Thursday, 2016-06-23

<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements https://review.openstack.org/328447 [00:08]
<openstackgerrit> Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users https://review.openstack.org/284943 [00:57]
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements https://review.openstack.org/328447 [01:48]
<daminate> looking into possibility to leverage keystone outside of openstack for auth/rbac for set of custom apps/services. does this seem feasible? [01:51]
<stevemar> daminate: it's probably feasible but there are probably better solutions out there [01:55]
<stevemar> keystone is pretty openstack-y [01:55]
<openstackgerrit> Merged openstack/keystonemiddleware: Config: no need to set default=None https://review.openstack.org/333068 [01:56]
<daminate> one thinking was that if services were bundled to be deployed on openstack environments for premise solution, could just extend the keystone deployment and give end users single rbac system [02:23]
<daminate> will do bit more reading and look at some alternatives [02:23]
<stevemar> yiiiiiis my VM is back online! [03:37]
<openstackgerrit> Dolph Mathews proposed openstack/keystone: Replace keystone.common.config with keystone.conf package https://review.openstack.org/325604 [04:40]
<stevemar> dolphm: what record are you going for? [04:57]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Add create_plugin to loader https://review.openstack.org/333119 [06:07]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Allow registering additional plugin loaders https://review.openstack.org/333126 [06:28]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Allow registering additional plugin loaders https://review.openstack.org/333126 [06:34]
<jamielennox> bknudson_: guess that answers that: https://github.com/kennethreitz/requests/issues/3360 [06:36]
<openstackgerrit> Bhagyashri Shewale proposed openstack/keystonemiddleware: Fix typo 'olso' to 'oslo' https://review.openstack.org/333148 [07:24]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006 [07:46]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move scope into _OidcBase https://review.openstack.org/330463 [07:46]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: refactor unit tests https://review.openstack.org/330966 [07:46]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support https://review.openstack.org/330464 [07:46]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument https://review.openstack.org/330465 [07:46]
<openstackgerrit> Martin Schuppert proposed openstack/keystone: Verify domain_id when create_user is being called https://review.openstack.org/331567 [08:28]
<samueldmq> morning keystone [10:00]
<nisha_> samueldmq, morning [10:06]
<samueldmq> nisha_: hi, morning [10:07]
<samueldmq> jamielennox: hi, you around ? [10:08]
<samueldmq> jamielennox: in keystonemiddleware, keystoneauth1.identity.v3.oidc.OidcPassword is a public symbol [10:09]
<samueldmq> jamielennox: do we need to be concerned about others using it ? (it's being proposed to rename a __init__ argument) [10:10]
<samueldmq> jamielennox: https://review.openstack.org/#/c/330463/4/keystoneauth1/identity/v3/oidc.py [10:10]
<patchbot> samueldmq: patch 330463 - keystoneauth - oidc: move scope into _OidcBase [10:10]
<samueldmq> jamielennox: I've added you as a reviewer there [10:10]
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Add project functional tests https://review.openstack.org/332871 [10:36]
<nisha_> samueldmq, please have a look ^ [10:38]
<aloga> samueldmq: regarding https://review.openstack.org/#/c/330463/4/keystoneauth1/identity/v3/oidc.py [10:47]
<patchbot> aloga: patch 330463 - keystoneauth - oidc: move scope into _OidcBase [10:47]
<aloga> samueldmq: the patches was rebased as I rebased the parent commit [10:48]
<aloga> s/patches/patchset/ [10:48]
<aloga> samueldmq: but I share your concerns regarding the argument renaming [10:49]
<aloga> samueldmq: but I am more concerned about the option renaming that already happened with the switch from keystoneclient ("--scope") and keystoneauth1 ("--openid-scope") [10:50]
<aloga> samueldmq: so to be honest I do not know what is the best option, I am happy to implement whatever it is [10:51]
<jamielennox> samueldmq: @positional() saves you there [10:51]
<jamielennox> samueldmq: i'm more concerned about renaming scope -> openid_scope [10:52]
<aloga> jamielennox: that was my concern as well [10:53]
<aloga> jamielennox: on the one hand "scope" is a terrible name IMO [10:53]
<samueldmq> nisha__: reviewed, see comments [10:54]
<aloga> jamielennox: as I think this causes confusion (i.e. Keystone scope VS OpenID scope) [10:54]
<aloga> jamielennox: on the other hand, previous keystoneclient plugin used "scope" as its option [10:54]
<aloga> jamielennox: causing users headaches when the switch to keystoneauth1 was done (see https://bugs.launchpad.net/keystoneauth/+bug/1582774/comments/19 and https://bugs.launchpad.net/keystoneauth/+bug/1582774/comments/20 ) [10:55]
<openstack> Launchpad bug 1582774 in python-openstackclient "OidcPassword auth plugin should accept Keystone scope parameters" [Undecided,Fix released] - Assigned to Alvaro Lopez (aloga) [10:55]
<samueldmq> aloga: jamielennox: yes I am concerned about the rename as well [10:55]
<aloga> so, :-? [10:56]
<nisha__> samueldmq, thanks [10:56]
<aloga> both options are bad \o/ [10:56]
<samueldmq> jamielennox: if someone else is calling the __init__ with scope='somethin', that's just going to be ignored with the patch [10:56]
<samueldmq> because it renames scope to something else [10:56]
<jamielennox> samueldmq: yep, i think i misread first time, you need to keep the scope name, but you can move it to the upper class and rely on **kwargs because of positional [11:00]
<samueldmq> jamielennox: ++, but that doesn't fix the bug :( [11:02]
<jamielennox> samueldmq: oh, i haven't read or looked at the bug or even the rest of the review yet [11:02]
