Thursday, 2014-07-24

« Wednesday, 2014-07-23 Index Friday, 2014-07-25 »
nkindergyee, jamielennox: ^^^ that adds the missing unit tests00:00
nkinderone thing I went back and forth on was if I should modify the create/update v2 user tests to just check if the passwords are logged, or if I should add entirely new tests.00:01
nkinderI went with the former, but I can change it if desired00:01
nkinderIt just seemed like a waste to duplicate all of that logic when we only need to add some additional assertions about the logging to the existing tests00:02
morganfainbergjamielennox, any idea why we issue a new token on a user's password change?00:02
jamielennoxnkinder: ah, thanks - i hadn't see that yet00:02
morganfainbergjamielennox, in OS-KSCRUD contrib?00:02
morganfainbergjamielennox, more to the point, we do an awful, broken, very bad new token generation?00:02
*** amerine has quit IRC00:02
jamielennoxyea, i'd have mixed it in with the original tests - it's not purist but i don't see the point in replicating them to test one additional thing00:02
*** amerine has joined #openstack-keystone00:03
nkinderjamielennox: one other thing I changed was that you were logging a user create request if it didn't contain a password for v2, but you never logged a create for v300:03
nkinderjamielennox: I tweaked v3 to be consistent.  Was there some reason you didn't do that in v3, or was it just an oversight?00:03
jamielennoxnkinder: just oversigh i think, i just wanted some log output so that when you were using CLI or something it didn't look like it had just skipped an entire request00:04
jamielennoxmorganfainberg: i don't know about awful and broken things (i obviously had nothing to do with those :) i think the logic was that a change in password was possibly a response to a security issue and we should revoke the old tokens00:05
nkindermorganfainberg: yeah, we revoke tokens with the password changes, so someone likely made it fetch a new token for convenience ?00:06
morganfainbergjamielennox, yeah it's awful we do a .get_token, change the id, resave the *same token with a different embeded, now uuid token even if it was PKI to begin with*, then say "here's your new token"00:06
morganfainbergnkinder, yean ~2yrs ago00:06
morganfainbergnkinder, jamielennox, ok well then, time to *fix* this to actually issue a token.00:07
jamielennoxshould we issue a new token at all?00:08
jamielennoxlet the user/client fetch a new one next time00:08
gyeenkinder, patch looks good to me00:09
jamielennoxmost likely a change password will be done from either the CLI where a new token isn't really useful or horizon which can manage it00:09
nkindergyee: great, thanks for the review!00:10
nkindermorganfainberg: a review from you would be appreciated as well when you get time00:11
nkindermorganfainberg: then we can finally close this password logging thing00:11
jamielennoxbknudson would be good as well as he has had some opinions here, but he doesn't seem to be around00:11
gyeejamielennox, do you understand what's going on with this? https://review.openstack.org/#/c/109141/00:13
gyeeI still don't see the problem00:13
jamielennoxgyee: so i think what's happening is that the ENV variables aren't getting picked up because of the way defaults work00:14
jamielennoxso you define the backwards compatability options and if they are not available it puts the None on the namespace00:14
*** dims has joined #openstack-keystone00:14
gyeebut how's flipping the order make any difference, that's where I got lost00:14
jamielennoxthen when you define the real options and you don't provide those it looks to whether it shouuld provide a default value, and the default is where the ENV is read00:15
jamielennoxso because there is already a value on the namespace it decides it doesn't need to add a default00:15
gyeebut command line trumps env var right?00:15
jamielennoxthis is more interpretation and thinking it through than i have actually experimented with it00:16
jamielennoxright00:16
jamielennoxand if you put an argument on the cli it would still work00:16
jamielennoxhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L59500:17
jamielennoxit's just i think when it says i didn't get a cli argument should i add a default of the ENV var it says no because there is already a value on the namespace00:18
jamielennoxit's a bit weird and dumb00:18
gyeeoh, I see what's going on now00:18
gyeeit won't register twice00:18
jamielennoxi guess it's because you are allowed to make your own namespace objects so they could have default values that you don't want to override00:18
gyeefirst registration have no default00:19
jamielennoxgyee: yep no default = default=None00:19
gyeeI completely agree, dumb!00:19
jamielennoxyea, and i would have just tested it with the CLI args00:20
*** gabriel-bezerra has quit IRC00:20
jamielennoxbecause the rest is annoying00:20
gyee-1 for no tests :)00:20
openstackgerritNathan Kinder proposed a change to openstack/keystone: Trust unit tests should target additional threat scenarios  https://review.openstack.org/10912000:20
jamielennoxharsh00:20
jamielennoxbut yea00:20
*** gabriel-bezerra has joined #openstack-keystone00:20
*** gabriel-bezerra has quit IRC00:21
*** richm has quit IRC00:25
*** gabriel-bezerra has joined #openstack-keystone00:25
*** gyee has quit IRC00:33
morganfainbergjamielennox, i don't think i can fix this. we're emitting INTERNAL data to the wire00:40
morganfainbergjamielennox, the entire token_ref as stored in the backend00:41
jamielennoxmorganfainberg: there needs to be an internet acronym for laugh/cry00:41
jamielennoxgot a link to where you're looking?00:41
morganfainbergjamielennox, right?00:41
morganfainbergjamielennox, can i just rm -rf v2.0 now00:42
morganfainbergjamielennox, yeah, sec00:42
morganfainbergjamielennox, https://github.com/openstack/keystone/blob/master/keystone/contrib/user_crud/core.py#L80-L8500:42
morganfainbergfirst off *that isn't a token we're spitting onto the wire*00:42
morganfainbergbut we kinda pretend it is.00:43
*** shakamunyi has joined #openstack-keystone00:43
jamielennoxahahahaha00:44
jamielennoxnuke it from orbit00:44
morganfainbergjamielennox, so when i put a *real* token on the wire... the tests go kersplode00:44
jamielennoxi can only assume that's before we had jenkins?00:45
morganfainbergthis.. i.. ... w.t.f.00:45
morganfainbergoh no, tests pass, just... nothing *obviously* actually consumes that dat00:45
morganfainberga00:45
morganfainbergwell, nothing we wrote00:45
morganfainbergexcept a couple unit tests00:46
jamielennoxi'd strip that, have it return a 204 and see whether we have anyone consuming it00:46
morganfainbergLOL. *sigh*00:46
jamielennoxit looks like client will just pass it through00:46
jamielennoxoh - no it expects something with an 'access' key00:47
morganfainbergi love when we have tests that *ensure* we are emitting broken stuff00:47
morganfainberg        # TODO(morganfainberg): nuke this from orbit...it should die.00:47
jamielennoxhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/users.py#L7800:49
jamielennoxit looks like the method will update strip off the 'access' part of the response - and then make a User object from the rest of it00:49
jamielennoxwhat sort of POS doesn't validate enough to realize that this is not even close to the real object type you expect00:50
morganfainbergjamielennox, yeah well i'm just going to emit a real token here00:52
morganfainbergjamielennox, let me just figure out why i'm somehow generating a bad token now (yes our issue_token code apparently just issues whatever the crap you give it, which can result in... duh duh duh, invalid tokens)00:53
*** amerine has quit IRC01:07
*** amerine has joined #openstack-keystone01:07
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence  https://review.openstack.org/10904101:11
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the new Keystone TokenModel  https://review.openstack.org/10691701:11
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api  https://review.openstack.org/10916201:11
*** amcrn has quit IRC01:11
*** marcoemorais has quit IRC01:12
*** diegows has quit IRC01:13
morganfainbergmarekd, stevemar, ayoung-aft, for federated-issued tokens is there a way to know what domain the IDP is associated with?01:43
ayoung-aftmorganfainberg, I think so01:44
*** ayoung-aft is now known as ayoung-fore01:44
morganfainbergmarekd, stevemar, ayoung-aft, because right now the logic for revocation events wont work with federated tokens01:44
*** ayoung-fore is now known as ayoung-midship01:44
*** ayoung-midship is now known as ayoung01:44
morganfainbergayoung, since there is no domain in the user bit of the tokne01:44
ayoungmorganfainberg, isn't there a user_id?01:44
morganfainbergayoung, looking01:44
ayoungwe use henrynash's user-id to domain lookup table01:45
morganfainbergayoung, yeah, ok01:45
morganfainbergayoung, that was my next step01:45
ayoungmorganfainberg, BTW, I'm debugging inside Django-Openstack-Auth....in httpd01:45
ayoungnot in a way I can upstream submit yet, but still.01:46
morganfainbergayoung, interesting gaps in our code are found when i start funneling all tokens through token_provider_api.validate_token instead of just doing token_api.get_token() and assuming all is well01:46
ayoungyeah, I think I had a comment to that effect in the events code01:46
*** mberlin has joined #openstack-keystone01:47
ayoungmorganfainberg, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n6501:47
morganfainbergayoung, yeah but the reason you called .get_token there was actually invalid iirc,01:48
*** mberlin1 has quit IRC01:48
ayoungit was due to tow different formats01:48
ayoungtwo01:48
morganfainbergbut anyway01:48
morganfainbergwant to see something fun...01:48
ayoungsure01:48
morganfainbergayoung, how about emitting the raw token data from the persistence backend (no formatting) to the wire ... but pretending it looks like a token: https://review.openstack.org/#/c/109162/1/keystone/contrib/user_crud/core.py01:49
morganfainberg(look at the original, line 80-85)01:49
openstackgerritJamie Lennox proposed a change to openstack/keystone-specs: Auth Specific Data  https://review.openstack.org/10732501:49
ayoungmorganfainberg, I think Russell Wrote that01:54
ayoungAh, Derek Higgens01:54
morganfainbergayoung, derek higgens?01:54
ayoungHeh, I used to have trouble telling those two apart01:55
ayoungBack when I joined the project, and all of the RHers were pulled together, I met them at the same time.01:55
ayoungI thought I'd gotten over confusing them....one last time, I guess01:56
openstackgerritVictor Morales proposed a change to openstack/keystone: Sqlite files excluded from the repo  https://review.openstack.org/10916501:56
morganfainbergayoung, are IDPs specifically assigned to a domain?02:02
ayoungmorganfainberg, I wanted it the other way around02:02
morganfainbergayoung, i'm not seeing anything that guarantees that.02:02
ayoungone IdP could manage one or more domains02:02
ayoungI know.02:03
morganfainbergayoung, it doesn't look like an IDP is explicitly mapped to *anything*02:03
morganfainbergayoung, i might just be missing where this hooks in, but it looks like IDPs aren't specific to a domain.02:05
ayoungthey are not.  I said "I wanted"02:05
ayoungIt is the right abstraction02:06
morganfainbergah02:07
morganfainbergthis means there is no way to get a domain for a federated user afaict, henry's thing wont work02:08
morganfainbergthe user is tied to an idp not a domain02:08
*** alex_xu has joined #openstack-keystone02:09
morganfainbergbleh, we need to stop making special case token formats.02:10
morganfainbergok i'm going to take a break from this, it's making me kinda annoyed02:10
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api  https://review.openstack.org/10916202:12
*** dims has quit IRC02:14
*** ncoghlan has joined #openstack-keystone02:22
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api  https://review.openstack.org/10917002:37
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api  https://review.openstack.org/10917002:39
