Thursday, 2016-07-14

*** gyee has quit IRC		00:08
*** anteaya has quit IRC		00:10
*** thumpba has joined #openstack-keystone		00:22
*** adrian_otto has quit IRC		00:30
*** david-lyle has quit IRC		00:31
*** thumpba has quit IRC		00:33
*** david-lyle_ has quit IRC		00:36
*** david-lyle_ has joined #openstack-keystone		00:36
openstackgerrit	Merged openstack/keystone: Validate SAML keyfile & certfile options https://review.openstack.org/341525	00:44
openstackgerrit	Jamie Lennox proposed openstack/keystone: Disable warnerrors in setup.cfg temporarily https://review.openstack.org/341884	00:46
*** tonytan4ever has joined #openstack-keystone		00:54
*** edtubill has joined #openstack-keystone		00:54
*** tonytan4ever has quit IRC		00:59
*** anteaya has joined #openstack-keystone		01:02
*** spzala has joined #openstack-keystone		01:09
*** pece has quit IRC		01:09
*** lamt has quit IRC		01:11
*** thumpba has joined #openstack-keystone		01:16
*** code-R has joined #openstack-keystone		01:18
*** browne has quit IRC		01:20
*** EinstCrazy has joined #openstack-keystone		01:26
*** edtubill has quit IRC		01:38
*** ravelar159 has joined #openstack-keystone		01:40
*** wangqun has joined #openstack-keystone		01:42
*** ravelar159 has quit IRC		01:45
*** tonytan4ever has joined #openstack-keystone		02:02
*** rderose has quit IRC		02:08
*** tonytan_brb has joined #openstack-keystone		02:10
*** tonytan4ever has quit IRC		02:13
*** davechen has joined #openstack-keystone		02:14
*** EinstCrazy has quit IRC		02:15
*** EinstCrazy has joined #openstack-keystone		02:16
*** akscram has quit IRC		02:22
*** kean has quit IRC		02:23
*** kean has joined #openstack-keystone		02:24
*** akscram has joined #openstack-keystone		02:28
openstackgerrit	Dave Chen proposed openstack/python-keystoneclient: Add region functional tests https://review.openstack.org/339158	02:29
*** spzala has quit IRC		02:33
*** spzala has joined #openstack-keystone		02:33
*** ddieterly has joined #openstack-keystone		02:33
*** spzala has quit IRC		02:38
*** itisha has quit IRC		02:40
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Move OS-INHERIT api-ref from extensions to core https://review.openstack.org/341912	02:40
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Move OS-INHERIT api-ref from extensions to core https://review.openstack.org/341912	02:43
*** markvoelker has quit IRC		02:45
*** roxanaghe has quit IRC		02:46
*** roxanaghe has joined #openstack-keystone		02:46
*** adu has joined #openstack-keystone		02:48
*** akscram has quit IRC		02:48
*** woodster_ has quit IRC		02:49
*** akscram has joined #openstack-keystone		02:49
*** ddieterly has quit IRC		02:50
*** roxanaghe has quit IRC		02:51
*** akscram has quit IRC		02:53
*** akscram has joined #openstack-keystone		02:54
*** sdake has joined #openstack-keystone		02:59
*** richm has quit IRC		03:02
*** itisha has joined #openstack-keystone		03:03
*** TxGVNN has joined #openstack-keystone		03:06
*** akscram has quit IRC		03:07
*** akscram has joined #openstack-keystone		03:13
*** mordred has quit IRC		03:14
*** thumpba has quit IRC		03:25
*** akscram has quit IRC		03:31
*** akscram has joined #openstack-keystone		03:33
openstackgerrit	zheng yin proposed openstack/python-keystoneclient: Add Python 3.5 classifier and venv https://review.openstack.org/341931	03:37
*** akscram has quit IRC		03:38
*** markvoelker has joined #openstack-keystone		03:39
*** akscram has joined #openstack-keystone		03:40
*** EinstCrazy has quit IRC		03:43
*** EinstCrazy has joined #openstack-keystone		03:44
*** akscram has quit IRC		03:47
*** akscram has joined #openstack-keystone		03:54
openstackgerrit	Merged openstack/keystoneauth: Add Python 3.5 classifier and venv https://review.openstack.org/341065	03:55
*** julim has quit IRC		03:56
*** dikonoor has joined #openstack-keystone		03:56
*** akscram has quit IRC		04:01
*** spzala has joined #openstack-keystone		04:03
*** akscram has joined #openstack-keystone		04:04
*** adu has quit IRC		04:05
*** davechen has left #openstack-keystone		04:06
*** spzala has quit IRC		04:07
stevemar	jamielennox: yes	04:07
*** adrian_otto has joined #openstack-keystone		04:09
*** harlowja has quit IRC		04:13
*** akscram has quit IRC		04:13
*** roxanaghe has joined #openstack-keystone		04:15
*** eggmaster has quit IRC		04:16
*** dikonoor has quit IRC		04:16
*** akscram has joined #openstack-keystone		04:23
*** david-lyle_ has quit IRC		04:26
*** links has joined #openstack-keystone		04:27
*** akscram has quit IRC		04:28
*** akscram has joined #openstack-keystone		04:28
jamielennox	stevemar: is this something we're doing now: https://review.openstack.org/#/c/341841/1/api-ref/source/v2/samples/admin/authenticate-response.json	04:30
patchbot	jamielennox: patch 341841 - keystone - Update identity endpoint in v2 samples	04:30
*** roxanaghe has quit IRC		04:32
*** roxanaghe has joined #openstack-keystone		04:32
*** GB21 has joined #openstack-keystone		04:34
*** nisha_ has joined #openstack-keystone		04:34
*** roxanaghe has quit IRC		04:36
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add OS-KSCRUD api-ref https://review.openstack.org/341708	04:41
*** david-lyle_ has joined #openstack-keystone		04:42
*** akscram has quit IRC		04:48
*** EinstCrazy has quit IRC		04:49
*** code-R_ has joined #openstack-keystone		04:49
*** EinstCrazy has joined #openstack-keystone		04:50
jamielennox	that's a big list of merging patches	04:51
*** code-R has quit IRC		04:52
*** akscram has joined #openstack-keystone		04:59
*** eggmaster has joined #openstack-keystone		05:01
*** EinstCrazy has quit IRC		05:03
*** EinstCrazy has joined #openstack-keystone		05:04
*** adu has joined #openstack-keystone		05:08
openstackgerrit	Merged openstack/keystone: Require auth_context middleware in the pipeline https://review.openstack.org/339356	05:08
openstackgerrit	Merged openstack/keystone: Handle more auth information via context https://review.openstack.org/339390	05:10
openstackgerrit	Merged openstack/keystone: Disable warnerrors in setup.cfg temporarily https://review.openstack.org/341884	05:10
*** sdake has quit IRC		05:26
*** code-R_ has quit IRC		05:26
*** code-R has joined #openstack-keystone		05:27
*** adu has quit IRC		05:33
openstackgerrit	Merged openstack/keystone: Improve keystone.conf [saml] documentation https://review.openstack.org/340566	05:36
openstackgerrit	Merged openstack/keystone: Improve keystone.conf [security_compliance] documentation https://review.openstack.org/341797	05:36
*** nisha_ has quit IRC		05:36
*** roxanaghe has joined #openstack-keystone		05:36
*** jojden has joined #openstack-keystone		05:38
*** akscram has quit IRC		05:40
*** roxanaghe has quit IRC		05:41
*** davechen has joined #openstack-keystone		05:43
openstackgerrit	Merged openstack/keystone: Improve keystone.conf [token] documentation https://review.openstack.org/341646	05:45
openstackgerrit	Merged openstack/keystone: Improve keystone.conf [signing] documentation https://review.openstack.org/341790	05:45
openstackgerrit	Merged openstack/keystone: Improve keystone.conf [shadow_users] documentation https://review.openstack.org/341791	05:45
openstackgerrit	Merged openstack/keystone: Improve keystone.conf [tokenless_auth] documentation https://review.openstack.org/340591	05:46
openstackgerrit	Merged openstack/keystone: Correct normal response codes for auth docs https://review.openstack.org/341715	05:46
openstackgerrit	Merged openstack/keystone: Correct normal status codes for v2.0 admin docs https://review.openstack.org/341796	05:46
*** sheel has joined #openstack-keystone		05:47
*** markvoelker has quit IRC		05:52
openstackgerrit	Merged openstack/keystone: Correct normal response codes in v2.0 tenant docs https://review.openstack.org/341781	05:55
openstackgerrit	Merged openstack/keystone: Correct normal response codes for credential docs https://review.openstack.org/341716	05:56
openstackgerrit	Merged openstack/keystone: Correct normal response codes in v2.0 admin user docs https://review.openstack.org/341770	05:56
openstackgerrit	Merged openstack/keystone: Correct normal response codes for role docs https://review.openstack.org/341726	05:56
openstackgerrit	Merged openstack/keystone: Correct normal response codes for policy docs https://review.openstack.org/341719	05:56
*** akscram has joined #openstack-keystone		05:57
*** EinstCrazy has quit IRC		05:58
*** EinstCrazy has joined #openstack-keystone		05:59
openstackgerrit	Jamie Lennox proposed openstack/keystone: Cleanup trusts controller https://review.openstack.org/341969	06:00
openstackgerrit	Jamie Lennox proposed openstack/keystone: Remove get_user_id in trust controller https://review.openstack.org/341970	06:00
*** rcernin has joined #openstack-keystone		06:01
*** spzala has joined #openstack-keystone		06:01
openstackgerrit	Dave Chen proposed openstack/keystone: Change the parameter from optional to required https://review.openstack.org/341973	06:02
openstackgerrit	Merged openstack/keystone: Correct normal response codes in service catalog doc https://review.openstack.org/341759	06:03
openstackgerrit	Merged openstack/keystone: Correct normal response codes for region docs https://review.openstack.org/341723	06:03
openstackgerrit	Eric Brown proposed openstack/keystone: Trivial spacing and comma corrections https://review.openstack.org/341975	06:04
openstackgerrit	Merged openstack/keystone: Correct normal response codes for project docs https://review.openstack.org/341720	06:04
openstackgerrit	Merged openstack/keystone: Correct normal response codes for v2.0 versions doc https://review.openstack.org/341785	06:04
openstackgerrit	Merged openstack/keystone: Clean up token binding validation code https://review.openstack.org/341662	06:04
*** spzala has quit IRC		06:06
*** akscram has quit IRC		06:08
openstackgerrit	zheng yin proposed openstack/python-keystoneclient: Add Python 3.5 classifier and venv https://review.openstack.org/341931	06:26
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add project functional tests https://review.openstack.org/332871	06:33
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add project functional tests https://review.openstack.org/332871	06:34
*** markvoelker has joined #openstack-keystone		06:34
*** code-R_ has joined #openstack-keystone		06:38
*** markvoelker has quit IRC		06:39
*** pcaruana has joined #openstack-keystone		06:40
*** code-R has quit IRC		06:41
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add region functional tests https://review.openstack.org/339158	06:42