<samueldmq> jamielennox: sure, take your time, I added you as a reviewer because I know you'll have a good suggestion on how to proceed in that case [11:03]
<jamielennox> samueldmq: so based on quickly reading the bug, you need to have the option in the loader.get_options() have Opt('openid-scope', dest='scope') [11:04]
<samueldmq> jamielennox: that's what I was thinking about and suggesting [11:04]
<samueldmq> jamielennox: to map it somehow [11:04]
<samueldmq> aloga: ^ [11:04]
<jamielennox> that will maintain the --os-openid-scope parameter and set the right value in **kwargs [11:04]
<samueldmq> exactly [11:05]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Allow registering additional plugin loaders https://review.openstack.org/333126 [11:09]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006 [11:15]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move scope into _OidcBase https://review.openstack.org/330463 [11:15]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support https://review.openstack.org/330464 [11:15]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument https://review.openstack.org/330465 [11:15]
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect scope option https://review.openstack.org/333261 [11:15]
<aloga> there it goes [11:16]
<aloga> samueldmq, jamielennox thanks for the input [11:18]
<samueldmq> aloga: sure, yw [11:23]
<amakarov> samueldmq, hi! Can you please suggest, how problem description should look like? :) I've written what I consider a problem in the spec [12:51]
<samueldmq> amakarov: hi [13:06]
<samueldmq> amakarov: in the problem description I expect to see what's the issue with the current code [13:07]
<samueldmq> amakarov: and why it's an issue [13:07]
<amakarov> samueldmq, this is a spec - not a bug [13:07]
<samueldmq> amakarov: then in the proposed change you'll propose how to fix that [13:07]
<samueldmq> amakarov: it depends [13:08]
<samueldmq> amakarov: specs are also for big refactoring and API changes [13:08]
<amakarov> samueldmq, I'm proposing a workflow that will allow to implement RBAC3 [13:08]
<samueldmq> amakarov: are you introducing something completely new ? [13:08]
<amakarov> samueldmq, and remove bearer tokens [13:08]
<samueldmq> amakarov: why we need to remove bearer tokens ? [13:09]
<samueldmq> amakarov: what's wrong with it ? [13:09]
<samueldmq> amakarov: I understand what you're willing to do, I just don't get a why [13:09]
<amakarov> samueldmq, it generates load by issue/validation [13:09]
<samueldmq> amakarov: and you consider this an issue, this is why you want the new proposal [13:10]
<samueldmq> amakarov: so put that in the problem description, it's your motivation to implement a new approach [13:10]
<amakarov> samueldmq, partially [13:10]
<samueldmq> amakarov: add other things too [13:10]
<amakarov> and I've described it [13:10]
<samueldmq> amakarov: see my comments [13:13]
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Complete RBAC in keystone https://review.openstack.org/325326 [13:16]
<amakarov> samueldmq, ^^ [13:16]
<samueldmq> amakarov: it might be interesting to take a look at Jamie's spec for reservations https://review.openstack.org/#/c/330329/ [13:18]
<patchbot> samueldmq: patch 330329 - keystone-specs - Reservations (a working title) [13:18]
<samueldmq> amakarov: he mentions keystone having the option to validate that a user can perform an operation in the deployment (i.e rbac centralized in keystone) [13:19]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Support nested domains to provide additional project namespaces https://review.openstack.org/332940 [13:20]
<amakarov> samueldmq, this looks an ad-hoc solution to me. My propose is a conceptual change [13:23]
<amakarov> proposal [13:23]
<samueldmq> amakarov: it changes a lot of how openstack does today for issuance/validation of tokens, I think it deserves a topic meeting so we get more attention to it [13:26]
<amakarov> samueldmq, I believe it does, and I also believe we should at least give it a try, otherwise we'll end up using stale model drowning in patches [13:27]
<samueldmq> amakarov: and IMO it isn't worth it when we compare the benefits VS the complexity of the change [13:27]
<samueldmq> amakarov: but I really want to see other's input on it [13:27]
<amakarov> samueldmq, ok [13:27]
<amakarov> unfortunately, I'll not be on mid-cycle in person [13:28]
<samueldmq> :( [13:28]
<amakarov> so I think it may be a meeting [13:28]
<amakarov> samueldmq, is the spec clear now? I mean about problem description and what I'm proposing? [13:30]
<samueldmq> amakarov: I think it's better [13:32]
<amakarov> samueldmq, thank you. I definitely have to detail use cases, but I want to validate the idea first. [13:33]
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Change password requirements https://review.openstack.org/333360 [13:58]
<amakarov> ayoung, g'day! [14:37]
<amakarov> samueldmq, can you please review this chain? https://review.openstack.org/#/c/291318/ [14:38]
<patchbot> amakarov: patch 291318 - keystone - Unified delegation assignment driver [14:38]
<amakarov> it's about unified delegations [14:39]
<samueldmq> amakarov: yes I will review it later [15:13]
<openstackgerrit> Merged openstack/keystonemiddleware: Fix typo 'olso' to 'oslo' https://review.openstack.org/333148 [15:14]
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284 [15:22]
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284 [15:22]
<mwheckmann> Can someone tell me to what extent Mitaka Horizon is identity v3 Domain aware? [15:26]
<mwheckmann> When I'm logged in as a user with domain admin creds (role=admin) + using sample v3 Keystone policy.json, I can't list projects within domain. It seems that Horizon is trying to list all projects in the whole cloud and not just the domain [15:27]
