Thursday, 2016-04-21

00:02 *** mylu has quit IRC
00:02 *** sdake_ has quit IRC
00:03 *** mylu has joined #openstack-keystone
00:04 *** gyee has joined #openstack-keystone
00:04 *** ChanServ sets mode: +v gyee
00:04 *** rderose has joined #openstack-keystone
00:05 *** mylu has quit IRC
00:07 *** mylu has joined #openstack-keystone
00:09 *** mylu has quit IRC
00:13 *** sdake__ has quit IRC
00:14 *** gyee has quit IRC
00:21 *** spzala has joined #openstack-keystone
00:25 *** doug-fish has joined #openstack-keystone
00:28 *** jamielennox|away is now known as jamielennox
00:36 *** browne1 has joined #openstack-keystone
00:38 *** Kimmo_ has quit IRC
00:39 *** browne has quit IRC
00:39 *** xek has quit IRC
00:39 *** LZ has quit IRC
00:39 *** trey has quit IRC
00:39 *** tqtran has quit IRC
00:39 *** spzala has quit IRC
00:39 *** iurygregory has quit IRC
00:40 *** rderose has quit IRC
00:40 *** spzala has joined #openstack-keystone
00:46 *** trey has joined #openstack-keystone
00:47 *** dan_nguyen has quit IRC
00:49 *** jamielennox is now known as jamielennox|away
00:51 *** jamielennox|away is now known as jamielennox
00:52 *** LZ has joined #openstack-keystone
00:55 *** iurygregory has joined #openstack-keystone
00:57 *** spzala has quit IRC
00:59 *** spzala has joined #openstack-keystone
01:04 *** spzala has quit IRC
01:14 *** rderose has joined #openstack-keystone
01:17 *** raddaoui has quit IRC
01:21 *** mylu has joined #openstack-keystone
01:24 *** doug-fish has quit IRC
01:30 *** EinstCrazy has joined #openstack-keystone
01:30 *** mylu has quit IRC
01:33 *** mylu has joined #openstack-keystone
01:37 *** spzala has joined #openstack-keystone
01:38 *** spzala has quit IRC
01:38 *** spzala has joined #openstack-keystone
01:39 *** spzala has quit IRC
01:39 *** spzala has joined #openstack-keystone
01:43 *** mylu has quit IRC
01:43 *** mylu has joined #openstack-keystone
01:51 *** browne1 has quit IRC
01:56 *** rderose has quit IRC
01:58 *** rderose has joined #openstack-keystone
02:12 *** timonwong_ has quit IRC
02:12 *** timonwong_ has joined #openstack-keystone
02:13 *** timcline has quit IRC
02:29 *** browne has joined #openstack-keystone
02:30 *** dan_nguyen has joined #openstack-keystone
02:32 *** timcline has joined #openstack-keystone
02:34 *** doug-fish has joined #openstack-keystone
02:37 *** Kimmo_ has joined #openstack-keystone
02:46 *** richm has quit IRC
02:47 *** timonwong_ has quit IRC
02:50 *** lhcheng has quit IRC
02:52 *** zqfan has quit IRC
03:21 *** jamielennox is now known as jamielennox|away
03:23 *** sdake has joined #openstack-keystone
03:24 *** sdake_ has joined #openstack-keystone
03:25 *** doug-fish has quit IRC
03:27 *** mylu has quit IRC
03:27 *** sdake has quit IRC
03:27 *** doug-fish has joined #openstack-keystone
03:30 *** lhcheng has joined #openstack-keystone
03:30 *** ChanServ sets mode: +v lhcheng
03:30 *** links has joined #openstack-keystone
03:37 *** dave-mccowan has quit IRC
03:40 *** spzala has quit IRC
03:40 *** spzala has joined #openstack-keystone
03:42 *** navidp has joined #openstack-keystone
03:43 *** mylu has joined #openstack-keystone
03:45 *** spzala has quit IRC
03:45 *** dan_nguyen has quit IRC
03:54 *** timonwong_ has joined #openstack-keystone
03:59 *** wxy has joined #openstack-keystone
04:03 *** navidp has quit IRC
04:04 *** rderose has quit IRC
04:05 *** browne has quit IRC
04:10 *** bapalm has quit IRC
04:10 *** tjcocozz has quit IRC
04:12 *** bapalm has joined #openstack-keystone
04:13 *** sdake_ has quit IRC
04:26 *** doug-fish has quit IRC
04:28 *** timonwong_ has quit IRC
04:32 *** mylu has quit IRC
04:33 *** mylu has joined #openstack-keystone
04:36 *** sdake has joined #openstack-keystone
04:40 *** Nirupama has joined #openstack-keystone
04:41 *** spzala has joined #openstack-keystone
04:41 *** TxGVNN has joined #openstack-keystone
04:43 *** timonwong has joined #openstack-keystone
04:46 *** spzala has quit IRC
04:48 *** rcernin has quit IRC
04:49 *** david-nesher has quit IRC
04:50 *** doug-fish has joined #openstack-keystone
04:51 *** jasonsb has joined #openstack-keystone
04:54 *** doug-fish has quit IRC
04:57 *** maestro1 has joined #openstack-keystone
04:59 *** sheel has joined #openstack-keystone
05:01 *** spzala has joined #openstack-keystone
05:01 *** sdake_ has joined #openstack-keystone
05:03 *** sdake has quit IRC
05:05 *** maestro1 has quit IRC
05:05 *** spzala has quit IRC
05:06 *** maestro1 has joined #openstack-keystone
05:07 *** jaosorior has joined #openstack-keystone
05:09 *** mylu has quit IRC
05:10 *** ayoung has quit IRC
05:11 *** maestro1 has quit IRC
05:17 *** rcernin has joined #openstack-keystone
05:23 *** e0ne has joined #openstack-keystone
05:23 *** lhcheng_ has joined #openstack-keystone
05:26 *** lhcheng has quit IRC
05:28 *** ianw_ has quit IRC
05:29 *** ianw_ has joined #openstack-keystone
05:30 *** ianw_ has quit IRC
05:31 *** ianw has joined #openstack-keystone
05:34 *** ianw has quit IRC
05:34 *** ianw has joined #openstack-keystone
05:40 *** browne has joined #openstack-keystone
05:46 *** browne has quit IRC
05:48 *** ozialien has joined #openstack-keystone
05:50 *** roxanagh_ has joined #openstack-keystone
05:52 *** roxanagh_ has quit IRC
05:53 *** roxanagh_ has joined #openstack-keystone
05:58 *** roxanagh_ has quit IRC
05:59 *** josecastroleon has joined #openstack-keystone
06:01 *** TxGVNN has quit IRC
06:01 *** spzala has joined #openstack-keystone
06:06 *** spzala has quit IRC
06:17 *** andreykurilin has quit IRC
06:19 <openstackgerrit> Srushti Gadadare proposed openstack/keystone: Provide user friendly messages for db_sync  https://review.openstack.org/289316
06:22 *** ozialiendoze has joined #openstack-keystone
06:24 *** ozialien has quit IRC
06:25 *** lhcheng has joined #openstack-keystone
06:25 *** ChanServ sets mode: +v lhcheng
06:29 *** lhcheng_ has quit IRC
06:30 <openstackgerrit> Navid Pustchi proposed openstack/keystone: Fix D400 PEP257  https://review.openstack.org/308060
06:37 *** yolanda has quit IRC
06:40 *** henrynash has joined #openstack-keystone
06:40 *** ChanServ sets mode: +v henrynash
06:43 *** mylu has joined #openstack-keystone
06:47 *** yolanda has joined #openstack-keystone
06:48 *** mylu has quit IRC
06:52 *** zqfan has joined #openstack-keystone
06:54 *** roxanagh_ has joined #openstack-keystone
06:58 *** roxanagh_ has quit IRC
07:01 *** e0ne has quit IRC
07:02 *** spzala has joined #openstack-keystone
07:03 *** tesseract has joined #openstack-keystone
07:04 *** henrynash has quit IRC
07:04 *** tesseract is now known as Guest14509
07:07 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/307589
07:07 *** e0ne has joined #openstack-keystone
07:07 *** spzala has quit IRC
07:09 *** edtubill has quit IRC
07:16 *** fhubik_brb has joined #openstack-keystone
07:18 *** woodster_ has quit IRC
07:19 *** permalac has quit IRC
07:29 *** ozialien has joined #openstack-keystone
07:31 *** ozialiendoze has quit IRC
07:32 *** e0ne has quit IRC
07:35 *** agireud has quit IRC
07:42 *** agireud has joined #openstack-keystone
07:52 *** hogepodge has quit IRC
07:54 *** hogepodge has joined #openstack-keystone
08:00 *** zzzeek has quit IRC
08:00 *** zzzeek has joined #openstack-keystone
08:02 *** jed56 has joined #openstack-keystone
08:05 *** spzala has joined #openstack-keystone
08:09 *** spzala has quit IRC
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/306848
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/306848
08:13 *** jistr has joined #openstack-keystone
08:13 *** pnavarro has joined #openstack-keystone
08:19 *** fhubik_brb has quit IRC
08:22 *** jaosorior has quit IRC
08:26 *** lhcheng has quit IRC
08:27 *** markvoelker has quit IRC
08:30 *** jaosorior has joined #openstack-keystone
08:44 *** mylu has joined #openstack-keystone
08:49 *** mylu has quit IRC
08:57 *** mhickey has joined #openstack-keystone
08:59 *** dobson has quit IRC
09:04 <yolanda> sigmavirus24_awa, so you think it will be better to add a hook on before_record, instead of creating a custom serializer?
09:04 *** EinstCrazy has quit IRC
09:05 *** spzala has joined #openstack-keystone
09:05 *** EinstCrazy has joined #openstack-keystone
09:08 *** dobson has joined #openstack-keystone
09:10 *** spzala has quit IRC
09:26 *** mou has quit IRC
09:26 *** mou has joined #openstack-keystone
09:27 <evrardjp> good morning
09:27 *** markvoelker has joined #openstack-keystone
09:31 *** doug-fish has joined #openstack-keystone
09:32 *** markvoelker has quit IRC
09:36 *** henrynash has joined #openstack-keystone
09:36 *** ChanServ sets mode: +v henrynash
09:36 *** doug-fish has quit IRC
10:06 *** spzala has joined #openstack-keystone
10:10 *** EinstCrazy has quit IRC
10:11 *** spzala has quit IRC
10:12 *** e0ne has joined #openstack-keystone
10:21 *** henrynash has quit IRC
10:22 *** mou has quit IRC
10:22 *** Guest14509 has quit IRC
10:23 *** mou has joined #openstack-keystone
10:24 *** Guest14509 has joined #openstack-keystone
10:37 -openstackstatus- NOTICE: OVH servers are down, we are working to solve it. This will cause the job queue to be processed slowly, please have patience.
