Wednesday, 2014-08-06

*** ncoghlan is now known as ncoghlan_afk00:01
*** ncoghlan_afk is now known as ncoghlan00:03
*** ncoghlan is now known as ncoghlan_afk00:04
*** yasukun has joined #openstack-keystone00:11
*** ayoung has joined #openstack-keystone00:22
openstackgerrit: A change was merged to openstack/keystonemiddleware: Convert auth_token middleware to use sessions
*** ncoghlan_afk is now known as ncoghlan01:00
openstackgerrit: A change was merged to openstack/keystonemiddleware: Updated from global requirements
*** mitz has quit IRC01:10
*** mitz has joined #openstack-keystone01:11
*** gyee has quit IRC01:12
morganfainberg: jamielennox, shameless plug :P
jamielennox: morganfainberg: done [01:14]
jamielennox: so many proposals [01:14]
morganfainberg: i know [01:14]
jamielennox: i think i voted on about a dozen before giving up [01:14]
morganfainberg: i also think the site for voting is bad [01:15]
morganfainberg: i hate the "random" thing [01:15]
morganfainberg: give me a list so i can compare and see if one company has submitted the *same* talk 5 times but with different people and slightly different wording [01:15]
morganfainberg: a list by category would be fine [01:15]
*** marcoemorais has quit IRC01:16
jamielennox: list by category can be done [01:16]
jamielennox: well, random by category [01:16]
*** gokrokve has joined #openstack-keystone01:21
morganfainberg: jamielennox, the random part is the part i dislike, [01:35]
*** amcrn has quit IRC01:36
*** hrybacki has quit IRC01:41
openstackgerrit: wanghong proposed a change to openstack/python-keystoneclient: expose the revoke token for V3
*** shufflebot has joined #openstack-keystone01:48
openstackgerrit: A change was merged to openstack/python-keystoneclient: Control identity plugin reauthentication
*** rwsu has quit IRC01:54
*** rwsu has joined #openstack-keystone02:07
*** shakamunyi has joined #openstack-keystone02:17
*** diegows has quit IRC02:22
jamielennox: is there a problem related to cinder mucking up the gate ATM? [02:32]
*** RockKuo_Office has joined #openstack-keystone02:44
*** gokrokve_ has joined #openstack-keystone02:56
openstackgerrit: Jamie Lennox proposed a change to openstack/keystonemiddleware: Create an Auth Plugin to pass to users
*** gokrokve_ has quit IRC02:58
*** gokrokve_ has joined #openstack-keystone02:59
*** gokrokve has quit IRC03:00
stevemar: morganfainberg, i don't think i can make role assignment notifications fit into the current decorator [03:00]
stevemar: that makes me sad [03:00]
*** mrmoje has quit IRC03:23
*** ncoghlan is now known as ncoghlan_afk03:27
jamielennox: morganfainberg: how far did you get converting people to middleware.auth_token [03:28]
*** gokrokve has joined #openstack-keystone03:30
*** gokrokve_ has quit IRC03:34
*** ayoung has quit IRC03:34
*** richm has quit IRC03:40
openstackgerrit: A change was merged to openstack/keystone: Refactor existing endpoint filter tests
*** ncoghlan_afk is now known as ncoghlan03:46
*** gokrokve has quit IRC03:51
*** gokrokve has joined #openstack-keystone03:51
*** ncoghlan is now known as ncoghlan_afk04:16
*** hrybacki has joined #openstack-keystone04:25
*** gokrokve has quit IRC04:33
*** gokrokve has joined #openstack-keystone04:35
*** jasondotstar has joined #openstack-keystone04:38
*** jasondotstar has quit IRC04:43
*** ncoghlan_afk is now known as ncoghlan04:46
*** k4n0 has joined #openstack-keystone04:47
*** jkappert has quit IRC04:51
*** jkappert has joined #openstack-keystone04:52
*** jaosorior has joined #openstack-keystone04:53
*** hrybacki has quit IRC04:55
*** jasondotstar has joined #openstack-keystone04:56
*** ajayaa has joined #openstack-keystone04:57
*** ncoghlan is now known as ncoghlan_afk05:01
stevemar: i think i found the least invasive way to get notifications on role assignments yay [05:06]
*** chandankumar has joined #openstack-keystone05:06
*** jasondotstar has quit IRC05:19
*** gokrokve has quit IRC05:24
stevemar: is this even used:
*** afazekas has quit IRC05:34
*** ncoghlan_afk is now known as ncoghlan05:41
*** ajayaa has quit IRC05:49
*** gokrokve has joined #openstack-keystone05:52
*** gokrokve has quit IRC05:55
*** gokrokve has joined #openstack-keystone05:56
*** gokrokve has quit IRC06:00
*** ajayaa has joined #openstack-keystone06:02
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Add notification for grant created and deleted events
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** mitz has quit IRC06:07
openstackgerrit: Ajaya Agrawal proposed a change to openstack/keystone: Implemented caching in identity layer.
