Tuesday, 2016-06-21

*** nkinder has quit IRC		00:00
*** shoutm_ has joined #openstack-keystone		00:20
*** shoutm has quit IRC		00:21
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	00:26
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	00:29
*** iurygregory_ has left #openstack-keystone		00:32
*** samueldmq has quit IRC		00:33
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	00:35
*** shoutm has joined #openstack-keystone		00:36
*** shoutm_ has quit IRC		00:36
*** timcline has joined #openstack-keystone		00:40
*** sdake_ has quit IRC		00:44
*** timcline has quit IRC		00:44
*** markvoelker has quit IRC		00:46
*** markvoelker has joined #openstack-keystone		00:47
*** raddaoui has quit IRC		00:47
*** ddieterly has joined #openstack-keystone		00:50
*** spandhe has quit IRC		00:58
*** browne has quit IRC		00:58
*** ddieterly is now known as ddieterly[away]		00:58
*** ddieterly[away] has quit IRC		01:08
*** ddieterly has joined #openstack-keystone		01:12
*** davechen has joined #openstack-keystone		01:13
openstackgerrit	Roxana Gherle proposed openstack/keystone: /services?name=<name> API fails when using list_limit https://review.openstack.org/331790	01:22
*** gagehugo has joined #openstack-keystone		01:36
lbragstad	dstanek congrats on your cavs ;P	01:38
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Use SAML2 requests plugin https://review.openstack.org/255056	01:43
rderose	lbragstad dstanek: yeah, good for Cleveland :)	01:44
*** roxanaghe has quit IRC		01:45
jamielennox	ayoung: how did you go with an env we can test ^ against	01:46
lbragstad	rderose dstanek is a huge James fan	01:54
*** ddieterly is now known as ddieterly[away]		01:54
*** ddieterly[away] is now known as ddieterly		01:54
rderose	lbragstad: Lebron is certainly unique	01:55
lbragstad	rderose that's a good word for it ;)	01:56
rderose	lbragstad: just no no in history like him :)	01:56
lbragstad	lol	01:56
*** TxGVNN has joined #openstack-keystone		01:59
*** ddieterly has quit IRC		02:09
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Pass X_IS_ADMIN_PROJECT header from auth_token https://review.openstack.org/331374	02:09
*** TxGVNN has quit IRC		02:48
*** TxGVNN has joined #openstack-keystone		02:48
*** slberger has left #openstack-keystone		02:50
*** stevemar has quit IRC		02:54
*** topol has quit IRC		02:54
*** haneef has quit IRC		02:59
*** 92AAAZ3WR has quit IRC		03:08
*** henrynash has joined #openstack-keystone		03:11
*** spandhe has joined #openstack-keystone		03:15
*** jorge_munoz has quit IRC		03:15
*** rderose has quit IRC		03:18
*** jorge_munoz has joined #openstack-keystone		03:19
*** spandhe_ has joined #openstack-keystone		03:22
*** julim has joined #openstack-keystone		03:23
*** spandhe has quit IRC		03:23
*** spandhe_ is now known as spandhe		03:23
ayoung	jamielennox, heh	03:23
ayoung	kerberos plugin issues	03:24
ayoung	need to redo Rippowam against DLRN I think to pick up the latest changes	03:24
ayoung	trying to close out on RHSOO and Tripleo before I get back to that	03:24
jamielennox	ayoung: no worries, i think it might be time to give it another go anyway	03:31
ayoung	jamielennox, its pretty close to functional. Need to change the repos, but that is about it. I might be able to add you to the Dreamhost account if you want?	03:32
*** dave-mccowan has quit IRC		03:32
jamielennox	ayoung: nah, that's ok cause i want to deploy from source anyway	03:32
*** dave-mccowan has joined #openstack-keystone		03:32
ayoung	jamielennox, the ipsilon stuff should be good to go as is. I just added the ipaserver and rhsso roles to Tripleo and they worked fine	03:33
ayoung	minro tweaks,	03:33
*** julim has quit IRC		03:33
ayoung	BTW< I've learned that, for Ansible, you put variables in /defaults insteado /vars	03:34
jamielennox	ayoung: yep, i'll copy that stuff as verbatim as possible	03:34
jamielennox	ayoung: :) yep	03:34
*** spandhe has quit IRC		03:35
ayoung	jamielennox, keep using Rippowam. We can split the Packstack role out into its own thing, and you can either do separate provisioning for the Openstack, or use OSAD or whatever, but then the post install changes should be common	03:35
*** dave-mccowan has quit IRC		03:36
ayoung	jamielennox, BTW, I think I want to make Anchor the default approach for X509 and TLS. Its just a simple puython CA..exactly what OpenSTack needs. Now that it is written...embrace it.	03:36
jamielennox	ayoung: so the only problem is doing keystone changes retroactively like that is a pain for simple deploys	03:36
*** richm has quit IRC		03:36
jamielennox	because it means you can't just drop templates for config, you need to do like ini updates of what packstack installs	03:36
jamielennox	ayoung: anchor the HP thing?	03:37
ayoung	THat is an issue with the IPA stuff, but not Ipsilon	03:37
ayoung	jamielennox, yeah	03:37
ayoung	short term x509	03:37
ayoung	guang hammered out a certmonger helper	03:37
ayoung	https://github.com/admiyo/anchor-certmonger-helper	03:37
jamielennox	ok, that's not openstack specific, it's just a refreshable cert provider	03:37
jamielennox	like really short term ACME	03:37
ayoung	right	03:37
ayoung	think of it as a distributed self-sign	03:38
ayoung	works for "all of these servers" instead of just this one.	03:38
jamielennox	you should try and get that merged into certmonger proper	03:38
ayoung	bascially, a REST based certmaster	03:38
jamielennox	because certmonger knows how to do things like bounce apache which i don't see there	03:38
ayoung	jamielennox, won't happen. It is python, and certmonger is all C. THey can live in separate repos just fine, though	03:39
ayoung	need to package up Anchor at some point	03:39
jamielennox	ayoung: the helper is python, but all he's doing there is a rest request and some string manipulation	03:40
ayoung	right	03:40
jamielennox	you could bang that out in C in half a day?	03:40
ayoung	I really don't want to though	03:40
ayoung	I want good examples in Python to make it more friendly to other writers	03:40
ayoung	Getting sysadmins to look at C code is a non-starter	03:40
jamielennox	ayoung: by that logic then you should be convincing certmonger to include non-c providers	03:40
*** sheel has joined #openstack-keystone		03:40
jamielennox	it can already do it, it just doesn't have any in tree afaik	03:41
ayoung	jamielennox, yes that is what I want	03:41
ayoung	right. The IPA one is in the IPA tree	03:41
ayoung	and it really is different, sticking thingsin LDAP and all that	03:41
jamielennox	ayoung: also convince someone on IPA to write a proper ansible playbook	03:41
ayoung	I was working on a self-signed-via-ssh proof-of-concept that would link a bunch of servers together	03:42
jamielennox	cause ugh	03:42
ayoung	heh	03:42
ayoung	playbook for installing the IPA server?	03:42
ayoung	I'd like to make ipa-server-install into an Ansible module	03:42
jamielennox	if you like	03:42
jamielennox	but yes, for installing	03:42
ayoung	exactly	03:42
ayoung	non of the dependencies, either	03:43
jamielennox	because a playbook that runs ipa-server-install is not useful for changing config	03:43
ayoung	just the logic	03:43
jamielennox	a full playbook that lets you configure dogtag, 389 etc as individual pieces	03:43
ayoung	I wonder if the IPA installer code could be split into a series of modules to do that	03:44
jamielennox	ayoung: you'd write it as dependent roles	03:44
jamielennox	1 for dogtag, 1 for 389, 1 for ipa, then an all in one with dependencies across all 3	03:44
ayoung	There is a lot of logic written in python there. Not much value in converting to Ansible, and it would be slower. So I;d probably vote for keeping thme as library/modules	03:45
jamielennox	+ kerb and other bits i guess	03:45
ayoung	but then, yep, structure the playbook like that	03:46
jamielennox	ayoung: so i don't really mind if it replaces ipa-server-install, that's a nice story to have	03:46
jamielennox	ayoung: but it you want to orchestarte all this then ipa-server-install is not helpful	03:46
ayoung	Well, the idea of IPA is that they are not really separable components.	03:47
jamielennox	ayoung: is it?	03:47
ayoung	But..then we make pieces optional	03:47
jamielennox	ayoung: i always got the impression it was helpers on top of standard components	03:47
jamielennox	like you might still use 389 for your own ldap requirements sepearte to ipa	03:47
jamielennox	you might want to use dogtag directly, not via IPA	03:47
ayoung	Well, take the DirServe. You don;'t want people injexcting users without going throuigh the IPA logic,. or you lose the object classes	03:48
jamielennox	IPA gave you a great tool to bring them all together, but i never got the impression it was supposed to remove knowledge of the backend pieces	03:48
ayoung	the behaviour is based on the user having all of those object classes. THe Directory structure is very opinionated	03:48
ayoung	so, things are locked down.	03:48
ayoung	and Cert Server even moreso	03:48
jamielennox	ayoung: not users, no. don't mess with things that IPA supports, but there's a lot of things people put into ldap that are not covered by ipa	03:48
ayoung	You can do that all you wan.t Early Keystone LDAP code was done that way	03:49
