Thursday, 2014-08-14

*** rkofman has quit IRC00:20
*** zzzeek has quit IRC00:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery  https://review.openstack.org/10757000:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768100:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow providing a default value to CLI loading  https://review.openstack.org/11374200:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins  https://review.openstack.org/8114700:20
*** zzzeek has joined #openstack-keystone00:25
*** zzzeek has quit IRC00:26
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Fix handling of deprecated opts in CLI  https://review.openstack.org/11385900:28
*** richm has left #openstack-keystone00:30
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Replace httpretty with requests-mock  https://review.openstack.org/11277700:32
*** rwsu has quit IRC00:42
gyeemorganfainberg, want to have a pow wow on https://review.openstack.org/#/c/107873/?00:50
gyeeI have the medicine bag00:51
*** rwsu has joined #openstack-keystone00:55
*** rwsu has quit IRC00:57
*** rwsu has joined #openstack-keystone00:58
*** gokrokve has joined #openstack-keystone01:00
*** ayoung_is_a_Dad is now known as ayoung01:04
*** Dafna has quit IRC01:07
*** amcrn has quit IRC01:10
*** Krast has quit IRC01:17
*** Krast has joined #openstack-keystone01:17
*** Dafna has joined #openstack-keystone01:28
*** Dafna has quit IRC01:28
*** Dafna has joined #openstack-keystone01:29
ayoung_elmiko, ugh,  and the proxy users are in a different domain than the user that did the GET?01:30
ayoungmorganfainberg, the "load by classname" method  still works01:31
ayoungTHe unit tests depend on that01:31
morganfainbergayoung, not mixed01:31
ayoungmorganfainberg, yeah, the method is external to the plugin01:32
morganfainbergayoung, e.g. if you use one of plugins without the .method attr, it wont wonk01:32
morganfainbergwork*01:32
ayounglets see...01:32
morganfainbergso we should probably remove the load-by-class path01:32
morganfainbergit's suboptimal in my opinion, but eh,01:32
ayoungmorganfainberg, however, to be fair, that method was not documented, and I wasn't aware we were doing it.01:33
morganfainbergi just don't want to force using one over the other or make it so it sortof works one way, if that makes sense01:33
ayoungAI agree, but not in this patch01:33
ayoungthis is the minimal viable patch here01:33
morganfainbergin this patch at least *deprecate* (warning message)01:33
morganfainbergthat load by class-name01:33
ayoungnot in this patch.  It doesn't belong here01:33
ayoungthis is only removing a restriction that is unnecessary01:34
morganfainbergayoung, you are breaking the consistency, it does01:34
ayoungno I am not01:34
ayoungload by class name works fine01:34
morganfainbergyes you are, if a plugin that the method is external to it is used it *cannot* be loaded by classname01:34
ayounglet me show you...01:34
morganfainbergbecause the conf.get() wont work01:34
morganfainbergerm wont be used01:34
morganfainbergand it would fail w/o the .method attr01:35
ayounghrm01:35
ayoungah...I remember01:35
ayoungright, this is not forcing one or the other.01:35
morganfainbergline 55 would fail in the load-by-class name01:35
ayoungit is just making it so you don't *HAVA* to have the method01:35
ayoungand nothing said that we did01:35
ayoungso who made this mess>01:36
ayoung?01:36
morganfainbergayoung, that was an oversight when i implemented it. honestly, my intention was to move 100% to class-name loading01:36
ayoungI don't recall that from the original auth plugin design, was it added later?01:36
morganfainbergand it was done as part of the having to list the auth methods then a class separatly was awful to support01:37
morganfainbergso, my mistake on missing the documentation :(01:37
ayoungok, I missed all of that discussion, and would have recommended a different approach01:37
morganfainbergi'm fine walking away from that method but we should say clearly "do not use this" if we accept this patch01:37
ayoungbut, water under the breidge01:37
morganfainbergaccept yours that is.01:37
ayounglets break the "have to" as that is the thing holding up the Mapping and Kerberos efforts01:37
morganfainbergput a "hey don't use this method" in and i'm fine with your patch01:38
morganfainbergotherwise i am not.01:38
ayoungWhere do I puth that?  It is not in the documentation that you *can* do that01:38
morganfainberglog.warning01:38
ayounghmmm, what is left that does do method....01:38
morganfainberg'loading by classname is deprecated in Juno and slated to be removed in I;01:39
ayoungI think itis token and password that we use in the unit tests01:39
morganfainbergjust put it in around line 58 when plugin_name = driver.method01:39
morganfainbergayoung, maybe. i think a lot of that can be cleaned up because we changed the defaults (can be explored/fixed post this patch)01:39
ayoungis doing it as a comment OK?  I don't really want to spam the logs, as this will only show in the unit tests01:40
ayoung*I* didn't know about this, I doubt few people outside of core did01:40
morganfainbergi'll commit to fixing the tests tomorrow if you put it as a log please.01:40
ayoungDEAL!01:40
morganfainbergor i'll fix it tomorrow and we can rebase your patch on top01:40
ayoungAnd it doesn';t have to be tomorrow01:40
morganfainbergeither way01:40
ayoungI'll fix now01:40
morganfainberg++01:40
morganfainbergyeah not a big deal to fix i think, just really don't want people to look at tests assume this code is doing things correctly loading that way.01:41
morganfainbergand i'm fine walking away from that method of loading auth plugins (yeah missing the doc was my mistake :( )01:41
*** gokrokve has quit IRC01:44
ayoungmorganfainberg, the fact is, most of the plugins should go away, and we will be left with the mapping plugin for all of them.  Even Password could be replaced with and external one if we moved over to basic auth.  That really just leaves token.01:45
ayoungSo, Password, Token, and Mapping.01:46
morganfainbergayoung, yeah we might be able to make things a bit more sane and still allow people to specify their own auth plugins01:47
ayoungmorganfainberg, what I'm seeing is the "method"  part is usually more part of the network setup, or, like in the case of SAML, stuff that happens external to Keystone, than anything that really needs to be handled by the keystone python code01:48
_elmikoayoung: https://gist.github.com/elmiko/647f21b2bd08599695cd01:49
_elmikothat was the output from the call01:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 routers to store basic resource description  https://review.openstack.org/11157301:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Provide the V3 routers to the V3 extension controller  https://review.openstack.org/11157401:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 version controller to provide JSON Home response  https://review.openstack.org/11157501:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change V3 router classes to provide JSON Home data  https://review.openstack.org/11157601:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extensions to provide JSON Home data  https://review.openstack.org/10398301:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change the sub-routers to provide JSON Home data  https://review.openstack.org/11157701:49
ayoungmorganfainberg, how's this for a message 'Loading auth-plugins by class-name is deprecated.'01:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change OS-INHERIT extension to provide JSON Home data  https://review.openstack.org/11157801:49
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extension class to integrate JSON Home data  https://review.openstack.org/11157901:49
morganfainbergayoung, works for me01:49
_elmikoayoung: line 148 is where the proxy user begins01:50
ayoung_elmiko, I'm sorry, I can't refer to you exterannally.  The _ at the beginning of your name indicates you are a module private variable01:50
_elmikorofl!01:51
*** _elmiko is now known as elmiko01:51
elmikoi thought we were within module scope in this channel?01:51
ayoungNah, just package01:51
elmikonice01:51
ayoungelmiko, that might be a bug.  I'm not sure, but I thought the code was supposed to limit the list_users to only users of the same domain as the requestor unless specifically stated01:52
elmikoayoung: i could try updating my keystone, it's probably a few weeks old01:52
elmikoi've become gunshy of running reclone=yes for devstack01:53
ayoungelmiko, don't bother01:53
ayoungthis would have happend a long time back01:53
elmikok01:53
ayoungits not just a multi-dom issue01:53
*** amerine_ has joined #openstack-keystone01:54
ayoungelmiko, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n559  that code there seems to be written to figure out what domain to list for01:54
ayoungso maybe it is the sql backend not honoring it01:55
elmikonot filtering the domain properly?01:56
*** amerine has quit IRC01:56
ayoungelmiko, yeah.  we have this whole 'hints' architecture01:56
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n11801:56
*** amerine__ has joined #openstack-keystone01:56
ayoungmy guess is this is supposed to be a hint, but it never made it...looking01:56
ayoungrefs = self.identity_api.list_users(01:57
ayoung            domain_scope=self._get_domain_id_for_list_request(context),01:57
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n21801:57
ayoungso it is always called with a domain id01:57
ayoungdriver = self._select_identity_driver(domain_scope)01:57
ayoungAh...I think I see the breakdown01:58
ayoungnah, sql should be domain aware...01:58
*** amerine_ has quit IRC02:00
elmikoi was using an admin generated auth token for the request, would that matter?02:01
ayoungelmiko, well, file that as a bug and we can chase it down.  The code looks right to me to a first approximation02:01
ayoungmaybe02:01
elmikoayoung: i'll file a bug though02:01
ayoungit should have failed if it was AUTH_TOKEN02:01
ayoungor ADMIN_TOKEN02:01
ayoungelmiko, this was a real user or using admin_token?02:02
elmikoi did a `keystone token-get` on the admin user, then used that token02:02
elmikoit's a real account though, i can login through horizon and whatnot02:02
ayoung elmiko that user should be in the default domain, and the query should be limited to the default domain02:03
ayoungelmiko, is the system available?02:03
elmikothat user is definitely in the default domain02:03
elmikono, it's a default devstack running on my laptop02:03
ayoungI'd like to step through the code and see what is failing02:03
ayoungok,  wanna step through it for me?  Its cool02:04
elmikosure, where to start?02:04
ayoungyou need remote-pdb02:04
ayoungeither pip install or rpm02:04
ayoungI think I used pip02:04
*** ncoghlan has joined #openstack-keystone02:05
elmikosurprised it isn't in yum02:05
ayoungelmiko, it might be, just don't know what it is named02:05
ayoungyum search remote-pdb  turned up bupkiss02:05
elmikoyea02:05
ayoungthen it is02:05
elmikoeven yum search pdb wasn't much better02:05
elmikoi got it through pip02:06
ayoungedit the file where you want to break,  which in this case would be in keystone/identity/controller.py02:06
ayoungAT line...02:06
elmikok02:06
ayoung21602:06
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n21602:06
elmikohmm02:06
ayoungand put this in there02:07
elmikothis is devstack, i need to attach to the screen console and do everything from there?02:07
ayoungfrom remote_pdb import RemotePdb02:07
