Friday, 2014-08-22

*** richm has quit IRC		00:00
*** RicoLin has joined #openstack-keystone		00:10
*** ayoung-afk has quit IRC		00:18
*** gokrokve has joined #openstack-keystone		00:20
*** gokrokve has quit IRC		00:21
*** gokrokve has joined #openstack-keystone		00:22
*** gokrokve has quit IRC		00:26
*** mikedillion has quit IRC		00:33
*** amerine has quit IRC		00:36
openstackgerrit	Brant Knudson proposed a change to openstack/identity-api: Fix typo and grammar issues in os-revoke-ext https://review.openstack.org/116144	00:37
*** gokrokve has joined #openstack-keystone		00:39
*** ayoung has joined #openstack-keystone		00:45
*** amerine has joined #openstack-keystone		00:47
jamielennox	bknudson: moving httpd to warn means that everything for the python process goes to the warn level right	01:00
*** harlowja is now known as harlowja_away		01:00
bknudson	jamielennox: let me find a log...	01:00
bknudson	jamielennox: http://logs.openstack.org/73/111573/4/check/check-tempest-dsvm-full/c5ce3bd/logs/screen-key.txt.gz	01:01
bknudson	jamielennox: there's a bunch of authz_core:debug	01:02
bknudson	jamielennox: looks like all the keystone logging goes to error	01:02
bknudson	(which is probably from stderr or stdout?)	01:02
bknudson	looks like 3/2 of the log is authz_core:debug	01:03
jamielennox	yea, ok so we elevate log level to warn means we should still get the error output from keystone just not the authz_core stuff	01:03
bknudson	yes, that's what happened in my env.	01:03
jamielennox	that makes sense	01:04
jamielennox	firefox keeps timing out trying to even open that file	01:04
bknudson	I don't see any :warn messages in the apache log so I don't know what that includes	01:04
jamielennox	warn messages from apache probably should end up in the logs anyway	01:05
bknudson	jamielennox: want me to copy-paste it into irc?	01:05
jamielennox	bknudson: no that's fine	01:06
jamielennox	bknudson: comment on https://review.openstack.org/#/c/116135/	01:06
bknudson	jamielennox: I'm fine with keystone_error.log, although it also includes keystone debug output, so not sure if that would be confusing.	01:07
jamielennox	bknudson: don't think so it's an apache error log, but i see your point	01:08
bknudson	if people want their keystone logs somewhere else we can using python logging config to do it.	01:08
bknudson	(and maybe that would be a better way to do keystone logging anyways)	01:08
*** dims has quit IRC		01:09
jamielennox	probably should do something like that	01:09
jamielennox	bknudson: hey, i'm somewhat stuck on something - do you have any idea how we can uniquely identity a plugin	01:12
jamielennox	i need to replicate --os-cache with auth plugins	01:13
jamielennox	i have a review that lets us serialize a plugin	01:13
jamielennox	i feel there should be a way to determine like a fingerprint for a keyring key value without having to implement a new method on all the plugins	01:14
*** dims has joined #openstack-keystone		01:17
*** marcoemorais has quit IRC		01:18
*** diegows has quit IRC		01:26
*** harlowja_away is now known as harlowja		01:40
*** gokrokve has quit IRC		01:49
*** KanagarajM2 has quit IRC		01:54
*** yasukun has joined #openstack-keystone		01:58
*** topol has joined #openstack-keystone		02:01
bknudson	jamielennox: not something I'm familiar with.	02:11
bknudson	maybe base it off of the plugin properties?	02:12
jamielennox	bknudson: i was hoping i could just do it off the auth_request	02:13
*** hrybacki has quit IRC		02:13
jamielennox	unfortunately in v3 you pass a session to that method	02:13
jamielennox	i was thinking maybe it could be based on the properties that are used to construct the object from conf or cli	02:14
jamielennox	but that's a classmethod that constructs the object	02:14
jamielennox	trying not to need a new method that returns all the properties	02:15
bknudson	dir() returns the properties	02:15
jamielennox	bknudson: yea i think it will need to be more controlled than that	02:22
*** stevemar has joined #openstack-keystone		02:32
*** dims has quit IRC		02:34
*** rushiagr_away is now known as rushiagr		02:37
openstackgerrit	A change was merged to openstack/identity-api: Fix typo and grammar issues in os-revoke-ext https://review.openstack.org/116144	02:42
*** wanghong has joined #openstack-keystone		02:42
*** harlowja is now known as harlowja_away		02:49
*** KanagarajM has joined #openstack-keystone		02:51
morganfainberg	hmm.	02:52
morganfainberg	why is it that when evening comes my brain feels like there is less of a fog :P	02:52
morganfainberg	and it's easier to write code.	02:52
*** jim33 has joined #openstack-keystone		03:03
jim33	does anyone have a few mins? i have trouble tryin to authenticate	03:04
*** ayoung has quit IRC		03:10
*** ayoung has joined #openstack-keystone		03:11
*** amerine has quit IRC		03:13
*** jim33 has quit IRC		03:14
*** hrybacki has joined #openstack-keystone		03:17
*** hrybacki has quit IRC		03:17
*** hrybacki has joined #openstack-keystone		03:17
*** hrybacki has quit IRC		03:18
*** ayoung has quit IRC		03:18
*** hrybacki has joined #openstack-keystone		03:18
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620	03:23