ayoung	sepoarate tree, used the groups and Users from IPA	03:49
ayoung	its why the DN wierdness for the unique IDs	03:49
ayoung	tjhat and cuz I didn't know what I was doing	03:49
*** TxGVNN has quit IRC		03:52
*** spandhe has joined #openstack-keystone		04:02
*** itlinux has joined #openstack-keystone		04:04
*** gagehugo has quit IRC		04:12
*** links has joined #openstack-keystone		04:17
dstanek	lbragstad: i still think he's a bit of a Jordan wannabe	04:24
*** adrian_otto has joined #openstack-keystone		04:49
*** ktychkova has quit IRC		04:55
*** adrian_otto has quit IRC		04:58
*** adrian_otto has joined #openstack-keystone		05:01
*** code-R has joined #openstack-keystone		05:03
*** adrian_otto has quit IRC		05:05
*** code-R_ has joined #openstack-keystone		05:06
*** code-R has quit IRC		05:08
*** roxanaghe has joined #openstack-keystone		05:23
*** roxanaghe has quit IRC		05:27
*** jaosorior has joined #openstack-keystone		05:28
*** code-R_ has quit IRC		05:34
*** code-R has joined #openstack-keystone		05:34
*** jorge_munoz has quit IRC		05:34
*** spandhe_ has joined #openstack-keystone		05:51
*** spandhe has quit IRC		05:52
*** spandhe_ is now known as spandhe		05:52
*** TxGVNN has joined #openstack-keystone		05:54
*** yolanda has joined #openstack-keystone		05:55
*** rcernin has joined #openstack-keystone		05:56
*** TxGVNN has quit IRC		06:04
*** TxGVNN has joined #openstack-keystone		06:09
*** spandhe has quit IRC		06:15
*** code-R_ has joined #openstack-keystone		06:23
*** roxanaghe has joined #openstack-keystone		06:24
*** wanghua has quit IRC		06:25
*** code-R has quit IRC		06:26
*** roxanaghe has quit IRC		06:29
*** davechen has left #openstack-keystone		06:32
*** yolanda has quit IRC		06:32
*** markvoelker has quit IRC		06:35
*** TxGVNN has quit IRC		06:41
*** rha_ is now known as rha		06:47
*** rha has joined #openstack-keystone		06:47
*** agireud has quit IRC		06:51
*** pcaruana has joined #openstack-keystone		06:52
*** agireud has joined #openstack-keystone		06:55
*** belmoreira has joined #openstack-keystone		07:04
*** code-R_ has quit IRC		07:04
*** woodster_ has quit IRC		07:18
*** amoralej\|off is now known as amoralej		07:19
*** roxanaghe has joined #openstack-keystone		07:25
*** chlong\|rhce_trng has quit IRC		07:27
*** roxanaghe has quit IRC		07:30
*** ebarrera has joined #openstack-keystone		07:31
*** TxGVNN has joined #openstack-keystone		07:34
*** markvoelker has joined #openstack-keystone		07:36
*** jed56 has joined #openstack-keystone		07:36
*** markvoelker has quit IRC		07:41
openstackgerrit	Merged openstack/keystonemiddleware: Pass X_IS_ADMIN_PROJECT header from auth_token https://review.openstack.org/331374	07:51
*** pnavarro has joined #openstack-keystone		07:52
*** ktychkova has joined #openstack-keystone		07:56
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:03
*** shoutm has quit IRC		08:05
*** shoutm has joined #openstack-keystone		08:05
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	08:10
*** dmk0202 has joined #openstack-keystone		08:18
*** agireud has quit IRC		08:19
*** shoutm_ has joined #openstack-keystone		08:22
*** shoutm has quit IRC		08:24
*** roxanaghe has joined #openstack-keystone		08:26
*** agireud has joined #openstack-keystone		08:28
*** roxanaghe has quit IRC		08:30
*** yolanda has joined #openstack-keystone		08:39
*** dmk0202 has quit IRC		08:42
*** permalac__ has quit IRC		08:47
*** permalac has joined #openstack-keystone		08:50
*** nisha_ has joined #openstack-keystone		08:53
*** ChanServ sets mode: +v henrynash		09:00
*** shoutm has joined #openstack-keystone		09:01
*** roxanaghe has joined #openstack-keystone		09:01
*** shoutm_ has quit IRC		09:03
*** roxanaghe has quit IRC		09:05
*** jaosorior has quit IRC		09:09
*** jaosorior has joined #openstack-keystone		09:10
*** openstackgerrit has quit IRC		09:18
*** openstackgerrit has joined #openstack-keystone		09:18
*** vnogin has joined #openstack-keystone		09:31
*** samueldmq has joined #openstack-keystone		09:36
samueldmq	morning keystone	09:37
*** markvoelker has joined #openstack-keystone		09:37
samueldmq	nisha_: hi	09:37
henrynash	samueldmq: hi	09:37
samueldmq	henrynash: o/	09:37
*** ChanServ sets mode: +v samueldmq		09:38
nisha_	samueldmq, hi :)	09:42
*** markvoelker has quit IRC		09:43
samueldmq	nisha_: about your question yesterday, since that was being merged already/is merged now	09:44
samueldmq	nisha_: you may address that in a new patch	09:44
openstackgerrit	Andrew Liu proposed openstack/keystone: Added cache for sql id mapping driver https://review.openstack.org/328820	09:44
samueldmq	nisha_: just go to master, git pull, and create a new branch from there	09:45
nisha_	samueldmq, what do you think would be better? fix it now or move on to next task, as there might realize any other changes in it?	09:46
samueldmq	nisha_: I think fixing it is pretty simple; just make domain_id an optional attribute in the function (with domain_id=None) and then remove self.project_domain_id in the fixture calls in the domain tests (where I commented)	09:47
samueldmq	nikhil: that is a 4-line change	09:47
nisha_	samueldmq, yeah i did it exactly the same way	09:48
nisha_	samueldmq, no need of comments about this?	09:48
*** henrynash_ has joined #openstack-keystone		09:48
*** ChanServ sets mode: +v henrynash_		09:48
samueldmq	nisha_: just create a commit message saying you're fixing remaining comments from the other review (and put a link to it)	09:48
samueldmq	nisha_: that's all	09:48
nisha_	samueldmq, sure, thanks	09:49
*** nisha_ has quit IRC		09:59
*** nisha_ has joined #openstack-keystone		10:00
*** roxanaghe has joined #openstack-keystone		10:02
*** tqtran has quit IRC		10:05
*** roxanaghe has quit IRC		10:06
*** yolanda has quit IRC		10:08
*** henrynash_ has quit IRC		10:18
*** shewless has quit IRC		10:22
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Follow up patch for add domain functional tests https://review.openstack.org/332061	10:23
nisha_	samueldmq, did the changes	10:27
*** amrith has quit IRC		10:28
*** amrith has joined #openstack-keystone		10:29
*** amrith has quit IRC		10:32
*** amrith has joined #openstack-keystone		10:33
*** markvoelker has joined #openstack-keystone		10:38
*** markvoelker has quit IRC		10:43
samueldmq	nisha_: commented	10:45
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Follow up patch for add domain functional tests https://review.openstack.org/332061	10:49
*** chlong\|rhce_trng has joined #openstack-keystone		10:50
samueldmq	nisha_: thanks	10:53
nisha_	samueldmq, great :)	10:53
*** rodrigods has quit IRC		11:00
*** rodrigods has joined #openstack-keystone		11:00
*** GB21 has joined #openstack-keystone		11:00
*** roxanaghe has joined #openstack-keystone		11:02
*** henrynash_ has joined #openstack-keystone		11:03
*** ChanServ sets mode: +v henrynash_		11:03
*** roxanaghe has quit IRC		11:07
*** mvk_ has quit IRC		11:11
*** sheel has quit IRC		11:15
*** TxGVNN has quit IRC		11:24
*** links has quit IRC		11:35
henrynash_	(test)	11:35
*** GB21 has quit IRC		11:36
*** nisha_ has quit IRC		11:36
*** nisha_ has joined #openstack-keystone		11:37
*** real56 has joined #openstack-keystone		11:37
*** markvoelker has joined #openstack-keystone		11:39
*** markvoelker has quit IRC		11:46
*** links has joined #openstack-keystone		11:47
*** GB21 has joined #openstack-keystone		11:53
*** mvk_ has joined #openstack-keystone		11:54
*** nisha_ has quit IRC		11:59
*** nisha_ has joined #openstack-keystone		12:00
*** roxanaghe has joined #openstack-keystone		12:03
*** raildo-afk is now known as raildo		12:07
*** josecastroleon has joined #openstack-keystone		12:07
*** roxanaghe has quit IRC		12:08
*** yolanda has joined #openstack-keystone		12:08
*** shoutm has quit IRC		12:10
*** dave-mccowan has joined #openstack-keystone		12:11
*** shoutm has joined #openstack-keystone		12:15
*** markvoelker has joined #openstack-keystone		12:16
*** henrynash_ has quit IRC		12:18
*** GB21 has quit IRC		12:21
*** gordc has joined #openstack-keystone		12:22
*** real56 has quit IRC		12:22
*** ddieterly has joined #openstack-keystone		12:22
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	12:23
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support https://review.openstack.org/330464	12:23
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument https://review.openstack.org/330465	12:23
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	12:25
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support https://review.openstack.org/330464	12:25
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument https://review.openstack.org/330465	12:25
*** amoralej is now known as amoralej\|lunch		12:25
*** links has quit IRC		12:33
*** ddieterly has quit IRC		12:35
*** daemontool has joined #openstack-keystone		12:40
*** fesp has joined #openstack-keystone		12:44
*** TxGVNN has joined #openstack-keystone		12:46
*** links has joined #openstack-keystone		12:46
*** fesp has quit IRC		12:46
*** real56 has joined #openstack-keystone		12:46
*** pauloewerton has joined #openstack-keystone		12:50
*** code-R has joined #openstack-keystone		12:51
dstanek	samueldmq: you're here way to early for me	12:51