ayoungnope...I'll show you02:07
elmikok02:07
ayoung RemotePdb('0.0.0.0', 4444).set_trace()02:07
ayoungthose two lines will stop the program and get it to listen on port 444402:07
ayoungthen telnet localhost 444402:08
ayoungand you have a pdb session02:08
ayoungtold you it was cool02:08
elmikovery nice02:08
elmikomy pdb skills are kinda rusty02:08
ayoungyeah, so'r mine02:10
ayoungelmiko, you do need to restart httpd02:10
*** rushiagr_away is now known as rushiagr02:11
elmikook, don't i need to stop the running keystone and this one installed?02:11
elmikoer, get this one02:11
ayoungelmiko, its in httpd now02:13
ayoungso make that edit in /opt/stack/keystone or whereever you put it, and restart httpd.02:13
ayoungIt runs out of tree02:14
elmikook02:14
*** gokrokve has joined #openstack-keystone02:14
elmikowow, crazy...02:14
elmikook, telnetting02:14
elmikoi'm in02:15
elmikoayoung: it stopped me in a weird place02:15
elmikoor i should unexpected02:16
ayoungelmiko, keep your personal problems to yourself02:16
ayoungoh02:16
elmikolol02:16
ayoungmight have been a wrapper,02:16
ayoung_get_attr thing?02:16
elmikoi'm in keystone.common.controller@46902:17
elmikook, guess i'm at the beginning of build_driver_hints02:17
*** gokrokve has quit IRC02:19
morganfainbergayoung, http://paste.openstack.org/show/94760/ i *think* this will solve the subsecond issue with mysql on revocation events02:21
ayoungWow, I haven't had to write a SQL migration in a long time. I'm OK with that02:22
ayoungcode look good02:23
ayoungelmiko, you waiting on me?  Here;s the goal02:23
ayoungstep through and see if the hints get built at all.02:23
elmikoayoung: trying, i just borked it up though lol02:23
ayoungand eventaully you will end up in the sql driver....you might even want to preposition a breakpoint at the list_users call02:23
elmikoi know you said leave my personal life out of it, but i CAN'T02:23
ayoungwhich it02:23
ayoungwhich is02:23
ayoungkeystone/identity/backends/sql.py  line 11902:24
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n11902:24
morganfainbergayoung, i'm going to test it locally first, but going to post it to see if CI freaks out on it02:24
morganfainbergas well02:25
ayoungmorganfainberg, ++++++02:25
morganfainberglonger term using expires_at like we do is bad (talked this over with Mike, SQLAlchemy dude), we're effectively using a timestamp as a PK (alittle more complex) we should evaluate moving to a uuid or something that is non-secure that doesn't have this type of issue02:26
morganfainbergnot that we can drop expires at immidiately, but we could in theory convert over to uuid and use it instead moving forward02:26
morganfainbergexpires_at (in the event that is)02:27
elmikoayoung: so at keystone.identity.controllers line 220, i've got a hints object02:27
ayoungwhats it look like02:27
*** ncoghlan is now known as ncoghlan_afk02:28
ayoungprint hints02:28
elmikokinda lumpy02:28
elmiko<keystone.common.driver_hints.Hints object at 0x7f4dbe4232d0>02:28
elmikohints.filters=[]02:28
ayoungso no filters set02:28
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes an issue with the XMLEquals matcher  https://review.openstack.org/10917702:29
ayoungelmiko, is that before the call to the driver?02:29
ayoungrefs = self.identity_api.list_users(02:29
*** rushiagr is now known as rushiagr_away02:30
ayoungI assume the breakpoint pushed the line numbers up a couple02:30
elmikoi think it might have been after02:30
elmikoi'm having a problem with the telnet session returning on a continue02:30
jamielennoxayoung, morganfainberg: there are at least two patches in a series starting here: https://review.openstack.org/#/c/112563 that are a fairly simple code move ~50 lines changed02:32
jamielennoxdo you guys mind taking a look quickly - if i can get those merged i don't have to do a giant rebasing02:32
ayoungyeah, that happend to me.  I ended up killing the session and reconnecting02:32
ayoungjamielennox, both look good02:34
elmikoayoung: keystone/common/controller.py@485, hints=[] and query_dict={} looks like what's going on02:35
*** stevemar has joined #openstack-keystone02:36
jamielennoxayoung: cheers, i have so many small patches but all relating to a common goal - if i put them in series though then they all get stuck waiting for a nit in the base one02:37
ayoungno query string, so we would only be looking at the hints array02:37
ayoungelmiko, but I think it would be later02:38
ayoungthat returns nothing, as expected02:38
ayoung refs = self.identity_api.list_users(  gets called with the domain id02:38
ayoungelmiko, can you step  into identity/core.py?02:39
ayoungthe code that I am wondering about now is the call http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n59202:39
ayoungas that should turn the domain scope into a hint02:39
elmikoayoung: the call to list_users?02:39
ayoungin that call, yes02:39
ayoungelmiko, alternatively, you could put a breakpoint in the sql driver at list_users and see if ther are any hints02:40
elmikok, i'll get there02:40
ayoungif there are, then we know the problem is the sql driver02:40
ayoungif they are not there, the problem is this call02:40
jamielennoxi realize it's not really something that git can do but i'd love it if a gerrit patch could have multiple dependencies. A lot of these changes don't depend on each other in anyway but they all need to be merged before some larger changes02:41
jamielennoxmy only choice now is to put them all in sequentially02:41
elmikoayoung: looks like also, i don't have CONF.identity.domain_specific_drivers_enabled, which causes a return from _get_domain_id_for_list_request02:42
ayoungACHA!02:42
elmikoayoung: is that my goof for not setting it up, or should that function return the domain regardless of the conf setting?02:43
ayoungso...probably a bug, too, as the list_users should be scoped to domain\02:45
ayoungelmiko, butyeah, you are going to want that to be set.  I should have thought of that.02:45
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api  https://review.openstack.org/11342902:46
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not overwrite token expires with lower resolution  https://review.openstack.org/11410302:46
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Convert (for mysql) revocation events expires_at to varchar  https://review.openstack.org/11410402:46
elmikoayoung: this should always be set for the use case we are considering?02:46
ayoungelmiko, yeah02:46
elmikoayoung: ok, good to know.02:46
ayoungI don't think there is any hard to setting it.  It mightr slow down certain domain operations, if no domain_specific drivers are set02:47
elmikoi'm trying to compile all these notes to make sure i have the documentation details correct02:47
elmikothe thing is, once this change goes into sahara, then users who want to use swift will need to have this configuration.02:47
ayoungelmiko, yep02:48
elmikosecurity comes at a cost02:48
ayoungelmiko, so try setting that value and doing the search, and you should not see the sahara users02:49
ayoungelmiko, https://bugs.launchpad.net/keystone/+bug/135668202:50
uvirtbotLaunchpad bug 1356682 in keystone "GET /v3/users lists users in all domains" [Undecided,New]02:50
ayoungplease add whatever info you have that is relevant02:50
elmikoayoung: will do02:50
ayoungelmiko, I copied in your gist02:51
elmikoayoung: ok, cool02:51
openstackgerritayoung proposed a change to openstack/keystone: Do not require method attribute on plugins  https://review.openstack.org/10787302:52
elmikoayoung: it looks like the fix is just to remove that line, should i test a little and offer a patch?02:52
ayoungmorganfainberg, ^^ was waiting on tox.02:52
ayoungyes02:53
ayoungelmiko, that would be superb02:53
elmikoayoung: happy to help :)02:53
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not overwrite token expires with lower resolution  https://review.openstack.org/11410302:55
morganfainbergayoung, +2.02:55
ayounggyee, care to re +2 that one?02:56
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Convert (for mysql) revocation events expires_at to varchar  https://review.openstack.org/11410402:58
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api  https://review.openstack.org/11342902:58
morganfainbergok now that ci is chewing on that i need to go setup an env to test this migration a bit more in depth02:58
*** rkofman has joined #openstack-keystone03:04
*** topol has joined #openstack-keystone03:06
elmikoayoung: is it possible that the auth token i'm generating has no domain id associated with it?03:10
elmikoayoung: shouldn't it default to the user's domain03:10
ayoungelmiko, it seems to me that is the case03:13
ayoungelmiko, I'm going to crash03:13
ayounglate here03:13
elmikoayoung: k, may be another bug here too03:13
ayoung++03:13
*** ayoung has quit IRC03:13
*** elmiko is now known as _elmiko03:16
dstanekany reason not to just mark this as 'fixed released' for Keystone? https://bugs.launchpad.net/keystone/+bug/127710403:20
uvirtbotLaunchpad bug 1277104 in python-openstackclient "wrong order of assertEquals args " [Low,In progress]03:20
morganfainbergdstanek, probably can just mark it03:21
morganfainbergdstanek, i have no reason not to03:21
*** spandhe_ has quit IRC03:22
*** gokrokve has joined #openstack-keystone03:25
*** ncoghlan_afk is now known as ncoghlan03:25
*** spandhe_ has joined #openstack-keystone03:28
*** gokrokve has quit IRC03:29
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION  https://review.openstack.org/11399803:34
*** ncoghlan is now known as ncoghlan_afk03:35
*** spandhe_ has quit IRC03:41
*** toddnni_ has joined #openstack-keystone03:48
gyeeah, I see ayoung and morganfainberg got it all figured out :)03:49
*** jraim__ has joined #openstack-keystone03:49
*** KanagarajM has joined #openstack-keystone03:51
KanagarajMHi, i have submitted the patch https://review.openstack.org/#/c/113183/ for the blue print "endpoint table is missing reference to region table". Could you please review it. Thanks.03:52
*** jraim has quit IRC03:52
*** radez_g0n3 has quit IRC03:52
*** lbragstad has quit IRC03:52
*** toddnni has quit IRC03:52
*** mgagne has quit IRC03:52
*** Dafna has quit IRC03:52
*** samuelmz has quit IRC03:52
*** dtroyer has quit IRC03:52
*** comstud has quit IRC03:52
*** toddnni_ is now known as toddnni03:52
*** lbragstad_ has joined #openstack-keystone03:52
*** dutsmoc has joined #openstack-keystone03:52
*** lbragstad_ is now known as lbragstad03:52
*** jraim__ is now known as jraim03:52
*** samuelmz has joined #openstack-keystone03:53
*** mgagne has joined #openstack-keystone03:53
*** Dafna has joined #openstack-keystone03:53
*** mgagne is now known as Guest5467603:53
*** radez_g0n3 has joined #openstack-keystone03:53
*** gyee has quit IRC03:54
*** dtroyer has joined #openstack-keystone03:54
morganfainbergof course....03:55
morganfainbergtempest *CHECKS* that we use a low resolution timestamp03:55
*** amirosh has joined #openstack-keystone03:58
*** amirosh_ has joined #openstack-keystone04:02
*** rkofman has left #openstack-keystone04:05
*** amirosh has quit IRC04:07
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Role assignment notifications  https://review.openstack.org/11366904:11
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Update region entries to include URLs  https://review.openstack.org/11411804:20
*** ncoghlan_afk is now known as ncoghlan04:24
*** wwriverrat has joined #openstack-keystone04:31
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054204:32
