ayoung | that pass the sanity check>? | 00:00 |
---|---|---|
ayoung | jamielennox, let it at least pass jenkins before you noodge | 00:00 |
jamielennox | ayoung: fair - just need to get back into nagging mode | 00:01 |
ayoung | Heh..looking at the adapters patch... | 00:01 |
openstackgerrit | Steve Martinelli proposed a change to openstack/keystone: Fix a few typos in the shibboleth doc https://review.openstack.org/100723 | 00:01 |
ayoung | jamielennox, I take it that is just cleanup? | 00:02 |
openstackgerrit | ayoung proposed a change to openstack/keystone: Default to PKIZ tokens https://review.openstack.org/98897 | 00:02 |
jamielennox | ayoung: it's what we need to work with the session in other clients | 00:02 |
morganfainberg | ayoung, i'll keep my eye on that ^ so we can get it moving (barring any major issues) | 00:02 |
morganfainberg | then... yay gate on mod_wsgi! | 00:03 |
ayoung | jamielennox, ah...ok | 00:03 |
jamielennox | i'd like if it was called something other than adapter - but i got nothing | 00:03 |
ayoung | jamielennox, nah, it makes sense, especially in that it is for working with others' code | 00:04 |
ayoung | python33 error | 00:04 |
ayoung | http://logs.openstack.org/81/97681/3/check/gate-python-keystoneclient-python33/fbae529/console.html.gz | 00:04 |
ayoung | TypeError: Can't convert 'bytes' object to str implicitly | 00:04 |
ayoung | File "./keystoneclient/adapter.py", line 94, in request | 00:05 |
ayoung | 2014-06-10 23:39:02.166 | body = resp.json() | 00:05 |
jamielennox | almost c&p https://review.openstack.org/#/c/95986/1/cinderclient/client.py and https://review.openstack.org/#/c/85920/7/novaclient/client.py | 00:05 |
ayoung | jamielennox, I think that is just (str) | 00:05 |
jamielennox | eh, really? | 00:05 |
jamielennox | where's that? | 00:05 |
ayoung | jamielennox, hmmm, maybe? that is what it was for the PKIZ tokens | 00:06 |
*** gokrokve_ has joined #openstack-keystone | 00:06 | |
ayoung | https://review.openstack.org/#/c/100545/ | 00:06 |
ayoung | ah, no, that was from unicode, not bytes | 00:06 |
jamielennox | that one passes | 00:06 |
ayoung | unicode | 00:06 |
ayoung | py33? | 00:06 |
jamielennox | oh - right, yea that one needs a lot more work i just wanted to see if it was ok | 00:07 |
*** hrybacki has joined #openstack-keystone | 00:07 | |
ayoung | msg.decode('utf-8') | 00:08 |
jamielennox | ideally this would eventually fix the circular dependency not cleaning up thing in keystoneclient as well | 00:08 |
ayoung | jamielennox, I think you need ^^ | 00:08 |
jamielennox | yea | 00:08 |
*** gokrokve has quit IRC | 00:09 | |
*** bknudson has quit IRC | 00:11 | |
*** amerine has quit IRC | 00:17 | |
*** amerine has joined #openstack-keystone | 00:19 | |
ayoung | jamielennox, https://review.openstack.org/#/c/81166/ is your territory | 00:23 |
ayoung | morganfainberg, you need ^^ for ephemeral, too | 00:23 |
ayoung | gyee, I'll noodge you just cuz you are here | 00:24 |
jamielennox | ergh, yea such a monster | 00:24 |
morganfainberg | ayoung, yeah. | 00:24 |
ayoung | that one is not that bad | 00:24 |
jamielennox | i'm not sure if you need to break out the revoke model stuff | 00:25 |
morganfainberg | ayoung, "not that bad" (~1200 lines later) :P | 00:25 |
jamielennox | your model is very tied to the v3 format | 00:25 |
ayoung | is it 1200? | 00:25 |
morganfainberg | ayoung, 1162 | 00:25 |
ayoung | ah...cuz it pulled the code over from server | 00:25 |
ayoung | that code is almost a direct copy of code in keystone.contrib.revoke.model | 00:26 |
jamielennox | and it means you have things like RevokeModel that seems to do pretty much only serialize and unserialize - that could be just a resource | 00:26 |
ayoung | all the hard parts are | 00:26 |
ayoung | jamielennox, agreed that it could be restructured. I was trying to make it easy by just copying the file over | 00:26 |
morganfainberg | ayoung, going to fix the nits in PKIZ really quickly | 00:26 |
ayoung | there were a few earlier issues that involved modifying the model | 00:27 |
ayoung | morganfainberg, please do | 00:27 |
jamielennox | yea, the other side is i've never quite got through all the process of checking revocations - just trusting | 00:27 |
jamielennox | so if you copied most of the model across from the server that makes some sense | 00:27 |
jamielennox | _build_token stuff can be entirely replaced by AccessInfo | 00:27 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Default to PKIZ tokens https://review.openstack.org/98897 | 00:28 |
jamielennox | ayoung: can i have a go at cutting it down? | 00:29 |
jamielennox | do you intend to import that code from the server? | 00:29 |
ayoung | jamielennox, absolutely | 00:29 |
ayoung | go for it | 00:29 |
morganfainberg | ayoung, well, moving to apache keystone, tempest is taking 31 minutes instead of 43. that seems to be a win! | 00:29 |
ayoung | ++ | 00:29 |
jamielennox | there were some rally benchmarks going around that showed apache faster as well | 00:30 |
gyee | ayoung, that's over 1KLOC to review! | 00:30 |
gyee | it's going to take me all night | 00:30 |
ayoung | morganfainberg, we are going to spam the hell out of the logs with that deprecation warning, aren't we? | 00:31 |
morganfainberg | only on startup. | 00:31 |
ayoung | morganfainberg, is it? | 00:31 |
ayoung | morganfainberg, well, if it does, we can remove it | 00:31 |
morganfainberg | yep. it is used on manager init and in a couple tests, shouldn't be bad | 00:32 |
morganfainberg | it's not used over and over afaict | 00:32 |
ayoung | morganfainberg, +13ed. feel free to +2 and gyee feel free to +2a | 00:32 |
ayoung | +1ed. I wish I could +13 | 00:32 |
morganfainberg | ayoung, hah | 00:32 |
gyee | looks good! | 00:33 |
ayoung | OK..still at the office. going to drive home. If you guys put the +2 on it, I'll +A when I'm home, assuming it passes muster | 00:33 |
gyee | gym time, will check back in an hour or so | 00:34 |
ayoung | jamielennox, I'll start cranking through the client code once I'm home. | 00:34 |
morganfainberg | ayoung, +2, once it passes check good for +A (PKIZ) | 00:34 |
morganfainberg | ayoung, i'll +A if I see it finish before you do. | 00:35 |
morganfainberg | i need to get devstack to setup caching (memcached) for keystone. | 00:35 |
morganfainberg | so we can gate on that (not just unit tests) then we need tempest to run with caching. bet that will improve things again. | 00:36 |
hrybacki | ayoung: 8:30 and you're still not home. Dedication. | 00:36 |
ayoung | hrybacki, just got to your email. | 00:40 |
ayoung | hrybacki, do a code review of the session patch. You'll need to understand how that works to understand why it's what you need to do for auth_token | 00:41 |
hrybacki | okay | 00:41 |
ayoung | jamielennox, hrybacki was able to work through getting the revocation script running | 00:41 |
ayoung | if you rework the client, give it to him so he can double check against a live keystone | 00:41 |
ayoung | (that is how we abuse interns at Red Hat) | 00:42 |
ayoung | make em work with the guys on Australian time | 00:42 |
ayoung | me flees | 00:42 |
hrybacki | hah | 00:42 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076 | 00:42 |
*** browne has quit IRC | 00:42 | |
jamielennox | ayoung: np | 00:43 |
jamielennox | i thought they abused the non-us guys by making them work US time | 00:43 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265 | 00:47 |
*** ayoung has quit IRC | 00:49 | |
*** hrybacki has quit IRC | 00:52 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add trust users to AccessInfo https://review.openstack.org/100733 | 00:54 |
*** rwsu has quit IRC | 00:58 | |
*** huats has quit IRC | 00:58 | |
*** marcoemorais has quit IRC | 01:06 | |
*** rodrigods has joined #openstack-keystone | 01:09 | |
*** mberlin has joined #openstack-keystone | 01:12 | |
*** mberlin1 has quit IRC | 01:13 | |
openstackgerrit | Arun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling. https://review.openstack.org/95300 | 01:13 |
*** huats has joined #openstack-keystone | 01:19 | |
*** huats has quit IRC | 01:19 | |
*** huats has joined #openstack-keystone | 01:19 | |
openstackgerrit | Arun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling. https://review.openstack.org/95300 | 01:26 |
*** nkinder_ has joined #openstack-keystone | 01:32 | |
*** ayoung has joined #openstack-keystone | 01:34 | |
jamielennox | ayoung: does revocation use role_id or role_name? | 01:35 |
ayoung | jamielennox, id, I think | 01:36 |
jamielennox | damn | 01:36 |
* ayoung has to confirm | 01:36 | |
ayoung | http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/core.py#n86 jamielennox role_id | 01:37 |
jamielennox | it's like the only thing that does | 01:37 |
ayoung | jamielennox, why is that a problem? | 01:37 |
openstackgerrit | Arun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling. https://review.openstack.org/95300 | 01:37 |
jamielennox | nothing just another thing to fix in client | 01:38 |
ayoung | jamielennox, I think we could potentially change that | 01:38 |
ayoung | if it really is wrong | 01:38 |
jamielennox | are role_ids available in v2 tokens? | 01:38 |
ayoung | jamielennox, good question. I haven't thought about this code in a month or so... | 01:41 |
ayoung | jamielennox, https://review.openstack.org/#/c/81166/17/keystoneclient/contrib/revoke/model.py line 296 | 01:41 |
ayoung | gyee, https://review.openstack.org/#/c/95989/ when you get back: are you OK with the general flow now, or is something still unclear | 01:45 |
*** richm has left #openstack-keystone | 01:49 | |
*** praneshp has quit IRC | 01:53 | |
*** rodrigods has quit IRC | 01:54 | |
jcromer | is this an appropriate place to ask a question regarding active directory as an ldap backend for keystone? | 01:56 |
*** dims has quit IRC | 01:58 | |
ayoung | jcromer, yes | 01:58 |
jcromer | ayoung, I have read thru a number of your blog posts regarding ldap | 01:59 |
ayoung | I lie | 01:59 |
jcromer | :D | 01:59 |
ayoung | I make things up | 01:59 |
ayoung | I break things | 01:59 |
jcromer | don't we all | 01:59 |
ayoung | all the people, some of the time....me, all the time | 01:59 |
ayoung | what can I help you with? | 01:59 |
jcromer | hah | 01:59 |
jcromer | so i configured keystone for ldap backend for auth | 02:00 |
jcromer | set all my service acounts up | 02:00 |
jcromer | everything works great | 02:01 |
jcromer | but i want to be able to create users | 02:01 |
ayoung | no you don't | 02:01 |
jcromer | well i need to | 02:01 |
jcromer | for rally | 02:01 |
ayoung | in AD? | 02:01 |
jamielennox | ayoung: so do you know how old that ['metadata']['roles'] thing is because it doesn't exist in any of our test tokens? | 02:01 |
ayoung | your AD is not read only? | 02:01 |
jamielennox | ayoung: when you have time | 02:01 |
ayoung | jamielennox, empirical? | 02:01 |
ayoung | jamielennox, I think I just created one and looked at it? | 02:01 |
ayoung | easy enough to check | 02:02 |
jcromer | some of the rally scenarios i am using create users and tenants and then delete them after the tests concludes | 02:02 |
