Friday, 2014-06-13

morganfainberg	gyee, would you argue that MD5 is something that shouldn't be excluded form CMS if we had used that instead (ignore that it's our default)	00:00
morganfainberg	?	00:00
gyee	morganfainberg, I am saying there's notneed to limit anything in CMS because of this change	00:01
gyee	s/notneed/no need/	00:01
gyee	where things can be easily mitigated with a simple salted hash scheme	00:02
morganfainberg	in this case, i'm just aiming for the least pushback from the community so we can stop leaking info. stoping the leak is the part i care about.	00:02
gyee	I totally agree, the goal is stop leaking info	00:03
gyee	but if we can do it in a least intrusive manner that would be awesome	00:03
morganfainberg	anyway i need to go get ready to hit the gym	00:03
gyee	heh	00:03
gyee	same here	00:03
morganfainberg	i think this is a very un-intrusive way, no one can use SHA1 hashing yet :P	00:03
morganfainberg	and according to at leas tone person who pushed for the alternate hashing, it wouldn't / shouldn't be used anyway	00:04
morganfainberg	since sha256 is available.	00:04
gyee	k man, up to you, not a big deal	00:04
morganfainberg	gyee, if you can garner support for the hashed + salt i'm great with it	00:04
morganfainberg	:)	00:04
gyee	garner support = pay somebody off?	00:05
morganfainberg	i just don't know how much more i'm willing to spend arguing with people over this (btw, not considering this an argument w/ you, it's a good discussion)	00:05
morganfainberg	gyee, i don't got the $$$ to do that :P	00:05
*** rodrigods has quit IRC		00:05
morganfainberg	make them an offer they can't refuse? </godfather>	00:05
gyee	nice!	00:06
morganfainberg	anyway. as long as we stop leaking the info asap (next ksc release plz) i'm content with whatever solution	00:06
*** xianghui has joined #openstack-keystone		00:08
gyee	agree	00:08
*** schofield has quit IRC		00:13
*** ayoung has joined #openstack-keystone		00:14
morganfainberg	ayoung, /me dislikes finding random factoids about limitations in token things when working on other stuff :P	00:24
morganfainberg	ayoung, we could also make short-hash token ids not work when using a PKI provider (but it would break backwards compat) darn you compatibility	00:27
*** schofield has joined #openstack-keystone		00:30
*** dstanek_zzz is now known as dstanek		00:35
*** gordc has joined #openstack-keystone		00:36
ayoung	morganfainberg, we can drop the ID support over time. It really is a hack. You only need an ID if you are going to look it up in a persistant store, and for tokens, that should be a cache like memcache...something KVS. Not a database. And then the key that you use should be specific to the conversation:	00:38
*** dims_ has joined #openstack-keystone		00:39
morganfainberg	ayoung, yep.	00:39
ayoung	I a user hands a full token to swift, swift should be able to hand back a sha256 and say "use this next time"	00:39
ayoung	morganfainberg, so there are two things that I am worried about this release that are not under way	00:40
morganfainberg	as long as swift handles the different id and doesn't then go "hey keystone... what is this thing"	00:40
ayoung	the first is the ability for an endpoint to get its own policy file	00:40
ayoung	and the second is to have different keystone servers sign with different private keys	00:40
ayoung	morganfainberg, ++ on your comment	00:41
ayoung	so, the first requires an API change:	00:41
ayoung	get policy by endpoint	00:41
morganfainberg	ayoung, and the endpoint to know it's "id" or whatever it's lookup name is	00:41
ayoung	and the corresponding calls to set up the policy-endpoint relationship	00:41
ayoung	that is a config change, Ithink	00:41
ayoung	I though t the symas guy was going to take that and run with it, but I haven't heard from him.	00:42
morganfainberg	ayoung, sure. unless there is a better way (i got nothing)	00:42
ayoung	morganfainberg, I guess in theory it could be based on the service user	00:42
ayoung	get policy for user?	00:42
morganfainberg	ayoung, actually, that might be a good approach	00:42
ayoung	its muddy	00:43
morganfainberg	both are good imo	00:43
morganfainberg	good = good enough	00:43
ayoung	dolphm, had a good point that we don't need to specify the exact service	00:43
ayoung	it doesn't matter if we send identity policy to swift, for example	00:43
ayoung	as swift will only care about the rules that apply to swift	00:43
morganfainberg	after i get back from the gym i'm going to respn my specs so i can get some work towards persistenceless tokens done this cycle (at least)	00:44
ayoung	morganfainberg, cool. hrybacki is working on the auth_token side of it	00:44
ayoung	with a little bit of help, of course	00:44
morganfainberg	ayoung, oh did you see SpamapS's comment about the indexing and such for the revocation events table? [bug]	00:44
ayoung	I had Identified that last release	00:44
ayoung	just couldn't get it done in time	00:44
morganfainberg	his big comment was the ids should have been auto-inc int, i still think uuid is a bad choice.	00:44
ayoung	same here	00:45
morganfainberg	ayoung, cool.	00:45
*** dstanek is now known as dstanek_zzz		00:45
ayoung	uuid was just the default for the baseclass,	00:45
morganfainberg	yep sounds right	00:45
ayoung	autoinc, though, might be an issue with Galeria	00:45
morganfainberg	shrug easy enough to fix.	00:45
morganfainberg	nah galera is smart	00:45
ayoung	K	00:45
morganfainberg	it automatically does the offset magic	00:45
morganfainberg	or at least percona does, and anyone not deploying with percona does it themselves	00:45
morganfainberg	shouldn't be an issue for us.	00:46
ayoung	++	00:47
morganfainberg	i'll take over your spec for splitting the middleware (adding in the details) while i'm mucking with mine unless you really want to work on it.	00:47
ayoung	No, please take it	00:47
morganfainberg	sounds good.	00:47
ayoung	I'm stuck in Kerberos land these days	00:47
morganfainberg	hehe yah.	00:47
ayoung	with a long diversion into theforeman	00:47
ayoung	ugh	00:47
morganfainberg	heh ouch	00:48
ayoung	We're calling the internal project StayPuft. This is my reaction http://i1.ytimg.com/vi/7aW8oyTgA60/maxresdefault.jpg	00:48
morganfainberg	ayoung, http://www.youtube.com/watch?v=I6LD6ITN2dk	00:49
ayoung	I do that anyway	00:49
morganfainberg	lol	00:49
morganfainberg	do you think we'll be able to get agreement on non-persistent tokens this cycle? I'd like to have it as an option so by K horizon can use it.	00:50
ayoung	I think so	00:51
morganfainberg	i hope so.	00:51
ayoung	Ah...question	00:51
ayoung	what if we have two different Keystone servers issueing tokens	00:51
morganfainberg	sure	00:51
ayoung	how are we going to synchronize revocation events?	00:51
ayoung	notifications between the servers? Polling?	00:52
morganfainberg	or a way to do a union on the event lists	00:52
ayoung	that is easy, since we flush expired events	00:52
morganfainberg	if we have 2 sources of events, we union them. for cross keystone trust we need to make the same logic happen as auth_token does then	00:53
ayoung	If we solve this right, it will make horizontal scaling much easier	00:53
morganfainberg	"get me events from servers"	00:53
morganfainberg	ok i need to head out. gym time. be back in an hour and some change	00:53
ayoung	later	00:54
