Monday, 2014-05-05

« Sunday, 2014-05-04 Index Tuesday, 2014-05-06 »
*** key1 has quit IRC00:01
*** daneyon_ has joined #openstack-keystone00:06
*** daneyon has quit IRC00:08
*** bach has joined #openstack-keystone00:19
*** shakamunyi has joined #openstack-keystone00:23
*** zhiyan_ is now known as zhiyan00:26
*** packet has joined #openstack-keystone00:35
*** shakamunyi has quit IRC00:48
openstackgerritJamie Lennox proposed a change to openstack/keystone: Validation Input Objects  https://review.openstack.org/9203100:50
*** bach has quit IRC00:51
*** jamielennox|away is now known as jamielennox00:51
jamielennoxlbragstad: have a look at ^, i'd prefer to make the input values actual objects so we can add custom validations on the object00:52
*** shakamunyi has joined #openstack-keystone01:13
*** diegows has quit IRC01:22
*** dstanek_zzz is now known as dstanek01:26
*** bach has joined #openstack-keystone01:44
*** mberlin1 has joined #openstack-keystone02:15
*** mberlin has quit IRC02:16
*** packet has quit IRC02:49
*** shakamunyi has quit IRC02:57
*** praneshp has quit IRC03:11
*** dims has joined #openstack-keystone03:21
*** dims has quit IRC03:33
*** praneshp has joined #openstack-keystone03:57
*** daneyon_ has quit IRC04:37
*** daneyon has joined #openstack-keystone04:37
*** daneyon has quit IRC04:39
*** daneyon has joined #openstack-keystone04:40
*** ukalifon1 has quit IRC04:44
*** dstanek is now known as dstanek_zzz04:51
*** dstanek_zzz is now known as dstanek04:52
*** stevemar has quit IRC04:55
*** daneyon has quit IRC04:57
*** chandan_kumar has joined #openstack-keystone05:26
*** dstanek is now known as dstanek_zzz05:27
*** ukalifon1 has joined #openstack-keystone05:38
*** praneshp has quit IRC05:47
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9028806:01
*** dstanek_zzz is now known as dstanek06:19
*** dstanek is now known as dstanek_zzz06:28
*** bach has quit IRC07:11
*** Manishanker has joined #openstack-keystone07:14
*** bach has joined #openstack-keystone07:17
*** dstanek_zzz is now known as dstanek07:19
*** RockKuo_Office has joined #openstack-keystone07:26
*** dstanek is now known as dstanek_zzz07:29
*** leseb has joined #openstack-keystone07:39
*** bach has quit IRC07:43
openstackgerritMarcos FermĂ­n Lobo proposed a change to openstack/keystone: Unimplemented get roles by group for project list  https://review.openstack.org/7647007:47
*** openstackgerrit has quit IRC07:53
*** dstanek_zzz is now known as dstanek07:54
*** dstanek is now known as dstanek_zzz08:04
*** dstanek_zzz is now known as dstanek08:14
*** dstanek is now known as dstanek_zzz08:24
*** jamielennox is now known as jamielennox|away08:28
*** andreaf has joined #openstack-keystone08:36
*** andriyk0 has joined #openstack-keystone09:00
andriyk0Hello. I am working on extension to keystone-client. Can't find out how to run tests correctly. http://docs.openstack.org/developer/python-keystoneclient/ "Run tests with python setup.py test.". - is it the way how you run tests?09:03
*** dstanek_zzz is now known as dstanek09:15
*** dstanek is now known as dstanek_zzz09:25
marekdandriyk0: hey, try using tox09:30
marekdfor instance tox -epy27 will runn only tests for Python2.709:30
marekdtox -epep8 is usefull for checking if you are not violating pep8.09:30
andriyk0I use tox and nose now, but wanted to be sure that it does not go against some keystone development procedure09:31
marekdno09:31
andriyk0marekd: thank you09:31
marekdandriyk0: you are welcome :-)09:31
*** andriyk0 has left #openstack-keystone09:31
*** andriyk0 has joined #openstack-keystone09:32
*** rodrigods has joined #openstack-keystone09:34
*** ukalifon1 has quit IRC09:36
*** dstanek_zzz is now known as dstanek10:15
mhubknudson: regarding your bp about external auth plugins, I'd like to suggest the following: https://blueprints.launchpad.net/keystone/+spec/external-auth-federation-mapping10:24
*** dstanek is now known as dstanek_zzz10:25
*** jamielennox|away is now known as jamielennox10:34
*** RockKuo_Office has quit IRC11:04
*** bvandenh has joined #openstack-keystone11:09
*** stevemar has joined #openstack-keystone11:15
marekdmhu: do you have bknudsons blueprints you were talking about?11:16
