Friday, 2014-06-13

[00:00] <morganfainberg> gyee, would you argue that MD5 is something that shouldn't be excluded from CMS if we had used that instead (ignore that it's our default)
[00:01] <gyee> morganfainberg, I am saying there's notneed to limit anything in CMS because of this change
[00:01] <gyee> s/notneed/no need/
[00:02] <gyee> where things can be easily mitigated with a simple salted hash scheme
[00:02] <morganfainberg> in this case, i'm just aiming for the least pushback from the community so we can stop leaking info. stopping the leak is the part i care about.
[00:03] <gyee> I totally agree, the goal is stop leaking info
[00:03] <gyee> but if we can do it in a least intrusive manner that would be awesome
[00:03] <morganfainberg> anyway i need to go get ready to hit the gym
[00:03] <gyee> same here
[00:03] <morganfainberg> i think this is a very un-intrusive way, no one can use SHA1 hashing yet :P
[00:04] <morganfainberg> and according to at least one person who pushed for the alternate hashing, it wouldn't / shouldn't be used anyway
[00:04] <morganfainberg> since sha256 is available.
[00:04] <gyee> k man, up to you, not a big deal
[00:04] <morganfainberg> gyee, if you can garner support for the hashed + salt i'm great with it
[00:05] <gyee> garner support = pay somebody off?
[00:05] <morganfainberg> i just don't know how much more i'm willing to spend arguing with people over this (btw, not considering this an argument w/ you, it's a good discussion)
[00:05] <morganfainberg> gyee, i don't got the $$$ to do that :P
[00:05] *** rodrigods has quit IRC
[00:05] <morganfainberg> make them an offer they can't refuse? </godfather>
[00:06] <morganfainberg> anyway. as long as we stop leaking the info asap (next ksc release plz) i'm content with whatever solution
[00:08] *** xianghui has joined #openstack-keystone
[00:13] *** schofield has quit IRC
[00:14] *** ayoung has joined #openstack-keystone
[00:24] <morganfainberg> ayoung, /me dislikes finding random factoids about limitations in token things when working on other stuff :P
[00:27] <morganfainberg> ayoung, we could also make short-hash token ids not work when using a PKI provider (but it would break backwards compat) *darn you compatibility*
[00:30] *** schofield has joined #openstack-keystone
[00:35] *** dstanek_zzz is now known as dstanek
[00:36] *** gordc has joined #openstack-keystone
[00:38] <ayoung> morganfainberg, we can drop the ID support over time. It really is a hack. You only need an ID if you are going to look it up in a persistent store, and for tokens, that should be a cache like memcache...something KVS. Not a database. And then the key that you use should be specific to the conversation:
[00:39] *** dims_ has joined #openstack-keystone
[00:39] <morganfainberg> ayoung, yep.
[00:39] <ayoung> If a user hands a full token to swift, swift should be able to hand back a sha256 and say "use this next time"
[00:40] <ayoung> morganfainberg, so there are two things that I am worried about this release that are not under way
[00:40] <morganfainberg> as long as swift handles the different id and doesn't then go "hey keystone... what is this thing"
[00:40] <ayoung> the first is the ability for an endpoint to get its own policy file
[00:40] <ayoung> and the second is to have different keystone servers sign with different private keys
[00:41] <ayoung> morganfainberg, ++ on your comment
[00:41] <ayoung> so, the first requires an API change:
[00:41] <ayoung> get policy by endpoint
[00:41] <morganfainberg> ayoung, and the endpoint to know its "id" or whatever its lookup name is
[00:41] <ayoung> and the corresponding calls to set up the policy-endpoint relationship
[00:41] <ayoung> that is a config change, I think
[00:42] <ayoung> I thought the symas guy was going to take that and run with it, but I haven't heard from him.
[00:42] <morganfainberg> ayoung, sure. unless there is a better way (i got nothing)
[00:42] <ayoung> morganfainberg, I guess in theory it could be based on the service user
[00:42] <ayoung> get policy for user?
[00:42] <morganfainberg> ayoung, actually, that might be a good approach
[00:43] <ayoung> it's muddy
[00:43] <morganfainberg> both are good imo
[00:43] <morganfainberg> good = good enough
[00:43] <ayoung> dolphm, had a good point that we don't need to specify the exact service
[00:43] <ayoung> it doesn't matter if we send identity policy to swift, for example
[00:43] <ayoung> as swift will only care about the rules that apply to swift
[00:44] <morganfainberg> after i get back from the gym i'm going to respin my specs so i can get some work towards persistenceless tokens done this cycle (at least)
[00:44] <ayoung> morganfainberg, cool. hrybacki is working on the auth_token side of it
[00:44] <ayoung> with a little bit of help, of course
[00:44] <morganfainberg> ayoung, oh did you see SpamapS's comment about the indexing and such for the revocation events table? [bug]
[00:44] <ayoung> I had Identified that last release
[00:44] <ayoung> just couldn't get it done in time
[00:44] <morganfainberg> his big comment was the ids should have been auto-inc int, i still think uuid is a bad choice.
[00:45] <ayoung> same here
[00:45] <morganfainberg> ayoung, cool.
[00:45] *** dstanek is now known as dstanek_zzz
[00:45] <ayoung> uuid was just the default for the baseclass,
[00:45] <morganfainberg> yep sounds right
[00:45] <ayoung> autoinc, though, might be an issue with Galera
[00:45] <morganfainberg> *shrug* easy enough to fix.
[00:45] <morganfainberg> nah galera is smart
[00:45] <morganfainberg> it automatically does the offset magic
[00:45] <morganfainberg> or at least percona does, and anyone not deploying with percona does it themselves
[00:46] <morganfainberg> shouldn't be an issue for us.
[00:47] <morganfainberg> i'll take over your spec for splitting the middleware (adding in the details) while i'm mucking with mine unless you really want to work on it.
[00:47] <ayoung> No, please take it
[00:47] <morganfainberg> sounds good.
[00:47] <ayoung> I'm stuck in Kerberos land these days
[00:47] <morganfainberg> hehe yah.
[00:47] <ayoung> with a long diversion into theforeman
[00:48] <morganfainberg> heh ouch
<ayoung> We're calling the internal project StayPuft. This is my reaction
[00:49] <ayoung> I do that anyway
[00:50] <morganfainberg> do you think we'll be able to get agreement on non-persistent tokens this cycle? I'd like to have it as an option so by K horizon can use it.
[00:51] <ayoung> I think so
[00:51] <morganfainberg> i hope so.
[00:51] <ayoung> what if we have two different Keystone servers issuing tokens
[00:51] <ayoung> how are we going to synchronize revocation events?
[00:52] <ayoung> notifications between the servers? Polling?
