Tuesday, 2018-03-20

*** germs has joined #openstack-keystone		00:01
*** germs has quit IRC		00:01
*** germs has joined #openstack-keystone		00:01
*** germs has quit IRC		00:05
*** itlinux has joined #openstack-keystone		00:23
*** Dinesh_Bhor has joined #openstack-keystone		00:37
*** lifeless_ has joined #openstack-keystone		00:46
*** lifeless has quit IRC		00:46
*** itlinux has quit IRC		00:51
*** Dinesh_Bhor has quit IRC		00:57
*** Dinesh_Bhor has joined #openstack-keystone		00:57
*** odyssey4me has quit IRC		00:59
*** odyssey4me has joined #openstack-keystone		00:59
*** Dinesh_Bhor has quit IRC		00:59
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs master: Add spec for MFA auth receipts https://review.openstack.org/553670	00:59
adriant	kmalloc, cmurphy: hopefully that spec rewrite addresses your problems in a way we can move forward :)	00:59
kmalloc	let me see	01:00
* adriant would like to point out that the core of what it does hasn't changed, just the terms		01:00
kmalloc	i am sure we can move forward if you hit the key bits that caused the -2 :)	01:00
kmalloc	notably the issuance of a "partial token" and highlighting it remains a 401	01:00
adriant	well, I didn't originally define the response code, I had no issues with a 401 :P	01:01
adriant	but now that's explicit as a 401, and all mention of token's is gone as to what the thing we return is	01:02
*** Dinesh_Bhor has joined #openstack-keystone		01:02
adriant	tokens*	01:02
adriant	bah! I've found typos in the spec, always with the typos!	01:04
lbragstad	adriant: awesome - i'll review that tomorrow morning	01:04
adriant	lbragstad: if kmalloc is happy and removes his -2 ;)	01:04
kmalloc	i'm reviewing now, you're going to have a chunk of work still	01:05
kmalloc	but it is looking like the -2 can be dropped to -1	01:05
adriant	works for me	01:06
adriant	I never expected this spec to be merged quickly :P	01:06
adriant	this is too complicated and potentially odd change and we need to be happy with it, and how it will work so we don't hate ourselves until v4	01:07
adriant	well, potentially not complicated. We'll see.	01:08
*** wxy has joined #openstack-keystone		01:10
*** oikiki has joined #openstack-keystone		01:25
kmalloc	reviewed	01:27
kmalloc	it is now a -1	01:27
kmalloc	but, there are a lot of changes you need.	01:27
adriant	kmalloc: saw, am changing, although some stuff I'm not entirely sure of so will make changes as make sense, and leave questions for you	01:39
kmalloc	yep	01:39
kmalloc	i figured it'd be a discussion	01:39
adriant	although since you're about, what do you mean by another repo for fernet receipt?	01:40
adriant	is the fernet provider in keystone coming from another library? I haven't read through that code before, I assumed we used cryptography and did all the fernet token logic in the keystone codebase itself	01:41
adriant	Oh, key repository	01:43
adriant	can't we share the same one as tokens? Share most of the same logic too, that was what I was trying to say at the start of that section. Otherwise it is a deployer impact, and since this is token-like and ultimately it is using similar encryption models, why split it?	01:44
kmalloc	yes, for the keys	01:45
adriant	the only worry I can thing of is that partial auth will still return a receipt that is fernet encrypted and if you request it enough times (like a token) you could potentially guess the key. But I don't see how this would make that any worse.	01:45
adriant	think of*	01:46
kmalloc	the fernet code to make a token only makes a token	01:46
kmalloc	you'd need to use cryptography and encode your own fernet with it's own payload	01:46
kmalloc	you can't lean on the token provider	01:46
kmalloc	it's AES128 and HMAC'd, so, key rotation is recommended overtime.	01:46
adriant	can we break out some of the token logic to make it generic and share elements?	01:47
adriant	and keys?	01:47
kmalloc	not really.	01:47
kmalloc	do not share keys	01:47
kmalloc	the fernet work in the token provider is really only layering in it's own fernet code. you might be able pull out some utils	01:47
kmalloc	but it wont be much	01:47
kmalloc	layering the token specific stuff*	01:47
kmalloc	there really wont be a ton of reusable stuff between the token core and the receipt bits	01:48
adriant	yeah I'm looking at the token code now	01:48
