*** praneshp has quit IRC | 00:28 | |
*** bknudson has joined #openstack-keystone | 00:28 | |
*** richm has quit IRC | 00:30 | |
*** dstanek has joined #openstack-keystone | 00:43 | |
*** dstanek has quit IRC | 00:47 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398 | 00:55 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token hashes PKI token once https://review.openstack.org/92499 | 00:55 |
morganfainberg | bknudson, cool, those were the only two things i found in the code that looked suspect | 00:56 |
morganfainberg | bknudson, otherwise it's def looking solid. | 00:56 |
morganfainberg | bknudson, +2 once jenkins weighs in (not that I expect any issues) | 00:58 |
bknudson | morganfainberg: I'm glad somebody complained about it. | 00:58 |
bknudson | morganfainberg: and they complained about it after I'd looked at the test code enough that I have some idea what's going on. | 00:58 |
morganfainberg | bknudson, took me a bit to get through it (not hard code). I wanted to make sure i gave it a serious once over. | 00:59 |
morganfainberg | hehe | 00:59 |
morganfainberg | it's def. a good change. | 01:00 |
ayoung | bknudson, strange to pass in the token_id. Why? | 01:02 |
morganfainberg | ayoung, which part? | 01:02 |
bknudson | ayoung: because we'd already calculated it | 01:02 |
ayoung | morganfainberg, the auth_token hashes PKI token once https://review.openstack.org/92499 | 01:02 |
bknudson | and it's somewhat expensive | 01:03 |
*** dstanek has joined #openstack-keystone | 01:03 | |
morganfainberg | bknudson, ++ | 01:03 |
ayoung | verified = self.verify_signed_token(user_token, token_id)? | 01:03 |
*** david-lyle has joined #openstack-keystone | 01:03 | |
bknudson | when we verify the token we check against the revocation list and cms decode | 01:04 |
ayoung | OK...I get it | 01:04 |
ayoung | caught me off guard. I wouldn't have written the verify_signed_token with the check inside it that way. I would have pulled it out. | 01:04 |
ayoung | But not really anything wrong with it as is | 01:04 |
bknudson | ayoung: it's a pile of spaghetti | 01:04 |
morganfainberg | ayoung, ah i see why that would catch you off guard | 01:05 |
ayoung | bknudson, yeah, it needs a good refactoring. Too much is done in middleware | 01:05 |
ayoung | middleware really should be a binding to a well organized set of classes. | 01:05 |
ayoung | and very little logic | 01:05 |
morganfainberg | ayoung, ++ | 01:05 |
*** diegows has quit IRC | 01:06 | |
ayoung | I should have made all of those methods private. But part of me still thinks it stinks that Python's "private" methods are nothing but a naming convention | 01:06 |
ayoung | hard to refactor public APIs | 01:06 |
morganfainberg | ayoung, i think we decided auth_token_middleware was 100% private? or are you referencing something else? | 01:07 |
ayoung | Nah, it's all naming conventions these days. | 01:07 |
morganfainberg | ah right | 01:07 |
morganfainberg | i wish there was something better than _ or __ (limited use) | 01:08 |
*** amcrn has quit IRC | 01:08 | |
bknudson | we could go with _PRIVATE_HANDS_OFF_ | 01:11 |
*** marcoemorais has quit IRC | 01:12 | |
gyee | jamielennox, ping | 01:13 |
jamielennox | gyee: hi | 01:14 |
gyee | jamielennox, I have a couple of questions for https://review.openstack.org/#/c/85920 | 01:14 |
jamielennox | gyee: yep | 01:14 |
ayoung | bknudson, or we could code in a language that gave support for types and type checking and information hiding and all that. But then the world would end. | 01:15 |
gyee | first of all, where are all the shell changes | 01:15 |
gyee | jamielennox, I was hoping for an example of how to use OCS | 01:15 |
jamielennox | gyee: there are none, if you don't use a session then the old behaviour is maintained | 01:15 |
gyee | like how to add the common args | 01:15 |
jamielennox | gyee: novaclient and OSC are implemented completely separately | 01:16 |
*** gokrokve_ has quit IRC | 01:21 | |
*** xianghui has joined #openstack-keystone | 01:24 | |
morganfainberg | ayoung, we could do some shaaaaaaaaady things with metaclasses :P | 01:24 |
ayoung | morganfainberg, We already do. | 01:24 |
morganfainberg | ayoung, no i mean horribly shady vs "well thats just how we do it here" | 01:25 |
gyee | jamielennox, so if keystoneclient session and auth is used, there will be lost functionality with _original_only? | 01:25 |
jamielennox | right _original_only will bar it from use | 01:25 |
ayoung | morganfainberg, Python is better than bash. It is better than Perl. As far as scripting, type free, dynamic, interpreted languages go, it is about as good as we are going to get. | 01:26 |
morganfainberg | ayoung, true | 01:26 |
ayoung | And I've almost come to accept that. | 01:26 |
*** rodrigods_ has quit IRC | 01:26 | |
morganfainberg | ayoung, if this project was written in perl, i don't think i'd have any sanity left | 01:26 |
ayoung | But I can't help feel I'm being asked to cut down the tallest tree in the forest. With a herring. | 01:26 |
morganfainberg | ayoung, need a shrubbery as well | 01:26 |
ayoung | morganfainberg, sooo.....if I leave in this line events = self.list(since=self._last_fetch) in the revoke code, my scripts fail to show the token revoked. If I take out the last_fetch part, they pass. | 01:27 |
ayoung | I put in a delay in the script between when I trigger the event and when I test for revocation. I needed a 1 second delay to even get it to work at all, which kind of makes sense | 01:28 |
ayoung | but with the last_fetch in there, even a 5 second delay made no difference. | 01:28 |
ayoung | I think there is a bug in the last_fetch logic | 01:28 |
morganfainberg | ayoung, overwriting the current set with the last_fetch set (now omitting the event since it's old)? | 01:29 |
ayoung | So...I'm going to resubmit the client, to include the brokenness. And I'll resubmit the scripts. And File a bug. I am fairly certain the bug is in the server code, but, not sure | 01:29 |
morganfainberg | ayoung, ah. i'll take a closer look at that specific code path | 01:30 |
ayoung | let me resubmit the client code first. I need to untangle some things with the scripts before I resubmit that | 01:31 |
morganfainberg | ayoung, ++ | 01:31 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166 | 01:33 |
ayoung | jamielennox, OS_SERVICE_ENDPOINT or OS_ENDPOINT? | 01:39 |
jamielennox | SERVICE_ENDPOINT in ksclient i think | 01:40 |
jamielennox | i can't remember though | 01:40 |