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add region functional tests https://review.openstack.org/339158	06:44
openstackgerrit	Merged openstack/keystone: Correct normal response codes in v2.0 versions doc https://review.openstack.org/341782	06:47
openstackgerrit	Dave Chen proposed openstack/keystone: Clean the V3 extension parameter list https://review.openstack.org/341993	06:48
*** roxanaghe has joined #openstack-keystone		06:48
*** roxanaghe has quit IRC		06:52
*** belmoreira has joined #openstack-keystone		06:57
*** nisha_ has joined #openstack-keystone		06:57
*** rcernin has quit IRC		07:05
*** jaosorior has joined #openstack-keystone		07:08
*** tesseract- has joined #openstack-keystone		07:10
*** code-R_ has quit IRC		07:18
*** code-R has joined #openstack-keystone		07:18
*** rcernin has joined #openstack-keystone		07:20
*** nisha_ has quit IRC		07:24
*** markvoelker has joined #openstack-keystone		07:28
*** GB21 has quit IRC		07:30
*** markvoelker has quit IRC		07:35
*** andrewliu117 has joined #openstack-keystone		07:36
openstackgerrit	Swapnil Kulkarni (coolsvap) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	07:40
andrewliu117	dear fellows, I have a question need your help, I am trying to using the pycharm remote debug to debug keystone. now I met this problem, when I start the keystone by keystone-all command, and then I add the "pydevd.settrace(myip, port=15678, stdoutToServer=True,	07:40
andrewliu117	stderrToServer=True)" to some api function, but it won't stop here	07:40
*** tonytan_brb has quit IRC		07:40
andrewliu117	but instead, I using the httpd way to start the keystone, it will stop	07:41
*** ravelar159 has joined #openstack-keystone		07:41
andrewliu117	did anyone meet this problem before?	07:41
andrewliu117	I think it may relate to the paste worker	07:41
andrewliu117	any advice is appreciated	07:42
*** akscram has joined #openstack-keystone		07:44
*** TxGVNN has quit IRC		07:46
*** ravelar159 has quit IRC		07:47
openstackgerrit	Merged openstack/keystone: Add OS-KSCRUD api-ref https://review.openstack.org/341708	07:49
*** TxGVNN has joined #openstack-keystone		07:49
*** itisha has quit IRC		07:50
andrewliu117	or can any one give me some information about how to debug keystone?	07:52
jamielennox	andrewliu117: i haven't used pycharm but i do remember that there used to be a problem with eventlet and pycharm debugging	07:56
jamielennox	andrewliu117: there were some flags that might have worked, but keystone-all and the eventlet code has all been deprecated and removed so i'm not sure how much luck you'll have there	07:56
jamielennox	the wsgi code will work, and i've used rpdb with success there	07:57
jamielennox	otherwise i'd suggest you execute the keystone-wsgi-public script directly which will run a test server on a single thread	07:57
jamielennox	from there you can just use ipdb or whatever you like in the console	07:57
*** d0ugal has joined #openstack-keystone		07:59
*** jrist has joined #openstack-keystone		07:59
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** rcernin has quit IRC		08:00
*** spzala has joined #openstack-keystone		08:03
*** spzala has quit IRC		08:07
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	08:10
openstackgerrit	yuyafei proposed openstack/python-keystoneclient: Add __ne__ built-in function https://review.openstack.org/337435	08:10
*** jistr is now known as jistr\|off		08:11
*** rcernin has joined #openstack-keystone		08:13
*** GB21 has joined #openstack-keystone		08:17
openstackgerrit	Dave Chen proposed openstack/keystone: Fix the wrong check condition https://review.openstack.org/342034	08:18
*** markvoelker has joined #openstack-keystone		08:23
*** markvoelker has quit IRC		08:27
*** akscram has quit IRC		08:27
openstackgerrit	Jamie Lennox proposed openstack/keystone: Cleanup trusts controller https://review.openstack.org/341969	08:30
openstackgerrit	Jamie Lennox proposed openstack/keystone: Remove get_user_id in trust controller https://review.openstack.org/341970	08:30
openstackgerrit	Jamie Lennox proposed openstack/keystone: Remove a validate_token_bind call https://review.openstack.org/342046	08:32
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class https://review.openstack.org/337140	08:32
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support https://review.openstack.org/330464	08:32
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument https://review.openstack.org/330465	08:32
*** nisha_ has joined #openstack-keystone		08:36
*** adrian_otto has quit IRC		08:41
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add region functional tests https://review.openstack.org/339158	08:43
*** akscram has joined #openstack-keystone		08:45
*** nisha_ has quit IRC		08:54
openstackgerrit	Jamie Lennox proposed openstack/keystone: Pass request to normalize_domain_id https://review.openstack.org/342052	08:55
*** aastha has quit IRC		08:59
openstackgerrit	Jamie Lennox proposed openstack/keystone: Remove get_trust_id_for_request function https://review.openstack.org/342056	09:04
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	09:16
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class https://review.openstack.org/337140	09:16
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument https://review.openstack.org/330465	09:16
*** markvoelker has joined #openstack-keystone		09:17
andrewliu117	jamielennox, thanks	09:19
*** EinstCrazy has quit IRC		09:19
*** EinstCrazy has joined #openstack-keystone		09:20
*** markvoelker has quit IRC		09:21
jamielennox	aloga: i'm +2 all the way to the last one, i'm not sure what you mean that you can't not set the port	09:25
andrewliu117	@jamielennox, thanks	09:25
jamielennox	andrewliu117: no worries, hope it helped	09:25
aloga	jamielennox: if you chose a random port, it will change each time you're executing the code	09:30
*** clenimar_ has quit IRC		09:30
aloga	jamielennox: and in some oidc servers you have to explicitly set the list of allowed urls for redirection	09:30
jamielennox	aloga: OIDC has a service registration?	09:30
aloga	s/chose/choose/	09:30
jamielennox	ah	09:30
jamielennox	i think that pretty much kills this whole approach though right?	09:31
jamielennox	i mean you would need to get every person who is possibly going to use the OIDC server registered with a real hostname	09:31
jamielennox	because they can't all be localhost	09:31
aloga	jamielennox: nope	09:31
aloga	you can set localhost	09:31
jamielennox	(or maybe they can and that's weird)	09:31
aloga	jamielennox: /clear	09:32
aloga	jamielennox: lets start again	09:32
aloga	jamielennox: when you define a client, you have to specify which URLs you are allowed to be redirected	09:32
jamielennox	so its perfectly OK to say: OIDC server allow requests from localhost:8080 and that will work for everyone	09:32
aloga	jamielennox: no, this is done by the client	09:32
aloga	jamielennox: the user, when it creates a client so that it gets the client id and secret	09:33
aloga	jamielennox: she has to specify a redirection URL	09:33
aloga	jamielennox: this can be localhost:8080	09:33
aloga	jamielennox: in the horizon case, it is the websso url	09:33
aloga	jamielennox: they can be both	09:33
aloga	jamielennox: but the thing is that you have to know the URL when you (as a user) create a client in the oidc server	09:34
aloga	jamielennox: so, if Alice wants to use oidc for OpenStack using osc, she can go to the server and create a client, specifying localhost:8080 as the redirect URI	09:34
aloga	s/can/must/	09:35
*** woodburn has quit IRC		09:35
aloga	jamielennox: if then she moves to another location where 8080 is not available, she can add another url like localhost:12345 and she would pass the port option to the client	09:36
aloga	jamielennox: so, you need to know where you will be listening beforehand	09:36
jamielennox	aloga: so i think horizon is out of scope here - we are popping a webbrowser so there's no way they can use this	09:38
*** akscram has quit IRC		09:38
aloga	jamielennox: yes, it was just an example	09:38
jamielennox	but i can reorder that code so whilst i don't know ahead of time the port i can set the correct redirect_uri	09:38
jamielennox	aloga: do you mind if i upload a new version of that last review to show you what i mean	09:39
aloga	jamielennox: I don't get your point, so yes	09:39
aloga	jamielennox: :)	09:39
aloga	I mean yes, go ahead	09:39
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	09:40
jamielennox	aloga: so if i reorder it like ^ is it not the same thing?	09:40
jamielennox	aloga: i don't have any way of testing this	09:40
aloga	jamielennox: you're getting a random port	09:42
jamielennox	yes, but i'm not making the request until i know what the port is	09:43
*** akscram has joined #openstack-keystone		09:43
aloga	jamielennox: right, but the thing is that the URL has to be configured in the server	09:43
aloga	when the user creates a client	09:44
jamielennox	right ok - that's kind of where we started and i thought i had misunderstood when you restarted from a client perspective	09:45
jamielennox	so the OIDC server likely has a whitelist of allowed redirect_uris	09:45
aloga	yes, but they are not global	09:46
aloga	they are explicitly set by each user	09:46
aloga	when they define a client	09:46
jamielennox	oh, per user? that seems like an odd step	09:46
aloga	so, if Alice wants to use FooBar OIDC server, she must go to the server	09:47
aloga	she must create a client, where she define the redirect URI among other things (like the scope)	09:47
aloga	and she will get back the client secret and client id	09:47
aloga	then, she will use this client secret and ID to authenticate in osc and keystoneauth	09:48
aloga	so yes, there is this extra step that needs to be done	09:48
aloga	jamielennox: there are some servers where you can directly use your client credentials (https://tools.ietf.org/html/rfc6749#section-4.4)	09:49
*** jaosorior has quit IRC		09:50
jamielennox	and this is more than like an oauth accepting yes i want to allow delegation to this client? it's an out of band registration?	09:50
aloga	jamielennox: but, this is another grant_type, not this one	09:50
*** jaosorior has joined #openstack-keystone		09:50
jamielennox	aloga: i'm more and more inclined to say that this simply isn't workable from a CLI and deprecate the whole plugin	09:52
jamielennox	it's obviously not desinged for this purpose	09:52
