Wednesday, 2016-12-14

« Tuesday, 2016-12-13 Index Thursday, 2016-12-15 »
*** lamt has quit IRC00:02
*** chris_hultin is now known as chris_hultin|AWA00:06
*** asettle has joined #openstack-keystone00:10
*** itisha has quit IRC00:12
*** asettle has quit IRC00:14
openstackgerritMerged openstack/keystone: Do not manually remove /etc/shibboleth folder  https://review.openstack.org/41035600:14
*** rcernin has quit IRC00:22
*** spzala has quit IRC00:26
*** stingaci has joined #openstack-keystone00:28
*** aselius has quit IRC00:30
*** harlowja has joined #openstack-keystone00:30
*** ravelar has quit IRC00:41
*** guoshan has joined #openstack-keystone00:43
*** hoangcx has joined #openstack-keystone01:01
*** Zer0Byte__ has quit IRC01:06
*** asettle has joined #openstack-keystone01:13
*** guoshan has quit IRC01:16
*** asettle has quit IRC01:18
*** zhangjl has joined #openstack-keystone01:22
*** markvoelker has quit IRC01:29
*** guoshan has joined #openstack-keystone01:33
*** liujiong has joined #openstack-keystone01:50
*** chrisplo has quit IRC01:51
*** zhugaoxiao has quit IRC01:51
*** zhugaoxiao has joined #openstack-keystone01:52
openstackgerritRichard Avelar proposed openstack/keystone: Add checks for doctor credential symptoms  https://review.openstack.org/40928901:52
*** tqtran has quit IRC02:07
*** dave-mccowan has quit IRC02:10
*** dave-mccowan has joined #openstack-keystone02:11
*** stingaci has quit IRC02:57
openstackgerritLance Bragstad proposed openstack/keystone: Add tests for password requirements API  https://review.openstack.org/41051503:01
openstackgerritLance Bragstad proposed openstack/keystone: WIP implementation for password requirements API  https://review.openstack.org/41051603:01
lbragstadstevemar i want to get some eyes on the tests for password requirements here - https://review.openstack.org/#/c/410515/1/keystone/tests/unit/test_v3_domain_config.py03:03
lbragstadstevemar let me know if that's missing anything big - but i think it primarily boils down to only being able to read things from the security_compliance section, and never being able to update things in the security compliance section03:03
lbragstadi want to try and expose everything in the tests as i write the code for it03:04
lbragstadstevemar hmm - domain config is v3 only... is horizon expecting to be able to apply this stuff to v2.0?03:08
*** stingaci has joined #openstack-keystone03:10
*** stingaci has quit IRC03:14
*** phalmos_ has quit IRC03:14
*** phalmos has joined #openstack-keystone03:15
*** EmilienM has quit IRC03:19
*** EmilienM has joined #openstack-keystone03:19
openstackgerritLance Bragstad proposed openstack/keystone: Add tests for password requirements API  https://review.openstack.org/41051503:30
*** markvoelker has joined #openstack-keystone03:30
*** markvoelker has quit IRC03:35
*** dave-mccowan has quit IRC03:39
*** chrisplo has joined #openstack-keystone03:40
*** stingaci has joined #openstack-keystone03:50
*** dikonoo has joined #openstack-keystone03:51
*** dikonoor has joined #openstack-keystone03:51
*** stingaci has quit IRC03:54
*** tqtran has joined #openstack-keystone04:03
*** hoangcx has quit IRC04:04
*** guoshan has quit IRC04:05
*** nicolasbock has quit IRC04:05
*** tqtran has quit IRC04:08
*** udesale has joined #openstack-keystone04:14
*** adrian_otto has joined #openstack-keystone04:29
*** adrian_otto has quit IRC04:42
stevemarlbragstad: isn't the pci stuff v2 only? i think the v3 limitation for the config options is fine04:42
*** chlong has joined #openstack-keystone04:44
*** links has joined #openstack-keystone04:57
*** adrian_otto has joined #openstack-keystone04:59
*** guoshan has joined #openstack-keystone05:06
*** tqtran has joined #openstack-keystone05:06
*** chrisplo has quit IRC05:07
breton_https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers -- New NIST password guidelines: don't require character types or rotation05:08
*** tqtran has quit IRC05:10
*** adrian_otto has quit IRC05:10
*** guoshan has quit IRC05:11
*** asettle has joined #openstack-keystone05:14
*** asettle has quit IRC05:21
*** kfox1111 has quit IRC05:30
*** kfox1111 has joined #openstack-keystone05:30
*** markvoelker has joined #openstack-keystone05:31
*** chrisplo has joined #openstack-keystone05:34
*** markvoelker has quit IRC05:37
*** chrisplo_ has joined #openstack-keystone05:38
openstackgerritMerged openstack/keystone: Add id to conflict error if caused by duplicate id  https://review.openstack.org/40901005:39
*** chrisplo has quit IRC05:40
*** jaosorior has joined #openstack-keystone05:50
*** adriant has quit IRC05:53
*** hyakuhei has quit IRC06:03
*** guoshan has joined #openstack-keystone06:08
*** guoshan has quit IRC06:12
*** guoshan has joined #openstack-keystone06:14
*** liujiong has quit IRC06:28
*** liujiong has joined #openstack-keystone06:28
*** stingaci has joined #openstack-keystone06:35
openstackgerritMerged openstack/keystone: Refactors _get_names_from_role_assignments  https://review.openstack.org/40807406:38
*** stingaci has quit IRC06:40
*** richm has quit IRC06:40
*** afazekas has quit IRC06:40
*** afazekas has joined #openstack-keystone06:42
*** edmondsw has joined #openstack-keystone06:54
*** stingaci has joined #openstack-keystone06:56
*** edmondsw has quit IRC06:59
*** markvoelker has joined #openstack-keystone07:00
*** stingaci has quit IRC07:00
*** tobberydberg has joined #openstack-keystone07:04
*** markvoelker has quit IRC07:06
*** tobberyd_ has joined #openstack-keystone07:06
*** tobberyd_ has quit IRC07:06
*** tobberyd_ has joined #openstack-keystone07:06
*** maestropandy has joined #openstack-keystone07:07
*** tobberydberg has quit IRC07:09
*** AlexeyAbashkin has joined #openstack-keystone07:09
*** maestropandy has left #openstack-keystone07:14
*** jdennis has joined #openstack-keystone07:17
*** asettle has joined #openstack-keystone07:18
*** bapalm has quit IRC07:18
*** jdennis1 has quit IRC07:18
*** asettle has quit IRC07:25
*** chrisplo_ has quit IRC07:36
*** bapalm has joined #openstack-keystone07:38
*** zhangjl1 has joined #openstack-keystone07:55
*** rcernin has joined #openstack-keystone07:56
*** rcernin has quit IRC07:56
*** zhangjl has quit IRC07:57
*** rcernin has joined #openstack-keystone07:57
*** pcaruana has joined #openstack-keystone07:59
*** tqtran has joined #openstack-keystone08:08
*** tqtran has quit IRC08:12
*** jaosorior has quit IRC08:16
*** jaosorior has joined #openstack-keystone08:16
*** henrynash has joined #openstack-keystone08:30
*** ChanServ sets mode: +v henrynash08:30
*** henrynash has quit IRC08:34
*** henrynash has joined #openstack-keystone08:37
*** ChanServ sets mode: +v henrynash08:37
*** Zer0Byte__ has joined #openstack-keystone08:40
*** henrynash has quit IRC08:42
*** daemontool has joined #openstack-keystone08:44
*** openstackgerrit has quit IRC08:48
*** zhangjl1 has left #openstack-keystone08:51
*** dikonoor has quit IRC08:54
*** dikonoo has quit IRC08:54
*** dikonoor has joined #openstack-keystone08:54
*** edmondsw has joined #openstack-keystone08:55
*** daemontool_ has joined #openstack-keystone08:55
*** amoralej|off is now known as amoralej08:56
*** daemontool has quit IRC08:58
*** edmondsw has quit IRC08:59
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** markvoelker has joined #openstack-keystone09:02
*** markvoelker has quit IRC09:07
*** tobberyd_ has quit IRC09:10
*** openstackgerrit has joined #openstack-keystone09:10
openstackgerrityunfeng zhou proposed openstack/keystone: Internationalization (i18n) Strings  https://review.openstack.org/41062209:10
openstackgerrityunfeng zhou proposed openstack/keystone: Internationalization (i18n) Strings  https://review.openstack.org/41062209:15
*** tobberyd_ has joined #openstack-keystone09:21
*** tobberyd_ has quit IRC09:26
*** itisha has joined #openstack-keystone09:39
*** Zer0Byte__ has quit IRC09:41
*** asettle has joined #openstack-keystone09:44
*** tobberydberg has joined #openstack-keystone09:52
*** pnavarro has joined #openstack-keystone09:57
*** liujiong has quit IRC10:01
*** tobberydberg has quit IRC10:03
*** tobberydberg has joined #openstack-keystone10:04
*** tobberydberg has quit IRC10:08
*** tqtran has joined #openstack-keystone10:09
*** brad[] has quit IRC10:11
*** tqtran has quit IRC10:13
*** tobberydberg has joined #openstack-keystone10:14
*** tobberydberg has quit IRC10:19
*** mvk has quit IRC10:24
*** chrisplo_ has joined #openstack-keystone10:32
*** tobberydberg has joined #openstack-keystone10:36
*** chrisplo_ has quit IRC10:36
*** links has quit IRC10:38
*** links has joined #openstack-keystone10:38
*** guoshan has quit IRC10:40
*** tobberydberg has quit IRC10:47
*** tobberydberg has joined #openstack-keystone10:56
*** mvk has joined #openstack-keystone10:56
*** tobberydberg has quit IRC11:01
*** markvoelker has joined #openstack-keystone11:02
*** udesale has quit IRC11:05
*** pnavarro has quit IRC11:06
*** markvoelker has quit IRC11:07
*** richm has joined #openstack-keystone11:10
*** jaosorior has quit IRC11:19
*** brad[] has joined #openstack-keystone11:24
*** tobberydberg has joined #openstack-keystone11:29
*** jaosorior has joined #openstack-keystone11:30
*** nicolasbock has joined #openstack-keystone11:32
*** tobberyd_ has joined #openstack-keystone11:38
*** tobbery__ has joined #openstack-keystone11:40
*** guoshan has joined #openstack-keystone11:41
*** tobberydberg has quit IRC11:41
*** tobber___ has joined #openstack-keystone11:41
*** tobberyd_ has quit IRC11:43
*** tobbery__ has quit IRC11:44
*** tobberydberg has joined #openstack-keystone11:44
*** tobber___ has quit IRC11:45
*** guoshan has quit IRC11:46
*** tobberydberg has quit IRC11:49
*** tobberydberg has joined #openstack-keystone11:50
*** pnavarro has joined #openstack-keystone11:56
*** stingaci has joined #openstack-keystone12:03
*** dave-mccowan has joined #openstack-keystone12:04
*** stingaci has quit IRC12:07
*** tqtran has joined #openstack-keystone12:11
*** tqtran has quit IRC12:15
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947212:26
