Wednesday, 2015-10-07

*** sdake has joined #openstack-keystone		00:00
*** jbell8 has joined #openstack-keystone		00:02
*** btully has quit IRC		00:02
*** jbell8 has quit IRC		00:03
*** dsirrine has quit IRC		00:03
*** geoffarn_ has quit IRC		00:03
*** geoffarnold has joined #openstack-keystone		00:04
*** jbell8 has joined #openstack-keystone		00:04
*** btully has joined #openstack-keystone		00:08
*** woodster_ has quit IRC		00:09
*** dims_ has quit IRC		00:13
*** dims_ has joined #openstack-keystone		00:14
*** dsirrine has joined #openstack-keystone		00:15
*** _cjones_ has quit IRC		00:16
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/230464	00:17
*** jbell8 has quit IRC		00:17
*** darrenc_afk is now known as darrenc		00:18
*** dims_ has quit IRC		00:19
*** ayoung has joined #openstack-keystone		00:19
*** ChanServ sets mode: +v ayoung		00:19
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
*** dims_ has joined #openstack-keystone		00:25
*** geoffarn_ has joined #openstack-keystone		00:25
*** geoffarnold has quit IRC		00:25
*** su_zhang has quit IRC		00:26
*** dims_ has quit IRC		00:26
*** dims_ has joined #openstack-keystone		00:26
*** lhcheng_ has quit IRC		00:27
*** roxanagh_ has joined #openstack-keystone		00:27
*** roxanagh_ has quit IRC		00:36
*** geoffarn_ has quit IRC		00:46
*** geoffarnold has joined #openstack-keystone		00:47
*** su_zhang has joined #openstack-keystone		00:47
*** jaosorior has quit IRC		00:53
*** jaosorior has joined #openstack-keystone		00:54
*** browne has quit IRC		00:57
*** gyee has quit IRC		00:58
*** dsirrine has quit IRC		00:59
openstackgerrit	Sam Leong proposed openstack/keystone: add initiator to v2 calls for additional auditing https://review.openstack.org/231123	01:04
openstackgerrit	Sam Leong proposed openstack/keystone: add initiator to v2 calls for additional auditing https://review.openstack.org/231123	01:05
*** su_zhang has quit IRC		01:07
*** geoffarn_ has joined #openstack-keystone		01:08
*** stevemar_ has quit IRC		01:11
*** geoffarnold has quit IRC		01:12
*** topol has joined #openstack-keystone		01:19
*** ChanServ sets mode: +v topol		01:19
openstackgerrit	Merged openstack/keystone: Correct docstrings https://review.openstack.org/226996	01:21
*** richm has joined #openstack-keystone		01:22
*** csoukup has joined #openstack-keystone		01:23
*** topol has quit IRC		01:23
ayoung	I don't know how to parse this. http://finance.yahoo.com/news/rackspace-announces-aws-managed-offerings-130000686.html?.tsrc=applewf	01:23
*** markvoelker has quit IRC		01:27
*** csoukup has quit IRC		01:27
*** geoffarn_ has quit IRC		01:29
*** geoffarnold has joined #openstack-keystone		01:29
lifeless	ayoung: seems straight forward to me	01:31
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/230564	01:42
ayoung	lifeless, Good. You can explain it to me	01:47
lifeless	ayoung: rackspace are getting paid to look after aws instances by their customers	01:48
lifeless	ayoung: and getting a cut on the revenue of those same instances	01:48
ayoung	lifeless, becasue Amazon can't or won't do it themselves?	01:48
lifeless	ayoung: I don't know /why/	01:49
lifeless	ayoung: I imagine rackspace saw enough demand from their users for things only available on AWS	01:49
lifeless	ayoung: e.g. third party services	01:49
ayoung	lifeless, I smells like SuSE/Microsoft to me.	01:49
lifeless	ayoung: yeah, I don't super like the smell of it either	01:49
*** geoffarnold has quit IRC		01:50
*** geoffarnold has joined #openstack-keystone		01:51
*** sdake has quit IRC		01:53
*** sdake has joined #openstack-keystone		01:56
*** fawadkhaliq has joined #openstack-keystone		01:58
*** fawadkhaliq has quit IRC		01:59
*** stevemar_ has joined #openstack-keystone		02:00
*** ChanServ sets mode: +o stevemar_		02:00
*** jbell8 has joined #openstack-keystone		02:10
*** geoffarnold has quit IRC		02:11
*** geoffarnold has joined #openstack-keystone		02:12
*** jbell8 has quit IRC		02:13
*** jbell8 has joined #openstack-keystone		02:14
*** ayoung has quit IRC		02:14
*** woodster_ has joined #openstack-keystone		02:14
*** lhcheng has joined #openstack-keystone		02:19
*** ChanServ sets mode: +v lhcheng		02:19
*** sdake has quit IRC		02:19
*** sdake_ has joined #openstack-keystone		02:22
*** topol has joined #openstack-keystone		02:24
*** ChanServ sets mode: +v topol		02:24
*** browne has joined #openstack-keystone		02:31
*** geoffarnold has quit IRC		02:33
*** geoffarnold has joined #openstack-keystone		02:33
*** ngupta has joined #openstack-keystone		02:34
stevemar_	mordred: so about https://pypi.python.org/pypi/keystoneauth1	02:35
stevemar_	and removing https://pypi.python.org/pypi/keystoneauth	02:35
stevemar_	i'm a bit confused here, what repo do i clone to alter the README of https://pypi.python.org/pypi/keystoneauth	02:35
stevemar_	since it looks like they are both coming from https://github.com/openstack/keystoneauth	02:36
*** richm has quit IRC		02:36
*** _cjones_ has joined #openstack-keystone		02:43
*** dikonoor has joined #openstack-keystone		02:43
*** btully has quit IRC		02:44
*** _cjones_ has quit IRC		02:45
*** _cjones_ has joined #openstack-keystone		02:46
*** darrenc is now known as darrenc_afk		02:53
*** sdake_ is now known as sdake		02:54
*** zzzeek has quit IRC		02:55
stevemar_	lhcheng: issued a quick refresh for the osc plugin doc	02:55
*** geoffarn_ has joined #openstack-keystone		02:55
lhcheng	cool	02:56
lhcheng	stevemar_: when is the planned next release of OSC?	02:56
lhcheng	stevemar_: thanks for documenting the plugins, that would be helpful	02:58
stevemar_	lhcheng: whenever you want it to me big guy	02:58
lhcheng	stevemar_: hah	02:58
lhcheng	stevemar_: I suppose when we get all the glance and swift related changes?	02:58
stevemar_	lhcheng: i'm of the opinion to do small releases and often	02:58
stevemar_	lhcheng: normally we do once a month, but i could be convinced to do it sooner	02:59
stevemar_	that sounds like a good plan	02:59
*** geoffarnold has quit IRC		02:59
stevemar_	i'd also like to fix the issue that zigo brought up	02:59
stevemar_	but i think that's more of a cliff issue	02:59
lhcheng	stevemar_: how about the password thing?	03:00
lhcheng	stevemar_: that's probably good to have as well	03:00
lhcheng	stevemar_: do we have a library for masking/scraping confidential values?	03:01
lhcheng	I know we do it in KSC, but I think we manually performed the hashing of the auth_token	03:03
*** csoukup has joined #openstack-keystone		03:05
stevemar_	ohhh right password	03:05
stevemar_	hmmm	03:05
stevemar_	do we have a bug for that	03:05
stevemar_	i'm going to forget it otherwise	03:05
stevemar_	lhcheng: ugh, i knew non-ascii characters wont work	03:06
*** c_soukup has joined #openstack-keystone		03:06
lhcheng	pm'd you the bug	03:06
lhcheng	stevemar_: non-ascii is a known issue?	03:06
stevemar_	lhcheng: not known-issue, but when i was coding it up, i thought 'you know, i get non-ascii characters won't work here'	03:07
stevemar_	bet*	03:07
*** csoukup has quit IRC		03:10
lhcheng	ah that was for the property set command.. I didn't expect that even "create container" would fail	03:10
lhcheng	using non-ascii works for "user create"	03:10
lhcheng	stevemar_: the non-ascii issue might be local to the swift commands, I'll take a look at it.	03:11
lhcheng	I just logged it so I won't forget	03:11
*** geoffarn_ has quit IRC		03:16
*** geoffarnold has joined #openstack-keystone		03:16
*** markvoelker has joined #openstack-keystone		03:19
stevemar_	lhcheng: you thinking swift cause it's in URLs?	03:21
*** links has joined #openstack-keystone		03:21
lhcheng	stevemar_: not sure yet, have to dig around.	03:22
lhcheng	planning to work on the password thingy first	03:22
lhcheng	then try to get the non-ascii character to work on swift commands	03:22
stevemar_	lhcheng: cool cool, i'm hoping to fix zigo's issue, let me log that one	03:22
openstackgerrit	Merged openstack/keystone: Cleanup _build_federated_info https://review.openstack.org/220658	03:23
openstackgerrit	Merged openstack/keystone: Add LimitRequestBody to sample httpd config https://review.openstack.org/208208	03:23
openstackgerrit	Merged openstack/keystone: Unit tests for fernet validate_v3_token https://review.openstack.org/226557	03:23
*** markvoelker_ has joined #openstack-keystone		03:23
openstackgerrit	Merged openstack/keystone: Remove unused get_user_projects() https://review.openstack.org/229369	03:23
lhcheng	horizon got a lot of report related to escaping of the swift url, due to special characters, so I do think it would be valuable to make it more for swift commands in OSC too	03:23
lhcheng	make it more -> make it work	03:23
*** markvoelker has quit IRC		03:25
stevemar_	lhcheng: 73 bugs for osc, we need a bug squash day >.<	03:25
*** ngupta has quit IRC		03:27
*** dikonoor has quit IRC		03:27
*** btully has joined #openstack-keystone		03:29
openstackgerrit	Merged openstack/keystone: Add test case passing is_domain flag as False https://review.openstack.org/229549	03:29
*** jbonjean has quit IRC		03:32
*** jbonjean has joined #openstack-keystone		03:32
*** markvoelker has joined #openstack-keystone		03:33
*** markvoelker has quit IRC		03:33
*** markvoelker_ has quit IRC		03:33
*** btully has quit IRC		03:33
*** sdake has quit IRC		03:37
*** geoffarnold has quit IRC		03:37
*** sdake has joined #openstack-keystone		03:37
*** geoffarnold has joined #openstack-keystone		03:37
mordred	stevemar_: I have a patch	03:41
*** mylu has joined #openstack-keystone		03:43
*** topol has quit IRC		03:46
*** mylu has quit IRC		03:48
*** darrenc_afk is now known as darrenc		03:48
stevemar_	mordred: hook it up	03:49
stevemar_	lhcheng: thoughts on https://bugs.launchpad.net/python-openstackclient/+bug/1476772 i think we can close this one out	03:50
openstack	Launchpad bug 1476772 in python-openstackclient "image set v2 uses visibility option instead of public and private" [Undecided,In progress] - Assigned to Sean Perry (sean-perry-a)	03:50
*** jbell8 has quit IRC		03:55
*** jbell8 has joined #openstack-keystone		03:55
*** jbell8 has quit IRC		03:58
lhcheng	stevemar_: yup, I added the link to the patch that resolved the issue reported	03:58
*** jbell8 has joined #openstack-keystone		03:58
*** geoffarn_ has joined #openstack-keystone		03:58
stevemar_	lhcheng: i closed a bunch of bugs as invalid	03:59
lhcheng	73 bugs wow, we need to recruit more OSC contributors	03:59
*** geoffarnold has quit IRC		03:59
lhcheng	stevemar_: I also submitted a patch for the password masking	03:59
* lhcheng stevemar the "bug squasher"		04:01
lhcheng	\o/	04:01
stevemar_	lhcheng: down to 67!	04:02
lhcheng	yay	04:02
*** hrou has quit IRC		04:03
stevemar_	lhcheng: good patch, provided a suggestion	04:06
lhcheng	good catch	04:07
lhcheng	I might be able to test at least the admin_token	04:08
lhcheng	thanks for the review	04:08
stevemar_	np	04:08
stevemar_	thanks for the patch	04:09
*** lhcheng has quit IRC		04:09
*** fawadkhaliq has joined #openstack-keystone		04:10
*** fawadk has joined #openstack-keystone		04:11
*** fawadkhaliq has quit IRC		04:15
*** su_zhang has joined #openstack-keystone		04:17
*** jbonjean has quit IRC		04:17
*** fawadkhaliq has joined #openstack-keystone		04:18
*** jbonjean has joined #openstack-keystone		04:18
*** jbonjean has quit IRC		04:18
*** jbonjean has joined #openstack-keystone		04:18
*** woodster_ has quit IRC		04:19
*** fawadk has quit IRC		04:19
*** geoffarn_ has quit IRC		04:19
*** geoffarnold has joined #openstack-keystone		04:20
mordred	stevemar_: done	04:27
mordred	stevemar_: I did not upload a patch anywhere - I just upload the stub package	04:28
mordred	stevemar_: because meh	04:28
*** lhcheng has joined #openstack-keystone		04:28
*** ChanServ sets mode: +v lhcheng		04:28
mordred	stevemar_: https://pypi.python.org/pypi/keystoneauth should make you happy now	04:28
stevemar_	mordred: looking	04:31
stevemar_	mordred: looks good to me!	04:31
mordred	mordred@camelot:~$ crap/bin/pip install keystoneauth	04:32
mordred	Collecting keystoneauth	04:32
mordred	Downloading keystoneauth-0.5.0-py2.py3-none-any.whl	04:32
mordred	Collecting keystoneauth1>=1.0.0 (from keystoneauth)	04:32
mordred	:)	04:32
stevemar_	a link to the new package would have been nice, but beggards can't be choosers	04:32
stevemar_	oh shit	04:32
stevemar_	how'd you do that magic	04:32
mordred	I have magic man	04:32
stevemar_	requirements change?	04:32
mordred	yup	04:32
stevemar_	i see "sdirector" is there now	04:33
stevemar_	i assume that is the source of your magic	04:33
mordred	yup	04:33
mordred	:)	04:33
stevemar_	dolphm: https://pypi.python.org/pypi/keystoneauth should make you happy now	04:33
stevemar_	this deserves a tweet	04:34
*** jbonjean has quit IRC		04:34
*** topol has joined #openstack-keystone		04:34
*** ChanServ sets mode: +v topol		04:34
*** jbonjean has joined #openstack-keystone		04:34
*** jaosorior has quit IRC		04:34
*** jaosorior has joined #openstack-keystone		04:34
*** miyagishi_t has joined #openstack-keystone		04:36
*** csd has quit IRC		04:38
*** topol has quit IRC		04:38
*** markvoelker has joined #openstack-keystone		04:40
*** Nirupama has joined #openstack-keystone		04:40
*** geoffarnold has quit IRC		04:41
*** geoffarnold has joined #openstack-keystone		04:41
stevemar_	it has been done	04:41