*** mitz has joined #openstack-keystone06:09
*** tomoiaga has joined #openstack-keystone06:09
*** afazekas has joined #openstack-keystone06:13
*** shakamunyi has quit IRC06:16
*** chandankumar has quit IRC06:18
*** k4n0 has quit IRC06:18
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Remove unused function
*** gokrokve has joined #openstack-keystone06:21
*** chandankumar has joined #openstack-keystone06:22
*** gokrokve_ has joined #openstack-keystone06:25
*** gokrokve has quit IRC06:26
*** zigo has quit IRC06:28
*** gokrokve_ has quit IRC06:31
*** henrynash has joined #openstack-keystone06:32
*** zigo has joined #openstack-keystone06:33
*** ukalifon has joined #openstack-keystone06:42
*** henrynash has quit IRC06:44
*** ukalifon1 has joined #openstack-keystone06:46
*** stevemar has quit IRC06:50
*** marekd|away is now known as marekd07:15
*** gokrokve has joined #openstack-keystone07:22
*** gokrokve has quit IRC07:27
*** andreaf has quit IRC07:35
*** andreaf has joined #openstack-keystone07:35
openstackgerrit: wanghong proposed a change to openstack/keystone: V2 token from trust cannot be generated with user/pass
*** henrynash has joined #openstack-keystone07:44
*** tomoiaga has quit IRC07:49
openstackgerrit: Marek Denis proposed a change to openstack/keystone: Add documentation on LDAP 'user_id_attribute'
*** tomoiaga has joined #openstack-keystone07:53
openstackgerrit: Qin Zhao proposed a change to openstack/python-keystoneclient: Fix the condition expression for ssl_insecure
*** tellesnobrega1 has joined #openstack-keystone07:58
*** notmyname has quit IRC07:58
*** tellesnobrega has quit IRC07:58
*** wanghong has quit IRC07:59
*** notmyname has joined #openstack-keystone07:59
openstackgerrit: Jamie Lennox proposed a change to openstack/keystonemiddleware: Load session from builtin session loader
*** gokrokve has joined #openstack-keystone08:22
*** gokrokve has quit IRC08:26
*** mrmoje has joined #openstack-keystone08:43
*** henrynash has quit IRC08:45
*** huats_ has joined #openstack-keystone08:52
*** raildo1 has quit IRC08:53
*** gmurphy has quit IRC08:53
*** Guest26240 has quit IRC08:53
*** ByteSore has quit IRC08:53
*** ashepelev has quit IRC08:53
*** raildo has joined #openstack-keystone08:53
*** huats has quit IRC08:54
*** gmurphy has joined #openstack-keystone08:54
*** ByteSore has joined #openstack-keystone08:54
openstackgerrit: Ilya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database
openstackgerrit: Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** ashepelev has joined #openstack-keystone08:55
*** ajayaa has quit IRC09:03
*** wanghong has joined #openstack-keystone09:18
*** gokrokve has joined #openstack-keystone09:22
*** toddnni has quit IRC09:23
*** ajayaa has joined #openstack-keystone09:26
*** gokrokve has quit IRC09:27
openstackgerrit: Qin Zhao proposed a change to openstack/python-keystoneclient: Fix the condition expression for ssl_insecure
*** ncoghlan has quit IRC09:32
*** ajayaa has quit IRC09:43
*** toddnni has joined #openstack-keystone09:50
openstackgerrit: Matthieu Huin proposed a change to openstack/keystone: Check for empty string value in REMOTE_USER
*** ajayaa has joined #openstack-keystone10:05
*** ajayaa has quit IRC10:20
*** henrynash has joined #openstack-keystone10:22
*** gokrokve has joined #openstack-keystone10:22
*** yasukun has quit IRC10:26
*** toddnni has quit IRC10:27
*** toddnni has joined #openstack-keystone10:27
*** gokrokve has quit IRC10:28
*** jamielennox has quit IRC10:34
*** jamielennox has joined #openstack-keystone10:35
*** ajayaa has joined #openstack-keystone10:44
*** henrynash has quit IRC10:45
*** henrynash has joined #openstack-keystone10:50
*** jamielennox is now known as jamielennox|away10:57
*** diegows has joined #openstack-keystone11:09
*** henrynash has quit IRC11:15
*** amcrn has joined #openstack-keystone11:17
*** amcrn has quit IRC11:18
*** amcrn has joined #openstack-keystone11:18
*** amcrn has quit IRC11:24
*** RockKuo_Office has quit IRC11:25
marekd: thanks mhu [11:41]
*** henrynash has joined #openstack-keystone11:50
*** miqui has quit IRC12:10
*** stevemar has joined #openstack-keystone12:17
*** ajayaa has quit IRC12:20
*** gokrokve has joined #openstack-keystone12:22
*** gokrokve has quit IRC12:26
openstackgerrit: Marcos Fermín Lobo proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints
*** gordc has joined #openstack-keystone12:47
openstackgerrit: Steve Martinelli proposed a change to openstack/identity-api: Add OS-FEDERATION section to scoped federation tokens
*** cjellick has joined #openstack-keystone12:55
openstackgerrit: henry-nash proposed a change to openstack/identity-api: Extension for endpoint policy association.
*** bknudson has quit IRC13:14
*** vhoward has left #openstack-keystone13:18
openstackgerrit: A change was merged to openstack/keystone: Remove unused function
marekd: six is a stdlib or 3rd party? [13:22]
*** gokrokve has joined #openstack-keystone13:22
*** richm has joined #openstack-keystone13:23
*** chandankumar has quit IRC13:23
dstanek: marekd: third party [13:24]
dstanek: i have a patch for the commit i just approved [13:24]
dstanek: marekd: i didn't want to have people go back and +2 it again [13:25]
marekd: dstanek: what patch? [13:25]
dstanek: marekd: i haven't pushed it yet...waiting about 10 more mins for yours to merge [13:25]
marekd: ah this... [13:26]
dstanek: i couldn't get git-review not to rebase and want to re-push yours [13:26]
marekd: sure, thanks for +A [13:27]
marekd: it will be finally merged. [13:27]
marekd: and thanks for not losing other +2s. [13:27]
*** wchrisj has joined #openstack-keystone13:28
*** gokrokve has quit IRC13:28
*** wchrisj has left #openstack-keystone13:29
*** hrybacki has joined #openstack-keystone13:30
*** ayoung has joined #openstack-keystone13:31
*** bknudson has joined #openstack-keystone13:32
marekd: dstanek: i think urlencode from six will not work for strings. Do you have something instead of that? [13:32]
marekd: i already have a string and simply need to urlencode it. [13:32]
dstanek: marekd: what do you mean by that? you have a string that you want to urlencode to be something like a query param? [13:33]
marekd: yes, escape some characters etc. [13:34]
dstanek: and then what are you doing with the string? [13:34]
*** jasondotstar has joined #openstack-keystone13:34
marekd: sending as a request body. [13:35]
dstanek: marekd: does quote work for you then? [13:35]
dstanek: marekd: also i think many client libraries will take care of that for you. do you have sample code? [13:36]
marekd: dstanek: line 608 [13:36]
marekd: this is what i was doing but that's not Py3 compatible, right? [13:37]
marekd: and without that I am getting HTTP 500 :/ [13:37]
*** gokrokve has joined #openstack-keystone13:37
*** jasondotstar has quit IRC13:40
dstanek: marekd: yeah, you'll have to import it from six [13:40]
openstackgerrit: A change was merged to openstack/python-keystoneclient: List federated projects and domains