ayoung | jcromer, so, yeah, it is possible to do. I know CERN does it... | 02:03 |
jcromer | this doesn't work anymore since the change to ldap | 02:03 |
ayoung | well, I think they do. They have AD writable | 02:03 |
jcromer | i have been searching the interwebs | 02:03 |
ayoung | jcromer, what happens when you do a user-add? | 02:03 |
jcromer | not finding a whole lot as to how this is accomplished | 02:03 |
jcromer | SvcErr: DSID-031907E9, problem 5003 (WILL_NOT_PERFORM) | 02:03 |
* ayoung stifles inappropriate comment | 02:04 | |
jcromer | HAHA | 02:04 |
jcromer | yea | 02:04 |
jcromer | it's not performing | 02:04 |
ayoung | AD return codes are so refreshing | 02:04 |
jcromer | love them | 02:04 |
ayoung | jcromer, can you inject a user into AD by hand using, say, the openldap command line tools? | 02:05 |
jcromer | i (foolishly) thought it would be as easy as user_allow_create = True | 02:05 |
ayoung | jcromer, heh, don't know what is wrong. But if it were a keystone config option, it wouldn't be getting to AD at all | 02:05 |
jcromer | i have not yet tried that | 02:05 |
ayoung | I assure you SvcErr: DSID-031907E9, problem 5003 (WILL_NOT_PERFORM) is not a Keystone error message | 02:06 |
jcromer | oh i know that much | 02:06 |
jcromer | just wasn't sure if there was something that i was missing | 02:06 |
jcromer | in the config | 02:06 |
ayoung | jcromer, are you doing one level or deep searches for users? | 02:06 |
jcromer | some secret option i was missing | 02:06 |
jcromer | sub | 02:06 |
ayoung | hmmm, that might be the problem... | 02:06 |
jcromer | for the query scope you mean? | 02:06 |
ayoung | just a guess, but to add a user you need a DN, and I think that subtree does something different | 02:07 |
ayoung | OK...here is where I show just how big a hack I am | 02:07 |
ayoung | the LDAP code was originally written by someone else for Nova and hacked into keystone, then hacked out, and then I hacked it back in | 02:08 |
ayoung | it's ugly, and made some really bad assumptions | 02:08 |
ayoung | I got rid of some of those assumptions, but not all | 02:08 |
jcromer | you know what they say, a good artist borrows a great artist steals | 02:08 |
ayoung | one of them was that the userid attribute was the left most segment of the DN | 02:08 |
ayoung | so if your dn is cn=jcromer,cn=someor,cn=com the userid attribute was cn | 02:09 |
ayoung | even if cn for your record was Cromer, Jaques | 02:09 |
ayoung | so the subtree query breaks free of that, and will actually search on cn= | 02:10 |
ayoung | as opposed to composing the DN. Follow me? | 02:10 |
ayoung | the subtree stuff came later, which is why it is inconsistent | 02:10 |
jcromer | i think so | 02:10 |
ayoung | so, I don't know if, with subtree, it knows how to create the DN | 02:10 |
morganfainberg | ayoung, getting close to PKIZ! | 02:11 |
ayoung | lets take a look and see | 02:11 |
ayoung | morganfainberg, don't jinx it | 02:11 |
jcromer | ok | 02:11 |
morganfainberg | ayoung, already knocked on wood and toss salt over the shoulder | 02:11 |
ayoung | morganfainberg, I knocked on salt and threw wood over my shoulder. I knew I had something wrong | 02:11 |
morganfainberg | ayoung, hah | 02:12 |
ayoung | jcromer, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n969 | 02:12 |
ayoung | looking at that code, I think: how did that ever work? | 02:12 |
jcromer | heading there now | 02:12 |
morganfainberg | ayoung, looks like we save ~5-10mins on a tempest run with keystone under apache (and PKIZ) | 02:13 |
ayoung | jcromer, how badly do you need this? | 02:13 |
morganfainberg | ayoung, some LDAP stuff wonky? | 02:13 |
ayoung | morganfainberg, he wants to be able to write to AD. Crazy monkey. | 02:13 |
morganfainberg | ayoung, whoa. | 02:13 |
jcromer | it's not like it is a production, do or die type situation | 02:14 |
morganfainberg | i uh.. dunno if we've ever tried that | 02:14 |
jcromer | but for rally testing | 02:14 |
morganfainberg | in theory... possible | 02:14 |
ayoung | morganfainberg, I have, but not with subtree query for user. Suspect it is broken/unfixable | 02:14 |
jcromer | which we are starting to do a lot of lately | 02:14 |
jcromer | well | 02:14 |
ayoung | jcromer, can you create the users directly? | 02:14 |
morganfainberg | ayoung, ah | 02:14 |
ayoung | If not, can you go from subtree? | 02:14 |
ayoung | er...drop the subtree requirement? | 02:15 |
jcromer | i could potentially drop the subtree requirement | 02:15 |
jcromer | put all users in a specific OU | 02:15 |
ayoung | jcromer, try that. I think that will work for you | 02:15 |
openstackgerrit | A change was merged to openstack/keystone: Default to PKIZ tokens https://review.openstack.org/98897 | 02:15 |
ayoung | jcromer, that is what FreeIPA does. It is very relational in its approach to users, and that leads to sanity | 02:16 |
morganfainberg | boom. | 02:16 |
morganfainberg | ayoung, https://review.openstack.org/#/c/100747/ | 02:16 |
ayoung | morganfainberg, and we now hear the screaming | 02:16 |
jcromer | should i then be taking a look at FreeIPA instead? | 02:16 |
ayoung | jcromer, I am not an impartial judge of that | 02:17 |
ayoung | it depends on your needs. | 02:17 |
jcromer | i think the case is rare where users will need to be created | 02:17 |
ayoung | But in my terribly biased opinion FreeIPA rocks | 02:18 |
jcromer | but it will be required every so often | 02:18 |
ayoung | jcromer, but I think that if you are up and running, and can drop the subtree requirement, it would not buy you much to change before you get it working | 02:18 |
morganfainberg | ayoung, also.. figured might as well muck with this in here: https://review.openstack.org/#/c/100747/ caching in tempest! | 02:19 |
ayoung | morganfainberg, I put a +1 and a comment on that review | 02:19 |
morganfainberg | :) | 02:19 |
morganfainberg | but that one is WIP | 02:19 |
morganfainberg | want to see how it performs. | 02:19 |
*** nsquare has quit IRC | 02:19 | |
ayoung | morganfainberg, wrong patch. That is the same one you just posted | 02:19 |
morganfainberg | yeah | 02:19 |
morganfainberg | copy/paste fail: https://review.openstack.org/#/c/100738/ | 02:20 |
ayoung | gate-tempest-dsvm-large-ops SUCCESS in 29m 08s | 02:21 |
jcromer | by the way | 02:21 |
jcromer | i found a bug regarding this just now | 02:21 |
ayoung | morganfainberg, what was it before on a comparable run? | 02:21 |
jcromer | after you mentioned | 02:21 |
morganfainberg | ayoung, uhm... | 02:21 |
ayoung | no way, that code is flawless jcromer | 02:21 |
jcromer | hah | 02:22 |
jcromer | https://bugs.launchpad.net/keystone/+bug/1210141. | 02:22 |
uvirtbot | Launchpad bug 1210141 in keystone "Document howto config LDAP identity with non-DN based ids." [Medium,In progress] | 02:22 |
morganfainberg | 32 | 02:22 |
morganfainberg | ayoung, 32 ish from what i was seeing | 02:22 |
morganfainberg | but the real trick will be what is it under apache. | 02:22 |
*** dims has joined #openstack-keystone | 02:24 | |
ayoung | jcromer, so, if you did do subtree...where would you create a new user? | 02:24 |
*** dims has quit IRC | 02:28 | |
jcromer | well right now i have three OUs under Accounts: Domestic, International and Service | 02:31 |
jcromer | the problem is my service OU contains accounts for all the openstack services and Domestic contains actual user accounts | 02:32 |
*** Chicago has joined #openstack-keystone | 02:33 | |
jcromer | maybe one would work | 02:34 |
ayoung | jamielennox, OK, if you have any reviews that are high priority, make sure you've added me explicitly as a reviewer. AFAICT I have addressed all that are not -1ed somewhere | 02:35 |
*** ayoung is now known as ayoung_ZZZzzz | 02:35 | |
jamielennox | ok, i haven't been setting that much anymore | 02:36 |
*** gokrokve_ has quit IRC | 02:43 | |
*** zhiyan_ is now known as zhiyan | 02:44 | |
stevemar | ayoung_ZZZzzz, yay compressed tokens by default | 02:44 |
stevemar | morganfainberg, ping? | 02:48 |
*** harlowja is now known as harlowja_away | 02:48 | |
morganfainberg | stevemar, pong | 02:48 |
stevemar | morganfainberg, so ya know how our keystone dev docs and keystoneclient dev docs have the same layout? | 02:49 |
morganfainberg | stevemar, uh sure | 02:49 |
stevemar | morganfainberg, do you know how to migrate to that format? because http://docs.openstack.org/developer/python-novaclient/ and http://docs.openstack.org/developer/python-openstackclient don't :\ | 02:49 |
morganfainberg | uhhh | 02:49 |
morganfainberg | uhmmm | 02:49 |
morganfainberg | not really sure | 02:50 |
stevemar | did i just blow your mind? is it too late for this nonsense ? | 02:50 |
*** praneshp has joined #openstack-keystone | 02:50 | |
morganfainberg | stevemar, sorry elbow deep in grenade atm, trying to get us gating on mod_wsgi for keystone | 02:53 |
morganfainberg | stevemar, :P | 02:53 |
stevemar | morganfainberg, s'all good :) | 02:54 |
*** gokrokve has joined #openstack-keystone | 02:54 | |
*** praneshp_ has joined #openstack-keystone | 02:59 | |
*** gyee has quit IRC | 02:59 | |
*** praneshp has quit IRC | 03:02 | |
*** praneshp_ is now known as praneshp | 03:02 | |
*** Chicago is now known as SuperUser | 03:15 | |
*** SuperUser is now known as UsurperUser | 03:17 | |
*** UsurperUser has left #openstack-keystone | 03:17 | |
*** topol has joined #openstack-keystone | 03:42 | |
*** dims has joined #openstack-keystone | 04:27 | |
*** dims has quit IRC | 04:32 | |
*** ajayaa has joined #openstack-keystone | 04:44 | |
*** dims has joined #openstack-keystone | 04:46 | |
*** dims has quit IRC | 04:51 | |
*** nsquare has joined #openstack-keystone | 05:16 | |
morganfainberg | dtroyer_zz, https://review.openstack.org/#/c/100747/ needs a grenade upgrade script here: https://review.openstack.org/#/c/100764/ | 05:17 |
*** henrynash has joined #openstack-keystone | 05:40 | |
*** jkappert has quit IRC | 05:45 | |
*** jkappert has joined #openstack-keystone | 05:45 | |
*** dims has joined #openstack-keystone | 05:47 | |
*** dims has quit IRC | 05:51 | |
*** afazekas_ has joined #openstack-keystone | 05:54 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/97005 | 06:00 |
*** topol has quit IRC | 06:04 | |
*** openstackgerrit_ has joined #openstack-keystone | 06:10 | |
*** gokrokve has quit IRC | 06:11 | |
*** stevemar has quit IRC | 06:14 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add trust users to AccessInfo and fixture https://review.openstack.org/100733 | 06:15 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add role ids to the AccessInfo https://review.openstack.org/100774 | 06:15 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add issued handlers to auth_ref and fixtures https://review.openstack.org/100775 | 06:15 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add OAuth data to AccessInfo https://review.openstack.org/100776 | 06:15 |
jamielennox | ayoung_ZZZzzz: tomorrow i'll rebase the revocation events patch on top of ^ so feel free to pressure people into approving them | 06:18 |