*** dstanek_zzz is now known as dstanek11:16
mhumarekd: https://blueprints.launchpad.net/keystone/+spec/external-auth-plugins11:17
marekdthx11:18
*** bvandenh has quit IRC11:26
*** dims has joined #openstack-keystone11:39
*** dstanek is now known as dstanek_zzz11:48
*** dstanek_zzz is now known as dstanek11:54
*** rodrigods has quit IRC11:58
*** diegows has joined #openstack-keystone12:03
*** dstanek is now known as dstanek_zzz12:08
*** dstanek_zzz is now known as dstanek12:09
*** ukalifon1 has joined #openstack-keystone12:18
*** toddnni has quit IRC12:19
*** kun_huang has joined #openstack-keystone12:25
*** bvandenh has joined #openstack-keystone12:35
*** dstanek is now known as dstanek_zzz12:37
*** dstanek_zzz is now known as dstanek12:43
*** rodrigods has joined #openstack-keystone12:48
*** ericvw has joined #openstack-keystone12:49
*** erecio has joined #openstack-keystone12:51
*** ukalifon1 has quit IRC12:58
*** richm has joined #openstack-keystone13:05
*** andriyk0 has quit IRC13:21
*** andriyk0 has joined #openstack-keystone13:22
*** tomoiaga has joined #openstack-keystone13:33
tomoiagaI am curious about a comment in keystoneclient: DEPRECATED: if session is passed then we go to the new behaviour….13:35
tomoiagaIt seems a little ambigous. Is the session object still the new thing that every client will switch to ?13:35
*** openstackgerrit has joined #openstack-keystone13:36
*** openstackgerrit has quit IRC13:51
*** joesavak has joined #openstack-keystone13:55
dstanektomoiaga: i read that as not passing in a session is deprecated14:01
tomoiagadstanek: looking at the rest of the code seems clear that session should be passed. I was just wondering since I probably missunderstood the comment. Thank you!14:02
*** Manishanker has quit IRC14:14
*** tomoiaga has quit IRC14:15
*** rwsu has joined #openstack-keystone14:18
*** gokrokve has joined #openstack-keystone14:19
*** bvandenh has quit IRC14:27
*** packet has joined #openstack-keystone14:30
marekdjamielennox: o/14:36
*** david-lyle has joined #openstack-keystone14:38
lbragstadjamielennox: awesome, thanks for https://review.openstack.org/#/c/92031/ I've added myself to the review and going to make sure to take a look a little later today14:38
*** vhoward has joined #openstack-keystone14:38
*** daneyon has joined #openstack-keystone14:45
*** daneyon has quit IRC14:45
*** daneyon has joined #openstack-keystone14:46
*** erecio has quit IRC14:53
*** erecio has joined #openstack-keystone14:54
*** thedodd has joined #openstack-keystone15:06
*** stevemar has quit IRC15:12
*** stevemar has joined #openstack-keystone15:12
*** doddstack has joined #openstack-keystone15:16
*** thedodd has quit IRC15:19
*** zhiyan is now known as zhiyan_15:25
dstanekdolphm: gerrit question when you are available15:29
*** andriyk0 has quit IRC15:35
*** daneyon has quit IRC15:38
*** daneyon has joined #openstack-keystone15:38
*** vhoward has left #openstack-keystone15:41
*** openstackgerrit has joined #openstack-keystone15:43
*** topol has joined #openstack-keystone15:43
*** gyee has joined #openstack-keystone15:43
*** marcoemorais has joined #openstack-keystone16:06
*** praneshp has joined #openstack-keystone16:15
*** nkinder has joined #openstack-keystone16:15
*** chandan_kumar has quit IRC16:19
*** amerine has joined #openstack-keystone16:24
*** leseb has quit IRC16:29
*** leseb has joined #openstack-keystone16:29
*** leseb has quit IRC16:33
dolphmdstanek: o/16:34
dstanekdolphm: the last 3 reviews failed to merge over the weekend because gerrit said they needed a rebase16:35
dstaneki did that and there were no conflicts (so that was wierd), but also it left all of the +2s16:35
dstaneki was going to just +A them, but i wanted to see if you'd seen that behavior before16:36
dstanekdolphm: last 3 py3 reviews i should have said - https://review.openstack.org/#/c/84053/16:37
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216616:45