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events
openstackgerrit: David Stanek proposed a change to openstack/python-keystoneclient: Fixes import grouping
marekd: dstanek: but what exactly? [13:41]
*** gokrokve has quit IRC13:42
marekd: dstanek: i think you can post your patch [13:44]
dstanek: marekd: already done ^ [13:45]
marekd: dstanek: aha, ok [13:45]
dstanek: marekd: for six you import 'from six.moves import urllib' [13:45]
dstanek: and then i think it's urllib.parse.quote [13:45]
marekd: dstanek: dstanek yessssssssssssssssssssssssss [13:46]
dstanek: six.moves makes everything look like the new py3 structure [13:46]
*** chandankumar has joined #openstack-keystone13:46
*** radez_g0n3 is now known as radez13:49
dstanek: marekd: better? [13:51]
marekd: dstanek: perfect! [13:52]
dstanek: marekd: nice [13:52]
*** jasondotstar has joined #openstack-keystone13:54
marekd: dstanek: thanks [13:54]
*** vhoward has joined #openstack-keystone13:56
*** saipandi has joined #openstack-keystone14:02
dstanek: marekd: yw [14:05]
*** shakamunyi has joined #openstack-keystone14:08
*** joesavak has joined #openstack-keystone14:12
*** vhoward has left #openstack-keystone14:14
*** ukalifon1 has quit IRC14:22
ayoung: dstanek, saw this in tox run on the client [14:23]
ayoung: No distributions matching the version for oslo.config>= (from -r /opt/stack/python-keystoneclient/requirements.txt (line 6)) [14:23]
ayoung: have you seen that before? [14:23]
ayoung: I needed to rebuild the venv due to jamielennox|away's httpretty evisceration. [14:24]
dstanek: ayoung: i have not, but i'm trying to reproduce it now [14:24]
*** gokrokve has joined #openstack-keystone14:24
ayoung: dstanek, thanks [14:24]
dhellmann: ayoung: your virtualenv/pip/tox might be a little old. There are some versions that don't automatically install wheels. [14:25]
ayoung: dhellmann, I need an updated tox? [14:25]
dstanek: dhellmann: do you know what version changed that? [14:25]
dhellmann: dstanek: I don't off the top of my head, no. [14:25]
ayoung: What is a Wheel? [14:26]
dstanek: ayoung: i'm also on 1.6.1 [14:26]
dhellmann: ayoung: what pip and virtualenv? [14:26]
dhellmann: ayoung: a python package type [14:26]
ayoung: dhellmann, is it a new thing or something old? [14:26]
ayoung: pip 1.4.1 from /usr/lib/python2.7/site-packages (python 2.7) [14:26]
dhellmann: ayoung: it's not brand new, but it's newish
dhellmann: ayoung: I have pip 1.5.4, try updating pip first [14:28]
*** david-lyle has joined #openstack-keystone14:28
*** david-lyle has quit IRC14:28
*** david-lyle has joined #openstack-keystone14:28
ayoung: "To everything (churn. churn, churn) there is a version (churn. churn, churn) A new way to solve each problem, under Heaven...." [14:28]
dstanek: i don't actually have pip installed on the host - i depend on it being installed into the venv [14:29]
ayoung: dstanek, tox does that, right? [14:29]
ayoung: I just ran tox -r [14:29]
*** gokrokve has quit IRC14:30
dstanek: ayoung: yes, happens when tox creates the venv [14:30]
ayoung: so the only thing we can affect is tox version [14:30]
dstanek: and virtualenv [14:30]
dstanek: i don't have this issue btw [14:31]
dstanek: my virtualenv is 1.11.4 [14:31]
*** gokrokve has joined #openstack-keystone14:35
*** jsavak has joined #openstack-keystone14:44
*** jorge_munoz has joined #openstack-keystone14:45
*** henrynash has quit IRC14:45
*** joesavak has quit IRC14:48
*** thedodd has joined #openstack-keystone14:52
*** tomoiaga has quit IRC14:53
marekd: ayoung: mhu had the same problem yesterday [14:56]
marekd: mhu: ^^ [14:56]
mhu: ayoung, marekd : yes, I solved this when I updated virtualenv [14:59]
ayoung: mhu, testing that now. There is a 1.11 mrunge submitted on Koji [14:59]
mhu: ayoung, there's a thread in the ML about it [14:59]
marekd: mhu: what virtualenv ver do you have now? [14:59]
ayoung: sudo yum install
mhu: marekd: 1.11.6 [15:00]
*** jsavak has quit IRC15:01
*** richm has left #openstack-keystone15:10
*** gokrokve has quit IRC15:12
*** thiagop has joined #openstack-keystone15:16
thiagop: Hello everybody [15:17]
dstanek: ayoung: did updating virtualenv help [15:17]
dstanek: thiagop: hiya [15:17]
thiagop: stevemar: I'm having some troubles here to re-scope a federated token, can you help me? [15:17]
ayoung: dstanek, something failed, but not sure if it's the same.... [15:18]
*** joesavak has joined #openstack-keystone15:19
*** richm has joined #openstack-keystone15:24
*** thedodd has quit IRC15:29
*** joesavak has quit IRC15:32
openstackgerrit: Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS.
*** joesavak has joined #openstack-keystone15:33
*** thedodd has joined #openstack-keystone15:35
*** hrybacki has quit IRC15:40
*** joesavak has quit IRC15:47
*** mrmoje has quit IRC15:49
*** joesavak has joined #openstack-keystone15:50
*** gyee has joined #openstack-keystone15:54
*** gyee has quit IRC15:54
*** jsavak has joined #openstack-keystone15:56
*** joesavak has quit IRC16:00
*** ukalifon has joined #openstack-keystone16:00
*** chandankumar has quit IRC16:01
*** gyee has joined #openstack-keystone16:01
*** jorge_munoz has quit IRC16:14
*** marcoemorais has joined #openstack-keystone16:21
*** gokrokve has joined #openstack-keystone16:24
*** thedodd has quit IRC16:45
*** henrynash has joined #openstack-keystone16:47
*** thedodd has joined #openstack-keystone16:48
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence
stevemar: dolphm, piiiiiiiiing [16:54]
openstackgerrit: Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite authentication support
*** hrybacki has joined #openstack-keystone17:11
*** hrybacki has quit IRC17:12
*** hrybacki has joined #openstack-keystone17:12
*** spandhe has joined #openstack-keystone17:16
*** KimJ has joined #openstack-keystone17:18
*** spandhe has quit IRC17:20
*** spandhe has joined #openstack-keystone17:24
*** gokrokve has quit IRC17:25
*** gokrokve has joined #openstack-keystone17:25
*** thiagop has quit IRC17:32
*** packet has joined #openstack-keystone17:35
*** bobt_ has joined #openstack-keystone17:41
*** packet has quit IRC17:41
openstackgerrit: David Stanek proposed a change to openstack/keystone: Fixes eventlet server SIGHUP handling
openstackgerrit: David Stanek proposed a change to openstack/keystone: Fixes eventlet server SIGHUP handling
*** afazekas has quit IRC17:52
*** amerine has quit IRC17:56
*** amerine_ has joined #openstack-keystone17:56
dstanek: stevemar: hiya [18:04]
*** ayoung has quit IRC18:24
*** henrynash has quit IRC18:25
*** henrynash has joined #openstack-keystone18:28
openstackgerrit: David Stanek proposed a change to openstack/keystone: Refactor some names in templated catalog backend
*** ukalifon has quit IRC19:01
*** marcoemorais has quit IRC19:01
*** marcoemorais has joined #openstack-keystone19:02
*** ukalifon has joined #openstack-keystone19:03
dstanek: morganfainberg: ping [19:06]
openstackgerrit: A change was merged to openstack/keystone: Remove `with_lockmode` use from Trust SQL backend.