*** tomoiaga1 has joined #openstack-keystone | 06:19 | |
*** ajayaa has quit IRC | 06:19 | |
*** jimbaker has quit IRC | 06:19 | |
*** openstackgerrit has quit IRC | 06:19 | |
*** ajayaa has joined #openstack-keystone | 06:23 | |
*** jimbaker has joined #openstack-keystone | 06:23 | |
*** openstackgerrit has joined #openstack-keystone | 06:23 | |
*** henrynash has quit IRC | 06:30 | |
*** ncoghlan has joined #openstack-keystone | 06:45 | |
*** dims_ has joined #openstack-keystone | 06:47 | |
*** jaosorior has joined #openstack-keystone | 06:51 | |
*** dims_ has quit IRC | 06:53 | |
*** gokrokve has joined #openstack-keystone | 07:02 | |
*** xuhaiwei_ has joined #openstack-keystone | 07:03 | |
*** gokrokve has quit IRC | 07:07 | |
xuhaiwei_ | hi, I met this problem: I ran 'nova --debug list' and got the token, and then copied the curl commands to request the API directly, but I got a 401 Unauthorized. It says the token is invalid. This used to work well, so I want to know if something was changed by keystone | 07:08 |
xuhaiwei_ | Could anyone help? | 07:08 |
*** BAKfr has joined #openstack-keystone | 07:12 | |
*** xianghui^ has joined #openstack-keystone | 07:12 | |
*** xianghui has quit IRC | 07:16 | |
*** chandan_kumar has quit IRC | 07:17 | |
*** i159 has joined #openstack-keystone | 07:34 | |
*** henrynash has joined #openstack-keystone | 07:35 | |
*** henrynash has quit IRC | 07:52 | |
*** marekd|away is now known as marekd | 07:55 | |
*** nsquare has quit IRC | 07:58 | |
*** leseb has joined #openstack-keystone | 08:02 | |
*** gokrokve has joined #openstack-keystone | 08:03 | |
*** leseb has quit IRC | 08:06 | |
*** leseb has joined #openstack-keystone | 08:07 | |
*** gokrokve has quit IRC | 08:08 | |
*** praneshp has quit IRC | 08:09 | |
*** andreaf_ has quit IRC | 08:11 | |
*** ncoghlan has quit IRC | 08:18 | |
*** henrynash has joined #openstack-keystone | 08:28 | |
*** dims_ has joined #openstack-keystone | 08:51 | |
*** ByteSore has quit IRC | 08:52 | |
*** ByteSore has joined #openstack-keystone | 08:52 | |
*** leseb has quit IRC | 08:54 | |
*** Gippa has joined #openstack-keystone | 08:55 | |
*** dims_ has quit IRC | 08:56 | |
*** andreaf has joined #openstack-keystone | 08:57 | |
*** andreaf_ has joined #openstack-keystone | 08:58 | |
*** andreaf has quit IRC | 09:01 | |
*** gokrokve has joined #openstack-keystone | 09:03 | |
openstackgerrit | Roman Bodnarchuk proposed a change to openstack/keystone: Return 400 in case request body is JSON, but not a dictionary https://review.openstack.org/92809 | 09:08 |
*** gokrokve has quit IRC | 09:09 | |
*** xuhaiwei_ has quit IRC | 09:18 | |
openstackgerrit | Roman Bodnarchuk proposed a change to openstack/keystone: Fix 500 error if request body is not JSON object https://review.openstack.org/92809 | 09:20 |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users and groups from controller to manager https://review.openstack.org/100833 | 09:25 |
*** ByteSore has quit IRC | 09:28 | |
*** ByteSore has joined #openstack-keystone | 09:28 | |
*** xianghui^ has quit IRC | 09:28 | |
openstackgerrit | Christoph Gysin proposed a change to openstack/keystone: fix flake8 issues https://review.openstack.org/100628 | 09:43 |
*** tomoiaga1 has quit IRC | 09:44 | |
*** zhiyan is now known as zhiyan_ | 09:51 | |
*** dims_ has joined #openstack-keystone | 09:51 | |
*** xianghui^ has joined #openstack-keystone | 09:53 | |
*** pheadron has joined #openstack-keystone | 09:54 | |
pheadron | d | 09:54 |
*** rodrigods has joined #openstack-keystone | 09:55 | |
*** rodrigods has quit IRC | 09:55 | |
*** rodrigods has joined #openstack-keystone | 09:55 | |
*** dims_ has quit IRC | 09:56 | |
*** leseb has joined #openstack-keystone | 09:58 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users and groups from controller to manager https://review.openstack.org/100833 | 09:58 |
*** rodrigods has quit IRC | 09:59 | |
*** gokrokve has joined #openstack-keystone | 10:04 | |
*** ajayaa has quit IRC | 10:05 | |
*** gokrokve has quit IRC | 10:10 | |
*** pheadron has quit IRC | 10:10 | |
*** leseb has quit IRC | 10:13 | |
*** xianghui^ has quit IRC | 10:30 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 10:33 |
*** ajayaa has joined #openstack-keystone | 10:33 | |
*** dims_ has joined #openstack-keystone | 10:43 | |
*** leseb has joined #openstack-keystone | 10:51 | |
*** xianghui^ has joined #openstack-keystone | 10:56 | |
*** leseb has quit IRC | 10:56 | |
*** henrynash has quit IRC | 11:01 | |
*** gokrokve has joined #openstack-keystone | 11:05 | |
*** gokrokve has quit IRC | 11:10 | |
*** topol has joined #openstack-keystone | 11:13 | |
*** dims_ has quit IRC | 11:16 | |
*** i159 has quit IRC | 11:16 | |
openstackgerrit | Kristy Siu proposed a change to openstack/keystone-specs: Trusted Attributes Policy for External Identity Providers https://review.openstack.org/100279 | 11:21 |
*** i159 has joined #openstack-keystone | 11:25 | |
*** d0ugal has quit IRC | 11:33 | |
*** d0ugal has joined #openstack-keystone | 11:34 | |
*** leseb has joined #openstack-keystone | 11:52 | |
openstackgerrit | Ajaya Agrawal proposed a change to openstack/keystone: TestAuthInfo class in test_v3_auth made more efficient. https://review.openstack.org/98072 | 11:54 |
*** leseb has quit IRC | 11:57 | |
*** juanmo has joined #openstack-keystone | 12:01 | |
*** gokrokve has joined #openstack-keystone | 12:06 | |
*** i159 has quit IRC | 12:08 | |
*** gokrokve has quit IRC | 12:10 | |
*** i159 has joined #openstack-keystone | 12:11 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704 | 12:12 |
*** topol has quit IRC | 12:13 | |
*** Gippa has quit IRC | 12:16 | |
*** rodrigods has joined #openstack-keystone | 12:30 | |
*** andreaf_ has quit IRC | 12:37 | |
*** andreaf_ has joined #openstack-keystone | 12:37 | |
*** leseb has joined #openstack-keystone | 12:38 | |
*** andreaf_ is now known as andreaf | 12:40 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 12:40 |
openstackgerrit | Kristy Siu proposed a change to openstack/keystone-specs: Simplified Mapping for Federated Authentication https://review.openstack.org/100280 | 12:44 |
*** gordc has joined #openstack-keystone | 12:45 | |
*** henrynash has joined #openstack-keystone | 12:45 | |
*** tellesnobrega has quit IRC | 12:56 | |
*** rodrigods has quit IRC | 12:56 | |
*** htruta has quit IRC | 12:57 | |
*** richm has joined #openstack-keystone | 13:00 | |
*** htruta has joined #openstack-keystone | 13:00 | |
*** rodrigods has joined #openstack-keystone | 13:01 | |
*** gokrokve has joined #openstack-keystone | 13:01 | |
*** gokrokve_ has joined #openstack-keystone | 13:02 | |
*** tellesnobrega has joined #openstack-keystone | 13:02 | |
*** gokrokv__ has joined #openstack-keystone | 13:02 | |
*** richm has quit IRC | 13:03 | |
*** erecio has joined #openstack-keystone | 13:04 | |
*** dims_ has joined #openstack-keystone | 13:04 | |
*** gokrokve has quit IRC | 13:05 | |
*** gokrokve_ has quit IRC | 13:06 | |
*** gordc has quit IRC | 13:10 | |
*** nkinder_ has quit IRC | 13:13 | |
*** joesavak has joined #openstack-keystone | 13:13 | |
*** dims_ has quit IRC | 13:13 | |
*** bknudson has joined #openstack-keystone | 13:14 | |
*** leseb has quit IRC | 13:15 | |
*** leseb has joined #openstack-keystone | 13:16 | |
*** henrynash has quit IRC | 13:16 | |
*** dims_ has joined #openstack-keystone | 13:17 | |
*** diegows has joined #openstack-keystone | 13:23 | |
dolphm | why were 4 completely irrelevant patches dependent on https://review.openstack.org/#/c/98897/ ? | 13:25 |
*** gordc has joined #openstack-keystone | 13:27 | |
*** dims_ has quit IRC | 13:28 | |
*** richm has joined #openstack-keystone | 13:31 | |
marekd | dstanek_zzz: thanks for the review. | 13:34 |
openstackgerrit | Steven Hardy proposed a change to openstack/python-keystoneclient: Enable forcing re-authentication for trust-scoped clients https://review.openstack.org/96298 | 13:36 |
*** leseb has quit IRC | 13:38 | |
*** stevemar has joined #openstack-keystone | 13:39 | |
*** hrybacki has joined #openstack-keystone | 13:40 | |
ajayaa | dolphm, among those four, I have submitted one. How did it become dependent on 98897? | 13:41 |
ajayaa | I just pulled the latest and resubmitted my patch. | 13:42 |
dolphm | ajayaa: i didn't look at how... i assume that's in the gerrit log | 13:42 |
*** dstanek_zzz is now known as dstanek | 13:42 | |
dolphm | ajayaa: 98897 is already merged so it's not a big deal, but it struck me as super odd | 13:43 |
dstanek | marekd: np | 13:44 |
ajayaa | dolphm, on a side note please review https://review.openstack.org/#/c/98072/ :) | 13:44 |
openstackgerrit | Christoph Gysin proposed a change to openstack/keystone: fix flake8 issues https://review.openstack.org/100628 | 13:45 |
marekd | stevemar: ding dong. | 13:46 |
stevemar | marekd, !! | 13:47 |
marekd | stevemar: i missed our ping yesterday (had some guests and went offline actually) | 13:47 |
marekd | your ping* | 13:47 |
marekd | stevemar: what's up? :-) | 13:48 |
*** ajayaa has quit IRC | 13:48 | |
stevemar | marekd, i'm trying to remember what it was... | 13:48 |
marekd | stevemar: your IBM IdP ? | 13:48 |
*** daneyon_ has quit IRC | 13:48 | |
stevemar | marekd, oh maybe ... we got it working, still some issue with shib's key, cause it signs all the assertions | 13:49 |
stevemar | marekd, i don't recall | 13:49 |
marekd | stevemar: apparently nothing really serious. | 13:49 |
stevemar | marekd, yeah, sorry | 13:51 |
marekd | stevemar: no worries! | 13:51 |
*** bklei has joined #openstack-keystone | 13:53 | |
*** bklei has quit IRC | 13:53 | |
*** sbasam_ is now known as sbasam | 13:57 | |
*** raildo has joined #openstack-keystone | 13:58 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076 | 14:05 |
*** nkinder_ has joined #openstack-keystone | 14:06 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076 | 14:13 |
bknudson | dolphm: I think the dependency change happens when the review is rebased. | 14:14 |
*** zuqiang has joined #openstack-keystone | 14:14 | |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone-specs: JSON Home https://review.openstack.org/97359 | 14:14 |
*** zuqiang has left #openstack-keystone | 14:15 | |
bknudson | I use emacs for my rst files and it doesn't clean up trailing whitespace | 14:15 |
stevemar | marekd, oh oh i remember | 14:21 |
*** esmute has quit IRC | 14:22 | |
stevemar | marekd, it was about testing the full flow of federation test cases | 14:22 |
morganfainberg | dolphm, gerrit's display is wonky i think, rebases occurred once PKIZ merged. | 14:22 |
stevemar | marekd, i suspect you will just say 'thats why we need client'! | 14:22 |
openstackgerrit | Steve Martinelli proposed a change to openstack/keystone: Update sample keystone.conf file https://review.openstack.org/100155 | 14:23 |
*** esmute has joined #openstack-keystone | 14:25 | |
morganfainberg | dolphm, so (beyond the needed fixes for grenade) - it looks like we end up saving up to ~5+ minutes per tempest run moving keystone to under apache https://review.openstack.org/#/c/100747/ | 14:25 |
