Wednesday, 2014-05-07

*** praneshp has quit IRC		00:28
*** bknudson has joined #openstack-keystone		00:28
*** richm has quit IRC		00:30
*** dstanek has joined #openstack-keystone		00:43
*** dstanek has quit IRC		00:47
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	00:55
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token hashes PKI token once https://review.openstack.org/92499	00:55
morganfainberg	bknudson, cool, those were the only two things i found in the code that looked suspect	00:56
morganfainberg	bknudson, otherwise it's def looking solid.	00:56
morganfainberg	bknudson, +2 once jenkins weighs in (not that I expect any issues)	00:58
bknudson	morganfainberg: I'm glad somebody complained about it.	00:58
bknudson	morganfainberg: and they complained about it after I'd looked at the test code enough that I have some idea what's going on.	00:58
morganfainberg	bknudson, took me a bit to get through it (not hard code). I wanted to make sure i gave it a serious once over.	00:59
morganfainberg	hehe	00:59
morganfainberg	it's def. a good change.	01:00
ayoung	bknudson, strange to pass in the token_id. Why?	01:02
morganfainberg	ayoung, which part?	01:02
bknudson	ayoung: because we'd already calculated it	01:02
ayoung	morganfainberg, the auth_token hashes PKI token once https://review.openstack.org/92499	01:02
bknudson	and it's somewhat expensive	01:03
*** dstanek has joined #openstack-keystone		01:03
morganfainberg	bknudson, ++	01:03
ayoung	verified = self.verify_signed_token(user_token, token_id)?	01:03
*** david-lyle has joined #openstack-keystone		01:03
bknudson	when we verify the token we check against the revocation list and cms decode	01:04
ayoung	OK...I get it	01:04
ayoung	caught me off guard. I wouldn't have written the verify_signed_token with the check inside it that way. I would have pulled it out.	01:04
ayoung	BUt not really anything wrong with it as is	01:04
bknudson	ayoung: it's a pile of spaghetti	01:04
morganfainberg	ayoung, ah i see why that would catch you off guard	01:05
ayoung	bknudson, yeah, it needs a good refactoring. Too miuch is done in middleware	01:05
ayoung	middleware really should be a binding to a well organized set of classes.	01:05
ayoung	and very little logic	01:05
morganfainberg	ayoung, ++	01:05
*** diegows has quit IRC		01:06
ayoung	I should have made all of those methods private. But part of me still thinks it stinks that Python's "private" methods are nothing be a naming convention	01:06
ayoung	hard to refactor public APIs	01:06
morganfainberg	ayoung, i think we decided auth_token_middleware was 100% private? or are you referencing something else?	01:07
ayoung	Nah, Its all naming conventions these days.	01:07
morganfainberg	ah right	01:07
morganfainberg	i wish there was something better than _ or __ (limited use)	01:08
*** amcrn has quit IRC		01:08
bknudson	we could go with _PRIVATE_HANDS_OFF_	01:11
*** marcoemorais has quit IRC		01:12
gyee	jamielennox, ping	01:13
jamielennox	gyee: hi	01:14
gyee	jamielenoox, I have a couple of questions for https://review.openstack.org/#/c/85920	01:14
jamielennox	gyee: yep	01:14
ayoung	bknudson, or we could code in a language that gave support for types and type checking and information hiding and all that. But then the world would end.	01:15
gyee	first of all, where are all the shell changes	01:15
gyee	jamielennox, I was hoping for an example of how to use OCS	01:15
jamielennox	gyee: there are none, if you don't use a session then the old behaviour is maintained	01:15
gyee	like how to add the common args	01:15
jamielennox	gyee: novaclient and OSC are imlemented completely seperately	01:16
*** gokrokve_ has quit IRC		01:21
*** xianghui has joined #openstack-keystone		01:24
morganfainberg	ayoung, we could do some shaaaaaaaaady things with metaclasses :P	01:24
ayoung	morganfainberg, We already do.	01:24
morganfainberg	ayoung, no i mean horribly shady vs "well thats just how we do it here"	01:25
gyee	jamielennox, so if keystoneclient session and auth is used, there will be lost functionality with _original_only?	01:25
jamielennox	right _original_only will bar it from use	01:25
ayoung	morganfainberg, Python is better than bash. It is better than Perl. As far as scripting, type free, dynamic, interpreted languages go, it is about as good as we are going to get.	01:26
morganfainberg	ayoung, true	01:26
ayoung	And I've almost come to accept that.	01:26
*** rodrigods_ has quit IRC		01:26
morganfainberg	ayoung, if this project was written in perl, i don't think i'd have any sanity left	01:26
ayoung	But I can't help feel I'm being asked to cut down the tallest tree in the forest. With a herring.	01:26
morganfainberg	ayoung, need a shrubbery as well	01:26
ayoung	morganfainberg, sooo.....if I leave in this line events = self.list(since=self._last_fetch) in the revoke code, my scripts fail to show the token revoked. If I take out the last_fetch part, they pass.	01:27
ayoung	I put in a delay in the script between when I trigger the event and when I test for revocation. I needed a 1 second delay to even get it to wrok ar all, which kindof makes sense	01:28
ayoung	but with the last_fetch in there, even a 5 second delay made no difference.	01:28
ayoung	I think there is a bug in the last_fetch logic	01:28
morganfainberg	ayoung, overwriting the current set with the last_fetch set (now omitting the event since it's old)?	01:29
ayoung	So...I'm going to resubmit the client, to include the brokenness. And I'll resubmit the scripts. And File a bug. I am fairly certain the bug is in the server code, but, not sure	01:29
morganfainberg	ayoung, ah. i'll take a closer look at that specific code path	01:30
ayoung	let me resubmit the client code first. I need to untangle some things with the scripts before I resubmit that	01:31
morganfainberg	ayoung, ++	01:31
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166	01:33
ayoung	jamielennox, OS_SERVICE_ENDPOINT or OS_ENDPOINT?	01:39
jamielennox	SERVICE_ENDPOINT in ksclient i think	01:40
jamielennox	i can't remember though	01:40
*** rodrigods_ has joined #openstack-keystone		01:48
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects https://review.openstack.org/79542	01:49
*** gokrokve has joined #openstack-keystone		01:52
*** david-lyle has quit IRC		01:57
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins https://review.openstack.org/81985	01:57
