Thursday, 2016-01-14

openstackgerritHenrique Truta proposed openstack/keystone: Make project.domain_id column nullable  https://review.openstack.org/26453300:03
*** aginwala has joined #openstack-keystone00:03
*** jasonsb has joined #openstack-keystone00:07
*** shoutm_ has joined #openstack-keystone00:17
*** shoutm has quit IRC00:19
*** Guest57135 has quit IRC00:30
openstackgerritayoung proposed openstack/keystone: Implied roles driver and manager  https://review.openstack.org/26426000:32
henrynashayoung: when you have a moment you might be interested in: https://review.openstack.org/#/c/266617/00:32
*** topol_ has joined #openstack-keystone00:33
*** topol_ is now known as Guest9343400:33
ayounghenrynash, +200:33
henrynashayoung: thx, admin_project worked a treat!00:34
ayounghenrynash, we're getting closer to where we should be...00:34
henrynashayoung: yep00:34
openstackgerritMerged openstack/python-keystoneclient: Revert "Change default endpoint for Keystone v3 to public"  https://review.openstack.org/26718000:34
notmorganjamielennox: sorry about merge conflicts on positional00:36
jamielennoxnotmorgan: yea, i thought you were done, haven't looked at what you pushed yet00:36
notmorgani just did sphinx stuff00:37
notmorganso RTD will work00:37
notmorganand merged your things except the README fix00:37
notmorganso everything except your README fix is in00:37
notmorganok and i still didn't get RTD to work.00:38
notmorganugh00:38
notmorganjamielennox: so it builds... just... http://positional.readthedocs.org/en/latest/ not that interesting00:43
notmorgansomething is missing.00:43
notmorgani probably am doing something wrong00:43
jamielennoxnotmorgan: i don't know if i'd bother with RTD, there's not that much to explain00:44
*** pai15 has joined #openstack-keystone00:44
*** dims has quit IRC00:45
*** henrynash has quit IRC00:47
notmorganjamielennox: we could also just import the README00:47
notmorganor i can just can RTD00:48
notmorganif you think it's not worth it00:48
jamielennoxnotmorgan: yea, import readme is good, did you do the same as me and just import it?00:48
notmorgani think it's always nice to have RTD for indexing purposes at least00:48
jamielennoxfrom the doc string?00:48
notmorganyeah with proper RST conversions00:48
notmorganit has a typo or two still in it00:48
*** ryanpetrello has quit IRC00:49
notmorganso i should revert the sphinx change?00:50
*** ryanpetrello has joined #openstack-keystone00:50
jamielennoxnotmorgan: you got this far, even if it's the same as the README it's worth finishing00:51
notmorganoh ok.00:51
*** lhcheng has quit IRC00:51
notmorganhmm.. why is this not doing the right thing?00:52
*** ryanpetrello has quit IRC00:55
*** edmondsw has quit IRC00:55
openstackgerritMerged openstack/python-keystoneclient: Revert "Support `truncated` flag returned by keystone"  https://review.openstack.org/26718700:56
*** ryanpetrello has joined #openstack-keystone00:57
*** ryanpetrello has quit IRC01:02
notmorganjamielennox: oooh huh. i think it's not creating api/* properly01:02
openstackgerritSaulo Aislan Silva Eleuterio proposed openstack/keystone: Doc FIX  https://review.openstack.org/26725301:02
*** pai15 has quit IRC01:03
*** tonytan4ever has quit IRC01:04
*** ankita_wagh has quit IRC01:05
*** ryanpetrello has joined #openstack-keystone01:06
notmorganjamielennox: http://positional.readthedocs.org/en/latest/index.html there we go01:07
notmorganjamielennox: so i think we just need to address the typo(s) in README and fix the warn thing01:07
jamielennoxnotmorgan: ok, i'll do the warn thing now01:07
notmorganand i'll close your README fix. do you want to make the README point at RTD instead? or just keep them both?01:08
notmorganor we can make sphinx include the readme *shrug*01:08
*** tonytan4ever has joined #openstack-keystone01:10
*** ryanpetrello has quit IRC01:11
*** aginwala has quit IRC01:12
*** jbell8 has joined #openstack-keystone01:12
*** ryanpetrello has joined #openstack-keystone01:13
*** browne has quit IRC01:13
*** EinstCrazy has joined #openstack-keystone01:14
*** wasmum has joined #openstack-keystone01:16
*** davechen has joined #openstack-keystone01:18
*** jasondotstar has quit IRC01:24
*** dims has joined #openstack-keystone01:24
notmorganjamielennox: ok readme is where the usage is now, your docstring fix is also merged01:26
notmorganREADME is sourced in for RTD01:26
notmorganjamielennox: just waiting on your PR for the warn bit01:26
*** oomichi_away has quit IRC01:28
jamielennoxnotmorgan: done, add a description to the repo (in github as well)01:28
notmorganah ok01:29
*** jasondotstar has joined #openstack-keystone01:29
*** Guest93434 has quit IRC01:30
notmorganjamielennox: mind resolving the conflicts?01:30
jamielennoxconflicts?01:30
notmorganyeah01:30
notmorganhttps://github.com/morganfainberg/positional/pull/1301:30
notmorgan"this branch has conflicts that must be resolved"01:30
*** aginwala has joined #openstack-keystone01:30
flwang1hi guys, is this a known issue?  oslo_config.cfg.NoSuchOptError: no such option in group keystone_authtoken: auth_admin_prefix01:30
notmorganjamielennox: i can do it locally, but it's easier if it's done in the PR01:31
notmorganif you don't mind01:31
*** _zouyee has joined #openstack-keystone01:31
jamielennoxnotmorgan: yea, i just didn't notice them, i only branched it a few minutes ago01:31
notmorganyeah that was part of the original merge resolution01:31
notmorgansorry01:31
*** __zouyee has joined #openstack-keystone01:31
notmorganfor your readme thing01:31
notmorgani fixed extra things in there i shouldn't have :P01:31
notmorganalso you should be a collaborator, so you should be able to merge PRs etc01:32
notmorgani have it set up so you must pass travis before merges can happen01:32
*** topol_ has joined #openstack-keystone01:32
*** topol_ is now known as Guest9992401:33
notmorganand merged01:33
ayounggyee, I think you will like the refactoring I did on https://review.openstack.org/#/c/264260/  It was triggered by your feedback01:33
notmorganare you generally happy with this? i can tag/push to pypi now01:33
jamielennoxnotmorgan: one more01:34
notmorganok01:35
notmorganoh sure01:35
jamielennoxnotmorgan: just cleaned it up01:36
notmorgancool01:36
jamielennoxi don't like how PRs keep merging things rather than rebasing01:36
notmorganonce travis is done will merge, tag 1.0 and call it a day01:36
notmorganwe can always move it into gerrit if we prefer01:36
notmorgan(i don't like PRs)01:36
*** woodster_ has quit IRC01:36
notmorganbut this is a stupid small project01:36
jamielennoxi guess there is no reason to tag a < 101:37
notmorganyah01:37
notmorgangoing to tag 1.0.001:37
notmorganactually 1.0.0-post19.breakpbr01:37
notmorganjamielennox: :P01:37
* notmorgan rolls eyes01:38
jamielennoxyea, currently dealing with the X.X.X+YpostZ format :(01:38
flwang1ayoung: ping,   is this a known issue?  oslo_config.cfg.NoSuchOptError: no such option in group keystone_authtoken: auth_admin_prefix01:38
notmorganoh fantastic. i can't find my secret gpg key.01:39
jamielennoxnotmorgan: haha01:39
jamielennoxflwang1: it's kind of an issue that may have been created by the last release01:39
jamielennoxflwang1: where's it coming from ?01:40
flwang1from zaqar's unit test log01:40
flwang1jamielennox: http://logs.openstack.org/31/266831/3/check/gate-zaqar-python34/ed3cd90/testr_results.html.gz01:40
jamielennoxflwang1: hmm, i'm guessing it's coming from the way zaqar registers its options in testing01:41
flwang1jamielennox: maybe, it's a nice point, i will take a look01:42
jamielennoxflwang1: we would have just released a keystonemiddleware version with https://review.openstack.org/#/c/253972/ in it01:43
jamielennoxflwang1: from memory zaqar does funny things with its CONF object that might mean it was relying on that01:43
*** davechen1 has joined #openstack-keystone01:44
flwang1jamielennox: pls define 'funny' :D01:44
*** _cjones_ has quit IRC01:44
*** aginwala has quit IRC01:44
jamielennoxflwang1: it doesn't define the object globally like the other services01:44
jamielennoxflwang1: so to load auth_token middleware it has to do workarounds01:44
jamielennoxCONF object globally01:45
flwang1jamielennox: yep, flaper87 did that, IIRC01:45
*** davechen has quit IRC01:45
flwang1jamielennox: would you mind reminding me what's the drawback?01:45
jamielennoxso it's not ideal to have global objects - no debate01:46
jamielennoxbut auth_token middleware assumes there is a global CONF object that it can register all the options so the service doesn't have to01:46
flwang1jamielennox: if it's not ideal, why the auth_token middleware still depends on that?01:47
*** aginwala has joined #openstack-keystone01:47
jamielennoxthe list_opts function is in keystonemiddleware so that oslo.config can generate sample config files with all the options in it01:48
*** doug-fish has quit IRC01:48
jamielennoxif zaqar is relying on list_opts then when we remove deprecated options (so they don't show up in sample config) zaqar won't be registering them against their own CONF object01:48
flwang1hmm... sounds like just because oslo.config needs it to auto generate conf sample, so we have to keep it, right?01:49
flwang1sorry if it's a stupid question01:49
jamielennoxflwang1: i hate to say it but ideal has been replaced with what currently works for everyone01:49
flwang1jamielennox: yep, that's what i want to say, seems it just because all the other services are using a 'not-ideal' way, so we have to follow that01:50
flwang1it's not ideal :D01:50
jamielennoxthe problem would seem to be that the same function is being used for different purposes, we expected it to be for sample config and zaqar uses it as a full option list01:51
notmorganjamielennox: ok positional is up and on pypu01:51
notmorganpypi*01:51
notmorganwe can ask to add it to g-r now01:51
jamielennoxwe probably need to convert it to two distinct functions01:51
flwang1jamielennox: it would be nice01:53
flwang1jamielennox: so that zaqar won't run into this issue again and again01:53
jamielennoxflwang1: yea, i think we might have to revert that patch :(01:56
flwang1jamielennox: revert https://review.openstack.org/#/c/253972/ ?01:56
*** pai15 has joined #openstack-keystone01:57
*** EinstCrazy has quit IRC01:57
flwang1i'm trying to figure out if there is anyway to fix it on zaqar side01:57
jamielennoxflwang1: yep, and come up with a way to split the functions01:57
jamielennoxi'm also interested if anyone else is hitting the problem01:57
jamielennoxnotmorgan: should probably try and use it in ksc and ksa before you do that - probably should have done that before 1.001:58
notmorganjamielennox: i'll mark it WIP in gerrit for g-r01:59
notmorganjust posted it01:59
jamielennoxnotmorgan: it should be fine, just make sure it actually does everything01:59
notmorganhttps://review.openstack.org/#/c/267270/101:59
*** EinstCrazy has joined #openstack-keystone01:59
dims+notmorgan, +jamielennox : please kick the tires - https://pypi.python.org/pypi/python-keystoneclient/2.1.101:59
jamielennoxflwang1: do you have a bug filed?01:59
notmorganjamielennox: so once we test we can use it02:00
mordredjamielennox, notmorgan: I hear that you have released a new keystoneclient02:03
notmorganmordred: yes02:03
notmorganthere is a new keystoneclient02:03
mordrednotmorgan: http://logs.openstack.org/32/266532/5/check/gate-shade-dsvm-functional-neutron/6bfb00a/console.html02:03
notmorganwhat did we break?02:03
mordrednotmorgan: it seems to have broken our functional tests02:03
notmorganwhoa02:04
mordrednotmorgan: which might indicate that there was an interface that changed somewhere02:04
notmorganyeah02:04
notmorganthat is no good02:04
mordredall of the fails are: http://logs.openstack.org/32/266532/5/check/gate-shade-dsvm-functional-neutron/6bfb00a/console.html#_2016-01-14_01_35_27_34402:04
mordredAttributeError: 'str' object has no attribute 'get'02:04
jamielennoxwow, we've been really unsuccessful with this round of release02:04
jamielennoxs02:04
notmorgangarp, wtf.02:05
stevemarmordred: notmorgan just released a new ksc (2.1.1)02:05
mordredhttp://git.openstack.org/cgit/openstack-infra/shade/tree/shade/_utils.py#n37502:05
notmorganwow really screwed up more than one bit of interface02:05
mordredthe first thing that fails is us trying to pull things out of a domain - but we seem to have gotten a string instead of a dict-like-object02:05
stevemarmordred: we released 2.1.0 yesterday, and 2.1.1 like 10 minutes ago02:05
mordredstevemar: it's possible this broke with 2.1.0 and we just noticed it02:06
mordredI don't know that we've pushed many patches to shade in the last couple of days02:06
mordredalso - I have not investigated really at all yet - just thought I'd mention here since you might have other users who are affected if we are02:06
notmorganlikely02:07
notmorganmordred: fun. not sure what broke ya yet02:09
mordrednotmorgan: cool. no rush on our side02:09
mordrednotmorgan: I'm going to watch some teevee- and Shrews is going to look in to things in the morning02:09
notmorganstevemar: when was our aste release?02:10
notmorganlast*02:10
notmorganbefore 2.1?02:11
*** EinstCra_ has joined #openstack-keystone02:13
notmorganjamielennox: https://github.com/openstack/python-keystoneclient/commit/c28d40814962b3a8ccb81e5e7d7f832c8f0a3c9a is one of the potential culprits02:13
jamielennoxnotmorgan: i think that already got reverted02:14
notmorganah it did02:14
notmorganthere is no way this has been lingering since before 2.0... is there?02:15
notmorganmordred: ^?02:15
*** jasonsb has quit IRC02:15
notmorganooh uh02:15
notmorganmaybe not02:15
notmorganah that landed in 2.102:16
notmorganwem 2.202:16
notmorganor whatever the most recent one was02:16