*** jamielennox is now known as jamielennox|away12:43
*** guoshan has joined #openstack-keystone12:43
*** nklenke has joined #openstack-keystone12:47
*** jamielennox|away is now known as jamielennox12:50
*** amoralej is now known as amoralej|lunch12:55
*** nklenke has quit IRC12:57
*** guoshan has quit IRC12:58
*** markvoelker has joined #openstack-keystone13:03
*** markvoelker has quit IRC13:08
*** edmondsw has joined #openstack-keystone13:13
*** mvk has quit IRC13:15
*** edmondsw_ has joined #openstack-keystone13:20
*** edmondsw_ has quit IRC13:20
*** markvoelker has joined #openstack-keystone13:24
*** brad[] has quit IRC13:28
*** daemontool_ has quit IRC13:30
*** chlong has quit IRC13:32
*** lamt has joined #openstack-keystone13:35
*** lamt has quit IRC13:39
samueldmqmorning keystone13:40
*** brad[] has joined #openstack-keystone13:52
*** guoshan has joined #openstack-keystone13:55
*** guoshan has quit IRC13:59
*** hrybacki is now known as hrybacki|mtg14:01
*** ayoung has quit IRC14:04
*** amoralej|lunch is now known as amoralej14:07
*** tqtran has joined #openstack-keystone14:12
*** tqtran has quit IRC14:17
*** pnavarro has quit IRC14:19
rderosemorning14:26
*** asettle has quit IRC14:31
*** asettle has joined #openstack-keystone14:32
rderosesamueldmq: just left you a note on this one: https://review.openstack.org/#/c/40994614:32
samueldmqrderose: looking14:32
dstaneklbragstad: i'm looking at the shadow mapping spec again and it seems to overlap with what rderose is doing with idps14:32
samueldmqrderose: nice. do you mind adding that to the commit message so it's clear to everyone ?14:33
samueldmqrderose: it was not clear to me, for example14:33
rderosesamueldmq: sure14:33
dstaneklbragstad: it's not entirely clear to me that the spec actually changes the JSON at all so it may be better to use a separate spec14:34
dstanekoh rderose you're mentioned on that spec too14:36
rderosedstanek: shadow mapping?14:36
*** mvk has joined #openstack-keystone14:36
dstanekrderose: yeah14:37
dstanekrderose: it talks about adding a domain_id key, but with what you are doing now you wouldn't need to do that anymore right?14:37
*** phalmos has quit IRC14:38
rderosedstanek: correct14:38
rderosedstanek: to me that part was a flaw because an IdP can have multiple protocols; multiple mappings14:39
rderosedstanek: so you could end up with multiple domains if tied to the mapping14:39
rderosedstanek: so now the mapping can get the domain from the IdP14:39
rderosewith: https://review.openstack.org/#/c/399684/14:40
dstanekrderose: ok, that's what i was thinking14:42
openstackgerritRon De Rose proposed openstack/keystone: Make user to nonlocal_user a 1:1 relationship  https://review.openstack.org/40994614:43
rderosesamueldmq: ^14:43
lbragstadstevemar you mean v3 only?14:44
dstanekrderose: so basically we have to find a way to get the IdP information into the mapping engine14:44
rderosedstanek: no, when processing the mapping, you would get the domain from the IdP14:45
dstanekrderose: how?14:45
dstanekrderose: or will the creation of resources come after the mapping has occurred? (actually that's probably ideal from an implementation perspective anyway)14:46
*** udesale has joined #openstack-keystone14:47
samueldmqrderose: looking nice. just another question inline (in the test)14:47
rderosedstanek: creation of resources happen when the user federates into keystone14:48
rderosedstanek: at that point, you know the IdP, right?14:49
lbragstadrderose I would think so14:49
dstanekrderose: i was asking specifically about the mapper which does not14:49
dstanekbut i don't think you would create resources in there anyway14:49
dstaneksomething after that should probably take the resulting dictionary and inspect it14:50
lbragstaddstanek rderose when dolphm and i originally looked at the shadow mapping stuff, we didn't really have a good way to incorporate the domain_id in the mapping14:50
rderosedstanek: mapping is just a set of rules that gets processed by the mapping engine14:50
dstanekrderose: right14:50
rderosedstanek: so you could pass in the domain to the mapping engine when it does the provisioning14:51
dstanekrderose: where do you anticipate creating the resources? not in the mapper right?14:52
rderosedstanek: mapper?  mapping engine or mapping?14:53
lbragstadrderose are you expecting the mapping engine to create the domain?14:53
rderoselbragstad: no14:53
rderosethe domain would be created as part of the idp creation14:53
dstanekmapper is the rule processing engine...or anything in keystone.federation.utils14:53
lbragstadok - just checking14:53
dstanekrderose: i would expect things to be created after that has run by the calling code14:54
rderosedstanek: the mapper is processing the rules and would call code to do the provisioning14:54
rderosedstanek: at the time of federated auth14:55
dstaneki don't think it should. i think i should remain as generic as possible.14:55
rderosedstanek: what do you mean by generic?14:55
*** guoshan has joined #openstack-keystone14:56
dstanekrderose: all it knows is processing rules and nothing about the drivers right now. i don't know why we wouldn't keep it that way if we could.14:56
rderosedstanek: shadow mapping is about enhancing the mapping engine to do auto provisioning14:56
dstanekrderose: i think the calling code should do it14:57
*** links has quit IRC14:57
lbragstaddstanek what's the calling code?14:57
rderosedstanek: the controller?14:57
rderoseor actually the manager14:57
rderoseor the auth plugin?14:58
dstanekright now it's in the driver base i think14:58
rderosedstanek: whatever does the provisioning will be calling the api (core); not drivers14:59
rderosedstanek: but I could see the mapping engine returning a set of provisioning tasks and something else does the provisioning14:59
dstanekhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/federation/core.py#n10014:59
*** jaugustine has joined #openstack-keystone15:00
*** guoshan has quit IRC15:00
rderosedstanek:++15:00
rderosedstanek: makes sense15:00
*** jlk has quit IRC15:01
lbragstadrderose well - if the mapping engine doesn't do the provisioning, all it would need to do would be to pass back the values of whatever the mapping evaluated to15:02
*** hrybacki|mtg is now known as hrybacki15:02
dstanekbecause right now not even that code knows about the resource manager let alone utilties like the mapping engine15:02
*** mvk has quit IRC15:02
rderoselbragstad dstanek: agree15:02
dstaneklbragstad: take a look at that method. it gets them from the eninge and also retuns them15:02
*** jlk has joined #openstack-keystone15:03
*** jlk has quit IRC15:03
*** jlk has joined #openstack-keystone15:03
lbragstaddstanek you're talking about keystone.federation.core:Manager.evaluate()15:03
dstaneklbragstad: are you getting my email on you rax account?15:03
dstaneklbragstad: right15:04
lbragstaddstanek i think so15:04
rderosedstanek: so evaluate is doing this, just returning the mapping results15:05
rderosedstanek: and something else is doing the processing15:05
dstaneklbragstad: ok, it didn't seem to work and jorge just responded with what i was suggesting anyway :-)15:05
SamYaplehello. im seeing "NoMatchingPlugin: The plugin v3scopedsaml could not be found" in a new virtualenv and I can't understand why. Any suggestions?15:06
dstanekrderose: correct. that's the auth plugin for federation15:06
SamYapleMore info: http://paste.openstack.org/show/592355/15:06
dstanekrderose: errr....mapped. we renamed it some time ago15:06
lbragstadhttps://github.com/openstack/keystone/blob/c30b539bda5acf80d22f98f0712e688022b4b20b/keystone/auth/plugins/mapped.py#L198-L19915:06
SamYaple /win 2215:06
dstanekSamYaple: nope, you're still here!15:06
SamYapledstanek: :)15:07
dstanekSamYaple: hmmm...is that the right entrypoint name?15:07
SamYapledstanek: its what is in setup.cfg15:07
SamYaplethe entry point is correct... but when i debug stevedore is getting namespace 'keystoneauth1.plugins' which i think is wrong15:08
dstanekSamYaple: hmmm...that should be picked up unless maybe it fails silently on import error or something15:08
lbragstaddstanek rderose so in that case you're thinking about making https://github.com/openstack/keystone/blob/c30b539bda5acf80d22f98f0712e688022b4b20b/keystone/auth/plugins/mapped.py#L198-L199 process whatever the mapped_properties are and doing the provisioning?15:08
SamYapledstanek: im not sure, this works in one environment, and i cant get it to work with either mitaka containts python-openstackclient, or latest15:08
rderoselbragstad: yeah, I think so15:09
dstaneklbragstad: yes, because https://github.com/openstack/keystone/blob/c30b539bda5acf80d22f98f0712e688022b4b20b/keystone/auth/plugins/mapped.py#L3215:09
dstanekit already knows the identity_api15:09
lbragstadah - sure15:09
lbragstadthat makes sense15:09
dstanekerr... resource api15:09
lbragstadwell - it knows both15:09
lbragstadit would need to know about the assignment api, too15:10
dstanekSamYaple: what happens when you just import the code?15:10
lbragstadbut that's probably not that big of a deal15:10