adriant	Ok, nvm, that's fine, the annoying bit will be needing an extra key repo	01:48
*** Dinesh_Bhor has quit IRC		01:49
kmalloc	yeah, there is a good reason for that, but i wouldn't hold up if you shared the repo (bug lbragstad about that one)	01:49
kmalloc	the main reason is isolating concerns.	01:49
adriant	and then a question of do we want to make the receipt provider also configureable so we can also JWT, if jwt even makes sense for receipts	01:50
kmalloc	long term, yes.	01:50
kmalloc	for the same reasons we want an alternative to fernet	01:50
adriant	ok, so it's basically a off-brand tokens :P	01:50
kmalloc	but i wouldn't make it a hard-requirement to be pluggable to start	01:50
adriant	alright, I can work with that	01:50
kmalloc	that is up to you	01:50
adriant	shouldn't be too much extra effort to make it pluggable. I'd rather do it right than rush it.	01:51
adriant	and if we can share the same key repo at least at first, or potentially make that a configurable thing... that would make it easier to consume	01:52
*** Dinesh_Bhor has joined #openstack-keystone		01:52
adriant	plus we likely want the token and receipt providers to be in sync. not fernet and jwt respectively. Alway fernet or jwt for both.	01:52
*** Dinesh_Bhor has quit IRC		01:52
kmalloc	maybe	01:53
kmalloc	but that isn't anywhere as a hard requierment in my head	01:53
adriant	yeah, I think you're right	01:53
adriant	and we may go down a route with tokens that magically will one day be drastically different to what we want with auth receipts.	01:53
kmalloc	right	01:54
adriant	kmalloc: cool, thanks for the review, I'll update and lbragstad can review in the morning.	01:54
*** annp has joined #openstack-keystone		01:56
*** Dinesh_Bhor has joined #openstack-keystone		02:01
*** dikonoor has joined #openstack-keystone		02:02
*** Dinesh_Bhor has quit IRC		02:02
*** germs has joined #openstack-keystone		02:02
*** germs has quit IRC		02:06
*** Dinesh_Bhor has joined #openstack-keystone		02:08
openstackgerrit	Dai Hanada proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option https://review.openstack.org/554397	02:10
*** dikonoor has quit IRC		02:11
*** wes_dillingham has quit IRC		02:19
openstackgerrit	Masaki Hatada proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option https://review.openstack.org/554397	02:25
*** gongysh has joined #openstack-keystone		02:25
*** dave-mccowan has quit IRC		02:31
*** r-daneel has joined #openstack-keystone		02:32
*** r-daneel_ has joined #openstack-keystone		02:34
*** r-daneel has quit IRC		02:36
*** r-daneel_ is now known as r-daneel		02:36
*** links has joined #openstack-keystone		02:40
*** itlinux has joined #openstack-keystone		02:42
*** oikiki has quit IRC		03:12
*** gongysh has quit IRC		03:42
*** itlinux has quit IRC		03:49
*** germs has joined #openstack-keystone		04:03
*** germs has quit IRC		04:03
*** germs has joined #openstack-keystone		04:03
*** germs has quit IRC		04:07
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs master: Add spec for MFA auth receipts https://review.openstack.org/553670	04:17
adriant	kmalloc: alright, that... should be closer to what we want.	04:18
adriant	lbragstad, all yours for when you're awake!	04:19
*** Dinesh__Bhor has joined #openstack-keystone		04:58
*** Dinesh_Bhor has quit IRC		04:58
*** jmlowe has quit IRC		05:18
*** jmlowe has joined #openstack-keystone		05:37
*** oikiki has joined #openstack-keystone		05:38
*** deepak_ has joined #openstack-keystone		05:40
*** jmlowe has quit IRC		05:42
*** germs has joined #openstack-keystone		06:04
*** dineshbhor__ has joined #openstack-keystone		06:07
*** germs has quit IRC		06:08
*** Dinesh__Bhor has quit IRC		06:09
*** masber has quit IRC		06:12
*** Jack_Iv has joined #openstack-keystone		06:22
*** Jack_Iv has quit IRC		06:26
openstackgerrit	Dai Hanada proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option https://review.openstack.org/554397	06:32
*** wxy_ has quit IRC		06:34
*** wxy_ has joined #openstack-keystone		06:36
*** wxy_ has quit IRC		06:42
*** wxy_ has joined #openstack-keystone		06:43
*** oikiki has quit IRC		06:44
*** masber has joined #openstack-keystone		06:44
*** masber has quit IRC		06:47
*** masber has joined #openstack-keystone		06:47
*** dineshbhor__ has quit IRC		07:00
*** Supun has joined #openstack-keystone		07:08
*** d0ugal has joined #openstack-keystone		07:12
*** d0ugal has quit IRC		07:12
*** d0ugal has joined #openstack-keystone		07:12
*** d0ugal has quit IRC		07:21
*** rcernin has quit IRC		07:23
*** rcernin has joined #openstack-keystone		07:24
*** rcernin has quit IRC		07:24
*** Dinesh_Bhor has joined #openstack-keystone		07:32
Dinesh_Bhor	cmurphy: Hi, you there?	07:34