*** browne has joined #openstack-keystone02:16
*** EinstCrazy has quit IRC02:16
notmorganthis failed with ksc 2.0.p002:17
notmorganfwiw02:17
notmorganmordred, ^ this might be a non-issue with something newer than 2.0.002:17
*** boris-42 has joined #openstack-keystone02:18
*** tonytan4ever has quit IRC02:20
flwang1jamielennox: file bug for keystone middleware or zaqar ? :D02:21
jamielennoxflwang1: probably file it against both02:21
flwang1now i'm trying to fix it on zaqar side, since it's breaking our gate02:21
flwang1jamielennox: ok, will do02:21
*** aginwala has quit IRC02:22
*** aginwala has joined #openstack-keystone02:27
*** dims has quit IRC02:29
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060002:31
jamielennoxflwang1: have a bug number? i think i've got a fix02:31
openstackgerritHenrique Truta proposed openstack/keystone: Make project.domain_id column nullable  https://review.openstack.org/26453302:32
flwang1jamielennox: feel free to update the description https://bugs.launchpad.net/keystonemiddleware/+bug/153393202:36
openstackLaunchpad bug 1533932 in keystonemiddleware "Remove the deprecated opts from sample config breaking zaqar" [Undecided,New]02:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Split oslo_config and list all opts  https://review.openstack.org/26727702:39
flwang1jamielennox: what a quick hand02:39
jamielennoxstevemar, flwang1, notmorgan: i think this fixes the auth_token regression02:39
flwang1jamielennox: awesome02:40
flwang1jamielennox: i will let a zaqar patch depend on that to see if it works02:40
jamielennoxflwang1: i'm running the tests against zaqar, but i'd appreciate if you can confirm that fixes it02:40
*** josecastroleon has quit IRC02:41
*** josecastroleon has joined #openstack-keystone02:42
*** jbell8 has quit IRC02:43
*** jbell8 has joined #openstack-keystone02:44
flwang1jamielennox: sure02:46
jamielennoxflwang1: zaqar runs functional tests when you tox -e py27 ?02:48
flwang1jamielennox: yes02:49
jamielennoxflwang1: that's annoying02:49
flwang1jamielennox: ;)02:49
*** roxanag__ has joined #openstack-keystone02:50
*** crinkle_ has joined #openstack-keystone02:51
*** spzala has joined #openstack-keystone02:52
*** _fortis has quit IRC02:52
*** mkoderer has quit IRC02:52
*** dulek has quit IRC02:52
*** dstanek has quit IRC02:52
*** ekarlso has quit IRC02:52
*** boltR has quit IRC02:52
*** roxanagh_ has quit IRC02:52
*** ccard_ has quit IRC02:52
*** crinkle has quit IRC02:52
*** dstanek has joined #openstack-keystone02:53
*** ChanServ sets mode: +v dstanek02:53
*** boltR has joined #openstack-keystone02:53
*** dulek has joined #openstack-keystone02:54
*** mkoderer has joined #openstack-keystone02:55
*** ccard_ has joined #openstack-keystone02:55
*** spzala has quit IRC02:57
*** jbell8 has quit IRC02:57
*** jbell8 has joined #openstack-keystone02:58
stevemarnotmorgan: yeah that was released in 2.1.0 and reverted in 2.1.102:58
*** dims has joined #openstack-keystone02:58
*** dims_ has joined #openstack-keystone03:01
*** pai15 has quit IRC03:03
*** dims has quit IRC03:03
*** _fortis has joined #openstack-keystone03:04
*** spandhe has quit IRC03:05
*** ekarlso has joined #openstack-keystone03:06
notmorganhmmm03:06
notmorganok so i need to look at everything in 2.0.0 and see what is horked03:06
notmorganugh03:06
flwang1jamielennox: after your patch merged, how long we need to wait to get the release?03:07
jamielennoxstevemar: ^03:07
notmorganflwang1: we need to submit a request to rel team and then get the rel team to release... sometimes no more than a day.03:07
notmorgandepending on how broken/critical the fix is03:08
*** roxanag__ has quit IRC03:08
flwang1notmorgan: that's cool03:08
*** crinkle_ is now known as crinkle03:08
*** roxanagh_ has joined #openstack-keystone03:08
*** aginwala has quit IRC03:09
openstackgerritHenrique Truta proposed openstack/keystone: Make project.domain_id column nullable  https://review.openstack.org/26453303:11
openstackgerritHenrique Truta proposed openstack/keystone: Removes project.domain_id FK  https://review.openstack.org/23327403:11
openstackgerritHenrique Truta proposed openstack/keystone: Change project unique constraint  https://review.openstack.org/15837203:11
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060003:11
*** aginwala has joined #openstack-keystone03:14
*** aginwala has quit IRC03:16
*** links has joined #openstack-keystone03:17
*** roxanagh_ has quit IRC03:18
*** ankita_wagh has joined #openstack-keystone03:21
*** daemontool has quit IRC03:30
*** oomichi has joined #openstack-keystone03:30
ayoungjamielennox, I'll trade reviews with you.  https://review.openstack.org/#/c/264260/  Is +417, -6. I'll git you 423 lines of review in exchange for it.03:33
jamielennoxayoung: i did say as was going to review this one03:34
ayoungthat too.  Plus it is the killer keystone feature for this release03:34
ayoungand it supports https://review.openstack.org/#/c/245629/03:34
stevemarjamielennox: we gonna need a new ksm release?03:35
jamielennoxstevemar: i think so03:35
jamielennoxayoung: if not CONF.token.infer_roles - we making this optional?03:36
stevemarjamielennox: for https://review.openstack.org/#/c/267277/ , booo03:36
ayoungjamielennox, yeah...it is a kill switch,03:36
ayoungjamielennox, and I wrote it that way so that we could, potentially, switch to expanded roles in policy files in the future03:37
*** spzala has joined #openstack-keystone03:38
notmorganstevemar: oh nice03:41
stevemarnotmorgan: what's nice, the fact that we broke everything?03:41
notmorganyeah03:41
notmorgan:P03:41
notmorganit's amazing03:41
stevemarspectacular03:42
stevemar*grumble grumble*03:42
notmorganstevemar: so shade looks to be broken in 2.0.0 fwiw03:42
notmorganstevemar: not just 2.1 or 2.203:42
notmorganthis is unfun.03:42
stevemarnotmorgan: oh wow03:42
stevemarthat's been out for months03:42
notmorganyeah well the pip-freeze says the failure mordred reported was 2.0.003:42
notmorganthis is weird cause i mean... i was almost sure we run some things through gate post 2.0.0 for shade03:43
* stevemar shrugs03:43
notmorgansomething has gone really sideways. there are no fixes in 2.1 or 2.2 that should impact the object type shade is using03:43
notmorgansooooooooooo03:43
notmorganstevemar: also jamielennox and i rolled positional into a small independent lib03:44
notmorganit's on pypi already03:44
jamielennoxnotmorgan: have you had a chance to test it?03:44
stevemarneat!03:44
notmorganjamielennox: no :P03:44
notmorganjamielennox: of course not03:44
notmorganjamielennox: that would require me to not drink wine and stop watching TV and stop looking into shade failure03:44
notmorganjamielennox:  :(03:44
jamielennoxnotmorgan: it'd be a quick job compared to this implied roles review of ayoung's, this is going to take a while03:45
notmorganjamielennox: really my issue is i'm digging into the shade + ksc ick03:46
notmorganjamielennox: since that might be some ugly revert03:46
notmorganand it's requiring some real chasing down.03:46
ayoungjamielennox, I love https://review.openstack.org/#/c/244472  but is it safe to yank the context out like that? Or is nothing using this yet?03:50
notmorganayoung: i'm sure it's fine :P03:50
ayoungnotmorgan, it's a work of pure art03:50
ayoungare is dangerous.03:51
ayoungart is dangerous.03:51
notmorganjamielennox: i'm diving into ksm03:51
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains  https://review.openstack.org/21121903:51
notmorganjamielennox: soon03:51
notmorganjamielennox: you have an approach you want to seriously take on what we talked about the other day03:51
jamielennoxayoung: i don't think there's a problem with that one03:51
notmorganjamielennox: cause i'm ready to just roll up thread.local fun ;)03:51
jamielennoxayoung: we're still constructing the context dict03:52
notmorganand then hacking up ksa auth plugin to use it >.>03:52
jamielennoxayoung: ideally i want to pass around the request object instead, or maybe the oslo_context, just not that dict03:52
* notmorgan shudders03:52
jamielennoxnotmorgan: i haven't had time to pursue that one03:52
notmorganoslo_context03:52
notmorganshuuuudddddeerrrr03:52
jamielennoxnotmorgan: so oslo_context i have a few things for03:52
notmorganok03:53
notmorganplease make it better03:53
flwang1jamielennox: i just updated a patch and let it depend on your patch, but seems it doesn't work03:53
jamielennoxi wanted to replace oslo_context with the auth_token plugin obj but i don't think that's going to work03:53
jamielennoxflwang1: you can't depends-on in a library03:53
jamielennoxs/in/for03:53
flwang1not sure if it's because the infra isn't so smart to get the correct keystonemiddle03:53
jamielennoxor you couldn't last time i tried03:53
flwang1oh03:54
flwang1that makes sense03:54
flwang1so we have to wait for the fix release?03:54
notmorganyeah you can't do a depends-on for a new lib03:54
flwang1ok, got it03:54
notmorganactually... can you depends-on for a g-r update?03:54
notmorgani think that might work03:54
notmorganbut you'd need a release first03:54
notmorganchicken-egg03:55
notmorganflwang1: you could hack it and try it w/ a git:// url in requirements, but only locally03:55
notmorgannot in the gate itself03:55
flwang1notmorgan: that's a good point, i will try it locally03:57
*** browne1 has joined #openstack-keystone03:57
flwang1oh, wait, until it merged, i still can't get a valid url for the fix like git:// unless i download the patch to my local, right?03:58
notmorganayoung, jamielennox, stevemar: so i am moving on the ksm updates to offload keystone auth things.03:58
notmorganflwang1: you could use the git:// from gerrit? or the http version [i'd have to look up the syntax]03:58
openstackgerritayoung proposed openstack/keystone: Use our own request in base wsgi class  https://review.openstack.org/24447203:59
notmorganayoung, jamielennox, stevemar: i am going to tack in a digest validator that can be enabled so for example haproxy can say "this is already validated/auth"03:59
ayoungjamielennox, rebased it.  +203:59
jamielennoxnotmorgan: what's the thing to say that it's ok to do from x import y passed hacking?03:59
notmorganjamielennox: # noqa ?04:00
notmorgani think04:00
*** browne has quit IRC04:00
jamielennoxno there's a way to set it in hacking or tox or somewher04:00
jamielennoxe04:00
notmorganoh in tox.ini04:00
notmorganyou can do ignore https://github.com/morganfainberg/positional/blob/master/tox.ini#L3504:01
notmorgansomething like that04:01
notmorganyou just need to know the error to ignore04:01
notmorganayoung, jamielennox, stevemar: so i am looking at pushing a "if hmac(key, token_id) is valid" we don't ask keystone to validate if the proper headers are present (and don't strip headers). if ksm doesn't have an hmac key or headers are missing, normal validation occurs04:03
notmorganany concerns with that kind of approach?04:04
flwang1jamielennox: notmorgan: i'm going to log off to pick up my boy, thanks a lot for your help04:04
notmorganthe other thought was doing a TOTP implementation between edge and services so you can limit replay attacks.04:04
flwang1really appreciate it04:04
ayoungnotmorgan, it's crap, but you know that already.  Go for it04:04
notmorganbut that seems overkill for edge -> service04:04
jamielennoxflaper87: no problem -04:04
notmorganayoung: this is internal edge -> service stuff, *not* user -> cloud04:04
flwang1jamielennox: flaper87 is my shadow :D04:05
ayoungnotmorgan, I mean the token side of it...your part is fine04:05
notmorganayoung: right. you know what my long term goal is04:05
jamielennoxflwang1: ah, woops04:05
notmorgantrying to kill tokens04:05
notmorganbut steps along the way :)04:05
ayoungnotmorgan, https://review.openstack.org/#/c/245588/04:05
ayoungBut you have a better approach it sounds04:06
jamielennoxnotmorgan: you don't want to hmac the entire thing?04:06
notmorganjamielennox: i could hmac all the headers04:06
notmorganwell except catalog cause.. no.04:07
notmorganjamielennox: i was just thinking token_id cause it's lower cost to do so.04:07
ayoungnotmorgan, userid, projectid, roles are the important part04:07
jamielennoxi guess hmac(token_id) gives you authentication but not integrity04:07
ayoungauditId too probably04:07
notmorganayoung: if i expand beyond token_id, i'll do audit_ids instead of token_id04:07
ayoungand you need the timeout...so, yeah, everything but catalog04:07
notmorganno don't need timeout04:07
ayoungnotmorgan, otherwise two tokens will have same HMAC04:08
ayoungtokenid is OK as alternative04:08
notmorganaudit_id04:08
ayoungyep04:08
notmorgan:)04:08
jamielennoxnotmorgan: it depends on your concerns about intercept04:09
notmorganjamielennox: the idea is that the edge will do the validation04:09
notmorganfrom edge -> service i think it's a bit overkill04:09
notmorganto do like totp or crazy levels of hmac on headers04:09
notmorganif the edge to the service is compromised, we're kindof screwed04:09
notmorganayoung: your spec is along the lines of what i want to do, but i actually want to use a one time oauth to a given deploy [hence suburl] then use an http cookie04:10
jamielennoxthere's a replay attack as well04:10
notmorganayoung: since the web-domain is consistent04:10
jamielennoxnotmorgan: i think the way i would do it is to convert everything to apache, do optional client cert auth in apache and don't strip headers/validate if the client cert is correct04:10
notmorgancan't do client cert from HAProxy04:10
notmorganor similar04:10
notmorganin many cases04:11
notmorgani can validate a client cert, i just can't use one to talk to the backend servers04:11
jamielennoxnotmorgan: backend, why would you use one for backend?04:11
notmorganmany proxy/lbs suffer from the same limitation04:11