*** ukalifon has quit IRC19:15
*** shakamunyi has quit IRC19:17
openstackgerrit: David Stanek proposed a change to openstack/keystone: Remove S3 middleware tests from tox.ini
*** jorge_munoz has joined #openstack-keystone19:29
*** ayoung has joined #openstack-keystone19:31
*** Guest27295 is now known as mgagne19:31
*** mgagne has quit IRC19:31
*** mgagne has joined #openstack-keystone19:31
*** radez is now known as radez_g0n319:32
*** jsavak has quit IRC19:44
*** marcoemorais has quit IRC19:53
*** marcoemorais has joined #openstack-keystone19:54
*** hrybacki has quit IRC19:59
*** joesavak has joined #openstack-keystone20:03
*** marcoemorais has quit IRC20:04
*** marcoemorais has joined #openstack-keystone20:04
*** marcoemorais has quit IRC20:04
*** marcoemorais has joined #openstack-keystone20:04
*** hrybacki has joined #openstack-keystone20:08
*** joesavak has quit IRC20:08
*** cjellick_ has joined #openstack-keystone20:13
*** cjellick_ has quit IRC20:14
*** cjellick_ has joined #openstack-keystone20:15
*** cjellick has quit IRC20:15
*** huats_ is now known as huats20:19
*** amcrn has joined #openstack-keystone20:21
*** amcrn has quit IRC20:21
*** amcrn has joined #openstack-keystone20:22
*** amcrn has quit IRC20:22
*** amcrn has joined #openstack-keystone20:23
rodrigods: marekd, quick question about k2k: considering the example given in the spec, when will BETA's region with its URL be added? When registering it as service provider? [20:27]
marekd: rodrigods: I can see that this way. [20:28]
rodrigods: marekd, cool [20:28]
marekd: rodrigods: usually federation requires some configuration (metadata exchange, registering idp, adding mapping rules, protocol) [20:28]
marekd: rodrigods: so this region would be a next step in the configuration. [20:28]
stevemar: dstanek, hey dude [20:29]
dstanek: stevemar: howdy [20:29]
dstanek: i don't remember what i wanted now :-( but i did answer your decorator question (i think) [20:30]
stevemar: dstanek, awesomeo, thanks for reviewing, i also wasn't a fan of the branching crap going on [20:30]
rodrigods: marekd, yeah... was thinking about ACME's users side [20:30]
stevemar: dstanek, but i wanted to be as non-invasive as possible [20:31]
marekd: rodrigods: heh, ACME was a SP or IdP (can't remember atm) [20:31]
marekd: rodrigods: what are your concerns? [20:32]
stevemar: dstanek, so i should mimic the ManagerNotificationWrapper? seems like a lot of code to dupe :( [20:32]
stevemar: also, do you think it's worth keeping the change to _send_notification? (from resource_id to payload?) [20:33]
dstanek: stevemar: i don't think you should dup the code...but i don't know how i would break that up [20:33]
rodrigods: marekd, ACME is the original keystone, that is bursting to BETA [20:33]
dstanek: stevemar: if you are not going to be working on it tonight i can take a deeper look [20:33]
marekd: rodrigods: so IdP. [20:34]
rodrigods: marekd, I was trying to figure out, in which step BETA's URL would appear at ACME's service catalog [20:34]
dstanek: stevemar: wasn't that because you have more data for that particular event? [20:34]
marekd: rodrigods: when should it be added or when should it be present in the Service Catalog? [20:34]
stevemar: dstanek, i was going to duplicate it and take out the arg_index crap [20:34]
rodrigods: marekd, both [20:35]
stevemar: create a payload, and use _send_notification [20:35]
marekd: rodrigods: i'd say added when the cloud admins configure federation between clouds. [20:35]
marekd: rodrigods: when it should appear in the SC...let me take a look at the spec [20:37]
marekd: rodrigods: because there were many potential ways and I cannot recall the final one. [20:37]
rodrigods: marekd, ok [20:37]
stevemar: bknudson, thanks for the OSC reviews regarding oslo.i18n [20:37]
bknudson: stevemar: looked like one of them was a wip [20:37]
stevemar: bknudson, i think maybe the last one in the set, i had changed most of the error messages over, but not the help text :( [20:38]
marekd: rodrigods: it looks like both steps are described in the spec. [20:39]
marekd: rodrigods: adding a region is listed under Figure 1. [20:39]
marekd: rodrigods: and it looks like after marek@ACME authenticated himself with ACME he will get a Service Catalog with all regions (clouds) where he can burst into. [20:40]
marekd: rodrigods: see desc. under Fig 2. [20:40]
rodrigods: marekd, so, (1) Add BETA as an SP, right [20:40]
rodrigods: marekd, thanks [20:41]
marekd: rodrigods: Cloud Implementer at ACME adds BETA as V3 Regions, supplying BETA’s external authentication URL. [20:41]
rodrigods: marekd, I'm there, thanks [20:42]
marekd: rodrigods: cool. [20:43]
*** amcrn has quit IRC20:50
*** arborism has joined #openstack-keystone20:51
*** arborism is now known as amcrn20:53
*** joesavak has joined #openstack-keystone20:53
stevemar: dstanek, if you could look @ role assignment stuff tonight that would be super awesome [20:54]
dstanek: stevemar: shore [20:54]
stevemar: dstanek, yay, i owe you many beer [20:54]
*** stevemar has quit IRC21:00
*** joesavak has quit IRC21:04
*** huats has quit IRC21:16
*** hrybacki has quit IRC21:27
*** chellygel has joined #openstack-keystone21:28
*** saipandi has quit IRC21:28
*** chellygel has left #openstack-keystone21:28
*** cjellick has joined #openstack-keystone21:29
*** cjellick has quit IRC21:30
*** cjellick_ has quit IRC21:33
*** amcrn has quit IRC21:34
openstackgerrit: ayoung proposed a change to openstack/keystone-specs: Endpoint policy extension
*** marzif_ has joined #openstack-keystone21:52
*** hrybacki has joined #openstack-keystone21:58
morganfainberg: henrynash, ping re email stuff [21:58]