*** TxGVNN has quit IRC		12:52
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 groups https://review.openstack.org/332121	12:52
*** code-R_ has joined #openstack-keystone		12:53
samueldmq	dstanek: hey, hehe	12:55
*** henrynash_ has joined #openstack-keystone		12:55
*** ChanServ sets mode: +v henrynash_		12:55
*** code-R has quit IRC		12:56
*** ddieterly has joined #openstack-keystone		12:56
*** real56 has quit IRC		13:02
*** nisha_ has quit IRC		13:02
*** real56 has joined #openstack-keystone		13:02
*** real56 has quit IRC		13:03
*** roxanaghe has joined #openstack-keystone		13:04
*** real56 has joined #openstack-keystone		13:04
*** real56 has quit IRC		13:05
*** ddieterly has quit IRC		13:06
*** roxanaghe has quit IRC		13:08
*** code-R_ has quit IRC		13:09
*** real56 has joined #openstack-keystone		13:09
*** edmondsw has joined #openstack-keystone		13:10
*** afred312 has quit IRC		13:11
*** sigmavirus24_awa is now known as sigmavirus24		13:14
*** real56 has quit IRC		13:15
*** real56 has joined #openstack-keystone		13:16
*** real56 has quit IRC		13:19
*** amoralej\|lunch is now known as amoralej		13:20
*** fifieldt has joined #openstack-keystone		13:20
*** links has quit IRC		13:23
*** real56 has joined #openstack-keystone		13:23
*** richm has joined #openstack-keystone		13:26
*** shoutm has quit IRC		13:26
*** code-R has joined #openstack-keystone		13:27
*** BigWillie has joined #openstack-keystone		13:34
*** ddieterly has joined #openstack-keystone		13:34
*** afred312 has joined #openstack-keystone		13:35
*** woodburn has joined #openstack-keystone		13:35
*** sdake has joined #openstack-keystone		13:36
*** yolanda has quit IRC		13:43
*** afred312 has quit IRC		13:46
*** afred312 has joined #openstack-keystone		13:47
*** openstackgerrit has quit IRC		13:48
*** openstackgerrit has joined #openstack-keystone		13:48
*** walharthi has joined #openstack-keystone		13:50
*** afred312 has quit IRC		13:51
*** ddieterly is now known as ddieterly[away]		13:53
*** code-R has quit IRC		13:53
*** code-R has joined #openstack-keystone		13:54
*** ametts has joined #openstack-keystone		13:55
openstackgerrit	Merged openstack/keystonemiddleware: Clean up middleware architecture https://review.openstack.org/331842	13:56
*** rderose has joined #openstack-keystone		13:58
*** amakarov has joined #openstack-keystone		13:58
*** afred312 has joined #openstack-keystone		14:00
*** fifieldt has quit IRC		14:01
*** jaosorior has quit IRC		14:01
*** ddieterly[away] is now known as ddieterly		14:02
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Improve docs for v3 groups https://review.openstack.org/332121	14:03
*** code-R_ has joined #openstack-keystone		14:04
*** roxanaghe has joined #openstack-keystone		14:05
*** code-R has quit IRC		14:07
*** afred312 has quit IRC		14:08
*** afred312 has joined #openstack-keystone		14:08
*** roxanaghe has quit IRC		14:09
*** stevemar has joined #openstack-keystone		14:12
*** ChanServ sets mode: +o stevemar		14:12
openstackgerrit	Merged openstack/python-keystoneclient: Follow up patch for add domain functional tests https://review.openstack.org/332061	14:14
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2 docs from api-ref repo https://review.openstack.org/322173	14:16
openstackgerrit	Lance Bragstad proposed openstack/keystoneauth: Fix code example for OAuth1 authentication https://review.openstack.org/332166	14:26
*** tonytan4ever has joined #openstack-keystone		14:28
*** amrith has quit IRC		14:28
*** amrith has joined #openstack-keystone		14:28
lbragstad	notmorgan what was that python interpretter you were showing me and dstanek at the summit?	14:36
lbragstad	interpreter*	14:36
lbragstad	stevemar can you tell i've been reading docs that last two days? ;)	14:38
*** phalmos has joined #openstack-keystone		14:38
dstanek	lbragstad: ?	14:40
lbragstad	dstanek maybe it was dolphm?	14:41
dstanek	lbragstad: what was it?	14:41
lbragstad	dstanek rpdb? ipdb?	14:41
lbragstad	something like that	14:41
dstanek	ah, a debugger?	14:41
lbragstad	it was a python interpreter that inspected a bunch of stuff and fuzzy completed stuff for you	14:42
*** jorge_munoz has joined #openstack-keystone		14:42
*** ninag has joined #openstack-keystone		14:42
*** ninag has quit IRC		14:43
*** afred312 has quit IRC		14:46
*** yolanda has joined #openstack-keystone		14:47
breton_	ipython?	14:47
lbragstad	it was something like that, but i can't really remember... i don't think it was ipython or ipdb, but it reminded me of it	14:48
*** edtubill has joined #openstack-keystone		14:49
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation model https://review.openstack.org/208488	14:50
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation assignment driver https://review.openstack.org/291318	14:50
openstackgerrit	Alexander Makarov proposed openstack/keystone: Delegation parent discovery function https://review.openstack.org/330573	14:50
*** nkinder has joined #openstack-keystone		14:50
*** timcline has joined #openstack-keystone		14:50
*** timcline has quit IRC		14:51
openstackgerrit	Merged openstack/keystone: Correct domain_id and name constraint dropping https://review.openstack.org/329855	14:51
*** timcline has joined #openstack-keystone		14:51
*** woodburn has quit IRC		14:52
*** raddaoui has joined #openstack-keystone		14:53
dstanek	lbragstad: i think i remember him demoing that	14:53
dstanek	i don't remembe what it was though	14:53
lbragstad	dstanek me either - i just remember watching over his shoulder and I wanted to make a note to mess with it	14:54
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation assignment driver https://review.openstack.org/291318	14:56
openstackgerrit	Alexander Makarov proposed openstack/keystone: Delegation parent discovery function https://review.openstack.org/330573	14:56
amakarov	notmorgan, o/	14:57
amakarov	notmorgan, can you please help with https://gerrit.sqlalchemy.org/#/c/108?	14:58
*** nisha_ has joined #openstack-keystone		14:59
*** lucas____ has joined #openstack-keystone		14:59
*** julim has joined #openstack-keystone		15:00
*** KevinE has joined #openstack-keystone		15:00
*** jaugustine has joined #openstack-keystone		15:00
amakarov	lbragstad, pudb is an interesting staff - it even has a ui	15:00
*** KevinE has quit IRC		15:00
lbragstad	amakarov interesting - i wonder if that was it...	15:01
*** jorge_munoz_ has joined #openstack-keystone		15:01
amakarov	lbragstad, it mimics Borland DOS debugger	15:01
*** KevinE has joined #openstack-keystone		15:01
amakarov	c/pascal I mean	15:02
*** daemontool has quit IRC		15:02
*** jorge_munoz has quit IRC		15:02
*** jorge_munoz_ is now known as jorge_munoz		15:02
*** jaugustine_ has joined #openstack-keystone		15:05
*** jaugustine has quit IRC		15:06
openstackgerrit	Merged openstack/keystone: Make sure to use InnoDB as the DB engine https://review.openstack.org/331872	15:12
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284	15:15
*** nisha_ has quit IRC		15:16
*** code-R_ has quit IRC		15:18
*** nisha_ has joined #openstack-keystone		15:20
*** jaugustine_ has quit IRC		15:21
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284	15:21
*** jaugustine has joined #openstack-keystone		15:22
*** ebarrera has quit IRC		15:24
*** belmoreira has quit IRC		15:29
*** tristanC has joined #openstack-keystone		15:34
*** TxGVNN has joined #openstack-keystone		15:35
*** pcaruana has quit IRC		15:35
*** slberger has joined #openstack-keystone		15:38
*** jaugustine has quit IRC		15:39
*** jaosorior has joined #openstack-keystone		15:39
*** walharthi has quit IRC		15:39
*** jaugustine has joined #openstack-keystone		15:40
*** jaugustine has quit IRC		15:43
*** jaugustine has joined #openstack-keystone		15:43
stevemar	lbragstad: just a bit :)	15:44
*** dan_nguyen has joined #openstack-keystone		15:47
*** jaugustine has quit IRC		15:48
*** ddieterly is now known as ddieterly[away]		15:51
*** gyee has joined #openstack-keystone		15:53
*** ChanServ sets mode: +v gyee		15:53
*** afred312 has joined #openstack-keystone		15:53
*** ebarrera has joined #openstack-keystone		15:54
*** dmk0202 has joined #openstack-keystone		15:54
*** ddieterly[away] is now known as ddieterly		15:55
*** chris__hultin is now known as chris_hultin		15:57
*** real56 has quit IRC		15:58
*** yolanda has quit IRC		16:04
-openstackstatus- NOTICE: Gerrit is being restarted now to apply an emergency security-related configuration change		16:05
*** adrian_otto has joined #openstack-keystone		16:09
*** mserngawy_ has joined #openstack-keystone		16:15
*** dmk0202 has quit IRC		16:22
*** roxanaghe has joined #openstack-keystone		16:24
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password history requirements https://review.openstack.org/328339	16:24
*** adrian_otto has quit IRC		16:25
*** adrian_otto has joined #openstack-keystone		16:25
*** phalmos has quit IRC		16:28
*** browne has joined #openstack-keystone		16:28
*** darosale has joined #openstack-keystone		16:28
*** stevemar has quit IRC		16:29
*** links has joined #openstack-keystone		16:30
*** roxanaghe_ has joined #openstack-keystone		16:33
*** roxanaghe has quit IRC		16:33
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password history requirements https://review.openstack.org/328339	16:35
