Monday, 2014-08-11

*** ncoghlan has joined #openstack-keystone00:11
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Replace httpretty with requests-mock
*** jsavak has quit IRC00:35
*** diegows has quit IRC01:01
*** xianghui has joined #openstack-keystone01:11
*** ncoghlan is now known as ncoghlan_afk01:58
*** hrybacki has joined #openstack-keystone01:59
*** hrybacki has quit IRC02:04
*** bvandenh has joined #openstack-keystone02:20
*** bvandenh has quit IRC02:28
*** ayoung has quit IRC03:19
*** stevemar has joined #openstack-keystone03:25
openstackgerritJeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess
*** ncoghlan_afk is now known as ncoghlan03:29
*** chandankumar has joined #openstack-keystone03:33
*** nkinder_away has joined #openstack-keystone03:44
*** hrybacki has joined #openstack-keystone04:01
*** amirosh has joined #openstack-keystone04:05
*** hrybacki has quit IRC04:05
openstackgerritJeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess
*** chandankumar has quit IRC04:27
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Auth plugin serialization
*** chandankumar has joined #openstack-keystone04:38
*** Lily_shhqp has joined #openstack-keystone04:46
*** k4n0 has joined #openstack-keystone05:38
*** abhishekk has joined #openstack-keystone05:43
*** tomoiaga has joined #openstack-keystone05:54
*** stevemar has quit IRC06:01
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** xianghui has quit IRC06:05
*** Lily_shhqp has quit IRC06:06
*** xianghui has joined #openstack-keystone06:06
*** abhishekk has quit IRC06:12
*** abhishekk has joined #openstack-keystone06:13
*** zigo has quit IRC06:31
openstackgerritMarek Denis proposed a change to openstack/keystone: Remove _BaseFederationExtension.
*** zigo has joined #openstack-keystone06:36
*** abhishekk has quit IRC06:36
openstackgerritAbhishek Kekane proposed a change to openstack/keystone: Keystone service throws error on receiving SIGHUP
*** ajayaa has joined #openstack-keystone06:44
*** marekd|weekend is now known as marekd06:46
*** abhishekk has joined #openstack-keystone06:49
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Create an Auth Plugin to pass to users
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS.
*** ildikov has joined #openstack-keystone07:06
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Auth plugin serialization
openstackgerritKanagaraj Manickam proposed a change to openstack/keystone: endpoint table is missing reference to region table
*** jamielennox is now known as jamielennox|away07:28
*** jaosorior has joined #openstack-keystone07:29
*** junhongl has quit IRC07:49
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS.
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: convert the conf value into correct type
*** hrybacki has joined #openstack-keystone08:02
*** hrybacki has quit IRC08:07
*** ncoghlan has quit IRC08:11
*** afazekas_ has joined #openstack-keystone08:15
*** fifieldt__ has quit IRC08:16
*** fifieldt__ has joined #openstack-keystone08:18
ildikovhi All08:29
ildikovis there anyone around for answering some quick questions?08:29
*** k4n0 has quit IRC08:42
*** chandankumar has quit IRC08:48
*** henrynash has joined #openstack-keystone08:50
*** chandankumar has joined #openstack-keystone08:58
*** k4n0 has joined #openstack-keystone08:59
*** abhishekk has quit IRC09:06
*** abhishekk has joined #openstack-keystone09:06
mhumarekd, I got ECP working \o/ thanks again for your help on Friday09:08
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Group related methods for LDAP backend
*** oomichi has quit IRC09:09
*** ajayaa has quit IRC09:16
marekdmhu: jababdabadu!09:18
marekdmhu: what was the issue?09:18
*** ajayaa has joined #openstack-keystone09:28
mhumarekd, I assume it was my SP metadata. I regenerated them, uploaded them on the IdP, restarted the IdP and all went smoothly09:28
*** henrynash has quit IRC09:30
*** afazekas has quit IRC09:38
marekdi wish you had some ADFS IdP installed :-)09:38
marekdas I have adfs code09:39
marekdmhu: one more thing: do you thing you and FLorent have some time to work on openstackclient?09:39
*** jaosorior has quit IRC09:42
mhumarekd, I am switching back on it now that this is done09:48
mhumarekd, the code we have works correctly with the v2password auth plugin, but fails with the other plugins ... I need to see why09:49
mhubefore uploading a new patch09:50
marekdmhu: you are talking about osc, right?09:50
mhumarekd, yes09:50
mhusorry, no ADFS around here AFAIK09:50
marekdmhu: that's great. I started worry that you ran out of time and you are not working on OSC09:51
mhumarekd, sorry, it was just a slow period - summer holidays + florent getting paternity leave :)09:52
marekdmhu: no a problem!09:55
*** bvandenh has joined #openstack-keystone09:55
*** hrybacki has joined #openstack-keystone10:03
*** hrybacki has quit IRC10:08
*** ajayaa has quit IRC10:09
*** ajayaa has joined #openstack-keystone10:25
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS.
