
ayoung	henrynash, I think I'm in favor..just adjusting my thinking	18:45
*** sdake_ is now known as sdake		18:45
henrynash	ayuong: so this was discussed in the BP for this….(remeber this is the last patch out of 6 or 7 that implementedthe BP)…and the general agreement was keep it as a bisic dict so we execute fast (basically directed for loops, essentially)	18:46
*** doug-fish has quit IRC		18:47
ayoung	henrynash, yeah, I have been in a cave. This is cool	18:48
*** phalmos has quit IRC		18:48
henrynash	cave’s can be ccol too!	18:48
ayoung	henrynash, +2A	18:49
openstackgerrit	Alexander Makarov proposed openstack/keystone: Return default domain for admin https://review.openstack.org/223752	18:49
henrynash	ayoung: thx	18:49
*** doug-fis_ has quit IRC		18:51
*** ParsectiX has quit IRC		18:52
*** e0ne has joined #openstack-keystone		18:53
*** nicodemos has quit IRC		18:53
*** doug-fish has joined #openstack-keystone		18:55
*** doug-fish has quit IRC		18:55
*** doug-fish has joined #openstack-keystone		18:55
*** pnavarro\|off has quit IRC		18:56
*** diazjf has joined #openstack-keystone		18:56
*** jecarey has quit IRC		18:59
*** doug-fis_ has joined #openstack-keystone		19:00
*** doug-fis_ has quit IRC		19:00
*** doug-fis_ has joined #openstack-keystone		19:00
jamielennox	morgan: how did we go with a v2 branch for ksc?	19:00
*** henrynash has quit IRC		19:01
*** doug-fish has quit IRC		19:03
*** phalmos has joined #openstack-keystone		19:04
*** gyee has quit IRC		19:05
*** tonytan4ever has quit IRC		19:07
*** mylu has joined #openstack-keystone		19:07
morgan	jamielennox: the answer was "don't do that"	19:08
*** henrynash has joined #openstack-keystone		19:08
*** ChanServ sets mode: +v henrynash		19:08
jamielennox	ergh	19:08
morgan	jamielennox: wait for liberty branch to happen and make master v2	19:09
morgan	for mitaka	19:09
jamielennox	morgan: that's going to be difficult	19:09
morgan	yep	19:09
morgan	feel free to talk to dhellmann and explain the difficulty	19:09
morgan	so we can change that up	19:09
morgan	you can explain better than I can	19:10
*** ninag has joined #openstack-keystone		19:10
*** nicodemos has joined #openstack-keystone		19:10
*** henrynash has quit IRC		19:11
*** ninag_ has joined #openstack-keystone		19:11
jamielennox	well, we're breaking compatibility...	19:11
morgan	yep but we could propose the break and then go play "fix everyone"	19:11
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others https://review.openstack.org/196932	19:11
morgan	then land it	19:11
morgan	"could"	19:12
jamielennox	i don't know how requirements is going to handle this anyway	19:12
*** mylu has quit IRC		19:13
*** ninag has quit IRC		19:14
morgan	requirements branch stable just like everything else does	19:14
morgan	liberty will be stable/liberty for keystoneclient	19:15
*** ninag_ has quit IRC		19:16
*** fhubik has joined #openstack-keystone		19:16
*** ninag has joined #openstack-keystone		19:16
*** ankita_wagh has quit IRC		19:16
*** fhubik has quit IRC		19:17
jamielennox	so we need to update everybody before we can actually cut a release of 2.0, that's going to be fun	19:18
*** jecarey has joined #openstack-keystone		19:20
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins https://review.openstack.org/223429	19:20
jdandrea	bknudson: I checked with folks on our end regarding user. They added it by following the steps here: http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-users.html ... but I wonder why create a user role if there's already a _member_ role? (Unless they have distinct purposes.)	19:22
openstackgerrit	Alexander Makarov proposed openstack/keystone: Return default domain for admin https://review.openstack.org/223752	19:26
bknudson	jdandrea: I don't know who writes those docs... we've got a couple of people on our team to work on it now so I can tell them about it.	19:26
bknudson	jdandrea: "As an example, this guide creates the demo project and user."	19:27
bknudson	jdandrea: maybe they were thinking this was required and not an example?	19:27
jdandrea	bknudson: I'm going to ask. They say the docs specifically advise to change "_member_" to "user" ... hmmmmm.	19:27
* jdandrea is dubious.		19:27
bknudson	jdandrea: you can configure the role that's used for v2: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n41	19:28
bknudson	so if you'd rather use a role name "user" than _member_, go ahead	19:28
jdandrea	bknudson: Ah, and that id maps to, say, _member_.	19:28
*** ebalduf has quit IRC		19:36
bknudson	maybe somebody else can look at https://review.openstack.org/#/c/155758/ and see if they agree with my comments...	19:36
