gyee | jamielennox, is there a way to make them backward compatible? | 00:02 |
---|---|---|
gyee | right now user needs to specify ---os-auth-plugin | 00:02 |
jamielennox | well that should make it compatible | 00:02 |
jamielennox | oh, | 00:02 |
*** stevemar has joined #openstack-keystone | 00:02 | |
jamielennox | i was wondering about that | 00:02 |
jamielennox | maybe we either need a new auth plugin that would abstract the v2password and token and make that the default? | 00:03 |
gyee | can we sorta take an educated guess, like if username, password, and tenant_id/name, we assume it's v2 password | 00:03 |
jamielennox | but i don't want to make that the default in session because then everyone will inherit it | 00:03 |
gyee | right, like backward_compat_auth or something | 00:04 |
gyee | would be awesome if we can make the user experience transition seamless | 00:05 |
jamielennox | right so user experience is going to have to be, it's the developer experience i'm wondering how far we push | 00:06 |
*** stevemar2 has joined #openstack-keystone | 00:06 | |
*** opienkos has joined #openstack-keystone | 00:07 | |
gyee | jamielennox, developer experience is really about good documentation :) | 00:07 |
jamielennox | gyee: ok, can you review the patches in the tree up to https://review.openstack.org/#/c/86237 | 00:08 |
gyee | we code monkeys usually bitch more about lack of documentation than having to write extra code | 00:08 |
jamielennox | they are fairly easy, the last one is the Adapters | 00:08 |
gyee | k, looking | 00:09 |
*** opienkos is now known as jittery | 00:10 | |
*** stevemar has quit IRC | 00:10 | |
*** zhiyan_ is now known as zhiyan | 00:10 | |
*** jittery has left #openstack-keystone | 00:10 | |
*** jittery has joined #openstack-keystone | 00:11 | |
gyee | jamielennox, can you imagine python is multithreaded, passing a shared session object around would be fun :) | 00:11 |
jamielennox | gyee: i actually don't think it would be that bad | 00:12 |
jittery | anyone got Kstone working with LDAP? | 00:12 |
gyee | jittery, define "working" :) | 00:12 |
jamielennox | gyee: once you've created it you never really change the state on the object you just query methods | 00:12 |
jittery | Kstone pulling auth of LDAP and map user, tenant and role with LDAP schema attribs | 00:14 |
hrybacki | could someone explain why we use a fake wsgi app for auth_token_middleware tests? | 00:14 |
hrybacki | trying to understand how exactly it works | 00:16 |
*** jittery has left #openstack-keystone | 00:18 | |
*** jittery has joined #openstack-keystone | 00:19 | |
*** jittery has quit IRC | 00:20 | |
gyee | jamielennox, what happens to other session methods? | 00:20 |
gyee | like post, get, update , etc | 00:21 |
jamielennox | HttpMethodsMixin | 00:22 |
gyee | ah | 00:22 |
gyee | k, I see | 00:23 |
*** gokrokve has quit IRC | 00:24 | |
jamielennox | i'm not sure if it's worth having that class, but i'm repeating that structure a lot | 00:24 |
*** NM has joined #openstack-keystone | 00:29 | |
gyee | jamielennox, see if this makes sense https://review.openstack.org/#/c/86237/2/keystoneclient/adapter.py | 00:35 |
gyee | with that you don't need the mixins | 00:35 |
jamielennox | gyee: is that subclassing session? | 00:37 |
gyee | jittery, have you looked at ayoung's read-only LDAP blog? http://adam.younglogic.com/2013/10/read-only-ldap-in-keystone/ | 00:37 |
jamielennox | i don't think we need to go that far | 00:37 |
gyee | jamielennox, right, we would use the session methods if one does not override | 00:37 |
jamielennox | i can write a decorator really easily that does the same job as the mixins | 00:37 |
jamielennox | but i've given up on the idea that the adapter and the session should be interchangeable - they do very different things | 00:38 |
*** marcoemorais has quit IRC | 00:38 | |
gyee | we basically wrap session and override whatever is needed | 00:38 |
*** NM has quit IRC | 00:38 | |
jamielennox | so we just keep as common an interface as makes sense | 00:38 |
*** marcoemorais has joined #openstack-keystone | 00:38 | |
jamielennox | gyee: i think i'd prefer to just rewrite the functions than go to that level of magic | 00:38 |
gyee | jamkelennox, but why the boilerplate stuff | 00:39 |
gyee | if we can just wrap it | 00:39 |
gyee | jamielennox ^ | 00:39 |
jamielennox | that was the point of the mixin | 00:40 |
gyee | I mean is the mixin necessary | 00:40 |
jamielennox | i'd prefer to do the mixin as explicit as an object like that than doing metaclass stuff | 00:42 |
gyee | k, that's good reason | 00:42 |
*** dstanek_zzz is now known as dstanek | 00:44 | |
*** hrybacki has quit IRC | 00:44 | |
*** ncoghlan has joined #openstack-keystone | 00:52 | |
*** dstanek is now known as dstanek_zzz | 00:54 | |
gyee | jamielennox, I need to step away from keyboard a bit, will review the rest later tonight | 00:54 |
jamielennox | gyee: no worries - i'm going to gut barbicanclient and replace it all with session stuff - see what it looks like | 00:54 |
gyee | jamielennox, but we are already doing it | 00:55 |
jamielennox | doing what? | 00:55 |
gyee | https://review.openstack.org/#/c/80124/9/barbicanclient/client.py | 00:55 |
gyee | I mean make it use session | 00:56 |
gyee | may need more work though | 00:56 |
jamielennox | oh, i was going to do it in a non-backwards compat way | 00:56 |
jamielennox | just rip the entire internals out | 00:56 |
jamielennox | it's one of the newer clients so it's hopefully not too much work | 00:57 |
gyee | oh | 00:57 |
gyee | there's no requirement for backward compat? | 00:57 |
jamielennox | i'm not sure with barbican | 00:58 |
jamielennox | i don't think so | 00:58 |
gyee | may want to double check with them | 00:58 |
jamielennox | they are looking to completely change their URI scheme | 00:58 |
jamielennox | yea, i will | 00:58 |
*** clu_ has quit IRC | 01:00 | |
*** topol has joined #openstack-keystone | 01:07 | |
*** mberlin has joined #openstack-keystone | 01:11 | |
*** mberlin1 has quit IRC | 01:11 | |
morganfainberg | what the heck... https://bugs.launchpad.net/keystone/+bug/1328067 | 01:23 |
uvirtbot | Launchpad bug 1328067 in python-keystoneclient "Token with "placeholder" ID issued" [Critical,New] | 01:23 |
morganfainberg | how is a token being issued with 'placeholder' id? | 01:23 |
* morganfainberg continues looking at the code. | 01:23 | |
*** marcoemorais has quit IRC | 01:26 | |
*** diegows has quit IRC | 01:28 | |
morganfainberg | oooo | 01:28 |
bknudson | maybe we need some kind of uniform token object | 01:30 |
morganfainberg | bknudson, i see what you did there | 01:31 |
morganfainberg | i'm trying to figure out how we're not seeing this more often. | 01:32 |
bknudson | it looks like it passes in auth_token_data['id'] = 'placeholder' and issue_v2_token doesn't change auth_token_data['id'] | 01:33 |
morganfainberg | it's an artifact of how we have to sign the data before we know what the token id is | 01:33 |
bknudson | ah, format_token should move it around | 01:34 |
morganfainberg | bknudson, we shouldn't be putting the token id in the signed body | 01:35 |
morganfainberg | bknudson, token id should be external to signed data, {token_id: id, token_data: {data}} | 01:35 |
morganfainberg | or similar. | 01:35 |
bknudson | return (token_id, token_data) | 01:36 |
morganfainberg | bknudson, right which should be fine, until something looks in the token_data for the id | 01:36 |
morganfainberg | bknudson, something in auth_token is grabbing the wrong value(s) in some cases | 01:36 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Make get_oauth_params conditional for specific oauthlib versions https://review.openstack.org/98534 | 01:37 |
*** sbfox1 has quit IRC | 01:37 | |
bknudson | unblocked! | 01:37 |
morganfainberg | bknudson, !! | 01:38 |
bknudson | morganfainberg: where are we signing anything where "auth_token_data['id'] = 'placeholder'" is set? | 01:39 |
bknudson | looks like it gets converted to token_data | 01:39 |
bknudson | V2TokenDataHelper's format_token takes token_ref (which was auth_token_data) and converts it to token_data | 01:40 |
morganfainberg | hmm. | 01:41 |
morganfainberg | then we call _get_token_id() | 01:41 |
morganfainberg | which does the signing | 01:41 |
bknudson | morganfainberg: ohh... | 01:41 |
morganfainberg | then we swap token_data['access']['token']['id'] with the id returned from _get_token_id | 01:41 |
bknudson | at that point token_data has 'placeholder' in it. | 01:42 |
morganfainberg | yep | 01:42 |
bknudson | weird | 01:42 |
bknudson | so we should ... not have id in the token_data at that point? | 01:42 |
morganfainberg | it should be something like {token_id: <id>, signature: <sig>, token_data: {<data dict>}} | 01:42 |
morganfainberg | and then that whole object should be serialized and b64'd | 01:43 |
bknudson | what is token ID though? | 01:43 |
morganfainberg | bknudson, the b64_urlsafe of the data_struct? | 01:44 |
bknudson | how do you put the token id in the token when the token is the token id? | 01:44 |
morganfainberg | bknudson, right now the id is the signed_b64 data | 01:44 |
morganfainberg | bknudson, that is what we need to solve. | 01:44 |
bknudson | we'll have to ask goedel about this one | 01:44 |
*** dstanek_zzz is now known as dstanek | 01:44 | |
morganfainberg | bknudson, hehe | 01:45 |
morganfainberg | bknudson, let me see if i can figure out where we're going wrong... | 01:45 |
bknudson | there's no way we can put the ID in the token | 01:45 |
bknudson | since it would have to be the hash of the document | 01:45 |
morganfainberg | bknudson, we can sign document, hash that sig, = consistent id | 01:46 |
bknudson | where the document is itself | 01:46 |
morganfainberg | we just can't put the id in the document | 01:46 |