*** k4n0 has quit IRC10:27
*** chandankumar has quit IRC10:28
*** chandankumar has joined #openstack-keystone10:30
*** krypto has joined #openstack-keystone10:42
*** henrynash has joined #openstack-keystone10:50
*** jaosorior has joined #openstack-keystone10:50
*** k4n0 has joined #openstack-keystone10:59
*** chandankumar has quit IRC11:01
*** chandankumar has joined #openstack-keystone11:01
*** afazekas_ is now known as afazekas11:29
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Support the hints mechanism in list_credentials()
*** bvandenh has quit IRC11:37
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID
*** rodrigods has joined #openstack-keystone12:01
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in policy layer.
*** hrybacki has joined #openstack-keystone12:04
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects
*** hrybacki has quit IRC12:08
*** zigo has quit IRC12:17
*** zigo has joined #openstack-keystone12:18
*** henrynash has quit IRC12:21
*** henrynash has joined #openstack-keystone12:21
*** diegows has joined #openstack-keystone12:24
*** henrynash has quit IRC12:25
*** diegows has quit IRC12:45
*** diegows has joined #openstack-keystone12:48
*** raildo has joined #openstack-keystone12:50
*** gordc has joined #openstack-keystone12:52
*** diegows has quit IRC12:56
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy
*** diegows has joined #openstack-keystone13:00
*** andreaf has joined #openstack-keystone13:01
*** bvandenh has joined #openstack-keystone13:03
*** nkinder_away has quit IRC13:05
*** diegows has quit IRC13:09
*** krypto has quit IRC13:12
*** jaosorior has quit IRC13:12
*** diegows has joined #openstack-keystone13:23
openstackgerritLance Bragstad proposed a change to openstack/keystone: Add i18n to exceptions in
*** ayoung_ has joined #openstack-keystone13:31
*** andreaf has quit IRC13:35
*** andreaf has joined #openstack-keystone13:35
*** andreaf has quit IRC13:35
*** stevemar has joined #openstack-keystone13:37
dstanekthese ldap live tests are killing me - i cannot get them to run at all the way through13:37
ayoung_dstanek, live or FakeLDAP?13:45
ayoung_dstanek, BTW, remote-pdb  has been working for me.  Thanks.13:45
dstanekayoung_: i'm trying to get the live ones to work13:46
ayoung_What happens?13:46
dstaneki setup slapd to the point where there were no errors, but it basically blocks forever now13:47
dstaneki have to do some debugging to see what is locking13:47
dstaneki started the test and it just hung - went to breakfast for about an hour and it was sitting doing nothing13:48
*** henrynash has joined #openstack-keystone13:48
ayoung_dstanek, which tests and what call, do you know?13:48
dstanekayoung_: trying to find that out now13:48
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID
*** ayoung_ is now known as ayoung_\13:52
*** gabriel-bezerra has joined #openstack-keystone13:55
*** abhishekk has quit IRC13:57
*** nkinder_away has joined #openstack-keystone13:57
*** xianghui has quit IRC13:58
*** xianghui has joined #openstack-keystone13:58
*** ildikov has quit IRC14:00
*** joesavak has joined #openstack-keystone14:01
*** ayoung_\ is now known as ayoung14:03
ayoungIn case anyone is wondering where XChat stores its FreeNode passwords it in /home/ayoung/.config/xchat2/servlist_.conf  under N=FreeNode (formerly B= value that follws i Pasword14:05
*** hrybacki has joined #openstack-keystone14:05
rharwoodso *that's* why you have a home directory on my system ;)14:05
*** xianghui has quit IRC14:07
*** hrybacki has quit IRC14:09
*** hrybacki has joined #openstack-keystone14:14
ayoungrharwood, Almost certainly14:15
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID
*** jsavak has joined #openstack-keystone14:21
*** joesavak has quit IRC14:24
*** xianghui has joined #openstack-keystone14:25
*** amirosh has quit IRC14:29
ayounghenrynash, I'm trying to test out  the multi domain stuff.  Here's what I have:14:29
ayoungBasic devstack,  Identity SQL driver14:29
henrynashayoung: ok14:29
ayoungenabled the two config options:  one to turn on multi-dom, one to put the files in /etc/keystone/domains14:30
*** xianghuihui has joined #openstack-keystone14:30
*** xianghui has quit IRC14:30
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in trust layer.