*** fawadk has joined #openstack-keystone		04:42
*** markvoelker has quit IRC		04:45
*** fawadkhaliq has quit IRC		04:45
*** btully has joined #openstack-keystone		04:48
*** markvoelker has joined #openstack-keystone		04:50
*** agireud has joined #openstack-keystone		04:51
*** dims_ has quit IRC		04:52
*** c_soukup has quit IRC		04:52
*** markvoelker has quit IRC		04:55
*** geoffarn_ has joined #openstack-keystone		05:02
*** markvoelker has joined #openstack-keystone		05:02
*** markvoelker has quit IRC		05:03
*** geoffarnold has quit IRC		05:07
*** markvoelker has joined #openstack-keystone		05:13
*** markvoelker has quit IRC		05:21
*** geoffarnold has joined #openstack-keystone		05:24
*** geoffarn_ has quit IRC		05:28
*** e0ne has joined #openstack-keystone		05:28
*** markvoelker has joined #openstack-keystone		05:28
*** e0ne has quit IRC		05:30
*** jamielennox is now known as jamielennox\|away		05:30
*** stevemar_ has quit IRC		05:31
*** e0ne has joined #openstack-keystone		05:34
*** markvoelker has quit IRC		05:36
*** e0ne has quit IRC		05:37
*** markvoelker has joined #openstack-keystone		05:41
*** e0ne has joined #openstack-keystone		05:42
*** markvoelker_ has joined #openstack-keystone		05:42
*** henrynash has joined #openstack-keystone		05:42
*** ChanServ sets mode: +v henrynash		05:42
*** markvoelker_ has quit IRC		05:43
*** geoffarnold has quit IRC		05:45
*** geoffarnold has joined #openstack-keystone		05:45
*** markvoelker has quit IRC		05:45
*** su_zhang has quit IRC		05:46
*** e0ne has quit IRC		05:49
*** e0ne has joined #openstack-keystone		05:53
*** e0ne has quit IRC		05:54
*** markvoelker has joined #openstack-keystone		05:58
*** e0ne has joined #openstack-keystone		05:58
*** markvoelker_ has joined #openstack-keystone		06:00
*** markvoelker has quit IRC		06:00
*** e0ne has quit IRC		06:02
*** markvoelker_ has quit IRC		06:05
*** geoffarnold has quit IRC		06:06
*** geoffarnold has joined #openstack-keystone		06:06
*** ParsectiX has joined #openstack-keystone		06:18
*** akanksha_ has quit IRC		06:18
*** markvoelker has joined #openstack-keystone		06:19
*** e0ne has joined #openstack-keystone		06:21
*** jamielennox\|away is now known as jamielennox		06:21
*** markvoelker has quit IRC		06:25
*** mtreinish has quit IRC		06:26
*** e0ne has quit IRC		06:26
*** geoffarnold has quit IRC		06:27
*** geoffarnold has joined #openstack-keystone		06:28
*** rudolfvriend has joined #openstack-keystone		06:31
*** mtreinish has joined #openstack-keystone		06:31
*** e0ne has joined #openstack-keystone		06:31
*** e0ne has quit IRC		06:35
*** e0ne has joined #openstack-keystone		06:39
*** markvoelker has joined #openstack-keystone		06:47
*** fawadk has quit IRC		06:48
*** geoffarn_ has joined #openstack-keystone		06:49
*** geoffarnold has quit IRC		06:49
*** fawadkhaliq has joined #openstack-keystone		06:50
*** fawadkhaliq has quit IRC		06:51
*** markvoelker has quit IRC		06:52
*** e0ne has quit IRC		06:55
*** fhubik has joined #openstack-keystone		06:56
*** itlinux has joined #openstack-keystone		06:57
*** markvoelker has joined #openstack-keystone		07:02
*** markvoelker has quit IRC		07:07
*** geoffarn_ has quit IRC		07:10
*** geoffarnold has joined #openstack-keystone		07:10
*** fawadkhaliq has joined #openstack-keystone		07:11
*** markvoelker has joined #openstack-keystone		07:16
*** markvoelker has quit IRC		07:21
*** vivekd has joined #openstack-keystone		07:22
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	07:29
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	07:30
*** markvoelker has joined #openstack-keystone		07:31
*** geoffarnold has quit IRC		07:31
*** geoffarnold has joined #openstack-keystone		07:32
*** marzif has joined #openstack-keystone		07:34
*** markvoelker has quit IRC		07:36
*** lhcheng has quit IRC		07:42
*** markvoelker has joined #openstack-keystone		07:46
*** markvoelker has quit IRC		07:50
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	07:51
*** csoukup has joined #openstack-keystone		07:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	07:53
*** geoffarnold has quit IRC		07:53
*** geoffarnold has joined #openstack-keystone		07:53
*** csoukup has quit IRC		07:56
*** markvoelker has joined #openstack-keystone		08:00
*** marzif has quit IRC		08:02
*** drjones has joined #openstack-keystone		08:02
*** _cjones_ has quit IRC		08:05
*** markvoelker has quit IRC		08:05
*** e0ne has joined #openstack-keystone		08:10
*** browne has quit IRC		08:14
*** geoffarnold has quit IRC		08:14
*** geoffarnold has joined #openstack-keystone		08:15
*** markvoelker has joined #openstack-keystone		08:15
*** markvoelker has quit IRC		08:19
*** fawadkhaliq has quit IRC		08:21
*** fawadkhaliq has joined #openstack-keystone		08:21
*** sdake has quit IRC		08:23
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	08:25
*** sdake has joined #openstack-keystone		08:26
*** markvoelker has joined #openstack-keystone		08:29
*** e0ne has quit IRC		08:30
*** e0ne has joined #openstack-keystone		08:32
*** markvoelker has quit IRC		08:34
*** btully has quit IRC		08:35
*** jistr has joined #openstack-keystone		08:36
*** markvoelker has joined #openstack-keystone		08:36
*** amakarov_away is now known as amakarov		08:37
*** links has quit IRC		08:38
*** pnavarro has joined #openstack-keystone		08:38
*** markvoelker has quit IRC		08:41
*** markvoelker has joined #openstack-keystone		08:44
*** fawadkhaliq has quit IRC		08:48
*** fawadkhaliq has joined #openstack-keystone		08:48
*** lhcheng has joined #openstack-keystone		08:49
*** ChanServ sets mode: +v lhcheng		08:49
*** geoffarnold has quit IRC		08:50
*** markvoelker has quit IRC		08:51
*** geoffarnold has joined #openstack-keystone		08:51
*** markvoelker has joined #openstack-keystone		08:51
*** aix has joined #openstack-keystone		08:53
*** markvoelker has quit IRC		08:56
*** jaosorior has quit IRC		08:57
*** jaosorior has joined #openstack-keystone		08:58
*** topol has joined #openstack-keystone		08:59
*** ChanServ sets mode: +v topol		08:59
*** markvoelker has joined #openstack-keystone		09:01
*** topol has quit IRC		09:03
*** markvoelker has quit IRC		09:06
*** geoffarnold has quit IRC		09:11
*** geoffarnold has joined #openstack-keystone		09:12
*** markvoelker has joined #openstack-keystone		09:16
*** markvoelker has quit IRC		09:20
*** links has joined #openstack-keystone		09:25
*** markvoelker has joined #openstack-keystone		09:27
*** markvoelker has quit IRC		09:31
*** miyagishi_t has quit IRC		09:33
*** geoffarnold has quit IRC		09:33
*** geoffarnold has joined #openstack-keystone		09:33
*** markvoelker has joined #openstack-keystone		09:37
*** jbell8 has quit IRC		09:37
*** btully has joined #openstack-keystone		09:39
*** GB21 has joined #openstack-keystone		09:41
*** GB21_ has joined #openstack-keystone		09:41
*** GB21_ has quit IRC		09:42
*** markvoelker has quit IRC		09:42
*** btully has quit IRC		09:43
*** markvoelker has joined #openstack-keystone		09:52
*** lhcheng has quit IRC		09:52
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/230564	09:53
*** geoffarn_ has joined #openstack-keystone		09:55
*** jaosorior has quit IRC		09:55
*** geoffarnold has quit IRC		09:55
*** jaosorior has joined #openstack-keystone		09:55
*** markvoelker has quit IRC		09:57
*** e0ne has quit IRC		10:06
*** hidekazu has quit IRC		10:06
*** markvoelker has joined #openstack-keystone		10:06
*** e0ne has joined #openstack-keystone		10:09
*** markvoelker has quit IRC		10:11
*** geoffarnold has joined #openstack-keystone		10:16
*** geoffarn_ has quit IRC		10:16
*** markvoelker has joined #openstack-keystone		10:21
*** markvoelker has quit IRC		10:26
*** jaosorior has quit IRC		10:33
*** jaosorior has joined #openstack-keystone		10:34
*** markvoelker has joined #openstack-keystone		10:35
*** geoffarnold has quit IRC		10:37
*** geoffarnold has joined #openstack-keystone		10:37
*** markvoelker has quit IRC		10:40
*** mdavidson has joined #openstack-keystone		10:40
*** markvoelker has joined #openstack-keystone		10:45
*** wwwjfy has joined #openstack-keystone		10:50
*** wwwjfy_ has quit IRC		10:51
*** markvoelker has quit IRC		10:54
*** geoffarn_ has joined #openstack-keystone		10:59
*** geoffarnold has quit IRC		10:59
*** markvoelker has joined #openstack-keystone		11:00
*** markvoelker has quit IRC		11:05
*** pnavarro is now known as pnavarro\|lunch		11:14
*** markvoelker has joined #openstack-keystone		11:14
*** markvoelker has quit IRC		11:19
*** jamielennox is now known as jamielennox\|away		11:19
*** geoffarn_ has quit IRC		11:19
*** geoffarnold has joined #openstack-keystone		11:20
*** aix has quit IRC		11:29
*** markvoelker has joined #openstack-keystone		11:29
*** wwwjfy has quit IRC		11:30
*** wwwjfy has joined #openstack-keystone		11:31
*** markvoelker has quit IRC		11:34
*** geoffarnold has quit IRC		11:41
*** geoffarnold has joined #openstack-keystone		11:41
*** henrynash has quit IRC		11:41
*** henrynash has joined #openstack-keystone		11:43
*** ChanServ sets mode: +v henrynash		11:43
*** markvoelker has joined #openstack-keystone		11:44
*** henrynash has quit IRC		11:46
*** markvoelker has quit IRC		11:49
*** markvoelker has joined #openstack-keystone		11:50
*** markvoelker has quit IRC		11:56
*** Nirupama has quit IRC		12:01
*** geoffarn_ has joined #openstack-keystone		12:03
*** geoffarnold has quit IRC		12:06
*** markvoelker has joined #openstack-keystone		12:07
*** david-ly_ has joined #openstack-keystone		12:07
*** david-lyle has quit IRC		12:09
*** david-ly_ is now known as david-lyle		12:09
amakarov	Hello, everybody! Have somebody installed federation with oidc under Apache 2.4?	12:10
*** richm has joined #openstack-keystone		12:10
*** markvoelker has quit IRC		12:12
*** fawadkhaliq has quit IRC		12:15
*** GB21 has quit IRC		12:16
odyssey4me	amakarov I'm not sure if this will make much sense to you, but this may help you on your way: https://review.openstack.org/#/c/226617/	12:20
*** markvoelker has joined #openstack-keystone		12:21
amakarov	odyssey4me, thank you, I'm reading	12:21
*** mylu has joined #openstack-keystone		12:23
*** geoffarn_ has quit IRC		12:23
*** su_zhang has joined #openstack-keystone		12:23
*** geoffarnold has joined #openstack-keystone		12:24
*** markvoelker has quit IRC		12:26
*** vivekd has quit IRC		12:27
*** mylu has quit IRC		12:28
*** richm has quit IRC		12:28
*** richm has joined #openstack-keystone		12:29
*** markvoelker has joined #openstack-keystone		12:31
*** gordc has joined #openstack-keystone		12:34
*** markvoelker has quit IRC		12:36
*** edmondsw has joined #openstack-keystone		12:37
*** aix has joined #openstack-keystone		12:43
*** dims_ has joined #openstack-keystone		12:44
*** geoffarnold has quit IRC		12:45
*** geoffarnold has joined #openstack-keystone		12:45
*** markvoelker has joined #openstack-keystone		12:46
*** markvoelker_ has joined #openstack-keystone		12:49
*** raildo-afk is now known as raildo		12:51
*** dikonoor has joined #openstack-keystone		12:53
*** markvoelker has quit IRC		12:53
*** markvoelker_ has quit IRC		12:54
*** markvoelker has joined #openstack-keystone		12:56
*** su_zhang has quit IRC		12:56
*** hrou has joined #openstack-keystone		13:00
*** links has quit IRC		13:02
*** geoffarn_ has joined #openstack-keystone		13:06
*** gildub has quit IRC		13:10
*** geoffarnold has quit IRC		13:11
*** pnavarro\|lunch is now known as pnavarro		13:13
*** fawadkhaliq has joined #openstack-keystone		13:15
*** su_zhang has joined #openstack-keystone		13:16
*** david-lyle has quit IRC		13:16
*** gordc has quit IRC		13:18
*** fawadkhaliq has quit IRC		13:20
*** geoffarn_ has quit IRC		13:28
*** geoffarnold has joined #openstack-keystone		13:28
*** jaosorior has quit IRC		13:31
*** jaosorior has joined #openstack-keystone		13:32
*** david-lyle has joined #openstack-keystone		13:32
lbragstad	bknudson: have you pushed a patch for renaming the int -> float fernet methods yet?	13:33
bknudson	lbragstad: no, I didn't have a chance to work on it yesterday	13:35
dolphm	bknudson: i assume it's going to be a part of this series? https://review.openstack.org/#/c/231711/	13:35
lbragstad	bknudson: i can start working on it	13:35
*** LukeHinds has joined #openstack-keystone		13:38
*** doug-fish has quit IRC		13:40
*** doug-fish has joined #openstack-keystone		13:41
*** dikonoor has quit IRC		13:45
*** doug-fish has quit IRC		13:46
*** links has joined #openstack-keystone		13:46
*** ngupta has joined #openstack-keystone		13:48
*** geoffarnold has quit IRC		13:48
*** geoffarnold has joined #openstack-keystone		13:49
*** dsirrine has joined #openstack-keystone		13:50
*** zzzeek has joined #openstack-keystone		13:53
openstackgerrit	Henrique Truta proposed openstack/keystone: Manager support for projects acting as domains https://review.openstack.org/213448	13:53
openstackgerrit	Lance Bragstad proposed openstack/keystone: Rename fernet methods to match expiration timestamp https://review.openstack.org/232010	13:54
lbragstad	dolphm: bknudson ^	13:54
*** jaosorior has quit IRC		13:55
*** EinstCrazy has joined #openstack-keystone		13:55
*** jaosorior has joined #openstack-keystone		13:55
lbragstad	dolphm: would you be able to revisit this one, too... when you get a chance - https://review.openstack.org/#/c/221799/	13:55
*** doug-fish has joined #openstack-keystone		14:01
*** csoukup has joined #openstack-keystone		14:01
*** markvoelker_ has joined #openstack-keystone		14:04
*** gordc has joined #openstack-keystone		14:04
*** markvoelker has quit IRC		14:08
*** ParsectiX has quit IRC		14:09
*** geoffarnold has quit IRC		14:10
*** geoffarnold has joined #openstack-keystone		14:10
*** GB21 has joined #openstack-keystone		14:11
*** markvoelker_ has quit IRC		14:12
openstackgerrit	Lance Bragstad proposed openstack/keystone: Rename fernet methods to match expiration timestamp https://review.openstack.org/232010	14:14
*** topol has joined #openstack-keystone		14:14
*** ChanServ sets mode: +v topol		14:14
*** topol_ has joined #openstack-keystone		14:15
*** ChanServ sets mode: +v topol_		14:15
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	14:15
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	14:15
*** sigmavirus24_awa is now known as sigmavirus24		14:16
*** btully has joined #openstack-keystone		14:16
*** ayoung has joined #openstack-keystone		14:17
*** ChanServ sets mode: +v ayoung		14:17
*** sweetjeebus has joined #openstack-keystone		14:17
sweetjeebus	Hi everyone. I have a quick question about keystone and apache	14:17
*** topol has quit IRC		14:18
sweetjeebus	Mainly, why would I prefer to launch keystone as an apache service rather than a basic service? (using wsgi instead of 'service keystone start')	14:18