notmorganjamielennox: this is meant to be an edge [ha-proxy] to service thing04:12
notmorgannot a user-> service thing04:12
jamielennoxright, but it's not haproxy talking to other services, it's service->service04:12
notmorganthe user would still use tokens (for now) just the edge would auth validate not middleware04:12
notmorganservice would talk to HAProxy, since you still want sub-url04:12
jamielennoxdoesn't matter, the client cert would be from service->haproxy04:12
notmorganright04:13
jamielennoxhaproxy just needs to validate04:13
notmorganand that is fine04:13
notmorgani just need to make sure the service is sure it received the request from HAProxy04:13
notmorganand HAProxy can't do a client cert04:13
*** EinstCra_ has quit IRC04:13
ayounghttps://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html  looks like it is possible04:13
*** EinstCrazy has joined #openstack-keystone04:13
jamielennoxnotmorgan: typically haproxy passes on headers or something to indicate that it has validated the cert04:13
notmorganayoung: that validates the ssl cert from the end user04:13
notmorgannot haproxy to the backend.04:14
jamielennoxnotmorgan: haproxy -> (eg) n-api is assumed to be secured in another way04:14
*** spandhe has joined #openstack-keystone04:14
ayoungnotmorgan, if HA Proxy is the safe boundary, then client cert to HAProxy is the right place to authenticate04:15
jamielennoxthere are things you can do there but not really a concern for now04:15
notmorganso, the issue is likely that you'll have user->service and user->haproxy->service available.04:15
jamielennoxnotmorgan: these client certs would never be issued to users04:15
notmorgani am just looking at letting the service have an extra layer of "yep haproxy sent this request"04:15
notmorganjamielennox: long term i want to allow end users to use client certs too :P04:15
jamielennoxnotmorgan: ok, then you would need to also validate the issuing cert name or something to distinguish client from service04:16
notmorganyeah04:16
*** richm has quit IRC04:16
ayoungnotmorgan, you are one step ahead of me...yep agreed SSL/Client Cert from HA to app is a good approach04:16
notmorganso is there no reason to provide a way to validate haproxy sent the request or it was passed via haproxy?04:16
jamielennoxnotmorgan: depends on your infrastructure i think04:17
jamielennoxnotmorgan: normally i think the HAProxy is the only one with an external ip04:17
notmorgani mean, ideally i would use iptables and just lockout access to the apis04:17
notmorganjamielennox: that is my end goal, but i am trying to also address the weird mix deployments because someone will leave both things open04:18
jamielennoxi know in big loadbalancers they have the edge router validate the public SSL cert then they have a separate SSL system that authenticates the backend with the loadbalancer04:18
notmorganyeah04:18
jamielennoxthat's how you maintain security without distributing the ssl key to each worker04:18
jamielennoxi assume haproxy can do that - again it depends on layout as to whether its worth it04:19
notmorganhaproxy can use TLS to the backend04:19
notmorganit can't do client cert04:19
notmorganunless i just circumvent haproxy totally [not what i want to do]04:19
jamielennoxoh04:19
jamielennoxi see what you're saying04:20
notmorganso you can validate a client cert at haproxy, you just can't use one to talk to the backend servers04:20
notmorganmost environments never need that04:20
jamielennoxnotmorgan: so i don't think you need to do client cert there?04:20
notmorganin fact, many many many environments won't SSL internally04:20
jamielennoxinternal CA loaded into haproxy04:20
notmorgancause it's too expensive CPU wise, you can't pipeline anyway04:20
jamielennoxTLS from haproxy -> backend04:21
jamielennoxbackend has SSL with a cert signed by CA04:21
notmorganyeah.04:21
notmorganstandard simple TLS stuff04:21
jamielennoxhaproxy isn't issuing client cert requests just validating responses against specific CA04:21
notmorganyep04:21
notmorganalso in most proxy envs. pipeline is bad cause you hold state04:22
jamielennoxso i don't see that haproxy not issuing client cert requests is a problem04:22
notmorganso a lot of envs won't even TLS internally04:22
notmorgannow, i have minor issue. i need to ensure we do normal token validate in the case a service does something silly like talk directly to neutron04:23
notmorganrather than going through haproxy04:23
notmorganit's minor, but still need a way to be sure the connection came from haproxy04:23
notmorgannot say nova->neutron [i mean i can just reject too, i guess]04:24
jamielennoxyou'd check the presence of the client cert validation04:24
jamielennoxoh, hmm04:24
notmorganyeah.04:24
notmorganit's an edge case for catching broken things04:24
notmorganand allowing a roll to the new method04:25
notmorganrather than needing it to be a "boom" big breaking change04:25
jamielennoxhttp://security.stackexchange.com/questions/99553/using-separate-haproxy-and-api-tiers-how-can-i-ensure-a-request-came-from-hapro04:25
notmorganyeah those two answers aren't really answers04:26
jamielennoxreqadd isn't bad04:26
notmorganright04:26
notmorgani'm already working in lua i could do that there04:26
jamielennoxi mean security by obscuring etc, but in practice it'd work04:27
notmorganyeah this is the same thing i'm at now04:27
notmorganreqadd is the same basically as where i'm at already04:27
notmorgani was thinking HMAC only cause it is a digest rather than a plain-text thing04:28
notmorganin case we accidentally leak the data, you're not leaking the secret04:28
notmorgani am also already stripping the magic headers when the request comes into haproxy04:28
openstackgerritMerged openstack/oslo.policy: Run docs testenv by default with tox  https://review.openstack.org/26659104:29
*** dims_ has quit IRC04:30
notmorganjamielennox: so i think it comes down to... is it worth even making this a digest?04:30
jamielennoxnotmorgan: i mean it's always safer as a digest, but you're always going to be putting keys somewhere04:32
jamielennoxalways a tradeoff04:32
notmorganjamielennox: right, i'm asking cause it's stupid easy to match a header04:32
notmorganit's a little more work to propose HMAC04:32
jamielennoxnotmorgan: for POC i'd just match the header04:32
notmorganit's a lot more work to use TOTP to prevent replay if we are really paranoid04:32
notmorganthis is partially POC and partially lining up what i'm proposing04:33
jamielennoxmore because it tells you if someone circumvented haproxy rather than it's great security04:33
notmorgani could also just make it a plugable thing04:33
*** ryanpetrello has quit IRC04:33
notmorganor plan to04:33
notmorganbecause i have heard there is distinct interest in this as a real deployment method from a couple places04:34
jamielennoxfor a real deploy i'd probably want to do more than header match04:36
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844204:36
openstackgerritDavid Stanek proposed openstack/keystone: WIP: better catalog tests  https://review.openstack.org/26729704:36
*** ryanpetrello has joined #openstack-keystone04:38
jamielennoxnotmorgan: positional works in ksa, you can unblock the g-r04:38
notmorganyay04:38
notmorganexcept i screwed something up in the g-r04:39
notmorganlooking04:39
notmorganoh derp04:39
notmorganand done04:40
notmorganunblocked04:40
notmorganfeel free to +1 it04:40
notmorganstevemar: could use your https://review.openstack.org/#/c/267270/ +1 there too04:41
*** lhcheng has joined #openstack-keystone04:41
*** ChanServ sets mode: +v lhcheng04:41
openstackgerritJamie Lennox proposed openstack/keystoneauth: Use positional library instead of our own copy  https://review.openstack.org/26730004:42
*** ryanpetrello has quit IRC04:43
*** RA_ has joined #openstack-keystone04:46
*** ankita_wagh has quit IRC04:49
*** ankita_wagh has joined #openstack-keystone04:50
stevemarnotmorgan: "from positional import positional"04:51
stevemar*facepalm*04:51
jamielennoxstevemar: from pprint import pprint ?04:51
stevemari suppose04:52
stevemarthat has always been weird to me04:52
jamielennoxotherwise it's @positional.positional()04:52
notmorgannot a good alternative04:52
notmorgansame thing w/ pprint04:52
notmorganas jamielennox said04:52
notmorgani mean @positional.decorator would be the alternative04:53
notmorganand i don't think that is particularly good04:53
*** jasonsb has joined #openstack-keystone04:56
*** EinstCrazy has quit IRC04:57
*** oomichi is now known as oomichi_away04:58
*** ryanpetrello has joined #openstack-keystone05:00
*** EinstCrazy has joined #openstack-keystone05:01
*** ryanpetrello has quit IRC05:06
*** jbell8 has quit IRC05:07
*** lhcheng_ has joined #openstack-keystone05:07
*** vivekd has joined #openstack-keystone05:08
*** lhcheng has quit IRC05:09
*** oomichi_away has quit IRC05:10
*** itlinux has joined #openstack-keystone05:12
notmorganstevemar: henrynash also needs a bouncer05:14
stevemari'll see what i can do05:15
stevemarnotmorgan: did he register his nick with the nickserv?05:16
*** shoutm has joined #openstack-keystone05:20
*** shoutm_ has quit IRC05:22
*** spzala has quit IRC05:23
*** spzala has joined #openstack-keystone05:24
*** Nirupama has joined #openstack-keystone05:26
openstackgerritMerged openstack/python-keystoneclient: Deprecate the baseclient.Client  https://review.openstack.org/25874305:26
openstackgerritMerged openstack/keystonemiddleware: Fix tests to work with keystoneauth1 2.2.0  https://review.openstack.org/26712905:26
*** jdennis has quit IRC05:28
*** spzala has quit IRC05:28
*** jdennis has joined #openstack-keystone05:29
*** gyee has quit IRC05:30
*** roxanagh_ has joined #openstack-keystone05:30
*** ankita_wagh has quit IRC05:34
*** roxanagh_ has quit IRC05:34
notmorganstevemar: no idea05:36
notmorganstevemar: i think so05:36
stevemarnotmorgan: any way i can check?05:36
*** ankita_wagh has joined #openstack-keystone05:37
notmorganuhmm...05:37
notmorgantopol or henry?05:37
notmorgancause....05:37
notmorganthere is an easy way to test...05:38
notmorganstevemar: 20.#openstack-keystone│05:38:34 UTC freenode  -- | ChanServ (ChanServ@services.): 19    henrynash              +Vt                  (#openstack-keystone) [modified 1y 8w 1d ago, on Nov 17 19:09:00 2014]05:38
notmorganstevemar: henry is registered with nickserv as is topol05:39
notmorgan19.##reboot-the-cloud │05:38:34 UTC freenode  -- | ChanServ (ChanServ@services.): 18    topol_                 +Vt                  (#openstack-keystone) [modified 1y 8w 1d ago, on Nov 17 18:35:52 2014]05:39
stevemarnotmorgan: neato05:39
notmorganstevemar: /msg chanserv flags #openstack-keystone05:40
notmorganyou should be able to see who can op/voice/etc on this channel05:40
notmorgansince i added you to the op list05:40
stevemarneat05:41
*** spandhe_ has joined #openstack-keystone05:42
*** spandhe has quit IRC05:43
*** spandhe_ is now known as spandhe05:43
stevemarnotmorgan: can you review the last of the liberty backports? https://review.openstack.org/#/c/256101/05:44
stevemarnotmorgan: also, we need to talk about dolphm's concerns about the validate domain bug05:44
notmorganstevemar: i already responded unless he also responded since05:44
openstackgerritMerged openstack/keystone: Fix incorrect signature in federation legacy V8 wrapper  https://review.openstack.org/26655905:45
notmorganoh05:45
notmorgani disagree with his assertion05:45
notmorganwe can't break behavior05:45
notmorganplain and simple05:45
lifelessnotmorgan: ++05:45
lifelessnotmorgan: +++05:45
notmorganwe were broken before05:45
lifelessnotmorgan: ++++05:45
notmorganit sucks05:45
notmorgandon't expect usernames to be unique05:45
notmorganif you rely on usernames being unique and never check user_id... you're wrong05:46
notmorgansince we shipped and people deployed AND wrote systems around this broken behavior05:46
notmorganso.. the answer is we have an ok to kill v2 keystone05:46
notmorganeven with the "don't ever remove APIs" sentiment from the TC and lots of folks05:47
notmorgansince we have known issues in v205:47
notmorganso, we keep moving and we use it as a reason to encourage folks to use v305:47
notmorgan"v2 is bad, we know it's bad, sorry, here is why it is bad, don't do X"05:47
notmorganpeople are relying on this behavior in production05:47
notmorganlifeless: [see! I told you i'd hold that line, and as sucky as that line is... i want this to not break things even where it is sucky]05:49
notmorganlifeless:  also Hai!05:50
*** jasonsb has quit IRC05:52
*** jaosorior has joined #openstack-keystone05:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26434605:54
*** brad[] has quit IRC05:57
*** lhcheng_ has quit IRC06:01
*** lhcheng has joined #openstack-keystone06:01
*** ChanServ sets mode: +v lhcheng06:01
*** shoutm_ has joined #openstack-keystone06:02
*** shoutm has quit IRC06:03
*** vivekd has quit IRC06:03
*** henrynash has joined #openstack-keystone06:03
*** RA_ has quit IRC06:04
stevemarhenrynash: poke06:06
*** itlinux has quit IRC06:09
openstackgerritSteve Martinelli proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844206:14
*** aginwala has joined #openstack-keystone06:14
*** brad[] has joined #openstack-keystone06:15
stevemarjamielennox: your patch is failing pep8: http://logs.openstack.org/77/267277/1/check/gate-keystonemiddleware-pep8/0091c2d/console.html#_2016-01-14_02_46_59_87806:18
jamielennoxstevemar: that doesn't sound like one of my patches06:18
stevemarjamielennox: https://review.openstack.org/#/c/267277/06:18
notmorganhenrynash: oooooh i see a henrynash06:18
notmorganhenrynash: i need to bug you re @filterprotect06:19
notmorgancause i think you're the only one who really understands it06:19