*** sbfox has joined #openstack-keystone		01:58
*** morganfainberg is now known as morganfainberg_Z		02:04
*** mberlin1 has joined #openstack-keystone		02:13
*** mberlin has quit IRC		02:13
*** gokrokve_ has joined #openstack-keystone		02:41
*** gokrokve has quit IRC		02:44
*** topol has joined #openstack-keystone		02:47
*** harlowja is now known as harlowja_away		02:50
*** praneshp has joined #openstack-keystone		02:51
*** praneshp_ has joined #openstack-keystone		02:52
*** zhiyan_ is now known as zhiyan		02:53
*** praneshp has quit IRC		02:56
*** praneshp_ is now known as praneshp		02:56
*** harlowja_away has quit IRC		02:58
*** rodrigods_ has quit IRC		03:08
*** dstanek has quit IRC		03:11
*** dstanek has joined #openstack-keystone		03:14
*** dims has quit IRC		03:30
*** gyee has quit IRC		03:34
*** sbfox has quit IRC		03:42
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687	03:52
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: revocation_events script https://review.openstack.org/91895	03:52
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: regions sample script https://review.openstack.org/91894	03:52
*** ayoung has quit IRC		03:54
*** sbfox has joined #openstack-keystone		03:54
*** dstanek has quit IRC		04:14
*** dstanek has joined #openstack-keystone		04:31
*** stevemar has joined #openstack-keystone		04:47
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins https://review.openstack.org/81985	04:50
*** chandan_kumar has joined #openstack-keystone		04:50
*** dstanek has quit IRC		05:00
*** bach has joined #openstack-keystone		05:18
*** amerine has quit IRC		05:23
*** topol has quit IRC		05:26
*** amerine has joined #openstack-keystone		05:28
*** spligak has quit IRC		05:38
*** sudorandom has quit IRC		05:39
*** dstanek has joined #openstack-keystone		05:45
*** bach has quit IRC		05:48
*** dstanek has quit IRC		05:55
*** spligak has joined #openstack-keystone		05:55
*** tomoiaga has joined #openstack-keystone		05:56
*** bach has joined #openstack-keystone		05:57
*** nkinder has quit IRC		05:59
*** nkinder has joined #openstack-keystone		06:00
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:01
*** dstanek has joined #openstack-keystone		06:01
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method https://review.openstack.org/88517	06:05
*** ukalifon1 has joined #openstack-keystone		06:20
*** dstanek has quit IRC		06:20
*** jaosorior has joined #openstack-keystone		06:38
*** sbfox has quit IRC		06:45
*** stevemar has quit IRC		06:55
*** dstanek has joined #openstack-keystone		06:59
*** leseb has joined #openstack-keystone		07:04
*** dstanek has quit IRC		07:04
*** praneshp has quit IRC		07:04
*** leseb has quit IRC		07:19
*** leseb has joined #openstack-keystone		07:25
*** zhiyan is now known as zhiyan_		07:26
*** marekd\|away is now known as marekd		07:33
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes https://review.openstack.org/92535	08:18
*** bach has quit IRC		08:24
*** andreaf has joined #openstack-keystone		08:58
*** sudorandom has joined #openstack-keystone		09:12
*** chandan_kumar has quit IRC		09:17
*** chandan_kumar has joined #openstack-keystone		09:23
*** leseb has quit IRC		09:28
openstackgerrit	Olga Kopylova proposed a change to openstack/keystone: Pagination for api request to users list https://review.openstack.org/64159	09:28
*** leseb has joined #openstack-keystone		09:29
*** chandan_kumar has quit IRC		09:46
*** gokrokve_ has quit IRC		09:50
*** gokrokve has joined #openstack-keystone		09:50
*** gokrokve has quit IRC		09:50
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166	09:53
*** chandan_kumar has joined #openstack-keystone		10:00
*** dims has joined #openstack-keystone		10:10
*** dims has quit IRC		10:10
*** dims has joined #openstack-keystone		10:10
*** leseb has quit IRC		10:28
*** leseb has joined #openstack-keystone		10:29
*** leseb has quit IRC		10:33
*** gabriel-bezerraa is now known as gabriel-bezerra		10:34
*** gokrokve has joined #openstack-keystone		10:38
*** gokrokve has quit IRC		10:43
*** diegows has joined #openstack-keystone		10:59
*** dims has quit IRC		11:11
*** leseb has joined #openstack-keystone		11:29
*** leseb has quit IRC		11:34
*** gokrokve has joined #openstack-keystone		11:37
*** jamielennox is now known as jamielennox\|away		11:40
*** gokrokve has quit IRC		11:42
*** bach has joined #openstack-keystone		11:44
*** vhoward has joined #openstack-keystone		11:45
*** topol has joined #openstack-keystone		11:58
*** d0ugal_ has joined #openstack-keystone		12:06
*** d0ugal_ has quit IRC		12:09
*** xianghui has quit IRC		12:10
*** bach has quit IRC		12:11
*** bach has joined #openstack-keystone		12:11
*** leseb has joined #openstack-keystone		12:29
*** gokrokve has joined #openstack-keystone		12:38
*** gokrokve has quit IRC		12:42
*** dstanek has joined #openstack-keystone		12:46
*** dstanek has quit IRC		12:46
-openstackstatus- NOTICE: Zuul is stuck due to earlier networking issues with Gerrit server, work in progress.		13:02
*** ChanServ changes topic to "Zuul is stuck due to earlier networking issues with Gerrit server, work in progress."		13:02
*** florentflament has joined #openstack-keystone		13:07
*** dstanek has joined #openstack-keystone		13:08
*** ChanServ changes topic to "Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)"		13:11
-openstackstatus- NOTICE: Zuul is processing changes now; some results were lost. Use "recheck bug 1317089" if needed.		13:11
*** lbragstad has joined #openstack-keystone		13:11
*** leseb has quit IRC		13:18
*** leseb_ has joined #openstack-keystone		13:18
*** joesavak has joined #openstack-keystone		13:21
*** ayoung has joined #openstack-keystone		13:24
*** dstanek_zzz has joined #openstack-keystone		13:29
*** dstanek has quit IRC		13:29
*** dstanek_zzz is now known as dstanek		13:29
*** dstanek has quit IRC		13:29
*** dstanek has joined #openstack-keystone		13:29
*** gokrokve has joined #openstack-keystone		13:38
*** gokrokve has quit IRC		13:43
*** tellesnobrega has joined #openstack-keystone		13:44
*** jsavak has joined #openstack-keystone		13:57
*** joesavak has quit IRC		13:58
*** gokrokve has joined #openstack-keystone		14:04
*** topol has quit IRC		14:07
*** stevemar has joined #openstack-keystone		14:12
*** lbragstad has quit IRC		14:13
*** lbragstad has joined #openstack-keystone		14:15
*** shakamunyi has joined #openstack-keystone		14:16
*** thedodd has joined #openstack-keystone		14:17
*** daneyon has joined #openstack-keystone		14:23
*** dims has joined #openstack-keystone		14:25
*** d0ugal has quit IRC		14:34
*** bvandenh has joined #openstack-keystone		14:36
*** jsavak has quit IRC		14:36
*** mberlin1 has quit IRC		14:40
*** topol has joined #openstack-keystone		14:41
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes https://review.openstack.org/92535	14:42