morganfainberg | ish. | 14:25 |
bknudson | morganfainberg: because it runs in parallel? | 14:26 |
morganfainberg | bknudson, something like that i think | 14:26 |
morganfainberg | either that or eventlet really sucks | 14:26 |
dolphm | morganfainberg: nice! | 14:27 |
*** dims_ has joined #openstack-keystone | 14:27 | |
*** leseb has joined #openstack-keystone | 14:27 | |
dolphm | why is red hat ci falling over | 14:27 |
morganfainberg | dolphm, because it can't install mod_wsgi. | 14:27 |
morganfainberg | dolphm, something that i'll have to fix in devstack | 14:27 |
morganfainberg | obviously never tested :P | 14:27 |
*** beav has joined #openstack-keystone | 14:28 | |
*** rwsu has joined #openstack-keystone | 14:29 | |
morganfainberg | or... | 14:29 |
morganfainberg | not /me is looking through that log | 14:29 |
*** diegows has quit IRC | 14:31 | |
*** henrynash has joined #openstack-keystone | 14:34 | |
morganfainberg | dolphm, really useful error logging :( http://pasteraw.com/s1yhqo2dsw2jh4a934zqbxcha2ehavx | 14:34 |
marekd | stevemar: no, i will say: we need this to be finally merged https://review.openstack.org/#/c/83829/ and feel free to weigh in here: https://review.openstack.org/#/c/92166/ and https://review.openstack.org/#/c/99704/ :-) | 14:34 |
marekd | (sorry, had a confcall) | 14:34 |
stevemar | marekd, yeeeep, thats what i thought you would say :) | 14:35 |
marekd | stevemar: good we are on the same page :-) | 14:35 |
stevemar | marekd, also, when you try this w/ a browser, whats the target URL, does it include :5000 in the request? | 14:35 |
marekd | stevemar: no, i had some issues with nonstandard ssl port :/ | 14:36 |
stevemar | but you include the port #? | 14:36 |
marekd | i had my configuration working on 443, and later used https://keystone/v3/[...] and no...didnt use port. | 14:36 |
marekd | what's up with ports? | 14:36 |
openstackgerrit | Christoph Gysin proposed a change to openstack/keystone: fix flake8 issues https://review.openstack.org/100628 | 14:37 |
dstanek | morganfainberg: i'm really surprised that it's that much faster | 14:40 |
morganfainberg | dstanek, i'm seeing it consistently that much faster under apache (might also be PKIZ related) | 14:40 |
morganfainberg | or the combination of PKIZ + apache | 14:40 |
dstanek | morganfainberg: also you'll be blocked less by the MySQL driver | 14:41 |
morganfainberg | dstanek, yeap | 14:41 |
morganfainberg | ayoung_ZZZzzz, so unique identifier issues in redacting token ids... | 14:47 |
morganfainberg | ayoung_ZZZzzz, we don't actually rip apart the token in session object | 14:47 |
morganfainberg | ayoung_ZZZzzz, it's an opaque blob. | 14:47 |
*** lbragstad has quit IRC | 14:48 | |
*** lbragstad has joined #openstack-keystone | 14:49 | |
morganfainberg | dstanek, can i pick your brain for a few minutes? | 14:50 |
morganfainberg | dstanek, you might have an idea or three to help on this front. | 14:51 |
dstanek | morganfainberg: sure | 14:52 |
morganfainberg | dstanek, token obfuscation in logs: we can't hash the token, we have been asked to maintain a way of correlating token X was used across Y, Z, and Q requests, we don't decode/explode the token data in the session object | 14:52 |
morganfainberg | dstanek, any thoughts on how to meet those requirements? | 14:53 |
morganfainberg | dstanek, or start to? | 14:53 |
*** daneyon has joined #openstack-keystone | 14:53 | |
dstanek | morganfainberg: why is hashing out? | 14:53 |
morganfainberg | dstanek, compliance reasons | 14:54 |
dstanek | hmmm...not even salted? :-( | 14:54 |
morganfainberg | dstanek, and because if you use a compliant hashing algorithm, and keystone is configured to hash to the same algorithm we end up with the same issue we have now, token is valid to be used | 14:54 |
bknudson | essentially the requirement for compliance is that you must be able to disable the non-compliant hashing algorithms | 14:54 |
morganfainberg | dstanek, i was told yesterday < SHA2 hashing is out | 14:54 |
bknudson | so if it's configurable then that's ok, because it will work with a different algorithm | 14:55 |
dstanek | i guess salting would help anyway | 14:55 |
morganfainberg | bknudson, will using SHA1 for unique user_ids have the same issue? | 14:55 |
dstanek | couldn't match up the tokens to each other without access to the original token | 14:55 |
bknudson | morganfainberg: yes, because sha1 wouldn't be available | 14:55 |
morganfainberg | bknudson, ... | 14:56 |
bknudson | morganfainberg: but I thought you could use different methods for user IDs? | 14:56 |
morganfainberg | bknudson, we were going to use non-configurable sha1 because uuid is bad, we need it to be reproducible | 14:56 |
morganfainberg | bknudson, this isn't even secure data. this is simply a mechanism to create an ID. | 14:57 |
dstanek | morganfainberg: the requirements are that we need the ability to shrink a token into something that's not reversible (compliance), smaller in the logs and repeatable so they can match? | 14:57 |
morganfainberg | i think the compliance stuff is overzealous. | 14:57 |
morganfainberg | dstanek, yep | 14:57 |
bknudson | sure, but if there's no sha1 function then it won't work | 14:57 |
morganfainberg | bknudson, by that token i think UUID can't be used. | 14:57 |
bknudson | it is overzealous | 14:58 |
morganfainberg | bknudson, i think UUID is a sha1-based system across the board | 14:58 |
* morganfainberg is almost positive about that. | 14:58 | |
dstanek | morganfainberg: what is the tolerance for tokens mapping back to the same thing? (same hash or whatever) | 14:58 |
bknudson | http://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_.28random.29 | 14:59 |
morganfainberg | dstanek, as long as you can look into the logs and see a given token (whatever form we use) was used for multiple requests. | 14:59 |
bknudson | looks like uuid4 is random and not sha1, uuid5 is sha1 | 14:59 |
morganfainberg | and the others are even worse. | 15:00 |
dstanek | bknudson: yeah, only uuid5 is sha based | 15:00 |
bknudson | morganfainberg: y, there's some crappy options in uuid! | 15:00 |
morganfainberg | dstanek, and we don't want to let people take token-repr from logs back to token. | 15:01 |
dstanek | morganfainberg: that really sounds like a hash of some sort | 15:01 |
*** jaosorior has quit IRC | 15:02 | |
dstanek | i can't think of another way to do it right now | 15:02 |
dstanek | unless you maintain a lookup table :-P | 15:02 |
morganfainberg | dstanek, oh god no | 15:02 |
morganfainberg | dstanek, also not really doable | 15:02 |
dstanek | haha | 15:02 |
bknudson | I think that was essentially the idea of the tracking id in the token. | 15:03 |
dstanek | can we pull data from the token and use that instead? user_id and roles maybe? | 15:03 |
morganfainberg | dstanek, maybe we just do token_str = token_id[:10] + token_id[-10:] | 15:03 |
morganfainberg | dstanek, we aren't decoding the token atm | 15:03 |
*** ayoung_ZZZzzz is now known as ayoung | 15:03 | |
bknudson | morganfainberg: I like the idea of taking part of the token... that's how I look for it anyways. | 15:03 |
morganfainberg | if we were, i'd just say: put tracking_id in token | 15:03 |
ayoung | morganfainberg, yes, we treat it as an opaque blob, and we treat it as a symmetric secret. We can't have it both ways | 15:04 |
morganfainberg | bknudson, yeah its crummy though because we use uuid tokens and pki | 15:04 |
morganfainberg | bknudson, if it was only pki, i'd have less issue with it. | 15:04 |
bknudson | y, just need to make sure we don't take too much | 15:04 |
morganfainberg | bknudson, so 20 bytes? | 15:05 |
morganfainberg | ayoung, i know ... *grumbles* | 15:05 |
ayoung | morganfainberg, but, we don't need to rip apart the token when it is requested | 15:05 |
bknudson | I would think 6 chars is enough, that's what git uses for short hash | 15:05 |
morganfainberg | ayoung, what we're trying to solve is actually that. | 15:05 |
ayoung | morganfainberg, the response has the body of the token in its expanded form | 15:05 |
morganfainberg | ayoung, this is the curl-like log line in debug mode that has X-AUTH-TOKEN in it | 15:05 |
ayoung | http://docs.openstack.org/developer/keystone/api_curl_examples.html morganfainberg that is v2, but v3 is comparable | 15:05 |
ayoung | look at the example response | 15:06 |
ayoung | and everywhere that is using the token has validated it, so they have it in unpacked form as well. | 15:06 |
dstanek | i would think we would need it longer than 6 because of the number of tokens we have and the chances for collision | 15:06 |
bknudson | dstanek: 7? | 15:06 |
morganfainberg | ayoung, we're not capturing any of that i need to go retrofit the whole auth-plugin model in the client to do that. | 15:07 |
morganfainberg | ayoung, i was hoping for something relatively small. thats all. | 15:07 |
*** dims_ has quit IRC | 15:07 | |
marekd | dstanek: https://review.openstack.org/#/c/99704/5/keystoneclient/contrib/auth/v3/saml2.py regarding your comment from line 515: i am not creating any special usecase where project and domain ids are required so I think there should always be only one of them, right? | 15:08 |
morganfainberg | ayoung, don't worry about it. i'll figure something out here. | 15:08 |
ayoung | morganfainberg, I'm not worried. I'm right. | 15:08 |
ayoung | :) | 15:08 |
morganfainberg | ayoung, no | 15:09 |
dstanek | bknudson: was never good with statistics :-( | 15:09 |
ayoung | dstanek, 103% of people aren't | 15:09 |
morganfainberg | ayoung, you're pointing out something i know that i want to avoid mucking with that much code for a stupid logline / that much overhead | 15:09 |
bknudson | also seems like sha-ing a long string is more work than extracting some bytes | 15:09 |
ayoung | morganfainberg, no...its more than that | 15:09 |
ayoung | it is a need to support the audit infrastructure | 15:09 |
ayoung | and, I think, it shows a missing piece of the token architecture | 15:10 |
morganfainberg | ayoung, however we solve this can be used there | 15:10 |
ayoung | I don't think it needs to be horribly invasive to do that, either. | 15:10 |
*** afazekas_ has quit IRC | 15:10 | |
morganfainberg | ayoung, but i'm not advocating not getting there, i'm trying to solve this iteratively w/o needing to muck with a ton of pieces for a "lets make log lines less sucky" | 15:11 |
ayoung | morganfainberg, when you said "auth plugin" you mean the client auth plugin, right? | 15:11 |
dstanek | morganfainberg: what is the tolerance for tokens "hashing" to the same value as other tokens? | 15:11 |
morganfainberg | ayoung, yes | 15:11 |
bknudson | if a client is passed a token it will also have to be passed the tracking id | 15:11 |
ayoung | ok...let me look | 15:11 |
morganfainberg | ayoung, we just aren't capturing it. it's easy enough to add. | 15:11 |
ayoung | morganfainberg, and how does that tie in with logging? | 15:11 |