<ayoung> henrynash_, notmorgan I wonder if we could somehow optimize the LDAP code path for a token, by linking the bind and query for a user into a single lookup. I know that groups might be a problem, as that is currently coded as a separate lookup, but that actually is not the norm. Usually, groups are available as a field inside the user object [15:42]
<amakarov> ayoung, g'day! can you please review this chain? https://review.openstack.org/#/c/291318/ [15:43]
<patchbot> amakarov: patch 291318 - keystone - Unified delegation assignment driver [15:43]
<david-lyle> mwheckmann, which domain are you admin on? if the default domain, then yes, you are cloud admin not domain admin [15:43]
<ayoung> amakarov, will do [15:43]
<david-lyle> mwheckmann, so the project list would be all rather than just the one domain [15:43]
<david-lyle> mwheckmann, if you want to list the projects for a single domain as cloud admin, just set the domain context on the domains panel and then visit the projects panel [15:44]
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284 [15:48]
<mwheckmann> david-lyle: problem is that the user is not Cloud-admin. I'm testing a user that is admin of a single domain (let's ignore the fact that other projects like Nova are not aware of the Cloud admin concept yet) [15:50]
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284 [15:50]
<mwheckmann> david-lyle: my domain context is set correctly. But if I check my Keystone logs, it's still trying to list projects for all domains [15:51]
<ayoung> amakarov, reviewed the first few in the chain. First one ready to go. Second and third should probably be merged [16:00]
<amakarov> ayoung, thank you, will fix [16:01]
<ayoung> amakarov, last one still needs the fix I suggested, but good progress [16:01]
<nisha__> Can anyone please help me out please? [16:02]
<nisha__> I am writing functional test for projects [16:02]
<nisha__> getting an error [16:02]
<nisha__> here's the test and error, http://paste.openstack.org/show/521677/ [16:02]
<amakarov> ayoung, please suggest me what test cases are needed for assignment driver. I'm just applying existing assignment to be sure that the thing works as the original. [16:03]
amakarovayoung, and one more thing. I wonder if this can remove bearer tokens: https://review.openstack.org/#/c/325326/16:05
patchbotamakarov: patch 325326 - keystone-specs - Complete RBAC in keystone16:05
ayoungamakarov, the function you pulled out does not have a cller in the patch:16:05
ayoungamakarov, gah16:06
amakarovayoung, which one?16:06
ayoungdon't tease me...16:06
ayoungamakarov, ok so16:06
ayounghttps://review.openstack.org/#/c/291318/ is good to go16:06
patchbotayoung: patch 291318 - keystone - Unified delegation assignment driver16:06
ayoungnext up was16:06
ayounghttps://review.openstack.org/#/c/330573/6  which needs to be merged into the patch after it, or have tests or something16:07
patchbotayoung: patch 330573 - keystone - Delegation parent discovery function16:07
ayoung https://review.openstack.org/#/c/291318/21  is ok-ish16:07
patchbotayoung: patch 291318 - keystone - Unified delegation assignment driver16:07
ayoungBut I want to see how you rework things with 330573 before reviewing16:08
ayoungexisting tests should be sufficient16:08
raildonisha__: this test are creating the project with parent_id=default, I'm not sure it'll be the same if that parent_project16:09
ayoungamakarov, let's get through those 3, and then rebase the rest of the chain.  Make sense?16:09
amakarovayoung, yes. do you want me to squash assignment driver and discovery function?16:10
nisha__raildo, hi16:10
ayoungamakarov, I think so. probably the easiest way to handle those16:10
ayoungnisha__, looking16:10
nisha__raildo, but I modified the client_fixture.py to take an optional argument 'parent'16:10
amakarovayoung, I've pulled it out because it's quite complicated and the driver is big already16:10
nisha__ayoung, thanks16:10
ayoungnisha__, so tests are "expected" "actual"16:11
ayoungand in your expected you have one project come back, but the actual has none...do I read that right?16:11
raildoayoung: it's right, my guess it is that the project_red.parents was not created properly16:12
ayoungnisha__, it is hard to tell from your paste:  which check is failing?16:12
nisha__ayoung, self.assertItemsEqual([parent_project.entity], project_ret.parents)16:13
nisha__        self.assertItemsEqual([child_project.entity], project_ret.subtree)16:13
ayoungso no hierarchy.16:13
ayoungnisha__, run it with a breakpoint, prior to the check, but after the fetch16:13
ayoungthen, take a look in the database using SQL and see if the data is as you expect16:14
ayoungnisha__, use this http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/16:14
amakarovyes16:14
ayoungalways a good idea to step through your code16:14
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver  https://review.openstack.org/29131816:14
nisha__ayoung, looking thanks16:14
raildoayoung: ++16:14
ayoungamakarov, this is good stuff .  You are on track.  Ask sam to look at that first patch (the one I +2ed) and we can start making progress up the chain16:15
amakarovayoung, ^^16:15
amakarovayoung, ack, will ask him once he is online16:15
*** tesseract- has quit IRC16:17
nisha__ayoung, raildo thanks a lot for help :)16:18
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844716:18
raildonisha__: good luck :)16:18
*** sdake_ is now known as sdake16:21
*** sheel has joined #openstack-keystone16:22
*** nisha__ has quit IRC16:22
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844716:23
*** nisha__ has joined #openstack-keystone16:24
*** nisha__ has quit IRC16:27
*** josecastroleon has quit IRC16:31
*** roxanaghe has joined #openstack-keystone16:32
*** josecastroleon has joined #openstack-keystone16:36
*** jistr|mtg is now known as jistr16:42
*** ddieterly is now known as ddieterly[away]16:44
*** lucas____ has joined #openstack-keystone16:44
*** luca_____ has joined #openstack-keystone16:46
*** ddieterly[away] is now known as ddieterly16:48
*** lucas____ has quit IRC16:48
*** luca_____ has quit IRC16:51
*** topol_ has quit IRC16:52
*** lucas____ has joined #openstack-keystone16:54
*** lucas____ has quit IRC16:55
*** luca_____ has joined #openstack-keystone16:55
*** browne has joined #openstack-keystone16:56
openstackgerritRudolf Vriend proposed openstack/keystone: Do not spam the log with uncritical stacktraces  https://review.openstack.org/33349016:57