*** dims has quit IRC16:54
*** jsavak has joined #openstack-keystone16:58
*** joesavak has quit IRC17:00
*** dims has joined #openstack-keystone17:04
*** morganfainberg_Z is now known as morganfainberg17:05
morganfainbergdstanek, i think it's safe to re-+A those17:06
morganfainbergdstanek, obv. i'll defer to dolph17:06
*** vhoward has joined #openstack-keystone17:06
*** gokrokve has quit IRC17:11
*** harlowja_away is now known as harlowja17:16
*** erecio has quit IRC17:19
*** erecio has joined #openstack-keystone17:20
*** openstackgerrit has quit IRC17:20
*** tstevenson has joined #openstack-keystone17:22
*** openstackgerrit has joined #openstack-keystone17:24
*** sbfox has joined #openstack-keystone17:28
*** jsavak has quit IRC17:28
*** joesavak has joined #openstack-keystone17:33
*** doddstack has quit IRC17:34
*** derek_c has joined #openstack-keystone17:44
*** gabriel-bezerra has quit IRC17:45
*** amcrn has joined #openstack-keystone17:46
*** gokrokve has joined #openstack-keystone17:48
morganfainbergdstanek, I +A'd those changes post rebase.17:49
*** gabriel-bezerra has joined #openstack-keystone17:51
*** derek_c has quit IRC17:52
*** marcoemorais has quit IRC18:00
*** jsavak has joined #openstack-keystone18:01
*** joesavak has quit IRC18:03
*** marcoemorais has joined #openstack-keystone18:03
*** jsavak has quit IRC18:06
*** derek_c has joined #openstack-keystone18:07
*** jayh has quit IRC18:10
dstanekmorganfainberg: thanks. i've never seen it not remove +2s like that18:14
dstanekusually it would at least say it's adding it back18:14
morganfainbergdstanek, i have, it means it was a clean rebase18:14
*** bvandenh has joined #openstack-keystone18:15
morganfainbergdstanek, i think that is an artifact of the new gerrit18:15
*** doddstack has joined #openstack-keystone18:21
*** bach has joined #openstack-keystone18:22
*** packet has quit IRC18:27
*** dims has quit IRC18:29
dolphmdstanek: terribly belated response: you're likely using a different merge strategy locally (less restrictive than what gerrit attempts on it's own), and it may have succeeded automatically on your end whereas it failed for gerrit18:41
dstanekdolphm: oh, that's a good point18:42
*** kun_huang has quit IRC18:46
morganfainbergdolphm, could use your weigh in on https://review.openstack.org/#/c/91738/ and the parent.18:47
morganfainbergdolphm, adding tempests (non-vote) for mod_wsgi18:47
*** leseb has joined #openstack-keystone18:50
dolphmmorganfainberg: ooh18:51
morganfainbergdolphm, they should wait for https://review.openstack.org/#/c/91735/ but that is well on its way18:51
dolphmmorganfainberg: who should wait?18:52
morganfainbergdolphm the temptest tests18:52
morganfainbergwithout the logging fixes the logs are going to be ... less wonderful due to duplicated timestamps18:52
morganfainbergbut it's not a hard dependency18:53
dolphmmorganfainberg: which of these apache jobs are expected to pass today?18:55
*** joesavak has joined #openstack-keystone18:57
morganfainbergdolphm, i'd hope both pass.18:58
morganfainbergdolphm, this introduces a new tempest run for keystone and keystoneclient that deploys keystone under mod_wsgi18:58
morganfainbergdolphm, my expectation that as long as ayoung's fix for cms to return a string on token issuance is merged, they would pass18:58
morganfainbergdolphm, but go non-vote, make sure they work, then convert to voting as soon as they are confirmed to work18:59
*** jsavak has joined #openstack-keystone19:00
dolphmmorganfainberg: well you're also adding 2 stable/ jobs - would those pass?19:02
morganfainbergdolphm, it shouldn't be adding stable jobs19:02
*** leseb has quit IRC19:02
morganfainbergdolphm, branch: ^(!?stable/(havana|icehouse)).*$19:02
*** joesavak has quit IRC19:03
morganfainbergdolphm, well the "tasks" in jenkins would exist, just not ever executed by zuul19:03
dolphmmorganfainberg: ah, so you want it to match stable/juno?19:03
morganfainbergdolphm, yep, the idea would be stable/juno would match when we cut it19:04
dolphmgotcha19:04
morganfainbergdolphm, once we're gating on this, we should continue even into stable (i'd hope)19:04
dolphmmorganfainberg: +1 on both!19:04