*** rodrigods_ has joined #openstack-keystone | 01:48 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects https://review.openstack.org/79542 | 01:49 |
*** gokrokve has joined #openstack-keystone | 01:52 | |
*** david-lyle has quit IRC | 01:57 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins https://review.openstack.org/81985 | 01:57 |
*** sbfox has joined #openstack-keystone | 01:58 | |
*** morganfainberg is now known as morganfainberg_Z | 02:04 | |
*** mberlin1 has joined #openstack-keystone | 02:13 | |
*** mberlin has quit IRC | 02:13 | |
*** gokrokve_ has joined #openstack-keystone | 02:41 | |
*** gokrokve has quit IRC | 02:44 | |
*** topol has joined #openstack-keystone | 02:47 | |
*** harlowja is now known as harlowja_away | 02:50 | |
*** praneshp has joined #openstack-keystone | 02:51 | |
*** praneshp_ has joined #openstack-keystone | 02:52 | |
*** zhiyan_ is now known as zhiyan | 02:53 | |
*** praneshp has quit IRC | 02:56 | |
*** praneshp_ is now known as praneshp | 02:56 | |
*** harlowja_away has quit IRC | 02:58 | |
*** rodrigods_ has quit IRC | 03:08 | |
*** dstanek has quit IRC | 03:11 | |
*** dstanek has joined #openstack-keystone | 03:14 | |
*** dims has quit IRC | 03:30 | |
*** gyee has quit IRC | 03:34 | |
*** sbfox has quit IRC | 03:42 | |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687 | 03:52 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: revocation_events script https://review.openstack.org/91895 | 03:52 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: regions sample script https://review.openstack.org/91894 | 03:52 |
*** ayoung has quit IRC | 03:54 | |
*** sbfox has joined #openstack-keystone | 03:54 | |
*** dstanek has quit IRC | 04:14 | |
*** dstanek has joined #openstack-keystone | 04:31 | |
*** stevemar has joined #openstack-keystone | 04:47 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins https://review.openstack.org/81985 | 04:50 |
*** chandan_kumar has joined #openstack-keystone | 04:50 | |
*** dstanek has quit IRC | 05:00 | |
*** bach has joined #openstack-keystone | 05:18 | |
*** amerine has quit IRC | 05:23 | |
*** topol has quit IRC | 05:26 | |
*** amerine has joined #openstack-keystone | 05:28 | |
*** spligak has quit IRC | 05:38 | |
*** sudorandom has quit IRC | 05:39 | |
*** dstanek has joined #openstack-keystone | 05:45 | |
*** bach has quit IRC | 05:48 | |
*** dstanek has quit IRC | 05:55 | |
*** spligak has joined #openstack-keystone | 05:55 | |
*** tomoiaga has joined #openstack-keystone | 05:56 | |
*** bach has joined #openstack-keystone | 05:57 | |
*** nkinder has quit IRC | 05:59 | |
*** nkinder has joined #openstack-keystone | 06:00 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288 | 06:01 |
*** dstanek has joined #openstack-keystone | 06:01 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method https://review.openstack.org/88517 | 06:05 |
*** ukalifon1 has joined #openstack-keystone | 06:20 | |
*** dstanek has quit IRC | 06:20 | |
*** jaosorior has joined #openstack-keystone | 06:38 | |
*** sbfox has quit IRC | 06:45 | |
*** stevemar has quit IRC | 06:55 | |
*** dstanek has joined #openstack-keystone | 06:59 | |
*** leseb has joined #openstack-keystone | 07:04 | |
*** dstanek has quit IRC | 07:04 | |
*** praneshp has quit IRC | 07:04 | |
*** leseb has quit IRC | 07:19 | |
*** leseb has joined #openstack-keystone | 07:25 | |
*** zhiyan is now known as zhiyan_ | 07:26 | |
*** marekd|away is now known as marekd | 07:33 | |
openstackgerrit | Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes https://review.openstack.org/92535 | 08:18 |
*** bach has quit IRC | 08:24 | |
*** andreaf has joined #openstack-keystone | 08:58 | |
*** sudorandom has joined #openstack-keystone | 09:12 | |
*** chandan_kumar has quit IRC | 09:17 | |
*** chandan_kumar has joined #openstack-keystone | 09:23 | |
*** leseb has quit IRC | 09:28 | |
openstackgerrit | Olga Kopylova proposed a change to openstack/keystone: Pagination for api request to users list https://review.openstack.org/64159 | 09:28 |
*** leseb has joined #openstack-keystone | 09:29 | |
*** chandan_kumar has quit IRC | 09:46 | |
*** gokrokve_ has quit IRC | 09:50 | |
*** gokrokve has joined #openstack-keystone | 09:50 | |
*** gokrokve has quit IRC | 09:50 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 09:53 |
*** chandan_kumar has joined #openstack-keystone | 10:00 | |
*** dims has joined #openstack-keystone | 10:10 | |
*** dims has quit IRC | 10:10 | |
*** dims has joined #openstack-keystone | 10:10 | |
*** leseb has quit IRC | 10:28 | |
*** leseb has joined #openstack-keystone | 10:29 | |
*** leseb has quit IRC | 10:33 | |
*** gabriel-bezerraa is now known as gabriel-bezerra | 10:34 | |
*** gokrokve has joined #openstack-keystone | 10:38 | |
*** gokrokve has quit IRC | 10:43 | |
*** diegows has joined #openstack-keystone | 10:59 | |
*** dims has quit IRC | 11:11 | |
*** leseb has joined #openstack-keystone | 11:29 | |
*** leseb has quit IRC | 11:34 | |
*** gokrokve has joined #openstack-keystone | 11:37 | |
*** jamielennox is now known as jamielennox|away | 11:40 | |
*** gokrokve has quit IRC | 11:42 | |
*** bach has joined #openstack-keystone | 11:44 | |
*** vhoward has joined #openstack-keystone | 11:45 | |
*** topol has joined #openstack-keystone | 11:58 | |
*** d0ugal_ has joined #openstack-keystone | 12:06 | |
*** d0ugal_ has quit IRC | 12:09 | |
*** xianghui has quit IRC | 12:10 | |
*** bach has quit IRC | 12:11 | |
*** bach has joined #openstack-keystone | 12:11 | |
*** leseb has joined #openstack-keystone | 12:29 | |
*** gokrokve has joined #openstack-keystone | 12:38 | |
*** gokrokve has quit IRC | 12:42 | |
*** dstanek has joined #openstack-keystone | 12:46 | |
*** dstanek has quit IRC | 12:46 | |
-openstackstatus- NOTICE: Zuul is stuck due to earlier networking issues with Gerrit server, work in progress. | 13:02 | |
*** ChanServ changes topic to "Zuul is stuck due to earlier networking issues with Gerrit server, work in progress." | 13:02 | |
*** florentflament has joined #openstack-keystone | 13:07 | |
*** dstanek has joined #openstack-keystone | 13:08 | |
*** ChanServ changes topic to "Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)" | 13:11 | |
-openstackstatus- NOTICE: Zuul is processing changes now; some results were lost. Use "recheck bug 1317089" if needed. | 13:11 | |
*** lbragstad has joined #openstack-keystone | 13:11 | |
*** leseb has quit IRC | 13:18 | |
*** leseb_ has joined #openstack-keystone | 13:18 | |
*** joesavak has joined #openstack-keystone | 13:21 | |
*** ayoung has joined #openstack-keystone | 13:24 | |
*** dstanek_zzz has joined #openstack-keystone | 13:29 | |
*** dstanek has quit IRC | 13:29 | |
*** dstanek_zzz is now known as dstanek | 13:29 | |
*** dstanek has quit IRC | 13:29 | |
*** dstanek has joined #openstack-keystone | 13:29 | |
*** gokrokve has joined #openstack-keystone | 13:38 | |
*** gokrokve has quit IRC | 13:43 | |
*** tellesnobrega has joined #openstack-keystone | 13:44 | |
*** jsavak has joined #openstack-keystone | 13:57 | |
*** joesavak has quit IRC | 13:58 | |
*** gokrokve has joined #openstack-keystone | 14:04 | |
*** topol has quit IRC | 14:07 | |
*** stevemar has joined #openstack-keystone | 14:12 | |
*** lbragstad has quit IRC | 14:13 | |
*** lbragstad has joined #openstack-keystone | 14:15 | |
*** shakamunyi has joined #openstack-keystone | 14:16 | |
*** thedodd has joined #openstack-keystone | 14:17 | |
*** daneyon has joined #openstack-keystone | 14:23 | |
*** dims has joined #openstack-keystone | 14:25 | |
*** d0ugal has quit IRC | 14:34 | |
*** bvandenh has joined #openstack-keystone | 14:36 | |
*** jsavak has quit IRC | 14:36 | |
*** mberlin1 has quit IRC | 14:40 | |
*** topol has joined #openstack-keystone | 14:41 | |
openstackgerrit | Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes https://review.openstack.org/92535 | 14:42 |