*** dims has joined #openstack-keystone02:40
*** dims has quit IRC02:44
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api  https://review.openstack.org/10917302:50
*** alex_xu has quit IRC02:55
*** Chicago has joined #openstack-keystone02:57
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes an issue with the XMLEquals matcher  https://review.openstack.org/10917702:58
morganfainbergjamielennox, you're going to win on the location of the token model, simply because i need to avoid circular dependencies.03:02
morganfainbergjamielennox, :)03:02
jamielennoxmorganfainberg: win by default - i'll take it03:02
*** alex_xu has joined #openstack-keystone03:03
jamielennoxmorganfainberg: i heard you and topol did a presentation last week - is there a video?03:06
morganfainbergjamielennox, uhm.. somewhere :P03:07
openstackgerritJamie Lennox proposed a change to openstack/keystone-specs: Explicity request an unscoped token  https://review.openstack.org/10807103:21
*** stevemar has joined #openstack-keystone03:22
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence  https://review.openstack.org/10904103:29
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the new Keystone TokenModel  https://review.openstack.org/10691703:29
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api  https://review.openstack.org/10917003:29
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api  https://review.openstack.org/10916203:32
morganfainbergjamielennox, https://review.openstack.org/#/c/109141/ passed check (this is the cli option thing)03:36
jamielennoxmorganfainberg: makes sense - nothing tests clis03:36
morganfainbergyep03:36
jamielennoxeven devstack is using OSC03:36
morganfainbergvishy says this fixes the issue, looks sane to me.03:37
jamielennoxgyee was going to -1 for not being tested03:37
jamielennoxi don't know if that's warranted03:37
jamielennoxthe tests for shell already suck03:37
morganfainbergjamielennox, i don't know how i'd test this one tbh03:37
jamielennoxyou can set env variables, you just have to be careful about cleanup i guess03:38
jamielennoxmorganfainberg: meh, just +A i think03:39
*** dims has joined #openstack-keystone03:41
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api  https://review.openstack.org/10917303:42
*** dims has quit IRC03:45
morganfainbergi think i need to go lie down. my brain hurts from staring at token stuff :P03:46
morganfainbergonly another ~7 or so reviews to post for converting things over to use token_provider instead of using token_api03:46
morganfainbergjamielennox, also https://review.openstack.org/#/c/104000/ looks safe to me03:50
morganfainbergjamielennox, strutils is a dependency and doens't need to be listed in openstack-common.conf (automatically sync'd in)03:50
jamielennoxmorganfainberg: +A03:52
*** chandankumar has joined #openstack-keystone03:53
jamielennoxi've received so many gerrit emails that i don't see them any more, and my filters don't show me stuff that i've -1ed03:53
jamielennoxdefinitely not a perfect system03:53
morganfainberghehe03:54
morganfainbergnot a worry just bugging you for the stupidly easy ones03:54
jamielennoxi hate github pull requests, how do you push a new version of a request without loosing access to your history?03:57
*** stevemar has quit IRC03:59
morganfainbergjamielennox, you don't, you add a commit on top of the current one and you end up with a bunch of commits as part of the pull request04:00
jamielennoxthen you end up with all those commits in history04:00
morganfainbergjamielennox, so instead of an --amend, you just keep stacking on commits until it's done04:00
* morganfainberg thinks it's dumb compared to the gerrit model04:00
morganfainbergyep04:00
morganfainbergwelcome to pull requests04:01
jamielennoxhow is this still a thing...04:01
morganfainbergpeople aparently like it04:01
jamielennoxall of the comments on my PR no longer make sense cause i keep push -f changes04:01
*** ncoghlan is now known as ncoghlan_afk04:01
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10621004:02
morganfainbergbasically, you can't -f push (or shouldn't) you're supposed to keep all the commits as part of the history afaict04:02
morganfainbergjamielennox, something about iterative work04:03
jamielennoxi feel a -f is fine for something you are requesting to be merged04:03
jamielennoxi see the point of having a pull have multiple commits04:03
jamielennoxbut that doesn't mean you can't fix mistakes in your commits in the actual commit04:04
morganfainbergi prefer openstack's model04:04
morganfainberggerrit makes this *a lot* easier04:04
jamielennoxyea, just thought github would have jumped on board this by now04:09
morganfainbergjamielennox, nah04:11
*** syedawaisali has joined #openstack-keystone04:13
*** topol has joined #openstack-keystone04:26
*** oomichi has joined #openstack-keystone04:28
openstackgerritA change was merged to openstack/python-keystoneclient: Reorder the old compatibility arguments  https://review.openstack.org/10914104:35
*** dims has joined #openstack-keystone04:41
*** stevemar has joined #openstack-keystone04:43
*** ajayaa has joined #openstack-keystone04:45
openstackgerritA change was merged to openstack/keystonemiddleware: move webob from test-requirements to requirements  https://review.openstack.org/10906404:46
*** dims has quit IRC04:46
*** chandankumar has quit IRC04:49
*** zzzeek has quit IRC04:53
*** stevemar has quit IRC04:56
*** chandankumar has joined #openstack-keystone04:59
*** topol has quit IRC05:04
*** harlowja has quit IRC05:11
*** harlowja has joined #openstack-keystone05:11
*** ncoghlan_afk is now known as ncoghlan05:15
*** k4n0 has joined #openstack-keystone05:24
*** junhongl has joined #openstack-keystone05:41
*** dims has joined #openstack-keystone05:42
*** alex_xu has quit IRC05:45
*** dims has quit IRC05:47
*** tomoiaga has joined #openstack-keystone05:59
*** alex_xu has joined #openstack-keystone06:01
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:05
*** amerine has quit IRC06:07
*** amerine has joined #openstack-keystone06:08
*** _afazekas has quit IRC06:20
*** sbasam has quit IRC06:20
*** afazekas is now known as _afazekas06:20
*** zigo has quit IRC06:27
*** mitz has quit IRC06:30
*** mitz has joined #openstack-keystone06:32
*** zigo has joined #openstack-keystone06:32
*** ChanServ changes topic to "July 9-11 Hackathon notes https://etherpad.openstack.org/p/keystone-juno-hackathon | Now with 100% gate and check runs on Apache deployed Keystone | K release named "Kilo""06:33
*** andreaf has quit IRC06:34
*** sbasam has joined #openstack-keystone06:37
*** harlowja is now known as harlowja_away06:42
*** dims has joined #openstack-keystone06:43
*** dims has quit IRC06:48
*** alex_xu has quit IRC06:59
*** shakamunyi has quit IRC07:03
*** afazekas_ has joined #openstack-keystone07:04
*** syedawaisali has quit IRC07:06
*** alex_xu has joined #openstack-keystone07:13
*** jamielennox is now known as jamielennox|away07:20
*** xianghuihui has joined #openstack-keystone07:23
*** ncoghlan is now known as ncoghlan_afk07:26
*** xianghui has quit IRC07:26
*** jimbaker has quit IRC07:36
*** gabriel-bezerra has quit IRC07:38
*** gabriel-bezerra has joined #openstack-keystone07:38
*** xianghuihuihui has joined #openstack-keystone07:41
*** dims_ has joined #openstack-keystone07:43
*** xianghuihui has quit IRC07:44
*** xianghuihui has joined #openstack-keystone07:48
*** dims_ has quit IRC07:48
*** xianghuihuihui has quit IRC07:51
*** xianghuihuihui has joined #openstack-keystone08:01
*** xianghuihui has quit IRC08:03
*** andreaf has joined #openstack-keystone08:05
*** xianghuihuihui has quit IRC08:11
*** xianghuihui has joined #openstack-keystone08:11
*** ashepelev has joined #openstack-keystone08:29
*** dims_ has joined #openstack-keystone08:44
*** xianghuihuihui has joined #openstack-keystone08:47
*** xianghuihui has quit IRC08:48
*** dims_ has quit IRC08:49
*** miqui has quit IRC08:54
*** jimbaker has joined #openstack-keystone09:05
*** jimbaker has quit IRC09:05
*** jimbaker has joined #openstack-keystone09:05
*** ajayaa has quit IRC09:05
*** miqui has joined #openstack-keystone09:12
*** alex_xu has quit IRC09:17
openstackgerritwanghong proposed a change to openstack/keystone: add internal delete notification for endpoint  https://review.openstack.org/10832909:27
*** dims_ has joined #openstack-keystone09:45
*** dims_ has quit IRC09:50
*** k4n0 has quit IRC10:07
*** vhoward has joined #openstack-keystone10:09
*** k4n0 has joined #openstack-keystone10:21
*** ajayaa has joined #openstack-keystone10:25
*** gabriel-bezerra has quit IRC10:27
*** gabriel-bezerra has joined #openstack-keystone10:27
*** vhoward has left #openstack-keystone10:30
*** harlowja_away has quit IRC10:59
*** k4n0 has quit IRC11:01
fish_hrm.. I'm still a bit confused about keystone, users and tenants. when just looking at keystone, it seems like the common case is to have an tentant for, well a tenant. whether it's a external customer or a team inside your company etc11:07
*** pgnx has joined #openstack-keystone11:07
*** pgnx has quit IRC11:08
fish_but with barbican things look different: since it stores credentials on a per tenant basis, the tenants are more 'entities to grant access to a set of resources' which are the actual services - not teams11:08
fish_but maybe I got something completely wrong11:08
fish_so I'm wondering: if it reasonable to have one tenant per service, or is there a better way to grant access to a set of credentials?11:09
*** miqui has quit IRC11:15
*** chandankumar has quit IRC11:17
*** k4n0 has joined #openstack-keystone11:19
*** chandankumar has joined #openstack-keystone11:32
*** diegows has joined #openstack-keystone11:33
*** marzif has joined #openstack-keystone11:34
*** dims has joined #openstack-keystone11:44
*** k4n0 has quit IRC11:59
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO  https://review.openstack.org/10609612:07
*** afazekas_ has quit IRC12:07
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Hierarchical Projects  https://review.openstack.org/10884112:09
*** afazekas_ has joined #openstack-keystone12:24
*** oomichi has quit IRC12:25
*** jamielennox|away has quit IRC12:26
*** jamielennox|away has joined #openstack-keystone12:29
*** gordc has joined #openstack-keystone12:35
*** ajayaa has quit IRC12:52
*** jimbaker has quit IRC13:00
*** jimbaker has joined #openstack-keystone13:01
*** jimbaker has quit IRC13:02
*** jimbaker has joined #openstack-keystone13:02
*** zigo has quit IRC13:03
*** ajayaa has joined #openstack-keystone13:03
*** zigo has joined #openstack-keystone13:04
*** alex_xu has joined #openstack-keystone13:05
*** ajayaa has quit IRC13:08
*** chandankumar has quit IRC13:10
*** dims has quit IRC13:13
*** nkinder has quit IRC13:13
*** dims has joined #openstack-keystone13:14
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO  https://review.openstack.org/10609613:16
*** afazekas_ has quit IRC13:20
*** richm has joined #openstack-keystone13:22
*** lbragstad has joined #openstack-keystone13:23
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Add another check of the url in the 'self' link  https://review.openstack.org/10929013:25
*** topol has joined #openstack-keystone13:32
*** afazekas_ has joined #openstack-keystone13:33
*** oomichi has joined #openstack-keystone13:34
*** erecio has joined #openstack-keystone13:35
*** oomichi has quit IRC13:40
*** afazekas_ has quit IRC13:42
*** erecio has quit IRC13:43
*** vhoward has joined #openstack-keystone13:44
*** stevemar has joined #openstack-keystone13:46
openstackgerritayoung proposed a change to openstack/keystone-specs: Cookie for tokens  https://review.openstack.org/10929513:49
openstackgerritayoung proposed a change to openstack/keystone-specs: Cookie for tokens  https://review.openstack.org/10929513:51
*** bknudson has joined #openstack-keystone13:53
dstanekayoung: why is horizon already doing what you suggest with cookies?13:53
dstaneks/is/isn't/13:53
