Thursday, 2018-01-25

« Wednesday, 2018-01-24 Index Friday, 2018-01-26 »
*** mvk has joined #openstack-keystone00:02
*** hoonetorg has quit IRC00:10
*** AlexeyAbashkin has joined #openstack-keystone00:11
*** AlexeyAbashkin has quit IRC00:15
*** edmondsw has joined #openstack-keystone00:19
*** edmondsw has quit IRC00:23
*** hoonetorg has joined #openstack-keystone00:30
*** edmondsw has joined #openstack-keystone00:31
*** edmondsw has quit IRC00:36
*** edmondsw has joined #openstack-keystone00:37
*** edmondsw has quit IRC00:41
*** dave-mccowan has joined #openstack-keystone00:42
*** edmondsw has joined #openstack-keystone00:44
*** edmondsw has quit IRC00:45
*** edmondsw has joined #openstack-keystone00:46
*** edmondsw has quit IRC00:50
*** zhurong has joined #openstack-keystone01:06
*** hoonetorg has quit IRC01:17
*** hoonetorg has joined #openstack-keystone01:21
*** dave-mccowan has quit IRC01:22
*** aselius has quit IRC01:29
wxylbragstad: o/01:38
openstackgerritGao Fei proposed openstack/keystone-specs master: Replace curly quotes with straight quotes  https://review.openstack.org/53725901:44
*** daidv has joined #openstack-keystone01:52
*** dave-mccowan has joined #openstack-keystone01:53
*** zhurong has quit IRC02:14
openstackgerritGao Fei proposed openstack/keystone master: Replace Chinese punctuation with English punctuation  https://review.openstack.org/53670902:20
openstackgerritMerged openstack/keystone master: Teach TokenFormatter how to handle system scope  https://review.openstack.org/52533002:33
openstackgerritMerged openstack/keystone master: Implement system-scope in the token provider API  https://review.openstack.org/52536002:33
openstackgerritMerged openstack/keystone master: Introduce assertions for system-scoped token testing  https://review.openstack.org/52803702:33
*** dave-mccowan has quit IRC02:33
gagehugorelationship links :(02:44
*** dave-mccowan has joined #openstack-keystone02:54
*** zhurong has joined #openstack-keystone03:08
*** harlowja has quit IRC03:21
openstackgerritwangxiyuan proposed openstack/keystone master: Improve limit sql backend  https://review.openstack.org/53558703:21
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410903:21
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014303:21
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411003:21
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568803:21
*** zhurong_ has joined #openstack-keystone03:27
ayoungmordred, is shade officially released in any of the Red Hat supported repositories, or do I need to go to EPEL for it?03:32
*** openstackgerrit has quit IRC03:33
ayoungkmalloc, same question03:35
*** openstackgerrit has joined #openstack-keystone03:43
openstackgerritGao Fei proposed openstack/keystone-specs master: Replace curly quotes with straight quotes  https://review.openstack.org/53725903:43
openstackgerritVishakha Agarwal proposed openstack/keystone master: Delete tokens from DB is not required in case of Fernet.    https://review.openstack.org/53732203:44
*** annp has joined #openstack-keystone03:49
*** namnh has joined #openstack-keystone03:57
lbragstadwxy: o/03:57
*** links has joined #openstack-keystone04:09
*** dave-mccowan has quit IRC04:24
*** harlowja has joined #openstack-keystone04:28
*** zhurong_ has quit IRC04:39
*** harlowja has quit IRC05:17
*** jaosorior has joined #openstack-keystone05:23
openstackgerritGage Hugo proposed openstack/python-keystoneclient master: Override find function in project  https://review.openstack.org/53774905:25
gagehugocmurphy ^05:26
openstackgerritGao Fei proposed openstack/keystone master: Replace Chinese punctuation with English punctuation  https://review.openstack.org/53670905:32
*** gongysh has joined #openstack-keystone05:41
*** zhurong has quit IRC06:13
*** rcernin has quit IRC06:14
*** AlexeyAbashkin has joined #openstack-keystone06:22
*** zhurong has joined #openstack-keystone06:22
*** AlexeyAbashkin has quit IRC06:30
openstackgerritwangxiyuan proposed openstack/keystone master: Improve limit sql backend  https://review.openstack.org/53558706:41
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410906:41
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014306:42
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411006:42
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568806:42
openstackgerritwangqiang-bj proposed openstack/keystone master: add 'extra' in request body of projects  https://review.openstack.org/53776206:45
