*** stingaci has quit IRC | 00:01 | |
*** stingaci has joined #openstack-keystone | 00:17 | |
*** thorst_ has joined #openstack-keystone | 00:19 | |
*** thorst_ has quit IRC | 00:20 | |
*** stingaci has quit IRC | 00:21 | |
*** rcernin has quit IRC | 00:45 | |
*** spotz_zzz is now known as spotz | 00:48 | |
*** rcernin has joined #openstack-keystone | 00:54 | |
*** spotz is now known as spotz_zzz | 00:58 | |
*** stingaci has joined #openstack-keystone | 01:03 | |
*** stingaci has quit IRC | 01:07 | |
*** mgarza_ has joined #openstack-keystone | 01:21 | |
*** jvarlamova____ has quit IRC | 01:27 | |
*** mgarza_ has quit IRC | 01:35 | |
*** rcernin has quit IRC | 01:45 | |
*** spotz_zzz is now known as spotz | 01:49 | |
*** stingaci has joined #openstack-keystone | 01:50 | |
*** stingaci has quit IRC | 01:54 | |
*** rcernin has joined #openstack-keystone | 01:56 | |
*** spotz is now known as spotz_zzz | 01:59 | |
*** tqtran has joined #openstack-keystone | 02:02 | |
*** tqtran has quit IRC | 02:07 | |
*** thorst_ has joined #openstack-keystone | 02:20 | |
*** thorst_ has quit IRC | 02:25 | |
*** stingaci has joined #openstack-keystone | 02:36 | |
*** stingaci has quit IRC | 02:41 | |
*** rcernin has quit IRC | 02:48 | |
*** thorst_ has joined #openstack-keystone | 03:00 | |
*** thorst_ has quit IRC | 03:03 | |
*** tqtran has joined #openstack-keystone | 03:05 | |
*** tqtran has quit IRC | 03:10 | |
*** rcernin has joined #openstack-keystone | 03:12 | |
*** stingaci has joined #openstack-keystone | 03:18 | |
*** rcernin has quit IRC | 03:20 | |
*** stingaci has quit IRC | 03:23 | |
*** dave-mccowan has joined #openstack-keystone | 03:27 | |
*** stingaci has joined #openstack-keystone | 03:50 | |
*** spotz_zzz is now known as spotz | 03:51 | |
*** stingaci has quit IRC | 03:55 | |
*** dave-mccowan has quit IRC | 03:57 | |
*** spotz is now known as spotz_zzz | 04:01 | |
*** stingaci has joined #openstack-keystone | 04:23 | |
*** stingaci has quit IRC | 04:27 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: cleanup release notes from PCI options https://review.openstack.org/426463 | 04:30 |
*** lamt has joined #openstack-keystone | 04:31 | |
*** adrian_otto has joined #openstack-keystone | 04:51 | |
*** spotz_zzz is now known as spotz | 04:52 | |
*** stingaci has joined #openstack-keystone | 04:54 | |
*** stingaci has quit IRC | 04:59 | |
*** nicolasbock has quit IRC | 05:00 | |
*** spotz is now known as spotz_zzz | 05:01 | |
*** lamt has quit IRC | 05:02 | |
*** adrian_otto has quit IRC | 05:03 | |
*** tqtran has joined #openstack-keystone | 05:06 | |
*** tqtran has quit IRC | 05:11 | |
*** stingaci has joined #openstack-keystone | 05:11 | |
*** stingaci has quit IRC | 05:15 | |
*** richm has joined #openstack-keystone | 05:20 | |
*** stingaci has joined #openstack-keystone | 05:43 | |
*** stingaci has quit IRC | 05:47 | |
*** spotz_zzz is now known as spotz | 05:53 | |
*** spotz is now known as spotz_zzz | 06:02 | |
*** lamt has joined #openstack-keystone | 06:04 | |
*** stingaci has joined #openstack-keystone | 06:15 | |
*** stingaci has quit IRC | 06:20 | |
*** lamt has quit IRC | 06:24 | |
*** thorst_ has joined #openstack-keystone | 06:30 | |
*** stingaci has joined #openstack-keystone | 06:30 | |
*** lamt has joined #openstack-keystone | 06:34 | |
*** stingaci has quit IRC | 06:34 | |
*** thorst_ has quit IRC | 06:35 | |
*** spotz_zzz is now known as spotz | 06:53 | |
*** lamt has quit IRC | 06:59 | |
*** spotz is now known as spotz_zzz | 07:03 | |
*** tqtran has joined #openstack-keystone | 07:08 | |
*** tqtran has quit IRC | 07:12 | |
*** spotz_zzz is now known as spotz | 07:54 | |
*** spotz is now known as spotz_zzz | 08:04 | |
*** richm has quit IRC | 08:23 | |
*** thorst_ has joined #openstack-keystone | 08:31 | |
*** thorst_ has quit IRC | 08:35 | |
*** zzzeek has quit IRC | 09:00 | |
*** zzzeek has joined #openstack-keystone | 09:00 | |
*** Jack_I has joined #openstack-keystone | 09:01 | |
*** richm has joined #openstack-keystone | 09:11 | |
*** richm has quit IRC | 09:12 | |
*** richm has joined #openstack-keystone | 09:18 | |
*** richm has quit IRC | 09:53 | |
*** spotz_zzz is now known as spotz | 09:56 | |
*** richm has joined #openstack-keystone | 10:02 | |
*** spotz is now known as spotz_zzz | 10:05 | |
*** thorst_ has joined #openstack-keystone | 10:32 | |
*** thorst_ has quit IRC | 10:37 | |
*** richm has quit IRC | 10:53 | |
*** spotz_zzz is now known as spotz | 10:57 | |
*** richm has joined #openstack-keystone | 11:01 | |
*** spotz is now known as spotz_zzz | 11:06 | |
*** richm has quit IRC | 11:57 | |
*** spotz_zzz is now known as spotz | 11:57 | |
stevemar | lbragstad: 3 more patches to land for rc1 and we're done, i think we can safely release at that level | 12:04 |
stevemar | https://review.openstack.org/#/c/426431/ (better validation for options) (morgan) | 12:04 |
stevemar | https://review.openstack.org/#/c/424220/ (deprecate `lockout_ignored_user_ids` conf option) (stevemar) | 12:04 |
stevemar | https://review.openstack.org/#/c/426463/ (release note cleanup) (stevemar) | 12:04 |
*** spotz is now known as spotz_zzz | 12:07 | |
*** thorst_ has joined #openstack-keystone | 12:33 | |
*** thorst_ has quit IRC | 12:38 | |
*** spotz_zzz is now known as spotz | 13:58 | |
*** spotz is now known as spotz_zzz | 14:10 | |
*** thorst_ has joined #openstack-keystone | 14:29 | |
*** thorst_ has quit IRC | 14:33 | |
*** richm has joined #openstack-keystone | 14:57 | |
*** spotz_zzz is now known as spotz | 15:01 | |
*** spotz is now known as spotz_zzz | 15:11 | |
*** thorst_ has joined #openstack-keystone | 15:14 | |
*** richm has quit IRC | 15:28 | |
*** adrian_otto has joined #openstack-keystone | 15:36 | |
*** dims has quit IRC | 15:38 | |
*** adrian_otto has quit IRC | 15:40 | |
*** thorst_ has quit IRC | 16:00 | |
*** spotz_zzz is now known as spotz | 16:02 | |
*** adrian_otto has joined #openstack-keystone | 16:04 | |
*** adrian_otto has quit IRC | 16:07 | |
*** spotz is now known as spotz_zzz | 16:12 | |
*** nicolasbock has joined #openstack-keystone | 16:19 | |
*** rcernin has joined #openstack-keystone | 16:29 | |
morgan | stevemar: let me respin the lockout one | 16:35 |
morgan | stevemar: oh wait nvm you got it all updated | 16:35 |
*** v1k0d3n has quit IRC | 16:46 | |
*** v1k0d3n has joined #openstack-keystone | 16:47 | |
*** v1k0d3n has quit IRC | 16:54 | |
*** v1k0d3n has joined #openstack-keystone | 16:55 | |
*** spotz_zzz is now known as spotz | 17:03 | |
*** spotz is now known as spotz_zzz | 17:12 | |
*** lamt has joined #openstack-keystone | 17:29 | |
*** brad[] has quit IRC | 17:45 | |
*** rcernin has quit IRC | 17:46 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add MFA Rules and Enabled User options https://review.openstack.org/418166 | 17:48 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955 | 17:48 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912 | 17:49 |
morgan | stevemar: ^ | 17:59 |
morgan | reworking the next MFA one that does the auth-plugin validation bits now. | 17:59 |
morgan | to use the option vs the table. | 17:59 |
morgan | stevemar: then it needs tests. | 17:59 |
morgan | i also need to work with someone on dev docs for the new resource options bit | 17:59 |
morgan | stevemar: also... you're not here and it's sunday, i am surprised :P | 18:00 |
*** thorst_ has joined #openstack-keystone | 18:00 | |
*** spotz_zzz is now known as spotz | 18:04 | |
*** thorst_ has quit IRC | 18:05 | |
* morgan yells at the gerrit web ui | 18:12 | |
morgan | is this thing even ever tested... | 18:12 |
morgan | first they break mobile usage horribly.. this whole "javascript" thing ... now i can't even copy code from it and paste it | 18:12 |