bknudson	if so I'll go in and fix it.	19:36
bknudson	looked at it more closely and now I think it's correct. https://review.openstack.org/#/c/155758/	19:39
*** jsavak has quit IRC		19:42
*** geoffarnold is now known as geoffarnoldX		19:44
bknudson	jamielennox: how was this all incorrect? https://review.openstack.org/#/c/207857/	19:44
jamielennox	bknudson: depends on your definition of correct	19:45
jamielennox	bknudson: taking for example https://review.openstack.org/#/c/207857/4/keystoneclient/v3/credentials.py	19:45
jamielennox	passing 1 there is fine, it just makes user and type required keyword arguments	19:46
openstackgerrit	venkatamahesh proposed openstack/keystonemiddleware: Added the home-page value with openstack.org https://review.openstack.org/223784	19:46
jamielennox	which i always like	19:46
jamielennox	d	19:46
jamielennox	almost everyone does/should do that anyway because otherwise you really can't tell what's happening	19:46
bknudson	the submitter is saying that it was wrong because we forgot to take the self parameter into account	19:47
*** ankita_wagh has joined #openstack-keystone		19:47
jamielennox	bknudson: no that's not right	19:47
bknudson	maybe clearer error message would help	19:48
openstackgerrit	Alexander Makarov proposed openstack/keystone: Check datetime string to validate is a string https://review.openstack.org/223228	19:48
*** jecarey_ has joined #openstack-keystone		19:48
*** topol has joined #openstack-keystone		19:49
*** ChanServ sets mode: +v topol		19:49
*** geoffarnoldX is now known as geoffarnold		19:49
*** ebalduf has joined #openstack-keystone		19:50
*** devlaps has joined #openstack-keystone		19:51
*** jecarey has quit IRC		19:51
*** jsavak has joined #openstack-keystone		19:52
*** mylu has joined #openstack-keystone		19:55
*** doug-fis_ has quit IRC		19:57
*** jorge_munoz has quit IRC		19:57
*** ebalduf has quit IRC		19:58
*** doug-fish has joined #openstack-keystone		19:58
*** doug-fish has quit IRC		20:02
*** nicodemos has quit IRC		20:03
*** gyee has joined #openstack-keystone		20:08
*** ChanServ sets mode: +v gyee		20:08
*** henrynash has joined #openstack-keystone		20:09
*** ChanServ sets mode: +v henrynash		20:09
*** jorge_munoz has joined #openstack-keystone		20:09
*** doug-fish has joined #openstack-keystone		20:10
bknudson	I guess it's a waste of time to review middleware patches since they're going to be hard to get merged since unit tests are failing all the time	20:11
*** ankita_wagh has quit IRC		20:22
*** mylu has quit IRC		20:23
*** mylu has joined #openstack-keystone		20:25
*** mylu has quit IRC		20:27
*** mylu has joined #openstack-keystone		20:27
*** ParsectiX has joined #openstack-keystone		20:28
*** ankita_wagh has joined #openstack-keystone		20:28
*** ParsectiX has quit IRC		20:28
*** shadower has joined #openstack-keystone		20:29
*** mylu has quit IRC		20:31
*** mylu has joined #openstack-keystone		20:32
*** jsavak has quit IRC		20:34
*** jsavak has joined #openstack-keystone		20:35
*** mylu has quit IRC		20:38
*** mylu has joined #openstack-keystone		20:38
*** mylu has quit IRC		20:39
*** mylu has joined #openstack-keystone		20:39
jdandrea	bknudson: I've been given the specific page that references changing OPENSTACK_KEYSTONE_DEFAULT_ROLE to user: http://docs.openstack.org/kilo/install-guide/install/apt/content/install_dashboard.html	20:41
jdandrea	bknudson: ... so it's not the default role but it's the default for Horizon (plus now we see where it comes from).	20:41
*** mylu has quit IRC		20:41
jdandrea	bknudson: Although it's documented as a default role for users created via the dashboard.	20:42
bknudson	jdandrea: I guess horizon or anybody can tell people to create roles. keystone will accept any string you throw at it for a role name	20:42
jdandrea	bknudson: nodnod	20:43
bknudson	I wonder why they decided on user.	20:43
jdandrea	bknudson: Exactly what I'm wondering. Why not use _member_?	20:44
jdandrea	Folks are confused on this end: "Do I use _member_ or user?" That sort of thing.	20:44
bknudson	note that we'll eventually remove keystone dealing with the _member_ role.	20:45
bknudson	once we get rid of v2.	20:45
*** mylu has joined #openstack-keystone		20:45
jdandrea	bknudson: Ah, good to know, tx.	20:45
*** mylu has quit IRC		20:46
*** mylu has joined #openstack-keystone		20:47
*** mylu_ has joined #openstack-keystone		20:51
*** mylu has quit IRC		20:51
*** pgbridge has quit IRC		20:56
*** jsavak has quit IRC		20:56
*** hrou has quit IRC		20:59
*** hrou has joined #openstack-keystone		20:59
openstackgerrit	Merged openstack/python-keystoneclient: Identity plugin thread safety https://review.openstack.org/221738	21:01