*** pcaruana has joined #openstack-keystone		07:34
*** martinus__ has joined #openstack-keystone		07:37
*** pcichy has joined #openstack-keystone		07:38
cmurphy	Dinesh_Bhor: I am, but in the future you could also just ask your question here or on the review instead of waiting for me to show up	07:44
*** Supun has quit IRC		07:45
Dinesh_Bhor	cmurphy: yes, about this: https://review.openstack.org/#/c/329913/10/keystoneclient/base.py	07:45
Dinesh_Bhor	cmurphy: We can not move the client initialization to Manage class since we the "_prepare_return_value" method is using self.client.	07:46
Dinesh_Bhor	S/Manage/Manager	07:46
cmurphy	Dinesh_Bhor: when _prepare_return_value is called self.client will have been initialized by Manager	07:47
*** d0ugal has joined #openstack-keystone		07:48
Dinesh_Bhor	cmurphy: let me check and get back to you	07:52
Dinesh_Bhor	cmurphy: thank you	07:52
cmurphy	Dinesh_Bhor: no problem	07:53
*** tesseract has joined #openstack-keystone		08:00
*** namnh has joined #openstack-keystone		08:01
*** AlexeyAbashkin has joined #openstack-keystone		08:04
*** germs has joined #openstack-keystone		08:05
*** germs has quit IRC		08:05
*** germs has joined #openstack-keystone		08:05
*** Supun has joined #openstack-keystone		08:05
*** germs has quit IRC		08:08
*** dangtrinhnt has quit IRC		08:23
openstackgerrit	wangxiyuan proposed openstack/keystone master: The migration script to add description for limit https://review.openstack.org/553131	08:29
openstackgerrit	wangxiyuan proposed openstack/keystone master: Limit description support https://review.openstack.org/553132	08:30
Dinesh_Bhor	cmurphy: you are right. I have fixed your comment	08:31
Dinesh_Bhor	For the other comment: https://review.openstack.org/#/c/329913/10/keystoneclient/tests/unit/test_base.py I am getting error as ManagerWithFind is an abstract class with abstract methods defined so we can not initialize it.	08:32
openstackgerrit	Dinesh Bhor proposed openstack/python-keystoneclient master: Add Response class to return request-id to caller https://review.openstack.org/329913	08:33
openstackgerrit	Dinesh Bhor proposed openstack/python-keystoneclient master: Add return-request-id-to-caller function(v3) https://review.openstack.org/267456	08:33
cmurphy	Dinesh_Bhor: ah okay	08:35
*** pcichy has quit IRC		08:50
cmurphy	Dinesh_Bhor: sorry, should have caught this before but AccessInfo and everything to do with tokens has moved to keystoneauth, so most of https://review.openstack.org/#/c/267456 is misplaced	08:52
cmurphy	and keystoneauth already has a mechanism for logging request IDs so I don't think changes are needed there	08:53
Dinesh_Bhor	cmurphy: ohh	08:54
Dinesh_Bhor	cmurphy: that is for logging. In these patches we are returning request-id.	08:55
*** Dinesh_Bhor has quit IRC		09:01
*** d0ugal has quit IRC		09:02
*** oikiki has joined #openstack-keystone		09:03
*** baffle has quit IRC		09:13
*** vegarl has quit IRC		09:14
*** baffle has joined #openstack-keystone		09:14
*** vegarl has joined #openstack-keystone		09:14
*** pcichy has joined #openstack-keystone		09:17
*** oikiki has quit IRC		09:19
*** Supun has quit IRC		09:44
*** Supun has joined #openstack-keystone		09:45
*** josecastroleon has quit IRC		09:49
*** josecastroleon has joined #openstack-keystone		09:50
*** wxy_ has quit IRC		09:58
*** wxy_ has joined #openstack-keystone		09:58
*** Supun has quit IRC		09:59
*** germs has joined #openstack-keystone		10:05
*** germs has quit IRC		10:05
*** germs has joined #openstack-keystone		10:05
*** germs has quit IRC		10:10
*** namnh has quit IRC		10:10
*** mvk has quit IRC		10:31
*** masber has quit IRC		10:43
*** mvk has joined #openstack-keystone		10:46
*** wxy_ has quit IRC		10:51
*** wxy_ has joined #openstack-keystone		10:51
*** rcernin has joined #openstack-keystone		11:02
*** Supun has joined #openstack-keystone		11:04
*** josecastroleon has quit IRC		11:06
*** rcernin has quit IRC		11:06
*** masber has joined #openstack-keystone		11:08