bknudson | apparently something is getting the ID from the document | 01:46 |
morganfainberg | and we can validate it forwards and backwards | 01:46 |
bknudson | auth_token middleware? | 01:46 |
morganfainberg | bknudson, yeah thats my thought | 01:46 |
morganfainberg | bknudson, caching in auth_token? | 01:46 |
morganfainberg | do we do that in gate? | 01:46 |
bknudson | _request_admin_token | 01:47 |
morganfainberg | bknudson, let me see how often this is really occurring... | 01:47 |
morganfainberg | oh | 01:47 |
morganfainberg | i think this is heat doing the wrong thing. | 01:48 |
morganfainberg | they load up the auth_token middleware for an admin token, then use that to create a trust | 01:48 |
morganfainberg | so they use the same creds as auth_token middleware. | 01:49 |
bknudson | POST /v2.0/tokens must not return a token with ID = placeholder | 01:49 |
bknudson | otherwise everything would be broken | 01:49 |
morganfainberg | depends on what they're doing to extract the token_id | 01:50 |
morganfainberg | if they used the id returned from the post, it should be fine | 01:50 |
morganfainberg | but i'm guessing they're using the token_data bit. | 01:51 |
morganfainberg | or.. wait ... how.. | 01:51 |
bknudson | we should stop putting 'placeholder' ID in the token and see what else breaks | 01:52 |
morganfainberg | bknudson, ++ i plan on doing that here as well. | 01:52 |
morganfainberg | bknudson, let me figure out what they're doing wrong so we can fix it... | 01:52 |
morganfainberg | then we can break lots of people *evilgrin* | 01:52 |
bknudson | token_info = environ.get('keystone.token_info') | 01:53 |
bknudson | looks like that's where heat is getting it? | 01:53 |
bknudson | and that would be the decrypted document. | 01:54 |
morganfainberg | yeah. | 01:54 |
morganfainberg | and they are using the token from there. | 01:54 |
*** dstanek is now known as dstanek_zzz | 01:54 | |
bknudson | so we *could* have auth_token replace the id in there | 01:54 |
morganfainberg | in their context it looks like. | 01:54 |
morganfainberg | bknudson, we probably should :( | 01:54 |
bknudson | with the hash | 01:55 |
bknudson | or... with the full PKI token | 01:55 |
morganfainberg | bknudson, i'd do it with the full token_id | 01:55 |
bknudson | since hashes aren't going to work soon enough | 01:55 |
morganfainberg | bknudson, yeah | 01:55 |
morganfainberg | will be compat with UUID since you'll have both bits of info | 01:55 |
bknudson | ok, well, that's an easy fix | 01:56 |
bknudson | mystery solved | 01:56 |
morganfainberg | i feel like they're sourcing the data wrong though, it should be pulling the token separate from the keystone.token_info | 01:56 |
*** gokrokve has joined #openstack-keystone | 01:56 | |
morganfainberg | mystery solved sure, but we provide the token in the env right? | 01:56 |
morganfainberg | so ... we should have them sourcing the token_id right out of the env not from the raw decrypted data | 01:56 |
morganfainberg | fixing "auth_token" to replace that would be less optimal i think (and requires a KSC release) | 01:57 |
bknudson | is HTTP_X_AUTH_TOKEN still available? | 01:57 |
morganfainberg | doubtful | 01:57 |
bknudson | then it's only keystone.token_info as far as I can tell | 01:57 |
morganfainberg | hmm | 01:57 |
bknudson | seems like keystone.token_info is going to be different depending on v2 or v3 token | 01:59 |
bknudson | well, good luck, I need to take off. | 02:00 |
*** rodrigods_ has quit IRC | 02:00 | |
morganfainberg | bknudson, cheers, thanks for the help | 02:00 |
*** hrybacki has joined #openstack-keystone | 02:01 | |
morganfainberg | jamielennox, ping you here? have a question about auth_token middleware and what it passes to the underlying app | 02:05 |
jamielennox | morganfainberg: shoot | 02:05 |
openstackgerrit | ChangBo Guo(gcb) proposed a change to openstack/python-keystoneclient: Don't use mock non-exist method assert_called_once https://review.openstack.org/93839 | 02:05 |
morganfainberg | do we pass the token id (as received) to the underlying app, header/env wise? | 02:05 |
morganfainberg | because... for PKI tokens we *uhm* put "placeholder" in the signed document (v2) for token IDs | 02:06 |
morganfainberg | which.. means if someone takes the decrypted data (heat) and uses the token_id in keystone.token_info they have a bogus token_id of "placeholder" | 02:07 |
jamielennox | morganfainberg: no, but we can always get that from X-Auth-Token | 02:07 |
morganfainberg | jamielennox ok so it's going to be a new release of keystoneclient to fix | 02:07 |
jamielennox | hahaha | 02:07 |
morganfainberg | jamielennox, so 2 things, 1: i'm going to make it so we never put a token_id in the token_data. | 02:07 |
morganfainberg | but first need to fix it so heat...can... work | 02:08 |
morganfainberg | trying to see how often this is occurring now | 02:08 |
*** amcrn has quit IRC | 02:08 | |
jamielennox | what is heat doing with the token id/ | 02:08 |
morganfainberg | creating a trust | 02:08 |
jamielennox | from id? | 02:08 |
morganfainberg | well, using the token to pass that same info along, i think | 02:08 |
morganfainberg | wait... there isn't an env var passed down from auth_token with the token_id in it? | 02:09 |
* morganfainberg thought nova used the user's token_id for things | 02:09 | |
jamielennox | no, because token_id should be just X-Auth-Token in the UUID case | 02:09 |
morganfainberg | in UUID case it should be fine | 02:10 |
jamielennox | why would someone use token_id instead of just X-Auth-Token | 02:10 |
morganfainberg | in PKI case it's bad. | 02:10 |
morganfainberg | if i have auth_token middleware running from the underlying app can i get the X-Auth-Token header? | 02:10 |
jamielennox | sure, it's just a header | 02:10 |
morganfainberg | oh we're not stripping it off? | 02:11 |
jamielennox | i don't think so, i can't see why we would | 02:11 |
morganfainberg | ok that makes more sense | 02:11 |
morganfainberg | yeah i think they're just grabbing the token from the wrong place because it looks like it might be the 'correct' place | 02:12 |
jamielennox | token_id like that doesn't exist in v3 tokens - and i thought heat was v3 only now? | 02:12 |
morganfainberg | heat uses v3 to talk to keystone | 02:12 |
jamielennox | oh, but i guess auth is different | 02:12 |
morganfainberg | doesn't mean a user will use v3 to talk to heat... i guess | 02:12 |
morganfainberg | yeah | 02:12 |
morganfainberg | yah just need to go look in req.headers for X-Auth-token | 02:13 |
morganfainberg | jamielennox, cool. i think i can fix this. | 02:13 |
*** gokrokve has quit IRC | 02:18 | |
*** nsquare has quit IRC | 02:21 | |
morganfainberg | jamielennox, ah this is new (to be landed) code | 02:23 |
morganfainberg | aha. so it's not happening in the wild | 02:24 |
morganfainberg | jamielennox, ok phew. | 02:24 |
jamielennox | cool, that seemed unlikely that would have slipped through | 02:24 |
jamielennox | given PKI tokens are default now | 02:24 |
*** rodrigods_ has joined #openstack-keystone | 02:29 | |
*** rodrigods_ has quit IRC | 02:32 | |
*** dstanek_zzz is now known as dstanek | 02:33 | |
*** richm has quit IRC | 02:39 | |
ayoung | I think slipping the token_id into the token body after verifying the signature would probably be OK, so long as no one ever tried to re-sign the data to see that they got the same thing | 02:41 |
*** ncoghlan is now known as ncoghlan_afk | 02:43 | |
openstackgerrit | Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942 | 02:46 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166 | 02:46 |
*** rwsu has quit IRC | 02:52 | |
*** dstanek is now known as dstanek_zzz | 02:52 | |
openstackgerrit | ayoung proposed a change to openstack/keystone: Default to PKIZ tokens https://review.openstack.org/98897 | 02:54 |
*** hrybacki has quit IRC | 02:56 | |
*** praneshp has quit IRC | 03:03 | |
*** dstanek_zzz is now known as dstanek | 03:04 | |
*** david-lyle has joined #openstack-keystone | 03:11 | |
*** lbragstad has quit IRC | 03:11 | |
*** zhiyan is now known as zhiyan_ | 03:20 | |
*** ncoghlan_afk is now known as ncoghlan | 03:26 | |
*** zhiyan_ is now known as zhiyan | 03:26 | |
*** dims_ has quit IRC | 03:53 | |
*** gokrokve has joined #openstack-keystone | 04:25 | |
*** Abhijeet has joined #openstack-keystone | 04:29 | |
*** daneyon has joined #openstack-keystone | 04:30 | |
*** david-lyle has quit IRC | 04:33 | |
*** marcoemorais has joined #openstack-keystone | 04:34 | |
*** henrynash has joined #openstack-keystone | 04:36 | |
*** marcoemorais1 has joined #openstack-keystone | 04:36 | |
*** gokrokve has quit IRC | 04:37 | |
*** lbragstad has joined #openstack-keystone | 04:38 | |
*** marcoemorais has quit IRC | 04:39 | |
*** dims_ has joined #openstack-keystone | 04:46 | |
*** dstanek is now known as dstanek_zzz | 04:50 | |
*** dims_ has quit IRC | 04:50 | |
*** topol has quit IRC | 04:57 | |
*** gokrokve has joined #openstack-keystone | 04:58 | |
*** gokrokve has quit IRC | 04:58 | |
*** harlowja is now known as harlowja_away | 04:59 | |
*** sbfox has joined #openstack-keystone | 05:07 | |
*** lbragstad has quit IRC | 05:13 | |
*** lbragstad has joined #openstack-keystone | 05:15 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 05:30 |
*** Guest36764 has quit IRC | 05:33 | |
*** Ackowa has joined #openstack-keystone | 05:34 | |
*** daneyon has quit IRC | 05:37 | |
*** gyee has quit IRC | 05:38 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Documentation https://review.openstack.org/84070 | 05:46 |
*** dims_ has joined #openstack-keystone | 05:47 | |
openstackgerrit | Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942 | 05:51 |