*** daneyon has quit IRC		14:43
*** daneyon has joined #openstack-keystone		14:43
*** d0ugal has joined #openstack-keystone		14:47
*** d0ugal has quit IRC		14:47
*** d0ugal has joined #openstack-keystone		14:47
*** daneyon has quit IRC		14:49
*** daneyon has joined #openstack-keystone		14:50
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Regions Management https://review.openstack.org/79096	14:53
*** mberlin has joined #openstack-keystone		14:54
*** vhoward has left #openstack-keystone		14:55
*** joesavak has joined #openstack-keystone		15:00
*** david-lyle has joined #openstack-keystone		15:15
*** richm has joined #openstack-keystone		15:19
*** shakamunyi has quit IRC		15:20
*** jaosorior has quit IRC		15:21
*** shakamunyi has joined #openstack-keystone		15:23
*** bvandenh has quit IRC		15:29
*** jsavak has joined #openstack-keystone		15:37
*** joesavak has quit IRC		15:38
*** gyee has joined #openstack-keystone		15:40
dolphm	sergey nikitin pinged the list on april 17th about an LDAP gate job, with no response. was there a conversation here or anything? that'd be great to have	15:45
dolphm	thread: http://lists.openstack.org/pipermail/openstack-dev/2014-April/033027.html	15:46
*** tomoiaga has quit IRC		15:51
*** dolphm changes topic to "Sunday summit meetup @ http://www.parkbaratlanta.com/ (5 min walk from conference) \| Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)"		15:53
*** ukalifon1 has quit IRC		15:55
*** joesavak has joined #openstack-keystone		15:59
*** jsavak has quit IRC		16:01
*** chandan_kumar has quit IRC		16:03
gyee	dolphm, what's the time for the Sunday meetup?	16:03
*** dstanek is now known as dstanek_zzz		16:08
*** marcoemorais has joined #openstack-keystone		16:10
*** andreaf has quit IRC		16:11
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token hashes PKI token once https://review.openstack.org/92499	16:15
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	16:15
*** praneshp has joined #openstack-keystone		16:19
*** dstanek_zzz is now known as dstanek		16:30
*** gokrokve has quit IRC		16:40
*** leseb_ has quit IRC		16:42
*** leseb has joined #openstack-keystone		16:47
*** leseb has quit IRC		16:47
*** leseb_ has joined #openstack-keystone		16:47
*** jaosorior has joined #openstack-keystone		16:51
*** chandan_kumar has joined #openstack-keystone		16:54
*** gokrokve has joined #openstack-keystone		16:54
*** harlowja has joined #openstack-keystone		16:58
*** dstanek is now known as dstanek_zzz		17:04
*** jsavak has joined #openstack-keystone		17:05
*** florentflament has quit IRC		17:05
*** joesavak has quit IRC		17:07
*** bach_ has joined #openstack-keystone		17:13
*** bach has quit IRC		17:13
*** gokrokve has quit IRC		17:21
dolphm	gyee: i land at ~10a, and it sounds like people are trickling in all day, so i might go there when they open (noon)	17:22
gyee	dolphm, sounds good, I'll try to look for you guys there then	17:26
*** sbfox has joined #openstack-keystone		17:29
dolphm	gyee: what time do you land?	17:31
*** morganfainberg_Z is now known as morganfainberg		17:32
*** morganfainberg is now known as needscoffee		17:33
*** needscoffee is now known as morganfainberg		17:33
morganfainberg	dolphm, i haven't heard convo on LDAP gate job	17:34
morganfainberg	dolphm, there should be one	17:34
dolphm	morganfainberg: i know we talked about it once, but i don't recall a blocker...	17:34
morganfainberg	dolphm, gyee, i land ~5pm-ish on sunday	17:34
gyee	dolphm, 6pm, taking the redeye	17:34
dolphm	morganfainberg: http://www.parkbaratlanta.com/	17:34
dolphm	gyee: ack	17:34
morganfainberg	dolphm, sounds good to me	17:35
morganfainberg	dolphm, there is the qa matrix dev session at the summit	17:35
morganfainberg	dolphm, prob should attend that (I'm planning on it) if we're really interested in things like expanding testing (e.g. LDAP gate job)	17:36
dolphm	morganfainberg: ++	17:36
gyee	morganfainberg, OpenLDAP gate?	17:36
*** praneshp_ has joined #openstack-keystone		17:37
morganfainberg	gyee, probably. i mean, Active Directory gate might be hard to setup	17:37
morganfainberg	:P	17:37
*** praneshp has quit IRC		17:37
*** praneshp_ is now known as praneshp		17:37
gyee	morganfainberg, LDAP performance need some work	17:38
morganfainberg	gyee, ++	17:38
gyee	I have some POC code using ldappool	17:38
gyee	but ldappool needs some update too	17:38
gyee	morganfainberg, but if we cache user_id to user DN mapping, couple that with connection pooling, performance will be awesomer	17:39
*** gokrokve has joined #openstack-keystone		17:39
morganfainberg	gyee, i also approve of the word "Awesomer" in this context :)	17:40
ayoung	I land Sunday night 9 ish	17:40
gyee	ayoung, you bringing your running gear, we can jog around the olympic park	17:41
ayoung	FreeIPA Gate FTW. We can do Kerberos too	17:41
ayoung	gyee, ++	17:41
gyee	ayoung, FreeIPA as a cert provider to Barbican right?	17:42
ayoung	that too	17:42
morganfainberg	ayoung, ++ i like the idea of that, please show up to the test matrix sessions :)	17:42
gyee	or is it standalone	17:42
ayoung	morganfainberg, what slot?	17:42
morganfainberg	ayoung, sec.	17:42
morganfainberg	ayoung, http://junodesignsummit.sched.org/event/fd84ec7ddc3252270fb73e8e9e09cfba	17:43
ayoung	morganfainberg, will do	17:43
morganfainberg	oh look at that	17:44
*** bach_ has quit IRC		17:44
morganfainberg	there is a whole session on Kite!	17:45
morganfainberg	http://junodesignsummit.sched.org/event/f17f40205979d37158c12dacbc39e21d	17:45
*** bach has joined #openstack-keystone		17:45
morganfainberg	ayoung, ^ PKI messaging probably will be involved there somehow?	17:46
ayoung	morganfainberg, yep....gonna be spread thin	17:46