henrynashseems good14:30
ayounghenrynash, I assume I need to "create" the domain still, right?14:30
dstanekayoung: i think it may be a slapd problem - is there a better ldap server or am i stuck with that?14:31
ayoungOtherwise it is not in the domains table.  OK.  I've done that14:31
ayoungthe domain name is freeipa14:31
ayoungand I have14:31
ayoungwith a basic LDAP config in it, and14:31
ayoungdriver = keystone.identity.backends.ldap.Identity14:32
henrynashneeds to be called keystone.freeipa.conf14:32
ayoungAh...ok, let me rename14:32
*** k4n0 has quit IRC14:33
henrynashcontents of file look fine14:33
ayoung{"error": {"message": "An unexpected error prevented the server from fulfilling your request: No module named ldappool (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}-sh-4.2$14:33
ayoungOk...let me get that in14:33
ayoungBTW, I think we need to put that in requirements.txt14:34
henrynashahh, mayeb true14:34
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in policy layer.
*** rwsu has joined #openstack-keystone14:34
ayounghenrynash, this is a good sign, though.  I didn't see that problem before14:34
henrynashindeed…it must be trying to do ldapy things14:34
henrynash(technical term, that)14:35
*** hrybacki has quit IRC14:35
ayoungOK,. I was able to get a token for a user in the LDAP domain14:35
ayounghenrynash, well done.14:36
henrynashby jove, this stuff actually works, old bean14:36
*** ajayaa has quit IRC14:36
ayounghenrynash, yeah.  At some point, I need to try it where the default Domain is in LDAP and the service users are in an alternate, but I think this is the base use case.14:37
henrynashayoung: ok, understand14:37
morganfainbergdstanek, dirserv is better14:38
ayoungOK,  I'll need to play around with this some.  Would you expect to see hashed usersids in the table, or the LDAP geenrated ones?14:38
morganfainbergdstanek, 389 directory server14:38
henrynashfor those in the ldap domain, regualr UUIDs for the SQL users14:38
ayounghenrynash, what is the table named?14:38
henrynashidenity_mapping? hold on let me check14:39
ayoungI see it14:39
dstanekmorganfainberg: that looks interesting, thx14:39
henrynashthat should only contain those users that we have created a mapping for14:39
ayounghenrynash, what If I need those to be the LDAP Ids?  Is there a switch to make that happen?14:40
dstanekmorganfainberg: slapd seemed to get into an infinite loop and i had to 'kill -9' it14:40
henrynashayoung: eeek!14:40
ayoungI'm thinking for an existing deployment14:40
*** xianghuihui has quit IRC14:40
ayoungWe had the "backwards compat Id" that just for the default domain?14:40
*** diegows has quit IRC14:41
henrynashayoung: yes, it is just for teh defualt domain14:41
*** xianghuihui has joined #openstack-keystone14:41
henrynashyou can create a domain specifc file called keystone.default.conf for that domain as well14:41
ayounghenrynash, AH14:42
ayoungyeah, I was just getting there...14:42
*** jorge_munoz has joined #openstack-keystone14:42
ayounghenrynash, in order to use that, we would need all auth_token middleware users to be set to the non default domain.  Maybe we should do that in devstack:14:43
ayoungcreate two domains by default, one for service users.14:43
*** jorge_munoz has quit IRC14:43
ayoungOK...this rocks.  this is going to be the killer feature for Juno.14:43
henrynashlet’s hope so!14:46
*** henrynash has quit IRC14:46
*** jsavak has quit IRC14:52
*** david-lyle has joined #openstack-keystone14:54
*** zigo has quit IRC14:58
*** radez_g0n3 is now known as radez14:58
*** diegows has joined #openstack-keystone14:59
*** zigo has joined #openstack-keystone14:59
*** bvandenh has quit IRC15:02
*** joesavak has joined #openstack-keystone15:04
*** amirosh has joined #openstack-keystone15:05
*** hrybacki has joined #openstack-keystone15:05
*** tomoiaga has quit IRC15:07
*** hrybacki has quit IRC15:09
*** richm has joined #openstack-keystone15:09
*** marcoemorais has joined #openstack-keystone15:13
*** marcoemorais has quit IRC15:13
*** jasondotstar has joined #openstack-keystone15:14
*** zzzeek has joined #openstack-keystone15:18
*** nkinder_away is now known as nkinder15:19
*** chandankumar has quit IRC15:26
*** joesavak has quit IRC15:35
*** afazekas has quit IRC15:45
*** amerine has quit IRC15:49
*** hrybacki has joined #openstack-keystone15:49
*** jorge_munoz has joined #openstack-keystone15:49
*** ajayaa has joined #openstack-keystone15:52
ajayaamorganfainberg, hi15:57