*** radez_g0n3 is now known as radez13:56
ayoungdstanek, because they originally had a "no memcache" rule13:57
ayoungdstanek, so they needed to store the whole token in the users cookie, and I told them about the MD5 hack13:58
dstanekdo they use authtoken middleware too?13:58
*** nkinder has joined #openstack-keystone13:58
*** joesavak has joined #openstack-keystone13:58
morganfainbergayoung, so ... we're precluding the use of non-persistent tokens by that spec.13:59
ayoungmorganfainberg, nope13:59
morganfainbergwell with horizon at least13:59
ayoungmorganfainberg, nope13:59
ayoungmorganfainberg, here's how it would go13:59
ayounguser hits horizon and logs in13:59
ayounghorizon goes to keystone, gets an unscoped token, sticks that in the users session, gets a scoped token, sticks that in memcache, sticks the key in the users session.  THat is prep....14:00
dstanekayoung: you are not guaranteed memcached will hold the token for the entire time it is valid14:00
ayoungnow, Horizon goes to nova and does a status call14:00
ayoungdstanek, I'm aware, and if that is the case, return a 403 or whatever with enough info to send the origianl token14:01
ayoungmaybe "multiple options"14:01
ayoungdstanek, that is always  the risk with memcached14:01
dstanekif the token isn't persistent what do you send? a new token? they would have to go back to keystone for it14:02
dstanekayoung: also you wouldn't want this to happen in front of the other services right? just horizon?14:03
ayoungNo14:03
ayoungdstanek, this is for heat talking to swift, for example14:04
ayoungthe session cookie can have a time out, so the client knows to send the whole token again14:04
morganfainbergi'm still not seeing how this works with non-persistent tokens14:05
morganfainbergespecially in the horizon case14:06
dstanekayoung: i'm a little confused. if heat is the client and swift is the server....they both have the token and an agreed upon short string that is the equivalent of the token?14:07
ayoungdstanek, that is  it14:07
ayoungmorganfainberg, this is a shorthand way of saying "here is the token I'm using, you've already seen it, validated it, and handed back to me a receipt."14:08
dstanekhow does that help horizon then?14:08
ayoungdstanek, in the case of horizon talking to swift, it cuts down on the message size going from Horizon to swift14:08
dstanekayoung: but as you are decreasing the network traffic between the two, you are adding a new network connection to memcached and using the same about of bandwidth there14:10
ayoungdstanek, the memcached call is there already.  We store the tokens in memcached, just keyed by their hash.  This would replace that with keyed by a random number14:10
dstanekayoung: hmmm...i wouldnt14:11
dstanekhave expected that14:11
ayoungdstanek, I want to remove the "hash of the token is as good as the token"  approach14:12
dstaneki would have thought that given a pki token you would need to check the revocation list and not memcached14:12
ayoungrevocation list is going away14:12
ayoungwe need to check the revocation events14:12
ayoungwhich implies the full token14:12
morganfainbergdstanek, ayoung, btw, minimal token (PKIZ) is 1.7k14:12
ayoungneed the full token for RBAC anyway14:12
morganfainberg(no catalog)14:12
dstanekevents can't replace the list - just supplement it14:13
ayoungmorganfainberg, 1.7k unscoped ?  I had it at under 1 K14:13
morganfainbergraw data is 1.4k14:13
morganfainbergno, that is scoped14:13
ayoungdstanek, no, replace14:13
ayoungAbsolutley replace.  the list is a security nightmare14:13
morganfainbergayoung, minimal *useful* token, unscoped tokens today are not-useful14:13
ayoungmorganfainberg, ah.  OK14:13
ayoungwhat else is in there?  role and project?14:13
morganfainbergit is a v2 token as well14:13
morganfainberg{'access': {'token': {'issued_at': '2014-07-24T14:10:42.735309', 'expires': '2014-07-24T15:10:42Z', 'id': 'placeholder', 'tenant': {'domain_id': 'default', 'enabled': True, 'description': 'description', 'name': 'BAZ', 'id': 'baz'}}, 'user': {'username': 'TWO', 'roles_links': [], 'id': '7c3e610c4e274ffda349888ced57e1ce', 'roles': [{'name': '_member_'}], 'name': 'TWO'}, 'metadata': {'is_admin': 0, 'roles': ['9fe2ff9ee4384b1894a9014:13
morganfainberg878d3e92bab']}}}14:13
dstanekayoung: how do you guarantee all events are caught? and how would you can't up new instance to what is already revoked?14:14
ayoungmorganfainberg, ++14:14
morganfainbergthe metadatacrap is an issue14:14
ayoungdstanek, when you switch?  All earlier tokens are revoked14:14
*** ayoung is now known as ayoung-phone14:14
morganfainbergbut, basically, we're not going to get much lower than ~1k even with ID only14:14
dstanekso if i turn on a new instance of nova all previous tokens are revoked? but only by that instance14:15
morganfainbergdstanek, it would ask keystone for the full revocation event list, and we poll the revocation events on X interval14:15
morganfainbergsame as we do for the list14:15
morganfainbergbut events are more accurate14:15
morganfainbergyou don't need to enumerate each token to know it is revoked14:15
morganfainbergoh interesting... we screwed up in issuring tokens14:16
* morganfainberg just noticed expires at is not subsecond14:16
dstanekmorganfainberg: that's what i thought too, but ayoung said it was going away14:17
morganfainbergdstanek, the revocation list is going away14:17
morganfainbergthe enumeration of each token id being revoked, the events will be used which say (tokens for user X revoeked before time Y)14:17
morganfainbergwhich in the revocation list could be 1000s of tokens14:17
*** gabriel-bezerra has quit IRC14:17
dstanekmorganfainberg: how do you have for a full revocation list if it doesn't exist?14:18
dstaneks/have/ask/14:18
morganfainbergdstanek, you're asking for the revocation events, not the *list*14:18
morganfainbergthe list is a list of ids, works like a CRL14:18
morganfainbergrevocation events work based upon data in the token, e.g. user_id14:18
dstaneka list of events?14:18
morganfainbergyep14:18
*** gabriel-bezerra has joined #openstack-keystone14:19
*** YorikSar_ has joined #openstack-keystone14:19
*** ajayaa has joined #openstack-keystone14:19
dstanekah, that makes more sense - we need better naming14:19
morganfainbergon a password change, instead of having to revoke (for example) 1000 tokens and shove the ids into the TRL14:19
morganfainbergwhich is now 32k bigger (assuming md5 hash)14:19
morganfainbergyou issue one event that says user_id=XYZ, timestamp=Q14:20
morganfainbergand all tokens before timestamp Q for user_id XYZ are now revoked14:20
*** gabriel-bezerra has quit IRC14:20
morganfainbergmuch much much less data (and much faster)14:20
morganfainbergmuch faster to generate the list, actually a bit slower to validate a token (at the moment)14:20
*** hrybacki has joined #openstack-keystone14:20
morganfainbergdstanek, but everyone seems to want 32byte magical blobs that work like PKI tokens but use like UUID tokens14:21
*** gabriel-bezerra has joined #openstack-keystone14:21
*** YorikSar has quit IRC14:23
morganfainbergdstanek, i can get a token down to about ~1k just not seeing it getting much lower14:27
*** rwsu has joined #openstack-keystone14:28
*** david-lyle has joined #openstack-keystone14:28
dstanekmorganfainberg: can't we get rid of some of the info like tenant description and if it's enabled?14:28
bknudsonmorganfainberg: shorter names?14:29
bknudsonmorganfainberg: take out the roles like we can take out the catalog?14:29
morganfainbergbknudson, we duplicate a lot of data by shoving "metadata" into the tokens, so we can strip that out (duplication of roles etc)14:29
morganfainbergbknudson, we can strip out the "enabled" flags from tenant etc14:30
*** gabriel-bezerra has quit IRC14:30
*** gabriel-bezerra has joined #openstack-keystone14:30
bknudsonalso, I opened a bug for the expires not being subsecond: https://bugs.launchpad.net/keystone/+bug/134796114:30
uvirtbotLaunchpad bug 1347961 in keystone "Revocation events are broken with mysql" [Undecided,New]14:31
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api  https://review.openstack.org/10917314:31
dstanekmorganfainberg: is anything more than id required in the tenant?14:31
bknudsonit may be different depending on the DB server14:31
nkindermorganfainberg: let's limit the number of defined roles to 16 and make them a bit-field in the token;)14:31
*** gabriel-bezerra has quit IRC14:31
* nkinder ducks14:31
*** shakamunyi has joined #openstack-keystone14:31
morganfainbergnkinder, HAH!14:31
morganfainbergbknudson, i saw.14:31
dstaneknkinder: where i used to work our tokens were packed with python's struct14:32
*** gabriel-bezerra has joined #openstack-keystone14:32
dstanekthe first byte have version number and the rest of the token could vary in format14:32
morganfainbergi think the minimum viable token looks something like (scoped):14:33
morganfainberg{'token': {'issued_at': '2014-07-24T14:26:23.766970', 'expires': '2014-07-24T15:26:23.766970', ‘project': {'domain_id': ‘default', 'id': 'baz', 'name': 'BAZ'}}, 'user': {'username': 'TWO', 'id': 'e44c07606b674d7fa487ead80ae90639', 'roles': [{'name': '_member_'}], 'name': 'TWO'}}14:33
bknudsonthat's got user ID but not role ID14:34
morganfainbergbknudson, policy.json tends to use role names14:34
morganfainbergbknudson, not ids.14:34
morganfainbergbknudson, and v2 hid the role ids in metadata (never in *actual* location you'd expect)14:35
morganfainbergis we strip the username, and the extra 'name' field14:36
morganfainbergi think we're still going to see not much less than 1k in token size.14:36
*** gabriel-bezerra has quit IRC14:36
morganfainbergwhen run through cms14:36
*** gabriel-bezerra has joined #openstack-keystone14:37
*** gordc has quit IRC14:40
*** gordc has joined #openstack-keystone14:44
bknudsonmorganfainberg: cms overhead seems to be the limiting factor14:46
bknudsonand base-64 encoding14:46
morganfainbergbknudson, yep14:46
morganfainbergs/mime may not be a good choice here.14:46
bknudsonmorganfainberg: what if you cms 1 byte?14:46
morganfainbergbknudson, i think you still get a reasonable size blob14:46
*** andreaf has quit IRC14:47
*** lbragstad has quit IRC14:48
dolphmmorganfainberg: what made you deviate from purely ID's?14:49
openstackgerritNathan Kinder proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data  https://review.openstack.org/10179214:50
morganfainbergdolphm, even if we strip down to pure ids (though roles need to be names i think)14:51
morganfainbergdolphm, we'll still end up with ~1k tokens i think14:51
morganfainberg(scoped)14:51
*** gordc has quit IRC14:52
*** gordc has joined #openstack-keystone14:52
*** ukalifon1 has joined #openstack-keystone14:52
dolphmmorganfainberg: if roles were ID based in the token, you'd just have to call keystone and convert them, and cache the results14:52
morganfainbergand for the heirarchical stuff, would we encode that into the token? or make a service that need the hierarchy info ask keystone14:52
morganfainbergdolphm, sur,e but i think most role names are < role uuids14:52
morganfainbergdolphm, 32bytes is a lot of role name ;)14:53
*** shakamunyi has quit IRC14:53
morganfainbergeither way14:53
dolphmmorganfainberg: ++ but roles are a place where i see user-defined IDs fitting in as well14:53
morganfainbergsure14:53
morganfainbergand i just cheked we support role_name=25514:54
morganfainbergso even still, move to uuids14:54
*** ukalifon3 has joined #openstack-keystone14:54
*** ukalifon1 has quit IRC14:56
*** ayoung-phone is now known as ayoung14:58
*** tomoiaga has quit IRC14:58
*** lbragstad has joined #openstack-keystone14:59
ajayaamorganfainberg, hi14:59
ayoungSo glad I let morganfainberg explain that.  I need to copy that discussion and post it where others can read it...let me pull up the evesdrop link14:59
ayounghttp://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2014-07-24.log15:01
ayoungthat page is now  now self referential15:01
morganfainbergdolphm, something like? http://pasteraw.com/k0vohepbo28aywm7egg89t10upu5jfm15:02
