Tuesday, 2014-10-07

*** gokrokve has quit IRC00:03
*** david-lyle has joined #openstack-keystone00:11
*** _cjones_ has quit IRC00:12
*** _cjones_ has joined #openstack-keystone00:13
*** _cjones_ has quit IRC00:14
*** _cjones_ has joined #openstack-keystone00:14
*** david-lyle has quit IRC00:17
*** gyee has quit IRC00:27
*** ChanServ sets mode: -o morganfainberg00:28
*** gokrokve has joined #openstack-keystone00:39
*** gokrokve has quit IRC00:40
*** gokrokve has joined #openstack-keystone00:47
*** ncoghlan has joined #openstack-keystone00:56
*** dims has quit IRC00:57
*** dims has joined #openstack-keystone00:57
*** dims has quit IRC01:02
*** _cjones_ has quit IRC01:04
*** _cjones_ has joined #openstack-keystone01:04
*** ayoung-afk is now known as ayoung01:07
*** _cjones_ has quit IRC01:09
*** r-daneel has quit IRC01:10
ayoungnkinder, I'm so close on Kerberos I can smell it01:23
*** oomichi has joined #openstack-keystone01:23
ayoungI think I have an S4U2 Config issue...I'm getting a 401 when Horizon talks to Keystone01:23
nkinderdo you smell what the ayoung is cookin? :)01:23
ayoungnkinder, I posted the code anyway...unit tests pass, and I had it working before...01:24
nkinder401's are a pain to troubleshoot.  It would be really nice to have some policy/auth related debug logging01:24
ayoungnkinder, I think I have the S4u2 messd up01:24
ayoungnkinder, http://paste.openstack.org/show/119197/01:25
ayoungso there are 3 hosts:  and I know that 2 of them have working in the past01:25
ayoungHTTP/horizon.cloudlab.freeipa.org@IPA.CLOUDLAB.FREEIPA.ORG  is the one I added with your ldif change earlier01:26
*** gokrokve_ has joined #openstack-keystone01:26
*** dimsum_ has joined #openstack-keystone01:26
*** toddnni has quit IRC01:26
ayoungok...I'm iun rpdb in Horizon01:29
*** toddnni has joined #openstack-keystone01:29
*** gokrokve has quit IRC01:29
ayoungprint request dumps the env vars01:29
ayoung 'REMOTE_USER': 'ayoung'01:29
ayoung'KRB5CCNAME': 'FILE:/run/httpd/krbcache/krb5cc_apache_vSxygc'01:29
ayoungnkinder, is there anything that should show constrained delegation?01:29
*** gokrokve_ has quit IRC01:30
*** marcoemorais has quit IRC01:31
ayounghttp://paste.openstack.org/show/119203/  nkinder that looks like S4U2 failed, right?01:31
nkinderayoung: anything of interest in the kdc log?01:32
ayoungah...good idea01:32
ayounglet me confirm my apache conf first01:32
ayoungnkinder, http://paste.openstack.org/show/119205/  this is a devstack, so that is in:  /etc/httpd/conf.d/horizon.conf01:33
ayoung KrbConstrainedDelegation on01:33
ayoungand I saw that Kerberos worked....ok, lets look on the kdc01:34
ayoungnkinder, I can't tell http://paste.openstack.org/show/119206/01:35
ayoungbut that last line looks like it should be01:36
ayoung ayoung@IPA.CLOUDLAB.FREEIPA.ORG for host/ipa.cloudlab.freeipa.org@IPA.CLOUDLAB.FREEIPA.ORG  looks like a delegated ticket to me01:36
ayoungI have an s4 test not with horizon on another server,  lets see what that generates01:37
nkinderayoung: Those are the current kdc logs that get output when you try to use S4U?01:38
nkinderI'm not sure why it would use the host/fqdn service01:39
ayoungyeah...at least, it was the end of the log.  I just tried from a different server and got this:01:39
ayounghttp://paste.openstack.org/show/119207/  nkinder01:39
nkinderThat looks more like it.  It's the HTTP service.01:39
ayoungthat was using a shell test I had01:40
ayounglet me move the shell test to the horizon server.01:42
*** andreaf has quit IRC01:57
*** andreaf has joined #openstack-keystone01:58
nkinderI'm having a heck of a time setting up an admin domain when trying to use the domain specific backend feature01:58
ayounghttp://horizon.cloudlab.freeipa.org/s4u2test/shell   nkinder02:00
ayoungthat works when I get rid of the horizon setup02:01
ayoungnkinder, "admin" domain meaning default domain?02:01
nkinderayoung: I need to set up DNS for your lab stuff02:01
ayoungits just a bunch of host entries02:01
nkinderayoung: I'm trying to switch over to the v3cloud policy file02:01
ayoung10.16.18.225   horizon.cloudlab.freeipa.org02:02
nkinderayoung: So I create an 'admin_domain' with a 'cloud_user' who has 'admin' on the domain02:02
ayoungnkinder, the domain name is admin_domain?02:02
nkinderayoung: I then update the v3policy cloud_admin rule to specify the domain id of my 'admin_domain'02:02
nkinderand using the openstack CLI can't find the user and gives a 40102:03
nkindercurl lets me get a domain scoped token though... interesting02:03
ayoungstartby using the SERVICE_TOKEN02:03
ayoungthat bypasses all the rules etc02:03
ayoungmake sure that the user has the right role assignments02:04
ayoungcurl works...02:04
ayoungOK, so Curl lets you get a domain scoped token as the admin user.  nkinder did you try to do a GET on /v3/users/<id>  with that token?02:05
nkinderayoung: the token has no roles in it, which is strange02:05
nkinderlet me double check my assignment02:05
ayoungsounds like an unscoped token02:06
nkinderayoung: check it - http://paste.openstack.org/show/119214/02:09
nkinderit's a domain scoped token02:09
nkinderwhat gives with my role not being in the token?02:09
nkinderthis token obviously fails the 'is_admin' portion of the 'cloud_admin' policy rule02:10
ayoungno it is unscoped02:10
ayoungno service catalog02:10
ayoungwhere is this domain stored02:10
ayoungare you explicitly requesting a scoped token?02:11
nkinderayoung: but the token has {"domain": {"id": "60a548e4a98a40dca78b768db5bc53de", "name": "admin_domain"} in it02:11
*** dimsum_ has quit IRC02:11
ayoungthat is the user domain02:11
nkinderayoung: let me paste the request02:11
ayoungnkinder, its an unscoped token:02:11
ayoung"user": {"domain": {"id": "60a548e4a98a40dca78b768db5bc53de",   ....02:11
*** dimsum_ has joined #openstack-keystone02:11
nkinderayoung: http://paste.openstack.org/show/119220/02:12
ayoungnkinder, do we not fail out if there are no roles assigned..02:12
*** Guest33821 is now known as mfisch02:12
ayoungthat is an unscoped request02:12
ayounglook at my example02:12
ayoungsee the scope portion?02:12
ayoungadd in02:12
*** mfisch is now known as Guest1073602:13
ayoung"scope": {02:13
ayoung18            "domain"02:13
*** dimsum_ has quit IRC02:15
*** arborism has quit IRC02:19
nkinderayoung: ok, that looks better02:19
nkinderayoung: but, I still don't think OSC is working unless I get a domain-scoped token first02:19
remote_morgan_Hmm that sounds a little odd02:22
ayoungnkinder, I didn't have keystoneclient-kerberos installed on that machine....02:24
ayoungnkinder, I'll look in a bit...I'm too close to get off track02:24
nkinderremote_morgan_: I'll see what's being sent from the client.  I was trying with --os-domain-name instead of --os-project-name02:25
remote_morgan_Ack! Autocorrect.02:25
remote_morgan_Ahh even.02:25
nkinderPerhaps it's an OSC bug.  After getting my own domain scoped token, OSC is working well to have my cloud_admin manage other domains (including an LDAP domain)02:25
ayoung Exception: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed?02:26
ayoungFuck PBR02:26
*** amerine has joined #openstack-keystone02:26
* ayoung probably should not curse in logs that are saved in perpetuity.02:26
remote_morgan_ayoung: maybe not.02:27
*** zigo has quit IRC02:27
remote_morgan_But I think you'll likely be forgiven in the log run.02:28
ayoungremote_morgan_, but I installed PBR using pip install -e .02:28
ayoungnot PBR< but the pyuthon-keystoneclient-kerberos repo02:28
ayoungI have Git02:28
remote_morgan_There was some weird bug with the unreleased pbr. They held back the release for some reason.02:28
nkinderremote_morgan_, ayoung: I should expect this to work, right? http://paste.openstack.org/show/119224/02:29
*** zigo has joined #openstack-keystone02:29
ayoungnkinder, can you post a successful token request from curl so I can compare?02:29
ayounghttp://paste.openstack.org/show/119220/  worked?02:30
ayoungah, but that is unscoped02:30
ayoungnkinder,  --os-domain-name admin_domain might just be the users domain name, and you are not requesting a scoped token02:30
ayoungnkinder, this is what remote_morgan_ was ranting against...oh back at the midcycle in January IIRC.02:31
nkinderhmm, that might be it (though it should find the user in that case and just give a 403 if I try to do somthing)02:31
ayoungdomain is overloaded02:31
ayoungso we need a way to specify domain for assignments separate from domain for identity02:31
ayoungWith the v3, you need to specify the users domain, almost certain that is what --os-domain-name  is doing02:32
ayoungno,  you need a scoped token to list or get users02:32
nkinderI think I need to use --os-default-domain02:32
ayoungagain, I think that is the identity domain02:32
ayoungis there any switch for project domain or so?02:33
ayounglet me see if I have a semi functional osc02:33
nkinderayoung: got it working02:34
nkinderayoung, remote_morgan_: http://paste.openstack.org/show/119225/02:34
nkinder--os-user-domain-name is the key02:34
nkinderotherwise it looks the user up in the default domain02:34
*** diegows has quit IRC02:35
nkinderayoung: so here's something interesting...02:40
nkinderIf I want to use OSC to grant 'admin' to a user from a domain, I must do it by the id of the user (not name)02:41
nkinderNot a big deal, but a way to specify the user by name and the domain name to look in for the user would be nice02:41
ayoungnkinder, closer....I hacked out PBR and now I can use the keystoneclient to get a token, but not Horizon yet02:43
ayoungnkinder, yeah, that is a pain02:43
ayoungthe whole "use names" approach to make Keystone friendly needs to be hacked in everywhere02:43
ayoungwith Federation its tricky, though02:44
ayoungyou won't know the username02:44
ayoungthe id comes from the IdP, and that and the domain_id get hashed. All that is stored in the mapping table is the original user_id, not the username02:44
nkinderayoung: even more painful is that I can't use 'user show' to show a user form a specific domain02:44
nkinderayoung: I can do a 'user list --domain ipa', and that works02:45
nkinderbut 'user show --domain ipa admin' is not possible02:45
ayoungwelcome to the world of Federation.  Everything you know is broken02:45
nkinder--domain isn't a valid option02:45
nkinderwhich borks me from an automation standpoint02:45
ayoungyou need to know the userids a-priori02:45
