Thursday, 2014-06-12

*** sbfox has quit IRC		00:04
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Hide details of HTTP 409 erros unless in debug https://review.openstack.org/98302	00:08
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Hide details of HTTP 409 errors unless in debug https://review.openstack.org/98302	00:08
*** oomichi_sleeping is now known as oomichi		00:09
*** dstanek is now known as dstanek_zzz		00:10
*** dims__ has quit IRC		00:11
*** dims has joined #openstack-keystone		00:11
jamielennox	morganfainberg: do you know how the oslo.config example generator works	00:18
jamielennox	i seem to remember it being you who did that in keystone	00:18
morganfainberg	jamielennox, i have a decent idea of it	00:18
morganfainberg	jamielennox, whats up with it?	00:18
jamielennox	comment here: https://review.openstack.org/#/c/95015/5/keystoneclient/session.py	00:18
jamielennox	ah, on another read after checking out the code that does make a bit more senes	00:19
morganfainberg	jamielennox, he's just saying make sure you've got all the options loaded before returning	00:20
morganfainberg	jamielennox, since it could put different options in depending on the ways (and times) it's called	00:21
*** dims has quit IRC		00:21
*** rodrigods_ has joined #openstack-keystone		00:21
jamielennox	morganfainberg: so part of the reason to make the register function standalone was that it could be called globally, and then load would get called in process later	00:21
jamielennox	obviously that's not sufficient though	00:21
morganfainberg	jamielennox, right and you need to do the entrypoint thing to ensure the stuff is caught by the sample config generator	00:22
morganfainberg	(how keystone does it)	00:22
morganfainberg	does that make sense?	00:23
jamielennox	so why do i need to do the entrypoint thing? if you call register() then the CONF object knows about those options	00:23
morganfainberg	because the way the generator works is it looks for lists of objects	00:24
jamielennox	(also from his comment i think this is a problem for people using this code not for that review)	00:24
jamielennox	so it doesn't actually populate a CONF object and read it from there?	00:24
jamielennox	that seems... dumb	00:24
morganfainberg	it does some of that, but the guessing part is really ugly	00:25
morganfainberg	the entrypoint bit is a lot cleaner imo	00:25
morganfainberg	it also eliminates the need to register opts on import	00:25
morganfainberg	you can do it with a method (like this)	00:26
morganfainberg	i assume this is called at runtime, not at import, right?	00:26
*** zhiyan_ is now known as zhiyan		00:27
jamielennox	register is designed to be called at import	00:27
jamielennox	load is at runtime	00:27
*** dims has joined #openstack-keystone		00:27
morganfainberg	so register is called when you import the session (e.g. import session, then session.register(groupname) ) ?	00:27
*** dstanek_zzz is now known as dstanek		00:28
jamielennox	no,	00:28
jamielennox	oh, kindof	00:28
jamielennox	i look at this as a replacement for defining your own list of options	00:28
morganfainberg	or is it import session... then somewhere at runtime .register_conf()	00:28
morganfainberg	in a function/method/etc	00:28
jamielennox	so you would session.Session.register() in a global conf.py or something	00:28
*** praneshp has quit IRC		00:28
jamielennox	at the same time as you were registering all your other conf options	00:29
morganfainberg	well keystone does't register options except at runtime, ever	00:29
morganfainberg	are we the unique snowflakes here?	00:29
*** ncoghlan has joined #openstack-keystone		00:30
morganfainberg	that is what made the extra work for the sample config generator for us	00:30
jamielennox	oh - huh	00:30
jamielennox	https://github.com/openstack/keystone/blob/master/keystone/common/config.py	00:30
morganfainberg	yep	00:31
jamielennox	i thought that we did registered that on import	00:31
morganfainberg	nope	00:31
morganfainberg	we used to, but it caused all sorts of bad code behavior	00:31
jamielennox	auth_token certainly does: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L336	00:31
morganfainberg	right	00:31
morganfainberg	i would recommending doing register at runtime	00:32
morganfainberg	not at import time	00:32
jamielennox	so i'm in general not a fan of oslo.config providing a global object	00:32
morganfainberg	because i think generate_sample will puke	00:32
jamielennox	but that would be the ONE advantage of that approach	00:32
morganfainberg	i _think_ i needs options to be in a [] of options to work	00:33
jamielennox	ok, not the only - but a REALLY BIG advantage to the global config is you can register whenever you like	00:33
morganfainberg	so [] and then register that []	00:33
morganfainberg	yep.	00:33
jamielennox	so dhellmann seems to have gone - but do you think simply returning opts is sufficient there?	00:34
jamielennox	is it still ok to do the actual register on behalf of the service or shouuld i always just return a list and let the service register it	00:34
morganfainberg	well, you'd need the other service to provide the entrypoint for it then (still)	00:35
jamielennox	i considered that initially as a way to let the service set it's own deprecations	00:35
jamielennox	i think that's going to have to happen anyway	00:35
morganfainberg	but if you just returned a list, i _think_ you could at import say session_opts = session.Session.get_opts(group)	00:36
morganfainberg	if that returns a list	00:36
morganfainberg	or uh, you know what i mean	00:36
morganfainberg	session_opts = session.session.get_opts()	00:36
morganfainberg	then they can register it however they want	00:36
morganfainberg	it's their business.	00:36
morganfainberg	that would solve the need for the entrypoint	00:37
jamielennox	it kind of kills the aesthetics of it	00:37
jamielennox	also why does it remove the need for an entrypoint - you stil lhave that list defined in an external library	00:37
morganfainberg	the entrypoint is needed because you don't end up iwth these options in a list in a module	00:38
morganfainberg	you register it on behalf of the consumer	00:38
morganfainberg	so that consumer needs a method to expose these options (in the group(s) it will want them registered) to the sample_config generator	00:38
morganfainberg	the consumer would have a method called uhmm .session_entry_point_opts	00:39
*** richm has left #openstack-keystone		00:39
morganfainberg	which would get the list of your opts you're providing and do what keystone is doing (essentially)	00:39
*** rodrigods_ has quit IRC		00:39
morganfainberg	in either case you'd need to split the definition of the opts to a second method that could extract them separately from registering them	00:39
morganfainberg	does that help?	00:40
morganfainberg	it's kinda hard to explian	00:40
jamielennox	is it a problem though to register and return - or not worth the effort?	00:41
morganfainberg	i dunno if it's worth the effort.	00:42
morganfainberg	the more straightforward everything is, the better.	00:42
morganfainberg	but i do like providing a helper to "hey go register this for this group"	00:43
morganfainberg	it's... convienient?	00:43
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Properly invalidate cache for get_*_by_name methods https://review.openstack.org/97082	00:43
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf https://review.openstack.org/95015	00:44
jamielennox	morganfainberg: ^^	00:44
jamielennox	i like the symmetry of Session.register_opts(CONF, group) Session.load_opts(CONF, group)	00:44
morganfainberg	sure. the consuming project will still need an entrypoint i think	00:45
jamielennox	yea - i think even if i just return the list they will need an entrypoint right?	00:45
morganfainberg	ooo	00:45
morganfainberg	look at how list_opts works in keystone	00:46
morganfainberg	will need to return (group, [opt, opt, opt]) i it looks like	00:46
jamielennox	yea, but group is defined by the consumer in our case	00:46
morganfainberg	oh ha yeah	00:47
morganfainberg	so the consumer will provide the entrypont	00:47
morganfainberg	and append group info to it	00:47
morganfainberg	erm make the (group, opts) tuple list thing	00:47
jamielennox	yea, that's what i got from dougs comment, the consumer would need to provide an entrypoint to the function that did all the option registering	00:50
jamielennox	i don't know if it matters if the same function actually registers the options so long as it returns them	00:50
jamielennox	so eg heat would have a function that says load_client_config_opts() that registered all the options and returned the list	00:51
jamielennox	that should be able to be the same function that they use internally to actually register them	00:51
morganfainberg	except i think registering might cause issues for the sample_generator	00:53
morganfainberg	with the entrypoint	00:53
jamielennox	seriously	00:53
jamielennox	but then any other project who was registering options at import time would fail	00:54
morganfainberg	as an entrypoint it works slightly differently	00:54
morganfainberg	but i don't think you want to muck with the conf object	00:54
*** jdennis has joined #openstack-keystone		00:54
jamielennox	ok	00:55
jamielennox	so if i can't register in the function called by the endpoint then i have to provide a seperate list and a register - but that's ok because the service wouldn't be able to use the same function to do the registering either	00:56
morganfainberg	jamielennox, right	00:57
morganfainberg	jamielennox, you should check w/ dhellmann on that, but i _think_you want to avoid registerting and listing in one shot	00:57
jamielennox	it's just whether it's worth providing the register function at all - because looking at it now it's just doing really basic oslo.config commands that the service would know how to do anyway	00:58