*** GB21 has joined #openstack-keystone		16:35
*** GB21 has quit IRC		16:36
*** TxGVNN has quit IRC		16:36
*** david-lyle has quit IRC		16:38
*** david-lyle has joined #openstack-keystone		16:38
*** jaosorior has quit IRC		16:40
*** lucas____ has quit IRC		16:41
samueldmq	bknudson_: hi, I didn't get your comment here https://review.openstack.org/#/c/322247/	16:42
patchbot	samueldmq: patch 322247 - keystone - Migrate identity /v2-admin docs from api-ref repo	16:42
*** adrian_otto has left #openstack-keystone		16:42
*** tonytan4ever has quit IRC		16:45
*** lucas____ has joined #openstack-keystone		16:50
*** catintheroof has joined #openstack-keystone		16:53
*** lucas____ has quit IRC		16:54
*** mvk_ has quit IRC		16:58
openstackgerrit	Merged openstack/python-keystoneclient: Improve docs for v3 groups https://review.openstack.org/332121	16:59
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284	16:59
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password history requirements https://review.openstack.org/328339	16:59
*** pushkaru has joined #openstack-keystone		17:01
*** jaugustine has joined #openstack-keystone		17:01
*** BjoernT has joined #openstack-keystone		17:10
*** roxanaghe_ has quit IRC		17:10
*** roxanaghe has joined #openstack-keystone		17:11
bknudson_	samueldmq: http://docs-draft.openstack.org/47/322247/5/check/gate-keystone-api-ref/a1f1a91//api-ref/build/html/v2-admin/admin-extensions.html	17:15
samueldmq	bknudson_: was just copying at it was there in api-ref	17:16
*** vern has joined #openstack-keystone		17:16
samueldmq	bknudson_: I agree that's not necessary though, I will remove it	17:16
samueldmq	bknudson_: thanks	17:16
*** lucas____ has joined #openstack-keystone		17:16
*** jaugustine has quit IRC		17:18
*** nisha__ has joined #openstack-keystone		17:18
*** jaugustine has joined #openstack-keystone		17:20
*** ddieterly is now known as ddieterly[away]		17:21
*** nisha_ has quit IRC		17:21
lbragstad	jamielennox you have the reservation spec topic, right?	17:22
*** sdake_ has joined #openstack-keystone		17:24
*** shaleh has joined #openstack-keystone		17:26
*** sdake has quit IRC		17:27
*** jdennis has quit IRC		17:30
*** jbell8 has joined #openstack-keystone		17:32
openstackgerrit	Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users https://review.openstack.org/284943	17:32
*** ayoung has quit IRC		17:33
*** stevemar has joined #openstack-keystone		17:36
*** ChanServ sets mode: +o stevemar		17:36
*** jdennis has joined #openstack-keystone		17:36
henrynash_	rderose: hi	17:37
stevemar	damn irc bouncer is down	17:37
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Complete RBAC in keystone https://review.openstack.org/325326	17:37
rderose	henrynash_: hi	17:37
henrynash_	redrose: so tahnks for the udpates to the sql changes for passwords (and was confused for a while when you missed out the actual file that updated the db !!)	17:38
rderose	henrynash_: yeah, doing too many things at once :)	17:39
rderose	henrynash_: thanks for the feedback, totally didn't see there was an exception field	17:39
henrynash_	redrose: I assume you are avoiding a server default on the created_at field due to compatbility between databases? Or is there some other reason? (since this would cure the problem of rolling upgrdaes)	17:39
*** pnavarro has quit IRC		17:39
openstackgerrit	Roxana Gherle proposed openstack/keystone: /services?name=<name> API fails when using list_limit https://review.openstack.org/331790	17:39
rderose	henrynash_: server_default is only used for table creates; not alter table	17:40
*** pcaruana has joined #openstack-keystone		17:40
henrynash_	redrose: (I liked what you did with settingteh values….until I thoougt about rolling upgrades)	17:40
*** phalmos has joined #openstack-keystone		17:40
rderose	henrynash_: oh boy :)	17:40
henrynash_	rderose: you can’t have server_default on a new column ou are adding?	17:40
rderose	henrynash_: correct, because add column will result in an alter table; not a table create	17:41
rderose	henrynash_: at least that is my understanding	17:41
henrynash_	rderose: that’s a bummer	17:41
rderose	henrynash_: yeah	17:41
henrynash_	rderose: and alter table is bad becuase…?	17:42
*** rcernin has quit IRC		17:43
rderose	henrynash_: alter table is not bad, it's just that when you add a column, you run an alter table command, as opposed to create. and like I said, the server_default only works for create table command. does that make sense?	17:44
openstackgerrit	Roxana Gherle proposed openstack/keystone: /services?name=<name> API fails when using list_limit https://review.openstack.org/331790	17:44
openstackgerrit	Roxana Gherle proposed openstack/keystone: /services?name=<name> API fails when using list_limit https://review.openstack.org/331790	17:45
*** gagehugo has joined #openstack-keystone		17:46
henrynash_	rderose: ah, i see what you are saying…let me dig into that a bit, but you may be right….we should think about wht we do here…one altenative is we do’t alter the column (yet), and once we have rolled all the keystone, update the column in a finish migration” step (would be part of keystone-manage)…that’s the way rolling upgrades are meant to work….	17:46
rderose	henrynash_: and setting a default datetime value is different for sqlite, mysql, and postgres	17:46
rderose	henrynash_: hmm... interesting	17:47
henrynash_	rderose: People are trying to do rolling upgrades with keystone already (an we had bugs reported for Liberty to Mitaka)	17:47
rderose	henrynash_: I see	17:47
henrynash_	rderose: I think we agreed that we were going to start officially supporting them with Newton….but I was never exactly sure if we did decide that at thesummit!	17:48
*** jaugustine has quit IRC		17:48
stevemar	henrynash_: we did!	17:48
henrynash_	(just checking!)	17:49
stevemar	henrynash_: rderose no more subtractive changes (renames, drops, etc)	17:49
*** itlinux has quit IRC		17:49
*** jaugustine has joined #openstack-keystone		17:50
henrynash_	stevemar: this is a littlemore subtle…if you want to add a colum..but have the server populate teh value (so that older clients still work)…is the aisseu at hand here	17:50
rderose	stevemar: https://review.openstack.org/#/c/314284	17:50
rderose	stevemar henrynash_: yeah, so adding a created_at column, populating it, and then setting it to be not nullable	17:51
rderose	stevemar: and setting a default datetime value is not supported (spent hours trying to get that to work)	17:52
*** spandhe has joined #openstack-keystone		17:55
*** jaugustine has quit IRC		17:56
*** jaugustine has joined #openstack-keystone		17:57
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo https://review.openstack.org/322247	17:57
samueldmq	bknudson_: ^	17:57
samueldmq	thanks	17:57
stevemar	meeting time	17:59
samueldmq	\o/	18:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/332298	18:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/332299	18:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/332300	18:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/ldappool: Updated from global requirements https://review.openstack.org/322990	18:00
*** ebarrera has quit IRC		18:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/332346	18:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements https://review.openstack.org/332357	18:04
*** ayoung has joined #openstack-keystone		18:05
*** ChanServ sets mode: +v ayoung		18:05
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/332369	18:05
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/331181	18:05
*** BjoernT has quit IRC		18:07
*** amoralej is now known as amoralej\|off		18:11
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add group functional tests Adds functional tests for groups. For now, the tests are created under a single class. Once we have a gate that runs against LDAP, we will create a class that only contains readonly tests and a tox call for it (e.g tox -e functi https://review.openstack.org/332411	18:14
openstackgerrit	David Stanek proposed openstack/keystone: WIP: please don't review me https://review.openstack.org/211693	18:16
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add group functional tests https://review.openstack.org/332411	18:16
*** phalmos has quit IRC		18:16
*** topol has joined #openstack-keystone		18:17
*** ChanServ sets mode: +v topol		18:17
*** mwheckmann has joined #openstack-keystone		18:19
*** phalmos has joined #openstack-keystone		18:19
*** ddieterly[away] has quit IRC		18:21
*** pcaruana has quit IRC		18:22
*** dan_nguyen has quit IRC		18:30
*** BjoernT has joined #openstack-keystone		18:32
*** nisha__ has quit IRC		18:32
*** ninag has joined #openstack-keystone		18:35
*** ninag has quit IRC		18:36
*** links has quit IRC		18:36
*** phalmos has quit IRC		18:40
*** ddieterly has joined #openstack-keystone		18:41
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation model https://review.openstack.org/208488	18:42
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation assignment driver https://review.openstack.org/291318	18:42