[00:52] <morganfainberg> or a way to do a union on the event lists
[00:52] <ayoung> that is easy, since we flush expired events
[00:53] <morganfainberg> if we have 2 sources of events, we union them. for cross keystone trust we need to make the same logic happen as auth_token does then
[00:53] <ayoung> If we solve this right, it will make horizontal scaling much easier
[00:53] <morganfainberg> "get me events from servers"
[00:53] <morganfainberg> ok i need to head out. gym time. be back in an hour and some change
[00:55] *** gordc has quit IRC
[01:06] *** richm has joined #openstack-keystone
[01:07] *** richm has left #openstack-keystone
[01:07] *** Chicago has quit IRC
[01:07] *** mberlin has quit IRC
[01:07] *** mberlin has joined #openstack-keystone
[01:15] *** browne has quit IRC
[01:20] *** Chicago has joined #openstack-keystone
[01:20] *** Chicago has joined #openstack-keystone
[01:29] *** NM has joined #openstack-keystone
[01:32] *** ncoghlan has joined #openstack-keystone
[01:33] *** dstanek_zzz is now known as dstanek
[01:35] *** NM has quit IRC
[01:37] *** Chicago has quit IRC
[01:38] *** rwsu has quit IRC
[01:38] *** gordc has joined #openstack-keystone
[01:49] *** marcoemorais has quit IRC
[02:10] *** stevemar has joined #openstack-keystone
[02:19] *** nsquare has quit IRC
[02:19] *** stevemar has quit IRC
[02:24] *** dims_ has quit IRC
[02:29] *** stevemar has joined #openstack-keystone
[02:33] *** sbfox has joined #openstack-keystone
[02:35] *** ncoghlan is now known as ncoghlan_afk
[02:38] *** amcrn has quit IRC
[02:38] *** daneyon has joined #openstack-keystone
[02:39] *** dims_ has joined #openstack-keystone
[02:44] *** dims_ has quit IRC
<openstackgerrit> Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure
[02:45] *** zhiyan_ is now known as zhiyan
[02:48] *** sbfox has quit IRC
[02:48] *** xianghui has quit IRC
[02:53] *** harlowja is now known as harlowja_away
[02:55] *** amcrn has joined #openstack-keystone
[02:57] *** ncoghlan_afk is now known as ncoghlan
<openstackgerrit> Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option
[03:03] *** ncoghlan is now known as ncoghlan_afk
[03:05] *** gokrokve_ has joined #openstack-keystone
[03:05] *** praneshp has quit IRC
[03:10] *** dims_ has joined #openstack-keystone
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Add cloud auditing notification documentation
[03:12] <morganfainberg> stevemar, hmmmm.
[03:15] *** dims_ has quit IRC
[03:16] <stevemar> morganfainberg, !!!!
[03:17] <morganfainberg> stevemar, ¡¡¡¡
[03:17] <morganfainberg> hows it goin?
[03:17] <stevemar> morganfainberg, mmmm not bad
<openstackgerrit> Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option
[03:19] *** gyee has quit IRC
[03:19] *** xianghui has joined #openstack-keystone
[03:20] *** gokrokve_ has quit IRC
[03:23] *** einarf has quit IRC
[03:26] <stevemar> morganfainberg, i'm actually going to sleep early tonight
[03:26] <stevemar> early morning tmrw
[03:27] <morganfainberg> stevemar, whoa.
[03:27] <morganfainberg> stevemar, sleeep?
[03:27] <morganfainberg> what is this thing you call slllleeeeeep?
[03:27] <morganfainberg> have a good night man
[03:27] <stevemar> morganfainberg, i'm calling it 3-4 hrs earlier than i normally do :P
[03:33] *** stevemar has quit IRC
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Documentation
[03:40] *** einarf has joined #openstack-keystone
[03:41] <dstanek> morganfainberg: did you see the conversation brant and i had earlier?
[03:41] <morganfainberg> dstanek, about?
[03:41] <morganfainberg> dstanek, (i just got back a little bit ago, so maybe not)
[03:42] <morganfainberg> dstanek, oh oslo.config
[03:42] <morganfainberg> *scrolling up*
[03:44] *** topol has joined #openstack-keystone
[03:44] <morganfainberg> lol 'return ValueError' really?
[03:45] <ayoung> morganfainberg, dstanek OK this is how the policy stuff should work: first: endpoints are (like) users. Instead of one set of credentials that we copy to each Nova etc we give each a distinct Identity. They should be using an X509 to authenticate to Keystone when they need to do stuff. And, that is how they fetch policy: get the policy assigned to the endpoint-user
[03:45] <morganfainberg> dstanek, so that is why it wasn't enforcing a min/max
[03:46] <ayoung> The X509 can be self signed by the endpoint for all we really care, although it means that we will have a bunch of CAs...better to have them issued by Keystone
[03:46] <ayoung> The only reason x509 is because you can't do SSH key based authentication on the web
[03:46] <ayoung> and Kerberos is too high a barrier to entry
[03:46] <ayoung> but for the Kerberos shops we should allow it
[03:47] <ayoung> I think that even with eventlet we can do X509 based client auth
[03:47] <dstanek> ayoung: so are endpoints and their credentials kept in a new table?
[03:47] <ayoung> upon endpoint registration, upload a cert, or a CSR
[03:47] <ayoung> dstanek, I think we can use the existing endpoint table
[03:48] <morganfainberg> ayoung, this sounds like it _needs_ barbican (or something similar for the ... services cert management/ca)
[03:48] <ayoung> just add a field for the X509, and maybe give them their own auth url
[03:48] <ayoung> morganfainberg, for a professional deployment, yes
[03:48] <ayoung> I mean, we can do it with passwords, just like users, but that is not going to make the AD folks happy
[03:48] <dstanek> this may be a good discussion for the hackathon when the barbican guys can be there too
[03:48] <ayoung> we could make a user per endpoint in their own domain
[03:49] <ayoung> dstanek, the question is do we need API changes to make this happen
[03:49] *** hrybacki has joined #openstack-keystone
[03:49] <ayoung> and, if we do, will dolphm let us put them in after the J2 deadline
[03:49] * morganfainberg grumbles about wanting FreeIPA for ubuntu
[03:49] <ayoung> so hackathon is way too late if we need this for J2
[03:50] <dstanek> would endpoints then act as users (using a token to get the policy, etc)?
[03:50] <ayoung> morganfainberg, FreeIPA doesn't do user certs anyway
[03:50] <ayoung> it's hidden away behind dogtag and we need to hack IPA to expose them
[03:50] <ayoung> dstanek, yes
[03:50] <morganfainberg> ayoung, oh no? bleh
[03:50] <ayoung> dstanek, they use those credentials to get policy, and also to get revocation lists etc
[03:51] <dstanek> ayoung: so i guess the api question is whether or not to use the current auth endpoint or add another?
[03:51] <ayoung> morganfainberg, yeah, I've been complaining about user certs for years with IPA
[03:51] <ayoung> dstanek, I would make it another
[03:51] <ayoung> It only accepts client certs, and only checks them against endpoints
[03:52] <topol> morganfainberg, qq if I want to pull down a patch that I don't have on my machine to update I use git review -d <patchnumber> correct?