*** luca_____ has quit IRC16:59
*** real56 has quit IRC17:00
*** M00nr41n has joined #openstack-keystone17:02
*** josecastroleon has quit IRC17:05
*** daemontool_ has quit IRC17:06
*** lucas___ has joined #openstack-keystone17:07
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844717:08
*** M00nr41n has quit IRC17:09
*** tqtran has joined #openstack-keystone17:13
*** ddieterly is now known as ddieterly[away]17:20
*** pushkaru has joined #openstack-keystone17:21
*** M00nr41n has joined #openstack-keystone17:22
*** raildo is now known as raildo-afk17:22
*** mlbiam has joined #openstack-keystone17:22
*** sdake has quit IRC17:22
*** GB21 has joined #openstack-keystone17:26
*** ayoung has quit IRC17:28
*** josecastroleon has joined #openstack-keystone17:28
*** anush__ has joined #openstack-keystone17:33
*** timcline has quit IRC17:35
*** timcline has joined #openstack-keystone17:36
*** gabriel-bezerra has quit IRC17:37
*** rcernin has quit IRC17:38
*** gabriel-bezerra has joined #openstack-keystone17:39
*** timcline has quit IRC17:40
*** anush__ has quit IRC17:44
*** pushkaru has quit IRC17:46
mwheckmanndavid-lyle: according to Horizon Mitaka release notes, it's supposed to support the concept of Domain admin vs. Cloud admin, but I can't get that to work. Neither with Federated nor non-federated users with admin role on domain. Do I have to update a keystone_policy.json or something?17:46
*** anush__ has joined #openstack-keystone17:46
mwheckmanndavid-lyle: I'm already using the policy.v3cloudsample.json in Keystone, but maybe Horizon needs a copy of that as well.... will try17:49
*** mwheckmann_ has joined #openstack-keystone17:50
openstackgerritMatthew Edmonds proposed openstack/keystone: Allow user to get themself and their domain  https://review.openstack.org/33351617:50
*** mwheckmann has quit IRC17:51
*** mwheckmann_ is now known as mwheckmann17:51
*** anush__ has quit IRC17:51
*** mwheckmann_ has joined #openstack-keystone17:54
*** mwheckmann has quit IRC17:54
*** mwheckmann_ is now known as mwheckmann17:54
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058617:55
*** shaleh has joined #openstack-keystone17:55
shalehre: newton midcycle. There is a restaurant near Cisco called "Darda" that is worth a stop. It is a Muslim Chinese place. Really good. Decent prices. It has been a South Bay standard for the 15+ years I have been here.17:57
shalehhomemade noodles with lamb17:57
shalehmakes me hungry thinking about them17:57
*** josecastroleon has quit IRC17:58
*** dave-mccowan has quit IRC17:58
*** mwheckmann has quit IRC17:59
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058618:00
*** spandhe has joined #openstack-keystone18:01
*** GB21 has quit IRC18:04
*** BjoernT is now known as Bjoern_zZzZzZzZ18:04
*** mwheckmann has joined #openstack-keystone18:07
*** mwheckmann has quit IRC18:10
*** pauloewerton has quit IRC18:11
*** sdake has joined #openstack-keystone18:11
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833918:15
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058618:15
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833918:15
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844718:16
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/33336018:16
*** timcline has joined #openstack-keystone18:16
mlbiamis there a way to determine what groups a user is a member of other than iterating through all the groups and seeing if the user is a member?18:18
*** dave-mccowan has joined #openstack-keystone18:19
*** ddieterly[away] has quit IRC18:21
*** amoralej is now known as amoralej|lunch18:21
*** amoralej|lunch is now known as amoralej|off18:21
shalehmlbiam: inside Keystone or via the REST API?18:22
*** ddieterly has joined #openstack-keystone18:24
mlbiamshaleh: in the REST api18:24
shalehmlbiam: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#list-groups-of-which-a-user-is-a-member18:24
shalehmlbiam: when in doubt, read the specs :-)18:25
mlbiamshaleh: perfect!  I didn't see this on the keystone website18:26
shalehmlbiam: which website?18:28
*** M00nr41n has quit IRC18:29
mlbiamshaleh: http://docs.openstack.org/developer/keystone/ i think that was the first thing that came up when I googled OpenStack Keystone18:30
dstanekmlbiam: google for 'openstack identity api'18:30
shalehmlbiam: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#list-groups-of-which-a-user-is-a-member18:31
shalehmlbiam: I just followed the links and leads right there18:31
mlbiamshaleh: perfect, thanks!18:32
shalehdstanek: I have 2 interns here at the moment. They seem incapable of deep reading. Google search -> (usually) Stack Overflow -> hmm, is that it? -> lost.18:33
dstanekshaleh: sounds like fun :-)18:33
shalehdstanek: I (re)introduced them to dir() and cli hacking with help() Tuesday18:33
dstaneki need an intern. that way i don't need to get up to get coffee18:34
shalehdstanek: caffeine drone?18:34
shalehmagnetic topped carafe18:34
shalehdstanek: you know the mantra, when in doubt use more arduinos. When that is not enough use more RPis.18:35
shalehI do have a Keystone hacking question/issue though18:35
stevemarshaleh: ?18:35
shalehwe are getting reports of hitting deadlocks on token revoke18:35
shalehI found that Nova is using oslo.db to perform db retries18:36
shalehis there a reason we are not?18:36
shalehbefore i submitted a patch I wanted to ask about history18:36
stevemarshaleh: not to my knowledge18:36
dstanekhow would a retry fix a deadlock?18:36
dstanekno reason i can think of to not do that18:36
shalehdstanek: they are momentary right? Once the db finishes the work18:37
dstanekso not really a deadlock, just a glitch somehow?18:37