*** markvoelker has quit IRC06:52
*** markvoelker has joined #openstack-keystone06:53
*** markvoelker has quit IRC06:57
openstackgerritMerged openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/53705706:57
*** threestrands_ has quit IRC07:02
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410907:03
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014307:03
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411007:03
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568807:03
*** hoonetorg has quit IRC07:17
*** jose-phi_ has quit IRC07:26
*** hoonetorg has joined #openstack-keystone07:29
openstackgerritAndreas Jaeger proposed openstack/keystone master: Use native Zuul v3 tox job  https://review.openstack.org/53778707:40
*** deepak_ has quit IRC07:49
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410907:54
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014307:54
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411007:54
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568807:54
*** pcaruana has joined #openstack-keystone07:55
*** yangzhenyu__ has quit IRC08:01
*** AlexeyAbashkin has joined #openstack-keystone08:04
*** mvk has quit IRC08:08
*** jose-phillips has joined #openstack-keystone08:16
*** tesseract has joined #openstack-keystone08:20
*** jose-phillips has quit IRC08:25
*** jose-phillips has joined #openstack-keystone08:25
*** gongysh has quit IRC08:26
*** rha has joined #openstack-keystone08:31
*** rha has quit IRC08:31
*** rha has joined #openstack-keystone08:31
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411008:32
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568808:32
*** gongysh has joined #openstack-keystone08:33
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411008:34
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568808:34
*** jose-phillips has quit IRC08:47
*** markvoelker has joined #openstack-keystone08:54
*** zhurong has quit IRC08:55
*** yangzhenyu has joined #openstack-keystone09:03
*** jmlowe has quit IRC09:16
*** zhurong has joined #openstack-keystone09:25
*** markvoelker has quit IRC09:27
*** itlinux has joined #openstack-keystone09:31
*** magicboiz has joined #openstack-keystone09:36
*** magicboiz has quit IRC09:36
openstackgerritwangxiyuan proposed openstack/keystone master: Remove pki_setup step in doc  https://review.openstack.org/53630809:44
openstackgerritwangxiyuan proposed openstack/keystone master: Remove PKI/PKIZ token in doc  https://review.openstack.org/53782009:51
*** yangzhenyu has quit IRC09:55
*** zhurong_ has joined #openstack-keystone09:56
*** itlinux has quit IRC09:58
*** itlinux has joined #openstack-keystone10:01
*** baffle has quit IRC10:05
*** baffle has joined #openstack-keystone10:05
*** yangzhenyu has joined #openstack-keystone10:05
*** itlinux has quit IRC10:09
*** hoonetorg has quit IRC10:09
*** yangzhenyu_ has joined #openstack-keystone10:15
*** yangzhenyu has quit IRC10:15
*** hoonetorg has joined #openstack-keystone10:22
*** markvoelker has joined #openstack-keystone10:25
*** annp has quit IRC10:46
*** jistr is now known as jistr|mtg10:49
*** gongysh has quit IRC10:54
*** markvoelker has quit IRC10:58
*** yangzhenyu__ has joined #openstack-keystone11:25
*** yangzhenyu_ has quit IRC11:27
*** namnh has quit IRC11:31
*** zhurong has quit IRC11:35
*** sapd_ has quit IRC11:45
*** zhurong has joined #openstack-keystone11:55
*** markvoelker has joined #openstack-keystone11:55
*** AlexeyAbashkin has quit IRC11:58
*** AlexeyAbashkin has joined #openstack-keystone11:58
*** sapd_ has joined #openstack-keystone11:58
*** yangzhenyu__ has quit IRC12:06
*** yangzhenyu__ has joined #openstack-keystone12:06
*** raildo has joined #openstack-keystone12:10
*** tesseract has quit IRC12:24
*** markvoelker has quit IRC12:29
*** sambetts|afk is now known as sambetts12:35
*** jistr|mtg is now known as jistr12:38
*** yangzhenyu_ has joined #openstack-keystone12:47
*** yangzhenyu__ has quit IRC12:50
*** jmlowe has joined #openstack-keystone12:57
*** yangzhenyu_ has quit IRC12:59
*** yangzhenyu_ has joined #openstack-keystone13:00
*** jmlowe has quit IRC13:02
*** belmoreira has joined #openstack-keystone13:04
*** dave-mccowan has joined #openstack-keystone13:05
*** yangzhenyu__ has joined #openstack-keystone13:07
*** yangzhenyu_ has quit IRC13:10
*** zhurong has quit IRC13:16
openstackgerritColleen Murphy proposed openstack/keystone master: Add a release note for application credentials  https://review.openstack.org/53549313:22
*** markvoelker has joined #openstack-keystone13:26
*** tesseract has joined #openstack-keystone13:28
*** edmondsw_ has joined #openstack-keystone13:30
openstackgerritColleen Murphy proposed openstack/keystone master: Add Application Credentials controller  https://review.openstack.org/52442313:40