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/116165	03:23
*** hrybacki has quit IRC		03:23
*** gyee has quit IRC		03:24
*** hrybacki has joined #openstack-keystone		03:32
*** dims has joined #openstack-keystone		03:35
*** dims has quit IRC		03:39
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204	03:45
*** topol has quit IRC		04:00
*** amerine has joined #openstack-keystone		04:10
*** praneshp has quit IRC		04:10
*** amerine has quit IRC		04:14
*** wanghong has quit IRC		04:29
*** dims has joined #openstack-keystone		04:36
*** dims has quit IRC		04:41
*** gokrokve has joined #openstack-keystone		04:47
*** praneshp has joined #openstack-keystone		04:52
*** praneshp has quit IRC		04:57
*** amerine has joined #openstack-keystone		05:00
*** shakamunyi has quit IRC		05:03
*** amerine has quit IRC		05:05
*** praneshp has joined #openstack-keystone		05:05
*** rushiagr is now known as rushiagr_away		05:21
*** ncoghlan has joined #openstack-keystone		05:22
*** rushiagr_away is now known as rushiagr		05:29
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857	05:29
*** ukalifon1 has joined #openstack-keystone		05:39
*** rushiagr is now known as rushiagr_away		05:40
*** harlowja_away has quit IRC		05:44
*** ukalifon1 has quit IRC		05:47
openstackgerrit	A change was merged to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857	05:50
*** gokrokve has quit IRC		05:54
*** amerine has joined #openstack-keystone		06:01
*** amerine has quit IRC		06:05
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/111920	06:07
*** chandankumar has joined #openstack-keystone		06:09
*** henrynash has joined #openstack-keystone		06:14
*** stevemar has quit IRC		06:20
*** ajayaa has joined #openstack-keystone		06:22
*** dims has joined #openstack-keystone		06:25
*** Jean-Daniel has joined #openstack-keystone		06:28
*** shakamunyi has joined #openstack-keystone		06:29
*** dims has quit IRC		06:30
*** wanghong has joined #openstack-keystone		06:31
*** shakamunyi has quit IRC		06:34
*** rushiagr_away is now known as rushiagr		06:34
*** k4n0 has joined #openstack-keystone		06:35
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/python-keystoneclient: Attributes required using token for auth https://review.openstack.org/115228	06:39
*** ncoghlan is now known as ncoghlan_afk		06:42
*** afazekas has joined #openstack-keystone		06:48
*** gokrokve has joined #openstack-keystone		06:48
*** hrybacki has quit IRC		06:49
*** amirosh has joined #openstack-keystone		06:52
*** gokrokve has quit IRC		06:53
*** ncoghlan_afk is now known as ncoghlan		06:55
*** praneshp has quit IRC		06:55
*** amerine has joined #openstack-keystone		07:02
openstackgerrit	A change was merged to openstack/python-keystoneclient: Allow unauthenticated discovery https://review.openstack.org/107570	07:04
openstackgerrit	A change was merged to openstack/keystone: Add audit ids to tokens https://review.openstack.org/114306	07:04
openstackgerrit	A change was merged to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863	07:04
openstackgerrit	A change was merged to openstack/keystone: Convert to urlsafe base64 audit ids https://review.openstack.org/115707	07:05
*** amerine has quit IRC		07:06
*** ajayaa has quit IRC		07:45
*** ajayaa has joined #openstack-keystone		07:48
*** gokrokve has joined #openstack-keystone		07:49
*** gokrokve has quit IRC		07:53
*** wanghong has quit IRC		08:01
*** wanghong has joined #openstack-keystone		08:02
*** sunrenjie6 has joined #openstack-keystone		08:02
*** amerine has joined #openstack-keystone		08:02
*** amerine has quit IRC		08:07
*** dims has joined #openstack-keystone		08:14
*** dims has quit IRC		08:19
*** chandankumar has quit IRC		08:19
*** BAKfr has joined #openstack-keystone		08:24
*** jamielennox is now known as jamielennox\|away		08:29
*** ncoghlan has quit IRC		08:30
*** gokrokve has joined #openstack-keystone		08:48
*** gokrokve has quit IRC		08:53
*** amerine has joined #openstack-keystone		09:03
*** amerine has quit IRC		09:08
*** Kui has joined #openstack-keystone		09:10
*** aix has joined #openstack-keystone		09:14
*** alex_xu has joined #openstack-keystone		09:16
*** henrynash has quit IRC		09:22
*** chandankumar has joined #openstack-keystone		09:25
*** sunrenjie6 has quit IRC		09:39
*** kwss has joined #openstack-keystone		09:42
*** gokrokve has joined #openstack-keystone		09:48
*** gokrokve has quit IRC		09:53
*** dims has joined #openstack-keystone		09:59
*** amerine has joined #openstack-keystone		10:04
*** dims has quit IRC		10:05
*** amerine has quit IRC		10:09
*** diegows has joined #openstack-keystone		10:19
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/keystone: Implement validation on the Catalog V3 resources https://review.openstack.org/96266	10:20
*** ajayaa has quit IRC		10:34
openstackgerrit	Kanagaraj Manickam proposed a change to openstack/keystone: Endpoint table is missing reference to region table https://review.openstack.org/113183	10:46