*** andreaf has joined #openstack-keystone15:59
morganfainbergajayaa, hello16:00
ajayaamorganfainberg, I could use some review from you. :)16:00
morganfainbergajayaa, fyi, policy layer caching is scary. i'll need to spend a bit of extra time on that one16:04
ajayaamorganfainberg, okay. But why is that?16:04
morganfainbergajayaa, policy is a bit weird in it's implementation16:05
morganfainbergajayaa, it's just not as straight forward as the crud for other subsystems in keystone16:05
morganfainbergi did notice an issue16:06
morganfainbergwhy are you not setting a default cache time?16:06
morganfainbergwe probably do not want to cache these vaules indefinitely16:06
*** gyee has joined #openstack-keystone16:07
ajayaaThese are just for tests. So thought no need of default cache time. When user is using it, he will set it in etc/keystone.conf16:08
morganfainbergif a user doesn't set the cache_time value, we will rely on the cache backend to LRU it16:08
morganfainbergrather than have a fixed window cache16:08
morganfainbergmost of the time I tries to set a sane fixed window cache so we don't over-utilize memcache for example16:09
morganfainbergmost people do not change defaults (expecially not defaults like cache_ttl unless they have a good reason)16:10
ajayaaLet's say a user does not set a cache_time in etc/keystone.conf, then there is no cache time out essentially, right?16:11
morganfainbergand we don't have a *default* cache TTL in the cache layer16:11
*** rushiagr has joined #openstack-keystone16:11
morganfainbergnone = cache until you need to LRU the value16:11
morganfainbergpotentially *forever*16:11
ajayaaThe default behaviour should be forever until the user explicitly sets it in etc/keystone.conf, I guess.16:14
morganfainbergajayaa, i dont know if i agree with that statement.16:14
morganfainbergajayaa, it's too early for me to make that call :P (no coffee / just started looking at work)16:15
ajayaaLRU would come into picture if we have fixed size of memory to store the key, values. I am not sure how that is linked to cache time.16:15
ajayaaokay, I get it. Is there a default memory limit in memcache itself?16:16
dstanekajayaa: if anything i would say that the default should be to never cache or something really short - even if they have caching enabled16:16
ajayaamorganfainberg, We don't want the cache to grow forever. That's why we would need to set either a time limit or memory limit.16:17
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy
dstanekajayaa: it's OK if the cache grows forever; memcache, for example, will start evicting data when it needs to16:19
ajayaadstanek, that is also a possible option.16:19
dstanekajayaa: you want to be very careful when setting a default timeout because it's hard to clear individual values in memcache16:19
dstanekor probably anything16:19
ajayaadstanek, If memcache makes sure that it does not grow forever, we don't need to set a timeout because whenever there is a delete or update we are invalidating that particular key explicitly.16:22
dstanekajayaa: i don't follow. what would ever delete the key?16:24
dstanekajayaa: memcache will evict when necessary, but that could be never if the cluster is sized big enough16:24
ajayaadstanek, okay. It seems to me that we are trying to compensate for memcache deficiency in our application code.16:29
ajayaadstanek, although I don't know the reason behind lazy deletion in memcache.16:30
dstanekajayaa: to my knowledge that how's most caching systems work - i have never heard of anything else16:30
dstanekyou just want to be careful that you don't cache too long by default16:31
*** openstack has joined #openstack-keystone16:32
*** amcrn has joined #openstack-keystone16:42
*** ildikov has joined #openstack-keystone16:48
*** abhishekk has joined #openstack-keystone16:55
morganfainbergdstanek, ++ that is why we have the defaults set lower than forever on most places i implemented caching16:55