openstackgerritColleen Murphy proposed openstack/keystone master: Add application credential auth plugin  https://review.openstack.org/52534613:40
openstackgerritColleen Murphy proposed openstack/keystone master: Add api-ref for application credentials  https://review.openstack.org/53374413:40
openstackgerritColleen Murphy proposed openstack/keystone master: Enable application_credential auth by default  https://review.openstack.org/53546913:40
openstackgerritColleen Murphy proposed openstack/keystone master: Impose limits on application credentials  https://review.openstack.org/53654313:40
openstackgerritColleen Murphy proposed openstack/keystone master: Add a release note for application credentials  https://review.openstack.org/53549313:40
*** tesseract has quit IRC13:42
*** tesseract has joined #openstack-keystone13:42
*** zhurong_ has quit IRC13:44
*** edmondsw_ is now known as edmondsw13:48
*** panbalag has joined #openstack-keystone13:56
*** panbalag has left #openstack-keystone13:56
*** gongysh has joined #openstack-keystone13:58
*** McClymontS has joined #openstack-keystone13:58
*** markvoelker has quit IRC13:59
*** jmlowe has joined #openstack-keystone13:59
*** david-lyle has quit IRC14:01
*** Supun has joined #openstack-keystone14:03
*** McClymon_ has joined #openstack-keystone14:05
*** McClymontS has quit IRC14:07
*** jose-phillips has joined #openstack-keystone14:09
*** tesseract has quit IRC14:17
*** tesseract has joined #openstack-keystone14:18
*** phalmos has joined #openstack-keystone14:22
-openstackstatus- NOTICE: We're currently experiencing issues with the logs.openstack.org server which will result in POST_FAILURE for jobs, please stand by and don't needlessly recheck jobs while we troubleshoot the problem.14:26
*** jose-phillips has quit IRC14:29
hrybackio/14:29
*** markvoelker has joined #openstack-keystone14:34
*** McClymon_ has quit IRC14:36
ayounghrybacki, I think I can get shade to install using two RPMs14:37
ayoungwhich, of course, we need for Ansible14:37
ayoungSupun, ask me again here...I think you will like the answer14:37
SupunYeah sure14:37
SupunWe're working with Google Summer of Code administration process14:38
hrybackiayoung: context? sorry if I miseed something14:38
SupunWe need to submit Google Summer of Code internship ideas for getting students for our projects14:38
ayounghrybacki, total non-sequitor to you14:38
ayoungSoC 2018 landing page - https://wiki.openstack.org/wiki/GSoC201814:39
SupunGSoC 2018 landing page - https://wiki.openstack.org/wiki/GSoC201814:39
SupunWe already have 4 internship ideas(Manila,Zun and Cinder projects) - https://wiki.openstack.org/wiki/GSoC201814:39
ayoungSupun, ++14:39
hrybackiayoung: okay (me opens link)14:39
ayounghrybacki, heh14:40
SupunCould you please help us to add 2-3 internship ideas for Keystone and help mentoring. That would be a great help14:40
ayoungwrong convo14:40
ayoungSupun, we'd be happy to14:40
Supungreat thanks :)14:40
ayoungSupun, when do you need them by?  Right now, the main coders for Keystone are heads down on the current release14:40
* hrybacki nods14:40
ayoungthere are 2 huge efforts going on:  System scoped roles and Application credentials14:41
hrybackicode freezes are this week14:41
lbragstadand unified limits14:41
hrybacki^^14:41
ayoungboth are slated to land this release, but both will, I suspect, have follow on work14:41
hrybackilbragstad: great job -- lots of +1 workflows :)14:41
ayounglbragstad, is doing the former, cmurphy the latter14:41
ayounglbragstad, good point14:41
ayoungso for GSOC...we'll be well into the next release when that starts.14:42
lbragstadSupun: another option for curating ideas is to send a note to the openstack-dev mailing list with [keystone] tagged in the subject14:42
Supunayong,  please try to update your project ideas as soon as you get a chance :)14:42
ayounglbragstad, lets own the Keystone ones here, though...give me a sense of what you think the priorities/action items will be, and I'll update the GSoC site14:43
SupunBecause Google is doing the evaluation process14:43
lbragstadwell - the unified limit api is going to be marked as experimental14:43
ayounglbragstad, one thing I was thinking of was better REST linkages.  So you can hit /v3 and see a link to /v3/users etc14:43
hrybackilbragstad: ayoung thinking outside the (release) box -- what sorts of things need to happen that fall outside of 'landing feature in release X' ?14:43