morganfainbergbut retrofitting tests is not something i'm keen on doing unless we really need it.19:04
morganfainbergcool19:04
morganfainbergdolphm, ty!19:04
morganfainbergdolphm, and on the topic of infra stuff that is probably going to require your eyes :P19:05
morganfainberghttps://review.openstack.org/#/c/91690/19:05
morganfainbergstable filter for rally/py3319:05
*** bvandenh has quit IRC19:05
*** topol has quit IRC19:11
*** sbfox has quit IRC19:30
*** rodrigods has quit IRC19:32
*** andreaf_ has joined #openstack-keystone19:35
*** andreaf_ has quit IRC19:35
*** sbfox has joined #openstack-keystone19:35
*** andreaf_ has joined #openstack-keystone19:35
*** andreaf has quit IRC19:38
*** andreaf_ has quit IRC19:38
*** andreaf has joined #openstack-keystone19:38
*** sbfox has quit IRC19:40
dolphmmorganfainberg: bknudson: +1! thanks19:41
bknudsonlooks oslo-incubator memorycache switched from ignoring failure to `import memcache` to now failing19:41
bknudsonhttp://git.openstack.org/cgit/openstack/oslo-incubator/commit/openstack/common/memorycache.py?id=297d772b780db18dd4debc23dddef089f4ba8b7a19:42
*** dims has joined #openstack-keystone19:42
stevemaranyone know why i'm seeing this? CRITICAL keystone [-] AttributeError: 'CacheRegion' object has no attribute 'is_configured19:44
stevemarwhen I try to run keystone-all?19:44
stevemari feel it's a silly reason19:44
bknudsonwe have a bunch of NoMemcacheAuthToken tests that now would expect to raise rather than continue on.19:44
bknudsonunless auth_token tried the import itself?19:45
ayounggyee, question for you;  for Keystone signing certs would it make sense to have the subject be composed of organizationalUnitName  = Service  commonName  = endpointid19:47
ayoungWe don't have a lot of guaranteed fields to work with19:48
dstanekstevemar: i think you need to update your dogpile.cache19:50
ayoungdstanek, tox -r ?19:50
dstanekayoung: yeah, that should do it19:51
ayoungOr is there a less invasive way?  I guess active /pip install?19:51
ayoungactivate19:51
*** vhoward has left #openstack-keystone19:51
dstanekyou could 'pip install -U dogpile.cache' and add the version spec19:51
*** leseb has joined #openstack-keystone19:52
stevemardstanek, yeah, i was just narrowing down to 'upgrading the libraries'19:55
ayoungdstanek, is there a pip update --all switch?19:55
stevemardstanek, i usually check db_sync / db_version, then i make sure /etc/keystone.conf isn't out of date, then libraries19:55
bknudsonstevemar: if there's code that doesn't work with the version of dogpile.cache that requirements lists then requirements should be updated19:56
* ayoung looks at what run_tests did19:56
stevemarbknudson, nah, just needed to update dogpile.cache19:56
ayoung python tools/install_venv.py19:56
dstanekayoung: maybe 'pip -U -r requirments.txt' in an activated shell19:56
ayoungdstanek, and test-requirements19:57
dstanekayoung: right19:57
stevemari tend to go for a while without updating the environments, and run into these sort of errors19:57
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/tools/install_venv.py#n5319:57
gyeeayoung, yes, that should work, between ou and cn, cert has all we need to identity a keystone instance19:58
ayounggyee, but is it going to step on toes?19:58
ayoungI mean, is it OK to hijack ou?19:58
gyeeayoung, I can't think of any19:58
ayounggyee, also, I would love to make this work for Hypervisors talking to Oslo Messaging19:59
ayoungand the other elements of the undercloud19:59
ayounghttp://adam.younglogic.com/2014/05/mapping-x509-to-endpoints-in-openstack/  gyee   as well   as http://adam.younglogic.com/2014/04/pki-for-oslo-messaging/20:00
dstanekbknudson: the issue for requirements is usually that you built the venv and then the requirements file changes20:00
*** joesavak has joined #openstack-keystone20:00
gyeeayoung, only drawback I can think of with cn=endpoint ID is in a HA situation where an endpoint is really a HA proxy20:00
dstanekwe really don't have a good way to signal that the venv should be rebuilt20:00
bknudsonok, but stevemar said it was for keystone-all20:00