10:42 *** LZ has quit IRC
10:45 *** mylu has joined #openstack-keystone
10:45 *** timonwong has quit IRC
10:49 *** e0ne has quit IRC
10:50 *** mylu has quit IRC
10:52 *** jaosorior has quit IRC
10:53 *** jaosorior has joined #openstack-keystone
11:06 *** arunkant_ has joined #openstack-keystone
11:07 *** spzala has joined #openstack-keystone
11:08 *** arunkant has quit IRC
11:08 *** sdake_ has quit IRC
11:08 *** sdake has joined #openstack-keystone
11:11 *** spzala has quit IRC
11:12 *** ozialiendoze has joined #openstack-keystone
11:13 *** ozialien has quit IRC
11:17 *** doug-fish has joined #openstack-keystone
11:30 *** e0ne has joined #openstack-keystone
11:38 *** gordc has joined #openstack-keystone
12:00 *** mylu has joined #openstack-keystone
12:06 *** mylu has quit IRC
12:07 *** spzala has joined #openstack-keystone
12:10 *** csoukup has joined #openstack-keystone
12:12 *** spzala has quit IRC
12:15 *** krotscheck_dcm is now known as krotscheck
12:16 *** TxGVNN has joined #openstack-keystone
12:16 *** mou has quit IRC
12:17 *** markvoelker has joined #openstack-keystone
12:17 *** mou has joined #openstack-keystone
12:26 *** huats has quit IRC
12:26 *** huats_ has joined #openstack-keystone
12:26 *** huats_ has quit IRC
12:26 *** huats_ has joined #openstack-keystone
12:32 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/285521
12:32 *** dave-mccowan has joined #openstack-keystone
12:39 *** e0ne has quit IRC
12:42 *** e0ne has joined #openstack-keystone
12:47 *** Nirupama has quit IRC
12:48 -openstackstatus- NOTICE: OVH provider is enabled again, please wait for the job queue to be processed
12:56 *** richm has joined #openstack-keystone
12:56 *** henrynash has joined #openstack-keystone
12:56 *** ChanServ sets mode: +v henrynash
12:58 *** mhickey has quit IRC
12:58 *** itlinux has joined #openstack-keystone
12:59 *** links has quit IRC
13:01 *** e0ne has quit IRC
13:02 *** henrynash has quit IRC
13:06 *** ozialien has joined #openstack-keystone
13:06 *** ozialiendoze has quit IRC
13:07 *** mylu has joined #openstack-keystone
13:08 *** spzala has joined #openstack-keystone
13:12 *** ozialiendoze has joined #openstack-keystone
13:13 *** doug-fish has quit IRC
13:13 *** doug-fish has joined #openstack-keystone
13:13 *** spzala has quit IRC
13:13 *** ozialien has quit IRC
13:17 *** doug-fish has quit IRC
13:19 *** tellesnobrega is now known as tellesnobrega_af
13:23 *** EinstCrazy has joined #openstack-keystone
13:24 *** spzala has joined #openstack-keystone
13:25 *** csoukup has quit IRC
13:27 *** doug-fish has joined #openstack-keystone
13:28 *** BjoernT has joined #openstack-keystone
13:29 *** trown|outtypewww is now known as trown
13:29 *** doug-fis_ has joined #openstack-keystone
13:30 *** mylu has quit IRC
13:30 *** sdake_ has joined #openstack-keystone
13:32 *** sdake has quit IRC
13:33 *** aimeeU has joined #openstack-keystone
13:33 *** doug-fish has quit IRC
13:36 *** BjoernT is now known as Bjoern_zZzZzZzZ
13:36 *** Bjoern_zZzZzZzZ is now known as BjoernT
13:41 *** cheneydc has joined #openstack-keystone
13:43 *** ametts has joined #openstack-keystone
13:46 <cheneydc> In policy of keystone, "admin_required": "role:admin or is_admin:1", where is the definition of the "admin" and "is_admin"?
13:57 *** mylu has joined #openstack-keystone
13:57 <cheneydc> anyone know?
14:00 *** sdake_ has quit IRC
14:00 <evrardjp> just to make sure of something, curl on :5000/v3/auth/tokens should give me the endpoints, right?
14:01 <bknudson> evrardjp: the token will include the service catalog for the user/project
14:02 <evrardjp> ok
14:02 <evrardjp> what if it doesn't?
14:02 <bknudson> you might have an unscoped token
14:02 <evrardjp> wrong curl request?
14:02 <evrardjp> ok
14:02 <bknudson> or maybe your catalog is empty
14:02 *** sdake has joined #openstack-keystone
14:02 *** BigWillie has joined #openstack-keystone
14:03 <bknudson> I think we've discussed putting the identity endpoints in an unscoped token before.
14:05 <evrardjp> I'm sorry, I'm trying to reproduce what I had yesterday, point by point
14:07 <sigmavirus24_awa> yolanda: I do
14:09 <yolanda> sigmavirus24_awa, I'll stop the work on the custom fixture until we have the hooks then
14:09 *** slberger has joined #openstack-keystone
14:10 <sigmavirus24_awa> yolanda: I just want to write some docs and integration tests and I'll be ready to ship the hooks for you
14:11 *** gagehugo has joined #openstack-keystone
14:11 <yolanda> sigmavirus24_awa, great
14:12 *** e0ne has joined #openstack-keystone
14:14 *** raddaoui has joined #openstack-keystone
14:15 *** daemontool has joined #openstack-keystone
14:18 <cheneydc> I installed Mitaka, but after I use policy.v3cloudsample.json I cannot log in to Horizon; I also updated Horizon to use the v3 API
14:21 <cheneydc> Actually when I access Horizon, I get an error page :(
14:23 *** Ephur has joined #openstack-keystone
14:27 *** josecastroleon has quit IRC
14:27 *** timcline has quit IRC
14:29 *** roxanagh_ has joined #openstack-keystone
14:31 *** itlinux has quit IRC
14:31 *** ayoung has joined #openstack-keystone
14:31 *** ChanServ sets mode: +v ayoung
14:31 *** itlinux has joined #openstack-keystone
14:33 *** roxanagh_ has quit IRC
14:35 *** nkinder has quit IRC
14:35 <breton> i still wonder why keystone.tests.unit.test_cli.CliNoConfigTestCase.test_cli fails
14:36 <amakarov> ayoung, there are guys in openstack losing their faith in keystone :) https://github.com/catalyst/stacktask/
14:37 <ayoung> amakarov, let them.  I lost faith in Keystone years ago
14:37 <amakarov> have you seen "new service for user management and admin tasks with keystone" ML
14:37 <amakarov> ?
14:37 <ayoung> amakarov, yep
14:38 <openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: Added X-Forwarding-For support  https://review.openstack.org/309038
14:38 <ayoung> amakarov, cuz no one actually understands the real problems of OpenStack.  There is a reason Keystone has moved to Federation and Delegation
14:39 <ayoung> Cargo cult on a hack of a bad idea ....
14:39 *** nkinder has joined #openstack-keystone
14:39 <breton> what is this reason?
14:40 *** timcline has joined #openstack-keystone
14:40 <breton> and what are the real problems?
14:40 <breton> ayoung: sounds like a good subject for a blogpost
14:40 <amakarov> ayoung, true. It seems no torture in the world can force other teams to come and say "hey, we need this!"
14:40 <ayoung> breton, read through my archive....
14:41 <ayoung> amakarov, yep
14:42 <openstackgerrit> Brant Knudson proposed openstack/keystone: Add other-requirements.txt  https://review.openstack.org/308477
14:43 <ayoung> breton, amakarov maybe they will come up with some good ideas and we'll be able to merge them on in...meanwhile, let people dream.  Things happen so slowly here in Keystone for a reason.
14:44 <ayoung> personally I would prefer to find an authentication story that works without bearer tokens
14:44 *** roxanagh_ has joined #openstack-keystone
14:44 <amakarov> Yes, master Oogway
14:45 <amakarov> ayoung, what criteria can be used to define a token as "bearer"?
14:45 <ayoung> There are no accidents
14:46 <ayoung> amakarov, if possession of the token alone provides access to the resources.
14:46 <ayoung> amakarov, OK...here's the full rant.
14:46 <ayoung> There are 3 means to authenticate on the web.
14:46 <ayoung> Passwords, X509 Client Certs, Kerberos
14:46 <ayoung> Passwords provide the least management overhead, but have the most security vulnerabilities
14:47 <ayoung> X509 is the most secure, and the biggest pain to implement
14:47 <ayoung> Kerberos is in the middle (believe it or not) but requires centralization
14:47 <ayoung> Kerberos is also very chatty
14:47 <ayoung> So, of them all, I like X509 the best, but the world is conspiring against me on that
14:48 <ayoung> Now, with X509, you use PKI, which means that only the holder of the private keys can sign something and get authorized.
14:48 *** TxGVNN has quit IRC
14:49 <ayoung> This is fine if you authenticate and authorize at the edges, but OpenStack has this damn "pass the token" attitude which means that Nova calls Glance and passes on the bearer token
14:49 <ayoung> you can't do that with PKI
14:49 <ayoung> there are better ways to do things IFF you have a trust set up between Nova and Glance.
14:49 <ayoung> But that does not solve things for third party apps.
14:49 <amakarov> ayoung, Just thought about trusts
14:50 <ayoung> and when I say "trust" there I don't mean Keystone Trust, I mean an implicit trust relationship
14:52 <amakarov> ayoung, so the problem is to change the token concept for a handshake concept and we remove the threat of the token being stolen?
14:53 *** Ephur has quit IRC
14:54 <amakarov> ayoung, actually there is no need to pass tokens around since no service populates it with data to be used elsewhere
14:54 <ayoung> amakarov, ok,  so  you have a warped view of things due to me
14:54 <ayoung> amakarov, assume for a moment that we had unified delegation
14:55 <ayoung> and so, instead of me passing a token to nova, I authenticated as Me, and specified a delegation ID
14:55 <ayoung> and when I say authenticate, I mean something crypto-secure.
14:55 <dstanek> amakarov: stacktask is stuff that doesn't belong in keystone anyway
14:55 <amakarov> ayoung, iirc that's the plan
14:56 <ayoung> yep...so the issue then becomes, 1.  how do we let people authenticate efficiently, and 2.  how do we do long, multi-step workflows
14:56 <amakarov> ayoung, glance folks already do it with trusts
14:56 <ayoung> amakarov, and remember, one reason OpenStack is successful is that there is a stable API;  many 3rd party apps out there. We can't implicitly trust them all, or really, should not trust any of them
14:56 *** jaosorior has quit IRC
14:56 <breton> so why not just set up x509 between nova and glance and perform authn in a middleware?