* morganfainberg grumbles, ... Rangers up 1-0, 3 mins left in the 1st period.		00:58
jamielennox	(Rangers is what sport again)	00:58
morganfainberg	ice hockey	00:58
jamielennox	ah	00:59
morganfainberg	playoff finals	00:59
morganfainberg	kings are up 3 games to 0 in the series (best 4 of 7 wins the series)	00:59
jamielennox	lol, the history to 4 of 7 that would be intersting	01:00
jamielennox	it's like one of those kids things where you kept uping the number of games you needed until you won	01:00
morganfainberg	haha	01:00
jamielennox	i bet it started as 2/3	01:00
morganfainberg	maybe	01:00
jamielennox	or possible 1	01:01
*** jdennis has quit IRC		01:04
*** mberlin1 has quit IRC		01:10
*** gokrokve has joined #openstack-keystone		01:14
*** PritiDesai has quit IRC		01:18
*** jdennis has joined #openstack-keystone		01:18
*** PritiDesai1 has joined #openstack-keystone		01:18
*** PritiDesai1 has quit IRC		01:22
*** mberlin has joined #openstack-keystone		01:25
*** gyee has quit IRC		01:28
*** jdennis has quit IRC		01:28
*** gokrokve has quit IRC		01:30
*** gokrokve has joined #openstack-keystone		01:30
*** gokrokve has quit IRC		01:35
*** sbfox has joined #openstack-keystone		01:37
*** rwsu has quit IRC		01:42
*** jdennis has joined #openstack-keystone		01:46
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf https://review.openstack.org/95015	01:48
*** ncoghlan is now known as ncoghlan_afk		01:55
*** ncoghlan_afk is now known as ncoghlan		01:56
*** ncoghlan is now known as ncoghlan_afk		02:13
*** browne1 has quit IRC		02:16
*** jdennis has quit IRC		02:16
*** nsquare has quit IRC		02:23
*** jdennis has joined #openstack-keystone		02:31
*** sbfox has quit IRC		02:34
*** dims has quit IRC		02:40
*** jdennis has quit IRC		02:45
*** dstanek is now known as dstanek_zzz		02:50
*** gokrokve has joined #openstack-keystone		03:05
*** dims_ has joined #openstack-keystone		03:07
*** ncoghlan_afk is now known as ncoghlan		03:10
*** dims_ has quit IRC		03:12
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog https://review.openstack.org/74599	03:12
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add invalidate doc string to identity plugin https://review.openstack.org/99558	03:15
*** xianghui has quit IRC		03:16
*** praneshp has joined #openstack-keystone		03:18
*** xianghui has joined #openstack-keystone		03:23
*** dstanek_zzz is now known as dstanek		03:25
*** stevemar has joined #openstack-keystone		03:26
*** zhiyan is now known as zhiyan_		03:30
jamielennox	morganfainberg: ahh, https://review.openstack.org/#/c/99432/2 lands right in the middle of what i was looking at	03:37
morganfainberg	ah	03:38
morganfainberg	will fix in next patch	03:38
morganfainberg	working on the cache invalidation one now.	03:39
morganfainberg	ran into an interesting inconsistency	03:39
jamielennox	no rush	03:39
*** praneshp_ has joined #openstack-keystone		03:39
jamielennox	i still don't have a good solution for the general body case	03:39
*** stevemar has quit IRC		03:40
morganfainberg	start somewhere, right? :)	03:41
*** zhiyan_ is now known as zhiyan		03:41
morganfainberg	actually. ugh	03:41
morganfainberg	just thought of something	03:41
*** praneshp has quit IRC		03:41
*** praneshp_ is now known as praneshp		03:41
morganfainberg	can't use raw sha1	03:41
morganfainberg	that is a valid hash for tokens now.	03:41
morganfainberg	maybe hashlib.sha1().update('Token Obscuring Hash') then update w/ the token_id ?	03:42
*** Ackowa has quit IRC		03:45
*** dstanek is now known as dstanek_zzz		03:45
*** sbfox has joined #openstack-keystone		03:48
*** xiej has quit IRC		03:51
morganfainberg	jamielennox, is there a better way of doing this? http://pasteraw.com/nlhs1onmwgvbb4uy3bwm6bprcclsppy	03:53
jamielennox	morganfainberg: if you are going to update() then there is no point doing the hash is there?	03:54
*** ayoung has quit IRC		03:54
morganfainberg	.update combines doesn't it?	03:54
jamielennox	yea	03:54
jamielennox	oh, you want to know that it's the same token	03:54
jamielennox	just not what that is	03:54
jamielennox	you could just do a rand() or something globally and use that	03:55
morganfainberg	jamielennox, http://pasteraw.com/5p88s3ergakk4cob28ijtsybuvs26qb	03:55
jamielennox	these things are only going to be useful within 1 run right	03:55
morganfainberg	jamielennox, it needs to be consistent, because they want to know if the same token is used in multiple requests	03:55
morganfainberg	at the moment tokens are valid for 1hr (default)	03:56
morganfainberg	they could be reused	03:56
morganfainberg	it might help to know if a token was explicitly reused (and maybe expired along the way)	03:56
jamielennox	and we need the output value to be the same across multiple runs of a client?	03:56
jamielennox	possible i guess	03:56
jamielennox	i'd change {SHA1} to {OBSCURED} or something	03:57
morganfainberg	{SSHA1}	03:58
morganfainberg	Salted SHA1	03:58
*** amcrn has joined #openstack-keystone		03:58
morganfainberg	but i'm ok iwth making it "obscured"	03:58
jamielennox	it is sha1 but that would imply that i can sha1 a token i know about SHA1 it and compare it to the debug	03:58
morganfainberg	so {obscured}? SSHA? SSHA1? {thisisnotarealtokenbutahashdealwithit}?	03:59
jamielennox	morganfainberg: maybe we should do	04:00
jamielennox	32 * '*' + token[:32]	04:01
jamielennox	how big is uuid again - i was going for 64	04:01
morganfainberg	32	04:02
jamielennox	ok, maybe just	04:02
jamielennox	X-Auth-Token: ****token[8:]	04:03
morganfainberg	i think you're going to run into hash collisons there	04:03
morganfainberg	or well... much higher chance	04:03
jamielennox	means you can mostly verify a token you know, but not use it to auth	04:03
morganfainberg	for uuid tokens	04:03
morganfainberg	for pki meh	04:03
jamielennox	so?	04:03
jamielennox	i'm just trying to indicate that all but the last 8 characters are obscured	04:03
morganfainberg	oh oh i see	04:03
morganfainberg	derp	04:04
morganfainberg	eh	04:04
morganfainberg	that "kinda" works	04:04
morganfainberg	and for PKI though, it might be guessable	04:04
jamielennox	not really	04:04
jamielennox	you can't take those 8 characters and use them for anything	04:04
morganfainberg	MII<somethingx8><rest of token>	04:05
morganfainberg	it's only 5 urlsafe b64 characters	04:05
morganfainberg	even 8.	04:05
jamielennox	yea, i changed it to [8:] always take the last ones	04:05
morganfainberg	not much to bruteforce	04:05
morganfainberg	i'd rather hash it	04:05
morganfainberg	tbh	04:05
jamielennox	is that going to be the same on PKI? i didn't think so	04:05
morganfainberg	yeah this is on at the same time as PKI	04:05
morganfainberg	this would show whatever is in X-AUTH-TOKEN	04:06
jamielennox	i mean will there be any repetition in the last 8 chars of a PKI token	04:06
jamielennox	like how they all start with MII	04:06
morganfainberg	could be	04:06
morganfainberg	seriously, i'd rather just hash it and not "guess" about good-enough	04:06
jamielennox	up to you, i think so long as your not providing the whole thing you're fairly secure	04:06
jamielennox	for debug you really don't care much	04:06
jamielennox	and the infra guys will be happy with anything short	04:07
morganfainberg	there is care to know within a good deal of certainty sure a token was reused.	04:07
morganfainberg	shrug	04:07
jamielennox	morganfainberg: but not for this audience	04:08
jamielennox	all we need to do is print something on screen for debug logging	04:08
jamielennox	it doesn't matter if you just --REDACTED-- the whole thing	04:08
morganfainberg	no i was specifically asked not to do --REDACTED-- by infra	04:08
morganfainberg	well sdague	04:09
morganfainberg	specifically for debugging if a token was reused across requests	04:09
jamielennox	that's my current thought for preventing logging of auth packets, i'm just going to say don't log at all then log it in the plugin seperately	04:09
morganfainberg	jamielennox, im fine with that (Re auth packets)	04:10
morganfainberg	maybe the best bet is to do token[:8] + token	04:11
morganfainberg	hash that	04:11
morganfainberg	it will ensure we get different hashes each time.	04:11
morganfainberg	but it wont be a native sha1	04:11
jamielennox	i think you're over thinking it, hash collisions in debug output aren't going to matter	04:12
jamielennox	so to get around the sha1 is a valid thing just hash it twice	04:13
jamielennox	.update(token)	04:13
jamielennox	.update(token)	04:13
jamielennox	.update(token * 2) - i wonder which is faster	04:14
morganfainberg	jamielennox, http://pasteraw.com/8n9d85zxuummplo4pac7qf300060pzu	04:16
*** harlowja is now known as harlowja_away		04:16
jamielennox	morganfainberg: no - that's way off	04:17
morganfainberg	?	04:17
jamielennox	you reduce the input space before expanding it again - you loose all actual benefit of the hash	04:17
jamielennox	do the double update above	04:17
morganfainberg	how am i reducing the input space?	04:18
jamielennox	if you want to do a hash - othrewise just show the last X digits	04:18
jamielennox	oh	04:18
jamielennox	sorry didn't see the + thought it was just the [:13]	04:18
morganfainberg	nah	04:18
morganfainberg	first 13 bytes + the whole id	04:18
morganfainberg	= consistent hash, not predictable (within reason)	04:18
morganfainberg	3 characters [MII] + 10	04:19
jamielennox	.. still think just do the double	04:19
morganfainberg	oh update(bit) then update(bit2)?	04:20
morganfainberg	oooh	04:20
morganfainberg	i see.	04:20
morganfainberg	sure.	04:20
morganfainberg	double hash the token	04:20
jamielennox	it looks kinda nicer too as you can do if k == 'X-Auth-Token': v = hashlib.sha1(token * 2).hexencode()	04:20