*** dstanek_zzz is now known as dstanek | 05:51 | |
*** dims_ has quit IRC | 05:51 | |
*** ajayaa has joined #openstack-keystone | 05:55 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/97005 | 06:00 |
*** dstanek is now known as dstanek_zzz | 06:01 | |
*** dims_ has joined #openstack-keystone | 06:17 | |
*** dims_ has quit IRC | 06:22 | |
*** stevemar2 has quit IRC | 06:30 | |
*** ncoghlan is now known as ncoghlan_afk | 06:36 | |
*** jaosorior has joined #openstack-keystone | 06:41 | |
openstackgerrit | A change was merged to openstack/keystone: Consistenly use jsonutils instead of json https://review.openstack.org/97039 | 06:43 |
openstackgerrit | A change was merged to openstack/keystone: Catalog driver generates v3 catalog from v2 catalog https://review.openstack.org/70630 | 06:43 |
*** lbragstad has quit IRC | 06:49 | |
*** lbragstad has joined #openstack-keystone | 06:50 | |
*** afazekas is now known as __afazekas | 06:51 | |
*** amerine has quit IRC | 06:51 | |
*** amerine has joined #openstack-keystone | 06:52 | |
*** BAKfr has joined #openstack-keystone | 07:09 | |
*** ncoghlan_afk is now known as ncoghlan | 07:15 | |
*** leseb has joined #openstack-keystone | 07:16 | |
*** dims_ has joined #openstack-keystone | 07:17 | |
*** dims_ has quit IRC | 07:22 | |
*** andreaf has quit IRC | 07:31 | |
*** afazekas has joined #openstack-keystone | 07:55 | |
*** andreaf has joined #openstack-keystone | 07:58 | |
*** sbfox has quit IRC | 08:03 | |
*** dims_ has joined #openstack-keystone | 08:18 | |
*** leseb has quit IRC | 08:18 | |
*** dims_ has quit IRC | 08:22 | |
*** marcoemorais1 has quit IRC | 08:23 | |
*** ncoghlan is now known as ncoghlan_afk | 08:32 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 08:40 |
*** lbragstad has quit IRC | 08:43 | |
*** lbragstad has joined #openstack-keystone | 08:43 | |
*** leseb has joined #openstack-keystone | 08:50 | |
*** Abhijeet has quit IRC | 08:59 | |
*** leseb has quit IRC | 09:03 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 09:08 |
*** leseb has joined #openstack-keystone | 09:14 | |
*** zhiyan is now known as zhiyan_ | 09:18 | |
*** dims_ has joined #openstack-keystone | 09:19 | |
*** DuncanT- has joined #openstack-keystone | 09:20 | |
*** dims_ has quit IRC | 09:25 | |
*** xianghui has quit IRC | 09:37 | |
*** xianghui has joined #openstack-keystone | 09:50 | |
*** xianghui has quit IRC | 09:51 | |
*** xianghui has joined #openstack-keystone | 09:52 | |
openstackgerrit | Christian Berendt proposed a change to openstack/keystone: Bump hacking to 0.9.x series https://review.openstack.org/98996 | 10:02 |
*** leseb has quit IRC | 10:09 | |
*** leseb has joined #openstack-keystone | 10:10 | |
*** leseb has quit IRC | 10:12 | |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Add endpoint handling to Token/Endpoint auth https://review.openstack.org/91216 | 10:15 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Fix tests to use UUID strings rather than ints for IDs https://review.openstack.org/90621 | 10:15 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Remove _factory methods from auth plugins https://review.openstack.org/81985 | 10:15 |
*** dims_ has joined #openstack-keystone | 10:21 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265 | 10:22 |
*** dims_ has quit IRC | 10:27 | |
*** xianghui has quit IRC | 10:38 | |
*** ekarlso has quit IRC | 10:57 | |
*** ekarlso has joined #openstack-keystone | 10:58 | |
*** xianghui has joined #openstack-keystone | 11:02 | |
openstackgerrit | Christian Berendt proposed a change to openstack/keystone: WIP: Bump hacking to 0.9.x series https://review.openstack.org/98996 | 11:08 |
*** dims_ has joined #openstack-keystone | 11:23 | |
*** leseb has joined #openstack-keystone | 11:32 | |
*** xianghui has quit IRC | 11:40 | |
*** diegows has joined #openstack-keystone | 11:41 | |
openstackgerrit | Boris Pavlovic proposed a change to openstack/keystone: Add rally plugins support https://review.openstack.org/98836 | 11:43 |
*** xianghui has joined #openstack-keystone | 11:53 | |
*** hrybacki has joined #openstack-keystone | 12:05 | |
*** radez_g0n3 is now known as radez | 12:05 | |
*** afazekas has quit IRC | 12:09 | |
*** afazekas has joined #openstack-keystone | 12:24 | |
*** hrybacki_ has joined #openstack-keystone | 12:26 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements https://review.openstack.org/99031 | 12:28 |
*** dhellmann has quit IRC | 12:28 | |
*** bknudson has quit IRC | 12:34 | |
*** Ju has quit IRC | 12:35 | |
*** gordc has joined #openstack-keystone | 12:36 | |
ayoung | hrybacki, fire away and I'll answer as much as I can | 12:38 |
ayoung | might disappear to get a kid to school, but I'll answer when I get back | 12:39 |
hrybacki | ayoung++ | 12:39 |
marekd_ | ayoung: Do you want to take a look here: https://review.openstack.org/92166 ? | 12:40 |
hrybacki | I've been digging around in python-keystoneclient test code quite a bit, as you would imagine. There seem to be fake wsgi apps that are interacting with services but I'm not sure how and if this is how I should do the revocation events as well -- thoughts? | 12:40 |
*** marekd_ has quit IRC | 12:40 | |
*** marekd has joined #openstack-keystone | 12:41 | |
*** lbragstad has quit IRC | 12:45 | |
BAKfr | Does someone want to review a little patch? https://review.openstack.org/#/c/95212/ | 12:50 |
*** bknudson has joined #openstack-keystone | 12:52 | |
*** afazekas has quit IRC | 12:53 | |
*** dims_ has quit IRC | 12:59 | |
DuncanT- | Hi. Cinder is having a problem in reusing the tenant's token to run a backup to swift, but horizon is invalidating the token before the backup is finished. Any suggestions please? | 13:00 |
DuncanT- | I was looking at the new composite token stuff, but apparently getting a new token is considered a performance problem so they're going with two tokens, so extending the token there is out | 13:01 |
DuncanT- | I'm not sure if trusts give something usable, I can't find any docs on what is actually implemented there | 13:02 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 13:02 |
ayoung | hrybacki, yes, middleware/auth_token.py:Auth needs to make calls against fake WSGI apps to get revocation events. | 13:04 |
ayoung | marekd, I'll look, but I don't know too much about ECP | 13:04 |
marekd | ayoung: thanks. What I want to get from you is the architecture of the plugin, some code issues... | 13:05 |
ayoung | marekd, what is the general flow there | 13:05 |
hrybacki | ayoung: okay, would you advise reusing FakeApp/FakeAppV3 or constructing a new one? | 13:05 |
ayoung | hrybacki, probably reuse | 13:06 |
hrybacki | ayoung++ | 13:06 |
ayoung | they should be able to respond to the calls you are making as is. Depends on how much work it is to change from making the calls to get the revoke list to calls to get the Revocation Events. | 13:06 |
*** afazekas has joined #openstack-keystone | 13:07 | |
*** jsavak has joined #openstack-keystone | 13:07 | |
*** erecio has quit IRC | 13:07 | |
ayoung | marekd, I see some things you have buried in there that look like reusable components | 13:08 |
*** erecio has joined #openstack-keystone | 13:08 | |
ayoung | def _scope_token(self, session): specifically | 13:08 |
marekd | ayoung: https://review.openstack.org/#/c/92166/14/keystoneclient/auth/identity/contrib/federation/saml2.py i added some docstrings there (see get_unscoped_token), where I tried to describe the workflow. | 13:08 |
marekd | ayoung: see? that's the feedback i need from you :-) | 13:09 |
ayoung | marekd, it looks really good | 13:09 |
*** gordc has quit IRC | 13:12 | |
ayoung | marekd, in _get_unscoped_token(self, session, **kwargs): you make 3 calls. You do a finally block, but what if one of those calls fails, say on a timeout? | 13:12 |
marekd | your concern is about executing that clear() method, or in general? | 13:12 |
ayoung | marekd, just what is the end user experience going to be? Are they going to end up with a 500 somehow, since the follow on commands don't know that it failed? | 13:13 |
ayoung | marekd, note: I am nitpicking here, as I don't understand the code yet. Don't take what I say too seriously and start rewriting things | 13:13 |
marekd | ayoung: imo user should know why the workflow failed. | 13:14 |
*** nkinder has quit IRC | 13:14 | |
ayoung | marekd, also, this looks kind of stateful | 13:14 |
marekd | ayoung: in most cases AuthorizationFailure is raised, especially where plugin expects XML response body and gets something else. | 13:15 |
ayoung | is that going to be a problem? | 13:15 |
marekd | ayoung: what do you mean? | 13:15 |
ayoung | Saml2 holds on to local variables from elsewhere in the request | 13:15 |
ayoung | marekd, is there going to be one Saml2 object per request? | 13:15 |
ayoung | Or is it shared across multiple requests? | 13:16 |
marekd | ha, good question! | 13:16 |
marekd | ayoung: if you are asking if some of those assertions/data can be reused - honestly I don't know. | 13:17 |
*** lbragstad has joined #openstack-keystone | 13:17 | |
marekd | i'd say - after we create a session and have access to a protected resource it's a matter of cookie stored in the session. | 13:18 |
marekd | and i meant: HTTP session, not object session. | 13:18 |
*** leseb has quit IRC | 13:19 | |
*** leseb has joined #openstack-keystone | 13:20 | |
*** dstanek_zzz is now known as dstanek | 13:23 | |
*** leseb has quit IRC | 13:24 | |
*** lbragstad1 has joined #openstack-keystone | 13:26 | |
*** lbragstad has quit IRC | 13:28 | |
*** lbragstad has joined #openstack-keystone | 13:29 | |
*** lbragstad1 has quit IRC | 13:30 | |
ayoung | marekd, I'm talking about the Python object called Saml2 | 13:30 |
*** dims_ has joined #openstack-keystone | 13:30 | |
ayoung | class Saml2(v3._AuthConstructor): | 13:30 |
*** gokrokve has joined #openstack-keystone | 13:31 | |
marekd | ayoung: right. Now I am cleaning all the dynamic attributes, so I think it could be reusable. | 13:31 |