*** daneyon has quit IRC | 14:43 | |
*** daneyon has joined #openstack-keystone | 14:43 | |
*** d0ugal has joined #openstack-keystone | 14:47 | |
*** d0ugal has quit IRC | 14:47 | |
*** d0ugal has joined #openstack-keystone | 14:47 | |
*** daneyon has quit IRC | 14:49 | |
*** daneyon has joined #openstack-keystone | 14:50 | |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Regions Management https://review.openstack.org/79096 | 14:53 |
*** mberlin has joined #openstack-keystone | 14:54 | |
*** vhoward has left #openstack-keystone | 14:55 | |
*** joesavak has joined #openstack-keystone | 15:00 | |
*** david-lyle has joined #openstack-keystone | 15:15 | |
*** richm has joined #openstack-keystone | 15:19 | |
*** shakamunyi has quit IRC | 15:20 | |
*** jaosorior has quit IRC | 15:21 | |
*** shakamunyi has joined #openstack-keystone | 15:23 | |
*** bvandenh has quit IRC | 15:29 | |
*** jsavak has joined #openstack-keystone | 15:37 | |
*** joesavak has quit IRC | 15:38 | |
*** gyee has joined #openstack-keystone | 15:40 | |
dolphm | sergey nikitin pinged the list on april 17th about an LDAP gate job, with no response. was there a conversation here or anything? that'd be great to have | 15:45 |
dolphm | thread: http://lists.openstack.org/pipermail/openstack-dev/2014-April/033027.html | 15:46 |
*** tomoiaga has quit IRC | 15:51 | |
*** dolphm changes topic to "Sunday summit meetup @ http://www.parkbaratlanta.com/ (5 min walk from conference) | Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)" | 15:53 | |
*** ukalifon1 has quit IRC | 15:55 | |
*** joesavak has joined #openstack-keystone | 15:59 | |
*** jsavak has quit IRC | 16:01 | |
*** chandan_kumar has quit IRC | 16:03 | |
gyee | dolphm, what's the time for the Sunday meetup? | 16:03 |
*** dstanek is now known as dstanek_zzz | 16:08 | |
*** marcoemorais has joined #openstack-keystone | 16:10 | |
*** andreaf has quit IRC | 16:11 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token hashes PKI token once https://review.openstack.org/92499 | 16:15 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398 | 16:15 |
*** praneshp has joined #openstack-keystone | 16:19 | |
*** dstanek_zzz is now known as dstanek | 16:30 | |
*** gokrokve has quit IRC | 16:40 | |
*** leseb_ has quit IRC | 16:42 | |
*** leseb has joined #openstack-keystone | 16:47 | |
*** leseb has quit IRC | 16:47 | |
*** leseb_ has joined #openstack-keystone | 16:47 | |
*** jaosorior has joined #openstack-keystone | 16:51 | |
*** chandan_kumar has joined #openstack-keystone | 16:54 | |
*** gokrokve has joined #openstack-keystone | 16:54 | |
*** harlowja has joined #openstack-keystone | 16:58 | |
*** dstanek is now known as dstanek_zzz | 17:04 | |
*** jsavak has joined #openstack-keystone | 17:05 | |
*** florentflament has quit IRC | 17:05 | |
*** joesavak has quit IRC | 17:07 | |
*** bach_ has joined #openstack-keystone | 17:13 | |
*** bach has quit IRC | 17:13 | |
*** gokrokve has quit IRC | 17:21 | |
dolphm | gyee: i land at ~10a, and it sounds like people are trickling in all day, so i might go there when they open (noon) | 17:22 |
gyee | dolphm, sounds good, I'll try to look for you guys there then | 17:26 |
*** sbfox has joined #openstack-keystone | 17:29 | |
dolphm | gyee: what time do you land? | 17:31 |
*** morganfainberg_Z is now known as morganfainberg | 17:32 | |
*** morganfainberg is now known as needscoffee | 17:33 | |
*** needscoffee is now known as morganfainberg | 17:33 | |
morganfainberg | dolphm, i haven't heard convo on LDAP gate job | 17:34 |
morganfainberg | dolphm, there should be one | 17:34 |
dolphm | morganfainberg: i know we talked about it once, but i don't recall a blocker... | 17:34 |
morganfainberg | dolphm, gyee, i land ~5pm-ish on sunday | 17:34 |
gyee | dolphm, 6pm, taking the redeye | 17:34 |
dolphm | morganfainberg: http://www.parkbaratlanta.com/ | 17:34 |
dolphm | gyee: ack | 17:34 |
morganfainberg | dolphm, sounds good to me | 17:35 |
morganfainberg | dolphm, there is the qa matrix dev session at the summit | 17:35 |
morganfainberg | dolphm, prob should attend that (I'm planning on it) if we're really interested in things like expanding testing (e.g. LDAP gate job) | 17:36 |
dolphm | morganfainberg: ++ | 17:36 |
gyee | morganfainberg, OpenLDAP gate? | 17:36 |
*** praneshp_ has joined #openstack-keystone | 17:37 | |
morganfainberg | gyee, probably. i mean, Active Directory gate might be hard to setup | 17:37 |
morganfainberg | :P | 17:37 |
*** praneshp has quit IRC | 17:37 | |
*** praneshp_ is now known as praneshp | 17:37 | |
gyee | morganfainberg, LDAP performance needs some work | 17:38 |
morganfainberg | gyee, ++ | 17:38 |
gyee | I have some POC code using ldappool | 17:38 |
gyee | but ldappool needs some update too | 17:38 |
gyee | morganfainberg, but if we cache user_id to user DN mapping, couple that with connection pooling, performance will be awesomer | 17:39 |
*** gokrokve has joined #openstack-keystone | 17:39 | |
morganfainberg | gyee, i also approve of the word "Awesomer" in this context :) | 17:40 |
ayoung | I land Sunday night 9 ish | 17:40 |
gyee | ayoung, you bringing your running gear, we can jog around the olympic park | 17:41 |
ayoung | FreeIPA Gate FTW. We can do Kerberos too | 17:41 |
ayoung | gyee, ++ | 17:41 |
gyee | ayoung, FreeIPA as a cert provider to Barbican right? | 17:42 |
ayoung | that too | 17:42 |
morganfainberg | ayoung, ++ i like the idea of that, please show up to the test matrix sessions :) | 17:42 |
gyee | or is it standalone | 17:42 |
ayoung | morganfainberg, what slot? | 17:42 |
morganfainberg | ayoung, sec. | 17:42 |
morganfainberg | ayoung, http://junodesignsummit.sched.org/event/fd84ec7ddc3252270fb73e8e9e09cfba | 17:43 |
ayoung | morganfainberg, will do | 17:43 |
morganfainberg | oh look at that | 17:44 |
*** bach_ has quit IRC | 17:44 | |
morganfainberg | there is a whole session on Kite! | 17:45 |
morganfainberg | http://junodesignsummit.sched.org/event/f17f40205979d37158c12dacbc39e21d | 17:45 |
*** bach has joined #openstack-keystone | 17:45 | |
morganfainberg | ayoung, ^ PKI messaging probably will be involved there somehow? | 17:46 |