bknudson | or the client will have to go to keystone to get the tracking id | 15:11 |
morganfainberg | ayoung, i just didn't want to muck with this part *yet* | 15:11 |
ayoung | heh | 15:12 |
morganfainberg | ayoung, this is the curl debug lines that shouldn't leak the token data. | 15:12 |
dstanek | marekd: that's what i'm trying to figure out | 15:12 |
morganfainberg | bknudson, lets not do that :P | 15:12 |
marekd | dstanek: so i think no. | 15:12 |
ayoung | morganfainberg, so we need to not log the token header, ever | 15:12 |
ayoung | and your point is that then we need to log outside of curl? | 15:13 |
morganfainberg | ayoung, nope | 15:13 |
dstanek | marekd: in my mind if the object should only ever have one of those set then checking in the __init__ makes it obvious | 15:13 |
marekd | dstanek: ok | 15:13 |
morganfainberg | ayoung, we need to redact this but let us still know X token (not usable) was used across multiple requests. | 15:13 |
marekd | gonna change it. | 15:13 |
morganfainberg | ayoung, the unique id is the right answer... it's just more work than i wanted to fix the logline. | 15:14 |
dstanek | morganfainberg: my biggest concern of using token[:7] would be the possibility of collision | 15:14 |
morganfainberg | dstanek, yeah not going to do that | 15:14 |
morganfainberg | going to just make sure we capture the unique id properly | 15:14 |
hrybacki | ayoung: that code review didn't connect the dots | 15:14 |
ayoung | morganfainberg, so...since there is sensitive data in the Headers, we can't just turn logging over to curl. We need to intercept the process. However, right now, the context of the token body is thrown away after the token is fetched by the client. To log anything internal to the token body would require holding on to it, | 15:14 |
dstanek | morganfainberg: so you couldn't use that to legally say this person did some action | 15:14 |
ayoung | or at least, holding on to that piece of data, and linking it to the token in use, right? | 15:14 |
ayoung | Have I stated the problem clearly? | 15:14 |
morganfainberg | ayoung, correct. | 15:15 |
morganfainberg | ayoung, well. sortof | 15:15 |
ayoung | morganfainberg, OK. So your goal has been to provide a logging mechanism that works with just the blob | 15:15 |
morganfainberg | ayoung, but close enough | 15:15 |
morganfainberg | ayoung, nah. we have all the data we need | 15:15 |
ayoung | but that can connect which token is used across multiple services | 15:15 |
ayoung | and thus must be reproducible. But not give away the token itself | 15:15 |
morganfainberg | ayoung, it just is going to take a bit of work for the session object (not a ton) | 15:15 |
morganfainberg | ayoung, i'm letting the "just use the blob" sail. we'll make it the unique id - its there, it just needs to be made available. you are either logging from auth_token (explodes out the token) or you're logging based upon an auth_request that you made and received a token back for | 15:16 |
ayoung | morganfainberg, so we are now in violent agreement? | 15:17 |
morganfainberg | in the latter case, we just need to pull the unique_id out of the token_data returned from keystone [it's fine] | 15:17 |
ayoung | and you are just annoyed because what you thought was going to be a simple fix is a lot more invasive? | 15:17 |
morganfainberg | ayoung, yeah, i was just hoping for a short answer now, and the longer answer later on this cycle | 15:17 |
ayoung | morganfainberg, Keystone IPA. Identity. Policy. Audit | 15:17 |
morganfainberg | ayoung, yep because i need to replicate the long answer around a bunch of the client code. | 15:17 |
ayoung | cool. I know that you are on it. Let me know if you want any help. | 15:18 |
morganfainberg | ayoung, client code != ksc, i mean other clients not using session obj | 15:18 |
morganfainberg | ayoung, yeah i'll tag you on the reviews :P | 15:18 |
morganfainberg | ;) | 15:18 |
ayoung | morganfainberg, I think we need to make the tracking number an official API change. | 15:18 |
morganfainberg | ayoung, part of the token data spec. | 15:19 |
ayoung | and retroactive to the V2 api. And if we get a v2 token without a tracking number, we will be in the same boat, but we have an answer of "cannot be tracked" or something | 15:19 |
ayoung | ++ | 15:19 |
morganfainberg | ayoung, i'm going to make the debug line just say X-AUTH-TOKEN: **REDACTED** and just log the tracking id as a separate part of that same thing | 15:20 |
ayoung | ++ | 15:20 |
morganfainberg | ayoung, and the unique_id (just like the token version) will be a top level object - if the token doesn't have a unique id, sorry we don't know what to do for ya | 15:21 |
morganfainberg | so, you can't see it. | 15:21 |
morganfainberg | no tracking id = no tracking (icehouse and older keystones) | 15:21 |
dstanek | is tracking id inside the token? | 15:27 |
morganfainberg | dstanek, it will be | 15:27 |
morganfainberg | dstanek, i'll just use a uuid4 in the token itself *i guess* | 15:28 |
dstanek | does that mean that we could slow down things by having to decode the token every time it's logged? | 15:29 |
morganfainberg | dstanek, na | 15:29 |
morganfainberg | dstanek, i just need to grab the token_id from the keystone body response | 15:29 |
morganfainberg | dstanek, not actually decode. | 15:29 |
dstanek | oh, i thought you were talking about other services logging the token too | 15:30 |
dstanek | morganfainberg: re: the recent mailing list discussion | 15:30 |
morganfainberg | auth_token and clients are what we care about | 15:30 |
morganfainberg | yah this is the client code and the middleware | 15:30 |
morganfainberg | other services all use client code for debugging :) | 15:30 |
morganfainberg | so, fix it in a couple places, fix it everywhere | 15:30 |
dstanek | cool, i was under the impression that things were also logged in the services | 15:31 |
morganfainberg | if they do, i can't stop them, but that is dumb and they shouldnt! | 15:32 |
*** dims_ has joined #openstack-keystone | 15:32 | |
morganfainberg | :) | 15:32 |
bknudson | the auth_token middleware could extract the tracking id | 15:33 |
morganfainberg | bknudson, yep. that one i'm not worried about | 15:34 |
bknudson | actually it would be in keystone.token_info | 15:34 |
bknudson | just don't try to generate the tracking id from the token id | 15:35 |
*** BAKfr has quit IRC | 15:37 | |
morganfainberg | bknudson, yep | 15:37 |
*** packet has joined #openstack-keystone | 15:38 | |
dstanek | bknudson: question about https://review.openstack.org/#/c/99745/1/keystoneclient/__init__.py | 15:42 |
dstanek | bknudson: why have the __all__? | 15:42 |
*** dims_ has quit IRC | 15:42 | |
bknudson | dstanek: http://legacy.python.org/dev/peps/pep-0008/#public-and-internal-interfaces | 15:43 |
bknudson | dstanek: does that answer? | 15:43 |
*** dims_ has joined #openstack-keystone | 15:44 | |
*** stevemar2 has joined #openstack-keystone | 15:44 | |
bknudson | I wasn't thinking about whether to remove __all__ or not, since I don't really know what it does. | 15:44 |
bknudson | Was just getting the doc build to not generate warnings | 15:44 |
*** i159 has quit IRC | 15:44 | |
stevemar2 | bknudson, the keystoneclient warnings? | 15:44 |
dstanek | bknudson: hmmm...odd. __all__ is really for 'import *' | 15:45 |
*** stevemar has quit IRC | 15:45 | |
dstanek | from keystoneclient import * # import all things from __all__ instead of globals | 15:45 |
bknudson | stevemar2: (is this stevemar?) y, there were warnings for these doing tox -e docs | 15:45 |
bknudson | dstanek: maybe it's a bug in the doc builder? | 15:45 |
stevemar2 | bknudson, yep, i was disconnected, now i am 2.0-ified. | 15:47 |
dstanek | bknudson: no, the problem is that __all__ is advertising that it has those attributes and they are public | 15:47 |
stevemar2 | bknudson, I recall fixing a similar issue with the keystone docs, and the only way to get it working was to delete the block | 15:47 |
bknudson | stevemar2: delete __all__ ? | 15:47 |
dstanek | what's interesting is that pep8 is a little confusing because it says modules should have an __all__ and doesn't say anything about packages | 15:48 |
stevemar2 | bknudson, yeah, let me find the change | 15:48 |
openstackgerrit | A change was merged to openstack/keystone: Fix a few typos in the shibboleth doc https://review.openstack.org/100723 | 15:48 |
stevemar2 | bknudson, oh https://review.openstack.org/#/c/72544/3/keystone/tests/contrib/kds/fixture/__init__.py | 15:49 |
stevemar2 | would that work? | 15:49 |
bknudson | stevemar2: it already had '' | 15:49 |
stevemar2 | gah | 15:49 |
bknudson | it was missing the imports instead | 15:49 |
* morganfainberg needs caffeination | 15:50 | |
dstanek | yeah, __all__ has to be a list of strings that are the names of globals in that module | 15:50 |
bknudson | in this case it would be like "__all__ = ['SqliteDb', 'KvsDb']" but then there was no "SqliteDb = sqlitedb.SqliteDb" | 15:51 |
dstanek | the right solution is to add the imports to get the names in globals or to delete the __all__ | 15:51 |
bknudson | dstanek: when do you use __all__ ? | 15:52 |
*** Ephur has joined #openstack-keystone | 15:53 | |
bknudson | "it's a list of public objects of that module -- it overrides the default of hiding everything that begins with an underscore" ? | 15:53 |
dstanek | bknudson: i have never been in the habit of using it because i don't import *, but i'm not opposed to keeping it | 15:53 |
bknudson | looks like you need it if you want to only make some symbols in the module "public" | 15:54 |
stevemar2 | bknudson, dstanek it seems like it's only used if we explicitly call import * ? | 15:54 |
bknudson | i.e., from p import * | 15:54 |
stevemar2 | bknudson, i think we're on the same page: http://stackoverflow.com/questions/44834/can-someone-explain-all-in-python | 15:55 |
bknudson | stackoverflow is the best | 15:55 |
stevemar2 | delete it and see if the tests pass :) | 15:55 |
bknudson | we should have tests to ensure that all the public symbols are exported as expected | 15:55 |
bknudson | dstanek: so we'd only need __all__ if we wanted some of those imports to not be public | 15:56 |
bknudson | or do imports work differently? | 15:56 |
dstanek | bknudson: jas | 15:56 |
*** dims_ has quit IRC | 15:57 | |
dstanek | bknudson: http://dpaste.com/3P5NGCQ | 15:58 |
dstanek | default with 'import *' is everything in globals that isn't prefixed with _; __all__ gives you control to say only certain things are included so you don't need the _ | 15:59 |
dstanek | bknudson: people say __all__ documents a modules public API and i guess that's true to some extent | 15:59 |
bknudson | dstanek: so is there an issue with the "import pbr.version" in __init__.py? | 15:59 |
*** gyee has joined #openstack-keystone | 16:00 | |
bknudson | wouldn't we get a pbr in globals? | 16:00 |
bknudson | if someone did import * and we removed __all__ | 16:00 |
dstanek | no, without the __all__ it would be included in 'from keystoneclient import *' | 16:00 |
bknudson | we don't want that | 16:00 |