[03:52] <morganfainberg> topol, yeah that will work
[03:52] <ayoung> pki_setup and ssl_setup are already hacks. This would be an additional hack just like them: endpoint_cert
[03:52] *** jdennis has quit IRC
[03:52] *** hrybacki has quit IRC
[03:53] <topol> morganfainberg, thanks, my vm had a panic attack earlier
[03:53] <morganfainberg> topol, np!
[03:53] <ayoung> dstanek, make it a stand alone CLI operation to start, and then after you register the endpoint, have an api "upload cert for endpoint"
[03:54] *** jdennis has joined #openstack-keystone
[03:54] <ayoung> we could roll the service users into the endpoint table
[03:54] <dstanek> ayoung: have you started to spec out the api changes you think you need?
[03:54] <ayoung> dstanek, in fits and starts, but not end to end
[03:55] <ayoung> dstanek, I was trying to avoid a big bang on this...but I think this is the right approach
[03:55] <ayoung> let me see what I have
[03:56] *** Abhijeet_ has joined #openstack-keystone
[03:56] <ayoung> that is for the assignment side. But nothing on the X509 client cert side
[03:56] <ayoung> gyee had some, though
[03:56] <ayoung> token-less operations were based on X509
<dstanek> morganfainberg: this was basically my alternative to your patch after oslo.config is fixed
[03:59] <morganfainberg> dstanek, cool
[04:01] <dstanek> morganfainberg: i really wanted something like, but i haven't proposed my patch to oslo.config yet (not sure if anyone else cares)
[04:02] *** Abhijeet_ has quit IRC
[04:04] *** gordc has left #openstack-keystone
[04:11] *** schofield has quit IRC
[04:11] *** dims_ has joined #openstack-keystone
[04:13] *** schofield has joined #openstack-keystone
[04:16] *** dims_ has quit IRC
<openstackgerrit> Brad Topol proposed a change to openstack/keystone: Add cloud auditing notification documentation
<openstackgerrit> ayoung proposed a change to openstack/keystone-specs: Endpoint Authentication via X509 Certificates
[04:19] <ayoung> dstanek, morganfainberg look at that, and then...maybe we say instead that each endpoint has to have a distinct user
[04:19] <ayoung> but I think keeping endpoints distinct makes sense, if only for the policy fetch
[04:20] <ayoung> if we do endpoint to user, either we make their IDs match, or we need a column in the endpoint table to get endpoint by endpointuser
[04:20] <ayoung> OK...I'm done ranting...I hope I can sleep
<openstackgerrit> Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure
[04:22] *** dstanek is now known as dstanek_zzz
[04:24] *** ncoghlan_afk is now known as ncoghlan
[04:25] *** ncoghlan is now known as ncoghlan_afk
[04:30] <ayoung> morganfainberg, OK...can't sleep yet. Better approach: each endpoint does get its own user. We put them in the endpoints domain (sql) and the X509 for the endpoint goes in the credentials table with a type of X509
[04:30] <ayoung> then we have a separate auth endpoint that uses that information
[04:31] <ayoung> it can be done with passwords if people insist...and I can figure out a Kerberos solution, too.
[04:31] <ayoung> ^^ makes more sense in the light of henrynash's patch
[04:34] <ayoung> I think I can sleep.
[04:34] *** ayoung is now known as ayoung_zzzzzZ
<openstackgerrit> Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option
[04:43] *** dstanek_zzz is now known as dstanek
<openstackgerrit> Brad Topol proposed a change to openstack/keystone: Add instructions for removing pyc files to docs
[04:46] *** dims_ has joined #openstack-keystone
[04:51] *** dims_ has quit IRC
[04:51] *** sbfox has joined #openstack-keystone
[04:53] *** dstanek is now known as dstanek_zzz
<openstackgerrit> ayoung proposed a change to openstack/keystone-specs: endpont policy
[04:59] *** ncoghlan_afk is now known as ncoghlan
[05:00] *** schofield has quit IRC
[05:00] *** schofield has joined #openstack-keystone
[05:06] *** zhiyan is now known as zhiyan_
[05:13] *** zhiyan_ is now known as zhiyan
[05:26] *** ajayaa has joined #openstack-keystone
[05:31] *** ajayaa has quit IRC
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Add a fixture for keystone version discovery
[05:35] *** topol has quit IRC
[05:41] *** ajayaa has joined #openstack-keystone
[05:44] *** dstanek_zzz is now known as dstanek
[05:47] *** dims_ has joined #openstack-keystone
[05:51] *** dims_ has quit IRC
<openstackgerrit> Andre Naehring proposed a change to openstack/python-keystoneclient: Added help text for the debug option
[05:54] *** xianghui has quit IRC
[05:54] *** dstanek is now known as dstanek_zzz
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
[06:03] *** praneshp has joined #openstack-keystone
[06:06] *** xianghui has joined #openstack-keystone
[06:10] *** praneshp_ has joined #openstack-keystone
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Add a fixture for keystone version discovery
[06:13] *** praneshp has quit IRC
[06:13] *** praneshp_ is now known as praneshp
[06:18] *** einarf has quit IRC
[06:20] *** ihrachyshka has joined #openstack-keystone
[06:20] *** schofield has quit IRC
[06:23] <ihrachyshka> hey. I'm from neutron team, and I have a question re: new [identity|auth]_uri options. I try to migrate to new options with the following patch: The problem we have is that if we remove old auth_[host|...] options from the conf file, and they are still used in our code, we break backwards compatibility (in case user upgrades neutron but doesn't update his conf file with new *uri options). Mark McClain suggested me to work with you guys on providing a utility function to construct those URIs from old pieces. What are your thoughts on that?
[06:30] *** ihrachyshka has quit IRC
[06:31] *** leseb has joined #openstack-keystone
[06:32] *** zhiyan is now known as zhiyan_
[06:34] *** schofield has joined #openstack-keystone
[06:35] *** Abhi_ has joined #openstack-keystone
<openstackgerrit> Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints
[06:39] <jamielennox> you mean you are using auth_token options within neutron itself?
[06:39] <jamielennox> must be gone...
[06:42] *** Abhi_ has quit IRC
[06:45] *** dstanek_zzz is now known as dstanek
[06:47] *** dims_ has joined #openstack-keystone
[06:50] *** AJain has joined #openstack-keystone
[06:51] *** AJain has quit IRC
[06:54] *** dims_ has quit IRC
[06:54] *** dstanek is now known as dstanek_zzz
<openstackgerrit> Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints
[07:00] *** zhiyan_ is now known as zhiyan
[07:08] *** BAKfr has joined #openstack-keystone
[07:17] <jamielennox> commented on ^, have a good weekend
[07:17] *** jamielennox is now known as jamielennox|away
[07:23] *** jimbaker has quit IRC
[07:28] *** afazekas_ has joined #openstack-keystone
[07:29] *** bobt has joined #openstack-keystone
[07:30] *** bobt has quit IRC
[07:37] *** amcrn has quit IRC
[07:37] *** marekd|away is now known as marekd
[07:37] <chmouel> morganfainberg: hey, sorry missed your hl last night
[07:38] <marekd> Good morning everybody!