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Split oslo_config and list all opts  https://review.openstack.org/26727706:20
*** vgridnev has joined #openstack-keystone06:20
jamielennoxstevemar: ^06:20
stevemarjamielennox: weigh in on: https://review.openstack.org/#/c/255128/1 as well06:20
stevemarnotmorgan: he is the ONLY ONE!06:21
bretonyay, my name on 2 reverted patches tonight06:21
notmorganstevemar: do you *really* get all the use of @filterprotected?06:21
jamielennoxstevemar: umm, is that a normal thing?06:21
notmorganstevemar: cause...06:22
stevemarjamielennox: look on like 24606:22
notmorganstevemar: it's a bit insane.06:22
stevemarnotmorgan: oh hell no06:22
openstackgerritAjaya Agrawal proposed openstack/keystone: Remove assignments when deleting a domain  https://review.openstack.org/12743306:22
notmorganstevemar: i mean, i get most of it, but i need to 2x check :(06:22
notmorganbefore i simply unwind it to an in-line .enforce06:22
notmorganlike it should have been06:22
notmorganonly cause the callback stuff is insanity06:22
jamielennoxstevemar: i've really no idea where that came from06:23
*** aginwala_ has joined #openstack-keystone06:23
jamielennoxand whether we want it on all 4xx errors06:23
bretonstevemar: how do we support `truncated` in responses then?06:23
stevemarbreton: i'm not sure, but i needed to unbreak the stable gates :(06:25
bretonhttps://blueprints.launchpad.net/python-keystoneclient/+spec/return-request-id-to-caller this will also fail06:25
stevemarbreton: i don't have an answer for you yet06:25
*** aginwala has quit IRC06:26
stevemarbreton: maybe it's a special case where we return [] if no results06:26
stevemarthat'll fix the tests, but not sure what the implications are for people using the library06:27
*** aginwala has joined #openstack-keystone06:27
stevemarcause it's returning an object now06:27
stevemarjamielennox: i figured you know the exceptions more than i did06:27
bretonmaybe do something like `class OurWrapper(list):`06:27
stevemarjamielennox: it is a real http header value06:27
jamielennoxstevemar: i tried to make them sane but i mostly copied them from the oslo ones06:27
jamielennoxstevemar: for all 4xx?06:28
*** ankita_w_ has joined #openstack-keystone06:28
stevemarjamielennox: probably not needed on all 40006:30
stevemarbreton: gotta dig up the patch, 1 sec06:30
*** roxanagh_ has joined #openstack-keystone06:30
*** aginwala_ has quit IRC06:30
*** ankita_wagh has quit IRC06:32
*** roxanagh_ has quit IRC06:35
*** henrynash_ has joined #openstack-keystone06:35
*** ChanServ sets mode: +v henrynash_06:35
*** ankita_w_ has quit IRC06:35
*** vivekd has joined #openstack-keystone06:37
*** markvoelker has quit IRC06:42
*** jaosorior has quit IRC06:42
*** jaosorior has joined #openstack-keystone06:43
*** aginwala has quit IRC06:43
*** aginwala has joined #openstack-keystone06:43
*** jaosorior has quit IRC06:45
*** jaosorior has joined #openstack-keystone06:46
*** spandhe has quit IRC06:49
davechen1notmorgan: you mean endpoint filter should be deprecated on master?06:49
*** davechen1 is now known as davechen06:49
*** spandhe has joined #openstack-keystone06:50
*** gsilvis has quit IRC06:50
davechennotmorgan: why? I saw marekd are still working on service provider filtering this cycle.06:50
bretonyep, inheriting from the list kinda works06:50
*** spandhe has quit IRC06:50
bretonbut they are not strictly ==06:50
*** spandhe has joined #openstack-keystone06:51
*** browne1 has quit IRC06:52
*** gildub has quit IRC06:55
notmorgandavechen: because endpoint filtering is awful.06:56
davechenmarekd: not sure if you need change the router path or not., something like this (path=('/OS-EP-FILTER/projects/{project_id}''/service_providers/{sp_id}'),)06:56
davechennotmorgan, marekd: maybe, so I give marekd a heads up, be careful then. :)06:58
notmorganthe SP filter is not the issue06:58
notmorganit's the endpoint/catalog filter06:58
notmorganSP filtering has different reasonings behind it - and SPs probably shouldn't have ended up in the catalog (wrong choice but we need to live with it now)06:59
*** mserngawy_ has quit IRC07:00
davechennotmorgan: agreed, sp filtering implemented within ep filtering looks weird.07:00
stevemarjamielennox: how is http://logs.openstack.org/20/263920/2/check/gate-zaqar-python27/5829f73/testr_results.html.gz a keystonemiddleware bug?07:00
davechenthey are not connected tightly.07:00
bretonstevemar: return-request-id-to-caller will not fail because the wrapper is inherited from list07:00
notmorgandavechen: so i'm wanting to deprecate endpoint filter07:00
notmorgandavechen: especially since we have folks re-working how the catalog works07:00
stevemarbreton: ++07:01
davechennotmorgan: gotcha, i can work on it.07:01
notmorganwe shouldn't lock ourselves more into the current catalog07:01
davechenstevemar: ^07:01
notmorgandavechen: i'd not worry too much we'll have more convos at the midcycle on this07:01
stevemarbreton: my heart broke a little when i had to revert and release, cause i know you worked on it so hard :(07:01
jamielennoxstevemar: that one doesn't look like our fault07:01
stevemarjamielennox: it was in the bug description07:01
notmorganand i'm sure gyee_needs_a_bouncer [seriously?! gyee too?!] will have a battle over endpoint filtering with me07:02
stevemarjamielennox: https://bugs.launchpad.net/keystonemiddleware/+bug/153393207:02
openstackLaunchpad bug 1533932 in keystonemiddleware "Remove the deprecated opts from sample config breaking zaqar" [Critical,In progress] - Assigned to Jamie Lennox (jamielennox)07:02
notmorganwhy does no one have a bouncer!? :P07:02
bretonstevemar: nah, I'll re-propose it again, don't worry. Sorry for breaking the gate :)07:02
stevemarbreton: it happens :)07:02
stevemarnotmorgan: i may have set one up for henrynash07:02
notmorganstevemar: LOL07:02
davechennotmorgan: depends on whether anyone still uses it.07:02
jamielennoxstevemar: http://logs.openstack.org/31/266831/3/check/gate-zaqar-python34/ed3cd90/testr_results.html.gz is the one i was shown on IRC07:03
notmorgandavechen: i am not advocating removing it, just deprecating it and when next-gen-catalog comes along, we don't re-implement it07:03
stevemarjamielennox: rgr07:03
jamielennoxbreton: it's a rite of passage to jam the gate07:03
stevemarjamielennox: updated the gate07:04
stevemarerr bug07:04
notmorganbreton: yeah if you've not wedged the gate at least once, you've not contributed enough07:04
davechennotmorgan: is there any substitution so far?07:04
stevemarnotmorgan: LOL07:04
stevemarnotmorgan: sad but true07:04
notmorgandavechen: for endpoint filtering? no ideally we would just stop supporting the concept07:05
davechennotmorgan: may need to think more about it before other choices are given.07:07
notmorgandavechen: i don't think there should be an option for endpoint filtering07:08
notmorgandavechen: the catalog should not be mutable/change based on user/scope/auth07:08
notmorganit's a discovery thing07:08
stevemarso long night-keystone, i'm calling it early today. keep the gates well guarded!07:10
davechenstevemar: sweet dreaming07:10
*** oomichi has joined #openstack-keystone07:12
davechennotmorgan: okay, let me see if any decision is made in the midcycle. ;-)07:13
*** daemontool has joined #openstack-keystone07:14
*** gsilvis has joined #openstack-keystone07:18
*** daemontool has quit IRC07:22
*** roxanagh_ has joined #openstack-keystone07:31
*** lhcheng has quit IRC07:32
*** roxanag__ has joined #openstack-keystone07:34
*** aginwala has quit IRC07:34
*** ktychkova has quit IRC07:35
*** roxanagh_ has quit IRC07:36
*** ktychkova has joined #openstack-keystone07:38
*** spandhe has quit IRC07:39
*** jimbaker has quit IRC07:40
*** shoutm_ has quit IRC07:45
*** shoutm has joined #openstack-keystone07:46
*** vgridnev has quit IRC07:52
marekdnotmorgan: SPs are not in the catalog07:54
*** belmoreira has joined #openstack-keystone07:55
*** henrynash_ has quit IRC07:56
Anticimexso, having just run "pip install --upgrade python-openstackclient" (i.e. i have whatever was most recently released), i get "SSL: CERTIFICATE_VERIFY_FAILED".07:57
Anticimexi don't know if it worked before, but my system's trust store, /etc/ssl/certs/ does have the necessary ca certs.  which leaves me wondering if python-openstackclient avoids attempting to use that store by default?07:58
Anticimexi guess i can use OS_CACERT07:58
Anticimexand doh!  my bad, had a lingering env variable set after switching between keystone endpoints07:59
*** jaosorior has quit IRC08:05
*** vgridnev has joined #openstack-keystone08:13
*** RA_ has joined #openstack-keystone08:14
*** davechen1 has joined #openstack-keystone08:15
*** davechen1 has left #openstack-keystone08:15
*** davechen has quit IRC08:17
*** oomichi is now known as oomich_away08:22
*** jaosorior has joined #openstack-keystone08:24
*** vgridnev has quit IRC08:32
*** pnavarro has joined #openstack-keystone08:35
*** roxanag__ has quit IRC08:36
*** roxanagh_ has joined #openstack-keystone08:37
*** roxanagh_ has quit IRC08:42
*** markvoelker has joined #openstack-keystone08:43
*** fhubik has joined #openstack-keystone08:46
*** markvoelker has quit IRC08:48
*** e0ne has joined #openstack-keystone08:48
*** RA_ has quit IRC08:51
*** aj3 has joined #openstack-keystone08:54
*** aj3 has quit IRC08:54
*** martinus__ has joined #openstack-keystone08:57
*** jistr has joined #openstack-keystone09:03
*** fhubik has quit IRC09:08
*** ig0r_ has joined #openstack-keystone09:17
*** jamielennox is now known as jamielennox|away09:18
*** rm_work has quit IRC09:19
*** bigjools has quit IRC09:20
*** rm_work has joined #openstack-keystone09:20
*** bigjools has joined #openstack-keystone09:21
*** daemontool has joined #openstack-keystone09:23
openstackgerritAjaya Agrawal proposed openstack/keystone: Remove assignments when deleting a domain  https://review.openstack.org/12743309:25
*** vgridnev has joined #openstack-keystone09:31
*** __zouyee has quit IRC09:37
*** oomich_away is now known as oomich09:39
*** ig0r_ has quit IRC09:41
*** markvoelker has joined #openstack-keystone09:44
*** mhickey has joined #openstack-keystone09:45
*** RA_ has joined #openstack-keystone09:45
*** markvoelker has quit IRC09:49
*** ajayaa has joined #openstack-keystone09:50
ktychkovaayoung: Hi, are you around?09:56
*** ajayaa has quit IRC10:00
*** ajayaa has joined #openstack-keystone10:01
*** jimbaker has joined #openstack-keystone10:01
*** jimbaker has quit IRC10:01
*** jimbaker has joined #openstack-keystone10:01
*** oomich is now known as oomich_away10:01
*** _zouyee has quit IRC10:03
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118810:04
*** EinstCrazy has quit IRC10:10
*** ajayaa has quit IRC10:12
*** ajayaa has joined #openstack-keystone10:12
*** shoutm has quit IRC10:15
*** fhubik has joined #openstack-keystone10:17
*** fhubik has quit IRC10:21
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744910:21
*** fhubik has joined #openstack-keystone10:22
*** spzala has joined #openstack-keystone10:24
*** spzala has quit IRC10:29
*** aix has joined #openstack-keystone10:32
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/26745610:42
*** aix has quit IRC10:52
*** vgridnev has quit IRC10:54
*** vgridnev has joined #openstack-keystone10:56
*** ktychkova has quit IRC10:56
*** _zouyee has joined #openstack-keystone11:04
*** dims has joined #openstack-keystone11:04
*** GB21 has joined #openstack-keystone11:05
*** RA_ has quit IRC11:07
*** ktychkova has joined #openstack-keystone11:13
*** GB21 has quit IRC11:15
*** fawadkhaliq has joined #openstack-keystone11:25
*** roxanagh_ has joined #openstack-keystone11:26
*** roxanagh_ has quit IRC11:30
*** EinstCrazy has joined #openstack-keystone11:33
*** ericksonsantos has joined #openstack-keystone11:38
*** d0ugal has quit IRC11:40
*** markvoelker has joined #openstack-keystone11:45
*** markvoelker has quit IRC11:49
*** davechen has joined #openstack-keystone11:50
*** d0ugal has joined #openstack-keystone11:58
*** pauloewerton has joined #openstack-keystone12:11
*** vgridnev has quit IRC12:11
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414912:11
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424812:13
*** vgridnev has joined #openstack-keystone12:14
*** ajayaa has quit IRC12:16
*** ajayaa has joined #openstack-keystone12:16
*** fhubik is now known as fhubik_brb12:20
*** aix has joined #openstack-keystone12:22
*** raildo-afk is now known as raildo12:22
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336812:26
*** davechen1 has joined #openstack-keystone12:41
*** davechen has quit IRC12:42
*** markvoelker has joined #openstack-keystone12:45
*** markvoelker has quit IRC12:50
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336812:57
*** vgridnev has quit IRC12:57
*** vgridnev has joined #openstack-keystone12:59
*** doug-fish has joined #openstack-keystone13:01
*** doug-fish has quit IRC13:07
*** fawadkhaliq has quit IRC13:07
*** doug-fish has joined #openstack-keystone13:08
ayoungktychkova, http://adam.younglogic.com/2015/12/questions-about-keystone/13:09
*** fhubik_brb is now known as fhubik13:11
*** _zouyee has quit IRC13:12
*** doug-fish has quit IRC13:12
*** roxanagh_ has joined #openstack-keystone13:14
*** roxanagh_ has quit IRC13:18
ktychkovaayoung: Could you give me more details for your comment here: https://review.openstack.org/#/c/259418/? Do you think that it is a bad idea to have another one enforcer? Could you please explain me alternative ways?13:21
ayoungktychkova, I think it is an awesome idea, just one that should not be tied to OpenStack13:22
ayoungktychkova, the idea should be developed stand alone, and I would be surprised if the Apache project did not have such a library already13:22