jamielennox	i don't know if token * 2 is the same output as update twice - i guess it should be	04:20
morganfainberg	>>> '1234567890'*2	04:21
morganfainberg	'12345678901234567890'	04:21
jamielennox	yea	04:22
jamielennox	so *2 and update twice gives the same result - makes sense	04:22
morganfainberg	jamielennox, might fall back to that (the double updatE)	04:24
morganfainberg	i'll post a comment on the review saying that is the alternate option and see what other feedback we get	04:24
jamielennox	i think it's easier than trying to guess that the first [:13] are unique - but again for debug output i don't think anyone cares	04:25
morganfainberg	i actually am doing [-13]:] now	04:29
morganfainberg	up to the last 13 bytes	04:29
openstackgerrit	Morgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output https://review.openstack.org/99432	04:31
jamielennox	do for key, val in headers: if key.lower() == 'x-auth-token': val = hashstuff	04:34
jamielennox	let the string_parts stuff be common	04:35
jamielennox	also, i think pull it out to a function, historically it was called http_log_req https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L176	04:35
jamielennox	morganfainberg: lol, just noticed https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L166-L174	04:36
morganfainberg	yeah that is where a lot of this comes from	04:36
jamielennox	yea, but i extracted session mostly from keystoneclient	04:37
*** dstanek_zzz is now known as dstanek		04:37
jamielennox	so it's not necessarily the same	04:37
morganfainberg	heh	04:38
*** Abhijeet_ has joined #openstack-keystone		04:43
*** dstanek is now known as dstanek_zzz		04:47
*** gokrokve has quit IRC		04:53
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076	04:55
*** Abhijeet_ has left #openstack-keystone		04:56
morganfainberg	jamielennox, oooh https://jenkins06.openstack.org/job/gate-python-keystoneclient-python33/293/console	04:57
morganfainberg	i got the _islogginenabledfor thing wrong	04:57
morganfainberg	but only for py33?	04:58
jamielennox	morganfainberg: wtf is that	04:58
morganfainberg	yeaaah	04:58
morganfainberg	no idea	04:58
jamielennox	a bug in logging ?	04:58
jamielennox	that'd be fun	04:58
morganfainberg	right?	04:59
morganfainberg	name resolution fail on one of the tempests will recheck when it finishes	04:59
morganfainberg	maaaaybe	04:59
morganfainberg	it'll resolve itself.	04:59
morganfainberg	and be really transient	04:59
jamielennox	morganfainberg: oh - no it's your fault	05:00
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265	05:00
jamielennox	logging.debug is the function logging.DEBUG is the level	05:00
morganfainberg	oh	05:00
morganfainberg	bah!	05:00
morganfainberg	yep	05:00
morganfainberg	thanks	05:00
openstackgerrit	Morgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output https://review.openstack.org/99432	05:01
morganfainberg	there we go	05:02
morganfainberg	crud...	05:02
jamielennox	morganfainberg: uggh https://review.openstack.org/#/c/92390/8	05:10
jamielennox	yay other people doing session based stuff, but wow	05:10
morganfainberg	did they... just...	05:11
morganfainberg	wow	05:11
jamielennox	although some of this can be blamed on neutronclient being another special flower	05:11
morganfainberg	this is why i think all the *clients need to roll up into a single library	05:12
jamielennox	but i don't even think that would work	05:12
morganfainberg	.identity .compute .network .whatever	05:12
morganfainberg	and the have some common code for everyone to share	05:12
jamielennox	the SDK is always looking for more people	05:12
jamielennox	i haven't had time to touch it recently	05:12
morganfainberg	but SDK isn't really... as far as i understand, meant to supplant the *clients	05:13
morganfainberg	it's meant more for .. uhm.. something else?	05:13
* morganfainberg didn't get their mission		05:13
*** dstanek_zzz is now known as dstanek		05:13
jamielennox	if you want everything in one place - that's going to be the place	05:14
jamielennox	it was only recently i realized how bad some of these clients were that i started to agree	05:15
jamielennox	i was sure if i provide some common framework stuff everyone will do the right thing	05:15
*** ncoghlan is now known as ncoghlan_afk		05:23
*** dstanek is now known as dstanek_zzz		05:23
*** deep has joined #openstack-keystone		05:25
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Properly invalidate cache for get_*_by_name methods https://review.openstack.org/97082	05:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Make sure domains are enabled by default https://review.openstack.org/99568	05:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Only emit disable notifications for project/domain on disable https://review.openstack.org/99569	05:26
deep	Hello, I have configured swift with keystone(Active Directory), while creating container i am getting error in syslog "Jun 11 22:52:36 node1 proxy-server: Unexpected response from keystone service: {u'error': {u'message': u'Could not find role, swift.', u'code': 404, u'title': u'Not Found'}} Jun 11 22:52:36 node1 proxy-server: Authorization failed for token 9ece2e7637704563fc61eff8d53e0508 Jun 11 22:52:36 node1 proxy-server	05:27
deep	any idea what is missing ?	05:27
*** ncoghlan_afk is now known as ncoghlan		05:27
*** daneyon_ has quit IRC		05:29
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Only emit disable notifications for project/domain on disable https://review.openstack.org/99569	05:31
*** henrynash has joined #openstack-keystone		05:51
*** oomichi has quit IRC		05:58
*** stevemar has joined #openstack-keystone		05:58
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/97005	06:00
openstackgerrit	Andre Naehring proposed a change to openstack/python-keystoneclient: Added help text for the debug option https://review.openstack.org/99312	06:08
*** dstanek_zzz is now known as dstanek		06:15
*** praneshp has quit IRC		06:16
*** stevemar has quit IRC		06:18
*** dstanek is now known as dstanek_zzz		06:25
*** Ackowa has joined #openstack-keystone		06:27
*** jaosorior has joined #openstack-keystone		06:49
*** oomichi has joined #openstack-keystone		07:04
*** ncoghlan has quit IRC		07:09
*** sbfox has quit IRC		07:09
*** BAKfr has joined #openstack-keystone		07:14
*** dstanek_zzz is now known as dstanek		07:16
*** dstanek is now known as dstanek_zzz		07:26
*** marekd\|away is now known as marekd		07:26
*** leseb has joined #openstack-keystone		07:45
*** jkappert has quit IRC		07:45
*** jkappert has joined #openstack-keystone		07:45
*** leseb has quit IRC		07:56
*** leseb has joined #openstack-keystone		07:57
*** leseb has quit IRC		08:01
*** oomichi has quit IRC		08:05
*** leseb has joined #openstack-keystone		08:12
*** dstanek_zzz is now known as dstanek		08:16
*** dstanek is now known as dstanek_zzz		08:26
*** afazekas has joined #openstack-keystone		08:42
openstackgerrit	liusheng proposed a change to openstack/python-keystoneclient: Set the iso8601 log level to WARN https://review.openstack.org/96413	08:45
*** dims_ has joined #openstack-keystone		08:49
*** rodrigods_ has joined #openstack-keystone		08:50
*** dims_ has quit IRC		08:54
*** jkappert has quit IRC		08:57
*** jkappert has joined #openstack-keystone		08:58
*** henrynash has quit IRC		09:04
*** dstanek_zzz is now known as dstanek		09:17
*** zhiyan is now known as zhiyan_		09:23
*** amcrn has quit IRC		09:24
*** dstanek is now known as dstanek_zzz		09:27
marekd	is it acceptable for class property to raise exception?	09:53
*** oomichi has joined #openstack-keystone		09:54
*** henrynash has joined #openstack-keystone		10:00
*** rodrigods_ has quit IRC		10:01
jaosorior	a class property to raise an exception? what context?	10:02
marekd	obj = A(); obj.property and in case property is not yet ready an exception is raised.	10:03
marekd	hm, actually I think it's is :-)	10:03
marekd	it's like standard obj.idontexist where AttributeError is raised :-)	10:04
marekd	aha, this 'property' is a method decorated with @property ofcourse.	10:04
marekd	that was my point.	10:04
marekd	jaosorior: ^^	10:05
jaosorior	I think it could work, yet, why would it be a property then? why not have a getter method that returns None or raises the exception?	10:07
jaosorior	I would assume that if a variable is accessible as a property it would be available at the point the class is created	10:07
*** leseb has quit IRC		10:14
*** leseb has joined #openstack-keystone		10:15
*** alexknith has joined #openstack-keystone		10:16
*** dstanek_zzz is now known as dstanek		10:18
marekd	I have a class where ater successful auth you have a token	10:19
*** leseb has quit IRC		10:19
*** ajayaa has joined #openstack-keystone		10:20
*** dims_ has joined #openstack-keystone		10:23
*** NM has joined #openstack-keystone		10:24
*** amcrn has joined #openstack-keystone		10:24
marekd	eh, maybe i am complicating it a bit...	10:25
*** dstanek is now known as dstanek_zzz		10:28
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authenticatio https://review.openstack.org/92166	10:39
*** NM has quit IRC		10:41
*** leseb has joined #openstack-keystone		10:46
*** henrynash has quit IRC		10:48
deep	Hello, Any idea about this error : "Jun 12 03:18:42 node1 proxy-server: Authorization failed for token e2e6e8b09916ac22dd714e3dbc155902 Jun 12 03:18:42 node1 proxy-server: Invalid user token - deferring reject downstream"	10:50
*** leseb has quit IRC		10:51
*** NM has joined #openstack-keystone		10:59
*** henrynash has joined #openstack-keystone		11:01
*** dstanek_zzz is now known as dstanek		11:19
*** dstanek is now known as dstanek_zzz		11:29
*** leseb has joined #openstack-keystone		11:30
*** kun_huang has joined #openstack-keystone		11:33
*** jdennis has joined #openstack-keystone		11:34
*** kun_huang has quit IRC		11:48
*** nsquare has joined #openstack-keystone		11:52
*** lbragstad has quit IRC		11:59
*** juanmo has joined #openstack-keystone		12:03
openstackgerrit	A change was merged to openstack/identity-api: Document GET /v3 https://review.openstack.org/89394	12:14