dstaneklbragstad: yep, but that's an easy leap since it knows about everything else :-)15:10
rderoselbragstad dstanek: or, you could let the federation API to the provisioning; called from the mapped plugin15:10
lbragstaddstanek rderose so what happens if we ever have another plugin that does something similar to mapped?15:10
SamYapledstanek: I can import https://github.com/openstack/python-keystoneclient/blob/master/setup.cfg#L3715:11
rderoselbragstad: hmm...15:11
dstanekrderose: sure you could possibly do that. i'd be open for which ever seems better15:11
dstanekrderose: i just didn't want my mapper to grow a third arm unnecessarily :-)15:11
lbragstadrderose dstanek i guess a better question would be, do we think the mapped plugin will *always* handle all federated authentications?15:12
dstanekSamYaple: 'import keystoneclient.contrib.auth.v3.saml2' worked ok?15:12
rderosedstanek lbragstad: true and I don't wan the auth plugin to grow a 3rd arm15:12
rderose:)15:12
SamYapledstanek: yea15:13
lbragstadso - it sounds like the real questions is "who wants to grow a third arm?"15:13
*** spzala has joined #openstack-keystone15:13
lbragstadif we *really* need a third arm to grow, who should do it]15:13
dstanekSamYaple: hmmm...how did you create the virtualenv? i'll like to try to test it15:13
rderoselbragstad: ++15:14
rderoselbragstad: federation_api seems more appropriate to me15:14
dstaneklbragstad: rderose: ideally it won't be a third arm at all. the logic should belong somewhere. ideally were we are already process that data or creating related objects.15:14
lbragstaddstanek rderose so - what creates the shadow user now?15:15
* dstanek takes off his software engineering hat and puts on a Beer Guzzler Helmet (filled with coffee of course)15:15
rderoselbragstad: identity_api15:16
rderoseidentity_api calls shadow backend15:16
*** mvk has joined #openstack-keystone15:16
lbragstadrderose what calls the identity api to do that15:16
SamYapledstanek: nope! found it. got my environments mxed up15:16
rderoseauth15:16
dstaneklbragstad: the plugin15:16
rderoselbragstad: auth plugin15:17
SamYapledstanek: good ol' missing python-lxml15:17
*** narasimha_SV has joined #openstack-keystone15:17
dstanekSamYaple: ha15:17
SamYapledstanek: thank you!15:17
dstanekglad you got it working before i started creating a new env :-)15:17
lbragstadrderose dstanek ah - here https://github.com/openstack/keystone/blob/c30b539bda5acf80d22f98f0712e688022b4b20b/keystone/auth/plugins/mapped.py#L15515:17
narasimha_SVhttp://docs.openstack.org/developer/keystone/federation/federated_identity.html#keystone-as-an-identity-provider-idp I followed this link to have k2k federation15:18
dstaneknarasimha_SV: did it work?15:18
*** jaugustine has quit IRC15:18
narasimha_SVhow to check that I am confused how to check this ?15:18
dstaneknarasimha_SV: how you do see if it's working?15:19
narasimha_SVi can see both IDP and SP keystone commands are working15:19
stevemaro/15:19
dstaneknarasimha_SV: what's the issue?15:20
narasimha_SVbut how to test this that I can confirm both are working15:20
*** chlong has joined #openstack-keystone15:21
narasimha_SVif I create users in IDP keystone do they need to be reflected in SP keystone ???15:21
narasimha_SVwill that be my validation of working setup ?15:21
dstaneknarasimha_SV: http://docs.openstack.org/developer/keystone/federation/federated_identity.html#testing-it-all-out15:22
lbragstaddstanek rderose so - would we just make another method in the federation api called auto_provision() that takes the mapping creates everything/15:22
dstaneknarasimha_SV: you don't explicitly create users in your SP at all. you just need them in the IdP so that you can login to the SP15:22
lbragstaddstanek rderose then that would be called from within the mapped plugin?15:23
rderoselbragstad: that could work15:23
dstanekyour SP will need a mapping for your IdP and whatever projects you need already created15:23
lbragstadrderose is that where you guys were headed or am I still in left field?15:23
dstaneklbragstad: that would be reasonable15:23
rderoselbragstad: that's where I was headed :)15:23
lbragstadrderose sweet15:23
* lbragstad stands with rderose in left field15:24
narasimha_SVhttp://docs.openstack.org/developer/keystone/federation/federated_identity.html#add-identity-provider-s-mapping-s-and-protocol-s15:24
narasimha_SVthis is what you are talking about right ?15:24
narasimha_SVthe mapping which needs to be created for all the keystone related stuff ?15:24
dstaneknarasimha_SV: yes the stuff from that link15:25
lbragstadand I suppose that federation_api.auto_provision(mapped_properties) would be called somewhere around here - https://github.com/openstack/keystone/blob/c30b539bda5acf80d22f98f0712e688022b4b20b/keystone/auth/plugins/mapped.py#L155-L15715:25
narasimha_SVso if i created that mapping file and add to the IDP then what ever i have created over IDP can be used in SP right ?15:26
rderoserodrigods: you around?15:27
*** nklenke has joined #openstack-keystone15:27
rodrigodsrderose, in a meeting... but can try to respond15:28
lbragstadstevemar were you expecting horizon to use the password requirements API for v2 calls at all ?15:28
rderoserodrigods: just left you a comment on: https://review.openstack.org/#/c/399157/1215:28
rderoserodrigods: I'm not following "we also need to have the possibility to list identity providers by domain_id"15:29
rodrigodsrderose, ahh...15:29
rodrigodsrderose, so... you are adding a field to IdPs, right?15:29
*** chris_hultin|AWA is now known as chris_hultin15:29
rderoserodrigods: yes15:29
*** phalmos has joined #openstack-keystone15:29
rodrigodsrderose, it is expected that i can filter IdPs based on that field15:29
stevemarlbragstad: if the right move architecturally is to make it v3 only then i'm OK with not extending v2 features15:29
stevemarlbragstad: more encouragement for folks to move to v315:30
*** jefrite_ has quit IRC15:30
rderoserodrigods: not necessarily15:30
rodrigodsrderose, at least, for this case i think it is15:30
rderoserodrigods: why?15:30
*** chrisplo_ has joined #openstack-keystone15:31
rodrigodsrderose, listing idps per domain?15:31
rodrigodsit is not a 1:1 relationship, right?15:31
*** chrisplo_ has quit IRC15:31
rderoserodrigods: it is a 1:115:31
lbragstadstevemar true15:31
dstaneknarasimha_SV: no, the mapping allows the SP to map the IdP user into a local user. you will still have to create the projects in the SP ahead of time15:31
rodrigodsrderose, hmm so something to get the idp based on the domain_id?15:32
rodrigodsand vice versa15:32
rderoserodrigods: seems reasonable, but it's not a requirement15:32
dstanekrodrigods: is there a case where you would need to do that?15:33
rodrigodsdstanek, rderose, to list the assignments of users of a given idp15:34
rderoserodrigods: you would list by domain15:35
*** chrisplo has joined #openstack-keystone15:35
dstanekrodrigods: i don't get that one. idp wouldn't matter at that point right?15:35
narasimha_SVdstanek: so you are saying I can map users to be from IDP to SP15:35
rodrigodsrderose, dstanek, it matters if i want to revoke tokens, for example (if i delete an IdP)15:36
rderoserodrigods: if you delete an idp, we don't delete the domain15:36
dstanekrodrigods: they you would already know the idp15:36
rderosestevemar: missed your ping yesterday, you want to chat about idp and domain now?15:37
rodrigodsrderose, and the other way around it works via fks, right?15:38
rodrigodsif i delete a domain, the idp is deleted15:38
rderoserodrigods: yes15:38
rodrigodshmm15:38
*** adrian_otto has joined #openstack-keystone15:39
rodrigodsyeah... so i guess i don't have use case after all :)15:39
rderose:)15:39
openstackgerritMerged openstack/keystone: Add doctor tests on security_compliance and rename  https://review.openstack.org/40874315:39
dstaneki think the only time anyone cares about the IdP is when they CRUD it or auth against it15:39
dstaneknarasimha_SV: that's the point of federation. allows users from some other system to login to yours15:40
rodrigodsrderose, can we update the domain_id?15:40
narasimha_SVok15:41
rderoserodrigods no15:41
rderoserodrigods updates are not allowed15:41
*** Marcellin__ has joined #openstack-keystone15:41
rodrigodsrderose, need to add this to the API ref?15:41
rderoserodrigods that updates are not allowed?15:41
rodrigodsrderose, yep15:41
rderoserodrigods oh, you just had to find something, right?15:42
rderose:)15:42
rodrigodsrderose, lol :)15:42
*** pnavarro has joined #openstack-keystone15:44
rderoserodrigods: domain_id is not in the update request: https://review.openstack.org/#/c/399157/12/api-ref/source/v3-ext/federation/identity-provider/idp.inc15:45
rderoserodrigods so may be good after all15:45
rodrigodsrderose, it isn't but we need to say that15:45
rodrigodsotherwise, in the future, we can just think "oh, we forgot to document updates"15:45
rderoserodrigods why, if it's not in the docs15:45
rodrigodsrderose, because it is a field from the API object15:46
rderoserodrigods right, but it's not updatable, so can't be in an update request15:46
rodrigodsbut if you provide it, an error is returned15:46
*** dave-mccowan has quit IRC15:46
*** udesale has quit IRC15:47
rderoserodrigods 409?15:47
rderoserodrigods but if we already to this, then we should be consistent15:48
rodrigodsrderose, not sure about the error code15:48
rodrigodsbut if i send an update of a field, i expect a return15:48
rderoserodrigods perfect15:48
rodrigodseither a success or an error15:48
rderoserodrigods and appreciate the review btw15:49
rodrigodsrderose, np :)15:49