ktychkovaayoung: Apache Fortress is one of possible interface here, solution is more general - OpenLDAP, AD....13:24
ayoungktychkova, and the application is also broader than just the OpenStack services13:24
ayoungthink in terms of every single application running in the cloud and there you have it13:25
*** markvoelker has joined #openstack-keystone13:25
*** browne has joined #openstack-keystone13:26
ktychkovaayoung: I got your point. Could you explain in terms of architecture? So, we have permissions and they are stored in OpenLDAP. User is asking to list roles, how oslo.policy/keystone should check permissions?13:31
*** doug-fish has joined #openstack-keystone13:31
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485413:36
openstackgerritBoris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups  https://review.openstack.org/23484913:37
openstackgerritBoris Bobrov proposed openstack/keystone: Enable limiting in ldap for users  https://review.openstack.org/23307013:37
*** edmondsw has joined #openstack-keystone13:39
openstackgerritBoris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups  https://review.openstack.org/23484913:40
*** ninag has joined #openstack-keystone13:41
*** richm has joined #openstack-keystone13:42
*** dslev has joined #openstack-keystone13:48
*** browne has quit IRC13:48
*** Nirupama has quit IRC13:50
*** davechen1 has left #openstack-keystone13:52
*** dslev_ has joined #openstack-keystone13:54
*** dslev has quit IRC13:57
*** gordc has joined #openstack-keystone13:58
*** dslev_ has quit IRC14:00
*** vivekd has quit IRC14:06
samueldmqayoung: ahahaha14:10
samueldmqayoung: I think I hear you talking about naked pings since I joined the community in 2013 :-)14:11
ayoungktychkova, sorry...was dealing with other parts of life....14:11
ayoungsamueldmq, people learn by example.  Some people got a bad example14:11
samueldmqayoung: that's true, what I do (or try in most cases) is14:13
samueldmqayoung: ping - about x,yz, let me know when you're available14:13
ayoungsamueldmq, even that is better.14:13
openstackgerritHarshada Mangesh Kakad proposed openstack/keystone-specs: Replace deprecated library function os.popen() with subprocess  https://review.openstack.org/26759014:14
samueldmqayoung: because even if you're up at that time, perhaps you could be doing something different and can't change context :)14:14
ayoungsamueldmq, at which point someone else that does know the issue at hand can answer.  Basically, ask the chat room, but put the name of the person you think knows the answer14:15
ayoungalso, as much context as possible to help with the context switch14:15
stevemarnooo davechen isn't around14:15
ayoungsamueldmq, BTW, would be good to get as many eyes as possible on the Implied Roles reviews.   https://review.openstack.org/#/c/264260/  espe14:16
ayoungespecially14:16
dstanekayoung: ping - i'll tell you more about it when you pong14:16
samueldmqdstanek: ahha14:16
*** dslev has joined #openstack-keystone14:16
ayoungdstanek, I suck at ping pong.14:16
dstanekayoung: noted14:17
samueldmqayoung: domain specific roles is also in the scope for this cycle right?14:17
ayoungsamueldmq, yes, and builds on that14:17
ayoung we have a long tree here, and I want to get it moving samueldmq14:17
samueldmqayoung: cool, I think these 2 should be my priority for reviews14:17
samueldmqayoung: as I've a good background on our assignment backend14:18
ayoungsamueldmq, so backend, followed by API: https://review.openstack.org/#/c/242614/3814:18
ayoungsamueldmq, the changes are actually fairly small.14:18
samueldmqnice14:18
samueldmqbtw, how do I see patches dependencies on this new gerrit ui?14:18
ayoungIt's a CRUD interface, and then added to the roles backend the ability to expand the roles14:18
ayoungsamueldmq, right side "related changes"14:19
ayoung"Same Topic"14:19
samueldmqare all of them in "related changes"? are they ordered?14:19
ayoungI think they are ordered properly.  Sometimes it gets an older version of a patch if you are moving up the tree14:20
samueldmqyeah :-(14:20
openstackgerritHarshada Mangesh Kakad proposed openstack/keystone-specs: Replace deprecated library function os.popen() with subprocess  https://review.openstack.org/26759014:21
ayoungsamueldmq, I tend to just edit the URL to chop off the version number if it is specified14:22
samueldmqayoung: me too, when after a couple of minutes I notice that I am looking at an older version that doesn't make sense anymore14:23
ktychkovaayoung: it is ok :) You can answer when you have time. Please give me your vision how it should work. I'm afraid I didn't get it14:24
ayoungktychkova, Are you going to the summit in Austin?14:25
ktychkovaayoung: I think, no, I'm not going14:26
ayoungktychkova, pity...could have talked it over in depth....ok14:26
*** dims has quit IRC14:26
ayoungktychkova, so, standard RBAC is, IIUC, not explicitly targeting "project" or any other namespace.  Instead, roles are flat14:26
ayoungso instead of "Admin" on "Demo" project you would end up with a role like "demo_admin"  right?14:27
ayoungthe "organization" is assumed to contain all of the roles14:27
ktychkovaayoung: yes, something like that14:28
ayoungktychkova, so the Keystone model does not quite map to that.  It is designed more for scale.  The idea is that you set up "role on project" as a template, and then create a new project.  Then when you assign someone a role on that project, the access control is precanned14:29
*** dims has joined #openstack-keystone14:30
ayoungktychkova, I do know that the LDAP model can support what we are doing in Keystone, as that is what the "soon to be deprecated" role assignment backend is doing now14:33
ayoungI think that what you are talking about would be  handled via groups in the existing Identity backend.14:34
ayoungand could be done today by changing the binding14:34
ktychkovaayoung: the idea is not to replace keystone model, the idea is to have alternative for policy.json file14:35
edmondswstevemar, why was https://review.openstack.org/#/c/230157/ abandoned?14:36
ayoungktychkova, you could use the LDAP model you have there to generate a policy file.  You still have an enforcement step required14:36
samueldmqFYI: keystone v3 only job for tempest is now gating; devstack already has it14:37
*** petertr7_away is now known as petertr714:38
*** jdennis has quit IRC14:38
ktychkovaayoung: yes, one opportunity is to generate a policy file. But do you think it is convenient to do it each time after changes? And BTW you have to restart keystone if you update policy.json file14:39
ayoungktychkova, you would need to have a complete inventory of all the operations uploaded into LDAP...at which point you are basically doing an LDAP implementation of what I suggested with dynamic policy...which did not fly with the wider openstack community.  I have another thought on that, but for later14:39
*** browne has joined #openstack-keystone14:39
ayoungyou can reload policy.json file without restarting Keystone, but we've not really had to work that hard at it.  JSON is just the marshalling format, though.  You would still need something like that for LDAP, or do an LDAP query on each access, which would kill LDAP with requests14:40
samueldmqstevemar: dstanek: bknudson_ regarding our "Setting up a keystone development environment" documentation14:40
*** jistr has quit IRC14:40
dstaneksamueldmq: ?14:40
samueldmqI think https://review.openstack.org/#/c/246400 is a good improvement of it, I'd appreciate your views14:40
samueldmqdstanek: this ^ (you're quick)14:40
bretonayoung: as far as I understand the idea is to offload policy handling to LDAP14:40
breton> which  would kill LDAP with requests14:40
bretonwhy is that? 1 request to ldap per keystone request14:40
bretonor per any request14:40
*** jistr has joined #openstack-keystone14:41
ayoungbreton, any request14:41
samueldmqalso https://review.openstack.org/#/c/253219/ should be an easy +2+A14:41
samueldmqayoung: ^14:41
bretonayoung: it's read operation. Shouldn't ldap work best for them?14:41
ayoungbreton, it can be cached, but then you have the issue of cache invalidation...and all of that is what the policy mechanism is already there to perform.14:41
ktychkovaayoung, breton: I think I should do performance tests to be sure14:42
*** jaosorior has quit IRC14:42
ayoungbreton, the real answer is that, for the vast majority of OpenStack deployments, LDAP is read only.  No way to update, which means the mechanism is unusable.  So we would end up reimplementing in SQL...which is the Dynamic policy proposal...but I'm not saying that is dead, just that there are pre-reqs to knock out first14:43
dstaneksamueldmq: starred14:43
samueldmqdstanek: thanks14:43
ayoungit is really hard to have this conversation in IRC14:43
*** jaosorior has joined #openstack-keystone14:43
breton> No way to update, which means the mechanism is unusable.14:43
bretonthis14:43
ayoungbreton, you going to Austin?  I'm going to put together a future-of-policy session there (once again)14:43
samueldmqdstanek: btw, do you know what's all the official docs we have for keystone?14:43
bretonwhy handle roles from OpenStack?14:43
bretonayoung: to midcycle no, to summit yes.14:44
samueldmqdstanek: I am aware of http://developer.openstack.org/api-ref.html and http://docs.openstack.org/developer/keystone/14:44
*** jaosorior has quit IRC14:44
ayoungbreton, so, at the summit.  The short of it is that we need better policy handling, but I want to do that for the widest audience which means anything dynamic is going to have to be in SQL, not LDAP14:44
*** jaosorior has joined #openstack-keystone14:45
ayoungI also want to split policy enforcement into ROLE check which can be done in middleware and project-scope-check which will be done inside the Python code of the application14:45
ayoungso, the middleware check *could* get its data from LDAP, but I would still insist on it being transformed to JSON for that14:46
*** GB21 has joined #openstack-keystone14:46
ayoungalso, the RBAC stuff as written up in that spec gets into what is in the token, not just the policy14:46
dstaneksamueldmq: our identity-api docs too14:46
ayoungroles are assigned to users, that is token stuff14:46
bretonThe idea behind handling this in LDAP is the same as with identity. If users are in LDAP, we suggest to manage them with an external tool. If roles are in LDAP, they will be managed externally too.14:46
ayoungthat actually closely mimics what the assignment backend for LDAP does today14:46
samueldmqdstanek: https://specs.openstack.org/openstack/keystone-specs/ ?14:47
stevemaredmondsw: oct 4, 2015. i have no idea.14:47
ayoungbreton, managed, yes, but it still needs to come through Keystone and be treated the same way as any other user, which means user + group.  Period. You have to understand that14:47
ayounghave14:47
edmondswstevemar, lol... sorry, should have asked earlier14:48
edmondswso... can we get it revived?14:48
stevemaredmondsw: i probably got frustrated14:48
stevemarsure14:48
edmondswit was a big change, but it's also kinda important14:48
stevemarrestored14:48
stevemarnow to rebase... hmm14:48
bretonstevemar: what's the problem to do that? Roles are simpler than users.14:49
bretonoops, wrong hl14:49
bretonayoung: ^14:49
stevemar;)14:49
dstaneksamueldmq: yes14:49
bretonand there are systems that do better RBAC than we already have14:49
ayoungbreton, ktychkova I think you guys do not really understand what Keystone is doing.  You are proposing the same kind of thing that I originally implemented in Keystone 4 years ago in the LDAP backend, but that is too limiting a view of things.  You need to understand where Keystone is today and then take it incrementally.14:49
ayoungit is the rare system that has writable access to LDAP where all of the users come out of LDAP.14:50
ayoungAnd even in those cases, you would not want assignment data coming out of LDAP14:50
*** jdennis has joined #openstack-keystone14:51
ayoungso, while technically you could implement what you have proposed, it does not map to the problem space14:51
bretonI am not talking about assignments and I don't understand what it has to do with write access14:51
ayoungadd to that the fact that it only solves things for managing the openstack services, and not the applications running in the cloud, and you are targeting a vanishingly small problem14:52
*** gordc has quit IRC14:52
*** links has quit IRC14:52
ayoungbreton, in your proposal without write access you can't change policy14:52
bretonyep14:52
samueldmqdstanek: cool, thanks14:52
bretonI don't want to change policy from OpenStack14:52
bretonI want to change policy from external tool14:53
bretonApache Fortress, for example14:53
ayoungbreton, you don't have access to that external tool14:53
bretonwhy not?14:53
ayoungLDAP is read only.  Not just from OpenStack.  From an Operator's perspective14:53
ayoungthey don't own the LDAP implementation14:53
ayoungthey can only read it14:53
*** gordc has joined #openstack-keystone14:54
ayoungbreton, 100000 person company.  LDAP is managed by the HR dept and one part of IT.  Openstack is owned by the devops group14:54
ayoungdevops groups cannot write to LDAP14:54
ayoungthey can't specify new object classes, trees, schemas, nor put any new data in there.  It is an external resource.14:55
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865014:56
bretonwhy would they do it if all classes, trees and schemas are already there? And there is a ready RBAC system14:56
*** Ephur has joined #openstack-keystone14:58
dstanekbreton: how would they get in there?15:00
bretondstanek: what do you mean by "there"?15:01