jamielennox	and i'm not sure from a practical perspective anyone would use it	09:52
aloga	jamielennox: i disagree :)	09:52
aloga	jamielennox: we would use it	09:53
aloga	;)	09:53
jamielennox	i was assuming there (i don't know OIDC well) that the webbrowser would pop, you'd enter your credentials, agree to the delegation and be returned an access token or something	09:53
aloga	jamielennox: yes, this is true	09:53
aloga	jamielennox: the OIDC client registration is a one-time step	09:53
*** GB21 has quit IRC		09:53
jamielennox	which is a little why i was confused you'd need to redirect_uri at all, because it's a client initiated redirect	09:53
jamielennox	well no, that part makes sense because having popped the webbrowser python has no other way to receive back that code	09:54
aloga	jamielennox: the webbrowser thing is because of this specific grant type, because to obtain an access code you need to do all the flow	09:55
jamielennox	aloga: so if i have a client_id and a client_secret that only identifies my server, why do we need to pop a browser?	09:56
jamielennox	identifies my client	09:56
jamielennox	we need a per user client_id, client_secret and they still need to login?	09:56
aloga	jamielennox: if your server allows client_credentials as grant type, you don't need a browser, as this grant type allows to use the client credentials directly	09:57
aloga	jamielennox: if your server does not allow client credentials (like google) and only authz code, you need a browser	09:57
aloga	jamielennox: because the oauth standard specifies so, there is no other way to go	09:58
aloga	jamielennox: if we could persist the access token, this could be done only once for the lifetime of the access token, as this could be reused	09:58
aloga	(access token = oidc access token)	09:58
aloga	jamielennox: if you are a service, or a server, then you must use the client credentials or the resource owner grant types	09:59
aloga	jamielennox: not this particular one	09:59
*** akscram has quit IRC		10:00
jamielennox	ok client credentials in this case being a user login/password right? not the client secret	10:02
jamielennox	so i understand this from a 3rd party auth perspective where like openstack.org was using google auth	10:02
aloga	jamielennox: not sure, unfortunately I could not test this up to know, but I guess so	10:02
jamielennox	then openstack.org gets a client_id and client_secret	10:02
jamielennox	then the user uses their login/pass	10:03
jamielennox	and the client_secret has validated that handshake between google and openstack.org	10:03
jamielennox	that's pretty standard amongst federated protocols	10:03
aloga	jamielennox: using which grant type :)	10:03
jamielennox	i'm mostly trying to understand why atm, but some form of the above can be seen in saml and oauth off the top of my head	10:04
jamielennox	but in that case the client is not the user, the client is the third party you want to auth agains	10:04
*** spzala has joined #openstack-keystone		10:05
aloga	jamielennox: you're describing the resource owner credentials	10:05
jamielennox	so in this case it would be keystone having a client_secret	10:05
aloga	s/credentials/grant type/	10:05
*** nisha_ has joined #openstack-keystone		10:06
aloga	jamielennox: I do not know the motivations of each grant type in oauth 2, but they're focused at different purposes	10:06
aloga	jamielennox: the authorization_code and the user credentials are focused on authenticating the final user, i.e. Alice or Bob	10:06
aloga	jamielennox: the resource password credentials (implemented in oidcpassword) is focused on authenticating the service, i.e. the resource	10:07
aloga	jamielennox: to my knowledge this last grant type is not enabled by default in most implementations, as it implies a trust relationship between the oidc server and the resource owner	10:08
jamielennox	alright, i think i'm going to need to do a proper read of the oidc spec	10:08
jamielennox	it's been on my list for a while	10:08
aloga	jamielennox: the client credentials would solve our problems, as the users will pass their username and password to the oidc server and return the access token	10:08
*** spzala has quit IRC		10:09
aloga	jamielennox: but, it is not supported by all the oidc servers (like google)	10:09
jamielennox	yea, for a CLI case that's what we need	10:09
aloga	jamielennox: finally, the authz code, implies interacting with the user browser	10:09
jamielennox	i need to run off for a bit, i'm supposed to be doing dinner, but i'll read through the spec and try and figure it out	10:10
jamielennox	it's at the end of the queue now so not holding the others up	10:10
aloga	jamielennox: I do think that this needs to be implemented, otherwise the oidc thing would become a bit useless	10:11
*** markvoelker has joined #openstack-keystone		10:11
aloga	jamielennox: although I am aware of the browser and redirection stuff,	10:11
*** ktychkova has joined #openstack-keystone		10:11
aloga	jamielennox: but I do think that somebody using this plugin is or should be aware of the redirection stuff	10:11
*** akscram has joined #openstack-keystone		10:12
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	10:14
aloga	jamielennox: FYI: I am working in the client credentials atm	10:15
*** markvoelker has quit IRC		10:16
*** roxanaghe has joined #openstack-keystone		10:24
*** akscram has quit IRC		10:24
*** akscram has joined #openstack-keystone		10:27
*** roxanaghe has quit IRC		10:29
openstackgerrit	Dave Chen proposed openstack/keystone: {WIP} Choose the right parameter from the parameter list https://review.openstack.org/342089	10:31
*** GB21 has joined #openstack-keystone		10:35
*** clenimar_ has joined #openstack-keystone		10:41
*** davechen has quit IRC		10:45
nisha_	o/	10:49
*** TxGVNN has quit IRC		11:04
*** markvoelker has joined #openstack-keystone		11:05
*** markvoelker has quit IRC		11:09
*** dikonoor has joined #openstack-keystone		11:18
*** divyakkonoor has joined #openstack-keystone		11:18
*** divyakkonoor has quit IRC		11:19
*** wangqun has quit IRC		11:19
*** nisha__ has joined #openstack-keystone		11:27
*** nisha_ has quit IRC		11:28
*** TxGVNN has joined #openstack-keystone		11:30
*** akscram has quit IRC		11:32
openstackgerrit	Dave Chen proposed openstack/keystone: Variables in URL path should be required https://review.openstack.org/341973	11:39
*** andrewliu117 has quit IRC		11:43
*** andrewliu117_ has joined #openstack-keystone		11:45
*** akscram has joined #openstack-keystone		11:46
*** EinstCrazy has quit IRC		11:48
*** EinstCrazy has joined #openstack-keystone		11:48
*** markvoelker has joined #openstack-keystone		11:59
*** rodrigods has quit IRC		11:59
*** rodrigods has joined #openstack-keystone		11:59
*** wangqun has joined #openstack-keystone		12:00
*** markvoelker has quit IRC		12:03
*** spzala has joined #openstack-keystone		12:06
*** thumpba has joined #openstack-keystone		12:09
*** spzala has quit IRC		12:10
*** roxanaghe has joined #openstack-keystone		12:12
*** roxanaghe has quit IRC		12:16
*** nisha__ is now known as nisha_		12:19
*** GB21 has quit IRC		12:23
*** ddieterly has joined #openstack-keystone		12:28
*** clenimar_ has quit IRC		12:28
*** ddieterly has quit IRC		12:31
*** TxGVNN has quit IRC		12:35
*** raildo has joined #openstack-keystone		12:36
*** daemontool_ has quit IRC		12:38
*** links has quit IRC		12:40
*** pauloewerton has joined #openstack-keystone		12:44
*** TxGVNN has joined #openstack-keystone		12:46
*** samueldmq has joined #openstack-keystone		12:47
*** ChanServ sets mode: +v samueldmq		12:47
samueldmq	hey keystone	12:47
samueldmq	don't make it bad, take a sad doc and make it better :)	12:47
*** lamt has joined #openstack-keystone		12:48
* samueldmq continues with federation docs		12:48
nisha_	samueldmq, nice	12:49
nisha_	samueldmq, good morning :)	12:49
samueldmq	nisha_: o/	12:49
openstackgerrit	Merged openstack/keystone: Trivial spacing and comma corrections https://review.openstack.org/341975	12:49
*** d0ugal has quit IRC		12:53
*** thumpba has quit IRC		12:54
*** thumpba has joined #openstack-keystone		12:55
*** EinstCrazy has quit IRC		12:58
*** EinstCrazy has joined #openstack-keystone		12:58
*** tonytan4ever has joined #openstack-keystone		12:58
*** thumpba has quit IRC		13:00
*** gordc has joined #openstack-keystone		13:00
*** ddieterly has joined #openstack-keystone		13:00
*** edmondsw has joined #openstack-keystone		13:06
*** julim has joined #openstack-keystone		13:06
*** spzala has joined #openstack-keystone		13:07
*** jojden has quit IRC		13:10
*** henrynash has joined #openstack-keystone		13:10
*** ChanServ sets mode: +v henrynash		13:10
*** sdake__ has joined #openstack-keystone		13:15
*** woodster_ has joined #openstack-keystone		13:21
lbragstad	o/	13:22
lbragstad	couple more easy keystone-api-sprint reviews if any wants to review them - https://review.openstack.org/#/c/341762/ and https://review.openstack.org/#/c/341765/	13:22
patchbot	lbragstad: patch 341762 - keystone - Correct normal response codes in OS-INHERIT docs	13:22
patchbot	lbragstad: patch 341765 - keystone - Correct normal response codes in endpoint policy docs	13:22
*** EinstCrazy has quit IRC		13:22
*** EinstCrazy has joined #openstack-keystone		13:23
*** code-R_ has joined #openstack-keystone		13:25
samueldmq	lbragstad: left a comment in 341762	13:25
samueldmq	lbragstad: see if it makes sense for you	13:26
openstackgerrit	Lance Bragstad proposed openstack/keystone: Correct normal response codes in trust documentation https://review.openstack.org/341760	13:26
samueldmq	lbragstad: but perhaps that could be addressed in a separate thing .... as it's all over the places in that way	13:27
*** code-R has quit IRC		13:28
lbragstad	samueldmq responed	13:29
lbragstad	responded*	13:29
*** EinstCra_ has joined #openstack-keystone		13:29
*** richm has joined #openstack-keystone		13:29
*** EinstCrazy has quit IRC		13:29
*** bigdogstl has joined #openstack-keystone		13:31
*** bigdogstl has quit IRC		13:31
samueldmq	lbragstad: makes sense	13:33
samueldmq	lbragstad: all reviewed, see comment in 341760	13:33
*** ametts has joined #openstack-keystone		13:33
*** adrian_otto has joined #openstack-keystone		13:35
*** sheel has quit IRC		13:36
*** gagehugo has joined #openstack-keystone		13:38
*** akscram has quit IRC		13:38
*** richm has quit IRC		13:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Correct normal response codes in trust documentation https://review.openstack.org/341760	13:39
*** ninag has joined #openstack-keystone		13:39
*** akscram has joined #openstack-keystone		13:40
*** itisha has joined #openstack-keystone		13:42
lbragstad	samueldmq did you have a review up for migrating the OS-FEDERATION docs?	13:43