openstackgerrit	Alexander Makarov proposed openstack/keystone: Delegation parent discovery function https://review.openstack.org/330573	18:42
*** htruta` is now known as htruta		18:48
*** timcline has quit IRC		18:50
*** catintheroof has quit IRC		18:51
*** timcline has joined #openstack-keystone		18:51
*** catintheroof has joined #openstack-keystone		18:51
*** jaosorior has joined #openstack-keystone		18:52
*** ayoung has quit IRC		18:54
*** timcline has quit IRC		18:55
*** sdake has joined #openstack-keystone		18:56
*** ayoung has joined #openstack-keystone		18:59
*** ChanServ sets mode: +v ayoung		18:59
*** sdake_ has quit IRC		18:59
gyee	henrynash, I thought we agreed on nasted domains sometime ago no?	19:00
*** ayoung has quit IRC		19:00
jamielennox	notmorgan: drop paste? i would like to consolidate a bunch of paste into the core service - but i see no reason to drop it	19:01
raildo	gyee: it's a next step, after this project naming constraint issue	19:01
notmorgan	jamielennox: yes. drop paste	19:01
jamielennox	just dangle that bait right at the end of the meeting	19:01
notmorgan	because upgrades are a PITA	19:01
notmorgan	basically we need to stop shipping "config" that is "required" to run the service	19:01
notmorgan	solution: provide in a config file a list of classes/entrypoints to load as middleware	19:01
dstanek	notmorgan: i'm also removing routes in an experimental patch	19:01
gyee	raildo, k, I was confused about the dependencies	19:02
notmorgan	and hook into the paste library stuff.	19:02
notmorgan	dstanek: nice.	19:02
notmorgan	jamielennox: this is for something openstack-wide	19:02
dstanek	notmorgan: fixing up my flask patch for mid-cycle	19:02
jamielennox	dstanek: i had another look at routes - if we didn't do things the crazy router way we do now it's not so bad	19:02
notmorgan	jamielennox: the goal is to POC having "Sane" defaults for running a service with no configs on disk so pip doesn't have to create/install them	19:02
dstanek	jamielennox: it doesnt' jive well with the flask stuff i'm doing	19:02
notmorgan	this includes making policy.json defaults in-code with an extract-like-sample-config tool	19:03
gyee	ayoung, this is going to be sad, just received an alert on neighborhood locked down in progress, active shooter in camp park	19:03
notmorgan	for overrides.	19:03
gyee	ayoung, hope no one gets hurt	19:03
jamielennox	dstanek: i would still prefer flask	19:03
jamielennox	dstanek: was just thinking it was still a ways out	19:03
notmorgan	gyee: :(	19:03
notmorgan	dstanek: yay flask.	19:03
*** erhudy has joined #openstack-keystone		19:03
gyee	notmorgan, I am staying indoors till they lift the alert	19:03
jamielennox	notmorgan: meh to no configs on disk, you're always going to have configs on disk and pip should just stay out of it	19:04
notmorgan	jamielennox: you are, but in this case we have things that can't be generated.	19:04
notmorgan	and must exist.	19:04
notmorgan	you can't turn on keystone w/o a paste.ini	19:04
notmorgan	and that is something we ship like code	19:04
notmorgan	but is "user editable"	19:04
*** jaosorior has quit IRC		19:05
notmorgan	it puts pip and non-distro packages into a weird/unhappy place	19:05
notmorgan	since they need to reach beyond their means and get very inconsistent results	19:05
jamielennox	that's because IMO we went way to far down the everything middleware option	19:05
breton_	who cares about pip and non-distro packages?	19:05
notmorgan	an example is rootwrap	19:05
notmorgan	it has to install things in sudoers to work	19:05
notmorgan	breton_: people doing docker containers and custom rolled installs.	19:06
jamielennox	if you remove everything that is not optional from paste (like auth_context) paste is fine	19:06
notmorgan	breton_: via pip, etc	19:06
notmorgan	jamielennox: so why even keep paste.ini?	19:06
breton_	notmorgan: oh ok	19:06
jamielennox	notmorgan: because people customize it - a lot	19:06
notmorgan	jamielennox: we can just pass a list of classes to load	19:06
notmorgan	jamielennox: it's all hooks under the hood.	19:06
jamielennox	notmorgan: and from a pure middleware perspective it's kinda nice	19:06
jamielennox	ok, not nice	19:06
stevemar	jamielennox: handy? :)	19:06
jamielennox	but you get used to it and it's fairly obvious	19:06
notmorgan	jamielennox: yeah. it's just respinning how we get that data into paste	19:07
notmorgan	jamielennox: removing the paste.ini itself.	19:07
notmorgan	but hooking into the same mechanism still.	19:07
notmorgan	then we don't need to ship a paste.ini	19:07
jamielennox	yea, i don't know, having the info in paste vs having the info in conf not sure if people care, you'll still have upgrade problems	19:07
notmorgan	jamielennox: the difference is we don't have to ship something to run the service	19:08
jamielennox	notmorgan: keystone.conf ?	19:08
notmorgan	you can run keystone w/o it today --- not well	19:08
notmorgan	but you can	19:08
notmorgan	it defaults to sqlite.	19:08
notmorgan	but doable	19:08
jamielennox	you can't point to a db without keystone.conf - so i'd argue you can't	19:08
notmorgan	requiring a file on disk in /etc/ (basically) that is effectively code, is an issue	19:09
notmorgan	if it is config, that is fine, don't mix code and config.	19:09
jamielennox	if sqlite is a fine default then the use case you care about is: pip install keystone && keystone-all	19:10
jamielennox	and keystone-all doesn't exist any more	19:10
notmorgan	jamielennox: wsgi-ref	19:10
jamielennox	notmorgan: why optimize for that case? who cares?	19:10
notmorgan	jamielennox: i care that when someone upgrades keystone they don't need to worry if we add/remove components from the middleware	19:10
*** shewless has joined #openstack-keystone		19:11
jamielennox	notmorgan: would we not be doing that in CONF?	19:11
notmorgan	jamielennox: if you supply your own middleware it should still work / be loaded	19:11
bknudson_	there's a keystone-public-wsgi script you can run in place of keystone-all.	19:11
notmorgan	jamielennox: WE ARE doing it in conf now.	19:11
shewless	Hello guys. Thanks again for all of your help getting keystone federation to work. dstanek especially. ayoung as well. I finally got it working with testshib. Soon I will be trying with my ADFS IDP at work.	19:11
bknudson_	there is a use case for not requiring any config files for keystone but it's testing.	19:11
jamielennox	bknudson_: yea, forgot that did a simple server when run directly	19:11
notmorgan	jamielennox: so - my answer is tryinbg to get us out from under "ship these files that are identical in 90% of the deploys"	19:11
bknudson_	see the comments in the review to install some etc.	19:11
shewless	My main problem was the "UseCanonicalNames" in my apache settings. That "sort of" made it work but in the end it caused that bug where I would get a page not found error the first time	19:12
notmorgan	if you want to have ytour own config, please do. but pip shouldn't need to be config-file aware at all.	19:12
notmorgan	there are reasons (see ML topic on PBR, wheels, etc)	19:12
bknudson_	https://review.openstack.org/#/c/326152/	19:12
patchbot	bknudson_: patch 326152 - keystone - Revert "Install necessary files in etc/"	19:12
notmorgan	bknudson_: that was the start of it.	19:12
notmorgan	bknudson_: it turns out it is a much much bigger problem	19:13
jamielennox	notmorgan: so i get that argument - but to me that means pip should sort itself out, not that every service needs to run without config files	19:13
bknudson_	shouldn't need to install the sample keystone.conf file, since it's all comments.	19:13
shewless	For what it's worth the instructions here could use some love (http://docs.openstack.org/developer/keystone/federation/shibboleth.html). Especially just to note that everything goes in vh 5000	19:13
jamielennox	notmorgan: everyone _is_ going to need a config file and optimizing for the stupid case isn't useful	19:13
notmorgan	jamielennox: you can't expect pip to sort itself out	19:13
notmorgan	jamielennox: and before we can set out a policy that setup.cfg does not ship config files	19:14
notmorgan	[as it shouldn't]	19:14
bknudson_	shewless: the source for that documentation is http://git.openstack.org/cgit/openstack/keystone/tree/doc/source/federation/shibboleth.rst	19:14
shewless	I have a question though. Even though I'm using port 5000 is everything in "federation" encrypted because via the SP and IdP by default?	19:14
notmorgan	we need to address shipping config files by default	19:14
notmorgan	these are config, not data files. and we (openstack) should not be shipping config in setup.cfg.	19:14
shewless	bknudson_: I may just update the docs. I suppose I have to do a push request or something to get it reviewed?	19:15
jamielennox	notmorgan: ok, agreed, don't ship them in setup.cfg - done?	19:15
notmorgan	jamielennox: then you don't have paste-ini for venvs.	19:15
notmorgan	jamielennox: and need to extract explicitly multi-step wise. something that is 90+% the same in every environment	19:15
openstackgerrit	Merged openstack/keystoneauth: Fix code example for OAuth1 authentication https://review.openstack.org/332166	19:15