morganfainberg: henrynash, do you have a real use case where you're filtering on email addresses? [21:58]
henrynash: morganfainberg: hi [21:58]
morganfainberg: henrynash, it seems a little odd as first-class metadata (even though it is common) [21:58]
henrynash: morganfainberg: I must admit, I don’t.... [21:58]
morganfainberg: henrynash, i am concerned about making more first-class columns + optional (i admit i *HATE* extra) unless we really need it. not opposed, just was looking for a "why" (specific use case) [21:59]
henrynash: morganfainberg: Others have been pushing this (Juan)…and seemed unable to put a spec up…so I wrote it up for us to force the issue one way or the other [22:00]
morganfainberg: henrynash, sure ok so i'd like to get Juan to comment the real use case [22:00]
morganfainberg: i get the feeling that "we wanted to make the username email addresses but in the past ran into XXXX issue doing so, now we want to fix it" [22:00]
morganfainberg: is the answer [22:00]
henrynash: morganfainberg: that’s fair enough….there’s a bug report I think that mentions it….someone was writing a custom client (since our client explicitly supports email)….and then discovered email wasn’t there [22:01]
morganfainberg: w/o impacting current usernames. [22:01]
ayoung: morganfainberg, I'ma +2ing youses patches [22:01]
morganfainberg: ayoung, tyvm. [22:02]
ayoung: De Nada [22:02]
morganfainberg: ayoung, i'll rebase them here shortly (out of date) [22:02]
ayoung: morganfainberg, I like where it is headed [22:02]
morganfainberg: ayoung, need to solve the domain idp issue and i can get the rest of them done [22:02]
morganfainberg: ayoung, and as long as we all agree on it, i'm content with the direction (at this point as long as the solution isn't brittle, i'm happy) [22:03]
ayoung: Heh...I think I've made my view on that topic clear. I'll leave it to you to do the right thing [22:03]
morganfainberg: ayoung, as long as we can make it not-brittle, i'm ok with whichever direction. [22:03]
morganfainberg: ayoung, so, i'll bug dolphm (hope everything is ok on that front) and folks tomorrow [22:03]
morganfainberg: and we can get steve's fix rolling (either way). [22:04]
morganfainberg: ayoung, this one: needs to go in before the others do. [22:06]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api
morganfainberg: henrynash, ok commented on it and added a -1, but if others see a benefit i won't re-add the -1 on subsequent patches [22:08]
morganfainberg: ayoung, you have a fedora (modern vintage) handy right? [22:08]
morganfainberg: ayoung, is there an apachectl or good way to know if apache 2.4 is installed instead of 2.2 in RHEL/Cent/Fedora ? [22:08]
morganfainberg: short of "just knowing what ships with the distro" [22:09]
morganfainberg: henrynash, or will zero the score as needed [22:10]
*** amcrn has joined #openstack-keystone22:10
morganfainberg: ayoung, henrynash, second (unrelated) question: any opinion on an "attribute exists" policy rule language format (e.g. this token doesn't have domain_id but has project_id)? [22:10]
*** bknudson has quit IRC22:11
ayoung: morganfainberg, Ah, so we are renaming the basic token API operations to be specifically token persistence. I like [22:11]
morganfainberg: ayoung, yep! makes it a lot easier to control how we get tokens / interact with persistence [22:11]
ayoung: morganfainberg, um....I would say that it would be a reject [22:12]
ayoung: we need to explicitly match or reject [22:12]
morganfainberg: so how do we say in the policy language reject if the token is domain scoped [22:12]
*** henrynash has quit IRC22:12
ayoung: morganfainberg, rpm -q is the Fedora way [22:13]
morganfainberg: there is no "does this exist" language in the rules engine [22:13]
morganfainberg: or make sure XXX doesn't exist [22:13]
ayoung: if you mean something that is outside of the RPM mechanism, it wouldn't be Fedora [22:13]
morganfainberg: ayoung, ok so i'll need to make devstack be rpm-aware in that case, it's fine, just seeing if there was an `apachectl` analogue before doing that :) [22:14]
ayoung: morganfainberg, the Oslo language is pretty clear [22:14]
ayoung: oslo-policy that is [22:14]
morganfainberg: ayoung, it is, but nova needs to say "domain scoped admin != admin" [22:14]
ayoung: let me see [22:14]
*** jorge_munoz has quit IRC22:14
morganfainberg: in their policy.json [22:14]
morganfainberg: right now they only check the role "admin" [22:14]
ayoung: morganfainberg, right. We have that rule in the cloudsample [22:15]
morganfainberg: this was a specific request to aid in the march towards v3 [22:15]
morganfainberg: ayoung, we can match "rule:admin_required and domain_id:admin_domain_id" but we can't say reject domain scoped tokens [22:15]
david-lyle: fun fact, no users in devstack are bootstrapped with a domain scoped role (truestory) [22:15]
ayoung: "cloud_admin": "rule:admin_required and domain_id:admin_domain_id", [22:15]
morganfainberg: ayoung, that is a positive match on a domain scoped token [22:16]
david-lyle: well maybe a heat user, but that doesn't help much [22:16]
ayoung: david-lyle, I think the current expected response is "Cool Story Bro" [22:16]
ayoung: morganfainberg, right [22:16]
morganfainberg: ayoung, nova wants a negative match e.g. reject all domain scoped tokens [22:16]
morganfainberg: ayoung, or .. only allow project scoped tokens, regardless of project [other filtering is done] [22:16]
ayoung: morganfainberg, then just enforce that the project_Id needs to match [22:17]
david-lyle: ayoung, excellent [22:17]
morganfainberg: ayoung, hmm. i think that breaks some other assumptions. [22:17]