14:57 <amakarov> breton, ++
14:57 <ayoung> so if I go to Virgil's VM Factory, I should not be handing them a token with full access to everything I do
14:57 <ayoung> breton, that lets glance verify that the call came from nova and that is all
14:57 <breton> even not in middleware -- in apache
14:57 <ayoung> necessary but not sufficient
14:57 <breton> ok
14:57 <ayoung> now, with Kerberos, we have the idea of s4u2proxy
14:58 <ayoung> that means that when I go to Nova, nova would go to the KDC and get a proxy ticket as me
14:58 <ayoung> but, again, this is full credentials...or at least, Nova can always ask for full credentials, not just the limited ones I requested
14:58 <ayoung> this is why PKI tokens were written the way they were,
14:58 *** josecastroleon has joined #openstack-keystone
14:58 <ayoung> but that ship has sailed
14:59 <ayoung> and we were missing a lot of the pieces we needed to make use of them
14:59 <ayoung> but we could use SAML from K2K the exact way that I planned on using PKI tokens
14:59 <ayoung> however...PKI and SAML themselves fall back to Bearer tokens, and that is not really a nice thing
15:00 <ayoung> so, instead, let's get it so we have fine grained roles, and let a user request a token with the appropriate subset of roles for the workflow
15:00 <ayoung> then bearer tokens are a little less scary
15:00 <ayoung> make it so a scoped token cannot be traded for another scoped token (merges!)
15:00 <ayoung> merged!
15:00 <ayoung> and enforce that
15:01 <ayoung> Getting Glance to trust Nova is fine, but still only works for the "all these services have the same identity" approach
15:01 <ayoung> does not handle the less trusted 3rd party app
15:01 <ayoung> this is why Amazon has signed requests, which was something morgan and I have discussed on and off over the years
15:02 <ayoung> so...let's say we had signed requests.
15:02 <ayoung> That means that we are basing our infrastructure on X509, or at least PKI
15:02 <bknudson> signed requests put a burden on client users.
15:02 <ayoung> bknudson, exactly
15:02 <bknudson> not sure how you could do this with curl
15:02 <ayoung> bknudson, and does not handle 3rd party web apps, either
15:03 <ayoung> bknudson, it would be 2 stage;
15:03 <ayoung> openssl --sign <request>
15:03 <ayoung> curl -d @signedrequest.cms
15:03 <ayoung> and yes, that would suck
15:03 <bknudson> for every request
15:03 <bknudson> and I have to copy-paste expected headers
15:03 <dstanek> bknudson: or write a script
15:04 <ayoung> bknudson, yep, but keystoneauth could handle that for the Python case.
15:04 <ayoung> It still doesn't handle Horizon
15:04 <ayoung> so, let's agree it sucks
15:04 <ayoung> but a signed request is only necessary for multistage workflow
15:04 <bknudson> I'd prefer client cert.
15:04 <ayoung> bknudson, but that only works for auth at the surface
15:05 <ayoung> bknudson, I would prefer client cert or Kerberos as the basic
15:05 <ayoung> auth starting point
15:06 <ayoung> OK...so let's say we go with client cert.  I go to a Trove instance set up by some other group, and it wants to make changes inside my project...how much trust goes where?
15:06 <morgan> ayoung: oh hai
15:06 <morgan> i heard my name
15:06 *** henrynash has joined #openstack-keystone
15:06 *** ChanServ sets mode: +v henrynash
15:06 <ayoung> morgan, amakarov kicked over the hornets' nest, and found a soapbox
15:06 <ayoung> I'm on that soapbox now
15:06 <morgan> ayoung: signed requests and ditching tokens?
15:06 <morgan> and krb5?
15:06 <ayoung> morgan, yep
15:06 * morgan is just guessing
15:07 <morgan> LOL
15:07 <ayoung> and the problems with all of them
15:07 <ayoung> amakarov, so....here is what it should be:
15:07 *** roxanagh_ has quit IRC
15:07 <morgan> so, like i said before if we break apart user->service and service->service this becomes a lot easier to work on :)
15:07 <ayoung> morgan, service->service is exactly what I am ranting about
15:08 <ayoung> morgan, assume the service is third party and not to get full trust from anyone
15:08 <morgan> you know my view, service to service should NOT use the user's authz at all
15:08 <morgan> they're authorized to do X at the edge
15:08 <morgan> stop asking every step of the way
15:08 <morgan> "Can i boot an instance, yes? boot it"
15:08 <ayoung> morgan, exactly, but who gets to say what that other service can do?
15:09 <morgan> services must be implicitly trusted to do things.
15:09 <ayoung> See, for Trove, or a third party service, it should be trusts...explicitly set up by the user
15:09 <ayoung> have templates that are easy to stamp out.
15:09 <morgan> if you are talking to trove, ys
15:09 <morgan> yes*
15:09 <morgan> but if you're talking to trove via.. nova? (not a thing but for argument's sake)
15:09 <ayoung> for Nova to Glance, we just make a blanket trust...
15:09 <morgan> no
15:09 *** edtubill has joined #openstack-keystone
15:09 <morgan> heat is treated like a "user"
15:09 <morgan> not a trusted service
15:10 <ayoung> morgan, here is the sample setup I've been thinking
15:10 <ayoung> trove talks to heat.  Heat talks to nova and the rest
15:10 <morgan> ugh... my coffee cup's lid is defective :(
15:10 <ayoung> heat is the edge of the trust boundary
15:10 <morgan> newp
15:10 <ayoung> heat does trusts all over the place anyway
15:10 <morgan> heat is a user.
15:10 *** timcline_ has joined #openstack-keystone
15:10 <morgan> you must explicitly delegate trust to heat
15:10 <ayoung> morgan, that too
15:11 <morgan> consumers of heat likewise need to know what trust was delegated
15:11 <ayoung> yeah...but heat is in the business of telling the user how to set up trusts
15:11 <ayoung> and I think we should let it
15:11 *** phalmos has joined #openstack-keystone
15:11 <morgan> yeah that is fine. i mean you don't implicitly trust heat
15:11 <morgan> like say nova->glance
15:11 <morgan> or nova->cinder
15:11 <morgan> or nova->glance->swift
15:11 <ayoung> I'm almost thinking of heat as the "set up a trust" service because they have taken on that role
15:12 <dstanek> i've said this many times before. it would be great to have a graph of operations and a list of trusted services that can do those operations
15:12 <morgan> dstanek: yes.
15:12 <amakarov> ayoung, morgan let's make all trusts explicit for starters
15:12 <ayoung> dstanek,
15:12 <morgan> amakarov: no
15:12 <ayoung> amakarov, for now they are.
15:12 <morgan> amakarov: you are in no better shape than today. it's the same thing we have today
15:12 <ayoung> amakarov, what I think we need is a way to make them non-explicit
15:12 <morgan> amakarov: if we're moving the needle, we need to plan for the next step
15:13 <ayoung> morgan, I think what he said can be translated 2 ways
15:13 <amakarov> morgan, this can be settled in bootstraps/setups/install scripts
15:13 <morgan> amakarov: oh god no.
15:13 <ayoung> "for starters" meaning stage 1, not "for starters" as the basic rule
15:13 <amakarov> morgan, then gather these and see what should be implicit
15:13 <ayoung> so, we have explicit trusts right now
15:13 <morgan> dstanek: i think the best approach is get things split, then ratchet down with the callgraph
15:14 <ayoung> we need something that says "nova can do X Y and Z" on glance
15:14 <ayoung> and let Nova choose to do those
15:14 *** mylu has quit IRC
15:14 <ayoung> blanket trust there
15:14 <dstanek> morgan: by split you mean u->s and s->s?
15:14 <morgan> ayoung: the way i see it is that is not an optional configured thing.
15:14 <morgan> dstanek: ++
15:14 <ayoung> morgan, right
15:14 <dstanek> morgan: yeah, agreed
15:14 <morgan> ayoung: cool, we're on the same page :)
15:14 <ayoung> and s->s is setup type stuff...core trusted by one org
15:14 <ayoung> trove is on the other side of a boundary
15:15 <ayoung> and we make heat the gatekeeper to that boundary.
15:15 <dstanek> ayoung: right, the 'nova can do ...' is similar to what i was thinking
15:15 *** mou has quit IRC
15:15 <dstanek> i think i'm going a step further though
15:15 <ayoung> We don't want 3rd party projects setting up trusts for themselves
15:15 *** navidp has joined #openstack-keystone
15:15 *** e0ne has quit IRC
15:15 *** mou has joined #openstack-keystone
15:15 <morgan> ayoung: i think anything can fit into the heat area fwiw
15:15 <ayoung> If it is not heat, then we need to figure that out somewhere
15:15 <morgan> ayoung: but i'm content to say |service who can do trust things|
15:16 *** jaosorior has joined #openstack-keystone
15:16 <morgan> regardless of what it's named
15:16 <ayoung> morgan, except that apps are not thinking that they have to talk to heat to get trusts...everything is token based right now
15:16 <ayoung> "go to keystone, get token, hand token to mafia...."
15:16 <morgan> ayoung: if we get it to a point where we can make tokens go away....
15:16 <amakarov> ayoung, 5-min tokens ftw
15:16 <ayoung> so...something like DSR might be the right approach
15:16 <morgan> amakarov: nope, no bearer tokens ever
15:17 <morgan> amakarov: kill the tokens
15:17 <ayoung> morgan, so...that is where the rant started
15:17 <ayoung> in order for tokens to go away, we need an authentication story
15:17 *** navid_ has joined #openstack-keystone
15:17 <ayoung> X509 and Kerberos both suck in different ways
15:17 <morgan> ayoung: right. and oauth has other issues
15:17 <ayoung> and, swift would have collective apoplexy if we said they needed to support SAML ECP
15:17 <morgan> signed requests a different set
15:17 *** e0ne has joined #openstack-keystone
15:17 <morgan> oh dude can we say that just to watch the meltdown? :P
15:17 <bknudson> I don't see how kerberos is going to work on a public cloud.
15:18 <morgan> bknudson: it won't
15:18 <morgan> well it *could* but... let's just pretend it won't
15:18 <ayoung> bknudson, I'll wax poetic on that over beer next week if you want
15:18 <morgan> krb5 is great for public clouds... as a way to authorize AFS volumes
15:18 <bknudson> I might just not be familiar with it.
15:18 <ayoung> I think that the norm is going to be Federation to an offsite provider, which means we have to deal with SAML in OpenStack.
15:18 <ayoung> or OpenIDC
15:18 <morgan> OIDC
15:18 <morgan> most likely
15:19 <bknudson> although I have used kerberos in the past so not totally new to it.
15:19 *** raildo is now known as raildo-afk
15:19 <ayoung> bknudson, so...there have been some advances there.  Let's short circuit and say "it could be made to work if needs be" and leave it there for now
15:19 <ayoung> the real shortcoming is the spnego overhead
15:19 <bknudson> I have been surprised recently by web applications allowing enterprise logins using oidc.
15:19 <ayoung> multiple round trips on each request
15:19 *** navidp has quit IRC
15:20 <ayoung> so oidc and SAML are not Authentication Per Se
15:20 <bknudson> it asks for your email and if it's ibm.com you get redirected to an ibm signon.