nkinderI want to look up the user id with 'user show --domain ipa admin -f value -c id', then use that id to create an assignment02:45
ayoungwe need a service which is like:   If I were to give you user X in domain D  what would his id be?02:46
ayoungor her02:46
nkinder'user show' should take --domain to match the way 'user list' works.  That's just an oversight02:46
nkinderI'll file a bug and propose a patch fo rit02:46
*** ncoghlan is now known as ncoghlan_afk02:50
ayoungnkinder, OK,  I think I know the next problem.03:00
ayoungWSGIDaemonProcess horizon user=ayoung03:00
ayoungguessing that horizon can't read the CCACHE written by apache03:00
ayoungthis other one worked03:01
ayoungWSGIDaemonProcess s4u2 user=apache group=apache maximum-requests=1000003:01
ayounglets see if horizon will let me change that value...03:01
*** toddnni has quit IRC03:05
*** toddnni has joined #openstack-keystone03:06
ayoungnkinder, OK,  how do I pass on the credentials from apache to the unix user ayoung that is running Horizon?03:07
*** ncoghlan_afk is now known as ncoghlan03:10
ayoungnkinder, OK,  so the problem I am having is that devstack is running Horizon as ayoung, but I log in to httpd which is running as apache, and the credentials cache is not readable by ayoung03:15
nkinderso they need to be the same user03:17
ayoungnkinder, or we need to be able to set permissions on them03:18
ayoungIPA does the same user03:18
ayoungnkinder, do you have a clean packstack?  What does that do?03:18
ayoungits the WSGIDaemonProcess  directive03:19
ayoungif it does not specify a user then I think it continues to run as the parent03:19
*** ncoghlan is now known as ncoghlan_afk03:20
*** dguitarbite has quit IRC03:36
*** cjellick has quit IRC03:39
*** cjellick has joined #openstack-keystone03:40
*** cjellick has quit IRC03:40
*** ayoung is now known as ayoung-zz03:45
*** jamielennox has quit IRC03:55
*** ncoghlan_afk is now known as ncoghlan03:55
*** jamielennox has joined #openstack-keystone04:02
*** gokrokve has joined #openstack-keystone04:28
*** lhcheng has quit IRC04:33
*** fifieldt_ has quit IRC04:42
*** gokrokve has quit IRC04:44
*** ncoghlan is now known as ncoghlan_afk05:08
*** ncoghlan_afk is now known as ncoghlan05:18
*** lhcheng has joined #openstack-keystone05:22
*** harlowja is now known as harlowja_away05:26
*** lhcheng has quit IRC05:26
*** lhcheng has joined #openstack-keystone05:27
stevemarnkinder, ping?05:31
*** ajayaa has joined #openstack-keystone05:34
*** oomichi has quit IRC06:02
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12495006:05
*** thiagop has quit IRC06:06
*** thiagop has joined #openstack-keystone06:06
*** ukalifon has joined #openstack-keystone06:13
*** henrynash has joined #openstack-keystone06:15
*** henrynash has quit IRC06:19
*** stevemar has quit IRC06:29
*** lufix has joined #openstack-keystone06:36
*** dguitarbite has joined #openstack-keystone06:42
*** dimsum_ has joined #openstack-keystone06:50
*** henrynash has joined #openstack-keystone06:51
*** dimsum_ has quit IRC06:56
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/10224406:59
*** andreaf has quit IRC06:59
*** fifieldt has joined #openstack-keystone07:22
*** marekd|away is now known as marekd07:39
*** jistr has joined #openstack-keystone07:46
*** amcrn has joined #openstack-keystone07:53
*** lhcheng has quit IRC07:58
*** ncoghlan has quit IRC08:05
*** openstackgerrit has quit IRC08:11
*** nellysmitt has joined #openstack-keystone08:25
*** ajayaa has quit IRC08:35
*** ajayaa has joined #openstack-keystone08:49
*** jaosorior has joined #openstack-keystone08:50
*** aix has joined #openstack-keystone08:52
*** aix has quit IRC09:00
*** aix has joined #openstack-keystone09:01
*** ajayaa has quit IRC09:06
*** ajayaa has joined #openstack-keystone09:08
*** afaranha has quit IRC09:13
*** samuelmz has quit IRC09:13
*** raildo-zzz has quit IRC09:13
*** htruta has quit IRC09:14
*** thiagop has quit IRC09:14
*** tellesnobrega has quit IRC09:14
*** oomichi_ has joined #openstack-keystone09:16
*** amcrn has quit IRC09:26
*** afazekas has joined #openstack-keystone09:32
*** andreaf_ is now known as andreaf09:32
*** Tahmina has joined #openstack-keystone09:38
*** aix has quit IRC09:38
*** Dafna has joined #openstack-keystone09:40
*** gabriel-bezerra has quit IRC09:43
*** openstackgerrit has joined #openstack-keystone09:47
*** aix has joined #openstack-keystone09:52
*** swamireddy has joined #openstack-keystone10:06
*** dimsum_ has joined #openstack-keystone10:29
*** dimsum_ has quit IRC10:35
*** swamireddy1 has joined #openstack-keystone10:47
*** swamireddy has quit IRC10:54
*** dhellmann has quit IRC10:54
*** Guest10736 has quit IRC10:54
*** dhellmann has joined #openstack-keystone10:58
*** dimsum_ has joined #openstack-keystone11:00
*** Guest10736 has joined #openstack-keystone11:06
*** amakarov_away is now known as amakarov11:17
*** jistr has quit IRC11:32
*** diegows has joined #openstack-keystone11:32
*** diegows has quit IRC11:35
*** diegows has joined #openstack-keystone11:36
*** nidonato has joined #openstack-keystone11:42
*** nidonato has left #openstack-keystone11:43
*** jistr has joined #openstack-keystone11:52
*** jistr is now known as jistr|english11:54
*** tellesnobrega has joined #openstack-keystone11:55
*** topol has joined #openstack-keystone12:02
*** afaranha has joined #openstack-keystone12:06
*** topol has quit IRC12:14
*** bknudson has joined #openstack-keystone12:14
*** dimsum_ has quit IRC12:29
*** dimsum_ has joined #openstack-keystone12:29
*** dims_ has joined #openstack-keystone12:30
*** dims_ has quit IRC12:32
*** dimsum_ has quit IRC12:33
*** dimsum_ has joined #openstack-keystone12:33
*** achampion has quit IRC12:37
*** Tahmina has quit IRC12:38
*** swamireddy has joined #openstack-keystone12:47
*** swamireddy1 has quit IRC12:48
*** openstackgerrit has joined #openstack-keystone12:48
*** radez_g0n3 is now known as radez12:59
*** jistr|english is now known as jistr13:07
*** miqui has joined #openstack-keystone13:09
*** thiagop has joined #openstack-keystone13:15
*** gordc has joined #openstack-keystone13:15
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy  https://review.openstack.org/11135513:21
*** r-daneel has joined #openstack-keystone13:23
swamireddyWith latest devstack - I am getting an error with ¨keystone-manage db_sync¨13:24
*** NM has joined #openstack-keystone13:24
swamireddyand filed bug on the same - https://bugs.launchpad.net/keystone/+bug/137827013:25
uvirtbotLaunchpad bug 1378270 in keystone "keystone-manage db_sync command failed" [Undecided,Incomplete]13:25
swamireddyis this known issue?13:25
swamireddydolphm: Iam using the six 1.8.0 and tried with six V 1.7.0, but still the problem persists13:27
dolphmswamireddy: is it a brand new devstack build?13:29
swamireddydolphm: No...I was old one and working till today...before noon, I added a few services like ceilometer and swift etc..and tried with ./unstack.sh;./stack.sh13:31
*** gokrokve has joined #openstack-keystone13:35
*** Kui has quit IRC13:38
*** raildo has joined #openstack-keystone13:40
*** joesavak has joined #openstack-keystone13:41
*** topol has joined #openstack-keystone13:42
*** vhoward has left #openstack-keystone13:44
*** samuelmz has joined #openstack-keystone13:45
*** TemporalBeing has joined #openstack-keystone13:45
*** oomichi_ has quit IRC13:46
dolphmswamireddy: i have to guess that something in the install of one of those services produced a conflict with keystone's dependencies... neither a fresh devstack nor a stand-alone keystone install exhibit the issue, and i can't really reproduce an "old" devstack install13:46
*** victsou is now known as vsilva13:52
*** gokrokve has quit IRC13:53
*** andreaf is now known as andreaf_13:57
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/11668213:58
rodrigodsenforcing: for the brave ones =)13:58
rodrigodsdolphm, when you have a moment (or morganfainberg ), could you rebase our branch again? The KVS removal will impact some patches =)14:04
*** ayoung has joined #openstack-keystone14:06
*** radez is now known as radez_g0n314:08
*** htruta has joined #openstack-keystone14:09
swamireddydolphm: Will try the stack.sh on a new VM and update the status.14:10
*** mewald1 has joined #openstack-keystone14:11
*** stevemar has joined #openstack-keystone14:12
mewald1what exactly is the KVS backend? does it store permanently or just in memory? what are advantages compared to others?14:12
morganfainbergmewald1, KVS is a key-value-store, the old KVS systems are in-memory dictionary based only14:13
morganfainbergmewald1, the newer one (used mostly for token persistence in some cases, e.g. memcached) can use multiple backends14:13
morganfainbergmewald1, via dogpile.cach14:14
tellesnobregaayoung, hey, i'm working with rodrigods and vsilva on the token revocation bug. You guys talked yesterday and from what I saw, we first need to make the connection between domains and idps, implement the revoke by domain id and than we can solve the bug14:16
tellesnobregais that right?14:16
ayoungtellesnobrega, that is about it14:16
ayoungand I think it might be impossible, but, hey, get at it\14:16
*** vsilva is now known as victsou14:16
ayoungtellesnobrega, heh14:16
ayoungI think we should probably normalize the rules14:16
*** victsou is now known as vsilva14:18
tellesnobregaayoung, which part is impossible? connecting domains to idp?14:18
ayoungyeah.  please prove me wrong14:18
tellesnobregawe will try14:18
ayoungtellesnobrega, I think right now all we can do is evaluate the rules14:18
ayounger...well, you know, use the rules to evalue an assertion14:19
*** radez_g0n3 is now known as radez14:19
rodrigodsayoung, tellesnobrega, vsilva maybe we can find another path? besides using the idp domain?14:20
rodrigodswhen I scope a token, after sending a SAML assertion, is the IdP info lost forever? =(14:20
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/12573814:21
morganfainberglbragstad, woot14:22
*** ajayaa has quit IRC14:22
lbragstadmorganfainberg: I pushed a corresponding patch to tempest14:22
vsilvaAren't domains many to one in this context, anyway? How would we retrieve the IdP given the domain? ayoung rodrigods tellesnobrega14:22
lbragstadmorganfainberg: not *entirely* sure if I'm on the right track but... https://review.openstack.org/#/c/126564/14:22
lbragstadwe had some 345 tests fail w/o the tempest patch14:23
morganfainberglbragstad, right. mtreinish gave you feedback on the tempest patch14:23