*** masuberu has joined #openstack-keystone		11:12
*** masber has quit IRC		11:14
*** annp has quit IRC		11:15
*** Supun has quit IRC		11:18
*** Supun has joined #openstack-keystone		11:21
*** pcaruana has quit IRC		11:23
*** pcichy has quit IRC		11:29
*** Supun has quit IRC		11:53
*** pcaruana has joined #openstack-keystone		11:55
*** dangtrinhnt has joined #openstack-keystone		12:04
*** germs has joined #openstack-keystone		12:06
*** germs has quit IRC		12:06
*** germs has joined #openstack-keystone		12:06
*** raildo has joined #openstack-keystone		12:08
*** jaosorior has quit IRC		12:09
*** josecastroleon has joined #openstack-keystone		12:09
*** germs has quit IRC		12:10
*** odyssey4me has quit IRC		12:11
*** odyssey4me has joined #openstack-keystone		12:11
*** wes_dillingham has joined #openstack-keystone		12:14
*** Supun has joined #openstack-keystone		12:16
*** edmondsw has joined #openstack-keystone		12:17
*** jaosorior has joined #openstack-keystone		12:23
*** wxy_ has quit IRC		12:25
*** wxy_ has joined #openstack-keystone		12:26
*** openstackgerrit has quit IRC		12:33
*** r-daneel has quit IRC		12:41
*** d0ugal has joined #openstack-keystone		12:41
*** d0ugal has quit IRC		12:41
*** d0ugal has joined #openstack-keystone		12:41
*** panbalag has joined #openstack-keystone		12:43
*** panbalag has left #openstack-keystone		12:45
*** AlexeyAbashkin has quit IRC		12:48
*** Supun has quit IRC		13:06
*** dangtrinhnt has quit IRC		13:06
*** AlexeyAbashkin has joined #openstack-keystone		13:10
*** Supun has joined #openstack-keystone		13:18
*** r-daneel has joined #openstack-keystone		13:32
*** r-daneel has quit IRC		13:36
*** voelzmo has joined #openstack-keystone		13:40
*** voelzmo has quit IRC		13:41
*** voelzmo has joined #openstack-keystone		13:42
*** wxy_ has quit IRC		13:49
*** wxy_ has joined #openstack-keystone		13:50
*** links has quit IRC		13:51
*** SamYaple has quit IRC		13:52
*** dmellado has quit IRC		13:55
*** jmlowe has joined #openstack-keystone		13:58
*** voelzmo has quit IRC		14:01
*** openstackgerrit has joined #openstack-keystone		14:04
openstackgerrit	Jens Harbott (frickler) proposed openstack/keystoneauth master: Be more verbose when version discovery fails https://review.openstack.org/554044	14:04
*** voelzmo has joined #openstack-keystone		14:04
*** germs has joined #openstack-keystone		14:07
*** germs has quit IRC		14:07
*** germs has joined #openstack-keystone		14:07
*** spilla has joined #openstack-keystone		14:07
*** voelzmo has quit IRC		14:08
*** SamYaple has joined #openstack-keystone		14:11
*** germs has quit IRC		14:11
*** pcaruana has quit IRC		14:21
*** felipemonteiro has joined #openstack-keystone		14:27
*** pcaruana has joined #openstack-keystone		14:28
*** felipemonteiro_ has joined #openstack-keystone		14:29
*** voelzmo has joined #openstack-keystone		14:32
*** felipemonteiro has quit IRC		14:32
*** voelzmo has quit IRC		14:37
*** d0ugal has quit IRC		14:38
*** voelzmo has joined #openstack-keystone		14:47
*** itlinux has joined #openstack-keystone		14:50
*** wxy\| has joined #openstack-keystone		14:54
*** dmellado has joined #openstack-keystone		14:54
*** r-daneel has joined #openstack-keystone		14:55
*** dmellado has quit IRC		14:56
*** dmellado has joined #openstack-keystone		15:01
*** jistr is now known as jistr\|mtg		15:01
*** voelzmo has quit IRC		15:02
*** voelzmo has joined #openstack-keystone		15:03
*** dmellado has quit IRC		15:04
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove references to UUID from token documentation https://review.openstack.org/554581	15:04
*** dmellado has joined #openstack-keystone		15:05
*** d0ugal has joined #openstack-keystone		15:09
*** Supun has quit IRC		15:14
*** dmellado has quit IRC		15:16
*** dave-mccowan has joined #openstack-keystone		15:29
*** knasim-wrs has quit IRC		15:33
*** jistr\|mtg is now known as jistr		15:36
*** Supun has joined #openstack-keystone		15:37
*** ayoung has joined #openstack-keystone		15:37
lbragstad	reminder that the keystone meeting will be taking place in 13 minutes in #openstack-meeting-alt	15:47
*** felipemonteiro_ has quit IRC		15:48
*** felipemonteiro_ has joined #openstack-keystone		15:49
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds https://review.openstack.org/396331	16:00