15:20 * morgan is mostly concerned with splitting u->s and s->s in a "smart" way so all this is doable
15:20 <ayoung> they are more a proxy to some other authentication...bearer tokens when put into practice
15:21 <ayoung> but the real issue with either of them is that multiple round trips per request is painful
15:21 <ayoung> and we couldn't even get away with PKI tokens,  people wanted smaller inside OpenStack
15:21 <bknudson> I assume auth_token is still involved so can validate the client cert to get the user info
15:21 <ayoung> bknudson, something like auth token, but no
15:21 <ayoung> it would be more like this
15:21 <ayoung> say I use kerberos to Nova, nova would take the env vars post mod_auth_kerb and pack them up in a call to Keystone
15:22 <bknudson> auth_token could build a fake "token" which contains some data that it presents to the service?
15:22 <ayoung> it would have the same response as a token validation, but would be based on the Federation mapping
15:22 <ayoung> bknudson, exactly
15:22 <bknudson> why couldn't that be auth_token?
15:22 <morgan> bknudson: it could be
15:22 <ayoung> bknudson, cuz there is no token
15:22 <ayoung> auth_mappings?
15:22 <bknudson> oh, just the name.
15:22 <bknudson> sure.
15:23 <dstanek> ayoung: a quick, badly written and lacking description of what i was proposing a few summits ago https://etherpad.openstack.org/p/keystone-trusting-dstanek
15:23 <dstanek> some details are missing
15:23 <bknudson> right, let's remove the mechanism from the name.
15:23 <ayoung> well...OK, here is the really crazy idea...you can blame termie for putting it in my head...
15:23 *** BigWillie has quit IRC
15:23 <ayoung> let's say that we skip the authtoken step
15:23 <bknudson> you need to get termie out of your head already
15:23 <ayoung> and go right down to the policy enforcement code
15:23 <ayoung> and *there* we send it all to Keystone
15:24 <ayoung> 1.  federation env vars, 2.  API name, and 3. resource data
15:24 <amakarov> ayoung, that's how Fortress works  ))
15:24 <ayoung> amakarov, I know
15:24 <ayoung> it's called a remote pdp and it is an old, well established concept
15:24 <ayoung> pdp == policy decision point
15:24 <amakarov> ayoung, good concept
15:24 <dstanek> i walk away for 2 mins to get coffee and i'm 3 pages behind in this chat
15:25 <ayoung> it means that you fetch the resource from the backend before doing any validation, but it does mean that a user has to be authenticated, just not mapped
15:25 *** henrynash has quit IRC
15:26 <ayoung> so the problem with *that* approach is that now keystone needs to know about everything
15:26 <amakarov> ayoung, in real life AuthN is usually enough to get a room in a hotel and you don't need your voucher :)
15:26 <ayoung> amakarov, that is because the hotel is the PDP
15:27 <ayoung> amakarov, the card key is the bearer token
15:27 <ayoung> and the authorization you have is tied to the account that purchased the hotel room
15:27 <amakarov> ayoung, inside the hotel
15:27 <bknudson> it's hard for me to keep people out of my hotel room.
15:27 <ayoung> it's why I can get in to the executive lounge and you cannot, but we both can go to the health club
15:27 <ayoung> bknudson, you keep your personal life out of this
15:27 <bknudson> cleaning people
15:28 <ayoung> they have service tokens
15:28 *** BigWillie has joined #openstack-keystone
15:28 <bknudson> where does the room safe fit into this?
15:28 *** mhickey has joined #openstack-keystone
15:29 <bknudson> 2FA?
15:29 <dstanek> bknudson: it's too small for anything real so who cares?
15:29 <openstackgerrit> Navid Pustchi proposed openstack/keystone: Fix D400 PEP257  https://review.openstack.org/308060
15:29 *** e0ne has quit IRC
15:29 <bknudson> I can't even fit a PKI token in there.
15:30 *** josecastroleon has quit IRC
15:30 <ayoung> ok, so room safe is probably safe from the cleaning service
15:30 <dstanek> you need a smaller catalog :-)
15:30 <ayoung> you put something in there, and a different service user might have access, like the manager
15:31 <ayoung> in RBAC terms, different Role. The hotel is the project (or domain)
15:31 <ayoung> so manager of the 4 seasons can do these same things in his hotel, but not in the Radisson
15:31 *** mylu has joined #openstack-keystone
15:32 *** rderose has joined #openstack-keystone
15:32 <amakarov> ayoung, so back to the idea: you want clients to just do AuthN and not drag tokens around?
15:33 <ayoung> amakarov, ideally
15:33 <ayoung> amakarov, then the issue is performance and network traffic
15:33 <ayoung> so we can optimize, back off if needs be
15:33 *** sigmavirus24_awa is now known as sigmavirus24
15:34 <ayoung> for example, we could use mod_session if things run in apache, and give users a session cookie.  It's really a bearer token, but the web server links it to the user's identity.  That plus HTTPS is probably about the right level of optimization
15:35 <morgan> ayoung: if we push on an option for suburls again...
15:35 <morgan> which we're pretty close to
15:35 <morgan> ayoung: a single oauth works for the entire API
15:35 <morgan> which... is nice.
15:35 *** csoukup has joined #openstack-keystone
15:36 *** e0ne has joined #openstack-keystone
15:36 <ayoung> morgan, you mean to get things running in a single server...the whole upgrade story is going to disrupt that, I'm guessing.  Wellllllll  hmmmm.
morganno i didn't say a single server15:36
morgani said sub-url15:36
morganLoad-balancer (l7 routing) is also an option15:36
ayoungright, yep15:36
morganand that can be made redundant15:37
*** Ephur has joined #openstack-keystone15:37
ayoungI'm morethinking database migrations, but yep15:37
stevemardolphm: i'll let you kick this one through, https://review.openstack.org/#/c/308060/3 -- folks can blame you for having to rebase things :)15:38
patchbotstevemar: patch 308060 - keystone - Fix D400 PEP25715:38
<breton> so what stops us from the suburl thing?  15:38
*** dan_nguyen has joined #openstack-keystone  15:39
<morgan> stevemar: nope they get to blame me  15:39
<morgan> breton: a lot of things  15:39
<bknudson> tempest breaks when projects are running on a sub url  15:39
*** stingaci has joined #openstack-keystone  15:39
<morgan> breton: it's been a slow march - tempest is one of the things  15:39
<morgan> also many projects get weird about it  15:39
<bknudson> I think there are also issues in the projects.  15:39
<breton> tempest is just code and fixable, isn't it?  15:39
<morgan> we've corrected nova (mostly)  15:39
<morgan> and i have had most services "work" but the links are all wrong  15:39
<morgan> and sometimes things act weird  15:40
<breton> projects == openstack components, right?  15:40
<morgan> breton: yes openstack services  15:40
<bknudson> morgan: this seems to indicate that there's an issue in nova?  15:40
<morgan> bknudson: there has been. sdague and i worked a bunch on it in mitaka  15:40
<morgan> there are still some issues but it will *actually* work in most cases now  15:41
<morgan> most of the projects assume they are on / of whatever server they are running  15:41
<bknudson> also, https://review.openstack.org/#/c/301172/3/files/apache-tlsproxy.template  15:41
<patchbot> bknudson: patch 301172 - openstack-dev/devstack - Use Apache/mod_proxy as TLS proxy instead of stud  15:41
<morgan> this is also part of the failing of not using a proper application server.  15:41
<bknudson> for some reason he added a rewriter.  15:41
<bknudson> like tomcat ?  15:42
<morgan> bknudson: uwsgi, mod_wsgi  15:42
<morgan> bknudson: not a lot different than tomcat architecturally  15:42
<bknudson> we do.  15:43
<bknudson> does nova support it? I haven't checked on all the projects.  15:43
<morgan> we do, but nova, cinder, etc don't  15:43
<morgan> nope  15:43
<bknudson> I wonder why not.  15:43
<morgan> keystone, swift (sortof), zaqar...  15:43
<bknudson> is there an actual issue or just not a priority?  15:43
<morgan> well right now the periodic tasks *and* oslo.messaging is... broken  15:43
<morgan> for them  15:43
<morgan> in uwsgi etc  15:43
<morgan> they pretty much rely on eventlet semantics and pseudo co-routines  15:44
<bknudson> gross  15:44
<morgan> yep.  15:44
<breton> https://github.com/openstack/nova/commit/234294587ae3d92728e23f894c62c212ee800d73 well  15:44
<morgan> most every project in openstack does  15:44
<morgan> it isn't a high priority with them afaik  15:44
<morgan> but it's also not "just not caring"  15:44
<bknudson> there's a cross-project session at the summit. We'll see how it goes.  15:45
<bknudson> if anybody shows up  15:45
<morgan> also.. i want to point out how badass flask_restplus is  15:45
<morgan> i totally dig automatic swagger docs.  15:45
<breton> i wonder if it is possible to wrap traffic from host:80 to nova:port  15:45
*** stingaci_ has joined #openstack-keystone  15:46
<morgan> ayoung: ^ we could convert keystone to flask and flask_restplus and the whole "web page" for keystone would be "free"  15:46
<bknudson> yes, it's a reverse-proxy  15:46
<bknudson> breton: this is what https://review.openstack.org/#/c/301172/3/files/apache-tlsproxy.template does.  15:46
<patchbot> bknudson: patch 301172 - openstack-dev/devstack - Use Apache/mod_proxy as TLS proxy instead of stud  15:46
<morgan> ayoung: its.. pretty amazing  15:46
<morgan> ayoung: and it's almost free when the framework is used.  15:46
<breton> because nova could still run on its port, it's just all components should talk to nova on host:80  15:46
<morgan> ayoung: i'll show you an example of it at the summit  15:46
<ayoung> morgan, could we?  15:46
*** dan_nguyen has quit IRC  15:46
<morgan> dstanek: ^ cc if we use flask, i am going to push for restplus too  15:46
<ayoung> morgan, so, I believe the part after "if we convert"  15:47
<morgan> i <3 the swagger docs automatically there.  15:47
*** roxanagh_ has joined #openstack-keystone  15:47
<morgan> ayoung: well "if" as in.. when dstanek pushes his next patch now that eventlet is dead  15:47
<ayoung> it's the ability to convert to flask that I need to see proven.  We've tried things like that  15:47
<ayoung> morgan, which patch is that?  15:47
*** cheneydc has quit IRC  15:48
*** openstackgerrit has quit IRC  15:48
<morgan> ayoung: starts here https://review.openstack.org/#/c/202686/  15:48
<patchbot> morgan: patch 202686 - keystone - Initial view of Flask app factories  15:48