morganfainberglbragstad, you're roughly on the right path, but should be easier with the config :)14:23
morganfainbergless change for now.14:24
lbragstadmorganfainberg: perfect, yeah that will work14:24
tellesnobregaayoung, when you say normalize the rules, what do you mean?14:27
*** swamireddy has quit IRC14:30
*** gokrokve has joined #openstack-keystone14:32
ayoungnkinder, S4U2Proxy for Horizon works.14:35
ayoungtellesnobrega, do you have a federated setup handy?14:36
tellesnobregai don't. I'm not sure if rodrigods has one14:39
tellesnobregahe has been working with federation longer than I, I'm just lending him a helping hand on this problem14:41
tellesnobregawe don't have it running, but rodrigods said that it is not a problem to have one soon14:47
*** amdl has joined #openstack-keystone14:48
amdlhello all, I have a working OpenStack cluster, however, I was just wondering how you guys manage this stuff in production? I've got puppet managing the software, but do you use LDAP for keystone?14:49
amdlI can't think how to roll this out, as it were14:49
stevemarmorganfainberg, what's the deal with the design summit topics this time around? are we leaving them open? is it up to the PTL to decide a broad topic for the session? are all projects doing it this way? cc dolphm14:50
mewald1morganfainberg: I thought KVS is one backend and memcache is another. You make is sound like memcache is a KVS backend!?14:51
morganfainbergstevemar, the etherpad is where all the discussion and determination is going. we'll be using that instead of the summit. site14:51
morganfainbergmewald1, memcache is a key-value-store backend for tokens. it's just using a slightly different configuration. it's the advantage to using dogpile.cache. You can even use redis if you would like.14:52
morganfainbergmewald1, there is also a mongo db driver that uses the same basic kvs interface.14:52
lbragstadmorganfainberg: there will still be slots on the summit site for scheduling purposes, correct?14:52
morganfainbergmewald1, in Kilo the old KVS drivers are all going away. Meaning, only Token (and I think revoke extension) will have a "KVS" backend, but it will be the new-kvs dogpile based one.14:53
morganfainberglbragstad, not sure.14:53
nkinderayoung: cool!  Was it just a permissions problem you were running into last night?14:53
mewald1morganfainberg: so KVS is an interface that can have multiple implementations like mongodb or dogpile. Memcache is another backend with it's own driver - did I get it straight now?14:53
morganfainberglbragstad, but in short the etherpad is where this is all being discussed as of now. i'm sure i'll need to convert that over to the schedule14:54
morganfainbergmewald1, dogpile is the library with the interface (get, set, delete, get_multi, set_multi, delete_multi), and there are multuple drivers/backends for it: Memcached, Redis, MongoDB, in-memory14:55
morganfainbergmewald1, the token memcache persistence driver just makes some smart(ish) desicions on configuring dogpile for you.14:55
morganfainbergmewald1, so it still uses dogpile, but is more friendly to deployers that used the old (pre-icehouse) token driver.14:55
mewald1morganfainberg: but icehouse users still have dogpile / KVS and memcache?14:56
morganfainbergmewald1, icehouse and juno still provide roughly the same way to configure token memcache driver.14:57
ayoungnkinder, yes, it was.14:57
ayoungI am now running apache as the ayoung user and it works14:57
morganfainbergmewald1, the plain kvs backend for tokens should only be used for testing.14:57
morganfainbergmewald1, plain kvs = in-memory dictionary based14:58
ayoungtellesnobrega, ok,  so  look at the rules format in the api docs and you'll see:14:58
mewald1morganfainberg: ok thank for explaining14:58
morganfainbergmewald1, they all use a common library to achieve the key-value-store mechanism, you shouldn't need to worry unless you're configuring something that is not memcached or the in-memory store14:58
morganfainbergmewald1, sure.14:58
ayoungnkinder, I'll try and get a new RPM built for DOA14:59
ayoungand I'll hunt down the answer to the PBR issue.14:59
morganfainbergmewald1, the common library is dogpile.cache, there is a section on configuring it in our docs iirc.14:59
mewald1I have one more question: in the token/backend folder I found rules.py - what kind of a backend is that?15:00
ayoungtopol, can I get you top marshall the troops to do some code reviews for consuming the Kerberos stuff?  Django Openstack auth  stuff15:00
*** thedodd has joined #openstack-keystone15:00
morganfainbergmewald1, i don't see that https://github.com/openstack/keystone/tree/master/keystone/token/backends here15:00
mewald1morganfainberg: sorry my bad: its policy15:01
morganfainbergmewald1, ah,15:01
morganfainbergmewald1, policy is a bit weird. it handles two things.15:01
morganfainbergmewald1, it handles the policy for keystone and serving policy files out to other services (not currently really used)15:01
morganfainbergso policy backend in keystone is a little odd compared to the other parts.15:02
morganfainbergrules is a basic impl that ignores the "serving policy files to other services" part, but implementes the needed methods for keystone's API enforcement15:03
*** jaosorior has quit IRC15:03
*** vsilva is now known as victsou15:04
mewald1morganfainberg: where does rules.py store the policies then? or is SQL the only actual backend?15:05
tellesnobregai found this rules here15:05
morganfainbergfor keystone, it works like the rest of the projects it loads from the policy.json15:05
tellesnobregawhat do you mean by normalize them15:05
*** victsou is now known as vsilva15:06
*** joesavak has quit IRC15:06
*** vsilva has quit IRC15:06
*** victsou has joined #openstack-keystone15:07
mewald1morganfainberg: ok and for all the others it fetches them from sql, right?15:07
*** victsou is now known as vsilva15:07
morganfainbergmewald1, *if* the services store their policies in keystone. No service supports fetching from keystone, so largely you can (for now) assume that interface (the CRUD interface for policy) is not used15:08
*** jamielennox has quit IRC15:08
mewald1yeah ok - I still wanted to understand the concept15:08
*** joesavak has joined #openstack-keystone15:10
bknudsonI've got some questions about using memcache to store tokens...15:15
bknudsonit looks like if memcache fails to store the token, that failure is ignored15:15
*** vsilva is now known as victsou15:18
*** thedodd has quit IRC15:18
*** bdossant has joined #openstack-keystone15:19
bknudsonbut then if we fail to store the token, we still update the user list15:22
mewald1morganfainberg: are the any documents that compare the different backends and give support for decision making?15:22
*** thedodd has joined #openstack-keystone15:22
bknudsonand if the user list update fails then the operation fails15:22
bknudsonseems like if memcache returns False because it didn't store the token then the new token operation should fail and the user list shouldn't be updated.15:23
mewald1morganfainberg: for example: it seems obvious to me that when I scale-out keystone (multiple instances) I wouldn't want a non-shared token cache - things like this15:24
ayoungnkinder, BTW, I saw the project switch was broken On Horizon.    Nothing to do with Kerberos, turns out we really need to have the right endpoint urls in the Keystone service catalog.  Basically, we need to force Keystone V3 for the service catalog15:26
morganfainbergmewald1, to be honest, i recommend the SQL token driver for production deployments15:30
boris-42bknudson morganfainberg guys hi there15:30
morganfainbergmewald1, the memcache driver is a poor choice because it is assuming memcache is a good "stable" storage for data, memcache is *not*15:30
boris-42ayoung hi15:30
boris-42ayoung morganfainberg  bknudson  guys you have some performance regression15:30
ayoungalmost certainly15:30
boris-42compare this15:31
ayoungboris-42, it comes with age15:31
ayoungoh, you mean Keystone15:31
boris-42with this15:31
boris-42ayoung ya Keystone15:31
bknudsonayoung: there's pills for that now.15:31
morganfainbergbknudson, ++15:31
ayoungI can't Rally like I used to15:31
bknudsonI've seen the ads.15:31
boris-42ayoung bknudson  so are you interested?) or not?)15:32
morganfainbergboris-42, isolated runs != trend. some nodes will be slower15:32
ayoungboris-42, do we care15:32
dolphmlbragstad: did you deactivate your second LP account?15:32
mewald1morganfainberg: ok, SQL seems to be the obvious choice: shared location, stable/reliable storage and can be used for any other keystone and OpenStack service15:32
boris-42morganfainberg ayoung  guys let me collect more graphs15:32
bknudsonboris-42: how do we find out what commit caused it?15:32
ayoungcreate user is not critical path.   Foremost concern is the token pipeline15:32
morganfainbergayoung, ++15:32
boris-42bknudson I will just try to find by hands =015:32
ayoungits an interesting piece of info, but not actionable, I think15:32
boris-42ayoung we can test other functional as well15:33
*** k4n0 has quit IRC15:33
morganfainbergboris-42, issue token, validate token would be much better15:33
boris-42ayoung it's not a big deal15:33
ayoungboris-42, the one that I've heard people complain about is list user15:33
ayoungas that can kill Horizon15:33
morganfainbergboris-42, but i think more importantly finding a way to trend this vs. isolated tests is going to be the bigger win.15:34
boris-42morganfainberg heh we have lab in Mirantis for that15:34
morganfainbergboris-42, because you having to hunt for graphs or commits by hand is not really sustainable long term :)15:34
boris-42morganfainberg actually lemme show you something15:34
boris-42morganfainberg we have this section https://github.com/stackforge/rally/blob/master/rally-scenarios/rally.yaml#L11-L1215:34
morganfainbergyou have better things to do i'm sure! :) [and we'd like to not have to ask you to do it each time if it's something we can consume :) ]15:34
boris-42morganfainberg so you can add regression testing15:35
boris-42morganfainberg like if it take in avg more then 5 second in that tests, rally job will fail15:35
boris-42morganfainberg so basically we can add more benchmarks in keystone gates15:35
boris-42morganfainberg and add these SLA checks15:35
boris-42morganfainberg so you won't need to check by hands graphs15:35