*** EinstCra_ has quit IRC		13:43
samueldmq	lbragstad: not yet, I am working on it... I had schedule so many things to do yesterday, sorry :(	13:44
samueldmq	lbragstad: I will ping you as soon as I push it to review	13:44
lbragstad	samueldmq ok - no worries. I was just curious	13:45
*** ninag has quit IRC		13:45
lbragstad	I'm in the process of updating the etherpad	13:45
*** woodburn has joined #openstack-keystone		13:47
samueldmq	lbragstad: nice	13:47
*** slberger has joined #openstack-keystone		13:47
*** daemontool has joined #openstack-keystone		13:48
samueldmq	lbragstad: another thing is to check whether all those error response codes are returned by keystone	13:49
lbragstad	samueldmq those are probably wrong too	13:50
samueldmq	lbragstad: perhaps they've come from old docs and we're just c&ping them all over the place	13:50
samueldmq	lbragstad: ++	13:50
lbragstad	my patches just went through and separated them into two separate lists so that we aren't advertising 20X status codes as Errors.	13:50
stevemar	o/	13:50
stevemar	joining now!	13:50
samueldmq	lbragstad: ++ that's a good improvement already	13:51
samueldmq	stevemar: o/	13:51
lbragstad	samueldmq personally - i'd be fine to nuke the Error response codes list	13:51
lbragstad	it's an http status code...	13:51
openstackgerrit	Gage Hugo proposed openstack/keystone: Add OS-EP-FILTER to api-ref https://review.openstack.org/341787	13:51
samueldmq	stevemar: lbragstad: do we want to keep that "Relationship" thing from the -specs repo	13:51
lbragstad	stevemar i'll be able to join for about an hour then I have to hop off for a couple meetings	13:51
samueldmq	lbragstad: yes, I think they could be documented somewhere, in a common place	13:52
stevemar	lbragstad: samueldmq new hangout link, old one died :( https://hangouts.google.com/call/tp757ctnojfdvh7dpc66pqnq3ie	13:52
samueldmq	rather than just repeating them for every API description	13:52
stevemar	lbragstad: i'm OK with that too TBH	13:52
*** ametts has quit IRC		13:54
*** rderose has joined #openstack-keystone		13:54
*** ddieterly is now known as ddieterly[away]		13:55
*** richm has joined #openstack-keystone		13:55
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	13:57
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add "v2 overview" docs to APIs https://review.openstack.org/341739	13:57
*** roxanaghe has joined #openstack-keystone		13:58
*** nk2527 has quit IRC		13:59
openstackgerrit	Gage Hugo proposed openstack/keystone: Add OS-EP-FILTER to api-ref https://review.openstack.org/341787	14:00
* lbragstad stevemar https://review.openstack.org/#/c/341787/2/api-ref/source/v3-ext/ep-filter.inc		14:00
patchbot	lbragstad: patch 341787 - keystone - Add OS-EP-FILTER to api-ref	14:00
*** nk2527 has joined #openstack-keystone		14:01
*** links has joined #openstack-keystone		14:01
*** ddieterly[away] is now known as ddieterly		14:01
dstanek	so do we consider OS-INHERIT core or extension?	14:02
*** roxanaghe has quit IRC		14:03
*** adu has joined #openstack-keystone		14:03
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password history requirements https://review.openstack.org/328339	14:04
samueldmq	dstanek: core	14:05
*** GB21 has joined #openstack-keystone		14:05
samueldmq	dstanek: I remember we have put it into core a few releases back... stevemar ^ you agree?	14:05
dstanek	samueldmq: what is the distinction between what is core and what is an extension?	14:05
samueldmq	dstanek: in the docs, we are keeping what's in extension already in v3-ext, we can move them later if we want	14:06
samueldmq	dstanek: at least this is how I am doing for federation	14:06
dstanek	samueldmq: you mean the extension package?	14:06
dstanek	did we get rid of that a long time ago?	14:07
*** ametts has joined #openstack-keystone		14:07
samueldmq	dstanek: yes, for eg federation is identity-api-v3-os-federation-ext.rst in -specs, so I am putting it under the -ext package in the new docs	14:07
samueldmq	dstanek: looks like we did .. but some naming remained ?	14:08
samueldmq	iirc we replaced extensions by moving everything to core and classifying those things into stable or experimental	14:08
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password expires validation https://review.openstack.org/333360	14:09
*** edmondsw has quit IRC		14:10
samueldmq	does anybody know what those "Relationship" links are for ?	14:13
*** catintheroof has joined #openstack-keystone		14:16
openstackgerrit	Merged openstack/keystone: Add is_domain to project example responses https://review.openstack.org/341820	14:17
catintheroof	hi guys, quick question. does the openstack cli supports to handle domain-specific configuration ? how do i change those configs after i run keystone-manage domain_config_upload ??	14:17
*** aastha has joined #openstack-keystone		14:19
*** ravelar159 has joined #openstack-keystone		14:21
lbragstad	clenimar around?	14:21
*** adrian_otto has quit IRC		14:25
*** adrian_otto has joined #openstack-keystone		14:25
catintheroof	does anyone know if the API for domain configuration management is still experimental on mitaka ? https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#domain-configuration-management	14:26
*** ravelar159 has quit IRC		14:26
*** ravelar159 has joined #openstack-keystone		14:27
*** GB21 has quit IRC		14:30
*** samueldmq has quit IRC		14:31
*** samueldmq has joined #openstack-keystone		14:31
*** ChanServ sets mode: +v samueldmq		14:31
*** jaosorior has quit IRC		14:32
knikolla	o/	14:33
*** adrian_otto has quit IRC		14:35
*** markvoelker has joined #openstack-keystone		14:35
*** dikonoor has quit IRC		14:37
*** phalmos has joined #openstack-keystone		14:38
*** pcaruana has quit IRC		14:39
clenimar	lbragstad: hey	14:43
*** adrian_otto has joined #openstack-keystone		14:43
*** david-lyle_ has quit IRC		14:45
*** d0ugal has joined #openstack-keystone		14:46
lbragstad	clenimar o/ i just saw your comment :)	14:48
clenimar	clenimar: np :)	14:49
clenimar	lbragstad: what about identity.example.com/v3?	14:50
lbragstad	clenimar I think that would be perfect	14:50
lbragstad	that way it denotes the hostname from the path	14:50
lbragstad	cc stevemar gagehugo samueldmq ^	14:50
lbragstad	dstanek ^	14:50
dstanek	samueldmq: did you get an answer about the links?	14:50
lbragstad	regarding my question here - https://review.openstack.org/#/c/341829/1//COMMIT_MSG	14:51
patchbot	lbragstad: patch 341829 - keystone - Update identity endpoint in v3 samples	14:51
gagehugo	sure	14:51
dstanek	lbragstad: ?	14:52
lbragstad	dstanek just curious if you had any thoughts about the way we reference the identity endpoint in docs	14:52
dstanek	lbragstad: as long as we are consistent i'd be happy with anything	14:53
lbragstad	dstanek ++	14:54
lbragstad	clenimar yeah - i think we should change it	14:54
lbragstad	clenimar I'll update my comment	14:54
clenimar	lbragstad: okay	14:54
*** edtubill has joined #openstack-keystone		14:54
stevemar	oh i just went through and changed all the URLs in the EP-filter patch	14:55
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add OS-EP-FILTER to api-ref https://review.openstack.org/341787	14:56
*** chrisshattuck has joined #openstack-keystone		14:57
samueldmq	dstanek: not yet	14:59
*** slberger has left #openstack-keystone		14:59
dstanek	samueldmq: i think we are trying to be a real restful api	14:59
dstanek	stevemar: lbragstad: so what's the verdict on what the example URLs should be?	15:01
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add OS-EP-FILTER to api-ref https://review.openstack.org/341787	15:01
lbragstad	dstanek documented here - https://review.openstack.org/#/c/341829/1//COMMIT_MSG	15:02
patchbot	lbragstad: patch 341829 - keystone - Update identity endpoint in v3 samples	15:02
stevemar	dstanek: i'm OK with any combination of {localhost\|identity}:{5000\|35357} TBH	15:02
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	15:02
stevemar	i think i prefer identity:5000 for simplicity	15:02
stevemar	we don't want to advertise 35357 i think	15:03
*** chrisshattuck has quit IRC		15:03
stevemar	and localhost seems amatuerish	15:03
*** phalmos has quit IRC		15:03
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	15:04
*** akscram has quit IRC		15:04
*** edmondsw has joined #openstack-keystone		15:05
stevemar	dstanek: lbragstad i think https://review.openstack.org/#/c/341787/6 is ready	15:06
patchbot	stevemar: patch 341787 - keystone - Add OS-EP-FILTER to api-ref	15:06
*** akscram has joined #openstack-keystone		15:06
breton	stevemar: but we use /identity/ in devstack	15:06
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 endpoints https://review.openstack.org/339468	15:07
stevemar	breton: thtas a fairly new change,	15:07
openstackgerrit	Merged openstack/keystone: Correct normal response codes in endpoint policy docs https://review.openstack.org/341765	15:08
dstanek	stevemar: that's the one i'm looking at now	15:08
breton	i think we should stick to what is used in the gates now. And in the gates /identity/ is even in endpoints.	15:08
openstackgerrit	Merged openstack/keystone: Correct normal response codes in OS-INHERIT docs https://review.openstack.org/341762	15:09
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 endpoints https://review.openstack.org/339468	15:10
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	15:10
*** chrisshattuck has joined #openstack-keystone		15:11
dstanek	just a general note...i think we document APIs backwards in OpenStack. we don't focus nearly enough on defining a media type	15:11
samueldmq	stevemar: federation API is HUGE	15:14
samueldmq	stevemar: what if we split it into Federation [Identity Provider\|Mappings\|Service Provider]	15:14
samueldmq	3 APIs rather than a single one	15:15
stevemar	there are also the auth ones :P	15:15
samueldmq	I think it makes sense, as we don't document Identity API (with user and groups in there)	15:15
lbragstad	maybe that's a sign	15:15
stevemar	fine with me	15:15
samueldmq	neither Resource API	15:15
*** thumpba has joined #openstack-keystone		15:15
samueldmq	with projects and domains	15:15
samueldmq	stevemar: nice	15:15
samueldmq	stevemar: I am in the middle of the transition, and the number of followup patch sets are increasing exponentially in my mind	15:16
samueldmq	:p	15:16