*** openstackgerrit has joined #openstack-keystone  15:48
*** jaosorior has quit IRC  15:48
<morgan> ayoung: but once we're on flask (mostly it's ditching our custom crappy wsgi code)  15:48
<morgan> ayoung: the rest becomes easier.  15:48
<dstanek> ayoung: working on fixing that up before the summit so i can show it working  15:48
<dstanek> better now that we no longer have eventlet to deal with!  15:48
<ayoung> dstanek, you are awesome  15:48
*** stingac__ has joined #openstack-keystone  15:49
*** stingaci has quit IRC  15:49
<dstanek> what a pile of ... badness  15:49
<morgan> also...  15:49
<morgan> the whole permission model in flask is *much* easier to work with  15:49
<morgan> i think it's (while a lot of code shift) going to make keystone a lot more streamlined  15:49
<morgan> and far far more "python"-community friendly  15:50
<breton> what's bad in current permission model?  15:50
<morgan> breton: overly complex  15:50
<morgan> the whole @decorator + callbacks that re-implement everything  15:51
<morgan> it's icky  15:51
*** stingaci_ has quit IRC  15:51
* morgan has it on his plate [probably while on the plane to austin]  15:51
<morgan> to rewrite them as direct enforce calls  15:51
<morgan> rather than hyper complex decorators.  15:51
<ayoung> morgan, I have some code in flight along those lines, but more on pulling the logic out of the decorator...  15:52
<ayoung> let me see...  15:52
<morgan> ayoung: basically i was going to just yank the decorator apart, add a new decorator that strictly checks if .enforce was called (so we can be sure a function always enforces if it's expected to)  15:52
<ayoung> morgan, I think it was Sam's patch...  15:53
*** trown is now known as trown|lunch  15:53
<morgan> and then do .enforce in the method where we want to actually enforce instead of... well trying to extract data and then use it in the decorator  15:53
<ayoung> morgan, look at https://review.openstack.org/#/c/279263/  15:53
<patchbot> ayoung: patch 279263 - keystone - enforcement logic refactored  15:53
<breton> @protected you mean?  15:53
<morgan> breton: yeah  15:53
<morgan> @protected is... icky  15:53
<morgan> it was implemented exactly as asked... then grew and grew and is now not really maintainable  15:54
<morgan> and exceedingly hard to debug  15:54
<ayoung> morgan, agreed, and you might want to throw out my patch to deal with it, but there are some embedded lessons there  15:54
<ayoung> the filter being a separate decorator is horrible  15:54
<breton> what's the problem in rewriting it now, to simple .enforce calls?  15:54
<ayoung> that was the big thing that was too different  15:55
<morgan> breton: it's a lot of work  15:55
<knikolla> finally managed to catch up reading  15:55
<morgan> breton: and a lot of edge cases to make sure we don't regress - it's VERY complex  15:55
<morgan> breton: thats all  15:55
<morgan> ayoung: sam's patch is good because it's a simplification  15:55
<ayoung> so that patch does, among other things, turn the filters into a single parameter that is an array  15:55
<breton> more complex than switching to flask?  15:55
<morgan> ayoung: i want to take it much much further  15:55
<morgan> breton: yes.  15:55
<ayoung> morgan, I'm with you  15:55
<morgan> breton: @protected/@filterprotected is crazy complex.  15:56
<morgan> breton: because you have callbacks that reimplement all the logic in subtly different ways on many classes  15:56
<morgan> and it encodes a ton of logic in ways to "wedge" it into a decorator model  15:56
<ayoung> morgan, If you get a single call, it should have a lot of the same logic as that patch.  Maybe you want to start with that patch and keep going.  15:56
<morgan> ayoung: likely  15:56
<morgan> ayoung: that patch helps.  15:57
<ayoung> morgan, I want to disconnect the enforcement from our controller hierarchy  15:57
<morgan> ayoung: explain?  15:57
<ayoung> the decorator does a lot of this.token_api stuff  15:57
<evrardjp> hello guys  15:57
<evrardjp> I have a paste for you  15:58
<ayoung> It means that the logic for building a token into a policy dictionary is tied to keystone  15:58
<morgan> oh yeah  15:58
<evrardjp> http://paste.openstack.org/show/495006/  15:58
<ayoung> I want to make it into a separable library, something we could put into middleware  15:58
<morgan> except you can't  15:58
<morgan> because scope checks.  15:58
<morgan> the middleware part  15:58
<morgan> you need resources from the DB to know if you should allow it  15:59
*** belmoreira has joined #openstack-keystone  16:01
<evrardjp> this paste is link to my yesterday conversation  16:02
<evrardjp> linked*  16:02
*** stingaci has joined #openstack-keystone  16:02
*** rderose_ has joined #openstack-keystone  16:04
*** stingac__ has quit IRC  16:04
*** rderose has quit IRC  16:08
*** mhickey has quit IRC  16:11
*** lhcheng has joined #openstack-keystone  16:12
*** ChanServ sets mode: +v lhcheng  16:12
*** lhcheng has quit IRC  16:13
*** lhcheng has joined #openstack-keystone  16:13
*** ChanServ sets mode: +v lhcheng  16:13
<bknudson> evrardjp: do you want listing endpoints to be a public interface? The keystone public interface is really just getting a token.  16:15
<bknudson> there's someplace you can pass in the interface to use ... not sure if it's on session or auth or client.  16:15
<evrardjp> bknudson curl seems to make it work and lists it, while the openstack CL / libs don't seem to work  16:17
<evrardjp> that's a usability concern for me  16:17
<bknudson> when you use curl it uses whatever interface you give it directly, not the service catalog  16:17
<bknudson> I don't know how you pass the interface to the openstack CLI.  16:18
<bknudson> (or if it's even supported)  16:18
*** roxanag__ has joined #openstack-keystone  16:19
*** jistr has quit IRC  16:21
<mylu> rodrigods: I figured it out....it was because I passed a saml flag to handle the 302 redirection and tempest took that parameter as part of kwargs and passed it as "body" on the GET request. and GET doesn't want any body  16:22
*** roxanagh_ has quit IRC  16:22
*** arun_kant has joined #openstack-keystone  16:22
*** navid_ has quit IRC  16:23
<openstackgerrit> Ron De Rose proposed openstack/keystone: Move the resource abstract base class out of core  https://review.openstack.org/302826  16:24
<openstackgerrit> Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/299635  16:28
<arun_kant> dstanek: Hi, can you please check the latest patch on https://review.openstack.org/#/c/279828/ as I addressed your comments.  16:30
<patchbot> arun_kant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...  16:30
*** mylu has quit IRC  16:33
*** browne has joined #openstack-keystone  16:35
<evrardjp> bknudson yet that would mean different standards for libs and curl  16:36
*** browne1 has joined #openstack-keystone  16:39
<dstanek> evrardjp: not exactly. with curl you are picking the URL to use manually. the client is discovering it  16:39
*** Guest14509 has quit IRC  16:40
<dstanek> if you curled the same url the client is using it would fail the same way  16:41
*** browne has quit IRC  16:41
*** darosale has joined #openstack-keystone  16:41
*** phalmos has quit IRC  16:45
*** stingaci has quit IRC  16:46
<openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: Added X-Forwarded-For support  https://review.openstack.org/309098  16:48
*** ayoung has quit IRC  16:48
*** belmoreira has quit IRC  16:50
<evrardjp> dstanek true, but I didn't set that as my auth url  16:51
*** jlk has joined #openstack-keystone  16:52
<jlk> Hey all. I have a question. If I'm doing a new install of Mitaka, and I want to support both keystone v2 api and v3 api, what should I put into the catalog for the identity service(s)?  16:53
*** roxanag__ has quit IRC  16:53
<jlk> should the URL be versioned or unversioned?  16:54
*** doug-fish has joined #openstack-keystone  16:58
*** mou1 has joined #openstack-keystone  16:59
*** pushkaru has joined #openstack-keystone  17:00
*** real56 has joined #openstack-keystone  17:00
*** dave-mccowan has quit IRC  17:01
*** mou has quit IRC  17:01
*** real56 has quit IRC  17:01
*** real56 has joined #openstack-keystone  17:02
*** trown|lunch is now known as trown  17:02
*** doug-fis_ has quit IRC  17:02
*** yarkot has quit IRC  17:02
*** kevinbenton has quit IRC  17:02
*** hugokuo has quit IRC  17:03
*** fungi has quit IRC  17:03
*** jgriffith has quit IRC  17:03
*** serverascode has quit IRC  17:03
*** jgriffith has joined #openstack-keystone  17:03
*** fungi has joined #openstack-keystone  17:04
*** sc68cal has quit IRC  17:04
*** jgriffith is now known as Guest3894  17:04
*** sc68cal has joined #openstack-keystone  17:04
*** kevinbenton has joined #openstack-keystone  17:05
*** hugokuo has joined #openstack-keystone  17:05
*** yarkot has joined #openstack-keystone  17:05
*** sdake_ has joined #openstack-keystone  17:06
*** stevemar has quit IRC  17:06
*** sdake has quit IRC  17:07
*** mou has joined #openstack-keystone  17:07
*** dave-mccowan has joined #openstack-keystone  17:07
*** stevemar has joined #openstack-keystone  17:08
*** jasonsb has quit IRC  17:08
*** raddaoui has quit IRC  17:08
*** ekarlso has quit IRC  17:08
*** martinus__ has quit IRC  17:08
*** serverascode has joined #openstack-keystone  17:08
*** sdake has joined #openstack-keystone  17:09
*** rderose_ has quit IRC  17:09
*** toddnni_ has joined #openstack-keystone  17:10
*** ChanServ sets mode: +o stevemar  17:10
*** raddaoui has joined #openstack-keystone  17:10
*** martinus__ has joined #openstack-keystone  17:10
*** sdake_ has quit IRC  17:11
*** sheel_ has joined #openstack-keystone  17:12
*** vnogin1 has joined #openstack-keystone  17:12
*** spzala_ has joined #openstack-keystone  17:13
*** mou1 has quit IRC  17:13
*** darosale_ has joined #openstack-keystone  17:13
*** zhiyan_ has joined #openstack-keystone  17:14
*** tristanC_ has joined #openstack-keystone  17:14
*** sc68cal_ has joined #openstack-keystone  17:14
<odyssey4me> bknudson evrardjp dstanek OK, let's step back a bit here. When accessing the Keystone auth endpoint which I've defined, and using the endpoint type that I've defined, I expect to be able to do various things via the API. Some of those things may require elevated privileges.  17:15