morganfainbergayoung, ^15:02
morganfainbergs/endpoint_lists/endpoints15:02
*** chandankumar has joined #openstack-keystone15:02
morganfainbergooh forgot the token bind attribute15:03
dolphmmorganfainberg: wouldn't 'endpoints' be part of scope if it's supposed to be used as authorization scope?15:03
morganfainbergdolphm, ++15:03
ayoungI fielded a question yesterday about applying roles to objects.  In SELinux, there is the concept of a "label"  which is added to the inode of a file, and SELinux checks that the caller contains access to that label.  I wonder if there is some way to standardize "label this resource with this role"  in OpenStack.   Do we just suggest that all resources have "role"  field? Or that each service implements some sort of label t15:04
ayoungable?15:04
dolphmmorganfainberg: also, roles -> role_ids & endpoints -> endpoint_ids15:04
*** david-ly_ has joined #openstack-keystone15:04
morganfainbergayoung, how much data can/should go into a token bind?15:04
ayoungmorganfainberg, binding a token to an authentication source?15:05
ayoungor to an endpoint?15:05
dolphmayoung: auth source15:05
morganfainbergayoung, auth15:05
ayoungmorganfainberg, principal or subject;  128 Chars max, maybe?15:05
dolphmmorganfainberg: you might also have OS-FEDERATION attributes (OS-FEDERATION:idp_id & OS-FEDERATION:protocol_id)15:06
dolphmmorganfainberg: and group_ids15:06
morganfainbergayoung ok15:06
dolphmmorganfainberg: also, expires -> expires_at15:06
morganfainbergdolphm, ++ trying to get a "worst case" token together assuming a few roles (and some endpoint binding)15:06
*** david-lyle has quit IRC15:06
dolphmmorganfainberg: so, a federated identity consuming a trust with token/auth binding15:07
morganfainbergdolphm, http://pasteraw.com/n1bh4hjmae1y3ynj7wskj7jogpnrc3i15:11
morganfainberg?15:11
morganfainbergor would the Federation/trust stuff be dicts somewhere else?15:11
morganfainbergayoung, ^15:11
dolphmmorganfainberg: group_ids15:12
morganfainbergdolphm, ah yep15:12
dolphmmorganfainberg: also, bind is an object15:12
*** Chicago has quit IRC15:12
morganfainbergoh it is? bleh15:12
dolphmmorganfainberg: "bind": {"x509": {"fingerprint": "0123456789ABCDEF", "algorithm": "sha1"}}15:13
*** Chicago has joined #openstack-keystone15:13
ayoungmorganfainberg, lets just assume that, for someone, it is going to be too big15:14
ayoung4K ish?15:14
dolphmmorganfainberg: so, fingerprint = 40 bytes assuming we're not including colons in there15:15
morganfainbergdolphm, http://pasteraw.com/5cs18znqsm5rvnq235n86soroof1tjq15:16
*** cjellick has joined #openstack-keystone15:17
morganfainbergthis doesn't mean the work towards non-persistent-otkens is bad, (it unifies the token handling in keystone and moves us to rev. events) but i think 4k is going to cause us problems token wise15:17
*** vhoward has left #openstack-keystone15:18
*** kwss has joined #openstack-keystone15:18
*** tomoiaga has joined #openstack-keystone15:19
morganfainbergpeople want the 32 byte uuid tokens :(15:19
morganfainbergfrom a user -> endpoint experience15:19
*** lbragstad has quit IRC15:19
*** cjellick has quit IRC15:19
*** cjellick has joined #openstack-keystone15:20
*** gyee has joined #openstack-keystone15:23
dolphmmorganfainberg: set the bind fingerprint to 2bfe4c911c38cc51ecdcd04e232d4400c92095f2 for something more realistic15:24
morganfainbergdolphm, ++15:24
dolphmmorganfainberg: and... we actually only include group_ids on unscoped federated tokens, now that i think about it. so, if you're modeling a worst case scenario token, it probably wouldn't have groups15:25
morganfainbergok15:25
dolphmmorganfainberg: and if you care, i don't *think* the trust_id appears in the scope? but i could be wrong15:26
morganfainbergwe call it a "trust-scoped" token15:26
morganfainbergbut i can move it15:26
dolphmmorganfainberg: yeah... https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-trust-ext.md15:26
*** tomoiaga has quit IRC15:26
dolphmmorganfainberg: "scoped to a project according to the trust" would be a more verbose way of saying that15:27
dolphmmorganfainberg: if you just include the trust_id, the rest can be obtained from keystone though15:28
*** lbragstad has joined #openstack-keystone15:28
morganfainbergdolphm, http://pasteraw.com/8it1s716fnvg0tlind9v7220htzy8j915:28
morganfainbergforgot we needed user's domain id in there so we can revoke on domain_id if needed15:29
dolphmmorganfainberg: well now you're just making it bigger lol15:29
morganfainbergprobably also need project's domain_id15:29
morganfainbergdolphm, i did a pretty-print that time15:29
morganfainbergeasier to read15:29
dolphmmorganfainberg: and you broke a bunch of stuff lol15:29
morganfainbergwhat did I break?15:30
*** xianghuihuihui has quit IRC15:30
morganfainbergshould it be OS-FEDERATION:<thing> or is OS-FEDERATION a object?15:30
dolphmmorganfainberg: OS-FEDERATION is a prefix, not an object / attribute15:30
morganfainbergok15:30
morganfainbergsec15:30
dolphmmorganfainberg: trust is still in scope15:30
*** xianghuihuihui has joined #openstack-keystone15:30
dolphmOS-TRUST is also a prefix, not an object15:30
dolphmtrust_id is redudant with what i assume you meant to contain it in, but could be simplified to just "OS-TRUST:trust_id": "abc"15:31
dolphmmorganfainberg: user_id now points to an object instead of an ID15:31
dolphmmorganfainberg: apply coffee and try again :P15:32
morganfainberglol15:32
*** gyee has quit IRC15:33
morganfainbergdolphm, ok15:35
morganfainberglets see15:35
morganfainberghttp://pasteraw.com/3n6tjskwfvmzog1th5lvlniq5muqmqw15:35
morganfainbergi think that is *better*15:35
morganfainbergor is "scope": type bad and it should just be scope: (project_id|domain_id)15:36
morganfainbergdolphm, please ignore the typo in FEDERATON15:37
*** zzzeek has joined #openstack-keystone15:37
morganfainberg:P15:37
morganfainbergdolphm, serialized i clock that at just under 800bytes pre-cms15:38
morganfainberg(pre compress)15:38
dolphmmorganfainberg: i'd be fine with "scope": {"project_id"15:39
morganfainberg*nod*15:40
dolphmmorganfainberg: move "OS-TRUST:trust_id": "---32-byte-trust-id-string-----" out of "scope"15:41
morganfainbergok15:41
richmif the endpoint is explicitly set in keystone.conf, should it have the version in the url path?  e.g.15:42
*** gyee has joined #openstack-keystone15:42
richmadmin_endpoint=http://localhost/keystone/admin/v2.015:43
richmor15:43
richmadmin_endpoint=http://localhost/keystone/admin15:43
richm?15:43
dolphmrichm: no15:44
morganfainbergdolphm, http://pasteraw.com/3d67hkybdzk54mfrr3vfywf7xyc1mvi15:44
dolphmmorganfainberg: why bother including the user's domain_id ?15:45
richmdolphm: Then the client is responsible for adding the version?15:45
morganfainbergdolphm, if we revoke all tokens for a domain, do we need to revoke the tokens for users who live under that domain?15:46
dolphmrichm: those configuration options determine what links the server builds and return to the client to achieve HATEOAS15:46
morganfainbergdolphm, if not, we can go back to plain user_id15:46
dolphmmorganfainberg: oh right, so you need the project's domain ID for the same reason15:46
morganfainbergyeah15:46
morganfainberglet me add project domain_id in15:46
morganfainbergdolphm, http://pasteraw.com/frcyhsw2tqh6fy16lu4fmmio22e39wv15:48
dolphmmorganfainberg: yep, i think that's the nightmare token you're looking for!15:49
morganfainbergdolphm, pre-compress, pre-cms, 832 bytes, and it could get worse with more roles or more endpoints15:51
morganfainbergi'm going to guess, barring 128bytes for krb5 binds, we're going to see 2k tokens regularly.15:51
dolphmmorganfainberg: sounds right15:52
morganfainbergway better than 8k15:52
morganfainbergbut, still15:52
dstanekmorganfainberg: you can get crazy and cut the id sizes in half!15:52
dolphmdstanek: i proposed that once15:53
dstanekuuid.uuid4().bytes instead of .hex15:53
morganfainbergdstanek, how does that serialize?15:53
dolphmdstanek: i actually did base36 encoded uuid4 strings to get it down to 26 or so, and then added a conf option to truncate them15:53
dolphmdstanek: for example, 55nwozjm8479jyiztr9kvhdx715:53
dolphmdstanek: http://pasteraw.com/6u6bdvkx5hn5pjelf0wf8c5s5kyyacx15:54
openstackgerritguang-yee proposed a change to openstack/keystone-specs: X.509 SSL certificate authentication  https://review.openstack.org/10591315:54
dstanekdolphm: why not base64 minus padding?15:55
dolphmdstanek: because i didn't know about base64's url safe mode at the time, and wanted to ensure url safety15:55
dstanekmorganfainberg: as a Python string15:55
morganfainbergdstanek, ah15:55
morganfainbergdstanek, except we aren't guaranteed they'll be 32bytes even now, in fact15:56
morganfainberggoing forward, i would assume we'll have user_ids that are ~64bytes15:56
morganfainberghenry's user_id thing15:56
morganfainbergdoesn't change that we could use bytes15:56
*** YorikSar_ has quit IRC15:57
*** david-ly_ is now known as david-lyle15:57
dstanekright now i think uuids are 16 bytes15:57
*** gabriel-bezerra has quit IRC15:57
*** lbragstad has quit IRC15:58
*** gabriel-bezerra has joined #openstack-keystone15:58
dstanekmorganfainberg: if we have 64byte uuids we'll have to increase column lengths right?15:58
dolphmdstanek: 16?15:58
dstanekor choose a different encoding15:59
morganfainbergdstanek, nah, our columns support 64bytes15:59
*** arun_kant has joined #openstack-keystone15:59
morganfainbergdstanek, it's why we defaulted to sha256 for the user_id thing15:59
dstanekmorganfainberg: but a 16 byte uuid is 32 characters in hex15:59
dolphm$ python -c "import base64, uuid; print base64.urlsafe_b64encode(uuid.uuid4().bytes).replace('=', '')"15:59
morganfainbergdstanek, sorry we'll have 64 hex15:59
dolphmmoObw7LcTpOs9KQJNzbEkA15:59
dolphm22 bytes ^15:59
dolphmis there a way to optimize that further?15:59
dstanekdolphm: yeah, the uuid rfc says 16 bytes (at least 1-4)15:59
morganfainbergin string form, 64bytes :P16:00
dstanekadd move websafe characters like: - , .16:00
dstaneks/move/more16:00
dstanekdolphm: do ID's have to be web safe in the token?16:02
morganfainbergdstanek, nah16:02
morganfainbergas long as they can be converted back to somehting keystone knows.16:02
dstanekuuid.UUID(bytes='...') i think16:03
dolphmdstanek: not in the token, but i was also looking at this from the perspective of replacing v2 UUID tokens with something equivalent, but even shorter16:03
morganfainbergbut if we're already base64 encoding the token, what is the point of encoding the values in the token?16:03
*** ukalifon3 has quit IRC16:04
morganfainbergdolphm, ahh16:04
dstanekdolphm: check this out https://bugs.launchpad.net/keystone/+bug/134789116:06
uvirtbotLaunchpad bug 1347891 in keystone "mis-use of XML canonicalization in keystone tests" [Undecided,In progress]16:06
dstaneki was scratching my head for a while trying to understand why we've never seen the issue before16:06
dolphmsomeone reported that in the channel a couple days ago too16:07
dolphmdstanek: something must have changed recently?16:07
dstanekdolphm: not sure, i can't get the test to fail, but it looks like in zzzeek's environment the XML generated in the response has elements out of order16:08
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10621016:08
dolphmdstanek: then his version of etree is broken16:08
dstanekdolphm: what makes you say that?16:09
dstaneki was under the impression that c14n would order elements, but that's not the case16:09
*** YorikSar has joined #openstack-keystone16:09
dolphmdstanek: because your patch removes our use of the w3c xml canonicalization algorithm provided by the etree api in favor of something arbitrary16:10
*** andreaf has joined #openstack-keystone16:11
*** andreaf has quit IRC16:11
dolphmdstanek: is it a bad implementation of etree that doesn't order the elements?16:11
dstanekc14n doesn't re-order elements - i removed it from my patch because i didn't need it anymore16:11
dstanekdolphm: the test script - http://paste.openstack.org/show/87823/16:12