shalehdstanek: https://bugs.launchpad.net/nova/+bug/1439067 that is the nova issue18:37
openstackLaunchpad bug 1439067 in OpenStack Compute (nova) "use db retry decorator from oslo.db" [Low,Fix released] - Assigned to Eugene Nikanorov (enikanorov)18:37
dstanekshaleh: did you create a bug yet?18:38
shalehdstanek: it is a MySQL deadlock not a traditional locking style deadlock18:38
dstanekshaleh: do you know what is happening?18:38
*** Bjoern_zZzZzZzZ is now known as BjoernT18:39
shalehdstanek: the usual. Too many revokes in the table and a simultaneous update occurs18:39
shalehdstanek: as usual for these issues it is not easy to reproduce18:39
dstanekshaleh: what is the update doing?18:40
shalehI see mentions of it from people online18:40
shalehdstanek: I do not have enough insight into what else was happening. Bad logs provided )-:18:40
dstanekto me a retry is a bandaid. i'd rather fix the issue if there is one18:40
*** rodrigods has quit IRC18:40
*** rodrigods has joined #openstack-keystone18:40
shalehThe user was attempting a glance operation which did a token validation which triggered a revocation clearing which deadlocked18:40
*** anush__ has joined #openstack-keystone18:41
shalehdstanek: strong possibility this was after a tempest test which artificially filled the revocation table18:41
*** Ephur has joined #openstack-keystone18:41
shalehKeystone has zero handling for this and just emits a server 50018:42
dstanekshaleh: that's why i want to figure out why it locks :-)18:42
shalehdstanek: understood18:42
dstanekmultiple things accessing the same table record?18:42
shalehdstanek: concurrent token validation attempts perhaps?18:43
bknudson_mysqld has deadlock detection?18:43
shaleh24390 (keystone.common.wsgi): 2016-05-13 14:43:01,804 ERROR wsgi __call__ (_mysql_exceptions.OperationalError) (1213, 'Deadlock found when trying to get lock; try restarting transaction') [SQL: u'DELETE FROM revocation_event WHERE revocation_event.revoked_at < %s'] [parameters: (datetime.datetime(2016, 5, 13, 10, 13, 1, 772294),)]18:44
shalehdstanek: in typical user fashion that is ALL I was given18:45
bknudson_for uuid tokens we required an external cleanup job... I think for revocation events we made it part of the request handling.18:46
shalehso like I said, before I submit a patch with oslo.db retry decorator I wanted to ask here18:46
shalehbknudson_: there is a cron job on the system to keep the table in check. However, tempest can flood the table and it will not drain fast enough.18:47
bknudson_tempest should reuse tokens.18:47
*** anush__ has quit IRC18:48
dstanekshaleh: i wonder if ordering that delete would help http://stackoverflow.com/questions/2332768/how-to-avoid-mysql-deadlock-found-when-trying-to-get-lock-try-restarting-trans18:49
shalehdstanek: yeah, we talked about that yesterday internally.18:49
*** tonytan4ever has joined #openstack-keystone18:49
shalehdstanek: seems like a good idea anyways18:49
shalehdstanek: I was planning on applying that fix too. Double bandaid :-)18:50
*** Raildo has joined #openstack-keystone18:50
dstanekshaleh: i'd try that first and see if it stops your issue18:51
dstanekshaleh: what environment were you getting that on?18:51
shalehdstanek: notice the comment about retrying in there pulled from the mysql docs18:51
bknudson_bandaids18:51
dstanekshaleh: on a really busy server i would expect retries to also fail18:52
shalehdstanek: it was a test environment. They had done some experiments then tried to run another set of playbooks and the error occurred. Like I said, I was not provided a ton of detail.18:52
shalehdstanek: yeah, me too. Which is why mysql recommends 3+ of them :-)18:52
dstanekerr...and make the problem worse18:52
bknudson_the only way that this should happen is if you have 2 connections holding transactions over 2 tables, where one of them is the revocation event table18:53
shalehI will start with the smarter delete query18:53
bknudson_the revocation events should be cleaned up in their own transaction18:53
dstanekbknudson_: according to that post it could happen on a single table18:53
shalehbknudson_: doesn't token validation satisfy your requirement?18:54
dstanekbased on the sort order of the dataset18:54
bknudson_that is nuts.18:54
dstanekso is mysql :-(18:54
shalehdstanek: ++18:54
shalehI lost the postgres v. mysql argument years ago. Marketing at OReilly won that.18:54
*** dan_nguyen has quit IRC18:55
bknudson_in our case we could just ignore a deadlock there since the next op will "retry" it.18:55
dstanekbknudson_: that's actually a really good point18:56
shalehwe do ignore it. Which triggers the server 500.......18:56
bknudson_I mean discard the exception and continue the operation18:56
*** gordc has quit IRC18:57
shalehbknudson_: ah.19:00
shalehbknudson_: I could add that logic in as well. Do the sort to try and avoid it and drop it anyways assuming the next go round will handle it.19:01
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058619:01
bknudson_sure. sorting can be expensive, but this table shouldn't be too big.19:01
shalehdefine "too big"19:02
bknudson_the time to sort will depend on your deployment.19:04
*** sheel has quit IRC19:05
*** josecastroleon has joined #openstack-keystone19:10
jdennisin Gerrit how do you dismiss a comment box in a patch review diff? It's obscuring the lines of code I want to look at but I can't make it go away19:10
*** lucas___ has quit IRC19:14
*** lucas___ has joined #openstack-keystone19:15
*** timcline has quit IRC19:16
*** timcline has joined #openstack-keystone19:16
openstackgerritMerged openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428419:17
*** roxanaghe has quit IRC19:17
*** shaleh is now known as shaleh|away19:18
*** lucas___ has quit IRC19:20
*** ddieterly is now known as ddieterly[away]19:20
stevemarjdennis: esc?19:20
stevemaroh wait19:20
stevemari didn't understand the question, don't think you can19:20