lbragstadso we need to flesh out issues and get that squared away14:43
hrybackitech debt type things that we aren't trying to slam into a release that are still incredibly important14:44
cmurphyayoung: we need that14:44
ayoungyeop14:44
lbragstadmind if i start an etherpad and you can copy paste into another document?14:44
*** McClymontS has joined #openstack-keystone14:44
ayounglbragstad, go for it14:44
lbragstadhttps://etherpad.openstack.org/p/keystone-internship-ideas14:44
ayounghrybacki, heading back to the other topic: shade14:45
* hrybacki nods14:45
ayoungI was trying to do some basic OpenStack operations against our cluster last night, and was getting frustrated14:45
ayoungI'm on F27, and that means I have ansible, shade, etc14:45
ayoungbut I really don't want to have passwordless sudo on my machiine14:46
ayoungsecurity thing14:46
ayoungand so, to call an openstack module, I really want it on one of the remote machines on which I am working, even if it is really just a jump host14:46
ayounghowever, there was no good way to get shade installed on "official" OSP deployments14:47
ayoungit turns out that, although it is in RDO, it is not yet in OSP, which makes me sad14:47
*** McClymontS has quit IRC14:47
ayoungin order to get ansible/shade/openstack working, you can install:  http://mirror.centos.org/centos/7/cloud/x86_64/openstack-pike/python2-shade-1.22.2-1.el7.noarch.rpm14:47
ayoungbut that needs one other RPM, too14:48
ayoung http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/p/python-munch-2.0.2-2.el7.noarch.rpm14:48
ayoungthought it might help you out on your quest to automate testability stuff, especially for Keystone14:48
ayounghrybacki, I see this as strategic:  ansible is the norm now, and we need to support it as seamlessly as possible, upstream and down14:49
*** rmcall has joined #openstack-keystone14:49
hrybackiayoung: I agree. And fwiw we know OSP does as well. Much of the TripleO workflow is being moved from puppet->ansible which says A LOT to me14:50
cmurphyansible is still one choice of several14:51
cmurphyit shouldn't be on us to converge behind one deployment style choice14:51
ayounghrybacki, yeah, I know that, and so I found it strange that it was not yet supported14:51
hrybackiayoung: I'd have to look through internal lists to gain context on Shade from downstream perspective14:52
ayoungcmurphy, heh...battles of the past rearing their heads...14:52
ayoungcmurphy, agreed that there are many ways to do it, but this is actually day2 as well:14:52
ayounghow to do basic Keystone operations like add users to domain and so on14:52
ayoungits more than just deployment...shade is really an extension to the python-*clients14:52
ayoungand a useful library in its own right, just it came out of the need for better organization within the ansible modules14:53
ayounghttps://bugzilla.redhat.com/show_bug.cgi?id=145308914:53
openstackbugzilla.redhat.com bug 1453089 in distribution "[RFE] Ship python-shade as part of the RHOS Channels" [Medium,Post] - Assigned to tvignaud14:53
ayoungcmurphy,  shade is under the big tent:  https://github.com/openstack-infra/shade14:54
cmurphyayoung: i'm with you on shade14:54
cmurphyayoung: and if making shade better transitively makes ansible support better then great14:55
cmurphyi just don't want keystone to be part of holy wars14:55
hrybacki"Keystone Crusades" does have a nice ring to it though cmurphy...14:55
*** aselius has joined #openstack-keystone14:55
ayoungcmurphy, so I had built something comparable for testing a while back.  It was a setupand teardown code base for Openstack clusters, mostly for dealing with the network setup14:58
ayoungI needed to be able to create: a private network + subnet + router + router interface etc and it has to be built in the right order14:58
ayoungit was just a personal project, and it took a fair bit of time, but it is the only thing I know of which was designed to both built and tear down a network stack in the right order14:59
ayoungI resurrected it about a week ago for my day job, and the one thing I realized that it does not do (at all) is provide a way to add a new partition to a server...which we need for some workflows15:00
ayoungso I started messing with Ansible to do that, and thus this discussion15:00
ayoungbut...15:00
ayoungwhat I am starting to see is that the container way of deploying OpenStack is fast becoming the norm, and I'd like to get some documentation around that avaiaable15:01