boris-42morganfainberg just if rally job start failing15:36
morganfainbergsure. that isn't the same as trending though, so we can see the progression of improvement / degredation.15:36
boris-42morganfainberg ya but it at least allows to make regression tests15:36
boris-42morganfainberg it's not so simple to make trend testing especially in gates15:36
morganfainbergboris-42, it's def. useful, but it may not be the source it could just indicate the final straw15:36
boris-42morganfainberg yep sure, but at least you'll get it15:37
boris-42morganfainberg now you even don't now that there is regression15:37
boris-42morganfainberg and it happend15:37
*** zzzeek has joined #openstack-keystone15:37
morganfainbergboris-42, honestly, i never look at the rally results.15:37
boris-42morganfainberg that's sad15:37
morganfainbergboris-42, because they're in isolation15:37
boris-42morganfainberg what do you mean by isolation?)15:38
nkinderayoung: speaking of horizon and V3, does Horizon work with Keystone domains?15:38
boris-42morganfainberg I would be more then happy to help you guys start using it..15:38
boris-42morganfainberg I just don't know how=)15:38
nkinderayoung: ...or is it only using v2 and is forced to use the default domain?15:39
morganfainbergboris-42, i look at raly results and unless i look at every result, i can't know if there is a real change.15:39
ayoungnkinder, it works with V3 if set up correctly15:39
boris-42morganfainberg we can setup a job in such way15:39
ayoungnkinder, needs 3 changes15:39
ayoung1:  change the auth url15:39
boris-42morganfainberg that if it passed it means no big regression15:39
boris-42morganfainberg if it failed you'll find what failed15:39
ayoung2:  change the setting the starts wit h MULTI to allow multiple domains15:39
morganfainbergboris-42, this is a case where external CI might be useful, something that runs rally and extracts the data and graphs it.15:39
bknudsonI'm just not seeing how it's safe or normal to have tokens only stored in memcache15:39
ayoung3:  set the identity api version to 3:15:39
morganfainbergboris-42, rather than running rally in the local gate in isolation.15:39
boris-42morganfainberg I don't have hardware=)15:39
ayoungnkinder, in my config file these settings are15:40
nkinderayoung: interesting.  Will try that today15:40
morganfainbergboris-42, but you see my point right? I'm not saying there isn't value to rally, far from it.15:40
bknudsonLooks like memcache is supposed to speed up database queries by caching15:40
bknudsonnot replace the db altogether15:40
ayoungOPENSTACK_API_VERSIONS = {"identity": 3}15:40
morganfainbergboris-42, i'm just looking for how we can get it there and be more useful15:40
ayounger...last one is commented out cuz I'm using a kerberized URL15:40
boris-42morganfainberg so you can at least start using it =)15:40
ayoung^^ works too15:41
morganfainbergbknudson, absolutely correct. if people didnt already have a "memcache" persistence backend that we need to maintain, i'd have removed it a while ago15:41
boris-42morganfainberg cause it's already very useful, it's just not everything15:41
boris-42morganfainberg like trends15:41
*** mewald1 has left #openstack-keystone15:41
boris-42morganfainberg but you can test your patches, that they don't affect performance, and put regression criteria15:41
nkinderayoung: so does Horizon have a dialog where you select the domain then (or a box where you type it in)?15:41
bknudsonmorganfainberg: so you don't think the memcache persistence backend is production ready?15:41
boris-42morganfainberg that will be much better then nothing15:41
bknudsonmorganfainberg: because people are trying to use it in production.15:42
morganfainbergboris-42, again, unless i look at *every* result i don't know what it's telling me except that either 1) that rally run was run on a slow node, or 2) somewhere we got slower over time... if i can remember each and every patch.15:42
morganfainbergbknudson, it has never been production quality. memcache is not a stable store. but removing it would break those people who have accepted that and use it anyway15:42
bknudsonmorganfainberg: and there's other people telling me that they can't use the sql backend.15:42
*** jamielennox has joined #openstack-keystone15:43
morganfainbergbknudson, i think this is part of the summit conversation we're going to need to have on authz (tokens etc)15:43
morganfainbergbknudson, i don't have a good answer today :(15:44
boris-42morganfainberg with reasonable "avg" duration15:44
morganfainbergbknudson, it is something i want us to have a direction on though this cycle if we can.15:44
boris-42morganfainberg criterias you won't get often failures cause of slow nodes15:45
ayoungmemcache is OK for production with UUID tokens only15:45
ayoungwith PKI, you need persisted revocations15:45
morganfainbergayoung, sortof.15:45
morganfainbergayoung, if you use more than 1 memcache server, no guarantees (if one fails) you'll have continuing authorization and 2) maximum numbers of active tokens per user (high, but i've seen those limits hit by active clouds/users).15:46
morganfainbergayoung, it's "passible" for some environments.15:46
ayoungmorganfainberg, you might have false negatives  ,but not false positives...although there might be some lag in revocations15:46
morganfainbergayoung, sure - likely a lot of false negatives (well not so false since the tokens don't exist)15:47
morganfainbergunexpected negatives?15:47
*** ukalifon has quit IRC15:47
ayoungmorganfainberg, false in that they existing in some memcache server, just not the one your endpoint is talking to?15:47
morganfainbergayoung, dpeends on the failure. it could be that the memcache server died.. those tokens are gone, no longer existing. or the user15:48
boris-42morganfainberg so any chance guys to get you involved in performance stuff?15:48
morganfainbergs indexes could go away15:48
boris-42morganfainberg or until everything will be automated you won't be interested?15:48
morganfainbergayoung, meaning you would in theory have tokens that aren't revoked (deleteD) for password changes, trust changes, etc15:49
morganfainbergayoung, i'd counter memcache isn't really "production" ready in any cases15:49
ayoungmorganfainberg, eventual semantics do not make a good authorization system15:49
bknudsonayoung: we're trying to use it in production and it's not working.15:50
morganfainbergboris-42, i'm not opposed ot rally as is, i just can't keep all of the data in my head and it's painful to hunt through to find the source of a slowness.15:50
ayoungbknudson, blame termie15:50
boris-42morganfainberg what about just working for example with me15:50
morganfainbergboris-42, so, we can improve it as is, yes. we should look at how we approach this overall and make it better :)15:50
boris-42morganfainberg to create reasonable regression stuff15:50
boris-42morganfainberg so you won't need to keep all in mind15:50
morganfainbergboris-42, sure - but to be clear, i don't want rally to ever be a voting job.15:51
boris-42morganfainberg if some function start working 2 times slower call juob will fail15:51
boris-42morganfainberg it's not about voting job15:51
morganfainbergboris-42, not unless it grows a lot of smarts.15:51
boris-42morganfainberg it's about +1/-115:51
boris-42morganfainberg lemme show you15:51
boris-42morganfainberg I will make small patch15:51
*** bdossant has quit IRC15:51
boris-42morganfainberg btw could you take a look at this https://review.openstack.org/#/c/98836/ since Jun 9...15:52
morganfainbergboris-42, like i said we can improve it, just letting you know it needs continued thought on moving forward before it becomes a lot more valueable. let me be clear i'm not saying "no" or "i don15:52
morganfainbergt like it" :)15:52
boris-42morganfainberg ^ that patch is about making it better15:52
boris-42morganfainberg it allows to write rally plugins in tree of keystone15:52
boris-42morganfainberg it will be nice to get it in=)15:53
morganfainbergok give me a few i need to get breakfast before the IRC meeting and i'm at a hotel today so, need to do things like checkout15:54
openstackgerritBoris Pavlovic proposed a change to openstack/keystone: Add SLA check to create-and-delete-user benchmark  https://review.openstack.org/12660515:55
morganfainbergboris-42, i'll look at that later today, but it should be good (the plugins one) doesn't look wierd or doing something strange15:55
boris-42morganfainberg so this make job +1/-1 https://review.openstack.org/#/c/126605/1/rally-scenarios/keystone.yaml15:56
boris-42morganfainberg if avg duration of any of create-delete will > 2 sec it will fail15:56
boris-42morganfainberg you'll see)15:56
boris-42morganfainberg need to go home be back later15:56
stevemarnkinder, ping15:58
nkinderstevemar: about to jump into a scrum meeting.  I'll get back to you in about 15, cool?15:58
dolphmlbragstad: what version of terminal-notifier are you using?15:58
nkinderstevemar: in the process of rebuilding a set up to try your patch...15:58
*** lufix has quit IRC15:59
stevemarnkinder, you already answered by question, take your time :P15:59
lbragstaddolphm: stable 1.6.115:59
dolphmlbragstad: i can't recreate https://github.com/dolph/gerrit-growler/issues/116:00
dolphmlbragstad: i can workaround it though, thanks to gerrit's redirects16:00
*** afazekas has quit IRC16:03
*** lhcheng has joined #openstack-keystone16:05
lbragstaddolphm: that works16:07
lbragstaddolphm: thanks for fixing!16:07
lbragstaddolphm: mind making a simple comment here to test? https://review.openstack.org/#/c/110803/16:08
*** gyee has joined #openstack-keystone16:08
*** lhcheng has quit IRC16:09
*** lhcheng has joined #openstack-keystone16:09
dolphmlbragstad: done16:13
lbragstaddolphm: sweet, I'll let you know what gg does16:13
ayoungSo Boston to Vancouver is either 7:30 flight time or 48 houirse driving.  ROAD TRIP!16:13
dolphmlbragstad: need to eliminate that delay - i think it might be client-side16:13
dolphmlbragstad: the bulk of it, anyway16:13
lbragstaddolphm: but it varies on location, right?16:14
*** samuelmz has quit IRC16:14
dolphmlbragstad: yeah, it's instant from my cloud server16:14
lbragstaddolphm: but not from your laptop?16:15
dolphmlbragstad: correct16:15
dolphmlbragstad: it's currently about 30 seconds to my laptop at castle16:16
dolphmlbragstad: also, i'm at castle and food trucks16:16
lbragstaddolphm: 30 seconds from gerrit to gg?16:16