*** wwriverrat1 has joined #openstack-keystone04:44
*** wwriverrat has quit IRC04:46
*** amcrn has joined #openstack-keystone04:46
*** chandankumar has joined #openstack-keystone04:51
*** wwriverrat has joined #openstack-keystone04:54
*** wwriverrat1 has quit IRC04:54
*** wwriverrat has left #openstack-keystone04:55
*** ncoghlan is now known as ncoghlan_afk05:02
*** alex_xu has joined #openstack-keystone05:08
*** gokrokve has joined #openstack-keystone05:10
jamielennoxwho's still awake that can +a some simple reviews?05:17
*** rushiagr_away is now known as rushiagr05:19
*** amcrn has quit IRC05:21
*** arborism has joined #openstack-keystone05:24
*** afazekas has joined #openstack-keystone05:25
*** rushiagr is now known as rushiagr_away05:31
*** rushiagr_away is now known as rushiagr05:31
*** arborism has quit IRC05:35
*** gokrokve has quit IRC05:36
*** gokrokve has joined #openstack-keystone05:36
*** arborism has joined #openstack-keystone05:37
*** chandankumar has quit IRC05:40
*** gokrokve has quit IRC05:41
*** topol has quit IRC05:45
stevemarjamielennox, hit me05:50
jamielennoxpeople are staying up later - i like it05:51
jamielennoxstevemar:  https://review.openstack.org/#/c/112563/305:51
jamielennoxand https://review.openstack.org/#/c/113478/05:51
jamielennoxwhat the hell jenkins05:51
stevemarjamielennox, it's that time of the release05:51
stevemarjamielennox, do you know how i can figure out the ip address of the keystone server?05:52
jamielennoxwhich keystone server?05:52
stevemarthere used to be a config value in CONF05:52
jamielennoxoh, you can still override it in CONF, otherwise it takes it from the incoming request05:52
stevemarknow the exact value?05:52
jamielennoxso it uses whatever the user asked for (because apparently that worked for them )05:53
jamielennoxit's not retrieved from the server anywhere05:53
stevemarthats weird05:54
jamielennoxif i request http://host1:5000/v2 and something bounces me around, the response should still say host105:54
stevemari guess05:54
jamielennoxstevemar: i'd be ok approving that review even though jenkins failed, it's something to do with pip05:55
jamielennoxotherwise i'm stuck till tomorrow05:55
jamielennoxwell not stuck, just have to be careful of what order i put things up for review in05:55
stevemarrecheck it i suppose05:55
stevemari'll +2 it soon05:56
stevemarif jenkins passes, i think you can +A it05:56
jamielennoxthat's true, if it's got the two +2s i'll +a it when jenkins passes05:56
stevemarjamielennox, meh, i +A'ed it too05:59
stevemarsince if jenkins fails, nothing bad will actually happen06:00
stevemaryou'll be stuck in rebaseland06:00
stevemarerr.. recheckland06:00
jamielennoxstevemar: yea, gates quiet this time of day/night06:00
stevemaroh man06:00
jamielennoxno one will mind06:00
stevemarthats right06:00
stevemaryou mean it doesn't take ALL DAY for you to get a jenkins result?06:00
stevemari only get that on the weekend :)06:00
jamielennoxheh, still depends on the day06:00
jamielennoxif it's backed up it will still be backed up06:01
jamielennoxthe down side is obviously that no-one is around for me to make approve stuff06:01
*** ajayaa has joined #openstack-keystone06:01
*** chandankumar has joined #openstack-keystone06:02
*** arborism has quit IRC06:03
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/11192006:05
stevemarjamielennox, done!06:05
jamielennoxstevemar: thanks06:06
stevemarnp!06:06
jamielennoxit appears it is going to do a check run first anyway06:07
*** ukalifon has joined #openstack-keystone06:16
*** renlt has joined #openstack-keystone06:16
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/11413806:23
*** ncoghlan_afk is now known as ncoghlan06:23
*** jamielennox is now known as jamielennox|away06:24
*** tomoiaga has joined #openstack-keystone06:25
*** k4n0 has joined #openstack-keystone06:30
*** stevemar has quit IRC06:31
*** bvandenh has joined #openstack-keystone06:49
*** wanghong has quit IRC06:50
openstackgerritA change was merged to openstack/keystone: Do not require method attribute on plugins  https://review.openstack.org/10787306:56
*** wanghong has joined #openstack-keystone06:57
*** arborism has joined #openstack-keystone06:57
*** dhu has joined #openstack-keystone06:59
*** alex_xu has quit IRC07:02
*** abhishekk has joined #openstack-keystone07:22
abhishekkhi all, can any one review this patch, https://review.openstack.org/#/c/107482/07:23
abhishekkthank you07:23
*** arborism has quit IRC07:30
openstackgerritguang-yee proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559707:41
*** renlt has quit IRC07:52
*** abhishekk has quit IRC07:55
openstackgerritguang-yee proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559707:57
openstackgerritguang-yee proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559708:00
openstackgerritA change was merged to openstack/python-keystoneclient: Individual plugin CLI registering  https://review.openstack.org/11256308:08
openstackgerritA change was merged to openstack/python-keystoneclient: Allow registering individual plugin CONF options  https://review.openstack.org/11347808:09
*** henrynash has joined #openstack-keystone08:16
*** henrynash has quit IRC08:51
*** andreaf_ has quit IRC08:52
*** jaosorior has joined #openstack-keystone08:54
*** andreaf has joined #openstack-keystone09:00
*** ncoghlan has quit IRC09:02
*** yasukun has joined #openstack-keystone09:04
*** ashepelev has quit IRC09:05
openstackgerritIhar Hrachyshka proposed a change to openstack/keystone: migration: adopt for MySQL Connector  https://review.openstack.org/11027109:06
*** andreaf has quit IRC09:06
*** alex_xu has joined #openstack-keystone09:07
*** abhishekk has joined #openstack-keystone09:18
*** andreaf has joined #openstack-keystone09:30
*** andreaf has quit IRC09:30
*** andreaf has joined #openstack-keystone09:30
*** alex_xu has quit IRC09:32
*** andreaf has quit IRC10:02
*** andreaf has joined #openstack-keystone10:03
*** henrynash has joined #openstack-keystone10:05
*** chandankumar has quit IRC10:19
*** chandankumar has joined #openstack-keystone10:31
*** ajayaa has quit IRC10:34
*** alex_xu has joined #openstack-keystone10:58
*** alex_xu has quit IRC10:58
*** alex_xu has joined #openstack-keystone10:58
*** henrynash has quit IRC10:58
*** bvandenh has quit IRC11:00
*** ajayaa has joined #openstack-keystone11:01
*** andreaf has quit IRC11:05
*** bvandenh has joined #openstack-keystone11:06
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/10224411:19
openstackgerritwanghong proposed a change to openstack/keystone: add --rebuild option for ssl/pki_setup  https://review.openstack.org/8820711:28
*** Krast has quit IRC11:31
*** amirosh_ has quit IRC11:49
*** amirosh has joined #openstack-keystone11:49
*** henrynash has joined #openstack-keystone11:55
openstackgerritKristy Siu proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559712:02
openstackgerritwanghong proposed a change to openstack/keystone: trustor_user_id not available in v2 trust token  https://review.openstack.org/10182912:03
openstackgerrithenry-nash proposed a change to openstack/identity-api: Update region entries to include URLs  https://review.openstack.org/11411812:20
*** diegows has joined #openstack-keystone12:20
*** cjellick has joined #openstack-keystone12:24
*** mflobo has joined #openstack-keystone12:27
*** cjellick has quit IRC12:28
*** cjellick has joined #openstack-keystone12:29
*** bvandenh has quit IRC12:31
*** KanagarajM has quit IRC12:33
*** _elmiko is now known as elmiko12:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162012:34
*** andreaf has joined #openstack-keystone12:36
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/11406712:39
*** bvandenh has joined #openstack-keystone12:41
openstackgerritIhar Hrachyshka proposed a change to openstack/keystone: migration: adopt for MySQL Connector  https://review.openstack.org/11027112:46
*** abhishekk has quit IRC12:50
*** gordc has joined #openstack-keystone12:53
*** ajayaa has quit IRC13:01
elmikoif i create a domain specific configuration file for the default domain, do i need to put more than just the identity section's "driver" config?13:03
*** amirosh has quit IRC13:06
*** amirosh has joined #openstack-keystone13:06
elmikohenrynash: hi, i ran into this bug https://bugs.launchpad.net/keystone/+bug/1356682 last night. i have a few questions about it.13:10
uvirtbotLaunchpad bug 1356682 in keystone "GET /v3/users lists users in all domains" [Undecided,New]13:10
henrynashelmiko: ok...13:11
henrynashelmiko: the “design feature”, you mean :-)13:11
elmikohenrynash: so, i turn on specific domain backend. do a `keystone token-get` from the command line, when i issue the /v3/users call from rest i get an error because the token does not have a domain, what's the correct behavior here?13:12
elmikolol13:12
elmikoi was thinking that if you issue the user list without a domain scope, it should return a list from your user's default domain.13:13
henrynashelmiko: so if you put a filter on it (e.g. ?domain_id=XYZ) then it will work13:13
elmikohenrynash: let me try13:13
elmikoyes, it works as expected13:14
*** nkinder has quit IRC13:14
elmikohenrynash: i was going to propose a patch that scopes the token to the user's default domain, but i wanted to make sure that is appropriate.13:15
elmikowrong wording, not scopes, but returns the user list from their default domain13:15
henrynashelmiko: so many things like that are possible13:16
elmikohenrynash: are you saying that this pattern exists in many places?13:17
henrynashelmiko: the issue I have with all these suggestions is that I think in production, the policy engine will drive a lot of what is allowed to happen13:18
elmikohenrynash: so perhaps, the returned error is the most appropriate response?13:19
*** hrybacki has joined #openstack-keystone13:19
henrynashelmiko: well, we do some things already - e.g. if you create a user and don’t specify the domain_id of the user, it will use the domain scope of the token instead (and if it’s not domain scoped it will fail)13:21
elmikoright13:21
henrynashelmiko: I think this area is an interesting thing to discuss, however…and the tension is: “production strictness” vs “small cloud where I want to see everything" balance13:23
elmikohenrynash: that makes sense, and it's a good question. how would an admin see all the users regardless of domain.13:25
henrynashelmiko: so, with domain-specific backends, they really can’t…but today they can for regular SQL…and the question is really should we retain that ability13:26
henrynashelmiko: plenty of folks (ayoung among them) would like to abolish an unfettered GET /users….and I see their point…except for when small clouds are starting up it’s kind of nice13:27
henrynashelmiko: and right now you can insist on the filter by way of the policy file if you want….and that was the compromise...13:28
elmikohenrynash: interesting topic, i don't have a strong opinion either way. i guess, i thought at the least a v3/users GET should return something aside from an error, but maybe not.13:29
henrynashelmiko: yeah, understand the concern…sounds like a good ongoing conversation13:30
elmikohenrynash: and at the least, i'm thinking the docs for the v3/users endpoint should point out the domain specific issue13:32