*** gordc has quit IRC		00:55
*** richm has joined #openstack-keystone		01:06
*** richm has left #openstack-keystone		01:07
*** Chicago has quit IRC		01:07
*** mberlin has quit IRC		01:07
*** mberlin has joined #openstack-keystone		01:07
*** browne has quit IRC		01:15
*** Chicago has joined #openstack-keystone		01:20
*** Chicago has joined #openstack-keystone		01:20
*** NM has joined #openstack-keystone		01:29
*** ncoghlan has joined #openstack-keystone		01:32
*** dstanek_zzz is now known as dstanek		01:33
*** NM has quit IRC		01:35
*** Chicago has quit IRC		01:37
*** rwsu has quit IRC		01:38
*** gordc has joined #openstack-keystone		01:38
*** marcoemorais has quit IRC		01:49
*** stevemar has joined #openstack-keystone		02:10
*** nsquare has quit IRC		02:19
*** stevemar has quit IRC		02:19
*** dims_ has quit IRC		02:24
*** stevemar has joined #openstack-keystone		02:29
*** sbfox has joined #openstack-keystone		02:33
*** ncoghlan is now known as ncoghlan_afk		02:35
*** amcrn has quit IRC		02:38
*** daneyon has joined #openstack-keystone		02:38
*** dims_ has joined #openstack-keystone		02:39
*** dims_ has quit IRC		02:44
openstackgerrit	Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325	02:44
*** zhiyan_ is now known as zhiyan		02:45
*** sbfox has quit IRC		02:48
*** xianghui has quit IRC		02:48
*** harlowja is now known as harlowja_away		02:53
*** amcrn has joined #openstack-keystone		02:55
*** ncoghlan_afk is now known as ncoghlan		02:57
openstackgerrit	Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942	02:58
*** ncoghlan is now known as ncoghlan_afk		03:03
*** gokrokve_ has joined #openstack-keystone		03:05
*** praneshp has quit IRC		03:05
morganfainberg	phew.	03:05
*** dims_ has joined #openstack-keystone		03:10
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add cloud auditing notification documentation https://review.openstack.org/97146	03:11
morganfainberg	stevemar, hmmmm.	03:12
*** dims_ has quit IRC		03:15
stevemar	morganfainberg, !!!!	03:16
morganfainberg	stevemar, ¡¡¡¡	03:17
morganfainberg	>.>	03:17
morganfainberg	hows it goin?	03:17
stevemar	morganfainberg, mmmm not bad	03:17
openstackgerrit	Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942	03:17
*** gyee has quit IRC		03:19
*** xianghui has joined #openstack-keystone		03:19
*** gokrokve_ has quit IRC		03:20
*** einarf has quit IRC		03:23
stevemar	morganfainberg, i'm actually going to sleep early tonight	03:26
stevemar	early morning tmrw	03:26
morganfainberg	stevemar, whoa.	03:27
morganfainberg	stevemar, sleeep?	03:27
morganfainberg	what is this thing you call slllleeeeeep?	03:27
morganfainberg	:P	03:27
morganfainberg	have a good night man	03:27
stevemar	morganfainberg, i'm calling it 3-4 hrs earlier than i normally do :P	03:27
morganfainberg	hehe	03:29
*** stevemar has quit IRC		03:33
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Documentation https://review.openstack.org/84070	03:35
*** einarf has joined #openstack-keystone		03:40
dstanek	morganfainberg: did you see the conversation brant and i had earlier?	03:41
morganfainberg	dstanek, about?	03:41
morganfainberg	dstanek, (i just got back a little bit ago, so maybe not)	03:41
morganfainberg	dstanek, oh oslo.config	03:42
morganfainberg	scrolling up	03:42
*** topol has joined #openstack-keystone		03:44
morganfainberg	lol 'return ValueError' really?	03:44
dstanek	:(	03:45
ayoung	morganfainberg, dstanek OK this is how the policy stuff should work: first: endpoints are (like) users. Instead of one set of credentials that we copy to each Nova etc we give each a distinct Identity. They should be using an X509 to authenticate to Keystone when they need to do stuff. And, that is how they fetch policy: get the policy assigned to the endpoint-user	03:45
morganfainberg	dstanek, so that is why it wasn't enforcing a min/max	03:45
ayoung	The X509 can be self signed by the endpoint for all we really care, although it means that we will have a bunch of CAs...better to have them issued by Keystone	03:46
ayoung	The only reason x509 is because you can't do SSH key based authentication on the web	03:46
ayoung	and Kerberos is too high a barrier to entry	03:46
ayoung	but for the Kerberos shops we should allow it	03:46
ayoung	so...	03:46
ayoung	I think that even with eventlet we can do X509 based client auth	03:47
dstanek	ayoung: so are endpoints and their credentials kept in a new table?	03:47
ayoung	upon endpoint registration, upload a cert, or a CSR	03:47
ayoung	dstanek, I think we can use the existing endpoint table	03:47
morganfainberg	ayoung, this sounds like it _needs_ barbican (or something similar for the ... services cert management/ca)	03:48
ayoung	just add a field for the X509, and maybe give them their own auth url	03:48
ayoung	morganfainberg, for a professional deployment, yes	03:48
ayoung	I mean, we can do it with passwords, just like users, but that is not going to make the AD folks happy	03:48
dstanek	this may be a good discussion for the hackathon when the barbican guys can be there too	03:48
ayoung	we could make a user per endpoint in their own domain	03:48
ayoung	dstanek, the question is do we need API changes to make this happen	03:49
*** hrybacki has joined #openstack-keystone		03:49
ayoung	and, if we do, will dolphm let us put them in after the J2 deadline	03:49
* morganfainberg grumbles about wanting FreeIPA for ubuntu		03:49
ayoung	so hackathon is way too late if we need this for J2	03:49
dstanek	would endpoints then act as users (using a token to get the policy, etc)?	03:50
ayoung	morganfainberg, FreeIPA doesn't do user certs anyway	03:50
ayoung	its hidden away behind dogtag and we need to hack IPA to expose the,m	03:50
ayoung	dstanek, yes	03:50
morganfainberg	ayoung, oh no? bleh	03:50
ayoung	dstanek, they use those credentials to get policy ,and also to get revocation lists etc	03:50
dstanek	ayoung: so i guess the api question is whether or not to use the current auth endpoint or add another?	03:51
ayoung	morganfainberg, yeah, I've beren complaining about user certs for years with IPA	03:51
ayoung	dstanek, I would make it another	03:51
ayoung	It only accepts client certs, and only checks them against endpoints	03:51
topol	morganfainberg, qq if I want to pull down a patch that I don't have on my machine to update I use git review -d <patchnumber> correct?	03:52
morganfainberg	topol, yeah that will work	03:52
ayoung	pki_setup and ssl_setup are already hacks. This would be an additional hack just like them: endpoint_cert	03:52
*** jdennis has quit IRC		03:52
*** hrybacki has quit IRC		03:52
topol	morganfainberg, thanks, my vm had a panic attach earlier	03:53
morganfainberg	topol, np!	03:53
ayoung	dstanek, make it a stand alone CLI operation to start, and then after you register the endpoint, have an api "upload cert for endpoint"	03:53
*** jdennis has joined #openstack-keystone		03:54
ayoung	we could roll the service users into the endpoint table	03:54
dstanek	ayoung: have you started to spec out the api changes you think you need?	03:54
ayoung	dstanek, in fits and starts, but not end to end	03:54
ayoung	dstanek, I was trying to avoid a big bang on this...but I think this is the right approach	03:55
ayoung	let me see what I have	03:55
ayoung	dstanek, https://blueprints.launchpad.net/keystone/+spec/endpoint-policy	03:55
*** Abhijeet_ has joined #openstack-keystone		03:56
ayoung	that is for the assignment side. But nothing on the X509 client cert side	03:56
ayoung	gyee had some, though	03:56
ayoung	token-less operations were based on X509	03:56