*** gokrokve has joined #openstack-keystone		10:48
*** ajayaa has joined #openstack-keystone		10:51
*** diegows has quit IRC		10:51
*** gokrokve has quit IRC		10:53
*** dimsum_ has joined #openstack-keystone		10:59
*** alex_xu has quit IRC		11:07
*** dims_ has joined #openstack-keystone		11:09
*** dimsum_ has quit IRC		11:11
*** KanagarajM has quit IRC		11:21
openstackgerrit	Yaguang Tang proposed a change to openstack/keystone: Fix Unicode decode error with Windows AD as identity backend https://review.openstack.org/116231	11:23
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints https://review.openstack.org/95545	11:23
*** gokrokve has joined #openstack-keystone		11:48
*** gokrokve has quit IRC		11:53
openstackgerrit	Marek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator https://review.openstack.org/114850	11:57
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	11:57
*** amirosh has quit IRC		12:03
*** amirosh has joined #openstack-keystone		12:04
*** amerine has joined #openstack-keystone		12:06
*** amirosh has quit IRC		12:08
*** amerine has quit IRC		12:11
*** yasukun has quit IRC		12:12
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Generate IdP Metadata with keystone-manage. https://review.openstack.org/115564	12:19
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Routes for Keystone-IdP metadata endpoint. https://review.openstack.org/115883	12:22
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620	12:28
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/116165	12:28
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone-specs: Updated from global requirements https://review.openstack.org/116245	12:28
*** jdennis has quit IRC		12:30
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/116255	12:34
*** alex_xu has joined #openstack-keystone		12:34
*** jdennis has joined #openstack-keystone		12:36
*** ajayaa has quit IRC		12:40
*** gokrokve has joined #openstack-keystone		12:48
*** rushiagr is now known as rushiagr_away		12:51
*** gokrokve has quit IRC		12:53
*** gordc has joined #openstack-keystone		12:57
*** dims_ has quit IRC		13:07
*** dimsum_ has joined #openstack-keystone		13:08
*** richm has joined #openstack-keystone		13:10
dstanek	lbragstad: you around?	13:11
*** joesavak has quit IRC		13:12
BAKfr	Is there someone who can give me information about the delete_grant method in assignment/core.py ?	13:12
*** _elmiko is now known as elmiko		13:12
BAKfr	When we revoke a role on a specific project, all tokens of concerned users are revoked.	13:13
BAKfr	Is there a reason it doesn't revoke only tokens associated to the project ?	13:14
lbragstad	dstanek: yes	13:15
*** nkinder has quit IRC		13:19
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/111842	13:24
*** bknudson has quit IRC		13:24
lbragstad	dstanek: what's up?	13:25
marekd	orsonmmz: in order to setup my devstack with a review patch i shall set KEYSTONE_REPO=https://review.openstack.org/openstack/keystone and KEYSTONE_BRANCH=refs/changes/83/115883/3 or some other way?	13:30
*** amirosh has joined #openstack-keystone		13:31
*** jasondotstar has joined #openstack-keystone		13:37
*** zzzeek has joined #openstack-keystone		13:44
*** bknudson has joined #openstack-keystone		13:48
*** gokrokve has joined #openstack-keystone		13:48
*** gokrokve has quit IRC		13:52
*** russellb is now known as rustlebee		13:54
*** k4n0 has quit IRC		13:55
*** alex_xu has quit IRC		14:06
*** nkinder has joined #openstack-keystone		14:07
*** stevemar has joined #openstack-keystone		14:09
*** oomichi has quit IRC		14:11
*** david-lyle has joined #openstack-keystone		14:19
*** amirosh has quit IRC		14:30
*** amirosh has joined #openstack-keystone		14:31
*** amirosh has quit IRC		14:35
*** chandankumar has quit IRC		14:36
*** ayoung has joined #openstack-keystone		14:43
*** gokrokve has joined #openstack-keystone		14:48
*** rushiagr_away is now known as rushiagr		14:49
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/111842	14:50
*** bknudson has quit IRC		14:52
*** gokrokve has quit IRC		14:53
*** mflobo has quit IRC		14:58
gabriel-bezerra	Hi. Can Keystone use replicated (for load balancing) LDAPs as backend?	15:00
gabriel-bezerra	more specifically, identity backend	15:00
*** gokrokve has joined #openstack-keystone		15:12
*** maelfius has joined #openstack-keystone		15:12
*** morganfainberg has quit IRC		15:14
*** maelfius is now known as morganfainberg		15:14
*** henrynash has joined #openstack-keystone		15:21
*** cjellick has quit IRC		15:24
*** shakamunyi has joined #openstack-keystone		15:24
*** cjellick_ has joined #openstack-keystone		15:24
*** cjellick has joined #openstack-keystone		15:24
marekd	devstack runs with apache automatically or apache needs some configuration prior to runnin ./stack.sh ?	15:27
richm	marekd: Do you mean, running keystone using apache mod_wsgi?	15:31
*** amirosh has joined #openstack-keystone		15:31
marekd	richm: yeah	15:31
marekd	richm: actually i don't need it at the moment.	15:32