*** bknudson has joined #openstack-keystone13:34
*** yasukun has quit IRC13:38
*** andreaf_ has joined #openstack-keystone13:38
*** rushiagr is now known as rushiagr_away13:39
*** andreaf has quit IRC13:41
*** gokrokve has joined #openstack-keystone13:59
*** nkinder has joined #openstack-keystone13:59
*** bvandenh has quit IRC14:00
*** joesavak has joined #openstack-keystone14:03
mfloboQuestion about keystone. Do we have some flow diagram about "what happens" when a request is sent to keystone?14:13
*** jasondotstar has joined #openstack-keystone14:13
mflobowith "what happens" I mean: what files, classes and functions are executed14:14
*** gokrokve has quit IRC14:14
*** gokrokve has joined #openstack-keystone14:14
*** ukalifon has quit IRC14:16
*** ukalifon2 has joined #openstack-keystone14:16
mflobofor example: http://mykeystone.com:5000/v3/whatever14:19
elmikomflobo: keystone novice here, but you might try looking at the code in  keystone/tests. i think the test_v3.py will give some clues about the flow for various calls14:23
*** ayoung has joined #openstack-keystone14:24
mfloboelmiko: thanks for the info but, do you know if there is some flow-chart or something?14:25
elmikomflobo: i haven't seen one, have you poked around http://docs.openstack/org/developer/keystone ?14:25
mfloboelmiko: yes I have but I didn't find anything similar14:26
mfloboelmiko: thanks again ;)14:26
*** zzzeek has joined #openstack-keystone14:26
elmikomflobo: yea, i don't think there is a flow chart that shows exactly how a rest call is processed.14:27
morganfainbergayoung, it's not worth fixing expiration time to be isostr, v2 tokens explicitly are 1s resolution (in the identity api, and validated in tempest) on expires time14:27
morganfainbergayoung, i'm going to add the audit id concept instead.14:27
morganfainbergayoung, which means i need to fix the identity api for revoke events14:29
morganfainbergayoung, ...........14:29
bknudsonmorganfainberg: the identity v2 spec says 1s?14:30
bknudson"expires": "2014-01-31T15:30:58Z",14:32
bknudsonweird14:32
morganfainbergbknudson, yep.14:33
morganfainbergbknudson, and tempest validates we use low resolution14:33
bknudsonvery thorough14:33
openstackgerritMarek Denis proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION  https://review.openstack.org/11399814:34
bknudsonmorganfainberg: why didn't you like the audit id before? I thought that's what you started with14:34
morganfainbergbknudson, i do like it, i got a few directed complaints about "adding stuff to the token"14:35
*** topol has joined #openstack-keystone14:35
bknudsonmorganfainberg: seems like "adding stuff to the token" is as bad as "changing v2 token timestamp to be millisecond rather than second"14:35
morganfainbergbknudson, both require identity-api changes as revocation events explicitly says (in its api doc) expiration_time is used14:36
bknudsonis it just that tempest doesn't check that there's no audit id field so it's easier?14:36
morganfainbergbknudson, pretty much. and guaranteed to only be one place in the docs to fix things :P14:36
morganfainbergbknudson, strike that, still need to chase down all the token locations14:37
morganfainbergbknudson, so we can add audit id14:37
bknudsonmorganfainberg: adding audit_id affects both v2 and v3, so seems like it would be more doc work14:37
morganfainbergbknudson, it's probably about the same amount.14:38
bknudsonchanging an existing field is considered a non-backwards compatible change14:38
morganfainbergbknudson, yep.14:38
morganfainbergbknudson, and since revocation events shipped, in *theory* removing the expires_at stuff is non-compatible14:38
morganfainbergbknudson, the audit id would need to replace expires_at use in revocation events14:38
bknudsonmaybe we need to find a way to support old revocation event format14:39
bknudson(which I would expect requires dropping the revocation tree checking and making it easier to understand)14:39
*** andreaf_ is now known as andreaf14:39
ayoungmorganfainberg, which means you have to work with the tree code, and you are not looking forward to that, so you are contemplating rolling back to the older, easier to understand version?14:39
morganfainbergayoung, i'd like to, but this is turning into an even bigger project than it already is.14:40
ayoungyep14:40
bknudsonthe check code is still there, it's in the test14:40
morganfainbergayoung, i'm fairly certain i could make the tree code work. i currently have my head wrapped around what it is doing14:40
*** stevemar has joined #openstack-keystone14:41
ayoungmorganfainberg, what if we break the v2.0 tokens?  Make their expires time longer.  Would that really break anything?14:41
*** rushiagr_away is now known as rushiagr14:41
morganfainbergayoung, you mean add subsecond resolution? it's considered non-backwards compatible14:41
morganfainbergayoung, we're changing the format of a field14:42
morganfainbergbknudson, i think adding the audit id is the lowest impact change. just a lot of doc work14:42
morganfainbergbknudson, and i *think* i can make the code do "use expires_at if audit id doesn't exist"14:43
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Remove superfluous exception block from auth_token  https://review.openstack.org/11426114:43
bknudsonmorganfainberg: here's the non-tree code: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_revoke.py#n5114:45
*** k4n0 has quit IRC14:45
bknudsonmorganfainberg: I don't have a problem with audit ID.14:45
morganfainbergbknudson, oh you weren't kidding its really in the tests :P14:45
bknudsonmight not need a whole uuid for the audit ID14:45
morganfainbergbknudson, probably not14:45
bknudsoncould be a shorter random string.14:45
morganfainbergbknudson, could probably do uuid4().hex[1:8]14:46
bknudsonsince it's going to be unique to a user14:46
bknudsonmorganfainberg: could do better than limiting to hex chars... should be able to use base6414:46
bknudsonit only has to be unique to a user and for a limited time.14:47
morganfainbergbknudson, sure. could use just about anything that'll json encode decently14:47
bknudsonI'd think 3 chars would be adequate.14:48
morganfainbergbknudson, so uuid4().bytes.encode('base64')[:5] ?14:48
bknudsonmorganfainberg: let me try it...14:49
bknudsonmorganfainberg: I like it14:49
morganfainbergbknudson, cool14:49
elmikoayoung: i dug into that issue we were looking at last night, looks like a bigger can of worms than i initially thought.14:49
*** david-lyle has joined #openstack-keystone14:50
ayoungmorganfainberg, what if V2 tokens had an additional, option field14:50
ayoungthat had the expiration at microseconds or whatnot14:50
ayoungmilis?14:50
morganfainbergayoung, about as much work as adding the audit id string14:50
ayoungmorganfainberg, yeah, but it means we are back to revoking one token at a time14:50
morganfainbergayoung, and there is more benefit if we're doing that (no collisions on expires_time) to go to the audit id route14:50
ayoungpros and cons...I trust your judgement on this14:51
bknudsonayoung: this is the issue that morganfainberg ran into. when revoking a token it was revoking other tokens.14:51
ayoungbknudson, yes, I'm, aware14:51
ayoungand that was due to the overly broad matching of the expires time14:52
morganfainbergayoung, i think audit id is best, we *can* chain the audit id "original_audit_id" or "audit_chain_id" and explicitly revoke on that14:52
ayoungif needs be14:52
morganfainbergayoung, when we want to do a "revoke everything in the chain"14:52
morganfainbergayoung, expires time event at millis resolution is likely to get more collisions14:52
morganfainbergin a big environment with many keystones14:52
ayoungnot for the same user14:52
ayoungsize of the env does not matter, it is single user activity14:53
morganfainbergayoung, 5 processes for user+project combo doing actions at the same time14:53
morganfainbergayoung, multiple keystones (nothing says that is impossible)14:53
morganfainbergayoung, collisions are much more likely especially when tokens are issued across multiple processors / servers14:53
ayoungmorganfainberg, fair enough.  We can go the audit ID approach.  It should make topol happy, too14:54
ayoungand yes, topol, summoning you was intentional14:54
morganfainbergayoung, yeah, also i think the *smallest* amount of work14:54
morganfainbergof the options14:54
bknudsonif it's really for audit then maybe it should be a full uuid14:54
topolayoung Im here14:54
morganfainbergbknudson, sure. happy to use full uuid14:55
ayoungtopol, for revocation events, we are considering adding an additional identifier to the token, just to be used for revoking it14:55
bknudsonstill, seems like we can do better than hex chars14:55
topolbknudson ++ full uuid is always good for auditing14:55
morganfainbergbknudson, >>> uuid4().bytes.encode('base64').strip()14:55
morganfainberg'tWUiRM/PRDW+lzTks37cLQ=='14:55
ayoungwe are planning on calling it audit_id, as you can then use it to uniquely identify a token in audit without giving away the secret14:55
bknudsonmorganfainberg: always ends in == so that's redundant14:56
morganfainbergbknudson, (strip because of the \n)14:56
topolayoung that sounds like a very good idea14:56
*** jsavak has joined #openstack-keystone14:56
ayoungtopol, we have a couple problems with the current way we process token revocations, and this seems like the best approach14:56
morganfainbergbknudson, hm. yeah because of the length it should always be == at the end14:56
bknudsonuuid.uuid4().bytes.encode('base64')[:-3]14:56
morganfainbergbknudson, >>> uuid4().bytes.encode('base64')[:-3]14:56
morganfainbergbknudson, ++14:56
bknudsonwhy does it add a newline?? weird14:56
topolayoung sounds good to me14:56
*** hrybacki has quit IRC14:56
morganfainbergbknudson, yeah i dunno about that. it's very odd14:57
ayoungmorganfainberg, OK, let's do this in a manageable series of patches.  First merely adds the audit_id to the tokens14:57
*** joesavak has quit IRC14:57
morganfainbergayoung, thats the first one14:57
ayoungSecond allows for revocation by audit_id14:57
ayoungonly14:57
morganfainbergayoung, bknudson, do you *want* to support knowing the token chain?14:58
ayoungthird changes the revocation of a specific token to revoking by audit id14:58
ayoungmorganfainberg, not for now14:58
ayoungmorganfainberg, I think that might be the wrong direction14:58
bknudsonmorganfainberg: I assume if you create  token from a token then it'll get the parent token's audit_id?14:58
morganfainbergayoung, figured i'd ask because it really is 4 extra lines and future proofs us14:58
bknudsonor are we going to have both?14:58
bknudsonjust like it gets the parent token's expiration time14:58
ayounginstead, I think  I would rather focus on not trading a scoped token for another token14:58
ayoungand then revoking a scoped token doesn't need a chain14:59
ayoungchain14:59
morganfainbergbknudson, i was thinking each token always has a unique id, and the first token's audit id is carried forward for all rescoping in a separate field14:59
*** hrybacki has joined #openstack-keystone14:59
*** hrybacki has quit IRC14:59
bknudsonmorganfainberg: separate field works.14:59
*** hrybacki has joined #openstack-keystone14:59
ayoungrevoking an unscoped token OTOH  it might make sense to leave around its scoped children to get work done14:59
morganfainbergbknudson, {'audit_id': <audit id>, 'audit_chain': <original token's audit id, optional>}14:59
ayoungespecially if their lifespan is short14:59
*** hrybacki has quit IRC14:59
*** hrybacki has joined #openstack-keystone15:00
ayoungI clicked log out.  I hope that vm I just kicked off gets built, but I don't want to leave my session open to find out15:00