ayoungthe Kolla folks have some, and getting links to "here is how you deploy keystone in Kubernetes" type stuff for development/testing would be on my shortlist15:01
ayoungso, as you can see, I am kind of in the "lets actually use this stuff" mode, and trying to close the gaps.  Hopefully this means I will have some more real world data for the team here in the next couple iterations15:02
ayoung"this is really what customers need Keystone to be able to do"15:02
*** r-daneel has joined #openstack-keystone15:02
ayoungsome of it will be infra, but hopefully some of it will be to strengthen the core project here15:02
*** phalmos_ has joined #openstack-keystone15:04
*** belmoreira has quit IRC15:05
*** phalmos has quit IRC15:07
lbragstadthis is interesting based on yesterdays conversation https://apievangelist.com/2017/08/03/api-discovery-using-json-home/15:12
lbragstadhuh - interesting15:16
ayounglbragstad, so, at a minimum, shouldn't we have a link to the json home doc from /v3 ?15:16
ayoungwhere is json home housed by default?15:17
lbragstadhttps://tools.ietf.org/html/draft-nottingham-json-home-0615:17
lbragstadayoung: just hit the v3 endpoint with application/json-home in the header15:17
lbragstadas the content-type15:17
ayounghmmm15:17
ayoungthat seems wrong15:17
ayoungbut, ok15:17
* lbragstad shrugs15:17
cmurphyhard to make a link that way15:17
lbragstadwe could add a link i suppose15:18
ayoungyeah15:18
lbragstadthe spec looks like it is still under development15:18
lbragstad(i was under the assumption it was abandon)15:18
ayounglbragstad, its just JSON, right?15:18
lbragstadhttps://tools.ietf.org/html/draft-nottingham-json-home-0615:18
lbragstadayoung: yes - to my knowledge15:18
ayoungwhere would we want it?  /v3/home ?15:18
lbragstad^ that draft says it is expired15:19
lbragstadhttps://github.com/mnot/I-D/wiki/json-home is not15:19
lbragstadi need to read this15:19
*** gongysh has quit IRC15:19
lbragstadactually - this is the most up-to-date version i can find https://mnot.github.io/I-D/json-home/15:20
ayounglbragstad, this does not seem to work:15:20
ayoungcurl http://openstack.salab.redhat.com:5000/v3    -H "Content-type: application/json-home"15:20
*** pcaruana has quit IRC15:20
cmurphyit's Accept: not Content-type:15:21
lbragstadayoung: sorry - i gave you the wrong header15:21
lbragstad curl -X GET -H 'Accept: application/json-home' http://192.168.122.160:35357/v3/ | python -m json.tool15:21
ayoung curl http://openstack.salab.redhat.com:5000/v3    -H "Accept: application/json-home" | jq '.'15:22
ayounggot it15:22
ayounglbragstad, so...this is why, you might recall a few years back, I wanted keystone to be able to product HTML15:22
ayoungif you hit /v3 with a browser, and clicked from link to link, you would see the workflow that we then want to be able to automate15:23
lbragstadyeah - i remember that effort15:23
ayoungso the fact that this requires a-priori knowledge of how to find json-home is anti- REST15:23
ayoungand...what we really want is something like the capabilities effort:15:24
ayoungby hitting a keystone site, you can figure out what is supported15:24
ayoungIdeally, I think it would work like this:15:24
mordredayoung: right - the thing you're talking about is called "swagger"15:24
mordredand serves a different purpose than json-home - but also having a swagger/openapi endpoint available would be awesome15:25
ayoungmordred, yeah, that would work, but it is not quite the same thing15:25
ayoungswagger is for producing human readalbe docs of an API15:25
ayoungand it is wonderful15:25
ayoungwhat I want is slightly different:15:25
ayoungI want to direct a user (human or bot) to what they can do on an actual site:15:25
ayoungsomething more like capabilities15:26
ayoungand...for Keystone, It should be based on the roles  that a user hasactive:15:26
ayoungso sometjhing like this:15:26
ayounghit /v3.  Authenticate.  Get unscoped token....but a list of viable scoped for that user15:26
ayoungselecte a scope15:27
ayoungand possbile a subset of roles under that scope15:27
*** itlinux has joined #openstack-keystone15:27
ayoungget a set of links for what you *can* do with that15:27
ayoungso json home gives me, for example:15:28
ayoung    "http://docs.openstack.org/api/openstack-identity/3/rel/project": {15:28
ayoung      "href-template": "/projects/{project_id}",15:28
ayoung      "href-vars": {15:28
ayoung        "project_id": "http://docs.openstack.org/api/openstack-identity/3/param/project_id"15:28
ayoung      }15:28
ayoung    },15:28
ayoungreally what I need is "here is the URL to list projects"15:28
ayoung    "http://docs.openstack.org/api/openstack-identity/3/rel/groups": {15:29