*** timcline has quit IRC19:21
*** htruta is now known as henrique19:22
*** lucas___ has joined #openstack-keystone19:23
*** henrique is now known as Guest7841919:23
*** Guest78419 is now known as htruta19:23
openstackgerritAlexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/30914619:25
jdennisstevemar: https://jdennis.fedorapeople.org/images/Screenshot%20from%202016-06-23%2015-21-40.png19:26
jdennisstevemar: the comment from Lance is obscuring the code, I want to hide it, make sense?19:27
*** lucas___ has quit IRC19:27
*** henrynash has joined #openstack-keystone19:27
*** ChanServ sets mode: +v henrynash19:27
dstanekjdennis: i don't think you can. or at least i've never been able to figure it out. in the past i've used the developer tools to make it go away19:27
dstanekbut i don't do that much19:27
dstanekjdennis: if you find a real way to do it pls post it here :-)19:28
jdennisok, that stinks, oh well19:28
*** lucas___ has joined #openstack-keystone19:28
*** ayoung has joined #openstack-keystone19:31
*** ChanServ sets mode: +v ayoung19:31
*** lucas___ has quit IRC19:33
bknudson_if "domain" goes away in favor of projects, do we change user/project domain_id attribute to project_id ?19:34
*** lucas___ has joined #openstack-keystone19:35
*** lucas___ has quit IRC19:36
*** lucas___ has joined #openstack-keystone19:36
*** josecastroleon has quit IRC19:40
*** dan_nguyen has joined #openstack-keystone19:42
*** ddieterly[away] is now known as ddieterly19:44
*** mwheckmann has joined #openstack-keystone19:44
stevemarjdennis: yep, don't think you can :(19:46
stevemarbknudson_: that'll be awful confusing...19:46
stevemarproject: { id: x, project_id: y}19:46
bknudson_project has parent_project_id so that was a bad example19:48
*** mwheckmann has quit IRC19:48
dstanekbknudson_: any reason the term domain would need to go away?19:49
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058620:00
*** rderose has joined #openstack-keystone20:03
*** timcline has joined #openstack-keystone20:03
*** ayoung has quit IRC20:04
*** rderose_ has quit IRC20:05
openstackgerritDolph Mathews proposed openstack/keystone: Replace keystone.common.config with keystone.conf package  https://review.openstack.org/32560420:06
*** timcline has quit IRC20:07
*** timcline has joined #openstack-keystone20:09
*** rderose has quit IRC20:11
*** gyee has joined #openstack-keystone20:16
*** ChanServ sets mode: +v gyee20:16
*** lucas___ has quit IRC20:16
*** rderose has joined #openstack-keystone20:17
*** ayoung has joined #openstack-keystone20:18
*** ChanServ sets mode: +v ayoung20:18
*** rderose_ has joined #openstack-keystone20:20
*** gordc has joined #openstack-keystone20:20
*** phalmos has quit IRC20:21
*** rderose has quit IRC20:22
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844720:25
openstackgerritMatthew Edmonds proposed openstack/keystone: Allow user to get themself and their domain  https://review.openstack.org/33351620:26
*** tonytan4ever has quit IRC20:27
*** itisha has quit IRC20:27
*** jdennis has quit IRC20:27
*** mkoderer__ has quit IRC20:27
*** hugokuo has quit IRC20:27
*** notmorgan has quit IRC20:27
*** chris_hultin has quit IRC20:27
*** ctracey has quit IRC20:27
*** Daviey has quit IRC20:27
*** freerunner has quit IRC20:27
*** Anticimex has quit IRC20:27
*** ericksonsantos has quit IRC20:27
*** dobson has quit IRC20:27
*** zigo has quit IRC20:27
*** DuncanT has quit IRC20:27
*** mgagne has quit IRC20:27
*** cburgess has quit IRC20:27
*** _fortis has quit IRC20:27
*** dutsmoc has quit IRC20:27
*** odyssey4me has quit IRC20:27
*** lbragstad has quit IRC20:27
*** jamielennox has quit IRC20:27
*** evrardjp has quit IRC20:27
*** lbragstad_ has joined #openstack-keystone20:27
*** evrardjp has joined #openstack-keystone20:27
*** Anticimex has joined #openstack-keystone20:27
*** hugokuo has joined #openstack-keystone20:27
*** notmorgan has joined #openstack-keystone20:27
*** notmorgan has joined #openstack-keystone20:27
*** cburgess has joined #openstack-keystone20:27
*** ericksonsantos has joined #openstack-keystone20:27
*** chris_hultin has joined #openstack-keystone20:28
*** jdennis has joined #openstack-keystone20:28
*** tonytan4ever has joined #openstack-keystone20:28
*** freerunner has joined #openstack-keystone20:28
*** mkoderer__ has joined #openstack-keystone20:28
*** odyssey4me has joined #openstack-keystone20:28
*** dobson has joined #openstack-keystone20:28
*** zigo has joined #openstack-keystone20:29
*** ctracey has joined #openstack-keystone20:29
*** woodster_ has quit IRC20:29
*** mgagne has joined #openstack-keystone20:30
*** mgagne is now known as Guest2045420:30
*** tonytan4ever has quit IRC20:30
*** DuncanT has joined #openstack-keystone20:31
*** itisha has joined #openstack-keystone20:31
*** comstud has joined #openstack-keystone20:32
*** jefrite has quit IRC20:32
*** Daviey has joined #openstack-keystone20:34
*** lbragstad_ is now known as lbragstad20:35
*** tonytan4ever has joined #openstack-keystone20:36
*** isd has joined #openstack-keystone20:37
*** jamielennox has joined #openstack-keystone20:38
*** ChanServ sets mode: +v jamielennox20:38
*** jefrite has joined #openstack-keystone20:45
*** mwheckmann has joined #openstack-keystone20:48
*** adu has joined #openstack-keystone20:50
*** ayoung has quit IRC20:51
*** mwheckmann has quit IRC20:51
*** browne has quit IRC20:57
*** woodster_ has joined #openstack-keystone21:01
*** mvk_ has joined #openstack-keystone21:02
*** ozialien10 has quit IRC21:08
edmondswstevemar or jamielennox... don't most clients retry automatically, so we don't have to do things like https://review.openstack.org/#/c/332485/ ?21:13
patchbotedmondsw: patch 332485 - nova-powervm - Some VM deploys fail from expired keystone token21:13
edmondswwondering if the better fix there is to address the issue in swiftclient rather than in the nova-powervm driver21:14
edmondswdo we have a preferred way of doing this that could be copied?21:14
jamielennoxedmondsw: it depends on the error type21:16
jamielennoxoh - swift - yea swift does things completely differently21:16