dolphmdstanek: http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/#DocumentOrder16:12
*** kwss has quit IRC16:13
dstanekdolphm: i had to read that very carefully because it talks about reordering the attributes, but not the elements16:13
dolphmdstanek: please hold while i collect bits of my brain off the floor16:14
dstaneklol - this is a mirror of the conversation i had with zzzeek yesterday16:14
dstanekdolphm: so it seems like siblings won't be ordered16:15
zzzeekdstanek: ive found many bugs in openstack test suites in the past two months ive started and most of them seem to involve some degree of “convincing” :)16:15
zzzeekdstanek / dolphm - ignore the spec, run my test case on the issue.  it doesnt work.  the nodes arent reordered16:15
dolphmzzzeek: well i agree with dstanek, i don't see where in the spec it says that the elements will be re-ordered16:16
zzzeekdstanek / dolphm whether or not the spec says it, libxml isn’t doing it.   libxml is *always* deviating from specs16:16
zzzeekdolphm: OK.  i found the spec to be unsurpirsingly vague :) hence test case more useful16:16
*** gokrokve has joined #openstack-keystone16:18
dolphmi hate xml16:18
dolphmmorganfainberg: for bonus points, you can nuke all whitespace between structural elements in the JSON16:20
morganfainbergdolphm, hmm.16:20
morganfainbergdolphm, not without writing a custom json encoder it looks like16:21
morganfainbergdolphm, aha16:23
dolphmmorganfainberg: i might disagree16:23
morganfainbergprint json.dumps(a, sort_keys=True, separators=(',', ':'))16:23
dolphmmorganfainberg: ++16:24
*** marcoemorais has joined #openstack-keystone16:24
*** amcrn has joined #openstack-keystone16:24
morganfainbergdolphm, c = zlib.compress(b)16:25
morganfainberg>>> sys.getsizeof(c)16:26
morganfainberg34616:26
morganfainberg>>> sys.getsizeof(b)16:26
morganfainberg83416:26
morganfainbergb is the serialized data16:26
dolphmmorganfainberg: with whitespace removed?16:26
morganfainbergyep16:26
dolphmmorganfainberg: what was it before?16:27
*** syedawaisali has joined #openstack-keystone16:27
morganfainbergoh w/ wite space?16:27
morganfainbergsec16:27
dolphmmorganfainberg: 289416:27
morganfainbergdolphm, and compressed?16:28
dolphmmorganfainberg: no, that was just an arbitrary number16:29
*** lbragstad has joined #openstack-keystone16:29
morganfainbergno whitespace, non-compressed: 86916:29
dolphmso saving some chars for basically zero cost16:29
morganfainbergcompressed = 35016:29
morganfainbergyeah bascially we save a couple bytes16:29
morganfainbergabout 30 bytes uncompressed, and 4 bytes compressed16:30
dolphmmorganfainberg: i'm pushing a patch to do that to keystone now16:33
morganfainbergdolphm, ++16:33
morganfainbergfor our current toekns it should help a lot more.16:33
*** lbragstad has quit IRC16:34
dstanekdolphm: "i hate xml" - too bad i can't favorite irc like i can twitter16:36
*** jsavak has joined #openstack-keystone16:37
arun_kantayoung: Can you please review https://review.openstack.org/#/c/95300/ as Yuriy is okay with changes now..will be good if it can get your and other core members blessing16:37
openstackgerritDolph Mathews proposed a change to openstack/keystone: Remove unnecessary whitespace from PKI & PKIZ tokens  https://review.openstack.org/10934316:38
dolphmmorganfainberg: dstanek: ^16:38
dolphmdstanek: fixed- https://twitter.com/dolphm/status/49234813202635161716:38
ayoungarun_kant, only question I had left was on why the livetests are so different16:39
*** joesavak has quit IRC16:40
ayoungarun_kant, why should pool vs no pool affect things like  test_password_change_with_auth_pool_disabled  and  test_password_change_with_auth_pool_enabled_long_lifetime16:40
arun_kantThe difference is keystone uses end user ldap bind as way to authenticate and if we use pooling for binds..then it will not recoginize password change as existing user bind (with old password still exists)..16:42
arun_kantSo the option is either no to use pooling for those kind of binds or use pooling with shorter lifetime16:43
*** chandankumar has quit IRC16:44
*** lbragstad has joined #openstack-keystone16:44
*** afazekas_ has joined #openstack-keystone16:44
arun_kantThis came up in review..https://review.openstack.org/#/c/95300/15/keystone/common/ldap/core.py,cm Line # 70216:45
morganfainbergdolphm, nightmare token "pkiz" signed: >>> sys.getsizeof(c) -> 294816:45
dolphmmorganfainberg: ha16:46
morganfainbergthat is w/o whitespace16:46
arun_kantayoung: patches later than addressed that issue and added specific livetest around this issue.16:49
ayoungarun_kant, I can +2 that16:49
ayoungand +a16:49
morganfainbergdolphm, compressing the token data first gets us 300byte savings it looks like16:49
morganfainbergdolphm, so 2740, erm 200bytes16:49
ayoungmorganfainberg, compressiong before signing?16:49
arun_kantwhat is +a ?16:49
ayoungApproved16:49
ayoungworkflow +116:50
morganfainbergayoung, yep, zlib.compress then pkiz = 200bytes savings16:50
morganfainbergayoung, probably difference in zlib.compress defaults16:50
ayoungmorganfainberg, there might be security implications around that.  I know it came up when discussing compression vs signing, there was no issue if the signing happend before compression16:51
morganfainbergayoung, but the PKI token, the signing process is adding ~2391 bytes16:51
morganfainberg*most* of the token data is the signing process16:51
ayoungmorganfainberg, there is something wrong there, then16:53
morganfainbergayoung, not really16:53
morganfainbergayoung, smime has a high-overhead16:53
ayoungmorganfainberg, hmmm, we don't need that16:53
morganfainbergyou're usually not signing 400bytes of data16:53
morganfainbergyou're usually signing more data.16:54
ayoungis there any need to convert to ASN1 first?16:54
ayoungI mean, any ral need, other than the standard?16:54
*** YorikSar_ has joined #openstack-keystone16:54
ayoungreal16:54
*** vhoward has joined #openstack-keystone16:54
ayoungWe need to know what was signed, and the end user needs to be able to reproduce that unambiguously16:55
morganfainbergayoung, if we do cms sign of the raw data, compress, then b64urlendoce -> 148116:55
morganfainbergsame data set16:55
ayoungSo you don't want to parse the JSON.  ASN1  should be a fairly small wrapper around that.  Just a header and a length16:55
morganfainbergabout 1k savings over pkiz16:55
ayoungthere is some junk in there, then16:56
morganfainbergthat is urlsafeencodeing btw16:56
ayoungwhat are we not doing that we should be doing?  Stripping out the  sert?16:56
ayoungcert16:56
morganfainberg1.4k is better, but still over 3x the base size.16:57
*** YorikSar has quit IRC16:57
*** rwsu has quit IRC16:58
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/common/cms.py#n191  that is what we do now,16:58
morganfainbergmaybe we need to re-think this. maybe keystone needs to inject the signed data behind the scenes  into something easy auth_token can query and we should be using a uuid-form, but instead of the full PKI token16:58
ayoungsign, compress, base64.  What are you doing differently above?16:58
morganfainbergi did sign, compress b6416:59
morganfainbergpkiz netted a bigger token16:59
*** lbragstad has quit IRC16:59
ayoungpost your code, please16:59
morganfainbergnot code, was all just hacked out.16:59
morganfainbergso i'll need to re-create16:59
*** rwsu has joined #openstack-keystone16:59
morganfainbergah, i wasn't removing the -----end cms---- bit17:00
morganfainbergbut still17:00
morganfainbergnot that much difference17:00
dstanekmorganfainberg: what does your final token look like?17:01
morganfainbergdstanek, like a urlsafe b64 string17:01
morganfainbergthis is using the "worst-case-id-only" token17:01
morganfainberghttp://pasteraw.com/frcyhsw2tqh6fy16lu4fmmio22e39wv17:02
morganfainbergeven at 1.4k that is a significant improvement over what we have now.17:02
dstanekmorganfainberg: that's not terrible17:02
morganfainbergdstanek, but 1.4k is a lot more than 32 or 64 bytes.17:02
*** lbragstad has joined #openstack-keystone17:03
* morganfainberg shrugs17:03
openstackgerritA change was merged to openstack/identity-api: revise stability deadline to end of j3  https://review.openstack.org/10870117:05
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke tokens under the same domain  https://review.openstack.org/10719417:09
*** lbragstad has quit IRC17:10
*** lbragstad has joined #openstack-keystone17:11
*** gabriel-bezerra has quit IRC17:11
*** gabriel-bezerra has joined #openstack-keystone17:12
*** marzif has quit IRC17:12
*** lbragstad has quit IRC17:16
*** hrybacki has quit IRC17:20
*** gokrokve has quit IRC17:22
*** hrybacki has joined #openstack-keystone17:22
*** lbragstad has joined #openstack-keystone17:23
*** gokrokve has joined #openstack-keystone17:27
ayoungmorganfainberg, $ python tokenify.py17:31
ayoung1641   from running http://paste.openstack.org/show/87980/17:31
ayoungYou lied17:32
*** amcrn has quit IRC17:34
*** amcrn has joined #openstack-keystone17:35
*** harlowja has joined #openstack-keystone17:35
ayoungmorganfainberg, I just tried it with an string of length 0.17:37
ayoung$ python tokenify.py17:37
ayoung75717:37
*** mtl1 has joined #openstack-keystone17:41
*** diegows has quit IRC17:47
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Expand the caching layer in keystone  https://review.openstack.org/10897017:50
ajayaadolphm, morganfainberg, ayoung, please review the above change.17:53
mtl1Hi. I'm working on trying to get keystone to use https for endpoints, currently just on devstack. First problem is that I removed the endpoint for keystone itself, and need to get it back. Is that possible?17:54
mtl1Second, is there a trick to changing the endpoints for keystone itself without first removing the endpoints?17:55
ayoungmtl1, easy17:55
ayoungmtl1, either use SQL or the admin token17:55
ayoungmtl1, which do you prefer17:55
mtl1I have the admin token in my ENV, but I get this for any keystone command I try: WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token17:56
openstackgerritayoung proposed a change to openstack/keystone: cache the catalog  https://review.openstack.org/10897017:57
ayoungajayaa, ^^ is amuch better commit title17:57
ajayaaayoung, thanks! Being a core member, do you get a special privilege to change the commits of a different person? :)18:00
ayoungajayaa, anyone can18:00
ayoungI just edited it right in the Browser18:00
ayoungajayaa, is   expiration_time=EXPIRATION_TIME required?  I don't see ever timing out the catalog cache, just invalidating if it is change from the API18:02
*** marcoemorais has quit IRC18:02
ayoungmtl1, you should be able to use the ADMIN_TOKEN to create an endpoi nt18:02
ayoungyou need to set service url as well18:02
ayoungmtl1, see https://github.com/admiyo/keystone-examples/blob/master/client/initialize_keystone.py18:03
ayoungI use the OS_ENDPOINT https://github.com/admiyo/keystone-examples/blob/master/client/initialize_keystone.py#L86  to create  the client18:03
*** marcoemorais has joined #openstack-keystone18:03
ayoungand then create the service catalog using it https://github.com/admiyo/keystone-examples/blob/master/client/initialize_keystone.py#L6318:04
mtl1ayoung: thanks, I'll have a look.18:04
*** marcoemorais1 has joined #openstack-keystone18:04
*** marcoemorais1 has quit IRC18:05
ajayaaayoung, similar argument could be made for assignment cache as well, I suppose. I just copied the approach followed in assignment caching.18:06
*** marcoemorais1 has joined #openstack-keystone18:07
ayoungajayaa, is that param required or optional?18:07
ajayaaoptional.18:07
*** diegows has joined #openstack-keystone18:07
*** marcoemorais has quit IRC18:08
ayoungmorganfainberg, is there any need to have a cache timeout value for the service catalog in ajayaa 's patch?18:09
ayoungajayaa, do all of the other caches have a cache time out?18:10
ajayaaayoung, yes. assignment cache does have a time out.18:11
ayoungajayaa, I guess for multi backend SQL support, you need it.  OK, it needs to be there, I just convinced myself18:11