*** lamt has quit IRC | 18:13 | |
morgan | god. it's like they don't want anyone to use it | 18:13 |
*** spotz is now known as spotz_zzz | 18:13 | |
*** brad[] has joined #openstack-keystone | 18:34 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add MFA Rules and Enabled User options https://review.openstack.org/418166 | 18:40 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955 | 18:40 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912 | 18:40 |
morgan | stevemar: i'm restructuring auth to move the common code into keystone.auth.core, which is where the MFA helper objects will live | 18:43 |
morgan | so AuthInfo, AuthContext will end up there | 18:43 |
morgan | etc | 18:43 |
*** nicolasbock has quit IRC | 18:44 | |
morgan | debugging a small bit with that and then i'll add in the MFA helpers and the auth validation itself | 18:45 |
morgan | looks like MFA might be landable in Ocata as well. | 18:45 |
morgan | stevemar: also we will need to add an index to useroptions for both the user column and the option id | 18:46 |
morgan | so we can do some filtering on it more easily | 18:47 |
*** lamt has joined #openstack-keystone | 18:58 | |
*** spotz_zzz is now known as spotz | 19:04 | |
*** lamt has quit IRC | 19:12 | |
*** lamt has joined #openstack-keystone | 19:13 | |
*** spotz is now known as spotz_zzz | 19:14 | |
*** lamt has quit IRC | 19:25 | |
*** lamt has joined #openstack-keystone | 19:29 | |
stevemar | morgan: hey! | 19:57 |
stevemar | morgan: yeah, gerrit on mobile is TERRIBLE! | 19:57 |
stevemar | morgan: i can volunteer to do the dev docs for the options code | 19:57 |
*** thorst_ has joined #openstack-keystone | 20:01 | |
morgan | stevemar: cool. i'm finishing the MFA code refactor to process from user options | 20:04 |
morgan | then we just need to test it | 20:04 |
morgan | and maybe? write an API for it | 20:04 |
morgan | i'll prob submit a followup to move AuthContext, AuthInfo and associated functions to auth.core | 20:05 |
morgan | but for now the new mfa stuff is all that is in there | 20:05 |
*** spotz_zzz is now known as spotz | 20:05 | |
*** thorst_ has quit IRC | 20:06 | |
*** spotz is now known as spotz_zzz | 20:15 | |
stevemar | morgan: for posterity https://review.openstack.org/#/c/426463/ -- before i push it through myself | 20:21 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548 | 20:22 |
morgan | stevemar: +2/+A | 20:23 |
stevemar | ty | 20:23 |
morgan | so need some tests for the MFA thing | 20:24 |
morgan | and then we should figure out the API bits (if we want a self-service API or not) | 20:24 |
morgan | and documentation on it | 20:24 |
morgan | not too far out | 20:25 |
*** r1chardj0n3s_afk is now known as r1chardj0n3s | 20:25 | |
morgan | stevemar: i am actually liking the new option code a lot w/ the JSON schema bits | 20:25 |
morgan | stevemar: i look forward to implementing it for project/domain, group, etc | 20:26 |
morgan | stevemar: annnnnnnd pushing one step closer to dropping "extras" | 20:26 |
* morgan is pondering a way to allow vendor data (in a specific area) of the resources using a similar mechanism | 20:26 | |
morgan | like a loadable 'vendor data' plugin | 20:27 |
morgan | and it would work like resource_options | 20:27 |
morgan | but be vendor-data specific. | 20:27 |
morgan | and show up in like user['vendor_data'] | 20:27 |
morgan | and then we could 100% ditch extras (deprecate/remove) | 20:27 |
morgan | or deprecate and default to "off" | 20:27 |
morgan | stevemar: so... do we want a self-service API for MFA rules or do we want to just push to pike where we can implement policy on user['options'] | 20:29 |
*** nicolasbock has joined #openstack-keystone | 20:31 | |
*** Jack_I has quit IRC | 20:47 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548 | 20:51 |
morgan | stevemar: responded to comments. | 20:57 |
stevemar | morgan: pull out meant ... just define the schema above the option registry or something | 20:58 |