[07:38] *** ihrachyshka has joined #openstack-keystone
[07:43] *** ncoghlan has quit IRC
[07:45] *** dstanek_zzz is now known as dstanek
[07:50] *** dims_ has joined #openstack-keystone
[07:53] <ihrachyshka> jamielennox|away: hey! thanks for the comment on auth_uri. That said, isn't the code that you've referred to exactly what we would need to construct URI? can we move that into some common public function to reuse in e.g. neutron?
[07:55] *** dims_ has quit IRC
[07:55] *** dstanek is now known as dstanek_zzz
[07:59] *** mberlin has quit IRC
[08:03] *** mberlin has joined #openstack-keystone
[08:10] *** zhiyan is now known as zhiyan_
[08:18] *** amcrn has joined #openstack-keystone
[08:23] *** sbfox has quit IRC
[08:30] *** zhiyan_ is now known as zhiyan
[08:34] *** leseb_ has joined #openstack-keystone
[08:34] *** leseb has quit IRC
[08:38] *** leseb has joined #openstack-keystone
[08:39] *** leseb_ has quit IRC
[08:46] *** dstanek_zzz is now known as dstanek
[08:48] *** leseb_ has joined #openstack-keystone
[08:49] *** leseb has quit IRC
[08:51] *** dims_ has joined #openstack-keystone
[08:52] *** zhiyan is now known as zhiyan_
[08:56] *** dims_ has quit IRC
[08:56] *** dstanek is now known as dstanek_zzz
<marekd> dolphm: o/ can we please merge it finally? This docfix already has +2 from stevemar and couple of +1 from non-cores.
[09:00] *** zhiyan_ is now known as zhiyan
<openstackgerrit> A change was merged to openstack/identity-api: Updated from global requirements
[09:03] *** jaosorior has joined #openstack-keystone
[09:09] *** zhiyan is now known as zhiyan_
[09:09] *** d0ugal has quit IRC
[09:10] *** d0ugal has joined #openstack-keystone
[09:10] *** zhiyan_ is now known as zhiyan
[09:24] *** Ackowa has joined #openstack-keystone
[09:26] <Ackowa> Hi, Does anyone here know if I can get keystone client to use persistent connection. Ex. get the token and then list tenants without opening a new socket?
[09:42] *** praneshp has quit IRC
[09:47] *** dstanek_zzz is now known as dstanek
[09:52] *** dims_ has joined #openstack-keystone
[09:55] *** einarf has joined #openstack-keystone
[09:56] *** dims_ has quit IRC
[09:57] *** dstanek is now known as dstanek_zzz
[10:04] *** jamielennox|away has quit IRC
[10:06] *** zhiyan is now known as zhiyan_
[10:07] *** jamielennox|away has joined #openstack-keystone
[10:15] *** NM has joined #openstack-keystone
<openstackgerrit> A change was merged to openstack/keystone: Block delegation escalation of privilege
[10:22] *** NM has quit IRC
[10:25] *** einarf has quit IRC
<openstackgerrit> Stuart McLaren proposed a change to openstack/keystone: enable multiple keystone-all worker processes
[10:34] *** NM has joined #openstack-keystone
[10:35] *** leseb_ has quit IRC
[10:43] *** NM has quit IRC
[10:48] *** dstanek_zzz is now known as dstanek
[10:51] *** chandan_kumar has joined #openstack-keystone
[10:51] *** NM has joined #openstack-keystone
[10:52] *** chandankumar has quit IRC
[10:52] *** radez_g0n3 is now known as radez
[10:52] *** dims_ has joined #openstack-keystone
[10:54] *** NM has quit IRC
[10:56] *** chandan_kumar has quit IRC
[10:57] *** chandan_kumar has joined #openstack-keystone
[10:57] *** dims_ has quit IRC
[10:58] *** dstanek is now known as dstanek_zzz
[11:00] *** NM has joined #openstack-keystone
[11:07] *** NM has quit IRC
[11:16] *** dims_ has joined #openstack-keystone
<openstackgerrit> Steven Hardy proposed a change to openstack/keystone-specs: Spec for trusts redelegation
<openstackgerrit> Steven Hardy proposed a change to openstack/keystone-specs: Spec for trusts redelegation
[11:27] *** juanmo has joined #openstack-keystone
<openstackgerrit> Kristy Siu proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations
[11:43] *** leseb has joined #openstack-keystone
[11:48] *** leseb has quit IRC
[11:48] *** dstanek_zzz is now known as dstanek
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.
[11:55] *** Ackowa has quit IRC
[11:56] *** leseb has joined #openstack-keystone
[11:58] *** dstanek is now known as dstanek_zzz
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.
<openstackgerrit> Kristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers
[12:16] *** ihrachyshka has quit IRC
[12:16] *** ihrachyshka has joined #openstack-keystone
[12:22] *** rodrigods has joined #openstack-keystone
[12:23] *** erecio has joined #openstack-keystone
[12:33] *** radez is now known as radez_g0n3
[12:35] *** jsavak has joined #openstack-keystone
[12:36] *** NM has joined #openstack-keystone
[12:42] *** einarf has joined #openstack-keystone
[12:47] *** stevemar has joined #openstack-keystone
[12:48] *** ajayaa has quit IRC
[12:49] *** dstanek_zzz is now known as dstanek
[12:53] *** einarf has quit IRC
[13:12] *** hrybacki has joined #openstack-keystone
[13:13] *** hrybacki has quit IRC
[13:13] *** hrybacki has joined #openstack-keystone
[13:18] *** ayoung_zzzzzZ is now known as ayoung
[13:18] <ayoung> hrybacki, you tracking>
[13:19] *** topol has joined #openstack-keystone
[13:22] <hrybacki> ayoung: I've noted several places where revocation checking is done but I'm not sure the best way to note where they all are. Tips?
[13:22] <ayoung> Move them one at a time and make sure the unit tests don't break
[13:23] <ayoung> hrybacki, use a debugger and step through
[13:23] <ayoung> the use cases you need to make sure are covered are:
[13:23] <ayoung> (cached and uncached), (pki, pkiz, uuid)
[13:23] *** topol has quit IRC
[13:24] <ayoung> so, 6 total variations
[13:24] *** thiagop has joined #openstack-keystone
[13:25] <hrybacki> ayoung++ and you noted the signed tokens need to be unpacked before they can be checked -- when are tokens signed and when wouldn't they be (more from a theoretical point of view than our implementation)
[13:26] <ayoung> hrybacki, ok, here is how tokens are used
[13:26] <ayoung> there are two formats: signed and unsigned, handed out by keystone
[13:26] <ayoung> the end user doesn't know which he is going to get
[13:26] <ayoung> he just goes to keystone and gets a token
[13:26] <ayoung> then hands that token over to nova
[13:26] *** radez_g0n3 is now known as radez
[13:26] *** lbragstad has joined #openstack-keystone
[13:27] <ayoung> or whatever other service,
[13:27] <ayoung> nova then looks at the token and performs the is it pki or uuid check
[13:27] <ayoung> is_asn_1 or pkiz mean it is signed
[13:27] <ayoung> if not, nova calls back to keystone and gets the token data
[13:28] <ayoung> now, in this case, the revocation check is not really needed, as keystone will say "invalid" if the uuid token has been revoked
[13:28] <hrybacki> bypassing the user?