morganfainbergdstanek, ajayaa, we do our best to invalidate the cache when / where appropriate, but if for some reason we miss, i would rather not be stuck with that "forever" (** until memcache evicts, etc)16:56
*** bearhands is now known as comstud17:07
*** gokrokve has joined #openstack-keystone17:09
abhishekkdstanek:hi, you around?17:11
*** amerine has joined #openstack-keystone17:23
*** amerine_ has joined #openstack-keystone17:24
*** amirosh has quit IRC17:25
*** amerine has quit IRC17:28
*** amerine_ has quit IRC17:29
*** amerine has joined #openstack-keystone17:34
*** amerine has quit IRC17:38
*** joesavak has joined #openstack-keystone17:45
*** amcrn has quit IRC17:46
*** mdorman has joined #openstack-keystone17:53
*** amcrn has joined #openstack-keystone17:54
dstanekabhishekk: mostly, yes17:56
*** amcrn has quit IRC17:57
abhishekkdstanek:just for update, I have implemented your review comments17:57
dstanekabhishekk: excellent, i'll take a look a little later today then18:00
abhishekk dstanek:thank you for support18:01
*** amcrn has joined #openstack-keystone18:03
*** amerine has joined #openstack-keystone18:08
*** nkinder has quit IRC18:14
*** wwriverrat1 has joined #openstack-keystone18:16
mdormanwe’re running into an issue with the latest icehouse build of keystone.  we use AD for the auth backend, and our AD records contain a couple binary fields.  when keystone loads in the AD records, it tries to convert everything to utf8, which bombs on those binary fields.18:16
mdormanis there a way we can configure an attributes filter for the ldap query, so we don’t pull down those binary fields?18:16
*** amerine has quit IRC18:19
dstanekmdorman: i don't know much about the LDAP backend so I may be way off here, but have you tried the attribute_ignore values in the config file18:20
wwriverrat1ya. I'm seeing binary issue in 2014.1.2 icehouse. Happens in the "self.user._id_to_dn(user_id)" in authenticate method that assumes all fields come back as strings18:20
mdormandstanek: we’ll look at attribute_ignore18:21
wwriverrat1will tinker with attribute_ignore. thx!18:21
dstanekthere is a setting for each of the models user_attribute_ignore, group_attributer_ignore, etc.18:21
dstanekyou can see the full list in the keystone sample conf18:21
dstanekmdorman, wwriverrat1: let me know if that actually works18:23
wwriverrat1will do. should know shortly18:23
*** mgarza has joined #openstack-keystone18:24
*** amerine has joined #openstack-keystone18:25
*** mgarza has quit IRC18:26
*** nkinder has joined #openstack-keystone18:31
*** hrybacki has quit IRC18:32
*** joesavak has quit IRC18:32
dstanekayoung: ldap live tests have a wierd error about an undefined attribute type18:34
*** vhoward has left #openstack-keystone18:35
*** ajayaa has quit IRC18:39
*** abhishekk has quit IRC18:40
*** ayoung has quit IRC18:42
*** diegows has quit IRC18:42
*** rushiagr is now known as rushiagr_away18:44
*** diegows has joined #openstack-keystone18:55
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Clean whitespace off token.
*** amerine has quit IRC19:15
*** zzzeek has quit IRC19:16
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a URL field to region table
*** diegows has quit IRC19:35
*** nkinder has quit IRC19:37
*** andreaf has quit IRC19:39
morganfainbergdstanek, ayoung, what would you think of implementing IMS support in keystone? useful case: revocation events, instead of 'last check XXXX' issue an 'If-modified-since' and if no new events occured since XXX a 304 is issued19:41
morganfainbergdstanek, ayoung, similar thought for the endpoint policy spec (cc henry-nash) ^19:41
morganfainbergoh.. and ayoung and henry-nash are not on irc :P19:41
*** henrynash has joined #openstack-keystone19:42
*** nkinder has joined #openstack-keystone19:44
*** KimJ has joined #openstack-keystone19:47
*** diegows has joined #openstack-keystone19:52
*** vhoward has joined #openstack-keystone19:55
dolphmmorganfainberg: any reason this wasn't +A'd?