openstackgerrit	Jens Harbott (frickler) proposed openstack/keystoneauth master: Be more verbose when version discovery fails https://review.openstack.org/554044	16:01
*** jamielennox has quit IRC		16:01
*** felipemonteiro_ has quit IRC		16:06
*** pcichy has joined #openstack-keystone		16:10
*** Supun has quit IRC		16:11
*** Supun has joined #openstack-keystone		16:12
*** voelzmo has quit IRC		16:17
*** masuberu has quit IRC		16:18
*** wxy\|_ has joined #openstack-keystone		16:22
*** wxy\| has quit IRC		16:22
openstackgerrit	Merged openstack/keystone-specs master: Change keystone-specs webpage from oslosphinx to openstackdocstheme https://review.openstack.org/551974	16:26
*** gyee has joined #openstack-keystone		16:26
*** jamielennox has joined #openstack-keystone		16:38
*** Supun has quit IRC		16:44
*** mvk has quit IRC		16:49
*** AlexeyAbashkin has quit IRC		16:53
*** felipemonteiro has joined #openstack-keystone		16:55
*** masuberu has joined #openstack-keystone		16:59
lbragstad	#startmeeting keystone-office-hours	17:01
openstack	Meeting started Tue Mar 20 17:01:05 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:01
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		17:01
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		17:01
openstack	The meeting name has been set to 'keystone_office_hours'	17:01
lbragstad	#link https://bluejeans.com/8559013623	17:01
gagehugo	going out for lunch, will be back in an hour or so	17:03
*** mvk has joined #openstack-keystone		17:03
*** felipemonteiro_ has joined #openstack-keystone		17:04
*** felipemonteiro has quit IRC		17:08
*** felipemonteiro has joined #openstack-keystone		17:08
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds https://review.openstack.org/396331	17:11
*** felipemonteiro_ has quit IRC		17:11
*** Supun has joined #openstack-keystone		17:11
*** wxy\|_ has quit IRC		17:12
cmurphy	o/	17:14
lbragstad	reviewing https://review.openstack.org/#/c/396331/ since jgr won't be around all of office hours	17:20
lbragstad	in case you missed it - https://bluejeans.com/8559013623/	17:30
cmurphy	oh we're bluejeansing?	17:30
lbragstad	yep - we actually have questions for you cmurphy	17:31
cmurphy	bah okay	17:31
cmurphy	one sec	17:31
*** masuberu has quit IRC		17:33
lbragstad	kmalloc: i'm not sure if it's just me, but it sounds like your mic is clipping	17:36
adriant	kmalloc: added some comments, and will fix up most of that in a patch after lbragstad, or cmurphy get a chance to also comment.	17:37
cmurphy	adriant: want to join the bluejeans session ^	17:41
lbragstad	moving on to https://review.openstack.org/#/c/553670/	17:42
adriant	cmurphy: might jump on in a sec :)	17:43
*** Supun has quit IRC		17:53
*** Supun has joined #openstack-keystone		17:54
hrybacki	lbragstad: ping, default roles chat?	18:04
*** oikiki has joined #openstack-keystone		18:06
cmurphy	kmalloc: your puppy left :'(	18:09
*** jessegler_ has joined #openstack-keystone		18:09
*** AlexeyAbashkin has joined #openstack-keystone		18:14
*** AlexeyAbashkin has quit IRC		18:14
*** AlexeyAbashkin has joined #openstack-keystone		18:15
gagehugo	o/ back	18:22
*** harlowja has joined #openstack-keystone		18:23
*** gyee has quit IRC		18:30
*** dave-mccowan has quit IRC		18:32
*** AlexeyAbashkin has quit IRC		18:44
*** dave-mccowan has joined #openstack-keystone		18:45
*** panbalag has joined #openstack-keystone		18:52
hrybacki	gagehugo: we just dropped bridge fyi	18:52
gagehugo	hrybacki ok I was listening in	18:53
hrybacki	ack -- didn't want you to feel as if we abandoned you gagehugo	18:53
gagehugo	heh	18:53
gagehugo	nah I caught the tail end of system scope	18:53
hrybacki	++	18:53
hrybacki	relocating now o/	18:54
*** jessegler_ has quit IRC		18:54
gagehugo	lbragstad https://review.openstack.org/#/c/554327/ fixes the same bug as https://review.openstack.org/#/c/553108/ but it refactors the sql backend logic for tags, which I'm not sure about	18:56
gagehugo	it uses nova's approach which looks like using inner joins, but we had some concerns about if that would be worse performance	18:57
*** pcichy has quit IRC		19:00
*** dave-mccowan has quit IRC		19:03
*** AlexeyAbashkin has joined #openstack-keystone		19:03
lbragstad	gagehugo: revieing	19:09
lbragstad	reviewing*	19:09
gagehugo	I need to be revived on this tue	19:09
gagehugo	:)	19:09
lbragstad	gagehugo: is https://review.openstack.org/#/c/553108/3 the perferred way to close the bug?	19:26