[13:28] <ayoung> but for all the other cases, the check needs to be done in auth_token
[13:28] <ayoung> the user has handed the token to auth_token (in nova) and then nova calls keystone
[13:28] <ayoung> no user involved
[13:29] <ayoung> so while there is no need to do a revocation check for uuid token on the first look up, skipping that would be performance tune, and probably not worth coding around
[13:29] <ayoung> the next time the user hands the token to keystone, uuid or pki, it is going to come out of the cache
[13:30] <ayoung> so it won't have to be unpacked
[13:30] <ayoung> but it will have to be checked against the revocation events
[13:31] *** juanmo has quit IRC
[13:31] *** lbragstad has quit IRC
[13:34] <ayoung> hrybacki, so, feel free to add to the unit tests, but I am pretty sure we have these uses well covered
[13:34] <ayoung> just make sure that they run after each change
<ayoung> hrybacki, you familiar with this
[13:35] <ayoung> and the associated book?
[13:35] <hrybacki> ayoung no
[13:35] <hrybacki> I mean refactoring, yes, not this book
[13:35] <ayoung> it's basically the "how to clean up someone else's code" guide
[13:36] *** lbragstad has joined #openstack-keystone
[13:36] <hrybacki> any sections in particular you'd recommend -- or just it in its entirety?
[13:37] <dstanek> or anyone's code really - i refactor my own code daily
[13:37] <ayoung> hrybacki, the one I use most often is extract_method
[13:37] <ayoung> this is kind of like that
[13:37] *** vhoward has joined #openstack-keystone
[13:38] <ayoung> hrybacki, so the call to validate pki token does the revocation check before the unpack
[13:38] <ayoung> but how many places is that called?
[13:38] *** tristanC has left #openstack-keystone
[13:38] <hrybacki> validate pki or the revocation check?
<ayoung> hrybacki, so extract the revoke check from
[13:40] <ayoung> and move it to
[13:41] <ayoung> and you should still have a full set of running unit tests
[13:41] <ayoung> then remove it from the pki call, and same deal
<ayoung> the one thing to watch for is the conditional
[13:42] <ayoung> hrybacki, that needs to be honored still, although I think it is a mistake and we should always check, but for some UUID setups, they don't publish the list.
[13:43] <hrybacki> why do you think it's a mistake?
[13:43] <ayoung> hrybacki, so...I don't think we can get this down to a single call due to that conditional, but we can consolidate where the revoke check is done
[13:43] <ayoung> hrybacki, I think caching tokens without checking for revocation is a mistake
[13:43] <ayoung> tokens can live 12 hours in the old set up
[13:44] <ayoung> we've shortened the default to 1 hour
[13:44] <hrybacki> okay, now I understand
[13:44] <ayoung> but that is configurable
[13:51] *** diegows has joined #openstack-keystone
[13:56] <ayoung> dstanek, still thinking policy. I suspect that making endpoints into users is going too far. It probably makes more sense for an endpoint to have a userid field, and point to a user record. All the endpoint users could be in a separate domain.
[13:57] <ayoung> with henrynash's patch, a domain for the undercloud managed by sql is a reality
<openstackgerrit> Ionut Artarisi proposed a change to openstack/python-keystoneclient: allow a user's primary tenant to be modified
[14:08] *** daneyon has quit IRC
[14:10] <hrybacki> can an individual token be associated with multiple token ids?
[14:15] *** thedodd has joined #openstack-keystone
[14:15] <ayoung> hrybacki, well, theoretically, with multiple hashing functions, yes. But practically speaking, no
[14:17] *** bklei has joined #openstack-keystone
<ayoung> hrybacki, care to take ownership of this
[14:18] <ayoung> you are going to need it, and that way you can submit both patches together.
[14:19] <ayoung> There are hacks to making it work. It involves git rebase -i and reordering patches
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone-specs: Propose api-validation blueprint
[14:20] <hrybacki> ayoung: how do I take ownership of something in gerrit?
[14:21] <ayoung> hrybacki, just submit an updated patch
[14:21] <ayoung> if you make any changes to the patch, add yourself as a co-author
[14:21] <ayoung> git log | grep author should show you the format
[14:22] <hrybacki> okay -- should I wait until is ready to be merged into it?
[14:22] *** ihrachyshka has quit IRC
[14:22] *** diegows has quit IRC
[14:24] <hrybacki> lbragstad++ that's an excellent SO response, good find
[14:24] *** BAKfr has quit IRC
[14:24] *** richm has joined #openstack-keystone
[14:25] <lbragstad> there's a lot of git documentation out there :)
[14:27] <rodrigods> does anyone know if there is a bp registered, or where is centralized the effort for other components to be compatible with keystone v3?
[14:28] <ayoung> hrybacki, nope
[14:28] <ayoung> two separate reviews
<ayoung> just fix the nits in
[14:29] *** topol has joined #openstack-keystone
[14:29] <ayoung> hrybacki, you should have both reviews as commits on the same branch. Any changes you make to the API code to as a third commit. Then, git rebase -i HEAD~3 and reorder the commits so your new changes are between the API commit and the auth_token changes
[14:30] <ayoung> once they are in the right order, you can squash the two commits together, also with git rebase -i
[14:35] <hrybacki> okay -- so add myself as a co-author on patch 14 of 81166?