richm	marekd: I'm not sure, but I doubt it, unless ayoung has already added that to devstack	15:32
*** amirosh has quit IRC		15:32
marekd	ayoung: does devstack currently run keystone w/ apache by default?	15:33
richm	marekd: I'm working on adding support for puppet based installs (packstack, astapor, etc.) to automatically set up keystone to use mod_wsgi	15:33
richm	but I don't know about devstack	15:33
*** amirosh has joined #openstack-keystone		15:33
ayoung	marekd, you give me credit for other people's work	15:34
ayoung	twas morganfainberg that did the devstack to httpd	15:34
marekd	ayoung: richm did that credit.	15:35
ayoung	ah...misread	15:35
ayoung	marekd, need to chat with you about WebSSO	15:35
morganfainberg	richm, marekd, all gate checks (except postgres) use mod_Wsgi now	15:35
richm	morganfainberg: Thanks	15:36
marekd	morganfainberg: uhm.	15:36
marekd	ayoung: websso will be a Kilo story i think...but fireaway.	15:36
*** bknudson has joined #openstack-keystone		15:36
*** amirosh has quit IRC		15:37
ayoung	marekd, yeah, but it will also take a lot of collaboration between us and Horizon, so we need to start talking now.	15:38
ayoung	marekd, I've been in Kilo mindset since J2	15:38
marekd	ayoung: ++	15:38
ayoung	marekd, https://keystone.younglogic.net/keystone/cops/	15:38
morganfainberg	dolphm, rekicked https://review.openstack.org/#/c/115941/ so we can get dstanek's changes for catalog through w/o HASHSEED getting in the way	15:39
ayoung	its a straight javascript client for Keystone.	15:39
marekd	ayoung: i think i see what you want to say now.	15:39
ayoung	marekd, a demo is worth 1000 meetings	15:40
*** praneshp has joined #openstack-keystone		15:40
marekd	ayoung: +100	15:40
marekd	ayoung: so you want to have a saml client implemented in JS	15:41
ayoung	marekd, I have it linked up to LDAP as well, but the server seems to be down at the moment. I need to troubleshoot	15:41
ayoung	marekd, so the flow would be like this:	15:41
*** shakamunyi has quit IRC		15:41
ayoung	hit horizon. Javascript lets user select auth mechanism. kicks off an AJAX call to Keystone	15:42
ayoung	So if we do SAML, that handshake would be between Horizon and the SAML provider, with the Javascript sending the SAML to Keystone. I think	15:42
ayoung	that is assuming that the SAML provider does some sort of visual web login	15:42
ayoung	Keystone is assumed to be non-visual/AJAX only	15:43
*** bklei has joined #openstack-keystone		15:43
ayoung	It would require CORS support, which is, I think, the only change we need to make to Keystone itself, and could be done as an optional middleware component. I think that CORS would then be based on the Service catalog	15:44
marekd	ayoung: you are again trying to start federated autn workflow with horizon and end wih keystone.	15:44
*** bklei has left #openstack-keystone		15:44
marekd	i'd say: hit horizon, choose 'federation authn', and js client is smart enough to go and initiate federation authn wokflow with keystone.	15:45
marekd	it let's shibboleth redirect to the IdP, authenticate (with graphical ui), keystone returns a token + headers and JS is again clevel enough to return with that to horizon.	15:46
marekd	unscoped token is fine for horizon to let user in, right?	15:46
ayoung	marekd, there are some business use cases to consider, but basically, yes	15:46
ayoung	the difference between CERN and Rackspace, for example	15:46
marekd	ayoung: you mena?	15:46
ayoung	CERN can prepopulate the list of IdPs	15:46
marekd	mean	15:46
ayoung	Racksapce doesn't want to publish their customer list...	15:47
marekd	ayoung: true.	15:47
ayoung	So the Rackspace case, the user should probably enter the IdP url themselves, or let Rackspace figure out what to show to whom	15:47
marekd	we need to keep in mind one big federation with 100s of IdP inside and 100s of one Idp 'federations'.	15:47
marekd	ayoung: it's still horizon level	15:48
ayoung	fortunately, tuning that in Javascript is pretty lightweight. Question is how to communicate that between Horiozn and Keystone	15:48
*** gokrokve_ has joined #openstack-keystone		15:48
ayoung	Horizon should have a single URL for Keystone. The Horizon service user should be able to query the specific info it needs from Keystone via that URL	15:49
marekd	ayoung: it's easy in Keystone - today you must specify IdP of your choice (v3/OS-FEDERATION/identity_providers/{IDP}/protocols/{protocol}/auth)	15:49
ayoung	marekd, I'd put in a few caveats: Horizon should be able to propopulate the IdP and protocol based on a cookie for an unauthenticated user	15:50
ayoung	but not carte-blanc	15:50
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Mark methods on token_api deprecated https://review.openstack.org/115347	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Notification Constant Cleanup and internal notify type https://review.openstack.org/115337	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove assignment_api dependency on token_api https://review.openstack.org/115338	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove wsgi and base controller dependency on token_api https://review.openstack.org/115205	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove oauth controller dependency on token_api https://review.openstack.org/115343	15:51