sweetjeebus	I see mention in documentation that it allows external authentication. Are there any other reasons? Is apache preferred over upstart/systemd?	14:19
dolphm	sweetjeebus: because as of juno or kilo (i don't recall which) we deprecated support for "as a basic service" in favor of whatever real, big-kid application server you want to use	14:20
sweetjeebus	right on	14:20
dolphm	sweetjeebus: keystone is just a wsgi application. there was no reason for a proprietary http server to be hardcoded on top.	14:20
sweetjeebus	I already have apache set up. Someone went onto the server and disabled it in favor of the 'basic service' approach	14:21
sweetjeebus	so... thanks @dolphm :)	14:21
dolphm	sweetjeebus: if you're not seeing deprecation warnings on startup, you likely will when you upgrade!	14:22
*** timcline has joined #openstack-keystone		14:23
sweetjeebus	@dolphm: yeah, I just upgraded to kilo. So I stripped out usage of 'service keystone start' in favor of apache-wsgi	14:24
sweetjeebus	I think my team didn't like it, so when I came back in this morning, apache was down and the service is up	14:24
sweetjeebus	so now I'm just digging to get all the facts straight :)	14:24
dolphm	sweetjeebus: lol hopefully your orchestration is version controlled :)	14:24
sweetjeebus	hehe... well... about that	14:25
sweetjeebus	we want everything brought up to keystone, but we	14:25
sweetjeebus	're stepping the components up	14:25
sweetjeebus	er... 'we want everything brought up to -kilo-'	14:26
dolphm	sweetjeebus: for reference, https://www.mail-archive.com/openstack-dev@lists.openstack.org/msg46449.html	14:26
*** timcline has quit IRC		14:27
bknudson	eventlet server doesn't have the security features that apache has. We had to implement sizelimit middleware.	14:27
sweetjeebus	@dophm Thanks!	14:27
*** timcline has joined #openstack-keystone		14:27
dolphm	although, any mention of eventlet support being explicitly deprecated is missing from juno's release notes https://wiki.openstack.org/wiki/ReleaseNotes/Kilo	14:28
sweetjeebus	yeah... I just stepped through juno with nothing but a db upgrade and went straight to kilo	14:30
sweetjeebus	it worked really well. Just a couple of extra sql statements had to be issued	14:31
*** geoffarn_ has joined #openstack-keystone		14:32
*** markvoelker has joined #openstack-keystone		14:32
dolphm	sweetjeebus: what was missing from db_sync ?	14:33
*** alextricity has quit IRC		14:33
sweetjeebus	@dolphm: give me a minute, I'll gather all the details from my cookbook/playbook combo	14:33
sweetjeebus	Okay... first, I built a throw-away server with access to the juno cloud repos (ubuntu). I installed the keystone packages, but the only configuration I did was to point keystone.conf at the proper db.	14:35
sweetjeebus	Then, from that throw-away (juno.upgrade.server) I ran the db_sync	14:36
*** geoffarnold has quit IRC		14:36
sweetjeebus	In order to upgrade it again to kilo, I first had to log into the db and issue these statements:	14:37
*** fawadkhaliq has joined #openstack-keystone		14:37
sweetjeebus	alter table revocation_event convert to character set utf8 collate utf8_unicode_ci ; alter database keystone CHARACTER SET utf8 COLLATE utf8_unicode_ci;	14:37
sweetjeebus	after that, the kilo version of keystone-manage ran the db_sync just fine	14:37
dolphm	sweetjeebus: this was the latest branch of kilo?	14:38
sweetjeebus	Yes. The latest branch that ubuntu is serving. I'll get you the version info on keystone-manage	14:38
sweetjeebus	a6000798@dtl07sbcid001:~$ keystone-manage --version 2015.1.1	14:39
sweetjeebus	the version number is the actual output	14:39
sweetjeebus	also...	14:39
*** EinstCrazy has quit IRC		14:39
sweetjeebus	sudo keystone-manage --nodebug db_version 67	14:39
dolphm	sweetjeebus: we've actually had that exact problem release after release, but i'm not aware of any such open bugs against kilo	14:39
sweetjeebus	67	14:39
*** ayoung has quit IRC		14:41
sweetjeebus	yeah, I -think- there's a bug stating that we don't need that db check to fail the db_sync	14:41
*** phalmos has joined #openstack-keystone		14:41
sweetjeebus	but anyway... the db_sync to juno didn't throw the errors. It came from the sync to kilo	14:42
*** ayoung has joined #openstack-keystone		14:42
*** ChanServ sets mode: +v ayoung		14:42
sweetjeebus	@dolphm: you want me to do anything further with this info? Otherwise, I'm going to go do some werk	14:44
*** agireud has quit IRC		14:44
dolphm	sweetjeebus: no, go be productive! i'm poking around to see if it makes sense to file a bug	14:44
*** ngupta has quit IRC		14:45
sweetjeebus	aye aye.	14:45
sweetjeebus	I think I can reproduce the bug pretty quick, if you need	14:46
*** GB21_ has joined #openstack-keystone		14:47
*** ayoung has quit IRC		14:47
*** GB21 has quit IRC		14:49
*** HenryG has quit IRC		14:49
*** shadower has quit IRC		14:49
*** martinus__ has quit IRC		14:49
*** hogepodge has quit IRC		14:50
*** slberger has joined #openstack-keystone		14:50
*** hogepodge has joined #openstack-keystone		14:51
*** stevemar_ has joined #openstack-keystone		14:51
*** ChanServ sets mode: +o stevemar_		14:51
*** martinus__ has joined #openstack-keystone		14:51
stevemar_	anyone have time to try this out with master? https://bugs.launchpad.net/keystone/+bug/1503712	14:51
openstack	Launchpad bug 1503712 in Keystone "Cannot delete tenant in openstack Juno" [Undecided,New]	14:51
*** HenryG has joined #openstack-keystone		14:52
*** geoffarn_ has quit IRC		14:52
*** browne has joined #openstack-keystone		14:53
*** geoffarnold has joined #openstack-keystone		14:53
*** petertr7 has quit IRC		14:55
*** petertr7_away has joined #openstack-keystone		14:55
*** petertr7_away is now known as petertr7		14:55
*** alejandrito has joined #openstack-keystone		14:57
dolphm	stevemar_: might be a configuration error? i have no other clue why their trust_api driver would be called Revoke, otherwise...	14:58
stevemar_	dolphm: i assume deleting projects caused the revocation extension to be engaged, which then checked for trusty bits...	14:59
dolphm	stevemar_: that's not what i'm reading from the stack trace	14:59
*** ayoung has joined #openstack-keystone		14:59
*** ChanServ sets mode: +v ayoung		14:59
stevemar_	_emit_invalidate_user_project_tokens_notification	15:00
*** diazjf has joined #openstack-keystone		15:00
*** sweetjeebus has quit IRC		15:00
*** diazjf has left #openstack-keystone		15:01
dolphm	stevemar_: look further down. a call to self.trust_api.list_trusts_for_trustee() fails with "'Revoke' object has no attribute 'list_trusts_for_trustee'"	15:01
stevemar_	yeah, i'm looking around there now	15:01
*** david_cu has joined #openstack-keystone		15:01
*** timcline_ has joined #openstack-keystone		15:03
*** timcline has quit IRC		15:03
*** agireud has joined #openstack-keystone		15:05
*** timcline_ has quit IRC		15:05
*** timcline has joined #openstack-keystone		15:06
*** jaosorior has quit IRC		15:06
*** jaosorior has joined #openstack-keystone		15:06
*** ngupta has joined #openstack-keystone		15:07
stevemar_	dolphm: maybe the user has CONF.token.revoke_by_id enabled, but no revocation driver in pipeline?	15:08
*** jdennis1 has joined #openstack-keystone		15:09
dolphm	stevemar_: not sure what you mean (drivers aren't in the pipeline?)	15:10
*** jdennis has quit IRC		15:10
*** sdake has quit IRC		15:11
*** sdake has joined #openstack-keystone		15:14
*** jistr is now known as jistr\|mtg		15:14
bknudson	should keystone be dealing internally with unicode strs or regular strs?	15:15
bknudson	in python3 some things don't work if you try to mix and match str with unicode	15:16
*** jistr\|mtg is now known as jistr		15:17
dolphm	bknudson: i would think unicode, and decode them when they're being written somewhere that doesn't understand them?	15:17
*** pnavarro has quit IRC		15:18
bknudson	I'll give it a try. there's a lot of python apis that generate strings rather than unicode	15:19
bknudson	data from clients is unicode so seems like it would be better to keep it that way as long as we can.	15:23
bknudson	or, convert it right away	15:23
dolphm	bknudson: are you looking at the cryptography one?	15:23
dolphm	bknudson: right	15:23
dolphm	bknudson: and we need to support unicode user input... so i would think we'd be unicode internally	15:23
bknudson	ok, I'll try it.	15:24
dolphm	but i know we're inconsistent, in part because character encodings are super subtle to keep track of in code reviews	15:24
bknudson	I'm looking into the unit test failures in my py3 changes: http://logs.openstack.org/11/231711/1/check/gate-keystone-python27/cdd7f8d/console.html#_2015-10-06_21_26_25_963	15:25
bknudson	I tried changing the code so that the audit id generated is a str	15:25
bknudson	but when you rescope a token, the original audit_id comes from the token	15:25
bknudson	and the original audit_id is coming in as a unicode	15:25
*** EinstCrazy has joined #openstack-keystone		15:25
bknudson	so we wind up with a list of ['new_audit_id', u'original_audit_id'] which is hard to work with	15:26
bknudson	so should be either 2 unicodes or both strs	15:26
bknudson	I've been trying to make them both strs but I'll try making them both unicodes.	15:27
bknudson	here's token_ref from keystone/token/providers/fernet/core.py(94)issue_v2_token() : http://paste.openstack.org/show/475625/	15:29
bknudson	it's a mishmash of unicodes and strs	15:29
*** roxanagh_ has joined #openstack-keystone		15:30
bknudson	it's just the tenant values that are strs	15:30
*** geoffarn_ has joined #openstack-keystone		15:31
*** geoffarnold has quit IRC		15:31
dolphm	bknudson: passing dictionaries around is probably the first mistake that led to that ;)	15:32
bknudson	ok, I'll just fix that.	15:32
bknudson	be back in a few weeks	15:33
dolphm	lol	15:33
stevemar_	hehe	15:34
*** dims_ has quit IRC		15:34
*** EinstCrazy has quit IRC		15:34
openstackgerrit	Dolph Mathews proposed openstack/keystone: Additional documentation for services https://review.openstack.org/211184	15:38
*** david-lyle has quit IRC		15:41
*** david-lyle has joined #openstack-keystone		15:42
*** links has quit IRC		15:42
*** dims_ has joined #openstack-keystone		15:44
*** arunkant has quit IRC		15:48
*** rudolfvriend has quit IRC		15:50
*** timcline_ has joined #openstack-keystone		15:51
*** geoffarn_ has quit IRC		15:52
*** timcline has quit IRC		15:52
*** geoffarnold has joined #openstack-keystone		15:52
*** nicodemos has joined #openstack-keystone		15:54
*** david-ly_ has joined #openstack-keystone		15:55
dstanek	reading RFCs makes me feel dumb	15:55
*** david-lyle has quit IRC		15:55
*** david-ly_ has quit IRC		15:56
lbragstad	dolphm: I see you just rechecked https://review.openstack.org/#/c/231191/	15:56
*** david-lyle has joined #openstack-keystone		15:56
lbragstad	dolphm: thanks, cinder issues?	15:57
*** flwang has quit IRC		15:58
notmyname	stevemar_: I'd like to talk about the service catalog spec. got any time? https://review.openstack.org/#/c/181393/14/specs/service-catalog.rst	15:58
jgriffith	lbragstad: looks like grenade didn't deploy succesfuly	15:58
stevemar_	notmyname: for you, always	15:58
dolphm	lbragstad: volume already attached, you gotta detach it first	15:58
notmyname	lol	15:58
lbragstad	jgriffith: dolphm gotcha, makes sense	15:59
stevemar_	dstanek: they use a lot of complicated sentences	15:59
notmyname	stevemar_: specifically, the tenant_id removal from the catalog. (the rest of it I'm generally ok with).	15:59
notmyname	the tenant_id part is what I'm concerned about	15:59
dstanek	stevemar_: i think most just need a tldr; section to get you started	15:59
*** dims__ has joined #openstack-keystone		15:59
morgan	notmyname: why?	15:59
stevemar_	notmyname: cool - what are your concerns	15:59
jgriffith	dolphm: I'm kinda curious about that	16:00
*** fawadkhaliq has quit IRC		16:00
notmyname	my first one is a general one, and I'm curious how you see this playing out. this sounds like something that's going to require client changes to be able to use it. is that true?	16:00
*** fawadk has joined #openstack-keystone		16:00
jgriffith	dolphm: you state "cinder fragility"... what makes you say that?	16:00
notmyname	what is the new client request pattern?	16:01
jgriffith	dolphm: looking at the console log it appears stack.sh failed	16:01
jgriffith	but I'm likely missing something you saw so looking for education :)	16:01
notmyname	(I think understanding what the expected client changes are in other openstack projects will either alleviate or reenforce my concerns about the proposal)	16:02
stevemar_	notmyname: sec, looking at swiftclient code	16:02
notmyname	stevemar_: no, don't worry about that :-)	16:03
notmyname	stevemar_: just in general	16:03
*** arunkant has joined #openstack-keystone		16:03
morgan	notmyname: ideally, client changes would be minimal. The client should still know where to place in the tenant id if needed. However, with tokens, the server already has the tenant so for discovery the server can produce appropriate links	16:03
*** dims_ has quit IRC		16:03
stevemar_	notmyname: well in general it would mean that the client needs to know the tenant id as well	16:03
notmyname	so today a client give id creds to keystone and gets back a catalog, including the endpoint for the service	16:03
notmyname	and in the new world a client makes the request to keystone and then has to construct somethign locally to know the endpoint, right? ie clients need to be rewritten to use this	16:04
stevemar_	notmyname: it would involve client work, yes	16:05
morgan	The fact we have random substitutions in the catalog is a little silly - the catalog should indicate host/port/base url, but not need the substitution parts.	16:05
bknudson	in the case of nova, there's no client changes necessary. The client doesn't care about the tenant_id in the url, and the server doesn't need the tenant from the URL since it gets it from the token.	16:05