ayoung | morganfainberg, yep....gonna be spread thin | 17:46 |
morganfainberg | ayoung, yeah. already trying to resolve which sessions are more important to get to | 17:47 |
gyee | morganfainberg, I am having a hard time trying to figure out which party to attend :D | 17:48 |
dolphm | i shuffled 4 of our sessions around last night to accommodate the federation overlap as best as possible | 17:48 |
morganfainberg | gyee, yeah. there is also a Metacloud party i'm supposed to invite people to (not on the official schedule) ;) | 17:49 |
dolphm | morganfainberg: what day? | 17:50 |
gyee | morganfainberg, I presume there's a secret hand gesture to get into one of those? | 17:50 |
morganfainberg | gyee, lol | 17:50 |
morganfainberg | dolphm, same day as redhat party, let me get the details | 17:51 |
ayoung | morganfainberg, Wednesday night I am disappearing and meeting up with College friends | 17:52 |
morganfainberg | Wednesday, May 14, 2014 from 8:30 PM to 11:30 PM | 17:52 |
dolphm | wed = core party? | 17:52 |
morganfainberg | ayoung, better plan than conference-related party imo | 17:53 |
dolphm | <i>sponsored by HP</i> | 17:53 |
*** packet has joined #openstack-keystone | 17:53 | |
morganfainberg | dolphm, hah, given the choice i'd say i need to go to the core party | 17:53 |
gyee | morganfainberg, it's very easy to choose between frat party and core party :) | 17:54 |
morganfainberg | huh wonder if I RSVPd for that... | 17:54 |
morganfainberg | (core party) | 17:54 |
dolphm | morganfainberg: going head to head with the red hat party... risky | 17:54 |
dolphm | morganfainberg: i RSVP'd twice, you can have one of mine | 17:55 |
morganfainberg | dolphm, haha i'm pretty sure I RSVPd but... | 17:55 |
dolphm | eventbright.something | 17:55 |
morganfainberg | eh worst case i can chase down Mark and bug him. | 17:55 |
dolphm | eventbrite.com | 17:55 |
morganfainberg | dolphm, i sent an email to mark, i'm sure i'll get it all sorted :) | 17:59 |
*** packet has quit IRC | 17:59 | |
*** dims has quit IRC | 18:01 | |
ayoung | morganfainberg, looks like Tuesday is Loaded. I only have Keystone stuff on Wed and Thurs, but Tues I am going from dawn til dusk, with double bookings on at least two sessions | 18:01 |
ayoung | 3 | 18:01 |
ayoung | I'll probably drop "Future of Python Support" cuz that resolves down to "Py33 when we can toss eventlet" | 18:01 |
*** joesavak has joined #openstack-keystone | 18:02 | |
dolphm | sounds like py3 support in nova is hopeless | 18:02 |
ayoung | We can drop 2.6, I think, for RH, too, as we have collections now, but I'm sure there will be many people from RH that can address that | 18:02 |
*** marcoemorais has quit IRC | 18:02 | |
ayoung | dolphm, anything more than Eventlet? | 18:03 |
morganfainberg | dolphm, wow, hopeless? | 18:03 |
dolphm | ayoung: just an incredibly tight coupling with eventlet | 18:03 |
morganfainberg | dolphm, yeah. | 18:04 |
*** marcoemorais has joined #openstack-keystone | 18:04 | |
morganfainberg | dolphm, there have been some grumblings that other projects should support deployments in mod_wsgi and/or gunicorn type stuff | 18:04 |
dolphm | :D | 18:04 |
dolphm | they should! because, you know, that's what wsgi is for | 18:04 |
*** jsavak has quit IRC | 18:05 | |
morganfainberg | dolphm, it would be really cool if you could run all of openstack under mod_wsgi (e.g. devstack: /identity /compute /storage ....) | 18:06 |
morganfainberg | dolphm, i'd totally dig that deployment model. | 18:06 |
dolphm | morganfainberg: ++ | 18:07 |
*** sbfox has quit IRC | 18:07 | |
*** joesavak has quit IRC | 18:08 | |
*** dstanek_zzz is now known as dstanek | 18:13 | |
ayoung | morganfainberg, what a great idea | 18:15 |
ayoung | https://wiki.openstack.org/wiki/URLs | 18:15 |
*** morganfainberg has quit IRC | 18:15 | |
*** andreaf_ has joined #openstack-keystone | 18:15 | |
*** andreaf_ has quit IRC | 18:16 | |
*** morganfainberg has joined #openstack-keystone | 18:16 | |
*** andreaf has joined #openstack-keystone | 18:16 | |
ayoung | morganfainberg, what a great idea | 18:17 |
ayoung | https://wiki.openstack.org/wiki/URLs | 18:17 |
* ayoung should update that | 18:17 | |
*** morganfainberg has quit IRC | 18:18 | |
*** morganfainberg_Z has joined #openstack-keystone | 18:19 | |
*** morganfainberg_Z is now known as morganfainberg | 18:20 | |
ericvw | It appears that on trusty, the python-ldap version has moved (or has been removed) the 'LDAP_CONTROL_PAGE_OID' variable, which is causing errors using keystone (icehouse) on trusty. A quick search on launchpad doesn't reveal anything, but I am happy to make some changes/fixes for this. It appears between precise and trusty the version of python-ldap has | 18:22 |
ericvw | advanced, I am still tracking down what happened to this variable... | 18:22 |
ayoung | morganfainberg, can I get a Hell Yeah (or a hell no) https://review.openstack.org/#/c/79096/ trying to clear out some of the client work, and jaypipes deserves his region support | 18:23 |
morganfainberg | ayoung, sec trying to fix my login to gerrit, then yes you can | 18:24 |
dolphm | ericvw: what version of python-ldap is installed? | 18:24 |
ayoung | morganfainberg, thanks | 18:24 |
ayoung | ericvw, we just saw a similar problem. Are you running out of pip for python-ldap or from packages? it might not be quite the same problem | 18:25 |
ericvw | 2.4.10-1build1 | 18:25 |
ericvw | according to `apt-cache show python-ldap` | 18:25 |
morganfainberg | ayoung, i think your docstrings aren't valid RST. | 18:25 |
ayoung | morganfainberg, passes tox -edocs? | 18:25 |
morganfainberg | ayoung, checking the rendering now. but it looks off | 18:26 |
ericvw | ayoung, trusty's packages | 18:26 |
morganfainberg | ayoung, http://docs-draft.openstack.org/96/79096/11/check/gate-python-keystoneclient-docs/a91ff75/doc/build/html/api/keystoneclient.v3.html#module-keystoneclient.v3.regions | 18:26 |
morganfainberg | ayoung, i think the param bits are off. in update | 18:27 |
*** bvandenh has joined #openstack-keystone | 18:27 | |
morganfainberg | ayoung, it should end up looking like http://docs-draft.openstack.org/96/79096/11/check/gate-python-keystoneclient-docs/a91ff75/doc/build/html/api/keystoneclient.v3.html#keystoneclient.v3.client.Client | 18:27 |
morganfainberg | ayoung, i don't think the -edocs will fail, it'll just make for bad rendering with the RST you have | 18:28 |
morganfainberg | ayoung, if you want me to take a swing at the RST i'll do that really quickly instead of a -1. | 18:29 |
morganfainberg | otherwise it looks good | 18:29 |
openstackgerrit | Andreas Jaeger proposed a change to openstack/keystone: Fix version links to docs.openstack.org https://review.openstack.org/92653 | 18:31 |
ayoung | param :region: | 18:31 |
ayoung | hmm | 18:31 |