stevemar	:)	15:16
*** d0ugal has quit IRC		15:16
*** links has quit IRC		15:17
*** d0ugal has joined #openstack-keystone		15:17
*** spzala has quit IRC		15:17
stevemar	breton: you can do a grep/awk call to change all of them at once :P	15:18
*** spzala has joined #openstack-keystone		15:18
*** kean has quit IRC		15:18
stevemar	breton: i'd be OK with the change	15:18
dstanek	stevemar: we need to come up with some rules to make the docs more uniform. i left a few comments in the ep-filter review	15:19
gagehugo	+1 yeah it would be good to have some master layout guide	15:21
stevemar	dstanek: agreed, even the order of GET/POST/DELETE and the order of arguments needs to be uniform	15:21
stevemar	dstanek: also: https://review.openstack.org/#/c/341739/	15:21
patchbot	stevemar: patch 341739 - keystone - Add "v2 overview" docs to APIs	15:21
*** thumpba has quit IRC		15:21
*** phalmos has joined #openstack-keystone		15:21
*** spzala has quit IRC		15:22
stevemar	dstanek: i'll add /v3 to the beginning of the route, i think most have it	15:22
*** kean has joined #openstack-keystone		15:24
*** nisha_ has quit IRC		15:24
stevemar	dstanek: patched	15:24
*** nisha_ has joined #openstack-keystone		15:25
openstackgerrit	Steve Martinelli proposed openstack/keystone: Correct normal response codes in trust documentation https://review.openstack.org/341760	15:26
*** lucas___ has joined #openstack-keystone		15:26
*** ravelar159 has quit IRC		15:26
*** ravelar159 has joined #openstack-keystone		15:27
stevemar	breton: oh i see someone else has updated all the examples: https://review.openstack.org/#/c/341829/	15:28
patchbot	stevemar: patch 341829 - keystone - Update identity endpoint in v3 samples	15:28
stevemar	oof	15:28
*** thumpba has joined #openstack-keystone		15:32
*** arunkant_ has joined #openstack-keystone		15:32
breton	stevemar: the discussion came from that review, right	15:33
*** clenimar_ has joined #openstack-keystone		15:33
stevemar	breton: sorry, i'm behind, had a late start	15:33
stevemar	and jumped right into the ep-filter review	15:33
stevemar	we really need to create a separate parameters.yaml for each .inc	15:34
stevemar	it would make things so much easier	15:34
stevemar	a bit duplicative, but meh	15:34
dstanek	stevemar: that's where we have to be careful not to duplicate too much and have language discrepencies	15:35
*** rderose has quit IRC		15:35
stevemar	dstanek: yeah	15:35
breton	stevemar: it will be easier to do when https://bugs.launchpad.net/keystone/+bug/1602772 is closed	15:35
openstack	Launchpad bug 1602772 in OpenStack Identity (keystone) ""_{n}" suffixes in parameters.yaml are not used" [Medium,In progress] - Assigned to Ron De Rose (ronald-de-rose)	15:35
stevemar	i agree	15:35
stevemar	i'm worried some of those are being removed when they shouldn't be	15:36
stevemar	they should be renamed or something	15:36
*** belmoreira has quit IRC		15:36
*** jaosorior has joined #openstack-keystone		15:36
*** lucas____ has joined #openstack-keystone		15:36
*** jaosorior has quit IRC		15:36
*** lucas___ has quit IRC		15:36
*** andrewliu117__ has joined #openstack-keystone		15:37
dstanek	stevemar: it's possible they should be used instead of the non-_{n} ones	15:37
*** jaosorior has joined #openstack-keystone		15:38
breton	stevemar: dstanek: please comment on https://review.openstack.org/#/c/341757/ too.	15:39
patchbot	breton: patch 341757 - keystone - Remove unused parameters with underscore suffix in...	15:39
*** andrewliu117_ has quit IRC		15:40
*** KevinE has joined #openstack-keystone		15:41
*** code-R_ has quit IRC		15:42
dstanek	stevemar: breton: is it possible we're just doing it all wrong?	15:44
stevemar	dstanek: i don't think so, i think all the documentation was automatically generated from the wadl docs	15:45
*** spzala has joined #openstack-keystone		15:46
breton	stevemar: ++	15:46
dstanek	the _{n} appear to be variations (at least in some cases). x is 'in:body", but x_1 is 'in:path' and x_2 is 'in:querystring'	15:46
breton	dstanek: they were supposed to be used but they are not. My guess is that when it all was merged, parameters.yaml were generated with _n appended, but .inc were not	15:47
*** roxanaghe has joined #openstack-keystone		15:47
openstackgerrit	David Stanek proposed openstack/keystone: wip it https://review.openstack.org/342253	15:48
breton	i also thought that os-api-ref supports that in some weird way. But it doesn't.	15:48
*** rderose has joined #openstack-keystone		15:48
dstanek	breton: which would indicate that the .inc files are incorrect - see ^ for a quick example	15:48
stevemar	can someone confirm is https://bugs.launchpad.net/keystone/+bug/1603038 exists?	15:48
openstack	Launchpad bug 1603038 in OpenStack Identity (keystone) "Execption on admin_token usage ValueError: Unrecognized " [Undecided,New]	15:48
dstanek	stevemar: breton: service_id is defined as a path variable and is used to show the response body too....but service_id_1 is defined as a body parameter	15:49
stevemar	dstanek: we probably need path_service_id cause there will be many of those	15:49
stevemar	path_service_id: the UUID of the service, whereas service_id (no prefix) can be used for the body	15:50
*** wangqun has quit IRC		15:51
*** nisha_ has quit IRC		15:51
*** roxanaghe has quit IRC		15:52
*** akscram has quit IRC		15:52
openstackgerrit	David Stanek proposed openstack/keystone: Fixes a variable usage issue https://review.openstack.org/342253	15:53
breton	here is what we need to do:	15:53
breton	1. Use correct variable_{n} where they are needed	15:53
breton	2. Split parameters.yaml into several incname_parameters.yaml, copying _{n} variables where needed	15:53
breton	3. Rename _{n} variables to something sane	15:53
dstanek	i worry about #2	15:53
*** akscram has joined #openstack-keystone		15:54
samueldmq	what if we have a parameters file per API e.g projects, domains, and so on ?	15:54
samueldmq	dstanek: ^	15:54
samueldmq	this way we won't need to put suffixes on things	15:54
dstanek	if you spit by .inc file then you will have the same param in multiple places. then you get into the mess of adding a 'common' file of some sort	15:55
dstanek	samueldmq: where would domain_id be defined?	15:55
samueldmq	dstanek: 2 options	15:55
breton	samueldmq: we still need suffixes. For example, when specifying a project, "id" might mean both project and domain id.	15:55
samueldmq	we can put on every file and then have more meaningful descriptions, like: The ID of user's domain.	15:56
samueldmq	or put them in a common file for very common things, but I can't think of many cases	15:56
breton	i think that some duplication is not a big issue	15:57
dstanek	samueldmq: the problem is that i don't think you can specify multiple parameters files	15:57
samueldmq	why not ? you specify the parameters file when defining the params	15:57
samueldmq	like	15:57
*** ddieterly is now known as ddieterly[away]		15:58
samueldmq	.. rest_parameters:: parameters.yaml	15:58
dstanek	if you have domain_id (from common) and username (from user) in the same response	15:58
dstanek	i don't see any advantage to splitting. just disadvantages	15:58
samueldmq	dstanek: so let's just have a file for each one	15:58
samueldmq	I don't see much things that will be "duplicated"	15:59
samueldmq	mostly domain_id	15:59
stevemar	and it may be better to split that	15:59
samueldmq	and this has also the advantage to put very specific messages for each resource	15:59
stevemar	for domain CRUD domain_id is "the id of the domain"	15:59
*** lucas____ has quit IRC		15:59
stevemar	for project CRUD it's "the id of the domain that owns the project"	15:59
samueldmq	like I said, domain_id can be: Project's domain ID. or User's domain ID. and so on	15:59
samueldmq	stevemar: yes that's my point	16:00
samueldmq	we describe the parameter in a way its description is more accurate depending on the context it's used	16:00
*** ddieterly[away] is now known as ddieterly		16:01
stevemar	i like the splitting option	16:01
stevemar	one .yaml file per .inc file	16:02
dstanek	what's the problem that's being solved?	16:03
samueldmq	more accurate descriptions for attributes depending where they are used	16:03
samueldmq	and fixing lots of bugs because sometimes you use domain_id and it has a description of another thing	16:04
samueldmq	let me give an example	16:04
dstanek	that's fine, i don't care enough to debate this :-)	16:05
samueldmq	see http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=list-projects-detail#projects	16:05
samueldmq	enabled field description is wrong :/	16:05
breton	(and bug 1602772)	16:06
openstack	bug 1602772 in OpenStack Identity (keystone) ""_{n}" suffixes in parameters.yaml are not used" [Medium,In progress] https://launchpad.net/bugs/1602772 - Assigned to Ron De Rose (ronald-de-rose)	16:06
*** nisha_ has joined #openstack-keystone		16:06
dstanek	the bug is something different	16:06
samueldmq	yes	16:06
samueldmq	maybe that will be fixed during the process of splitting the files	16:07
samueldmq	as one file won't contain lots of name attributes anymore	16:08
dstanek	samueldmq: that bug won't be fixed that way. you have to use the _n versions of the attributes	16:08
samueldmq	what are versions of attributes useful for ?	16:08
dstanek	samueldmq: https://review.openstack.org/#/c/342253/	16:09
patchbot	dstanek: patch 342253 - keystone - Fixes a variable usage issue	16:09
breton	also, nobody idles in hangout today?	16:09
gagehugo	I'll be back in this afternoon	16:10
samueldmq	dstanek: because query and body params are in the same namespace ? :/	16:10
dstanek	samueldmq: so you want 2 parameter files per include?	16:11
dstanek	...actually three	16:11
dstanek	path, body and querystring	16:11
samueldmq	header, path, query and body are only separated by a comment in parameters.yml :/	16:11
samueldmq	dstanek: no, but maybe putting something more meaningful in the parameter name	16:11
samueldmq	like:	16:11
samueldmq	service_id_query, service_id_body	16:12
samueldmq	rather than _1 and _2, and so on	16:12
*** nisha__ has joined #openstack-keystone		16:12
*** nisha_ has quit IRC		16:12
dstanek	samueldmq: right, like i said has nothing to do with splitting files	16:12
samueldmq	dstanek: splitting is useful for keeping them small too.. imo	16:13
openstackgerrit	Richard proposed openstack/keystone: Improve user experience involving token flush https://review.openstack.org/341165	16:13
samueldmq	otherwise we would have another append for the API... like service_name_query, service_name_body	16:13