morganfainberg	ayoung, yeah. already trying to resolve which sessions are more important to get to	17:47
gyee	morganfainberg, I am having a hard time trying to figure out which party to attend :D	17:48
dolphm	i shuffled 4 of our sessions around last night to accommodate the federation overlap as best as possible	17:48
morganfainberg	gyee, yeah. there is also a Metacloud party i'm supposed to invite people to (not on the official schedule) ;)	17:49
dolphm	morganfainberg: what day?	17:50
gyee	morganfainberg, I presume there's a secret hand gesture to get into one of those?	17:50
morganfainberg	gyee, lol	17:50
morganfainberg	dolphm, same day as redhat party, let me get the details	17:51
ayoung	morganfainberg, Wednesday night I am disappearing an meeting up with College friends	17:52
morganfainberg	Wednesday, May 14, 2014 from 8:30 PM to 11:30 PM	17:52
dolphm	wed = core party?	17:52
morganfainberg	ayoung, better plan than conference-related party imo	17:53
dolphm	<i>sponsored by HP</i>	17:53
*** packet has joined #openstack-keystone		17:53
morganfainberg	dolphm, hah, given the choice i'd say i need to go to the core party	17:53
gyee	morganfainberg, its very easy to choose between frat party and core party :)	17:54
morganfainberg	huh wonder if I RSVPd for that...	17:54
morganfainberg	(core party)	17:54
dolphm	morganfainberg: going head to head with the red hat party... risky	17:54
dolphm	morganfainberg: i RSVP'd twice, you can have one of mine	17:55
morganfainberg	dolphm, haha i'm pretty sure I RSVPd but...	17:55
dolphm	eventbright.somethign	17:55
morganfainberg	eh worst case i can chase down Mark and bug him.	17:55
dolphm	eventbrite.com	17:55
morganfainberg	dolphm, i sent an email to mark, i'm sure i'll get it all sorted :)	17:59
*** packet has quit IRC		17:59
*** dims has quit IRC		18:01
ayoung	morganfainberg, looks like Tuesday is Loaded. I only have Keystone stuff on Wed and THurs, but Tues I am going from dawn til dusk, with double bookins on at least two sessions	18:01
ayoung	3	18:01
ayoung	I'll probably drop "Future of Python Support" cuz that resoves down to "Py33 when we can toss eventlet"	18:01
*** joesavak has joined #openstack-keystone		18:02
dolphm	sounds like py3 support in nova is hopeless	18:02
ayoung	We can drop 2.6, I think, for RH, too, as we have collections now, but I'm sure there will be many people from RH that can address that	18:02
*** marcoemorais has quit IRC		18:02
ayoung	dolphm, anything more than Eventlet?	18:03
morganfainberg	dolphm, wow, hopeless?	18:03
dolphm	ayoung: just an incredibly tight coupling with eventlet	18:03
morganfainberg	dolphm, yeah.	18:04
*** marcoemorais has joined #openstack-keystone		18:04
morganfainberg	dolphm, there have been some grumblings that other projects should support deployments in mod_wsgi and/or gunicorn type stuff	18:04
dolphm	:D	18:04
dolphm	they should! because, you know, that's what wsgi is for	18:04
*** jsavak has quit IRC		18:05
morganfainberg	dolphm, it would be really cool if you could run all of openstack under mod_wsgi (e.g. devstack: /identity /compute /storage ....)	18:06
morganfainberg	dolphm, i'd totally dig that deployment model.	18:06
dolphm	morganfainberg: ++	18:07
*** sbfox has quit IRC		18:07
*** joesavak has quit IRC		18:08
*** dstanek_zzz is now known as dstanek		18:13
ayoung	morganfainberg, what a great idea	18:15
ayoung	https://wiki.openstack.org/wiki/URLs	18:15
*** morganfainberg has quit IRC		18:15
*** andreaf_ has joined #openstack-keystone		18:15
*** andreaf_ has quit IRC		18:16
*** morganfainberg has joined #openstack-keystone		18:16
*** andreaf has joined #openstack-keystone		18:16
ayoung	morganfainberg, what a great idea	18:17
ayoung	https://wiki.openstack.org/wiki/URLs	18:17
* ayoung should update that		18:17
*** morganfainberg has quit IRC		18:18
*** morganfainberg_Z has joined #openstack-keystone		18:19
*** morganfainberg_Z is now known as morganfainberg		18:20
ericvw	It appears that on trusty, the python-ldap version has moved (or has been removed) the 'LDAP_CONTROL_PAGE_OID' variable, which is causing errors using keystone (icehouse) on trusty. A quick search on launchpad doesn't reveal anything, but I am happy to make some changes/fixes for this. It appears between precise and trusty the version of python-ldap has	18:22
ericvw	advanced, I am still tracking down what happened to this variable...	18:22
ayoung	morganfainberg, can I get a Hell Yeah (or a hell no) https://review.openstack.org/#/c/79096/ trying to clear out some ofthe client work, and jaypipes deserves his region support	18:23
morganfainberg	ayoung, sec trying to fix my login to gerrit, then yes you can	18:24
dolphm	ericvw: what version of python-ldap is installed?	18:24
ayoung	morganfainberg, thanks	18:24
ayoung	ericvw, we just saw a similar problem. Are you running out of pip for python-ldap or from packages? it might not be quite the same problem	18:25
ericvw	2.4.10-1build1	18:25
ericvw	according to `apt-cache show python-ldap`	18:25
morganfainberg	ayoung, i think your docstrings aren't valid RST.	18:25
ayoung	morganfainberg, passes tox -edocs?	18:25
morganfainberg	ayoung, checking the rendering now. but it looks off	18:26
ericvw	ayoung, trusty's packages	18:26
morganfainberg	ayoung, http://docs-draft.openstack.org/96/79096/11/check/gate-python-keystoneclient-docs/a91ff75/doc/build/html/api/keystoneclient.v3.html#module-keystoneclient.v3.regions	18:26
morganfainberg	ayoung, i think the param bits are off. in update	18:27
*** bvandenh has joined #openstack-keystone		18:27
morganfainberg	ayoung, it should end up looking like http://docs-draft.openstack.org/96/79096/11/check/gate-python-keystoneclient-docs/a91ff75/doc/build/html/api/keystoneclient.v3.html#keystoneclient.v3.client.Client	18:27
morganfainberg	ayoung, i don't think the -edocs will fail, it'll just make for bad rendering with the RST you have	18:28
morganfainberg	ayoung, if you want me to take a swing at the RST i'll do that really quickly instead of a -1.	18:29
morganfainberg	otherwise it looks good	18:29
openstackgerrit	Andreas Jaeger proposed a change to openstack/keystone: Fix version links to docs.openstack.org https://review.openstack.org/92653	18:31
ayoung	param :region:	18:31
ayoung	hmm	18:31
ayoung	looks it	18:31
ayoung	* id: good and param :id: bad ? morganfainberg ?	18:31