*** jistr has quit IRC		16:05
morgan	bknudson: ++	16:05
bknudson	I think notmyname is saying that swift can't get the tenant from the token?	16:06
notmyname	bknudson: well, tell me more about that. I'm not terribly familiar with the nova API, but looking at the docs yesterday it does look like the tenant id is required	16:06
notmyname	morgan: I'm not sure I understand the "should" in your statement	16:06
morgan	notmyname: it is today. The goal is that nova shouldnt need that	16:06
stevemar_	notmyname: s/should/ideally	16:06
bknudson	notmyname: for now the tenant_id is required, but what they said is that they're going to change it so that nova works without the tenant id.	16:06
morgan	It is superfluous info in almost all cases to add it	16:06
notmyname	because nova can get the tenant from the token?	16:07
stevemar_	oui	16:07
morgan	Yep. As part of token validation the tenant_id is passed down to the app :)	16:07
bknudson	notmyname: right, the tenant id is in the token (nova gets it from the request env set by the auth_token middleware)	16:07
notmyname	and the tenant id isn't referring to an actual resource the client is using in nova	16:07
bknudson	I think there's a check now that verifies that URL tenant_id matches token tenant_id	16:08
notmyname	morgan: ok, so the tenant id is part of the actual token? or just part of the identity record that the server-side gets after validating the token?	16:08
morgan	notmyname: yes	16:08
morgan	notmyname: part of the token	16:08
stevemar_	notmyname: it's part of the token	16:08
notmyname	morgan: that wasn't a yes/no question ;-)	16:08
notmyname	oh ok	16:08
notmyname	as in a substring?	16:08
bknudson	the tenant_id is a field in the token (the token is json)	16:09
notmyname	is that true for uuid tokens? pki tokens? fernet tokens?	16:09
bknudson	it's the scope	16:09
morgan	notmyname: it is in the token body, services do not care about the token itself. The token when we say something is part of it is part of the body returned	16:09
notmyname	ok, so we have different ideas of what a "token" is. I'm talking about the thing that the client sends to be authorized	16:09
morgan	notmyname: the token id (what the client sends) is opaque	16:10
bknudson	does swift match the client's tenant_id against the tenant ID in the URL?	16:10
stevemar_	notmyname: the project id is part of the token payload, http://paste.openstack.org/show/475631/	16:10
morgan	The migration path for nova is to support urls with both tenant_id in them and once that dont. Since nova knows the tentant_id and checks that tenant-id from token body and passed as part of the url matches explicitly	16:11
bknudson	as in, could I change the request URL to use a different tenant?	16:11
bknudson	with the same token	16:11
notmyname	bknudson: the part of the URL that keystone is historically using the tenant id for is what we call the "swift account". it's just a storage area. we don't have any requirements on it, really, other than being unique	16:11
notmyname	bknudson: ie your account is differnet than mine	16:11
bknudson	notmyname: so swift doesn't care about the token scope?	16:11
bknudson	how do you give auth to different accounts?	16:12
bknudson	maybe there's some docs somewhere we should look at	16:12
morgan	notmyname: this seems like apriori knowledge. You would either extract it from the initial token request or be specifying it. (Please correct me if i am wrong)	16:12
notmyname	well the swift account is an actual resource that clients interact with and its name is part of the data placement and namespace for everything	16:12
bknudson	how do you tell if a user has authority to an account?	16:13
morgan	E.g. With an env or cli option if it wasnt extracted from the token?	16:13
notmyname	bknudson: well now were getting closer to some of my concerns with this spec :-)	16:13
notmyname	bknudson: in swift, the account name is unique. you have one and I have one	16:13
bknudson	can I give you access to my account?	16:13
notmyname	bknudson: in the account we can create containers, and in the containers we can put objects. the names of those are unique per account	16:14
*** geoffarn_ has joined #openstack-keystone		16:14
notmyname	gettign there :-)	16:14
*** geoffarnold has quit IRC		16:14
*** su_zhang has quit IRC		16:14
notmyname	so we can both create and "images" container with an object called "cat.jpg"	16:14
notmyname	so we've now got "AUTH_notmyname/images/cat.jpg" and "AUTH_bknudson/images.cat.jpg"	16:15
stevemar_	this is because both our "images" containers are namespaced by the account IDs (project IDs)	16:15
notmyname	with keystone today, s/notmyname/<whatever my tenant id is/	16:15
notmyname	stevemar_: right	16:15
notmyname	so we can also give each other access to resources in our own account	16:15
bknudson	AUTH_ is a hardcoded string?	16:15
stevemar_	bknudson: yes it is, AFAICT	16:15
notmyname	bknudson: no. sortof. it's unique per auth system that's used in the cluster. many clusters have more than one auth system installed	16:16
notmyname	so keystone eg gets KEY_ and something else gets OTHER_ and something else gets AUTH_. etc	16:16
bknudson	are you still using keystone role assignments to control access to different accounts?	16:16
bknudson	I admit it will be strange for nova to have resources with the same path but different meanings based on the token scope	16:17
notmyname	when swift is determining authz for a request, it gets the roles from keystone and compares them to the roles allowed for that resource. if there is an intersection, the request is allowed	16:17
bknudson	most of the nova resources use uuids but I think flavors are named by the user	16:17
notmyname	so you could set read access for me on your images contianer and read/write access for morgan on your images container	16:18
stevemar_	notmyname: ah, is that where swft ACLs come into play?	16:18
notmyname	stevemar_: yes, exactly	16:18
bknudson	but you're expecting them to get a token scoped to the other project so that they can get the URL	16:18
morgan	notmyname: so in this case, swiftclient would know when using keystone to do the url construction. The account name can just be accquired when the token is initially requested or on the cli/by env or have the client validate the token for the info. You still need to get the account id	16:19
*** dims__ is now known as dims		16:19
morgan	notmyname: the only difference is the keystone catalog wont say "put account id here" it may say: <swift url>/base_path_for_keystone_auth/	16:19
bknudson	say I've got a token scoped to my account and I want to read morgan's files, now I need a new token?	16:20
notmyname	so therefore I've got to get a different token for every potential resource I'm accessing? eg if I'm sharing content in swift, then I could have up to one token for every tenant in the system, right?	16:20
bknudson	notmyname: we're asking each other the same question... but this is how it works now	16:20
morgan	Only if you rely on the token to extract the id	16:20
notmyname	bknudson: heh	16:20
morgan	But if you specify the id in another way (cli option?) it wouldnt be needed	16:21
morgan	You already need that info client side	16:21
morgan	How do you get it today?	16:21
bknudson	seems like swift will need to get the roles the user has on the other account	16:21
bknudson	so it's going to need another token with the different scope.	16:21
notmyname	bknudson: but I don't think it does work that way now. basically, the keystone id comes back with some roles on it (we call them groups in swift)	16:21
bknudson	it doesn't really need the project ID in the catalog if the user tells it what the project ID is.	16:22
morgan	bknudson: ++	16:22
*** drjones has quit IRC		16:22
bknudson	or if the client can figure out the project ID itself somehow (ask keystone to pull it out of the token or something)	16:22
notmyname	yeah, but how do I, the client, know that I'm supposed to access your images/cat.jpg instead of mine? or instead of anyone else's?	16:22
*** _cjones_ has joined #openstack-keystone		16:23
bknudson	how did the client know before? it must have been told.	16:23
*** zzzeek has quit IRC		16:23
*** agireud has quit IRC		16:24
notmyname	the client gets an auth token with his own identity creds and then uses that token[id] to access the URL you gave me (which includes your account string, which today is your tenant id by convenience/accident)	16:24
bknudson	how did the client even know that keystone auth was being used instead of something else?	16:24
bknudson	is there a sample application somewhere we could look at?	16:24
notmyname	heh	16:24
notmyname	I'll try to put together a sample	16:25
notmyname	but before that...	16:25
notmyname	well, maybe not :-)	16:26
*** agireud has joined #openstack-keystone		16:27
notmyname	ah, here	16:28
notmyname	http://docs.openstack.org/developer/swift/overview_auth.html#access-control-using-keystoneauth	16:28
notmyname	tl;dr I set <other_project_id:other_user_id> in the ACL on the swift resource to your project:user and you get access	16:30
*** geoffarnold has joined #openstack-keystone		16:35
*** geoffarn_ has quit IRC		16:35
stevemar_	notmyname: okay, so there is a way to allow others access	16:36
notmyname	right	16:37
stevemar_	i think we went crazy off-topic though :)	16:37
stevemar_	notmyname: the way i imagine it would flow is: create a keystone session with a user's name/password and project, this can get us a token	16:38
stevemar_	get the service catalog, and with the new session in place, we already know the project that the user is authenticated again	16:38
stevemar_	st	16:38
notmyname	that's the part I'm not sure about	16:39
notmyname	I don't think you do	16:39
notmyname	since if I get a keystone session/token, then that doesn't say anything about my access to your resources	16:39
notmyname	so you give me a link to your cat.jpg and then I have to get another keystone session/token to access it?	16:40
morgan	notmyname: how does the client know what the account_id is today?	16:41
notmyname	the swift account or the keystone tenant id?	16:41
*** geoffarnold has quit IRC		16:41
morgan	The swift account id	16:41
notmyname	that's part of the URL	16:41
notmyname	eg http://swift.example.com/v1/AUTH_morgan/awesome/content/lives/here.data	16:42
morgan	Ok, so you already know it	16:42
morgan	If you are doing a get, nothing changes	16:42
morgan	You dont use the tenant_id directly	16:42
notmyname	ok. thanks. I wasn't sure about that part	16:42
morgan	You arent constructing /tenant_id/url	16:43
morgan	You just. Get "url" ;)	16:43
openstackgerrit	Dolph Mathews proposed openstack/keystone: Explain default domain in docs for other services https://review.openstack.org/232098	16:43
morgan	You use roles, user, whatever for the ACLs	16:44
notmyname	to be pedantic, the only mapping that a tenant_id and swift account have is because that's what keystone has chosen to use. they aren't required to be the same at all. all swift cares about is that they hash to a unique value	16:44
morgan	Right	16:44
morgan	It seems you mostly ignore tenant_id and act on known urls.	16:44
*** lhcheng has joined #openstack-keystone		16:45
*** ChanServ sets mode: +v lhcheng		16:45
notmyname	ok, so aside for the client having to be rewritten, everything is mostly the same if there is a token ;-)	16:45
*** belmoreira has joined #openstack-keystone		16:45
notmyname	what if there isn't a token?	16:45
notmyname	eg with public access?	16:45
morgan	Same again as today.	16:45
*** lhcheng has quit IRC		16:45
morgan	You bypass the keystonemiddleware because you dont care	16:46
morgan	It isnt a protected resource	16:46
*** lhcheng has joined #openstack-keystone		16:46
*** ChanServ sets mode: +v lhcheng		16:46
morgan	You still know the url for the resource and do a get, token validation sets (for your case) identity_invalid header but you're not blocking access	16:47
notmyname	you have to have knowledge of the swift account up front through some other changel	16:47
notmyname	could be a PUT	16:47
morgan	Correct.	16:47
notmyname	changel? channel	16:47
* morgan is fluent in typoese		16:47
notmyname	I'm a native speaker	16:48
morgan	As long as you know the url, you are good. If you are trying to "construct" the url, the client needs a slight bit more smarts	16:48
morgan	But again, the client already has to be told this today	16:48
morgan	Somehow	16:49
notmyname	?	16:49
*** tonytan4ever has joined #openstack-keystone		16:49
morgan	I dont think swift constructs the url	16:49
morgan	Swiftclient	16:49
morgan	But in hav not looked	16:49
morgan	You dont say "get me cat.jpg" you say get me <url>	16:50
morgan	right?	16:50
notmyname	right	16:50
notmyname	it means that for auth'd access to a resource in swift, the client needs to adopt a new protocol: now they get a catalog and construct something whereas before they used what was in the catalog. after that point it's largely the same	16:50
notmyname	so this is keystone v4?	16:50
morgan	No	16:50
notmyname	to which one?	16:50
morgan	Not keystone v4	16:50
notmyname	why not? the auth conversation changes	16:51
morgan	The auth is the same.	16:51
notmyname	breaking existing clients	16:51
morgan	Ok so i have no idea what swiftclient is constructing	16:51
morgan	What is swiftclient constructing	16:51
morgan	We are talking past each other here somehow	16:52
notmyname	swiftclient grabs the endpoint that was in the catalog and sends requests to that	16:52
morgan	What is passed to swiftclient?	16:52
morgan	For the url	16:52
bknudson	what if you're not using keystoneauth, then you don't have a catalog	16:53
morgan	Is it the whole url or just image/cat.jpg?	16:53
notmyname	morgan: I don't understand. to do auth?	16:53
morgan	notmyname: ignore auth.	16:53
notmyname	ok	16:54
morgan	Assume you are using keystone	16:54
notmyname	ok	16:54
bknudson	I think a sample application would explain things	16:54
morgan	What is the swiftclient command look like	16:54