gyeeayoung, we have the same challenge with SSL setup as well20:00
dstaneki have a habit of using 'tox -r' when the requirements change, but that only when i notice during a fetch20:01
ayounggyee, well, it is only an issue for signing.  But yeah, in that case, we would want to be able to distinguish "which keystone" signed it.20:01
bknudsonI don't run keystone-all in a venv... just run devstack20:01
*** jsavak has quit IRC20:01
ayounggyee,    SSL can use the existing format where the FQDN is the Subject, no?20:01
*** jsavak has joined #openstack-keystone20:01
gyeeayoung, I think we are fine, in HA situation, all instance behind the VIP would use the same cert anyway20:01
dstanekbknudson: i would guess that the devstack env was build using the old requirements file20:02
ayounggyee, shudder20:02
ayoungtrying to get away from that, but, yes20:02
ayounggyee, so the SIMPLE_CERT extension allows multiple certs.20:02
gyeeayoung, for SSL, we ended up putting the VIP in the CN and real IP in the subject alternative name I think20:02
ayoungwe could match on index, and say "signed by any valid cert from "endpoint"20:02
ayounggyee, I guess that works20:03
ayounggyee, I'm guessing, though, that you are limited to enforcing something network wise is the CN20:03
ayounggyee, FQDN resolves to VIP, right?20:03
gyeeright20:04
*** joesavak has quit IRC20:04
gyeeHTTPS standard calls for FQHN in either cn or subject alternative name I think20:04
ayounggyee, matches what I reacll20:05
ayoungrecall20:05
gyeethough you can also use wildcards or domain name20:05
ayoungbut these certs can and should have different Subjects.20:05
*** topol has joined #openstack-keystone20:05
ayounggyee, one possibility is using the local user:  keystone@identity.mydomain.org20:05
gyeeI think endpoint ID is better20:06
ayoungor even <service>@<FQDN>20:06
ayounggyee, endpoint doesn't work for Hypervisors20:07
ayoungOr the other undercloud elements20:07
gyeewhy not?20:07
gyeeyou want something that is unique and immutable20:08
bknudsondstanek: got a minute?20:08
bknudsontesting question20:08
ayounggyee, because they are not endpoints20:09
bknudsonauth_token tests have class CommonAuthTokenMiddlewareTest(object)20:09
dstanekbknudson: sure20:09
bknudsonCommonAuthTokenMiddlewareTest is used by v2AuthTokenMiddlewareTest and v3AuthTokenMiddlewareTest20:10
bknudsonso seems like CommonAuthTokenMiddlewareTest should contain tests that depend on the version of the token20:10
bknudsonbut looking at the tests there are several in there that don't have anything to do with the version20:11
*** thiagop has joined #openstack-keystone20:11
bknudsonso does it make sense to pull those out into a new class?20:11
bknudsondstanek: that was the question.20:12
dstanekbknudson: just by the names i would assume that CommonAuthTokenMiddlewareTest contains token independent tests and that specific data would be in v2AuthTokenMiddlewareTest to make them work with v2 tokens20:12
dstanekand maybe additional v2 only tests20:12
gyeeayoung, how many instance of Keystone one can have in undercloud?20:13
dstanekkinda like the old template GoF design pattern20:13
dstanekbknudson: looking at the tests now20:14
bknudsondstanek: what do you think would be a good name for a class containing tests that don't depend on the version?20:14
bknudsondstanek: e.g., test_assert_valid_memcache_protection_config -- what does that have to do with the token version?20:15
ayounggyee, in theory, many.20:15
ayounggyee, I could see a local Keystone for a multi region deployment20:15
ayoungso, lets assume a US/ Europe deploy, where the tokens are signed by the appropriate server, and identity and assignment backends are replicated and synced20:16
ayoungBut Hypervisors are per Nova20:16
gyeeayoung, sure, but it is an endpoint nevertheless right? I don't understand why the dichotomy20:16
ayoungas are all the other undercloud things that need messaging, but are not exposed to the outside world20:16
ayounggyee, I'm trying to solve a broader problem than just Keystone Token signing20:17
bknudsondstanek: maybe we just want a class for memcache tests...20:17