*** dstanek_zzz is now known as dstanek		12:19
*** xianghui has quit IRC		12:22
*** dims_ has quit IRC		12:22
*** deep has quit IRC		12:23
*** dims_ has joined #openstack-keystone		12:23
*** dims_ is now known as dims		12:25
*** gordc has joined #openstack-keystone		12:29
*** dstanek is now known as dstanek_zzz		12:29
*** xianghui has joined #openstack-keystone		12:33
*** chandan_kumar has joined #openstack-keystone		12:41
openstackgerrit	John Dennis proposed a change to openstack/keystone: Add missing docstrings and 1 unittest for LDAP utf-8 fixes https://review.openstack.org/99646	12:43
*** chandan_kumar has quit IRC		12:44
*** amcrn has quit IRC		12:46
*** openstackgerrit has quit IRC		12:46
*** NM has joined #openstack-keystone		12:47
*** openstackgerrit has joined #openstack-keystone		12:47
*** oomichi has quit IRC		12:49
*** CaioBrentano has joined #openstack-keystone		12:51
*** chandankumar has joined #openstack-keystone		12:52
*** dims_ has joined #openstack-keystone		12:55
*** dims has quit IRC		12:56
openstackgerrit	sarad patel proposed a change to openstack/keystone: Fixes typo error in Keystone https://review.openstack.org/99651	12:57
*** lbragstad has joined #openstack-keystone		12:57
*** nkinder has quit IRC		13:09
*** ajayaa has quit IRC		13:12
*** bklei has quit IRC		13:13
*** ayoung has joined #openstack-keystone		13:19
*** dstanek_zzz is now known as dstanek		13:20
*** ajayaa has joined #openstack-keystone		13:27
*** tristanC has joined #openstack-keystone		13:42
*** nkinder has joined #openstack-keystone		13:43
*** raildo has quit IRC		13:48
*** tellesnobrega has quit IRC		13:49
*** rodrigods has quit IRC		13:49
*** thiagop has quit IRC		13:50
*** bknudson has joined #openstack-keystone		13:50
*** jkappert has quit IRC		13:52
*** jkappert has joined #openstack-keystone		13:52
*** kun_huang has joined #openstack-keystone		13:57
*** kun_huang has quit IRC		13:58
*** rodrigods has joined #openstack-keystone		14:00
*** rodrigods has joined #openstack-keystone		14:00
*** kun_huang has joined #openstack-keystone		14:01
*** hrybacki has joined #openstack-keystone		14:01
*** tellesnobrega has joined #openstack-keystone		14:01
*** jsavak has joined #openstack-keystone		14:03
*** gordc has quit IRC		14:06
*** tellesnobrega has quit IRC		14:08
openstackgerrit	David Stanek proposed a change to openstack/keystone: Middleware tests now run under Python3 https://review.openstack.org/99669	14:09
*** rodrigods has quit IRC		14:10
*** tellesnobrega has joined #openstack-keystone		14:12
openstackgerrit	David Stanek proposed a change to openstack/keystone: Debug messages don't need translations https://review.openstack.org/99417	14:13
openstackgerrit	David Stanek proposed a change to openstack/keystone: Adds a newline for pep8 compliance https://review.openstack.org/99418	14:13
openstackgerrit	David Stanek proposed a change to openstack/keystone: Stops overriding a builtin for pep8 compliance https://review.openstack.org/99419	14:13
*** rodrigods has joined #openstack-keystone		14:13
*** rodrigods has joined #openstack-keystone		14:13
*** ajayaa has quit IRC		14:20
*** richm has joined #openstack-keystone		14:23
*** davlaps has joined #openstack-keystone		14:24
*** PritiDesai has joined #openstack-keystone		14:27
*** topol has joined #openstack-keystone		14:30
*** kun_huang has quit IRC		14:30
*** radez_g0n3 is now known as radez		14:34
*** kun_huang has joined #openstack-keystone		14:34
*** topol has quit IRC		14:41
*** leseb has quit IRC		14:42
*** leseb has joined #openstack-keystone		14:42
*** gordc has joined #openstack-keystone		14:43
rodrigods	ayoung,	14:45
ayoung	rodrigods, yep	14:47
*** leseb has quit IRC		14:47
rodrigods	ayoung, I remember to read something about a policies service, but I'm not finding the wiki page anymore =/	14:47
rodrigods	ayoung, as I recall, you were the author...	14:48
ayoung	rodrigods, hmmmm...blueprints?	14:48
ayoung	hrybacki, in here, please...	14:48
rodrigods	ayoung, a wiki page, I think	14:49
hrybacki	ayoung: can you explain to me how token caching works as it stands and how, if it all, revocation events change things?	14:49
rodrigods	a proposal for a policy service that would centralize the authorization of all components	14:49
hrybacki	e.g. https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L910	14:50
*** thedodd has joined #openstack-keystone		14:52
ayoung	hrybacki, sure	14:55
ayoung	hrybacki, are you familiar with memcached?	14:56
hrybacki	no, but I've been seeing it a lot in the code	14:56
ayoung	hrybacki, read up on memcached	14:57
hrybacki	ayoung: nods	14:57
ayoung	hrybacki, short of it: it is a key value store	14:57
ayoung	non persisted	14:57
ayoung	shared between proceese	14:57
ayoung	processes	14:57
ayoung	used in Apache and comparable web servers for session type stuff	14:58
hrybacki	okay	14:58
*** leseb has joined #openstack-keystone		14:59
morganfainberg	mornin.	15:00
marekd	morganfainberg: afternoon	15:00
morganfainberg	marekd, :)	15:00
marekd	morganfainberg: :)	15:01
rodrigods	ayoung, just found: https://wiki.openstack.org/wiki/Keystone/EndpointPolicyAssignment =)	15:02
*** vhoward has left #openstack-keystone		15:09
*** PritiDesai has quit IRC		15:09
*** bklei has joined #openstack-keystone		15:15
*** andreaf has quit IRC		15:16
*** daneyon has joined #openstack-keystone		15:18
openstackgerrit	ayoung proposed a change to openstack/keystone: Block delegation escalation of privilege https://review.openstack.org/99687	15:18
hrybacki	ayoung: http://toblender.com/memcached-story-part-1/ worth a chuckle	15:28
*** gyee has joined #openstack-keystone		15:30
*** jsavak has quit IRC		15:30
*** jsavak has joined #openstack-keystone		15:30
*** stevemar has joined #openstack-keystone		15:33
hrybacki	ayoung: okay -- I've got a better handle on memcached	15:40
dstanek	ayoung, hrybacki: and the most important piece of info from a dev perspective is that you are not guaranteed to get back what you put in	15:47
*** bklei has quit IRC		15:47
*** bklei has joined #openstack-keystone		15:49
*** daneyon has quit IRC		15:50
hrybacki	dstanek++	15:50
*** daneyon has joined #openstack-keystone		15:51
stevemar	anyone have any strong feelings about https://review.openstack.org/#/c/97581/1/specs/juno/audit-support-for-federation.rst	15:53
stevemar	I'm uploading a new version soon, and want to get any comments addressed :)	15:53
*** CaioBrentano has quit IRC		15:54
*** gokrokve has joined #openstack-keystone		15:54
*** daneyon_ has joined #openstack-keystone		15:55
*** daneyon has quit IRC		15:55
ayoung	stevemar, can we please just integrate audit with policy?	15:55
ayoung	instead of "audit this" and then "that"...	15:56
ayoung	lets just emit the audit events from policy enforcement	15:56
ayoung	I mean...your BP is right on, except that we need to audit other things too.	15:56
*** NM has quit IRC		15:57
stevemar	ayoung, hmm, i see what you mean, but it's almost a complete redesign in a sence	15:58
bknudson	was looking at the discussion on the -dev ml about dropping postgresql from the gate	15:58
stevemar	sense*	15:58
*** marcoemorais has quit IRC		15:58
bknudson	seems like we should have a gate-keystone-postgresql that runs the unit tests with a live postgresql	15:59
bknudson	same for mysql	15:59
bknudson	and db2	15:59
*** rodrigods has quit IRC		16:00
morganfainberg	so... is there any reason we can't make the API bounce out short-id tokens if we only use PKI?	16:01
morganfainberg	e.g. pki provider means you can't use the short-hash token (keystone says nope)	16:01
morganfainberg	just not on the API front.	16:02
bknudson	one reason is that it works today so that wouldn't be backwards compat	16:03
*** bklei has quit IRC		16:04
morganfainberg	bknudson, the multi-hash configurations + short-id support means we have to do something "clever" to obscure the data in the logs (X-Auth-Token) because we can't assume SHA1 wont net us a "usable" token	16:04
bknudson	morganfainberg: lol	16:05
morganfainberg	bknudson, we can salt the token, but ... we need to add a whole load of documentation around it - qa/infra/etc want to have a consistent way to identityf tokens used across multiple calls (timeout cause token timed out?) and not put bearer tokens in the logs themselves	16:05
bknudson	morganfainberg: I wasn't expecting anyone would pick sha1 for the new hash.	16:06
*** gordc has quit IRC		16:06
morganfainberg	bknudson, but someone could. meaning ... we can't use it as the obscuring hasih in debug	16:06
bknudson	considering sha256 is available	16:07
morganfainberg	bknudson, maybe we just explicitly deny sha1 in the cms config bits?	16:07
morganfainberg	"raise EUseSomeBetterHashThanSHA1	16:07
bknudson	I wouldn't have a problem with that	16:07
morganfainberg	bknudson, ok cool. that makes my life waaaaay easier.	16:08
bknudson	seems like we're going overboard with this to me	16:08
bknudson	could see it as a feature	16:08
bknudson	if you want to have valid tokens in your logs just set the hash algorithm to sha1	16:08
bknudson	wouldn't it be double sha1d ?	16:08
morganfainberg	bknudson, LOL someone would have a feild day with that :P	16:08
bknudson	oh, this is pki->sha1(pki)	16:09
morganfainberg	yep	16:09
morganfainberg	it's... annoying :P	16:09
bknudson	well, the other suggestion was truncate it	16:09
bknudson	rather than sha1	16:09
morganfainberg	how far do you truncate it?	16:09
morganfainberg	and what is the likelyhood of having 2 tokens look the same in the debuglog then?	16:10