*** Supun has quit IRC		19:27
lbragstad	i'm spinning up an environment to test it quick	19:27
gagehugo	lbragstad I think it's a much simpler fix than Nic's	19:28
gagehugo	I'm sure the logic could be refactored to be better	19:28
gagehugo	and it may require refactoring if we add starts/ends with & contains	19:29
kmalloc	lbragstad: extensive comments on app-cred whitelist	19:31
kmalloc	it should cover all the things we talked about	19:31
lbragstad	perfect	19:31
kmalloc	it's a pretty big re-work, but it should simplify and clarify what we allow	19:31
*** dave-mccowan has joined #openstack-keystone		19:36
*** d34dh0r53 has quit IRC		19:37
*** d34dh0r53 has joined #openstack-keystone		19:37
*** wes_dillingham has quit IRC		19:46
hrybacki	lbragstad: I think we need to find a good way of de-coupling default roles from scope types	19:48
hrybacki	at least in documentation. e.g. Here are default roles X, Y, and Z. This is generically what their purpose should be. Have you heard of scope types A and B? Here is generically what their purposes <link to spec/doc/whatever>. Here is how we envision default roles being applied in the following scoped operations.	19:49
hrybacki	thoughts? I think it gets v confusing when we introduce both the default roles and how they are used with scope at the same time	19:50
*** AlexeyAbashkin has quit IRC		19:51
lbragstad	right	19:51
lbragstad	it's almost like a support matrix	19:51
gagehugo	yeah roles & scope like to confuse people	19:52
gagehugo	more clarification would be great	19:52
lbragstad	would an abstracted support matrix with "scopes" being one axis and "default roles" being the other help?	19:53
hrybacki	lbragstad: I'm not sure I follow precisely	19:53
hrybacki	so maybe XD	19:53
lbragstad	trying to find an example	19:54
hrybacki	ack	19:55
*** tesseract has quit IRC		19:56
*** masber has joined #openstack-keystone		20:02
*** dave-mccowan has quit IRC		20:03
gagehugo	lbragstad you tested tags with ksc right?	20:04
*** dave-mccowan has joined #openstack-keystone		20:04
lbragstad	gagehugo: yeah	20:06
lbragstad	hrybacki: gagehugo - https://imgur.com/a/XGMnW	20:06
lbragstad	i apologize for the chicken scratch	20:06
gagehugo	oh man engineering paper	20:07
hrybacki	hah, no you are fine	20:07
hrybacki	lbragstad: do we have any documentation specific to system, domain, and project scope atm?	20:07
hrybacki	I'm thinking 1) intro the default roles and their generic purpose 2) brief review of scope levels (system, domain, project) and link to more info for the curious 3) present something akin to your diagram demoing how they 'should' overlap	20:08
gagehugo	lbragstad http://paste.openstack.org/show/706590/	20:09
gagehugo	it works for curl	20:09
gagehugo	wonder if ksc is borked as well	20:09
hrybacki	and maybe in reverse order of how we have e.g. reader, write, and admin roles -> project, domain, and system scopes	20:09
*** germs has joined #openstack-keystone		20:10
*** germs has quit IRC		20:10
*** germs has joined #openstack-keystone		20:10
lbragstad	hrybacki: that was kind of my thinking behind https://bugs.launchpad.net/keystone/+bug/1757151	20:10
openstack	Launchpad bug 1757151 in OpenStack Identity (keystone) "Token and scope documentation needs an update" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad)	20:10
gagehugo	I can add a testcase though	20:10
lbragstad	huh - interesting	20:10
lbragstad	i can retest with curl	20:10
hrybacki	lbragstad: okay. I'll work on this draft in an abstract way and then we can fill in the specifics together this week?	20:11
lbragstad	yeah - i'll start working on the scope docs	20:12
hrybacki	++	20:12
lbragstad	also - i was wondering if it would be useful to break the scope doc up depending on the audience	20:12
lbragstad	having a document that explains scope types for users and operators	20:12
lbragstad	and a separate document that explains scope types for developers writing other services	20:13
*** germs has quit IRC		20:13
hrybacki	lbragstad: would it be too much to have them separate but in the same doc? Not sure how different they would be	20:14
lbragstad	hrybacki: we'll - we have a section for user guides and then we have this - https://docs.openstack.org/keystone/latest/contributor/services.html	20:17
lbragstad	which is in a separate document	20:17