bknudson | so I think we still need __all__ in __init__.py | 16:00 |
dstanek | people are not import * right now because it's broken, but adding the imports would fix it | 16:01 |
*** leseb has quit IRC | 16:01 | |
bknudson | really? I didn't try it | 16:01 |
*** jsavak has joined #openstack-keystone | 16:01 | |
*** leseb has joined #openstack-keystone | 16:01 | |
dstanek | i think you would get an attribute error | 16:02 |
dstanek | my general rule of thumb is not to 'import *' except in certain cases like Tk or testtools.matchers where the module was designed for it | 16:03 |
*** joesavak has quit IRC | 16:03 | |
bknudson | I don't think we can tell people to not use from keystoneclient import * if they want to | 16:04 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: auth_token _cache_get checks token expired https://review.openstack.org/96785 | 16:04 |
*** joesavak has joined #openstack-keystone | 16:04 | |
dstanek | i don't think we should | 16:04 |
mfisch | When using PKI tokens do the other services (nova, etc) need to be configured to handle them? | 16:05 |
*** leseb has quit IRC | 16:06 | |
bknudson | mfisch: the other services use the auth_token middleware which supports both UUID and PKI tokens | 16:06 |
dolphm | does logstash have a CLI? | 16:06 |
bknudson | no config required | 16:06 |
*** jsavak has quit IRC | 16:06 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/99076 | 16:07 |
mfisch | bknudson: how do the services get the keystone cert? | 16:07 |
bknudson | mfisch: auth_token middleware fetches it from keystone | 16:07 |
dstanek | bknudson: if you take out the __all__ nobody would do an import * anyway; there would be nothing to import | 16:07 |
*** dvorak has joined #openstack-keystone | 16:08 | |
bknudson | dstanek: ['baseclient', 'client', 'pbr', '__builtins__', 'v2_0', 'utils', 'discover', 'auth', '__package__', 'access', 'generic', 'session', 'v3', 'service_catalog', 'openstack', 'exceptions', '__name__', 'base', '__doc__', 'httpclient'] | 16:08 |
bknudson | that's what I get when I remove __all__ from 99745 | 16:09 |
bknudson | globals().keys() | 16:09 |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 16:09 |
stevemar2 | dstanek, bknudson what about http://paste.openstack.org/show/84404/ | 16:09 |
bknudson | vs ['__builtins__', '__package__', 'access', 'generic', 'v3', 'client', 'service_catalog', 'v2_0', 'exceptions', '__name__', '__doc__', 'httpclient'] | 16:09 |
bknudson | stevemar2: ah, I thought apiclient was in oslo-incubator | 16:10 |
dstanek | bknudson: that's interesting - i did not expect that | 16:10 |
stevemar2 | nope | 16:10 |
dstanek | bknudson: is that with your imports in the file? | 16:10 |
bknudson | might as well fix that one too, then | 16:10 |
bknudson | dstanek: yes, that's with the imports | 16:11 |
dstanek | bknudson: ah, that's why | 16:11 |
dstanek | if you have the original file and remove the __all__ you'll get something different | 16:11 |
bknudson | ['__builtins__', '__name__', 'pbr', '__doc__', '__package__'] | 16:11 |
bknudson | dstanek: it's just pbr | 16:11 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265 | 16:12 |
dstanek | like i said, i'm fine with the imports - i was just wondering why we had an __all__ | 16:13 |
bknudson | dstanek: I think it's right having the __all__, since don't want to export pbr | 16:13 |
dstanek | bknudson: it's only not exported in the import * case | 16:13 |
dstanek | if you import the package you can still access it as an attribute | 16:14 |
bknudson | from keystoneclient import pbr | 16:14 |
bknudson | :( | 16:14 |
bknudson | also, it serves as documentation | 16:15 |
bknudson | for what's public and what's not | 16:15 |
bknudson | maybe we could from pbr import version as _version? | 16:15 |
dstanek | bknudson: probably not worth it - we are only talking about the main package now - what about all of the other modules? | 16:16 |
sbasam | How is token revocation handled in the PKI use case? Does each keystone server store the list internally to itself in kvs? | 16:16 |
marekd | dstanek: hey, looking at moving project_id/domain_id to __init__(). | 16:16 |
bknudson | dstanek: they should also use __all__ according to pep8. it's just that we didn't enforce it as we should have | 16:16 |
dstanek | bknudson: what's strange about __all__ is that it defines a module API and not a package API | 16:16 |
marekd | dstanek: in this use case the logic should be like: "if none is set, list all available projects and domains" | 16:17 |
mfisch | bknudson: thanks, sounds like it's a simple transition then | 16:17 |
bknudson | sbasam: keystone server searches the token table for revoked and not expired tokens if tokens are stored in sql | 16:17 |
marekd | dstanek: and this happens via HTTP calls to the Keystone. See lines 517,518 https://review.openstack.org/#/c/99704/5/keystoneclient/contrib/auth/v3/saml2.py | 16:17 |
marekd | dstanek: so I don't think it's a good idea to move it all to __init__ | 16:18 |
*** chandan_kumar has joined #openstack-keystone | 16:18 | |
bknudson | dstanek: can you import * from a package? | 16:18 |
sbasam | bknudson: We don't want to store the token due to scaling issues with it. Is it possible to just store revoked tokens in the DB? | 16:18 |
sbasam | We are currently using UUID tokens and looking to migrate to PKI due to storage issues with UUID tokens. | 16:19 |
bknudson | sbasam: there's other work going on in juno to make it so that tokens don't have to be stored | 16:19 |
dstanek | bknudson: yes | 16:19 |
dstanek | marekd: that's unfortunate | 16:20 |
dstanek | bknudson: but what i mean is that doesn't say that keystone.session is public or private when directly imported | 16:20 |
marekd | dstanek: you don't always know what project/domain you can access, since your roles are assigned dynamically.. | 16:20 |
bknudson | dstanek: using __all__ in a package worked for me | 16:21 |
marekd | dstanek: and of course making the plugin call keystone every time an object is created is a nightmare :-) | 16:21 |
dstanek | bknudson: is keystoneclient.session public? | 16:21 |
bknudson | dstanek: I think so. it's got the keystone.session.request function which we supposedly support | 16:22 |
bknudson | some things are public when they probably shouldn't be | 16:23 |
dstanek | bknudson: that's what i mean - it's public and not in the __all__ - it's more from the module perspective than package | 16:24 |
bknudson | dstanek: I think that's a bug | 16:25 |
dstanek | yeah, that's why i've never used it :-( since there is no enforcement there is no way to know if it's up to date | 16:28 |
bknudson | there must be a way to write a test for it | 16:28 |
*** bknudson has quit IRC | 16:30 | |
*** leseb has joined #openstack-keystone | 16:32 | |
*** leseb has quit IRC | 16:37 | |
*** leseb has joined #openstack-keystone | 16:37 | |
dstanek | i think that was bknudson's mic drop | 16:41 |
lbragstad | dstanek: +! | 16:43 |
lbragstad | +1* | 16:44 |
*** ByteSore has quit IRC | 16:48 | |
*** ByteSore has joined #openstack-keystone | 16:49 | |
*** leseb has quit IRC | 16:50 | |
*** leseb has joined #openstack-keystone | 16:50 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704 | 16:54 |
*** leseb has quit IRC | 16:54 | |
*** browne has joined #openstack-keystone | 16:58 | |
*** marekd is now known as marekd|away | 16:59 | |
*** dims_ has joined #openstack-keystone | 16:59 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 17:03 |
*** harlowja_away is now known as harlowja | 17:06 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output https://review.openstack.org/99432 | 17:12 |
*** stevemar2 has quit IRC | 17:13 | |
*** stevemar has joined #openstack-keystone | 17:14 | |
*** hrybacki_ has joined #openstack-keystone | 17:15 | |
*** thedodd has joined #openstack-keystone | 17:16 | |
*** marcoemorais has joined #openstack-keystone | 17:17 | |
*** praneshp has joined #openstack-keystone | 17:17 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 17:18 |
*** hrybacki has quit IRC | 17:18 | |
henrynash | ayoung, dstanek, morganfainberg: have posted first split out of the multi-backend uuid patch…the one that just migrates ID generation from controller to manager….hopefully pretty uncontentious, so great to push this along: https://review.openstack.org/#/c/100833/ | 17:19 |
*** hrybacki_ has quit IRC | 17:20 | |
morganfainberg | henrynash, nice! thanks for splitting it up | 17:20 |
morganfainberg | henrynash, i'll take a look at it here in a minute | 17:20 |
*** nsquare has joined #openstack-keystone | 17:20 | |
henrynash | morganfainberg: thx….even that was 680 lines! Couldn't really see how to split it down further….and it is nearly all mechanical changes of the same form | 17:21 |
morganfainberg | henrynash, yeah thats why breaking it up is so helpful | 17:26 |
morganfainberg | henrynash, we can at least not be as overloaded on reviewing the code :) | 17:26 |
morganfainberg | this one should be easier to review in either case | 17:26 |
henrynash | morganfainberg: agreed! | 17:26 |
morganfainberg | henrynash, also... miiiinor tweak to your sha1 bits | 17:27 |
morganfainberg | henrynash, for the spec change | 17:27 |
morganfainberg | we can't use sha1 | 17:27 |
morganfainberg | compliance issues | 17:27 |
henrynash | morganfainberg: eeek! | 17:27 |
morganfainberg | it either needs to be configurable or be sha2 based | 17:28 |
morganfainberg | (sha224, 256, etc) | 17:28 |
henrynash | morganfainberg: and don’t they all generate more than 32 bytes (hex)? | 17:29 |
morganfainberg | 64 is our limit | 17:29 |
morganfainberg | but sha256 is 64 bytes | 17:29 |
morganfainberg | to keep it 32 bytes or less... don't think we can use hashing | 17:29 |
morganfainberg | w/o making it configurable | 17:29 |
morganfainberg | e.g. sha1, sha224, sha256 | 17:29 |
henrynash | I did wonder about allowing a plugable hash driver... | 17:30 |
*** bknudson has joined #openstack-keystone | 17:32 | |
ayoung | henrynash, > 400 lines...any way you can make it smaller | 17:34 |
ayoung | just kidding | 17:34 |
henrynash | ayoung: missile on its way.... | 17:34 |
henrynash | ayoung: :-) | 17:35 |
*** bknudson has quit IRC | 17:36 | |
ayoung | https://review.openstack.org/#/c/100833/7/keystone/identity/core.py,cm I wonder if that is going to mess up the people currently using LDAP. | 17:38 |
ayoung | IE. cern, and the people that are using Rally tests that periodically create users, like that guy last night asked about | 17:38 |
henrynash | ayoung: calling the manager? | 17:39 |
ayoung | henrynash, yeah...probably it is no real change | 17:39 |
ayoung | I think the LDAP code injects a UUID in the CN or something wonky like that anyway | 17:39 |
henrynash | ayoung: if they call the driver itself, they're fine | 17:40 |
ayoung | yep | 17:40 |
ayoung | henrynash, and for existing LDAP cases, they should just accept the userid presented by LDAP | 17:40 |
ayoung | henrynash, just to be sure, I'll try this against liveLDAP | 17:41 |