openstackgerritMerged openstack/keystone-specs: Replace deprecated library function os.popen() with subprocess  https://review.openstack.org/26759015:01
lbragstadstevemar have a few minutes for oauth1 behavior questions?15:01
stevemarlbragstad: pfft, i haven't tried it in about a year, i'm pretty rusty, but i'll give it a go15:02
*** roxanagh_ has joined #openstack-keystone15:02
lbragstadstevemar switching the default provider to be fernet breaks 8 AuthTokenTests in test_v3_oauth1.py15:02
dstanekbreton: you said the classes, trees and schemas might already be there15:02
openstackgerritSteve Martinelli proposed openstack/keystone: document the bootstrapping process  https://review.openstack.org/25973015:04
lbragstadstevemar one of the ways it's breaking is like this - http://cdn.pasteraw.com/iq5567jovafyyuguf0ig8tkx5bismza15:04
bretondstanek: by installation of Fortress15:04
lbragstadstevemar the strange thing is that fernet and uuid are using almost identical code paths for issuing v3 tokens15:05
lbragstadstevemar but - the fernet test cases fail getting the access_token_id from the auth_context here - https://github.com/openstack/keystone/blob/08ce1a504b73c3f95f60ea6fc990fbf19a8b8c0e/keystone/token/providers/common.py#L548 because oauth1 is still in the method names... where in uuid it isn't15:06
dstanekbreton: i think ayoung's point is that the LDAP used by deployers isn't writable by them or other tools they install; and the people managing the LDAP instance don't want outside junk in it.15:06
ayoungdstanek, ++15:07
*** sigmavirus24_awa is now known as sigmavirus2415:07
ayoungdstanek, to add to that idea15:07
stevemarlbragstad: i'm trying to remember why that line exists15:07
bretonyes, I understood his point.15:07
*** peter-hamilton has joined #openstack-keystone15:07
ayoungif there is stuff in the LDAP server that we want to consume in OpenStack, it has to come through the existing mechanisms.15:07
lbragstadstevemar so I guess my question is - why the method_names don't have 'oauth1' for uuid tokens15:07
dstanekbreton: that's why i was asking how those things would get there15:08
*** roxanagh_ has quit IRC15:08
ayoungso, if you want to manage policy from LDAP, use it to generate a policy.json file.15:08
ayoungIf you want roles from LDAP to show up in the policy access enforcement, they have to be transformed to groups15:08
*** mhickey has quit IRC15:09
stevemarlbragstad: give me a few minutes to rethink how this all worked15:10
dimsayoung : breton and ktychkova are talking about a scenario where Apache Fortress is already there even before OpenStack was in the enterprise15:10
lbragstadstevemar ok15:11
dimsayoung : not that the scenario when someone is installing openstack and we ask them to install fortress because openstack needs it15:11
bretonayoung: > use it to generate a policy.json file15:11
lbragstadstevemar I assume these kinds of behaviors with fernet must be fixed before making it the default15:11
bretonwhy if we can make policy check transparent for oslo.policy?15:11
lbragstadstevemar and - do you want a separate bug opened for each of these little things?15:11
dimsayoung : real life situation, there's a customer asking for it :)15:12
bretonwhen oslo.policy is a thin wrapper around a REST call to Fortress which returns true/false15:12
stevemarlbragstad: so, looking at: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html#request-an-identity-api-token15:13
*** ryanpetrello has joined #openstack-keystone15:13
stevemaryou set the methods block to 'oauth1' , but don't actually submit things in the body15:14
stevemarit's all about the headers, and everything is in there15:14
ayoungdims, then do what I just said15:14
ayoungdims, does fortress have a python library that can enforce access control?15:14
bretonfortress has a REST api15:14
ayoungbreton, so does my toaster15:15
stevemarlbragstad: so where is this access_token_id coming from... access_token_id = auth_context['access_token_id']15:15
dimsayoung : " policy from LDAP, use it to generate a policy.json file"?15:15
ayoungREST API is just another way of saying "Make it someone else's problem"15:15
ayoungdims, or use a standard policy enforcement library, not something openstack specific15:15
dimsayoung : why the push back on an optional thing? esp from real world scenarios?15:16
ayoungdims, experience15:16
lbragstadstevemar it's passed in the auth_context (or built) in there somewhere15:16
stevemarlbragstad: here, it seems: https://github.com/openstack/keystone/blob/68b7c6c098bcec7635d3c17b7908643aad0bb638/keystone/common/authorization.py#L9915:17
lbragstadstevemar the test gets a token originally and then makes sure it can't be chained (OAuth-specific)15:17
lbragstadstevemar ah yes15:17
dimsayoung : i respect that but that's just one view15:17
stevemarlbragstad: whoa shouldn't 98 and 99 be indented :O15:18
lbragstadstevemar but when the first token (self.keystone_token_id) is received using fernet I believe the method_names = ['oauth1']15:18
ayoungdims, because it shows a real lack of understanding about how the rest of Keystone and policy works.  You throw something like that out there and then say "why not" when the fact is to get even the simplest thing done in Keystone requires a huge degree of consensus and coordination.15:18
*** phalmos has joined #openstack-keystone15:19
dimsayoung : we went all the way to dynamic policies and then dialed it all the way back15:19
lbragstadstevemar when the test goes to chain self.keystone_token_id the method_names = ['oauth1', 'token']15:19
ayoungdims, No. I've lived in this world exclusively for 4 years.  It is many many points of view shoved into various of my orifii one at a time...15:19
ayoungdims, do you understand why?15:19
ayoungdims, do you understand why we dialed it back?15:19
dimsayoung : because no one needs it in real world15:19
ayoungNo15:19
* dims waits15:19
bretonayoung: with REST API, yes, there is a call to enforce access control15:19
ayoungdims, because it did not map to how OpenStack needed it to work15:20
stevemarlbragstad: we should def make this change: http://paste.openstack.org/show/483894/15:20
lbragstadstevemar which is different than what uuid shows - when doing that same exact thing with uuid, the method_names list doesn't actually have 'oauth1'15:20
ayoungthe real issue with policy enforcement is that it is doing two distinct things15:20
ayoungthe easy part is RBAC15:20
ayoungbut we can't even do that right now...15:20
stevemarlbragstad: hmm15:20
lbragstadstevemar let me try that quick and see what happens15:20
ayoungthat is why I am pushing on the implied roles spec15:20
ayoungwithout that, RBAC is hobbled15:20
*** slberger has joined #openstack-keystone15:20
ayoungbut...even once we have that, we need to split the Role check from the  scope check15:21
dimsayoung : i see15:21
ayoungthe scope check is something that needs Nova specific knowledge in Nova, neutron in neutron and so on15:21
bretonwhy reimplement RBAC when there is a system for RBAC authorization?15:21
ayoungso the only part that Dynamic policy can solve is the role check15:21
ayoungbreton, because read up15:21
ayoungNIST RBAC assumes a single organization15:21
ayoungOpenStack and Cloud needs something more scalable15:22
*** doug-fish has quit IRC15:22
dimsayoung : sounds like we should wait for the mid-cycle sprint :)15:22
dimsand talk there15:22
ayoungand this is why you guys should have been participating in the policy discussions last summit.  And if you are not in the one this summit, I will hunt you down on a hot summer day and put a fish in your collective cars.15:22
ayoungI can't make it to the midcycle this year, unfortunately15:22
*** doug-fish has joined #openstack-keystone15:22
stevemarlbragstad: give it a whirl, my brain has just started to wake up15:23
dimsLOL, customer showed up after15:23
*** spandhe has joined #openstack-keystone15:23
ayoungdims, it is not going to happen this release anyway....Austin at the Summit15:23
ayoungOK?15:23
ayoungdims, let me talk to him15:23
lbragstadstevemar fernet still fails with the key error15:23
ayoungor her15:23
dimsayoung : looking for a way forward, not necessary to be in this release15:23
*** spzala has joined #openstack-keystone15:23
*** pai15 has joined #openstack-keystone15:23
*** mhickey has joined #openstack-keystone15:23
ayoungohm, I thought you meant the customer just showed up at your site!15:23
mnasersome customers who are trying to create really large images in glance are failing because the tokens are expiring during the upload.  we're running the default expiration=3600 .. is there anything we should worry about if we increase it?15:24
mnaserand wasn't the default 1 day before, or is this me imagining things15:24
dimsayoung : we can setup a hangout with a couple of folks who can may be respond better :) if you are game15:24
dolphmmnaser: not unless your tokens are compromised15:24
dolphmmnaser: it was 24 hours before, yes15:24
ayoungdims, I'd be happy to.  But you have to pay it forward15:25
dimsayoung : absolutely15:25
ayounglook at and understand what is going on with the main thrust here15:25
ayoung1.  implied roles15:25
mnaserdolphm: i see, thanks, anything to look out for if we decide to bring it back to 24 hours?15:25
ayoung2.  Split policy15:25
mnaserbesides: make sure your tokens don't get compromised15:25
ayoungdims, and, if you can find a way to generate policy.json from apache fortress, pursue that15:26
stevemarmnaser: you may have to prune token table more often? dolphm can confirm15:26
dimsayoung : yep, we already did that prototype15:26
mnaseri think we have a nightly job for that already15:26
mnaseri think recent ubuntu packages drop something in cron.d to clean it up15:26
ayoungdims, but, the real benefit from fortress will be at the App level, not at the OpenStack level.15:26
stevemarmnaser: then yeah, but be sure they don't get compromised15:26
*** jsavak has joined #openstack-keystone15:26
*** doug-fish has quit IRC15:27
dolphmmnaser: stevemar: yeah, with UUID you'll have more valid tokens at once, so your token table will grow 24x15:27
ayoungdims, that is great.  Is there a write up?  Is it posted?15:27
dimsanyone else interested in this topic? please let breton know15:27
dolphmif you switch back to a day15:27
dimsayoung : not yet. i believe ktychkova did the real work15:27
mnaserhmm, 4500 tokens at the moment, so it'll bring us up to 100k possibly15:28
dimsbreton : let's setup a hangout next week with folks?15:28
bretonit was not generating of policy json, it was a rest query to fortress15:28
ayoungdims, So, how WOULD fortress work in a Federated deployment?15:28
mnaseri feel like this is a workaround and glance should have a better way of handling this issue :(15:28
dimsayoung : will line that up on the agenda :)15:28
bretonit was not single call, but single call can be done too15:28
bretondims: yep15:29
dimsbreton : stefan mentioned generating a policy.json too15:29
ktychkovaayoung: https://review.openstack.org/#/c/244059/15:29
ktychkovahttps://review.openstack.org/#/c/237521/15:29
ktychkovaVideo demo: https://vimeo.com/14371547715:29
ktychkovahttps://vimeo.com/14610980115:29
*** doug-fish has joined #openstack-keystone15:29
dimsktychkova : thanks!15:30
ayoungdims, the short of it is that Federation is the way forward.  OpenStack is a layer of policy that consumes external identity.  I would love to be able to make use of Fortress in a solution based on that, but there are a lot of small steps.15:30
*** spandhe has quit IRC15:30
bretonI don't see how fortress would not work in federated deployment15:30
bretonthey don't interfere at all15:31
dimsayoung : +1 all we are looking at is future direction15:31
ayoungbreton, where does User_ID come from?15:31
*** timcline has joined #openstack-keystone15:33
* breton thinks15:33
dimsbreton : haha :)15:33
dimsbreton : so let's think this through before we burn up ayoung 's time :)15:34
ayoungktychkova, BTW...looking at your WIP...can you use the HTTP check15:34
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865015:34
openstackgerritLance Bragstad proposed openstack/keystone: Update v3policysample tests to use admin_project not special domain_id  https://review.openstack.org/26661715:34
openstackgerritLance Bragstad proposed openstack/keystone: Fix indentation for oauth context  https://review.openstack.org/26764915:34
*** doug-fish has quit IRC15:34
mnaseri remember there was some performance regressions in fernet tokens in liberty.. are those still the case?15:34
ayoungand the REST API instead of doing something LDAP specific ?15:34
mnaserspeaking of fernet tokens.. lol15:34
lbragstadmnaser we did add some caching to the catalog and we have a patch up to add caching to role assignments15:35
dolphmlbragstad: it hasn't merged?15:35
lbragstadmnaser if we can land https://review.openstack.org/#/c/215715/15:35
mnaserso on liberty, it's better to continue to stick uuid tokens for now15:35
lbragstadmnaser we should have both of those improvements in Mitaka15:35
ayounghttps://review.openstack.org/#/c/244059/6/oslo_policy/_checks.py  think about that from a dependency standpoint:  you will have wired LDAP in to every service out there.  If you really want this,  use the HTTP check instead.  It keeps things down to a single remote protocol.15:35
dolphmmnaser: "it depends"15:35
dimsayoung : good point15:36
lbragstadmnaser we are also actively trying to reduce the scope of revocation events - which also proved to be a pain point of rebuilding the authorization context15:36
mnaseri see, and by "it depends" .. what would it depend on in that case?15:36
dolphmlbragstad: i'm also requesting OSIC hardware to do performance benchmarking on mitaka+fernet15:36
mnaserwe quite rarely see things like revoked tokens on our cloud oddly enough.. people so very rarely do it15:36