stevemar | so you don't have the schema in line | 20:58 |
morgan | ah, *shrug* we could | 20:59 |
morgan | i think it's about the same either way. jsonschema is generally not super readable | 20:59 |
morgan | stevemar: so... since you're here... | 20:59 |
morgan | stevemar: are we good with leaving MFA admin-set for the moment | 21:00 |
morgan | and future (PIKE) do the user-option policy thing | 21:00 |
morgan | would make it much easier to land. | 21:00 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add comment to clarify resource-options jsonschema https://review.openstack.org/426604 | 21:02 |
stevemar | morgan: thats what i figured it would be | 21:04 |
morgan | okie | 21:04 |
morgan | wfm | 21:04 |
morgan | ugh. | 21:04 |
morgan | w.t.f | 21:04 |
morgan | gah python2.7 does a bad job of managing circular deps | 21:05 |
*** flwang has joined #openstack-keystone | 21:06 | |
flwang | lbragstad: ping | 21:16 |
morgan | flwang: lbragstad might not be around since it's the weekend | 21:17 |
morgan | flwang: FYI. | 21:17 |
morgan | but then again.. he might be ;), worst case he'll be around tomorrow for sure. | 21:17 |
flwang | morgan: thanks | 21:17 |
flwang | morgan: would you mind helping take a look at this error http://logs.openstack.org/58/423658/4/check/gate-rally-dsvm-zaqar-zaqar-ubuntu-xenial-nv/c943347/logs/apache/keystone.txt.gz ? | 21:17 |
morgan | sec. | 21:17 |
flwang | our zaqar rally gate always failed because failed to get token from keystone | 21:18 |
flwang | morgan: thank you! | 21:18 |
morgan | stevemar: ugh. things are broken somehow between last run and this run with DeprecationWarnings. | 21:19 |
morgan | *blink* | 21:19 |
morgan | stevemar: nvm. | 21:20 |
morgan | stevemar: i needed a rebase *wince* | 21:20 |
morgan | flwang: waiting for it to load. once the log loads i might be able to help more | 21:20 |
flwang | morgan: thanks a lot | 21:21 |
morgan | flwang: so.. this log looks normal to me? i need more context to dig up what you're having an issue with | 21:21 |
flwang | http://logs.openstack.org/58/423658/4/check/gate-rally-dsvm-zaqar-zaqar-ubuntu-xenial-nv/c943347/logs/ | 21:22 |
morgan | it looks like you might be making a v3 user auth request with v2 data (no domain in the user) | 21:22 |
morgan | flwang: i'm sorry i'm going to need more specifics, digging through every log is not in the books for me today | 21:23 |
morgan | point me at the specific error | 21:23 |
*** lamt has quit IRC | 21:23 | |
flwang | morgan: http://logs.openstack.org/58/423658/4/check/gate-rally-dsvm-zaqar-zaqar-ubuntu-xenial-nv/c943347/console.html | 21:24 |
morgan | it looks like rally is making a bad auth request | 21:24 |
morgan | my guess is it is making a v2 auth request to the v3 api | 21:24 |
morgan | flwang: BadRequest: Expecting to find domain in user. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-511d48a5-5c2a-428c-b89d-34162d20473d) | 21:25 |
morgan | flwang: if you use username in auth in v3, you must specify a domain | 21:25 |
flwang | morgan: yep, but seems the other services's rally job work fine, that's weird | 21:25 |
morgan | you cannot assume keystone knows the domain you're talking to | 21:25 |
morgan | that i can't tell you why, it may be that zaqar is misconfigured | 21:25 |
*** agrebennikov__ has joined #openstack-keystone | 21:26 | |
morgan | flwang: looking here: http://logs.openstack.org/58/423658/4/check/gate-rally-dsvm-zaqar-zaqar-ubuntu-xenial-nv/c943347/logs/etc/zaqar/zaqar.conf.txt.gz the trustee config might be wrong | 21:27 |
morgan | but it doesn't look off | 21:28 |
morgan | it may also be rally's config | 21:28 |
flwang | morgan: but the trustee options shouldn't be used for a normal queue action | 21:28 |
flwang | i will dig more and get back to ask more question :) thank you very much | 21:29 |