ayoung | looks it | 18:31 |
ayoung | * id: good and param :id: bad ? morganfainberg ? | 18:31 |
ayoung | morganfainberg, I just looked at projects.py | 18:31 |
ayoung | http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/projects.py#n24 | 18:31 |
ayoung | But that is not a param list... | 18:32 |
morganfainberg | ayoung, i think you need :param id: | 18:32 |
morganfainberg | let me load it up and check | 18:32 |
morganfainberg | ayoung, (also getting lag on IRC atm) | 18:32 |
stevemar | morganfainberg, ahhh, i should have caught that! | 18:34 |
ayoung | stevemar, morganfainberg how do I run that in my own tree? tox -edocs does not seem to be producing html | 18:34 |
ayoung | python setup.py build_sphinx | 18:35 |
ayoung | would it be something there ? Some param that says :gen html? | 18:35 |
stevemar | ayoung it should be in keystone_dir/doc/build/html/index.html | 18:35 |
ayoung | stevemar, client | 18:35 |
ayoung | stevemar, so I can build it using the makefile, but not by tox? | 18:35 |
stevemar | ayoung, tox should produce it too | 18:35 |
*** bvandenh has quit IRC | 18:36 | |
morganfainberg | ayoung, http://paste.openstack.org/show/79448/ that looks like the diff needed to fix the RST | 18:36 |
ayoung | morganfainberg, how did you test that? | 18:37 |
morganfainberg | ayoung, at least that looks better (haven't run the doc build locally) | 18:37 |
morganfainberg | ayoung, advantage to this IDE it does some of the work for me. | 18:37 |
stevemar | ayoung, firefox doc/build/html/api/modules.html -> click on your new guy | 18:37 |
morganfainberg | ayoung, but i need to do the build here first | 18:37 |
ayoung | morganfainberg, I'm running PyCharm | 18:38 |
morganfainberg | ayoung, if you click on the function dev, and hover there is a lightbulb icon that pops up and if you click on that it allows you to inject the docstring | 18:38 |
morganfainberg | ayoung, the params into the docstring | 18:38 |
morganfainberg | ayoung, http://imgur.com/7C6wRS9 | 18:40 |
morganfainberg | the diff i posted only covered create not update *oops* | 18:41 |
morganfainberg | ayoung, and i confirmed the diff looks like it renders more correctly | 18:42 |
morganfainberg | ayoung, want me to post that fix and +1 for the code? | 18:42 |
ayoung | stevemar, BTW, dolphm recommended I remove Optional for all those where the defaults are specified in the param list. He's right | 18:43 |
morganfainberg | ah. | 18:44 |
stevemar | ayoung, so if description defaults to None, then it's not optional? | 18:44 |
morganfainberg | stevemar, or it's implied to be optional because there is a default | 18:45 |
morganfainberg | stevemar, no need to specifically call it out | 18:45 |
stevemar | morganfainberg, alrighty | 18:46 |
stevemar | morganfainberg, i'm not hard to convince, just like consistency :) | 18:46 |
ayoung | stevemar, also, the indentation is necessary for the rst transform to HTML. | 18:47 |
ayoung | stevemar, if there is a value in the param list, it is optional by definition | 18:47 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Regions Management https://review.openstack.org/79096 | 18:48 |
morganfainberg | ayoung, yeah that looks better. | 18:49 |
morganfainberg | bknudson, https://review.openstack.org/#/c/80398/ +2 on that. looks good. | 18:51 |
morganfainberg | bknudson, thanks for eliminating the re-calculation of the hash | 18:51 |
bknudson | morganfainberg: no problem | 18:52 |
bknudson | ayoung: do we need to sign the revocation list? would it be unsecure to send it without encryption? | 18:53 |
ayoung | bknudson, it's coming from a trusted source. We would only need to sign if we wanted offline verification | 18:53 |
*** dstanek is now known as dstanek_zzz | 18:54 | |
bknudson | ayoung: so for example I changed auth_token recently to optionally check the revocation list | 18:54 |
ayoung | bknudson, so, we can add it in the future, but it does not need to be there out the door. Ideally, any one of our APIs should be deliverable in the same format as the tokens: Signed, and compressed | 18:54 |
bknudson | because we can't get the revocation list without pki_setup | 18:54 |
bknudson | but would it be ok to change the revocation list to not be signed instead? | 18:55 |
*** BAKfr has joined #openstack-keystone | 19:03 | |
morganfainberg | dolphm, do i need my real name in the .mailmap file? | 19:05 |
morganfainberg | dolphm, or is email sufficient if name is correct? | 19:05 |
dolphm | morganfainberg: i think all the name is used for there is to map multiple email addresses together (you could use a uuid) | 19:06 |
morganfainberg | dolphm, hm. | 19:07 |
dolphm | morganfainberg: err, maybe i'm thinking of something else | 19:07 |
dolphm | morganfainberg: are you talking about this? https://github.com/openstack/keystone/blob/master/.mailmap | 19:07 |
morganfainberg | dolphm, yes | 19:07 |
dolphm | morganfainberg: looks like not everyone has a name anyway | 19:08 |
morganfainberg | hehe | 19:08 |
morganfainberg | dolphm, i'll just use email address, looks like the name is only needed for typo/name correction itself | 19:09 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Add mailmap entry https://review.openstack.org/92665 | 19:10 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/python-keystoneclient: Add mailmap entry https://review.openstack.org/92669 | 19:12 |
*** henrynash has quit IRC | 19:14 | |
ayoung | stevemar, WTF is /opt/stack/python-keystoneclient/keystoneclient/openstack/common/apiclient/client.py:docstring of keystoneclient.openstack.common.apiclient.client.HTTPClient.client_request:11: WARNING: Block quote ends without a blank line; unexpected unindent. | 19:18 |
ayoung | bknudson, it would be OK to make the revocation list not be signed. | 19:19 |
bknudson | ayoung: https://review.openstack.org/#/c/73879/ | 19:20 |
*** diegows_ has joined #openstack-keystone | 19:21 | |
ayoung | bknudson, which change? | 19:21 |
stevemar | ayoung thats already there from before, https://bugs.launchpad.net/python-keystoneclient/+bug/1315523 | 19:21 |
uvirtbot | Launchpad bug 1315523 in python-keystoneclient "Building keystoneclient docs generates several warnings" [Low,In progress] | 19:21 |
mfisch | What time is the informal Sunday meetup? | 19:21 |
ayoung | stevemar, I know, I am trying to fix those | 19:21 |
ayoung | mfisch, when ever I get there. Aint a party without me | 19:22 |
stevemar | ayoung, they are in oslo, and bknudson has a fix for them already in place | 19:22 |
ayoung | stevemar, nah, fixing things in KClient | 19:22 |
* mfisch calls his Redhat sales rep to get GPS tracking on ayoung | 19:22 | |
ayoung | stevemar, ahhhh | 19:22 |
* ayoung bangs head | 19:22 | |
stevemar | ayoung, ahhhh ;) | 19:22 |
*** leseb_ has quit IRC | 19:22 | |
stevemar | love facepalm moments | 19:23 |