ajayaaayoung, Can you please tell me what multi backend sql support is in keystone?18:12
ajayaaIs it like there would be multiple sql databases to which keystone is talking?18:12
ayoungajayaa, I mean multiple keystones talking to one sql backend18:13
ayoungajayaa, I've +2ed.  I'm sure Morgan will get back around to it, but it looks straightforward to me18:14
ajayaaayoung, okay, In that case we would want all our caches to synced in regular intervals. Distributed caching would be an overkill, I guess.18:14
ayoungcan never have too much overkill18:14
dolphmayoung: cache invalidation is hard, we'll do it wrong, and timing out stale cache is a reliable fallback :)18:15
ayoungdolphm, ++  yup  that is basically what I came to realize18:16
dolphmayoung: alternatively, if you have multiple caches, you need a shorter timeout as one instance won't be able to invalidate the contents of the other (which is probably a more common problem)18:16
ayoungdolphm, the take away then is that all caching should have a timeout variable required18:17
dolphmayoung: ++18:17
ajayaaayoung, thanks!18:17
*** jimbaker has quit IRC18:21
*** jimbaker has joined #openstack-keystone18:22
*** jimbaker has quit IRC18:23
*** jimbaker has joined #openstack-keystone18:23
*** gyee has quit IRC18:25
*** gabriel-bezerra has quit IRC18:25
*** gabriel-bezerra has joined #openstack-keystone18:26
*** amcrn_ has joined #openstack-keystone18:35
*** ukalifon has joined #openstack-keystone18:35
*** marcoemorais1 has quit IRC18:36
*** amcrn has quit IRC18:37
*** ukalifon has quit IRC18:37
*** marcoemorais has joined #openstack-keystone18:39
*** radez is now known as radez_g0n318:42
bknudsonCan I get an unscoped token from a scoped token?18:42
bknudsonLooks like it18:42
bknudsone.g., if I have a scoped token and then request a token with no scope I get an unscoped token?18:43
bknudsonif so... if I create an unscoped token from a scoped token should the unscoped token be revoked?18:49
*** gabriel-bezerra has quit IRC18:49
bknudsonI'm not sure how revocation events could know that the parent token was unscoped...18:50
bknudsonI mean how could revocation events know that the child tokens are unscoped18:50
*** gabriel-bezerra has joined #openstack-keystone18:50
*** ukalifon has joined #openstack-keystone18:50
openstackgerritThiago Paiva Brito proposed a change to openstack/keystone: Hierarchical Projects  https://review.openstack.org/10884118:54
*** marcoemorais has quit IRC18:56
*** jimbaker has quit IRC18:58
*** marcoemorais has joined #openstack-keystone18:58
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add a test for revoking a scoped token from an unscoped  https://review.openstack.org/10912518:59
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking a scoped token from an unscoped token  https://review.openstack.org/10938918:59
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Add create, update, and delete user to admin API v2.0  https://review.openstack.org/10825918:59
*** jimbaker has joined #openstack-keystone19:00
*** jimbaker has quit IRC19:00
*** jimbaker has joined #openstack-keystone19:00
*** marcoemorais has quit IRC19:01
ayoungbknudson, so we should not allow getting an unscoped token from a scoped.  That is a hole on our story right now19:02
ayoungparent tokens were origianlly supposed to be "all revoked at the same time"19:02
ayoungbut that broken Horizon19:02
ayoungWe need to think about the implications of chaining.  I would think something like this:19:03
*** marcoemorais has joined #openstack-keystone19:03
ayoungonly unscoped to scoped is allowed.  If a scope token is revoked, no other tokens are revoked.  If an unscoped token is revoked, all tokens created from that unscoped token should be revoked, too19:03
*** radez_g0n3 is now known as radez19:04
bknudsonayoung: that's essentially this change: https://review.openstack.org/#/c/109389/1/keystone/tests/test_v3_auth.py19:05
openstackgerritA change was merged to openstack/keystone: Adding support for ldap connection pooling.  https://review.openstack.org/9530019:06
bknudsonayoung: the change to test_list_delete_token_shows_in_event_list19:06
ayoungbknudson, we have no association between tokens right now.19:07
bknudsonit still allows scoped to unscoped... test_list_delete_token_shows_in_event_list does that in the test... but only the scoped token is revoked and the child tokens aren't19:07
ayoungbknudson, if we generated a unique identifier at the authentication, and copied that from parent to child token, we could revoke on that.19:08
*** YorikSar_ is now known as YorikSar19:09
bknudsonayoung: current the unique ID is the expiration time.19:09
bknudsoncurrently19:09
ayoungyeah, but that is going to break if we do the sliding window on session tokens19:09
*** lbragstad has quit IRC19:10
*** jimbaker has quit IRC19:10
ayoungbknudson, and it breaks Horizon today, as they revoke the scoped token when the user switches to a new project19:10
*** jimbaker has joined #openstack-keystone19:11
*** jimbaker has quit IRC19:11
*** jimbaker has joined #openstack-keystone19:11
bknudsonayoung: y. I thought I had a test for it but it turned out mysql gets the wrong expiration time so it wasn't revoking19:11
*** andreaf has joined #openstack-keystone19:15
bknudsonI wonder how the regular token revocation code handles revoking a token with children... do they all get revoked?19:17
ayoungbknudson, no, there is no "chaining" today19:18
bknudsonok, so not revoking the children is more consistent with the current behavior19:19
*** gabriel-bezerra has quit IRC19:19
ayoungbknudson, yeah.  If a user changes their password, we revoke all tokens for that user19:20
*** gabriel-bezerra has joined #openstack-keystone19:21
*** Chicago has quit IRC19:24
bknudsonit does seem a little ridiculous to allow having a chain of tokens from tokens... not sure what the point would be19:27
ayoungbknudson, so you agree with what I wrote?19:32
bknudsonayoung: I agree that keystone should only allow creating a scoped token from an unscoped one.19:33
ayoungbknudson, and revoking an unscoped should revoke all of the scoped, but not the other way around?19:33
*** ukalifon has quit IRC19:33
bknudsonayoung: y, that makes sense19:33
ayoungbknudson, so, to avoid breaking things, first we need "explictly request unscoped"19:34
morganfainberg bknudson, ayoung, ++19:34
ayoung https://review.openstack.org/#/c/109081/r19:34
bknudsonayoung: y, that's the part that's missing since you'll get a scoped token if you have a default project19:34
bknudsonso if you have a default project then you couldn't ever rescope19:34
ayoungbknudson, and one we have that, I'll submit a patch to django-openstack-auth that consumes it19:34
*** gokrokve has quit IRC19:35
ayoungI'm working on that now19:35
*** syedawaisali has quit IRC19:35
bknudsonseems like it has to continue to work with old keystones that don't support it19:35
*** lbragstad has joined #openstack-keystone19:41
morganfainbergbknudson, maybe thats a toggle in settings?19:45
morganfainbergbknudson, make juno+ horizon automatically set it19:45
*** lbragstad has quit IRC19:45
bknudsonmorganfainberg: y.. having a bunch of config options for backwards compat seems like the wrong way to handle everything19:45
bknudsonwhat does keystone do now if you send "scope": {} ?19:46
bknudsonor whatever we decide for how to request an unscoped token19:46
morganfainbergbknudson, not sure tbh, i think it does some magic on default_project?19:46
morganfainbergayoung, has looked at that more recently19:46
bknudsonI think that would be fine for backwards-compat... since the old server also supports rescoping a scoped token19:47
ayoungGood questions.  If scope is none...19:48
morganfainbergbknudson, fairpoint19:51
*** lbragstad has joined #openstack-keystone19:54
*** fish_ has quit IRC20:03
*** hrybacki has quit IRC20:06
*** gokrokve has joined #openstack-keystone20:06
*** AndChat|673521 has joined #openstack-keystone20:10
*** chandankumar has joined #openstack-keystone20:10
*** gokrokve has quit IRC20:11
*** gyee has joined #openstack-keystone20:12
*** chandankumar has quit IRC20:17
*** lbragstad has quit IRC20:18
*** lbragstad has joined #openstack-keystone20:19
*** marzif has joined #openstack-keystone20:19
openstackgerritA change was merged to openstack/keystone: cache the catalog  https://review.openstack.org/10897020:20
dolphmayoung: did you ever email the list about the ldap thing in stable/havana? i just realized havana was security fixes only now20:25
morganfainbergdolphm, does the cache invalidation bit count as security-ish?20:25
morganfainbergdolphm, https://review.openstack.org/#/c/102692/20:26
morganfainbergdolphm, because i'm perfectly happy to let those ones go.20:26
*** gokrokve has joined #openstack-keystone20:26
morganfainbergif they're not worth fixing/pushing to get in20:26
dolphmmorganfainberg: good question...20:27
dolphmmorganfainberg: that depends on a patch that i can't make a security argument for (that i can think of)20:27
morganfainbergit depends on the domains needing ot be enabled by default.20:27
* morganfainberg shrugs, Havana is really close to EOL20:29
ayoungdolphm, I had asked apevec to do so, but just realized he's on PTO20:30
*** vhoward has left #openstack-keystone20:30
ayoungdolphm, its OK if the answer is no, just means that RH carries the patch itself.  We just have a policy that we need to submit upstream first20:30
morganfainbergayoung, does RH mind carrying that one? because if not, i'd be inclined to say no [just so we don't need to argue about havana on the ML]20:31
ayoungmorganfainberg, go ahead and say no.  I think "security only" is a fine response20:32
morganfainbergayoung, ++ works for me.20:32
ayoungnkinder, ^^ is that about right?20:32
nkinderI don't think there was a security reason.  It's more a a problem for people trying to use AD with Keystone20:33
*** amcrn_ has quit IRC20:34
ayoungnkinder, yeah, and the Havana release is "Security fixes only"20:34
ayoungnkinder, So its really not appropriate for Havana20:34
morganfainbergnkinder, ayoung, this one right? https://review.openstack.org/#/c/93060/20:36
ayoungmorganfainberg, yep20:36
*** lbragstad has quit IRC20:38
morganfainbergayoung, nkinder, tossed a -1 on there and link to the releases20:38
*** lbragstad has joined #openstack-keystone20:38
morganfainberglet me know if you need something else :)20:38
*** jsavak has quit IRC20:46
*** mfainberg_phone has joined #openstack-keystone20:57
*** bobt has joined #openstack-keystone20:57
bknudsonwe need to have a git repo for RH and IBM to put our common fixes that we want to carry20:59
*** AndChat|673521 has quit IRC20:59
*** amcrn has joined #openstack-keystone21:02
bknudsonit looks like revocation events doesn't handle domain-scoped tokens correctly21:03
*** mfainberg_phone has quit IRC21:05
*** amcrn has quit IRC21:08
*** hrybacki has joined #openstack-keystone21:08
ayoungbknudson, its called RDO21:11
ayoungI raised the topic with some IBMers21:11
ayoungthere was....resistance21:11
ayoungbknudson, if a domain is disabled, tokens are revoked if any of the domain values are unmatched21:12
ayoungthis something in the code review?21:12
bknudsonlet me find the code21:13
bknudsonayoung: build_token_values: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n26721:14
bknudsonfor a project-scoped token, it adds token_values['project_id'] = project['id']21:14
bknudsonbut for a domain-scoped token, build_token_value doesn't add token_values['domain_id'] = domain['id']21:14
bknudsonso the revocation code doesn't know if the token is domain-scoped21:14
bknudsondoesn't the revocation code need to know that the token is domain-scoped like it needs to know that it's project-scoped?21:15
bknudsonI tried just adding token_values['domain_id'] = domain['id'] but the revocation code still didn't find the domain-scoped token in the revocation events for some reason.21:16
ayoungbknudson, I think you are right.  We actually test for it up in the tree, too21:17