lbragstad	but then we have https://docs.openstack.org/keystone/latest/admin/identity-tokens.html#authorization-scopes which is in the admin-guide	20:18
hrybacki	I feel like I need to read all of our docs. I haven't the slighest clue as to how they are structured rn	20:20
lbragstad	the last major restructuring we did was in PIke	20:20
lbragstad	we moved all the openstack manuals content into keystone	20:20
lbragstad	and per the specification, we broke it into several guides	20:21
lbragstad	(admin guide, install guide, configuration guide, user guide, API references, etc...)	20:21
hrybacki	ack, that does ring a bell	20:22
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove references to UUID from token documentation https://review.openstack.org/554581	20:24
lbragstad	but yeah, we have things that are applicable to multiple guides,	20:25
lbragstad	scope and roles feel like one of them	20:25
*** dave-mccowan has quit IRC		20:31
*** masber has quit IRC		20:32
*** openstackgerrit has quit IRC		20:33
gagehugo	++ multiple guides	20:39
*** openstackgerrit has joined #openstack-keystone		20:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove references to UUID from token documentation https://review.openstack.org/554581	20:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove references to v2.0 from external developer doc https://review.openstack.org/554690	20:40
hrybacki	alright lbragstad -- I made a bunch of changes and shared the doc with you. Adding comments on the side to allow for easy communication without muddling up the already murky doc	20:49
lbragstad	checking	20:50
hrybacki	I have to drop for the night at 5PM (meetings outside of work-work) but will pick this up based on your comments lbragstad	20:50
*** edmondsw has quit IRC		20:51
*** felipemonteiro_ has joined #openstack-keystone		20:51
*** felipemonteiro has quit IRC		20:54
*** dmellado has joined #openstack-keystone		20:56
gagehugo	I think the stable/queens neutron-grenade job is bork	20:57
gagehugo	https://review.openstack.org/#/c/548788/	20:57
cmurphy	anyone have thoughts on https://review.openstack.org/#/c/549723 ? the problem i think is that we're not mapping to the extra column but i don't know if we want to encourage that	20:58
*** dmellado has quit IRC		20:58
*** dave-mccowan has joined #openstack-keystone		21:00
gagehugo	yeah it should come from extras	21:01
gagehugo	I would assume?	21:01
*** dmellado has joined #openstack-keystone		21:02
* gagehugo takes a look		21:02
cmurphy	yeah it should be an extra but i guess for federated users we're not passing arbitrary attributes in to the shadow user	21:03
cmurphy	which sort of seems fine to me but it makes our example here wrong https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#mappings-examples	21:04
gagehugo	ah	21:04
gagehugo	yeah it should use arbitrary attributes then I guess	21:05
*** raildo has quit IRC		21:06
openstackgerrit	Merged openstack/keystone master: Fix api-ref for project tag create https://review.openstack.org/553422	21:07
*** jmlowe has quit IRC		21:08
*** dmellado has quit IRC		21:08
*** jmlowe has joined #openstack-keystone		21:11
*** dmellado has joined #openstack-keystone		21:12
*** dmellado has quit IRC		21:13
*** dmellado has joined #openstack-keystone		21:15
*** AlexeyAbashkin has joined #openstack-keystone		21:19
lbragstad	hrybacki: responded inline	21:20
*** wes_dillingham has joined #openstack-keystone		21:22
adriant	lbragstad, cmurphy: What's the response code when attempting auth with an expired token? Or trying to use an expired token?	21:23
lbragstad	401 i believe	21:23
*** AlexeyAbashkin has quit IRC		21:23
lbragstad	or 404... i need to double check..	21:23
cmurphy	yeah i think still 401	21:23
adriant	I'm just trying to decide and add to the spec what we return when a receipt expires	21:24
adriant	because knowing the failure was expiry would be useful	21:24
adriant	but if we can add that to the 401 error message that works	21:24
lbragstad	yeah - 401, just tested it	21:25
adriant	I'm imagining horizon flow: username+password > totp screen > wait 6 mins > hit enter > error redirect to login again	21:25
adriant	in that case should the user be made away the failure was expiry	21:25
adriant	and if so, then we need to convey that in the response :/	21:26
hrybacki	mmm should Horizon handle a timeout like that?	21:26