dstanek	morganfainberg: this was basically my alternative to your patch after olso.config is fixed http://dpaste.com/03YKP2A	03:58
morganfainberg	dstanek, cool	03:59
dstanek	morganfainberg: i really wanted something like http://dpaste.com/2M9WEF9, but i haven't proposed my patch to oslo.config yet (not sure if anyone else cares)	04:01
*** Abhijeet_ has quit IRC		04:02
*** gordc has left #openstack-keystone		04:04
*** schofield has quit IRC		04:11
*** dims_ has joined #openstack-keystone		04:11
*** schofield has joined #openstack-keystone		04:13
*** dims_ has quit IRC		04:16
openstackgerrit	Brad Topol proposed a change to openstack/keystone: Add cloud auditing notification documentation https://review.openstack.org/97146	04:17
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: Endpoint Authentication via X509 Certificates https://review.openstack.org/99837	04:18
ayoung	dstanek, morganfainberg look at that, and then...maybe we say instead that each endpoint has to have a distinct user	04:19
ayoung	but I think keeping endpoints distinct makes sense, if only for the policy fetch	04:19
ayoung	if we do endpoint to user, either we make their IDs match, or we need a column in the endpoint table to get endpoint by endpointuser	04:20
ayoung	OK...I'm done ranting...I hope I can sleep	04:20
openstackgerrit	Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325	04:21
*** dstanek is now known as dstanek_zzz		04:22
*** ncoghlan_afk is now known as ncoghlan		04:24
*** ncoghlan is now known as ncoghlan_afk		04:25
ayoung	morganfainberg, OK...can't sleep yet. Better approach: ach endpoint does get its own user. We put them in the endpoints domain (sql) and the X509 for th endpoint goes in the credentials table with a type of X509	04:30
ayoung	then we have a separate auth endpoint that uses that information	04:30
ayoung	it can be done with passwords if people insist...and I can figure out a Kerberos solution, too.	04:31
ayoung	^^ makes more sense in the light of henrynash 's patch	04:31
ayoung	OK...now I think I can sleep.	04:34
*** ayoung is now known as ayoung_zzzzzZ		04:34
openstackgerrit	Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942	04:35
*** dstanek_zzz is now known as dstanek		04:43
openstackgerrit	Brad Topol proposed a change to openstack/keystone: Add instructions for removing pyc files to docs https://review.openstack.org/97140	04:45
*** dims_ has joined #openstack-keystone		04:46
*** dims_ has quit IRC		04:51
*** sbfox has joined #openstack-keystone		04:51
*** dstanek is now known as dstanek_zzz		04:53
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: endpont policy https://review.openstack.org/99842	04:55
*** ncoghlan_afk is now known as ncoghlan		04:59
*** schofield has quit IRC		05:00
*** schofield has joined #openstack-keystone		05:00
*** zhiyan is now known as zhiyan_		05:06
*** zhiyan_ is now known as zhiyan		05:13
*** ajayaa has joined #openstack-keystone		05:26
*** ajayaa has quit IRC		05:31
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add a fixture for keystone version discovery https://review.openstack.org/99846	05:35
*** topol has quit IRC		05:35
*** ajayaa has joined #openstack-keystone		05:41
*** dstanek_zzz is now known as dstanek		05:44
*** dims_ has joined #openstack-keystone		05:47
*** dims_ has quit IRC		05:51
openstackgerrit	Andre Naehring proposed a change to openstack/python-keystoneclient: Added help text for the debug option https://review.openstack.org/99312	05:53
*** xianghui has quit IRC		05:54
*** dstanek is now known as dstanek_zzz		05:54
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/97005	06:00
*** praneshp has joined #openstack-keystone		06:03
*** xianghui has joined #openstack-keystone		06:06
*** praneshp_ has joined #openstack-keystone		06:10
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add a fixture for keystone version discovery https://review.openstack.org/99846	06:11
*** praneshp has quit IRC		06:13
*** praneshp_ is now known as praneshp		06:13
*** einarf has quit IRC		06:18
*** ihrachyshka has joined #openstack-keystone		06:20
*** schofield has quit IRC		06:20
ihrachyshka	hey. I'm from neutron team, and I have a question re: new [identity\|auth]_uri options. I try to migrate to new options with the following patch: https://review.openstack.org/90724 The problem we have is that if we remove old auth_[host\|...] options from the conf file, and they are still used in our code, we break backwards compatibility (in case user upgrades neutron but doesn't update his conf file with new *uri op	06:23
ihrachyshka	tions). Mark McClain suggested me to work with you guys on providing a utility function to construct those URIs from old pieces. What are your thoughts on that?	06:23
*** ihrachyshka has quit IRC		06:30
*** leseb has joined #openstack-keystone		06:31
*** zhiyan is now known as zhiyan_		06:32
*** schofield has joined #openstack-keystone		06:34
*** Abhi_ has joined #openstack-keystone		06:35
openstackgerrit	Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints https://review.openstack.org/99278	06:37
jamielennox	you mean you are using auth_token options within neutron itself?	06:39
jamielennox	must be gone...	06:39
*** Abhi_ has quit IRC		06:42
*** dstanek_zzz is now known as dstanek		06:45
*** dims_ has joined #openstack-keystone		06:47
*** AJain has joined #openstack-keystone		06:50
*** AJain has quit IRC		06:51
*** dims_ has quit IRC		06:54
*** dstanek is now known as dstanek_zzz		06:54
openstackgerrit	Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints https://review.openstack.org/99278	06:59
*** zhiyan_ is now known as zhiyan		07:00
*** BAKfr has joined #openstack-keystone		07:08
jamielennox	commented on ^, have a good weekend	07:17
*** jamielennox is now known as jamielennox\|away		07:17
*** jimbaker has quit IRC		07:23
*** afazekas_ has joined #openstack-keystone		07:28
*** bobt has joined #openstack-keystone		07:29
*** bobt has quit IRC		07:30
*** amcrn has quit IRC		07:37
marekd\|away	away	07:37
*** marekd\|away is now known as marekd		07:37
chmouel	morganfainberg: hey, sorry missed your hl last night	07:37
marekd	Good morning everybody!	07:38
*** ihrachyshka has joined #openstack-keystone		07:38
*** ncoghlan has quit IRC		07:43
*** dstanek_zzz is now known as dstanek		07:45
*** dims_ has joined #openstack-keystone		07:50
ihrachyshka	jamielennox\|away: hey! thanks for the comment on auth_uri. That said, isn't the code that you've referred to exactly what we would need to construct URI? can we move that into some common public function to reuse in e.g. neutron?	07:53
*** dims_ has quit IRC		07:55
*** dstanek is now known as dstanek_zzz		07:55
*** mberlin has quit IRC		07:59
*** mberlin has joined #openstack-keystone		08:03
*** zhiyan is now known as zhiyan_		08:10
*** amcrn has joined #openstack-keystone		08:18
*** sbfox has quit IRC		08:23
*** zhiyan_ is now known as zhiyan		08:30
*** leseb_ has joined #openstack-keystone		08:34
*** leseb has quit IRC		08:34
*** leseb has joined #openstack-keystone		08:38
*** leseb_ has quit IRC		08:39
*** dstanek_zzz is now known as dstanek		08:46
*** leseb_ has joined #openstack-keystone		08:48
*** leseb has quit IRC		08:49
*** dims_ has joined #openstack-keystone		08:51
*** zhiyan is now known as zhiyan_		08:52
*** dims_ has quit IRC		08:56
*** dstanek is now known as dstanek_zzz		08:56
marekd	dolphm: o/ can we please merge it finally? This docfix already has +2 from stevemar and couple of +1 from non-cores. https://review.openstack.org/#/c/97479	08:58