morganfainbergdolphm, all of the token_api ones have had to be rebased a bunch20:19
morganfainbergdolphm, the patch they depended on merged on friday20:19
dolphmmorganfainberg: so it's good to merge?20:19
dolphmmorganfainberg: +A'd then20:20
morganfainbergdolphm, all of these actually should be:,n,z20:20
morganfainbergnext step in that is fixing authcontextmiddleware and the @protect dectorator to not do double duty and looking up / decoding tokens20:21
dolphmmorganfainberg: done and done20:21
morganfainbergthen we need to solve the federated user domain thing (we talked about it last meeting, no definitive answer)20:21
morganfainbergand i think we can be done with token_api by the end of the week (pending federated user thing)20:21
dolphmmorganfainberg: i read through the logs, it seemed the definitive answer was to fix all the things?20:21
morganfainbergdolphm, sortof20:22
morganfainbergdolphm, we do document that tokens (identity-api) have user['domain'] section20:22
morganfainberghonestly, whatever the direction we go, as long as it isn't brittle/prone to breakage, i'm good with it.20:23
*** ayoung has joined #openstack-keystone20:23
dolphmmorganfainberg: doesn't the federation extension mention user domains are specifically not included?20:23
morganfainbergdolphm, i don't think it did, it might now20:23
morganfainbergdolphm, with stevemar's recent toking inclusion to the docs, we do explicitly show no user domain section20:24
morganfainbergso fixing everything is reasonable i guess.20:25
ayoungdstanek, sorry, I was late for a Kid pickup.  Are you still stuck>20:26
*** nonameentername has quit IRC20:27
*** nonameentername has joined #openstack-keystone20:30
ayoungdolphm, morganfainberg I just did a sanity check on henrynash 's multi-domain work.  Work great:
ayoungIt lead to some interesting conclusions:  users for throw-away jobs are now cheap20:31
ayoungso, take the hadoop case, if you have something running for 3 days, create a user for it, and use trusts to add roles to it20:32
dolphmayoung: cool, good to hear!20:32
ayounghadoop is interesting in that it pretty much needs swift or something like it20:32
ayoungread the data , write the results20:32
*** amcrn has quit IRC20:33
ayoungso RBAC could come in to play there,  where the haddoop-job-user gets two tokens, one to read from one swift object store (Genome data say)20:33
ayoungand one to write partial and final results20:33
*** amcrn has joined #openstack-keystone20:33
morganfainbergayoung, quickly, i'm near to +2 on but just had a couple quick questions (would have just fixed the nit about the link if i didn't have the questions).20:33
morganfainbergayoung, thats the endpoint policy spec20:34
morganfainbergah, henry answered them20:34
morganfainbergayoung, yeah other than the two questions henry answered i'm good witht that spec20:34
ayoungmorganfainberg, so when to fetch policy is a whole-nother set of questions20:35
ayoungcertainly at startup, possible at points after that20:35
morganfainbergyes, and if we're doing "on startup" as the baseline for this spec, i'm good with that20:35
morganfainbergjust wanted to have it clear what we were aiming for20:36
ayoungthing is, that is outside the scope of this spec20:36
ayoungit would be a spec on keystonemiddleware20:36
*** joesavak has joined #openstack-keystone20:36
ayoungassuming that will hold the policy enforcement code20:36
morganfainbergexcept you've already mixed in "update middleware to fetch policy" in this spec20:36
morganfainbergas a work item20:36
ayoungwe are not doing any notifications20:36
ayoungah...that is true20:36
ayoungwell, a complete solution would be:20:36
ayoung1/ fetch at startup20:36
ayoung2.  register for notifications and fetch if notified20:37
ayoungfor changes20:37
morganfainbergayoung, so since it's a work item, might as well say "fetch on startup with plans to expand for re-fetch on notification ... and/or poll"20:37
morganfainbergthen we have a clear target. or we split the spec into two bits, one targeting middleware and one targeting keystone20:37
ayoungI like20:38
dolphm /poll how many people use the Star feature in gerrit, and if you do: what reviews do you choose to star? if you don't, why don't you use it?20:38
*** radez is now known as radez_g0n320:38
*** jsavak has joined #openstack-keystone20:38
ayoungdolphm, I use it for ones that I need to go back to20:38
dolphmayoung: as a reviewer, or an author?20:38
morganfainbergdolphm, i use the star feature around freeze and use it to watch the -2'd because of freeze reviews20:38
ayounglike, I got 1/2 through, and want to remind myself to complete it20:38
ayoungI don;t star my own20:38
ayoungmy own list is short enough I can view it and mentally prioritize20:39
morganfainbergdolphm, i also use it if there is something i know i want to check again in say... a week or two. - never star my own reviews20:39
ayoungmore for a short list of ones for me to go back to and review20:39