dstanekbknudson: hmm...that probably goes in a separate class20:17
dstanekyeah, a memcache one sounds good20:18
bknudsondstanek: ok, I'll take a stab at it.20:18
bknudsondstanek: I was also looking at http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/test_auth_token_middleware.py#n42320:18
dstanekbknudson: i think it is sorta being used like i though, but there seem to be more than just v2/v3 subclasses20:18
dstaneklooks like many of the tests are redundant20:19
bknudsondstanek: there's a couple of tests in NoMemcacheAuthToken that seem to expect memcache is set... not sure why that is.20:19
bknudsonso I'd move those into the memcache tests, too.20:19
*** andriyk0 has joined #openstack-keystone20:19
bknudsonok, I'll take a closer look since I think it makes sense to clean this up.20:20
openstackgerritA change was merged to openstack/python-keystoneclient: Fix client fixtures  https://review.openstack.org/9202120:20
openstackgerritA change was merged to openstack/keystone: Fixed the size limit tests in Python 3  https://review.openstack.org/8405320:20
openstackgerritA change was merged to openstack/keystone: Fixed the policy tests in Python 3  https://review.openstack.org/8405420:20
openstackgerritA change was merged to openstack/keystone: Adds several more tests to the Python 3 test run  https://review.openstack.org/8405520:20
gyeeayoung, I think having identity at the endpoint level give us flexibility20:21
gyeeayoung, but that doesn't mean you can't have service identities20:22
dstanekbknudson: looks like maybe it is rigging the cache to make sure it isn't used. maybe?20:22
gyeeyou can trust both20:22
dstanekbknudson: I rather see a fake cache imple that just raises exceptions when used20:22
ayounggyee, so I see us solving this set of problems:20:23
ayoungone: assuming a certificate is stripped out of a message (performance tune)  where do we go to get the cert20:23
bknudsondstanek: the test_nomemcache makes sense since it's testing what happens when memcache isn't available20:24
ayoungregardless of how we get the cert, how do we link that specific cert with the endpoint or host that is claimed to have signed the document20:24
bknudsondstanek: but test_not_use_cache_from_env shouldn't care if memcache isn't available.20:24
ayoungand then how do we confirm Ok, we believe you are you, but how do we know we should let YOU sign for THIS?20:24
gyeeayoung, there are two separate issues: 1) how do you know you are talking to an endpoint, and 2) how do you trust something from that endpoint20:26
gyee1) is basic HTTPS20:27
bknudsonyou can have alternative names in a cert20:27
bknudsonhttp://en.wikipedia.org/wiki/SubjectAltName20:27
gyee2) is whether you trust the signing cert, by either implicitly added it to your trust store or trust the CA chain20:28
gyeebknudson, right, that's how we setup SSL certs in HA clusters20:28
*** bach has quit IRC20:29
*** bach has joined #openstack-keystone20:29
*** derek_c has quit IRC20:31
thiagopHello people, can someone point me to a documentation that shows how to use URL's inside policy.json files?20:35
*** dims has quit IRC20:35
stevemarayoung, keep a list of people you trust to sign stuff20:37
*** andriyk0 has quit IRC20:37
*** dims has joined #openstack-keystone20:37
gyees/stuff/your checkbook/20:38
gyeethiagop, you want URLs in policy.json?20:39
thiagopgyee: I know that it is supported (i.e.: to make a external policy check), but I'd like to know if there is some config I can use to send the token on the URL call20:40
gyeeah20:41
ayoungstevemar, and from where do you fetch this list?20:43
ayoungand how is this list signed?20:43
ayoungand whom do you trust to sign it?20:43
ayoungDear Liza Dear Liza20:43
stevemaradmins, oh admins20:43
ayoungstevemar, but, yeah, I was wondering if we needed to support that information out of the policy API.20:44
ayoungstevemar, some of it is self filtering: auth_token middleware should be ignoring anything that is not a token signing request or revoction list20:45
*** gokrokve has quit IRC20:46
ayoungstevemar, http://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/20:50