*** pleia2_ has joined #openstack-keystone  17:15
<odyssey4me> So the first question is - if elevated privs are required, is it 'by design' behaviour to redirect the requester to the admin endpoint?  17:15
<stevemar> jlk: you probably still want to put /v2.0 into the catalog for the identity service  17:16
*** stingaci has joined #openstack-keystone  17:17
*** jlk` has joined #openstack-keystone  17:18
*** real56 has quit IRC  17:18
*** real56 has joined #openstack-keystone  17:18
<odyssey4me> bknudson evrardjp dstanek it's my understanding that in Keystone today, all endpoints actually have the same functionality and the authorisation is handled through the token scoping  17:19
*** sc68cal has quit IRC  17:19
*** darosale has quit IRC  17:19
*** spzala has quit IRC  17:19
*** sheel has quit IRC  17:19
*** amit213 has quit IRC  17:19
*** pleia2 has quit IRC  17:19
*** jlk has quit IRC  17:19
*** jasondotstar has quit IRC  17:19
*** tristanC has quit IRC  17:19
*** lbragstad has quit IRC  17:19
*** zhiyan has quit IRC  17:19
*** toddnni has quit IRC  17:19
*** vnogin has quit IRC  17:19
*** toddnni_ is now known as toddnni  17:19
*** darosale_ is now known as darosale  17:19
<odyssey4me> (this assumes a v3 API environment, of course)  17:19
*** sheel_ is now known as sheel  17:19
*** real56 has quit IRC  17:20
*** real56 has joined #openstack-keystone  17:20
*** pleia2_ is now known as pleia2  17:20
*** ekarlso has joined #openstack-keystone  17:21
*** lbragstad has joined #openstack-keystone  17:22
*** real56 has quit IRC  17:22
*** amit213 has joined #openstack-keystone  17:22
*** daemontool has quit IRC  17:22
*** real56 has joined #openstack-keystone  17:22
*** zhiyan_ is now known as zhiyan  17:23
*** sc68cal_ has quit IRC  17:23
<odyssey4me> bknudson evrardjp dstanek worth noting is that the impression of both endpoints being functionally equivalent is based on the comment from dolphm in this bug: https://bugs.launchpad.net/keystone/+bug/1381961  17:24
<openstack> Launchpad bug 1381961 in OpenStack Identity (keystone) "Keystone API GET 5000/v3 returns wrong endpoint URL in response body" [Low,Fix released] - Assigned to Steve Martinelli (stevemar)  17:24
*** jasondotstar has joined #openstack-keystone  17:24
<evrardjp> also, that would deserve a word of explanation here: http://docs.openstack.org/developer/keystoneauth/using-sessions.html  17:25
*** ayoung has joined #openstack-keystone  17:26
*** ChanServ sets mode: +v ayoung  17:26
*** alex_xu has quit IRC  17:27
*** AJaeger has joined #openstack-keystone  17:27
<dstanek> odyssey4me: i believe that you are correct  17:27
*** chrisshattuck has joined #openstack-keystone  17:27
<AJaeger> keystone cores, could you import translation sync, please? https://review.openstack.org/307589 it removes all the pot (source files) for the tempest plugin since that one is untranslated. No need to keep the pots in tree for that...  17:28
<stevemar> AJaeger: hmmmm?  17:28
*** fawadkhaliq has joined #openstack-keystone  17:29
<AJaeger> stevemar: we import translations and their source files - the tempest plug-in does not need translations - or at least we do not need to store the source files in tree and update them every time as long as nobody translates them  17:30
<AJaeger> stevemar: source files = .pot files. Source files for translators  17:30
<AJaeger> stevemar: clearer now?  17:31
*** tqtran has joined #openstack-keystone  17:31
*** alex_xu has joined #openstack-keystone  17:31
*** jed56 has quit IRC  17:33
*** EinstCrazy has quit IRC  17:35
*** jlk` is now known as jlk  17:35
*** real56 has quit IRC  17:38
*** real56 has joined #openstack-keystone  17:39
<stevemar> AJaeger: all i see is magic  17:40
*** real56 has quit IRC  17:41
*** real56 has joined #openstack-keystone  17:41
*** pnavarro has quit IRC  17:42
<AJaeger> stevemar: shall I explain it differently?  17:43
<AJaeger> stevemar: yeah, we try to add some magic to our scripts - to reduce the churn ;)  17:43
<AJaeger> stevemar: thanks for approving.  17:43
<stevemar> AJaeger: i'm not a wizard, explaining magic to me wouldn't help :)  17:44
<stevemar> AJaeger: thanks for removing the keystone CLI stuff from the docs :)  17:45
<stevemar> oh that reminds me, i need to release today  17:45
<stevemar> bknudson: !  17:45
<AJaeger> Ok, will not hold you up on that  ;) Bye for now!  17:45
*** AJaeger has left #openstack-keystone  17:45
<jlk> stevemar: I have a question. If I'm doing a new install of Mitaka, and I want to support both keystone v2 api and v3 api, what should I put into the catalog for the identity service(s)?  17:46
<jlk> stevemar: should the URL be versioned or unversioned?  17:46
<stevemar> 13:16 stevemar: jlk: you probably still want to put /v2.0 into the catalog for the identity service  17:47
<stevemar> :)  17:47
*** ayoung has quit IRC  17:47
<jlk> huh, my proxy ate that  17:47
<jlk> and I didn't see it  17:47
<jlk> is there a reason for still putting /2.0 in there?  17:47
<stevemar> damn proxies *shakes fist*  17:47
<jlk> when we want everything to use 3?  17:47
*** ayoung has joined #openstack-keystone  17:47
*** ChanServ sets mode: +v ayoung  17:47
<stevemar> just cautionary, in case some services are using v3 still, but most core services should be v3 friendly  17:47
<morgan> oooh i see a jlk  17:48
<stevemar> jlk: maybe morgan and jamielennox|away have a different opinion  17:48
<jlk> stevemar: well, I control all the services too, so shouldn't I be able to tell the services to use the v3, and put the URL into the service config unversioned ?  17:48
<jlk> I mean, what even makes use of the identity entry in the catalog, because you have to pre-know the identity URL in order to get the catalog....  17:49
*** real56 has quit IRC  17:49
* morgan reads backscroll?  17:49
<dstanek> does anything actually use the catalog to find the identity service?  17:49
<morgan> ok  17:49
*** real56 has joined #openstack-keystone  17:49
<morgan> so..  17:49
<morgan> you can use V2 CRUD with V3 tokens  17:50
<stevemar> jlk: right, the only bits that really use the identity entry in the catalog are the other services, and if you're controlling them, you can set things up to be v3  17:50
<morgan> and vice versa (keystone will translate)  17:50
<morgan> NOW.. the issue is users in not the default domain CANNOT use v2 crud*  17:50
<jlk> stevemar: how do the other services use the identity entry in the catalog?  17:50
<morgan> * some special exceptions  17:50
<morgan> i highly recommend pushing people to v3  17:50
<morgan> *highly*  17:50
<morgan> but if you need to support both, don't put anything outside of the default domain  17:51
<jlk> how does one get catalog information, without already knowing the url to the identity service?  17:51
<morgan> and it should work  17:51
<morgan> jlk: the auth_url is known a priori  17:51
<bknudson> stevemar: did people fix the issues that you brought up on the mailing list?  17:51
<jlk> morgan: and the auth_url is the entry in the catalog, so...?  17:51
<morgan> jlk: you can put a (i think?) versionless entry in the catalog now  17:51
<jlk> or are there cases where that's not the same?  17:51
<morgan> with mitaka.  17:51
<morgan> auth_url doesn't need to be the same  17:52
<odyssey4me> morgan hmm, liberty was definitely a no-go on that one - I'll take a bash at trying that for Mitaka :)  17:52
<bknudson> stevemar: https://review.openstack.org/#/c/247810/ isn't merged.  17:52
<patchbot> bknudson: patch 247810 - barbican - Deleting duplicate code  17:52
<morgan> my poc cloud used "auth.tempusfrangit.org" as the auth endpoint and "api.tempusfrangit.org/identity" for the CRUD interface  17:52
<odyssey4me> (the versionless endpoint for the identity service in the catalog)  17:52
<jlk> alright, so other services would read the catalog  17:52
<morgan> jlk: correct.  17:52
<morgan> jlk: so.. i would probably use v3 in the catalog tbh if you need versions  17:53
<jlk> is there anything special about "identityv3"   as an entry in the catalog?  17:53
<jlk> or do services only look for "identity" or what they're explicitly told to look for?  17:53
<morgan> we try to discourage "versioned" names  17:53
*** timcline_ has quit IRC  17:53
<morgan> i think "identity" is what things look for  17:53
<morgan> though in most cases, nothing needs to do CRUD on keystone  17:53
<morgan> so they just need the auth_url  17:53
<stevemar> bknudson: i proposed https://review.openstack.org/#/c/307837/ instead, and it's not used in the CI  17:53
<patchbot> stevemar: patch 307837 - barbican - migrate keystone_data to openstackclient  17:53
<morgan> (heat being the exception afaik)  17:53
<jlk> yeah, heat.  17:54
<morgan> and heat talks v3  17:54
<jlk> but if my catalog entry ends in /v2.0...  17:54
<morgan> in fact. don't ask heat to talk v2  17:54
<morgan> it doesn't like that  17:54
<jlk> does heat just ignore that /v2.0 entry and use /v3 instead?  17:54
<morgan> i think it will be configured with a direct path to /v3  17:54
<morgan> vs catalog lookup  17:54
<bknudson> http://git.openstack.org/cgit/openstack/barbican/tree/bin/keystone_data.sh is broken  17:55
<jlk> oh right, we configure heat directly so that auth_uri is /v3  17:55
<bknudson> oh, not used in the ci  17:55
<bknudson> http://git.openstack.org/cgit/openstack/murano-deployment/tree/murano-ci/config/devstack/local.sh :(  17:55
*** sigmavirus24 is now known as sigmavirus24_awa  17:55
<bknudson> fuel still has it  17:55
<morgan> jlk: so, basically nothing really does keystone crud.  17:55
<bknudson> openstack CLI does  17:56
<morgan> jlk: and only ever looks at auth_url you configure it with  17:56
<morgan> the cli talking to keystone is different (i mean services)  17:56
<jlk> so I'm not going to worry about "stale" entries in our catalog that have /v2.0 on the URL  17:56
<jlk> and any new catalogs will just get /v3  17:56
<morgan> you're probably "ok" in most cases.  17:56
<morgan> but i really would try and push people to /v3  17:56
<morgan> wherever you can  17:56
<bknudson> why would you want /v3 in the catalog?  17:56
<jlk> we are  17:56
<morgan> or well versionless  17:56
<jlk> bknudson: if I have to put a version  17:56
<bknudson> we're just going to come out with a v4 and then we'll have to go through this all over again  17:56
<morgan> and if versionless isn't working  17:56
<jlk> if I don't have to, then won't put a version.  17:57
<morgan> please please please open bugs for us  17:57