morganfainberg: ayoung, i'll have to dig further. [22:17]
morganfainberg: ayoung, thanks [22:17]
ayoung: What is the API they want to call? [22:17]
ayoung: I mean, to say "you can call this on anything, so long as you have the admin role on any project" sounds suspect [22:18]
morganfainberg: ayoung, all nova apis should by default (from the request I got) tell domain scoped tokens to go fly a kite [22:18]
morganfainberg: but if it is a project scoped, admin is valid (backwards compat) even across projects [22:18]
ayoung: Um. That is gross [22:18]
morganfainberg: ayoung, it's a step towards real v3 support but we can't make the change all at once [22:18]
ayoung: Why does that make sense to anyone. [22:19]
morganfainberg: ayoung, right now it's if you have the admin role (domain, project, whatever) you're admin [22:19]
morganfainberg: except domain scoped tokens would break lots of things in weird and subtle ways [22:19]
ayoung: If Admin on project is acceptable, why wouldn't admin on domain be acceptable [22:19]
*** huats has joined #openstack-keystone22:19
*** huats has quit IRC22:19
*** huats has joined #openstack-keystone22:19
morganfainberg: get a domain scoped token and try and boot an instance for example [22:19]
morganfainberg: it just gets very odd [22:19]
ayoung: You should be admin on the project that owns that instance [22:19]
ayoung: not on all projects [22:20]
morganfainberg: i agree. [22:20]
morganfainberg: but that breaks backwards compat if we change that *now* [22:20]
morganfainberg: since previously the default policy allowed it [22:20]
ayoung: They actually fetch the objects before they enforce policy [22:20]
morganfainberg: if someone is using default policy and they upgrade and now can't act on things in their cloud, we get very grumpy/annoyed/angry deployers/users [22:21]
morganfainberg: because the policy enforcer prevents it [22:21]
ayoung: I'm missing something [22:22]
morganfainberg: ayoung, it's ok, i'll see if i can make this work w/o breaking people initially [22:23]
ayoung: If we said "admin is admin" and ignore the project in the token, it breaks...what? [22:23]
ayoung: Policy, or are they trying to use policy to keep their code from breaking? [22:23]
morganfainberg: ayoung, it's that there is a lot of assumption about projects existing in the context of the user [22:23]
morganfainberg: ayoung, so domain scoped tokens are invalid to nova [22:23]
morganfainberg: ayoung, and probably all projects *except* keystone initially [22:23]
*** marcoemorais has quit IRC22:24
*** joesavak has joined #openstack-keystone22:24
*** marcoemorais has joined #openstack-keystone22:24
ayoungthen let them write a middleware that rejects them.  But I suspect relying on policy to reject them across the board is going to fail22:24
*** david-lyle has quit IRC22:24
morganfainbergayoung, i need to look at it a bit more closely, i'll ask again when i have a better idea of what is going on.22:24
ayoungcuz its going to break before they get to policy22:24
morganfainbergayoung, i suspect there is some kind of really crazy/bad assumption22:24
*** david-lyle has joined #openstack-keystone22:25
*** david-lyle has quit IRC22:25
morganfainbergayoung, oh similar vein, should authcontextmiddleware decode the token or should keystone.wsgi?22:25
morganfainbergayoung, when interacting with keystone22:25
morganfainbergayoung, since we do it multiple times now :(22:25
*** david-lyle has joined #openstack-keystone22:25
ayoungmorganfainberg  ugh.  Yeah, about time to have that discussion22:25
*** bknudson has joined #openstack-keystone22:25
morganfainbergayoung, it's next on the hit list for token_api -> persistence22:26 we would ideally use auth_token middleware, but with local calls22:26
morganfainbergayoung, assuming that is a longer-term end-goal22:26
ayoungso that the logic is written once and only once22:26
ayoungthe  steps are:22:26
morganfainbergayoung, what would the initial case be as in, the short term token_api -> persistence and de-duping work22:26
ayoung1.  validate the signature22:26
ayoung2.  unpack22:26
morganfainbergayoung, so we know where we can plug auth_token in more easily22:26
ayoung3.  check revocations22:26
ayoungauth_token can do all that, but it calls into the client to get data from the server22:27
*** gordc has quit IRC22:27
ayoungideally, it would not reject a request due to no token, but we have an option for that.22:27
ayounglets do it in authcontextmiddleware22:28
morganfainbergayoung, ++ works for me. so w/o authcontextmiddleware we will not decode a token and basically be non-functional (i'm just making sure i plan the documentation "DO NOT REMOVE THIS FROM THE PIPELINE")22:28
ayoungmorganfainberg, so....policy22:29
*** david-lyle has quit IRC22:29
ayoungthat is currently handled by the controller base class22:30
*** bknudson has quit IRC22:30
morganfainbergayoung, correct.22:30
ayoungand that is where the token is expected to be unpacked22:30
morganfainbergayoung, it is expected to be unpacked by that point, but it does the unpacking22:30
morganfainbergayoung, it could reference the auth_context of the request directly, which is populated by authcontextmiddleware22:30
ayoungright...and it should22:30
ayoungI cut a corner there as I recall22:31
morganfainbergayoung, long term, it would be nice if we could move policy enforcement to middleware22:31
morganfainbergbut that might be a hard sell22:31
morganfainbergs/hard sell/massive work across all projects/22:31
ayoungI don't think we can.  I think making it a common library in keystoneclient is more likely22:31
ayoungthere is more logic in
morganfainbergayoung, there is22:32
ayoungrevoke by id ...