dstanek	samueldmq: that's fine. i'm simply saying that the bug has nothing to do with splitting	16:13
samueldmq	dstanek: I agree	16:13
dstanek	breton: i'm not in the hangout because i uses by cpu something fierce and i'm not plugged into an outlet right now	16:16
*** GB21 has joined #openstack-keystone		16:19
*** david-lyle__ has joined #openstack-keystone		16:20
*** sdake__ is now known as sdake		16:20
*** david-lyle__ is now known as david-lyle		16:21
*** rcernin has quit IRC		16:21
openstackgerrit	Andrew Laski proposed openstack/oslo.policy: Allow policy file to not exist https://review.openstack.org/341732	16:23
*** code-R has joined #openstack-keystone		16:25
breton	^ that oslo.policy change is interesting btw	16:27
dstanek	samueldmq: i'm not sure if i ever got an answer before or if i just can't find it :-( do we have criteria for determining which things go into v3 vs v3-ext?	16:28
dstanek	technically we don't have extensions anymore	16:28
*** daemontool has quit IRC		16:30
*** lucas___ has joined #openstack-keystone		16:33
*** lucas___ has quit IRC		16:37
*** gordc has quit IRC		16:37
stevemar	breton: i'll idle there in 10 minutes, lots of calls today :(	16:37
breton	stevemar: i'll go home in 50 :)	16:43
stevemar	breton: noooo	16:43
stevemar	breton: thanks for the help over the sprint :)	16:43
*** lucas___ has joined #openstack-keystone		16:45
*** KevinE has quit IRC		16:45
*** d0ugal has quit IRC		16:49
stevemar	breton: i'm there now :P	16:50
*** julim has quit IRC		16:53
samueldmq	dstanek: if it's said to be an extension in -specs, it goes in v3-ext	16:53
samueldmq	dstanek: at least this is how I am doing for federation	16:53
samueldmq	which is identity-api-v3-os-federation-ext.rst in -specs	16:53
dstanek	k, thx	16:54
samueldmq	yw	16:54
*** spzala has quit IRC		16:56
*** sdake has quit IRC		17:00
*** sdake has joined #openstack-keystone		17:02
*** GB21 has quit IRC		17:02
*** spzala has joined #openstack-keystone		17:03
*** jrist has quit IRC		17:04
*** GB21 has joined #openstack-keystone		17:05
*** ddieterly is now known as ddieterly[away]		17:05
*** jlk has joined #openstack-keystone		17:06
jlk	Does anybody remember or know of an open spec/blueprint for admin readonly like roles?	17:06
jlk	I swear I've seen them before but can't find them now	17:06
*** spzala has quit IRC		17:08
openstackgerrit	Ron De Rose proposed openstack/keystone: Drop EPHEMERAL user type https://review.openstack.org/296639	17:08
stevemar	jlk: there should be	17:14
stevemar	jlk: https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role	17:14
jlk	Yeah I found that, but there is nothing much there.	17:14
*** thumpba has quit IRC		17:14
jlk	oh I clicked on "Set URL for this specification" thinking it was "See this specification". That's why I got a error	17:15
stevemar	jlk: theres also https://review.openstack.org/#/c/245629/	17:15
patchbot	stevemar: patch 245629 - openstack-specs - A common policy scenario across all projects	17:15
*** spzala has joined #openstack-keystone		17:15
stevemar	jlk: also, i though dolphm had something cooking for that?	17:16
*** ddieterly[away] is now known as ddieterly		17:16
dolphm	jlk: it's a cross-project spec	17:16
jlk	Yeah I remember the sessions in Austin	17:17
dolphm	jlk: jamielennox owns it though	17:17
jlk	I was just not finding the things to track through the googles.	17:17
jlk	I'm trying to give it to my product team so they stop asking _me_ to implement it in Blue Box clouds.	17:17
stevemar	jlk: hehe	17:18
stevemar	jlk: just implement it all	17:18
jlk	sure, no problem. Will have it done this afternoon	17:18
*** thumpba has joined #openstack-keystone		17:19
clenimar	stevemar: so, what endpoint should we use? :) localhost/identity/v3 or localhost:5000/v3	17:19
clenimar	maybe identity.example.com/v3	17:19
*** spzala has quit IRC		17:20
stevemar	jlk: :)	17:20
* jlk cries at versioned endpoint urls		17:20
stevemar	clenimar: breton dstanek what about example.com/identity ?	17:20
*** ddieterly is now known as ddieterly[away]		17:21
*** spzala has joined #openstack-keystone		17:21
*** jaosorior has quit IRC		17:22
samueldmq	stevemar: what about this https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#listing-projects-and-domains	17:23
samueldmq	stevemar: "Deprecated in v1.1. This section is deprecated as the functionality is available in the core Identity API.	17:23
samueldmq	"	17:23
*** jaosorior has joined #openstack-keystone		17:24
*** lucas___ has quit IRC		17:24
*** spzala has quit IRC		17:25
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Move OS-INHERIT api-ref from extensions to core https://review.openstack.org/341912	17:26
stevemar	samueldmq: keep it around, it's an API	17:27
*** spzala has joined #openstack-keystone		17:27
*** harlowja has joined #openstack-keystone		17:28
openstackgerrit	Boris Bobrov proposed openstack/keystone: Add v2.0 /endpoints/ api-ref https://review.openstack.org/342294	17:28
*** KevinE has joined #openstack-keystone		17:30
*** spzala has quit IRC		17:31
openstackgerrit	Boris Bobrov proposed openstack/keystone: Add v2.0 /endpoints/ api-ref https://review.openstack.org/342294	17:31
*** rcernin has joined #openstack-keystone		17:32
*** browne has joined #openstack-keystone		17:32
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	17:32
*** spzala has joined #openstack-keystone		17:33
*** TxGVNN has quit IRC		17:33
*** haplo37_ has joined #openstack-keystone		17:34
*** roxanaghe has joined #openstack-keystone		17:35
*** spzala has quit IRC		17:37
*** spzala has joined #openstack-keystone		17:39
openstackgerrit	Merged openstack/keystone: Variables in URL path should be required https://review.openstack.org/341973	17:39
*** roxanaghe has quit IRC		17:40
*** sdake_ has joined #openstack-keystone		17:42
*** spzala has quit IRC		17:43
*** jaosorior_ has joined #openstack-keystone		17:43
*** code-R_ has joined #openstack-keystone		17:44
*** tesseract- has quit IRC		17:44
*** sdake has quit IRC		17:44
*** jaosorior has quit IRC		17:46
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	17:46
*** code-R has quit IRC		17:47
*** jaosorior_ is now known as jaosorior		17:47
*** spzala has joined #openstack-keystone		17:49
*** spzala has quit IRC		17:53
*** spzala has joined #openstack-keystone		17:55
*** catintheroof has quit IRC		17:58
*** julim has joined #openstack-keystone		17:59
*** Nexus_ has joined #openstack-keystone		18:00
*** spzala has quit IRC		18:00
*** nisha__ has quit IRC		18:00
*** jaosorior has quit IRC		18:02
stevemar	#success keystone newton-2 driver is cut! thanks everyone!	18:02
openstackstatus	stevemar: Added success to Success page	18:02
*** sdake has joined #openstack-keystone		18:02
*** GB21 has quit IRC		18:02
*** sdake_ has quit IRC		18:03
*** spzala has joined #openstack-keystone		18:06
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate OS-FEDERATION from specs repo https://review.openstack.org/342322	18:07
samueldmq	stevemar: dstanek: lbragstad: ^	18:07
openstackgerrit	henry-nash proposed openstack/keystone: Improve readability of the api-ref roles section https://review.openstack.org/342325	18:11
*** spzala has quit IRC		18:11
*** spzala has joined #openstack-keystone		18:12
openstackgerrit	henry-nash proposed openstack/keystone: WIP Improve readability of the api-ref roles section https://review.openstack.org/342325	18:14
*** samueldmq has quit IRC		18:15
*** sdake_ has joined #openstack-keystone		18:16
*** spzala has quit IRC		18:17
*** spzala has joined #openstack-keystone		18:18
*** sdake has quit IRC		18:18
*** spzala has quit IRC		18:22
edtubill	ping stevemar	18:23
stevemar	edtubill: yo	18:23
*** spzala has joined #openstack-keystone		18:24
*** spzala has quit IRC		18:25
*** spzala has joined #openstack-keystone		18:25
openstackgerrit	henry-nash proposed openstack/keystone: Improve readability of the api-ref roles section https://review.openstack.org/342325	18:25
edtubill	stevemar: so we have been getting this error for heat using an external heat engine and we been getting an RBAC error for "create_credential". The user that needs access uses our "cloud_admin" role. I'm trying to figure out if allowing cloud_admin access to create_credential will cause security vulnerabilities...	18:25
stevemar	edtubill: hmm, to create_credential... probably not,	18:26
stevemar	the cloud admin could go and create 1000000 credentials now, but likely he could do much worse already ...	18:27
edtubill	ok, I was afraid like the cloud_admin user could make some credential for admin and somehow use that to get admin level access.	18:27
*** roxanaghe has joined #openstack-keystone		18:28
Nexus_	Hello everybody, I am encountering a problem with Keystone / AD integration. We don't have any OU containing all our users and when trying to set user_tree_dn to the root of the domain, Keystone is behaving weirdly	18:28
dstanek	Nexus_: what is happening?	18:29
dstanek	edtubill: i would say that if we allow credentials to be created for any user other than the one making the API call that we've got a bug	18:30
Nexus_	If doing a user show --domain DOMAIN myuser it is hanging and ending up with "could not find resource myuser".	18:30
henrynash	api-ref question? Where do you specifify the supproted query parameters for list APIs? Can’t see this anywhere	18:30
dstanek	henrynash: parameters.yaml?	18:31
*** chrisshattuck has quit IRC		18:31
dstanek	that where we define what they mean and their descriptions	18:31
dstanek	Nexus_: do you see the ldap query in the keystone log?	18:31
Nexus_	If at this point I try to restart the keystone service, it is stuck and I have to kill -9 it	18:31
Nexus_	+dstanek: Yes I see it and it is valid	18:32
henrynash	dstanek:…and where is the link from that to a given API, e.g. list projects?	18:32
Nexus_	I capture the LDAP flow with wireshark and I see the AD server properly answering with the correct LDAP entry	18:32
openstackgerrit	werner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone https://review.openstack.org/317169	18:35
edtubill	stevemar: ok. So after changing the policy file to include cloud_admin and admin for credentials, the admin was able to create credentials for cloud_admin but the cloud_admin was not able to create credentials for admin (This was using totp credentials ...not sure if the credential types behave differently).	18:35
dstanek	henrynash: the request and responses have lists of dictionaries the point back to things in parameters.yaml	18:35