<morgan> esp. in mitaka and later  17:57
<bknudson> if the clients are expecting a versioned endpoint then v3 isn't going to work.  17:57
<morgan> we need to fix the versioned endpoint crap  17:57
<jlk> odyssey4me: is testing that right now, right?  :D  17:57
<jlk> fwiw, your install documents still say to tag /2.0 on them  17:57
<odyssey4me> jlk heh, I need an hour to setup an environment to validate whether stuff works with a versioned endpoint  17:58
<bknudson> because clients expect the identity entry to be /v2.0  17:58
<jlk> http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html  17:58
<jlk> whoops  17:58
<jlk> sorry, that does say /v3  17:58
<jlk> not versionless  17:58
<bknudson> If /v3 is working then that's just because you're lucky  17:59
*** real56 has quit IRC  17:59
<morgan> jlk: our docs need love  18:00
<morgan> jlk: it's def. on our radar  18:00
*** real56 has joined #openstack-keystone  18:00
*** pushkaru has quit IRC  18:01
*** pushkaru has joined #openstack-keystone  18:01
<jlk> bknudson: I'm confused, didn't you just advocate for putting versionless in the catalog?  18:01
<jlk> and now you're saying anything but /v2.0 is only working due to luck?  18:01
*** real56 has quit IRC18:01
morganjlk: there are rough edges18:02
morganwe need to improve the testing and get feedbacke where it breaks18:02
*** real56 has joined #openstack-keystone18:02
morganit *should* work18:02
morganbut ... as odyssey4me said, there are cases (liberty esp.) where it just didn't18:02
*** doug-fis_ has joined #openstack-keystone18:02
bknudsonjlk: If you're deploying openstack you should have v2.0 as the identity endpoint. It's been that way so long that clients are going to expect it.18:03
odyssey4mejlk we've been using v3 endpoints in the catalogue as a default in OpenStack-Ansible since Liberty, and it works... some of the services needed to use the v2 url in their client configs (ceilometer, aodh, etc) but that was OK for those cases and many of them were fixed up for Mitaka.18:03
bknudsonchanging to versionless or v3 is not backwards compatible.18:03
bknudsonwe can't test every possible application.18:04
*** doug-fish has quit IRC18:04
jlkwell, I'm going to follow the written docs and see what falls over.18:05
morganbknudson: yeah.18:05
*** stingaci has quit IRC18:05
bknudsonI'm guessing the reason it works is because nothing uses it except openstack CLI and that does version discovery / version replacement.18:07
*** stingaci has joined #openstack-keystone18:07
bknudsondevstack now sets up versionless.18:07
*** lhcheng has quit IRC18:08
jlkversionless would be preferrable18:08
jlkso that I don't have to mess with URLs down the road if/when v4 happens18:08
morganjlk: ++ versionless is where we SHOULD land18:08
bknudsonif changing the endpoint to /v3 works for you then versionless will likely work too.18:08
jlkokay, worth a shot I suppose18:08
*** lhcheng has joined #openstack-keystone18:09
*** ChanServ sets mode: +v lhcheng18:09
*** sigmavirus24_awa is now known as sigmavirus2418:09
*** lhcheng has quit IRC18:09
*** timcline_ has joined #openstack-keystone18:14
*** real56 has quit IRC18:18
*** real56 has joined #openstack-keystone18:19
*** phalmos has joined #openstack-keystone18:19
*** real56 has quit IRC18:20
*** real56 has joined #openstack-keystone18:21
*** ayoung has quit IRC18:21
openstackgerritAlexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/30914618:21
*** sdake has quit IRC18:23
openstackgerritBrant Knudson proposed openstack/keystone: Add other-requirements.txt  https://review.openstack.org/30847718:24
*** dan_nguyen has joined #openstack-keystone18:30
*** real56 has quit IRC18:30
18:32 <openstackgerrit> Merged openstack/python-keystoneclient: Removing bandit.yaml in favor of defaults  https://review.openstack.org/294597
18:34 *** woodster_ has joined #openstack-keystone
18:37 <openstackgerrit> Brant Knudson proposed openstack/keystone: Add other-requirements.txt  https://review.openstack.org/308477
18:39 *** gagehugo has quit IRC
18:50 *** pushkaru has quit IRC
18:51 <openstackgerrit> Merged openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/307589
18:55 *** john5223 has joined #openstack-keystone
18:59 *** mylu has joined #openstack-keystone
19:00 *** mou has quit IRC
19:02 *** henrynash has joined #openstack-keystone
19:02 *** ChanServ sets mode: +v henrynash
19:06 *** doug-fis_ has quit IRC
19:07 *** lhcheng has joined #openstack-keystone
19:07 *** ChanServ sets mode: +v lhcheng
19:07 *** edmondsw has joined #openstack-keystone
19:08 *** rderose_ has joined #openstack-keystone
19:08 *** lhcheng has quit IRC
19:08 *** doug-fish has joined #openstack-keystone
19:08 *** lhcheng has joined #openstack-keystone
19:08 *** ChanServ sets mode: +v lhcheng
19:16 *** john5223 is now known as john
19:16 *** john is now known as john5223
19:18 *** mhickey has joined #openstack-keystone
19:19 *** rcernin has quit IRC
19:23 *** john5223 has quit IRC
19:24 *** john5223 has joined #openstack-keystone
19:27 *** timcline_ has quit IRC
19:30 *** mylu has quit IRC
19:31 *** mylu has joined #openstack-keystone
19:37 <openstackgerrit> Merged openstack/keystone: Fix D400 PEP257  https://review.openstack.org/308060
19:40 *** Guest3894 is now known as jgriffith
19:40 *** stingaci has quit IRC
19:43 *** tellesnobrega_af is now known as tellesnobrega
19:44 *** mylu has quit IRC
19:44 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes incorrect deprecation warning for IdentityDriverV8  https://review.openstack.org/305301
19:47 *** mylu has joined #openstack-keystone
19:49 *** mylu has quit IRC
19:49 *** doug-fis_ has joined #openstack-keystone
19:50 *** doug-fis_ has quit IRC
19:50 *** doug-fis_ has joined #openstack-keystone
19:51 *** erhudy has quit IRC
19:51 *** mylu has joined #openstack-keystone
19:52 *** woodburn has quit IRC
19:53 *** doug-fish has quit IRC
19:54 *** doug-fis_ has quit IRC
19:55 *** ayoung has joined #openstack-keystone
19:55 *** ChanServ sets mode: +v ayoung
19:56 *** mylu has quit IRC
19:56 *** tqtran is now known as tqtran-afk
19:57 *** mylu has joined #openstack-keystone
19:57 *** timcline_ has joined #openstack-keystone
19:58 *** timclin__ has joined #openstack-keystone
19:58 *** timcline_ has quit IRC
20:00 *** dhellmann has left #openstack-keystone
20:00 *** gyee has joined #openstack-keystone
20:00 *** ChanServ sets mode: +v gyee
20:02 <openstackgerrit> Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/284943
20:03 *** mylu has quit IRC
20:03 *** timclin__ has quit IRC
20:04 *** timcline_ has joined #openstack-keystone
20:05 *** spzala_ has quit IRC
20:06 *** spzala has joined #openstack-keystone
20:07 *** mylu has joined #openstack-keystone
20:07 *** woodburn has joined #openstack-keystone
20:09 *** sigmavirus24 is now known as sigmavirus24_awa
20:10 *** csoukup has quit IRC
20:10 *** spzala has quit IRC
20:11 <openstackgerrit> Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/284943
20:11 *** fawadkhaliq has quit IRC
20:12 <morgan> dolphm: when do you arrive in austin
20:12 <morgan> ?
20:12 *** rcernin has joined #openstack-keystone
20:13 *** fawadkhaliq has joined #openstack-keystone
20:13 *** sigmavirus24_awa is now known as sigmavirus24
20:13 <morgan> stevemar: ^ cc same q
20:13 <dolphm> morgan: not sure exactly, but probably sunday around 3pm
20:15 *** ebalduf_ has joined #openstack-keystone
20:15 <morgan> dolphm: ok cool.
20:15 <morgan> dolphm: was wondering if it was sat or sunday
20:16 <morgan> dolphm: /me is trying to get the schedule in order so things like hanging w/ the keystone folks happen :)
20:16 <dstanek> morgan: are you that busy? :-P
20:17 <bknudson> life of a tc member
20:17 <morgan> dstanek: no
20:17 <morgan> dstanek: i figure y'all are that busy cause you're employed ;)
20:18 <morgan> and have "things" to do
20:18 <morgan> ^_^
20:18 <bknudson> we're all "buy buy buy, sell sell sell"
20:18 <morgan> hehe
20:19 <dolphm> morgan: i have no plans beyond setup the traditional twitter group for anyone interested and pick a rally point
20:19 *** fawadkhaliq has quit IRC
20:20 *** fawadkhaliq has joined #openstack-keystone
20:20 <bknudson> You'll all be at the core party... it was full when I tried to sign up (or maybe I was blocked for spite).
20:21 <dolphm> it was full for me too
20:21 <bknudson> ok, maybe nobody will be at the core party
20:23 <morgan> bknudson: hehe
20:23 <morgan> i got in.. cause i asked for an extra ticket :P
20:24 *** e0ne has quit IRC
20:24 <morgan> so i has two.
20:24 * morgan shakes head
20:24 * morgan points to the ML topic
20:24 *** fawadkhaliq has quit IRC
20:24 <morgan> and the general sentiment makes me happy
20:24 <bknudson> you can put it on eventbrite and invite everyone to try to sign up for it.
20:24 <morgan> small groups, team meetups
20:24 *** e0ne has joined #openstack-keystone
20:24 <morgan> and less "core reviewer party"
20:24 <morgan> :)
20:25 <morgan> oh crap...
20:25 <morgan> i need a hostname for my new laptop
20:25 <morgan> hmmmmmm.
20:25 *** fawadkhaliq has joined #openstack-keystone
20:25 <morgan> one of the hardest things in computer science!
20:25 <morgan> Naming things!
20:25 <bknudson> portlandia
20:25 <morgan> lol
20:25 <morgan> it has to be A song of ice and fire based.
20:25 <bknudson> you should put a bird on it
20:26 <morgan> mac laptop is whitewalker
20:26 <morgan> network is winterfell.
20:26 <morgan> server is tyrell.
20:27 * morgan ponders
20:27 <morgan> HODOR!
20:28 <dstanek> morgan: i'll rearrange my schedule for you sir
20:28 <morgan> dstanek: hehe
20:29 *** jamielennox|away is now known as jamielennox
20:30 <morgan> hmm.
20:30 *** mhickey has quit IRC
20:31 *** stingaci has joined #openstack-keystone
20:32 *** doug-fish has joined #openstack-keystone
20:32 <morgan> ooh opensuse uses btrfs
20:32 <morgan> neat
20:33 <bknudson> here's an example using wrapt.ObjectProxy for the request ID stuff: http://paste.openstack.org/show/495040/
20:34 <bknudson> so all the _*WithMeta classes are not needed.
20:34 <morgan> bknudson: please!
20:34 <morgan> i dislike the _*withmeta things
20:34 *** stingaci has quit IRC
20:34 <morgan> though TBH i think we should be returning response objects
20:34 <morgan> but that ship has sailed :(
20:35 *** stingaci has joined #openstack-keystone
20:35 <bknudson> we could have had a callback function that's registered on requests (or session?)