marekd | ayoung: I don't know if variables that are stored somewhere in the middle of the workflow can be reused. | 13:32 |
ayoung | marekd, I think not | 13:32 |
marekd | ayoung: ++ | 13:32 |
ayoung | you need to create a specific object and pass them through with the request | 13:33 |
marekd | ayoung: I think what can be reused is a session cookie, but it's stored in the keystoneclient.session.Session() object. | 13:33 |
ayoung | marekd, only if you are going to be sending it back to the user. Otherwise, that, too, needs to be passed from function to function | 13:34 |
marekd | ayoung: hm, okay! I wanted to make it cleaner and avoid billions of arguments | 13:34 |
ayoung | marekd, so make it one object, and put the billions of arguments on that | 13:35 |
marekd | right | 13:35 |
ayoung | call it a SamlRequest or something | 13:35 |
marekd | ayoung: ok | 13:35 |
marekd | ayoung: anything else regarding the structure, and Python-specific issues? | 13:41 |
ayoung | marekd, I think that is a pretty big one. It's going to call for a bit of restructuring. I'm not a Python Maven, though. You need dstanek for that kind of madness | 13:42 |
marekd | ayoung: i know it's huge but this is one big block of functionality, I didn't see any way of splitting it into multiple patches. | 13:43 |
marekd | anyway, thanks! | 13:43 |
marekd | dstanek: Hello, sir! | 13:43 |
ayoung | marekd, its not too bad. But lets see what it looks like when it is multi-access safe | 13:43 |
marekd | ayoung: normally keystoneclient plugins are reused? | 13:44 |
marekd | keystoneclient *auth* plugins. | 13:44 |
*** richm has joined #openstack-keystone | 13:48 | |
*** lbragstad has quit IRC | 13:48 | |
*** lbragstad has joined #openstack-keystone | 13:48 | |
*** gordc has joined #openstack-keystone | 13:54 | |
*** lbragstad1 has joined #openstack-keystone | 13:57 | |
*** lbragstad has quit IRC | 13:58 | |
*** nkinder has joined #openstack-keystone | 14:02 | |
*** Ju_ has joined #openstack-keystone | 14:06 | |
openstackgerrit | A change was merged to openstack/keystone-specs: Cross Backend Unique Identifiers for User and Group Entities https://review.openstack.org/97492 | 14:11 |
*** stevemar has joined #openstack-keystone | 14:11 | |
BAKfr | it seems that keystone unit tests don't pass when the locale is not en_US | 14:11 |
BAKfr | Should I report a bug ? | 14:12 |
*** lbragstad1 has quit IRC | 14:16 | |
boris-42 | morganfainberg hey there | 14:18 |
boris-42 | morganfainberg could you pls review plugin patch | 14:18 |
boris-42 | morganfainberg this one https://review.openstack.org/#/c/98836/ | 14:19 |
*** dhellmann has joined #openstack-keystone | 14:20 | |
*** leseb has joined #openstack-keystone | 14:20 | |
*** leseb has quit IRC | 14:25 | |
openstackgerrit | A change was merged to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes. https://review.openstack.org/84945 | 14:30 |
*** leseb has joined #openstack-keystone | 14:33 | |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: add docs on v2 & v3 support in the service catalog https://review.openstack.org/99075 | 14:34 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076 | 14:35 |
*** leseb has quit IRC | 14:38 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265 | 14:39 |
*** NM has joined #openstack-keystone | 14:40 | |
*** leseb has joined #openstack-keystone | 14:41 | |
*** thedodd has joined #openstack-keystone | 14:45 | |
*** xianghui has quit IRC | 14:47 | |
*** diegows has quit IRC | 14:52 | |
*** ajayaa has quit IRC | 14:55 | |
*** afazekas has quit IRC | 14:56 | |
marekd | dstanek: ping. | 14:58 |
stevemar | BAKfr, sounds like a bug to me | 14:59 |
*** gokrokve has quit IRC | 14:59 | |
*** gokrokve has joined #openstack-keystone | 15:00 | |
*** sbfox has joined #openstack-keystone | 15:02 | |
*** xianghui has joined #openstack-keystone | 15:04 | |
dstanek | marekd: hi | 15:04 |
dstanek | i'm actually looking at your issue now :-) | 15:04 |
dstanek | well, the py33 venv is building, but i'm close | 15:04 |
marekd | dstanek: great, thanks! | 15:05 |
marekd | dstanek: does py33 accept multiline string wrapped with >>"""<< ? | 15:05 |
dstanek | marekd: yes | 15:07 |
dstanek | marekd: at first glance it seems that the XML is a string instead of a byte string | 15:09 |
marekd | dstanek: yes, it's string. | 15:09 |
marekd | a *long* string :( | 15:09 |
marekd | dstanek: it passes tests under py2, but I suck at py3 so a hint how to make it work on py2 and 3 would be more than welcome :-) | 15:10 |
marekd | welcomed | 15:10 |
dstanek | marekd: the -d arg looks weird here: http://logs.openstack.org/66/92166/14/check/gate-python-keystoneclient-python33/4471f0f/console.html#_2014-06-10_13_06_51_445 | 15:10 |
marekd | dstanek: because of 'b' ? | 15:11 |
dstanek | yeah | 15:13 |
*** praneshp has joined #openstack-keystone | 15:13 | |
marekd | dstanek: do you think line 73 in https://review.openstack.org/#/c/92166/14/keystoneclient/tests/v3/test_auth_saml2.py might have something to do with that? | 15:14 |
*** daneyon has joined #openstack-keystone | 15:15 | |
*** mberlin has quit IRC | 15:16 | |
dstanek | marekd: i don't think so - but why do you have to make it a single line? | 15:16 |
*** mberlin has joined #openstack-keystone | 15:17 | |
marekd | dstanek: I have some XML strings in the saml2_fixtures file. Now, since I must transform them into XML objects (using etree.XML()) and cannot compare objects later I decided I should transform everything again to strings and compare strings. | 15:18 |
marekd | now, etree puts different formatting so the strings would not be equal. | 15:19 |
dstanek | marekd: that is likely to break in the future if other changes happen (like attributes are re-ordered) | 15:20 |
marekd | dstanek: these are tests, so I decide what my fake server responds with... | 15:22 |
marekd | i don't do that stupid comparison in real code - i don't need to. | 15:22 |
*** jsavak has quit IRC | 15:22 | |
*** jsavak has joined #openstack-keystone | 15:23 | |
dstanek | marekd: no i mean when you convert the xml to strings in the tests | 15:23 |
marekd | dstanek: hm, so any better way of comparing those XMLs ? | 15:24 |
marekd | transforming strings into XML objects and recursively iterating on the tree? | 15:25 |
bknudson | marekd: I think someone was working on an XML matcher for testtools / oslo.test | 15:28 |
marekd | bknudson: oh, that would be nice. | 15:28 |
bknudson | marekd: https://review.openstack.org/#/c/74861/4/oslotest/matchers.py | 15:28 |
marekd | class XMLMatches(object) could do the work... | 15:30 |
marekd | bknudson: how can I use it? Any special import i need to have? | 15:30 |
bknudson | marekd: it's not even merged yet... could steal it and put it in keystone | 15:30 |
marekd | hmm, ok. | 15:31 |
bknudson | and switch to the testtools matcher if that gets merged | 15:31 |
marekd | bknudson: okay! | 15:31 |
*** gyee has joined #openstack-keystone | 15:31 | |
*** thedodd has quit IRC | 15:32 | |
*** thedodd has joined #openstack-keystone | 15:34 | |
dstanek | marekd: there are a couple of odd things i'm working though | 15:35 |
dstanek | you are using str() in at least 1 place which you probably don't want to do | 15:35 |
marekd | dstanek: it'd be great to see some feedback on the patchset! | 15:36 |
dstanek | marekd: in the process :-) | 15:44 |
*** jsavak has quit IRC | 15:44 | |
marekd | dstanek: great, thanks! | 15:44 |
*** sbfox has quit IRC | 15:57 | |
rodrigods | is there a chance of anyone reviewing https://review.openstack.org/#/c/97600/? Maybe it's not a desired script at all? | 15:57 |
dstanek | rodrigods: it likely hasn't been looked at much because it's failing pep8 | 16:01 |
*** sbfox has joined #openstack-keystone | 16:02 | |
*** sbfox has quit IRC | 16:02 | |
*** sbfox has joined #openstack-keystone | 16:03 | |
morganfainberg | morning | 16:03 |
*** jsavak has joined #openstack-keystone | 16:04 | |
gyee | morganfainberg, just added my comments https://review.openstack.org/#/c/96315/ | 16:04 |
morganfainberg | gyee, thanks. | 16:04 |
rodrigods | dstanek, is it? I thought the second patch had passed the tests | 16:05 |
morganfainberg | gyee, should be easy to address the comments. plan on it post meeting today. | 16:05 |
rodrigods | dstanek, it did, actually... | 16:05 |
gyee | morganfainberg, if Glance does image encryption, I wonder how this is all going to work | 16:06 |
morganfainberg | hehe | 16:06 |
dstanek | marekd: i got the tests working now | 16:08 |
*** marcoemorais has joined #openstack-keystone | 16:08 | |
marekd | some link? | 16:09 |
marekd | or you want to upload new version of the patch? | 16:09 |
marekd | (both are fine) | 16:09 |
marekd | dstanek: ^^ | 16:09 |
bknudson | marekd: are you aware of plans for Juno to make keystone an IdP? (e.g., producing SAML assertions) | 16:10 |
marekd | bknudson: are you talking about any specific blueprint? | 16:10 |
*** wwriverrat has joined #openstack-keystone | 16:10 | |
bknudson | marekd: no, just wondering if this was something you thought we'd be doing or that we'd need. | 16:11 |
marekd | i am aware of making keystone2keystone federation which *may* require Keystone to act as a SAML/whatever fed protocol IdP. | 16:11 |
dstanek | marekd: i can push it up in a sec - i want to finish these last few review comments | 16:11 |
*** jaosorior has quit IRC | 16:12 | |
marekd | dstanek: thanks, probably the cleanest way for that fix. | 16:12 |
bknudson | stevemar: were you looking at making Keystone a federation provider? | 16:12 |
marekd | dstanek: i will try to address your comments later. | 16:12 |
BAKfr | morganfainberg, I've a question to complete https://review.openstack.org/#/c/95212 | 16:12 |
BAKfr | If an empty id (but present) is passed to the request of region creation, should we return an error or generate a random id ? | 16:13 |