[14:39] *** diegows has joined #openstack-keystone
[14:44] <dstanek> grrrr...i hate that we pass in ID's the create functions just for KVS backends
[14:44] *** diegows has quit IRC
[14:46] *** zhiyan_ is now known as zhiyan
[14:47] <rodrigods> anyone? =)
[14:52] *** marekd is now known as marekd|away
[15:01] *** devlaps has joined #openstack-keystone
<openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Make bash8 compliant
[15:09] *** zhiyan is now known as zhiyan_
<bklei> rodrigods maybe this
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: Revocation event API
rodrigodsbklei, yeah! thanks a lot =)15:13
*** schofield has left #openstack-keystone15:21
ayoungrodrigods, yeah?15:24
*** leseb has quit IRC15:33
*** leseb has joined #openstack-keystone15:33
rodrigodsayoung, are you aware of the efforts to make nova use keystone v3 api?15:34
ayoungrodrigods, I've heard about them, but have not been involved recently.  Why?15:35
rodrigodsayoung, i want to help =)15:35
ayoungrodrigods, what in Nova needs to make Keystone calls, outside of auth_token middleware?15:35
*** leseb has quit IRC15:38
*** erecio has quit IRC15:38
rodrigodsayoung, have no idea =) actually, my intent was to not start a work from scratch if it is already in progress15:41
ayoungrodrigods, find out the answer to that question and report back15:42
rodrigodsayoung, ok15:43
*** rwsu has joined #openstack-keystone15:43
bkleirodrigods jamiel has been working on
rodrigodsbklei, ah thanks a lot15:47
*** bknudson has joined #openstack-keystone15:48
*** bknudson has quit IRC15:48
*** bknudson has joined #openstack-keystone15:49
rodrigodsbklei, what about other components?15:49
*** amcrn has quit IRC15:52
*** raildo has joined #openstack-keystone15:52
bkleiI'll post what I know about: barbican (, nova (, glance (, swift (, neutron (, cinder (, ceilometer (, heat (
morganfainbergdstanek, pass ids from the manager to KVS or controller to manager?15:53
bkleirodrigods, i only know about those because i've been working on the neutron one15:54
*** htruta has joined #openstack-keystone15:54
rodrigodsbklei, thanks man, very appreciated15:56
stevemardolphm, trying to be kind to the gate15:56
*** gyee has joined #openstack-keystone15:58
*** sbfox has joined #openstack-keystone16:00
dstanekmorganfainberg: for example,
morganfainbergdstanek, ok so manager -> backend16:02
dstanekmorganfainberg: drives me crazy :-)16:02
morganfainbergdstanek, largely the manager should  control ID generation (it's what henrynash is driving towards for identity) we could just yank the info from the ref once it gets to the driver instead.16:03
dstanekbknudson: should format_url ever return None? re:
bknudsondstanek: I think it can return None now, but I don't see why it should ever do that16:04
dstaneki fixed it locally to raise a malformed exception and none of the tests failed16:05
bknudsondstanek: that works for me16:05
bknudsondstanek: it just has a return None in it for some reason16:06
bknudsonso it's probably just poorly spec'd16:06
dstanekit would happen if the url passed in is not a string (or string-like)16:06
dstaneki'm not sure if that's possible16:06
*** dims_ has quit IRC16:07
*** dims_ has joined #openstack-keystone16:08
*** jaosorior has quit IRC16:12
*** marcoemorais has joined #openstack-keystone16:12
henrynashmorganfainberg: ++16:13
henrynashmorganfainberg, dstanek: to that point, I’ve got a bit of a staging problem with my patch for that…16:14
dstanekhenrynash: what do you mean?16:14
henrynashmorganfainberg, dstanek: so i have all the changes to move ID generation from controller to manager in an un-submitted next version of my multi-backend_uuid patch (the code to move the generation is minor, the changes to many, many unit tests are indeed many, mechanical, but many)16:16
henrynashdstanek: morganfainberg made the sensible suggestion that it would be better to merge the changes for moving the generation to the manager ahead of all the multi-backend_uuid stuff that would use that16:17
dstanekhenrynash: i think that's probably a good idea16:17
dstanekdoes it apply cleanly against master?16:17
henrynashdstanek: however, I’m not sure I can easily separate out those changes since the uncommitted patch contains, of course, all the multi-backend-uuid changes as well16:18
dstanekhenrynash: it's a separate commit though, right?16:18
dstanekoh, uncommitted. can you commit on top of your patch so it's a commit?16:19
henrynashdstanek: you mean actually submit it?16:19
dstanekand then cherry-pick to master and see how bad the conflicts are?16:19
henrynashdstanek: so can I cherry-pick only the changes between two versions submitted?16:20
henrynashi.e. version 28 and 29?16:20
dstanekhenrynash: i wouldn't submit to gerrit16:20
dstanekor if you have the changes in your current working copy you can just 'git co master' and see what happens16:21
henrynashbut won’t that have all the other multi-backend-uuid changes in it too?16:21
henrynash(my copy that is)16:21
*** NM has quit IRC16:24
*** comstud is now known as bearhands16:25
morganfainbergdolphm, i'm going to tag the sha512 bug against ksc instead, and make the keystone one "wont fix".16:28
dstanekhenrynash: do you have uncommitted multi-backend changes?16:28
morganfainbergdolphm, i am hesitant to migrate the token table the more we talk about it.16:28
morganfainbergdolphm, and we should either document or limit the hash-types for the token.16:29
dstanekhenrynash: if you do the cherry-pick approach git will try to apply just the commit being picked and not ancestors16:29
henrynashdstanek: so I have (on my machine) committed a whole bunch of changes for moving the generation to the manager, on top of the latest multi-backend-uuid patch16:29
*** afazekas_ has quit IRC16:30
*** browne has joined #openstack-keystone16:30
henrynashso if I do a git log I only see one commit for (i assume) all the changes of multi-backend-uuid and my generator move changes16:31
morganfainbergdolphm, actually. nvm... maybe just documentation.16:31
dstanekhenrynash: you should have one commit for your manager changes and another for your multi-backend changes16:31
henrynashhmmm, let me check16:32
henrynashno, it appears that the head is a combined commit16:33
*** leseb has joined #openstack-keystone16:34
dstanekhenrynash: did you amend?16:34
henrynashyes, I think that was my problem…when I was doing it I assumed I would submit this as a next version of the multi-backend-uuid patch....16:35
henrynashwhich was a mistake, me thinks16:35
dstanekyeah, it's better to have multiple smaller patches16:35
henrynashyeah…I agree16:36
henrynashI think my only real option is to manually split it apart...16:36
*** daneyon has joined #openstack-keystone16:36
henrynashthere are a bunch of unit test files that are ONLY changed in moving generation16:36
henrynashand some that are changed in both, which I’ll just have to do by hand...16:37
henrynashI think it’s the right path…and will teach me to think before I type16:37
dstanekhaha, ok16:37
*** jimbaker has joined #openstack-keystone16:38
*** daneyon has quit IRC16:39
*** leseb has quit IRC16:39
*** daneyon has joined #openstack-keystone16:39
dstanekhenrynash: i spend a good percent of my dev time trying to split up my commits into a sensible patch series16:40
*** amcrn has joined #openstack-keystone16:42
*** thedodd has quit IRC16:49
*** PritiDesai has joined #openstack-keystone16:50
*** NM has joined #openstack-keystone16:51
morganfainbergdstanek, sometimes it's painful to try and do that :(16:52