henrynash | ayoung: I tried various ways of not changing the manager signature, but 'cause we pass the ID as well as the object (that has to have the ID in it as well!)…it's messy | 17:41 |
ayoung | agreed | 17:41 |
*** hrybacki has joined #openstack-keystone | 17:41 | |
ayoung | henrynash, why the additional cleanup in the fixture code? Shouldn't we be going from a blank database when we run this? | 17:42 |
ayoung | # This will clear out any roles on the project as well | 17:42 |
ayoung | self.assignment_api.delete_project(tenant['id']) | 17:42 |
henrynash | ayoung:…ahh, actually you're right that's not strictly needed in this patch….it is when we have different public vs entity IDs cause some of the tests re-create the fixture users…and you end up with additional roles in projects since their Public IDs may have changed depending on what test we are running | 17:44 |
ayoung | henrynash, so it is from the next patch? | 17:45 |
henrynash | ayoung: yes | 17:45 |
ayoung | OK... | 17:45 |
henrynash | ayoung: sorry, slipped into this one by mistake... | 17:45 |
henrynash | ayoung: I’m a git add -i newbie! | 17:45 |
ayoung | heh | 17:46 |
ayoung | not a big deal, just wasn't clear if it was intentional. I know I make changes like that for development sake, and then end up leaving them in during the review | 17:46 |
henrynash | ayoung: I can pull that one out….once a few people have reviewed I’ll do a minor update | 17:47 |
ayoung | cool. I don't really care | 17:47 |
ayoung | twas others that insisted on the patch splitting | 17:47 |
ayoung | henrynash, why this code | 17:48 |
ayoung | password = self.user1['password'] | 17:48 |
ayoung | self.user1 = self.identity_api.create_user(self.user1) | 17:48 |
ayoung | self.user1['password'] = password | 17:48 |
ayoung | I see that pattern in a few places | 17:48 |
henrynash | ayoung: so often the user record was initialised with the password in….which is NOT returned by the create, and the test will later refer to it from the object | 17:49 |
*** bknudson has joined #openstack-keystone | 17:49 | |
*** dims_ has quit IRC | 17:53 | |
ayoung | ah, the filter thing | 17:58 |
morganfainberg | bknudson, dolphm, i think for the middleware split the answer is we just freeze the keystoneclient middleware and deprecate it (message that says go install new stuff from XXXX package) | 17:59 |
morganfainberg | bknudson, dolphm, it saves circular deps, breaking people, etc. | 17:59 |
bknudson | morganfainberg: works for me | 17:59 |
morganfainberg | bknudson, dolphm, and it's purely a deployer function on which one to use. we can even say release YY of keystoneclient will remove this old middleware if we want | 18:00 |
bknudson | we'll need to fix any security vulns in there | 18:00 |
morganfainberg | bknudson, security maintenance != new features, totally agree | 18:00 |
morganfainberg | bknudson, it means we might have code going into 2 places, but it should be minimal. | 18:00 |
ayoung | henrynash, +2 from me | 18:00 |
morganfainberg | bknudson, it also means we shouldn't refactor to use session (etc) the current one in keystoneclient | 18:00 |
*** jsavak has joined #openstack-keystone | 18:01 | |
morganfainberg | it also means the split is a much much easier proposal | 18:01 |
ayoung | morganfainberg, ARGH!@ | 18:01 |
ayoung | really | 18:01 |
*** dims_ has joined #openstack-keystone | 18:01 | |
morganfainberg | ayoung, i can't in good conscience make a circular dependency for packages. | 18:02 |
ayoung | morganfainberg, ok...let's delay that split until we get the current one in a stable state | 18:02 |
ayoung | and that means the refactoring and use of revocation events | 18:02 |
ayoung | then split | 18:02 |
morganfainberg | ayoung, negative, lets not do the massive refactor | 18:02 |
morganfainberg | ayoung, rev. events sure | 18:02 |
morganfainberg | ayoung, actually for juno it wont matter really | 18:03 |
morganfainberg | ayoung, but eh | 18:03 |
morganfainberg | w/e ... if we delay i can work on other things | 18:04 |
*** joesavak has quit IRC | 18:04 | |
bknudson | maybe we'll figure out the circ dependency thing soon anyways | 18:04 |
*** packet has quit IRC | 18:05 | |
morganfainberg | bknudson, it isn't that pip can't do it, i was talking with some people in -infra about it | 18:05 |
morganfainberg | its that ... i think it's not worth the headaches it will cause us. | 18:05 |
ayoung | morganfainberg, the events code needs the refactor | 18:06 |
morganfainberg | ayoung, alternatively we could do the split this week and make the 1st release of the new middleware refactor + events | 18:07 |
ayoung | morganfainberg, true | 18:07 |
morganfainberg | ayoung, defer to you on this i'm updating the spec now. | 18:07 |
ayoung | that might be better. Then, revoke events only goes into the new code | 18:07 |
ayoung | lets talk it over with jamielennox when he's around | 18:07 |
morganfainberg | ayoung, ++ if you want the split this week though, i think i'll need to know middle of todayish | 18:08 |
ayoung | morganfainberg, dumb idea | 18:08 |
morganfainberg | middle-to-late pacific | 18:08 |
bknudson | auth_token in keystoneclient is deprecated once middleware is released? | 18:08 |
ayoung | what if we completely strip everything out of python-keystoneclient and put it in new libraries | 18:08 |
morganfainberg | bknudson, correct that would be my goal. | 18:08 |
ayoung | no circular dependencies | 18:09 |
ayoung | keystoneclient the library gets a new name | 18:09 |
morganfainberg | ayoung, that was my first thought. keystonelib? | 18:09 |
ayoung | keystonecommon? | 18:09 |
ayoung | nah | 18:09 |
bknudson | isn't it just cms? | 18:09 |
morganfainberg | we could absolutely do that instead. but it probably won't be an early juno thing | 18:09 |
morganfainberg | bknudson, and session | 18:10 |
bknudson | what's the circular dependency with session? | 18:10 |
bknudson | session doesn't use auth_token | 18:10 |
morganfainberg | bknudson, we want auth_token to use session | 18:10 |
morganfainberg | bknudson, its on the "lets refactor this correctly to use the new code" list | 18:10 |
bknudson | doesn't session use keystoneclient? | 18:11 |
ayoung | even without that I think we have a circular | 18:11 |
morganfainberg | keystoneclient uses session | 18:11 |
bknudson | I thought session used keystoneclient ... maybe it's the plugins | 18:13 |
morganfainberg | session is what the plugins are for | 18:13 |
morganfainberg | it's something that other python-*client code can consume, if we were to split it the keystoneclient (interacting with keystone) would remain in the keystoneclient lib, but the common code (e.g. session + plugins, cms) would move out | 18:14 |
bknudson | aren't the plugins going to use keystoneclient? | 18:17 |
bknudson | they need to talk to keystone, so seems like they should use keystoneclient for it. | 18:17 |
bknudson | although could do that with injected function | 18:18 |
morganfainberg | i'd need to bug jamielennox to know for sure the grand plan | 18:18 |
bknudson | http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/auth/identity/v3.py | 18:18 |
*** packet has joined #openstack-keystone | 18:19 | |
bknudson | the v3 auth plugin uses exceptions from keystoneclient | 18:19 |
bknudson | but it doesn't use keystoneclient, uses session.post and builds the request itself. | 18:20 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987 | 18:26 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987 | 18:27 |
morganfainberg | bknudson, yeah it is a little intertwined. i think it all depends on where we want the code to live. - it would be doable to split that out as well. | 18:28 |
bknudson | auth plugins | 18:28 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987 | 18:29 |
morganfainberg | ok now that i got all the extra whitespace out... | 18:29 |
ayoung | morganfainberg, OK...so the pieces as I see it are: keystonecli -> dead, becomes common CLI. session mgmt...candidate for the openstack-sdk project, keystonelib specific for calls to keystone, keystone middleware. | 18:30 |
morganfainberg | session management could be openstack-sdk or oslo | 18:31 |
ayoung | the problem with the commons is that it means that a team working on something has to give it up, or a person has to transition over to it to supervise, and gets sucked in to things beyond what they care about | 18:31 |
morganfainberg | ayoung, yeah basically that covers it | 18:31 |
ayoung | I wish we could put something into common and keep oversight of it | 18:32 |
morganfainberg | that level of split will (i think) be beyond the scope of early juno | 18:32 |
morganfainberg | fwiw | 18:32 |
morganfainberg | or even possibly juno at all. | 18:33 |
bknudson | there's lots of different oslo libs that have different maintainers | 18:33 |
*** daneyon has quit IRC | 18:34 | |
*** dims_ has quit IRC | 18:36 | |
*** marcoemorais has quit IRC | 18:37 | |
*** ayoung has quit IRC | 18:37 | |
*** marcoemorais has joined #openstack-keystone | 18:37 | |
*** gokrokv__ has quit IRC | 18:42 | |
*** nkinder_ has quit IRC | 18:44 | |
henrynash | ayoung: thx | 18:51 |
*** MEDOU has joined #openstack-keystone | 18:58 | |
*** ozialien has joined #openstack-keystone | 18:59 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987 | 19:00 |
*** dims_ has joined #openstack-keystone | 19:00 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987 | 19:01 |
bknudson | morganfainberg: what middleware is being pulled out of keystone? all of it? | 19:03 |
morganfainberg | bknudson, ec2token | 19:03 |
morganfainberg | bknudson, s3 already has been moved | 19:04 |
morganfainberg | bknudson, and the other middleware is internal (authcontext | 19:04 |
morganfainberg | jsonbody etc | 19:04 |
morganfainberg | i mean.. we could split those out too | 19:04 |
* morganfainberg shrugs | 19:05 | |
*** jsavak has quit IRC | 19:05 | |
*** MEDOU has left #openstack-keystone | 19:06 | |
*** openstackgerrit has quit IRC | 19:06 | |
*** openstackgerrit_ has joined #openstack-keystone | 19:07 | |
bknudson | morganfainberg: seems like some of the middleware could be in oslo. | 19:08 |
bknudson | RequestBodySizeLimiter | 19:08 |
morganfainberg | bknudson, possibly. | 19:08 |
*** openstackgerrit_ is now known as openstackgerrit | 19:08 | |
morganfainberg | bknudson, i'm happy to evaluate that but i'm hesitant to lump that into this spec | 19:08 |
*** dims_ has quit IRC | 19:09 | |
*** joesavak has joined #openstack-keystone | 19:09 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 19:10 |
*** gokrokve has joined #openstack-keystone | 19:15 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 19:17 |
*** ozialien has quit IRC | 19:18 | |
*** gokrokve has quit IRC | 19:20 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987 | 19:21 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: Service Token Composite Authorization Specification https://review.openstack.org/96315 | 19:27 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Middleware tests now run under Python3 https://review.openstack.org/99669 | 19:38 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing https://review.openstack.org/95827 | 19:38 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Updates Python3 requirements to match Python2 https://review.openstack.org/95826 | 19:39 |
morganfainberg | dstanek, i meant to ask you about the LDAP fork | 19:39 |