ayoung_TOKEN_KEYS = ['identity_domain_id',21:17
ayoung               'assignment_domain_id',21:17
*** topol has quit IRC21:17
bknudsonidentity_domain_id is the user's domain ID from the token21:18
bknudsonassignment_domain_id is the project's domain ID (if the token is project-scoped)21:18
ayoungbknudson, yep,  I think you found a gap.  Can we focus on getting it fixed in the client code?21:19
ayounghttps://review.openstack.org/#/c/81166/  needs to go in, and I can put a fix on top of that21:19
bknudsonok, as long as it can be backported21:19
ayoungbknudson, yep21:21
*** henrynash has quit IRC21:28
openstackgerritA change was merged to openstack/python-keystoneclient: Don't log sensitive auth data  https://review.openstack.org/10179221:30
*** henrynash has joined #openstack-keystone21:31
*** henrynash has quit IRC21:32
bknudsonit looks like the revocation event model is a hierarchy of  trust_id -> consumer_id -> access_token_id -> expires_at -> domain_id -> project_id -> user_id -> role_id -> issued_before21:38
bknudsonbut to handle domain-scoped tokens I think we'd need to have project_id OR domain_id there.21:39
dolphmbknudson: what's matt reidermann's nick?21:39
bknudsonmriedem21:39
bknudsondolphm: also, he's left for the day21:39
dolphmbknudson: boo. i just realized we were both investigating the same bug21:40
*** rwsu has quit IRC21:44
openstackgerritNathan Kinder proposed a change to openstack/keystone: Trust unit tests should target additional threat scenarios  https://review.openstack.org/10912021:46
bknudsonok. I'm going to assume we don't have to handle domain-scoped tokens correctly since it's pretty much impossible.21:46
bknudsonit should be easy to handle the case where the user has a domain-scoped token that's not the user's domain.21:47
bknudsonI think I've got the change for that...21:47
bknudsonbut handling the case where the user has a domain-scoped token in their own domain is not doable...21:47
bknudsonbecause of the mapping of 'domain_id': ['identity_domain_id', 'assignment_domain_id'] ...21:48
bknudsonotherwise I think we'd need a new field in the revocation model and that requires a migration21:49
*** lbragstad has quit IRC21:49
*** gordc has quit IRC21:52
*** nonameentername has joined #openstack-keystone21:53
ayoungbknudson, handling the case where the user has a domain-scoped token in their own domain is doable21:55
ayoungthat domain-scoped token would be assignment_domain_id21:56
bknudsonayoung: ah, good idea21:56
nkindermorganfainberg, jamielennox|away: now that https://review.openstack.org/#/c/101792/ is merged, what is the plan for a keystoneclient update that would include it?21:56
*** radez is now known as radez_g0n322:00
*** lbragstad has joined #openstack-keystone22:01
*** henrynash has joined #openstack-keystone22:02
*** _afazekas is now known as afazekas22:03
dolphmthis would be great to help get people up and running with PKI, but i need a sanity check on the output redirecting https://review.openstack.org/#/c/51610/19/keystone/common/openssl.py22:04
*** lbragsta_ has joined #openstack-keystone22:04
*** nonameentername has quit IRC22:04
david-lyletime for the annoying Horizon developer to ask his keystone question of the day22:05
david-lylecan I rescope a project scoped token to a domain scoped token, or do I have to have the user log out and back in to get a domain scoped token?22:06
*** lbragstad has quit IRC22:07
*** lbragsta_ has quit IRC22:08
*** dims_ has joined #openstack-keystone22:09
openstackgerritA change was merged to openstack/keystone: Disable a domain will revoke tokens under the same domain  https://review.openstack.org/10719422:09
bknudsondavid-lyle: I believe that you can do that rescoping currently22:10
bknudsondavid-lyle: although if ayoung gets his way it will not be allowed22:10
david-lylebknudson: when I pass in the existing token id and a user_domain_id to the client (no project info) I just get a scoped token back to the project I was already scoped to22:11
*** dims has quit IRC22:12
bknudsondavid-lyle: I don't think that's requesting a domain-scoped token22:12
david-lyleif I then, trying to figure out the system call client.authenticate(domain_id=my_domain_id) I get "AuthorizationFailure: Authentication cannot be scoped to multiple targets. Pick one of: project, domain or trust"22:12
bknudsonthe user_domain_id is the domain for the user ... so if you pass in a user name you also need to supply the domain22:12
david-lyleso I have to use the domain name?22:13
*** nkinder has quit IRC22:13
david-lyleoh22:13
bknudsondavid-lyle: the call to do client.authenticate(domain_id=my_domain_id) is probably the way to do it.22:13
david-lyleI see a domain_id as well22:14
bknudsonbut where's the token?22:14
ayoungdavid-lyle, I'll answer in a moment...goal is to not log out.22:14
david-lyleayoung: that's my hope too :)22:14
*** dims_ has quit IRC22:16
*** marzif has quit IRC22:16
dolphmayoung: your spec to abandon REST altogether makes it tempting to abandon PKI completely22:17
ayoungdolphm, I think you misunderstand me if any of my specs come to abandoning rest.  Which spec are you talking about?22:17
dolphmyou can rename it to stateful-all-the-services if you'd like https://review.openstack.org/#/c/109295/22:17
*** lcheng has joined #openstack-keystone22:18
ayoungdolphm, that is a way to formalize what Horizon is doing, but I do not agree that it is anti REST.22:19
ayoungthey don't need to use it if they don't want to. The Swift folks were complaining about token size, and I mentioned this solution to them.  It still keeps the service from going back to keystone.22:20
dolphmayoung: well its a great argument in favor of UUID22:20
ayoungdavid-lyle, the idea for unscoped is this:  user logs in with userid and password, gets unscoped token that is small enough to stick in a cookie as is.22:20
david-lyleayoung, so I keep the unscoped and the scoped token around?22:21
ayoungdolphm, think through that statement and I think you will see it falls down on a number of counts.  Add in a "same origin" mechanism to go along with this22:21
ayoungdavid-lyle, yep22:21
david-lyleok22:21
ayoungthe unscoped stays in the cookie, and is used whenever the user rescopes22:22
david-lylewhat's another token amongst friends22:22
ayoung the scoped tokens are going to be bigger, say 4K, andwill be stored in memcached22:22
ayoungdavid-lyle, so to rescope, use the unscoped tokenm22:22
ayoungdavid-lyle, I'm pushing for more mechanisms than just that22:22
ayounghttps://blueprints.launchpad.net/keystone/+spec/session-extendable-tokens  david-lyle22:23
ayoungdavid-lyle, that would be just the unscoped token22:23
david-lyleayoung, if I use the unscoped token for rescoping, don't I end up with just a scoped token? or does the unscoped remain valid as well?22:25
ayoungdavid-lyle, the unscoped remains valid22:25
david-lyleand that works now?22:26
ayoungdavid-lyle, it is Horizon that revokes the tokens, so, there would be no reason to revoke the unscoped22:26
david-lyleok22:26
david-lylestupid horizon22:26
*** nkinder has joined #openstack-keystone22:26
ayoungdavid-lyle, I'm working on code for django-openstack-auth right now22:26
david-lyleme too :)22:26
david-lyleayoung, yours is probably further than mine given our exchange :)22:27
ayoungdavid-lyle, the first change is making d-o-a use Keystone sessions22:27
ayoungas part of that, it will store the "unscoped" token...but there is no guarantee you will get an unscoped token today22:28
morganfainbergdolphm, maybe the answer is UUID tokens, but uuid tokens + revocation events + memcache (or redis, or something)22:30
morganfainbergdolphm, where keystone injects the token data into the "in-cloud" service, and auth_token goes directly to that service to rtrieve the information (cms signed or not), instead of asking keystone for the data22:30
morganfainbergdolphm, i *think* amazon does something like that for their credentials22:31
morganfainbergayoung, ^22:34
morganfainbergdolphm, re: https://review.openstack.org/#/c/107561/ this is going to need a rebase, we just merged something to token.core22:35
ayoungmorganfainberg, that is basically it.22:35
morganfainbergdolphm, going to rebase it in a few moments.22:35
morganfainbergayoung, so why make auth_token do the work, just make keystone inject it and hand off the short-value22:35
ayoungexcept that the user sends the data as the mule22:35
morganfainbergayoung, it seems odd to hand the tokent o the user and only benefit the requests beyond the first22:35
morganfainbergayoung, i mean, i *think* UUID tokens were trying to do some of that but without the need for an external service that the endpoints can query directly22:36
ayoungmorganfainberg, many ways to skin this cat, but the biggest one is that everything happens in the open22:36
ayounggiving it to the user scales better22:36
ayoungotherwise the user needs to tell keystone ahead of time where to create tokens, and needs to go back there for new operations22:37
morganfainbergayoung, i'd argue minimally at best22:37
morganfainbergno, i mean you have keystone inject the tokens where the endpoints will ask for them22:37
morganfainbergchances are you're not running a memcache server on each endpoint22:38
ayoungmorganfainberg, I need to take care of something right now.  Think about it.  I suspect you will convince yourself that the current architecture is correct.  The cookie proposal is an optimization22:38
dstanekha, back to this fun?22:39
morganfainbergayoung, i jsut spent 15 minutes thinking about it, i'll let you convince me when you're back, because i'm not seeing it at the moment (table the discussion till a bit later)22:39
morganfainbergdstanek, maybe >.> :P22:40
* morganfainberg is tempted to POC this up.22:41
* morganfainberg has some free dreamhost cloud stuffs22:41
*** dims_ has joined #openstack-keystone22:42
*** dims_ has quit IRC22:47
openstackgerritA change was merged to openstack/keystone: Add the new oslo.i18n as a dependency for Python 3  https://review.openstack.org/10881022:49
*** fish_ has joined #openstack-keystone22:56
openstackgerritA change was merged to openstack/keystone-specs: Explicity request an unscoped token  https://review.openstack.org/10807122:58
morganfainberghenrynash, running tests befor epushing that rebase up23:01
morganfainberghenrynash, added to the comment so it's clear why we clear the kvs registry23:01
henrynashmorganfainberg: ok, great23:01
*** nkinder has quit IRC23:01
*** jamielennox|away is now known as jamielennox23:01
henrynashmorganfainberg: will +2 once up23:01
morganfainberghenrynash, ++ :)23:01
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move token persistence classes to token.persistence module  https://review.openstack.org/10756123:04
jamielennoxgerrit login now sends you via ubuntu one?23:04
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the new Keystone TokenModel  https://review.openstack.org/10691723:05
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence  https://review.openstack.org/10904123:05
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api  https://review.openstack.org/10916223:08
jamielennoxgyee: i don't think version discovery would be affected at all by a catalog in an unscoped token23:09
jamielennoxgyee: we don't generally do discovery for auth yet23:09
gyeejamielennox, so today, if user specify an auth_url, we do version discovery first23:10
jamielennoxgyee: depends what you're using23:10
gyeekeystoneclient?23:10
jamielennoxkeystoneclient.client.Client does23:10
jamielennoxneither v2.Client or v3.Client do23:10
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api  https://review.openstack.org/10917323:10
gyeewill we do that in the future?23:11
gyeeI mean will it be part of standard auth flow23:11
jamielennoxgyee: plugins like https://review.openstack.org/#/c/81147/ will23:11
jamielennoxbut i think they are often going to be the special case23:12
gyeejamielennox, so if discovery is done, you already have the url right, which is the same for both auth and management23:15