marekd | bknudson: service provider or identity provider? | 16:13 |
marekd | bknudson: (in your question for stevemar) | 16:13 |
bknudson | marekd: what's the difference? | 16:13 |
gyee | rodrigods, dstanek, I am all for adding more examples, but we need a framework in place so we can gate them just like the unit tests | 16:14 |
gyee | having broken examples is not cool | 16:14 |
marekd | service provider is something that will accept an assertion/claim and basically protects a resource. IdP is something that can authenticate yourself and issue an assertion. | 16:14 |
marekd | currently Keystone is a SP. | 16:15 |
marekd | and your LDAP database with something that talks SAML2 will be IdP. | 16:15 |
bknudson | marekd: right, we've already got SP, so I'm wondering if IdP is something we've got planned. | 16:15 |
marekd | bknudson: i think so... | 16:15 |
morganfainberg | gyee, responded to your comments, have a question in-line | 16:15 |
morganfainberg | gyee, before i upload a new patch, re the multiple filters. | 16:16 |
bknudson | marekd: keystone IdP isn't something your group needs? | 16:16 |
morganfainberg | gyee, i think that would be a masssssssssive scope increase, and honestly, i wont get it done for Juno. | 16:16 |
morganfainberg | gyee, at least not likely. | 16:16 |
gyee | morganfainberg, how so? should be a simple change to auth_token middleware | 16:16 |
morganfainberg | gyee, it feels wrong to require extra filters to make it work. | 16:17 |
gyee | we just need to make them configurable | 16:17 |
morganfainberg | gyee, no, auth_token strips out all the headers etc | 16:17 |
*** jsavak has quit IRC | 16:17 | |
marekd | bknudson: my group? | 16:17 |
morganfainberg | gyee, it's going to be a bunch of work as is. | 16:17 |
*** jsavak has joined #openstack-keystone | 16:17 | |
morganfainberg | gyee, why does it need to be configurable? X-Auth-Token isn't? | 16:17 |
gyee | we just need to make auth_token filter generic | 16:17 |
morganfainberg | gyee, i would rather have a fixed header to use here... predictable and we can drive projects to use it. | 16:17 |
gyee | like where to look for the auth token | 16:18 |
morganfainberg | gyee, i think that is far out of scope | 16:18 |
morganfainberg | gyee, far far far out of scope for this | 16:18 |
gyee | and how to set the headers, it can be any token | 16:18 |
morganfainberg | gyee, auth_token needs a massive refactor | 16:18 |
morganfainberg | gyee, i am not willing to do that here. | 16:18 |
morganfainberg | gyee, if we're making it generic, we should do that on a real cleanup not as part of a new feature | 16:18 |
gyee | morganfainberg, but if we make those configurable, changes should be trivial I think | 16:19 |
gyee | morganfainberg, let me put up some sample code to illustrate | 16:19 |
morganfainberg | gyee, being honest here, I don't see this happening in juno then. | 16:19 |
*** diegows has joined #openstack-keystone | 16:19 | |
gyee | should be a really simple change, but I could be smoking something for breakfast :) | 16:20 |
morganfainberg | gyee, if we want to do the auth_token clean up and make it generic, we do that, we don't commit to a massive refactor of the middleware and a big feature change | 16:20 |
gyee | morganfainberg, let me put up some simple code | 16:20 |
gyee | I don't think it needs to be a massive refactoring | 16:20 |
morganfainberg | gyee, it's not about it being a small code change, we shouldn't be "hacking" it to be more generic. if we're doing that we should do it right | 16:20 |
stevemar | bknudson, marekd sorry - shoulders deep in configuring federation with someone atm | 16:21 |
morganfainberg | gyee, we don't make it worse, i think what you're proposing will make the middleware worse from a later cleanup perspective. | 16:21 |
morganfainberg | gyee, unless we really do cleanup the middleware | 16:21 |
bknudson | stevemar: you'll be able to start your own consulting business | 16:21 |
gyee | morganfainberg, I honestly think making it generic would make it more flexible | 16:22 |
bknudson | morganfainberg: gyee: here's some middleware cleanups: https://review.openstack.org/#/c/97127/ | 16:22 |
stevemar | bknudson, working with someone from tfim, we're about an 1.5 hrs into a call, i think we're almost done | 16:22 |
morganfainberg | gyee, then we "fix" middleware and commit to that this cycle. hacking it up to be generic is a bad idea | 16:22 |
openstackgerrit | David Stanek proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 16:23 |
dstanek | marekd: ^ | 16:23 |
gyee | morganfainberg, see, see, bknudson started it :) | 16:23 |
morganfainberg | gyee, i'm happy to let you take this spec on if you want. but i wont commit to a cleanup + feature. | 16:23 |
dstanek | marekd: i'll do a real review now too | 16:23 |
marekd | dstanek: cool, | 16:23 |
marekd | dstanek: i will take care of that after you submit your comments. | 16:23 |
morganfainberg | gyee, thats fine, i'm not committing to fighting feature against cleanup this cycle. | 16:23 |
gyee | morganfainberg, making it generic is far from cleaning it up, we have much more work to do | 16:24 |
rodrigods | gyee, ++ | 16:24 |
morganfainberg | gyee, if you're willing to commit to taking on the spec, including making it generic, please do. but i really don't think i can get it done | 16:24 |
rodrigods | gyee, there is any plan to do so? | 16:24 |
morganfainberg | gyee, limits on my time/capabilities within the cycle...especially since ... well we're already running up on J1 | 16:24 |
bknudson | why make auth_token generic? If you need something different then provide your own middleware | 16:25 |
gyee | rodrigods, I am not aware, but you can start :) | 16:25 |
morganfainberg | gyee, i also heartily disagree with making it take <any> header for tokens. | 16:25 |
morganfainberg | bknudson, ++ | 16:25 |
morganfainberg | gyee, what is the use case for making it generic besides "it would be neat"? | 16:25 |
gyee | morganfainberg, just to make it less messy that's all | 16:26 |
morganfainberg | this is security related, i like security related stuff to be consistent and predictable | 16:26 |
*** diegows has quit IRC | 16:26 | |
*** marcoemorais has quit IRC | 16:27 | |
marekd | need to disappear for an hour or two. be back later. | 16:27 |
*** marcoemorais has joined #openstack-keystone | 16:27 | |
gyee | morganfainberg, but it is predictable | 16:27 |
morganfainberg | gyee, i don't think it's the right approach. but if you're really heart set on it, propose it. and if making it generic is (really) a pre-req to this feature, i don't think this will land within j2 | 16:27 |
morganfainberg | or even j3 | 16:28 |
morganfainberg | gyee, no it isn't. | 16:28 |
morganfainberg | gyee, you could accept the token from _any_ header by config. | 16:28 |
morganfainberg | what is the need for that? | 16:28 |
*** marcoemorais has quit IRC | 16:28 | |
rodrigods | gyee, great! | 16:28 |
morganfainberg | it isn't predictable | 16:28 |
*** marcoemorais has joined #openstack-keystone | 16:29 | |
*** marcoemorais has quit IRC | 16:29 | |
morganfainberg | how do i know what header my OpenStack solution is using for passing a token to a service? | 16:29 |
*** BAKfr_ has joined #openstack-keystone | 16:29 | |
morganfainberg | and it could be different for each and every service | 16:29 |
*** marcoemorais has joined #openstack-keystone | 16:29 | |
*** BAKfr has quit IRC | 16:29 | |
morganfainberg | again i just disagree with that approach | 16:30 |
* morganfainberg hasn't had enough coffee for the morning to go more in depth :P | 16:32 | |
gyee | morganfainberg, that's fine, I was merely making a suggestion with the worries that auth_token is becoming unmanageable as is | 16:32 |
gyee | we can do refactoring later if you want, but we seem to keep adding more stuff to it where there are good opportunities for refactoring | 16:33 |
morganfainberg | gyee, we can discuss more when i'm more caffeinated. i might change my mind :P | 16:34 |
morganfainberg | gyee, you know how it goes pre-morning coffee | 16:34 |
gyee | haha | 16:34 |
morganfainberg | gyee, brain can only connect so many dots before giving up | 16:34 |
gyee | I just had a strong vietnamese drop coffee, the shit is strong | 16:35 |
morganfainberg | nice! | 16:35 |
gyee | drip | 16:35 |
morganfainberg | i'm gonna go get an espresso and a drip coffee | 16:35 |
morganfainberg | maybe a breakfast sammich too | 16:35 |
*** xianghui has quit IRC | 16:35 | |
gyee | morganfainberg, if you found yourself in S.F., try Blue Bottle http://www.bluebottlecoffee.com/ | 16:37 |
morganfainberg | that is absolutely on my list of places! | 16:37 |
gyee | I had to stand in line for at least half an hour if not more every time I go there | 16:37 |
gyee | their coffee is awesome! | 16:38 |
*** diegows has joined #openstack-keystone | 16:38 | |
*** gokrokve_ has joined #openstack-keystone | 16:40 | |
morganfainberg | gyee, yeah have heard nothing but good things. | 16:40 |
*** gokrokve has quit IRC | 16:43 | |
morganfainberg | ayoung, gyee, dolphm said he will be out for the meeting today. but i need to take someone to the ER right now. | 16:47 |
ayoung | morganfainberg, why are you on IRC, then | 16:47 |
ayoung | GO! | 16:47 |
gyee | NOW! | 16:47 |
morganfainberg | ayoung, it's a migraine not bleeding out.. i am going. note from dolphm: there's two changes that need to be gating to make juno-1, and i don't have anything new on the hackathon to report other than the RSVP form if anyone missed it (i think everyone responded already) | 16:48 |
morganfainberg | otherwise, meeting is on the list | 16:48 |
morganfainberg | be back later | 16:48 |
ayoung | ++ | 16:48 |