dolphmayoung: do you keep it starred until it merges, or keep it stared until you finish your review pass?20:39
ayoungdolphm until it merges, cuz it means it is a priotiy review, and I assume it will get additional review before merge20:40
ayoungI usually only clean up ones I've starred.  Starred reviews is a fairly short list20:40
dolphmcool - i've been thinking about how to expose starred reviews as a social feature20:40
ayoungI have 5 starred right now, probably should have more20:41
ayounglike, Jose's two Kerberos revews should be starred, but I really don';t need to, because I check them often anyway20:41
*** joesavak has quit IRC20:42
wwriverrat1dstanek, you requested mdorman and I report back on what we found regarding "user_attribute_ignore" to skip ldap binary data items for id_to_dn call.  When we added the ignore config property, our code actually failed earlier when get_all is called.  We're going to roll back to 2014.1.1 until we can put together something adequate to report20:43
ayoungwwriverrat1, is this the whole "build the DN " thing?20:44
ayoungwwriverrat1, are you doing subgroup?20:44
wwriverrat1sorry. coworker distraction.   subgroup?20:46
ayoungwwriverrat1, there are two ways to fetch users.  subgroup queries actually quere the Id attribute, not building the domain name20:47
*** PsionTheory has joined #openstack-keystone20:47
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy
wwriverrat1when I'm in pdb, the id_to_dn is being called with only a 'dn'.  It then fetches that id given his creds to authenticate. When it gets the entries (ours is Active Directory) it gets them all without filtering the binary fields. Those are the ones blowing chunks.20:51
wwriverrat1scope needs to search whole subtree20:52
wwriverrat1blow up here:
*** amerine has joined #openstack-keystone21:07
ayoungwwriverrat1, which fields?21:10
ayoungwwriverrat1, I assume you are not using a custom schema here21:11
wwriverrat1haha... in our enterprise AD installation, they have as few as 5 and as many as 10 binary fields.  aka: thumbnail21:11
wwriverrat1We are using keystone for authentication, keystone for authorization21:12
stevemarthe gate is getting pwned right now21:12
wwriverrat1AD for authentication, keystone for authorization21:12
ayoungwwriverrat1, that quere should only be returning the DN.  Those are attributes on the user objects, I assume, and should not be returned21:13
wwriverrat1yes and yes I agree21:14
ayounglet me see what the code *actually* does21:14
ayoungdn, attrs = search_result[0]21:14
ayoungyep...that indicates something is wrong21:14
ayoungprobably instead of fetching all attributes and then filtering out the ones we don't want it should be an explicit list of attributes we do want21:15
wwriverrat1a white list21:15
ayoungin this case it should be oly DN21:16
ayoungcatching the attributes is an attempt to avoid fetching the object more than once, though21:16
ayoungwwriverrat1, can you edit the code on that server where is blowing up?21:17
ayoungA good test would be to add in a set of fields...let me see if I can craft a line for you21:17
*** andreaf has joined #openstack-keystone21:18
*** andreaf has quit IRC21:19
*** hrybacki has joined #openstack-keystone21:19
*** andreaf has joined #openstack-keystone21:19
wwriverrat1This same user seems to be queried twice: 1) when the keystone user verifies they exist (this one sends in only the return_attrs it wants), then 2) When the user actually authenticates with their creds.  The second doesnt seem to have the return_attrs set and therefore fails to work.21:19
*** andreaf has quit IRC21:19
ayoungOK, I'm guessing that call is a wrapper to
*** jsavak has quit IRC21:20
*** KimJ has quit IRC21:20
*** andreaf has joined #openstack-keystone21:20
ayoungwwriverrat1, not sure if it will work, but try attrlist=None  or attrlist=[]  as an additional param21:20
ayoungIf I remember correctly, it does not treat the DN as one of the attributes, and is returned separately21:21
ayoungNone looks like the default, which makes me suspect we overwrite it somewhere, though21:21
ayoungyeah, that calls21:22
ayoung    def search_s(self, base, scope,21:22
ayoung                 filterstr='(objectClass=*)', attrlist=None, attrsonly=0):21:22
ayoungwwriverrat1, it should not be returning attributes with that query21:24
wwriverrat1k. will check it out21:24
*** hrybacki has quit IRC21:24
*** hrybacki has joined #openstack-keystone21:25
*** amcrn has quit IRC21:26
openstackgerritA change was merged to openstack/keystone: Expose token revocation list via token_provider_api
*** amcrn has joined #openstack-keystone21:27
*** amerine has quit IRC21:27
openstackgerritA change was merged to openstack/keystone: Remove ec2 contrib dependency on token_api
*** amerine has joined #openstack-keystone21:28
wwriverrat1ayoung. so should I be passing a [] into at the end of this line? (instructing it to return no attrs?)