*** raildo is now known as raildo-afk		21:03
*** thiagop has quit IRC		21:03
*** mylu_ has quit IRC		21:06
jamielennox	bknudson: can you have a look at https://review.openstack.org/#/c/217450/ as it needs a keystone-stable-core	21:07
*** csoukup has quit IRC		21:07
bknudson	will do	21:08
*** mylu has joined #openstack-keystone		21:08
*** mylu has quit IRC		21:09
*** mylu has joined #openstack-keystone		21:10
*** mylu has quit IRC		21:10
*** mylu has joined #openstack-keystone		21:10
*** mylu has quit IRC		21:12
*** mylu has joined #openstack-keystone		21:12
*** henrynash has quit IRC		21:28
*** stevemar has quit IRC		21:30
*** urulama has quit IRC		21:31
*** urulama has joined #openstack-keystone		21:31
*** richm has quit IRC		21:38
*** topol has quit IRC		21:39
*** topol has joined #openstack-keystone		21:39
*** ChanServ sets mode: +v topol		21:39
*** diazjf has quit IRC		21:42
*** mylu has quit IRC		21:43
*** mylu has joined #openstack-keystone		21:43
*** jorge_munoz has quit IRC		21:46
*** ebalduf has joined #openstack-keystone		21:46
*** ebalduf has quit IRC		21:47
*** phalmos has quit IRC		21:47
*** edmondsw has quit IRC		21:54
*** richm has joined #openstack-keystone		21:55
*** csoukup has joined #openstack-keystone		21:56
*** csoukup has quit IRC		21:57
*** ninag has quit IRC		21:57
*** ninag has joined #openstack-keystone		21:58
dolphm	jdandrea: "user" is a very strange default. the precedent before keystone adopted "_member_" was "Member", but keystone had reason to force people to have a role, so we created a new one.	21:59
dolphm	"_member_" was chosen because no one would ever create such a hideous role name	21:59
*** edtubill has left #openstack-keystone		22:00
*** diazjf has joined #openstack-keystone		22:00
*** ayoung has quit IRC		22:01
*** doug-fish has quit IRC		22:01
*** doug-fish has joined #openstack-keystone		22:02
*** ninag has quit IRC		22:02
*** hrou has quit IRC		22:03
*** _hrou_ has joined #openstack-keystone		22:03
*** lhcheng_ has joined #openstack-keystone		22:04
*** lhcheng has quit IRC		22:07
dolphm	morgan: bknudson: thoughts on the backportability of https://review.openstack.org/#/c/202176/ ?	22:08
bknudson	dolphm: if this only affects fernet tokens then go ahead. they're experimental	22:08
dolphm	it's an interesting case because it doesn't technically expose a new API (and if it does, it's an API that's only internally consumable in keystone) and fixes an important feature	22:08
morgan	should be fine	22:08
dolphm	bknudson: morgan: i'll propose it now then	22:08
*** gordc has quit IRC		22:16
*** roxanaghe has joined #openstack-keystone		22:22
*** mylu has quit IRC		22:25
*** mylu has joined #openstack-keystone		22:27
*** Ephur has quit IRC		22:31
*** jecarey_ has quit IRC		22:31
*** slberger has left #openstack-keystone		22:31
*** geoffarnold is now known as geoffarnoldX		22:36
*** lhcheng_ has quit IRC		22:37
*** erhudy1 has joined #openstack-keystone		22:37
*** ninag has joined #openstack-keystone		22:40
*** lhcheng has joined #openstack-keystone		22:40
*** ChanServ sets mode: +v lhcheng		22:40
*** doug-fish has quit IRC		22:43
*** ninag has quit IRC		22:44
*** darrenc is now known as darrenc_afk		22:52
*** aix has joined #openstack-keystone		22:52
*** diazjf has quit IRC		22:55
*** sdake has quit IRC		22:56
*** r-daneel has joined #openstack-keystone		22:57
*** zzzeek has quit IRC		22:59
*** ankita_wagh has quit IRC		23:03
dolphm	morgan: bknudson: https://review.openstack.org/#/c/223863/	23:05
*** darrenc_afk is now known as darrenc		23:06
*** e0ne has quit IRC		23:09
*** markvoelker has quit IRC		23:10
*** e0ne has joined #openstack-keystone		23:13
*** openstackgerrit has quit IRC		23:16
*** david-lyle has quit IRC		23:17
*** openstackgerrit has joined #openstack-keystone		23:17
*** geoffarnoldX is now known as geoffarnold		23:21
*** ankita_wagh has joined #openstack-keystone		23:22
*** mylu has quit IRC		23:23
*** mylu has joined #openstack-keystone		23:23
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/222000	23:26
*** e0ne has quit IRC		23:26
openstackgerrit	Merged openstack/keystone: Update man pages with liberty version and dates https://review.openstack.org/223238	23:28
morgan	YAY global reqs is working again	23:29
*** _hrou_ has quit IRC		23:33
*** mylu has quit IRC		23:43
*** diazjf has joined #openstack-keystone		23:47
*** aix has quit IRC		23:53
*** markvoelker has joined #openstack-keystone		23:56
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Removed the extra http:// from JSON schema link https://review.openstack.org/217319	23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!