*** schofield has quit IRC | 16:51 | |
*** schofield has joined #openstack-keystone | 16:52 | |
*** NM has quit IRC | 16:53 | |
*** leseb has quit IRC | 16:57 | |
openstackgerrit | ayoung proposed a change to openstack/keystone: Allow for multiple PKI Style Providers https://review.openstack.org/98845 | 16:59 |
openstackgerrit | ayoung proposed a change to openstack/keystone: Default to PKIZ tokens https://review.openstack.org/98897 | 16:59 |
*** kun_huang has joined #openstack-keystone | 17:01 | |
*** sbfox has quit IRC | 17:02 | |
*** BAKfr_ has quit IRC | 17:04 | |
*** sbfox has joined #openstack-keystone | 17:07 | |
*** harlowja_away is now known as harlowja | 17:08 | |
*** nsquare has joined #openstack-keystone | 17:09 | |
*** sbfox1 has joined #openstack-keystone | 17:11 | |
*** sbfox1 has quit IRC | 17:14 | |
*** sbfox1 has joined #openstack-keystone | 17:14 | |
*** sbfox has quit IRC | 17:15 | |
dstanek | marekd: just went through my first pass of your review | 17:15 |
dstanek | marekd: one thing i noticed, but forgot to comment on was the extra spacing in the License headers | 17:16 |
*** NM has joined #openstack-keystone | 17:22 | |
*** dims_ has quit IRC | 17:28 | |
*** schofield has quit IRC | 17:29 | |
*** schofield has joined #openstack-keystone | 17:32 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone-specs: V3 extension advertisement https://review.openstack.org/95973 | 17:33 |
marekd | dstanek: thanks, looking at it now. | 17:38 |
*** dims_ has joined #openstack-keystone | 17:42 | |
*** thedodd has quit IRC | 17:42 | |
*** sbfox1 has quit IRC | 17:48 | |
*** sbfox has joined #openstack-keystone | 17:48 | |
*** sballe_ has quit IRC | 17:50 | |
*** daneyon has quit IRC | 17:50 | |
*** sbfox has quit IRC | 17:58 | |
*** openstack-securi has joined #openstack-keystone | 18:00 | |
*** rwsu has joined #openstack-keystone | 18:02 | |
*** sbfox has joined #openstack-keystone | 18:04 | |
*** jsavak has quit IRC | 18:04 | |
*** jsavak has joined #openstack-keystone | 18:04 | |
*** CraigLee has joined #openstack-keystone | 18:07 | |
*** leseb has joined #openstack-keystone | 18:08 | |
*** leseb has quit IRC | 18:13 | |
*** __afazekas is now known as afazekas | 18:18 | |
*** harlowja is now known as harlowja_away | 18:25 | |
*** dims_ has quit IRC | 18:25 | |
*** gokrokve_ has quit IRC | 18:26 | |
*** thedodd has joined #openstack-keystone | 18:46 | |
*** gokrokve has joined #openstack-keystone | 18:46 | |
*** erecio has quit IRC | 18:48 | |
*** erecio has joined #openstack-keystone | 18:49 | |
*** bknudson has quit IRC | 19:02 | |
*** harlowja_away is now known as harlowja | 19:03 | |
*** thedodd has quit IRC | 19:04 | |
stevemar | marekd, ping | 19:04 |
morganfainberg | ayoung, cool we've got a few to discuss next week, but all-in-all not a bad result | 19:05 |
ayoung | ++ | 19:05 |
*** thedodd has joined #openstack-keystone | 19:05 | |
*** praneshp_ has joined #openstack-keystone | 19:06 | |
*** jsavak has quit IRC | 19:06 | |
*** jsavak has joined #openstack-keystone | 19:07 | |
*** praneshp has quit IRC | 19:08 | |
*** praneshp_ is now known as praneshp | 19:08 | |
*** nkinder has quit IRC | 19:08 | |
ayoung | morganfainberg, here's how it looks http://eavesdrop.openstack.org/meetings/keystone/2014/keystone.2014-06-10-18.01.html | 19:08 |
morganfainberg | ayoung, nice. | 19:08 |
morganfainberg | yeah that works for me. | 19:08 |
marekd | stevemar: 5 min. | 19:09 |
*** erecio has quit IRC | 19:10 | |
*** dims_ has joined #openstack-keystone | 19:10 | |
*** erecio has joined #openstack-keystone | 19:11 | |
*** marcoemorais has quit IRC | 19:11 | |
*** marcoemorais has joined #openstack-keystone | 19:11 | |
*** marcoemorais has quit IRC | 19:12 | |
*** marcoemorais has joined #openstack-keystone | 19:12 | |
*** sbfox has quit IRC | 19:13 | |
marekd | stevemar: sorry, I was on the phone. | 19:20 |
marekd | stevemar: what's up? | 19:20 |
*** gyee has quit IRC | 19:23 | |
stevemar | marekd, not seeing saml attributes in the env. context | 19:24 |
*** CraigLee has quit IRC | 19:25 | |
marekd | did you configure attribute-map.xml in /etc/shibboleth ? | 19:25 |
stevemar | let me poke around in there | 19:25 |
stevemar | there should be defaults shouldn't there? | 19:25 |
marekd | there should. | 19:26 |
marekd | stevemar: are you getting into Keystone (so it complains there is nothing it can map etc etc)? | 19:26 |
*** afazekas has quit IRC | 19:26 | |
stevemar | marekd, yep, its getting into keystone, and then the mapping engine blows up | 19:27 |
stevemar | marekd, when i print out the context, to log, it doesn't show much in the environment | 19:27 |
stevemar | i think you are right, my attribute-map looks pretty sparse | 19:27 |
marekd | hm | 19:28 |
marekd | let me check one option. | 19:28 |
marekd | stevemar: let me look for an option that additionally stores the whole assertion into the environment. You will be able to see what the assertion looks like, try to check what's in your attribute-map.xml and see if they intersect somehow. | 19:29 |
*** amcrn has joined #openstack-keystone | 19:31 | |
*** daneyon has joined #openstack-keystone | 19:37 | |
marekd | stevemar: i think the option is : ShibExportAssertion set to On in the apache vhost config | 19:38 |
marekd | http://docs.openstack.org/developer/keystone/configure_federation.html#configure-apache-httpd-for-mod-shibboleth | 19:39 |
*** bknudson has joined #openstack-keystone | 19:40 | |
morganfainberg | i wish my laptop's screen was brighter.... | 19:41 |
morganfainberg | would make it easier to sit outside and code | 19:41 |
rodrigods | is there a better way to "emulate" a domain related role in services like Nova, than granting roles to all projects in a domain? | 19:45 |
jamielennox | hey, do people mind having a look over https://review.openstack.org/#/c/98955/ (actually a nova-spec) just to make sure i'm sane before i send it off to the wider -dev community? | 19:46 |
jamielennox | ayoung: ^ | 19:46 |
ayoung | jamielennox, sure | 19:47 |
*** thedodd has quit IRC | 19:47 | |
jamielennox | i'll put it on the -dev list because the same things will happen in cinder etc, but let me know if there's anything that needs to be expanded or better explained first | 19:48 |
ayoung | jamielennox, most of that "spec" is problem description | 19:49 |
*** openstack-securi has quit IRC | 19:49 | |
stevemar | thanks marekd i'll give it a try | 19:49 |
ayoung | jamielennox, that is very sane | 19:49 |
ayoung | option_group = 'neutron' | 19:50 |
ayoung | sess = session.Session.load_from_conf_options(CONF, option_group) | 19:50 |
ayoung | sess.auth = conf.plugin_from_conf(CONF, option_group) | 19:50 |
ayoung | client = client.Client(session=sess) | 19:50 |
ayoung | that is the heart of it, and it makes a load of sense | 19:50 |
*** thedodd has joined #openstack-keystone | 19:50 | |
jamielennox | ok, but shuffle the rest around into problem description | 19:50 |
ayoung | jamielennox, conf.plugin_from_conf looks off | 19:50 |
*** kun_huang has quit IRC | 19:50 | |
ayoung | that should not be conf | 19:50 |
jamielennox | yea, i thought that too | 19:50 |
ayoung | can we do it off the session? | 19:51 |
jamielennox | umm | 19:51 |
jamielennox | theres a fair bit of code there, i think it needs to be isolated like that somehow | 19:51 |
jamielennox | you could have session call out to it | 19:51 |
ayoung | session.plugin_from_conf(CONF, option_group) would do it in one line | 19:52 |
ayoung | you could reuse the plugin with | 19:52 |
ayoung | auth = session.auth | 19:52 |
jamielennox | so plugin there is auth plugin and in general i think it makes more sense to provide the plugin to the session | 19:53 |
ayoung | infact, | 19:53 |
ayoung | sess.auth = conf.plugin_from_conf(CONF, option_group) is different from previous examples because you don't know the class to load in, right? | 19:54 |
ayoung | anyway, that is a little awkward, but the overall approach is solid | 19:54 |
jamielennox | what do you mean the class? | 19:55 |
jamielennox | in previous examples i would have always loaded the auth plugin first and then passed it to session, i don't think the from_conf function currently will let me specify additional params | 19:56 |
jamielennox | but that's fixable | 19:56 |
*** marcoemorais has quit IRC | 19:57 | |
*** marcoemorais has joined #openstack-keystone | 19:58 | |
ayoung | right, you loaded the auth plugin by classname | 19:58 |
ayoung | but here you want to get that out of the config file, so there is no obvious factory, which is why you hung it off the conf | 19:58 |
ayoung | but it doesn't belong there | 19:59 |
marekd | anybody had an issue with py33 tests and missing pyconfig.h header? | 19:59 |
marekd | i did install python3-dev package (using debian) | 19:59 |
jamielennox | ayoung: from keystoneclient.auth import conf | 19:59 |
jamielennox | it's not the actual CONF object | 19:59 |
ayoung | yuck | 19:59 |
ayoung | I'd rather not do that.... | 20:00 |
ayoung | should be something like | 20:00 |
ayoung | auth.Auth | 20:00 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone-specs: JSON Home https://review.openstack.org/97359 | 20:00 |
ayoung | just like session is | 20:00 |
*** NM has quit IRC | 20:00 | |
jamielennox | you mean make an actual plugin object that takes the CONF as params and proxies to the eventual object? | 20:01 |
*** NM has joined #openstack-keystone | 20:01 | |
ayoung | just to keep it consistent, and to encapsulate the discovery logic | 20:01 |
*** daneyon has quit IRC | 20:02 | |
jamielennox | interesting | 20:02 |
*** jsavak has quit IRC | 20:03 | |
jamielennox | ayoung: i'm not sure it's better though, you simply end up wrapping a plugin rather than providing a factory to one | 20:03 |
ayoung | jamielennox, I mean only that auth.Auth is the factory, instead of conf | 20:04 |