dolphmmnaser: i think that's true for most deployments in the real world, unless it's under artificial load (i.e. tempest or some other test suite)15:37
*** mhickey has quit IRC15:37
lbragstaddolphm that would be awesome15:37
*** EinstCrazy has quit IRC15:38
ktychkovaayoung: It is possible to use http check, I am going to update patch, thank you for comment15:38
*** pai15 has quit IRC15:38
mnaseris there not another way to have glance contact/work with keystone without the token expiring (therefore maintaining our existing 1 hour token timeout)?15:39
bretonayoung: looks like it doesn't. And it won't work in a federated use case at all.15:39
tjcocozzping stevemar15:40
tjcocozzstevemar, you were the first +2 on https://review.openstack.org/#/c/267590/15:41
* ayoung puts on Fargo accent15:41
ayoungbreton, well, there ya go!15:41
stevemartjcocozz: what about?15:41
* ayoung takes off Fargo accent as it does not really fit15:41
*** ngupta has joined #openstack-keystone15:41
tjcocozzstevemar, you also +1 workflowed the patch15:41
* dims bows to ayoung 15:41
* ayoung leap frogs over dims back while he is bowing15:42
bretonyes, I haven't thought of federated use case.15:42
stevemartjcocozz: saying there should have been another +2 on it?15:42
ayoungdims, now back to http://hairycode.org/2016/01/13/deploying-an-openstack-undercloudovercloud-on-a-single-server-from-my-laptop-with-ansible/15:43
tjcocozzstevemar, I figured since everyone is having technical problems with gerrit, I'd let you know.15:43
*** ngupta has quit IRC15:44
stevemartjcocozz: no, i said screw it and invoked ptl powers. it's a doc change and we've had 4 of them in separate repos15:44
stevemartjcocozz: 4 of the same changes15:44
tjcocozzstevemar, haha that makes sense.15:45
dimsayoung : neat thanks for the link15:45
ayoungdims, it is what my day job is paying me to beat on right now15:45
stevemartjcocozz: the quicker these tiny patches go in, the better, as far as i'm concerned15:46
*** ngupta has joined #openstack-keystone15:46
tjcocozzstevemar, then people can't jump on the +1 bandwagon :-(15:46
stevemartjcocozz: the bandwagon is leaving the station!15:47
stevemartjcocozz: there are a lot more important changes to review :)15:47
*** doug-fish has joined #openstack-keystone15:47
tjcocozzstevemar, agreed!15:47
*** phalmos has quit IRC15:48
*** itlinux has joined #openstack-keystone15:48
*** doug-fis_ has joined #openstack-keystone15:49
*** mhickey has joined #openstack-keystone15:49
*** petertr7 is now known as petertr7_away15:50
*** pai15 has joined #openstack-keystone15:50
*** ayoung has quit IRC15:52
*** doug-fish has quit IRC15:52
*** phalmos has joined #openstack-keystone15:59
*** GB21 has quit IRC16:00
*** petertr7_away is now known as petertr716:01
*** doug-fis_ has quit IRC16:01
*** doug-fish has joined #openstack-keystone16:01
*** doug-fish has quit IRC16:01
*** doug-fish has joined #openstack-keystone16:02
*** vgridnev has quit IRC16:03
*** phalmos has quit IRC16:03
*** roxanagh_ has joined #openstack-keystone16:04
*** vgridnev has joined #openstack-keystone16:04
*** vgridnev has quit IRC16:05
*** belmoreira has quit IRC16:06
*** doug-fish has quit IRC16:07
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity  https://review.openstack.org/26204516:07
*** henrynash_ has joined #openstack-keystone16:09
*** ChanServ sets mode: +v henrynash_16:09
*** roxanagh_ has quit IRC16:09
*** ayoung has joined #openstack-keystone16:09
*** ChanServ sets mode: +v ayoung16:09
*** petertr7 is now known as petertr7_away16:10
*** fawadkhaliq has joined #openstack-keystone16:11
*** fawadkhaliq has quit IRC16:11
*** fawadkhaliq has joined #openstack-keystone16:12
*** vivekd has joined #openstack-keystone16:12
*** tonytan4ever has joined #openstack-keystone16:14
*** lhinds has joined #openstack-keystone16:15
lbragstadstevemar I think the access_token_id needs to be persisted in the fernet token16:15
*** roxanagh_ has joined #openstack-keystone16:16
*** lhinds has quit IRC16:19
*** lhinds has joined #openstack-keystone16:20
*** lhinds is now known as LukeH16:20
*** LukeH has quit IRC16:21
*** doug-fish has joined #openstack-keystone16:23
*** fhubik is now known as fhubik_brb16:23
*** itlinux has quit IRC16:24
*** doug-fis_ has joined #openstack-keystone16:24
*** woodster_ has joined #openstack-keystone16:25
*** petertr7_away is now known as petertr716:25
*** vivekd has quit IRC16:26
*** doug-fish has quit IRC16:27
*** Guest77121 is now known as med_16:28
*** med_ has quit IRC16:28
*** med_ has joined #openstack-keystone16:28
*** fhubik_brb is now known as fhubik16:28
*** doug-fis_ has quit IRC16:28
*** doug-fish has joined #openstack-keystone16:30
openstackgerritAjaya Agrawal proposed openstack/keystone: Remove assignments when deleting a domain  https://review.openstack.org/12743316:32
*** spandhe has joined #openstack-keystone16:32
*** _zouyee has joined #openstack-keystone16:36
*** vivekd has joined #openstack-keystone16:37
stevemarlbragstad: that'll suck16:38
*** jorge_munoz1 has joined #openstack-keystone16:46
*** csoukup has joined #openstack-keystone16:48
jorge_munoz1In Keystone, in order to re-delegate a trust, whose token should be used to create the new trust? The trustee's trusted token? I get forbidden 403 when using a trustee's trusted token to create a new trust.16:50
*** Guest99924 is now known as topol16:51
*** ChanServ sets mode: +v topol16:52
lbragstadstevemar are access_token_ids unique to consumer_ids?16:53
stevemarlbragstad: you mean consumer_ids? yes16:54
*** pgbridge has joined #openstack-keystone16:54
*** vivekd has quit IRC16:54
lbragstadstevemar yes - http://cdn.pasteraw.com/4xd2kazr2qxwlgjmj2ft05ysgouyzwl16:55
lbragstadi can retrieve the consumer id from the access token id?16:55
lbragstadi think i can?16:55
stevemarthey are both uuids too16:55
*** petertr7 is now known as petertr7_away16:57
*** pumaranikar has joined #openstack-keystone16:57
*** dslev has quit IRC16:58
*** rderose has joined #openstack-keystone17:00
*** spandhe has quit IRC17:01
*** pai15 has quit IRC17:04
*** dslev has joined #openstack-keystone17:06
*** pai15 has joined #openstack-keystone17:09
*** dslev has quit IRC17:09
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity  https://review.openstack.org/26204517:09
*** pai15 has quit IRC17:10
*** pai15 has joined #openstack-keystone17:11
*** raildo is now known as raildo-afk17:12
*** pai15 has quit IRC17:12
*** pai15_ has joined #openstack-keystone17:13
*** pai15_ has quit IRC17:13
*** rderose has quit IRC17:15
*** pai15_ has joined #openstack-keystone17:15
*** pai15_ has quit IRC17:16
*** pai15_ has joined #openstack-keystone17:16
*** pai15_ has quit IRC17:17
*** pai15_ has joined #openstack-keystone17:18
*** pai15_ has quit IRC17:18
*** vgridnev has joined #openstack-keystone17:19
*** raildo-afk is now known as raildo17:20
*** gyee has joined #openstack-keystone17:22
*** ChanServ sets mode: +v gyee17:22
*** jistr has quit IRC17:29
*** lhinds has joined #openstack-keystone17:30
*** LukeH has joined #openstack-keystone17:31
*** jorge_munoz1 has quit IRC17:35
*** lhcheng has joined #openstack-keystone17:37
*** ChanServ sets mode: +v lhcheng17:37
*** e0ne has quit IRC17:40
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity  https://review.openstack.org/26204517:44
*** LukeH has quit IRC17:46
*** ankita_wagh has joined #openstack-keystone17:48
dolphmstevemar: keystone is missing deadlines on http://docs.openstack.org/releases/schedules/mitaka.html17:53
*** jorge_munoz1 has joined #openstack-keystone17:54
*** tonytan4ever has quit IRC17:57
*** GB21 has joined #openstack-keystone17:59
*** mhickey has quit IRC18:00
lhchengwould changing the error message on a method in backend driver require bumping up the driver?18:01
*** daemontool has quit IRC18:01
lhchengbeen getting a legacy_driver test failure for a change in error message. :(18:01
lhchenghttp://logs.openstack.org/79/265279/3/check/gate-keystone-tox-legacy_drivers/0d2d62c/console.html18:01
stevemardolphm: hmm, okay, i can add18:03
stevemardolphm: i figured if left empty, the defaults would apply18:04
stevemardolphm: but i can make it explicit18:04
dolphmstevemar: there's no "default" for spec freeze, etc18:04
stevemardolphm: k, i'll do it after i eat18:04
dolphmi don't think Cinder needed to put their feature freeze on the calendar though, for example18:05
dolphm(it's the same as the general feature freeze)18:05
dolphmstevemar: and mitaka-2 is our feature proposal freeze, right? i don't think any other projects have one on the calendar18:06
*** fesp has joined #openstack-keystone18:09
*** _cjones_ has joined #openstack-keystone18:09
*** fesp has quit IRC18:09
openstackgerritMorgan Fainberg proposed openstack/keystone: Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10  https://review.openstack.org/26502418:12
*** _cjones_ has quit IRC18:13
*** _cjones_ has joined #openstack-keystone18:13
*** sigmavirus24 is now known as sigmavirus24_awa18:15
*** sigmavirus24_awa is now known as sigmavirus2418:19
*** jsavak has quit IRC18:20
*** tonytan4ever has joined #openstack-keystone18:20
*** spzala has quit IRC18:22
*** spzala has joined #openstack-keystone18:23
*** petertr7_away is now known as petertr718:24
openstackgerritWang Bo proposed openstack/python-keystoneclient: Fix filter() returning list in python3  https://review.openstack.org/26678718:25
*** spzala has quit IRC18:27
*** _zouyee has quit IRC18:27
*** peter-hamilton has quit IRC18:32
*** jaosorior has quit IRC18:33
*** spandhe has joined #openstack-keystone18:34
*** jasonsb has joined #openstack-keystone18:36
*** ajayaa has quit IRC18:42
ayoungIf anyone wants to review Implied Roles and needs a walkthrough, I am more than willing to give it.  https://review.openstack.org/#/c/264260/18:45
*** pnavarro has quit IRC18:47
*** e0ne has joined #openstack-keystone18:48
*** fhubik has quit IRC18:48
*** aix has quit IRC18:49
*** ankita_wagh has quit IRC18:50
*** ankita_wagh has joined #openstack-keystone18:51
*** peter-hamilton has joined #openstack-keystone18:53
*** Guest67265 has quit IRC18:54
dstanekayoung: you should audio (or video) record a walk through18:58
notmorgandstanek: screencast!18:58
ayoungdstanek, notmorgan looks like you two just volunteered18:59
dstanekayoung: i would if i knew all the information :-)18:59
ayoungdstanek, implied roles are pretty straightforward19:00
ayoungif we create a rule that says admin implies member, when you assign someone admin, you implicitly assign them member as well19:00
ayoungwe expand the rules when listing roles19:01
ayoungso, the first step was to get a migration in.  I split that into a separate review  to beat the race on the rebase chase19:01
ayoungdstanek, but pulling up a merged review seems to be problematic at the moment...let me pull from git19:02
ayoungdstanek, http://git.openstack.org/cgit/openstack/keystone/commit/?id=008aee4789e63f3c08da7f0794276f6b5185ee7719:02
ayoungit's a two-column table, a prior role implies an implied role19:03
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844219:03
openstackgerritDavid Stanek proposed openstack/keystone: Removed deprecated revoke KVS backend  https://review.openstack.org/26777719:03
*** tsymanczyk has joined #openstack-keystone19:04
*** tsymanczyk is now known as Guest8776319:04
ayoungdstanek, so the review https://review.openstack.org/#/c/264260/  can be thought of as two pieces, and maybe I should have split it this way.  One is the driver CRD for the role inference rules.  The second is the changes to the assignment driver to expand them in the list19:04
ayoungdstanek, so the driver changes are pretty simple:19:04
ayounghttps://review.openstack.org/#/c/264260/19/keystone/assignment/role_backends/sql.py19:04
ayoungCRD.  No update required19:04
ayoungLDAP is not supported, so that file is no-ops19:05
*** spandhe has quit IRC19:05
*** tonytan4ever has quit IRC19:11
*** lhcheng_ has joined #openstack-keystone19:11
dstanekayoung: i should have some time a little later to dive into that; is there prior art somewhere?19:11
ayoungdstanek, there is prior art, but it is not a direct map19:11
*** lhcheng has quit IRC19:12
dstanekayoung: any references would be helpful, if any exist19:12
*** tonytan4ever has joined #openstack-keystone19:12
ayoungdstanek, http://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/mitaka/implied-roles.rst  see the bottom of the page19:13
dstanekayoung: nice, thx19:14
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865019:15
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778119:15
*** fawadkhaliq has quit IRC19:17
*** Guest87763 has quit IRC19:17
*** spandhe has joined #openstack-keystone19:17
*** fawadkhaliq has joined #openstack-keystone19:17
*** fawadkhaliq has quit IRC19:19
*** tsymanczyk has joined #openstack-keystone19:20
*** tsymanczyk is now known as Guest2936619:21
*** andrewbogott has left #openstack-keystone19:23
*** spzala has joined #openstack-keystone19:23
henrynash_lbragstad: feel free to +2/A https://review.openstack.org/#/c/266617/3 (especially as you need it !)19:27
*** Guest29366 has quit IRC19:28
*** spzala has quit IRC19:29
*** roxanagh_ has quit IRC19:31
henrynash_lhcheng: what's the patch giving you that legacy error?19:31
*** roxanagh_ has joined #openstack-keystone19:31
*** roxanagh_ has quit IRC19:33
*** jsavak has joined #openstack-keystone19:34
openstackgerrithenry-nash proposed openstack/keystone: Correct docstrings for federation driver interface  https://review.openstack.org/26406819:35
*** spzala has joined #openstack-keystone19:36
lbragstadhenrynash_ will do - i'm working on the tests for https://review.openstack.org/#/c/267649/119:42
henrynash_lbragstad: np, thx19:42