ayoung	morganfainberg, I just looked at projects.py	18:31
ayoung	http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/projects.py#n24	18:31
ayoung	But that is not a param list...	18:32
morganfainberg	ayoung, i think you need :param id:	18:32
morganfainberg	let me load it up and check	18:32
morganfainberg	ayoung, (also getting lag on IRC atm)	18:32
stevemar	morganfainberg, ahhh, i should have caught that!	18:34
ayoung	stevemar, morganfainberg how do I run that in my own tree? tox -edocs does not seem to be producing html	18:34
ayoung	python setup.py build_sphinx	18:35
ayoung	would it be something there ? Some param that says :gen html?	18:35
stevemar	ayoung it should be in keystone_dir/doc/build/html/index.html	18:35
ayoung	stevemar, client	18:35
ayoung	stevemar, so I can build it using the makefile, but not by tox?	18:35
stevemar	ayoung, tox should produce it too	18:35
*** bvandenh has quit IRC		18:36
morganfainberg	ayoung, http://paste.openstack.org/show/79448/ that looks like the diff needed to fix the RST	18:36
ayoung	morganfainberg, how did you test that?	18:37
morganfainberg	ayoung, at least that looks better (haven't run the doc build locally)	18:37
morganfainberg	ayoung, advantage to this IDE it does some of the work for me.	18:37
stevemar	ayoung, firefox doc/build/html/api/modules.html -> click on your new guy	18:37
morganfainberg	ayoung, but i need to do the build here first	18:37
ayoung	morganfainberg, I'm running PyCharm	18:38
morganfainberg	ayoung, if you click on the function dev, and hover there is a lightbulb icon that pops up and if you click on that it allows you to inject the docstring	18:38
morganfainberg	ayoung, the params into the docstring	18:38
morganfainberg	ayoung, http://imgur.com/7C6wRS9	18:40
morganfainberg	the diff i posted only covered create not update oops	18:41
morganfainberg	ayoung, and i confirmed the diff looks like it renders more correctly	18:42
morganfainberg	ayoung, want me to post that fix and +1 for the code?	18:42
ayoung	stevemar, BTW, dolphm recommended I remove Optional for all those where the defaults are specified in the param list. He's right	18:43
morganfainberg	ah.	18:44
stevemar	ayoung, so if description defaults to None, then it's not optional?	18:44
morganfainberg	stevemar, or it's implied to be optional because there is a default	18:45
morganfainberg	stevemar, no need to specifically call it out	18:45
stevemar	morganfainberg, alrighty	18:46
stevemar	morganfainberg, i'm not hard to convince, just like consistency :)	18:46
ayoung	stevemar, also, thje indentation is necessary for the rst transform to HTML.	18:47
ayoung	stevemar, it there is a value in the param list, it is optional by definition	18:47
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Regions Management https://review.openstack.org/79096	18:48
morganfainberg	ayoung, yeah that looks better.	18:49
morganfainberg	bknudson, https://review.openstack.org/#/c/80398/ +2 on that. looks good.	18:51
morganfainberg	bknudson, thanks for eliminating the re-calculation of the hash	18:51
bknudson	morganfainberg: no problem	18:52
bknudson	ayoung: do we need to sign the revocation list? would it be unsecure to send it without encryption?	18:53
ayoung	bknudson, its coming from a trusted source. We would only need to sign if we wanted offline verification	18:53
*** dstanek is now known as dstanek_zzz		18:54
bknudson	ayoung: so for example I changed auth_token recently to optionally check the revocation list	18:54
ayoung	bknudson, so, we can add it in the future, but it does not need to be there out the door. Ideally, any one of our APIs should be deliverable in the same format as the tokens: Signed, and compressed	18:54
bknudson	because we can't get the revocation list without pki_setup	18:54
bknudson	but would it be ok to change the revocation list to not be signed instead?	18:55
*** BAKfr has joined #openstack-keystone		19:03
morganfainberg	dolphm, do i need my real name in the .mailmap file?	19:05
morganfainberg	dolphm, or is email sufficient if name is correct?	19:05
dolphm	morganfainberg: i think all the name is used for there is to map multiple email addresses together (you could use a uuid)	19:06
morganfainberg	dolphm, hm.	19:07
dolphm	morganfainberg: err, maybe i'm thinking of something else	19:07
dolphm	morganfainberg: are you talking about this? https://github.com/openstack/keystone/blob/master/.mailmap	19:07
morganfainberg	dolphm, yes	19:07
dolphm	morganfainberg: looks like not everyone has a name anyway	19:08
morganfainberg	hehe	19:08
morganfainberg	dolphm, i'll just use email address, looks like the name is only needed for typo/name correction itself	19:09
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add mailmap entry https://review.openstack.org/92665	19:10
openstackgerrit	Morgan Fainberg proposed a change to openstack/python-keystoneclient: Add mailmap entry https://review.openstack.org/92669	19:12
*** henrynash has quit IRC		19:14
ayoung	stevemar, WTF is /opt/stack/python-keystoneclient/keystoneclient/openstack/common/apiclient/client.py:docstring of keystoneclient.openstack.common.apiclient.client.HTTPClient.client_request:11: WARNING: Block quote ends without a blank line; unexpected unindent.	19:18
ayoung	bknudson, it would be OK to make the revocation list not be signed.	19:19
bknudson	ayoung: https://review.openstack.org/#/c/73879/	19:20
*** diegows_ has joined #openstack-keystone		19:21
ayoung	bknudson, which change?	19:21
stevemar	ayoung thats already there from before, https://bugs.launchpad.net/python-keystoneclient/+bug/1315523	19:21
uvirtbot	Launchpad bug 1315523 in python-keystoneclient "Building keystoneclient docs generates several warnings" [Low,In progress]	19:21
mfisch	What time is the informal Sunday meetup?	19:21
ayoung	stevemar, I know, I am trying to fix those	19:21
ayoung	mfisch, when ever I get there. Aint a party without me	19:22
stevemar	ayoung, they are in oslo, and bknudson has a fix for them already in place	19:22
ayoung	stevemar, nah, fixing things in KClient	19:22
* mfisch calls his Redhat sales rep to get GPS tracking on ayoung		19:22
ayoung	stevemar, ahhhh	19:22
* ayoung bangs head		19:22
stevemar	ayoung, ahhhh ;)	19:22
*** leseb_ has quit IRC		19:22
stevemar	love facepalm moments	19:23
ayoung	git branch -D docs-cleanup	19:23