*** jsavak has joined #openstack-keystone | 20:04 | |
jamielennox | session.auth = ConfPlugin(CONF, option_group) seems odd | 20:04 |
ayoung | session.auth = AuthPluginFactory(CONF, option_group) | 20:04 |
stevemar | marekd, how do you specify a prefix for shib? | 20:04 |
ayoung | although not Factory | 20:04 |
jamielennox | where AuthPluginFactory is a class or a function? | 20:05 |
ayoung | session.auth = auth.AuthPlugins(CONF, option_group) | 20:05 |
marekd | stevemar: in keystone config or where? | 20:05 |
ayoung | ah, right...cuz session.Session is a constructor | 20:05 |
stevemar | marekd, in the shib config side of things | 20:05 |
stevemar | i know how to change it in keystone :) | 20:05 |
ayoung | session.auth = auth.plugins(CONF, option_group) | 20:05 |
marekd | stevemar: hehe, of course you do :-) | 20:05 |
marekd | stevemar: let me check. | 20:05 |
jamielennox | ok, so that's mostly saying that i should put it in keystoneclient/auth/__init__.py rather that /auth/conf.py | 20:06 |
*** sbfox has joined #openstack-keystone | 20:06 | |
*** sbfox has quit IRC | 20:06 | |
*** sbfox has joined #openstack-keystone | 20:06 | |
marekd | stevemar: http://linux.web.cern.ch/linux/scientific6/docs/shibboleth/attribute-map.xml -> id tag. | 20:07 |
marekd | later in the environment i was seeing variables named according to the values from the id tag. | 20:07 |
stevemar | ah i see | 20:08 |
marekd | stevemar: yeah, that's kinda shitty :/ | 20:08 |
stevemar | what about just disabling external from keystone.conf? | 20:08 |
marekd | external prefix? | 20:09 |
*** NM has quit IRC | 20:09 | |
stevemar | marekd, from auth_methods | 20:09 |
marekd | stevemar: aaaa, go ahead and disable :-) | 20:09 |
marekd | having issues with REMOTE_USER? | 20:09 |
marekd | actually... | 20:09 |
marekd | right now, even if you disable external and you put something into REMOTE_USER you will be in trouble. | 20:10 |
marekd | stevemar: besides why do you think about disabling external auth method while talking about assertions prefixes? | 20:11 |
stevemar | marekd, then we can keep REMOTE_USER in env, and not go through external auth? | 20:12 |
*** sbfox has quit IRC | 20:12 | |
*** NM has joined #openstack-keystone | 20:13 | |
marekd | stevemar: AFAIR keystone checks for REMOTE_USER in the first place and if it finds it there it automatically tries to execute the external auth workflow. | 20:13 |
stevemar | marekd, thats kinda lame, even if external auth isn't listed as a method? | 20:14 |
marekd | stevemar: https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L451 | 20:14 |
stevemar | wow | 20:14 |
stevemar | we should really expand that conditional to include: if 'external' in auth_methods: | 20:15 |
marekd | tafam | 20:15 |
marekd | yeah. | 20:15 |
stevemar | bah | 20:16 |
marekd | ? | 20:16 |
stevemar | marekd, do you have a sample assertion somewhere? it's been a while | 20:16 |
marekd | stevemar: pure xml? | 20:16 |
stevemar | marekd, yeah | 20:17 |
*** browne has joined #openstack-keystone | 20:20 | |
marekd | stevemar: https://gist.github.com/zaccone/48ae00a5f9de8ccbbb78 | 20:21 |
marekd | from my test federated-keystone. | 20:21 |
rodrigods | is there any docs where the content from a token is described? | 20:21 |
stevemar | marekd, can you get one that is unencrypted? | 20:22 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: add docs on v2 & v3 support in the service catalog https://review.openstack.org/99075 | 20:23 |
*** afazekas has joined #openstack-keystone | 20:24 | |
marekd | stevemar: hah, right :-) I would have to probably print some debug log in Keystone, but for now I think you can take a look at: http://adam.younglogic.com/2013/10/saml-example/ and http://adam.younglogic.com/resources/adam_example.saml | 20:25 |
marekd | stevemar: i need to pick somebody up from the airport and i am already late :( Be back in 40mins | 20:25 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166 | 20:29 |
marekd | dstanek: ^^ | 20:29 |
*** browne has quit IRC | 20:33 | |
*** arunkant has quit IRC | 20:33 | |
*** esmute has quit IRC | 20:33 | |
*** esmute has joined #openstack-keystone | 20:33 | |
*** arunkant has joined #openstack-keystone | 20:33 | |
*** browne has joined #openstack-keystone | 20:34 | |
*** browne has quit IRC | 20:39 | |
*** browne has joined #openstack-keystone | 20:40 | |
*** dhellmann_ has joined #openstack-keystone | 20:41 | |
*** schofield has quit IRC | 20:46 | |
*** dhellmann_ has quit IRC | 20:48 | |
*** schofield has joined #openstack-keystone | 20:48 | |
*** dhellmann_ has joined #openstack-keystone | 20:48 | |
*** gyee has joined #openstack-keystone | 20:49 | |
*** gyee has quit IRC | 20:51 | |
*** gyee has joined #openstack-keystone | 20:53 | |
*** rodrigods_ has joined #openstack-keystone | 20:54 | |
*** bknudson has quit IRC | 20:54 | |
*** amcrn has quit IRC | 20:54 | |
*** dhellmann has quit IRC | 20:54 | |
*** hrybacki_ has quit IRC | 20:54 | |
*** rodrigods has quit IRC | 20:54 | |
*** DuncanT- has quit IRC | 20:54 | |
*** openstackgerrit has quit IRC | 20:54 | |
*** dhellmann_ is now known as dhellmann | 20:54 | |
*** dhellmann has quit IRC | 20:56 | |
*** openstack-securi has joined #openstack-keystone | 21:01 | |
dolphm | stevemar: i noticed bkhudson provided an update for one of your two comments on https://review.openstack.org/#/c/99075/ ... | 21:03 |
dolphm | stevemar: for the other, would a link to http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html be appropriate? | 21:03 |
stevemar | dolphm, maybe to http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#authenticating specifically | 21:04 |
dolphm | stevemar: works for me | 21:05 |
stevemar | dolphm, i'll wait til jenkins is done, but brants changes look good | 21:05 |
dolphm | stevemar: cool. i made the same change locally and was trying to figure out how to address your other comment :) | 21:05 |
*** marcoemorais has quit IRC | 21:09 | |
*** marcoemorais has joined #openstack-keystone | 21:09 | |
*** leseb has joined #openstack-keystone | 21:10 | |
*** openstack-securi has quit IRC | 21:10 | |
*** bknudson has joined #openstack-keystone | 21:11 | |
*** amcrn has joined #openstack-keystone | 21:11 | |
*** hrybacki_ has joined #openstack-keystone | 21:11 | |
*** DuncanT- has joined #openstack-keystone | 21:11 | |
*** openstackgerrit has joined #openstack-keystone | 21:11 | |
*** htruta has quit IRC | 21:12 | |
stevemar | dolphm, commented | 21:14 |
*** rodrigods_ has quit IRC | 21:18 | |
openstackgerrit | Steven Hardy proposed a change to openstack/python-keystoneclient: Enable forcing re-authentication for trust-scoped clients https://review.openstack.org/96298 | 21:22 |
*** leseb has quit IRC | 21:26 | |
*** NM has quit IRC | 21:30 | |
*** jsavak has quit IRC | 21:31 | |
*** amcrn has quit IRC | 21:31 | |
morganfainberg | jamielennox, ping | 21:33 |
jamielennox | morganfainberg: hello | 21:34 |
morganfainberg | jamielennox, re some heat + ksc work. | 21:34 |
morganfainberg | jamielennox, so, with all the new cool session magic in ksc, is it best to just still (for simplicity's sake) just do a if domain_id is provided, use domain_id, else use domain_name? | 21:34 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Add v3 curl examples https://review.openstack.org/96973 | 21:34 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Use code-block for curl examples https://review.openstack.org/98526 | 21:34 |
morganfainberg | jamielennox, they're using V3Client object directly now, not sure if that is the best option. | 21:35 |
*** leseb has joined #openstack-keystone | 21:36 | |
jamielennox | so version discovery hasn't been merged yet - it's actually what i'm looking at again now | 21:36 |
jamielennox | ah - automatic version discovery in the session | 21:37 |
jamielennox | i don't think how you manage domain_id/name will change | 21:37 |
jamielennox | even if you switch to an auth plugin you get like v3.Password() which takes both and takes the one most appropriate | 21:37 |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: add docs on v2 & v3 support in the service catalog https://review.openstack.org/99075 | 21:37 |
morganfainberg | jamielennox, ok | 21:38 |
morganfainberg | jamielennox, so for now i'll keep the same logic | 21:38 |
dolphm | stevemar: dstanek: bknudson: addressed all comments https://review.openstack.org/#/c/99075/ | 21:38 |
jamielennox | i'd like to see heat attempt to go towards a session as i think they will be one of the big winners - but it's not a trivial change | 21:38 |
morganfainberg | jamielennox, ++ make the big swing to session independent of this bug fix | 21:39 |
jamielennox | yea | 21:39 |
morganfainberg | cool | 21:39 |
morganfainberg | thats what i was looking for | 21:39 |
dolphm | is anyone actively reviewing henry's change for multi-backend-uuids? | 21:39 |
dolphm | ^--> https://review.openstack.org/#/c/74214/ | 21:39 |
stevemar | thanks dolphm | 21:40 |
stevemar | dolphm, that one scares me | 21:41 |
stevemar | bknudson, did you mention tempest tests for changes to federation today (or yesterday)? | 21:42 |
stevemar | was wondering if you had any ideas cooking on how we could do that | 21:42 |
bknudson | stevemar: I think I did mention it yesterday | 21:42 |
dstanek | dolphm: i am right now | 21:43 |
bknudson | since there's a section of the spec template for testing considerations | 21:43 |
marekd | bknudson: that's interesting, what was your idea? | 21:43 |
bknudson | stevemar: and since we didn't have that section before, it turns out that there's a lot of things that aren't being tested | 21:43 |
bknudson | marekd: I have no idea how to test it in tempest, since I'm not very familiar with tempest testing | 21:44 |
bknudson | (we didn't worry about it before since we didn't have a spec template that says to worry about it) | 21:44 |