rodrigodssorry for being picky15:49
rderoserodrigods nah, it's all good15:49
dstanekrderose: i think it's a validation error and not a 40915:49
rderosedstanek: cool15:49
*** henrynash has joined #openstack-keystone15:50
*** ChanServ sets mode: +v henrynash15:50
*** spilla has joined #openstack-keystone15:51
*** ngupta has joined #openstack-keystone15:51
*** henrynash has quit IRC15:53
*** ravelar has joined #openstack-keystone15:55
*** stingaci has joined #openstack-keystone15:56
*** tobberyd_ has joined #openstack-keystone15:56
*** jaugustine has joined #openstack-keystone15:57
*** ayoung has joined #openstack-keystone15:57
*** ChanServ sets mode: +v ayoung15:57
*** tobberydberg has quit IRC15:59
*** stingaci has quit IRC16:00
*** tobberyd_ has quit IRC16:00
lbragstadpolicy meeting ping ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ayoung, ruan_0516:00
lbragstadhappening in #openstack-meeting-cp now16:00
gagehugothanks16:01
*** adrian_otto has quit IRC16:02
*** rcernin has quit IRC16:14
*** dave-mccowan has joined #openstack-keystone16:17
*** jaosorior has quit IRC16:20
*** jaosorior has joined #openstack-keystone16:20
*** nicolasbock has quit IRC16:25
*** adrian_otto has joined #openstack-keystone16:31
*** mvk has quit IRC16:32
*** dikonoor has quit IRC16:34
*** pnavarro has quit IRC16:35
*** nicolasbock has joined #openstack-keystone16:35
mfischstevemar: did you guys ever get all the special "is_admin" code out of the tree? The code that bypasses policy rules16:41
* stevemar ropes in ayoung to answer mfisch16:43
mfischI hope I'm describing that right16:43
stevemarmfisch: you are16:43
stevemarmfisch: lets see if i know it16:44
ayoungmfisch, can you wait 20 mins?  In the policy meeting16:44
mfischsure16:44
mfischno rush16:44
stevemarmfisch: you have to specify 'admin_project_name' and 'admin_project_domain_name' in keystone.conf first16:44
stevemarmfisch: and use the latest policy files for each project16:44
mfischwe're about to do that for something heat needs16:44
stevemar(those that have the policy changes anyway)16:44
mfischI want to make a policy file that has a super-admin role basically16:45
mfischmeaning that you need admin + a special role to delete a project16:45
mfisch(for example)16:45
*** chlong has quit IRC16:45
mfisch"identity:delete_group": "rule:admin_required and role:project_deleter",16:46
*** rcernin has joined #openstack-keystone16:46
akrzoswhen will fernet tokens replace uuid as the default in tripleo clouds? (Not sure this is the right place over #tripleo to ask this question)16:47
lbragstadakrzos we've already made the switch in keystone16:48
lbragstadakrzos and I believe tripleo was working on it16:48
lbragstadayoung and EmilienM might have better information than I though16:48
*** jaosorior has quit IRC16:48
*** jaosorior has joined #openstack-keystone16:48
akrzoslbragstad: rgr that thanks for the update16:48
EmilienMakrzos: I think it's done16:49
EmilienMakrzos: in Ocata16:49
lbragstadakrzos anytime16:49
EmilienMwe just don't have key rotations yet16:49
akrzosEmilienM: cool I'll have to try and deploy some of the ocata bits16:49
*** diazjf has joined #openstack-keystone16:50
*** guoshan has joined #openstack-keystone16:56
*** chlong has joined #openstack-keystone16:58
*** ruan_05 has joined #openstack-keystone17:00
*** guoshan has quit IRC17:01
*** Zer0Byte__ has joined #openstack-keystone17:03
ayoungmfisch, OK so....maybe?17:05
ayoungmfisch, ADMIN_TOKEN can and should be disabled17:05
ayoungis_admin was based on that, so if you actively disable ADMIN_TOKEN, is_admin goes away17:06
ayoungthe idea is that the functionality that ADMIN_TOKEN provided is done by bootstrap now17:06
*** ruan_05 has quit IRC17:07
bknudsonmfisch: I was going to warn you about the v2 apis not using policy file, but they actually do use is_admin.17:08
bknudsonas in, you can prevent someone using v3 to delete a project but not v2.17:08
mfischbknudson: ayoung thanks17:09
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/40987417:09
mfischso is_admin is more than just using the ADMIN_TOKEN right?17:09
ayoungmfisch, usual caveats apply:  I lie.  I make shit up.  Verify everything I say against the source code.17:10
mfischsure17:10
mfischits easy enough to tr17:10
mfischtry17:10
*** nklenke has quit IRC17:12
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/40987417:12
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/40987417:13
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389817:13
*** edtubill has joined #openstack-keystone17:14
*** nklenke has joined #openstack-keystone17:14
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/40987417:16
*** tqtran has joined #openstack-keystone17:21
*** diazjf has quit IRC17:24
*** diazjf has joined #openstack-keystone17:34
*** AlexeyAbashkin has quit IRC17:41
*** asettle has quit IRC17:48
*** jaosorior has quit IRC17:54
*** ngupta has quit IRC17:54
*** ngupta has joined #openstack-keystone17:55
*** guoshan has joined #openstack-keystone17:57
rderosestevemar: you free?17:57
dstanekrderose: in my mind you should get enough information for the mappings to create the same unique_id, but i could see why that wouldn't be the case always17:58
*** ngupta has quit IRC18:00
rderosedstanek: I'm not getting info from the mappings18:00
rderosedstanek: I'm getting the info during auth or during an api call18:00
stevemarrderose: somewhat, will be more free in about 30 minutes18:02
rderosestevemar: no rush, just ping me when you have some time18:02
*** guoshan has quit IRC18:02
dstanekrderose: when we create users as the login we get that from the mapping output right?18:03
*** asettle has joined #openstack-keystone18:04
dstanekrderose: specifically here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py#n21718:04
dstanekit wouldn't have to be something that is provided in the assertion. it can be something based off of that.18:04
dstanekrderose: for example, in my testshib environments i do this: https://github.com/dstanek/ansible-role-keystone-sp/blob/master/templates/mapping.json.j2#L618:05
dstanekthat give me testshib:urlencoded_email as my unique ids18:05
rderosedstanek: you're right, the unique_id comes from the mapping18:06
rderosedstanek: currently, it's being set as the mapped user name or ID18:07
dstanekrderose: yep18:07
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675218:09
dstanekrderose: so a potential incompatibility is getting an email via SAML and and encoded email via openidc (we just to investigate those possibilities more)18:10
rderosedstanek: you could change the mapping to ensure they were the same unique id18:11
rderosedstanek: and when say federation, I think we should only be talking saml and openidc18:11
dstanekrderose: it depends on the source data. in that case there may be nothing you can do18:11
dstanekrderose: i'm not sure we want to say that. what about straight up oauth and i'm sure there's other things18:12
rderosedstanek: oauth is authorization18:13
rderose:)18:13
dstanekin keystone don't we have a very similar flow for it?18:14
rderosedstanek: not sure18:15
dstanekoidc is just oauth2++ anyway18:15
rderosedstanek: true18:15
dstanekand ayoung's kerberos example using REMOTE_USER is also very similar18:15
dstanekif the cases are similar does it make sense to have many different code paths?18:16
rderosedstanek: while depends on the source data, the source data is the same (the idp)18:16
dstaneki don't know the answer. i'm just posing the quesiton18:16
rderosedstanek: yeah, just think when it goes down the federation flow, it should be saml or openidc18:16
rderosethose are the "federation" protocols we support18:17
rderosedstanek: to me, remote user is something different18:17
*** asettle has quit IRC18:17
dstanekisn't kerberos usable as a federation protocol?18:17
dstanekrderose: why do you say it's something different?18:18
rderosedstanek: it's a single sign-on implementation for sure, but is it a federation protocol?18:19
stevemardstanek: its a bit different18:19
dstanekshibboleth is dropping a REMOTE_USER and that's how i do my mappings https://github.com/dstanek/ansible-role-keystone-sp/blob/master/templates/mapping.json.j2#L1618:19
stevemarrderose: what was it you wanted to chat about?18:19
rderosethe idp + domain patch18:20
rderosestevemar: ^18:20
stevemarrderose: k, i'm looking at https://etherpad.openstack.org/p/keystone-idp-domain-questions18:20
rderosecool18:21
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675218:21
*** david-lyle has quit IRC18:21
dstanekstevemar: the question ayoung implied is if it is possible that a single IdP using different protocols could have different unique_ids because there is different information available to the mapping engine18:24
ayoungdstanek, I'm going to pull up jdennis' proposal18:25
dstanekrderose: easier to chat here. what if the domain you automatically create already exists?18:25
ayounghe did a very in depth mapping ,used for Open Daylight I think18:25
*** ngupta has joined #openstack-keystone18:27
rderosedstanek: the domain name would have to be the same as the idp_id for it to exist18:28
rderosedstanek: but it's a good point, that I'm not currently accounting for18:29
*** markvoelker has quit IRC18:29
rderosedstanek: my thought is, is that we would user a new uuid for the name in the situation18:29
*** nklenke has quit IRC18:30
ayoungdstanek, rderose so lets use  the case where we have Kerberos, X509, and SAML all in play. For Kerberos REMOTE_USER is going to come in as ayoung@REDHAT.COM   for X509 it will DN=cn=ayoug,ou=redhat,ou=com, and for saml is will be REMOTEUSER=ayoung@redhat.com18:30