morganfainbergbknudson, but i'm not heartset on needing that or anything, just asking if we wanted that now, since it is so trivial to add15:00
morganfainbergand updating docs is going to be a bunch of work anyway15:01
bknudsonmorganfainberg: I think it's needed to have it work as it does now15:01
morganfainbergbknudson, ah because we *can* chain revoke we should still support it15:01
morganfainbergbknudson, ok so the original token would then have the same value for audit_id and audit_chain. sound good?15:02
morganfainbergbknudson, all subsequent/rescoped tokens from there would end up with the original's audit_chain value, but their own audit_id15:03
bknudsonayoung: considering that we're past getting new proposals in, I think we're past where we can make the change to trade a scoped token for another token...15:03
bknudsonI think it would be a major improvement15:04
ayoungSo, bknudson, oh, yeah, I'm talking future stuff here15:04
bknudsonbut I think it requires a summit discussion15:04
bknudsonmorganfainberg: I'm fine with an original token having audit_id == audit_chain, although it seems redundant.15:05
bknudsonmost tokens are going to be original tokens, aren't they?15:05
bknudsonso then most token would have something they don't need15:05
morganfainbergbknudson, somewhat. anything in horizon will be unscoped -> scoped -> whoknowswhat15:06
morganfainbergbknudson, there is a *lot* of rescoping that goes on.15:06
bknudsonmaybe it's just because I don't use horizon15:06
ayoungmake audit ID be an array15:06
ayoungthe id for this token is the last element of the array15:06
morganfainbergayoung, ah and only ever end up with 2 in the array (max)15:07
morganfainbergayoung, hm. ... i think that will pose problems in the tree matching15:07
ayoungmorganfainberg, tree code can start by just matching the last15:08
bknudsonI'd prefer it if audit_chain is left off for an original token, and there if it's a rescoped token15:08
morganfainbergbknudson, happy to do so.15:08
morganfainbergbknudson, will leave the chain out15:08
morganfainbergbknudson, for originals that is15:08
morganfainbergbknudson, any thoughts on using an array vs. flat scalar value?15:09
morganfainberg^15:09
ayoungmorganfainberg, why not do it as an array.  That makes us future proof15:10
ayoungthe tree check can be a for-each type logic15:10
bknudsonwith json you could have it a string and then an array if there's more than 115:10
bknudsonwould save a couple bytes15:10
bknudsonI don't have a problem with an array15:10
morganfainbergayoung, didn't have a reason not to, just asking for extra views.15:11
morganfainbergayoung, if there was a reason i wasn't seeing and bknudson did, i'd want to know :)15:11
henrynashstevemar: any chance you could re-apply your +2 to https://review.openstack.org/#/c/99842/ - I fixed the nits you raised on it15:11
bknudsonI'm assuming it's only going to have 2 elements max15:11
ayounghenrynash, question for you.15:11
morganfainbergbknudson, yeah15:11
ayounglist users15:11
stevemaroops15:11
morganfainbergbknudson, that would be the intent15:11
stevemarhenrynash, sure thing15:11
henrynashayoung: mais oui...15:11
ayounghenrynash, right now the logic is different if domain specific backends are enabled15:11
bknudsonif we allow infinite elements then that could be a denial of service15:11
ayoungshould list users always be confined to a specific domain?15:12
ayoungI would think "yes"15:12
morganfainbergbknudson, i would explicitly only allow 2 in our code. audit id, and audit chain15:12
*** david-lyle has quit IRC15:12
henrynashayoung: yes, if you have domain-specific backends we insist there is a domain scope of some kind (either explicit filter or domain scoped token)15:12
bknudsonmorganfainberg: ok, works for me... might make some potential applications a little more difficult to write15:12
ayounghenrynash, but shouldn't that be the case even if there are no domain specific backends?15:13
morganfainbergbknudson, perhaps. but i think we're smart enough.15:13
*** david-lyle has joined #openstack-keystone15:13
morganfainbergbknudson, ;)15:13
ayounghenrynash, say I am a provider.  Each customer goes into their own domain15:13
bknudsone.g., if I wanted to write an application to grab the token with a given audit id I'd have to parse the field15:13
ayoungI don't want customers in dom1  listing users in dom215:13
henrynashayoung: so elmiko and I had quite a long chat about this earlier15:13
ayounghenrynash, I know, I primed that pump15:13
elmikoo/15:13
henrynashayoung: I’d never have guessed :-)15:14
elmikolol15:14
ayoungactually, I didn't know you guys had talked15:14
ayoungdid you decide something?15:14
*** richm has joined #openstack-keystone15:15
elmikowe agreed it's a good conversation topic =D15:15
henrynashayoung: so most production systems would, I’m sure, use the policy so that most users had to specify a filter15:15
marekd|awaydolphm: How about adding a SAML XML response in https://review.openstack.org/#/c/113998/ ?15:15
ayounghenrynash, that is going to be unfriendly.  Why not use the rule that you already put in place?  If no filter, then filter by user's domain?15:16
henrynashayoung: the question is, if we were to mandate scope-ness (either by filter or token), then do you think we would have to allow some kind of admin ability to bypass this?15:16
ayounghenrynash, list all users everywhere?15:16
henrynashayoung: actually we filter by the scope of the token I think15:16
ayounghenrynash, only if domain_specific_backends is enabled15:17
ayounghenrynash, so it is unevenly applied15:17
henrynashayoung: but some principle (and yes, only then)15:17
henrynashayoung: and I agree, unevenly applied15:17
*** david-lyle has quit IRC15:17
ayounghenrynash, so I am just suggesting applying it evenly15:17
henrynashayoung: so I switch on openstack for the first time15:17
ayounghenrynash, you are worried about "least surprise"  here?15:18
henrynashayoung: well. just don’t want the small clouds who are starting out to find it too hard15:18
elmikoayoung: just to be clear, if domain_specific_backends=false and a GET on /v3/users/ comes in, then the reply should be a list from the user's domain?15:19
ayounghenrynash, if you are looking at multiple domains, it is beyond "small clouds" I think15:19
ayoungelmiko, I think so15:19
henrynashayoung: agreed….15:19
elmikoayoung: then likewise, if domain_specific_backends=true, should the same GET return the same?15:19
ayoungelmiko, yes15:20
henrynashayoung: so we’d be saying that you have to get a domain scoped token to do a naked GET /users15:20
ayounghenrynash, not quite15:20
morganfainbergbknudson, last question, audit_chain first or last?15:20
ayoungit means you need to have an appropriate role for doing that15:20
ayoungso it is policy dependent15:20
henrynashayoung: even if you have just the default domain15:20
bknudsonmorganfainberg: really makes no difference to me... I'd expect audit_chain last since then the first elem is always the audit_id.15:20
ayoungbut, yeah.  Isn't that what domain scoped tokens are supposed to be for, though?15:20
morganfainbergbknudson, ++ that was my thought15:21
bknudsonmorganfainberg: or are there always 2 elements?15:21
henrynashayoung: I guess I’d find it hard to argue against that15:21
morganfainbergbknudson, oh you mean [ID, None] in the case of original token?15:21
bknudsonor [ID, ID]15:21
morganfainbergbknudson, i thought we wanted to not duplicate data for original tokens15:21
ayoung['ME']15:21
ayoung['ME', ['Parent']]15:22
bknudsonmorganfainberg: I'd expect 1 element [ID] for original token and [ID, CHAIN_ID]15:22
ayounger15:22
bknudsony15:22
ayoung['ME', 'Parent']15:22
elmikoayoung, henrynash, so it sounds like regardless of the domain specific option, GET on /v3/users/ should return a list of the user's domain, even if the token is unscoped?15:22
ayoungso audit_chain[0] is me15:22
henrynashayoung: so we’d probably have to allow an admin token to work….but in that case, which domain?15:22
morganfainbergbknudson, so ['ME', None] or ['Me', 'Me'] for original token?15:22
bknudsonmorganfainberg: that seems unnecessary.15:22
*** amirosh has quit IRC15:22
henrynashelmiko: so that’s not true for either case today15:22
ayoungelmiko, hmmm  you should not be able to do list users with an unscoped token15:22
morganfainbergbknudson, k so ['Me'] is original15:23
elmikohenrynash: yea15:23
morganfainbergbknudson, ['me', 'parent'] is chained15:23
bknudsonmorganfainberg: y15:23
ayoungadmin_token is default domain only15:23
*** david-lyle has joined #openstack-keystone15:23
morganfainbergbknudson, cool15:23
elmikoayoung: ok15:23
*** amirosh has joined #openstack-keystone15:23
henrynashelmiko I don’t think we should use the “user’s domain”…it should be the scope of the token15:23
ayounghenrynash, ++15:23
elmikohenrynash: ok, so you need to have a domain scoped token to do a user list then?15:24
henrynashelmiko: or specify a filter15:24
elmikoright, or that15:24
ayounghenrynash, now, what is that going to break?15:24
henrynashayoung: so if i am booting openstack, using the admin token15:25
henrynashayoung: I am sure I want to do a list users15:25
ayoungimplicitly scope it to the default_domain admin role15:25
henrynashayoung: so I only see users in the default domain?15:25
*** gokrokve_ has joined #openstack-keystone15:27
*** dutsmoc is now known as comstud15:27
*** amirosh has quit IRC15:27
henrynashayoung: the other kind of thing that would break, I suspect, is that if a customer is using the default policy file (which basically says admin can do anything), and I was using multiple domains in a promiscuous way, then my GET /users wouldn’t do what it used to15:28
openstackgerritKristy Siu proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559715:28
henrynashmorganfainberg: when you have a minute, could you reapply your +2 (maybe a +A as well) to https://review.openstack.org/#/c/99842/ - only change since you did it last was fixing some nits from Steve15:29
morganfainberghenrynash, done15:29
henrynashmorganfainberg: thx15:29
*** gokrokve has quit IRC15:31
*** gokrokve_ has quit IRC15:31
ayounghenrynash, I'm going to read the current state, and I'll click +A15:34
ayoung+2 is on there from 2 core15:34
*** topol has quit IRC15:34
*** joesavak has joined #openstack-keystone15:38
ayounghenrynash, so...now that the spec is in, let's talk fetching for a moment...15:38
ayoungyour patch made me think that each endpoint should get its own identity15:38
ayoungi.e. a service domain, with each endpoint getting a distinct user15:38
ayoungthen  user->endpoint  means "fetch policy for me"  can be resolved without the endpoint needing to store its own id15:39
openstackgerritA change was merged to openstack/keystone-specs: Endpoint policy extension  https://review.openstack.org/9984215:40
*** hrybacki_ has joined #openstack-keystone15:40
*** jsavak has quit IRC15:41
*** hrybacki has quit IRC15:41
*** henrynash has quit IRC15:42
*** ukalifon2 has quit IRC15:43
*** tomoiaga has quit IRC15:44
elmikoayoung: does this look like the proper json to create a domain scoped token? https://gist.github.com/elmiko/b6270c626061767fbce715:55
elmikoayoung: oops, disregard... i pasted the wrong thing15:58
ayoungelmiko, I'll paste15:58
ayounger...wait, no I won't15:58
*** henrynash has joined #openstack-keystone15:58
*** KanagarajM has joined #openstack-keystone15:59
ayoungelmiko, but instead of "project"  the level under scoped should be "domain"15:59