marekd	ayoung: and this cookie you would get from...?	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012	15:51
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model https://review.openstack.org/113430	15:51
ayoung	marekd, its a cookie, and thus should only be set and readable from Horizon	15:51
ayoung	its fro second and additional logins	15:51
ayoung	for	15:51
*** gokrokve has quit IRC		15:51
ayoung	but enumerating Protocols for the same IdP is probably OK	15:51
marekd	ayoung: yes.	15:52
ayoung	so if you've already logged in from Cern, but Via X509, its ok to show you the list of protocols available to CERN users, for example	15:52
ayoung	this is in the weeds, just to give some context	15:52
*** afazekas has quit IRC		15:53
*** gokrokve_ has quit IRC		15:53
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add extra guarding to revoke_by_audit_id methods https://review.openstack.org/115147	15:53
marekd	ayoung: let's get back to the workdlow. say, i want websso and will use my cern user/pass credentials against my local IdP. I will hit horizon, choose 'federation authn' option and then specify my IdP ("CERN").	15:54
marekd	ayoung: you want horizon to return a list of protocols I can use?	15:55
ayoung	yep	15:55
ayoung	marekd, lets punt on that for now	15:55
ayoung	I'd say it would be a potential feature in the future	15:55
marekd	ayoung: you w'd be able to bruteforce and guess RAX's clients by checking random (or less random) IdP names.	15:56
marekd	ayoung: but that's fine for me :P	15:56
ayoung	marekd, actually, no. There would be no indication that the IdP is actually valid	15:57
ayoung	hmmm...need to think that one through	15:57
ayoung	we should probably say OK to any request against	15:58
ayoung	v3/OS-FEDERATION/identity_providers/{IDP}/protocols/{protocol}/auth	15:58
*** KanagarajM has joined #openstack-keystone		15:58
ayoung	and just let the IdP say "403"	15:58
ayoung	or 401 or whatever is appropriate	15:58
marekd	ayoung: wait a sec....	15:59
ayoung	actually, since IdP ID is a uuid, we should be OK	15:59
marekd	IdP id in keystone backend is a string...	16:00
marekd	custom string.	16:00
ayoung	marekd, yeah, there are going to be some security concerns there, but I suspect we won't solve them right here and now	16:01
*** ayoung is now known as ayoung-lunch		16:04
ayoung-lunch	marekd, gotta run, back in a few	16:05
*** kwss has quit IRC		16:05
marekd	ayoung-lunch: bin app.	16:07
*** amerine has joined #openstack-keystone		16:08
marekd	ayoung-lunch: so basically I will have it checked next week, but in the websso there is somthing like DS (discovery service). From the user perspective it's usually a website where user chooses the IdP he wants to use. It can be either a list of IdP (say they are all in one federation agreement) or we can also provide a website where User needs to specify his IdP. But that's the SP/DS level.	16:09
marekd	gotta run too.	16:11
*** marekd is now known as marekd\|away		16:11
marekd\|away	morganfainberg: what linux distro are you usually using for running devstack locally ?	16:12
morganfainberg	marekd\|away, ubuntu	16:12
marekd\|away	lts?	16:12
morganfainberg	yeah trusty now	16:12
morganfainberg	previously precise	16:12
marekd\|away	ok thank?	16:13
marekd\|away	thanks	16:13
*** bklei has joined #openstack-keystone		16:22
*** bklei_ has joined #openstack-keystone		16:23
*** bklei_ has left #openstack-keystone		16:24
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller https://review.openstack.org/114138	16:26
*** BAKfr has quit IRC		16:27
*** bklei has quit IRC		16:28
*** amerine has quit IRC		16:29
*** packet has joined #openstack-keystone		16:30
*** rushiagr is now known as rushiagr_away		16:31
*** chandankumar has joined #openstack-keystone		16:32
*** openstackgerrit has quit IRC		16:34
*** gokrokve has joined #openstack-keystone		16:38
*** amerine has joined #openstack-keystone		16:41
stevemar	bknudson, dstanek, i think this one is ready now: https://review.openstack.org/#/c/112204/	16:45
*** amirosh has joined #openstack-keystone		16:45
stevemar	if role_assignment notifications and kristys refactoring of saml auth both go in today, topol is going to have to do a ton of rebasing, it's going to be awesome	16:46
*** bknudson has quit IRC		16:54
*** topol has joined #openstack-keystone		17:01
*** comstud is now known as bearhands		17:02
*** amirosh has quit IRC		17:06
*** amirosh has joined #openstack-keystone		17:07
*** amirosh has quit IRC		17:11
*** gyee has joined #openstack-keystone		17:20
*** packet has quit IRC		17:22
*** dimsum_ has quit IRC		17:24
*** dimsum_ has joined #openstack-keystone		17:25
dstanek	stevemar: nice, was lunching - I'll take a look	17:25
stevemar	dstanek, cool, just finished up lunch myself	17:26