hrybacki	think of when your bank kicks you off a login screen without you making any prompt at all	21:27
hrybacki	(maybe that's just my bank)	21:27
adriant	oh, so have the js do it?	21:27
adriant	Actually...	21:27
hrybacki	aye	21:27
adriant	yes, we'd return the expiry time in the receipt	21:27
adriant	horizon would know when it expires and could pass to the js that time	21:28
adriant	then redirect back to login before even hitting the failure	21:28
kmalloc	yeah, i'd have horizon handle that case if possible	21:28
adriant	yeah, that works	21:28
*** itlinux has quit IRC		21:31
*** dmellado has quit IRC		21:32
adriant	kmalloc: as a middle ground, you ok with 10mins for expiry and having it configurable should a cloud want it short/longer?	21:36
kmalloc	i'd rather it not be configurable, not my followup comment, don't worry about timing.	21:36
kmalloc	pick a timeout, go with it.	21:37
adriant	alright, I'll put 10 then since it's a little safer than 15, and not quite as short as 5	21:37
kmalloc	honestly i don't think it'll matter	21:37
kmalloc	remember this is only every supposed to be used from initial password -> followup	21:37
kmalloc	what usecase are you solving with 10 or 15m timeout	21:38
kmalloc	my opinion is start very low and increase	21:38
kmalloc	vs the inverse	21:38
* adriant nods		21:38
adriant	done, 5m it is	21:38
kmalloc	but answer what you're solving with the longer timeout before selecting above 5 :)	21:38
kmalloc	and then i'm on the same page as you for the reasoning.	21:38
adriant	kmalloc: I don't have a good reason, more just that I expect people to be silly and take too long for stuff that shouldn't and then complain :P	21:39
* adriant is quite cynical when it comes to users		21:39
kmalloc	i'd rather they complain and we increase it in code ;)	21:39
kmalloc	because then we can ask "why does it take you 10m to get your auth process done?" ;)	21:40
hrybacki	ack, thanks lbragstad	21:43
lbragstad	no problem	21:43
*** josecastroleon has quit IRC		21:47
*** spilla has quit IRC		21:55
lbragstad	#endmeeting	22:04
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		22:04
openstack	Meeting ended Tue Mar 20 22:04:06 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	22:04
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-03-20-17.01.html	22:04
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-03-20-17.01.txt	22:04
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-03-20-17.01.log.html	22:04
*** dmellado has joined #openstack-keystone		22:04
*** germs has joined #openstack-keystone		22:10
*** germs has quit IRC		22:10
*** germs has joined #openstack-keystone		22:10
*** martinus__ has quit IRC		22:11
*** rcernin has joined #openstack-keystone		22:13
openstackgerrit	Gage Hugo proposed openstack/keystone master: Refactor list_users and related functions https://review.openstack.org/553880	22:13
gagehugo	wxy: added your test change for ^	22:13
*** germs has quit IRC		22:14
*** dave-mccowan has quit IRC		22:17
*** felipemonteiro_ has quit IRC		22:18
*** AlexeyAbashkin has joined #openstack-keystone		22:19
*** AlexeyAbashkin has quit IRC		22:23
*** dave-mccowan has joined #openstack-keystone		22:29
*** oikiki has quit IRC		22:43
*** oikiki has joined #openstack-keystone		22:50
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add scope documentation for service developers https://review.openstack.org/554727	22:54
lbragstad	hrybacki: kmalloc cmurphy ^	22:54
*** harlowja has quit IRC		22:57
*** masber has joined #openstack-keystone		23:03
*** masuberu has joined #openstack-keystone		23:04
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs master: Add spec for MFA auth receipts https://review.openstack.org/553670	23:06
*** oikiki has quit IRC		23:06
*** masber has quit IRC		23:08
*** AlexeyAbashkin has joined #openstack-keystone		23:19
*** AlexeyAbashkin has quit IRC		23:23
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs master: Add spec for MFA auth receipts https://review.openstack.org/553670	23:24
*** Anticime1 is now known as Anticimex		23:29
adriant	kmalloc, cmurphy: added a comment about scope	23:32
adriant	and hopefully now we've got most of the things that need addressing, addressed!	23:32
*** harlowja has joined #openstack-keystone		23:49

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!