bknudson	well, they all start with MII so 3 chars isn't enough	16:10
bknudson	I would go 9?	16:10
morganfainberg	remember we need to also truncate correctly for UUID/short-id tokens	16:10
bknudson	9 might be too much for UUID	16:11
bknudson	maybe remove the first 3 chars and take the next 6	16:11
morganfainberg	yeah, thats why i just want a simple "go hash this one way" mechanism	16:11
marekd	when patchset A depends on patchsest B they should have different Change-Id values, right?	16:11
morganfainberg	marekd, yes	16:11
bknudson	of course, if someone's using the admin token that might be the whole token.	16:11
morganfainberg	bknudson, yep.	16:11
morganfainberg	bknudson, lets stick with silly hashing :P	16:11
bknudson	how about a double-sha1?	16:12
bknudson	that wouldn't match if they used sha1 for token hash	16:12
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	16:12
ayoung	bknudson, I'd sooner drop mysql from the gate than postgres	16:12
morganfainberg	sure, but that comes back to lots of documentation	16:12
bknudson	morganfainberg: why do we need to document?	16:12
bknudson	oh, so they can figure it out	16:13
morganfainberg	yep	16:13
ayoung	I think we should give tokens human read able names	16:13
ayoung	like George	16:13
bknudson	one thing is that this is open source. We could make it easy to change the hash by changing the code	16:13
bknudson	so we don't need yaco (yet another config option)	16:13
morganfainberg	bknudson, i was planning on making this non-configurable :P	16:14
morganfainberg	bknudson, you get this method of obscuring. period	16:14
bknudson	and I don't think "sha1(sha1(token))" is much harder to document than sha1(token)	16:14
morganfainberg	bknudson, sure but sha1 is easily represented as {SHA1}<token>	16:14
morganfainberg	should we do {SHA1}{SHA1}<token>?	16:14
morganfainberg	or {SHA1x2}<token>	16:15
morganfainberg	they didn't like sha1(token) cause it looks like a method	16:15
bknudson	maybe there's some other prefix that's standard?	16:15
morganfainberg	i proposed the LDAP-ish way (e.g. {SSHA} {MD5} etc)	16:15
bknudson	{CRYPT}	16:16
morganfainberg	LOL	16:16
morganfainberg	{CRC32}	16:16
morganfainberg	{BCRYPT}	16:16
morganfainberg	{ROT26}	16:16
morganfainberg	wait a minute...	16:16
*** leseb has quit IRC		16:17
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Audit support for federation spec https://review.openstack.org/97581	16:18
morganfainberg	can you use the admin token to interact with services behind auth_tokne?	16:19
morganfainberg	or only keystone	16:19
bknudson	morganfainberg: only keystone	16:20
morganfainberg	ok	16:20
morganfainberg	then maybe we just use the swift thing and just do the 1st 16 bytes... whatever	16:20
morganfainberg	i'm just done wanting to think about this	16:20
*** sbfox has joined #openstack-keystone		16:20
bknudson	I think sha1 will work fine.	16:20
bknudson	I don't have a problem disabling it as configurable option for token hashing	16:21
morganfainberg	ok	16:21
morganfainberg	that works for me. i'll submit a couple patches for that.	16:21
morganfainberg	i'll include the disable of sha1 in ksc with my patch for this obscuring	16:22
morganfainberg	and i'[ll submit the keystone version today	16:22
*** alexknith has quit IRC		16:22
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication https://review.openstack.org/92166	16:23
*** davlaps is now known as devlaps		16:25
stevemar	morganfainberg, dolphm gyee dstanek henrynash ayoung bknudson lbragstad jamielennox marekd ... i'd appreciate some eyes on https://review.openstack.org/#/c/97581/	16:27
lbragstad	stevemar: added to my queue	16:28
stevemar	lbragstad, yay	16:28
marekd	stevemar: sure. BTW did you manage to decrypt saml2 assertion locally (ref. e-mail)	16:29
stevemar	marekd, that got postponed for a day or two, something has come up	16:29
marekd	stevemar: ok	16:29
stevemar	marekd, but hopefully soon	16:30
marekd	stevemar: it worked for me so will work for ya. you can play with your own assertions.	16:30
gyee	stevemar, sure, that one seem like a no-brainer, I'll go through it	16:31
hrybacki	ayoung: can you point out when and where tokens are getting cached during the middleware tests?	16:32
stevemar	gyee, yeah, hoping thats the case, just some clean up needed	16:32
*** gokrokve has quit IRC		16:33
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	16:33
*** gordc has joined #openstack-keystone		16:36
*** openstackgerrit has quit IRC		16:38
*** marcoemorais has joined #openstack-keystone		16:41
*** marcoemorais has quit IRC		16:42
gyee	stevemar, I don't have any major concerns, a bit more detail on the proposed change section would be awesome	16:42
*** marcoemorais has joined #openstack-keystone		16:42
marekd	stevemar: what CADF notifications are currently implemented?	16:42
marekd	gyee: ++	16:42
*** BAKfr has quit IRC		16:44
*** browne has joined #openstack-keystone		16:46
*** nsquare has quit IRC		16:47
*** amcrn has joined #openstack-keystone		16:47
*** jsavak has quit IRC		16:48
*** leseb has joined #openstack-keystone		16:48
morganfainberg	chmouel, ping	16:50
morganfainberg	chmouel, re: token masking	16:50
morganfainberg	chmouel, when you have a bit	16:50
*** leseb has quit IRC		16:53
*** harlowja_away is now known as harlowja		16:54
hrybacki	ayoung: we are only concerned with checking revocation events for tokens stored in the cache, yeah?	16:54
nkinder	morganfainberg: are we avoiding having a config option for logging the whole token (as was suggested in the review)?	16:55
morganfainberg	nkinder, i don't want to open that door really	16:55
nkinder	morganfainberg: I really don't think we should log the token, even with some "insecure" settings	16:55
nkinder	+100	16:55
morganfainberg	nkinder, :)	16:55
morganfainberg	nkinder, i am going to fight against logging the token at all	16:56
nkinder	just wanted to know if you were standing your ground :)	16:56
morganfainberg	now if OSC wants to offer full curl output w/ token	16:56
morganfainberg	i don't care	16:56
morganfainberg	but anything that is going into logs from services	16:56
morganfainberg	and i have a say about it...	16:56
morganfainberg	HEEEEELLLLL no :)	16:56
nkinder	yes, logs should not have an option	16:56
morganfainberg	nkinder, :)	16:56
nkinder	morganfainberg: I know that jamielennox has been looking at the password logging	16:56
morganfainberg	i think he has the right answer, make the plugin log it	16:57
*** jsavak has joined #openstack-keystone		16:57
morganfainberg	don't log anything from the session	16:57
morganfainberg	specifically for auth packets	16:57
nkinder	morganfainberg: you mean if someone wants it, they write a plugin?	16:57
morganfainberg	each auth plugin is responsivle for logging the info about the auth request it is going to handle	16:58
morganfainberg	so for auth packets, the plugin does the logging (and sanitizes things) instead of session needing to figure out what the heck to sanitize	16:58
*** erecio has quit IRC		16:58
morganfainberg	what if it's XML? what if the secure field is "<pancakes>SECURE DATA</pancakes>"	16:58
morganfainberg	easier if the plugin does the "smart" thing there.	16:59
*** erecio has joined #openstack-keystone		16:59
*** rwsu has joined #openstack-keystone		17:00
*** radez is now known as radez_g0n3		17:00
morganfainberg	nkinder, we still have the issue with sanitizing the debug on the returned token for an auth_request. but small steps, right?	17:00
nkinder	morganfainberg: there is code in oslo for obscuring the password part at least	17:01
nkinder	morganfainberg: it seems like it would be easy to use that	17:01
morganfainberg	probably.	17:01
*** marcoemorais has quit IRC		17:02
nkinder	morganfainberg: it would also be possible to tell that to mask the token	17:02
morganfainberg	i'll work on fighting that next bit of the battle once we get this stuff settled i think :)	17:02
morganfainberg	i need to take a look at what jaimielennox is doing to see what will be needed for the response data. but yeah shouldn't be too bad	17:03
ayoung	hrybacki, no	17:04
ayoung	hrybacki, when a new request comes in, regardless of whether the token is cached or not, we need to check to see if the associated token is revoked	17:05
hrybacki	ayoung: got it	17:05
morganfainberg	nkinder, i added you to both ksc and keystone changes for this part of token obscuring	17:06
*** erecio has quit IRC		17:06
ayoung	hrybacki, you good?	17:07
hrybacki	ayoung: am I reading this wrong https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L920 or does the revoked_list only get checked against cached tokens requests?	17:07
ayoung	hrybacki, it gets checked elsewhere	17:08
ayoung	we only check explicitly on revoked tokens there. but...	17:08
ayoung	self.verify_pkiz_token(user_token, token_ids	17:08
morganfainberg	dstanek, you're saying just ensure that we never exceed passlib's max here: https://review.openstack.org/#/c/98296/ ? part of the concern was that someone could set passlib (env var?) to a different value that the configuration.	17:08
ayoung	https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1355	17:08
ayoung	hrybacki, and comparable for the others.	17:08
hrybacki	ah, got it.	17:09
ayoung	hrybacki, so...you have the opportunity to unify the call for this code	17:09
*** erecio has joined #openstack-keystone		17:09
morganfainberg	dstanek, so you would advocate that we just say 'max is passlib max even if the operator set it to > than passlib max?	17:09
ayoung	the difference is that when revoking by ID, you do not need to unpack the token first	17:09
hrybacki	ayoung: in is_signed_token_revoked() ?	17:09
ayoung	so...make the config option for revocation_events skip the failure logic in	17:09
*** marcoemorais has joined #openstack-keystone		17:10
ayoung	hrybacki, it all resolved to calls to _is_token_id_in_revoked_list(token_id):	17:10