*** zhiyan_ is now known as zhiyan		09:00
openstackgerrit	A change was merged to openstack/identity-api: Updated from global requirements https://review.openstack.org/99031	09:00
*** jaosorior has joined #openstack-keystone		09:03
*** zhiyan is now known as zhiyan_		09:09
*** d0ugal has quit IRC		09:09
*** d0ugal has joined #openstack-keystone		09:10
*** zhiyan_ is now known as zhiyan		09:10
*** Ackowa has joined #openstack-keystone		09:24
Ackowa	Hi, Does anyone here know if I can get keystone client to use persistent connection. Ex. get the token and then list tenants without opening a new socket?	09:26
*** praneshp has quit IRC		09:42
*** dstanek_zzz is now known as dstanek		09:47
*** dims_ has joined #openstack-keystone		09:52
*** einarf has joined #openstack-keystone		09:55
*** dims_ has quit IRC		09:56
*** dstanek is now known as dstanek_zzz		09:57
*** jamielennox\|away has quit IRC		10:04
*** zhiyan is now known as zhiyan_		10:06
*** jamielennox\|away has joined #openstack-keystone		10:07
*** NM has joined #openstack-keystone		10:15
openstackgerrit	A change was merged to openstack/keystone: Block delegation escalation of privilege https://review.openstack.org/99687	10:21
*** NM has quit IRC		10:22
*** einarf has quit IRC		10:25
openstackgerrit	Stuart McLaren proposed a change to openstack/keystone: enable multiple keystone-all worker processes https://review.openstack.org/42967	10:31
*** NM has joined #openstack-keystone		10:34
*** leseb_ has quit IRC		10:35
*** NM has quit IRC		10:43
*** dstanek_zzz is now known as dstanek		10:48
*** chandan_kumar has joined #openstack-keystone		10:51
*** NM has joined #openstack-keystone		10:51
*** chandankumar has quit IRC		10:52
*** radez_g0n3 is now known as radez		10:52
*** dims_ has joined #openstack-keystone		10:52
*** NM has quit IRC		10:54
*** chandan_kumar has quit IRC		10:56
*** chandan_kumar has joined #openstack-keystone		10:57
*** dims_ has quit IRC		10:57
*** dstanek is now known as dstanek_zzz		10:58
*** NM has joined #openstack-keystone		11:00
*** NM has quit IRC		11:07
*** dims_ has joined #openstack-keystone		11:16
openstackgerrit	Steven Hardy proposed a change to openstack/keystone-specs: Spec for trusts redelegation https://review.openstack.org/99908	11:21
openstackgerrit	Steven Hardy proposed a change to openstack/keystone-specs: Spec for trusts redelegation https://review.openstack.org/99908	11:22
*** juanmo has joined #openstack-keystone		11:27
openstackgerrit	Kristy Siu proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations https://review.openstack.org/98087	11:37
*** leseb has joined #openstack-keystone		11:43
*** leseb has quit IRC		11:48
*** dstanek_zzz is now known as dstanek		11:48
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	11:53
*** Ackowa has quit IRC		11:55
*** leseb has joined #openstack-keystone		11:56
*** dstanek is now known as dstanek_zzz		11:58
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	11:59
openstackgerrit	Kristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers https://review.openstack.org/60489	12:10
*** ihrachyshka has quit IRC		12:16
*** ihrachyshka has joined #openstack-keystone		12:16
*** rodrigods has joined #openstack-keystone		12:22
*** erecio has joined #openstack-keystone		12:23
*** radez is now known as radez_g0n3		12:33
*** jsavak has joined #openstack-keystone		12:35
*** NM has joined #openstack-keystone		12:36
*** einarf has joined #openstack-keystone		12:42
*** stevemar has joined #openstack-keystone		12:47
*** ajayaa has quit IRC		12:48
*** dstanek_zzz is now known as dstanek		12:49
*** einarf has quit IRC		12:53
*** hrybacki has joined #openstack-keystone		13:12
*** hrybacki has quit IRC		13:13
*** hrybacki has joined #openstack-keystone		13:13
*** ayoung_zzzzzZ is now known as ayoung		13:18
ayoung	hrybacki, you tracking>	13:18
ayoung	?	13:18
*** topol has joined #openstack-keystone		13:19
hrybacki	ayoung: I've noted several places where revocation checking is done but I'm not sure the best way to note where they all are. TIps?	13:22
ayoung	Move them one at a time and make sure the unit tests don't break	13:22
ayoung	hrybacki, use a debugger and step through	13:23
ayoung	the use cases you need to make sure are covered are:	13:23
ayoung	(cached and uncached), (pki, pkiz, uuid)	13:23
*** topol has quit IRC		13:23
ayoung	so, 6 total variations	13:24
*** thiagop has joined #openstack-keystone		13:24
hrybacki	ayoung++ and you noted the signed tokens need to be unpacked before they can be checked -- when are tokens signed and when wouldn't they be (more from a theoretical point of view than our implementation)	13:25
ayoung	hrybacki, ok, here is how tokens are used	13:26
ayoung	there are two formate: signed and unsigned, handed out by keystone	13:26
ayoung	the end user doesn't know which he is going to get	13:26
ayoung	he just goes to keystone and gets a token	13:26
ayoung	then hands that token over to nova	13:26
*** radez_g0n3 is now known as radez		13:26
*** lbragstad has joined #openstack-keystone		13:26
ayoung	or whatever other service,	13:27
ayoung	nova then looks at the token and performs the is it pki or uuid check	13:27
ayoung	is_asn_token	13:27
ayoung	etc	13:27
hrybacki	nods	13:27
ayoung	is_asn_1 or pkiz mean it is signed	13:27
ayoung	if not, nova calls back to keystone and gets the token data	13:27
ayoung	now, in this case, the revocation check is not really needed, as keystone will say "invalid" if the uuid token has been revoked	13:28
hrybacki	bypassing the user?	13:28
ayoung	but for all the other cases, the check needs to be done in auth_token	13:28
hrybacki	ok	13:28
ayoung	the user has handed the token to auth_token (in nova) and then nova calls keystone	13:28
ayoung	no user involved	13:28
ayoung	so while there is no need to do a revocation check for uuid token on the first look up, skipping that would be performance tune, and probably not worth coding around	13:29
ayoung	the next time the user hands the token to keystone, uuid or pki, it is going to come out of the cache	13:29
ayoung	so it won't have to be unpacked	13:30
ayoung	but it will have to be checked against the revocaiton events	13:30
hrybacki	ok	13:30
*** juanmo has quit IRC		13:31
*** lbragstad has quit IRC		13:31
ayoung	hrybacki, so, feel free to add to the unit tests, but I am pretty sure we have these uses well covered	13:34
ayoung	just make sure that they run after each change	13:34
ayoung	hrybacki, you familiar with this http://refactoring.com/	13:35
ayoung	and the associated book?	13:35
hrybacki	ayoung no	13:35
hrybacki	I mean refactoring, yes, not this book	13:35
ayoung	its basically the "how to clean up someone elses code" guide	13:35
*** lbragstad has joined #openstack-keystone		13:36
hrybacki	any sections in particular you'd recommend -- or just it in its entirety?	13:36
ayoung	looking	13:37
dstanek	or anyone's code really - i refactor my own code daily	13:37
ayoung	hrybacki, the one I use most often is extract_method	13:37
ayoung	this is kindof like that	13:37
*** vhoward has joined #openstack-keystone		13:37
ayoung	hrybacki, so the call to validate pki token does the revocation check before the unpack	13:38
ayoung	but how many places is that called?	13:38
*** tristanC has left #openstack-keystone		13:38
hrybacki	validate pki or the revocation check?	13:38