ayoungBut that should be OK.  We will have the ID and the unpacked token at that point.22:33
morganfainbergayoung, well we can cross generic policy bridge as we get there. i'm just looking to de-dupe the get token, unpack it we currently are doing22:33
ayoungauthcontext needs to reject an invalid token, but not enforce policy22:33
morganfainbergtwice-ish on all requests22:33
morganfainbergayoung, yeah that is easy enough to do.22:33
morganfainbergcool thanks22:33
ayoung        if not CONF.token.revoke_by_id:22:34
ayoung            self.token_api.token_provider_api.validate_token(22:34
ayoung                context['token_id'])  needs to move to middleware22:34
morganfainbergthat was the way i was headed, but needed a sanity check / 2nd brain22:34
ayoungthat was the mistake I made.  It should not be in policy enforcement22:34
morganfainbergeh, we all make mistakes22:34
morganfainbergthis one at least is an easy-ish fix22:34
ayoungNah,  I didn't have it clear at the time22:34
ayoungOK, so we are going to move the token fetch to...22:34
morganfainbergto authcontextmiddleware.22:35
ayoung  here is where I punted22:35
morganfainbergayoung, yah22:35
morganfainbergwe'll use that one (and i'll populate the context with the TokenModel i merged earlier)22:35
ayoungdoes your new code work around the cache issue I posted there?22:36
morganfainbergayoung, validate token is way smarter than when that was written22:36
morganfainbergayoung, it checks revocations and expiry22:36
ayoungOK,  we should be good to go then.  After authcontext middleware runs, the token is in the environment, and validate will accept the token data from there22:37
ayoung                    context['token_id'])  validates based on ID22:37
ayoungyeah, that should be simple to merge now22:38
ayoungthanks for cleaning out this particular stable22:38
*** thedodd has quit IRC22:41
*** jamielennox|away is now known as jamielennox22:42
*** joesavak has quit IRC22:43
*** bknudson has joined #openstack-keystone22:43
*** KimJ has quit IRC22:45
jamielennoxgyee: ugh, turns out that cinderclient is relying on specific behaviour from the errors in keystoneclient discovery22:47
jamielennoxgyee: so if i make this change: the gate fails22:48
ayoungjamielennox, sessions for auth token merged22:49
jamielennoxayoung: excellent, need to see if the 0.10 update has merged as well22:51
gyeejamielennox, really?!!22:51
jamielennoxgyee: yea, it's to do with that snippet you showed me22:51
ayoungjamielennox, BTW, I think your httpretty Exorcism is mucking with my latest tests for scoped/unscoped...discovery is now failing in the test22:51
ayoungI'm in the process of rebasing, but22:52
*** jaosorior has quit IRC22:52
ayoung+         self.stub_auth(json=self.TEST_RESPONSE_DICT)22:52
ayoung -        self.stub_url(method=httpretty.GET, body=self.TEST_DISCOVERY_RESPONSE)22:52
ayoungand that looks wrong...22:52
ayounglet me fix that22:52
jamielennoxso httpretty.GET -> 'GET'22:53
jamielennoxusing json= rather than body= just means that the library does the JSON encode22:53
jamielennoxgyee: so in gate there is the case where it is throwing a 404 error and so falling back to there other logic, if i change it to discovery error then it hits the except block and bails out22:54
gyeejamielennox, I see, so we have a bit of a decision to make22:54
ayoungjamielennox, it was,cm22:55
*** mrmoje has joined #openstack-keystone22:55
gyeewhat does DiscoveryError cover?22:55
bknudsonwhen I start devstack with ldap I get "ImportError: No module named ldappool"22:55
jamielennoxayoung: i've got 3 blog posts to write, one of them is an intro to requests-mock22:55
ayoungI assumed I need to hack off  @httpretty.activate  and change the httpretty.POST type values to "POST"22:55
ayoungjamielennox, I suspect you should add an equivalent to httpretty.POST22:56
jamielennoxayoung 'POST'22:56
jamielennoxayoung: i did22:56
jamielennoxit just isn't released yet22:56
jamielennoxi found a relatively major problem in the current release so i'll do another one soon22:56
gyeebknudson, ldappool is optional22:56
bknudsongyee: even if using ldap?22:57
bknudsondid I turn it on somehow?22:57
jamielennoxi'm just waiting for infra to approve the extra jobs because i want to test having -infra do the release rather than having to do it manually22:57
ayoungbknudson, yeah, pooling is optional22:57
gyeebknudson, no, what I mean is what's the process of adding optional requirements?22:57
gyeewe have requirements.txt and test-requirements.txt22:57
gyeebut no optional-requirements.txt22:57
ayoungjamielennox, is there a difference between 'POST' and 'post' and I assume we should use the all caps version?22:58
jamielennoxayoung: there's no difference, just http typically uses the uppercase22:58
*** bobt_ has quit IRC22:59
jamielennoxayoung: i've actually found a better option that looks much more requests-y, instead of doing register_uri('POST', ... i just added a method .post()22:59
*** jorge_munoz has joined #openstack-keystone22:59
bknudsongyee: there must be someplace in devstack where it installs extra packages...22:59
ayoungjamielennox, Something is different in how it is processing the Version data23:00
ayoungthe response looks like a valid response to me, but23:00
ayoungbody_resp = resp.json()23:00
ayounggets a value error23:00
jamielennoxayoung: paste the error and the diff for me23:00
jamielennoxgyee: can you have a look at your -1 on
ayoungjamielennox, running with tox is causing major spew, to the point that I can't find it.  I 'm in the debugger at the moment...23:00
jamielennoxthat's the unscoped catalog one23:00
gyeejamielennox, so cinder makes a distinction between DiscoveryError and HTTP error23:01
gyeeDiscoveryFailure means API is there but the response body is wrong23:01
jamielennoxif we kill the proposal then that's ok, but i've got like 4 weeks before i disappear for a while so i need to get that and moving if they are to be done for juno23:01
ayoungjamielennox, I'll paste the code I'm running through23:01
jamielennoxgyee: yep - which i had thought was a feature, i had let them be different on purpose23:02
gyeejamielennox, I'll change it to +0, I am not going to block it, but I am not sure if we really need it either23:02
jamielennoxmostly because a ConnectionError might be different23:02
jamielennoxgyee: that's ok - it turns people off reviewing when it's got a -1 though23:02
ayoungjamielennox,  is the code I'm calling23:03
ayoungI'll paste the test23:03
jamielennoxgyee: so what do you think we should do? if cinderclient is relying on that behaviour i'm not sure what option we have23:04
ayoungOK...I figured out the first mistake23:05
gyeejamielennox, how about catching just 404 and raise a DiscoveryNotSupported exception23:05
jamielennoxgyee: if DiscoverNotSupported is a subclass of DiscoveryError then it will still fail the cinder case23:05