notmorgan	why not make it code, like it really is	19:15
bknudson_	shewless: I hope this explains it: https://wiki.openstack.org/wiki/How_To_Contribute (It's been a while)	19:16
notmorgan	allow a config option to add middleware(s) [hook]	19:16
notmorgan	and we can stop needing to ship paste-ini files.	19:16
dstanek	shewless: yw	19:16
jamielennox	notmorgan: ok, i will look at the proposal when up, but going from deploying zero configs to one is a big deal, going from deploying one to two or three is trivial	19:17
*** dan_nguyen has joined #openstack-keystone		19:17
jamielennox	notmorgan: and it seems like the overall effect will just be pushing everything into one	19:17
notmorgan	jamielennox: it's an issue from a "openstack works and is upgradable" standpoint	19:17
notmorgan	jamielennox: in docker containers, venvs, git, and distropackages	19:18
shewless	I was also able to get each user to have their own project on login. The only caveat is that I have to create the project/group ahead of time.. kind of a bummer but we already have "new user" scripts that run so no big deal	19:18
dstanek	henrynash_: i pitched as idea for an alternative approach to the project naming spec in a comment on the spec	19:18
jamielennox	notmorgan: unless you are expecting it to pull that kind of config at runtime (i once had a spec for that) it doesn't change the need for filse	19:18
notmorgan	jamielennox: and i totally disagree between 1 to 2-3 for 18 services	19:18
notmorgan	jamielennox: 1 config -> 18, 2-3 -> 18*2-3	19:19
mwheckmann	shewless: care to share your mapping? I'm about to embark on a similar mapping scheme	19:19
notmorgan	especially since they are are very different.	19:19
*** gyee has quit IRC		19:19
jamielennox	you will always end up diffing old config vs new config files to figure out what has changed beneath you	19:19
notmorgan	and we're now eliminating a highly complex, highly static config file	19:20
jamielennox	you're eliminating a file by putting its content into another file	19:20
notmorgan	no	19:20
*** joaotargino has joined #openstack-keystone		19:20
notmorgan	i'm eliminating 90% of a config file	19:20
notmorgan	and allowing the part that people actually change to go into the config file	19:21
notmorgan	and that 90% is effectively static data	19:21
*** dan_nguyen has quit IRC		19:22
notmorgan	and if it isn't static... you risk seriously breaking everything	19:22
notmorgan	so, lets eliminate/make this easier to work with.	19:22
jamielennox	ok	19:22
shewless	mwheckmann: sure: http://paste.ubuntu.com/17658442. Thank you for the help as well BTW. It helped me realize what my problem was.. though I did go back to shibboleth in the end	19:22
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/331181	19:22
notmorgan	the difference between saying "use these classes as middleware" [or entry points] and "update the paste-ini file to add them" is significant	19:23
shewless	mwheckmann: the "type" is the attribute pulled by your service provider. you should have a domain called "foo" in this case as well	19:24
shewless	mwheckmann: and you need to run these 3 commands per user... maybe it can be paired down to 2 commands.. still need to explore	19:24
jamielennox	notmorgan: so i realize i'm being overly difficult - and they have become too complex with required stuff, so anything we can do to clean that up i'd be for	19:24
mwheckmann	shewless: np. thanks for the mapping. So it looks like you're mapping them to a local group w/ same name as their remote username? correct?	19:24
shewless	mwheckmann: "openstack group create Ego --domain foo" "openstack project create Ego --domain foo" openstack role add user --group Ego --project Ego	19:25
notmorgan	jamielennox: i really wouldn't care too much, but i'm trying to resolve the "stop shipping config" openstack-wide via pip as a policy	19:25
jamielennox	notmorgan: but it's biting off a big cross-project spec to work around pip problems which we could get around by saying "don't ship conf files"	19:25
notmorgan	jamielennox: and this is one of the [easier] things to tackle. policy is harder (but will have a pattern for it)	19:25
shewless	mwheckmann: yes. that is why I need to run those commands to create local groups and projects	19:25
notmorgan	jamielennox: pip problems have been problems for year+ noiw	19:25
*** roxanaghe has quit IRC		19:26
notmorgan	and it's not solving itself, even when folks get involved it's even harder to address since setuptools, wheels, and distools work in mysterious ways	19:26
jamielennox	notmorgan: and i have seen what happens to people who mess with that stuff and have zero interest in going there	19:26
*** edtubill has quit IRC		19:26
notmorgan	we can say "don't ship config in setup.cfg, it's the wrong tool for the job for lots of reasons"	19:26
shewless	mwheckmann: in my case I want users to have a unique project that is named the same as their user name... since federation only allows me to map users to groups I have to also create a group with the same name as the user and map the project and role to the group.. if that makes sense..	19:26
*** mwheckma1n has joined #openstack-keystone		19:26
notmorgan	jamielennox: and we do rely on pip for a lot of things and a lot of deployers do	19:26
shewless	mwheckmann: if you find a better way let me know! :)	19:27
*** permalac_ has joined #openstack-keystone		19:27
jamielennox	notmorgan: anyway - we could fix this by consolidating all the non-optional middleware into core, and if that leaves an empty paste file - then skip paste	19:27
notmorgan	jamielennox: except you can't	19:27
notmorgan	jamielennox: paste.ini is still needed to load the core service atm	19:27
notmorgan	jamielennox: which is what i want to fix.	19:27
*** topol_ has joined #openstack-keystone		19:27
*** ChanServ sets mode: +v topol_		19:27
*** darosale_ has joined #openstack-keystone		19:27
jamielennox	if file not found, load services directly	19:28
notmorgan	jamielennox: then why not just go the next step and make it so you can just specify a list of middleware that isn't core?	19:28
*** henrynash has quit IRC		19:28
*** martinus__ has quit IRC		19:28
*** henrynash_ is now known as henrynash		19:28
jamielennox	notmorgan: we do, in paste	19:28
jamielennox	:)	19:29
notmorgan	jamielennox: but you now need to create the entire paste file!!	19:29
notmorgan	ugh.	19:29
*** samueldmq has quit IRC		19:29
notmorgan	what a terrible awful design	19:29
jamielennox	alright - this one doesn't really bother me and i didn't expect to argue about it	19:29
notmorgan	:P	19:29
*** mwheckmann has quit IRC		19:29
*** darosale has quit IRC		19:29
*** rdo has quit IRC		19:29
notmorgan	i know it doesn't impact you	19:29
*** mwheckma1n is now known as mwheckmann		19:30
notmorgan	in fact, it hardly impacts keystone	19:30
*** darosale_ is now known as darosale		19:30
notmorgan	it impacts nova privsep, etc much much more	19:30
jamielennox	personally i don't see the effort worth the reward but if you do then it's worth it	19:30
notmorgan	and we should be consistent openstack wide	19:30
*** topol has quit IRC		19:30
*** david-lyle has quit IRC		19:30
*** gabriel-bezerra has quit IRC		19:30
*** permalac has quit IRC		19:31
*** hoonetorg has quit IRC		19:31
*** tristanC has quit IRC		19:31
*** tonyb has quit IRC		19:31
*** rdo has joined #openstack-keystone		19:31
openstackgerrit	Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users https://review.openstack.org/284943	19:31
notmorgan	jamielennox: this isn't the stupid case	19:32
notmorgan	ugh sorry backscroll	19:32
*** tristanC has joined #openstack-keystone		19:32
notmorgan	and up-arrow	19:32
*** tonyb has joined #openstack-keystone		19:32
mwheckmann	shewless: perfect. thanks for confirming. I'm looking at the classic case of mapping users to shared projects. But this spec for Newton will do what you want without pre-creating: https://review.openstack.org/#/c/324055/2/specs/keystone/newton/shadow-mapping.rst	19:32
patchbot	mwheckmann: patch 324055 - keystone-specs - Mapping shadow users into projects and roles	19:32
shewless	mwheckmann: can't wait :)	19:34
*** henrynash_ has joined #openstack-keystone		19:35
*** ChanServ sets mode: +v henrynash_		19:35
*** martinus__ has joined #openstack-keystone		19:35
*** dave-mccowan has quit IRC		19:36
*** phalmos has joined #openstack-keystone		19:38
*** dave-mccowan has joined #openstack-keystone		19:40
*** ayoung has joined #openstack-keystone		19:40
*** ChanServ sets mode: +v ayoung		19:40
*** topol_ has quit IRC		19:41
*** david-lyle has joined #openstack-keystone		19:41
*** topol has joined #openstack-keystone		19:41
*** ChanServ sets mode: +v topol		19:41
*** gabriel-bezerra has joined #openstack-keystone		19:43
openstackgerrit	Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users https://review.openstack.org/284943	19:43
*** hoonetorg has joined #openstack-keystone		19:43
*** dave-mccowan has quit IRC		19:45
*** timcline has joined #openstack-keystone		19:45
*** dave-mcc_ has joined #openstack-keystone		19:45
*** BigWillie has quit IRC		19:45
*** buhman has quit IRC		19:48
*** timcline has quit IRC		19:49
*** walharthi has joined #openstack-keystone		19:50
*** pushkaru has quit IRC		19:52
*** haplo37_ has joined #openstack-keystone		19:58
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password history requirements https://review.openstack.org/328339	19:59