ayoung	http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n927	13:39
ayoung	hrybacki, so extract the revoke check from http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n1355	13:40
ayoung	and move it to	13:40
ayoung	http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n934	13:40
ayoung	and you should still have a full set of running unit tests	13:41
ayoung	then remove it from the pki call, and same deal	13:41
hrybacki	okay	13:41
ayoung	the one thing to watch for is the conditional http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n915	13:41
ayoung	hrybacki, that needs to be honored still, although I think it is a mistake and we should always check, but for some UUID setups, they don't publish the list.	13:42
hrybacki	why do you think it's a mistake?	13:43
ayoung	hrybacki, so...I don't think we can get this down to a single call due to that conditional, but we can consolidate where the revoke check is done	13:43
ayoung	hrybacki, I think caching tokens without checking for revocation is a mistake	13:43
ayoung	tokens can live 12 hours in the old set up	13:43
ayoung	we've shortened the default to 1 hour	13:44
hrybacki	okay, now I understand	13:44
ayoung	but that is configurable	13:44
*** diegows has joined #openstack-keystone		13:51
ayoung	dstanek, still thinking policy. I suspec that making endpoints into users is going to far. It probably makes more sense for and endpoint to have a userid field, and point to a user record. All the endpoint users could be in a separate domain.	13:56
ayoung	with henrynash 's patch, a domain for the undercloud managed by sql is a reality	13:57
openstackgerrit	Ionut Artarisi proposed a change to openstack/python-keystoneclient: allow a user's primary tenant to be modified https://review.openstack.org/96763	14:03
*** daneyon has quit IRC		14:08
hrybacki	can an individual token be associated with multiple token ids?	14:10
*** thedodd has joined #openstack-keystone		14:15
ayoung	hrybacki, welll, theoretically, with multiple hashing functions, yes. But practically speaking, no	14:15
*** bklei has joined #openstack-keystone		14:17
ayoung	hrybacki, care to take ownership of this https://review.openstack.org/#/c/81166/	14:18
ayoung	you are going to need it, and that way you can submit both patches together.	14:18
ayoung	There are hacks to making it work. It involves git rebase -i and reordering patches	14:19
hrybacki	sure	14:19
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Propose api-validation blueprint https://review.openstack.org/95957	14:20
hrybacki	ayoung: how do I take ownership of something in gerrit?	14:20
ayoung	hrybacki, just submit an updated patch	14:21
ayoung	if you make any changes to the patch, add yourself as a co-author	14:21
ayoung	git log \| grep author should show you the format	14:21
hrybacki	okay -- should I wait until https://review.openstack.org/99751 is ready to be merged into it?	14:22
*** ihrachyshka has quit IRC		14:22
*** diegows has quit IRC		14:22
lbragstad	hrybacki: http://stackoverflow.com/questions/3042437/change-commit-author-at-one-specific-commit	14:23
hrybacki	lbragstad++ that's an excellent SO response, good find	14:24
*** BAKfr has quit IRC		14:24
*** richm has joined #openstack-keystone		14:24
lbragstad	there a lot of git documentation out there :)	14:25
rodrigods	does anyone know if there is a bp registered, or where is centralized the effort for other components to be compatible with keystone v3?	14:27
ayoung	hrybacki, nope	14:28
ayoung	two separate reviews	14:28
ayoung	just fix the nits in https://review.openstack.org/#/c/81166/	14:28
*** topol has joined #openstack-keystone		14:29
ayoung	hrybacki, you should have both reviews as commits on the same branch. Any changes you make to the API code to as a third commit. Then, git rebase -i HEAD~3 and reorder the commits so your new changes are between the API commit and the auth_token changes	14:29
ayoung	once they are in the right order, you can squash the two commits together, also with git rebase -i	14:30
hrybacki	okay -- so add myself as a co-author on patch 14 of 81166?	14:35
*** diegows has joined #openstack-keystone		14:39
dstanek	grrrr...i hate that we pass in ID's the create functions just for KVS backends	14:44
*** diegows has quit IRC		14:44
*** zhiyan_ is now known as zhiyan		14:46
rodrigods	anyone? =)	14:47
*** marekd is now known as marekd\|away		14:52
*** devlaps has joined #openstack-keystone		15:01
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Make gen_pki.sh bash8 compliant https://review.openstack.org/93438	15:08
*** zhiyan is now known as zhiyan_		15:09
bklei	rodrigods maybe this https://blueprints.launchpad.net/keystone/+spec/document-v2-to-v3-transition?	15:12
openstackgerrit	Harry Rybacki proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166	15:13
rodrigods	bklei, yeah! thanks a lot =)	15:13
bklei	np!	15:15
*** schofield has left #openstack-keystone		15:21
rodrigods	ayoung,	15:21
ayoung	rodrigods, yeah?	15:24
*** leseb has quit IRC		15:33
*** leseb has joined #openstack-keystone		15:33
rodrigods	ayoung, are you aware about the efforts to make nova use keystone v3 api?	15:34
ayoung	rodrigods, I've heard about them, but have not been involved recently. Why?	15:35
rodrigods	ayoung, i want to help =)	15:35
ayoung	rodrigods, what in Nova needs to make Keystone calls, outside of auth_token middleware?	15:35
*** leseb has quit IRC		15:38
*** erecio has quit IRC		15:38
rodrigods	ayoung, have no idea =) actually, my intent was to not start a work from scratch if is it already in progress	15:41
ayoung	rodrigods, find out the answer to that question and report back	15:42
rodrigods	ayoung, ok	15:43
*** rwsu has joined #openstack-keystone		15:43
bklei	rodrigods jamiel has been working on https://review.openstack.org/#/c/85920	15:44
rodrigods	bklei, ah thanks a lot	15:47
*** bknudson has joined #openstack-keystone		15:48
*** bknudson has quit IRC		15:48
*** bknudson has joined #openstack-keystone		15:49
rodrigods	bklei, what about other components?	15:49
*** amcrn has quit IRC		15:52
*** raildo has joined #openstack-keystone		15:52
bklei	I'll post what I know about: barbican (https://review.openstack.org/#/c/80124), nova (https://review.openstack.org/#/c/85920), glance (https://review.openstack.org/#/c/82126/), swift (https://review.openstack.org/#/c/91788/), neutron (https://review.openstack.org/#/c/92390), cinder (https://review.openstack.org/#/c/95305/), ceilometer (https://review.openstack.org/#/c/96323/), heat (https://review.openstack.org/#/c/92728/)	15:53
morganfainberg	dstanek, pass ids from the manager to KVS or controller to manager?	15:53
bklei	rodrigods, i only know about those because i've been working on the neutron one	15:54
*** htruta has joined #openstack-keystone		15:54
rodrigods	bklei, thanks man, very appreciated	15:56
bklei	np!	15:56
stevemar	dolphm, trying to be kind to the gate	15:56
*** gyee has joined #openstack-keystone		15:58
*** sbfox has joined #openstack-keystone		16:00
dstanek	morganfainberg: for example, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/core.py#n123	16:01
morganfainberg	dstanek, ok so manager -> backend	16:02
dstanek	morganfainberg: drives me crazy :-)	16:02
morganfainberg	dstanek, largely the manager should control ID generation (it's what henrynash is driving towards for identity) we could just yank the info from the ref once it gets to the driver instead.	16:03