morgan	Or pseudocode using as a library	16:54
*** itlinux has quit IRC		16:54
notmyname	swiftclient has a CLI tool, a low-level client SDK, and a high-level SDK. that's where I'm tripping up on "send to swiftclient"	16:55
morgan	So lets get a clear example of each.	16:55
notmyname	here's a simple example using curl and auth v1 https://gist.githubusercontent.com/notmyname/47d948e864c6185e2c88/raw/2136f89ba9e66c4a4b00e29edf715a6ce808539a/gistfile1.txt	16:55
*** exploreshaifali has joined #openstack-keystone		16:56
notmyname	here's something very similar using the CLI from swiftclient	16:57
notmyname	https://gist.github.com/notmyname/72fa6f934b1e7a7410aa	16:57
*** ngupta_ has joined #openstack-keystone		16:57
bknudson	notmyname: where did you tell it the account ^	16:58
bknudson	this one isn't using keystone ^ ?	16:58
notmyname	it's returned in the "catalog" (with auth v1 that's a header like the token. see x-storage-url)	16:58
notmyname	correct. this is using swift's tempauth. I can get keystone-specific examples, but it will take a while. the concepts are the same	16:59
bknudson	is it in the ST_USER?	16:59
dstanek	looking at how swift auth works made this clearer to me; you send username/password to swift and get back a storage url and token; that storage url is the entry point to listing containers, etc.	17:00
morgan	Fwiw, this might be something that can be solved at the summit in ~5mintues	17:00
morgan	This looks like IRC is not working for clear communication.	17:00
notmyname	dstanek: almost exactly 100% correct. the slight update is that "you send username/password [ie creds] to the auth system and get back a storage url and token..."	17:01
*** ngupta has quit IRC		17:01
bknudson	how does it know the account from the username / password?	17:01
bknudson	there's multiple accounts and it doesn't know which one I'm going to talk to.	17:01
notmyname	in today's keystone, that's the storage url that comes back in the catalog	17:01
dstanek	bknudson: probably the same as what keystone does now	17:01
bknudson	dstanek: default project?	17:01
dstanek	bknudson: probably their account id/user id/ or something in the auth	17:02
notmyname	the auth system (today) is responsible for mapping the user creds to a default swift account endpoint, if one exists. the auth system maintains that mapping. today keystone constructs that from the base url and tenant id	17:02
bknudson	ok, so seems like the catalog is only important because you take advantage of the user's default project	17:04
bknudson	notmyname: what if the user doesn't have a default swift account endpoint?	17:05
bknudson	or they want to override the default, they can do that?	17:05
bknudson	the token response does have the project, or given a token you can query keystone to get the project, so the client can use that to construct the URL	17:06
bknudson	or if the user passes a different project then the client can just stuff that in the url	17:07
dstanek	bknudson: here's my example code http://paste.openstack.org/show/475638/	17:07
dstanek	not sure it if works because i deleted my swift container	17:07
*** fhubik has quit IRC		17:08
bknudson	so then it would be interesting to see how you'd change the sample code to use a different account with the same user.	17:08
notmyname	dstanek: yeah, that's using the low-level SDK	17:09
dstanek	notmyname: would it be possible for swift to take a token and figure out it tenant_id instead of having it in the url	17:09
notmyname	dstanek: it seems like all the info is there, so yes. aside from the fact that every existing client breaks	17:09
bknudson	the catalog rework is going to be a long-term project.	17:09
dstanek	notmyname: would the clients break? do they assume they can parse the URL?	17:10
dstanek	bknudson: i would give you a URL and you would use that with your token (i think)	17:10
dstanek	notmyname: in my example i have no idea what the URL is and it really doesn't matter	17:10
notmyname	dstanek: because after getting that catalog back, the next thing to do is the equiv of `curl -XPUT <storage url endpoint from catalog>/my_new_container`	17:11
notmyname	dstanek: swiftclient is the client in this case. not you, the end user	17:11
notmyname	client == the program that is using the API to access storage	17:11
*** su_zhang has joined #openstack-keystone		17:11
*** geoffarnold has joined #openstack-keystone		17:11
dstanek	notmyname: so you are not following links at all? and actually constructing them in the client?	17:12
notmyname	what links?	17:13
notmyname	you give me an opaque string that I assume works. I append the thing I'm creating to it and do an HTTP PUT request	17:13
dstanek	notmyname: getting a list of containers, or whatever else.	17:13
dstanek	notmyname: and i'm assuming the client doesn't support redirects	17:13
notmyname	for a list of containers, the client today does a GET to the storage url that was in the catalog	17:14
notmyname	and no, there is no support for redirects. does keystone return 3xx response codes?	17:14
notmyname	currently swift doesn't respond with anythign in the 3xx series, so there's no support for that in our client library	17:15
bknudson	we can't stop anyone from putting a proxy in front of keystone that does 3xx.	17:15
dstanek	if that line were to http://swift/v1.0 and it could use the auth token to either redirect to /v1.0/tenant_id or just return the data	17:15
dstanek	s/line/link/	17:16
*** itlinux has joined #openstack-keystone		17:17
*** x58 has quit IRC		17:18
dstanek	i want to dig into the architecture a little more because it seems strange that the auth system would control the IDs if swift can simultaneously use multiple auth systems	17:18
notmyname	dstanek: yes. but that means that the client needs to be rewritten. not just swiftclient. every client	17:18
notmyname	ok, so I think I can imagine a path forward	17:18
*** x58 has joined #openstack-keystone		17:18
dstanek	notmyname: i was hoping that the client would just follow the redirect, get a list of container URLs that would have the tenant_id in them and use those	17:19
*** itlinux has quit IRC		17:19
notmyname	keystone updates the catalog (IMO this still sounds like a breaking API change requiring an update to the version). then swift implements a 3xx to redirect iff the account isn't give and there is also a valid token in the reuqest. then the swiftclient is taught how to follow the redirect	17:20
dstanek	notmyname: don't you use requests in your client?	17:20
notmyname	dstanek: yes we do	17:20
dstanek	it should be able to follow the redirect just fine. the part that would change is if it uses the original URL to do things instead of using URLs from the response	17:21
morgan	notmyname: for what it is worth, the catalog has not been well defined - there are a lot of cases where random cruft/non-conforming things are randomly added	17:21
*** itlinux has joined #openstack-keystone		17:21
notmyname	the client ecosystem that will have to change is a lot larger than just swiftclient. swiftclient is just the one that we have some control over	17:22
morgan	notmyname: and the catalog is part of the token not the API version	17:22
dstanek	notmyname: unless swiftclient has the default redirect following behavior turned off	17:22
bknudson	keystone doesn't define the catalog, it just holds whatever the deployer puts in it.	17:22
notmyname	dstanek: I don't know	17:22
dstanek	notmyname: ah, non-openstack clients	17:22
bknudson	maybe that's part of the problem	17:23
morgan	notmyname: so it would not be keystone v4, but an alternative to auth.	17:23
dstanek	but would a change in keystone matter to them anyway?	17:23
morgan	bknudson: that is what this spec is looking to change - define the catalog specification, then we can start being more opinionated about the catalog	17:23
notmyname	dstanek: yes, if deployers upgrade to a new keystone that has a different catalog, then yes I think they care very much	17:23
dstanek	notmyname: no i mean other non-openstack clients	17:24
notmyname	dstanek: yeah, me too	17:24
dstanek	notmyname: i guess i'm not following - unless they are using keystone auth too	17:24
notmyname	dstanek: eg if ruby fog starts getting new stuff back from the auth request, it's likely it could break. or jclouds, or any of the hundreds of custom scrips written for a particular deployment	17:25
dstanek	notmyname: and those things are used against keystone?	17:25
notmyname	dstanek: many times. how many devs have written a script to talk to rax cloud files or hp object storage? those use keystone (or look-alikes--doesn't matter from the client perspective)	17:27
dstanek	i would expect that existing auth systems would work the same way and "deep link" to the tenant url; i would also expect any rest client to handle redirects properly and my only concern would be hateos	17:27
notmyname	hateos? is that like iOS? or BeOS? or...	17:27
dstanek	oops...no. meant hateoas and in the rest constraint	17:28
dstanek	hateos is what i'm calling my personal bsd distro	17:29
notmyname	:-)	17:30
*** e0ne has quit IRC		17:30
dstanek	notmyname: i'd love to see an example of a script that you are worried about to that i can get a clearer picture	17:30
dstanek	not necessarily not though :-)	17:31
dolphm	bknudson: i'd be happy to submit a revised patchset for this one, but i wanted to make sure you at least saw my comment first https://review.openstack.org/#/c/225692/ -- let me know if you want to revise it or if you'd like me to	17:34
bknudson	dolphm: moving the part about the arguments being safe to the beginning makes sense	17:35
*** _cjones_ has quit IRC		17:35
notmyname	dstanek: what I have locally is all based on swiftclient, so they wouldn't change themselves, but swiftclient would	17:36
notmyname	dstanek: here https://github.com/openstack/python-swiftclient/blob/master/swiftclient/client.py#L354	17:36
bknudson	dolphm: if you have time to make the change go ahead since I'm in the middle of py3 unicode work.	17:36
dolphm	bknudson: ack	17:36
notmyname	also, to everyone, I know I've taken up a ton of time with this. thank you for helping me understand	17:37
*** itlinux has quit IRC		17:37
*** GB21_ is now known as GB21		17:37
bknudson	notmyname: we need to know if this is going to work for swift otherwise it's a non-starter, so it'll save time to know.	17:37
notmyname	bknudson: the swift account part of the request is essential for every request to swift. the debate seems to be around if it's ok to not provide that in the service catalog any more	17:39
dstanek	notmyname: i wouldn't expect that to need to change - the endpoint from Keystone would be http://swift/v1.0 and the swift server would handle the redirect	17:39
notmyname	I don't like the implied client changes required by this proposal, and I'm concerned about how this impacts use cases where a lot of users are sharing a lot of data with each other	17:40
dstanek	if anything i would expect that https://github.com/openstack/python-swiftclient/blob/master/swiftclient/client.py#L494 would need to change, but a brief look at the code makes me think not	17:40
notmyname	dstanek: actually, wouldn't the version be dropped too? ;-)	17:40
dstanek	notmyname: probably	17:40
*** jbell8 has joined #openstack-keystone		17:40
openstackgerrit	Dolph Mathews proposed openstack/keystone: Enable subprocess_without_shell_equals_true Bandit test https://review.openstack.org/225692	17:41
dstanek	the only thing the url in get_account seems to be used for is to get the objects (which would be fine in the redirect case) and to log the request	17:41
dolphm	bknudson: uploaded this diff ^ http://cdn.pasteraw.com/4316vg9ju2a0au36u5wkgruokobtt89	17:41
bknudson	the endpoints should all be under a namespace rather than separate ports, e.g., https://host/openstack/swift	17:41
notmyname	dstanek: that method is for getting a list of the containers in a specific account. I think it's unrelated to this proposal	17:42
notmyname	dstanek: ie that information would be available before that method is called	17:42
dstanek	i think it's very related. i don't expect swift's auth to change at all; it's the things that use the endpoint returned from the catalog that are the problem	17:43
notmyname	bknudson: actually, that's normally a terrible idea for swift. you don't want user-specified data at the same domain as other protected content. opens up a lot of security holes	17:43
dstanek	i would return xxx://yyyy.zzzz in the catalog and i would expect the auth stuff to work fine, but that thing that tried to use that url will be broken	17:44
*** LukeHinds has quit IRC		17:45
*** _cjones_ has joined #openstack-keystone		17:45
dstanek	s/i would return/i could return/ - my typing is just terrible today	17:45
notmyname	dstanek: right. I think I see what you're getting at. the code is structured so that the internal calls to do the auth return the endpoint that includes the swift account. so that's where the changes would be	17:46
dstanek	notmyname: why change it there instead of letting the subsequent call to the swift server do a redirect?	17:50
*** sdake has quit IRC		17:51
dstanek	notmyname: the only thing i don't know is how those PUT URLs are constructed	17:51
notmyname	dstanek: where any particular code changes go isn't really important. if we need to make changes, we'll do it and try to put them in the best place	17:52
*** dims has quit IRC		17:52
*** dims has joined #openstack-keystone		17:53
*** sdake has joined #openstack-keystone		17:57
*** raildo is now known as raildo-afk		17:59
*** dims_ has joined #openstack-keystone		18:00
*** jvarlamova has quit IRC		18:00
*** e0ne has joined #openstack-keystone		18:03
*** doug-fis_ has joined #openstack-keystone		18:03
*** dims has quit IRC		18:04
*** raildo-afk is now known as raildo		18:04
notmyname	so if keystone is no longer returning the account mapping in the catalog and swift is deriving that and sending it back based on the token, doesn't that mean that swift is now maintaining the mapping between keystone identities and swift accounts?	18:04