elmikoayoung: ok, that's what i'm trying but when i GET v3/auth/tokens i get "user ... has no access to domain default"16:00
elmikoer POST16:00
ayoungelmiko, that is correct16:00
ayoungit is not implicit that a user with a role on a project in the domain has a role on the domain itself16:01
ayoungitself16:01
ayoungcreate a role assignment for the user on the domain16:01
*** david-lyle has quit IRC16:01
elmikook, i'll check the roles. thanks16:02
elmikoayoung: there are project roles and domain roles?16:03
*** david-lyle has joined #openstack-keystone16:03
ayoungelmiko, the names of the roles are the same, but yeah, it's where the role is assigned that counts, and roles can be assigned to a user on a project or assigned to a user on a domain16:03
openstackgerritA change was merged to openstack/identity-api: Removes WADL references from Identity v2.0 API  https://review.openstack.org/11262016:04
elmikoahh, turtles all the way down :)16:04
ayoungpretty much16:06
*** afazekas has quit IRC16:10
*** ayoung is now known as ayoung_lunch16:15
*** gokrokve has joined #openstack-keystone16:27
*** hrybacki_ is now known as hrybacki16:27
*** hrybacki is now known as hryabcki_afk16:29
*** Guest54676 is now known as mgagne16:30
*** mgagne has joined #openstack-keystone16:30
*** henrynash has quit IRC16:39
*** jaosorior has quit IRC16:42
stevemardstanek, replied to your q on adding url to region16:43
stevemardstanek, i would also appreciate a review on the patch i mention there :)16:43
*** chandankumar has quit IRC16:46
*** afazekas has joined #openstack-keystone16:49
*** david-lyle has quit IRC16:50
*** tpatil has joined #openstack-keystone16:50
*** david-lyle has joined #openstack-keystone16:50
*** raildo has joined #openstack-keystone16:51
*** david-lyle has quit IRC16:53
*** david-lyle has joined #openstack-keystone16:53
*** topol has joined #openstack-keystone16:53
*** david-lyle has quit IRC16:54
*** david-lyle has joined #openstack-keystone16:54
*** harlowja has joined #openstack-keystone16:56
*** spandhe_ has joined #openstack-keystone16:59
*** vhoward has left #openstack-keystone17:02
*** chandankumar has joined #openstack-keystone17:03
*** radez_g0n3 is now known as radez17:10
*** jsavak has joined #openstack-keystone17:34
*** joesavak has quit IRC17:36
dstanekstevemar: nice, i'll check it out17:39
*** abhishekk has joined #openstack-keystone17:48
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559717:50
stevemarmarekd|away, dstanek, dolphm i think it's worth checking out https://review.openstack.org/#/c/105597/8 - kwss patch for refactoring, it's looking pretty good to me...17:52
abhishekkhi all, can any one review this patch, https://review.openstack.org/#/c/107482/17:52
abhishekkthank you17:52
*** hryabcki_afk is now known as hrybacki17:54
*** david-lyle has quit IRC17:55
*** david-lyle has joined #openstack-keystone17:56
*** arun_kant has joined #openstack-keystone17:58
openstackgerritDavid Stanek proposed a change to openstack/keystone: WiP: Script to sync oslo  https://review.openstack.org/11430518:00
*** david-lyle has quit IRC18:00
*** KanagarajM has quit IRC18:00
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: WIP Add Audit IDs to tokens  https://review.openstack.org/11430618:00
*** david-lyle has joined #openstack-keystone18:02
*** spandhe_ has quit IRC18:02
*** spandhe_ has joined #openstack-keystone18:03
*** tpatil has quit IRC18:03
*** spandhe_ has quit IRC18:06
*** radez is now known as radez_g0n318:06
*** andreaf has quit IRC18:18
*** afazekas has quit IRC18:19
*** andreaf has joined #openstack-keystone18:19
*** amirosh has joined #openstack-keystone18:21
*** chandankumar has quit IRC18:22
*** ayoung_lunch has quit IRC18:22
*** leonchio__ has joined #openstack-keystone18:41
stevemarmorganfainberg, ping18:41
stevemarmorganfainberg, if given a token id, and i want to get the user and roles ref, i should be using self.token_provider_api.validate_token(token_id) right?18:42
stevemarthe new token provider api18:43
leonchio__hi folks, just like to post a question, does Keystone V2 APIs support creating Groups and Users via LDAP or are they only available with V3 APIs?18:45
morganfainbergstevemar, ping18:54
morganfainbergstevemar, erm pong18:54
morganfainbergstevemar, yes please, i also suggest funneling it into the KeystoneToken model18:55
morganfainbergstevemar, so you don't need conditional code to know v2 vs v318:55
stevemarmorganfainberg, still worth using token model if it's v3 specific?18:56
stevemaractually... i guess the idp side doesn't have to be18:57
*** david-lyle has quit IRC18:59
stevemarmorganfainberg, <3 the keystone token model19:00
*** david-lyle has joined #openstack-keystone19:02
*** amirosh has quit IRC19:04
stevemarlbragstad, did you validation stuff go in?19:05
*** abhishekk has quit IRC19:06
*** tpatil has joined #openstack-keystone19:10
jsavaklbragstad may or may not be on a boat in the middle of lake travis now.19:12
dstanekstevemar: no, not yet19:12
dstanekjsavak: he on vacation?19:12
jsavaknope - team outing19:12
dstanekah, ok19:12
stevemardstanek, it is in19:13
stevemarthe base stuff is in anyway19:13
stevemari just made a schema to validate stuff19:13
stevemaryay19:13
stevemarAND i'm using the token model19:14
dstanekstevemar: yeah, some of the initial stuff is in, but there are log of outstanding things to deal with19:14
stevemardstanek, i just want to create a simple schema to do my error handling19:14
stevemarvalidator handles the structure of the req, and backends handle if it exists, then i am gold19:15
*** arosen1 has joined #openstack-keystone19:15
19:17 <arosen1> There seems to be a really bad bug that was introduced in the keystoneclient i believe that breaks it against older deployments i believe: http://paste.openstack.org/show/95157/
19:17 *** morganbird has joined #openstack-keystone
19:17 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/114138
19:17 <arosen1> I noticed that my neutronclient doesn't work against our internal cloud anymore. Installing an older one seems to fix it.
19:21 <arosen1> anyone see this trace in keystone before: http://paste.openstack.org/show/95162/
19:24 <dstanek> arosen1: someone mentioned that yesterday and i think we have a bug for it
19:24 <dstanek> i'm not sure what it is though
19:24 <arosen1> dstanek: which one?
19:26 <dstanek> arosen1: i think https://bugs.launchpad.net/keystone/+bug/1339439 is what they were talking about
19:26 <uvirtbot> Launchpad bug 1339439 in keystone "TypeError: object of type 'NoneType' has no len()" [Undecided,Incomplete]
19:26 <arosen1> it seems related to the session code i think
19:26 <arosen1> let me dig into it
19:26 <dstanek> arosen1: did you install an older version of the neutron client to get it to work?
19:26 <arosen1> i did
19:27 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/110542
19:33 *** miqui has quit IRC
19:35 *** stevemar has quit IRC
19:35 *** ayoung has joined #openstack-keystone
19:36 *** stevemar has joined #openstack-keystone
19:37 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/114138
19:38 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/110542
19:39 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/114138
19:40 *** miqui has joined #openstack-keystone
19:44 *** tpatil has quit IRC
19:51 <openstackgerrit> Kristy Siu proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/105597
19:53 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Bump hacking to 0.9.x series  https://review.openstack.org/98996
19:53 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Updates package comment to be more accurate.  https://review.openstack.org/114326
19:54 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Enable hacking H104 - Full of only comments  https://review.openstack.org/114327
19:54 <dstanek> morganfainberg: do you not like hacking H104 enabled?
19:55 <morganfainberg> dstanek, which one is H104?
19:55 <morganfainberg> dstanek, oh full of only comments
19:55 <morganfainberg> yeah i don't see a benefit to that one
19:55 <dstanek> file full of only comments
19:55 <morganfainberg> it seems like a silly test
19:56 <morganfainberg> i mean, i won't -1 it being enabled, but i wouldn't put forth the effort to enable it :P i mean... i've already typed more than i think it's worth on the subject
19:56 <dstanek> morganfainberg: i just abandoned my patch :-)
19:56 <morganfainberg> dstanek, hehe
19:56 <dstanek> morganfainberg: i fixed up /opt/stack/keystone/.git/.COMMIT_EDITMSG.swp
19:56 <dstanek> blah....
19:56 <morganfainberg> LOL
19:57 <dstanek> https://review.openstack.org/#/c/98996/11
19:57 <openstackgerrit> Kristy Siu proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/105597
19:58 <morganfainberg> ok i think i almost have the audit_ids in tokens code done
20:04 *** nkinder has quit IRC
20:05 *** gokrokve has quit IRC
20:06 *** gokrokve has joined #openstack-keystone
20:08 *** leonchio__ has quit IRC
20:08 *** gokrokve has quit IRC
20:08 *** gokrokve has joined #openstack-keystone
20:14 *** andreaf_ has joined #openstack-keystone
20:14 <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens  https://review.openstack.org/114306
20:15 <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens  https://review.openstack.org/114306
20:16 <morganfainberg> dstanek, slowly i'm populating new token unit tests in the keystone.token.unit.token package :)
20:16 <morganfainberg> erm keystone.test.unit.token
20:17 *** andreaf has quit IRC
20:19 *** jasondotstar has quit IRC
20:21 *** nkinder has joined #openstack-keystone
20:21 <dstanek> morganfainberg: nice,
20:22 <morganfainberg> topol, ^ you might want to look at that from an audit perspective
20:22 <morganfainberg> jamielennox|away, ping re: printing token information when you're back.
20:24 <morganbird> Hey all, I asked in #openstack-horizon but it seems dead: is there a recommendation or working prototype for third party auth with horizon and keystone? I've got federated keystone working with a SAML IdP but can't find much on integrating horizon with federated keystone.
20:27 <morganbird> Just looking for a point in the right direction.
20:32 <openstackgerrit> Brad Topol proposed a change to openstack/keystone: Add audit support to keystone federation implements bp/audit-support-for-federation  https://review.openstack.org/114337
20:34 *** leonchio_ has joined #openstack-keystone
20:36 *** tpatil has joined #openstack-keystone
20:36 <openstackgerrit> Brad Topol proposed a change to openstack/keystone: Add audit support to keystone federation implements bp audit-support-for-federation  https://review.openstack.org/114337
20:37 <tpatil> ayoung: Are you there?
20:38 <ayoung> tpatil, Ain't nobody here but us chickens
20:39 *** ayoung is now known as chicken
20:39 *** chicken is now known as ayoung
20:39 <tpatil> ayoung: Can you please review this patch https://review.openstack.org/#/c/107482/? Need one more +2 to get this patch merged. Thanks.
20:39 <ayoung> tpatil, have you reviewed any of my patches?  I mean, c'mon, fair is fair.
20:39 <ayoung> Heh
20:40 <ayoung> But I like that patch of yours
20:40 <ayoung> and I'm totally joking.  Don't bother looking at my patch list
20:41 <ayoung> tpatil, check me on this.  the "listen" code is not really dealing with the SIGHUP issue, right?  I mean, it looks good, but it is a different bug?
20:44 <tpatil> ayoung: Let me explain it in 2 steps
20:44 <ayoung> please do
20:44 <tpatil> ayoung: 1. First we have added a reset method, as the service framework requires the wsgiservice to implement a reset method.