dolphmlbragstad: yes16:16
dstanekfood trucks!16:16
dolphmlbragstad: i think i fixed it16:16
lbragstaddolphm: that's better than before, isn't is?16:17
dolphmlbragstad: it's a fraction of a second now16:17
*** lhcheng has quit IRC16:18
*** lhcheng has joined #openstack-keystone16:19
dolphmlbragstad: pull the latest gerrit-growler ( cc dstanek )16:19
*** _cjones_ has joined #openstack-keystone16:21
*** lhcheng_ has joined #openstack-keystone16:22
dolphmlbragstad: can you recheck this? https://review.openstack.org/#/c/119654/16:22
*** lhcheng has quit IRC16:23
lbragstaddolphm: waiting on Jenkins?16:24
dolphmlbragstad: my recheck already failed16:25
*** lhcheng_ has quit IRC16:26
*** wwriverrat1 has joined #openstack-keystone16:26
*** lhcheng has joined #openstack-keystone16:26
*** thedodd has quit IRC16:27
lbragstadwoohoo! no more duplicate accounts! If anyone needs to add me to a review go ahead and use lbragstad@gmail.com16:27
*** jistr has quit IRC16:29
*** marcoemorais has joined #openstack-keystone16:29
*** lhcheng has quit IRC16:31
raildolbragstad, do you had some problem with commit due this duplicate account? Some days ago, i was not able to commit due a similar problem16:33
lbragstadraildo: somehow I had two accounts tied to the same email, which I didn't think was possible16:34
*** thedodd has joined #openstack-keystone16:36
*** mewald has joined #openstack-keystone16:37
mewalddo public_endpoint and admin_endpoint refer to the the operations listed in section 2 and 3 respectively? http://docs.openstack.org/api/openstack-identity-service/2.0/content/Overview-Identity-API-d1e62.html16:39
*** wwriverrat1 has left #openstack-keystone16:39
*** lhcheng has joined #openstack-keystone16:42
*** lhcheng has quit IRC16:42
*** wwriverrat has joined #openstack-keystone16:43
*** zigo has quit IRC16:43
rodrigodslbragstad, yeah, and gerrit raises an error when we try to add you as reviewer. maybe the folks from openstack-infra can fix that for you16:43
*** wwriverrat has left #openstack-keystone16:43
*** gokrokve has quit IRC16:45
*** gokrokve has joined #openstack-keystone16:45
*** gokrokve has quit IRC16:45
*** zigo has joined #openstack-keystone16:46
*** lhcheng has joined #openstack-keystone16:49
*** lhcheng has quit IRC16:50
*** lhcheng has joined #openstack-keystone16:51
raildohenrynash, I answered a comment on this patch, I was wondering if it was clear to you https://review.openstack.org/#/c/111355/16:52
*** NM has quit IRC16:55
*** lhcheng has quit IRC16:55
*** harlowja_away is now known as harlowja16:58
*** lhcheng has joined #openstack-keystone16:59
*** _cjones_ has quit IRC17:05
*** _cjones_ has joined #openstack-keystone17:05
*** NM has joined #openstack-keystone17:06
*** _cjones_ has quit IRC17:10
*** jsavak has joined #openstack-keystone17:10
stevemardolphm, test comment17:11
mewalddo public_endpoint and admin_endpoint refer to the the operations listed in section 2 and 3 respectively? http://docs.openstack.org/api/openstack-identity-service/2.0/content/Overview-Identity-API-d1e62.html17:12
*** richm has joined #openstack-keystone17:12
marekdstevemar: o/ does openstack has some auto mechanisms when the response is HTTP 404 ?17:12
*** lufix has joined #openstack-keystone17:14
marekdstevemar: strange thing i noticed  today: openstack mapping show idontexist does actually two calls: https://keystone:5000/v3/OS-FEDERATION/mappings/idontexist , the server returns HTP 404 and after that there is another call /v3/OS-FEDERATION/mappings?name=idontexist which lists all the mappings.17:14
*** joesavak has quit IRC17:14
stevemarmarekd, yes, it tries a few different ways...17:15
*** amcrn has joined #openstack-keystone17:15
*** _cjones_ has joined #openstack-keystone17:16
stevemarit tries a GET call first, then a find call17:16
*** lhcheng has quit IRC17:16
marekdstevemar: it's osc, not keystoneclient, right?17:16
stevemarmarekd, correct17:16
marekdstevemar: how can i disable it?17:16
*** lhcheng has joined #openstack-keystone17:17
*** thedodd has quit IRC17:17
marekdwe end up in a situation where mapping doesn't exist. Server returns all the mappings and OSC gets crazy as list of objects is returned.17:17
*** andreaf has joined #openstack-keystone17:17
stevemarmarekd, instead of a using utils.find_resource you can just call the client17:19
marekdstevemar: good advice ++17:20
marekdi will do that.17:20
marekdstevemar: thanks.17:20
stevemarmarekd, http://paste.openstack.org/show/119427/17:21
*** lhcheng has quit IRC17:22
marekdstevemar: yeah, i figured.17:22
*** lufix has quit IRC17:23
rodrigodshenrynash, there? have a question about the error that should be returned in case of circular references17:27
*** lhcheng has joined #openstack-keystone17:29
morganfainbergrodrigods, raildo, wanted to talk to you guys about the multitenency and if we need a summit session on it. (what would the goal be of said sessions) - it looks like there is some data someone added to the etherpad re: hierarchy17:29
*** lhcheng has quit IRC17:30
morganfainbergrodrigods, how would you end up with circular references?17:30
*** lhcheng has joined #openstack-keystone17:30
rodrigodsmorganfainberg, actually, currently is not possible to have circular references, since we do not allow the update from the parent_id17:31
morganfainbergrodrigods, that was my understanding17:31
morganfainbergrodrigods, cool17:31
rodrigodsmorganfainberg, but I think that would be a nice check at methods that goes through the hierarchy. to avoid future problems17:31
*** lhcheng_ has joined #openstack-keystone17:32
rodrigodsmorganfainberg, following a suggestion from henrynash17:32
morganfainbergrodrigods, i'd rather not have an explicit circular ref check that is never used implemented17:32
morganfainbergif we know it is not currently possible, do we need to run what is known to be a no-op?17:33
rodrigodsmorganfainberg, maybe we can add a test called "check_circular_references" that would break now because we can't update the parent_id, but would be updated later?17:34
morganfainbergif there is legitimate value, i'm open to it, but if it just adds overhead today, lets make sure we *can* implement it down the line if we support moving projects to new parents17:34
morganfainbergrodrigods, i just don't want to run any expensive check we don't need to on all creates etc.17:34
raildomorganfainberg, yes, we suggest a summit session because we have to discuss some points about a more complex way of removing projects, we can recursively delete, or should we delete a project in the middle of the hierarchy and change the parent of the projects below it? the another thing is about update a project in the  middle of the hierarchy. How we can do this, we have to invalidate the tokens, we have to change the roles, and other things.17:34
raildoIn addition, we are implementing in Hierarchical Projects in Horizon17:35
*** lhcheng has quit IRC17:35
raildoand the Nova folks are implementing hierarchical quotas based in our implemention17:35
raildoSo, I believe it would be interesting a session to discuss these features17:36
morganfainbergraildo, sure. just trying to get the topics lined up, if this doesn't end up as a session are you ok with it being handled on the "meetup" day on Friday?17:36
*** lhcheng_ has quit IRC17:36
mewaldcan somebody know what the credential entity is used for? Weird stuff like fingerprint authentication? :D17:37
morganfainbergraildo, not saying it wont end up as a session. right now we have good availability on slots, but I'm making sure I know where these things line up.17:37
rodrigodsmorganfainberg, makes sense, will add a comment in the patch with your concerns17:37
morganfainbergrodrigods, cool. thanks :)17:37
morganfainbergraildo, ah, yeah the deletion bit might require some talking through.17:38
raildomorganfainberg, I understand. I suggested that session as a cross projects, due to changes in other projects besides Keystone.17:38
lbragstadrodrigods: yeah, I think they have it straightened out now17:38
morganfainbergraildo, ++17:38
rodrigodslbragstad, ++17:39
morganfainbergraildo, lets see where it all lines up. will def. keep it as a possibility for a session.17:39
rodrigodsmorganfainberg, btw, can you ff our branch? would be nice to have the KVS removal updates17:39
raildomorganfainberg, ok, thank you :)17:40
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/12663117:40
morganfainbergrodrigods, hm, need to see how to do that again. if it's FF-only i think i need to ask -infra to do it17:40
rodrigodsmorganfainberg, maybe ff won't work because the patch from dolphm17:41
rodrigodsthat was a "manual" ff17:41
rodrigodsI think17:41
morganfainbergrodrigods, yeah not sure. will work on that once we're past the IRC meeting.17:41
rodrigodsmorganfainberg, thanks =)17:42
*** harlowja_ has joined #openstack-keystone17:42
*** harlowja has quit IRC17:42
ayoungmorganfainberg, I'm in dreaming mode:  what if we made an utility for generating policy.json file from a data model.  It would be a nice little stand along project.17:44
ayounglike an intern/senior thesis type thing17:44
morganfainbergayoung, haha knew that was where this came from :)17:45
ayoungstand alone17:45
ayoungmorganfainberg, I'm trying to get a good list of them17:45
ayoungfor things we need17:45
ayoung"I'm interested in Keystone"  "Good....go build me one of these....:"17:45
morganfainbergayoung, that might be very interesting, something that is easier to write (limited types of policy/roles -> acttions) language that parses to the hard-to-read-and-write policy.json17:45
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy  https://review.openstack.org/11135517:46
ayoungmorganfainberg, yeah, and dchadwick and dolphm both think that something like a roles hierarchy should be done on the policy side, not on the keystone server...which means we'll need a better mechanism17:46
morganfainbergayoung, yeah17:47
rodrigodsayoung, morganfainberg, those kind of projects would fit really well in a google summer of code17:47
ayoungrodrigods, or for people's senior thesis projects17:48
rodrigodsayoung, like your final undergrad project?17:51
morganfainbergrodrigods, possibly17:51
ayoungrodrigods, well, hopefull not like "mine"  as that never got finished.  Never did find a working Ada environment17:51
*** cjellick has joined #openstack-keystone17:51
ayoungmorganfainberg, Its not my fault they swiched from HP to Sun workstations between Cow and Firstie year.17:52