morgan | then it might be rally's config is just wrong itself. it's def something making a v3 auth request without domain in the user block in auth | 21:29 |
flwang | morgan: cool, and another weird thing is, i can't reproduce it locally :( | 21:30 |
morgan | check to make sure v2 keystone is enabled in that test | 21:31 |
morgan | we have some things not enabling v2 keystone iirc. | 21:31 |
* morgan points out things need to start gating on v3-only, so it is good to find these issues. | 21:31 | |
flwang | morgan: is it possible that zaqarclient is doing a bad thing http://logs.openstack.org/58/423658/4/check/gate-rally-dsvm-zaqar-zaqar-ubuntu-xenial-nv/c943347/console.html#_2017-01-27_16_07_45_203789 ? | 21:34 |
morgan | perhaps | 21:34 |
morgan | usually that means what is being passed to the client is incorrect | 21:35 |
flwang | morgan: yep, i think you're correct | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add MFA Rules and Enabled User options https://review.openstack.org/418166 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Implement better validation for resource options https://review.openstack.org/426431 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Create user option `ignore_lockout_failure_attempts` https://review.openstack.org/424220 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: cleanup release notes from PCI options https://review.openstack.org/426463 | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add comment to clarify resource-options jsonschema https://review.openstack.org/426604 | 21:38 |
morgan | stevemar: ^ lots of rebase. | 21:42 |
morgan | stevemar: but mostly ready to go, working on some cleanup and then testing | 21:42 |
Adobeman | orz.. I built the entire top level ldap tree where I can do ldapsearch and stuff, keystone still tells me user is disabled.. | 21:42 |
Adobeman | what the hell is it trying to read #!*&%#!) | 21:42 |
Adobeman | it's almost as if it should just go with an objectClass or something.. | 21:43 |
Adobeman | even went as far as getting cinder/nova/swift.. created in ldap.. mapping the user ID back to whatever it was internal to the SQL server.. | 21:47 |
Adobeman | adding all of them into a enabled_users group.. | 21:48 |
*** lamt has joined #openstack-keystone | 21:52 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Cleanup TODO about auth.controller code moved to core https://review.openstack.org/426607 | 22:01 |
*** thorst_ has joined #openstack-keystone | 22:02 | |
*** spotz_zzz is now known as spotz | 22:07 | |
*** thorst_ has quit IRC | 22:07 | |
*** lamt has quit IRC | 22:07 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Cleanup TODO, AuthContext and AuthInfo to auth.core https://review.openstack.org/426608 | 22:09 |
morgan | stevemar: ok working on MFA tests now. | 22:13 |
morgan | actually going to take a break and cook something then do MFA tests | 22:14 |
*** spotz is now known as spotz_zzz | 22:16 | |
morgan | #success implemented a far better architecture for resource-specific options in keystone (initially used for Users) | 22:24 |
openstackstatus | morgan: Added success to Success page | 22:24 |
*** thorst_ has joined #openstack-keystone | 22:29 | |
*** adrian_otto has joined #openstack-keystone | 22:39 | |
*** adrian_otto1 has joined #openstack-keystone | 22:41 | |
*** adriant has joined #openstack-keystone | 22:43 | |
*** adrian_otto has quit IRC | 22:44 | |
*** martinlopes has joined #openstack-keystone | 22:45 | |
*** lamt has joined #openstack-keystone | 22:52 | |
*** ianw_pto is now known as ianw | 22:53 | |
*** agrebennikov__ has quit IRC | 22:56 | |
adriant | morgan: you about? | 22:58 |
*** spotz_zzz is now known as spotz | 23:08 | |
morgan | adriant: o/ | 23:08 |
*** lamt has quit IRC | 23:08 | |
morgan | adriant: whats up? | 23:08 |
adriant | morgan: hello! Have been going through your patches for MFA, they look great! Was curious though if I could convince you to do a set of global default rules in the conf. :P | 23:09 |