ayoungmarekd, ^^20:50
stevemarayoung, i saw that on friday night20:50
stevemarayoung, err no.. i saw this one on friday night http://adam.younglogic.com/2014/05/mod_lookup_identity/20:51
stevemarayoung, you left the readers hanging! what was the result?!?20:53
ayoungstevemar, the result is that, using the curl at the bottom, I can get a token20:53
stevemarayoung, show the token!20:54
ayoungFine!20:54
stevemaror state it20:54
stevemarayoung, i see you decided to not go from unscoped->scoped20:54
ayoungstevemar, one step at a time20:54
stevemarayoung, i'm liking the fact that you are able to play around and get kerberos working20:55
ayoungstevemar, let me get that updated20:55
ayoungstevemar, I have a couple half written posts about that, too20:55
ayoungI have one I started on packstack20:55
ayoungand someone asked on my blog how they would deploy using just Puppet, which would be a good attempt to make20:56
ayoungstevemar, there ya go!21:07
stevemarayoung, yay!21:10
marekdayoung: nice.21:11
ayoungstevemar, I just realiex I have 98 draft posts on my Blog.  I just found one from back when I first started playing with Javascript:    http://younglogic.com/formographer/main.html21:12
ayoungHeh21:12
morganfainbergayoung, 98 drafts?!21:14
morganfainbergwow21:14
marekdstevemar: for the federation docs, maybe we will  hold on a little bit and wait for the ecp impl to be in a shape ready for the review?21:14
marekdstevemar: small changes would then be required.21:14
ayoungmorganfainberg, yeah, some are placeholders I never really addressed, many are things that I type and said "Ok I've done that, I don't need anyone to see it"21:14
ayoungecp ++21:14
*** boris-42 has quit IRC21:15
*** boris-42 has joined #openstack-keystone21:16
morganfainbergayoung, woo summit next week!21:17
morganfainbergayoung, looking forward to it!21:17
*** topol has quit IRC21:17
ayoungmorganfainberg, yeah, me to . I finally get to learn what nkinder looks like.21:17
morganfainbergayoung, also i've been thinking about your email when it comes to cert subjects...21:17
ayoungHe claims he's going to try and have a conversation with me before telling me21:17
nkinderayoung: maybe I'll send someone else in my place...21:18
ayoungAh,  yeah, cert subjects.  gyee and I were discussing in here earlier21:18
morganfainbergayoung, hopefully i'll have something to contribute to the convo when we're there.21:18
morganfainbergayoung, hah! i thats awesome, nkinder ++21:18
morganfainbergayoung, i'll scroll back and see the info.21:18
ayoungmorganfainberg, the current Strawman is CN=endpoint_id  OU=Service  For Things exposed via Keystone21:20
ayoungmorganfainberg, and for undercloud, it would be something similar like21:20
ayoungCN=FQDN  OU=Nova-Hypervisor21:20
ayoungthe goal is so that something that is fetching documents signed this way has an unambiguous link from the signed document to the OpenStack entity that signed it.21:21
*** marekd is now known as marekd|away21:22
*** jamielennox is now known as jamielennox|away21:23
*** dims has quit IRC21:25
morganfainbergayoung, makes sense to me21:25
ayoungmorganfainberg, I'm just concerned that we will come up with something that conflicts with X509 policy in the organizations that depend upon it heavily21:26
morganfainbergayoung, right21:26
ayoungSo I want to make sure I have a clear view of the options.21:26
*** gokrokve has joined #openstack-keystone21:29
morganfainbergayoung, i hope we can come up with something that plays nice with our designs and x50921:29
morganfainbergi think it's imminently doable21:29
*** rodrigods has joined #openstack-keystone21:33
*** rodrigods has joined #openstack-keystone21:33
*** gokrokve has quit IRC21:33
*** leseb has quit IRC21:36
*** gokrokve has joined #openstack-keystone21:39
*** gokrokve_ has joined #openstack-keystone21:44
*** gokrokve has quit IRC21:44
*** gokrokve has joined #openstack-keystone21:45
*** gokrokve_ has quit IRC21:48
*** gokrokve has quit IRC21:49
*** jsavak has quit IRC21:58
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Move auth_token cache pool tests out of NoMemcache  https://review.openstack.org/9221522:00