rodrigodsayoung, I meant "anyone" hehe sorry17:52
ayoungHey...this my "Computer Theory" and "Compilers" professor http://www.army.mil/article/72904/First_woman_promoted_to_general_within_Army_Corps_of_Engineers/17:54
ayoungno, I'm serious17:56
ayoungShe was CPT Tubesing back then.17:56
morganfainbergwe'll start the meeting as soon as rally finishes up18:00
stevemarmorganfainberg, we're waiting?18:00
morganfainbergstevemar, hah18:00
*** lhcheng has joined #openstack-keystone18:01
*** victsou is now known as vsilva18:03
*** jwy has joined #openstack-keystone18:06
*** lhcheng has quit IRC18:06
stevemarnkinder, wanted to ping you before i forget, and not interrupt the meeting, do you have any of your automation scripts for setting up IPA available on github?18:11
stevemarnkinder, was hoping to use that as a basis for a CI job18:11
nkinderstevemar: yes, though some of it is using internal yum repos out of convenience18:11
nkinderstevemar: let me clean up some of it for you18:12
stevemarnkinder, whatever works, thanks18:12
*** aix has quit IRC18:14
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295818:17
openstackgerritayoung proposed a change to openstack/keystone-specs: Lost and Found  https://review.openstack.org/12664718:20
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: Lost and Found  https://review.openstack.org/12664718:22
afaranhaayoung: When is the spec deleted from the specs? When ger approved or implemented?18:22
ayoungafaranha, never18:22
ayoungit is approved and lives on in perpetuity!18:23
afaranhaI like the idea, but I think lost-and-found is not a so intuitive name, why not divide it into Approved directory and/or Implemented?18:24
afaranhaLost and found is a directory that I absolutely ignore, unless I miss something18:25
*** mewald has quit IRC18:25
*** swamireddy has joined #openstack-keystone18:25
*** thedodd has joined #openstack-keystone18:26
morganfainbergayoung, ++18:26
afaranhaayoung: But I think its not something that I would -1 it18:26
morganfainbergforevers and evers and evers and evers and evers18:26
openstackgerritayoung proposed a change to openstack/keystone-specs: Lost and Found  https://review.openstack.org/12664718:27
ayoungafaranha, its in the git repo, not posted for review in gerrit18:27
*** david-lyle has joined #openstack-keystone18:32
*** amakarov is now known as amakarov_away18:33
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a parking lot section for approved specs  https://review.openstack.org/12665218:33
openstackgerritA change was merged to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12495018:36
*** lhcheng has joined #openstack-keystone18:42
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a parking lot section for approved specs  https://review.openstack.org/12665218:43
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a parking lot section for approved specs  https://review.openstack.org/12665218:43
*** tqtran has joined #openstack-keystone18:43
*** lhcheng has quit IRC18:45
*** lhcheng has joined #openstack-keystone18:46
stevemarlbragstad, ayoung ^18:46
ayoungstevemar, WTF18:47
ayoungyou taking over my reviews?18:47
ayoungstevemar, seriously, though, keep the review id the same18:48
stevemarayoung, i was actually posting the changes to index.html, kept you as co-author since it was the same content in the readme18:48
ayoungstevemar, that is completely fine with me18:48
ayoungbut lets not have multiple reviews out there18:49
stevemarayoung, where you have it now, won't pass jenkins, the tests expect the files in there to be only specs18:49
ayoungstevemar, you are on the right track...just keep the reviewid.  I'm really not that picky, just don't want to have dead review floating around18:50
*** lhcheng has quit IRC18:50
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a parking lot section for approved specs  https://review.openstack.org/12665218:52
*** gokrokve has joined #openstack-keystone18:52
stevemarayoung, alright, i changed the change-id to match yours, but i don't think that did much :\18:53
stevemaroh did you want me to patch over your change set?18:54
ayoungstevemar, yes, please18:54
stevemarah okay18:54
*** swamireddy has quit IRC18:54
*** vsilva is now known as victsou18:55
nkindermorganfainberg: are there any outstanding RC bugs?18:57
morganfainbergnkinder, not that i'm aware of18:57
nkindermorganfainberg: cool18:57
rodrigodsmorganfainberg, just to remember about the HM rebase or ff =)18:57
morganfainbergrodrigods, right.18:57
*** victsou is now known as vsilva18:57
morganfainbergneed to see how to do that.18:57
*** raildo is now known as raildo_away18:58
nkinderstevemar: I came to the same conclusion as you when looking into the 'user show' issue last night18:58
*** packet has joined #openstack-keystone18:58
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Lost and Found  https://review.openstack.org/12664718:59
nkinderstevemar: we don't have a good way in the API to do a show on a user by name since there is no way to specify the domain to look in18:59
*** ayoung is now known as ayoung-mtg18:59
nkinderstevemar: enumerating all of the users just to find the ID sucks18:59
rodrigodsmorganfainberg, once i saw a script by dolphm that is for this cases, i think18:59
stevemarnkinder, yeah, it's not an obvious problem with keystone server at first glance18:59
nkinderstevemar: it would work, but it's not going to be fun for large domains18:59
stevemardefinitely not19:00
nkinderwe would need the API to allow the domain to be specified19:00
morganfainbergrodrigods, https://review.openstack.org/12666219:00
nkinderotherwise OSC has to hack around it19:00
morganfainbergdolphm, https://review.openstack.org/126662 i *think* moves the feature branch forward.19:01
dstanekmorganfainberg: that's a merge though - doesn't it need to be a FF?19:01
morganfainbergdstanek, can't do FF on that branch19:01
dstanekmorganfainberg: did it diverge from master?19:02
rodrigodsmorganfainberg, yay! \o/19:02
morganfainbergand if it is FF only i need infra to forward the branch19:02
morganfainbergi can't FF-only it.19:02
dstanekmorganfainberg: so what happens now? when the HM stuff is close enough to being merged does it get proposed on master?19:03
morganfainbergdstanek, i think we merge across to master? i dunno19:04
morganfainbergdolphm, ?^19:04
*** thedodd has quit IRC19:06
rodrigodsthe first review is really close to be ready, I think: https://review.openstack.org/#/c/117784/19:07
rodrigodsalready implemented the tests henrynash proposed, just waiting to rebase with morganfainberg review19:08
*** thedodd has joined #openstack-keystone19:08
dstanekrodrigods: is there any tests that show what happens when not specifying the parent_id?19:09
rodrigodsdstanek, i think that is the "regular" create19:11
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/12667419:12
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/12663119:12
rodrigodsrodrigods, for example, the last test does not specifies: https://review.openstack.org/#/c/117786/17/keystone/tests/test_backend.py19:12
rodrigodsdstanek, ^19:13
dolphmmorganfainberg: i don't know how to tell you if it's right or wrong... i only know how to run my script to update the branch myself lol19:14
dolphmmorganfainberg: let me see if i come up with the same commit sha19:14
morganfainbergdolphm, hehe19:14
morganfainbergprobably wont because it19:14
morganfainbergll have your commiter info19:15
dstanekrodrigods: ah ok, i'll take a look - when reading the lists of tests classes i didn't see anyone for that usecase19:15
rodrigodsdstanek, would be nice to have a "create_project_without_parent" test like this one: https://github.com/openstack/keystone/blob/master/keystone/tests/test_backend.py#L1731 ?19:16
dolphmmorganfainberg: oh, boo19:17
morganfainbergdolphm, http://paste.openstack.org/show/119464/19:17
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/12667919:17
morganfainbergdolphm, that was the merge output19:17
dolphmmorganfainberg: yep19:17
dolphmmorganfainberg: and then a giant list of outstanding commits?19:17
dolphmmorganfainberg: this part freaks me out19:18
morganfainbergno outstanding commits in my output19:18
dolphmmorganfainberg: really?19:18
morganfainbergbut i did a clean checkout of the branch and  straight merge19:18
morganfainbergmight have been missing a flag to git19:18
morganfainbergthat deletion list looks "right"19:19
dolphmmorganfainberg: oh - there's a strict process outlined in the wiki19:19
morganfainbergdolphm, hm, i *think* i followed it. must have missed something in there19:19
morganfainbergdolphm, last time i did this was FF only so it broke19:19
dolphmmorganfainberg: http://pasteraw.com/jx4536j0ij1cpdxoq2fcxh6suwuedfl19:19
morganfainberggo with yours19:20
morganfainbergbut it looks like the same-ish output19:20
morganfainbergdolphm, abandoned mine, will let you push yours instead, since it looks more correct19:22
dolphmmorganfainberg: https://review.openstack.org/#/c/126693/19:24
morganfainbergdolphm, provided it passes jenkins i'll approve it19:25
morganfainberg(no no reason it shouldn't)19:25
morganfainbergor you can19:25
*** david-lyle is now known as david-lyle_afk19:25
rodrigodsand i rebase our patches with it =)19:26
*** HenryG has quit IRC19:28
*** david-lyle_afk has quit IRC19:30
morganfainbergfifieldt, ping re Operator session (e.g. the DevOps session at the ATL summit)19:33
morganfainbergfifieldt, looking for feedback on which format worked the best last time, so we can keep as close to that this time, since i think there was definite value to having a dedicated keystone session for that.19:33
dolphmmorganfainberg: rodrigods: dropped my patch in favor of https://review.openstack.org/#/c/126697/ which was generated with slightly more automation19:34
morganfainbergdolphm, ack19:34
*** samuelmz has joined #openstack-keystone19:35
openstackgerritA change was merged to openstack/keystone: Add testcase for coverage of 002_add_endpoint_groups  https://review.openstack.org/11965419:36
vsilvaayoung-mtg, are you around? I looked into the rules and it seems like you're right - I don't see a way that it could give us a link between the token and its IdP. Do you have any other suggestions?19:38
vsilvaMaybe you can check it out as well, dolphm (https://bugs.launchpad.net/keystone/+bug/1291157)19:38