ayoungwwriverrat1, pass it as a named parameter so there is no confusion21:29
ayoungwwriverrat1, this is what you are calling
ayoungso  we are trying to force it to not fetch any attributes21:30
*** gokrokve has quit IRC21:31
*** gokrokve has joined #openstack-keystone21:31
*** andreaf has quit IRC21:32
*** PsionTheory has quit IRC21:32
openstackgerritSteve Martinelli proposed a change to openstack/keystone: remove unused import
*** henrynash has quit IRC21:46
*** andreaf has joined #openstack-keystone21:46
*** andreaf has quit IRC21:46
*** andreaf has joined #openstack-keystone21:47
*** gokrokve has quit IRC21:50
*** gokrokve has joined #openstack-keystone21:50
wwriverrat1ayoung, when I added this, got the binary error (attrlist=[]).  When I added this, all went well (attrlist=['cn']). Seems an empty array somewhere means to return all attr from ldap.21:52
ayoungwwriverrat1 so that value should probably be a throw away that we know exists.  CN is as good as any, I think21:53
ayoungor  id attribute really21:54
wwriverrat1ya. either21:54
*** gokrokve has quit IRC21:54
wwriverrat1something we know for sure is NOT binary ;-)21:54
ayoungwwriverrat1, its more delicate than that.  This is common code, not specific to user or anything21:55
ayoungthe only attribute we can trust is the one we are searching on21:55
ayoung wwriverrat1 so  [ id_attr ]  is correct.  Can you try that?21:56
*** hrybacki has quit IRC21:57
wwriverrat1yep, this works:  After "'objclass': self.object_class}",  I added   ",attrlist=[self.id_attr]" in _id_to_dn method of core.py22:01
ayoungwwriverrat1, submit a bug report and that change, please22:01
wwriverrat1sure. Thanks for your help!22:01
ayoungNo problem.22:01
*** Dafna has quit IRC22:02
*** nkinder has quit IRC22:06
*** ayoung has quit IRC22:14
*** gokrokve has joined #openstack-keystone22:17
*** gokrokve has quit IRC22:19
*** gokrokve has joined #openstack-keystone22:19
*** gokrokve has quit IRC22:19
*** gokrokve has joined #openstack-keystone22:19
*** hrybacki has joined #openstack-keystone22:31
*** gordc has quit IRC22:31
*** KimJ has joined #openstack-keystone22:32
*** andreaf has quit IRC22:35
morganfainbergdolphm, dstanek, ping - re authcontextmiddleware22:37
dolphmmorganfainberg: whats up22:53
*** bknudson has joined #openstack-keystone22:54
morganfainbergdolphm, so i talked with ayoung about where we decode the auth token22:56
morganfainbergdolphm, *in* keystone22:56
morganfainbergdolphm, we generally decided that it made sense to put that in authcontext middleware, but I'm waffling on that because then authcontext becomes *required* and required in paste is semi-icky22:56
morganfainbergdolphm, paste pipeline feels like it should be... configurable, but removing that middleware would break all @protect stuff for v322:57
dolphmmorganfainberg: it's critical to our architecture, just like it's basically critical to have auth_token in front of every other service22:57
morganfainbergdolphm, ok so we're good with "this is a mandatory middleware"?22:58
morganfainbergdolphm, it22:58
morganfainberg's just a sanity check :)22:58
morganfainbergbefore i start hacking away at it22:58
morganfainbergdolphm, i also aim to get it so we don't decode the token twice on all requests going to v3 with this change.22:59
dstanekmorganfainberg: optional middleware seems full of problems23:02
morganfainbergdstanek, the alternative is to make it not middleware23:02
morganfainbergdstanek, it was either make the wsgi code always decode the token or the middelware, but not the middleware, the @protect decorator, and somecases the wsgi code (cleanup)23:03
*** amerine has quit IRC23:07
*** jorge_munoz has quit IRC23:15
*** andreaf has joined #openstack-keystone23:25
dstanekmorganfainberg: what's the driver to move it from where it is now to middleware23:32
morganfainbergdstanek, it's done in both places23:32
morganfainbergdstanek, so either we do it in middleware *or* wsgi *or* protect decorator, not a mix of one, two, or all three23:33
morganfainbergdstanek, right now we do the same work twice on all v3 api calls.23:33
morganfainbergdstanek, at least twice23:33 you have me interested23:36
*** david-lyle has quit IRC23:36
*** david-lyle has joined #openstack-keystone23:37
morganfainbergdstanek, authcontext middleware catches the token and does token_api.get_token, and a token_provider.validate23:38
morganfainbergthen builds the context23:39
morganfainbergthen the @protect decorator does the same thing :P23:39
morganfainbergand i think the wsgi code does it too in some cases23:39
*** nkinder has joined #openstack-keystone23:39
*** david-lyle has quit IRC23:42
*** mdorman has quit IRC23:44
*** jamielennox|away is now known as jamielennox23:54

Generated by 2.14.0 by Marius Gedminas - find it at!