gyeeI mean the base url is the same23:15
jamielennoxcould be - could not be, management url is generally the admin interface23:16
jamielennoxwhich may or may not be the same as your auth23:16
gyeebut I can't specify an auth url like this and have discovery return me something else right? http://host:35357/v3/auth/kerberos23:18
gyeeobviously that's not for discovery23:18
*** david-lyle has quit IRC23:19
gyeeso auth_url has to be a base URL23:20
*** gabriel-bezerra has quit IRC23:20
*** gabriel-bezerra has joined #openstack-keystone23:20
jamielennoxgyee: so the whole non-standard route is an interesting concept that is not my main reason23:21
jamielennoxbecause you don't specify /auth/kerberos as a auth_url23:21
jamielennoxyou specify /v3 and let it build it for you23:21
ayoungmorganfainberg, with Kerberos or X.509 Authentication, there really is no reason to go to Keystone first.  The user could go straight to Nova, and authenticate, then Nova would query the Authorization source.  This is how things are typically done in the enterprise, with the authZ source being LDAP.  Its one reason enterprises don't worrry about revoking Kerberos tickets:23:21
jamielennoxif you want that to work you need to mount at like /kerberos/v3/23:21
ayoungyour authentication is never revoked, just your authorization23:21
morganfainbergayoung, uhm. why are we bypassing keystone with x509 and kerberos?23:22
morganfainbergayoung, don't we still need a token?23:22
* morganfainberg is missing something.23:22
ayoungmorganfainberg, for that approach, no we would not23:22
ayoungso why do we even need keystone?23:22
morganfainbergayoung, i agree, lets delete the service23:22
gyee:)23:22
ayoungAnd the answer is to add a layer of distributed authorization for openstack23:22
* gyee thinking one of y'all is smoking something23:23
ayoungsee, if you go to LDAP, and LDAP is read only, you have no way to add your own authorization data23:23
ayoungWith Keystone, we allo a middle ground;  each service endpoint enforces its own policy, but the set of roles are OpenStack specific, and layered on top of authentication from some other service.23:24
gyeejamielennox, my point is the auth_url is a base url23:24
ayoungSAML and OpenID are attempting to solve the same problem, but they each have different short comings23:24
ayoungSAML is that it is issued by the IdP, and so you have no additional authorization attributes23:24
ayoungBut we could have implemented keystone as SAML, and it would have made sense23:25
ayoungOpenID the problem is that there is no standard format for providing the authorization data.23:25
morganfainbergayoung, i am now totallt lost how we ended up off in these weeds23:25
ayoungSo, why do I insist that Keystone tokens are carried by the user?23:25
ayoungLook at the arguments for the OpenID and SAML approachs.23:26
morganfainbergboth authn not authz (really) approaches.23:26
ayoungBoth are desigend such that the Service does not need to know where the token will be used.  Note that this is different from saying "cannot know"23:26
ayoungEr , where I said openID I should have said Oauth23:27
*** gabriel-bezerra has quit IRC23:27
ayoungI've OPenID on the brain due to launchpad23:27
ayoungmorganfainberg, if it is backchannel, as you suggested, then a keystone server needs to know everywhere a token can and will be used up front.23:28
*** gabriel-bezerra has joined #openstack-keystone23:28
ayoungNow, you might argue with Token Binding to endpoints, that is exactly where we are headed.23:28
ayoungBut I see that as a hardening, not a fundamental part of Keystone23:28
gyeejamielennox, the argument for service catalog for unscoped token is to get the management url right? but it is the same as the base_url23:29
ayoungWith the K2K blueprint, we have the potential for something even wider, a distributed system with no backchannel23:29
morganfainbergayoung, no actually i'm going to argue it is likely not going to *solve* the issue of reducing network traffic because you're *still* sending the 1,7k or 10k or <insert size of token> to the endpoint.23:29
morganfainbergayoung, and tokens are meant to be *very* short lived [future talking]23:29
morganfainbergso the caching of the data is at best, minimal scaling benefit without solving the issue people are complaining about23:29
morganfainbergand using the cookie-model for looking up the cache23:29
morganfainbergif people really only want UUID tokens we should provide those not something that sort-of-behaves like them after the first request23:30
ayoungmorganfainberg, an ethernet frame is 1K.  Adding a token to a request at most adds a small handful of  ethernet frames to the round trip.  Doing an online token validation reuquires multiple round trips.23:30
ayoungmorganfainberg, we'll be back to token being bearer tokens, with only admin users being able to validate.23:32
morganfainbergayoung, i'm really not buying this.23:32
morganfainbergayoung, sorry.23:32
ayoungNo way to do ephemeral, no way for a non-privildeged user to validate23:32
ayoungno way to share tokens between untrusted sources23:32
jamielennoxgyee: the argument for unscoped catalogs is to make the workflow less awkward when you're sometimes dealing with scoped tokens and sometimes dealing with unscoped and you have to go and figure out which23:32
ayoungA UUID token is the complete keys to the kingdon23:32
morganfainbergayoung, and you're *not* really solving the complaint with your new cookie system23:33
ayoungcookies are an incremental optimization23:33
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api  https://review.openstack.org/10917023:33
*** richm has quit IRC23:34
morganfainbergayoung, only sortof23:34
morganfainbergayoung, it's not even a *good* optimisation afaict23:34
ayoungmorganfainberg, cookies are between client and server only.  Add on a form of "same source" lock down and there is no additional exposure23:34
ayoungmorganfainberg, it is what most websites do already23:34
jamielennoxis this the 'session tokens' thing? i though morganfainberg agreed with that one?23:34
morganfainbergjamielennox, no this is the cookie hashing thing the endpoint does23:35
ayoungwhen you do user-id/password auth (or Kerberos for that matter) it caches the authentication and issues you a session cookie23:35
morganfainbergthen you keep using that cookie to talk to the endpoint23:35
ayounghttps://review.openstack.org/#/c/109295/  jamielennox23:35
jamielennoxi have not heard of this concept...23:35
ayoungmorganfainberg, SAML and Oauth are built on that mechanism already23:36
morganfainbergayoung, not really23:36
ayoungmorganfainberg, yes really23:36
morganfainbergayoung, no, not really23:36
gyeejamielennox, I am arguing you don't need to, you can always use the base url23:36
ayoungyou don;t send the authorization data more than once23:36
ayoungafter that it is cookied23:36
*** ncoghlan_afk is now known as ncoghlan23:37
morganfainbergayoung, except... you would ask the original source each time you go to an endpoint *anyway*23:37
ayoungnope23:37
morganfainbergayoung, a new endpoint, sorry23:38
ayoungyou go to gerrit, and it redirects yo to laucnpad23:38
ayoungthat is good for a while23:38
morganfainbergayoung, you wouldn't use the same assertion on site XYZ and ZZZ23:38
jamielennoxayoung: sorry it just sounds kind of complicated and with not a lot of value23:38
morganfainbergyou're arguing i login to gerrit via LP, then i go to wiki.openstack.org and don't need to login again23:38
ayoungjamielennox, It was a response to the Swift folks comlaining about the size of the tokens.  Instead of telling them to Hash and hit keystone, they can cache for additional round trips23:39
morganfainbergbut my auth data is already there23:39
jamielennoxgiven that UUID tokens are memcached anyway it just seems like if this is a problem you should use uuids23:39
morganfainbergthat isn't how those work23:39
morganfainbergi would need to login again at wiki.openstack.org, then it's a cookie i can use there.23:39
ayoungmorganfainberg, no, I'm arguing that after you go to wiki.openstack.org and hand over your launchpad oauth token, wiki.  sets a session cookie23:39
ayoungjamielennox, yes, it is using UUIDs, but the UUIDs would be generated by the service, and would not be usable on any other service23:40
ayoungthat is a hell of a lot more secure than handing around a UUID token to ever one23:40
morganfainbergayoung, i'm really not convinced this is solving the issue.23:40
jamielennoxayoung: yea, i see what you're trying to do23:40
*** alex_xu has quit IRC23:41
ayoungmorganfainberg, I'm in no rush to implement that Blueprint, but if the question comes up, I have it to point to, and we can battle it out until then23:41
ayoungOK< family dinner time.23:42
*** ayoung is now known as ayoung-food23:42
*** arun_kant has quit IRC23:42
*** dims_ has joined #openstack-keystone23:43
jamielennoxit's an interesting idea23:44
*** oomichi has joined #openstack-keystone23:45
jamielennoxit means you would need an auth URL on every service?23:45
*** dims_ has quit IRC23:47
jamielennoxi'm just not sure if we add another round trip if it's worth it for token size23:48
morganfainbergjamielennox, i have a few other thoughts on what can be done.23:49
jamielennoxi've also got no idea how you would go about easing it in23:49
morganfainbergjamielennox, but i need to actually do a POC of them.23:49
gyeeif discovery is going to be a permanent fixture, you'll always get back a base url anyway23:49
morganfainbergoh phew it's only 5. thought i missed an appointment23:50
gyeeeven JSON home have the base URL I think23:50
* morganfainberg has been staring at too much token code23:50
morganfainbergoh crap, i needed to bug marekd and stevemar today23:50
stevemarmorganfainberg, bug me in a few hours?23:50
morganfainbergstevemar, sure, like ... uh... in like ~4hrs?23:51
jamielennoxgyee: yes you'll get a base url back from discovery23:51
stevemarmorganfainberg, that works for me23:51
morganfainbergor 3.523:51
jamielennoxgyee: essentially my problem comes from the way that the client is structured i guess23:51
morganfainbergstevemar, it's about saml auth plugin...and that we have a custom-token format for it23:51
morganfainbergstevemar, so... be prepared :P23:51
gyeejamielennox, I totally understand the problem23:52
jamielennoxit can make sense to re-use the auth_url if you called like auth_plugin.list_projects()  - which is something i'm considering23:52
jamielennoxthe way the client is structured now is very indifferent to whether you have a scoped token or not - for 90% of calls it just fails if you don't have a scope23:53
jamielennoxgiven that layout it would help things along a lot if the tokens were more similar - and i don't see any reason you shouldn't have the catalog there23:54
gyeechanging protocol to accomplish code structure seem like a bad tradeoff though23:55
gyees/accomplish/accompany/23:55
jamielennoxsure but to my thinking it really should always have been there23:55
jamielennoxi mean the catalog is the list of services this token can interact with23:56
gyeefirst thing we need to figure out is a consistent flow23:56
jamielennoxand the list of services that an unscoped token can interact with is keystone23:56
stevemarmorganfainberg, go on...23:56
morganfainbergstevemar, you said in a couple hours! :P23:56
morganfainbergstevemar, >.>23:56
gyeejamielennox, from a purest standpoint, you are absolutely right, there's no unscoped token23:57
morganfainbergstevemar, i've got plenty to do between now and then if you're busy (or can even be tomorow)23:57
gyeean unscoped token is implicitly scoped to keystone23:57
gyeebut since you already have the base url to begin with, there's no need to reconstruct it23:58
jamielennoxgyee: ++, IMO service scoped tokens are something that is coming - an unscoped token is simply a keystone scoped token23:58
morganfainbergjamielennox, ++23:58
gyeeoh I am all for service-scoped token23:59
« Wednesday, 2014-07-23 Index Friday, 2014-07-25 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!