morganfainbergdstanek, esp when i code myself into a corner (has happened some times)16:53
*** bknudson has left #openstack-keystone16:57
*** leseb has joined #openstack-keystone16:59
*** morganfainberg changes topic to "Please make reviewing specifications a priority:,n,z"17:00
*** PritiDesai has quit IRC17:02
dstanekmorganfainberg: true - often painful here, but it lets me make sure things are more correct17:03
dstanekand allows me and reviewers to see the steps i took to get to the final solution17:03
morganfainbergdstanek, ++17:03
*** leseb has quit IRC17:04
*** dims_ has quit IRC17:04
*** harlowja_away is now known as harlowja17:06
openstackgerritBoris Pavlovic proposed a change to openstack/keystone: Add sample of rally plugin
boris-42morganfainberg ^ add explanation of this patch, could you pls review it=)17:14
*** einarf has joined #openstack-keystone17:18
boris-42morganfainberg and one more question is keystone going to switch to apache by default in gates?)17:21
morganfainbergboris-42, that is the hope17:21
boris-42morganfainberg some experiments showed that it's quite simple get 4x better performance even in authenticate method
morganfainbergboris-42, but it requires some fixes to land before we can make it the default17:22
morganfainbergboris-42, it absolutely is the way we want to go17:22
boris-42morganfainberg good it will improve performance of whole openstack in gates=017:22
morganfainbergi expect to be gating on it (apache running keystone) within Juno, and the default to change in K (for devstack)17:22
boris-42morganfainberg oh quite long period of time=)17:23
boris-42morganfainberg btw we added user_sotries directory17:24
boris-42morganfainberg in rally17:24
nkinder+1 on httpd by default!17:24
morganfainbergwe will need to still run some of the gate tests under eventlet, since we will still support that deployment model17:24
nkindermorganfainberg: is there any outstanding compressed token stuff that blocks that?17:24
boris-42morganfainberg so everybody will be able to share their experiments17:24
morganfainbergso i expect in J to be split 50/50, and in K have one of the gate jobs be eventlet and the rest apache17:24
morganfainbergnkinder, i think we need to shake out the changes to make pkiz the default17:25
boris-42morganfainberg drop event let drop it!=)17:25
morganfainbergboris-42, M :(17:25
morganfainbergboris-42, earliest i think we can drop eventlet17:25
boris-42morganfainberg oh lol=17:25
morganfainbergK deprecate, L stays deprecated, M remove17:25
morganfainbergnkinder, let me look at what is still required17:26
boris-42morganfainberg btw I almost finished this
*** einarf has quit IRC17:26
morganfainbergnkinder, i think here:
morganfainbergnkinder, that is the last bits of the chain.17:27
morganfainbergnkinder, then shake out any bugs with other services using PKIZ tokens17:27
boris-42morganfainberg wanna be first project with profiling support?)17:27
morganfainbergboris-42, not opposed to it. :)17:27
*** marcoemorais has quit IRC17:30
*** marcoemorais has joined #openstack-keystone17:30
*** praneshp has joined #openstack-keystone17:31
*** amcrn_ has joined #openstack-keystone17:34
*** amcrn has quit IRC17:36
*** diegows has joined #openstack-keystone17:40
*** gyee has quit IRC17:45
dstanekmorganfainberg, boris-42: i recently swapped gevent for eventlet as a test17:49
boris-42dstanek and?)17:50
boris-42dstanek how was that did you run any benchmarks?17:50
dstanekboris-42: it worked17:51
boris-42dstanek better or worse, or just worked/)17:51
dstaneki was less concerned with performance and more about py3 support17:51
dstaneki got it to work using gunicorn for my test - it would be pretty easy to do a very small concurrency test to gauge performance17:52
boris-42dstanek hm just use rally17:55
boris-42dstanek for test17:55
*** praneshp has quit IRC17:55
boris-42dstanek and it will be super easy=)17:55
boris-42dstanek just run couple of commands=)17:56
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Add spec for non-persistent-tokens
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Propose Specification for non-persistent-tokens
boris-42dstanek btw we need some help in rally17:57
boris-42dstanek with supporting v317:57
boris-42dstanek do you know anybody that is able to help us?)17:57
*** PritiDesai has joined #openstack-keystone17:57
morganfainbergdstanek, gevent woo!17:57
dstanekboris-42: do you have specific things to work on? i may be interested in hacking on it a little bit17:57
boris-42dstanek yep we have specific task=)17:57
boris-42dstanek now we are using hardcoded version2 =)17:58
dstanekmorganfainberg: my prefs is to deploy nginx->gunicorn->app17:58
boris-42dstanek I would like to make everything working with v3 and v2 =)17:58
morganfainbergdstanek, i want to support uwsgi as well.17:58
boris-42dstanek ^ this is how we deal with authentication & clients17:58
boris-42dstanek I think most issues are here*17:58
dstanekboris-42: i'll setup rally again and poke around17:59
boris-42dstanek btw we have good manuals17:59
boris-42dstanek actually installing is super simple17:59
boris-42dstanek run this and you'll get it17:59
*** NM has quit IRC18:00
boris-42dstanek and this is instruction step by step how to run rally against existing cloud
dstanekmorganfainberg: been there done that and i have the uwsgi.conf to prove it!18:00
boris-42dstanek you can take not nova but keystone sample from
morganfainbergdstanek, awesome! yeah trying to get this whole mess w/ apache working, then we can do more wsgi implementations :)18:00
dstanekmorganfainberg: what's not working with apache?18:01
morganfainbergi'd love to have unicorns and uwsgi powering keystone (documented on how at least)18:01
morganfainbergdstanek, compressed tokens are needed18:01
morganfainbergdstanek, and some other icky bits (broken devstack - trying to get the fix through gate)18:01
morganfainbergdstanek, the fix for devstack is just gating issue, and the compressed tokens are reviews ayoung has up (needs work)18:02
*** praneshp has joined #openstack-keystone18:03
*** gyee has joined #openstack-keystone18:13
*** ihrachyshka has joined #openstack-keystone18:17
*** amcrn_ has quit IRC18:18
*** PritiDesai has quit IRC18:32
*** dims_ has joined #openstack-keystone18:41
openstackgerritDavid Stanek proposed a change to openstack/keystone: Ignore broken endpoints in get_catalog
openstackgerritDavid Stanek proposed a change to openstack/keystone: Updates keystone.catalog.core.format_url tests
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes catalog URL formatting to never return None
*** NM has joined #openstack-keystone18:50
hrybackiayoung: okay -- my changes were in another branch so I rebased my change branch (from your branch)18:51
hrybackirun tests, git review18:51
*** sbfox has quit IRC18:53
*** ihrachyshka has quit IRC18:54
*** sbfox has joined #openstack-keystone18:54
hrybackiayoung: I must not have done this correctly -- ! [remote rejected] HEAD -> refs/publish/master/revocation_events_script (change 98534 closed)18:55
hrybackigit review is failing on that -- but 98534 is an oauth thing18:55
*** sbfox1 has joined #openstack-keystone18:55
*** sbfox has quit IRC18:55
ayounghrybacki, if you run git log, is the second commit 99aa311b4c1c8a20419a93e1a21d9f73c3b861ac18:57