adriant | morgan: user rules if present, or global defaults if present, or any of active plugins, | 23:09 |
adriant | because I don't want users using TOTP by itself for example | 23:10 |
adriant | and the only way to do that otherwise is set that as a rule for everyone... | 23:10 |
adriant | as long as there is a good fall back if the globals aren't there, it won't break anything and will be purely optional | 23:11 |
adriant | morgan: can be done as a follow up later, just wondering if you're open to the idea. | 23:12 |
morgan | nope | 23:12 |
morgan | not in this cycle | 23:12 |
morgan | right now the options will be landing (if this cycle) as Admin-set only | 23:13 |
morgan | in the future you can still maintain that and guarantee the logic such as not using totp in isolation is done | 23:13 |
*** adrian_otto1 has quit IRC | 23:13 | |
adriant | Oh yeah, I was mainly thinking for Pike | 23:13 |
morgan | in pike i'd be open to discussion | 23:14 |
morgan | but i wont commit one way or another at this point | 23:14 |
morgan | :) | 23:14 |
adriant | not a problem. I don't expect us to have fully working MFA until at least Pike anyway. :P | 23:14 |
*** adrian_otto has joined #openstack-keystone | 23:15 | |
*** spotz is now known as spotz_zzz | 23:17 | |
adriant | morgan: looking at the patches up, seems the only thing left (apart from more review) is the API for actually adding rules. | 23:18 |
morgan | not needed this cycle | 23:19 |
morgan | in fact, the rules are validated in the jsonschema and on the backend, the only thing we aren't validating *atm* is if the strings are valid auth methods | 23:19 |
morgan | but the enforcement of such things is ensured at the auth controller | 23:19 |
adriant | morgan: yeah, so all that is missing is the API which uses that validation, which will come in Pike. | 23:20 |
morgan | if an invalid auth-method is supplied, it is removed. if an auth rule has no methods, the rule is removed (from processing) and if there are no rules, auth works like it does today | 23:20 |
adriant | so for now the rules need to be set in the database? | 23:20 |
morgan | the enforcement is already built. | 23:20 |
morgan | no, you set it with a post to update_user | 23:20 |
adriant | OH | 23:20 |
adriant | nvm ignore me | 23:21 |
morgan | user['options']['multi_factor_auth_rules'] = [['password', 'totp'], ['token'], ...] | 23:21 |
adriant | yeah, that's right | 23:21 |
morgan | it's baked in to use the new resource options | 23:21 |
morgan | i need to add some tests for it in the next patch | 23:21 |
morgan | but that is all that is missing (and docs) | 23:21 |
adriant | nice | 23:22 |
adriant | I'll start looking at keystoneauth1 code for what we'll need to do there in Pike, and possibly even at the django openstack auth code | 23:23 |
adriant | from what I remember from the discussion with jamielennox we'll need to make a "multi" plugin for keystoneauth | 23:24 |
adriant | or something of the sort | 23:24 |
*** adrian_otto has quit IRC | 23:24 | |
morgan | yep | 23:25 |
adriant | with sub-plugins for it which tell keystone auth what each auth method actually requires | 23:25 |
morgan | sub-plugins? | 23:28 |
morgan | just allow ksa to accept multiple plugins cleanly | 23:28 |
morgan | it is likely just the multi-plugin can process multiple of the main plugins | 23:28 |
morgan | not really any sub or "extra" plugins | 23:29 |
adriant | That was one of the things i was considering. Have the multi-plugin be a special case that wraps around multiple of the other ones. | 23:29 |
adriant | would be odd though, but likely the easiest way to do it without changing how ksa handles plugins entirely | 23:30 |
*** martinlopes has quit IRC | 23:37 | |
*** martinlopes has joined #openstack-keystone | 23:39 | |
*** thorst_ has quit IRC | 23:59 |