lbragstadhenrynash thank you19:43
*** tonytan4ever has quit IRC19:43
henrynash_lhcheng: ping19:44
*** ayoung has quit IRC19:59
*** timcline has quit IRC20:00
*** spzala has quit IRC20:00
*** spzala has joined #openstack-keystone20:01
*** timcline has joined #openstack-keystone20:02
*** jasonsb has quit IRC20:03
*** spzala has quit IRC20:05
*** spzala has joined #openstack-keystone20:08
*** petertr7 is now known as petertr7_away20:08
*** gyee has quit IRC20:09
*** josecastroleon has quit IRC20:10
*** peter-hamilton has quit IRC20:10
*** henrynash_ has quit IRC20:11
*** josecastroleon has joined #openstack-keystone20:12
samueldmqhenrynash: this one https://review.openstack.org/#/c/265279/20:14
samueldmqhenrynash: it is lhcheng_'s patch failing with legacy tests20:14
*** ayoung has joined #openstack-keystone20:16
*** ChanServ sets mode: +v ayoung20:16
*** petertr7_away is now known as petertr720:18
openstackgerritHenrique Truta proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128920:21
stevemarnotmorgan: are you go for midcycle?20:21
openstackgerritHenrique Truta proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128920:22
*** topol has quit IRC20:23
*** topol_ has joined #openstack-keystone20:25
*** topol_ is now known as Guest3637020:25
*** timcline has quit IRC20:25
*** GB21 has quit IRC20:28
*** Guest36370 has quit IRC20:30
*** timcline has joined #openstack-keystone20:30
*** jsavak has quit IRC20:32
*** jsavak has joined #openstack-keystone20:32
*** spzala has quit IRC20:33
*** spzala has joined #openstack-keystone20:33
notmorganstevemar: haven't gotten to trying to book hotel etc20:35
notmorganstevemar:  still looking at it20:35
notmorganstevemar:  sorry20:35
*** spzala has quit IRC20:38
*** spzala has joined #openstack-keystone20:39
*** ankita_wagh has quit IRC20:39
*** topol__ has joined #openstack-keystone20:40
*** topol__ has quit IRC20:41
*** zeus has quit IRC20:42
*** bigjools has quit IRC20:42
*** tsymanczyk has joined #openstack-keystone20:43
*** topol_ has joined #openstack-keystone20:44
*** ChanServ sets mode: +v topol_20:44
*** tsymanczyk is now known as Guest2581420:44
*** tonytan4ever has joined #openstack-keystone20:44
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865020:44
openstackgerritLance Bragstad proposed openstack/keystone: Fix indentation for oauth context  https://review.openstack.org/26764920:44
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778120:44
stevemartopol_: test20:44
lbragstadtopol_ topol_ topol_ topol_20:44
*** _cjones_ has quit IRC20:44
topol_lbragstad: hush!20:44
topol_:)20:44
lbragstadt20:45
lbragstadto20:45
lbragstadtop20:45
lbragstadtopol_20:45
lbragstadit works!20:45
*** bigjools has joined #openstack-keystone20:46
lbragstadhenrynash heads up - https://review.openstack.org/#/c/266617/320:46
lbragstadstevemar heads up - https://review.openstack.org/#/c/267649/220:46
lbragstadstevemar and - https://review.openstack.org/#/c/267781/220:46
sigmavirus24stevemar: lbragstad what's going on with topol_ ?20:47
lbragstadsigmavirus24 i'm not sure what's up with topol_20:47
lbragstadsigmavirus24 apparently topol_ needs testing20:47
sigmavirus24lbragstad: why would topol_ need testing?20:47
lbragstadtopol_ why do you need testing?20:48
*** jasonsb has joined #openstack-keystone20:48
*** zeus has joined #openstack-keystone20:49
*** zeus is now known as Guest7794620:50
topol_lbragstad stevemar your punching bag is now here online20:51
topol_stevemar I'm gonna add changing my nickname to topol20:51
*** topol_ is now known as topol20:52
stevemarsigmavirus24: lbragstad maybe topol_ needs nesting?20:53
stevemarlbragstad: he ain't working as well as he used to :(20:53
stevemarlbragstad: even the best products start showing signs of aging20:53
stevemarlbragstad: you'll be there one day, entering your 20s is the first step20:53
stevemarlet me know when that happens20:53
stevemartopol_: do i look like i exercise with a punching bag?20:53
stevemartopol_: i will shutdown your VM20:53
*** ankita_wagh has joined #openstack-keystone20:53
lbragstadstevemar lol20:53
topolI'll be good20:54
notmorganoh look topol is back20:55
stevemarnotmorgan: please tease him relentlessly20:55
topolnotmorgan just had a few opening night jitters20:56
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Bandit profile updates  https://review.openstack.org/26781020:57
*** ngupta has quit IRC20:59
*** pauloewerton has quit IRC21:01
*** _cjones_ has joined #openstack-keystone21:02
*** vgridnev has quit IRC21:04
topollbragstad, notmorgan, stevemar someone in my hometown of Melbourne won the Powerball.   Let me call my parents and see if I have to take y'all's crap anymore...21:05
topol...21:05
topol...21:05
lbragstadtopol are you friends with said person? ;)21:06
topollbragstad, notmorgan stevemar rest easy, they didn't win21:06
*** jasonsb has quit IRC21:06
stevemarlbragstad: his parents stopped being friends with him21:07
lbragstadawww #powerballfail21:07
*** spzala has quit IRC21:07
*** spzala has joined #openstack-keystone21:08
topolstevemar, lbragstad, notmorgan I believe it was someone who worked at the local Publix grocery store. I'm sure they are very excited21:08
lbragstadtopol i can imagine !21:09
*** raildo is now known as raildo-afk21:09
lhcheng_henrynash: just got back, any idea on the legacy driver error (https://review.openstack.org/#/c/265279/)? Do I have to bump the driver version?21:12
*** spzala has quit IRC21:12
openstackgerritMerged openstack/keystonemiddleware: Replace deprecated library function os.popen() with subprocess  https://review.openstack.org/26695321:13
*** ryanpetrello has quit IRC21:18
*** ayoung has quit IRC21:20
*** ryanpetrello has joined #openstack-keystone21:22
*** vgridnev has joined #openstack-keystone21:27
*** harlowja has quit IRC21:27
*** aix has joined #openstack-keystone21:28
*** Guest77946 has quit IRC21:28
*** zeus has joined #openstack-keystone21:30
*** zeus is now known as Guest1678221:30
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865021:34
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778121:34
*** bigjools has quit IRC21:34
stevemarnotmorgan: ayoung? heads up that we still need to deprecate the ADMIN_TOKEN if you want to complete the bootstrapping bp21:35
notmorganstevemar: when devstack change is merged21:35
notmorganstevemar: otherwise i don't think we can mark it deprecated.21:35
stevemarnotmorgan: pretty sure it's gating or +2ed a bunch21:35
notmorganaye21:35
notmorganthen yes :)21:35
*** ankita_w_ has joined #openstack-keystone21:36
*** ankita_wagh has quit IRC21:36
*** bigjools has joined #openstack-keystone21:37
*** bigjools has quit IRC21:37
*** bigjools has joined #openstack-keystone21:37
*** stevemar changes topic to "Mitaka-2 Deadline Jan 19th!!!!! | Mitaka-2: https://launchpad.net/keystone/+milestone/mitaka-2 | MidCycle: https://wiki.openstack.org/wiki/Sprints/KeystoneMitakaSprint"21:39
*** stevemar changes topic to "Mitaka-2 deadline Jan 19th!!! | MidCycle: https://wiki.openstack.org/wiki/Sprints/KeystoneMitakaSprint | Mitaka-2: https://launchpad.net/keystone/+milestone/mitaka-2"21:39
stevemarthat was laggy21:39
*** henrynash_ has joined #openstack-keystone21:40
*** ChanServ sets mode: +v henrynash_21:40
stevemardeadline!! review review review!21:40
*** dims has quit IRC21:42
*** dims_ has joined #openstack-keystone21:42
notmorganstevemar: removing invalid bug from the milestone21:43
notmorganhttps://bugs.launchpad.net/keystone/+bug/127669421:43
openstackLaunchpad bug 1276694 in Sahara "Openstack services should support SIGHUP signal" [Medium,In progress] - Assigned to Sergey Lukjanov (slukjanov)21:43
*** jsavak has quit IRC21:45
*** jamielennox|away is now known as jamielennox21:49
*** jsavak has joined #openstack-keystone21:50
*** ayoung has joined #openstack-keystone22:01
*** ChanServ sets mode: +v ayoung22:01
*** Guest25814 is now known as tsymanczyk22:02
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity  https://review.openstack.org/26204522:02
tsymanczykIn case anyone else is interested, I've written a python script to validate and clean up old role assignments. In our ~couple-year-old production environment, running it last night ended up removing 3979 invalid role assignments. I assume we're not the only ones with that situation.22:03
tsymanczykhttps://github.com/Symantec/KeystoneTools/tree/master/dead-role-cleanup22:03
*** vgridnev has quit IRC22:08
*** spzala has joined #openstack-keystone22:08
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity  https://review.openstack.org/26204522:11
openstackgerrithenry-nash proposed openstack/keystone: Add tests for role management with v3policy file  https://review.openstack.org/26184622:11
*** spzala has quit IRC22:13
openstackgerrithenry-nash proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261422:15
openstackgerrithenry-nash proposed openstack/keystone: Add tests for role management with v3policy file  https://review.openstack.org/26184622:15
*** e0ne has quit IRC22:15
*** gordc has quit IRC22:17
*** vgridnev has joined #openstack-keystone22:19
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995822:24
*** petertr7 is now known as petertr7_away22:24
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995822:26
*** petertr7_away is now known as petertr722:28
*** timcline has quit IRC22:29
*** Guest16782 is now known as zeus22:32
*** zeus has quit IRC22:32
*** zeus has joined #openstack-keystone22:32
*** ayoung has quit IRC22:37
lbragstaddstanek did you ever pass me a diff of the notification thing you were talking about?22:42
*** vgridnev has quit IRC22:42
*** petertr7 is now known as petertr7_away22:44
*** gildub has joined #openstack-keystone22:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy SQL driver  https://review.openstack.org/21200622:47
*** harlowja has joined #openstack-keystone22:50
*** ninag has quit IRC22:53
*** ninag has joined #openstack-keystone22:54
*** dims_ has quit IRC22:54
openstackgerrithenry-nash proposed openstack/keystone: Add CRUD support for domain specific roles  https://review.openstack.org/26187022:57
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specific roles  https://review.openstack.org/26207822:58
*** ninag has quit IRC22:58
*** browne has quit IRC22:59
*** sigmavirus24 is now known as sigmavirus24_awa22:59
lhcheng_henrynash_: any idea on https://review.openstack.org/#/c/265279/ ?22:59
henrynash_lhcheng_: looks to me like it is behaving as expected! You have changed the V9 driver and then written a test that checks that behavior…which will fail against a V8 driver, which is exactly what the legacy test failure is telling you23:01
*** doug-fish has quit IRC23:02
henrynash_lhcheng_: if you are OK with your functionality not being present when running a V8 driver, then you should add an override to your test in the legacy federation test class23:02
henrynash_lhcheng_: which is in tests/unit/backend/legacy_drivers/federation/V823:04
*** jsavak has quit IRC23:05
*** e0ne has joined #openstack-keystone23:06
*** pumaranikar has quit IRC23:06
*** pumaranikar has joined #openstack-keystone23:06
lhcheng_henrynash_: great catch by the test!23:07
*** pumaranikar has quit IRC23:07
henrynash_lhcheng_: that’s what they’re there for!23:07
*** pumaranikar has joined #openstack-keystone23:07
*** jorge_munoz1 has quit IRC23:10
*** spzala has joined #openstack-keystone23:10
*** spzala has quit IRC23:10
*** spzala has joined #openstack-keystone23:10
*** ayoung has joined #openstack-keystone23:11
*** ChanServ sets mode: +v ayoung23:11
lhcheng_henrynash_: do you mean overriding the test method in legacy federation test class ?23:11
*** pumaranikar has quit IRC23:12
lhcheng_henrynash_: wondering how to structure the test better for that - https://review.openstack.org/#/c/265279/3/keystone/tests/unit/test_v3_federation.py23:12
lhcheng_henrynash_: perhaps it would be better to add a new method that extends from test_check_idp_uniqueness(), and make it a no-op for the v8 driver?23:13
henrynash_lhcheng_: typically what people have done (and we are early in this process) is have an override for the test in the legacy test class, in this case in FederatedIdentityProviderTestsV823:14
lhcheng_henrynash_: alright, sounds good to me.23:16
lhcheng_henrynash_: appreciate the help sir23:16
henrynash_lhcheng_: yw….note that there is a change in flight from me to that legacy test file…hmm, thought it had already landed…..just adding tests for some of the other federation test classes23:17
lhcheng_henrynash_: let's land it then :P23:18
*** tsymanczyk has quit IRC23:19
henrynash_lhcheng_: np..it’s already landed23:20
lhcheng_henrynash_: excellent23:20
*** gyee has joined #openstack-keystone23:21
*** ChanServ sets mode: +v gyee23:21
*** henrynash_ has quit IRC23:22
*** dims has joined #openstack-keystone23:27
*** ninag has joined #openstack-keystone23:28
*** slberger has left #openstack-keystone23:29
*** ninag has quit IRC23:32
*** spzala has quit IRC23:36
*** spzala has joined #openstack-keystone23:36
*** tsymanczyk has joined #openstack-keystone23:39
*** tsymanczyk is now known as Guest9368723:40
*** spzala has quit IRC23:41
*** henrynash_ has joined #openstack-keystone23:46
*** ChanServ sets mode: +v henrynash_23:46
openstackgerrithenry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles  https://review.openstack.org/26306423:48
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments  https://review.openstack.org/26354923:48
*** e0ne has quit IRC23:49
henrynash_gyee: if you have a moment, could you take a look at: https://review.openstack.org/#/c/260335/ relatively simple23:57
*** csoukup has quit IRC23:59
*** Guest93687 has quit IRC23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!