ayoungall three should map to me18:30
*** david-lyle has joined #openstack-keystone18:30
rderosedstanek: the domain description indictates that it is a federated domain for IdP: idp_id18:30
rderoseayoung: is a remote user federation?18:31
ayoungrderose, yes.  I want all users done via Federation18:31
ayoungI'd like to make even the internal Keystone users be considered Federated users18:31
rderoseayoung: my thinking is that saml and openidc are the only federation protocols we support18:31
ayoungrderose, and Kerberos and X50918:32
ayoungrderose, I've had those working for years18:32
ayoungand it should be fine18:32
*** diazjf has quit IRC18:32
dstanekayoung: but will you have enough other information to construct a unique id?18:32
ayoungX509 is used for Tokenless now18:32
ayoungdstanek, you should, yes18:32
rderoseayoung: but those aren't federation protocols; should go down a different flow18:32
ayoungrderose, they are absolutelty Federation18:32
dstanekrderose: why a different flow? how do you know saml vs kerberos?18:32
ayounghttps://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/18:33
dstanekfundamentially they both use remote_user18:33
ayoungand it does not matter even the Name of the the variable18:33
ayoungthe set of known variables is listed here, BTW.  Good reference:  http://www.freeipa.org/page/Environment_Variables18:33
dstanekrderose: i guess the question is why do you want to limit it?18:34
*** markvoelker has joined #openstack-keystone18:35
rderosedstanek: simpler API and because saml and openidc are the industry standards18:35
ayoungrderose, limiting it is not an option.  The question is how can we transform the unique identifier from the Assertion, regardless of protocol, into a canonical version that we can then match as  the unique id18:35
ayoungrderose, no and no18:35
rderose:)18:36
ayoungKerberos SSSD is acatiualy about 10000.2% easier18:36
ayoungand Kerberos has been the standard for Industry since  Gates was still in charge of Microsoft18:36
dstanekrderose: you'd have to convince me that it's a simplier api18:36
rderosedstanek: by simpler, I'm talking about the user API18:37
*** nklenke has joined #openstack-keystone18:37
dstanekrderose: in the future if i don't supply a domain_id i'll get one created right? how do you pick the name you will use?18:37
*** ayoung has left #openstack-keystone18:37
rderosedstanek: currently using the idp_id18:37
*** ayoung has joined #openstack-keystone18:37
*** ChanServ sets mode: +v ayoung18:37
dstanekrderose: you'll have to show here is with the limit and here is without to see why it's more complicated18:37
ayoungOK...what key did I just hit to close this room by accident18:37
dstanekrderose: do we reject the idp create if the domain already exists?18:38
ayoungrderose, Federation is protocol agnostic18:38
dstanekayoung: "i give up"18:38
dstanekit's right next to esc18:38
rderoseayoung: okay18:38
ayoungrderose, even if it was just SAML and OpenIDC, you would have this problem18:38
stevemarrderose: added more stuff to the etherpad18:39
ayoungrderose, we can use jdennis' engine, and it will make this all much clearer18:39
rderoseayoung: really?18:39
rderosestevemar: okay18:39
stevemarayoung: get jdennis to push a patch upstream!18:39
rderosedstanek: if domain exists with the idp_id as the name, I'll use a new uuid18:40
rderosedstanek: either case, the domain description will be: "Federated domain for Identity Provider: idp_id"18:40
ayoungstevemar, so I think that is in cards18:40
ayoungif the version mapping thing that dstanek proposed goes through, it would work very nicely18:41
stevemarayoung: doesn't even have to work properly with the current code base, just get the dang engine somewhere for us to look at18:41
stevemarwe can make it fit18:41
rderoseayoung: if only SAML and OpenIDC, the unique_id would be different?18:41
rderoseshould be the same, same identity source18:41
dstanekrderose: we should document that as a test case18:42
ayoungrderose, not the format necessarily18:42
ayoungrderose, that is what I was getting at above.  Kerberos is the most obvious example, as it does that weird ALL_CAPS_REALM18:42
rderosestevemar: currently, I'm not allowing updating the domain for an IdP18:43
dstanekayoung: we control the format via mapping, but do we get the same context information to build it?18:43
stevemarrderose: any reason why?18:43
rderosestevemar: just the implications of changing the domain18:43
dstanekstevemar: because you'd switch the domain of all the federated users18:43
stevemarrderose: what if my fat fingers make a mitake?18:43
rderosestevemar: if you change the domain, what happens to all of the federated users created under the old domain18:44
ayoungrderose, please don't even propose dropping things like that.  My blood pressure is already right at the max.  Any higher and they say I need meds.18:44
rderosestevemar: delete the idp and create a new idp18:44
rderoseayoung: alright18:44
ayoungso long as deleting the IdP does not delete the domain, that is sufficient for now18:44
rderoseayoung: just wanted to go down that road one more time18:44
ayoungthese are going to be rare operations.  Just don't make things irreversable18:45
rderosebefore starting the user API work18:45
rderoseayoung: correct, deleting the idp does not delete the domain18:45
ayoungI'm almost tempted to say that the domain needs to be specified and  explicit18:46
ayoungwhat happens now?  We assume they go into the Federated domain as specified in theconfig file, right?18:46
rderoseayoung: would love it, but need to be backwards compatible18:46
rderoseayoung: users are associated to a hardcoded "Federated" domain18:47
ayoungso, no IdP specified, it stays there.  IdP specified, go into the specified domain18:47
rderosestevemar: you okay with delete/create for fat finger issue?18:47
ayoungand then deprecate the default18:47
rderoseayoung: idp will be associated to a real domain either way18:49
ayoungyep18:50
ayoungI'm flexible.  This stuff is done so infrequently, so long as we let people know, we could even break it and report it and it would be OK.18:51
ayoungPuppet module support is not even there yet for Federation18:51
openstackgerritRichard Avelar proposed openstack/keystone: Add doctor checks for ldap symptoms  https://review.openstack.org/40929218:52
ayoungrderose, stevemar jdennis seems to be in, but not answering.  I did find his old docs on it, though18:54
ayounghttps://jdennis.fedorapeople.org/federated_mapping/mapping.html18:54
ayounghttps://jdennis.fedorapeople.org/federated_mapping/strategy.html18:54
ayoungthe second link documents the issues18:56
samueldmqrderose: are there any discussion going on regarding adding domain_id to IdP ?18:57
samueldmqrderose: I remember we had created an etherpad to that in the last meeting18:57
rderosesamueldmq: yes, here: https://etherpad.openstack.org/p/keystone-idp-domain-questions18:57
samueldmqrderose: I've +2ed it, looks pretty good to me18:57
rderosesamueldmq: sweet!18:58
samueldmqrderose: https://review.openstack.org/#/c/408332 is where we'll make use of that idp's domain_id to its users, right ?18:58
rderosesamueldmq: yes18:59
rderosecorrect18:59
lbragstadstevemar quick question for you on the domain config stuff18:59
lbragstadstevemar right now we have this - https://github.com/openstack/keystone/blob/31713100f9f4dbf19caef6d54a81518c8cc45b5a/etc/policy.json#L19418:59
samueldmqrderose: but if users don't have fderated attributes yet, how can you identify what users belong to what idp?18:59
lbragstadstevemar and https://github.com/openstack/keystone/blob/31713100f9f4dbf19caef6d54a81518c8cc45b5a/etc/policy.v3cloudsample.json#L22118:59
rderosesamueldmq I get the IdP from the auth plugin19:00
lbragstadin order for this to work - we'll have to loosen that up, but i remember you mentioning a way to get around that as we were talking about the spec19:00
samueldmqrderose: so you'll update it on-demand ?19:00
samueldmqrderose: and new users will get it set upon creation19:00
rderosesamueldmq oh no, I'll do a migration to update the domain for federated users19:00
jdennisayoung, stevemar, rderose: I'm not sure but I think the document ayoung found might be out of date, this ODL doc is current, it includes other stuff but see the section "The Mapping Rule Processor"  https://jdennis.fedorapeople.org/doc/sssd_configuration.pdf19:00
rderosesamueldmq and users will get it on creation19:01
samueldmqrderose: ok but how does that migration will know what user belongs to what idp?19:01
ayoungjdennis, thanks.19:01
rderosesamueldmq the idp_id is in the federated_user table19:01
samueldmqrderose: because there are federated users in the table, but no clue on what idp they belong to fill in the users' domain_id19:01
ayoungjdennis, is it a stand alone python packaged on PyPI?  Is there any plan to make it into one?19:01
rderosesamueldmq we capture during creation19:01
samueldmqrderose: ah sweet, easy peasy then19:02
samueldmq:)19:02
rderosesamueldmq,19:02
rderoseyeah19:02
rderose:)19:02
ayoungah....that is also SSSD19:02
*** lamt has joined #openstack-keystone19:03
ayoungjdennis, so could sssd handle SAML, OpenIDC, and X509 authentication, and then perform the mapping?19:04
ayoungI know it can do Kerberos19:04
ayoungcan mod_auth_mellon pass the variables to sssd and have mod_lookup_identity get them in the post mapped state?19:04
rderosestevemar: I've updated the etherpad, let me know if you have further questions19:08
*** stingaci has joined #openstack-keystone19:09
jdennisayoung: the code is living in my private git repo, I could upload it to github19:11