gyee	henrynash, sorry, missed your ping yesterday	17:28
*** openstackgerrit has joined #openstack-keystone		17:29
*** dimsum_ has quit IRC		17:29
*** harlowja has joined #openstack-keystone		17:36
nkinder	if anyone has a few spare minutes, we have a keystone related OSSN that we would like a review on - https://review.openstack.org/#/c/114971/	17:40
*** packet has joined #openstack-keystone		17:50
*** packet has quit IRC		17:55
*** bknudson has joined #openstack-keystone		17:58
*** amirosh has joined #openstack-keystone		18:00
gabriel-bezerra	Hello. Is it currently possible to configure Keystone to use load balancing replicated LDAPs as identity backend?	18:09
henrynash	gyee: np, I think we worked it out (was just asking about how people used regions & endpoints)	18:10
henrynash	gabriel-bezerra: so keystone itself doesn’t do that, but I know of customers who out an haproxy in front of their LDAP cluster of servers and give keystone the url of the proxy	18:11
gabriel-bezerra	henrynash: do you think it would be valuable/feasible to implement such feature in Keystone? Or is the haproxy a better approach anyway?	18:21
henrynash	gabriel-bezerra: I guess I’d want to understand what advantage it would be to support this in keystone directly…would it have better perfomance, or functionality, or debugging…or something to warant duplcation of existing functionality	18:22
gyee	henrynash, JNDI supports multiple LDAP hosts	18:24
gyee	but yeah, talking to a VIP would work too	18:24
gyee	henrynash, btw, I think the user_id map in LDAP is currently broken	18:25
*** dimsum_ has joined #openstack-keystone		18:25
openstackgerrit	henry-nash proposed a change to openstack/identity-api: Change location of OS-ENDPOINT-POLICY name in API urls. https://review.openstack.org/116358	18:26
henrynash	gyee: user_id map is broekn?	18:27
dstanek	stevemar: do you still have the pastie of the JSON output?	18:27
stevemar	dstanek, hmmmmm	18:27
*** chandankumar has quit IRC		18:28
stevemar	dstanek, https://gist.github.com/stevemart/c5f52d0592ca6944b3a2 ?	18:28
gyee	henrynash, yeah, looks like this one no longer works https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L883	18:28
gyee	always map to cn	18:28
gyee	I am still digging	18:29
*** dimsum_ has quit IRC		18:30
henrynash	gyee: so remember with mapping, what that means is that the ID of the user you will see published by keystone will not be ‘cn’ (it will be a hash), but this shoudl still be mapped to ‘cn'	18:30
henrynash	gyee: under teh covers	18:31
gyee	henrynash, we are testing against OpenLDAP, user_id_attribute = uid, user_name_attribute = cn	18:32
dstanek	stevemar: (maybe a question for topol) should the action be more specific like 'create:assignment' vs. just 'create' ?	18:32
gyee	but GET /v3/users have cn in both 'id' and 'name' field	18:32
stevemar	dstanek, action has a very limited set of valid values	18:32
gyee	I haven't had a chance to look at the latest code yet, just from observation so far	18:33
dstanek	stevemar: ah, ok. i thought the spec had some "namespaced" values in there	18:33
stevemar	dstanek, naw https://github.com/openstack/pycadf/blob/master/pycadf/cadftaxonomy.py#L22-L57	18:33
stevemar	dstanek, i was thinking allow/deny/revoke, but i settled on create, since a role assignment is created	18:34
dstanek	stevemar: that only has to start with those values	18:34
dstanek	stevemar: so 'create:assignment' would pass the check	18:34
dstanek	stevemar: https://github.com/openstack/pycadf/blob/master/pycadf/cadftaxonomy.py#L62	18:35
stevemar	really.... i thought i had it as 'create.assignment' and it was failing	18:35
stevemar	let me try	18:36
*** amirosh has quit IRC		18:38
*** amirosh has joined #openstack-keystone		18:39
henrynash	is this teh default domain?	18:39
henrynash	gyee: is this the default domain?	18:39
*** RicoLin has quit IRC		18:39
dstanek	stevemar: no idea if it's valuable, but someone may want to query for all assignments	18:41
dstanek	stevemar: looking at the record in the gist i can't tell what the event type is	18:41
stevemar	dstanek, are you cool with 'create.assignment'	18:43
*** amirosh has quit IRC		18:43
dstanek	stevemar: absolutely	18:43
gyee	henrynash, yes, this is not a per-domain backend setup	18:43
stevemar	dstanek, one more q	18:43
stevemar	dstanek, you know how in the manager, it's called: notifications.role_assignment('created')	18:43
stevemar	is there anyway to pull out "role_assignment" ?	18:43
gabriel-bezerra	gyee: What do you mean when you say JNDI supports multiple LDAP hosts?	18:44
henrynash	gyee: by default it is runs in “backward compatible” mode…which mean we don’t sue mapping for the default domain	18:44
henrynash	gyee: there’s a config switch to disable backward compatibility mode..	18:44
bknudson	gyee is proposing to rewrite keystone in java.	18:44
gyee	henrynash, k, we may have a bug then	18:44
dstanek	stevemar: just make it a clas variable so there's no magic	18:44
stevemar	dstanek, fair enough	18:44