ayoung      "href": "/groups"15:29
ayoung    },15:29
ayoungis probably a better example15:29
ayoungor     "http://docs.openstack.org/api/openstack-identity/3/rel/projects": {15:29
ayoung      "href": "/projects"15:29
ayoung    },15:29
ayoungbut I should not see that if I don't have the role in my token that allows me to list projects15:29
ayoungright now, all a user can do is try it, and see that it fails15:30
ayoungOK, enough crapflood from me15:30
*** phalmos_ has quit IRC15:30
*** dave-mccowan has quit IRC15:31
*** d0ugal has quit IRC15:31
*** phalmos has joined #openstack-keystone15:34
*** dave-mccowan has joined #openstack-keystone15:34
*** david-lyle has joined #openstack-keystone15:38
*** d0ugal has joined #openstack-keystone15:40
*** belmoreira has joined #openstack-keystone15:43
lbragstadour json-home document makes more sense after i read https://mnot.github.io/I-D/json-home/#resolving-templated-links15:53
lbragstadayoung:  what you described sounds like what is laid out in https://mnot.github.io/I-D/json-home/#resource_hints15:55
lbragstadwhere resource hints looks like a mechanism you could use to do some of what you're talking about15:56
ayoung      "hints": {15:58
ayoung        "status": "experimental"15:58
ayoung      }15:58
ayoungso, yeah, we could put15:58
ayoung        "role": "Member"15:58
ayoungin there15:59
ayoungand leave blank for those where the user does not have an appropriate role15:59
ayoungthat would be keystone specific, but it seems like it would be a better mechanism thant adding a /capabilities link like Cinder is doing16:00
*** belmoreira has quit IRC16:00
lbragstadwell - i'm wondering if it is possible to prune the home document based on the token16:01
-openstackstatus- NOTICE: logs.openstack.org is stabilized and there should no longer be *new* POST_FAILURE errors. Logs for jobs that ran in the past weeks until earlier today are currently unavailable pending FSCK completion. We're going to temporarily disable *successful* jobs from uploading their logs to reduce strain on our current limited capacity. Thanks for your patience !16:01
lbragstadif all the apis have hints that contain the default or registered policies for those APIs, then we might just have everything we need to give a customized home document to a client16:02
*** phalmos has quit IRC16:02
mordredayoung: right. that's why I'm saying that's what swagger is for16:09
mordredayoung: because with swagger docs you can totally click through to various links and execute the api calls and everything16:09
mordredayoung: the PROBLEM is that your browser has no idea how to authenticate to keystone16:09
ayoungmordred, right16:10
ayoungmordred, we can solve that, though16:10
ayoungstarting with basic auth:16:10
ayoungpassword auth should be replaced with basic auth,  all the other federated links should work...but we need a way to point users at the right one16:11
ayounglbragstad, can you add a keystone meeting agenda Item at the right point to comb through and chose s GSoC item from https://etherpad.openstack.org/p/keystone-internship-ideas  ... next week or the week after ?16:12
mordredayoung: in general, fwiw, I totally agree with the desire for an explorable authed web interface - I was mostly saying it was different than the json-home because the json-home is a thing that sdk's can consume programmatically as needed on-behalf of a user16:12
mordredayoung: so I'd ultimately like *both* things so that the world is a happy place for a16:13
mordredall16:13
ayoungmordred, I had basic-auth working at one point16:13
ayoungit would be something like this:16:13
ayoungwhen a user comes in with basic auth, we have to create a session cookie with the scope in it16:13
ayoungit starts out: none16:13
ayoungthey then need a way to see the list of projects they have, and selects one16:13
ayoungfrom that point on, Keystone *acts* like it has a project scoped token...it can actually be a token, just stored in a cookie16:14
ayoungit could be done when the Accept: html header is set16:14
ayoungneed to make sure that doesn't mess up the Federation redirects16:15
*** phalmos has joined #openstack-keystone16:15
ayoungpart of the issue is that we would want to pull apart the Paste pipelines, and have /auth separate from the rest16:15
*** spilla has joined #openstack-keystone16:19
lbragstadeven though all the json-home stuff is still WIP and in draft, we don't have any documentation for it16:28
lbragstadi wonder if that is on purpose ^16:28