*** jdennis has quit IRC19:11
ayounghah19:11
ayoungrun away!19:11
*** amoralej is now known as amoralej|off19:11
*** jdennis has joined #openstack-keystone19:11
dstanekrderose: i'm still a little concerned thats working policy for the 'federated' domain wouldn't work after the migration19:13
jdennisayoung: I'm not sure SSSD is the right place to do the mapping simply because SSSD is not the right place to do federated authentication19:15
*** nklenke has quit IRC19:16
*** nklenke has joined #openstack-keystone19:17
jdennisayoung: which goes to your second question as well, also the mapping is specific to a <service,idp> pair so I don't think you want SSSD to be managing all those unique pairs19:18
openstackgerritRichard Avelar proposed openstack/keystone: Add unit tests for doctor token_fernet symptoms  https://review.openstack.org/41092619:18
openstackgerritRichard Avelar proposed openstack/keystone: Add checks for doctor credential symptoms  https://review.openstack.org/40928919:19
ayoungjdennis, yeah, but code deployed is code usable19:19
ayoungdstanek, jdennis has the Python version of the mapping code he wrote in a private repo.  It is released on ODL, but in Java.  Want him to post it to a github or comparable, and see if it works in with you mapping -versioning scheme?19:20
dstanekjdennis: thx for the pdf link. reading it now19:20
dstanekayoung: jdennis: i'd love to take a look19:21
rderosedstanek: so you have some policy rules based on the hardcoded 'Federated' domain?19:21
*** ngupta has quit IRC19:21
dstanekrderose: correct. could you do that today?19:22
*** ngupta has joined #openstack-keystone19:22
rderosedstanek: it's definitely something we'll have to address, however this patch is not changing that19:22
dstanekrderose: if you change the domains of all federated users wouldn't you change that?19:22
rderosedstanek: yes, but this patch is not changing the domains for federated users19:23
rderosedstanek: I have another patch for that19:23
rderose:)19:23
dstanekrderose: i just talking about the domain_id etherpad19:23
rderosedstanek: okay, I'll update my comment there19:24
*** ngupta has quit IRC19:24
dstanekrderose: i'm ok saying we won't be backward compatible there, but we need to call it out19:24
*** ngupta has joined #openstack-keystone19:24
rderosedstanek: agree19:25
dstaneklbragstad: did you see my message earlier about the mapping spec stuff?19:26
jdennisdstanek, ayoung: I don't really believe in mapping engines, to be powerful enough they start to look like programming languages so why not just an existing scripting language? The only issue with allowing an embedded script interpreter to evaluate a block of code to implement mapping is the problem of sandboxing the interpreter to prevent any loaded mapping code from being nefarious, my recommendation for OpenStack would be mapping is implement19:26
lbragstaddstanek i remember we were talking about it a bit this morning19:27
lbragstaddstanek was there something specific that i missed?19:27
dstaneklbragstad: do you think it's worth augmenting the existing spec or should it go into its own?19:28
lbragstaddstanek oh - you're talking about the auto-provisioning code and where that should live?19:28
dstaneklbragstad: specifically if you thnk i should update the shadow mapping spec with versioning or create a new one19:29
lbragstaddstanek ah - well, should the mapping changes required to achieve auto-provisioning be versioned?19:30
lbragstaddstanek i don't think those changes *require* a version, but *should* they?19:30
dstaneklbragstad: not really since you don't change anything about how the mapping actually works19:31
lbragstaddstanek well - we're changing the format of the mapping to include other things...19:31
lbragstaddstanek and also changing the mapping engine to pull those things out19:31
lbragstaddstanek but - this is all additive change19:32
stevemarrderose: i think that's good for now19:32
rderosestevemar: cool19:32
stevemarayoung: want to take a look at https://etherpad.openstack.org/p/keystone-idp-domain-questions  -- rderose and i jotted down some notes19:32
dstaneklbragstad: right. all mappings that already exist will continue to work19:33
lbragstadhm19:34
lbragstadwhich is good19:34
lbragstaddstanek well - how much work do you think it will be to introduce a version to the mapping?19:34
lbragstaddstanek and make the mapping engine understand it?19:35
*** diazjf has joined #openstack-keystone19:36
dstaneklbragstad: well, the first step is really just allowing the version through, which should be trivial. the second step will be more interesting and I'll have to take a deeper look, but it only matter when we have to have a version change19:37
lbragstaddstanek what's the second step?19:37
lbragstaddstanek incorporating the version into different mapping capabilities?19:38
dstanekdispatching based on version19:38
lbragstaddstanek ok - yeah the first step doesn't sound too bad at all19:38
ayoungstevemar, what if we disable existing IdPs until they have a domain_id set?19:38
lbragstaddstanek but the second might be more work, which makes me think we should isolate all the mapping version work into a separate spec19:39
dstaneklbragstad: not at all. add a new column and allow the data to flow through. in the absence of a value use the default19:39
lbragstaddstanek sure19:39
dstanekspec freeze this what day this week?19:39
narasimha_SVwhat is the importane of enabling a user in keystone ?19:39
lbragstaddstanek friday at the absolute latest19:40
dstaneknarasimha_SV: disabled users can't auth19:41
dstaneklbragstad: then today it is! i'll just create a new one then19:41
narasimha_SVok19:41
lbragstaddstanek so - should the auto-provisioning work wait for it?19:42
lbragstadwould it be easier to implement the auto-provisioning work with a specific mapping version?19:42
*** ngupta has quit IRC19:42
lbragstaddstanek because if that is the case, then i'd be fine to push all that work to pike19:42
*** ngupta has joined #openstack-keystone19:43
dstaneklbragstad: no i don't think you need it for auto provisioning19:44
lbragstaddstanek ok19:45
dstaneklbragstad: based on what i saw this morning you won't even need to change anything in the mapping at all19:45
dstaneklbragstad: i mentioned to rderose that the added domain_id isn't useful since you will have a domain tied to the IdP19:45
stevemarayoung: that's definitely possible19:46
lbragstaddstanek it's just a hook in the mapped plugin to call a federated method to auto-provision stuff based on whats in the mapping19:46
lbragstadbut we do need to make the mapping engine handle keystone resource values19:46
*** nklenke has quit IRC19:46
ayoungstevemar, something like this:19:46
dstaneklbragstad: what do you mean? nothing in your spec seems different19:47
ayoungwe make all IdPs disabled with no domain set in the migration19:47
*** ngupta has quit IRC19:47
ayoungwhen running bootstrap, provide an option to default domains19:47
lbragstaddstanek what about the additional attributes in http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/shadow-mapping.html ?19:47
lbragstaddstanek http://cdn.pasteraw.com/mnx3bq9rpmu964h2h1adqpr75r4asow specifically19:47
lbragstaddstanek does the mapping engine just pass those through when processing mapping and assertion?19:48
*** nklenke has joined #openstack-keystone19:49
dstaneklbragstad: yes, that should be fine the local comes out as a dict of what you put in it with substitution applied. i don't think anything would have to change to impolement that19:49
lbragstaddstanek huh - awesome19:50
*** stingaci has quit IRC19:50
lbragstaddstanek so it's really just a conditional in the mapped plugin to pass the mapping to the federation_api19:50
*** stingaci has joined #openstack-keystone19:50
lbragstadand then a method in the federation_api to use the resource managers to create all the things19:50
*** stingaci_ has joined #openstack-keystone19:52
narasimha_SVhttp://paste.openstack.org/show/592394/ does this mapped rules file is sufficient ?19:53
narasimha_SVfor k2k federation ?19:53
*** stingaci has quit IRC19:55
dstaneklbragstad: brb. have to get my kids19:55
lbragstaddstanek sounds good19:55
*** guoshan has joined #openstack-keystone19:58
*** ayoung has quit IRC19:59
*** guoshan has quit IRC20:02
*** spzala has quit IRC20:04
dstaneklbragstad: back!20:09
lbragstaddstanek fast!20:09
lbragstaddstanek grabbing coffee quick20:15
*** adrian_otto has quit IRC20:16
*** asettle has joined #openstack-keystone20:18
dstaneklbragstad: i lied to you a little20:20
stevemarravelar: looking forward to your doctor patches!20:20
*** asettle has quit IRC20:22
*** ngupta has joined #openstack-keystone20:23
lbragstaddstanek why?!20:27
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675220:28
lbragstaddstanek alrighty - i'm caffinating, what's up?20:30
dstanekgrrr...jas20:31
dstaneklbragstad: there is an additive change required20:31
lbragstaddstanek to the mapping engine?20:33
lbragstadfor the auto provisioning stuff?20:33
*** pcaruana has quit IRC20:33
*** rm_work has quit IRC20:34
*** rm_work has joined #openstack-keystone20:34
openstackgerritDavid Stanek proposed openstack/keystone: Adds role mapping to the mapping engine  https://review.openstack.org/41094920:38
dstaneklbragstad: rderose: something like that ^20:38
*** tobberydberg has joined #openstack-keystone20:39
*** narasimha_SV has quit IRC20:39
lbragstaddstanek ah - right20:40
lbragstaddstanek we never had to deal with the roles in the mapping because that was always done with the group assignments20:40