hrybackino --  86d38a15bdb03d93a036a30dc6faa2ac270d12c518:57
*** ihrachyshka has joined #openstack-keystone18:58
hrybacki33ed4cfbec87a6551ebc0f1df6de11d16a6f0ca2 | 86d38a15bdb03d93a036a30dc6faa2ac270d12c5  | 4655c7886f11be24f85ee6b7ba9f4ca6b3b90b8618:59
hrybacki1, 2, 318:59
*** stevemar has quit IRC19:00
*** dims has joined #openstack-keystone19:00
*** stevemar has joined #openstack-keystone19:01
ayoungOK, you need to start with 99aa311b4c1c8a20419a93e1a21d9f73c3b861ac  and then apply your other changes.  I assume you only have one commit with the auth_token work, or is it two?19:01
*** daneyon has quit IRC19:02
*** dims_ has quit IRC19:03
hrybackiI didn't see steve's patch before19:04
*** sbfox1 has quit IRC19:04
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Revocation event API
ayoungOK, I just rebased on gerrit19:05
ayoungthe revoke API patch is now f07ba232efe7549ae3ce088170f4eabb61ab70a619:05
ayoungyou can get it (without losing your branch)19:05
ayounggit fetch ssh:// refs/changes/66/81166/17 && git checkout FETCH_HEAD19:05
ayoungI'd run that, then name the branch, then cherry pick the commit with your work19:06
hrybackihow do you cherry pick commits?19:07
*** PritiDesai has joined #openstack-keystone19:10
*** diegows has quit IRC19:15
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: check revocation by events in auth_token middleware
ayounglooks like it19:22
hrybackitotally did that from the branch I fetched from you19:22
hrybackiayoung: so how do I fix this sort of mixup?19:24
ayoungone sec19:24
ayoungNo mixup.  All looks good.19:26
ayoungI did a code review.  Check it out19:26
*** diegows has joined #openstack-keystone19:27
hrybackiI must have misunderstood -- I thought my change was getting shoved into 81166 with this19:31
*** sbfox has joined #openstack-keystone19:40
*** sbfox has quit IRC19:41
*** sbfox has joined #openstack-keystone19:41
topolany chance a core  can give a second +2 to ?19:46
*** mfisch has quit IRC19:46
topolI think it's good to go and will get one more spec off our plate19:46
*** mfisch has joined #openstack-keystone19:46
*** mfisch has quit IRC19:47
*** mfisch has joined #openstack-keystone19:47
*** PritiDesai has quit IRC19:50
*** daneyon has joined #openstack-keystone19:52
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: add descriptive language of the failing URL in error messages
*** amcrn has joined #openstack-keystone20:00
*** joesavak has quit IRC20:04
*** hrybacki_ has joined #openstack-keystone20:22
*** hrybacki has quit IRC20:26
*** hrybacki_ has quit IRC20:26
*** stevemar has quit IRC20:32
*** raildo has left #openstack-keystone20:51
*** PritiDesai has joined #openstack-keystone20:54
*** topol has quit IRC20:55
openstackgerritA change was merged to openstack/python-keystoneclient: Link to docstrings in using-api-v3
*** bklei has quit IRC20:59
*** rodrigods has quit IRC21:00
*** radez is now known as radez_g0n321:01
*** ihrachyshka has quit IRC21:05
*** mgagne has quit IRC21:11
morganfainbergdtroyer_zz, ping, re  and getting the port reservation in fixup_stuff.sh21:11
morganfainbergdtroyer_zz, if you're here21:12
dtroyer_zzmorganfainberg: were you going to update that?21:13
morganfainbergdtroyer_zz, yeah just about to.21:13
morganfainbergdtroyer_zz, i was checking to make sure it is safe to assume the KEYSTONE_PORT variables exist in fixup_stuff or should i explicitly source lib/keystone?21:14
morganfainbergor uh ... wherever i should be sourcing21:14 looks to only source functions specifically21:14
dtroyer_zzwhen called from, lib/keystone has been sourced so it's fine, but not if called directly21:16
dtroyer_zzit should stand alone cleanly, so check for the vars and use just the 35357 default if they're not defined?21:16
morganfainbergworks for me21:16
morganfainbergjust wanting to make sure we're as clean as possible.21:16
morganfainbergdtroyer_zz, thanks!21:17
dtroyer_zznp, thanks for doing this21:17
*** mgagne has joined #openstack-keystone21:20
*** mgagne is now known as Guest6148621:20
*** daneyon has quit IRC21:30
*** sbfox1 has joined #openstack-keystone21:34
*** sbfox has quit IRC21:34
*** rodrigods has joined #openstack-keystone21:35
openstackgerritMorgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output
openstackgerritJoe Savak proposed a change to openstack/keystone-specs: Implements: blueprint keystone-to-keystone-federation
morganfainbergjsavak, woo! ^^ :)21:41
jsavakabout time, huh?21:42
morganfainbergjsavak, something i def. want to see working21:42
morganfainbergjsavak, just an FYI you have a lot of trailing whitespace in that doc21:43
jsavakyeah - i figured it'd be off first time21:43
jsavakthanks - i'll fix21:43
*** lbragstad has quit IRC21:44
*** jsavak has quit IRC21:49
*** rodrigods has quit IRC21:54
*** NM has quit IRC21:55
*** devlaps has quit IRC21:57
*** harlowja has quit IRC22:03
*** sbfox1 has quit IRC22:09
*** marcoemorais has quit IRC22:10
*** marcoemorais has joined #openstack-keystone22:11
*** rodrigods has joined #openstack-keystone22:28
*** henrynash has quit IRC22:31
*** Guest61486 has quit IRC22:38
*** rodrigods has quit IRC22:40
*** mgagne has joined #openstack-keystone22:41
*** mgagne is now known as Guest803122:41
*** amcrn has quit IRC22:47
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
*** rodrigods has joined #openstack-keystone22:59
*** rodrigods has quit IRC23:01
*** ericvw has quit IRC23:02
*** topol has joined #openstack-keystone23:08
morganfainbergtopol, have a question re your spec.23:20
topolhi morganfainberg, sure23:20
morganfainbergNotifications Impact: what is retrieving an unscoped token or a scoped token?23:21
morganfainbergis that a HEAD/GET of a token, or issuance of a new token?23:21
morganfainbergor something else23:21
*** NM has joined #openstack-keystone23:21
topolis that a federation support question or an audit question?23:22
topolsounds a pure federation question23:22
morganfainbergtopol, in this spec23:22
morganfainbergtopol, under 'Notification impact' what does 'Federated user attempts to retrieve an unscoped token.' mean?23:23
morganfainbergis that an HTTP GET request? or issuance of a new token23:23
morganfainbergtopol, because if it's a 'GET' request, this makes sense, if it's meant to be attempting to authenticate and get a new token... you see why i am confused?23:24
topolI think this is covered in the presentation we presented in Atlanta23:24
morganfainbergtopol, HTTP GET would be token validation.  I assume this is authentication.23:24
topolyes I believe this is authentication.23:25
morganfainbergtopol, sure. but we should be clear what we're implementing here. i don't know which one is meant by the verbiage. i want to be sure we're implementing the right one.23:25
topolK, my wife is telling me we need to go to dinner.  can you please leave a comment and I will make sure to address it?23:26
topolI'll look at it later tonight23:26
topolbasically the auditing will just be auditing what steve has implemented & new stuff implemented23:27
topolmorganfainberg, sorry but getting yelled at. need to run23:27
morganfainbergtopol, no worries23:27
morganfainbergtopol, i -1'd with a comment, otherwise looks good23:28
topolK, please leave a comment.23:28
topolK, thats fine.  THANKS23:28
morganfainbergtopol, clear that up and i think it's ready23:28
*** topol has quit IRC23:33
*** PritiDesai has quit IRC23:42
*** dims has quit IRC23:47
*** praneshp has quit IRC23:53
*** NM has quit IRC23:59