gyeeeverything else would constitute DiscoveryFailure23:05
jamielennoxand if we do just that one case it would seem more logical to me to just let people catch the 404 error23:06
gyeewon't be a subclass23:06
ayoungjamielennox, the code looks like this
ayoungits failing on line 2623:06
gyeewe basically need to be able to distinguish API not supported versus some other error23:06
jamielennoxayoung: you don't want body=, if it's a dict you want json= if it's a string you want text=,23:07
jamielennoxgyee: yes, but we can do that now by catching DiscoveryError and HttpError separately23:08
gyeejamielennox, alrighty then23:08
jamielennoxgyee: i'm not advocating it - it's not ideal, but i think the best way around it is to document and require the current behaviour23:09
jamielennoxit's not wrong, you just have to be aware of what can be thrown23:09
*** jorge_munoz has quit IRC23:09
ayoungjamielennox, OK,  its probably something along those lines.  I'll dig in after dinner23:09
gyeejamielennox, make sense23:09
gyeeayoung, you dig in during dinner :)23:09
*** jorge_munoz has joined #openstack-keystone23:10
jamielennoxayoung, gyee: do you guys want to have a look at for me23:10
jamielennoxbe strict - this will have a huge impact on how middleware works23:10
ayoungjamielennox, I need to wrap my head around that.  Its ringing alarm bells, but might just be the Dinner bell23:12
gyeejamielennox, I actually like that patch23:12
jamielennoxayoung: no problem, i'm going to line up a few client/middleware patches for you and gyee23:12
gyeeno different than passing logger and memcache object in the env23:12
jamielennoxgyee: it will be really good to have landed23:12
jamielennoxit means the service won't have to deal with headers at all, just make a session with the provided auth plugin23:12
jamielennoxand pass that to whatever client they want23:13
gyeehell yeah!23:13
jamielennoxgyee: it's taken me a long time, but the session and plugin stuff is finally getting to the point i initially wanted23:14
gyeejamielennox, ++, next make the service user auth using version-agnostic auth plugin23:15
jamielennoxgyee: i've got the plugin in review, and prototypes for the service user23:16
jamielennoxi spun up a new devstack yesterday to try it out23:16
jamielennoxeasy code review along that path:
gyeejamielennox, are you going to backout that change to unbreak cinder? I can review it real quick23:18
jamielennoxgyee: yep23:18
jamielennoxi'll do it now23:18
ayoungok, I'm tracking...23:20
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make token_provider_api contain token persistence
morganfainbergbknudson, hah, i feel dumb for the exception remove / move / readd screwup in that big patchchain. :P23:28
bknudsonmorganfainberg: now you can see why I was confused about it23:29
morganfainbergbknudson, totally23:29
morganfainbergbknudson, this has been one of the largest patch chains i've had to manage in a while. i just stopped piling things on top of this change until i get it through cause it's giving me a headache trying to keep track of it all23:30
morganfainberg(and the rebasing)23:30
morganfainbergbut at least i hope i'm keeping the patches small enough to be reviewable.23:30
bknudsonmorganfainberg: it's harder when you try to fan-out23:30
morganfainbergbknudson, yeah.23:31
*** gokrokve has quit IRC23:32
*** gokrokve has joined #openstack-keystone23:32
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Isolate get_discovery function
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery
jamielennoxgyee: ^ i changed it slightly, i moved all of the except handling into the one place23:32
jamielennoxi think that way it is more consistent at least23:33
jamielennoxeveryone has to deal with HTTPError vs DiscoveryError, not just people consuming that one function23:33
gyeejamielennox, yeah, I think that's fine23:34
jamielennoxbknudson: i fixed up an issue i saw on and am hassling cinder-core to push it through23:35
bknudsonjamielennox: what's the issue?23:36
jamielennoxbknudson: you added keystonemiddleware but didn't remove keystoneclient from the dependencies23:36
jamielennoxi did check, they didn't have any other uses of it23:36
bknudsonjamielennox: ah... I suppose most of the projects don't use keystoneclient directly or have a use for it.23:37
jamielennoxyep, most just use it for auth_token23:37
bknudsonjamielennox: it's +A already23:40
jamielennoxbknudson: yea, i just got thingee to look at it in #cinder23:40
jamielennoxbknudson: there's some testing i want to do that requires it, i wrote my own patch for the conversion and then realized you had one23:41
bknudsonjamielennox: looks like that's the last one for keystonemiddleware.23:41
bknudsonoh, wait...23:41
bknudsonstill have marconi, heat, and ironic23:41
bknudsonjamielennox: do you need it in all the projects first?23:43
jamielennoxbknudson: wow, you did everybody, i don't generally get that far out into the non core projects23:43
jamielennoxbknudson: nah, basically i wanted cinder, nova and glance23:43
bknudsonjamielennox: yah, I'm crazy23:43
jamielennoxanyone else is a bonus23:43
jamielennoxdid trove do the convert?23:43
jamielennoxthey were the ones that were causing the problem with defining both a username/password and admin token in the gate that meant i couldn't land those changes in keystoneclient.auth_token23:44
jamielennoxi had a patch that landed in trove/stable that should have fixed it but i didn't chase up23:44
jamielennoxseems it worked though :)23:45
bknudsongyee fixed trove23:45
jamielennoxsee keystone isn't insular - we help everybody23:46
jamielennoxi got a rant the other day at an openstack mini-conf that keystone doesn't tell everyone about the changes we make, we just expect people to adopt what we tell them23:46
*** ncoghlan has joined #openstack-keystone23:47
morganfainbergjamielennox, so they want us to build everything by committee, polling the entire community?23:47
morganfainbergjamielennox, :P23:47
jamielennoxmorganfainberg: not sure, but they wanted us to explain our changes better - though in my experience when you start explaining changes in auth you can see people's eyes glaze over23:48
morganfainbergjamielennox, yeah so, we're implementing plugins to make it so .. wah wah wha wah wah wah wah... wah wha wah wah.. wah wah... wah wah wah... wah wah wah wah wah... </peanuts>23:49
morganfainberg"but you didn't tell us you were doing that!!!" uh.. yes we did, you just tuned it out23:49
jamielennoxmorganfainberg: heh, yep23:49
jamielennoxstill, i need to write up my stuff more23:50
morganfainbergi should "fix" my blog (it died)23:51
morganfainbergi have like 5 or six things to write up.23:51
jamielennoxi go through periods of how interested i am in it, but it shouldn't die23:52
*** amcrn has quit IRC23:57
*** amcrn has joined #openstack-keystone23:58