dstanek	bknudson: should format_url ever return None? re: https://review.openstack.org/#/c/81528/4/keystone/catalog/backends/sql.py	16:04
bknudson	dstanek: I think it can return None now, but I don't see why it should ever do that	16:04
dstanek	i fixed it locally to raise a malformed exception and none of the tests failed	16:05
bknudson	dstanek: that works for me	16:05
bknudson	dstanek: it just has a return None in it for some reason	16:06
bknudson	so it's probably just poorly spec'd	16:06
dstanek	it would happen if the url passed in is not a string (or string-like)	16:06
dstanek	i'm not sure if that's possible	16:06
*** dims_ has quit IRC		16:07
*** dims_ has joined #openstack-keystone		16:08
*** jaosorior has quit IRC		16:12
*** marcoemorais has joined #openstack-keystone		16:12
henrynash	morganfainberg: ++	16:13
henrynash	morganfainberq, dstanek: to that point, I’ve got a bit of a staging problem with my patch for that…	16:14
dstanek	henrynash: what do you mean?	16:14
henrynash	morganfainberg, dstanek: so i have all teh changes to move ID generation from controller to manager in an un-submitted next version of my multi-backend_uuid patch (teh code to move the generation is minor, the changes to many, many unit tests are indeed many, mechanical, but many)	16:16
henrynash	dstanek: morganfainberg made the sensible suggestion that it would be better to merge the changes for moving teh generation to teh manager ahead of all teh multu-backend_uuid stuff that would use that	16:17
dstanek	henrynash: i think that's probably a good idea	16:17
dstanek	does it apply cleanly against master?	16:17
henrynash	dstanek: however, I’m not sure I can easily separate out out those changes since the uncommited patch contains, of course, all the multi-backend-uuid changes as well	16:18
dstanek	henrynash: it's a separate commit though, right?	16:18
dstanek	oh, uncommitted. can you commit on top of your patch so it's a commit?	16:19
henrynash	dstanek: you meanactualy submit it?	16:19
dstanek	and then cherry-pick to master and see how bad the conflicts are?	16:19
henrynash	dstanek: so can I cherrypick only teh changes between two version subimitted?	16:20
henrynash	i.e. version 28 and 29?	16:20
dstanek	henrynash: i wouldn't submit to gerrit	16:20
dstanek	or if you have the changes in your current working copy you can just 'git co master' and see what happens	16:21
henrynash	but won’t that have all the other multi-backend-uuisd cahnges in it too?	16:21
henrynash	(my copy that is)	16:21
*** NM has quit IRC		16:24
*** comstud is now known as bearhands		16:25
morganfainberg	dolphm, i'm going to tag the sha512 bug against ksc instead, and make the keystone one "wont fix".	16:28
dstanek	henrynash: do you have uncommitted multi-backend changes?	16:28
morganfainberg	dolphm, i am hesistant to migrate the token table the more we talk about it.	16:28
morganfainberg	dolphm, and we should either document or limit the hash-types for the token.	16:29
dstanek	henrynash: if you do the cherry-pick approach git will try to apply just the commit being picked and not ancestors	16:29
henrynash	dstanek: so I have (on my machine) commited a whol bunch of changes for moving the gernation to teh manger, on top of the latest mulit-backend-uuid patch	16:29
*** afazekas_ has quit IRC		16:30
*** browne has joined #openstack-keystone		16:30
henrynash	so if I do a git log I ony see one commit for (i assume) all teh changes of multi-backend-uuid and my genrator move changes	16:31
morganfainberg	dolphm, actually. nvm... maybe just documentation.	16:31
dstanek	henrynash: you should have one commit for you manager changes and another for your multi-backend changes	16:31
henrynash	hmmm, let me check	16:32
henrynash	no, it appears that the head is a combined commit	16:33
*** leseb has joined #openstack-keystone		16:34
dstanek	henrynash: did you amend?	16:34
henrynash	yes, I think that was my problme…when I was doing it I assumed I would submit this as a next version of the multi-backend-uuid patch....	16:35
henrynash	which was a mistake, me thinks	16:35
dstanek	yeah, it's better to have multiple smaller patches	16:35
henrynash	yeah…I agree	16:36
henrynash	I think my only real option is to manually split it apart...	16:36
*** daneyon has joined #openstack-keystone		16:36
henrynash	there are a bunch of unit test files that are ONLY changed in moving genration	16:36
henrynash	and some that are changed in both, which I’ll just hev to do by hand...	16:37
henrynash	I think it’s the right path…and will teach me to think before I type	16:37
dstanek	haha, ok	16:37
*** jimbaker has joined #openstack-keystone		16:38
*** daneyon has quit IRC		16:39
*** leseb has quit IRC		16:39
*** daneyon has joined #openstack-keystone		16:39
dstanek	henrynash: i spend a good percent of my dev time trying to spit up my commits into a sensible patch series	16:40
*** amcrn has joined #openstack-keystone		16:42
*** thedodd has quit IRC		16:49
*** PritiDesai has joined #openstack-keystone		16:50
*** NM has joined #openstack-keystone		16:51
morganfainberg	dstanek, sometimes it's painful to try and do that :(	16:52
morganfainberg	dstanek, esp when i code myself into a corner (has happened some times)	16:53
*** bknudson has left #openstack-keystone		16:57
*** leseb has joined #openstack-keystone		16:59
*** morganfainberg changes topic to "Please make reviewing specifications a priority: https://review.openstack.org/#/q/status:open+project:openstack/keystone-specs,n,z"		17:00
*** PritiDesai has quit IRC		17:02
dstanek	morganfainberg: true - often painful here, but it lets me make sure things are more correct	17:03
dstanek	and allows me and reviewers to see the steps i took to get to the final solution	17:03
morganfainberg	dstanek, ++	17:03
*** leseb has quit IRC		17:04
*** dims_ has quit IRC		17:04
*** harlowja_away is now known as harlowja		17:06
openstackgerrit	Boris Pavlovic proposed a change to openstack/keystone: Add sample of rally plugin https://review.openstack.org/98836	17:12
boris-42	morganfainberg ^ add explanation of this patch, could you pls review it=)	17:14
*** einarf has joined #openstack-keystone		17:18
boris-42	morganfainberg and one more question is keystone going to switch to apache by default in gates?)	17:21
morganfainberg	boris-42, that is the hope	17:21
boris-42	morganfainberg some experiments showed that it's quite simple get 4x better performance even in authenticate method https://github.com/stackforge/rally/blob/master/doc/user_stories/keystone/authenticate.rst	17:21
morganfainberg	boris-42, but it requires some fixes to land before we can make it the defualt	17:22
morganfainberg	boris-42, it absolutely is the way we want to go	17:22
boris-42	morganfainberg good it will improve performance of whole openstack in gates=0	17:22
morganfainberg	i expect to be gating on it (apache running keystone) within Juno, and the default to change in K (for devstack)	17:22
morganfainberg	:)	17:23
boris-42	morganfainberg oh quite long period of time=)	17:23
boris-42	morganfainberg btw we added user_sotries directory	17:24
boris-42	morganfainberg https://github.com/stackforge/rally/tree/master/doc/user_stories in rally	17:24
nkinder	+1 on httpd by default!	17:24
morganfainberg	we will need to still run some of the gate tests under eventlet, since we will still support that deployment model	17:24