ayoung	hrybacki, so make the config option skip the check in that function	17:10
hrybacki	nods	17:11
ayoung	and then add an additional function that checks if the token is revoked via the events.	17:11
ayoung	Or...refactor the code first, so that you can swap it out in a single place	17:11
hrybacki	ayoung++	17:11
ayoung	hrybacki, ^^ might be a good first step: just make sure all of the existing unit tests run and you should be able to refactor	17:12
hrybacki	ayoung: thanks, on it!	17:12
nkinder	morganfainberg: ok, great. I'll review them. I've looked over one of them, but I want to go through it in more detail.	17:12
* ayoung trying to remember why that is a list		17:12
morganfainberg	nkinder, ++	17:12
ayoung	hrybacki, ah...ok	17:13
ayoung	you don't need to worry about multiple token_ids for evetns	17:14
ayoung	because that is dealing with MD5, sha1, sha256 whatever hashing algorithm is used for the token	17:14
dstanek	morganfainberg: yes, because it's not possible to go higher even if they want that ability	17:17
morganfainberg	dstanek, the concern in the original ticket was someone would set passlib to 1, and then all passwords are truncated to 1, even if the keystone option was set to say 50.	17:18
*** PritiDesai has joined #openstack-keystone		17:18
*** mfisch has quit IRC		17:18
morganfainberg	dstanek, i don't mind making those two always in lockstep (well if passlib < keystone configured length)	17:18
morganfainberg	perhaps a warning issued at the same time?	17:19
dstanek	morganfainberg: right, but your fix is to catch the case where keystone is configured to allow a password bigger than what passlib allows	17:19
dstanek	morganfainberg: i was just saying that we should cap that number using oslo.cofig	17:19
morganfainberg	dstanek, correct. i was solving it from a "give reasonable feedback vs ISE" w/o changing the truncation length	17:19
morganfainberg	is .. that even doable?	17:20
dstanek	morganfainberg: yes, integers in oslo.config can have a max value	17:20
marekd	after the authentication I get something in the HTTP header, hidden under 'X-Subject-Token', and a JSON in the response's body. Which should be called a 'token'?	17:20
morganfainberg	dstanek, hm. so you'd just say max=passlib.whateverthatpropertyis?	17:20
dstanek	morganfainberg: you may be to specify the type, i don't recall	17:21
*** gokrokve has joined #openstack-keystone		17:22
morganfainberg	dstanek, i'll look at it.	17:22
*** gyee has quit IRC		17:23
ayoung	morganfainberg, dstanek https://review.openstack.org/#/c/99687/ that was just made public. Can you guys move that along? Still waiting on the jenkis run for the backports	17:24
dstanek	morganfainberg: yeah, pretty sure we can just add a max since we are using an IntOpt	17:25
dstanek	ayoung: sure	17:25
morganfainberg	ayoung, no changes in the code from the bug ticket right?	17:25
morganfainberg	ayoung, it looks the same	17:25
ayoung	identical	17:26
morganfainberg	ayoung, +2.	17:26
ayoung	morganfainberg, only reason the hash is different is because of rebase	17:26
morganfainberg	ayoung, didn't even look at the hash	17:26
morganfainberg	ayoung, was looking at the change and didn't see any differences.	17:26
morganfainberg	ayoung, but wanted to 2x check w/ you	17:26
ayoung	morganfainberg, I actually did a git am of the patch to make sure I knoew I was getting the right version	17:26
morganfainberg	ayoung, ++	17:26
*** topol has joined #openstack-keystone		17:27
topol	dolphm, you there?	17:27
dolphm	topol: o/	17:29
*** nsquare has joined #openstack-keystone		17:30
*** rwsu has quit IRC		17:30
*** praneshp has joined #openstack-keystone		17:31
*** rwsu has joined #openstack-keystone		17:32
topol	dolphm, so how good does my audit spec need to be by end of today?	17:33
dolphm	topol: you don't have a deadline on that today	17:33
topol	dolphm, cause folks wants details that I thought we would do iteratively	17:33
topol	dolphm, whats my deadline?	17:33
dolphm	topol: juno-3?	17:33
topol	dolphm, you always cut me slack :-)	17:33
topol	dolphm, what has a jun-1 deadloine? api changes	17:34
*** marcoemorais1 has joined #openstack-keystone		17:34
*** marcoemorais1 has quit IRC		17:34
dolphm	topol: api-impacting changes have a deadline of juno-2	17:34
*** marcoemorais has quit IRC		17:34
dolphm	topol: so unless you want to make the argument that notifications are a first class API ... in which case i'd agree with you ...	17:34
*** marcoemorais has joined #openstack-keystone		17:35
topol	dolphm, Im good with juno3 and will stop asking questions ... :-)	17:35
dolphm	topol: juno-1 isn't normally a major milestone, but things like refactors and deprecations typically land before then	17:35
dolphm	topol: aim for juno-2 :)	17:36
dolphm	topol: 6 weeks!	17:36
topol	dolphm, will do!	17:36
*** marekd is now known as marekd\|away		17:37
*** lbragstad has quit IRC		17:39
tristanC	Hello folks! we are about to release an OSSA for https://bugs.launchpad.net/ossa/+bug/1324592. Master and Icehouse patches are waiting for approval, but then havana backport have a unit-test failure on TestTrustAuth.test_delete_trust_revokes_tokens	17:39
uvirtbot	Launchpad bug 1324592 in keystone "[OSSA 2014-018] Trust scope can be circumvented by chaining trusts (CVE-2014-3476)" [Critical,In progress]	17:39
*** mfisch has joined #openstack-keystone		17:42
*** mfisch has quit IRC		17:42
*** mfisch has joined #openstack-keystone		17:42
*** rodrigods_ has joined #openstack-keystone		17:44
morganfainberg	ayoung, you looking at ^ or want me to?	17:44
ayoung	morganfainberg, the test failure? I'm on it	17:46
morganfainberg	ayoung, ++ k	17:46
ayoung	morganfainberg, I thought I had addressed that one, basically the test is failing in setuop, as sokmething that was legal before is no longer legal	17:46
ayoung	AppError: Bad response: 404 Not Found (not 200)	17:46
morganfainberg	yeah	17:47
*** afazekas has quit IRC		17:47
*** lbragstad has joined #openstack-keystone		17:49
*** leseb has joined #openstack-keystone		17:49
*** rodrigods_ has quit IRC		17:50
*** sbfox has quit IRC		17:52
ayoung	morganfainberg, ah...somehow had bleedover from later patches: was testing against the revoke events...sloppy backport	17:54
morganfainberg	oops!	17:54
*** leseb has quit IRC		17:54
*** stevemar has quit IRC		17:54
*** daneyon_ has quit IRC		17:55
ayoung	morganfainberg, https://review.openstack.org/#/c/99703/1..2/keystone/tests/test_v3_auth.py,cm	17:56
morganfainberg	ayoung, doh! I thought i ran this against my local system when i reviewed it	17:57
morganfainberg	blink	17:57
ayoung	morganfainberg, same here...there was some ugliness with running specific unit tests due to the _ issue from excpetions, but I didn't see that this time. I was pretty certain I did a complete run.	17:57
morganfainberg	bleh.	17:58
morganfainberg	ayoung, i guess it happens at least we can solve it quickly	17:58
ayoung	morganfainberg, https://review.openstack.org/#/c/99700/ has +1 from jenkins	17:59
morganfainberg	dstanek, i'm not seeing where i put the max value for an IntOpt	17:59
morganfainberg	ayoung, +1 on that from me.	17:59
*** sbfox has joined #openstack-keystone		17:59
dstanek	morganfainberg: jas, looking	17:59
morganfainberg	dstanek, what i'm seeing is we initialize the opt, but don't set any of the values for the type. (the type can have min/max)	18:02
*** jsavak has quit IRC		18:05
*** praneshp_ has joined #openstack-keystone		18:05
*** jsavak has joined #openstack-keystone		18:06
*** praneshp has quit IRC		18:06
*** praneshp_ is now known as praneshp		18:06
*** nsquare has quit IRC		18:08
dstanek	morganfainberg: getting you an example now	18:10
*** stevemar has joined #openstack-keystone		18:11
*** nsquare has joined #openstack-keystone		18:11
*** openstackgerrit has joined #openstack-keystone		18:13
*** leseb has joined #openstack-keystone		18:13
*** leseb has quit IRC		18:14
morganfainberg	dstanek, thanks!	18:14
*** leseb has joined #openstack-keystone		18:14
dstanek	morganfainberg: hmmm...it doesn't seem to enforce it - i may have to dig a little deeper	18:14
morganfainberg	dstanek, the min/max code looks a little odd	18:15
*** jsavak has quit IRC		18:15
*** leseb has quit IRC		18:19
ayoung	dstanek, bknudson dolphm care to move this one along? Its for the trusts backport https://review.openstack.org/#/c/99700/	18:20
bknudson	ayoung: I thought the embargoed fixes were typically just +Ad by ttx	18:23
ayoung	bknudson, Me, too	18:24
ayoung	tristanC, ^^ why is this go round different than in the past?	18:24
bknudson	for example, https://review.openstack.org/#/c/94397/	18:24
bknudson	we can't approve in stable anyways	18:24
tristanC	ayoung: Well we prefer to release the OSSA once we are confident patches won't get reworked, so yes +A are kind of required	18:27
tristanC	ayoung: and for stable, ttx is ready to approve	18:28
*** jaosorior has quit IRC		18:32
*** PritiDesai has quit IRC		18:32
*** PritiDesai1 has joined #openstack-keystone		18:32
*** erecio has quit IRC		18:34
*** erecio has joined #openstack-keystone		18:34
tristanC	Thanks you folks, this one went nicely :) After jenkins +1 the stable/havana patch, I'll send the OSSA!	18:37
morganfainberg	tristanC, great	18:40
*** jsavak has joined #openstack-keystone		18:51
openstackgerrit	A change was merged to openstack/keystone: Use code-block for curl examples https://review.openstack.org/98526	18:52
*** erecio has quit IRC		18:53
*** devlaps has quit IRC		18:58
*** erecio has joined #openstack-keystone		19:03
*** radez_g0n3 is now known as radez		19:05
hrybacki	ayoung: added config, refactored those methods, confirmed tests still work, and set up a mock test to call the new _is_token_in_revocation_events()	19:07
ayoung	hrybacki, run tox -epep8	19:08