gyee	gabriel-bezerra, with JNDI, you can specify multiple LDAP hosts in the url	18:45
dstanek	stevemar: since the name role_assignment is actually just a label from a class and not the class name it's hard to get at the name	18:45
henrynash	gyee: identity_mapping.backward_compatible_ids	18:45
gyee	it will do the round robin dance when talking to LDAP servers	18:45
dstanek	stevemar: the only way i can think of right now it go up in the stack frames and that's no good	18:45
stevemar	yeah, no good	18:46
gyee	henrynash, I need to specify the mapping there?	18:46
stevemar	role_assignment it is then, create.role_assignment	18:46
*** diegows has joined #openstack-keystone		18:46
henrynash	gyee: that’s a boolean…set it to Fales and mapping will happen for teh default domain as well	18:46
gyee	bknudson, no, in erlang for performance :D	18:46
henrynash	gyee: false, even	18:46
dstanek	stevemar: crazy garbage like - https://github.com/dstanek/snake-guice/blob/master/snakeguice/decorators.py#L61	18:46
bknudson	gyee: then we could upgrades without even shutting down	18:47
* stevemar runs away scared		18:47
gyee	heh	18:47
*** hrybacki has joined #openstack-keystone		18:48
*** henrynash has quit IRC		18:49
gabriel-bezerra	gyee: that is what I was asking if keystone could do	18:52
gabriel-bezerra	I know that shibboleth can	18:52
gyee	don't think python-ldap supports that, but I could be wrong though	18:54
*** hrybacki has quit IRC		18:55
*** radez_g0n3 is now known as radez		18:57
*** nkinder has quit IRC		19:01
*** dimsum_ has joined #openstack-keystone		19:02
*** KanagarajM has quit IRC		19:03
gabriel-bezerra	ok. thanks gyee and henrynash	19:04
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204	19:05
stevemar	dstanek, donezo!	19:05
bknudson	stevemar: http://www.urbandictionary.com/define.php?term=donezo	19:06
stevemar	bknudson, you know it, surprised i spelled it correctly	19:07
stevemar	correct enough for urban dictionary anyway	19:07
bknudson	stevemar: which definition were you using?	19:07
stevemar	bknudson, #1	19:07
stevemar	i'm being confident here, claiming that my patch is done, and it'll land	19:08
bknudson	I was hoping it was one of the other ones	19:08
stevemar	#7 would be an interesting thing to proclaim on IRC	19:08
bknudson	stevemar: I didn't know if the OUTCOME_PENDING notification was required for CADF?	19:09
bknudson	is it an optional thing that you would typically skip it?	19:10
stevemar	bknudson, http://paste.openstack.org/show/98868/	19:13
stevemar	seems like it's supposed to be for long running processes	19:13
bknudson	ok, just wanted to make sure it wasn't a CADF requirement.	19:14
praneshp	henrynnash yt?	19:17
praneshp	morganfainberg: bknudson can one of you point me on how to insert a user into multiple roles in a tenant?	19:18
praneshp	something similar to https://github.com/openstack/keystone/commit/ec995b33763f99755e8512e0e0aa497c01e37449#diff-d6550cfbcb5b15b775973fd8fd58bd05R289	19:18
ayoung-lunch	stevemar, morganfainberg can I get a second +2 here? This is the KC mirror of the patch for auth_token that went into keystonemiddleware already	19:23
ayoung-lunch	https://review.openstack.org/#/c/114654/	19:23
*** radez is now known as radez_g0n3		19:27
*** hrybacki has joined #openstack-keystone		19:35
*** morganfainberg is now known as morganfainberg_Z		19:35
gabriel-bezerra	gyee, bknudson: it seems to be possible https://mail.python.org/pipermail/python-ldap/2014q2/003370.html	19:36
bknudson	gabriel-bezerra: the C api supports it, so the python api should also... I think most deployments would prefer a load balancer.	19:38
gabriel-bezerra	for more control of how to balance?	19:40
bknudson	gabriel-bezerra: yes	19:41
gabriel-bezerra	sounds reasonable :) Thanks	19:43
*** vhoward has left #openstack-keystone		19:45
praneshp	gyee: ping	19:48
*** hrybacki has quit IRC		19:49
*** henrynash has joined #openstack-keystone		19:51
gyee	praneshp, here	19:55
*** ayoung-lunch is now known as ayoung		19:56
gyee	gabriel-bezerra, nice!	19:56
praneshp	gyee I’ve been looking at the keystone patch taht changed UserProjectGrant, etc	19:56
praneshp	https://github.com/openstack/keystone/commit/ec995b33763f99755e8512e0e0aa497c01e37449#diff-d6550cfbcb5b15b775973fd8fd58bd05R289	19:56
praneshp	I want to add a user to several roles in a tenant	19:57
gyee	k	19:57
praneshp	earlier, the call i used to make was something like # session.add(UserProjectGrant(user_id=user_id,	19:57
praneshp	# project_id=project_id,	19:57
praneshp	# data=rec['data']))	19:57
praneshp	sorry	19:58
praneshp	session.add(UserProjectGrant(user_id=user_id, project_id=project_id, data=rec['data']))	19:58
praneshp	where rec[‘data’][‘roles’] contained the list of roles to add to	19:58
praneshp	I was wondering what the equivalent in the new way is	19:58
praneshp	i understand this is a very specific questin though, henry nash left the room before i got in	19:59
praneshp	hey henrynash I see you’re back :)	19:59
gyee	:), henrynahs's the person you are after	19:59
praneshp	henrynash: ping. ypu’re probably the best person to answer ^^	19:59