edmondswjamielennox, I think it was just token expired21:16
jamielennoxedmondsw: so swift kinda uses ksa to do auth, but it doesn't use the session directly so it won't benefit from anything like that21:17
edmondswideally the client would realize the token is about to expire and get a new one before it does, but even just retrying would be an improvement21:17
edmondswjamielennox, I think you're telling me I'm right, but that it would be a lot of work to fix up swiftclient?21:18
jamielennoxanything uses ksa session does that to an extent. i think it will only use tokens with at least 30 sec of expiration21:18
jamielennoxedmondsw: yep - for anything other than swift you're right and it happens now, swift only just started accepting a session at all and doesn't use it the way everyone else does21:20
*** catintheroof has quit IRC21:21
*** lmtaylor1 has joined #openstack-keystone21:22
*** lmtaylor1 has left #openstack-keystone21:22
*** AndyWojo has joined #openstack-keystone21:23
timburkejamielennox: sadly patch 298968 still hasn't landed yet, so it *still* doesn't accept sessions21:24
patchbottimburke: https://review.openstack.org/#/c/298968/ - python-swiftclient - Adding keystoneauth sessions support21:24
openstackgerritDolph Mathews proposed openstack/keystone: Replace keystone.common.config with keystone.conf package  https://review.openstack.org/32560421:24
*** adu has quit IRC21:26
timburkeedmondsw: i would have expected swiftclient to have automatically re-authed, though, if the username, etc. were passed to it (which it *looks like* they are, but i'm not familiar with nova-powervm)21:26
*** ddieterly is now known as ddieterly[away]21:28
bknudson_it would be nice if clients weren't required to use keystoneauth and could instead take my own request session. maybe I don't want to do keystone auth (see the -dev mailing list about mistral not using keystone)21:28
jdennisIs there a policy on the format of value in JSON vs. config options? e.g. int, "True", "False", and are the JSON generators smart enough to realize Python booleans can be represented as integers yet are logically boolean?21:28
bknudson_if I was able to auth using standard HTTP methods like TLS client cert or normal http auth then there's no need for keystoneauth21:30
edmondswlmtaylor1, can you verify what timburke thought he saw?21:30
*** henrynash has quit IRC21:31
*** sdake has quit IRC21:38
*** darosale has quit IRC21:39
*** sdake has joined #openstack-keystone21:42
jamielennoxbknudson_: so keystoneauth handles the service catalog and token refresh with tokens, i don't know any way we could generalize that21:52
jamielennoxbknudson_: also there is no reason the plugins have to actually talk to keystone, the token_endpoint plugin is really simple and uses pre-existing things21:52
jamielennoxso you can use keystoneauth without keystone there21:52
*** pnavarro has joined #openstack-keystone21:53
jamielennoxjdennis: i'm not entirely sure what you're asking but the json will be converted back into the python equivalent and the logical boolean happen in python21:53
*** tonytan4ever has quit IRC21:54
*** roxanaghe has joined #openstack-keystone21:58
jdennisjamielennox: so if an attribute in a JSON struct has a zero value how does that become a Python False value, equivalently in Python code are we rigorous to always use Python booleans (such that json converts it to true or false) because otherwise storing 0 or 1 in a Python value has the same truth semantics and worse I believe isinstance(x, int) and isinstance(x, boolean) both return true21:59
jdennismake more sense?21:59
*** edtubill has quit IRC22:00
*** ddieterly[away] is now known as ddieterly22:00
jamielennoxjdennis: a 1 in json will become a 1 in python and bool(1) == True22:01
jdennisjamielennox: I'm trying to chase down a bug where logically a config value is boolean but when JSON is exchanged it's demanding an int22:01
jdennisas opposed to JSON true or false22:01
jamielennoxwhat's failing? the jsonschema?22:01
*** ametts has quit IRC22:02
*** pnavarro has quit IRC22:02
jdennisjamielennox: https://bugzilla.redhat.com/show_bug.cgi?id=134739422:02
openstackbugzilla.redhat.com bug 1347394 in openstack-keystone "keystone LDAP configuration chase_referrals is only accepted as integer when using domain_configurations_from_database" [Unspecified,New] - Assigned to jdennis22:02
jdennisjamielennox: I'm just trying to get a handle on what is permitted in JSON22:04
jamielennoxso json should be just a serialization format, it supports str, int/float, true, false and null22:04
jamielennox+ list and dicts of22:05
jdennisjamielennox: and more to the point how do we know what type a value should be, is there a schema for every piece of JSON?22:05
*** roxanaghe_ has joined #openstack-keystone22:05
jamielennoxour APIs have a jsonschema for validation, but that's all22:06
jdennisjdennis: in this particular case the question is a value an int or a boolean?22:06
jamielennoxjdennis: the serialize/deserialize should be able to easily interpret that, you should get the same in as out22:08
jamielennoxi really doubt the json serializer (assuming the standard python ones) is making a mistake on that22:08
jdennisjamielennox: there is a difference between int and boolean22:09
jamielennoxhowever - for historical quirk reasons i think22:09
jamielennoxisinstance(True, int) == True22:09
jdennisright22:09
jamielennoxTrue == 1 is True as well, which i guess follows on from the above, but i never realized22:11
dstanekthe json serializer uses 'true' for True22:11
openstackgerritMatthew Edmonds proposed openstack/keystone: Allow user to get themself and their domain  https://review.openstack.org/33351622:12
*** isd has left #openstack-keystone22:13
dstanekpython is a little strange in that bool is a subclass of int; that's why True is equal to 122:14