*** henrynash has quit IRC | 21:44 | |
stevemar | well put | 21:44 |
stevemar | it was a to-do on my federation list going into the summit | 21:45 |
bknudson | maybe we'll set something up internally and then hook it up for external CI | 21:45 |
stevemar | bknudson, internally within ibm? | 21:45 |
bknudson | stevemar: yes | 21:45 |
marekd | CI ? | 21:45 |
bknudson | like the DB2 CI | 21:45 |
stevemar | bknudson, cool... cool | 21:45 |
stevemar | ah | 21:45 |
bknudson | marekd: continuous integration | 21:45 |
*** sbfox has joined #openstack-keystone | 21:45 | |
stevemar | bknudson, so, who set up the DB2 CI? | 21:46 |
stevemar | bknudson, would the same team be able to do it for TFIM? | 21:46 |
bknudson | stevemar: we had a team in beijing set it up... zhu zhu | 21:46 |
stevemar | i see | 21:46 |
bknudson | there should be a wiki page that says how the db2 ci works... | 21:46 |
marekd | stevemar: btw - did you succeed with your federation setup? | 21:47 |
bknudson | https://wiki.openstack.org/wiki/IBM/DB2-TEST | 21:47 |
stevemar | marekd, the idp guy had to go, so we will continue tmrw, he was asking if you could get the unencrypted saml assertion | 21:47 |
marekd | Adam's didn't work well? | 21:48 |
marekd | stevemar: let me try get an unencrypted one. | 21:48 |
marekd | but it's not the CERN's one. | 21:48 |
stevemar | marekd, i think the idp guy wants to look @ the values in the saml assertion and the attribute-map.xml file | 21:49 |
dolphm | stevemar: i saw something recently about SAML2 encryption being mandatory over http, but relaxed over https (so make sure you use https?) | 21:51 |
*** dims__ has joined #openstack-keystone | 21:52 | |
stevemar | dolphm, yeah, right now I'm testing it over http, cause I was lazy with devstack | 21:52 |
stevemar | is there an easy way to switch it to https? | 21:52 |
*** hrybacki has quit IRC | 21:53 | |
*** dims_ has quit IRC | 21:54 | |
*** dhellmann has joined #openstack-keystone | 21:55 | |
dolphm | stevemar: "If the Service Provider uses SSL/HTTPS and supports decrypting assertions, the Identity Provider MAY encrypt the assertion." as opposed to MUST with HTTP | 21:55 |
*** openstack-securi has joined #openstack-keystone | 21:56 | |
stevemar | dolphm, previous question, do you know? | 21:57 |
*** hrybacki_ has quit IRC | 21:57 | |
stevemar | dolphm, normally i would just teardown devstack and bring it back up, having tls as an enabled service, but if there is an easier way... | 21:58 |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: remove unnecessary word in docs: 'an' https://review.openstack.org/99218 | 21:58 |
dolphm | stevemar: offhand, i don't recall :( | 22:01 |
dolphm | stevemar: ayoung or bknudson might know better? | 22:01 |
bknudson | if https setup is in devstack I haven't tried it | 22:03 |
*** openstack-securi has quit IRC | 22:04 | |
dstanek | dolphm: there seems to be dragons lying in the domain specific driver code | 22:04 |
dolphm | dstanek: lots! be afraid to enter | 22:05 |
dolphm | dstanek: are you looking at issues being fixed by henry's patch, or introduced by it? :-/ | 22:05 |
*** marcoemorais has quit IRC | 22:08 | |
dstanek | i think neither - i'm walking through everything trying to understand the implications of the changes | 22:09 |
openstackgerrit | A change was merged to openstack/keystone: fixed several pep8 issues https://review.openstack.org/93686 | 22:09 |
dstanek | i don't understand the whole 'is_domain_aware' deal | 22:09 |
bknudson | some backends are domain aware and some are not | 22:10 |
bknudson | I think it's just LDAP that's not | 22:10 |
dstanek | what does it mean to 'support domains'? that all queries will automatically have a domain_id added for filtering? | 22:10 |
marekd | dolphm: where did you see that spec about encrypting saml assertion and http vs https? | 22:11 |
dstanek | bknudson: for example http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n317 | 22:11 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog https://review.openstack.org/74599 | 22:12 |
dstanek | bknudson: why does selecting a non-domain aware driver clear the hint? because it doesn't support it and the comment is misleading? | 22:12 |
bknudson | dstanek: if the driver isn't domain aware then it only contains 1 domain. | 22:13 |
dstanek | when i say 'list_users(domain_scope="blah")' where does the filter get set? | 22:14 |
*** gordc has quit IRC | 22:14 | |
marekd | stevemar: anyways, I will dig up a little bit and try to somehow decrypt that assertion and send it along with working attribute-map.xml . | 22:17 |
stevemar | woo hoo | 22:17 |
*** bknudson has quit IRC | 22:22 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Documentation https://review.openstack.org/84070 | 22:25 |
morganfainberg | dstanek, meh, if we get henry's unique id stuff in and per-domain backend logic, we can make any/all backends not "domain aware" | 22:26 |
morganfainberg | dstanek, more to the point, SQL is domain aware because... it lends itself to be, brant did a ton of work to make kvs more domain friendly iirf | 22:27 |
morganfainberg | iirc | 22:27 |
morganfainberg | dstanek, the domain_scope is just used to determine the backend driver. that is part of the multi-backend story (e.g. SQL + LDAP + LDAP + LDAP) | 22:27 |
*** schofield has quit IRC | 22:27 | |
morganfainberg | dstanek, in short, it doesn't filter, it just looks up the specific backend. | 22:28 |
*** PritiDesai has joined #openstack-keystone | 22:29 | |
*** schofield has joined #openstack-keystone | 22:29 | |
jamielennox | dstanek: can you review your -2 on https://review.openstack.org/#/c/87849/ i don't think it matters anymore as lance is going with jsonschema | 22:29 |
*** leseb has quit IRC | 22:32 | |
dstanek | jamielennox: yeah, i can remove the -2 | 22:38 |
marekd | stevemar: dolphm: morganfainberg: docs fix, should be easy: https://review.openstack.org/#/c/97479/ | 22:41 |
*** thedodd has quit IRC | 22:43 | |
marekd | stevemar: thanks for quick +2 :-) | 22:46 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Create HTTP methods mixin object https://review.openstack.org/97680 | 22:49 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681 | 22:49 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Adapters https://review.openstack.org/86237 | 22:49 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add service_name to URL discovery https://review.openstack.org/97679 | 22:49 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols. https://review.openstack.org/83829 | 22:50 |
marekd | dstanek: do you think you will find few minutes for a second round of https://review.openstack.org/#/c/92166/ ? | 22:56 |
dstanek | marekd: sure | 22:56 |
marekd | somewhere today, not now of course. | 22:56 |
marekd | dstanek: great | 22:57 |
*** marekd is now known as marekd|away | 22:59 | |
*** PritiDesai1 has joined #openstack-keystone | 23:03 | |
*** PritiDesai has quit IRC | 23:03 | |
*** radez is now known as radez_g0n3 | 23:04 | |
ayoung | stevemar, you still have a question? | 23:05 |
jamielennox | marekd|away: how did you go with the redirect thing? | 23:05 |
*** nkinder has joined #openstack-keystone | 23:06 | |
*** dims__ has quit IRC | 23:06 | |
*** dims__ has joined #openstack-keystone | 23:08 | |
*** dstanek is now known as dstanek_zzz | 23:13 | |
*** rodrigods has joined #openstack-keystone | 23:14 | |
*** gokrokve has quit IRC | 23:19 | |
*** sbfox has quit IRC | 23:25 | |
*** hrybacki has joined #openstack-keystone | 23:27 | |
*** rodrigods has quit IRC | 23:28 | |
*** praneshp has quit IRC | 23:30 | |
*** praneshp has joined #openstack-keystone | 23:33 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Create HTTP methods mixin object https://review.openstack.org/97680 | 23:35 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681 | 23:35 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Adapters https://review.openstack.org/86237 | 23:35 |
jamielennox | ayoung: i'm going through your revocation events change, why is RevokeEvent outside the v3 tree? why doesn't the manager inherit from BaseManager? | 23:40 |
jamielennox | i'm not seeing the point of some of this, why build the RevokeEvent object just to convert it back to a dictionary | 23:41 |
*** kun_huang has joined #openstack-keystone | 23:41 | |
jamielennox | why do you need to call build_token_values before calling is_revoked? why not just handle it there? | 23:43 |
*** PritiDesai1 has quit IRC | 23:45 | |
*** gokrokve has joined #openstack-keystone | 23:52 | |
jamielennox | morganfainberg: as you seem to be interested in logging token - do you have any ideas how to strip that out sanely? | 23:55 |
jamielennox | X-Auth-Token is easy, i've no idea how to signal that this particular request is an auth request and you shouldn't log the password - but everything else is fine | 23:56 |
morganfainberg | jamielennox, obscure them in the session object, never actually put them in a log? | 23:56 |
morganfainberg | jamielennox, pretty much we should never log auth requests or tokens. (maybe some crazy trace level) | 23:57 |
jamielennox | morganfainberg: so x-auth-token is easy, you just put a check https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L243-L245 | 23:57 |
morganfainberg | erm strip out password in the auth request by not logging. | 23:57 |
morganfainberg | aye | 23:57 |
*** kun_huang has quit IRC | 23:57 | |
jamielennox | however, in the case of an auth request - the session doesn't really know that | 23:58 |
morganfainberg | but you do know if it's coming from the authenticate code path - might need a flag that says _obscure_fields=[field, field, etc] and have it search/replace | 23:59 |
jamielennox | assuming at that point that we're using json - which is safe but not quite right | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!