*** openstackstatus has quit IRC16:41
*** openstackstatus has joined #openstack-keystone16:43
*** ChanServ sets mode: +v openstackstatus16:43
Supunayoung, could you please assign mentors and add "Required skills" for the keystone-internship-ideas page16:43
*** linkmark has joined #openstack-keystone16:43
Supunhttps://etherpad.openstack.org/p/keystone-internship-ideas16:43
Supunthen I can update Google Summer of Code internship idea page as well -> https://wiki.openstack.org/wiki/Internship_ideas16:44
ayoungSupun, We need to whittle down to the right idea, and then we will do that16:48
*** links has quit IRC16:57
*** tesseract has quit IRC16:58
SupunCool16:58
lbragstadis it just me or are all rechecks failing?17:00
gagehugomuch borked17:01
cmurphylbragstad: infra was having problems with the log server, that should be fixed-ish now17:03
lbragstadack17:03
cmurphyor so said the notice, they still seem to be fighting it17:03
lbragstadjust put a fresh set of rechecks on the application credential stuff17:04
cmurphybut tempest still fails a lot due to cinder problems i think17:04
cmurphylbragstad: your auth plugin changes conflict with my auth plugin changes since you expanded the scope tuple17:05
cmurphyso whichever of us lose the zuul game will have to fix it17:05
lbragstad++17:06
lbragstadi saw your comment there17:06
lbragstadit's like the turtle races!17:06
cmurphyso many turtles http://zuul.openstack.org/17:06
lbragstadi know it - it's insane17:07
*** jistr is now known as jistr|conf17:13
lbragstadgoing to take lunch quick17:13
*** spilla has quit IRC17:15
openstackgerritmelissaml proposed openstack/keystone-specs master: Replace curly quotes with straight quotes  https://review.openstack.org/53798017:21
*** jose-phillips has joined #openstack-keystone17:32
ayounglbragstad, thanks https://adam.younglogic.com/2018/01/using-json-home-keystone/17:37
*** itlinux has quit IRC17:38
lbragstadayoung: nice!17:38
lbragstadi was just thinking about whether or not we should add the to out documentation17:38
lbragstador if that's "jumping the gun"17:38
lbragstad(even though we've supported it forever)17:39
lbragstadeven after reading the specification, i'mnot sure why it stalled out...17:39
*** AlexeyAbashkin has quit IRC17:59
*** david-lyle has quit IRC18:08
*** jistr|conf is now known as jistr18:14
*** rmcall has quit IRC18:20
*** sambetts is now known as sambetts|afk18:22
*** raildo has quit IRC18:27
*** raildo has joined #openstack-keystone18:27
*** hoonetorg has quit IRC19:07
*** david-lyle has joined #openstack-keystone19:09
*** david-lyle has quit IRC19:09
*** AlexeyAbashkin has joined #openstack-keystone19:24
*** david-lyle has joined #openstack-keystone19:26
*** AlexeyAbashkin has quit IRC19:28
*** rmcall has joined #openstack-keystone19:35
*** harlowja has joined #openstack-keystone19:44
*** spilla has joined #openstack-keystone19:45
edmondswcmurphy did I understand correctly that there are some limitations with using OIDC for federation compared to SAML? Can you point me to more info on that?19:55
edmondswI think what I remembered was with the openstack CLI... horizon is ok, cli not so much?19:56
*** Supun has quit IRC19:58
*** hoonetorg has joined #openstack-keystone20:14
*** chason has quit IRC20:17
lbragstadcmurphy: mordred jamielennox this seems even more specific to what we were talking about yesterday https://github.com/mnot/I-D/issues/21320:23
*** chason has joined #openstack-keystone20:23
*** raildo has quit IRC20:24
jamielennoxlbragstad, that at least implies that someone is still working on it. The draft up now looks to have changed since i last looked.20:26
lbragstadyeah - they are on draft 06?20:26
lbragstadbased on what i can find20:27
jamielennoxI don't know why i thought it was abandoned20:27
lbragstadwell - there are drafts that have different status20:27
lbragstadthis says it is expired - https://datatracker.ietf.org/doc/draft-nottingham-json-home/20:27
lbragstadthis doesn't - https://mnot.github.io/I-D/json-home/20:27
lbragstadi scrubbed the ietf mailing list to see if i could find more recent information, but i didn't have any luck20:28
lbragstad(i also have absolutely no idea if i'm looking in the right places)20:28
lbragstadit's still referred to as in progress by the author... https://mnot.github.io/I-D/20:30
lbragstadi also agree with flavio's point here - http://lists.openstack.org/pipermail/openstack-dev/2013-November/020415.html20:31
lbragstadit'd be cool to supply feedback on the approach if we have any20:31