20:35 <morgan> bknudson: happy to add that to session
20:35 <bknudson> that was one of my suggestions
20:35 <morgan> no question
20:36 <morgan> hmm. dstanek in your opinion is there a benefit to having /home isolated in a desktop linux?
20:36 <morgan> dstanek: /me leans towards "not really"
20:37 <bknudson> there is always a benefit to having home isolated
20:37 <bknudson> lvm makes it easy to resize
20:37 <morgan> bknudson: true.
20:38 <morgan> it's been a while since i seriously considered a desktop linux partition layout beyond "/boot, /, swap"
20:38 *** BigWillie has quit IRC
20:39 <bknudson> I went overboard this time -- I've got home , openstack , vms , images
20:39 *** trown is now known as trown|outtypewww
20:39 <morgan> bknudson: hehe
20:39 <morgan> bknudson: also.. btrfs "yay" or "OH HELL NAW"
20:39 <morgan> s/naw/no
20:39 *** spzala has joined #openstack-keystone
20:39 <bknudson> haven't tried it. Not sure what difference it makes
20:39 * morgan kicks autocorrect
20:39 <morgan> HOW THE HELL did no => naw
20:39 <bknudson> I say NAW.
20:40 <morgan> i know.. but i'm from the west coast
20:40 <morgan> we use "no" :)
20:40 <john5223> i like btrfs. if you snapshot you can rollback if you screw something up
20:40 <morgan> john5223: have you had data loss issues though?
20:40 <morgan> i mean i wouldn't use it on a prod server yet (until i play with it more)
20:40 <john5223> no. i've heard of issues possibly with really large drives but i haven't seen anything myself
20:40 <morgan> what is "really large"?
20:41 <morgan> 6TB? 20TB?
20:41 <john5223> and btrfs is now required for lxd
20:41 <morgan> oooh
20:41 <morgan> good to know
20:41 <bknudson> does ubuntu default to btrfs?
20:41 <john5223> no. defaults to lvm install
20:41 <john5223> not sure about new release
20:42 <morgan> bknudson: i'm installing openSUSE tumbleweed
20:42 <morgan> bknudson: i want a rolling distro
20:42 <bknudson> I just installed ubuntu 14.04 and now there's 16.04.
20:42 <morgan> and .. i have an aversion to arch
20:42 <morgan> if i can't get this to work, i'll go to 16.04
20:42 * morgan needs super bleeding edge kernel :)
20:43 <john5223> i'm going to be trying a dev openstack environment on 16.04 with mitaka soon. should be fun.
20:44 <morgan> i also figure i give ubuntu 2wk run before i upgrade/install
20:44 <morgan> because... uhm... things are wonky right at release usually
20:44 <morgan> and since 16.04 released today
20:46 *** rderose_ has quit IRC
20:46 <morgan> john5223: hmmm. well good to know LXD requires btrfs
20:47 <john5223> btrfs or zfs i believe
20:47 <morgan> i use ZFS on my home nas
20:47 <john5223> but yeah, i don't think it's documented yet. learned it the hard way :)
20:47 <morgan> but ZFS-boot worries me
20:47 <morgan> esp. when i need like 4.6 kernel
20:48 <morgan> or 4.5
20:48 *** krotscheck has quit IRC
20:48 *** krotscheck has joined #openstack-keystone
20:50 <jamielennox> when does everyone arrive into austin?
20:51 <jamielennox> (i'm sure this has been asked here before)
20:54 *** fawadk has joined #openstack-keystone
20:54 *** fawadkhaliq has quit IRC
20:54 <bknudson> late sunday
20:55 *** clenimar has quit IRC
20:58 <stevemar> sunday evening
20:58 <lbragstad> sunday afternoon
20:58 <knikolla> sunday afternoon
20:59 <jamielennox> ah, everyone fairly late
20:59 *** fawadk has quit IRC
21:00 <jamielennox> maybe i should have said instead i've got the weekend in austin beforehand, so if anyone's around early send me a twitter or something
21:04 <morgan> jamielennox: saturday ~noon
21:05 <jamielennox> morgan: ah, nice!
21:05 <jamielennox> i'll pick up a sim card somewhere so i should be contactable
21:06 <jamielennox> actually does T-mobile still do that, hmm
21:06 <morgan> jamielennox: probably
21:06 *** BjoernT has quit IRC
21:07 *** tristanC_ is now known as tristanC
21:07 *** e0ne has quit IRC
21:07 *** fawadkhaliq has joined #openstack-keystone
21:08 *** fawadkhaliq has quit IRC
21:08 *** edmondsw has quit IRC
21:08 *** e0ne has joined #openstack-keystone
21:08 *** fawadkhaliq has joined #openstack-keystone
21:08 *** fawadkhaliq has quit IRC
21:10 *** pushkaru has joined #openstack-keystone
21:10 <openstackgerrit> Brant Knudson proposed openstack/keystone: Add other-requirements.txt  https://review.openstack.org/308477
21:12 *** ebalduf_ has quit IRC
21:16 <stevemar> bknudson: TIL that prince hails from minnesota, i didn't realize cool people come from there
21:16 <bknudson> there was one cool guy. :(
21:18 *** woodburn has quit IRC
21:18 <stevemar> bknudson: time for you to take up the cool guy position
21:18 <bknudson> I'm not from minnesota
21:19 <bknudson> I just live here
21:23 <stevemar> bknudson: gonna play your ND card now eh
21:23 <stevemar> bknudson: looks like we've got a meeting tomorrow!
21:23 <bknudson> stevemar: yes, and I'll probably have meetings all the time next week too.
21:24 *** tellesnobrega is now known as tellesnobrega_af
21:25 <bknudson> stevemar: maybe we'll get some requirements to bring up during summit sessions
21:25 *** gordc has quit IRC
21:26 <bknudson> stevemar: you're not in the slack channel
21:32 *** bebech has quit IRC
21:32 *** bebech has joined #openstack-keystone
21:38 *** roxanaghe has quit IRC
21:39 *** roxanaghe_ has joined #openstack-keystone
21:39 *** roxanaghe__ has joined #openstack-keystone
21:39 *** roxanaghe_ has quit IRC
21:39 *** rcernin has quit IRC
21:46 *** aimeeU has quit IRC
21:49 *** chrisshattuck has quit IRC
21:51 *** roxanaghe__ has quit IRC
21:51 *** roxanaghe has joined #openstack-keystone
21:52 *** fawadkhaliq has joined #openstack-keystone
21:55 *** gordc has joined #openstack-keystone
21:56 *** rderose_ has joined #openstack-keystone
21:57 *** henrynash has quit IRC
21:57 *** mylu has quit IRC
21:57 *** ebalduf has joined #openstack-keystone
21:58 *** spzala has quit IRC
21:59 *** BjoernT has joined #openstack-keystone
22:01 <stevemar> bknudson: never got the invite
22:01 *** mylu has joined #openstack-keystone
22:03 *** BjoernT has quit IRC
22:07 <bknudson> bob dylan is now the cool guy from minnesota
22:07 *** ebalduf has quit IRC
22:08 <bknudson> stevemar: jamielennox has been hiding slack from us.
22:08 <lbragstad> mmmhm - that's right
22:10 *** darosale has quit IRC
22:13 *** timcline_ has quit IRC
22:14 *** tqtran-afk is now known as tqtran
22:14 *** phalmos has quit IRC
22:14 *** doug-fish has quit IRC
22:15 <crinkle> morgan: what does "the token can be refreshed" mean in https://bugs.launchpad.net/keystoneauth/+bug/1510825 ? wouldn't you just want a new token?
22:15 <openstack> Launchpad bug 1510825 in keystoneauth "need a session constructor that takes both auth params and token" [Medium,Triaged]
22:15 <morgan> hmm.
22:15 <morgan> uhm
22:15 <morgan> looking
22:15 <morgan> ah
22:16 <morgan> crinkle: so in keystoneauth, if you have username/password it can refresh the token when it's about to expire
22:16 <morgan> crinkle: so the bug is saying we need a way of passing username/password in and an active token, so that the current token is used until it expires
22:16 <morgan> then we get a new token
22:16 *** fawadkhaliq has quit IRC
22:19 <morgan> crinkle: the current constructor either takes token or username/password - and doesn't do the right thing with both (if it is even possible)
22:20 <crinkle> morgan: it can take both it just doesn't do anything with the password one http://paste.openstack.org/show/495050/
22:20 <morgan> ahh
22:20 <morgan> that's it
22:21 <morgan> i think it fails to make a session that has all the sane attributes for token refresh/new-token-get when current expires
22:21 <morgan> at least i remember that is what mordred was complaining about when that bug was opened.
22:22 *** timcline_ has joined #openstack-keystone
22:25 *** fawadkhaliq has joined #openstack-keystone
22:27 *** timcline_ has quit IRC
22:28 *** fawadkhaliq has quit IRC
22:28 *** slberger has left #openstack-keystone
22:30 *** fawadkhaliq has joined #openstack-keystone
22:32 *** krotscheck is now known as krotscheck_dcm
22:35 *** sigmavirus24 is now known as sigmavirus24_awa
22:38 *** ametts has quit IRC
22:40 *** fawadkhaliq has quit IRC
22:41 *** gordc has quit IRC
22:43 *** stingaci has quit IRC
22:45 *** edtubill has quit IRC
22:45 *** dan_nguyen has quit IRC
22:46 *** mylu has quit IRC
22:55 *** stingaci has joined #openstack-keystone
22:55 *** stingaci has quit IRC
22:57 *** mylu has joined #openstack-keystone
23:00 *** can8dnSix has joined #openstack-keystone
23:01 *** mylu has quit IRC
23:03 *** can8dnSix has quit IRC
23:03 *** can8dnSix has joined #openstack-keystone
23:04 *** furface has joined #openstack-keystone
23:05 *** edtubill has joined #openstack-keystone
23:06 *** rderose_ has quit IRC
23:20 *** markvoelker has quit IRC
23:29 *** dan_nguyen has joined #openstack-keystone
23:34 *** timonwong has joined #openstack-keystone
23:36 *** arun_kant has quit IRC
23:46 *** mylu has joined #openstack-keystone
23:47 *** e0ne has quit IRC
23:51 <jamielennox> adding the token and password like that is validating 2 auth types - not one then fallback to the other
23:51 <jamielennox> the problem with using an existing token for a while is that we need more than the token, we need the service catalog and other details
23:52 <jamielennox> now we could take an existing token and ask keystone for the auth_ref that goes with it
23:52 <jamielennox> but at which point we could also have just issued a new token
23:52 *** mylu has quit IRC
23:52 <jamielennox> you can use the plugin caching to save and restore all this if you know you are going to want to use it later
23:55 <stevemar> do i upgrade my dev env to 16.04 hmmmm
23:57 *** edtubill has quit IRC
23:58 *** mylu has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!