notmyname	eg if swift wanted to use the ROT13(username), it could. or it could keep a static mapping of that. or it could use the tenant_id	18:05
openstackgerrit	Merged openstack/python-keystoneclient: List creation could be rewritten as a list literal https://review.openstack.org/227691	18:05
*** doug-fi__ has joined #openstack-keystone		18:05
openstackgerrit	Merged openstack/python-keystoneclient: Use dictionary literal for dictionary creation https://review.openstack.org/227690	18:06
notmyname	IOW, swift maintains the mapping, not keystone. and this would apply to every openstack project. they would each maintain their own mapping of keystone identity to the resources they manage	18:06
*** doug-fish has quit IRC		18:06
openstackgerrit	Dolph Mathews proposed openstack/keystone: Enable subprocess_without_shell_equals_true Bandit test https://review.openstack.org/225692	18:07
*** doug-fis_ has quit IRC		18:08
*** doug-fi__ is now known as doug-fish		18:08
*** dims_ has quit IRC		18:08
notmyname	is my understanding of the change of responsibility accurate?	18:10
*** e0ne has quit IRC		18:12
dstanek	notmyname: not sure the overall intent, but isn't that how it is now for nova, glance, etc? they do use tenant_id, but in theory i don't know that they have to other than the policy files	18:13
*** su_zhang has quit IRC		18:14
*** geoffarnold has quit IRC		18:15
notmyname	is it? I don't know	18:15
*** belmoreira has quit IRC		18:15
dstanek	notmyname: i think swift is the only thing that has the tenant_id in the endpoint in devstack	18:16
notmyname	dstanek: again, to be pedantic, swift doesn't care what that string is. the fact it's an equivalent string to a tenant_id in keystone is a coincidence	18:16
notmyname	the fact that there is a string, swift cares very much about	18:17
dstanek	notmyname: but it differs between users; i don't think other services do that by default	18:17
*** e0ne has joined #openstack-keystone		18:18
notmyname	it might be 1:1 to identities. it might not be. I've seen swift clusters that have an endpoint per department or similar. I've also seen deployments with a 1:1 mapping between user identities and swift accounts	18:18
notmyname	for the first case, you might have one swift account for the IT department and one for HR	18:18
notmyname	or, at the risk of giving too much away, one swift account for this game studio, and another for that game studio for a gaming company that has a lot of different games	18:19
*** geoffarnold has joined #openstack-keystone		18:20
dstanek	notmyname: nope, it looks like nova does have tenant_id in it's endpoint in devstack	18:21
notmyname	at a very high level, a user is given an endpoint where they can store stuff (account). that's it. today that endpoint mapping of user identity->account is managed by keystone. AIUI (and I want to make sure I do), this means swift manages it	18:21
dstanek	stevemar_: morgan: bknudson: does that mean nova will have the same issues that we've been talking about for swift?	18:21
notmyname	dstanek: so nova would also have to maintain a mapping	18:21
dstanek	notmyname: not entirely sure :-(	18:21
bknudson	dstanek: nova is going to pull the project id from the token	18:22
bknudson	i.e., from the env as set by auth_token middleware	18:22
bknudson	nova uses auth_token.	18:22
dstanek	bknudson: on the server side with no client changes then?	18:22
bknudson	dstanek: yes.	18:22
notmyname	that's somethign I'm curious about	18:22
notmyname	no client changes because every nova client already understands redirects?	18:22
*** phalmos has quit IRC		18:23
notmyname	or because there's a different implementation that they're doing?	18:23
bknudson	nova doesn't need redirect, it'll work with either tenant in the url or without the tenant	18:24
bknudson	if you use the tenant url it'll use that and if you don't pass the tenant in the url it'll get it from the token	18:25
notmyname	bknudson: where does the client get the tenant url from to pass it to nova?	18:25
*** aix has quit IRC		18:26
dstanek	keystone catalog	18:26
bknudson	you had to specify the project when you got a token	18:26
bknudson	right now when it uses the catalog to build the nova url it'll have the project id in it	18:26
notmyname	ok, so if the keystone catalog changes, the client no longer has the tenant id? or the tenant id is a priori knowledge?	18:26
bknudson	in future, it'll use the catalog to build the nova url but it won't have the project in it	18:27
bknudson	the tenant id is a-priori knowledge	18:27
bknudson	the client doesn't care if there's a project id in the url or not	18:27
*** geoffarnold is now known as geoffarnoldX		18:28
notmyname	bknudson: project id == tenant id?	18:28
bknudson	notmyname: yes	18:28
dstanek	i was going to do a quick hack to see if this would work, but installing swift in my devstack seems to be borked at the moment	18:31
notmyname	this happens every so often when I try to understand something in openstack: I feel like I'm beating my head against a wall, and then some little piece of info is revealed and it clicks	18:31
notmyname	dstanek: if you've got vagrant/virtual box, this is really fast: https://github.com/swiftstack/vagrant-swift-all-in-one	18:32
dstanek	notmyname: does that do openstacky stuff too?	18:32
notmyname	so the piece that just clicked is that there is a priori knowledge of the tenant id	18:32
notmyname	dstanek: swift is openstacky ;-)	18:32
dstanek	notmyname: no i mean keystone instead of tempauth (or other)	18:32
notmyname	:-) I know	18:33
*** phalmos has joined #openstack-keystone		18:33
notmyname	looking. I know there's been some work on that to do it automatically. but it's also possible to set the keystone config parts by hand and it will work	18:33
*** su_zhang has joined #openstack-keystone		18:34
dstanek	hmmm...can't create swift domain because multi domain is off in devstack	18:34
notmyname	help me understand this: if the client is expected to know the tenant_id, where does that come from originally?	18:35
notmyname	is there any way the client can query it?	18:35
lbragstad	dstanek: do you do anything like this with vim? http://vim.wikia.com/wiki/Moving_lines_up_or_down	18:35
dstanek	notmyname: in the case of horizon the user may pick it from their list of projects	18:35
lbragstad	dolphm: ^	18:35
dstanek	notmyname: or i know mine from rax from their control panel	18:36
notmyname	dstanek: is that written down at account provisioning time? or is it discoverable later?	18:36
dstanek	notmyname: openstack-client has a nice yaml format that i setup once and never think about again	18:36
dolphm	lbragstad: which part?	18:36
dstanek	notmyname: at rax i can find the info in my control panel	18:36
bknudson	devstack will update your clouds.yaml	18:36
dstanek	bknudson: automatically?	18:37
lbragstad	dolphm: using mappings to move lines	18:37
notmyname	dstanek: sure, but it could have just been written down at account provisioning time inside of rax. same for horizon	18:37
dstanek	sure	18:37
notmyname	what happens if you lose it?	18:37
dstanek	i would login and get it again	18:37
david-lyle	notmyname: if the user obtains an unscoped token they have access to list projects they have a role on	18:38
dstanek	lbragstad: i've done a few of those	18:38
lbragstad	dstanek: kinda handy	18:38
david-lyle	so username and password is enough to provide the list of projects	18:38
notmyname	david-lyle: and one of those would be the project id (tenant_id) that is used in the api requests?	18:38
dolphm	lbragstad: nope, but that's cool	18:38
bknudson	dstanek: yes, when you run devstack it updates your clouds.yaml	18:39
dstanek	notmyname: used in the token request to get a scoped token (right now that is also jammed into the catalog for some things)	18:39
bknudson	it creates a couple of entries for devstack-admin or something	18:39
dstanek	bknudson: neat. i didn't know that	18:39
david-lyle	notmyname: should be, but you would have to pick one and scope to it	18:40
*** dims has joined #openstack-keystone		18:40
dstanek	bknudson: yep, devstack and devstack-admin	18:40
bknudson	dstanek: I did that a while ago and have meant to make some more updates in that area... actually to have devstack use the clouds.yaml rather than env vars	18:41
bknudson	should be able to do that now that it's all v3.	18:41
* david-lyle not entirely sure of the API workflow in swift, so not sure he's answering the right question		18:41
dolphm	lbragstad: i think it's a single key shorter than the generic method to copy-delete, move the cursor, and paste. does it feel worthwhile to you?	18:41
lbragstad	dolphm: not sure yet, in the process of playing with it	18:42
dstanek	can we stop new reviews in gerrit so i can catch up?	18:44
*** jaosorior has quit IRC		18:47
*** jaosorior has joined #openstack-keystone		18:47
*** timcline_ has quit IRC		18:48
*** timcline has joined #openstack-keystone		18:49
*** GB21 has quit IRC		18:50
*** geoffarnoldX has quit IRC		18:56
*** geoffarnold has joined #openstack-keystone		18:56
dolphm	dstanek: if there is a button for that i will push it	18:57
*** itlinux has joined #openstack-keystone		18:59
*** flwang has joined #openstack-keystone		19:01
*** su_zhang has quit IRC		19:02
dstanek	i'd appreciate that :-)	19:07
*** dims has quit IRC		19:10
dolphm	stevemar_: please stop tagging bugs as "kestone" [sic] it does not provide us any benefit https://bugs.launchpad.net/keystone/+bug/1503712	19:10
openstack	Launchpad bug 1503712 in Keystone "Error while deleting tenant in openstack Juno" [High,Invalid]	19:10
stevemar_	dolphm: i didn't tag that one as keystone, it was already there	19:10
stevemar_	i added the tag juno	19:10
dolphm	stevemar_: "kestone"	19:11
stevemar_	dolphm: huh, what the..	19:11
stevemar_	err, dont know how it got there	19:11
dolphm	stevemar_: you edited the bug in a 3 hour old browser tab after i had deleted "kestone" as a tag long before	19:12
stevemar_	dolphm: it was an old browser tag	19:12
*** diazjf has joined #openstack-keystone		19:12
stevemar_	err tab	19:12
stevemar_	well now weve come full circle	19:13
*** dims has joined #openstack-keystone		19:13
*** diazjf has left #openstack-keystone		19:14
*** fawadk has quit IRC		19:16
stevemar_	ouch	19:16
stevemar_	[trust] driver = keystone.contrib.revoke.backends.sql.Revoke	19:16
*** tonytan4ever has quit IRC		19:17
stevemar_	dolphm: well, thanks for the bug triaging dude	19:17
dolphm	stevemar_: do i win?	19:18
stevemar_	dolphm: you always win in keystone	19:18
dolphm	I WINNERED!	19:18
*** roxanagh_ has quit IRC		19:19
stevemar_	dstanek: s/openstack-client/openstackclient	19:21
lbragstad	bknudson: regarding https://review.openstack.org/#/c/196877/ - do you have any suggestions on how we should go about that?	19:21
*** nicodemos has quit IRC		19:24
*** akanksha_ has joined #openstack-keystone		19:24
*** tonytan4ever has joined #openstack-keystone		19:24
bknudson	lbragstad: I'll have to think about it. maybe a base class for nonpersistent providers would make it clearer?	19:25
bknudson	and a base class for persistent providers	19:25
*** e0ne has quit IRC		19:25
*** amakarov is now known as amakarov_away		19:26
lbragstad	bknudson: that would make sense	19:26
*** pnavarro has joined #openstack-keystone		19:26
*** itlinux has quit IRC		19:27
*** itlinux has joined #openstack-keystone		19:27
*** dims has quit IRC		19:28
*** dims has joined #openstack-keystone		19:28
*** timcline_ has joined #openstack-keystone		19:30
*** timcline has quit IRC		19:30
*** fawadkhaliq has joined #openstack-keystone		19:31
*** su_zhang has joined #openstack-keystone		19:33
*** sdake has quit IRC		19:33
openstackgerrit	Merged openstack/keystone: Add user domain info to federated fernet tokens https://review.openstack.org/213742	19:34
*** sdake has joined #openstack-keystone		19:35
*** jaosorior has quit IRC		19:36
openstackgerrit	Merged openstack/keystone: Add user_domain_id, project_domain_id to auth context https://review.openstack.org/213792	19:36
openstackgerrit	Merged openstack/keystone: Add unit test for creating RequestContext https://review.openstack.org/228269	19:37
*** su_zhang has quit IRC		19:37
*** timcline_ has quit IRC		19:38
*** sdake_ has joined #openstack-keystone		19:38
openstackgerrit	Henrique Truta proposed openstack/keystone: Tests for projects acting as domains https://review.openstack.org/211219	19:38
*** timcline has joined #openstack-keystone		19:38
*** sdake has quit IRC		19:39
*** timcline_ has joined #openstack-keystone		19:40
*** e0ne has joined #openstack-keystone		19:43
*** timcline has quit IRC		19:43
*** pnavarro has quit IRC		19:44
*** dobson` has quit IRC		19:47
*** afazekas has quit IRC		19:47
*** jamiec has quit IRC		19:47
*** dhellmann has quit IRC		19:47
*** dhellmann has joined #openstack-keystone		19:47
*** jamiec has joined #openstack-keystone		19:48
*** dobson has joined #openstack-keystone		19:48
*** markvoelker has quit IRC		19:51
*** afazekas has joined #openstack-keystone		19:55
*** markvoelker has joined #openstack-keystone		19:55
*** andrewbogott has joined #openstack-keystone		20:02
andrewbogott	If I’m using keystone with an ldap backend… would domains be defined in ldap, or in a keystone db?	20:02
*** e0ne has quit IRC		20:05
browne	andrewbogott: keystone db would be used for the domains	20:06
andrewbogott	ok. And there’s no commandline tool for manipulating domains, right? Just curl?	20:06
browne	you can use ldap for assignment (roles, projects, etc), but i don't recommend it	20:06
*** geoffarnold is now known as geoffarnoldX		20:06
browne	with the openstack CLI you can modify domains	20:06
andrewbogott	oh? In kilo?	20:07
browne	yep, kilo has the openstack cli	20:07
andrewbogott	I’ve been staring at ‘openstack —help’ for a while now, don’t see any commands for domain creation. What am I missing?	20:08
browne	only the openstack cli supports keystone v3	20:08