ayoung	stevemar, I need to do something to keep busy while waiting for jenkins	19:23
ayoung	stevemar, and reviews on https://review.openstack.org/#/c/71181/ and https://review.openstack.org/#/c/81166/	19:24
stevemar	ayoung, likewise https://review.openstack.org/#/c/81980/	19:25
*** henrynash has joined #openstack-keystone		19:25
ayoung	stevemar, getting out my red pen....	19:25
stevemar	by all means!	19:25
ayoung	ah, yeah, I've looked at that a few times, but always when it iwas in transition...	19:25
ayoung	stevemar, so...how do you see that working? You had a script for it, right?	19:26
stevemar	yeah, or through openstackclient	19:27
ayoung	stevemar, care to post? fpaste would be fine	19:28
stevemar	ayoung, marked as abandoned for now: https://review.openstack.org/#/c/80193/	19:29
ayoung	stevemar, BRING IT BACK!	19:29
ayoung	I'll rebase it ontop of my setup/teardown, if you don't ming	19:29
ayoung	mind	19:30
stevemar	where is the defibrillator	19:30
stevemar	sure	19:30
stevemar	it depends on the auth patch too (which needs a rebase as well)	19:30
ayoung	right....sequencing here is awkward	19:31
ayoung	stevemar, so...I need a token already in order to do oauth, or is that an artifact of the client?	19:32
ayoung	oh, wait	19:32
ayoung	line 93 ist	19:32
ayoung	ish	19:32
*** amcrn has joined #openstack-keystone		19:33
*** andreaf has quit IRC		19:34
ayoung	stevemar, what does verifier = client.oauth1.request_tokens.authorize(request_key, roles) actually verify? I create a verifier, and the role assingment goes away does the verifier go away, too?	19:34
stevemar	ayoung, the authorize action associated roles with the request token, and returns a verifier (pin). the request token and verifier are exchanged for an access token (long lived)	19:38
ayoung	stevemar, I remember discussing this back when oauth went in, but...for trusts the rule was that we verified role assignments when the user tried to get a token. In Oauth, when are the role assignments verified for the origianl user?	19:39
ayoung	is it just when I request an access token, or is it when the verifiedr and request token are generated? Both?	19:40
stevemar	ayoung, it's been a while, it might be both,	19:41
ayoung	stevemar, OK...just wondering	19:41
stevemar	definitely in the authroize stage for sure	19:41
stevemar	because in that function, there is code to lookup the user's roles to see if he even has the roles to authorize	19:42
openstackgerrit	Florent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API https://review.openstack.org/88620	19:42
ayoung	stevemar, it needs to be when the user would actually get a Keystone token. Anything earlier is nice-to-have but not necessary.	19:42
openstackgerrit	Andreas Jaeger proposed a change to openstack/keystone: Fix version links to docs.openstack.org https://review.openstack.org/92653	19:45
*** dims has joined #openstack-keystone		19:47
ayoung	stevemar, any reason the short commit message should not read "oauth client API?"	19:49
stevemar	ayoung, i have no reason for that	19:51
*** jaosorior has quit IRC		19:51
stevemar	s/keystoneclient/oauth client API ?	19:52
ayoung	stevemar, I mean, this is it, right? Ther might be fixes, but this really is the client support, no?	19:52
stevemar	ayoung, this, and the auth function (different patch - https://review.openstack.org/#/c/81981/5) need to go in, but thats it	19:54
ayoung	stevemar, Ah, OK...I can see the reason for splitting. It looks good so far, but if there is another iteration, add oauth to the oneliner, ok?	19:55
stevemar	to the commit title?	19:55
stevemar	ayoung, anyone can edit the commit message from gerrit now, just click the little notepad/pencil/edit button,	19:57
ayoung	true	19:57
ayoung	but its your patch. I'll let you craft it	19:57
ayoung	stevemar, what happend before 0.6? oauthlib>=0.6	19:57
stevemar	ayoung, no oauth1.0b server support	19:58
ayoung	++	19:58
stevemar	ayoung, it's a big chunk of stuff, so feel free to hold off on +A'ing it if you want	19:59
ayoung	stevemar, it looks pretty clean and straight forward. I'm not really worried about security violations coming from the client	19:59
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for oauth client API https://review.openstack.org/81980	19:59
* stevemar agrees		19:59
ayoung	does't write anything to disc...	20:00
stevemar	ayoung, this was already approved at one point before, too, btw. we had to take it out because it broke stable/havana builds	20:00
ayoung	stevemar, make it "Oauth request/access token and consumer support"	20:01
ayoung	Drop "add" and "for keystoneclient" for obvious reasons. Ican't seem to edit the commit message	20:01
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: OAuth request/access token and consumer support for oauth client API https://review.openstack.org/81980	20:02
*** joesavak has joined #openstack-keystone		20:05
lbragstad	gyee: I can address my comments here if you want, since they are minor nits.	20:06
lbragstad	https://review.openstack.org/#/c/84945/9	20:06
ayoung	Um...I just went to review, and it jumped to workflow +1	20:09
dolphm	mirantis party on wed just took the cake for me	20:10
*** browne has joined #openstack-keystone		20:10
dolphm	Andretti Indoor Karting & Games	20:10
dolphm	w00t	20:10
ayoung	I'm guessing that means approved, since it looks like it is scheduled.	20:10
ayoung	stevemar, I +2 +A ed it. It looks really good.	20:11
stevemar	ayoung, woo hoo	20:13
stevemar	dolphm, looks like we found a replacement for the mario kart tourney	20:13
*** topol has quit IRC		20:16
gyee	lbragstad, thanks, I'll push a patch shortly	20:17
*** raildo has joined #openstack-keystone		20:26
*** bach has quit IRC		20:26
*** shakamunyi has quit IRC		20:27
*** browne has quit IRC		20:27
ayoung	bknudson, what triggers WARNING: Block quote ends without a blank line; unexpected unindent.	20:28
bknudson	ayoung: the doc format says that things need to be indented and there needs to be a blank line after the end of the indented part	20:28
bknudson	ayoung: so there's a line that's indented 4 chars and the next line is indented 0 chars	20:29
bknudson	ayoung: so this would be for a preformatted section or list	20:29
ayoung	OK...I think I figured which it was complaining about.	20:30
bknudson	ayoung: the line number is the line in the docstring	20:32