ayoung | git branch -D docs-cleanup | 19:23 |
ayoung | stevemar, I need to do something to keep busy while waiting for jenkins | 19:23 |
ayoung | stevemar, and reviews on https://review.openstack.org/#/c/71181/ and https://review.openstack.org/#/c/81166/ | 19:24 |
stevemar | ayoung, likewise https://review.openstack.org/#/c/81980/ | 19:25 |
*** henrynash has joined #openstack-keystone | 19:25 | |
ayoung | stevemar, getting out my red pen.... | 19:25 |
stevemar | by all means! | 19:25 |
ayoung | ah, yeah, I've looked at that a few times, but always when it was in transition... | 19:25 |
ayoung | stevemar, so...how do you see that working? You had a script for it, right? | 19:26 |
stevemar | yeah, or through openstackclient | 19:27 |
ayoung | stevemar, care to post? fpaste would be fine | 19:28 |
stevemar | ayoung, marked as abandoned for now: https://review.openstack.org/#/c/80193/ | 19:29 |
ayoung | stevemar, BRING IT BACK! | 19:29 |
ayoung | I'll rebase it ontop of my setup/teardown, if you don't ming | 19:29 |
ayoung | mind | 19:30 |
stevemar | where is the defibrillator | 19:30 |
stevemar | sure | 19:30 |
stevemar | it depends on the auth patch too (which needs a rebase as well) | 19:30 |
ayoung | right....sequencing here is awkward | 19:31 |
ayoung | stevemar, so...I need a token already in order to do oauth, or is that an artifact of the client? | 19:32 |
ayoung | oh, wait | 19:32 |
ayoung | line 93 ist | 19:32 |
ayoung | ish | 19:32 |
*** amcrn has joined #openstack-keystone | 19:33 | |
*** andreaf has quit IRC | 19:34 | |
ayoung | stevemar, what does verifier = client.oauth1.request_tokens.authorize(request_key, roles) actually verify? I create a verifier, and the role assignment goes away does the verifier go away, too? | 19:34 |
stevemar | ayoung, the authorize action associated roles with the request token, and returns a verifier (pin). the request token and verifier are exchanged for an access token (long lived) | 19:38 |
ayoung | stevemar, I remember discussing this back when oauth went in, but...for trusts the rule was that we verified role assignments when the user tried to get a token. In Oauth, when are the role assignments verified for the original user? | 19:39 |
ayoung | is it just when I request an access token, or is it when the verifier and request token are generated? Both? | 19:40 |
stevemar | ayoung, it's been a while, it might be both, | 19:41 |
ayoung | stevemar, OK...just wondering | 19:41 |
stevemar | definitely in the authorize stage for sure | 19:41 |
stevemar | because in that function, there is code to lookup the user's roles to see if he even has the roles to authorize | 19:42 |
openstackgerrit | Florent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API https://review.openstack.org/88620 | 19:42 |
ayoung | stevemar, it needs to be when the user would actually get a Keystone token. Anything earlier is nice-to-have but not necessary. | 19:42 |
openstackgerrit | Andreas Jaeger proposed a change to openstack/keystone: Fix version links to docs.openstack.org https://review.openstack.org/92653 | 19:45 |
*** dims has joined #openstack-keystone | 19:47 | |
ayoung | stevemar, any reason the short commit message should not read "oauth client API?" | 19:49 |
stevemar | ayoung, i have no reason for that | 19:51 |
*** jaosorior has quit IRC | 19:51 | |
stevemar | s/keystoneclient/oauth client API ? | 19:52 |
ayoung | stevemar, I mean, this is it, right? There might be fixes, but this really is the client support, no? | 19:52 |
stevemar | ayoung, this, and the auth function (different patch - https://review.openstack.org/#/c/81981/5) need to go in, but thats it | 19:54 |
ayoung | stevemar, Ah, OK...I can see the reason for splitting. It looks good so far, but if there is another iteration, add oauth to the oneliner, ok? | 19:55 |
stevemar | to the commit title? | 19:55 |
stevemar | ayoung, anyone can edit the commit message from gerrit now, just click the little notepad/pencil/edit button, | 19:57 |
ayoung | true | 19:57 |
ayoung | but its your patch. I'll let you craft it | 19:57 |
ayoung | stevemar, what happened before 0.6? oauthlib>=0.6 | 19:57 |
stevemar | ayoung, no oauth1.0b server support | 19:58 |
ayoung | ++ | 19:58 |
stevemar | ayoung, it's a big chunk of stuff, so feel free to hold off on +A'ing it if you want | 19:59 |
ayoung | stevemar, it looks pretty clean and straight forward. I'm not really worried about security violations coming from the client | 19:59 |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for oauth client API https://review.openstack.org/81980 | 19:59 |
* stevemar agrees | 19:59 | |
ayoung | doesn't write anything to disc... | 20:00 |
stevemar | ayoung, this was already approved at one point before, too, btw. we had to take it out because it broke stable/havana builds | 20:00 |
ayoung | stevemar, make it "Oauth request/access token and consumer support" | 20:01 |
ayoung | Drop "add" and "for keystoneclient" for obvious reasons. I can't seem to edit the commit message | 20:01 |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: OAuth request/access token and consumer support for oauth client API https://review.openstack.org/81980 | 20:02 |
*** joesavak has joined #openstack-keystone | 20:05 | |
lbragstad | gyee: I can address my comments here if you want, since they are minor nits. | 20:06 |
lbragstad | https://review.openstack.org/#/c/84945/9 | 20:06 |
ayoung | Um...I just went to review, and it jumped to workflow +1 | 20:09 |
dolphm | mirantis party on wed just took the cake for me | 20:10 |
*** browne has joined #openstack-keystone | 20:10 | |
dolphm | Andretti Indoor Karting & Games | 20:10 |
dolphm | w00t | 20:10 |
ayoung | I'm guessing that means approved, since it looks like it is scheduled. | 20:10 |
ayoung | stevemar, I +2 +A ed it. It looks really good. | 20:11 |
stevemar | ayoung, woo hoo | 20:13 |
stevemar | dolphm, looks like we found a replacement for the mario kart tourney | 20:13 |
*** topol has quit IRC | 20:16 | |
gyee | lbragstad, thanks, I'll push a patch shortly | 20:17 |
*** raildo has joined #openstack-keystone | 20:26 | |
*** bach has quit IRC | 20:26 | |
*** shakamunyi has quit IRC | 20:27 | |
*** browne has quit IRC | 20:27 | |
ayoung | bknudson, what triggers WARNING: Block quote ends without a blank line; unexpected unindent. | 20:28 |
bknudson | ayoung: the doc format says that things need to be indented and there needs to be a blank line after the end of the indented part | 20:28 |
bknudson | ayoung: so there's a line that's indented 4 chars and the next line is indented 0 chars | 20:29 |
bknudson | ayoung: so this would be for a preformatted section or list | 20:29 |
ayoung | OK...I think I figured which it was complaining about. | 20:30 |
bknudson | ayoung: the line number is the line in the docstring | 20:32 |