andrewbogott	yep, moving to v3 is my main objective right now. I’ve noticed that I need to define someone as ‘cloudadmin’ which means I need to create an account in the ‘admin’ domain which means I need to /create/ the admin domain which...	20:09
andrewbogott	…how do I do that?	20:09
*** ayoung has quit IRC		20:11
*** csoukup has quit IRC		20:11
browne	andrewbogott: http://docs.openstack.org/developer/python-openstackclient/command-objects/domain.html	20:12
andrewbogott	hm… that documents a tool named ‘os’ which I do not have	20:13
browne	well os = openstack	20:14
andrewbogott	root@labcontrol1001:~# openstack --version	20:14
andrewbogott	openstack 1.0.3	20:14
andrewbogott	root@labcontrol1001:~# openstack domain create	20:14
andrewbogott	ERROR: openstack Unknown command ['domain', 'create']	20:14
browne	make sure the identity api version env var is set to 3	20:15
andrewbogott	hm, yep, that’s it. Thank you	20:16
*** timcline_ has quit IRC		20:17
andrewbogott	ooh, I like that the usage statement changes based on an env variable. Very unobvious :)	20:18
browne	yeah, IMO, openstack cli needs some work. not quite there yet	20:18
*** roxanagh_ has joined #openstack-keystone		20:20
*** roxanagh_ has quit IRC		20:24
*** timcline has joined #openstack-keystone		20:25
*** timcline has quit IRC		20:26
*** timcline has joined #openstack-keystone		20:26
andrewbogott	hm, $ openstack domain list gets me a 404	20:28
*** pnavarro has joined #openstack-keystone		20:28
*** timcline_ has joined #openstack-keystone		20:28
andrewbogott	oh, wait, nm, it’s entirely broken :)	20:28
bknudson	andrewbogott: you should be using a clouds.yaml file instead of setting a bunch of env vars	20:29
browne	bknudson: i don't think clouds.yaml is supported in kilo	20:30
bknudson	upgrade your openstack package to the latest.	20:32
*** timcline has quit IRC		20:32
dolphm	morgan: unable to review myself https://review.openstack.org/#/c/221799/	20:32
*** pnavarro has quit IRC		20:34
*** itlinux has quit IRC		20:36
*** roxanagh_ has joined #openstack-keystone		20:37
dolphm	rofl just saw your review on https://review.openstack.org/#/c/228603/	20:38
*** exploreshaifali has quit IRC		20:39
*** ayoung has joined #openstack-keystone		20:42
*** ChanServ sets mode: +v ayoung		20:42
*** sdake_ has quit IRC		20:43
breton	cloud.yaml?	20:46
breton	I though everyone uses `source openrc`	20:46
browne	clouds.yaml is the newest, bestest way!	20:46
breton	what's bad in the old way?	20:46
*** roxanagh_ has quit IRC		20:46
openstackgerrit	Henrique Truta proposed openstack/keystone: Tests for projects acting as domains https://review.openstack.org/211219	20:47
openstackgerrit	Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	20:47
browne	maybe somewhat easier to understand for new people	20:47
openstackgerrit	Merged openstack/keystone: Documentation for other services https://review.openstack.org/204801	20:47
openstackgerrit	Merged openstack/keystone: Rename fernet methods to match expiration timestamp https://review.openstack.org/232010	20:48
bknudson	clouds.yaml will allow us to support more interesting auth, for example keystone2keystone that a bunch of env vars isn't going to work with.	20:48
stevemar_	i think i crossed bknudson by approving patches he -1'ed	20:49
dolphm	bknudson: E_OXYMORON ^interesting auth	20:49
stevemar_	i am forever blacklisted	20:49
*** pnavarro has joined #openstack-keystone		20:49
bknudson	stevemar_: what goes around comes around.	20:50
bknudson	I'll find something you -1d and +2 it.	20:50
*** topol_ has quit IRC		20:50
stevemar_	bknudson: except you'll probably be right about it!	20:50
*** njohnston is now known as nate_gone		20:51
* bknudson will switch to -2ing everything.		20:51
*** sdake has joined #openstack-keystone		20:51
*** su_zhang has joined #openstack-keystone		20:52
*** ankurgupta has joined #openstack-keystone		20:52
*** roxanagh_ has joined #openstack-keystone		20:53
*** atiwari1 has quit IRC		20:53
ayoung	browne, and andrewbogott sorry, must have been disconnected, I had aanswered your questions, but the messages didn't go through	20:54
ayoung	If you are using the ldap backend, you can't do domains	20:54
ayoung	you should use the sql backend for identity and then do a domain specific backend for the LDAP portion	20:54
ayoung	and, you can use the openstack common client to manipulate domains	20:54
ayoung	you can do the env vars approach like this: http://adam.younglogic.com/2015/08/template-for-a-keystonev3-rc/	20:55
andrewbogott	ayoung: ok, that makes sense… in that case would I be using file-based domain configs or db-based? Or does it not matter?	20:55
* ayoung does env vars, not ymal		20:55
ayoung	yaml	20:55
ayoung	andrewbogott, I do file based. SQL based is newer...have not tested myself yet	20:55
andrewbogott	yeah, I have a ready-made script that sets up my env vars, it’s just a question of knowing which ones :)	20:55
ayoung	it shold work too, though	20:55
ayoung	andrewbogott, ^^	20:55
ayoung	those are the right ones, and unset any other OS_* ones	20:56
ayoung	OS_DOMAIN esp will mess you up, or the OS_ENDPOINT*	20:56
andrewbogott	ayoung: so, given that I already have everything in ldap… I would just create a file for the Default domain and point that to the same ldap config, right?	20:56
ayoung	http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/ a little dated but still applied	20:56
*** thiagop has quit IRC		20:57
ayoung	andrewbogott, and, if you get stuck:	20:57
ayoung	http://adam.younglogic.com/2015/03/troubleshoot-new-keystone/	20:57
*** zhenq has joined #openstack-keystone		20:59
dstanek	bknudson: go for the -2s!	20:59
stevemar_	bknudson: do it up!	21:00
*** timcline_ has quit IRC		21:01
zhenq	qq, why keystone API v3 doc doesn't differentiate admin URI from other API while v2 does: http://developer.openstack.org/api-ref-identity-v3.html	21:01
*** timcline has joined #openstack-keystone		21:02
stevemar_	zhenq: because we now check the roles the user has, so we don't need 2 ports, just the one (5000)	21:02
*** ankurgupta has quit IRC		21:04
ayoung	443	21:04
*** csoukup has joined #openstack-keystone		21:05
ayoung	$ grep " 5000/tcp" /etc/services	21:05
ayoung	commplex-main 5000/tcp #	21:05
openstackgerrit	Henrique Truta proposed openstack/keystone: Prevents creating is_domain=True projects in v2 https://review.openstack.org/224876	21:05
ayoung	I don;t even know wnat commplex-main is	21:05
zhenq	stevemar_: thanks! since which version identity V3 is the default? kilo?	21:06
*** annasort has quit IRC		21:06
ayoung	Here's everything that lays claim to port 5000 http://www.speedguide.net/port.php?port=5000	21:06
ayoung	Keystone doesn't even make the list	21:07
bknudson	you're not a player unless you're on speedguide.net.	21:08
bknudson	that should be our goal	21:08
*** harlowja has quit IRC		21:08
ayoung	OUr goal shoudl be to get off ports 35357 and 5000	21:08
browne	why does the port number matter. you can still run keystone in apache with port 5000	21:10
stevemar_	zhenq: v2 and v3 run side by side since grizzly	21:10
*** Guest62625 is now known as mfisch		21:10
*** john5223 is now known as zz_john5223		21:10
*** mfisch is now known as Guest49167		21:10
*** zz_john5223 is now known as john5223		21:10
ayoung	browne, quick, tell me if 5000 is running tls or not?	21:11
zhenq	stevemar_: thanks	21:11
ayoung	also, it conflicts with all those other services, but the real deal is that Keystone is a web API, and already has a well known port	21:11
ayoung	443 for HTTPS	21:11
ayoung	we should be doing this https://wiki.openstack.org/wiki/URLs	21:12
browne	ayoung: you can use tls with any port number	21:12
ayoung	not if uniersal plug and play is listening on it	21:12
ayoung	or yahoo messenger...hopefull not on your Keystone server	21:12
browne	ayoung: ok, well i don't know anything about that. what if something else is using 443?	21:13
ayoung	Keystone, or openstack identity is not a protocol.	21:13
ayoung	browne, that something else should be apache HTTPD, and they should both be configured to work together	21:13
browne	ayoung: keystone is not a protocol, https is the protocol	21:13
ayoung	browne, exaclt	21:13
ayoung	getent services https	21:14
ayoung	https 443/tcp	21:14
browne	but its not uncommon to redefine https port of a service to something other than 443	21:14
browne	mostly to avoid conflicts with other products	21:14
ayoung	makes firewall admins really happy when you do, too	21:14
ayoung	browne, so, yeah, that was why originally. We used a separate process for Nova, Keystone, And GLance	21:14
browne	i should hope firewall admins are used to that	21:14
ayoung	pre-quantum those days	21:14
ayoung	Heh...nope. Its why we did this...	21:15
ayoung	http://adam.younglogic.com/2012/05/path-to-kerberos-443/	21:15
openstackgerrit	Lance Bragstad proposed openstack/keystone: Enable try_except_pass Bandit test https://review.openstack.org/225738	21:15
ayoung	MS-KKDCP support	21:15
ayoung	cuz I am too long winded	21:15
browne	i like the idea of going to apache. don't disagree. but i haven't done it because it gets harder to maintain the service. starting/stopping/configuring. just was more hassle for the time being	21:17
ayoung	browne, devstack does httpd already, but on port 5000	21:18
ayoung	We have support in the puppet modules, too	21:18
browne	yeah, i don't use devstack	21:18
browne	or puppet	21:19
browne	use ansible, but not openstack-ansible	21:19
*** john5223 is now known as zz_john5223		21:22
andrewbogott	ayoung: you have better things to do than review my puppet code, but is this the right idea? https://gerrit.wikimedia.org/r/#/c/244350/2	21:22
ayoung	andrewbogott, actually, reviewing puppet code is probably somethig I should do more of	21:23
ayoung	looking...	21:23
*** fawadkhaliq has quit IRC		21:23
ayoung	my puppet-fu is weak, though	21:23
ayoung	andrewbogott, all the tenant stuff needs to go. That is assignment, and we don't support that anymore. Just identity	21:24
ayoung	user and group values only	21:24
*** zz_john5223 is now known as john5223		21:24
ayoung	look at the block I have http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/	21:24
andrewbogott	ayoung: I know that tenants in ldap are deprecated, but fixing that is for another day	21:25
ayoung	you might need a value or two more for users or groups depending	21:25
andrewbogott	(and will be ugly)	21:25
ayoung	you can;'t do assignemt via a domain specific backend, though	21:25
andrewbogott	ayoung: do you think I have to do that migration before I can do this one?	21:25
ayoung	only identity, so those values will be ignored	21:25
ayoung	migration?	21:25
andrewbogott	‘migration’ of all my tenant data from ldap into mysql	21:25
ayoung	https://gerrit.wikimedia.org/r/#/c/244350/2/modules/openstack/templates/kilo/keystone/domains/keystone.Default.conf.erb looks like a new file	21:26
ayoung	ohh	21:26
ayoung	you inheriteds Ryan's mess, didn't you?	21:26
andrewbogott	:)	21:26
andrewbogott	It’s my mess now	21:27
ayoung	andrewbogott, so, yeah, migrate, or no domains for you	21:27
ayoung	migration should not be too bad. The structure is relatively parallel	21:28
bknudson	here's my proposed change to get keystone accepting on paths: https://review.openstack.org/#/c/195766/	21:28
bknudson	it's not getting much traction	21:28
*** lhcheng has quit IRC		21:28
ayoung	andrewbogott, so...you probably want to do the assignemt piece first, then switch to ldap in a domain specific backend	21:29
andrewbogott	ayoung: I don’t think I’ve ever read the phrase ‘No one is using this’ in an Openstack email without thinking, ‘I am'	21:29
*** Guest49167 is now known as mfisch		21:29
*** mfisch has quit IRC		21:29
*** mfisch has joined #openstack-keystone		21:29
ayoung	bknudson, I'd +3 it if I could	21:29
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Fix direct paths inside filter_factory https://review.openstack.org/231722	21:30
andrewbogott	ayoung: I believe you don’t don’t totally follow why domains depend on my moving tenants out of ldap. Clearly the code is there to read them since it’s working now...	21:30
andrewbogott	Is the domains code not being traversed at all right now?	21:30
ayoung	andrewbogott, Nope	21:31
andrewbogott	Ah	21:31
ayoung	andrewbogott, we tapdance around domains in LDAP...long boring story	21:31
andrewbogott	The interface implies that the difference is between multi-domain and single-domain, not between multi-domain and something-unrelated-to-domains	21:31
andrewbogott	but, ok	21:31
*** doug-fish has quit IRC		21:32
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n689	21:32
ayoung	if (not driver.is_domain_aware() ....	21:32
*** jamielennox\|away is now known as jamielennox		21:32
*** doug-fish has joined #openstack-keystone		21:32
ayoung	andrewbogott, so your big problem, is to get assignment over to SQL first. THe identity stuff won't be hard after that	21:33
ayoung	you want to do a migration...and then flip a switch	21:33
*** lhcheng has joined #openstack-keystone		21:33
*** ChanServ sets mode: +v lhcheng		21:33
openstackgerrit	Merged openstack/keystoneauth: Make __all__ immutable https://review.openstack.org/230034	21:36
*** doug-fish has quit IRC		21:36
andrewbogott	ayoung: so… here’s how I got here. I switched to the v3 api and discovered that lots of my normal workflows are broken	21:37
andrewbogott	because v3 only permits me to do things like ‘list projects’ if I’m cloudadmin	21:37
andrewbogott	and to be cloudadmin I have to be in the admin domain	21:37
andrewbogott	So...	21:37
andrewbogott	this means that I have to revert to v2, yes?	21:37
andrewbogott	Since v3 implies this whole dependency cascade?	21:37
stevemar_	bknudson: whats ExecCGI?	21:38
*** doug-fish has joined #openstack-keystone		21:38
bknudson	stevemar_: that tells apache that you can exec the files in the directory.	21:38
bknudson	https://www.google.com/search?q=apache+execcgi&ie=utf-8&oe=utf-8	21:38
ayoung	andrewbogott, v2 is going to be deprecated, aand ldap assignment is already.	21:38