20:44 <ayoung> OK
20:45 <ayoung> but that is just a pass
20:45 <ayoung> what does that fix?
20:45 <ayoung> ah
20:45 <tpatil> ayoung: after the reset method was added, we got an "SSL object can not be duplicated" error, so we have made other changes including changing the listen method.
20:45 <ayoung> AttributeError: 'Server' object has no attribute 'reset'.
20:46 <tpatil> ayoung: Yes
20:46 <ayoung> tpatil, any issues in converting regular socket to ssl?
20:47 <ayoung> it hasn't started listening, so no room for a non-secured request on it, right?
20:47 *** rushiagr is now known as rushiagr_away
20:48 *** morganbird has quit IRC
20:49 <tpatil> ayoung: I need to check this in my environment, checking now..
20:50 <ayoung> tpatil, what is the sequence?  start is called before listen, I assume?
20:51 <tpatil> ayoung: listen is called first, in which the socket is created, then the service framework calls the start method after the SIGHUP signal is sent.
20:52 <ayoung> tpatil, it's no different than what happens now, I see
20:52 <tpatil> ayoung: after the SIGHUP signal is sent, when the server is killed that socket is closed, so we have duplicated the socket in the start method.
20:53 <ayoung> just that you are duplicating after the listen, so if there is a problem with your code, it is there in the existing,
20:54 <ayoung> I suspect that nothing can be done until the pool.spawn is called at the bottom.
20:54 <tpatil> ayoung: yes, the issue is there in the existing code, we have tried to fix it here.
20:55 <ayoung> tpatil, I assume that the list....wrap_ssl pattern is the greenthread norm?
20:56 <ayoung> tpatil, OK, let me try this on my machine...
20:56 <tpatil> aoyung: FYI, you can find the same design implemented in the cinder/nova services.
20:56 <ayoung> tpatil, I assure you that gives me no reassurance whatsoever.  It just means we copied each other.
20:56 <tpatil> ayoung: s/aoyung/ayoung
20:56 <ayoung> But your part of the code looks ok
20:57 <ayoung> tpatil, OK, how do I trigger the bug?  I am running code without your patch.
20:58 <tpatil> ayoung: kill -SIGHUP <process_id>
20:59 <ayoung> tpatil, and....?
20:59 <tpatil> if you are using devstack, then you need to make changes to the "_is_daemon" to return TRUE here or run the keystone service as a daemon.
20:59 <ayoung> killed the server, but no error
20:59 <ayoung> ok
21:00 <ayoung> Got it.
21:00 <ayoung> I can just run bin/keystone-all &
21:00 <ayoung> now let me try your code
21:01 <tpatil> ayoung: ok
21:03 <ayoung> tpatil, need to update my venv....
21:04 <tpatil> ayoung: ok
21:05 <ayoung> tpatil, I kind of need to run this one by hand, as there really is no trusting the CI to catch this, is there
21:07 <tpatil> ayoung: stank and I had tested this patch together in his environment a few days ago.
21:08 <tpatil> s/stank/dstanek
21:10 *** jsavak has quit IRC
21:10 *** stevemar has quit IRC
21:12 <ayoung> tpatil, Very nice
21:13 <ayoung> tpatil, let me know if Gate chokes on it, but it should merge
21:13 <tpatil> ayoung: Aure. Thanks for approving this patch
21:13 <tpatil> s/Aure/Sure
21:14 <openstackgerrit> David Stanek proposed a change to openstack/keystone: WiP: Script to sync oslo  https://review.openstack.org/114305
21:18 *** hrybacki has quit IRC
21:23 *** zzzeek has quit IRC
21:24 *** cjellick_ has joined #openstack-keystone
21:26 *** cjellick has quit IRC
21:26 <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens  https://review.openstack.org/114306
21:34 <dstanek> marekd|away: you hacking on the "Federation Process" review?
21:35 <marekd|away> dstanek: https://review.openstack.org/#/c/105597/ this one?
21:35 <dstanek> marekd|away: yep
21:35 <marekd|away> dstanek: no, i posted my comments only.
21:35 <marekd|away> i meant 'their' changes :-)
21:36 <dstanek> :-) i may fix my nits and push again - but i'm not going to address the older tests or the REMOTE_USER issue you brought up
21:36 *** zzzeek has joined #openstack-keystone
21:38 <marekd|away> dstanek: i am gonna crash soon, so could you please copy my comments to the new version so kwss or gyee can see them tmrw?
21:38 <dstanek> marekd|away: sure, i'll make sure it's obvious that there is still work to be done
21:38 <morganfainberg> dstanek, i like the WIP button for that.
21:39 <morganfainberg> dstanek, forces another patchset before it can merge (at the least)
21:39 <marekd|away> unless you know what their idea was and can answer on behalf of them.
21:39 <dstanek> morganfainberg: good point.
21:46 *** openstackgerrit has quit IRC
21:47 *** openstackgerrit has joined #openstack-keystone
21:51 *** topol has quit IRC
21:55 *** andreaf has joined #openstack-keystone
21:56 *** andreaf has quit IRC
21:56 *** andreaf has joined #openstack-keystone
21:56 *** andreaf has quit IRC
21:57 *** tpatil has quit IRC
21:58 *** andreaf_ has quit IRC
22:04 *** cjellick_ has quit IRC
22:04 *** cjellick has joined #openstack-keystone
22:08 *** cjellick has quit IRC
22:09 <dstanek> dolphm, bknudson: i'm heading out for dinner in a bit. when i get back i'll work on https://bugs.launchpad.net/keystone/+bug/1354208 if it's not assigned to anyone else
22:09 <bknudson> dstanek: I haven't had time to work on it, so go ahead
22:09 <dstanek> bknudson: i'm planning on starting off with a whitelist and see who barks
22:10 <bknudson> dstanek: I think that's the direction people are leaning.
22:12 <dolphm> dstanek: =D
22:15 <morganfainberg> dolphm, before i start down the next steps in this path (of resolving the ick in low resolution time stamps): any thoughts/concerns about https://review.openstack.org/#/c/114306/ adding audit ids into the token?
22:15 <morganfainberg> dolphm, not sure if you saw the earlier conversation(s)
22:15 *** david-lyle has quit IRC
22:16 <morganfainberg> dolphm, i expect some doc updates to go with it as well but nothing too crazy
22:16 <dolphm> morganfainberg: i missed the earlier conversation, but i already like the direction
22:16 <dolphm> morganfainberg: "audit id" makes it sound globally unique though :-/
22:16 <morganfainberg> the audit ids are uuids
22:17 <morganfainberg> they *should* be unique
22:17 <dolphm> morganfainberg: oh, maybe i'm misreading
22:17 <morganfainberg> the concept is you have 2 values, 1 the token's audit id, 2 the audit chain id
22:17 <morganfainberg> if a token hasn't been rescoped it only has the audit id
22:17 <dolphm> oh, so tokens way down the line will be huge?
22:17 <morganfainberg> if a token has been rescoped it also contains the 1st token's audit id as index[1]
22:18 <morganfainberg> you never have more than 2 values
22:18 <morganfainberg> your id, and the first token in the chain's id
22:18 <morganfainberg> prevents ballooning tokens
22:18 <dolphm> morganfainberg: hmm
22:18 <morganfainberg> it allows us to revoke a whole chain, or an individual token
22:19 <dolphm> morganfainberg: i read it first as an incrementing integer (like the audit ID was an index into the chain of tokens) <-- which won't work
22:19 <bknudson> you can revoke all the tokens in a chain with the same scope
22:19 <dolphm> morganfainberg: what's the point in having the second, per-token ID ?
22:19 <morganfainberg> bknudson, technically we could expand beyond that w/o causing issues with this. but yes initially that is the limit
22:19 <bknudson> I don't think we'll be able to revoke an individual token
22:19 <dolphm> just per token revocation?
22:20 <morganfainberg> dolphm, yes, which solves the horizon can't handle revoking the whole chain issue
22:20 <morganfainberg> dolphm, we can also publish both ids on any auth_token request and show where a token came from.
22:20 <morganfainberg> bknudson, we can use the individual token id, that should be unique
22:20 <morganfainberg> bknudson, if we want to revoke a single token
22:21 <bknudson> how would that be represented in a revocation event?
22:21 <morganfainberg> bknudson, audit_id = <id>
22:21 <morganfainberg> bknudson, vs audit_chain_id=<id>
22:21 <dolphm> morganfainberg: why is this not just 'id' ?
22:21 <morganfainberg> first one is one token revocation, one is audit chain
22:21 <morganfainberg> dolphm, token ids are "secure" data (why revocation list was privileged)
22:21 <dolphm> oh because you have to add this to v2 tokens as well...
22:22 <bknudson> we don't have a "revoke audit chain" API
22:22 <bknudson> all we have is "revoke token"
22:22 <morganfainberg> bknudson, not yet. i was trying to figure out how we'd add that.
22:22 <dolphm> morganfainberg: revocation list became hashes of tokens anyway
22:22 <morganfainberg> dolphm, except hashes can be used as tokens, uuid-form
22:22 <dolphm> yeah that was dumb
22:23 <morganfainberg> dolphm, if i could un-do it w/o breaking things i would
22:23 <bknudson> we could change the revocation list to use these.
22:23 <dolphm> alright, i can't break your approach :)
22:23 <morganfainberg> bknudson, ++ we can.
22:23 <bknudson> they're shorter
22:23 *** david-lyle has joined #openstack-keystone
22:23 <morganfainberg> bknudson, yep!
22:24 <morganfainberg> i also kinda dig using uuid4().bytes.encode('base64') fwiw
22:24 <morganfainberg> it's... a bit cooler than .hex imo :P a little more work though
22:24 *** nkinder has quit IRC
22:25 <bknudson> morganfainberg: put it in a function then it's less work
22:25 <morganfainberg> bknudson, it is! :) but i mean from a code perspective, encode does require (minutely) more cpu than .hex iirc
22:26 <morganfainberg> dolphm, i just wanted to run it by you before i did a bunch of extra work on the revocation front to use this. so we aren't using the low resolution and conflicting expires timestamp
22:28 <morganfainberg> bknudson, interesting idea converting to use the audit ids in the revocation list as well
22:28 <bknudson> morganfainberg: os.urandom(16).encode('base64') would give the same result
22:28 <morganfainberg> bknudson, *nod*
22:28 *** gokrokve has quit IRC
22:29 <morganfainberg> it *could* allow us to make TRL non-privileged all
22:29 <morganfainberg> all=call
22:29 *** david-lyle has quit IRC
22:29 *** david-lyle has joined #openstack-keystone
22:31 <dolphm> umm, who wants to be core on pycadf? please form an orderly line
22:34 <morganfainberg> dolphm, if you need reviewers, i'll be.
22:34 <bknudson> dolphm: you own it now
22:34 <morganfainberg> dolphm, but uh. *shrug* doesn't matter to me.