*** marcoemorais has quit IRC22:04
*** marcoemorais has joined #openstack-keystone22:06
*** rodrigods has quit IRC22:06
*** gokrokve has joined #openstack-keystone22:10
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Cached tokens aren't expired  https://review.openstack.org/9221722:10
*** rodrigods has joined #openstack-keystone22:10
*** dims has joined #openstack-keystone22:17
*** marcoemorais has quit IRC22:18
*** andreaf has quit IRC22:20
*** marcoemorais has joined #openstack-keystone22:28
*** rodrigods has quit IRC22:28
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Move auth_token tests not requiring v2/v3 to new class  https://review.openstack.org/9222222:31
stevemarmarekd|away, i'm okay with whatever the consensus is22:33
*** dims has quit IRC22:34
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Remove importutils from oslo config  https://review.openstack.org/9222322:35
*** doddstack has quit IRC22:36
*** nkinder has quit IRC22:40
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator 2640847  https://review.openstack.org/9222822:41
*** marcoemorais has quit IRC22:45
*** david-lyle has quit IRC22:55
*** jamielennox|away is now known as jamielennox23:16
gyeejamielennox, dolphm, regarding https://review.openstack.org/#/c/80124/, I agree we should be using Session instead of the whole client. But I am trying to figure out when can we declare keystoneclient is good enough for others to integrate.23:23
gyeeis there even room for incremental improvement?23:24
*** marcoemorais has joined #openstack-keystone23:44
*** gokrokve has quit IRC23:45
jamielennoxgyee23:49
jamielennoxgyee: i think it's good enough for use23:49
jamielennoxthere is definitely things to do but for a client as young as barbican i don't see that as a problem23:49
gyeejamielennox, so I should use session for now?23:50
*** kfox1111 has joined #openstack-keystone23:50
jamielennoxyes23:50
gyeeand wait for the api version discovery and catalog parsing later?23:50
jamielennoxcatalog parsing is done23:50
gyeejamielennox, in 0.8.0 release?23:50
jamielennoxthe only thing that isn't done is the specifiying unversioned endpoints23:50
jamielennoxso doing discovery23:51
jamielennoxcatalog parsing has been done for ages23:51
gyeein the Session object?23:51
jamielennoxit's handled within the auth plugins but yes23:51
gyeeoh23:52
gyeelemme double check23:52
jamielennoxit's part of the endpoint handling23:52
jamielennoxso request(....., endpoint_filter={'service_type': 'barbican', 'interface': 'public'})23:53
jamielennoxwhat is barbican's service_type?23:53
bknudsondstanek: http://logs.openstack.org/28/92228/1/check/gate-python-keystoneclient-python33/307a72d/console.html ?23:54
gyeejamielennox, service_type='keystore'23:54
jamielennoxok23:54
gyeejamielennox, I think I know what to do now, thanks!23:55
dstanekbknudson: that looks ugly23:55
bknudsonweird, only failed on python323:55
jamielennoxgyee: cool, let me know if you want me to do anything regarding that23:55
dstanekit looks like it is comparing bytes to strings23:55
jamielennoxgyee: also you may find something like https://review.openstack.org/#/c/86237/ useful23:56
gyeejamielennox, that's one have a -2?23:56
gyeefrom you?23:56
dstanekbknudson: i think it is trying to find a unicode string inside of a byte string23:56
jamielennoxgyee: that one was a WIP, i should bring it out23:56
jamielennoxi don't like the name 'binding' amongst other problems23:57
gyeeah :)23:57
gyeeI see23:57
jamielennoxbut in general the way i see it is that a client would be passed a session23:57
gyeeno argument here23:58
jamielennoxyou would then 'bind' it to the service_type, interface, JSON etc and save that23:58
jamielennoxand then all your operations within the client would use the 'bound' interface so that you don't need to specify endpoint_type, and Accept: headers on every request23:58
gyees/bind/couple/23:58
jamielennoxmaybe, still not great23:59
« Sunday, 2014-05-04 Index Tuesday, 2014-05-06 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!