dstanek	henrynash: http://git.openstack.org/cgit/openstack/keystone/tree/api-ref/source/v2/identity-auth.inc#n37	18:35
rderose	hey all you hardcore reviewers, I could use some PCI love if anyone has time :)	18:35
rderose	https://review.openstack.org/#/q/topic:bp/pci-dss+status:open+owner:ronald.de.rose%2540intel.com	18:35
Nexus_	+dstanek: The interesting think is that if I change the user_tree_dn and put an OU instead, then I am able to observe the exact same request / reply in Wireshark but Keystone behaves properly	18:36
edtubill	stevemar: but let me double check that was the behavior we saw.	18:36
dstanek	henrynash: actually the request for this is http://git.openstack.org/cgit/openstack/keystone/tree/api-ref/source/v2/identity-auth.inc#n75 - the dictionary key is what the param is called in the API and the value is what it is called in the parameters file	18:36
dstanek	Nexus_: are you don't see anything interesting in the logs?	18:37
dstanek	edtubill: so you can create credentials for other users?	18:37
henrynash	dtstanek:..ok, got that but..how does that link to something like “domain_id_7:” that is in pararmers.yaml? Sorryto be dumb, but can’t quite understand hwo this hangs together	18:38
edtubill	dstanek: I think somehow the admin can, but I am going to go confirm again that this is the behavior.	18:39
dstanek	henrynash: if you needed to use domain_id_7 you would do something like 'domain_id: domain_id_7' since i presume you call the param domain_id in the api and you just need to use the description from domain_id_7	18:39
*** spzala has quit IRC		18:40
henrynash	dstanek: rather than me waste your time, is there somewhere this is actually documented (or howwe use it)…I’m just totally missing even the basic fundamentals of how this hangs together	18:40
dstanek	henrynash: i'm sure there is.... i just put it all together myself this morning	18:41
Nexus_	dstanek: The last thing I have in the log is the ldap request displayed by the search_s function in common/ldap/core.py	18:41
henrynash	dtsanek: which is making writing docs a bit hit and miss!	18:41
dstanek	henrynash: i actually said in channel earlier that we were doing the docs wrong.... see if this helps https://review.openstack.org/#/c/342253/	18:42
patchbot	dstanek: patch 342253 - keystone - Fixes a variable usage issue	18:42
henrynash	dstanek: the thing I am really missing is where, in parameters.yaml, is the link for a given entry back to a given API that is listed in proejcts, users, roles.rst etc.	18:43
*** ddieterly[away] is now known as ddieterly		18:43
dstanek	henrynash: i don't think you can look at parameters.yaml and easily find what api uses the entries	18:44
dstanek	you can think of parameters.yaml as the same as our schema.py files ( just definitions )	18:45
henrynash	dtsanek: right…so your example makes sense…but where would the link be to a query parameter…since we don;t reference them in the rst? I’ll read up some more!!	18:45
*** chrisshattuck has joined #openstack-keystone		18:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: Copy the preamble / summary of OAuth1 from the specs repo https://review.openstack.org/342347	18:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: re-order the oauth APIs https://review.openstack.org/342348	18:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: add OS-OAUTH1/authorize/{request_token_id} API https://review.openstack.org/342349	18:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add relationship links to OAUTH APIs https://review.openstack.org/342350	18:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: clean up OAUTH API https://review.openstack.org/342351	18:45
dstanek	henrynash: that's where i think we are doing it wrong. you have separate enties for body, path and query params. the tools used _1, _2 to differentiate, but never actually used the _1 version	18:47
henrynash	dstanek: maybe you have to make eaach attribute unique…and then you know if it is “in: query” in parameters.yaml, then you know it is for just that API	18:47
dstanek	henrynash: stevemar had the suggestion earlier to use names like path_domain_id and body_domain_id to that it's easier to see if you are using the first one	18:47
dstanek	s/first/right/	18:47
stevemar	dstanek: who wants to look at the oauth series :P	18:48
henrynash	dstanek: /cuase a domain_id might be OK as a query param in one api, but not another	18:48
henrynash	(be back on line in a bit)	18:48
henrynash	dstanek: thx, chat later	18:48
stevemar	henrynash: dstanek yeah, i'm really thinking a separate yaml file per inc file is needed	18:49
dstanek	henrynash: yeah the .inc file is what defines what is acceptable for each call. talk to you later	18:50
*** jaugustine has joined #openstack-keystone		18:52
*** slberger has joined #openstack-keystone		18:58
*** adu has quit IRC		18:58
knikolla	anybody working on the nonvoting 3.5 gate error?	19:02
stevemar	knikolla: not i	19:03
knikolla	i'm thinking of giving it a shot if i can get past the ast learning curve	19:04
browne	knikolla: https://review.openstack.org/#/c/337952/	19:05
patchbot	browne: patch 337952 - keystone - Add a py35 tox venv for Python 3.5 support	19:05
*** ddieterly is now known as ddieterly[away]		19:05
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	19:05
*** ddieterly[away] is now known as ddieterly		19:06
knikolla	browne: hmmm, that didn't work. i wonder why the values are different.	19:07
openstackgerrit	Merged openstack/keystone: Correct normal response codes in trust documentation https://review.openstack.org/341760	19:07
browne	knikolla: yeah i thought that would do the trick. not sure why the values are different. maybe it was always broken	19:08
*** haplo37_ has quit IRC		19:09
*** mvk has quit IRC		19:10
knikolla	browne: well, it works on 3.4. so need to look up what's new in 3.5.	19:10
dstanek	knikolla: i started looking into it, but got side tracked	19:11
dstanek	browne: adding a 3.5 target doesn't actually change anything. that is included by default in tox	19:12
dstanek	all that list really does is tell tox what enviroments to run if none are specified, e.g. 'tox'	19:12
browne	ok, can py34 also be removed?	19:12
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	19:13
dstanek	browne: i prefer not because i currently run 'tox' to run py27 and py34 (plus all the docs stuff)	19:13
browne	ok, so maybe when py34 is dropped, we would add py35 there	19:14
dstanek	i'm not against adding it. i just want everyone to know what it actually means	19:14
dstanek	browne: back in the day we needed a config section for py34 because we had different test requirements at the time	19:15
browne	ah ok	19:15
dstanek	browne: see https://testrun.org/tox/latest/example/basic.html	19:16
dstanek	using our existing tox.ini you can 'tox -e pypy' for example	19:16
dstanek	assuming you have pypy installed it'll run our tests under it	19:16
*** catintheroof has joined #openstack-keystone		19:18
*** sdake__ has joined #openstack-keystone		19:19
*** sdake_ has quit IRC		19:21
*** tonytan4ever has quit IRC		19:21
*** tonytan4ever has joined #openstack-keystone		19:22
*** rderose has quit IRC		19:23
browne	knikolla: seems node.col_offset is off by one in python3.5	19:23
knikolla	browne: interesting	19:24
*** ddieterly is now known as ddieterly[away]		19:24
knikolla	browne: do you have a link?	19:25
browne	no link, just from examining the code. i don't know a root cause yet. the ast docs don't indicate any change	19:25
*** sdake_ has joined #openstack-keystone		19:25
browne	for example, on this line:	19:27
browne	def f(bad=set(), more_bad={x for x in range(3)}, even_more_bad={1, 2, 3}):	19:27
browne	it flags the column before the =, not after for the first two parameters	19:28
*** sdake__ has quit IRC		19:28
knikolla	browne: i see, that would explain the off by one error	19:29
knikolla	browne: good find	19:29
*** andrewliu117__ has quit IRC		19:30
stevemar	henrynash: around?	19:32
*** rderose has joined #openstack-keystone		19:32
*** nk2527 has quit IRC		19:34
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add "v2 overview" docs to APIs https://review.openstack.org/341739	19:39
stevemar	dstanek: want to punt https://review.openstack.org/#/c/341739/ through? already +2ed by lancey	19:39
patchbot	stevemar: patch 341739 - keystone - Add "v2 overview" docs to APIs	19:39
stevemar	otherwise, i was just gonna punt it through...	19:40
*** gordc has joined #openstack-keystone		19:41
edtubill	stevemar, dstanek: so I think that a user can create a credential for another user. I confirmed it on my devstack... So my cloud_admin user can create a TOTP credential for my admin user. And just to clarify the RBAC setting, I set the credential policies to a non admin role. Should I open up a bug to say that a credential can only be created/updated/viewed/listed by the user that created it?	19:47
*** julim has quit IRC		19:47
*** ddieterly[away] is now known as ddieterly		19:49
*** julim has joined #openstack-keystone		19:49
*** adu has joined #openstack-keystone		19:49
*** spzala has joined #openstack-keystone		19:51
openstackgerrit	Richard Avelar proposed openstack/keystone: Improve user experience involving token flush https://review.openstack.org/341165	19:52
*** adu has quit IRC		19:53
*** roxanaghe has quit IRC		19:56
*** ravelar159 has quit IRC		19:57
*** ametts has quit IRC		20:00
dstanek	stevemar: i +2ed it - do you want me to +A it too?	20:01
*** ravelar159 has joined #openstack-keystone		20:02
dstanek	edtubill: yes, i think so. if we really want to use this for totp then that can't happen	20:04
clenimar	stevemar: wouldnt it be better to move os-inherit first then update based on the commit you just pointed?	20:05
edtubill	dstanek: ok.	20:07
edtubill	stevemar, dstanek: do you know what types there are for credentials? Is it just totp, cert, and ec2? or are there potentially numerous because it's a string?	20:08
*** adu has joined #openstack-keystone		20:09
*** rderose has quit IRC		20:10
*** rderose has joined #openstack-keystone		20:11
*** timcline has joined #openstack-keystone		20:12
*** timcline has quit IRC		20:12
dstanek	edtubill: it can be whatever. keystone doesn't dictate what can be stored there	20:12
*** timcline has joined #openstack-keystone		20:13
*** gyee has joined #openstack-keystone		20:13
*** ChanServ sets mode: +v gyee		20:13
*** ametts has joined #openstack-keystone		20:15
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Update identity endpoint in v3 samples https://review.openstack.org/341829	20:18