ayoung	and then	19:08
ayoung	tox -epy27	19:08
*** nsquare has quit IRC		19:08
ayoung	if those both run clear, post what you have for review.	19:08
hrybacki	ayoung++	19:09
ayoung	hrybacki, are you familiar enought with git ? Make sure you commit what you have now.	19:09
ayoung	you can always rewrite history before you post for review	19:09
ayoung	git status will show what you've modified	19:10
ayoung	git add keystoneclient	19:10
ayoung	will add the files you've modified.	19:10
ayoung	assuming you've changed nothing higher up in the tree than that...	19:10
ayoung	I often have some file from an IDE or something in the git root	19:10
ayoung	git commit and make sure the top line of the commit is a succinct summary	19:11
ayoung	in this case, something like	19:11
ayoung	check revocation by events in auth_token middleware	19:12
*** Ackowa has quit IRC		19:21
*** leseb has joined #openstack-keystone		19:25
*** leseb has quit IRC		19:29
*** PritiDesai1 has quit IRC		19:30
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Link to docstrings in using-api-v3 https://review.openstack.org/99741	19:31
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Imports to fix build warnings https://review.openstack.org/99745	19:43
dstanek	morganfainberg: so my idea for using oslo.config won't work - oslo.config can only validate options when you are first used	19:50
*** praneshp has quit IRC		19:52
openstackgerrit	Harry Rybacki proposed a change to openstack/python-keystoneclient: check revocation by events in auth_token middleware https://review.openstack.org/99751	20:06
*** radez is now known as radez_g0n3		20:07
*** leseb has joined #openstack-keystone		20:15
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Docstrings for usability. https://review.openstack.org/99755	20:16
bknudson	tip of the hat to anyone who's ever actually gotten something to work with keystoneclient, since there's no docs	20:17
bknudson	dstanek: so use the config option	20:17
bknudson	early	20:17
*** boris-42 has quit IRC		20:18
*** morganfainberg has quit IRC		20:18
*** boris-42 has joined #openstack-keystone		20:18
*** morganfainberg has joined #openstack-keystone		20:18
*** dickson.freenode.net sets mode: +o morganfainberg		20:18
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Audit support for federation spec https://review.openstack.org/97581	20:21
dstanek	bknudson: yeah, i was thinking that, but if felt strange	20:25
bknudson	dstanek: add a comment and it won't be so weird	20:26
dstanek	bknudson: i was hoping to do something like http://dpaste.com/2M9WEF9 using changes in oslo.config like http://dpaste.com/03K184W	20:26
dstanek	bknudson: jas, i have it stashed	20:26
bknudson	dpaste is dstanek's paste?	20:27
bknudson	dstanek: that change makes sense to me	20:28
bknudson	but as dhellmann says, a plugin can add new config options.	20:28
bknudson	so you'd have to find a spot to do it	20:28
dstanek	bknudson: no mine, just what i've always used	20:29
dstanek	bknudson: why would a plugin be loaded after the main server loop starts?	20:29
bknudson	I don't think we have a case of this, but it could be loaded only when the endpoint is hit.	20:30
dstanek	as an architect that goes against my desire to have a system fail at the earliest possible point	20:31
bknudson	don't you want the system to also only use what it needs to?	20:33
dstanek	hmmm...my stash isn't working anymore	20:33
*** radez_g0n3 is now known as radez		20:33
dstanek	no, it leads to nondeterministic behavior	20:34
dstanek	if there is a chance for it to be used i would rather have it initialized so i know it will work	20:35
*** openstackgerrit has quit IRC		20:35
*** hrybacki has quit IRC		20:35
*** praneshp has joined #openstack-keystone		20:35
dstanek	ah, i still needed my oslo.config patch	20:35
bknudson	multithreading leads to nondeterministic behavior	20:35
*** openstackgerrit has joined #openstack-keystone		20:35
dstanek	i can only eliminate what i can eliminate :-)	20:36
*** marcoemorais has quit IRC		20:36
*** nsquare has joined #openstack-keystone		20:36
*** marcoemorais has joined #openstack-keystone		20:36
dstanek	bknudson: http://dpaste.com/03YKP2A	20:37
dstanek	but that only works when oslo.config is fixed	20:37
bknudson	what's wrong with oslo.config?	20:37
dstanek	https://review.openstack.org/#/c/99753/	20:37
bknudson	also, where's the test?	20:37
bknudson	return ValueError	20:38
bknudson	that's a good one	20:38
bknudson	thanks, python	20:38
dstanek	haha	20:38
dstanek	to be fair in one of my paste's i return a list of exceptions	20:38
bknudson	there should be a generator for calling a bunch of functions and storing the exception	20:40
*** gyee has joined #openstack-keystone		20:42
*** __afazekas is now known as afazekas		20:43
lbragstad	so, to anyone using next-review... are the stackforge/puppet-keystone reviews included by default when projects = keystone,keystone-specs,python-keystoneclient ?	20:47
*** dims_ has quit IRC		20:47
openstackgerrit	Matthieu Huin proposed a change to openstack/keystone: PoC external auth using user mapping https://review.openstack.org/92079	20:48
*** bknudson has quit IRC		20:50
*** erecio has quit IRC		20:53
openstackgerrit	A change was merged to openstack/identity-api: Add detail to credential API documentation https://review.openstack.org/98521	20:56
stevemar	bknudson, there are docs, doesn't jamielennox 's blog count as docs?	20:59
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements https://review.openstack.org/99031	21:02
*** gokrokve_ has joined #openstack-keystone		21:02
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076	21:02
*** PritiDesai has joined #openstack-keystone		21:04
*** gokrokve has quit IRC		21:05
*** juanmo has quit IRC		21:08
*** sbfox has quit IRC		21:08
*** sbfox has joined #openstack-keystone		21:09
*** PritiDesai has quit IRC		21:14
*** PritiDesai has joined #openstack-keystone		21:14
*** PritiDesai has quit IRC		21:22
*** hrybacki has joined #openstack-keystone		21:22
henrynash	morganfainberg: ping	21:25
morganfainberg	henrynash, pong	21:26
henrynash	hi, question on conceptual models for controller -> manager communication…..	21:26
henrynash	(this is for the multi-backend uuids)	21:26
morganfainberg	henrynash, sure thing	21:27
henrynash	we need to change the current code since the controller creates a UUID for an ID for the user/group it is creating and then passes this to the manager layer - create_user(user_id user_ref)	21:28
*** jsavak has quit IRC		21:29
henrynash	what I had planned was to make the manager responsible for ID generation….so the controller would just call create_user(user_ref) and the manager would put the ID in it, and then call the driver with the tradtional create_user(user_id, user_ref) API	21:29
morganfainberg	henrynash, this is the _assign_unique_id code, right?	21:29
henrynash	yeah, basically the controller would never call this for uses and groups	21:29
morganfainberg	you could push the _assign_unique_id logic down a level	21:29
henrynash	indeed, so that’s the alternative...	21:30
morganfainberg	sounds reasonable, you probably can't remove the "id" bit from the controller	21:30
henrynash	teh controller could call a method in the manager to get the ID, then pass it back into the manager on the create cal	21:30
henrynash	why?	21:30
morganfainberg	henrynash, oh was thinking assignment not id	21:30
morganfainberg	henrynash, nvm /me was wrong	21:31
morganfainberg	henrynash, hm. or we could just break the identity_api.create_xxxx method's signature	21:31
henrynash	pushing the assign_id (for users and groups) into the manager is the smallest change….	21:32
morganfainberg	is there a reason we _ever_ would want something to create an id and have the identity_api blindly follow that? or we always want to control this.	21:32
morganfainberg	i'd probably push assign_id down to manager, tbh	21:33
henrynash	my gut feeling is that if we are imlementing mapping in the manger layer, then this seems the layer that should own and assign the ID…..who knows what we might wnat to do with it in the future	21:33
morganfainberg	controller is more about web_request -> python data imo	21:33
morganfainberg	we've made a concerted effort to move a lot of the buisiness logic down to the managers from the controllers	21:34
morganfainberg	i'm happy to continue with that pattern	21:34
henrynash	i quuite like teh controller passing the manager the ref (without an ID) and if teh create is succesful the ref returned has the ID in	21:34
morganfainberg	henrynash, i would also like to see the 'enabled' sanitization stuff move down to the manager as well then	21:34
morganfainberg	basically controllers (imo) should be about converting web-requests to data structures and emitting sane serialized data	21:35
*** hrybacki has quit IRC		21:35
henrynash	so in my follow on patch…I moevd the ID generation as described…the pnly issue is that I had to do a LOT of mechanical change sto all our unit tests (‘cause the assign an ID like ‘fake1’ and pass it to teh manager)!!!	21:35
morganfainberg	any/all extra business logic should be at the manager, so in the case extension wants to create a user... it works the same as if the controller does it	21:35
morganfainberg	henrynash, yep, lots of mechanical changes.	21:36
morganfainberg	henrynash, i would almost make that change the 1st of the string (if that makes sense)	21:36
morganfainberg	restructure where id's come from, then layer in the multi-id stuff	21:36
henrynash	oh…	21:36
henrynash	interesting	21:36
henrynash	I’ll see how hard it is to pull all that apart….	21:37
morganfainberg	henrynash, does that make sense?	21:37
henrynash	since there are some othe subtle unit test changes needed	21:37
morganfainberg	henrynash, i mean... happy to help you need any.	21:37