dstaneklbragstad: right. i thought we just pushed values through, but apparently we actually cherry pick what we want20:41
dstanekwe also never supported lists20:41
lbragstadhuh20:41
lbragstadthat sucks20:41
lbragstadkind of20:42
rderosedstanek: nice20:42
rderosedstanek: groups are a list20:42
lbragstaddstanek so we will have a few more additive changes to make sure the provisioning bits from the mapping are pulled out.20:42
*** ayoung has joined #openstack-keystone20:46
*** ChanServ sets mode: +v ayoung20:46
*** nklenke has quit IRC20:46
*** mvk has joined #openstack-keystone20:46
dstanekrderose: it's not a list in the json sense20:48
*** ayoung has quit IRC20:49
stevemarlbragstad: o/20:49
rderosedstanek: ah, I see20:50
stevemarlbragstad: so, thoughts on https://review.openstack.org/#/c/408837/ ? turns out it's not a trivial backport20:50
lbragstadstevemar but only for stable/mitaka?20:50
stevemarlbragstad: right20:52
lbragstadstevemar hmmm20:52
lbragstadthat's weird20:53
*** phalmos has quit IRC20:53
stevemarlbragstad: the "make_request" method is not there: https://github.com/openstack/keystone/blob/74d4b58368dea07eab6653e5d91f93b474d6c8ca/keystone/tests/unit/core.py#L56520:53
lbragstadstevemar ah...20:53
stevemarlbragstad: i tried to add that in and it depends on a bunch of changes we made to context20:53
lbragstadstevemar if i remember correctly - that was a large refactor that jamielennox did20:53
stevemarso don't go down that path20:53
stevemaryep20:53
stevemarlbragstad: was there something we used in tests that did a similar request?20:54
lbragstadright - i remember that20:54
lbragstadstevemar i thought so, because we needed that information regardless20:54
stevemarlbragstad: https://github.com/openstack/keystone/commit/da6ea7e2243aa13e626a2dbd5407477fcbd79c9c20:55
lbragstadohhhh20:56
lbragstadcontext was just a dictionary20:56
lbragstadand you never really knew what was in it...20:57
stevemarlbragstad: eh maybe i got it20:58
*** phalmos has joined #openstack-keystone21:02
*** lamt has quit IRC21:02
lbragstadstevemar did you happen to see my comment about the security requirements api?21:03
lbragstadstevemar specifically around the default policy files?21:03
stevemarlbragstad: i did not21:04
lbragstadstevemar so - we do this https://github.com/openstack/keystone/blob/31713100f9f4dbf19caef6d54a81518c8cc45b5a/etc/policy.v3cloudsample.json#L22121:05
lbragstadand this https://github.com/openstack/keystone/blob/31713100f9f4dbf19caef6d54a81518c8cc45b5a/etc/policy.json#L19421:05
lbragstadso - we are going to have either loosen that or add a hack to the protected method for it21:06
*** tobberydberg has quit IRC21:06
lbragstadstevemar i thought i remember you having a way to get around that when we were discussing the spec but i couldn't remember it.21:06
ravelarstevemar: just needs a few more tests and should be all done :)21:07
ravelargagehugo: ping?21:07
gagehugoravelar: pong21:07
ravelargagehugo ha! I just had a question about the last test. Just saw your review21:08
gagehugoravelar what's up?21:08
ravelarto cause the method to return true would need cause configparser to throw and exception configparser.Error21:09
ravelarbut I was wondering how one would be thrown without configparser checking for nosection, ect, in the method? Is there a way to get that to be raised?21:09
*** diazjf has quit IRC21:11
gagehugoyeah, if you put something invalid in the config, ie some key without an '=' and value, it will throw21:11
stevemarlbragstad: can't we have a new one?21:12
gagehugoravelar: the Error is there to just catch anything wrong that configparser finds21:12
stevemarlbragstad: like: https://github.com/openstack/keystone/blob/31713100f9f4dbf19caef6d54a81518c8cc45b5a/etc/policy.json#L96-L9721:12
stevemarlbragstad: https://github.com/openstack/keystone/blob/fc93521ed1fca2e8393cf2e53e0f79a61dec7222/keystone/assignment/controllers.py#L985-L99921:13
lbragstadstevemar huh - interesting21:14
ravelargagehugo: ahh okay then :)21:14
lbragstadstevemar what calls list_role_assignments_wrapper ?21:14
lbragstadthe router?21:14
stevemarlbragstad: if config group == security compliance, return list_security_stuff (which is wrapped with a different policy); else call the other thang21:14
stevemarlbragstad: you betcha; https://github.com/openstack/keystone/blob/3e5ead0a45f698eed4162787b723090cee4733f8/keystone/assignment/routers.py#L20021:15
gagehugoravelar: np!21:15
lbragstadah ha - https://github.com/openstack/keystone/blob/fc93521ed1fca2e8393cf2e53e0f79a61dec7222/keystone/assignment/routers.py#L20021:15
lbragstadok21:15
stevemarlbragstad: i wasn't a big fan of it when i first saw it21:15
stevemarbut it won be over21:15
lbragstadstevemar yeah - interesting21:17
stevemarlbragstad: you're allowed to not like it :D21:19
stevemarlbragstad: we could always nix the whole damn thing21:19
*** guoshan has joined #openstack-keystone21:20
lbragstadstevemar true - but at the same time i'm not sure what I'd do instead?21:20
*** r-daneel has joined #openstack-keystone21:20
*** asettle has joined #openstack-keystone21:21
*** chrisplo_ has joined #openstack-keystone21:22
lbragstadstevemar the obviously solution would be to make it its own dedicated API, but then we're not holding to the conventions already in place with the domain config API21:22
lbragstadso that's out21:22
lbragstadthe only other option i was thinking would work would be to hack the protected method, but that feels dirty and counter-intuitive to policy21:22
*** chrisplo has quit IRC21:24
*** guoshan has quit IRC21:24
*** catintheroof has joined #openstack-keystone21:24
*** asettle has quit IRC21:25
stevemarlbragstad: what you mean about "hack the protected method"21:28
lbragstadstevemar something to make it so that the protected method would not enforce admin policy on that specific call21:28
lbragstadbut i don't like that21:28
stevemarlbragstad: could go with the wrapper route21:31
lbragstadstevemar like for list assignments?21:31
openstackgerritRichard Avelar proposed openstack/keystone: Add unit tests for doctor tokens symptoms  https://review.openstack.org/41096421:34
openstackgerritLance Bragstad proposed openstack/keystone: Add tests for password requirements API  https://review.openstack.org/41051521:35
lbragstadstevemar are you ok with the contracts in those tests? ^21:36
*** diazjf has joined #openstack-keystone21:38
*** adriant has joined #openstack-keystone21:39
*** itisha has quit IRC21:42
lbragstadstevemar hmm - apparently we have this https://github.com/openstack/keystone/blob/fc93521ed1fca2e8393cf2e53e0f79a61dec7222/keystone/resource/routers.py#L94-L11421:43
lbragstadstevemar i totally didn't see that fact we already have a dedicated api for reading the default domain21:44
stevemarlbragstad: ah thats not the default domain21:47
stevemarlbragstad: that's reading the defaults of a specific config option21:47
lbragstadah21:47
lbragstadnevermind21:47
stevemarlbragstad: http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-default-configuration-settings-detail,show-default-configuration-for-a-group-detail,show-default-option-for-a-group-detail#show-default-configuration-settings21:48
lbragstadstevemar so accessing should still be done with /domains/{default_domain_id}/config/security_compliance21:48
stevemarlbragstad: i think so21:48
lbragstadok21:48
stevemarlbragstad: fyi: just updated https://review.openstack.org/#/c/408837/4 and https://review.openstack.org/#/c/408838/421:49
lbragstadstevemar looks good minus the whitespace21:50
stevemardammittttt21:50
*** ravelar has quit IRC21:50
stevemarfixed21:51
stevemarlbragstad: that took longer than i wanted21:53
lbragstadstevemar happens to the best of us21:53
stevemarlbragstad: not many commits between now and 2 weeks ago for ksc/ksm/ksa21:55
stevemarnot going to both releasing til 2017 probably21:55
lbragstadstevemar works for me21:55
stevemarunless jamielennox really wants his token expiry thing merged21:55
stevemarlbragstad: easy merge: https://review.openstack.org/#/c/410964/121:56
lbragstadstevemar oh - yes, i wanted to review that21:56
jamielennoxi do want it merged, it's harder than expected21:57
stevemarjamielennox: i left a comment on it22:02
stevemarjamielennox: isn't it only backwards incompatible if you intend to use the allow_expires flag?22:02
stevemarjamielennox: or are service users fundamentally affected?22:02
jamielennoxstevemar: oh nice, that worked!22:03
jamielennoxthe first version was definitely incompatible, and ideally that's what we'd want22:03
stevemarjamielennox: it did indeed work22:04
jamielennoxbut i wanted to try it that way and see how if it still affected things and how we turn that policy check on22:04
jamielennoxthen yea, i think we need to make an effort to get that out asap22:05
jamielennoxi'll clean up the docs etc now22:05
stevemarjamielennox: please do, i'll be able to mark the bp complete then ^_^22:06
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: remove LDAP write support  https://review.openstack.org/37448222:07
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675222:10
*** ayoung has joined #openstack-keystone22:11
*** ChanServ sets mode: +v ayoung22:11
jamielennoxstevemar, lbragstad: so there's a comment from edmondsw about whether the policy should be all roles in the list or any role in the list. thoughts?22:13
jamielennoxalso does this roles in middleware thing mean that oslo.policy is going to be in keystonemiddleware anyway?22:14
edmondswjamielennox was there a reason you thought it should be all?22:14