jamielennoxIt's one of those standards that i just want to be a standard, imo it's kinda long winded, but it provides everything we need and it was jumped on as better than indenting or own discovery format again20:33
jamielennoxInventing20:34
jamielennoxPhone keyboards20:34
lbragstad++20:34
lbragstadi agree...20:34
lbragstadi am relieved to see activity on the github issues20:35
lbragstadwhile one representation does look "expired" the other appears to be "active" until march20:35
jamielennoxIt seems to be a one man standards effort, so i don't know how much it's actually trying to get passed or just an intellectual exercise20:39
jamielennoxBut we never reached out to the author to figure that out20:39
ayoungedmondsw, IIRC it was the CLI intergration that we never tested20:42
ayoungedmondsw, at some point, I need to resurrect my automated integration of all that.  Should be able to front Keystone with Keycloak and test20:42
ayoungright now I am kindof limited in my ability to set up an OpenStack cluster until I figure out the networking part of "use pre-provisionied nodes for the overcloud"20:43
ayounglbragstad, what if we made json-home work for any Accept: JSON on a resolving link as-well as the Accetp appliction/json-home?20:45
ayoungmaybe  /v3/home ?20:45
ayoungwe can still track the standard as it evolves, but my gut says that it should not be a separate content type from JSON20:46
*** mvk has joined #openstack-keystone20:55
*** phalmos has quit IRC21:01
edmondswayoung tx, I thought it was the CLI21:02
edmondswand I think from what I understood there's not much we can do about that, just gonna be a permanent limitation because of how oidc works21:02
*** chason has quit IRC21:02
edmondswbut obviously I'm not the expert on anything federation, so wanted to double-check that :)21:03
lbragstadayoung: https://github.com/mnot/I-D/issues/21221:03
ayoungedmondsw, I think that is the case, but I have not examined it too closely.  Once I do, I can beat up the keycloak team to get an implementation, if there is anything that corresponds to ecp21:03
edmondswcool cool21:03
lbragstadjamielennox: mnot is the author i think21:03
cmurphyedmondsw: I'm not sure what I said but the CLI is an issue21:04
cmurphyin theory though there are bits in ksa that were supposed to make it work21:04
edmondswoh, so we might actually get that working?21:04
edmondswnice21:04
cmurphyI'm not sure how close that is to reality but there's something there21:06
cmurphyit definitely didn't just work when i tried to use it with google21:06
ayoungedmondsw, the protocol guru for my old team was jdennis .  He might be able to fill you in on what it would take to get CLI access for OIDC working.  If its anything like OIDC, it has to do with how the user authentiates to the IdP up front, but I know little about that21:07
* edmondsw makes a note to self21:08
*** chason has joined #openstack-keystone21:13
jamielennoxThere is a section in the keystoneauth discovery which was supposed to be able to resolve URLs via json home IDs. I honestly can't remember if we ever finished that21:23
*** pramodrj07 has joined #openstack-keystone21:29
jamielennoxOidc is funny from the cli because there are parts where there is really no choice but to bounce back to a web server21:31
jamielennoxAt one point someone tried to merge they into ksa and i fairly strongly opposed21:31
jamielennoxThat21:31
cmurphyjamielennox: this? http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/identity/v3/oidc.py21:32
jamielennoxIt might have been ok if we had decent caching or could exchange the federated login for an api key but popping a browser on every login wasn't acceptable imo21:32
jamielennoxSo I think access code is ok, but not many places implement it?21:34
jamielennoxhttps://review.openstack.org/#/c/330006/21:36
jamielennoxBut yea, aloga did a bunch of work around oidc plugins21:37
*** spilla has quit IRC21:53
*** linkmark has quit IRC22:00
*** itlinux has joined #openstack-keystone22:37
*** jmlowe has quit IRC22:48
*** mvk has quit IRC23:00
*** itlinux has quit IRC23:04
*** itlinux has joined #openstack-keystone23:06
*** Pramod has joined #openstack-keystone23:09
*** Aibot has joined #openstack-keystone23:10
*** Aibot has quit IRC23:10
*** Pramod has quit IRC23:10
*** pramodrj07 has quit IRC23:10
*** itlinux has quit IRC23:11
*** pramodrj07 has joined #openstack-keystone23:11
*** rmcall has quit IRC23:20
*** edmondsw has quit IRC23:27
*** dave-mccowan has quit IRC23:28
*** gongysh has joined #openstack-keystone23:54
*** r-daneel has quit IRC23:57
« Wednesday, 2018-01-24 Index Friday, 2018-01-26 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!