openstackgerrit	Thomas Herve proposed openstack/keystonemiddleware: Fix an issue with oslo_config_project paste config https://review.openstack.org/332459	20:02
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password history requirements https://review.openstack.org/328339	20:04
*** rcernin has joined #openstack-keystone		20:13
stevemar	EmilienM: you like running off of master eh? :) https://bugs.launchpad.net/aodh/+bug/1594930	20:21
openstack	Launchpad bug 1594930 in keystonemiddleware "aodh fails with keystonemiddleware after commit f8c150a9cc9b407b2df87244daf3342177260e90" [Undecided,In progress] - Assigned to Thomas Herve (therve)	20:21
EmilienM	as usual	20:21
*** lucas____ has quit IRC		20:21
EmilienM	stevemar: please look https://review.openstack.org/#/c/332459/ when you can :)	20:21
patchbot	EmilienM: patch 332459 - keystonemiddleware - Fix an issue with oslo_config_project paste config	20:21
stevemar	EmilienM: i guess it helps to find issues before we release :)	20:21
stevemar	EmilienM: looking now	20:21
EmilienM	stevemar: yeah but it would be cool to also improve keystonemiddleware testing coverage	20:22
*** edtubill has joined #openstack-keystone		20:22
*** lucas____ has joined #openstack-keystone		20:22
jamielennox	EmilienM: oh, https://review.openstack.org/#/c/332459/1/keystonemiddleware/_common/config.py makes a difference?	20:23
patchbot	jamielennox: patch 332459 - keystonemiddleware - Fix an issue with oslo_config_project paste config	20:23
EmilienM	jamielennox: yes	20:23
jamielennox	i guess i didn't check that and assumed that None or empty list would have the same behaviour	20:23
jamielennox	which seemed logical but you shouldn't assume	20:23
*** lucas____ has quit IRC		20:24
*** lucas____ has joined #openstack-keystone		20:26
*** lucas____ has quit IRC		20:26
openstackgerrit	David Stanek proposed openstack/keystone: Reduce setup overhead in auth_plugin tests https://review.openstack.org/266397	20:27
*** markvoelker has quit IRC		20:27
jamielennox	"2	20:27
jamielennox	+2	20:27
*** edtubill has quit IRC		20:29
stevemar	EmilienM: +2 +A	20:29
EmilienM	thanks	20:29
EmilienM	you folks are fast here	20:29
*** lucas____ has joined #openstack-keystone		20:29
bknudson_	we stopped caring about unit tests.	20:30
EmilienM	we figured :P	20:30
*** gagehugo has quit IRC		20:33
*** lucas____ has quit IRC		20:35
*** edtubill has joined #openstack-keystone		20:35
*** edtubill has quit IRC		20:38
*** ayoung has quit IRC		20:38
*** timcline has joined #openstack-keystone		20:39
*** lucas____ has joined #openstack-keystone		20:39
*** dan_nguyen has joined #openstack-keystone		20:40
*** lucas____ has quit IRC		20:41
*** ddieterly is now known as ddieterly[away]		20:42
*** jaugustine_ has joined #openstack-keystone		20:42
*** edtubill has joined #openstack-keystone		20:43
*** timcline_ has joined #openstack-keystone		20:43
*** timcline has quit IRC		20:43
*** jaugustine has quit IRC		20:44
*** jaugustine_ is now known as jaugustine		20:44
jamielennox	in our defence the only thing that uses that code is aodh because they decided they wanted to do things special	20:44
*** dan_nguyen has quit IRC		20:44
*** jaugustine has quit IRC		20:45
*** lucas____ has joined #openstack-keystone		20:45
*** edtubill has quit IRC		20:47
*** lucas____ has quit IRC		20:49
*** roxanaghe has joined #openstack-keystone		20:53
*** lucas____ has joined #openstack-keystone		20:58
dstanek	/b 28	20:58
*** lucas____ has quit IRC		20:59
*** lucas____ has joined #openstack-keystone		20:59
*** lucas____ has quit IRC		21:00
*** lucas____ has joined #openstack-keystone		21:00
*** gyee has joined #openstack-keystone		21:00
*** ChanServ sets mode: +v gyee		21:00
amrith	bknudson_, hello ...	21:01
* amrith wonders whether anybody is home, walks from room to room and finds no one ...		21:02
bknudson_	amrith: what's up?	21:02
amrith	hi bknudson_	21:02
amrith	was wondering if you'd had a chance to look more into the test failures	21:02
amrith	was it that you were expecting .000000	21:02
amrith	that is an isotime() quirk	21:02
bknudson_	not yet. I'll take a look at it now.	21:02
amrith	and not shared by isoformat()	21:02
amrith	ok, thanks	21:03
bknudson_	just set a breakpoint and see what timeutils.isoformat is returning.	21:03
amrith	just wanted to check. what was the testing you did, just ran tox on keystone? I could try that if that's all you did. else I'll wait for your testing.	21:03
*** woodburn has joined #openstack-keystone		21:03
amrith	if you pass it something with a microsecond = 0	21:03
amrith	and you specify microsecond	21:03
amrith	it'll still give you HH:MM:SS+NN:NN or HH:MM:SSZ	21:04
bknudson_	amrith: yes, just ran tox on keystone after installing the new oslo.utils in the venv	21:04
amrith	no .000000	21:04
amrith	that's guaranteed	21:04
amrith	in other words, that is something that I now realize is a difference from isotime()	21:04
*** pauloewerton has quit IRC		21:04
amrith	if you want that behavior, it is easy enough to do ...	21:04
*** ddieterly[away] is now known as ddieterly		21:04
*** raildo is now known as raildo-afk		21:04
bknudson_	I think we will need that behavior otherwise it would cause an incompatible change in the REST API.	21:04
bknudson_	but let me make sure that's the case.	21:05
*** lucas____ has quit IRC		21:05
bknudson_	could just add a testcase to oslo.utils to show how it works, too.	21:05
amrith	yes, I will do that.	21:05
amrith	add the test	21:05
*** yolanda has joined #openstack-keystone		21:06
*** mwheckmann has quit IRC		21:09
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements https://review.openstack.org/328447	21:11
bknudson_	amrith: looks like it was as expected: http://paste.openstack.org/show/520993/	21:13
bknudson_	passed a datetime with at= that didn't have microseconds specified.	21:14
amrith	sorry, I don't follow	21:15
amrith	if you invoke isotime() with subsecond False	21:16
amrith	it will never show subsecond	21:16
amrith	and if you invoke with subsecond True	21:16
amrith	it will always show subsecond	21:16
amrith	with isoformat() it is different	21:16
amrith	if you invoke with subsecond is false, it will never show subsecond	21:16
amrith	if you invoke with subsecond is True but don't provide microsecond information, it will NOT show .000000	21:16
bknudson_	amrith: timeutils.isoformat is called with (datetime.datetime(2016, 6, 21, 21, 12, 39), True) and returns 2016-06-21T21:12:39Z	21:16
amrith	isotime() woud	21:16
amrith	would	21:17
amrith	correct	21:17
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	21:17
amrith	isotime would return 2016-06-21T21:12:39.000000	21:17
bknudson_	if isoformat doesn't work like isotime in this respect then I'm not going to use it in keystone.	21:18
amrith	I have to fix that :)	21:18
amrith	was just waiting to confirm that this was what you needed	21:18
bknudson_	ok	21:18
*** jbell8 has quit IRC		21:19
amrith	see: http://paste.openstack.org/show/520995/	21:19
bknudson_	Looks good.	21:20
amrith	will fix and resubmit	21:20
amrith	thx	21:20
*** markvoelker has joined #openstack-keystone		21:21
bknudson_	I wish isotime didn't have an argument for subsecond=True/False... I have no idea whether the calls are correct.	21:21
openstackgerrit	Roxana Gherle proposed openstack/keystone: /services?name=<name> API fails when using list_limit https://review.openstack.org/331790	21:26
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/332299	21:26
*** walharthi has quit IRC		21:27
openstackgerrit	Merged openstack/pycadf: Updated from global requirements https://review.openstack.org/332357	21:28
*** ddieterly is now known as ddieterly[away]		21:29
*** KevinE_ has joined #openstack-keystone		21:30
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/332369	21:31
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/332346	21:32
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/332300	21:33
*** rderose has quit IRC		21:33
*** KevinE has quit IRC		21:33
rodrigods	stevemar, hey... quick question: what is the policy to decide if a change need a release note or not?	21:34
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/332298	21:34
*** KevinE_ has quit IRC		21:35
*** ddieterly[away] is now known as ddieterly		21:35
*** haplo37_ has quit IRC		21:37
*** topol has quit IRC		21:38
*** markvoelker has quit IRC		21:39
*** rderose has joined #openstack-keystone		21:41
*** ayoung has joined #openstack-keystone		21:41
*** ChanServ sets mode: +v ayoung		21:41
*** rcernin has quit IRC		21:41
*** clayton has quit IRC		21:46
*** stevemar has quit IRC		21:47
*** clayton has joined #openstack-keystone		21:47
*** chlong\|rhce_trng has quit IRC		21:48
*** roxanaghe has quit IRC		21:49
*** markvoelker has joined #openstack-keystone		21:50
*** catintheroof has quit IRC		21:51
*** ametts has quit IRC		21:54
openstackgerrit	Merged openstack/python-keystoneclient: Add group functional tests https://review.openstack.org/332411	21:54