ayoung	bknudson, yeah, but it was the block before it that was wrong. Adding a space above it made it go away	20:32
*** amcrn has quit IRC		20:39
*** jamielennox\|away is now known as jamielennox		20:39
*** bach has joined #openstack-keystone		20:43
gyee	jamielennox, ping	20:55
*** bach has quit IRC		20:55
jamielennox	dolphm: can you look at your comment on https://review.openstack.org/#/c/91216/ i think that should be an easy one to get through	20:55
ayoung	gyee, too early	20:55
jamielennox	gyee: for like 2 minutes	20:55
ayoung	Heh, guess I was wrong	20:55
gyee	heh	20:55
gyee	jamielennox, am looking at https://review.openstack.org/#/c/85920	20:55
gyee	mostly good	20:55
gyee	just a few more questions	20:55
*** shakamunyi has joined #openstack-keystone		20:56
jamielennox	sure	20:56
gyee	jamielennox, I see proxy_token, proxy_tenant_id, etc in here https://review.openstack.org/#/c/85920/2/novaclient/v3/client.py	20:56
gyee	Session don't care about these?	20:56
gyee	timings, bypass_url, os_cache	20:57
jamielennox	gyee: i really couldn't find them used	20:57
jamielennox	no i don't have timings	20:57
jamielennox	i expected at some point we'd need that in session	20:57
jamielennox	i think i can actually pull that info out of the requests.Resonpse	20:58
*** bach has joined #openstack-keystone		20:58
jamielennox	gyee: anyway the sort of overall point is that all of those things are CLI constructs	20:58
gyee	jamielennox, that's fine, you may want to drop a note in there indicating that you are aware of these args and they may not be needed in Session	20:58
jamielennox	and i get that the way some things are defined i'll need to add them, but i was going for minimal to start with	20:59
gyee	jamielennox, also for CLI, what's our direction moving forward?	20:59
gyee	are we expect to integrate with OSC	20:59
jamielennox	OSC	20:59
jamielennox	i don't know what nova's stance is exactly	20:59
jamielennox	but IMO it should always be OSC	21:00
gyee	seem like quite a bit of refactoring work	21:00
jamielennox	the test's you mean?	21:00
gyee	yeah, that too	21:00
jamielennox	gyee: sure, but it's the best way i could see of testing both clients	21:01
gyee	jamielennox, beside nova, are you plan on do the same for the other clients? I am in the process of doing the same thing, just want to make sure we don't double the work	21:01
jamielennox	gyee: i had a go and cinder in the past, but i did it in such a way that i tried to integrate the old methods with the new	21:02
jamielennox	gyee: the nova way is better, just chop off the old and run the new stuff side-by-side	21:02
openstackgerrit	guang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes. https://review.openstack.org/84945	21:02
jamielennox	gyee: i think i have a glance patch somewhere	21:03
jamielennox	gyee: actually no, i don't have glance because glance uses httplib	21:03
jamielennox	gyee: i gotta run, i'll be back in about 2 hrs, we can make up a list if you like - i'm hoping the summit will help me push these	21:04
gyee	jamielennox, there's a glance one but needs to be amended https://review.openstack.org/#/c/82126/	21:04
jamielennox	hmm that's in shell	21:05
gyee	jamielennox, sounds good, lets hookup in the summit to see if we can divide up the work	21:05
jamielennox	gyee: for that one, we need to pass my auth plugin from conf one, then we can look at an auth plugin from oslo.conf CLI	21:05
gyee	yeah, lemme amend that one	21:05
jamielennox	(actually that's not oslo.config)	21:06
jamielennox	anyway, back later	21:06
*** shakamunyi has quit IRC		21:07
*** bach has quit IRC		21:10
*** morganfainberg has quit IRC		21:11
*** morganfainberg has joined #openstack-keystone		21:11
*** gokrokve_ has joined #openstack-keystone		21:11
*** morganfainberg has quit IRC		21:13
*** morganfainberg has joined #openstack-keystone		21:13
*** bach has joined #openstack-keystone		21:13
*** morganfainberg has quit IRC		21:14
*** gokrokve has quit IRC		21:15
*** bach has quit IRC		21:15
*** morganfainberg has joined #openstack-keystone		21:17
*** joesavak has quit IRC		21:20
*** bach has joined #openstack-keystone		21:22
*** bach has quit IRC		21:26
*** bach has joined #openstack-keystone		21:27
*** chandan_kumar has quit IRC		21:37
*** thedodd has quit IRC		21:39
*** thedodd has joined #openstack-keystone		21:40
*** shakamunyi has joined #openstack-keystone		21:41
*** bach has quit IRC		21:47
*** bach has joined #openstack-keystone		21:47
*** gokrokve_ has quit IRC		22:02
*** gokrokve has joined #openstack-keystone		22:03
*** dims_ has joined #openstack-keystone		22:05
*** dims has quit IRC		22:08
*** thedodd has quit IRC		22:10
*** stevemar has quit IRC		22:11
*** bach has quit IRC		22:12
*** bach has joined #openstack-keystone		22:24
openstackgerrit	A change was merged to openstack/python-keystoneclient: OAuth request/access token and consumer support for oauth client API https://review.openstack.org/81980	22:33
morganfainberg	sooo.. this just merged: https://review.openstack.org/#/c/91797/ once the ACLs roll out, we can abandon/unabandon as cores for our project(s)	22:37
*** bach has quit IRC		22:38
*** bach has joined #openstack-keystone		22:40
*** bach has quit IRC		22:40
*** bach has joined #openstack-keystone		22:41
*** rwsu has quit IRC		22:42
*** gokrokve has quit IRC		22:45
gyee	morganfainberg, nice, that means we can restore any patch?	22:48
morganfainberg	gyee, it means we can restore any patch in keystone from abandoned state	22:48
morganfainberg	or keystoneclient, or identity-api	22:48
morganfainberg	not just the owner	22:48
morganfainberg	gyee, :)	22:49
gyee	nice!	22:50
*** shakamunyi has quit IRC		22:51
*** dims_ has quit IRC		22:53
*** boris-42 has quit IRC		22:57
*** boris-42 has joined #openstack-keystone		22:58
*** david-lyle has quit IRC		22:59
*** bach has quit IRC		22:59
*** rodrigods_ has joined #openstack-keystone		23:01
*** david-ly_ has joined #openstack-keystone		23:03
*** bach has joined #openstack-keystone		23:10
*** gokrokve has joined #openstack-keystone		23:10
*** henrynash has quit IRC		23:12
*** bach has quit IRC		23:15
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token accepts un-signed revocation list https://review.openstack.org/92726	23:20
morganfainberg	bknudson, is that for a usecase where you are sure no MITM attack(s) could occur?	23:21