*** edtubill has joined #openstack-keystone22:14
*** KevinE has quit IRC22:15
*** rderose_ has quit IRC22:16
*** edmondsw has quit IRC22:16
*** ddieterly has quit IRC22:18
*** walharthi has quit IRC22:19
*** timcline has quit IRC22:19
*** roxanaghe has quit IRC22:24
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058622:25
*** roxanaghe_ has quit IRC22:29
*** slberger has left #openstack-keystone22:29
*** shaleh|away has quit IRC22:31
*** spzala has quit IRC22:33
*** spzala has joined #openstack-keystone22:33
*** roxanaghe has joined #openstack-keystone22:34
*** spzala has quit IRC22:38
*** timcline has joined #openstack-keystone22:38
jamielennoxgyee: i don't understand how you think reservations is any more cumbersome? it's completely transparent and is exactly the same number of requests22:38
*** timcline_ has joined #openstack-keystone22:39
*** Raildo has quit IRC22:42
*** timcline has quit IRC22:43
*** jbell8 has quit IRC22:43
*** roxanaghe has quit IRC22:46
*** roxanaghe has joined #openstack-keystone22:48
*** timcline_ has quit IRC22:49
*** timcline has joined #openstack-keystone22:50
*** timcline has quit IRC22:54
*** jbell8 has joined #openstack-keystone22:54
*** gordc has quit IRC22:59
*** phalmos has joined #openstack-keystone22:59
*** phalmos_ has joined #openstack-keystone23:00
*** phalmos has quit IRC23:04
*** jbell8 has quit IRC23:14
*** rcernin has joined #openstack-keystone23:16
*** zqfan has joined #openstack-keystone23:16
gyeejamielennox, cumbersome for deployers23:28
*** sheel has joined #openstack-keystone23:29
jamielennoxgyee: how so?23:30
gyee1) they can't be persisted; 2) they can't be cached; 3) require centralized policy; 4) support yet another token-ish format; 5) more effort to trace/audit the call23:31
*** phalmos_ has quit IRC23:31
gyeeif glance is using Swift backend to store the images23:31
*** sdake_ has joined #openstack-keystone23:31
gyeewe now require Keystone to know the entire chain of authorization23:31
gyeeand those configurations changes from deployer to deployer23:32
gyeehow do they setup the *right* reservation policies?23:32
jamielennox1) non-persisted is exactly the idea 2) caching does get more misses 3) not immediately, but hopefully we can figure that out 4) what do deployers care about that 5) why would that be any different?23:33
gyeeI am still having hard time understanding the details23:33
jamielennoxgyee: so there's no way we can do the policy changes immediately, but i'm definitely trying to leave that door open23:33
jamielennoxgyee: but the how of that is the same conversation we were going to have to have for any attempt at centralizing policy, for now i just want to make a mechanism that solves the expiry problem and we can extend in future23:34
gyeewe already have this thing called PKI token, where the data is signed and encrypted, and can be verified *independently*23:34
gyeewhy re-inventing the wheel?23:34
*** spzala has joined #openstack-keystone23:34
jamielennoxgyee: we deprecated PKI tokens - and for a reason23:34
gyeejamielennox, with revoke by audit_id, don't we have a mitigation in place?23:34
*** sdake has quit IRC23:35
jamielennoxwe deprecated the whole concept of PKI tokens23:35
jamielennoxvalid options today are fernet and UUID because there are some things fernet can't do yet23:35
gyeeI know that, that doesn't mean it's not useful in certain situations23:35
jamielennoxuseful deprecated features are a bad mix23:36
gyeejust forget about the name "PKI token" for a moment, and concentrate on the use case23:36
jamielennoxok23:37
gyeewe need <something> that can be trusted by all services23:37
gyeewe need <something> that can be verified independently23:37
gyeewe need <something> that need not be persisted23:37
gyeewe need <something> that can be cached23:38
gyeewe need <something> which does not require the complexity of centralized policies23:38
gyeenow what would that <something> look like? :-)23:39
jamielennoxso i think we need to figure out the complexity of centralized policy one way or another and there's been a number of attempts on that, i'm also not convinced on independent verification - just trusted verification is sufficient23:40
*** adu has joined #openstack-keystone23:40
*** spzala has quit IRC23:40
gyeeif services can't trust each other, we need something that can be trusted by both parties23:40
jamielennoxlike keystone?23:41
gyeethat's the essence of PKI23:41
gyeeto establish mutual trust23:41
gyeebesides, policy can only tell you whether you can call an API23:42
jamielennoxso signed reservations was definitely something i put into the spec, i just expected people to want to go for fernet instead23:42
gyeeit does not authorize the resource itself23:42
jamielennoxafaik keystone is the only service to put that logic into policy23:43
gyeepolicy can only tell you whether you can perform an action, it can't tell you whether you can perform an action on a given resource23:43
jamielennoxthere are probably others i just don't know them23:43
gyeewe even consider query params in the policies23:44
gyeeso it is quite complex, just to comprehend the policies23:44
gyeenow imagine admins having to design policies on reservation23:45
jamielennoxyea, i think that trend is going the other way23:45
jamielennoxnova for example is trying to pull most of that back into code23:45
gyeeright, resource authorization is in the code23:45
gyeewhich reservation would need to know in advance isn't it?23:46
gyeethat's why I would like to see what a reservation will actually look like in the spec23:46
jamielennoxi don't claim to know how the policy enforcement would work there23:46
jamielennoxcentralized policy is going to be hard23:46
jamielennoxi need to run for about an hour - sorry23:46
gyeek, let's chat more later23:47
*** agrebennikov has joined #openstack-keystone23:52
*** sdake_ has quit IRC23:53
*** daemontool has joined #openstack-keystone23:53
*** BjoernT has quit IRC23:53
*** dan_nguyen has quit IRC23:54
*** edtubill has quit IRC23:56
*** sdake has joined #openstack-keystone23:58
*** dan_nguyen has joined #openstack-keystone23:59