nkinder	morganfainberg: is there any outstanding compressed token stuff that blocks that?	17:24
boris-42	morganfainberg so everybody will be able to share their experiments	17:24
morganfainberg	so i expect in J to be split 50/50, and in K have one of the gate jobs be eventlet and the rest apache	17:24
morganfainberg	nkinder, i think we need to shake out the changes to make pkiz the default	17:25
boris-42	morganfainberg drop event let drop it!=)	17:25
morganfainberg	boris-42, M :(	17:25
morganfainberg	boris-42, earliest i think we can drop eventlet	17:25
boris-42	morganfainberg oh lol=	17:25
boris-42	=)	17:25
morganfainberg	K deprecate, L stays deprecated, M remove	17:25
boris-42	yep	17:26
morganfainberg	nkinder, let me look at what is still required	17:26
boris-42	morganfainberg btw I almost finished this https://github.com/stackforge/osprofiler	17:26
*** einarf has quit IRC		17:26
morganfainberg	nkinder, i think here: https://review.openstack.org/#/c/98845/2	17:26
morganfainberg	nkinder, that is the last bits of the chain.	17:27
morganfainberg	nkinder, then shake out any bugs with other services using PKIZ tokens	17:27
boris-42	morganfainberg wanna be first project with profiling support?)	17:27
morganfainberg	boris-42, not opposed to it. :)	17:27
*** marcoemorais has quit IRC		17:30
*** marcoemorais has joined #openstack-keystone		17:30
*** praneshp has joined #openstack-keystone		17:31
*** amcrn_ has joined #openstack-keystone		17:34
*** amcrn has quit IRC		17:36
*** diegows has joined #openstack-keystone		17:40
*** gyee has quit IRC		17:45
dstanek	morganfainberg, boris-42: i recently swapped gevent for eventlet as a test	17:49
boris-42	dstanek and?)	17:50
boris-42	dstanek how was that did you run any benchmarks?	17:50
dstanek	boris-42: it worked	17:51
boris-42	dstanek better or worse, or just worked/)	17:51
dstanek	i was less concerned with performance and more about py3 support	17:51
dstanek	i got it to work using gunicorn for my test - it would be pretty easy to do a very small concurrency test to guage performance	17:52
boris-42	dstanek hm just use rally	17:55
boris-42	dstanek for test	17:55
*** praneshp has quit IRC		17:55
boris-42	dstanek and it will be super easy=)	17:55
boris-42	dstanek just run couple of commands=)	17:56
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: Add spec for non-persistent-tokens https://review.openstack.org/95976	17:56
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: Propose Specification for non-persistent-tokens https://review.openstack.org/95976	17:56
boris-42	dstanek btw we need some help in rally	17:57
boris-42	dstanek with supporting v3	17:57
boris-42	dstanek do you now anybody that is able to help us?)	17:57
*** PritiDesai has joined #openstack-keystone		17:57
morganfainberg	dstanek, gevent woo!	17:57
morganfainberg	:)	17:57
dstanek	boris-42: do you have specific things to work on? i may be interested in hacking on it a little bit	17:57
boris-42	dstanek yep we have specific task=)	17:57
boris-42	dstanek now we are using hardcoded version2 =)	17:58
dstanek	morganfainberg: my prefs is to deploy nginx->gunicorn->app	17:58
boris-42	dstanek I would like to make everything working with v3 and v2 =)	17:58
boris-42	dstanek https://github.com/stackforge/rally/blob/master/rally/osclients.py#L22	17:58
morganfainberg	dstanek, i want to support uwsgi as well.	17:58
boris-42	dstanek ^ this is how we deal with authentication & clients	17:58
boris-42	dstanek I think most issues are here*	17:58
dstanek	boris-42: i'll setup rally again and poke around	17:59
boris-42	dstanek btw we have good manuals	17:59
boris-42	dstanek actually installing is super simple	17:59
boris-42	dstanek run this https://github.com/stackforge/rally/blob/master/install_rally.sh and you'll get it	17:59
*** NM has quit IRC		18:00
boris-42	dstanek and this is instruction step by step how to run rally against existing cloud https://wiki.openstack.org/wiki/Rally/HowTo	18:00
dstanek	morganfainberg: been there done that and i have the uwsgi.conf to prove it!	18:00
boris-42	dstanek you can take not nova but keystone sample from https://github.com/stackforge/rally/tree/master/doc/samples/tasks/keystone	18:00
morganfainberg	dstanek, awesome! yeah trying to get this whole mess w/ apache working, then we can do more wsgi implementations :)	18:00
dstanek	morganfainberg: what's not working with apache?	18:01
morganfainberg	i'd love to have unicorns and uwsgi powering keystone (documented on how at least)	18:01
morganfainberg	dstanek, compressed tokens are needed	18:01
morganfainberg	dstanek, and some other icky bits (broken devstack - trying to get the fix through gate)	18:01
morganfainberg	dstanek, the fix for devstack is just gating issue, and the compressed tokens are reviews ayoung has up (needs work)	18:02
*** praneshp has joined #openstack-keystone		18:03
*** gyee has joined #openstack-keystone		18:13
*** ihrachyshka has joined #openstack-keystone		18:17
*** amcrn_ has quit IRC		18:18
*** PritiDesai has quit IRC		18:32
*** dims_ has joined #openstack-keystone		18:41
openstackgerrit	David Stanek proposed a change to openstack/keystone: Ignore broken endpoints in get_catalog https://review.openstack.org/81528	18:45
openstackgerrit	David Stanek proposed a change to openstack/keystone: Updates keystone.catalog.core.format_url tests https://review.openstack.org/99987	18:45
openstackgerrit	David Stanek proposed a change to openstack/keystone: Fixes catalog URL formatting to never return None https://review.openstack.org/99988	18:45
*** NM has joined #openstack-keystone		18:50
hrybacki	ayoung: okay -- my changes were in another branch so I did rebased my change branch (from your branch)	18:51
ayoung	++	18:51
hrybacki	run tests, git review	18:51
*** sbfox has quit IRC		18:53
*** ihrachyshka has quit IRC		18:54
*** sbfox has joined #openstack-keystone		18:54
hrybacki	ayoung: I must not have done this correctly -- ! [remote rejected] HEAD -> refs/publish/master/revocation_events_script (change 98534 closed)	18:55
hrybacki	git review is failing on that -- but 98534 is an oauth thing	18:55
*** sbfox1 has joined #openstack-keystone		18:55
*** sbfox has quit IRC		18:55
ayoung	hrybacki, if you run git log, is the second commit 99aa311b4c1c8a20419a93e1a21d9f73c3b861ac	18:57
hrybacki	no -- 86d38a15bdb03d93a036a30dc6faa2ac270d12c5	18:57
*** ihrachyshka has joined #openstack-keystone		18:58
hrybacki	33ed4cfbec87a6551ebc0f1df6de11d16a6f0ca2 \| 86d38a15bdb03d93a036a30dc6faa2ac270d12c5 \| 4655c7886f11be24f85ee6b7ba9f4ca6b3b90b86	18:59
hrybacki	1, 2, 3	18:59
*** stevemar has quit IRC		19:00
*** dims has joined #openstack-keystone		19:00
*** stevemar has joined #openstack-keystone		19:01
ayoung	OK, you need to start with 99aa311b4c1c8a20419a93e1a21d9f73c3b861ac and then apply your other changes. I assume you only have one commit with the auth_token work, or is it two?	19:01
*** daneyon has quit IRC		19:02
*** dims_ has quit IRC		19:03
hrybacki	I didn't see seteve's patch before	19:04
hrybacki	steve*	19:04
*** sbfox1 has quit IRC		19:04
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166	19:05
ayoung	OK, I just rebased on gerrit	19:05
ayoung	the revoke API patch is now f07ba232efe7549ae3ce088170f4eabb61ab70a6	19:05
ayoung	you can get it (without losing your branch)	19:05
ayoung	via	19:05
ayoung	git fetch ssh://ayoung@review.openstack.org:29418/openstack/python-keystoneclient refs/changes/66/81166/17 && git checkout FETCH_HEAD	19:05