ayoung	How many projects we talking about here? andrewbogott	21:39
andrewbogott	176 projects	21:39
andrewbogott	I take it that was a ‘yes'	21:39
*** diazjf has joined #openstack-keystone		21:40
ayoung	andrewbogott, yeah, you need to move forward or we won't be able to supporty ou	21:40
*** sdake_ has joined #openstack-keystone		21:40
stevemar_	bknudson: you should have done: http://lmgtfy.com/?q=apache+execcgi	21:40
*** sdake has quit IRC		21:41
ayoung	projects should be pretty easy, then. I would try this:	21:41
openstackgerrit	Merged openstack/python-keystoneclient: Make __all__ immutable https://review.openstack.org/230020	21:41
bknudson	stevemar_: he he. too much work.	21:41
andrewbogott	ayoung: "this means that I have to revert to v2, yes?” There’s no other way to enable	21:41
andrewbogott	$ openstack project list	21:41
ayoung	andrewbogott, I have no real idea what would or would not work trying to do v3 ...you are on what realse?	21:42
ayoung	release	21:42
*** doug-fish has quit IRC		21:42
andrewbogott	kilo	21:42
morgan	stevemar_: will plan on circling up on the LDAP removal thing soon.	21:42
morgan	stevemar_: FYI	21:42
ayoung	andrewbogott, https://openstack.nimeyo.com/29408/openstack-keystone-deprecation-assignment-project-assignment	21:43
bknudson	tjcocozz: here's the auth_token middleware I was talking about -- http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n627	21:43
ayoung	andrewbogott, so you get a one-cycle reprieve	21:43
bknudson	if you wanted to add the paste entrypoints for it.	21:44
andrewbogott	ayoung: yes, I’ve read that, which is why I thought I didn’t have to migrate	21:44
andrewbogott	immediately	21:44
ayoung	" Most deployers using LDAP Assignment already have plans on how to Migrate. The Keystone team will be happy to provide advice (come chat with us in #openstack-keystone on Freenode) but we do not expect to provide a canned script to make the migration happen."	21:45
ayoung	andrewbogott, so, I think for V3 we had a hack in place that assumed the domain to be "Default" but I'd have to look htroug hte code to be sure	21:45
ayoung	we did this a while ago	21:46
morgan	ayoung: i think we still assume "default"	21:46
morgan	in most cases	21:46
andrewbogott	ayoung: yes, that’s what I’m seeing	21:46
ayoung	andrewbogott, so V3 should work	21:46
andrewbogott	but the security engine assumes that there’s also an admin domain	21:46
andrewbogott	I can probably rewrite policy.json to assume otherwise	21:47
ayoung	andrewbogott, this is an issue just in keystone?	21:49
andrewbogott	so far. I haven’t done a complete audit of what works and what doesn't	21:49
*** ngupta_ has quit IRC		21:50
openstackgerrit	Eric Brown proposed openstack/keystone: Handle 16-char non-uuid user IDs in payload https://review.openstack.org/226121	21:50
*** harlowja has joined #openstack-keystone		21:53
openstackgerrit	Henrique Truta proposed openstack/keystone: Create tests for set_default_is_domain in LDAP https://review.openstack.org/229536	21:54
andrewbogott	ayoung: in our cloud we have another class of user that OpenStack doesn’t really account for. Project members who get automatic ssh access (and other forms of access) to instances in a project but do not have the ability to manipulate instances directly.	21:55
*** john5223 is now known as zz_john5223		21:55
andrewbogott	This membership is handled in ldap.	21:55
ayoung	andrewbogott, is it a role assignment?	21:55
ayoung	andrewbogott, I think I get it.	21:55
ayoung	do you put anewl;y created hosts into host groups and do LDAP Host based access control?	21:56
andrewbogott	So removing tenants from ldap will break access for 90% of my users. Migrating tenants out of ldap is not going to be trivial	21:56
andrewbogott	as any logic that currently checks for project membership in ldap will have to do so via a keystone change instead.	21:56
stevemar_	morgan: thanks for the heads up	21:56
*** geoffarnoldX is now known as geoffarnold		21:57
andrewbogott	since of course pam doesn’t come with built-in keystone integration...	21:57
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix fernet key writing for python 3 https://review.openstack.org/231710	21:57
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix fernet padding for python 3 https://review.openstack.org/231711	21:57
andrewbogott	well	21:57
andrewbogott	Obviously the train has sailed, regarding tenants in ldap. But it’s not like this is a 3-hour trivial switchover	21:57
*** timcline_ has joined #openstack-keystone		21:59
*** timcline_ has quit IRC		22:00
*** phalmos has quit IRC		22:00
*** timcline has quit IRC		22:03
*** edmondsw has quit IRC		22:03
morgan	stevemar_: it shouldn't be hard to finish up. just annoying to play "find the test" whack-a-mole	22:05
ayoung	andrewbogott, you will be really interested in what we are doing with FreeIPA and automatic LDAP Host group registration for new instances. We will Demo in Tokyo. What LDAP backend are you using (OpnLDAP IIRC)?	22:06
andrewbogott	opendj but we hope to move to openldap sometime this year	22:06
*** csoukup has quit IRC		22:07
*** su_zhang_ has joined #openstack-keystone		22:07
stevemar_	morgan: we broke shade \o/	22:08
stevemar_	well devstack broke them	22:08
stevemar_	but that's cause we are trying to push our v3 only agenda	22:08
morgan	stevemar_: that isn't the worst thing in the world	22:08
stevemar_	v3 default	22:08
stevemar_	nope	22:08
jamielennox	stevemar_: what happened?	22:08
morgan	we may know someone involved in shade that can help us out ( SpamapS, mordred, etc ) ;)	22:08
jamielennox	yay v3 agenda	22:09
mordred	aroo?	22:09
mordred	ah. yes	22:09
mordred	so	22:10
mordred	it turns out that we were in the middle of landing keystone support to shade	22:10
stevemar_	jamielennox: refer to mordred's reply	22:10
mordred	and this has shown us some places where the v3 api is different	22:10
stevemar_	oh timely!	22:10
mordred	such as services.create now takes type instead of service_type	22:10
*** sdake_ has quit IRC		22:10
stevemar_	because repeating things is silly	22:10
mordred	sure	22:10
*** hrou has quit IRC		22:11
mordred	except now I get to add an "if v3: type: else: service_type" block in my code and glower at you	22:11
* mordred glowers at stevemar_		22:11
morgan	stevemar_: because repeating things is silly	22:11
*** su_zhang has quit IRC		22:11
mordred	I'd like to suggest for when you do v4	22:11
morgan	mordred: REALMS!	22:11
mordred	that you make the python code for v4 accept both names and silently translate it to the new name for the user	22:11
morgan	mordred: actually I hope we can split up auth from CRUD so a move to v4 isn't breaking everything/everyone's auth :( too.	22:12
mordred	well	22:12
morgan	if a v4 is a thing	22:12
mordred	what I meant was	22:12
stevemar_	v4 will happen when star wars episode 18 comes out	22:12
mordred	next time you make a thing with a new version of a python library	22:12
morgan	stevemar_: jokes on you, that's next year	22:12
morgan	stevemar_: :P	22:12
mordred	please help users with backwards compat on kwargs	22:12
ayoung	andrewbogott, are you going to Tokyo?	22:13
morgan	mordred: I think everything should be kwargs and nothing should be taken as positional. and stuff.	22:13
andrewbogott	no, I have a conflict	22:13
mordred	morgan: right	22:13
mordred	morgan: but key name	22:13
morgan	mordred: and more stuff. but yah, makes sense to support the kwargs names	22:14
mordred	morgan: if you change the key name you accept, and stop accepting the old keyname, it just makes it hard on the programmer	22:14
morgan	mordred: or at the very least... make the v3 mode (for example) translate to the v4 mode (for example)	22:14
mordred	who just wants to love you	22:14
mordred	yes	22:14
mordred	that's a great example	22:14
mordred	OR	22:14
andrewbogott	ayoung: anyway, I will roll back to v2 for now	22:14
*** sdake has joined #openstack-keystone		22:14
mordred	andrewbogott: oh - you don' tneed to rollback for shade	22:14
morgan	so when v4 is a thing v3 -> v4 (internal to lib) -> server	22:14
ayoung	andrewbogott, yeah starting with that...then we can help you come up with a sane plan	22:15
morgan	or... v4.compat	22:15
morgan	or something	22:15
ayoung	no more versions...	22:15
andrewbogott	If you have a fix for my use case, it would be awesome if it could be implemented before the code I’m using /now/ is ripped out :)	22:15
morgan	ayoung: there will always need to be new versions	22:15
morgan	ayoung: it just depends on how you slice it up	22:15
morgan	microversions, major versions, etc	22:15
andrewbogott	I mean, more than it is already	22:15
ayoung	morgan, I should say "no more monolithic versions"	22:15
ayoung	for across all of Keystone	22:15
mordred	oh - andrewbogott's rollback is different than my issue	22:15
jamielennox	no to microversions	22:16
ayoung	jamielennox, no to microversions as well	22:16
morgan	ayoung: in an ideal world, (imo) subsystem = own version.	22:16
*** mylu has joined #openstack-keystone		22:16
ayoung	morgan, that is what I would prefer	22:16
morgan	ayoung: you still need CRUD interface support that does like V4, V5, etc	22:17
ayoung	let identity, assignment, policy, catalog, and auth vary independently	22:17
bknudson	we can split up keystone into microservices	22:17
morgan	bknudson: we mostly have.	22:17
morgan	bknudson: just not in separate process space. but with wsgi... almost doable	22:17
*** gordc has quit IRC		22:18
ayoung	autopep257	22:18
ayoung	No package autopep257 available.	22:19
ayoung	Error: Unable to find a match.	22:19
ayoung	damn	22:19
*** david_cu has quit IRC		22:19
*** henrynash has joined #openstack-keystone		22:20
*** ChanServ sets mode: +v henrynash		22:20
*** pnavarro has quit IRC		22:20
*** tonytan4ever has quit IRC		22:21
*** mylu has quit IRC		22:25
*** mylu has joined #openstack-keystone		22:26
*** aix has joined #openstack-keystone		22:26
*** mylu has quit IRC		22:28
*** mylu has joined #openstack-keystone		22:29
*** dims has quit IRC		22:29
*** markvoelker has quit IRC		22:31
*** roxanagh_ has quit IRC		22:32
*** roxanagh_ has joined #openstack-keystone		22:33
*** markvoelker has joined #openstack-keystone		22:33
*** mylu has quit IRC		22:33
*** stevemar_ has quit IRC		22:36
*** stevemar_ has joined #openstack-keystone		22:37
*** ChanServ sets mode: +o stevemar_		22:37
*** annasort has joined #openstack-keystone		22:39
*** jbell8 has quit IRC		22:40
*** stevemar_ has quit IRC		22:41
*** su_zhang has joined #openstack-keystone		22:49
*** su_zhang_ has quit IRC		22:52
*** david-lyle has quit IRC		22:54
*** zhenq has quit IRC		22:54
*** mylu has joined #openstack-keystone		22:55
*** david-lyle has joined #openstack-keystone		22:55
*** mylu has quit IRC		22:56
*** mylu has joined #openstack-keystone		22:56
*** stevemar_ has joined #openstack-keystone		22:59
*** ChanServ sets mode: +o stevemar_		22:59
*** mylu has quit IRC		23:01
*** mylu has joined #openstack-keystone		23:03
*** markvoelker has quit IRC		23:04
*** alejandrito has quit IRC		23:04
*** mylu has quit IRC		23:06
*** markvoelker has joined #openstack-keystone		23:08
*** harlowja has quit IRC		23:10
*** david-lyle has quit IRC		23:10
*** harlowja has joined #openstack-keystone		23:10
*** david-lyle has joined #openstack-keystone		23:10
*** mylu has joined #openstack-keystone		23:14
*** david-lyle has quit IRC		23:14
*** gildub has joined #openstack-keystone		23:16
*** david-lyle has joined #openstack-keystone		23:17
*** david-ly_ has joined #openstack-keystone		23:19
*** sigmavirus24 is now known as sigmavirus24_awa		23:19
*** david-lyle has quit IRC		23:21
*** dims has joined #openstack-keystone		23:22
*** hrou has joined #openstack-keystone		23:23
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove auth headers in AuthProtocol https://review.openstack.org/229751	23:28
*** david-ly_ is now known as david-lyle		23:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Use request helpers for token_info/token_auth https://review.openstack.org/229161	23:32
marekd	jamielennox: just curious why 'no to microversions' ?	23:37
openstackgerrit	Henrique Truta proposed openstack/keystone: Create tests for set_default_is_domain in LDAP https://review.openstack.org/229536	23:37
*** mylu has quit IRC		23:37
jamielennox	marekd: i really dislike them, i realize that major versions are a pain, but microversions just offloads all the problems of dealing with versions onto the clients	23:37
*** _hrou_ has joined #openstack-keystone		23:38
jamielennox	you need to do all sorts of negotiation, and different providers are going to get really diverse in which microversions they provide	23:38
marekd	ok	23:38
jamielennox	i think it's cleaner to do a new major version if you really need to break	23:38
stevemar_	jamielennox: marekd as far as micros go, i like microservices more than microversions	23:39
stevemar_	microphones are good	23:39
jamielennox	i thought you were joking with that - how much more micro do you want to go	23:40
*** dims has quit IRC		23:40
jamielennox	can i get some movement on reviews like: https://review.openstack.org/#/c/212341/ - i realize it's not that interesting but there's stuff there it's blocking	23:41
*** hrou has quit IRC		23:41
*** geoffarnold is now known as geoffarnoldX		23:42
*** markvoelker has quit IRC		23:42
openstackgerrit	Merged openstack/keystone: Deprecate httpd/keystone.py https://review.openstack.org/221975	23:43
*** markvoelker has joined #openstack-keystone		23:43
*** richm has quit IRC		23:44
openstackgerrit	Merged openstack/keystone: Additional documentation for services https://review.openstack.org/211184	23:46
stevemar_	i shall do it later tonight sir	23:47
stevemar_	jamielennox:	23:47
*** stevemar_ has quit IRC		23:47
*** lhcheng has quit IRC		23:51
*** markvoelker has quit IRC		23:53
*** dims has joined #openstack-keystone		23:54
*** slberger has left #openstack-keystone		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!