ayoung | bknudson, yeah, but it was the block before it that was wrong. Adding a space above it made it go away | 20:32 |
*** amcrn has quit IRC | 20:39 | |
*** jamielennox|away is now known as jamielennox | 20:39 | |
*** bach has joined #openstack-keystone | 20:43 | |
gyee | jamielennox, ping | 20:55 |
*** bach has quit IRC | 20:55 | |
jamielennox | dolphm: can you look at your comment on https://review.openstack.org/#/c/91216/ i think that should be an easy one to get through | 20:55 |
ayoung | gyee, too early | 20:55 |
jamielennox | gyee: for like 2 minutes | 20:55 |
ayoung | Heh, guess I was wrong | 20:55 |
gyee | heh | 20:55 |
gyee | jamielennox, am looking at https://review.openstack.org/#/c/85920 | 20:55 |
gyee | mostly good | 20:55 |
gyee | just a few more questions | 20:55 |
*** shakamunyi has joined #openstack-keystone | 20:56 | |
jamielennox | sure | 20:56 |
gyee | jamielennox, I see proxy_token, proxy_tenant_id, etc in here https://review.openstack.org/#/c/85920/2/novaclient/v3/client.py | 20:56 |
gyee | Session don't care about these? | 20:56 |
gyee | timings, bypass_url, os_cache | 20:57 |
jamielennox | gyee: i really couldn't find them used | 20:57 |
jamielennox | no i don't have timings | 20:57 |
jamielennox | i expected at some point we'd need that in session | 20:57 |
jamielennox | i *think* i can actually pull that info out of the requests.Response | 20:58 |
*** bach has joined #openstack-keystone | 20:58 | |
jamielennox | gyee: anyway the sort of overall point is that all of those things are CLI constructs | 20:58 |
gyee | jamielennox, that's fine, you may want to drop a note in there indicating that you are aware of these args and they may not be needed in Session | 20:58 |
jamielennox | and i get that the way some things are defined i'll need to add them, but i was going for minimal to start with | 20:59 |
gyee | jamielennox, also for CLI, what's our direction moving forward? | 20:59 |
gyee | are we expect to integrate with OSC | 20:59 |
jamielennox | OSC | 20:59 |
jamielennox | i don't know what nova's stance is exactly | 20:59 |
jamielennox | but IMO it should always be OSC | 21:00 |
gyee | seem like quite a bit of refactoring work | 21:00 |
jamielennox | the tests you mean? | 21:00 |
gyee | yeah, that too | 21:00 |
jamielennox | gyee: sure, but it's the best way i could see of testing both clients | 21:01 |
gyee | jamielennox, beside nova, are you plan on do the same for the other clients? I am in the process of doing the same thing, just want to make sure we don't double the work | 21:01 |
jamielennox | gyee: i had a go at cinder in the past, but i did it in such a way that i tried to integrate the old methods with the new | 21:02 |
jamielennox | gyee: the nova way is better, just chop off the old and run the new stuff side-by-side | 21:02 |
openstackgerrit | guang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes. https://review.openstack.org/84945 | 21:02 |
jamielennox | gyee: i think i have a glance patch somewhere | 21:03 |
jamielennox | gyee: actually no, i don't have glance because glance uses httplib | 21:03 |
jamielennox | gyee: i gotta run, i'll be back in about 2 hrs, we can make up a list if you like - i'm hoping the summit will help me push these | 21:04 |
gyee | jamielennox, there's a glance one but needs to be amended https://review.openstack.org/#/c/82126/ | 21:04 |
jamielennox | hmm that's in shell | 21:05 |
gyee | jamielennox, sounds good, lets hookup in the summit to see if we can divide up the work | 21:05 |
jamielennox | gyee: for that one, we need to pass my auth plugin from conf one, then we can look at an auth plugin from oslo.conf CLI | 21:05 |
gyee | yeah, lemme amend that one | 21:05 |
jamielennox | (actually that's not oslo.config) | 21:06 |
jamielennox | anyway, back later | 21:06 |
*** shakamunyi has quit IRC | 21:07 | |
*** bach has quit IRC | 21:10 | |
*** morganfainberg has quit IRC | 21:11 | |
*** morganfainberg has joined #openstack-keystone | 21:11 | |
*** gokrokve_ has joined #openstack-keystone | 21:11 | |
*** morganfainberg has quit IRC | 21:13 | |
*** morganfainberg has joined #openstack-keystone | 21:13 | |
*** bach has joined #openstack-keystone | 21:13 | |
*** morganfainberg has quit IRC | 21:14 | |
*** gokrokve has quit IRC | 21:15 | |
*** bach has quit IRC | 21:15 | |
*** morganfainberg has joined #openstack-keystone | 21:17 | |
*** joesavak has quit IRC | 21:20 | |
*** bach has joined #openstack-keystone | 21:22 | |
*** bach has quit IRC | 21:26 | |
*** bach has joined #openstack-keystone | 21:27 | |
*** chandan_kumar has quit IRC | 21:37 | |
*** thedodd has quit IRC | 21:39 | |
*** thedodd has joined #openstack-keystone | 21:40 | |
*** shakamunyi has joined #openstack-keystone | 21:41 | |
*** bach has quit IRC | 21:47 | |
*** bach has joined #openstack-keystone | 21:47 | |
*** gokrokve_ has quit IRC | 22:02 | |
*** gokrokve has joined #openstack-keystone | 22:03 | |
*** dims_ has joined #openstack-keystone | 22:05 | |
*** dims has quit IRC | 22:08 | |
*** thedodd has quit IRC | 22:10 | |
*** stevemar has quit IRC | 22:11 | |
*** bach has quit IRC | 22:12 | |
*** bach has joined #openstack-keystone | 22:24 | |
openstackgerrit | A change was merged to openstack/python-keystoneclient: OAuth request/access token and consumer support for oauth client API https://review.openstack.org/81980 | 22:33 |
morganfainberg | sooo.. this just merged: https://review.openstack.org/#/c/91797/ once the ACLs roll out, we can abandon/unabandon as cores for our project(s) | 22:37 |
*** bach has quit IRC | 22:38 | |
*** bach has joined #openstack-keystone | 22:40 | |
*** bach has quit IRC | 22:40 | |
*** bach has joined #openstack-keystone | 22:41 | |
*** rwsu has quit IRC | 22:42 | |
*** gokrokve has quit IRC | 22:45 | |
gyee | morganfainberg, nice, that means we can restore any patch? | 22:48 |
morganfainberg | gyee, it means we can restore any patch in keystone from abandoned state | 22:48 |
morganfainberg | or keystoneclient, or identity-api | 22:48 |
morganfainberg | not just the owner | 22:48 |
morganfainberg | gyee, :) | 22:49 |
gyee | nice! | 22:50 |
*** shakamunyi has quit IRC | 22:51 | |
*** dims_ has quit IRC | 22:53 | |
*** boris-42 has quit IRC | 22:57 | |
*** boris-42 has joined #openstack-keystone | 22:58 | |
*** david-lyle has quit IRC | 22:59 | |
*** bach has quit IRC | 22:59 | |
*** rodrigods_ has joined #openstack-keystone | 23:01 | |
*** david-ly_ has joined #openstack-keystone | 23:03 | |
*** bach has joined #openstack-keystone | 23:10 | |
*** gokrokve has joined #openstack-keystone | 23:10 | |
*** henrynash has quit IRC | 23:12 | |
*** bach has quit IRC | 23:15 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token accepts un-signed revocation list https://review.openstack.org/92726 | 23:20 |
morganfainberg | bknudson, is that for a usecase where you are sure no MITM attack(s) could occur? | 23:21 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Allow configuring for un-signed revocation list https://review.openstack.org/92727 | 23:22 |