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Allow configuring for un-signed revocation list https://review.openstack.org/92727	23:22
bknudson	morganfainberg: isn't that every use case?	23:22
bknudson	morganfainberg: if you've got MITM attacks going on you're going to have some pretty major problems alreadY?	23:22
morganfainberg	bknudson, well i mean, if we're signing data from keystone isn't that the point? eliminate MITM attacks (not tokens, different case there)	23:23
bknudson	morganfainberg: that's a good question... why was it signed to begin with?	23:23
bknudson	was it unprotected?	23:23
morganfainberg	bknudson, no TRL had to be protected	23:24
morganfainberg	bknudson, the revocation events should be unprotected	23:24
bknudson	are revocation events signed?	23:24
morganfainberg	bknudson, good question looks	23:24
bknudson	morganfainberg: I don't see the revocation events reponse being signed.	23:26
morganfainberg	bknudson, neither do i	23:26
bknudson	morganfainberg: maybe because it doesn't contain token IDs?	23:26
*** dims_ has joined #openstack-keystone		23:27
bknudson	but our token IDs aren't protected if you're not using https anyways	23:27
morganfainberg	bknudson, hm. i think we might need to ask ayoung about this one	23:27
morganfainberg	bknudson, maybe the assumption is running https is the right answer.	23:28
morganfainberg	bknudson, which case, sure signing might be overkill (if you could validate the cert)	23:28
*** dims_ has quit IRC		23:30
*** dims has joined #openstack-keystone		23:30
*** dims has quit IRC		23:31
*** dims has joined #openstack-keystone		23:34
gyee	morganfainberg, more scary than that, https cert is different from signing cert	23:38
gyee	jamielennox, you back?	23:39
morganfainberg	gyee, i don't see that as being horrific, as long as it's planned to be that way	23:39
gyee	morganfainberg, I am not saying is required, but we should offer the capability as each deployment is different	23:40
*** dims has quit IRC		23:40
morganfainberg	gyee, we should provide a mechanism to deploy explicit verification certs to any auth_token_middleware instead of needing to ask keystone for the cert	23:41
*** dims has joined #openstack-keystone		23:41
morganfainberg	gyee, as it stands, i think you could use the same SSL cert for https and signing tokens/trl/etc	23:41
ayoung	morganfainberg, you can.	23:41
morganfainberg	ayoung, we can?	23:41
ayoung	but you should not	23:41
morganfainberg	ayoung, didn't think that was an option in auth_token	23:41
gyee	morganfainberg, oh absolutely!	23:41
ayoung	why not? So long as you put the certs in the signing_dir, it will never fetch them from Keystone	23:41
gyee	fingerprint validation at the very least	23:41
morganfainberg	ayoung, i thought the signing dir was tmpdir managed	23:42
morganfainberg	ayoung, i might be mis-remembering	23:42
ayoung	morganfainberg, only by defualt. But it is a config option	23:42
morganfainberg	ayoung, ah. ok then.	23:42
ayoung	the thing is, its the CA cert that is suspect	23:42
ayoung	but getting the other certs from Keystone makes sense, and in fact we are going to want to be able to do that for more than just one signing cert	23:43
ayoung	but...I need to step away for a moment	23:43
morganfainberg	ayoung, some environments will want strict controls over the certs deployed both for auth_token and for the signing. but that would likely be the exception	23:43
morganfainberg	ayoung, ++ don't disagree. but some environments are oddly strict about things.	23:43
*** dims has quit IRC		23:45
ayoung	morganfainberg, its trickier than that. we want to be able to map a certificate to an entity in OpenStack. It can't just "oh, yeah, this cet validates the docuemtn"	23:45
*** bach has joined #openstack-keystone		23:45
*** dims has joined #openstack-keystone		23:46
*** dims has quit IRC		23:48
*** dims has joined #openstack-keystone		23:48
*** dims has quit IRC		23:49
*** dims has joined #openstack-keystone		23:50
jamielennox	gyee: yea,	23:51
gyee	jamielennox, I am still skeptical about session	23:52
jamielennox	gyee: oh?	23:52
jamielennox	in general?	23:52
gyee	jamielennox, how do I know which auth plugin to use	23:52
gyee	based on auth_version, auth_url?	23:52
jamielennox	gyee: who is 'I' in that	23:52
gyee	what if the auth_url is unversioned?	23:52
jamielennox	the user, the client..	23:53
gyee	the client	23:53
jamielennox	so the client - it doesn't	23:53
gyee	right now, the way to integrate with keystoneclient is	23:53
jamielennox	taking eg novaclient, it does not care what auth plugin you use	23:53
gyee	1) construct an auth plugin, 2) construct a session	23:53
gyee	3) pass both session and auth plugin	23:53
jamielennox	all it knows is i send requests through this object and they are authenticated on the way	23:53
gyee	how does the client know whether to construct a v3 auth plugin or v2 auth plugin?	23:54
jamielennox	gyee: why does the client care? are you talking about the CLI here?	23:54
*** david-ly_ has quit IRC		23:55
gyee	right	23:55
gyee	how does CLI know which plugin to use?	23:55
jamielennox	i'm thinking we specify it	23:55
jamielennox	--os-auth-plugin XXXX	23:55
gyee	oh	23:55
gyee	how does the CLI get a list of supported plugins?	23:56
jamielennox	probably and for compatibility if you pass --os-username and --os-password without --os-auth-plugin then it should know what to do	23:56
gyee	more specifically, the correct name to use	23:56
jamielennox	they are all stevedore plugins	23:56
jamielennox	https://review.openstack.org/#/c/79542/6/setup.cfg	23:57
gyee	jamielennox, I am trying to figure out how to make the client CLIs support v3 auth	23:57
jamielennox	so i define 4 plugins there v2password, v3password, v2token, v3token	23:57
jamielennox	and for situations where you don't care about v2 or v3 you use https://review.openstack.org/#/c/81147/	23:58
jamielennox	which will be just 'password'	23:59
gyee	I think I like the last one	23:59
gyee	as it automatically discovery the proper one to use	23:59
jamielennox	gyee: right, but we need to have the first ones available and have the last one a wraer around it	23:59
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Allow configuring for un-signed revocation list https://review.openstack.org/92727	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!