morganfainberg | dstanek, it's just someone trying to get the stuff into upstream python-ldap so we're using it and going to help champion it? | 19:40 |
dstanek | morganfainberg: it's much worse then that :-( jas | 19:41 |
morganfainberg | dstanek, ok | 19:41 |
*** gokrokve has joined #openstack-keystone | 19:42 | |
dstanek | morganfainberg: take a look at my post https://mail.python.org/pipermail/python-ldap/2014q2/thread.html | 19:42 |
dstanek | ...crickets... | 19:42 |
dstanek | morganfainberg: jdennis' response is very enlightening | 19:42 |
morganfainberg | wow | 19:43 |
dstanek | morganfainberg: my goal is not to champion it, but to get as far as i can knowing that we can't really release until all of the i's are crossed and t's dotted | 19:43 |
morganfainberg | yeh | 19:43 |
dstanek | morganfainberg: it may be that i'll jump in and help at some point once i've gone as far as i can go | 19:44 |
morganfainberg | nod | 19:44 |
dstanek | there is also a python3 version (from different devs), but the API is different | 19:44 |
dstanek | https://pypi.python.org/pypi/python3-ldap | 19:45 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create keystonemiddleware repo https://review.openstack.org/95987 | 19:49 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone-specs: create keystonemiddleware repo https://review.openstack.org/95987 | 19:49 |
jdennis | python3-ldap looks interesting, but it's relatively immature AFAICT, being pure Python has its advantages but I wonder about performance and all the nasty ASN.1 which has to be spot on correct, then there is the fact it's a different API :-( | 19:49 |
*** rodrigods has quit IRC | 19:51 | |
*** diegows has joined #openstack-keystone | 19:53 | |
bknudson | does the wrapper in keystone make it easier? could it translate to/from python3-ldap? | 19:54 |
morganfainberg | bknudson, interesting thought | 19:55 |
jdennis | bknudson: if you're talking about the wrappers I introduced the answer is no, the wrappers are a 1-to-1 match on the existing python-ldap API | 19:56 |
*** rodrigods has joined #openstack-keystone | 19:59 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager https://review.openstack.org/100833 | 20:02 |
*** leseb has joined #openstack-keystone | 20:02 | |
dstanek | i think it would be possible to write an adapter layer, but probably not worth the effort until more of the dust settles | 20:02 |
*** ayoung has joined #openstack-keystone | 20:08 | |
*** wyllys has joined #openstack-keystone | 20:11 | |
wyllys | is it possible to add users in Active Directory using keystone with the LDAP backend? | 20:11 |
* morganfainberg grumbles valencia is not an approved hotel | 20:12 | |
dstanek | morganfainberg: i think there is an embassy even closer to geekdom | 20:18 |
morganfainberg | Hilton looks to be the closest | 20:18 |
morganfainberg | and the recommended "best choice" one | 20:19 |
dstanek | do you get a better rate there than the rackspace rate? | 20:19 |
morganfainberg | no, but the system is being bitchy about letting me go outside of policy | 20:19 |
dstanek | i'm not sure where the hilton is downtown | 20:20 |
morganfainberg | 200 South Alamo St. | 20:20 |
morganfainberg | claims to be 0.44 mi from geekdom | 20:20 |
*** stevemar has quit IRC | 20:20 | |
morganfainberg | though i'm getting a car this time because i have to be at the airport early on saturday morning. | 20:21 |
morganfainberg | and not staying at the same hotel as other folks | 20:21 |
*** gordc has left #openstack-keystone | 20:21 | |
dstanek | morganfainberg: i think that's closer to the old geekdom | 20:21 |
dstanek | but if you have a car it won't matter | 20:22 |
morganfainberg | yep | 20:22 |
morganfainberg | thats the plan | 20:22 |
*** wyllys has quit IRC | 20:24 | |
*** nkinder_ has joined #openstack-keystone | 20:27 | |
morganfainberg | bknudson, https://review.openstack.org/#/c/100497/ re hashing you seem to know the most about this. | 20:36 |
morganfainberg | bknudson, before we get lost - i want to pre-emptively make sure we're not in violation with whatever is chosen. | 20:36 |
mfisch | does DELETE /v2.0/tokens/{token-id} require some config to make it work?' | 20:39 |
mfisch | like a policy.json entry? | 20:39 |
openstackgerrit | Raildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy https://review.openstack.org/101017 | 20:42 |
*** topol has joined #openstack-keystone | 20:43 | |
raildo | morganfainberg: If you can review =] | 20:43 |
morganfainberg | raildo, Awesome! was going to go looking for you tomorow on that actually | 20:44 |
raildo | morganfainberg: great! thanks | 20:44 |
*** diegows has quit IRC | 20:44 | |
openstackgerrit | ayoung proposed a change to openstack/keystone: Kerberos as method name https://review.openstack.org/95989 | 20:50 |
*** nsquare has quit IRC | 20:51 | |
ayoung | WTF don't people stick around to hear the answer to their questions? | 20:51 |
ayoung | raildo, I thought we were putting an explicit param on to get the whole hierarchy | 20:53 |
ayoung | ah..projects, not project | 20:53 |
ayoung | raildo, on Token must be scoped to the target project on which the action is performed. A higher-project scoping will not work. | 20:54 |
ayoung | I think we need to be clearer that a user with a role on A should or should not be able to get a token scoped to B | 20:54 |
ayoung | based on whether the role is "inheritable" | 20:55 |
ayoung | its implied in there, but should be explicit | 20:55 |
mfisch | it turns out DELETE tokens works if you use curl properly... | 20:55 |
*** dstanek is now known as dstanek_zzz | 20:55 | |
raildo | ayoung: I understand, but which of the two solutions is the ideal? I think the token must be valid. | 20:57 |
ayoung | raildo, no, I just mean make explicit what you have there | 20:58 |
ayoung | if the role is inheritable, then you can get a token for the child project | 20:58 |
*** hrybacki has quit IRC | 20:58 | |
ayoung | if it is not, you need an explicit role | 20:58 |
ayoung | raildo, also, what do you think of this | 20:58 |
raildo | ayoung: ok | 20:58 |
ayoung | merge the domain and project tables and then domain_id become parent_id | 20:59 |
ayoung | a domain is an entry with no parent | 20:59 |
*** erecio has quit IRC | 20:59 | |
sbasam | mfisch: Did you have to do that using an admin role? Default policy.json seems to require an admin role | 21:00 |
raildo | ayoung: I remember this discussion, I think dolph until he had suggested it. In my opinion it is a good idea. | 21:01 |
mfisch | sbasam: I was failing to properly add the Auth-Token to my curl request ;) | 21:01 |
ayoung | raildo, I'll add that to the review | 21:01 |
raildo | ok, thanks | 21:02 |
ayoung | nice work | 21:02 |
*** juanmo has quit IRC | 21:02 | |
raildo | ayoung: thank you | 21:02 |
morganfainberg | raildo, i agree with using domain_id as the top level | 21:03 |
morganfainberg | erm domain | 21:03 |
morganfainberg | ok i am going to go get some food, coffee, etc be back in a bit | 21:04 |
*** dims_ has joined #openstack-keystone | 21:06 | |
raildo | morganfainberg: ayoung I had two questions about the solution. When a user wants to delete a project that is in the middle of the hierarchy, must you delete the rest of the hierarchy, or throw an exception (the user can only delete the leaves)? | 21:06 |
raildo | The other question is, can I add/change projects in the middle of the hierarchy? | 21:07 |
morganfainberg | i think we agreed that moving projects was a big issue | 21:07 |
morganfainberg | (e.g. adding/removing from the heiarchy) | 21:07 |
morganfainberg | changing a project's info (ID is immutable) shouldn't matter | 21:07 |
*** jamielennox is now known as jamielennox|away | 21:08 | |
openstackgerrit | A change was merged to openstack/keystone: Update sample keystone.conf file https://review.openstack.org/100155 | 21:08 |
raildo | This is a good argument. | 21:08 |
raildo | I'll have to leave now, but in half an hour I'm back to fix these points. =] | 21:08 |
morganfainberg | sure. | 21:09 |
morganfainberg | thanks for the work on that! | 21:09 |
ayoung | raildo, great question. I think it would be an explicit "delete all" and would require a specific role | 21:09 |
ayoung | add in the middle..no, only leaf nodes | 21:09 |
raildo | morganfainberg: It's nothing! =] | 21:09 |
ayoung | change? no moving | 21:09 |
raildo | ayoung: I was thinking about moving. | 21:10 |
sbasam | question on pki token revocations in a multi node keystone service... Is the revocation list shared between nodes or does each keystone server hold the list that it handled? | 21:10 |
*** topol has quit IRC | 21:10 | |
*** raildo has left #openstack-keystone | 21:10 | |
bknudson | sbasam: if the token backend is shared then they're shared... you can share with memcache and sql | 21:11 |
sbasam | bknudson: thanks. | 21:12 |
ayoung | sbasam, good question | 21:16 |
*** henrynash has quit IRC | 21:17 | |
*** diegows has joined #openstack-keystone | 21:18 | |
*** dims_ has quit IRC | 21:20 | |
*** dims_ has joined #openstack-keystone | 21:21 | |
*** dims_ has quit IRC | 21:26 | |
*** henrynash has joined #openstack-keystone | 21:28 | |
*** packet has quit IRC | 21:38 | |
*** diegows has quit IRC | 21:40 | |
*** nkinder_ has quit IRC | 21:47 | |
*** andreaf has quit IRC | 21:48 | |
*** nkinder_ has joined #openstack-keystone | 21:48 | |
*** raildo_ has joined #openstack-keystone | 21:50 | |
*** henrynash has quit IRC | 21:52 | |
*** sbasam is now known as sbasamaway | 21:53 | |
*** nkinder_ has quit IRC | 22:00 | |
*** nkinder_ has joined #openstack-keystone | 22:01 | |
*** dims_ has joined #openstack-keystone | 22:16 | |
*** dims_ has quit IRC | 22:19 | |
*** dims_ has joined #openstack-keystone | 22:20 | |
*** thedodd has quit IRC | 22:29 | |
*** leseb has quit IRC | 22:42 | |
*** leseb has joined #openstack-keystone | 22:43 | |
*** leseb has quit IRC | 22:47 | |
*** leseb has joined #openstack-keystone | 22:50 | |
*** raildo_ has quit IRC | 22:54 | |
*** leseb has quit IRC | 22:55 | |
*** ozialien has joined #openstack-keystone | 23:03 | |
*** leseb has joined #openstack-keystone | 23:13 | |
*** hrybacki has joined #openstack-keystone | 23:13 | |
*** leseb has quit IRC | 23:14 | |
*** leseb has joined #openstack-keystone | 23:15 | |
*** dims_ has quit IRC | 23:17 | |
*** jamielennox|away is now known as jamielennox | 23:19 | |
*** leseb has quit IRC | 23:19 | |
*** joesavak has quit IRC | 23:19 | |
*** yfujioka has joined #openstack-keystone | 23:49 | |
hrybacki | looking through tempest logs on Gerrit and all I can think about is how much space these things must take up given all of the changes that exist... | 23:52 |
*** dims_ has joined #openstack-keystone | 23:56 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!