*** jbell8 has joined #openstack-keystone		21:56
*** darosale has quit IRC		21:57
*** woodburn has quit IRC		21:59
*** dan_nguyen has joined #openstack-keystone		22:04
*** jrist has quit IRC		22:06
ayoung	I had to look twice at this domain name https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html	22:06
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct use of isotime https://review.openstack.org/332493	22:11
*** edtubill has joined #openstack-keystone		22:13
*** phalmos has quit IRC		22:14
*** timcline_ has quit IRC		22:15
*** timcline has joined #openstack-keystone		22:15
*** iurygregory_ has joined #openstack-keystone		22:15
*** edtubill has quit IRC		22:17
*** ddieterly is now known as ddieterly[away]		22:19
*** timcline has quit IRC		22:20
*** edmondsw has quit IRC		22:25
jamielennox	ayoung: long, i thought you mistyped it as well	22:29
*** markvoelker has quit IRC		22:36
*** roxanaghe has joined #openstack-keystone		22:41
*** ddieterly[away] is now known as ddieterly		22:43
*** lucas____ has joined #openstack-keystone		22:44
*** edtubill has joined #openstack-keystone		22:47
*** KevinE has joined #openstack-keystone		22:47
*** lucas____ has quit IRC		22:48
*** KevinE has quit IRC		22:51
*** topol has joined #openstack-keystone		22:55
*** ChanServ sets mode: +v topol		22:55
openstackgerrit	Merged openstack/keystonemiddleware: Fix an issue with oslo_config_project paste config https://review.openstack.org/332459	22:57
*** ddieterly has quit IRC		22:57
*** chlong has joined #openstack-keystone		23:02
*** stevemar has joined #openstack-keystone		23:07
*** ChanServ sets mode: +o stevemar		23:07
*** KevinE has joined #openstack-keystone		23:08
*** jbell8 has quit IRC		23:09
*** lucas____ has joined #openstack-keystone		23:10
*** erhudy has quit IRC		23:11
*** stevemar has quit IRC		23:12
*** jrist has joined #openstack-keystone		23:12
*** itlinux has joined #openstack-keystone		23:14
*** lucas____ has quit IRC		23:14
*** stevemar has joined #openstack-keystone		23:18
*** ChanServ sets mode: +o stevemar		23:18
stevemar	rodrigods: depends if the change will impact users	23:18
*** dan_nguyen has quit IRC		23:19
*** shaleh has quit IRC		23:21
*** edtubill has quit IRC		23:22
*** edtubill has joined #openstack-keystone		23:23
*** julim has quit IRC		23:25
*** slberger has left #openstack-keystone		23:27
jamielennox	ayoung: in centos 7.2 ipsilon is still at 1.0.0 - why?	23:35
*** lucas____ has joined #openstack-keystone		23:38
ayoung	jamielennox, Keycloak...	23:40
jamielennox	ayoung: sure, but update to 1.2 anyway	23:41
ayoung	jamielennox, it should probably move to EPEL	23:41
ayoung	jamielennox, but it is that weird catch 22	23:41
jamielennox	could maintain 1.0 in core and 1.2 in epel?	23:42
ayoung	its tech preview, because Keycloak is the basis for the new product.	23:42
ayoung	I don;'t know	23:42
ayoung	is there a COPR for it?	23:42
jamielennox	yea	23:42
*** lucas____ has quit IRC		23:42
jamielennox	https://copr.fedorainfracloud.org/coprs/puiterwijk/ipsilon/	23:42
*** lucas____ has joined #openstack-keystone		23:43
ayoung	jamielennox, https://copr-be.cloud.fedoraproject.org/results/puiterwijk/ipsilon/epel-7-x86_64/00330301-ipsilon/ is up to date	23:43
jamielennox	ayoung: also i might have used keycloak - but that's not packaged	23:43
ayoung	jamielennox, all I want to do is fix policy	23:44
ayoung	and this stuff is my Albatross	23:44
jamielennox	ayoung: reservations will do it	23:44
ayoung	Ha	23:45
ayoung	no, but they will make things better	23:45
ayoung	jamielennox, so, naming	23:45
jamielennox	ayoung: don't call it a token - otherwise i don't cre	23:45
jamielennox	care	23:45
ayoung	jamielennox, the end product is a token. Prior to that, it is a promise	23:46
*** topol has quit IRC		23:46
jamielennox	no the start product is a token	23:46
ayoung	its an implied delegation	23:46
ayoung	jamielennox, ok, I see it something like this	23:46
*** BjoernT has quit IRC		23:46
ayoung	I get a token with a role specific to the operations	23:47
ayoung	I send that to Nova and say "boot server"	23:47
ayoung	nova validates the token, and gets, in the response, one of those things	23:47
*** lucas____ has quit IRC		23:47
ayoung	it hands one of those things to glance, cinder, and neutron during the boot process	23:47
ayoung	possibly one, possibly three depending on how you want to implement	23:48
ayoung	lets say one	23:48
jamielennox	ayoung: i see less reason with this to do "role specific to the operation" but ok, doesn't change it	23:48
jamielennox	one	23:48
ayoung	ok, SO THAT thing is not a reservation. THe reservation is what was created implicitly to allo Nova to get "that thing"	23:48
ayoung	its the delegation	23:48
jamielennox	otherwise the expiry doesn't work	23:48
ayoung	the reservation is created implicitly when I first got the token	23:49
ayoung	so, when Nova validates the token, it exercises the reservation.	23:49
ayoung	I say the right way to complete that statement is "and gets a new token"	23:50
jamielennox	no because the reservation is not created implicitly	23:50
ayoung	THat new token is not limited by the expiry of the original	23:50
ayoung	eyebrows?	23:50
ayoung	it is explicit?	23:50
jamielennox	the reservation here is just an authenticated state transfer right?	23:50
jamielennox	same as tokens now	23:50
ayoung	jamielennox, perhaps a bit more than that	23:51
jamielennox	so it doesn't hit the database but yes you would ask it to create a reservation for you instead of validating your token (token validation included in process)	23:52
openstackgerrit	David Stanek proposed openstack/keystone: Reduce setup overhead in auth_plugin tests https://review.openstack.org/266397	23:52
openstackgerrit	David Stanek proposed openstack/keystone: Limits config fixture usage to where it's needed https://review.openstack.org/266399	23:52
openstackgerrit	David Stanek proposed openstack/keystone: Change the remaining conf setup to use the fixture https://review.openstack.org/266398	23:52
ayoung	hte reservation, since it is managed by Keystone, also allows the service to say "I'm going to need this for a while..." and get a delegation that lasts longer than the original token expiry	23:52
*** lucas____ has joined #openstack-keystone		23:52
jamielennox	ayoung: it's going to have to for now because of the way people implemented trusts	23:52
jamielennox	how we policy that is still undertermined	23:53
ayoung	jamielennox, a reservation (in the hotel sense) is a promise. When you show up to the hotel, you still show your id to get the room, based on the reservation	23:54
ayoung	what you are creating here is more like the key card to the room	23:54
jamielennox	ok, thats not how i'm using it	23:54
ayoung	that is a token	23:54
jamielennox	using the term	23:54
jamielennox	but i'm keen to change it	23:54
ayoung	jamielennox, I really suggest you find an appropriate modifier around the word token	23:54
ayoung	long-lived-tokens	23:54
jamielennox	what if for now we ignore all the other meanings and call in AuthContext	23:54
jamielennox	just for this convo	23:55
ayoung	or service-promoted-happy-tokens	23:55
ayoung	hmmm	23:55
jamielennox	in any other system like this you validate the user's credentials (in this case a token)	23:55
jamielennox	you authorize it's allowed to make the request	23:55
ayoung	so, the AuthCOntext is the end product?	23:55
jamielennox	then you create an AuthContext with the user information	23:55
ayoung	even with tokens, what you really want is an AuthContext, right?	23:55
jamielennox	this AuthContext is then shuffled around to all services to represent the current operation, who's performing it and the object it's on	23:56
ayoung	How about AuthzCOntext to be explicit that this is for authorization?	23:56
*** lucas____ has quit IRC		23:56
ayoung	I almost suggested just calling it an authorizatiojn	23:57
ayoung	without the j	23:57
jamielennox	right - that's the best name i have, but it's super overloaded	23:57
ayoung	lightweight-delegations?	23:57
ayoung	ephemeral delegations?	23:57
jamielennox	so this AuthContext is for one operation, now because of the re-entrant problem we can't just trust that anyone providing an authcontext is real	23:57
jamielennox	so we're using keystone as a means of doing verification and packaging of AuthContext data	23:58
ayoung	service delegation tokens are what is passed back and forth, and they produce service delegation authz context	23:58
jamielennox	we could use PKI but that's bean a problem before	23:58
ayoung	yep	23:58
jamielennox	we could do symmetric key distribution but that would be ugly	23:58
ayoung	we'll use the Fernet format for the same reason we are using it for tokens	23:58
jamielennox	most likely,yea	23:58
ayoung	it keeps a liveness check in play	23:59
ayoung	which was the real problem with pki	23:59
jamielennox	this is actually a better case than tokens for PKI, but i still don't think people would be ok with us redoing that	23:59
jamielennox	so i still plan on like a 15 minutes expiration on this AuthContext	23:59
ayoung	nah, we still want Keystone to say "yes, that is still legal"	23:59
ayoung	I think that will prove to be too short	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!