ayoung	I'd run that, then name the branch, then cherry pick the commit with your work	19:06
hrybacki	how do you cherry pick commits?	19:07
*** PritiDesai has joined #openstack-keystone		19:10
*** diegows has quit IRC		19:15
openstackgerrit	Harry Rybacki proposed a change to openstack/python-keystoneclient: check revocation by events in auth_token middleware https://review.openstack.org/99751	19:18
ayoung	looks like it	19:22
hrybacki	totally did that from the branch I fetched from you	19:22
hrybacki	odd	19:22
hrybacki	ayoung: so how do I fix this sort of mixup?	19:24
ayoung	one sec	19:24
hrybacki	kk	19:24
ayoung	No mixup. All looks good.	19:26
ayoung	I did a code review. Check it out	19:26
*** diegows has joined #openstack-keystone		19:27
hrybacki	I must have misunderstood -- I thought my change was getting shoved into 81166 with this	19:31
*** sbfox has joined #openstack-keystone		19:40
*** sbfox has quit IRC		19:41
*** sbfox has joined #openstack-keystone		19:41
topol	any chance a core can give a second +2 to https://review.openstack.org/#/c/97581/ ?	19:46
*** mfisch has quit IRC		19:46
topol	I think its good to go and will get one more spec off our plate	19:46
*** mfisch has joined #openstack-keystone		19:46
*** mfisch has quit IRC		19:47
*** mfisch has joined #openstack-keystone		19:47
*** PritiDesai has quit IRC		19:50
*** daneyon has joined #openstack-keystone		19:52
openstackgerrit	Dolph Mathews proposed a change to openstack/python-keystoneclient: add descriptive language of the failing URL in error messages https://review.openstack.org/100006	20:00
*** amcrn has joined #openstack-keystone		20:00
*** joesavak has quit IRC		20:04
*** hrybacki_ has joined #openstack-keystone		20:22
*** hrybacki has quit IRC		20:26
*** hrybacki_ has quit IRC		20:26
*** stevemar has quit IRC		20:32
*** raildo has left #openstack-keystone		20:51
*** PritiDesai has joined #openstack-keystone		20:54
*** topol has quit IRC		20:55
openstackgerrit	A change was merged to openstack/python-keystoneclient: Link to docstrings in using-api-v3 https://review.openstack.org/99741	20:57
*** bklei has quit IRC		20:59
*** rodrigods has quit IRC		21:00
*** radez is now known as radez_g0n3		21:01
*** ihrachyshka has quit IRC		21:05
*** mgagne has quit IRC		21:11
morganfainberg	dtroyer_zz, ping, re https://review.openstack.org/#/c/99779/ and getting the port reservation in fixup_stuff.sh	21:11
morganfainberg	dtroyer_zz, if you're here	21:12
dtroyer_zz	morganfainberg: were you going to update that?	21:13
morganfainberg	dtroyer_zz, yeah just about to.	21:13
dtroyer_zz	cool	21:13
morganfainberg	dtroyer_zz, i was checking to make sure it is safe to assume the KEYSTONE_PORT variables exist in fixup_stuff or should i explicitly source lib/keystone?	21:14
morganfainberg	or uh ... wherever i should be sourcing	21:14
morganfainberg	fixup_stuff.sh looks to only source functions specifically	21:14
dtroyer_zz	when called from stack.sh, lib/keystone has been sourced so it's fine, but not if called directly	21:16
morganfainberg	right.	21:16
dtroyer_zz	it should stand alone cleanly, so check for the vars and use just the 35357 default if they're not defined?	21:16
morganfainberg	works for me	21:16
morganfainberg	just wanting to make sure we're as clean as possible.	21:16
morganfainberg	dtroyer_zz, thanks!	21:17
dtroyer_zz	np, thanks for doing this	21:17
*** mgagne has joined #openstack-keystone		21:20
*** mgagne is now known as Guest61486		21:20
*** daneyon has quit IRC		21:30
*** sbfox1 has joined #openstack-keystone		21:34
*** sbfox has quit IRC		21:34
*** rodrigods has joined #openstack-keystone		21:35
openstackgerrit	Morgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output https://review.openstack.org/99432	21:40
openstackgerrit	Joe Savak proposed a change to openstack/keystone-specs: Implements: blueprint keystone-to-keystone-federation https://review.openstack.org/100023	21:41
morganfainberg	jsavak, woo! ^^ :)	21:41
jsavak	about time, huh?	21:42
jsavak	lol	21:42
morganfainberg	jsavak, something i def. want to see working	21:42
morganfainberg	jsavak, just an FYI you have a lot of trailing whitespace in that doc	21:43
jsavak	yeah - i figured it'd be off first time	21:43
jsavak	thanks - i'll fix	21:43
morganfainberg	np	21:44
*** lbragstad has quit IRC		21:44
*** jsavak has quit IRC		21:49
*** rodrigods has quit IRC		21:54
*** NM has quit IRC		21:55
*** devlaps has quit IRC		21:57
*** harlowja has quit IRC		22:03
*** sbfox1 has quit IRC		22:09
*** marcoemorais has quit IRC		22:10
*** marcoemorais has joined #openstack-keystone		22:11
*** rodrigods has joined #openstack-keystone		22:28
*** henrynash has quit IRC		22:31
*** Guest61486 has quit IRC		22:38
*** rodrigods has quit IRC		22:40
*** mgagne has joined #openstack-keystone		22:41
*** mgagne is now known as Guest8031		22:41
*** amcrn has quit IRC		22:47
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076	22:52
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265	22:57
*** rodrigods has joined #openstack-keystone		22:59
*** rodrigods has quit IRC		23:01
*** ericvw has quit IRC		23:02
*** topol has joined #openstack-keystone		23:08
morganfainberg	topol	23:20
morganfainberg	topol, have a question re your spec.	23:20
topol	hi morganfainberg, sure	23:20
morganfainberg	Notifications Impact: what is retrieving an unscoped token or a scoped token?	23:21
morganfainberg	is that a HEAD/GET of a token, or issuance of a new token?	23:21
morganfainberg	or something else	23:21
*** NM has joined #openstack-keystone		23:21
topol	is that a federation support question or an audit question?	23:22
topol	sounds a pure federation question	23:22
morganfainberg	topol, https://review.openstack.org/#/c/97581/3/specs/juno/audit-support-for-federation.rst in this spec	23:22
morganfainberg	topol, under 'Notification impact' what does 'Federated user attempts to retrieve an unscoped token.' mean?	23:23
morganfainberg	is that an HTTP GET request? or issuance of a new token	23:23
morganfainberg	topol, because if it's a 'GET' request, this makes sense, if it's mean to be attempting to authenticate and get a new token... you see why i am confused?	23:24
topol	I think this is covered in the presentation we presented in Atlanta	23:24
morganfainberg	topol, HTTP GET would be token validation. I assume this is authentication.	23:24
topol	yes I believe this is authentication.	23:25
morganfainberg	topol, sure. but we should be clear what we're implementing here. i don't kniw which one is meant by the verbiage. i want to be sure we're implementing the right one.	23:25
topol	K, my wife is telling me we need to go to dinner. can you please leave a comment and I will make sure to address it?	23:26
topol	I'll look at it later tonight	23:26
topol	basically the auditing will just be auditing what steve has implemented & new stuff implemented	23:27
topol	morganfainberg, sorry but getting yelled at. need to run	23:27
morganfainberg	topol, no worries	23:27
morganfainberg	topol, i -1'd with a comment, otherwise looks good	23:28
topol	K, please leave a comment.	23:28
topol	K, thats fine. THANKS	23:28
morganfainberg	topol, clear that up and i thinkit's ready	23:28
topol	cool	23:28
*** topol has quit IRC		23:33
*** PritiDesai has quit IRC		23:42
*** dims has quit IRC		23:47
*** praneshp has quit IRC		23:53
*** NM has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!