bknudson | morganfainberg: isn't that every use case? | 23:22 |
bknudson | morganfainberg: if you've got MITM attacks going on you're going to have some pretty major problems already? | 23:22 |
morganfainberg | bknudson, well i mean, if we're signing data from keystone isn't that the point? eliminate MITM attacks (not tokens, different case there) | 23:23 |
bknudson | morganfainberg: that's a good question... why was it signed to begin with? | 23:23 |
bknudson | was it unprotected? | 23:23 |
morganfainberg | bknudson, no TRL had to be protected | 23:24 |
morganfainberg | bknudson, the revocation events should be unprotected | 23:24 |
bknudson | are revocation events signed? | 23:24 |
morganfainberg | bknudson, good question *looks* | 23:24 |
bknudson | morganfainberg: I don't see the revocation events response being signed. | 23:26 |
morganfainberg | bknudson, neither do i | 23:26 |
bknudson | morganfainberg: maybe because it doesn't contain token IDs? | 23:26 |
*** dims_ has joined #openstack-keystone | 23:27 | |
bknudson | but our token IDs aren't protected if you're not using https anyways | 23:27 |
morganfainberg | bknudson, hm. i think we might need to ask ayoung about this one | 23:27 |
morganfainberg | bknudson, maybe the assumption is running https is the right answer. | 23:28 |
morganfainberg | bknudson, which case, sure signing might be overkill (if you could validate the cert) | 23:28 |
*** dims_ has quit IRC | 23:30 | |
*** dims has joined #openstack-keystone | 23:30 | |
*** dims has quit IRC | 23:31 | |
*** dims has joined #openstack-keystone | 23:34 | |
gyee | morganfainberg, more scary than that, https cert is different from signing cert | 23:38 |
gyee | jamielennox, you back? | 23:39 |
morganfainberg | gyee, i don't see that as being horrific, as long as it's planned to be that way | 23:39 |
gyee | morganfainberg, I am not saying is required, but we should offer the capability as each deployment is different | 23:40 |
*** dims has quit IRC | 23:40 | |
morganfainberg | gyee, we should provide a mechanism to deploy explicit verification certs to any auth_token_middleware instead of needing to ask keystone for the cert | 23:41 |
*** dims has joined #openstack-keystone | 23:41 | |
morganfainberg | gyee, as it stands, i think you could use the same SSL cert for https and signing tokens/trl/etc | 23:41 |
ayoung | morganfainberg, you can. | 23:41 |
morganfainberg | ayoung, we can? | 23:41 |
ayoung | but you should not | 23:41 |
morganfainberg | ayoung, didn't think that was an option in auth_token | 23:41 |
gyee | morganfainberg, oh absolutely! | 23:41 |
ayoung | why not? So long as you put the certs in the signing_dir, it will never fetch them from Keystone | 23:41 |
gyee | fingerprint validation at the very least | 23:41 |
morganfainberg | ayoung, i thought the signing dir was tmpdir managed | 23:42 |
morganfainberg | ayoung, i might be mis-remembering | 23:42 |
ayoung | morganfainberg, only by default. But it is a config option | 23:42 |
morganfainberg | ayoung, ah. ok then. | 23:42 |
ayoung | the thing is, its the CA cert that is suspect | 23:42 |
ayoung | but getting the other certs from Keystone makes sense, and in fact we are going to want to be able to do that for more than just one signing cert | 23:43 |
ayoung | but...I need to step away for a moment | 23:43 |
morganfainberg | ayoung, some environments will want strict controls over the certs deployed both for auth_token and for the signing. but that would likely be the exception | 23:43 |
morganfainberg | ayoung, ++ don't disagree. but some environments are oddly strict about things. | 23:43 |
*** dims has quit IRC | 23:45 | |
ayoung | morganfainberg, it's trickier than that. we want to be able to map a certificate to an entity in OpenStack. It can't just "oh, yeah, this cert validates the document" | 23:45 |
*** bach has joined #openstack-keystone | 23:45 | |
*** dims has joined #openstack-keystone | 23:46 | |
*** dims has quit IRC | 23:48 | |
*** dims has joined #openstack-keystone | 23:48 | |
*** dims has quit IRC | 23:49 | |
*** dims has joined #openstack-keystone | 23:50 | |
jamielennox | gyee: yea, | 23:51 |
gyee | jamielennox, I am still skeptical about session | 23:52 |
jamielennox | gyee: oh? | 23:52 |
jamielennox | in general? | 23:52 |
gyee | jamielennox, how do I know which auth plugin to use | 23:52 |
gyee | based on auth_version, auth_url? | 23:52 |
jamielennox | gyee: who is 'I' in that | 23:52 |
gyee | what if the auth_url is unversioned? | 23:52 |
jamielennox | the user, the client.. | 23:53 |
gyee | the client | 23:53 |
jamielennox | so the client - it doesn't | 23:53 |
gyee | right now, the way to integrate with keystoneclient is | 23:53 |
jamielennox | taking eg novaclient, it does not care what auth plugin you use | 23:53 |
gyee | 1) construct an auth plugin, 2) construct a session | 23:53 |
gyee | 3) pass both session and auth plugin | 23:53 |
jamielennox | all it knows is i send requests through this object and they are authenticated on the way | 23:53 |
gyee | how does the client know whether to construct a v3 auth plugin or v2 auth plugin? | 23:54 |
jamielennox | gyee: why does the client care? are you talking about the CLI here? | 23:54 |
*** david-ly_ has quit IRC | 23:55 | |
gyee | right | 23:55 |
gyee | how does CLI know which plugin to use? | 23:55 |
jamielennox | i'm thinking we specify it | 23:55 |
jamielennox | --os-auth-plugin XXXX | 23:55 |
gyee | oh | 23:55 |
gyee | how does the CLI get a list of supported plugins? | 23:56 |
jamielennox | probably and for compatibility if you pass --os-username and --os-password without --os-auth-plugin then it should know what to do | 23:56 |
gyee | more specifically, the correct name to use | 23:56 |
jamielennox | they are all stevedore plugins | 23:56 |
jamielennox | https://review.openstack.org/#/c/79542/6/setup.cfg | 23:57 |
gyee | jamielennox, I am trying to figure out how to make the client CLIs support v3 auth | 23:57 |
jamielennox | so i define 4 plugins there v2password, v3password, v2token, v3token | 23:57 |
jamielennox | and for situations where you don't care about v2 or v3 you use https://review.openstack.org/#/c/81147/ | 23:58 |
jamielennox | which will be just 'password' | 23:59 |
gyee | I think I like the last one | 23:59 |
gyee | as it automatically discovers the proper one to use | 23:59 |
jamielennox | gyee: right, but we need to have the first ones available and have the last one a wrapper around it | 23:59 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Allow configuring for un-signed revocation list https://review.openstack.org/92727 | 23:59 |