*** rderose has quit IRC		20:19
edtubill	dstanek: ok, so do you think there is a way (besides totp) for a non admin user to create a credential for the admin user and then use that credential to log in as the admin user?	20:19
*** rderose has joined #openstack-keystone		20:20
*** roxanaghe has joined #openstack-keystone		20:20
dstanek	edtubill: i don't think so. i don't think that keystone (other than totp) uses that data for anything relasted to auth	20:24
edtubill	dstanek: ok thanks!	20:25
dstanek	edtubill: as i understand the history is was just for someone to store their own secrets (like barbican), but using keystone instead of another dependency	20:25
edtubill	dstanek: oh okay, so it was supposed to store some type of secret blob for a user?	20:26
stevemar	dstanek: sure, start gating those changes	20:27
stevemar	clenimar: sure, we can do that	20:28
clenimar	stevemar: also the samples need to be put in json files in order to match what we've been doing already	20:29
stevemar	clenimar: yeppers	20:29
*** tonytan4ever has quit IRC		20:31
henrynash	stevemar: hi	20:32
stevemar	henrynash: yo	20:32
stevemar	henrynash: just wanted you to review clenimar's change for os-inherit	20:32
stevemar	but its late now!	20:32
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Remove the v2.0 section from our APIs https://review.openstack.org/342395	20:33
henrynash	ok, sorry	20:33
*** dan_nguyen has joined #openstack-keystone		20:34
henrynash	what was the link, I’ll review and make a follow up patch if needed	20:34
clenimar	henrynash: https://review.openstack.org/#/c/341912/	20:35
patchbot	clenimar: patch 341912 - keystone - Move OS-INHERIT api-ref from extensions to core	20:35
*** ravelar159 has quit IRC		20:35
clenimar	it certainly needs a follow up patch :)	20:35
henrynash	stevemar: actually that’s teh one I am looking at now…it hasnn’t merged yet	20:35
clenimar	this is just moving the old stuff into the core	20:35
henrynash	clenimar: looks good to me	20:39
*** roxanaghe has quit IRC		20:40
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Put the APIs in the attic https://review.openstack.org/342399	20:42
*** roxanaghe has joined #openstack-keystone		20:42
stevemar	dstanek: henrynash thoughts on https://review.openstack.org/#/c/342395/1 and https://review.openstack.org/#/c/342399/1	20:42
patchbot	stevemar: patch 342395 - keystone-specs - Remove the v2.0 section from our APIs	20:42
patchbot	stevemar: patch 342399 - keystone-specs - Put the APIs in the attic	20:42
henrynash	dstanek: looking	20:43
stevemar	i don't really care to keep the v2 stuff around, there were no APIs there per say, just random notes	20:43
*** rderose has quit IRC		20:44
henrynash	stevemar: ++ agreed	20:44
*** rderose has joined #openstack-keystone		20:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: Correct normal response codes for v2.0 extensions https://review.openstack.org/341783	20:46
henrynash	yadq (yet another dumb question)…so how do I actually see the api-ref changes for a given patch?	20:47
henrynash	i mean, see them formatted nicely	20:47
henrynash	ahh, just seen it! foolishly thought it was part of teh docs job!	20:49
stevemar	:)	20:51
stevemar	henrynash: it's the only cleverly named api-ref	20:51
henrynash	indeed! subte that, eh?	20:51
henrynash	whodathought	20:51
stevemar	henrynash: note that it shows you the index.html that lists all of them, you gotta go to the direct one (or the top level one)	20:52
stevemar	oh another https://review.openstack.org/#/c/342294/2	20:52
patchbot	stevemar: patch 342294 - keystone - Add v2.0 /endpoints/ api-ref	20:52
stevemar	i missed it	20:52
stevemar	henrynash: why no +A https://review.openstack.org/#/c/341912/ ?	20:53
patchbot	stevemar: patch 341912 - keystone - Move OS-INHERIT api-ref from extensions to core	20:53
henrynash	stevemar: oh, yes, hsould have done….no reason	20:53
stevemar	i flipped it :)	20:53
henrynash	:-)	20:53
stevemar	clenimar: missed a few here: https://review.openstack.org/#/c/341829/2	20:58
patchbot	stevemar: patch 341829 - keystone - Update identity endpoint in v3 samples	20:58
stevemar	clenimar: also need to do the v3-ext samples :(	20:58
clenimar	stevemar: whops... gonna fix it :)	20:59
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Put the APIs in the attic https://review.openstack.org/342399	20:59
*** adrian_otto has quit IRC		21:00
*** thumpba has quit IRC		21:01
lbragstad	wow - we have so much federation documentation	21:05
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Update identity endpoint in v3 and v3-ext samples https://review.openstack.org/341829	21:05
*** raildo has quit IRC		21:07
stevemar	lbragstad: it's a biggie	21:08
*** roxanagh_ has joined #openstack-keystone		21:12
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Update identity endpoint in v3 and v3-ext samples https://review.openstack.org/341829	21:12
*** dan_nguyen has quit IRC		21:16
*** roxanagh_ has quit IRC		21:16
*** adu has quit IRC		21:16
*** ddieterly has quit IRC		21:18
*** edtubill has quit IRC		21:20
*** rcernin has quit IRC		21:24
*** Nexus_ has quit IRC		21:27
henrynash	stevemar, dstanek: so I’m taking a crack and making query params work properly for an example listing API (roles and role assignmnets in this case)….will post shorlty	21:28
henrynash	(shortly)	21:28
*** tonytan4ever has joined #openstack-keystone		21:32
*** adu has joined #openstack-keystone		21:33
*** tonytan4ever has quit IRC		21:37
stevemar	clenimar: still a few more comments to address here: https://review.openstack.org/#/c/341829/ :)	21:40
patchbot	stevemar: patch 341829 - keystone - Update identity endpoint in v3 and v3-ext samples	21:40
openstackgerrit	Gage Hugo proposed openstack/keystone: (WIP) Add scheme for endpoint_policy https://review.openstack.org/342440	21:40
*** catintheroof has quit IRC		21:40
openstackgerrit	Clenimar Filemon proposed openstack/keystone: Update identity endpoint in v2 samples https://review.openstack.org/341841	21:41
openstackgerrit	henry-nash proposed openstack/keystone: Improve readability of the api-ref roles section https://review.openstack.org/342325	21:41
openstackgerrit	henry-nash proposed openstack/keystone: Fix up the api-ref for role query paramaters https://review.openstack.org/342441	21:41
*** pauloewerton has quit IRC		21:41
openstackgerrit	Gage Hugo proposed openstack/keystone: (WIP) Add schema for endpoint_policy https://review.openstack.org/342440	21:41
clenimar	stevemar: oh lord why	21:43
clenimar	thank you, steve	21:44
clenimar	i'll fix it soon	21:44
*** gagehugo has quit IRC		21:46
*** jaugustine has quit IRC		21:49
*** edmondsw has quit IRC		21:52
*** roxanaghe has quit IRC		21:53
openstackgerrit	henry-nash proposed openstack/keystone: Improve readability of the api-ref roles section https://review.openstack.org/342325	21:56
openstackgerrit	henry-nash proposed openstack/keystone: Fix up the api-ref for role query paramaters https://review.openstack.org/342441	21:56
openstackgerrit	Merged openstack/keystone: Add "v2 overview" docs to APIs https://review.openstack.org/341739	22:00
openstackgerrit	Merged openstack/keystone: Add OS-EP-FILTER to api-ref https://review.openstack.org/341787	22:00
openstackgerrit	Merged openstack/keystone: Move OS-INHERIT api-ref from extensions to core https://review.openstack.org/341912	22:01
*** ametts has quit IRC		22:01
*** phalmos has quit IRC		22:02
*** openstackgerrit has quit IRC		22:03
*** openstackgerrit has joined #openstack-keystone		22:03
openstackgerrit	henry-nash proposed openstack/keystone: Fix up the api-ref for role query paramaters https://review.openstack.org/342441	22:04
*** dan_nguyen has joined #openstack-keystone		22:05
*** mvk has joined #openstack-keystone		22:05
*** adu has quit IRC		22:11
*** spzala has quit IRC		22:12
openstackgerrit	henry-nash proposed openstack/keystone: Improve readability of the api-ref roles section https://review.openstack.org/342325	22:14
openstackgerrit	henry-nash proposed openstack/keystone: Fix up the api-ref for role query paramaters https://review.openstack.org/342441	22:17
henrynash	stevemar: first two role api-ref updates are up and ready: https://review.openstack.org/342325 and https://review.openstack.org/342441	22:18
*** KevinE has quit IRC		22:25
*** ntpttr has quit IRC		22:31
*** ntpttr has joined #openstack-keystone		22:31
*** tonytan4ever has joined #openstack-keystone		22:33
*** spzala has joined #openstack-keystone		22:37
*** tonytan4ever has quit IRC		22:38
openstackgerrit	Merged openstack/keystone: Remove a validate_token_bind call https://review.openstack.org/342046	22:44
openstackgerrit	Merged openstack/keystone: Pass request to normalize_domain_id https://review.openstack.org/342052	22:44
*** timcline has quit IRC		22:49
*** adu has joined #openstack-keystone		22:50
*** timcline has joined #openstack-keystone		22:50
*** slberger has left #openstack-keystone		22:53
*** roxanaghe has joined #openstack-keystone		22:53
*** itlinux has joined #openstack-keystone		22:54
*** timcline has quit IRC		22:55
openstackgerrit	Eric Brown proposed openstack/keystone: Add support for Python 3.5 https://review.openstack.org/337952	22:57
*** ddieterly has joined #openstack-keystone		22:59
openstackgerrit	Merged openstack/keystone: Correct normal response codes for v2.0 extensions https://review.openstack.org/341783	23:01
*** tonytan4ever has joined #openstack-keystone		23:05
*** ddieterly has quit IRC		23:06
*** chrisshattuck has quit IRC		23:08
*** jerrygb has joined #openstack-keystone		23:08
*** adrian_otto has joined #openstack-keystone		23:13
*** praneshp has joined #openstack-keystone		23:19
*** jerrygb has quit IRC		23:24
openstackgerrit	henry-nash proposed openstack/keystone: Fix up numerous errors in params in api-ref for roles https://review.openstack.org/342468	23:28
*** roxanaghe has quit IRC		23:28
*** spzala has quit IRC		23:32
openstackgerrit	Merged openstack/keystone: Improve user experience involving token flush https://review.openstack.org/341165	23:35
*** praneshp has quit IRC		23:39
*** itlinux has quit IRC		23:45
*** spzala has joined #openstack-keystone		23:46
*** itlinux has joined #openstack-keystone		23:48
*** tonytan4ever has quit IRC		23:49
*** spzala has quit IRC		23:51
*** thumpba has joined #openstack-keystone		23:54
*** david-lyle has quit IRC		23:54
*** dan_nguyen has quit IRC		23:55
*** gordc has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!