uvirtbotLaunchpad bug 1291157 in python-keystoneclient "idp deletion should trigger token revocation" [High,Triaged]19:38
dolphmmorganfainberg: standlone script you can use https://github.com/dolph/dotfiles/blob/master/bin/git-update - i'll look for a place in infra to contribute it long term19:41
morganfainbergdolphm, thnx19:42
*** raildo_away is now known as raildo19:44
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a new section that lists implemented specs for middleware  https://review.openstack.org/12670819:50
*** vsilva is now known as victsou20:01
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a new section that lists implemented specs for middleware  https://review.openstack.org/12670820:03
*** HenryG has joined #openstack-keystone20:06
openstackgerritJin Liu proposed a change to openstack/python-keystoneclient: Error message not saved in Session exception  https://review.openstack.org/12671320:07
lbragstadstevemar: so we're not going to keep jsonutils up to date but we can't remove it?20:08
*** harlowja_ is now known as harlowja_away20:09
nkinderayoung-mtg, morganfainberg: do you have any idea why I'm getting a 403 for this? http://paste.openstack.org/show/119479/20:12
nkinderI don't see what's wrong20:12
*** gokrokve has quit IRC20:13
*** gokrokve has joined #openstack-keystone20:14
remote_morgan_nkinder: nothing stands out as wrong. But honestly harder to see on a phone than laptop screen.20:14
nkinderremote_morgan_: yeah, that'd be a little tough... :)20:15
remote_morgan_nkinder: once I get to where I can plug in my laptop I can look more closely.20:15
remote_morgan_And post lunch.20:15
nkinderremote_morgan_: thanks!20:15
remote_morgan_Sure thing.20:15
*** david-lyle has joined #openstack-keystone20:15
*** lhcheng has joined #openstack-keystone20:17
*** gokrokve has quit IRC20:18
*** ayoung-mtg is now known as ayoung20:21
ayoungvictsou, I think we need to parse the rules20:21
ayoungnkinder, seriously?  I would put a pdb.set_trace() at the start of the policy enforcement in keystone/common/controller.py20:22
nkinderayoung: going to resort to that soon...20:23
ayoungpip install rpdb20:23
ayoungthen edit the controller and20:23
ayoungimport rpdb;  rpdb.set_trace()20:23
ayounghit it from the CLI etc and20:23
nkinderayoung: we really need to improve the logging around policy evaluation to allow people to troubleshoot this stuff without resorting to a debugger20:23
ayoungtelnet localhost 444420:23
ayoungnkinder, was just thinking that20:23
nkinderayoung: will try that after our meeting (and will probably bug you about it) :)20:24
ayoungnkinder, let me see if we have enough control, though20:24
ayoungthe policy rules are already parsed.  It might require a change in oslo20:24
ayoungnkinder, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n15220:25
ayoungnkinder, at a minimum, add20:25
ayoungLOG.debug(  "% % % " %(creds, action, utils.flatten_dict(target)) )20:26
*** __TheDodd__ has joined #openstack-keystone20:26
*** thedodd has quit IRC20:30
*** lhcheng has quit IRC20:31
*** lhcheng has joined #openstack-keystone20:32
*** lhcheng has quit IRC20:36
*** topol has quit IRC20:39
bknudsonhere's an interesting post: http://dormando.livejournal.com/495593.html20:41
bknudsonabout using memcache for sessions20:41
rodrigodsbknudson, ++20:54
stevemarlbragstad, if one of the other things needs it (like service or fileutils), then it'll be updated when we do an oslo-sync20:55
stevemarwhether it's in the .conf file or not20:55
lbragstadstevemar: yeah, I facepalmed when I figured it out...20:55
lbragstadstevemar: thanks for the follow up20:56
stevemarlbragstad, hehe20:56
rodrigodsbknudson, how keystone currently handles it? there is a doc somewhere?20:57
bknudsonrodrigods: I haven't been looking at the docs, the memcache.py isn't too small.20:58
*** marcoemorais has quit IRC20:59
*** marcoemorais has joined #openstack-keystone21:00
rodrigodsbknudson, will take a look, thanks21:00
rodrigodsbknudson, dstanek btw, any of you can +A https://review.openstack.org/#/c/120563/ ?21:01
rodrigodsbknudson, thanks21:02
*** tqtran is now known as tqtran_afk21:03
*** harlowja_away is now known as harlowja_21:04
*** victsou is now known as vsilva21:05
*** david-lyle has quit IRC21:06
*** _cjones_ has quit IRC21:12
*** Kui has joined #openstack-keystone21:12
*** nellysmitt has quit IRC21:13
*** _cjones_ has joined #openstack-keystone21:13
*** richm has quit IRC21:13
*** packet has quit IRC21:24
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes docstrings to be more accurate.  https://review.openstack.org/12673021:25
ayoungrodrigods, looking21:25
openstackgerritA change was merged to openstack/keystone: Use jsonutils from oslo.serialization  https://review.openstack.org/12611621:25
openstackgerritA change was merged to openstack/keystone: Use importutils from oslo.utils  https://review.openstack.org/12611521:25
openstackgerritA change was merged to openstack/keystone: Remove deprecated KVS trust backend.  https://review.openstack.org/12649321:27
openstackgerritDavid Stanek proposed a change to openstack/keystone: WIP: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603021:32
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes endpoint_filter tests  https://review.openstack.org/12602921:32
openstackgerritDavid Stanek proposed a change to openstack/keystone: Remove database setup duplication  https://review.openstack.org/12673421:32
*** jsavak has quit IRC21:37
*** dguitarbite has quit IRC21:45
*** Guest10736 is now known as mfisch21:45
*** mfisch is now known as Guest6946521:46
*** lhcheng has joined #openstack-keystone21:49
*** __TheDodd__ has quit IRC21:55
*** thedodd has joined #openstack-keystone21:55
*** henrynash has quit IRC21:57
*** gordc has quit IRC22:01
rodrigodsmorganfainberg, dolphm, the tests passed, will rebase =)22:01
*** lhcheng has quit IRC22:05
*** lhcheng has joined #openstack-keystone22:06
*** henrynash has joined #openstack-keystone22:08
*** rkofman has quit IRC22:10
*** lhcheng has quit IRC22:11
*** rkofman has joined #openstack-keystone22:11
*** radez is now known as radez_g0n322:12
*** NM has quit IRC22:16
bretonI am lokking for some task with keystone to get started. Got any ideas?22:21
*** gokrokve has joined #openstack-keystone22:24
*** thedodd has quit IRC22:30
*** dguitarbite has joined #openstack-keystone22:31
*** zzzeek has quit IRC22:33
*** david-lyle has joined #openstack-keystone22:33
nkinderayoung: so it turns out that target is an empty dict here for 'user list' - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n19322:34
*** dimsum_ has quit IRC22:34
*** dimsum_ has joined #openstack-keystone22:34
ayoungnkinder, I recall writing that22:35
ayoungI think target was flattened so we could get things out of the payload22:35
ayoungit was origianlly done for trusts22:36
nkinderayoung: that means this won't work - http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n922:36
nkinderayoung: with no target, there's nothing to compare against when looking for the domain_id22:36
ayounguser_list has neither keyword args nor query strings22:36
nkinderayoung: so how can a domain admin list users for their domain only?22:37
nkinderI can show a user if I know their id22:37
ayoungis that logic in the controller or core....22:37
ayoungnkinder, so if you don't add anything....22:38
nkinderayoung: now 'user list' does allow you to specify a domain to filter on with '--domain'22:38
nkinderayoung: the problem is, if you use that option, it attempts to do a domain list22:38
nkinderand only the cloud admin can do that...22:39
*** dimsum_ has quit IRC22:39
ayoungnkinder, is that an API problem or a client problem?22:39
nkinderI wonder if that's purely an OSC bug that it does a domain list22:39
nkinder:)  We're thinking the same22:39
nkinderLet me try it with curl22:39
ayoungtry it from Curl...suspect client there22:39
nkinderhah, I beat you that time22:39
nkinderI suspect client too22:39
*** marcoemorais has quit IRC22:40
*** andreaf has quit IRC22:40
ayoungnkinder, actually, that one I would try with pdb, and see what keystone client code it is calling22:40
nkinderayoung: well, I know it does a domain list, as it tells me I'm not authorized for that action22:40
ayoungso it could be KC or OSC,  suspect the latter22:40
*** andreaf has joined #openstack-keystone22:40
*** henrynash has quit IRC22:40
nkinderso it's pretty clear that OSC or KC does it22:40
*** marcoemorais has joined #openstack-keystone22:40
ayoungso, what rule gets applied if there is no target.22:41
*** marcoemorais has quit IRC22:41
nkinderayoung: my guess is the client is trying to look up the domain id by name (though it does that even if I specify a domain id)22:42
ayoung(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner22:42
ayoungah...so look, token is supposed to always be in the target22:42
ayoungsomeone broke this on me22:43
ayoungI knew it!22:43
ayounggit blame time...22:43
ayoungOK,  we have 3 suspects22:44
ayoungc7a5c6cf (Henry Nash22:44
*** alex_xu has quit IRC22:44
ayoungf1f0bbc4 (Arvind Tiwari22:44
ayounga8ccab37 (Morgan Fainberg22:44
ayoungwhoa...way different22:44
ayoungwhat are awe looking at upstream22:44
*** marcoemorais has joined #openstack-keystone22:45
*** marcoemorais has quit IRC22:45
*** marcoemorais has joined #openstack-keystone22:46
*** marcoemorais has quit IRC22:46
*** marcoemorais has joined #openstack-keystone22:46
ayoungnkinder, I think it was henry22:48
ayoungbut I plus Aed it so I'd be to blame, too22:49
ayoungnkinder, we used to flatten the whole kwargs and pass that to the rule engine22:50
nkinderayoung: this works - curl -i -H "X-Auth-Token: <token>" http://localhost:35357/v3/users?domain_id=<id>22:50
ayoungnkinder, but token should be in the target22:50
ayoungwell, the token data22:50
nkinderdo, the query param should be in the target22:50
ayoungtarget should never be empty22:50
ayoungnkinder, look at the rule22:51
ayoung "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",22:51
nkinderit's the query param that should be in there, not the token.  The token is compared against the target.22:51
nkinderbut this isn't admin_or_owner that protect user_list22:51
ayoungthe query param is the first domain_id22:51
ayoung   "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",22:52
ayoung "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",22:52
nkinderthat's the one that is used22:52
ayoungthat will never work if there is no param22:53