22:34 <dolphm> i'm rewriting it, will need reviews :P
22:34 <morganfainberg> sure. i'll review it
22:35 <morganfainberg> dolphm, topol said you were doing magic to it
22:35 <bknudson> there are some projects where core just approve their own changes
22:35 <morganfainberg> bknudson, not sure if we want the audit lib to work like that. just sayin :P
22:35 <dolphm> replacing all the java with jsonschema
22:35 <dolphm> morganfainberg: ++ lol
22:35 <morganfainberg> but it might make sense to do 1 core +2 on it if it doesn't say inherit all of keystonecore
22:36 <morganfainberg> dolphm, you *could* make that core team inherit keystonecore if you wanted.
22:37 <dolphm> morganfainberg: i was considering exactly that
22:38 <bknudson> dolphm: are you keeping the current cadf core?
22:38 <dolphm> if everyone is still engaged, i think that's reasonable
22:38 <bknudson> I assume that was gordc and matt rutkowski and etc
22:38 <morganfainberg> bknudson, and dhellmann
22:39 <morganfainberg> bknudson, https://review.openstack.org/#/admin/groups/192,members
22:39 <morganfainberg> though might want to drop oslo-core, (not sure if that makes sense)
22:40 <morganfainberg> interesting, apparently everyone in oslo-core is part of pycadf-ptl
22:40 <bknudson> what's the size of the code base?
22:40 *** gokrokve has joined #openstack-keystone
22:41 <bknudson> I assume it's not so big that a keystone core couldn't grasp changes in it already
22:41 <bknudson> so putting keystone core on there doesn't worry me
22:42 <dolphm> example of my rewriting it, and also cover topol's new use case for federation: https://review.openstack.org/#/c/114356/5/pycadf/credential.py
22:42 <bknudson> it is actually pretty big
22:43 <morganfainberg> bknudson, about 6k lines
22:43 <morganfainberg> inc. shared oslo-incubator stuff
22:43 <dolphm> bknudson: well i should be making it smaller, hopefully
22:43 <dolphm> it needs more tests too, but that's not a big deal
22:44 <dolphm> i'm not really sure what's public API, either, so i don't know what i need to avoid breaking
22:45 <bknudson> dolphm: that's what I was just thinking... the change of "credential.CRED_KEYNAMES" -- was that a public API?
22:45 <dolphm> or if i just need to bump the major version at the end of this, and focus on maintaining the obviously public APIs
22:45 <dolphm> bknudson: i have no idea on that one. nothing else was using it so i made it go away
22:45 <dolphm> the tests are calling into what i would consider to be private APIs
22:46 <dolphm> bknudson: in the rewrite, everything will just be dicts with a 'schema' attribute, and a 'valid' attribute. and the dicts self-validate on init
22:47 <dolphm> so that should minimize the API surface area to worry about
22:49 <morganfainberg> dolphm, nice.
22:50 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/105597
22:50 <dolphm> the way end users import this stuff is also a bit messy... it seems logical to break this into service types maybe? from pycadf import identity; identity.Credential() identity.Authentication() etc
22:54 *** gordc has quit IRC
22:54 *** amcrn has joined #openstack-keystone
22:55 <bknudson> this library is kind of weird... I thought it wasn't openstack specific
22:57 <bknudson> lots of TODOs in there.
23:05 *** bknudson has quit IRC
23:10 *** leonchio__ has joined #openstack-keystone
23:13 <dolphm> bknudson: any idea what these were supposed to be used for? TYPE_URI_GEOLOCATION = cadftype.CADF_VERSION_1_0_0 + 'geolocation'
23:13 <dolphm> there's one in every module
23:13 <dolphm> oh you're gone. boo.
23:13 *** leonchio_ has quit IRC
23:17 *** leonchio_ has joined #openstack-keystone
23:17 *** leonchio__ has quit IRC
23:20 *** arun_kant has quit IRC
23:20 <morganfainberg> dolphm, GEOLOCATION?
23:22 <dolphm> morganfainberg: it's like a location, but on earth?
23:22 <morganfainberg> dolphm, LOL
23:22 <dolphm> morganfainberg: it's one of the modules with an event type
23:22 <morganfainberg> dolphm, yeah it looks like it's meant to be something like IP->location magic support
23:23 <dolphm> morganfainberg: i'm really asking about the TYPE_URI_<MODULE_NAME> = VERSION stuff
23:23 <morganfainberg> right
23:24 <morganfainberg> dolphm, looks like version of cadf spec? lib? and the module identifier, looks like event is the only one using it?
23:26 <morganfainberg> dolphm, aha, looks like it's a TODO https://github.com/openstack/pycadf/blob/master/pycadf/event.py#L131
23:27 <dolphm> morganfainberg: well, i left that line in https://review.openstack.org/#/c/114356/6/pycadf/geolocation.py
23:27 <morganfainberg> yeah i think it's future looking stuff
23:28 <morganfainberg> dolphm, question on the .is_valid that is potentially used if a datum is changed after init?
23:28 <morganfainberg> which is why it can return false? or is it assumed you never validate outside of init?
23:28 <dolphm> morganfainberg: yeah, that's why i left it as a public method
23:28 <morganfainberg> ah ok
23:28 <morganfainberg> yeah it looked a bit odd since it *seemed* like everything should be init only validation
23:29 <morganfainberg> but backwards compat
23:29 <dolphm> ++
23:29 <dolphm> if i was going to remove it, i'd want it to be an immutable dict
23:30 *** elmiko is now known as _elmiko
23:31 *** jamielennox|away is now known as jamielennox
23:31 <morganfainberg> dolphm, ++ .__setitem__ raise NotouchyTheValuesOrKeyst()
23:31 <dolphm> lol
23:31 <dolphm> file a no-touchy blueprint please :D
23:31 <morganfainberg> lol
23:32 <morganfainberg> i wish descriptors were easier on the eyes
23:32 <dolphm> and on bknudson's concern earlier, this lib is VERY openstack centric... i'd like to maybe split it apart into openstack stuff and generic cadf stuff
23:32 <morganfainberg> but jsonschema + descriptors are particularly brutal
23:32 <dolphm> still one lib, but make a clean separation if it's going to squat on pypi/pycadf
23:33 <dolphm> brutal?
23:33 <morganfainberg> yeah it's just really hard to follow
23:33 <morganfainberg> i really like descriptors, they are soooooooo cool
23:33 <morganfainberg> you also get instant validation if you want
23:33 <morganfainberg> X.prop = thing, raise Exception if not valid
23:33 *** nkinder has joined #openstack-keystone
23:33 <dolphm> morganfainberg: oh i thought you were talking about https://github.com/openstack/pycadf/blob/master/pycadf/event.py#L81
23:33 <dolphm> now i follow!
23:34 <morganfainberg> dolphm, i'm talking about all the descriptors in pycadf
23:34 <morganfainberg> dolphm, you're switching from descriptors to jsonschema
23:34 <morganfainberg> much more readable, but i kinda dig the metaprogramming aspect of descriptors
23:34 <dolphm> let's talk about it tomorrow
23:35 <dolphm> i'm running off to see guardians of the galaxy now :)
23:35 <morganfainberg> haha Nice enjoy!
23:35 <jamielennox> dolphm, morganfainberg: i have a +2 from bk on https://review.openstack.org/#/c/107325/
23:35 <jamielennox> the /auth spec
23:35 <morganfainberg> and don't get me wrong, i am not saying what you're doing is wrong there. it does help make it a lot more clear what is going on
23:35 <jamielennox> if we can approve i'll write the code today
23:36 <morganfainberg> jamielennox, let me look before i run off to the gym
23:36 <jamielennox> morganfainberg: also, i'm here regarding token information
23:36 <morganfainberg> jamielennox, also, you might like https://review.openstack.org/#/c/114306/
23:36 <morganfainberg> jamielennox, the concept, not the code :P
23:36 <morganfainberg> code is... open for discussion of course
23:37 <jamielennox> cool - do you know how this plays into the osprofiler thingy?
23:37 <morganfainberg> jamielennox, this would solve our need, not sure if osprofiler would benefit from it
23:38 <morganfainberg> we can't rely on osprofiler for secure in-token data
23:38 <jamielennox> that's enough for me, i just know they were trying to add their own tracking data as well
23:38 <jamielennox> morganfainberg: i had a similar question regarding composite tokens
23:39 <morganfainberg> this is *mostly* for us to be able to revoke tokens / chains of tokens without needing to rely on expires_at (which is crummy and can conflict all over)
23:39 <jamielennox> if you get a request with a service and user token, and have to make a request to another service, do you replace or chain the service token
23:39 <jamielennox> morganfainberg: oh, i thought it was audit trail
23:39 <morganfainberg> jamielennox, it also acts like an audit trail
23:39 <jamielennox> morganfainberg: honestly for that all we really need to do is break the link that token_id == sha1(token) right?
23:39 <morganfainberg> jamielennox, we can track a token, not necessarily a request.
23:40 <morganfainberg> jamielennox, i don't think osprofiler can track tokens easily esp. when it comes to rescoping
23:40 <morganfainberg> this would let us track that kind of stuff so it is an audit trail, just not the same kind-of audit trail
23:41 <morganfainberg> jamielennox, i would love to break token_id == sha1(token) but let's be honest we can't. and hashing is all sorts of encumbered by auditors.
23:41 <jamielennox> morganfainberg: yea, i said it, then thought for a second - it can't be done
23:41 <morganfainberg> this solution no one can really complain about because the data is random, not used for "auth" reasons, and should be unique enough to identify a token (and the originating token for any other tokens)
23:42 <jamielennox> anyway regarding composite tokens, you don't want to chain service tokens do you?
23:42 <morganfainberg> re: composite auth, no, service tokens should *only* be used by that service
23:42 <morganfainberg> and should not be passed on.
23:43 <morganfainberg> e.g. service token to nova should not then be used by nova to talk to glance, nova should use its own service token if that is needed
23:43 <morganfainberg> we talked through the chaining stuff and i think it was such an edge case that would be needed, it wasn't worth it.
23:43 <morganfainberg> and it makes things super complex
23:43 <jamielennox> yep, that's what i thought. there might be very specific cases where the chain would be useful but it's way too hard
23:45 <jamielennox> arosen1: i don't know much about how neutronclient uses the sessions, but did you find an answer?
23:47 <morganfainberg> jamielennox, +2 from me on that spec
23:47 <jamielennox> morganfainberg: excellent, that's been sitting a while - no one objected but no one cared enough to vote
23:48 <morganfainberg> jamielennox, i didn't +A just giving a little more time in case dolph wants to say something about it
23:48 <morganfainberg> you know the whole... sneaking things in when no one is awake
23:48 <morganfainberg> but i would say you're good to write the code (i'll press +A tomorrow if no one says anything else) - i'm sure it'll just be nits if anything though
23:50 *** leonchio__ has joined #openstack-keystone
23:50 <jamielennox> morganfainberg: yea, i figured i needed to write it anyway, going to figure out my client rebase hell and do that
23:51 *** david-lyle has quit IRC
23:51 *** david-lyle has joined #openstack-keystone
23:53 *** leonchio_ has quit IRC
23:55 *** leonchio_ has joined #openstack-keystone
23:56 *** david-lyle has quit IRC
23:58 *** leonchio__ has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!