morganfainberg	henrynash, but it might be easier to invert it in this case. :)	21:38
henrynash	but if we are agreed on the direction…then I’ll plan how we do it	21:38
morganfainberg	yeah. i think moving that down to the manager makes a ton of sense	21:38
henrynash	ok, great…agreed	21:38
morganfainberg	for the most part, controllers don't do multi-manager cruft anymore	21:39
morganfainberg	identity controllers almost exclusively talk to identity_api	21:39
morganfainberg	i really like that.	21:39
henrynash	yep, me too	21:39
henrynash	cool..we have a plan	21:39
morganfainberg	henrynash, ++	21:39
morganfainberg	henrynash, i'll take up the follow-on moving all the enabled sanitization stuff down a layer if needed.	21:39
henrynash	i’ll update the spec as well, just to be clear what we are doing (and to say that sha1 will be teh only genrator)	21:40
morganfainberg	oh wait.. not that is already there. phew	21:40
morganfainberg	henrynash, ++ sounds great	21:40
henrynash	thx	21:40
*** nkinder has quit IRC		21:42
*** topol has quit IRC		21:46
*** lbragstad has quit IRC		21:50
*** radez is now known as radez_g0n3		21:50
*** hrybacki has joined #openstack-keystone		21:54
*** kun_huang has quit IRC		21:55
*** marcoemorais has quit IRC		21:56
*** marcoemorais has joined #openstack-keystone		21:56
*** dims_ has joined #openstack-keystone		21:57
*** praneshp_ has joined #openstack-keystone		21:57
*** jamielennox is now known as jamielennox\|away		21:58
*** einarf has joined #openstack-keystone		21:58
*** praneshp has quit IRC		21:59
*** praneshp_ is now known as praneshp		21:59
*** PritiDesai has joined #openstack-keystone		22:02
*** amcrn has quit IRC		22:06
*** gordc has quit IRC		22:07
*** stevemar has quit IRC		22:11
*** PritiDesai has quit IRC		22:18
*** rodrigods has joined #openstack-keystone		22:19
*** andreaf has joined #openstack-keystone		22:20
*** dstanek is now known as dstanek_zzz		22:23
*** dstanek_zzz is now known as dstanek		22:24
*** hrybacki has quit IRC		22:26
*** hrybacki has joined #openstack-keystone		22:29
*** gokrokve_ has quit IRC		22:32
openstackgerrit	ayoung proposed a change to openstack/keystone: Kerberos as method name https://review.openstack.org/95989	22:35
*** PritiDesai has joined #openstack-keystone		22:36
*** leseb has quit IRC		22:36
*** leseb has joined #openstack-keystone		22:36
*** andreaf has quit IRC		22:36
*** nkinder has joined #openstack-keystone		22:37
*** thedodd has quit IRC		22:39
*** rodrigods has quit IRC		22:40
*** leseb has quit IRC		22:41
*** gokrokve has joined #openstack-keystone		22:46
*** ayoung has quit IRC		22:49
*** PritiDesai has quit IRC		22:49
*** PritiDesai has joined #openstack-keystone		22:51
*** hrybacki has quit IRC		22:52
*** hrybacki has joined #openstack-keystone		22:56
*** rodrigods has joined #openstack-keystone		22:57
*** rodrigods has joined #openstack-keystone		22:57
*** dstanek is now known as dstanek_zzz		22:59
*** hrybacki has quit IRC		22:59
morganfainberg	dolphm, been talking to sdague, looks like we're going to try this https://review.openstack.org/#/c/99779/ to help get us from 1 in 10k to like 1 in 100k+ hopefully it works.	23:00
morganfainberg	dolphm, ephemeral port.	23:00
*** dims_ has quit IRC		23:01
*** jamielennox\|away is now known as jamielennox		23:05
*** dstanek_zzz is now known as dstanek		23:09
*** rodrigods has quit IRC		23:16
*** amcrn has joined #openstack-keystone		23:23
*** rodrigods has joined #openstack-keystone		23:25
*** sbfox has quit IRC		23:26
gyee	morganfainberg, just added my comment https://review.openstack.org/#/c/99432/	23:32
*** praneshp_ has joined #openstack-keystone		23:34
morganfainberg	gyee, ok so MD5 is the current default	23:36
morganfainberg	we can't use that	23:36
morganfainberg	:P	23:36
morganfainberg	gyee, and no one _really_ is expected to use SHA1 (bknudson even said he never expected a person to do SHA1) instead of Sha256 or so	23:36
morganfainberg	gyee, Tokens are also not really "short lived throw away" at the moment. They last for 1hr default (and in a lot of environments longer). services do re-use tokens a good deal.	23:37
*** praneshp has quit IRC		23:37
*** praneshp_ is now known as praneshp		23:37
*** richm has left #openstack-keystone		23:37
morganfainberg	gyee, so we still want to know if the same token is used in debug, but we don't want to leak token ids to the world. while the token is active it has roughly the same capabilities as someone using a username/password combo	23:38
morganfainberg	heck..in some cases you could even change your password with a token :P (think admin level and user update) causing a bigger issue if a lower-priv individual could grab the token id	23:38
*** gokrokve has quit IRC		23:39
morganfainberg	honestly, if the default had already been sha1, i'd have picked md5	23:39
gyee	morganfainberg, I like the random salt idea	23:40
gyee	your original idea is much better I think	23:40
morganfainberg	gyee, sure, but this is easier to communicate	23:40
morganfainberg	{sha1}<token id>	23:40
morganfainberg	people still want to be able to determine if it was _their_ token used, just not be able to derive someone else's token	23:41
morganfainberg	say it's salted is saying "go look at the implementation and figure out the salt mechanism and then hash your token"	23:41
morganfainberg	anyone who isn't content with md5 token hashes wont be content with sha1, it's considered broken by those who would care	23:42
*** PritiDesai has quit IRC		23:43
gyee	morganfainberg, but if we publish the salt value we should be fine right?	23:43
morganfainberg	gyee, the complaint is the volume of documentation and headaches to explain it.	23:43
gyee	just a matter of sha1(tokenid + salt)	23:43
morganfainberg	and i sortof agree.	23:43
*** dstanek is now known as dstanek_zzz		23:43
gyee	morganfainberg, "debug" message are reviewed by technical guys	23:43
morganfainberg	i'd rather it be dead simple to hash the id	23:43
morganfainberg	hey it's just a sha1 of whatever your token is.	23:43
morganfainberg	sortof.	23:44
morganfainberg	right now debug kinda = what verbose should be in openstack	23:44
morganfainberg	could be used for a deployer vs a developer	23:44
morganfainberg	debug should _probably_ be developer only, but we're not there yet	23:44
gyee	with the money technical guys making these day, they better damn sure how to handle a simple salt value :)	23:44
morganfainberg	gyee, it's a communication issue. i already was receiving pushback from people (technical) on it being not a dead simple sha1	23:45
gyee	wtf?	23:45
gyee	its a simple salt scheme	23:45
morganfainberg	i asked brant, and he basically said why would anyone who cares it's MD5 use Sha1?	23:45
morganfainberg	if md5 isn't good enough, neither will sha1 be	23:45
morganfainberg	anyone who cares will use sha256	23:46
gyee	excluding sha1 in cms just for that reason doesn't seem right	23:47
*** leseb has joined #openstack-keystone		23:47
gyee	or any hash algorithm in that matter	23:47
morganfainberg	and i'd argue that we should have said you can have MD5 or sha256	23:47
morganfainberg	and not make it "any hashing you want"	23:47
*** xianghui has quit IRC		23:47
morganfainberg	because anyting > sha256 will break SQL token backend :P	23:48
gyee	lovely!	23:48
morganfainberg	and anything less than sha256 is widly considered insufficient for anyone who cares.	23:48
morganfainberg	gyee, https://bugs.launchpad.net/keystone/+bug/1329554	23:48
uvirtbot	Launchpad bug 1329554 in keystone "Setting token hashing to sha512 will not work with the SQL token backend" [Medium,New]	23:48
morganfainberg	there fixed the description	23:49
gyee	well, sha1 is still widely used	23:49
morganfainberg	gyee, sure, but not in the cms system	23:49
morganfainberg	we have	23:49
morganfainberg	we still use MD5, and MD5 is the default	23:49
morganfainberg	shrug i really don't want to fight a ton to get a simple "lets not leak privileged information out" and there is already acceptance for obscuring with sha1	23:50
morganfainberg	and there is already code in the wild (novaclient) that does sha1 (committed)	23:50
gyee	sure, but with that patch, we basically excluded sha1 in cms	23:51
gyee	bad tradeoff IMO	23:51
morganfainberg	gyee, ok, besides principal, who cares if we eliminated sha1?	23:51
*** leseb has quit IRC		23:51
morganfainberg	s/principal/on principle/	23:52
gyee	morganfainberg, dunno, maybe somebody from distribution list will tell us	23:52
morganfainberg	so far dev list has been insupport of this (when not complaining that they can't copy-paste the curl line from the message)	23:53
gyee	try putting a PKI token in curl and see how much fun it is :)	23:53
morganfainberg	you still can copy/paste the line from the debug message	23:54
morganfainberg	it just sucks :P	23:54
morganfainberg	hey my first pass was basically saying --REDACTED--	23:54
morganfainberg	but people want to know if a token has been used across muliple requests	23:54
gyee	I really like the salted hash idea, that solution have little risk	23:55
gyee	log aggregation is usually done by a script anyway	23:56
morganfainberg	doesn't mean token ids should be in them	23:57
gyee	morganfainberg, anyway, not trying to make a big deal because it is not, but given up sha1 just for log sanitation sound like a bad tradeoff	23:57
morganfainberg	logstash, rsyslog, splunk, etc	23:57
morganfainberg	gyee, i'd agree if i wasn't told at every corner that sha1 sucks (by the crypto folks) and that we shouldn;t use it for anything because it's "broken".	23:58
*** sbfox has joined #openstack-keystone		23:58
gyee	morganfainberg, what I mean is we can easily do the token ID hashing in scripts to look for a match	23:58
*** sbfox has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!