nkinderbut OSC won't supply the domain id unless it looks it up using list_domains first22:53
nkinderayoung: ok, so there are two issues22:53
*** lhcheng has joined #openstack-keystone22:53
ayoungWe had that logic.  Someone yanked it on me.22:53
nkindera bare 'user list' will not set a domain_id22:53
ayoungI remember going through all this with the trust API22:53
nkinderayoung: so if a domain_id wasn't set, you pull it from the token and set it as the query param?22:54
*** marcoemorais has quit IRC22:57
*** marcoemorais has joined #openstack-keystone22:58
ayoungnkinder, I think so, but that happends after the policy check22:59
openstackgerritA change was merged to openstack/keystone: Replace an instance of keystone/openstack/common/timeutils  https://review.openstack.org/12612523:00
openstackgerritA change was merged to openstack/python-keystoneclient: Extracting common code to private method  https://review.openstack.org/12056323:00
ayoungnkinder, AH HA!23:01
ayoung if not CONF.identity.domain_specific_drivers_enabled:23:01
ayoung            # We don't need to specify a domain ID in this case23:01
ayoung            return23:01
ayoungnkinder, this changes when you enable domain_specific drivers23:01
nkinderwhere is that?23:01
*** dimsum_ has joined #openstack-keystone23:02
ayoungnkinder, so...we do the policy enforcement as a decorator.  Novba does not23:02
ayoungNova does not23:02
ayoungthe pattern in Nova is: lookup objects, then make explicit policy call23:02
ayoungthat is what we need here23:02
stevemarayoung, could i bug you for 2 quick reviews https://review.openstack.org/#/c/125535/ and https://review.openstack.org/#/c/124270/23:03
ayoungstevemar, sure23:03
nkinderayoung: I have "domain_specific_drivers_enabled = true"23:03
ayoungnkinder, eggs act lee23:03
*** dimsum_ has quit IRC23:03
nkinderayoung: the problem here is that domain_id is not set in the query param by OSC23:03
*** dimsum_ has joined #openstack-keystone23:04
ayoungnkinder, ok...let me explain what we need to do:23:04
ayoung1.  Break the code inside the decorator out so we can call it directly23:04
ayoung2.  drop the decorator from list_users23:04
morganfainbergayoung, we likely need to do #1 regardless23:04
ayoung3.  add in an explicit check policy call after the call to lookup domain from token23:05
ayoung4..make sure the token data is back in the target23:05
ayoungmorganfainberg, I think we accidentally broke all of the cloudsample token based rules way back....23:05
*** marcoemorais has quit IRC23:05
nkinderok, so you're saying that list_users with no domain_id in the query params should just grab the domain_id out of the token23:05
nkinderayoung: no, they work (sort of)23:06
ayoungmorganfainberg, in c7a5c6cf23:06
ayoungnkinder, not the rule you were looking at...the ones that explicitly reference the token23:06
stevemarmorganfainberg, oh you're here too, excellent, can i get a review of https://review.openstack.org/#/c/125708/23:06
ayoungnkinder, yep23:06
ayoungsecrete  heh23:08
*** tqtran_afk is now known as tqtran23:08
*** jamielennox has quit IRC23:10
ayoungstevemar, -2 on all your patches.  Anything else?23:12
stevemarayoung, nooooo23:12
ayoungstevemar, and I'm now leaving on a month PTO...see you in Paris23:13
stevemaroh fancy23:13
stevemarhave fun23:13
ayoungstevemar, seriously, though, any more?23:13
ayoungstevemar, I'm not really leaving on PTO23:14
stevemarayoung, i have 2 more, https://review.openstack.org/#/c/123933/ and https://review.openstack.org/#/c/126180/23:14
stevemaryou tricked me good23:14
*** NM has joined #openstack-keystone23:15
ayoungstevemar, trick or treat smell my feet23:15
stevemari'd rather give you something good to eat23:15
ayoungstevemar, do we really reecord token id in cadf?  Please tell me that is the audit it.23:15
ayoungstevemar, with all of these +2As I'm handing out I feel like the candyman23:17
nkinderayoung: ok, I have an OSC patch that at least allows me to use '--domain <id>' when listing users23:17
stevemarayoung, the token id is actually a token id, there is a reason for that23:17
ayoungnkinder, so the problem was in osc?23:17
stevemarayoung, trying to find that reason23:18
nkinderayoung: well, part of it was23:18
ayoungstevemar, cuz we didn't have token audit ids when we wrote the cadf impl?23:18
nkinderayoung: we always attempt to look up the passed in '--domain' arg, but a domain admin typically isn't allowed to look any of that info up23:18
nkinderayoung: so the fix is to try to look it up, but fall back to using the arg as a domain_id in the user_list request23:19
nkinderayoung: it requires that the domain admin knows their domain ID though23:19
nkinderayoung: so being able to do a bare 'user list' and have it use the domain from the token would be a nicer experience23:19
nkinderayoung: I'm not sure who should be responsible for that though...23:20
morganfainbergstevemar, notice ayoung didn't say he wasn't -2ing your patches... just he wasn't going on PTO23:20
ayoungnkinder, domain_id should be in the auth_ref23:20
ayoungmorganfainberg, it pains me that we are putting token ids in the audit logs23:21
morganfainbergayoung, wait we're putting token ids in what?!23:21
stevemarayoung, ahhh here we go: it's the 'audit_id"23:21
stevemartoken_audit_id = token_ref.audit_id23:21
morganfainbergcause i was about to go "when did this happen"?23:22
stevemarnah nah, we're good23:22
ayoungmorganfainberg, https://review.openstack.org/#/c/126180/2/doc/source/event_notifications.rst,cm23:22
ayoungwe should still call it the token_audit_id in the cadf message23:22
morganfainbergyes we should23:22
morganfainbergare we allowed to change that though?23:23
morganfainbergmaybe we just comment it is the audit id in the doc for now?23:23
ayoung<vader>I am altering the bargain</vader>23:23
morganfainbergayoung, pray i don't alter it further23:23
morganfainbergok so.. i'm going to abandon out the -2CR specs. do we have any specs that we expect to be resucitated that are just lingering (as in not updated in the last ~2mo)23:24
morganfainbergi'm about to send the "get your specs proposed email" but want to have a "clean-ish" slate23:25
ayoungmorganfainberg, leave any I wrote.  I will see to them myself23:26
morganfainbergayoung, yours except the cookie-for-token were updated recently enough23:26
morganfainbergand session tokens but i know that is coming back23:26
ayoungare you categorically against cookie-for-token?23:26
morganfainbergayoung, i think it solves the problem in the wrong way.23:27
ayoungsession tokens....maybe23:27
morganfainbergayoung, if we're going down that path we should oauth all the things.23:27
morganfainbergayoung, the cookie thing that is23:27
ayoungyou keep using that word....I do not think it means what you think it means23:27
morganfainbergayoung, oauth is exactly what i mean in this case23:28
morganfainbergayoung, or very very closely aligned to oauth23:28
ayoungoauth is not a solution....its just a different mechanism that does what keystone tokens do23:28
ayoungand all the same issues would still apply23:28
morganfainbergayoung, yes, and it would *also* solve the token size issue23:28
morganfainbergwhich is what your cookie thing is solving.23:28
morganfainbergamong other things e.g. no bearer tokens, locked to endpoints23:29
ayoungis that oauth 1 still or moved on to 2 to get that?23:29
morganfainbergayoung, might need to be 2 vs 1.1*23:29
morganfainberg*1.1 being weird and broken23:29
ayoungshhhhhh he'll hear you23:30
morganfainbergfor now i'm against the cookie for token thing. we can revisit at the summit but i don't think that is the right approach to the problem.23:31
ayoungmorganfainberg, I'll read up on it.  As I reacll, it didn't enforce a spec for what is actually in the authorization document23:31
morganfainbergmost cases are new tokens and if we go short-term tokens like you want the cookie is essentially useless anyway23:31
morganfainbergbecause most requests will be a new token, so no size savings, etc23:31
ayoungleave it un-abandondend for now.  if nothing else, we can list it in the "alternatives" to the spec we actually end up selecting23:31
morganfainbergeh, i started abandoning already :P sorry.23:32
morganfainbergwe can unabandon easily23:32
*** marcoemorais has joined #openstack-keystone23:33
*** marcoemorais has quit IRC23:34
*** marcoemorais has joined #openstack-keystone23:36
nkinderayoung, stevemar: https://review.openstack.org/#/c/126754/23:36
nkinderstevemar: going to try your OSC patch out now23:36
ayoungmorganfainberg, for a new request, the session approach doesn't cost us anything.  Bascially, the endpoint makes the decision to save the token in memcache and returns a session id.  This is really no different than if it used sessions directly, which is what most web servers do.23:37
ayoungI don't see a way around it.  oauth is going to have the4 exact same constraints23:37
ayoungit kindof fundamental....23:37
ayoungeither I'm missing something or you are...probably both23:37
morganfainbergayoung, we'll discuss this at the summit.23:37
openstackgerritA change was merged to openstack/keystone-specs: Updated from global requirements  https://review.openstack.org/12063823:38
ayoungmorganfainberg, for certain, but UI'd like to understand what the alternative is...I'll read up on oauth223:38
morganfainbergi'm sure it'll be easier to discuss the views in person.23:38
morganfainbergin this case :)23:38
morganfainbergwe're defintely having the authorization session, tokens, etc23:39
morganfainbergoauth, or something else. what do we do and what makes the most sense.23:39
ayoungnkinder, we don't allow domain name on those calls?  Just id?23:39
nkinderayoung: nope, just id23:40
ayoungnkinder, hmmm, not what I remember....let me see23:40
nkinderayoung: this affect lits_projects too, so a new patch is coming...23:40
ayoungnkinder, yep..just confirmed in the identity API docs.  I think that we should expand those APIs23:42
ayoungprojects are different,23:42
ayoungthose are not implicitly namespaced,  but if they are inside a domain....we should allow for names23:42
ayoungOK...I'm leaving the office and going to the gym23:42
*** ayoung has quit IRC23:43
*** r-daneel has quit IRC23:48
*** NM has quit IRC23:50
*** lhcheng has quit IRC23:53
*** lhcheng has joined #openstack-keystone23:54
stevemarnkinder, taking a looksy now23:57
*** gokrokve has quit IRC23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!