gyee	can you even do that, adding several roles at a time?	20:01
ayoung	praneshp, I think you are OK doing that still	20:03
praneshp	ayoung: ah really? let me try. I tried to pas roles as a list, which is actually not the same as what was being done bfore	20:03
ayoung	praneshp, not sure if you can pass multiple roles at once	20:04
ayoung	praneshp, lets see...the underlying call is	20:04
praneshp	ayoung: hmmm. so the right way to do this now owuld be loop over each role and call this?	20:05
praneshp	session.add(RoleAssignment( type=AssignmentType.USER_PROJECT, actor_id=user_id, target_id=project_id, role_id=role, inherited=False))	20:05
ayoung	https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#grant-role-to-user-on-domain-put-domainsdomain_idusersuser_idrolesrole_id	20:06
ayoung	that is for domain, but project is the same	20:06
gyee	ayoung, API allows one at a time	20:06
ayoung	https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#grant-role-to-user-on-project-put-projectsproject_idusersuser_idrolesrole_id	20:06
ayoung	praneshp, yes.	20:06
praneshp	ayoung: great, thanks!	20:06
ayoung	praneshp, just remember: Try it your self. I lie. I make things up.	20:07
praneshp	ayoung: of course	20:07
praneshp	thanks ayoung gyee	20:08
*** marcoemorais has joined #openstack-keystone		20:09
*** topol has quit IRC		20:12
*** rwsu has quit IRC		20:13
*** fifieldt has quit IRC		20:23
openstackgerrit	werner mendizabal proposed a change to openstack/keystone: Set revoke_api attribute to None on provider object https://review.openstack.org/116374	20:24
*** rushiagr_away is now known as rushiagr		20:27
*** gyee has quit IRC		20:28
*** vhoward has joined #openstack-keystone		20:32
*** gyee has joined #openstack-keystone		20:35
*** fifieldt has joined #openstack-keystone		20:36
*** Haneef_ has joined #openstack-keystone		20:41
Haneef_	ayoung: Question on ldap mapping. Why do we ignore user_id mapping from keystone.conf and always take the id from dn?	20:42
ayoung	Haneef_, I give up. Why?	20:42
Haneef_	I don't know know. Is there a reason for doing so.	20:43
ayoung	Haneef_, the behavior changes whether you do filtered queries or not	20:44
ayoung	the assumption origianlly was that the users would all be in a single container, with userid being the first segment of the DN	20:44
ayoung	then someone wanted filtered queries	20:44
ayoung	evolution	20:44
bknudson	I think it depends on the scope... if it's set to onelevel or subtree ?	20:45
ayoung	or, another way to put it, sometimes I make bad assumptions	20:45
ayoung	yep	20:45
*** henrynash has quit IRC		20:45
ayoung	subtree does an attribute query	20:45
ayoung	converting user id to DN should be possible without going to the server	20:46
ayoung	so its much more efficient	20:46
Haneef_	I'm taking about the other way. Since it takes the first attribute, which is not what I want as id attribute	20:46
Haneef_	ldap result to rest model	20:47
ayoung	then switch to subtree	20:47
ayoung	Haneef_, it ain't the greatest. I'm willing to entertain alternatives	20:48
gyee	this? https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L851	20:51
gyee	one to sub	20:51
*** meera has joined #openstack-keystone		20:51
ayoung	gyee, yep	20:52
ayoung	The LDAP mapping sucks. Whoever wrote it should be fired.	20:52
gyee	hahahah	20:53
gyee	lmao	20:53
*** stevemar has quit IRC		20:56
*** nkinder has joined #openstack-keystone		21:11
*** dimsum_ has quit IRC		21:17
*** dimsum_ has joined #openstack-keystone		21:18
*** rushiagr is now known as rushiagr_away		21:20
*** dimsum_ has quit IRC		21:22
*** rushiagr_away is now known as rushiagr		21:33
*** rushiagr is now known as rushiagr_away		21:36
openstackgerrit	werner mendizabal proposed a change to openstack/keystone: Set revoke_api attribute to None on provider object https://review.openstack.org/116374	21:44
*** jasondotstar has quit IRC		21:48
*** meera has quit IRC		21:52
*** wwriverrat has joined #openstack-keystone		21:53
*** gordc has quit IRC		21:55
*** wwriverrat has quit IRC		22:00
*** henrynash has joined #openstack-keystone		22:03
*** elmiko is now known as _elmiko		22:11
bambam1	hello fellas does anybody knows if I have to configure something to be able to retrieve the list of users from the rest API? I'm getting a 404 on v2.0/users	22:12
bknudson	bambam1: the admin api supports v2.0/users, the public api doesn't. see http://developer.openstack.org/api-ref-identity-v2.html	22:18
*** dimsum_ has joined #openstack-keystone		22:19
bknudson	also apparently you need the OS-KSADM extension.	22:19
bambam1	thank you bknudson i'm gonna take a look at that	22:21
*** gordc has joined #openstack-keystone		22:22
*** dimsum_ has quit IRC		22:23
*** gordc has quit IRC		22:38
*** gokrokve has quit IRC		22:57
*** david-lyle has quit IRC		23:14
*** henrynash has quit IRC		23:35
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620	23:38
*** dimsum_ has joined #openstack-keystone		23:50
*** dimsum_ has quit IRC		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!