edmondswor even why it should be a list?22:15
*** chrisplo_ has quit IRC22:15
edmondswand no, olso.policy would not be in keystonemiddleware with the spec you're referring to22:16
lbragstadjamielennox the spec sounded like it was any role in the list22:16
jamielennoxedmondsw: well i thought it should be an oslo.policy rule, but that's a PITA - but that's why the bad variable name22:16
lbragstadjamielennox as far as i know, oslo.policy is still it's own thing that can do it's own checks22:16
edmondswlbragstad ++22:17
*** lamt has joined #openstack-keystone22:17
jamielennoxi didn't really think much beyond a single item list however i can see that ['service', 'admin'] makes sense22:17
jamielennoxand would have fixed the problem we had in devstack22:17
lbragstadthe part i'm not quite clear on is if role checks can or should be refactored out of the policy files now that they won't be checked by oslo.policy22:17
stevemarjamielennox: so either role makes sense22:17
jamielennoxits also likely that anyone using keystonemiddleware is also using oslo.policy so maybe just fix it properly that wway22:18
lbragstadjamielennox what do you mean by fix properly?22:18
jamielennoxlbragstad: well theres a bunch of stuff you can do to assert service if you wanted, like role:service project_name:service domain_name:service22:19
*** catintheroof has quit IRC22:19
jamielennoxjust checking role is how we got into the admin everywhere mess to begin with22:19
edmondswlbragstad, the only role that is checked in default policy files today is admin, and we probably need that to stay so that things work as they do today if you haven't used this new middleware approach (which is optional for deployers)22:20
jamielennoxnow it probably doesn't matter as much for services, but depending how people expect to lock that down it may be worth just hacking up oslo.policy so we can just assert one rule22:20
lbragstadah22:21
edmondswlbragstad and some of the references to admin in policy would have to stay so that you can do less scope checking if you're an admin than if you aren't22:22
edmondswe.g. admin_or_owner... only does a scope check if you're NOT an admin22:23
lbragstadright22:23
ayoungI hate naming things22:24
ayoungjamielennox, I origianlly had it as a single role22:25
ayoungany expansion would be done via implied roles22:25
edmondswthough ideally I think the "or owner" piece of that should move into code and out of policy... it would never make sense for someone using a token scoped to project A to access a VM scoped to project B, so that project scope check should happen in code, not in policy where someone can mess it up22:25
ayoungedmondsw insisted on multiple roles per API, and I  didn't have a good counter argument22:25
edmondswayoung that's not what we're talking about22:25
*** edtubill has quit IRC22:26
ayoungedmondsw, I'm processing througjh it as I read it22:26
edmondsw++22:26
ayoungedmondsw, but you really messed up my naming22:26
ayoungapi_role was simple22:26
ayoungnow I need a name for two things22:26
ayoungapi_role_set?22:27
edmondswI didn't say anything that should have caused to to have two things22:27
ayoungand api_role_set entry22:27
ayoungedmondsw, it was a single table before. Now I have two22:27
edmondswin fact, I said you should only have one thing22:27
edmondswthere should only be one table22:27
ayoungedmondsw, and how do I do multiple roles per API?  Duplicate the VERB+SERVICE+URL_PATTERN?22:27
edmondswayoung the roles field would hold a list22:28
ayoungNONONONONONONONONONONONONO22:28
edmondswor what you said22:28
ayoungThis is a relational database22:28
ayoungWe belive in normalization22:28
ayoung VERB+SERVICE+URL_PATTERN  is the api22:29
edmondswyes22:29
ayoungand the other table is api_id and role_id22:29
edmondswfine22:29
ayoungright. but the second table is the one that should be called the api_role table22:29
jamielennoxso i've been out of keystone-sepcs for a bit but is that a dict of key -> list?22:29
ayoungso what is the first table then22:29
ayoungjamielennox, roughly22:30
ayoungI can point to the spec line, one sec22:30
jamielennoxhow is the list processed? any or all22:30
edmondswwhat goes in the first except verb, service, url?22:30
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/ongoing/role-check-from-middleware.rst#n25222:30
edmondswjamielennox any22:31
*** chrisplo_ has joined #openstack-keystone22:31
ayoungjamielennox, any, but there is also a default which is only evaluated if none of the APIs match22:31
jamielennoxok, so if i make that service_role_policy process any then there is precedent22:31
jamielennoxbecause it's too hard to do oslo.policy22:31
ayoungjamielennox, I might have missed the start of what you are tryiubng to do...I'm gonna go check evesdrop, one sec22:32
edmondswayoung, the role_id column for the api table doesn't seem to make sense22:32
ayoungbut this was done in support of your standard policy effort.22:32
*** adrian_otto has joined #openstack-keystone22:32
edmondswthe interaction is with the api_roles table, not the role table22:33
jamielennoxayoung: https://review.openstack.org/#/c/382100/3/keystonemiddleware/auth_token/__init__.py L37722:33
ayoungedmondsw,  yeah, but the pkey that you pass in is the id of the api table22:33
edmondswand there would be multiple rows potentially in api_roles, so not a single id to point to there22:33
jamielennoxfor checking the service token on allow_expired, i've done all roles in config must be present22:33
ayoungedmondsw, I think I would like to keep a single ID for each distinct API22:33
edmondswthat's API.id... not API.role_id22:34
ayoungedmondsw, right.22:34
edmondswayoung I think your API table should only have id, service, pattern, and verb22:35
edmondswayoung and then the api_role table is as you have it... api_id and role_id22:35
ayoungedmondsw,  though, I made the url    GET https://hostname:port/v3/api_roles?service=compute22:35
ayoungand I don't like that22:35
ayoungso would it be weird to make it22:35
ayoung  GET https://hostname:port/v3/api?service=compute22:35
*** chrisplo_ has quit IRC22:35
ayoungan API API is wierd22:35
edmondswayoung why don't you like api_roles in the URI?22:36
ayoungso I was thinkging maybe the main table, instead of API should be api_role_set22:36
edmondswdon't confuse the db table with the API22:36
ayoungedmondsw, yeah, I know, but people are going to confuse them anyway.  I want to keep the names distinct22:36
edmondswayoung there is nothing about roles in that first table, so api_role_set would be a crazy name22:36
ayoungedmondsw, maybe the api should be22:37
*** browne has joined #openstack-keystone22:37
ayoung GET https://hostname:port/v3/api_role_set?service=compute22:37
edmondswayoung I don't see why anyone would confuse them... the api_roles API would go through the api_roles table, which will then pull info from the api table... but the api_roles table is the starting point22:37
edmondswnono22:38
edmondswoh, let me backup... no, the api table would be the starting point, and then pull info from api_roles22:38
edmondswI had that backwards22:38
edmondswyou'd query api, find the ids you want, and then go to api_roles via api_roles.api_id22:39
edmondswayoung I still think api_roles makes the most sense for the URL22:40
edmondswayoung and that you need to update the spec to pull role_id out of the api table22:40
ayoungedmondsw, put you pass in the api_id to the controller, in the case of22:41
edmondswI assume that was just mistakenly left behind when you split role out to the api_roles table22:41
ayoung GET https://hostname:port/v3/api_roles/{uuid}22:41
*** phalmos has quit IRC22:42
ayoungOK, I think I can work with that...that is where I was headed, just needed to talk through it22:42
edmondswGET v3/api/roles and GET v3/api/{uuid}/roles ?22:42
ayoungand GET v3/api/role?service=compute22:42
edmondswyeah22:43
edmondsws/role/roles/22:43
ayoungand that way if we have other things we want to hang off the API, we can do it...ok22:43
ayoungright22:43
ayoungOK....dad mode ACTIVATE!22:43
*** ayoung is now known as ayoung_dadmode22:43
edmondswbye22:43
*** edmondsw has quit IRC22:45
*** edmondsw has joined #openstack-keystone22:46
*** edmondsw has quit IRC22:51
*** chrisplo_ has joined #openstack-keystone22:52
*** spilla has quit IRC22:53
*** dave-mccowan has quit IRC22:56
*** ngupta has quit IRC22:57
*** ngupta has joined #openstack-keystone22:58
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389823:00
*** ngupta has quit IRC23:02
*** rcernin has quit IRC23:05
*** jaugustine has quit IRC23:12
*** ngupta has joined #openstack-keystone23:12
*** diazjf has quit IRC23:15
*** dave-mccowan has joined #openstack-keystone23:15
*** guoshan has joined #openstack-keystone23:21
*** asettle has joined #openstack-keystone23:22
*** guoshan has quit IRC23:25
*** dave-mccowan has quit IRC23:27
*** asettle has quit IRC23:27
*** edmondsw has joined #openstack-keystone23:29
*** edmondsw has quit IRC23:33
*** chris_hultin is now known as chris_hultin|AWA23:37
*** chlong has quit IRC23:37
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use  https://review.openstack.org/40391623:47
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use  https://review.openstack.org/40391623:52
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Pass ?allow_expired  https://review.openstack.org/38210023:53
jamielennoxstevemar, lbragstad: ^ reasonably happy with that, i'd like to wait for something like it before next release23:57
« Tuesday, 2016-12-13 Index Thursday, 2016-12-15 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!